samba - Jul 2006 - Fedora packages or Enterprise packages of Samba on RHEL4?

Hello,
 

Can somebody of the Samba team explain me the difference of Fedora packages
or Enterprise packages ( <http://enterprisesamba.com/>
http://enterprisesamba.com/) of Samba on Red Hat Enterprise Linux 4?

I tried to find any information about this subject, but googleing doesn't
help me.

 

The standard Samba package (3.0.10EL) of RHEL4 doesn't communicate with a
W2k3 server SP1, while "security=ads" on Samba. This is solved in
Samba
version 3.0.14a, so I want to use this package; I use this version on all my
RHL9 servers and this package is very stable!

 

First I tried the RHEL4 packages from enterprisesamba.com, but these
packages always ended up with the error message "Segmentation fault"
while I
used "net ads join"; I recompiled the source of this package because I
have
to use the default Kerberos of RHEL4 (which is MIT instead of Heimdal) .
Version 3.0.22 of enterprisesamba doesn't have this problem, but it has the
problem that "security=ads" can't be used (look at thread
<http://lists.samba.org/archive/samba/2006-May/120688.html>
http://lists.samba.org/archive/samba/2006-May/120688.html). I need to use
Kerberos on Samba, so "security=domain" (and use NTLM as
authentication
mechanism) is no option for me .

 

Therefore I compiled the Fedora source package on RHEL4 (Fedora is the
playground of RHEL as we all know ;) and this went well. I installed the
Samba rpm's and configured Samba as I have it on RHL9 and started the Samba
daemons (smbd, nmbd and winbindd). The Fedora Samba package is working well
on RHEl4, my XP clients can connect to the shares and I see no error
messages appearing in my Samba logs.

 

I'd like to continue with the Fedora Samba package on my RHEL4 server, but
I'd like to know why or why NOT to use it! (and why I have to use the
packages of enterprisesamba.com)

 

Please advise.

 

Best regards,

Alex.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex de Vaal wrote:
>  
> Can somebody of the Samba team explain me the difference 
> of Fedora packages or Enterprise packages
> (http://enterprisesamba.com/) of Samba on Red
> Hat Enterprise Linux 4?
...
> First I tried the RHEL4 packages from enterprisesamba.com, 
> but these packages always ended up with the error
> message "Segmentation fault" while I used "net ads
join";
If you need support for the SerNet packages, you will have
to contact SerNet.
> Therefore I compiled the Fedora source package on RHEL4;
> this went well.
...
> I'd like to continue with the Fedora Samba package on 
> my RHEL4 server, but I'd like to know why or why NOT
> to use it! (and why I have to use the packages of
> enterprisesamba.com)
The Fedora specfile provided with Samba is compatible
with RHEL4.  I don't build RHEL4 packages only because
IMO if you pay for support for RedHat, installing non-vendor
supplied packages would void your support agreement.

Althought I could provide RPMS for the lates version
of CentOS which should be binary comatible with RHEL4
systems.

While I'm at it, is there any pressing need for 64-bit
rpms as well?




cheers, jerry
====================================================================Samba       
------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEtNtRIR7qMdg1EfYRAisqAKDja37hQJsPyRdnflsgIefpmdCdBACg6iBC
HrDJ2aTmeSFe5WkZa6UlxH0=8Vw4
-----END PGP SIGNATURE-----

Hi Alex,
On 2006-07-11 at 11:19 +0200 Alex de Vaal sent off:
> Can somebody of the Samba team explain me the difference of Fedora packages
> or Enterprise packages ( <http://enterprisesamba.com/>
> http://enterprisesamba.com/) of Samba on Red Hat Enterprise Linux 4?
> 
> I tried to find any information about this subject, but googleing
doesn't
> help me.
Red Hat provides updated packages for RHEL from time to time. You can 
of course use the Fodora packages of the Fedora version that your RHEL 
is based on but you cannot expect support for it from Red hat. The packages
from http://enterprisesamba.com/ are not from Red Hat but they are from SerNet.
The issues you had with the kerberos support are solved in the meantime. You
can read http://enterprisesamba.com/ for more details about the SerNet Samba
packages. If you have problems with the SerNet packages you can contact me
or samba@sernet.de directly.


Cheers
Bjoern
-- 
Bj?rn Jacke,  SerNet Service Network GmbH
Phone: +49-(0)551-370000-0,  Fax: +49-(0)551-370000-9

At 04:19 AM 7/11/2006, Alex de Vaal wrote:
>The standard Samba package (3.0.10EL) of RHEL4 doesn't communicate with
a
>W2k3 server SP1, while "security=ads" on Samba. This is solved in
Samba
>version 3.0.14a, so I want to use this package; I use this version on all my
>RHL9 servers and this package is very stable!
>...
>I'd like to continue with the Fedora Samba package on my RHEL4 server,
but
>I'd like to know why or why NOT to use it! (and why I have to use the
>packages of enterprisesamba.com)
>
>Please advise.
OK, my advice is to do the following:

1) Grab the latest 3.0.23 tarball from one of the Samba mirrors
2) expand it into a directory on your RHEL4 systems where you've been 
building packages
3) cd ./samba-3.0.23/packaging/RHEL/
4) exec the command: ". makerpms.sh"
5) when the package build is finished: cd /usr/src/redhat/RPMS/i386/

You should have a nice set of up-to-date packages for your RHEL4 
system in this directory.   Thanks to Jerry and all the others for 
the attention in the last couple versions to the RHEL packaging...

There are two caveats with this:

a) The cache directory is moved from /var/cache/samba/ to 
/var/lib/samba/.   This move does not adjust the SELinux labels when 
it creates the new directory, and since it copies files - the files 
are created with the incorrect labels inherited from the new 
directory.      I only had to do it once, but IIRC - executing "mv 
/var/cache/samba /var/lib" before installing the new packages worked 
for me on a new system.

b) The smbd and nmbd services run fine under the standard RHEL4 
selinux-policy-targeted ruleset.   However, winbindd rules aren't in 
this set, and will fail if SELinux is enabled/enforcing.    If you 
are running winbindd, (which you probably are in ads mode) you can 
deal with this problem in a number of ways:
1) disable SELinux:   setenforce 0
2) There is a way to disable SELinux enforcement on a per 
application/service basis, but I don't recall how to do that right 
now.   A Google search should turn it up, however...
3) Add custom SELinux rules for winbindd:
         * Install selinux-policy-targeted-sources
         * cd /etc/selinux/targeted/src/policy/domains/misc/
         * create a file called something like "winbind_add.te" (I 
believe the ".te" is important...) with the following contents:

-----------------
allow mysqld_t winbind_tmp_t:dir getattr;
allow ntpd_t winbind_tmp_t:dir getattr;
allow winbind_t etc_runtime_t:file { getattr read };
allow winbind_t proc_t:file { getattr read };
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
-----------------

         * cd ../..
               (should be /etc/selinux/targeted/src/policy/ )
         * run the command: "make load"

This will load some additional rules that will allow winbindd to run 
without any (significant) AVC errors.   This should only need to be done once.



Don Meyer                                           <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759