
Re: [Samba] RHEL7/Centos7 with Samba AD

On Tue, 11 Dec 2018 18:54:48 +1300
Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> > On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett
> > <abartlet@xxxxxxxxx> wrote:
> > > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > > 
> > > > I actually hope that the "--with-experimental-ad-dc" option
> > > > will work well, as it seems to in Fedora 29. I'm not holding my
> > > > breath for it.
> > > 
> > > I'm sorry if my hints have not been strong enough:
> > > 
> > > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
> > 
> > Jeremy, I'm not the one who introduced this. It's not apparent from
> > my git history, but I imported those settings straight from the
> > Fedora 29 SRPM, which uses precisely those settings.
> 
> I'm Andrew.  I'll explain a bit more why Fedora upstream is not a good
> guide here.
> 
> > > Your end users don't know we lack security support for this mode,
> > > and do not have the resources to even fix the well known bugs in
> > > a timely manner.  It remains as a base for a future development
> > > effort from some well-funded partner who needs it.
> > 
> > Right. Thank you, and I'll try to reach upstream about this. Please
> > don't blame me for activating that one, I've been working to
> > backport from Fedora 29.
> 
> Upstream won't fix it, except to disable the AD DC again.  They are,
> by corporate edict, not permitted to ship our internal Heimdal. 
> 
> > > As we know Red Hat doesn't need it any more, so who this will be
> > > is an open question.
> > 
> > That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't
> > actually contain a domain controller, just empty RPMs with README
> > files saying "we don't actually contain a domain controller", which
> > I find confusing and disappointing. I build these as a hobby, and
> > have been doing this sort of thing since SunOS 4.1.2, to see what
> > the features of the latest releases are and as a hook for people
> > who might need them for production use. Red Hat is welcome to them.
> > I grabbed the latest 4.9.3 from Fedora, with surprise to see that
> > the with_dc had been enabled in the latest release with precisely
> > those settings.
> > 
> > I'm happy to pass along your comments in a bugzilla for Fedora and
> > discourage their use of this unsupported feature.
> 
> The maintainers are Samba Team members, they know the situation very
> well.  
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
> 
> The problem is the gap between Fedora, and even un-official packages
> for RHEL/CentOS, as while few servers run on Fedora, people will use
> these packages as an AD DC, hit the bugs in the MIT KDC, then come
> here about it. 
> 
> If you only want to do a pure backport (and not adjust the packages),
> it would be safer, for the RHEL backport packages, to also turn off
> the AD DC like RHEL does. 
> 
> It is great to have more diversity in package sources for RPM users,
> and I thank you for providing them!  I just have some strong feelings
> about unsupported code in what I hope becomes a popular package
> source.
> 
> I hope this clarifies things,
> 
> Andrew Bartlett
> - 
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba

I will be even more blunt, it seems that RHEL will never ship a
version of Samba that you can use as an AD DC, see here (near the
bottom):

https://bugzilla.redhat.com/show_bug.cgi?id=910464

If you use MIT kerberos, there are numerous problems you will hit, so,
use it for testing by all means, but never use it in production.

Rowland
