[Samba] logging lines in krb5.conf

Rowland penny rpenny at samba.org
Mon Oct 5 18:52:45 UTC 2020 

On 05/10/2020 19:29, Jason Keltz via samba wrote:
>
> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>
>>> Hi Roland,
>>>
>>> I'm glad you brought that up.  This is a piece of the puzzle I have 
>>> been very confused with.  I'm not using the Samba from CentOS/RHEL, 
>>> but a custom compiled one (latest 4.11.13).   As CentOS uses MIT 
>>> Kerberos by default, am I not automatically using MIT Krb5 on the 
>>> server in the mode you describe as "Experimental"?   Is Samba 
>>> re-implenting the Heimdal based Kerberos, or using the system 
>>> Kerberos? Do I have a choice? And If my system doesn't use Heimdel 
>>> and only has MIT Krb5 libraries, isn't that  what would be used?  
>>> Here's the ldd on the samba binary...
>>
>> It depends on how you actually built Samba, did you pass 
>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>
>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>
>> Rowland 
>
> Hi Rowland,
>
> Our auto build system is compiling with this:
>
>                  --with-acl-support
>                  --with-piddir=/run
>                  --with-configdir=/etc/samba
>                  --with-statedir=/local/samba/locks
>                  --with-cachedir=/local/samba/cache
>                  --with-lockdir=/local/samba/lock
>                  --with-privatedir=/local/samba/private
>                  --with-sockets-dir=/run
>                  --with-privileged-socket-dir=/var/lib
>                  --with-logfilebase=/local/log
>                  --with-syslog
>
> However,
>
>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>    HAVE_LIBKADM5SRV_MIT

Strange, do you the OS Samba packages installed as well ?

It has been sometime since I tested using MIT as the kdc and you are 
supposed to pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' 
to configure, otherwise Heimdal is used. You do not seem to have done 
this, but your version of smbd seems to have been built with MIT. How 
did you build Samba ? Was it the standard 'configure' (with options as 
above), 'make' and 'make install', or do you build packages with a 
'spec' file ?

>
> I'd like to believe that the Kerberos implementation with Samba could 
> run independent of the O/S one, but I suspect that if you have MIT 
> Kerberos, it's going to compile with that?

It is possible to build Samba on Centos using Heimdal (there are a 
couple of users that supply rpms or instructions on how to do this, but 
only for Centos 7).

Rowland

More information about the samba mailing list