
Using GSSAPI without implicit static/global variables

I've been looking more and more at using Heimdal's GSSAPI layer to
replace the hacked up version we have in Samba4.  However, we have a
strong move against global variables, due to the possible use of threads
(and a general distrust of them...).

The particular use case I'm worried about is when we have the client
libraries used in a threaded manner, such that two different Kerberos
principals are being used to contact two different servers.  It would
seem impossible to do this in a thread-safe manner, because at the very
least, the ccache is tied to the gss_krb5_context, and is therefore a
global variable.  Even without threads, it looks messy to switch around
the ccache before all the respective calls.

It would seem a logical extension that gss_init_sec_context() should
match MIT 1.4, which allows the caller to specify a security context to
the first pass.  (I could then add another function to setup this
context correctly).

In this vein, I'm attempting an experiment to remove the global
gssapi_krb5_context variable, in favor of a more local context attached
to the existing structures.  

What I'm wondering (with regard to global variable elimination) is:
 - Has this been tried before (and found some insurmountable obstacle?)
 - Is this something that would be accepted back upstream?
 - How does this interact with the port of MIT's mechglue that PADL has

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
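
The ccache mix-up described in the message above, as an added example that is not part of the original post and is not Heimdal or Samba code: a small C model that drives a process-wide context and a per-connection context through the same interleaving of two callers. The struct and function names and the two principals are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Heimdal code: a ccache is reduced to the
 * principal whose tickets it holds. All names below are assumptions. */
struct ccache { const char *principal; };
struct krb5_ctx { const struct ccache *cc; };

/* Design 1: one process-wide context, like a global gssapi_krb5_context. */
static struct krb5_ctx global_ctx;
static void global_set_ccache(const struct ccache *cc) { global_ctx.cc = cc; }
/* Returns the principal the initiator token would be issued for. */
static const char *global_init(void) { return global_ctx.cc->principal; }

/* Design 2: the context is carried by the per-connection structure. */
struct conn { const char *server; struct krb5_ctx ctx; };
static void conn_setup(struct conn *c, const char *srv, const struct ccache *cc)
{
    c->server = srv;
    c->ctx.cc = cc;
}
static const char *conn_init(const struct conn *c) { return c->ctx.cc->principal; }

static const struct ccache alice = { "alice@EXAMPLE.COM" };  /* constructed */
static const struct ccache bob   = { "bob@EXAMPLE.COM" };    /* constructed */

/* Schedule: caller A selects its ccache, caller B selects its own before A
 * reaches init. Returns the principal A actually authenticates as. */
const char *global_design_principal_for_a(void)
{
    global_set_ccache(&alice);   /* caller A, about to contact server1 */
    global_set_ccache(&bob);     /* caller B, about to contact server2 */
    return global_init();        /* caller A resumes */
}

const char *local_design_principal_for_a(void)
{
    struct conn a, b;
    conn_setup(&a, "server1", &alice);
    conn_setup(&b, "server2", &bob);   /* same schedule, no shared state */
    (void)conn_init(&b);
    return conn_init(&a);
}

int main(void)
{
    printf("global context: A authenticates as %s\n", global_design_principal_for_a());
    printf("local context:  A authenticates as %s\n", local_design_principal_for_a());
    return 0;
}
```

With the shared context, caller A ends up presenting the other caller's credentials to its server; with the context held per connection, the same schedule keeps each principal with its own connection.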
