I've been looking more and more at using Heimdal's GSSAPI layer to replace the hacked up version we have in Samba4.

However, we have a strong move against global variables, due to the possible use of threads (and a general distrust of them...).

The particular use case I'm worried about is when we have the client libraries used in a threaded manner, such that two different Kerberos principals are being used to contact two different servers. It would seem impossible to do this in a thread-safe manner, because at the very least, the ccache is tied to the gss_krb5_context, and is therefore a global variable.

Even without threads, it looks messy to switch around the ccache before all the respective calls. It would seem a logical extension that gss_init_sec_context() should match MIT 1.4, which allows the caller to specify a security context to the first pass. (I could then add another function to set up this context correctly).

In this vein, I'm attempting an experiment to remove the global gssapi_krb5_context variable, in favor of a more local context attached to the existing structures.

What I'm wondering (with regard to global variable elimination) is:

- Has this been tried before (and found some insurmountable obstacle?)
- Is this something that would be accepted back upstream?
- How does this interact with the port of MIT's mechglue that PADL has done?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
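Added example, not part of the original message and not Heimdal or Samba code: a small C model of the concern raised above, replaying two clients that each switch the ccache and then start a handshake, once against a single shared context and once with a context attached to each client's own handle. Every identifier, principal name and schedule here is constructed for illustration, and a ccache is reduced to the name of the principal it holds.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: all names are hypothetical, none are Heimdal APIs. */
struct model_ctx { const char *ccache; };

enum op { SWITCH_CCACHE, INIT_SEC_CONTEXT };
struct step { int client; enum op op; };

static const char *principal_of[2] = { "alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG" };

/* Replay a schedule of steps from two clients and count the handshakes that
 * would authenticate as the wrong principal.
 * use_global != 0: both clients share one context (the global design).
 * use_global == 0: each client owns a context attached to its own handle. */
int wrong_identities(const struct step *sched, int n, int use_global)
{
    struct model_ctx shared = { NULL };
    struct model_ctx own[2] = { { NULL }, { NULL } };
    int wrong = 0;

    for (int i = 0; i < n; i++) {
        int c = sched[i].client;
        struct model_ctx *ctx = use_global ? &shared : &own[c];

        if (sched[i].op == SWITCH_CCACHE)
            ctx->ccache = principal_of[c];
        else if (ctx->ccache == NULL || strcmp(ctx->ccache, principal_of[c]) != 0)
            wrong++;   /* handshake picked up another client's ccache */
    }
    return wrong;
}

/* Each client switches the ccache and calls init with nothing in between. */
const struct step serialized[4] = {
    { 0, SWITCH_CCACHE }, { 0, INIT_SEC_CONTEXT },
    { 1, SWITCH_CCACHE }, { 1, INIT_SEC_CONTEXT },
};
/* Same steps, but client 1 switches the ccache before client 0 calls init. */
const struct step interleaved[4] = {
    { 0, SWITCH_CCACHE }, { 1, SWITCH_CCACHE },
    { 0, INIT_SEC_CONTEXT }, { 1, INIT_SEC_CONTEXT },
};

int main(void)
{
    printf("shared context, serialized:  %d wrong\n", wrong_identities(serialized, 4, 1));
    printf("shared context, interleaved: %d wrong\n", wrong_identities(interleaved, 4, 1));
    printf("per-handle,     interleaved: %d wrong\n", wrong_identities(interleaved, 4, 0));
    return 0;
}
```

In the model, the shared context is only correct when nothing runs between a client's switch and its handshake, which is the property a threaded caller cannot guarantee without an external lock.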