
Subject: Listing third-party KDC modules
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: krb5-bugs@mit.edu
Date: Sat, 08 Jun 2019 07:35:18 +0000

Please document the available third-party KDC modules.

http://mailman.mit.edu/pipermail/krbdev/2019-April/013098.html mentions FreeIPA and Samba.

For Samba, reference https://wiki.samba.org/index.php/Roadmap_MIT_KDC .

https://web.mit.edu/kerberos/krb5-1.17/ says KDC supports S4U2Self requests when used with the Samba KDB module, but
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server leaves the impression S4U2Self does not work with
Samba. Please clarify.

I am not sure what the Samba roadmap entry is referring to. The MIT
KDC has supported within-realm S4U2Self since release 1.8. In release
1.17, the KDC supports cross-realm S4U2Self, if the KDB module issues
appropriate realm referrals. This KDC work was done by a Samba
developer, so it is my understanding that the Samba KDB module can
issue those referrals.

(There is another S4U2Self case where the client is identified by X.509
certificate instead of principal name. This case will be supported in
release 1.18, provided that the KDB module implements a new lookup
function.)

Subject: Re: [krbdev.mit.edu #8814] Listing third-party KDC modules
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: rt-comment@krbdev.mit.edu
Date: Fri, 21 Jun 2019 20:02:39 +0000

Hello,

I tried to get information on the Samba roadmap. In order to get access to the bugzilla, one has to write motivation,
and after my email from 10 June (attached), nothing happened.

Nevertheless, please document the known third-party modules that work to any extent with MIT Kerberos.

Kind regards
Дилян Палаузов

On Mon, 2019-06-10 at 00:21 -0400, Greg Hudson via RT wrote:
> I am not sure what the Samba roadmap entry is referring to. The MIT
> KDC has supported within-realm S4U2Self since release 1.8. In release
> 1.17, the KDC supports cross-realm S4U2Self, if the KDB module issues
> appropriate realm referrals. This KDC work was done by a Samba
> developer, so it is my understanding that the Samba KDB module can
> issue those referrals.
>
> (There is another S4U2Self case where the client is identified by X.509
> certificate instead of principal name. This case will be supported in
> release 1.18, provided that the KDB module implements a new lookup
> function.)

Message-ID: <1f66ea95e42da923c21c55ab2b535328aa7fc4d5.camel@aegee.org>
Subject: MIT Kerberos with S4U2Self support | why i want a bugzilla account
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: bugzilla-maintenance@samba.org
Date: Mon, 10 Jun 2019 12:33:00 +0000

Hello,

I am mailing you, since the procedure for creating new BZ accounts, described at
https://bugzilla.samba.org/createaccount-save.html suggests so.

Please update https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server to state, to which extent S4U2Self,
S4U2Proxy, PKINIT… are (not) supported.

The release notes for MIT Kerberos 1.17 at https://web.mit.edu/kerberos/krb5-1.17/ state:

Protocol evolution:
• The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba's. The client
code for cross-realm S4U2Self requests is also now more robust.

I asked at krb5-bugs@mit.edu on Saturday:

https://web.mit.edu/kerberos/krb5-1.17/ says KDC supports S4U2Self requests when used with the Samba KDB module, but
https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server leaves the impression S4U2Self does not work with
Samba. Please clarify.

On which the answer today was:

Subject: [krbdev.mit.edu #8814] Listing third-party KDC modules
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>

I am not sure what the Samba roadmap entry is referring to. The MIT
KDC has supported within-realm S4U2Self since release 1.8. In release
1.17, the KDC supports cross-realm S4U2Self, if the KDB module issues
appropriate realm referrals. This KDC work was done by a Samba
developer, so it is my understanding that the Samba KDB module can
issue those referrals.

(There is another S4U2Self case where the client is identified by X.509
certificate instead of principal name. This case will be supported in
release 1.18, provided that the KDB module implements a new lookup
function.)

That said, please update:
https://wiki.samba.org/index.php/Roadmap_MIT_KDC and https://wiki.samba.org/index.php/Roadmap#Active_Directory_Server to
include more precise information on what works and what does not work with MIT Kerberos 1.17.

Regards
Дилян