Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Tue May 24 18:01:49 EDT 2005

On Tue, 2005-05-24 at 19:57 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> > 
> > This is the situation we are in currently, the Microsoft clients expect
> > a very tight interface between the KDC and the rest of the domain
> > controller (requiring coherent operations over multiple protocols, the
> > PAC and other fun things).  
> Are you also going to implement a DNS server?

From what I've see, DNS is the one part of the AD game that Microsoft
has allowed an external implementation of.  It appears that the clients
and servers all do DNS updates separately to their main record in AD.
So fortunately we get to avoid that one :-)

Now, we will have to patch and convince vendors to patch and ship an
updated DNS server running 'TSIG', just as we will need them to patch
and ship an NTP server for 'schannel signing'. 

This is indeed slightly contradictory, but in the experimentation I've
done, the lack of these services isn't nearly as critical as Krb5, and
the changes we propose are much smaller than we require to krb5.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the krbdev mailing list