KDC built in or out of smbd

Andrew Bartlett abartlet at samba.org
Tue Nov 29 22:37:24 GMT 2005

On Tue, 2005-11-29 at 08:03 -0800, Krishna Ganugapati wrote:
> I presume the motivation is to be an AD-like domain controller. I've not 
> reviewed the process division in Samba, but I would agree with you that the 
> KDC be run in a process separate from the file server process. I was 
> speculating/ hoping  that winbind would become this secure process and 
> integrate the directory service and the KDC.

While winbindd has become the dumping ground for 'persistant' samba
services in Samba3, Samba4 has a different modal, and winbindd does not
exist specifically, but as part of that same integrated service.

> In Windows, the KDC runs in the "secure" lsass  process distinct from the 
> file server. The file server was actually implemented as kernel mode driver 
> as opposed to a user mode process. Typically a domain controller does not 
> function as a file server and thus the domain controller primarily functions 
> as a KDC and as directory store. 

In windows, there is still the need to have the IPC$, netlogon and
similar shares available.

> The domain controller is subject to all the 
> security requirements that govern a  KDC. (restricted physical access, 
> minimum number of necessary services, lockdown mode)
> A separate question for me is to understand how the source tree is 
> architected to handle the "client mode" (Linux machines (desktops and 
> servers) as member servers of an AD domain) and the "domain controller" mode 
> (Linux machines that are promoted to becoming domain controllers). I think a 
> better nomenclature would be "member" mode and "domain controller" mode so 
> I'll use that..
> In the end, the file server component of Samba will run on member servers 
> and on "domain controllers" (architecturally, its functionality is the same 
> whether the file server is run on a member server or on a domain 
> controller.) however the authentication subsystem will vary depending on 
> whether the machine is in "member mode" or  "domain controller" mode
> In "member mode", the authentication subsystem would include
> a) the authentication process may need to support an in-process ticket cache
> b) PAM which authenticates to the authentication subsystem and caches its 
> credentials (NTLM or Kerberos keys for regeneration of TGTs)
> c) GSS providers for spnego and ntlm *
> d) A robust NTP implementation
> d) authentication semantics currently offered by winbindd
> In "domain controller mode", the authentication subsystem would include
> a) Everything in member mode because a domain controller is also a member 
> server
> b) The KDC
> c) The ldap directory

This is a fair descripton of the situation.

> Thus since Samba 4 is moving towards supporting AD semantics, would someone 
> comment if there is this move to decouple authentication services from the 
> file server architecture and is that already in place?
> Note I have not yet been able to successfully build all the Samba4 bits (for 
> some reason, my machine is choking, so my thoughts are speculative, but if 
> the Samba folks could shed some light, I'd be most obliged...

I'm not entirely sure what you mean by decoupling in this context.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051130/6a2b4a38/attachment.bin

More information about the samba-technical mailing list