From a3bfbbf8a0d0d7109741ae55069a1f7df2c65147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?=
Date: Thu, 16 Apr 2020 12:04:22 +0200
Subject: [PATCH] samba: Switch back to builtin Heimdal Kerberos

When not building with the experimental (!!) system MIT Kerberos, Samba will use the builtin Heimdal Kerberos. For this reason, enableKerberos = true will still include a krb5 implementation, built right into Samba. There is no benefit in using MIT krb5, however it has some downsides like not being able to assign computer GPOs [1]. The ArchWiki [2] also mentions this in their installation section.

[1]: https://lists.samba.org/archive/samba/2018-July/216779.html
[2]: https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller
---
 pkgs/servers/samba/4.x.nix | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/pkgs/servers/samba/4.x.nix b/pkgs/servers/samba/4.x.nix
index 1d6951bb8c1c..af2c25545023 100644
--- a/pkgs/servers/samba/4.x.nix
+++ b/pkgs/servers/samba/4.x.nix
@@ -30,7 +30,6 @@
 , enableProfiling ? true
 , enableMDNS ? false, avahi
 , enableDomainController ? false, gpgme, lmdb
-, enableKerberos ? true, krb5Full
 , enableRegedit ? true, ncurses
 , enableCephFS ? false, libceph
 , enableGlusterFS ? false, glusterfs, libuuid
@@ -91,7 +90,6 @@ stdenv.mkDerivation rec {
  ++ optional (enablePrinting && stdenv.isLinux) cups
  ++ optional enableMDNS avahi
  ++ optionals enableDomainController [ gpgme lmdb ]
- ++ optional enableKerberos krb5Full
  ++ optional enableRegedit ncurses
  ++ optional (enableCephFS && stdenv.isLinux) libceph
  ++ optionals (enableGlusterFS && stdenv.isLinux) [ glusterfs libuuid ]
@@ -115,13 +113,9 @@ stdenv.mkDerivation rec {
  "--sysconfdir=/etc"
  "--localstatedir=/var"
  "--disable-rpath"
- ] ++ singleton (if enableDomainController
- then "--with-experimental-mit-ad-dc"
- else "--without-ad-dc")
- ++ optionals enableKerberos [
- "--with-system-mitkrb5"
- "--with-system-mitkdc=${krb5Full}"
- ] ++ optionals (!enableLDAP) [
+ ] ++ optional (!enableDomainController)
+ "--without-ad-dc"
+ ++ optionals (!enableLDAP) [
  "--without-ldap"
  "--without-ads"
  ] ++ optional enableProfiling "--with-profiling-data"
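Review bot: Nothing in the new flag list records that leaving out `--with-system-mitkrb5` is deliberate and that Kerberos now always comes from Samba's bundled Heimdal. A comment above the `"--without-ad-dc"` line, such as `# No --with-system-mitkrb5: use Samba's bundled Heimdal (the MIT AD DC is experimental upstream)`, would keep a later change from quietly re-adding it. The commit or release notes should also say that Kerberos fixes for this package then arrive only with Samba updates, not with the system krb5 package, so patch tracking has to follow Samba's advisories for that code. Because the first hunk drops the `enableKerberos` and `krb5Full` arguments, existing `override { enableKerberos = ...; }` calls will presumably fail to evaluate unless the argument set, which is not fully visible here, ends in `...`. The enclosing flag list starts and ends outside this hunk.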