Hi Alex,
> The documentation is only conflicting if you are using it in a
> conflicting way.
> The choice of Kerberos library is important. Samba AD DC with MIT Kerberos still is broken regarding trust to FreeIPA.
It has no caveats or warnings on how samba is to be compiled/configured.
I thought Samba by default used Heimdal, but you warn that Kerberos is the broken implementation.
> The changes were pushed out with various Samba releases but I'd recommend looking at
> Samba 4.7+ -- at least that has all bugs we knew about fixed in Samba AD DC based on Heimdal
I am using Samba 4.8.3 compiled from source; is it recommended to instead use the Red Hat RPM one (currently appears to be 4.7.1)?
I configured with
>./configure --enable-debug --enable-selftest --with-ads --with-systemd --with-winbind
The other confusing part, at least to me, in regards to Samba setup: do you know a working configuration using the Samba internal DNS, or do you have to use the BIND9 DLZ backend? Regardless of Kerberos, I still think my preliminary issue is with DNS, as I see the errors
ipa: ERROR: Attempt to solve forest trust topology conflicts
[Fri Aug 10 11:58:43.125865 2018] [:error] [pid 6169] ipa: ERROR: non-public:
NTSTATUSError: (-1073741601, 'The specified domain did not exist.')
I understand this is the FreeIPA forum, and you can't be responsible for the documentation or limitations of Samba. It's just that YOUR documentation does say you can use Samba. Is that just in theory, or is there an actual working case of it somewhere?
Almost all of the documentation I've seen seems very specific to a "Windows 2008 DC" (or similar). Am I on a wild goose chase, or is there some exact, specific combination of how you configure Samba (Kerberos, DNS backend, etc.) that will work with FreeIPA?
Backing up to answer your basic question
> What is your use case, in the first place?
> You want to run Samba AD DC and establish a trust from it to FreeIPA?
Yes, I am trying to implement an SSO solution for logon accounts for both Windows 10 clients and Linux clients (and other web/OAuth services that already integrate into FreeIPA).
It was my understanding that the current/only way to do this was
1) Run Samba AD that has the user accounts
2) Establish a trust from FreeIPA -> Samba
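The following is an added diagnostic helper for the two things this message points at, the DNS suspicion and the NTSTATUSError; it is not part of the original thread, nor FreeIPA's or Samba's code. It decodes the signed decimal status Python reports into the unsigned hex form used in MS-ERREF and Samba's NTSTATUS tables (-1073741601 is 0xC00000DF, NT_STATUS_NO_SUCH_DOMAIN) and then queries the standard AD DC locator SRV records for the AD domain from the host it is run on, which is the first thing to verify from the IPA server before retrying ipa trust-add. The domain, resolver and script name are assumed, and only a handful of status codes are mapped to names.

```shell
#!/bin/sh
# Added example, not from the thread. Decode a Samba/FreeIPA NTSTATUS value and
# check that the AD domain's DC locator records resolve from this host.
# Usage: sh trust-dns-check.sh <ad-domain> [resolver-ip] [signed-ntstatus]
# e.g.:  sh trust-dns-check.sh ad.example.test 192.0.2.10 -1073741601
# (ad.example.test and 192.0.2.10 are constructed placeholder values)

# Python prints NTSTATUS as a signed 32-bit decimal; mask it back to the
# unsigned 32-bit value to get the 0xC00000xx form found in MS-ERREF.
ntstatus_hex() {
    printf '0x%08X\n' $(( $1 & 4294967295 ))
}

# Names for the codes most often hit while establishing a trust. Anything else
# is reported as UNKNOWN rather than guessed.
ntstatus_name() {
    case "$(ntstatus_hex "$1")" in
        0xC0000022) echo NT_STATUS_ACCESS_DENIED ;;
        0xC000005E) echo NT_STATUS_NO_LOGON_SERVERS ;;
        0xC000006D) echo NT_STATUS_LOGON_FAILURE ;;
        0xC00000DF) echo NT_STATUS_NO_SUCH_DOMAIN ;;
        *)          echo UNKNOWN ;;
    esac
}

# Every AD DC publishes these SRV records for its domain. If the IPA server
# cannot resolve them, "The specified domain did not exist" is the expected
# outcome regardless of which Kerberos library Samba was built against.
# $1 = AD domain, $2 = resolver to ask (optional, defaults to system resolver)
check_ad_dns() {
    domain=$1
    server=${2:+@$2}
    rc=0
    for rr in _ldap._tcp.dc._msdcs _ldap._tcp _kerberos._tcp _kerberos._udp _kpasswd._tcp; do
        # $server is intentionally unquoted: empty when no resolver was given
        if out=$(dig +short SRV "$rr.$domain" $server 2>/dev/null) && [ -n "$out" ]; then
            printf 'OK      %s.%s -> %s\n' "$rr" "$domain" "$(printf '%s\n' "$out" | head -n 1)"
        else
            printf 'MISSING %s.%s\n' "$rr" "$domain"
            rc=1
        fi
    done
    return $rc
}

# Command-line entry point; does nothing when sourced without arguments.
if [ $# -gt 0 ]; then
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; install bind-utils (or equivalent) first" >&2
        exit 2
    fi
    check_ad_dns "$1" "${2:-}" \
        || echo "AD locator records missing from this host's view; fix DNS before retrying ipa trust-add"
    if [ -n "${3:-}" ]; then
        printf 'status %s = %s (%s)\n' "$3" "$(ntstatus_hex "$3")" "$(ntstatus_name "$3")"
    fi
fi
```

Run it on the IPA server, pointing the optional resolver argument at the Samba DC's own DNS (internal DNS or BIND9 DLZ, whichever is in use) and then again without it, using the IPA server's normal resolver: a record set that appears only in the first run means the IPA side has no forwarder for the AD domain, which is a DNS problem to fix before touching the Kerberos backend.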