Closed jborean93 closed 3 years ago
Thanks for the PR! This PR seems not to be specific to macOS, and it seems to be a new feature about adding HEIMDAL
support while we currently use MIT Kerberos. Any new feature needs to be triggered by the OMI PM/Manager internally and there is some process internally; if you want to do this new feature, the best way is to have a customer request a DCR internally, and then there might be some process to trigger it. The PM will determine whether to trigger it or not internally based on business justification, etc., just like that.
> this PR seems be not special to MacOS

I somewhat disagree; macOS uses Heimdal, so fixing one fixes the other.
> And any new feature needs to be trigger by OMI PM/Manager internal and there is some process internal

Disappointing that an "open source" project still needs to have an internal review that is completely opaque to contributors. You may as well just remove the repo and keep everything internal.
Ultimately this is maintained by some team in Microsoft. If they don't want fixes for their code that's contributed by outsiders then good luck to them. Feel free to take whatever you want from here in the future if you desire. I'll just maintain my own fork for my own purposes.
The current code has a few problems when running on macOS:

- The `HEIMDAL` macro was not set on macOS, this causes it to try and load the wrong names.
- `GSS_C_NT_HOSTBASED_SERVICE` is not used anywhere in the code (although it probably should be).
- `GSS_KRB5_NT_PRINCIPAL_NAME` is valid for MIT krb5 but on Heimdal it needs to be accessed with `__gss_krb5_nt_principal_name_oid_desc`.

Finally there was an issue when using an IP that was not routable. The `getaddrinfo()` function would set a `NULL` value for `ai_canonname`. This causes a seg fault when calling `strlen(info->ai_canonname)`. Instead this just falls back to using the HTTP hostname that was set and let it fail later on.

Ultimately this enables Kerberos auth to work on macOS.
Unfortunately enabling NTLM auth through SPNEGO requires a lot more effort that I still need to investigate. Right now the code sends the NTLM negotiate and processes the challenge message but it fails to send the authenticate message causing a failure. Hopefully it's a simple fix I can address in another PR.
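The `ai_canonname` crash described in the PR, shown as an added C example that is not the OMI project's code: a NULL-safe chooser for the SPN host that falls back to the configured HTTP hostname, plus a resolver wrapper around `getaddrinfo()` with `AI_CANONNAME`. The function names `spn_host_from_addrinfo` and `resolve_spn_host` are assumptions for illustration.

```c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Pick the host part of the Kerberos SPN. getaddrinfo() may legitimately
 * leave ai_canonname NULL (the PR saw this with a non-routable IP), and
 * strlen() on that NULL is the segfault being fixed. Fall back to the
 * hostname the HTTP layer was configured with and let the Kerberos
 * exchange fail later if that name turns out to be wrong. */
const char *spn_host_from_addrinfo(const struct addrinfo *info, const char *http_host)
{
    if (info != NULL && info->ai_canonname != NULL && info->ai_canonname[0] != '\0')
        return info->ai_canonname;
    return http_host;
}

/* Resolve http_host with AI_CANONNAME and copy the chosen SPN host into out.
 * Returns 0 on success, -1 if the name does not fit in out. A resolver
 * failure is not fatal: the configured hostname is used unchanged. */
int resolve_spn_host(const char *http_host, char *out, size_t outlen)
{
    struct addrinfo hints, *info = NULL;
    const char *chosen;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;

    rc = getaddrinfo(http_host, NULL, &hints, &info);
    chosen = spn_host_from_addrinfo(rc == 0 ? info : NULL, http_host);

    /* Copy before freeaddrinfo(): chosen may point into info. */
    if (strlen(chosen) >= outlen) {
        if (info != NULL) freeaddrinfo(info);
        return -1;
    }
    strcpy(out, chosen);
    if (info != NULL) freeaddrinfo(info);
    return 0;
}
```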