KDC built in or out of smbd

Andrew Bartlett abartlet at samba.org
Tue Nov 29 22:04:24 GMT 2005


On Tue, 2005-11-29 at 13:31 +0100, Lukasz Stelmach wrote:
> Greetings All.
> 
> I've read some papers (e.g. kerberos-notes.txt) about Kerberos support
> in the new Samba and feel a little uncertain, to say the least. I've
> found that the most probable option is to incorporate kdc functionality
> *into* smbd process. IMHO it is completely against the design principles
> of the Kerberos where kdc is meant to run on a separate, extra safe
> machine as the only service.  This helps to gain the security by
> cutting down the complexity. 
> 
> No offense, but it is rather obvious that if the whole smbd runs on such
> machine it becomes less secure than it could be. I understand that no
> Kerberos suite (except the MS one) today supports PAC but IMHO it is not
> an option to put kdc together with smbd.

We chose to implement the entire Samba suite in a single process for
simplicity of administrator operation.  Samba4 consists of a large
number of services, all inter-dependent in various ways, most of which
must operate with the ability to regain full root privileges, operate on
sensitive databases and access files.

As such, absent technologies like SELinux, there is little to be gained
from mandating a separate process for the various components, other than
administrator confusion, and posts to the list caused by failure to
start a particular service.

That said, I would like to eventually see tools like SELinux applied to
Samba, to correctly 'box in' the various services.  Fortunately for
this, Samba4 is also very modular, and uses quite a bit of interprocess
communication between its components.  This should allow a viable
constraints model to be devised by those (presumably distributors) who
have the time and patience for the additional complexity (and who can
ensure that all the correct services still start).

In terms of host separation, unfortunately the assumptions in the Active
Directory model include that the LDAP server, KDC, RPC services and a
fileserver (for the netlogon share at least) must reside in the same
place.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net