[Samba] logging lines in krb5.conf

[Jason Keltz]

On 10/5/2020 2:52 PM, Rowland penny via samba wrote:

> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>
>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>
>>>> Hi Roland,
>>>>
>>>> I'm glad you brought that up.  This is a piece of the puzzle I have 
>>>> been very confused with.  I'm not using the Samba from CentOS/RHEL, 
>>>> but a custom compiled one (latest 4.11.13).   As CentOS uses MIT 
>>>> Kerberos by default, am I not automatically using MIT Krb5 on the 
>>>> server in the mode you describe as "Experimental"?   Is Samba 
>>>> re-implenting the Heimdal based Kerberos, or using the system 
>>>> Kerberos? Do I have a choice? And If my system doesn't use Heimdel 
>>>> and only has MIT Krb5 libraries, isn't that  what would be used? 
>>>> Here's the ldd on the samba binary...
>>>
>>> It depends on how you actually built Samba, did you pass 
>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>
>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>
>>> Rowland 
>>
>> Hi Rowland,
>>
>> Our auto build system is compiling with this:
>>
>>                  --with-acl-support
>>                  --with-piddir=/run
>>                  --with-configdir=/etc/samba
>>                  --with-statedir=/local/samba/locks
>>                  --with-cachedir=/local/samba/cache
>>                  --with-lockdir=/local/samba/lock
>>                  --with-privatedir=/local/samba/private
>>                  --with-sockets-dir=/run
>>                  --with-privileged-socket-dir=/var/lib
>>                  --with-logfilebase=/local/log
>>                  --with-syslog
>>
>> However,
>>
>>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>    HAVE_LIBKADM5SRV_MIT
>
> Strange, do you the OS Samba packages installed as well ?
>
> It has been sometime since I tested using MIT as the kdc and you are 
> supposed to pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc' 
> to configure, otherwise Heimdal is used. You do not seem to have done 
> this, but your version of smbd seems to have been built with MIT. How 
> did you build Samba ? Was it the standard 'configure' (with options as 
> above), 'make' and 'make install', or do you build packages with a 
> 'spec' file ?
>
>>
>> I'd like to believe that the Kerberos implementation with Samba could 
>> run independent of the O/S one, but I suspect that if you have MIT 
>> Kerberos, it's going to compile with that?
>
> It is possible to build Samba on Centos using Heimdal (there are a 
> couple of users that supply rpms or instructions on how to do this, 
> but only for Centos 7).

Hi Rowland,

I've been looking at the compile trying to figure out how the MIT 
Kerberos option was added in.  Right now, I can't figure out why, but I 
will eventually.  I compiled using the same options directly from the 
command line, and it builds with embedded Kerberos.  Very puzzling.  
However, the truth is, the server has been very stable.  It's been 
working with our Windows systems for quite some time, and in testing 
working on Linux systems as well.

I'd like to understand if it would be possible under CentOS 7 not just 
to run Samba with Heimdal Kerberos - but to run it as an Active 
Directory Domain Controller  with Heimdal Kerberos without losing any of 
the functionality that I have now in terms of Windows or Linux clients 
(eg. secure krb5 NFS mounts) that I'm getting because of the MIT options 
compiled into my install.   Can you help me to understand why, if Samba 
has its own embedded Heimdal Kerberos that doesn't depend on the O/S 
Kerberos implementation at all, then why is it so important for Samba to 
have an MIT Kerberos implementation?   There is a whole lot of interest 
in that from what I can understand, and I just want to clearly 
understand why.  From what I thought I understood, you could not have an 
AD-DC on CentOS 7 without those options, but now it's not so clear.

Jason.