
Re: [Samba] RHEL7/Centos7 with Samba AD




On Sat, Dec 8, 2018 at 12:34 AM Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
>
> On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> > On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> > <samba@xxxxxxxxxxxxxxx> wrote:
> >
> > > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > > clients or DCs. I still have a few details to work out (how to move the
> > > Samba servers from local auth to AD auth, etc.. mostly because it's not
> > > my area of expertise) but it's been working fine for me so far.
> > >
> > > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > > for el7. So far, I've tried:
> > >
> > > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > > source rpms unless you complain a lot.
> > >
> > > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> > >
> > > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > > pull down rpms from them for months.
> > >
> > > Any non-inflammatory comments are welcome! :)
> >
> > There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> > I've found that Samba 4.9 with the domain controller requires gnutls
> > 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> > welcome to play with the tools and set up a samba-4.8.x branch.
>
> Can you get me some more details on that?  It isn't deliberate.

The first issue is in source4/lib/tls/wscript, which has hardcoded
checks for gnutls >= 3.4.7 linked to with_system_mitkrb5 and
conf.env.AD_DC_IS_ENABLED. Patching that to set the checks for 3.3.29
gets a report of a missing dependency for "hx509" in
"dcerpc_backupkey".  So I assume that the check for gnutls 3.4.7 was a
legitimate requirement check. And that's about as deep as I can go
with that issue for right now.

I've instead, for short-term work, created some hooks to compile 4.8.7
for RHEL 7. That may be helpful to folks who do want a dc for RHEL 7,
and I'll see if I can test it in the next few days.

> > The recent complete switchover from python 2 to python3 is going to
> > cause even more problems. The SCLO python packages are quite painful
> > and short of critical modules, which makes a huge toolchain build to
> > assemble them, and the python36 now in EPEL did not work well for me
> > last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> > better python 3 support.
>
> Yeah, we know it will be a pain.  That is why there will still be a
> fallback to python2 for 4.10 in March, but after that we can't sustain
> the support for interpreting the same code as python2 and python3, and
> will go pure py3.
>
> Andrew Bartlett

I do appreciate the difficulty. Fedora is switching almost completely
over to Python 3 for Fedora 30, and Fedora 29 has good integration of
Python 3 already, so it should be straightforward there and for RHEL
8.
