logo_kerberos.gif

Difference between revisions of "Projects/Samba4 Port"

From K5Wiki
Jump to: navigation, search
(Small changes)
(Small changes)
Line 86: Line 86:
 
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#MIT_libraries '''MIT library changes''']
 
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#MIT_libraries '''MIT library changes''']
 
</li>
 
</li>
<li> [[#NTLM_support | '''Samba4/AD libraries: NTLM support''']]
+
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#NTLM_support '''Samba4/AD libraries: NTLM support''']
 
</li>
 
</li>
 
<li> [[#Key-handling_changes | '''Key-handling changes''']]
 
<li> [[#Key-handling_changes | '''Key-handling changes''']]

Revision as of 10:05, 31 August 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Introduction

Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos as an alternative. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and MIT-krb5 realms.

Use case: For example, suppose a kerberos customer is deploying a network with mixed operating systems using kerberos and would want to use one KDC for all of them. In this case, a single MIT Kerberos deployment should be able to support both traditonal UNIX clients and servers, intermixed with Windows clients and Samba servers:

  1. The Windows clients should be able to use the MIT KDC(s) as AD servers, so as to authenticate themselves to Samba file-servers and to Windows servers;
  2. A Windows client's tickets will carry PACs, as usual for AD;
  3. The UNIX clients should be able to access the KDC as a traditional non-AD-style KDC, so as to access UNIX services securely;
  4. A UNIX client's ticket will not carry a PAC, except when the UNIX client accesses a Windows server.


The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project.

Key to the asterisks in the Table of Contents

  1. No asterisks: Work that needs to be done.
  2. *: Some work to be done, some already done.
  3. **: Nothing much to do.
  4. ***: Can be done later, if at all.

Concise to-do list

This is a condensed version of the task-list offered by Samba4's Andrew Bartlett, containing only what hasn't yet been done already by MIT.

The two big chunks of work are LDAP Driver and Replacing / improving MIT's DAL, but the DAL work may not be needed.

Replace the MIT KDC's LDAP driver

Samba4's LDAP driver for the MIT KDB needs to know how to do AD's intricate naming:

  1. Canonicalization of server names, user-names, and realm names. MIT 1.7 already supports canonicalization.
  2. AD-style aliases for HOST/ service names.
  3. Implicit names for Win2k accounts.
  4. Principal "types": client / server / krbtgs
  5. Flexible server-naming
  6. Keytabs & name-canonicalization

Most or all of Heimdal's LDAP driver code is in three Samba4 source files, ~1000 lines in all.


Small changes

Of the things on this list, only NTLM support (bullet 2) is needed for the Samba4 KDC port. The other tasks are all application-library stuff, and arguably aren't needed at all, because Samba3 already works well with MIT application libraries.

  1. MIT library changes
  2. Samba4/AD libraries: NTLM support
  3. Key-handling changes
  4. Extra Krb library functions
  5. Error-handling, logging, testing

Use 1.7's AD-support features

This stuff should already just work:

  1. PAC handling;
  2. AD-style name canonicalization;
  3. NT-ENTERPRISE names, which carry two realms-suffixes;
  4. CHECK_POLICY/AUDIT methods (needed for TGS access-control);
  5. DCE_STYLE Challenge/Response handshakes: see Krb lib & GSSAPI.
  6. Accept legacy Samba3 clients' bad GSSAPI checksums;
  7. Principal-manipulation functions;
  8. State-machine safety;

Controversial proposed changes for the port

Maybe: Improve or replace MIT's DAL

Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see & manipulate more LDAP detail, on Samba4's behalf;

** Maybe not: Add a KDC-as-library API

Samba4 currently runs as a single process, and Samba4 invokes the Heimdal KDC via a libkdc interface (KDC as library).

  1. Andrew Bartlett says this libkdc interface is "nice to have", but not essential.
  2. Tom Yu says adding a libkdc interface to MIT's code would be a lot of work, but would tie naturally into code-cleanup work that MIT wants to do, anyway.
  3. If we build a libkdc interface for MIT's KDC, Samba4 will need the KDC to use Samba's socket library correctly.

*** Later: TGS access-control

MIT krb will need to support these AD features, once Samba4 does. Alternatively, this could be seen as an opportunity for MIT-based Samba4 to surpass Heimdal-based Samba.

  1. Add HBAC to the TGS, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints;
    1. DTD: This is natural; the TGS should enforce its own access-control, as all other services do.
    2. TGS-HBAC is part of the rationale for rewriting the DAL.
  2. Failed-kinit counts: Add a KDC heuristic for tracking intervals between kinits, so that Samba4 can enforce AD's unified account-lockout on kinit. Samba4 already does lockouts for other PW-based authentication methods (NTLM, LDAP simple bind, etc).

Samba's use of Heimdal symbols, with MIT differences

This table shows the 253 Heimdal symbols that Samba4 uses.

Definition summary:

  1. 125 of these 265 Heimdal symbols are more-or-less compatible with the corresponding MIT-krb versions having the same names.
  2. 111 of the 265 symbols don't appear in the MIT-krb source-tree.
  3. 25 of the 265 symbols have conflicting definitions in Heimdal & MIT-krb.
  4. 3 of the 265 symbols are MIT-krb names that Samba3 also uses.
  5. 1 of the 265 symbols doesn't appear in the Heimdal tree, but is a Samba3 kerberos-related name.

Samba Usage summary

  1. 179 of the 265 symbols get used in Samba4's auth subtree.
  2. 75 of the 265 symbols get used in Samba4's kdc subtree.
  3. 25 of the 265 symbols get used in other Samba subtrees.

Together, these 3 figures exceed 265, because many Heimdal symbols get used in more than one Samba4 subtree.

Porting summary:

  • "different" functions and struct-layouts are the biggest obstacles to the MIT port;
  • "not MIT" isn't so straightforward as just porting or rewriting these functions, because MIT may have a similar (but hard-to-find) function with a different name;
  • "not Heimdal" symbols should continue working for Samba4, insofar as they've worked before now;
  • "same" & "same, almost" ought to be easiest, we hope.

Key to the table's "Similarity" column:

  • same, almost: Structs are near-identical; functions have the same arguments and similar implementations.
  • same: Structs are identical. None of these Heimdal functions are identical to MIT's versions.
  • different: Structs have different layouts, functions have different parameters and / or behavior.
  • not MIT: MIT's kerberos-tree lacks the symbol.
  • not Heimdal: Heimdal has a function-prototype, but no function definition. Some of these appear in the Samba3 tree.

Please note:

  • This table has 5 columns and 265 rows, and works best if you maximize your screen;
  • You can click any column's header, to sort the rows by that column's field-contents.
Symbol Similarity Type Heimdal location Samba4 referrers
AP_OPTS_MUTUAL_REQUIRED same value enum lib/krb5/krb5.h auth/gensec/gensec_krb5.c
AP_OPTS_USE_SUBKEY same value enum lib/krb5/krb5.h auth/gensec/gensec_krb5.c
ChangePasswdDataMS{} not MIT typedef struct lib/asn1/krb5_asn1.h kdc/kpasswdd.c
Checksum{} not MIT typedef struct lib/asn1/krb5_asn1.h auth/kerberos/kerberos_pac.c
CKSUMTYPE{} not MIT typedef enum lib/asn1/krb5_asn1.h auth/kerberos/kerberos_pac.c
copy_Principal() not MIT function lib/asn1/asn1_Principal.c kdc/hdb-samba4.c
credentials{} same, almost struct lib/krb5/lrb5-v4compat.h 88 files
decode_ChangePasswdDataMS() not MIT function lib/asn1/asn1_ChangePasswdDataMS.c kdc/kpasswdd.c
dns_lookup() not MIT function lib/roken/resolve.h libcli/resolve/dns_ex.c
dns_reply() not MIT function lib/roken/resolve.h libcli/resolve/dns_ex.c
dns_srv_order() not MIT function lib/roken/resolve.h libcli/resolve/dns_ex.c
ENCTYPE_AES128_CTS_HMAC_SHA1_96 same value enum lib/krb5/krb5.h dsdb/samdb/ldb_modules/password_hash.c
ENCTYPE_AES256_CTS_HMAC_SHA1_96 same value enum lib/krb5/krb5.h dsdb/samdb/ldb_modules/password_hash.c
ENCTYPE_ARCFOUR_HMAC_MD5 not MIT enum lib/krb5/krb5.h kdc/hdb-samba4.c
ENCTYPE_ARCFOUR_HMAC same value enum lib/krb5/krb5.h torture/auth/pac.c
ENCTYPE_DES_CBC_CRC same value enum lib/krb5/krb5.h dsdb/samdb/ldb_modules/password_hash.c, kdc/hdb-samba4.c
ENCTYPE_DES_CBC_MD5 same value enum lib/krb5/krb5.h dsdb/samdb/ldb_modules/password_hash.c, kdc/hdb-samba4.c
error_message() same, almost function lib/com_err/com_err.c 8 files
ETYPE_ARCFOUR_HMAC_MD5 not MIT enum lib/asn1/krb5_asn1.h auth/kerberos/kerberos_util.c, kdc/kdc.c
free_ChangePasswdDataMS() not MIT function lib/asn1/asn1_ChangePasswdDataMS.c kdc/kpasswdd.c
free_Checksum() not MIT function lib/asn1/asn1_Checksum.c auth/kerberos/kerberos_pac.c
free_hdb_entry() not MIT function lib/hdb/asn1_hdb_entry.c kdc/hdb-samba4.c
free_Salt() not MIT function lib/hdb/asn1_Salt.c kdc/hdb-samba4.c
gss_accept_sec_context() same, almost function lib/gssapi/mech/gss_accept_sec_context.c auth/gensec/gensec_gssapi.c
gss_buffer_desc{} same typedef struct lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c, auth/credentials/credentials_krb5.c
GSS_C_DCE_STYLE same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_EMPTY_BUFFER same value macro lib/gssapi/gssapi/gssapi.h auth/credentials/credentials_krb5.c
GSS_C_GSS_CODE same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_MECH_CODE same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NO_BUFFER same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NO_CHANNEL_BINDINGS same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NO_CONTEXT same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NO_CREDENTIAL same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NO_NAME same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NULL_OID same value macro lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
GSS_C_NT_HOSTBASED_SERVICE different struct * lib/gssapi/krb5/external.c auth/gensec/gensec_gssapi.c
gss_cred_id_t{} same typedef struct lib/gssapi/gssapi/gssapi.h auth/credentials/credentials_krb5.c
gss_delete_sec_context() same, almost function lib/gssapi/mech/gss_delete_sec_context.c auth/gensec/gensec_gssapi.c
gss_display_name() same, almost function lib/gssapi/mech/gss_display_name.c auth/gensec/gensec_gssapi.c
gss_display_status() same, almost function lib/gssapi/mech/gss_display_status.c auth/gensec/gensec_gssapi.c
gss_get_mic() same, almost function lib/gssapi/mech/gss_get_mic.c auth/gensec/gensec_gssapi.c
gss_import_name() same, almost function lib/gssapi/mech/gss_import_name.c auth/gensec/gensec_gssapi.c
gss_init_sec_context() same, almost function lib/gssapi/mech/gss_init_sec_context.c auth/gensec/gensec_gssapi.c
gss_krb5_copy_ccache() same, almost function lib/gssapi/mech/gss_krb5.c auth/credentials/credentials_krb5.c
GSS_KRB5_CRED_NO_CI_FLAGS_X not MIT struct * lib/gssapi/krb5/set_cred_option.c auth/credentials/credentials_krb5.c
gss_krb5_export_lucid_sec_context() same, almost function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gsskrb5_extract_authz_data_from_sec_context() same, almost function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gss_krb5_free_lucid_sec_context() different function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gsskrb5_get_subkey() not MIT function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gss_krb5_import_cred() not MIT function lib/gssapi/mech/gss_krb5.c auth/credentials/credentials_krb5.c
gsskrb5_send_to_kdc{} not MIT struct lib/gssapi/gssapi/gssapi_krb5.h auth/gensec/gensec_gssapi.c
gss_krb5_set_allowable_enctypes() same, almost function lib/gssapi/mech/gss_krb5.c auth/credentials/credentials_krb5.c
gsskrb5_set_default_realm() not MIT function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gsskrb5_set_dns_canonicalize() not MIT function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gsskrb5_set_send_to_kdc() not MIT function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gss_mech_krb5 different macro lib/gssapi/gssapi/gssapi_krb5.h auth/gensec/gensec_gssapi.c
gss_oid_equal() not MIT function lib/gssapi/mech/gss_krb5.c auth/gensec/gensec_gssapi.c
gss_OID same typedef struct lib/gssapi/gssapi/gssapi.h auth/gensec/gensec_gssapi.c
gss_qop_t{} same typedef lib/gssapi/gssapi/gssapi_krb5.h auth/gensec/gensec_gssapi.c
gss_release_buffer() same, almost function lib/gssapi/mech/gss_release_buffer.c auth/gensec/gensec_gssapi.c
gss_release_cred() same, almost function lib/gssapi/mech/gss_release_cred.c auth/gensec/gensec_gssapi.c, auth/credentials/credentials_krb5.c
gss_release_name() same, almost function lib/gssapi/mech/gss_release_name.c auth/gensec/gensec_gssapi.c
gss_set_cred_option() not MIT function lib/gssapi/mech/gss_set_cred_option.c auth/credentials/credentials_krb5.c
gss_unwrap() same, almost function lib/gssapi/mech/gss_unwrap.c auth/gensec/gensec_gssapi.c
gss_verify_mic() same, almost function lib/gssapi/mech/gss_verify_mic.c auth/gensec/gensec_gssapi.c
gss_wrap() same, almost function lib/gssapi/mech/gss_wrap.c auth/gensec/gensec_gssapi.c
gss_wrap_size_limit() same, almost function lib/gssapi/mech/gss_wrap_size_limit.c auth/gensec/gensec_gssapi.c
hdb_enctype2key() not MIT function lib/hdb/hdb.c kdc/kdc.c
hdb_entry_ex{} not MIT typedef struct lib/hdb/hdb.h kdc/hdb-samba4.c, kdc/kdc.c, kdc/pac-glue.c
hdb_free_entry not MIT function lib/hdb/hdb.c kdc/hdb-samba4.c, kdc/kdc.c
HDB_F_DECRYPT not MIT macro lib/hdb/hdb.h kdc/kdc.c
hdb_fetch() not MIT function ptr lib/hdb/hdb.h kdc/hdb-samba4.c, kdc/kdc.c
HDB_F_GET_CLIENT not MIT macro lib/hdb/hdb.h kdc/hdb-samba4.c
HDB_F_GET_KRBTGT not MIT macro lib/hdb/hdb.h kdc/hdb-samba4.c, kdc/kdc.c
HDB_F_GET_SERVER not MIT macro lib/hdb/hdb.h kdc/hdb-samba4.c
HDBFlags{} not MIT typedef struct lib/hdb/hdb_asn1.h kdc/hdb-samba4.c
HDB_INTERFACE_VERSION not MIT macro lib/hdb/hdb.h kdc/kdc.c
hdb_kt_ops{} not MIT struct lib/hdb/keytab.c kdc/kdc.c
HDB{} not MIT typedef struct lib/hdb/hdb.h kdc/hdb-samba4.c, kdc/kdc.c
HostAddresses{} not MIT typedef struct lib/asn1/krb5_asn1.h kdc/pac-glue.c
initialize_hdb_error_table_r() not MIT function lib/hdb/hdb_err.c kdc/kdc.c
initialize_krb5_error_table() not MIT function lib/krb5/krb5_err.c auth/kerberos/krb5_init_context.c, kdc/kdc.c
int2HDBFlags() not MIT function lib/hdb/asn1_HDBFlags.c kdc/hdb-samba4.c
KDC_REQ not MIT macro lib/asn1/krb5_asn1.h kdc/pac-glue.c
KerberosTime not MIT typedef lib/asn1/krb5_asn1.h kdc/hdb-samba4.c
KEYTYPE_ARCFOUR_56 not MIT enum lib/krb5/krb5.h auth/gensec/gensec_gssapi.c
KEYTYPE_ARCFOUR not MIT enum lib/krb5/krb5.h auth/gensec/gensec_gssapi.c
KEYTYPE_DES3 not MIT enum lib/krb5/krb5.h auth/gensec/gensec_gssapi.c
KEYTYPE_DES not MIT enum lib/krb5/krb5.h auth/gensec/gensec_gssapi.c
KRB5_ADDRESS_NETBIOS not MIT enum lib/krb5/krb5.h kdc/pac-glue.c
krb5_address{} same typedef lib/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_add_et_list() not MIT function lib/krb5/add_et_list.c kdc/kdc.c
krb5_addlog_func() not MIT function lib/krb5/log.c auth/kerberos/krb5_init_context.c
krb5_ap_rep_enc_part{} same typedef struct /usr/include/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_auth_con_free() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_getlocalsubkey() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_getremotesubkey() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_init() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_setaddrs() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_setflags() same, almost function lib/krb5/auth_context.c auth/gensec/gensec_krb5.c
krb5_auth_con_setuserkey() not MIT function lib/krb5/auth_context.c see krb5_auth_con_setuseruserkey
krb5_auth_con_setuseruserkey not Heimdal function unknown see krb5_auth_con_setuserkey
KRB5_AUTH_CONTEXT_DO_SEQUENCE same enum lib/krb5/krb5.h auth/gensec/gensec_krb5.c
KRB5_AUTHDATA_WIN2K_PAC not MIT enum lib/asn1/krb5_asn1.h auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c
krb5_auth_context{} same typedef struct /usr/include/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_boolean same, almost typedef lib/krb5/krb5.h kdc/hdb-samba4.c
KRB5_CC_END same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c
KRB5_CC_NOTFOUND same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c
krb5_ccache{} same, almost typedef struct * lib/krb5/krb5.h auth/kerberos/kerberos.c, auth/kerberos/kerberos_util.c
krb5_cc_close() same, almost function lib/krb5/cache.c auth/credentials/credentials_krb5.c
krb5_cc_default() same, almost function lib/krb5/cache.c auth/credentials/credentials_krb5.c
krb5_cc_destroy() same, almost function lib/krb5/cache.c auth/credentials/credentials_krb5.c
krb5_cc_get_principal() same, almost function lib/krb5/cache.c auth/credentials/credentials_krb5.c
krb5_cc_initialize() same, almost function lib/krb5/cache.c auth/kerberos/kerberos.c
krb5_cc_resolve() same, almost function lib/krb5/cache.c auth/credentials/credentials_krb5.c
krb5_cc_store_cred() same, almost function lib/krb5/cache.c auth/kerberos/kerberos.c
krb5_cksumtype_to_enctype() not MIT function lib/krb5/crypto.c kdc/kdc.c
krb5_clear_error_string() not MIT function lib/krb5/error_string.c auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
krb5_closelog() not MIT function lib/krb5/log.c auth/kerberos/krb5_init_context.c
krb5_const_principal same typedef struct * lib/krb5/krb5.h auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
krb5_context{} same, almost typedef struct * lib/krb5/krb5.h 16 files
krb5_copy_principal() same, almost function lib/krb5/principal.c kdc/hdb-samba4.c
krb5_create_checksum() not MIT function lib/krb5/crypto.c auth/kerberos/kerberos_pac.c
krb5_creds{} different typedef struct lib/krb5/krb5.h auth/kerberos/kerberos.c
krb5_crypto not MIT typedef struct * lib/krb5/krb5.h auth/kerberos/kerberos_pac.c
krb5_crypto_destroy() not MIT function lib/krb5/crypto.c auth/kerberos/kerberos_pac.c
krb5_crypto_init() not MIT function lib/krb5/crypto.c auth/kerberos/kerberos_pac.c
krb5_data{} different typedef struct /usr/include/krb5/krb5.h 9 files
krb5_data_copy() not MIT function lib/krb5/data.c auth/kerberos/krb5_init_context.c, kdc/hdb-samba4.c, kdc/pac-glue.c
krb5_data_free() not MIT function lib/krb5/data.c 6 files
krb5_data_zero() not MIT function lib/krb5/data.c kdc/kdc.c
krb5_dh_moduli{} not MIT struct lib/krb5/krb5_locl.h kdc/pac-glue.c
krb5_encrypt_block{} same typedef struct /usr/include/krb5/krb5.h auth/kerberos/clikrb5.c
krb5_enctype same, almost typedef lib/krb5/krb5.h 4 files
krb5_error_code same typedef lib/krb5/krb5.h 15 files
KRB5_FCC_NOFILE same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c
krb5_flags same, almost typedef /usr/include/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_free_ap_rep_enc_part() same, almost function lib/krb5/rd_rep.c auth/gensec/gensec_krb5.c
krb5_free_config_files() same, almost function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_free_context() same, almost function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_free_cred_contents() same, almost function lib/krb5/creds.c auth/kerberos/kerberos.c
krb5_free_error_string() not MIT function lib/krb5/error_string.c auth/kerberos/clikrb5.c
krb5_free_keyblock_contents() different function lib/krb5/keyblock.c dsdb/samdb/ldb_modules/password_hash.c, torture/auth/pac.c, auth/kerberos/kerberos_util.c
krb5_free_keyblock() same, almost function lib/krb5/keyblock.c auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_heimdal.c
krb5_free_keytab_entry_contents() not Heimdal function lib/krb5/keyblock.c auth/kerberos/clikrb5.c
krb5_free_principal() same, almost function lib/krb5/principal.c 8 files
krb5_free_salt() not MIT function lib/krb5/crypto.c dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
krb5_free_ticket() different function lib/krb5/ticket.c auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_heimdal.c
krb5_get_default_in_tkt_etypes() not MIT function lib/krb5/context.c auth/credentials/credentials_krb5.c
krb5_get_default_realm() different function lib/krb5/get_default_realm.c kdc/hdb-samba4.c
krb5_get_error_string() not MIT function lib/krb5/error_string.c auth/kerberos/clikrb5.c
krb5_get_init_creds_keyblock() not MIT function lib/krb5/init_creds_pw.c auth/kerberos/kerberos.c
krb5_get_init_creds_opt{} different typedef struct lib/krb5/krb5.h auth/kerberos/kerberos.c
krb5_get_init_creds_opt_init() different function lib/krb5/init_creds.c auth/kerberos/kerberos.c
krb5_get_init_creds_opt_set_default_flags() not MIT function lib/krb5/init_creds.c auth/kerberos/kerberos.c
krb5_get_init_creds_password() different function lib/krb5/init_creds_pw.c auth/kerberos/kerberos.c
krb5_get_max_time_skew() not MIT function lib/krb5/context.c rpc_server/lsa/dcesrv_lsa.c
krb5_get_pw_salt() not MIT function lib/krb5/crypto.c dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
krb5_init_context() different function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_initlog() not MIT function lib/krb5/log.c auth/kerberos/krb5_init_context.c
krb5_kdc_get_config() not MIT function kdc/default_config.c kdc/kdc.c
krb5_kdc_process_krb5_request() not MIT function kdc/process.c kdc/kdc.c
krb5_kdc_update_time() not MIT function kdc/process.c kdc/kdc.c
krb5_kdc_windc_init() not MIT function kdc/windc.c kdc/kdc.c
krb5_keyblock{} same typedef struct /usr/include/krb5/krb5.h 8 files
krb5_keyblock_init() not MIT function lib/krb5/keyblock.c torture/auth/pac.c, auth/kerberos/kerberos_util.c, kdc/hdb-samba4.c
krb5_keytab_entry{} same typedef struct /usr/include/krb5/krb5.h auth/kerberos/clikrb5.c, auth/kerberos/kerberos_util.c
krb5_keytab{} same typedef struct * /usr/include/krb5/krb5.h auth/kerberos/kerberos_util.c
KRB5_KDCREP_SKEW same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
KRB5_KDC_UNREACH same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
KRB5_KPASSWD_ACCESSDENIED same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_BAD_VERSION same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_HARDERROR same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_MALFORMED same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_SOFTERROR same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_SUCCESS same value macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_VERS_CHANGEPW not MIT macro lib/krb5/krb5.h kdc/kpasswdd.c
KRB5_KPASSWD_VERS_SETPW not MIT macro lib/krb5/krb5.h kdc/kpasswdd.c
_krb5_krb_auth_data not MIT struct lib/krb5/krb5-v4compat.h kdc/pac-glue.c
krb5_krbhst_get_addrinfo() not MIT function lib/krb5/krbhst.c auth/kerberos/krb5_init_context.c
KRB5_KRBHST_HTTP not MIT enum lib/krb5/krb5.h auth/kerberos/krb5_init_context.c
krb5_krbhst_info{} not MIT typedef struct lib/krb5/krb5.h auth/kerberos/krb5_init_context.c
KRB5_KRBHST_TCP not MIT enum lib/krb5/krb5.h auth/kerberos/krb5_init_context.c
KRB5_KRBHST_UDP not MIT enum lib/krb5/krb5.h auth/kerberos/krb5_init_context.c
krb5_kt_add_entry() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_close() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_compare() not MIT function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_cursor{} different typedef struct lib/krb5/krb5.h auth/kerberos/kerberos_util.c
krb5_kt_end_seq_get() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_free_entry() same, almost function lib/krb5/keytab.c auth/kerberos/clikrb5.c, auth/kerberos/kerberos_util.c
krb5_kt_next_entry() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_register() different function lib/krb5/keytab.c kdc/kdc.c
krb5_kt_remove_entry() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_resolve() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
krb5_kt_start_seq_get() same, almost function lib/krb5/keytab.c auth/kerberos/kerberos_util.c
KRB5_KT_END same value enum lib/krb5/krb5_err.h auth/kerberos/kerberos_util.c
KRB5_KU_OTHER_CKSU not MIT enum lib/krb5/krb5.h auth/kerberos/kerberos_pac.c
krb5_make_principal() not MIT function lib/krb5/principal.c 4 functions
krb5_mk_error() different function lib/krb5/mk_error.c kdc/kpasswdd.c
krb5_mk_priv() same, almost function lib/krb5/mk_priv.c auth/gensec/gensec_krb5.c
krb5_mk_req() same, almost function lib/krb5/mk_req.c auth/gensec/gensec_krb5.c
krb5_mk_req_exact() not MIT function lib/krb5/mk_req.c auth/gensec/gensec_krb5.c
krb5_pac not MIT typedef struct * lib/krb5/krb5.h auth/kerberos/kerberos_pac.c, kdc/pac-glue.c
krb5_pac_add_buffer() same, almost function lib/krb5/pac.c kdc/pac-glue.c
krb5_pac_free() same, almost function lib/krb5/pac.c auth/kerberos/kerberos_pac.c, kdc/pac-glue.c
krb5_pac_get_buffer() different function lib/krb5/pac.c auth/kerberos/kerberos_pac.c
krb5_pac_init() different function lib/krb5/pac.c kdc/pac-glue.c
krb5_pac_parse() different function lib/krb5/pac.c auth/kerberos/kerberos_pac.c
KRB5_PADATA_PW_SALT same value enum lib/asn1/krb5_asn1.h kdc/pac-glue.c
KRB5_PARSE_MALFORMED same value enum lib/krb5/krb5_err.h auth/kerberos/kerberos_pac.c
krb5_parse_name() different function lib/krb5/principal.c dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
krb5_parse_name_flags() same, almost function lib/krb5/principal.c dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/kerberos/kerberos_pac.c,
krb5_plugin_register() not MIT function lib/krb5/plugin.c kdc/kdc.c
krb5_prepend_config_files_default() not MIT function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_principal2salt() not Heimdal function /usr/include/krb5/krb5.h auth/kerberos/clikrb5.c
krb5_principal_compare_any_realm() same, almost function lib/krb5/principal.c auth/kerberos/kerberos_pac.c
krb5_principal_get_realm() not MIT function lib/krb5/principal.c kdc/hdb-samba4.c
_krb5_principalname2krb5_principal() not MIT function lib/krb5/asn1_glue.c kdc/kpasswdd.c
KRB5_PRINCIPAL_PARSE_MUST_REALM not MIT enum lib/krb5/krb5.h dsdb/samdb/cracknames.c
KRB5_PRINCIPAL_PARSE_NO_REALM same, almost enum lib/krb5/krb5.h dsdb/samdb/cracknames.c, torture/auth/pac.c, auth/kerberos/kerberos_pac.c
krb5_principal different typedef struct * lib/krb5/krb5.h 12 files
KRB5_PRINCIPAL_UNPARSE_NO_REALM same, almost enum lib/krb5/krb5.h dsdb/samdb/cracknames.c, auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
krb5_princ_realm() same, almost macro lib/krb5/principal.c dsdb/samdb/cracknames.c, auth/credentials/credentials_krb5.c, kdc/hdb-samba4.c
krb5_princ_set_realm() same, almost function lib/krb5/principal.c auth/kerberos/kerberos_pac.c
krb5_rd_priv() same, almost function lib/krb5/rd_priv.c auth/gensec/gensec_krb5.c
krb5_rd_rep() same, almost function lib/krb5/rd_rep.c auth/gensec/gensec_krb5.c
krb5_replay_data{} same, almost typedef struct lib/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_salt{} not MIT typedef struct lib/krb5/krb5.h dsdb/samdb/ldb_modules/password_hash.c, auth/kerberos/clikrb5.c
krb5_set_config_files() different function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_set_default_realm() different function lib/krb5/set_default_realm.c auth/kerberos/krb5_init_context.c
krb5_set_dns_canonicalize_hostname() not MIT function lib/krb5/context.c auth/kerberos/krb5_init_context.c
krb5_set_error_string() not MIT function lib/krb5/context.c kdc/hdb-samba4.c
krb5_set_real_time() same, almost function lib/krb5/time.c auth/kerberos/kerberos_util.c
krb5_set_send_to_kdc_func() not MIT function lib/krb5/send_to_kdc.c auth/kerberos/krb5_init_context.c
krb5_set_warn_dest not MIT function lib/krb5/send_to_kdc.c auth/kerberos/krb5_init_context.c
krb5_sockaddr2address() not MIT function lib/krb5/addr_families.c auth/gensec/gensec_krb5.c
krb5_string_to_enctype() same, almost function lib/krb5/crypto.c auth/kerberos/kerberos_util.c
krb5_string_to_key() different function lib/krb5/crypto.c auth/kerberos/clikrb5.c
krb5_string_to_key_data_salt() not MIT function lib/krb5/crypto.c libnet/libnet_become_dc.c
krb5_string_to_key_salt() not MIT function lib/krb5/crypto.c auth/kerberos/clikrb5.c
KRB5_TGS_NAME not MIT function lib/krb5/krb5.h kdc/hdb-samba4.c
krb5_ticket{} different typedef struct lib/krb5/krb5.h auth/gensec/gensec_krb5.c
krb5_ticket_get_authorization_data_type() not MIT function lib/krb5/ticket.c auth/gensec/gensec_krb5.c
krb5_ticket_get_client() not MIT function lib/krb5/ticket.c auth/gensec/gensec_krb5.c
krb5_unparse_name() same, almost function lib/krb5/principal.c 6 files
krb5_unparse_name_flags() same, almost function lib/krb5/principal.c dsdb/samdb/cracknames.c, auth/kerberos/kerberos_pac.c, kdc/hdb-samba4.c
krb5_use_enctype() not Heimdal function /usr/include/krb5/krb5.h auth/kerberos/clikrb5.c
krb5_verify_checksum() same, almost function lib/krb5/crypto.c auth/kerberos/kerberos_pac.c
krb5_warnx() not MIT function lib/krb5/warn.c kdc/hdb-samba4.c
krb5_xfree() different function lib/krb5/free.c auth/credentials/credentials_krb5.c
KRB5_WINDC_PLUGING_MINOR not MIT macro kdc/windc_plugin.h kdc/kdc.c
KRB5KDC_ERR_CLIENT_REVOKED same value enum lib/krb5/krb5_err.h kdc/pac-glue.c
KRB5KDC_ERR_KEY_EXPIRED not MIT enum lib/krb5/krb5_err.h kdc/pac-glue.c
KRB5KDC_ERR_POLICY same value enum lib/krb5/krb5_err.h kdc/pac-glue.c
KRB5KDC_ERR_PREAUTH_FAILED same value enum lib/krb5/krb5_err.h auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN same value enum lib/krb5/krb5_err.h auth/gensec/gensec_gssapi.c, auth/gensec/gensec_krb5.c
KRB5KRB_AP_ERR_MSG_TYPE same value enum lib/krb5/krb5_err.h auth/gensec/gensec_gssapi.c
KRB5KRB_AP_ERR_SKEW same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c, auth/kerberos/kerberos_util.c
KRB5KRB_AP_ERR_TKT_EXPIRED same value enum lib/krb5/krb5_err.h auth/gensec/gensec_krb5.c
OM_uint32 same, almost typedef lib/gssapi/gssapi/gssapi.h auth/credentials/credentials_krb5.c, auth/gensec/gensec_gssapi.c
PA_DATA not MIT typedef struct lib/asn1/krb5_asn1.h kdc/pac-glue.c
PLUGIN_TYPE_DATA not MIT enum lib/krb5/krb5.h kdc/kdc.c
Principal{} not MIT typedef struct lib/asn1/krb5_asn1.h dsdb/samdb/ldb_modules/password_hash.c
resource_record{} not MIT struct lib/roken/resolve.h libcli/resolve/dns_ex.c
SHA256_DIGEST_LENGTH same value macro lib/hcrypto/sha.h libcli/smb2/signing.c