From 370f5b9563ff993229bde1cababf3e2a52c60661 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 4 Sep 2005 06:19:57 +0000 Subject: r10021: More kerberos notes. (This used to be commit f36e657a416d7ec7146d84da88b28c2606ff838a) --- source4/auth/kerberos/kerberos-notes.txt | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) (limited to 'source4/auth') diff --git a/source4/auth/kerberos/kerberos-notes.txt b/source4/auth/kerberos/kerberos-notes.txt index a9b62742fe..eec1cac3aa 100644 --- a/source4/auth/kerberos/kerberos-notes.txt +++ b/source4/auth/kerberos/kerberos-notes.txt @@ -229,8 +229,9 @@ the kerberos libraries - DCE_STYLE - - gsskrb5_get_initiator_subkey() (return the opposite key to what the - lucid context and get_subkey() calls return). + - gsskrb5_get_initiator_subkey() (return the exact key that Samba3 + has always asked for. gsskrb5_get_subkey() might do what we need + anyway) - gsskrb5_get_authz_data() @@ -281,13 +282,29 @@ still wanted to supply a keytab to the GSSAPI code), a 'wildcard' keytab was devised. MEMORY_WILDCARD: is much like MEMORY:, except it only matches on kvno, rather than on the principal name. +Another way of handling this amy be to declare "" as a wildcard name, +or perhaps allow principal names to be fnmatch() or regex expressions. + +Hmm, looking over the code again, I'm really not sure we need this... +We should be able to just specify the same principal as a desired name +(GSSAPI) and principal (keytab). + Extra Heimdal functions used ---------------------------- (an attempt to list some of the Heimdal-specific functions I know we use) -krb5_make_principal() krb5_free_keyblock_contents() +also a raft of prinicpal manipulation functions: + +Prncipal Manipulation +--------------------- + +Samba makes extensive use of the principal manipulation functions in +Heimdal, including the known structure behind krb_principal and +krb5_realm (a char *). + + KDC Extensions -------------- -- cgit
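Review bot: In the first hunk (@@ -229,8 +229,9 @@), the new description of gsskrb5_get_initiator_subkey() says it returns "the exact key that Samba3 has always asked for" without saying which key that is, and it drops the old statement that the result is the opposite of what the lucid context and get_subkey() calls return. Name the key explicitly so a reader does not need the Samba3 source to interpret the note. "gsskrb5_get_subkey() might do what we need anyway" is an open question; mark it as a TODO or resolve it before listing the function as a required extension.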
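Review bot: In the second hunk (@@ -281,13 +282,29 @@), krb5_make_principal() is removed from the "Extra Heimdal functions used" list and replaced by "also a raft of prinicpal manipulation functions:", which ends in a colon but names no functions, so the list now records less than it did before. Keep krb5_make_principal() and list the other functions under the new heading. The added text also has typos ("amy" for "may", "prinicpal", and "Prncipal" in the heading, whose underline needs one more dash once the word is corrected), and "krb_principal" is probably meant to be krb5_principal, matching krb5_realm on the next line. The two new MEMORY_WILDCARD paragraphs pull in opposite directions (treat "" or fnmatch()/regex patterns as wildcards, versus "I'm really not sure we need this"); since a pattern would match more keytab entries than an exact principal name, state which direction is intended.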