svn commit: samba r12422 - in branches/SAMBA_4_0/source/auth/kerberos: .

abartlet at samba.org
Thu Dec 22 06:50:05 GMT 2005


Author: abartlet
Date: 2005-12-22 06:50:04 +0000 (Thu, 22 Dec 2005)
New Revision: 12422

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=12422

Log:
Some Kerberos comments and clarifications.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
   branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-12-22 06:47:00 UTC (rev 12421)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos-notes.txt	2005-12-22 06:50:04 UTC (rev 12422)
@@ -99,7 +99,14 @@
 
 We implement this in hdb-ldb.
 
+Implicit names for Win2000 Accounts
+-----------------------------------
 
+Despite not having a DNS name, nor a servicePrincipalName on accounts
+created by computers running win2000, it appears we are expected to
+have an implicit mapping from host/computer.full.name and
+host/computer to it's entry.
+
 Returned Salt for PreAuthentication
 -----------------------------------
 
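Review bot: "it's entry" on the last added line should be "its entry" (possessive), and "Despite not having a DNS name, nor a servicePrincipalName" reads more naturally as "Despite having neither a DNS name nor a servicePrincipalName". More importantly, the new section documents an implicit host/computer and host/computer.full.name mapping without saying where it is implemented (the preceding section says "We implement this in hdb-ldb"; does this too?), which account attribute "computer" is derived from, or whether the mapping is limited to computer accounts. Since an implicit mapping means the KDC issues service tickets for names the account never explicitly registered, the note should spell those constraints out.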
@@ -276,12 +283,8 @@
 password is salted by the client.  (That is, no salt infromation
 appears to be convayed from the KDC to the member).
 
-In dealing with this modal, the traditional file keytab seems
-outmoded, because it is not the primary source of the keys, and as
-such we have replaced it with an IN-MEMORY keytab.  This avoids Samba4
-needing to deal with system files for it's internal operation.  (We
-will however forward-port parts of Samba3's net ads keytab, for the
-benifit of other applications).
+In dealing with this modal, we leverage both the traditional file
+keytab and in-MEMORY keytabs.  
 
 When dealing with a windows KDC, the behaviour regarding case
 sensitivity and canonacolisation must be accomidated.  This means that
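Review bot: "modal" in the rewritten first line should be "model" (the word was already wrong in the removed text, but this hunk rewrites that sentence, so fix it here), and "in-MEMORY" is capitalised inconsistently with the "IN-MEMORY" it replaces; since the text is about the MEMORY: keytab type, pick one spelling and use it throughout the file. The removed paragraph also carried the statement that parts of Samba3's net ads keytab would be forward-ported for the benefit of other applications; if that plan still stands, keep a sentence about it rather than dropping it silently. The new second line ends in trailing whitespace.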
@@ -296,10 +299,15 @@
 
 as well as all case variations on the above.  
 
-Because that all got 'too hard' to put into a real keytab (and because we
-still wanted to supply a keytab to the GSSAPI code), we use in-memory
-keytabs, and specify the target name.
+Because that all got 'too hard' to put into a keytab in the
+traditional way (with the client to specify the name), we either
+pre-compute the keys into a traditional keytab or make an in-MEMORY
+keytab at run time.  In both cases we specifiy the principal name to
+GSSAPI, which avoids the need to store duplicate principals.
 
+We use a 'private' keytab in our private dir, referenced from the
+secrets.ldb by default.
+
 Extra Heimdal functions used
 ----------------------------
 (an attempt to list some of the Heimdal-specific functions I know we use)
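Review bot: "specifiy" should be "specify", and "with the client to specify the name" is unclear; suggest "where the client chooses the name". The new paragraph introduces a pre-computed keytab file in the private dir, referenced from secrets.ldb, which holds the same key material as secrets.ldb itself, so the note should say what protects that file (ownership and permissions) and when it is regenerated, for example after a machine password change; otherwise a stale keytab fails silently and a world-readable one exposes the host keys. "in-MEMORY" has the same capitalisation inconsistency as the previous hunk.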

Modified: branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c
===================================================================
--- branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2005-12-22 06:47:00 UTC (rev 12421)
+++ branches/SAMBA_4_0/source/auth/kerberos/kerberos_util.c	2005-12-22 06:50:04 UTC (rev 12422)
@@ -89,6 +89,8 @@
 	} 
 
 	if (ret == 0) {
+		/* This song-and-dance effectivly puts the principal
+		 * into talloc, so we can't loose it. */
 		mem_ctx->smb_krb5_context = talloc_reference(mem_ctx, smb_krb5_context);
 		mem_ctx->principal = *salt_princ;
 		talloc_set_destructor(mem_ctx, free_principal);
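Review bot: typos in the new comment: "effectivly" should be "effectively" and "loose" should be "lose". It would also help to say what the song-and-dance actually is, since the three lines below are exactly what the comment is excusing: talloc_reference keeps smb_krb5_context (and with it the krb5_context the principal was allocated from) alive for as long as mem_ctx lives, and the free_principal destructor releases *salt_princ when mem_ctx is freed, so the principal can neither leak nor outlive its context.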
@@ -115,7 +117,8 @@
 	
 	princ_string = cli_credentials_get_principal(credentials, mem_ctx);
 
-	/* A NULL here has meaning, as the gssapi server case will then use the principal from the client */
+	/* A NULL here has meaning, as the gssapi server case will
+	 * then use the principal from the client */
 	if (!princ_string) {
 		talloc_free(mem_ctx);
 		princ = NULL;
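Review bot: the re-wrap is fine. Because this comment documents that a NULL principal means "use whatever principal the client supplies", it would be worth naming the server-side caller it refers to and stating that the client (initiator) path must never pass NULL here, so a future reader does not treat NULL as a harmless default on both sides.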
@@ -548,7 +551,7 @@
 			 * because deletes during enumeration may not
 			 * always be consistant.
 			 *
-			 * Also, the enumeration locks the keytab
+			 * Also, the enumeration locks a FILE: keytab
 			 */
 		
 			krb5_kt_end_seq_get(smb_krb5_context->krb5_context, keytab, &cursor);
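Review bot: narrowing the comment to "a FILE: keytab" is right, but it should state the consequence that the code immediately below depends on: the enumeration must be ended with krb5_kt_end_seq_get before the entry is removed, because the FILE: backend holds its lock for the duration of the enumeration. "consistant" in the unchanged context line above is also a typo ("consistent") worth fixing while editing this comment.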
