This recent Microsoft patch https://lists.samba.org/archive/samba/2016-August/202197.html
disables password changes for NT4-style domain controllers.
IMHO, it may be time to enable support for AD-DC mode, or release other renamed packages with AD-DC support enabled.
The samba.src is ready for this:
I have tried to download the samba.src rpm, modify the spec file like this:

    sed -i \
      -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
      -e 's/%global with_dc 0/%global with_dc 1/' \
      ~/rpmbuild/SPECS/samba.spec

rebuild the package, install it on a test server and configure it in AD-DC mode.
It seems to work fine.
My question is:
Is there some hope that in the short term these flags are enabled by default?
Many thanks for your reply.
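As an added example (not part of the thread, and not code from the Samba or Fedora projects), the script below wraps the two spec substitutions from the message above in a function that verifies both %global flags actually changed, and adds a small smb.conf check that reports a host's "server role" so an admin can find servers still running as NT4-style (classic) domain controllers, the mode whose password changes the Microsoft patch disables. The file names, the spec fragment and the smb.conf snippets are constructed for this example; the smb.conf parser is a deliberate simplification (first "server role" key wins, no include handling) and the "server role" values it recognises are Samba's own parameter values.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba/Fedora projects.
#   1. spec_enable_dc: apply the two sed substitutions from the thread to a
#      samba.spec and verify that both %global flags really changed.
#   2. smbconf_role / is_nt4_dc: read "server role" from an smb.conf to spot
#      hosts still acting as NT4-style (classic) domain controllers.
# All file contents written below are constructed samples for this example.

# Apply the thread's two substitutions to spec file $1, writing through a
# temp file instead of sed -i for portability, then confirm both flags now
# hold the wanted values. Returns non-zero if either substitution did not take.
spec_enable_dc() {
    spec="$1"
    tmp="$spec.tmp.$$"
    sed \
        -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
        -e 's/%global with_dc 0/%global with_dc 1/' \
        "$spec" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$spec" || return 1
    grep -qx '%global with_mitkrb5 0' "$spec" && grep -qx '%global with_dc 1' "$spec"
}

# Print the effective role from smb.conf $1: the first "server role" value
# (case-insensitive, whitespace trimmed). If it is absent, Samba's default is
# "auto", and the old "domain logons = yes" setting then means a classic DC.
smbconf_role() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        key == "serverrole" && !found { role = val; found = 1 }
        key == "domainlogons" && val == "yes" { logons = 1 }
        END {
            if (found) print role
            else if (logons) print "classic domain controller (implied by domain logons = yes)"
            else print "auto"
        }' "$1"
}

# Succeed (exit 0) when the config describes an NT4-style (classic) DC.
is_nt4_dc() {
    case "$(smbconf_role "$1")" in
        classic*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the constructed sample inputs into directory $1.
make_samples() {
    dir="$1"
    printf '%s\n' '%global with_mitkrb5 1' '%global with_dc 0' 'Name: samba' > "$dir/samba.spec"
    printf '%s\n' '[global]' '  workgroup = EXAMPLE' '  security = user' \
        '  Server Role = Classic Primary Domain Controller' '  domain logons = yes' > "$dir/nt4.conf"
    printf '%s\n' '[global]' '  realm = EXAMPLE.TEST' \
        '  server role = active directory domain controller' > "$dir/ad.conf"
    printf '%s\n' '[global]' '  security = ads' '  # server role left unset' > "$dir/member.conf"
}

# Stand-alone demo: build the samples in a temp dir, run both checks, clean up.
work=$(mktemp -d) || exit 1
make_samples "$work"
if spec_enable_dc "$work/samba.spec"; then
    echo "spec: with_dc and with_mitkrb5 toggled as expected"
else
    echo "spec: substitution did not take" >&2
fi
for f in nt4 ad member; do
    printf '%s.conf -> %s' "$f" "$(smbconf_role "$work/$f.conf")"
    is_nt4_dc "$work/$f.conf" && printf ' [NT4-style DC]'
    echo
done
rm -rf "$work"
```

Run it as `sh check-samba-dc.sh`; on a real host point `spec_enable_dc` at `~/rpmbuild/SPECS/samba.spec` after `rpm -i samba-*.src.rpm`, and `smbconf_role` at `/etc/samba/smb.conf`. The `sed` to temp file plus `mv` is used instead of `sed -i` because `-i` behaves differently between GNU and BSD sed.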
On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
This recent Microsoft patch https://lists.samba.org/archive/samba/2016-August/202197.html
disables password changes for NT4-style domain controllers.
It is not new that Microsoft dropped support for NT4-style domain controllers. Windows 7 was the last version which supported it. For newer versions there existed just some hacks.
IMHO, it may be time to enable support for AD-DC mode, or release other renamed packages with AD-DC support enabled.
As Fedora and RHEL are using MIT Kerberos as its Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.
For several years I've been working on the migration to MIT Kerberos, but it is a huge task.
See the talks Günther and I have given at the SambaXP conferences during the last years. For example:
https://sambaxp.org/archive_data/SambaXP2014-DATA/wed/track2/Andreas_Schneider-TheroadtoMITKerberossupport.pdf
The samba.src is ready for this:
I have tried to download the samba.src rpm, modify the spec file like this:

    sed -i \
      -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
      -e 's/%global with_dc 0/%global with_dc 1/' \
      ~/rpmbuild/SPECS/samba.spec

rebuild the package, install it on a test server and configure it in AD-DC mode.
It seems to work fine.
But this uses Heimdal Kerberos and not MIT Kerberos which can lead to issues in the system.
My question is:
Is there some hope that in the short term these flags are enabled by default?
Many thanks for your reply.
Yes, we will enable Samba AD as soon as I'm done with porting it to MIT Kerberos. This will hopefully be the case next year.
Best regards,
-- andreas
On Tue, Aug 30, 2016 at 5:35 AM, Andreas Schneider asn@redhat.com wrote:
On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
My question is:
Is there some hope that in the short term these flags are enabled by default?
Many thanks for your reply.
Yes, we will enable Samba AD as soon as I'm done with porting it to MIT Kerberos. This will hopefully be the case next year.
Isn't this already working with MIT Kerberos, though? I recall seeing some Google+ posts showing it off...
On Tue, Aug 30, 2016 at 5:35 AM, Andreas Schneider asn@redhat.com wrote:
On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
This recent Microsoft patch https://lists.samba.org/archive/samba/2016-August/202197.html
disables password changes for NT4-style domain controllers.
It is not new that Microsoft dropped support for NT4-style domain controllers. Windows 7 was the last version which supported it. For newer versions there existed just some hacks.
IMHO, it may be time to enable support for AD-DC mode, or release other renamed packages with AD-DC support enabled.
As Fedora and RHEL are using MIT Kerberos as its Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.
For several years I've been working on the migration to MIT Kerberos, but it is a huge task.
Then, in order to support full domain controller support, stop holding up Samba builds on this basis. The integral Kerberos libraries in Samba when compiled for domain controller support work well, and are well segregated from the RHEL and Fedora provided Kerberos support.
See the talks Günther and I have given at the SambaXP conferences during the last years. For example:
https://sambaxp.org/archive_data/SambaXP2014-DATA/wed/track2/Andreas_Schneider-TheroadtoMITKerberossupport.pdf
The samba.src is ready for this:
I have tried to download the samba.src rpm, modify the spec file like this:

    sed -i \
      -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
      -e 's/%global with_dc 0/%global with_dc 1/' \
      ~/rpmbuild/SPECS/samba.spec

rebuild the package, install it on a test server and configure it in AD-DC mode.
It seems to work fine.
But this uses Heimdal Kerberos and not MIT Kerberos which can lead to issues in the system.
Yes. It works well in my personal testing, and the libraries are pretty well segregated from the system Kerberos. I was publishing backports for RHEL 6 and 7 use until the recent gnutls requirements exceeded anything I could backport to RHEL 7, but traces of my old build and testing structure, with submodules for individual dependencies, are at https://github.com/nkadel/samba4repo
My question is:
Is there some hope that in the short term these flags are enabled by default?
Many thanks for your reply.
Yes, we will enable Samba AD as soon as I'm done with porting it to MIT Kerberos. This will hopefully be the case next year.
That would be great. But this has been a long-term request, and I'm not personally going to hold my breath waiting for it to be completed. As you point out, it's a lot of work, and for people who want real Samba domain controllers there is an option that works well.
Best regards,
-- andreas
-- devel mailing list devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
On Tue, 30/08/2016 at 11.35 +0200, Andreas Schneider wrote:
On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
This recent Microsoft patch https://lists.samba.org/archive/samba/2016-August/202197.html
disables password changes for NT4-style domain controllers.
It is not new that Microsoft dropped support for NT4-style domain controllers. Windows 7 was the last version which supported it. For newer versions there existed just some hacks.
Thanks Andreas for your reply.
Yes, NT4 style is still supported, but the last MS patch has disabled the password change (... It is not supported by the Kerberos protocol ... It is not secure to change disabled or locked-out user account passwords by using NTLM) https://support.microsoft.com/en-us/kb/3167679
IMHO, it may be time to enable support for AD-DC mode, or release other renamed packages with AD-DC support enabled.
As Fedora and RHEL are using MIT Kerberos as its Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.
For several years I've been working on the migration to MIT Kerberos, but it is a huge task.
See the talks Günther and I have given at the SambaXP conferences during the last years. For example:
https://sambaxp.org/archive_data/SambaXP2014-DATA/wed/track2/Andreas_Schneider-TheroadtoMITKerberossupport.pdf
Thanks, very interesting.
The samba.src is ready for this:
I have tried to download the samba.src rpm, modify the spec file like this:

    sed -i \
      -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
      -e 's/%global with_dc 0/%global with_dc 1/' \
      ~/rpmbuild/SPECS/samba.spec

rebuild the package, install it on a test server and configure it in AD-DC mode.
It seems to work fine.
But this uses Heimdal Kerberos and not MIT Kerberos which can lead to issues in the system.
Also, building Samba from source uses Heimdal Kerberos.
Many Fedora / CentOS / Red Hat users who want to use AD DC on this kind of Linux, since it is not supported by default, build Samba from source. An example: https://thingsdomakesense.wordpress.com/2016/04/27/installing-samba-4-4-2-ad...
If it is the same thing, I think it's better to rebuild the RPM with this support on a different, isolated host and install/update the new samba-ADDC rpm on all production servers, rather than install development tools and dependency packages on every production server, compile Samba from source and update it each time.
Or is there something wrong in my reasoning?
My question is:
Is there some hope that in the short term these flags are enabled by default?
Many thanks for your reply.
Yes, we will enable Samba AD as soon as I'm done with porting it to MIT Kerberos. This will hopefully be the case next year.
This is good news. Then, where possible, it's better to wait.
Is there some alpha/beta to test it?
Many thanks for your reply.
Best regards.
-- Dario Lesca (sent from my Linux Fedora 24 Workstation)