[Samba] AD/DC on EL8/Centos8 etc
rpenny at samba.org
Tue Jun 15 15:30:22 UTC 2021
On 15/06/2021 16:21, Nick Howitt via samba wrote:
> On 15/06/2021 16:04, Rowland penny via samba wrote:
>> On 15/06/2021 15:39, Nick Howitt via samba wrote:
>>> On 15/06/2021 13:17, Denis CARDON via samba wrote:
>>>> Hi Nick,
>>>> On 15/06/2021 at 13:13, Nick Howitt via samba wrote:
>>>>> Hi Gents,
>>>>> Do you know if anyone is maintaining packages for
>>>>> EL8/Centos8/AlmaLinux8 etc with AD/DC support compiled in?
>>>> we have packages for EL8 for Samba 4.12 / 4.13 / 4.14 at
>>>> https://samba.tranquil.it/redhat8/ with EL7 / EL8 documentation at
>>>> . They are compiled and tested on AlmaLinux8. The spec files are
>>>> ported from latest Fedora replacing MIT Kerberos with Heimdal and a
>>>> dozen other small fixes. Note: there are some libs that may be
>>>> incompatible with existing stuff (like libldb) so it is better to
>>>> have a dedicated VM for your DC.
>>>> You can also take a look at Samba+ rpm packages from SerNet.
>>> Very interesting. Can I ask why you maintain them? Also what are the
>>> issues with the incompatible files?
>>> My interest is that my distro, ClearOS is looking at AlmaLinux as a
>>> possible parent for ClearOS 8, but they need to work on a Directory
>>> product. Currently they use OpenLDAP in 7.x, but the EL8 preferred
>>> version is Directory 389. ClearOS currently use NT4 domains in 7.x
>>> (which Roland rightly complains about), but I'd like to explore
>>> Samba AD/DC in 8.x as well as a more conventional LDAP product.
>> Come on, please get my name correct 😁
> Hello Rowland,
> Ugh! Mea culpa.
>> Also I don't complain about NT4 domains, I just point out that they
>> are going away and AD is easier.
> M$ didn't particularly care when their Windoze 1709 update broke
> joining NT4 domains and took a year to fix it. The writing is on the
> wall. You have to make a particular registry edit to get Outlook to
> work with NT4 and so on. I don't want to face the flack when M$ take
> it one stage further.
I take it that you have missed that Samba has started to deprecate NT4
domains, never mind Windows, Samba is going to remove them.
>> If you use AD, then you probably do not need ldap, I don't know
>> whether you have noticed, but Samba AD comes with ldap built in.
> Yes, I am aware of that but for many ClearOS users, I think an AD/DC
> is OTT e.g. I only use it for simple file sharing and so on.
Try looking at Karoshi, they do something somewhat similar to ClearOS,
but on Ubuntu.
>>> At the same time ClearOS is used as a file server and the (strong)
>>> recommendation from Samba is not to do AD/DC and file serving on the
>>> same box, and, if you must, run one of them in Docker/Podman or a
>>> VM. AD/DC upgrades between major versions seem to be best done by
>>> running up a new DC and joining it to the old and then demoting the
>>> old one. This gives an interesting (problematic) upgrade route on a
>>> single box.
>> The problem is that there are problems using a Samba AD DC as
>> fileserver, however it is possible, if you can work around the
>> problems e.g. you must use acl_xattr.
> It could be possible. I guess that is what Zentyal do.
That is another OS, there is also Univention.
>> Having said that, it would be better if your ClearOS machine could
>> act like a Windows DC (and Windows recommends only using a DC for
>> authentication) and for ClearOS to supply a client version as well.
> Yes, but traditionally we have been a one box solution similar to
> Zentyal. It won't be my decision. Also it appears the recommended
> Samba upgrade path is to spin up another DC, join the domain and
> demote the original. A third box is then needed unless you can do some
> cute VM/Docker/Podman manipulation from outside the VM/container.
I use Louis's repo and just upgrade as normal, the problems really start
if you compile Samba yourself.
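The acl_xattr point raised above is worth spelling out, since the usual way to lose it is by accident. On a Samba AD DC the acl_xattr VFS module is active by default (together with dfs_samba4), which is what keeps Windows-style ACLs on the DC's shares; a share section that sets its own `vfs objects` line replaces that default for the share rather than adding to it. The smb.conf fragment below is an added illustration, not part of this thread or of the Samba project's shipped configuration; the share names and the path are assumptions.

```ini
[global]
    # Settings written by "samba-tool domain provision" (realm, workgroup,
    # netbios name, server role) are assumed to be present here.
    # An AD DC already loads these modules by default; listing them
    # explicitly makes the dependency visible to the next admin.
    vfs objects = dfs_samba4 acl_xattr

# Problematic share: "vfs objects" here REPLACES the global list for this
# share, so acl_xattr (and dfs_samba4) silently drop out of the stack and
# Windows ACL handling on this share is lost.
[archive-broken]
    path = /srv/samba/archive        ; assumed path
    read only = no
    vfs objects = recycle

# Corrected share: when a share needs an extra module, repeat the DC
# modules alongside it so the ACL store is kept.
[archive]
    path = /srv/samba/archive        ; assumed path
    read only = no
    vfs objects = dfs_samba4 acl_xattr recycle
```

After editing, `testparm -s` prints the effective per-share `vfs objects` value, which is the quickest way to confirm that acl_xattr is still in the list for every share on the DC.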