[Pkg-samba-maint] Bug#726459: MIT instead of Heimdal in Debian

Andrew Bartlett abartlet at samba.org
Thu Nov 10 18:30:50 GMT 2022


On Thu, 2022-11-10 at 17:04 +0300, Michael Tokarev wrote:
> On Sat, 7 Apr 2018 11:37:18 +0200 Mathieu Parent <math.parent at gmail.com> wrote:
> > Hi,
> > 
> > Most of this was done in Samba 4.8, but we still build with Heimdal in Debian.
> > 
> > There are two reasons:
> > - missing features [1]
> 
> The missing features need to be evaluated, really - how relevant these actually
> are these days.  For example, "Computer GPO's are not applied" listed in that
> wiki page seems to work fine.

This is good to hear.  That one scared me, not because breakage was
unexpected, but because we couldn't tell why or how.

We now have a much, much better testsuite that covers things pretty
well, and know what tests the MIT KDC still fails.  

> > - fear to break things (especially on upgrade)
> 
> Things are easy to break indeed.  But from the same wiki page it
> *seems* a switch is
> actually easy - the only thing needed is to create
> /var/lib/samba/private/kdc.conf
> file.  I dunno how much this is true.

I don't really expect much breakage honestly, given the testsuite. 

That testsuite is why we were happy to upgrade the Heimdal version,
which was just as much of a change and risk.

> > I hope that the feature gap will decrease in 4.9 and later, but we
> > probably won't migrate before buster+1 (i.e next-next stable)

There is no particular effort to address the lack of RODC support for
the MIT KDC, and efforts to close the gaps shown by the testsuite are
sporadic.  

It is also much harder to develop for the MIT KDC, as there isn't a
standard vendored copy we can apply patches to and then filter to
upstream (which is the process for Heimdal).

> How about buster+4? :))
> 
> Anyway, I implemented a build profile, pkg.samba.mitkrb5, to build whole samba
> (with the experimental ad-dc support) with mit-krb5.  Dunno how it will go..
> 
> Thanks,
> 
> /mjt
> 
> > [1]: Samba DCs with MIT Kerberos KDC currently do not support:
> > - PKINIT support required for using smart cards
> > - Service for User to Self-service (S4U2self)
> > - Service for User to Proxy (S4U2proxy)

These are fixed.

> > - Running as a Read only domain controller (RODC)
> > (https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC)

This is the big one.  Plus just other differences that may or may not
matter as much.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba