Implementing a KDB plugin

Greg Hudson ghudson at mit.edu
Thu May 5 15:41:51 EDT 2016


On 05/05/2016 02:57 PM, harsh savla wrote:
> The idea is that end users map Samba share using map drive and enter their
> Kerberos credentials. This hits our VM (specifically the krb5kdc service)
> and we just pass these credentials to the cloud service which then
> authenticates against the AD.

Kerberos KDCs do not generally receive the user's password from the
client.  Instead, the client and KDC leverage their shared knowledge of
the password (more specifically, a long-term key derived from the
password) to authenticate and create a ticket-granting ticket for the
client.  Therefore, it is not possible to create a KDB module which
causes the KDC to act as a pass-through password authentication service.

With some caveats, it is possible to do this using the FAST OTP preauth
protocol (RFC 6560).  In our implementation, you would do this by
creating a local RADIUS server which authenticates the client's
otp-value (which could just be a password) against a third-party
service.  The two caveats are (1) you must deploy FAST on the client to
protect the communication between the client and KDC, and (2) this
preauth mechanism is only implemented by MIT krb5 clients, not Microsoft
or Heimdal.
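As an added illustration of the RADIUS leg in the design described above (this is example code, not MIT krb5's OTP module nor anything from this thread): a minimal Python model of the RFC 2865 PAP exchange between the KDC's OTP preauth module and a local RADIUS server. The shared secret, the in-memory `_BACKEND` dictionary standing in for the third-party service, and the `alice@EXAMPLE.COM` account are all constructed for the example.

```python
import hashlib
import hmac
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, USER_NAME, USER_PASSWORD = 1, 2, 3, 1, 2  # RFC 2865 codes/attrs
SHARED_SECRET = b"constructed-shared-secret"  # constructed; stands in for the KDC/RADIUS shared secret
_BACKEND = {b"alice@EXAMPLE.COM": b"correct horse battery staple"}  # constructed third-party service

def backend_verify(user, password):
    # Stand-in for the call to the cloud/AD service; a real server would query it over the network.
    expected = _BACKEND.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

def _xor_chain(data, secret, req_auth, hiding):
    # RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = the Request Authenticator.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return _xor_chain(password + b"\0" * (-len(password) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, False).rstrip(b"\0")

def build_access_request(ident, user, password, secret, req_auth):
    # What the KDC's OTP preauth module sends: User-Name plus the hidden otp-value in User-Password.
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return bytes([ACCESS_REQUEST, ident]) + (20 + len(attrs)).to_bytes(2, "big") + req_auth + attrs

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        length = body[i + 1] if i + 1 < len(body) else 0
        if length < 2 or i + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[body[i]] = body[i + 2:i + length]
        i += length
    return attrs

def handle_access_request(packet, secret, verify=backend_verify):
    # The local RADIUS server's side: unhide the password, ask the backend, answer Accept or Reject.
    code, ident, length = packet[0], packet[1], int.from_bytes(packet[2:4], "big")
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    ok = USER_NAME in attrs and USER_PASSWORD in attrs and verify(
        attrs[USER_NAME], reveal_password(attrs[USER_PASSWORD], secret, req_auth))
    header = bytes([ACCESS_ACCEPT if ok else ACCESS_REJECT, ident]) + (20).to_bytes(2, "big")
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    return header + hashlib.md5(header + req_auth + secret).digest()
```

The User-Password hiding is MD5-keyed obfuscation rather than real encryption, which is why the RADIUS server in this design sits local to the KDC; FAST only protects the client-to-KDC leg.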

