MIT Krb5 KDC in the AD DC

Simo simo at samba.org
Sat Aug 2 11:19:40 MDT 2014


On Sat, 2014-08-02 at 12:58 -0400, Simo wrote:
> On Sat, 2014-08-02 at 10:57 -0400, Simo wrote:
> > On Wed, 2014-07-16 at 18:16 +0200, Guenther Deschner wrote:
> > > Hi,
> > > 
> > > On 01/07/14 00:06, Andrew Bartlett wrote:
> > > > On Mon, 2014-06-30 at 18:38 +0200, Andreas Schneider wrote:
> > > >> On Thursday 19 June 2014 15:03:24 Andrew Bartlett wrote:
> > > >>> G'Day Andreas,
> > > >> 
> > > >> Hi Andrew,
> > > >> 
> > > >>> I'm just wanting to touch base with you as to how we can 
> > > >>> progress your MIT KDC efforts?
> > > >> 
> > > >> there were no efforts during my vacation. Günther just rebased 
> > > >> the code. We will be back working on this and proposing patches 
> > > >> by the end of this week hopefully.
> > > >> 
> > > >> We will try to write together what to look at and where we see 
> > > >> that we need improvements.
> > > >> 
> > > >> We know that what we have isn't perfect and some things are ugly 
> > > >> but we know where we need to rewrite code again to make it 
> > > >> cleaner.
> > > >> 
> > > >> 
> > > >> So we will try to bring it into a state where it is easy for you to
> > > >> know what to review and then have an explanation of the code we
> > > >> think is not ready yet.
> > > >> 
> > > >> Maybe we can have a chat next week then.
> > > > 
> > > > I look forward to it.  I didn't want you feeling that I was 
> > > > indifferent to your efforts here, because on the contrary I see 
> > > > great benefits from opening Samba's AD DC capability up to 
> > > > platforms that can't use our embedded Heimdal, and getting out of 
> > > > the Kerberos-library business in the long term.
> > > 
> > > The current work branch has a bit more than 130 patches right now, so
> > > we would really like to start bringing pieces of it upstream now.
> > > 
> > > So what we did today was to move all the krb5 wrapping calls out
> > > of the main branch to a separate branch. Getting this first series of
> > > patches upstream would make it much easier to step forward on this matter.
> > > 
> > > This new branch now contains most of the prerequisite work to make all
> > > of samba's DC code to compile with both a MIT or a Heimdal kerberos
> > > library in one of the next steps (in particular the krb5 client code
> > > which currently is not compiled at all when using a system MIT
> > > kerberos library).
> > > 
> > > Some of the commits might read a bit abstract and unrelated when seen
> > > isolated in the new branch. In that case one can always check the
> > > larger wip branch where - when seen in context - the order of commits
> > > explains much better why this and that is needed.
> > > 
> > > Again: the main wip branch is still this:
> > > 
> > > https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc
> > > 
> > > while we ask for review of this branch for now:
> > > 
> > > https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc-ok
> > 
> > I was taking a look at the changes in source3/libads/krb5_setpw.c and I
> > realized this is all duplicate code already implemented in libkrb5 both
> > in MIT and Heimdal.
> > 
> > Can you consider pulling the 2 top patches here:
> > https://git.samba.org/?p=idra/samba.git;a=shortlog;h=refs/heads/krb-cleanup
> > 
> > They remove all the custom kpasswd stuff and use standard libkrb5
> > calls. It compiles fine but I haven't had a chance to test it yet.
> > 
> > Simo.
> 
> Btw, make test gave me 2 errors here, but they seem unrelated to me, one
> in one of the samba3.rpc.schannel 

I get this same error even with my patch reverted, so at least I know
it's not it.

> tests and one much later in
> samba.blackbox.wbinfo(s4member:local)
> 
> Simo.




