CentOS 7 Repositories: Signing RPMs and RPMs creating the repository

davy
Messages: 3
Registration: Apr 15, 2018 - 6:14 p.m.

April 15, 2018 - 7:15 PM

Good morning,

I have a few constructive remarks ;-) Things to do regarding the Samba repository for CentOS 7:
  • Why not sign the repository's RPMs? You're using Jenkins; a plugin allows you to do it automatically;
  • An RPM that allows you to create the repository with its GPG key (once the first point is settled) is a common and very practical practice; this would allow you to create the repository with a simple:

    rpm -ivh --nosignature http://samba.tranquil.it/centos7/tis-samba-release-1-1.el7.centos.x86_64.rpm

    (see the RPM source code that enables the creation of the elrepo repository, for example);
  • The stable link in http://samba.tranquil.it/centos7/ points to samba-4.7.6 and not samba-4.8.0.
Freely,

Davy Defaud
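
An added example, not part of the original post and not Tranquil IT's packaging: a check for the repo definition that a release RPM like the one proposed above would install, flagging any enabled section that does not enforce package signatures. The repo id, the stable/ path and the key file name in the samples are assumptions.

```shell
# Added example: flag yum repo definitions that accept unsigned packages.
# Strict on purpose: gpgcheck must be 1 in the repo section itself ([main] is ignored).
audit_repo() {   # usage: audit_repo FILE -> one "section: reason" line per finding
    awk '
    function report() {
        if (section == "" || enabled == "0") return   # nothing parsed, or repo disabled
        if (gpgcheck != "1")  print section ": gpgcheck is not 1"
        else if (gpgkey == "") print section ": gpgcheck=1 but no gpgkey"
    }
    /^[ \t]*[#;]/ { next }                             # comment line
    /^[ \t]*\[.*\][ \t]*$/ {                           # [section] header
        report()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section)
        gpgcheck = ""; gpgkey = ""; enabled = "1"
        next
    }
    /=/ {                                              # key=value line
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey = val
        if (key == "enabled")  enabled = val
    }
    END { report() }
    ' "$1"
}

# Constructed samples. The repo id, the stable/ path and the key file name are
# hypothetical; only the host and centos7/ directory come from the post.
tmp=$(mktemp -d)
cat > "$tmp/unsigned.repo" <<'EOF'
[tis-samba]
name=Samba for CentOS 7 (constructed sample)
baseurl=http://samba.tranquil.it/centos7/stable/
enabled=1
gpgcheck=0
EOF
cat > "$tmp/signed.repo" <<'EOF'
[tis-samba]
name=Samba for CentOS 7 (constructed sample)
baseurl=http://samba.tranquil.it/centos7/stable/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
EOF
audit_repo "$tmp/unsigned.repo"
audit_repo "$tmp/signed.repo"
```

On a real host the function can be run over each file in /etc/yum.repos.d/, and `rpm -K` on a downloaded package shows whether it carries a signature at all.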
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

April 17, 2018 - 7:58 PM

Hello Davy,
Davy wrote: Apr 15, 2018 - 7:15 PM I have a few constructive remarks ;-) Things to do regarding the Samba repository for CentOS 7:
  • Why not sign the repository's RPMs? You're using Jenkins; a plugin allows you to do it automatically;
More due to lack of time than anything else. The wiki is based on the Debian repositories, so we've properly signed them to ensure the tutorials run smoothly. The RPMs are copies of those we use with our clients.
Davy wrote: Apr 15, 2018 - 7:15 PM
  • An RPM allowing the repository to be created with its GPG key (once the first point is settled) is a common and very practical practice; this would allow the repository to be created with a simple:

    rpm -ivh --nosignature http://samba.tranquil.it/centos7/tis-samba-release-1-1.el7.centos.x86_64.rpm

    (see the RPM source code that enables the creation of the elrepo repository, for example);
  • The stable link in http://samba.tranquil.it/centos7/ points to samba-4.7.6 and not samba-4.8.0.
This is intentional. There's a bug with in-place upgrades to version 4.8.0 that will corrupt your LDB database; see my email https://lists.samba.org/archive/samba/2...14858.html We don't want to encourage people to shoot themselves in the foot. We should be able to change the link when version 4.8.1 is released.

Sincerely,

Denis
Denis Cardon - Tranquil IT
davy
Messages: 3
Registration: Apr 15, 2018 - 6:14 p.m.

May 18, 2018 - 6:06 PM

Hi Denis,

I was surprised not to have received a reply to my message. I was expecting an email notification, but I just realized that you have to specify that you want to receive one… :oops:

So, thank you for your reply. I saw that the tranquil.it RPM repository for Samba 4.8.0 had been renamed "DO_NOT_USE_samba-4.8.0," and I suspected something was up. Version 4.8.2 has been released, so I assume (in fact, I hope ;)) that RPM packages will be available very soon. I need to establish a trust relationship between a new Samba domain and an existing Active Directory. Actually, I would have preferred to create a child Samba subdomain of the AD domain, but the code author confirmed that this is unfortunately not yet supported:
https://lists.samba.org/archive/samba/2 ... 15381.html

In the meantime, Samba 4.8.0 is causing me a lot of trouble, and the problem you pointed out might be related. So, I'm taking the liberty of asking you for an "ETA" (Electronic Time to Release) for RPM packages of version 4.8.2. I have no concerns about its stability, since I'm already in an unstable situation and it's a brand new Samba AD that I can still tinker with. Being a guinea pig doesn't bother me in this case.

Sincerely,

Davy
vcardon
WAPT Expert
Messages: 278
Registration: Oct 06, 2017 - 10:55 p.m.
Location: Nantes, France

May 22, 2018 - 9:47 PM

Davy wrote: May 18, 2018 - 6:06 PM Actually, I would have preferred to create a Samba subdomain as a child of the AD domain, but the code author confirmed that this is unfortunately not yet supported:
https://lists.samba.org/archive/samba/2 ... 15381.html
And Davy, the RODC support as Andrew describes it was funded by your taxes, with money from the Ministry of Culture which has 170 sites and 8000 agents in Samba-AD, it's a super cool use of public money, and the funniest thing is that it works.

Moreover, a large part of the improvements in 4.8 and 4.9 are sponsored by the Ministry of the Environment and the Ministry of Finance, in addition to other sponsors that we know but cannot disclose.

Trust relationships are coming, and as Andrew points out, even when they exist it's better to have a single domain in all cases, safer and easier to manage.

Sincerely.
Vincent CARDON
Tranquil IT
davy
Messages: 3
Registration: Apr 15, 2018 - 6:14 p.m.

May 23, 2018 - 01:19

Vincent CARDON wrote: May 22, 2018 - 9:47 PM And Davy, the RODC support, as Andrew describes it, was funded by your taxes, with money from the Ministry of Culture, which has 170 sites and 8,000 Samba-AD staff. It's a really cool use of public funds, and the best part is, it works.

Furthermore, a large portion of the improvements in versions 4.8 and 4.9 are sponsored by the Ministry of the Environment and the Ministry of Finance, in addition to other sponsors we know about but cannot disclose.
Hi Vincent,

I am delighted that our taxes are being used for the development of Samba, for the benefit of all. I wish the government's actions had been more coordinated, as the Ministries of Defense and National Education are far less virtuous, unfortunately! And yet they are the most strategic, one concerning our security and independence, the other the early learning that will instill bad habits…

Vincent CARDON wrote: May 22, 2018 - 9:47 PM Trust relationships are coming, and as Andrew points out, even when they exist it's better to have a single domain in all cases, safer and easier to manage.
I must admit that I prefer the idea of having child domains with their own GPOs and other settings related to geographical locations, while maintaining centralized user authentication on the central Active Directory. But, well, as things stand, I'm afraid I don't have much of a choice.

Regarding the Tranquil IT RPM repository, Denis didn't seem opposed to my suggestions (signing RPMs and creating an RPM to automatically create the repository). Do you plan to do this, or do you think it's not worth the effort? Finally, one last question: since a 4.8.0 repository was created very early on, I expected to see a 4.8.2 version released just as soon. Is this currently in development, or not planned for the near future?

Sincerely,

Davy
Bruce Vrieling
Messages: 1
Registration: May 23, 2018 - 2:52 p.m.

May 23, 2018 - 3:12 PM

Hello,

I saw you were talking about Samba 4.8 and I wondered if it was ok if I made a request about your RPM packages. (And I hope this is ok that it is in English.)

One of the great new features of Samba 4.8 is that it allows Samba to act as a Time Machine Backup server for Apple devices via the new samba "fruity" extensions. However, these extensions are not currently enabled in your RPM packages (at least not in the 4.8 DO_NOT_USE versions you posted). Would you be willing to make a slight modification to the Samba .spec file you use in order to enable these extensions? Around line 827, add these lines:

    --enable-spotlight \
    --enable-avahi \

Thank you for your consideration.

...Bruce
vcardon
WAPT Expert
Messages: 278
Registration: Oct 06, 2017 - 10:55 p.m.
Location: Nantes, France

May 25, 2018 - 00:44

Davy wrote: May 23, 2018 - 1:19 AM I wish the government's actions had been more coordinated, because the Ministries of Defense and National Education are far less virtuous, unfortunately! And yet they are the most strategic, one concerning our security and independence, the other the early learning that will lead to bad habits…
With WAPT having passed security certification, some things become clearer. The Ministry of Defense is more or less obligated to use Common Criteria certified products, and currently that's Windows for Active Directory. However, some people are asking questions and starting to take an interest in Samba-AD, particularly among military equipment manufacturers.

Samba is currently undergoing a First Level Security Certification with ANSSI, a first step towards CCs.

Finally, don't worry more than necessary; the role of the Ministry of Education is solely to provide teachers. It's the Regional Councils that equip the high schools, the Departmental Councils that equip the middle schools, and the municipalities that equip the primary schools. They often know that real opportunities exist with open source. Microsoft's lobbying remains very strong and effective. Sometimes even our best service proposal won't prevail against a 97% discount on license prices.

Sincerely.

Vincent
Vincent CARDON
Tranquil IT