[Samba] Heimdal Kerberos in Samba4

Jeff Sadowski jeff.sadowski at gmail.com
Fri Jul 29 04:15:32 UTC 2016


Correction: samba-dc still doesn't come with samba-tool.

On Thu, Jul 28, 2016 at 10:13 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
wrote:

> I would like to start testing this. I saw a few months back Alexander
> Bokovoy released a build for F23 and I started using that. Now that F24
> is out I have to look for a way to upgrade. Is there a build for rawhide
> with this? The standard samba-ad package for rawhide that install still
> doesn't come with samba-tool.  And compiling samba 4.4.5 with-mit-krb5
> automatically disables ad support it seems as samba-tool is missing unless
> I remove that option. Is this going to be fixed in 4.5.0? Should I download
> the source code for 4.5.0 and do I need a bunch of patches that I get
> somewhere? I'm a regular Fedora user and I am having difficulties seeing
> how to put this all together.
>
> On Sun, Jul 24, 2016 at 11:38 PM, Nico Kadel-Garcia <nkadel at gmail.com>
> wrote:
>
>> On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
>> > On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
>> >> Hi List,
>> >>
>> >> I do my best to ask my question in english. ;-)
>> >>
>> >> Samba4 integrated heimdal kerberos to do the kerberos work for
>> >> Active Directory. Some Linux Distributions like fedora/RedHat and
>> >> openSUSE/SUSE don't accept heimdal even if it is shipped inside
>> >> samba.
>> >>
>> >> Their argument is that heimdal isn't maintained since 2012.
>> >> Compiling samba against MIT krb5 results in Samba-Packages without
>> >> AD.
>> >>
>> >> Result: Active Directory is impossible with the Distribution
>> >> packages of samba with the above mentioned Linux distributions.
>> >>
>> >> Fedora's way to solve this is:
>> >>
>> >> "We are intending to make possible use of AD DC functionality with
>> >> MIT Kerberos but this is longer term project that requires
>> >> cooperation between Samba, MIT, and FreeIPA."
>> >> which means never, in my opinion.
>> >
>> > No you're wrong about that. Andreas, Guenther and Alexander
>> > at Redhat are working diligently every day towards this. We're planning
>> > to get to that sooner rather than later.
>> >
>> >> My questions:
>> >>
>> >> Is the heimdal code inside of samba4 maintained by the samba team or
>> >> is this unmaintained static code?
>> >
>> > Maintained. If it's in Samba we are responsible.
>> > Once it's working with MIT we'll eventually remove
>> > it from our tree though.
>>
>> I really wish you luck with that, because it's been an ongoing problem
>> in Fedora. The Red Hat personnel I personally met working with
>> Kerberos were pretty tightly focused on SSSD, which seems to me to be
>> a fairly silly re-implementation of what Samba already does more
>> broadly and more consistently.
>>
>> >> Are there considerations about using MIT krb5 inside samba4 instead
>> >> of heimdal?
>> >
>> > Talk to Andreas, Guenther and Alexander for the latest.
>> >
>> >> The intention of our project "invis-server" is to bring samba 4 with
>> >> AD DC functionality into openSUSE. Therefore we need arguments for
>> >> the coming discussion.
>> >
>> > Hurrah ! I'm really glad to hear this ! If you could
>> > coordinate with the people doing the Heimdal -> MIT
>> > work then we can get there faster.
>> >
>> > Cheers,
>> >
>> >         Jeremy.
>>
>> I'd also encourage you to take a look at the Fedora "rawhide"
>> bundles, for tracing of changed components for RPM. And if you like,
>> you might even take a look at my DC enabled ports over at
>> https://github.com/nkadel/samba4repo and
>> https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5
>>

