I have no idea what is required for openSUSE to switch to heimdal kerberos. In the past there has been made a decision to abandon heimdal in favor of MIT kerberos. The reasons for this are not known to me.
If you insist on going down this path here is some info that I pieced together so far.
After doing some digging around I found that the samba4 developers had better ties with the heimdal developers and thus choose to work with heimdal in their samba4 ad build.
It seems you first would have to figure out what the reasons for switching to MIT were in the first place, then also find out what dependencies are there in suse on the MIT kerberos and what the impact would be on them when they would make the switch.
For instance everything LDAP related is likely to receive an impact since that uses kerberos as well. Not to forget all the yast tools that work with it (samba/ldap/kerberos)
That’s just the packages I can come up with, I would not be surprised it there were more.
Also take into consideration that the samba devs are working on MIT compatibility see MIT Build - SambaWiki
It will be a matter of time before samba4 starts to work with MIT kerberos.
The question is which traject is the quicker one ?
openSUSE switching to MIT or samba4 obtaining MIT compatibility.
The one with the least work is the latter ofcourse.(for us lazy admins)
More things to consider come to mind, does it really matter that samba4 runs heimdal and the rest of suse runs MIT ?
I mean samba4 runs its heimdal kerberos internally, does it really conflict with the MIT kerberos ?
Can heimdal kerberos talk to mit kerberos ?
Can samba4 run alongside MIT kerberos on the same box, or does it need to be on seperate boxes ?
All these things require testing and checking out, the compatibility answer between kerberos and mit should be only a few google sessions away I think.
The others require testing.
Darn that’s already a lot to check out.
If you are still with me here comes more.
I’ve packaged my own samba4 with heimdal on the obs here :
https://build.opensuse.org/project/show?project=home%3Arobverduijn%3Asamba
And the repo is here :
Index of /repositories/home:/robverduijn:/samba
**
It’s not user friendly**, all startscripts are still missing (sysV and systemd) and no config examples.
I strongly suggest you use a vm for this.
how to configure samba4 can be read here :
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
A little tip, use the internal dns it really works great and it’s a lot easier to setup than the integration with bind or dnsmasq (which also work very well in combination with samba4 btw)
The use of the forwarder setting in the ad config eases everything up a lot.
Make sure you check this page for your filesystem settings :
https://wiki.samba.org/index.php/Samba_4/OS_Requirements
Especially the hints for gentoo, they explain a lot about the requirements.
(I more than once wished suse docs were on the level of gentoo or arch-linux, and thank the gods on my knees each time I see another ubuntu forum post suse is way above that of ubuntu)
A few tips when googling,
- make sure you check the date of the article, you can almost blindly ignore everything from before december 2012, the chances of anything being obsolete increase signifficantly before that date
- arch-linux and gentoo docs and forums contain highly valuable information, they simply know how to write good howtos and to explain the why things work some way
- AVOID all the ubuntu forums, they are so full of obsolete,flawed, incomplete and outright wrong tips its almost impossible to find anything usefull in there.
If you insist on digging ubuntu forums
* first check the date of the post, if its old stop reading
* second check the ubuntu release they talk about, if its old stop reading
the definition of old for ubuntu is anything that has been released more than 6 months ago, including the LTS releases
Hope this helps a bit
Rob
So from what your saying the only thing needed is to switch to a different type of kerberos and this should work ? I realize that this might be a massive change but still is it the only thing that needs to change ?