Heimdal upgrade, really happening this time

Andrew Bartlett abartlet at samba.org
Fri Jul 9 10:29:54 UTC 2021

On Tue, 2021-07-06 at 10:14 +0200, Stefan Metzmacher via samba-
technical wrote:
> Hi Andrew,
> > > My current draft is up as a MR, and I'll continue to work to upstream
> > > what I can (into Samba/Heimdal).  I do plan to upgrade Heimdal again
> > > (perhaps to align to a release in 2021 if they make one) before I
> > > finally merge the branch.
> > > 
> > > https://gitlab.com/samba-team/samba/-/merge_requests/2014
> Also keep the following in mind when proposing upstream changes:
> - (kdc outdated passwords)
>   https://gitlab.com/samba-team/samba/-/merge_requests/664
> - S4U2Proxy requests with encrypted authorization-data are rejected by a Samba KDC
>   https://bugzilla.samba.org/show_bug.cgi?id=13131
> - The KDC logic arround msDs-supportedEncryptionTypes differs from Windows
>   https://bugzilla.samba.org/show_bug.cgi?id=13135
> - S4U2Proxy tickets from a Samba KDC don't pass PAC verification checks (authtime mismatch)
>   https://bugzilla.samba.org/show_bug.cgi?id=13137
> - PKINIT fixes:
>   https://github.com/metze-samba/heimdal/tree/heimdal-smartcard
> We most likely also need to change some apis in order to generate PAC Ticket checksums
> (Wireshark support is being added by Isaac and me, see https://gitlab.com/wireshark/wireshark/-/merge_requests/3570)
> and also for compound identity PACs when offering FAST.
> "wip: rework PAC and AD-SIGNTICKET for S4U2Proxy support"
> https://github.com/heimdal/heimdal/pull/767
> might also be related here.
> I'll also try to start the discussion about
> https://github.com/heimdal/heimdal/pull/656
> https://github.com/krb5/krb5/pull/1005
> metze

For the list, some of the discussion is happening on:

We are really close.  Probably not close enough to drop for 4.15 (we
may have missed something, and last-moment isn't when to drop in
something like this) but quite close, and starting the 4.16 development
cycle would give plenty of time to shake out bugs. 

There are more tests to write, but also at some point we are going to
need to just say 'this is good enough and sort the rest out in master'
as rebasing on both Samba and Heimdal takes time, care and energy. 

To be clear, I won't get in the way if you want to move faster, I've
just been trying to stay as careful as I thought you would be expecting
me to be (if that makes any sense).

I do suggest we should keep a fairly 'dirty' history with the previous
merge points working as much as possible, in case we need to bisect
back on bugs, to at least have some reference points.  Not our usual
practice but for this one case I think worthwhile.

We now have a mostly-working branch of current Heimdal on current
Samba, compiling on all our supported system, which is pretty

Andrew Bartlett

Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list