On 29/01/2023 07:53, Mark Foley via samba wrote:
> On Sat, 28 Jan 2023 12:42:17 -0500 Mark Foley wrote:
>
> Thanks for that extensive response!
>
> --Mark
>
> On Sat Jan 28 05:12:23 2023 Rowland Penny via samba <samba at lists.samba.org> wrote
>>
>> [deleted]
>
>> You should be able to find out if your Samba packages were built with
>> MIT by running:
>>
>> smbd -b | grep HAVE_LIBKADM5SRV_MIT
>>
>> You should get nothing returned if Samba was built using the built in
>> Heimdal. If this is the case, you need to check if you have the MIT
>> kerberos kdc installed and if so, I suggest you remove it, you can only
>> have one kdc.
>>
>> If you get back 'HAVE_LIBKADM5SRV_MIT', then your Samba packages were
>> built with MIT. At this point you will need to decide if you can accept
>> using something that is experimental, or find slackware Samba packages
>> that are not built using MIT.
>
> I restored the previous Slackware 14.2 and Samba 4.8.2. I got back nothing from
> that command, so I guess therefore Heimdal.
Yes, Heimdal.
>
> I ran the same command on a vanilla Slackware 15.0 (updated) and Samba 4.15.13
> system and did get back HAVE_LIBKADM5SRV_MIT, so the latest distro release must
> therefore use MIT as Michael Tokarev wrote. That could explain some of my
> troubles trying to use the 4.8.2 configs on the in situ upgraded system.
No, they should have worked except for the problem of the distro
packages installing outside of /usr/local/samba (where a default
self-compile puts everything Samba). This means that when you tried to
start Samba, it started a binary in somewhere like /usr/sbin rather than
the one somewhere in /usr/local/samba. It will also have started the
MIT kdc, but would not have had access to the Samba DB in /usr/local/samba.
>
> [deleted]
>
>> That wiki page is indeed for setting up a new domain, to join another
>> DC, you need this page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> [deleted]
>
> My current plan is to set up this new, vanilla system as another DC. I assume if
> I do that correctly I could then switch to this up-to-date DC as the primary
> and take down the older 4.8.2 system, yes?
No such thing as a primary; all DCs are equal, it is just that some DCs are
more equal than others because of the FSMO roles.
So, if you mean, can I join another DC, transfer all the FSMO roles to
this and then demote the existing DC, then yes.
>
> Will it work with MIT kerberos or should I try to use Heimdal?
Will it work with MIT? Then yes. Would I use it in production? Then NO.
Using MIT on a Samba AD DC is still marked as experimental and, until
such time that the 'experimental' marker is removed, I cannot recommend
using an MIT DC in production.
This means that you have three choices:

Use the Slackware packages and hope you do not have problems, not
recommended, but it is your domain.

Build Samba yourself again on Slackware, this is, in my opinion, your
only real option if you want to stick with Slackware.

Use another distro, such as Debian Bullseye, where you can get the
latest Samba from backports.

Rowland
>
> --Mark
>
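
The two checks discussed in this thread (which Kerberos the build uses, and whether the binary's private directory sits under the prefix that holds the existing AD database) can be scripted together. This is an added example, not part of the original messages; the function names, the /usr/local/samba default and the sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Classifies a Samba build from the text printed by `smbd -b`.

kdc_flavour() {
    # stdin: `smbd -b` output. The define is present only in MIT builds;
    # no match means the built-in Heimdal.
    if grep -q 'HAVE_LIBKADM5SRV_MIT'; then echo mit; else echo heimdal; fi
}

build_path() {
    # stdin: `smbd -b` output; $1: key from its "Paths:" section.
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

check_build() {
    # $1: `smbd -b` output; $2: prefix holding the existing AD database
    # (assumption: /usr/local/samba, the self-compile default).
    out=$1
    prefix=${2:-/usr/local/samba}
    kdc=$(printf '%s\n' "$out" | kdc_flavour)
    priv=$(printf '%s\n' "$out" | build_path PRIVATE_DIR)
    case "$priv" in
        "$prefix"/*) db=same-prefix ;;
        *)           db=other-prefix ;;
    esac
    echo "kdc=$kdc private_dir=$priv db=$db"
}

# Constructed, heavily trimmed sample outputs (not captured from real systems;
# the distro paths are illustrative).
SAMPLE_SELF_BUILT='Paths:
   SBINDIR: /usr/local/samba/sbin
   PRIVATE_DIR: /usr/local/samba/private
   HAVE_UNISTD_H'

SAMPLE_DISTRO='Paths:
   SBINDIR: /usr/sbin
   PRIVATE_DIR: /var/lib/samba/private
   HAVE_UNISTD_H
   HAVE_LIBKADM5SRV_MIT'

check_build "$SAMPLE_SELF_BUILT"
check_build "$SAMPLE_DISTRO"
# On a live host: check_build "$(smbd -b)"
```

A result of kdc=mit together with db=other-prefix matches the in situ upgrade described above: an MIT-built binary that cannot see the database under /usr/local/samba.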