Current ideas on kerberos requirements for Samba4

Sam Hartman hartmans at MIT.EDU
Tue May 24 16:30:42 EDT 2005

>>>>> "Jeremy" == Jeremy Allison <jra at> writes:

    Jeremy> On Tue, May 24, 2005 at 11:34:52AM -0400, Ken Hornstein
    Jeremy> wrote:
    >> I think given your requirements, shipping a _basic_ KDC is
    >> probably unavoidable.  I just wanted to point out that there is
    >> a number of us who really want to use our own KDCs with Samba4,
    >> and we'd like you to be able to deal with that at some point.
    >> I don't think there's a huge amount of work you have to do to
    >> make that happen (at least, I hope not).

    Jeremy> We'll try and accomodate this, as we have accommodated
    Jeremy> people who want to use their own keytabs in Samba3. But
    Jeremy> let me tell you that this code (in Samba3) has taken 90%
    Jeremy> of the work for less than 10% of the users. Even people
    Jeremy> wanting this to work send incorrect, memory-leaking
    Jeremy> patches.

If you actually do this, I think we'll all be happy.  If you even
design to support this model but demand that the people who want it to
work with their own KDCs send in working code, I think we'll be happy.
I completely agree that you need some sort of KDC in the samba
distribution that is known to work with Samba and that is easy to set
up and that hopefully the user doesn't even notice.

However I'm hearing from Andrew that he's choosing a design that will
make it very challenging for people to supply their own KDC and that
is where I have concerns.


More information about the krbdev mailing list