[PATCHSET] Samba AD with MIT Kerberos

Jeremy Allison jra at samba.org
Wed Apr 19 17:05:00 UTC 2017


On Wed, Apr 19, 2017 at 09:26:29PM +1200, Andrew Bartlett via samba-technical wrote:
> The configure --help output does not explain the changed behaviour, it
> still says:
> 
>   --with-system-mitkrb5
>             enable system MIT krb5 build (includes Samba 4 client and
> Samba 3 code base).You may specify list of paths where Kerberos is
> installed (e.g. /usr/local
>             /usr/kerberos) to search krb5-config
> 
> 
> In this patch, the comment in the code still says 1 second:
> 
> commit 0711cd66419989fb6a22f4a6e7b67855981892c6
> Author: Andreas Schneider <asn at samba.org>
> Date:   Mon Sep 26 18:51:33 2016 +0200
> 
>     selftest: Set clockskew grace time to 5 seconds
>     
>     Signed-off-by: Andreas Schneider <asn at samba.org>
> 
> diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> index 3e5a7c3..e6f5ef8 100644
> --- a/selftest/target/Samba.pm
> +++ b/selftest/target/Samba.pm
> @@ -201,6 +201,10 @@ sub mk_krb5_conf($$)
>   ticket_lifetime = 24h
>   forwardable = yes
>   allow_weak_crypto = yes
> + # Set the grace clocskew to 1 second
> + # This is especially required by samba3.raw.session krb5 and
> + # reauth tests
> + clockskew = 5
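
Review bot: the comment added above `clockskew = 5` disagrees with the value it documents: it says "1 second" (and spells the option "clocskew") while the setting and the commit subject say 5 seconds. Change the first comment line to "# Set the grace clockskew to 5 seconds", and consider stating in the commit message why the samba3.raw.session krb5 and reauth tests need 5 rather than 1, since neither the comment nor the message gives a reason for the specific value.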

FYI Andreas I'd already spotted the above :-).

> When building on MIT 1.14.4 (on my Fedora laptop), I get:
> 
> ERROR: MIT krb5 build requires at least 1.14.4. 1.15.1 is found and
> cannot be used
> ERROR: You may try to build with embedded Heimdal Kerebros by not
> specifying --with-system-mitkrb5
>  
> This is different to master, and is what caused the earlier autobuild
> failure I mentioned on ubuntu 14.04 (in the Catalyst Cloud).  What I
> can't find is which commit changed the AD DC to be on with
> --with-system-mitkrb5.
> 
> Additionally specifying --without-ad-dc doesn't help, and isn't
> suggested in any case.  I think the default for --with-system-mitkrb5
> should be --without-ad-dc for now.
> 
> 
> commit 6e48c4ad9718f3ee6fbf78f7236105f2dfd9bdab
> Author: Andreas Schneider <asn at samba.org>
> Date:   Fri Oct 9 15:06:52 2015 +0200
> 
>     python: Add provisioning support for MIT KDC in samba-tool
>     
>     Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
> 
> In these provision changes, you directly import _glue into domain.py
> and python/samba/provision/kerberos.py.  Instead you should do like
> with_ntvfs_fileserver, and go via samba/__init__.py.  
> 
> e.g.
> python/samba/__init__.py:is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built
> 
> It also seems to partially revert:
> 
> commit 04d8e0605f27d1fe57de05a9dba749ce36f7e004
> Author: Andreas Schneider <asn at samba.org>
> Date:   Mon Nov 23 11:44:26 2015 +0100
> 
>     waf: Create kerberos_implementation.py for provisioning
>     
>     Signed-off-by: Andreas Schneider <asn at samba.org>
> 
> We are getting closer, but some details still remain to get this right.
>  I wish you the very best with the last few details.  Otherwise, I hope
> we can find some time to knock this off at SambaXP.

Can you fix up Andrew's issues and re-post a fixed
version for re-review!

Thanks,

Jeremy.


