Re: [Samba] RHEL7/Centos7 with Samba AD

On Sun, 2018-12-09 at 17:20 -0500, Nico Kadel-Garcia wrote:
> On Sat, Dec 8, 2018 at 12:34 AM Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
> > On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> > > On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> > > <samba@xxxxxxxxxxxxxxx> wrote:
> > > 
> > > > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > > > clients or DCs. I still have a few details to work out (how to move the
> > > > Samba servers from local auth to AD auth, etc.. mostly because it's not
> > > > my area of expertise) but it's been working fine for me so far.
> > > > 
> > > > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > > > for el7. So far, I've tried:
> > > > 
> > > > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > > > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > > > source rpms unless you complain a lot.
> > > > 
> > > > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> > > > 
> > > > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > > > pull down rpms from them for months.
> > > > 
> > > > Any non-inflammatory comments are welcome! :)
> > > 
> > > There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> > > I've found that Samba 4.9 with the domain controller requires gnutls
> > > 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> > > welcome to play with the tools and set up a samba-4.8.x branch.
> > 
> > Can you get me some more details on that?  It isn't deliberate.
> 
> The first issue is in source4/lib/tls/wscript, which has hardcoded
> checks for gnutls >= 3.4.7 linked to with_system_mitkrb5 and
> conf.env.AD_DC_IS_ENABLED.

Correct.  But this is experimental in any case.  If you don't specify
--with-system-mitkrb5 it should allow an older version. 

> Patching that to set the checks for 3.3.29
> gets a report of a missing dependency for "hx509" in
> "dcerpc_backupkey".  So I assume that the check for gnutls 3.4.7 was a
> legitimate requirement check. And that's about as deep as I can go
> with that issue for right now.

Again, this is due to attempting to use the MIT Krb5 stuff.  Don't do
that. 

> I've instead, for short-term work, created some hooks to compile 4.8.7
> for RHEL 7. That may be helpful to folks who do want a dc for RHEL 7,
> and I'll see if I can test it in the next few days.

Please ensure it uses the internal Heimdal Kerberos. 

> > > The recent complete switchover from python 2 to python3 is going to
> > > cause even more problems. The SCLO python packages are quite painful
> > > and short of critical modules, which makes a huge toolchain build to
> > > assemble them, and the python36 now in EPEL did not work well for me
> > > last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> > > better python 3 support.
> > 
> > Yeah, we know it will be a pain.  That is why there will still be a
> > fallback to python2 for 4.10 in March, but after that we can't sustain
> > the support for interpreting the same code as python2 and python3, and
> > will go pure py3.
> > 
> > Andrew Bartlett
> 
> I do appreciate the difficulty. Fedora is switching almost completely
> over to Python 3 for Fedora 30, and Fedora 29 has good integration of
> Python 3 already, so it should be straightforward there and for RHEL
> 8.

Except for the MIT Kerberos stuff, of course. :-)

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba