On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
>> Hi List,
>>
>> I do my best to ask my question in English. ;-)
>>
>> Samba4 integrated heimdal kerberos to do the kerberos work for
>> Active Directory. Some Linux Distributions like fedora/RedHat and
>> openSUSE/SUSE don't accept heimdal even if it is shipped inside
>> samba.
>>
>> Their argument is that heimdal isn't maintained since 2012.
>> Compiling samba against MIT krb5 results in Samba-Packages without
>> AD.
>>
>> Result: Active Directory is impossible with the Distribution
>> packages of samba with the above mentioned Linux distributions.
>>
>> Fedora's way to solve this is:
>>
>> "We are intending to make possible use of AD DC functionality with
>> MIT Kerberos but this is longer term project that requires
>> cooperation between Samba, MIT, and FreeIPA."
>> which means never, in my opinion."
>
> No you're wrong about that. Andreas, Guenther and Alexander
> at Redhat are working diligently every day towards this. We're planning
> to get to that sooner rather than later.
>
>> My questions:
>>
>> Is the heimdal code inside of samba4 maintained by the samba team or
>> is this unmaintained static code?
>
> Maintained. If it's in Samba we are responsible.
> Once it's working with MIT we'll eventually remove
> it from our tree though.

I really wish you luck with that, because it's been an ongoing problem in Fedora. The Red Hat personnel I personally met working with Kerberos were pretty tightly focused on SSSD, which seems to me to be a fairly silly re-implementation of what Samba already does more broadly and more consistently.

>> Are there considerations about using MIT krb5 inside samba4 instead
>> of heimdal?
>
> Talk to Andreas, Guenther and Alexander for the latest.
>
>> The intention of our project "invis-server" is to bring samba 4 with
>> AD DC functionality into openSUSE. Therefore we need arguments for
>> the coming discussion.
>
> Hurrah ! I'm really glad to hear this ! If you could
> coordinate with the people doing the Heimdal -> MIT
> work then we can get there faster.
>
> Cheers,
>
> Jeremy.

I'd also encourage you to take a look at the Fedora "rawhide" bundles, for tracing of changed components for RPM. And if you like, you might even take a look at my DC enabled ports over at https://github.com/nkadel/samba4repo and https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5

I would like to start testing this? I saw a few months back Alexander Bokovoy Released a build for F23 and I started using that. Now that F24 is out I have to look for a way to upgrade. Is there a build for rawhide with this? The standard samba-ad package for rawhide that install still doesn't come with samba-tool. And compiling samba 4.4.5 with-mit-krb5 automatically disables ad support it seems as samba-tool is missing unless I remove that option. Is this going to be fixed in 4.5.0? Should I download the source code for 4.5.0 and do I need a bunch of patches that I get somewhere? I'm a regular Fedora user and I am having difficulties seeing how to put this all together.

On Sun, Jul 24, 2016 at 11:38 PM, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Fri, Jul 22, 2016 at 12:25 PM, Jeremy Allison <jra at samba.org> wrote:
> > On Fri, Jul 22, 2016 at 02:54:05PM +0200, Stefan Schäfer wrote:
> >> Hi List,
> >>
> >> I do my best to ask my question in English. ;-)
> >>
> >> Samba4 integrated heimdal kerberos to do the kerberos work for
> >> Active Directory. Some Linux Distributions like fedora/RedHat and
> >> openSUSE/SUSE don't accept heimdal even if it is shipped inside
> >> samba.
> >>
> >> Their argument is that heimdal isn't maintained since 2012.
> >> Compiling samba against MIT krb5 results in Samba-Packages without
> >> AD.
> >>
> >> Result: Active Directory is impossible with the Distribution
> >> packages of samba with the above mentioned Linux distributions.
> >>
> >> Fedora's way to solve this is:
> >>
> >> "We are intending to make possible use of AD DC functionality with
> >> MIT Kerberos but this is longer term project that requires
> >> cooperation between Samba, MIT, and FreeIPA."
> >> which means never, in my opinion."
> >
> > No you're wrong about that. Andreas, Guenther and Alexander
> > at Redhat are working diligently every day towards this. We're planning
> > to get to that sooner rather than later.
> >
> >> My questions:
> >>
> >> Is the heimdal code inside of samba4 maintained by the samba team or
> >> is this unmaintained static code?
> >
> > Maintained. If it's in Samba we are responsible.
> > Once it's working with MIT we'll eventually remove
> > it from our tree though.
>
> I really wish you luck with that, because it's been an ongoing problem
> in Fedora. The Red Hat personnel I personally met working with
> Kerberos were pretty tightly focused on SSSD, which seems to me to be
> a fairly silly re-implementation of what Samba already does more
> broadly and more consistently.
>
> >> Are there considerations about using MIT krb5 inside samba4 instead
> >> of heimdal?
> >
> > Talk to Andreas, Guenther and Alexander for the latest.
> >
> >> The intention of our project "invis-server" is to bring samba 4 with
> >> AD DC functionality into openSUSE. Therefore we need arguments for
> >> the coming discussion.
> >
> > Hurrah ! I'm really glad to hear this ! If you could
> > coordinate with the people doing the Heimdal -> MIT
> > work then we can get there faster.
> >
> > Cheers,
> >
> > Jeremy.
>
> I'd also encourage you to take a look at the Fedora "rawhide"
> bundles, for tracing of changed components for RPM. And if you like,
> you might even take a look at my DC enabled ports over at
> https://github.com/nkadel/samba4repo and
> https://github.com/nkadel/samba-4.3.x-srpm/tree/nkadel-4.4.5

correction samba-dc still doesn't come with samba-tool

On Thu, Jul 28, 2016 at 10:13:41PM -0600, Jeff Sadowski wrote:
> I would like to start testing this? I saw a few months back Alexander
> Bokovoy Released a build for F23 and I started using that. Now that F24 is
> out I have to look for a way to upgrade. Is there a build for rawhide with
> this? The standard samba-ad package for rawhide that install still doesn't
> come with samba-tool. And compiling samba 4.4.5 with-mit-krb5
> automatically disables ad support it seems as samba-tool is missing unless
> I remove that option. Is this going to be fixed in 4.5.0? Should I download
> the source code for 4.5.0 and do I need a bunch of patches that I get
> somewhere? I'm a regular Fedora user and I am having difficulties seeing
> how to put this all together.

Bug Alexander - he should be able to give you current patches relating to this. Not sure if it's complete yet though.