Current ideas on kerberos requirements for Samba4
jpeach at sgi.com
Tue May 24 04:23:05 EDT 2005
On Tue, May 24, 2005 at 10:06:44AM +1000, Andrew Bartlett wrote:
> On Mon, 2005-05-23 at 14:50 -0400, Sam Hartman wrote:
> > Andrew and I had this conversation on IRC, but I feel the need to
> > state the following publically for the record.
> And I'm glad to finally get a discussion going here, lest it be said
> that we did our kerberos work in the shadows and the dark :-).
> > I think that Samba including a KDC based either on Heimdal or MIT is a
> > non-starter for several OS vendors. They need to be able to treat
> > Samba as one Kerberos service that provides authorization, group
> > membership, etc. However Samba will not be the only such service.
> > The OS vendors also have a strong requirement to have a single
> > Kerberos implementation.
> > That said, Samba needs to have a solution for users who are not OS
> > vendors. Also, it seems reasonable that Samba does not want to do the
> > OS vendors work for them.
> Indeed, I'm not going to 'do the OS vendors work for them', as I have
> enough work to do getting this ship sailing at all, let along dealing
> with the particular requirements of unnamed 'vendors'. But I'm also at
> a bit of a loss: aside from some desire 'not to ship more than one KDC',
> I'm yet to hear what they feel 'they' need (or who these vendors are).
> It would be great if they could join in the discussion on samba-
> technical. Perhaps their requirements are more easily addressed than I
I'm by no means even a Kerberos novice and I haven't been following the
Samba4 code very closely, but maybe I can contribute some vendor
perspective. These are personal opinions and do not necessarily reflect
the official views or plans of SGI.
o Customers want a unified Kerberos infrastructure today. It would
be good if Samba4 brought us a step further to being able to
seamlessly use Kerberos for CIFS, NFS and local logins.
o Many vendors are already shipping multiple versions of Kerberos
and other crypto libraries for various reasons (not all of them
good). Each time this happens, there is a cost involved in code
maintenance, issuing security updates and patches, interop,
diagnosing customer problems, etc.
o The desire not to ship more that one KDC is pretty strong. I would
think that vendors supporting Heimdall and MIT KDCs feel they
already get enough support calls without a Samba KDC.
o Convincing customers to upgrade is (justifiably) hard. If I need
to upgrade Samba, will the customer be willing to risk the
corresponding KDC upgrade? If not, will I have to spin a
o Finally, my guess is that vendors will eventually ship Samba4
whatever happens because there will be customer demand.
James Peach | jpeach at sgi.com | SGI Australian Software Group
I don't speak for SGI.
More information about the krbdev