Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-17 Thread Mike
On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hoga...@gmail.com
wrote:

 It wasn't the bind package directly but rather an issue with the libkrb5
 libraries.

 This is the specific bug that fixed the issue:

 https://bugzilla.redhat.com/show_bug.cgi?id=1087068

 I'll get the samba wiki updated to make this clear.



Zoinks!  I didn't realize I was corresponding with the fellow who actually
maintains this section of the Samba Wiki.  :-)
Thanks for your expertise and synergy between the OS and the Samba software.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-17 Thread James Hogarth
On 17 Apr 2015 13:04, Mike 1100...@gmail.com wrote:

 On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hoga...@gmail.com
 wrote:

  It wasn't the bind package directly but rather an issue with the libkrb5
  libraries.
 
  This is the specific bug that fixed the issue:
 
  https://bugzilla.redhat.com/show_bug.cgi?id=1087068
 
  I'll get the samba wiki updated to make this clear.
 


 Zoinks!  I didn't realize I was corresponding with the fellow who actually
 maintains this section of the Samba Wiki.  :-)
 Thanks for your expertise and synergy between the OS and the Samba
 software.

Just to be clear I don't do that.

However I have had a fair bit of my professional life in the realm of samba
in an AD context on CentOS this past year.

I happen to know someone who does maintain that wiki though so will give
him the heads up over drinks in a few weeks ;)


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-17 Thread James Hogarth
On 17 Apr 2015 00:42, Mike 1100...@gmail.com wrote:

 On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth james.hoga...@gmail.com
 wrote:

  This was required for kerberos secured updates prior to el7.1 and el6.6 ...
 
  The problem in the underlying kerberos libraries was resolved so that
  kerberos based updates worked with gss again and spnego doesn't need to be
  compiled in.
 


 James,  thank you for your reply.
 This sounds like good news for me; I can stay planted in the accepted
 CentOS repo. biosphere.

 | | | | | | | | | | | | | | |

 I installed bind-9.9.4 package from the CentOS repo.
 I've been reading the Changes and Readme file but don't see where this
 issue is addressed.

 Can you point me to the CentOS announcements or release notes that deal
 with the bind package and gss-spnego?
 I'd like to try to understand and possibly aggregate the right info to send
 to the samba wiki maintainers.

 | | | | | | | | | | | | | | | | | | | | | | | | |


It wasn't the bind package directly but rather an issue with the libkrb5
libraries.

This is the specific bug that fixed the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1087068

I'll get the samba wiki updated to make this clear.


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-17 Thread Mike
K, clear.
Still very much appreciative of your experience and insight.
I'm a wannabe who never has enough time amongst my duties to get my
sys-admin skills tight.

Cheers,

Mike


On Fri, Apr 17, 2015 at 9:36 AM, James Hogarth james.hoga...@gmail.com
wrote:

 On 17 Apr 2015 13:04, Mike 1100...@gmail.com wrote:
 
  On Fri, Apr 17, 2015 at 7:46 AM, James Hogarth james.hoga...@gmail.com
  wrote:
 
   It wasn't the bind package directly but rather an issue with the libkrb5
   libraries.
  
   This is the specific bug that fixed the issue:
  
   https://bugzilla.redhat.com/show_bug.cgi?id=1087068
  
   I'll get the samba wiki updated to make this clear.
  
 
 
  Zoinks!  I didn't realize I was corresponding with the fellow who actually
  maintains this section of the Samba Wiki.  :-)
  Thanks for your expertise and synergy between the OS and the Samba
  software.

 Just to be clear I don't do that.

 However I have had a fair bit of my professional life in the realm of samba
 in an AD context on CentOS this past year.

 I happen to know someone who does maintain that wiki though so will give
 him the heads up over drinks in a few weeks ;)


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread Johnny Hughes
On 04/16/2015 12:53 AM, Mike wrote:
 CentOS 7.1503 installed.
 Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
 configured).
 
 The samba wiki Readme First page states, Some distributions like . . . Red
 Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
 GSS-SPNEGO option, which is required for signed DNS updates when using BIND
 as DNS backend on your Samba DC. This circumstance requires to self compile
 BIND9.
 
 Is there any way to use a yum command to install Bind9 with gss-spnego
 enabled?
 
 I'm worried about installing from source and creating future problems when
 trying to update other CentOS packages that may be affected by the source
 install of Bind9. Is it safe to obtain a bind9 source tarball for install
 on an rpm-based CentOS 7 server?
 
 If anyone has installed Bind for use with Samba 4 on CentOS 7, please let
 me know what worked.
 
 Thanks for your time and patience.

That is a bind build option, the only way to enable it is to build it.

Is there some reason you don't want to use the samba-4.1 that is shipped
in CentOS-7?






Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread Mike
Hi Johnny,

Thank you for your response.  I thought to choose the sernet package
because of the following stated in Samba Readme:

Samba packages shipped in some distributions like e. g. Fedora, RHEL may
not be able to be used as Samba AD DC, because the distribution relies on
MIT Kerberos which isn't supported by Samba yet. In this case build Samba
yourself or use the packages from SerNet or other reliable sources.

I do want to use samba as an AD DC.
Does the above not apply to CentOS distro?

Thanks for reading.
On Apr 16, 2015 4:35 AM, Johnny Hughes joh...@centos.org wrote:

 On 04/16/2015 12:53 AM, Mike wrote:
  CentOS 7.1503 installed.
  Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
  configured).
 
  The samba wiki Readme First page states, Some distributions like . . . Red
  Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
  GSS-SPNEGO option, which is required for signed DNS updates when using BIND
  as DNS backend on your Samba DC. This circumstance requires to self compile
  BIND9.
 
  Is there any way to use a yum command to install Bind9 with gss-spnego
  enabled?
 
  I'm worried about installing from source and creating future problems when
  trying to update other CentOS packages that may be affected by the source
  install of Bind9. Is it safe to obtain a bind9 source tarball for install
  on an rpm-based CentOS 7 server?
 
  If anyone has installed Bind for use with Samba 4 on CentOS 7, please let
  me know what worked.
 
  Thanks for your time and patience.

 That is a bind build option, the only way to enable it is to build it.

 Is there some reason you don't want to use the samba-4.1 that is shipped
 in CentOS-7?





Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread Johnny Hughes
On 04/16/2015 06:33 AM, Mike wrote:
 Hi Johnny,
 
 Thank you for your response.  I thought to choose the sernet package
 because of the following stated in Samba Readme:
 
 Samba packages shipped in some distributions like e. g. Fedora, RHEL may
 not be able to be used as Samba AD DC, because the distribution relies on
 MIT Kerberos which isn't supported by Samba yet. In this case build Samba
 yourself or use the packages from SerNet or other reliable sources.
 
 I do want to use samba as an AD DC.
 Does the above not apply to CentOS distro?
 
 Thanks for reading.
 On Apr 16, 2015 4:35 AM, Johnny Hughes joh...@centos.org wrote:
 
 On 04/16/2015 12:53 AM, Mike wrote:
 CentOS 7.1503 installed.
 Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
 configured).

 The samba wiki Readme First page states, Some distributions like . . . Red
 Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
 GSS-SPNEGO option, which is required for signed DNS updates when using BIND
 as DNS backend on your Samba DC. This circumstance requires to self compile
 BIND9.

 Is there any way to use a yum command to install Bind9 with gss-spnego
 enabled?

 I'm worried about installing from source and creating future problems when
 trying to update other CentOS packages that may be affected by the source
 install of Bind9. Is it safe to obtain a bind9 source tarball for install
 on an rpm-based CentOS 7 server?

 If anyone has installed Bind for use with Samba 4 on CentOS 7, please let
 me know what worked.

 Thanks for your time and patience.

 That is a bind build option, the only way to enable it is to build it.

 Is there some reason you don't want to use the samba-4.1 that is shipped
 in CentOS-7?

Nope, you are correct.  The samba in CentOS-7 currently does not work as
an Active Directory Domain Controller.  If you already have a domain
controller, you can make the CentOS-7 samba connect to that DC and serve
as a File or Print server.

So, if you want a linux samba DC, then that would mean that you will
need to use sernet and maintain bind yourself for that feature.

Whether that is safe or not is up to you.

I have no idea specifically about the GSS-SPNEGO .. I can tell you that
if you look at current bind spec file, you can see in lines 409-412
how/why --disable-isc-spnego gets selected.

I do not know what the answer is, if gssapi and gss-spnego can coexist,
or if one is better than the other in a given situation, etc.

BUT .. If I was going to solve this problem, I would do so asking the
sernet guys and I would rebuild the bind sources in CentOS with the
proper configure switches so it would likely still meet all the other
software requires for CentOS that bind needs to meet.  You could also
then only track when CentOS releases a new bind (because RH has released
new source code) .. and thereby not have to track bind upstream tarball
releases for security.










Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread Mike
On Thu, Apr 16, 2015 at 9:29 AM, Johnny Hughes joh...@centos.org wrote:

 On 04/16/2015 06:33 AM, Mike wrote:


 BUT .. If I was going to solve this problem, I would do so asking the
 sernet guys and I would rebuild the bind sources in CentOS with the
 proper configure switches so it would likely still meet all the other
 software requires for CentOS that bind needs to meet.  You could also
 then only track when CentOS releases a new bind (because RH has released
 new source code) .. and thereby not have to track bind upstream tarball
 releases for security.



Sounds like good advice for me to follow up on.
Thanks for the thoughtful response.  :-)

Mike


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread James Hogarth
On 16 Apr 2015 14:29, Johnny Hughes joh...@centos.org wrote:

 On 04/16/2015 06:33 AM, Mike wrote:
  Hi Johnny,
 
  Thank you for your response.  I thought to choose the sernet package
  because of the following stated in Samba Readme:
 
  Samba packages shipped in some distributions like e. g. Fedora, RHEL may
  not be able to be used as Samba AD DC, because the distribution relies on
  MIT Kerberos which isn't supported by Samba yet. In this case build Samba
  yourself or use the packages from SerNet or other reliable sources.
 
  I do want to use samba as an AD DC.
  Does the above not apply to CentOS distro?
 
  Thanks for reading.
  On Apr 16, 2015 4:35 AM, Johnny Hughes joh...@centos.org wrote:
 
  On 04/16/2015 12:53 AM, Mike wrote:
  CentOS 7.1503 installed.
  Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
  configured).
 
  The samba wiki Readme First page states, Some distributions like . . . Red
  Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
  GSS-SPNEGO option, which is required for signed DNS updates when using BIND
  as DNS backend on your Samba DC. This circumstance requires to self compile
  BIND9.
 
  Is there any way to use a yum command to install Bind9 with gss-spnego
  enabled?
 

This was required for kerberos secured updates prior to el7.1 and el6.6 ...

The problem in the underlying kerberos libraries was resolved so that
kerberos based updates worked with gss again and spnego doesn't need to be
compiled in.


Re: [CentOS] Install Bind with gss-spnego enabled

2015-04-16 Thread Mike
On Thu, Apr 16, 2015 at 6:03 PM, James Hogarth james.hoga...@gmail.com
wrote:

 This was required for kerberos secured updates prior to el7.1 and el6.6 ...

 The problem in the underlying kerberos libraries was resolved so that
 kerberos based updates worked with gss again and spnego doesn't need to be
 compiled in.



James,  thank you for your reply.
This sounds like good news for me; I can stay planted in the accepted
CentOS repo. biosphere.

| | | | | | | | | | | | | | |

I installed bind-9.9.4 package from the CentOS repo.
I've been reading the Changes and Readme file but don't see where this
issue is addressed.

Can you point me to the CentOS announcements or release notes that deal
with the bind package and gss-spnego?
I'd like to try to understand and possibly aggregate the right info to send
to the samba wiki maintainers.

| | | | | | | | | | | | | | | | | | | | | | | | |

named -V on the installed package produces:

BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version) id:8f9657aa
built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--program-prefix='
'--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'

SNIP

'--with-gssapi=yes' '--disable-isc-spnego'

using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
using libxml2 version: 2.9.1
END

Does the above output show that gss-spnego is actually enabled?
Thanks for your help.
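
Added example (not part of the original post, and not code from the CentOS or BIND projects): a small shell helper that reads `named -V` output like the one quoted above and reports how the GSS switches were set at build time. The function names and the embedded sample are constructed for illustration; in BIND's configure script, --disable-isc-spnego selects the SPNEGO code of the system GSSAPI library instead of the copy bundled with BIND.

```shell
#!/bin/sh
# Added example: classify the GSS-related build switches in `named -V` output.

# Constructed sample, abridged from the output quoted in the thread.
sample_named_v() {
cat <<'EOF'
BIND 9.9.4-RedHat-9.9.4-18.el7_1.1 (Extended Support Version) id:8f9657aa
built with '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--prefix=/usr' '--sysconfdir=/etc'
'--with-gssapi=yes' '--disable-isc-spnego'
using OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
EOF
}

# Read `named -V` text on stdin; print each quoted configure switch on its own line.
configure_flags() {
    grep -o "'--[^']*'" | tr -d "'"
}

# GSS-API (Kerberos) support, which Kerberos-secured DNS updates need.
gssapi_state() {
    state=unspecified
    for f in $(configure_flags); do
        case "$f" in
            --without-gssapi|--with-gssapi=no) state=disabled ;;
            --with-gssapi|--with-gssapi=*)     state=enabled ;;
        esac
    done
    echo "$state"
}

# Which SPNEGO code is used: "bundled" = ISC's own copy inside BIND,
# "system" = the GSSAPI library's (libkrb5 on CentOS).
spnego_source() {
    state=unspecified
    for f in $(configure_flags); do
        case "$f" in
            --disable-isc-spnego|--enable-isc-spnego=no) state=system ;;
            --enable-isc-spnego|--enable-isc-spnego=*)   state=bundled ;;
        esac
    done
    echo "$state"
}

printf 'gssapi=%s spnego=%s\n' \
    "$(sample_named_v | gssapi_state)" "$(sample_named_v | spnego_source)"
```

On a live host the same functions take the real output, for example `named -V | spnego_source`; a result of "system" means SPNEGO behaviour depends on the installed krb5 libraries rather than on the bind package.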


[CentOS] Install Bind with gss-spnego enabled

2015-04-15 Thread Mike
CentOS 7.1503 installed.
Installed Samba 4 from sernet: Version 4.1.17-SerNet-RedHat-11.el7 (to be
configured).

The samba wiki Readme First page states, Some distributions like . . . Red
Hat Enterprise Linux (and clones), ship BIND9 packages with disabled
GSS-SPNEGO option, which is required for signed DNS updates when using BIND
as DNS backend on your Samba DC. This circumstance requires to self compile
BIND9.

Is there any way to use a yum command to install Bind9 with gss-spnego
enabled?

I'm worried about installing from source and creating future problems when
trying to update other CentOS packages that may be affected by the source
install of Bind9. Is it safe to obtain a bind9 source tarball for install
on an rpm-based CentOS 7 server?

If anyone has installed Bind for use with Samba 4 on CentOS 7, please let
me know what worked.

Thanks for your time and patience.