Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Tue May 24 05:27:49 EDT 2005

On Tue, 2005-05-24 at 18:23 +1000, James Peach wrote:
> On Tue, May 24, 2005 at 10:06:44AM +1000, Andrew Bartlett wrote:

> > It would be great if they could join in the discussion on samba-
> > technical.  Perhaps their requirements are more easily addressed than I
> > fear.
> I'm by no means even a Kerberos novice and I haven't been following the
> Samba4 code very closely, but maybe I can contribute some vendor
> perspective. These are personal opinions and do not necessarily reflect
> the official views or plans of SGI.
>     o Customers want a unified Kerberos infrastructure today. It would
>     be good if Samba4 brought us a step further to being able to
>     seamlessly use Kerberos for CIFS, NFS and local logins.

In this sense, Samba3 and Samba4 will be able to handle whatever KDC is
thrown at them, where they are just another kerberised service (just
accepting file shares).  What makes Samba4 different is that it is
trying to be compatible with Microsoft's Active Directory, so we have
sudden demand to 'provide' a KDC, because that's what our clients expect
(and they expect particular behaviours).

>     o Many vendors are already shipping multiple versions of Kerberos
>     and other crypto libraries for various reasons (not all of them
>     good). Each time this happens, there is a cost involved in code
>     maintenance, issuing security updates and patches, interop,
>     diagnosing customer problems, etc.
>     o The desire not to ship more that one KDC is pretty strong. I would
>     think that vendors supporting Heimdall and MIT KDCs feel they
>     already get enough support calls without a Samba KDC.

Is there a support call cost difference between a MIT or Heimdal KDC
with most facets of their operation influenced by a Samba module, and a
KDC built in and 'just working' inside Samba?  My argument is that where
Samba controls such a KDC from a logic perspective, it is already a
'different KDC'.

>     o Convincing customers to upgrade is (justifiably) hard. If I need
>     to upgrade Samba, will the customer be willing to risk the
>     corresponding KDC upgrade? If not, will I have to spin a
>     site-specific patch?

Samba4 will be a big change, but if you already have a KDC you are quite
happy with, you probably don't want to turn Samba4 on as a DC of any
sort anyway.  The fileserver will certainly not require it's own KDC.

>     o Finally, my guess is that vendors will eventually ship Samba4
>     whatever happens because there will be customer demand.

I think you are right on this one :-)

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the krbdev mailing list