I promised I would keep the various lists informed as to our progress
with the Samba4 KDC experiment. (But if you feel this cross-posting is
just noise, let me know.)

Over the past week, we have achieved as code what I proposed in theory.
That is, I have demonstrated a Samba4 smbd process with an embedded KDC,
with samba handling the sockets, and Heimdal kerberos packaged into a
'libkdc' and handling the Kerberos part.

This has actually reduced the Samba-specific changes in Heimdal, as our
hdb-ldb is now plugged in from the Samba side. I have also had great
pleasure in seeing how simple it was to plug into Heimdal's KDC and
Kerberos logging systems. Indeed, the integration has been rather
smooth all round, so far. (This is a new requirement, over what we have
come up with before.)

To clear up our direction with regard to choice of KDC implementation:
I am very happy with the technical progress I have made with Heimdal
kerberos, and as such intend to continue down that track. (This is
mostly a statement of the progress I've made, rather than a judgement on
the competing implementations. I need to get one implementation
finished before I can really lay our requirements properly.)

We are currently looking into how to build this 'libkdc' in the Samba
build framework. Currently we build heimdal separately, and link to the
resultant .a files, but we would like something more integrated than
that. The proposal currently being advocated by tridge is to leave
Heimdal's build system (and indeed the entire Heimdal tree) intact, and
to have our build system reach in to compile individual .c files
directly into Samba4.
> I promised I would keep the various lists informed as to our progress
> with the Samba4 KDC experiment. (But if you feel this cross-posting is
> just noise, let me know).

Here's something that would make this more palatable in deployment at
my site and, I presume, many others. Perhaps there's no impediment to

If the smbd-served realm contained only service principals and accepted
cross authentication from the realm holding the user principals,
filling in the Windowsish authorization from its own database, it would
work the way our existing W2K realm works when users mount a share from
a Mac or log in directly with their non-Windows principal. Most of the
custom hackery we've done would not be interfered with and would not
have to be done over.
Matt Crawford
FNAL/CD/CCF/Wide Area Systems
+1 630 840 3461