[Samba] Heimdal, MIT and packaging

Rowland Penny rowlandpenny241155 at gmail.com
Tue Sep 22 09:14:40 UTC 2015

On 22/09/15 09:56, Andrew Bartlett wrote:
> On Mon, 2015-09-21 at 17:54 +0200, Reindl Harald wrote:
>> On 21.09.2015 at 17:47, Mark Foley wrote:
>>> On Mon, 21 Sep 2015 09:02AM Nico Kadel-Garcia <nkadel at gmail.com>
>>> wrote:
>>>> RHEL's decision to use the incompatible "Heimdal" library for
>>>> Kerberos makes it a lot more awkward to compile with directory
>>>> controller support, which is partly why I maintain my build.
>>> I'm not writing about the main topic of "Sernet ... no longer
>>> free", but your above statement caught my eye.
>>> Why do you say that the Heimdal library for Kerberos is
>>> incompatible?
>> nobody knows because the opposite is true
>> https://wiki.samba.org/index.php/MIT_Build#Kerberos_Issues
> To be really clear, the biggest thing the Heimdal libs are incompatible
> with is distributions' policies.  In particular, the major enterprise
> distributions, RedHat and SuSE are members of the MIT Consortium, to
> support the development of that platform, and do not wish to build,
> support and inevitably also develop a SECOND Kerberos and GSSAPI
> platform.
> Putting policy aside, deployed on its own, I've seen no issues running
> Samba on systems built otherwise with MIT Kerberos.
> The use of library and symbol versions has generally prevented these
> issues from coming up.
> Even at build time, provided we maintain the correct internal
> dependencies, we will select the correct gssapi and krb5 headers.
> Things get more difficult if the thing you want from Samba is a support
> library for FreeIPA, a system built totally around MIT Kerberos.
> There are good reasons why we will be moving to MIT Kerberos, mostly
> related to the lack of timely releases from the Heimdal project, and
> the desire to make that integration with FreeIPA easier, but in the
> meantime, there is nothing to fear about our current state for running
> an AD DC.
> I agree that some rough edges like DIR: support are annoying, but these
> won't impact on the ability to run an AD DC.
> Andrew Bartlett

Hi Andrew, thanks for setting out the state of Kerberos and Samba. I had
a look at the wiki page and noticed it was written nearly three and a half
years ago by yourself and, except for minor updates, has never really
been updated. As you seem to understand what is going on with Kerberos,
could I ask you to check the page over and update it as needed?
