L.P.H. van Belle
2017-Aug-17 10:35 UTC
[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
Hi,

Can anyone (one of the devs) tell me if it's safe for a Samba 4.7rc4 DC to join a Samba 4.6(.7) AD DC domain? Any dos/don'ts? I'm asking so I can test a DC join, but I want to test it in my production environment, since those are the best tests. A first test of a clean AD DC install looks ok. And yes, I have already made 3 backups of the DCs before I go testing; I can restore quickly. ;-)

If someone wants to test these 4.7rc4 Debian Stretch packages: the changelog is not fully complete, I'm collecting all changes for the next 4.7.

Stretch experimental (TESTING/NOT FOR PRODUCTION): currently Samba 4.7 RC4, first builds. Only AMD64 packages and sources are available for testing for now.

Current package list for Debian Stretch experimental Samba 4.7rc4: click here

The build logs and changelogs: http://downloads.van-belle.nl/samba4/Buildlogs/stretch-experimental/

I used the following build parameters:

  conf_args = \
    --prefix=/usr \
    --enable-fhs \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --libexecdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
    --with-privatedir=/var/lib/samba/private \
    --with-smbpasswd-file=/etc/samba/smbpasswd \
    --with-piddir=/var/run/samba \
    --with-pammodulesdir=/lib/$(DEB_HOST_MULTIARCH)/security \
    --with-pam \
    --with-syslog \
    --with-utmp \
    --with-winbind \
    --with-shared-modules=idmap_rid,idmap_ad,idmap_adex,idmap_hash,idmap_ldap,idmap_tdb2,vfs_dfs_samba4,auth_samba4 \
    --with-automount \
    --with-ldap \
    --with-ads \
    --with-dnsupdate \
    --with-gpgme \
    --libdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
    --with-modulesdir=/usr/lib/$(DEB_HOST_MULTIARCH)/samba \
    --datadir=/usr/share \
    --with-lockdir=/var/run/samba \
    --with-statedir=/var/lib/samba \
    --with-cachedir=/var/cache/samba \
    --enable-avahi \
    --disable-rpath \
    --disable-rpath-install \
    --bundled-libraries=NONE,pytevent,iniparser,roken,wind,hx509,asn1,heimbase,hcrypto,krb5,gssapi,heimntlm,hdb,kdc,com_err,compile_et,asn1_compile \
    --builtin-libraries=replace,ccan,samba-cluster-support \
    --minimum-library-version="$(shell ./debian/autodeps.py --minimum-library-version)" \
    --with-cluster-support \
    --with-socketpath=/var/run/ctdb/ctdbd.socket \
    --with-logdir=/var/log/ctdb \
    --enable-spotlight \
    --with-system-mitkrb5 \
    --with-systemd \
    --with python2,python3

Compared to the normal Debian builds, I've added:

    --enable-spotlight \
    --with-system-mitkrb5

and changed --with python2 to --with python2,python3.

Beware, these need lots of testing. If you detect problems, please report them, and please run this so I can analyse all needed settings when needed, and mail me the samba-debug.txt:

  LOGFILE=/tmp/samba-debug.txt
  for config in /etc/hosts /etc/resolv.conf /etc/samba/smb.conf /etc/samba/dhcp.conf /etc/bind/named.conf /etc/bind/named.conf.options /etc/bind/named.conf.local ; do
      if [ -f "$config" ]; then
          echo "-- BEGIN $config --" >> "$LOGFILE"
          cat "$config" >> "$LOGFILE"
          echo "-- END $config --" >> "$LOGFILE"
      else
          echo "-- $config not present -- " >> "$LOGFILE"
      fi
  done
  echo "-- BEGIN kerberos checks --" >> "$LOGFILE"
  klist -ke >> "$LOGFILE"

(If you have extra tests, please do add them.)

I can't stress this enough... keep these away from your production setup. That I'm testing in my production should not give you a wildcard to do that also. If you break your production setup, you're on your own.

>>> You cannot use these for upgrading a previous Samba; set up clean. This is due to incompatible packages between Samba 4.6 and Samba 4.7. <<<
>>> For Samba 4.7, packages like tdb/ldb are getting optimized for a multi-threaded Samba; these packages are only in the repo stretch-experimental. <<<

The repo stretch-experimental contains a backport of krb5 (to 1.15.1); you see it's set to -bpo, but it's not in stretch-backports. This way it does not get in the way of the current stable packages of my repo. You cannot mix the stretch-experimental repo with the others, except the backports line. (! BEWARE, DON'T UPGRADE YOUR SAMBA 4.5 or 4.6, I've not tested this.)

These packages can and will... if needed, destroy your server ;-) if you don't follow the above advice. But we need some testing of the packages.

A howto to very quickly install these 4.7rc4 on a Debian Stretch amd64 (do no more than shown below, it's not needed; below results in a working AD DC server):

Install a clean Debian Stretch, configure /etc/hosts and /etc/resolv.conf, and add the repo:

  echo "deb http://apt.van-belle.nl/debian stretch-backports main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
  echo "deb http://apt.van-belle.nl/debian stretch-experimental main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
  wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
  apt-get update && apt-get upgrade -y

  # test install samba 4.7rc4, AD DC with bind9_DLZ
  apt-get install samba winbind krb5-kdc ntp bind9 -y

Configure your time server (https://wiki.samba.org/index.php/Time_Synchronisation, see: Set up the ntpd.conf File on a DC).

  # after the install, disable these services.
  # the default samba installs a samba standalone server.
  systemctl disable smbd.service nmbd.service winbind.service
  # and stop services.
  systemctl stop smbd.service nmbd.service winbind.service ntp.service bind9.service

  # provisioning samba. move the old smb.conf out of the way.
  mv /etc/samba/smb.conf{,.before-provisioning}
  samba-tool domain provision --interactive

or with

  samba-tool domain provision --server-role=dc --dns-backend=BIND9_DLZ --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM --adminpass=Passw0rd --use-rfc2307

# configure bind. (https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server)
# for debian.

named.conf (options): auth-nxdomain yes;
named.conf (options): add (and adjust to your network settings) the part below:

  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  # IP addresses and network ranges allowed to query the DNS server:
  allow-query { 127.0.0.1; 10.99.1.0/24; };
  # IP addresses and network ranges allowed to run recursive queries:
  # (Zones not served by this DNS server)
  allow-recursion { 127.0.0.1; 10.1.1.0/24; };
  # Forward queries that can not be answered from own zones
  # to these DNS servers:
  forwarders { 8.8.8.8; 8.8.4.4; };
  # Disable zone transfers
  allow-transfer { none; };
  ---------- ENDS HERE

named.conf.local, add:

  include "/var/lib/samba/private/named.conf";

# your bind setup is ready now.
# (optional: systemctl unmask bind9.service ; systemctl enable bind9.service)

  systemctl start bind9.service

Check:

  cat /var/log/daemon.log | grep dlz

Example:

  Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone 'internal.example.com'
  Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone '_msdcs.internal.example.com'

Now I added the following to the Debian default /etc/krb5.conf:

  default_keytab_name = /var/lib/samba/private/secrets.keytab

resulting in:

  [libdefaults]
      default_realm = INTERNAL.EXAMPLE.COM
      default_keytab_name = /var/lib/samba/private/secrets.keytab

(and below here all the things Debian already did set; you can keep them.)

Last, start Samba in AD mode:

  systemctl unmask samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl start samba-ad-dc

I suggest you now clear your logs, reboot, and check the logs again.

Now go abuse your new AD. ;-)

Have fun with these. Questions, just ask.

Greetz,

Louis
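The debug-collection snippet in the post above appends to a fixed name under /tmp and mails the raw configs. As an added example (not part of the original post, and not Louis's packaging), here is the same collection done into a private mktemp directory, with secret-carrying lines masked before the file leaves the box. The redaction patterns are an assumption: BIND `secret "..."` statements (TSIG keys) and `password = ...` style entries; extend them for whatever your own configs contain. The sample config files are constructed here so the script runs without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: the same collection as the
# debug snippet above, but written to a private mktemp directory instead of
# a fixed /tmp path (a predictable /tmp name can be pre-created or symlinked
# by another local user, and ">>" would follow the link), and with lines that
# carry secrets masked before the file is mailed. The redaction patterns
# are an assumption: BIND 'secret "..."' (TSIG keys) and 'password = ...'
# style entries; extend them for your own configs.

# redact_secrets FILE...: copy the files to stdout with secret values masked.
redact_secrets() {
    sed -E \
        -e 's/^([[:space:]]*secret[[:space:]]+)"[^"]*"/\1"<redacted>"/' \
        -e 's/^([[:space:]]*[^#=]*[Pp]ass(word|wd)?[[:space:]]*=[[:space:]]*).*/\1<redacted>/' \
        "$@"
}

# collect_samba_debug OUTDIR FILE...: write OUTDIR/samba-debug.txt in the same
# "-- BEGIN/END --" layout as the original snippet and print its path.
collect_samba_debug() {
    outdir=$1
    shift
    logfile="$outdir/samba-debug.txt"
    : > "$logfile"
    for config in "$@"; do
        if [ -f "$config" ]; then
            printf -- '-- BEGIN %s --\n' "$config" >> "$logfile"
            redact_secrets "$config" >> "$logfile"
            printf -- '-- END %s --\n' "$config" >> "$logfile"
        else
            printf -- '-- %s not present --\n' "$config" >> "$logfile"
        fi
    done
    printf -- '-- BEGIN kerberos checks --\n' >> "$logfile"
    # klist -ke lists keytab entries (principal, kvno, enctype), not key
    # material, so it is safe to include; tolerate a box without a keytab
    # or without klist.
    if command -v klist >/dev/null 2>&1; then
        klist -ke >> "$logfile" 2>&1 || true
    else
        echo "klist not installed" >> "$logfile"
    fi
    printf '%s\n' "$logfile"
}

# write_samples DIR: constructed sample inputs (not real configs) so the
# script can be exercised without touching /etc.
write_samples() {
    cat > "$1/named.conf.local" <<'EOF'
key "ddns-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1tYXRlcmlhbA==";
};
include "/var/lib/samba/private/named.conf";
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
    realm = INTERNAL.EXAMPLE.COM
    ldap admin dn = cn=admin,dc=example,dc=com
EOF
}

# Stand-alone run: private directory, restrictive umask, sample files.
# On a real DC pass the paths from the original snippet instead.
umask 077
workdir=$(mktemp -d) || exit 1
write_samples "$workdir"
collect_samba_debug "$workdir" "$workdir/named.conf.local" "$workdir/smb.conf" "$workdir/missing.conf"
```

The output keeps the structure the post asks for (BEGIN/END markers, "not present" lines, the klist section), so it can be read the same way; only the TSIG secret value is replaced by `<redacted>`, and non-secret settings such as `ldap admin dn` are left intact.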
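The howto above ends with "check the logs" but gives no check for the BIND options themselves. As an added example (mine, not from the post or the Samba project), here is a small post-provisioning check for the BIND9_DLZ part: it confirms `tkey-gssapi-keytab` points at Samba's dns.keytab, that `allow-transfer` is `{ none; }`, that neither `allow-query` nor `allow-recursion` contains `any` (which would make the DC an open resolver; that judgement is mine, not the post's), that the daemon log shows the `samba_dlz` writeable zones, and that krb5.conf carries the `default_keytab_name` line. The paths are parameters; the sample files are constructed here from the fragments quoted in the post plus a deliberately weak variant.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the BIND9_DLZ part of
# the howto above, run against file paths given as arguments so they can be
# tried on copies or on the constructed samples below. The expected values
# (dns.keytab path, secrets.keytab path, "allow-transfer { none; }") are the
# ones the post uses; flagging "any" in allow-query/allow-recursion as an
# open resolver is my addition.

# strip_bind_comments FILE: drop // and # line comments so that a
# commented-out statement is not mistaken for an active one
# (/* */ block comments are not handled here).
strip_bind_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1"
}

# check_named_options FILE: 0 if the options wire in the samba keytab, disable
# zone transfers and grant no recursion/query to "any"; otherwise 1, with one
# line per finding on stdout.
check_named_options() {
    cfg=$(strip_bind_comments "$1")
    status=0
    printf '%s\n' "$cfg" | grep -Eq 'tkey-gssapi-keytab[[:space:]]+"[^"]*/dns\.keytab"' \
        || { echo "tkey-gssapi-keytab does not point at samba's dns.keytab"; status=1; }
    printf '%s\n' "$cfg" | grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*none[[:space:]]*;' \
        || { echo "allow-transfer is not { none; }"; status=1; }
    for acl in allow-query allow-recursion; do
        # matches "{ any;" as the first element or "; any;" later in the list
        if printf '%s\n' "$cfg" | grep -Eq "$acl"'[[:space:]]*(\{|\{[^}]*;)[[:space:]]*any[[:space:]]*;'; then
            echo "$acl contains any: this is an open resolver"
            status=1
        fi
    done
    return $status
}

# check_dlz_zones LOGFILE: print the zones samba_dlz reported as writeable
# (the "check:" step in the howto); 1 if there are none.
check_dlz_zones() {
    zones=$(grep -o "samba_dlz: configured writeable zone '[^']*'" "$1" \
        | sed "s/.*zone '\(.*\)'/\1/")
    [ -n "$zones" ] || { echo "no samba_dlz writeable zones found in $1"; return 1; }
    printf '%s\n' "$zones"
}

# check_krb5_keytab FILE: 0 if default_keytab_name points at secrets.keytab.
check_krb5_keytab() {
    grep -Eq '^[[:space:]]*default_keytab_name[[:space:]]*=[[:space:]]*/var/lib/samba/private/secrets\.keytab[[:space:]]*$' "$1"
}

# write_samples DIR: constructed inputs. The options block, log lines and
# krb5.conf fragment are the ones quoted in the post; the ".open" variant is
# a deliberately weak configuration used to show failing checks.
write_samples() {
    cat > "$1/named.conf.options" <<'EOF'
options {
    auth-nxdomain yes;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-query { 127.0.0.1; 10.99.1.0/24; };
    allow-recursion { 127.0.0.1; 10.1.1.0/24; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
};
EOF
    cat > "$1/named.conf.options.open" <<'EOF'
options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    allow-query { any; };
    allow-recursion { 127.0.0.1; any; };
    // allow-transfer { none; };
};
EOF
    cat > "$1/daemon.log" <<'EOF'
Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone 'internal.example.com'
Aug 17 11:38:40 ossec named[455]: samba_dlz: configured writeable zone '_msdcs.internal.example.com'
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = INTERNAL.EXAMPLE.COM
    default_keytab_name = /var/lib/samba/private/secrets.keytab
EOF
}

# Stand-alone run over the samples; on a DC point the checks at
# /etc/bind/named.conf.options, /var/log/daemon.log and /etc/krb5.conf.
workdir=$(mktemp -d) || exit 1
write_samples "$workdir"
check_named_options "$workdir/named.conf.options" && echo "named.conf.options: ok"
check_named_options "$workdir/named.conf.options.open" || echo "named.conf.options.open: FAIL"
check_dlz_zones "$workdir/daemon.log"
check_krb5_keytab "$workdir/krb5.conf" && echo "krb5.conf: ok"
```

The checks are deliberately textual (grep over the file with comments stripped) rather than a full BIND parser; they will not judge whether the subnets in the ACLs are the right ones for your network, only whether the ACL is wide open.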
Andrew Bartlett
2017-Aug-17 18:57 UTC
[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
On Thu, 2017-08-17 at 12:35 +0200, L.P.H. van Belle via samba wrote:
> Can anyone (one of the devs) tell me if it's safe for a Samba 4.7rc4 DC to join a Samba 4.6(.7) AD DC domain?

I have no particular concerns about doing that.

On your configure line:
> --with python2,python3

I'm not sure what you think that does. I'm not aware of that being a valid syntax.

Finally, while you may do what you like with your packages, the MIT Krb5 KDC should not be enabled for the official Debian packages if you are hoping to propose them there, as RODC support is not available with the MIT KDC.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
L.P.H. van Belle
2017-Aug-18 09:11 UTC
[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Thursday 17 August 2017 20:57
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
>
> On Thu, 2017-08-17 at 12:35 +0200, L.P.H. van Belle via samba wrote:
> > Can anyone (one of the devs) tell me if it's safe for a Samba 4.7rc4 DC to join a Samba 4.6(.7) AD DC domain?
>
> I have no particular concerns about doing that.

Ok, great, I'll go test more things for these 4.7rc (MIT-enabled) packages.
A question on this, to be sure: if added, will it upgrade my Samba DB or is it staying at the 4.6 level?
Or how is it determined when the Samba DB is upgraded when you add a new DC?
When a higher Samba version is added? Or when the DC with the FSMO roles is upgraded?
I know it's against recommendations to run different versions of the DCs.

> On your configure line:
> > --with python2,python3

To my belief, it does what it says: --with python2,python3 enables Python 2 and 3 support.
I hoped to be safe with this, keep Python 2 support and enable 3 also.
Jessie also had 2.7 and 3.4 but it defaults to 2.7.
The Debian wiki is a bit unclear about Stretch 2.7 and 3.5 but the default is left out. :-(
https://wiki.debian.org/Python

If I'm interpreting that wrong, then I would like to know the preferred Python for Samba 4.7 (Python 2.7 or 3.5).
I saw on technical something about going to Python 3, but this Debian build still uses 2.7.
So I'm a bit unclear about this.

> I'm not sure what you think that does. I'm not aware of that being a valid syntax.
>
> Finally, while you may do what you like with your packages, the MIT Krb5 KDC should not be enabled for the official Debian packages if you are hoping to propose them there, as RODC support is not available with the MIT KDC.

Yes, I know about the missing PKINIT, RODC and S4U2... support. (I'm not using that as far as I know.)
I did read the "WHATSNEW" ;-) and no, these will not go to official Debian.
At least not the MIT version. This Samba 4.7rc4 with MIT support stays in my personal repo.
It gives people at least the option to (more easily) test things a bit more quickly for 4.7,
but thank you for pointing this out.

Now I can make a new one also with Heimdal support, to keep in line with the official Debian, and a -MIT version to test with.

Thanks for your time and knowledge...

Greetz,

Louis
Andrew Bartlett
2017-Aug-18 09:35 UTC
[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
On Fri, 2017-08-18 at 11:11 +0200, L.P.H. van Belle wrote:
> > -----Original message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Thursday 17 August 2017 20:57
> > To: L.P.H. van Belle; samba at lists.samba.org
> > Subject: Re: [Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
> >
> > On Thu, 2017-08-17 at 12:35 +0200, L.P.H. van Belle via samba wrote:
> > > Can anyone (one of the devs) tell me if it's safe for a Samba 4.7rc4 DC to join a Samba 4.6(.7) AD DC domain?
> >
> > I have no particular concerns about doing that.
>
> Ok, great, I'll go test more things for these 4.7rc (MIT-enabled) packages.
> A question on this, to be sure: if added, will it upgrade my Samba DB or is it staying at the 4.6 level?
> Or how is it determined when the Samba DB is upgraded when you add a new DC?
> When a higher Samba version is added? Or when the DC with the FSMO roles is upgraded?
> I know it's against recommendations to run different versions of the DCs.

The DB of the new domain will be in a slightly new (but backward compatible) format. The domain isn't upgraded. We may have a functional level upgrade tool in the future, but currently all Samba domains (at the same FL from provision time) are essentially the same across versions since 4.0.2 (or so).

> > On your configure line:
> > > --with python2,python3
>
> To my belief, it does what it says: --with python2,python3 enables Python 2 and 3 support.

I think you want:

  --extra-python=/usr/bin/python3

> I hoped to be safe with this, keep Python 2 support and enable 3 also.
> Jessie also had 2.7 and 3.4 but it defaults to 2.7.
> The Debian wiki is a bit unclear about Stretch 2.7 and 3.5 but the default is left out. :-(
> https://wiki.debian.org/Python
>
> If I'm interpreting that wrong, then I would like to know the preferred Python for Samba 4.7 (Python 2.7 or 3.5).
> I saw on technical something about going to Python 3, but this Debian build still uses 2.7.
> So I'm a bit unclear about this.

Python 2 is the only supported Python for the AD DC. Python 3 support is under development, and supports some things, particularly for FreeIPA.

> > I'm not sure what you think that does. I'm not aware of that being a valid syntax.
> >
> > Finally, while you may do what you like with your packages, the MIT Krb5 KDC should not be enabled for the official Debian packages if you are hoping to propose them there, as RODC support is not available with the MIT KDC.
>
> Yes, I know about the missing PKINIT, RODC and S4U2... support. (I'm not using that as far as I know.)
> I did read the "WHATSNEW" ;-) and no, these will not go to official Debian.
> At least not the MIT version. This Samba 4.7rc4 with MIT support stays in my personal repo.
> It gives people at least the option to (more easily) test things a bit more quickly for 4.7,
> but thank you for pointing this out.
>
> Now I can make a new one also with Heimdal support, to keep in line with the official Debian, and a -MIT version to test with.
>
> Thanks for your time and knowledge...

Thanks for your time on the Debian packages.

Andrew Bartlett

> Greetz,
>
> Louis

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
L.P.H. van Belle
2017-Aug-18 10:15 UTC
[Samba] Samba 4.7rc4. (Debian Stretch Amd64 packages/sources available)
Hello Andrew,

First, thank you for the very quick reply.

...

> > When a higher Samba version is added? Or when the DC with the FSMO roles is upgraded?
> > I know it's against recommendations to run different versions of the DCs.
>
> The DB of the new domain will be in a slightly new (but backward
> compatible) format. The domain isn't upgraded. We may have
> a functional level upgrade tool in the future, but currently
> all Samba domains (at the same FL from provision time) are
> essentially the same across versions since 4.0.2 (or so).

Great, that helps a lot. Then I can safely make the Debian Heimdal package and add a new 4.7 AD DC.
I want the multi-threaded support :-))

> > > On your configure line:
> > > > --with python2,python3
> >
> > To my belief, it does what it says: --with python2,python3 enables Python 2 and 3 support.
>
> I think you want:
>
>   --extra-python=/usr/bin/python3

Yes, I did see that option, but I wasn't sure; I'll set that when needed.

> > I hoped to be safe with this, keep Python 2 support and enable 3 also.
> > Jessie also had 2.7 and 3.4 but it defaults to 2.7.
> > The Debian wiki is a bit unclear about Stretch 2.7 and 3.5 but the
> > default is left out. :-( https://wiki.debian.org/Python
> >
> > If I'm interpreting that wrong, then I would like to know the preferred
> > Python for Samba 4.7 (Python 2.7 or 3.5). I saw on technical something
> > about going to Python 3, but this Debian build still uses 2.7.
> > So I'm a bit unclear about this.
>
> Python 2 is the only supported Python for the AD DC. Python
> 3 support is under development, and supports some things,
> particularly for FreeIPA.

Ah, a new thing learned here; I didn't know only Python 2 supports the AD DC.
Is it still advisable to enable Python 3, or just stick to 2.7 and wait for Samba to be fully ready?
Are we missing features if I don't enable Python 3?
What do you guys prefer, enable both, or only 2.7? (And don't take Debian into account in this; I want a pure developer's mindset.)
What helps you guys the best?

Best regards,

Louis