[Samba] Current status of MIT5 Kerberos fork.

Sérgio Basto sergio at serjux.com
Wed Aug 3 21:02:43 UTC 2022


On Wed, 2022-08-03 at 21:59 +0100, Rowland Penny via samba wrote:
> On Thu, 2022-08-04 at 08:47 +1200, Andrew Bartlett wrote:
> > On Wed, 2022-08-03 at 08:05 +0100, Rowland Penny via samba wrote:
> > > On Wed, 2022-08-03 at 09:50 +0300, Sami Hulkko via samba wrote:
> > > > Hi,
> > > > 
> > > > The information on Samba Wiki for MIT Kerberos related fork is from 4.7.
> > > > Is there anywhere information available for the current status?
> > > 
> > > It isn't really a fork, it is just a different way of configuring the
> > > build and, while there have been a few updates, using a MIT based Samba
> > > DC is still considered experimental. Do not use one in production, only
> > > use one for testing purposes.
> > > 
> > > Rowland
> > 
> > While the above is our correct official statement (and covers in
> > particular how much promise we give on any security issues, because
> > some of those have to be fixed in both places which is difficult),
> > since the efforts over Dec->Feb this year, things are much
> > better.  
> > 
> > Extensive testsuites were written and they mostly pass, so there can be
> > some increased comfort if MIT Kerberos is an organisational requirement.
> > 
> > There is no RODC support in the MIT KDC.
> > 
> > Andrew Bartlett
> 
> This wikipage:
> 
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> 
> States that using MIT is experimental, it also lists these
> limitations:
> 
> Samba DCs with MIT Kerberos KDC currently do not support:
> 
>     PKINIT support required for using smart cards
>     Service for User to Self-service (S4U2self)
>     Service for User to Proxy (S4U2proxy)
>     Running as a Read only domain controller (RODC)
>     Authentication Audit logging
>     Computer GPO's are not applied, see Bug 13516
> 

IMHO, no support for GPOs is the biggest showstopper.


> Have any of these changed and can they be removed from the list ?
> 
> Rowland
> 
> 
> 
> 

-- 
Sérgio M. B.


