
[WHATSNEW] Samba AD with MIT Kerberos + Version change


[WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
Hi,

as you can build Samba AD with MIT Kerberos now, I propose to change the
version number to 5.0.0.

It is time that we stop talking about Samba 3 and Samba 4.


The attached patch adds a section for Samba AD with MIT KRB5 to WHATSNEW and
changes the version number.


Review and push much appreciated!


Thanks,


        Andreas

whatsnew_5.0.patch.txt (5K) Download Attachment

Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sun, 30 Apr 2017 09:45:42 +0200
Andreas Schneider via samba-technical <[hidden email]>
wrote:

> Hi,
>
> as you can build Samba AD with MIT Kerberos now, I propose to change
> the version number to 5.0.0.
>
> It is time that we stop talking about Samba 3 and Samba 4.
>
>
> The attached patch adds a section for Samba AD with MIT KRB5 to
> WHATSNEW and changes the version number.
>
>
> Review and push much appreciated!
>
>
> Thanks,
>
>
> Andreas

Sorry, but NACK!

Just because you have got MIT kerberos working with a Samba AD DC (and
great respect to you for doing so) isn't a good enough reason to bump
the version up to 5. If Heimdal was removed at the same time perhaps,
but, from my understanding, this cannot be done yet.

I also think that more warning needs to be given before such a big jump
happens.

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sun, Apr 30, 2017 at 09:22:56AM +0100, Rowland Penny via samba-technical wrote:

> On Sun, 30 Apr 2017 09:45:42 +0200
> Andreas Schneider via samba-technical <[hidden email]>
> wrote:
>
> > Hi,
> >
> > as you can build Samba AD with MIT Kerberos now, I propose to change
> > the version number to 5.0.0.
> >
> > It is time that we stop talking about Samba 3 and Samba 4.
> >
> >
> > The attached patch adds a section for Samba AD with MIT KRB5 to
> > WHATSNEW and changes the version number.
> >
> >
> > Review and push much appreciated!
> >
> >
> > Thanks,
> >
> >
> > Andreas
>
> Sorry, but NACK!
>
> Just because you have got MIT kerberos working with a Samba AD DC (and
> great respect to you for doing so) isn't a good enough reason to bump
> the version up to 5. If Heimdal was removed at the same time perhaps,
> but, from my understanding, this cannot be done yet.

Actually I think that's a really good metric for moving to
Samba5 !

Let's do the change when we finally git remove the Heimdal
code :-).

And this is notice ?


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sun, 30 Apr 2017 08:43:59 -0700
Jeremy Allison <[hidden email]> wrote:

> On Sun, Apr 30, 2017 at 09:22:56AM +0100, Rowland Penny via
> samba-technical wrote:
> > On Sun, 30 Apr 2017 09:45:42 +0200
> > Andreas Schneider via samba-technical
> > <[hidden email]> wrote:
> >
> > > Hi,
> > >
> > > as you can build Samba AD with MIT Kerberos now, I propose to
> > > change the version number to 5.0.0.
> > >
> > > It is time that we stop talking about Samba 3 and Samba 4.
> > >
> > >
> > > The attached patch adds a section for Samba AD with MIT KRB5 to
> > > WHATSNEW and changes the version number.
> > >
> > >
> > > Review and push much appreciated!
> > >
> > >
> > > Thanks,
> > >
> > >
> > > Andreas
> >
> > Sorry, but NACK!
> >
> > Just because you have got MIT kerberos working with a Samba AD DC
> > (and great respect to you for doing so) isn't a good enough reason
> > to bump the version up to 5. If Heimdal was removed at the same
> > time perhaps, but, from my understanding, this cannot be done yet.
>
> Actually I think that's a really good metric for moving to
> Samba5 !
>
> Let's do the change when we finally git remove the Heimdal
> code :-).

That's basically what I said, move to MIT instead of Heimdal and change
the version to 5 at the same time.

>
> And this is notice ?

How about putting something on the Samba webpage, it would make a
change from all the out of date info ;-)

The other question is, How do I use MIT instead of Heimdal on debian ?

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
>
> That's basically what I said, move to MIT instead of Heimdal and change
> the version to 5 at the same time.

Yes, we are in violent agreement :-).

> How about putting something on the Samba webpage, it would make a
> change from all the out of date info ;-)

That's a really good idea !

> The other question is, How do I use MIT instead of Heimdal on debian ?

I know you need MIT 1.15.1 which is the *very latest*
release. Not sure if that's in debian yet (it's not
in Ubuntu 17.04).


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sun, 30 Apr 2017 09:30:21 -0700
Jeremy Allison <[hidden email]> wrote:

> On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
> >
> > That's basically what I said, move to MIT instead of Heimdal and
> > change the version to 5 at the same time.
>
> Yes, we are in violent agreement :-).
>
> > How about putting something on the Samba webpage, it would make a
> > change from all the out of date info ;-)
>
> That's a really good idea !
>
> > The other question is, How do I use MIT instead of Heimdal on
> > debian ?
>
> I know you need MIT 1.15.1 which is the *very latest*
> release. Not sure if that's in debian yet (it's not
> in Ubuntu 17.04).

OK, I will ask that question in a different way, what packages do you
need to install on Fedora to compile Samba as an AD DC using MIT ?

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Sunday, 30 April 2017 18:42:19 CEST Rowland Penny wrote:

> On Sun, 30 Apr 2017 09:30:21 -0700
>
> Jeremy Allison <[hidden email]> wrote:
> > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
> > > That's basically what I said, move to MIT instead of Heimdal and
> > > change the version to 5 at the same time.
> >
> > Yes, we are in violent agreement :-).
> >
> > > How about putting something on the Samba webpage, it would make a
> > > change from all the out of date info ;-)
> >
> > That's a really good idea !
> >
> > > The other question is, How do I use MIT instead of Heimdal on
> > > debian ?
> >
> > I know you need MIT 1.15.1 which is the *very latest*
> > release. Not sure if that's in debian yet (it's not
> > in Ubuntu 17.04).
>
> OK, I will ask that question in a different way, what packages do you
> need to install on Fedora to compile Samba as an AD DC using MIT ?

On Fedora 25 you have to install the packages krb5-devel and krb5-server.

It also works on openSUSE Tumbleweed and you have to install the packages
krb5-devel and krb5-server.


Cheers,


        Andreas


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On (30/04/17 16:59), Rowland Penny via samba-technical wrote:

>On Sun, 30 Apr 2017 08:43:59 -0700
>Jeremy Allison <[hidden email]> wrote:
>
>> On Sun, Apr 30, 2017 at 09:22:56AM +0100, Rowland Penny via
>> samba-technical wrote:
>> > On Sun, 30 Apr 2017 09:45:42 +0200
>> > Andreas Schneider via samba-technical
>> > <[hidden email]> wrote:
>> >
>> > > Hi,
>> > >
>> > > as you can build Samba AD with MIT Kerberos now, I propose to
>> > > change the version number to 5.0.0.
>> > >
>> > > It is time that we stop talking about Samba 3 and Samba 4.
>> > >
>> > >
>> > > The attached patch adds a section for Samba AD with MIT KRB5 to
>> > > WHATSNEW and changes the version number.
>> > >
>> > >
>> > > Review and push much appreciated!
>> > >
>> > >
>> > > Thanks,
>> > >
>> > >
>> > > Andreas
>> >
>> > Sorry, but NACK!
>> >
>> > Just because you have got MIT kerberos working with a Samba AD DC
>> > (and great respect to you for doing so) isn't a good enough reason
>> > to bump the version up to 5. If Heimdal was removed at the same
>> > time perhaps, but, from my understanding, this cannot be done yet.
>>
>> Actually I think that's a really good metric for moving to
>> Samba5 !
>>
>> Let's do the change when we finally git remove the Heimdal
>> code :-).
>
>That's basically what I said, move to MIT instead of Heimdal and change
>the version to 5 at the same time.
>
>>
>> And this is notice ?
>
>How about putting something on the Samba webpage, it would make a
>change from all the out of date info ;-)
>
>The other question is, How do I use MIT instead of Heimdal on debian ?
>
Looks like debian testing has MIT krb5-1.15.1
https://packages.debian.org/stretch/libkrb5-3
https://packages.debian.org/source/stretch/krb5

LS


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Sun, 30 Apr 2017 17:42:19 +0100
Rowland Penny via samba-technical <[hidden email]>
wrote:

> On Sun, 30 Apr 2017 09:30:21 -0700
> Jeremy Allison <[hidden email]> wrote:
>
> > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
> > >
> > > That's basically what I said, move to MIT instead of Heimdal and
> > > change the version to 5 at the same time.
> >
> > Yes, we are in violent agreement :-).
> >
> > > How about putting something on the Samba webpage, it would make a
> > > change from all the out of date info ;-)
> >
> > That's a really good idea !
> >
> > > The other question is, How do I use MIT instead of Heimdal on
> > > debian ?
> >
> > I know you need MIT 1.15.1 which is the *very latest*
> > release. Not sure if that's in debian yet (it's not
> > in Ubuntu 17.04).
>
> OK, I will ask that question in a different way, what packages do you
> need to install on Fedora to compile Samba as an AD DC using MIT ?
>
> Rowland
>

There seems to be a problem on debian stretch:

./configure --with-system-mitkrb5

leads to this:

Checking for kdb                                                                  : yes
Checking for gssapi                                                               : yes
ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.15 has been found and cannot be used
ERROR: If you want to just build Samba FS use the option --without-ad-dc which requires version 1.9
ERROR: You may try to build with embedded Heimdal Kerebros by not
specifying --with-system-mitkrb5

But when you check the installed package, you get this:

dpkg -s libkrb5-dev
Package: libkrb5-dev
Status: install ok installed
Priority: extra
Section: libdevel
Installed-Size: 173
Maintainer: Sam Hartman <[hidden email]>
Architecture: amd64
Source: krb5
Version: 1.15-1
Replaces: krb5-multidev (<< 1.8+dfsg~alpha1-3)
Depends: krb5-multidev (= 1.15-1)
Suggests: krb5-doc
Conflicts: heimdal-dev
Description: headers and development libraries for MIT Kerberos
 Kerberos is a system for authenticating users and services on a network.
 Kerberos is a trusted third-party service.  That means that there is a
 third party (the Kerberos server) that is trusted by all the entities on
 the network (users and services, usually called "principals").
 .
 This is the MIT reference implementation of Kerberos V5.
 .
 This package contains the symlinks, headers, and development libraries
 needed to compile and link programs that use the Kerberos libraries.
Homepage: http://web.mit.edu/kerberos/

It would seem that 'Version: 1.15-1' isn't the same as the version that
Samba AD requires, which is 'at least 1.15.1' ;-)

To me it looks like Samba requires a dot between the package minor
version and revision i.e. 15.1, but debian uses a dash '-' instead.

Rowland
 


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:

> On Sun, 30 Apr 2017 17:42:19 +0100
> Rowland Penny via samba-technical <[hidden email]>
> wrote:
>
> > On Sun, 30 Apr 2017 09:30:21 -0700
> > Jeremy Allison <[hidden email]> wrote:
> >
> > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny wrote:
> > > >
> > > > That's basically what I said, move to MIT instead of Heimdal and
> > > > change the version to 5 at the same time.
> > >
> > > Yes, we are in violent agreement :-).
> > >
> > > > How about putting something on the Samba webpage, it would make a
> > > > change from all the out of date info ;-)
> > >
> > > That's a really good idea !
> > >
> > > > The other question is, How do I use MIT instead of Heimdal on
> > > > debian ?
> > >
> > > I know you need MIT 1.15.1 which is the *very latest*
> > > release. Not sure if that's in debian yet (it's not
> > > in Ubuntu 17.04).
> >
> > OK, I will ask that question in a different way, what packages do you
> > need to install on Fedora to compile Samba as an AD DC using MIT ?
> >
> > Rowland
> >
>
> There seems to be a problem on debian stretch:
>
> ./configure --with-system-mitkrb5
>
> leads to this:
>
> Checking for kdb                                                                  : yes
> Checking for gssapi                                                               : yes
> ERROR: MIT KRB5 build with Samba AD requires at least 1.15.1. 1.15 has been found and cannot be used
> ERROR: If you want to just build Samba FS use the option --without-ad-dc which requires version 1.9
> ERROR: You may try to build with embedded Heimdal Kerebros by not
> specifying --with-system-mitkrb5
>
> But when you check the installed package, you get this:
>
> dpkg -s libkrb5-dev
> Package: libkrb5-dev
> Status: install ok installed
> Priority: extra
> Section: libdevel
> Installed-Size: 173
> Maintainer: Sam Hartman <[hidden email]>
> Architecture: amd64
> Source: krb5
> Version: 1.15-1
This is version 1.15, not 1.15.1.


> It would seem that 'Version: 1.15-1' isn't the same as the version that
> Samba AD requires, which is 'at least 1.15.1' ;-)
Yes, 1.15 is 1.15.0.

> To me it looks like Samba requires a dot between the package minor
> version and revision i.e. 15.1, but debian uses a dash '-' instead.
No, this is really an older version than required. A dash is for build
number, e.g. it is "1.15, Debian build 1".

--
/ Alexander Bokovoy
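
Added example, not part of the original thread and not Samba's own configure code: a small parser that splits the `Version:` field from `dpkg -s` into epoch, upstream release and Debian revision, then compares the upstream release with the 1.15.1 minimum from the configure error. The function names and the trimmed sample input are constructed for illustration.

```python
import re

# Minimum MIT krb5 upstream release quoted in the configure error in this thread.
REQUIRED_FOR_AD_DC = (1, 15, 1)

# Constructed sample: a trimmed copy of the `dpkg -s libkrb5-dev` output
# posted in the thread (only the fields the check needs).
SAMPLE_DPKG_STATUS = """\
Package: libkrb5-dev
Status: install ok installed
Source: krb5
Version: 1.15-1
Depends: krb5-multidev (= 1.15-1)
"""


def split_debian_version(version):
    """Split a dpkg version into (epoch, upstream_version, debian_revision).

    The layout is [epoch:]upstream_version[-debian_revision]. The revision is
    whatever follows the LAST hyphen, so it is never part of the upstream release.
    """
    rest = version.strip()
    epoch = 0
    if ":" in rest:
        head, rest = rest.split(":", 1)
        epoch = int(head)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def upstream_release(version, width=3):
    """Return the upstream release as a zero-padded tuple: 1.15 -> (1, 15, 0).

    Only the leading dotted-numeric part is used; suffixes such as "+dfsg" or
    "~alpha1" are ignored, so pre-releases are not distinguished here.
    """
    _, upstream, _ = split_debian_version(version)
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if match is None:
        raise ValueError("no numeric upstream release in %r" % version)
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (width - len(parts))
    return tuple(parts[:width])


def installed_version(dpkg_status):
    """Extract the Version field from `dpkg -s` output."""
    for line in dpkg_status.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Version field found")


def meets_minimum(version, minimum=REQUIRED_FOR_AD_DC):
    """True if the upstream release is at least the required minimum."""
    return upstream_release(version, len(minimum)) >= tuple(minimum)


def explain(version, minimum=REQUIRED_FOR_AD_DC):
    """Describe how the package version maps onto the upstream requirement."""
    _, _, revision = split_debian_version(version)
    found = ".".join(str(p) for p in upstream_release(version, len(minimum)))
    wanted = ".".join(str(p) for p in minimum)
    verdict = "satisfies" if meets_minimum(version, minimum) else "is older than"
    return "upstream %s (Debian revision %r) %s required %s" % (
        found, revision, verdict, wanted)


if __name__ == "__main__":
    # The package version from the thread, then a constructed newer one.
    print(explain(installed_version(SAMPLE_DPKG_STATUS)))
    print(explain("1.15.1-2"))
```

The upstream number alone cannot show whether a distribution has backported fixes into a later package revision, so a check like this only answers the question the configure script asks.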


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Mon, 01 May 2017 22:44:59 +0200
Andreas Schneider <[hidden email]> wrote:

> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
> > On Mon, 1 May 2017 17:58:20 +0300
> >
> > Alexander Bokovoy <[hidden email]> wrote:
> > > On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:
> > > > On Sun, 30 Apr 2017 17:42:19 +0100
> > > > Rowland Penny via samba-technical
> > > > <[hidden email]>
> > > >
> > > > wrote:
> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
> > > > >
> > > > > Jeremy Allison <[hidden email]> wrote:
> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
> > > > > > wrote:
> > > > > > > That's basically what I said, move to MIT instead of
> > > > > > > Heimdal and change the version to 5 at the same time.
> > > > > >
> > > > > > Yes, we are in violent agreement :-).
> > > > > >
> > > > > > > How about putting something on the Samba webpage, it would
> > > > > > > make a change from all the out of date info ;-)
> > > > > >
> > > > > > That's a really good idea !
> > > > > >
> > > > > > > The other question is, How do I use MIT instead of
> > > > > > > Heimdal on debian ?
> > > > > >
> > > > > > I know you need MIT 1.15.1 which is the *very latest*
> > > > > > release. Not sure if that's in debian yet (it's not
> > > > > > in Ubuntu 17.04).
> > > > >
> > > > > OK, I will ask that question in a different way, what
> > > > > packages do you need to install on Fedora to compile Samba as
> > > > > an AD DC using MIT ?
> > > > >
> > > > > Rowland
> > > >
> > > > There seems to be a problem on debian stretch:
> > > >
> > > > ./configure --with-system-mitkrb5
> > > >
> > > > leads to this:
> > > >
> > > > Checking for
> > > > kdb                                                                  :
> > > > yes Checking for
> > > > gssapi                                                               :
> > > > yes ERROR: MIT KRB5 build with Samba AD requires at least
> > > > 1.15.1. 1.15 has been found and cannot be used ERROR: If you
> > > > want to just build Samba FS use the option --without-ad-dc
> > > > which requires version 1.9 ERROR: You may try to build with
> > > > embedded Heimdal Kerebros by not specifying
> > > > --with-system-mitkrb5
> > > >
> > > > But when you check the installed package, you get this:
> > > >
> > > > dpkg -s libkrb5-dev
> > > > Package: libkrb5-dev
> > > > Status: install ok installed
> > > > Priority: extra
> > > > Section: libdevel
> > > > Installed-Size: 173
> > > > Maintainer: Sam Hartman <[hidden email]>
> > > > Architecture: amd64
> > > > Source: krb5
> > > > Version: 1.15-1
> > >
> > > This is version 1.15, not 1.15.1.
> > >
> > > > It would seem that 'Version: 1.15-1' isn't the same as the
> > > > version that Samba AD requires, which is 'at least 1.15.1' ;-)
> > >
> > > Yes, 1.15 is 1.15.0.
> > >
> > > > To me it looks like Samba requires a dot between the package
> > > > minor version and revision i.e. 15.1, but debian uses a dash
> > > > '-' instead.
> > >
> > > No, this is really an older version than required. A dash is for
> > > build number, e.g. it is "1.15, Debian build 1".
> >
> > Thanks for clarifying that ;-)
> >
> > In which case and as I cannot find 1.15.1 packages for debian, I
> > return to my stance that we shouldn't bump the Samba version to 5,
> > because we will just be switching from not being able to build an
> > AD DC on red-hat, to not being able to build an AD DC on debian
> > based systems :-(
>
> Debian has just to update their package. MIT Kerberos 1.15 has a
> major flaw, it is not able to release memory allocated by a KDB
> module.
>
> It might work as standalone but not with any project which provides
> their own KDB module it is not useable.
>
> Debian could easily apply the two relevant patches to address the
> issue on their MIT Kerberos package and lower the required version
> number for MIT Kerberos in Samba.
>

I am not saying that debian cannot update MIT kerberos, in fact I think
they should, but until they do, it is not possible to build an AD DC on
debian using MIT kerberos.

>
> Also, Samba AD with MIT Kerberos has not been released yet. It is
> likely that Debian has MIT Kerberos 1.15.1 when the next Samba version
> ships and that's in September.

Yes and until debian ships 1.15.1 (or later), then the next version of
Samba should be 4.7.0

>
>
> The Heimdal version used by Samba is from 2011!

Yes, I know, and as such needs to be replaced, but it can only be
replaced when most distros have MIT 1.15.1. I personally think that
Samba should move to 5.0.0 only when Heimdal is removed.

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On (02/05/17 08:05), Rowland Penny via samba-technical wrote:

>On Mon, 01 May 2017 22:44:59 +0200
>Andreas Schneider <[hidden email]> wrote:
>
>> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
>> > On Mon, 1 May 2017 17:58:20 +0300
>> >
>> > Alexander Bokovoy <[hidden email]> wrote:
>> > > On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:
>> > > > On Sun, 30 Apr 2017 17:42:19 +0100
>> > > > Rowland Penny via samba-technical
>> > > > <[hidden email]>
>> > > >
>> > > > wrote:
>> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
>> > > > >
>> > > > > Jeremy Allison <[hidden email]> wrote:
>> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
>> > > > > > wrote:
>> > > > > > > That's basically what I said, move to MIT instead of
>> > > > > > > Heimdal and change the version to 5 at the same time.
>> > > > > >
>> > > > > > Yes, we are in violent agreement :-).
>> > > > > >
>> > > > > > > How about putting something on the Samba webpage, it would
>> > > > > > > make a change from all the out of date info ;-)
>> > > > > >
>> > > > > > That's a really good idea !
>> > > > > >
>> > > > > > > The other question is, How do I use MIT instead of
>> > > > > > > Heimdal on debian ?
>> > > > > >
>> > > > > > I know you need MIT 1.15.1 which is the *very latest*
>> > > > > > release. Not sure if that's in debian yet (it's not
>> > > > > > in Ubuntu 17.04).
>> > > > >
>> > > > > OK, I will ask that question in a different way, what
>> > > > > packages do you need to install on Fedora to compile Samba as
>> > > > > an AD DC using MIT ?
>> > > > >
>> > > > > Rowland
>> > > >
>> > > > There seems to be a problem on debian stretch:
>> > > >
>> > > > ./configure --with-system-mitkrb5
>> > > >
>> > > > leads to this:
>> > > >
>> > > > Checking for
>> > > > kdb                                                                  :
>> > > > yes Checking for
>> > > > gssapi                                                               :
>> > > > yes ERROR: MIT KRB5 build with Samba AD requires at least
>> > > > 1.15.1. 1.15 has been found and cannot be used ERROR: If you
>> > > > want to just build Samba FS use the option --without-ad-dc
>> > > > which requires version 1.9 ERROR: You may try to build with
>> > > > embedded Heimdal Kerebros by not specifying
>> > > > --with-system-mitkrb5
>> > > >
>> > > > But when you check the installed package, you get this:
>> > > >
>> > > > dpkg -s libkrb5-dev
>> > > > Package: libkrb5-dev
>> > > > Status: install ok installed
>> > > > Priority: extra
>> > > > Section: libdevel
>> > > > Installed-Size: 173
>> > > > Maintainer: Sam Hartman <[hidden email]>
>> > > > Architecture: amd64
>> > > > Source: krb5
>> > > > Version: 1.15-1
>> > >
>> > > This is version 1.15, not 1.15.1.
>> > >
>> > > > It would seem that 'Version: 1.15-1' isn't the same as the
>> > > > version that Samba AD requires, which is 'at least 1.15.1' ;-)
>> > >
>> > > Yes, 1.15 is 1.15.0.
>> > >
>> > > > To me it looks like Samba requires a dot between the package
>> > > > minor version and revision i.e. 15.1, but debian uses a dash
>> > > > '-' instead.
>> > >
>> > > No, this is really an older version than required. A dash is for
>> > > build number, e.g. it is "1.15, Debian build 1".
>> >
>> > Thanks for clarifying that ;-)
>> >
>> > In which case and as I cannot find 1.15.1 packages for debian, I
>> > return to my stance that we shouldn't bump the Samba version to 5,
>> > because we will just be switching from not being able to build an
>> > AD DC on red-hat, to not being able to build an AD DC on debian
>> > based systems :-(
>>
>> Debian has just to update their package. MIT Kerberos 1.15 has a
>> major flaw, it is not able to release memory allocated by a KDB
>> module.
>>
>> It might work as standalone but not with any project which provides
>> their own KDB module it is not useable.
>>
>> Debian could easily apply the two relevant patches to address the
>> issue on their MIT Kerberos package and lower the required version
>> number for MIT Kerberos in Samba.
>>
>
>I am not saying that debian cannot update MIT kerberos, in fact I think
>they should, but until they do, it is not possible to build an AD DC on
>debian using MIT kerberos.
>
Debian (Stretch) testing is in freeze since 5th January 2017.
The best would be file a bug to debian and let krb5 maintainers
to decide whether it is acceptable to update krb5 there.

Maybe they didn't consider to update because of missing reason.
And samba-dc + krb5 might be a good reason :-)

LS


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tue, 2 May 2017 10:47:47 +0200
Lukas Slebodnik <[hidden email]> wrote:

> On (02/05/17 08:05), Rowland Penny via samba-technical wrote:
> >On Mon, 01 May 2017 22:44:59 +0200
> >Andreas Schneider <[hidden email]> wrote:
> >
> >> On Monday, 1 May 2017 20:12:31 CEST Rowland Penny wrote:
> >> > On Mon, 1 May 2017 17:58:20 +0300
> >> >
> >> > Alexander Bokovoy <[hidden email]> wrote:
> >> > > On Mon, 01 May 2017, Rowland Penny via samba-technical wrote:
> >> > > > On Sun, 30 Apr 2017 17:42:19 +0100
> >> > > > Rowland Penny via samba-technical
> >> > > > <[hidden email]>
> >> > > >
> >> > > > wrote:
> >> > > > > On Sun, 30 Apr 2017 09:30:21 -0700
> >> > > > >
> >> > > > > Jeremy Allison <[hidden email]> wrote:
> >> > > > > > On Sun, Apr 30, 2017 at 04:59:01PM +0100, Rowland Penny
> >> > > > > > wrote:
> >> > > > > > > That's basically what I said, move to MIT instead of
> >> > > > > > > Heimdal and change the version to 5 at the same time.
> >> > > > > >
> >> > > > > > Yes, we are in violent agreement :-).
> >> > > > > >
> >> > > > > > > How about putting something on the Samba webpage, it
> >> > > > > > > would make a change from all the out of date info ;-)
> >> > > > > >
> >> > > > > > That's a really good idea !
> >> > > > > >
> >> > > > > > > The other question is, How do I use MIT instead of
> >> > > > > > > Heimdal on debian ?
> >> > > > > >
> >> > > > > > I know you need MIT 1.15.1 which is the *very latest*
> >> > > > > > release. Not sure if that's in debian yet (it's not
> >> > > > > > in Ubuntu 17.04).
> >> > > > >
> >> > > > > OK, I will ask that question in a different way, what
> >> > > > > packages do you need to install on Fedora to compile Samba
> >> > > > > as an AD DC using MIT ?
> >> > > > >
> >> > > > > Rowland
> >> > > >
> >> > > > There seems to be a problem on debian stretch:
> >> > > >
> >> > > > ./configure --with-system-mitkrb5
> >> > > >
> >> > > > leads to this:
> >> > > >
> >> > > > Checking for
> >> > > > kdb                                                                  :
> >> > > > yes Checking for
> >> > > > gssapi                                                               :
> >> > > > yes ERROR: MIT KRB5 build with Samba AD requires at least
> >> > > > 1.15.1. 1.15 has been found and cannot be used ERROR: If you
> >> > > > want to just build Samba FS use the option --without-ad-dc
> >> > > > which requires version 1.9 ERROR: You may try to build with
> >> > > > embedded Heimdal Kerebros by not specifying
> >> > > > --with-system-mitkrb5
> >> > > >
> >> > > > But when you check the installed package, you get this:
> >> > > >
> >> > > > dpkg -s libkrb5-dev
> >> > > > Package: libkrb5-dev
> >> > > > Status: install ok installed
> >> > > > Priority: extra
> >> > > > Section: libdevel
> >> > > > Installed-Size: 173
> >> > > > Maintainer: Sam Hartman <[hidden email]>
> >> > > > Architecture: amd64
> >> > > > Source: krb5
> >> > > > Version: 1.15-1
> >> > >
> >> > > This is version 1.15, not 1.15.1.
> >> > >
> >> > > > It would seem that 'Version: 1.15-1' isn't the same as the
> >> > > > version that Samba AD requires, which is 'at least
> >> > > > 1.15.1' ;-)
> >> > >
> >> > > Yes, 1.15 is 1.15.0.
> >> > >
> >> > > > To me it looks like Samba requires a dot between the package
> >> > > > minor version and revision i.e. 15.1, but debian uses a dash
> >> > > > '-' instead.
> >> > >
> >> > > No, this is really an older version than required. A dash is
> >> > > for build number, e.g. it is "1.15, Debian build 1".
> >> >
> >> > Thanks for clarifying that ;-)
> >> >
> >> > In which case and as I cannot find 1.15.1 packages for debian, I
> >> > return to my stance that we shouldn't bump the Samba version to
> >> > 5, because we will just be switching from not being able to
> >> > build an AD DC on red-hat, to not being able to build an AD DC
> >> > on debian based systems :-(
> >>
> >> Debian has just to update their package. MIT Kerberos 1.15 has a
> >> major flaw, it is not able to release memory allocated by a KDB
> >> module.
> >>
> >> It might work as standalone but not with any project which provides
> >> their own KDB module it is not useable.
> >>
> >> Debian could easily apply the two relevant patches to address
> >> the issue on their MIT Kerberos package and lower the required
> >> version number for MIT Kerberos in Samba.
> >>
> >
> >I am not saying that debian cannot update MIT kerberos, in fact I
> >think they should, but until they do, it is not possible to build an
> >AD DC on debian using MIT kerberos.
> >
> Debian (Stretch) testing is in freeze since 5th January 2017.
> The best would be file a bug to debian and let krb5 maintainers
> to decide whether it is acceptable to update krb5 there.
>
> Maybe they didn't consider to update because of missing reason.
> And samba-dc + krb5 might be a good reason :-)
>
> LS

OK, bug reported:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861651

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Tue, 2 May 2017 13:46:46 +0200
L.P.H. van Belle <[hidden email]> wrote:

> Hai Rowland.
>
> If you want to test with a jessie 1.15.1
>
> Get an amd64 build here.
>
> http://downloads.van-belle.nl/samba4/jessie-krb5-1.15.1.tar.gz
> Debs, sources, buildlogs, are all in the tar.gz.
>
> And now you can easily reproduce these on your Devuan.
>
>
> Greetz,
>
> Louis

OK, things move on, whilst trying to build MIT krb5, I got the above,
so rather than re-invent the wheel, I have used them, thanks Louis ;-)

I now have a test MIT DC in a VM, but (there is always a but, isn't
there ;-) ) I cannot kinit. When I try, I get this:

kinit Administrator
kinit: Cannot contact any KDC for realm 'TEST.TLD' while getting
initial credentials

Am I now supposed to start the MIT kdc ?

If I do try to start it, I get:

service krb5-kdc start
[....] Starting Kerberos KDC: krb5kdckrb5kdc: cannot initialize realm TEST.TLD - see log file for details
 failed!

and there is this in auth.log:

May  2 16:25:35 devtestdc krb5kdc[7911]: Cannot open DB2 database
'/var/lib/krb5kdc/principal': No such file or directory - while
initializing database for realm TEST.TLD

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tuesday, 2 May 2017 17:40:20 CEST Rowland Penny via samba-technical wrote:

> On Tue, 2 May 2017 13:46:46 +0200
>
> L.P.H. van Belle <[hidden email]> wrote:
> > Hai Rowland.
> >
> > If you want to test with a jessie 1.15.1
> >
> > Get an amd64 build here.
> >
> > http://downloads.van-belle.nl/samba4/jessie-krb5-1.15.1.tar.gz
> > Debs, sources, buildlogs, are all in the tar.gz.
> >
> > And now you can easily reproduce these on your Devuan.
> >
> >
> > Greetz,
> >
> > Louis
>
> OK, things move on, whilst trying to build MIT krb5, I got the above,
> so rather than re-invent the wheel, I have used them, thanks Louis ;-)
>
> I now have a test MIT DC in a VM, but (there is always a but, isn't
> there ;-) ) I cannot kinit. When I try, I get this:
>
> kinit Administrator
> kinit: Cannot contact any KDC for realm 'TEST.TLD' while getting
> initial credentials

The MIT library (kinit) needs to find the KDC. It does this via DNS service
lookup. Samba has its own DNS server so I think your DNS server configured in
/etc/resolv.conf is not 127.0.0.1 so it can't find the KDC.

The other option is that in /etc/krb5.conf you specify the kdc ip address for
the realm.

> Am I now supposed to start the MIT kdc ?

Nope.

> If I do try to start it, I get:
>
> service krb5-kdc start
> [....] Starting Kerberos KDC: krb5kdckrb5kdc: cannot initialize realm
> TEST.TLD - see log file for details failed!
>
> and there is this in auth.log:
>
> May  2 16:25:35 devtestdc krb5kdc[7911]: Cannot open DB2 database
> '/var/lib/krb5kdc/principal': No such file or directory - while
> initializing database for realm TEST.TLD

I've provisioned the AD DC with samba-tool which created
/var/kerberos/krb5kdc/kdc.conf for me. It looks like your system has a
different kdc.conf. So you can create it at a special location during
provision and set it with the 'mit kdc config' options.



        Andreas
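
Added example, not part of the original post and not Samba or MIT code: a small check of which of the two lookup paths described above (DNS service lookup or a kdc entry in /etc/krb5.conf) a client would take for realm TEST.TLD. The file contents, the resolver address 192.0.2.10 and the function names are constructed for illustration, and the default of dns_lookup_kdc is stated as an assumption.

```python
import re

# Constructed samples for realm TEST.TLD (not files from the thread).
KRB5_DNS = "[libdefaults]\n    default_realm = TEST.TLD\n"
KRB5_EXPLICIT = """\
[libdefaults]
    default_realm = TEST.TLD
[realms]
    TEST.TLD = {
        kdc = 127.0.0.1
    }
"""
RESOLV = "search test.tld\nnameserver 192.0.2.10\n"
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def parse_profile(text):
    """Parse krb5.conf layout: [section], 'name = {' ... '}', 'key = value'."""
    tree, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            stack = [tree.setdefault(section.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif stack and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return tree

def kdc_lookup_plan(krb5_conf, resolv_conf, realm):
    """Report where a client such as kinit would look for the realm's KDC."""
    profile = parse_profile(krb5_conf)
    kdcs = profile.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:  # explicit entries: DNS is not consulted for this realm
        return {"method": "krb5.conf", "kdc": kdcs}
    # Assumption: dns_lookup_kdc defaults to true when it is not set.
    flag = profile.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    if flag.lower() in FALSE_WORDS:
        return {"method": "none", "kdc": []}
    resolvers = [f[1] for f in (l.split() for l in resolv_conf.splitlines())
                 if len(f) > 1 and f[0] == "nameserver"]
    names = [f"_kerberos._{proto}.{realm}" for proto in ("udp", "tcp")]
    return {"method": "dns-srv", "srv": names, "resolvers": resolvers}

if __name__ == "__main__":
    print(kdc_lookup_plan(KRB5_DNS, RESOLV, "TEST.TLD"))
    print(kdc_lookup_plan(KRB5_EXPLICIT, RESOLV, "TEST.TLD"))
```

In the "dns-srv" case the listed resolvers are the servers that must answer the SRV names, which on a Samba AD DC means the DNS server holding the AD zone.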


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tue, 02 May 2017 18:01:01 +0200
Andreas Schneider <[hidden email]> wrote:

> The MIT library (kinit) needs to find the KDC. It does this via DNS
> service lookup. Samba has its own DNS server so I think your DNS
> server configured in /etc/resolv.conf is not 127.0.0.1 so it can't
> find the KDC.

I had the computer's IP as the nameserver in resolv.conf, changing it to
127.0.0.1 didn't help.

>
> The other option is that in /etc/krb5.conf you specify the kdc ip
> address for the realm.

To save me time trying to find out how to do this, can you tell me how ?

>
> > Am I now supposed to start the MIT kdc ?
>
> Nope.
>

OK, I will give up trying to ;-)

>
> I've provisioned the AD DC with samba-tool which
> created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> system has a different kdc.conf. So you can create it at a special
> location during provision and set it with the 'mit kdc config'
> options.

I have '/etc/krb5kdc/kdc.conf' , which contains:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    TEST.TLD = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Do I need all of that, or only some of it, or do I need to add something
to it ?

I also take it that I need to provision again, but this time add
'--kdc-config-dir=/etc/krb5kdc/kdc.conf'

Rowland

>
>
>
> Andreas
>
>
> Andreas



Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:

> On Tue, 02 May 2017 18:01:01 +0200
>
> Andreas Schneider <[hidden email]> wrote:
> > The MIT library (kinit) needs to find the KDC. It does this via DNS
> > service lookup. Samba has its own DNS server so I think your DNS
> > server configured in /etc/resolv.conf is not 127.0.0.1 so it can't
> > find the KDC.
>
> I had the computer's IP as the nameserver in resolv.conf, changing it to
> 127.0.0.1 didn't help.

Then it should work if you create the kdc.conf correctly. See below.

>
> > The other option is that in /etc/krb5.conf you specify the kdc ip
> > address for the realm.
>
> To save me time trying to find out how to do this, can you tell me how ?
>
> > > Am I now supposed to start the MIT kdc ?
> >
> > Nope.
>
> OK, I will give up trying to ;-)
>
> > I've provisioned the AD DC with samba-tool which
> > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> > system has a different kdc.conf. So you can create it at a special
> > location during provision and set it with the 'mit kdc config'
> > options.
>
> I have '/etc/krb5kdc/kdc.conf' , which contains:
>
> [kdcdefaults]
>     kdc_ports = 750,88
>
> [realms]
>     TEST.TLD = {
>         database_name = /var/lib/krb5kdc/principal
>         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
>         acl_file = /etc/krb5kdc/kadm5.acl
>         key_stash_file = /etc/krb5kdc/stash
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         master_key_type = des3-hmac-sha1
>         #supported_enctypes = aes256-cts:normal aes128-cts:normal
>         default_principal_flags = +preauth
>     }
>
> Do I need all of that, or only some of it, or do I need to add something
> to it ?
>
> I also take it that I need to provision again, but this time add
> '--kdc-config-dir=/etc/krb5kdc/kdc.conf'

Every distro has a different default location for the kdc.conf. I've added
support for Fedora and openSUSE. So we might want to add more of them. Not
sure if we really can but that's why there is --kdc-config-dir


However to get it working use:

samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/


That should create it at the correct location.



        Andreas


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tue, 02 May 2017 18:33:26 +0200
Andreas Schneider <[hidden email]> wrote:

> On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> > On Tue, 02 May 2017 18:01:01 +0200
> >
> > Andreas Schneider <[hidden email]> wrote:
> > > The MIT library (kinit) needs to find the KDC. It does this via
> > > DNS service lookup. Samba has its own DNS server so I think your
> > > DNS server configured in /etc/resolv.conf is not 127.0.0.1 so it
> > > can't find the KDC.
> >
> > I had the computer's IP as the nameserver in resolv.conf, changing
> > it to 127.0.0.1 didn't help.
>
> Then it should work if you create the kdc.conf correctly. See below.
>
> >
> > > The other option is that in /etc/krb5.conf you specify the kdc ip
> > > address for the realm.
> >
> > To save me time trying to find out how to do this, can you tell me
> > how ?
> >
> > > > Am I now supposed to start the MIT kdc ?
> > >
> > > Nope.
> >
> > OK, I will give up trying to ;-)
> >
> > > I've provisioned the AD DC with samba-tool which
> > > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> > > system has a different kdc.conf. So you can create it at a special
> > > location during provision and set it with the 'mit kdc config'
> > > options.
> >
> > I have '/etc/krb5kdc/kdc.conf' , which contains:
> >
> > [kdcdefaults]
> >     kdc_ports = 750,88
> >
> > [realms]
> >     TEST.TLD = {
> >         database_name = /var/lib/krb5kdc/principal
> >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >         acl_file = /etc/krb5kdc/kadm5.acl
> >         key_stash_file = /etc/krb5kdc/stash
> >         kdc_ports = 750,88
> >         max_life = 10h 0m 0s
> >         max_renewable_life = 7d 0h 0m 0s
> >         master_key_type = des3-hmac-sha1
> >         #supported_enctypes = aes256-cts:normal aes128-cts:normal
> >         default_principal_flags = +preauth
> >     }
> >
> > Do I need all of that, or only some of it, or do I need to add
> > something to it ?
> >
> > I also take it that I need to provision again, but this time add
> > '--kdc-config-dir=/etc/krb5kdc/kdc.conf'
>
> Every distro has a different default location for the kdc.conf. I've
> added support for Fedora and openSUSE. So we might want to add more
> of them. Not sure if we really can but that's why there is
> --kdc-config-dir
>
>
> However to get it working use:
>
> samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/
>
>
> That should create it at the correct location.
>
>
>
> Andreas

OK, I will give it a try ;-)

Thanks for the help.

Rowland


Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tue, 02 May 2017 18:33:26 +0200
Andreas Schneider <[hidden email]> wrote:

> On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> > On Tue, 02 May 2017 18:01:01 +0200
> >
> > Andreas Schneider <[hidden email]> wrote:
> > > The MIT library (kinit) needs to find the KDC. It does this via
> > > DNS service lookup. Samba has its own DNS server so I think your
> > > DNS server configured in /etc/resolv.conf is not 127.0.0.1 so it
> > > can't find the KDC.
> >
> > I had the computer's IP as the nameserver in resolv.conf, changing
> > it to 127.0.0.1 didn't help.
>
> Then it should work if you create the kdc.conf correctly. See below.
>
> >
> > > The other option is that in /etc/krb5.conf you specify the kdc ip
> > > address for the realm.
> >
> > To save me time trying to find out how to do this, can you tell me
> > how ?
> >
> > > > Am I now supposed to start the MIT kdc ?
> > >
> > > Nope.
> >
> > OK, I will give up trying to ;-)
> >
> > > I've provisioned the AD DC with samba-tool which
> > > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> > > system has a different kdc.conf. So you can create it at a special
> > > location during provision and set it with the 'mit kdc config'
> > > options.
> >
> > I have '/etc/krb5kdc/kdc.conf' , which contains:
> >
> > [kdcdefaults]
> >     kdc_ports = 750,88
> >
> > [realms]
> >     TEST.TLD = {
> >         database_name = /var/lib/krb5kdc/principal
> >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >         acl_file = /etc/krb5kdc/kadm5.acl
> >         key_stash_file = /etc/krb5kdc/stash
> >         kdc_ports = 750,88
> >         max_life = 10h 0m 0s
> >         max_renewable_life = 7d 0h 0m 0s
> >         master_key_type = des3-hmac-sha1
> >         #supported_enctypes = aes256-cts:normal aes128-cts:normal
> >         default_principal_flags = +preauth
> >     }
> >
> > Do I need all of that, or only some of it, or do I need to add
> > something to it ?
> >
> > I also take it that I need to provision again, but this time add
> > '--kdc-config-dir=/etc/krb5kdc/kdc.conf'
>
> Every distro has a different default location for the kdc.conf. I've
> added support for Fedora and openSUSE. So we might want to add more
> of them. Not sure if we really can but that's why there is
> --kdc-config-dir
>
>
> However to get it working use:
>
> samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/
>
>
> That should create it at the correct location.

Sorry but it didn't work, kinit still cannot find the kdc.

I am provisioning with:

samba-tool domain provision --use-rfc2307 --realm=TEST.TLD
--domain=TEST --server-role=dc --kdc-config-dir=/etc/krb5kdc/
--adminpass=xxxxxxxxxx

You seem to be saying that the 'kdc.conf' should be created by the
provision, this isn't happening for me. I have moved the original one
out of the way and tried again, I didn't get the 'kdc.conf' created.

What do you expect the 'kdc.conf' to contain ?

Rowland



Re: [WHATSNEW] Samba AD with MIT Kerberos + Version change

Samba - samba-technical mailing list
On Tuesday, 2 May 2017 19:18:31 CEST Rowland Penny wrote:

> On Tue, 02 May 2017 18:33:26 +0200
>
> Andreas Schneider <[hidden email]> wrote:
> > On Tuesday, 2 May 2017 18:28:23 CEST Rowland Penny wrote:
> > > On Tue, 02 May 2017 18:01:01 +0200
> > >
> > > Andreas Schneider <[hidden email]> wrote:
> > > > The MIT library (kinit) needs to find the KDC. It does this via
> > > > DNS service lookup. Samba has its own DNS server so I think your
> > > > DNS server configured in /etc/resolv.conf is not 127.0.0.1 so it
> > > > can't find the KDC.
> > >
> > > I had the computer's IP as the nameserver in resolv.conf, changing
> > > it to 127.0.0.1 didn't help.
> >
> > Then it should work if you create the kdc.conf correctly. See below.
> >
> > > > The other option is that in /etc/krb5.conf you specify the kdc ip
> > > > address for the realm.
> > >
> > > To save me time trying to find out how to do this, can you tell me
> > > how ?
> > >
> > > > > Am I now supposed to start the MIT kdc ?
> > > >
> > > > Nope.
> > >
> > > OK, I will give up trying to ;-)
> > >
> > > > I've provisioned the AD DC with samba-tool which
> > > > created /var/kerberos/krb5kdc/kdc.conf for me. It looks like your
> > > > system has a different kdc.conf. So you can create it at a special
> > > > location during provision and set it with the 'mit kdc config'
> > > > options.
> > >
> > > I have '/etc/krb5kdc/kdc.conf' , which contains:
> > >
> > > [kdcdefaults]
> > >     kdc_ports = 750,88
> > >
> > > [realms]
> > >     TEST.TLD = {
> > >         database_name = /var/lib/krb5kdc/principal
> > >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> > >         acl_file = /etc/krb5kdc/kadm5.acl
> > >         key_stash_file = /etc/krb5kdc/stash
> > >         kdc_ports = 750,88
> > >         max_life = 10h 0m 0s
> > >         max_renewable_life = 7d 0h 0m 0s
> > >         master_key_type = des3-hmac-sha1
> > >         #supported_enctypes = aes256-cts:normal aes128-cts:normal
> > >         default_principal_flags = +preauth
> > >     }
> > >
> > > Do I need all of that, or only some of it, or do I need to add
> > > something to it ?
> > >
> > > I also take it that I need to provision again, but this time add
> > > '--kdc-config-dir=/etc/krb5kdc/kdc.conf'
> >
> > Every distro has a different default location for the kdc.conf. I've
> > added support for Fedora and openSUSE. So we might want to add more
> > of them. Not sure if we really can but that's why there is
> > --kdc-config-dir
> >
> >
> > However to get it working use:
> >
> > samba-tool domain provision --kdc-config-dir=/etc/krb5kdc/
> >
> >
> > That should create it at the correct location.
>
> Sorry but it didn't work, kinit still cannot find the kdc.
>
> I am provisioning with:
>
> samba-tool domain provision --use-rfc2307 --realm=TEST.TLD
> --domain=TEST --server-role=dc --kdc-config-dir=/etc/krb5kdc/
> --adminpass=xxxxxxxxxx
>
> You seem to be saying that the 'kdc.conf' should be created by the
> provision, this isn't happening for me. I have moved the original one
> out of the way and tried again, I didn't get the 'kdc.conf' created.
>
> What do you expect the 'kdc.conf' to contain ?
>
> Rowland

The samba-tool should print where it creates the kdc.conf file. Did you check
the log message from samba-tool?


