[PATCH] support for kerberos in plugin DC code

tridge at samba.org tridge at samba.org
Wed Jul 27 22:43:38 MDT 2011

Hi Metze,

 > Yes, this needs a lot of review, I hope to get some time in the next days.

thanks! You'll find that most of the patches are refactoring to fix
some of the layering problems. The core stuff is really where it adds
in a hook to get at gensec if a module provides it.

The way I currently envisage this will work for 4.0 is that people who
want a Samba3 style file/print server only won't use the auth_samba4
module. That means the code will just run as it does now. Those people
will use existing startup scripts to start smbd/nmbd/winbindd.

For those who run a AD domain controller or a RODC they will use the
auth_samba4 module, which allows the s3 file server code to use all
the AD authentication code.

I think trying to retrofit all of the AD server auth logic into the
source3/auth without just calling to the Samba4 code is far too big a
task, and even if it was done would still leave us with a lot of
duplication. We really need to ensure that the tokens and auth paths
used over the various protocols (ldap, SMB, samr, drs etc etc) are
identical. Getting back different tokens on different protocols leads
to really hard to track down problems (eg. with group policies between
the ldap and SMB portions).

The auth_samba4 module is the 'gateway' between these two. It is built
as an external module, so none of the s4 auth code gets loaded into
smbd unless it is used (that is something that Andrew and I just fixed
- it had been declared as a static module in our initial work).

Cheers, Tridge

More information about the samba-technical mailing list