
Re: Fixing the Jessie Main Server?



[Wolfgang Schweer]
> Not quite sure, but I guess that the failure is due to Samba (v. 4.1.11) 
> now running as Active Directory Domain Controller by default. Seems to 
> be that additional statements must be contained in smb-debian-edu.conf 
> to tell Samba to work as NT4-style PDC like before in wheezy:
> 
> # configure as NT4-style PDC
>    server role = classic primary domain controller
>    acl allow execute always = true

Great.  I'll upload it as soon as the current package migrates to
testing today or tomorrow.

> I'm wondering, if it wouldn't be good to set up Samba as AD DC, but
> for the moment I've tested the forced NT4-style role and was able to
> add a Samba account for the first user using smbpasswd -a <first
> user>. The modified account showed up in the ldap tree and smbclient
> -L tjener now lists the homedir share. Fix committed to git.

If I understand correctly, setting up Samba as an Active Directory
Domain Controller would provide both an LDAP and Kerberos server, in
addition to the LDAP and Kerberos server we already provide.  Can this
be done in a way that allows the LDAP servers to stay in sync?  Can we
have a trust relation between the Kerberos servers?

I am not against, but suspect that if we do not get the two services
to work together, we would be better off when enabling Samba as an AD
DC by switching completely to the LDAP and Kerberos service provided
by Samba.  That would require quite a lot of changes to our
infrastructure, and I am unsure if it would be possible for our users
to migrate user passwords from our MIT Kerberos setup to the Samba/AD
Kerberos database.  Anyone know?

Btw, regarding our Kerberos error on the main server, Andreas B. Mundt
just mentioned on IRC that <URL: https://bugs.debian.org/758992> would
probably hit us too.  It affects Kerberos with LDAP backend when using
systemd.

He also mentioned that our cups test might always fail because cups is
socket activated with systemd, thus not running unless something tries
to use it. :)

-- 
Happy hacking
Petter Reinholdtsen

