Building Samba master on CentOS 7 (gnutls)

Alexander Bokovoy ab at samba.org
Thu Sep 19 05:33:40 UTC 2019


On 19 September 2019, 5:16:44 GMT+03:00, Andrew Bartlett via samba-technical <samba-technical at lists.samba.org> wrote:
>On Wed, 2019-09-18 at 22:01 -0400, Nico Kadel-Garcia wrote:
>> On Wed, Sep 18, 2019 at 7:33 PM Andrew Bartlett via samba-technical
>> <samba-technical at lists.samba.org> wrote:
>> 
>> > We can't easily add comments like that to the bootstrap.sh, but a README
>> > might work.  Only trouble is that you will need to modify
>> > bootstrap/template.py to also exclude that new file from the sha1sum
>> > calculations.
>> > 
>> > Getting a better gnutls34 or later package into EPEL without the
>> > conflicts would also be really helpful.
>> 
>> The published compat-gnutls34 and compat-nettle32 from have "devel"
>> packages that conflict with the default gnutls and nettle packages.
>> There are probably more graceful ways around them, but they'd need
>> some hooks in the samba building tools to *find* and use the
>> alternative locations.
>
>We are already setting 
>
>> Is there any chance that the alternative, mit-krb5 based Kerberos
>> setups are good enough to use for samba-4.11?
>
>This was also asked by someone else yesterday.  The answer is still no.
>
>>  Fedora has been enabling
>> them in rawhide, but I don't know if all the older components in RHEL
>> 7 or now RHEL 8 are recent and play nicely, and I for one have not had
>> the spare stable build environment to test it out lately.
>
>The issue isn't with MIT Kerberos per se, but the whole combined work
>is not supported as an AD DC.  The effort largely stopped before RHEL8
>branched from Fedora, so the right packages will be in place, but that
>isn't the problem.  
Nope, both MIT krb5 and Heimdal are inadequate. ;) The Heimdal version works by the lucky consequence of not fully implementing correct checks for S4U operations. The MIT version lacks relaxed principal comparison checks while having a more correct implementation of S4U features.

Isaac is working on fixing the principal comparison checks in https://github.com/iboukris/krb5/commit/66bdc866896b3d22f552bcee757929dfc3fb9776

>
>The problem is resources to support it (issuing security patches etc),
>the additional tests needed (because everything has changed) and the
>missing features.

The support part is irrelevant here at the moment. Stricter principal comparison checks than what is required by MS-KILE are preventing us from even getting to any serious testing.


>
>https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
>Andrew Bartlett


-- 
Alexander Bokovoy 


