[Samba] Heimdal Kerberos in Samba4

Nico Kadel-Garcia nkadel at gmail.com
Mon Jul 25 05:38:44 UTC 2016


On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
>> Hi List,
>>
>> I do my best to ask my question in English. ;-)
>>
>> Samba4 integrated heimdal kerberos to do the kerberos work for
>> Active Directory. Some Linux Distributions like fedora/RedHat and
>> openSUSE/SUSE don't accept heimdal even if it is shipped inside
>> samba.
>>
>> Their argument is that heimdal isn't maintained since 2012.
>> Compiling samba against MIT krb5 results in Samba-Packages without
>> AD.
>>
>> Result: Active Directory is impossible with the Distribution
>> packages of samba with the above mentioned Linux distributions.
>>
>> Fedora's way to solve this is:
>>
>> "We are intending to make possible use of AD DC functionality with
>> MIT Kerberos but this is longer term project that requires
>> cooperation between Samba, MIT, and FreeIPA."
>> which means never, in my opinion.
>
> No you're wrong about that. Andreas, Guenther and Alexander
> at Redhat are working diligently every day towards this. We're planning
> to get to that sooner rather than later.
>
>> My questions:
>>
>> Is the heimdal code inside of samba4 maintained by the samba team or
>> is this unmaintained static code?
>
> Maintained. If it's in Samba we are responsible.
> Once it's working with MIT we'll eventually remove
> it from our tree though.

I really wish you luck with that, because it's been an ongoing problem
in Fedora. The Red Hat personnel I personally met working with
Kerberos were pretty tightly focused on SSSD, which seems to me to be
a fairly silly re-implementation of what Samba already does more
broadly and more consistently.

>> Are there considerations about using MIT krb5 inside samba4 instead
>> of heimdal?
>
> Talk to Andreas, Guenther and Alexander for the latest.
>
>> The intention of our project "invis-server" is to bring samba 4 with
>> AD DC functionality into openSUSE. Therefore we need arguments for
>> the coming discussion.
>
> Hurrah ! I'm really glad to hear this ! If you could
> coordinate with the people doing the Heimdal -> MIT
> work then we can get there faster.
>
> Cheers,
>
>         Jeremy.

I'd also encourage you to take a look at the Fedora "rawhide"
bundles, for tracing of changed components for RPM. And if you like,
you might even take a look at my DC enabled ports over at
https://github.com/nkadel/samba4repo and
https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5


