The krb5_{ccache,keytab,client_keytab} parameters are replaced with a
multivalued "cred_store" parameter instead.

krb5_keytab = /etc/krb5.keytab

becomes:

cred_store = krb5_keytab:/etc/krb5.keytab

Likewise for the "krb5_ccache" and "krb5_client_keytab" parameters.

This call returns an allocated array of strings. It allows to return multiple
values for a single parameter like:

param = value1
param = value2

This cannot be supported with iniparser, so we have to remove iniparser support.

Signed-off-by: Günther Deschner <gdeschner@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

Use /etc/krb5.keytab when nfsd service tries to acquire creds and
no id is specified in desired_name.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>

This is the only thread safe way to pass in aribitrary values for all the bits
of environment we want to use when doing impersonation within gss-proxy.

Requires MIT version 1.12 for the client_keytab part to be operational.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>

This way it can be reused for keytab path names too

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>

In case the name type is GSS_C_NT_STRING_UID_NAME or GSS_NT_MACHINE_UID_NAME
we want to be able to impersonate the user referenced by the uid.

This is allowed exclusively for trusted services otherwise a generic
unprivileged application would be allowed to impersonate any user if there are
credentials available on the system or client keytabs installed.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Günther Deschner <gdeschner@redhat.com>