[Samba] Heimdal, MIT and packaging (was: Re: Sernet 4.3.X package is no longer free :/)

Andrew Bartlett abartlet at samba.org
Tue Sep 22 08:56:10 UTC 2015

On Mon, 2015-09-21 at 17:54 +0200, Reindl Harald wrote:
> On 21.09.2015 at 17:47, Mark Foley wrote:
> > On Mon, 21 Sep 2015 09:02AM Nico Kadel-Garcia <nkadel at gmail.com>
> > wrote:
> > 
> > > RHEL's decision to use the incompatible "Heimdal" library for
> > > Kerberos make it a
> > > lot more awkward to compile with directory controller support,
> > > which is partly
> > > why I maintain my build.
> > 
> > I'm not writing about the main topic of "Sernet ... no longer
> > free", but your
> > above statement caught my eye.
> > 
> > Why do you say that the Heimdal library for Kerberos is
> > incompatible?
> nobody knows because the opposite is true
> https://wiki.samba.org/index.php/MIT_Build#Kerberos_Issues

To be really clear, the biggest thing the Heimdal libs are incompatible
with is distributions' policies.  In particular, the major enterprise
distributions, RedHat and SuSE, are members of the MIT Consortium, to
support the development of that platform, and do not wish to build,
support and inevitably also develop a SECOND Kerberos and GSSAPI

Putting policy aside, deployed on its own, I've seen no issues running
Samba on systems built otherwise with MIT Kerberos.

The use of library and symbol versions has generally prevented these
issues from coming up.

Even at build time, provided we maintain the correct internal
dependencies, we will select the correct gssapi and krb5 headers.

Things get more difficult if the thing you want from Samba is a support
library for FreeIPA, a system built totally around MIT Kerberos.

There are good reasons why we will be moving to MIT Kerberos, mostly
related to the lack of timely releases from the Heimdal project, and
the desire to make that integration with FreeIPA easier, but in the
meantime, there is nothing to fear about our current state for running
an AD DC.

I agree that some rough edges like DIR: support are annoying, but these
won't impact on the ability to run an AD DC.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
