On Tue, 2005-05-24 at 08:09 -0500, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Andrew Bartlett wrote:
>
> | Perhaps we should make something clear from the
> | outset. Just as Samba4's LDAP server is not
> | intended to be a world-class (or even standards-conforming)
> | LDAP server,
>
> Andrew,
>
> I'm not getting into this thread for obvious reasons, but
> I think this is a very dangerous statement (and assumption)
> to make. You are claiming to match against AD. That's a
> big order from the LDAP side of things. People will expect
> you to get the LDAP part right if you are taking it over.

Indeed, and this is actually something that I do worry about with Samba4 going forward. I do wish we had more directory experts working with the team, so we don't make more of a muddle of ourselves in the process.

I'll also pass the blame along on that one, the standard on the LDAP server was set by others, I'm just repeating it (and trying not to promise the world. As we all so painfully know, this is a very small team doing a lot of work...).

> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.
> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.

This is actually why I have pushed to work with Heimdal, rather than the more appealing (at times) option of doing it ourselves. At least I know that when we started, we worked from a well respected KDC in production use for this kind of task already.

My intention is to (despite linking for unification of service control and socket infrastructure) keep the codebases separable along existing or new interfaces in the Heimdal code. In that way, I hope to keep those qualities in Heimdal, even as we integrate it.

I was just hoping not to promise the world to a community that each holds their site-specific Kerberos infrastructure very near and dear :-)

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net