On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> <samba at lists.samba.org> wrote:
>
> > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > clients or DCs. I still have a few details to work out (how to move the
> > Samba servers from local auth to AD auth, etc. mostly because it's not
> > my area of expertise) but it's been working fine for me so far.
> >
> > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > for el7. So far, I've tried:
> >
> > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > source rpms unless you complain a lot.
> >
> > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> >
> > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > pull down rpms from them for months.
> >
> > Any non-inflammatory comments are welcome! :)
>
> There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> I've found that Samba 4.9 with the domain controller requires gnutls
> 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> welcome to play with the tools and set up a samba-4.8.x branch.

Can you get me some more details on that? It isn't deliberate.

> The recent complete switchover from python 2 to python3 is going to
> cause even more problems. The SCLO python packages are quite painful
> and short of critical modules, which makes a huge toolchain build to
> assemble them, and the python36 now in EPEL did not work well for me
> last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> better python 3 support.

Yeah, we know it will be a pain. That is why there will still be a
fallback to python2 for 4.10 in March, but after that we can't sustain
the support for interpreting the same code as python2 and python3, and
will go pure py3.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Sat, Dec 8, 2018 at 12:34 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> > On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> > <samba at lists.samba.org> wrote:
> >
> > > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > > clients or DCs. I still have a few details to work out (how to move the
> > > Samba servers from local auth to AD auth, etc. mostly because it's not
> > > my area of expertise) but it's been working fine for me so far.
> > >
> > > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > > for el7. So far, I've tried:
> > >
> > > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > > source rpms unless you complain a lot.
> > >
> > > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> > >
> > > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > > pull down rpms from them for months.
> > >
> > > Any non-inflammatory comments are welcome! :)
> >
> > There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> > I've found that Samba 4.9 with the domain controller requires gnutls
> > 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> > welcome to play with the tools and set up a samba-4.8.x branch.
>
> Can you get me some more details on that? It isn't deliberate.

The first issue is in source4/lib/tls/wscript, which has hardcoded
checks for gnutls >= 3.4.7 linked to with_system_mitkrb5 and
conf.env.AD_DC_IS_ENABLED. Patching that to set the checks for 3.3.29
gets a report of a missing dependency for "hx509" in
"dcerpc_backupkey". So I assume that the check for gnutls 3.4.7 was a
legitimate requirement check. And that's about as deep as I can go
with that issue for right now.

I've instead, for short-term work, created some hooks to compile 4.8.7
for RHEL 7. That may be helpful to folks who do want a dc for RHEL 7,
and I'll see if I can test it in the next few days.

> > The recent complete switchover from python 2 to python3 is going to
> > cause even more problems. The SCLO python packages are quite painful
> > and short of critical modules, which makes a huge toolchain build to
> > assemble them, and the python36 now in EPEL did not work well for me
> > last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> > better python 3 support.
>
> Yeah, we know it will be a pain. That is why there will still be a
> fallback to python2 for 4.10 in March, but after that we can't sustain
> the support for interpreting the same code as python2 and python3, and
> will go pure py3.
>
> Andrew Bartlett

I do appreciate the difficulty. Fedora is switching almost completely
over to Python 3 for Fedora 30, and Fedora 29 has good integration of
Python 3 already, so it should be straightforward there and for RHEL 8.

On Sun, 2018-12-09 at 17:20 -0500, Nico Kadel-Garcia wrote:
> On Sat, Dec 8, 2018 at 12:34 AM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> > > On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > > > clients or DCs. I still have a few details to work out (how to move the
> > > > Samba servers from local auth to AD auth, etc. mostly because it's not
> > > > my area of expertise) but it's been working fine for me so far.
> > > >
> > > > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > > > for el7. So far, I've tried:
> > > >
> > > > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > > > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > > > source rpms unless you complain a lot.
> > > >
> > > > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> > > >
> > > > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > > > pull down rpms from them for months.
> > > >
> > > > Any non-inflammatory comments are welcome! :)
> > >
> > > There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> > > I've found that Samba 4.9 with the domain controller requires gnutls
> > > 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> > > welcome to play with the tools and set up a samba-4.8.x branch.
> >
> > Can you get me some more details on that? It isn't deliberate.
>
> The first issue is in source4/lib/tls/wscript, which has hardcoded
> checks for gnutls >= 3.4.7 linked to with_system_mitkrb5 and
> conf.env.AD_DC_IS_ENABLED.

Correct. But this is experimental in any case. If you don't specify
--with-system-mitkrb5 it should allow an older version.

> Patching that to set the checks for 3.3.29
> gets a report of a missing dependency for "hx509" in
> "dcerpc_backupkey". So I assume that the check for gnutls 3.4.7 was a
> legitimate requirement check. And that's about as deep as I can go
> with that issue for right now.

Again, this is due to attempting to use the MIT Krb5 stuff. Don't do
that.

> I've instead, for short-term work, created some hooks to compile 4.8.7
> for RHEL 7. That may be helpful to folks who do want a dc for RHEL 7,
> and I'll see if I can test it in the next few days.

Please ensure it uses the internal Heimdal Kerberos.

> > > The recent complete switchover from python 2 to python3 is going to
> > > cause even more problems. The SCLO python packages are quite painful
> > > and short of critical modules, which makes a huge toolchain build to
> > > assemble them, and the python36 now in EPEL did not work well for me
> > > last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> > > better python 3 support.
> >
> > Yeah, we know it will be a pain. That is why there will still be a
> > fallback to python2 for 4.10 in March, but after that we can't sustain
> > the support for interpreting the same code as python2 and python3, and
> > will go pure py3.
> >
> > Andrew Bartlett
>
> I do appreciate the difficulty. Fedora is switching almost completely
> over to Python 3 for Fedora 30, and Fedora 29 has good integration of
> Python 3 already, so it should be straightforward there and for RHEL
> 8.

Except for the MIT Kerberos stuff, of course. :-)

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Hi Nico & all,

I'm currently updating my samba4 rpms to 4.8.8 and I noticed that I
needed to add a new (not in 4.8.7) dependency to my spec file:

%{_libdir}/samba/libcmdline-contexts-samba4.so

(not too sure in which rpm to add that one but I guess I'll see how it
goes).

Where's your samba-4.8.x spec rpms tree? Is this:
https://github.com/nkadel/samba-4.9.x-srpm/tree/nkadel-4.8.7

Once I figure out how to consume your repo, I'll probably submit a PR. :)

Thanks,
Vincent