[Pkg-samba-maint] Bug#726459: MIT instead of Heimdal in Debian
Michael Tokarev
mjt at tls.msk.ru
Thu Nov 10 14:04:49 GMT 2022
On Sat, 7 Apr 2018 11:37:18 +0200 Mathieu Parent <math.parent at gmail.com> wrote:
> Hi,
>
> Most of this was done in Samba 4.8, but we still build with Heimdal in Debian.
>
> There are two reasons:
> - missing features [1]
The missing features needs to be evaluated really, - how relevant these actually
are these days. For example, "Computer GPO's are not applied" listed in that
wiki pages seems to work fine.
> - fear to break things (especially on upgrade)
Things are easy to break indeed. But from the same wiki page it *seems* a switch is
actually easy - the only thing needed is to create /var/lib/samba/private/kdc.conf
file. I dunno how much this is true.
> I hope that the feature gap will decrease in 4.9 and later, but we
> probably won't migrate before buster+1 (i.e next-next stable)
How about buster+4? :))
Anyway, I implemented a build profile, pkg.samba.mitkrb5, to build whole samba
(with the experimental ad-dc support) with mit-krb5. Dunno how it will go..
Thanks,
/mjt
> [1]: Samba DCs with MIT Kerberos KDC currently do not support:
> - PKINIT support required for using smart cards
> - Service for User to Self-service (S4U2self)
> - Service for User to Proxy (S4U2proxy)
> - Running as a Read only domain controller (RODC)
> (https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC)
More information about the Pkg-samba-maint
mailing list