[Samba] logging lines in krb5.conf
Jason Keltz
jas at eecs.yorku.ca
Mon Oct 5 20:05:30 UTC 2020
On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>
>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>
>>>> Hi Rowland,
>>>>
>>>> I'm glad you brought that up. This is a piece of the puzzle I have
>>>> been very confused with. I'm not using the Samba from CentOS/RHEL,
>>>> but a custom compiled one (latest 4.11.13). As CentOS uses MIT
>>>> Kerberos by default, am I not automatically using MIT Krb5 on the
>>>> server in the mode you describe as "Experimental"? Is Samba
>>>> re-implementing the Heimdal based Kerberos, or using the system
>>>> Kerberos? Do I have a choice? And if my system doesn't use Heimdal
>>>> and only has MIT Krb5 libraries, isn't that what would be used?
>>>> Here's the ldd on the samba binary...
>>>
>>> It depends on how you actually built Samba, did you pass
>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>
>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>
>>> Rowland
>>
>> Hi Rowland,
>>
>> Our auto build system is compiling with this:
>>
>> --with-acl-support
>> --with-piddir=/run
>> --with-configdir=/etc/samba
>> --with-statedir=/local/samba/locks
>> --with-cachedir=/local/samba/cache
>> --with-lockdir=/local/samba/lock
>> --with-privatedir=/local/samba/private
>> --with-sockets-dir=/run
>> --with-privileged-socket-dir=/var/lib
>> --with-logfilebase=/local/log
>> --with-syslog
>>
>> However,
>>
>>> % smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>> HAVE_LIBKADM5SRV_MIT
>
> Strange, do you have the OS Samba packages installed as well ?
>
> It has been some time since I tested using MIT as the kdc and you are
> supposed to pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc'
> to configure, otherwise Heimdal is used. You do not seem to have done
> this, but your version of smbd seems to have been built with MIT. How
> did you build Samba ? Was it the standard 'configure' (with options as
> above), 'make' and 'make install', or do you build packages with a
> 'spec' file ?
>
>>
>> I'd like to believe that the Kerberos implementation with Samba could
>> run independent of the O/S one, but I suspect that if you have MIT
>> Kerberos, it's going to compile with that?
>
> It is possible to build Samba on CentOS using Heimdal (there are a
> couple of users that supply rpms or instructions on how to do this,
> but only for CentOS 7).

Hi Rowland,

I've been looking at the compile trying to figure out how the MIT
Kerberos option was added in. Right now, I can't figure out why, but I
will eventually. I compiled using the same options directly from the
command line, and it builds with embedded Kerberos. Very puzzling.

However, the truth is, the server has been very stable. It's been
working with our Windows systems for quite some time, and in testing
working on Linux systems as well.

I'd like to understand if it would be possible under CentOS 7 not just
to run Samba with Heimdal Kerberos - but to run it as an Active
Directory Domain Controller with Heimdal Kerberos without losing any of
the functionality that I have now in terms of Windows or Linux clients
(eg. secure krb5 NFS mounts) that I'm getting because of the MIT options
compiled into my install. Can you help me to understand why, if Samba
has its own embedded Heimdal Kerberos that doesn't depend on the O/S
Kerberos implementation at all, then why is it so important for Samba to
have an MIT Kerberos implementation? There is a whole lot of interest
in that from what I can understand, and I just want to clearly
understand why. From what I thought I understood, you could not have an
AD-DC on CentOS 7 without those options, but now it's not so clear.

Jason.