RHEL 8 is still lacking a Samba Active Directory package

(Rob Bosch) #21

I must say that the discussion with Niels de Vos from the RH/Storage group and the Samba guy gave lots of hints, opportunities and directions. But when reading some more about creating Samba packages, especially with MIT Kerberos, I feel we are diving into a very uncertain future.

A few things that I want to mention. From the Samba wiki I read that MIT Kerberos support is still experimental. Besides that, there are quite a few features still not supported. I know, they MAY be supported in the future, but currently they are not:

Known Limitations of MIT Kerberos Support in Samba
Samba DCs with MIT Kerberos KDC currently do not support:

  • PKINIT support required for using smart cards
  • Service for User to Self-service (S4U2self)
  • Service for User to Proxy (S4U2proxy)
  • Running as a Read only domain controller (RODC)
  • Authentication Audit logging
  • Computer GPOs are not applied, see Bug 13516

At first glance these unsupported features seem to be a showstopper.

On the other hand, I would like to raise the question: if we are to build the packages ourselves, why not build them with Heimdal Kerberos (like the .deb distros are doing)? We currently run the Linux container with the Heimdal packages and the .deb distros already have a few years of experience with this. You can consider MIT as superior any time, but if it lacks the features we need, we just can’t use it. (Just being pragmatic here.)

Alternatively we can keep things as we have now: a Linux container running Samba4 AD. But I understand it is quite difficult to develop using this option.

Another thing to consider is the problems when Samba4 AD and Samba FS are running on the same instance. @davidep mentioned that there were quite a few stability issues and a server needed regular (service) restarts to remain stable. I think this needs more investigation before being able to make a weighed decision on which option to choose.

The last option, dropping Samba4 AD, to me seems a showstopper too. We have a LOT of Windows (Small Business) Server replacements in our community. A lot of our members are going to or have migrated from an AD environment. Their client machines are mostly (probably 95%+) Windows based. UNLESS there is a viable Windows client management option (I don’t know any and I don’t think there is) I don’t see how we can drop Samba4 AD support.

Some things that need to be investigated:

  • Current status of the MIT Kerberos implementation in Samba (some of the Samba wiki pages mentioning MIT Kerberos date back to 2012)
  • Impact of creating Samba4 packages ourselves (either MIT or Heimdal Kerberos)
  • Limitations of either MIT or Heimdal Kerberos

Any other thoughts?

(Charles) #22

Thank you @davidep for taking the time to answer my questions.

(Davide Principi) split this topic #23

6 posts were split to a new topic: How many NS installations use Samba DC

(Davide Principi) #27

That’s annoying but I don’t think they are real showstoppers. Should be fixed anyway…

(Enrique D) #28

I have one DC at our office, still struggling with a win2012-r2+sqls 2008-r2 to migrate to the new DC/NS.
I wonder if I need to begin to ask for quotes from M$. :worried:
It’s sad to read about Red Hat and their decision.
Hopefully NethServer will stay on the way to support DC.

(Michael Kicks) #29

On the other edge of the blade: discontinuing the Samba DC option will generate:

  • fellows that will abandon the distro for some other one which provides it
  • possible fellows who are looking for an upgrade/migration platform (like the 3-SME server guy who landed a few days ago) from their current distro to another one with the same integration options will put NS out of the list (why should they migrate to something that will drop a feature they already have?)
  • possible fellows that are running away from Microsoft solutions (and related privacy issues… Did you try recently to add a user on Win10 1803 or 1809? Security questions are not editable… and if you want to add a user without storing any information you have to deal with the “old but gold” NET USE syntax… I’m afraid of the next version which could force you to register a Microsoft Account (as Android and MacOS/iOS currently do))

Leaving the feature will cut a bigger rope than IBM/RedHat sliced for RHEL8. They’re big enough not to be interested in SMB/Windows customers (potentially higher revenues).
But SMBs seem to be the core adopters for this distro, and the core business for Nethesis.

IMVHO: leaving the AD Controller is not an option.
Or better: the project should find/integrate a Killer Application that would make AD seem not that necessary. But I have no idea what this could be…

(Ralf Jeckel) #30

To give up AD controller is not an option IMO.

Documentation states:
If an LDAP account provider is selected or there is no account provider at all, any access to shared folders is considered as Guest access so that everyone is allowed to read and write its content.

That said, NS wouldn’t be able to provide ACLs on SMB shares. NS is meant for SMEs, Small and Medium Enterprises. I can’t imagine an SME that has no need for any SMB share with ACLs.