Re: Samba DC NT4 Style is Gone. It may be time to enable AD-DC for default into Fedora Samba4 packages?


 



On Tue, Aug 30, 2016 at 5:35 AM, Andreas Schneider <asn@xxxxxxxxxx> wrote:
> On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
>> This recent Microsoft patch
>> https://lists.samba.org/archive/samba/2016-August/202197.html
>>
>> disables password change for Domain Controller NT4 Style.
>
> It is not new that Microsoft dropped support for NT4 style domain
> controllers. Windows 7 was the last version which supported it. For newer
> versions there existed just some hacks.
>
>> IMHO, it may be time to enable support for AD-DC mode, or release
>> another renamed package with AD-DC support enabled.
>
> As Fedora and RHEL are using MIT Kerberos as its Kerberos infrastructure of
> choice, the Samba Active Directory Domain Controller implementation is not
> available with MIT Kerberos at the moment.
>
> For several years I've been working on the migration to MIT Kerberos, but it is a
> huge task.

Then, in order to support full domain controller support, stop holding
up Samba builds on this basis. The integral Kerberos libraries in
Samba when compiled for domain controller support work well, and are
well segregated from the RHEL and Fedora provided Kerberos support.


> See the talks Günther and I have given at the SambaXP conferences during the
> last years. For example:
>
> https://sambaxp.org/archive_data/SambaXP2014-DATA/wed/track2/Andreas_Schneider-TheroadtoMITKerberossupport.pdf
>
>
>> The samba.src is ready for this:
>>
>> I have tried to download the samba.src rpm, modify the spec file like
>> this:
>>     > sed \
>>     > -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
>>     > -e 's/%global with_dc 0/%global with_dc 1/' \
>>     > ~/rpmbuild/SPECS/samba.spec
>>
>> rebuild the package, install it on a test server and configure it in
>> AD-DC mode.
>>
>> It seems to work fine.
>
> But this uses Heimdal Kerberos and not MIT Kerberos which can lead to issues
> in the system.

Yes. It works well in my personal testing, and the libraries are
pretty well segregated from the system Kerberos. I was publishing
backports for RHEL 6 and 7 use until the recent gnutls requirements
exceeded anything I could backport to RHEL 7, but traces of my old
build and testing structure, with submodules for individual
dependencies, are at https://github.com/nkadel/samba4repo

>> My question is:
>>
>> Is there some hope that in the short term these flags will be enabled by default?
>>
>> Many thanks for your reply
>
> Yes, we will enable Samba AD as soon as I'm done with porting it to MIT
> Kerberos. This will hopefully be the case next year.

That would be great. But this has been a long-term request, and I'm
not personally going to hold my breath waiting for it to be completed.
As you point out, it's a lot of work, and for people who want real
Samba domain controllers there is an option that works well.


> Best regards,
>
>
>         -- andreas
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx