[Samba] Heimdal Kerberos in Samba4

Jeff Sadowski jeff.sadowski at gmail.com
Mon Aug 1 16:37:20 UTC 2016


Updating Fedora-rawhide this morning, I see 4.5.0rc1 has arrived. And still
no samba-tool, so I looked at installing from source with
dnf download --source samba
rpm -i samba*src.rpm
Looking at the spec file I see a section

%if ! %with_dc
        --without-ad-dc \
%endif

How do I tell rpmbuild with_dc?




On Mon, Aug 1, 2016 at 8:27 AM, mathias dufresne <infractory at gmail.com>
wrote:

> As we wanted to test last Samba version we had to compile Samba manually
> once 4.3.0 went out.
> As we wanted to continue to deploy Samba using system's package manager,
> we decided to build our own RPM.
> As I hate RPM, I had to learn. As I'm lazy, I tried to not waste too much
> time learning RPM.
>
> So I downloaded .spec from Sernet's package 4.2.x, I modified that .spec
> to match new Samba version and I used rpmbuild to build my RPMs (our
> systems are CentOS 7).
>
> This needed some time but is working since 4.3.0 went out, which is
> already a bunch of months and also a bunch of versions recompiled using the
> same .spec, each time with some little adjustments.
>
> And now we have one .spec which is used once per Samba version. Generated
> RPMs can be used for our AD DC and also for our file servers.
>
> Cheers.
>
> 2016-07-29 6:15 GMT+02:00 Jeff Sadowski <jeff.sadowski at gmail.com>:
>
>> correction samba-dc still doesn't come with samba-tool
>>
>> On Thu, Jul 28, 2016 at 10:13 PM, Jeff Sadowski <jeff.sadowski at gmail.com>
>> wrote:
>>
>> > I would like to start testing this? I saw a few months back Alexander
>> > Bokovoy released a build for F23 and I started using that. Now that F24
>> > is out I have to look for a way to upgrade. Is there a build for rawhide
>> > with this? The standard samba-ad package for rawhide that install still
>> > doesn't come with samba-tool. And compiling samba 4.4.5 with-mit-krb5
>> > automatically disables ad support it seems as samba-tool is missing unless
>> > I remove that option. Is this going to be fixed in 4.5.0? Should I download
>> > the source code for 4.5.0 and do I need a bunch of patches that I get
>> > somewhere? I'm a regular Fedora user and I am having difficulties seeing
>> > how to put this all together.
>> >
>> > On Sun, Jul 24, 2016 at 11:38 PM, Nico Kadel-Garcia <nkadel at gmail.com>
>> > wrote:
>> >
>> >> On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org>
>> >> wrote:
>> >> > On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
>> >> >> Hi List,
>> >> >>
>> >> >> I do my best to ask my question in english. ;-)
>> >> >>
>> >> >> Samba4 integrated heimdal kerberos to do the kerberos work for
>> >> >> Active Directory. Some Linux Distributions like fedora/RedHat and
>> >> >> openSUSE/SUSE don't accept heimdal even if it is shipped inside
>> >> >> samba.
>> >> >>
>> >> >> Their argument is that heimdal isn't maintained since 2012.
>> >> >> Compiling samba against MIT krb5 results in Samba-Packages without
>> >> >> AD.
>> >> >>
>> >> >> Result: Active Directory is impossible with the Distribution
>> >> >> packages of samba with the above mentioned Linux distributions.
>> >> >>
>> >> >> Fedoras way to solve this is:
>> >> >>
>> >> >> "We are intending to make possible use of AD DC functionality with
>> >> >> MIT Kerberos but this is longer term project that requires
>> >> >> cooperation between Samba, MIT, and FreeIPA."
>> >> >> which means never, in my opinion.
>> >> >
>> >> > No you're wrong about that. Andreas, Guenther and Alexander
>> >> > at Red Hat are working diligently every day towards this. We're planning
>> >> > to get to that sooner rather than later.
>> >> >
>> >> >> My questions:
>> >> >>
>> >> >> Is the heimdal code inside of samba4 maintained by the samba team or
>> >> >> is this unmaintained static code?
>> >> >
>> >> > Maintained. If it's in Samba we are responsible.
>> >> > Once it's working with MIT we'll eventually remove
>> >> > it from our tree though.
>> >>
>> >> I really wish you luck with that, because it's been an ongoing problem
>> >> in Fedora. The Red Hat personnel I personally met working with
>> >> Kerberos were pretty tightly focused on SSSD, which seems to me to be
>> >> a fairly silly re-implementation of what Samba already does more
>> >> broadly and more consistently.
>> >>
>> >> >> Are there considerations about using MIT krb5 inside samba4 instead
>> >> >> of heimdal?
>> >> >
>> >> > Talk to Andreas, Guenther and Alexander for the latest.
>> >> >
>> >> >> The intention of our project "invis-server" is to bring samba 4 with
>> >> >> AD DC functionality into openSUSE. Therefore we need arguments for
>> >> >> the coming discussion.
>> >> >
>> >> > Hurrah ! I'm really glad to hear this ! If you could
>> >> > coordinate with the people doing the Heimdal -> MIT
>> >> > work then we can get there faster.
>> >> >
>> >> > Cheers,
>> >> >
>> >> >         Jeremy.
>> >>
>> >> I'd also encourage you to take a look at the Fedora "rawhide"
>> >> bundles, for tracing of changed components for RPM. And if you like,
>> >> you might even take a look at my DC enabled ports over at
>> >> https://github.com/nkadel/samba4repo and
>> >> https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5
>> >>
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions:  https://lists.samba.org/mailman/options/samba
>> >>
>> >
>> >
>
>

