Bug 8717 - Support for system MIT Kerberos
Summary: Support for system MIT Kerberos
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Build (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Tridgell
QA Contact: samba4-qa@samba.org
Depends on:
Blocks: 8622
  Show dependency treegraph
Reported: 2012-01-24 13:41 UTC by Guenther Deschner
Modified: 2012-05-29 12:59 UTC (History)
5 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Guenther Deschner 2012-01-24 13:41:44 UTC
For most vendors it is a MUST that Samba supports a MIT system kerberos library
which is the most common kerberos library shiped with todays Linux systems.

Technical reasons:

- MIT Kerberos and Heimdal have different features, for distributions
that standardize on MIT Kerberos we want all kerberized applications to
have the MIT feature set.
For example in 1.10 MIT added a new dir base credential cache, if samba
binaries are linked against Heimdal the client utilities will fail to
properly operate on a system where the new MIT credential caches are
being used.
There are other features that present the same issue either on the
client or on the file server side.

- All libraries in a system that use the MIT kerberos implementation and
also provide some form of kerberos support are dynamically linked to the
MIT libraries, for example openldap libraries.
Although we try to hide the Heimdal symbols with linker tricks it is
really not good practice to link both libraries in the same binary as a
change in dependencies within samba can very easily cause issues later

Other important reasons particularly important for vendors are:
- security issues and security fixes
- maintainability
- software certifications

It is evident that we cannot switch using MIT instead of Heimdal everywhere in Samba immediately.
Therefor we propose a step-by-step approach that starts with the samba client

One of the first steps would be to re-enable the system kerberos checks which have been created during the s3-waf build. These checks allow to detect MIT as well as Heimdal sufficiently and they activate abstraction code for missing functionality.

Also the build system should allow the to link at least the client krb5 users (at least the s3 ones) against a system (MIT) kerberos library as a next step.

In the (s3) smb server (session setup) as well as in the rpc server a lot of effort has already been put into consolidating the usage of gensec so that supporting a system (MIT) kerberos library is probably just a question of creating an appropriate backend.

This is an important showstopper for releasing samba 4.0
Comment 1 Alexander Bokovoy 2012-05-29 12:59:26 UTC
Fixed in master and samba4 alpha21.