Fri, 04 May 2007
It's been a year since I last visited Europe, and spoke at the annual
SambaXP event, so again I'm tracking across the globe, laptop in hand
to our annual geek-out, hosted by SerNet in Goettingen, Germany.
This time it's a little harder - I'm now a married man, and time away
is hard on both of us - but I'm still very much enjoying the trip, and
the chance to catch up with friends, old and new.
This year I'm presenting on a similar topic to last year - Directory
Services - but I hope to bring more than vaporware to the party. It
has been a long year of work to get an LDAP backend to Samba4, and I
hope I give suitable enough credit to everybody else who worked on the
features that I so critically depend on.
I'm hoping to make a little bit of a splash, and I've planned a live
demo - a risky, but usually entertaining option for a talk. I'm
hoping to show off what is special about Fedora DS (particularly as
Howard Chu of OpenLDAP is giving a keynote), in the spirit of friendly
rivalry: I'll show Samba4 in front of 2 replicating Fedora DS
servers, in a multi-master replication agreement.
One of the great advantages of Fedora DS is that it's the only Free
Software LDAP server that I know of with full multi-master replication
(including all the fiddly bits of per-attribute conflict resolution).
This should show that, even if we don't have full DRSUAPI (native AD
replication), we can have more than a single AD master - nobody
would want Samba4's features in a site with just a single DC. By
making replication 'somebody else's problem', we leave that to the
experts (replicated LDAP implementations).
It is taking some time to get this demo ready, mostly because I'm
still fairly green at Fedora DS, and to make the demo 'real', I'm
adding in the CN=Configuration partition to the LDAP backend. This
has required some work on Samba4, and its configuration of the LDAP
backends, particularly as we have very specific subtree search
behaviours we are looking for.
Andrew Bartlett
2007-04-23
posted at: 20:40 | path: /abartlet
After SambaXP, I decided to experience the full glory of German
trains. Well, that wasn't the prime motivation, but by train is how
you get around in Germany, and I first travelled north to Bremen.
I stayed as a guest of Univention, a small German IT firm, which has a
product based around Samba 3.0. As with many companies looking
forward, they are interested in how Samba4 could fit into their
product, and it was their interest that got ldb_map going again, as
they proposed one of their interns (Martin Keuhl) for a Google Summer
of Code project to fix it up last year.
Then I took a long trip south, and stayed with Kai Blin, in Teubligen,
near Stuttgart. Kai has been a Google SoC student for Wine the past
two years, and this year has been accepted to work on Samba4's
winbind. I wanted to get to know him better, and to help him get
started with his work.
I had a wonderful time, and very much enjoyed Kai and Regi's
hospitality. Importantly, we also worked on winbind bugs, isolating a
pidl issue that metze eventually fixed, to get NTLM pass-through
authentication working on our member server. I hope this gives Kai an
easier start, when he begins his coding, but the real benefit was
getting to know him - understanding people in the flesh makes IRC and
e-mail interactions so much easier...
Now I'm on my long trip home, with the jetlag and my wife's arms to
look forward to.
Andrew Bartlett
2007-05-01
posted at: 20:40 | path: /abartlet
Yesterday Howard Chu paraded his latest benchmarks on OpenLDAP and
other directory servers, and generally poked fun at the competition,
but today was all about Samba. We started the day hearing Volker
talk about how he had been cleaning up Samba3's 'room', taking
the drastic action that has been long-overdue to some of that
codebase. However, the really impressive talks were later in the day:
Julian presented OpenChange, the exchange connector built on Samba4's
DCE/RPC infrastructure. Sending and receiving mails may seem like a
simple task, but when you need to use Microsoft's proprietary
protocols to do it, this was a massive challenge that nobody has
succeeded at in the past. The existing 'WebDAV' connector is a kludge
at best, compared with this 'native protocols' implementation.
The other impressive talk was that of Metze. Working long and hard on
his research thesis for his university studies, Metze has implemented
pull and push replication with Windows over DRSUAPI. Similarly, this
is a massive breakthrough in the use of native protocols, and means
that we know the internal database format used by windows. This will
allow products like Fedora DS's AD Sync to be improved, to use native
protocols, and I talked to Howard about doing the same for OpenLDAP.
I hope we can see this as a useful tool component, for other projects
to pick Samba4 up for.
Jelmer and I then took the stage to discuss the progress of Samba4.
It has been a long year, but we have made a great deal of progress,
and similarly Jelmer made a much better presentation (with better
planning and practice). We still did this together, as we have
effectively become co-release managers, but Jelmer did most of the
speaking this time.
We are hoping to move to an Alpha release of Samba4 in the next few
months (next stop is one more 'TP', hopefully in the next week or
two). Given the list we promised last year, we just don't have that
many blockers any more: In particular, we know the database format, so
we won't lose/require conversion of users' passwords.
My talk on Fedora DS didn't go as well - between the two presentations,
my screen locked, but gnome-screensaver didn't display a password
dialog (just a black screen). I restarted X, and then lost its link
to the external display (as I found out only when I got up front).
Tridge came to the rescue, restarting the computer for me, while I
started my talk, but it left me a little flustered. I never got to
the demo I worked so hard to create, but hope to at least get
reproducible instructions out of it. I did demo the smart-card
insertion technology (Love had commented that loading smart-cards was
too hard), and at least that worked.
Andrew Bartlett
2007-04-25
posted at: 20:40 | path: /abartlet
Fri, 28 Apr 2006
And again, I find myself on a train, as SambaXP ends for another year.
SambaXP is 'the' Samba conference, and provides a great opportunity
for us to meet up, particularly for our developers in Europe. Even
with the horror of 23 or so hours flying from Australia, I haven't missed
a conference yet.
Particularly in recent years, SambaXP has given us an opportunity to
hear from our users, as they present on their deployments and
experiences. This is something that we just can't get at the other
annual conference (the CIFS conference) that many Samba team members
attend.
Likewise we get to talk about technical details of Samba's internals,
without fear that we are exceeding our mandate, or dominating the
schedule. With Tridge away on EU duty, it was left to Jelmer and I to
deliver the Samba4 Status report. (Including the compulsory live
demo). I also had an opportunity to discuss ideas about how we might
integrate Samba4 with existing directory servers.
While presentations are important, equally so is the ability to
spend time with my fellow developers. In particular, it was a great
opportunity to meet with Kai Blin, a Wine developer experimenting with
making Wine use Samba4's GENSEC. While we were making very good
progress on e-mail and IRC, there is nothing quite like working
problems out in person.
Andrew Bartlett
2006-04-27
posted at: 04:30 | path: /abartlet
I have this arrangement: Every Saturday, when I'm in town, I spend part
or all of the afternoon doing something with my Grandmother. It is a
special time for both of us, and something we both look forward to.
But there is a catch to this regular routine 'when I'm in town'. I
won't be home again for a bit, and it will have been 6 weeks by the
time I return.
I've had a ball. I returned to Tasmania for the first time since I
was 12, and we spent 3 weeks hiking and camping around the apple isle.
And now I'm on a train as I travel through rural Germany. I'll also be
at LinuxTag before this trip is over.
Meanwhile, back at Hawker (where my Linux network remains, for an
unknown length of time), it seems my computers miss me too. As we
descended from our camp at Cradle Valley, a message appeared on the
mobile: 'Ring Ben'. Ben is one of the year 12 students at Hawker, and
in year 11 he was taken on as a 'School-based New Apprentice'. As the
Network admin, I tried to train him and James in the mysterious arts
of systems and network administration. In any case, as I left, I
handed him the keys, and a phone number in case it all went to mush.
It went to mush: Somehow they knew, and a server locked up, was
rebooted, and never returned.
It's not the first time this has happened. Just before I left for the
CIFS conference in 2004, a server decided to spit disks out of its
RAID array. I got the critical files onto an alternate server, while
my father waited in the carpark, waiting to rush me to the airport.
Or when my mobile rings, and I'm half-way down the Hume highway to
Melbourne, or attending a family funeral...
How do they know?!?
Andrew Bartlett
2006-04-27
posted at: 04:30 | path: /abartlet
Wed, 08 Mar 2006
I recently found some time to get away from the computer, and spent it
on the NSW Big Bike Ride. I, and 700 others, rode our bicycles from
Holbrook to Binalong, over a distance of around 550KM, taking 9 days.
This was an event like no other that I had ever been a part of, and I
most certainly enjoyed it. But what I enjoyed most was the time spent
with friends, old and new, doing something we all loved.
I'll remember the days, both easy and very, very hard. I'll remember
the 6AM wakeup calls, from a big bloke named 'Debbie' (a one-off joke
that stuck). I'll remember packing up a tent in 15mins, still wet
from the morning dew. I'll remember riding in the crisp morning air,
before the sun and the wind. I'll remember the sunscreen (applied
like paint, yet still feeling like it will still all sweat off). I'll
remember the long, long day: 98KM of up and down hills (how could I
ever forget).
But most of all I will remember spending time with people I grew to
know well, and whose company I treasured.
Andrew Bartlett
2006-03-07
posted at: 06:23 | path: /abartlet
Mon, 23 Jan 2006
I recently gave a presentation at the Linux in Education mini-conference,
and was again bugged for my collection of scripts that I use at Hawker
College (a year 11/12 High School in the ACT). As the network at Hawker
is 'upgraded' to Win2003, I hope that some last part of what we have
learnt at Hawker is useful to a wider world.
Hawker's network is a collection of Linux servers, all tied together
by a bunch of perl scripts. I've uploaded these to my scripts directory
on my homepage.
These scripts, and a pile of 'junk code' snippets continually modified
for various tasks, are what runs my entire network. There is no
documentation, just the source.
I originally gave this presentation at the Association of Independent
Schools IT managers conference (when I worked for Novell), but
I gave it again at LCA.
Andrew Bartlett
2006-01-23
posted at: 15:50 | path: /abartlet
Fri, 13 Jan 2006
It is 3 months since Tridge posted his proposal for a Samba4
technology preview, and almost a month since I started a real push on
the topic. It has been a wild ride, with hundreds of commits, strong
mailing list discussion and real progress on packaging and external
testing.
For me, the race for a technology preview started while I was spending
time in the US, talking with companies about Samba4. I was hoping to
drum up the kind of interest that would put a corporate backing behind
the Samba4 DC (and potentially find me some work back home in the
process). But time after time, I found myself having to sell our
progress so far, against a backdrop without a prospect of a release.
We have made great progress on Samba4, and we achieved an AD domain join
and login with Kerberos and the infamous PAC months ago. But as Roger
Binns (of BitPIM fame) so eloquently put it: 'If you never release,
you never release'. Each manager and engineer I talked with didn't
know of our progress so far, and was pleasantly surprised. But
pleasant surprises don't sell us into upper management, don't get
us users and don't attract developers.
I came back from the US energised and with a single goal in mind: To
produce a technology preview by the time Tridge gave his 'Samba4
status update' talk at Linux.conf.au in Dunedin NZ.
And that has been my battle ever since. Joined in my cause have been
my fellow developers, both on the Samba Team and further afield. In
particular Jelmer, Metze and Simo found time in their Christmas holidays to
keep the tree ticking over, and Steinar H. Gunderson pushed the Debian
packaging from an in-tree idea into a reality in Debian's experimental
distribution.
Samba4 is rapidly growing up, and I've been able to put some polish on
the raw technologies. For example, we now support 'vampire'
operations from the SWAT GUI, doing the domain join and vampire in the
one action. This extracts the full user database from windows and
replicates it, including passwords and Kerberos attributes, into
Samba4's LDB database.
Likewise, we have closed off some of the silly things that were
blocking the release, like bugs in SWAT and lack of any access control
on LDB. While the solutions may not be final, we can at least make
the technology preview release with a straight face.
To everybody who has helped us get this far, Congratulations!
Andrew Bartlett
2006-01-14
posted at: 18:20 | path: /abartlet
Fri, 30 Dec 2005
As the Christmas week rolls by, it seems right to ponder the different
and very enjoyable ways I have spent this time over the past years.
In the past few years I have enjoyed spending some of the time before
Christmas camping, particularly at Tidal River, Wilsons Promontory. A
few years back we were fortunate enough to spend Christmas day there.
This year Christmas was postponed by a few hours (into the early
evening), and Dad and I used the opportunity to go for a bike ride.
The weather was great, not too hot, and we circled Lake Burley Griffin.
That the roads were dead quiet was no surprise, but what I was quite
pleasantly surprised by was how many families had chosen the lake
foreshore for the Christmas lunch. All around the lake, families were
enjoying each other and this magnificent centrepiece to our capital.
As we completed our ride, most had packed up, and we got home for our
own Christmas dinner, the quiet ride such a counterpoint to the hassle
and bustle so often associated with this season of Peace and Goodwill.
Andrew Bartlett
2005-12-31
posted at: 22:10 | path: /abartlet
Sun, 18 Dec 2005
Over the past few weeks and months, some great progress has been made
in the area of the Samba4 KDC and Kerberos library. This has been in no
small part due to the cooperation of the Heimdal Kerberos team,
in the form of Love Hörnquist Åstrand.
I have been working to make Samba4's hooks into Heimdal more
reasonable, and as I have done so Love has merged many of them into the
upstream code. As an example of this, we recently changed the HDB
interface, so that it would return pointers to allow additional
manipulation (such as give me a PAC for this user). These are
critical hooks for Samba4, but are also unique to our requirements.
Love has met me half way, not introducing all the hooks into Heimdal,
but making my patch adding them smaller. This makes it easier for me
to merge new upstream code, and ensures more of the code-paths in
Samba4 are tested by other Heimdal users.
At the functional level, we now have the same level of account
management checking in Heimdal as the NTLM authentication code, and we
correctly issue the PAC into the TGT. Behind the hdb interface, we
are now able to call into common libraries for name translation and
authorisation, including hacks such as the 'netbios name as
workstation'.
On the much more mundane level, I have had a number of other issues in
Heimdal and Samba4 resolved with ease: My changes for GSSAPI
credentials were not accepted, instead Love coded a better API.
Similarly, MEMORY: keytabs have been improved due to Samba's
requirements.
This day to day co-operation has made my life much easier, as I
navigate the maze that is Kerberos.
Andrew Bartlett
2005-12-17
posted at: 00:40 | path: /abartlet
Sat, 12 Nov 2005
And the peace of God, which transcends all understanding, will guard
your hearts and your minds in Christ Jesus. Philippians 4:7 (NIV)
In the Anglican tradition, this forms part of the final blessing in
the service. Like much of the liturgy it is said so often, but it
really seemed to mean something in the past week:
It has been a rough week, and in many ways I feel like a punching bag,
taking a hit, and recoiling for more. So many things are changing,
yet each day I stand up, even more ready for what the world may
bring.
I should have every right to feel angry: Life was already changing,
but in the course of a week, I lost both a contract position with SuSE
and learned that the Linux/Samba/LDAP network I built at Hawker
College would be dismantled, to be replaced with Windows 2003.
But angry is not how I feel. Disappointed certainly. Frustrated, but
more than ever in such difficult circumstances I felt peace. I cannot
explain it any way but in faith, and in the sound knowledge that no
matter the frustrations of this world, that there are much bigger
plans for my life.
Andrew Bartlett
2005-11-13
posted at: 16:50 | path: /abartlet
Sat, 03 Sep 2005
Over the weeks before the CIFS conference, both metze and I spent time
trying to track down remaining problems with the PAC. We got to the
stage of being able to verify the signature, and later to
reconstructing an identical PAC, through a full parse and resign
process.
So, why did I venture off into the world of SamSync? SamSync is the
windows NT4 SAM (users, groups and passwords) replication protocol.
It features in the 'net rpc samsync' command in Samba 3.0, and is a
key feature there. I had spent some time on the protocol in late
2004, but why finish off that work now? It certainly sparked comment
from Tridge, along the lines of 'samsync is important, but it's not
exactly key for a release. How about domain member support?'.
This is why I call it the unlikely hero, because it seemed just a
diversion. What I knew, (but Tridge didn't yet know), was how I was
trying to prove our internal routines:
What we were not confident of was the data inside the PAC: could the
data, rather than the format, be causing the client rejection?
To answer that, we needed to be able to match the windows data, to
operate in a mode where we would issue exactly the same data as we
would see from a windows system, to show that it matched. From there
we should be able to do a byte-for-byte comparison, and prove we had
things correct.
I saw there being two ways to get data identical to windows: One is
to hard-code the correct data ad hoc into various points in the
code, while the other would be to 'correctly' generate that data from
the database. I chose to pursue the generation option, because we
would need to have a correct mapping from ldb to the PAC structures
anyway. (We could also validate with LDAP the correctness of the
SamSync, and therefore validate the entire area pretty well).
The SamSync turned out to be even more useful than that, and when
Tridge and I were playing the proxy attacks between the windows client
and AD DC, we could do so knowing we had at all times the full and
current set of (preferred) arcfour-hmac-md5 keys. This allowed us to
swap Samba4 and AD for each other without changing the client at all,
as well as giving us the key material for 'resigning' the PAC (when
the TGT was generated by AD, but we issued the service ticket).
Like all things, the SamSync code could be improved, and the main pain
we felt when using it was the lack of msDS-keyVersionNumber
replication (as this is not an NT4 concept). In production, we may
have a combination process using both LDAP and SamSync, or move to the
newly decoded DSSsync code (the AD way of doing things).
Andrew Bartlett
2005-09-04
posted at: 07:00 | path: /abartlet
Just a week ago, we finally figured out the last of the problems with
the PAC. Nothing complex really, just one time field that must match
another.
It makes it seem so simple really: What was not simple were the
efforts we needed to put in, to get this far.
Between the two of us, we spent Thursday and Friday of last week on
the problem, working though the status so far, and devising solutions.
Thursday was a day of frustration: Particularly with an odd bug in
ethereal, which prevented us seeing or copying the decrypted data,
despite it being displayed in the protocol tree.
We reproduced the problem, analysed traces, compared tickets, and
everything seemed to be in order. There were a few flags different,
but nothing that stood out.
The evening rolled around, and we both headed out for a night of geeky
talks and pizza at CLUG. Tridge continued to work that evening, and I
got some well-needed sleep.
Clearly this wasn't a problem that Tridge was going to let die,
because the next morning (Friday) I heard news that Tridge had made
it work, if we didn't use our KDC (but used Microsoft's instead).
This started the process to chase things down, and after spending the
day on other tasks I returned to work on the puzzle.
That finding simplified the problem down, and we could smell a possible
victory. By later that evening we had cracked it.
Tridge made an interesting post detailing some of the final steps we used, which is well-worth repeating here:
I thought it might be useful to describe the specifics of this
technique, as others working on similar problems may find it useful.
Andrew and I set up a vmware network like this:
------- w2k3 PDC
|
Samba4
|
------- w2k3 member server
The Linux box had 2 virtual network interfaces, on 192.168.114.1 and
192.168.115.1.
We first joined the w2k3 member server to the w2k3 PDC's domain. Then
we used the samsync code to replicate the account information from
that PDC onto the Samba box, so the Samba4 box was using exactly the
same keys and account information as the w2k3 box for the same domain
name.
Then we used a combination of 'sockspy' and 'udpproxy' which are two
little hackish C progs from junkcode (junkcode.samba.org) to proxy
different combinations of the various protocols, alternately allowing
the Samba4 box to serve the protocols or the w2k3 PDC to serve them to
the w2k3 member server. The various protocols we needed are:
- udp 88 - kerberos
- udp 53 - dns
- udp 389 - cldap
- tcp 135 - rpc portmapper
- tcp 139 - SMB/CIFS
- tcp 389 - ldap
- tcp 445 - SMB/CIFS
- tcp 1024, 1025, 1026 - RPC
So we did things like this:
UDP="88 389"
for p in $UDP; do
./udpproxy $p 192.168.114.5 $p &
done
TCP="135 139 389 445 1024 1025 1026"
for p in $TCP; do
while ./sockspy $p 192.168.114.5 $p; do date; done &
done
and in that way we proxied whatever selection of protocols we wanted
to.
The first test was to proxy all protocols, except for DNS which we
set up on the Linux box to always point all the PDC names at the Linux
box IP. This was the 'null' test, and showed that logins work via the
proxies.
Next, we proxied all protocols except kerberos, and set up smbd to only
serve kerberos. This showed the "PAC bug", as expected. That proved
that the bug is definitely kerberos related, and not an artifact of
some RPC or LDAP problem.
Next, we proxied only kerberos, serving everything else from
smbd. In this case the login worked, again showing the bug is kerberos
related.
Finally, we hacked udpproxy.c to only proxy packets smaller than 400
bytes. This was a really nasty hack, but had the effect of only
proxying the AS-REQ packet, and not the TS-REQ. This meant the client
gave us back the PAC from the AS-REP from the real PDC in the TS-REQ,
which meant that the Samba4 kdc received the real PAC from the w2k3
box. We could then re-sign this PAC using the clients keys and send it
out in the TS-REP from smbd. This worked, giving us a successful
login.
That last test proved the problem lay in the PAC itself, and not in
any other part of the krb5 packets. From there we did a byte by byte
comparison of our generated PAC to the one that w2k3 gave, and tested
'fixing' each field by replacing it with the field from the w2k3
PAC. The field that turned out to be critical was
LOGON_NAME->logon_time, which must exactly equal the time from the
AS-REP authtime field. That solved the puzzle.
Cheers, Tridge
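As an added example (not Tridge's udpproxy from junkcode, nor any Samba code), the Python below reproduces the size-filtered UDP forwarding he describes: a proxy that relays datagrams up to a threshold to the upstream server and silently drops the rest, so a client's small request reaches the real server while a larger one never does. It runs entirely on localhost; the "upstream PDC" is a constructed echo server, and the 100/600-byte payloads are stand-ins for AS-REQ and TGS-REQ sizes, not real Kerberos messages.

```python
import socket
import threading

def should_forward(datagram, max_len):
    """Forwarding policy: pass the datagram through unless it exceeds max_len."""
    return max_len is None or len(datagram) <= max_len

class _UdpService:
    """Minimal threaded UDP receive loop shared by the proxy and the echo server."""
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))  # OS picks a free port
        self.sock.settimeout(0.2)          # poll so stop() can interrupt recvfrom()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def address(self):
        return self.sock.getsockname()

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            self.handle(data, peer)

class EchoServer(_UdpService):
    """Constructed stand-in for the upstream w2k3 PDC: answers each datagram with itself."""
    def handle(self, data, peer):
        self.sock.sendto(data, peer)

class UdpProxy(_UdpService):
    """Relay datagrams to `upstream` and the reply back; silently drop oversize ones."""
    def __init__(self, upstream, max_len=None, reply_timeout=1.0):
        super().__init__()
        self.upstream, self.max_len, self.reply_timeout = upstream, max_len, reply_timeout
        self.forwarded = self.dropped = 0

    def handle(self, data, client):
        if not should_forward(data, self.max_len):
            self.dropped += 1   # the client just sees a timeout, as with the 400-byte hack
            return
        self.forwarded += 1
        # One upstream socket per request, so the reply unambiguously belongs to this
        # datagram and can be relayed back to the client that sent it.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
            up.settimeout(self.reply_timeout)
            up.sendto(data, self.upstream)
            try:
                reply, _ = up.recvfrom(65535)
            except socket.timeout:
                return
        self.sock.sendto(reply, client)

def probe(proxy_addr, payload, timeout=0.5):
    """Send one datagram through the proxy; return the reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.settimeout(timeout)
        c.sendto(payload, proxy_addr)
        try:
            return c.recvfrom(65535)[0]
        except socket.timeout:
            return None

def demo(max_len=400):
    """Constructed run: a 100-byte 'AS-REQ' passes, a 600-byte 'TGS-REQ' is dropped."""
    echo = EchoServer().start()
    proxy = UdpProxy(echo.address, max_len=max_len).start()
    try:
        small = probe(proxy.address, b"A" * 100)
        large = probe(proxy.address, b"B" * 600)
    finally:
        proxy.stop()
        echo.stop()
    return {"small_replied": small == b"A" * 100, "large_replied": large is not None,
            "forwarded": proxy.forwarded, "dropped": proxy.dropped}

if __name__ == "__main__":
    print(demo())
```

Pointing `UdpProxy` at a real upstream instead of the echo server, and running one instance per UDP port from Tridge's list, gives the same selective-proxy arrangement used to isolate the PAC problem to Kerberos.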
Andrew Bartlett
2005-09-04
posted at: 07:00 | path: /abartlet
Fri, 19 Aug 2005
I always 'knew' what testing involved, and have been happy to run
'make test', to give myself some confidence that a change was good, or
even to work on the automated testing system that is the samba build
farm. What I've never done before is a real-life binary search over
months of Samba changes, in the hunt for a real regression.
That is how I've spent the past couple of days, working on my test-net
at Hawker College, trying to pin down why Samba 3.0.13 worked, but
Samba 3.0.20rc2 didn't.
In many ways, the procedure is simple:
- Download Samba
- Install Samba
- Attempt domain logon from windows client
- Record result
- Save network trace
- Reset client
This is done in a bisection, as we try to half the distance to the bug
each time.
What is not simple is the waiting, particularly as my poor, slow test
server (a PIII 700Mhz) compiles up yet another Samba revision.
But with few other clues: the network trace suggests a particular
packet may be upsetting the client, but I'm not sure why or how, I'm
left to try and find the change-set that broke it.
Andrew Bartlett
2005-08-19
posted at: 02:50 | path: /abartlet
Tue, 09 Aug 2005
As I slowly recover from jet-lag, I realise that it is all over again.
Again I'm at home, trying to migrate back into a normal sleep pattern,
and again I'm trying to do all the things I got so rev'ed up about at
the conference.
From trying to convince Windows to accept our PAC, to successfully
fixing Samba to accept logins from Windows Vista clients, it has been
an eventful week. Best of all was the chance to talk tech-to-tech
with the other CIFS vendors, and the long hours in the lab: able to
work face-to-face with the others on the team.
I hope we continue to get the opportunity to have such an event, be it
at the 'CIFS Conference' or something less formal. Now if only I can
stay in one spot long enough to implement all these things...
Andrew Bartlett
2005-08-09
posted at: 00:01 | path: /abartlet
Recently, I attended Convo C3, a 'youth' camp run by the local
Anglican Church. It was a great experience, mostly because of the
people I met.
One of the many questions posed at the camp was 'what is your image of
God, and how has it changed?'. And since then, I've been thinking
about this point: There are of course many images, but the one that
sprang to mind was that of a soft breeze over the water. Sitting in
the water, you can go about life pretending it's not there, but reach
out with faith, put up the windsurfer and God races you across the
surface, on an amazing journey with him.
The other image of God I have is very simple: It is people, and the
human condition. We are made in God's image, and much as we stray far
from that at times, the Church is about community, about people and
about relationships with one another.
As a certified geek (and currently working from home), I certainly am
feeling the last part: I gained so much from simply spending time with
the other campers at C3, hearing their story, telling mine, without
strings or overtones attached. It is sad: we so easily lose our
relationships with one another, yet these are the very things God gave
us to make us strong.
Andrew Bartlett
2005-07-05
posted at: 00:01 | path: /abartlet
Well, I finally did it: I graduated from the Australian National
University as a Bachelor of Software Engineering. I say finally,
because I decided to put it off for 6 months, to take a pre-Christmas
holiday instead.
I enjoyed the big day, wore my silly dress, silly hat and specially
coloured silly hood, walked across the stage and shook the hand of
the Chancellor. Actually, it all looked very nice.
But perhaps more noted in that big day were the comments made from the
podium: "and there will be some children with us on this special day
today, who we hope will some day walk proudly across a stage similar
to this one. And so, if they act as children, we won't let that
bother us one little bit. ". It brought such a beautiful humanity
to what was also a formal and joyful occasion.
Andrew Bartlett
2005-07-14
posted at: 00:01 | path: /abartlet
Perhaps the single biggest challenge in Samba4's implementation of the
windows logon protocols is that of the PAC. Microsoft's proprietary
extension to Kerberos, the PAC is a signed and validated data
structure that includes information on the user and their group
membership.
For the last 12 months, I have been working on and off, along with
others on the Samba and Heimdal teams, to build a KDC that a Windows
client will respect as one of its own. Slowly, we have built
backends, hacks, and patches for the KDC we derived from the Heimdal
Kerberos.
As the months have gone by, we have got closer and closer: We now
accept the PAC when generated by windows, and have written tests (with
static data) that ensure we continue to. We accept the PAC we
generate, and can produce a PAC that matches the windows format
exactly. But still, we don't have it quite right: something is
still wrong.
It is a game I have come to know as whack a mole: Always one more
thing, one more problem to be solved, and no particular clue how to
solve it. The hunt is again on, and the exact byte-for-byte
differences need to be tracked down, one by one.
For the moment, I've decided to leave the PAC, and I'll concentrate on
other areas in Kerberos (such as improving the structure of the link
between Heimdal and Samba4), as well as a kpasswd implementation. I
figure that even if I can't get windows to accept what I'm producing,
I may as well try to get Apple, NetApp and Samba3 clients to play
ball.
In going so far, I do have to thank Stefan Metzmacher and Love Hörnquist
Åstrand, because without their efforts, going even this far would not be possible.
Andrew Bartlett
2005-08-09
posted at: 00:01 | path: /abartlet