[CentOS] Install Bind with gss-spnego enabled

Thu Apr 16 13:29:24 UTC 2015
Johnny Hughes <johnny at centos.org>

On 04/16/2015 06:33 AM, Mike wrote:
> Hi Johnny,
> 
> Thank you for your response.  I thought to choose the sernet package
> because of the following stated in Samba Readme:
> 
> Samba packages shipped in some distributions like e. g. Fedora, RHEL may
> not be able to be used as Samba AD DC, because the distribution relies on
> MIT Kerberos which isn't supported by Samba yet. In this case build Samba
> yourself or use the packages from SerNet or other reliable sources.
> 
> I do want to use samba as an AD DC.
> Does the above not apply to CentOS distro?
> 
> Thanks for reading.
> On Apr 16, 2015 4:35 AM, "Johnny Hughes" <johnny at centos.org> wrote:
> 
>> On 04/16/2015 12:53 AM, Mike wrote:
>>> CentOS 7.1503 installed.
>>> Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
>>> configured).
>>>
>>> The samba wiki Readme First page states, "Some distributions like . . .
>>> Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
>>> GSS-SPNEGO option, which is required for signed DNS updates when using
>>> BIND as DNS backend on your Samba DC. This circumstance requires to self
>>> compile BIND9."
>>>
>>> Is there any way to use a yum command to install Bind9 with gss-spnego
>>> enabled?
>>>
>>> I'm worried about installing from source and creating future problems
>>> when trying to update other CentOS packages that may be affected by the
>>> source install of Bind9. Is it safe to obtain a bind9 source tarball for
>>> install on an rpm-based CentOS 7 server?
>>>
>>> If anyone has installed Bind for use with Samba 4 on CentOS 7, please let
>>> me know what worked.
>>>
>>> Thanks for your time and patience.
>>
>> That is a bind build option, the only way to enable it is to build it.
>>
>> Is there some reason you don't want to use the samba-4.1 that is shipped
>> in CentOS-7?

Nope, you are correct.  The samba in CentOS-7 currently does not work as
an Active Directory Domain Controller.  If you already have a domain
controller, you can make the CentOS-7 samba connect to that DC and serve
as a File or Print server.

So, if you want a linux samba DC, then that would mean that you will
need to use sernet and maintain bind yourself for that feature.

Whether that is safe or not is up to you.

I have no idea specifically about the GSS-SPNEGO .. I can tell you that
if you look at current bind spec file, you can see in lines 409-412
how/why "--disable-isc-spnego" gets selected.

I do not know what the answer is, if gssapi and gss-spnego can coexist,
or if one is better than the other in a given situation, etc.

BUT .. If I was going to solve this problem, I would do so by asking the
sernet guys and I would rebuild the "bind" sources in CentOS with the
proper configure switches so it would likely still meet all the other
software requirements for CentOS that bind needs to meet.  You could also
then only track when CentOS releases a new bind (because RH has released
new source code) .. and thereby not have to track bind upstream tarball
releases for security.
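The rebuild-the-SRPM approach Johnny describes above, as an added example that is not part of the thread and not a script from CentOS, SerNet or Samba. It flips the `--disable-isc-spnego` configure switch to `--enable-isc-spnego` in a local copy of the distribution spec and rebuilds with `rpmbuild`; the spec fragment used for the self-check is constructed here to stand in for the real `bind.spec` (the actual lines around 409-412 are not reproduced), and the `yumdownloader`, `yum-builddep` and `rpmdev-setuptree` steps assume the `yum-utils` and `rpmdevtools` packages are installed. The custom `dist` tag is an assumption too; it keeps the local build distinguishable while still letting a later CentOS release (higher Release number) supersede it.

```shell
#!/bin/sh
# Rebuild the CentOS "bind" SRPM with ISC's SPNEGO enabled.
# Constructed example: the spec fragment, package paths and dist tag below
# are assumptions, not the real CentOS 7 bind.spec.
set -eu

# enable_spnego SPEC
# Rewrite --disable-isc-spnego to --enable-isc-spnego in place.
# Returns 1 when the spec contains nothing to flip (already done, or a
# different spec layout that needs a manual look).
enable_spnego() {
    spec="$1"
    grep -q -- '--disable-isc-spnego' "$spec" || return 1
    sed -i 's/--disable-isc-spnego/--enable-isc-spnego/g' "$spec"
}

# spnego_flags SPEC
# Print the isc-spnego configure flags present, one line, space separated,
# so a caller can confirm what the rebuilt package will be configured with.
spnego_flags() {
    grep -o -- '--[a-z]*-isc-spnego' "$1" | sort -u | xargs
}

# write_sample_spec FILE
# Constructed stand-in for the %configure block of a distribution spec;
# only the shape (gssapi on, isc-spnego off) mirrors the situation in the
# thread, the lines themselves are invented for this example.
write_sample_spec() {
    cat > "$1" <<'EOF'
%configure \
  --with-libtool \
  --with-openssl=yes \
  --with-gssapi=yes \
  --disable-isc-spnego \
  --enable-threads
EOF
}

# rebuild_bind
# The full procedure on a CentOS 7 build host (needs network and rpmbuild).
rebuild_bind() {
    rpmdev-setuptree                          # creates ~/rpmbuild/{SPECS,SOURCES,...}
    yumdownloader --source bind               # fetch the current bind-*.src.rpm
    rpm -ivh bind-*.src.rpm                   # unpack spec + sources into ~/rpmbuild
    spec="$HOME/rpmbuild/SPECS/bind.spec"
    enable_spnego "$spec"
    echo "configure flags now: $(spnego_flags "$spec")"
    sudo yum-builddep -y "$spec"              # pull the same build deps CentOS uses
    # Assumed local dist tag: 14.el7.spnego sorts below a later 15.el7 from
    # CentOS, so a distribution security update still replaces this build.
    rpmbuild -ba --define 'dist .el7.spnego' "$spec"
    echo "verify after install with: named -V | grep -- '-isc-spnego'"
}

# Only run the network/rpmbuild steps when asked explicitly.
if [ "${1:-}" = rebuild ]; then
    rebuild_bind
fi
```

Run it as `sh rebuild-bind.sh rebuild` on the build host; without the argument it only defines the functions. After installing the resulting RPMs, `named -V` prints the configure line the binary was built with, which is the quickest way to confirm the switch actually took effect.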