On Fri, 2018-01-05 at 10:10 +0000, James Hogarth wrote:
On 5 January 2018 at 09:35, David Woodhouse
<dwmw2(a)infradead.org> wrote:
> On Fri, 2018-01-05 at 09:23 +0100, Jan Kurik wrote:
> >
> >
> > == Detailed Description ==
> > Replace older, clunkier, less user-friendly python interfaces to
> > Kerberos with python-gssapi. python-gssapi uses the GSSAPI interface,
> > which is widely standardized, implemented by both MIT and Heimdal
> > Kerberos, and much more user-friendly.
> >
> > As part of this effort, python-requests-gssapi will be introduced to
> > fedora to enable transition off of python-requests-kerberos (which
> > requires pykerberos). Its package review (completed as of 2018-01-03)
> > was rhbz#1527682
>
> In affected components, presumably this should fix authentication to
> services where GSSAPI needs to fall back from Kerberos to GSS-NTLMSSP.
>
> If possible, it would be nice to include that fallback in any testing
> that gets done.
Note that python-requests-kerberos is a fairly common library used in
the Windows managed by Ansible world.
Although many use the basic ntlm auth the single sign on aspect of the
Kerberos library is useful.
There is a general transition to CredSSP recommended for windows
Ansible users (which is somewhat waiting on me in Fedora... Christmas
was busy... and only covers ntlm not kerberos at this time) but we
will want to avoid dropping that for the time being or at least
provide some guidance or a pull request for python-winrm to use
python-requests-gssapi instead of (or in addition to)
python-requests-kerberos.
I've cc'd jborean as he's responsible for python-requests-credssp and
should probably be aware of the the pykerberos -> python-gssapi stuff
for his development activities.
Can we avoid using ntlm_auth in new packages and instead use gssapi
with gss-ntlmssp ?
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc