[WHATSNEW] Samba AD with MIT Kerberos + Version change
rpenny at samba.org
Mon May 1 14:18:11 UTC 2017
On Sun, 30 Apr 2017 17:42:19 +0100
Rowland Penny via samba-technical <samba-technical at lists.samba.org> wrote:
> On Sun, 30 Apr 2017 09:30:21 -0700
> Jeremy Allison <jra at samba.org> wrote:
> > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
> > >
> > > That's basically what I said, move to MIT instead of Heimdal and
> > > change the version to 5 at the same time.
> > Yes, we are in violent agreement :-).
> > > How about putting something on the Samba webpage, it would make a
> > > change from all the out of date info ;-)
> > That's a really good idea !
> > > The other question is, How do I use MIT instead of Heimdal on
> > > Debian ?
> > I know you need MIT 1.15.1 which is the *very latest*
> > release. Not sure if that's in Debian yet (it's not
> > in Ubuntu 17.04).
> OK, I will ask that question in a different way, what packages do you
> need to install on Fedora to compile Samba as an AD DC using MIT ?
There seems to be a problem on Debian stretch:
leads to this:
Checking for kdb : yes
Checking for gssapi : yes
ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.15 has been found and cannot be used
ERROR: If you want to just build Samba FS use the option --without-ad-dc which requires version 1.9
ERROR: You may try to build with embedded Heimdal Kerebros by not
But when you check the installed package, you get this:
dpkg -s libkrb5-dev
Status: install ok installed
Maintainer: Sam Hartman <hartmans at debian.org>
Replaces: krb5-multidev (<< 1.8+dfsg~alpha1-3)
Depends: krb5-multidev (= 1.15-1)
Description: headers and development libraries for MIT Kerberos
Kerberos is a system for authenticating users and services on a network.
Kerberos is a trusted third-party service. That means that there is a
third party (the Kerberos server) that is trusted by all the entities on
the network (users and services, usually called "principals").
This is the MIT reference implementation of Kerberos V5.
This package contains the symlinks, headers, and development libraries
needed to compile and link programs that use the Kerberos libraries.
It would seem that 'Version: 1.15-1' isn't the same as the version that
Samba AD requires, which is 'at least 1.15.1' ;-)
To me it looks like Samba requires a dot between the package minor
version and revision i.e. 15.1, but Debian uses a dash '-' instead.
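
Added example, not part of the original message and not Samba's configure code: it splits a Debian package version in the Debian Policy format `[epoch:]upstream_version[-debian_revision]` and compares the upstream part with the 1.15.1 minimum quoted in the configure error. The function names are hypothetical, and the comparison only looks at the leading dotted-numeric part of the upstream version.

```python
import re

# Minimum MIT krb5 version, taken from the configure error quoted in the message.
REQUIRED_UPSTREAM = (1, 15, 1)


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    # The Debian revision is whatever follows the LAST hyphen, if any.
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def upstream_tuple(upstream):
    """Leading dotted-numeric part of an upstream version as an int tuple.

    Suffixes such as '+dfsg' or '~alpha1' are ignored: enough for a
    'major.minor.patch' minimum check, not a full dpkg ordering.
    """
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if match is None:
        raise ValueError(f"no numeric version in {upstream!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def meets_minimum(debian_version, required=REQUIRED_UPSTREAM):
    """True if the upstream release inside debian_version is >= required."""
    _, upstream, _ = split_debian_version(debian_version)
    found = upstream_tuple(upstream)
    # Pad so that (1, 15) compares as (1, 15, 0).
    width = max(len(found), len(required))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(found) >= pad(required)


if __name__ == "__main__":
    # "1.15-1" and "1.8+dfsg~alpha1-3" appear in the dpkg output in the
    # message; "1:1.15.1-2" is a constructed sample.
    for sample in ("1.15-1", "1.8+dfsg~alpha1-3", "1:1.15.1-2"):
        print(sample, split_debian_version(sample), meets_minimum(sample))
```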