[RFE] Add RODC support to MIT Kerberos
Andreas Schneider
asn at samba.org
Mon Jun 13 09:14:24 EDT 2016
Hello,
my name is Andreas Schneider. I'm a member of the Samba Team and work on Samba
AD with MIT Kerberos. I don't know what the best way is to file tickets for RFEs,
so I'm writing to this list as there might be comments by other developers.
Samba AD (Active Directory) supports running a Domain Controller (DC) as a
Read-only DC (RODC). In Samba AD we start the MIT KDC, so the MIT KDC needs
support for RODC. What is missing is that a TGS request is proxied to a
writable DC.
Samba currently uses libkdc from Heimdal to implement the KDC functionality.
The packet handling is implemented in Samba code and is async.
* If a TGS request comes in, we look up the information to fulfill the request
in the SAMDB (Security Account Management Database).
* If we are an RODC, the SAMDB detects this and returns a special error code;
if we see this error, we set KDC_PROXY_REQUEST for the packet handling
code.
* Then the packet handling functions get a list of writable DCs from the
SAMDB, and we start sending the packet unmodified to each DC in the list of
writable DCs until one comes back with success or all have failed.
* If we get a response packet from one of the writable DCs, we send it to the
client requesting the TGS.
So to support this we need the following:
* A new KDC error code so we can tell from the KDB that the KDC should proxy the
request (KRB5KDC_ERR_PROXY_REQUEST).
* A new kdb function to get a list of KDCs we can proxy the request to.
* If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
of KDCs we can proxy the packet to from the KDB, then start sending the packet
to the list we got. Do this until all fail or we get a response from one of
the KDCs, and send it to the client.
Please let me know if this makes sense.
Best regards,
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
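The proposed KDC flow above (KDB signals proxying, KDC tries each writable DC in order, first reply wins, failure only when all fail), as an added simulation that is not Samba or MIT krb5 code. The KDB lookup, the network send, the numeric error values and the host names are all constructed stand-ins; only the name KRB5KDC_ERR_PROXY_REQUEST comes from the proposal.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes: the proposal names KRB5KDC_ERR_PROXY_REQUEST;
 * the numeric values here are placeholders, not MIT krb5 definitions. */
#define KRB5KDC_ERR_PROXY_REQUEST   (-100)
#define KRB5KDC_ERR_SVC_UNAVAILABLE (-101)

/* A writable DC the RODC may forward to (constructed test data). */
typedef struct { const char *host; int reachable; } proxy_kdc;

/* Simulated KDB backend state: RODC flag plus the writable-DC list. */
typedef struct { int is_rodc; const proxy_kdc *kdcs; size_t nkdcs; } kdb_sim;

/* Stand-in for the KDB principal lookup: an RODC that cannot satisfy the
 * TGS request returns the proposed proxy error instead of key material. */
static int kdb_lookup(const kdb_sim *kdb)
{
    return kdb->is_rodc ? KRB5KDC_ERR_PROXY_REQUEST : 0;
}

/* Stand-in for the network send: echoes the unmodified request prefixed by
 * the answering host when the DC is reachable, fails otherwise. */
static int send_to_kdc(const proxy_kdc *kdc, const char *req, char *reply, size_t len)
{
    if (!kdc->reachable)
        return KRB5KDC_ERR_SVC_UNAVAILABLE;
    snprintf(reply, len, "%s:%s", kdc->host, req);
    return 0;
}

/* Proposed KDC flow: answer locally if possible, otherwise forward the packet
 * unmodified to every writable DC in order and relay the first reply; fail only
 * when all of them failed. *answered_by receives the replying host, or NULL. */
int handle_tgs_request(const kdb_sim *kdb, const char *req, char *reply,
                       size_t len, const char **answered_by)
{
    int ret = kdb_lookup(kdb);
    *answered_by = NULL;
    if (ret == 0) {
        snprintf(reply, len, "local:%s", req);
        *answered_by = "local";
        return 0;
    }
    if (ret != KRB5KDC_ERR_PROXY_REQUEST)
        return ret;                       /* any other KDB error propagates */
    for (size_t i = 0; i < kdb->nkdcs; i++) {
        if (send_to_kdc(&kdb->kdcs[i], req, reply, len) == 0) {
            *answered_by = kdb->kdcs[i].host;
            return 0;                     /* first successful DC wins */
        }
    }
    return KRB5KDC_ERR_SVC_UNAVAILABLE;   /* every writable DC failed */
}
```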