[Samba] logging lines in krb5.conf
Rowland penny
rpenny at samba.org
Mon Oct 5 20:16:31 UTC 2020
On 05/10/2020 21:05, Jason Keltz via samba wrote:
> On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
>
>> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>>
>>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>>
>>>>> Hi Rowland,
>>>>>
>>>>> I'm glad you brought that up. This is a piece of the puzzle I
>>>>> have been very confused with. I'm not using the Samba from
>>>>> CentOS/RHEL, but a custom compiled one (latest 4.11.13). As
>>>>> CentOS uses MIT Kerberos by default, am I not automatically using
>>>>> MIT Krb5 on the server in the mode you describe as "Experimental"?
>>>>> Is Samba re-implementing the Heimdal based Kerberos, or using the
>>>>> system Kerberos? Do I have a choice? And if my system doesn't use
>>>>> Heimdal and only has MIT Krb5 libraries, isn't that what would be
>>>>> used? Here's the ldd on the samba binary...
>>>>
>>>> It depends on how you actually built Samba, did you pass
>>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>>
>>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>>
>>>> Rowland
>>>
>>> Hi Rowland,
>>>
>>> Our auto build system is compiling with this:
>>>
>>> --with-acl-support
>>> --with-piddir=/run
>>> --with-configdir=/etc/samba
>>> --with-statedir=/local/samba/locks
>>> --with-cachedir=/local/samba/cache
>>> --with-lockdir=/local/samba/lock
>>> --with-privatedir=/local/samba/private
>>> --with-sockets-dir=/run
>>> --with-privileged-socket-dir=/var/lib
>>> --with-logfilebase=/local/log
>>> --with-syslog
>>>
>>> However,
>>>
>>>> % smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>> HAVE_LIBKADM5SRV_MIT
>>
>> Strange, do you have the OS Samba packages installed as well ?
>>
>> It has been some time since I tested using MIT as the kdc and you are
>> supposed to pass '--with-system-mitkrb5
>> --with-experimental-mit-ad-dc' to configure, otherwise Heimdal is
>> used. You do not seem to have done this, but your version of smbd
>> seems to have been built with MIT. How did you build Samba ? Was it
>> the standard 'configure' (with options as above), 'make' and 'make
>> install', or do you build packages with a 'spec' file ?
>>
>>>
>>> I'd like to believe that the Kerberos implementation with Samba
>>> could run independent of the O/S one, but I suspect that if you have
>>> MIT Kerberos, it's going to compile with that?
>>
>> It is possible to build Samba on CentOS using Heimdal (there are a
>> couple of users that supply rpms or instructions on how to do this,
>> but only for CentOS 7).
>
> Hi Rowland,
>
> I've been looking at the compile trying to figure out how the MIT
> Kerberos option was added in. Right now, I can't figure out why, but
> I will eventually. I compiled using the same options directly from
> the command line, and it builds with embedded Kerberos. Very
> puzzling. However, the truth is, the server has been very stable.
> It's been working with our Windows systems for quite some time, and in
> testing working on Linux systems as well.
>
> I'd like to understand if it would be possible under CentOS 7 not just
> to run Samba with Heimdal Kerberos - but to run it as an Active
> Directory Domain Controller with Heimdal Kerberos without losing any
> of the functionality that I have now in terms of Windows or Linux
> clients (eg. secure krb5 NFS mounts) that I'm getting because of the
> MIT options compiled into my install. Can you help me to understand
> why, if Samba has its own embedded Heimdal Kerberos that doesn't
> depend on the O/S Kerberos implementation at all, then why is it so
> important for Samba to have an MIT Kerberos implementation? There is
> a whole lot of interest in that from what I can understand, and I just
> want to clearly understand why. From what I thought I understood, you
> could not have an AD-DC on CentOS 7 without those options, but now
> it's not so clear.
>
> Jason.
>
>
Perhaps reading this will help:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
Rowland