[Samba] Kerberos, MIT and Dovecot (was: Re: Sernet 4.3.X package is no longer free :/)
Andrew Bartlett
abartlet at samba.org
Tue Sep 22 09:03:59 UTC 2015
On Mon, 2015-09-21 at 21:15 -0400, Mark Foley wrote:
> Hmmm, your link:
> https://wiki.samba.org/index.php/MIT_Build#Kerberos_Issues
> actually sounds pretty scarey:
>
> "There are APIs that are unique to Heimdal and their usage breaks
> compilation
> against MIT Kerberos.
>
> "These cases, like use of Heimdal-specific configuration setup in
> source4/auth/kerberos/kerberos.c, or ticket decoding, need to be
> solved by
> wrapping the code into common helpers that are implementation
> dependent."
>
> Does this seem like it could cause a problem with Dovecot trying to
> NTLM
> authenticate? I get the error:
It is unlikely, as Dovecot isn't compiled against Samba components, as
far as I know.
What it does mean is that in that file, some parts are now under #ifdef
and used only when building against Heimdal.
It means what everybody involved in the Kerberos porting dev work
knows, that switching between the Kerberos libraries is hard work, and
that a 1-to-1 match isn't possible in all places. That is why the MIT
build project isn't finished, and why it will continue to take
considerable efforts.
I realise this makes the hope of distribution packages of the AD DC
from Red Hat or SuSE a long way off, but that is the reality of the
firm positions taken.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list