Re: Samba DC NT4 Style is Gone. It may be time to enable AD-DC for default into Fedora Samba4 packages?

On Tue, 30/08/2016 at 11.35 +0200, Andreas Schneider wrote:
> On Monday, 29 August 2016 18:16:26 CEST Dario Lesca wrote:
> > 
> > This recent Microsoft patch
> > https://lists.samba.org/archive/samba/2016-August/202197.html
> > 
> > disables password change for Domain Controller NT4 Style.
> 
> It is not new that Microsoft dropped support for NT4 style domain 
> controllers. Windows 7 was the last version which supported it. For
> newer versions there existed just some hacks.

Thanks, Andreas, for your reply.

Yes, NT4 style is still supported, but the last MS patch has
disabled the password change (... It is not supported by the Kerberos
protocol ... It is not secure to change disabled or locked-out user
account passwords by using NTLM)
https://support.microsoft.com/en-us/kb/3167679


> > IMHO, it may be time to enable support for AD-DC mode, or release
> > another renamed package with AD-DC support enabled.
> 
> As Fedora and RHEL are using MIT Kerberos as their Kerberos
> infrastructure of choice, the Samba Active Directory Domain
> Controller implementation is not available with MIT Kerberos at the
> moment.
> 
> For several years I have been working on the migration to MIT Kerberos, but
> it is a huge task.
> 
> See the talks Günther and I have given at the SambaXP conferences
> during the last years. For example:
> 
> https://sambaxp.org/archive_data/SambaXP2014-DATA/wed/track2/Andreas_Schneider-TheroadtoMITKerberossupport.pdf
> 

Thanks, very interesting.

> > The samba.src is ready for this:
> > 
> > I have tried to download the samba.src rpm, modify the spec file like
> > this:
> >     > sed \
> >     > -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
> >     > -e 's/%global with_dc 0/%global with_dc 1/' \
> >     > ~/rpmbuild/SPECS/samba.spec
> > 
> > rebuild the package, install it on a test server and configure it
> > in AD-DC mode.
> > 
> > It seems to work fine.
> 
> But this uses Heimdal Kerberos and not MIT Kerberos which can lead to
> issues in the system.

Also, if you build Samba from source, it uses Heimdal Kerberos.

Many Fedora / Centos / RedHat users who want to use ADDC on this kind
of Linux, since it is not supported by default, build Samba from
source. An example:
https://thingsdomakesense.wordpress.com/2016/04/27/installing-samba-4-4-2-ad-dc-on-centos-7-1511-2/

If it is the same thing, I think it's better to rebuild the RPM with this
support on a different isolated host and install/update the new samba-ADDC
rpm on all production servers, rather than install development tools
and dependency packages on every production server and compile Samba
from source and update it each time.

Or is there something wrong in my reasoning?
 
> > My question is:
> > 
> > Is there some hope that in the short term these flags will be
> > enabled by default?
> > 
> > Many thanks for your reply
> 
> Yes, we will enable Samba AD as soon as I'm done with porting it to
> MIT Kerberos. This will hopefully be the case next year.

This is good news.
Then, where possible, it's better to wait.

Is there some alpha/beta to test it?

Many thanks for your reply.

Best regards.

-- 
Dario Lesca
(sent from my Linux Fedora 24 Workstation)
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
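
An added example, not part of the original thread: a shell sketch of the spec-file change discussed above that writes the result to a copy of the spec and fails if either macro is not present with the expected value, since sed exits successfully even when nothing matches. The function names and file paths are hypothetical; only the two macro lines come from the thread.

```shell
#!/bin/sh
# Added example: flip the two build macros named in the thread in a copy of a
# spec file, and refuse to continue if a macro is missing or already changed.

# flip_macro FILE NAME OLD NEW
# Rewrites the line "%global NAME OLD" to "%global NAME NEW" in FILE.
flip_macro() {
    file=$1 name=$2 old=$3 new=$4
    # Check first: a non-matching sed expression is not an error for sed.
    if ! grep -Eq "^%global[[:space:]]+${name}[[:space:]]+${old}[[:space:]]*\$" "$file"; then
        echo "error: '%global ${name} ${old}' not found in ${file}" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed -E "s/^(%global[[:space:]]+${name}[[:space:]]+)${old}[[:space:]]*\$/\1${new}/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back instead of mv so the spec keeps its owner and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# enable_addc_build SRC_SPEC DST_SPEC
# Leaves SRC_SPEC untouched and writes the modified spec to DST_SPEC.
enable_addc_build() {
    src=$1 dst=$2
    cp "$src" "$dst" || return 1
    flip_macro "$dst" with_mitkrb5 1 0 || return 1
    flip_macro "$dst" with_dc 0 1 || return 1
}

# Demo on a constructed three-line spec (not the real samba.spec).
demo() {
    d=$(mktemp -d) || return 1
    printf '%%global with_mitkrb5 1\n%%global with_dc 0\nName: samba\n' > "$d/in.spec"
    enable_addc_build "$d/in.spec" "$d/out.spec" && cat "$d/out.spec"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```
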