gss_pname_to_uid: is that the right interface
simo at redhat.com
Tue Sep 20 18:50:09 EDT 2011
On Tue, 2011-09-20 at 16:11 -0500, Nico Williams wrote:
> I think this one's really just for compatibility with Solaris. I
> agree that putting UIDs in any of these APIs is a bad idea, but I'm
> not sure that the SSSD problem wouldn't exist for your proposed
> variant. If the problem for SSSD is one of timing, why couldn't that
> problem exist for *any* GSS version of krb5_aname_to_lname()?
> Any timing issues w.r.t. SSSD should be documented by RedHat and/or
> the mechanism implementor/vendor.
We have an issue with OpenSSH doing getpwnam() before SSSD has a chance
of getting its hands on the MS-PAC (or in future the PAD with the POSIX
attributes). So avoiding getpw*() calss is a good idea.
If krb5_aname_to_lname() is implemented by using getpw() calls it has
the same kind of issues, but it doesn't need to. mapping principal name
to local name usually is not done through the NSS interface, while
getting the uid can only be done through that interface.
Simo Sorce * Red Hat, Inc * New York
More information about the krbdev