[PATCH] Implement a more abstracted kpasswd service

Andrew Bartlett abartlet at samba.org
Tue Sep 13 10:06:35 UTC 2016 

On Mon, 2016-09-12 at 09:32 +0200, Andreas Schneider wrote:
> On Saturday, 10 September 2016 13:21:59 CEST Andrew Bartlett wrote:
> > 
> > I see Jeremy is doing a careful review, but I've also given this a
> > quick look over, and it certainly seems reasonable.
> > 
> > I also wish to give an apology to you and your team for some
> > historical
> > bad advise:  I recall suggesting you could avoid gensec_krb5 if you
> > avoided implementing the kpasswd server, both of which you have now
> > needed to do.
> 
> The reason for implementing the kpasswd server is that the kadmind
> from MIT 
> Kerberos doesn't provide a way to check ACLs using the KDB plugin.

Yep.  

> Why do we have/need gensec_krb5?

kpasswd is a krb5 wrapped service, not a gssapi service, so we need it.

> Each GSSAPI functions creates a new krb5_context and throws it away
> when the 
> function is done.
> 
> However we need to load the HDB/KDB plugin we have so we can access
> the keytab 
> to decrypt tickets. Registering the plugin is done on the
> krb5_context but we 
> are not able to use that as GSSAPI is creating a new context for each
> call.
> 
> To fix that MIT Kerberos has a call krb5_ktkdb_set_context(). It is
> used to 
> set a different context for ktkdb_get_entry(). GSSAPI has its own
> context but 
> to access the KDB we need a context with the KDB keytab operations
> registered. 
> This functions allows it. The function is not public but we could
> look into it 
> and check if we can do something similar in Heimdal.
> 
> We should get rid of the gensec_krb5 module at least in production.

We can't, because the wrapping of the kpasswd protocol is not gssapi.

> > 
> > I think this is the right choice, it is much easier to ensure we
> > get
> > the correct protocol semantics this way, but I know your team spent
> > quite some resources on the attempt to use the MIT kpasswd server.
> 
> gensec_krb5 is used in testing to verify that some old Samba client
> behavior 
> still works against the current Samba AD KDC. I don't know which
> version had 
> this strange behavior it would be great to know which versions that
> really 
> are.
> 
> > 
> > Thanks for all the hard work on this, it is critical work and
> > really
> > important to the long term viability of Samba.
> 
> Thanks, I hope we can work on some things during the Samba IO Lab and
> find and 
> fix some bugs.

I very much look forward to it.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list