A proposal for an MIT KDC for Samba4

Ondrej Valousek webserv at s3group.cz
Mon Oct 12 05:25:54 MDT 2009

Hi Andrew,

> We can't use a pre-installed MIT KDC because what we want is an AD KDC.
> FreeIPA proposes to use the MIT KDC, but even then it won't be anything
> like the one you already have.
I know the AD KDC is a bit different from the MIT KDC (no kadmin interface, SPN
vs. UPN, etc.), but the base functionality is the same, right? For a fully
Kerberized environment (login, ssh, nfs4) one can use either the MIT KDC or the
AD KDC - so I thought that maybe the base functionality could be taken
from MIT.
> The same applies on existing OpenLDAP installs - we can back against
> OpenLDAP, but using the AD schema.  FreeIPA proposes to synchronise
> between their unix and AD view.  The mappings and experience they
> develop may be useful in your environment at some point, but Windows
> clients require that port 389 looks like AD.
AD as of Windows Server 2008 employs partial RFC 2307, so one schema
should be sufficient for both OSes - I did not know that port 389 needs
to "look like AD" for Win clients, though. Maybe some wrapper around the
OpenLDAP server would be sufficient?
In general, I hate any idea of "synchronization", as this is the first
thing most likely to break.

Anyway - I know you guys are doing your best - I was just curious why
we need to "reinvent the wheel" again....
Many thanks,
