diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-05-16 15:31:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:16:47 -0500 |
commit | e29cb65a909d9a6fbf1574e23f2e37b62084f6e9 (patch) | |
tree | 41b64cbf3534d4abd01848ef955390cf7498308f /source4/auth | |
parent | 9469051d5bcdd6a91b688d20bc91bb3cb2ba094d (diff) | |
download | samba-e29cb65a909d9a6fbf1574e23f2e37b62084f6e9.tar.gz samba-e29cb65a909d9a6fbf1574e23f2e37b62084f6e9.tar.bz2 samba-e29cb65a909d9a6fbf1574e23f2e37b62084f6e9.zip |
r6819: More notes on krb5 requirements
Andrew Bartlett
(This used to be commit dbd845998723987c75dc0e6a427330116dce0bf4)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/kerberos/kerberos-notes.txt | 84 |
1 files changed, 66 insertions, 18 deletions
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index 89c9dfabb2..a2e034f768 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -2,8 +2,8 @@ AllowedWorkstationNames and Krb5 -------------------------------- Microsoft uses the clientAddresses *multiple value* field in the krb5 -protocol to communicate it's netbios name. This is (my guess) to -permit the userWorkstations field to work. +protocol (particularly the AS_REQ) to communicate it's netbios name. +This is (my guess) to permit the userWorkstations field to work. The KDC I imagine checks the netbios address against this value, in the same way that the Samba server does this. @@ -15,19 +15,19 @@ Is a DAL the layer we need? Looking at what we need to pass around, I start to seriously wonder if the DAL is even the right layer - we seem to want to create an account -authorization abstracton layer - is this account permitted to login to +authorization abstraction layer - is this account permitted to login to this computer, at this time? This information in AD is much richer than the Heimdal HDB, and it seems to make sense to do AD-specific access control checks in an -AD-specific layer, not in the backend agnostic server. +AD-specific layer, not in the back-end agnostic server. Because the DAL only reads in the principalName as the key, it has trouble performing access control decisions on things other than the name. -I'll be very intersted if the DAL really works for eDirectory too. -Perhaps all we need to do is add in the same cludges as we have in +I'll be very interested if the DAL really works for eDirectory too. +Perhaps all we need to do is add in the same kludges as we have in Samba 3.0 for eDirectory. Hmm... @@ -36,10 +36,10 @@ GSSAPI layer requirements Welcome to the wonderful world of canonicalisation -The Heimdal GSSAPI libs do not support kinit returning a different +The MIT GSSAPI libs do not support kinit returning a different realm to what the client asked for, even just in case differences. -No idea on MIT +Not looked into this on Heimdal quite yet. Principal Names, long and short names @@ -58,7 +58,7 @@ causes pain for current client libraries. HOST/ Aliases ------------- -There is another post somehwere (ref lost for the moment) that details +There is another post somewhere (ref lost for the moment) that details where in active directory the list of stored aliases for HOST/ is. This should be read, parsed and used to allow any of these requests to use the HOST/ key. @@ -66,6 +66,14 @@ use the HOST/ key. For example, this is how HTTP/, DNS/ and CIFS/ can use HOST/ without any explicit entry. + +Jean-Baptiste.Marchand@hsc.fr remainds me: + +> This is the SPNMappings attribute in Active Directory: + +> http://msdn.microsoft.com/library/en-us/adschema/adschema/a_spnmappings.asp + + Returned Salt for PreAuthentication ----------------------------------- @@ -75,7 +83,7 @@ connected with the current names. (ie, even if the userPrincipalName and samAccountName are renamed, the old salt is returned). This is probably the kerberos standard salt, kept in the 'Key'. The -standard generation rules are found in a Mail from Luke howard dated +standard generation rules are found in a Mail from Luke Howard dated 10 Nov 2004: @@ -135,19 +143,60 @@ http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-krb-wg-kerberos-referrals-0 Heimdal oddities ---------------- -Heimdal is built such that it should be able to serve muliple realms -at the same time. This isn't relevent for Samba's use, but it shows -up in a lot of generalisations thougout the code. +Heimdal is built such that it should be able to serve multiple realms +at the same time. This isn't relevant for Samba's use, but it shows +up in a lot of generalisations throughout the code. + + +State Machine safety +-------------------- + +Samba is a giant state machine, and as such have very different +requirements to those traditionally expressed for kerberos and GSSAPI +libraries. + +Samba requires all of the libraries it uses to be state machine safe in +their use of internal data. This does not mean thread safe, and an +application could be thread safe, but not state machine safe (if it +instead used thread-local variables). + +So, what does it mean for a library to be state machine safe? This is +mostly a question of context, and how the library manages whatever +internal state machines it has. If the library uses a context +variable, passed in by the caller, which contains all the information +about the current state of the library, then it is safe. A n example +of this state is the sequence number and session keys for an ongoing +encrypted session). + +The other issue affecting state machines is 'blocking' (waiting for a +read on a network socket). + +Heimdal is not state machine safe for the GSSAPI layer in particular. +Krb5 alone is much closer, as far as I can tell (the exception being the +error string handling). Adding safety is so 'easy', it is very, very +tempting to modify the APIs required and 'just do it'. Testing is a +different problem however. + +We may just use a fork()ed child to handle this, and have one process +per context. This is primarily to solve the non-blocking issue. + +I had hoped to use the 'GSSAPI export context' function to transfer +the GSSAPI state back into the main code for the wrap()/unwrap() part +of the operation, but we still hit issues of static storage (one +gss_krb5_context per process, and multiple GSSAPI encrypted sessions +at a time). GSSAPI and Kerberos extensions ------------------------------ -This is a general list of the extensions we have made to / need from the kerberos libraries +This is a general list of the other extensions we have made to / need from +the kerberos libraries - DCE_STYLE - - gsskrb5_get_initiator_subkey() + - gsskrb5_get_initiator_subkey() (return the opposite key to what the + lucid context and get_subkey() calls return). - gsskrb5_get_authz_data() @@ -155,13 +204,12 @@ This is a general list of the extensions we have made to / need from the kerbero - in-memory keytab - wildcard keytab (for in-memory operations) - KDC Extensions -------------- We have modified Heimdal's 'hdb' interface to specify the 'type' of -prinicpal being requested. This allows us to correctly behave with -the different 'classes' of prinicpal name. +Principal being requested. This allows us to correctly behave with +the different 'classes' of Principal name. We currently define 3 classes: - krbtgt |