Samba 4 in RHEL 7.0 without AD capability?
Hi guys,
Can some of you RH guys confirm or shed some light on this? I just stumbled on some posts on the Samba lists today complaining about it.
Is that right? RH doesn't support Samba 4 AD? So to say, we only have the possibility of an old 'classic' NTv4 domain on Samba 4 on RHEL 7 so far?
I don't have a test machine handy for RHEL 7 today, but I'm gonna try it soon.
thanks for any info,
Responses
You're going to need to clarify your question - what functionality are you indicating is missing. Even in EL 6's Samba 3, winbind gave you the capability of interacting in native Windows 2008 mode and the cifs-utils let you mount using the fully kerberized/ticketed shares if you specified the right auth-options. If those are gone in Samba 4 on EL7, it would be a major regression.
Not surprising that RH would have chosen MIT over Heimdal: MIT's much older and has (probably more like "had" at this point) a reputation of being more mature and stable than Heimdal. While probably less a concern today than a decade ago, a decade ago is when various commercial UNIX and Linux vendors were choosing which libraries to integrate with. Thus, a number of other commercial UNIX vendors went with MIT (Sun, SGI and IBM), as well.
Even Microsoft chose to leverage MIT's Kerberos when they created Active Directory. Translation: it's not so much that you can't do the types of things with MIT's Kerberos that the Samba4 folks are looking to do, it's that they chose to do their implementation against Heimdal, first.
The question is, "what type of infrastructure are you seeking to support". If you're in a mixed Windows/Linux environment - particularly if your Windows environment is using Exchange, SharePoint or other services that are tightly-integrated with Active Directory, you have to ask if the level of effort of moving off of Active Directory makes sense. If you've got tightly-coupled applications, you're generally better off simply using the AD client tools to bind your UNIX/Linux systems to Active Directory. While the Samba components that shipped with EL5 had some pretty significant limitations, the version that ships with EL6+ eliminates many of them.
Our organization would have used Samba had we not been trying to integrate with a large (100,000+ user objects), complex (multi-domain forests with different levels and types of trust symmetries). Instead, we were forced to use one of the third party tools (a couple had "open" variants back then). Thus, had we been looking to integrate today rather than nearly five years ago, Samba might have met our needs. As of today, however, there's enough manual and automated processes built around the third-party toolsets and those tools work well enough that it's not worth the engineering or operations hours to migrate off.
The Samba 4 release in RHEL 7 does not support the Active Directory Domain Controller role. It is however a good NT4 Style Primary Domain Controller, a decent SMB3 file server, etc. What's more interesting is that you CAN make Samba 4 from EL 7 work with FreeIPA for authentication via NTLM AND Kerberos. I already have implemented this using the stock Red Hat Packages and authentication works via FreeIPA using both MS-RPC authentication in NTLM form and Kerberised authentication. My curiosity is why do you need to implement Active Directory. If you need to implement Active Directory, why not use the original software? It's easier to maintain and slightly more stable than Samba.
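A quick check that follows from the reply above, added here as an example and not part of the thread or of Samba's or Red Hat's own tooling: it reads the effective 'server role' out of an smb.conf (the path is an assumption; the sample config is constructed) and flags the AD DC role that the stock RHEL 7 packages do not serve, while the NT4-style PDC role passes.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba/Red Hat: work out which
# 'server role' an smb.conf asks for, because the stock RHEL 7 samba packages
# (per the reply above) serve the NT4-style PDC role but not the AD DC role.
# Assumes POSIX sh plus awk; the sample config below is constructed.

samba_server_role() {
    # Print the effective, lower-cased 'server role' of the smb.conf in $1.
    # When 'server role' is unset or 'auto', mimic Samba's inference from
    # 'security' and 'domain logons' (domain logons = yes -> classic PDC).
    awk '
        /^[[:space:]]*[;#]/ { next }                          # comment line
        /^[[:space:]]*\[/   { s = tolower($0); gsub(/[^a-z]/, "", s); next }
        s == "global" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (key == "serverrole")   role = val
            if (key == "security")     sec = val
            if (key == "domainlogons") logons = val
        }
        END {
            if (role != "" && role != "auto")             print role
            else if (sec == "ads" || sec == "domain")     print "member server"
            else if (logons == "yes" || logons == "true") print "classic primary domain controller"
            else                                          print "standalone server"
        }
    ' "$1"
}

samba_config_requests_ad_dc() {
    # Exit 0 when the config asks for the AD DC role that stock RHEL 7 lacks.
    case "$(samba_server_role "$1")" in
        *"active directory"*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Demo on a constructed NT4-style PDC config (the role RHEL 7's Samba does support).
demo_conf=$(mktemp)
printf '[global]\n   workgroup = EXAMPLE\n   security = user\n   domain logons = yes\n' > "$demo_conf"
echo "effective role: $(samba_server_role "$demo_conf")"
if samba_config_requests_ad_dc "$demo_conf"; then
    echo "this config needs the AD DC role, which stock RHEL 7 samba does not provide"
fi
rm -f "$demo_conf"
```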
I see that Razvan has accomplished what I am working on, but having some issues with. Razvan, could you possibly post instructions on how to make this work? Setting up Samba 4 as an AD is a royal pain, and I would prefer not to have to deal with it. We have tried following the instructions on the web but have had no success getting authentication working in Windows.
The latest Samba (4.7.0) claims to support AD DC with MIT Kerberos but the RHEL 7.5 Release Notes are not clear whether this feature is available or not from the RHEL 7.5 samba packages.
Marco/Kalang: I have been disappointed in the quality of RH support as of the last 2+ years, especially in Premium support. That said, take a look at https://www.howtoforge.com/tutorial/samba-4-with-active-directory-on-centos-7-rpm-based-installation-with-share-support/
That link contains a reference to a Samba branch (RPM and patched/maintained) complete with references to using EPEL and another repo called Wing (that has specific packages that are patched/compiled from source into current RPMs). The Wing repo appears to have the samba-tool compiled in, as it was removed from the official Samba branch for those MIT reasons (which didn't make sense), but they forward-ported the previous code just before the tool was removed and then patched and maintained the packages going forward to bring it current but include the samba-tool utility. It's worth a look.
