KDC built in or out of smbd

Lukasz Stelmach lukasz.stelmach at telmark.waw.pl
Tue Nov 29 12:31:16 GMT 2005


Greetings All.

I've read some papers (e.g. kerberos-notes.txt) about Kerberos support
in the new Samba and feel a little uncertain, to say the least. I've
found that the most probable option is to incorporate kdc functionality
*into* the smbd process. IMHO it is completely against the design principles
of Kerberos, where the kdc is meant to run on a separate, extra safe
machine as the only service.  This helps to gain security by
cutting down the complexity.

No offense, but it is rather obvious that if the whole smbd runs on such
a machine it becomes less secure than it could be. I understand that no
Kerberos suite (except the MS one) today supports PAC but IMHO it is not
an option to put kdc together with smbd.

I might have missed something. If so please correct me.

Best regards.
PS. I'm not subscribed, please cc.
-- 
Have a nice day
>Łukasz<

