[Samba] Upgrading from Samba 4.8.2 to 4.15.5
Mark Foley
mfoley at novatec-inc.com
Wed Feb 1 01:15:18 UTC 2023
I am going make another attempt at upgrading my Slackware 14.2/Samba
4.8.2 DC to Slackware 15.0/Samba 4.15.x. I have questions ...
Kerberos: a couple of things have been previously established in this
thread (and please correct any wrong understandings):
First: The "preferred" Kerberos for Samba as DC is Heimdal which, as I
understand it, is built in to Samba -- i.e. no separate package. MIT
Kerberos is considered "experimental" by Samba.
Second: Based on running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT', my
current Slackware 14.2/Samba 4.8.2 DC is /NOT /using MIT Kerberos (and
therefore is using Heimdal), whereas the as-shipped Slackware 15.0/Samba
4.15.5 /IS /using MIT Kerberos.
Furthermore, Slackware 14.2 did not ship with either PAM or Kerberos,
which probably explains the lack of MIT Kerberos on my current 4.8.2 DC.
Slackware 15.0 ships with both PAM and Kerberos, the latter apparently
being MIT.
Additional wrinkle: being unaware of these Kerberos version issues, I
downloaded and installed MIT Kerberos 1.11.6 to my DC (running Heimdal
Samba 4.8.2) back in 2016. Not sure why I did that. There must have been
a reason.
Questions:
Given my download and installation of MIT Kerberos 1.11.6 on my
Heimdal-Sama DC, what Kerberos am I now running (there's no --version
option for kinit)? Did the MIT Kerberos installation clobber some of the
Samba-Heimdal Kerberos files? Are the Kerberoses completely/physically
separate? Is the MIT Kerberos simply being ignored by Samba and can I
just uninstall it? Note that I upgraded Samba to 4.8.2 two years AFTER
installing the MIT Kerberos, so maybe it clobbered MIT.
When I upgrade my Slackware from 14.2 to 15.0, should I inhibit
installing their packages of Samba and possibly also their MIT Kerberos?
If so, should I then download and build Samba from sources at samba.org?
Given that Samba has Heimdal Kerberos built in, should I skip
downloading and installing any Kerberos package?
I wonder if the PAM packed depends on the MIT Kerberos, or should PAM
work with any Kerberos?
OR ... I can roll the dice and take my chances with "experimental" MIT
Kerberos and not worry about uninstalling, downloading, building and
installing anything! There's something also risky about going outside
the package suite vetted by the distro developers.
(As an aside, IMO if all or most distros are shipping with MIT Kerberos
now, as previously mentioned in this thread, perhaps the Samba folks
should make an effort to confirm MIT and move it out of the experimental
category.)
And a non-Kerberos question:
My DC was initially provisioned with --dns-backend=BIND9_FLATFILE. The
wiki https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends says,
"Do not use the BIND9_FLATFILE DNS back end. It is not supported and
will be formally deprecated when 4.11.0 is released and removed at 4.12.0."
So, can I even use my current (4.8.2) configs when I upgrade to 4.15.x?
OK, that's enough questions for now.
Thanks --Mark
More information about the samba
mailing list