[Samba] Heimdal Kerberos in Samba4

Jeff Sadowski jeff.sadowski at gmail.com
Fri Jul 29 04:13:41 UTC 2016


I would like to start testing this? I saw a few months back Alexander
Bokovoy released a build for F23 and I started using that. Now that F24 is
out I have to look for a way to upgrade. Is there a build for rawhide with
this? The standard samba-ad package for rawhide that I install still doesn't
come with samba-tool. And compiling samba 4.4.5 with-mit-krb5
automatically disables AD support, it seems, as samba-tool is missing unless
I remove that option. Is this going to be fixed in 4.5.0? Should I download
the source code for 4.5.0 and do I need a bunch of patches that I get
somewhere? I'm a regular Fedora user and I am having difficulties seeing
how to put this all together.

On Sun, Jul 24, 2016 at 11:38 PM, Nico Kadel-Garcia <nkadel at gmail.com>
wrote:

> On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
> >> Hi List,
> >>
> >> I do my best to ask my question in english. ;-)
> >>
> >> Samba4 integrated heimdal kerberos to do the kerberos work for
> >> Active Directory. Some Linux Distributions like fedora/RedHat and
> >> openSUSE/SUSE don't accept heimdal even if it is shipped inside
> >> samba.
> >>
> >> Their argument is that heimdal isn't maintained since 2012.
> >> Compiling samba against MIT krb5 results in Samba-Packages without
> >> AD.
> >>
> >> Result: Active Directory is impossible with the distribution
> >> packages of samba with the above mentioned Linux distributions.
> >>
> >> Fedoras way to solve this is:
> >>
> >> "We are intending to make possible use of AD DC functionality with
> >> MIT Kerberos but this is longer term project that requires
> >> cooperation between Samba, MIT, and FreeIPA."
> >> which means never, in my opinion.
> >
> > No you're wrong about that. Andreas, Guenther and Alexander
> > at Redhat are working diligently every day towards this. We're planning
> > to get to that sooner rather than later.
> >
> >> My questions:
> >>
> >> Is the heimdal code inside of samba4 maintained by the samba team or
> >> is this unmaintained static code?
> >
> > Maintained. If it's in Samba we are responsible.
> > Once it's working with MIT we'll eventually remove
> > it from our tree though.
>
> I really wish you luck with that, because it's been an ongoing problem
> in Fedora. The Red Hat personnel I personally met working with
> Kerberos were pretty tightly focused on SSSD, which seems to me to be
> a fairly silly re-implementation of what Samba already does more
> broadly and more consistently.
>
> >> Are there considerations about using MIT krb5 inside samba4 instead
> >> of heimdal?
> >
> > Talk to Andreas, Guenther and Alexander for the latest.
> >
> >> The intention of our project "invis-server" is to bring samba 4 with
> >> AD DC functionality into openSUSE. Therefore we need arguments for
> >> the coming discussion.
> >
> > Hurrah ! I'm really glad to hear this ! If you could
> > coordinate with the people doing the Heimdal -> MIT
> > work then we can get there faster.
> >
> > Cheers,
> >
> >         Jeremy.
>
> I'd also encourage you to take a look at the Fedora "rawhide"
> bundles, for tracing of changed components for RPM. And if you like,
> you might even take a look at my DC enabled ports over at
> https://github.com/nkadel/samba4repo and
> https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5
>