A proposal for an MIT KDC for Samba4
webserv at s3group.cz
Mon Oct 12 05:25:54 MDT 2009
> We can't use a pre-installed MIT KDC because what we want is an AD KDC.
> FreeIPA proposes to use the MIT KDC, but even then it won't be anything
> like the one you already have.
I know an AD KDC is a bit different from an MIT KDC (no kadmin interface, SPN
vs. UPN, etc.), but the base functionality is the same, right? For a fully
Kerberized environment (login, ssh, nfs4) one can use either an MIT KDC or an
AD KDC - so I thought that maybe the base functionality can be taken
> The same applies to existing OpenLDAP installs - we can back against
> OpenLDAP, but using the AD schema. FreeIPA proposes to synchronise
> between their unix and AD view. The mappings and experience they
> develop may be useful in your environment at some point, but Windows
> clients require that port 389 looks like AD.
AD as of Windows Server 2008 employs partial RFC 2307, so one schema
should be sufficient for both OSes - I did not know that port 389 needs
to "look like AD" for Windows clients, though. Maybe some wrapper around the
OpenLDAP server would be sufficient?
In general, I hate any idea of "synchronization", as this is the first
thing most likely to break.
Anyway - I know you guys are doing your best - I was just curious why
we need to "reinvent the wheel" again...