Kerberos Feature Request
hartmans at MIT.EDU
Tue Feb 10 14:14:22 EST 2004
[cc list trimmed]
>>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:
Henry> I probably should send this to the IETF group, but I'm not
Henry> on their mailing lists. (Apologies if the cross-posting
Henry> causes problems.) It would be *nice* if all Kerberos
Henry> distributions added this feature the same way.
Henry> One of the famous things that Microsoft did in their AD
Henry> Kerberos implementation is adding authorization data to the
Henry> (supposedly optional) PAC field that is necessary when
Henry> using certain other Microsoft functionality. AFAIK all of
Henry> the information added is also contained in the LDAP
Henry> directory that AD also provides.
Henry> I do not think it makes any sense for a (non-Microsoft)
Henry> Kerberos server to directly maintain this data. Rather it
Henry> should have a mechanism for acquiring the data from an
Henry> external source, such as an LDAP directory.
I agree with you so far. I disagree however that we should focus on
providing the same data as the AD interface.
Replacing a Windows domain controller with a Kerberos server is a fine
goal. Kerberos vendors should support it with plugins.
But Microsoft seems to have solved the problem well for Windows
machines. Many aspects of the solution do not seem to be appropriate
for other environments.
As such, I'd rather see the Kerberos community work on its own more
general solution and let folks like Samba etc. work on replacing
I don't think you will see standardization of the interfaces for
getting this information. I understand it would be nice for you. I
just don't know that there will be resources available for that
standardization work. It's certainly outside the scope of the IETF.