On Thu, 14 Aug 2014, Steve Holme wrote:

> You will have noticed that I have started to push my GSSAPI
> commits.

I have just pushed the last of my changes from my branch and included updates to documentation that I wrote last night.

> It seems that whilst the email protocols pretty much follow
> RFC4752 there are some suitable differences (probably due
> to ambiguity between RFC4752 and RFC2222?) - certainly with
> Exchange server anyway.

Anyone reviewing the code will note that Curl_sasl_create_gssapi_user_message() supports a mutual authentication flag - this is currently FALSE in each of the email protocols although setting it to TRUE does work ;-)

TRUE should probably be the default but I would like to be able to override this from curl's command line but... reading the existing options and help from source code and documentation I have got myself a little confused and can't work out whether or not I can use --krb LEVEL at all.

I would appreciate it if someone could help me with the following:

a) Is this option used in the current krb5 (GSS-API) code that FTP/Socks5 uses or is it a krb4 only option?

b) If it is a krb4 only option shouldn't it be removed to avoid any confusion?

c) Are there any other options that control krb5 (either via our GSS-API implementation in FTP/socks5 or in the SSPI socks5 code) as I can't find any myself?

> Note: From my own testing I found that I had to specify
> the username with the Windows Domain name prefixed
> to it if the username was specified in -u, for example,
> "-u MY-DOMAIN\steve.holme"

I have added this to the documentation - if anyone else finds differently, then I would be interested to know and we can update the docs accordingly ;-)

> I also found that the SPN had to be a fully registered SPN,
> so if you have an alias for a mail server for example as I do:

I will probably add this to the documentation as well - for --url

> Finally, I would like to ask a favour of my fellow curl SSPI
> developers to review my next patch.

As I mentioned above all working code is now in... so if anyone fancies performing a review it would be appreciated, there's obviously quite a bit and my apologies for a last minute feature!

You will also have noticed that I pushed some bug fixes last weekend, as I scrutinised our existing SSPI code for help and inspiration whilst struggling with SASL GSSAPI.

In the process I also noticed that our socks5 SSPI implementation (socks_sspi.c) doesn't have the ability to use the user name and password as specified by --proxy-user and subsequently CURLOPT_PROXYUSERPWD / CURLOPT_PROXYUSERNAME. Essentially it suffers the same bug / limitation that the SSPI Negotiate implementation did before commit f8a8ed73fe. It will be quite an easy fix to do but I don't have the ability to test it here - unless someone has access to a Windows based socks 5 server I can borrow for testing?

Finally, a bit of a cheeky request - but does anyone fancy the challenge of implementing the SASL GSSAPI support for GSS-API (via Heimdal or MIT Kerberos) ;-)

Kind Regards

Steve
