On 6/28/24 08:16, Douglas Bagnall wrote: ..> One of the reporters says "building bind against heimdal instead of MIT krb5 > solves this issue", which I guess is consistent with a symbol clash.Heh. Wow. And I guess, building samba against MIT krb5 will solve that issue too :) Having two krb5 implementations loaded into the same address space is asking for BIG troubles. And we already have this on a large scale.. I reported this last summer already. Besides, it looks like samba libraries are "too dirty", so to say, - eg, I don't think bind_dlz.so needs any krb5 stuff, it just talks to samba-ad-dc over a unix socket. It needs none of samba libraries. But here I might be completely wrong. It links with heimdal, libwbclient, etc. /mjt -- GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24. New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
On 6/28/24 08:44, Michael Tokarev wrote: ..> Besides, it looks like samba libraries are "too dirty", so to say, - eg, I don't think > bind_dlz.so needs any krb5 stuff, it just talks to samba-ad-dc over a unix socket. > It needs none of samba libraries.? But here I might be completely wrong.? It links > with heimdal, libwbclient, etc.Aha.. bind_dlz talks to samba using kerberos. Somehow I thought it uses a socket in /var/lib/samba/private/ like ntp. I was wrong indeed. So bind_dlz obviously needs kerberos. It looks like it should be build the same way nss_winbind & pam_winbind are built, with all samba modules compiled into the binary. Also, I think it would be useful if mit-krb5 and heimdal checks if both of them are loaded into the same address space and fail to run, since symbol clashes is too basically unavoidable in this case. This means there's no bind_dlz for heimdal- based samba though, but it's better be sorry than crash (neither works anyway). Samba should really switch to mit-krb5... /mjt -- GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24. New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5 Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
On Fri, 28 Jun 2024 08:44:01 +0300 Michael Tokarev via samba <samba at lists.samba.org> wrote:> On 6/28/24 08:16, Douglas Bagnall wrote: > .. > > One of the reporters says "building bind against heimdal instead of > > MIT krb5 solves this issue", which I guess is consistent with a > > symbol clash. > > Heh. Wow. And I guess, building samba against MIT krb5 will solve > that issue too :) >And then again, it might not, the first bug report on the list Douglas provided was about bind9 crashing on fedora, fedora does build Samba with MIT. Rowland