Re: Please, IMHO, resolve in some way the Samba MIT kerberos problem.

On Mon, Nov 4, 2019 at 8:33 AM Dario Lesca <d.lesca@xxxxxxxxxx> wrote:
>
> Too many people (like me) try to use samba-dc on Fedora to deploy
> a production AD DC controller, without knowing that MIT Kerberos is
> experimental and some useful things cannot work (e.g. win to win
> access).
>
> A recent example:
> https://lists.samba.org/archive/samba/2019-November/226845.html
> > On 01/11/2019 22:23, Vex Mage wrote:
> > > The script is expecting dpkg however this is a Red Hat
> > > derived distro (Fedora Server.)
> >
> > Where did you get the Samba packages from ?
> >
> > If they are the default OS packages, then you should stop using
> > them, they use MIT kerberos and are experimental.
>
> There are many approaches to resolve this issue:
>
> a) Stop using MIT Kerberos and rebuild Samba with Heimdal Kerberos.
> b) Produce an alternative samba package version (like, for example,
> firefox-x11) built with Heimdal Kerberos (e.g. samba-hk-*)
> c) Stop enabling DC on Fedora, like RH/CentOS do.
> d) Notify users at the end of the installation that Fedora Samba DC is
> experimental.
> e) Solve the problems that make MIT Kerberos experimental and put us in
> a position to ask for help from the Samba team.
> f) ... some other proposal ?
>
> What is the best approach chosen by Fedora ?
>

The problem with the Samba team's advice is that it essentially
prevents the MIT Kerberos AD-DC implementation from getting any
better. Without people using it, we can't know what needs to be fixed.
The Red Hat FreeIPA team has been working on making this functionality
work well with MIT Kerberos for nearly a decade. The main reason it's
not in RHEL/CentOS 8 is because the functionality is too new for them
to turn it on.

Also, declaring that it is experimental is meaningless. What defines
it as experimental? Is there any particular known massive breakage?
We're not going to ship Heimdal Kerberos because the two Kerberos
implementations are incompatible and supporting both would be a
massive nightmare.

At this point, the only way Samba Team will stop calling it
experimental is when lots of folks are using it. That's why Fedora
ships with it enabled. We have the opportunity to help make that
better upstream.


-- 
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx