Recent kerberos refactoring

Andrew Bartlett abartlet at
Fri Apr 13 02:21:29 MDT 2012

On Fri, 2012-04-13 at 08:05 +0300, Alexander Bokovoy wrote:

> What is more important here is a logic that pulls server-side code
> into client-side libraries. For example, in source4/auth/, there are
> auth_session, auth4_sam, and pyauth subsystems that require
> server-side code. auth_session is pulled into gensec_schannel and that
> one is pulled into libnet, a pure client side library now that I
> separated extract_keytab code which was only used in python bindings
> to libnet and which took HDB driver in, together with Heimdal KDC
> code.

This is probably best resolved by making gensec_schannel a plugin.
That's why gensec accepts plugins, to break silly dependency chains like

If that isn't enough, we can call
auth4_context->get_user_info_dc_principal with a DN of <SID=S-1-5-7> and
have the implementation of that function pointer look for the special DN
and create the anonymous token there. 

> Moving further, auth/gensec now requires auth_system_session which
> requires auth_session and pulls samdb from Samba4 server-side which,
> again, links in auth_session and auth4_sam. Besides being cyclic, it
> pulls samdb linking into libsmb in source3.

This (auth_system_session) appears not to be a required dependency of
gensec, and I certainly worked to avoid gensec depending on samdb
directly in that way.  That is why the auth4_context has such odd extra
function pointers.  I'll push the removal with some real patches if you
don't get to it first. 

> These dependencies need to be fixed. In most cases a solution could be
> in making interfaces clear of server-specific arguments and instead
> either pass a callback where required or allow using an "object" that
> encapsulates proper callbacks and states and two initializers: for
> server-side and client-side uses. 

I have been slowly working towards this.  For example, gensec shouldn't
need the client or server databases, it should be handled by either the
supplied cli_credentials or auth4_context.

> Or split libraries even more. For
> example, credentials_secrets.c operates on server side and it is
> folded into pycredentials, Python bindings for credentials library
> which is necessary for client operations on any Python client. I'd
> rather separated it, as well as POPT_CREDENTIALS subsystem which in
> addition is pulled into WMI sample client which is definitely not
> supposed to be running only on Samba4 server.

credentials_secrets is also used on the client, as you can (including in
the python bindings) obtain credentials as the local machine account. 

I agree that this area is tricky, but with patience and co-operation I'm
quite certain we can find an acceptable way through this.

Andrew Bartlett
Authentication Developer, Samba Team 