[Samba] logging lines in krb5.conf

Rowland penny rpenny at samba.org
Mon Oct 5 20:16:31 UTC 2020


On 05/10/2020 21:05, Jason Keltz via samba wrote:
> On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
>
>> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>>
>>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>>
>>>>> Hi Rowland,
>>>>>
>>>>> I'm glad you brought that up.  This is a piece of the puzzle I 
>>>>> have been very confused with.  I'm not using the Samba from 
>>>>> CentOS/RHEL, but a custom compiled one (latest 4.11.13).   As 
>>>>> CentOS uses MIT Kerberos by default, am I not automatically using 
>>>>> MIT Krb5 on the server in the mode you describe as "Experimental"? 
>>>>> Is Samba re-implementing the Heimdal based Kerberos, or using the 
>>>>> system Kerberos? Do I have a choice? And if my system doesn't use 
>>>>> Heimdal and only has MIT Krb5 libraries, isn't that what would be 
>>>>> used? Here's the ldd on the samba binary...
>>>>
>>>> It depends on how you actually built Samba, did you pass 
>>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>>
>>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>>
>>>> Rowland 
>>>
>>> Hi Rowland,
>>>
>>> Our auto build system is compiling with this:
>>>
>>>                  --with-acl-support
>>>                  --with-piddir=/run
>>>                  --with-configdir=/etc/samba
>>>                  --with-statedir=/local/samba/locks
>>>                  --with-cachedir=/local/samba/cache
>>>                  --with-lockdir=/local/samba/lock
>>>                  --with-privatedir=/local/samba/private
>>>                  --with-sockets-dir=/run
>>>                  --with-privileged-socket-dir=/var/lib
>>>                  --with-logfilebase=/local/log
>>>                  --with-syslog
>>>
>>> However,
>>>
>>>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>>    HAVE_LIBKADM5SRV_MIT
>>
>> Strange, do you have the OS Samba packages installed as well ?
>>
>> It has been some time since I tested using MIT as the kdc and you are 
>> supposed to pass '--with-system-mitkrb5 
>> --with-experimental-mit-ad-dc' to configure, otherwise Heimdal is 
>> used. You do not seem to have done this, but your version of smbd 
>> seems to have been built with MIT. How did you build Samba ? Was it 
>> the standard 'configure' (with options as above), 'make' and 'make 
>> install', or do you build packages with a 'spec' file ?
>>
>>>
>>> I'd like to believe that the Kerberos implementation with Samba 
>>> could run independent of the O/S one, but I suspect that if you have 
>>> MIT Kerberos, it's going to compile with that?
>>
>> It is possible to build Samba on CentOS using Heimdal (there are a 
>> couple of users that supply rpms or instructions on how to do this, 
>> but only for CentOS 7).
>
> Hi Rowland,
>
> I've been looking at the compile trying to figure out how the MIT 
> Kerberos option was added in.  Right now, I can't figure out why, but 
> I will eventually.  I compiled using the same options directly from 
> the command line, and it builds with embedded Kerberos.  Very 
> puzzling.  However, the truth is, the server has been very stable.  
> It's been working with our Windows systems for quite some time, and in 
> testing working on Linux systems as well.
>
> I'd like to understand if it would be possible under CentOS 7 not just 
> to run Samba with Heimdal Kerberos - but to run it as an Active 
> Directory Domain Controller  with Heimdal Kerberos without losing any 
> of the functionality that I have now in terms of Windows or Linux 
> clients (eg. secure krb5 NFS mounts) that I'm getting because of the 
> MIT options compiled into my install.   Can you help me to understand 
> why, if Samba has its own embedded Heimdal Kerberos that doesn't 
> depend on the O/S Kerberos implementation at all, then why is it so 
> important for Samba to have an MIT Kerberos implementation?   There is 
> a whole lot of interest in that from what I can understand, and I just 
> want to clearly understand why.  From what I thought I understood, you 
> could not have an AD-DC on CentOS 7 without those options, but now 
> it's not so clear.
>
> Jason.
>
>
Perhaps reading this will help:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Rowland




