[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Rowland Penny
rpenny at samba.org
Mon Jun 30 11:08:09 UTC 2025
On Mon, 30 Jun 2025 12:50:44 +0200
Franta Hanzlík <franta at hanzlici.cz> wrote:
> From what I've gleaned from the Fedora mailing list and website and
> the internet, I get the impression that Fedora's status on using
> Heimdal or MIT Kerberos is roughly:
> - Heimdal Kerberos doesn't have all the features the team needs (but
> that probably applies to the old pre-7.x versions from 7+ years ago)
Yes, there are differences between MIT and Heimdal, but Samba is mainly
written to work Heimdal (that is the server on a DC, not the clients,
they are happy with MIT tools).
I can sort of understand redhats stance on this, they do not want to
have to support both Heimdal and MIT on the same machine, while Fedora
just compiles Samba with MIT and doesn't say anything (or if they have,
I missed it). By using MIT, there are a few things that do not work.
>
> - MIT Kerberos fit better into their FreeIPA (Identity, Policy,
> Audit) project.
That is one reason they do not require a Samba AD DC, they have freeipa.
>
> - and maybe it's also their effort to maintain more control over
> FreeIPA and possibly related projects.
Well, freeipa is their product, which is why it works well on redhat
distros.
>
> In the long run, switching to Debian would probably be a better
> option, but right now it would mean a bit more of a burden.
> We'll think about it...
Not sure why it would be a burden, create new VM, install Debian 12,
use Samba from bookworm backports, join as a DC in exactly the same way.
I can do it in a very short while.
Rowland
PS, please do not 'CC' me, it breaks my mail flow, just reply to list.
More information about the samba
mailing list