On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> >
> > > I actually hope that the "--with-experimental-ad-dc" option will work
> > > well, as it seems to in Fedora 29. I'm not holding my breath for it.
> >
> > I'm sorry if my hints have not been strong enough:
> >
> > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
>
> Jeremy, I'm not the one who introduced this. It's not apparent from my
> git history, but I imported those settings straight from the Fedora 29
> SRPM, which uses precisely those settings.
I'm Andrew. I'll explain a bit more why Fedora upstream is not a good
guide here.
> > Your end users don't know we lack security support for this mode, and
> > do not have the resources to even fix the well known bugs in a timely
> > manner. It remains as a base for a future development effort from some
> > well-funded partner who needs it.
>
> Right. Thank you, and I'll try to reach upstream about this. Please
> don't blame me for activating that one, I've been working to backport
> from Fedora 29.
Upstream won't fix it, except to disable the AD DC again. They are, by
corporate edict, not permitted to ship our internal Heimdal.
> > As we know Red Hat doesn't need it any more, so who this will be is an
> > open question.
>
> That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't actually
> contain a domain controller, just empty RPMs with README files saying
> "we don't actually contain a domain controller", which I find
> confusing and disappointing. I build these as a hobby, and have been
> doing this sort of thing since SunOS 4.1.2, to see what the features
> of the latest releases are and as a hook for people who might need
> them for production use. Red Hat is welcome to them. I grabbed the
> latest 4.9.3 from Fedora, with surprise to see that the with_dc had
> been enabled in the latest release with precisely those settings.
>
> I'm happy to pass along your comments in a bugzilla for Fedora and
> discourage their use of this unsupported feature.
The maintainers are Samba Team members, they know the situation very
well.
https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
The problem is the gap between Fedora, and even un-official packages
for RHEL/CentOS, as while few servers run on Fedora, people will use
these packages as an AD DC, hit the bugs in the MIT KDC, then come here
about it.
If you only want to do a pure backport (and not adjust the packages),
it would be safer, for the RHEL backport packages, to also turn off the
AD DC like RHEL does.
It is great to have more diversity in package sources for RPM users,
and I thank you for providing them! I just have some strong feelings
about unsupported code in what I hope becomes a popular package source.
I hope this clarifies things,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba