On Mon, 2005-05-23 at 11:18 -0400, Ken Hornstein wrote: > >My current feeling is that Samba may well ship it's own KDC (based > >either on Heimdal, our own code or potentially some other codebase) for > >some time into the future. To whatever extent Samba includes a > >derivative of another distribution of kerberos, the aim would be to keep > >the 'diff' between the two projects as small as possible, while > >integrating the code for minimum administrative and engineering pain. > > Just my $0.02: > > I already have a hacked KDC (based on MIT) that has a number of custom > extensions that I need. Running a Samba-supplied KDC is simply a > non-starter. I know plenty of people who are in the same boat. Just > as an aside - it seems when you do Kerberos for a while, you find that > you need to do some number of changes to make it fit better at your > site, so this sort of thing just tends to crop up. This probably > isn't an issue for smaller sites, or sites that just want to run a KDC > to suppot Samba. Perhaps we should make something clear from the outset. Just as Samba4's LDAP server is not intended to be a world-class (or even standards-conforming) LDAP server, I'm targeting our KDC as a match for the Microsoft interface, not as the new gold standard for KDCs in POSIX. I'm trying to fill the space currently filled by Microsoft's Active Directory, not trying (particularly in the first release of Samba4) to replace an existing corporate Kerberos infrastructure. Now, I come at this whole area from rather a different direction than I suspect you do, because I'm not steeped in the history of Kerberos, nor do I run a large and complex site that uses it. What is custom about your kerberos setup, and given that I realise that having multiple kerberos realms is the pits, what could we do to make your life easier? > If you provide a chunk of code and say, "You need to integrate this", > then that's fine with me (if it's Heimdal-only, then that will be a > pain, but I can deal). I know, I could always do cross-realm ... but > trust me, I have more experience with cross-realm than most people, and > I'm not going to run a seperate realm just for Samba. Well, it will always be open source, so unlike AD you can hack it however you please :-) My observation is that sites fit into one of the these three boxes: (98%) Never used Kerberos, or don't know what Kerberos is: - NT4 sites - Samba3 based sites - Low-clue AD networks (you don't need to understand Kerberos to use AD) - Everybody else (most linux networks, workgroups) (~1.75%) Large sites, which run AD, know what kerberos is and use it to their advantage (<.25%) Sites that chose to use unix-based kerberos systems, and have integrated it properly into a majority of their systems. My problem is that while I do *not* wish to exclude anybody, I need to care about the first two categories far more than the clued-in SysAdmin of a real kerberos site. (Where I think that long-term, we can work something out). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
This is a digitally signed message part