[Samba] AD/DC on EL8/Centos8 etc

[Nick Howitt]

On 15/06/2021 16:04, Rowland penny via samba wrote:
>
> On 15/06/2021 15:39, Nick Howitt via samba wrote:
>>
>>
>> On 15/06/2021 13:17, Denis CARDON via samba wrote:
>>>
>>> Hi Nick,
>>>
>>> Le 15/06/2021 à 13:13, Nick Howitt via samba a écrit :
>>>> Hi Gents,
>>>> Do you know if anyone is maintaining packages for 
>>>> EL8/Centos8/AlmaLinux8 etc with AD/DC support compiled in?
>>>
>>> we have packages for EL8 for Samba 4.12 / 4.13 / 4.14 at 
>>> https://samba.tranquil.it/redhat8/ with EL7 / EL8 documentation at 
>>> https://dev.tranquil.it/samba/en/samba_config_server/redhat8/server_install_samba_centos.html 
>>> . They are compiled and tested on AlmaLinux8. The spec file are 
>>> ported from latest Fedora replacing MIT Kerberos with Heimdal and a 
>>> dozen other small fixes. Note : they are some libs that may be 
>>> incompatible with existing stuff (like libldb) so it is better to 
>>> have a dedicated VM for your DC.
>>>
>>> You can also take a look at Samba+ rpm packages from SetNet.
>>>
>>> Cheers,
>>>
>>> Denis
>>>
>>>
>>>> Regards,
>>>> Nick
>> Very interesting. Can I ask why you maintain them? Also what are the 
>> issues with the incompatible files?
>>
>> My interest is that my distro, ClearOS is looking at AlmaLinux as a 
>> possible parent for ClearOS 8, but they need to work on a Directory 
>> product. Currently they use OpenLDAP in 7.x, but the EL8 preferred 
>> version is Directory 389. ClearOS currently use NT4 domains in 7.x 
>> (which Roland rightly complains about), but I'd like to explore Samba 
>> AD/DC in 8.x as well as a more conventional LDAP product.
>
>
> Come on, please get my name correct 😁
>
Hello Rowland,
Ugh! Mea culpa.
> Also I don't complain about NT4 domains, I just point out that they 
> are going away and AD is easier.
M$ didn't particularly care when their Windoze 1709 update broke joining 
NT4 domains and took a year to fix it. The writing is on the wall. You 
have to make a particular registry edit to get Outlook to work with NT4 
and so on. I don't want to face the flack when M$ take it one stage further.
>
> If you use AD, then you probably do not need ldap, I don't know 
> whether you have noticed, but Samba AD comes with ldap built in.
Yes, I am aware of that but for many ClearOS users, I think an AD/DC is 
OTT e.g. I only use it for simple file sharing and so on.
>
>>
>> At the same time ClearOS is used as a file server and the (strong) 
>> recommendation from Samba is not to do AD/DC and file serving on the 
>> same box, and, if you must, run one of them in Docker/Podman or a VM. 
>> AD/DC upgrades between major versions seem to be best done by running 
>> up a new DC and joining it to the old and then demoting the old one. 
>> This gives an interesting (problematic) upgrade route on a single box.
>
>
> The problem is that there are problems using a Samba AD DC as 
> fileserver, however it is possible, if you can work around the 
> problems e.g. you must use acl_xattr||||
It could be possible. I guess that is what Zentyal do.
>
> Having said that, it would be better if your Clearos machine could act 
> like a Windows DC (and Windows recommends only using a DC for 
> authentication) and for Clearos to supply a client version as well.
Yes, but traditionally we have been a one box solution similar to 
Zentyal. It won't be my decision. Also it appears the recommended Samba 
upgrade path is to spin up another DC, join the domain and demote the 
original. A third box is then needed unless you can do some cute 
VM/Docker/Podman maniplation from outside the VM/container.

Nick
>
> Rowland