GSS implementation in ldap_child #6400

Closed
Conversation

thalman (Contributor) commented Oct 20, 2022

With this patch, ldap_child is able to obtain a Kerberos
ticket via GSS API instead of using the Kerberos library.

The patch uses environment variable GSS_USE_PROXY to decide
whether to use GSS API or kerberos libraries. If this variable is
set to any value, GSS API is used. Note that this variable
is used by GSS libraries too.

Setting this variable to "yes" causes the GSS library
to communicate with GSS proxy and therefore GSS proxy must be
configured in advance to accept SSSD requests.

By setting this variable to (for example) "no", ldap_child still
uses the GSS API to get the Kerberos ticket, but it is done
directly - without communicating with GSS proxy. In such a case
ldap_child still needs permission to access the keytab (i.e. must
run as a privileged user).

If the variable is unset, ldap_child works the old way.

Code scanning / CodeQL warning on the new function

    static krb5_error_code ldap_child_get_tgt_gss_sync(TALLOC_CTX *memctx,

Poorly documented large function: fewer than 2% comments for a function of 222 lines.
@thalman thalman force-pushed the gss2 branch 4 times, most recently from a314a4a to b56a1e8 on February 1, 2023 18:25
@thalman thalman changed the title WIP: GSS implementation in ldap_child to GSS implementation in ldap_child on Feb 2, 2023
@thalman thalman requested a review from sumit-bose on February 2, 2023 09:20
@thalman thalman force-pushed the gss2 branch 2 times, most recently from 3c2a0b4 to 4b28152 on February 2, 2023 09:25
@alexey-tikhonov alexey-tikhonov added the no-backport (This should go to target branch only.) label on Feb 2, 2023
alexey-tikhonov (Member) commented
Hi @thalman, @sumit-bose.

As Tomáš explained, currently 3 variants are supported in "run time" (simultaneously):

  1. GSS_USE_PROXY = yes => use 'GSS proxy' via 'GSS library'
  2. GSS_USE_PROXY = !yes => 'GSS library' works with 'keytab' directly
  3. GSS_USE_PROXY unset => fallback to "legacy" (current) way (SSSD works with 'keytab' directly)

Further, Tomáš explained that the difference between (3) and (2) is that (3) can handle a "worst case scenario "*" wildcard for matching principals" (and (2) can't), but Sumit is working on a patch that will allow handling this case in (2) as well.

I propose:

  • to have a dedicated branch (here, at the upstream repo) for this feature (like feature-gss_proxy-support), where we could test (and eventually merge) all relevant patches together
  • to make this (entire) feature build-time configurable (./configure option)
  • to not support all 3 variants at run time: support (1) & (2) if the feature is enabled, fall back to (3) if the feature is disabled.

Besides, I think it would be also great to include required gss proxy configuration snippet (/etc/gssproxy/) into this branch.

What would you say?

alexey-tikhonov (Member) commented Mar 7, 2023

Sumit said we would need changes in 'gss lib' (at the very least, or maybe even in 'gss proxy') to fully support our use case.
Still, he thinks it makes sense to build patches from this PR in Fedora to gather some feedback.
Thus my proposal to have a single 'feature branch' and merge everything together is void.

But nonetheless we need to include in this PR:

  • gss proxy configuration snippet (/etc/gssproxy/);
  • ./configure option to enable/disable feature (so that we can build and enable by default in Fedora 39 but wouldn't build for stable releases).
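The kind of gssproxy service definition requested above, added here as an illustration and not taken from the PR or from SSSD; the service name, file name, ldap_child path, euid and ccache path are assumptions, and only the GSS_USE_PROXY=yes variant (1) goes through gssproxy at all.

```ini
# /etc/gssproxy/60-sssd-ldap-child.conf (assumed file name; gssproxy loads
# every file in /etc/gssproxy/ in lexical order)
[service/sssd-ldap-child]
mechs = krb5
# Restrict the service to one executable running under one euid.
# Both values are assumptions for this illustration: under variant (1)
# the euid is whatever uid ldap_child is run with.
program = /usr/libexec/sssd/ldap_child
euid = 0
# ldap_child only needs to obtain a TGT; it never accepts a context.
cred_usage = initiate
# The keytab is read by gssproxy alone. The client side only ever sees
# the encrypted handle ("Encrypted/Credentials/v1@X-GSSPROXY" in klist),
# which is why libkrb5 cannot parse what it gets back.
cred_store = keytab:/etc/krb5.keytab
# Where gssproxy keeps the acquired credentials, one cache per client uid.
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
```

With GSS_USE_PROXY set to anything other than "yes", the GSS library reads the keytab itself and this service is never contacted, so ldap_child then needs read access to the keytab as the description says.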

alexey-tikhonov (Member) commented
Additionally, could you please also:

  • update spec file (Requires, BuildRequires)
  • add :relnote: / :packaging: / :config: to the commit message

goto done;
}

major = gss_krb5_copy_ccache(&minor, creds, ccache);

Hi,

if I understand it correctly, gss_krb5_copy_ccache() cannot be used with gss-proxy because gss-proxy will only return an encrypted blob (01/01/1970 00:00:00 01/01/1970 00:00:00 Encrypted/Credentials/v1@X-GSSPROXY: in the klist output) which cannot properly be parsed by libkrb5 calls.

But it should be possible to let gss_acquire_cred_from() write the creds directly into a ccache by adding a "ccache" cstore element.

bye,
Sumit

@thalman thalman closed this Sep 11, 2024
thalman (Contributor, Author) commented Sep 11, 2024

This is not needed any more

Labels: Changes requested, no-backport (This should go to target branch only.)