Current ideas on kerberos requirements for Samba4
tonye at billy.demon.nl
Tue May 24 19:13:14 GMT 2005
Paul Kölle wrote:
> I might add that AD is in some way an "enabling technology" for
> Microsoft. People buy it to get the best out of other MS technologies
> like Sharepoint or Exchange, it is the glue and cornerstone of an MS
> based network infrastructure.
The problem is, that AFAICS there is no way Samba of any ilk will ever
get to be a mini-Microsoft surrogate. It will never get to interface
with Exchange (think of mapi). Not that there aren't already excellent
alternatives to Exchange, as has been pointed out in other threads and
Wat Samba will ever be good for (and nothing else) is authentication in
a Windows (whatever) environment and file and print. Microsoft need
never be worried.
Having witnessed the great one-sided slag-off between Howard Chu (for
whom I have the greatest respect and admiration for what he personally
has achieved) and many of the Samba team , I'd side myself on Howard's
side, in as much as samba will =have= to keep itself on the side of
modularity if it wishes to gain any place in a team leader in OS utilities.
There is no way Samba will ever become an acceptable mini LDAP server.
There is no way Samba will ever become a potted KDC server, NO WAY.
These services are modular and always based on site-wide configurations
often involving many discreet site configurations. It may well be so
that the Samba team wishes this were possible and is attempting to
implement it for the greater good of the unwashed (lusers), but it can
For every so-called successful implementation of the IDEALX Samba LDAP
on-the-fly crap utilities, there's a subsequent LDAP administrator who
can't tell his AFHT as far as LDAP s concerned and will never be able to
get his LDAP DSE to do what he wants extra (and that's one heck of a
lot) ever again. Because he now does not know his AFHT and has =no way=
of ever finding out how. Were he to do so, his self-confidence would, at
that point, be so deflated, that he'd simply cave in and give up.
It should be noted that I have the greatest admiration for the Samba
team in their wishing to confer Windows-ignorant system configuration
possibilities onto the great unwashed. It's almost religious, like going
to heaven. However, what the team is actually striving for is isolation.
The team should never forget that, whether it likes it or not, there is
a huge mental difference between most Windows and most Unix sysadmins.
It would be counter-productive to wish to confer the average Windows
sysadmin's mentality onto a Unix sysadmin. There is *NO* single major
Unix utility that I know of that even attempts that. Nuff said.
I don't know if that is a goal for samba.
> Personally I'd rather like to see it as a bridge for windows clients to
> an unix network, e.g. if samba will be able to trick clients into an
> kerberos backed domain and hand them out tickets, one will be able to
> finally use Kerberos/GSSAPI with all SASL enabled services. I'd love to
> see my windows clients doing http/imap/cvs/whatever with a ticket
> obtained from samba.
> BTW: This is a great discussion. I think it is very important for
> users/administrators to be aware of the conceptual issues samba has to
> cope with. This is invaluable background information a HOWTO will never
> provide. I hope to read some more details about the issues mapping AD
> concepts to "standard" protocols (e.g. nested/universal groups)
With the latter I am completely in agreement.
mail: tonye at billy.demon.nl
They'll love us, won't they? They feed us, don't they ? ...
More information about the samba-technical