Simo's Blog


Hurray! Got the first ticket from MIT Kerberos + Samba 4

It is always a sweet feeling when things go the way you like, and fast too!

After just a week working around this Chimera, today I was able to tame the beast. I made krb5kdc return a TGT, reading all data off of Samba 4's internal database.

I can't feel anything but triumph. It is true that it is not that much after all, but I can't help feeling happy for the result. This effort has been put off for so long and deemed so difficult that I was very pleased to find out it wasn't too difficult after all.

Of course the job is not done. The impedance mismatch between Samba 4's embedded Heimdal and MIT Kerberos interfaces forced me to defer adding the PAC. Without the PAC, the nice Windows 7 refuses to log you in of course, but that was expected, so it didn't bother me in the least.

Adding the PAC is not difficult, and all the code I need is in Luke's HDB Bridge code, which also provided most of the guidance and code I needed for this effort.

Without Luke's code this effort would have been much more difficult indeed. The code itself is not very complex, but knowledge of both projects' internals was needed, and Luke provided the knowledge I missed on the MIT kdb plugin side.

I hope to have a hacky prototype able to add the PAC using Luke's code next week. Once I can make Windows work with this code, I will actually start working on trying to get slightly cleaner interfaces within Samba so that I can reduce the dependency on the Heimdal code hacks in the bridge code.

PS: if you want to see the work you can pull the code from these 2 branches:

Mail me if you have comments. They will be posted online after review.