(Created page with "== Availability of Samba AD DC features to Fedora == === Introduction === Fedora 18+ users show big interest in Samba AD DC functionality being available on Fedora. This page...") |
|||
Line 26: | Line 26: | ||
==== Server modes ==== | ==== Server modes ==== | ||
{{admon/note|security | {{admon/note|security mode ''user''|File servers in security mode ''user'' are fully supported and will be in future.}} | ||
{{admon/caution|security | |||
{{admon/caution|security | {{admon/caution|security mode ''share''|THIS IS DEPRECATED!!! Please move to security mode ''user'' for current configurations. This feature is really old and shouldn't be used anymore. It has been already removed in Samba 4.0.}} | ||
{{admon/note|security | |||
{{admon/caution|security mode ''server''|THIS IS DEPRECATED!!! Please move to security mode ''user'' for current configurations. It has been already removed in Samba 4.0.}} | |||
{{admon/note|security mode ''ads''|We only support configurations where winbind is running. smbd without winbind is '''unsupported'''.}} | |||
===== Trusts ===== | ===== Trusts ===== |
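Review bot: in the cautions for security modes ''share'' and ''server'', the heading text "THIS IS DEPRECATED!!!" conflicts with the body, which says the mode "has been already removed in Samba 4.0". A reader skimming the heading will assume the setting still works. Suggest heading both cautions with "removed in Samba 4.0" and keeping the instruction to move to security mode ''user''. In the ''user'' note, "are fully supported and will be in future" would read more clearly as "are fully supported and will remain so".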
Revision as of 19:30, 22 November 2013
Availability of Samba AD DC features to Fedora
Introduction
Fedora 18+ users have shown strong interest in Samba AD DC functionality being available on Fedora. This page tracks our current progress in bringing Samba AD DC features to Fedora.
Executive summary
Samba in Fedora 18+ cannot yet be used for AD DC configuration
Supported setups in current Fedora releases starting with Fedora 18
General
We don't support deprecated options from Samba versions earlier than 4.0 if there are replacements for them. Please migrate to the new options. Feel free to ask about correct config files on the general Samba mailing lists, because these questions are not specific to Fedora.
Client
Winbind and related tools (security=ads (Active Directory) and security=domain (NT4-style Domain Controller))
We support all winbind setups, in particular a Linux client joined to an Active Directory domain. (We don't plan to have client GPO support yet.) This includes all tools needed to get information out of a domain, such as wbinfo, joining and managing accounts with the 'net' command, and pam_winbind for logging in.
We also support Samba as an NT4 domain member for existing installations (security = domain).
Client libraries
The following libraries are supported: libsmbclient, libsmbsharemodes, libnetapi and libwbclient. They are needed by Desktop Environments or Display Managers for logging in.
Also for user login: libnss_winbind.so, libnss_wins.so and pam_winbind.so.
Server modes
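An added example, not part of the original page: a small check of an smb.conf [global] section against the security-mode notes given for this revision (user supported; share and server removed in Samba 4.0; ads supported only with winbind running). The function names, the winbind_running flag and the sample configs are assumptions constructed for illustration.

```python
import re

# Support status per security mode, taken from the notes on this page.
STATUS = {
    "user": "supported",
    "domain": "supported",      # NT4 domain member, existing installations
    "share": "removed",         # removed in Samba 4.0, move to "user"
    "server": "removed",        # removed in Samba 4.0, move to "user"
    "ads": "needs-winbind",     # smbd without winbind is unsupported
}

def global_security(conf_text):
    """Return the last `security` value set in [global], lower-cased, or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            # smb.conf ignores case and whitespace in parameter names
            if re.sub(r"\s+", "", key).lower() == "security":
                value = val.strip().lower()
    return value

def check(conf_text, winbind_running):
    """Return (mode, status); winbind_running is supplied by the caller (assumption)."""
    mode = global_security(conf_text)
    if mode is None:
        return (None, "unset")
    status = STATUS.get(mode, "unknown")
    if status == "needs-winbind":
        status = "supported" if winbind_running else "unsupported"
    return (mode, status)

# Constructed sample configurations (not from a real system).
LEGACY = "[global]\n  workgroup = EXAMPLE\n  security = share\n"
MEMBER = "# AD member\n[global]\n  Security = ADS\n  realm = EXAMPLE.TEST\n"
SHARE_ONLY = "[global]\n  workgroup = EXAMPLE\n[docs]\n  security = share\n"

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("member", MEMBER)):
        print(name, check(conf, winbind_running=False))
```

Line continuations and include directives in smb.conf are not handled here; the check reads a single file's [global] section only.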
Trusts
Please also note that Samba AD DC configurations, whether hosted on other platforms or built from your own compiled version, do not currently support forest-level trusts to another Active Directory-compatible setup. Thus, they cannot be used to establish trust with FreeIPA deployments yet.
Printing
We fully support Samba as a print server with the CUPS and LPRng backends.
LDAP integration
Configuring Samba PDC with the ldapsam PASSDB module is supported. However, use of smbldap-tools is unsupported. As we don't package them, we are fine with fixing Samba-specific issues if you can prove that the problem is a Samba issue (by providing logs, backtraces and a reproducer).
Samba DCE libraries
Every Samba library used by Fedora packages is supported. External usage is not supported unless it is explicitly stated below. We support libraries used by openchange, evolution-mapi, FreeIPA and SSSD.
Additionally we support all public libraries of the samba-libs package.
Progress since Fedora 18
- A unified Samba package set is provided. Each package is prefixed with samba-. There are no separate samba-* and samba4-* package sets anymore.
- Samba 4.x is built with MIT Kerberos for Samba server modes outlined above.
- Work has started in Samba upstream on bringing a newer embedded Heimdal build to Samba so that there is less difference between the MIT Kerberos and Heimdal APIs. Once this is done, we'll be able to gradually turn on more parts of Samba AD DC.
- Work is being done on allowing use of the MIT Kerberos KDC instead of the embedded Heimdal KDC within Samba AD DC. This will be done with the help of the CWrap project, which provides preloading libraries to divert certain networking and identity-related functions to separate processes. The original versions of these libraries are used within Samba to perform functional tests of the whole Samba suite.
- Work has started to extend Samba AD DC to allow forest trust setup with other forests.
Please note that most work is done directly in Samba upstream. You can check the Samba planning outline at https://wiki.samba.org/index.php/Samba_Next_Goals