[PATCHSET] Introduce SDB - a KDC backend abstraction
Andrew Bartlett
abartlet at samba.org
Tue Aug 4 02:03:24 UTC 2015
On Mon, 2015-08-03 at 13:21 +0200, Andreas Schneider wrote:
> On Saturday 01 August 2015 09:58:33 Andrew Bartlett wrote:
> >
> > I'm just worried that when we have a #define that needs to be the same
> > as the Heimdal define, but isn't linked to that define by the compiler,
> > that this kind of thing becomes mind-bending to debug. I don't expect
> > such changes, but I would like some protections, like in the Heimdal
> > case importing the header and using the original values, or failing to
> > build with a #error if they don't match.
>
> See attached patch ...

This is a good start. We also need the various other #defines like
SDB_ERR_* protected.

Reviewed-by: Andrew Bartlett <abartlet at samba.org>

> > What remains is to get Samba from here to when the MIT Krb5 effort
> > finishes in the safest way possible. For my part, I'll try and keep a
> > closer eye on the WIP branches (please mail me when you have something
> > interesting to look at) and if you can let me give a final look-over
> > before they land, that would be great.
>
> Important was to get the sdb changes upstream cause changes to the kdc code
> broke our MIT tree every few days when metze committed patches for trusted
> domains.
>
> At the moment I've cleaned up the repo and the next patchset proposed for
> master will be the mit_samba patches. A layer between SDB/Samba and KDB so
> that we do not have SDB inside the MIT KDB driver.
>
> It is still possible that we do not handle some corner cases in this code.
> For example reporting errors for the user correctly. S4U2Self and S4U2Proxy
> are not implemented yet either ...

Agreed. And we need more tests for this, like the other KDC tests.

> You can take a look at it but I suggest to look at the .c file in a checkout
> and not at the patches cause some code is already there ...
>
> There is a TODO file which will tell you what still needs to be done

Missing from that file is:

* Implement the gssapi_krb5 module to emulate broken clients that hand-build
  GSSAPI incorrectly (revert removal of wrapper functions).
* Accept these dodgy clients in MIT krb5 (ok, not a Samba TODO)
* Perhaps support AllowedWorkstationNames in Krb5 (sadly no existing test)
* enable the disabled tests
* Testing against windows wintest or some other automated fashion
* and perhaps not much else.

I'll keep thinking about it, but maybe, once the tests are all re-enabled
and all work, then we might be close. It has been a very long road.

Finally, can you review the attached patch for this failure in the
samba-libs test in autobuild on a clean 14.04 machine?

[2048/3974] Compiling source4/kdc/sdb_to_hdb.c
In file included from ../source4/kdc/sdb_to_hdb.c:24:0:
../source4/include/includes.h:54:20: fatal error: talloc.h: No such file or directory
#include <talloc.h>
^
compilation terminated.
Waf: Leaving directory `/home/ubuntu/autobuild/b31939/samba-libs/bin'
Build failed: -> task failed (err #1):
{task: cc sdb_to_hdb.c -> sdb_to_hdb_9.o}
make: *** [all] Error 1

A similar issue exists for 'sdb', but you may there wish not to include
includes.h. I'll let you work that one out.

Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-build-Fix-missing-dep-on-talloc.patch
Type: text/x-patch
Size: 758 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150804/17c6ed50/0001-build-Fix-missing-dep-on-talloc.bin>