[Samba] Heimdal Kerberos in Samba4
Stefan Schäfer
2016-07-22 12:54:05 UTC
Hi List,

I do my best to ask my question in English. ;-)

Samba4 integrated Heimdal Kerberos to do the Kerberos work for Active
Directory. Some Linux distributions like Fedora/Red Hat and openSUSE/SUSE
don't accept Heimdal even if it is shipped inside Samba.

Their argument is that Heimdal hasn't been maintained since 2012. Compiling
Samba against MIT krb5 results in Samba packages without AD.

Result: Active Directory is impossible with the distribution packages
of Samba with the above mentioned Linux distributions.

Fedoras way to solve this is:

"We are intending to make possible use of AD DC functionality with MIT
Kerberos but this is longer term project that requires cooperation
between Samba, MIT, and FreeIPA."
which means never, in my opinion.

My questions:

Is the heimdal code inside of samba4 maintained by the samba team or is
this unmaintained static code?

Are there considerations about using MIT krb5 inside samba4 instead of
heimdal?

The intention of our project "invis-server" is to bring Samba 4 with AD
DC functionality into openSUSE. Therefore we need arguments for the
coming discussion.

Stefan
--
www.invis-server.org

Stefan Schäfer
Ludwigstr. 1-3
63679 Schotten
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Nico Kadel-Garcia
2016-07-25 05:38:44 UTC
Post by Stefan Schäfer
Hi List,
I do my best to ask my question in english. ;-)
Samba4 integrated heimdal kerberos to do the kerberos work for
Active Directory. Some Linux Distributions like fedora/RedHat and
openSUSE/SUSE don't accept heimdal even if it is shipped inside
samba.
Their argument is that heimdal hasn't been maintained since 2012.
Compiling samba against MIT krb5 results in Samba-Packages without
AD.
Result: Active Directory is impossible with the Distribution
packages of samba with the above mentioned Linux distributions.
"We are intending to make possible use of AD DC functionality with
MIT Kerberos but this is longer term project that requires
cooperation between Samba, MIT, and FreeIPA."
which means never, in my opinion.
No, you're wrong about that. Andreas, Guenther and Alexander
at Red Hat are working diligently every day towards this. We're planning
to get to that sooner rather than later.
Post by Stefan Schäfer
Is the heimdal code inside of samba4 maintained by the samba team or
is this unmaintained static code?
Maintained. If it's in Samba we are responsible.
Once it's working with MIT we'll eventually remove
it from our tree though.
I really wish you luck with that, because it's been an ongoing problem
in Fedora. The Red Hat personnel I personally met working with
Kerberos were pretty tightly focused on SSSD, which seems to me to be
a fairly silly re-implementation of what Samba already does more
broadly and more consistently.
Post by Stefan Schäfer
Are there considerations about using MIT krb5 inside samba4 instead
of heimdal?
Talk to Andreas, Guenther and Alexander for the latest.
Post by Stefan Schäfer
The intention of our project "invis-server" is to bring samba 4 with
AD DC functionality into openSUSE. Therefore we need arguments for
the coming discussion.
Hurrah ! I'm really glad to hear this ! If you could
coordinate with the people doing the Heimdal -> MIT
work then we can get there faster.
Cheers,
Jeremy.
I'd also encourage you to take a look at the Fedora "rawhide"
bundles, for tracing of changed components for RPM. And if you like,
you might even take a look at my DC enabled ports over at
https://github.com/nkadel/samba4repo and
https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5
Jeff Sadowski
2016-07-29 04:13:41 UTC
I would like to start testing this? I saw a few months back Alexander
Bokovoy released a build for F23 and I started using that. Now that F24 is
out I have to look for a way to upgrade. Is there a build for rawhide with
this? The standard samba-ad package for rawhide that install still doesn't
come with samba-tool. And compiling samba 4.4.5 with-mit-krb5
automatically disables ad support it seems as samba-tool is missing unless
I remove that option. Is this going to be fixed in 4.5.0? Should I download
the source code for 4.5.0 and do I need a bunch of patches that I get
somewhere? I'm a regular Fedora user and I am having difficulties seeing
how to put this all together.
Jeff Sadowski
2016-07-29 04:15:32 UTC
Correction: samba-dc still doesn't come with samba-tool.
mathias dufresne
2016-08-01 14:27:45 UTC
As we wanted to test the latest Samba version we had to compile Samba manually
once 4.3.0 came out.
As we wanted to continue to deploy Samba using the system's package manager, we
decided to build our own RPM.
As I hate RPM, I had to learn. As I'm lazy, I tried not to waste too much
time learning RPM.

So I downloaded the .spec from Sernet's package 4.2.x, I modified that .spec to
match the new Samba version and I used rpmbuild to build my RPMs (our systems
are CentOS 7).

This needed some time but has been working since 4.3.0 came out, which is already
a bunch of months and also a bunch of versions recompiled using the same
.spec, each time with some little adjustments.

And now we have one .spec which is used once per Samba version. The generated
RPMs can be used for our AD DC and also for our file servers.

Cheers.
Jeff Sadowski
2016-08-01 16:37:20 UTC
Updating Fedora-rawhide this morning I see 4.5.0rc1 has arrived. And still
no samba-tool so I looked at installing from source with

dnf download --source samba
rpm -i samba*src.rpm

Looking at the spec file I see a section

%if ! %with_dc
--without-ad-dc \
%endif

How do I tell rpmbuild with_dc?
Nico Kadel-Garcia
2016-08-02 00:30:29 UTC
Post by Jeff Sadowski
updating Fedora-rawhide this morning I see 4.5.0rc1 has arrived. And still
no samba-tool so I looked at installing from source with
dnf download --source samba
rpm -i samba*src.rpm
looking at the spec file I see a section
%if ! %with_dc
--without-ad-dc \
%endif
How do I tell rpmbuild with_dc?
The simplest is to define it in your personal "$HOME/.rpmmacros" when
building your test compilation. The second simplest is to use the
"rpmbuild --define" options. Look up the variations of "--define" in
the rpmbuild documentation or via Google search for more intelligible
descriptions than I can provide right now.