[Pkg-samba-maint] Bug#963899: Build smbclient against MIT krb5

Sam Morris sam at robots.org.uk
Sun Jun 28 16:39:44 BST 2020 

Package: smbclient
Version: 2:4.9.5+dfsg-1
Severity: wishlist

I don't know how sane this might be, but you don't find out of if you
don't ask, right?

I run into lots of problems trying to use smbclient in my workplace.
They boil down to the fact that Samba's bundled Heimdal library has a
number of missing features compared to MIT Kerberos, including:

 * Support for DIR, KCM and KEYRING credential cache types. These are
   improvements upon the FILE type (all support multiple credential
   caches, as opposed to FILE; KEYRING keeps credentials off disk as
   opposed to DIR; KCM stores credentials in a daemon (UNIX socket
   access isolated by mount namespaces)).
 * Support for includdedir directives when reading configuration.
   Files in /etc/krb5.conf.d and /var/lib/sss/pubconf/krb5.include.d
   (created by freeipa-client and sssd) are ignored.
 * Support for locator plugins. In a multi-site Active Directory
   environment, this causes Kerberos clients to talk to the local site's
   KDCs. This might also apply to FreeIPA multi-location environments
   too.
 * Support for other plugin types. sssd provides localauth, authdata and
   preauth plugins. Admittedly I don't think these would be used by
   smbclient.

For a long time I figured there was nothing to be done about this--Samba
is pretty tightly wedded to Heimdal. However I recently noticed that
Fedora build Samba against krb5, and I figure it should be possible to
do this in Debian.

Since running Samba AD DC built with MIT Kerberos is still an
experimental feature, it's not a good idea to switch the whole source
package over wholesale. But I wonder if it would be possible to build
only smbcliennt with the system libkrb5, so that it can take advantage
of these features (in particular, credential cache types other than
FILE)?

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages smbclient depends on:
ii  dpkg          1.19.7
ii  libarchive13  3.3.3-4+deb10u1
ii  libbsd0       0.9.1-2
ii  libc6         2.28-10
ii  libgnutls30   3.6.7-4+deb10u4
ii  libpopt0      1.16-12
ii  libreadline7  7.0-5
pn  libreadline8  <none>
pn  libsmbclient  <none>
pn  libtalloc2    <none>
pn  libtevent0    <none>
pn  libwbclient0  <none>
pn  samba-common  <none>
pn  samba-libs    <none>

smbclient recommends no packages.

Versions of packages smbclient suggests:
pn  cifs-utils       <none>
pn  heimdal-clients  <none>

More information about the Pkg-samba-maint mailing list