CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
Thanks for your time and patience.
On 04/16/2015 12:53 AM, Mike wrote:
CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
Thanks for your time and patience.
That is a bind build option, the only way to enable it is to build it.
Is there some reason you don't want to use the samba-4.1 that is shipped in CentOS-7?
Hi Johnny,
Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:
Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.
I do want to use samba as an AD DC. Does the above not apply to CentOS distro?
Thanks for reading.
On Apr 16, 2015 4:35 AM, "Johnny Hughes" johnny@centos.org wrote:
On 04/16/2015 12:53 AM, Mike wrote:
CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
Thanks for your time and patience.
That is a bind build option, the only way to enable it is to build it.
Is there some reason you don't want to use the samba-4.1 that is shipped in CentOS-7?
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On 04/16/2015 06:33 AM, Mike wrote:
Hi Johnny,
Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:
Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.
I do want to use samba as an AD DC. Does the above not apply to CentOS distro?
Thanks for reading.
On Apr 16, 2015 4:35 AM, "Johnny Hughes" johnny@centos.org wrote:
On 04/16/2015 12:53 AM, Mike wrote:
CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
I'm worried about installing from source and creating future problems when trying to update other CentOS packages that may be affected by the source install of Bind9. Is it safe to obtain a bind9 source tarball for install on an rpm-based CentOS 7 server?
If anyone has installed Bind for use with Samba 4 on CentOS 7, please let me know what worked.
Thanks for your time and patience.
That is a bind build option, the only way to enable it is to build it.
Is there some reason you don't want to use the samba-4.1 that is shipped in CentOS-7?
Nope, you are correct. The samba in CentOS-7 currently does not work as an Active Directory Domain Controller. If you already have a domain controller, you can make the CentOS-7 samba connect to that DC and serve as a File or Print server.
So, if you want a linux samba DC, then that would mean that you will need to use sernet and maintain bind yourself for that feature.
Whether that is safe or not is up to you.
I have no idea specifically about the GSS-SPNEGO .. I can tell you that if you look at current bind spec file, you can see in lines 409-412 how/why "--disable-isc-spnego" gets selected.
I do not know what the answer is, if gssapi and gss-spnego can coexist, or if one is better than the other in a given situation, etc.
BUT .. If I was going to solve this problem, I would do so asking the sernet guys and I would rebuild the "bind" sources in CentOS with the proper configure switches so it would likely still meet all the other software requires for CentOS that bind needs to meet. You could also then only track when CentOS releases a new bind (because RH has released new source code) .. and thereby not have to track bind upstream tarball releases for security.
On Thu, Apr 16, 2015 at 9:29 AM, Johnny Hughes johnny@centos.org wrote:
On 04/16/2015 06:33 AM, Mike wrote:
BUT .. If I was going to solve this problem, I would do so asking the sernet guys and I would rebuild the "bind" sources in CentOS with the proper configure switches so it would likely still meet all the other software requires for CentOS that bind needs to meet. You could also then only track when CentOS releases a new bind (because RH has released new source code) .. and thereby not have to track bind upstream tarball releases for security.
Sounds like good advice for me to follow up on. Thanks for the thoughtful response. :-)
Mike
On 16 Apr 2015 14:29, "Johnny Hughes" johnny@centos.org wrote:
On 04/16/2015 06:33 AM, Mike wrote:
Hi Johnny,
Thank you for your response. I thought to choose the sernet package because of the following stated in Samba Readme:
Samba packages shipped in some distributions like e. g. Fedora, RHEL may not be able to be used as Samba AD DC, because the distribution relies on MIT Kerberos which isn't supported by Samba yet. In this case build Samba yourself or use the packages from SerNet or other reliable sources.
I do want to use samba as an AD DC. Does the above not apply to CentOS distro?
Thanks for reading.
On Apr 16, 2015 4:35 AM, "Johnny Hughes" johnny@centos.org wrote:
On 04/16/2015 12:53 AM, Mike wrote:
CentOS 7.1503 installed. Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be configured).
The samba wiki Readme First page states, "Some distributions like . . . Red Hat Enterprise Linux (and clones), ship BIND9 packages with disabled GSS-SPNEGO option, which is required for signed DNS updates when using BIND as DNS backend on your Samba DC. This circumstance requires to self compile BIND9."
Is there any way to use a yum command to install Bind9 with gss-spnego enabled?
This was required for kerberos secured updates prior to el7.1 and el6.6 ...
The problem in the underlying kerberos libraries was resolved so that kerberos based updates worked with gss again and spnego doesn't need to be compiled in.
On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth james.hogarth@gmail.com wrote:
This was required for kerberos secured updates prior to el7.1 and el6.6 ...
The problem in the underlying kerberos libraries was resolved so that kerberos based updates worked with gss again and spnego doesn't need to be compiled in.
James, thank you for your reply. This sounds like good news for me; I can stay planted in the accepted CentOS repo. biosphere.
I installed bind-9.9.4 package from the CentOS repo. I've been reading the Changes and Readme file but don't see where this issue is addressed.
Can you point me to the CentOS announcements or release notes that deal with the bind package and gss-spnego? I'd like to try to understand and possibly aggregate the right info to send to the samba wiki maintainers.
named -V on the installed package produces:
BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version) id:8f9657aa built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
<<<SNIP>>>
'--with-gssapi=yes' '--disable-isc-spnego'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013 using libxml2 version: 2.9.1 END
Does the above output show that gss-spnego is actually enabled? Thanks for your help.
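The flags at the end of that `named -V` output can be read mechanically. This is an added example, not part of the original thread; the function names and the abridged sample string are constructed. It assumes BIND's configure semantics, in which `--disable-isc-spnego` makes named use the SPNEGO implementation of the system GSSAPI library instead of ISC's bundled one, and in which the bundled one is the default.

```shell
#!/bin/sh
# Added example (not from the thread): classify the GSSAPI/SPNEGO build
# options that `named -V` reports. Function names are hypothetical.

# Constructed sample: abridged from the `named -V` output quoted above.
SAMPLE_NAMED_V="BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 built with '--prefix=/usr' '--sysconfdir=/etc' '--with-gssapi=yes' '--disable-isc-spnego'"

# Print each quoted configure flag from stdin on its own line.
configure_flags() {
    grep -o "'--[^']*'" | tr -d "'"
}

# Read `named -V` text on stdin and print "gssapi=<v> spnego=<v>".
#   gssapi: yes | no | unknown (no --with/--without-gssapi flag seen)
#   spnego: system (SPNEGO taken from the GSSAPI library, e.g. MIT krb5)
#           isc    (BIND's bundled implementation; assumed configure default)
#           none   (GSSAPI disabled, so no Kerberos-signed updates at all)
classify_named_build() {
    gssapi=unknown
    spnego=isc
    flags=$(configure_flags)
    while IFS= read -r flag; do
        case "$flag" in
            --without-gssapi|--with-gssapi=no) gssapi=no ;;
            --with-gssapi|--with-gssapi=*)     gssapi=yes ;;
            --disable-isc-spnego)              spnego=system ;;
            --enable-isc-spnego)               spnego=isc ;;
        esac
    done <<EOF
$flags
EOF
    [ "$gssapi" = no ] && spnego=none
    printf 'gssapi=%s spnego=%s\n' "$gssapi" "$spnego"
}

# Summarise the constructed sample.
printf '%s\n' "$SAMPLE_NAMED_V" | classify_named_build
```

On a live server, `named -V 2>&1 | classify_named_build` gives the same one-line summary for the installed package.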
On 17 Apr 2015 00:42, "Mike" 1100100@gmail.com wrote:
On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth james.hogarth@gmail.com wrote:
This was required for kerberos secured updates prior to el7.1 and el6.6 ...
The problem in the underlying kerberos libraries was resolved so that kerberos based updates worked with gss again and spnego doesn't need to be compiled in.
James, thank you for your reply. This sounds like good news for me; I can stay planted in the accepted CentOS repo. biosphere.
I installed bind-9.9.4 package from the CentOS repo. I've been reading the Changes and Readme file but don't see where this issue is addressed.
Can you point me to the CentOS announcements or release notes that deal with the bind package and gss-spnego? I'd like to try to understand and possibly aggregate the right info to send to the samba wiki maintainers.
It wasn't the bind package directly but rather an issue with the libkrb5 libraries.
This is the specific bug that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1087068
I'll get the samba wiki updated to make this clear.
On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hogarth@gmail.com wrote:
It wasn't the bind package directly but rather an issue with the libkrb5 libraries.
This is the specific bug that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1087068
I'll get the samba wiki updated to make this clear.
Zoinks! I didn't realize I was corresponding with the fellow who actually maintains this section of the Samba Wiki. :-) Thanks for your expertise and synergy between the OS and the Samba software.
On 17 Apr 2015 13:04, "Mike" 1100100@gmail.com wrote:
On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hogarth@gmail.com wrote:
It wasn't the bind package directly but rather an issue with the libkrb5 libraries.
This is the specific bug that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1087068
I'll get the samba wiki updated to make this clear.
Zoinks! I didn't realize I was corresponding with the fellow who actually maintains this section of the Samba Wiki. :-) Thanks for your expertise and synergy between the OS and the Samba software.
Just to be clear I don't do that.
However I have had a fair bit of my professional life in the realm of samba in an AD context on CentOS this past year.
I happen to know someone who does maintain that wiki though so will give him the heads up over drinks in a few weeks ;)
K, clear. Still very much appreciative of your experience and insight. I'm a wannabe who never has enough time amongst my duties to get my sys-admin skills tight.
Cheers,
Mike
On Fri, Apr 17, 2015 at 9:36 AM, James Hogarth james.hogarth@gmail.com wrote:
On 17 Apr 2015 13:04, "Mike" 1100100@gmail.com wrote:
On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hogarth@gmail.com wrote:
It wasn't the bind package directly but rather an issue with the libkrb5 libraries.
This is the specific bug that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1087068
I'll get the samba wiki updated to make this clear.
Zoinks! I didn't realize I was corresponding with the fellow who actually maintains this section of the Samba Wiki. :-) Thanks for your expertise and synergy between the OS and the Samba software.
Just to be clear I don't do that.
However I have had a fair bit of my professional life in the realm of samba in an AD context on CentOS this past year.
I happen to know someone who does maintain that wiki though so will give him the heads up over drinks in a few weeks ;)