On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:
> On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> <samba at lists.samba.org> wrote:
> > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > >
> > > Centos [6,7]* however does not have, in the current samba 4.x
> > > version, full support for AD DC (without rebuilding the source
> > > with a few changes):
>
> There are changes, but they're not outrageous. I've done some work
> towards it, at https://github.com/nkadel/samba4repo/, but you really
> wind up building up all the dependencies as well, and revising or
> replacing the logic around different versions for internally or
> externally built libraries. The structure there uses "mock" to build
> all the relevant library RPMs as well, and put them in a local
> filesystem-based yum repository. The requirement for gnutls-3.4.7 or
> later made me throw in the towel for building current releases on
> CentOS 7. I did not feel I had the time or tools to consider replacing
> the dependency chain for that critical security component. Recent
> Fedora releases have mostly new enough components.

To be clear, we don't require GnuTLS 3.4.7, the check there just means
we use an alternate implementation of 'BackupKey' if that isn't
available. We do require a GnuTLS version, but not the really recent
one.

The issue was that the older versions had bugs, but if you (as Red Hat
does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.

> > > You know that Samba 4.7 will have support to AD-DC with MIT
> > > Kerberos?
> >
> > There is still a lot of work to do on that as I understand it, and
> > even then it will require a very modern MIT Krb5, and probably not
> > what is in RHEL. This will remain a long road, sorry.
>
> Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> project, and they were interested that I knew personally a bunch of
> the Kerberos authors and maintainers from my undergraduate days. If
> any of them are unresponsive to queries from the Samba developers,
> maybe I can help reach them? I'll mention their names privately if you
> like, I'm not sure spamming the list with their names would be
> welcome.

We have no issues with the communications with Red Hat's staff or the
MIT krb5 team, and I probably shouldn't have spoken so authoritatively
about the plans of my fellow team members at Red Hat who have put in
the work here over around 6 years now.

However, my point is that Samba demands a lot from the KDC, and it
would shock me if we ever got to a stable spot where a current Samba AD
DC happily used a RHEL-stable version of the MIT KDC while still
supporting all the features. The two are likely to need to march in
parallel, as we have with our internal Heimdal fork.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
I was never able to build it in a way I feel comfortable on Fedora. I would
want to build it using an RPM build process. I think I want an MIT build
but I don't know what all I would need to build either way. I thought it
was pretty close when I saw an MIT build in Fedora 23 with AD support. I
was hoping it would have existed in Fedora Rawhide, but I still haven't
seen it yet.

Personally I don't care what distro I use. I use Fedora on my home server
because they keep it up to date for the programs I use. I have an Ubuntu
VM that I run my AD DC on and am not too happy about how slow Ubuntu
updates things. They are still on samba 4.3.x and the kernel is ancient.
The only reason I'm hoping for AD DC in Fedora is I know I'll be seeing
the latest samba with updates within weeks instead of years.

On Sat, Feb 18, 2017 at 9:44 PM, Andrew Bartlett via samba
<samba at lists.samba.org> wrote:
> On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:
> > On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> > <samba at lists.samba.org> wrote:
> > > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > > >
> > > > Centos [6,7]* however does not have, in the current samba 4.x
> > > > version, full support for AD DC (without rebuilding the source
> > > > with a few changes):
> >
> > There are changes, but they're not outrageous. I've done some work
> > towards it, at https://github.com/nkadel/samba4repo/, but you really
> > wind up building up all the dependencies as well, and revising or
> > replacing the logic around different versions for internally or
> > externally built libraries. The structure there uses "mock" to build
> > all the relevant library RPMs as well, and put them in a local
> > filesystem-based yum repository. The requirement for gnutls-3.4.7 or
> > later made me throw in the towel for building current releases on
> > CentOS 7. I did not feel I had the time or tools to consider replacing
> > the dependency chain for that critical security component. Recent
> > Fedora releases have mostly new enough components.
>
> To be clear, we don't require GnuTLS 3.4.7, the check there just means
> we use an alternate implementation of 'BackupKey' if that isn't
> available. We do require a GnuTLS version, but not the really recent
> one.
>
> The issue was that the older versions had bugs, but if you (as Red Hat
> does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.
>
> > > > You know that Samba 4.7 will have support to AD-DC with MIT
> > > > Kerberos?
> > >
> > > There is still a lot of work to do on that as I understand it, and
> > > even then it will require a very modern MIT Krb5, and probably not
> > > what is in RHEL. This will remain a long road, sorry.
> >
> > Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> > project, and they were interested that I knew personally a bunch of
> > the Kerberos authors and maintainers from my undergraduate days. If
> > any of them are unresponsive to queries from the Samba developers,
> > maybe I can help reach them? I'll mention their names privately if you
> > like, I'm not sure spamming the list with their names would be
> > welcome.
>
> We have no issues with the communications with Red Hat's staff or the
> MIT krb5 team, and I probably shouldn't have spoken so authoritatively
> about the plans of my fellow team members at Red Hat who have put in
> the work here over around 6 years now.
>
> However, my point is that Samba demands a lot from the KDC, and it
> would shock me if we ever got to a stable spot where a current Samba AD
> DC happily used a RHEL-stable version of the MIT KDC while still
> supporting all the features. The two are likely to need to march in
> parallel, as we have with our internal Heimdal fork.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
On Sun, 19/02/2017 at 21.17 -0700, Jeff Sadowski via samba wrote:
> I was never able to build it in a way

I have rebuilt samba from the rpm source on Centos 7 (samba 4.4.4) and
Fedora (samba 4.5.5) with this procedure:

> [lesca at dodo rpmbuild]$ cat rebuild.txt
> #
>
> # Install Development ...
> sudo yum -y groupinstall 'Development Tools'
> # sudo dnf -y groupinstall 'Development Tools' # Fedora
>
> # Install yum/dnf utility
> sudo yum -y install rpm-build yum-utils createrepo
> # sudo dnf -y install rpm-build yum-utils createrepo # Fedora
>
> # Download last samba source
> # or download from a centos mirror if vault doesn't work: http://bay.uchicago.edu/centos-vault/7.3.1611/
> yumdownloader --source samba
> # dnf download --source samba # Fedora
>
> # Install samba source
> rpm -ivh samba-4.*.src.rpm
>
> # Modify .spec file
> sed -i \
> -e 's/%define main_release .*/&.1/' \
> -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
> -e 's/%global with_dc 0/%global with_dc 1/' \
> /home/lesca/rpmbuild/SPECS/samba.spec
>
> # samba 4.5.x (Fedora): also do this....
> sed -i \
> -e 's|^%.*libntvfs-samba4.so|# &\n%{_libdir}/samba/bind9/dlz_bind9_11.so\n%{_libdir}/samba/ldb/dsdb_notification.so\n%{_libdir}/samba/ldb/vlv.so|' \
> /home/lesca/rpmbuild/SPECS/samba.spec
>
> # Install build dependencies
> sudo yum install -y gnutls-devel
> sudo yum-builddep -y ./rpmbuild/SPECS/samba.spec
> # sudo dnf builddep -y ./rpmbuild/SPECS/samba.spec # Fedora
>
> # Rebuild samba ...
> rpmbuild --without clustering -ba ./rpmbuild/SPECS/samba.spec
>
> # Create repository ...
> createrepo ./rpmbuild/RPMS
>
> # Copy all in some public place ...
> rsync -avzR --delete ./rpmbuild/./{RPMS,SRPMS} 10.11.12.1:/var/www/html/samba4/rpmbuild/
>
> # Follow HowTo for deploy...
>

hope this helps

-- 
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
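The spec edits in this procedure, plus the Epoch bump a later reply in the thread uses to keep distro updates from replacing the local build, as an added POSIX sh example that is not Dario's script and not Samba project code. It applies the same substitutions idempotently (a second run leaves the spec unchanged), rejects a non-numeric epoch, and checks the spec before rpmbuild is run. The sample spec it writes is constructed for the demo; the line layout it assumes (%global with_mitkrb5 / with_dc, %define main_release, Epoch: lines) is the one shown in the thread.

```sh
#!/bin/sh
# Added example (not code from the thread): apply the spec edits from the
# rebuild procedure, bump the Epoch so a distro update never replaces the
# local DC build, and verify the result before running rpmbuild.
# Assumption: the spec carries "%global with_mitkrb5", "%global with_dc",
# "%define main_release" and "Epoch:" lines as shown in the thread. The
# sample spec below is constructed for the demo and is not a real samba.spec.

# Portable in-place sed: $1 is the file, the rest are sed arguments.
sed_inplace() {
    file="$1"; shift
    sed "$@" "$file" >"$file.tmp" && mv "$file.tmp" "$file"
}

# Print the value of "%global NAME value" (or %define) from spec $1, name $2.
spec_global() {
    awk -v name="$2" '$1 ~ /^%(global|define)$/ && $2 == name { print $3; exit }' "$1"
}

# Print the smallest "Epoch:" value in spec $1 (the spec sets one per %if branch).
min_epoch() {
    awk '$1 == "Epoch:" { v = $2 + 0; if (min == "" || v < min) min = v } END { print min }' "$1"
}

# Select the Heimdal-based AD DC build and give the package a distinct
# release suffix. Idempotent: the main_release address skips a line that
# already ends in ".1", and the two %global lines only match their old value.
enable_dc_build() {
    sed_inplace "$1" \
        -e '/^%define main_release .*\.1$/!s/^%define main_release .*/&.1/' \
        -e 's/^%global with_mitkrb5 1$/%global with_mitkrb5 0/' \
        -e 's/^%global with_dc 0$/%global with_dc 1/'
}

# Set every "Epoch:" line in spec $1 to $2, which must be a non-negative integer.
bump_epoch() {
    case "$2" in
        ''|*[!0-9]*) echo "bump_epoch: epoch must be an integer, got '$2'" >&2; return 2 ;;
    esac
    sed_inplace "$1" -e 's/^Epoch: [0-9][0-9]*$/Epoch: '"$2"'/'
}

# Return 0 only if spec $1 is a DC build on Heimdal with every Epoch >= $2.
check_dc_spec() {
    [ "$(spec_global "$1" with_dc)" = 1 ] ||
        { echo "with_dc is not 1" >&2; return 1; }
    [ "$(spec_global "$1" with_mitkrb5)" = 0 ] ||
        { echo "with_mitkrb5 is not 0 (the DC build needs the Heimdal build)" >&2; return 1; }
    [ "$(min_epoch "$1")" -ge "$2" ] ||
        { echo "an Epoch: line is below $2; a distro update could replace this build" >&2; return 1; }
}

# Constructed sample spec with only the lines the functions act on.
write_sample_spec() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
%define main_release 12
%global with_mitkrb5 1
%global with_dc 0
%if 0%{?rhel}
Epoch: 0
%else
Epoch: 2
%endif
EOF
    printf '%s\n' "$f"
}

# Demo run on the sample; point the functions at ~/rpmbuild/SPECS/samba.spec for real use.
spec=$(write_sample_spec)
enable_dc_build "$spec"
bump_epoch "$spec" 4
check_dc_spec "$spec" 4 &&
    echo "spec ready: with_dc=$(spec_global "$spec" with_dc) min epoch=$(min_epoch "$spec")"
rm -f "$spec"
```

The checks are the point: a spec that still says with_mitkrb5 1 builds cleanly but produces packages without the DC, and an Epoch that is not raised means the next yum update silently swaps the rebuilt packages for the distro's DC-less ones.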
On Sun, 19 Feb 2017, Jeff Sadowski via samba wrote:
> I was never able to build it in a way I feel comfortable on Fedora. I would
> want to build it using an RPM build process. I think I want an MIT build
> but I don't know what all I would need to build either way. I thought it

What do you hope to gain from an MIT build? The MIT kerberos user tools
(kinit, etc) operate just fine with keytabs generated by the Heimdal Samba
KDC. I understand that the distro wants to ship a unified set of packages,
but for end users doing their own builds, I don't think it really matters
much.

FWIW, I rebuilt the CentOS 7.2 Samba packages (samba-4.2.10-7) with DC
support. It required building without MIT and with DC support, and also
adding the samba.service file that RH didn't include. I also increased the
epoch so system updates with a newer version would never override my local
build. I also had to add

export LDB_MODULES_PATH=/usr/lib64/samba/ldb/

to my bash profile for the ldb tools to work.

However, when I rebuilt the CentOS 7.3 packages (4.4.4-12.el7_3), I am
unable to replicate with any of my older DCs (4.1 or 4.2 sernet, or my
rebuilt CentOS 4.2.10 DCs). This happened even when I built straight from
source, so I think either 4.4 requires some dependency that 7.3 doesn't
meet, or there may be some issue with some dependency on 7.3 that wasn't an
issue on 7.2.

In case it's useful, this is the extent of my changes to the spec file:

--- samba.spec 2017-01-17 11:21:48.000000000 -0600 +++ samba-dc.spec 2017-01-27 13:58:55.736213036 -0600 @@ -56,8 +56,8 @@ %global libwbc_alternatives_suffix -64 %endif -%global with_mitkrb5 1 -%global with_dc 0 +%global with_mitkrb5 0 +%global with_dc 1 %if %{with testsuite} # The testsuite only works with a full build right now. @@ -78,9 +78,9 @@ Release: %{samba_release} %if 0%{?rhel} -Epoch: 0 +Epoch: 4 %else -Epoch: 2 +Epoch: 4 %endif %if 0%{?epoch} > 0 
@@ -879,7 +879,7 @@ %endif install -d -m 0755 %{buildroot}%{_unitdir} -for i in nmb smb winbind ; do +for i in nmb smb winbind samba ; do cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba at g' >tmp$i.service install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service done @@ -1515,6 +1515,7 @@ %{_datadir}/samba/setup %{_mandir}/man8/samba.8* %{_mandir}/man8/samba-tool.8* +%{_unitdir}/samba.service %else # with_dc %doc packaging/README.dc %endif # with_dc
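Review bot: in the first hunk (@@ -56,8 +56,8 @@) the two flipped globals, `+%global with_mitkrb5 0` and `+%global with_dc 1`, carry no comment saying why they change together; since the DC build is only possible with the Heimdal build, a one-line comment above them would stop the next person rebasing this onto a newer spec from re-enabling MIT and ending up with a DC-less build.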
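Review bot: in the second hunk (@@ -78,9 +78,9 @@) `+Epoch: 4` in both the rhel and non-rhel branches does stop a distro update from replacing the build, but it also blocks every future official package, security updates included, until a rebuild with an equal or higher epoch is produced; note that intent in a comment beside the Epoch lines and treat each upstream security release as a trigger to rebuild. Raising the `%else` branch to the same value is harmless for a CentOS-only build but widens the diff for no gain; leaving `Epoch: 2` there keeps the change minimal.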
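Review bot: in the third hunk (@@ -879,7 +879,7 @@) the loop `+for i in nmb smb winbind samba ; do` runs unconditionally (it follows the `%endif` just above `install -d`), while the matching `%{_unitdir}/samba.service` entry in %files sits inside `%if with_dc`; a build with `with_dc 0` would then install an unpackaged file and rpmbuild would fail on it. Either guard the `samba` entry with the same conditional or package the unit unconditionally. The loop's sed also injects `Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba` into samba.service; confirm that packaging/systemd/samba.service in the source tree does not already set a credential cache before relying on the injected one.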
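Review bot: in the fourth hunk (@@ -1515,6 +1515,7 @@) `+%{_unitdir}/samba.service` is added to %files, but the diff shows no %post/%preun/%postun scriptlet change for the new unit, so samba.service is not registered, enabled, disabled or stopped on package install and removal the way the other units are; add it to the same systemd scriptlets that handle smb, nmb and winbind.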