[Samba] Current status of MIT5 Kerberos fork.

Andrew Bartlett abartlet at samba.org
Wed Aug 3 22:04:48 UTC 2022


On Wed, 2022-08-03 at 22:02 +0100, Sérgio Basto via samba wrote:
> On Wed, 2022-08-03 at 21:59 +0100, Rowland Penny via samba wrote:
> > On Thu, 2022-08-04 at 08:47 +1200, Andrew Bartlett wrote:
> > > On Wed, 2022-08-03 at 08:05 +0100, Rowland Penny via samba wrote:
> > > > On Wed, 2022-08-03 at 09:50 +0300, Sami Hulkko via samba wrote:
> > > > > Hi,
> > > > > 
> > > > > The information on Samba Wiki for MIT Kerberos related fork is from 4.7.
> > > > > Is there anywhere information available for the current status?
> > > > 
> > > > It isn't really a fork, it is just a different way of configuring the
> > > > build and, while there have been a few updates, using a MIT based Samba
> > > > DC is still considered experimental. Do not use one in production, only
> > > > use one for testing purposes.
> > > > 
> > > > Rowland
> > > 
> > > While the above is our correct official statement (and covers in
> > > particular how much promise we give on any security issues, because
> > > some of those have to be fixed in both places which is difficult),
> > > since the efforts over Dec->Feb this year, things are much better.
> > > 
> > > Extensive testsuites were written and they mostly pass, so there can be
> > > some increased comfort if MIT Kerberos is an organisational requirement.
> > > 
> > > There is no RODC support in the MIT KDC.
> > > 
> > > Andrew Bartlett
> > 
> > This wikipage:
> > 
> > https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> > 
> > States that using MIT is experimental, it also lists these limitations:
> > 
> > Samba DCs with MIT Kerberos KDC currently do not support:
> > 
> >     PKINIT support required for using smart cards
> >     Service for User to Self-service (S4U2self)
> >     Service for User to Proxy (S4U2proxy)
> >     Running as a Read only domain controller (RODC)
> >     Authentication Audit logging
> >     Computer GPO's are not applied, see Bug 13516
> > 
> 
> IMHO, no support of GPOs is the biggest showstopper

Given all the other things now pinned down with tests, this might have
been fixed while fixing other things.  It was always a strange bug.

Testing this manually would be really good.

Andrew Bartlett



-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
