Samba 4 in RHEL 7.0 without AD capability?

Hi guys,
Can some of you RH guys confirm or shed some light on this? I just stumbled on some posts on the Samba lists today complaining about it.

Is that right? RH doesn't support Samba 4 AD? So to say, we only have the possibility of an old 'classic' NT4 domain on Samba 4 on RHEL 7 so far?

I don't have a test machine for RHEL 7 handy today, but I'm going to try it soon.

Thanks for any info,

Responses

You're going to need to clarify your question: what functionality are you indicating is missing? Even in EL 6's Samba 3, winbind gave you the capability of interacting in native Windows 2008 mode, and the cifs-utils let you mount using the fully kerberized/ticketed shares if you specified the right auth options. If those are gone in Samba 4 on EL7, it would be a major regression.

Hi,
So, to repeat my question:
Do the Samba 4 packages provide AD (Active Directory) functionality? Because the samba-tool binary, which you need for domain provisioning, is not present.


From Samba list:
Hi, there is nothing wrong with the samba-dc-4.1.1-37.el7_0.x86_64 package; how could there be? It only contains one file: /usr/share/doc/samba-dc-4.1.1/README.dc

Try reading it; this confirms what you fear: you cannot have a Samba 4 DC with the official Samba packages, so you are going to have to compile it yourself, but this might be easier said than done due to the Kerberos problem. It might just be easier to install Debian on the server.


Is my question clear now?

Thank You

Hi, so FYI:
after searching and searching through internet forums (CentOS, SL) and the Samba lists, the Samba AD implementation in RHEL can be squeezed into one quick explanation:

Fedora and RHEL use the MIT Kerberos implementation as their Kerberos infrastructure of choice.
The Samba Active Directory Domain Controller implementation is built on Heimdal, and so is not available with MIT Kerberos at the moment.
The only way to have full Samba 4 functionality on RHEL now is to compile from source.

I'm not surprised the RH guys don't want to change the Kerberos implementation because of Samba, as it is interwoven with many other OS-related things, but it would surely help if RH said something about an ETA? Or progress?

I don't have much hope of RH answering here; you can look at it as a rhetorical question. I'll just raise a ticket.

BTW, is IPA becoming more of a competitor to Samba 4 than a co-player? The information is often misleading as both IPA and Samba 4 evolve (particularly with the MIT and Heimdal Kerberos deps).

Anyway, cheers :]

Not surprising that RH would have chosen MIT over Heimdal: MIT's much older and has (probably more like "had" at this point) a reputation of being more mature and stable than Heimdal. While probably less of a concern today than a decade ago, a decade ago is when various commercial UNIX and Linux vendors were choosing which libraries to integrate with. Thus, a number of other commercial UNIX vendors went with MIT (Sun, SGI and IBM) as well.

Even Microsoft chose to leverage MIT's Kerberos when they created Active Directory. Translation: it's not so much that you can't do the types of things with MIT's Kerberos that the Samba4 folks are looking to do, it's that they chose to do their implementation against Heimdal first.

Well...
truth be told, I'm starting to get a headache from this.

Many Linux distributions still do not support Samba 4 well:
- Samba on Fedora/Red Hat/CentOS does not support AD DC mode.
- Samba on Ubuntu does not have CTDB (i.e. no cluster support).
- Sernet does not offer a package for CentOS 7, only for 6.
...

And I'll have to decide which way to move the infrastructure in the not-so-distant future, and truth be told, it's hard.
IPA?
Samba4?
IPA + Samba4?
Which type of domain?

On top of it all, it seems to me like Samba and IPA are becoming a little bit competitors instead of co-operators? And there is a lot of ballast info floating around the internet as IPA and Samba 4 have evolved in past years.

And then the life of a sysadmin is said to be easy... maybe I should go book shopping and buy 'M$ fast & easy' (blasphemy!) :p

The question is, "what type of infrastructure are you seeking to support?" If you're in a mixed Windows/Linux environment, particularly if your Windows environment is using Exchange, SharePoint or other services that are tightly integrated with Active Directory, you have to ask if the level of effort of moving off of Active Directory makes sense. If you've got tightly-coupled applications, you're generally better off simply using the AD client tools to bind your UNIX/Linux systems to Active Directory. While the Samba components that shipped with EL5 had some pretty significant limitations, the version that ships with EL6+ eliminates many of them.

Our organization would have used Samba had we not been trying to integrate with a large (100,000+ user objects), complex (multi-domain forests with different levels and types of trust symmetries) environment. Instead, we were forced to use one of the third-party tools (a couple had "open" variants back then). Thus, had we been looking to integrate today rather than nearly five years ago, Samba might have met our needs. As of today, however, there are enough manual and automated processes built around the third-party toolsets, and those tools work well enough, that it's not worth the engineering or operations hours to migrate off.

Well...
pretty much all mixed up. 500 users. Windows app servers, Linux servers for everything else. Windows clients (CAD stations), Linux clients (CAE/FEM, crash testing).

No MS AD, all runs through Samba. No Exchange, Zimbra instead.

1. Samba 3.6.9 PDC (with 3 BDCs) for Windows clients, 'looking to' 389 DS (authentication backend, with another 389 slave replicator)
2. SSSD for Linux clients (and servers) authentication, again 'looking to' 389 DS

Pretty neat, working nicely - well, it did, until...

Problem? Yes! Windows clients' LAN speeds. Samba 3 does NOT implement SMB2 fully, and the SMB3 protocol not at all. Windows 7 doesn't like being forced back to SMB1.

Samba 3 is also at EOL. The Samba team said clearly they will end Samba 3 support when Samba 4.2 is out. Samba 4 is now at RC2. So it's going to be really SOON.

Now that Windows 7 has replaced the Windows XP clients, LAN speeds are dropping and I'm not able to do much about it (if only Samba 3 had those backported... my lustful wish).

I need SMB3 (for Win 8 and 10 to retain speed) ->> Samba 4
But I also need to think about Linux clients --> IPA

And everything has to work together like an orchestra (of course)... what are those lazy IT guys doing again, the NET is so SLOW! :P

Now you see, my hair's about to turn white :]].
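As an added example (not code from any poster in this thread), here is a small POSIX-shell audit for the SMB1 fallback described above: it reads an smb.conf, reports the effective 'server min protocol', and checks the weak default-style config beside a hardened one. It assumes that Samba 4.1 as shipped in RHEL 7.0 defaults 'server min protocol' to NT1 (SMB1); both sample configs are constructed.

```shell
# Constructed sample: weak config that leaves the protocol floor at its default.
WEAK_CONF='[global]
   workgroup = EXAMPLE
   server max protocol = SMB3
[homes]
   browseable = no'
# Constructed sample: same config hardened to refuse SMB1 and allow up to SMB3.
HARDENED_CONF='[global]
   workgroup = EXAMPLE
   server min protocol = SMB2_02
   server max protocol = SMB3
[homes]
   browseable = no'

# Print the effective 'server min protocol' (or its 'min protocol' synonym) from
# the [global] section of the smb.conf text on stdin: case-insensitive match,
# trailing comments stripped. Falls back to NT1, the assumed Samba 4.1 default.
smb_min_protocol() {
  awk '
    /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
    in_global && tolower($0) ~ /^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*=/ {
      sub(/^[^=]*=[[:space:]]*/, "")
      sub(/[[:space:]]*[#;].*$/, "")
      sub(/[[:space:]]+$/, "")
      val = $0
    }
    END { print (val == "" ? "NT1" : val) }'
}

# Succeed (exit 0) when the floor still admits SMB1-family dialects.
smb1_allowed() {
  case "$(smb_min_protocol | tr '[:lower:]' '[:upper:]')" in
    NT1|LANMAN1|LANMAN2|COREPLUS|CORE) return 0 ;;
    *) return 1 ;;
  esac
}

# Report one named config; always exits 0 so it is safe under 'set -e'.
audit_conf() {
  floor=$(printf '%s\n' "$2" | smb_min_protocol)
  if printf '%s\n' "$2" | smb1_allowed; then
    echo "$1: SMB1 ALLOWED (server min protocol = $floor) - raise it to SMB2_02 or higher"
  else
    echo "$1: SMB1 refused (server min protocol = $floor)"
  fi
}

audit_conf weak "$WEAK_CONF"
audit_conf hardened "$HARDENED_CONF"
```

Point it at a real file with `smb_min_protocol < /etc/samba/smb.conf`; raising the floor only helps once the Samba 4 server (not Samba 3) is in place, since Samba 3 cannot speak the higher dialects anyway.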

Karel, maybe you can try Zentyal, which has Samba 4 + full AD support.

The Samba 4 release in RHEL 7 does not support the Active Directory Domain Controller role. It is, however, a good NT4-style Primary Domain Controller, a decent SMB3 file server, etc. What's more interesting is that you CAN make Samba 4 from EL 7 work with FreeIPA for authentication via NTLM AND Kerberos. I have already implemented this using the stock Red Hat packages, and authentication works via FreeIPA using both MS-RPC authentication in NTLM form and Kerberised authentication. My curiosity is why you need to implement Active Directory. If you need to implement Active Directory, why not use the original software? It's easier to maintain and slightly more stable than Samba.

I see that Razvan has accomplished what I am working on but having some issues with. Razvan, could you possibly post instructions on how to make this work? Setting up Samba 4 as an AD is a royal pain, and I would prefer not to have to deal with it. We have tried following the instructions on the web but have had no success getting authentication working in Windows.

The latest Samba (4.7.0) claims to support AD DC with MIT Kerberos but the RHEL 7.5 Release Notes are not clear whether this feature is available or not from the RHEL 7.5 samba packages.

In fact, there is no samba-tool command to do domain provisioning.

Marco/Kalang: I have been disappointed in the quality of RH support as of the last 2+ years, especially in Premium support. That said, take a look at https://www.howtoforge.com/tutorial/samba-4-with-active-directory-on-centos-7-rpm-based-installation-with-share-support/

That link contains a reference to a Samba branch (RPM and patched/maintained), complete with references to using EPEL and another repo called Wing (that has specific packages that are patched/compiled from source into current RPMs). The Wing repo appears to have samba-tool compiled in, as it was removed from the official Samba branch for those MIT reasons (which didn't make sense), but they forward-ported the previous code from just before the tool was removed and then patched and maintained the packages going forward to bring them current while including the samba-tool utility. It's worth a look.

Please see the EzPlanet Repo; this repo provides the latest Samba 4.8 with Domain Controller capabilities for CentOS and RHEL 7: http://www.ezplanet.net/xwiki/bin/view/EzPlanetRepo/