Use of kdc_send_hook with gss_init_sec_context
Andrew Bartlett
abartlet at samba.org
Fri Feb 4 17:23:58 EST 2022
On Fri, 2022-02-04 at 22:36 +0200, Isaac Boukris wrote:
> On Fri, Feb 4, 2022 at 8:34 PM Greg Hudson <ghudson at mit.edu> wrote:
> >
> > On 2/4/22 11:57 AM, Isaac Boukris wrote:
> > > > > Is there a way to use 'kdc_send_hook' with 'gss_init_sec_context'?
> > > > > If there isn't, can we add something like 'gsskrb5_set_krb5_context'?
> >
> > I've floated this idea before, as a way to bridge libkrb5 functionality
> > (such as krb5_init_context_profile()) and GSS.
> >
> > Nico dislikes the idea because he doesn't like anything that encourages
> > mechanism-specific code in GSS applications. He tends to favor name
> > attributes as the extension point when possible.
> >
> > Sam has raised a more specific objection: if the context set by
> > gsskrb5_set_krb5_context() is per-thread (which is the easiest way to
> > get around contexts not being thread-safe), then it could be a source of
> > subtle bugs if someone creates a GSS object in one thread and gets
> > different behavior when they use it in another thread.
>
> Also typically the krb5 specifics are set via krb5.conf, so maybe we
> can do the same for kdc_send_hook, by specifying an so file in the
> conf.
For Samba use I would much prefer a C hook, because Samba is (eg
libsmbclient) used as a library in other applications, within the same
thread, and I don't like per-thread or fully global variables for that
reason.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba