[WHATSNEW] Samba AD with MIT Kerberos + Version change

Lukas Slebodnik lslebodn at redhat.com
Tue May 2 08:47:47 UTC 2017


On (02/05/17 08:05), Rowland Penny via samba-technical wrote:
>On Mon, 01 May 2017 22:44:59 +0200
>Andreas Schneider <asn at samba.org> wrote:
>
>> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
>> > On Mon, 1 May 2017 17:58:20 +0300
>> > 
>> > Alexander Bokovoy <ab at samba.org> wrote:
>> > > On ma, 01 touko 2017, Rowland Penny via samba-technical wrote:
>> > > > On Sun, 30 Apr 2017 17:42:19 +0100
>> > > > Rowland Penny via samba-technical
>> > > > <samba-technical at lists.samba.org>
>> > > > 
>> > > > wrote:
>> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
>> > > > > 
>> > > > > Jeremy Allison <jra at samba.org> wrote:
>> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
>> > > > > > wrote:
>> > > > > > > That's basically what I said, move to MIT instead of
>> > > > > > > Heimdal and change the version to 5 at the same time.
>> > > > > > 
>> > > > > > Yes, we are in violent agreement :-).
>> > > > > > 
>> > > > > > > How about putting something on the Samba webpage, it would
>> > > > > > > make a change from all the out of date info ;-)
>> > > > > > 
>> > > > > > That's a really good idea !
>> > > > > > 
>> > > > > > > The other question is, How do I use MIT instead of
>> > > > > > > Heimdal on debian ?
>> > > > > > 
>> > > > > > I know you need MIT 1.15.1 which is the *very latest*
>> > > > > > release. Not sure if that's in debian yet (it's not
>> > > > > > in Ubuntu 17.04).
>> > > > > 
>> > > > > OK, I will ask that question in a different way, what
>> > > > > packages do you need to install on Fedora to compile Samba as
>> > > > > an AD DC using MIT ?
>> > > > > 
>> > > > > Rowland
>> > > > 
>> > > > There seems to be a problem on debian stretch:
>> > > > 
>> > > > ./configure --with-system-mitkrb5
>> > > > 
>> > > > leads to this:
>> > > > 
>> > > > Checking for
>> > > > kdb                                                                  :
>> > > > yes Checking for
>> > > > gssapi                                                               :
>> > > > yes ERROR: MIT KRB5 build with Samba AD requires at least
>> > > > 1.15.1. 1.15 has been found and cannot be used ERROR: If you
>> > > > want to just build Samba FS use the option --without-ad-dc
>> > > > which requires version 1.9 ERROR: You may try to build with
>> > > > embedded Heimdal Kerebros by not specifying
>> > > > --with-system-mitkrb5
>> > > > 
>> > > > But when you check the installed package, you get this:
>> > > > 
>> > > > dpkg -s libkrb5-dev
>> > > > Package: libkrb5-dev
>> > > > Status: install ok installed
>> > > > Priority: extra
>> > > > Section: libdevel
>> > > > Installed-Size: 173
>> > > > Maintainer: Sam Hartman <hartmans at debian.org>
>> > > > Architecture: amd64
>> > > > Source: krb5
>> > > > Version: 1.15-1
>> > > 
>> > > This is version 1.15, not 1.15.1.
>> > > 
>> > > > It would seem that 'Version: 1.15-1' isn't the same as the
>> > > > version that Samba AD requires, which is 'at least 1.15.1' ;-)
>> > > 
>> > > Yes, 1.15 is 1.15.0.
>> > > 
>> > > > To me it looks like Samba requires a dot between the package
>> > > > minor version and revision i.e. 15.1, but debian uses a dash
>> > > > '-' instead.
>> > > 
>> > > No, this is really an older version than required. A dash is for
>> > > build number, e.g. it is "1.15, Debian build 1".
>> > 
>> > Thanks for clarifying that ;-)
>> > 
>> > In which case and as I cannot find 1.15.1 packages for debian, I
>> > return to my stance that we shouldn't bump the Samba version to 5,
>> > because we will just be switching from not being able to build an
>> > AD DC on red-hat, to not being able to build an AD DC on debian
>> > based systems :-(
>> 
>> Debian has just to update their package. MIT Kerberos 1.15 has a
>> major flaw, it is not able to release memory allocated by a KDB
>> module.
>> 
>> It might work standalone, but with any project which provides its
>> own KDB module it is not usable.
>> 
>> Debian could easily apply the two relevant patches to address the
>> issue in their MIT Kerberos package and lower the required version
>> number for MIT Kerberos in Samba.
>> 
>
>I am not saying that debian cannot update MIT kerberos, in fact I think
>they should, but until they do, it is not possible to build an AD DC on
>debian using MIT kerberos.
>
Debian (Stretch) testing has been in freeze since 5th January 2017.
The best would be to file a bug with Debian and let the krb5 maintainers
decide whether it is acceptable to update krb5 there.

Maybe they didn't consider updating because a reason was missing.
And samba-dc + krb5 might be a good reason :-)

LS
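
The version distinction discussed in the thread (the dash in `1.15-1` introduces the Debian revision, so the upstream release is 1.15, i.e. 1.15.0), as an added example that is not part of the original message and is not Samba's configure check. The function names are hypothetical, and every sample version string other than `1.15-1` is constructed.

```python
import re

REQUIRED_MIT_KRB5 = "1.15.1"  # minimum quoted in the configure error in this thread

def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch present
        epoch, rest = "0", version
    # The Debian revision is whatever follows the LAST hyphen.
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # native package: no Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def release_of(upstream):
    """Return (numeric components, is_prerelease) for an upstream version."""
    m = re.match(r"\d+(?:\.\d+)*", upstream)
    if m is None:
        raise ValueError("no numeric release in %r" % upstream)
    numbers = [int(p) for p in m.group(0).split(".")]
    # In Debian ordering '~' sorts before the bare release (e.g. 1.15.1~beta1).
    return numbers, upstream[m.end():].startswith("~")

def meets_minimum(package_version, minimum=REQUIRED_MIT_KRB5):
    """True if the packaged upstream release is at least `minimum`."""
    _, upstream, _ = split_debian_version(package_version)
    have, prerelease = release_of(upstream)
    want, _ = release_of(minimum)
    width = max(len(have), len(want))
    have += [0] * (width - len(have))   # 1.15 compares as 1.15.0
    want += [0] * (width - len(want))
    if have == want:
        return not prerelease
    return have > want

if __name__ == "__main__":
    # "1.15-1" is from the dpkg output in the thread; the others are constructed.
    for v in ("1.15-1", "1.15.1-2", "1.15.1~beta1-1", "2:1.16+dfsg-3"):
        print(v, split_debian_version(v), meets_minimum(v))
```

The epoch and the Debian revision are parsed but deliberately ignored in the comparison, since only the upstream release decides whether the required upstream fixes are present.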


