Samba | Bronze bit, S4U and RBCD support with MIT Kerberos 1.20 (!2330)

Andreas Schneider asn at samba.org
Fri Feb 25 09:41:04 UTC 2022


On Friday, February 25, 2022 9:48:52 AM CET Andrew Bartlett via samba-technical
wrote:
> I think this is a discussion worth having somewhere a little less
> hidden than a MR.  So sent to Samba-technical, but BCC to the MR.  Let's
> see if that works...
> 
> On https://gitlab.com/samba-team/samba/-/merge_requests/2330#note_855084458
> Andreas, Alexander and I are caught on the philosophical point of what
> MIT krb5 versions we should be including runtime support for in master.
> 
> My point is that we test MIT 1.20 on Fedora.  The non-Fedora builds all
> build Heimdal.  That is, with these changes the MIT 1.19 support is
> untested in our CI, so we shouldn't put untested code in such important
> codepaths.

This is not true!

Take a look at the pipeline:

https://gitlab.com/samba-team/devel/samba/-/pipelines/478777772

samba-addc-mit120 - This runner tests MIT Kerberos 1.20 (pre-release). It
                    tests the most important bits which have significantly
                    changed, like the KDB interface, S4U and RBCD.
                    If you look at the log you can see:
    $ if [ -x "$(command -v krb5-config)" ]; then krb5-config --version; fi
    Kerberos 5 release 1.20-prerelease


samba-addc-mit-1 - This runner tests MIT Kerberos 1.19
    From the log:
    $ if [ -x "$(command -v krb5-config)" ]; then krb5-config --version; fi
    Kerberos 5 release 1.19.2

samba-addc-mit-4a - This runner tests MIT Kerberos 1.19
samba-addc-mit-4b - This runner tests MIT Kerberos 1.19
samba-admem-mit - This runner tests MIT Kerberos 1.19
samba-mitkrb5 - This runner tests MIT Kerberos 1.19

> I'm honestly not making this argument to destroy the MIT KDC effort, on
> the contrary I want it to succeed!
> 
> But for it to be a long-term success we must also be able to learn from
> the past 6 months in particular to ensure we have a viable, practised
> process for changes that need to be made in both codebases.
> 
> In particular, I'm concerned that the AD DC 'will build and securely
> operate against the MIT version found on enterprise distributions' is
> just not a promise we can keep, so setting that up as the baseline
> expectation sets us up to fail.

What sense does it make to drop support for the latest MIT Kerberos release 
(version 1.19) and require our users to build MIT Kerberos from git master 
with the next Samba release?


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




