From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | pgsql-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: SSPI authentication - patch |
Date: | 2007-07-20 16:18:13 |
Message-ID: | 46A0E045.7050207@hagander.net |
Lists: | pgsql-patches |
Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>> On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote:
>>> My thinking would be to have the autoconf to disable it, but enable it
>>> by default. I don't feel particularly strongly about it though.
>> Do you see a use-case where someone would disable it? I'll be happy to add
>> the switch if you do, it's not hard to do, but adding a switch just for the
>> sake of adding a switch is not something I like :-)
>
> Eh, I could contrive one but, as I said, I don't feel particularly
> strongly about it. How about we go w/o it for now and see if anyone
> asks for it.
Sounds like a plan.
>> The change is there because the majority of windows installs will
>> be using Active Directory, at least that's what I would expect. Certainly
>> not all, but most. It's a way of lowering the bar for the majority, at the
>> expense of the minority ;-)
>
> It's also at the expense of backwards compatibility. :/ People who are
> currently using the krb5 auth mechanism with AD are used to having to
> flip that or set the environment variable while people who have been
> using it with an MIT KDC may get surprised by it.
Yeah, that's certainly the expense of it :-( It's helping the newbies
though.
>> That said, I actually intended to submit that as a separate patch for
>> separate discussion. If people are against it, I'll be happy to drop that
>> part.
>
> My main concern is that it's a backward-incompatible change. I realize
> that it's likely going in the direction of the majority on Windows but
> it seems to me like it's not something we should just 'do'. That
> said, I don't see it as a problem for me since I've got a reasonably
> small user-base (10s, not 100s or 1000s) of Windows users and setting
> the environment variable shouldn't be an issue.
Right. For now, I'll pull it out of that patch, and we can have a
separate discussion about it. I'd certainly like to hear someone else
than just me and you say something about it :-)
>> Again, it's not related to the library used, it's related to the KDC. And
>> we can't detect that, at least not early enough.
>
> That's true, but if we used upper-case with something NEW (SSPI) while
> keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're
> not breaking backwards compatibility while also catering to the masses.
> I guess I don't see too many people using SSPI w/ an MIT KDC, and it
> wasn't possible previously anyway.
>
> What do you think?
Hmm. It makes the default a lot less clear, and opens up for confusion.
So I'm not so sure I like it :-)
Plus, it's not as easy to implement - you have to consider how it gets
affected by say manual specification of --with-krbsrvnam etc.
//Magnus