working long-term with the MIT KRB5 codebase in the AD DC
abartlet at samba.org
Thu Oct 19 22:45:22 UTC 2017
On Thu, 2017-10-19 at 21:03 +0200, Andreas Schneider wrote:
> Well, install a newer libkrb5 on autobuild and we can do that.
I don't think this is the right approach. This needs a longer
discussion than I can do right now, but to get started:
The reasons are:
- sn-devel is not the only build box for Samba.
- We have travis-ci boxes on github and Catalyst's developers use the
scripts our samba-cloud-autobuild repo to build Samba on VMs.
- It means we could only ever use a feature of MIT krb5 once it is
upstream, released, packaged and installed
Instead, we need to make MIT Kerberos a first-class part of our build
What I propose is:
- Our build system uses a git reference (via a submodule or otherwise)
to check out and build MIT krb5
- In Samba master, this tracks either:
- MIT master
- a Samba vendor fork of MIT in limited circumstances
- In Samba release branches this tracks:
- the release branch, the released version of MIT krb5 that we will
- This occur in parallel to the Heimdal build
Naturally, coordination will be needed to get patches from master into
MIT releases in time for Samba releases.
This will resolve the issues we have seen so far, being:
- patches breaking the MIT build
- MIT Releases being made that break Samba
- features (like auth logging) being blocked on MIT releases
I also propose we move Heimdal to the same system, once we get the
current upgrade working, so we can finally kick Heimdal out of our
This proposal needs more work, but I hope it explains things a little.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
More information about the samba-technical