From owner-freebsd-ports-bugs@freebsd.org Thu Aug 4 14:09:29 2016
Return-Path:
Delivered-To: freebsd-ports-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 09B83BAEF0A for ; Thu, 4 Aug 2016 14:09:29 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D455E1558 for ; Thu, 4 Aug 2016 14:09:28 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u74E9S6k096452 for ; Thu, 4 Aug 2016 14:09:28 GMT (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 211142] net/samba4{2,3,4}: ADS option should enforce (imply) WANT_OPENLDAP_SASL
Date: Thu, 04 Aug 2016 14:09:29 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: needs-patch, needs-qa
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: prj@rootwyrm.com
X-Bugzilla-Status: Open
X-Bugzilla-Resolution:
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-ports-bugs@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback? merge-quarterly?
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 04 Aug 2016 14:09:29 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=211142

--- Comment #2 from prj@rootwyrm.com ---

As suggested by Kubilay, here is a (hopefully) better explanation of the problem and compatibility matrix.

For Windows 2k8R2 and later domains, GSSAPI is essentially a requirement for domain join as they use Kerberos 5 as a key part of authentication. That includes authenticated LDAP queries. Because of that, WANT_OPENLDAP_SASL should be enforced by the Samba ports when the ADS option is set. This is because 2k8R2 functional level and above domains should require Kerberos 5 capability in clients. LDAP queries without GSSAPI authentication should fail for machines joined to the domain. Therefore, the current default will not function as desired on currently supported versions of Active Directory.

For forest roots running below the 2k8R2 functional level, the presence of GSSAPI in the client will not present any problems. So it stands to reason that the Samba ports should at this point require openldap-sasl-client to align with current supported versions of Active Directory rather than following /etc/make.conf settings as they do now.

Patches have been prepared for security/sssd to address deficiencies in that port, including resolving the openldap-sasl-client requirement, but they depend on answering this question one way or the other first.

The TL;DR being:

Windows 2k8R2 Domains and above: minimum supported version, require GSSAPI
Windows 2k8 Domains and below: unsupported, GSSAPI does not interfere

-- 
You are receiving this mail because:
You are the assignee for the bug.
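The comment proposes that selecting ADS should force the SASL-enabled OpenLDAP client instead of leaving that choice to /etc/make.conf. The fragment below is an added illustration of what such a port Makefile change could look like; it is not from the bug, the Samba ports, or the FreeBSD ports tree. It assumes the ports options framework semantics I know of (PORT_OPTIONS being populated after bsd.port.options.mk is included, and ADS_IMPLIES forcing a dependent option on), and it assumes WANT_OPENLDAP_SASL is the knob the ports LDAP glue consults when a port declares USE_OPENLDAP; the option names and the comment text are illustrative.

```make
# Added illustration (not the real net/samba4x Makefile): make the ADS
# option imply the SASL-capable OpenLDAP client, regardless of make.conf.

OPTIONS_DEFINE=		LDAP ADS
OPTIONS_DEFAULT=	LDAP

LDAP_DESC=		LDAP support
ADS_DESC=		Active Directory client support (requires Kerberos/GSSAPI)

# Assumed framework behaviour: ADS needs LDAP, so turning ADS on forces LDAP on.
ADS_IMPLIES=		LDAP

.include <bsd.port.options.mk>

.if ${PORT_OPTIONS:MLDAP}
USE_OPENLDAP=		yes
.endif

# The point of the bug: with ADS set, do not trust the user's make.conf.
# A 2k8R2+ domain rejects LDAP binds that are not GSSAPI-authenticated,
# so the non-SASL client would build but fail at join/query time.
.if ${PORT_OPTIONS:MADS}
WANT_OPENLDAP_SASL=	yes
.endif

.include <bsd.port.mk>
```

Setting the knob inside the port rather than relying on /etc/make.conf means a plain `make config` with ADS checked yields an openldap-sasl-client dependency every time, which is the behaviour the comment argues for; an operator who has already installed openldap-client would see the conflicting-package error at install time instead of a silent GSSAPI bind failure later.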