Status of Kerberos Support across Samba versions

Phil Mayers p.mayers at ic.ac.uk
Mon May 8 21:39:26 GMT 2000


Nicolas Williams wrote:
> 
> Phil,
> 
> I hope you don't mind my posting this to samba-technical...


Not at all.


> > MIT can, should and probably will implement an Open Standard, but I
> > don't think MS will; they'll claim that they can't for "technical
> > limitations in the current standard", which is a pretty normal tactic
> > for them - commoditising protocols...
> 
> Right. But if we extend the standard through the standards process in
> such a way as to achieve every technical thing that MS wanted to
> achieve with their extension, then the pressure on MS to dump their
> spec for the new standard will be hard to resist.
> 


Would be nice.


> So have I and others. Look at samba-technical archives around just
> before 1/1/2000.


Nice to know someone else is interested. I'll have to get current with
the 2.4 (2.3pre actually) Linux kernel code and see exactly what needs
to be done.

> You'll also need to deal with the Unix real vs. effective credential
> model. That is, it would be nice to have a real vs. effective SID/RID :)
> and it would be nice to have setsidrid bits in permissions masks on
> files.


Yeah - would be cool to have UID/GIDs as a "legacy" mode.


> At some point this idea will have to be broached to the various kernel
> (Linux, BSD) mailing lists...
> 
> Frankly, I really like the NT domain SID + entity RID model. It leads to
> irresistible features which are particularly desirable in the context of
> organization mergers.
> 
> Nico
> --


Bring it up diplomatically!

The SID model (not to mention NT ACLs) is hugely comprehensive and
quite neat, but I wonder about POSIX compliance in all this - I don't
know how the conformance testing and such would fare. That said, I think
it's worth setting up a test case. I'll take a look at 2.4 once the
first release code is out, and it's starting to settle down a bit...

The question is, if Samba had this option open to it (moving to a more
NT-like security model), would it be too hard to ./configure alongside
the existing code (depends on the API I suppose, but also on the
internal Samba organisation)?

Cheers,
Phil

