Separating Heimdal from Samba4

Sergey Yanovich ynvich at
Wed Jun 4 11:57:53 GMT 2008

Andrew Bartlett wrote:
> Get the last of the heimdal-lorikeet.diff merged into Heimdal.  The only
> two bits that appear important are the patches to:
> kdc/kerberos5.c
> lib/hdb/keytab.c 
> lib/krb5/get_in_tkt.c 
> The other patches probably go away if we use system libraries, as they
> were related to us linking only part of Heimdal into Samba. 
> The KDC will need to load a hdb and 'windc' plugin.  I'm sure the Samba
> build system can build these pretty easily, but the task is to make it
> easy for Heimdal (now separated) to load them.  This will probably be
> handled by having provision's generated krb5.conf contain the right
> magic. 

There may be a solution between using system KDC and linking against a 
built-in KDC. Before all necessary plugins are accepted upstream and 
adopted by distributions, samba may build and install its own fork of 
Heimdal KDC. The hdb and windc plugins will be included there.

The key difference will be that the patched KDC can be installed, 
configured, and maintained independently of the rest of Samba.

> Samba will need to link against Heimdal's libgssapi and libkrb5.  We
> will need checks to ensure we don't accidentally hit MIT's libs, until
> someone ports the KDC magic into MIT. 

This part is important but easy. It needs just a simple test for 
configure. The same test can also check for required KDC functionality. (1)

> One of the big challenges will be to keep both modes of operation
> working - both with the system Heimdal and the included version that all
> developers (who need 'make test' to run) will use. 

The above proposal allows having only one mode of operation (external 
server), while still retaining control over the KDC to the degree necessary 
to run tests.

> The other challenge will be ensuring that Heimdal is started and stopped
> by Samba4 as an integrated service, listens on the right interfaces etc.
> We could try to have a libkdc exported by Heimdal (so we control those
> matters, as we do now), but this will be more work again. 

I am not sure about the correct usage pattern of configure options, so I 
will use GNU meanings. Feel free to correct.

* --enable-tests configure option builds tests;
* --with-system-kdc tries to use the installed Heimdal, invokes configure 
tests from (1). The negative form builds Samba's Heimdal version;
* 'make test' depends on --enable-tests configure option;
* --enable-tests option depends on --without-system-kdc.

Sergey Yanovich
Abstract Accounting Ltd.

More information about the samba-technical mailing list