On 9/2/19 4:52 PM, Nico Kadel-Garcia wrote:
On Mon, Sep 2, 2019 at 3:33 PM Alexander Bokovoy <abokovoy@xxxxxxxxxx> wrote:
On Mon, 02 Sep 2019, Dario Lesca wrote:
On Mon, 02/09/2019 at 11.26 -0400, Robert Marcano wrote:
I switched to run Samba DCs on a container with non Fedora / RHEL /
CentOS provided RPMs.
Thanks Robert for the reply.
Then why not release Samba compiled with Heimdal Kerberos?
Just change a flag at build time, and everyone can use it in a production
environment.
We do not support Heimdal builds in Fedora. It is not possible to reuse
components of Samba built against Heimdal within other applications
compiled against MIT Kerberos. This is, in particular, a show-stopper
for FreeIPA and SSSD integration.
My personal experience is that this is not true. sssd in a recent
Fedora (Fedora 29 last year) works just fine against an honest-to-god
Samba 4.9 domain controller on RHEL 7. I've not tested it with
samba 4.11rc2 yet, as I'm still working on that port. sssd also works
against a real AD controller. sssd does not rely on a freeipa server.
It has genuinely unfortunate behavior of pre-downloading the *entire*
LDAP tree, and breaking if it can't complete this, but that's another
issue that won't be visible in most small test environments with local
domain controllers.
The parent poster is referring to having two Kerberos implementations in
the same process, not on two different machines. For example, an
application linking against Samba libraries with Heimdal and at the same
time linking with system MIT Kerberos for other features of that
application unrelated to Samba.
Freeipa..... I started setting up, realized it was going to take
months to replace existing structures and gain me *absolutely nothing*
compared to using the built-in AD or Samba systems already in my
network, and maybe tuning them slightly better.
If someone wants to test the MIT version, change the flag back and rebuild it
himself .. or also release a Samba suite with a specific name (e.g.
samba-mit-...).
Samba DC is a useful solution in some cases. It is an inconvenience that
we must switch to another distro or use a third-party repo because this
suite in Fedora/RHEL/CentOS is an experimental version.
You may create your own COPR repository and support your own build
there. It is up to you to support that solution.
In the case of Samba, the support community is quite large. It's been
an active free software project, used worldwide and across multiple
operating systems, since the 1990's. I can vouch for that personally,
I published my first port of it for SunOS in roughly 1998. Nearly
every bulk storage device in the world uses it to provide CIFS
fileshares, many of those bulk storage devices with full domain
controller services available if not activated. It's one of the
cheapest ways to replace an AD domain controller.
FreeIPA.... does not have anywhere near the user and developer
community for servers. And sssd.... well, I've used it for Fedora and
RHEL, because it's a convenient wrapper for what I used to have to do
with the "net ads" command from Samba and is useful for admins who
can't be bothered to put more than one command in a shell script. But
its configurations are confusing. Do not get me *going* on the
interactions of sssd with the very limited "authconfig" command line
tool. And you really, really don't want to get me going on how sssd
insists on pre-loading *all* the upstream LDAP trees, works for 30
seconds and then crashes when the pre-load times out, and there is no
fix or way to restart *just that sssd LDAP sub-daemon*. The sssd daemon
wrapping customized sssd subdaemons, instead of simply using the
built-in system LDAP daemons is destabilizing and completely
unnecessary.
I'll take a Samba client in a heartbeat over the sssd mess in any even
slightly complex environment. And since the upstream for both sssd and
Samba clients can be the more popular and more supportable AD or Samba
server, there has been little point to more than the most casual look
at a FreeIPA server.
Are there any significant sets of systems or clients reliant on
FreeIPA specific features? Because maintaining it does not seem worth
the developer effort if no client specifically requires it. I realize
it may be a big vendor project over at Red Hat, but does *anyone* use
it out of a specific software need?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Sorry to chew on your employer, who are very helpful generally and
whose work I normally appreciate. sssd and freeipa have not been
examples of Red Hat's best work and community integration.
Nico Kadel-Garcia
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx