
Release Meeting Minutes/2013-02-19

From K5Wiki


David Benjamin, Shawn Emery, Will Fiveash, Greg Hudson, Ben Kaduk, Simo Sorce, Zhanna Tsitkov, Tom Yu

Greg
Dmitri Pal is advocating for generic printf-like thing as opposed to one function per event. Dmitri wants plugin to handle future events without updating module.
Simo
Because we send somewhat linearized, we wouldn't have to linearize in the plugin.
Greg
Could provide both.
Shawn
Current structure of audit is separate function wrappers. Populate event structure into audit system. XML. Dynamic generation. Revamp in progress includes libbsm, XML definitions, primitives.
Tom
Enumerated event types in libbsm will be preserved?
Shawn
Broken down to KDC, kadmin. XML ID # per service event (KDC/kadmin). More transparent info. (Yes, retain one numeric ID per event type.)
Greg
XML affects API?
Shawn
Superset of structure.
Greg
several possibilities
  1. 1 function per event... plugin writer linearizes
  2. call 1 generic function
  3. hybrid: default implementation of function linearizes (if back end doesn't implement a specific event function)
Shawn
To support more generic approach, operator as element of event structure... string.
Greg
Can't find...
Shawn
Framework. ADT interface. Will try to find differences.
Tom
Would like to hear high level requirements about what events need to be audited.

domain_realm

Simo
Multiple masters. Trust relationships. Which KDC to contact. Trusted domains. Cannot change domain_realm mappings on the fly. Pluggable interfaces?
Greg
Not too hard. (Right now busy with an2lname though) You can do via your custom KDB back end.
Simo
Dropping domain_realm into include file but not getting read until KDC restart.
Greg
Touch the master profile file.
Tom
We've talked about removing rechecking behavior in the future, so don't count on this as a long-term solution.
Simo
New trust with AD.
Greg
DAL can return a referral TGS principal.
Simo
Clients using domain_realm. So need plugin.

Greg recaps long-term DNS avoidance strategy.

Greg
Plugin work more likely to happen in 1.12 time frame. Short hostnames... does client append domain? Sending short names to KDC... Nico et al. say the KDC's search path might be different than the client's; need to deal somehow. Maybe get search path through res_* API.
Simo
First send user-provided name without change, then maybe append domain.
Tom
Your preference is to have config variable to turn off client hostname resolution? (This could happen for 1.12.)
Simo
Yes.