Hi List,

I do my best to ask my question in English. ;-)

Samba4 integrated Heimdal Kerberos to do the Kerberos work for Active Directory. Some Linux distributions like Fedora/Red Hat and openSUSE/SUSE don't accept Heimdal even if it is shipped inside Samba.

Their argument is that Heimdal isn't maintained since 2012. Compiling Samba against MIT krb5 results in Samba packages without AD.

Result: Active Directory is impossible with the distribution packages of Samba with the above mentioned Linux distributions.

Fedora's way to solve this is:

"We are intending to make possible use of AD DC functionality with MIT Kerberos but this is longer term project that requires cooperation between Samba, MIT, and FreeIPA."

which means never, in my opinion.

My questions:

Is the Heimdal code inside of samba4 maintained by the Samba team or is this unmaintained static code?

Are there considerations about using MIT krb5 inside samba4 instead of Heimdal?

The intention of our project "invis-server" is to bring Samba 4 with AD DC functionality into openSUSE. Therefore we need arguments for the coming discussion.

Stefan

-- 
www.invis-server.org
Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
> Hi List,
>
> I do my best to ask my question in English. ;-)
>
> Samba4 integrated Heimdal Kerberos to do the Kerberos work for
> Active Directory. Some Linux distributions like Fedora/Red Hat and
> openSUSE/SUSE don't accept Heimdal even if it is shipped inside
> Samba.
>
> Their argument is that Heimdal isn't maintained since 2012.
> Compiling Samba against MIT krb5 results in Samba packages without
> AD.
>
> Result: Active Directory is impossible with the distribution
> packages of Samba with the above mentioned Linux distributions.
>
> Fedora's way to solve this is:
>
> "We are intending to make possible use of AD DC functionality with
> MIT Kerberos but this is longer term project that requires
> cooperation between Samba, MIT, and FreeIPA."
> which means never, in my opinion.

No, you're wrong about that. Andreas, Guenther and Alexander at Red Hat are working diligently every day towards this. We're planning to get to that sooner rather than later.

> My questions:
>
> Is the Heimdal code inside of samba4 maintained by the Samba team or
> is this unmaintained static code?

Maintained. If it's in Samba we are responsible. Once it's working with MIT we'll eventually remove it from our tree though.

> Are there considerations about using MIT krb5 inside samba4 instead
> of Heimdal?

Talk to Andreas, Guenther and Alexander for the latest.

> The intention of our project "invis-server" is to bring Samba 4 with
> AD DC functionality into openSUSE. Therefore we need arguments for
> the coming discussion.

Hurrah! I'm really glad to hear this! If you could coordinate with the people doing the Heimdal -> MIT work then we can get there faster.

Cheers,

Jeremy.
On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
>> Hi List,
>>
>> I do my best to ask my question in English. ;-)
>>
>> Samba4 integrated Heimdal Kerberos to do the Kerberos work for
>> Active Directory. Some Linux distributions like Fedora/Red Hat and
>> openSUSE/SUSE don't accept Heimdal even if it is shipped inside
>> Samba.
>>
>> Their argument is that Heimdal isn't maintained since 2012.
>> Compiling Samba against MIT krb5 results in Samba packages without
>> AD.
>>
>> Result: Active Directory is impossible with the distribution
>> packages of Samba with the above mentioned Linux distributions.
>>
>> Fedora's way to solve this is:
>>
>> "We are intending to make possible use of AD DC functionality with
>> MIT Kerberos but this is longer term project that requires
>> cooperation between Samba, MIT, and FreeIPA."
>> which means never, in my opinion.
>
> No, you're wrong about that. Andreas, Guenther and Alexander
> at Red Hat are working diligently every day towards this. We're planning
> to get to that sooner rather than later.
>
>> My questions:
>>
>> Is the Heimdal code inside of samba4 maintained by the Samba team or
>> is this unmaintained static code?
>
> Maintained. If it's in Samba we are responsible.
> Once it's working with MIT we'll eventually remove
> it from our tree though.

I really wish you luck with that, because it's been an ongoing problem in Fedora. The Red Hat personnel I personally met working with Kerberos were pretty tightly focused on SSSD, which seems to me to be a fairly silly re-implementation of what Samba already does more broadly and more consistently.

>> Are there considerations about using MIT krb5 inside samba4 instead
>> of Heimdal?
>
> Talk to Andreas, Guenther and Alexander for the latest.
>
>> The intention of our project "invis-server" is to bring Samba 4 with
>> AD DC functionality into openSUSE. Therefore we need arguments for
>> the coming discussion.
>
> Hurrah! I'm really glad to hear this! If you could
> coordinate with the people doing the Heimdal -> MIT
> work then we can get there faster.
>
> Cheers,
>
> Jeremy.

I'd also encourage you to take a look at the Fedora "rawhide" bundles, for tracing of changed components for RPM. And if you like, you might even take a look at my DC enabled ports over at https://github.com/nkadel/samba4repo and https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5