[RFE] Add RODC support to MIT Kerberos


[RFE] Add RODC support to MIT Kerberos

Andreas Schneider
Hello,

my name is Andreas Schneider. I'm a member of the Samba Team and work on Samba
AD with MIT Kerberos. I don't know what's the best way to file tickets for RFE
so I'm writing to this list as there might be comments by other developers.

Samba AD (Active Directory) supports running a Domain Controller (DC) as a
Read-only DC (RODC). In Samba AD we start the MIT KDC, so the MIT KDC needs
support for RODC. What is missing is that a TGS request is proxied to a
writeable DC.

Samba currently uses libkdc from Heimdal to implement the KDC functionality.
The packet handling is implemented in Samba code and is async.

* If a TGS request comes in we look up the information to fulfill the request
  in the SAMDB (Security Account Management Database).
* If we are an RODC, the SAMDB detects this and returns a special error code;
  if we see this error we set the KDC_PROXY_REQUEST for the packet handling
  code.
* Then the packet handling functions get a list of writeable DCs from the
  SAMDB, and we start sending the packet unmodified to each DC in the list of
  writeable DCs till one comes back with success or all failed.
* If we get a response packet from one of the writeable DCs we send it to the
  client requesting the TGS

So to support this we need the following:

* A new KDC error code so we can tell from the KDB the KDC should proxy the
  request (KRB5KDC_ERR_PROXY_REQUEST).
* A new kdb function to get a list of KDCs we can proxy the request to
* If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
  of KDCs we can proxy the packet to from KDB, then start sending the packet
  to the list we got. Do this until all fail or we get a response from one of
  the KDCs and send it to the client

Please let me know if this makes sense.


Best regards,


        -- andreas



--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
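The forwarding loop described in the proposal above (the KDB result gates proxying, then the unmodified TGS request is sent to each writeable DC in turn until one answers or all fail), as an added C example; this is not Samba or MIT krb5 code. The `send_fn` transport interface, the simulated DC list, the `KRB5KDC_ERR_PROXY_REQUEST_SIM` value and the sample request bytes are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Placeholder for the error code proposed in the thread; the value is
 * constructed for this example and is not defined by MIT krb5. */
#define KRB5KDC_ERR_PROXY_REQUEST_SIM 0x7fff0001

/* Transport callback (assumed interface): send the request bytes to the DC
 * named by `dc`, copy its reply into `out` and return the reply length, or
 * return -1 if the DC did not answer. */
typedef int (*send_fn)(const char *dc, const unsigned char *req, size_t reqlen,
                       unsigned char *out, size_t outcap, void *ctx);

/* The proxy loop from the proposal: the request is forwarded unmodified to
 * each writeable DC in the order the directory returned them, stopping at
 * the first reply. Returns the index of the DC that answered, -1 if all
 * failed. The reply is handed back byte-for-byte so the client's own
 * integrity checks on the TGS-REP still apply. */
int proxy_tgs_request(const char *const *dcs, int ndcs,
                      const unsigned char *req, size_t reqlen,
                      unsigned char *out, size_t outcap, int *outlen,
                      send_fn send, void *ctx)
{
    *outlen = 0;
    for (int i = 0; i < ndcs; i++) {
        int n = send(dcs[i], req, reqlen, out, outcap, ctx);
        if (n >= 0) {
            *outlen = n;
            return i;
        }
    }
    return -1;
}

/* Dispatch on the KDB lookup result: only the proxy error code triggers
 * forwarding; any other status is the normal local TGS path, which this
 * example does not model and represents by returning -2. */
int kdc_dispatch_tgs(int kdb_status, const char *const *dcs, int ndcs,
                     const unsigned char *req, size_t reqlen,
                     unsigned char *out, size_t outcap, int *outlen,
                     send_fn send, void *ctx)
{
    if (kdb_status != KRB5KDC_ERR_PROXY_REQUEST_SIM) {
        *outlen = 0;
        return -2;
    }
    return proxy_tgs_request(dcs, ndcs, req, reqlen, out, outcap, outlen,
                             send, ctx);
}

/* Simulated transport (constructed): the first `ndown` DCs of `down` are
 * unreachable; any other DC answers with a TGS-REP-tagged echo of the request. */
struct sim_ctx {
    const char *const *down;
    int ndown;
    int attempts;
};

static int sim_send(const char *dc, const unsigned char *req, size_t reqlen,
                    unsigned char *out, size_t outcap, void *vctx)
{
    struct sim_ctx *ctx = vctx;
    ctx->attempts++;
    for (int i = 0; i < ctx->ndown; i++)
        if (strcmp(dc, ctx->down[i]) == 0)
            return -1;               /* simulated: DC unreachable */
    if (reqlen + 1 > outcap)
        return -1;
    out[0] = 0x6d;                   /* DER tag of TGS-REP, [APPLICATION 13] */
    memcpy(out + 1, req, reqlen);
    return (int)(reqlen + 1);
}

struct outcome { int idx; int attempts; int replylen; };

/* Run one constructed scenario: three writeable DCs, the first `ndown` of
 * them down, and the KDB either asking for proxying or not. */
struct outcome run_scenario(int kdb_says_proxy, int ndown)
{
    static const char *const dcs[] = {"dc1.example.test", "dc2.example.test",
                                      "dc3.example.test"};
    const unsigned char req[] = {0x6c, 0x03, 0x01, 0x02, 0x03}; /* constructed stand-in for a TGS-REQ */
    unsigned char reply[64];
    struct sim_ctx ctx = {dcs, ndown, 0};
    struct outcome o = {0, 0, 0};
    int status = kdb_says_proxy ? KRB5KDC_ERR_PROXY_REQUEST_SIM : 0;

    o.idx = kdc_dispatch_tgs(status, dcs, 3, req, sizeof req, reply,
                             sizeof reply, &o.replylen, sim_send, &ctx);
    o.attempts = ctx.attempts;
    return o;
}

int main(void)
{
    struct outcome o = run_scenario(1, 1);
    printf("first DC down: answered by index %d after %d attempts, %d reply bytes\n",
           o.idx, o.attempts, o.replylen);
    o = run_scenario(1, 3);
    printf("all DCs down: idx %d after %d attempts\n", o.idx, o.attempts);
    return 0;
}
```

The list of candidate DCs comes only from the directory (the SAMDB in the proposal), never from the client request, so a client cannot steer the RODC toward an arbitrary host; and because the RODC does not alter either the request or the reply, a bad or spoofed answer from a proxied-to DC is still caught by the requesting client's checks on the TGS-REP.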
Re: [RFE] Add RODC support to MIT Kerberos

Greg Hudson
On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> * A new KDC error code so we can tell from the KDB the KDC should proxy the
>   request (KRB5KDC_ERR_PROXY_REQUEST).
> * A new kdb function to get a list of KDCs we can proxy the request to
> * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
>   of KDCs we can proxy the packet to from KDB, then start sending the packet
>   to the list we got. Do this until all fail or we get a response from one of
>   the KDCs and send it to the client
>
> Please let me know if this makes sense.

This makes sense in the abstract, but I am concerned about the
complexity of the implementation.  We implemented support for
asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
it came at a significant cost to the maintainability of do_as_req.c and
kdc_preauth.c.

Have you thought about designing a libkdc-like interface for the MIT
krb5 KDC, so that Samba could do RODC support in the same way as it does
for Heimdal?
Re: [RFE] Add RODC support to MIT Kerberos

Andreas Schneider
On Monday, 13 June 2016 10:45:34 CEST Greg Hudson wrote:

> On 06/13/2016 09:14 AM, Andreas Schneider wrote:
> > * A new KDC error code so we can tell from the KDB the KDC should proxy the
> >   request (KRB5KDC_ERR_PROXY_REQUEST).
> > * A new kdb function to get a list of KDCs we can proxy the request to
> > * If the kdb returns KRB5KDC_ERR_PROXY_REQUEST, the KDC should get the list
> >   of KDCs we can proxy the packet to from KDB, then start sending the packet
> >   to the list we got. Do this until all fail or we get a response from one of
> >   the KDCs and send it to the client
> >
> > Please let me know if this makes sense.
>
> This makes sense in the abstract, but I am concerned about the
> complexity of the implementation.  We implemented support for
> asynchronous preauth mechanisms in the AS-REQ code path, and I feel like
> it came at a significant cost to the maintainability of do_as_req.c and
> kdc_preauth.c.

I need to look into that. In Samba the packet handling code including the
proxy is ~1000 loc.
 
> Have you thought about designing a libkdc-like interface for the MIT
> krb5 KDC, so that Samba could do RODC support in the same way as it does
> for Heimdal?

No, not yet. I need to look into that. It would also be nice to have a header
file with all the decode_* and encode_* prototypes.


        -- andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org