On Sun, 28 Jun 2020 16:39:44 +0100 Sam Morris <s...@robots.org.uk> wrote: ...
Since running Samba AD DC built with MIT Kerberos is still an experimental feature, it's not a good idea to switch the whole source package over wholesale. But I wonder if it would be possible to build only smbcliennt with the system libkrb5, so that it can take advantage of these features (in particular, credential cache types other than FILE)?
Currently, this is not possible, because almost all binary packages built from samba source in Debian depend on common samba-libs package, and the dependency is strict (= exact binary version). This is because samba-libs is a massive thing which contains everything, all libraries needed by any other binary in samba, including all internal libraries. In particular, smbclient and libsmbclient both depends on samba-libs (of the exact binary version of samba-libs). And samba-libs package highly depends on the configuration. In 4.16 I tried to move libraries which are only used in a single binary package, to that package out of samba-libs. This way, for example, winbind package got a few libs. Bit this is nothing really. But samba-libs needs to be split further, into something like samba-common-libs, samba-client-libs, and so on. This way, we may have some of them independent on the kerberos implementation used - say, samba-common-libs, whicih can be used by both heimdal-using samba server packages and mitkrb5-using smbclient. Or alternatively, another set of samba-libs - ie, another package of samba-libs, say, samba-libs-mitkrb5 - needs to be created. This quickly becomes rather ugly and unmanageable. I think the only more or less realistic way to go is to split samba-libs into subcomponents. Actually, samba-common-bin and samba packages also needs to be split further into multiple pieces. For example, that needs to be samba-ad-dc, samba-ad-dc-provision (for /usr/share/samba/setup/*), maybe samba-krb5-printing, maybe python3-samba-ad-dc (from python3-samba) and so on. This is not a huge work really, but it needs to be done in order to allow to mix and match things. Besides, I implemented pkg.samba.mitkrb5 build profile for samba package, maybe this one will help somehow. But it builds everything with mit-krb5, including the experimental ad-dc code. Thanks, /mjt