Current ideas on kerberos requirements for Samba4

Henrik Nordstrom hno at
Wed May 25 17:46:39 EDT 2005

On Wed, 25 May 2005, Andrew Tridgell wrote:

> Our typical user profile has changed a lot over the years. These days
> the typical Samba site has no sysadmin. It is installed by doctors,
> teachers and other professionals who are smart in their own field, but
> don't care about the intricacies of how Samba works, they just want it
> to serve files. Typically they have a network of just a few Windows
> PCs in a single realm (though they don't know what a 'realm' is).

After following this thread for some time and thinking on the deployment 
scenarios I am not entirely sure this will be the case for Samba-4 in the 
same sense.

As already mentioned, initial adopters of Samba-4 are likely those wanting 
to run it as an AD DC. In my view these are quite likely the same people 
who have a reasonable understanding of what krb5 is and how LDAP works, 
and are now looking at Samba-4 to see if it can fit their existing 
environments better than MS AD.

For those just wanting to serve files, they quite likely already have a 
Microsoft domain and mainly want Samba to act in the existing domain as 
a member server, not as the DC.

So I actually expect the 'enterprise' users to be among the first looking 
at Samba-4 AD DC capabilities, with all the intricate details of krb5 
integration etc. There is obviously also the odd "noob admin" who 
attempts this, but hopefully most who do so are interested in learning.

Then when the Samba AD technology is slightly more proven & documented 
the masses will follow ;-)

This should give a quite reasonable window for OS maintainers to catch up, 
provided the Samba requirements on the KDC and LDAP where applicable are 
well documented with working reference implementations.

One sticky issue to consider is licensing if the OS maintainers are 
supposed to include/link certain components of Samba into their KDC and/or 
LDAP servers.

> It really is quite common that Samba is the first free software package 
> that a site tries. If you think about it, I think you would agree that 
> kerberos is almost never the first free software package someone tries. 
> We have to make a good first impression, and that means making stuff as 
> easy as we possibly can.


But at the same time do not forget that both LDAP and KDC servers are 
common components of the OSes these days.

