Current ideas on kerberos requirements for Samba4

Andrew Tridgell tridge at osdl.org
Tue May 24 22:09:13 GMT 2005 

Howard,

If we were primarily aiming for sites that have a real sysadmin, then
I'd somewhat agree with you that all our users should learn to
properly understand how kerberos works. A sysadmin should understand
these things.

In the early days of Samba it was most common that real sysadmins
installed it. In those days the typical user would worry about what
socket options were set and whether their routers were setup to
forward broadcasts. In those days I would have had no problem saying
'learn about kerberos to use Samba' as our users would have relished
the challenge.

Our typical user profile has changed a lot over the years. These days
the typical Samba site has no sysadmin. It is installed by doctors,
teachers and other professionals who are smart in their own field, but
don't care about the intricacies of how Samba works, they just want it
to serve files. Typically they have a network of just a few Windows
PCs in a single realm (though they don't know what a 'realm' is).

We still want to work well for the 'enterprise' users, where there is
one or more fulltime sysadmins, thousands of users and many realms
with trust relationships, but those sites only represent a small
fraction of the user base. For those users it is no problem that they
have to add a couple more lines to a config file to point smbd at an
existing KDC and ldap server. Those are the users that push the
boundaries of what Samba can do, and we love working with them as they
provide great feedback. Those are the users who currently run Samba3
as a PDC with a ldap backend for example. We really want to accomodate
them for Samba4, but we must not sacrifice our 'doctors and teachers'
users in doing so.

One thing I've seen with Samba is what I call the 'free software life
cycle'. It goes like this:

  - site starts as pure windows
  - site tries out Linux and Samba on an old PC
  - it works well, so they try apache
  - that works well, so they try some scripting (maybe perl or python)
  - a few of the users see Linux doing well, and try it on the desktop
  - those do well, and more follow
  - everyone is now running Linux, so they stop using Samba

It's not often that I see the cycle come all the way to completion,
but it certainly is fun when it happens! Samba is no longer needed,
but it played an important role in getting them started.

It really is quite common that Samba is the first free software
package that a site tries. If you think about it, I think you would
agree that kerberos is almost never the first free software package
someone tries. We have to make a good first impression, and that means
making stuff as easy as we possibly can.

Cheers, Tridge

More information about the samba-technical mailing list