On Mon, 08 Sep 2014, Simone Caronni wrote:
Hello,

2014-09-07 14:58 GMT-03:00 Simo Sorce <s...@redhat.com>:

On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> Controller?

It is current, and Samba in F20 will never have the AD bits.
Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
proceeding well enough.


If you're interested, I've written a blog post on how to enable Samba 4 AD
functionality on a Fedora / RHEL system. All the bits are there, you simply
need to rebuild the Samba package with domain controller support and create
a service file for it:

http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc/

Of course this re-enables the bundled Heimdal Kerberos implementation, but
it's rock stable. Simo Sorce also promptly fixed an issue in the Kerberos
libraries after I wrote it (thanks again!):

http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc-update/

I've had it running for the past year without issues.

Please note that things will not work well when both Heimdal and MIT
libraries could be loaded into the same address space. This affects, for
example, SSSD which uses many Samba libraries, including libldb, which
will have some modules added from Samba AD DC that link against Heimdal,
but there are many more issues lurking around that are hard to detect and debug.

Also, if you start using Heimdal-linked Samba binaries that expect
Kerberos ccaches and SSSD linked with MIT Kerberos, you'll see problems
because Heimdal does not understand certain features of MIT's ccaches.
It is gonna break one way or another (including default type of ccaches
in /etc/krb5.conf in Fedora, which is kernel keyring).


--
/ Alexander Bokovoy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
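
The address-space conflict described in the last reply above can be checked for on a running host. The following is an added example, not part of the thread: it parses `/proc/<pid>/maps` and reports any process that maps both MIT and Heimdal Kerberos libraries. The library name patterns (including the `-samba4` suffix for Samba's bundled Heimdal) and the sample mappings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed library names (not from the thread): MIT krb5 installs libkrb5.so.3,
# libgssapi_krb5.so.2, libk5crypto.so.3; Samba's bundled Heimdal is assumed to
# be built as private libraries carrying a "-samba4" suffix.
MIT_RE = re.compile(r"/lib(krb5|gssapi_krb5|k5crypto|krb5support)\.so(\.\d+)*$")
HEIMDAL_RE = re.compile(
    r"/lib(krb5|gssapi|hx509|asn1|heimbase|hcrypto|roken|wind)-samba4\.so(\.\d+)*$")

def kerberos_libs(maps_text):
    """Return (mit, heimdal) sets of library paths mapped by one process."""
    mit, heimdal = set(), set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip().removesuffix(" (deleted)")
        if MIT_RE.search(path):
            mit.add(path)
        elif HEIMDAL_RE.search(path):
            heimdal.add(path)
    return mit, heimdal

def scan_proc(proc=Path("/proc")):
    """Yield (pid, mit, heimdal) for each readable process that maps both."""
    for maps in proc.glob("[0-9]*/maps"):
        try:
            mit, heimdal = kerberos_libs(maps.read_text(errors="replace"))
        except OSError:
            continue  # process exited, or we lack permission to read it
        if mit and heimdal:
            yield maps.parent.name, sorted(mit), sorted(heimdal)

# Constructed sample: one process with both implementations mapped.
SAMPLE_MIXED = """\
7f10a0000000-7f10a00c8000 r-xp 00000000 fd:01 1311 /usr/lib64/libkrb5.so.3.3
7f10a1000000-7f10a1090000 r-xp 00000000 fd:01 1420 /usr/lib64/samba/libkrb5-samba4.so.26.0.0
7f10a2000000-7f10a2021000 rw-p 00000000 00:00 0 [heap]
7f10a3000000-7f10a3004000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print("sample:", kerberos_libs(SAMPLE_MIXED))
    for pid, mit, heimdal in scan_proc():
        print(f"pid {pid} maps both: MIT={mit} Heimdal={heimdal}")
```

Run it as root to cover processes owned by other users; unreadable entries are skipped.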
