Current ideas on kerberos requirements for Samba4

Stefan (metze) Metzmacher metze at
Wed May 25 11:20:30 EDT 2005


Gerald (Jerry) Carter wrote:
> Andrew Bartlett wrote:
> | Perhaps we should make something clear from the
> | outset.  Just as Samba4's LDAP server is not
> | intended to be a world-class (or even standards-conforming)
> | LDAP server,
> Andrew,
> I'm not getting into this thread for obvious reasons, but
> I think this is a very dangerous statement (and assumption)
> to make. You are claiming to match against AD.  That's a
> big order from the LDAP side of things.  People will expect
> you to get the LDAP part right if you are taking it over.
> | I'm targeting our KDC as a match for the Microsoft
> | interface, not as the new gold standard for KDCs in POSIX.
> Again, I think this is a dangerous assumption to make.
> | I'm trying to fill the space currently filled
> | by Microsoft's Active Directory, not trying
> | (particularly in the first release of Samba4) to
> | replace an existing corporate Kerberos infrastructure.
> But in a way you are and I think that is the concern that
> is expressed.  This is a tough road.
> I think there are two basic philosophies at work here.
> One is to use Samba as a bridge between Windows and Unix.
> Here Samba is a thin layer of glue.  We have posix
> mappings of ACLs, lpr print queues exported to clients,
> and posixAccounts integrated with Samba accounts.
> The other side of the fence is to reimplement AD.  A
> very admirable goal.  But to be 100%, you are no longer
> acting as a thin layer of glue.  In some ways, Samba
> no longer acts as an interoperability tool.  It is the network
> portion of the OS.
> At this point the justification to install Samba is
> not based on interoperability because Samba is acting
> just like AD.  Not solving existing interoperability issues
> between Unix and AD.  The justification of installing
> Samba is based on license fees.
> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.

I strongly agree here! (but we might not be able to get to that stage for the first releases...)

> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.
Yes! As an MS ADS LDAP server also supports every LDAPv3 client...
So we also have to support all basic LDAPv3 features!

--

Stefan Metzmacher <metze at>