Credentials code extension in Samba4

Andrew Bartlett abartlet at samba.org
Thu Aug 25 22:04:40 GMT 2005


I'm just writing this to the list FYI, and for a bit of feedback from
other Samba4 developers.

As I have been working on our two Kerberos auth modules, I have lost the
ability to handle what Kerberos is meant to do best, single sign on.
This is because we no longer use the default credentials cache, but
instead an appropriate private cache, with the supplied password.

I'm proposing the following extensions:

The credentials code will be able to supply as a product (like the
username, password, realm etc to be queried) a credentials cache.  This
may be the system default cache (if no username is specified, and one
appears to be available), or a local cache in memory.
(Using a local cache will therefore cause a kinit to occur etc)

This will also allow a credentials cache to be created with delegated
credentials from a Krb5/GSSAPI login (which will help both the
Kerberos-authenticated-swat case, and the CIFS proxy case).

I'm also looking at hiding more of the credentials code behind access
functions, to ensure callers can't override or query things incorrectly.

It has been (correctly) suggested that the credentials code has become a
kitchen sink, but I prefer to think of it as a growing, significant
subsystem ;-).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net