[Samba] Current status of MIT5 Kerberos fork.
Sérgio Basto
sergio at serjux.com
Wed Aug 3 21:02:43 UTC 2022
On Wed, 2022-08-03 at 21:59 +0100, Rowland Penny via samba wrote:
> On Thu, 2022-08-04 at 08:47 +1200, Andrew Bartlett wrote:
> > On Wed, 2022-08-03 at 08:05 +0100, Rowland Penny via samba wrote:
> > > On Wed, 2022-08-03 at 09:50 +0300, Sami Hulkko via samba wrote:
> > > > Hi,
> > > >
> > > > The information on Samba Wiki for MIT Kerberos related fork is
> > > > from
> > > > 4.7.
> > > > Is there anywhere information available for the current status?
> > >
> > > It isn't really a fork, it is just a different way of configuring
> > > the
> > > build and, while there have been a few updates, using a MIT based
> > > Samba
> > > DC is still considered experimental. Do not use one in
> > > production,
> > > only
> > > use one for testing purposes.
> > >
> > > Rowland
> >
> > While the above is our correct official statement (and covers in
> > particular how much promise we give on any security issues, because
> > some of those have to be fixed in both places which is difficult),
> > since the efforts over Dec->Feb this year, things are much
> > better.
> >
> > Extensive testsuites were written and they mostly pass, so there
> > can
> > be
> > some increased comfort if MIT Kerberos is an organisational
> > requirement.
> >
> > There is no RODC support in the MIT KDC.
> >
> > Andrew Bartlett
>
> This wikipage:
>
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
> States that using MIT is experimental, it also lists these
> limitations:
>
> Samba DCs with MIT Kerberos KDC currently do not support:
>
> PKINIT support required for using smart cards
> Service for User to Self-service (S4U2self)
> Service for User to Proxy (S4U2proxy)
> Running as a Read only domain controller (RODC)
> Authentication Audit logging
> Computer GPO's are not applied, see Bug 13516
>
IMHO , no support of GPO's are the biggest showstopper
> Have any of these changed and can they be removed from the list ?
>
> Rowland
>
>
>
>
--
Sérgio M. B.
More information about the samba
mailing list