[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixing the Jessie Main Server?

[Wolfgang Schweer]
> Not quite sure, but I guess that the failure is due to Samba (v. 4.1.11) 
> now running as Active Directory Domain Controller by default. Seems to 
> be that additional statements must be contained in smb-debian-edu.conf 
> to tell Samba to work as NT4-style PDC like before in wheezy:
> # configure as NT4-style PDC
>    server role = classic primary domain controller
>    acl allow execute always = true

Great.  I'll upload it as soon as the current package migrate to
testing today or tomorrow.

> I'm wondering, if it wouldn't be good to set up Samba as AD DC, but
> for the moment I've tested the forced NT4-style role and was able to
> add a Samba account for the first user using smbpasswd -a <first
> user>. The modified account showed up in the ldap tree and smbclient
> -L tjener now lists the homedir share. Fix committed to git.

If I understand correctly, setting up Samba as a Active Directory
Domain Controller would provide both a LDAP and Kerberos server, in
addition to the LDAP and Kerberos server we already provide.  Can this
be done in a way that allow the LDAP servers to stay in sync?  Can we
have a trust relation between the Kerberos servers?

I am not against, but suspect that if we do not get the two services
to work together, we would be better off when enabling Samba as a AD
DC by switching completely to the LDAP and Kerberos service provided
by Samba.  That would require quite a lot of changes to our
infrastructure, and I am unsure if it would be possible for our users
to migrate user passwords from our MIT Kerberos setup to the Samba/AD
Kerberos database.  Anyone know?

Btw, regarding our Kerberos error on the main server, Andreas B. Mundt
just mentioned on IRC that <URL: https://bugs.debian.org/758992> would
probably hit us too.  It affect Kerberos with LDAP backend when using

He also mentioned that our cups test might always fail because cups is
socket activated with systemd, thus not running unless something try
to use it. :)

Happy hacking
Petter Reinholdtsen

Reply to: