On Mon, Nov 4, 2019 at 8:39 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:

> The problem with the Samba team's advice is that it essentially
> prevents the MIT Kerberos AD-DC implementation from getting any
> better. Without people using it, we can't know what needs to be fixed.
> The Red Hat FreeIPA team has been working on making this functionality
> work well with MIT Kerberos for nearly a decade. The main reason it's
> not in RHEL/CentOS 8 is because the functionality is too new for them
> to turn it on.

I've been using Samba effectively for multi-platform integration and account management since 1996. This is not quite before Red Hat existed, but it's close.

I have never found FreeIPA to be useful in a personal or professional environment. It relies on Samba for integration with AD. Without robust integration with AD, I have no use for FreeIPA. And I don't know *anyone* who uses a FreeIPA server. Perhaps it's time to drop FreeIPA?

> Also, declaring that it is experimental is meaningless. What defines
> it as experimental? Is there any particular known massive breakage?
> We're not going to ship Heimdal Kerberos because the two Kerberos
> implementations are incompatible and supporting both would be a
> massive nightmare.

That sounds like a question for the Samba lists. I'm active over there. Want me to double check the status?

> At this point, the only way Samba Team will stop calling it
> experimental is when lots of folks are using it. That's why Fedora
> ships with it enabled. We have the opportunity to help make that
> better upstream.

I think they're confused by the fact that Fedora and Red Hat, for *years*, shipped with a "samba-dc" suite of packages that didn't actually contain any software. The samba-dc packages basically said "go away you silly English knights or I shall taunt you a second time".
Samba-dc packages should never have been published this way: it would have been saner and safer to set a "Conflicts: samba-dc*" with the primary samba package if these features were not enabled, rather than publishing empty and useless packages. This is, in fact, what I do with my published backports of Samba to RHEL with the dc enabled with Heimdal.

I've been having some adventures with building those lately due to modularity and the activation of zstd for RPM and the instability of Fedora 31 in virtualized environments, but I received workarounds from mock developers for that a few days ago.

If people want to play with packages with the Heimdal libraries enabled, I publish my RPM building repos over at https://github.com/nkadel/samba4repo/. It's dependent on other compatibility libraries due to gnutls requirements and some missing libraries in RHEL 8, but I've had good success with it on various tests with Fedora 30. Fedora 31... has so far proven impossible for me to keep alive in a virtualization environment long enough to actually test.