[PATCH] Implement a more abstracted kpasswd service
Andrew Bartlett
abartlet at samba.org
Sat Sep 10 01:21:59 UTC 2016
On Wed, 2016-09-07 at 18:02 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> I've implemented a working kpasswd service with MIT Kerberos in the
> meantime.
> This patchset is the work to cleanup Heimdal code and prepare for
> later MIT
> Kerberos code.
>
> I've started with splitting up the test_passwords.sh test. Now we
> have a
> test_password_settings.sh and test_kpasswd_heimdal.sh test.
>
> The test_kpasswd_heimdal.sh only tests the kpasswd service
> implementation in
> different ways. It has some additional tests, like doing a password
> change
> with kinit.
>
> Next I reworked the kpasswd service implementation to be able to
> share code
> which is not Kerberos flavor specific.
>
> The patchset is attached but you can also find it here:
>
> https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master
> -kpasswd
>
>
> Please review and push if appropriate!
I see Jeremy is doing a careful review, but I've also given this a
quick look over, and it certainly seems reasonable.
I also wish to give an apology to you and your team for some historical
bad advise: I recall suggesting you could avoid gensec_krb5 if you
avoided implementing the kpasswd server, both of which you have now
needed to do.
I think this is the right choice, it is much easier to ensure we get
the correct protocol semantics this way, but I know your team spent
quite some resources on the attempt to use the MIT kpasswd server.
Thanks for all the hard work on this, it is critical work and really
important to the long term viability of Samba.
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list