[RFE] Add RODC support to MIT Kerberos

Andreas Schneider asn at samba.org
Wed Jun 15 03:28:47 EDT 2016

On Monday, 13 June 2016 10:45:34 CEST Greg Hudson wrote:
> On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> > * A new KDC error code so we can tell from the KDB the KDC should proxy
> > the
> > 
> >   request (KRB5KDC_ERR_PROXY_REQUEST).
> > 
> > * A new kdb function to get a list of KDCs we can proxy the request to
> > * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the
> > list
> > 
> >   of KDCs we can proxy the packet to from KDB, then start sending the
> >   packet
> >   to the list we got. Do this until all fail or we get a response from one
> >   of
> >   the KDCs and send it to the client
> > 
> > Please let me know if this makes sense.
> This makes sense in the abstract, but I am concerned about the
> complexity of the implementation.  We implemented support for
> asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
> it came at a significant cost to the maintainability of do_as_req.c and
> kdc_preauth.c.

I need to look into that. In Samba the packet handling code including the 
proxy is ~1000 loc.
> Have you thought about designing a libkdc-like interface for the MIT
> krb5 KDC, so that Samba could do RODC support in the same way as it does
> for Heimdal?

No, not yet. I need to look into that. It would also be nice to have a header 
file with all the decode_* and encode_* prototypes.

	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org

More information about the krbdev mailing list