On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > >
> > > I actually hope that the "--with-experimental-ad-dc" option will work
> > > well, as it seems to in Fedora 29. I'm not holding my breath for it.
> >
> > I'm sorry if my hints have not been strong enough:
> >
> > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
>
> Jeremy, I'm not the one who introduced this. It's not apparent from my
> git history, but I imported those settings straight from the Fedora 29
> SRPM, which uses precisely those settings.

I'm Andrew. I'll explain a bit more why Fedora upstream is not a good
guide here.

> > Your end users don't know we lack security support for this mode, and
> > do not have the resources to even fix the well known bugs in a timely
> > manner. It remains as a base for a future development effort from some
> > well-funded partner who needs it.
>
> Right. Thank you, and I'll try to reach upstream about this. Please
> don't blame me for activating that one, I've been working to backport
> from Fedora 29.

Upstream won't fix it, except to disable the AD DC again. They are, by
corporate edict, not permitted to ship our internal Heimdal.

> > As we know Red Hat doesn't need it any more, so who this will be is an
> > open question.
>
> That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't actually
> contain a domain controller, just empty RPMs with README files saying
> "we don't actually contain a domain controller", which I find
> confusing and disappointing. I build these as a hobby, and have been
> doing this sort of thing since SunOS 4.1.2, to see what the features
> of the latest releases are and as a hook for people who might need
> them for production use. Red Hat is welcome to them. I grabbed the
> latest 4.9.3 from Fedora, with surprise to see that the with_dc had
> been enabled in the latest release with precisely those settings.
>
> I'm happy to pass along your comments in a bugzilla for Fedora and
> discourage their use of this unsupported feature.

The maintainers are Samba Team members, they know the situation very
well.
https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/

The problem is the gap between Fedora, and even un-official packages
for RHEL/CentOS, as while few servers run on Fedora, people will use
these packages as an AD DC, hit the bugs in the MIT KDC, then come here
about it.

If you only want to do a pure backport (and not adjust the packages),
it would be safer, for the RHEL backport packages, to also turn off the
AD DC like RHEL does.

It is great to have more diversity in package sources for RPM users,
and I thank you for providing them! I just have some strong feelings
about unsupported code in what I hope becomes a popular package source.

I hope this clarifies things,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Tue, 11 Dec 2018 18:54:48 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> > On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett
> > <abartlet at samba.org> wrote:
> > > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > > >
> > > > I actually hope that the "--with-experimental-ad-dc" option
> > > > will work well, as it seems to in Fedora 29. I'm not holding my
> > > > breath for it.
> > >
> > > I'm sorry if my hints have not been strong enough:
> > >
> > > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
> >
> > Jeremy, I'm not the one who introduced this. It's not apparent from
> > my git history, but I imported those settings straight from the
> > Fedora 29 SRPM, which uses precisely those settings.
>
> I'm Andrew. I'll explain a bit more why Fedora upstream is not a good
> guide here.
>
> > > Your end users don't know we lack security support for this mode,
> > > and do not have the resources to even fix the well known bugs in
> > > a timely manner. It remains as a base for a future development
> > > effort from some well-funded partner who needs it.
> >
> > Right. Thank you, and I'll try to reach upstream about this. Please
> > don't blame me for activating that one, I've been working to
> > backport from Fedora 29.
>
> Upstream won't fix it, except to disable the AD DC again. They are,
> by corporate edict, not permitted to ship our internal Heimdal.
>
> > > As we know Red Hat doesn't need it any more, so who this will be
> > > is an open question.
> >
> > That, I'm unclear on. RHEL 7's "samba-dc" RPM packages don't
> > actually contain a domain controller, just empty RPMs with README
> > files saying "we don't actually contain a domain controller", which
> > I find confusing and disappointing. I build these as a hobby, and
> > have been doing this sort of thing since SunOS 4.1.2, to see what
> > the features of the latest releases are and as a hook for people
> > who might need them for production use. Red Hat is welcome to them.
> > I grabbed the latest 4.9.3 from Fedora, with surprise to see that
> > the with_dc had been enabled in the latest release with precisely
> > those settings.
> >
> > I'm happy to pass along your comments in a bugzilla for Fedora and
> > discourage their use of this unsupported feature.
>
> The maintainers are Samba Team members, they know the situation very
> well.
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
>
> The problem is the gap between Fedora, and even un-official packages
> for RHEL/CentOS, as while few servers run on Fedora, people will use
> these packages as an AD DC, hit the bugs in the MIT KDC, then come
> here about it.
>
> If you only want to do a pure backport (and not adjust the packages),
> it would be safer, for the RHEL backport packages, to also turn off
> the AD DC like RHEL does.
>
> It is great to have more diversity in package sources for RPM users,
> and I thank you for providing them! I just have some strong feelings
> about unsupported code in what I hope becomes a popular package
> source.
>
> I hope this clarifies things,
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba

I will be even more blunt, it seems that RHEL will never ship a version
of Samba that you can use as an AD DC, see here (near the bottom):

https://bugzilla.redhat.com/show_bug.cgi?id=910464

If you use MIT kerberos, there are numerous problems you will hit, so,
use it for testing by all means, but never use it in production.

Rowland
On Tue, Dec 11, 2018 at 12:54 AM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Tue, 2018-12-11 at 00:42 -0500, Nico Kadel-Garcia wrote:
> > On Mon, Dec 10, 2018 at 8:58 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > > On Mon, 2018-12-10 at 20:53 -0500, Nico Kadel-Garcia wrote:
> > > >
> > > > I actually hope that the "--with-experimental-ad-dc" option will work
> > > > well, as it seems to in Fedora 29. I'm not holding my breath for it.
> > >
> > > I'm sorry if my hints have not been strong enough:
> > >
> > > PLEASE DO NOT BUILD RPMS OF SAMBA WITH THIS SET.
> >
> > Jeremy, I'm not the one who introduced this. It's not apparent from my
> > git history, but I imported those settings straight from the Fedora 29
> > SRPM, which uses precisely those settings.
>
> I'm Andrew. I'll explain a bit more why Fedora upstream is not a good
> guide here.

Gods. Sorry about that, I've occasionally pitched in on Samba ports
since.... 1993, with SunOS 4.1.2, I think? I should know your name
better than that.

> Upstream won't fix it, except to disable the AD DC again. They are, by
> corporate edict, not permitted to ship our internal Heimdal.

Yeah. I got that part.

> The maintainers are Samba Team members, they know the situation very
> well.
> https://docs.fedoraproject.org/en-US/fedora/f29/release-notes/sysadmin/File_Servers/
>
> The problem is the gap between Fedora, and even un-official packages
> for RHEL/CentOS, as while few servers run on Fedora, people will use
> these packages as an AD DC, hit the bugs in the MIT KDC, then come here
> about it.

Then I really wish they'd stop publishing empty packages labeled
"samba-dc". It's confusing and irksome.

> If you only want to do a pure backport (and not adjust the packages),
> it would be safer, for the RHEL backport packages, to also turn off the
> AD DC like RHEL does.

The whole point of the backports for RHEL is to enable the full domain
controller feature list. I've followed your advice, and it is
compiling well with Heimdal enabled for both Fedora and for RHEL 7.
Doing it the way you said, and allowing the Heimdal Kerberos to be
used for the dc is working well in my limited testing.

> It is great to have more diversity in package sources for RPM users,
> and I thank you for providing them! I just have some strong feelings
> about unsupported code in what I hope becomes a popular package source.

I agree with the philosophy, and had not appreciated the risk that I
was importing from the current Fedora upstream practices.

> I hope this clarifies things,

It does.
On Fri, 2018-12-14 at 22:24 -0500, Nico Kadel-Garcia wrote:
> > If you only want to do a pure backport (and not adjust the packages),
> > it would be safer, for the RHEL backport packages, to also turn off the
> > AD DC like RHEL does.
>
> The whole point of the backports for RHEL is to enable the full domain
> controller feature list. I've followed your advice, and it is
> compiling well with Heimdal enabled for both Fedora and for RHEL 7.
> Doing it the way you said, and allowing the Heimdal Kerberos to be
> used for the dc is working well in my limited testing.
>
> > It is great to have more diversity in package sources for RPM users,
> > and I thank you for providing them! I just have some strong feelings
> > about unsupported code in what I hope becomes a popular package source.
>
> I agree with the philosophy, and had not appreciated the risk that I
> was importing from the current Fedora upstream practices.

Thank you so much, and thank you for working on this. It will be great
to be able to point Fedora and RHEL users at another package source
with a Heimdal enabled AD DC.

Thanks!

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
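The thread's practical advice is that a backported RPM should not default to building the AD DC against the MIT KDC, which the Samba Team does not security-support. The script below is an added example, not code from this thread, from Samba or from the Fedora packaging: it audits an RPM spec fragment for that default and shows the weak setting beside the corrected one. It assumes a Fedora-style `dc` bcond that, when enabled, passes Samba's `--with-experimental-mit-ad-dc` configure option (the thread abbreviates it as `--with-experimental-ad-dc`); the spec fragment it checks is constructed for the example, not the real Fedora spec.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or Fedora): audit whether an RPM
# spec builds Samba's AD DC against the MIT KDC by default, and flip that
# default off, as the thread recommends for RHEL backport packages.
# Assumption: a Fedora-style "dc" bcond wires in --with-experimental-mit-ad-dc.

# Constructed sample spec fragment. Note the rpm gotcha it illustrates:
# "%bcond_without dc" means "build WITH dc unless --without dc is given",
# so the AD DC is on by default even though the macro name says "without".
SAMPLE_SPEC='%bcond_without dc
%if %{with dc}
%global _with_dc --with-experimental-mit-ad-dc
%endif
%configure %{?_with_dc}'

# Prints one word describing the spec's default:
#   absent   - the MIT AD DC configure option is never passed
#   disabled - it is passed only under "%bcond_with dc" (off by default)
#   enabled  - it is passed under "%bcond_without dc", or unconditionally
mit_dc_default() {
    spec="$1"
    if ! printf '%s\n' "$spec" | grep -q -- '--with-experimental-mit-ad-dc'; then
        echo absent
    elif printf '%s\n' "$spec" | grep -Eq '^%bcond_with[[:space:]]+dc[[:space:]]*$'; then
        echo disabled
    else
        echo enabled
    fi
    return 0
}

# Corrected form: make the bcond default off ("%bcond_with dc"). A rebuild
# can still opt in explicitly with "rpmbuild --with dc". If the option is
# passed unconditionally rather than via the bcond, this rewrite leaves it
# alone and mit_dc_default still reports "enabled", so the spec needs a
# manual edit in that case.
disable_mit_dc_default() {
    printf '%s\n' "$1" \
        | sed -E 's/^%bcond_without[[:space:]]+dc[[:space:]]*$/%bcond_with dc/'
}

# Stand-alone run: show the weak default, then the corrected spec.
echo "sample spec default: $(mit_dc_default "$SAMPLE_SPEC")"
FIXED_SPEC=$(disable_mit_dc_default "$SAMPLE_SPEC")
echo "after fix:           $(mit_dc_default "$FIXED_SPEC")"
echo "$FIXED_SPEC"
```

Run it against a real spec with `mit_dc_default "$(cat samba.spec)"` after sourcing the file; a result of `enabled` on a package meant for RHEL users is exactly the situation the thread warns about.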