A proposal for an MIT KDC for Samba4

Dmitri Pal dpal at redhat.com
Mon Oct 12 08:29:57 MDT 2009

Andrew Bartlett wrote:
> On Mon, 2009-10-12 at 13:25 +0200, Ondrej Valousek wrote:
>> Hi Andrew,
>>> We can't use a pre-installed MIT KDC because what we want is an AD KDC.
>>> FreeIPA proposes to use the MIT KDC, but even then it won't be anything
>>> like the one you already have. 
>> I know AD KDC is a bit different than MIT KDC (no kadmin interface, SPN 
>> vs. UPN etc...) but the base functionality is the same right? For fully 
>> Kerberized environment (login, ssh, nfs4) one can use either MIT KDC or 
>> AD KDC - so I thought that maybe the base functionality can be taken 
>> from MIT.
> We chose to take it from Heimdal, and to build it in.  It really does
> work better this way. 
>>> The same applies on existing OpenLDAP installs - we can back against
>>> OpenLDAP, but using the AD schema.  FreeIPA proposes to syncornise
>>> between their unix and AD view.  The mappings and experience they
>>> develop may be useful in your environment at some point, but Windows
>>> clients require that port 389 looks like AD.
>> AD as of Windows server 2008 employs partial RFC2307 so one schema 
>> should be sufficient for both OSes - I did not know that port 389 needs 
>> to "look like AD" for Win clients though. Maybe some wrapper around 
>> OpenLdap server would be sufficient?
>> In general, I hate any idea of "synchronization" as this is the first 
>> thing most likely to break.
>> Anyway - I know you guys are doing your best - I was just curious why do 
>> we need to "reinvent the wheel" again....
>> Many thanks,
> We reinvent only what we have to, and even then, using Heimdal as our
> Kerberos subsystem was exactly to avoid reinventing. 
> Regarding wrapping an existing OpenLDAP server, efforts to revive the
> 'samba3sam' module and provide a mapping between Samba4 and an existing
> OpenLDAP server are welcome, but we expect it will take a lot of
> effort. 
> AD-like domains look simple until you spend 4 years working on building
> one. 
> Andrew Bartlett

We in the freeIPA project tried to find some solution to the problem of
two KDCs and two different schemas.
The issues turn out to be much more challenging than it looked on the
surface. Making Heimdal KDC swappable is a huge body of work and it is
unclear why it should be done.
What we ended up deciding is that we will not try to rip Heimdal KDC or
kerberos client library from Samba 4 code.
I will be wasted time and will bring more destabilization to the Samba
code than needed.
Instead Andrew agreed to add an option to stop Heimdal KDC from
listening on the kerberos port.
FreeIPA solution includes MIT KDC. It will listen for the requests from
clients. In our case clients are Windows and UNIX/Linux machines.
MIT KDC will serve as KDC for both on KDC port but Samba 4 listens on
all sorts of other ports for other communication coming from Windows
clients. For those the internally run heimdal KDC should be still
active. It will be a lot of extra work to make it a "clean" swappable
KDC solution.
Now we are looking at making MIT KDC be able to interact with Samba 4
via RPC to get things like PAC so that we do not need to duplicate the
effort (Samba is already capable of building PACs so we want to reuse it
rather than reinvent the wheel in the MIT code.) But MIT ldap driver
uses 2307 schema while Samba uses AD style schema. Synchronization of
the two trees is something that we came up as a first phase solution to
tree differences problem. We have a prototype of this part and it seems
to work good enough for us to decide to build the solution around it.
In future other approaches can be considered, but synchronization is a
low hanging fruit for now, though everybody agrees that synchronizations
are bad.

Some more detailed design information can be found here:

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

More information about the samba-technical mailing list