[Spice-devel] [spice-gtk] Support SASL GSSAPI

[Fabiano Fidêncio]

On Mon, Jun 6, 2016 at 3:01 PM, Marc-André Lureau <mlureau at redhat.com> wrote:
> Hi
>
> ----- Original Message -----
>> I'm sending Alexander Bokovoy's patch as it is, also here is some notes from
>> him:
>>
>> "I'd really like to find a way to do it with pure SASL properties so that the
>> code would work for both SPNEGO and Kerberos. SPNEGO NTLMSSP would make it
>> working for environments where you don't have Kerberos but what we have
>> right now should be fine for pure Kerberos environments like FreeIPA or
>> Active Directory."
>>
>> And also his blog post:
>> https://vda.li/en/posts/2016/05/30/Single-sign-on-to-virtual-machines/
>>
>> On one hand I think would be good to have this issue partially fixed (as per
>> Alexander's comment) for 0.32, on the other hand I don't like calling these
>> kerberos functions directly. Also, we probably would have to add a kerberos
>> check/option on configure, right? I can do that without any problems, but I
>> firstly would like to hear the opinions from other people in the project.
>
> Yes, it will have to be optional (especially because compiling krb5 on mingw is *hard* - last time I checked)

Currently we build mingw-spice-gtk with --without-sasl (both fedora
and downstream). So, it won't be that problematic.

>
>> I'm willing to re-work this patch after the release and try to find an ideal
>> solution (if possible) and also spend some more time digging into the
>> differences on handling this between gtk-vnc and spice-gtk.
>
> From his blog, I gathered that it worked with gtk-vnc but not with spice-gtk. Why do we need krb specific code when gtk-vnc doesn't need it?

Yeah, that's part of my plan to setup the environment and dig into it
as soon as I have time for it.

>
>>
>> Please, as I'm not whether Alexander is subscribed to our mailing list or
>> not,
>> let's keep him CC'ed for any further interaction.
>>
>
> Thanks again Alexander

Best Regards,
--
Fabiano Fidêncio