Rowland Penny
2025-Jun-30 07:46 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
On Sun, 29 Jun 2025 23:26:40 +0200 Franta Hanzlík <franta at hanzlici.cz> wrote:

> Hello Luis, Peter and Rowland,
> many thanks for quick response, valuable advice and references to
> samba.bigbird.es (it will take some time to absorb it all)!
>
> I have a small addition to this:
>
> - By using the demotion of the old DC and its permanent removal from
> the network and subsequent inclusion of a new VM with the same
> hostname, IP, etc., I aimed to achieve the same external
> characteristic and behavior after the upgrade as the original system
> had. And I would probably not need to use a temporary VM - the new DC
> would replace the old one 1:1. Or am I wrong?

Using a temporary DC is for safety purposes only, you could just replace the DCs one by one, the only thing you have to realise is that even if the replacement DCs use the same hostname and ipaddress, they will be new DCs. In any case, none of the computers in your domain care what hostname or ipaddress your DCs have, they will find them via DNS.

> - Both VMs are small, serving only as DCs, no fileserver,
> printserver, etc. And yes, on the current (old) system we use rfc2307
> (so on each DC there is "idmap_ldb:use rfc2307 = yes" in smb.conf,
> and on the two Samba fileservers is "idmap config DOMAIN:backend =
> ad" in smb.conf). rfc2307 is used for Linux clients, their POSIX
> attributes such as UID, GID, homedir. I thought until now that if
> Linux clients also authenticate to Samba AD, then it is necessary to
> use rfc2307. Are you saying it is different, that rfc2307 can be
> canceled?

Yes, here is myself on a Unix domain member:

getent passwd rowland
rowland:*:11104:10513:Rowland Penny:/home/rowland:/bin/bash

I use the 'rid' backend and as long as you use the same 'idmap config' lines on all Unix domain members, you will always get the same IDs, not that it matters, Samba will map your accounts to IDs on that system, even if you use different ranges.

Think about it, if you do not add rfc2307 attributes, a user on a DC will get an ID in the 3000000 range, on a Unix domain member they will get an ID inside whatever 'DOMAIN' range you set in the smb.conf file and on Windows, well they do not care, they use the SID (which is what Samba is really using). They will all be the same user and Samba (and Windows) knows who they are.

> The "rid" idmap backend will then be used on the
> fileserver instead of ad? And will tools like RSAT on Windows or
> samba-tool on Linux also allow us to enter POSIX parameters? Or are
> they assigned somehow automatically

What POSIX parameters? The 'rid' idmap backend calculates Unix IDs from the RID. You can set the users home directory and shell with template lines in the smb.conf file. Anything else isn't really required.

> On the current old system we
> enter POSIX parameters manually, so some simplification or automation
> would be welcome...

With the 'rid' backend, you just create the user, after that it just works.

> Regarding using Debian distro - we have been using Fedora for a long
> time now because we know it. And we compile Samba packages for DC
> ourselves, with Heimdal Kerberos (Fedora has MIT, I'm not sure how
> suitable it is for production deployment, I think it is still marked
> as experimental). I don't know if switching to Debian would cause
> some confusion and damage, when it will be new for us. IMO there will
> not be much difference in functionality, although support in Debian
> is probably greater today than in Fedora.

In my opinion, the problem with Fedora is, they are not honest. The use of MIT for the kdc on a Samba AD DC is experimental and redhat is on record of saying there will never be Samba packages for RHEL that can be provisioned as an AD DC, but they do not and will not tell their users this.

You can easily switch to Debian, just install Debian 12 in a VM, install Samba from bookworm-backports and you will get the latest Samba version (4.22.2 at present), just join this and it will work.

Rowland
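As an added illustration that is not from Rowland's post or from Samba itself, the snippet below emulates the arithmetic the 'rid' backend applies (Unix ID = range low + RID - base_rid) by reading the 'idmap config' lines from a constructed smb.conf fragment, which shows why identical lines on every Unix domain member yield identical IDs; the domain name EXAMPLE, the ranges and the SIDs are assumptions. It also checks that the '*' and domain ranges do not overlap, which Samba requires.

```python
import re

# Constructed smb.conf fragment for a Unix domain member on the 'rid'
# backend; domain name and ranges are assumptions, not from the post.
MEMBER_SMB_CONF = """
[global]
    security = ADS
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U
"""

IDMAP_RE = re.compile(r"idmap config\s*(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)")


def parse_idmap_config(conf):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}}."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom.upper(), {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val
    return cfg


def rid_to_unix_id(sid, domain, cfg, base_rid=0):
    """Emulate idmap_rid: ID = low + RID - base_rid, None if out of range."""
    dom = cfg[domain.upper()]
    if dom.get("backend") != "rid":
        raise ValueError(f"{domain} does not use the rid backend")
    rid = int(sid.rsplit("-", 1)[1])       # RID is the last SID component
    low, high = dom["range"]
    xid = low + rid - base_rid
    return xid if low <= xid <= high else None


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap (Samba rejects these)."""
    doms = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    return [(a, b) for i, (a, ra) in enumerate(doms)
            for b, rb in doms[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]
```

With the range above, RID 1104 maps to UID 11104 and Domain Users (RID 513) to GID 10513, the same numbers Rowland's getent output shows.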
Franta Hanzlík
2025-Jun-30 10:50 UTC
[Samba] both Samba-4.9.5 AD DC upgrade to Samba current (4.22.*) - questions
Hi Rowland, thanks for the clarification!

On Mon, 30 Jun 2025 08:46:42 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 29 Jun 2025 23:26:40 +0200
> Franta Hanzlík <franta at hanzlici.cz> wrote:
>
> [...]
>
> > Regarding using Debian distro - we have been using Fedora for a long
> > time now because we know it. And we compile Samba packages for DC
> > ourselves, with Heimdal Kerberos (Fedora has MIT, I'm not sure how
> > suitable it is for production deployment, I think it is still marked
> > as experimental). I don't know if switching to Debian would cause
> > some confusion and damage, when it will be new for us. IMO there will
> > not be much difference in functionality, although support in Debian
> > is probably greater today than in Fedora.
>
> In my opinion, the problem with Fedora is, they are not honest. The use
> of MIT for the kdc on a Samba AD DC is experimental and redhat is on
> record of saying there will never be Samba packages for RHEL that can
> be provisioned as an AD DC, but they do not and will not tell their
> users this.
>
> You can easily switch to Debian, just install Debian 12 in a VM,
> install Samba from bookworm-backports and you will get the latest Samba
> version (4.22.2 at present), just join this and it will work.
>
> Rowland
> --

From what I've gleaned from the Fedora mailing list and website and the internet, I get the impression that Fedora's status on using Heimdal or MIT Kerberos is roughly:

- Heimdal Kerberos doesn't have all the features the team needs (but that probably applies to the old pre-7.x versions from 7+ years ago)
- MIT Kerberos fit better into their FreeIPA (Identity, Policy, Audit) project.
- and maybe it's also their effort to maintain more control over FreeIPA and possibly related projects.

In the long run, switching to Debian would probably be a better option, but right now it would mean a bit more of a burden. We'll think about it...

--
Thank You,
Franta Hanzlik