Current ideas on kerberos requirements for Samba4

[Sam Hartman]

>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:

    >> own KDC and that is where I have concerns.

    Andrew> I'm really not trying to screw MIT (or anybody else) over,


I certainly have never gotten that impression.  Your phrasing of
certain things has made things challenging on a political level but I
understand your goal is to get a good technical solution not to play
politics.


I do think the discussion here is mostly technical and I'd like to
keep it that way.

As an aside, I've invited some vendors to join in and contribute
requirements.  I hope they will join, but more importantly I hope they
will contribute the necessary resources (or fund others) to make their
requirements a reality.  That's the only way technical problems get
solved.



Let me summarize the requirements I'm hearing today and see if we're on the same page:

1) Samba must be usable.  It must provide a single integrated solution
   that works for users with no knowledge of Kerberos, LDAP and other
   protocols.

2) Samba needs to be involved in most aspects of the KDC request handling.  It needs to add PAC data.  It needs  to authorize or deny requests.

3) Samba needs to keep account data in sync between Kerberos, LDAP and
   other protocols that access that data.  Passwords are particularly
   challenging to sync.  Samba plans to meet this need by storing all
   the data in a Samba-managed database and to manage password->key operations itself.

4) Vendors and sites want a single Kerberos implementation from a
   security patch, local extension and maintainability standpoint.

5) Vendors want to integrate Samba as one protocol frontend/data
   producer into larger systems.  We haven't really heard from the
   vendors on this one; it is mostly me babling on this point.


6) Kerberos implementers want to minimize code forks.

7) Kerberos implementers want to minimize the number of
   interoperability test targets.