[PATCHSET] Samba AD with MIT Kerberos
Jeremy Allison
jra at samba.org
Wed Apr 19 17:05:00 UTC 2017
On Wed, Apr 19, 2017 at 09:26:29PM +1200, Andrew Bartlett via samba-technical wrote:
> The configure --help output does not explain the changed behaviour, it
> still says:
>
> --with-system-mitkrb5
> enable system MIT krb5 build (includes Samba 4 client and
> Samba 3 code base).You may specify list of paths where Kerberos is
> installed (e.g. /usr/local
> /usr/kerberos) to search krb5-config
>
>
> In this patch, the comment in the code still says 1 second:
>
> commit 0711cd66419989fb6a22f4a6e7b67855981892c6
> Author: Andreas Schneider <asn at samba.org>
> Date: Mon Sep 26 18:51:33 2016 +0200
>
> selftest: Set clockskew grace time to 5 seconds
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
>
> diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> index 3e5a7c3..e6f5ef8 100644
> --- a/selftest/target/Samba.pm
> +++ b/selftest/target/Samba.pm
> @@ -201,6 +201,10 @@ sub mk_krb5_conf($$)
> ticket_lifetime = 24h
> forwardable = yes
> allow_weak_crypto = yes
> + # Set the grace clocskew to 1 second
> + # This is especially required by samba3.raw.session krb5 and
> + # reauth tests
> + clockskew = 5
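Review bot: The comment added just above "clockskew = 5" still says "1 second" and misspells the option as "clocskew", so it contradicts both the value being set and the commit subject ("Set clockskew grace time to 5 seconds"). Suggest changing the first comment line to "# Set the grace clockskew to 5 seconds". Since the commit message has no body, the comment is also the only place to record why the samba3.raw.session krb5 and reauth tests need this value, so a short reason there would help.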
FYI Andreas I'd already spotted the above :-).
> When building on MIT 1.14.4 (on my Fedora laptop), I get:
>
> ERROR: MIT krb5 build requires at least 1.14.4. 1.15.1 is found and
> cannot be used
> ERROR: You may try to build with embedded Heimdal Kerebros by not
> specifying --with-system-mitkrb5
>
> This is different to master, and is what caused the earlier autobuild
> failure I mentioned on ubuntu 14.04 (in the Catalyst Cloud). What I
> can't find is which commit changed the AD DC to be on with --with-
> system-mitkrb5.
>
> Additionally specifying --without-ad-dc doesn't help, and isn't
> suggested in any case. I think the default for --with-system-mitkrb5
> should be --without-ad-dc for now.
>
>
> commit 6e48c4ad9718f3ee6fbf78f7236105f2dfd9bdab
> Author: Andreas Schneider <asn at samba.org>
> Date: Fri Oct 9 15:06:52 2015 +0200
>
> python: Add provisioning support for MIT KDC in samba-tool
>
> Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
>
> In these provision changes, you directly import _glue into domain.py
> and python/samba/provision/kerberos.py. Instead you should do like
> with_ntvfs_fileserver, and go via samba/__init__.py.
>
> eg
> python/samba/__init__.py:is_ntvfs_fileserver_built =
> _glue.is_ntvfs_fileserver_built
>
> It also seems to partially revert:
>
> commit 04d8e0605f27d1fe57de05a9dba749ce36f7e004
> Author: Andreas Schneider <asn at samba.org>
> Date: Mon Nov 23 11:44:26 2015 +0100
>
> waf: Create kerberos_implementation.py for provisioning
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
>
> We are getting closer, but some details still remain to get this right.
> I wish you the very best with the last few details. Otherwise, I hope
> we can find some time to knock this off at SambaXP.
Can you fix up Andrew's issues and re-post a fixed
version for re-review!
Thanks,
Jeremy.