[Spice-devel] [spice-gtk] Support SASL GSSAPI

Alexander Bokovoy abokovoy at redhat.com
Mon Jun 6 13:34:09 UTC 2016


On Mon, 06 Jun 2016, Daniel P. Berrange wrote:
>On Mon, Jun 06, 2016 at 09:01:10AM -0400, Marc-André Lureau wrote:
>> Hi
>>
>> ----- Original Message -----
>> > I'm sending Alexander Bokovoy's patch as it is; here are also some notes from
>> > him:
>> >
>> > "I'd really like to find a way to do it with pure SASL properties so that the
>> > code would work for both SPNEGO and Kerberos. SPNEGO NTLMSSP would make it
>> > work for environments where you don't have Kerberos, but what we have
>> > right now should be fine for pure Kerberos environments like FreeIPA or
>> > Active Directory."
>> >
>> > And also his blog post:
>> > https://vda.li/en/posts/2016/05/30/Single-sign-on-to-virtual-machines/
>> >
>> > On one hand I think it would be good to have this issue partially fixed (as per
>> > Alexander's comment) for 0.32, on the other hand I don't like calling these
>> > kerberos functions directly. Also, we probably would have to add a kerberos
>> > check/option on configure, right? I can do that without any problems, but I
>> > firstly would like to hear the opinions from other people in the project.
>>
>> Yes, it will have to be optional (especially because compiling krb5 on mingw is *hard* - last time I checked)
>
>Even compiling cyrus-sasl is hard - indeed, last I looked, fedora didn't
>have any mingw packages for it.
>
>>
>> > I'm willing to re-work this patch after the release and try to find an ideal
>> > solution (if possible) and also spend some more time digging into the
>> > differences on handling this between gtk-vnc and spice-gtk.
>>
>> From his blog, I gathered that it worked with gtk-vnc but not with
>> spice-gtk. Why do we need krb specific code when gtk-vnc doesn't need it?
>
>It looks like the code is trying to set a default username based on the
>current kerberos credential the user has. gtk-vnc doesn't bother trying
>to do this - the user just always has to supply the username explicitly.
>IMHO it would be fine for spice-gtk to do the same and avoid the krb dep/
I tried that. Let me get a bit deeper into details, though.

Cyrus SASL GSSAPI would work if you provide a NULL username, but the code
in spice-gtk rejects such usernames:
https://cgit.freedesktop.org/spice/spice-gtk/tree/src/spice-channel.c#n1390

I tried to allow a NULL username here, but the problem is that we
eventually need to set the actual username so that the SPICE communication
can continue. And if the SASL GSSAPI module did find default credentials,
we need to pick up the username from them. This is theoretically possible,
but all my attempts to do so caused the SPICE server side to drop the
actual SPICE connection.

gtk-vnc works because it explicitly initializes the name to an empty
property and handles that just fine.

-- 
/ Alexander Bokovoy
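One way to pick the username up from the user's default Kerberos credentials, as an added example that is not code from spice-gtk, gtk-vnc or the patch discussed in this thread: read the default principal straight out of the krb5 FILE: credential cache. The parser below follows the documented FILE ccache layout (versions 3 and 4, big-endian, with the version-4 header block) and needs no libkrb5, so it runs stand-alone; a real client would call krb5_cc_get_principal() or, after SASL has negotiated, read the SASL_USERNAME property. The cache bytes, the principal alice@EXAMPLE.COM and the "user@REALM" form handed to SASL are all constructed here for the demo.

```python
"""Extract the default principal from a Kerberos FILE: credential cache.

Added example, not spice-gtk or gtk-vnc code.  Parses the krb5 FILE ccache
layout (versions 3 and 4 are big-endian; version 4 adds a tagged header)
far enough to read the default principal, which is what a SASL GSSAPI
client would use as its username when the caller passed NULL.
"""
import struct


class CcacheError(ValueError):
    """Raised when the buffer is not a usable v3/v4 FILE ccache."""


def _u16(buf, off):
    if off + 2 > len(buf):
        raise CcacheError("truncated cache")
    return struct.unpack_from(">H", buf, off)[0], off + 2


def _u32(buf, off):
    if off + 4 > len(buf):
        raise CcacheError("truncated cache")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _counted(buf, off):
    """counted_octet_string: uint32 length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise CcacheError("truncated counted string")
    return buf[off:off + n], off + n


def default_principal(buf):
    """Return (name, realm) of the cache's default principal.

    name joins the components with '/', so host/www.example.com comes back
    exactly as the principal would be written.
    """
    if len(buf) < 2 or buf[0] != 0x05:
        raise CcacheError("not a krb5 FILE ccache")
    version = buf[1]
    if version not in (3, 4):
        # v1/v2 are native-endian and v1 counts the realm as a component;
        # neither is worth supporting in a modern client.
        raise CcacheError("unsupported ccache version %d" % version)
    off = 2
    if version == 4:
        # Header: uint16 total length, then (tag, len, data) fields.
        # Tag 1 is the KDC time offset; nothing here needs it, so skip all.
        hlen, off = _u16(buf, off)
        end = off + hlen
        if end > len(buf):
            raise CcacheError("truncated header")
        while off < end:
            _tag, off = _u16(buf, off)
            tlen, off = _u16(buf, off)
            off += tlen
        if off != end:
            raise CcacheError("malformed header")
    _name_type, off = _u32(buf, off)
    ncomp, off = _u32(buf, off)
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode("utf-8"))
    return "/".join(comps), realm.decode("utf-8")


def sasl_username_from_ccache(buf):
    """Username to hand to SASL, or None when there is no usable default.

    None models the case the thread describes: with no default credential
    the username stays NULL and the client has to ask the user instead.
    """
    try:
        name, realm = default_principal(buf)
    except CcacheError:
        return None
    return "%s@%s" % (name, realm)


# Constructed sample: a version-4 cache for alice@EXAMPLE.COM, cut off
# right after the default principal (credentials would follow here).
SAMPLE_CCACHE_V4 = (
    b"\x05\x04"                              # FILE ccache, version 4
    + b"\x00\x0c"                            # header length: 12 bytes
    + b"\x00\x01\x00\x08" + b"\x00" * 8      # tag 1 DeltaTime, zero offsets
    + b"\x00\x00\x00\x01"                    # name_type KRB5_NT_PRINCIPAL
    + b"\x00\x00\x00\x01"                    # one name component
    + b"\x00\x00\x00\x0b" + b"EXAMPLE.COM"   # realm
    + b"\x00\x00\x00\x05" + b"alice"         # component
)

# Constructed sample: a version-3 cache (no header) for a two-component
# service principal, host/www.example.com@EXAMPLE.COM.
SAMPLE_CCACHE_V3 = (
    b"\x05\x03"
    + b"\x00\x00\x00\x01"
    + b"\x00\x00\x00\x02"
    + b"\x00\x00\x00\x0b" + b"EXAMPLE.COM"
    + b"\x00\x00\x00\x04" + b"host"
    + b"\x00\x00\x00\x0f" + b"www.example.com"
)

if __name__ == "__main__":
    print(sasl_username_from_ccache(SAMPLE_CCACHE_V4))
    print(sasl_username_from_ccache(SAMPLE_CCACHE_V3))
    print(sasl_username_from_ccache(b""))
```

Pointing this at a real cache is a matter of reading the file named by KRB5CCNAME (minus its FILE: prefix); the parser stops after the default principal, so the ticket material that follows is never touched.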

