Current ideas on kerberos requirements for Samba4

James Peach jpeach at sgi.com
Tue May 24 04:23:05 EDT 2005 

On Tue, May 24, 2005 at 10:06:44AM +1000, Andrew Bartlett wrote:
> On Mon, 2005-05-23 at 14:50 -0400, Sam Hartman wrote:
> > Andrew and I had this conversation on IRC, but I feel the need to
> > state the following publically for the record.
> 
> And I'm glad to finally get a discussion going here, lest it be said
> that we did our kerberos work in the shadows and the dark :-).  
> 
> > I think that Samba including a KDC based either on Heimdal or MIT is a
> > non-starter for several OS vendors.  They need to be able to treat
> > Samba as one Kerberos service that provides authorization, group
> > membership, etc.  However Samba will not be the only such service.
> > The OS vendors also have a strong requirement to have a single
> > Kerberos implementation.
> > 
> > That said, Samba needs to have a solution for users who are not OS
> > vendors.  Also, it seems reasonable that Samba does not want to do the
> > OS vendors work for them.
> 
> Indeed, I'm not going to 'do the OS vendors work for them', as I have
> enough work to do getting this ship sailing at all, let along dealing
> with the particular requirements of unnamed 'vendors'.  But I'm also at
> a bit of a loss: aside from some desire 'not to ship more than one KDC',
> I'm yet to hear what they feel 'they' need (or who these vendors are).  
> 
> It would be great if they could join in the discussion on samba-
> technical.  Perhaps their requirements are more easily addressed than I
> fear.

I'm by no means even a Kerberos novice and I haven't been following the
Samba4 code very closely, but maybe I can contribute some vendor
perspective. These are personal opinions and do not necessarily reflect
the official views or plans of SGI.

    o Customers want a unified Kerberos infrastructure today. It would
    be good if Samba4 brought us a step further to being able to
    seamlessly use Kerberos for CIFS, NFS and local logins.

    o Many vendors are already shipping multiple versions of Kerberos
    and other crypto libraries for various reasons (not all of them
    good). Each time this happens, there is a cost involved in code
    maintenance, issuing security updates and patches, interop,
    diagnosing customer problems, etc.

    o The desire not to ship more that one KDC is pretty strong. I would
    think that vendors supporting Heimdall and MIT KDCs feel they
    already get enough support calls without a Samba KDC.

    o Convincing customers to upgrade is (justifiably) hard. If I need
    to upgrade Samba, will the customer be willing to risk the
    corresponding KDC upgrade? If not, will I have to spin a
    site-specific patch?

    o Finally, my guess is that vendors will eventually ship Samba4
    whatever happens because there will be customer demand.

-- 
James Peach | jpeach at sgi.com | SGI Australian Software Group
I don't speak for SGI.

More information about the krbdev mailing list