mit-krb5 and heimdal binaries
rpenny at samba.org
Sun Mar 19 07:12:38 UTC 2023
On 19/03/2023 06:12, Michael Tokarev via samba-technical wrote:
> I already asked a similar question before, but it keeps popping up in contexts and forms, and the more I use samba myself, the more often it comes to me too, especially in the context of using various security tokens for auth. And the more I think about all this, the more sane it looks to me.
>
> The thing is: mit-krb5 has much better user-level support than heimdal. But samba does not fully support mit-krb5 as an active directory domain controller. The AD-DC thing is server-side.
>
> I can think of providing two builds of samba for a distribution (e.g. debian/ubuntu), - one implementing the whole ad-dc, as a complete thing, using its own set of libs, linked with heimdal. And a usual set of more client-side packages, with their own libraries, built against mit-krb5. Or maybe some other combination also has its right to be, - for example, smbclient built with mit-krb5, the rest is
>
> An essential part of this is that the two sets (built against mit-krb5 and heimdal) do not share any internal libraries, each has its own libraries. This way, there's no "mix" of differently built samba, each build uses only its own libs, so there's no clash here. They share the same smb.conf though.
>
> So far, I've seen requests to build two versions of the server (again, with mit-krb5 and with heimdal), - and I faced the same issues too. This is because a regular AD member server is also good to have mit-krb5 support to integrate nicely into the auth infrastructure. While for ad-dc, it is less often used as "end-user"
>
> So I can think of a separate samba-ad-dc binary package providing the whole samba suite built against heimdal (maybe without smbclient and some other minor things), and a samba "file server" binary package providing a regular server not suitable to use as an ad-dc, but conflicting with samba-ad-dc, so it is not possible to install one together with the other.
>
> This approach also has another good side effect, to discourage usage of
> as a regular file server.
>
> Or maybe the whole thing is moot now, and we can just provide regular samba built against mit-krb5 to work as a good AD-DC? That would be the best solution IMHO.
Please do not do this, you would only confuse people and they would try
to use the wrong package, I suggest you stick to what Debian has been
doing for the last 10 years at least.
For reasons why, see here: