Security with Samba 3.0 and Kerberos
Andrew Bartlett
abartlet at samba.org
Sun Apr 6 03:19:40 GMT 2003
On Sun, 2003-04-06 at 09:09, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
>
> > On Sat, 2003-04-05 at 10:15, Luke Howard wrote:
> >>
> >> Also, historically it's the responsibility of the Kerberos client
> >> library to manage a replay cache. I don't believe Heimdal has one,
> >> though.
> >
> > So where would it normally maintain such a cache? In-memory won't work
> > due to the fork()ed nature of smbd...
> >
> > It would be good to be able to address this somehow.
>
> (In MIT) it's in a file, it's parsed when the process starts and then written
> to the file (and stored in a hash) for each request. Each request checks the
> hash before inserting the request.
>
> So, in a forked architecture you'll have problems if the process can handle
> multiple requests.
Yes, Samba can authenticate multiple users in a single smbd process.
> You can register your own replay cache operations in the Kerberos lib,
> however this is undocumented.
>
> Heimdal includes a replay-cache, but it is disabled by default.
How do you suggest we best deal with this?
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
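
The problem raised in this thread, an in-memory replay cache that fork()ed server processes cannot share, can be illustrated with a file-backed cache whose check-and-insert runs under an exclusive `flock()`. This is an added example, not code from the original message, Samba, MIT Kerberos or Heimdal; the record layout, function names, file path and sample authenticator values are all constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed record layout; a real cache would also store an expiry so
 * entries older than the permitted clock skew can be purged. */
struct rc_entry { char client[64]; long ctime; int cusec; };

/* Returns 0 if the authenticator is new (and records it), 1 if it is a replay,
 * -1 on error. Check and insert run under one exclusive flock(), so two
 * forked servers cannot both accept the same authenticator. */
int rc_check_and_store(const char *path, const char *client, long ctime, int cusec)
{
    struct rc_entry e, want;
    int rc = 0, fd = open(path, O_RDWR | O_CREAT | O_APPEND, 0600);
    if (fd < 0) return -1;
    if (flock(fd, LOCK_EX) < 0) { close(fd); return -1; }
    memset(&want, 0, sizeof want);
    strncpy(want.client, client, sizeof want.client - 1);
    want.ctime = ctime; want.cusec = cusec;
    while (rc == 0 && read(fd, &e, sizeof e) == (ssize_t)sizeof e)  /* scan shared file */
        if (!strncmp(e.client, want.client, sizeof e.client) && e.ctime == ctime && e.cusec == cusec)
            rc = 1;
    if (rc == 0 && write(fd, &want, sizeof want) != (ssize_t)sizeof want)
        rc = -1;  /* O_APPEND places the new record at the end of the file */
    close(fd);    /* closing the descriptor also releases the lock */
    return rc;
}

/* Demo: a forked child (standing in for one smbd process) records the
 * authenticator; the parent, a separate process, must then reject it. */
int demo_replay_across_fork(const char *path)
{
    int status;
    pid_t pid;
    unlink(path);
    if ((pid = fork()) < 0) return -1;
    if (pid == 0)
        _exit(rc_check_and_store(path, "user@EXAMPLE.COM", 1049599180L, 42) != 0);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return rc_check_and_store(path, "user@EXAMPLE.COM", 1049599180L, 42);
}

int main(void) { printf("%d\n", demo_replay_across_fork("/tmp/rc_demo.bin")); return 0; }
```

Each call opens the file itself, so every process holds its own lock, and re-reading the file on each request is what lets one process see entries written by another.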