I hear that Fedora 18 will come with Samba 4
Andreas Schneider
asn at samba.org
Thu Aug 2 00:29:07 MDT 2012
On Wednesday 01 August 2012 21:10:23 Richard Sharpe wrote:
> Hi folks,
Hi Richard,
> Is anyone making sure that the transition from Samba 3 to Samba 4
> after an upgrade works fine?
Samba 4 AD DC functionality relies heavily on Heimdal Kerberos implementation.
Samba 4 includes the embedded Heimdal, if your system misses it, like we have
in Fedora. When embedded Heimdal is in use, all Samba 4 code is compiled
against this Kerberos implementation, including client side libraries and
tools, and traditional file serving smbd daemon we know as 'samba' package in
Fedora.
Fedora uses MIT Kerberos implementation, both server and client side. Heimdal
and MIT Kerberos are targetting to implement the same Kerberos V protocol but
have their own extensions API and certain semantical differences. They also
have slightly different meaning to Kerberos credential cache files format
where Kerberos-aware applications store their Kerberos keys. While this is not
an issue for client-server communication over a network (a Heimdal client does
talk the same Kerberos V protocol that MIT Kerberos server understands and
vice versa), interoperability of the client or server code using the same
credential cache files on the same system is much less supported for advanced
features like S4U2Proxy and S4U2Self.
It is generally not advisable to load two different API implementations into
the same address space either. When the rest of the system libraries is
compiled against MIT Kerberos, use of them within Samba 4 code brings in MIT
Kerberos as well. This happens, for example, when linking against OpenLDAP
client libraries and using SASL authentication.
As part of work we are doing on FreeIPA v3, we have made possible to compile
Samba 4 code against MIT Kerberos implementation. Unfortunately, MIT Kerberos
does not give option of embedding Kerebros KDC server within another process
which is required for Samba 4 AD DC functionality. Thus, when compiled with
MIT Kerberos, Samba 4 currently does not provide Active Directory Domain
Controller functionality at all, only client side libraries and tools to the
extent that does not involve AD DC operations. Also, smbd is compiled against
MIT Kerberos and provides functionality equivalent to what is provided by
Samba 3's smbd.
We are intending to make possible use of AD DC functionality with MIT Kerberos
but this is longer term project that requires cooperation between Samba, MIT,
and FreeIPA.
So Samba 4.0.0 in F18 will proivde the same as Samba 3.6.6 and in addition the
new client libraries and python bindings.
Cheers,
-- andreas
--
Andreas Schneider GPG-ID: F33E3FC6
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list