On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>
>> Hi Rowland,
>>
>> I'm glad you brought that up. This is a piece of the puzzle I have
>> been very confused with. I'm not using the Samba from CentOS/RHEL,
>> but a custom compiled one (latest 4.11.13). As CentOS uses MIT
>> Kerberos by default, am I not automatically using MIT Krb5 on the
>> server in the mode you describe as "Experimental"? Is Samba
>> re-implementing the Heimdal based Kerberos, or using the system
>> Kerberos? Do I have a choice? And if my system doesn't use Heimdal
>> and only has MIT Krb5 libraries, isn't that what would be used?
>> Here's the ldd on the samba binary...
>
> It depends on how you actually built Samba, did you pass
> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>
> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>
> Rowland

Hi Rowland,

Our auto build system is compiling with this:

                 --with-acl-support
                 --with-piddir=/run
                 --with-configdir=/etc/samba
                 --with-statedir=/local/samba/locks
                 --with-cachedir=/local/samba/cache
                 --with-lockdir=/local/samba/lock
                 --with-privatedir=/local/samba/private
                 --with-sockets-dir=/run
                 --with-privileged-socket-dir=/var/lib
                 --with-logfilebase=/local/log
                 --with-syslog

However,

> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>    HAVE_LIBKADM5SRV_MIT

I'd like to believe that the Kerberos implementation with Samba could
run independent of the O/S one, but I suspect that if you have MIT
Kerberos, it's going to compile with that?

Jason.
On 05/10/2020 19:29, Jason Keltz via samba wrote:
>
> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>
>>> Hi Rowland,
>>>
>>> I'm glad you brought that up. This is a piece of the puzzle I have
>>> been very confused with. I'm not using the Samba from CentOS/RHEL,
>>> but a custom compiled one (latest 4.11.13). As CentOS uses MIT
>>> Kerberos by default, am I not automatically using MIT Krb5 on the
>>> server in the mode you describe as "Experimental"? Is Samba
>>> re-implementing the Heimdal based Kerberos, or using the system
>>> Kerberos? Do I have a choice? And if my system doesn't use Heimdal
>>> and only has MIT Krb5 libraries, isn't that what would be used?
>>> Here's the ldd on the samba binary...
>>
>> It depends on how you actually built Samba, did you pass
>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>
>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>
>> Rowland
>
> Hi Rowland,
>
> Our auto build system is compiling with this:
>
>                  --with-acl-support
>                  --with-piddir=/run
>                  --with-configdir=/etc/samba
>                  --with-statedir=/local/samba/locks
>                  --with-cachedir=/local/samba/cache
>                  --with-lockdir=/local/samba/lock
>                  --with-privatedir=/local/samba/private
>                  --with-sockets-dir=/run
>                  --with-privileged-socket-dir=/var/lib
>                  --with-logfilebase=/local/log
>                  --with-syslog
>
> However,
>
>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>    HAVE_LIBKADM5SRV_MIT

Strange, do you have the OS Samba packages installed as well ?

It has been some time since I tested using MIT as the kdc and you are
supposed to pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc'
to configure, otherwise Heimdal is used. You do not seem to have done
this, but your version of smbd seems to have been built with MIT. How
did you build Samba ? Was it the standard 'configure' (with options as
above), 'make' and 'make install', or do you build packages with a
'spec' file ?

>
> I'd like to believe that the Kerberos implementation with Samba could
> run independent of the O/S one, but I suspect that if you have MIT
> Kerberos, it's going to compile with that?

It is possible to build Samba on CentOS using Heimdal (there are a
couple of users that supply rpms or instructions on how to do this,
but only for CentOS 7).

Rowland
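The check Rowland describes, turned into a small script as an added example that is not part of the thread: it compares the KDC backend the configure line asks for (MIT only when both '--with-system-mitkrb5 --with-experimental-mit-ad-dc' are passed, otherwise the embedded Heimdal) against what the built smbd reports via 'smbd -b', and flags the kind of mismatch Jason is seeing. The sample configure line and 'smbd -b' output are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread: reconcile what a build system asked
# configure for with what the resulting smbd reports via `smbd -b`.
# Both inputs are passed as text so the check runs on constructed samples.

# Intent: Rowland's rule is that MIT is used only when both flags are passed;
# anything else means Samba's embedded Heimdal KDC.
intended_kdc() {
    case "$1" in
        *--with-system-mitkrb5*--with-experimental-mit-ad-dc*) echo mit ;;
        *--with-experimental-mit-ad-dc*--with-system-mitkrb5*) echo mit ;;
        *) echo heimdal ;;
    esac
}

# Reality: `smbd -b` lists build-time defines; HAVE_LIBKADM5SRV_MIT is only
# present when smbd was linked against MIT's kadm5 server library.
built_kdc() {
    if printf '%s\n' "$1" | grep -q 'HAVE_LIBKADM5SRV_MIT'; then
        echo mit
    else
        echo heimdal
    fi
}

# Returns 0 when intent and build agree, 1 on a mismatch like the one in
# the thread (no MIT flags passed, yet the define is present).
check_build() {
    want=$(intended_kdc "$1")
    have=$(built_kdc "$2")
    if [ "$want" = "$have" ]; then
        echo "consistent: configure asked for $want, smbd built with $have"
        return 0
    fi
    echo "MISMATCH: configure asked for $want, but smbd reports $have"
    return 1
}

# Constructed sample inputs modelled on the thread (not real captures).
SAMPLE_CONFIGURE='./configure --with-acl-support --with-piddir=/run --with-syslog'
SAMPLE_SMBD_B='Build environment:
   Built by:    buildbot
   HAVE_LIBKADM5SRV_MIT'

# On a live DC: check_build "$YOUR_CONFIGURE_LINE" "$(smbd -b)"
# The sample deliberately mismatches, so ignore its exit status here.
check_build "$SAMPLE_CONFIGURE" "$SAMPLE_SMBD_B" || :
```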
On 10/5/2020 2:52 PM, Rowland penny via samba wrote:
> On 05/10/2020 19:29, Jason Keltz via samba wrote:
>>
>> On 10/5/2020 12:44 PM, Rowland penny via samba wrote:
>>> On 05/10/2020 17:27, Jason Keltz via samba wrote:
>>>>
>>>> Hi Rowland,
>>>>
>>>> I'm glad you brought that up. This is a piece of the puzzle I have
>>>> been very confused with. I'm not using the Samba from CentOS/RHEL,
>>>> but a custom compiled one (latest 4.11.13). As CentOS uses MIT
>>>> Kerberos by default, am I not automatically using MIT Krb5 on the
>>>> server in the mode you describe as "Experimental"? Is Samba
>>>> re-implementing the Heimdal based Kerberos, or using the system
>>>> Kerberos? Do I have a choice? And if my system doesn't use Heimdal
>>>> and only has MIT Krb5 libraries, isn't that what would be used?
>>>> Here's the ldd on the samba binary...
>>>
>>> It depends on how you actually built Samba, did you pass
>>> '--with-system-mitkrb5 --with-experimental-mit-ad-dc' to configure ?
>>>
>>> You could try running 'smbd -b | grep HAVE_LIBKADM5SRV_MIT' on the DC
>>>
>>> Rowland
>>
>> Hi Rowland,
>>
>> Our auto build system is compiling with this:
>>
>>                  --with-acl-support
>>                  --with-piddir=/run
>>                  --with-configdir=/etc/samba
>>                  --with-statedir=/local/samba/locks
>>                  --with-cachedir=/local/samba/cache
>>                  --with-lockdir=/local/samba/lock
>>                  --with-privatedir=/local/samba/private
>>                  --with-sockets-dir=/run
>>                  --with-privileged-socket-dir=/var/lib
>>                  --with-logfilebase=/local/log
>>                  --with-syslog
>>
>> However,
>>
>>> %  smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>>    HAVE_LIBKADM5SRV_MIT
>
> Strange, do you have the OS Samba packages installed as well ?
>
> It has been some time since I tested using MIT as the kdc and you are
> supposed to pass '--with-system-mitkrb5 --with-experimental-mit-ad-dc'
> to configure, otherwise Heimdal is used. You do not seem to have done
> this, but your version of smbd seems to have been built with MIT. How
> did you build Samba ? Was it the standard 'configure' (with options as
> above), 'make' and 'make install', or do you build packages with a
> 'spec' file ?
>
>>
>> I'd like to believe that the Kerberos implementation with Samba could
>> run independent of the O/S one, but I suspect that if you have MIT
>> Kerberos, it's going to compile with that?
>
> It is possible to build Samba on CentOS using Heimdal (there are a
> couple of users that supply rpms or instructions on how to do this,
> but only for CentOS 7).

Hi Rowland,

I've been looking at the compile trying to figure out how the MIT
Kerberos option was added in. Right now, I can't figure out why, but I
will eventually. I compiled using the same options directly from the
command line, and it builds with embedded Kerberos. Very puzzling.
However, the truth is, the server has been very stable. It's been
working with our Windows systems for quite some time, and in testing
working on Linux systems as well.

I'd like to understand if it would be possible under CentOS 7 not just
to run Samba with Heimdal Kerberos - but to run it as an Active
Directory Domain Controller with Heimdal Kerberos without losing any of
the functionality that I have now in terms of Windows or Linux clients
(eg. secure krb5 NFS mounts) that I'm getting because of the MIT options
compiled into my install. Can you help me to understand, if Samba has
its own embedded Heimdal Kerberos that doesn't depend on the O/S
Kerberos implementation at all, why it is so important for Samba to
have an MIT Kerberos implementation? There is a whole lot of interest in
that from what I can understand, and I just want to clearly understand
why. From what I thought I understood, you could not have an AD-DC on
CentOS 7 without those options, but now it's not so clear.

Jason.