On Mon, 02 Sep 2019, Nico Kadel-Garcia wrote:
> On Mon, Sep 2, 2019 at 9:25 PM Robert Marcano
> > On 9/2/19 4:52 PM, Nico Kadel-Garcia wrote:
> > > On Mon, Sep 2, 2019 at 3:33 PM Alexander Bokovoy <abokovoy(a)redhat.com>
> > >> On Mon, 02 Sep 2019, Dario Lesca wrote:
> > >>> On Mon, 02/09/2019 at 11.26 -0400, Robert Marcano wrote:
> > >>>> I switched to run Samba DCs on a container with non Fedora / RHEL /
> > >>>> CentOS provided RPMs.
> > >>> Thanks Robert for the reply.
> > >>> Then why not release Samba compiled with Heimdal Kerberos?
> > >>> Just change a flag at build time, and all can use it in a production
> > >>> environment.
> > >> We do not support Heimdal builds in Fedora. It is not possible to reuse
> > >> components of Samba built against Heimdal within other applications
> > >> compiled against MIT Kerberos. This is, in particular, a show-stopper
> > >> for FreeIPA and SSSD integration.
> > > My personal experience is that this is not true. sssd in a recent
> > > Fedora (Fedora 29 last year) works just fine against an honest-to-god
> > > Samba 4.9 domain controller on RHEL 7. I've not tested it with
> > > samba 4.11rc2 yet, as I'm still working on that port. sssd also works
> > > against a real AD controller. sssd does not rely on a freeipa server.
> > > It has genuinely unfortunate behavior of pre-downloading the *entire*
> > > LDAP tree, and breaking if it can't complete this, but that's another
> > > issue that won't be visible in most small test environments with local
> > > domain controllers.
> > The parent poster is referring to having two Kerberos implementations in
> > the same process, not on two different machines. For example, an
> > application linking against Samba libraries with Heimdal and at the same
> > time linking with system MIT Kerberos for other features of that
> > application unrelated to Samba.
> Sorry to sound critical, but this is irrelevant because, to use domain
> controller enabled Samba, it compiles its own internal Kerberos. There
> are other system libraries which Samba shares, such as libtalloc and
> libldb, but for the domain controller. As best I can tell with sssd,
> it's not been a problem. I did not run FreeIPA at all after some
> failed attempts, and found with Samba compatible completely with AD
> and the clients able to work, I had no use for it. So the libraries
> did not overlap.
SSSD itself is buildable against Heimdal. However, for quite a few
features it uses MIT Kerberos-provided APIs that do not exist in Heimdal.
This means that when it is built against Heimdal, you cannot use those
features (2FA support, prompting in Kerberos clients, etc).
If you have SSSD built against MIT Kerberos and Samba AD built against
the internal Heimdal version, the tools from Samba AD would be linked to
Heimdal libraries. This also means they would expect the Kerberos
credential cache format the same way as Heimdal expects it. If those
credential caches are produced by SSSD or a normal kinit (which is MIT
Kerberos in Fedora), they may lose some details/flags or be simply
inaccessible. For example, Heimdal does not know anything about KEYRING
and DIR credential cache types. Also, there is a difference in flags
stored in FILE ccaches.
> If FreeIPA were dropped from Fedora, would there remain any reason to
> prefer MIT Kerberos over Heimdal Kerberos? It's not that I object to
> MIT Kerberos; I know several of the authors personally as old
> friends. But that's not a reason to prefer the software.
As I said, you are in your own right to build infrastructure as you want,
for example in modules or in COPR. As a group of maintainers for MIT
Kerberos, Samba, FreeIPA, and SSSD in Fedora we are trying to deliver a
uniform working solution that spans servers and workstations altogether.
As far as I know, one of the biggest missing pieces for Samba AD DC with the
MIT backend is a bug with GPO enforcement that is tracked upstream. There
are a few others but they are of lesser importance.
When we decided to mark MIT backend for Samba AD as experimental at
Samba upstream, it was our decision (mine and Andrew Bartlett) to allow
MIT support to brew a bit at a slower pace. Samba team's opinion is to
get rid of Heimdal integration eventually and concentrate on a single
supported Kerberos implementation -- MIT Kerberos. It takes time and is
currently suspended due to crypto consolidation work we are doing for
various reasons but we'll get there. There are not so many developers
who are willing to work on core infrastructure components.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
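A practical check for the credential-cache mismatch Alexander describes (Heimdal-linked Samba AD tools cannot read the KEYRING and DIR cache types that an MIT-built SSSD or kinit may produce), as an added example that is not part of this thread or of any of the projects mentioned. It resolves the cache location the way MIT krb5 does (KRB5CCNAME first, then `default_ccache_name` in the `[libdefaults]` section of krb5.conf, then the MIT built-in `FILE:/tmp/krb5cc_%{uid}`; the built-in default and the list of known cache types are assumptions stated in the code), classifies the cache type, and reports whether a Heimdal-linked tool could be expected to open it. The krb5.conf text is a constructed sample, not a Fedora configuration.

```python
"""Report whether the effective Kerberos credential cache is of a type a
Heimdal-linked tool can read.  Added example; it reflects the thread's
statement that Heimdal has no KEYRING or DIR ccache support."""
import re

# Cache types the thread says Heimdal does not understand.
HEIMDAL_UNSUPPORTED = {"KEYRING", "DIR"}
# Assumption: cache types MIT krb5 accepts as a TYPE: prefix.
KNOWN_TYPES = {"FILE", "DIR", "KEYRING", "MEMORY", "KCM"}
# Assumption: MIT krb5's compiled-in default when nothing is configured.
MIT_BUILTIN_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"

# Constructed sample krb5.conf, chosen to show the problematic setting.
SAMPLE_KRB5_CONF = """\
# constructed sample, not a real Fedora configuration
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_kdc = true

[realms]
    EXAMPLE.TEST = {
        kdc = dc1.example.test
    }
"""


def parse_libdefaults(text):
    """Return key/value pairs from the [libdefaults] section.

    Skips comments and blank lines, and ignores the brace-delimited
    subsections that other sections (e.g. [realms]) use."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def expand(spec, uid):
    """Expand the %{uid}/%{euid} parameters MIT krb5 allows in ccache names."""
    return spec.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))


def ccache_type(spec):
    """Cache type of a ccache spec; a bare path without a known TYPE:
    prefix is treated as FILE, as MIT krb5 does."""
    m = re.match(r"^([A-Za-z]+):", spec)
    if m and m.group(1).upper() in KNOWN_TYPES:
        return m.group(1).upper()
    return "FILE"


def resolve_ccache(env, conf_text, uid):
    """KRB5CCNAME overrides default_ccache_name, which overrides the
    compiled-in default."""
    spec = (env.get("KRB5CCNAME")
            or parse_libdefaults(conf_text).get("default_ccache_name")
            or MIT_BUILTIN_DEFAULT)
    return expand(spec, uid)


def heimdal_readable(spec):
    return ccache_type(spec) not in HEIMDAL_UNSUPPORTED


def report(env, conf_text, uid):
    """Summarise the effective cache and whether Heimdal-linked tools
    (such as Samba AD's) should be expected to open it."""
    spec = resolve_ccache(env, conf_text, uid)
    return {"ccache": spec,
            "type": ccache_type(spec),
            "heimdal_readable": heimdal_readable(spec)}


if __name__ == "__main__":
    # Default configuration from the sample: KEYRING, unreadable by Heimdal.
    print(report({}, SAMPLE_KRB5_CONF, 1000))
    # An explicit FILE cache via KRB5CCNAME is the usual workaround.
    print(report({"KRB5CCNAME": "FILE:/tmp/krb5cc_1000"}, SAMPLE_KRB5_CONF, 1000))
```

Running it against a live host means passing `os.environ` and the contents of `/etc/krb5.conf` to `report()`; a `heimdal_readable` of `False` is the signal that Samba AD's Heimdal-linked tools should be pointed at a FILE cache (for example via `KRB5CCNAME`) rather than at the cache SSSD or MIT kinit populated. The check says nothing about the FILE-ccache flag differences Alexander also mentions, which can only be verified by trying the cache with the tool in question.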