SYSTEM krb5 support matrix for Samba 4.0

Andrew Bartlett abartlet at
Thu May 31 04:15:23 MDT 2012

I recently did some work on our krb5 support, and so as not to waste the
background I obtained, here is the matrix of what krb5 versions we
support when we are asked to use the system kerberos lib, with both
build systems.

              MIT              Heimdal
autoconf:     1.8 minimum      recent (> 1.1 at least, needs DCE_STYLE gssapi)
waf:          1.9 minimum      current (needs to essentially match lorikeet-heimdal)

Of course, on any waf-compatible platform we can build the bundled
heimdal internally.  

We agreed on the MIT 1.8 minimum in order to use real GSSAPI on the

The waf minimum of 1.9 is due to gss_krb5_import_cred, which is needed
to import a credentials cache into a GSSAPI context without using a
global environment variable. 

The autoconf Heimdal minimum comes from the need to support gss_wrap_iov
and DCE_STYLE GSSAPI.  The waf Heimdal minimum comes from the fact that
we need to provide plugins for the KDC.

Either way, the Heimdal krb5 1.1 shipped by default in FreeBSD 8.2 and 9
isn't able to provide the things Samba needs.  


This means that we cannot restore ADS support to your FreeBSD
development environment unless you install MIT krb5 1.8 or are willing
to use the waf build. 

I hope this clarifies things, and helps others with a summary of the

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list