[Samba] AD/DC on EL8/Centos8 etc

Rowland penny rpenny at samba.org
Tue Jun 15 15:30:22 UTC 2021

On 15/06/2021 16:21, Nick Howitt via samba wrote:
> On 15/06/2021 16:04, Rowland penny via samba wrote:
>> On 15/06/2021 15:39, Nick Howitt via samba wrote:
>>> On 15/06/2021 13:17, Denis CARDON via samba wrote:
>>>> Hi Nick,
>>>> On 15/06/2021 at 13:13, Nick Howitt via samba wrote:
>>>>> Hi Gents,
>>>>> Do you know if anyone is maintaining packages for 
>>>>> EL8/Centos8/AlmaLinux8 etc with AD/DC support compiled in?
>>>> we have packages for EL8 for Samba 4.12 / 4.13 / 4.14 at 
>>>> https://samba.tranquil.it/redhat8/ with EL7 / EL8 documentation at 
>>>> https://dev.tranquil.it/samba/en/samba_config_server/redhat8/server_install_samba_centos.html 
>>>> . They are compiled and tested on AlmaLinux8. The spec files are 
>>>> ported from latest Fedora replacing MIT Kerberos with Heimdal and a 
>>>> dozen other small fixes. Note: there are some libs that may be 
>>>> incompatible with existing stuff (like libldb) so it is better to 
>>>> have a dedicated VM for your DC.
>>>> You can also take a look at Samba+ rpm packages from SerNet.
>>>> Cheers,
>>>> Denis
>>>>> Regards,
>>>>> Nick
>>> Very interesting. Can I ask why you maintain them? Also what are the 
>>> issues with the incompatible files?
>>> My interest is that my distro, ClearOS is looking at AlmaLinux as a 
>>> possible parent for ClearOS 8, but they need to work on a Directory 
>>> product. Currently they use OpenLDAP in 7.x, but the EL8 preferred 
>>> version is Directory 389. ClearOS currently use NT4 domains in 7.x 
>>> (which Roland rightly complains about), but I'd like to explore 
>>> Samba AD/DC in 8.x as well as a more conventional LDAP product.
>> Come on, please get my name correct 😁
> Hello Rowland,
> Ugh! Mea culpa.
>> Also I don't complain about NT4 domains, I just point out that they 
>> are going away and AD is easier.
> M$ didn't particularly care when their Windoze 1709 update broke 
> joining NT4 domains and took a year to fix it. The writing is on the 
> wall. You have to make a particular registry edit to get Outlook to 
> work with NT4 and so on. I don't want to face the flak when M$ take 
> it one stage further.

I take it that you have missed that Samba has started to deprecate NT4 
domains, never mind Windows, Samba is going to remove them.

>> If you use AD, then you probably do not need ldap, I don't know 
>> whether you have noticed, but Samba AD comes with ldap built in.
> Yes, I am aware of that but for many ClearOS users, I think an AD/DC 
> is OTT e.g. I only use it for simple file sharing and so on.

Try looking at Karoshi, they do something somewhat similar to Clearos, 
but on Ubuntu.

>>> At the same time ClearOS is used as a file server and the (strong) 
>>> recommendation from Samba is not to do AD/DC and file serving on the 
>>> same box, and, if you must, run one of them in Docker/Podman or a 
>>> VM. AD/DC upgrades between major versions seem to be best done by 
>>> running up a new DC and joining it to the old and then demoting the 
>>> old one. This gives an interesting (problematic) upgrade route on a 
>>> single box.
>> The problem is that there are problems using a Samba AD DC as 
>> fileserver, however it is possible, if you can work around the 
>> problems e.g. you must use acl_xattr.
> It could be possible. I guess that is what Zentyal do.

That is another OS, there is also Univention.

>> Having said that, it would be better if your Clearos machine could 
>> act like a Windows DC (and Windows recommends only using a DC for 
>> authentication) and for Clearos to supply a client version as well.
> Yes, but traditionally we have been a one box solution similar to 
> Zentyal. It won't be my decision. Also it appears the recommended 
> Samba upgrade path is to spin up another DC, join the domain and 
> demote the original. A third box is then needed unless you can do some 
> cute VM/Docker/Podman manipulation from outside the VM/container.

I use Louis's repo and just upgrade as normal, the problems really start 
if you compile Samba yourself.
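The thread states that file serving on a Samba AD DC only works if the share uses acl_xattr. The fragment below is an added example of what that looks like in smb.conf; it is not from the thread or from the Samba project's documentation, and the realm, workgroup, share name and path are placeholders. The acl_xattr:ignore system acls option is a real option of the acl_xattr module but is not mentioned in the thread; it is shown here as the usual companion setting when Windows ACLs rather than POSIX ACLs are the source of truth.

```ini
# Added example smb.conf for a Samba AD DC that also serves files.
# Placeholders: EXAMPLE.LAN, EXAMPLE, DC1, /srv/samba/share.
[global]
        realm = EXAMPLE.LAN
        workgroup = EXAMPLE
        netbios name = DC1
        server role = active directory domain controller
        # dfs_samba4 and acl_xattr are the DC's default VFS stack and
        # are required for sysvol/netlogon; keep them explicit here.
        vfs objects = dfs_samba4 acl_xattr

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/example.lan/scripts
        read only = No

# Extra file share on the DC: acl_xattr is mandatory so that Windows
# ACLs set from a client are stored in security.NTACL xattrs.
[share]
        path = /srv/samba/share
        read only = No
        vfs objects = dfs_samba4 acl_xattr
        # Store and enforce NT ACLs only; do not map them onto POSIX ACLs.
        acl_xattr:ignore system acls = yes
```

Run testparm after editing to confirm the file parses and that the share section reports the vfs objects line; the underlying filesystem must be mounted with user xattr support, otherwise acl_xattr cannot persist the NT ACL.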