Re: Current ideas on kerberos requirements for Samba4


Re: Current ideas on kerberos requirements for Samba4

Jeremy Allison
On Tue, May 24, 2005 at 11:34:52AM -0400, Ken Hornstein wrote:

> I think given your requirements, shipping a _basic_ KDC is probably
> unavoidable.  I just wanted to point out that there is a number of
> us who really want to use our own KDCs with Samba4, and we'd like
> you to be able to deal with that at some point.  I don't think
> there's a huge amount of work you have to do to make that happen
> (at least, I hope not).

We'll try and accommodate this, as we have accommodated people
who want to use their own keytabs in Samba3. But let me tell
you that this code (in Samba3) has taken 90% of the work for
less than 10% of the users. Even people wanting this to work
send incorrect, memory-leaking patches.

Kerberos isn't easy to use or set up - period. Unless you're
using a Windows KDC. That's just an unpleasant fact of life
currently.

Jeremy.
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Current ideas on kerberos requirements for Samba4

Alan DeKok
In reply to this post by James F. Hranicky
"James F. Hranicky" <[hidden email]> wrote:
> I don't know the intimate details of what AD clients expect from an AD
> controller, but I wonder if perhaps the requirements could be addressed
> by a meta-smbd of sorts? The meta-smbd acts as an AD controller, but
> passes off requests for various services to the respective daemons,

  Except that AD requires that the other protocols talk to each other,
too.  That is, they *all* share a common data set, and each protocol
must serve a view of the database, and that view must be consistent
across all protocols.  This integration means that much of the
internal state of each daemon must be exposed to others, and must be
modifiable by others.

  If we had a "uber-DB" underlying all of the daemons, this would be
easy.  This is the implementation Microsoft has, which influenced
their design.  I don't know if it was intentional, but the endless
protocol integration makes it much more difficult for Samba to
inter-operate with AD.

  Alan DeKok.

Re: Current ideas on kerberos requirements for Samba4

James F. Hranicky
On Tue, 24 May 2005 13:15:57 -0400
"Alan DeKok" <[hidden email]> wrote:

>   If we had a "uber-DB" underlying all of the daemons, this would be
> easy.  This is the implementation Microsoft has, which influenced
> their design.  I don't know if it was intentional, but the endless
> protocol integration makes it much more difficult for Samba to
> inter-operate with AD.

Well, my first reaction is that since Heimdal and Samba can currently both
share an LDAP database for PDC support, could it be possible to do the
same with AD?

Jim

Re: Current ideas on kerberos requirements for Samba4

Michael Ströder
In reply to this post by Andrew Bartlett
Andrew Bartlett wrote:
>
> This is the situation we are in currently, the Microsoft clients expect
> a very tight interface between the KDC and the rest of the domain
> controller (requiring coherent operations over multiple protocols, the
> PAC and other fun things).  

Are you also going to implement a DNS server?

Ciao, Michael.

Re: Current ideas on kerberos requirements for Samba4

Alan DeKok
In reply to this post by James F. Hranicky
"James F. Hranicky" <[hidden email]> wrote:
> Well, my first reaction is that since Heimdal and Samba can currently both
> share an LDAP database for PDC support, could it be possible to do the
> same with AD?

  1) Investigate what AD needs from protocol data sharing
  2) Investigate how this would be put into LDAP
  3) Investigate how it would be implemented in Heimdal, etc.
  4) Report back.

  My bet is that you'd need (0) to do this:

  0) Get contract to spend 6 months working on the following

  :)

  Alan DeKok.

Re: Current ideas on kerberos requirements for Samba4

Ken Hornstein
In reply to this post by Jeremy Allison
>Kerberos isn't easy to use or set up - period. Unless you're
>using a Windows KDC. That's just an unpleasant fact of life
>currently.

I can't argue that, unfortunately.  Whatever else we say about Microsoft,
they do a good job at putting a friendly face on a complicated technology
like Kerberos (I did once try getting some useful Kerberos logs out of
an AD server and I failed, but probably few people would need to do that).
This is the point where the open-source crowd is at its weakest.

One additional point: _most_ (but maybe not all) open-source Kerberos
implementations support DNS SRV records to find the KDC (the same
way Windows finds its KDC).  So at least for clients, the issue
of setting up krb5.conf correctly should be a non-issue.  Of course,
that doesn't really correct the OTHER half-billion error messages you
can run into when working with Kerberos :-)

--Ken
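Ken's point that a client can find the KDC from `_kerberos._tcp.REALM` SRV records is worked through below as an added example (not code from this thread or from any Kerberos implementation): it parses constructed SRV records for the assumed realm EXAMPLE.COM and orders the candidate KDCs as RFC 2782 prescribes, returning an empty list when the realm publishes no record, the case where krb5.conf still has to name the KDC explicitly. The resolver query itself is not shown; a real client gets the records from DNS.

```python
"""Locate a realm's KDCs from DNS SRV records, the way a Kerberos client does.

Added example. The zone data below is CONSTRUCTED for the assumed realm
EXAMPLE.COM and the hostnames in it are placeholders. Ordering follows
RFC 2782: lowest priority first, weighted random choice within a priority.
The random pick is injectable so the ordering is testable offline.
"""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed zone data: owner TTL class type priority weight port target
CONSTRUCTED_ZONE = """
_kerberos._tcp.EXAMPLE.COM.  600 IN SRV 0  100 88  kdc1.example.com.
_kerberos._tcp.EXAMPLE.COM.  600 IN SRV 0  50  88  kdc2.example.com.
_kerberos._tcp.EXAMPLE.COM.  600 IN SRV 10 0   88  kdc-backup.example.com.
_kerberos._udp.EXAMPLE.COM.  600 IN SRV 0  100 88  kdc1.example.com.
_kpasswd._tcp.EXAMPLE.COM.   600 IN SRV 0  100 464 kdc1.example.com.
"""


@dataclass
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


def parse_zone(text: str) -> List[SrvRecord]:
    """Parse zone-file style SRV lines; anything that is not an SRV record is skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue
        owner, _ttl, _cls, _type, prio, weight, port, target = fields
        records.append(SrvRecord(owner.lower().rstrip("."), int(prio), int(weight),
                                 int(port), target.lower().rstrip(".")))
    return records


def order_by_rfc2782(records: List[SrvRecord],
                     pick: Callable[[int], int]) -> List[SrvRecord]:
    """Order by ascending priority; within one priority, repeatedly draw a record
    in proportion to its weight. pick(total) must return an int in [0, total]."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            chosen = pick(total) if total > 0 else 0
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= chosen:
                    ordered.append(rec)
                    bucket.remove(rec)  # safe: we break right after removing
                    break
    return ordered


def locate_kdcs(zone_records: List[SrvRecord], realm: str, proto: str = "tcp",
                service: str = "_kerberos",
                pick: Optional[Callable[[int], int]] = None) -> List[Tuple[str, int]]:
    """Return (host, port) candidates for the realm's KDC in the order a client
    should try them. An empty list means the realm publishes no SRV record, so
    krb5.conf has to name the KDC explicitly."""
    if pick is None:
        pick = lambda total: random.randint(0, total)
    name = f"{service}._{proto}.{realm}".lower()
    matching = [r for r in zone_records if r.owner == name]
    return [(r.target, r.port) for r in order_by_rfc2782(matching, pick)]


if __name__ == "__main__":
    zone = parse_zone(CONSTRUCTED_ZONE)
    print(locate_kdcs(zone, "EXAMPLE.COM"))
    print(locate_kdcs(zone, "EXAMPLE.COM", service="_kpasswd"))
    print(locate_kdcs(zone, "OTHER.REALM"))  # [] -> needs a kdc line in krb5.conf
```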

Re: Current ideas on kerberos requirements for Samba4

hartmans
In reply to this post by Alan DeKok
>>>>> "Alan" == Alan DeKok <[hidden email]> writes:

    Alan> "James F. Hranicky" <[hidden email]> wrote:
    >> I don't know the intimate details of what AD clients expect
    >> from an AD controller, but I wonder if perhaps the requirements
    >> could be addressed by a meta-smbd of sorts? The meta-smbd acts
    >> as an AD controller, but passes off requests for various
    >> services to the respective daemons,

    Alan>   Except that AD requires that the other protocols talk to
    Alan> each other, too.  That is, they *all* share a common data
    Alan> set, and each protocol must serve a view of the database,
    Alan> and that view must be consistent across all protocols.  This
    Alan> integration means that much of the internal state of each
    Alan> daemon must be exposed to others, and must be modifiable by
    Alan> others.

Yes, but keep in mind two things:

1) This state should be exposed through well-defined interfaces to
   allow for extensibility and code abstraction.  It should not be
   exposed through sticking everything together in one process.  Even
   Microsoft is finding that model is not working for them.



2) Long term, we need to allow our models to grow beyond the model
   Microsoft has provided for us.  The right model for a collection of
   Unix machines using NFSV4 isn't the same model as AD.  Clearly you
   need a way of exposing an AD schema to the AD protocols (including
   LDAP) but you also need a way to move beyond that schema internally
   so you can support all the environments that will run in your
   Kerberos infrastructure.


Re: Current ideas on kerberos requirements for Samba4

hartmans
In reply to this post by Jeremy Allison
>>>>> "Jeremy" == Jeremy Allison <[hidden email]> writes:

    Jeremy> On Tue, May 24, 2005 at 11:34:52AM -0400, Ken Hornstein
    Jeremy> wrote:
    >> I think given your requirements, shipping a _basic_ KDC is
    >> probably unavoidable.  I just wanted to point out that there is
    >> a number of us who really want to use our own KDCs with Samba4,
    >> and we'd like you to be able to deal with that at some point.
    >> I don't think there's a huge amount of work you have to do to
    >> make that happen (at least, I hope not).

    Jeremy> We'll try and accommodate this, as we have accommodated
    Jeremy> people who want to use their own keytabs in Samba3. But
    Jeremy> let me tell you that this code (in Samba3) has taken 90%
    Jeremy> of the work for less than 10% of the users. Even people
    Jeremy> wanting this to work send incorrect, memory-leaking
    Jeremy> patches.

If you actually do this, I think we'll all be happy.  If you even
design to support this model but demand that the people who want it to
work with their own KDCs send in working code, I think we'll be happy.
I completely agree that you need some sort of KDC in the samba
distribution that is known to work with Samba and that is easy to set
up and that hopefully the user doesn't even notice.


However I'm hearing from Andrew that he's choosing a design that will
make it very challenging for people to supply their own KDC and that
is where I have concerns.

--Sam


Re: Current ideas on kerberos requirements for Samba4

Henrik Nordstrom-2
In reply to this post by Gerald Carter-4
On Tue, 24 May 2005, Gerald (Jerry) Carter wrote:

> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.

I have always assumed the LDAP and KDC server components of Samba4 are only
required if you run Samba as a domain controller, while in most if not all
interoperability situations Samba runs as a member server without the LDAP
or KDC server components, where this isn't an issue.

Based on this I don't really see the concerns. But if the above isn't true
then I am truly concerned about how to deploy Samba4.

If you want to run Samba as an AD domain controller (not as a member
server) then in my eyes it is quite reasonable that Samba provides an LDAP
and KDC for this purpose.

But I agree to some extent on your concerns in the long run. If the goal
is to become a full replacement for MS AD then the last word in that name
needs to be fulfilled. MS AD is a quite good directory server capable and
often used for far more than just the domain controller tasks. But I do
not see this as a requirement for the MS AD controller capability of
Samba-4.0.

Regards
Henrik

Re: Current ideas on kerberos requirements for Samba4

Gerald Carter-4

Henrik Nordstrom wrote:
| On Tue, 24 May 2005, Gerald (Jerry) Carter wrote:
|
|> If you want to add interoperability back to the buffet, then
|> the Samba4 kdc implementation (and LDAP implementation)
|> will have to be world class, scalable implementations.
|
| I have always assumed the LDAP and KDC server components
| of Samba4 are only required if you run Samba as a domain
| controller, while in most if not all interoperability
| situations Samba runs as a member server without
| the LDAP or KDC server components, where this
| isn't an issue.
|
| Based on this I don't really see the concerns. But if
| the above isn't  true then I am truly concerned about
| how to deploy Samba4.

You are correct.  We are strictly talking about being an
AD DC here.

| If you want to run Samba as an AD domain controller (not
| as a member server) then in my eyes it is quite reasonable
| that Samba provides an LDAP and KDC for this purpose.

My best guess is that the early adopters of Samba 4 will
be entirely for the AD  domain controller functionality.

I used to compare Samba 3 and 4 to apache 1.3 and 2.0.
But it really is not a good comparison.  Samba 3 and 4
are different code bases and in some ways different
projects with different goals.  I expect that Samba 3
and 4 will be deployed side by side for quite some time
until Samba 4 is able to completely replace all of the
crufty features that exist in Samba 3.





cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca

Re: Current ideas on kerberos requirements for Samba4

Andrew Bartlett
In reply to this post by Michael Ströder
On Tue, 2005-05-24 at 19:57 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> >
> > This is the situation we are in currently, the Microsoft clients expect
> > a very tight interface between the KDC and the rest of the domain
> > controller (requiring coherent operations over multiple protocols, the
> > PAC and other fun things).  
>
> Are you also going to implement a DNS server?

From what I've seen, DNS is the one part of the AD game that Microsoft
has allowed an external implementation of.  It appears that the clients
and servers all do DNS updates separately to their main record in AD.
So fortunately we get to avoid that one :-)

Now, we will have to patch and convince vendors to patch and ship an
updated DNS server running 'TSIG', just as we will need them to patch
and ship an NTP server for 'schannel signing'.

This is indeed slightly contradictory, but in the experimentation I've
done, the lack of these services isn't nearly as critical as Krb5, and
the changes we propose are much smaller than we require to krb5.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Current ideas on kerberos requirements for Samba4

Andrew Tridgell
In reply to this post by Howard Chu
Howard,

If we were primarily aiming for sites that have a real sysadmin, then
I'd somewhat agree with you that all our users should learn to
properly understand how kerberos works. A sysadmin should understand
these things.

In the early days of Samba it was most common that real sysadmins
installed it. In those days the typical user would worry about what
socket options were set and whether their routers were setup to
forward broadcasts. In those days I would have had no problem saying
'learn about kerberos to use Samba' as our users would have relished
the challenge.

Our typical user profile has changed a lot over the years. These days
the typical Samba site has no sysadmin. It is installed by doctors,
teachers and other professionals who are smart in their own field, but
don't care about the intricacies of how Samba works, they just want it
to serve files. Typically they have a network of just a few Windows
PCs in a single realm (though they don't know what a 'realm' is).

We still want to work well for the 'enterprise' users, where there is
one or more fulltime sysadmins, thousands of users and many realms
with trust relationships, but those sites only represent a small
fraction of the user base. For those users it is no problem that they
have to add a couple more lines to a config file to point smbd at an
existing KDC and ldap server. Those are the users that push the
boundaries of what Samba can do, and we love working with them as they
provide great feedback. Those are the users who currently run Samba3
as a PDC with an ldap backend for example. We really want to accommodate
them for Samba4, but we must not sacrifice our 'doctors and teachers'
users in doing so.

One thing I've seen with Samba is what I call the 'free software life
cycle'. It goes like this:

  - site starts as pure windows
  - site tries out Linux and Samba on an old PC
  - it works well, so they try apache
  - that works well, so they try some scripting (maybe perl or python)
  - a few of the users see Linux doing well, and try it on the desktop
  - those do well, and more follow
  - everyone is now running Linux, so they stop using Samba

It's not often that I see the cycle come all the way to completion,
but it certainly is fun when it happens! Samba is no longer needed,
but it played an important role in getting them started.

It really is quite common that Samba is the first free software
package that a site tries. If you think about it, I think you would
agree that kerberos is almost never the first free software package
someone tries. We have to make a good first impression, and that means
making stuff as easy as we possibly can.

Cheers, Tridge

Re: Current ideas on kerberos requirements for Samba4

Andrew Bartlett
In reply to this post by Alan DeKok
On Tue, 2005-05-24 at 15:07 -0400, Alan DeKok wrote:
> "James F. Hranicky" <[hidden email]> wrote:
> > Well, my first reaction is that since Heimdal and Samba can currently both
> > share an LDAP database for PDC support, could it be possible to do the
> > same with AD?
>
>   1) Investigate what AD needs from protocol data sharing

Wrote the thesis:
http://samba.org/samba/news/articles/abartlet_thesis.pdf

>   2) Investigate how this would be put into LDAP

We have done so, and implemented our own 'ldap like' interface backing
onto either LDAP or an in-memory database.

>   3) Investigate how it would be implemented in Heimdal, etc.

Done that.  See the version of Heimdal in 'lorikeet'
svn co svn://svnanon.samba.org/lorikeet/trunk/heimdal lorikeet-heimdal

>   4) Report back.

This series of notes.  I was certainly not going to be so silly as to
talk about this before I had spent time to actually implement a viable
proposal.

>   My bet is that you'd need (0) to do this:
>
>   0) Get contract to spend 6 months working on the following

Yes, it took about 6 months, on and off.  

We do actually, already implement a good series of interfaces which
keeps the KDC separate.  Currently they don't even share any source code
aside from standard shared/static libraries we provide.  

However, to finish off the job, I'm proposing to integrate at the object
link level (which lukeh tells me he has done before) and to handle some
things consistently across the whole suite (no user config errors).  

Now, the mistake I made was opening my big trap before I had just
quietly finished the libkdc part (which is a few days integration, I
hope, and actually doesn't change Heimdal's internal structure very much
anyway).  

Jeremy is right about kerberos patches, and it has been a right pain in
Samba3.  This is why I've tried not to promise the world to those
running their own KDCs.  I know their plight, and I'll be receptive to
patches, but I'm just going to try and get mine working first.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Current ideas on kerberos requirements for Samba4

Alan DeKok
In reply to this post by Andrew Tridgell
Andrew Tridgell <[hidden email]> wrote:
> Our typical user profile has changed a lot over the years. These days
> the typical Samba site has no sysadmin. It is installed by doctors,
> teachers and other professionals who are smart in their own field, but
> don't care about the intricacies of how Samba works, they just want it
> to serve files. Typically they have a network of just a few Windows
> PCs in a single realm (though they don't know what a 'realm' is).

  And they will most likely be using pre-packaged software.  As noted
earlier, though, many vendors have problems packaging software that
works.  I've seen vendors ship packages where any attempt to use the
software results in core dumps.  Yet they charge for it, ship it, and
claim it's "stable".

  Alan DeKok.

Re: Current ideas on kerberos requirements for Samba4

Andrew Bartlett
In reply to this post by Gerald Carter-4
On Tue, 2005-05-24 at 08:09 -0500, Gerald (Jerry) Carter wrote:

> Andrew Bartlett wrote:
>
> | Perhaps we should make something clear from the
> | outset.  Just as Samba4's LDAP server is not
> | intended to be a world-class (or even standards-conforming)
> | LDAP server,
>
> Andrew,
>
> I'm not getting into this thread for obvious reasons, but
> I think this is a very dangerous statement (and assumption)
> to make. You are claiming to match against AD.  That's a
> big order from the LDAP side of things.  People will expect
> you to get the LDAP part right if you are taking it over.
Indeed, and this is actually something that I do worry about with Samba4
going forward.  I do wish we had more directory experts working with the
team, so we don't make more of a muddle of ourselves in the process.

I'll also pass the blame along on that one, the standard on the LDAP
server was set by others, I'm just repeating it (and trying not to
promise the world.  As we all so painfully know, this is a very small
team doing a lot of work...).

> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.
> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.

This is actually why I have pushed to work with Heimdal, rather than the
more appealing (at times) option of doing it ourselves.  At least I know
that when we started, we worked from a well respected KDC in production
use for this kind of task already.  My intention is to (despite linking
for unification of service control and socket infrastructure) keep the
codebases separable along existing or new interfaces in the Heimdal
code.  In that way, I hope to keep those qualities in Heimdal, even as
we integrate it.  I was just hoping not to promise the world to a
community that each holds their sites specific kerberos infrastructure
very near and dear :-)

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Current ideas on kerberos requirements for Samba4

Wyllys Ingersoll
In reply to this post by Douglas E. Engert

I work for one of the "Vendors" described earlier and I am
uncomfortable with the idea that SAMBA would include their
own KDC.

My thoughts when I first read this thread were much like what
Doug has suggested - instead of creating a whole new KDC,
why not open up some interfaces on both sides - other KDCs
(MIT, Heimdal) and in SAMBA so that the necessary communication
can be exchanged and SAMBA can integrate with pre-existing
KDCs.   I know there are a lot of people in the Kerberos
community that would probably be able to help define these
interfaces and make sure that they get implemented
by the various implementors.

By having SAMBA provide a new KDC puts people currently using
MIT or Heimdal in the same position that they are today with
AD - they must maintain 2 KDC and REALMS or drop their
existing KDC infrastructure (MIT or Heimdal) and go with
SAMBA.

Anyway, I applaud your efforts in the area of making a
fully compliant AD-like server, but I am not so supportive
of creating yet another KDC and further fracturing the
Kerberos community by forcing a choice like this.

-Wyllys Ingersoll

Douglas E. Engert wrote:

> So far all the respondents to this thread represent the 2% of the sites
> and have all been active with Kerberos and AFS for years, but do understand
> the issues of the other 98%.
>
> You have suggested a libkdc, and shipping someone else KDC. What about
> the other way around, where you work with the KDC vendors, to add the hooks
> needed to support your needs. In this way you could work your way gradually
> into an existing Kerberos environment, and could also ship or point at
> the KDC vendors to use.
>
> It really comes down to what are the real requirements for the KDC
> and what are the minimal changes required.
>
> It would appear that the first thing needed is to add a PAC to a Kerberos
> ticket for a samba server, or even to a TGT. From a first glance, a KDC
> could make a simple call out to your libs to do this.
>
> Also to start with, you may want to consider letting the KDC use its
> own databases for its authentication information separate from
> the authorization information you need for the PAC. This would
> also make it much simpler on the KDC or existing sites.
>
> I would really like to see them separate. Your AD replacement could
> use the kadmin interfaces to update the KDC's databases much like the
> kadmind does today if really needed.
>
> This is only a first cut, but I would suspect that the authentication
> and AD like authorization could be separated out keeping the KDC and
> the AD functions pretty much separate.
>
> I am sure the Kerberos vendors would be glad to work with you.
>
> As Howard and others have said, don't fall into the traps that DCE
> and AD have fallen into of tightly combining authentication and
> authorization into a single server.

Re: Current ideas on kerberos requirements for Samba4

Andrew Bartlett
In reply to this post by Howard Chu
On Tue, 2005-05-24 at 07:32 -0700, Howard Chu wrote:

> Andrew Tridgell wrote:
> > I think that Samba3 is far too hard to install and configure. I want
> > to make Samba4 much easier, and my fear is that it will in fact become
> > much harder as we start to become dependent on more external tools.
>
> You can create a nicely integrated package from multiple components
> without needing to reimplement all of the components. Symas has done it
> with our CDS packages (OpenLDAP+BerkeleyDB+Cyrus SASL+Heimdal+OpenSSL),
> and PADL has done it with XAD. You get far more mileage out of your own
> time and resources by leveraging what already exists. When you run into
> rough edges, you beat them into submission and move on...  ;)
Just p

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


The 'perfect' LDAP+Krb5+glue setup (was: Re: Current ideas on kerberos requirements for Samba4)

Andrew Bartlett
In reply to this post by Howard Chu
On Tue, 2005-05-24 at 07:32 -0700, Howard Chu wrote:

> Andrew Tridgell wrote:
> > I think that Samba3 is far too hard to install and configure. I want
> > to make Samba4 much easier, and my fear is that it will in fact become
> > much harder as we start to become dependent on more external tools.
>
> You can create a nicely integrated package from multiple components
> without needing to reimplement all of the components. Symas has done it
> with our CDS packages (OpenLDAP+BerkeleyDB+Cyrus SASL+Heimdal+OpenSSL),
> and PADL has done it with XAD. You get far more mileage out of your own
> time and resources by leveraging what already exists. When you run into
> rough edges, you beat them into submission and move on...  ;)
(now where did that send button jump out from...)

Just picking up this point for a moment:  Aside from your fine
commercial products, is there any public document that describes how to
do this?  

As you know, I've been working to make Samba3 play nicer in such a
setup, in the hope that I might one day get the time to deploy it at
Hawker (I deploy parts of this mix, to mixed success).  Entirely aside
from my Samba4 work I would love to be able to point admins,
particularly of Unix-oriented sites to a known working description of
how to do this.  

As you said before, it should be just 'make install', and we shouldn't
be so easily misled by those 'self-proclaimed LDAP experts'.

I would love to be able to brow-beat the vendors we are still on
speaking terms with into actually shipping this combination *configured
correctly*, and I would love to see vendors taking advantage of the
'just add water' Heimdal KDC (0.7pre) when using the Samba3 LDAP schema
(removing the 're-enter the password' battle that scares off most first-
time kerberos admins).

Are there vendors other than Symas (I'm thinking Operating System/Linux
Distribution vendors in particular), who get this right, out of the box?

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net


Re: Current ideas on kerberos requirements for Samba4

Andrew Bartlett
In reply to this post by hartmans
On Tue, 2005-05-24 at 16:30 -0400, Sam Hartman wrote:

> >>>>> "Jeremy" == Jeremy Allison <[hidden email]> writes:
>
>     Jeremy> On Tue, May 24, 2005 at 11:34:52AM -0400, Ken Hornstein
>     Jeremy> wrote:
>     >> I think given your requirements, shipping a _basic_ KDC is
>     >> probably unavoidable.  I just wanted to point out that there is
>     >> a number of us who really want to use our own KDCs with Samba4,
>     >> and we'd like you to be able to deal with that at some point.
>     >> I don't think there's a huge amount of work you have to do to
>     >> make that happen (at least, I hope not).
>
>     Jeremy> We'll try and accommodate this, as we have accommodated
>     Jeremy> people who want to use their own keytabs in Samba3. But
>     Jeremy> let me tell you that this code (in Samba3) has taken 90%
>     Jeremy> of the work for less than 10% of the users. Even people
>     Jeremy> wanting this to work send incorrect, memory-leaking
>     Jeremy> patches.
>
> If you actually do this, I think we'll all be happy.  If you even
> design to support this model but demand that the people who want it to
> work with their own KDCs send in working code, I think we'll be happy.
> I completely agree that you need some sort of KDC in the samba
> distribution that is known to work with Samba and that is easy to set
> up and that hopefully the user doesn't even notice.
Then I think we all can be happy.

> However I'm hearing from Andrew that he's choosing a design that will
> make it very challenging for people to supply their own KDC and that
> is where I have concerns.

I'm really not trying to screw MIT (or anybody else) over, and the
current work is nicely isolated behind various interfaces.  The future
work should be as well, if I ever want a hope of continuing to update to
newer versions of Heimdal.  The use of linking will help me comply with
the Samba4 policy of 'one smbd', and handle a few startup/sockets
issues; I don't expect it to drastically alter the structure of the
code, or provide interfaces which are 'impossible' to export to a
different KDC.

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Re: Current ideas on kerberos requirements for Samba4

hartmans
>>>>> "Andrew" == Andrew Bartlett <[hidden email]> writes:

    >> own KDC and that is where I have concerns.

    Andrew> I'm really not trying to screw MIT (or anybody else) over,


I certainly have never gotten that impression.  Your phrasing of
certain things has made things challenging on a political level, but I
understand your goal is to get a good technical solution, not to play
politics.


I do think the discussion here is mostly technical and I'd like to
keep it that way.

As an aside, I've invited some vendors to join in and contribute
requirements.  I hope they will join, but more importantly I hope they
will contribute the necessary resources (or fund others) to make their
requirements a reality.  That's the only way technical problems get
solved.

Let me summarize the requirements I'm hearing today and see if we're on
the same page:

1) Samba must be usable.  It must provide a single integrated solution
   that works for users with no knowledge of Kerberos, LDAP and other
   protocols.

2) Samba needs to be involved in most aspects of the KDC request
   handling.  It needs to add PAC data.  It needs to authorize or deny
   requests.

3) Samba needs to keep account data in sync between Kerberos, LDAP and
   other protocols that access that data.  Passwords are particularly
   challenging to sync.  Samba plans to meet this need by storing all
   the data in a Samba-managed database and to manage password->key
   operations itself.

4) Vendors and sites want a single Kerberos implementation from a
   security patch, local extension and maintainability standpoint.

5) Vendors want to integrate Samba as one protocol frontend/data
   producer into larger systems.  We haven't really heard from the
   vendors on this one; it is mostly me babbling on this point.

6) Kerberos implementers want to minimize code forks.

7) Kerberos implementers want to minimize the number of
   interoperability test targets.