[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Tue May 2 10:41:43 UTC 2017


On Tue, 2 May 2017 10:47:47 +0200
Lukas Slebodnik <lslebodn at redhat.com> wrote:

> On (02/05/17 08:05), Rowland Penny via samba-technical wrote:
> >On Mon, 01 May 2017 22:44:59 +0200
> >Andreas Schneider <asn at samba.org> wrote:
> >
> >> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
> >> > On Mon, 1 May 2017 17:58:20 +0300
> >> > Alexander Bokovoy <ab at samba.org> wrote:
> >> > > On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:
> >> > > > On Sun, 30 Apr 2017 17:42:19 +0100
> >> > > > Rowland Penny via samba-technical
> >> > > > <samba-technical at lists.samba.org> wrote:
> >> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
> >> > > > > Jeremy Allison <jra at samba.org> wrote:
> >> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
> >> > > > > > wrote:
> >> > > > > > > That's basically what I said, move to MIT instead of
> >> > > > > > > Heimdal and change the version to 5 at the same time.
> >> > > > > > 
> >> > > > > > Yes, we are in violent agreement :-).
> >> > > > > > 
> >> > > > > > > How about putting something on the Samba webpage, it
> >> > > > > > > would make a change from all the out of date info ;-)
> >> > > > > > 
> >> > > > > > That's a really good idea !
> >> > > > > > 
> >> > > > > > > The other question is, How do I use MIT instead of
> >> > > > > > > Heimdal on debian ?
> >> > > > > > 
> >> > > > > > I know you need MIT 1.15.1 which is the *very latest*
> >> > > > > > release. Not sure if that's in debian yet (it's not
> >> > > > > > in Ubuntu 17.04).
> >> > > > > 
> >> > > > > OK, I will ask that question in a different way, what
> >> > > > > packages do you need to install on Fedora to compile Samba
> >> > > > > as an AD DC using MIT ?
> >> > > > > 
> >> > > > > Rowland
> >> > > > 
> >> > > > There seems to be a problem on debian stretch:
> >> > > > 
> >> > > > ./configure --with-system-mitkrb5
> >> > > > 
> >> > > > leads to this:
> >> > > > 
> >> > > > Checking for kdb : yes
> >> > > > Checking for gssapi : yes
> >> > > > ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.15 has been found and cannot be used
> >> > > > ERROR: If you want to just build Samba FS use the option --without-ad-dc which requires version 1.9
> >> > > > ERROR: You may try to build with embedded Heimdal Kerebros by not specifying --with-system-mitkrb5
> >> > > > 
> >> > > > But when you check the installed package, you get this:
> >> > > > 
> >> > > > dpkg -s libkrb5-dev
> >> > > > Package: libkrb5-dev
> >> > > > Status: install ok installed
> >> > > > Priority: extra
> >> > > > Section: libdevel
> >> > > > Installed-Size: 173
> >> > > > Maintainer: Sam Hartman <hartmans at debian.org>
> >> > > > Architecture: amd64
> >> > > > Source: krb5
> >> > > > Version: 1.15-1
> >> > > 
> >> > > This is version 1.15, not 1.15.1.
> >> > > 
> >> > > > It would seem that 'Version: 1.15-1' isn't the same as the
> >> > > > version that Samba AD requires, which is 'at least
> >> > > > 1.15.1' ;-)
> >> > > 
> >> > > Yes, 1.15 is 1.15.0.
> >> > > 
> >> > > > To me it looks like Samba requires a dot between the package
> >> > > > minor version and revision i.e. 15.1, but debian uses a dash
> >> > > > '-' instead.
> >> > > 
> >> > > No, this is really an older version than required. A dash is
> >> > > for build number, e.g. it is "1.15, Debian build 1".
> >> > 
> >> > Thanks for clarifying that ;-)
> >> > 
> >> > In which case and as I cannot find 1.15.1 packages for debian, I
> >> > return to my stance that we shouldn't bump the Samba version to
> >> > 5, because we will just be switching from not being able to
> >> > build an AD DC on red-hat, to not being able to build an AD DC
> >> > on debian based systems :-(
> >> 
> >> Debian has just to update their package. MIT Kerberos 1.15 has a
> >> major flaw, it is not able to release memory allocated by a KDB
> >> module.
> >> 
> >> It might work as standalone but not with any project which provides
> >> their own KDB module it is not useable.
> >> 
> >> Debian could easily apply the two relevant patches to address
> >> the issue on their MIT Kerberos package and lower the required
> >> version number for MIT Kerberos in Samba.
> >> 
> >
> >I am not saying that debian cannot update MIT kerberos, in fact I
> >think they should, but until they do, it is not possible to build an
> >AD DC on debian using MIT kerberos.
> >
> Debian (Stretch) testing has been in freeze since 5th January 2017.
> The best would be to file a bug with Debian and let the krb5
> maintainers decide whether it is acceptable to update krb5 there.
> 
> Maybe they didn't consider updating for lack of a reason.
> And samba-dc + krb5 might be a good reason :-)
> 
> LS

OK, bug reported:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861651

Rowland
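
The version mix-up discussed in this thread, as an added example that is not part of the original messages and is not Samba's or Debian's own code: a Debian package version has the form `[epoch:]upstream[-revision]`, so `1.15-1` is upstream 1.15 (that is, 1.15.0), Debian build 1. The function names are hypothetical, and comparing only the leading dotted-numeric part of the upstream version is a simplifying assumption, not the full Debian comparison algorithm.

```python
import re


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                      # no epoch given, Debian treats it as 0
        epoch, rest = "0", version
    # The Debian revision is whatever follows the LAST hyphen, if there is one.
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # native package: no Debian revision
        upstream, revision = rest, ""
    return epoch, upstream, revision


def upstream_tuple(upstream, width=3):
    """Leading dotted-numeric part, zero-padded: '1.15' -> (1, 15, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if not match:
        raise ValueError("no numeric upstream version in %r" % upstream)
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (width - len(parts))   # 1.15 means 1.15.0
    return tuple(parts)


def meets_minimum(package_version, minimum):
    """True if the package's upstream release is at least `minimum`."""
    _, upstream, _ = split_debian_version(package_version)
    return upstream_tuple(upstream) >= upstream_tuple(minimum)


if __name__ == "__main__":
    required = "1.15.1"   # minimum stated in the configure error in this thread
    # '1.15-1' is the version from the dpkg output above; the others are
    # constructed sample values for illustration.
    for installed in ("1.15-1", "1.15.1-2", "1.15.1+dfsg-1"):
        verdict = "ok" if meets_minimum(installed, required) else "too old"
        print("%-16s upstream=%-12s %s" % (
            installed, split_debian_version(installed)[1], verdict))
```

The upstream number only says which release a package is based on; as noted earlier in the thread, a distribution can carry the relevant patches on top of an older upstream version, which this check cannot see.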


