On Tue, 2005-05-24 at 18:23 +1000, James Peach wrote:
> On Tue, May 24, 2005 at 10:06:44AM +1000, Andrew Bartlett wrote:
> > It would be great if they could join in the discussion on
> > samba-technical. Perhaps their requirements are more easily
> > addressed than I fear.
>
> I'm by no means even a Kerberos novice and I haven't been following the
> Samba4 code very closely, but maybe I can contribute some vendor
> perspective. These are personal opinions and do not necessarily reflect
> the official views or plans of SGI.
>
>   o Customers want a unified Kerberos infrastructure today. It would
>     be good if Samba4 brought us a step further to being able to
>     seamlessly use Kerberos for CIFS, NFS and local logins.

In this sense, Samba3 and Samba4 will be able to handle whatever KDC is
thrown at them, where they are just another kerberised service (just
accepting file shares).

What makes Samba4 different is that it is trying to be compatible with
Microsoft's Active Directory, so we have sudden demand to 'provide' a
KDC, because that's what our clients expect (and they expect particular
behaviours).

>   o Many vendors are already shipping multiple versions of Kerberos
>     and other crypto libraries for various reasons (not all of them
>     good). Each time this happens, there is a cost involved in code
>     maintenance, issuing security updates and patches, interop,
>     diagnosing customer problems, etc.
>
>   o The desire not to ship more than one KDC is pretty strong. I would
>     think that vendors supporting Heimdal and MIT KDCs feel they
>     already get enough support calls without a Samba KDC.

Is there a support call cost difference between an MIT or Heimdal KDC
with most facets of their operation influenced by a Samba module, and a
KDC built in and 'just working' inside Samba?

My argument is that where Samba controls such a KDC from a logic
perspective, it is already a 'different KDC'.

>   o Convincing customers to upgrade is (justifiably) hard. If I need
>     to upgrade Samba, will the customer be willing to risk the
>     corresponding KDC upgrade? If not, will I have to spin a
>     site-specific patch?

Samba4 will be a big change, but if you already have a KDC you are quite
happy with, you probably don't want to turn Samba4 on as a DC of any
sort anyway. The fileserver will certainly not require its own KDC.

>   o Finally, my guess is that vendors will eventually ship Samba4
>     whatever happens because there will be customer demand.

I think you are right on this one :-)

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net