Current ideas on kerberos requirements for Samba4
Sam Hartman
hartmans at mit.edu
Tue May 24 20:26:03 GMT 2005
>>>>> "Alan" == Alan DeKok <aland at ox.org> writes:
Alan> "James F. Hranicky" <jfh at cise.ufl.edu> wrote:
>> I don't know the intimate details of what AD clients expect
>> from an AD controller, but I wonder if perhaps the requirements
>> could be addressed by a meta-smbd of sorts? The meta-smbd acts
>> as an AD controller, but passes off requests for various
>> services to the respective daemons,
Alan> Except that AD requires that the other protocols talk to
Alan> each other, too. That is, they *all* share a common data
Alan> set, and each protocol must server a view of the database,
Alan> and that view must be consistent across all protocols. This
Alan> integration means that much of the internal state of each
Alan> daemon must be exposed to others, and must be modifiable by
Alan> others.
Yes, but keep in mind two things:
1) This state should be exposed through well-defined interfaces to
allow for extensibity and code abstraction. It should not be
exposed through sticking everything together in one process. Even
Microsoft is finding that model is not working for them.
2) Long term, we need to allow our models to grow beyond the model
Microsoft has provided for us. The right model for a collection of
Unix machines using NFSV4 isn't the same model as AD. Clearly you
need a way of exposing an AD schema to the AD protocols (including
LDAP) but you also need a way to move beyond that schema internally
so you can support all the environments that will run in your
Kerberos infrastructure.
More information about the samba-technical
mailing list