Heimdal upgrade, really happening this time

Andrew Bartlett abartlet at samba.org
Tue Jun 15 23:56:22 UTC 2021


I just wanted to say that Catalyst is finally making a solid run to get
the Heimdal upgrade done, and FAST implemented.

The purpose of this mail is to outline my proposed approach, in case
there are any major issues.

Firstly, I wanted to pass on great thanks to you Metze for your prompt
review of the patches last night.  Where I can, I want to keep 'drip
feeding' the patches in, but that might be as much as I can manage on
the Heimdal side, the rest are pretty firmly tied to the actual

There is still so much to do of course and any assistance you can give
will make things better and safer, but be assured that this time we
(Catalyst) are committed, serious and can pick up and hold up our end
of the task.

On testing, our intention is to implement an initial Python test for the
FAST protocol, and enough of the Python testing to allow the C-based
krb5.kdc.canon to be stripped back, stopping it modifying the AS-REQ
and allowing us to restore the AS-REQ protection.

In parallel to that, I'm working to get a modern Heimdal building and
passing tests, based on the great work already done.  For the Samba-
tree changes to source4/heimdal in the branch, I'm going to upstream
what changes I can, and push the rest to lorikeet-heimdal so we are not
totally blocked on upstream merge issues.

This will land as a pretty big bang, I don't really know any other way

We don't have an infinite budget, quite the opposite really, but if we
are all sensible then I'm confident we can land this by the end of
2021, perhaps even sooner!

I greatly appreciate the work you have done over the years towards
this, without that ongoing effort this just wouldn't be possible.

My current draft is up as a MR, and I'll continue to work to upstream
what I can (into Samba/Heimdal).  I do plan to upgrade Heimdal again
(perhaps to align to a release in 2021 if they make one) before I
finally merge the branch.


If you have any specific directions, concerns or hints I should follow
please let me know early.

Andrew Bartlett
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
