On Mon, Sep 2, 2019 at 3:33 PM Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:
>
> On Mon, 02 Sep 2019, Dario Lesca wrote:
> >On Mon, 02/09/2019 at 11.26 -0400, Robert Marcano wrote:
> >> I switched to run Samba DCs on a container with non Fedora / RHEL /
> >> CentOS provided RPMs.
> >
> >Thanks, Robert, for the reply.
> >
> >Then why not release samba compiled with Heimdal kerberos?
> >
> >Just change a flag at build time, and everyone can use it in a production
> >environment.
> We do not support Heimdal builds in Fedora. It is not possible to reuse
> components of Samba built against Heimdal within other applications
> compiled against MIT Kerberos. This is, in particular, a show-stopper
> for FreeIPA and SSSD integration.

My personal experience is that this is not true. sssd in a recent Fedora (Fedora 29 last year) works just fine against an honest-to-god Samba 4.9 domain controller on RHEL 7. I've not tested it with samba 4.11rc2 yet, as I'm still working on that port. sssd also works against a real AD controller.

sssd does not rely on a freeipa server. It has genuinely unfortunate behavior of pre-downloading the *entire* LDAP tree, and breaking if it can't complete this, but that's another issue that won't be visible in most small test environments with local domain controllers.

Freeipa..... I started setting up, realized it was going to take months to replace existing structures and gain me *absolutely nothing* compared to using the built-in AD or Samba systems already in my network, and maybe tuning them slightly better.

> >If someone wants to test the MIT version, re-change the flag and rebuild it by
> >himself .. or release also a samba suite with a specific name (e.g.
> >samba-mit-...).
> >
> >Samba DC is a useful solution in some cases. It is an inconvenience that
> >we must switch to another distro or use a third-party repo because this
> >suite in Fedora/RHEL/CentOS is an experimental version
> You may create your own COPR repository and support your own build
> there. It is up to you to support that solution.

In the case of Samba, the support community is quite large. It's been an active free software project, used worldwide and across multiple operating systems, since the 1990's. I can vouch for that personally, I published my first port of it for SunOS in roughly 1998. Nearly every bulk storage device in the world uses it to provide CIFS fileshares, many of those bulk storage devices with full domain controller services available if not activated. It's one of the cheapest ways to replace an AD domain controller.

FreeIPA.... does not have anywhere near the user and developer community for servers.

And sssd.... well, I've used it for Fedora and RHEL, because it's a convenient wrapper for what I used to have to do with the "net ads" command from Samba and is useful for admins who can't be bothered to put more than one command in a shell script. But its configurations are confusing. Do not get me *going* on the interactions of sssd with the very limited "authconfig" command line tool. And you really, really don't want to get me going on how sssd insists on pre-loading *all* the upstream LDAP trees, works for 30 seconds and then crashes when the pre-load times out, and there is no fix or way to restart *just that sssd LDAP sub-daemon*. The sssd daemon wrapping customized sssd subdaemons, instead of simply using the built-in system LDAP daemons, is destabilizing and completely unnecessary. I'll take a Samba client in a heartbeat over the sssd mess in any even slightly complex environment.

And since the upstream for both sssd and Samba clients can be the more popular and more supportable AD or Samba server, there has been little point to more than the most casual look at a FreeIPA server. Are there any significant sets of systems or clients reliant on FreeIPA specific features? Because maintaining it does not seem worth the developer effort if no client specifically requires it. I realize it may be a big vendor project over at Red Hat, but does *anyone* use it out of a specific software need?

> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

Sorry to chew on your employer, who are very helpful generally and whose work I normally appreciate. sssd and freeipa have not been examples of Red Hat's best work and community integration.

Nico Kadel-Garcia