Date: Thu, 04 Aug 2016 14:09:29 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211142] net/samba4{2,3,4}: ADS option should enforce (imply) WANT_OPENLDAP_SASL
Message-ID: <bug-211142-13-1CjKvc2w9z@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-211142-13@https.bugs.freebsd.org/bugzilla/>
References: <bug-211142-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211142

--- Comment #2 from prj@rootwyrm.com ---

As suggested by Kubilay, here is a (hopefully) better explanation of the problem and compatibility matrix.

For Windows 2k8R2 and later domains, GSSAPI is essentially a requirement for domain join, as they use Kerberos 5 as a key part of authentication. That includes authenticated LDAP queries. Because of that, WANT_OPENLDAP_SASL should be enforced by the Samba ports when the ADS option is set. This is because 2k8R2 functional level and above domains should require Kerberos 5 capability in clients. LDAP queries without GSSAPI authentication should fail for machines joined to the domain. Therefore, the current default will not function as desired on currently supported versions of Active Directory.

For forest roots running below the 2k8R2 functional level, the presence of GSSAPI in the client will not present any problems. So it stands to reason that the Samba ports should at this point require openldap-sasl-client to align with currently supported versions of Active Directory rather than following /etc/make.conf settings as they do now.

Patches have been prepared for security/sssd to address deficiencies in that port, including resolving the openldap-sasl-client requirement, but they depend on answering this question one way or the other first.

The TL;DR being:

Windows 2k8R2 Domains and above: minimum supported version, require GSSAPI
Windows 2k8 Domains and below: unsupported, GSSAPI does not interfere

-- 
You are receiving this mail because:
You are the assignee for the bug.
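The comment above argues that a Samba ADS member needs an OpenLDAP client with SASL/GSSAPI, and that the ports currently key this off a `/etc/make.conf` setting. The script below is an added example written for this page, not part of the bug report or of the Samba or sssd ports: a preflight check an administrator can run on a host before attempting a domain join, to see whether the build configuration and the installed client stack actually provide GSSAPI. The default paths (`/etc/make.conf`, `/usr/local/lib/libldap.so`, `/usr/local/lib/sasl2`) are assumed FreeBSD conventions and can be overridden through the environment; the check treats any uncommented assignment of `WANT_OPENLDAP_SASL` as a request for the SASL client, which is an assumption about how the ports framework reads it.

```shell
#!/bin/sh
# check_ldap_sasl.sh - added example (not from the bug report): preflight check
# that the LDAP client stack a Samba ADS member will use can do SASL/GSSAPI.
# Path defaults are assumed FreeBSD conventions; override via the environment.

MAKE_CONF="${MAKE_CONF:-/etc/make.conf}"
LIBLDAP="${LIBLDAP:-/usr/local/lib/libldap.so}"
SASL_PLUGIN_DIR="${SASL_PLUGIN_DIR:-/usr/local/lib/sasl2}"

# 1. Does make.conf request the SASL-enabled OpenLDAP client for ports builds?
#    Accepts "=", "?=", ":=" and "+=", tolerates whitespace, ignores commented-out
#    lines. Assumption: any uncommented assignment counts as a request.
makeconf_wants_sasl() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*WANT_OPENLDAP_SASL[[:space:]]*[?:+]?=' "$1"
}

# 2. Is the installed libldap linked against libsasl2? Without this, Samba's
#    LDAP calls cannot negotiate GSSAPI whatever the port option says.
libldap_has_sasl() {
    [ -r "$1" ] && ldd "$1" 2>/dev/null | grep -q 'libsasl2'
}

# 3. Is the Cyrus SASL GSSAPI mechanism plugin present in the plugin directory?
sasl_has_gssapi() {
    [ -d "$1" ] || return 1
    for f in "$1"/libgssapiv2*.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print one line per check; return 0 only when every check passes.
report() {
    rc=0
    if makeconf_wants_sasl "$MAKE_CONF"; then
        echo "ok  : $MAKE_CONF sets WANT_OPENLDAP_SASL"
    else
        echo "WARN: $MAKE_CONF does not set WANT_OPENLDAP_SASL (ports build against the non-SASL client)"
        rc=1
    fi
    if libldap_has_sasl "$LIBLDAP"; then
        echo "ok  : $LIBLDAP is linked against libsasl2"
    else
        echo "WARN: $LIBLDAP is missing or not linked against libsasl2 (no SASL binds possible)"
        rc=1
    fi
    if sasl_has_gssapi "$SASL_PLUGIN_DIR"; then
        echo "ok  : GSSAPI mechanism plugin found in $SASL_PLUGIN_DIR"
    else
        echo "WARN: no GSSAPI mechanism plugin in $SASL_PLUGIN_DIR (install the Cyrus SASL GSSAPI plugin)"
        rc=1
    fi
    return $rc
}

# Only run the report when explicitly asked, so the functions can be sourced.
case "${1:-}" in
    run) report; exit $? ;;
esac
```

Run it as `sh check_ldap_sasl.sh run`; a non-zero exit means at least one of the three prerequisites for a GSSAPI-authenticated LDAP bind is missing, which is the situation the comment describes as failing against 2k8R2 and later domains.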