Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Tue May 24 18:21:49 EDT 2005

On Tue, 2005-05-24 at 15:07 -0400, Alan DeKok wrote:
> "James F. Hranicky" <jfh at> wrote:
> > Well, my first reaction is that since Heimdal and Samba can currently both
> > share an LDAP database for PDC support, could it be possible to do the 
> > same with AD?
>   1) Investigate what AD needs from protocol data sharing

Wrote the thesis:

>   2) Investigate how this would be put into LDAP

We have done so, and implemented our own 'ldap like' interface backing
onto either LDAP or an in-memory database.

>   3) Investigate how it would be implemented in Heimdal, etc.

Done that.  See the version of Heimdal in 'lorikeet'
svn co svn:// lorikeet-heimdal

>   4) Report back.

This series of notes.  I was certainly not going to be so silly as to
talk about this before I had spent time to actually implement a viable

>   My bet is that you'd need (0) to do this:
>   0) Get contract to spend 6 months working on the following

Yes, it took about 6 months, on and off.  

We do actually, already implement a good series of interfaces which
keeps the KDC separate.  Currently they don't even share any source code
aside from standard shared/static libraries we provide.  

However, to finish off the job, I'm proposing to integrate at the object
link level (which lukeh tells me he has done before) and to handle some
things consistently across the whole suite (no user config errors).

Now, the mistake I made was opening my big trap before I had just
quietly finished the libkdc part (which is a few days integration, I
hope, and actually doesn't change Heimdal's internal structure very much

Jeremy is right about kerberos patches, and it has been a right pain in
Samba3.  This is why I've tried not to promise the world to those
running their own KDCs.  I know their plight, and I'll be receptive to
patches, but I'm just going to try and get mine working first. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College