Skip to content

samba: Switch back to builtin Heimdal Kerberos #85362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 23, 2020
Merged

samba: Switch back to builtin Heimdal Kerberos #85362

merged 1 commit into from
Jul 23, 2020
+3 −9

Conversation

dasJ
Copy link
Member

@dasJ dasJ commented Apr 16, 2020
edited
Loading

When not building with the experimental (!!) system MIT Kerberos, Samba
will use the builtin Heimdal Kerberos. For this reason, enableKerberos =
true will still include a krb5 implementation, built right into Samba.

There is no benefit in using MIT krb5, however it has some downsides
like not being able to assign computer GPOs 1.

The ArchWiki 2 also mentions this in their installation section.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @Izorkin @abbradar

Sorry, something went wrong.

@dasJ
Copy link
Member Author

dasJ commented Apr 16, 2020
edited
Loading

@GrahamcOfBorg test samba

@dasJ dasJ force-pushed the fix-samba-kerberos branch from e5367ed to 6d3dde9 Compare April 16, 2020 10:14
@dasJ
samba: Switch back to builtin Heimdal Kerberos

Verified

This commit was signed with the committer’s verified signature. The key has expired.
dasJ Janne Heß
GPG key ID: 69165158F05265DF
Expired
Verified
Learn about vigilant mode
a3bfbbf 
When not building with the experimental (!!) system MIT Kerberos, Samba
will use the builtin Heimdal Kerberos. For this reason, enableKerberos =
true will still include a krb5 implementation, built right into Samba.

There is no benefit in using MIT krb5, however it has some downsides
like not being able to assign computer GPOs [1].

The ArchWiki [2] also mentions this in their installation section.

[1]: https://lists.samba.org/archive/samba/2018-July/216779.html
[2]: https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller
@dasJ dasJ force-pushed the fix-samba-kerberos branch from 6d3dde9 to a3bfbbf Compare April 16, 2020 10:18
@ofborg ofborg bot requested a review from aneeshusa April 16, 2020 10:25
@ajs124
Copy link
Member

ajs124 commented May 19, 2020

@aneeshusa what do you think about this?

@dasJ dasJ requested review from Lassulus and adisbladis May 22, 2020 11:51
@dasJ
Copy link
Member Author

dasJ commented Jul 12, 2020

Introduced here: #13514

@dasJ dasJ requested a review from flokli July 20, 2020 22:36
@flokli
Copy link
Contributor

flokli commented Jul 21, 2020

@dasJ I am not really familiar with this piece of software - maybe @abbradar can shed some light on this?

Is there a way this can be added as a regression test to the VM test, so one can see what's going wrong (and is fixed)?

@dasJ
Copy link
Member Author

dasJ commented Jul 21, 2020

Weeeell the problems occur when assigning computer GPOs (which is usually done with the Windows tooling) and Windows computers don't apply them for some reason

@dasJ
Copy link
Member Author

dasJ commented Jul 23, 2020

To be more clear: I don't think a regression test is feasible, since it would require setting up an ActiveDirectory (not supported by the module and impossible because of #86002), creating GPOs, and assigning them to computers.
For the test, I'd either have to run a Windows VM, join the AD, and see the GPOs not getting applied, or painfully reverse engineer the correct RPC calls from samba (and probably wireshark).
I doubt this problem will occur again since we are currently running Samba ADs on customer sites and we'd probably notice regressions very quickly ;)

@flokli
Copy link
Contributor

flokli commented Jul 23, 2020

Fair enough - given there has been another approval and no objections, let's merge this 👍

@flokli flokli merged commit b4784db into NixOS:master Jul 23, 2020
@ajs124 ajs124 deleted the fix-samba-kerberos branch July 23, 2020 12:37
@aneeshusa aneeshusa mentioned this pull request Oct 4, 2020
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Izorkin Izorkin

@aneeshusa aneeshusa

@Lassulus Lassulus

@adisbladis adisbladis

@flokli flokli

Assignees
No one assigned
Labels
10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dasJ @ajs124 @flokli @Izorkin