On 13.01.23 at 11:31, Rowland Penny via samba wrote:
>
> On 13/01/2023 09:53, Markus Dellermann via samba wrote:
>> Hi Thorsten, hi Rowland,
>> Just one hint from me:
>> openSUSE-samba-Packages are normally mit-kerberos based.
>> For DCs it could be better to use the heimdal-based
>>
>> There are some convenient repos on openSUSE-Build-Server..
>>
>> Markus
> I thought that the standard suse Samba packages were like the rhel ones,
> you cannot use them for a DC, or are they like the fedora ones, where you
> can, but shouldn't ?
>
> Try running:
>
> smbd -b | grep HAVE_LIBKADM5SRV_MIT
>
> If you get back:
>
> HAVE_LIBKADM5SRV_MIT
>
> Then you are using MIT.
>
> If you are using MIT, then I suggest you find and use packages that have
> been compiled for Heimdal. If you cannot find any, then I suggest you
> use a different OS, such as Debian 11
>
> Rowland

Will I face serious problems if I continue with the MIT kerberos based samba packages? I like my openSUSE but I don't like to use packages aside from the official ones. But honestly I'm somewhat surprised about the fact that openSUSE stays on MIT Kerberos and doesn't switch to Heimdal (at least for samba builds).

Cheers Thorsten
On 13/01/2023 11:28, Thorsten Marquardt via samba wrote:
>
> Will I face serious problems if I continue with the MIT kerberos based
> samba packages? I like my openSUSE but I don't like to use packages
> aside from the official ones. But honestly I'm somewhat surprised about
> the fact that openSUSE stays on MIT Kerberos and doesn't switch to
> Heimdal (at least for samba builds).
>
> Cheers Thorsten
>
>

I take it that you are using MIT.

There is a wiki page about using MIT:

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

This page was altered back in November and these lines about the known limitations were removed:

* PKINIT support required for using smart cards
* Service for User to Self-service (S4U2self) not supported
* Service for User to Proxy (S4U2proxy) not supported
* Computer GPO's are not applied, see [https://bugzilla.samba.org/show_bug.cgi?id=13516 Bug 13516]

I am unclear about the first three, but the bug referred to in the last one is still open.

Using Samba packages that use MIT for a DC is experimental and isn't supported in production.

RHEL does not supply any Samba packages that can be provisioned as a DC, but are fine for a Unix domain member. Fedora (and seemingly, Suse) do provide Samba packages that can be provisioned as a DC, but I wish they would state that they should only be used for testing because they use MIT for the kdc.

Any and all Samba OS packages are okay for use as Unix domain members etc, it is just the use of MIT as the kdc that is experimental.

Rowland
Hi,

On Friday, 13 January 2023, 12:28:24 CET, Thorsten Marquardt via samba wrote:
> On 13.01.23 at 11:31, Rowland Penny via samba wrote:
> > On 13/01/2023 09:53, Markus Dellermann via samba wrote:
> >> Hi Thorsten, hi Rowland,
> >> Just one hint from me:
> >> openSUSE-samba-Packages are normally mit-kerberos based.
> >> For DCs it could be better to use the heimdal-based
> >>
> >> There are some convenient repos on openSUSE-Build-Server..
> >>
> >> Markus
> >
> > I thought that the standard suse Samba packages were like the rhel ones,
> > you cannot use them for a DC, or are they like the fedora ones, where you
> > can, but shouldn't ?
> >

the latter..

> > Try running:
> >
> > smbd -b | grep HAVE_LIBKADM5SRV_MIT
> >
> > If you get back:
> >
> > HAVE_LIBKADM5SRV_MIT
> >
> > Then you are using MIT.
> >
> > If you are using MIT, then I suggest you find and use packages that have
> > been compiled for Heimdal. If you cannot find any, then I suggest you
> > use a different OS, such as Debian 11
> >
> > Rowland
>
> Will I face serious problems if I continue with the MIT kerberos based
> samba packages? I like my openSUSE but I don't like to use packages
> aside from the official ones.

Shouldn't it be possible to test if mitkrb-packages work well for you and otherwise switch to heimdal-packages?
In this case this repo could be a good way for usage of current Packages:
https://build.opensuse.org/project/show/network:samba:ADDC

> But honestly I'm somewhat surprised about
> the fact that openSUSE stays on MIT Kerberos and doesn't switch to
> Heimdal (at least for samba builds).
>

hm, Compliance.?.

> Cheers Thorsten

Markus