Solaris 11 includes samba 3.6.25.  I compiled samba 4.5.1 using GCC 4.8 and
gmake.  Had set the following env variables to make sure krb5.conf was found
 
 
 
# CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/
# C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/
 
After setting  "client ldap sasl wrapping = plain"   I was able to join to a
Windows 2008 domain with samba 4.
 
The samba 4.5.1 "wbinfo -m" showed the domain.  However "wbinfo -u" did not
show any users.
 
This works OK with samba 3.6.25 .
 
With Samba 3 
 
# testparm -v | grep signing
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
 
        client signing = required
        client ipc signing = required
        server signing = No
 
 
 
With samba4
 
 
# /usr/local/samba/bin/testparm -v | grep signing
Load smb config files from /usr/local/samba-4.5.1/etc/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
 
Press enter to see a dump of your service definitions
 
        client ipc signing = default
        client signing = default
        server signing = default
 
 
log.winbindd has
 
 
[2016/12/07 21:16:22.781818,  1, pid=1520, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain MYDOMAIN
 
 
 
both samba3 and samba4 create krb5.conf.MYDOMAIN files 
 
#/usr/local/samba/var/lock/smb_krb5# cat krb5.conf.MYDOMAIN
[libdefaults]
        default_realm = MYDOMAIN.COM
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        dns_lookup_realm = false
 
[realms]
        MYDOMAIN.COM = {
                kdc = 192.168.x.y
                kdc = 192.168.x.z
        }
#:/usr/local/samba/var/lock/smb_krb5#
 
 
 
 
I would like to disable DES encryption.   Or maybe have samba use the system
krb5.conf .    
 
 
 
With samba3, wbinfo will not show users from "classic" trusted domains but
will show users from AD trusted domains.
 
Beginning to think that I should have uninstalled samba3 before compiling
samba4 to make sure no conflicts between different versions of samba
libraries.
If I add 
 
  winbind rpc only = Yes
 
to smb.conf file then "wbinfo -u" will list users in the current domain.  It
won't list users in any trusted domains (including domains in the same
forest.)  This indicates that the domain is having some issue retrieving
user names via LDAP.
 
The forest is 2008  function level.  The domain was 2003 functional level
but I just raised that to 2008.    The domain has Windows 2008 SP2 domain
controllers.   The child domain has a Windows 2012 domain controller but is
also at the 2008 forest functional level.   I upgraded the registry in the Win
2008 SP2 domain controllers to disable DES.
 
 
Solaris 11 has both "solaris" ldap (not openldap) and openldap ldap.
The solaris ldap files should have been in the default path for the software
build.       
 
I also set 
                create krb5 conf = No
 
to prevent samba recreating /usr/local/samba/var/lock/smb_krb5/krb5.conf
each time it restarted, since it would enable DES encryption by default.    
 
Maybe I need to compile latest openldap and add to the C_INCLUDE_PATH and
CPLUS_INCLUDE_PATH variables.
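
Added example, not part of the original posts: a POSIX shell check that lists the DES and RC4 entries in a Samba-generated krb5.conf like the one quoted in this thread and prints a copy without them, for use once "create krb5 conf = No" stops Samba from rewriting the file. The function names, the WEAK_RE policy and the sample file are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden enctype lists in a krb5.conf.
# WEAK_RE is this example's policy: single DES plus RC4; des3-* is not matched.
WEAK_RE='^(des|rc4|arcfour)-'
KEYS_RE='^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes|permitted_enctypes)[ \t]*='

_enctype_awk() {    # $1 = mode (audit|fix), $2 = path to krb5.conf
    awk -v mode="$1" -v weak="$WEAK_RE" -v keys="$KEYS_RE" '
        $0 ~ keys {
            eq = index($0, "=")
            head = substr($0, 1, eq)                 # "key =" with its original indent
            key = head; gsub(/[ \t=]/, "", key)
            n = split(substr($0, eq + 1), v, /[ \t,]+/)
            kept = ""
            for (i = 1; i <= n; i++) {
                if (v[i] == "") continue
                # a trailing "-" lets bare family names such as "des" match too
                if ((tolower(v[i]) "-") ~ weak) {
                    if (mode == "audit") print key ": " v[i]
                } else kept = kept " " v[i]
            }
            if (mode == "fix") print head kept
            next
        }
        mode == "fix" { print }                      # pass all other lines through
    ' "$2"
}
audit_enctypes()  { _enctype_awk audit "$1"; }       # list weak entries per key
harden_enctypes() { _enctype_awk fix "$1"; }         # print the config without them

sample_conf() {     # constructed sample modelled on the generated file in the thread
    cat <<'EOF'
[libdefaults]
        default_realm = MYDOMAIN.COM
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        dns_lookup_realm = false
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_enctypes "$tmp"        # entries that would be removed
harden_enctypes "$tmp"       # hardened copy on stdout
rm -f "$tmp"
```

In a domain that still has accounts without AES keys, removing RC4 can break authentication; set WEAK_RE='^des-' to drop only single DES.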
 
 
 
 
 
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com] 
Sent: Wednesday, December 07, 2016 9:33 PM
To: 'Samba' <samba at lists.samba.org>
Subject: Samba 4.51 Solaris 11 AD client
 
When running "configure" prior to  building samba, I noticed that the 
ldap_initialize function (along with a few others) weren't found.   The 
"smbd -b" command (using the smbd I compiled)
The "smbd -b" command from the bundled samba (either samba 3 on solaris
11 or samba 4 on linux) showed the following
              # smbd -b | grep -i ldap
                HAVE_LDAP_H
                HAVE_LDAP
                HAVE_LDAP_ADD_RESULT_ENTRY
                HAVE_LDAP_INIT
                HAVE_LDAP_INITIALIZE
                HAVE_LDAP_INIT_FD
                HAVE_LDAP_OPT_SOCKBUF
                HAVE_LDAP_SASL_WRAPPING
                HAVE_LDAP_SET_REBIND_PROC
                HAVE_LIBLDAP
                LDAP_DEPRECATED
                LDAP_SET_REBIND_PROC_ARGS
                pdb_ldapsam_init
                vfs_posixacl auth_sam auth_winbind auth_domain
            auth_builtin vfs_default nss_info_template idmap_tdb
            idmap_passdb idmap_nss idmap_ldap
            #
When I compiled samba 4.5.1  I got the following
              # /usr/local/samba/sbin/smbd -b | grep -i ldap
                HAVE_LDAP_H
                HAVE_LDAP
                HAVE_LDAP_INIT
                HAVE_LDAP_SET_REBIND_PROC
                HAVE_LIBLDAP
                LDAP_DEPRECATED
                LDAP_SET_REBIND_PROC_ARGS
                vfs_default auth_domain auth_builtin auth_sam
            auth_winbind vfs_solarisacl pdb_smbpasswd pdb_tdbsam
            pdb_wbc_sam auth_unix auth_wbc nss_info_template idmap_tdb
            idmap_passdb idmap_nss pdb_samba_dsdb auth_samba4
            vfs_dfs_samba4 pdb_ldapsam idmap_ldap
            #
And looking at bin/config.log I could see the include path had 
/usr/include first, so the Solaris native ldapclient (not openldap) was 
being found first.
I remembered compiling Samba 3 on Solaris 10 had required that I build 
openldap first, since Solaris 10 did not include openldap.
Downloaded the latest openldap, and compiled for client only (slapd not 
enabled) into the /usr/local/samba-4.5.1 directory.
Set environmental variables as follows
            LDFLAGS="-L /usr/local/samba-4.5.1/lib  -L/usr/lib"
            CFLAGS="-I /usr/local/samba-4.5.1/include  -I/usr/include"
            CPPFLAGS="-I /usr/local/samba-4.5.1/include -I/usr/include"
            export LDFLAGS  CFLAGS CPPFLAGS
            C_INCLUDE_PATH=/usr/local/samba-4.5.1/include:/usr/include:/usr/include/kerberosv5
            CPLUS_INCLUDE_PATH=/usr/local/samba-4.5.1/include:/usr/include:/usr/include/kerberosv5
            export  C_INCLUDE_PATH  CPLUS_INCLUDE_PATH
This fixed the issue of expected ldap functions not being found.
I could have probably used the bundled  openldap  files instead 
(/usr/include/openldap, /usr/openldap/lib).
Now, wbinfo -u will show the domain users even if I don't set "winbind 
rpc only = Yes"
I don't see any trusted domains but I think I am making progress.
-------- Forwarded Message --------
Subject: 	RE: Samba 4.51 Solaris 11 AD client
Date: 	Sun, 11 Dec 2016 11:57:41 -0500
From: 	Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: 	gaiseric.vandal at gmail.com
To: 	'Samba' <samba at lists.samba.org>