[Pkg-samba-maint] Bug#726459: MIT instead of Heimdal in Debian

Michael Tokarev mjt at tls.msk.ru
Thu Nov 10 14:04:49 GMT 2022


On Sat, 7 Apr 2018 11:37:18 +0200 Mathieu Parent <math.parent at gmail.com> wrote:
> Hi,
> 
> Most of this was done in Samba 4.8, but we still build with Heimdal in Debian.
> 
> There are two reasons:
> - missing features [1]

The missing features need to be evaluated, really - how relevant these actually
are these days.  For example, "Computer GPO's are not applied" listed on that
wiki page seems to work fine.

> - fear to break things (especially on upgrade)

Things are easy to break indeed.  But from the same wiki page it *seems* a switch is
actually easy - the only thing needed is to create the /var/lib/samba/private/kdc.conf
file.  I dunno how true this is.

> I hope that the feature gap will decrease in 4.9 and later, but we
> probably won't migrate before buster+1 (i.e next-next stable)

How about buster+4? :))

Anyway, I implemented a build profile, pkg.samba.mitkrb5, to build the whole samba
(with the experimental ad-dc support) with mit-krb5.  Dunno how it will go..

Thanks,

/mjt

> [1]: Samba DCs with MIT Kerberos KDC currently do not support:
> - PKINIT support required for using smart cards
> - Service for User to Self-service (S4U2self)
> - Service for User to Proxy (S4U2proxy)
> - Running as a Read only domain controller (RODC)
> (https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC)


