Kerberos Feature Request

Sam Hartman hartmans at MIT.EDU
Tue Feb 10 14:14:22 EST 2004

[cc list trimmed]

>>>>> "Henry" == Henry B Hotz <hotz at> writes:

    Henry> I probably should send this to the IETF group, but I'm not
    Henry> on their mailing lists.  (Apologies if the cross-posting
    Henry> causes problems.)  It would be *nice* if all Kerberos
    Henry> distributions added this feature the same way.

    Henry> One of the famous things that Microsoft did in their AD
    Henry> Kerberos implementation was to add authorization data to the
    Henry> (supposedly optional) PAC field that is necessary when
    Henry> using certain other Microsoft functionality.  AFAIK all of
    Henry> the information added is also contained in the LDAP
    Henry> directory that AD also provides.

    Henry> I do not think it makes any sense for a (non-Microsoft)
    Henry> Kerberos server to directly maintain this data.  Rather it
    Henry> should have a mechanism for acquiring the data from an
    Henry> external source, such as an LDAP directory.

I agree with you so far.  I disagree however that we should focus on
providing the same data as the AD interface.

Replacing a Windows domain controller with a Kerberos server is a fine
goal.  Kerberos vendors should support it with plugins.

But Microsoft seems to have solved the problem well for Windows
machines.  Many aspects of the solution do not seem to be appropriate
for other environments.

As such, I'd rather see the Kerberos community work on its own more
general solution and let folks like Samba, etc., work on replacing
Windows DCs.

I don't think you will see standardization of the interfaces for
getting this information.  I understand it would be nice for you.  I
just don't know that there will be resources available for that
standardization work.  It's certainly outside the scope of the IETF.
