KDC built in or out of smbd

Andrew Bartlett abartlet at samba.org
Wed Nov 30 09:45:08 GMT 2005

On Wed, 2005-11-30 at 10:09 +0100, Volker Lendecke wrote:
> On Wed, Nov 30, 2005 at 09:56:29AM +0100, Marc Balmer wrote:
> > Having the LDAP server, KDC, RPC services, and fileserver on the same
> > host mandatory would be a major drawback.  At least for the LDAP and
> > KDC it should be possible to run them on different machines.
> Sorry to be so direct, but Windows clients expect those services to be
> available under the same IP address. You could in theory play nasty games with
> port forwarding, but this would be an administrative nightmare.

And even with port forwarding, we have major problems:  A client may
(currently doesn't, but with Win2k3 and a registry setting may, and unix
clients do) encode its client address in the KDC requests.

The KDC should then reject the request, because it has been forwarded...

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
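
The address problem described above, as an added illustration (not code from Samba or from the message's author). It models the RFC 4120 rule that a ticket's caddr list is compared with the address the request actually arrived from; the function names and sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constants from RFC 4120
ADDRTYPE_IPV4 = 2
ADDRTYPE_IPV6 = 24
KDC_ERR_NONE = 0
KRB_AP_ERR_BADADDR = 38


def host_address(ip):
    """Encode an IP string as a Kerberos HostAddress: (addr-type, raw bytes)."""
    parsed = ipaddress.ip_address(ip)
    addr_type = ADDRTYPE_IPV4 if parsed.version == 4 else ADDRTYPE_IPV6
    return (addr_type, parsed.packed)


@dataclass
class Ticket:
    client: str
    # Addresses the client asked the ticket to be bound to.
    # An empty list is an addressless ticket, usable from anywhere.
    caddr: list = field(default_factory=list)


def check_sender_address(ticket, packet_source_ip):
    """Compare the ticket's caddr list with the source address of the packet."""
    if not ticket.caddr:
        return KDC_ERR_NONE
    if host_address(packet_source_ip) in ticket.caddr:
        return KDC_ERR_NONE
    # The request came from an address the ticket is not valid for,
    # which is what a port forwarder in front of the KDC looks like.
    return KRB_AP_ERR_BADADDR


def demo():
    """Constructed scenario: client 192.0.2.10, port forwarder 192.0.2.1."""
    bound = Ticket("alice@EXAMPLE.COM", [host_address("192.0.2.10")])
    addressless = Ticket("alice@EXAMPLE.COM")
    return {
        "direct": check_sender_address(bound, "192.0.2.10"),
        "forwarded": check_sender_address(bound, "192.0.2.1"),
        "addressless_forwarded": check_sender_address(addressless, "192.0.2.1"),
    }


if __name__ == "__main__":
    print(demo())
```
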