Franta Hanzlík
2025-Jun-30 10:50 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Hi Rowland, thanks for the clarification!

On Mon, 30 Jun 2025 08:46:42 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 29 Jun 2025 23:26:40 +0200
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> > [...]
> >
> > Regarding using Debian distro - we have been using Fedora for a long
> > time now because we know it. And we compile Samba packages for DC
> > ourselves, with Heimdal Kerberos (Fedora has MIT, I'm not sure how
> > suitable it is for production deployment, I think it is still marked
> > as experimental). I don't know if switching to Debian would cause
> > some confusion and damage, when it will be new for us. IMO there will
> > not be much difference in functionality, although support in Debian
> > is probably greater today than in Fedora.
>
> In my opinion, the problem with Fedora is, they are not honest. The use
> of MIT for the kdc on a Samba AD DC is experimental and Red Hat is on
> record as saying there will never be Samba packages for RHEL that can
> be provisioned as an AD DC, but they do not and will not tell their
> users this.
>
> You can easily switch to Debian, just install Debian 12 in a VM,
> install Samba from bookworm-backports and you will get the latest Samba
> version (4.22.2 at present), just join this and it will work.
>
> Rowland
> --

From what I've gleaned from the Fedora mailing list and website and the internet, I get the impression that Fedora's status on using Heimdal or MIT Kerberos is roughly:
- Heimdal Kerberos doesn't have all the features the team needs (but that probably applies to the old pre-7.x versions from 7+ years ago)
- MIT Kerberos fits better into their FreeIPA (Identity, Policy, Audit) project.
- and maybe it's also their effort to maintain more control over FreeIPA and possibly related projects.

In the long run, switching to Debian would probably be a better option, but right now it would mean a bit more of a burden. We'll think about it...

--
Thank You, Franta Hanzlik

Rowland Penny
2025-Jun-30 11:08 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On Mon, 30 Jun 2025 12:50:44 +0200 Franta Hanzlík <franta at hanzlici.cz> wrote:

> From what I've gleaned from the Fedora mailing list and website and
> the internet, I get the impression that Fedora's status on using
> Heimdal or MIT Kerberos is roughly:
> - Heimdal Kerberos doesn't have all the features the team needs (but
> that probably applies to the old pre-7.x versions from 7+ years ago)

Yes, there are differences between MIT and Heimdal, but Samba is mainly written to work with Heimdal (that is the server on a DC, not the clients, they are happy with MIT tools). I can sort of understand Red Hat's stance on this, they do not want to have to support both Heimdal and MIT on the same machine, while Fedora just compiles Samba with MIT and doesn't say anything (or if they have, I missed it). By using MIT, there are a few things that do not work.

> - MIT Kerberos fits better into their FreeIPA (Identity, Policy,
> Audit) project.

That is one reason they do not require a Samba AD DC, they have FreeIPA.

> - and maybe it's also their effort to maintain more control over
> FreeIPA and possibly related projects.

Well, FreeIPA is their product, which is why it works well on Red Hat distros.

> In the long run, switching to Debian would probably be a better
> option, but right now it would mean a bit more of a burden.
> We'll think about it...

Not sure why it would be a burden, create new VM, install Debian 12, use Samba from bookworm backports, join as a DC in exactly the same way. I can do it in a very short while.

Rowland

PS, please do not 'CC' me, it breaks my mail flow, just reply to list.