Current ideas on kerberos requirements for Samba4
Andrew Bartlett
abartlet at samba.org
Fri May 27 02:54:20 EDT 2005
On Fri, 2005-05-27 at 01:16 -0500, Nicolas Williams wrote:
> On Fri, May 27, 2005 at 01:06:55AM -0500, Nicolas Williams wrote:
> > On Fri, May 27, 2005 at 08:00:18AM +0200, Stefan (metze) Metzmacher wrote:
> > > so the design would be like this:
> > >
> > > [wire] -> [samba socket lib] -> [samba kdc server service] -> [KDC library]
> > > [wire] <- [samba socket lib] <- [samba kdc server service] <- [KDC library]
> >
> > I suppose I don't mind a "KDC library" too much... but, methinks that this
> > is going too far. My first reaction, really, is "ick."
>
> BTW, I think coding services in such a way that they can be made into a
> library with ease is a good idea. But usually existing code has not
> been written that way... I think you'll find the alternative easier to
> implement.
I'll let you know in a few days, but for Heimdal this seems to be mostly
sane, and as I may have said elsewhere, it fits with the other Samba4
requirements I am under.

I actually hope that vendors *do not* create and ship their own libkdc,
particularly in the early days of Samba4.

The reason I hope this is because while high-clue, large site sysadmins
have a good chance of getting it right, and testing within their own
site, I am not looking forward to the test matrix explosion that will
occur if every vendor rips out and replaces the few thousand lines of
KDC.

I won't block it by overly silly design, and I will look reasonably at
real patches, but I'm just trying not to encourage it. (There is only
one of me to manage all this complexity).

I also just expect that in the early days of Samba4, the interfaces and
expectations will wobble around, as we try and build one KDC that
works...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net