Getting rid of smb_krb5_send_and_recv_func()

Andrew Bartlett abartlet at samba.org
Tue May 6 01:48:33 MDT 2014 

On Tue, 2014-05-06 at 08:25 +0200, Andreas Schneider wrote:
> On Tuesday 06 May 2014 10:52:00 you wrote:
> > On Mon, 2014-05-05 at 09:32 +0200, Andreas Schneider wrote:
> > > On Thursday 01 May 2014 09:31:50 Andrew Bartlett wrote:
> > > > On Wed, 2014-04-30 at 11:54 +0200, Andreas Schneider wrote:
> > > > > Hi,
> > > > > 
> > > > > with Andrew his patches and the preloadable socket_wrapper we're now
> > > > > able
> > > > > to get rid of smb_krb5_send_and_recv_func().
> > > > > 
> > > > > I've prepared a patchset here:
> > > > > 
> > > > > https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/smb_krb
> > > > > 5_se
> > > > > nd_and_recv_func
> > > > > 
> > > > > 
> > > > > A local 'make test' completed successfully.
> > > > 
> > > > My main concern is that this implies that we are backing down from
> > > > Kerberos due to it failing, rather than actually handling this properly.
> > > 
> > > I don't really get what you want to explain to me. For me this code looks
> > > like it has been created so that heimdal works with socket_wrapper.
> > > 
> > > > That is, I think we fall into the KDC not found case, and fall back to
> > > > NTLM, when Samba is operating in single process mode.
> > > 
> > > If we remove this function then heimdal will take care of sending the
> > > packet. doesn't it?
> > > 
> > > Can you please explain this in more details so that Günther and I
> > > understand the purpose of these functions.
> > 
> > It has three purposes:
> > 
> > To use socket_wrapper, and to use our name resolution, and to use our
> > event loop, so a single-process mode server can talk to itself.  You
> > handled the first, perhaps the second and not the third.
> 
> nss_wrapper does name resolution and this works even with system libraries! 
> For more details read: https://lwn.net/Articles/594863/

Yes, but so far we have not removed the dns_host_file as far as I can
see, and does nss_wrapper handle the SRV records and do real DNS lookups
to emulated DNS servers?

As I mention at
https://lists.samba.org/archive/samba-technical/2013-November/095966.html
I need this for the multi-domain stuff to work in 'make test'. 

> So this leaves the event loop. Why does it need to use the Samba event loop?

When 'samba' is run as a single process, some aspects of the AD DC
(dreplsrv in particular) will need to ask for tickets from the KDC,
implemented in the same process.  Unless it uses the same event loop, it
would block on the read() waiting for a reply, because nothing will
allow the KDC to run.

> > Please do not remove this without my explicit ACK.
> 
> We're trying to port Samba 4 to MIT Kerberos and are trying to understand why 
> we do certain things. Please go into more details so we can understand why it 
> was done this way.

As you won't run the AD DC in a true single process, you probably don't
need it.

However, this moment where we have interest in making this work properly
is a great opportunity to fix this properly.  What we need is a fork or
threads based async handler for gssapi and kerberos, so that the work
being done elsewhere to make gensec async can work for the gssapi
client.  I need someone confident with tevent and async work (that is,
not me) to take this part on.  This too will remove the need for the
event loop inside libkrb5, because it would instead loop at the gensec
caller or above, plus become async and non-blocking etc :-).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list