KDC built in or out of smbd
abartlet at samba.org
Wed Nov 30 11:51:18 GMT 2005
On Wed, 2005-11-30 at 11:31 +0000, Neil Hoggarth wrote:
> On Wed, 30 Nov 2005, Andrew Bartlett wrote:
> > On Wed, 2005-11-30 at 09:09 +1100, Tim Potter wrote:
> > > Last time this was discussed the option to hook in an external KDC,
> > > if there is one available on the network, was raised. Is this still
> > > the case?
> > Yes and No... There is not currently any way to hook in an external
> > KDC, but we have shown that should an external KDC happen to share the
> > same database, simply disabling our KDC would suffice.
> The O'Reilly book "Kerberos: The Definitive Guide" has a section on
> Windows/Unix interoperability where it suggests that one can use a
> non-MS KDC with a Windows Active Directory server, by establishing a
> cross-realm trust relationship between the AD realm and the pre-existing
> Is something like this likely to be possible with Samba 4?
Only to the same level of function as this achieves with Windows. I
don't know the full details, but my understanding is that it introduces
compromises in the operation.
It doesn't change the KDC for the AD realm, it just allows users in a
different KDC to login.
> I have previously entertained hopes of using Samba 4 as a "glue layer"
> between an existing MIT-based University-wide Kerberos service (which is
> not under my administrative control) and a Windows domain which I would
> administer on my department's local LAN. I get less hopeful the more I
> learn about AD, but any encouragement would be gratefully received!
I don't see Samba4 filling any different role than an AD deployment
would. For our own KDC we require very specific 'AD' semantics, and a
shared backend, so your separately administered KDC would not fit.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051130/0dfa94fa/attachment.bin
More information about the samba-technical