Bug 910464 - [RFE] Add Samba AD domain controller support
Summary: [RFE] Add Samba AD domain controller support
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: samba   
(Show other bugs)
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: alpha
: 8.1
Assignee: Andreas Schneider
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Keywords: FutureFeature
: 1651036 (view as bug list)
Depends On: 1378373
Blocks: 1203710 1400961 1451294 1398314
TreeView+ depends on / blocked
 
Reported: 2013-02-12 17:26 UTC by Jeremy Agee
Modified: 2019-04-16 14:01 UTC (History)
29 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-26 09:43:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3705031 None None None 2018-11-29 09:15 UTC

Description Jeremy Agee 2013-02-12 17:26:08 UTC
request for enhancement for samba4 domain controller support to be included in RHEL

1.) Who is the customer?
Linking support cases to this bz for tracking

2.) What is the exact nature of the problem trying to be solved with this request?
Customers would like to manage there windows workstation infrastructure using RHEL as the AD server.

3.) What, if any, business requirements are satisfied by this request?
Leveraging RHEL subscriptions so there is no need to purchase additional windows servers licenses.

4.) List the functional requirement(s) for performing the action(s) that are not presently possible.
Currently unable to create and AD infrastructure using RHEL server side.

5.) Each functional requirement must have clear acceptance criteria so Red Hat understands what success looks like.
Success will be managing windows workstations using Active Directory that is run on a RHEL server.

6.) What is the desired release vehicle to satisfy these requirements? Major or Minor release?
Whatever is most appropriate depending on the technical nature of the current limitations of samba4 using mit kerberos.

7.) Please justify with reference to the release vehicle policy described in the RHEL Inclusion Criteria wiki page
This depends on upstream and also work from engineering. no specific major or minor release specified at this time.

8.) What package(s) are affected by this RFE?
samba4

Comment 3 Roger Odle 2013-09-06 18:23:29 UTC
Need single sign-on for all workstations regardless of host OS.  RHEL IPA can mangage UNIX/Linux domains and share account data with AD.  AD lives in an essentially MS exclusive world where support for other environments is usually broken if it is there at all.  RHEL with IPA and Samba4 can provide better cross platform support than MS-AD does.  With Samba ported to so many environments, there is far better understanding of non-MS environments in that community than there is in the MS camp.  This expertise should be leveraged.

Comment 4 Rich Lucente 2013-09-12 19:57:48 UTC
Military customers often use a single MS windows guest VM to act as the AD DC, even in tactical environments.  It would be great to offer this functionality in RHEL and eliminate the need for the Windows VM.

Comment 5 Robert Scheck 2014-11-12 11:04:06 UTC
Cross-filed case #01285697 on the Red Hat customer portal as it seems to
affect us, too.

Comment 6 Trung Hieu 2015-03-11 07:40:52 UTC
Dear Red Hat

Do Samba 4x provide audit tools such as Event Viewer?
We need to audit some events such as: domain user login/logoff, change/reset password, create/delete user, domain computer shutdown/restart...

It is crucial requirement for security!

I followed this link:
https://wiki.samba.org/index.php/Event_Logging

But maybe it can not logging above events in domain AD

Comment 7 Guenther Deschner 2015-03-11 08:18:10 UTC
Hi Trung,

Samba has basic protocol support for the two eventlog protocols (MS-EVEN and MS-EVEN6) and some server side support tools for filling up eventlog databases (eventlogadm) but currently no event viewer GUI. There are also some ideas how to record audit events in the fashion Windows does but no full implementation of that is available right now.

Comment 8 Trung Hieu 2015-03-12 03:27:35 UTC
Thanks for your info!

I also want to know 2 AD features in Samba4x

High Availability tech 

1. DFS is usable?
https://wiki.samba.org/index.php/DFS

2. AD Read-only DC
https://wiki.samba.org/index.php/Samba4_DRS_TODO_List
I tested this feature but I not succeed at Credential caching stage
I think I'm not enough samba knowledge for configuration 1 and 2
Also some replicate operations need to improve

3. AD Multi-site
I found some bugs such as
https://bugzilla.samba.org/show_bug.cgi?id=10419
https://bugzilla.samba.org/show_bug.cgi?id=10251
Can you confirm they are verified?

Thank you for your best effort about AD alternative solution

Comment 9 Andreas Schneider 2015-03-12 07:59:56 UTC
Hi Trung,

a) DFS features are available on the same level as current Samba in RHEL 7.1. I'm
   sure there will be more bug fixes and improvements by upstream anytime soon.

b) This is not supported by upstream yet. We do not have an ETA for this.

c) Nobody is working on RODC support right now. Upstream is aware that it is non
   working. No ETA for this item. The focus is to support trusted domains first.

Comment 10 Trung Hieu 2015-03-12 09:08:27 UTC
thanks the last question is about backup/restore

As I know Samba4 is highly recommend using additional DC as AD backup solution

https://wiki.samba.org/index.php/Backup_and_Recovery

Is there effort for more tools or features for backup/restore on single DC?

Comment 21 Andreas Schneider 2018-11-19 15:50:49 UTC
*** Bug 1651036 has been marked as a duplicate of this bug. ***

Comment 22 Robert Scheck 2018-11-21 09:28:04 UTC
From what I can see at RHEL 8 beta [1], there is no Samba AD domain controller
support, yet. Why?

[1] http://downloads.redhat.com/redhat/rhel/rhel-8-beta/baseos/x86_64/Packages/

Comment 23 Martin Kosek 2018-11-26 09:43:03 UTC
Red Hat has evaluated the RFE and came to conclusion that including Samba AD DC into Red Hat Enterprise Linux would create a significant support challenge due to complexity and broad set of the use cases that are expected to be supported by the solution. To avoid undesirable customer experience, Red Hat will not include Samba AD DC into Red Hat Enterprise Linux in any foreseeable future. Based on this conclusion this RFE is now being closed.

Red Hat acknowledges the value of Samba AD DC to Red Hat customers and welcomes partners that have targeted expertise in this area to join forces to provide an integrated Identity Management solution for heterogeneous environments that would meet the variety of customer use cases. All interested parties are welcome to contact Red Hat via available communication channels.

Based on the feedback and desire of Red Hat customers to invest into development of this technology, or if market conditions or partner integration will not be sufficient to meet customer requirements, Red Hat might reconsider its position in future.

Comment 24 Neal Gompa 2018-11-27 01:20:51 UTC
This is really depressing.

Red Hat's FreeIPA team and Samba have been working on making this possible for many years. And now it's not even going to ship in RHEL 8?

I was really hoping for RHEL IdM to be able to fully replace AD just out of the box.

I'm supremely disappointed that Red Hat has elected to not offer this with RHEL 8, as it's a major missed opportunity.


Note You need to log in before you can comment on or make changes to this bug.