author | Andrew Bartlett <abartlet@samba.org> | 2005-06-05 04:17:08 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2005-06-05 04:17:08 +0000 |
commit | 23d0f040993fb97dc2663bb137213070478b1709 (patch) | |
tree | 22de83f653588ce91314ab7f9e9f3186f3904a08 | |
parent | f6be348f15905d10580fa0f3b518d62741f4eede (diff) | |
r7291: Additional notes on what we require from a kerberos implementation.
Andrew Bartlett
-rw-r--r-- | source/auth/kerberos/kerberos-notes.txt | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/source/auth/kerberos/kerberos-notes.txt b/source/auth/kerberos/kerberos-notes.txt index a2e034f768d..3422612e03c 100644 --- a/source/auth/kerberos/kerberos-notes.txt +++ b/source/auth/kerberos/kerberos-notes.txt @@ -67,7 +67,7 @@ For example, this is how HTTP/, DNS/ and CIFS/ can use HOST/ without any explicit entry. -Jean-Baptiste.Marchand@hsc.fr remainds me: +Jean-Baptiste.Marchand@hsc.fr reminds me: > This is the SPNMappings attribute in Active Directory: 
@@ -219,6 +219,41 @@ We currently define 3 classes: I also now specify the kerberos principal as an explict parameter, not an in/out value on the entry itself. +libkdc +------ + +Samba4 needs to be built as a single binary (design requirement), and +this should include the KDC. Samba also (and perhaps more +importantly) needs to control the configuration environment of the +KDC. + +The interface we have defined for libkdc allow for packet injection +into the post-socket layer, with a defined krb5_context and +kdb5_kdc_configuration structure. These effectively redirect the +kerberos warnings, logging and database calls as we require. + +Using our socket lib +-------------------- + +An important detail in the use of libkdc is that we use our own socket +lib. This allows the KDC code to be as portable as the rest of samba +(this cuts both ways), but far more importantly it ensures a +consistancy in the handling of requests, binding to sockets etc. + +To handle TCP, we will use of our socket layer in much the same way as +we deal with TCP for CIFS. + +Kerberos logging support +------------------------ + +Samba now (optionally in the main code, required for the KDC) uses the +krb5_log_facility from Heimdal. This allows us to redirect the +warnings and status from the KDC (and client/server kerberos code) to +Samba's DEBUG() system. + +We have added krb5_freelog() to be the opposite of krb5_initlog(), and +ensure we do not leak memeory in this operation. (krb5_closelog() does +not free everything that krb5_initlog creates). |
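Review bot: The added notes in the second hunk carry several wording errors that should be fixed before this lands, and one identifier that looks wrong: in the libkdc section "The interface we have defined for libkdc allow for" should read "allows for", and "kdb5_kdc_configuration structure" appears to be a typo for Heimdal's `krb5_kdc_configuration` (the other structure named on the same line is `krb5_context`, so the `kdb5_` prefix is almost certainly a slip); in the socket-lib section "consistancy" should be "consistency" and "we will use of our socket layer" should be "we will use our socket layer"; in the logging section "memeory" should be "memory". On substance, the logging section says KDC warnings and status are redirected into Samba's DEBUG() system, but it does not say how Heimdal log levels are mapped onto DEBUG levels; since the KDC is the security-critical component here, the note should state that mapping (or where it lives) so operators know at which debug level KDC errors and warnings become visible rather than being silently dropped at the default level. Likewise, "We have added krb5_freelog()" should say where that function was added (Samba's own Heimdal tree or upstream), because a Samba-only addition to a Heimdal API is something future merges need to know about.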