[PATCHSET] Introduce SDB - a KDC backend abstraction

Andrew Bartlett abartlet at samba.org
Tue Aug 4 02:03:24 UTC 2015

On Mon, 2015-08-03 at 13:21 +0200, Andreas Schneider wrote:
> On Saturday 01 August 2015 09:58:33 Andrew Bartlett wrote:
> > 
> > I'm just worried that when we have a #define that needs to be the 
> > same
> > as the Heimdal define, but isn't linked to that define by the 
> > compiler,
> > that this kind of thing becomes mind-bending to debug.  I don't 
> > expect
> > such changes, but I would like some protections, like in the 
> > Heimdal
> > case importing the header and using the original values, or failing 
> > to
> > build with a #error if they don't match.
> See attached patch ...

This is a good start.  We also need the various other #defines like
SDB_ERR_* protected.

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

> > > What remains is to get Samba from here to when the MIT Krb5 effort
> > finishes in the safest way possible.  For my part, I'll try and 
> > keep a
> > closer eye on the WIP branches (please mail me when you have 
> > something
> > interesting to look at) and if you can let me give a final look
> > -over
> > before they land, that would be great.
> Important was to get the sdb changes upstream cause changes to the 
> kdc code 
> broke our MIT tree every few days when metze committed patched for 
> trusted 
> domains.
> At the moment I've clean up the repo and the next patchset proposed 
> for master 
> will be the mit_samba patches. A layer between SDB/Samba and KDB so 
> that we do 
> not have SDB inside the MIT KDB driver.
> It is still possible that we do not handle some corner cases in this 
> code. For 
> example reporting errors for the user correctly. S4U2Self and 
> S4U2Proxy is not 
> implemented yet too ...

Agreed.  And we need more tests for this, like the other KDC tests. 

> You can take a look at it but I suggest to look at the .c file in a 
> checkout 
> and not at the patches cause some code is already there ...
> There is a TODO file which will tell you what still need to be done 

Missing from that file is:

* Implement the gssapi_krb5 module to emulate broken clients that hand
-build GSSAPI incorrectly (revert removal of wrapper functions). 
* Accept these dodgy clients in MIT krb5 (ok, not a Samba TODO)
* Perhaps support AllowedWorkstationNames in Krb5 (sadly no existing
* enable the disabled tests
* Testing against windows wintest or some other automated fashion
* and perhaps not much else.  

I'll keep thinking about it, but maybe, one the tests are all re-enable
and all work, then we might be close.  It has been a very long road.

Finally, can you review the attached patch for this failure in the
samba-libs test in autobuild on a clean 14.04 machine?

[2048/3974] Compiling source4/kdc/sdb_to_hdb.c
In file included from ../source4/kdc/sdb_to_hdb.c:24:0:
../source4/include/includes.h:54:20: fatal error: talloc.h: No such
file or directory
 #include <talloc.h>
compilation terminated.
Waf: Leaving directory `/home/ubuntu/autobuild/b31939/samba-libs/bin'
Build failed:  -> task failed (err #1): 
	{task: cc sdb_to_hdb.c -> sdb_to_hdb_9.o}
make: *** [all] Error 1

A similar issue exists for 'sdb', but you may there wish not to include
includes.h.  I'll let you work that one out.


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-build-Fix-missing-dep-on-talloc.patch
Type: text/x-patch
Size: 758 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150804/17c6ed50/0001-build-Fix-missing-dep-on-talloc.bin>

More information about the samba-technical mailing list