[PATCHSET] Samba AD with MIT Kerberos
Andrew Bartlett
abartlet at samba.org
Wed Apr 19 09:26:29 UTC 2017
The configure --help output does not explain the changed behaviour, it
still says:

--with-system-mitkrb5
enable system MIT krb5 build (includes Samba 4 client and
Samba 3 code base).You may specify list of paths where Kerberos is
installed (e.g. /usr/local
/usr/kerberos) to search krb5-config

In this patch, the comment in the code still says 1 second:

commit 0711cd66419989fb6a22f4a6e7b67855981892c6
Author: Andreas Schneider <asn at samba.org>
Date: Mon Sep 26 18:51:33 2016 +0200
selftest: Set clockskew grace time to 5 seconds
Signed-off-by: Andreas Schneider <asn at samba.org>
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 3e5a7c3..e6f5ef8 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -201,6 +201,10 @@ sub mk_krb5_conf($$)
ticket_lifetime = 24h
forwardable = yes
allow_weak_crypto = yes
+ # Set the grace clocskew to 1 second
+ # This is especially required by samba3.raw.session krb5 and
+ # reauth tests
+ clockskew = 5
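
Review bot: The comment added above "clockskew = 5" in mk_krb5_conf still says "1 second" and misspells the setting as "clocskew", so it contradicts the value it documents. Suggest changing it to "# Set the grace clockskew to 5 seconds" so the comment and the setting agree. The commit message gives only the subject line; a sentence on why 5 seconds is needed for the samba3.raw.session krb5 and reauth tests would help the next person who touches this value.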

When building on MIT 1.14.4 (on my Fedora laptop), I get:

ERROR: MIT krb5 build requires at least 1.14.4. 1.15.1 is found and
cannot be used
ERROR: You may try to build with embedded Heimdal Kerebros by not
specifying --with-system-mitkrb5

This is different to master, and is what caused the earlier autobuild
failure I mentioned on ubuntu 14.04 (in the Catalyst Cloud). What I
can't find is which commit changed the AD DC to be on with
--with-system-mitkrb5.

Additionally specifying --without-ad-dc doesn't help, and isn't
suggested in any case. I think the default for --with-system-mitkrb5
should be --without-ad-dc for now.

commit 6e48c4ad9718f3ee6fbf78f7236105f2dfd9bdab
Author: Andreas Schneider <asn at samba.org>
Date: Fri Oct 9 15:06:52 2015 +0200
python: Add provisioning support for MIT KDC in samba-tool
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
In these provision changes, you directly import _glue into domain.py
and python/samba/provision/kerberos.py. Instead you should do like
with_ntvfs_fileserver, and go via samba/__init__.py.
e.g.
python/samba/__init__.py:is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built
It also seems to partially revert:
commit 04d8e0605f27d1fe57de05a9dba749ce36f7e004
Author: Andreas Schneider <asn at samba.org>
Date: Mon Nov 23 11:44:26 2015 +0100
waf: Create kerberos_implementation.py for provisioning
Signed-off-by: Andreas Schneider <asn at samba.org>
We are getting closer, but some details still remain to get this right.
I wish you the very best with the last few details. Otherwise, I hope
we can find some time to knock this off at SambaXP.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba