MIT kerberos vs heimdal

Tomasz Pala gotar at
Fri Feb 20 01:57:59 CET 2015

On Sun, Feb 08, 2015 at 11:36:42 +0100, Jan Rękorajski wrote:

>> > But that's not the point, you missed the most important issue (system
>> > MIT makes samba4 useless):
> APIs and ABIs in Heimdal and MIT are different. Samba uses Heimdal to do
> AD DC kerberos. It does not build with MIT. Fedora distributes samba4
> without Kerberos, makeing it effectively a samba3 PDC. The whole point
> of samba4 is it being full fledged MS AD DC. Is that explanation clear enough?

OK, I see now. So let's do some logic:

samba	R: heimdal-libs-server	fine; note nothing else requires this lib!

openldap-overlay-smbk5pwd, python-samba, samba, samba-libs
	R: heimdal-libs-common	fine; also, nothing else requires these!

samba-libs are required by other samba subpackages (incl. libsmbclient) only

- so all we need to crosscheck is libsmbclient vs heimdal-libs:

poldek:/all-avail> desc -B libsmbclient-4.1.14-1.x86_64 

Package:        libsmbclient-4.1.14-1.x86_64
Required(by):   cifs-utils, fusesmb, gmerlin-avdecoder, gmplayer,
gnome-control-center, gnome-vfs2-libs, gvfs-smb, kde4-kdebase-runtime,
mencoder, mpd, mpd, mplayer, mpv, mpv-client-libs,
perl-Filesys-SmbClient, [*samba*], vlc, xbmc, xine-input-smb

Which one of those require heimdal-libs as well?

cifs-utils, gnome-control-center, gnome-vfs2-libs

These 3 might (should?) to be compiled using heimdal-libs.
I've also checked what requires heimdal-devel, gnome-vfs2-devel, samba-devel 
and libsmbclient-devel and haven't seen any clashes.

My point is - assuming I haven't forgot about anything (considering my last mail
about versioned symbols) we could safely:

1. compile samba against heimdal to have AD (as an exception!),
2. compile everything else against MIT,
2a. except the things that require KRB+SMB itself as a precaution (i.e.
    the three packages mentioned earlier) (???)


1. there might be situations where:

binary	-> MIT KRB
	-> lib1	-> MIT KRB
	-> lib2 -> lib*smb* -> heimdal KRB

but this would be valid since all KRB symbols are versioned and there
should be no path for any kerberos struct passing between lib1 and lib2
(only between binary and lib1).

2. every possible lib2 that uses both SMB _and_ KRB uses heimdal
(currently gnome-vfs2-libs only).

In other words: if we want samba-server using heimdal, it does NOT mean
we need to build everything else using heimdal; client-server protocol
effectively separates different API and ABI, symbol versioning separates
ABI pulled in within single code executed.

>> >> > and that's crucial now Samba is a real AD server. Just read README.dc
>> >> > from Fedora's samba package, it's so pathetic it still makes me
>> >> > laugh my ass off.
>> >> >
>> >> > That were the reasons we switched to Heimdal.
>> Wasn't that the reason THEY have created FreeIPA for AD?
> Who are THEY?

Fedora guys. As a solution for such heroic (or brain damaged) hackery
required for setting up AD services you've mentioned they've ended up in
FreeIPA. Isn't that better than our approach? Honestly I won't be
capable of setting AD on PLD if I need to (well, mostly because I don't
have any windows system to do step-by-step environment debugging) - MIT
or heimdal, no difference, won't work and pld-doc doesn't help.

Tomasz Pala <gotar at>

More information about the pld-devel-en mailing list