Internal MIT Kerberos functions used by Samba
ghudson at mit.edu
Mon Mar 20 10:54:42 EDT 2017
Thanks again for writing this up.
On 03/20/2017 05:45 AM, Andreas Schneider wrote:
> The MIT Kerberos library has several symbols which are public but do not offer
> a prototype in a header file.
Just to be clear, we don't consider functions exported by libkrb5 to be
part of the public API unless they have a prototype. In most cases
those symbols are exported for ease of testing or by use in other parts
of the tree.
[for the Samba kpasswd server]
The krb5_setpw_req structure is also not public.
If the only reason Samba needs its own kpasswd server is access control,
I would hope that is a temporary need, although we've been very slow to
create a pluggable access control interface for kadmind's password server.
[for the Samba test suite]
We have krb5_rd_error() which wraps decode_krb5_error(). This and
krb5_mk_error() exist for applications which use KRB_ERROR messages in
their protocols, such as kprop.
One option would be to add similar krb5_rd_kdc_req(), krb5_rd_kdc_rep(),
and krb5_rd_padata() wrappers, or some variation along those lines. The
argument against doing this is that libkrb5 isn't designed to be a
nuts-and-bolts encoding library for test suites. I've done some
preliminary work on a Python library for this purpose, but I stalled out
after implementing the crypto layer.
A more conservative option, in the sense of not making a long-term API
commitment, would be to create a new public header marked as unstable
across releases, containing prototypes for a set of encoding and
decoding functions, and perhaps some formerly private structures such as
I would welcome opinions from other Kerberos developers.
More information about the krbdev