Projects/Samba4 Port
Contents
Introduction
Samba4 aims to provide a complete OSS replacement for Active Directory. Samba4, like earlier versions of Samba, uses Heimdal Kerberos. The Samba4 Port project proposes to enable Samba4 to use MIT kerberos instead. The near-term goal is that mixed krb5+AD deployments could use Samba4 to provide better interoperation between AD realms and krb5 realms.
The Samba4 team, the MIT Krb Consortium, RedHat, Ubuntu, and Sun all have shown some interest in this Samba4 Port project.
To do list
This is a task-list offered by Samba4's Andrew Bartlett, but Andrew is unsure of how much of this list is already available in MIT's 1.7 release.
Replace the MIT KDC's LDAP driver
- Our LDAP driver for the KDB needs to know how to do Samba4's intricate canonicalization of server names, user-names, and realm names.
- AD-style aliases for HOST/ service names.
- Implicit names for Win2k accounts.
- Principal "types": client / server / krbtgs
- Most or all of this code is in 3 samba4 source files, ~1000 lines in all.
MIT KDC changes
- Add HBAC to the KDC's TGT-issuance, so that Samba4 can refuse TGTs to kinit, based on time-of-day & IP-addr constraints; (LH: "use KRB5_KDB_METHOD_CHECK_POLICY_TGS method. We have access to the complete request. See against_local_policy_tgs() in policy.c .
- Turn on MIT-krb 1.7's PAC handling
- Add a heuristic for failed-kinit counts, to support AD-style unified account-lockouts across all authentication methods (Krb, NTLM, LDAP simple bind, etc). (Luke H says we can use a KRB5_KDB_METHOD_AUDIT_AS method for this.)
Controversial proposed changes for the port
Maybe: Improve or replace MIT's DAL
Rewrite the MIT KDC's Data-Abstraction Layer (DAL), mostly because the MIT KDC needs to see & manipulate more LDAP detail, on Samba4's behalf;