Dan Shearer
2006-May-13 09:55 UTC
[Samba] Here's a recipe for Samba+Active Directory on Solaris 9
Samba 3.0.22 on Solaris 9 with Active Directory
==============================================

Dan Shearer
Version 1.0 May 2006

Official Samba binaries for Solaris 9 are not enabled for ADS support.
Enabling ADS is much harder than it looks, mostly because of the crazy
Solaris 9 build environment. Here is the simplest reproducible recipe I
could find for ADS-enabled Samba on a default fresh install of Solaris 9.
Some concession has been made for installs that are not default, but you
might still need to modify for your particular servers.

Tested with Heimdal Kerberos 0.7, OpenLDAP 2.3.20 and Samba 3.0.22. All
three packages are in /opt/local (no namespace clashes luckily.)

This is a big glob, don't go adding to it :-) The point is to demonstrate
a known-working solution from which to work at your site. Someone from
sunfreeware.com (excellent site!) might want to create a package to avoid
this pain, in fact it would be good if sunfreeware and the official Samba
binaries could perhaps be coordinated. Let me know if I can help.

This document was developed fairly empirically because I don't know
Solaris well. Most of the time went into discovering how to get the
environment right.

Overview of Steps
-----------------

  Install OS plus particular patches.
  Install *very* particular versions of packages from sunfreeware.com.
  Install OpenLDAP libraries.
  Install Heimdal Kerberos. /etc/krb5/krb5.conf.
    (Test with kinit user@AD.REALM in capitals)
  Install Samba, create smb.conf (test config file with testparm)
  Join Samba Member Servers (net ads join -U Administrator)
  List AD domain users (net ads user -U Administrator)
  Test Security from Windows (browse, file access from Explorer right-click)
  Optional: idmap using ridmap or a dedicated LDAP server.

At this point you will be able to use Samba as per the documentation,
having skipped the weeks of frustration people usually seem to spend to
get this going :-)

Solaris 9 Prep
--------------

Install from the first three CDs, accepting all defaults.

Install patches 112960-36, 112874-34, 112233-01, 112233-11. This is a
dependency chain, the only thing really required is a new libnss that
will let Samba winbind work. On production machines, if you keep up with
Sun recommended patches you may have this already.

If you want to grow old quickly, attempt to build the entire GNU
toolchain on Solaris9! Alternatively, be sensible and use the following
list of binaries packaged at http://sunfreeware.com :

    gcc-3.3.2-sol9-sparc-local.gz
    bison-1.34-sol7-sparc-local.gz
        (built for Solaris 7; no higher Bison version or Heimdal breaks,
        no higher Solaris version or there is a library problem on
        Solaris 9.)
    m4-1.4.2-sol9-sparc-local.gz
    make-3.80-sol9-sparc-local.gz
    db-4.2.52.NC-sol9-sparc-local.gz
        (no lower version or OpenLDAP breaks)
    binutils-2.11.2-sol8-sparc-local.gz
        (built for Solaris 8, not built for Solaris 9 but works fine)
    flex-2.5.31-sol9-sparc-local.gz
        (required for Heimdal build)

Set global time on your network using something like ntp! The Solaris
machines must be consistent with the Windows AD server to within 5
minutes, unless you reconfigure Kerberos to be less fussy. When changing
time manually, sometimes the Solaris date command gets confused with what
it is displaying (for example BST != GMT+1, GMT+1 time is displayed two
hours in the past.)

The linker in ccs is bad news for Samba and probably everything else so
get rid of it.

    mv /usr/ccs/bin/ld /usr/ccs/bin/ld.off

Sun gssapi won't work with Heimdal and probably not much else will
either. Heimdal provides its own.

    mv /usr/include/gssapi /usr/include/old.gssapi

Don't run configure in any of OpenLDAP, Kerberos or Samba until all the
above modifications have been done.
Build OpenLDAP, Heimdal and Samba in that order.

A Comment on Libraries
----------------------

With crle, GNU automake scripts (ie configure) will find all libraries
present. LDFLAGS should be sufficient but isn't, and LD_LIBRARY_PATH
isn't always equivalent to crle although it looks like it should be.

When debugging, to check what libraries a particular program has been
linked against, use ldd. Be suspicious if, for example,
ldd /opt/local/bin/kinit doesn't have a reference to a BerkeleyDB db
library, or libgcc_s. Fix this with crle (using the commandline crle
itself gives you), something like this:

    crle -c /var/ld/ld.config -l \
      /lib:/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB4.2/lib:/opt/local/lib

The foregoing problems are with non-default Solaris 9 installs. A default
install works as expected. /usr/local/lib is used by all packages from
sunfreeware.com.

Installing OpenLDAP
-------------------

Version 2.3.20 from openldap.org

    ./configure --prefix=/opt/local --disable-bdb --enable-null --without-tls \
      CFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include" \
      CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB/4.2/include"
    make depend
    make
    make install

Installing Heimdal
------------------

Version 0.7.0 from ftp://ftp.pdc.kth.se/pub/heimdal/src/

Solaris9 confuses Heimdal's configure script when it attempts to find out
what library functions are broken in order to build libroken (nice name,
fellers.) Solaris 9 vasprintf and asprintf are defined in the standard
libraries but not the headers. At the end of this note is a patch which
turns on prototypes but does not build a replacement function. Apply the
patch to configure using "patch -u configure < diffs" (When approved by
Solaris9 wizards we can make the change in the autoconf configuration
instead. Maybe I've misunderstood the problem.)

In the following, some non-default Solaris 9 installations need the
include directories specified.
A Solaris 9 default install will find include directories correctly and
therefore FLAGS variables are not needed.

    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4 \
      CFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.4.2/include" \
      CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB/4.2/include" \
      LDFLAGS=-L/usr/local/lib
    make
    make install

NOTE: If you have previous versions of Heimdal libraries in the library
search path, configure will notice these and your next make will link
them to your new Heimdal. A common cause for this is experimenting or
making a mistake with the same Heimdal you are attempting to build, so
Heimdal programs end up referencing their own libraries whereas if
libraries of the same name hadn't existed they would not have been linked
at all. This might have side-effects. So, always do a make uninstall
before you do your next configure! If you aren't sure, do this:

    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4
    make uninstall
    ./configure --prefix=/opt/local --enable-dns --enable-shared --disable-krb4
    make
    make install

Installing Samba
----------------

Version 3.0.22 from samba.org

    ./configure --prefix=/opt/local --with-krb5=/opt/local \
      --with-ads --with-pam --with-winbindd \
      CFLAGS=-I/opt/local/include CPPFLAGS=-I/opt/local/include \
      LDFLAGS=-L/opt/local/lib
    make
    make install

Patch to Heimdal 0.7 configure
------------------------------

---cut---cut---cut--- --- backup.configure Wed May 10 09:32:05 2006 +++ configure Wed May 10 09:57:51 2006 @@ -29163,13 +29163,11 @@ echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_working" >&5 echo "${ECHO_T}$ac_cv_func_snprintf_working" >&6 -if test "$ac_cv_func_snprintf_working" = yes; then cat >>confdefs.h <<_ACEOF #define HAVE_SNPRINTF 1 _ACEOF -fi if test "$ac_cv_func_snprintf_working" = yes; then if test "$ac_cv_func_snprintf+set" != set -o "$ac_cv_func_snprintf" = yes; then 
@@ -29228,14 +29226,12 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_snprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_snprintf_noproto" >&6 -if test "$ac_cv_func_snprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF -#define NEED_SNPRINTF_PROTO 1 +#define NEED_SNPRINTF_PROTO 0 _ACEOF fi -fi fi @@ -29311,13 +29307,11 @@ echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_working" >&5 echo "${ECHO_T}$ac_cv_func_vsnprintf_working" >&6 -if test "$ac_cv_func_vsnprintf_working" = yes; then cat >>confdefs.h <<_ACEOF #define HAVE_VSNPRINTF 1 _ACEOF -fi if test "$ac_cv_func_vsnprintf_working" = yes; then if test "$ac_cv_func_vsnprintf+set" != set -o "$ac_cv_func_vsnprintf" = yes; then @@ -29376,14 +29370,12 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_vsnprintf_noproto" >&6 -if test "$ac_cv_func_vsnprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF -#define NEED_VSNPRINTF_PROTO 1 +#define NEED_VSNPRINTF_PROTO 0 _ACEOF fi -fi fi @@ -30549,7 +30541,6 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_asprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_asprintf_noproto" >&6 -if test "$ac_cv_func_asprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF #define NEED_ASPRINTF_PROTO 1 @@ -30556,7 +30547,6 @@ _ACEOF fi -fi if test "$ac_cv_func_vasprintf+set" != set -o "$ac_cv_func_vasprintf" = yes; then echo "$as_me:$LINENO: checking if vasprintf needs a prototype" >&5 @@ -30616,7 +30606,6 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_vasprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_vasprintf_noproto" >&6 -if test "$ac_cv_func_vasprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF #define NEED_VASPRINTF_PROTO 1 @@ -30623,7 +30612,6 @@ _ACEOF fi -fi if test "$ac_cv_func_asnprintf+set" != set -o "$ac_cv_func_asnprintf" = yes; then echo "$as_me:$LINENO: checking if asnprintf needs a prototype" >&5 
@@ -30683,14 +30671,12 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_asnprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_asnprintf_noproto" >&6 -if test "$ac_cv_func_asnprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF -#define NEED_ASNPRINTF_PROTO 1 +#define NEED_ASNPRINTF_PROTO 0 _ACEOF fi -fi if test "$ac_cv_func_vasnprintf+set" != set -o "$ac_cv_func_vasnprintf" = yes; then echo "$as_me:$LINENO: checking if vasnprintf needs a prototype" >&5 @@ -30750,14 +30736,12 @@ fi echo "$as_me:$LINENO: result: $ac_cv_func_vasnprintf_noproto" >&5 echo "${ECHO_T}$ac_cv_func_vasnprintf_noproto" >&6 -if test "$ac_cv_func_vasnprintf_noproto" = yes; then cat >>confdefs.h <<\_ACEOF -#define NEED_VASNPRINTF_PROTO 1 +#define NEED_VASNPRINTF_PROTO 0 _ACEOF fi -fi ---cut---cut---cut---
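
Review bot: in the hunks at -29163 and -29311, removing the `if test "$ac_cv_func_snprintf_working" = yes; then` / `fi` pair makes HAVE_SNPRINTF and HAVE_VSNPRINTF unconditional, so the result echoed just above is ignored on every host this configure runs on, not only Solaris 9. If the check honours a preset cache value, passing the `ac_cv_func_*_working` variables to configure, or wrapping the override in a host test, would leave the probe intact elsewhere. The lasting change belongs in the autoconf input, since regenerating configure discards an edit made here.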
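
Review bot: in the hunks at -29228, -29376, -30683 and -30750, `#define NEED_SNPRINTF_PROTO 0` (and the VSNPRINTF, ASNPRINTF and VASNPRINTF equivalents) still leaves the macro defined, so any consumer written with `#ifdef` or `defined()` behaves exactly as it did with 1; only a plain `#if NEED_SNPRINTF_PROTO` sees a difference. If the aim is to suppress these prototypes, drop the confdefs.h append rather than writing 0, and state in the description why these four are set to 0 while asprintf and vasprintf keep 1.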
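
Review bot: in the asprintf and vasprintf hunks (-30549 to -30623), NEED_ASPRINTF_PROTO and NEED_VASPRINTF_PROTO are now written regardless of `$ac_cv_func_asprintf_noproto` and `$ac_cv_func_vasprintf_noproto`, which forces the extra prototypes on any host whose headers already declare these functions. A host test around the two defines, or at least a line in the patch header naming Solaris 9 as the only intended target, would keep this from being reused elsewhere by accident.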
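
The ldd check from "A Comment on Libraries" and the stale-library warning in the Heimdal NOTE, as an added example that is not part of the original post: it reads ldd output and reports required libraries that are absent, entries that fail to resolve, and libraries resolved from outside the crle search path. The function name audit_ldd, the sample output and the library version numbers are constructed for illustration; the trusted directory list is the crle line from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Sample ldd output is constructed.

# Search path trusted by the post's crle command.
TRUSTED="/lib:/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB4.2/lib:/opt/local/lib"

# audit_ldd "REQUIRED PREFIXES" "DIR:DIR:..."   (ldd output on stdin)
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_ldd() {
    awk -v required="$1" -v trusted="$2" '
    BEGIN { nreq = split(required, req, " "); ndir = split(trusted, dirs, ":") }
    /=>/ {
        name = $1; path = $3
        # A required library counts as referenced even if it fails to resolve.
        for (i = 1; i <= nreq; i++)
            if (index(name, req[i]) == 1) seen[req[i]] = 1
        if ($0 ~ /not found/) { print "UNRESOLVED " name; bad = 1; next }
        # Strip the file name and compare the directory with the trusted list.
        dir = path; sub("/[^/]*$", "", dir)
        ok = 0
        for (i = 1; i <= ndir; i++) if (dir == dirs[i]) ok = 1
        if (!ok) { print "UNTRUSTED " path; bad = 1 }
    }
    END {
        for (i = 1; i <= nreq; i++)
            if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed output for /opt/local/bin/kinit: a stale Heimdal library picked
# up from a build directory, an unresolved BerkeleyDB, and no libgcc_s at all.
sample_ldd() {
    printf '\t%s =>\t %s\n' \
        libkrb5.so.17  /opt/local/lib/libkrb5.so.17 \
        libroken.so.16 /export/home/build/heimdal-old/lib/libroken.so.16 \
        libdb-4.2.so   '(file not found)' \
        libc.so.1      /usr/lib/libc.so.1
}

sample_ldd | audit_ldd "libdb libgcc_s" "$TRUSTED" ||
    echo "kinit: fix the search path with crle, then rebuild"
# Real use: ldd /opt/local/bin/kinit | audit_ldd "libdb libgcc_s" "$TRUSTED"
```

Running the same audit over smbd, winbindd and net after the Samba build shows whether they picked up the Heimdal and OpenLDAP libraries in /opt/local/lib rather than copies elsewhere on the search path.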