Generating krb5.keytab
Andrew Bartlett
abartlet at samba.org
Sat Jun 14 12:12:47 GMT 2008
On Sat, 2008-06-14 at 12:54 +0300, Sergey Yanovich wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-06-12 at 11:08 +0300, Sergey Yanovich wrote:
> >> There maybe a few points to consider:
> >> 1. Samba will probably be much happier in the long run, if it manages to
> >> put 'hdb_samba4.so' (and 'win_dc' plugin as well) into Heimdal's tree,
> >> so that it is updated/patched together with the rest of their code.
> >
> > I don't expect this to happen. The reason these are plugins to
> > Heimdal's stable API and ABI rather than the other way around is because
> > they are better maintained in Samba (they use a *lot* of Samba) and
> > because we expect to maintain them as part of Samba into the future. A
> > good packaging will of course place them in the right filesystem
> > location to be used by Heimdal.
>
> If plug-ins use only stable ABI, this approach is fine.
>
> >> 3. Using external KDC is a solution that address both 1. and 2. from
> >> above. However, the solution seems to be in a distant future. However,
> >> there is a half-way solution: internally build the external KDC with
> >> proposed Samba-related patches. This will require an /etc/init.d-style
> >> script to launch that KDC after Samba, similarly to how smbd is launched
> >> after nmbd in Samba 3.
> >
> > I do not expect this to happen, because I don't see what benefits it
> > brings us. One of the gains in Samba4 is that we don't leave the
> > administrator the launch interdependent services, but instead provide it
> > in one deamon. Samba may be a marvel of Software Engineering, but it
> > does not follow that our users should have to see it's internal
> > construction for it to start :-)
>
> The question is rather "see it's internal construction to use it". See
> Samba4 is on the linux server, and is using a linux KDC, it is natural
> to manage it in linux way.
But it is a very long way from a linux server in the services in
provides, and (more importantly) the integrated way they must be
provided.
> BTW, I don't see much difference from user's point of view between
> Samba4 *being* KDC and Samba4 *starting* KDC the same way Samba3 starts
> nmbd.
I see that as a flaw in Samba3's design (based on it's history and with
good reason at the time), not an advantage.
> Samba4 and Kerberos may be managed by people in different organizational
> units, so having this option maybe useful.
Sadly due to Microsoft's design of AD, these must be co-located. That
said, I certainly understand where you are coming from - it mirrors many
of the discussions we had when Samba4 first started, and first looked at
using or building a KDC. People who understand Kerberos are naturally
very protective of their KDCs, and their initial comments were similar.
> However, I understand, that
> resources are always limited, and the only available path is the one of
> least resistance. With that said, as I stated before, the current path
> may result in certain adoption resistance. Samba3 isn't usually the
> central part of linux domain infrastructure, it simply provides one of
> the services. Samba4 is going to alter the things here significantly,
> and was thinking about ways to soften transition/interop issues.
It is an unfortunate part of the way AD is designed, and the overlap of
services. We hope to allow Samba4 to be a consumer of an external
directory (this is the purpose of the LDAP backend project), but it will
always be a big intrusion on the rest of the infrastructure, simply
because of the protocols it must serve.
I appreciate your comments, and don't mean to just push them aside. As
you have seen, we are looking to move to a system-provided KDC (in the
form of Heimdal libkdc, which smbd will link to), but I strongly believe
that Kerberos as-is is way to hard to manage, and that of the big things
Microsoft got right with AD is that kerberos is 'just there'.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20080614/5eb46470/attachment.bin
More information about the samba-technical
mailing list