Created attachment 193537: Enable krb5kdc in samba48
The attached patch allows samba 4.8 to act as an AD DC on a system using MIT Kerberos (security/krb5). For details, see: https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC It uses the option GSSAPI_MIT to build samba --with-system-mitkrb5. As domain provisioning seems broken at the moment, this is a bit complicated to test -- I provisioned a domain using samba47 4.7.3 from SVN revision 456521 with a similar patch (also attached) and upgraded to samba48 afterwards; so far, it seems to work.
Created attachment 193538: enable krb5kdc in samba47-4.7.3
Thanks a lot, Felix! Much appreciated!
On second thought, as this does more than just using GSSAPI implemented by MIT-krb5, it might make more sense to use a different option here -- maybe a radio group KDC with the options KDC_INTERNAL (which is a Heimdal one) vs KDC_MIT? OTOH, GSSAPI_* is often used from make.conf and if you're building a system based on MIT Kerberos, it probably makes sense to have samba use the MIT KDC? So, which one would be better? I could update the patch if necessary.
(In reply to Felix Palmen from comment #3) I've taken the OPTIONS_SINGLE approach, but can you please reply to my mail regarding the need for the post-install-GSSAPI_MIT-on?
Samba 4.8 now comes with the GSSAPI_MIT option. Please try it and check how it works for you.