I must say that the discussion with Niels de Vos from the RH/Storage group and the Samba guy gave lots of hints, opportunities and directions. But when reading some more about creating Samba packages, especially with MIT Kerberos, I feel we are diving into a very uncertain future.
A few things that I want to mention. From the Samba wiki I read that MIT Kerberos support is still experimental. Besides that, there are quite a few features still not supported. I know they MAY be supported in the future, but currently they are not:
Known Limitations of MIT Kerberos Support in Samba
Samba DCs with MIT Kerberos KDC currently do not support:
- PKINIT support required for using smart cards
- Service for User to Self-service (S4U2self)
- Service for User to Proxy (S4U2proxy)
- Running as a Read only domain controller (RODC)
- Authentication Audit logging
- Computer GPOs are not applied, see Bug 13516
At first glance these unsupported features seem to be a showstopper.
On the other hand, I would like to raise the question: if we are to build the packages ourselves, why not build them with Heimdal Kerberos (like the .deb distros are doing)? We currently run the Linux container with the Heimdal packages, and the .deb distros already have a few years of experience with this. You can consider MIT as superior any time, but if it lacks the features we need, we just can't use it. (Just being pragmatic here.)
Alternatively we can keep things as we have now: a Linux container running Samba4 AD. But I understand it is quite difficult to develop using this option.
Another thing to consider is the problems when Samba4 AD and Samba FS are running on the same instance. @davidep mentioned that there were quite a few stability issues and a server needed regular (service) restarts to remain stable. I think this needs more investigation before being able to make a weighed decision on which option to choose.
The last option, dropping Samba4 AD, to me seems a showstopper too. We have a LOT of Windows (Small Business) Server replacements in our community. A lot of our members are going to or have migrated from an AD environment. Their client machines are mostly (probably 95%+) Windows based. UNLESS there is a viable Windows client management option (I don't know of any and I don't think there is), I don't see how we can drop Samba4 AD support.
Some things that need to be investigated:
- Current status of the MIT Kerberos implementation in Samba (some of the Samba wiki pages mentioning MIT Kerberos date back to 2012)
- Impact on creating Samba4 packages ourselves (either MIT or Heimdal kerberos)
- Limitations of either MIT or Heimdal Kerberos
Any other thoughts?