Samba4 kadmin interface (commit 12ce07e53b9453f35a1483d941bfce9c23f790a0)

Andrew Bartlett abartlet at samba.org
Tue Dec 6 14:42:41 MST 2011


On Tue, 2011-12-06 at 22:25 +0100, Gémes Géza wrote:
> On 2011-12-04 22:58, Andrew Bartlett wrote:
> > On Sun, 2011-12-04 at 17:16 +0100, Gémes Géza wrote:
> >> On 2011-12-03 23:25, Andrew Bartlett wrote:
> >>> On Fri, 2011-12-02 at 18:32 +0100, Gémes Géza wrote:
> >>>> Hi,
> >>>>
> >>>> I've tried using heimdal (1.4.0) kadmin with the new hdb_samba4.so
> >>>> module. Unfortunately it doesn't support it:
> >>>> # kadmin -l
> >>>> kadmin: error trying to load dynamic module /usr/lib/hdb_samba4.so: (null)
> >>>>
> >>>> kadmin: No database support for samba4:
> >>>>
> >>>> I suppose my heimdal installation is too old. What is the minimal
> >>>> heimdal version this module should work with?
> >>> I used current Heimdal from GIT when I tried it out.
> >>>
> >>> The ideal situation would be to compile Samba against lorikeet-heimdal
> >>> as the system Heimdal, and then use the kadmin from there, as that will
> >>> be the same version. 
> >>>
> >>> I will probably restrict this feature to this case, as in retrospect
> >>> this is unsafe unless we use the same libkrb5 (due to the passed in
> >>> krb5_context). 
> >>>
> >>> Andrew Bartlett
> >>>
> >> Unfortunately on my test system heimdal from current git checkout fails
> >> to compile.
> >> Wouldn't importing (the relevant parts of) heimdal/lib/kadm5 and
> >> heimdal/kadmin into samba4 source tree be a better way?
> > No, as I do not wish Samba to be the source of standard kerberos
> > libraries or tools.  We build samba4kinit, but this is in my mind a
> > special case as it allows a number of important tests, but we
> > deliberately do not install it.
> >
> > It took me a number of attempts to build current Heimdal from GIT, but
> > these were due to the remains of a previous build in the checkout.  A
> > clean build from scratch should work. 
> >
> > Andrew Bartlett
> >
> Thank you!
> 
> It works now (on a fresh git clone of heimdal) with (just one detected
> so far) exception:
> del_enctype seems to be unimplemented (it says: kadmin:
> kadm5_modify_principal: Database is locked or in use--try again later)

All write operations are unimplemented.  We need to decide if it is
worth implementing them, and then do the work.  It isn't trivial - we
essentially need to copy the guts of the password_hash module into a
helper function that converts the sequence of keys back into unicodePwd
and supplementalCredentials.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



More information about the samba-technical mailing list