> The other challenge will be ensuring that Heimdal is started and stopped
> by Samba4 as an integrated service, listens on the right interfaces etc.
> We could try to have a libkdc exported by Heimdal (so we control those
> matters, as we do now), but this will be more work again.

I think a libkdc is exactly what we need and I don't see how this more
work... If the system doesn't have the stuff we need, we can build
static libraries of them internaly and link against them.
The same way we do this with libtalloc and libtdb already.

metze


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFIRkgWm70gjA5TCD8RAgb2AKCXXe5+d9/i54U2ILdF7kbCfKTNpACff7IB
AMkqinzlA4QdprQ0wF4C1PI=
=L2oK
-----END PGP SIGNATURE-----

Metze,

Don't forget IPv6. Need to ensure that if Samba4 is using IPv6 then the
KDC also listens on IPv6.

Regards,
David
------------------------------------------------------------------------
Dr David Holder CEng FIET MIEEE

Erion Ltd, Oakleigh, Upper Sutherland Road, Halifax, HX3 8NT

Reception: +44 (0)1422 207000

Direct Dial: +44 (0)131 2026317

Cell: +44 (0) 7768 456831

Registered in England and Wales. Registered Number 3521142
VAT Number: GB 698 3633 78




Stefan (metze) Metzmacher wrote:
>> The other challenge will be ensuring that Heimdal is started and stopped
>> by Samba4 as an integrated service, listens on the right interfaces etc.
>> We could try to have a libkdc exported by Heimdal (so we control those
>> matters, as we do now), but this will be more work again.
>>
>
> I think a libkdc is exactly what we need and I don't see how this more
> work... If the system doesn't have the stuff we need, we can build
> static libraries of them internaly and link against them.
> The same way we do this with libtalloc and libtdb already.
>
> metze
>
>

On Wed, 2008-06-04 at 09:45 +0200, Stefan (metze) Metzmacher wrote:
> > The other challenge will be ensuring that Heimdal is started and stopped
> > by Samba4 as an integrated service, listens on the right interfaces etc..
> > We could try to have a libkdc exported by Heimdal (so we control those
> > matters, as we do now), but this will be more work again.
>
> I think a libkdc is exactly what we need and I don't see how this more
> work...

Using libgssapi and providing plugins for the KDC would 'just' be build
system work, while libkdc would be a new creation that does not yet
exist.

> If the system doesn't have the stuff we need, we can build
> static libraries of them internaly and link against them.
> The same way we do this with libtalloc and libtdb already.

With the proviso that socket_wrapper makes things more difficult, I
agree.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQBIRl81z4A8Wyi0NrsRAouMAJ9xpQr7zeDebhefNPZl+N QXlkbyZACfTbD/
5CLfucP+6r/SgrFuBi4p4W8=
=X8nJ
-----END PGP SIGNATURE-----

On Wed, 2008-06-04 at 09:07 +0100, David Holder wrote:
> Metze,
>
> Don't forget IPv6. Need to ensure that if Samba4 is using IPv6 then
> the KDC also listens on IPv6.

IPv6 is something where Heimdal is well ahead of Samba4, so I don't see
a need to worry here.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQBIRl97z4A8Wyi0NrsRAtmmAJ9096Y5iUZ0WuF8Ory+VD KC3P+mlQCfU0b4
Cyq7DHlbITcHrX8/4yx9GMw=
=ps1l
-----END PGP SIGNATURE-----

Andrew Bartlett wrote:
> Get the last of the heimdal-lorikeet.diff merged into Heimdal. The only
> two bits that appear important are the patches to:
>
> kdc/kerberos5.c
> lib/hdb/keytab.c
> lib/krb5/get_in_tkt.c
>
> The other patches probably go away if we use system libraries, as they
> were related to us linking only part of Heimdal into Samba.
>
> The KDC will need to load a hdb and 'windc' plugin. I'm sure the Samba
> build system can build these pretty easily, but the task is to make it
> easy for Heimdal (now seperated) to load them. This will probably be
> handled by having provision's generated krb5.conf contain the right
> magic.

There may be a solution between using system KDC and linking against a
built-in KDC. Before all necessary plugins are accepted upstream and
adopted by distributions, samba may build and install its own fork of
Heimdal KDC. The hdb and windc plugins will be included there.

The key difference will be that the patched KDC can be installed,
configured, and maintained independently of the rest of Samba.

> Samba will need to link against Heimdal's libgssapi and libkrb5. We
> will need checks to ensure we don't accidentally hit MIT's libs, until
> someone ports the KDC magic into MIT.

This part is important but easy. It needs just a simple test for
configure. The same test can also check for required KDC functionality. (1)

> One of the big challenges will be to keep both modes of operation
> working - both with the system Heimdal and the included version that all
> developers (who need 'make test' to run) will use.

The above proposal allows to have only one mode of operation (external
server), but still retain control over the KDC to the degree necessary
to run test.

> The other challenge will be ensuring that Heimdal is started and stopped
> by Samba4 as an integrated service, listens on the right interfaces etc.
> We could try to have a libkdc exported by Heimdal (so we control those
> matters, as we do now), but this will be more work again.

I am not sure about correct usage pattern of configure options, so I
will use GNU meanings. Feel free to correct.

* --enable-tests configure options builds tests;
* --with-system-kdc tries to use installed Heimdal, invokes configure
tests from (1). The negative form builds Samba Heimdal version;
* 'make test' depends on --enable-tests configure option;
* --enable-tests option depends on --without-system-kdc.

--
Sergey Yanovich
Abstract Accounting Ltd.
http://aasii.org/

Andrew Bartlett schrieb:
> On Wed, 2008-06-04 at 09:45 +0200, Stefan (metze) Metzmacher wrote:
>>> The other challenge will be ensuring that Heimdal is started and stopped
>>> by Samba4 as an integrated service, listens on the right interfaces etc.
>>> We could try to have a libkdc exported by Heimdal (so we control those
>>> matters, as we do now), but this will be more work again.
>> I think a libkdc is exactly what we need and I don't see how this more
>> work...
>
> Using libgssapi and providing plugins for the KDC would 'just' be build
> system work, while libkdc would be a new creation that does not yet
> exist.

libkdc and libhdb already exist...

metze@SERNOX:~/prefix/heimdal-1.2/libexec> ldd kdc
linux-gate.so.1 => (0xffffe000)
libkdc.so.2 =>
/home/People/metze/prefix/heimdal-1.2/lib/libkdc.so.2 (0xb7f39000)
libhdb.so.9 =>
/home/People/metze/prefix/heimdal-1.2/lib/libhdb.so.9 (0xb7f20000)
libheimntlm.so.0 =>
/home/People/metze/prefix/heimdal-1.2/lib/libheimntlm.so.0 (0xb7f19000)
libkrb5.so.25 =>
/home/People/metze/prefix/heimdal-1.2/lib/libkrb5.so.25 (0xb7e42000)
libhx509.so.3 =>
/home/People/metze/prefix/heimdal-1.2/lib/libhx509.so.3 (0xb7dff000)
libwind.so.0 =>
/home/People/metze/prefix/heimdal-1.2/lib/libwind.so.0 (0xb7dd6000)
libhcrypto.so.4 =>
/home/People/metze/prefix/heimdal-1.2/lib/libhcrypto.so.4 (0xb7da4000)
libasn1.so.8 =>
/home/People/metze/prefix/heimdal-1.2/lib/libasn1.so.8 (0xb7d10000)
libdl.so.2 => /lib/libdl.so.2 (0xb7cde000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7cd9000)
libroken.so.18 =>
/home/People/metze/prefix/heimdal-1.2/lib/libroken.so.18 (0xb7cbf000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7c8c000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7c79000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7c61000)
libc.so.6 => /lib/libc.so.6 (0xb7b32000)
/lib/ld-linux.so.2 (0xb7f62000)

metze



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFIRvMhm70gjA5TCD8RApWdAJ9Ya6v5nGfkflRHAApx6Z zzKbPtlQCgnQ22
RS0H/Loz1UZxx1dggKHUhDM=
=F5ld
-----END PGP SIGNATURE-----