Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?


Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?

Samba - General mailing list
G'Day,

I've been looking at our minimum python version for the AD DC.

We have some patches currently being proposed to help us become
compatible with the modern Python3, and one aspect (PyCapsule) would be
easier to do if we restricted Samba to requiring Python 2.7 as a
minimum.

The wrinkle comes from our good friends at Red Hat, which found itself
caught with Python 2.6 on RHEL6.  Naturally additional python versions
can be installed from third parties, just as folks have done for RHEL5
for some time, but it isn't 'just there' and the various online HOWTO
solutions look much more complicated than an RPM install.  

My questions are:
 - do you deploy Samba as an AD DC on RHEL6 or CentOS 6?
 - If so, would an upgrade to RHEL7 be likely before you deploy Samba
4.7 in late 2017?

or

 - do you deploy Samba as an AD DC on another platform without Python
2.7?

(This is to inform me in a parallel thread I'm having with metze over
the Python3 patches).

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?

Samba - General mailing list
Hello Andrew,

Presently we have two Windows2008R2 DC’s and one Samba4 (v4.1.13, CentOS6) DC.   We plan on moving the server to CentOS7 this summer and upgrading to v4.6.x (when it comes out).

We’re almost done phasing out all our CentOS6 servers...

So I guess we’ll be ready for 4.7 when it comes out if Python 2.7 is a minimum requirement.

It’s nice that the Samba developers take the time to ask our opinion on this change.

Thank You!

> On Feb 17, 2017, at 1:53 PM, Andrew Bartlett via samba <[hidden email]> wrote:
>
> G'Day,
>
> I've been looking at our minimum python version for the AD DC.
>
> We have some patches currently being proposed to help us become
> compatible with the modern Python3, and one aspect (PyCapsule) would be
> easier to do if we restricted Samba to requiring Python 2.7 as a
> minimum.
>
> The wrinkle comes from our good friends at Red Hat, which found itself
> caught with Python 2.6 on RHEL6.  Naturally additional python versions
> can be installed from third parties, just as folks have done for RHEL5
> for some time, but it isn't 'just there' and the various online HOWTO
> solutions look much more complicated than an RPM install.  
>
> My questions are:
>  - do you deploy Samba as an AD DC on RHEL6 or CentOS 6?
> - If so, would an upgrade to RHEL7 be likely before you deploy Samba
> 4.7 in late 2017?
>
> or
>
> - do you deploy Samba as an AD DC on another platform without Python
> 2.7?
>
> (This is to inform me in a parallel thread I'm having with metze over
> the Python3 patches).
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



Re: Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sat, 18/02/2017 at 07.53 +1300, Andrew Bartlett via samba
wrote:
>  - If so, would an upgrade to RHEL7 be likely before you deploy Samba
> 4.7 in late 2017?

RHEL/CentOS 7.3 (latest update as of today) already has Python 2.7.x;
RHEL/CentOS 6 does not.
 
> [lesca@server-dati ~]$ cat /etc/redhat-release
> CentOS Linux release 7.3.1611 (Core) 
> [lesca@server-dati ~]$ python --version
> Python 2.7.5
> [lesca@server-dati ~]$ 

CentOS [6,7]*, however, does not have full AD DC support in its
current Samba 4.x version (without rebuilding the source with a few
changes):

> [lesca@dodo ~]$ rpm -ql samba-dc
> /usr/share/doc/samba-dc
> /usr/share/doc/samba-dc/README.dc
> [lesca@dodo ~]$ cat /usr/share/doc/samba-dc/README.dc
> MIT Kerberos 5 Support
> =======================
> ...The Samba build in Fedora is using MIT Kerberos
> implementation in order to allow system-wide interoperability between
> both desktop and server applications running on the same machine.
>
> At the moment the Samba Active Directory Domain Controller
> implementation is not available with MIT Kereberos. FreeIPA and Samba
> Team members are currently working on Samba MIT Kerberos support as
> this is a requirement for a GNU/Linux distribution integration of
> Samba AD DC features.
>
> We have just finished migrating the file server and all client
> utilities to MIT Kerberos.  The result of this work is available in
> samba-* packages in Fedora. We'll provide Samba AD DC functionality
> as soon as its support of MIT Kerberos KDC will be ready.

How do you deploy samba AD DC on Centos?

Manually rebuild it or ...

You know that Samba 4.7 will have support for AD DC with MIT Kerberos?

Thanks for the reply

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?

Samba - General mailing list
On Sat, 18 Feb 2017 10:36:18 +0100
Dario Lesca via samba <[hidden email]> wrote:

> RHEL/Centos 7.3 (last today update) already has python 2.7.x,
> RHEL/Centos 6 not.

Yes, this is well known and is what the question was all about, are you using
RHEL/Centos 6 now and planning to upgrade to version 7 before
September ?
 

>
> > [lesca@dodo ~]$ rpm -ql samba-dc
> > /usr/share/doc/samba-dc
> > /usr/share/doc/samba-dc/README.dc
> > [lesca@dodo ~]$ cat /usr/share/doc/samba-dc/README.dc
> > MIT Kerberos 5 Support
> > =======================
> > At the moment the Samba Active Directory Domain Controller
> > implementation is not available with MIT Kereberos. FreeIPA and
> > Samba Team members are currently working on Samba MIT Kerberos
> > support as this is a requirement for a GNU/Linux distribution
> > integration of Samba AD DC features.

The last part of that statement is plainly not correct, the 'GNU/Linux'
part that is. It is available on Debian, which, last time I looked, was
a 'GNU/Linux' distribution, it should be 'Red-Hat/Linux distribution'

> How do you deploy samba AD DC on Centos?
>
> Manually rebuild it or ...
>
> You know that Samba 4.7 will have support to AD-DC with MIT Kerberos?
>

This is in the hands of the Red-Hat guys mainly, but 4.6 isn't out yet
and the question isn't if Samba 4.7 will support MIT, but will
RHEL/Centos 7 support an AD DC when Samba releases a version that
supports MIT

Rowland


Re: Minimum python 2.7 (not on RHEL6) for Samba 4.7 AD DC?

Samba - General mailing list
On Sat, 18/02/2017 at 10.10 +0000, Rowland Penny via samba
wrote:
> This is in the hands of the Red-Hat guys mainly, but 4.6 isn't out
> yet
> and the question isn't if Samba 4.7 will support MIT, but will
> RHEL/Centos 7 support an AD DC when Samba releases a version that
> supports MIT
>
> Rowland

You have been very clear.

Many thanks, Rowland
--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Official RHEL AD DC on RHEL

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:

>
> Centos [6,7]* however does not have into current samba 4.x version 
> fully support to AD DC (without rebuild the source with some few
> changes):
>
> > [lesca@dodo ~]$ rpm -ql samba-dc
> > /usr/share/doc/samba-dc
> > /usr/share/doc/samba-dc/README.dc
> > [lesca@dodo ~]$ cat /usr/share/doc/samba-dc/README.dc
> > MIT Kerberos 5 Support
> > =======================
> > ...The Samba build in Fedora is using MIT Kerberos
> > implementation in order to allow system-wide interoperability
> > between
> > both desktop and server applications running on the same machine.
> >
> > At the moment the Samba Active Directory Domain Controller
> > implementation is not available with MIT Kereberos. FreeIPA and
> > Samba
> > Team members are currently working on Samba MIT Kerberos support as
> > this is a requirement for a GNU/Linux distribution integration of
> > Samba AD DC features.
> >
> > We have just finished migrating the file server and all client
> > utilities to MIT Kerberos.  The result of this work is available in
> > samba-* packages in Fedora. We'll provide Samba AD DC functionality
> > as soon as its support of MIT Kerberos KDC will be ready.
>
> How do you deploy samba AD DC on Centos?
>
> Manually rebuild it or ...

Yes, or find a package by a third party.  

> You know that Samba 4.7 will have support to AD-DC with MIT Kerberos?

There is still a lot of work to do on that as I understand it, and even
then it will require a very modern MIT Krb5, and probably not what is
in RHEL.  This will remain a long road, sorry.

Even with all that, users of Samba as an AD DC often wish to obtain a
version (due to bug fixes and new features) that is much more current
than shipping when a RHEL freezes, so I wonder if it will really be
that much use anyway.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
<[hidden email]> wrote:
> On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
>>
>> Centos [6,7]* however does not have into current samba 4.x version
>> fully support to AD DC (without rebuild the source with some few
>> changes):

There are changes, but they're not outrageous. I've done some work
towards it, at https://github.com/nkadel/samba4repo/, but you really
wind up building up all the dependencies as well, and revising or
replacing the logic around different versions for internally or
externally built libraries. The structure there uses "mock" to build
all the relevant library RPMs as well, and put them in local
filesystem based yum repository. The requirement for gnutls-3.4.7 or
later made me throw in the towel for building current releases on
CentOS 7. I did not feel I had the time or tools to consider replacing
the dependency chain for that critical security component. Recent
Fedora releases have mostly new enough components.

The RPMs for Fedora rawhide, or my work, could be a good starting
point. Not much other software uses libtalloc or similar libraries, so
it may be wiser to simply build the RPM with the internal versions.  The
last time I updated them at all, I restarted my .spec files and
patches with those from Fedora rawhide.  But the library requirements
can be quite difficult to compile on an even slightly older RPM based
environment. Unfortunately, the last time I worked with it, I got
bogged down in getting dnf to successfully use the locally built up
dependency yum repository, and finally had to yield for other demands
on my time. At this point, if I go back to trying, I'd throw out all
the library dependencies and just compile the libraries internally.
Since Samba seemed to be the only component using the libtalloc and
similar libraries, they made no sense to me to compile separately, as
RHEL and thus CentOS have been doing.

This has me looking back into the past. The first time I did a Samba
port to new OS was..... for Samba 4.1.2? In 1993, I think? To get file
shares and printing working from a Sparc 2 at a lab doing cochlear
implant research. I needed to force people to stop using their own
personal printing options and get them through a printer queue I could
monitor. I also used to get the Windows boxes to write data to
something we could back up reliably, since the human medical research
data was not repeatable.

>> You know that Samba 4.7 will have support to AD-DC with MIT Kerberos?
>
> There is still a lot of work to do on that as I understand it, and even
> then it will require a very modern MIT Krb5, and probably not what is
> in RHEL.  This will remain a long road, sorry.

Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
project, and they were interested that I knew personally a bunch of
the Kerberos authors and maintainers from my undergraduate days. If
any of them are unresponsive to queries from the Samba developers,
maybe I can help reach them? I'll mention their names privately if you
like, I'm not sure spamming the list with their names would be
welcome.

> Even with all that, users of Samba as an AD DC often wish to obtain a
> version (due to bug fixes and new features) that is much more current
> than shipping when a RHEL freezes, so I wonder if it will really be
> that much use anyway.

See above about gnutls 3.

> Thanks,
>
> Andrew Bartlett


Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:

> On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> <[hidden email]> wrote:
> > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > >
> > > Centos [6,7]* however does not have into current samba 4.x
> > > version
> > > fully support to AD DC (without rebuild the source with some few
> > > changes):
>
> There are changes, but they're not outrageous. I've done some work
> towards it, at https://github.com/nkadel/samba4repo/, but you really
> wind up building up all the dependencies as well, and revising or
> replacing the logic around different versions for internally or
> externally built libraries. The structure there uses "mock" to build
> all the relevant library RPMs as well, and put them in local
> filesystem based yum repository. The requirement for gnutls-3.4.7 or
> later made me throw in the towel for building current releases on
> CentOS 7. I did not feel I had the time or tools to consider
> replacing
> the dependency chain for that critical security component. Recent
> Fedora releases, have mostly new enough components.

To be clear, we don't require GnuTLS 3.4.7, the check there just means
we use an alternate implementation of 'BackupKey' if that isn't
available.  We do require a GnuTLS version, but not the really recent
one.

The issue was that the older versions had bugs, but if you (as Red Hat
does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.

> > > You know that Samba 4.7 will have support to AD-DC with MIT
> > > Kerberos?
> >
> > There is still a lot of work to do on that as I understand it, and
> > even
> > then it will require a very modern MIT Krb5, and probably not what
> > is
> > in RHEL.  This will remain a long road, sorry.
>
> Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> project, and they were interested that I knew personally a bunch of
> the Kerberos authors and maintainers from my undergraduate days. If
> any of them are unresponsive to queries from the Samba developers,
> maybe I can help reach them? I'll mention their names privately if
> you
> like, I'm not sure spamming the list with their names would be
> welcome.

We have no issues with the communications with Red Hat's staff or the
MIT krb5 team, and I probably shouldn't have spoken so authoritatively
about the plans of my fellow team members at Red Hat who have put in
the work here over around 6 years now.  

However, my point is that Samba demands a lot from the KDC, and it
would shock me if we ever got to a stable spot where a current Samba AD
DC happily used a RHEL-stable version of the MIT KDC while still
supporting all the features.  The two are likely to need to march in
parallel, as we have with our internal Heimdal fork.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Official RHEL AD DC on RHEL

Samba - General mailing list
I was never able to build it in a way I feel comfortable on Fedora. I would
want to build it using an RPM build process. I think I want an MIT build
but I don't know what all I would need to build either way. I thought it
was pretty close when I saw an MIT build in Fedora 23 with AD support. I
was hoping it would have existed in Fedora Rawhide, but I still haven't
seen it yet. Personally I don't care what distro I use. I use Fedora on my
home server because they keep it up to date for the programs I use. I have
an Ubuntu VM that I run my AD DC on and am not too happy about how slow
Ubuntu updates things. They are still on samba 4.3.x and the kernel is
ancient. The only reason I'm hoping for AD DC in fedora is I know I'll be
seeing the latest samba with updates within weeks instead of years.

On Sat, Feb 18, 2017 at 9:44 PM, Andrew Bartlett via samba <
[hidden email]> wrote:

> On Sat, 2017-02-18 at 19:47 -0500, Nico Kadel-Garcia wrote:
> > On Sat, Feb 18, 2017 at 12:58 PM, Andrew Bartlett via samba
> > <[hidden email]> wrote:
> > > On Sat, 2017-02-18 at 10:36 +0100, Dario Lesca via samba wrote:
> > > >
> > > > Centos [6,7]* however does not have into current samba 4.x
> > > > version
> > > > fully support to AD DC (without rebuild the source with some few
> > > > changes):
> >
> > There are changes, but they're not outrageous. I've done some work
> > towards it, at https://github.com/nkadel/samba4repo/, but you really
> > wind up building up all the dependencies as well, and revising or
> > replacing the logic around different versions for internally or
> > externally built libraries. The structure there uses "mock" to build
> > all the relevant library RPMs as well, and put them in local
> > filesystem based yum repository. The requirement for gnutls-3.4.7 or
> > later made me throw in the towel for building current releases on
> > CentOS 7. I did not feel I had the time or tools to consider
> > replacing
> > the dependency chain for that critical security component. Recent
> > Fedora releases, have mostly new enough components.
>
> To be clear, we don't require GnuTLS 3.4.7, the check there just means
> we use an alternate implementation of 'BackupKey' if that isn't
> available.  We do require a GnuTLS version, but not the really recent
> one.
>
> The issue was that the older versions had bugs, but if you (as Red Hat
> does) wish to avoid Heimdal, you have to use a recent GnuTLS instead.
>
> > > > You know that Samba 4.7 will have support to AD-DC with MIT
> > > > Kerberos?
> > >
> > > There is still a lot of work to do on that as I understand it, and
> > > even
> > > then it will require a very modern MIT Krb5, and probably not what
> > > is
> > > in RHEL.  This will remain a long road, sorry.
> >
> > Yeah. I interviewed for a Red Hat QA role years ago, for the sssd
> > project, and they were interested that I knew personally a bunch of
> > the Kerberos authors and maintainers from my undergraduate days. If
> > any of them are unresponsive to queries from the Samba developers,
> > maybe I can help reach them? I'll mention their names privately if
> > you
> > like, I'm not sure spamming the list with their names would be
> > welcome.
>
> We have no issues with the communications with Red Hat's staff or the
> MIT krb5 team, and I probably shouldn't have spoken so authoritatively
> about the plans of my fellow team members at Red Hat who have put in
> the work here over around 6 years now.
>
> However, my point is that Samba demands a lot from the KDC, and it
> would shock me if we ever got to a stable spot where a current Samba AD
> DC happily used a RHEL-stable version of the MIT KDC while still
> supporting all the features.  The two are likely to need to march in
> parallel, as we have with our internal Heimdal fork.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Sun, 19/02/2017 at 21.17 -0700, Jeff Sadowski via samba
wrote:
> I was never able to build it in a way

I have rebuilt samba from rpm source on Centos 7 (samba 4.4.4) and
Fedora (samba  4.5.5) with this procedure:

> > [lesca@dodo rpmbuild]$ cat rebuild.txt
> #
>
> # Install Development ...
> sudo yum -y groupinstall 'Development Tools'
> # sudo dnf -y groupinstall 'Development Tools' # Fedora
>
> # Install yum/dnf utilities
> sudo yum -y install rpm-build yum-utils createrepo
> # sudo dnf -y install rpm-build yum-utils createrepo # Fedora
>
> # Download latest samba source
> # or download from a centos mirror if vault doesn't work: http://bay.uchicago.edu/centos-vault/7.3.1611/
> yumdownloader --source samba
> # dnf download --source samba # Fedora
>
> # Install samba source
> rpm -ivh samba-4.*.src.rpm
>
> # Modify .spec file
> sed -i \
> -e 's/%define main_release .*/&.1/' \
> -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
> -e 's/%global with_dc 0/%global with_dc 1/' \
> /home/lesca/rpmbuild/SPECS/samba.spec
>
> # samba 4.5.x (Fedora) do also this....
> sed -i \
> -e 's|^%.*libntvfs-samba4.so|# &\n%{_libdir}/samba/bind9/dlz_bind9_11.so\n%{_libdir}/samba/ldb/dsdb_notification.so\n%{_libdir}/samba/ldb/vlv.so|' \
> /home/lesca/rpmbuild/SPECS/samba.spec
>
> # Install build dependencies
> sudo yum install -y gnutls-devel
> sudo yum-builddep -y ./rpmbuild/SPECS/samba.spec
> # sudo dnf builddep -y ./rpmbuild/SPECS/samba.spec # Fedora
>
> # Rebuild samba ...
> rpmbuild --without clustering -ba ./rpmbuild/SPECS/samba.spec
>
> # Create repository ...
> createrepo ./rpmbuild/RPMS
>
> # Copy all in some public place ...
> rsync -avzR --delete ./rpmbuild/./{RPMS,SRPMS} 10.11.12.1:/var/www/html/samba4/rpmbuild/
>
> # Follow HowTo for deploy... 
>

Hope this helps

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)
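
A guard for the spec-editing step in the procedure above, as an added example that is not part of the original post: sed exits successfully even when a pattern matches nothing, so these functions check that each toggle line exists exactly once before editing and confirm the value afterwards. The function names and the sample spec text are constructed for illustration; GNU sed and grep are assumed, as on CentOS and Fedora.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): apply the with_mitkrb5/with_dc
# toggles to a samba.spec, failing loudly if the spec does not look the
# way the sed expressions assume.

# count_global SPEC NAME -> prints how many "%global NAME <0|1>" lines exist
count_global() {
    grep -Ec "^%global[[:space:]]+$2[[:space:]]+[01][[:space:]]*\$" "$1" || true
}

# global_value SPEC NAME -> prints the current 0/1 value of the toggle
global_value() {
    sed -nE "s/^%global[[:space:]]+$2[[:space:]]+([01])[[:space:]]*\$/\1/p" "$1"
}

# set_global SPEC NAME VALUE -> rewrite one toggle in place and verify it
set_global() {
    local spec="$1" name="$2" value="$3" n
    case "$value" in
        0|1) ;;
        *) echo "error: value must be 0 or 1" >&2; return 2 ;;
    esac
    n=$(count_global "$spec" "$name")
    if [ "$n" -ne 1 ]; then
        echo "error: expected one '%global $name' line, found $n" >&2
        return 1
    fi
    # Only the trailing 0/1 on the matching line is replaced.
    sed -i -E "/^%global[[:space:]]+$name[[:space:]]+[01][[:space:]]*\$/ s/[01][[:space:]]*\$/$value/" "$spec"
    [ "$(global_value "$spec" "$name")" = "$value" ]
}

# enable_dc_build SPEC -> Heimdal-based AD DC build: with_mitkrb5 0, with_dc 1.
# Edits a temporary copy and moves it into place only if both toggles were
# applied, so a spec with a changed layout is never left half-edited.
enable_dc_build() {
    local spec="$1" tmp
    [ -f "$spec" ] || { echo "error: no such spec: $spec" >&2; return 1; }
    tmp=$(mktemp "$spec.XXXXXX") || return 1
    cp -p "$spec" "$tmp"
    if set_global "$tmp" with_mitkrb5 0 && set_global "$tmp" with_dc 1; then
        mv "$tmp" "$spec"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: only the two toggle lines matter for this demo.
demo() {
    local dir spec
    dir=$(mktemp -d) || return 1
    spec="$dir/samba.spec"
    printf '%s\n' 'Name: samba' '%global with_mitkrb5 1' '%global with_dc 0' > "$spec"
    enable_dc_build "$spec" && grep '^%global' "$spec"
    rm -rf "$dir"
}
demo
```

Running `diff -u` between the source RPM's spec and the edited one before `rpmbuild` shows exactly what the local build changes.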


Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Mon, Feb 20, 2017 at 1:50 AM, Dario Lesca via samba <
[hidden email]> wrote:

> On Sun, 19/02/2017 at 21.17 -0700, Jeff Sadowski via samba
> wrote:
> > I was never able to build it in a way
>
> I have rebuild samba from rpm source on Centos 7 (samba 4.4.4) and
> Fedora (samba  4.5.5) with this procedure:
>
> > > [lesca@dodo rpmbuild]$ cat rebuild.txt
> > #
> >
> > # Install Development ...
> > sudo yum -y groupinstall 'Development Tools'
> > # sudo dnf -y groupinstall 'Development Tools' # Fedora
> >
> > # Install yum/dnf utilitiy
> > sudo yum -y install rpm-build yum-utils createrepo
> > # sudo dnf -y install rpm-build yum-utils createrepo # Fedora
> >
> > # Download last samba source
> > # or download froma a centos mirror if vault don't work:
> http://bay.uchicago.edu/centos-vault/7.3.1611/
> > yumdownloader --source samba
> > # dnf download --source samba # Fedora
> >
> > # Install samba source
> > rpm -ivh samba-4.*.src.rpm
> >
> > # Modify .spec file
> > sed -i \
> >       -e 's/%define main_release .*/&.1/' \
> >       -e 's/%global with_mitkrb5 1/%global with_mitkrb5 0/' \
> >       -e 's/%global with_dc 0/%global with_dc 1/' \
> >       /home/lesca/rpmbuild/SPECS/samba.spec
> >
> > # samba 4.5.x (Fedora) do also this....
> > sed -i \
> >       -e 's|^%.*libntvfs-samba4.so|# &\n%{_libdir}/samba/bind9/dlz_
> bind9_11.so\n%{_libdir}/samba/ldb/dsdb_notification.so\n%{_libdir}/samba/ldb/vlv.so|'
> \
> >       /home/lesca/rpmbuild/SPECS/samba.spec
> >
>

Thank you. I think this was the part I was having the most issues with.
It will also be helpful having everything I need installed like the rest of
what you sent me has.
Would rawhide be the best place to try this or should I back off to 25 or
26 (I think rawhide is beyond the breakpoint for 26)?


> > # Install Build dependence
> > sudo yum install -y gnutls-devel
> > sudo yum-builddep -y ./rpmbuild/SPECS/samba.spec
> > # sudo dnf builddep -y ./rpmbuild/SPECS/samba.spec # Fedora
> >
> > # Rebuild samba ...
> > rpmbuild --without clustering -ba ./rpmbuild/SPECS/samba.spec
> >
> > # Create repository ...
> > createrepo ./rpmbuild/RPMS
> >
> > # Copy all in some public place ...
> > rsync -avzR --delete ./rpmbuild/./{RPMS,SRPMS} 10.11.12.1:/var/www/html/
> samba4/rpmbuild/
> >
> > # Follow HowTo for deploy...
> >
>
> hope this help
>
> --
> Dario Lesca
> (sent from my Linux Fedora 25 Workstation)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Mon, 20/02/2017 at 07.09 -0700, Jeff Sadowski via samba
wrote:

> > > sed -i \
> > >        -e 's|^%.*libntvfs-samba4.so|#
> > > &\n%{_libdir}/samba/bind9/dlz_
> >
> > bind9_11.so\n%{_libdir}/samba/ldb/dsdb_notification.so\n%{_libdir}/
> > samba/ldb/vlv.so|'
> > \
> > >        /home/lesca/rpmbuild/SPECS/samba.spec
> > >
>
> Thank you. I think this was the part I was having the most issues
> with.
> It will also be helpful having everything I need installed like the
> rest of what you sent me has.
> Would rawhide be the best place to try this or should I back off to
> 25 or 26 (I think rawhide is beyond the breakpoint for 26)?
 
This kind of change (adding some new files to the files section) comes from
some of my humble attempts to rebuild the package.

I think this type of rebuild (with_mitkrb5 0 + with_dc 1) is not fully
tested, and consequently the samba.spec file is sometimes not set
properly and aligned with the new features included by the Samba team.

Then I do not know which is the best place to put these changes; you
can rebuild it on your own machine.

It would be helpful if the maintainer of samba.spec put into it an 'if
dc' (or something like that) so that people do not have to edit the spec
file every time but can simply use, for example, a '--with_dc' option.

IMHO: if Samba supports Heimdal, Samba must be rebuilt in this way. Then,
when the port to MIT is finished, people will decide whether to use
Heimdal or MIT. In most cases, a Samba server lives its own life and
must not be integrated with other services or servers using MIT.

But this is my humble opinion.

Thanks.

--
Dario Lesca
(sent from my Linux Fedora 25 Workstation)


Re: Official RHEL AD DC on RHEL

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sun, 19 Feb 2017, Jeff Sadowski via samba wrote:

> I was never able to build it in a way I feel comfortable on Fedora. I would
> want to build it using an RPM build process. I think I want an MIT build
> but I don't know what all I would need to build either way. I thought it

What do you hope to gain from an MIT build?  The MIT kerberos user tools
(kinit, etc) operate just fine with keytabs generated by the Heimdal Samba
KDC.  I understand that the distro wants to ship a unified set of
packages, but for end users doing their own builds, I don't think it
really matters much.

FWIW, I rebuilt the CentOS 7.2 Samba packages (samba-4.2.10-7) with DC
support.  It required building without MIT and with DC support, and also
adding the samba.service file that RH didn't include.  I also increased
the epoch so system updates with a newer version would never override my
local build.

I also had to add

export LDB_MODULES_PATH=/usr/lib64/samba/ldb/

to my bash profile for the ldb tools to work.

However, when I rebuilt the CentOS 7.3 packages (4.4.4-12.el7_3), I am
unable to replicate with any of my older DCs (4.1 or 4.2 sernet, or my
rebuilt CentOS 4.2.10 DCs).  This happened even when I built straight from
source, so I think either 4.4 requires some dependency that 7.3
doesn't meet, or there may be some issue with some dependency on 7.3
that wasn't an issue on 7.2.

In case it's useful, this is the extent of my changes to the spec file:

--- samba.spec 2017-01-17 11:21:48.000000000 -0600
+++ samba-dc.spec 2017-01-27 13:58:55.736213036 -0600
@@ -56,8 +56,8 @@
  %global libwbc_alternatives_suffix -64
  %endif

-%global with_mitkrb5 1
-%global with_dc 0
+%global with_mitkrb5 0
+%global with_dc 1

  %if %{with testsuite}
  # The testsuite only works with a full build right now.
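
Review bot: The two toggles at the top of this hunk are flipped by editing hard-coded %global values, so the same edit has to be redone on every new source RPM and nothing in the spec records why the build differs from the distribution's. The context lines show the spec already branches on %{with testsuite}; exposing the DC and Kerberos choice as a build conditional in the same style would let the DC build be selected on the rpmbuild command line, and a comment beside with_mitkrb5 0 should say that it goes together with with_dc 1.
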
@@ -78,9 +78,9 @@
  Release:        %{samba_release}

  %if 0%{?rhel}
-Epoch:          0
+Epoch:          4
  %else
-Epoch:          2
+Epoch:          4
  %endif

  %if 0%{?epoch} > 0
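
Review bot: After this change both branches of the %if 0%{?rhel} block set Epoch: 4, so the conditional no longer does anything and can be collapsed to a single Epoch line. Because a higher epoch outranks any version in a lower epoch, distribution updates, security errata included, will no longer replace these packages; add a spec comment stating that this is deliberate and that fixes now have to come from local rebuilds.
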
@@ -879,7 +879,7 @@
  %endif

  install -d -m 0755 %{buildroot}%{_unitdir}
-for i in nmb smb winbind ; do
+for i in nmb smb winbind samba ; do
      cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
      install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
  done
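
Review bot: The loop that now includes samba follows the %endif shown in the context, so samba.service appears to be installed into the buildroot even when with_dc is 0, while the %files entry added later in this patch is listed only under with_dc; a non-DC build would then leave an unpackaged unit file. Guard the extra loop item with the same with_dc conditional, or list the unit unconditionally. The cat ... | sed ... >tmp$i.service pipeline also hides a missing packaging/systemd/samba.service, because the pipeline's exit status is sed's and an empty unit would be installed; passing the file to sed directly would make that case fail the build.
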
@@ -1515,6 +1515,7 @@
  %{_datadir}/samba/setup
  %{_mandir}/man8/samba.8*
  %{_mandir}/man8/samba-tool.8*
+%{_unitdir}/samba.service
  %else # with_dc
  %doc packaging/README.dc
  %endif # with_dc
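
Review bot: The added %{_unitdir}/samba.service line only lists the unit under the with_dc branch of %files, and none of the four hunks touches the package scriptlets. Check that the subpackage owning this entry also handles samba.service on install, upgrade and removal wherever the spec handles the nmb, smb and winbind units; otherwise the unit ships but is not restarted or disabled with the package.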



Re: Official RHEL AD DC on RHEL

Samba - General mailing list
On Tue, Feb 21, 2017 at 7:43 AM, Sketch <[hidden email]> wrote:

> On Sun, 19 Feb 2017, Jeff Sadowski via samba wrote:
>
> I was never able to build it in a way I feel comfortable on Fedora. I would
>> want to build it using an RPM build process. I think I want an MIT build
>> but I don't know what all I would need to build either way. I thought it
>>
>
> What do you hope to gain from an MIT build?  The MIT kerberos user tools
> (kinit, etc) operate just fine with keytabs generated by the Heimdal Samba
> KDC.  I understand that the distro wants to ship a unified set of packages,
> but for end users doing their own builds, I don't think it really matters
> much.
>

Nothing really, I think I'll do it how Dario Lesca showed me with building
the packages.
I was just hoping the MIT build with AD DC support would just start
showing up in at least Fedora Rawhide
so I don't have to build it myself at all.
If I can script build it similar to how Dario Lesca built it I can live
with that for now I guess.

Or maybe I'll install CentOS and use Nico Kadel-Garcia's repo that he
shared. Although I'm not sure what version he is on.

I just want a reliable AD DC and as much as I complain about my Ubuntu
implementation I really haven't had a problem with it.
I would like to create a second DC and replicate but I don't know how well
that will work.

I think I need to rebuild bind as well because I want to use it how I did
in Ubuntu. I seem to recall it needing something built in to work with
Samba.


> FWIW, I rebuilt the CentOS 7.2 Samba packages (samba-4.2.10-7) with DC
> support.  It required building without MIT and with DC support, and also
> adding the samba.service file that RH didn't include.  I also increased
> the epoch so system updates with a newer version would never override my
> local build.
>

Ouch, changing epoch wouldn't that cause all sorts of havoc with keeping
client times and server times synced?
Maybe there is a better way to distinguish the package name so it doesn't
think it is an upgrade?
Maybe build it as ADDC-samba-4.X.X so Fedora won't try to update it?


> I also had to add
>
> export LDB_MODULES_PATH=/usr/lib64/samba/ldb/
>
> to my bash profile for the ldb tools to work.
>
> However, when I rebuilt the CentOS 7.3 packages (4.4.4-12.el7_3), I am
> unable to replicate with any of my older DCs (4.1 or 4.2 sernet, or my
> rebuilt CentOS 4.2.10 DCs).  This happened even when I built straight from
> source, so I think either 4.4 requires some dependency that 7.3 doesn't
> meet, or there may be some issue with some dependency on 7.3 that wasn't an
> issue on 7.2.
>

I think Fedora will be OK with building later versions as it keeps packages
a little better up to date.
Yeah replication is my fear. I'm hoping if I get to a version that supports
replication better.
I thought Samba 4.6 is supposed to have replication, correct?
or 4.7rcX? or is replication still something I need to do manually with an
rsync?

I'm hoping all I need to do to replicate is to join the domain and promote
it to a DC. Will that work?
(My current DC is 4.3.11-Ubuntu)


> In case it's useful, this is the extent of my changes to the spec file:
>
> --- samba.spec  2017-01-17 11:21:48.000000000 -0600
> +++ samba-dc.spec       2017-01-27 13:58:55.736213036 -0600
> @@ -56,8 +56,8 @@
>  %global libwbc_alternatives_suffix -64
>  %endif
>
> -%global with_mitkrb5 1
> -%global with_dc 0
> +%global with_mitkrb5 0
> +%global with_dc 1
>
>  %if %{with testsuite}
>  # The testsuite only works with a full build right now.
> @@ -78,9 +78,9 @@
>  Release:        %{samba_release}
>
>  %if 0%{?rhel}
> -Epoch:          0
> +Epoch:          4
>  %else
> -Epoch:          2
> +Epoch:          4
>  %endif
>
>  %if 0%{?epoch} > 0
> @@ -879,7 +879,7 @@
>  %endif
>
>  install -d -m 0755 %{buildroot}%{_unitdir}
> -for i in nmb smb winbind ; do
> +for i in nmb smb winbind samba ; do
>      cat packaging/systemd/$i.service | sed -e 's@
> \[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/
> samba/krb5cc_samba@g' >tmp$i.service
>      install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
>  done
> @@ -1515,6 +1515,7 @@
>  %{_datadir}/samba/setup
>  %{_mandir}/man8/samba.8*
>  %{_mandir}/man8/samba-tool.8*
> +%{_unitdir}/samba.service
>  %else # with_dc
>  %doc packaging/README.dc
>  %endif # with_dc
>
>

Re: Offical RHEL AD DC on RHEL

Samba - General mailing list
On Tue, 21 Feb 2017, Jeff Sadowski via samba wrote:

> On Tue, Feb 21, 2017 at 7:43 AM, Sketch <[hidden email]> wrote:
>
>>  I also increased the epoch so system updates with a newer version
>> would never override my local build.
>
> Ouch, changing epoch wouldn't that cause all sorts of havoc with keeping
> client times and server times synced?
> Maybe there is a better way to distinguish the package name so it doesn't
> think it is an upgrade?
> Maybe build it as ADDC-samba-4.X.X so Fedora won't try to update it?

In this case, epoch is just an extra RPM tag used to enforce versioning,
nothing to do with time.  You could also rename the package instead, but
the samba package already uses the epoch tag anyway (set differently for
RHEL and Fedora, for some reason).

https://ask.fedoraproject.org/en/question/6987/whats-the-meaning-of-the-number-which-appears-sometimes-when-i-use-yum-to-install-a-fedora-package-before-a-colon-at-the-beginning-of-the-name-of-the/

> I think Fedora will be OK with building later versions as it keeps packages
> a little better up to date.
> Yeah replication is my fear. I'm hoping if I get to a version that supports
> replication better.
> I thought Samba 4.6 is supposed to have replication, correct?
> or 4.7rcX? or is replication still something I need to do manually with an
> rsync?
>
> I'm hoping all I need to do to replicate is to join the domain and promote
> it to a DC. Will that work?

That should work.  Replication generally works fine, but they have made
fixes and improvements over time, so the newer (stable) version you run,
the better.  The only time I have really had any issues in production was
with 4.1, and that was mostly only with manual deletion of objects with
ldbedit not getting replicated.  I'm not really sure what's going on with
4.4 or newer on CentOS 7.3.  As far as I know, there should be no
replication issues with older versions.

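The epoch behaviour described in the reply above, as an added example (not code from the thread or from RPM itself): a simplified Python version of RPM's epoch:version-release ordering, showing why the Epoch 4 local build outranks any distribution samba update, which also means distribution security updates will not replace it. The function names are hypothetical, `~` and `^` ordering is not handled, and the epoch/version pairings are constructed from values quoted in the thread.

```python
import re


def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit runs and letter runs left to right."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, sep, release = evr.rpartition("-")
    if not sep:  # no release part present
        version, release = evr, ""
    return epoch, version, release


def compare_evr(a, b):
    """Return 1 if a is newer than b, -1 if older, 0 if equal."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:  # epoch is checked first and overrides everything else
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def update_would_replace(installed, candidate):
    """True if a package manager would treat candidate as an upgrade."""
    return compare_evr(candidate, installed) > 0


if __name__ == "__main__":
    local = "4:4.2.10-7"  # constructed: Epoch 4 from the patch, 4.2.10-7 rebuild
    for distro in ("0:4.4.4-12.el7_3", "2:4.4.4-12.el7_3"):  # constructed
        print(distro, "replaces", local, "->", update_would_replace(local, distro))
```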