A proposal for an MIT KDC for Samba4

Andrew Bartlett abartlet at samba.org
Tue Oct 13 03:50:28 MDT 2009

On Tue, 2009-10-13 at 08:42 +0200, Michael Ströder wrote:
> Dmitri Pal wrote:
> > We in the freeIPA project tried to find some solution to the problem of
> > two KDCs and two different schemas.
> Dmitri, I understand that FreeIPA has a problem with different LDAP schemas
> for both KDCs. But wouldn't it be much better to support Howard Chu's approach
> of defining a common LDAP schema for KDCs? He wrote some postings on the
> ietf-krb-wg mailing list with subject "LDAP schema for kdc".

Howard's work is great, but it's not relevant (nor does he intend it to
be relevant) to this task.  Samba4 can't use that schema, because we
must share data with AD, in the format AD uses internally. 

The proposal here is about having an MIT KDC use Samba4's database in
the exact same way Heimdal currently uses it.  

The two approaches currently proposed are for this to occur via IRPC or
direct function calls via a library load to the 'hdb-samba4' module that
Samba already wrote for Heimdal.  (As such the data is in the AD

> IMHO it's a waste of effort using MIT KDC with Samba4 if there's no
> possibility to use an existing one.

I'm not sure what you mean here.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.