Current ideas on kerberos requirements for Samba4
Stefan (metze) Metzmacher
metze at samba.org
Wed May 25 11:20:30 EDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Gerald (Jerry) Carter schrieb:
> Andrew Bartlett wrote:
> | Perhaps we should make something clear from the
> | outset. Just as Samba4's LDAP server is not
> | intended to be a world-class (or even standards-conforming)
> | LDAP server,
> I'm not getting into this thread for obvious reasons, but
> I think this is a very dangerous statement (and assumption)
> to make. You are claiming to match against AD. That's a
> big order from the LDAP side of things. People will expect
> you to get the LDAP part right if you are taking it over.
> | I'm targeting our KDC as a match for the Microsoft
> | interface, not as the new gold standard for KDCs in POSIX.
> Again, I think this is a dangerous assumption to make.
> | I'm trying to fill the space currently filled
> | by Microsoft's Active Directory, not trying
> | (particularly in the first release of Samba4) to
> | replace an existing corporate Kerberos infrastructure.
> But in a way you are and I think that is the concern that
> is expressed. This is a tough road.
> I think there are two basic philosophies at work here.
> One is to use Samba as a bridge between Windows and Unix.
> Here Samba is a thin layer of glue. We have posix
> mappings of ACLs, lpr print queues exported to clients,
> and posixAccounts integrated with Samba accounts.
> The other side of the fence is to reimplement AD. A
> very admirable goal. But to be 100%, you are not longer
> acting as a thin layer of glue. In some ways, Samba
> no longer acts as an interoperability tool. It the network
> portion of the OS.
> At this point the justification to install Samba is
> not based on interoperability because Samba is acting
> just like AD. Not solving existing interoperability issues
> between Unix and AD. The justification of installing
> Samba is based on license fees.
> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.
I strongly agree here! (but we might not able to get to that stage for the first releases...)
> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.
yes! as a MS ADS LDAP Server also support every LDAPv3 client...
So we also have to support all basic LDAPv3 features!
Stefan Metzmacher <metze at samba.org> www.samba.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the krbdev