Current ideas on kerberos requirements for Samba4

Andrew Bartlett abartlet at
Thu May 26 05:05:35 EDT 2005

On Tue, 2005-05-24 at 22:48 -0400, Sam Hartman wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet at> writes:
>     >> own KDC and that is where I have concerns.
>     Andrew> I'm really not trying to screw MIT (or anybody else) over,
> I certainly have never gotten that impression.  Your phrasing of
> certain things has made things challenging on a political level but I
> understand your goal is to get a good technical solution not to play
> politics.
> I do think the discussion here is mostly technical and I'd like to
> keep it that way.


> As an aside, I've invited some vendors to join in and contribute
> requirements.  I hope they will join, but more importantly I hope they
> will contribute the necessary resources (or fund others) to make their
> requirements a reality.  That's the only way technical problems get
> solved.
> Let me summarize the requirements I'm hearing today and see if we're
> on the same page:

This set of requirements seems pretty correct to me.

> 1) Samba must be usable.  It must provide a single integrated solution
>    that works for users with no knowledge of Kerberos, LDAP and other
>    protocols.
> 2) Samba needs to be involved in most aspects of the KDC request
>    handling.  It needs to add PAC data.  It needs to authorize or deny
>    requests.
> 3) Samba needs to keep account data in sync between Kerberos, LDAP and
>    other protocols that access that data.  Passwords are particularly
>    challenging to sync.  Samba plans to meet this need by storing all
>    the data in a Samba-managed database and to manage password->key
>    operations itself.
> 4) Vendors and sites want a single Kerberos implementation from a
>    security patch, local extension and maintainability standpoint.
> 5) Vendors want to integrate Samba as one protocol frontend/data
>    producer into larger systems.  We haven't really heard from the
>    vendors on this one; it is mostly me babbling on this point.
> 6) Kerberos implementers want to minimize code forks.
> 7) Kerberos implementers want to minimize the number of
>    interoperability test targets.

Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College