Samba4 and Heimdal Kerberos dependencies

Luke Howard lukeh at
Tue Feb 8 23:14:25 GMT 2005

>While GSSAPI is common between many implementations, we also need access
>to functions added to Heimdal by PADL, for their AD implementation (such
>as gsskrb5_extract_authz_data_from_sec_context()).  This example allows
>us, as a server, to extract the PAC from an incoming request, without
>needing to separately parse the GSSAPI wrapping.

Also, we contributed a port of the MIT mechanism glue, it is currently
sitting in a branch pending integration. This allows you to dynamically
load different security mechanisms.

>With a few bugfixes in recent times, it is now possible to install
>Heimdal kerberos in a separate prefix (the default is /usr/heimdal), and
>to link Samba4 against it, even while the rest of the system may use
>MIT.  Provided we don't get a dependency on OpenSSL, and provided
>Heimdal is not linked with OpenSSL, it all appears to work.

You do want to avoid an OpenSSL dependency, also because Red Hat ships
OpenSSL linked against MIT Kerberos.

-- Luke


More information about the samba-technical mailing list