[Samba] RHEL7/Centos7 with Samba AD

Rowland Penny rpenny at samba.org
Tue Dec 11 09:12:16 UTC 2018


On Tue, 11 Dec 2018 18:54:48 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> > On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett
> > <abartlet at samba.org> wrote:
> > > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > > 
> > > > I actually hope that the "--with-experimental-ad-dc" option
> > > > will work well, as it seems to in Fedora 29. I'm not holding my
> > > > breath for it.
> > > 
> > > I'm sorry if my hints have not been strong enough:
> > > 
> > > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
> > 
> > Jeremy, I'm not the one who introduced this. It's not apparent from
> > my git history, but I imported those settings straight from the
> > Fedora 29 SRPM, which uses precisely those settings.
> 
> I'm Andrew.  I'll explain a bit more why Fedora upstream is not a good
> guide here.
> 
> > > Your end users don't know we lack security support for this mode,
> > > and do not have the resources to even fix the well known bugs in
> > > a timely manner.  It remains as a base for a future development
> > > effort from some well-funded partner who needs it.
> > 
> > Right. Thank you, and I'll try to reach upstream about this. Please
> > don't blame me for activating that one, I've been working to
> > backport from Fedora 29.
> 
> Upstream won't fix it, except to disable the AD DC again.  They are,
> by corporate edict, not permitted to ship our internal Heimdal. 
> 
> > > As we know Red Hat doesn't need it any more, so who this will be
> > > is an open question.
> > 
> > That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't
> > actually contain a domain controller, just empty RPMs with README
> > files saying "we don't actually contain a domain controller", which
> > I find confusing and disappointing. I build these as a hobby, and
> > have been doing this sort of thing since SunOS 4.1.2, to see what
> > the features of the latest releases are and as a hook for people
> > who might need them for production use. Red Hat is welcome to them.
> > I grabbed the latest 4.9.3 from Fedora, with surprise to see that
> > the with_dc had been enabled in the latest release with precisely
> > those settings.
> > 
> > I'm happy to pass along your comments in a bugzilla for Fedora and
> > discourage their use of this unsupported feature.
> 
> The maintainers are Samba Team members, they know the situation very
> well.  
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
> 
> The problem is the gap between Fedora, and even un-official packages
> for RHEL/CentOS, as while few servers run on Fedora, people will use
> these packages as an AD DC, hit the bugs in the MIT KDC, then come
> here about it. 
> 
> If you only want to do a pure backport (and not adjust the packages),
> it would be safer, for the RHEL backport packages, to also turn off
> the AD DC like RHEL does. 
> 
> It is great to have more diversity in package sources for RPM users,
> and I thank you for providing them!  I just have some strong feelings
> about unsupported code in what I hope becomes a popular package
> source.
> 
> I hope this clarifies things,
> 
> Andrew Bartlett
> - 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
> 
> 
> 

I will be even more blunt, it seems that RHEL will never ship a
version of Samba that you can use as an AD DC, see here (near the
bottom):

https://bugzilla.redhat.com/show_bug.cgi?id=910464

If you use MIT kerberos, there are numerous problems you will hit, so,
use it for testing by all means, but never use it in production.

Rowland


