MIT Krb5 KDC in the AD DC

Simo simo at
Sat Aug 2 08:57:50 MDT 2014

On Wed, 2014-07-16 at 18:16 +0200, Guenther Deschner wrote:
> Hi,
> On 01/07/14 00:06, Andrew Bartlett wrote:
> > On Mon, 2014-06-30 at 18:38 +0200, Andreas Schneider wrote:
> >> On Thursday 19 June 2014 15:03:24 Andrew Bartlett wrote:
> >>> G'Day Andreas,
> >> 
> >> Hi Andrew,
> >> 
> >>> I'm just wanting to touch base with you as to how we can 
> >>> progress your MIT KDC efforts?
> >> 
> >> there were no efforts during my vacation. Günther just rebased 
> >> the code. We will be back working on this and proposing patches 
> >> by the end of this week hopefully.
> >> 
> >> We will try to write together what to look at and where we see 
> >> that we need improvements.
> >> 
> >> We know that what we have isn't perfect and some things are ugly 
> >> but we know where we need to rewrite code again to make it 
> >> cleaner.
> >> 
> >> 
> >> So we will try to bring it into a state where it is easy for you to know what
> >> to review and then have an explanation of the code we think is
> >> not ready yet.
> >> 
> >> Maybe we can have a chat next week then.
> > 
> > I look forward to it.  I didn't want you feeling that I was 
> > indifferent to your efforts here, because on the contrary I see 
> > great benefits from opening Samba's AD DC capability up to 
> > platforms that can't use our embedded Heimdal, and getting out of 
> > the Kerberos-library business in the long term.
> The current work branch has a bit more than 130 patches right now, so
> we would really like to start bringing pieces of it upstream now.
> So what we did today was to move out all the krb5 wrapping calls out
> of the main branch to a separate branch. Getting this first series of
> patches upstream would make it much easier to step forward on this matter.
> This new branch now contains most of the prerequisite work to make all
> of samba's DC code to compile with both a MIT or a Heimdal kerberos
> library in one of the next steps (in particular the krb5 client code
> which currently is not compiled at all when using a system MIT
> kerberos library).
> Some of the commits might read a bit abstract and unrelated when seen
> isolated in the new branch. In that case one can always check the
> larger wip branch where - when seen in context - the order of commits
> explains much better why this and that is needed.
> Again: the main wip branch is still this:
> while we ask for review of this branch for now:

I was taking a look at the changes in source3/libads/krb5_setpw.c and I
realized this is all duplicate code already implemented in libkrb5 both
in MIT and Heimdal.

Can you consider pulling the 2 top patches here:;a=shortlog;h=refs/heads/krb-cleanup

They remove all the custom kpasswd stuff and use standard libkrb5
calls. It compiles fine but I haven't had a chance to test it yet.

