Hi Johnny,

Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:

Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.

I do want to use samba as an AD DC.
Does the above not apply to CentOS distro?

Thanks for reading.

On Apr 16, 2015 4:35 AM, "Johnny Hughes" <johnny at centos.org> wrote:

> On 04/16/2015 12:53 AM, Mike wrote:
> > CentOS 7.1503 installed.
> > Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
> >
> > The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
> >
> > Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
> >
> > I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
> >
> > If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
> >
> > Thanks for your time and patience.
>
> That is a bind build option, the only way to enable it is to build it.
>
> Is there some reason you don't want to use the samba-4.1 that is shipped in CentOS-7?
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

On 04/16/2015 06:33 AM, Mike wrote:

> Hi Johnny,
>
> Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:
>
> Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.
>
> I do want to use samba as an AD DC.
> Does the above not apply to CentOS distro?
>
> Thanks for reading.
>
> On Apr 16, 2015 4:35 AM, "Johnny Hughes" <johnny at centos.org> wrote:
>
>> On 04/16/2015 12:53 AM, Mike wrote:
>>> CentOS 7.1503 installed.
>>> Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
>>>
>>> The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
>>>
>>> Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
>>>
>>> I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
>>>
>>> If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
>>>
>>> Thanks for your time and patience.
>>
>> That is a bind build option, the only way to enable it is to build it.
>>
>> Is there some reason you don't want to use the samba-4.1 that is shipped in CentOS-7?

Nope, you are correct. The samba in CentOS-7 currently does not work as an Active Directory Domain Controller.

If you already have a domain controller, you can make the CentOS-7 samba connect to that DC and serve as a File or Print server.

So, if you want a linux samba DC, then that would mean that you will need to use sernet and maintain bind yourself for that feature. Whether that is safe or not is up to you.

I have no idea specifically about the GSS-SPNEGO .. I can tell you that if you look at current bind spec file, you can see in lines 409-412 how/why "--disable-isc-spnego" gets selected.

I do not know what the answer is, if gssapi and gss-spnego can coexist, or if one is better than the other in a given situation, etc.

BUT .. If I was going to solve this problem, I would do so asking the sernet guys and I would rebuild the "bind" sources in CentOS with the proper configure switches so it would likely still meet all the other software requires for CentOS that bind needs to meet. You could also then only track when CentOS releases a new bind (because RH has released new source code) .. and thereby not have to track bind upstream tarball releases for security.

On Thu, Apr 16, 2015 at 9:29 AM, Johnny Hughes <johnny at centos.org> wrote:

> On 04/16/2015 06:33 AM, Mike wrote:
>
> BUT .. If I was going to solve this problem, I would do so asking the sernet guys and I would rebuild the "bind" sources in CentOS with the proper configure switches so it would likely still meet all the other software requires for CentOS that bind needs to meet. You could also then only track when CentOS releases a new bind (because RH has released new source code) .. and thereby not have to track bind upstream tarball releases for security.

Sounds like good advice for me to follow up on.
Thanks for the thoughtful response.

:-)

Mike

On 16 Apr 2015 14:29, "Johnny Hughes" <johnny at centos.org> wrote:

> On 04/16/2015 06:33 AM, Mike wrote:
> > Hi Johnny,
> >
> > Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:
> >
> > Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.
> >
> > I do want to use samba as an AD DC.
> > Does the above not apply to CentOS distro?
> >
> > Thanks for reading.
> >
> > On Apr 16, 2015 4:35 AM, "Johnny Hughes" <johnny at centos.org> wrote:
> >
> >> On 04/16/2015 12:53 AM, Mike wrote:
> >>> CentOS 7.1503 installed.
> >>> Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
> >>>
> >>> The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
> >>>
> >>> Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
> >>>

This was required for kerberos secured updates prior to el7.1 and el6.6 ... The problem in the underlying kerberos libraries was resolved so that kerberos based updates worked with gss again and spnego doesn't need to be compiled in.