Current ideas on kerberos requirements for Samba4

Andrew Tridgell tridge at osdl.org
Tue May 24 13:42:48 GMT 2005


Howard,

The type of users we are aiming at are not the ones who read
documentation on ancillary packages. We have trouble enough getting
our users to read the Samba docs, let alone reading the docs on half a
dozen external services they would need to install to make Samba4
work.

For the types of end users we are aiming for, setting up a kerberos
realm is like asking them to set up /etc/memcpy.conf. The fact that we
call memcpy() in Samba is completely irrelevant to what our users are
trying to achieve, which is to install a file server for their windows
clients.  They don't care that we use memcpy(), and they don't care
that recent versions of windows now send auth packets formatted
according to krb5 standards.

I think that Samba3 is far too hard to install and configure. I want
to make Samba4 much easier, and my fear is that it will in fact become
much harder as we start to become dependent on more external tools.

Ideally krb5 and ldap would be like our lib/popt/ code. We detect if
the system has a working popt library, and if it does then we use
it. If it doesn't then we use the version we ship with the code.

That is the idea of ldb with the ldap backend. It means people who
don't care about the fact that their network now has an ldap server
can use the builtin ldb code. For those who do care, they can tell
Samba to use an existing ldap server. The default will be to use the
builtin one, as the defaults are meant for the majority who don't know
about the intricacies of ldap.

If we can achieve that with krb5 as well then that would be
great. Andrew Bartlett has been working with lha to try to achieve
that with Heimdal for quite a while. They have made a lot of progress,
but we still don't have anything we can usefully ship, although it's
getting close.

We are not trying to replace the roles that MIT and Heimdal kerberos
have played over the years. If someone wants a KDC, they should
certainly install a real one, and not use Samba as their KDC. What we
want is something that is invisible for people who want to remain
blissfully unaware of the fact that krb5 packets are flying over their
network. They want the Windows admin tools to work and that is it.

One way of looking at this is that we are trying to protect the MIT
and Heimdal communities from the hordes of Samba users asking you
silly questions when Samba4 comes out :-)

Cheers, Tridge
