On Sat, 7 Apr 2018 11:37:18 +0200 Mathieu Parent <math.par...@gmail.com> wrote:
Hi,
Most of this was done in Samba 4.8, but we still build with Heimdal in Debian.
There are two reasons:
- missing features [1]
The missing features needs to be evaluated really, - how relevant these actually
are these days. For example, "Computer GPO's are not applied" listed in that
wiki pages seems to work fine.
- fear to break things (especially on upgrade)
Things are easy to break indeed. But from the same wiki page it *seems* a
switch is
actually easy - the only thing needed is to create
/var/lib/samba/private/kdc.conf
file. I dunno how much this is true.
I hope that the feature gap will decrease in 4.9 and later, but we
probably won't migrate before buster+1 (i.e next-next stable)
How about buster+4? :))
Anyway, I implemented a build profile, pkg.samba.mitkrb5, to build whole samba
(with the experimental ad-dc support) with mit-krb5. Dunno how it will go..
Thanks,
/mjt
[1]: Samba DCs with MIT Kerberos KDC currently do not support:
- PKINIT support required for using smart cards
- Service for User to Self-service (S4U2self)
- Service for User to Proxy (S4U2proxy)
- Running as a Read only domain controller (RODC)
(https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC)
