logo_kerberos.gif

Projects/Samba4 Port

From K5Wiki
< Projects
Revision as of 13:57, 14 July 2009 by Don (talk | contribs) (Maybe not: Add a KDC-as-library API)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Introduction

Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos instead. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and krb5 realms.

The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project.

To do list

This is a task-list offered by Samba4's Andrew Bartlett, but Andrew is unsure of how much of this list is already available in MIT's 1.7 release.

Replace the MIT KDC's LDAP driver

  1. Our LDAP driver for the KDB needs to know how to do Samba4's intricate canonicalization of server names, user-names, and realm names.
  2. AD-style aliases for HOST/ service names.
  3. Implicit names for Win2k accounts.
  4. Principal "types": client / server / krbtgs
  5. Most or all of this code is in 3 samba4 source files, ~1000 lines in all.

Use 1.7's AD-support features

This stuff should already just work:

  1. PAC handling;
  2. AD-style name canonicalization;
  3. NT-ENTERPRISE names, which carry two realms;
  4. CHECK_POLICY/AUDIT methods;
  5. DCE_STYLE;
  6. Accept legacy Samba3 clients' bad GSSAPI checksums;
  7. Principal-manipulation functions;

MIT KDC changes

  1. Add HBAC to the KDC's TGT-issuance, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints;
    1. LH: "use KRB5_KDB_METHOD_CHECK_POLICY_TGS method. We have access to the complete request. See against_local_policy_tgs() in policy.c .
  2. Add a heuristic for failed-kinit counts, to support AD-style unified account-lockouts across all authentication methods (Krb, NTLM, LDAP simple bind, etc).
    1. LH: "Use a KRB5_KDB_METHOD_AUDIT_AS method for this."

Controversial proposed changes for the port

Maybe: Improve or replace MIT's DAL

Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see & manipulate more LDAP detail, on Samba4's behalf;

Maybe not: Add a KDC-as-library API

Samba4 currently runs as a single process, and Samba4 invokes the Heimdal KDC via a libkdc interface (KDC as library). Andrew Bartlett says this libkdc interface is "nice to have", not essential. Tom Yu says adding a libkdc interface to MIT's code would be a lot of work, but would tie naturally into code-cleanup work that MIT wants to do, anyway.

Retrieved from "https://k5wiki.kerberos.org/wiki?title=Projects/Samba4_Port&oldid=1367"