For most vendors it is a MUST that Samba supports a MIT system Kerberos library, which is the most common Kerberos library shipped with today's Linux systems.

Technical reasons:

- MIT Kerberos and Heimdal have different features; for distributions that standardize on MIT Kerberos we want all kerberized applications to have the MIT feature set. For example, in 1.10 MIT added a new dir-based credential cache; if Samba binaries are linked against Heimdal, the client utilities will fail to operate properly on a system where the new MIT credential caches are being used. There are other features that present the same issue either on the client or on the file server side.
- All libraries in a system that use the MIT Kerberos implementation and also provide some form of Kerberos support are dynamically linked to the MIT libraries, for example openldap libraries. Although we try to hide the Heimdal symbols with linker tricks, it is really not good practice to link both libraries in the same binary, as a change in dependencies within Samba can very easily cause issues later on.

Other important reasons, particularly important for vendors, are:

- security issues and security fixes
- maintainability
- software certifications

It is evident that we cannot switch to using MIT instead of Heimdal everywhere in Samba immediately. Therefore we propose a step-by-step approach that starts with the Samba client components. One of the first steps would be to re-enable the system Kerberos checks which were created during the s3-waf build. These checks detect MIT as well as Heimdal sufficiently, and they activate abstraction code for missing functionality. As a next step, the build system should also allow linking at least the client krb5 users (at least the s3 ones) against a system (MIT) Kerberos library.

In the (s3) smb server (session setup) as well as in the rpc server, a lot of effort has already been put into consolidating the usage of gensec, so that supporting a system (MIT) Kerberos library is probably just a question of creating an appropriate backend.

This is an important showstopper for releasing Samba 4.0.

Fixed in master and samba4 alpha21.