Recent kerberos refactoring
Andrew Bartlett
abartlet at samba.org
Fri Apr 13 02:21:29 MDT 2012
On Fri, 2012-04-13 at 08:05 +0300, Alexander Bokovoy wrote:
> What is more important here is a logic that pulls server-side code
> into client-side libraries. For example, in source4/auth/, there are
> auth_session, auth4_sam, and pyauth subsystems that require
> server-side code. auth_session is pulled into gensec_schannel and that
> one is pulled into libnet, a pure client side library now that I
> separated extract_keytab code which was only used in python bindings
> to libnet and which took HDB driver in, together with Heimdal KDC
> code.
This is probably best resolved by making gensec_schannel a plugin.
That's why gensec accepts plugins, to break silly dependency chains like
this.
If that isn't enough, we can call
auth4_context->get_user_info_dc_principal with a DN of <SID=S-1-5-7> and
have the implementation of that function pointer look for the special DN
and create the anonymous token there.
> Moving further, auth/gensec now requires auth_system_session which
> requires auth_session and pulls samdb from Samba4 server-side which,
> again, links in auth_session and auth4_sam. Besides being cyclic, it
> pulls samdb linking into libsmb in source3.
This (auth_system_session) appears not to be a required dependency of
gensec, and I certainly worked to avoid gensec depending on samdb
directly in that way. That is why the auth4_context has such odd extra
function pointers. I'll push the removal with some real patches if you
don't get to it first.
> These dependencies need to be fixed. In most cases a solution could be
> in making interfaces clear of server-specific arguments and instead
> either pass a callback where required or allow using an "object" that
> encapsulates proper callbacks and states and two initializers: for
> server-side and client-side uses.
I have been slowly working towards this. For example, gensec shouldn't
need the client or server databases, it should be handled by either the
supplied cli_credentials or auth4_context.
> Or split libraries even more. For
> example, credentials_secrets.c operates on server side and it is
> folded into pycredentials, Python bindings for credentials library
> which is necessary for client operations on any Python client. I'd
> rather separated it, as well as POPT_CREDENTIALS subsystem which in
> addition is pulled into WMI sample client which is definitely not
> supposed to be running only on Samba4 server.
credentials_secrets is also used on the client, as you can (including in
the python bindings) obtain credentials as the local machine account.
I agree that this area is tricky, but with patience and co-operation I'm
quite certain we can find an acceptable way through this.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
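The dependency-breaking pattern discussed in this thread (a context object carrying callbacks, one initialiser per side, and the special `<SID=S-1-5-7>` DN handled inside the callback so the client library never needs server code) as an added, self-contained C illustration. This is not Samba code: `example_auth_context`, `example_token`, the database stand-in and the initialiser names are hypothetical, and the entries in `example_entries` are constructed sample data. Only the DN string and the role of `get_user_info_dc_principal` come from the message above.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical token type standing in for Samba's session info (name assumed). */
struct example_token {
    bool is_anonymous;
    char principal[64];
};

/* Callback-carrying context modelled on the thread's auth4_context idea:
 * consumers call through the function pointer and never see a database. */
struct example_auth_context {
    const void *private_data;  /* server side: its user database; client side: NULL */
    int (*get_user_info_dc_principal)(struct example_auth_context *ctx,
                                      const char *principal,
                                      struct example_token *out);
};

/* The special DN from the thread; S-1-5-7 is the well-known Anonymous Logon SID. */
#define ANONYMOUS_DN "<SID=S-1-5-7>"

/* Both implementations recognise the special DN without any lookup, so the
 * anonymous token can be built even where no server database exists. */
static bool handle_anonymous_dn(const char *principal, struct example_token *out)
{
    if (strcmp(principal, ANONYMOUS_DN) != 0) {
        return false;
    }
    out->is_anonymous = true;
    snprintf(out->principal, sizeof out->principal, "ANONYMOUS LOGON");
    return true;
}

/* Constructed stand-in for a server-side user database (sample data only). */
struct example_db_entry { const char *dn; const char *name; };
struct example_db { const struct example_db_entry *entries; size_t count; };

static const struct example_db_entry example_entries[] = {
    { "CN=alice,DC=example,DC=com",   "EXAMPLE\\alice" },
    { "CN=svc-web,DC=example,DC=com", "EXAMPLE\\svc-web$" },
};
static const struct example_db example_db_default = { example_entries, 2 };

/* Server-side implementation: special DN first, then the database. */
static int server_get_user_info(struct example_auth_context *ctx,
                                const char *principal, struct example_token *out)
{
    if (handle_anonymous_dn(principal, out)) {
        return 0;
    }
    const struct example_db *db = ctx->private_data;
    for (size_t i = 0; i < db->count; i++) {
        if (strcmp(db->entries[i].dn, principal) == 0) {
            out->is_anonymous = false;
            snprintf(out->principal, sizeof out->principal, "%s", db->entries[i].name);
            return 0;
        }
    }
    return -1;  /* unknown principal */
}

/* Client-side implementation: only the special DN is answerable locally;
 * anything else is refused rather than pulling server code into the client. */
static int client_get_user_info(struct example_auth_context *ctx,
                                const char *principal, struct example_token *out)
{
    (void)ctx;
    return handle_anonymous_dn(principal, out) ? 0 : -1;
}

/* The two initialisers the thread proposes: one per side. */
static void example_auth_context_server_init(struct example_auth_context *ctx,
                                             const struct example_db *db)
{
    ctx->private_data = db;
    ctx->get_user_info_dc_principal = server_get_user_info;
}

static void example_auth_context_client_init(struct example_auth_context *ctx)
{
    ctx->private_data = NULL;
    ctx->get_user_info_dc_principal = client_get_user_info;
}

/* Consumer code (think gensec): depends on the context only, not on either side. */
static int example_lookup(struct example_auth_context *ctx, const char *principal,
                          struct example_token *out)
{
    memset(out, 0, sizeof *out);
    return ctx->get_user_info_dc_principal(ctx, principal, out);
}

int main(void)
{
    struct example_auth_context client, server;
    struct example_token tok;

    example_auth_context_client_init(&client);
    example_auth_context_server_init(&server, &example_db_default);

    if (example_lookup(&client, ANONYMOUS_DN, &tok) == 0)
        printf("client: %s (anonymous=%d)\n", tok.principal, tok.is_anonymous);
    if (example_lookup(&server, "CN=alice,DC=example,DC=com", &tok) == 0)
        printf("server: %s (anonymous=%d)\n", tok.principal, tok.is_anonymous);
    return 0;
}
```

The point of the split is that `example_lookup` (the gensec-like consumer) links against neither implementation directly; which one it reaches is decided by whoever initialised the context, so a client-only build can ship the client initialiser alone and still produce the anonymous token.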