[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Mark Foley mfoley at novatec-inc.com
Wed Feb 1 01:15:18 UTC 2023


I am going make another attempt at upgrading my Slackware 14.2/Samba 
4.8.2 DC to Slackware 15.0/Samba 4.15.x. I have questions ...

Kerberos: a couple of things have been previously established in this 
thread (and please correct any wrong understandings):

First: The "preferred" Kerberos for Samba as DC is Heimdal which, as I 
understand it, is built in to Samba -- i.e. no separate package. MIT 
Kerberos is considered "experimental" by Samba.

Second: Based on running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT', my 
current Slackware 14.2/Samba 4.8.2 DC is /NOT /using MIT Kerberos (and 
therefore is using Heimdal), whereas the as-shipped Slackware 15.0/Samba 
4.15.5 /IS /using MIT Kerberos.

Furthermore, Slackware 14.2 did not ship with either PAM or Kerberos, 
which probably explains the lack of MIT Kerberos on my current 4.8.2 DC. 
Slackware 15.0 ships with both PAM and Kerberos, the latter apparently 
being MIT.

Additional wrinkle: being unaware of these Kerberos version issues, I 
downloaded and installed MIT Kerberos 1.11.6 to my DC (running Heimdal 
Samba 4.8.2) back in 2016. Not sure why I did that. There must have been 
a reason.

Questions:

Given my download and installation of MIT Kerberos 1.11.6 on my 
Heimdal-Sama DC, what Kerberos am I now running (there's no --version 
option for kinit)? Did the MIT Kerberos installation clobber some of the 
Samba-Heimdal Kerberos files? Are the Kerberoses completely/physically 
separate? Is the MIT Kerberos simply being ignored by Samba and can I 
just uninstall it? Note that I upgraded Samba to 4.8.2 two years AFTER 
installing the MIT Kerberos, so maybe it clobbered MIT.

When I upgrade my Slackware from 14.2 to 15.0, should I inhibit 
installing their packages of Samba and possibly also their MIT Kerberos? 
If so, should I then download and build Samba from sources at samba.org?

Given that Samba has Heimdal Kerberos built in, should I skip 
downloading and installing any Kerberos package?

I wonder if the PAM packed depends on the MIT Kerberos, or should PAM 
work with any Kerberos?

OR ... I can roll the dice and take my chances with "experimental" MIT 
Kerberos and not worry about uninstalling, downloading, building and 
installing anything! There's something also risky about going outside 
the package suite vetted by the distro developers.

(As an aside, IMO if all or most distros are shipping with MIT Kerberos 
now, as previously mentioned in this thread, perhaps the Samba folks 
should make an effort to confirm MIT and move it out of the experimental 
category.)

And a non-Kerberos question:

My DC was initially provisioned with --dns-backend=BIND9_FLATFILE. The 
wiki https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends says, 
"Do not use the BIND9_FLATFILE DNS back end. It is not supported and 
will be formally deprecated when 4.11.0 is released and removed at 4.12.0."

So, can I even use my current (4.8.2) configs when I upgrade to 4.15.x?

OK, that's enough questions for now.

Thanks --Mark


More information about the samba mailing list