Current ideas on kerberos requirements for Samba4
Henrik Nordstrom
hno at squid-cache.org
Wed May 25 17:46:39 EDT 2005
On Wed, 25 May 2005, Andrew Tridgell wrote:
> Our typical user profile has changed a lot over the years. These days
> the typical Samba site has no sysadmin. It is installed by doctors,
> teachers and other professionals who are smart in their own field, but
> don't care about the intricacies of how Samba works, they just want it
> to serve files. Typically they have a network of just a few Windows
> PCs in a single realm (though they don't know what a 'realm' is).
After following this thread for some time and thinking on the deployment
scenarios I am not entirely sure this will be the case for Samba-4 in the
same sense.
As already mentioned, initial adopters of Samba-4 are likely those wanting
to run it as an AD DC. In my view these are quite likely the same people
who have a reasonable understanding of what krb5 is and how LDAP works,
and are now looking at Samba-4 to see if it can fit their existing
environments better than MS AD.
For those just wanting to serve files, they quite likely already have a
Microsoft domain and mainly want Samba to act in the existing domain as
a member server, not as the DC.
So I actually expect the 'enterprise' users to be among the first looking
at Samba-4 AD DC capabilities, with all the intricate details of krb5
integration etc. There is obviously also the odd "noob admin" who
attempts this, but hopefully most who do so are interested in learning.
Then when the Samba AD technology is slightly more proven & documented
the masses will follow ;-)
This should give a quite reasonable window for OS maintainers to catch up,
provided the Samba requirements on the KDC and LDAP where applicable are
well documented with working reference implementations.
One sticky issue to consider is licensing if the OS maintainers are
supposed to include/link certain components of Samba into their KDC and/or
LDAP servers.
> It really is quite common that Samba is the first free software package
> that a site tries. If you think about it, I think you would agree that
> kerberos is almost never the first free software package someone tries.
> We have to make a good first impression, and that means making stuff as
> easy as we possibly can.
Agreed.
But at the same time do not forget that both LDAP and KDC servers are
common components of the OSes these days.
Regards
Henrik