The Samba-Bugzilla – Bug 8717
Support for system MIT Kerberos
Last modified: 2012-05-29 12:59:26 UTC
For most vendors it is a MUST that Samba supports a MIT system kerberos library
which is the most common kerberos library shipped with today's Linux systems.
- MIT Kerberos and Heimdal have different features, for distributions
that standardize on MIT Kerberos we want all kerberized applications to
have the MIT feature set.
For example in 1.10 MIT added a new dir base credential cache, if samba
binaries are linked against Heimdal the client utilities will fail to
properly operate on a system where the new MIT credential caches are
There are other features that present the same issue either on the
client or on the file server side.
- All libraries in a system that use the MIT kerberos implementation and
also provide some form of kerberos support are dynamically linked to the
MIT libraries, for example openldap libraries.
Although we try to hide the Heimdal symbols with linker tricks it is
really not good practice to link both libraries in the same binary as a
change in dependencies within samba can very easily cause issues later
Other reasons that are particularly important for vendors are:
- security issues and security fixes
- software certifications
It is evident that we cannot switch to using MIT instead of Heimdal everywhere in Samba immediately.
Therefore we propose a step-by-step approach that starts with the samba client
One of the first steps would be to re-enable the system kerberos checks which were created during the s3-waf build. These checks detect MIT as well as Heimdal sufficiently and activate abstraction code for missing functionality.
Also, as a next step, the build system should allow linking at least the client krb5 users (at least the s3 ones) against a system (MIT) kerberos library.
In the (s3) smb server (session setup) as well as in the rpc server a lot of effort has already been put into consolidating the usage of gensec so that supporting a system (MIT) kerberos library is probably just a question of creating an appropriate backend.
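The report warns against ending up with both the bundled Heimdal and the system MIT libraries in one binary. The following check, added here as an example and not part of Samba or this bug, classifies a built binary's Kerberos linkage from its ldd output; the library sonames it matches (MIT libkrb5.so.3, libk5crypto, libkrb5support, libgssapi_krb5; Heimdal libkrb5.so.26, libasn1, libhx509, libroken, and Samba's "-samba4"-suffixed bundled copies) are assumed to be the usual ones.

```shell
#!/bin/sh
# Added example (not Samba project code): read ldd-style lines
# ("libfoo.so.N => /path/libfoo.so.N (0x...)") on stdin and print
# one of: mit, heimdal, both, none.
# "both" is the case the bug report calls bad practice: a single
# binary pulling in the MIT system library and a Heimdal copy.
classify_krb5_linkage() {
    mit=0
    heimdal=0
    while read -r line; do
        case "$line" in
            # MIT Kerberos sonames (libkrb5.so.3 must not match libkrb5.so.26)
            *"libkrb5.so.3 "*|*libkrb5.so.3|*libk5crypto.so*|*libkrb5support.so*|*libgssapi_krb5.so*)
                mit=1 ;;
            # Heimdal sonames, including Samba's private "-samba4" build
            *libkrb5.so.26*|*libkrb5-samba4.so*|*libasn1*.so*|*libhx509*.so*|*libroken*.so*|*libheimntlm*.so*)
                heimdal=1 ;;
        esac
    done
    # Plain libgssapi.so is deliberately not matched: several
    # implementations ship a library of that name.
    if [ "$mit" -eq 1 ] && [ "$heimdal" -eq 1 ]; then
        echo both
    elif [ "$mit" -eq 1 ]; then
        echo mit
    elif [ "$heimdal" -eq 1 ]; then
        echo heimdal
    else
        echo none
    fi
}

# Usage: ./krb5linkage.sh /path/to/smbclient
if [ $# -gt 0 ]; then
    ldd "$1" | classify_krb5_linkage
fi
```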
This is an important showstopper for releasing samba 4.0
Fixed in master and samba4 alpha21.