working long-term with the MIT KRB5 codebase in the AD DC

Andrew Bartlett abartlet at
Thu Oct 19 22:45:22 UTC 2017

On Thu, 2017-10-19 at 21:03 +0200, Andreas Schneider wrote:
> Well, install a newer libkrb5 on autobuild and we can do that.

I don't think this is the right approach.  This needs a longer
discussion than I can do right now, but to get started:

The reasons are: 
 - sn-devel is not the only build box for Samba.  

 - We have travis-ci boxes on github and Catalyst's developers use the
scripts in our samba-cloud-autobuild repo to build Samba on VMs.

 - It means we could only ever use a feature of MIT krb5 once it is
upstream, released, packaged and installed

Instead, we need to make MIT Kerberos a first-class part of our build

What I propose is:
 - Our build system uses a git reference (via a submodule or otherwise)
to check out and build MIT krb5
 - In Samba master, this tracks either:
   - MIT master
   - a Samba vendor fork of MIT in limited circumstances
 - In Samba release branches this tracks:
   - the release branch, the released version of MIT krb5 that we will
 - This occurs in parallel to the Heimdal build

Naturally, coordination will be needed to get patches from master into
MIT releases in time for Samba releases.

This will resolve the issues we have seen so far, being:
 - patches breaking the MIT build
 - MIT Releases being made that break Samba
 - features (like auth logging) being blocked on MIT releases

I also propose we move Heimdal to the same system, once we get the
current upgrade working, so we can finally kick Heimdal out of our

This proposal needs more work, but I hope it explains things a little.


Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT
