[PATCH] support for kerberos in plugin DC code

tridge at samba.org
Wed Jul 27 22:50:17 MDT 2011


Hi Simo,

 > Does this mean the s3 code will now depend on both ldb and the heimdal
 > embedded in s4 and other dependencies? Or are they loaded only at
 > runtime and only if an AD DC setup is used?

They are hooked at runtime via external modules (in the waf build tree
they are bin/modules/pdb/samba4.so and bin/modules/auth/samba4.so)

When we initially did this work we made them static modules, which
meant it was linked in, but we've now fixed that so they are purely
runtime loaded.

All bin/smbd depends on is libgensec_runtime.so, which is an extremely
thin hook layer, and doesn't contain any of the s4 auth code.

 > I'd like you to give quite some time to review and decide if it is ok.

I'd be glad for more review, but please do try to get to this as soon
as you can, as this is core to our efforts to get a combined s3/s4
server with AD server capabilities but the s3 file server. We don't
really have a prototype for a 4.0 release until we get this working
and there is plenty more for us to do that builds on top of this.

 > I have been opposed on introducing gensec in s3 for a few reasons. One
 > is dependencies, the other is that IIRC gensec does not create new event
 > loops but allows nesting of loops. That is something too dangerous for
 > the file server imho.

As Andrew mentioned, this is addressed in these patches by creating a
new event context for gensec to use. So the s3 event context is
unchanged. It sees the gensec calls as 'blocking' calls.

So if you run bin/smbd and bin/nmbd as is now done for an s3 file
server then you get exactly the same event handling as is there now.

Cheers, Tridge

