logo_kerberos.gif

Projects/Samba4 Port

From K5Wiki
< Projects
Revision as of 10:19, 14 July 2009 by Don (talk | contribs) (To do list)

Jump to: navigation, search
This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Introduction

Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos instead. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and krb5 realms.

The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project.

To do list

This is a task-list offered by Samba4's Andrew Bartlett, but Andrew is unsure of how much of this list is already available in MIT's 1.7 release.

Replace the MIT KDC's LDAP driver

  1. Our LDAP driver for the KDB needs to know how to do Samba4's intricate canonicalization of server names, user-names, and realm names.
  2. AD-style aliases for HOST/ service names.
  3. Implicit names for Win2k accounts.
  4. Principal "types": client / server / krbtgs
  5. Most or all of this code is in 3 samba4 source files, ~1000 lines in all.

MIT KDC changes

  1. Add HBAC to the KDC's TGT-issuance, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints; (LH: "use KRB5_KDB_METHOD_CHECK_POLICY_TGS method. We have access to the complete request. See against_local_policy_tgs() in policy.c .
  2. Turn on MIT-krb 1.7's PAC handling
  3. Add a heuristic for failed-kinit counts, to support AD-style unified account-lockouts across all authentication methods (Krb, NTLM, LDAP simple bind, etc). (Luke H says we can use a KRB5_KDB_METHOD_AUDIT_AS method for this.)

Use 1.7's AD-support features

  1. PAC handling;
  2. AD-style name canonicalization;
  3. NT-ENTERPRISE names, which carry two realms;
  4. CHECK_POLICY/AUDIT methods;
  5. DCE_STYLE;
  6. Accept legacy Samba3 clients' bad GSSAPI checksums;
  7. Principal-manipulation functions;

Controversial proposed changes for the port

Maybe: Improve or replace MIT's DAL

Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see & manipulate more LDAP detail, on Samba4's behalf;


Maybe not: Add a KDC-as-library API