On Thu, 2022-08-04 at 08:47 +1200, Andrew Bartlett
wrote:> On Wed, 2022-08-03 at 08:05 +0100, Rowland Penny via samba wrote:
> > On Wed, 2022-08-03 at 09:50 +0300, Sami Hulkko via samba wrote:
> > > Hi,
> > >
> > > The information on Samba Wiki for MIT Kerberos related fork is
> > > from
> > > 4.7.
> > > Is there anywhere information available for the current status?
> >
> > It isn't really a fork, it is just a different way of configuring
> > the
> > build and, while there have been a few updates, using a MIT based
> > Samba
> > DC is still considered experimental. Do not use one in production,
> > only
> > use one for testing purposes.
> >
> > Rowland
>
> While the above is our correct official statement (and covers in
> particular how much promise we give on any security issues, because
> some of those have to be fixed in both places which is difficult),
> since the efforts over Dec->Feb this year, things are much
> better.
>
> Extensive testsuites were written and they mostly pass, so there can
> be
> some increased comfort if MIT Kerberos is an organisational
> requirement.
>
> There is no RODC support in the MIT KDC.
>
> Andrew Bartlett
This wikipage:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
States that using MIT is experimental, it also lists these limitations:
Samba DCs with MIT Kerberos KDC currently do not support:
PKINIT support required for using smart cards
Service for User to Self-service (S4U2self)
Service for User to Proxy (S4U2proxy)
Running as a Read only domain controller (RODC)
Authentication Audit logging
Computer GPO's are not applied, see Bug 13516
Have any of these changed and can they be removed from the list ?
Rowland