[Samba] RHEL, Fedora and the MIT kerberos backend (was: Re: RHEL7/Centos7 with Samba AD)

Andrew Bartlett abartlet at samba.org
Thu Dec 6 19:56:49 UTC 2018


On Thu, 2018-12-06 at 14:11 -0500, Vincent S. Cojot via samba wrote:
> Hi All,
> 
> I know RHEL has bad press here, but I'd like to share a different opinion 
> (works for me) and maybe share some of my settings.
> BTW, those views are my own, not those of my employer.
> 
> I run a small AD at home. The setup is as follows:
> - two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on 
> SPECs from TranquilIT/Fedora).

To be clear, Tranquil IT use the internal Heimdal Kerberos.  That is
what all the 'bad press' about using Fedora for the AD DC is about.
Also, many assumed that the packages in Fedora would go directly to
RHEL as a supported feature, but they made it clear that this won't
happen with this statement:

https://bugzilla.redhat.com/show_bug.cgi?id=910464

I'm sad they are not shipping it, not just for the validation, but
because the distribution model of support subscriptions could really
have helped fill in some of our documentation holes and rough edges.  

Red Hat made an amazing effort to get Samba to totally switch the
Kerberos implementation on which it is based over to MIT.  They have a
strict internal rule not to have two Kerberos implementations, and they
started with MIT and financially back that, ensuring it is maintained. 
It is very good for what they need it for in FreeIPA and the rest of
their distribution.

Sadly the transition for Samba wasn't finished, and the final issues
are just enough to be a real problem in production.  (And the time it
has taken to fix those indicates that there are not the resources for
the Samba Team to promise it as a fully supported feature.)

"
Samba 4.7 and later versions have shipped with code to support building
the Samba AD DC using MIT Kerberos.  Since the time of the release a
number of issues, including security issues, have been found by real-
world use.  However sadly the Samba Team has not been able to resource
the resolution of these issues to a standard that we are happy with,
and so this release marks this mode more clearly as experimental.  

As an experimental feature, we will not be issuing security patches for
this feature, including for:

 S4U2Self crash with MIT KDC build    
 https://bugzilla.samba.org/show_bug.cgi?id=13571

For further information, please see 
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
"

(a non-security patch for this has been issued however, thankfully).

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
