Internal MIT Kerberos functions used by Samba

Andreas Schneider asn at samba.org
Mon Mar 20 05:45:14 EDT 2017


Hello,

As you might know, I have been working for several years now on migrating Samba AD to use MIT Kerberos instead of Heimdal Kerberos.

The MIT Kerberos library has several symbols which are public but do not offer 
a prototype in a header file. Samba uses several of those functions either to 
implement important parts or to be able to write tests. This document collects 
them and describes their use cases.

We would like to see a public header file to use those functions. We do not 
need stable API guarantees.

A warning before the changes happen to those functions would be great!



decode_krb5_setpw_req

Samba implements its own kpasswd server to be able to apply ACLs on the 
principal requesting to change a password. To perform a set_password it needs 
to decode a set_password request packet.

See source4/kdc/kpasswd-service-mit.c

It would be great to have a stable API for this function.


The following functions are used by source4/torture/krb5/kdc-mit.c. This is a 
set of tests that make sure that the KDC responds correctly to certain errors.

decode_krb5_error

If we send incorrect packets, we expect that certain error codes are returned. 
We use this function to decode error packets and make sure the correct error 
code is returned by the KDC.

decode_krb5_as_req

This is needed to verify that certain aspects which are expected by AD are 
sent in the request.

decode_krb5_as_rep

This is used to verify whether the KVNO is for an RODC or a normal DC, or to 
check that, if we request certain enctypes, they are also part of the ticket 
returned.

decode_krb5_padata_sequence

We have a test which authenticates with a wrong password. In this case we get 
an error packet and check the error e-data has KRB5_PADATA_ENC_TIMESTAMP set.

krb5_free_kdc_req

Used to free memory allocated by the decode functions.

krb5_free_kdc_rep

Used to free memory allocated by the decode functions.

krb5_free_pa_data

Used to free memory allocated by the decode functions.
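To make the decode_krb5_error and decode_krb5_padata_sequence checks above concrete, here is an added Python example (not Samba's or MIT Kerberos's code): a minimal DER walker that decodes a KRB-ERROR, pulls its e-data, and confirms the METHOD-DATA there carries KRB5_PADATA_ENC_TIMESTAMP. The packet, its error-code and the padata types in it are constructed for illustration, not captured from a KDC.

```python
# Added example, not Samba or MIT Kerberos code; the sample packet below is constructed.
KRB5_PADATA_ENC_TIMESTAMP = 2  # PA-ENC-TIMESTAMP padata-type (RFC 4120)

def der(tag, payload):  # encode one DER TLV; length form covers payloads under 256 bytes
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload

def tlv(buf, pos=0):  # decode one DER TLV at buf[pos] -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def fields(buf):  # yield (field number, inner value) for each [n] EXPLICIT member
    pos = 0
    while pos < len(buf):
        ctx, wrapped, pos = tlv(buf, pos)
        yield ctx & 0x1F, tlv(wrapped)[1]

def decode_krb_error(pkt):  # KRB-ERROR ([APPLICATION 30] SEQUENCE) -> (error-code, e-data or None)
    app, body, _ = tlv(pkt)
    seq, members, _ = tlv(body)
    if app != 0x7E or seq != 0x30: raise ValueError("not a KRB-ERROR")
    got = dict(fields(members))
    return int.from_bytes(got[6], "big", signed=True), got.get(12)  # [6] error-code, [12] e-data

def padata_types(e_data):  # METHOD-DATA (SEQUENCE OF PA-DATA) -> set of padata-type values
    seq, items, _ = tlv(e_data)
    if seq != 0x30: raise ValueError("e-data is not METHOD-DATA")
    types, pos = set(), 0
    while pos < len(items):
        _, pa, pos = tlv(items, pos)
        types.add(int.from_bytes(dict(fields(pa))[1], "big", signed=True))  # padata-type [1]
    return types

def has_enc_timestamp(pkt):  # the test's check: e-data advertises PA-ENC-TIMESTAMP
    _, e_data = decode_krb_error(pkt)
    return e_data is not None and KRB5_PADATA_ENC_TIMESTAMP in padata_types(e_data)

def _pa(ptype):  # PA-DATA with an empty padata-value, for the constructed sample only
    return der(0x30, der(0xA1, der(0x02, bytes([ptype]))) + der(0xA2, der(0x04, b"")))

# Constructed KRB-ERROR: error-code 24, e-data lists PA-ENC-TIMESTAMP (2) and PA-ETYPE-INFO2 (19).
SAMPLE_KRB_ERROR = der(0x7E, der(0x30,
    der(0xA0, der(0x02, b"\x05")) +                       # pvno [0] = 5
    der(0xA1, der(0x02, b"\x1e")) +                       # msg-type [1] = 30
    der(0xA6, der(0x02, b"\x18")) +                       # error-code [6] = 24
    der(0xAC, der(0x04, der(0x30, _pa(2) + _pa(19))))))   # e-data [12]
```

Against a real KDC reply the same two steps apply: decode the KRB-ERROR first, then walk the padata sequence inside its e-data.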


-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
