[PATCHSET] Samba AD with MIT Kerberos

Andrew Bartlett abartlet at samba.org
Mon Apr 24 11:44:27 UTC 2017


On Thu, 2017-04-20 at 16:13 +0200, Andreas Schneider via samba-technical wrote:
> On Wednesday, 19 April 2017 11:26:29 CEST Andrew Bartlett wrote:
> > The configure --help output does not explain the changed behaviour, it
> > still says:
> > 
> >   --with-system-mitkrb5
> >             enable system MIT krb5 build (includes Samba 4 client and
> >             Samba 3 code base).You may specify list of paths where Kerberos is
> >             installed (e.g. /usr/local /usr/kerberos) to search krb5-config
> > 
> 
> Fixed, and also changed the test of the --without-ad-dc option. We need to
> stop referring to Samba4 and Samba3 and use Samba AD and Samba FS!

It still fails for me with:

Checking for gssapi                                                               : yes 
ERROR: MIT krb5 build requires at least 1.15.1. 1.14.4 is found and cannot be used
ERROR: You may try to build with embedded Heimdal Kerebros by not specifying --with-system-mitkrb5

This implies to me that you have not restored the behaviour to have
--without-ad-dc be the default when --with-system-mitkrb5 is set.

There are these problems:
 - It means that builds that worked will now fail, until an extra
option is specified
 - The AD DC will be built for installations that previously didn't get
it
 - Nothing in the error message suggests that --without-ad-dc is a fix
for this error.

Please do as I requested, and again make --with-system-mitkrb5 imply
--without-ad-dc unless specified otherwise.  Then test that you can
./configure --with-system-mitkrb5 on Ubuntu 14.04 and Fedora 25.

There will be a time when this will also build the AD DC by default,
but that needs to be later, preferably once we sort out the remaining
features. 

> > In this patch, the comment in the code still says 1 second:
> > 
> > commit 0711cd66419989fb6a22f4a6e7b67855981892c6
> > Author: Andreas Schneider <asn at samba.org>
> > Date:   Mon Sep 26 18:51:33 2016 +0200
> > 
> >     selftest: Set clockskew grace time to 5 seconds
> >     
> >     Signed-off-by: Andreas Schneider <asn at samba.org>
> > 
> > diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
> > index 3e5a7c3..e6f5ef8 100644
> > --- a/selftest/target/Samba.pm
> > +++ b/selftest/target/Samba.pm
> > @@ -201,6 +201,10 @@ sub mk_krb5_conf($$)
> >   ticket_lifetime = 24h
> >   forwardable = yes
> >   allow_weak_crypto = yes
> > + # Set the grace clocskew to 1 second
> > + # This is especially required by samba3.raw.session krb5 and
> > + # reauth tests
> > + clockskew = 5
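
Review bot: the added comment above `clockskew = 5` still says "1 second" and spells the option "clocskew", while the value and the commit subject both say 5 seconds; change it to "# Set the grace clockskew to 5 seconds" so that comment, setting and subject agree. The comment could also say why the samba3.raw.session krb5 and reauth tests need this value, since the hunk only states that they do.
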
> > 
> 
> Fixed.
> 
> > 
> > When building on MIT 1.14.4 (on my Fedora laptop), I get:
> > 
> > ERROR: MIT krb5 build requires at least 1.14.4. 1.15.1 is found and cannot be used
> > ERROR: You may try to build with embedded Heimdal Kerebros by not specifying --with-system-mitkrb5
> 
> OK, the printed versions are in the wrong order, fixed.

Per the above, it wasn't just the order I was worried about. 

> > This is different to master, and is what caused the earlier autobuild
> > failure I mentioned on ubuntu 14.04 (in the Catalyst Cloud).  What I
> > can't find is which commit changed the AD DC to be on with
> > --with-system-mitkrb5.
> > 
> > Additionally specifying --without-ad-dc doesn't help, and isn't
> > suggested in any case.  I think the default for --with-system-mitkrb5
> > should be --without-ad-dc for now.
> 
> Fixed, we need integer comparison for versions and not strings.
> 
>  def parse_version(v):
> -    return tuple(map(str, (v.split("."))))
> +    return tuple(map(int, (v.split("."))))
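
Review bot: on the `+` line, int() raises ValueError for any component of v that is not purely numeric, so a version string carrying a suffix would abort configure with a traceback rather than the "MIT krb5 build requires at least ..." error. Consider parsing only the leading digits of each component, or catching ValueError and reporting the version string that could not be parsed.
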
> 
> This explains a lot :)
> 
> > commit 6e48c4ad9718f3ee6fbf78f7236105f2dfd9bdab
> > Author: Andreas Schneider <asn at samba.org>
> > Date:   Fri Oct 9 15:06:52 2015 +0200
> > 
> >     python: Add provisioning support for MIT KDC in samba-tool
> >     
> >     Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
> > 
> > In these provision changes, you directly import _glue into domain.py
> > and python/samba/provision/kerberos.py.  Instead you should do like
> > with_ntvfs_fileserver, and go via samba/__init__.py.
> > 
> > eg
> > python/samba/__init__.py:is_ntvfs_fileserver_built = _glue.is_ntvfs_fileserver_built
> 
> Fixed.
> 
> > It also seems to partially revert:
> > 
> > commit 04d8e0605f27d1fe57de05a9dba749ce36f7e004
> > Author: Andreas Schneider <asn at samba.org>
> > Date:   Mon Nov 23 11:44:26 2015 +0100
> > 
> >     waf: Create kerberos_implementation.py for provisioning
> >     
> >     Signed-off-by: Andreas Schneider <asn at samba.org>
> > 
> > We are getting closer, but some details still remain to get this right.
> > I wish you the very best with the last few details.  Otherwise, I hope
> > we can find some time to knock this off at SambaXP.
> 
> Fixed.
> 
> Thanks for the review!
> 
> 
> Updated patchset attached.

I'm sorry that I can't give you a review quite yet.  Additionally,
Jeremy's war on talloc_autofree() has broken the patch set against
master.  It isn't a hard fix, but I know it will be frustrating.

I'm sure we can move forward on some of the patches, however this patch
is at the front of the set.  If you can get me a set of un-dependent
patches it may be easier to filter those in, and reduce the queue size.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



