Security with Samba 3.0 and Kerberos

Love lha at stacken.kth.se
Sat Apr 5 23:09:55 GMT 2003


Andrew Bartlett <abartlet at samba.org> writes:

> On Sat, 2003-04-05 at 10:15, Luke Howard wrote:
>> 
>> Also, historically it's the responsibility of the Kerberos client
>> library to manage a replay cache. I don't believe Heimdal has one,
>> though.
>
> So where would it normally maintain such a cache?  In-memory won't work
> due to the fork()ed nature of smbd...
>
> It would be good to be able to address this somehow.

(In MIT) it's in a file; it's parsed when the process starts and then written
to the file (and stored in a hash) for each request. Each request checks the
hash before inserting the request.

So, in a forked architecture you'll have problems if the process can handle
multiple requests.

You can register your own replay cache operations in the Kerberos lib,
however this is undocumented.

Heimdal includes a replay cache, but it is disabled by default.

Love
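
The cross-process problem discussed above, as an added example that is not part of the original message and is not MIT's, Heimdal's or Samba's code: a file-backed replay cache in which every request locks the file and re-reads it, so fork()ed workers share one view instead of each trusting a hash built at startup. The record layout, function names and cache path are assumptions made for illustration.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed record layout; not the MIT or Heimdal on-disk format. */
struct rc_entry {
    char client[64];   /* client principal from the authenticator */
    long ctime, cusec; /* authenticator timestamp: seconds, microseconds */
};

/* 0 = new (now recorded), 1 = already seen by any process, -1 = I/O error. */
int rc_check_and_store(const char *path, const char *client,
                       long ctime, long cusec)
{
    struct rc_entry want, e;
    ssize_t n;
    int rc = 0, fd = open(path, O_RDWR | O_CREAT | O_APPEND, 0600);

    if (fd < 0)
        return -1;
    memset(&want, 0, sizeof(want));
    strncpy(want.client, client, sizeof(want.client) - 1);
    want.ctime = ctime; want.cusec = cusec;
    /* Lookup and insert must be one atomic step, or two children can
     * both accept the same authenticator. */
    if (flock(fd, LOCK_EX) != 0) { close(fd); return -1; }
    /* Re-read the file on every request rather than trusting a hash
     * built at process start: siblings may have appended since. */
    lseek(fd, 0, SEEK_SET);
    while ((n = read(fd, &e, sizeof(e))) == (ssize_t)sizeof(e))
        if (memcmp(&e, &want, sizeof(e)) == 0) { rc = 1; break; }
    if (rc == 0 && n != 0)
        rc = -1; /* read error or torn record: fail closed */
    else if (rc == 0 && write(fd, &want, sizeof(want)) != (ssize_t)sizeof(want))
        rc = -1;
    close(fd); /* closing the descriptor drops the flock */
    return rc;
}

/* Same check from a fork()ed worker; returns its result (255 on error). */
int rc_check_in_child(const char *p, const char *c, long t, long us)
{
    int st = 0;
    pid_t pid = fork();
    if (pid == 0)
        _exit(rc_check_and_store(p, c, t, us) & 0xff);
    return (pid > 0 && waitpid(pid, &st, 0) == pid) ? WEXITSTATUS(st) : -1;
}
```

Entries are matched on the exact (client, ctime, cusec) triple; a principal longer than 63 bytes is truncated, which can only cause a false rejection, never a missed replay.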

