Heimdal Samba4 KDC progress

Andrew Bartlett abartlet at samba.org
Tue May 10 15:23:00 GMT 2005


Just a quick note to let the list know where I am up to with the heimdal
KDC work.

After a few distractions (and ideas of writing our own KDC inside
Samba4), I have decided in the short-term to finish one KDC at a time,
and have been working on a new version of hdb-ldb, and associated
changes within Heimdal required to support it.

We now work with a current ldb, and require (and make very good use of)
talloc() within the module.  I have removed much of the very silly code,
in favor of the provision of extra information by the caller, as to
which type of principal it is looking for.

The items that remain TODO are:

- Pass the utf8password from the kpasswdd and kadmin interfaces right
down to the hdb, to be set into the unicodePwd attribute

- Build and use another external Samba project, this time for iconv()
and friends.  (we need proper unicode conversions for the
arcfour-hmac-md5 encryption type, for example).

- Add authorization hooks, for the PAC

- Add 'arbitrary' access control hooks, to implement things like
userWorkstations checks (which are just not possible with a Database
Abstraction Layer, as this is no longer a query/response interface).

The big TODO is the work on so-called 'DCE_STYLE' GSSAPI, which I need to
get to grips with, as it is the current blocker on a 'Kerberos' domain
join.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net