[Samba] AD/DC on EL8/Centos8 etc

Rowland penny rpenny at samba.org
Tue Jun 15 15:04:56 UTC 2021

On 15/06/2021 15:39, Nick Howitt via samba wrote:
> On 15/06/2021 13:17, Denis CARDON via samba wrote:
>> Hi Nick,
>> On 15/06/2021 at 13:13, Nick Howitt via samba wrote:
>>> Hi Gents,
>>> Do you know if anyone is maintaining packages for 
>>> EL8/Centos8/AlmaLinux8 etc with AD/DC support compiled in?
>> we have packages for EL8 for Samba 4.12 / 4.13 / 4.14 at 
>> https://samba.tranquil.it/redhat8/ with EL7 / EL8 documentation at 
>> https://dev.tranquil.it/samba/en/samba_config_server/redhat8/server_install_samba_centos.html 
>> . They are compiled and tested on AlmaLinux8. The spec files are 
>> ported from latest Fedora, replacing MIT Kerberos with Heimdal, plus a 
>> dozen other small fixes. Note: there are some libs that may be 
>> incompatible with existing stuff (like libldb), so it is better to 
>> have a dedicated VM for your DC.
>> You can also take a look at Samba+ rpm packages from SetNet.
>> Cheers,
>> Denis
>>> Regards,
>>> Nick
> Very interesting. Can I ask why you maintain them? Also what are the 
> issues with the incompatible files?
> My interest is that my distro, ClearOS is looking at AlmaLinux as a 
> possible parent for ClearOS 8, but they need to work on a Directory 
> product. Currently they use OpenLDAP in 7.x, but the EL8 preferred 
> version is Directory 389. ClearOS currently use NT4 domains in 7.x 
> (which Roland rightly complains about), but I'd like to explore Samba 
> AD/DC in 8.x as well as a more conventional LDAP product.

Come on, please get my name correct 😁

Also I don't complain about NT4 domains, I just point out that they are 
going away and AD is easier.

If you use AD, then you probably do not need ldap. I don't know whether 
you have noticed, but Samba AD comes with ldap built in.

> At the same time ClearOS is used as a file server and the (strong) 
> recommendation from Samba is not to do AD/DC and file serving on the 
> same box, and, if you must, run one of them in Docker/Podman or a VM. 
> AD/DC upgrades between major versions seem to be best done by running 
> up a new DC and joining it to the old and then demoting the old one. 
> This gives an interesting (problematic) upgrade route on a single box.

The problem is that there are problems using a Samba AD DC as a 
fileserver; however, it is possible if you can work around the problems, 
e.g. you must use acl_xattr.

Having said that, it would be better if your ClearOS machine could act 
like a Windows DC (and Windows recommends only using a DC for 
authentication) and for ClearOS to supply a client version as well.

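As an added illustration of the acl_xattr point above (this is an example written for this page, not a config from the thread or from the Samba project), a share definition for a Samba AD DC that keeps the Windows-ACL model. The share name and path are assumptions; the parameters are the ones documented in smb.conf(5) and vfs_acl_xattr(8):

```ini
# Added example smb.conf fragment for an AD DC that also serves a share.
# Assumptions: the DC was provisioned with samba-tool, and /srv/samba/data
# is an existing directory; "data" is a hypothetical share name.

[global]
    # The DC role already defaults vfs objects to "dfs_samba4 acl_xattr".
    # If you set vfs objects explicitly on a DC, keep both modules; dropping
    # acl_xattr breaks the Windows ACL handling the DC relies on for sysvol.
    server role = active directory domain controller

[data]
    path = /srv/samba/data
    read only = no
    # Keep acl_xattr so NT ACLs are stored in the security.NTACL xattr and
    # are the authoritative permission source, as Windows clients expect.
    vfs objects = dfs_samba4 acl_xattr
    # Let ACL inheritance behave as on Windows.
    map acl inherit = yes
    # Ignore the POSIX mode/ACL entirely and trust only the stored NT ACL;
    # do not combine this with a posix ACL tool (setfacl) on the same tree.
    acl_xattr:ignore system acls = yes
```

Ownership and permissions on such a share are then set from Windows (Computer Management or the Security tab as a member of Domain Admins), not with chmod or setfacl, which is the "work around the problems" part: a DC's shares are managed the Windows way or not at all.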
