[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Current ideas on kerberos requirements for Samba4



On Tue, 24 May 2005 19:56:33 +1000
Andrew Bartlett <abartlet@samba.org> wrote:

> This is the situation we are in currently, the Microsoft clients expect
> a very tight interface between the KDC and the rest of the domain
> controller (requiring coherent operations over multiple protocols, the
> PAC and other fun things).  

I'm no expert on anything, but that's not going to stop me :->

Personally, I'm quite wary of seeing new KDC/LDAP implementations. We 
already have good ones out there under active development, and I'd like 
to see them used in the project instead of yet more code duplication.

I don't know the intimate details of what AD clients expect from an AD 
controller, but I wonder if perhaps the requirements could be addressed 
by a meta-smbd of sorts? The meta-smbd acts as an AD controller, but 
passes off requests for various services to the respective daemons, 
something like this:


  XP -- TGT/PAC req -->             -- AS_REQ --> Heimdal/MIT KDC 
                                    <-- TGT --
                        meta-smbd
     <-- TGT/PAC                    -- Group LDAP req --> OpenLDAP
                        (genPAC)    <-- groups 

That's just one example. I don't know how feasible it is, but I 
just thought I'd throw the idea out.

Since one of the motivating factors for the integration of services is
the difficulty experienced when trying to integrate the various packages
to work together, perhaps this should be the area of focus for an AD
controller clone: scripts/configuration systems that make it easy to 
combine all the various packages out there (Heimdal/SASL/OpenLDAP/etc)
to work together in a conherent way to form the basis for a production-level
AD controller. I know how hard it can be having done it myself, but I don't
know if that's a good reason to try to re-implement functions that are
already available in stable, actively-maintained packages. Focusing on 
easing the integration seems a better route IMO.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------