Current ideas on kerberos requirements for Samba4
abartlet at samba.org
Mon May 23 09:46:02 GMT 2005
On Tue, 2005-05-17 at 01:36 +1000, Andrew Bartlett wrote:
> Just a quick note to let a few more people know that I am putting
> together a rough text document describing various things about kerberos.
> I'm sure parts are just complete fiction, but I'm still new to many
> parts of this game. :-)
> The idea is to write down the special things Samba4 will need from
> GSSAPI/Kerberos libraries and KDC implementations, however we end up
> producing things.
So, things have progressed a lot over the last week, and I want to fill
in the various concerned lists as to my current status, and the research
The research direction so far shows that Samba4 can use Heimdal kerberos
for it's KDC needs: the only major remaining issue is the PAC
generation, and I know this is at least possible.
We are currently looking at how we will start and plug into the KDC, and
I'm wondering if we can do so by linking the KDC code directly into the
main smbd process, just like our other services.
Linking directly 'in process' has a number of advantages, particularly
because I can then use many of the other facilities of Samba4 behind the
heimdal interfaces. For example I can use our UTF8 manipulation code,
our full db layer (including ACLs as required for the password change
deamon), and not rely on getting all these bits into shared/static
My current feeling is that Samba may well ship it's own KDC (based
either on Heimdal, our own code or potentially some other codebase) for
some time into the future. To whatever extent Samba includes a
derivative of another distribution of kerberos, the aim would be to keep
the 'diff' between the two projects as small as possible, while
integrating the code for minimum administrative and engineering pain.
At an engineering level, this might entail a libkdc.a supplied either
with Samba, or perhaps at some long-future date, supplied by the
A more open question surrounds the client libraries - Samba has very
particular needs for a 'state machine safe', 'asynchronous' and (to a
lesser extent) thread safe GSSAPI layer. I'm still looking at what pain
it will take to modify Heimdal (mostly looking at the
gssapi_krb5_context) to meet these requirements. I also need to look at
GNU GSS and the MIT libs here. I intend to write some tests to show
the safety or otherwise of these libs, by constructing and using
In the short-term, my current research indicates that it should be
viable for Samba4 to ship a modified snapshot of Heimdal's
GSSAPI/Kerberos library, and use that library if the system libs are not
found suitable. Indeed, my hope is that in the long-term, we will not
need to maintain these in Samba, and we will be able to use whichever
brand of system kerberos lib is available. How this interacts with KDC
design will be another important point to watch.
> The current version (updated from SVN) is at:
I hope to keep this updated, as I make things more concrete.
In any case, this mail is a request for discussion - I want know if I'm
mad, and if so, what other solutions/suggestions do you have?
I do realise that the idea of a 'Samba KDC' still makes a number of
people uncomfortable, but I'm also at a loss to find software
engineering reasons to propose any other forward direction. That is why
I'm writing this mail.
BTW, I also look forward to the public release of the code behind
http://web.mit.edu/jaltman/Public/Samba-XP-Presentation.pdf to see how
it compares/complements/contrasts with our current approach.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050523/256af295/attachment.bin
More information about the samba-technical