KDC built in or out of smbd

Andrew Bartlett abartlet at samba.org
Wed Nov 30 11:51:18 GMT 2005

On Wed, 2005-11-30 at 11:31 +0000, Neil Hoggarth wrote:
> On Wed, 30 Nov 2005, Andrew Bartlett wrote:
> > On Wed, 2005-11-30 at 09:09 +1100, Tim Potter wrote:
> >
> > > Last time this was discussed the option to hook in an external KDC, 
> > > if there is one available on the network, was raised.  Is this still 
> > > the case?
> >
> > Yes and No... There is not currently any way to hook in an external 
> > KDC, but we have shown that should an external KDC happen to share the 
> > same database, simply disabling our KDC would suffice.
> 
> The O'Reilly book "Kerberos: The Definitive Guide" has a section on 
> Windows/Unix interoperability where it suggests that one can use a 
> non-MS KDC with a Windows Active Directory server, by establishing a 
> cross-realm trust relationship between the AD realm and the pre-existing 
> realm.
> 
> Is something like this likely to be possible with Samba 4?

Only to the same level of function as this achieves with Windows.  I
don't know the full details, but my understanding is that it introduces
compromises in the operation.  

It doesn't change the KDC for the AD realm, it just allows users in a
different KDC to login.

> I have previously entertained hopes of using Samba 4 as a "glue layer" 
> between an existing MIT-based University-wide Kerberos service (which is 
> not under my administrative control) and a Windows domain which I would 
> administer on my department's local LAN. I get less hopeful the more I 
> learn about AD, but any encouragement would be gratefully received!

I don't see Samba4 filling any different role than an AD deployment
would.  For our own KDC we require very specific 'AD' semantics, and a
shared backend, so your separately administered KDC would not fit.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
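For readers unfamiliar with what the "cross-realm trust" mentioned above actually consists of, the following krb5.conf fragment is an added illustration; it is not from this thread, from Samba, or from the O'Reilly book. Realm names, hostnames and domain suffixes are placeholders. It shows the client-side configuration for a two-realm trust between a pre-existing MIT realm and an AD realm, which is exactly the arrangement discussed above: the AD realm keeps its own KDC, and principals from the MIT realm merely become able to obtain service tickets for AD services.

```ini
# Added illustration, not part of the mailing-list thread or of Samba.
# Placeholder realms: MIT.EXAMPLE.ORG is the existing MIT realm,
# AD.EXAMPLE.ORG is the Windows/Samba4 AD realm. Hostnames are assumed.
[libdefaults]
    default_realm = MIT.EXAMPLE.ORG

[realms]
    MIT.EXAMPLE.ORG = {
        kdc = kdc.mit.example.org
        admin_server = kdc.mit.example.org
    }
    AD.EXAMPLE.ORG = {
        kdc = dc1.ad.example.org
        admin_server = dc1.ad.example.org
    }

# Map service hostnames to the realm whose KDC issues tickets for them.
[domain_realm]
    .mit.example.org = MIT.EXAMPLE.ORG
    .ad.example.org = AD.EXAMPLE.ORG

# Direct trust path in both directions. With only two realms the default
# hierarchical walk would find it anyway; stating it avoids surprises.
[capaths]
    MIT.EXAMPLE.ORG = {
        AD.EXAMPLE.ORG = .
    }
    AD.EXAMPLE.ORG = {
        MIT.EXAMPLE.ORG = .
    }
```

The configuration alone does nothing: the trust rests on the cross-realm principal krbtgt/AD.EXAMPLE.ORG@MIT.EXAMPLE.ORG (and krbtgt/MIT.EXAMPLE.ORG@AD.EXAMPLE.ORG for the reverse direction) existing with an identical key in both KDC databases, created with kadmin on the MIT side and with the realm-trust tooling on the Windows side. To verify the path, kinit as a MIT-realm user, access a service in the AD realm, and check that klist now shows a krbtgt/AD.EXAMPLE.ORG@MIT.EXAMPLE.ORG ticket alongside the local TGT. Note also the limitation Andrew points to above: the AD KDC is untouched, and AD must still map the foreign principal to an account of its own (for example via altSecurityIdentities) before it will authorise anything, which is where the compromises in operation come from.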