[Samba-it] samba-ldap-kerberos

Aldo Bortot abortot at comune.belluno.it
Tue Dec 21 14:57:01 MST 2004


Muriel wrote:
> On Tue, 21 Dec 2004 10:59:42 +0100, Piviul <pluto at flanet.org> wrote:
> 
>>Aldo Bortot wrote:
>>
>>>I have a PDF on Single Sign-On with kerberos-ldap by G. Paternò.
>>>It does not cover the Samba question in detail, but it offers some
>>>very interesting ideas.
>>>I don't remember where I downloaded it from; I have a copy. If there is interest I
>>
>>from here?
>>
>>http://gpaterno.free.fr/publications/SingleSignon/Single_Signon_Kerberos_LDAP.pdf
> 
> 
> Excellent read, but I'm afraid it doesn't serve the purpose. I don't
> want to talk nonsense, but as far as I know Samba does not have support
> for MIT Kerberos.
> I have dealt with this matter too, and among the Samba documents I had
> found this:
> 
> ----- Quote -----
> Active Directory Replacement with Kerberos, LDAP, and Samba
> 
>    The Microsoft networking protocols extensively make use of remote
> procedure call (RPC) technology. Active Directory is not a simple
> mixture of LDAP and Kerberos together with file and print services,
> but rather is a complex intertwined implementation of them that uses
> RPCs that are not supported by any of these component technologies and
> yet by which they are made to interoperate in ways that the components
> do not support.
> 
>    In order to make the popular request for Samba to be an Active
> Directory Server a reality, it is necessary to add to OpenLDAP,
> Kerberos, as well as Samba, RPC calls that are not presently
> supported. The Samba Team has not been able to gain critical overall
> support for all project maintainers to work together on the complex
> challenge of developing and integrating the necessary technologies.
> Therefore, if the Samba Team does not make it a priority to absorb
> Kerberos and LDAP functionality into the Samba project, this dream
> request can not become a reality.
> 
>    At this time, the integration of LDAP, Kerberos, and the missing
> RPCs is not on the Samba development roadmap. If it is not on the
> published roadmap, it cannot be delivered anytime soon. Ergo, ADS
> server support is not a current goal for Samba development. The Samba
> Team is most committed to permitting Samba to be a full ADS Domain
> member that is increasingly capable of being managed using Microsoft
> Windows MMC tools."
> ----- End Quote -----
> 
> Clear, isn't it?
> 
> Muriel

Right, but the cited document (which I do believe can be downloaded from
where Piviul says) argues something different: it sets up a
kerberos/ldap structure through which all clients, whether Windows or Unix,
can obtain authentication.
It is a very different road, but in the end it could (with suitable
adaptations) lead to places that are very close.

aldo



