Big Sur & MIT Kerberos no longer interoperate
Greg Hudson
2021-03-20 06:13:43 UTC
So we have noticed in our testing that SOMETHING has changed on Big Sur,
and MIT Kerberos and the vendor MacOS X Kerberos no longer interoperate.
Specifically, MIT Kerberos and Big Sur Kerberos cannot see each other's
credential caches; a "kinit" with one implementation has credential
caches that are not visible from the other.
From a look at the latest forked Heimdal code on opensource.apple.com,
Apple seems to have switched the default ccache type to a new type
called XCC, which is built on top of a macOS IPC framework called XPC.

It looks like it would require a fair amount of code for us to
interoperate with the XCC cache, and unlike the KCM code, it wouldn't
give us ancillary benefits on other platforms. So I'm not certain what
we'll do. One option is to create a public ccache pluggable interface
to allow maintenance of an XCC plugin module outside of our tree, but
that (1) assumes someone would put in that work, and (2) would be harder
to deploy than just building MIT krb5 and having it use the native
ccache automatically.
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Ken Hornstein
2021-03-20 13:39:53 UTC
Post by Greg Hudson
It looks like it would require a fair amount of code for us to
interoperate with the XCC cache, and unlike the KCM code, it wouldn't
give us ancillary benefits on other platforms. So I'm not certain what
we'll do. One option is to create a public ccache pluggable interface
to allow maintenance of an XCC plugin module outside of our tree, but
that (1) assumes someone would put in that work, and (2) would be harder
to deploy than just building MIT krb5 and having it use the native
ccache automatically.
One relatively simple possibility is to create a shim layer that
dlopen()'s the Heimdal framework and calls the appropriate credential
cache functions.

I kind of have to solve this problem sooner rather than later, and I
don't mind doing the work and contributing it to MIT. Like everyone
else, we have been telling everyone not to upgrade to Big Sur, but I
know eventually systems are going to start shipping with Big Sur (and
of course Apple Silicon systems already are). If we could work out an
acceptable approach I can get to work on that and see where it leads me.
Maintaining an out-of-tree plugin ... well, we do that for some things,
but I can tell you from experience that it sucks. It's not so bad on
server systems that you manage, but it is a huge pain on client systems
that are administrated by users.

--Ken
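A sketch of the shim approach Ken describes, as an added example that is not code from the thread, from MIT krb5 or from Apple's Heimdal fork: it dlopen()s whichever Kerberos library is present, asks it for its default credential cache name, and splits off the cache type, so an administrator can confirm from a script whether the native library defaults to XCC while MIT krb5 uses something else. The framework paths and library names in CANDIDATES are assumptions about the platform layout, not values taken from the thread.

```python
import ctypes

# Libraries to try, in order (assumed paths, not from the thread): Apple's
# frameworks first, then MIT/Heimdal shared objects so the same code runs
# against a Linux build of libkrb5.
CANDIDATES = (
    "/System/Library/Frameworks/Kerberos.framework/Kerberos",
    "/System/Library/PrivateFrameworks/Heimdal.framework/Heimdal",
    "libkrb5.so.3",
    "libkrb5.dylib",
)


def load_krb5(candidates=CANDIDATES):
    """dlopen() the first loadable Kerberos library; None if none loads."""
    for name in candidates:
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def default_ccache_name(lib):
    """Call krb5_init_context/krb5_cc_default_name through the loaded library."""
    init = lib.krb5_init_context
    init.argtypes = [ctypes.POINTER(ctypes.c_void_p)]
    init.restype = ctypes.c_int32
    cc_default_name = lib.krb5_cc_default_name
    cc_default_name.argtypes = [ctypes.c_void_p]
    cc_default_name.restype = ctypes.c_char_p  # owned by the context
    free_ctx = lib.krb5_free_context
    free_ctx.argtypes = [ctypes.c_void_p]
    free_ctx.restype = None

    ctx = ctypes.c_void_p()
    rc = init(ctypes.byref(ctx))
    if rc != 0:
        raise RuntimeError(f"krb5_init_context failed with code {rc}")
    try:
        name = cc_default_name(ctx)
        return name.decode() if name else ""  # copy out before freeing ctx
    finally:
        free_ctx(ctx)


def split_ccache_name(name):
    """Split 'TYPE:residual'; a bare path (no type prefix) means FILE."""
    head, sep, tail = name.partition(":")
    if not sep or name.startswith("/"):
        return ("FILE", name)
    return (head, tail)


def caches_share_type(name_a, name_b):
    """Two implementations can only see each other's caches if types agree."""
    return split_ccache_name(name_a)[0] == split_ccache_name(name_b)[0]


if __name__ == "__main__":
    lib = load_krb5()
    if lib is None:
        print("no Kerberos library found")
    else:
        print("default ccache type:", split_ccache_name(default_ccache_name(lib))[0])
```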
Greg Hudson
2021-03-20 16:07:37 UTC
Post by Ken Hornstein
One relatively simple possibility is to create a shim layer that
dlopen()'s the Heimdal framework and calls the appropriate credential
cache functions.
Sure, that would be acceptable.
