logo_kerberos.gif

Difference between revisions of "Projects/Samba4 Port"

From K5Wiki
Jump to: navigation, search
(To do list)
 
(537 intermediate revisions by 2 users not shown)
Line 4: Line 4:
 
Samba4, like earlier versions of Samba, uses Heimdal Kerberos.
 
Samba4, like earlier versions of Samba, uses Heimdal Kerberos.
 
The Samba4 Port project proposes to enable Samba4 to use MIT kerberos
 
The Samba4 Port project proposes to enable Samba4 to use MIT kerberos
instead. The near-term goal is that mixed krb5+AD deployments could
+
as an alternative. The near-term goal is that mixed krb5+AD deployments
use Samba4 to provide better interoperation between AD realms and krb5
+
could use Samba4 to provide better interoperation between AD realms
realms.
+
and MIT-krb5 realms.
  +
  +
Use case: For example, suppose a kerberos customer is deploying a network
  +
with mixed operating systems using kerberos and would want to use one KDC
  +
for all of them. In this case, a single MIT Kerberos deployment should
  +
be able to support both traditonal UNIX clients and servers, intermixed
  +
with Windows clients and Samba servers:
  +
<ol>
  +
<li> The Windows clients should be able to use the MIT KDC(s) as AD servers,
  +
so as to authenticate themselves to Samba file-servers and to Windows
  +
servers;
  +
</li>
  +
<li> A Windows client's tickets will carry PACs, as usual for AD;
  +
</li>
  +
<li> The UNIX clients should be able to access the KDC as a traditional
  +
non-AD-style KDC, so as to access UNIX services securely;
  +
<li> A UNIX client's ticket will ''not'' carry a PAC, except when
  +
the UNIX client accesses a Windows server
  +
([http://k5wiki.kerberos.org/wiki/Samba4:_Optional_PACs_for_Unix_clients '''Rationale'''])
  +
.
  +
</li>
  +
</ol>
   
 
The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have
 
The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have
shown some interest in this Samba4 Port project.
+
shown some interest in this Samba4 Port project.
  +
[http://k5wiki.kerberos.org/wiki/Supported_platforms_for_Samba4_port '''Here''']
  +
is a table showing which OS platforms are supported by Samba4, Heimdal, and MIT kerberos.
  +
Summary: MIT-krb5 & Samba4 both run on Mac OS X, NetBSD, Debian, RedHat, Ubuntu, & Solaris.
   
== To do list ==
 
  +
----
   
This is a task-list offered by Samba4's Andrew Bartlett,
 
  +
== Concise to-do list ==
but Andrew is unsure of how much of this list is already
 
  +
available in MIT's 1.7 release.
 
  +
This is a condensed version of the
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_%28Andrew_Bartlett%29#Data-Abstraction_Layer_.28DAL.29 '''task-list'''] offered by Samba4's Andrew Bartlett,
  +
containing only what hasn't yet been done already by MIT.
  +
  +
The two big chunks of work are
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#LDAP_driver '''LDAP Driver'''] and
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Data-Abstraction_Layer_.28DAL.29 '''Replacing / improving MIT's DAL'''],
  +
but the DAL work may not be needed.
   
 
=== Replace the MIT KDC's LDAP driver ===
 
=== Replace the MIT KDC's LDAP driver ===
  +
  +
Samba4's LDAP driver for the MIT KDB needs to know how to do
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#LDAP_driver '''AD's intricate naming''']:
 
<ol>
 
<ol>
<li> Our LDAP driver for the KDB needs to know how to do
 
  +
<li> Canonicalization of server names,
Samba4's intricate canonicalization of server names,
 
  +
user-names, and realm names. MIT 1.7 already
user-names, and realm names. </li>
 
  +
[[#Use_1.7.27s_AD-support_features | '''supports canonicalization''']].
<li> AD-style aliases for HOST/ service names. </li>
 
  +
</li>
<li> Implicit names for Win2k accounts. </li>
 
  +
<li> AD-style aliases for
<li> Principal "types": client / server / krbtgs
 
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Keytab-sharing_amongst_HOST.2F_service_names '''HOST/ service names'''].
<li> Most or all of this code is in 3 samba4 source files,
 
  +
</li>
~1000 lines in all. </li>
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Implicit_names_for_Win2000_Accounts '''Implicit names''']
  +
for Win2k accounts.
  +
</li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Principal_.22types.22 '''Principal "types":'''] client / server / krbtgs
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Flexible_server-naming '''Flexible server-naming''']
  +
</li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Keytabs_.26_Name-canonicalization '''Keytabs & name-canonicalization''']
  +
</li>
 
</ol>
 
</ol>
  +
Most or all of Heimdal's LDAP driver code is in
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#LDAP_driver '''three Samba4 source files'''],
  +
~1000 lines in all.
   
 
----
 
----
   
=== Use 1.7's AD-support features ===
 
  +
=== Small changes ===
This stuff should just work:
 
  +
Of the things on this list, only NTLM support (bullet 2)
  +
is needed for the Samba4 KDC port.
  +
The other tasks are all application-library stuff,
  +
and arguably aren't needed at all, because Samba3
  +
already works well with MIT application libraries.
 
<ol>
 
<ol>
<li> PAC handling; </li>
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#MIT_libraries '''MIT library changes''']
<li> AD-style name canonicalization; </li>
 
  +
</li>
<li> NT-ENTERPRISE names, which carry two realms; </li>
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#NTLM_support '''Samba4/AD libraries: NTLM support''']. See also
<li> CHECK_POLICY/AUDIT methods; </li>
 
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_NTLM_thread '''this Sept-2009 NTLM thread'''] (this implies to me that a GSS NTLM mech is not an immediate requirement - LH)
<li> DCE_STYLE; </li>
 
  +
</li>
<li> Accept legacy Samba3 clients' bad GSSAPI checksums; </li>
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Key-handling_changes '''Key-handling changes''']]
<li> Principal-manipulation functions; </li>
 
  +
</li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Extra_krb_library_functions '''Extra Krb library functions''']
  +
</li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Error-handling.2C_logging.2C_testing '''Error-handling, logging, testing''']
  +
</li>
 
</ol>
 
</ol>
   
 
----
 
----
   
=== MIT KDC changes ===
+
=== Use 1.7's AD-support features ===
  +
This stuff should already just work:
 
<ol>
 
<ol>
<li> Add HBAC to the KDC's TGT-issuance, so that Samba4 can refuse TGTs
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Turn_on_MIT-krb_1.7.27s_PAC_handling '''PAC handling''']; </li>
to kinit, based on time-of-day & IP-addr constraints;
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Name_Canonicalization '''AD-style name canonicalization''']; </li>
(LH: "use KRB5_KDB_METHOD_CHECK_POLICY_TGS method. We have access
 
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Doubled_realm-names '''NT-ENTERPRISE names'''],
to the complete request. See against_local_policy_tgs() in
 
  +
which carry two realm-suffixes; </li>
policy.c .</li>
 
  +
<li> CHECK_POLICY/AUDIT methods (needed for
<li> Add a heuristic for failed-kinit counts, to support AD-style
 
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A.2A_Add_access-control_to_the_TGS '''TGS access-control''']); </li>
unified account-lockouts across all authentication methods
 
  +
<li> DCE_STYLE Challenge/Response handshakes: see
(Krb, NTLM, LDAP simple bind, etc). (Luke H says we can use
 
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Krb5_lib_.26_GSSAPI '''Krb lib & GSSAPI''']. </li>
a KRB5_KDB_METHOD_AUDIT_AS method for this.) </li>
 
  +
<li> Accept legacy Samba3 clients'
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Legacy_Samba3_clients_.26_GSSAPI '''bad GSSAPI checksums''']; </li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A_Extra_krb_library_functions '''Principal-manipulation functions''']; </li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_State-machine_safety_for_krb_libraries '''State-machine safety''']; </li>
 
</ol>
 
</ol>
   
Line 61: Line 92:
   
 
=== Controversial proposed changes for the port ===
 
=== Controversial proposed changes for the port ===
  +
   
 
==== Maybe: Improve or replace MIT's DAL ====
 
==== Maybe: Improve or replace MIT's DAL ====
Rewrite the MIT KDC's Data-Abstraction Layer (DAL),
+
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Data-Abstraction_Layer_.28DAL.29 '''Rewrite the MIT KDC's Data-Abstraction Layer (DAL)'''],
 
mostly because the MIT KDC needs to see & manipulate
 
mostly because the MIT KDC needs to see & manipulate
 
more LDAP detail, on Samba4's behalf;
 
more LDAP detail, on Samba4's behalf;
  +
  +
==== Maybe, or not: Add a KDC-as-library API ====
  +
Samba4 currently runs as a single process, and Samba4's smbd invokes the Heimdal KDC via a
  +
[http://k5wiki.kerberos.org/wiki/Samba4_port:_libkdc_Interface#krb5_kdc_update_time.28.29 '''libkdc interface'''] (KDC as library).
 
<ol>
 
<ol>
<li>
+
<li> Rationale:
</ol>
+
# smbd uses the libkdc interface to configure the KDC, both at startup & during runtime.
  +
# Samba4's build/test environment uses libkdc's socket-passing, to simulate network traffic.
  +
</li>
  +
<li> Andrew Bartlett says this libkdc interface is
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#libkdc '''"nice to have"'''],
  +
but not essential for getting the port to work.
  +
</li>
  +
<li> Tom Yu says adding a libkdc interface to MIT's code would be a lot
  +
of work, but would tie naturally into code-cleanup work that MIT wants
  +
to do, anyway.
  +
</li>
  +
<li> Sam Hartman says he needs the libkdc interface, too, for his work on PK-U2U (but not immediately).
  +
</li>
  +
<li>
  +
Another way, which Simo dismisses on Samba4's behalf:
  +
Samba can use
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_iptables_Remapping '''iptables remapping'''],
  +
but only for kdc packets, so that Samba acts as a router between the AD client and the KDC.
  +
This would work for MIT-krb & for Heimdal.
  +
</li>
  +
<li> If we do have to build a libkdc interface for MIT's KDC,
  +
Samba4 will need the KDC to use
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#.2A.2A_Samba4.27s_portable_socket_API '''Samba's socket library''']
  +
correctly.
  +
</li>
  +
</ol>
  +
  +
==== [[Later: TGS access-control]] ====
  +
MIT krb will need to support these AD features, once Samba4 does.
  +
Alternatively, this could be seen as an opportunity for MIT-based
  +
Samba4 to surpass Heimdal-based Samba.
  +
<ol>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#HBAC_for_the_TGS '''Add HBAC to the TGS'''],
  +
so that Samba4 can refuse TGTs to kinit,
  +
based on time-of-day & IP-addr constraints;
  +
<ol>
  +
<li> DTD: This is natural; the TGS should enforce its own
  +
access-control, as all other services do.
  +
</li>
  +
<li> TGS-HBAC is part of the rationale for
  +
[http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Data-Abstraction_Layer_.28DAL.29 '''rewriting the DAL'''].
  +
</li>
  +
</ol>
  +
</li>
  +
<li> [http://k5wiki.kerberos.org/wiki/Task-List_for_Samba4_Port_(Andrew_Bartlett)#Failed_PW_lockouts '''Failed-kinit counts''']:
  +
Add a KDC heuristic for tracking intervals between kinits,
  +
so that Samba4 can enforce AD's unified account-lockout on kinit.
  +
Samba4 already does lockouts for other PW-based authentication methods
  +
(NTLM, LDAP simple bind, etc).
  +
</li>
  +
</ol>
   
 
----
 
----
   
==== Maybe not: Add a KDC-as-library API ====
 
  +
== Samba's use of Heimdal symbols, with MIT differences ==
Samba4 currently runs as a single process, and Samba4 invokes the Heimdal
 
  +
KDC via a libkdc interface (KDC as library).
 
  +
Samba4 uses around
Andrew Bartlett says this libkdc interface is "nice to have",
 
  +
[http://k5wiki.kerberos.org/wiki/Samba%27s_use_of_Heimdal_symbols%2C_with_MIT_differences '''265 Heimdal symbols:''']
not essential.
 
  +
# 150 functions,
Tomt Yu says adding a libkdc interface to MIT's code would be a lot
 
  +
# 45 structs & typedefs, and
of work, but would tie naturally into code-cleanup work that MIT wants
 
  +
# 70 macros & enums.
to do, anyway.
 
  +
  +
Of these, roughly half present problems for the port:
  +
# 25 symbols have different definitions in the MIT & Heimdal trees.
  +
# 110 symbols are missing from MIT's krb5 tree.
  +
  +
----
  +
  +
== Samba4 Interfaces with Heimdal ==
  +
  +
<ol>
  +
<li> Samba4's
  +
[http://k5wiki.kerberos.org/wiki/Samba4_Port:_hdb_%26_ldb_Interfaces '''Database Interfaces''']
  +
enable Heimdal to use Samba4's directory data,
  +
whether the directory is stored in LDAP or in local disk files.
  +
</li>
  +
<li> Heimdal's
  +
[http://k5wiki.kerberos.org/wiki/Samba4_port:_libkdc_Interface '''libkdc Interface''']
  +
gives Samba4 a direct subroutine interface to the Heimdal KDC,
  +
with the KDC running as part of the Samba4 process.
  +
</li>
  +
</ol>
   
 
----
 
----

Latest revision as of 08:40, 18 September 2009

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Introduction

Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos as an alternative. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and MIT-krb5 realms.

Use case: For example, suppose a kerberos customer is deploying a network with mixed operating systems using kerberos and would want to use one KDC for all of them. In this case, a single MIT Kerberos deployment should be able to support both traditonal UNIX clients and servers, intermixed with Windows clients and Samba servers:

  1. The Windows clients should be able to use the MIT KDC(s) as AD servers, so as to authenticate themselves to Samba file-servers and to Windows servers;
  2. A Windows client's tickets will carry PACs, as usual for AD;
  3. The UNIX clients should be able to access the KDC as a traditional non-AD-style KDC, so as to access UNIX services securely;
  4. A UNIX client's ticket will not carry a PAC, except when the UNIX client accesses a Windows server (Rationale) .

The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project. Here is a table showing which OS platforms are supported by Samba4, Heimdal, and MIT kerberos. Summary: MIT-krb5 & Samba4 both run on Mac OS X, NetBSD, Debian, RedHat, Ubuntu, & Solaris.


Concise to-do list

This is a condensed version of the task-list offered by Samba4's Andrew Bartlett, containing only what hasn't yet been done already by MIT.

The two big chunks of work are LDAP Driver and Replacing / improving MIT's DAL, but the DAL work may not be needed.

Replace the MIT KDC's LDAP driver

Samba4's LDAP driver for the MIT KDB needs to know how to do AD's intricate naming:

  1. Canonicalization of server names, user-names, and realm names. MIT 1.7 already supports canonicalization.
  2. AD-style aliases for HOST/ service names.
  3. Implicit names for Win2k accounts.
  4. Principal "types": client / server / krbtgs
  5. Flexible server-naming
  6. Keytabs & name-canonicalization

Most or all of Heimdal's LDAP driver code is in three Samba4 source files, ~1000 lines in all.


Small changes

Of the things on this list, only NTLM support (bullet 2) is needed for the Samba4 KDC port. The other tasks are all application-library stuff, and arguably aren't needed at all, because Samba3 already works well with MIT application libraries.

  1. MIT library changes
  2. Samba4/AD libraries: NTLM support. See also this Sept-2009 NTLM thread (this implies to me that a GSS NTLM mech is not an immediate requirement - LH)
  3. Key-handling changes]
  4. Extra Krb library functions
  5. Error-handling, logging, testing

Use 1.7's AD-support features

This stuff should already just work:

  1. PAC handling;
  2. AD-style name canonicalization;
  3. NT-ENTERPRISE names, which carry two realm-suffixes;
  4. CHECK_POLICY/AUDIT methods (needed for TGS access-control);
  5. DCE_STYLE Challenge/Response handshakes: see Krb lib & GSSAPI.
  6. Accept legacy Samba3 clients' bad GSSAPI checksums;
  7. Principal-manipulation functions;
  8. State-machine safety;

Controversial proposed changes for the port

Maybe: Improve or replace MIT's DAL

Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see & manipulate more LDAP detail, on Samba4's behalf;

Maybe, or not: Add a KDC-as-library API

Samba4 currently runs as a single process, and Samba4's smbd invokes the Heimdal KDC via a libkdc interface (KDC as library).

  1. Rationale:
    1. smbd uses the libkdc interface to configure the KDC, both at startup & during runtime.
    2. Samba4's build/test environment uses libkdc's socket-passing, to simulate network traffic.
  2. Andrew Bartlett says this libkdc interface is "nice to have", but not essential for getting the port to work.
  3. Tom Yu says adding a libkdc interface to MIT's code would be a lot of work, but would tie naturally into code-cleanup work that MIT wants to do, anyway.
  4. Sam Hartman says he needs the libkdc interface, too, for his work on PK-U2U (but not immediately).
  5. Another way, which Simo dismisses on Samba4's behalf: Samba can use iptables remapping, but only for kdc packets, so that Samba acts as a router between the AD client and the KDC. This would work for MIT-krb & for Heimdal.
  6. If we do have to build a libkdc interface for MIT's KDC, Samba4 will need the KDC to use Samba's socket library correctly.

Later: TGS access-control

MIT krb will need to support these AD features, once Samba4 does. Alternatively, this could be seen as an opportunity for MIT-based Samba4 to surpass Heimdal-based Samba.

  1. Add HBAC to the TGS, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints;
    1. DTD: This is natural; the TGS should enforce its own access-control, as all other services do.
    2. TGS-HBAC is part of the rationale for rewriting the DAL.
  2. Failed-kinit counts: Add a KDC heuristic for tracking intervals between kinits, so that Samba4 can enforce AD's unified account-lockout on kinit. Samba4 already does lockouts for other PW-based authentication methods (NTLM, LDAP simple bind, etc).

Samba's use of Heimdal symbols, with MIT differences

Samba4 uses around 265 Heimdal symbols:

  1. 150 functions,
  2. 45 structs & typedefs, and
  3. 70 macros & enums.

Of these, roughly half present problems for the port:

  1. 25 symbols have different definitions in the MIT & Heimdal trees.
  2. 110 symbols are missing from MIT's krb5 tree.

Samba4 Interfaces with Heimdal

  1. Samba4's Database Interfaces enable Heimdal to use Samba4's directory data, whether the directory is stored in LDAP or in local disk files.
  2. Heimdal's libkdc Interface gives Samba4 a direct subroutine interface to the Heimdal KDC, with the KDC running as part of the Samba4 process.