Security with Samba 3.0 and Kerberos
abartlet at samba.org
Sun Apr 6 03:19:40 GMT 2003
On Sun, 2003-04-06 at 09:09, Love wrote:
> Andrew Bartlett <abartlet at samba.org> writes:
> > On Sat, 2003-04-05 at 10:15, Luke Howard wrote:
> >> Also, historically it's the responsibility of the Kerberos client
> >> library to manage a replay cache. I don't believe Heimdal has one,
> >> though.
> > So where would it normally maintain such a cache? In-memory won't work
> > due to the fork()ed nature of smbd...
> > It would be good to be able to address this somehow.
> (In MIT) it's in a file, it's parsed when the process starts and then written
> to the file (and stored in a hash) for each request. Each request checks the
> hash before inserting the request.
> So, in a forked architecture you'll have problems if the process can handle
> multiple requests.
Yes, Samba can authenticate multiple users in a single smbd process.
> You can register your own reply cache operations in the kerberos lib,
> however this is undocumented.
> Heimdal includes a reply-cache, but it is disabled by default.
How do you suggest we best deal with this?
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
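
Added example, not part of the original message and not MIT, Heimdal or Samba code: a file-backed replay cache in which the lookup and the insert happen under one exclusive file lock, so fork()ed workers share a single view of which authenticators have been seen. The record layout (client, ctime, cusec), the 300-second skew window, the file name and all function names are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

#define RC_SKEW 300 /* assumed window, in seconds, in which an authenticator is accepted */
struct rc_entry { char client[64]; long ctime; int cusec; }; /* assumed record layout */

/* Returns 1 = replay, 0 = new (now recorded), -1 = error or outside the skew window. */
int rc_check_and_store(const char *path, const char *client,
                       long ctime, int cusec, long now)
{
    struct rc_entry e, seen;
    int fd, rc = 0;

    if (ctime < now - RC_SKEW || ctime > now + RC_SKEW) return -1;
    memset(&e, 0, sizeof e);
    strncpy(e.client, client, sizeof e.client - 1);
    e.ctime = ctime; e.cusec = cusec;

    if ((fd = open(path, O_RDWR | O_CREAT, 0600)) < 0) return -1;
    /* Exclusive lock: check and insert are one atomic step across processes. */
    if (flock(fd, LOCK_EX) < 0) { close(fd); return -1; }
    while (read(fd, &seen, sizeof seen) == (ssize_t)sizeof seen)
        if (strncmp(seen.client, e.client, sizeof e.client) == 0 &&
            seen.ctime == e.ctime && seen.cusec == e.cusec) { rc = 1; break; }
    if (rc == 0 && (lseek(fd, 0, SEEK_END) < 0 ||
                    write(fd, &e, sizeof e) != (ssize_t)sizeof e)) rc = -1;
    close(fd); /* closing the descriptor releases the lock */
    return rc;
}

/* One worker records an authenticator; a sibling process then detects the replay. */
int rc_fork_demo(const char *path)
{
    int st, rc;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) { /* child: first sighting, must be accepted */
        rc = rc_check_and_store(path, "alice@EXAMPLE.COM", 1000, 42, 1000);
        _exit(rc == 0 ? 0 : 1);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;
    /* parent: same constructed authenticator again, expected to be flagged */
    return rc_check_and_store(path, "alice@EXAMPLE.COM", 1000, 42, 1000);
}
```

Records older than the skew window are never pruned here; a production cache would expire them while it holds the lock.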