MIT Krb5 KDC in the AD DC

Andrew Bartlett abartlet at samba.org
Sat Aug 2 14:16:04 MDT 2014


On Sat, 2014-08-02 at 10:57 -0400, Simo wrote:
> On Wed, 2014-07-16 at 18:16 +0200, Guenther Deschner wrote:
> > Hi,
> > 
> > On 01/07/14 00:06, Andrew Bartlett wrote:
> > > On Mon, 2014-06-30 at 18:38 +0200, Andreas Schneider wrote:
> > >> On Thursday 19 June 2014 15:03:24 Andrew Bartlett wrote:
> > >>> G'Day Andreas,
> > >> 
> > >> Hi Andrew,
> > >> 
> > >>> I'm just wanting to touch base with you as to how we can 
> > >>> progress your MIT KDC efforts?
> > >> 
> > >> there were no efforts during my vacation. Günther just rebased 
> > >> the code. We will be back working on this and proposing patches 
> > >> by the end of this week hopefully.
> > >> 
> > >> We will try to write together what to look at and where we see 
> > >> that we need improvements.
> > >> 
> > >> We know that what we have isn't perfect and some things are ugly 
> > >> but we know where we need to rewrite code again to make it 
> > >> cleaner.
> > >> 
> > >> 
> > >> So we will try to bring it into a state where it is easy for you to know what
> > >> to review and then have an explanation of the code we think is
> > >> not ready yet.
> > >> 
> > >> Maybe we can have a chat next week then.
> > > 
> > > I look forward to it.  I didn't want you feeling that I was 
> > > indifferent to your efforts here, because on the contrary I see 
> > > great benefits from opening Samba's AD DC capability up to 
> > > platforms that can't use our embedded Heimdal, and getting out of 
> > > the Kerberos-library business in the long term.
> > 
> > The current work branch has a bit more than 130 patches right now, so
> > we would really like to start bringing pieces of it upstream now.
> > 
> > So what we did today was to move all the krb5 wrapping calls out
> > of the main branch to a separate branch. Getting this first series of
> > patches upstream would make it much easier to step forward on this matter.
> > 
> > This new branch now contains most of the prerequisite work to make all
> > of samba's DC code to compile with both a MIT or a Heimdal kerberos
> > library in one of the next steps (in particular the krb5 client code
> > which currently is not compiled at all when using a system MIT
> > kerberos library).
> > 
> > Some of the commits might read a bit abstract and unrelated when seen
> > isolated in the new branch. In that case one can always check the
> > larger wip branch where - when seen in context - the order of commits
> > explains much better why this and that is needed.
> > 
> > Again: the main wip branch is still this:
> > 
> > https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc
> > 
> > while we ask for review of this branch for now:
> > 
> > https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc-ok
> 
> I was taking a look at the changes in source3/libads/krb5_setpw.c and I
> realized this is all duplicate code already implemented in libkrb5 both
> in MIT and Heimdal.
> 
> Can you consider pulling the 2 top patches here:
> https://git.samba.org/?p=idra/samba.git;a=shortlog;h=refs/heads/krb-cleanup
> 
> They remove all the custom kpasswd stuff and use standard libkrb5
> calls. It compiles fine but I haven't had a chance to test it yet.

Can you add tests, against the AD DC environment, for:
net ads user
net ads password
net ads changetrustpw

As this code appears only to be used by these commands, and sadly
(outside wintest) they appear to be untested, at least per my initial
git grep.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
