Solaris9 Samba ADS
Samba 3.0.22 on Solaris 9 with Active Directory
Recipe Version 1.0
Original May 2006
Revised July 2006
Official Samba binaries for Solaris 9 are not built with ADS support. Enabling it is much harder than it looks, mostly because of the crazy Solaris 9 build environment. This is the simplest reproducible recipe I could create for ADS-enabled Samba on a default fresh install of Solaris 9. Some concession has been made for installs that are not default, but you may still need to modify it for your particular servers.
It was tested with Heimdal Kerberos 0.7, OpenLDAP 2.3.20 and Samba 3.0.22. All three packages go in /opt/local (luckily there are no namespace clashes). This is a big glob that just works, so don't go adding to it :-) The point is to demonstrate a known-working solution as a starting point for your site.
Someone from sunfreeware.com (excellent site!) might want to create a package to avoid this pain, in fact it would be good if sunfreeware and the official Samba binaries could perhaps be coordinated.
This document was developed fairly empirically. Most of the time went into discovering how to get the environment right, and regressing versions until I found the magic formula.
Overview of Steps
- Install OS plus particular patches.
- Install very particular versions of packages from sunfreeware.com .
- Install OpenLDAP libraries
- Install Heimdal Kerberos and write /etc/krb5/krb5.conf. Test with kinit user@AD.REALM (the realm in capitals).
- Install Samba and create smb.conf (check the file with testparm).
- Join the domain as a member server (net ads join -U Administrator).
- List AD domain users (net ads user -U Administrator).
- Test security from Windows (browse the server, then check file access from the Explorer right-click menu).
- Optional: idmap using the idmap_rid backend or a dedicated LDAP server.
At this point you will be able to use Samba as per the documentation, having skipped the weeks of frustration people usually seem to spend to get this going on Solaris9 :-)
Solaris 9 Prep
Install from the first three CDs, accepting all defaults.
Install patches 112960-36, 112874-34, 112233-01, 112233-11. This is a dependency chain; the only thing really required is a newer libnss that lets Samba's winbind work. On production machines that keep up with Sun's recommended patches you may have this already (showrev -p lists what is installed).
If you want to grow old quickly, attempt to build the entire GNU toolchain on Solaris9! Alternatively, be sensible and use the following list of binaries packaged at http://sunfreeware.com :
- gcc-3.3.2-sol9-sparc-local.gz
- bison-1.34-sol7-sparc-local.gz (built for Solaris 7; no higher Bison version or Heimdal breaks, no higher Solaris version or there is a library problem on Solaris 9. Try to imagine the effort it took to determine that you need to regress two OS versions and several package versions.)
- m4-1.4.2-sol9-sparc-local.gz
- make-3.80-sol9-sparc-local.gz
- db-4.2.52.NC-sol9-sparc-local.gz (no lower version or OpenLDAP breaks)
- binutils-2.11.2-sol8-sparc-local.gz (built for Solaris 8, not built for Solaris 9 but works fine)
- flex-2.5.31-sol9-sparc-local.gz (required for Heimdal build)
Set the time across your network with something like NTP. The Solaris machines must agree with the Windows AD server to within 5 minutes (the Kerberos default clock skew), unless you reconfigure Kerberos to be less fussy; don't, because the skew window is also the window in which a captured Kerberos authenticator can be replayed. When changing time manually, the Solaris date command sometimes gets confused about what it is displaying (for example BST != GMT+1; GMT+1 time is displayed two hours in the past).
The linker in /usr/ccs/bin is bad news for Samba and probably everything else, so get it out of the way: mv /usr/ccs/bin/ld /usr/ccs/bin/ld.off . Note that this changes the toolchain for every later build on the host; restore it when you are done.
Sun's GSSAPI headers won't work with Heimdal, and probably not much else will either; Heimdal provides its own. mv /usr/include/gssapi /usr/include/old.gssapi . The same caveat applies: this hides the system headers from every later build on the host.
Don't run configure in any of OpenLDAP, Kerberos or Samba until all the above modifications have been done.
Build OpenLDAP, Heimdal and Samba in that order.
A Comment on Libraries
With crle, autoconf-generated configure scripts find all libraries present. LDFLAGS should be sufficient but isn't, and LD_LIBRARY_PATH isn't always equivalent to crle although it looks like it should be: LD_LIBRARY_PATH only affects processes that inherit it and is ignored for setuid programs, whereas crle rewrites the runtime linker's default search path in /var/ld/ld.config for everything on the box.
When debugging, use ldd to check which libraries a particular program has been linked against. Be suspicious if, for example, ldd /opt/local/bin/kinit shows no reference to a Berkeley DB library or to libgcc_s. Fix this with crle; running crle with no arguments prints the current configuration together with the command line that reproduces it, so start from that and add the extra directories, something like:

    crle -c /var/ld/ld.config \
         -l /lib:/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.4.2/lib:/opt/local/lib

Keep the system directories first so nothing under /usr/local or /opt/local can shadow a system library, and remember that every directory named here becomes part of the trusted default search path for every process on the machine, setuid ones included: each must be owned by root and not be writable by group or other, or anyone who can write there can plant a library that root processes will load.
The foregoing problems are with non-default Solaris 9 installs. A default install works as expected.
/usr/local/lib is used by all packages from sunfreeware.com.
Installing OpenLDAP
Version 2.3.20 from openldap.org
The sunfreeware Berkeley DB package installs under /usr/local/BerkeleyDB.4.2, so both the CFLAGS and CPPFLAGS include paths point there:

    ./configure --prefix=/opt/local --disable-bdb --enable-null --without-tls \
        CFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include" \
        CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include"
    make depend
    make
    make install

Note that --without-tls builds libldap without StartTLS or ldaps:// support. Samba's own traffic to the domain controllers is still protected, because it binds with SASL/GSSAPI (Kerberos) and signs and seals the LDAP session, but the optional idmap backend against a dedicated LDAP server would then be limited to a cleartext simple bind, so rebuild with TLS if you go that way.
Installing Heimdal
Version 0.7.0 from ftp://ftp.pdc.kth.se/pub/heimdal/src/
Solaris 9 confuses Heimdal's configure script when it tries to find out which library functions are broken in order to build libroken (nice name, fellers). Solaris 9 has vasprintf and asprintf in the standard libraries but not in the headers. At the end of this note is a patch which turns on the prototypes but does not build replacement functions.
Apply the patch with patch -u configure < diffs . It is against the generated configure script shipped with 0.7.0, not the autoconf sources, so do not expect it to apply to other versions.
In the following, some non-default Solaris 9 installations need the include directories specified. A Solaris 9 default install will find include directories correctly and therefore FLAGS variables are not needed.
    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4 \
        CFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include" \
        CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include" \
        LDFLAGS=-L/usr/local/lib
    make
    make install

NOTE: If previous versions of the Heimdal libraries are in the library search path, configure will notice them and your next make will link the new Heimdal against them. A common cause is experimenting with, or making a mistake in, the very Heimdal you are trying to build: its programs end up referencing the previously installed copies of their own libraries, whereas if no libraries of that name had already been installed they would have been linked against the ones just built. This can have side-effects.
So always do a make uninstall before your next configure. If you aren't sure, do this:

    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4
    make uninstall
    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4
    make
    make install
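The script below is an added example, not part of the original recipe, that automates the two checks described above: the ldd inspection from the libraries section (unresolved libraries, and Heimdal/OpenLDAP libraries resolved from a stale copy rather than the /opt/local tree just built), and the ownership and permission check that the crle search path deserves. It assumes the /opt/local prefix used on this page; the sample ldd output embedded in it is constructed, not captured from a real build, and the library names in it are illustrative.

```shell
#!/bin/ksh
# Added example, not part of the original recipe: sanity checks for the crle
# and ldd advice above. Assumes the /opt/local prefix used on this page. On
# Solaris 9 run with AWK=nawk (/usr/bin/awk there does not understand -v).
AWK=${AWK:-awk}
PREFIX=${PREFIX:-/opt/local}
# Libraries that must resolve from the freshly built Heimdal/OpenLDAP, never
# from a stale copy in /usr/local/lib or an older /opt/local install.
OWN_LIBS='^lib(krb5|gssapi|asn1|roken|hdb|ldap|lber)'

# Read ldd output on stdin; print each library that did not resolve.
# Solaris prints "(file not found)", Linux "not found"; both contain the phrase.
unresolved_libs() {
    grep 'not found' | "$AWK" '{ print $1 }'
}

# Read ldd output on stdin; print libraries matching $2 (an awk regex) that
# resolved to an absolute path outside $1, the directory they should come from.
foreign_libs() {
    "$AWK" -v dir="$1" -v pat="$2" '
        $2 == "=>" && $3 ~ /^\// && $1 ~ pat && index($3, dir "/") != 1 {
            print $1 " -> " $3
        }'
}

# crle makes these directories part of the default search path for every
# process on the box, setuid ones included (ld.so.1 trusts /var/ld/ld.config
# the way it never trusts LD_LIBRARY_PATH). $1 = ls -l mode string,
# $2 = numeric owner uid. Trusted means owned by uid 0 and not group/other
# writable; otherwise anyone who can write there can plant a library.
perms_trusted() {
    [ "$2" = 0 ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group (position 6) or other (9) write bit
    esac
    return 0
}

dir_trusted() {
    set -- $(ls -ldn "$1" 2>/dev/null)
    [ -n "$3" ] || return 1
    perms_trusted "$1" "$3"
}

# Check one binary for unresolved libraries and for Heimdal/OpenLDAP
# libraries pulled from the wrong place. Non-zero return if anything is wrong.
check_binary() {
    out=$(ldd "$1") || return 1
    bad=$(printf '%s\n' "$out" | unresolved_libs)
    foreign=$(printf '%s\n' "$out" | foreign_libs "$PREFIX/lib" "$OWN_LIBS")
    [ -z "$bad" ] || printf '%s: unresolved: %s\n' "$1" "$bad"
    [ -z "$foreign" ] || printf '%s: wrong copy: %s\n' "$1" "$foreign"
    [ -z "$bad$foreign" ]
}

# Constructed sample of Solaris ldd output (not from a real build): one stale
# gssapi picked up from /usr/local/lib and one missing Berkeley DB library.
SAMPLE_LDD='libkrb5.so.22 =>   /opt/local/lib/libkrb5.so.22
libgssapi.so.5 =>   /usr/local/lib/libgssapi.so.5
libdb-4.2.so =>   (file not found)
libc.so.1 =>   /usr/lib/libc.so.1'

if [ "${1:-}" = check ]; then
    rc=0
    dirs=$(crle 2>/dev/null | sed -n 's/.*Default Library Path (ELF): *//p' \
           | sed 's/ *(system default)//' | tr ':' ' ')
    for d in $dirs; do
        dir_trusted "$d" || { echo "crle path $d is not safe to trust"; rc=1; }
    done
    for b in "$PREFIX"/bin/kinit "$PREFIX"/bin/net "$PREFIX"/sbin/smbd "$PREFIX"/sbin/winbindd; do
        [ -x "$b" ] && { check_binary "$b" || rc=1; }
    done
    exit $rc
fi
```

Run it as ./libcheck.sh check after each make install; a "wrong copy" line for libkrb5 or libgssapi is exactly the stale-Heimdal situation the note above describes, and the fix is make uninstall, reconfigure and rebuild rather than adjusting the path.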
Installing Samba
Version 3.0.22 from samba.org
    ./configure --prefix=/opt/local --with-krb5=/opt/local \
        --with-ads --with-pam --with-winbind \
        CFLAGS=-I/opt/local/include CPPFLAGS=-I/opt/local/include \
        LDFLAGS=-L/opt/local/lib
    make
    make install

Before going any further, confirm that ADS support really made it into the build: /opt/local/sbin/smbd -b | grep -i -e ads -e krb5 should list WITH_ADS and HAVE_KRB5. If it doesn't, configure did not find the Heimdal in /opt/local and you are back to the library notes above.
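The following script is an added example, not part of the original recipe, that carries out the post-install steps listed in the overview (krb5.conf, kinit, smb.conf checked with testparm, net ads join, net ads user) with the two preflight checks that cause most failed joins done first: an upper-case realm and a clock within the Kerberos skew limit. The realm AD.EXAMPLE.COM, workgroup ADEXAMPLE and domain controller dc1.ad.example.com are placeholders, not values from the page; it assumes Heimdal and Samba in /opt/local as built above, Samba's default smb.conf location of /opt/local/lib/smb.conf, and the Solaris ntpdate in /usr/sbin for the clock comparison.

```shell
#!/bin/ksh
# Added example, not part of the original recipe: preflight checks and the
# domain join sequence from the overview. Realm, workgroup and DC below are
# assumed placeholders; override them in the environment. Uses ksh on
# Solaris 9 (the Bourne /bin/sh there is too old for the ${var#} forms).
PREFIX=${PREFIX:-/opt/local}
REALM=${REALM:-AD.EXAMPLE.COM}
WORKGROUP=${WORKGROUP:-ADEXAMPLE}
DC=${DC:-dc1.ad.example.com}
KRB5_CONF=${KRB5_CONF:-/etc/krb5/krb5.conf}
MAX_SKEW=300   # Kerberos default; loosening it widens the authenticator replay window

# Kerberos realm names are case-sensitive and AD realms are upper-case; a
# lower-case realm produces the classic "Server not found in Kerberos database".
realm_is_upper() {
    case "$1" in
        *[a-z]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# $1 = clock offset in seconds as printed by ntpdate -q (may be negative or
# fractional). Whole seconds are precise enough against a 300 s limit.
skew_ok() {
    s=${1#-}
    s=${s%%.*}
    [ "${s:-0}" -le "$MAX_SKEW" ]
}

# Heimdal krb5.conf pinned to the DC, so a broken DNS SRV lookup cannot send
# the AS-REQ somewhere unexpected. default_realm must match smb.conf's realm.
gen_krb5_conf() {   # $1 = realm, $2 = KDC host
    lower=$(echo "$1" | tr '[A-Z]' '[a-z]')
    cat <<EOF
[libdefaults]
    default_realm = $1
    clockskew = $MAX_SKEW
[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }
[domain_realm]
    .$lower = $1
    $lower = $1
EOF
}

# Minimal 3.0.22 member-server smb.conf. The idmap uid/gid ranges are what
# winbind allocates for AD SIDs it has not seen before (default tdb backend).
gen_smb_conf() {   # $1 = workgroup, $2 = realm
    cat <<EOF
[global]
    workgroup = $1
    realm = $2
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/sh
    log level = 1
EOF
}

# Everything above is side-effect free; only do_join touches the system and the domain.
do_join() {
    realm_is_upper "$REALM" || { echo "realm must be upper-case: $REALM" >&2; return 1; }
    off=$(/usr/sbin/ntpdate -q "$DC" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | sed -n '$p')
    [ -n "$off" ] || echo "warning: could not read the clock of $DC; compare it by hand" >&2
    skew_ok "${off:-0}" || { echo "clock skew ${off}s against $DC exceeds ${MAX_SKEW}s; fix ntp first" >&2; return 1; }
    gen_krb5_conf "$REALM" "$DC" > "$KRB5_CONF"
    export KRB5_CONFIG="$KRB5_CONF"          # same file for kinit and for Samba's libkrb5
    gen_smb_conf "$WORKGROUP" "$REALM" > "$PREFIX/lib/smb.conf"
    "$PREFIX/bin/testparm" -s "$PREFIX/lib/smb.conf" > /dev/null || return 1
    "$PREFIX/bin/kinit" "Administrator@$REALM" || return 1   # proves KDC, realm and clock
    "$PREFIX/bin/net" ads join -U Administrator || return 1
    "$PREFIX/bin/net" ads testjoin || return 1               # machine account usable
    "$PREFIX/bin/net" ads user -U Administrator | head -5
}

if [ "${1:-}" = join ]; then
    do_join
fi
```

Run it as ./adjoin.sh join on the member server once the three packages are installed; it prompts for the Administrator password twice (kinit, then net). Setting KRB5_CONFIG explicitly matters because a Heimdal built with --prefix=/opt/local looks for its configuration under that prefix by default, not at the Solaris path /etc/krb5/krb5.conf used on this page; smbd and winbindd need the same variable in their start-up script, or a symlink from the default location to the file you wrote.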
Patch to Heimdal 0.7 configure
---cut---cut---cut---
--- backup.configure Wed May 10 09:32:05 2006
+++ configure Wed May 10 09:57:51 2006
@@ -29163,13 +29163,11 @@
echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_working" >&5
echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6
-if test "$ac_cv_func_snprintf_working" = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_SNPRINTF 1
_ACEOF
-fi
if test "$ac_cv_func_snprintf_working" = yes; then
if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then
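Review bot: removing the `if test "$ac_cv_func_snprintf_working" = yes` guard writes `#define HAVE_SNPRINTF 1` to confdefs.h whatever the probe concluded, so a host with a genuinely broken snprintf would silently get no roken replacement; that is acceptable for the Solaris 9 libc this recipe targets but should be stated in a header comment on the patch. The `@@ -29163,13 +29163,11 @@` offsets also tie the hunk to the generated configure shipped with 0.7.0; patching the m4 sources under cf/ and re-running autoconf would survive a version bump.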
@@ -29228,14 +29226,12 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6
-if test "$ac_cv_func_snprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
-#define NEED_SNPRINTF_PROTO 1
+#define NEED_SNPRINTF_PROTO 0
_ACEOF
fi
-fi
fi
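Review bot: `#define NEED_SNPRINTF_PROTO 0` is now emitted unconditionally, but a value of 0 only switches the prototype off if roken's header tests the macro with `#if`; with `#ifdef` or `defined()` the macro is still defined and the prototype is still emitted, which matches the intent stated in the text (turn prototypes on) but not what the changed line suggests. Either drop the `cat >>confdefs.h` block entirely or keep the value at 1 with a comment; as written the next reader will assume it is disabling something. The removed `-if test "$ac_cv_func_snprintf_noproto" = yes; then` and the removed `-fi` are a pair, so the script still parses.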
@@ -29311,13 +29307,11 @@
echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_working" >&5
echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6
-if test "$ac_cv_func_vsnprintf_working" = yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_VSNPRINTF 1
_ACEOF
-fi
if test "$ac_cv_func_vsnprintf_working" = yes; then
if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then
@@ -29376,14 +29370,12 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6
-if test "$ac_cv_func_vsnprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
-#define NEED_VSNPRINTF_PROTO 1
+#define NEED_VSNPRINTF_PROTO 0
_ACEOF
fi
-fi
fi
@@ -30549,7 +30541,6 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_asprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6
-if test "$ac_cv_func_asprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
#define NEED_ASPRINTF_PROTO 1
@@ -30556,7 +30547,6 @@
_ACEOF
fi
-fi
if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then
echo "$as_me:$LINENO: checking if vasprintf needs a prototype" >&5
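Review bot: the `if test "$ac_cv_func_asprintf_noproto" = yes` dropped at the end of the previous hunk is closed by the `-fi` dropped here, so the two hunks only make sense applied together; splitting one `if`/`fi` pair across a hunk boundary is what makes this patch fragile under patch fuzz, and merging them into a single hunk would be safer. The effect is that `NEED_ASPRINTF_PROTO 1` is forced even on a host whose headers do declare asprintf; an identical second prototype is harmless but a differing one fails the compile, so the patch header should record that this is deliberate for Solaris 9, where the text says asprintf is in libc but not in the headers.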
@@ -30616,7 +30606,6 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_vasprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6
-if test "$ac_cv_func_vasprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
#define NEED_VASPRINTF_PROTO 1
@@ -30623,7 +30612,6 @@
_ACEOF
fi
-fi
if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then
echo "$as_me:$LINENO: checking if asnprintf needs a prototype" >&5
@@ -30683,14 +30671,12 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_asnprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6
-if test "$ac_cv_func_asnprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
-#define NEED_ASNPRINTF_PROTO 1
+#define NEED_ASNPRINTF_PROTO 0
_ACEOF
fi
-fi
if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then
echo "$as_me:$LINENO: checking if vasnprintf needs a prototype" >&5
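Review bot: this hunk forces `NEED_ASNPRINTF_PROTO 0` for asnprintf, which, unlike asprintf, Solaris libc does not provide at all; roken builds its own replacement regardless, so the change only affects whether a prototype is emitted, and the surrounding `if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes` context runs this block even when the probe was never cached. Leaving this hunk and the matching vasnprintf one out would keep the patch to the two functions that are actually broken on Solaris 9, which makes it easier to explain and to retire later.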
@@ -30750,14 +30736,12 @@
fi
echo "$as_me:$LINENO: result: $ac_cv_func_vasnprintf_noproto" >&5
echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6
-if test "$ac_cv_func_vasnprintf_noproto" = yes; then
cat >>confdefs.h <<\_ACEOF
-#define NEED_VASNPRINTF_PROTO 1
+#define NEED_VASNPRINTF_PROTO 0
_ACEOF
fi
-fi
---cut---cut---cut---
This content is licensed under the Creative Commons Attribution ShareAlike License v. 2.5: http://creativecommons.org/licenses/by-sa/2.5/
GFDL: Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". (shearer.org uses but does not currently recommend the GFDL and here's the explanation why.)
