[ubuntu-directory] NetworkAuthentication/Client

Tue Oct 31 16:23:43 GMT 2006

> Good ideas all and all, but why are we keen on building a
> Kerberos/LDAP -solution that wouldn't be compatible with winbind on
> the client side, as well as Windows workstations?

Yes. Winbind can solve the problem. And yes, it might be the solution
for pure AD authentication on Fiesty. We might be able to do it in that
time frame.

Beyond that though, Winbind is not a solution. Any work put into making
Winbind work perfectly in the NSS and PAM (!password) cases would be
discarded as soon as we target other directory services.

Winbind is still a great stop gap. Thing is, we know it exists, and we
understand how it operates. I would like to spend some time upfront
investigating what it would take to make a long term solution.

> And on the NSS side, Winbind's solution is ready, mature and quite
> featureful, whereas getting an LDAP NSS module to do the work would
> require way too much to get it to even edgy+2, if this project doesn't
> get big boost from Canonical.

I completely agree. I doubt much of this is going to happen unless
Canonical is willing to step in. We have no developers who have the time
to work on it. My regular job takes most of my time.

I want to put together a cohesive plan, and then bring it in front of
the powers that be.

> And on the PAM side, the new winbind PAM module knows how to do
> credential caching, so that again would simplify the implementation
> somewhat.

Same as above.

> Because of some of these reasons, SuSE, which I believe is the distro
> furthest on this road, chose winbind. Naturally they didn't want to
> lock in, but that's why they have an easy and simple configuration
> tool to set the authentication up to your environment. (We need this
> anyway, so why shouldn't winbind be one of the options it provides?
> Why do we have to use "clean LDAP/Krb"?)

We don't HAVE to, but it will get us further. Winbind only works against
AD. I personally don't even use AD, I run a Heimdal/OpenLDAP setup. So
this solution is useless for me.

Some of my clients do use AD.

So, after all that, if I was investing *MY* time, I would work towards
not using Winbind.

> And finally, if you're fixated on getting a simple and static
> PAM/NSS-solution, you'll probably have to start creating proxy
> PAM/NSS-modules, which doesn't quite make sense considering you're
> solving the problem that PAM/NSS was supposed to solve. That's why PAM
> and NSS are modular: so you can have multiple modules that implement
> authentication.

Yes. NSS and PAM LDAP/Kerberos support are in a terrible shape. To be
honest, I sort of wish the Samba guys had taken the work they'd put into
Winbind and separated the generic Kerberos/LDAP parts of it out into
components that could be usable separately without the Windows
components. Actually, that might be a good path to investigate. Winbind
has a lot of great logic in it. Can we split that into Windows and
non-Windows pieces?

Andrew?