[Samba] Heimdal Kerberos in Samba4

mathias dufresne infractory at gmail.com
Mon Aug 1 14:27:45 UTC 2016


As we wanted to test the latest Samba version, we had to compile Samba manually
once 4.3.0 went out.
As we wanted to continue to deploy Samba using the system's package manager, we
decided to build our own RPM.
As I hate RPM, I had to learn. As I'm lazy, I tried not to waste too much
time learning RPM.

So I downloaded the .spec from Sernet's 4.2.x package, I modified that .spec to
match the new Samba version and I used rpmbuild to build my RPMs (our systems
are CentOS 7).

This took some time, but it has been working since 4.3.0 went out, which is
already a bunch of months and also a bunch of versions recompiled using the
same .spec, each time with some little adjustments.

And now we have one .spec which is used once per Samba version. Generated
RPMs can be used for our AD DC and also for our file servers.

Cheers.

2016-07-29 6:15 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:

> correction samba-dc still doesn't come with samba-tool
>
> On Thu, Jul 28, 2016 at 10:13 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
> > I would like to start testing this. I saw a few months back Alexander
> > Bokovoy released a build for F23 and I started using that. Now that F24
> > is out I have to look for a way to upgrade. Is there a build for rawhide
> > with this? The standard samba-ad package for rawhide that install still
> > doesn't come with samba-tool. And compiling samba 4.4.5 with-mit-krb5
> > automatically disables AD support it seems as samba-tool is missing unless
> > I remove that option. Is this going to be fixed in 4.5.0? Should I download
> > the source code for 4.5.0 and do I need a bunch of patches that I get
> > somewhere? I'm a regular Fedora user and I am having difficulties seeing
> > how to put this all together.
> >
> > On Sun, Jul 24, 2016 at 11:38 PM, Nico Kadel-Garcia <nkadel at gmail.com>
> > wrote:
> >
> >> On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> >> > On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
> >> >> Hi List,
> >> >>
> >> >> I do my best to ask my question in english. ;-)
> >> >>
> >> >> Samba4 integrated heimdal kerberos to do the kerberos work for
> >> >> Active Directory. Some Linux Distributions like fedora/RedHat and
> >> >> openSUSE/SUSE don't accept heimdal even if it is shipped inside
> >> >> samba.
> >> >>
> >> >> Their argument is that heimdal isn't maintained since 2012.
> >> >> Compiling samba against MIT krb5 results in Samba-Packages without
> >> >> AD.
> >> >>
> >> >> Result: Active Directory is impossible with the Distribution
> >> >> packages of samba with the above mentioned Linux distributions.
> >> >>
> >> >> Fedoras way to solve this is:
> >> >>
> >> >> "We are intending to make possible use of AD DC functionality with
> >> >> MIT Kerberos but this is longer term project that requires
> >> >> cooperation between Samba, MIT, and FreeIPA."
> >> >> which means never, in my opinion.
> >> >
> >> > No you're wrong about that. Andreas, Guenther and Alexander
> >> > at Red Hat are working diligently every day towards this. We're planning
> >> > to get to that sooner rather than later.
> >> >
> >> >> My questions:
> >> >>
> >> >> Is the heimdal code inside of samba4 maintained by the samba team or
> >> >> is this unmaintained static code?
> >> >
> >> > Maintained. If it's in Samba we are responsible.
> >> > Once it's working with MIT we'll eventually remove
> >> > it from our tree though.
> >>
> >> I really wish you luck with that, because it's been an ongoing problem
> >> in Fedora. The Red Hat personnel I personally met working with
> >> Kerberos were pretty tightly focused on SSSD, which seems to me to be
> >> a fairly silly re-implementation of what Samba already does more
> >> broadly and more consistently.
> >>
> >> >> Are there considerations about using MIT krb5 inside samba4 instead
> >> >> of heimdal?
> >> >
> >> > Talk to Andreas, Guenther and Alexander for the latest.
> >> >
> >> >> The intention of our project "invis-server" is to bring samba 4 with
> >> >> AD DC functionality into openSUSE. Therefore we need arguments for
> >> >> the coming discussion.
> >> >
> >> > Hurrah ! I'm really glad to hear this ! If you could
> >> > coordinate with the people doing the Heimdal -> MIT
> >> > work then we can get there faster.
> >> >
> >> > Cheers,
> >> >
> >> >         Jeremy.
> >>
> >> I'd also encourage you to take a look at the Fedora "rawhide"
> >> bundles, for tracing of changed components for RPM. And if you like,
> >> you might even take a look at my DC enabled ports over at
> >> https://github.com/nkadel/samba4repo and
> >> https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >
> >
