Windows 2000/2003 Domain on Linux

g.w@hurderos.org
Tue Aug 10 17:55:43 EDT 2004


On Aug 5,  7:28pm, Thomas Schweizer wrote:
} Subject: Re: Windows 2000/2003 Domain on Linux

Good afternoon to everyone on the list, hope that the week is
progressing well for everyone.

> Luis Daniel Lucio Quiroz wrote:
> > Has anyone tried to do a Win2k domain under Linux?
> > 
> > Any doc?
> > 
> > I have already running and configured
> > Kerberos
> > DNS - With all SRV entries
> > Datetime service
> > SAMBA domain (NT4 style)

> Well, an ADS domain consists of Kerberos 5, LDAP and DDNS all glued
> together. It is unfortunately not sufficient just to have all of
> these services running. As we all know MSFT, they have added their
> own extensions (PAC, connectionless LDAP,...) to these protocols and
> the clients do rely on them. Hence it would be necessary to
> implement quite a lot of them. I think the major goal of Samba 4.0
> will be the implementation of a complete ADS-compatible directory
> service. But the time schedule is AFAIK not very concrete. So you've
> got to be a little patient...

A schedule that is not only not very concrete but ultimately very
problematic as well, IMHO.  Problematic enough that we launched the
Hurderos Project to see if there was an appetite for building an OSS
Active Directory work-alike without entertaining all the problems
secondary to building a clone.

I've argued myself almost blue in the face with a number of prominent
members of the Open-Source community over the glaring lack of response
that OSS has in this area.  Middleware isn't very sexy but it's the
stuff that organizations spend lots of money and time on and don't
change very much once they have it in place.  I think that AD has the
potential to be one of the most overlooked cards that can be played in
the arena of proprietary lock-down in the enterprise.

AD's current Kerberos implementation may be 'RFC compliant' but this
list is full of documentation for how little that means when it comes
to making multiple implementations inter-operable.  If I were a CIO of
a major corporation it wouldn't take me very long to be sold that AD
'just works' with the desktop and the host of other very popular
applications that organizations depend on.

Once that happens uprooting an increasingly complex and expansive AD
implementation is going to be more and more problematic.  This opens
the door for cutting the legs out from under the infiltration pathway
that OSS solutions have been using in the enterprise.

If I were a betting man I would wager that an exact Samba 4.x AD clone
will be the arena where patent litigation gets used to slow down
Open-Source.  Building a clone in this space is going to involve
treading very close to some sensitive legal ground.

> Cheers.

It will be interesting to see how all this plays out.  In the meantime
we are focusing on trying to give the community an alternative.

}-- End of excerpt from Thomas Schweizer

As always,
GW
------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org
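The original poster lists "DNS - With all SRV entries" as one of the pieces already in place. The following is an added example, not code from the thread or from the Hurderos Project, showing the kind of check a defender would run against their own zone before pointing Windows clients at it: it parses SRV records out of a BIND-style zone snippet, compares them against the well-known owner names Windows clients query when locating a domain controller, KDC, password-change service and global catalog, and flags targets advertised on a non-standard port. The domain example.test and the zone text are constructed for the example.

```python
"""Check a BIND-style zone snippet for the SRV records Windows AD clients query."""
import re

# Owner names (relative to the domain) that Windows clients look up during
# DC location and Kerberos/LDAP service discovery. These are the standard
# _tcp/_udp and _msdcs names a domain controller registers.
EXPECTED_SRV = [
    "_ldap._tcp",
    "_ldap._tcp.dc._msdcs",
    "_ldap._tcp.pdc._msdcs",
    "_kerberos._tcp",
    "_kerberos._udp",
    "_kerberos._tcp.dc._msdcs",
    "_kpasswd._tcp",
    "_kpasswd._udp",
    "_gc._tcp",
]

# Standard ports per service label; anything else is worth a second look.
STANDARD_PORT = {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464, "_gc": 3268}

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def parse_srv_records(zone_text, origin):
    """Return {relative_owner: [(prio, weight, port, target), ...]}.

    Owners written fully qualified (ending in '.') are made relative to
    `origin`; comments after ';' and non-SRV lines are ignored.
    """
    records = {}
    suffix = "." + origin.lower() + "."
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SRV_LINE.match(line)
        if not m:
            continue
        owner = m.group("owner").lower()
        if owner.endswith(suffix):
            owner = owner[: -len(suffix)]
        records.setdefault(owner, []).append(
            (int(m.group("prio")), int(m.group("weight")),
             int(m.group("port")), m.group("target"))
        )
    return records


def missing_srv(records):
    """Expected owner names that have no SRV record at all."""
    return [name for name in EXPECTED_SRV if name not in records]


def port_mismatches(records):
    """(owner, port, target) tuples whose port differs from the service's standard port."""
    bad = []
    for owner, rrs in records.items():
        service = owner.split(".", 1)[0]
        for _prio, _weight, port, target in rrs:
            if service in STANDARD_PORT and port != STANDARD_PORT[service]:
                bad.append((owner, port, target))
    return bad


# Constructed sample zone for the hypothetical domain example.test.
SAMPLE_ZONE = """\
$ORIGIN example.test.
_ldap._tcp               IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.dc._msdcs     IN SRV 0 100 389 dc1.example.test.
_kerberos._tcp           IN SRV 0 100 88  dc1.example.test.
_kerberos._udp           IN SRV 0 100 88  dc1.example.test.
_kpasswd._tcp            IN SRV 0 100 464 dc1.example.test.
_gc._tcp.example.test.   IN SRV 0 100 389 dc1.example.test.  ; GC on the LDAP port
"""

if __name__ == "__main__":
    recs = parse_srv_records(SAMPLE_ZONE, "example.test")
    print("missing SRV owners:", missing_srv(recs))
    print("non-standard ports:", port_mismatches(recs))
```

Running it against the sample zone reports three missing owners (the pdc and dc `_msdcs` names and `_kpasswd._udp`) and the global catalog record published on 389 instead of 3268; on a real zone, feed the function the output of your zone transfer or zone file with the real origin.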

