KDC built in or out of smbd
Andrew Bartlett
abartlet at samba.org
Wed Nov 30 09:45:08 GMT 2005
On Wed, 2005-11-30 at 10:09 +0100, Volker Lendecke wrote:
> On Wed, Nov 30, 2005 at 09:56:29AM +0100, Marc Balmer wrote:
> > Having the LDAP server, KDC, RPC services, and fileserver on the same
> > host mandatory would be a major drawback. At least for the LDAP and
> > KDC it should be possible to run them on different machines.
>
> Sorry to be so direct, but Windows clients expect those services to be
> available under the same IP address. You could in theory play nasty games with
> port forwarding, but this would be an administrative nightmare.
And even with port forwarding, we have major problems: A client may
(currently doesn't, but with Win2k3 and a registry setting may, and unix
clients do) encode it's client address in the KDC requests.
The KDC should then reject the request, because it has been forwarded...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051130/4e8196ea/attachment.bin
More information about the samba-technical
mailing list