[Samba] Offical RHEL AD DC on RHEL

Andrew Bartlett abartlet at samba.org
Sun Feb 19 04:44:07 UTC 2017

On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:
> On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> <samba at lists.samba.org> wrote:
> > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > > 
> > > Centos [6,7]* however does not have into current samba 4.x
> > > version
> > > fully support to AD DC (without rebuild the source with some few
> > > changes):
> There are changes, but they're not outrageous. I've done some work
> towards it, at https://github.com/nkadel/samba4repo/, but you really
> wind up building up all the dependencies as well, and revising or
> replacing the logic around different versions for internally or
> externally built libraries. The structure there uses "mock" to build
> all the relevant library RPMs as well, and put them in local
> filesystem based yum repository. The requirement for gnutls-3.4.7 or
> later made me throw in the towel for building current releases on
> CentOS 7. I did not feel I had the time or tools to consider
> replacing
> the dependency chain for that critical security component. Recent
> Fedora releases, have mostly new enough components.

To be clear, we don't require GnuTLS 3.4.7, the check there just means
we use an alternate implementation of 'BackupKey' if that isn't
available.  We do require a GnuTLS version, but not the really recent

The issue was that the older versions had bugs, but if you (as Red Hat
does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.

> > > You know that Samba 4.7 will have support to AD-DC with MIT
> > > Kerberos?
> > 
> > There is still a lot of work to do on that as I understand it, and
> > even
> > then it will require a very modern MIT Krb5, and probably not what
> > is
> > in RHEL.  This will remain a long road, sorry.
> Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> project, and they were interested that I knew personally a bunch of
> the Kerberos authors and maintainers from my undergraduate days. If
> any of them are unresponsive to queries from the Samba developers,
> maybe I can help reach them? I'll mention their names privately if
> you
> like, I'm not sure spamming the list with their names would be
> welcome.

We have no issues with the communications with Red Hat's staff or the
MIT krb5 team, and I probably shouldn't have spoken so authoritatively
about the plans of my fellow team members at Red Hat who have put in
the work here over around 6 years now.  

However, my point is that Samba demands a lot from the KDC, and it
would shock me if we ever got to a stable spot where a current Samba AD
DC happily used a RHEL-stable version of the MIT KDC while still
supporting all the features.  The two are likely to need to march in
parallel, as we have with our internal Heimdal fork. 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list