
Re: [Samba] RHEL7/Centos7 with Samba AD




On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett <abartlet@xxxxxxxxx> wrote:
>
> On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
>
> >
> > I actually hope that the "--with-experimental-ad-dc" option will work
> > well, as it seems to in Fedora 29. I'm not holding my breath for it.
>
> I'm sorry if my hints have not been strong enough:
>
> PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.

Jeremy, I'm not the one who introduced this. It's not apparent from my
git history, but I imported those settings straight from the Fedora 29
SRPM, which uses precisely those settings.

> Your end users don't know we lack security support for this mode, and
> do not have the resources to even fix the well known bugs in a timely
> manner.  It remains as a base for a future development effort from some
> well-funded partner who needs it.

Right. Thank you, and I'll try to reach upstream about this. Please
don't blame me for activating that one, I've been working to backport
from Fedora 29.

> As we know Red Hat doesn't need it any more, so who this will be is an
> open question.

That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't actually
contain a domain controller, just empty RPMs with README files saying
"we don't actually contain a domain controller", which I find
confusing and disappointing. I build these as a hobby, and have been
doing this sort of thing since SunOS 4.1.2, to see what the features
of the latest releases are and as a hook for people who might need
them for production use. Red Hat is welcome to them. I grabbed the
latest 4.9.3 from Fedora, with surprise to see that the with_dc had
been enabled in the latest release with precisely those settings.

I'm happy to pass along your comments in a bugzilla for Fedora and
discourage their use of this unsupported feature.

> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba