Re: Current ideas on kerberos requirements for Samba4

[Keith Matthews <heimdal@frequentous.co.uk>]

This originally sent to Jerry by mistake.


I too do not wish to stoke any flames, but Jerry has made a point I
support (albeit not a kerberos one for which I apologise).

On Tue, 24 May 2005 08:09:32 -0500
"Gerald (Jerry) Carter" <jerry@samba.org> wrote:


> The other side of the fence is to reimplement AD.  A
> very admirable goal.  But to be 100%, you are not longer
> acting as a thin layer of glue.  In some ways, Samba
> no longer acts as an interoperability tool.  It the network
> portion of the OS.
> 
> At this point the justification to install Samba is
> not based on interoperability because Samba is acting
> just like AD.  Not solving existing interoperability issues
> between Unix and AD.  The justification of installing
> Samba is based on license fees.
> 
> If you want to add interoperability back to the buffet, then
> the Samba4 kdc implementation (and LDAP implementation)
> will have to be world class, scalable implementations.
> I think you might also be ignoring the fact that while CIFS
> is primarily a Windows protocol, LDAP and Kerberos will be
> used by non-MS clients and so at some point you will
> have to support them as well.
> 


I don't work with any sites that use AD. I do inhabit mailing lists that
are heavily into mail systems. An increasingly common subject is how to
sensibly run serious MTAs as protection for MS Exchange server. This
requires the MTA to know about the users in the system and requires
seriously scalable access to the LDAP side of AD.  For big sites, the
problems are major in that lack of scalability can result in their email
system going down under a spammers' dictionary attack.