Hi All,

I know RHEL has bad press here but I'd like to share a different opinion (works for me) and maybe share some of my settings.
BTW, those views are my own, not those of my employer.

I run a small AD at home. The setup is as follows:
- two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on SPECs from TranquilIT/Fedora).
- several Win10 laptops joined to the domain.
- several RHEL7.6 clients/machines running 'realmd' and joined to the domain. The AD users can log into those machines and their Linux account gets mapped appropriately.

I set policies from a Win10 VM using RSAT and since there is a lot of literature on the excellent Samba wiki and on the net, this wasn't too difficult for the Win* noob in me.

It's been running great so far but because I'm rebuilding the rpms myself and actually using 'realmd' I feel a little like I am in uncharted territory. At least, the RHEL7 part is familiar to me. :)

First, I needed to make a few changes to the client Linux systems: a slightly modified krb5 client config and a custom sssd config once they were joined ('realm join ...') to the AD domain.

The most important part was that the RHEL7 hosts wouldn't be heavily modified, except for the two AD DCs which run a custom build of Samba, of course.
For sssd, I used the following (customized file):
------------------------------------------------------
[sssd]
domains = ad.lasthome.solace.krynn
config_file_version = 2
services = nss, pam, pac

[domain/ad.lasthome.solace.krynn]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad

ad_gpo_access_control = disabled
override_gid = 100

ad_domain = ad.lasthome.solace.krynn
krb5_realm = AD.LASTHOME.SOLACE.KRYNN
realmd_tags = manages-system joined-with-samba

#
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /export/home/%u@%d
ldap_referrals = False
ignore_group_members = True

[nss]

[pam]
------------------------------------------------------

For realmd, it was only a matter of following the documentation, which resulted in

# realm join --automatic-id-mapping=no ad.lasthome.solace.krynn -U administrator
[...]
# realm list
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as clients or DCs. I still have a few details to work out (how to move the Samba servers from local auth to AD auth, etc.. mostly because it's not my area of expertise) but it's been working fine for me so far.

The only area of concern on el7 is to find a -reliable- Samba RPM builder for el7. So far, I've tried:

- TranquilIT - https://dev.tranquil.it/wiki/Samba4
  Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide source rpms unless you complain a lot.

- http://azzurro.ezplanet.net : Seems pretty much out of updates

- http://wing-net.ddo.jp/wing : Web page still up but I've been unable to pull down rpms from them for months.

Any non-inflammatory comments are welcome! :)

Vincent
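The sssd.conf above carries several settings that change who can log in and what gets cached on the host (ad_gpo_access_control, access_provider, override_gid, ldap_id_mapping, cache_credentials, krb5_store_password_if_offline), and sssd itself insists on the file being 0600 and root-owned. The script below is an added example, not code from the post, from sssd or from realmd: it parses an sssd.conf, reports on those settings, and checks the file mode. The embedded sample is the posted configuration (the realmd_tags line dropped) and is used when no path is given; the messages are this example's own explanations of the documented option semantics, and the root-ownership check assumes el7, where sssd runs as root.

```python
"""Audit an sssd.conf for the settings that matter on an AD-joined host.

Added example for this thread; not code from the original post, from sssd
or from realmd. It only reads the file and reports, it changes nothing.
"""
import configparser
import os
import stat
import sys
from typing import List, Tuple

# Constructed sample: the domain section from the post above (the realmd_tags
# line and the stray '#' dropped). Used when no path is given on the command line.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ad.lasthome.solace.krynn
config_file_version = 2
services = nss, pam, pac

[domain/ad.lasthome.solace.krynn]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_gpo_access_control = disabled
override_gid = 100
ad_domain = ad.lasthome.solace.krynn
krb5_realm = AD.LASTHOME.SOLACE.KRYNN
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = False
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /export/home/%u@%d
ldap_referrals = False
ignore_group_members = True

[nss]

[pam]
"""

Finding = Tuple[str, str]  # (setting, explanation)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-like; fallback_homedir uses %u/%d, so configparser's
    # own %-interpolation must be switched off or parsing fails.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def audit_domain(cp: configparser.ConfigParser, domain: str) -> List[Finding]:
    d = cp[f"domain/{domain}"]
    out: List[Finding] = []
    if d.get("ad_gpo_access_control", "").strip().lower() == "disabled":
        out.append(("ad_gpo_access_control",
                    "disabled: the AD logon-right GPOs (allow/deny log on locally, "
                    "over the network, through Remote Desktop) are neither evaluated "
                    "nor enforced; only access_provider decides who may log in"))
    if d.get("access_provider", "permit").strip().lower() == "permit":
        out.append(("access_provider",
                    "permit (the default): every valid AD account can log in here"))
    if "override_gid" in d:
        out.append(("override_gid",
                    f"every AD user gets primary GID {d['override_gid'].strip()}; "
                    "the AD primary group is not reflected in the Unix GID"))
    if not _truthy(d.get("ldap_id_mapping", "true")):
        out.append(("ldap_id_mapping",
                    "False: uidNumber/gidNumber must be set on every AD user and "
                    "group, otherwise that account does not resolve on this host"))
    if _truthy(d.get("cache_credentials", "false")):
        out.append(("cache_credentials",
                    "True: hashed passwords are kept in /var/lib/sss/db for offline "
                    "logon; that directory must stay root-only"))
    if _truthy(d.get("krb5_store_password_if_offline", "false")):
        out.append(("krb5_store_password_if_offline",
                    "True: while offline the user's password is held in the kernel "
                    "keyring so a TGT can be fetched once the DC is reachable"))
    return out


def audit(cp: configparser.ConfigParser) -> List[Finding]:
    out: List[Finding] = []
    services = [s.strip() for s in cp["sssd"].get("services", "").split(",")]
    if "pam" not in services:
        out.append(("services", "pam responder missing: logins will not go through sssd"))
    for dom in cp["sssd"]["domains"].split(","):
        out.extend(audit_domain(cp, dom.strip()))
    return out


def mode_findings(mode_bits: int, uid: int) -> List[Finding]:
    # sssd refuses to start unless sssd.conf is 0600; on el7 it must also be
    # root-owned (newer releases may allow the sssd service user instead).
    out: List[Finding] = []
    if mode_bits & 0o077:
        out.append(("mode", f"{mode_bits:04o}: sssd.conf must be 0600"))
    if uid != 0:
        out.append(("owner", f"uid {uid}: sssd.conf must be owned by root"))
    return out


def check_file(path: str) -> List[Finding]:
    st = os.stat(path)
    return mode_findings(stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path) as fh:
            results = check_file(path) + audit(parse_sssd_conf(fh.read()))
    else:
        results = audit(parse_sssd_conf(SAMPLE_SSSD_CONF))
    for setting, why in results:
        print(f"{setting}: {why}")
```

Run it as root against /etc/sssd/sssd.conf after `realm join`; the findings are observations, not verdicts. Disabling GPO access control is a legitimate choice on a home network where the DCs are Samba (the relevant GPOs may simply not be set), but on a host that is supposed to honour "Deny log on locally" it is the first thing to re-enable.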
Pretty much the same (CentOS7), including using sssd to join linux domain members, as I don't have many and it was easier for me to understand (and find documentation for) than winbind at the time.

As noted, the key to it is either building Samba4 from sources, or finding somebody to do it for us (Thanks to the Tranquil.IT team) -- in both cases, using Heimdal instead of MIT Kerberos.

And lastly, the Wing repo is down permanently. I found a note from the site maintainer that he was discontinuing it a while back (it's in Japanese and the link is in the archives somewhere).

Kris Lou
klou at themusiclink.net

On Thu, Dec 6, 2018 at 11:35 AM Vincent S. Cojot via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> I know RHEL has bad press here but I'd like to share a different opinion
> (works for me) and maybe share some of my settings.
> BTW, Those views are my own, not those of my employer.
>
> I run a small AD at home. The setup is as follows:
> - two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on
> SPECs from TranquilIT/Fedora).
> - several Win10 laptops joined to the domain.
> - several RHEL7.6 clients/Machines running 'realmd' and joined to the
> domain. The AD users can log into those machines and their Linux account
> gets mapped appropriately.
>
> I set policies from a Win10 VM using RSAT and since there is a lot of
> literature on the excellent Samba wiki and on the net, this wasn't too
> difficult for the Win* noob in me.
>
> It's been running great so far but because I'm rebuilding the rpms myself
> and actually using 'realmd' I feel a little like I am in uncharted
> territory. At least, the RHEL7 part is familiar to me. :)
>
> First, I needed to make a few changes to the client Linux systems:
> a slightly modified krb5 client config and a custom sssd config once they
> were joined ('realm join ...') to the AD domain.
>
> The most important part was that the RHEL7 hosts wouldn't be heavily
> modified, except for the two AD DCs which run a custom build of Samba, of
> course.
>
> For sssd, I used the following (customized file):
> ------------------------------------------------------
> [sssd]
> domains = ad.lasthome.solace.krynn
> config_file_version = 2
> services = nss, pam, pac
>
> [domain/ad.lasthome.solace.krynn]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> ad_gpo_access_control = disabled
> override_gid = 100
>
> ad_domain = ad.lasthome.solace.krynn
> krb5_realm = AD.LASTHOME.SOLACE.KRYNN
> realmd_tags = manages-system joined-with-samba
>
> #
> cache_credentials = True
> krb5_store_password_if_offline = True
> ldap_id_mapping = False
> use_fully_qualified_names = False
> default_shell = /bin/bash
> fallback_homedir = /export/home/%u@%d
> ldap_referrals = False
> ignore_group_members = True
>
> [nss]
>
> [pam]
> ------------------------------------------------------
>
> For realmd, it was only a matter of following the documentation, which
> resulted in
> # realm join --automatic-id-mapping=no ad.lasthome.solace.krynn -U
> administrator
> [...]
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> clients or DCs. I still have a few details to work out (how to move the
> Samba servers from local auth to AD auth, etc.. mostly because it's not
> my area of expertise) but it's been working fine for me so far.
>
> The only area of concern on el7 is to find a -reliable- Samba RPM builder
> for el7. So far, I've tried:
>
> - TranquilIT - https://dev.tranquil.it/wiki/Samba4
>   Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
>   source rpms unless you complain a lot.
>
> - http://azzurro.ezplanet.net : Seems pretty much out of updates
>
> - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> pull down rpms from them for months.
>
> Any non-inflammatory comments are welcome! :)
>
> Vincent
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Thu, 6 Dec 2018 14:11:53 -0500 (EST)
"Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:

> Hi All,
>
> I know RHEL has bad press here but I'd like to share a different
> opinion (works for me) and maybe share some of my settings.
> BTW, Those views are my own, not those of my employer.

No, RHEL doesn't get bad press here, but it uses its own tools with Samba and as such, Samba cannot support these tools, that is Red Hat's job. What Samba can do is support its own tools that do the same job.

> I run a small AD at home. The setup is as follows:
> - two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based
> on SPECs from TranquilIT/Fedora).
> - several Win10 laptops joined to the domain.
> - several RHEL7.6 clients/Machines running 'realmd' and joined to the
> domain. The AD users can log into those machines and their Linux
> account gets mapped appropriately.

If you install Samba, you get samba-tool & net, both of these will do more than 'realmd' will.

Rowland
Andrew Bartlett
2018-Dec-06 19:56 UTC
[Samba] RHEL, Fedora and the MIT kerberos backend (was: Re: RHEL7/Centos7 with Samba AD)
On Thu, 2018-12-06 at 14:11 -0500, Vincent S. Cojot via samba wrote:
> Hi All,
>
> I know RHEL has bad press here but I'd like to share a different opinion
> (works for me) and maybe share some of my settings.
> BTW, Those views are my own, not those of my employer.
>
> I run a small AD at home. The setup is as follows:
> - two AD DCs (RHEL7.6 KVM virtual machines + Samba 4.8.7 rpms based on
> SPECs from TranquilIT/Fedora).

To be clear, Tranquil IT use the internal Heimdal Kerberos. That is all the 'bad press' about using Fedora for the AD DC is about.

Also, many assumed that the packages in Fedora would go directly to RHEL as a supported feature, but they made it clear that this won't happen with this statement:
https://bugzilla.redhat.com/show_bug.cgi?id=910464

I'm sad they are not shipping it, not just for the validation, but because the distribution model of support subscriptions could really have helped fill in some of our documentation holes and rough edges.

Red Hat made an amazing effort to get Samba to totally switch the Kerberos implementation on which it is based over to MIT. They have a strict internal rule not to have two Kerberos implementations, and they started with MIT and financially back that, ensuring it is maintained. It is very good for what they need it for in FreeIPA and the rest of their distribution.

Sadly the transition for Samba wasn't finished, and the final issues are just enough to be real problems in production. (And the time it has taken to fix those indicates that there are not the resources for the Samba Team to promise it as a fully supported feature).

"
Samba 4.7 and later versions have shipped with code to support building the Samba AD DC using MIT Kerberos. Since the time of the release a number of issues, including security issues, have been found by real-world use.

However sadly the Samba Team has not been able to resource the resolution of these issues to a standard that we are happy with, and so this release marks this mode more clearly as experimental.

As an experimental feature, we will not be issuing security patches for this feature, including for:

S4U2Self crash with MIT KDC build
https://bugzilla.samba.org/show_bug.cgi?id=13571

For further information, please see
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
"

(a non-security patch for this has been issued however, thankfully).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba <samba at lists.samba.org> wrote:

> So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> clients or DCs. I still have a few details to work out (how to move the
> Samba servers from local auth to AD auth, etc.. mostly because it's not
> my area of expertise) but it's been working fine for me so far.
>
> The only area of concern on el7 is to find a -reliable- Samba RPM builder
> for el7. So far, I've tried:
>
> - TranquilIT - https://dev.tranquil.it/wiki/Samba4
>   Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
>   source rpms unless you complain a lot.
>
> - http://azzurro.ezplanet.net : Seems pretty much out of updates
>
> - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> pull down rpms from them for months.
>
> Any non-inflammatory comments are welcome! :)

There is my toolchain over at https://github.com/nkadel/samba4repo/ . I've found that Samba 4.9 with the domain controller requires gnutls 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're welcome to play with the tools and set up a samba-4.8.x branch.

The recent complete switchover from python 2 to python3 is going to cause even more problems. The SCLO python packages are quite painful and short of critical modules, which makes a huge toolchain build to assemble them, and the python36 now in EPEL did not work well for me last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and better python 3 support.

> Vincent
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> <samba at lists.samba.org> wrote:
>
> > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > clients or DCs. I still have a few details to work out (how to move the
> > Samba servers from local auth to AD auth, etc.. mostly because it's not
> > my area of expertise) but it's been working fine for me so far.
> >
> > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > for el7. So far, I've tried:
> >
> > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> >   Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> >   source rpms unless you complain a lot.
> >
> > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> >
> > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > pull down rpms from them for months.
> >
> > Any non-inflammatory comments are welcome! :)
>
> There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> I've found that Samba 4.9 with the domain controller requires gnutls
> 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> welcome to play with the tools and set up a samba-4.8.x branch.

Can you get me some more details on that? It isn't deliberate.

> The recent complete switchover from python 2 to python3 is going to
> cause even more problems. The SCLO python packages are quite painful
> and short of critical modules, which makes a huge toolchain build to
> assemble them, and the python36 now in EPEL did not work well for me
> last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> better python 3 support.

Yeah, we know it will be a pain. That is why there will still be a fallback to python2 for 4.10 in March, but after that we can't sustain the support for interpreting the same code as python2 and python3, and will go pure py3.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba