Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Tue May 24 22:05:36 EDT 2005

On Tue, 2005-05-24 at 16:30 -0400, Sam Hartman wrote:
> >>>>> "Jeremy" == Jeremy Allison <jra at> writes:
>     Jeremy> On Tue, May 24, 2005 at 11:34:52AM -0400, Ken Hornstein
>     Jeremy> wrote:
>     >> I think given your requirements, shipping a _basic_ KDC is
>     >> probably unavoidable.  I just wanted to point out that there is
>     >> a number of us who really want to use our own KDCs with Samba4,
>     >> and we'd like you to be able to deal with that at some point.
>     >> I don't think there's a huge amount of work you have to do to
>     >> make that happen (at least, I hope not).
>     Jeremy> We'll try and accommodate this, as we have accommodated
>     Jeremy> people who want to use their own keytabs in Samba3. But
>     Jeremy> let me tell you that this code (in Samba3) has taken 90%
>     Jeremy> of the work for less than 10% of the users. Even people
>     Jeremy> wanting this to work send incorrect, memory-leaking
>     Jeremy> patches.
> If you actually do this, I think we'll all be happy.  If you even
> design to support this model but demand that the people who want it to
> work with their own KDCs send in working code, I think we'll be happy.
> I completely agree that you need some sort of KDC in the samba
> distribution that is known to work with Samba and that is easy to set
> up and that hopefully the user doesn't even notice.

Then I think we all can be happy. 

> However I'm hearing from Andrew that he's choosing a design that will
> make it very challenging for people to supply their own KDC and that
> is where I have concerns.

I'm really not trying to screw MIT (or anybody else) over, and the
current work is nicely isolated behind various interfaces.   The future
work should be as well, if I ever want a hope of continuing to update to
newer versions of Heimdal.  The use of linking will help me comply with
the Samba4 policy of 'one smbd', and handle a few startup/sockets
issues; I don't expect it to drastically alter the structure of the
code, or provide interfaces which are 'impossible' to export to a
different KDC.

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College

More information about the krbdev mailing list