[PATCHSET] Samba AD with MIT Kerberos

Andrew Bartlett abartlet at samba.org
Mon Mar 13 17:40:21 UTC 2017 

On Mon, 2017-03-13 at 08:29 +0100, Andreas Schneider via samba-
technical wrote:
> Hello,
> 
> after more than 3 years of work I finally got this:
> 
> 
> 	ALL OK (14658 tests in 2030 testsuites)
> 
> 
> The testsuite completed for the first time!

Congratulations!

> The journey started with the cwrap [1] project to make it possible to
> test 
> Samba with the MIT KDC. We already pushed some code upstream
> especially code 
> which not only handles MIT Kerberos but also fixed bugs with Heimdal.
> We 
> discovered a lot of issues while working on this code.
> 
> Attached is the patchset to implement the missing parts and get
> everything 
> working.
> 
> 
>  46 files changed, 3113 insertions(+), 507 deletions(-)
> 
> 
> What isn't working yet
> ----------------------
> 
> * KDC canon tests are not implemented yet
> * PKINIT
> * S4U2SELF/S4U2PROXY
> * RODC
> 
> 
> The patches are also available at [2].
> 
> 
> It requires MIT Kerberos 1.15.1! Packages for Fedora 25 can be found
> at [3].
> 
> 
> Review is much appreciated!

I'm really, really impressed.  I'll look again, but I have no
objections so far, other than for:

> 
> Subject: [PATCH 01/49] s4:torture: Fix the remote_pac test
> 
> All the Kerberos implementation do not expect an order of the pac
> buffer. The buffers are not processed in the oder they are sent but
> when
> required just located.
> 
> I confirmed this with MS at the IO Lab.
> 
> Signed-off-by: Andreas Schneider <asn at samba.org>

For this patch, are we sure old Samba versions are not picky?  My gut
feeling at 6:30am is that our code there was pretty fragile, but it
seems that if so, the additions of LOGON_CREDS and the upn dns info
would have broken it anyway.

Very, very well done.  Thank you for your persistence, congratulations
and many thanks for meeting the challenges given you, particularly
those landed on you (like the horror kdc and kdc-canon test still to
go) without much notice. 

Finally, from here, what do you see as the procedure to add features to
the MIT KDC?  

Specifically, about the time you land this, I hope to land the NTLM
logging patches Gary is working on, and follow up shortly  with similar
patches for Heimdal's KDC, so we spit out a similar JSON structure on
failure, and send it over Samba's message bus (that helps us write
tests).  

The hooks we have in Heimdal are not quite good enough for what we want
(can't catch unknown user), so we will need to add some more.  Assuming
the same applies in MIT, how should we get such hooks, and given
Samba's needs remain a moving target, how do you expect the engineering
pattern to work long term?   Will we try to support multiple MIT
versions with #ifdefs, or just the latest?  

Will it be OK for features to be Heimdal-only?  (And vice-versa).  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list