Solaris on x86 - Samba on Solaris 10 in native ADS environment
Despite crowing about Solaris 10 and integration with Active Directory, this is not quite ready for prime time.
Here's the issue:
In a native Active Directory Services environment (as opposed to 'mixed mode'), Samba on Solaris 10 cannot create an AD entry for the system. It turns out that the Sun provided Samba binaries are not compiled with ADS support. ****.
So, time to rebuild Samba. Here, it turns out that Sun's native Kerberos support only talks GSS-API (for good and correct reasons, of course) but Samba prefers the older (and largely undocumented) MIT krb5.so interface. ****.
So, time to build Kerberos. Both the MIT and Heimdal variations fail in their compile, for reasons I won't bother elaborating on, because once you get over that hurdle, you still have to deal with the lack of LDAP interface libraries.
So, time to build OpenLDAP...
The long and the short of it is that I now have a Thumper that will not play nicely in our AD environment, so I cannot provide CIFS to our users from it.
Has anyone succeeded in getting Samba built on Solaris 10 x86 (11/06) with full ADS support? Are there pointers to docs that will help?
Chris
By CDollmonta at 2007-11-26 23:26:11

# 1
I've done it on Solaris 10/SPARC.
And as far as I recall, it just worked.
I built my own version of:
openssl
gettext
libiconv
openldap
kerberos
gettext and libiconv are a bit tricky as there's a circular dependency.
So you have to build one, then the other, then the first again.
But it's not clear if not doing that would break things.
Or that everything on that list is essential.
But that's what I did, and it worked.
So if you tell us what error you're getting, maybe we can suggest something.
# 2
OK. Following your hints, I was able to get OpenLDAP and Kerberos built. I was also able to get a successful configure on the Samba source tree.
However, the compile now fails with:
Linking bin/smbd
Undefined                               first referenced
 symbol                                     in file
create_kerberos_key_from_string_direct  libsmb/clikrb5.o
error_message                           libsmb/cliconnect.o  (symbol belongs to implicit dependency /opt/krb5-1.6/lib/libcom_err.so.3)
ld: fatal: Symbol referencing errors. No output written to bin/smbd
collect2: ld returned 1 exit status
*** Error code 1
I'm sure this is a simple setting. When I built Kerberos, I gave it its own path and referenced the lib path in LD_LIBRARY_PATH. I also tried specifying the Kerberos libs with --with-krb5=/opt/krb5-1.6.
Finally, note that the notes in this message:
http://lists.samba.org/archive/samba/2006-December/127705.html
were very helpful in getting me this far.
Chris
# 3
Looks like you're picking up the wrong Kerberos libraries.
Unfortunately, Sun decided to add a special -R flag to the linker that's different to any other Unix out there. Heaps of software doesn't know to add the -R flags and gets screwed up.
It's the worst decision that Sun ever made...
They should have made the -R value default to the -L value and you could override it if you needed. But they didn't...
Here's the commands we use to configure Samba:
CPPFLAGS=-I/usr/local/openldap/include\ -I/usr/local/ssl/include
LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/openldap/lib -R/usr/local/openldap/lib -L/usr/local/libiconv/lib -R/usr/local/libiconv/lib"
export LDFLAGS CPPFLAGS
cd source
./configure --prefix=/usr/local/samba --with-ldapsam --with-libiconv=/usr/local/libiconv \
    --with-automount --with-ads --with-krb5=/usr/local/krb5 --with-quotas --with-utmp \
    --with-logfilebase=/var/samba --with-acl-support
make
# 4
Of course your battle is only just beginning :-)
Once you have it built, I found getting a "net ads join" command to work can be a struggle.
You need to have a properly configured krb5.conf file.
And it's fussy about having your fully qualified domain name in /etc/hosts and /etc/inet/ipnodes.
# 5
Thanks again for all the help, but I'm still getting the same Kerberos error. I made the suggested changes, and here's how things are looking now:
bash-3.00# echo $CPPFLAGS
-I/usr/local/ssl/include -I/opt/openldap-2.3.34/include
bash-3.00# echo $LDFLAGS
-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/opt/openldap-2.3.34/lib -R/opt/openldap-2.3.34/lib
bash-3.00# ./configure --prefix=/opt/samba-3.0.24 --with-ldapsaml --with-libiconv=../../libiconv-1.11 --with-ads --with-krb5=/opt/krb5-1.6 --with-quotas --with-logfilebase=/var/samba --with-acl-support
Note that libiconv is in /usr/local/lib already--not that I think it matters in this case.
I have a feeling we're this close to getting this resolved. Once I get this on our test system, I'll repeat the procedure on the production box and write it up for BigAdmin. This should not be so difficult...
Thanks again.
Chris
# 6
You may need to go back and recompile something else with a shared library that you compiled against Kerberos.
Shared libraries remember the linker flags they were compiled with.
Try doing an ldd on the .so files for any shared libraries you're using and seeing if any come up with a reference to the wrong Kerberos.
You might want to try with Kerberos 1.5 instead of 1.6. I haven't tried compiling it against 1.6.
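Posts #3 and #6 both come down to the same check: after linking, confirm that every Kerberos-related dependency actually resolves from the prefix you built against (the -R runpath) rather than from the system copy. The script below is an added example, not code from the thread; it reads ldd-style output and flags any libkrb5/libcom_err/libgssapi/libk5crypto line that resolves outside an expected prefix. The prefix /opt/krb5-1.6 is taken from the thread; the sample ldd output is constructed.

```shell
#!/bin/sh
# Added example: detect shared objects that resolve Kerberos libraries from the
# wrong place (the "wrong kerberos" situation described in posts #3 and #6).
# EXPECTED_KRB5_PREFIX is the prefix Samba was configured with (--with-krb5=...).
EXPECTED_KRB5_PREFIX="${EXPECTED_KRB5_PREFIX:-/opt/krb5-1.6}"

# check_krb5_deps: read ldd-style output on stdin ("name => path" lines, as
# printed by both Solaris and Linux ldd). Print one "WRONG:" line for every
# Kerberos library that does not resolve under EXPECTED_KRB5_PREFIX, including
# "(file not found)" entries. Returns 0 when clean, 1 when anything is wrong.
check_krb5_deps() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *libkrb5*|*libcom_err*|*libgssapi*|*libk5crypto*) ;;
            *) continue ;;
        esac
        # Everything after "=>" is the resolved path; take its first word so
        # Linux's trailing "(0x...)" load address is ignored.
        rhs=${line#*=>}
        set -- $rhs
        path=${1:-}
        case "$path" in
            "$EXPECTED_KRB5_PREFIX"/*) ;;
            *) printf 'WRONG: %s\n' "$line"; bad=1 ;;
        esac
    done
    return $bad
}

# scan_dir DIR: run ldd over every shared object in DIR (used on a real box;
# not exercised offline).
scan_dir() {
    for so in "$1"/*.so*; do
        [ -f "$so" ] || continue
        printf '== %s\n' "$so"
        ldd "$so" 2>/dev/null | check_krb5_deps
    done
}

# Constructed sample: libkrb5 resolved from /usr/lib (the system copy) while
# libcom_err resolved from the intended prefix. Only the first line is wrong.
SAMPLE_LDD='libkrb5.so.3 => /usr/lib/libkrb5.so.3
libcom_err.so.3 => /opt/krb5-1.6/lib/libcom_err.so.3
libc.so.1 => /lib/libc.so.1'

# Stand-alone run: print the offending lines from the sample.
printf '%s\n' "$SAMPLE_LDD" | check_krb5_deps
```

On a Solaris build you would point scan_dir at each prefix you linked against (the OpenLDAP, libiconv and Samba lib directories) and rebuild anything it flags with the matching -R flag, because a dependency that was linked without a runpath keeps resolving from the system copy no matter what LD_LIBRARY_PATH says at link time.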
# 7
OK. Based on a hint from the Samba group, I nuked the Samba source tree, re-extracted the tarball, and started the Samba configure from scratch.
Everything configured and built properly, and all is now installed.
But, when I do:
"net join ads -U adminguy@AD.NET"
I get:
[2007/04/03 14:27:33, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Illegal byte sequence
ADS join did not work, falling back to RPC...
Unable to find a suitable server
Unable to find a suitable server
Argh!!!!!!
:)
Chris
# 8
Don't say I didn't warn you :-)
That's a new error message to me.
Here's the interesting section of a working krb5.conf:
[libdefaults]
default_realm = IC.ANU.EDU.AU
[realms]
IC.ANU.EDU.AU = {
kdc = icdc01.anu.edu.au
kdc = icdc02.anu.edu.au
kdc = icdc03.anu.edu.au
admin_server = icdc01.anu.edu.au
}
[domain_realm]
.ic.anu.edu.au = IC.ANU.EDU.AU
ic.anu.edu.au = IC.ANU.EDU.AU
.anu.edu.au = IC.ANU.EDU.AU
anu.edu.au = IC.ANU.EDU.AU
You also need to make sure that you have your fully qualified domain name specified first in /etc/hosts and /etc/inet/ipnodes
# 9
I've confirmed that the built krb bins and libs work with the krb5.conf for the AD domain. I can kinit and get a ticket, then klist to confirm the ticket. I will try the changes to krb5.conf you recommend. What part of the world are you in?
Chris
# 10
I would have thought the .au's on all the domain names would have been a bit of a giveaway :-)
# 11
Immediately after sending that note, I noticed that. Two things came to mind:
1) He's in Australia.
2) He's going to make some kind of crack about this.
:)
Chris
# 12
Major progress! After going back and fixing some DNS ****, adding entries to hosts and whatnot, I now get this:
[2007/04/04 17:12:46, 0] libads/kerberos.c:ads_kinit_password(208)
kerberos_kinit_password VILI-SB$@NW.NET failed: Client not found in Kerberos database
[2007/04/04 17:12:46, 0] utils/net_ads.c:ads_startup(289)
ads_connect: Client not found in Kerberos database
Note that kinit and klist work just fine, and the Kerberos that Samba was built against is first in the path.
I know we're getting close now. I'm googling(tm) for solutions but I'm wondering if you have any off the top of your head.
BTW, 'net ads info' works. 'net ads status' returns 'no machine account', which makes sense...
Chris
# 13
Even more progress. Now I get:
Using short domain name -- NWB
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.
Disabled account for 'VILI' in realm 'NW.NET'
Apparently, this is caused by a DNS snafu (big surprise) in which "Either (a) the fqdn of the local machine (the one you are joining to the domain) is not set correctly or (b) is set to a domain outside the AD domain name and you are not a domain admin."
Any idea how to correct this?
Chris
Message was edited by: CDollmont
PS: I'm sticking with this tonight--I feel I'm really close now and I'm watching periodically for messages. I feel I can break the back of this problem tonight, so I'm willing to stay up as late as I have to!
C
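Posts #4, #8 and #13 describe the two things "net ads join" is fussy about before it ever talks to a DC: the host's FQDN must map to the AD realm through [domain_realm] in krb5.conf, and the FQDN must be the first name for the host's address in /etc/hosts (and /etc/inet/ipnodes). The script below is an added pre-flight check, not code from the thread; it implements krb5's longest-suffix [domain_realm] lookup and the hosts-file rule against constructed sample files. The realm NW.NET and host VILI come from the thread; the KDC name dc1.nw.net and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for "net ads join" (posts #4, #8, #13).
# Both checks read files passed as arguments so they run offline against samples.

# realm_for_host FQDN KRB5CONF: apply the [domain_realm] mapping the way krb5
# does: a key with a leading dot matches any host under that domain, a key
# without one matches the host name exactly, and the longest key wins.
# Prints the realm, or nothing when the host maps to no realm (post #13 case b).
realm_for_host() {
    awk -v host="$1" '
        /^\[/ { insec = ($0 == "[domain_realm]"); next }
        insec && /=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            key = kv[1]; realm = kv[2]; cand = 0
            if (substr(key, 1, 1) == ".") {
                if (length(host) > length(key) &&
                    substr(host, length(host) - length(key) + 1) == key) cand = 1
            } else if (host == key) cand = 1
            if (cand && length(key) > bestlen) { bestlen = length(key); best = realm }
        }
        END { print best }' "$2"
}

# hosts_fqdn_first HOSTSFILE IP FQDN: succeed only if the first name listed for
# IP is the FQDN (the ordering posts #4 and #8 insist on).
hosts_fqdn_first() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { found = 1; if ($2 == fqdn) ok = 1 }
        END { if (found && ok) exit 0; exit 1 }' "$1"
}

# ads_preflight FQDN IP HOSTSFILE KRB5CONF: run both checks, report, return 1 on any failure.
ads_preflight() {
    rc=0
    realm=$(realm_for_host "$1" "$4")
    if [ -z "$realm" ]; then
        echo "FAIL: $1 maps to no realm in [domain_realm] of $4"; rc=1
    else
        echo "ok:   $1 -> realm $realm"
    fi
    if hosts_fqdn_first "$3" "$2" "$1"; then
        echo "ok:   $1 is the first name for $2 in $3"
    else
        echo "FAIL: $1 is not the first name for $2 in $3"; rc=1
    fi
    return $rc
}

# Constructed sample files (realm/host names from the thread, KDC and IPs invented).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = NW.NET
[realms]
NW.NET = {
kdc = dc1.nw.net
}
[domain_realm]
.nw.net = NW.NET
nw.net = NW.NET
EOF
cat > "$SAMPLE_DIR/hosts" <<'EOF'
127.0.0.1 localhost
192.0.2.10 vili.nw.net vili
192.0.2.11 badhost badhost.nw.net
EOF

# Stand-alone run: a good host and a host with the short name listed first.
ads_preflight vili.nw.net 192.0.2.10 "$SAMPLE_DIR/hosts" "$SAMPLE_DIR/krb5.conf"
ads_preflight badhost.nw.net 192.0.2.11 "$SAMPLE_DIR/hosts" "$SAMPLE_DIR/krb5.conf"
```

On a real host, call ads_preflight with the output of `hostname` (which must already be fully qualified), the address it resolves to, /etc/hosts and /etc/krb5.conf, then repeat for /etc/inet/ipnodes. A host that passes both checks is one whose servicePrincipalName can be derived from a name inside the AD domain, which is what the "Failed to set servicePrincipalNames" message in post #13 is complaining about.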
# 14
bash-3.00# net ads join -U _djf
_djf's password:
Using short domain name -- NWB
Joined 'VILI' to realm 'NW.NET'
'Nuff said... Except for 'Thank you'. Now it's time to go write all this up for BigAdmin. Urgh.
:c: