Gentoo Forums
Samba 4 AD DC using MIT Kerberos?
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Tue May 23, 2017 3:21 am    Post subject: Samba 4 AD DC using MIT Kerberos?

Samba is still using Heimdal by default, I believe, but MIT Kerberos is a compile-time option. Has anyone successfully built the latest Samba with MIT Kerberos and implemented it as a (roughly) Active-Directory compatible domain controller?

I've done it with Heimdal, but not as above. How about you losers (those few of you who even understand what I'm asking)?

Bonus points for bind9 dlz with dynamic DNS and reverse lookup zone.

wildhorse
Tux's lil' helper
Joined: 16 Mar 2006
Posts: 149
Location: Estados Unidos De América
PostPosted: Fri May 26, 2017 9:35 am

MIT Kerberos yes, addc no.

These are my USE options for net-fs/samba-4.6.3:
Code:
acl addns ads client cups gnutls ldap pam python syslog system-mitkrb5 winbind
-addc -cluster -dmapi -fam -gpg -iprint -quota (-selinux) (-system-heimdal) -systemd {-test} -zeroconf
PYTHON_TARGETS="python2_7"


Put whatever samba-specific options you need into /etc/portage/package.use, like
Code:
net-fs/samba -addc addns aio client python server smbclient winbind system-mitkrb5


I had to apply a simple patch to make it work. Haven't checked it recently, but I presume that patch may still be needed.
Add a file /etc/portage/env/package_samba.conf
Code:
CFLAGS="${CFLAGS} -DHDB_ERR_WRONG_REALM=(36150299L)"
CXXFLAGS="${CXXFLAGS} -DHDB_ERR_WRONG_REALM=(36150299L)"


These are the Kerberos packages:
app-crypt/mit-krb5-1.14.4 (abi_x86_64 doc keyutils nls pkinit threads xinetd)
virtual/krb5-0-r1 (abi_x86_64)

For the sake of completeness, here are some options from my /etc/portage/make.conf (on an Intel i7-2600 machine):
Code:
MAKEOPTS="-j8"
CFLAGS="-pipe -march=sandybridge -mtune=sandybridge -maes -mavx -mmmx -mpopcnt -msse -msse2 -msse3 -msse4.1 -msse4.2 -mssse3 -O2 -fno-strict-overflow -floop-parallelize-all -ftree-parallelize-loops=4 -flto -ffat-lto-objects -pthread"
CXXFLAGS="-pipe -march=sandybridge -mtune=sandybridge -maes -mavx -mmmx -mpopcnt -msse -msse2 -msse3 -msse4.1 -msse4.2 -mssse3 -O2 -fno-strict-overflow -floop-parallelize-all -ftree-parallelize-loops=4 -flto -ffat-lto-objects -pthread"
FFLAGS="-pipe -march=sandybridge -mtune=sandybridge -maes -mavx -mmmx -mpopcnt -msse -msse2 -msse3 -msse4.1 -msse4.2 -mssse3 -O2 -fno-strict-overflow -floop-parallelize-all -ftree-parallelize-loops=4 -flto -ffat-lto-objects -pthread"
LDFLAGS="${LDFLAGS} -flto -pthread"
LIBS="-lgomp"

CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"

CHOST="x86_64-pc-linux-gnu"
(the mmx options are actually for x86-32, never mind)

Add to /etc/portage/package.keywords
Code:
=net-fs/samba-4.6.3 ~amd64
/etc/portage/package.keywords:=net-fs/samba-4.6.3 **


and to /etc/portage/package.unmask
Code:
=net-fs/samba-4.6.3

(assuming that is the version you want and that it is still masked)

I could not build samba with the USE option addc (Enable Active Directory Domain Controller support). Forgot why, but couldn't care less. By now I have switched almost all machines (Linux, VMS, and Windows) to NFS.

The gcc version is 7.1.0-r1 and the kernel sys-kernel/gentoo-sources version 4.10.17 (4.11 won't work with the latest Nvidia X11 driver yet).

All that works on my Banana Pi systems as well. Enjoy your weekend project.
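A small lint for the package.use fragment above, added here as an example and not wildhorse's or Gentoo's code: it computes the USE flags Portage would actually apply to net-fs/samba (a later entry overrides an earlier one for the same flag) and reports the addc + system-mitkrb5 combination this thread says did not build on samba-4.6.3. The second package.use line in the sample is constructed for the example, not taken from the post.

```python
import re

# Constructed sample: wildhorse's package.use line, plus a second line (constructed
# for this example) of the kind someone chasing the AD DC goal might add later.
SAMPLE_PACKAGE_USE = """\
net-fs/samba -addc addns aio client python server smbclient winbind system-mitkrb5
# added later (constructed): turn the AD DC role on
net-fs/samba addc
"""

# USE-flag pairs the thread reports as not building together on net-fs/samba-4.6.3.
UNSUPPORTED_PAIRS = [("addc", "system-mitkrb5")]


def package_name(atom):
    """Reduce a Portage atom ('=net-fs/samba-4.6.3', '>=net-fs/samba-4.6.3-r1',
    'net-fs/samba:4', 'net-fs/samba::gentoo') to its category/name."""
    atom = atom.lstrip("<>=~!")
    atom = atom.split("::", 1)[0].split(":", 1)[0]
    # Strip a version suffix: '-' followed by a digit, e.g. '-4.6.3' or '-4.6.3-r1'.
    return re.sub(r"-\d[\w.]*(-r\d+)?\*?$", "", atom)


def effective_flags(package_use_text, package):
    """Return {flag: enabled} for one package. Portage reads package.use top to
    bottom and a later entry overrides an earlier one, so '-addc' followed by
    'addc' ends up enabled."""
    flags = {}
    for raw in package_use_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        atom, *tokens = line.split()
        if package_name(atom) != package:
            continue
        for tok in tokens:
            flags[tok.lstrip("-")] = not tok.startswith("-")
    return flags


def check_samba(package_use_text):
    """Effective net-fs/samba flags plus the known-bad pairs that are both enabled."""
    flags = effective_flags(package_use_text, "net-fs/samba")
    bad = [p for p in UNSUPPORTED_PAIRS if all(flags.get(f, False) for f in p)]
    return flags, bad


if __name__ == "__main__":
    flags, bad = check_samba(SAMPLE_PACKAGE_USE)
    print("effective USE:", " ".join(sorted(f for f, on in flags.items() if on)))
    for a, b in bad:
        print(f"warning: {a} with {b} is reported not to build on samba-4.6.3")
```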

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Fri May 26, 2017 9:44 am

Thank you for the detailed answer and useful information.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Tue May 30, 2017 2:55 am

So, "no" I guess.

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 428
Location: The Maldives
PostPosted: Tue May 30, 2017 8:02 pm

Yes.

I tried it too.
I put the CPU in the fridge,
I mistreated my keyboard with way too much chr(13).chr(10),
I put my whole harddisk as swap and did a /dev/null/zero on it
I then re-formatted the drive with the new FS youranidiot.cramit.def
I then did a stage3 tarball from when Jesus was a new religion
Then I did all that jazz with make.conf and package.* with >crack-lib/bclib-9999*
Then after the compile and reboot I got this:
Code:

Cannot boot
  root=/dev/iamallwaysright/zero-uuid/

cause of failed encrypted password: waytogowithpasswordsdoood01


Now I am on Windows 10 and a half...

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Wed May 31, 2017 2:11 am

:lol:

You're a funny guy. Funny like clown.

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 428
Location: The Maldives
PostPosted: Wed May 31, 2017 6:22 pm

8O What?! I don't have a clown suite. I never wear that green themed thing the 16:th of mars. Where did you get that from?
Just a lot of hooey. :roll:

Then again, I knew that one would come back to haunt me.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Fri Jun 02, 2017 6:36 am

patrix_neo wrote:
8O What?! I don't have a clown suite. I never wear that green themed thing the 16:th of mars.

I finally translated this:
"I don't have a clown suit. I don't even wear green on St. Patrick's day."

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 428
Location: The Maldives
PostPosted: Fri Jun 02, 2017 2:54 pm

What? Are you losing your # mind?! This is a first. Maybe you are getting stupid.
I did corr-read my post and thought: Why did I not write as I thought it out?
Well, I must be the flyin' riddler...

wildhorse
Tux's lil' helper
Joined: 16 Mar 2006
Posts: 149
Location: Estados Unidos De América
PostPosted: Sat Jun 03, 2017 10:43 am

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Quote:
Samba as an AD DC only supports:
* the integrated LDAP server as AD back end. For details, see the frequently asked question (FAQ) Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
* the Heimdal Kerberos key distribution center (KDC). The AD-compatible Heimdal KDC is included in Samba and automatically installed.
Preparing the Installation
Code:
# rm /etc/krb5.conf


The makers of Samba decided that you have to use Heimdal if you want to use Samba as an ADDC. When I tried to compile Samba with Kerberos instead of Heimdal, I found that Heimdal was not compatible with the original Kerberos. Fixing Samba for Kerberos would have taken too much time. Such effort would also be futile, because the makers of Samba have no intention to support a Samba ADDC with Kerberos.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Sat Jun 03, 2017 1:42 pm

wildhorse wrote:
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Quote:
Samba as an AD DC only supports:
* the integrated LDAP server as AD back end. For details, see the frequently asked question (FAQ) Does Samba AD DCs Support OpenLDAP or Other LDAP Servers as Back End?
* the Heimdal Kerberos key distribution center (KDC). The AD-compatible Heimdal KDC is included in Samba and automatically installed.
Preparing the Installation
Code:
# rm /etc/krb5.conf


The makers of Samba decided that you have to use Heimdal if you want to use Samba as an ADDC. When I tried to compile Samba with Kerberos instead of Heimdal, I found that Heimdal was not compatible with the original Kerberos. Fixing Samba for Kerberos would have taken too much time. Such effort would also be futile, because the makers of Samba have no intention to support a Samba ADDC with Kerberos.

So, "no", I guess.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Mon Jul 03, 2017 5:33 pm

Bunch of lame-ass so-called Linux gurus. You people should all be using Macs.

cokey
Advocate
Joined: 23 Apr 2004
Posts: 3343
PostPosted: Tue Jul 04, 2017 1:05 am

You can do it all... with the Add Roles and Features part of Server Manager
_________________
"Sex: breakfast of champions" - James Hunt

salahx
Guru
Joined: 12 Mar 2005
Posts: 429
PostPosted: Tue Jul 04, 2017 5:05 am

At least with respect to MIT krb5 and Samba, the Samba wiki is out of date. It's still not possible to use MIT krb5 on a Samba AD (at least not in any released version), although on the other hand I don't think it's possible to even use a stock Heimdal version either. There's a mix of both MIT and Heimdal code in the Samba code base; the Heimdal bits are slowly being excised for MIT ones.

I don't know what the exact status is; the MIT Build page hasn't been updated in 3 years. The original reason Samba picked Heimdal was because it had the necessary "hooks" to add Windows-specific data (in particular the PAC) to Kerberos. MIT krb5 has since gained a few hooks of its own, but I don't know whether it's now sufficient to build an AD DC off of or not.

steveL
Advocate
Joined: 13 Sep 2006
Posts: 4784
Location: The Peanut Gallery
PostPosted: Tue Jul 04, 2017 1:29 pm    Post subject: Re: Samba 4 AD DC using MIT Kerberos?

Bones McCracker wrote:
Bonus points for bind9 dlz with dynamic DNS and reverse lookup zone.
You can do that part much more efficiently with a patched djbdns (and a cache for localhost queries from the same server.)
One bit I recall: it needs to be authoritative for the domain, which is fine as it's only for LAN usage.

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 428
Location: The Maldives
PostPosted: Tue Jul 04, 2017 6:09 pm

BK - you need to step up and git that samba!
As we say in the gentoo community...fix it if you want a feature. No one is gonna give it to you for free. You georgean bstrd.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Tue Jul 04, 2017 10:40 pm

No. I want you to do it for me.

jodalein
n00b
Joined: 13 Jun 2013
Posts: 8
PostPosted: Wed Aug 09, 2017 12:47 pm

After around 2 weeks I'm nearly done with that :evil:

bind9 dlz with dynamic updates

gpos, user shares working....
finally ...
it was really crappy some days, but now ... well done, well done

btw I needed 3 input sources to get this done with gentoo.
samba 4.6.6

erm67
Apprentice
Joined: 01 Nov 2005
Posts: 184
Location: somewhere in Renziland.
PostPosted: Thu Aug 10, 2017 6:48 am

Does samba emerge using LTO now?
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
A posse ad esse non valet consequentia
Πάντα ῥεῖ

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Thu Aug 10, 2017 10:38 pm

jodalein wrote:
After around 2 weeks I'm nearly done with that :evil:

bind9 dlz with dynamic updates

gpos, user shares working....
finally ...
it was really crappy some days, but now ... well done, well done

btw I needed 3 input sources to get this done with gentoo.
samba 4.6.6

So where are you putting the how-to?

jodalein
n00b
Joined: 13 Jun 2013
Posts: 8
PostPosted: Thu Aug 17, 2017 8:06 am

Because I'm still configuring the server for productive use.
We're changing our old PDC to AD/DC and there is a lot of stuff to do:
Shares / DNS / Groups

and I only have a copy-paste text file at the moment without any document info, only what to do and what commands are needed to let it run.

If that's enough for you I can share it later.

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Thu Aug 17, 2017 11:24 pm

Yes. You confirm you are using MIT Kerberos?

jodalein
n00b
Joined: 13 Jun 2013
Posts: 8
PostPosted: Wed Aug 30, 2017 3:59 pm

https://forums.gentoo.org/viewtopic-p-8112218.html#8112218

patrix_neo
Guru
Joined: 08 Jan 2004
Posts: 428
Location: The Maldives
PostPosted: Fri Sep 01, 2017 7:58 pm

Bones McCracker wrote:
No. I want you to do it for me.


Like bringing out the trash?

Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1604
Location: U.S.A.
PostPosted: Sat Sep 02, 2017 4:28 pm

patrix_neo wrote:
Bones McCracker wrote:
No. I want you to do it for me.


Like bringing out the trash?

More like how I made you read a book for me.

All times are GMT
Page 1 of 2