Hello,

On 06.08.22 19:03, David Brownlee wrote:
With the latest samba4 the bundled heimdal no longer builds due to an updated bundled heimdal.

From the samba 4.16.0 release notes

| Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
| implementation. This snapshot has now been updated and will closely
| match what will be released as Heimdal 8.0 shortly.
|
| This is a major update, previously we used a snapshot of Heimdal from
| 2011, and brings important new Kerberos security features such as
| Kerberos request armoring, known as FAST. This tunnels ticket
| requests and replies that might be encrypted with a weak password
| inside a wrapper built with a stronger password, say from a machine
| account.

jperkin added support to build with pkgsrc mit-krb5 which neatly avoids the issue for some systems, but NetBSD ships with heimdal which complicates matters there.

There is a --with-system-heimdalkrb5 option, but that looks to also require at least --without-ad-dc to build, (There is a --with-experimental-mit-ad-dc, but that only works to build with an external mit-krb5).

Anyone with heimdal-fu free to look at the samba4 build? :)

David
Unfortunately, I am not familiar with the details and can only offer to help with testing.

Still the question - sounds to me like there is a risk of losing AD-DC functionality when updating to Samba 4.16 on NetBSD. What are the priorities here? Is the AD-DC functionality subject of acceptance testing for updating Samba in pkgsrc, or in case of emergency - like if security updates in 4.16 require it - will this functionality be dropped in favor of security, even if the two are not directly related?

Since NetBSD 9.99 supports Posix1e ACLs, I've been using Samba successfully as a Windows Domain Controller and would not want to sacrifice this feature.
Kind regards
Matthias