On Sun, 2018-12-09 at 17:20 -0500, Nico Kadel-Garcia wrote:
> On Sat, Dec 8, 2018 at 12:34 AM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Fri, 2018-12-07 at 23:32 -0500, Nico Kadel-Garcia via samba wrote:
> > > On Thu, Dec 6, 2018 at 2:35 PM Vincent S. Cojot via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > So, IMHO RHEL7/Centos7 does just fine in a Samba AD/DC setup either as
> > > > clients or DCs. I still have a few details to work out (how to move the
> > > > Samba servers from local auth to AD auth, etc.. mostly because it's not
> > > > my area of expertise) but it's been working fine for me so far.
> > > >
> > > > The only area of concern on el7 is to find a -reliable- Samba RPM builder
> > > > for el7. So far, I've tried:
> > > >
> > > > - TranquilIT - https://dev.tranquil.it/wiki/Samba4
> > > > Their latest 4.8.x rpms are stuck on 4.8.5 and they don't provide
> > > > source rpms unless you complain a lot.
> > > >
> > > > - http://azzurro.ezplanet.net : Seems pretty much out of updates
> > > >
> > > > - http://wing-net.ddo.jp/wing : Web page still up but I've been unable to
> > > > pull down rpms from them for months.
> > > >
> > > > Any non-inflammatory comments are welcome! :)
> > >
> > > There is my toolchain over at https://github.com/nkadel/samba4repo/ .
> > > I've found that Samba 4.9 with the domain controller requires gnutls
> > > 4.3.7 or better, which makes a *big* problem for RHEL 7. But you're
> > > welcome to play with the tools and set up a samba-4.8.x branch.
> >
> > Can you get me some more details on that? It isn't deliberate.
>
> The first issue is in source4/lib/tls/wscript, which has hardcoded
> checks for gnutls >= 3.4.7 linked to with_system_mitkrb5 and
> conf.env.AD_DC_IS_ENABLED.

Correct. But this is experimental in any case. If you don't specify
--with-system-mitkrb5 it should allow an older version.

> Patching that to set the checks for 3.3.29
> gets a report of a missing dependency for "hx509" in
> "dcerpc_backupkey". So I assume that the check for gnutls 3.4.7 was a
> legitimate requirement check. And that's about as deep as I can go
> with that issue for right now.

Again, this is due to attempting to use the MIT Krb5 stuff. Don't do
that.

> I've instead, for short-term work, created some hooks to compile 4.8.7
> for RHEL 7. That may be helpful to folks who do want a dc for RHEL 7,
> and I'll see if I can test it in the next few days.

Please ensure it uses the internal Heimdal Kerberos.

> > > The recent complete switchover from python 2 to python3 is going to
> > > cause even more problems. The SCLO python packages are quite painful
> > > and short of critical modules, which makes a huge toolchain build to
> > > assemble them, and the python36 now in EPEL did not work well for me
> > > last time I tried. Frankly, RHEL 8 is overdue with gnutls updates and
> > > better python 3 support.
> >
> > Yeah, we know it will be a pain. That is why there will still be a
> > fallback to python2 for 4.10 in March, but after that we can't sustain
> > the support for interpreting the same code as python2 and python3, and
> > will go pure py3.
> >
> > Andrew Bartlett
>
> I do appreciate the difficulty. Fedora is switching almost completely
> over to Python 3 for Fedora 30, and Fedora 29 has good integration of
> Python 3 already, so it should be straightforward there and for RHEL
> 8..

Except for the MIT Kerberos stuff, of course. :-)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba