KDC built in or out of smbd
abartlet at samba.org
Tue Nov 29 22:37:24 GMT 2005
On Tue, 2005-11-29 at 08:03 -0800, Krishna Ganugapati wrote:
> I presume the motivation is to be an AD-like domain controller. I've not
> reviewed the process division in Samba, but I would agree with you that the
> KDC be run in a process separate from the file server process. I was
> speculating/ hoping that winbind would become this secure process and
> integrate the directory service and the KDC.
While winbindd has become the dumping ground for 'persistant' samba
services in Samba3, Samba4 has a different modal, and winbindd does not
exist specifically, but as part of that same integrated service.
> In Windows, the KDC runs in the "secure" lsass process distinct from the
> file server. The file server was actually implemented as kernel mode driver
> as opposed to a user mode process. Typically a domain controller does not
> function as a file server and thus the domain controller primarily functions
> as a KDC and as directory store.
In windows, there is still the need to have the IPC$, netlogon and
similar shares available.
> The domain controller is subject to all the
> security requirements that govern a KDC. (restricted physical access,
> minimum number of necessary services, lockdown mode)
> A separate question for me is to understand how the source tree is
> architected to handle the "client mode" (Linux machines (desktops and
> servers) as member servers of an AD domain) and the "domain controller" mode
> (Linux machines that are promoted to becoming domain controllers). I think a
> better nomenclature would be "member" mode and "domain controller" mode so
> I'll use that..
> In the end, the file server component of Samba will run on member servers
> and on "domain controllers" (architecturally, its functionality is the same
> whether the file server is run on a member server or on a domain
> controller.) however the authentication subsystem will vary depending on
> whether the machine is in "member mode" or "domain controller" mode
> In "member mode", the authentication subsystem would include
> a) the authentication process may need to support an in-process ticket cache
> b) PAM which authenticates to the authentication subsystem and caches its
> credentials (NTLM or Kerberos keys for regeneration of TGTs)
> c) GSS providers for spnego and ntlm *
> d) A robust NTP implementation
> d) authentication semantics currently offered by winbindd
> In "domain controller mode", the authentication subsystem would include
> a) Everything in member mode because a domain controller is also a member
> b) The KDC
> c) The ldap directory
This is a fair descripton of the situation.
> Thus since Samba 4 is moving towards supporting AD semantics, would someone
> comment if there is this move to decouple authentication services from the
> file server architecture and is that already in place?
> Note I have not yet been able to successfully build all the Samba4 bits (for
> some reason, my machine is choking, so my thoughts are speculative, but if
> the Samba folks could shed some light, I'd be most obliged...
I'm not entirely sure what you mean by decoupling in this context.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051130/6a2b4a38/attachment.bin
More information about the samba-technical