KDC built in or out of smbd

[Krishna Ganugapati]

I presume the motivation is to be an AD-like domain controller. I've not 
reviewed the process division in Samba, but I would agree with you that the 
KDC be run in a process separate from the file server process. I was 
speculating/ hoping  that winbind would become this secure process and 
integrate the directory service and the KDC.

In Windows, the KDC runs in the "secure" lsass  process distinct from the 
file server. The file server was actually implemented as kernel mode driver 
as opposed to a user mode process. Typically a domain controller does not 
function as a file server and thus the domain controller primarily functions 
as a KDC and as directory store. The domain controller is subject to all the 
security requirements that govern a  KDC. (restricted physical access, 
minimum number of necessary services, lockdown mode)

A separate question for me is to understand how the source tree is 
architected to handle the "client mode" (Linux machines (desktops and 
servers) as member servers of an AD domain) and the "domain controller" mode 
(Linux machines that are promoted to becoming domain controllers). I think a 
better nomenclature would be "member" mode and "domain controller" mode so 
I'll use that..

In the end, the file server component of Samba will run on member servers 
and on "domain controllers" (architecturally, its functionality is the same 
whether the file server is run on a member server or on a domain 
controller.) however the authentication subsystem will vary depending on 
whether the machine is in "member mode" or  "domain controller" mode

In "member mode", the authentication subsystem would include
a) the authentication process may need to support an in-process ticket cache
b) PAM which authenticates to the authentication subsystem and caches its 
credentials (NTLM or Kerberos keys for regeneration of TGTs)
c) GSS providers for spnego and ntlm *
d) A robust NTP implementation
d) authentication semantics currently offered by winbindd

In "domain controller mode", the authentication subsystem would include
a) Everything in member mode because a domain controller is also a member 
server
b) The KDC
c) The ldap directory

Thus since Samba 4 is moving towards supporting AD semantics, would someone 
comment if there is this move to decouple authentication services from the 
file server architecture and is that already in place?
Note I have not yet been able to successfully build all the Samba4 bits (for 
some reason, my machine is choking, so my thoughts are speculative, but if 
the Samba folks could shed some light, I'd be most obliged...

Best regards,

Krishna
----- Original Message ----- 
From: "Lukasz Stelmach" <lukasz.stelmach at telmark.waw.pl>
To: <samba-technical at lists.samba.org>
Cc: <lukasz.stelmach at telmark.waw.pl>
Sent: Tuesday, November 29, 2005 4:31 AM
Subject: KDC built in or out of smbd


> Greetings All.
>
> I've read some papers (e.g. kerberos-notes.txt) about Kerberos support
> in the new Samba and feel a little uncertain, to say the least. I've
> found that the most probable option is to incorporate kdc functionality
> *into* smbd process. IMHO it is completly against the design principles
> of the Kerberos where kdc is meant to run on a separate, extra safe
> machine as the only service.  This helps to gain the securiti by
> cutting down the complexity.
>
> No offense, but it is rather obvious that if the whole smbd runs on such
> machine it becomes less secure than it could be. I understand that no
> Kerberos suit (except the MS one) today supports PAC but IMHO it is not
> an option to put kdc together with smbd.
>
> I might have missed something. If so please correct me.
>
> Best regards.
> PS. I'm not subscribed, please cc.
> -- 
> Miłego dnia
>>Łukasz<