Simo's Blog


Samba + MIT Kerberos, first steps are done

I've been working on rebasing the samba patches to be able to push them upstream. After some quite deep rebasing work I was able to push all of the changes required to common code, and the amount of changes was surprisingly small, all considered.

Today I finished nailing the last bits in the samba and mit sides of the plugin, implementing both the policy check calls and the constrained delegation calls. I will propose the patch to both upstreams soon.

Meanwhile my focus has been shifting toward Cross-Realm trust relationships, and in particular External and Forest trusts in AD parlance, both one-way and two-way.

Unfortunately the samba 4 code still does not support cross-realm trusts, so I had to use 2 Windows 2008 Servers to do my experiments.

The amount of calls that need to be implemented does not look too big, although the devil is always in the details. It even seems that there is some code already available, but it is not fully patched in. As we stand, a Windows DC is able to actually create the trust domain object in Samba's database, but then Samba fails to reply to some queries about it and to set up Schannel over RPC to validate the trust from the Windows point of view.

I am considering working on Samba 4 to get it to work in a trusted realm scenario, but I still need to do some more research first.

Mail me if you have comments. They will be posted online after review.