Bug 794744

Summary: samba4 package is missing the 'samba-tool'
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Forgotten User -UpQBLGEK9 <forgotten_-UpQBLGEK9>
Component: Samba
Assignee: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Status: RESOLVED FIXED
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Severity: Normal
Priority: P3 - Medium
CC: aj, bjoernv, bruno, david.mulder, ddiss, diego.ercolani, forgotten_FNja4poqqR, forgotten_Ku1lZ_yaEZ, forgotten_lRV-kbNID1, gleixner, j.peter0123, jmcdonough, kiv, motionseverywhere, samba-maintainers, scabrero, tim.eberhardt
Version: 13.2 Beta 1
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 13.2
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Forgotten User -UpQBLGEK9 2012-12-17 09:15:33 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Firefox/17.0

Hello,

While giving samba4 I found that the 'samba-tool' command is not included.
This command is required to set up a samba4 environment.
(according to : https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC )

Regards
Rob Verduijn

Reproducible: Always

Steps to Reproduce:
1. install samba4 from http://software.opensuse.org/package/samba
2. issue : rpm -ql samba4|grep samba-tool
3.
Actual Results:  
missing samba-tool

Expected Results:  
samba-tool should be included in the rpm
Comment 1 Forgotten User -UpQBLGEK9 2012-12-21 14:02:45 UTC
Hello,

After studying the spec file from samba4 for some time I've noticed that the entire source4 dir is not compiled into the package.

This directory contains the samba-tool program.

Rob Verduijn
Comment 2 Lars Müller 2013-01-08 10:39:26 UTC
samba-tool is only of use for a Samba 4 AD DC, while our packages are for the samba 4 file server.

An AD DC build uses a static version of the Heimdal Kerberos implementation, while SUSE uses the shipped system-wide MIT Kerberos.
Comment 3 Forgotten User -UpQBLGEK9 2013-02-17 10:03:30 UTC
Hello,

Samba 4 can be compiled with MIT kerberos instead of heimdal kerberos.

After hitting the open build service to package it myself, I noticed there is a build option to use MIT kerberos instead of heimdal kerberos, thus rendering the kerberos argument void.

Therefore I reopened this ticket.

The entire samba4 source4 tree is missing from the build (including samba-tool).
It can be built with MIT kerberos (I've done it myself with samba 4.0.3)

opensuse would be able to take advantage of all the cool samba4 features.

Rob Verduijn
Comment 4 Forgotten User -UpQBLGEK9 2013-02-17 10:22:40 UTC
changed the release to 12.3 beta 1 since it's also missing in that one
Comment 5 Lars Müller 2013-02-17 13:56:29 UTC
Thanks for your contribution!

Please file a submit request from your project against the network:samba:TESTING/samba project.

Please close this defect report as soon as you filed your submit request.
Comment 6 Forgotten User -UpQBLGEK9 2013-02-17 19:46:42 UTC
Hello,

I did not branch my project from your samba testing project, since the complexity of the samba package was rather overwhelming when I first started my package attempts. But this is some time ago and I've been hitting the build service quite heavy since then.
 I will give it another shot and see if I can branch and include the new functionality.

Feel free to peek at my package in my repo here :
https://build.opensuse.org/project/show?project=home%3Arobverduijn%3Asamba

All packages are branched from yours (samba:TESTING) except samba.

Give me some time to get to grips with your samba packaging style, I cannot guarantee/promise any time to delivery since I have to do this in my own spare time.

Rob
Comment 7 Forgotten User -UpQBLGEK9 2013-02-17 20:53:48 UTC
It seems I was jumping too soon.

I've been doing some local builds with the --with-system-mitkrb5 option enabled, but then the system builds a lot but not the /usr/sbin/samba binary (required for the ad mode) and the samba-tool is also still missing.

It only builds the samba4 client and the samba3 code base.

The only advantage of this is I guess that you could simplify the samba package a bit (maybe a bit less pushing and popping dirs), but besides that we would have to wait for the samba folks to adjust their code more to become fully compatible with the MIT-kerberos.

Rob
Comment 8 Forgotten User -UpQBLGEK9 2013-02-18 11:56:59 UTC
I've been looking at your package for some time now.

I've tried adding a pushd/popd for the source4 to your package, but this fails mainly due to the fact that there is no autogen.sh like there is for the source3 directory.

I get the impression that it needs a major overhaul to enable compiling the source4 directory since it needs a different approach in my opinion. (no pushd and popd but build it from the root folder and adjust for exceptions for older builds from there.)

Which would lead to such a major change to the package that I doubt that would be accepted.

Besides the acceptance this also requires a serious amount of time, more time than I got to spare.

What is your view on this matter ?
Comment 9 Lars Müller 2013-02-18 17:49:44 UTC
Please point us to any real issue which is caused by using pushd and popd during the RPM build process.  If there are, we have a need to change the current build approach.

Please describe your goals and wishes.  What are you trying to achieve?

Maybe we have to consider keeping track of such wishes, new directions, design goals, and any other type of enhancements as part of the feature tracking tool we use for openSUSE, https://features.openSUSE.org/

If you think that's the way to go please create a new feature request and add a link to it to this report.
Comment 10 Forgotten User -UpQBLGEK9 2013-02-19 13:07:38 UTC
Hello,

Because I think we got a misunderstanding let me clarify my reasoning and my goals.

A while ago I saw that the samba:STABLE contained samba4. I was rejoiced because now I can run samba4 on opensuse.
(Wrong line of thought I know now, due to the mit/heimdal kerberos problem.)

So I tried and found that the howtos from wiki.samba.org were all talking about samba-tool and that it was not available in the suse build.

Thus I created this ticket.
you told me about the heimdal/mit problem.

I saw that somewhere between samba4.0.0 and 4.0.3 the --with-system-mitkrb5 option was created.

I found out that this was only for the samba3 tools and samba4 client.

I reported this to you and you replied, put out a submit request.

I have branched your samba package and tried to put the  --with-system-mitkrb5 option in there. Which I failed to do mainly due to the complexity of the samba package. 

So I'm not going to put out a submit request since I can't get it to compile for me on the obs using your package as a base.

Since I sense a bit of lack of support for this feature I'm going to stick with 
my own build package and leave the samba package building to you.
Comment 11 David Disseldorp 2013-03-06 14:30:02 UTC
Hi Rob,

(In reply to comment #10)
> Hello,
> 
> Because I think we got a misunderstanding let me clarify my reasoning and my
> goals.
> 
> A while ago I saw that the samba:STABLE contained samba4. I was rejoiced
> because now I can run samba4 on opensuse.
> (Wrong line of thought I know now, due to the mit/heimdal kerberos problem.)
> 
> So I tried and found that the howtos from wiki.samba.org were all talking about
> samba-tool and that it was not available in the suse build.
> 
> Thus I created this ticket.
> you told me about the heimdal/mit problem.
> 
> I saw that somewhere between samba4.0.0 and 4.0.3 the --with-system-mitkrb5
> option was created.
> 
> I found out that this was only for the samba3 tools and samba4 client.
> 
> I reported this to you and you replied, put out a submit request.
> 
> I have branched your samba package and tried to put the  --with-system-mitkrb5
> option in there. Which I failed to do mainly due to the complexity of the samba
> package. 
> 
> So I'm not going to put out a submit request since I can't get it to compile
> for me on the obs using your package as a base.
> 
> Since I sense a bit of lack of support for this feature I'm going to stick with 
> my own build package and leave the samba package building to you.

Please don't interpret this push-back as lack of support for packaging Samba 4 with AD domain controller support.
Speaking for myself (and hopefully a number of other openSUSE community members), I'd be very glad to see this feature added. Particularly if the new packages were to cater to openSUSE users upgrading from Samba 3.x based environments.

Given the extent of the changes, I'd propose maintaining an AD DC enabled build repository in parallel to the traditional non-DC packages. This would allow for sufficient testing before roll-out, as well as provide a base for integration with external dependencies (YaST etc.).
Comment 12 Forgotten User -UpQBLGEK9 2013-03-06 19:10:19 UTC
Hello,
I have no doubt there is a lot of demand for the 'samba4 ad controller' support.
I've found a lot of the annoyances that samba3 has were dealt with in samba4.

But as long as the heimdal/MIT kerberos problem isn't solved I think your idea for an AD DC enabled build is a good one.
I would suggest adding another build that uses the --with-system-mitkrb5 switch, since that one restricts the build to the samba3 binaries and samba4 client only.
(since it's not used in samba:TESTING) 
I think the community will appreciate the availability of the packages even if they are: "use at your own risk".
It will allow everybody to try it and see what it's worth.
Just make sure it is known that it will be a serious problem when it's not a dedicated server. (big warning when enabling samba4 ad and again when starting up, links to website with warnings all over the screen and in the logs)

Also if you want me to help in getting the package on the level of quality or any other opensuse community member a bit more info from the side of opensuse would be appreciated.
Regarding all the magic that is required on how to build samba3/4 deserves some more attention, why are certain buildrequirements needed and why is this option on and that one off.
Or why the mit/heimdal kerberos thing is an issue, and maybe an explanation on why MIT and not heimdal for system wide use in opensuse. (just to name a few that come to mind)

I know a few of the answers from redhat/fedora
for those that don't : 
http://fedoraproject.org/wiki/Features/Samba4
https://wiki.samba.org/index.php/Samba4/MIT_KDC

Regards
Rob
Comment 13 David Disseldorp 2013-05-27 11:41:26 UTC
*** Bug 821826 has been marked as a duplicate of this bug. ***
Comment 14 Bruno Friedmann 2013-05-27 13:45:49 UTC
My bug noted as duplicate. and I'm fully aware of the thread (especially the heimdal/MIT war).

So first the samba package should use now the waf samba method.

Previous packager could help a lot the community by adding (at choice) comments in the spec file (What is important, why/who/when choice of doing things like they are is done)

A clear description about the limits : say samba4 will be only a file server, don't count on AD with our package. And handle feedback of community about it.
(Ad support as replacement is certainly the looong awaiting feature)

I would like to thank Rob for his try.
Comment 15 Bruno Friedmann 2013-05-27 13:59:57 UTC
feature open 
https://features.opensuse.org/315083
Comment 16 Forgotten User -UpQBLGEK9 2013-05-27 14:30:13 UTC
Hi,

Did the idea 'AD DC enabled build' in the obs die a quiet death or is this still an option ?

Rob

p.s. I see that the bug is reopened, I must have missed the 'this bug is closed' email.
Comment 17 Lars Müller 2013-10-07 21:22:12 UTC
*** Bug 818981 has been marked as a duplicate of this bug. ***
Comment 18 Lars Müller 2013-10-07 21:24:27 UTC
*** Bug 844349 has been marked as a duplicate of this bug. ***
Comment 19 Forgotten User -UpQBLGEK9 2014-02-05 20:44:40 UTC
Hello again,

It's been over a year since I first opened this bug and I know the samba-tool isn't going to happen on suse before mit kerberos has been patched to support the required features for a samba dc or samba4 patched to be able to deal with mit kerberos. I guess they both need work for this to happen.

I was rather curious, and google finds no page that is not at least as old as the first entry of this bug.

How far along are we towards a samba4 dc running on mit kerberos ?
Any links towards some page that is not older than this incident are appreciated.

Rob Verduijn
Comment 20 flo gleixner 2014-10-21 21:49:05 UTC
Changed to 13.2 beta1
Comment 21 Björn Voigt 2016-04-26 13:45:39 UTC
I am surprised that years later we have Samba 4.4 on Tumbleweed and samba-tool is still missing.
Comment 22 Forgotten User FNja4poqqR 2016-05-10 17:45:02 UTC
Is there any progress on this?

We're planning on a Project with SLES as AD DC. But not having AD DC Support in Samba is a killer here.

I would be happy to have AD DC Support in the testing branch first, so I can at least deliver some results to the Project Managers. By the time the Project goes live we sure are at SPE2 or even SLE13 already (mid 2017) and then the AD DC Support Needs to be in the official package already.

So I kindly ask for Progress on the matter, as mentioned in the Feature from two years ago already:
"offer an open implementation of AD/DC to companies and customers. Be the first to do it? Having it integrated quickly in openSUSE, will benefit also SUSE for SLES12 time"
Comment 24 Péter Jung 2016-12-07 21:23:56 UTC
(In reply to Michael Melcher from comment #22)
> Is there any progress on this?
> 
> We're planning on a Project with SLES as AD DC. But not having AD DC Support
> in Samba is a killer here.
> 
> I would be happy to have AD DC Support in the testing branch first, so I can
> at least deliver some results to the Project Managers. By the time the
> Project goes live we sure are at SPE2 or even SLE13 already (mid 2017) and
> then the AD DC Support Needs to be in the official package already.
> 
> So I kindly ask for Progress on the matter, as mentioned in the Feature from
> two years ago already:
> "offer an open implementation of AD/DC to companies and customers. Be the
> first to do it? Having it integrated quickly in openSUSE, will benefit also
> SUSE for SLES12 time"

It would be time for adding AD DC support for Samba4 in openSUSE/SUSE. This bug/"lack of feature" is originated from 3 years ago.
We are working on an openSUSE based server distribution for educational institutes, its main focus is that it is OSS based, freely available, and it gets the updates from the official openSUSE repositories.
This system uses Samba server, so it can be the domain controller for the Windows clients. But without AD DC support newer windows clients can't join the domain, only archaic clients, which are no longer in use (except Win7 with a registry modification, but most of them are upgraded to Win10).
So it would be great to have a fully functional Samba4 in openSUSE, because with this partial version, the usability in certain environments of an openSUSE/SUSE server can be limited by this lack.
Comment 25 James McDonough 2016-12-08 20:00:06 UTC
Until MIT kerberos is supported in the AD DC, we simply will not ship anything related to the AD DC code.  As samba-tool is only relevant in this case, it will not be added.
Comment 26 Björn Voigt 2016-12-08 21:45:07 UTC
(In reply to James McDonough from comment #25)
> Until MIT kerberos is supported in the AD DC, we simply will not ship
> anything related to the AD DC code.  As samba-tool is only relevant in this
> case, it will not be added.

Why Samba AD DC works perfectly with MIT Kerberos in Ubuntu 16.04?

ubuntu@ubuntu-xenial:~$ ldd /usr/sbin/smbd|grep krb5
        libkrb5samba.so.0 => /usr/lib/x86_64-linux-gnu/samba/libkrb5samba.so.0 (0x00007ff41e772000)
        libauthkrb5.so.0 => /usr/lib/x86_64-linux-gnu/samba/libauthkrb5.so.0 (0x00007ff41c3a0000)
        libndr-krb5pac.so.0 => /usr/lib/x86_64-linux-gnu/libndr-krb5pac.so.0 (0x00007ff418d64000)
        libkrb5-samba4.so.26 => /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26 (0x00007ff417ccd000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007ff41640e000)
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007ff413de2000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007ff413220000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007ff412de5000)
Comment 27 James McDonough 2016-12-09 12:28:02 UTC
(In reply to Björn Voigt from comment #26)
> Why Samba AD DC works perfectly with MIT Kerberos in Ubuntu 16.04?
> 
smbd is providing only the file services, which they have apparently linked against the mit libs.

However, the 'samba' binary itself uses an embedded heimdal kdc.  That's the part we won't support.  It is likely to not even show up in ldd as it is probably linked in.

Work is currently being done to make this part work with the mit kdc, but that is not yet in any released branch.

I'll be working on separate, totally unsupported packaging of a build with the embedded heimdal, but it won't be in the official repos before MIT is supported upstream.
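
Comments 26 and 27 turn on which Kerberos implementation a binary is linked against. The following is an added example, not part of the thread or of the Samba or openSUSE packaging: a shell filter that sorts the libraries in `ldd` output by implementation. The function names and the SONAME mapping are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): classify the Kerberos-related
# libraries in `ldd` output by implementation.
# ASSUMPTION: the SONAME mapping below reflects the usual upstream/distro
# SONAMEs (MIT: libkrb5.so.3; Heimdal: libkrb5.so.26; Samba's private
# Heimdal build: lib*-samba4.so.*). Adjust for your distribution.

# Reads `ldd` output on stdin; prints "<class> <soname>" for each
# Kerberos-related line and ignores everything else.
classify_krb5_libs() {
    while read -r soname _rest; do
        case "$soname" in
            libkrb5-samba4.so.*|libgssapi-samba4.so.*|libkdc-samba4.so.*|libhdb-samba4.so.*)
                class=heimdal-bundled ;;
            libkrb5.so.26|libgssapi.so.3)
                class=heimdal-system ;;
            libkrb5.so.3|libgssapi_krb5.so.*|libkrb5support.so.*|libk5crypto.so.*)
                class=mit ;;
            *krb5*)
                class=samba-glue ;;   # Samba's own wrappers, not a Kerberos implementation
            *)
                continue ;;
        esac
        printf '%s %s\n' "$class" "$soname"
    done
}

# Reads `ldd` output on stdin; prints the distinct implementations found,
# in order of first appearance (empty line if none).
krb5_flavours() {
    classify_krb5_libs | awk '
        $1 != "samba-glue" && !seen[$1]++ { out = out (out ? " " : "") $1 }
        END { print out }'
}

# Sample input: the ldd lines quoted in comment 26 of this report.
sample_ldd_output() {
    cat <<'EOF'
        libkrb5samba.so.0 => /usr/lib/x86_64-linux-gnu/samba/libkrb5samba.so.0 (0x00007ff41e772000)
        libauthkrb5.so.0 => /usr/lib/x86_64-linux-gnu/samba/libauthkrb5.so.0 (0x00007ff41c3a0000)
        libndr-krb5pac.so.0 => /usr/lib/x86_64-linux-gnu/libndr-krb5pac.so.0 (0x00007ff418d64000)
        libkrb5-samba4.so.26 => /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26 (0x00007ff417ccd000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007ff41640e000)
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007ff413de2000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007ff413220000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007ff412de5000)
EOF
}

sample_ldd_output | classify_krb5_libs
printf 'implementations: %s\n' "$(sample_ldd_output | krb5_flavours)"
# On a live system: ldd /usr/sbin/smbd | classify_krb5_libs
# Statically linked code does not appear in ldd output, so an empty result
# does not prove that no Kerberos implementation is built in.
```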
Comment 28 Péter Jung 2016-12-13 22:31:02 UTC
(In reply to James McDonough from comment #27)
> (In reply to Björn Voigt from comment #26)
> > Why Samba AD DC works perfectly with MIT Kerberos in Ubuntu 16.04?
> > 
> smbd is providing only the file services, which they have apparently linked
> against the mit libs.
> 
> However, the 'samba' binary itself uses an embedded heimdal kdc.  That's the
> part we won't support.  It is likely to not even show up in ldd as it is
> probably linked in.
> 
> Work is currently being done to make this part work with the mit kdc, but
> that is not yet in any released branch.
> 
> I'll be working on separate, totally unsupported packaging of a build with
> the embedded heimdal, but it won't be in the official repos before MIT is
> supported upstream.

Is this repo available with the embedded Heimdal? It could be useful.
And/or could it be possible to provide an official repo with a Samba4 version without any Kerberos support, but with AD DC support? It would be very useful to get a version that has all the AD DC functions. Educational institutes rarely use kerberos, but most of them are using newer Windows clients, which can’t join an NT style domain.
Comment 29 Forgotten User -UpQBLGEK9 2017-09-25 14:47:39 UTC
Hi all,

It's been a while.

The other week I got an email from the samba notification list.
4.7.0 was released 

However the interesting bit was in the release notes:
https://www.samba.org/samba/history/samba-4.7.0.html

I noticed this bit :

Samba AD with MIT Kerberos
--------------------------

After four years of development, Samba finally supports compiling and
running Samba AD with MIT Kerberos. You can enable it with:

    ./configure --with-system-mitkrb5

Samba requires version 1.15.1 of MIT Kerberos to build with AD DC support.
The krb5-devel and krb5-server packages are required.
The feature set is not on par with the Heimdal build but the most important
things, like forest and external trusts, are working. Samba uses the KDC binary
provided by MIT Kerberos.

Missing features, compared to Heimdal, are:
  * PKINIT support
  * S4U2SELF/S4U2PROXY support
  * RODC support (not fully working with Heimdal either)

The Samba AD process will take care of starting the MIT KDC and it will load a
KDB (Kerberos Database) driver to access the Samba AD database.  When
provisioning an AD DC using 'samba-tool' it will take care of creating a correct
kdc.conf file for the MIT KDC.

For further details, see:
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC


As James McDonough mentioned in comment 25.
Until MIT kerberos is supported in the AD DC, we simply will not ship anything related to the AD DC code.


It is now being shipped with MIT-kerberos supported AD DC.

Looking forward to the release on suse :-P

Rob Verduijn
Comment 30 David Mulder 2017-09-25 19:18:20 UTC
> It is now being shipped with MIT-kerberos supported AD DC.
> 
> Looking forward to the release on suse :-P

We're working on getting this in tumbleweed, you can see some of the progress in the project here:
https://build.opensuse.org/package/show/home%3Ascabrero%3Abranches%3Amit-kdc/samba
Comment 31 David Mulder 2017-09-25 19:24:22 UTC
(In reply to David Mulder from comment #30)
> > It is now being shipped with MIT-kerberos supported AD DC.
> > 
> > Looking forward to the release on suse :-P
> 
> We're working on getting this in tumbleweed, you can see some of the
> progress in the project here:
> https://build.opensuse.org/package/show/home%3Ascabrero%3Abranches%3Amit-kdc/
> samba

You could also try out the experimental packages:
sudo zypper ar https://download.opensuse.org/repositories/home:/scabrero:/branches:/mit-kdc/openSUSE_Tumbleweed/
sudo zypper in samba-kdc
Comment 32 Samuel Cabrero 2017-10-27 08:39:19 UTC
Samba 4.7 has been released for Tumbleweed.
Comment 33 Krasimir Ivanov 2018-03-28 16:06:03 UTC
We had waited so long, but finally something positive has happened in Tumbleweed. It is good to see Samba 4.7 has been released for Tumbleweed.

But now is 2018 and probably in May openSUSE 15 may be released.

Could you please inform about any chance to have at least Samba 4.7 to be released for openSUSE 15?

A lot of people are looking desperately to have working Samba AD DC from openSUSE instead of from Ubuntu only.
Comment 34 Samuel Cabrero 2018-03-28 16:16:35 UTC
(In reply to Krasimir Ivanov from comment #33)
> We had waited so long, but finally something positive has happened in
> Tumbleweed. It is good to see Samba 4.7 has been released for Tumbleweed.
> 
> But now is 2018 and probably in May openSUSE 15 may be released.
> 
> Could you please inform about any chance to have at least Samba 4.7 to be
> released for openSUSE 15?
> 
> A lot of people are looking desperately to have working Samba AD DC from
> openSUSE instead of from Ubuntu only.

Hi Krasimir,

openSUSE Leap 15 will ship samba 4.7 with AD DC functionality enabled.