On Mon, 2019-11-04 at 20:45 -0500, Nico Kadel-Garcia wrote:
> On Mon, Nov 4, 2019 at 8:39 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> > The problem with the Samba team's advice is that it essentially
> > prevents the MIT Kerberos AD-DC implementation from getting any
> > better. Without people using it, we can't know what needs to be fixed.
> > The Red Hat FreeIPA team has been working on making this functionality
> > work well with MIT Kerberos for nearly a decade. The main reason it's
> > not in RHEL/CentOS 8 is because the functionality is too new for them
> > to turn it on.
>
> I've been using Samba effectively for multi-platform integration and
> account management since 1996. This is not quite before Red Hat existed,
> but it's close. I have never found FreeIPA to be useful in a
> personal or professional environment. It relies on Samba for
> integration with AD. Without robust integration with AD, I have no use
> for FreeIPA. And I don't know *anyone* who uses a FreeIPA server.
>
> Perhaps it's time to drop FreeIPA?

Perhaps it's time to learn to behave.

> > Also, declaring that it is experimental is meaningless. What defines
> > it as experimental? Is there any particular known massive breakage?
> > We're not going to ship Heimdal Kerberos because the two Kerberos
> > implementations are incompatible and supporting both would be a
> > massive nightmare.
>
> That sounds like a question for the Samba lists. I'm active over
> there. Want me to double check the status?
>
> > At this point, the only way Samba Team will stop calling it
> > experimental is when lots of folks are using it. That's why Fedora
> > ships with it enabled. We have the opportunity to help make that
> > better upstream.
>
> I think they're confused by the fact that Fedora and Red Hat, for
> *years*, shipped with a "samba-dc" suite of packages that didn't
> actually contain any software.
> The samba-dc packages basically said
> "go away you silly English knights or I shall taunt you a second
> time". Samba-dc packages should never have been published this way: it
> would have been saner and safer to set a "Conflicts: samba-dc*" with
> the primary samba package if these features were not enabled, rather
> than publishing empty and useless packages. This is, in fact, what I
> do with my published backports of Samba to RHEL with the dc enabled
> with Heimdal. I've been having some adventures with building those
> lately due to modularity and the activation of zstd for RPM and the
> instability of Fedora 31 in virtualized environments, but I received
> workarounds from mock developers for that a few days ago.
>
> If people want to play with packages with the Heimdal libraries
> enabled, I publish my RPM building repos over at
> https://github.com/nkadel/samba4repo/. It's dependent on other
> compatibility libraries due to gnutls requirements and some missing
> libraries in RHEL 8, but I've had good success with it on various
> tests with Fedora 30. Fedora 31... has so far proven impossible for
> me to keep alive in a virtualization environment long enough to
> actually test.
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc