On Tue, 2018-09-25 at 09:44 +0100, Rowland Penny via samba wrote:> On Mon, 24 Sep 2018 21:22:06 GMT > "Torin Woltjer" <torin.woltjer at granddial.com> wrote: > > > > > Thanks for the quick reply, I believe I am using MIT based on log > > file names; but is there a better way to tell? I'm not very > > knowledgeable about the distinction between MIT and Heimdal > > regarding > > KDC. Can you direct me to a resource that explains how to make the > > switch as I am just using the defaults in SUSE. Additionally, many > > of the domains experiencing this bug were working fine; before > > migrating them from Ubuntu 16.04. Is this because the bug was > > introduced in a newer version that I am now using? Is the bug fixed > > in a version newer than what I am using now? > > > > Thanks again, I appreciate the help. > > > > Torin Woltjer > > > > Grand Dial Communications - A ZK Tech Inc. Company > > > > 616.776.1066 ext. 2006 > > www.granddial.com > > > > > Took some finding, but I am now very sure that the opensuse Samba AD > DC > uses MIT instead of Heimdal, so this makes it inadvisable to use in > production. There are just too many problems to make it usable, the > password problem being one of them. > > I am sorry, but, as far as I am aware, there is no RPM based distro > that has production ready Samba packages, I also have a feeling that > the Ubuntu packages now use MIT, so this really just leaves Debian > etc.I've not seen any indication that Ubuntu has changed to MIT Kerberos, thankfully. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Tue, 25 Sep 2018 20:49:07 +1200 Andrew Bartlett <abartlet at samba.org> wrote:> On Tue, 2018-09-25 at 09:44 +0100, Rowland Penny via samba wrote: > > On Mon, 24 Sep 2018 21:22:06 GMT > > "Torin Woltjer" <torin.woltjer at granddial.com> wrote: > > > > > > > > Thanks for the quick reply, I believe I am using MIT based on log > > > file names; but is there a better way to tell? I'm not very > > > knowledgeable about the distinction between MIT and Heimdal > > > regarding > > > KDC. Can you direct me to a resource that explains how to make the > > > switch as I am just using the defaults in SUSE. Additionally, > > > many of the domains experiencing this bug were working fine; > > > before migrating them from Ubuntu 16.04. Is this because the bug > > > was introduced in a newer version that I am now using? Is the bug > > > fixed in a version newer than what I am using now? > > > > > > Thanks again, I appreciate the help. > > > > > > Torin Woltjer > > > > > > Grand Dial Communications - A ZK Tech Inc. Company > > > > > > 616.776.1066 ext. 2006 > > > www.granddial.com > > > > > > > > Took some finding, but I am now very sure that the opensuse Samba AD > > DC > > uses MIT instead of Heimdal, so this makes it inadvisable to use in > > production. There are just too many problems to make it usable, the > > password problem being one of them. > > > > I am sorry, but, as far as I am aware, there is no RPM based distro > > that has production ready Samba packages, I also have a feeling that > > the Ubuntu packages now use MIT, so this really just leaves Debian > > etc. > > I've not seen any indication that Ubuntu has changed to MIT Kerberos, > thankfully. > > Andrew Bartlett >I thought I had seen it somewhere, but I bow to your superior knowledge. Rowland
On Tue, 2018-09-25 at 09:59 +0100, Rowland Penny via samba wrote:> On Tue, 25 Sep 2018 20:49:07 +1200 > Andrew Bartlett <abartlet at samba.org> wrote: > > > On Tue, 2018-09-25 at 09:44 +0100, Rowland Penny via samba wrote: > > > On Mon, 24 Sep 2018 21:22:06 GMT > > > "Torin Woltjer" <torin.woltjer at granddial.com> wrote: > > > > > > > > > > > Thanks for the quick reply, I believe I am using MIT based on > > > > log > > > > file names; but is there a better way to tell? I'm not very > > > > knowledgeable about the distinction between MIT and Heimdal > > > > regarding > > > > KDC. Can you direct me to a resource that explains how to make > > > > the > > > > switch as I am just using the defaults in SUSE. Additionally, > > > > many of the domains experiencing this bug were working fine; > > > > before migrating them from Ubuntu 16.04. Is this because the > > > > bug > > > > was introduced in a newer version that I am now using? Is the > > > > bug > > > > fixed in a version newer than what I am using now? > > > > > > > > Thanks again, I appreciate the help. > > > > > > > > Torin Woltjer > > > > > > > > Grand Dial Communications - A ZK Tech Inc. Company > > > > > > > > 616.776.1066 ext. 2006 > > > > www.granddial.com > > > > > > > > > > > > > > Took some finding, but I am now very sure that the opensuse Samba > > > AD > > > DC > > > uses MIT instead of Heimdal, so this makes it inadvisable to use > > > in > > > production. There are just too many problems to make it usable, > > > the > > > password problem being one of them. > > > > > > I am sorry, but, as far as I am aware, there is no RPM based > > > distro > > > that has production ready Samba packages, I also have a feeling > > > that > > > the Ubuntu packages now use MIT, so this really just leaves > > > Debian > > > etc. > > > > I've not seen any indication that Ubuntu has changed to MIT > > Kerberos, > > thankfully. > > > > Andrew Bartlett > > > > I thought I had seen it somewhere, but I bow to your superior > knowledge. > > Rowland >Following the advice here "Verifying if Samba Has Been Built with MIT Kerberos Support" https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC ... in reverse: $ cat /etc/os-release NAME="Ubuntu" VERSION="18.04.1 LTS (Bionic Beaver)" $ smbd -b | grep HAVE_LIBKADM5SRV_MIT $ So, no MIT involved on Ubuntu Cheers Jon