Current ideas on kerberos requirements for Samba4

Nicolas Williams Nicolas.Williams at Sun.COM
Fri May 27 02:06:55 EDT 2005

On Fri, May 27, 2005 at 08:00:18AM +0200, Stefan (metze) Metzmacher wrote:
> Nicolas Williams wrote:
> > What Wyllys said.
> > 
> > The Samba team can go and do what they like -- there's plenty of KDC
> > source code with sufficiently friendly licensing to go around.  But I'd
> > much rather see cooperation (and cooperate) in the design of pluggable
> > interfaces for KDCs, such as pluggable backends, pluggable
> > pre-authentication providers, and pluggable authorization-data providers
> > (particularly AD-KDCIssued containees), and later, when extensions come
> > along, pluggable ticket extensions providers.
> yep, I think that is what we are aiming for...
> and just also an interface to hook into the kdc packet parse functions,
> so that we can control the network interface and raw data from the wire in our
> async event driven infrastructure...
> so the design would be like this:
> [wire] -> [samba socket lib] -> [samba kdc server service] -> [KDC library]
> [wire] <- [samba socket lib] <- [samba kdc server service] <- [KDC library]

I suppose I don't mind a "KDC library" too much... but, methinks that this
is going too far.  My first reaction, really, is "ick."

> or as an alternative, if the admin wants to run the kdc separately, he just starts the [KDC binary]
> which internally also uses its [KDC library], and on some Platforms/Systems the Vendors
> can make the [KDC library] shared. So security updates just need an update of the shared library.
> From the [KDC library] it looks like this:
> [KDC library]-> [db backend] -> [samba ldb backend]
> [KDC library]-> [pre-auth]   -> [samba pre-auth backend]
> [KDC library]-> [auth-data]  -> [samba auth-data backend]
> ...

That's more like it I think.

More information about the krbdev mailing list