[Samba] Official RHEL AD DC on RHEL

Jeff Sadowski jeff.sadowski at gmail.com
Mon Feb 20 04:17:06 UTC 2017


I was never able to build it in a way I feel comfortable on Fedora. I would
want to build it using an RPM build process. I think I want an MIT build
but I don't know what all I would need to build either way. I thought it
was pretty close when I saw an MIT build in Fedora 23 with AD support. I
was hoping it would have existed in Fedora Rawhide, but I still haven't
seen it yet. Personally I don't care what distro I use. I use Fedora on my
home server because they keep it up to date for the programs I use. I have
an Ubuntu VM that I run my AD DC on and am not too happy about how slow
Ubuntu updates things. They are still on samba 4.3.x and the kernel is
ancient. The only reason I'm hoping for AD DC in Fedora is I know I'll be
seeing the latest samba with updates within weeks instead of years.

On Sat, Feb 18, 2017 at 9:44 PM, Andrew Bartlett via samba <
samba at lists.samba.org> wrote:

> On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:
> > On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> > <samba at lists.samba.org> wrote:
> > > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > > >
> > > > CentOS [6,7]*, however, does not have full support for AD DC in
> > > > its current Samba 4.x version (without rebuilding the source with
> > > > a few changes):
> >
> > There are changes, but they're not outrageous. I've done some work
> > towards it, at https://github.com/nkadel/samba4repo/, but you really
> > wind up building up all the dependencies as well, and revising or
> > replacing the logic around different versions for internally or
> > externally built libraries. The structure there uses "mock" to build
> > all the relevant library RPMs as well, and put them in local
> > filesystem based yum repository. The requirement for gnutls-3.4.7 or
> > later made me throw in the towel for building current releases on
> > CentOS 7. I did not feel I had the time or tools to consider replacing
> > the dependency chain for that critical security component. Recent
> > Fedora releases have mostly new enough components.
>
> To be clear, we don't require GnuTLS 3.4.7, the check there just means
> we use an alternate implementation of 'BackupKey' if that isn't
> available.  We do require a GnuTLS version, but not the really recent
> one.
>
> The issue was that the older versions had bugs, but if you (as Red Hat
> does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.
>
> > > > You know that Samba 4.7 will have support for AD-DC with MIT
> > > > Kerberos?
> > >
> > > There is still a lot of work to do on that as I understand it, and even
> > > then it will require a very modern MIT Krb5, and probably not what is
> > > in RHEL.  This will remain a long road, sorry.
> >
> > Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> > project, and they were interested that I knew personally a bunch of
> > the Kerberos authors and maintainers from my undergraduate days. If
> > any of them are unresponsive to queries from the Samba developers,
> > maybe I can help reach them? I'll mention their names privately if you
> > like, I'm not sure spamming the list with their names would be
> > welcome.
>
> We have no issues with the communications with Red Hat's staff or the
> MIT krb5 team, and I probably shouldn't have spoken so authoritatively
> about the plans of my fellow team members at Red Hat who have put in
> the work here over around 6 years now.
>
> However, my point is that Samba demands a lot from the KDC, and it
> would shock me if we ever got to a stable spot where a current Samba AD
> DC happily used a RHEL-stable version of the MIT KDC while still
> supporting all the features.  The two are likely to need to march in
> parallel, as we have with our internal Heimdal fork.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba