On 29/01/2023 14:00, Michael Tokarev via samba wrote:
> 29.01.2023 16:51, Rowland Penny via samba wrote:
>
>> From the distros you mentioned, the first two didn't supply Samba
>> packages that could be provisioned as a DC. As far as I am aware,
>> Slackware is the same. Arch did supply Samba packages that could be
>> used as an AD DC; these used Samba's builtin Heimdal. Are you saying
>> that this has changed and they now use MIT?
>
> I haven't followed history.

I have.

Redhat is on record as saying that they will never supply Samba packages
that will be capable of being provisioned as a DC (they want you to use
freeipa).

> At least Fedora provides samba ad-dc packages built with mit-krb5 for
> quite some time (I posted their rpm.spec file here).

Yes I know, I just wish they would be honest and mark them as
experimental.

> Arch samba also works as an ad-dc.

Arch has always worked as an AD DC, but they did use Heimdal; if they
have moved to MIT, then they have also moved to the 'experimental' camp.

> ..
>
>> Seeing as how Samba is now using pretty much the latest Heimdal, I am
>> not surprised it works. However, Samba tests against the Heimdal it
>> supplies.
>
> Samba tests against mit-krb5 too, fwiw.

This I know, but, as far as I am aware, it is just so that the code
doesn't get broken.

> Unfortunately, due to the way samba builds for testing has little to
> do with production build.

No, in my opinion, it has little to do with what you perceive to be a
production build.

From my perspective, until Samba stops marking MIT as experimental and
leaves the choice of KDC type up to the installer, the only KDC to use
in production is the Heimdal one that Samba provides.

Your views are probably different.

Rowland
On 29/01/2023 14:12, Rowland Penny via samba wrote:
>
> Arch has always worked as an AD DC, but they did use Heimdal; if they
> have moved to MIT, then they have also moved to the 'experimental' camp.

After a bit of digging, Arch is still using Heimdal, or that is how I read
it. From their samba PKGBUILD in git, there is this:

    ./configure --enable-fhs \
        --prefix=/usr \
        --sysconfdir=/etc \
        --sbindir=/usr/bin \
        --libdir=/usr/lib \
        --libexecdir=/usr/lib/samba \
        --localstatedir=/var \
        --with-configdir=/etc/samba \
        --with-lockdir=/var/cache/samba \
        --with-sockets-dir=/run/samba \
        --with-piddir=/run \
        --with-ads \
        --with-ldap \
        --with-winbind \
        --with-acl-support \
        --with-systemd \
        --systemd-install-services \
        --with-pam \
        --with-pammodulesdir=/usr/lib/security \
        --bundled-libraries=!tdb,!talloc,!pytalloc-util,!tevent,!popt,!ldb,!pyldb-util \
        --with-shared-modules=${_samba4_idmap_modules},${_samba4_pdb_modules},${_samba4_auth_modules},vfs_io_uring \
        --disable-rpath-install \
        --with-profiling-data
        # Add this to the options once it's working...
        #--with-system-mitkrb5 /opt/heimdal

Notice that '--with-system-mitkrb5' is commented out and that needs to be
set to build with MIT.

Rowland
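As an added example (not code from the thread, from Arch's PKGBUILD, or from Samba), here is a small POSIX shell check that reads a configure invocation such as the fragment above and reports which KDC flavour it selects, treating a commented-out --with-system-mitkrb5 as not set. The two sample inputs are constructed; the --with-system-heimdalkrb5 branch is an assumption about Samba's sibling option for a system Heimdal, which the thread does not mention.

```shell
#!/bin/sh
# Added example: classify which Kerberos implementation a Samba configure
# invocation selects. Not Arch's PKGBUILD tooling nor Samba's own scripts.

# Constructed input modelled on the Arch fragment quoted in the thread:
# the MIT flag is present only inside a comment, so it is not in effect.
SAMPLE_ARCH='./configure --enable-fhs \
    --prefix=/usr \
    --with-ads \
    --with-profiling-data
    # Add this to the options once it is working...
    #--with-system-mitkrb5 /opt/heimdal'

# Constructed input for a build that really selects the system MIT library.
SAMPLE_MIT='./configure --enable-fhs \
    --with-system-mitkrb5 \
    --with-ads'

# Reduce a configure invocation to its effective flags: strip "#" comments
# (whole-line or trailing) and the line-continuation backslashes.
effective_flags() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*#.*$//' -e 's/\\[[:space:]]*$//'
}

# Print one word: "mit" when --with-system-mitkrb5 is active,
# "system-heimdal" for --with-system-heimdalkrb5 (assumed sibling option),
# otherwise "bundled-heimdal", which is what Samba builds when neither
# system flag is given.
kdc_flavour() {
    flags=$(effective_flags "$1" | tr '\n' ' ')
    case " $flags " in
        *" --with-system-mitkrb5"*)     echo mit ;;
        *" --with-system-heimdalkrb5"*) echo system-heimdal ;;
        *)                               echo bundled-heimdal ;;
    esac
}

echo "arch sample: $(kdc_flavour "$SAMPLE_ARCH")"   # bundled-heimdal
echo "mit sample:  $(kdc_flavour "$SAMPLE_MIT")"    # mit
```

To use it on a real PKGBUILD or spec file, pass the text of the configure call to kdc_flavour. On an already installed system the same question can be asked of the binary instead: the bundled Heimdal ships as Samba private libraries with names like libkrb5-samba4.so, whereas a MIT build links the system libkrb5.so.3, so inspecting ldd output for smbd is a quick heuristic (a library-naming assumption, not something the thread states).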
29.01.2023 17:12, Rowland Penny via samba wrote:
..
>> Unfortunately due to the way samba builds for testing has
>> little to do with production build.
>
> No, in my opinion, it has little to do with what you perceive to be a
> production build.

FWIW, I never expressed what is, in my view, a build suitable for
production.

/mjt
On 1/29/23 09:12, Rowland Penny via samba wrote:
>
> On 29/01/2023 14:00, Michael Tokarev via samba wrote:
>> 29.01.2023 16:51, Rowland Penny via samba wrote:
>>
>>> From the distros you mentioned, the first two didn't supply Samba
>>> packages that could be provisioned as a DC. As far as I am aware,
>>> Slackware is the same. Arch did supply Samba packages that could be
>>> used as an AD DC; these used Samba's builtin Heimdal. Are you saying
>>> that this has changed and they now use MIT?
>>
>> I haven't followed history.
>
> I have.
> Redhat is on record as saying that they will never supply Samba
> packages that will be capable of being provisioned as a DC (they want
> you to use freeipa).
>
>> At least Fedora provides samba ad-dc packages built
>> with mit-krb5 for quite some time (I posted their rpm.spec file here).
>
> Yes I know, I just wish they would be honest and mark them as
> experimental.
>
>> Arch samba also works as an ad-dc.
>
> Arch has always worked as an AD DC, but they did use Heimdal; if they
> have moved to MIT, then they have also moved to the 'experimental' camp.
>
>> ..
>>
>>> Seeing as how Samba is now using pretty much the latest Heimdal, I
>>> am not surprised it works. However, Samba tests against the Heimdal
>>> it supplies.
>>
>> Samba tests against mit-krb5 too, fwiw.
>
> This I know, but, as far as I am aware, it is just so that the code
> doesn't get broken.
>
>> Unfortunately due to the way samba builds for testing has little to
>> do with production build.
>
> No, in my opinion, it has little to do with what you perceive to be a
> production build.
>
> From my perspective, until Samba stops marking MIT as experimental and
> leaves the choice of KDC type up to the installer, the only KDC to use
> in production is the Heimdal one that Samba provides.
>
> Your views are probably different.
>
> Rowland
>

I am torn between using Heimdal and MIT.

On the one hand, I really like to use the packages supplied by the distro
with as little "customization" as possible, which in my case would be
MIT. On the other hand, my initial DC deployment using Slackware 14.1 back
in 2014 apparently did use Heimdal. And it appears that Heimdal is the
recommended kerberos by Samba.

For reasons explained earlier, including not using --dns-backend=BIND9_FLATFILE,
which is apparently obsolete, I am going to attempt to set up another DC
using the latest Slackware 15.0 distro. I will find out how to transfer all
the FSMO roles to this new DC, then decommission the old one.

I will go ahead and attempt to use the Heimdal kerberos if possible.
However, the instructions at
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Kerberos
just start with, "Set the following settings in your Kerberos client
configuration file /etc/krb5.conf", nothing about choosing which kerberos.

Before I get too deep into this, how do I specify using Heimdal on a
system that comes with MIT?

THX
--Mark