On Tue, Sep 3, 2019 at 2:43 PM Robbie Harwood <rharwood@xxxxxxxxxx> wrote: > > Nico Kadel-Garcia <nkadel@xxxxxxxxx> writes: > > > Robert Marcano <robert@xxxxxxxxxxxxxxxxx> wrote: > >> Nico Kadel-Garcia wrote: > >>> Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote: > >>>> On Mon, 02 Sep 2019, Dario Lesca wrote: > >>>>> Il giorno lun, 02/09/2019 alle 11.26 -0400, Robert Marcano ha scritto: > >>>>>> > >>>>>> I switched to run Samba DCs on a container with non Fedora / RHEL / > >>>>>> CentOS provided RPMs. > >>>>> > >>>>> Thank Robert for reply. > >>>>> > >>>>> Then why don't release samba compiled with Heimdal kerberos? > >>>>> > >>>>> Just change a flag in build time, and all can use it into a production > >>>>> environment. > >>>> We do not support Heimdal builds in Fedora. It is not possible to reuse > >>>> components of Samba built against Heimdal within other applications > >>>> compiled against MIT Kerberos. This is, in particular, a show-stopper > >>>> for FreeIPA and SSSD integration. > >>> > >>> My personal experience is that this is not true. sssd in a recent > >>> Fedora (Fedora 29 last year) works just fine against an honest-to-god > >>> Samba 4.9 domain controller on RHEL 7. I've not tested tested it with > >>> samba 4.11rc2 yeat, as I'm still working on that port. sssd also works > >>> against a real AD controller. sssd does not rely on a freeipa server. > >>> It has genuinely unfortunate behavior of pre-downloading the *entire* > >>> LDAP tree, and breaking if it can't complete this, but that's another > >>> issue that won't be visible in most small test environments with local > >>> domain controllers. > >> > >> The parent poster is refering to having two Kerberos implementations > >> on the same process, not from two different machines. For example, an > >> application linking against Samba libraries with Heimdal and at the > >> same time linking with system MIT Kerberos for another features of > >> that application unrelated with Samba. > > > > Sorry to sound critical, but this is irrelevant because, to use domain > > controller enabled Samba, it compiles its own internal Kerberos. There > > are other system libraries which Samba shares, such as libtalloc and > > libldb, but for the comain controller. As best I can tell with sssd, > > it's not been a problem. I did not run FreeIPA at all after some > > failed attempts, and found with Samba compatible completely with AD > > and the clients able to work, I had no use for it. So the libraries > > did not overlap. > > If FreeIPA were dropped from Fedora, would there remain any reason to > > prefer MIT Kerberos over Heimdal Kerberos? It's not that I object to > > the MIT Kerberos, I know several of the authors personally as old > > friends. But that's not a reason to prefer the software. > > Hi, your Fedora krb5 maintainer here. I have met and work with several > Heimdal developers, and have nothing against them or their project; > they generally do good work. And you present some reasons to prefer MIT krb5 overall. Fair enough. I do note that "dropping FreeIPA" didn't get mentioned. Is it the primary component of Fedora that relies specifically on MIT krb5? > If you find something in Heimdal that you need from MIT krb5, I'm happy > to discuss it (over bugzilla); I'm very active in upstream development > and standardization work. > > Thanks, > --Robbie > -- > Robbie Harwood > Kerberos Development Lead > Security Engineering Team > Red Hat, Inc. > Boston, MA, US All of which is cool, thank you. _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
