Seperating Heimdal from Samba4 - Samba

This is a discussion on Seperating Heimdal from Samba4 - Samba ; Sergey's question earlier today about separating the KDC and GSSAPI client libs from Samba4 caused me to ponder exactly what it would require, the costs and benefits. The primary cost is the build system and integration work required to have ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: Seperating Heimdal from Samba4

  1. Seperating Heimdal from Samba4

    Sergey's question earlier today about separating the KDC and GSSAPI
    client libs from Samba4 caused me to ponder exactly what it would
    require, the costs and benefits.

    The primary cost is the build system and integration work required to
    have Samba operate in multiple modes - with and without a built in KDC,
    while retaining the full test coverage of this important code.

    The benefits are in not bundling a complex security library that will
    need separate maintenance and patches. Distributions strongly favour
    using system libraries where possible.

    The tasks as I see it are:

    Get the last of the heimdal-lorikeet.diff merged into Heimdal. The only
    two bits that appear important are the patches to:

    kdc/kerberos5.c
    lib/hdb/keytab.c
    lib/krb5/get_in_tkt.c

    The other patches probably go away if we use system libraries, as they
    were related to us linking only part of Heimdal into Samba.

    The KDC will need to load a hdb and 'windc' plugin. I'm sure the Samba
    build system can build these pretty easily, but the task is to make it
    easy for Heimdal (now seperated) to load them. This will probably be
    handled by having provision's generated krb5.conf contain the right
    magic.

    Samba will need to link against Heimdal's libgssapi and libkrb5. We
    will need checks to ensure we don't accidentally hit MIT's libs, until
    someone ports the KDC magic into MIT.

    We will need a way to continue to build with an internal copy of
    Heimdal, because for development (and to run against make test, and for
    the build farm) we must have a KDC and libkrb5 that uses SOCKET_WRAPPER.
    Similarly, many platforms will not have the right version of Heimdal,
    and so we must be able to use the internal copy.

    One of the big challenges will be to keep both modes of operation
    working - both with the system Heimdal and the included version that all
    developers (who need 'make test' to run) will use.

    The other challenge will be ensuring that Heimdal is started and stopped
    by Samba4 as an integrated service, listens on the right interfaces etc.
    We could try to have a libkdc exported by Heimdal (so we control those
    matters, as we do now), but this will be more work again.

    Andrew Bartlett
    --
    Andrew Bartlett http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc. http://redhat.com


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iD8DBQBIRhPKz4A8Wyi0NrsRAvO9AJ9WLF0W/qt942Q2/+PbYHJE++yvlQCfd0gd
    itma+UZRMsDs6z4Rk+ONysQ=
    =9sFw
    -----END PGP SIGNATURE-----


  2. Re: Seperating Heimdal from Samba4

    > The other challenge will be ensuring that Heimdal is started and stopped
    > by Samba4 as an integrated service, listens on the right interfaces etc.
    > We could try to have a libkdc exported by Heimdal (so we control those
    > matters, as we do now), but this will be more work again.


    I think a libkdc is exactly what we need and I don't see how this more
    work... If the system doesn't have the stuff we need, we can build
    static libraries of them internaly and link against them.
    The same way we do this with libtalloc and libtdb already.

    metze


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

    iD8DBQFIRkgWm70gjA5TCD8RAgb2AKCXXe5+d9/i54U2ILdF7kbCfKTNpACff7IB
    AMkqinzlA4QdprQ0wF4C1PI=
    =L2oK
    -----END PGP SIGNATURE-----


  3. Re: Seperating Heimdal from Samba4

    Metze,

    Don't forget IPv6. Need to ensure that if Samba4 is using IPv6 then the
    KDC also listens on IPv6.

    Regards,
    David
    ------------------------------------------------------------------------
    Dr David Holder CEng FIET MIEEE

    Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT

    Reception: +44 (0)1422 207000

    Direct Dial: +44 (0)131 2026317

    Cell: +44 (0) 7768 456831

    Registered in England and Wales. Registered Number 3521142
    VAT Number: GB 698 3633 78




    Stefan (metze) Metzmacher wrote:
    >> The other challenge will be ensuring that Heimdal is started and stopped
    >> by Samba4 as an integrated service, listens on the right interfaces etc.
    >> We could try to have a libkdc exported by Heimdal (so we control those
    >> matters, as we do now), but this will be more work again.
    >>

    >
    > I think a libkdc is exactly what we need and I don't see how this more
    > work... If the system doesn't have the stuff we need, we can build
    > static libraries of them internaly and link against them.
    > The same way we do this with libtalloc and libtdb already.
    >
    > metze
    >
    >



  4. Re: Seperating Heimdal from Samba4

    On Wed, 2008-06-04 at 09:45 +0200, Stefan (metze) Metzmacher wrote:
    > > The other challenge will be ensuring that Heimdal is started and stopped
    > > by Samba4 as an integrated service, listens on the right interfaces etc..
    > > We could try to have a libkdc exported by Heimdal (so we control those
    > > matters, as we do now), but this will be more work again.

    >
    > I think a libkdc is exactly what we need and I don't see how this more
    > work...


    Using libgssapi and providing plugins for the KDC would 'just' be build
    system work, while libkdc would be a new creation that does not yet
    exist.

    > If the system doesn't have the stuff we need, we can build
    > static libraries of them internaly and link against them.
    > The same way we do this with libtalloc and libtdb already.


    With the proviso that socket_wrapper makes things more difficult, I
    agree.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iD8DBQBIRl81z4A8Wyi0NrsRAouMAJ9xpQr7zeDebhefNPZl+N QXlkbyZACfTbD/
    5CLfucP+6r/SgrFuBi4p4W8=
    =X8nJ
    -----END PGP SIGNATURE-----


  5. Re: Seperating Heimdal from Samba4

    On Wed, 2008-06-04 at 09:07 +0100, David Holder wrote:
    > Metze,
    >
    > Don't forget IPv6. Need to ensure that if Samba4 is using IPv6 then
    > the KDC also listens on IPv6.


    IPv6 is something where Heimdal is well ahead of Samba4, so I don't see
    a need to worry here.

    Andrew Bartlett

    --
    Andrew Bartlett
    http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc.

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iD8DBQBIRl97z4A8Wyi0NrsRAtmmAJ9096Y5iUZ0WuF8Ory+VD KC3P+mlQCfU0b4
    Cyq7DHlbITcHrX8/4yx9GMw=
    =ps1l
    -----END PGP SIGNATURE-----


  6. Re: Seperating Heimdal from Samba4

    Andrew Bartlett wrote:
    > Get the last of the heimdal-lorikeet.diff merged into Heimdal. The only
    > two bits that appear important are the patches to:
    >
    > kdc/kerberos5.c
    > lib/hdb/keytab.c
    > lib/krb5/get_in_tkt.c
    >
    > The other patches probably go away if we use system libraries, as they
    > were related to us linking only part of Heimdal into Samba.
    >
    > The KDC will need to load a hdb and 'windc' plugin. I'm sure the Samba
    > build system can build these pretty easily, but the task is to make it
    > easy for Heimdal (now seperated) to load them. This will probably be
    > handled by having provision's generated krb5.conf contain the right
    > magic.


    There may be a solution between using system KDC and linking against a
    built-in KDC. Before all necessary plugins are accepted upstream and
    adopted by distributions, samba may build and install its own fork of
    Heimdal KDC. The hdb and windc plugins will be included there.

    The key difference will be that the patched KDC can be installed,
    configured, and maintained independently of the rest of Samba.

    > Samba will need to link against Heimdal's libgssapi and libkrb5. We
    > will need checks to ensure we don't accidentally hit MIT's libs, until
    > someone ports the KDC magic into MIT.


    This part is important but easy. It needs just a simple test for
    configure. The same test can also check for required KDC functionality. (1)

    > One of the big challenges will be to keep both modes of operation
    > working - both with the system Heimdal and the included version that all
    > developers (who need 'make test' to run) will use.


    The above proposal allows to have only one mode of operation (external
    server), but still retain control over the KDC to the degree necessary
    to run test.

    > The other challenge will be ensuring that Heimdal is started and stopped
    > by Samba4 as an integrated service, listens on the right interfaces etc.
    > We could try to have a libkdc exported by Heimdal (so we control those
    > matters, as we do now), but this will be more work again.


    I am not sure about correct usage pattern of configure options, so I
    will use GNU meanings. Feel free to correct.

    * --enable-tests configure options builds tests;
    * --with-system-kdc tries to use installed Heimdal, invokes configure
    tests from (1). The negative form builds Samba Heimdal version;
    * 'make test' depends on --enable-tests configure option;
    * --enable-tests option depends on --without-system-kdc.

    --
    Sergey Yanovich
    Abstract Accounting Ltd.
    http://aasii.org/


  7. Re: Seperating Heimdal from Samba4

    Andrew Bartlett schrieb:
    > On Wed, 2008-06-04 at 09:45 +0200, Stefan (metze) Metzmacher wrote:
    >>> The other challenge will be ensuring that Heimdal is started and stopped
    >>> by Samba4 as an integrated service, listens on the right interfaces etc.
    >>> We could try to have a libkdc exported by Heimdal (so we control those
    >>> matters, as we do now), but this will be more work again.

    >> I think a libkdc is exactly what we need and I don't see how this more
    >> work...

    >
    > Using libgssapi and providing plugins for the KDC would 'just' be build
    > system work, while libkdc would be a new creation that does not yet
    > exist.


    libkdc and libhdb already exist...

    metze@SERNOX:~/prefix/heimdal-1.2/libexec> ldd kdc
    linux-gate.so.1 => (0xffffe000)
    libkdc.so.2 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libkdc.so.2 (0xb7f39000)
    libhdb.so.9 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libhdb.so.9 (0xb7f20000)
    libheimntlm.so.0 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libheimntlm.so.0 (0xb7f19000)
    libkrb5.so.25 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libkrb5.so.25 (0xb7e42000)
    libhx509.so.3 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libhx509.so.3 (0xb7dff000)
    libwind.so.0 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libwind.so.0 (0xb7dd6000)
    libhcrypto.so.4 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libhcrypto.so.4 (0xb7da4000)
    libasn1.so.8 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libasn1.so.8 (0xb7d10000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7cde000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7cd9000)
    libroken.so.18 =>
    /home/People/metze/prefix/heimdal-1.2/lib/libroken.so.18 (0xb7cbf000)
    libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7c8c000)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb7c79000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7c61000)
    libc.so.6 => /lib/libc.so.6 (0xb7b32000)
    /lib/ld-linux.so.2 (0xb7f62000)

    metze



    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.5 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

    iD8DBQFIRvMhm70gjA5TCD8RApWdAJ9Ya6v5nGfkflRHAApx6Z zzKbPtlQCgnQ22
    RS0H/Loz1UZxx1dggKHUhDM=
    =F5ld
    -----END PGP SIGNATURE-----


+ Reply to Thread