Andrew Bartlett
2017-Jan-04 23:28 UTC
[Samba] Gentoo, Heimdal and Samba 4.2 EOL (was: Re: bug in smbclient (?) 4.2.x)
On Thu, 2017-01-05 at 12:26 +1300, Andrew Bartlett wrote:> On Thu, 2017-01-05 at 00:07 +0100, Stefan G. Weichinger via samba > wrote: > > > > Am 2017-01-04 um 23:49 schrieb Stefan G. Weichinger via samba: > > > > > > > > > > > on my way to 4.5.3 now > > > > compiling samba-4.5.3 on gentoo *failed* right now > > > > seems to be related to heimdal issues .. it's too late here right > > now > > to > > go on with that, maybe tomorrow. > > > > browsed the gentooo bugzilla, found > > > > https://bugs.gentoo.org/show_bug.cgi?id=593486 > > > > (and commented) > > > > That seems to be the showstopper at gentoo. > > > > Aside from that: pls remember that they had/have that issue with > > debian > > as well. > > In Debian we re-bundled heimdal. Samba is only known to work and is > only tested with the bundled copy. The semi-private interfaces we > use > with the KDC have skewed and we rely on specific patches to be > applied > on the Heimdal side. > > The work to have Heimdal updated in Samba, so we can then port out > the > last few patches and unbundle it remains uncompleted. The port to > MIT > kerberos is ongoing, but also not complete.For clarity, I speak here regarding the AD DC mode. The file server has always supported the system MIT Krb5, and continues to do so as a fully supported option. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Am 2017-01-05 um 00:28 schrieb Andrew Bartlett:>> In Debian we re-bundled heimdal. Samba is only known to work and is >> only tested with the bundled copy. The semi-private interfaces we >> use >> with the KDC have skewed and we rely on specific patches to be >> applied >> on the Heimdal side. >> >> The work to have Heimdal updated in Samba, so we can then port out >> the >> last few patches and unbundle it remains uncompleted. The port to >> MIT >> kerberos is ongoing, but also not complete. > > For clarity, I speak here regarding the AD DC mode. The file server > has always supported the system MIT Krb5, and continues to do so as a > fully supported option.Thank you, Andrew, for your replies. A gentoo dev pointed me to this bug: https://bugs.gentoo.org/show_bug.cgi?id=588262#c3 They seem to have issues with heimdal (Comment 3), I don't know if they asked for upstream help or could need some. - For me and the current job it sounds like hopping over to Debian. They also are still at 4.2.14, but AD-DC works. Stefan
On Thu, 2017-01-05 at 10:45 +0100, Stefan G. Weichinger via samba wrote:> Am 2017-01-05 um 00:28 schrieb Andrew Bartlett: > > > > > > > > > In Debian we re-bundled heimdal. Samba is only known to work and > > > is > > > only tested with the bundled copy. The semi-private interfaces > > > we > > > use > > > with the KDC have skewed and we rely on specific patches to be > > > applied > > > on the Heimdal side. > > > > > > The work to have Heimdal updated in Samba, so we can then port > > > out > > > the > > > last few patches and unbundle it remains uncompleted. The port > > > to > > > MIT > > > kerberos is ongoing, but also not complete. > > > > For clarity, I speak here regarding the AD DC mode. The file > > server > > has always supported the system MIT Krb5, and continues to do so as > > a > > fully supported option. > > Thank you, Andrew, for your replies. > > A gentoo dev pointed me to this bug: > > https://bugs.gentoo.org/show_bug.cgi?id=588262#c3 > > They seem to have issues with heimdal (Comment 3), I don't know if > they > asked for upstream help or could need some.If they want the AD DC, they just need to stop thinking of Heimdal as anything other than code we ship, and stop trying to unbundle it. Just build it like all the rest of Samba.> - > > For me and the current job it sounds like hopping over to Debian. > They also are still at 4.2.14, but AD-DC works.More recent packages are posted here by some contributors, or you can help Debian on the packaging team and so get us the bandwith to consider a backport (the backport is 'easy', the support is not and we are understaffed on the debian Samba Team). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba