Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Mon May 23 20:39:57 EDT 2005

On Mon, 2005-05-23 at 11:18 -0400, Ken Hornstein wrote:
> >My current feeling is that Samba may well ship its own KDC (based
> >either on Heimdal, our own code or potentially some other codebase) for
> >some time into the future.  To whatever extent Samba includes a
> >derivative of another distribution of kerberos, the aim would be to keep
> >the 'diff' between the two projects as small as possible, while
> >integrating the code for minimum administrative and engineering pain.
> Just my $0.02:
> I already have a hacked KDC (based on MIT) that has a number of custom
> extensions that I need.  Running a Samba-supplied KDC is simply a
> non-starter.  I know plenty of people who are in the same boat.  Just
> as an aside - it seems when you do Kerberos for a while, you find that
> you need to do some number of changes to make it fit better at your
> site, so this sort of thing just tends to crop up.  This probably
> isn't an issue for smaller sites, or sites that just want to run a KDC
> to support Samba.

Perhaps we should make something clear from the outset.  Just as
Samba4's LDAP server is not intended to be a world-class (or even
standards-conforming) LDAP server, I'm targeting our KDC as a match for
the Microsoft interface, not as the new gold standard for KDCs in POSIX.

I'm trying to fill the space currently filled by Microsoft's Active
Directory, not trying (particularly in the first release of Samba4) to
replace an existing corporate Kerberos infrastructure.  

Now, I come at this whole area from rather a different direction than I
suspect you do, because I'm not steeped in the history of Kerberos, nor
do I run a large and complex site that uses it.  What is custom about
your kerberos setup, and given that I realise that having multiple
kerberos realms is the pits, what could we do to make your life easier?

> If you provide a chunk of code and say, "You need to integrate this",
> then that's fine with me (if it's Heimdal-only, then that will be a
> pain, but I can deal).  I know, I could always do cross-realm ... but
> trust me, I have more experience with cross-realm than most people, and
> I'm not going to run a separate realm just for Samba.

Well, it will always be open source, so unlike AD you can hack it
however you please :-)

My observation is that sites fit into one of these three boxes:

(98%) Never used Kerberos, or don't know what Kerberos is:
 - NT4 sites
 - Samba3 based sites
 - Low-clue AD networks (you don't need to understand Kerberos to use
 - Everybody else (most linux networks, workgroups)

(~1.75%) Large sites, which run AD, know what kerberos is and use it to
their advantage

(<.25%) Sites that chose to use unix-based kerberos systems, and have
integrated it properly into a majority of their systems.

My problem is that while I do *not* wish to exclude anybody, I need to
care about the first two categories far more than the clued-in SysAdmin
of a real kerberos site.  (Where I think that long-term, we can work
something out).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College