samba - Aug 2016 - Possible to use MIT Kerberos yet?

Hey all,

$Dayjob currently uses MIT Kerberos.  We also use Zimbra with Kerberos 
auth, but Zimbra's LDAP is only internal to itself.

I see various things on the wiki that say "We need MIT Kerberos support 
cleaned up for a 4.0 release"

https://wiki.samba.org/index.php/MIT_Build
https://wiki.samba.org/index.php/Samba4/MIT_KDC

And the "How to build a domain controller" doc, effectively says
"it's not
*required* to build an alternate KDC.  It says other LDAP implementations 
aren't supported.  It does NOT say other KDC's are not supported.

I see people asking on this list if it's possible, and being told, 
outright, no, in 2014:

https://lists.samba.org/archive/samba/2014-July/182765.html

And yet I see it being possible:

https://ssimo.org/blog/id_005.html

So, is this a thing that one can do in mainline Samba yet -- add it on to 
an existing, already-provisioned Kerberos realm?

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

On Tue, 2016-08-16 at 13:49 -0700, Dan Mahoney, System Admin via samba
wrote:
> 
> So, is this a thing that one can do in mainline Samba yet -- add it
> on to 
> an existing, already-provisioned Kerberos realm?
No, Samba won't ever be able to use an existing already-provisioned
kerberos realm.  The best we will be able to offer is to import those
keys into Samba, and then run the Samba KDC (no matter what that is
based on), or set up a trust between them (which may or may not be
helpful).

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba