Recent kerberos refactoring

simo idra at samba.org
Fri Apr 13 06:05:28 MDT 2012


On Fri, 2012-04-13 at 19:51 +1000, Andrew Bartlett wrote:
> 
> Yes, this needs to be done in the Samba3 SMB client.  It needs to be
> upgraded to use gensec for GSSAPI and SPNEGO, just like the RPC client
> already does.  To do that, we preferably need to unify the ntlmssp
> client modules, importing the 'ask winbind' credential cache code into
> a
> common ntlmssp client (as a flag on the cli_credentials I think). 

No, no, no, this is backwards again. You need to provide a callback
mechanism that is opaque to ntlmssp, and gets back credentials, not make
ntlmssp depend on winbindd. These are client libraries; on Samba you may
use winbindd and on another system people may use a different provider.
But in any case you do not want to have direct dependencies on winbind
in the ntlmssp code.

> > I'd like to get to the point that client libraries provided by
> > source4/ and source3/ code base could be compiled against
> > system-provided MIT krb5 libraries where possible (barring
> > functionality that requires accessing HDB). Right now even with
> > linking scripts source3/ gets embedded heimdal libraries linked and
> > then linked against system libldap libraries which are using system
> > MIT krb5 libraries -- as result, I can't really use GSSAPI with a
> > keytab produced by MIT krb5 as described in another thread where I
> > tried to get to authenticate to LDAP with keytab only.
> 
> I thought the problem in the other thread was mixing calls between the
> two libraries (calling a function that wasn't implemented in Heimdal).

That also happened.

> The default 'FILE' credential cache format is compatible btw.

It is not; try to do s4u2proxy with a ccache file generated by a
different implementation and it will not work.
MIT's gssapi depends on special hints stored in the ccache.
Also try to use the DIR: ccache type with Heimdal.

>   If not,
> I'm sorry I don't understand exactly what the problem is here.  We
> successfully run dlz_bind9 based on Samba4 and Heimdal in a MIT-linked
> bind9.

You had some specific and simple test cases working, good for you,
that's not the general rule. The Rule is that you *do not mix* kerberos
libraries. Period.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
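The "callback that is opaque to ntlmssp" design argued for above, as an added illustration that is not Samba code and does not use Samba's real API: the client module only knows a function pointer plus a private pointer, and two hypothetical providers (a caller-supplied static store and a simulated daemon-backed cache standing in for winbindd) plug into the same client without the client naming either. All struct and function names here are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal result shape; a real NTLMSSP client carries more. */
enum cred_status { CRED_OK = 0, CRED_UNAVAILABLE = 1, CRED_ERROR = 2 };

struct ntlmssp_creds {
    char username[64];
    char domain[64];
    unsigned char nt_hash[16];
};

/* The opaque interface: the client never inspects private_data and
 * never references a specific backend such as winbindd. */
typedef enum cred_status (*cred_provider_fn)(void *private_data,
                                              const char *target,
                                              struct ntlmssp_creds *out);

struct cred_provider {
    cred_provider_fn get_creds;
    void *private_data;
};

/* Client side: ask the provider; fail closed if there is none. */
enum cred_status ntlmssp_client_prepare(const struct cred_provider *p,
                                        const char *target,
                                        struct ntlmssp_creds *out)
{
    if (p == NULL || p->get_creds == NULL || out == NULL) {
        return CRED_ERROR;
    }
    memset(out, 0, sizeof(*out));
    return p->get_creds(p->private_data, target, out);
}

/* Provider A: explicit credentials held by the caller, the kind of thing
 * a non-Samba consumer of the library would plug in. */
struct static_store {
    const char *user;
    const char *domain;
    unsigned char nt_hash[16];
};

static enum cred_status static_get_creds(void *priv, const char *target,
                                         struct ntlmssp_creds *out)
{
    const struct static_store *s = priv;
    (void)target; /* same credentials for every target */
    snprintf(out->username, sizeof(out->username), "%s", s->user);
    snprintf(out->domain, sizeof(out->domain), "%s", s->domain);
    memcpy(out->nt_hash, s->nt_hash, sizeof(out->nt_hash));
    return CRED_OK;
}

struct cred_provider static_provider(struct static_store *s)
{
    struct cred_provider p = { static_get_creds, s };
    return p;
}

/* Provider B: stand-in for a daemon-backed cache (winbindd on Samba),
 * simulated with a constructed in-memory table. The client code above is
 * identical whichever provider is plugged in. */
struct cache_entry { const char *target; const char *user; const char *domain; };
struct cache_store { const struct cache_entry *entries; size_t count; };

static enum cred_status cache_get_creds(void *priv, const char *target,
                                        struct ntlmssp_creds *out)
{
    const struct cache_store *c = priv;
    size_t i;
    for (i = 0; i < c->count; i++) {
        if (strcmp(c->entries[i].target, target) == 0) {
            snprintf(out->username, sizeof(out->username), "%s", c->entries[i].user);
            snprintf(out->domain, sizeof(out->domain), "%s", c->entries[i].domain);
            /* nt_hash stays zeroed: a daemon-style provider would compute
             * the response itself rather than hand the hash to the client */
            return CRED_OK;
        }
    }
    return CRED_UNAVAILABLE; /* caller decides: prompt, fall back, or fail */
}

struct cred_provider cache_provider(struct cache_store *c)
{
    struct cred_provider p = { cache_get_creds, c };
    return p;
}

int main(void)
{
    struct static_store ss = { "alice", "EXAMPLE", {0} }; /* constructed */
    struct cred_provider sp = static_provider(&ss);
    struct ntlmssp_creds out;
    enum cred_status st = ntlmssp_client_prepare(&sp, "fs1.example.test", &out);
    printf("static provider: status %d, user %s\\%s\n", st, out.domain, out.username);
    return 0;
}
```

The security-relevant property is that the ntlmssp module has no link-time or compile-time edge to winbindd: a provider that answers CRED_UNAVAILABLE lets the caller choose its own policy instead of the protocol code silently reaching into a daemon it should not know about.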