A proposal for an MIT KDC for Samba4

Andrew Bartlett abartlet at samba.org
Mon Oct 12 05:32:31 MDT 2009

On Mon, 2009-10-12 at 13:25 +0200, Ondrej Valousek wrote:
> Hi Andrew,
> > We can't use a pre-installed MIT KDC because what we want is an AD KDC.
> > FreeIPA proposes to use the MIT KDC, but even then it won't be anything
> > like the one you already have. 
> >   
> I know AD KDC is a bit different than MIT KDC (no kadmin interface, SPN 
> vs. UPN etc...) but the base functionality is the same right? For fully 
> Kerberized environment (login, ssh, nfs4) one can use either MIT KDC or 
> AD KDC - so I thought that maybe the base functionality can be taken 
> from MIT.

We chose to take it from Heimdal, and to build it in.  It really does
work better this way. 

> > The same applies on existing OpenLDAP installs - we can back against
> > OpenLDAP, but using the AD schema.  FreeIPA proposes to synchronise
> > between their unix and AD view.  The mappings and experience they
> > develop may be useful in your environment at some point, but Windows
> > clients require that port 389 looks like AD.
> >   
> AD as of Windows server 2008 employs partial RFC2307 so one schema 
> should be sufficient for both OSes - I did not know that port 389 needs 
> to "look like AD" for Win clients though. Maybe some wrapper around 
> OpenLDAP server would be sufficient?
> In general, I hate any idea of "synchronization" as this is the first 
> thing most likely to break.
> Anyway - I know you guys are doing your best - I was just curious why do 
> we need to "reinvent the wheel" again....
> Many thanks,

We reinvent only what we have to, and even then, using Heimdal as our
Kerberos subsystem was exactly to avoid reinventing. 

Regarding wrapping an existing OpenLDAP server, efforts to revive the
'samba3sam' module and provide a mapping between Samba4 and an existing
OpenLDAP server are welcome, but we expect it will take a lot of

AD-like domains look simple until you spend 4 years working on building

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.