On 01/31/2013 12:39 PM, Thomas Trepl wrote:
> Hi,
>
> On 01/28/2013 06:48 PM, Thomas Trepl wrote (in another thread):
>> Well, dropping heimdal was for sure not without a reason. At least at the
>> moment, for me it's not quite a problem to continue without as Samba4 seems
>> to support mit-krb5 well (which means so far, it compiles well against
>> it).
>>
>> For the moment, I think there's no real pressure to get heimdal back -
>> except you want it. I'll continue my survey of Samba4 for the moment with
>> mit-krb5. They have prepared enough challenges to master, one is their
>> waf build system, the dns stuff and such. Maybe, if interests are there,
>> we could rethink that when Samba4 manages it to get into the book.
> It turns out that this is no longer true. It seems that AD-controller
> functionality is indeed only available when having Heimdal around. Even though
> Samba4 compiles well against mit-krb5, it disables building AD-DC functionality (even
> though the build log says that AD support gets compiled in. Maybe true for
> becoming an AD member, but the controller part isn't built/installed. You can
> check that simply whether samba-tool gets installed or not).
>
> Also the Arch developers came across this issue and build their Samba4 package
> with the bundled heimdal package and there is/was a discussion on the Samba ML
> in order to get over that issue. Currently, there seems to be no way to get
> AD-DC functionality with using any krb package except (the bundled?) Heimdal.
>
> I put the "bundled" in parenthesis as I currently do not have a standalone
> Heimdal installation (and will do a fresh build of {,B}LFS next time to have a
> clean environment without mit-krb5 leavings around. Unfortunately I missed to
> take a snapshot of the VM before installing mit-krb5 and such).
>
> I'm just testing with
>
> LINKFLAGS="-ltirpc" ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --localstatedir=/var \
> --with-piddir=/run \
> --enable-fhs \
> --enable-nss-wrapper \
> --enable-socket-wrapper \
> --disable-rpath-install \
> --dns-backend=SAMBA_INTERNAL --with-dnsupdate \
> --without-pam \
> --with-ads --with-ldap --with-swat --with-winbind --enable-gnutls
>
> Just in case someone is interested in building an AD controller...
>
Hmm...I forget exactly how it works technically, but an NTLM ticket
needs to be "attached" (for lack of a better word) to the Kerberos
ticket. I remember reading about it a few years ago, but this was the
part that Microsoft did not give back to MIT when they used their
Kerberos implementation to design Windows 2000. It was a bit of a sore
spot for MIT for a while. This is not the same article that I had read
so long ago, but it gives a brief overview.
http://www.networkworld.com/news/2000/0511kerberos.html Notice the date,
a lot has changed since then, and Microsoft has given quite a bit of
help to the Samba 4 devs (I'm not sure how that arrangement came about).
At any rate, I guess Heimdal must have some feature not present in the
MIT reference implementation.
-- DJ
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page