[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Andrew Bartlett abartlet at samba.org
Wed Feb 1 08:11:49 UTC 2023

On Tue, 2023-01-31 at 20:15 -0500, Mark Foley via samba wrote:
> Questions:
> Given my download and installation of MIT Kerberos 1.11.6 on my 
> Heimdal-Samba DC, what Kerberos am I now running (there's no --version 
> option for kinit)? 

Samba doesn't provide a kinit (we build but don't install a
samba4kinit) so this will be MIT.

> Did the MIT Kerberos installation clobber some of the 
> Samba-Heimdal Kerberos files? 


> Are the Kerberoses completely/physically 
> separate? 

Yes, pretty much.

> Is the MIT Kerberos simply being ignored by Samba and can I 
> just uninstall it? 

Other bits of your system may be using it.

> Note that I upgraded Samba to 4.8.2 two years AFTER 
> installing the MIT Kerberos, so maybe it clobbered MIT.
> When I upgrade my Slackware from 14.2 to 15.0, should I inhibit 
> installing their packages of Samba and possibly also their MIT Kerberos? 

That depends on if you want their package of Samba, and how it was

> If so, should I then download and build Samba from sources at samba.org?
> Given that Samba has Heimdal Kerberos built in, should I skip 
> downloading and installing any Kerberos package?

No, you probably want a system Kerberos, Samba just won't use those
libraries.  Tools like kinit are helpful.

> I wonder if the PAM package depends on the MIT Kerberos, or should PAM 
> work with any Kerberos?

You should not fear Kerberos, and while you are unlikely to use
pam_krb5 or similar in your install, don't break things to avoid this.

> OR ... I can roll the dice and take my chances with "experimental" MIT 
> Kerberos and not worry about uninstalling, downloading, building and 
> installing anything! There's something also risky about going outside 
> the package suite vetted by the distro developers.

That just chooses who rolls the dice, honestly.  Or pay SerNet for
Samba Plus packages, in turn supporting their work.

> (As an aside, IMO if all or most distros are shipping with MIT Kerberos 
> now, as previously mentioned in this thread, perhaps the Samba folks 
> should make an effort to confirm MIT and move it out of the experimental 
> category.)

The effort has been significant so far.  An incredible number of tests
have been written, however the mythical "Samba folks" who just have
free time to do this don't exist - the level of integration we have is
enough for those who got the effort so far, and the rest depends on
(bluntly, given the scale) commercial funding to Samba support
providers or the commercial interests of Samba distributors (who did
the work so far). 

The folks who use Samba in production and fund the development so far
use the production Kerberos server.

> And a non-Kerberos question:
> My DC was initially provisioned with --dns-backend=BIND9_FLATFILE. The 
> wiki https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends says, 
> "Do not use the BIND9_FLATFILE DNS back end. It is not supported and 
> will be formally deprecated when 4.11.0 is released and removed at 4.12.0."
> So, can I even use my current (4.8.2) configs when I upgrade to 4.15.x?

It will remain as broken as it was, but don't do that.  We make the
domain join reliable by putting DNS entries in over RPC and LDAP during
the join, if you don't use a Samba DNS server then that won't help.

Andrew Bartlett

Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
