On Tue, May 24, 2005 at 07:14:54PM -0400, Wyllys Ingersoll wrote:
> I work for one of the "Vendors" described earlier and I am
> uncomfortable with the idea that SAMBA would include their
> own KDC.
> My thoughts when I first read this thread were much like what
> Doug has suggested - instead of creating a whole new KDC,
> why not open up some interfaces on both sides - other KDCs
> (MIT, Heimdal) and in SAMBA so that the necessary communication
> can be exchanged and SAMBA can integrate with pre-existing
> KDCs. I know there are alot of people in the Kerberos
> community that would probably be able to help define these
> interfaces and make sure that they get implemented
> by the various implementors.
> By having SAMBA provide a new KDC puts people currently using
> MIT or Heimdal in the same position that they are today with
> AD - they must maintain 2 KDC and REALMS or drop their
> existing KDC infrastructure (MIT or Heimdal) and go with
> Anyway, I applaud your efforts in the area of making a
> fully compliant AD-like server, but I am not so supportive
> of creating yet another KDC and further fracturing the
> Kerberos community by forcing a choice like this.
What Wyllys said.
The Samba team can go and do what they like -- there's plenty of KDC
source code with sufficiently friendly licensing to go around. But I'd
much rather see cooperation (and cooperate) in the design of pluggable
interfaces for KDCs, such as pluggable backends, pluggable
pre-authentication provides, and pluggable authorization-data providers
(particularly AD-KDCIssued containees), and later, when extensions comes
along, pluggable ticket extensions providers.