[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Tue May 2 07:05:06 UTC 2017


On Mon, 01 May 2017 22:44:59 +0200
Andreas Schneider <asn at samba.org> wrote:

> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
> > On Mon, 1 May 2017 17:58:20 +0300
> > 
> > Alexander Bokovoy <ab at samba.org> wrote:
> > > On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:
> > > > On Sun, 30 Apr 2017 17:42:19 +0100
> > > > Rowland Penny via samba-technical
> > > > <samba-technical at lists.samba.org> wrote:
> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
> > > > > 
> > > > > Jeremy Allison <jra at samba.org> wrote:
> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
> > > > > > wrote:
> > > > > > > That's basically what I said, move to MIT instead of
> > > > > > > Heimdal and change the version to 5 at the same time.
> > > > > > 
> > > > > > Yes, we are in violent agreement :-).
> > > > > > 
> > > > > > > How about putting something on the Samba webpage, it would
> > > > > > > make a change from all the out of date info ;-)
> > > > > > 
> > > > > > That's a really good idea !
> > > > > > 
> > > > > > > The other question is, How do I use MIT instead of
> > > > > > > Heimdal on debian ?
> > > > > > 
> > > > > > I know you need MIT 1.15.1 which is the *very latest*
> > > > > > release. Not sure if that's in debian yet (it's not
> > > > > > in Ubuntu 17.04).
> > > > > 
> > > > > OK, I will ask that question in a different way, what
> > > > > packages do you need to install on Fedora to compile Samba as
> > > > > an AD DC using MIT ?
> > > > > 
> > > > > Rowland
> > > > 
> > > > There seems to be a problem on debian stretch:
> > > > 
> > > > ./configure --with-system-mitkrb5
> > > > 
> > > > leads to this:
> > > > 
> > > > Checking for kdb                                     : yes
> > > > Checking for gssapi                                  : yes
> > > > ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.15 has been found and cannot be used
> > > > ERROR: If you want to just build Samba FS use the option --without-ad-dc which requires version 1.9
> > > > ERROR: You may try to build with embedded Heimdal Kerebros by not specifying --with-system-mitkrb5
> > > > 
> > > > But when you check the installed package, you get this:
> > > > 
> > > > dpkg -s libkrb5-dev
> > > > Package: libkrb5-dev
> > > > Status: install ok installed
> > > > Priority: extra
> > > > Section: libdevel
> > > > Installed-Size: 173
> > > > Maintainer: Sam Hartman <hartmans at debian.org>
> > > > Architecture: amd64
> > > > Source: krb5
> > > > Version: 1.15-1
> > > 
> > > This is version 1.15, not 1.15.1.
> > > 
> > > > It would seem that 'Version: 1.15-1' isn't the same as the
> > > > version that Samba AD requires, which is 'at least 1.15.1' ;-)
> > > 
> > > Yes, 1.15 is 1.15.0.
> > > 
> > > > To me it looks like Samba requires a dot between the package
> > > > minor version and revision i.e. 15.1, but debian uses a dash
> > > > '-' instead.
> > > 
> > > No, this is really an older version than required. A dash is for
> > > build number, e.g. it is "1.15, Debian build 1".
> > 
> > Thanks for clarifying that ;-)
> > 
> > In which case and as I cannot find 1.15.1 packages for debian, I
> > return to my stance that we shouldn't bump the Samba version to 5,
> > because we will just be switching from not being able to build an
> > AD DC on red-hat, to not being able to build an AD DC on debian
> > based systems :-(
> 
> Debian has just to update their package. MIT Kerberos 1.15 has a
> major flaw, it is not able to release memory allocated by a KDB
> module.
> 
> It might work as standalone but not with any project which provides
> their own KDB module it is not useable.
> 
> Debian could easily apply the two relevant patches to address the
> issue on their MIT Kerberos package and lower the required version
> number for MIT Kerberos in Samba.
> 

I am not saying that debian cannot update MIT kerberos, in fact I think
they should, but until they do, it is not possible to build an AD DC on
debian using MIT kerberos.

> 
> Also, Samba AD with MIT Kerberos has not been released yet. It is
> likely that Debian has MIT Kerberos 1.15.1 when the next Samba version
> ships and that's in September.

Yes and until debian ships 1.15.1 (or later), then the next version of
Samba should be 4.7.0

> 
> 
> The Heimdal version used by Samba is from 2011!

Yes, I know, and as such needs to be replaced, but it can only be
replaced when most distros have MIT 1.15.1. I personally think that
Samba should move to 5.0.0 only when Heimdal is removed.

Rowland
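
The version mismatch worked through in this thread, as an added example that is not part of the original message or of Samba's build scripts: it splits a Debian package version into epoch, upstream version and Debian revision, then compares only the upstream part against the 1.15.1 minimum from the configure error. The function names are hypothetical, the `dpkg -s` sample is an abbreviated copy of the output quoted above, and the comparison is a simplification of dpkg's full ordering rules.

```python
import re

REQUIRED = "1.15.1"  # minimum quoted in the configure error in this thread

# Constructed sample: abbreviated `dpkg -s libkrb5-dev` output from the thread.
SAMPLE_STATUS = """Package: libkrb5-dev
Status: install ok installed
Source: krb5
Version: 1.15-1
"""

def version_from_status(text):
    """Return the Version field of a dpkg status stanza."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Version":
            return value.strip()
    raise ValueError("no Version field found")

def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    # The Debian revision is whatever follows the LAST hyphen; a version
    # with no hyphen has no revision at all.
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def release_tuple(upstream, width=3):
    """Leading dotted numbers as a zero-padded tuple, so 1.15 -> (1, 15, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if not match:
        raise ValueError("no numeric release in %r" % upstream)
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts)

def meets_requirement(package_version, required=REQUIRED):
    """True if the upstream release inside package_version is >= required."""
    _, upstream, _ = split_debian_version(package_version)
    return release_tuple(upstream) >= release_tuple(required)

if __name__ == "__main__":
    installed = version_from_status(SAMPLE_STATUS)
    epoch, upstream, revision = split_debian_version(installed)
    print("installed=%s upstream=%s debian-revision=%s ok=%s"
          % (installed, upstream, revision, meets_requirement(installed)))
```
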