[RFE] Add RODC support to MIT Kerberos
Greg Hudson
ghudson at mit.edu
Mon Jun 13 10:45:34 EDT 2016
On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> * A new KDC error code so we can tell from the KDB the KDC should proxy the
> request (KRB5KDC_ERR_PROXY_REQUEST).
> * A new kdb function to get a list of KDCs we can proxy the request to
> * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
> of KDCs we can proxy the packet to from KDB, then start sending the packet
> to the list we got. Do this until all fail or we get a response from one of
> the KDCs and send it to the client
>
> Please let me know if this makes sense.
This makes sense in the abstract, but I am concerned about the
complexity of the implementation. We implemented support for
asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
it came at a significant cost to the maintainability of do_as_req.c and
kdc_preauth.c.
Have you thought about designing a libkdc-like interface for the MIT
krb5 KDC, so that Samba could do RODC support in the same way as it does
for Heimdal?
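The forwarding loop Andreas sketches above (try each KDC the KDB returned, stop at the first reply, fail only when all have failed) can be written down in a few lines. The block below is an added illustration, not code from MIT krb5 or Samba: `proxy_request`, `proxy_send_fn`, `PROXY_ERR_ALL_FAILED` and the mock transport are all hypothetical names chosen here, and the KDC host names are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sentinel for "every candidate KDC failed"; not a real krb5 error code. */
#define PROXY_ERR_ALL_FAILED (-1)

/* Hypothetical transport hook: returns 0 and fills reply on success, nonzero on
 * timeout or transport error. A real KDC would wrap a UDP/TCP exchange here. */
typedef int (*proxy_send_fn)(const char *kdc, const char *req, size_t reqlen,
                             char *reply, size_t replylen, void *ctx);

/* Forward the (unmodified) client request to each KDC in the list the KDB
 * returned, in order, until one answers. Returns the index of the KDC that
 * answered, or PROXY_ERR_ALL_FAILED when none did. */
int proxy_request(const char **kdcs, size_t nkdcs, const char *req, size_t reqlen,
                  char *reply, size_t replylen, proxy_send_fn send, void *ctx)
{
    for (size_t i = 0; i < nkdcs; i++) {
        if (send(kdcs[i], req, reqlen, reply, replylen, ctx) == 0)
            return (int)i;
        /* failure: fall through to the next candidate */
    }
    return PROXY_ERR_ALL_FAILED;
}

/* Constructed mock transport: KDCs whose name starts with "down" never answer;
 * any other KDC echoes the request tagged with its own name. */
struct mock_ctx { int attempts; };

static int mock_send(const char *kdc, const char *req, size_t reqlen,
                     char *reply, size_t replylen, void *ctx)
{
    struct mock_ctx *m = ctx;
    (void)reqlen;
    m->attempts++;
    if (strncmp(kdc, "down", 4) == 0)
        return 1;                       /* simulated timeout / unreachable */
    snprintf(reply, replylen, "%s:%s", kdc, req);
    return 0;
}

/* Scenario 1: first two KDCs unreachable, third answers. Returns the index
 * that answered (expected 2) after exactly three attempts. */
int demo_first_reachable(void)
{
    const char *kdcs[] = { "down-kdc1.example.com", "down-kdc2.example.com",
                           "kdc3.example.com" };
    struct mock_ctx m = { 0 };
    char reply[128] = "";
    int idx = proxy_request(kdcs, 3, "AS-REQ", 6, reply, sizeof reply,
                            mock_send, &m);
    if (m.attempts != 3)
        return -100;
    if (strcmp(reply, "kdc3.example.com:AS-REQ") != 0)
        return -101;
    return idx;
}

/* Scenario 2: every KDC is down. Returns PROXY_ERR_ALL_FAILED after trying
 * each candidate exactly once. */
int demo_all_down(void)
{
    const char *kdcs[] = { "down-a.example.com", "down-b.example.com" };
    struct mock_ctx m = { 0 };
    char reply[128] = "";
    int rc = proxy_request(kdcs, 2, "AS-REQ", 6, reply, sizeof reply,
                           mock_send, &m);
    if (m.attempts != 2)
        return -100;
    return rc;
}

int main(void)
{
    printf("first reachable: %d\n", demo_first_reachable());
    printf("all down: %d\n", demo_all_down());
    return 0;
}
```

Two points a real implementation would have to settle that the sketch leaves open: each attempt needs its own timeout so one silent KDC cannot stall the client's request indefinitely, and the request bytes must be forwarded exactly as received so the upstream KDC's signature checks and the client's reply matching still hold.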