[RFE] Add RODC support to MIT Kerberos

Greg Hudson ghudson at mit.edu
Mon Jun 13 10:45:34 EDT 2016

On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> * A new KDC error code so we can tell from the KDB the KDC should proxy the
> * A new kdb function to get a list of KDCs we can proxy the request to
> * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
>   of KDCs we can proxy the packet to from KDB, then start sending the packet
>   to the list we got. Do this until all fail or we get a response from one of
>   the KDCs and send it to the client
> Please let me know if this makes sense.

This makes sense in the abstract, but I am concerned about the
complexity of the implementation.  We implemented support for
asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
it came at a significant cost to the maintainability of do_as_req.c and

Have you thought about designing a libkdc-like interface for the MIT
krb5 KDC, so that Samba could do RODC support in the same way as it does
for Heimdal?

More information about the krbdev mailing list