Re: Current ideas on kerberos requirements for Samba4
On Tue, 2005-05-24 at 15:07 -0400, Alan DeKok wrote:
> "James F. Hranicky" <jfh@cise.ufl.edu> wrote:
> > Well, my first reaction is that since Heimdal and Samba can currently both
> > share an LDAP database for PDC support, could it be possible to do the 
> > same with AD?
> 
>   1) Investigate what AD needs from protocol data sharing

Wrote the thesis:
http://samba.org/samba/news/articles/abartlet_thesis.pdf

>   2) Investigate how this would be put into LDAP

We have done so, and implemented our own 'ldap like' interface backing
onto either LDAP or an in-memory database.

>   3) Investigate how it would be implemented in Heimdal, etc.

Done that.  See the version of Heimdal in 'lorikeet'
svn co svn://svnanon.samba.org/lorikeet/trunk/heimdal lorikeet-heimdal

>   4) Report back.

This series of notes.  I was certainly not going to be so silly as to
talk about this before I had spent time to actually implement a viable
proposal.

>   My bet is that you'd need (0) to do this:
> 
>   0) Get contract to spend 6 months working on the following

Yes, it took about 6 months, on and off.  

We do actually, already implement a good series of interfaces which
keeps the KDC separate.  Currently they don't even share any source code
aside from standard shared/static libraries we provide.  

However, to finish off the job, I'm proposing to integrate at the object
link level (which lukeh tells me he has done before) and to handle some
things consistently across the whole suite (no user config errors).

Now, the mistake I made was opening my big trap before I had just
quietly finished the libkdc part (which is a few days integration, I
hope, and actually doesn't change Heimdal's internal structure very much
anyway).  

Jeremy is right about kerberos patches, and it has been a right pain in
Samba3.  This is why I've tried not to promise the world to those
running their own KDCs.  I know their plight, and I'll be receptive to
patches, but I'm just going to try and get mine working first. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net