Kees van Vloten
2022-Jan-15 13:51 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On 15-01-2022 14:05, Rowland Penny via samba wrote:> On Fri, 2022-01-14 at 20:16 +0000, Rowland Penny via samba wrote: >> On Fri, 2022-01-14 at 15:07 -0500, Luc Lalonde wrote: >>> Interesting... You didn't have problems with missing dependancies? >> No, just added the repo, installed pam_krb5 and configured >> /etc/security/pam_winbind.conf >> >>> They're really pushing you to use SSSD: >> Well they would, it is theirs. >> >>> pam_krb5 >>> >>> This PAM module provides Kerberos-based authentication. From the >>> very >>> beginning of its existence the SSSD project was targeting >>> replacing >>> pam_krb5 on the system. SSSD has offered Kerberos authentication >>> for >>> years, but also much more. With the release of Red Hat Enterprise >>> Linux >>> 7.4 SSSD has the features that we believe users need from the >>> standard >>> pam_krb5 module, and we felt ready to add it to the set of >>> deprecated >>> PAM modules. >>> >>> Taken from (you need an account to read it, a free dev account will >>> do): >>> >>> https://access.redhat.com/solutions/4256011 >> As far as I remember, the pam_krb5 they removed was their version, >> which wasn't very good, and had nothing to do with version that >> Debian >> uses. >> >> I just need to wait until tomorrow and see if my ticket is renewed, >> as >> on Debian. >> >> Rowland > Oh, I hate red-hat, No samba-tool (which I can understand because of no > DC code) and ldbsearch doesn't have '-P' > > Looks like I need to find an uptodate repo with Samba DC packages. > > Rowland > > > >Perhaps this: https://github.com/nkadel/samba4repo/ It was mentioned on 12-11-2021 on the list. - Kees
Rowland Penny
2022-Jan-15 14:10 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Sat, 2022-01-15 at 14:51 +0100, Kees van Vloten via samba wrote:> > > > > > > > Perhaps this: https://github.com/nkadel/samba4repo/ > > It was mentioned on 12-11-2021 on the list. > > - Kees >I ended up using the Tranquil IT repo, which provides Samba 4.15.3 and by running: sudo samba-tool dns zonelist rpidc1 -P I got my dns zones returned, which shows that winbind is updating the machine ticket. There is one strange problem, ldbsearch (provided by ldb-tools) still doesn't know about '-P'. I am sure that if was going to use a red-hat based distro, I could find a fix for this, but I have no reason to try and fix it. To myself, the red-hat distro's are just horrible, yes there are things to try and make it easier but Debian is so much easier to use and it all works out of the box. Rowland
Nico Kadel-Garcia
2022-Jan-15 15:26 UTC
[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
On Sat, Jan 15, 2022 at 8:52 AM Kees van Vloten via samba <samba at lists.samba.org> wrote:> > On 15-01-2022 14:05, Rowland Penny via samba wrote: > > On Fri, 2022-01-14 at 20:16 +0000, Rowland Penny via samba wrote: > >> On Fri, 2022-01-14 at 15:07 -0500, Luc Lalonde wrote: > >>> Interesting... You didn't have problems with missing dependancies? > >> No, just added the repo, installed pam_krb5 and configured > >> /etc/security/pam_winbind.conf > >> > >>> They're really pushing you to use SSSD: > >> Well they would, it is theirs. > >> > >>> pam_krb5 > >>> > >>> This PAM module provides Kerberos-based authentication. From the > >>> very > >>> beginning of its existence the SSSD project was targeting > >>> replacing > >>> pam_krb5 on the system. SSSD has offered Kerberos authentication > >>> for > >>> years, but also much more. With the release of Red Hat Enterprise > >>> Linux > >>> 7.4 SSSD has the features that we believe users need from the > >>> standard > >>> pam_krb5 module, and we felt ready to add it to the set of > >>> deprecated > >>> PAM modules. > >>> > >>> Taken from (you need an account to read it, a free dev account will > >>> do): > >>> > >>> https://access.redhat.com/solutions/4256011 > >> As far as I remember, the pam_krb5 they removed was their version, > >> which wasn't very good, and had nothing to do with version that > >> Debian > >> uses. > >> > >> I just need to wait until tomorrow and see if my ticket is renewed, > >> as > >> on Debian. > >> > >> Rowland > > Oh, I hate red-hat, No samba-tool (which I can understand because of no > > DC code) and ldbsearch doesn't have '-P' > > > > Looks like I need to find an uptodate repo with Samba DC packages. > > > > Rowland > > > > > > > > > Perhaps this: https://github.com/nkadel/samba4repo/ > > It was mentioned on 12-11-2021 on the list. > > - KeesI've not been publishing binaries, and I've not updated it successfully to 4.15.3 for RHEL 7. There are some python dependency issues that made me bang my head on the table. I'm about ready to discard RHEL 7 as a supported platform, the work of integrating the backported gnutls and other tools is getting to be more work than I care to do. Is the MIT kerberos integration good enough to rely on for RHEL 8 yet, in which case a lot of the work of handling Heimdal Kerberos goes away.