On 16 Apr 2015 14:29, "Johnny Hughes" <johnny at centos.org> wrote:
>
> On 04/16/2015 06:33 AM, Mike wrote:
> > Hi Johnny,
> >
> > Thank you for your response. I thought to choose the sernet package
> > because of the following stated in Samba Readme:
> >
> > Samba packages shipped in some distributions like e. g. Fedora, RHEL may
> > not be able to be used as Samba AD DC, because the distribution relies on
> > MIT Kerberos which isn't supported by Samba yet. In this case build Samba
> > yourself or use the packages from SerNet or other reliable sources.
> >
> > I do want to use samba as an AD DC.
> > Does the above not apply to CentOS distro?
> >
> > Thanks for reading.
> >
> > On Apr 16, 2015 4:35 AM, "Johnny Hughes" <johnny at centos.org> wrote:
> >
> >> On 04/16/2015 12:53 AM, Mike wrote:
> >>> CentOS 7.1503 installed.
> >>> Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
> >>> configured).
> >>>
> >>> The samba wiki Readme First page states, "Some distributions like ... Red
> >>> Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
> >>> GSS-SPNEGO option, which is required for signed DNS updates when using BIND
> >>> as DNS backend on your Samba DC. This circumstance requires to self compile
> >>> BIND9."
> >>>
> >>> Is there any way to use a yum command to install Bind9 with gss-spnego
> >>> enabled?
> >>>

This was required for kerberos secured updates prior to el7.1 and el6.6 ...

The problem in the underlying kerberos libraries was resolved so that
kerberos based updates worked with gss again and spnego doesn't need to be
compiled in.

On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth <james.hogarth at gmail.com> wrote:

> This was required for kerberos secured updates prior to el7.1 and el6.6 ...
>
> The problem in the underlying kerberos libraries was resolved so that
> kerberos based updates worked with gss again and spnego doesn't need to be
> compiled in.
> _______________________________________________
>

James, thank you for your reply.
This sounds like good news for me; I can stay planted in the accepted
CentOS repo. biosphere.

| | | | | | | | | | | | | | |

I installed bind-9.9.4 package from the CentOS repo.
I've been reading the Changes and Readme file but don't see where this
issue is addressed.

Can you point me to the CentOS announcements or release notes that deal
with the bind package and gss-spnego?
I'd like to try to understand and possibly aggregate the right info to send
to the samba wiki maintainers.

| | | | | | | | | | | | | | | | | | | | | | | | |

named -V on the installed package produces:

BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version) <id:8f9657aa>
built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu'
'--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc'
<<<SNIP>>>
'--with-gssapi=yes' '--disable-isc-spnego'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.9.1
END

Does the above output show that gss-spnego is actually enabled?

Thanks for your help.

On 17 Apr 2015 00:42, "Mike" <1100100 at gmail.com> wrote:
>
> On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth <james.hogarth at gmail.com>
> wrote:
>
> > This was required for kerberos secured updates prior to el7.1 and el6.6 ...
> >
> > The problem in the underlying kerberos libraries was resolved so that
> > kerberos based updates worked with gss again and spnego doesn't need to be
> > compiled in.
> > _______________________________________________
> >
>
> James, thank you for your reply.
> This sounds like good news for me; I can stay planted in the accepted
> CentOS repo. biosphere.
>
> | | | | | | | | | | | | | | |
>
> I installed bind-9.9.4 package from the CentOS repo.
> I've been reading the Changes and Readme file but don't see where this
> issue is addressed.
>
> Can you point me to the CentOS announcements or release notes that deal
> with the bind package and gss-spnego?
> I'd like to try to understand and possibly aggregate the right info to send
> to the samba wiki maintainers.
>
> | | | | | | | | | | | | | | | | | | | | | | | | |
>

It wasn't the bind package directly but rather an issue with the libkrb5
libraries.

This is the specific bug that fixed the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1087068

I'll get the samba wiki updated to make this clear.