Current ideas on kerberos requirements for Samba4
hartmans at mit.edu
Wed May 25 02:48:07 GMT 2005
>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
>> own KDC and that is where I have concerns.
Andrew> I'm really not trying to screw MIT (or anybody else) over,
I certainly have never gotten that impression. Your phrasing of
certain things has made things challenging on a political level but I
understand your goal is to get a good technical solution not to play
I do think the discussion here is mostly technical and I'd like to
keep it that way.
As an aside, I've invited some vendors to join in and contribute
requirements. I hope they will join, but more importantly I hope they
will contribute the necessary resources (or fund others) to make their
requirements a reality. That's the only way technical problems get
Let me summarize the requirements I'm hearing today and see if we're on the same page:
1) Samba must be usable. It must provide a single integrated solution
that works for users with no knowledge of Kerberos, LDAP and other
2) Samba needs to be involved in most aspects of the KDC request handling. It needs to add PAC data. It needs to authorize or deny requests.
3) Samba needs to keep account data in sync between Kerberos, LDAP and
other protocols that access that data. Passwords are particularly
challenging to sync. Samba plans to meet this need by storing all
the data in a Samba-managed database and to manage password->key operations itself.
4) Vendors and sites want a single Kerberos implementation from a
security patch, local extension and maintainability standpoint.
5) Vendors want to integrate Samba as one protocol frontend/data
producer into larger systems. We haven't really heard from the
vendors on this one; it is mostly me babbling on this point.
6) Kerberos implementers want to minimize code forks.
7) Kerberos implementers want to minimize the number of
interoperability test targets.