[Samba] logging lines in krb5.conf

Jason Keltz jas at eecs.yorku.ca
Mon Oct 5 20:47:36 UTC 2020


On 10/5/2020 4:16 PM, Rowland penny via samba wrote:
> On 05/10/2020 21:05, Jason Keltz via samba wrote:
>> On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
>>
>>> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>>>
>>>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>>>
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I'm glad you brought that up.  This is a piece of the puzzle I 
>>>>>> have been very confused with.  I'm not using the Samba from 
>>>>>> CentOS/RHEL, but a custom compiled one (latest 4.11.13).   As 
>>>>>> CentOS uses MIT Kerberos by default, am I not automatically using 
>>>>>> MIT Krb5 on the server in the mode you describe as 
>>>>>> "Experimental"?   Is Samba re-implementing the Heimdal-based 
>>>>>> Kerberos, or using the system Kerberos? Do I have a choice? And 
>>>>>> if my system doesn't use Heimdal and only has MIT Krb5 libraries, 
>>>>>> isn't that what would be used? Here's the ldd on the samba 
>>>>>> binary...
>>>>>
>>>>> It depends on how you actually built Samba, did you pass 
>>>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>>>
>>>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>>>
>>>>> Rowland 
>>>>
>>>> Hi Rowland,
>>>>
>>>> Our auto build system is compiling with this:
>>>>
>>>>                  --with-acl-support
>>>>                  --with-piddir=/run
>>>>                  --with-configdir=/etc/samba
>>>>                  --with-statedir=/local/samba/locks
>>>>                  --with-cachedir=/local/samba/cache
>>>>                  --with-lockdir=/local/samba/lock
>>>>                  --with-privatedir=/local/samba/private
>>>>                  --with-sockets-dir=/run
>>>>                  --with-privileged-socket-dir=/var/lib
>>>>                  --with-logfilebase=/local/log
>>>>                  --with-syslog
>>>>
>>>> However,
>>>>
>>>>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>>>    HAVE_LIBKADM5SRV_MIT
>>>
>>> Strange, do you have the OS Samba packages installed as well ?
>>>
>>> It has been some time since I tested using MIT as the kdc and you are 
>>> supposed to pass '--with-system-mitkrb5 
>>> --with-experimental-mit-ad-dc' to configure, otherwise Heimdal is 
>>> used. You do not seem to have done this, but your version of smbd 
>>> seems to have been built with MIT. How did you build Samba ? Was it 
>>> the standard 'configure' (with options as above), 'make' and 'make 
>>> install', or do you build packages with a 'spec' file ?
>>>
>>>>
>>>> I'd like to believe that the Kerberos implementation with Samba 
>>>> could run independent of the O/S one, but I suspect that if you 
>>>> have MIT Kerberos, it's going to compile with that?
>>>
>>> It is possible to build Samba on Centos using Heimdal (there are a 
>>> couple of users that supply rpms or instructions on how to do this, 
>>> but only for Centos 7).
>>
>> Hi Rowland,
>>
>> I've been looking at the compile trying to figure out how the MIT 
>> Kerberos option was added in.  Right now, I can't figure out why, but 
>> I will eventually.  I compiled using the same options directly from 
>> the command line, and it builds with embedded Kerberos.  Very 
>> puzzling.  However, the truth is, the server has been very stable.  
>> It's been working with our Windows systems for quite some time, and 
>> in testing working on Linux systems as well.
>>
>> I'd like to understand if it would be possible under CentOS 7 not 
>> just to run Samba with Heimdal Kerberos, but to run it as an Active 
>> Directory Domain Controller with Heimdal Kerberos without losing any 
>> of the functionality that I have now in terms of Windows or Linux 
>> clients (e.g. secure krb5 NFS mounts) that I'm getting because of the 
>> MIT options compiled into my install.   Can you help me to understand 
>> why, if Samba has its own embedded Heimdal Kerberos that doesn't 
>> depend on the O/S Kerberos implementation at all, it is so 
>> important for Samba to have an MIT Kerberos implementation?   There 
>> is a whole lot of interest in that from what I can understand, and I 
>> just want to clearly understand why.  From what I thought I 
>> understood, you could not have an AD-DC on CentOS 7 without those 
>> options, but now it's not so clear.
>>
>> Jason.
>>
>>
> Perhaps reading this will help:
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC 


Actually, thanks, but I've read that multiple times.  What I don't 
understand (because I guess I'm new to Kerberos) is the level of system 
integration missing by not having Samba using MIT Kerberos on CentOS 7.  
So far, there hasn't been anything I've wanted to do that I can't do. 
The page talks about what's supported under the experimental MIT 
mode, but not what you miss out on by not using it when you're using 
Heimdal.

Jason.
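The check Rowland suggests ('smbd -b | grep HAVE_LIBKADM5SRV_MIT') and the two configure flags the wiki requires for an MIT KDC can be turned into a small consistency check, so that a build whose configure flags and build markers disagree (the situation in this thread) is flagged automatically. The script below is an added example, not code from the thread or from the Samba project; the shape of the 'smbd -b' output is approximated from memory and the sample dumps are constructed, so run it against a real 'smbd -b > file' capture to check your own build.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): decide whether a Samba
# build uses the MIT or the bundled Heimdal Kerberos from the "smbd -b"
# build-options dump, and compare that with the configure flags used.

# krb5_backend_from_build FILE
#   FILE holds the captured output of "smbd -b". Prints "mit" when the
#   HAVE_LIBKADM5SRV_MIT marker (the one Rowland grepped for) is present,
#   "heimdal" otherwise.
krb5_backend_from_build() {
    if grep -q '^[[:space:]]*HAVE_LIBKADM5SRV_MIT[[:space:]]*$' "$1"; then
        echo mit
    else
        echo heimdal
    fi
}

# configure_requests_mit "CONFIGURE FLAGS..."
#   Returns 0 only when both flags the wiki names for an MIT KDC build,
#   --with-system-mitkrb5 and --with-experimental-mit-ad-dc, are present.
configure_requests_mit() {
    case " $1 " in
        *" --with-system-mitkrb5 "*)
            case " $1 " in
                *" --with-experimental-mit-ad-dc "*) return 0 ;;
            esac ;;
    esac
    return 1
}

# build_matches_flags FLAGS FILE
#   Prints "consistent" when the configure flags and the smbd -b dump agree
#   on the Kerberos backend, "mismatch" when they do not (for example no MIT
#   flags passed, yet HAVE_LIBKADM5SRV_MIT reported by the binary).
build_matches_flags() {
    backend=$(krb5_backend_from_build "$2")
    if configure_requests_mit "$1"; then want=mit; else want=heimdal; fi
    if [ "$backend" = "$want" ]; then echo consistent; else echo mismatch; fi
}

# Constructed sample dumps (layout of "smbd -b" approximated, not real captures).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/mit.txt" <<'EOF'
Build environment:
   Built by:    build at buildhost
Build options:
   HAVE_LIBKADM5SRV_MIT
   HAVE_SYSLOG
EOF
cat > "$SAMPLE_DIR/heimdal.txt" <<'EOF'
Build environment:
   Built by:    build at buildhost
Build options:
   HAVE_SYSLOG
EOF

# Flag sets: a subset of the list from the thread, and one that asks for MIT.
JASON_FLAGS="--with-acl-support --with-piddir=/run --with-syslog"
MIT_FLAGS="--with-system-mitkrb5 --with-experimental-mit-ad-dc --with-syslog"

echo "thread flags vs. MIT-marked build: $(build_matches_flags "$JASON_FLAGS" "$SAMPLE_DIR/mit.txt")"
echo "MIT flags vs. MIT-marked build:    $(build_matches_flags "$MIT_FLAGS" "$SAMPLE_DIR/mit.txt")"
```

On a real system replace the constructed files with 'smbd -b > /tmp/smbd-b.txt' and pass your build system's actual configure line; a "mismatch" result is the cue to look at how the spec file or build wrapper is injecting flags, or at whether an OS Samba package is shadowing the custom binary.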

