Separating Heimdal from Samba4

Andrew Bartlett abartlet at samba.org
Wed Jun 4 04:02:19 GMT 2008


Sergey's question earlier today about separating the KDC and GSSAPI
client libs from Samba4 caused me to ponder exactly what it would
require, the costs and benefits.

The primary cost is the build system and integration work required to
have Samba operate in multiple modes - with and without a built in KDC,
while retaining the full test coverage of this important code.

The benefits are in not bundling a complex security library that will
need separate maintenance and patches.  Distributions strongly favour
using system libraries where possible. 

The tasks as I see them are:

Get the last of the heimdal-lorikeet.diff merged into Heimdal.  The only
two bits that appear important are the patches to:

kdc/kerberos5.c
lib/hdb/keytab.c 
lib/krb5/get_in_tkt.c 

The other patches probably go away if we use system libraries, as they
were related to us linking only part of Heimdal into Samba. 

The KDC will need to load a hdb and 'windc' plugin.  I'm sure the Samba
build system can build these pretty easily, but the task is to make it
easy for Heimdal (now separated) to load them.  This will probably be
handled by having provision's generated krb5.conf contain the right
magic.

Samba will need to link against Heimdal's libgssapi and libkrb5.  We
will need checks to ensure we don't accidentally hit MIT's libs, until
someone ports the KDC magic into MIT. 

We will need a way to continue to build with an internal copy of
Heimdal, because for development (and to run against make test, and for
the build farm) we must have a KDC and libkrb5 that uses SOCKET_WRAPPER.
Similarly, many platforms will not have the right version of Heimdal,
and so we must be able to use the internal copy.

One of the big challenges will be to keep both modes of operation
working - both with the system Heimdal and the included version that all
developers (who need 'make test' to run) will use. 

The other challenge will be ensuring that Heimdal is started and stopped
by Samba4 as an integrated service, listens on the right interfaces etc.
We could try to have a libkdc exported by Heimdal (so we control those
matters, as we do now), but this will be more work again. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
