Credentials code extension in Samba4
Jeremy Allison
jra at samba.org
Fri Aug 26 00:26:54 GMT 2005
On Fri, Aug 26, 2005 at 08:04:40AM +1000, Andrew Bartlett wrote:
> I'm just writing this to the list FYI, and for a bit of feedback from
> other Samba4 developers.
>
> As I have been working on our two kerberos auth modules, I have lost the
> ability to handle what kerberos is meant to do best, single sign on.
> This is because we no longer use the default credentials cache, but
> instead an appropriate private cache, with the supplied password.
>
> I'm proposing the following extensions:
>
> The credentials code will be able to supply as a product (like the
> username, password, realm etc to be queried) a credentials cache. This
> may be the system default cache (if no username is specified, and one
> appears to be available), or a local cache in memory.
> (Using a local cache will therefore cause a kinit to occur etc)
>
> This will also allow a credentials cache to be created with delegated
> credentials from a Krb5/GSSAPI login (which will help both the
> kerberos-authenticated-swat case, and the CIFS proxy case).
>
> I'm also looking at hiding more of the credentials code behind access
> functions, to ensure callers can't override or query things incorrectly.
>
> It has been (correctly) suggested that the credentials code has become a
> kitchen sink, but I prefer to think of it as a growing, significant
> subsystem ;-).
FYI: You might want to also look at some of the Linux desktop "keyring"
API's that allow credentials to be shared amongst programs in the same
desktop session. I know the Samba4 requirements are likely to be a little
different in that area but it might be worth the effort to see if you
can design something that will interface easily with other credential
cache modules.
Cheers,
Jeremy.
More information about the samba-technical
mailing list