Current ideas on Kerberos requirements for Samba4

Sam Hartman hartmans at MIT.EDU
Tue May 24 16:26:03 EDT 2005

>>>>> "Alan" == Alan DeKok <aland at> writes:

    Alan> "James F. Hranicky" <jfh at> wrote:
    >> I don't know the intimate details of what AD clients expect
    >> from an AD controller, but I wonder if perhaps the requirements
    >> could be addressed by a meta-smbd of sorts? The meta-smbd acts
    >> as an AD controller, but passes off requests for various
    >> services to the respective daemons,

    Alan>   Except that AD requires that the other protocols talk to
    Alan> each other, too.  That is, they *all* share a common data
    Alan> set, and each protocol must serve a view of the database,
    Alan> and that view must be consistent across all protocols.  This
    Alan> integration means that much of the internal state of each
    Alan> daemon must be exposed to others, and must be modifiable by
    Alan> others.

Yes, but keep in mind two things:

1) This state should be exposed through well-defined interfaces to
   allow for extensibility and code abstraction.  It should not be
   exposed through sticking everything together in one process.  Even
   Microsoft is finding that model is not working for them.

2) Long term, we need to allow our models to grow beyond the model
   Microsoft has provided for us.  The right model for a collection of
   Unix machines using NFSV4 isn't the same model as AD.  Clearly you
   need a way of exposing an AD schema to the AD protocols (including
   LDAP) but you also need a way to move beyond that schema internally
   so you can support all the environments that will run in your
   Kerberos infrastructure.

More information about the krbdev mailing list