[Pkg-samba-maint] Bug#897269: Bug#897269: samba: build against system heimdal instead of outdated embedded code copy

L.P.H. van Belle belle at bazuin.nl
Thu May 3 10:19:16 BST 2018


Now I'm not a Debian Maintainer, but I must say the following.

Personally, I think it's not wise to switch to MIT at this moment.
I don't know the exact status of the roadmap; it was updated 5 months ago.
Note this:
Active Directory Server
WIP: S4U2Self, S4U2Proxy, PKINIT and RODC support with MIT Kerberos - Work is currently stalled (Andreas, Günther)

I must keep the heimdal version working for myself, no problem for me, but I am not alone here.
Atm I have about 250 unique IPs using my packages also, so these are safe if I keep following the samba sources.

I can't use the MIT version myself due to: S4U2Self, PKINIT, S4U2Proxy (I don't use RODC).

@Paul, you are speaking of crashes of samba. 
I don't see any crashes of samba on any of my servers, this is with my own packages,
but these are heavily based on the Debian packages and I use a bit more updated sources atm on my Stretch packages.

Can you tell more about these crashes, so I can test this a bit and see if I can make my samba crash?
Or can you try to simulate this with my packages? 4.7.7 is my latest production version. 

You can get them here. 
echo "deb http://apt.van-belle.nl/debian stretch-unstable main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | sudo apt-key add -

Note, the stretch-unstable is not unstable, a wrong choice in naming here;
I use the 4.7.7 on all my production machines atm and I'm very happy with these.

I've made a Debian stretch package of 4.8.1, which is getting updated now.
ldb change to 1.3.3 and testing the "corruption" fix, Samba bug 13335

But I do agree to keep Debian clean of embedded sources.

Switch to MIT, yes, but only if S4U2Self, S4U2Proxy, PKINIT and RODC are supported in MIT.
This is a major behavior change which Debian should avoid (for now, imo).
Just expressing my concerns here if Debian is going for MIT too early.



> -----Original message-----
> From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at alioth-lists.debian.net] On behalf of Mathieu Parent
> Sent: Tuesday 1 May 2018 21:46
> To: Paul Wise; 897269 at bugs.debian.org
> CC: Andrew Bartlett
> Subject: [Pkg-samba-maint] Bug#897269: Bug#897269: samba: build against system heimdal instead of outdated embedded code copy
> Control: tag -1 + upstream
> 2018-05-01 7:36 GMT+02:00 Paul Wise <pabs at debian.org>:
> > Source: samba
> > Severity: wishlist
> > Usertags: embed
> > Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=12976
> Hello Paul,
> Thanks for your report
> > As noted in samba upstream bug #12505, the embedded copy of heimdal in
> > samba is outdated, at least in respect to the krb5_storage_free
> > function and this seems to cause some crashes in samba at times.
> > There are probably other bugs in samba's copy of heimdal that were
> > fixed in heimdal upstream.
> >
> > https://git.samba.org/?p=samba.git;a=blob;f=source4/heimdal/lib/krb5/store.c;hb=HEAD#l270
> > https://github.com/heimdal/heimdal/blob/master/lib/krb5/store.c#L289
> > https://bugzilla.samba.org/show_bug.cgi?id=11824
> > https://bugzilla.samba.org/show_bug.cgi?id=12505
> > https://www.spinics.net/lists/samba/msg133243.html
> >
> > I asked samba upstream last year to either remove or update the
> > embedded code copy but there was no response to my bug report.
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=12976
> >
> > Until samba upstream reaches a decision on this, I think that Debian
> > should patch samba so that our builds use the system version of heimdal
> > instead of the outdated embedded code copy.
> >
> > See also Debian Policy 4.13 and the corresponding wiki page:
> >
> > https://www.debian.org/doc/debian-policy/#convenience-copies-of-code
> > https://wiki.debian.org/EmbeddedCodeCopies
> Currently there is no way to build using system Heimdal, the embedded
> copy has diverged too much from upstream I believe.
> Maybe a fix would be to switch to MIT Kerberos, see #726459. I'm
> hesitant to do this given the risk of this big change (and some people
> probably use Debian for the features that don't have parity yet).
> Andrew, is there any chance to sync Heimdal code with upstream? Or
> should we switch to MIT?
> Regards
> -- 
> Mathieu Parent