MIT Krb5 KDC in the AD DC

Andrew Bartlett abartlet at samba.org
Thu Aug 7 21:08:29 MDT 2014 

On Thu, 2014-08-07 at 17:50 +0200, Andreas Schneider wrote:
> On Friday 01 August 2014 15:35:24 Andrew Bartlett wrote:
> > Can we try and avoid adding back all this glue by taking an alternative
> > approach on the kpasswd server?  It is the only user of the gensec_krb5
> > code, which is essentially still the old, horrid, kerberos acceptor from
> > the 3.0 days.
> 
> Yep!
> 
> Günther and I worked on starting kadmind the whole week. We can change 
> passwords with kpasswd now!
> 
> In the MIT KRB5 build we don't build gensec_krb5 and we removed the patches we 
> resurrected for this. We will take a look later if we could remove gensec_krb5 
> completely.
> 
> So here is a updated branch for review:
> 
> https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-mit-kdc-ok

I've reviewed and pushed all these, except:

In:
lib/krb5_wrap: provide KRB5KDC_ERR_KEY_EXPIRED error code matching MIT.

You mean, I think, 
s4-kdc: Use KRB5KDC_ERR_KEY_EXP error code available in both MIT and
Heimdal

Also skipped were:

Remove custom password change code in libads (we need the tests I
mentioned earlier)
krb5_wrap: Use com_err in krb5_warnx. (It's fine, and reviewed, but just
was missing the signed off tag).

Also skipped for the same missing signed-off-by are the gensec_krb5
wscript change and:

pick e3e4834 lib/krb5_wrap: make sure smb_krb5_principal_get_realm
returns a malloced string.
pick d9716f1 s3-libads/krb5_setpw: free realm from
smb_krb5_principal_get_realm().
pick 32237c8 s4-dsdb/cracknames: free realm from
smb_krb5_principal_get_realm().

Aside from the tests, all this is pretty cosmetic, please tidy it up,
add my review tag and push. 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140808/580019f8/attachment.pgp>

More information about the samba-technical mailing list