Hi folks: Is SAMBA on CentOS 7 able to work as an Active Directory Domain Controller? If it’s not, what is the recommended way of doing it? Compiling from sources? Installing packages from SerNet?
Thanks in advance!
23 thoughts on - SAMBA As AD DC
Yes Samba4 is capable of working as an AD domain controller and more.
See link.
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
Aly
Hmmmm perhaps I don’t explain myself enough.
I already know that Samba is “capable of working as an AD domain controller and more”.
I’m asking about the official packages of CentOS, I mean from the official repos.
Thanks in advance
2014-09-06 18:01 GMT-03:00 Aly Khimji:
It would appear the samba4 DC isn’t available for C7 just yet.
“As Fedora and RHEL are using MIT Kerberos implementation as its Kerberos infrastructure of choice, the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos at the moment.”
Ref:
http://community.spiceworks.com/topic/535153-CentOS-7-samba-domain-controller
HTH
Aly
Aly Khimji wrote:
IMO there are a _lot_ of Fedora/RHEL/CentOS users (including me) who do not use FreeIPA or other Kerberos-based stuff, but want to use Samba4 with AD enabled. For them it is not important whether they use the MIT or Heimdal Kerberos implementation. Then the logical question:
Are (unofficial) Samba4 RPM packages with Heimdal Kerberos available somewhere for these distributions?
I’m rather skeptical about MIT Kerberos being implemented in Samba4 any time soon, because this work has been going on for many years and still without success (maybe without any clear roadmap for it).
Franta Hanzlik
http://www.enterprisesamba.com
We use these at my workplace.
As for the MIT bit according to the samba technical list if it doesn’t land in 4.2 it will in 4.3 …
James Hogarth wrote:
Hi James, thanks for the reply. It seems that SerNet’s site has packages for RHEL6/CentOS6 only, not for RHEL7/CentOS7 or any Fedora versions, at least this.
Regarding Samba4 with MIT in 4.2/4.3 – as far as I know, 4.2 is still not even in rc, thus the final release could perhaps be at the turn of the year. And when the time between releases is approx. 9 months, then we could wait around a year… I’ll keep my fingers crossed that it happens in 4.2.
Franta Hanzlik
On 8 Sep 2014 17:00, “Frantisek Hanzlik” wrote …
Indeed but fortunately EL6 has many years ahead of it yet.
The rc is due Sep 15th last I heard.
Andrew Bartlett has expressed an opinion on the samba technical list that he’d be in favour of a very short 4.2 cycle if it means getting these sort of updates out.
Frantisek Hanzlik wrote:
I am trying to build some – as I want them, too.
See http://rghost.net/57999078 for a compressed tarball with the mock result (i.e. srpm, rpm and build logs).
The package is working, but there is one problem I need help to fix:
Starting samba by “systemctl start samba.service” or “service start samba” seems to start samba, but if you try to join a domain from a Windows client, it will fail, reporting that the rpc server is not available.
If you start samba by running “/usr/sbin/samba” from a console where root is logged in, samba is working as expected: Windows clients can join the domain.
Any idea how to fix that issue?
Thanks + Greetings from Germany
Markus Steinborn
Would this be due to not starting the nmb service? Samba provides two services, smb AND nmb; you want to ensure both are running. HTH
Why don’t you use Sernet Enterprise Samba?
They provide precompiled packages for a bunch of distros.
Hi Rob,
Rob Kampen wrote:
Well, for AD DC mode, starting smbd and/or nmbd issues an error saying you would have to start “samba” instead – in this mode smbd and nmbd are not supposed to be started directly.
And “ps xa” shows identical process lists for the working variant (started by “/usr/sbin/samba”) and for the non-working variant (“/service samba start”).
But I also had an idea what to check: Turning selinux off did fix the samba started by systemd. So it is a selinux issue.
Greetings
Markus Steinborn
Hi Miguel
Miguel Medalha wrote:
I’ve read in this list recently (archived at http://lists.CentOS.org/pipermail/CentOS/2014-September/145681.html) that they do not provide RPMs for RHEL/CentOS 7. So this seems not to be an option.
Greetings
Markus
There’s no ‘need’ to be on C7 right now …
If your requirement is “runs sernet samba for AD services” then C7 does not meet that requirement at this time …
C6 is supported till 2020 … there’s no hurry here.
As someone said before, you don’t need to use “the latest and greatest” to run a functional service… On a production environment that is even often undesirable until things settle down…
Anyway, Sernet also provides a source rpm. Why not build up from that base?
+1 However, the init scripts from the built RPMs may not be compatible with C7 (systemd). I believe the OP is having problems with starting the daemons not building the Samba4.
The Sernet Samba4 packages work like a champ on C6.5.
— Arun Khan
Hi Miguel,
Miguel Medalha wrote:
CentOS 7 is using systemd – that would cause problems.
And anyway, I’ve used the package samba from CentOS-7 as base. This way, incompatibilities with base samba4 are minimized (same paths etc.).
I’ve already written in this thread: It has turned out that selinux is the problem – turning off selinux helps. But that is not really what you want to do… And since the problem is selinux, I am not sure if Sernet’s source would have changed anything.
Anyway, I do not think that my package is broken anymore since selinux configuration is a different thing.
Greetings
Markus
What AVCs is SELinux giving you?
Hi Daniel,
Daniel J Walsh wrote:
Policy has been “enforcing” – and I see the following AVCs at the end of my audit log – but those repeated several times:
type=AVC msg=audit(1410628837.928:422): avc: denied { connectto } for pid=2330 comm="smbd" path="/run/samba/winbindd/pipe" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1410628852.301:430): avc: denied { connectto } for pid=2392 comm="smbd" path="/run/samba/ncalrpc/np/netlogon" scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
Greetings
Markus
This looks like you have something running as init_t that is listening on “/run/samba/winbindd/pipe”
ps -eZ | grep init_t
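The triage this reply points to, as an added example that is not part of the thread: a small Python parser that groups repeated AVC denials and lists the socket paths whose listener runs as init_t. The sample records are constructed from the two denials quoted above (pid values and the extra lines are made up), and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample modelled on the two denials quoted in the thread; pid
# values, the SERVICE_START line and the last record are made up. The last
# record uses web-page curly quotes (\u201d) to exercise normalisation.
_REC = ('type=AVC msg=audit({ts}): avc:  denied  {{ connectto }} for  pid={pid} '
        'comm={q}smbd{q} path={q}{path}{q} scontext=system_u:system_r:smbd_t:s0 '
        'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket')
SAMPLE_AUDIT_LOG = "\n".join([
    _REC.format(ts="1410628837.928:422", pid=1001, q='"', path="/run/samba/winbindd/pipe"),
    _REC.format(ts="1410628852.301:430", pid=1002, q='"', path="/run/samba/ncalrpc/np/netlogon"),
    'type=SERVICE_START msg=audit(1410628853.000:431): pid=1 comm="systemd"',
    _REC.format(ts="1410628860.000:440", pid=1001, q="\u201d", path="/run/samba/winbindd/pipe"),
])

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CURLY = {0x201C: '"', 0x201D: '"'}  # logs pasted from web pages carry these

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line.translate(CURLY))
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")  # user:role:type:level
        rec[side + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec

def summarize(log_text):
    """Count repeated denials by (source type, perms, target type, class, path)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        counts[(rec["scontext_type"], rec["perms"], rec["tcontext_type"],
                rec.get("tclass", ""), rec.get("path", ""))] += 1
    return counts

def init_t_listeners(log_text):
    """Socket paths where connectto was denied and the target domain is init_t."""
    return sorted(path for (_, perms, ttype, tclass, path) in summarize(log_text)
                  if ttype == "init_t" and tclass == "unix_stream_socket"
                  and "connectto" in perms)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(n, *key)
    print("compare with `ps -eZ | grep init_t`:", init_t_listeners(SAMPLE_AUDIT_LOG))
```

The paths it returns are the ones to match against the processes that `ps -eZ | grep init_t` shows.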
On Mon, 08/09/2014 at 20.03 +0100, James Hogarth wrote:
Is there any news for this thread?
Samba 4.3 is out:
https://www.samba.org/samba/history/samba-4.3.0.html
and in Fedora Development there’s already a new package:
https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/x86_64/os/Packages/s/
But the “samba-ad” package is still missing.
Does someone have more info?
Many thanks
Hello,
It is a decision of Red Hat over MIT or Heimdal. Red Hat chooses MIT and Samba 4 AD chooses Heimdal.
You have more info in https://access.redhat.com/discussions/1235263
Regards,
On Fri, 11/09/2015 at 14.25 +0200, Oscar Osta Pueyo wrote:
Ok, thanks for the reply.
I read the last message of the discussion:
This means that there never will be a samba-ad for redhat/CentOS.
Then, if I understand the reply, with CentOS7 + Samba 4 in old NT4-DC mode + Kerberos + FreeIPA (I do not know what FreeIPA is) is it possible to set up a Linux PDC working with all versions of Windows client, without changing the registry in win7/8 to join the domain?
I’m not a Linux guru; can someone point me to the right way?
Many thanks Dario
I have been building a Samba4 AD on CentOS7 (actually C7-armv7 beta)
using the sernet rpms.
https://portal.enterprisesamba.com/
Though we had to build an armv7 distro from sernet sources:
http://repo.shivaserv.fr/CentOS/7/
This is Samba 4.2. It includes their Kerberos, ldap, and internal DNS.
You MUST use their Kerberos and strongly recommend their ldap. I am using the Bind 9.9 that comes with C7; not too hard to integrate. I am also using the C7 dhcpd.
WRT Samba 4.3 and MIT Kerberos. Samba 4.3 has shipped. But MIT
Kerberos support did not make it into the initial release. Sernet has not released a 4.3 ver to date.
There is pretty good help on the Samba list:
https://lists.samba.org/mailman/options/samba
The wiki is quite good. Particularly as I have been asking lots of newbie questions and Marc has been busy incorporating the obvious answers into the wiki :)
https://wiki.samba.org/index.php/User_Documentation