Samba ad dc ( active directory domain controller )

matthewGear · February 1, 2024, 4:02am

Hey Everyone! I’m back Per our previous conversations, I have modified the installer and updated a lot of the scripting… I am still cleaning up the “echo”… But I wanted to thank everyone for your guidance and help in making a much better script than I had. I would be most appreciative if someone wanted to provide some feedback on this new installer. I also added a monitoring agent that compares the @System (local) repo to the upstream repo for samba versions and creates a notification to run a command to allow the system to update itself. I have tested this and it seems to work pretty nice. Any comments, suggestions, would be welcome. Or, if you want to give it a spin, feel free! GitHub - fumatchu/RADS: Rocky Active Directory Install Script to build Samba AD Servers

bunkobugsy · April 15, 2024, 1:30pm

In samba.spec replace python3-pyasn1 with python38-pyasn1 >= 0.4.8 but it still won’t build, so in samba-4.18.6.tar.xz in wscript_configure_system_mitkrb5 change krb5_required_version = “1.19” to “1.18” otherwise it won’t even build on Rocky 9.3 or with updates from Index of /results/ligenix/enterprise-samba-AD-DC/epel-8-x86_64/03257261-krb5/
and use mock -r rocky+epel-8-x86_64

bunkobugsy · April 16, 2024, 6:49am

Great howto. Any news/eta on the samba-dc package request, would really be more trusted than the (problematic) self built one.

hortimech · April 16, 2024, 7:31am

The problem with using MIT 1.18 is that it isn’t supported by Samba on the experimental versions 4.18.x , you should be using 1.20, better still, build with the builtin Heimdal.

bunkobugsy · April 16, 2024, 7:51am

Specfile %global required_mit_krb5 1.18
wscript_configure_system_mitkrb5 fails to correctly detect installed updates from Index of /results/ligenix/enterprise-samba-AD-DC/epel-8-x86_64/03257261-krb5/ even though krb5-config --version shows Kerberos 5 release 1.19.2
Removed --with-system-mitkrb5 from specfile but Heimdal build errored out.
Please advise. Thank you.

I briefly tested latest Razdc based on Rocky 8.9 with 4.14.14 samba built from source and it seems to work with default Kerberos 1.18.2.

hortimech · April 18, 2024, 8:16am

The latest Samba version is 4.20.0 and it requires MIT 1.21, 4.14.14 is no longer supported by Samba and ANY Samba version that uses MIT is classed as experimental.

When I get chance I will try to build Samba on Rocky, but I am a bit busy at the moment.

hortimech · April 18, 2024, 5:23pm

OK, I have built Samba 4.20.0 in a fully updated Rocky Linux 8 VM. This was successful, but I only downloaded the tarball and ran ‘./configure’, ‘make’ and ‘make install’, so everything ended up in /usr/local/samba.

This meant that I didn’t build with MIT, the build used the built in Heimdal.
I also ran the bootstrap script that is in the bootstrap/generated-dists/centos8s/ directory found in the root of the unpacked tarball, this ensured all the required packages were installed.

bunkobugsy · April 18, 2024, 9:07pm

Great, thanks. So this isn’t upstream then. One has to watch samba.org for new releases and rebuild when needed. Would still like to have missing packages built and released by Rocky.

hortimech · April 19, 2024, 7:47am

New Samba versions are released every six months, 4.20.0 was released at the end of March, so 4.21.0 will be released approx end of August.
In between major releases there are other releases, for bug fixes, security etc. These are usually every six weeks and are for the last three versions, so this means that:
4.20.x will get all fixes
4.19.x will just get bug fixes and security fixes
4.18.x will just get security fixes

Any other older versions will not get any fixes directly from Samba and rely on distros backporting fixes.

The majority of work centres around Heimdal, though periodically MIT does get a mention, for this reason the use of MIT is still classed as experimental on a Samba AD DC.

All Samba releases are reported on the samba and samba-technical mailing lists.

I hope this helps

ligenix · May 13, 2024, 1:06pm

Samba 4.16.x requires MIT krb5 1.19 to build AD DC.

Samba 4.20.x requires MIT krb5 1.21 and relies on OpenSSL 3.0, so EL8 is now a dead end.

I’ve rebuilt a complete stack for EL9 that contains all the necessary src.rpm with no tweak to apply at this time.

hortimech · May 14, 2024, 10:33am

Not quite true, Samba 4.x.x requires mit krb5 to build an experimental AD DC, if you want a production ready DC, do not install krb5-kdc and build Samba with its supplied Heimdal.

ligenix · May 14, 2024, 7:37pm

Well, MIT krb5 is still considered experimental to build AD DC but this feature is provided since Samba 4.7 which already gives a strong feedback

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

hortimech · May 14, 2024, 8:38pm

Using MIT kerberos to build a Samba AD DC has always been classed as experimental, ever since Samba 4.0.0 was released, nearly 12 years ago. In all that time, a MIT Samba kdc hasn’t had the same capabilities as a Heimdal one.

I am not saying do not provide Samba MIT packages, just be honest and say they are, from the Samba point of view, experimental.

As for ‘a strong feedback’, sorry but I cannot agree with that, there are very few questions about MIT on the samba mailing list, it comes up occasionally, but not often.

ligenix · May 15, 2024, 2:52am

i’m interested in a Samba AD DC, secure and fully integrated into the operating system. From this point of vue, Samba 4.20 with MIT Kerberos 1.21 and OpenSSL 3.0 on EL9, with only conditional build to enable, is a shape mature enough to deal with, even if it is still mark as experimental.

hortimech · May 15, 2024, 6:48am

If you want to use a Samba AD DC built with MIT, then great, that is is your decision, but I wouldn’t use one in production, it isn’t fully supported by Samba.

Also, if you later decide to make your Samba packages available to others, you should be honest and say they are experimental.

ligenix · May 15, 2024, 4:32pm

I added this information in my COPR repository mentioned above.

Last this is my decision but thank you for your useful comments.

ligenix · May 15, 2024, 4:39pm

And if you are looking for Samba AD DC built with Heimdal kerberos you can install Tranquil IT packages provided for both EL and Debian :

https://samba.tranquil.it/

bunkobugsy · October 16, 2024, 6:58am

Latest 4.19.4-5 MIT build seems to work just fine, thanks. Just one question: when upstream source gets updated, does rebuilding require your intervention or updated source is imported and built automatically by fedora copr? #2 - [Package Request] samba - meta - Rocky Enterprise Software Foundation Git Service doesn’t seem to come along. I’d like to stick to Rocky8 official samba version but with DC.

hortimech · October 16, 2024, 9:17am

The problem with using Samba 4.19.x is that it now only gets security fixes from Samba and the MIT components do not even get them.

I might keep harping on about this, but using MIT with Samba is still classed as experimental, Ligenix has a link on his copr page pointing to a samba post made by Alexander Bokovoy, that post was from two and half years ago and the use of MIT is still marked as experimental today

I cannot recommend using a MIT DC in production, it will not at present get any kdc security updates from Samba.

bunkobugsy · October 16, 2024, 9:55am

Could you provide a repo for Rocky 8 with Heimdal Samba-DC built and maintained from EL8 upstream source that is rpm packaged and doesn’t need to be built from source? Thanks