summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-06-10 11:37:49 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-06-10 11:37:49 +1000
commitfbde0011e63e7bb41c6d9801f7775ad75dc90b16 (patch)
tree8336e32c777041fe5bdd0d44905ae0024d31e685 /source4/auth
parent8e1b848aed38a1e297a1b7df68b6a6b703fcd2ff (diff)
downloadsamba-fbde0011e63e7bb41c6d9801f7775ad75dc90b16.tar.gz
samba-fbde0011e63e7bb41c6d9801f7775ad75dc90b16.tar.bz2
samba-fbde0011e63e7bb41c6d9801f7775ad75dc90b16.zip
Remove copy of kerberos-notes.txt added in incorrect location
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/kerberos-notes.txt760
1 files changed, 0 insertions, 760 deletions
diff --git a/source4/auth/kerberos-notes.txt b/source4/auth/kerberos-notes.txt
deleted file mode 100644
index 78efe179c1..0000000000
--- a/source4/auth/kerberos-notes.txt
+++ /dev/null
@@ -1,760 +0,0 @@
-Copyright Andrew Bartlett <abartlet@samba.org> 2005-2009
-Copyright Donald T. Davis <don@mit.edu>
-
-Released under the GPLv3
-
-Important context for porting to MIT
-------------------------------------
-
-This document should be read in conjuction with the Samba4 source code.
-DAL and KDC requirements are expressed (as an implementation against Heimdal's
-HDB abstraction layer) in Samba4's source4/kdc/hdb-samba4.c in particular.
-hbd-samba4.c is the biggest piece of samba-to-krb glue layer, so the main
-part of the port to MIT is to replace hdb-samba4 with a similar glue layer
-that's designed for MIT's code.
-
-PAC requirements are implemeneted in source4/kdc/pac-glue.c
-
-The plugins (both of the above are Heimdal plugins) for the above are loaded
-in source4/kdc/kdc.c
-
-For GSSAPI requirements, see auth/gensec/gensec_gssapi.c (the consumer of
-GSSAPI in Samba4)
-
-For Kerberos requirements, see auth/kerberos/krb5_init_context.c .
-
-Samba has its own credentials system, wrapping GSS creds, just as GSS
-creds wrap around krb5 creds. For the interaction between Samba4 credentials
-system and GSSAPI and Kerberos see auth/credentials/credentials_krb5.c .
-
-AllowedWorkstationNames and Krb5
---------------------------------
-
-Microsoft uses the clientAddresses *multiple value* field in the krb5
-protocol (particularly the AS_REQ) to communicate the client's netbios
-name (legacy undotted name, <14 chars)
-
-This is (my guess) to support the userWorkstations field (in user's AD record).
-The idea is to support client-address restrictions, as was standard in NT:
-The AD authentication server I imagine checks the netbios address against
-this userWorkstations value (BTW, the NetLogon server does this, too).
-
-The checking of this field implies a little of the next question:
-
-Is a DAL the layer we need?
----------------------------
-
-Looking at what we need to pass around, I don't think
-the DAL is even the right layer; what we really want
-is to create an account-authorization abstraction layer
-(e.g., is this account permitted to login to this computer,
-at this time?).
-Here is how we ended up doing this in Heimdal:
- * We created a separate plugin, with this API:
- typedef struct hdb_entry_ex {
- void *ctx;
- hdb_entry entry;
- void (*free_entry)(krb5_context, struct hdb_entry_ex *);
- } hdb_entry_ex;
-
- * The void *ctx is a "private pointer," provided by the 'get' method's
- hdb_entry_ex retval. The APIs below use the void *ctx so as to find
- additional information about the user, not contained in the hdb_entry
- structure. Both the provider and the APIs below understand how to cast
- the private void *ctx pointer.
-
- typedef krb5_error_code
- (*krb5plugin_windc_pac_generate)(void *, krb5_context,
- struct hdb_entry_ex *, krb5_pac*);
- typedef krb5_error_code
- (*krb5plugin_windc_pac_verify)(void *, krb5_context,
- const krb5_principal,
- struct hdb_entry_ex *,
- struct hdb_entry_ex *,
- krb5_pac *);
- typedef krb5_error_code
- (*krb5plugin_windc_client_access)(void *,
- krb5_context,
- struct hdb_entry_ex *,
- KDC_REQ *, krb5_data *);
-
- * (The krb5_data* here is critical, so that samba's KDC can return
- the right NTSTATUS code in the 'error string' returned to the client.
- Otherwise, the windows client won't get the right error message to
- the user (such as 'password expired' etc). The pure Kerberos error
- is not enough)
-
- typedef struct krb5plugin_windc_ftable {
- int minor_version;
- krb5_error_code (*init)(krb5_context, void **);
- void (*fini)(void *);
- rb5plugin_windc_pac_generate pac_generate;
- krb5plugin_windc_pac_verify pac_verify;
- krb5plugin_windc_client_access client_access;
- } krb5plugin_windc_ftable;
- This API has some heimdal-specific stuff, that'll have to change when we port the plugin to MIT krb.
- * 1st callback (pac_generate) creates an initial PAC from the user's AD record.
- * 2nd callback (pac_verify) check that a PAC is correctly signed, add additional groups (for cross-realm tickets) and re-sign with the key of the target kerberos service's account
- * 3rd callback (client_access) perform additional access checks, such as allowedWorkstations and account expiry.
- * for example, to register this plugin, use the kdc's standard
- plugin-system at Samba4's initialisation:
- /* first, setup the table of callback pointers */
- /* Registar WinDC hooks */
- ret = krb5_plugin_register(krb5_context,
- PLUGIN_TYPE_DATA, "windc",
- &windc_plugin_table);
- /* once registered, the KDC will invoke the callbacks */
- /* while preparing each new ticket (TGT or app-tkt) */
- * an alternate way to register the plugin is with a config-file that names
- a DSO (Dynamically Shared Object).
-
-
-This plugin helps bridge an important gap: The user's AD record is much
-richer than the Heimdal HDB format allows, so we do AD-specific access
-control checks in an AD-specific layer (ie, the plugin), not in the
-DB-agnostic KDC server.
-
-In Novell's pure DAL approach, the DAL only read in the principalName as
-the key, so it had trouble performing access-control decisions on things
-other than the name (like the addresses).
-
-There is another, currently unhandled challenge in this area - the need to handle
-bad password counts (and good password notification), so that a single policy can
-be applied against all means of checking a password (NTLM, Kerberos, LDAP Simple
-bind etc)
-
-The Original work by Novell in creating a DAL did not seem to provide a way to
-update the PW counts information. Nevertheless, we know that this is very much
-required (and may have been addressed in Simo's subsequent IPA-KDC design),
-because in Samba3+eDirectory, great lengths are taken to update this information.
-
-GSSAPI layer requirements
--------------------------
-
-Welcome to the wonderful world of canonicalisation
-
-The MIT Krb5 libs (including GSSAPI) do not support kinit returning a different
-realm to what the client asked for, even just in case differences.
-
-Heimdal has the same problem, and this too applies to the krb5 layer, not
-just gssapi.
-
-there's two kinds of name-canonicalization that can occur:
- * lower-to-upper case conversion, because Windows domain names are
- usually in upper case;
- * an unrecognizable subsitution of names, such as might happen when
- a user requests a ticket for a NetBIOS domain name, but gets back
- a ticket for the corresponging FQDN.
-
-As developers, we should test if the AD KDC's name-canonicalisation
-can be turned off with the KDCOption flags in the AS-REQ or TGS-REQ;
-Windows clients always send the Canonicalize flags as KDCOption values.
-
-Old Clients (samba3 and HPUX clients) use 'selfmade' gssapi/krb5 tokens
-for use in the CIFS session setup. these hand-crafted ASN.1 packets don't
-follow rfc1964 perfectly, so server-side krblib code has to be flexible
-enough to accept these bent tokens.
-It turns out that Windows' GSSAPI server-side code is sloppy about checking
-some GSSAPI tokens' checksums. During initial work to implement an AD client,
-it was easier to make an acceptable solution (to Windows servers) than to
-correctly implement the GSSAPI specification, particularly on top of the
-(inflexible) MIT Kerberos API. It did not seem possible to write a correct,
-seperate GSSAPI implementation on top of MIT Kerberos's public krb5lib API,
-and at the time, the effort did not need to extend beyond what Windows would
-require.
-
-The upshot is that old Samba3 clients send GSSAPI tokens bearing incorrect
-checksums, which AD's Krb5lib cheerfully accepts (but accepts the good checksums,
-too). Similarly, Samba4's heimdal krb5lib accepts these incorrect checksums.
-Accordingly, if MIT's krb5lib wants to interoperate with the old Samba3 clients,
-then MIT's library will have to do the same.
-
-Because these old clients use krb5_mk_req()
-the app-servers get a chksum field depending on the encryption type, but that's
-wrong for GSSAPI (see rfc 1964 section 1.1.1). The Checksum type 8003 should
-be used in the Authenticator of the AP-REQ! That (correct use of the 8003 type)
-would allows the channel bindings, the GCC_C_* req_flags and optional delegation
-tickets to be passed from the client to the server. However windows doesn't
-seem to care whether the checksum is of the wrong type, and for CIFS SessionSetups,
-it seems that the req_flags are just set to 0.
-This deviant checksum can't work for LDAP connections with sign or seal, or
-for any DCERPC connection, because those connections do not require the
-negotiation of GSS-Wrap paraemters (signing or sealing of whole payloads).
-Note: CIFS has an independent SMB signing mechanism, using the Kerberos key.
-
-see heimdal/lib/gssapi/krb5/accept_sec_context.c, lines 390-450 or so.
-
-This bug-compatibility is likely to be controversial in the kerberos community,
-but a similar need for bug-compatibility arose around MIT's & Heimdal's both
-failing to support TGS_SUBKEYs correctly, and there are numerous other cases.
-see https://lists.anl.gov/pipermail/ietf-krb-wg/2009-May/007630.html
-
-So MIT's krb5lib needs to also support old clients!
-
-Principal Names, long and short names
--------------------------------------
-
-As far as servicePrincipalNames are concerned, these are not
-canonicalised by AD's KDC, except as regards the realm in the reply.
-That is, the client gets back the principal it asked for, with
-the realm portion 'fixed' to uppercase, long form.
-Heimdal doesn't canonicalize names, but Samba4 does some canonicalization:
-For hostnames and usernames, Samba4 canonicalizes the requested name only
-for the LDAP principal-lookup, but then Samba4 returns the retrieved LDAP
-record with the request's original, uncanonicalized hostname replacing the
-canonicalized name that actually was retrieved.
-AB says that for usernames, Samba4 used to return the canonicalized username,
-as retrieved from LDAP. The reason for the different treatment was that
-the user needs to present his own canonicalized username to servers, for
-ACL-matching. For hostnames this isn't necessary.
-So, for bug-compatibility, we may need to optionally disable any
-namne-canonicalization that MIT's KDC does.
-
-The short name of the realm seems to be accepted for at least AS_REQ
-operations, but the AD KDC always performs realm-canonicalisation,
-which converts the short realm-name to the canonical long form.
-So, this causes pain for current krb client libraries.
-
-The canonicalisation of names matters not only for the KDC, but also
-for code that has to deal with keytabs.
-With credential-caches, when canonicalization leads to cache-misses,
-the client just asks for new credentials for the variant server-name.
-This could happen, for example, if the user asks to access the server
-twice, using different variants of the server-name.
-
-We also need to handle type 10 names (NT-ENTERPRISE), which are a full
-principal name in the principal field, unrelated to the realm.
-The principal field contains both principal & realm names, while the
-realm field contains a realm name, too, possibly different.
-For example, an NT-ENTERPRISE principal name might look like:
-joeblow@microsoft.com@NTDEV.MICROSOFT.COM ,
-<--principal field-->|<----realm name--->|
-
-Where joe@microsoft.com is the leading portion, and NTDEV.MICROSOFT.COM is
-the realm. This is used for the 'email address-like login-name' feature of AD.
-
-HOST/ Aliases
--------------
-
-There is another post somewhere (ref lost for the moment) that details
-where in active directory the list of stored aliases for HOST/ is.
-This list is read & parsed by the AD KDC, so as to allow any of these
-aliased ticket-requests to use the HOST/ key.
-
-Samba4 currently has set:
-sPNMappings: host=ldap,dns,cifs,http (but dns's presence is a bug, somehow)
-
-AD actually has ~50 entries:
-
-sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
- or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
- as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
- ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
- on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
- w,http,w3svc,iisadmin,msdtc
-
-Domain members that expect the longer list will break in damb4, as of 6/09.
-AB says he'll try to fix this right away.
-
-For example, this is how HTTP/, and CIFS/ can use HOST/ without
-any explicit entry in the servicePrincipalName attribute
-
-
-For example, the application-server might have (on its AD record):
-servicePrincipalName: HOST/my.computer@MY.REALM
-
-but the client asks for a ticket to cifs/my.computer@MY.REALM
-AD looks in LDAP for both name-variants
-AD then transposes cifs -> host after performing the lookup in the
-directory (for the original name), then looks for host/my.computer@MY.REALM
-
-for hostnames & usernames, alternate names appear as extra values in
-the multivalued "principal name" attributes:
- - For hostnames, the other names (other than it's short name, implied
- from the CN), is stored in the servicePrincipalName
- - For usernames, the other names are stored in the userPrincipalName
- attribute, and can be full e-mail address like names, such as
- joe@microsoft.com (see above).
-
-Jean-Baptiste.Marchand@hsc.fr reminds me:
-> This is the SPNMappings attribute in Active Directory:
-> http://msdn.microsoft.com/library/en-us/adschema/adschema/a_spnmappings.asp
-
-We implement this in hdb-ldb.
-
-Implicit names for Win2000 Accounts
------------------------------------
-AD's records for servers are keyed by CN or by servicePrincipalName,
-but for win2k boxes, these records don't include servicePrincipalName,
-so, the CN attribute is used instead.
-Despite not having a servicePrincipalName on accounts created
-by computers running win2000, it appears we are expected
-to have an implicit mapping from host/computer.full.name and
-host/computer to the computer's entry in the AD LDAP database
-(ie, be able to obtain tickets for that host name in the KDC).
-
-Returned Salt for PreAuthentication
------------------------------------
-
-When the KDC replies for pre-authentication, it returns the Salt,
-which may be in the form of a principalName that is in no way
-connected with the current names. (ie, even if the userPrincipalName
-and samAccountName are renamed, the old salt is returned).
-
-This is the kerberos standard salt, kept in the 'Key'. The
-AD generation rules are found in a Mail from Luke Howard dated
-10 Nov 2004. The MIT glue layer doesn't really need to care about
-these salt-handling details; the samba4 code & the LDAP backend
-will conspire to make sure that MIT's KDC gets correct salts.
-
-
-From: Luke Howard <lukeh@padl.com>
-Organization: PADL Software Pty Ltd
-To: lukeh@padl.com
-Date: Wed, 10 Nov 2004 13:31:21 +1100
-Cc: huaraz@moeller.plus.com, samba-technical@lists.samba.org
-Subject: Re: Samba-3.0.7-1.3E Active Directory Issues
--------
-
-Did some more testing, it appears the behaviour has another
-explanation. It appears that the standard Kerberos password salt
-algorithm is applied in Windows 2003, just that the source principal
-name is different.
-
-Here is what I've been able to deduce from creating a bunch of
-different accounts:
-[SAM name in this mail means the AD attribute samAccountName .
- E.g., jbob for a user and jbcomputer$ for a computer.]
-
-[UPN is the AD userPrincipalName attribute. For example, jbob@mydomain.com]
-
-Type of account Principal for Salting
-========================================================================
-Computer Account host/<SAM-Name-Without-$>.realm@REALM
-User Account Without UPN <SAM-Name>@REALM
-User Account With UPN <LHS-Of-UPN>@REALM
-
-Note that if the computer account's SAM account name does not include
-the trailing '$', then the entire SAM account name is used as input to
-the salting principal. Setting a UPN for a computer account has no
-effect.
-
-It seems to me odd that the RHS of the UPN is not used in the salting
-principal. For example, a user with UPN foo@mydomain.com in the realm
-MYREALM.COM would have a salt of MYREALM.COMfoo. Perhaps this is to
-allow a user's UPN suffix to be changed without changing the salt. And
-perhaps using the UPN for salting signifies a move away SAM names and
-their associated constraints.
-
-For more information on how UPNs relate to the Kerberos protocol,
-see:
-
-http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-krb-wg-kerberos-referrals-02.txt
-
--- Luke
-
-
-
-Heimdal oddities
-----------------
-
-Heimdal is built such that it should be able to serve multiple realms
-at the same time. This isn't relevant for Samba's use, but it shows
-up in a lot of generalisations throughout the code.
-
-Samba4's code originally tried internally to make it possible to use
-Heimdal's multi-realms-per-KDC ability, but this was ill-conceived,
-and AB has recently (6/09) ripped the last of that multi-realms
-stuff out of samba4. AB says that in AD, it's not really possible
-to make this work; several AD components structurally assume that
-there's one realm per KDC. However, we do use this to support
-canonicalization of realm-names: case variations, plus long-vs-short
-variants of realm-names.
-
-Other odd things:
- - Heimdal supports multiple passwords on a client account: Samba4
- seems to call hdb_next_enctype2key() in the pre-authentication
- routines to allow multiple passwords per account in krb5.
- (I think this was intended to allow multiple salts).
- AD doesn't support this, so the MIT port shouldn't bother with
- this.
-
-State Machine safety when using Kerberos and GSSAPI libraries
--------------------------------------------------------------
-
-Samba's client-side & app-server-side libraries are built on a giant
-state machine, and as such have very different
-requirements to those traditionally expressed for kerberos and GSSAPI
-libraries.
-
-Samba requires all of the libraries it uses to be state machine safe in
-their use of internal data. This does not mean thread safe, and an
-application could be thread safe, but not state machine safe (if it
-instead used thread-local variables).
-
-So, what does it mean for a library to be state machine safe? This is
-mostly a question of context, and how the library manages whatever
-internal state machines it has. If the library uses a context
-variable, passed in by the caller, which contains all the information
-about the current state of the library, then it is safe. An example
-of this state is the sequence number and session keys for an ongoing
-encrypted session).
-
-The other issue affecting state machines is 'blocking' (waiting for a
-read on a network socket). Samba's non-blocking I/O doesn't like
-waiting for libkrb5 to go away for awhile to talk to the KDC.
-
-Samba4 provides a hook 'send_to_kdc', that allows Samba4 to take over the
-IO handling, and run other events in the meantime. This uses a
-'nested event context' (which presents the challenges that the kerberos
-library might be called again, while still in the send_to_kdc hook).
-
-Heimdal has this 'state machine safety' in parts, and we have modified
-the lorikeet branch to improve this behviour, when using a new,
-non-standard API to tunnelling a ccache (containing a set of tickets)
-through the gssapi, by temporarily casting the ccache pointer to a
-gss credential pointer.
-This new API is Heimdal's samba4-requested gss_krb5_import_cred() fcn;
-this will have to be rewritten or ported in the MIT port.
-
-This replaces an older scheme using the KRB5_CCACHE
-environment variable to get the same job done. This tunnelling trick
-enables a command-line app-client to run kinit tacitly, before running
-GSSAPI for service-authentication. This tunnelling trick avoids the
-more usual approach of keeping the ccache pointer in a global variable.
-
-No longer true; the krb5_context global is gone now:
-[Heimdal uses a per-context variable for the 'krb5_auth_context', which
-controls the ongoing encrypted connection, but does use global
-variables for the ubiquitous krb5_context parameter.]
-
-The modification that has added most to 'state machine safety' of
-GSSAPI is the addition of the gss_krb5_acquire_creds() function. This
-allows the caller to specify a keytab and ccache, for use by the
-GSSAPI code. Therefore there is no need to use global variables to
-communicate this information about keytab & ccache.
-
-At a more theoritical level (simply counting static and global
-variables) Heimdal is not state machine safe for the GSSAPI layer.
-(Heimdal is now (6/09) much more nearly free of globals.)
-The Krb5 layer alone is much closer, as far as I can tell, blocking
-excepted. .
-
-
-As an alternate to fixing MIT Kerberos for better safety in this area,
-a new design might be implemented in Samba, where blocking read/write
-is made to the KDC in another (fork()ed) child process, and the results
-passed back to the parent process for use in other non-blocking operations.
-
-To deal with blocking, we could have a fork()ed child per context,
-using the 'GSSAPI export context' function to transfer
-the GSSAPI state back into the main code for the wrap()/unwrap() part
-of the operation. This will still hit issues of static storage (one
-gss_krb5_context per process, and multiple GSSAPI encrypted sessions
-at a time) but these may not matter in practice.
-
-This approach has long been controversial in the Samba team.
-An alternate way would be to be implement E_AGAIN in libkrb5: similar
-to the way to way read() works with incomplete operations. to do this
-in libkrb5 would be difficult, but valuable.
-
-In the short-term, we deal with blocking by taking over the network
-send() and recv() functions, therefore making them 'semi-async'. This
-doens't apply to DNS yet.These thread-safety context-variables will
-probably present porting problems, during the MIT port. This will
-probably be most of the work in the port to MIT.
-
-
-
-GSSAPI and Kerberos extensions
-------------------------------
-
-This is a general list of the other extensions we have made to / need from
-the kerberos libraries
-
- - DCE_STYLE : Microsoft's hard-coded 3-msg Challenge/Response handshake
- emulates DCE's preference for C/R. Microsoft calls this DCE_STYLE.
- MIT already has this nowadays (6/09).
-
- - gsskrb5_get_initiator_subkey() (return the exact key that Samba3
- has always asked for. gsskrb5_get_subkey() might do what we need
- anyway). This is necessary, because in some spots, Microsoft uses
- raw Kerberos keys, outside the Kerberos protocls, and not using Kerberos
- wrappings etc. Ie, as a direct input to MD5 and ARCFOUR, without using
- the make_priv() or make_safe() calls.
-
- - gsskrb5_acquire_creds() (takes keytab and/or ccache as input
- parameters, see keytab and state machine discussion in prev section)
-
-Not needed anymore, because MIT's code now handles PACs fully:
- - gss_krb5_copy_service_keyblock() (get the key used to actually
- encrypt the ticket to the server, because the same key is used for
- the PAC validation).
- - gsskrb5_extract_authtime_from_sec_context (get authtime from
- kerberos ticket)
- - gsskrb5_extract_authz_data_from_sec_context (get authdata from
- ticket, ie the PAC. Must unwrap the data if in an AD-IFRELEVENT)]
-The new function to handle the PAC fully
- - gsskrb5_extract_authz_data_from_sec_context()
-
-Samba still needs this one:
- - gsskrb5_wrap_size (find out how big the wrapped packet will be,
- given input length).
-
-Keytab requirements
--------------------
-
-Because windows machine account handling is very different to the
-traditional 'MIT' keytab operation.
-This starts when we look at the basics of the secrets handling:
-
-Samba file-servers can have many server-name simultaneously (kindof
-like web servers' software virtual hosting), but since these servers
-are running in AD, these names are free to be set up to all share
-the same secret key. In AD, host-sharing server names almost always
-share a secret key like this. In samba3, this key-sharing was optional, so
-some samba3 hosts' keytabs did hold multiple keys. samba4 abandons this
-traditional "old MIT" style of keytab, and only supports one key per keytab,
-and multiple server-names can use that keytab key in common.
-Heimdal offered "in-memory keytabs" for servers that use passwords.
-These server-side passwords were held in a Samba LDB database called secrets.ldb,
-and the heimdal library would be supplied the password from the ldb file and
-would construct an in-memory keytab struct containing the password,
-just as if the library had read an MIT-style keytab file.
-Unfortunately, only later, at recv_auth() time, would the heimdal library
-convert the PW into a salted-&-hashed AES key, by hashing 10,000 times with
-SHA-1. So, nowadays, this password-based in-memory keytab is seen as too
-slow, and is falling into disuse.
-
-Traditional 'MIT' behaviour is to use a keytab, containing salted key
-data, extracted from the KDC. (In this modal, there is no 'service
-password', instead the keys are often simply application of random
-bytes). Heimdal also implements this behaviour.
-
-The windows modal is very different - instead of sharing a keytab with
-each member server, a random utf-16 pseudo-textual password is stored
-for the whole machine.
-The password is set with non-kerberos mechanisms (particularly SAMR,
-a DCE-RPC service) and when interacting on a kerberos basis, the
-password is salted by the member server (ie, an AD server-host).
-(That is, no salt information appears to be conveyed from the AD KDC
-to the member server. ie, the member server must use the rule's
-described in Luke's mail above).
-
-pre-win7 AD and samba3/4 both use SAMR, an older protocol, to jumpstart
-the member server's PW-sharing with AD (the "windows domain-join process").
-This PW-sharing transfers only the PW's utf-16 text, without any salting
-or hashing, so that non-krb security mechanisms can use the same utf-16
-text PW. for windows 7, this domain-joining uses LDAP for PW-setting.
-
-In dealing with this model, we use both the traditional file
-keytab and in-MEMORY keytabs.
-
-When dealing with a windows KDC, the behaviour regarding case
-sensitivity and canonacolisation must be accomidated. This means that
-an incoming request to a member server may have a wide variety of
-service principal names. These include:
-
-machine$@REALM (samba clients)
-HOST/foo.bar@realm (win2k clients)
-HOST/foo@realm (win2k clients, using netbios)
-cifs/foo.bar@realm (winxp clients)
-cifs/foo@realm (winxp clients, using netbios)
-
-as well as all case variations on the above.
-
-Heimdal's GSSAPI expects to get a principal-name & a keytab, possibly containing
-multiple principals' different keys. However, AD has a different problem to
-solve, which is that the client may know the member-server by a non-canonicalized
-principal name, yet AD knows the keytab contains exactly one key, indexed by
-the canonical name. So, GSSAPI is unprepared to canonicalize the server-name
-that the cliet requested, and is also overprepared to do an unnecessary search
-through the keytab by principal-name. So samba's server-side GSSAPI calls game
-the GSSAPI, by supplying the server's known canonical name, and the one-key keytab.
-this doesn't really affect the port to mit-krb.
-
-Because the number of U/L case combinations got 'too hard' to put into a keytab in the
-traditional way (with the client to specify the name), we either
-pre-compute the keys into a traditional keytab or make an in-MEMORY
-keytab at run time. In both cases we specifiy the principal name to
-GSSAPI, which avoids the need to store duplicate principals.
-
-We use a 'private' keytab in our private dir, referenced from the
-secrets.ldb by default.
-
-Extra Heimdal functions used
-----------------------------
-these fcns didn't exist in the MIT code, years ago, when samba started.
-AB will try to build a final list of these fcns.
-
-(an attempt to list some of the Heimdal-specific functions I know we use)
-
-krb5_free_keyblock_contents()
-
-also a raft of prinicpal manipulation functions:
-
-Prncipal Manipulation
----------------------
-
-Samba makes extensive use of the principal manipulation functions in
-Heimdal, including the known structure behind krb_principal and
-krb5_realm (a char *). for example,
-krb5_parse_name_flags(smb_krb5_context->krb5_context, name,
- KRB5_PRINCIPAL_PARSE_MUST_REALM, &principal);
-krb5_princ_realm(smb_krb5_context->krb5_context, principal);
-krb5_unparse_name_flags(smb_krb5_context->krb5_context, principal,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM, &new_princ);
-These are needed for juggling the AD variant-structures for server names.
-
-Authz data extraction
----------------------
-
-We use krb5_ticket_get_authorization_data_type(), and expect it to
-return the correct authz data, even if wrapped in an AD-IFRELEVENT container.
-
-KDC/hdb Extensions
---------------
-
-We have modified Heimdal's 'hdb' interface to specify the 'class' of
-Principal being requested. This allows us to correctly behave with
-the different 'classes' of Principal name. This is necessary because
-of the AD structure, which uses very different record-structures
-for user-principals, trust principals & server-principals.
-
-We currently define 3 classes:
- - client (kinit)
- - server (tgt)
- - krbtgt (kinit, tgt) the kdc's own ldap record
-
-I also now specify the kerberos principal as an explict parameter to LDB_fetch(),
-not an in/out value on the struct hdb_entry parameter itself.
-
-Private Data pointer (and windc hooks) (see above):
- In addition, I have added a new interface hdb_fetch_ex(), which
- returns a structure including a private data-pointer, which may be used
- by the windc plugin inferface functions. The windc plugin provides
- the hook for the PAC, as well as a function for the main access control routines.
-
- A new windc plugin function should be added to increment the bad password counter
- on failure.
-
-libkdc (doesn't matter for IPA; Samba invokes the Heimdal kdc as a library call,
-but this is just a convenience, and the MIT port can do otherwise w/o trouble.)
-------
-
-Samba4 needs to be built as a single binary (design requirement), and
-this should include the KDC. Samba also (and perhaps more
-importantly) needs to control the configuration environment of the
-KDC.
-
-The interface we have defined for libkdc allow for packet injection
-into the post-socket layer, with a defined krb5_context and
-kdb5_kdc_configuration structure. These effectively redirect the
-kerberos warnings, logging and database calls as we require.
-
-Using our socket lib (para 3 does matter for the send_to_kdc() plugin).
-See also the discussion about state machine safety above)
---------------------
-
-An important detail in the use of libkdc is that we use samba4's own socket
-lib. This allows the KDC code to be as portable as the rest of samba
-(this cuts both ways), but far more importantly it ensures a
-consistancy in the handling of requests, binding to sockets etc.
-
-To handle TCP, we use of our socket layer in much the same way as
-we deal with TCP for CIFS. Tridge created a generic packet handling
-layer for this.
-
-For the client, samba4 likewise must take over the socket functions,
-so that our single thread smbd will not lock up talking to itself.
-(We allow processing while waiting for packets in our socket routines).
-send_to_kdc() presents to its caller the samba-style socket interface,
-but the MIT port will reimplement send_to_kdc(), and this routine will
-use internally the same socket library that MIT-krb uses.
-
-Kerberos logging support (this will require porting attention)
-------------------------
-
-Samba4 now (optionally in the main code, required for the KDC) uses the
-krb5_log_facility from Heimdal. This allows us to redirect the
-warnings and status from the KDC (and client/server kerberos code) to
-Samba's DEBUG() system.
-
-Similarly important is the Heimdal-specific krb5_get_error_string()
-function, which does a lot to reduce the 'administrator pain' level,
-by providing specific, english text-string error messages instead of
-just error code translations. (this isn't necessarty for the port,
-but it's more useful than MIT's default err-handling; make sure
-this works for MIT-krb)
-
-
-Short name rules
-----------------
-
-Samba is highly likely to be misconfigured, in many weird and
-interesting ways. As such, we have a patch for Heimdal that avoids
-DNS lookups on names without a . in them. This should avoid some
-delay and root server load. (this may need to be ported to MIT.)
-
-PAC Correctness
----------------
-
-We now put the PAC into the TGT, not just the service ticket.
-
-Forwarded tickets
------------------
-
-We extract forwarded tickets from the GSSAPI layer, and put
-them into the memory-based credentials cache.
-We can then use them for proxy work.
-
-
-Kerberos TODO
-=============
-
-(Feel free to contribute to any of these tasks, or ask
-abartlet@samba.org about them).
-
-Lockout Control (still undone in samba4 on heimdal)
---------------
-
-We need to get (either if PADL publishes their patch, or write our
-own) access control hooks in the Heimdal KDC. We need to lockout
-accounts (eg, after 10 failed PW-attemps), and perform other controls.
-This is standard AD behavior, that samba4 needs to get right, whether
-heimdal or MIT-krb is doing the ticket work.
-
-Gssmonger
----------
-
-Microsoft has released a krb-specific testsuite called gssmonger,
-which tests interop. We should compile it against lorikeet-heimdal,
-MIT and see if we can build a 'Samba4' server for it.
-GSSMonger wasn't intended to be Windows-specific.
-
-Kpasswd server (kpasswd server is now finished, but not testsuite)
---------------
-
-I have a partial kpasswd server which needs finishing, and a we need a
-client testsuite written, either via the krb5 API or directly against
-GENSEC and the ASN.1 routines.
-Samba4 likes to test failure-modes, not just successful behavior.
-
-Currently it only works for Heimdal, not MIT clients. This may be due
-to call ordering constraints.
-
-
-Correct TCP support
--------------------
-
-Samba4 socket-library's current TCP support does not send back 'too large'
-error messages if the high bit is set. This is needed for a proposed extension
-mechanism (SSL-armored kinit, by Leif Johansson <leifj@it.su.se>),
-but is likewise unsupported in both current Heimdal and MIT.
-
-=========================================================================
-AB says MIT's 1.7 announcement about AD support covers Luke Howard's
-changes. It all should be easy for IPA to exploit/use during the port
-of Samba4 to MIT.
-AB says Likewise software will likely give us their freeware NTLM/MIT-krb
-implementation.