Samba AD DC (Active Directory Domain Controller)

Hey everyone! I’m back :slight_smile: Per our previous conversations, I have modified the installer and updated a lot of the scripting… I am still cleaning up the “echo”… But I wanted to thank everyone for your guidance and help in making a much better script than I had. I would be most appreciative if someone wanted to provide some feedback on this new installer. I also added a monitoring agent that compares the @System (local) repo to the upstream repo for Samba versions and creates a notification to run a command to allow the system to update itself. I have tested this and it seems to work pretty nicely. Any comments or suggestions would be welcome. Or, if you want to give it a spin, feel free! GitHub - fumatchu/RADS: Rocky Active Directory Install Script to build Samba AD Servers


In samba.spec, replace python3-pyasn1 with python38-pyasn1 >= 0.4.8, but it still won’t build, so in samba-4.18.6.tar.xz, in wscript_configure_system_mitkrb5, change krb5_required_version = “1.19” to “1.18”; otherwise it won’t even build on Rocky 9.3 or with updates from Index of /results/ligenix/enterprise-samba-AD-DC/epel-8-x86_64/03257261-krb5/
Also use mock -r rocky+epel-8-x86_64.

Great howto. Any news/ETA on the samba-dc package request? It would really be more trusted than the (problematic) self-built one.

The problem with using MIT 1.18 is that it isn’t supported by Samba on the experimental 4.18.x versions; you should be using 1.20 or, better still, build with the built-in Heimdal.

Specfile: %global required_mit_krb5 1.18
wscript_configure_system_mitkrb5 fails to correctly detect the installed updates from Index of /results/ligenix/enterprise-samba-AD-DC/epel-8-x86_64/03257261-krb5/ even though krb5-config --version shows Kerberos 5 release 1.19.2.
Removed --with-system-mitkrb5 from the specfile, but the Heimdal build errored out.
Please advise. Thank you.
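A pre-flight check for the problem described in the two posts above, added here as an example; it is not from the thread, from Samba, or from either packaging repository mentioned. It reads krb5_required_version out of Samba's wscript_configure_system_mitkrb5 (the variable the earlier post edits), reads the release reported by krb5-config --version, and compares the two before you decide between --with-system-mitkrb5 and the bundled Heimdal. The wscript text and krb5-config output below are constructed samples, not captured from a real system; the comment at the end shows how to point it at a real source tree.

```shell
#!/bin/sh
# Added example (not part of the thread or of Samba): check whether the system
# MIT krb5 meets the minimum Samba's wscript_configure_system_mitkrb5 asks for.

# version_ge A B: succeed when dotted version A >= B (missing parts count as 0)
version_ge() {
    vg_i=1
    while :; do
        # Trailing '.' makes cut return an empty field instead of the whole string
        vg_x=$(printf '%s.\n' "$1" | cut -d. -f"$vg_i")
        vg_y=$(printf '%s.\n' "$2" | cut -d. -f"$vg_i")
        if [ -z "$vg_x" ] && [ -z "$vg_y" ]; then
            return 0            # all components compared, versions are equal
        fi
        vg_x=${vg_x:-0}
        vg_y=${vg_y:-0}
        if [ "$vg_x" -gt "$vg_y" ]; then return 0; fi
        if [ "$vg_x" -lt "$vg_y" ]; then return 1; fi
        vg_i=$((vg_i + 1))
    done
}

# krb5_release TEXT: extract "1.19.2" from `krb5-config --version` output
krb5_release() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# wscript_required_krb5 TEXT: extract the krb5_required_version value from the
# contents of Samba's wscript_configure_system_mitkrb5
wscript_required_krb5() {
    printf '%s\n' "$1" | \
        sed -n 's/^[[:space:]]*krb5_required_version[[:space:]]*=[[:space:]]*"\([0-9.]*\)".*/\1/p'
}

# mitkrb5_check WSCRIPT_TEXT KRB5_CONFIG_OUTPUT: succeed (0) when the installed
# MIT krb5 is new enough for --with-system-mitkrb5, fail (1) when it is too old,
# 2 when either version could not be parsed. Prints a one-line verdict.
mitkrb5_check() {
    mc_req=$(wscript_required_krb5 "$1")
    mc_have=$(krb5_release "$2")
    if [ -z "$mc_req" ] || [ -z "$mc_have" ]; then
        echo "could not determine versions (required='$mc_req', installed='$mc_have')"
        return 2
    fi
    if version_ge "$mc_have" "$mc_req"; then
        echo "MIT krb5 $mc_have >= $mc_req: --with-system-mitkrb5 build can proceed (AD DC on MIT is experimental)"
        return 0
    fi
    echo "MIT krb5 $mc_have < $mc_req: too old, build with the bundled Heimdal instead (drop --with-system-mitkrb5)"
    return 1
}

# Constructed sample inputs (hypothetical, not captured from a real build host).
SAMPLE_WSCRIPT='#!/usr/bin/env python
krb5_required_version = "1.19"
'
SAMPLE_KRB5_OLD='Kerberos 5 release 1.18.2'
SAMPLE_KRB5_NEW='Kerberos 5 release 1.19.2'

for krb5_out in "$SAMPLE_KRB5_OLD" "$SAMPLE_KRB5_NEW"; do
    mitkrb5_check "$SAMPLE_WSCRIPT" "$krb5_out" || true
done

# On a real unpacked tarball, from its top-level directory:
#   mitkrb5_check "$(cat wscript_configure_system_mitkrb5)" "$(krb5-config --version)"
```

The comparison is done per numeric component rather than as a string, so 1.19.2 correctly passes a 1.19 minimum and 1.18.2 correctly fails it. The check only tells you whether the version gate in the wscript is satisfied; it does not change the fact, stated repeatedly in this thread, that a Samba AD DC built against MIT is classed as experimental by Samba.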

I briefly tested the latest Razdc based on Rocky 8.9 with Samba 4.14.14 built from source, and it seems to work with the default Kerberos 1.18.2.

The latest Samba version is 4.20.0 and it requires MIT 1.21; 4.14.14 is no longer supported by Samba, and ANY Samba version that uses MIT is classed as experimental.

When I get a chance I will try to build Samba on Rocky, but I am a bit busy at the moment.


OK, I have built Samba 4.20.0 in a fully updated Rocky Linux 8 VM. This was successful, but I only downloaded the tarball and ran ‘./configure’, ‘make’ and ‘make install’, so everything ended up in /usr/local/samba.

This meant that I didn’t build with MIT; the build used the built-in Heimdal.
I also ran the bootstrap script that is in the bootstrap/generated-dists/centos8s/ directory found in the root of the unpacked tarball; this ensured all the required packages were installed.


Great, thanks. So this isn’t upstream then. One has to watch samba.org for new releases and rebuild when needed. I would still like to have the missing packages built and released by Rocky.


New Samba versions are released every six months; 4.20.0 was released at the end of March, so 4.21.0 will be released approximately at the end of August.
In between major releases there are other releases, for bug fixes, security etc. These are usually every six weeks and are for the last three versions, so this means that:
4.20.x will get all fixes
4.19.x will just get bug fixes and security fixes
4.18.x will just get security fixes

Any other older versions will not get any fixes directly from Samba and rely on distros backporting fixes.

The majority of work centres around Heimdal, though periodically MIT does get a mention; for this reason, the use of MIT is still classed as experimental on a Samba AD DC.

All Samba releases are reported on the samba and samba-technical mailing lists.

I hope this helps.


Samba 4.16.x requires MIT krb5 1.19 to build AD DC.

Samba 4.20.x requires MIT krb5 1.21 and relies on OpenSSL 3.0, so EL8 is now a dead end.

I’ve rebuilt a complete stack for EL9 that contains all the necessary src.rpm with no tweak to apply at this time.

Not quite true. Samba 4.x.x requires MIT krb5 to build an experimental AD DC; if you want a production-ready DC, do not install krb5-kdc and build Samba with its supplied Heimdal.


Well, MIT krb5 is still considered experimental for building an AD DC, but this feature has been provided since Samba 4.7, which already gives strong feedback.

https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC

Using MIT Kerberos to build a Samba AD DC has always been classed as experimental, ever since Samba 4.0.0 was released, nearly 12 years ago. In all that time, a MIT Samba KDC hasn’t had the same capabilities as a Heimdal one.

I am not saying “do not provide Samba MIT packages”; just be honest and say they are, from the Samba point of view, experimental.

As for ‘a strong feedback’, sorry, but I cannot agree with that. There are very few questions about MIT on the samba mailing list; it comes up occasionally, but not often.

I’m interested in a Samba AD DC that is secure and fully integrated into the operating system. From this point of view, Samba 4.20 with MIT Kerberos 1.21 and OpenSSL 3.0 on EL9, with only a conditional build to enable, is in a shape mature enough to deal with, even if it is still marked as experimental.

If you want to use a Samba AD DC built with MIT, then great, that is your decision, but I wouldn’t use one in production; it isn’t fully supported by Samba.

Also, if you later decide to make your Samba packages available to others, you should be honest and say they are experimental.

I added this information in my COPR repository mentioned above.

Lastly, this is my decision, but thank you for your useful comments.

And if you are looking for a Samba AD DC built with Heimdal Kerberos, you can install the Tranquil IT packages provided for both EL and Debian:

https://samba.tranquil.it/
