author    Andrew Bartlett <abartlet@samba.org>    2005-06-05 04:17:08 +0000
committer Gerald (Jerry) Carter <jerry@samba.org>    2007-10-10 13:17:37 -0500
commit    2e787b5b17afe761c863ccccc262c2a276bdbc66 (patch)
tree      e7bff20f8bd704fbf58e84eeb6729c5d5b032960
parent    cf5d6ef89943714bce0c7914f8317fda68e3d059 (diff)
r7291: Additional notes on what we require from a kerberos implementation.
Andrew Bartlett (This used to be commit a8d3493b6f7a0c28465b00bbadf24e152422e4b5)
-rw-r--r--  source4/auth/kerberos/kerberos-notes.txt  37
1 file changed, 36 insertions, 1 deletion
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index a2e034f768..3422612e03 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -67,7 +67,7 @@ For example, this is how HTTP/, DNS/ and CIFS/ can use HOST/ without
any explicit entry.
-Jean-Baptiste.Marchand@hsc.fr remainds me:
+Jean-Baptiste.Marchand@hsc.fr reminds me:
> This is the SPNMappings attribute in Active Directory:
@@ -219,6 +219,41 @@ We currently define 3 classes:
I also now specify the kerberos principal as an explict parameter, not
an in/out value on the entry itself.
+libkdc
+------
+
+Samba4 needs to be built as a single binary (design requirement), and
+this should include the KDC. Samba also (and perhaps more
+importantly) needs to control the configuration environment of the
+KDC.
+
+The interface we have defined for libkdc allow for packet injection
+into the post-socket layer, with a defined krb5_context and
+kdb5_kdc_configuration structure. These effectively redirect the
+kerberos warnings, logging and database calls as we require.
+
+Using our socket lib
+--------------------
+
+An important detail in the use of libkdc is that we use our own socket
+lib. This allows the KDC code to be as portable as the rest of samba
+(this cuts both ways), but far more importantly it ensures a
+consistancy in the handling of requests, binding to sockets etc.
+
+To handle TCP, we will use of our socket layer in much the same way as
+we deal with TCP for CIFS.
+
+Kerberos logging support
+------------------------
+
+Samba now (optionally in the main code, required for the KDC) uses the
+krb5_log_facility from Heimdal. This allows us to redirect the
+warnings and status from the KDC (and client/server kerberos code) to
+Samba's DEBUG() system.
+
+We have added krb5_freelog() to be the opposite of krb5_initlog(), and
+ensure we do not leak memeory in this operation. (krb5_closelog() does
+not free everything that krb5_initlog creates).
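Review bot: the libkdc paragraph refers to a "kdb5_kdc_configuration structure", which looks like a typo for Heimdal's krb5_kdc_configuration; since this file is the record of what Samba requires from the Kerberos library, the identifier should match the real type name. The same hunk has a few wording slips worth fixing before it lands: "The interface we have defined for libkdc allow for" should read "allows for", "consistancy" should be "consistency", "we will use of our socket layer" should be "we will make use of our socket layer", and "memeory" should be "memory". The last paragraph would also be more useful if it named which allocations krb5_closelog() leaves behind and krb5_freelog() releases, so that a reader building against a later Heimdal can check whether the extra call is still needed rather than taking "does not free everything" on trust.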