summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-11-27 02:00:12 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:46:48 -0500
commit01fc59df4297020ce0252d6440b6d123a63e85ea (patch)
tree0b69ed50b952c3dbde507fc8b8d66744862cbe32 /source4/auth
parentc91bdb3af2a0e464ef2c65f200d7848de2350e22 (diff)
downloadsamba-01fc59df4297020ce0252d6440b6d123a63e85ea.tar.gz
samba-01fc59df4297020ce0252d6440b6d123a63e85ea.tar.bz2
samba-01fc59df4297020ce0252d6440b6d123a63e85ea.zip
r11928: More Kerberos musings...
Andrew Bartlett (This used to be commit 571f9c9c51b93946d23f2b35ef76ac881994b8cc)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/kerberos/kerberos-notes.txt84
1 files changed, 64 insertions, 20 deletions
diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt
index ece8bce372..25524ebba7 100644
--- a/source4/auth/kerberos/kerberos-notes.txt
+++ b/source4/auth/kerberos/kerberos-notes.txt
@@ -173,6 +173,19 @@ Heimdal is built such that it should be able to serve multiple realms
at the same time. This isn't relevant for Samba's use, but it shows
up in a lot of generalisations throughout the code.
+Other odd things:
+ - Support for multiple passwords on a client account: we seem to
+ call hdb_next_enctype2key() in the pre-authentication routines to
+ allow multiple passwords per account in krb5. (I think this was
+ intened to allow multiple salts)
+
+ - When sending the enc-type negotiation, we call get_pa_etype_info if
+ there are only 'old' enc types present, but always call
+ get_pa_etype_info2. It would seem more logical to have an
+ either/or, or only send both to clients that show signs of knowing
+ about the old enc types.
+ - Perhaps this is to cope with clients that expect the older info in
+ the first position? (Comments needed)
State Machine safety
--------------------
@@ -223,6 +236,9 @@ of the operation. This will still hit issues of static storage (one
gss_krb5_context per process, and multiple GSSAPI encrypted sessions
at a time) but these may not matter in practice.
+In the short-term, we deal with blocking by taking over the network
+send() and recv() functions, therefore making them 'semi-async'. This
+doens't apply to DNS yet.
GSSAPI and Kerberos extensions
------------------------------
@@ -314,7 +330,7 @@ We use krb5_ticket_get_authorization_data_type(), and expect it to
return the correct authz data, even if wrapped in an AD-IFRELEVENT container.
-KDC Extensions
+KDC/hdb Extensions
--------------
We have modified Heimdal's 'hdb' interface to specify the 'type' of
@@ -331,6 +347,23 @@ an in/out value on the entry itself.
Inside hdb-ldb, we add krbtgt as a special class of principal, because
of particular special-case backend requirements.
+Callbacks:
+ In addition, I have added a new interface hdb_fetch_ex(), which
+ returns a structure including callbacks, which provide the hook for
+ the PAC, as well as a callback into the main access control routines.
+
+ A new callback should be added to increment the bad password counter
+ on failure.
+
+ Another possability for a callback is to obtain the keys. This would
+ allow the plaintext password to only be hashed into the encryption
+ types we need. This idea from the eDirectory/MIT DAL work.
+
+ This probably should be combined with storing the hashed passwords in
+ the supplementalCredentials attribute. If combined with a kvno
+ parameter, this could also allow changing of the krbtgt password
+ (valuable for security).
+
libkdc
------
@@ -352,8 +385,9 @@ lib. This allows the KDC code to be as portable as the rest of samba
(this cuts both ways), but far more importantly it ensures a
consistancy in the handling of requests, binding to sockets etc.
-To handle TCP, we will use of our socket layer in much the same way as
-we deal with TCP for CIFS. Tridge has promised this generalisation.
+To handle TCP, we use of our socket layer in much the same way as
+we deal with TCP for CIFS. Tridge created a generic packet handling
+layer for this.
For the client, we likewise must take over the socket functions, so
that our single thread smbd will not lock up talking to itself. (We
@@ -381,38 +415,38 @@ interesting ways. As such, we have a patch for Heimdal that avoids
DNS lookups on names without a . in them. This should avoid some
delay and root server load.
-
-Kerberos TODO
-=============
-
-(Feel free to contribute to any of these tasks, or ask
-abartlet@samba.org about them).
-
-Gssmonger
----------
-
-Microsoft has released a testsuite called gssmonger, which tests
-interop. We should compile it against lorikeet-heimdal, MIT and see
-if we can build a 'Samba4' server for it.
-
PAC Correctness
---------------
-We need to put the PAC into the TGT, not just the service ticket.
+We now put the PAC into the TGT, not just the service ticket.
Forwarded tickets
-----------------
-We need to extract forwarded tickets from the GSSAPI layer, and put
+We extract forwarded tickets from the GSSAPI layer, and put
them into the credentials. We can then use them for proxy work.
-Access Control
+
+Kerberos TODO
+=============
+
+(Feel free to contribute to any of these tasks, or ask
+abartlet@samba.org about them).
+
+Lockout Control
--------------
We need to get (either if PADL publishes their patch, or write our
own) access control hooks in the Heimdal KDC. We need to lockout
accounts, and perform other controls.
+Gssmonger
+---------
+
+Microsoft has released a testsuite called gssmonger, which tests
+interop. We should compile it against lorikeet-heimdal, MIT and see
+if we can build a 'Samba4' server for it.
+
Kpasswd server
--------------
@@ -420,3 +454,13 @@ I have a partial kpasswd server which needs finishing, and a we need a
client testsuite written, either via the krb5 API or directly against
GENSEC and the ASN.1 routines.
+Currently it only works for Heimdal, not MIT clients. This may be due
+to call ordering constraints.
+
+
+Correct TCP support
+-------------------
+
+Our current TCP support does not send back 'too large' error messages
+if the high bit is set. This is needed for a proposed extension
+mechanism, but is likewise unsupported in both current Heimdal and MIT.