On Wed, 2012-07-18 at 10:11 -0400, Simo Sorce wrote:
This is sadly a final NACK.
We discussed this on IRC, and we agreed this approach is a dead end.
There are various reasons.
The concurrency issue comes in in threaded applications where multiple
threads use kerberos at the same time (gss-proxy is one such example).
Another issue is the fact that talloc is still used statically compiled
in some samba binaries and dragging in talloc as a dependency to the
kerberos library (also used by samba) could cause very bad issues if the
2 versions do not match precisely.
In general we should try to do as little as possible in the locator
plugin itself as it runs within applications that link libkrb5.
A preliminary consensus seems to be that we should adopt a sss-client
like interface so we can just reuse our client code already used with
nss and pam interfaces there and the memory cache with it, the shared
cache and all the client code is already thread safe and most
importantly it is already well tested as safe and reduces the amount of
memory management and need for parsing to nothing not already
implemented.
Stephen will post later a new design document for this feature.
I've begun a new design here:
https://fedorahosted.org/sssd/wiki/DesignDocs/KerberosLocator
It is incomplete. I still need to define the provider behavior, the SBUS
protocol and a variety of other things, but I've gotten started.
Recommendations are surely welcome.