MIT Krb5 KDC in the AD DC
Andrew Bartlett
abartlet at samba.org
Thu Aug 7 15:55:57 MDT 2014
On Thu, 2014-08-07 at 17:50 +0200, Andreas Schneider wrote:
> On Friday 01 August 2014 15:35:24 Andrew Bartlett wrote:
> > Can we try and avoid adding back all this glue by taking an alternative
> > approach on the kpasswd server? It is the only user of the gensec_krb5
> > code, which is essentially still the old, horrid, kerberos acceptor from
> > the 3.0 days.
>
> Yep!
>
> Günther and I worked on starting kadmind the whole week. We can change
> passwords with kpasswd now!
Great! The only concern that came to my mind is a rename risk: Do you
have some way to determine that if you get a ticket to change the
password on one user, and before the password is changed the user is
renamed, that user is renamed, and a new user created in it's place, you
change the password on the 'right' user?
(The SID in the PAC would be unchanged, but the principal would have
changed).
> In the MIT KRB5 build we don't build gensec_krb5 and we removed the patches we
> resurrected for this. We will take a look later if we could remove gensec_krb5
> completely.
The trouble is we don't run the Heimdal kadmind, so I think we are stuck
with some of gensec_krb5 for the Heimdal case.
> So here is a updated branch for review:
>
> https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc-ok
I'll take another look over it. I was quite pleased with it when I last
looked over that part of the changes.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140808/44bc651f/attachment.pgp>
More information about the samba-technical
mailing list