KDC built in or out of smbd
krishnag at marakicorp.com
Tue Nov 29 16:03:59 GMT 2005
I presume the motivation is to be an AD-like domain controller. I've not
reviewed the process division in Samba, but I would agree with you that the
KDC be run in a process separate from the file server process. I was
speculating/hoping that winbind would become this secure process and
integrate the directory service and the KDC.
In Windows, the KDC runs in the "secure" lsass process distinct from the
file server. The file server was actually implemented as kernel mode driver
as opposed to a user mode process. Typically a domain controller does not
function as a file server and thus the domain controller primarily functions
as a KDC and as directory store. The domain controller is subject to all the
security requirements that govern a KDC (restricted physical access,
minimum number of necessary services, lockdown mode).
A separate question for me is to understand how the source tree is
architected to handle the "client mode" (Linux machines (desktops and
servers) as member servers of an AD domain) and the "domain controller" mode
(Linux machines that are promoted to becoming domain controllers). I think a
better nomenclature would be "member" mode and "domain controller" mode so
I'll use that.
In the end, the file server component of Samba will run on member servers
and on "domain controllers" (architecturally, its functionality is the same
whether the file server is run on a member server or on a domain
controller); however, the authentication subsystem will vary depending on
whether the machine is in "member mode" or "domain controller" mode.
In "member mode", the authentication subsystem would include:
a) the authentication process may need to support an in-process ticket cache
b) PAM which authenticates to the authentication subsystem and caches its
credentials (NTLM or Kerberos keys for regeneration of TGTs)
c) GSS providers for spnego and ntlm *
d) A robust NTP implementation
e) authentication semantics currently offered by winbindd
In "domain controller mode", the authentication subsystem would include:
a) Everything in member mode because a domain controller is also a member
b) The KDC
c) The ldap directory
Thus, since Samba 4 is moving towards supporting AD semantics, would someone
comment on whether there is a move to decouple authentication services from the
file server architecture, and whether that is already in place?
Note that I have not yet been able to successfully build all the Samba4 bits (for
some reason, my machine is choking), so my thoughts are speculative, but if
the Samba folks could shed some light, I'd be most obliged.
----- Original Message -----
From: "Lukasz Stelmach" <lukasz.stelmach at telmark.waw.pl>
To: <samba-technical at lists.samba.org>
Cc: <lukasz.stelmach at telmark.waw.pl>
Sent: Tuesday, November 29, 2005 4:31 AM
Subject: KDC built in or out of smbd
> Greetings All.
> I've read some papers (e.g. kerberos-notes.txt) about Kerberos support
> in the new Samba and feel a little uncertain, to say the least. I've
> found that the most probable option is to incorporate kdc functionality
> *into* smbd process. IMHO it is completely against the design principles
> of the Kerberos where kdc is meant to run on a separate, extra safe
> machine as the only service. This helps to gain the security by
> cutting down the complexity.
> No offense, but it is rather obvious that if the whole smbd runs on such
> machine it becomes less secure than it could be. I understand that no
> Kerberos suite (except the MS one) today supports PAC but IMHO it is not
> an option to put kdc together with smbd.
> I might have missed something. If so please correct me.
> Best regards.
> PS. I'm not subscribed, please cc.
> Have a nice day
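Added example (not from this thread and not Samba code): a small check a defender could run on a domain controller to verify the process separation argued for above, by attributing the KDC (88), LDAP (389) and SMB (445) listeners to their owning PIDs. It assumes Linux `ss -ltnp` output; the sample lines, process names and PIDs are constructed.

```python
import re
from collections import defaultdict

# Ports whose listeners we want to attribute to a process.
SERVICE_PORTS = {88: "kdc", 389: "ldap", 445: "smb"}

# Constructed sample modelled on `ss -ltnp` output; process names and PIDs are made up.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:88         0.0.0.0:*         users:(("samba",pid=1201,fd=29))
LISTEN 0      128    [::]:389           [::]:*            users:(("samba",pid=1201,fd=31))
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*         users:(("smbd",pid=1245,fd=35))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=900,fd=7))
"""

# LISTEN <recv-q> <send-q> <addr>:<port> <peer> users:(("<name>",pid=<pid>,...
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def listeners(ss_output):
    """Map service name -> (process name, pid) for every port in SERVICE_PORTS."""
    found = {}
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, proc, pid = int(m.group(1)), m.group(2), int(m.group(3))
        if port in SERVICE_PORTS:
            found[SERVICE_PORTS[port]] = (proc, pid)
    return found


def shared_processes(found):
    """Return {pid: [services]} for every pid that hosts more than one service."""
    by_pid = defaultdict(list)
    for service, (_, pid) in found.items():
        by_pid[pid].append(service)
    return {pid: sorted(s) for pid, s in by_pid.items() if len(s) > 1}


def kdc_isolated_from_smb(found):
    """True only when both listeners are present and owned by different pids."""
    if "kdc" not in found or "smb" not in found:
        return False
    return found["kdc"][1] != found["smb"][1]


if __name__ == "__main__":
    found = listeners(SAMPLE_SS_OUTPUT)
    for service, (proc, pid) in sorted(found.items()):
        print(f"{service:5} -> {proc} (pid {pid})")
    print("services sharing a process:", shared_processes(found))
    print("KDC isolated from SMB:", kdc_isolated_from_smb(found))
```

On a live host, feed it `ss -ltnp` output (run as root so PIDs are visible); a KDC sharing its PID with the SMB listener is the configuration the thread argues against.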