Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

samba: Switch back to builtin Heimdal Kerberos #85362

Merged
merged 1 commit into from Jul 23, 2020
Merged

samba: Switch back to builtin Heimdal Kerberos #85362

merged 1 commit into from Jul 23, 2020

Conversation

dasJ
Copy link
Member

@dasJ dasJ commented Apr 16, 2020
edited

When not building with the experimental (!!) system MIT Kerberos, Samba
will use the builtin Heimdal Kerberos. For this reason, enableKerberos =
true will still include a krb5 implementation, built right into Samba.

There is no benefit in using MIT krb5, however it has some downsides
like not being able to assign computer GPOs 1.

The ArchWiki 2 also mentions this in their installation section.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @Izorkin @abbradar

@dasJ
Copy link
Member Author

dasJ commented Apr 16, 2020
edited

@GrahamcOfBorg test samba

@dasJ
samba: Switch back to builtin Heimdal Kerberos
a3bfbbf 
When not building with the experimental (!!) system MIT Kerberos, Samba
will use the builtin Heimdal Kerberos. For this reason, enableKerberos =
true will still include a krb5 implementation, built right into Samba.

There is no benefit in using MIT krb5, however it has some downsides
like not being able to assign computer GPOs [1].

The ArchWiki [2] also mentions this in their installation section.

[1]: https://lists.samba.org/archive/samba/2018-July/216779.html
[2]: https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller
@ofborg ofborg bot requested a review from aneeshusa April 16, 2020 10:25
@ajs124
Copy link
Member

ajs124 commented May 19, 2020

@aneeshusa what do you think about this?

@dasJ dasJ requested review from Lassulus and adisbladis May 22, 2020 11:51
@dasJ
Copy link
Member Author

dasJ commented Jul 12, 2020

Introduced here: #13514

@dasJ dasJ requested a review from flokli July 20, 2020 22:36
@flokli
Copy link
Contributor

flokli commented Jul 21, 2020

@dasJ I am not really familiar with this piece of software - maybe @abbradar can shed some light on this?

Is there a way this can be added as a regression test to the VM test, so one can see what's going wrong (and is fixed)?

@dasJ
Copy link
Member Author

dasJ commented Jul 21, 2020

Weeeell the problems occur when assigning computer GPOs (which is usually done with the Windows tooling) and Windows computers don't apply them for some reason

@dasJ
Copy link
Member Author

dasJ commented Jul 23, 2020

To be more clear: I don't think a regression test is feasible, since it would require setting up an ActiveDirectory (not supported by the module and impossible because of #86002), creating GPOs, and assigning them to computers.
For the test, I'd either have to run a Windows VM, join the AD, and see the GPOs not getting applied, or painfully reverse engineer the correct RPC calls from samba (and probably wireshark).
I doubt this problem will occur again since we are currently running Samba ADs on customer sites and we'd probably notice regressions very quickly ;)

@flokli
Copy link
Contributor

flokli commented Jul 23, 2020

Fair enough - given there has been another approval and no objections, let's merge this 👍

@flokli flokli merged commit b4784db into NixOS:master Jul 23, 2020
@ajs124 ajs124 deleted the fix-samba-kerberos branch July 23, 2020 12:37
@aneeshusa aneeshusa mentioned this pull request Oct 4, 2020
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Izorkin Izorkin Izorkin approved these changes

@aneeshusa aneeshusa Awaiting requested review from aneeshusa

@Lassulus Lassulus Awaiting requested review from Lassulus

@adisbladis adisbladis Awaiting requested review from adisbladis

@flokli flokli Awaiting requested review from flokli

Assignees
No one assigned
Labels
10.rebuild-darwin: 11-100 10.rebuild-linux: 101-500
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@dasJ @ajs124 @flokli @Izorkin