Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Tue May 24 18:32:19 EDT 2005

On Tue, 2005-05-24 at 08:09 -0500, Gerald (Jerry) Carter wrote:
> Hash: SHA1
> Andrew Bartlett wrote:
> | Perhaps we should make something clear from the
> | outset.  Just as Samba4's LDAP server is not
> | intended to be a world-class (or even standards-conforming)
> | LDAP server,
> Andrew,
> I'm not getting into this thread for obvious reasons, but
> I think this is a very dangerous statement (and assumption)
> to make. You are claiming to match against AD.  That's a
> big order from the LDAP side of things.  People will expect
> you to get the LDAP part right if you are taking it over.

Indeed, and this is actually something that I do worry about with Samba4
going forward.  I do wish we had more directory experts working with the
team, so we don't make more of a muddle of ourselves in the process.

I'll also pass the blame along on that one, the standard on the LDAP
server was set by others, I'm just repeating it (and trying not to
promise the world.  As we all so painfully know, this is a very small
team doing a lot of work...).

> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.
> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.

This is actually why I have pushed to work with Heimdal, rather than the
more appealing (at times) option of doing it ourselves.  At least I know
that when we started, we worked from a well respected KDC in production
use for this kind of task already.  My intention is to (despite linking
for unification of service control and socket infrastructure) keep the
codebases separable along existing or new interfaces in the Heimdal
code.  In that way, I hope to keep those qualities in Heimdal, even as
we integrate it.  I was just hoping not to promise the world to a
community that each holds their sites specific kerberos infrastructure
very near and dear :-)

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the krbdev mailing list