Difference between revisions of "Samba4 port: libkdc Interface"
From K5Wiki
(→Handling Krb5 Traffic) |
(→libkdc Entry Points) |
||
Line 7: | Line 7: | ||
|- |
|- |
||
| kdc_log() |
| kdc_log() |
||
− | | kdc/log.c |
+ | | heimdal/kdc/log.c |
| no |
| no |
||
|- |
|- |
||
| kdc_log_msg() |
| kdc_log_msg() |
||
− | | kdc/log.c |
+ | | heimdal/kdc/log.c |
| no |
| no |
||
|- |
|- |
||
| kdc_log_msg_va() |
| kdc_log_msg_va() |
||
− | | kdc/log.c |
+ | | heimdal/kdc/log.c |
| no |
| no |
||
|- |
|- |
||
| kdc_openlog() |
| kdc_openlog() |
||
− | | kdc/log.c |
+ | | heimdal/kdc/log.c |
| no |
| no |
||
|- |
|- |
||
| krb5_kdc_get_config() |
| krb5_kdc_get_config() |
||
− | | kdc/default_config.c |
+ | | heimdal/kdc/default_config.c |
| kdc/kdc.c |
| kdc/kdc.c |
||
|- |
|- |
||
| krb5_kdc_process_krb5_request() |
| krb5_kdc_process_krb5_request() |
||
− | | kdc/process.c |
+ | | heimdal/kdc/process.c |
| kdc/kdc.c |
| kdc/kdc.c |
||
|- |
|- |
||
| krb5_kdc_process_request() |
| krb5_kdc_process_request() |
||
− | | kdc/process.c |
+ | | heimdal/kdc/process.c |
| no |
| no |
||
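Review bot: every "Samba4 file" cell in this hunk gains the heimdal/ prefix, but the krb5_kdc_set_dbinfo() row, which sits between this hunk and the next and reads kdc/set_dbinfo.c in the resulting revision, keeps the old form; if that file really lives outside heimdal/ in the Samba4 tree, a short remark in the table saying so would stop readers taking it for a missed edit.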
Line 47: | Line 47: | ||
|- |
|- |
||
| krb5_kdc_save_request() |
| krb5_kdc_save_request() |
||
− | | kdc/process.c |
+ | | heimdal/kdc/process.c |
| no |
| no |
||
|- |
|- |
||
| krb5_kdc_update_time() |
| krb5_kdc_update_time() |
||
− | | kdc/process.c |
+ | | heimdal/kdc/process.c |
| kdc/kdc.c |
| kdc/kdc.c |
||
|- |
|- |
||
| krb5_kdc_windc_init() |
| krb5_kdc_windc_init() |
||
− | | kdc/windc.c |
+ | | heimdal/kdc/windc.c |
| kdc/kdc.c |
| kdc/kdc.c |
||
Revision as of 12:59, 10 September 2009
libkdc Entry Points
Entry Point | Samba4 file | Samba4 callers |
kdc_log() | heimdal/kdc/log.c | no |
kdc_log_msg() | heimdal/kdc/log.c | no |
kdc_log_msg_va() | heimdal/kdc/log.c | no |
kdc_openlog() | heimdal/kdc/log.c | no |
krb5_kdc_get_config() | heimdal/kdc/default_config.c | kdc/kdc.c |
krb5_kdc_process_krb5_request() | heimdal/kdc/process.c | kdc/kdc.c |
krb5_kdc_process_request() | heimdal/kdc/process.c | no |
krb5_kdc_set_dbinfo() | kdc/set_dbinfo.c | no |
krb5_kdc_save_request() | heimdal/kdc/process.c | no |
krb5_kdc_update_time() | heimdal/kdc/process.c | kdc/kdc.c |
krb5_kdc_windc_init() | heimdal/kdc/windc.c | kdc/kdc.c |
Samba4's Handling of Krb5 Traffic
Samba4 uses the following Heimdal KDC functions, via the krb5_kdc_process_krb5_request() entry point:
Protocol | Heimdal fcn | MIT-krb fcn |
AS | decode_AS_REQ() | decode_krb5_as_req() |
AS | free_AS_REQ() | krb5_free_kdc_req() |
AS | _kdc_as_rep() | process_as_req() |
TGS | decode_TGS_REQ() | decode_krb5_tgs_req() |
TGS | free_TGS_REQ() | krb5_free_kdc_req() |
TGS | _kdc_tgs_rep() | process_tgs_req() |
krb524 | decode_ticket() | krb5_decode_ticket() |
krb524 | _kdc_do_524() | <deprecated> |
krb524 | free_Ticket() | no |
digest auth | decode_DigestREQ() | no |
digest auth | free_DigestREQ() | no |
digest auth | _kdc_do_digest() | no |
kx509 | _kdc_try_kx509_request() | no |
kx509 | _kdc_do_kx509() | no |
kx509 | free_Kx509Request() | no |
krb v4 | _kdc_maybe_version4() | deprecated? |
krb v4 | _kdc_do_version4() | deprecated |
AFS | _kdc_do_kaserver() | deprecated? |
It's not clear that the MIT port needs to support anything more than the usual AS & TGS protocols:
- MIT-krb no longer supports v4 operation, as of MIT v1.7;
- Samba4 doesn't actually use the Windows "digest auth" protocols;
- UMichigan's hx509 protocol may not be necessary for Samba4;
- Carnegie-Mellon's AFS project seems to have deprecated kaserver.
Caution: libkdc has two similarly-named request-processing functions, but Samba4 uses only one of them:
- krb5_kdc_process_krb5_request() gets used by Samba4
- krb5_kdc_process_request() doesn't.
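As an added example (not code from Heimdal, Samba4 or MIT), the following C program classifies a raw KDC datagram by its outermost ASN.1 tag, which is the distinction krb5_kdc_process_krb5_request() draws when it tries decode_AS_REQ(), decode_TGS_REQ() and decode_ticket() in turn. The tag numbers (APPLICATION 10 for AS-REQ, 12 for TGS-REQ, 1 for Ticket) come from RFC 4120; the leading version-byte test for Kerberos v4 is what _kdc_maybe_version4() is assumed to perform; the sample datagrams are constructed outer headers with filler content, and the names kdc_classify(), der_length() and kdc_msg_name() belong to this example only. The point a port should preserve is that the outer DER length is checked against the datagram size before any decoder is allowed to run, so a datagram that claims more bytes than it carries is reported rather than parsed.

```c
/* Classify a KDC datagram by its outermost ASN.1 tag, mirroring the
 * dispatch order of krb5_kdc_process_krb5_request(). Added example;
 * not Heimdal, Samba4 or MIT code. */
#include <stdio.h>
#include <stddef.h>

enum kdc_msg_kind {
    KDC_MSG_UNKNOWN = 0,
    KDC_MSG_AS_REQ,     /* [APPLICATION 10] KDC-REQ (RFC 4120) */
    KDC_MSG_TGS_REQ,    /* [APPLICATION 12] KDC-REQ */
    KDC_MSG_TICKET,     /* [APPLICATION 1]  Ticket, the krb524 request shape */
    KDC_MSG_V4,         /* leading version byte 4: Kerberos v4 (assumed check) */
    KDC_MSG_TRUNCATED   /* DER length claims more bytes than the datagram has */
};

/* Parse a DER length starting at buf[pos]. Returns 1 on success and stores
 * the content length and the number of length bytes consumed. The
 * indefinite form (0x80) is not valid DER and is rejected. */
static int der_length(const unsigned char *buf, size_t len, size_t pos,
                      size_t *content_len, size_t *hdr_len)
{
    size_t n, i;
    if (pos >= len) return 0;
    if (buf[pos] < 0x80) {                 /* short form */
        *content_len = buf[pos];
        *hdr_len = 1;
        return 1;
    }
    n = buf[pos] & 0x7f;                   /* long form: n following bytes */
    if (n == 0 || n > sizeof(size_t) || pos + 1 + n > len) return 0;
    *content_len = 0;
    for (i = 0; i < n; i++)
        *content_len = (*content_len << 8) | buf[pos + 1 + i];
    *hdr_len = 1 + n;
    return 1;
}

enum kdc_msg_kind kdc_classify(const unsigned char *buf, size_t len)
{
    size_t content_len, hdr_len;
    unsigned char tag;

    if (len == 0) return KDC_MSG_UNKNOWN;
    /* Kerberos v4 packets begin with the protocol version byte. */
    if (buf[0] == 4) return KDC_MSG_V4;

    tag = buf[0];
    /* APPLICATION class (bits 7-6 = 01), constructed (bit 5), tag number < 31 */
    if ((tag & 0xe0) != 0x60 || (tag & 0x1f) == 0x1f) return KDC_MSG_UNKNOWN;
    if (!der_length(buf, len, 1, &content_len, &hdr_len)) return KDC_MSG_UNKNOWN;
    /* Never let a decoder read past the datagram, whatever the length says. */
    if (content_len > len - 1 - hdr_len) return KDC_MSG_TRUNCATED;

    switch (tag & 0x1f) {
    case 10: return KDC_MSG_AS_REQ;
    case 12: return KDC_MSG_TGS_REQ;
    case 1:  return KDC_MSG_TICKET;
    default: return KDC_MSG_UNKNOWN;   /* e.g. AS-REP (11), which a KDC never receives */
    }
}

const char *kdc_msg_name(enum kdc_msg_kind k)
{
    switch (k) {
    case KDC_MSG_AS_REQ:    return "AS-REQ";
    case KDC_MSG_TGS_REQ:   return "TGS-REQ";
    case KDC_MSG_TICKET:    return "Ticket (krb524)";
    case KDC_MSG_V4:        return "Kerberos v4";
    case KDC_MSG_TRUNCATED: return "truncated";
    default:                return "unknown";
    }
}

/* Constructed sample datagrams: a valid outer header plus minimal filler.
 * Only the outer tag and length matter for classification. */
static const unsigned char sample_as_req[]  = {0x6a, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05};
static const unsigned char sample_tgs_req[] = {0x6c, 0x03, 0x30, 0x01, 0x00};
static const unsigned char sample_ticket[]  = {0x61, 0x03, 0x30, 0x01, 0x00};
static const unsigned char sample_v4[]      = {0x04, 0x02, 0x00, 0x00};
static const unsigned char sample_as_rep[]  = {0x6b, 0x03, 0x30, 0x01, 0x00};
static const unsigned char sample_trunc[]   = {0x6a, 0x82, 0x01, 0x00, 0x30}; /* claims 256 bytes */

int main(void)
{
    printf("%s\n", kdc_msg_name(kdc_classify(sample_as_req,  sizeof sample_as_req)));
    printf("%s\n", kdc_msg_name(kdc_classify(sample_tgs_req, sizeof sample_tgs_req)));
    printf("%s\n", kdc_msg_name(kdc_classify(sample_ticket,  sizeof sample_ticket)));
    printf("%s\n", kdc_msg_name(kdc_classify(sample_v4,      sizeof sample_v4)));
    printf("%s\n", kdc_msg_name(kdc_classify(sample_as_rep,  sizeof sample_as_rep)));
    printf("%s\n", kdc_msg_name(kdc_classify(sample_trunc,   sizeof sample_trunc)));
    return 0;
}
```

Heimdal itself discovers the message type by letting each decoder fail in turn rather than by peeking at the tag; the classifier above is the equivalent decision made explicit, which is also the shape a packet-level detection rule or a KDC access log parser would use to label incoming requests.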
Samba4's KDC Config
Heimdal has a run-time apparatus for managing the KDC's configuration, while MIT-krb uses a simple configuration file.
- Samba4 passes config-settings to the KDC, using the krb5_kdc_configuration{} structure.
- Samba4 uses the libkdc entry-point krb5_kdc_get_config() to initialize the krb5_kdc_configuration{} structure;
- As of Sept '09, Samba4 does not change this config structure's contents at runtime, except in one place: if hx509 fails to find a user cert, hx509 turns itself off.