On Tue, 2005-05-24 at 19:57 +0200, Michael Ströder wrote:
> Andrew Bartlett wrote:
> >
> > This is the situation we are in currently, the Microsoft clients expect
> > a very tight interface between the KDC and the rest of the domain
> > controller (requiring coherent operations over multiple protocols, the
> > PAC and other fun things).
>
> Are you also going to implement a DNS server?

From what I've seen, DNS is the one part of the AD game that Microsoft has allowed an external implementation of. It appears that the clients and servers all do DNS updates separately to their main record in AD. So fortunately we get to avoid that one :-)

Now, we will have to patch and convince vendors to patch and ship an updated DNS server running 'TSIG', just as we will need them to patch and ship an NTP server for 'schannel signing'. This is indeed slightly contradictory, but in the experimentation I've done, the lack of these services isn't nearly as critical as Krb5, and the changes we propose are much smaller than we require to krb5.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net