A proposal for an MIT KDC for Samba4
webserv at s3group.cz
Mon Oct 12 11:29:32 MDT 2009
> We in the freeIPA project tried to find some solution to the problem of
> two KDCs and two different schemas.
> The issues turn out to be much more challenging than it looked on the
> surface. Making Heimdal KDC swappable is a huge body of work and it is
> unclear why it should be done.
> What we ended up deciding is that we will not try to rip Heimdal KDC or
> kerberos client library from Samba 4 code.
> I will be wasted time and will bring more destabilization to the Samba
> code than needed.
> Instead Andrew agreed to add an option to stop Heimdal KDC from
> listening on the kerberos port.
> FreeIPA solution includes MIT KDC. It will listen for the requests from
> clients. In our case clients are Windows and UNIX/Linux machines.
> MIT KDC will serve as KDC for both on KDC port but Samba 4 listens on
> all sorts of other ports for other communication coming from Windows
> clients. For those the internally run heimdal KDC should be still
> active. It will be a lot of extra work to make it a "clean" swappable
> KDC solution.
> Now we are looking at making MIT KDC be able to interact with Samba 4
> via RPC to get things like PAC so that we do not need to duplicate the
> effort (Samba is already capable of building PACs so we want to reuse it
> rather than reinvent the wheel in the MIT code.) But MIT ldap driver
> uses 2307 schema while Samba uses AD style schema. Synchronization of
> the two trees is something that we came up as a first phase solution to
> tree differences problem. We have a prototype of this part and it seems
> to work good enough for us to decide to build the solution around it.
> In future other approaches can be considered, but synchronization is a
> low hanging fruit for now, though everybody agrees that synchronizations
> are bad.
> Some more detailed design information can be found here:
Thanks for pointing me on freeipa - great project!
I agree exactly that Linux always lacked a robust identity management
system - something like Active Directory for Linux. There were attempts
to achieve this with just a Directory server (I remember the Sun's
iPlanet DS) and I always thought that this is no match to AD.
I believe AD does it a right and quite transparently (although I must
agree with Andrew's "AD-like domains look simple until you spend 4 years
working on building one.") and I am happy to see that IPA is trying to
achieve the same.
So I understand it that freeIPA is basically Active Directory for Unix -
this makes a sense for Unix-only networks.
1. For mixed Windows&Unix networks with a native AD Controller, nothing
is necessary (just existing Samba 3 & winbind does the job nicely - no
Centrify/Vintella is actually needed - see my blog:
2. For purely Unix networks just existing freeIPA does the job (no Samba
3. We are talking here about mixed networks with no native ADC. So right
now you say freeIPA can coexist with Samba4 (with effectively two KDC's
and two synchronized DS's) - taking into account that Samba4 is still
highly experimental, this seems to me simply to crazy to be actually
Please let me know if I am missing something.
More information about the samba-technical