Andrew Bartlett abartlet at samba.org
Thu Aug 17 17:53:59 EDT 2006

On Thu, 2006-08-17 at 14:04 -0400, Sam Hartman wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
>     Andrew> On Wed, 2006-08-16 at 15:16 -0400, Sam Hartman wrote:
>     >> >>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
>     >> 
>     Andrew> Has anything more happened on this?
>     >>  Novell responded explaining why it was different between MIT
>     >> and Heimdal and you never responded to that.
>     Andrew> I must have missed that mail.  I'll try and dig it up.
>     Andrew> Which list was it on?
> krbdev.

I must be losing krbdev mail, as I can't find it :-(

> The basic issue is that MIT supports multiple kvnos and Heimdal does
> not.

OK, that's reasonable.  I just hadn't heard it expressed as such. 

>     >> I definitely don't want to see this particular attribute
>     >> modified by the server.
>     Andrew> Oh?  Why is that?  Because it is exactly the kind of thing
>     Andrew> I expect to see folks like eDirectory wanting to do, and
>     Andrew> exactly how I would design any central identity server.
> Because I think you want the Kerberos implementation involved in
> maintaining the Kerberos implementation's invariants.  I don't care if
> this is a network callout or a directory server plugin, but I believe
> the code that updates the password needs to be supplied by the KDC
> vendor not the directory vendor.

My worry, and experience as a member of the Samba team, is that it is
far better to clearly document what you need, than to hope that users
won't write tools that manipulate the attributes directly.  The harder
you make it for users, the uglier the kludges become...

Of course, writing and supporting plugins for the various Free directory
servers would prevent most users from starting down this path, but I
don't expect MIT has the time for this, and Novell probably has
something for eDirectory anyway...

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
