[Freeipa-devel] Planning for v2: How to deal with kerberos trusts?

Ahmed Kamal email.ahmedkamal at googlemail.com
Mon Mar 31 23:37:32 UTC 2008


May the force be with you :) FreeIPA is surely very interesting, and is very
much needed.
Regards

On Tue, Apr 1, 2008 at 12:41 AM, Simo Sorce <ssorce at redhat.com> wrote:

>
> On Mon, 2008-03-31 at 20:41 +0200, Ahmed Kamal wrote:
> >         There are some key differences indeed, and AD has some neat
> >         solutions.
> >         But the fact is that Linux and other Unices are tied to the
> >         POSIX model, and that's what we have to deal with.
> >
> >
> > *why* does GNU/Linux always have to stick to Ancient And Broken (AAB)
> > designs! M$ had AAB designs too in the NT era, but they refreshed the
> > design, introduced very neat solutions, and also introduced a
> > "compatibility" mode for those who want to stick with older boxes.
> > After around a decade (which is now) no one is running WinNT in
> > production, no one simply needs it! Why doesn't GNU/Linux get a chance
> > to brush off old skin and "evolve" in such ways?
>
> Eehh, to be honest the core of NT is still what powers current Windows
> stuff, very few changes were made in the kernel semantics.
>
> > For example, the flat user/group namespace is not a different design,
> > it's a plain broken design as mentioned multiple times by Jeremy
> > Allison AFAIR, why aren't we trying to improve the situation while
> > maintaining compatibility for those who need it for now, instead of
> > sticking to "that's what we have to deal with"!
>
> Because you cannot easily maintain compatibility when you break
> semantics I guess :-)
> And also because you need to prove that something is indeed needed for
> well defined use cases before breaking with a very well established set
> of *standards* like POSIX, SUS and countless others.
> A change in these core components is not trivial as it has a rippling
> effect on almost the whole system, not something you can do lightly or
> quickly.
>
> But don't worry I have evil plans to conquer the world and change the
> situation eventually </evil grin>
>
> > Does everyone agree I am wrong :)
>
> No, but recognizing a problem is only the very first step to start
> implementing a solution, and many still do not see or recognize this as
> a problem. There is a long road to a decent solution for network wide
> identities. I hope we will be able to implement part of the solution
> within FreeIPA in the next years and slowly help others help us into
> getting what is needed in the right places.
>
> Now, what about getting back to v2 planning and discussion about how to
> deal with cross-realm trust relationships in the given framework? :-)
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>