request for enhancement for samba4 domain controller support to be included in RHEL
1.) Who is the customer?
Linking support cases to this bz for tracking
2.) What is the exact nature of the problem trying to be solved with this request?
Customers would like to manage their Windows workstation infrastructure using RHEL as the AD server.
3.) What, if any, business requirements are satisfied by this request?
Leveraging RHEL subscriptions so there is no need to purchase additional windows servers licenses.
4.) List the functional requirement(s) for performing the action(s) that are not presently possible.
Currently unable to create an AD infrastructure using RHEL server side.
5.) Each functional requirement must have clear acceptance criteria so Red Hat understands what success looks like.
Success will be managing windows workstations using Active Directory that is run on a RHEL server.
6.) What is the desired release vehicle to satisfy these requirements? Major or Minor release?
Whatever is most appropriate depending on the technical nature of the current limitations of samba4 using mit kerberos.
7.) Please justify with reference to the release vehicle policy described in the RHEL Inclusion Criteria wiki page
This depends on upstream and also work from engineering. No specific major or minor release specified at this time.
8.) What package(s) are affected by this RFE?
Need single sign-on for all workstations regardless of host OS. RHEL IPA can manage UNIX/Linux domains and share account data with AD. AD lives in an essentially MS exclusive world where support for other environments is usually broken if it is there at all. RHEL with IPA and Samba4 can provide better cross platform support than MS-AD does. With Samba ported to so many environments, there is far better understanding of non-MS environments in that community than there is in the MS camp. This expertise should be leveraged.
Military customers often use a single MS windows guest VM to act as the AD DC, even in tactical environments. It would be great to offer this functionality in RHEL and eliminate the need for the Windows VM.
Cross-filed case #01285697 on the Red Hat customer portal as it seems to affect us, too.
Dear Red Hat
Does Samba 4x provide audit tools such as Event Viewer?
We need to audit some events such as: domain user login/logoff, change/reset password, create/delete user, domain computer shutdown/restart...
It is a crucial requirement for security!
I followed this link:
But maybe it cannot log the above events in domain AD
Samba has basic protocol support for the two eventlog protocols (MS-EVEN and MS-EVEN6) and some server side support tools for filling up eventlog databases (eventlogadm) but currently no event viewer GUI. There are also some ideas how to record audit events in the fashion Windows does but no full implementation of that is available right now.
Thanks for your info!
I also want to know 2 AD features in Samba4x
High Availability tech
1. DFS is usable?
2. AD Read-only DC
I tested this feature but I did not succeed at the credential caching stage
I think I do not have enough Samba knowledge for configuration 1 and 2
Also some replicate operations need to improve
3. AD Multi-site
I found some bugs such as
Can you confirm they are verified?
Thank you for your best effort about AD alternative solution
a) DFS features are available on the same level as current Samba in RHEL 7.1. I'm
sure there will be more bug fixes and improvements by upstream anytime soon.
b) This is not supported by upstream yet. We do not have an ETA for this.
c) Nobody is working on RODC support right now. Upstream is aware that it is
non-working. No ETA for this item. The focus is to support trusted domains first.
Thanks, the last question is about backup/restore.
As far as I know, with Samba4 it is highly recommended to use an additional DC as the AD backup solution.
Is there any effort toward more tools or features for backup/restore on a single DC?
*** Bug 1651036 has been marked as a duplicate of this bug. ***
From what I can see in the RHEL 8 beta, there is no Samba AD domain controller
support, yet. Why?
Red Hat has evaluated the RFE and came to the conclusion that including Samba AD DC into Red Hat Enterprise Linux would create a significant support challenge due to complexity and broad set of the use cases that are expected to be supported by the solution. To avoid undesirable customer experience, Red Hat will not include Samba AD DC into Red Hat Enterprise Linux in any foreseeable future. Based on this conclusion this RFE is now being closed.
Red Hat acknowledges the value of Samba AD DC to Red Hat customers and welcomes partners that have targeted expertise in this area to join forces to provide an integrated Identity Management solution for heterogeneous environments that would meet the variety of customer use cases. All interested parties are welcome to contact Red Hat via available communication channels.
Based on the feedback and desire of Red Hat customers to invest into development of this technology, or if market conditions or partner integration will not be sufficient to meet customer requirements, Red Hat might reconsider its position in future.
This is really depressing.
Red Hat's FreeIPA team and Samba have been working on making this possible for many years. And now it's not even going to ship in RHEL 8?
I was really hoping for RHEL IdM to be able to fully replace AD just out of the box.
I'm supremely disappointed that Red Hat has elected to not offer this with RHEL 8, as it's a major missed opportunity.