Current ideas on kerberos requirements for Samba4

Tony Earnshaw tonye at
Tue May 24 19:13:14 GMT 2005

Paul Kölle wrote:

> I might add that AD is in some way an "enabling technology" for
> Microsoft. People buy it to get the best out of other MS technologies
> like Sharepoint or Exchange, it is the glue and cornerstone of an MS
> based network infrastructure.

The problem is, that AFAICS there is no way Samba of any ilk will ever 
get to be a mini-Microsoft surrogate. It will never get to interface 
with Exchange (think of mapi). Not that there aren't already excellent 
alternatives to Exchange, as has been pointed out in other threads and 
other MLs.

Wat Samba will ever be good for (and nothing else) is authentication in 
a Windows (whatever) environment and file and print. Microsoft need 
never be worried.

Having witnessed the great one-sided slag-off between Howard Chu (for 
whom I have the greatest respect and admiration for what he personally 
has achieved) and many of the Samba team , I'd side myself on Howard's 
side, in as much as samba will =have= to keep itself on the side of 
modularity if it wishes to gain any place in a team leader in OS utilities.

There is no way Samba will ever become an acceptable mini LDAP server. 
There is no way Samba will ever become a potted KDC server, NO WAY. 
These services are modular and always based on site-wide configurations 
often involving many discreet site configurations. It may well be so 
that the Samba team wishes this were possible and is attempting to 
implement it for the greater good of the unwashed (lusers), but it can 
never succeed.

For every so-called successful implementation of the IDEALX Samba LDAP 
on-the-fly crap utilities, there's a subsequent LDAP administrator who 
can't tell his AFHT as far as LDAP s concerned and will never be able to 
get his LDAP DSE to do what he wants extra (and that's one heck of a 
lot) ever again. Because he now does not know his AFHT and has =no way= 
of ever finding out how. Were he to do so, his self-confidence would, at 
that point, be so deflated, that he'd simply cave in and give up.

It should be noted that I have the greatest admiration for the Samba 
team in their wishing to confer Windows-ignorant system configuration 
possibilities onto the great unwashed. It's almost religious, like going 
to heaven. However, what the team is actually striving for is isolation. 
The team should never forget that, whether it likes it or not, there is 
a huge mental difference between most Windows and most Unix sysadmins. 
It would be counter-productive to wish to confer the average Windows 
sysadmin's mentality onto a Unix sysadmin. There is *NO* single major 
Unix utility that I know of that even attempts that. Nuff said.

  I don't know if that is a goal for samba.
> Personally I'd rather like to see it as a bridge for windows clients to
> an unix network, e.g. if samba will be able to trick clients into an
> kerberos backed domain and hand them out tickets, one will be able to
> finally use Kerberos/GSSAPI with all SASL enabled services. I'd love to
> see my windows clients doing http/imap/cvs/whatever with a ticket
> obtained from samba.

> BTW: This is a great discussion. I think it is very important for
> users/administrators to be aware of the conceptual issues samba has to
> cope with. This is invaluable background information a HOWTO will never
> provide. I hope to read some more details about the issues mapping AD
> concepts to "standard" protocols (e.g. nested/universal groups)

With the latter I am completely in agreement.



mail: tonye at

They'll love us, won't they? They feed us, don't they ? ...

More information about the samba-technical mailing list