Should we continue with Heimdal (was: Re: [PATCH] Some coverity fixes)

Andrew Bartlett abartlet at
Wed May 13 12:44:58 MDT 2015

On Wed, 2015-05-13 at 09:00 +0200, Andreas Schneider wrote:

> > I know this must sound strange, but I really look forward to the day
> > that you get the MIT Krb5 port finished, and we can just use a solid,
> > widely distributed system library.  I admire the work done so far, but I
> > also fear we are still a very long way off, based on the work that was
> > required for Heimdal.  That is, there were just so many small but
> > critical details.
> I'm sure that Heimdal was the right choice when Samba started to write a DC 
> but in the meantime it seems the project is not active anymore.

I agree that it isn't what it once was, but also it has moved to github,
so some of what would have been mailing list conversation has moved
there.  The GIT tree is actually quite active, full of github pull

> > The tests I wrote recently should help a lot however, in ensuring
> > correctness at least with the KDC protocols.  We need some similar tests
> > around the GSSAPI layer, for features like DCE_STYLE authentication and
> > some of the auto-skew handling.
> The tests are using Heimdal code which is an issue. I guess I could compile 
> smbtorture with heimdal and then run them against the MIT KDC. Maybe I can try 
> this next week.

Yes, that is exactly what I think will be required.  

> > I think we will continue to have similar challenges when we need small
> > but critical changes to the library sooner than a RHEL package might
> > allow, but we can both agree that this isn't a new problem in Free Software.
> > 
> > However, when we get there, when all the internal and windows-integration
> > tests pass (and I am confident in your team's abilities that
> > we will succeed in this eventually), then I would like to seriously discuss
> > if maintaining two alternate solutions here is really worth the costs
> > involved, and the risks/benefits of supporting just one, system Kerberos
> > library.
> We are almost there! I have a handful of tests (~10) which do not work yet. 
> Next week at SambaXP I need to investigate if we got something wrong with TLS 
> and GSSAPI. After that we either need to change Samba code or MIT.
> Remember that FreeIPA is handling trusts with Active Directory. We already did 
> some testing in this area using the MIT KDC :)
> > While it saddens me that we have to go to so much effort to change horses,
> > dead or otherwise, I don't fancy riding two of them at the same time in the
> > long term.
> I guess we will have MIT Kerberos fully working by the end of the year. Maybe 
> earlier if someone joins to polish the last bits (like migrating the KDC tests 
> ;).
> Talk to you next week,

I look forward to it.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
