Current ideas on kerberos requirements for Samba4
abartlet at samba.org
Thu May 26 05:05:35 EDT 2005
On Tue, 2005-05-24 at 22:48 -0400, Sam Hartman wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
> >> own KDC and that is where I have concerns.
> Andrew> I'm really not trying to screw MIT (or anybody else) over,
> I certainly have never gotten that impression. Your phrasing of
> certain things has made things challenging on a political level but I
> understand your goal is to get a good technical solution not to play
> I do think the discussion here is mostly technical and I'd like to
> keep it that way.
> As an aside, I've invited some vendors to join in and contribute
> requirements. I hope they will join, but more importantly I hope they
> will contribute the necessary resources (or fund others) to make their
> requirements a reality. That's the only way technical problems get
> Let me summarize the requirements I'm hearing today and see if we're on the same page:
This set of requirements seems pretty correct to me.
> 1) Samba must be usable. It must provide a single integrated solution
> that works for users with no knowledge of Kerberos, LDAP and other
> 2) Samba needs to be involved in most aspects of the KDC request handling. It needs to add PAC data. It needs to authorize or deny requests.
> 3) Samba needs to keep account data in sync between Kerberos, LDAP and
> other protocols that access that data. Passwords are particularly
> challenging to sync. Samba plans to meet this need by storing all
> the data in a Samba-managed database and to manage password->key operations itself.
> 4) Vendors and sites want a single Kerberos implementation from a
> security patch, local extension and maintainability standpoint.
> 5) Vendors want to integrate Samba as one protocol frontend/data
> producer into larger systems. We haven't really heard from the
> vendors on this one; it is mostly me babling on this point.
> 6) Kerberos implementers want to minimize code forks.
> 7) Kerberos implementers want to minimize the number of
> interoperability test targets.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20050526/f0339a4b/attachment.bin
More information about the krbdev