Current ideas on kerberos requirements for Samba4

Sam Hartman hartmans at MIT.EDU
Mon May 23 14:50:11 EDT 2005

Andrew and I had this conversation on IRC, but I feel the need to
state the following publically for the record.

I think that Samba including a KDC based either on Heimdal or MIT is a
non-starter for several OS vendors.  They need to be able to treat
Samba as one Kerberos service that provides authorization, group
membership, etc.  However Samba will not be the only such service.
The OS vendors also have a strong requirement to have a single
Kerberos implementation.

That said, Samba needs to have a solution for users who are not OS
vendors.  Also, it seems reasonable that Samba does not want to do the
OS vendors work for them.

I do believe that linking the kdc into the smbd process really does
create an untenible situation for a lot of people and I think you will
find that the work required to get access to Samba facilities in a
native KDC is well worth the effort in the long run.

I do think it is reasonable and necessary at the current time for
Samba to include a KDC of some kind; I agree that Heimdal is the least
effort for Samba at the current time.

I think it is also important to work with OS vendors in this.  I think
you need to design Samba assuming that people will end up supplying
patches to plug Samba into the system KDC.  (Yes, I fully realize that
Samba will get involved in almost all aspects of handling a request).
I think it will be important to try and work with those vendors to
integrate their patches when such patches are written.


More information about the krbdev mailing list