On Tue, 2005-05-17 at 01:36 +1000, Andrew Bartlett wrote:
> Just a quick note to let a few more people know that I am putting
> together a rough text document describing various things about kerberos.
> I'm sure parts are just complete fiction, but I'm still new to many
> parts of this game. :-)
>
> The idea is to write down the special things Samba4 will need from
> GSSAPI/Kerberos libraries and KDC implementations, however we end up
> producing things.

So, things have progressed a lot over the last week, and I want to fill in the various concerned lists as to my current status, and the research direction.

KDC
---

The research direction so far shows that Samba4 can use Heimdal kerberos for its KDC needs: the only major remaining issue is the PAC generation, and I know this is at least possible.

We are currently looking at how we will start and plug into the KDC, and I'm wondering if we can do so by linking the KDC code directly into the main smbd process, just like our other services. Linking directly 'in process' has a number of advantages, particularly because I can then use many of the other facilities of Samba4 behind the heimdal interfaces. For example I can use our UTF8 manipulation code, our full db layer (including ACLs as required for the password change daemon), and not rely on getting all these bits into shared/static libraries.

My current feeling is that Samba may well ship its own KDC (based either on Heimdal, our own code or potentially some other codebase) for some time into the future. To whatever extent Samba includes a derivative of another distribution of kerberos, the aim would be to keep the 'diff' between the two projects as small as possible, while integrating the code for minimum administrative and engineering pain. At an engineering level, this might entail a libkdc.a supplied either with Samba, or perhaps at some long-future date, supplied by the operating system.
Client Libs
-----------

A more open question surrounds the client libraries - Samba has very particular needs for a 'state machine safe', 'asynchronous' and (to a lesser extent) thread safe GSSAPI layer. I'm still looking at what pain it will take to modify Heimdal (mostly looking at the gssapi_krb5_context) to meet these requirements. I also need to look at GNU GSS and the MIT libs here. I intend to write some tests to show the safety or otherwise of these libs, by constructing and using parallel contexts.

In the short-term, my current research indicates that it should be viable for Samba4 to ship a modified snapshot of Heimdal's GSSAPI/Kerberos library, and use that library if the system libs are not found suitable. Indeed, my hope is that in the long-term, we will not need to maintain these in Samba, and we will be able to use whichever brand of system kerberos lib is available. How this interacts with KDC design will be another important point to watch.

> The current version (updated from SVN) is at:
> http://samba.org/ftp/unpacked/samba4/source/auth/kerberos/kerberos-notes.txt

I hope to keep this updated, as I make things more concrete.

In any case, this mail is a request for discussion - I want to know if I'm mad, and if so, what other solutions/suggestions do you have? I do realise that the idea of a 'Samba KDC' still makes a number of people uncomfortable, but I'm also at a loss to find software engineering reasons to propose any other forward direction. That is why I'm writing this mail.

BTW, I also look forward to the public release of the code behind http://web.mit.edu/jaltman/Public/Samba-XP-Presentation.pdf to see how it compares/complements/contrasts with our current approach.

Andrew Bartlett

--
Andrew Bartlett                                 http://samba.org/~abartlet/
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   http://hawkerc.net