Current ideas on kerberos requirements for Samba4

Gerald (Jerry) Carter jerry at
Tue May 24 09:09:32 EDT 2005


Andrew Bartlett wrote:

| Perhaps we should make something clear from the
| outset.  Just as Samba4's LDAP server is not
| intended to be a world-class (or even standards-conforming)
| LDAP server,

I'm not getting into this thread for obvious reasons, but
I think this is a very dangerous statement (and assumption)
to make. You are claiming to match against AD.  That's a
big order from the LDAP side of things.  People will expect
you to get the LDAP part right if you are taking it over.

| I'm targeting our KDC as a match for the Microsoft
| interface, not as the new gold standard for KDCs in POSIX.

Again, I think this is a dangerous assumption to make.

| I'm trying to fill the space currently filled
| by Microsoft's Active Directory, not trying
| (particularly in the first release of Samba4) to
| replace an existing corporate Kerberos infrastructure.

But in a way you are and I think that is the concern that
is expressed.  This is a tough road.

I think there are two basic philosophies at work here.
One is to use Samba as a bridge between Windows and Unix.
Here Samba is a thin layer of glue.  We have posix
mappings of ACLs, lpr print queues exported to clients,
and posixAccounts integrated with Samba accounts.

The other side of the fence is to reimplement AD.  A
very admirable goal.  But to be 100%, you are no longer
acting as a thin layer of glue.  In some ways, Samba
no longer acts as an interoperability tool.  It is the network
portion of the OS.

At this point the justification to install Samba is
not based on interoperability because Samba is acting
just like AD.  Not solving existing interoperability issues
between Unix and AD.  The justification of installing
Samba is based on license fees.

If you want to add interoperability back to the buffet, then
the Samba4 kdc implementation (and LDAP implementation)
will have to be world class, scalable implementations.
I think you might also be ignoring the fact that while CIFS
is primarily a Windows protocol, LDAP and Kerberos will be
used by non-MS clients and so at some point you will
have to support them as well.

cheers,  jerry
Alleviating the pain of Windows(tm)
GnuPG Key
"I never saved anything for the swim back."     Ethan Hawke in Gattaca

More information about the krbdev mailing list