RHEL 8 is still lacking a Samba Active Directory package

On the other edge of the blade: discontinuing the Samba DC option will generate:

  • fellows that will abandon the distro for some other one which provides it
  • possible fellows who are looking for an upgrade/migration platform (like the 3-SME-server guy who landed a few days ago) from their current distro to another one with the same integration options will strike NS from the list (why should they migrate to something that will drop a feature they already have?)
  • possible fellows that are running away from Microsoft solutions (and related privacy issues… Did you try recently to add a user on Win10 1803 or 1809? Security questions are not editable… and if you want to add a user without storing any information you have to deal with the “old but gold” NET USE syntax… I’m afraid of the next version, which could force you to register a Microsoft Account, as Android and MacOS/iOS currently do)

Leaving the feature will cut a bigger rope than the one IBM/RedHat sliced for RHEL8. They’re big enough not to be interested in SMB/Windows customers (potentially higher revenues).
But SMB seems core adopters for this distro, and core business for Nethesis.

IMVHO: leaving the AD Controller is not an option.
Or better: the project should find/integrate a Killer Application that will make users consider AD not that necessary. But I have no idea of what this could be…


To give up AD controller is not an option IMO.

Documentation states:
If an LDAP account provider is selected or there is no account provider at all, any access to shared folders is considered as Guest access so that everyone is allowed to read and write its content.

That said, NS wouldn’t be able to provide ACLs on SMB shares. NS is meant for SMEs, Small and Medium Enterprises. I can’t imagine an SME that has no need for any SMB share with ACLs.
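An added illustration of the two situations the quoted documentation describes (constructed smb.conf fragments, not NethServer’s shipped configuration; share names, paths, realm and the AD group are assumptions): with guest mapping everyone reads and writes the share, while the AD-joined share restricts access to a domain group and stores Windows ACLs.

```ini
# --- smb.conf A: no account provider, or LDAP only (constructed example) ---
# Unknown users are mapped to the guest account and the share is open to
# everyone for read and write, so no per-user or per-group ACL is enforced.
[global]
    security = user
    map to guest = Bad User

[public]
    path = /srv/public
    guest ok = yes
    read only = no

# --- smb.conf B: member of an AD domain (constructed example) ---
# Guest access is off, only members of the assumed AD group may connect,
# and Windows ACLs are kept in extended attributes via acl_xattr.
[global]
    security = ads
    realm = AD.EXAMPLE.ORG
    workgroup = EXAMPLE
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

[projects]
    path = /srv/projects
    guest ok = no
    valid users = @"EXAMPLE\project-users"
    read only = no
    inherit acls = yes
```

A quick check after editing either file is `testparm -s`, which reports parse errors and shows the effective per-share settings.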

Hello, all,

Sorry to resurrect this thread, just stumbled across it. Thanks for your good thoughts.

I feel your pain…

Our use case is that we’ve been limping along with a CentOS 6 build with an old version of SerNet Samba, like version 4.1.xx, as an ADDC for our small business network. Works fine, but on ancient hardware, overdue to replace.

We’ve been looking for a replacement, waiting for CentOS 8 or Samba to support Samba AD on CentOS, and was looking at NethServer, but it looks like I’m still caught out. I suppose we will try Ubuntu with samba-dc; my impression is that it works and is supported. I guess that doesn’t help you.

A couple of thoughts, perhaps they are naive…

Firstly, there is a service and software company in France called Tranquil.it that supports a version of Samba as a Domain Controller. They apparently are building a Samba which works on CentOS 7 and Debian, and are maintaining RPMs and DEBs for their clients, and hosting it for the community version. They have a build of 4.8.9 as recently as May this year.

They are hosting the RPMs: http://azzurro.ezplanet.net/el7/

They have some support via a forum, wiki and mailing list (in French); Google Translate helps with this.

There is very interesting documentation
https://samba.tranquil.it/doc/fr/index.html

Their wiki is a good link to their builds
https://dev.tranquil.it/wiki/Samba4

They also have a discussion of how to compile for MIT Kerberos.
https://dev.tranquil.it/wiki/SAMBA_-_Compiler_samba_avec_MIT_Kerberos

I’m not certain that they have gotten around the Samba 4 / MIT Kerberos bugs and limitations, such as GPOs not being applied.

They apparently have quite a bit of skill implementing Samba 4 AD as a solution; I don’t know how actively they are supporting CentOS 7, let alone how they will handle CentOS 8.

Just thinking they may be a good resource, or possibly a partner that could build and support your Samba 4 RPMs.

Good Luck, I would appreciate any feedback,


Hi Peter, welcome to the NethServer community and thank you for your post!

Why didn’t you consider NS7? What features are you lacking?


Hi Davide, thanks for checking in.

I guess I am considering NS7, though I haven’t really been concerned about a supported distro. We use the basics: DNS, DHCP, NTP, SMB, GPO, ADDC, MySQL, all of which have been baked into CentOS until this issue with samba-dc. We started with CentOS 4 and Samba 3 NT4 domains, then built a CentOS 6 with whatever Samba 4 build SerNet last released as open source. Webmin, whatever desktop, bash and rsync are plenty for our admin access. Truth is we hardly ever touch it, and the hardware we have it on barely runs at idle. We’ll probably run our next DC on a Windows 10 Hyper-V instance on a low power server, and maybe spin up a backup DC on a cloud instance.

We have a couple of dozen Windows desktops authenticating from a single physical location. We install a handful of apps on them with Group Policy, and set a few things like DSNs and drive mappings, and we value centralized ACL management. We have maybe a scant TB of files, mostly photos and video. The whole thing is behind a firewall. Our email, backups and most of our shared files are mostly with Google / G Suite and a hosted web server off-site which has cPanel and runs Drupal and CiviCRM.

Our client hardware is any old used $100 Dell desktop with Windows 10. We need Windows for our in-house VBA apps, QuickBooks, Adobe. When one craps out, we drop another on the user, join the domain, pull the memory and a few parts out of the machine and recycle it.

Our hardware is a 10 or 12 year old Xeon SuperServer, which really needs replacing. It burns like 400 watts at idle, and sounds like a leaf blower. I figured we’d skip a generation and go to CentOS 8, since we’ve never really been able to get past the RHEL7 / samba4-dc / MIT vs Heimdal thing for the DC.

Of course, even though we’re fairly snug behind the firewall, I shouldn’t be running unpatched apps, and I don’t really want to build my own Samba. So I should have a provider for Samba security updates.

I think the conclusions of your users above describe us also. I understand that those of us who are interested in an open-source alternative for domain authentication and provisioning of Windows desktops are by definition technically capable, low profit, avoiding spending thousands a year on support through a VAR. I get that larger companies like MS, RH, Samba+ aren’t interested in supporting us.

I’m glad Nethserver is focused on the small business market, and I’d be glad to go with NethServer. I may be able to contribute a bit to the community as well.

How did you get around the ADDC thing with CentOS 7?


We have two instances of Samba. The first, upstream/RHEL one is the file server, and the second one runs the DC in a Linux container with its own IP address.

There are plenty of discussions in this forum about this choice. Just as a starter: I still don't get why Samba has to be run in a container

The file server receives official RHEL patches. We recompile the DC from the Samba vanilla source code, which ships all the security patches we need. Their dev lifecycle has been sustainable so far and even minor upgrades of the DC ran smoothly, far better than RHEL minor upgrades!
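An added illustration of the split described above (a constructed systemd-nspawn settings file, not NethServer’s own unit files; the container name, root tree and host interface are assumptions): the DC container boots its own init and gets its own MACVLAN interface on the LAN, so the DC’s listeners do not collide with the host Samba that serves files.

```ini
# /etc/systemd/nspawn/samba-dc.nspawn  (constructed example; container name
# and interface name are assumptions, root tree lives in /var/lib/machines/samba-dc)
[Exec]
# Boot the container's own init so the DC's samba service starts inside it
Boot=yes

[Network]
# Give the container a MACVLAN interface on the host's LAN NIC: it gets its own
# MAC and IP address, so the AD DC's ports (DNS 53, Kerberos 88, LDAP 389,
# SMB 445) are bound inside the container and never clash with the host's
# file-serving Samba on 445. The host itself cannot reach the container over
# MACVLAN, so clients on the LAN talk to the DC, not the host.
MACVLAN=eth0
```

With this file in place the container is started with `systemctl start systemd-nspawn@samba-dc`, and `machinectl status samba-dc` shows the address it obtained.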

Here we’re discussing two distinct levels of issues with AD:

  1. the complexity of our architecture, required to be an all-in-one distro, compatible with the previous NS6 version
  2. the complexity of an AD network, a nightmare for a support team, even for Red Hat’s one :smiley:

Very interesting. Thanks for pointing out that discussion. I’m also looking at your documentation. Sorry I don’t really have time to install and really look at it. I appreciate your help in understanding your environment.

It actually makes some sense to keep the ADDC a separate instance from file serving; it’s recommended by Samba anyway.

I see you are using nspawn for the container. Re-reading @robb’s post above, I’m understanding you are using Heimdal binaries on your Fedora container, and robb is suggesting you use a Debian container, so you could use Debian packages for Samba without building from source.

Is that correct?

So you might have some support/configuration issues related to supporting a non-Fedora container, but the advantage is that if there are issues with the Debian Samba AD build, you know where to find bug reports (at Debian/Ubuntu/Samba).

It seems to me that MIT support in Samba AD is sitting dead in the water at this time, and RH’s position may mean that Samba has little interest in working much more on AD support for RH. It works fine on Heimdal; why take the time to fix it for MIT / RH, who don’t care?

How does SerNet get around this? They claim to have full AD on CentOS 7. Do they have some way to have Heimdal coexist with MIT, or do they have fixes for the bugs that they aren’t upstreaming, or are they just not reporting that GPO doesn’t work on their build?

Thanks again for your time helping me understand, Davide

I have also looked pretty closely at the FreeBSD arena, FreeNAS and whatnot. They have nice VM/jail web management, and ZFS is very interesting, but although they offer commercial support, it seems that their community user base is largely hobbyists and media-server guys, so the community support may not provide many clues for SME use cases similar to ours. And FreeBSD seems to have a pretty grumpy developer base, is way big and scattered, and slow and political about moving forward. Since the license is totally free, I think many distros take the code, add their own applications and fixes, and never give back to the source. So far I’m opting to stay with a Fedora- or Debian-based system, namely CentOS and Ubuntu.

I suppose that my next step would be to try the Debian side, say at ubuntu-bionic. I would probably use Hyper-V to host the VM for testing.

If you are considering using a Debian nspawn container in the future for your Samba AD, I could be of some help to you in testing our use case, and helping with documentation. This assumes that spawning ubuntu-bionic, handling networking and management, and upgrading and backup of the clients is straightforward.

This would give you an alternate module to FS7-DC for testing and consideration. If Samba or RH perfects and supports AD on MIT in the future, then the option exists to have your all-in-one server, but users who prefer to containerize their servers are free to do so. I pretty much like the idea of containerized services over an all-in-one solution.

Assuming that’s successful, over time I’d be interested in getting BIND DLZ in place on the DC, having BIND, DHCP and NTP modules where replication/clustering and failover could be implemented.

I’m also interested in MySQL or MariaDB servers, and I’m very curious about Percona, especially for their backup, monitoring and other tools.

I guess people just use Samba 3.x as a shorthand for NT4 domains, and Samba 4.x for Samba ADDC domains (Server 2003/2008/2012); all are available from a single Samba 4.x codebase. I also think people often confuse file/printer/ACL sharing (which is about the same from NT4 to AD) with domain management and provisioning of Windows clients.

Domain management has a couple of parts. Authentication and rights operate about the same from the admin’s perspective from NT4 to AD, but provide the security enhancements of a KDC and the convenience of a central database with LDAP, compared to the client provisioning parts (central management of GPOs, software installation, etc.). The client provisioning parts (with an LDAP/Kerberos foundation) and the concepts of member servers and replication with FSMO roles define the AD server hierarchy and replication, and provide methods for the admin to build redundancy and recovery options.

NT4 server used PDC/BDC roles, which are more limiting. AD uses DNS rather than NetBIOS.

I suspect that the fact that RH/CentOS 6 never built Samba 4, then CentOS 7 supplied Samba 4.x (but without DC), makes it that much more confusing. CentOS 6 users could rely on SerNet’s 4.x RPM repos until they made them payware and stopped supporting security changes freely at that level.

I think neither of us considered that path, to avoid dealing with two different upstream/ecosystems.

Instead we’re already building the Samba DC with the default builtin Heimdal libraries. It is even possible to make them co-exist on the same system with a MIT install, thanks to the Samba build --prefix= option: this possibility could even simplify the current nspawn container by removing the need for a complete filesystem / dir for it. That would simplify system upgrades.

The technical challenge is preserving simplicity and backward compatibility of the ns8 architecture.

BIND could be considered, but it’s too early to say: a working prototype is needed, preferably running on CentOS 8.

I’ve found an article on installing Samba on CentOS 8. Perhaps it could help.

https://linuxconfig.org/install-samba-on-redhat-8


RH’s decision on Samba is a well-known POLITICAL decision.
Nothing else is involved.

For projects like NS, I say AD is vital for their target audience. So a better solution has to be found.
I wonder if the project needs to keep being based on CentOS (but I’m opening another can of worms, I know).


We know it very well, but without CentOS/RedHat support this is not an easy choice.
We would have to start a new journey alone, and we have to be aware of what it really means.

I understand.
So no other distro fulfills (the rest of) your requirements?
(I say “rest” for obvious reasons: it doesn’t fulfill THIS one at least :smiley:)

Please note that Samba in the next NethServer major version is very important.


Maybe it means that NethServer will be the ONE?
(A Matrix reference)

Saying that, the target audience can grow more, hopefully.

Sticking to CentOS is anyway a quite good path, even with the bad / not-shared decisions that were taken.

But we have to face that “shared folders” suit homes, maybe small offices, because they do not scale well, or scale at all.
They don’t scale for outsourcing. And they don’t scale for setups outside the premises. Or mobile devices.
Yes, you can make it work (VPN and fast connections), but the current status is that applications (web or not) are the day-to-day use.
Even Microsoft faded to something different (SharePoint has its own success, just like Exchange, which now is quite more reliable and functional as a mail/application server), while still offering shared folders.
I hope that NethServer will persist with the container to let users still have that option. But the LDAP-centric current structure is the key to evolving the project without revolution.
Because authentication can currently be delivered via LDAP to any kind of authentication server (better using TLS).
Never mind keeping track of the evolution of X.500 too…


Hi to all,
it looks like CentOS 8 isn’t supporting Samba Active Directory and won’t support it in the future.
I think there are several servers out there which run Samba Active Directory with NethServer 7.
I created this thread to collect ideas on how to solve this. Here a list of these ideas should arise:

  • a container with Debian and Samba AD in the NethServer 8 installation (best way: choosing it from the Software Center)
  • a second virtual machine with Debian or NethServer 7 (until it’s not supported anymore)
  • another base for NethServer 8 (I think that’s not so easy, because everything must be “converted” to the new distro and every developer has to do a lot of extra work)

Thanks to all who will share their ideas here. Perhaps a solution can be implemented by the @dev_team without losing the advantage of using upstream updates.

Michael


Hi Michael, the current Samba AD implementation of NS7 is not using an RPM from CentOS: I think it’s possible to continue like we are doing it right now…

We could ask ourselves whether going on this way is enough, or bad, or whatever.


Hi @davidep,
thanks for your post. I thought it would be a problem after a conversation at FOSDEM two years ago and reading the following thread:

But perhaps we could nevertheless collect some good ideas on how to implement it in the future.
