KDC built in or out of smbd

Andrew Bartlett abartlet at samba.org
Wed Nov 30 09:45:08 GMT 2005


On Wed, 2005-11-30 at 10:09 +0100, Volker Lendecke wrote:
> On Wed, Nov 30, 2005 at 09:56:29AM +0100, Marc Balmer wrote:
> > Having the LDAP server, KDC, RPC services, and fileserver on the same
> > host mandatory would be a major drawback.  At least for the LDAP and
> > KDC it should be possible to run them on different machines.
> 
> Sorry to be so direct, but Windows clients expect those services to be
> available under the same IP address. You could in theory play nasty games with
> port forwarding, but this would be an administrative nightmare.

And even with port forwarding, we have major problems:  A client may
(currently doesn't, but with Win2k3 and a registry setting may, and unix
clients do) encode its client address in the KDC requests.  

The KDC should then reject the request, because it has been forwarded...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
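
A simplified model of the address check described in the message above, added here as an example (it is not code from the post, Samba or any KDC implementation): the KDC compares the addresses the client encoded with the source address it actually observed, which behind a port forwarder is the forwarder's own. The struct, function names, `require` flag and sample addresses are assumptions made for illustration; the two numeric constants are from RFC 4120.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDRTYPE_IPV4 2        /* HostAddress type for IPv4, RFC 4120 */
#define KRB_AP_ERR_BADADDR 38  /* "incorrect net address", RFC 4120 */

/* Simplified HostAddress; hypothetical struct for this example. */
struct host_address { int32_t addr_type; size_t len; uint8_t data[16]; };

/* Build an IPv4 HostAddress from four octets. */
struct host_address ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    struct host_address h = { ADDRTYPE_IPV4, 4, { a, b, c, d } };
    return h;
}

/*
 * Return 0 to accept, KRB_AP_ERR_BADADDR to reject.
 * addrs:   addresses the client encoded (n_addrs == 0: none sent)
 * from:    source address the KDC observed on the socket
 * require: assumed policy flag; when set, requests without addresses fail
 */
int check_client_address(const struct host_address *addrs, size_t n_addrs,
                         const struct host_address *from, int require)
{
    size_t i;

    if (n_addrs == 0)
        return require ? KRB_AP_ERR_BADADDR : 0;
    for (i = 0; i < n_addrs; i++)
        if (addrs[i].addr_type == from->addr_type &&
            addrs[i].len == from->len &&
            memcmp(addrs[i].data, from->data, from->len) == 0)
            return 0;
    return KRB_AP_ERR_BADADDR;
}

int main(void)
{
    /* Constructed addresses: the client, and the forwarder the KDC sees. */
    struct host_address client = ipv4(192, 0, 2, 10);
    struct host_address fwd = ipv4(198, 51, 100, 1);

    printf("direct:    %d\n", check_client_address(&client, 1, &client, 0));
    printf("forwarded: %d\n", check_client_address(&client, 1, &fwd, 0));
    printf("no addrs:  %d\n", check_client_address(NULL, 0, &fwd, 0));
    return 0;
}
```

A request that carries no addresses passes through the forwarder unchanged, while one that encodes the client's real address fails the comparison.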

