[Samba] mit-krb5 and heimdal binaries

Robert Marcano robert at marcanoonline.com
Mon Mar 20 14:42:09 UTC 2023


On 3/19/23 2:12 AM, Michael Tokarev via samba wrote:
> Hi!
> 
> I already asked a similar question before, but it keeps popping up in
> different contexts and forms, and the more I use samba myself, the more
> often it comes to me too, especially in the context of using various
> security tokens for auth. And the more I think about all this, the more
> sane it looks to me.
> 
> The thing is: mit-krb5 has much better user-level support than heimdal.
> But samba does not fully support mit-krb5 as an active directory domain
> controller. The AD-DC thing is server-side.

The Samba recommendation is to not use Samba in AD DC mode as a generic
file server, so for that reason, even on pretty small installations (1
server) I build Samba with Heimdal to be used exclusively in a container
and use the distribution-built Samba with MIT Kerberos, without AD, on the
host as a joined server for all file sharing outside a DC role.

Previously I used apt.van-belle.nl, but as those packages aren't available
anymore (thanks to the author for all the time he worked on it), I am
patching Fedora's Samba RPM to build it with Heimdal to be used as a
container image. I am using Fedora as it is the best distribution to get
the latest Samba release possible, something I like on an AD DC, while
still using a RHEL-derived distro on the host.

> 
> I can think of providing two builds of samba for a distribution (eg
> debian/ubuntu), - one implementing the whole ad-dc, as a complete thing,
> using their own set of libs, linked with heimdal. And a usual set of
> more client-side packages, with their own libraries, built against
> mit-krb5. Or maybe some other combination also has its right to be, -
> for example, smbclient built with mit-krb5, the rest is heimdal.
> 
> An essential part of this is that the two sets (built against mit-krb5
> and heimdal) do not share any internal libraries, each has its own
> libraries. This way, there's no "mix" of differently built samba, each
> build uses only its own libs, so there's no clash here. They share the
> same smb.conf though.
> 
> So far, I've seen requests to build two versions of the server (again,
> with mit-krb5 and with heimdal), - and I faced the same issues too. This
> is because a regular AD member server is also good to have mit-krb5
> support to integrate nicely into the auth infrastructure. While for
> ad-dc, it is less often used as an "end-user" server.
> 
> So I can think of a separate samba-ad-dc binary package providing the
> whole samba suite built against heimdal (maybe without smbclient and
> some other minor things), and a samba "file server" binary package
> providing a regular server not suitable to use as an ad-dc, but
> conflicting with samba-ad-dc, so it is not possible to install one
> together with the other.
> 
> This approach also has another good side effect, to discourage usage of
> samba-ad-dc as a regular file server.
> 
> Or maybe the whole thing is moot now, and we can just provide regular
> samba built against mit-krb5 to work as a good AD-DC? That would be the
> best solution IMHO.
> 
> Thanks,
> 
> /mjt
> 
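
Neither message carries code; what follows is an added example, not from
either poster and not from the Samba project. Both builds described above
(the Heimdal AD DC in a container, the distribution MIT build on the host)
only work cleanly if each binary pulls in exactly one Kerberos
implementation, so the script classifies a Samba binary from its `ldd`
output as MIT, Heimdal, both ("mixed", the clash the thread wants packaging
to rule out) or neither. The soname conventions it keys on (MIT
`libkrb5.so.3`; Heimdal `libkrb5.so.26`, with Samba's bundled Heimdal
installed as private libraries such as `libkrb5-samba4.so.26`) and the
sample `ldd` lines are assumptions constructed for the example, not taken
from a real host.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: report which
# Kerberos implementation a Samba binary is linked against.
#
# Assumptions (soname conventions, not stated anywhere in the thread):
#   MIT Kerberos          -> libkrb5.so.3
#   Heimdal (system)      -> libkrb5.so.26
#   Samba-bundled Heimdal -> private libs such as libkrb5-samba4.so.26

# krb5_flavor: read `ldd` output on stdin and print one of
#   mit | heimdal | mixed | none
# "mixed" is the case the thread's packaging split is meant to prevent:
# one binary pulling in both implementations.
krb5_flavor() {
    out=$(cat)
    heimdal=0
    mit=0
    if printf '%s\n' "$out" | grep -qE 'libkrb5(-samba4)?\.so\.26'; then
        heimdal=1
    fi
    # ([^0-9]|$) keeps libkrb5.so.3 from matching libkrb5.so.26 etc.
    if printf '%s\n' "$out" | grep -qE 'libkrb5\.so\.3([^0-9]|$)'; then
        mit=1
    fi
    case "$heimdal$mit" in
        10) echo heimdal ;;
        01) echo mit ;;
        11) echo mixed ;;
        *)  echo none ;;
    esac
}

# samba_krb5: classify an installed binary (default: smbd found on PATH).
# Run it against both smbd and samba (the AD DC binary) on a host that
# carries both builds to confirm they do not share a Kerberos library.
samba_krb5() {
    name=${1:-smbd}
    bin=$(command -v "$name" 2>/dev/null) || {
        echo "samba_krb5: $name not found on PATH" >&2
        return 1
    }
    ldd "$bin" | krb5_flavor
}

# Constructed sample `ldd` output (not captured from a real host), one per
# case, so the classifier can be exercised without Samba installed.
SAMPLE_MIT='    libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f0000001000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f0000002000)
    libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f0000003000)'
SAMPLE_HEIMDAL='    libkrb5-samba4.so.26 => /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26 (0x00007f0000004000)
    libgssapi-samba4.so.2 => /usr/lib/x86_64-linux-gnu/samba/libgssapi-samba4.so.2 (0x00007f0000005000)'
SAMPLE_MIXED="$SAMPLE_MIT
$SAMPLE_HEIMDAL"
SAMPLE_NONE='    libc.so.6 => /lib64/libc.so.6 (0x00007f0000006000)'

printf 'mit sample     -> %s\n' "$(printf '%s\n' "$SAMPLE_MIT" | krb5_flavor)"
printf 'heimdal sample -> %s\n' "$(printf '%s\n' "$SAMPLE_HEIMDAL" | krb5_flavor)"
printf 'mixed sample   -> %s\n' "$(printf '%s\n' "$SAMPLE_MIXED" | krb5_flavor)"
printf 'none sample    -> %s\n' "$(printf '%s\n' "$SAMPLE_NONE" | krb5_flavor)"

# Against the real host, if smbd is installed (ignored otherwise).
samba_krb5 smbd || :
```

The classifier deliberately does not trust the package name or the
`--with-system-mitkrb5` style of build flag; it looks at what the dynamic
linker actually resolves, which is what matters when two Samba builds end
up on the same machine with the same smb.conf.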
