[Samba] logging lines in krb5.conf

Jason Keltz jas at eecs.yorku.ca
Mon Oct 5 20:12:50 UTC 2020


On 10/5/2020 4:05 PM, Jason Keltz via samba wrote:
> On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
>
>> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>>
>>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>>
>>>>> Hi Rowland,
>>>>>
>>>>> I'm glad you brought that up.  This is a piece of the puzzle I 
>>>>> have been very confused with.  I'm not using the Samba from 
>>>>> CentOS/RHEL, but a custom compiled one (latest 4.11.13).   As 
>>>>> CentOS uses MIT Kerberos by default, am I not automatically using 
>>>>> MIT Krb5 on the server in the mode you describe as "Experimental"? 
>>>>>   Is Samba re-implementing the Heimdal based Kerberos, or using the 
>>>>> system Kerberos? Do I have a choice? And if my system doesn't use 
>>>>> Heimdal and only has MIT Krb5 libraries, isn't that what would be 
>>>>> used? Here's the ldd on the samba binary...
>>>>
>>>> It depends on how you actually built Samba, did you pass 
>>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>>
>>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>>
>>>> Rowland 
>>>
>>> Hi Rowland,
>>>
>>> Our auto build system is compiling with this:
>>>
>>>                  --with-acl-support
>>>                  --with-piddir=/run
>>>                  --with-configdir=/etc/samba
>>>                  --with-statedir=/local/samba/locks
>>>                  --with-cachedir=/local/samba/cache
>>>                  --with-lockdir=/local/samba/lock
>>>                  --with-privatedir=/local/samba/private
>>>                  --with-sockets-dir=/run
>>>                  --with-privileged-socket-dir=/var/lib
>>>                  --with-logfilebase=/local/log
>>>                  --with-syslog
>>>
>>> However,
>>>
>>>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>>    HAVE_LIBKADM5SRV_MIT
>>
>> Strange, do you have the OS Samba packages installed as well?
>>
>> It has been some time since I tested using MIT as the kdc and you are 
>> supposed to pass '--with-system-mitkrb5 
>> --with-experimental-mit-ad-dc' to configure, otherwise Heimdal is 
>> used. You do not seem to have done this, but your version of smbd 
>> seems to have been built with MIT. How did you build Samba ? Was it 
>> the standard 'configure' (with options as above), 'make' and 'make 
>> install', or do you build packages with a 'spec' file ?
>>
>>>
>>> I'd like to believe that the Kerberos implementation with Samba 
>>> could run independent of the O/S one, but I suspect that if you have 
>>> MIT Kerberos, it's going to compile with that?
>>
>> It is possible to build Samba on CentOS using Heimdal (there are a 
>> couple of users that supply rpms or instructions on how to do this, 
>> but only for CentOS 7).
>
> Hi Rowland,
>
> I've been looking at the compile trying to figure out how the MIT 
> Kerberos option was added in.  Right now, I can't figure out why, but 
> I will eventually.  I compiled using the same options directly from 
> the command line, and it builds with embedded Kerberos.  Very 
> puzzling.  However, the truth is, the server has been very stable.  
> It's been working with our Windows systems for quite some time, and in 
> testing working on Linux systems as well.
>
> I'd like to understand if it would be possible under CentOS 7 not just 
> to run Samba with Heimdal Kerberos - but to run it as an Active 
> Directory Domain Controller  with Heimdal Kerberos without losing any 
> of the functionality that I have now in terms of Windows or Linux 
> clients (eg. secure krb5 NFS mounts) that I'm getting because of the 
> MIT options compiled into my install.   Can you help me to understand 
> why, if Samba has its own embedded Heimdal Kerberos that doesn't 
> depend on the O/S Kerberos implementation at all, then why is it so 
> important for Samba to have an MIT Kerberos implementation?   There is 
> a whole lot of interest in that from what I can understand, and I just 
> want to clearly understand why.  From what I thought I understood, you 
> could not have an AD-DC on CentOS 7 without those options, but now 
> it's not so clear.

Sigh.  Too long a day.  Looks like I was completely wrong --

OS smbd:

/sbin/smbd -b | grep HAVE_LIBK
    HAVE_LIBKADM5SRV_MIT

MY custom compiled smbd:

/xsys/pkg/samba/sbin/smbd -b | grep HAVE_LIBK
    HAVE_LIBKRB5

So I *believe* this means that we are not using the MIT Kerberos in our 
Samba install after all. (yay) Correct?

But the question then is, what exactly are we missing?

Jason.



