[RFE] Add RODC support to MIT Kerberos

Andreas Schneider asn at samba.org
Mon Jun 13 09:14:24 EDT 2016


My name is Andreas Schneider. I'm a member of the Samba Team and work on Samba 
AD with MIT Kerberos. I don't know the best way to file tickets for an RFE, 
so I'm writing to this list, as there might be comments from other developers.

Samba AD (Active Directory) supports running a Domain Controller (DC) as a 
Read-only DC (RODC). In Samba AD we start the MIT KDC, so the MIT KDC needs 
support for RODC. What is missing is proxying a TGS request to a 
writeable DC.

Samba currently uses libkdc from Heimdal to implement the KDC functionality. 
The packet handling is implemented in Samba code and is async.

* If a TGS request comes in, we look up the information to fulfill the request
  in the SAMDB (Security Account Management Database).
* If we are an RODC, the SAMDB detects this and returns a special error code;
  if we see this error, we set KDC_PROXY_REQUEST for the packet handling.
* Then the packet handling functions get a list of writeable DCs from the
  SAMDB, and we start sending the packet unmodified to each DC in the list of 
  writeable DCs until one comes back with success or all have failed.
* If we get a response packet from one of the writeable DCs, we send it to the
  client requesting the TGS.

So to support this we need the following:

* A new KDC error code so we can tell from the KDB that the KDC should proxy the
* A new KDB function to get a list of KDCs we can proxy the request to.
* If the KDB returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
  of KDCs we can proxy the packet to from the KDB, then start sending the packet
  to the list we got. Do this until all fail or we get a response from one of
  the KDCs, and send it to the client.

Please let me know if this makes sense.

Best regards,

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
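The following Python sketch is an added illustration of the control flow proposed in the message above; it is not part of the original post and is neither Samba nor MIT Kerberos code. It models a toy KDB whose lookup returns KRB5KDC_ERR_PROXY_REQUEST on an RODC, a "get proxy KDCs" KDB call, and a forwarder that sends the unmodified packet to each writable DC until one replies. The numeric value of KRB5KDC_ERR_PROXY_REQUEST, the SamDb class, the TGS-REQ/TGS-REP byte format and the DC names are all assumptions made for the example; KRB_ERR_GENERIC (60) is the RFC 4120 value.

```python
"""Toy model of an RODC KDC proxying a TGS request to writable DCs.

Hypothetical example, not Samba or MIT Kerberos code.  The packet format
(b"TGS-REQ:<principal>" / b"TGS-REP:<key>" / b"KRB-ERROR:<code>") and the
SamDb class are constructed for this demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Error code name from the proposal; the numeric value is an assumption.
KRB5KDC_ERR_PROXY_REQUEST = 0x1000
# KRB_ERR_GENERIC is 60 in RFC 4120; returned when every writable DC failed.
KRB_ERR_GENERIC = 60


class KdbError(Exception):
    """Raised by the KDB lookup, carrying a KDC error code."""

    def __init__(self, code: int) -> None:
        super().__init__(f"KDB error {code}")
        self.code = code


@dataclass
class SamDb:
    """Toy stand-in for the SAMDB behind the KDB interface (assumed)."""

    principals: Dict[str, bytes]
    read_only: bool = False
    writable_dcs: List[str] = field(default_factory=list)

    def lookup(self, principal: str) -> bytes:
        # On an RODC the KDB signals that the request must be proxied
        # rather than answered from local data.
        if self.read_only:
            raise KdbError(KRB5KDC_ERR_PROXY_REQUEST)
        if principal not in self.principals:
            raise KdbError(KRB_ERR_GENERIC)
        return self.principals[principal]

    def get_proxy_kdcs(self) -> List[str]:
        # The proposed new KDB function: writable DCs to try, in order.
        return list(self.writable_dcs)


# send_to_dc(dc, packet) returns the DC's reply, or None if that DC failed.
Transport = Callable[[str, bytes], Optional[bytes]]


def handle_tgs_request(kdb: SamDb, packet: bytes,
                       send_to_dc: Transport) -> bytes:
    """Answer a toy TGS request locally, or proxy it to a writable DC."""
    if not packet.startswith(b"TGS-REQ:"):
        return b"KRB-ERROR:%d" % KRB_ERR_GENERIC
    principal = packet[len(b"TGS-REQ:"):].decode()
    try:
        key = kdb.lookup(principal)
    except KdbError as err:
        if err.code != KRB5KDC_ERR_PROXY_REQUEST:
            return b"KRB-ERROR:%d" % err.code
        # Forward the packet unmodified to each writable DC until one replies.
        for dc in kdb.get_proxy_kdcs():
            reply = send_to_dc(dc, packet)
            if reply is not None:
                return reply
        # All writable DCs failed: the client gets an error, not a hang.
        return b"KRB-ERROR:%d" % KRB_ERR_GENERIC
    return b"TGS-REP:" + key


def make_writable_dc(kdb: SamDb) -> Callable[[bytes], bytes]:
    """Build a fake writable DC that answers from its own writable KDB."""
    def serve(packet: bytes) -> bytes:
        return handle_tgs_request(kdb, packet, lambda _dc, _p: None)
    return serve


def demo() -> dict:
    """Constructed scenario: an RODC tries dc1 (down), then dc2 (answers)."""
    writable = SamDb({"host/web.example.com": b"k1"})
    rodc = SamDb({}, read_only=True, writable_dcs=["dc1", "dc2"])
    dcs = {"dc1": None, "dc2": make_writable_dc(writable)}
    forwarded = []  # (dc, packet) pairs, to show the order and the payload

    def send_to_dc(dc: str, packet: bytes) -> Optional[bytes]:
        forwarded.append((dc, packet))
        server = dcs.get(dc)
        return None if server is None else server(packet)

    request = b"TGS-REQ:host/web.example.com"
    reply = handle_tgs_request(rodc, request, send_to_dc)
    return {"reply": reply, "forwarded": forwarded}


if __name__ == "__main__":
    print(demo())
```

The example keeps the forwarded packet byte-identical to what the client sent, which is what lets the writable DC's reply be relayed back without re-encoding; a real implementation would additionally need timeouts per DC and a way to bound how long a client waits when every writable DC is unreachable.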
