Re: Please, IMHO, resolve in some way the Samba MIT kerberos problem.

On Mon, 04 Nov 2019, Dario Lesca wrote:
> Too many people (me included) try to use samba-dc on Fedora to deploy
> a production AD DC controller, without knowing that MIT Kerberos is
> experimental and some useful things cannot work (e.g. win to win
> access).
>
> A recent example:
> https://lists.samba.org/archive/samba/2019-November/226845.html
> On 01/11/2019 22:23, Vex Mage wrote:
> > The script is expecting dpkg however this is a Red Hat
> > derived distro (Fedora Server.)
>
> Where did you get the Samba packages from?
>
> If they are the default OS packages, then you should stop using
> them, they use MIT kerberos and are experimental.
>
> There are many approaches to resolve this issue:
>
> a) Stop using MIT Kerberos and rebuild Samba with Heimdal Kerberos.
> b) Produce an alternative Samba package version (like, for example,
> firefox-x11) built with Heimdal Kerberos (e.g. samba-hk-*)
> c) Stop enabling DC on Fedora, like RH/CentOS do.
> d) Notify users at the end of the installation that Fedora Samba DC is
> experimental.
> e) Solve the problems that make MIT Kerberos experimental and put us in
> a position to ask the Samba team for help.
> f) ... some other proposal?
>
> What is the best approach chosen by Fedora?

As we discussed a few months ago, our approach is (e). We are already
working at both MIT Kerberos and Samba upstreams to solve the remaining
bits that do not allow full productization of the MIT backend.

I can add a patch for (d) but it doesn't change the situation because
work still needs to be done. There are only a few people who have the
knowledge to get it fixed and they are already involved in this work.

And no, building a Heimdal version is not a solution for a distribution.
Please look at the previous discussion for arguments. If somebody else
wants to support that type of a build, there are already means within
Fedora project infrastructure to be able to provide such builds.
Availability is not an issue -- actual support of a build is what nobody
is going to provide. I'd be glad to be mistaken but there is nobody who
is willing to take that load on themselves.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx



