[Samba] Upgrading from Samba 4.8.2 to 4.15.5

Rowland Penny rpenny at samba.org
Sun Jan 29 19:25:31 UTC 2023 


On 29/01/2023 18:58, Mark Foley via samba wrote:
> I am torn between using Heimdal and MIT. On the one hand, I really like 
> to use the packages supplied by the distro with as little 
> "customization" as possible, which in my case would be MIT. On the other 
> hand, my initial DC deployment using Slackware 14.1 back in 2014 
> apparently did use Heimdal. And it appears that Heimdal is the 
> recommended kerberos by Samba.

I can only advise, whether you follow my advice is up to you.

 From my understanding, Samba when trying to emulate an AD domain tried 
to use MIT for the DC's (note: it is only relevant on the DC's what 
kerberos is used, on the clients you can use either), but there were 
lots of problems. Not sure when Heimdal came into the mix, but it was 
soon chosen as the kerberos for the KDC, though work carried on to 
attempt to use MIT instead.
If you use a Heimdal based Samba, then everything is expected to work 
(bugs allowing), but there will be problems using a MIT based Samba, 
that is why it is marked 'experimental'

My advice would be, if you are going to continue to use Slackware, build 
Samba yourself using the builtin Heimdal.

> 
> For reasons explained earlier, include not using the 
> --dns-backend=BIND9_FLATFILE which is apparently obsoleted, I am going 
> to attempt to set up another DC using the latest Slackware 15.0 distro. 
> I will find out how to transfer all the FSMO roles to this new DC, then 
> decommission the old one.

Ah, that I can help you with, Very easy, just use 'samba-tool fsmo transfer'

> 
> I will go ahead and attempt to use the Heimdal kerberos if possible. 
> However, the instructions
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos just start with, "Set the following settings in your Kerberos client configuration file /etc/krb5.conf", nothing about choosing which kerberos. Before I get too deep into this, how do I specify using Heimdal on a system that comes with MIT?

As I said, if you build Samba yourself, it should just build with 
Heimdal, you have to use an explicit './configure' option 
(--with-experimental-mit-ad-dc) to use MIT.

The distros that supply Samba AD DC packages that use MIT, must be using 
that option, but they do not seem to tell anyone that their packages are 
classed as experimental when it comes to provisioning an AD domain.

Rowland

More information about the samba mailing list