[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Simo Sorce ssorce at redhat.com
Mon Mar 31 22:41:52 UTC 2008


On Mon, 2008-03-31 at 20:41 +0200, Ahmed Kamal wrote:
>         There some key differences indeed, and AD has some neat
>         solutions.
>         But the fact is that Linux and other Unices are tied to the
>         POSIX
>         model, and that's what we have to deal with.
>         
> 
> *why* does GNU/Linux always have to stick to Ancient And Broken (AAB)
> designs! M$ had AAB designs too in the NT era, but they refreshed the
> design, introduced very neat solutions, and also introduced a
> "compatibility" mode for those who want to stick with older boxes.
> After around a decade (which is now) no one is running WinNT in
> production, no one simply needs it! Why doesn't GNU/Linux get a chance
> to brush off old skin and "evolve" in such ways?

Eehh, to be honest the core of NT is still what powers current Windows
stuff, very few changes were made in the kernel semantics.

> For example, the flat user/group namespace is not a different design,
> it's a plain broken design as mentioned multiple times by Jeremy
> Allison AFAIR, why aren't we trying to improve the situation while
> maintaining compatibility for those who need it for now, instead of
> sticking to "that's what we have to deal with"!

Because you cannot easily maintain compatibility when you break
semantics I guess :-)
And also because you need to prove that something is indeed needed for
well defined use cases before breaking with a very well established set
of *standards* like POSIX, SUS and countless others.
A change in these core components is not trivial as it has a rippling
effect on almost the whole system, not something you can do lightly or
quickly.

But don't worry I have evil plans to conquer the world and change the
situation eventually </evil grin>

> Does everyone agree I am wrong :)

No, but recognizing a problem is only the very first step to start
implementing a solution, and many still do not see or recognize this as
a problem. There is a long road to a decent solution for network wide
identities. I hope we will be able to implement part of the solution
within FreeIPA in the next years and slowly help others help us into
getting what is needed in the right places.

Now, what about getting back to v2 planning and discussion about how to
deal with cross-realm trust relationship in the given framework ? :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
