On 1/29/23 09:12, Rowland Penny via samba wrote:
>
> On 29/01/2023 14:00, Michael Tokarev via samba wrote:
>> 29.01.2023 16:51, Rowland Penny via samba wrote:
>>
>>> From the distros you mentioned, the first two didn't supply Samba
>>> packages that could be provisioned as a DC. As far as I am aware,
>>> Slackware is the same. Arch did supply Samba packages that could be
>>> used as an AD DC, these used Samba's builtin Heimdal, are you saying
>>> that this has changed and they now use MIT?
>>
>> I haven't followed history.
>
> I have.
> Red Hat is on record of saying that they will never supply Samba
> packages that will be capable of being provisioned as a DC (they want
> you to use freeipa)
>
>> At least Fedora provides samba ad-dc packages built
>> with mit-krb5 for quite some time (I posted their rpm.spec file here).
>
> Yes I know, I just wish they would be honest and mark them as
> experimental.
>
>> Arch samba also works as an ad-dc.
>
> Arch has always worked as an AD DC, but they did use Heimdal, if they
> have moved to MIT, then they have also moved to the 'experimental'
> camp.
>
>> ..
>>
>>> Seeing as how Samba is now using pretty much the latest Heimdal, I
>>> am not surprised it works. However, Samba tests against the Heimdal
>>> it supplies.
>>
>> Samba tests against mit-krb5 too, fwiw.
>
> This I know, but, as far as I am aware, it is just so that the code
> doesn't get broken.
>
>>
>> Unfortunately due to the way samba builds for testing has little to
>> do with production build.
>
> No, in my opinion, it has little to do with what you perceive to be a
> production build.
>
> From my perspective, until Samba stops marking MIT as experimental and
> leaves the choice of KDC type up to the installer, then the only KDC
> to use in production is the Heimdal one that Samba provides.
>
> Your views are probably different.
>
> Rowland
>
I am torn between using Heimdal and MIT. On the one hand, I really like
to use the packages supplied by the distro with as little
"customization" as possible, which in my case would be MIT. On the other
hand, my initial DC deployment using Slackware 14.1 back in 2014
apparently did use Heimdal. And it appears that Heimdal is the
recommended kerberos by Samba.
For reasons explained earlier, including not using the
--dns-backend=BIND9_FLATFILE which is apparently obsoleted, I am going
to attempt to set up another DC using the latest Slackware 15.0 distro.
I will find out how to transfer all the FSMO roles to this new DC, then
decommission the old one.
I will go ahead and attempt to use the Heimdal kerberos if possible.
However, the instructions
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
just start with, "Set the following settings in your Kerberos client
configuration file /etc/krb5.conf", nothing about choosing which
kerberos. Before I get too deep into this, how do I specify using
Heimdal on a system that comes with MIT?
THX --Mark