[CentOS] SAMBA as AD DC


[CentOS] SAMBA as AD DC

Sergio Belkin
Hi folks,

Is SAMBA on CentOS 7 able to work as an Active Directory Domain Controller? If
it's not, what is the recommended way of doing it? Compiling from sources?
Installing packages from SerNet?

Thanks in advance!
--
--
Sergio Belkin  http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org
_______________________________________________
CentOS mailing list
[hidden email]
http://lists.centos.org/mailman/listinfo/centos

Re: [CentOS] SAMBA as AD DC

Aly Khimji
Yes, Samba4 is capable of working as an AD domain controller and more.

See link.

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Aly
On Sep 6, 2014 4:16 PM, "Sergio Belkin" <[hidden email]> wrote:

> Hi folks,
>
> Is able SAMBA on CentOS 7 to work as Active Directory Domain Controller? If
> it's not, what is the recommended way of doing? Compiling from sources?
> Install packages from SerNet?
>
> Thanks in advance!
> --
> --
> Sergio Belkin  http://www.sergiobelkin.com
> LPIC-2 Certified - http://www.lpi.org
> _______________________________________________
> CentOS mailing list
> [hidden email]
> http://lists.centos.org/mailman/listinfo/centos
>

Re: [CentOS] SAMBA as AD DC

Sergio Belkin
Hmmmm, perhaps I didn't explain myself well enough.

I already know that Samba is "capable of working as a AD domain controller and
more".

I'm asking about the official packages of CentOS, I mean from the official
repos.


Thanks in advance


2014-09-06 18:01 GMT-03:00 Aly Khimji <[hidden email]>:

> Yes Samba4 is capable of working as a AD domain controller and more.
>
> See link.
>
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> Aly
> On Sep 6, 2014 4:16 PM, "Sergio Belkin" <[hidden email]> wrote:
>
> > Hi folks,
> >
> > Is able SAMBA on CentOS 7 to work as Active Directory Domain Controller?
> If
> > it's not, what is the recommended way of doing? Compiling from sources?
> > Install packages from SerNet?
> >
> > Thanks in advance!
> > --
> > --
> > Sergio Belkin  http://www.sergiobelkin.com
> > LPIC-2 Certified - http://www.lpi.org
> > _______________________________________________
> > CentOS mailing list
> > [hidden email]
> > http://lists.centos.org/mailman/listinfo/centos
> >
> _______________________________________________
> CentOS mailing list
> [hidden email]
> http://lists.centos.org/mailman/listinfo/centos
>



--
--
Sergio Belkin  http://www.sergiobelkin.com
LPIC-2 Certified - http://www.lpi.org

Re: [CentOS] SAMBA as AD DC

Aly Khimji
It would appear the samba4 DC isn't available for C7 just yet.

"As Fedora and RHEL are using MIT Kerberos implementation as its Kerberos
infrastructure of choice, the Samba Active Directory Domain Controller
implementation is not available with MIT Kerberos at the moment."

Ref:
http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller

HTH

Aly

Re: [CentOS] SAMBA as AD DC

Frantisek Hanzlik
Aly Khimji wrote:

> It would appear the samba4 DC isn't available for C7 just yet.
>
> "As Fedora and RHEL are using MIT Kerberos implementation as its Kerberos
> infrastructure of choice, the Samba Active Directory Domain Controller
> implementation is not available with MIT Kerberos at the moment."
>
> Ref:
> http://community.spiceworks.com/topic/535153-centos-7-samba-domain-controller
>
> HTH
>
> Aly
> Hmmmm perhaps I don't explain myself enough.
>
> I already know that Samba "capable of working as a AD domain controller and
> more".
>
> I'm asking about the official packages of CentOS, I mean from official
> repo's.
>
>
> Thanks in advance
>
>
> 2014-09-06 18:01 GMT-03:00 Aly Khimji <[hidden email]>:
>
>> Yes Samba4 is capable of working as a AD domain controller and more.
>>
>> See link.
>>
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>
>> Aly
>> On Sep 6, 2014 4:16 PM, "Sergio Belkin" <[hidden email]> wrote:
>>
>>> Hi folks,
>>>
>>> Is able SAMBA on CentOS 7 to work as Active Directory Domain Controller?
>> If
>>> it's not, what is the recommended way of doing? Compiling from sources?
>>> Install packages from SerNet?
>>>
>>> Thanks in advance!
>>> --
>>> --
>>> Sergio Belkin  http://www.sergiobelkin.com
>>> LPIC-2 Certified - http://www.lpi.org

IMO there are a _lot_ of Fedora/RHEL/CentOS users (including me) who
do not use FreeIPA or other Kerberos-based stuff, but want to use
Samba4 with AD enabled. For them it is not important whether they use
the MIT or Heimdal Kerberos implementation. Then the logical question:
Are there (unofficial) Samba4 RPM packages with Heimdal Kerberos
available somewhere for these distributions?

I'm rather skeptical about a near-term implementation of MIT Kerberos in
Samba4, because this work has been going on for many years and still without
success (and maybe without any clear roadmap for it).

Franta Hanzlik

Re: [CentOS] SAMBA as AD DC

James Hogarth
On 7 Sep 2014 13:01, "Frantisek Hanzlik" <[hidden email]> wrote:
>
> Are somewhere for these distribution available (unofficial) Samba4
> RPMs packages with Heimdal Kerberos?
>

http://www.enterprisesamba.com

We use these at my workplace.

As for the MIT bit according to the samba technical list if it doesn't land
in 4.2 it will in 4.3 ...

Re: [CentOS] SAMBA as AD DC

Frantisek Hanzlik
James Hogarth wrote:

> On 7 Sep 2014 13:01, "Frantisek Hanzlik" <[hidden email]> wrote:
>>
>> Are somewhere for these distribution available (unofficial) Samba4
>> RPMs packages with Heimdal Kerberos?
>>
>
> http://www.enterprisesamba.com
>
> We use these at my workplace.
>
> As for the MIT bit according to the samba technical list if it doesn't
> land in 4.2 it will in 4.3 ...

Hi James, thanks for the reply. It seems SerNet's site has packages
for RHEL6/CentOS6 only, not for RHEL7/CentOS7 or any Fedora versions,
at least this.

Regarding Samba4 with MIT in 4.2/4.3 - as far as I know, 4.2 is still not
even in rc, thus the final release can perhaps be at the turn of the year.
And when the time between releases is approx. 9 months, then we can wait
around a year...
I'll keep my fingers crossed that it happens in 4.2

Franta Hanzlik

Re: [CentOS] SAMBA as AD DC

James Hogarth
On 8 Sep 2014 17:00, "Frantisek Hanzlik" <[hidden email]> wrote ...
>
> Hi James, thanks for reply. It seems as at SerNet's site have packages
> for RHEL6/Centos6 only, not for RHEL7/Centos7 or any Fedora versions,
> at least this.
>

Indeed but fortunately EL6 has many years ahead of it yet.

> Regarding to Samba4 with MIT in 4.2/4.3 - as I know, 4.2 still is not
> even in rc, thus final release can be perhaps at the turn of the year.

The rc is due Sep 15th last I heard.

> And when time between releases is approx. 9 month, then we can wait around
> for year...
> I'll keep my fingers crossed, that it happen in 4.2

Andrew Bartlett has expressed an opinion on the samba technical list that
he'd be in favour of a very short 4.2 cycle if it means getting these sort
of updates out.

Re: [CentOS] SAMBA as AD DC

Markus Steinborn
In reply to this post by Frantisek Hanzlik
Frantisek Hanzlik wrote:
> Are somewhere for these distribution available (unofficial) Samba4
> RPMs packages with Heimdal Kerberos?
>
I am trying to build some - as I want them, too.

See http://rghost.net/57999078 for a compressed tarball with the mock
result (i.e. srpm, rpm and build logs).

The package is working, but there is one problem I need help fixing:

Starting samba by "systemctl start samba.service" or "service start
samba" seems to start samba, but if you try to join a domain from a
Windows client, it will fail, reporting that the RPC server is not available.

If you start samba by running "/usr/sbin/samba" from a console where
root is logged in, samba is working as expected: Windows clients can
join the domain.

Any idea how to fix that issue?


Thanks + Greetings from Germany

Markus Steinborn


Re: [CentOS] SAMBA as AD DC

Rob Kampen-2
On 09/14/2014 06:39 AM, Markus Steinborn wrote:

> Frantisek Hanzlik wrote:
>> Are somewhere for these distribution available (unofficial) Samba4
>> RPMs packages with Heimdal Kerberos?
>>
> I am trying to build some - as I want them, too.
>
> See http://rghost.net/57999078 for a compressed tarball with the mock
> result (i. e. srpm, rpm and build logs).
>
> The package is working, but there is one problem I need help to fix it:
>
> Starting samba by "systemctl start samba.service" or "service start
> samba" seems to start samba, but if you try to join a domain from a
> windows client, it will fail reporting that the rpc server is not
> available.
>
> If you start samba by running "/usr/sbin/samba" from a console where
> root is logged in, samba is working as expected: Windows clients can
> join the domain.
>
> Any idea how to fix that issue?
>
Would this be due to not starting the nmb service? Samba provides two
services, smb AND nmb; you want to ensure both are running. HTH
>
> Thanks + Greetings from Germany
>
> Markus Steinborn
>
> _______________________________________________
> CentOS mailing list
> [hidden email]
> http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SAMBA as AD DC

Miguel Medalha
In reply to this post by Sergio Belkin
Why don't you use Sernet Enterprise Samba?

They provide precompiled packages for a bunch of distros.

Re: [CentOS] SAMBA as AD DC

Markus Steinborn
In reply to this post by Rob Kampen-2
Hi Rob,

Rob Kampen wrote:
> Would this be due to not starting the nmb service? Samba provide two
> services smb AND nmb, you want to ensure both are running. HTH
Well, for AD DC mode, starting smbd and/or nmbd issues an error saying
you would have to start "samba" instead - in this mode smbd and nmbd are
not supposed to be started directly.

And "ps xa" shows identical process lists for the working variant
started by "/usr/sbin/samba" and for the non-working variant "service
samba start".

But I also had an idea what to check: Turning selinux off did fix the
samba started by systemd. So it is a selinux issue.

Greetings

Markus Steinborn


Re: [CentOS] SAMBA as AD DC

Markus Steinborn
In reply to this post by Miguel Medalha
Hi  Miguel

Miguel Medalha schrieb:
> Why don't  you use Sernet Enterprise Samba?
>
> They provide precompiled packages for a bunch of distros.
I've read on this list recently (archived at
http://lists.centos.org/pipermail/centos/2014-September/145681.html)
that they do not provide RPMs for RHEL/CentOS 7. So this seems not to
be an option.


Greetings

Markus

Re: [CentOS] SAMBA as AD DC

James Hogarth
On 14 September 2014 09:01, Markus Steinborn <[hidden email]> wrote:

> Hi  Miguel
>
> Miguel Medalha schrieb:
>
>> Why don't  you use Sernet Enterprise Samba?
>>
>> They provide precompiled packages for a bunch of distros.
>>
> I've read in this list recently ( archived at http://lists.centos.org/
> pipermail/centos/2014-September/145681.html )that they do not provide
> RPMs for RHEL/CentOS 7. So this seems not to be an option.
>
>
There's no 'need' to  be on C7 right now ...

If your requirement is "runs sernet samba for AD services" then C7 does not
meet that requirement at this time ...

C6 is supported till 2020 ... there's no hurry here.

Re: [CentOS] SAMBA as AD DC

Miguel Medalha
In reply to this post by Sergio Belkin
>> Why don't  you use Sernet Enterprise Samba?

> (...) they do not provide RPMs for RHEL/CentOS 7. So this seems not to be an option.

As someone said before, you don't need to use "the latest and greatest" to run a functional service... On a production environment that is even often undesirable until things settle down...

Anyway, Sernet also provides a source rpm. Why not build up from that base?

Re: [CentOS] SAMBA as AD DC

Arun Khan
On Mon, Sep 15, 2014 at 4:07 AM, Miguel Medalha <[hidden email]> wrote:
>>> Why don't  you use Sernet Enterprise Samba?
>
>> (...) they do not provide RPMs for RHEL/CentOS 7. So this seems not to be an option.
>
> As someone said before, you don't need to use "the latest and greatest" to run a functional service... On a production environment that is even often undesirable until things settle down...
>
> Anyway, Sernet also provides a source rpm. Why not build up from that base?

+1 However, the init scripts from the built RPMs may not be compatible
with C7 (systemd).
I believe the OP is having problems with starting the daemons not
building the Samba4.

The Sernet Samba4 packages work like a champ on C6.5.

-- Arun Khan

Re: [CentOS] SAMBA as AD DC

Markus Steinborn
In reply to this post by Miguel Medalha
Hi Miguel,

Miguel Medalha wrote:
>>> Anyway, Sernet also provides a source rpm. Why not build up from
>>> that base?
>>>
CentOS 7 is using systemd - that would cause problems.


And anyway, I've used the samba package from CentOS-7 as base. This way,
incompatibilities with base samba4 are minimized (same paths etc.).

I've already written in this thread: It has turned out that selinux is
the problem - turning off selinux helps. But that is not really what
you want to... And since the problem is selinux, I am not sure if
Sernet's source would have changed anything.

Anyway, I do not think that my package is broken anymore since selinux
configuration is a different thing.


Greetings

Markus

Re: [CentOS] SAMBA as AD DC

Daniel Walsh
What AVC's is SELinux giving you?

On 09/15/2014 02:48 AM, Markus Steinborn wrote:

> Hi Miguel,
>
> Miguel Medalha wrote:
>>>> Anyway, Sernet also provides a source rpm. Why not build up from
>>>> that base?
>>>>
> CentOS 7 is using systemd - that would cause problems.
>
>
> And anyway, I've used the package samba from CentOS-7 as base. This
> way, incompatibilities with base samba4 are minimized (same paths etc.).
>
> I've already written in this thread: It has turned out that selinux is
> the problem - turning off selinux helps.. But that is not really what
> you want to...And since the problem is selinux, I am not sure if
> Sernet's source would have anything changed.
>
> Anyway, I do not think that my package is broken anymore since selinux
> configuration is a different thing.
>
>
> Greetings
>
> Markus
> _______________________________________________
> CentOS mailing list
> [hidden email]
> http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SAMBA as AD DC

Markus Steinborn
Hi Daniel,

Daniel J Walsh wrote:
> What AVC's is SELinux giving you?
Policy has been "enforcing" - and I see the following AVCs at the end
of my audit log - but those repeated several times:

type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto } for  pid=2330 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto } for  pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


Greetings

Markus

Re: [CentOS] SAMBA as AD DC

Daniel Walsh

On 09/16/2014 10:50 AM, Markus Steinborn wrote:

> Hi Daniel,
>
> Daniel J Walsh wrote:
>> What AVC's is SELinux giving you?
> Policy has been "enforcing" - and I see the following AVCs at the end
> of my audit log - but those repeated several times:
>
> type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto }
> for  pid=2330 comm="smbd" path="/run/samba/winbindd/pipe"
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto }
> for  pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon"
> scontext=system_u:system_r:smbd_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
>
This looks like you have something running as init_t that is listening
on "/run/samba/winbindd/pipe"

ps -eZ | grep init_t

>
> Greetings
>
> Markus
> _______________________________________________
> CentOS mailing list
> [hidden email]
> http://lists.centos.org/mailman/listinfo/centos

_______________________________________________
CentOS mailing list
[hidden email]
http://lists.centos.org/mailman/listinfo/centos
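
Added example (not part of any poster's message): a small parser for the AVC denials quoted in this thread. For a "connectto" denial on a unix_stream_socket, tcontext is the label of the process that owns the listening socket, so the script lists the sockets whose owner is running as init_t. The function names are illustrative, and the sample input is constructed from the two records posted above.

```python
import re
from collections import Counter

# Constructed input: the two denials quoted in the thread, hard-wrapped by mail.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1410628837.928:422): avc:  denied  { connectto } for
pid=2330 comm="smbd" path="/run/samba/winbindd/pipe"
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1410628852.301:430): avc:  denied  { connectto } for
pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon"
scontext=system_u:system_r:smbd_t:s0
tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):\s+"
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin hard-wrapped records; each new record starts with 'type='."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("type=") or (line and not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def selinux_type(context):
    """Type field of a user:role:type[:level] security context."""
    return context.split(":")[2] if context.count(":") >= 2 else context

def parse_denials(text):
    """Parse AVC denials into dicts; other or incomplete records are skipped."""
    denials = []
    for record in unwrap(text):
        m = AVC_RE.search(record)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue
        denials.append({
            "serial": int(m.group("serial")), "perms": m.group("perms").split(),
            "path": fields.get("path"), "tclass": fields["tclass"],
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]),
        })
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, permission)."""
    return Counter((d["source"], d["target"], d["tclass"], p)
                   for d in denials for p in d["perms"])

def sockets_owned_by(denials, domain="init_t"):
    """Socket paths whose listening process runs in `domain` (connectto target)."""
    return sorted({d["path"] for d in denials
                   if d["tclass"] == "unix_stream_socket" and d["path"]
                   and "connectto" in d["perms"] and d["target"] == domain})
```

The paths returned by sockets_owned_by() are the sockets to match against the processes shown by the "ps -eZ | grep init_t" check suggested in the last reply.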