[RFE] Add RODC support to MIT Kerberos
Andreas Schneider
asn at samba.org
Wed Jun 15 03:28:47 EDT 2016
On Monday, 13 June 2016 10:45:34 CEST Greg Hudson wrote:
> On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> > * A new KDC error code so we can tell from the KDB the KDC should proxy
> >   the request (KRB5KDC_ERR_PROXY_REQUEST).
> > * A new kdb function to get a list of KDCs we can proxy the request to
> > * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the
> >   list of KDCs we can proxy the packet to from KDB, then start sending
> >   the packet to the list we got. Do this until all fail or we get a
> >   response from one of the KDCs and send it to the client.
> >
> > Please let me know if this makes sense.
> > Please let me know if this makes sense.
>
> This makes sense in the abstract, but I am concerned about the
> complexity of the implementation. We implemented support for
> asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
> it came at a significant cost to the maintainability of do_as_req.c and
> kdc_preauth.c.
I need to look into that. In Samba the packet handling code including the
proxy is ~1000 loc.
> Have you thought about designing a libkdc-like interface for the MIT
> krb5 KDC, so that Samba could do RODC support in the same way as it does
> for Heimdal?
No, not yet. I need to look into that. It would also be nice to have a header
file with all the decode_* and encode_* prototypes.
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
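The proxy flow sketched in the quoted proposal (KDB signals "proxy this request", KDC walks a KDB-supplied list of writable KDCs and forwards until one answers or all fail) as an added, stand-alone model. This is example code written for this page, not code from MIT krb5 or Samba; every name in it (the status enum, kdc_target, sim_kdb_lookup, sim_send, handle_request) is a hypothetical stand-in, the real KDB and KDC interfaces differ, and the "reachable" flags and principal names are constructed input.

```c
/* Added example, not code from MIT krb5 or Samba: a stand-alone model of the
 * proxy flow proposed in the thread. The KDB returns a "proxy this request"
 * status; the KDC then walks a KDB-supplied list of writable KDCs and forwards
 * the request until one answers or all fail. Every name below is a
 * hypothetical stand-in; the real KDB and KDC interfaces look different. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum kdc_status {
    KDC_OK = 0,
    KDC_ERR_PROXY_REQUEST,   /* stand-in for the proposed KRB5KDC_ERR_PROXY_REQUEST */
    KDC_ERR_NO_PROXY_TARGET  /* every proxy target failed */
};

struct kdc_target {
    const char *name;
    int reachable;           /* constructed: simulates KDC/network availability */
};

/* Callback shapes; the demo injects simulated versions of both. */
typedef enum kdc_status (*kdb_lookup_fn)(const char *princ);
typedef int (*send_fn)(const struct kdc_target *t, const char *req,
                       char *resp, size_t resplen);

/* Simulated KDB: an RODC that only holds secrets for "local/..." principals
 * and asks the KDC to proxy everything else (constructed rule). */
static enum kdc_status sim_kdb_lookup(const char *princ)
{
    return strncmp(princ, "local/", 6) == 0 ? KDC_OK : KDC_ERR_PROXY_REQUEST;
}

/* Simulated forwarding: 0 with a reply in resp, or -1 on timeout. */
static int sim_send(const struct kdc_target *t, const char *req,
                    char *resp, size_t resplen)
{
    if (!t->reachable)
        return -1;
    snprintf(resp, resplen, "reply from %s for %s", t->name, req);
    return 0;
}

/* Try each KDC in order until one answers; fail only when all do. */
enum kdc_status proxy_request(const struct kdc_target *targets, size_t n,
                              const char *req, char *resp, size_t resplen,
                              send_fn send)
{
    for (size_t i = 0; i < n; i++) {
        if (send(&targets[i], req, resp, resplen) == 0)
            return KDC_OK;
        /* a real KDC would log the failed target here and move on */
    }
    return KDC_ERR_NO_PROXY_TARGET;
}

/* KDC request path: serve locally, or proxy when the KDB says so. */
enum kdc_status handle_request(const char *princ,
                               const struct kdc_target *targets, size_t n,
                               kdb_lookup_fn lookup, send_fn send,
                               char *resp, size_t resplen)
{
    enum kdc_status st = lookup(princ);
    if (st == KDC_OK) {
        snprintf(resp, resplen, "reply from self for %s", princ);
        return KDC_OK;
    }
    if (st != KDC_ERR_PROXY_REQUEST)
        return st;
    return proxy_request(targets, n, princ, resp, resplen, send);
}

/* Scenario 1: first writable KDC is down, second answers. Returns 1 when the
 * reply comes from the second target. */
int demo_failover(void)
{
    const struct kdc_target kdcs[] = { {"dc1", 0}, {"dc2", 1} };
    char resp[128];
    enum kdc_status st = handle_request("remote/user", kdcs, 2,
                                        sim_kdb_lookup, sim_send,
                                        resp, sizeof resp);
    return st == KDC_OK && strcmp(resp, "reply from dc2 for remote/user") == 0;
}

/* Scenario 2: every writable KDC is down; the KDC must report failure
 * rather than hand the client an empty reply. */
int demo_all_fail(void)
{
    const struct kdc_target kdcs[] = { {"dc1", 0}, {"dc2", 0} };
    char resp[128] = "";
    enum kdc_status st = handle_request("remote/user", kdcs, 2,
                                        sim_kdb_lookup, sim_send,
                                        resp, sizeof resp);
    return st == KDC_ERR_NO_PROXY_TARGET && resp[0] == '\0';
}

/* Scenario 3: principal the RODC holds itself; no proxying happens. */
int demo_local(void)
{
    const struct kdc_target kdcs[] = { {"dc1", 0} };
    char resp[128];
    enum kdc_status st = handle_request("local/user", kdcs, 1,
                                        sim_kdb_lookup, sim_send,
                                        resp, sizeof resp);
    return st == KDC_OK && strcmp(resp, "reply from self for local/user") == 0;
}

int main(void)
{
    printf("failover=%d all_fail=%d local=%d\n",
           demo_failover(), demo_all_fail(), demo_local());
    return 0;
}
```

The point the three scenarios isolate is the "until all fail" clause of the proposal: the loop must distinguish "one target answered" from "the list was exhausted", and the caller must surface the latter as an error instead of returning whatever is left in the reply buffer.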