[Samba] mit-krb5 and heimdal binaries

Robert Marcano robert at marcanoonline.com
Mon Mar 20 14:48:16 UTC 2023


On 3/19/23 6:21 PM, Andrew Bartlett via samba wrote:

....

> 
> Regarding the support and stability of a Samba AD Deployment based on
> MIT Kerberos, given the advances in testing over the past few years, I
> have, in 2023, no major concerns.  The features that are provided work
> and can be expected to operate in production without concern.
> 
> The "experimental" designation is no longer correct, but it is not
> clear to me what different word we should apply instead, the closest I
> can come to is "unsupported".

A few years back when I started migrating legacy style domains to Samba 
AD, I tried the experimental MIT Kerberos (Fedora) and it worked fine 
until a few corner cases after the production deployment made me switch 
to the supported Heimdal build.

This new information about the testing improvements will make me try 
another round with the "experimental" back-end to see if these corner 
cases are fixed now.

> 
> Just as a distribution can and will ship a pre-release version of some
> software, to meet that distribution's overall goals, Red Hat is free to
> ship the "experimental" MIT-based Samba AD DC, and provide the security
> support (in particular) for that configuration to its users.  Red Hat
> has the resources and ability to coordinate the release of patched
> Samba and a patched MIT Kerberos simultaneously if required, for
> example.
> 
> However, things are different upstream.  I would suggest that, while
> vendoring has well documented costs (as seen when we got stuck on 'old
> Heimdal'), the choice to embed a copy of Heimdal has been a
> significant advantage to upstream Samba.
> 
> As a current example, this is allowing Claims support to be added, with
> the KDC-side changes (to link the device and user) recorded in
> lorikeet-heimdal and proposed upstream but not required to be accepted
> at the time that the patches land in Samba.
> 
> Likewise, security releases, which have been a significant burden of
> late, can be made from Samba master and directly consumed by our users.
> 
> I'm very sorry I won't be at SambaXP this year, as I would very much
> like to be part of the conversation around any changes we make here.
> 
> It is not that the current situation is ideal, but it has come with
> a number of significant advantages.
> 
> In both cases the development process includes tests, and these tests
> are at least initially marked as knownfail for MIT Kerberos.  This is
> not as dire as it seems, because more than 50% of a Samba development
> task is tests, those supporting the MIT KDC are presented with a full
> set of tests and a list of known failures to address.
> 
> However, that knownfail listing is the limit that the developers
> providing new Samba AD features and providing the security support are
> expected to provide.
> 
> This last point is critical, as only one of these Kerberos
> implementations is funded, and currently the Kerberos distribution that
> the developers involved are funded to provide is Heimdal.
> 
> This choice may of course change in the future, but as far as I see it,
> it will always be one or the other.
> 
> Andrew Bartlett
> 
