
Difference between revisions of "Projects/Samba4 Port"

From K5Wiki
(Replace the MIT KDC's LDAP driver)
 
(38 intermediate revisions by 2 users not shown)
Line 23: Line 23:
 
non-AD-style KDC, so as to access UNIX services securely;
 
non-AD-style KDC, so as to access UNIX services securely;
 
<li> A UNIX client's ticket will ''not'' carry a PAC, except when
 
<li> A UNIX client's ticket will ''not'' carry a PAC, except when
the UNIX client accesses a Windows server.
+
the UNIX client accesses a Windows server
  +
([http://k5wiki.kerberos.org/wiki/Samba4:_Optional_PACs_for_Unix_clients '''Rationale'''])
  +
.
 
</li>
 
</li>
 
</ol>
 
</ol>
 
   
 
The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have
 
The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have
shown some interest in this Samba4 Port project.
+
shown some interest in this Samba4 Port project.
  +
[http://k5wiki.kerberos.org/wiki/Supported_platforms_for_Samba4_port '''Here''']
  +
is a table showing which OS platforms are supported by Samba4, Heimdal, and MIT kerberos.
  +
Summary: MIT-krb5 & Samba4 both run on Mac OS X, NetBSD, Debian, RedHat, Ubuntu, & Solaris.
   
==== Key to the asterisks in the Table of Contents ====
 
  +
----
<ol>
 
<li> No asterisks: Work that needs to be done. </li>
 
<li> '''*''': Some work to be done, some already done. </li>
 
<li> '''**''': Nothing much to do.
 
<li> '''***''': Can be done later, if at all.
 
</ol>
 
   
 
== Concise to-do list ==
 
== Concise to-do list ==
   
 
This is a condensed version of the
 
This is a condensed version of the
task-list offered by Samba4's Andrew Bartlett,
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_%28Andrew_Bartlett%29#Data-Abstraction_Layer_.28DAL.29 '''task-list'''] offered by Samba4's Andrew Bartlett,
 
containing only what hasn't yet been done already by MIT.
 
containing only what hasn't yet been done already by MIT.
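Review bot: the last two entries of the new asterisk key (`<li> '''**''': Nothing much to do.` and `<li> '''***''': Can be done later, if at all.`) have no closing `</li>`, while the two entries above them do; add the closing tags so the `<ol>` stays well-formed. The new sentence ending "accesses a Windows server" puts its final period on a line of its own after the Rationale link; it renders correctly, but keeping "server ([...Rationale])." on one line is easier to read in source.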
   
Line 65: Line 58:
 
for Win2k accounts.
 
for Win2k accounts.
 
</li>
 
</li>
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Principal_.22types.22 '''Principal "types"''']: client / server / krbtgs
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Principal_.22types.22 '''Principal "types":'''] client / server / krbtgs
 
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Flexible_server-naming '''Flexible server-naming''']
 
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Flexible_server-naming '''Flexible server-naming''']
 
</li>
 
</li>
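Review bot: moving the colon inside the bold link text (`'''Principal "types":'''`) makes the punctuation part of the link; the neighbouring items keep their punctuation outside the closing `]`, so leave the colon after the link for consistency.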
Line 72: Line 65:
 
</ol>
 
</ol>
 
Most or all of Heimdal's LDAP driver code is in
 
Most or all of Heimdal's LDAP driver code is in
[[#LDAP_driver | '''three Samba4 source files''']],
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#LDAP_driver '''three Samba4 source files'''],
 
~1000 lines in all.
 
~1000 lines in all.
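Review bot: "Most or all of Heimdal's LDAP driver code is in three Samba4 source files" leaves open whether any of the driver lives outside those files; since this sentence introduces the LDAP-driver task, say which it is (or what the ~1000-line figure excludes) next to the retargeted Task-List link.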
   
Line 78: Line 71:
   
 
=== Small changes ===
 
=== Small changes ===
Of the things on this list, only NTLM support is needed
+
Of the things on this list, only NTLM support (bullet 2)
for the Samba4 KDC port.
+
is needed for the Samba4 KDC port.
 
The other tasks are all application-library stuff,
 
The other tasks are all application-library stuff,
 
and arguably aren't needed at all, because Samba3
 
and arguably aren't needed at all, because Samba3
 
already works well with MIT application libraries.
 
already works well with MIT application libraries.
 
<ol>
 
<ol>
<li> [[#MIT_libraries | '''MIT library changes''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#MIT_libraries '''MIT library changes''']
 
</li>
 
</li>
<li> [[#NTLM_support | '''Samba4/AD libraries: NTLM support''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#NTLM_support '''Samba4/AD libraries: NTLM support''']. See also
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_NTLM_thread '''this Sept-2009 NTLM thread'''] (this implies to me that a GSS NTLM mech is not an immediate requirement - LH)
 
</li>
 
</li>
<li> [[#Key-handling_changes | '''Key-handling changes''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Key-handling_changes '''Key-handling changes''']]
 
</li>
 
</li>
<li> [[#.2A_Extra_krb_library_functions | '''Extra Krb library functions''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Extra_krb_library_functions '''Extra Krb library functions''']
 
</li>
 
</li>
<li> [[#Error-handling.2C_logging.2C_testing | '''Error-handling, logging, testing''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Error-handling.2C_logging.2C_testing '''Error-handling, logging, testing''']
 
</li>
 
</li>
 
</ol>
 
</ol>
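Review bot: the new "Key-handling changes" item closes its external link with `''']]`, one `]` too many, so a stray `]` will render after the link text; use a single `]` as in the sibling items. "only NTLM support (bullet 2) is needed" ties the statement to a list position that breaks if the list is reordered; naming the item ("the NTLM-support item") is safer.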
Line 101: Line 94:
 
This stuff should already just work:
 
This stuff should already just work:
 
<ol>
 
<ol>
<li> [[#.2A.2A_Turn_on_MIT-krb_1.7.27s_PAC_handling | '''PAC handling''']]; </li>
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Turn_on_MIT-krb_1.7.27s_PAC_handling '''PAC handling''']; </li>
<li> [[#Name_Canonicalization | '''AD-style name canonicalization''']]; </li>
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Name_Canonicalization '''AD-style name canonicalization''']; </li>
<li> [[#Doubled_realm-names | '''NT-ENTERPRISE names''']],
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Doubled_realm-names '''NT-ENTERPRISE names'''],
which carry two realms-suffixes; </li>
+
which carry two realm-suffixes; </li>
 
<li> CHECK_POLICY/AUDIT methods (needed for
 
<li> CHECK_POLICY/AUDIT methods (needed for
[[#.2A.2A.2A_Add_access-control_to_the_TGS | '''TGS access-control''']]); </li>
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A.2A_Add_access-control_to_the_TGS '''TGS access-control''']); </li>
 
<li> DCE_STYLE Challenge/Response handshakes: see
 
<li> DCE_STYLE Challenge/Response handshakes: see
[[#.2A_Krb5_lib_.26_GSSAPI | '''Krb lib & GSSAPI''']]. </li>
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Krb5_lib_.26_GSSAPI '''Krb lib & GSSAPI''']. </li>
 
<li> Accept legacy Samba3 clients'
 
<li> Accept legacy Samba3 clients'
[[#.2A.2A_Legacy_Samba3_clients_.26_GSSAPI | '''bad GSSAPI checksums''']]; </li>
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Legacy_Samba3_clients_.26_GSSAPI '''bad GSSAPI checksums''']; </li>
<li> [[#.2A_Extra_krb_library_functions | '''Principal-manipulation functions''']]; </li>
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Extra_krb_library_functions '''Principal-manipulation functions''']; </li>
<li> [[#.2A.2A_State-machine_safety_for_krb_libraries | '''State-machine safety''']]; </li>
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_State-machine_safety_for_krb_libraries '''State-machine safety''']; </li>
 
</ol>
 
</ol>
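Review bot: the "realms-suffixes" to "realm-suffixes" fix is right. Since this list claims every item "should already just work", each item would benefit from naming the MIT release that provides it, as the PAC-handling link already does for MIT krb 1.7; as written, only that item tells a reader which version they need.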
   
Line 121: Line 114:
   
 
==== Maybe: Improve or replace MIT's DAL ====
 
==== Maybe: Improve or replace MIT's DAL ====
[[#Data-Abstraction_Layer_.28DAL.29 | '''Rewrite the MIT KDC's Data-Abstraction Layer (DAL)''']],
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Data-Abstraction_Layer_.28DAL.29 '''Rewrite the MIT KDC's Data-Abstraction Layer (DAL)'''],
 
mostly because the MIT KDC needs to see & manipulate
 
mostly because the MIT KDC needs to see & manipulate
 
more LDAP detail, on Samba4's behalf;
 
more LDAP detail, on Samba4's behalf;
   
==== ** [[Maybe not: Add a KDC-as-library API]] ====
+
==== Maybe, or not: Add a KDC-as-library API ====
Samba4 currently runs as a single process, and Samba4 invokes the Heimdal
+
Samba4 currently runs as a single process, and Samba4's smbd invokes the Heimdal KDC via a
KDC via a libkdc interface (KDC as library).
+
[http://k5wiki.kerberos.org/wiki/Samba4_port:_libkdc_Interface#krb5_kdc_update_time.28.29 '''libkdc interface'''] (KDC as library).
 
<ol>
 
<ol>
<li> Andrew Bartlett says this libkdc interface is [[#libkdc | '''"nice to have"''']],
 
  +
<li> Rationale:
but not essential.
 
  +
# smbd uses the libkdc interface to configure the KDC, both at startup & during runtime.
  +
# Samba4's build/test environment uses libkdc's socket-passing, to simulate network traffic.
  +
</li>
  +
<li> Andrew Bartlett says this libkdc interface is
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#libkdc '''"nice to have"'''],
  +
but not essential for getting the port to work.
 
</li>
 
</li>
 
<li> Tom Yu says adding a libkdc interface to MIT's code would be a lot
 
<li> Tom Yu says adding a libkdc interface to MIT's code would be a lot
Line 136: Line 134:
 
to do, anyway.
 
to do, anyway.
 
</li>
 
</li>
<li> If we build a libkdc interface for MIT's KDC,
+
<li> Sam Hartman says he needs the libkdc interface, too, for his work on PK-U2U (but not immediately).
  +
</li>
  +
<li>
  +
Another way, which Simo dismisses on Samba4's behalf:
  +
Samba can use
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_iptables_Remapping '''iptables remapping'''],
  +
but only for kdc packets, so that Samba acts as a router between the AD client and the KDC.
  +
This would work for MIT-krb & for Heimdal.
  +
</li>
  +
<li> If we do have to build a libkdc interface for MIT's KDC,
 
Samba4 will need the KDC to use
 
Samba4 will need the KDC to use
[[#.2A.2A_Samba4.27s_portable_socket_API | '''Samba's socket library''']]
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Samba4.27s_portable_socket_API '''Samba's socket library''']
 
correctly.
 
correctly.
 
</li>
 
</li>
 
</ol>
 
</ol>
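Review bot: dropping the `**` from the "Maybe, or not: Add a KDC-as-library API" heading in the same revision that adds the asterisk key makes this section read, under that key, as work that needs to be done, although the list below calls libkdc "nice to have" but not essential; either keep `**` or revise the key. Removing the `[[...]]` wrapper from the heading is right, since it turned the heading into a wiki-link. In the new "Rationale" item, the two `#` lines are wikitext list markup inside an HTML `<li>`; it renders, but nested `<ol><li>` would match the rest of the list. The new iptables-remapping item says Simo dismisses it "on Samba4's behalf" but not why; record the reason (or link to it) beside the claim that it "would work for MIT-krb & for Heimdal", otherwise the item reads as a still-open option. The Sam Hartman PK-U2U item would also benefit from a link, as the other attributed statements in the list have.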
   
==== *** [[Later: TGS access-control]] ====
+
==== [[Later: TGS access-control]] ====
 
MIT krb will need to support these AD features, once Samba4 does.
 
MIT krb will need to support these AD features, once Samba4 does.
 
Alternatively, this could be seen as an opportunity for MIT-based
 
Alternatively, this could be seen as an opportunity for MIT-based
 
Samba4 to surpass Heimdal-based Samba.
 
Samba4 to surpass Heimdal-based Samba.
 
<ol>
 
<ol>
<li> [[#HBAC_for_the_TGS | '''Add HBAC to the TGS''']],
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#HBAC_for_the_TGS '''Add HBAC to the TGS'''],
 
so that Samba4 can refuse TGTs to kinit,
 
so that Samba4 can refuse TGTs to kinit,
 
based on time-of-day & IP-addr constraints;
 
based on time-of-day & IP-addr constraints;
Line 156: Line 154:
 
</li>
 
</li>
 
<li> TGS-HBAC is part of the rationale for
 
<li> TGS-HBAC is part of the rationale for
[[#Data-Abstraction_Layer_.28DAL.29 | '''rewriting the DAL''']].
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Data-Abstraction_Layer_.28DAL.29 '''rewriting the DAL'''].
 
</li>
 
</li>
 
</ol>
 
</ol>
 
</li>
 
</li>
<li> [[#Failed_PW_lockouts | '''Failed-kinit counts''']]:
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Failed_PW_lockouts '''Failed-kinit counts''']:
 
Add a KDC heuristic for tracking intervals between kinits,
 
Add a KDC heuristic for tracking intervals between kinits,
 
so that Samba4 can enforce AD's unified account-lockout on kinit.
 
so that Samba4 can enforce AD's unified account-lockout on kinit.
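Review bot: the heading `==== [[Later: TGS access-control]] ====` keeps the `[[...]]` wiki-link wrapper that the "Maybe, or not" heading dropped in this revision, so it still renders as a link to a page titled "Later: TGS access-control"; remove the brackets. With `***` removed here as well, the asterisk key added in this revision no longer matches these headings. On substance, the unchanged item "Add HBAC to the TGS, so that Samba4 can refuse TGTs to kinit" mixes exchanges: kinit obtains a TGT through the AS exchange, so a check that refuses TGTs belongs in AS-REQ handling, while HBAC in the TGS would govern service tickets; the section title and the item should say which is meant.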
Line 171: Line 169:
   
 
== Samba's use of Heimdal symbols, with MIT differences ==
 
== Samba's use of Heimdal symbols, with MIT differences ==
This table shows the 253 Heimdal symbols that Samba4 uses.
 
   
Definition summary:
 
  +
Samba4 uses around
  +
[http://k5wiki.kerberos.org/wiki/Samba%27s_use_of_Heimdal_symbols%2C_with_MIT_differences '''265 Heimdal symbols:''']
  +
# 150 functions,
  +
# 45 structs & typedefs, and
  +
# 70 macros & enums.
  +
  +
Of these, roughly half present problems for the port:
  +
# 25 symbols have different definitions in the MIT & Heimdal trees.
  +
# 110 symbols are missing from MIT's krb5 tree.
  +
  +
----
  +
  +
== Samba4 Interfaces with Heimdal ==
  +
 
<ol>
 
<ol>
<li> 125 of these 265 Heimdal symbols are more-or-less compatible
 
  +
<li> Samba4's
with the corresponding MIT-krb versions having the same names.
 
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_hdb_%26_ldb_Interfaces '''Database Interfaces''']
  +
enable Heimdal to use Samba4's directory data,
  +
whether the directory is stored in LDAP or in local disk files.
 
</li>
 
</li>
<li> 111 of the 265 symbols don't appear in the MIT-krb source-tree. </li>
 
  +
<li> Heimdal's
<li> 25 of the 265 symbols have conflicting definitions in Heimdal & MIT-krb. </li>
 
  +
[http://k5wiki.kerberos.org/wiki/Samba4_port:_libkdc_Interface '''libkdc Interface''']
<li> 3 of the 265 symbols are MIT-krb names that Samba3 also uses. </li>
 
  +
gives Samba4 a direct subroutine interface to the Heimdal KDC,
<li> 1 of the 265 symbols doesn't appear in the Heimdal tree,
 
  +
with the KDC running as part of the Samba4 process.
but is a Samba3 kerberos-related name.
 
 
</li>
 
</li>
 
</ol>
 
</ol>
Samba Usage summary
 
<ol>
 
<li> 179 of the 265 symbols get used in Samba4's auth subtree. </li>
 
<li> 75 of the 265 symbols get used in Samba4's kdc subtree. </li>
 
<li> 25 of the 265 symbols get used in other Samba subtrees. </li>
 
</ol>
 
Together, these 3 figures exceed 265, because many Heimdal symbols
 
get used in more than one Samba4 subtree.
 
 
Porting summary:
 
* "different" functions and struct-layouts are the biggest obstacles to the MIT port;
 
* "not MIT" isn't so straightforward as just porting or rewriting these functions, because MIT may have a similar (but hard-to-find) function with a different name;
 
* "not Heimdal" symbols should continue working for Samba4, insofar as they've worked before now;
 
* "same" & "same, almost" ought to be easiest, we hope.
 
 
Key to the table's "Similarity" column:
 
* '''same, almost''': Structs are near-identical; functions have the same arguments and similar implementations.
 
* '''same''': Structs are identical. None of these Heimdal functions are identical to MIT's versions.
 
* '''different''': Structs have different layouts, functions have different parameters and / or behavior.
 
* '''not MIT''': MIT's kerberos-tree lacks the symbol.
 
* '''not Heimdal''': Heimdal has a function-prototype, but no function definition. Some of these appear in the Samba3 tree.
 
 
Please note:
 
* This table has 5 columns and 265 rows, and works best if you maximize your screen;
 
* You can click any column's header, to sort the rows by that column's field-contents.
 
 
{| class="wikitable sortable" width="100%" border="1" style="border-collapse: collapse; border: 1px solid #dfdfdf;"
 
| bgcolor="#cc0000" |<font color="#ffffff">'''Symbol''' </font>
 
| bgcolor="#cc0000" |<font color="#ffffff">'''Similarity'''</font>
 
| bgcolor="#cc0000" |<font color="#ffffff">'''Type'''</font>
 
| bgcolor="#cc0000" |<font color="#ffffff">'''Heimdal location'''</font>
 
| bgcolor="#cc0000" |<font color="#ffffff">'''Samba4 referrers'''</font>
 
 
|-
 
| AP_OPTS_MUTUAL_REQUIRED
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| AP_OPTS_USE_SUBKEY
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| ChangePasswdDataMS{}
 
| not MIT
 
| typedef struct
 
| lib/asn1/krb5_asn1.h
 
| kdc/kpasswdd.c
 
 
|-
 
| Checksum{}
 
| not MIT
 
| typedef struct
 
| lib/asn1/krb5_asn1.h
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| CKSUMTYPE{}
 
| not MIT
 
| typedef enum
 
| lib/asn1/krb5_asn1.h
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| copy_Principal()
 
| not MIT
 
| function
 
| lib/asn1/asn1_Principal.c
 
| kdc/hdb-samba4.c
 
 
|-
 
| credentials{}
 
| same, almost
 
| struct
 
| lib/krb5/lrb5-v4compat.h
 
| 88 files
 
 
|-
 
| decode_ChangePasswdDataMS()
 
| not MIT
 
| function
 
| lib/asn1/asn1_ChangePasswdDataMS.c
 
| kdc/kpasswdd.c
 
 
|-
 
| dns_lookup()
 
| not MIT
 
| function
 
| lib/roken/resolve.h
 
| libcli/resolve/dns_ex.c
 
 
|-
 
| dns_reply()
 
| not MIT
 
| function
 
| lib/roken/resolve.h
 
| libcli/resolve/dns_ex.c
 
 
|-
 
| dns_srv_order()
 
| not MIT
 
| function
 
| lib/roken/resolve.h
 
| libcli/resolve/dns_ex.c
 
 
|-
 
| ENCTYPE_AES128_CTS_HMAC_SHA1_96
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| dsdb/samdb/ldb_modules/password_hash.c
 
 
|-
 
| ENCTYPE_AES256_CTS_HMAC_SHA1_96
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| dsdb/samdb/ldb_modules/password_hash.c
 
 
|-
 
| ENCTYPE_ARCFOUR_HMAC_MD5
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| ENCTYPE_ARCFOUR_HMAC
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| torture/auth/pac.c
 
 
|-
 
| ENCTYPE_DES_CBC_CRC
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| dsdb/samdb/ldb_modules/password_hash.c, kdc/hdb-samba4.c
 
 
|-
 
| ENCTYPE_DES_CBC_MD5
 
| same value
 
| enum
 
| lib/krb5/krb5.h
 
| dsdb/samdb/ldb_modules/password_hash.c, kdc/hdb-samba4.c
 
 
|-
 
| error_message()
 
| same, almost
 
| function
 
| lib/com_err/com_err.c
 
| 8 files
 
 
|-
 
| ETYPE_ARCFOUR_HMAC_MD5
 
| not MIT
 
| enum
 
| lib/asn1/krb5_asn1.h
 
| auth/kerberos/kerberos_util.c, kdc/kdc.c
 
 
|-
 
| free_ChangePasswdDataMS()
 
| not MIT
 
| function
 
| lib/asn1/asn1_ChangePasswdDataMS.c
 
| kdc/kpasswdd.c
 
 
|-
 
| free_Checksum()
 
| not MIT
 
| function
 
| lib/asn1/asn1_Checksum.c
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| free_hdb_entry()
 
| not MIT
 
| function
 
| lib/hdb/asn1_hdb_entry.c
 
| kdc/hdb-samba4.c
 
 
|-
 
| free_Salt()
 
| not MIT
 
| function
 
| lib/hdb/asn1_Salt.c
 
| kdc/hdb-samba4.c
 
 
|-
 
| gss_accept_sec_context()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_accept_sec_context.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_buffer_desc{}
 
| same
 
| typedef struct
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c, auth/credentials/credentials_krb5.c
 
 
|-
 
| GSS_C_DCE_STYLE
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_EMPTY_BUFFER
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| GSS_C_GSS_CODE
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_MECH_CODE
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NO_BUFFER
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NO_CHANNEL_BINDINGS
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NO_CONTEXT
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NO_CREDENTIAL
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NO_NAME
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NULL_OID
 
| same value
 
| macro
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| GSS_C_NT_HOSTBASED_SERVICE
 
| different
 
| struct *
 
| lib/gssapi/krb5/external.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_cred_id_t{}
 
| same
 
| typedef struct
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| gss_delete_sec_context()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_delete_sec_context.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_display_name()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_display_name.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_display_status()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_display_status.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_get_mic()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_get_mic.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_import_name()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_import_name.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_init_sec_context()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_init_sec_context.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_krb5_copy_ccache()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| GSS_KRB5_CRED_NO_CI_FLAGS_X
 
| not MIT
 
| struct *
 
| lib/gssapi/krb5/set_cred_option.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| gss_krb5_export_lucid_sec_context()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gsskrb5_extract_authz_data_from_sec_context()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_krb5_free_lucid_sec_context()
 
| different
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gsskrb5_get_subkey()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_krb5_import_cred()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| gsskrb5_send_to_kdc{}
 
| not MIT
 
| struct
 
| lib/gssapi/gssapi/gssapi_krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_krb5_set_allowable_enctypes()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| gsskrb5_set_default_realm()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gsskrb5_set_dns_canonicalize()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gsskrb5_set_send_to_kdc()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_mech_krb5
 
| different
 
| macro
 
| lib/gssapi/gssapi/gssapi_krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_oid_equal()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_krb5.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_OID
 
| same
 
| typedef struct
 
| lib/gssapi/gssapi/gssapi.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_qop_t{}
 
| same
 
| typedef
 
| lib/gssapi/gssapi/gssapi_krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_release_buffer()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_release_buffer.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_release_cred()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_release_cred.c
 
| auth/gensec/gensec_gssapi.c, auth/credentials/credentials_krb5.c
 
 
|-
 
| gss_release_name()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_release_name.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_set_cred_option()
 
| not MIT
 
| function
 
| lib/gssapi/mech/gss_set_cred_option.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| gss_unwrap()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_unwrap.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_verify_mic()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_verify_mic.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_wrap()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_wrap.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| gss_wrap_size_limit()
 
| same, almost
 
| function
 
| lib/gssapi/mech/gss_wrap_size_limit.c
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| hdb_enctype2key()
 
| not MIT
 
| function
 
| lib/hdb/hdb.c
 
| kdc/kdc.c
 
 
|-
 
| hdb_entry_ex{}
 
| not MIT
 
| typedef struct
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c, kdc/kdc.c, kdc/pac-glue.c
 
 
|-
 
| hdb_free_entry
 
| not MIT
 
| function
 
| lib/hdb/hdb.c
 
| kdc/hdb-samba4.c, kdc/kdc.c
 
 
|-
 
| HDB_F_DECRYPT
 
| not MIT
 
| macro
 
| lib/hdb/hdb.h
 
| kdc/kdc.c
 
 
|-
 
| hdb_fetch()
 
| not MIT
 
| function ptr
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c, kdc/kdc.c
 
 
|-
 
| HDB_F_GET_CLIENT
 
| not MIT
 
| macro
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| HDB_F_GET_KRBTGT
 
| not MIT
 
| macro
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c, kdc/kdc.c
 
 
|-
 
| HDB_F_GET_SERVER
 
| not MIT
 
| macro
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| HDBFlags{}
 
| not MIT
 
| typedef struct
 
| lib/hdb/hdb_asn1.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| HDB_INTERFACE_VERSION
 
| not MIT
 
| macro
 
| lib/hdb/hdb.h
 
| kdc/kdc.c
 
 
|-
 
| hdb_kt_ops{}
 
| not MIT
 
| struct
 
| lib/hdb/keytab.c
 
| kdc/kdc.c
 
 
|-
 
| HDB{}
 
| not MIT
 
| typedef struct
 
| lib/hdb/hdb.h
 
| kdc/hdb-samba4.c, kdc/kdc.c
 
 
|-
 
| HostAddresses{}
 
| not MIT
 
| typedef struct
 
| lib/asn1/krb5_asn1.h
 
| kdc/pac-glue.c
 
 
|-
 
| initialize_hdb_error_table_r()
 
| not MIT
 
| function
 
| lib/hdb/hdb_err.c
 
| kdc/kdc.c
 
 
|-
 
| initialize_krb5_error_table()
 
| not MIT
 
| function
 
| lib/krb5/krb5_err.c
 
| auth/kerberos/krb5_init_context.c, kdc/kdc.c
 
 
|-
 
| int2HDBFlags()
 
| not MIT
 
| function
 
| lib/hdb/asn1_HDBFlags.c
 
| kdc/hdb-samba4.c
 
 
|-
 
| KDC_REQ
 
| not MIT
 
| macro
 
| lib/asn1/krb5_asn1.h
 
| kdc/pac-glue.c
 
 
|-
 
| KerberosTime
 
| not MIT
 
| typedef
 
| lib/asn1/krb5_asn1.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| KEYTYPE_ARCFOUR_56
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| KEYTYPE_ARCFOUR
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| KEYTYPE_DES3
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| KEYTYPE_DES
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_gssapi.c
 
 
|-
 
| KRB5_ADDRESS_NETBIOS
 
| not MIT
 
| enum
 
| lib/krb5/krb5.h
 
| kdc/pac-glue.c
 
 
|-
 
| krb5_address{}
 
| same
 
| typedef
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_add_et_list()
 
| not MIT
 
| function
 
| lib/krb5/add_et_list.c
 
| kdc/kdc.c
 
 
|-
 
| krb5_addlog_func()
 
| not MIT
 
| function
 
| lib/krb5/log.c
 
| auth/kerberos/krb5_init_context.c
 
 
|-
 
| krb5_ap_rep_enc_part{}
 
| same
 
| typedef struct
 
| /usr/include/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_free()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_getlocalsubkey()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_getremotesubkey()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_init()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_setaddrs()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_setflags()
 
| same, almost
 
| function
 
| lib/krb5/auth_context.c
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_con_setuserkey()
 
| not MIT
 
| function
 
| lib/krb5/auth_context.c
 
| see krb5_auth_con_setuseruserkey
 
 
|-
 
| krb5_auth_con_setuseruserkey
 
| not Heimdal
 
| function
 
| unknown
 
| see krb5_auth_con_setuserkey
 
 
|-
 
| KRB5_AUTH_CONTEXT_DO_SEQUENCE
 
| same
 
| enum
 
| lib/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| KRB5_AUTHDATA_WIN2K_PAC
 
| not MIT
 
| enum
 
| lib/asn1/krb5_asn1.h
 
| auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_auth_context{}
 
| same
 
| typedef struct
 
| /usr/include/krb5/krb5.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_boolean
 
| same, almost
 
| typedef
 
| lib/krb5/krb5.h
 
| kdc/hdb-samba4.c
 
 
|-
 
| KRB5_CC_END
 
| same value
 
| enum
 
| lib/krb5/krb5_err.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| KRB5_CC_NOTFOUND
 
| same value
 
| enum
 
| lib/krb5/krb5_err.h
 
| auth/gensec/gensec_krb5.c
 
 
|-
 
| krb5_ccache{}
 
| same, almost
 
| typedef struct *
 
| lib/krb5/krb5.h
 
| auth/kerberos/kerberos.c, auth/kerberos/kerberos_util.c
 
 
|-
 
| krb5_cc_close()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| krb5_cc_default()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| krb5_cc_destroy()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| krb5_cc_get_principal()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| krb5_cc_initialize()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/kerberos/kerberos.c
 
 
|-
 
| krb5_cc_resolve()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/credentials/credentials_krb5.c
 
 
|-
 
| krb5_cc_store_cred()
 
| same, almost
 
| function
 
| lib/krb5/cache.c
 
| auth/kerberos/kerberos.c
 
 
|-
 
| krb5_cksumtype_to_enctype()
 
| not MIT
 
| function
 
| lib/krb5/crypto.c
 
| kdc/kdc.c
 
 
|-
 
| krb5_clear_error_string()
 
| not MIT
 
| function
 
| lib/krb5/error_string.c
 
| auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
 
 
|-
 
| krb5_closelog()
 
| not MIT
 
| function
 
| lib/krb5/log.c
 
| auth/kerberos/krb5_init_context.c
 
 
|-
 
| krb5_const_principal
 
| same
 
| typedef struct *
 
| lib/krb5/krb5.h
 
| auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
 
 
|-
 
| krb5_context{}
 
| same, almost
 
| typedef struct *
 
| lib/krb5/krb5.h
 
| 16 files
 
 
|-
 
| krb5_copy_principal()
 
| same, almost
 
| function
 
| lib/krb5/principal.c
 
| kdc/hdb-samba4.c
 
 
|-
 
| krb5_create_checksum()
 
| not MIT
 
| function
 
| lib/krb5/crypto.c
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| krb5_creds{}
 
| different
 
| typedef struct
 
| lib/krb5/krb5.h
 
| auth/kerberos/kerberos.c
 
 
|-
 
| krb5_crypto
 
| not MIT
 
| typedef struct *
 
| lib/krb5/krb5.h
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| krb5_crypto_destroy()
 
| not MIT
 
| function
 
| lib/krb5/crypto.c
 
| auth/kerberos/kerberos_pac.c
 
 
|-
 
| krb5_crypto_init()
 
| not MIT
 
| function
 
| lib/krb5/crypto.c
 
| auth/kerberos/kerberos_pac.c
|-
| krb5_data{} || different || typedef struct || /usr/include/krb5/krb5.h || 9 files
|-
| krb5_data_copy() || not MIT || function || lib/krb5/data.c || auth/kerberos/krb5_init_context.c, kdc/hdb-samba4.c, kdc/pac-glue.c
|-
| krb5_data_free() || not MIT || function || lib/krb5/data.c || 6 files
|-
| krb5_data_zero() || not MIT || function || lib/krb5/data.c || kdc/kdc.c
|-
| krb5_dh_moduli{} || not MIT || struct || lib/krb5/krb5_locl.h || kdc/pac-glue.c
|-
| krb5_encrypt_block{} || same || typedef struct || /usr/include/krb5/krb5.h || auth/kerberos/clikrb5.c
|-
| krb5_enctype || same, almost || typedef || lib/krb5/krb5.h || 4 files
|-
| krb5_error_code || same || typedef || lib/krb5/krb5.h || 15 files
|-
| KRB5_FCC_NOFILE || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_krb5.c
|-
| krb5_flags || same, almost || typedef || /usr/include/krb5/krb5.h || auth/gensec/gensec_krb5.c
|-
| krb5_free_ap_rep_enc_part() || same, almost || function || lib/krb5/rd_rep.c || auth/gensec/gensec_krb5.c
|-
| krb5_free_config_files() || same, almost || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_free_context() || same, almost || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_free_cred_contents() || same, almost || function || lib/krb5/creds.c || auth/kerberos/kerberos.c
|-
| krb5_free_error_string() || not MIT || function || lib/krb5/error_string.c || auth/kerberos/clikrb5.c
|-
| krb5_free_keyblock_contents() || different || function || lib/krb5/keyblock.c || dsdb/samdb/ldb_modules/password_hash.c, torture/auth/pac.c, auth/kerberos/kerberos_util.c
|-
| krb5_free_keyblock() || same, almost || function || lib/krb5/keyblock.c || auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_heimdal.c
|-
| krb5_free_keytab_entry_contents() || not Heimdal || function || lib/krb5/keyblock.c || auth/kerberos/clikrb5.c
|-
| krb5_free_principal() || same, almost || function || lib/krb5/principal.c || 8 files
|-
| krb5_free_salt() || not MIT || function || lib/krb5/crypto.c || dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
|-
| krb5_free_ticket() || different || function || lib/krb5/ticket.c || auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_heimdal.c
|-
| krb5_get_default_in_tkt_etypes() || not MIT || function || lib/krb5/context.c || auth/credentials/credentials_krb5.c
|-
| krb5_get_default_realm() || different || function || lib/krb5/get_default_realm.c || kdc/hdb-samba4.c
|-
| krb5_get_error_string() || not MIT || function || lib/krb5/error_string.c || auth/kerberos/clikrb5.c
|-
| krb5_get_init_creds_keyblock() || not MIT || function || lib/krb5/init_creds_pw.c || auth/kerberos/kerberos.c
|-
| krb5_get_init_creds_opt{} || different || typedef struct || lib/krb5/krb5.h || auth/kerberos/kerberos.c
|-
| krb5_get_init_creds_opt_init() || different || function || lib/krb5/init_creds.c || auth/kerberos/kerberos.c
|-
| krb5_get_init_creds_opt_set_default_flags() || not MIT || function || lib/krb5/init_creds.c || auth/kerberos/kerberos.c
|-
| krb5_get_init_creds_password() || different || function || lib/krb5/init_creds_pw.c || auth/kerberos/kerberos.c
|-
| krb5_get_max_time_skew() || not MIT || function || lib/krb5/context.c || rpc_server/lsa/dcesrv_lsa.c
|-
| krb5_get_pw_salt() || not MIT || function || lib/krb5/crypto.c || dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
|-
| krb5_init_context() || different || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_initlog() || not MIT || function || lib/krb5/log.c || auth/kerberos/krb5_init_context.c
|-
| krb5_kdc_get_config() || not MIT || function || kdc/default_config.c || kdc/kdc.c
|-
| krb5_kdc_process_krb5_request() || not MIT || function || kdc/process.c || kdc/kdc.c
|-
| krb5_kdc_update_time() || not MIT || function || kdc/process.c || kdc/kdc.c
|-
| krb5_kdc_windc_init() || not MIT || function || kdc/windc.c || kdc/kdc.c
|-
| krb5_keyblock{} || same || typedef struct || /usr/include/krb5/krb5.h || 8 files
|-
| krb5_keyblock_init() || not MIT || function || lib/krb5/keyblock.c || torture/auth/pac.c, auth/kerberos/kerberos_util.c, kdc/hdb-samba4.c
|-
| krb5_keytab_entry{} || same || typedef struct || /usr/include/krb5/krb5.h || auth/kerberos/clikrb5.c, auth/kerberos/kerberos_util.c
|-
| krb5_keytab{} || same || typedef struct * || /usr/include/krb5/krb5.h || auth/kerberos/kerberos_util.c
|-
| KRB5_KDCREP_SKEW || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
|-
| KRB5_KDC_UNREACH || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
|-
| KRB5_KPASSWD_ACCESSDENIED || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_BAD_VERSION || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_HARDERROR || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_MALFORMED || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_SOFTERROR || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_SUCCESS || same value || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_VERS_CHANGEPW || not MIT || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| KRB5_KPASSWD_VERS_SETPW || not MIT || macro || lib/krb5/krb5.h || kdc/kpasswdd.c
|-
| _krb5_krb_auth_data || not MIT || struct || lib/krb5/krb5-v4compat.h || kdc/pac-glue.c
|-
| krb5_krbhst_get_addrinfo() || not MIT || function || lib/krb5/krbhst.c || auth/kerberos/krb5_init_context.c
|-
| KRB5_KRBHST_HTTP || not MIT || enum || lib/krb5/krb5.h || auth/kerberos/krb5_init_context.c
|-
| krb5_krbhst_info{} || not MIT || typedef struct || lib/krb5/krb5.h || auth/kerberos/krb5_init_context.c
|-
| KRB5_KRBHST_TCP || not MIT || enum || lib/krb5/krb5.h || auth/kerberos/krb5_init_context.c
|-
| KRB5_KRBHST_UDP || not MIT || enum || lib/krb5/krb5.h || auth/kerberos/krb5_init_context.c
|-
| krb5_kt_add_entry() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_close() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_compare() || not MIT || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_cursor{} || different || typedef struct || lib/krb5/krb5.h || auth/kerberos/kerberos_util.c
|-
| krb5_kt_end_seq_get() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_free_entry() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/clikrb5.c, auth/kerberos/kerberos_util.c
|-
| krb5_kt_next_entry() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_register() || different || function || lib/krb5/keytab.c || kdc/kdc.c
|-
| krb5_kt_remove_entry() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_resolve() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| krb5_kt_start_seq_get() || same, almost || function || lib/krb5/keytab.c || auth/kerberos/kerberos_util.c
|-
| KRB5_KT_END || same value || enum || lib/krb5/krb5_err.h || auth/kerberos/kerberos_util.c
|-
| KRB5_KU_OTHER_CKSU || not MIT || enum || lib/krb5/krb5.h || auth/kerberos/kerberos_pac.c
|-
| krb5_make_principal() || not MIT || function || lib/krb5/principal.c || 4 functions
|-
| krb5_mk_error() || different || function || lib/krb5/mk_error.c || kdc/kpasswdd.c
|-
| krb5_mk_priv() || same, almost || function || lib/krb5/mk_priv.c || auth/gensec/gensec_krb5.c
|-
| krb5_mk_req() || same, almost || function || lib/krb5/mk_req.c || auth/gensec/gensec_krb5.c
|-
| krb5_mk_req_exact() || not MIT || function || lib/krb5/mk_req.c || auth/gensec/gensec_krb5.c
|-
| krb5_pac || not MIT || typedef struct * || lib/krb5/krb5.h || auth/kerberos/kerberos_pac.c, kdc/pac-glue.c
|-
| krb5_pac_add_buffer() || same, almost || function || lib/krb5/pac.c || kdc/pac-glue.c
|-
| krb5_pac_free() || same, almost || function || lib/krb5/pac.c || auth/kerberos/kerberos_pac.c, kdc/pac-glue.c
|-
| krb5_pac_get_buffer() || different || function || lib/krb5/pac.c || auth/kerberos/kerberos_pac.c
|-
| krb5_pac_init() || different || function || lib/krb5/pac.c || kdc/pac-glue.c
|-
| krb5_pac_parse() || different || function || lib/krb5/pac.c || auth/kerberos/kerberos_pac.c
|-
| KRB5_PADATA_PW_SALT || same value || enum || lib/asn1/krb5_asn1.h || kdc/pac-glue.c
|-
| KRB5_PARSE_MALFORMED || same value || enum || lib/krb5/krb5_err.h || auth/kerberos/kerberos_pac.c
|-
| krb5_parse_name() || different || function || lib/krb5/principal.c || dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
|-
| krb5_parse_name_flags() || same, almost || function || lib/krb5/principal.c || dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/kerberos/kerberos_pac.c,
|-
| krb5_plugin_register() || not MIT || function || lib/krb5/plugin.c || kdc/kdc.c
|-
| krb5_prepend_config_files_default() || not MIT || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_principal2salt() || not Heimdal || function || /usr/include/krb5/krb5.h || auth/kerberos/clikrb5.c
|-
| krb5_principal_compare_any_realm() || same, almost || function || lib/krb5/principal.c || auth/kerberos/kerberos_pac.c
|-
| krb5_principal_get_realm() || not MIT || function || lib/krb5/principal.c || kdc/hdb-samba4.c
|-
| _krb5_principalname2krb5_principal() || not MIT || function || lib/krb5/asn1_glue.c || kdc/kpasswdd.c
|-
| KRB5_PRINCIPAL_PARSE_MUST_REALM || not MIT || enum || lib/krb5/krb5.h || dsdb/samdb/cracknames.c
|-
| KRB5_PRINCIPAL_PARSE_NO_REALM || same, almost || enum || lib/krb5/krb5.h || dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/kerberos/kerberos_pac.c
|-
| krb5_principal || different || typedef struct * || lib/krb5/krb5.h || 12 files
|-
| KRB5_PRINCIPAL_UNPARSE_NO_REALM || same, almost || enum || lib/krb5/krb5.h || dsdb/samdb/cracknames.c, auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
|-
| krb5_princ_realm() || same, almost || macro || lib/krb5/principal.c || dsdb/samdb/cracknames.c, auth/credentials/credentials_krb5.c, kdc/hdb-samba4.c
|-
| krb5_princ_set_realm() || same, almost || function || lib/krb5/principal.c || auth/kerberos/kerberos_pac.c
|-
| krb5_rd_priv() || same, almost || function || lib/krb5/rd_priv.c || auth/gensec/gensec_krb5.c
|-
| krb5_rd_rep() || same, almost || function || lib/krb5/rd_rep.c || auth/gensec/gensec_krb5.c
|-
| krb5_replay_data{} || same, almost || typedef struct || lib/krb5/krb5.h || auth/gensec/gensec_krb5.c
|-
| krb5_salt{} || not MIT || typedef struct || lib/krb5/krb5.h || dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
|-
| krb5_set_config_files() || different || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_set_default_realm() || different || function || lib/krb5/set_default_realm.c || auth/kerberos/krb5_init_context.c
|-
| krb5_set_dns_canonicalize_hostname() || not MIT || function || lib/krb5/context.c || auth/kerberos/krb5_init_context.c
|-
| krb5_set_error_string() || not MIT || function || lib/krb5/context.c || kdc/hdb-samba4.c
|-
| krb5_set_real_time() || same, almost || function || lib/krb5/time.c || auth/kerberos/kerberos_util.c
|-
| krb5_set_send_to_kdc_func() || not MIT || function || lib/krb5/send_to_kdc.c || auth/kerberos/krb5_init_context.c
|-
| krb5_set_warn_dest || not MIT || function || lib/krb5/send_to_kdc.c || auth/kerberos/krb5_init_context.c
|-
| krb5_sockaddr2address() || not MIT || function || lib/krb5/addr_families.c || auth/gensec/gensec_krb5.c
|-
| krb5_string_to_enctype() || same, almost || function || lib/krb5/crypto.c || auth/kerberos/kerberos_util.c
|-
| krb5_string_to_key() || different || function || lib/krb5/crypto.c || auth/kerberos/clikrb5.c
|-
| krb5_string_to_key_data_salt() || not MIT || function || lib/krb5/crypto.c || libnet/libnet_become_dc.c
|-
| krb5_string_to_key_salt() || not MIT || function || lib/krb5/crypto.c || auth/kerberos/clikrb5.c
|-
| KRB5_TGS_NAME || not MIT || function || lib/krb5/krb5.h || kdc/hdb-samba4.c
|-
| krb5_ticket{} || different || typedef struct || lib/krb5/krb5.h || auth/gensec/gensec_krb5.c
|-
| krb5_ticket_get_authorization_data_type() || not MIT || function || lib/krb5/ticket.c || auth/gensec/gensec_krb5.c
|-
| krb5_ticket_get_client() || not MIT || function || lib/krb5/ticket.c || auth/gensec/gensec_krb5.c
|-
| krb5_unparse_name() || same, almost || function || lib/krb5/principal.c || 6 files
|-
| krb5_unparse_name_flags() || same, almost || function || lib/krb5/principal.c || dsdb/samdb/cracknames.c, auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
|-
| krb5_use_enctype() || not Heimdal || function || /usr/include/krb5/krb5.h || auth/kerberos/clikrb5.c
|-
| krb5_verify_checksum() || same, almost || function || lib/krb5/crypto.c || auth/kerberos/kerberos_pac.c
|-
| krb5_warnx() || not MIT || function || lib/krb5/warn.c || kdc/hdb-samba4.c
|-
| krb5_xfree() || different || function || lib/krb5/free.c || auth/credentials/credentials_krb5.c
|-
| KRB5_WINDC_PLUGING_MINOR || not MIT || macro || kdc/windc_plugin.h || kdc/kdc.c
|-
| KRB5KDC_ERR_CLIENT_REVOKED || same value || enum || lib/krb5/krb5_err.h || kdc/pac-glue.c
|-
| KRB5KDC_ERR_KEY_EXPIRED || not MIT || enum || lib/krb5/krb5_err.h || kdc/pac-glue.c
|-
| KRB5KDC_ERR_POLICY || same value || enum || lib/krb5/krb5_err.h || kdc/pac-glue.c
|-
| KRB5KDC_ERR_PREAUTH_FAILED || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
|-
| KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c
|-
| KRB5KRB_AP_ERR_MSG_TYPE || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_gssapi.c
|-
| KRB5KRB_AP_ERR_SKEW || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
|-
| KRB5KRB_AP_ERR_TKT_EXPIRED || same value || enum || lib/krb5/krb5_err.h || auth/gensec/gensec_krb5.c
|-
| OM_uint32 || same, almost || typedef || lib/gssapi/gssapi/gssapi.h || auth/credentials/credentials_krb5.c, auth/gensec/gensec_gssapi.c
|-
| PA_DATA || not MIT || typedef struct || lib/asn1/krb5_asn1.h || kdc/pac-glue.c
|-
| PLUGIN_TYPE_DATA || not MIT || enum || lib/krb5/krb5.h || kdc/kdc.c
|-
| Principal{} || not MIT || typedef struct || lib/asn1/krb5_asn1.h || dsdb/samdb/ldb_modules/password_hash.c
|-
| resource_record{} || not MIT || struct || lib/roken/resolve.h || libcli/resolve/dns_ex.c
|-
| SHA256_DIGEST_LENGTH || same value || macro || lib/hcrypto/sha.h || libcli/smb2/signing.c
|}
 
   
 
----

Latest revision as of 09:40, 18 September 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Introduction

Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos as an alternative. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and MIT-krb5 realms.

Use case: suppose a Kerberos customer is deploying a network of mixed operating systems, all using Kerberos, and wants to use one KDC for all of them. In this case, a single MIT Kerberos deployment should be able to support both traditional UNIX clients and servers, intermixed with Windows clients and Samba servers:

  1. The Windows clients should be able to use the MIT KDC(s) as AD servers, so as to authenticate themselves to Samba file-servers and to Windows servers;
  2. A Windows client's tickets will carry PACs, as usual for AD;
  3. The UNIX clients should be able to access the KDC as a traditional non-AD-style KDC, so as to access UNIX services securely;
  4. A UNIX client's ticket will not carry a PAC, except when the UNIX client accesses a Windows server (Rationale).

The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project. Here is a table showing which OS platforms are supported by Samba4, Heimdal, and MIT kerberos. Summary: MIT-krb5 & Samba4 both run on Mac OS X, NetBSD, Debian, RedHat, Ubuntu, & Solaris.


Concise to-do list

This is a condensed version of the task-list offered by Samba4's Andrew Bartlett, containing only what MIT has not already done.

The two big chunks of work are LDAP Driver and Replacing / improving MIT's DAL, but the DAL work may not be needed.

Replace the MIT KDC's LDAP driver

Samba4's LDAP driver for the MIT KDB needs to know how to do AD's intricate naming:

  1. Canonicalization of server names, user-names, and realm names. MIT 1.7 already supports canonicalization.
  2. AD-style aliases for HOST/ service names.
  3. Implicit names for Win2k accounts.
  4. Principal "types": client / server / krbtgs
  5. Flexible server-naming
  6. Keytabs & name-canonicalization

Most or all of Heimdal's LDAP driver code is in three Samba4 source files, ~1000 lines in all.


Small changes

Of the things on this list, only NTLM support (bullet 2) is needed for the Samba4 KDC port. The other tasks are all application-library stuff, and arguably aren't needed at all, because Samba3 already works well with MIT application libraries.

  1. MIT library changes
  2. Samba4/AD libraries: NTLM support. See also this Sept-2009 NTLM thread (this implies to me that a GSS NTLM mech is not an immediate requirement - LH)
  3. Key-handling changes
  4. Extra Krb library functions
  5. Error-handling, logging, testing

Use 1.7's AD-support features

This stuff should already just work:

  1. PAC handling;
  2. AD-style name canonicalization;
  3. NT-ENTERPRISE names, which carry two realm-suffixes;
  4. CHECK_POLICY/AUDIT methods (needed for TGS access-control);
  5. DCE_STYLE Challenge/Response handshakes: see Krb lib & GSSAPI.
  6. Accept legacy Samba3 clients' bad GSSAPI checksums;
  7. Principal-manipulation functions;
  8. State-machine safety;

Controversial proposed changes for the port

Maybe: Improve or replace MIT's DAL

Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see and manipulate more LDAP detail on Samba4's behalf.

Maybe, or not: Add a KDC-as-library API

Samba4 currently runs as a single process, and Samba4's smbd invokes the Heimdal KDC via a libkdc interface (KDC as library).

  1. Rationale:
    1. smbd uses the libkdc interface to configure the KDC, both at startup & during runtime.
    2. Samba4's build/test environment uses libkdc's socket-passing, to simulate network traffic.
  2. Andrew Bartlett says this libkdc interface is "nice to have", but not essential for getting the port to work.
  3. Tom Yu says adding a libkdc interface to MIT's code would be a lot of work, but would tie naturally into code-cleanup work that MIT wants to do, anyway.
  4. Sam Hartman says he needs the libkdc interface, too, for his work on PK-U2U (but not immediately).
  5. Another way, which Simo dismisses on Samba4's behalf: Samba can use iptables remapping, but only for kdc packets, so that Samba acts as a router between the AD client and the KDC. This would work for MIT-krb & for Heimdal.
  6. If we do have to build a libkdc interface for MIT's KDC, Samba4 will need the KDC to use Samba's socket library correctly.

Later: TGS access-control

MIT krb will need to support these AD features, once Samba4 does. Alternatively, this could be seen as an opportunity for MIT-based Samba4 to surpass Heimdal-based Samba.

  1. Add HBAC to the TGS, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints;
    1. DTD: This is natural; the TGS should enforce its own access-control, as all other services do.
    2. TGS-HBAC is part of the rationale for rewriting the DAL.
  2. Failed-kinit counts: Add a KDC heuristic for tracking intervals between kinits, so that Samba4 can enforce AD's unified account-lockout on kinit. Samba4 already does lockouts for other PW-based authentication methods (NTLM, LDAP simple bind, etc).

Samba's use of Heimdal symbols, with MIT differences

Samba4 uses around 265 Heimdal symbols:

  1. 150 functions,
  2. 45 structs & typedefs, and
  3. 70 macros & enums.

Of these, roughly half present problems for the port:

  1. 25 symbols have different definitions in the MIT & Heimdal trees.
  2. 110 symbols are missing from MIT's krb5 tree.
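Three of the "not MIT" rows in the symbol table on this page, krb5_data_copy(), krb5_data_free() and krb5_data_zero(), are Heimdal helpers over a krb5_data struct that the table also marks as "different". The following added example, which is neither Samba4 nor MIT code, shows how a porting shim can supply them on MIT's layout and why the length field needs a range check; the struct definition is an assumption standing in for MIT's krb5.h so the file builds without libkrb5.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for MIT's krb5_data from /usr/include/krb5/krb5.h, so this
 * file builds offline (assumption: same three fields in the same order;
 * against the real header, delete this block and include <krb5.h>). */
typedef int krb5_magic;
typedef int krb5_error_code;
typedef struct _krb5_data {
    krb5_magic   magic;    /* MIT-only field; Heimdal's struct has none */
    unsigned int length;   /* MIT: unsigned int; Heimdal: size_t */
    char        *data;
} krb5_data;

/* Heimdal krb5_data_zero(): reset to an empty buffer without freeing. */
void krb5_data_zero(krb5_data *p)
{
    p->magic = 0;          /* applications never set MIT's magic value */
    p->length = 0;
    p->data = NULL;
}

/* Heimdal krb5_data_free(): release the buffer and reset the struct.
 * Calling it twice is harmless because zeroing leaves data == NULL. */
void krb5_data_free(krb5_data *p)
{
    free(p->data);
    krb5_data_zero(p);
}

/* Heimdal krb5_data_copy(): fill *p with a fresh copy of len bytes
 * (zero-filled when data == NULL). Returns 0 on success, ENOMEM when
 * allocation fails, and EOVERFLOW when len does not fit MIT's unsigned
 * int length field: silently truncating the length would leave a
 * buffer whose recorded size disagrees with what the caller passed. */
krb5_error_code krb5_data_copy(krb5_data *p, const void *data, size_t len)
{
    krb5_data_zero(p);
    if (len > UINT_MAX)
        return EOVERFLOW;
    if (len == 0)
        return 0;              /* empty buffer, no allocation */
    p->data = malloc(len);
    if (p->data == NULL)
        return ENOMEM;
    if (data != NULL)
        memcpy(p->data, data, len);
    else
        memset(p->data, 0, len);
    p->length = (unsigned int)len;
    return 0;
}

/* Self-check over a constructed 8-byte sample: copy, verify it is a real
 * copy, free, confirm the struct is empty, then the NULL-data and
 * zero-length cases. Returns 0 when every step behaves as documented. */
int krb5_data_shim_selftest(void)
{
    static const unsigned char sample[8] = { 'P', 'A', 'C', 0, 1, 2, 3, 4 };
    krb5_data d;
    if (krb5_data_copy(&d, sample, sizeof sample) != 0) return 1;
    if (d.length != sizeof sample || d.data == NULL) return 2;
    if (memcmp(d.data, sample, sizeof sample) != 0) return 3;
    if ((const void *)d.data == (const void *)sample) return 4;
    krb5_data_free(&d);
    if (d.length != 0 || d.data != NULL) return 5;
    krb5_data_free(&d);                      /* second free must be a no-op */
    if (krb5_data_copy(&d, NULL, 4) != 0 || d.length != 4) return 6;
    if (d.data[0] != 0 || d.data[3] != 0) return 7;
    krb5_data_free(&d);
    if (krb5_data_copy(&d, sample, 0) != 0 || d.data != NULL) return 8;
    return 0;
}
```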

Samba4 Interfaces with Heimdal

  1. Samba4's Database Interfaces enable Heimdal to use Samba4's directory data, whether the directory is stored in LDAP or in local disk files.
  2. Heimdal's libkdc Interface gives Samba4 a direct subroutine interface to the Heimdal KDC, with the KDC running as part of the Samba4 process.