[Spice-devel] [spice-gtk v2] sasl: fix SASL GSSAPI by allowing NULL username
Pavel Grunt
pgrunt at redhat.com
Fri Jun 10 11:23:09 UTC 2016
On Fri, 2016-06-10 at 12:22 +0300, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Pavel Grunt wrote:
> > > > How does it affect info about auth failure provided by
> > > > spice_channel_failed_authentication() ?
> > > If c->auth_needs_username is set, spice_channel_failed_authentication()
> > > will tell that a username is required. This is certainly true -- if SASL
> > > GSSAPI failed, username/password are indeed required. So it wouldn't be
> > > a problem, at least from my reading of the code and tests with spicy
> > > tool.
> > >
> > > However, there is a problem with cases like virt-manager which assumes
> > > there is only a password per channel required and never shows you a
> > > request to enter username in case of SASL GSSAPI failure. When you enter
> > > a password, the underlying code would complain that username is missing
> > > but no way to enter username would be provided. This is virt-manager's
> > > issue
> > Is there a bug ?
> No, now I'm not able to reproduce it when SASL GSSAPI is fixed.
ok, I'm just asking :).
I think virt-viewer / remote-viewer handles it correctly (shows dialog with
username and password fields). But it may be interesting for virt-manager to
have it fixed.
> Do you want a bug for the case when you don't have a valid ticket in the
> ccache?
Not sure if spice-gtk should be taking care of the validity of the ticket - it
should report an error to the user.
>
> > (not related to the patch - it would be nice to rewrite/clean up the "SASL"
> > part
> > of spice-channel.c)
> There could be a bit of clean up but the main auth code is correct.
>
> I would perhaps add support to optionally allow TGT delegation but we
> would need it only once we would build up a channel to sign in into a
> VM so that TGT could be forwarded into a VM's ccache.
>
It can be a good feature.
Thanks,
Pavel