[Pkg-samba-maint] samba ad-dc: mit-krb5, splitting off samba-dc package, more...

Andreas Hasenack andreas at canonical.com
Wed Nov 23 18:24:35 GMT 2022


Hi Michael,

On Sat, Nov 12, 2022 at 7:52 AM Michael Tokarev <mjt at tls.msk.ru> wrote:
>
> Hello!
>
> After experimenting a bit with building Samba with MIT-Kerberos5 and playing
> with the resulting Samba-based AD DC, I've quite a few questions which I'd
> love to discuss.  I'm not sure this is a right place to do that though, but
> I know no better place anyway.  Also including Andreas who seems to maintain
> samba in Ubuntu.
>
> One question is the mit-krb5 vs embedded Heimdal.  It looks like there's no
> show-stopper anymore to switch samba from embedded Heimdal to MIT-Kerberos,
> everything works quite well, at least from the first look.  Redhat uses this
> setup for quite a while too.  The only issue here is the generation of
> /var/lib/samba/private/kdc.conf file which has to be done somewhere, and
> doing this in a postinst script, while works, seems to be somewhat wrong,
> but not entirely wrong.  If we go that route (the mit-kerberos way), it
> can be done at an upgrade time if the version we're upgrading from is older
> than the switch heimdal -> mit-krb5.  Assuming we'll do the switch once.
> Not that a bad thing to do.

I haven't tried a MIT build of samba yet. I don't know what the
reasoning was that made Samba decide on embedding Heimdal. I suppose
samba needed modifications, that were perhaps not ready for upstream
at the time, or would have to be changed to be accepted upstream. It
would be helpful to perhaps understand why samba today can't use
external heimdal instead of an embedded one, and then attempt a MIT
supported build.

This reminds me of the attempts at using openldap instead of an
embedded ldap server, and how difficult using the external one was, so
much that samba developed its own in the end.

Redhat has a lot of in-house expertise in kerberos and crypto
algorithms and may have their own downstream patches to samba or MIT
or both, to make that build work. I haven't checked.

> Am I right the mit-krb5 way is the way to go these days, or should we still
> support embedded heimdal build? It is easy to have 2 build profiles in the

From an external point of view, MIT kerberos does seem to have a
better cadence in releases and development, but heimdal development
has not stopped. Debian and Ubuntu have both, and I'm sure we can find
enough people using either. Does Samba even want to switch to a) an
external kerberos implementation (which could be heimdal, but
external); b) that external one being MIT?

> Another question is about splitting out the domain functionality from main
> samba package into a separate samba-domain-controller package.  This way,

I haven't deployed enough DCs to have a better opinion on this. Other
than that, in general, samba packaging is complex, both for users (to
understand what they need to install) and developers (who try to
create splits that make sense).

> Speaking of the samba-dsdb-modules and samba-vfs-modules, I don't really

No idea, other than perhaps something with sssd and other consumers of
LDB? I see in the ubuntu case adsys has a dependency on it.
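As an added illustration of the upgrade-time kdc.conf generation Michael sketches above (example code written for this page, not the Debian or Ubuntu samba packaging), here is the shape such a postinst "configure" step could take. It assumes a hypothetical SWITCH_VERSION placeholder for the first MIT-built package version, takes the realm from a SAMBA_REALM variable instead of querying smb.conf, and writes a minimal MIT kdc.conf that points the KDC at Samba's database module; the exact kdc.conf contents Samba needs should be taken from the samba-tool provisioning output rather than from this sketch. It only generates the file when the version being upgraded from predates the switch and no kdc.conf exists yet, so a later upgrade never clobbers an administrator's file.

```shell
#!/bin/sh
# Added example postinst fragment; not the samba package's own maintainer script.
set -e

# Placeholder: the first package version built against MIT krb5 (assumption).
SWITCH_VERSION="2:4.17.0+dfsg-1"
# Where the Samba AD DC keeps its KDC config; overridable for testing.
KDC_CONF="${KDC_CONF:-/var/lib/samba/private/kdc.conf}"

# version_lt A B: exit 0 when A is older than B. dpkg is authoritative for
# Debian version strings; sort -V is a fallback so the logic is testable elsewhere.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] && \
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
    fi
}

# needs_kdc_conf OLD_VERSION: exit 0 when this configure run must create kdc.conf.
# An empty OLD_VERSION is a fresh install: provisioning, not postinst, handles that.
needs_kdc_conf() {
    old="$1"
    [ -n "$old" ] || return 1
    [ ! -e "$KDC_CONF" ] || return 1     # never overwrite an existing file
    version_lt "$old" "$SWITCH_VERSION"
}

# write_kdc_conf REALM: minimal MIT kdc.conf using the Samba KDB module (assumed layout).
write_kdc_conf() {
    realm="$1"
    # kdc.conf lives in Samba's private directory; create it root-only.
    ( umask 077; cat > "$KDC_CONF" <<EOF
[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    $realm = {
        database_module = samba
    }

[dbmodules]
    samba = {
        db_library = samba
    }
EOF
    )
}

case "${1:-}" in
    configure)
        # dpkg passes the previously configured version as $2 (empty on fresh install).
        if needs_kdc_conf "${2:-}"; then
            # On a real system the realm would come from smb.conf; constructed default here.
            write_kdc_conf "${SAMBA_REALM:-EXAMPLE.COM}"
        fi
        ;;
esac
```

Run as `sh postinst configure 2:4.16.0+dfsg-1` to simulate an upgrade from a pre-switch version; with no previous version, or with a version at or after SWITCH_VERSION, nothing is written.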



More information about the Pkg-samba-maint mailing list