SYSTEM krb5 support matrix for Samba 4.0
abartlet at samba.org
Thu May 31 04:15:23 MDT 2012
I recently did some work on our krb5 support, and so as not to waste the
background I obtained, here is the matrix of what krb5 versions we
support when we are asked to use the system kerberos lib, with both
autoconf: 1.8 minimum recent (> 1.1 at least, needs DCE_STYLE gssapi)
waf: 1.9 minimum current (needs to essentially match lorikeet-heimdal)
Of course, on any waf-compatible platform we can build the bundled
We agreed on the MIT 1.8 minimum in order to use real GSSAPI on the
The waf minimum of 1.9 is due to gss_krb5_import_cred, which is needed
to import a credentials cache into a GSSAPI context without using a
global environment variable.
The autoconf Heimdal minimum comes from the need to support gss_wrap_iov
and DCE_STYLE GSSAPI. The waf Heimdal minimum comes from the fact that
we need to provide plugins for the KDC.
Either way, the Heimdal krb5 1.1 shipped by default in FreeBSD 8.2 and 9
isn't able to provide the things Samba needs.
This means that we cannot restore ADS support to your FreeBSD
development environment unless you install MIT krb5 1.8 or are willing
to use the waf build.
I hope this clarifies things, and helps others with a summary of the
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical