[Samba] RHEL7/Centos7 with Samba AD

Nico Kadel-Garcia nkadel at gmail.com
Sat Dec 15 03:24:31 UTC 2018 

On Tue, Dec 11, 2018 at 12:54 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> > On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > >
> > > > I actually hope that the "--with-experimental-ad-dc" option will work
> > > > well, as it seems to in Fedora 29. I'm not holding my breath for it.
> > >
> > > I'm sorry if my hints have not been strong enough:
> > >
> > > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
> >
> > Jeremy, I'm not the one who introduced this. It's not apparent from my
> > git history, but I imported those settings straight from the Fedora 29
> > SRPM, which uses precisely those settings.
>
> I'm Andrew.  I'll explain a bit more why Fedora upstream is not a good
> guide here.

Gods. Sorry about that, I've occasionally pitched in on Samba ports
since.... 1993, with SunOS 4.1.2, I think? I should know your name
better than that.

> Upstream won't fix it, except to disable the AD DC again.  They are, by
> corporate edict, not permitted to ship our internal Heimdal.

Yeah. I got that part.

> The maintainers are Samba Team members, they know the situation very
> well.
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
>
> The problem is the gap between Fedora, and even un-official packages
> for RHEL/CentOS, as while few servers run on Fedora, people will use
> these packages as an AD DC, hit the bugs in the MIT KDC, then come here
> about it.

Then I really wish they'd stop publishing empty packages labeled
"samba-dc".  It's confusing and irksome.

> If you only want to do a pure backport (and not adjust the packages),
> it would be safer, for the RHEL backport packages, to also turn off the
> AD DC like RHEL does.

The whole point of the backports for RHEL is to enable the full domain
controller feature list. I've followed your advice, and it is
compiling well with Heimdal enabled for both Fedora and for RHEL 7.
Doing it the way you said, and allowing the Heimdal Kerberos to be
used for the dc is working well in my limited testing.

> It is great to have more diversity in package sources for RPM users,
> and I thank you for providing them!  I just have some strong feelings
> about unsupported code in what I hope becomes a popular package source.

I agree with the philosophy, and had not appreciated the risk that I
was importing from the current Fedora upstream practices.

> I hope this clarifies things,

It does.

More information about the samba mailing list