A proposal for an MIT KDC for Samba4

Andrew Bartlett abartlet at samba.org
Mon Oct 12 04:07:28 MDT 2009


On Mon, 2009-10-12 at 11:18 +0200, Ondrej Valousek wrote:
> Question:
> 
> Does it mean that Samba4 includes its own KDC (based on Heimdal) as well 
> as an LDAP server?

Yes.

> I thought (well, hoped) that Samba4 will make it possible to integrate 
> existing pre-installed MIT KDC and OpenLDAP server creating a complete 
> identity management system for both Windows and Unix systems.

We can't use a pre-installed MIT KDC because what we want is an AD KDC.
FreeIPA proposes to use the MIT KDC, but even then it won't be anything
like the one you already have. 

The same applies on existing OpenLDAP installs - we can back against
OpenLDAP, but using the AD schema.  FreeIPA proposes to synchronise
between their unix and AD view.  The mappings and experience they
develop may be useful in your environment at some point, but Windows
clients require that port 389 looks like AD. 

> If Samba wants to ship everything on its own, it would make it too 
> bloated I think...

It is no more bloated than it needs to be.  We had much the same
discussion when we started, but the past few years have validated our
approach.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.