Re: Samba as AD DC

2014-09-13 Thread Alexander Bokovoy

On Mon, 08 Sep 2014, Simone Caronni wrote:
> Hello,
>
> 2014-09-07 14:58 GMT-03:00 Simo Sorce s...@redhat.com:
>
> > On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> > > Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> > > Controller?
> >
> > It is current, and Samba in F20 will never have the AD bits.
> > Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
> > proceeding well enough.
>
> if you're interested, I've written a blog post on how to enable Samba 4 AD
> functionality on a Fedora / RHEL system. All the bits are there, you simply
> need to rebuild the Samba package with domain controller support and create
> a service file for it:
>
> http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc/
>
> Of course this re-enables the bundled Heimdal Kerberos implementation, but
> it's rock stable. Simo Sorce also promptly fixed an issue in the Kerberos
> libraries after I wrote it (thanks again!):
>
> http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc-update/
>
> I've had it running for the past year without issues.

Please note that things will not work well when both Heimdal and MIT
libraries could be loaded into the same address space. This affects, for
example, SSSD which uses many Samba libraries, including libldb, which
will have some modules added from Samba AD DC that link against Heimdal
but there are many more issues lurking around hard to detect and debug.

Also, if you start using Heimdal-linked Samba binaries that expect
Kerberos ccaches and SSSD linked with MIT Kerberos, you'll see problems
because Heimdal does not understand certain features of MIT's ccaches.
It is gonna break one way or another (including default type of ccaches
in /etc/krb5.conf in Fedora, which is kernel keyring).


--
/ Alexander Bokovoy
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
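
A check for the two conditions described in the message above (both Kerberos implementations mapped into one process, and a kernel-keyring default ccache), as an added example that is not part of the original thread. The library-name patterns and the sample inputs are assumptions based on common MIT krb5 and Samba bundled-Heimdal naming.

```python
#!/usr/bin/env python3
"""Flag processes that have both MIT and Heimdal Kerberos libraries mapped."""
import glob
import re

# Library names unique to each implementation (assumed naming: MIT krb5 as
# packaged by Fedora; Heimdal either system-wide or Samba's bundled "-samba4").
MIT = re.compile(r"/lib(k5crypto|krb5support|gssapi_krb5)\.so")
HEIMDAL = re.compile(r"/lib(heimbase|hx509|hcrypto|roken|wind)(-samba4)?\.so")

def kerberos_families(maps_text):
    """Return the set of Kerberos implementations seen in /proc/<pid>/maps text."""
    found = set()
    for line in maps_text.splitlines():
        if MIT.search(line):
            found.add("MIT")
        if HEIMDAL.search(line):
            found.add("Heimdal")
    return found

def default_ccache_type(krb5_conf_text):
    """Return the ccache type prefix of default_ccache_name, or None if unset."""
    m = re.search(r"^\s*default_ccache_name\s*=\s*([A-Za-z0-9_]+):",
                  krb5_conf_text, re.M)
    return m.group(1).upper() if m else None

def scan_live_processes():
    """Return {pid: families} for running processes that map both families."""
    mixed = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(path) as fh:
                fams = kerberos_families(fh.read())
        except OSError:  # process exited, or not readable without root
            continue
        if len(fams) == 2:
            mixed[path.split("/")[2]] = fams
    return mixed

# Constructed sample input, not captured from a real system.
SAMPLE_MAPS = """\
7f10a0000000-7f10a0021000 r-xp 00000000 fd:01 1311 /usr/lib64/libldb.so.1.1.17
7f10a1000000-7f10a1030000 r-xp 00000000 fd:01 1422 /usr/lib64/libk5crypto.so.3.1
7f10a2000000-7f10a2012000 r-xp 00000000 fd:01 1533 /usr/lib64/samba/libheimbase-samba4.so.1.0.0
"""
SAMPLE_KRB5_CONF = "[libdefaults]\n default_ccache_name = KEYRING:persistent:%{uid}\n"

if __name__ == "__main__":
    print("sample:", sorted(kerberos_families(SAMPLE_MAPS)))
    print("ccache:", default_ccache_type(SAMPLE_KRB5_CONF))
    for pid, fams in scan_live_processes().items():
        print(f"pid {pid} maps both {sorted(fams)}")
```

Run as root to read the maps of processes owned by other users, such as sssd; unreadable processes are skipped silently.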

Re: Samba as AD DC

2014-09-13 Thread Pete Travis
On Sep 7, 2014 11:58 AM, Simo Sorce s...@redhat.com wrote:
>
> On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> > Hi,
> >
> > Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> > Controller?
> >
> > I mean is that page current:
> > http://fedoraproject.org/wiki/Features/Samba4#Current_status ?
> >
> > Thanks in advance!
>
> It is current, and Samba in F20 will never have the AD bits.
> Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
> proceeding well enough.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Is there a broadly scoped tracking bug for this effort, Simo?

--Pete

Re: Samba as AD DC

2014-09-08 Thread Simone Caronni
Hello,

2014-09-07 14:58 GMT-03:00 Simo Sorce s...@redhat.com:

> On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> > Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> > Controller?
>
> It is current, and Samba in F20 will never have the AD bits.
> Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
> proceeding well enough.


if you're interested, I've written a blog post on how to enable Samba 4 AD
functionality on a Fedora / RHEL system. All the bits are there, you simply
need to rebuild the Samba package with domain controller support and create
a service file for it:

http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc/

Of course this re-enables the bundled Heimdal Kerberos implementation, but
it's rock stable. Simo Sorce also promptly fixed an issue in the Kerberos
libraries after I wrote it (thanks again!):

http://negativo17.org/samba-4-active-directory-with-bind-dlz-zones-dynamic-dns-updates-windows-static-rpc-update/

I've had it running for the past year without issues.

Regards,
--Simone


-- 
You cannot discover new oceans unless you have the courage to lose sight of
the shore (R. W. Emerson).

The Stone Age came to an end not for a lack of stones; and the oil age will
end, but not for a lack of oil. (Ahmed Zaki Yamani, former Saudi Minister
of Oil)

http://xkcd.com/229/
http://negativo17.org/

Re: Samba as AD DC

2014-09-07 Thread Dmitrij S. Kryzhevich


Hi!

Samba4 in Fedora can't be an AD DC still. You should rebuild srpm with
proper spec changes or build it from sources.


krege.


> Hi,
>
> Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> Controller?
>
> I mean is that page current:
> http://fedoraproject.org/wiki/Features/Samba4#Current_status ?
>
> Thanks in advance!
> --
> --
> Sergio Belkin http://www.sergiobelkin.com
> LPIC-2 Certified - http://www.lpi.org



Re: Samba as AD DC

2014-09-07 Thread Simo Sorce
On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> Hi,
>
> Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> Controller?
>
> I mean is that page current:
> http://fedoraproject.org/wiki/Features/Samba4#Current_status ?
>
> Thanks in advance!

It is current, and Samba in F20 will never have the AD bits.
Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
proceeding well enough.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


Re: Samba as AD DC

2014-09-07 Thread Sergio Belkin
Thanks!


2014-09-07 14:58 GMT-03:00 Simo Sorce s...@redhat.com:

> On Sun, 2014-09-07 at 01:12 -0300, Sergio Belkin wrote:
> > Hi,
> >
> > Is (Samba) Fedora 20 still not capable of being Active Directory Domain
> > Controller?
> >
> > I mean is that page current:
> > http://fedoraproject.org/wiki/Features/Samba4#Current_status ?
> >
> > Thanks in advance!
>
> It is current, and Samba in F20 will never have the AD bits.
> Maybe F22, or perhaps even F21, the work to replace Heimdal with MIT is
> proceeding well enough.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

-- 
--
Sergio Belkin  http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org

Samba as AD DC

2014-09-06 Thread Sergio Belkin
Hi,

Is (Samba) Fedora 20 still not capable of being Active Directory Domain
Controller?

I mean is that page current:
http://fedoraproject.org/wiki/Features/Samba4#Current_status ?

Thanks in advance!
-- 
--
Sergio Belkin  http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org