[PATCHSET] Samba AD with MIT Kerberos

Andrew Bartlett abartlet at samba.org
Wed Apr 19 09:26:29 UTC 2017

The configure --help output does not explain the changed behaviour, it
still says:

            enable system MIT krb5 build (includes Samba 4 client and
Samba 3 code base).You may specify list of paths where Kerberos is
installed (e.g. /usr/local
            /usr/kerberos) to search krb5-config

In this patch, the comment in the code still says 1 second:

commit 0711cd66419989fb6a22f4a6e7b67855981892c6
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Sep 26 18:51:33 2016 +0200

    selftest: Set clockskew grace time to 5 seconds
    Signed-off-by: Andreas Schneider <asn at samba.org>

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 3e5a7c3..e6f5ef8 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -201,6 +201,10 @@ sub mk_krb5_conf($$)
  ticket_lifetime = 24h
  forwardable = yes
  allow_weak_crypto = yes
+ # Set the grace clocskew to 1 second
+ # This is especially required by samba3.raw.session krb5 and
+ # reauth tests
+ clockskew = 5
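
Review bot: the comment on the first added line says "1 second" while the value set three lines below is `clockskew = 5`, and the commit subject also says 5 seconds; update the comment to match the value and fix the "clocskew" spelling in the same line. The comment names the samba3.raw.session krb5 and reauth tests as the reason, but neither it nor the commit message (subject and sign-off only) says why 5 is the right value, so a short rationale there would help the next person who touches this setting.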

When building on MIT 1.14.4 (on my Fedora laptop), I get:

ERROR: MIT krb5 build requires at least 1.14.4. 1.15.1 is found and
cannot be used
ERROR: You may try to build with embedded Heimdal Kerebros by not
specifying --with-system-mitkrb5

This is different to master, and is what caused the earlier autobuild
failure I mentioned on ubuntu 14.04 (in the Catalyst Cloud).  What I
can't find is which commit changed the AD DC to be on with --with-

Additionally specifying --without-ad-dc doesn't help, and isn't
suggested in any case.  I think the default for --with-system-mitkrb5
should be --without-ad-dc for now.

commit 6e48c4ad9718f3ee6fbf78f7236105f2dfd9bdab
Author: Andreas Schneider <asn at samba.org>
Date:   Fri Oct 9 15:06:52 2015 +0200

    python: Add provisioning support for MIT KDC in samba-tool
    Signed-off-by: Andreas Schneider <asn at cryptomilk.org>

In these provision changes, you directly import _glue into domain.py
and python/samba/provision/kerberos.py.  Instead you should do like
with_ntvfs_fileserver, and go via samba/__init__.py.

python/samba/__init__.py:is_ntvfs_fileserver_built =

It also seems to partially revert:

commit 04d8e0605f27d1fe57de05a9dba749ce36f7e004
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Nov 23 11:44:26 2015 +0100

    waf: Create kerberos_implementation.py for provisioning
    Signed-off-by: Andreas Schneider <asn at samba.org>

We are getting closer, but some details still remain to get this right.
I wish you the very best with the last few details.  Otherwise, I hope
we can find some time to knock this off at SambaXP.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
