Friday, January 02, 2009
Samba3: Upgrading to v3.2 on CentOS 5
CentOS 5 currently only has Samba 3.0.28 in their BASE repository. The DAG/RPMForge projects don't have updated Samba3 RPMs either (although I do see an OpenPkg RPM). So the question that I've been dealing with for the past few weeks is "where do I get newer Samba RPMs"?

Ideally, I would get these RPMs from a repository, so that I could be notified via "yum check-update" when there are security / feature updates. While I don't mind the occasional source package in .tar.gz or .tar.bz2 format, they rapidly become a maintenance nightmare, especially for security-sensitive packages like Samba, which tend to be attack targets.

What I've found that looks promising is:

http://ftp.sernet.de/pub/samba/recent/centos/5/

Which has a .repo file and looks like it might be usable as a repository for yum. (See "Get the latest Samba from Sernet" for confirmation of this.)

# cd /etc/yum.repos.d/
# wget http://ftp.sernet.de/pub/samba/recent/centos/5/sernet-samba.repo

Now, the major change is that the RedHat/CentOS packages are named "samba.x86_64" while the sernet.de packages are named "samba3.x86_64". Also, the sernet.de folks don't sign their packages, so you will need to add "gpgcheck=0" to the end of the .repo file.

(At least, I don't think they do...)

Note: As always, before doing a major upgrade like this, make backups. At a minimum, make sure you have good backups of your Samba configuration files. We use FSVS with a SVN backend for all of our configuration files, which makes an excellent change tracking tool for Linux servers.

# yum remove samba.x86_64
# yum install samba3.x86_64
# service smb start

With luck, you should now be up and running with v3.2 of Samba. You can verify this by looking at the latest log file in the /var/log/samba/ directory.
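
Since "gpgcheck=0" turns off package signature verification for that repository, it is worth keeping track of which repositories run that way. The script below is an added example, not part of the original post: unsigned_repos and write_sample_repos are hypothetical helper names, and the .repo contents (including the section ids) are constructed.

```shell
#!/bin/sh
# Added example: list enabled yum repositories that install packages without
# GPG signature verification. All .repo contents below are constructed.

# unsigned_repos DIR: print "file:[repo-id]" for each enabled section that
# sets gpgcheck=0. Sections with no gpgcheck line inherit the [main] setting
# from yum.conf and are not reported here.
unsigned_repos() {
    for f in "$1"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            function report() {
                if (id != "" && gpg == "0" && enabled != "0") print file ":" id
            }
            /^[ \t]*[#;]/ { next }                       # comment line
            /^[ \t]*\[/   {                              # new [section]
                report(); id = $0; gsub(/[ \t]/, "", id)
                gpg = ""; enabled = ""; next
            }
            {
                eq = index($0, "="); if (!eq) next
                k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
                if (k == "gpgcheck") gpg = v
                if (k == "enabled")  enabled = v
            }
            END { report() }
        ' "$f"
    done
}

# write_sample_repos DIR: constructed sample files for the demo run below.
write_sample_repos() {
    cat > "$1/CentOS-Base.repo" <<'EOF'
[base]
name=CentOS-5 - Base
gpgcheck=1
EOF
    cat > "$1/sernet-samba.repo" <<'EOF'
# section id and name are assumed for this sample
[sernet-samba]
name=SerNet Samba packages
baseurl=http://ftp.sernet.de/pub/samba/recent/centos/5/
gpgcheck=0
EOF
    cat > "$1/scratch.repo" <<'EOF'
[scratch]
enabled = 0
gpgcheck = 0
EOF
}

tmp=$(mktemp -d)
write_sample_repos "$tmp"
unsigned_repos "$tmp"      # on a real host: unsigned_repos /etc/yum.repos.d
rm -rf "$tmp"
```

To see whether an individual downloaded package carries a signature at all, "rpm -K <package>.rpm" reports it.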


Monday, October 24, 2005
Gentoo: emerge samba fails while compiling rpctorture.c
Got the following error while trying to emerge samba into my Gentoo box.

Compiling torture/rpctorture.c
make: *** Waiting for unfinished jobs....
torture/rpctorture.c:27: error: `global_myname' redeclared as different kind of symbol
include/proto.h:1019: error: previous declaration of `global_myname'
torture/rpctorture.c:57: warning: `struct client_info' declared inside parameter list
torture/rpctorture.c:57: warning: its scope is only this definition or declaration, which is probably not what you want
torture/rpctorture.c: In function `rpcclient_connect':
torture/rpctorture.c:62: error: dereferencing pointer to incomplete type
torture/rpctorture.c:62: error: dereferencing pointer to incomplete type
torture/rpctorture.c:63: error: dereferencing pointer to incomplete type
torture/rpctorture.c:66: error: dereferencing pointer to incomplete type
torture/rpctorture.c:66: error: dereferencing pointer to incomplete type
torture/rpctorture.c:68: error: dereferencing pointer to incomplete type
torture/rpctorture.c:68: error: dereferencing pointer to incomplete type
torture/rpctorture.c: At top level:
torture/rpctorture.c:90: warning: `struct client_info' declared inside parameter list
torture/rpctorture.c: In function `run_enums_test':
torture/rpctorture.c:96: warning: passing arg 1 of `rpcclient_connect' from incompatible pointer type
torture/rpctorture.c:102: error: dereferencing pointer to incomplete type
torture/rpctorture.c:102: error: dereferencing pointer to incomplete type
torture/rpctorture.c: At top level:
torture/rpctorture.c:134: warning: `struct client_info' declared inside parameter list
torture/rpctorture.c: In function `run_ntlogin_test':
torture/rpctorture.c:140: warning: passing arg 1 of `rpcclient_connect' from incompatible pointer type
torture/rpctorture.c:146: error: dereferencing pointer to incomplete type
torture/rpctorture.c:146: error: dereferencing pointer to incomplete type
torture/rpctorture.c: At top level:
torture/rpctorture.c:167: warning: `struct client_info' declared inside parameter list
torture/rpctorture.c: In function `main':
torture/rpctorture.c:233: error: storage size of `cli_info' isn't known
torture/rpctorture.c:377: error: `scope' undeclared (first use in this function)
torture/rpctorture.c:377: error: (Each undeclared identifier is reported only once
torture/rpctorture.c:377: error: for each function it appears in.)
torture/rpctorture.c:535: warning: passing arg 5 of `create_procs' from incompatible pointer type
torture/rpctorture.c:539: warning: passing arg 5 of `create_procs' from incompatible pointer type
make: *** [torture/rpctorture.o] Error 1
* rpctorture didn't build
running build
running build_py
running build_ext
--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/var/log/sandbox/sandbox-net-fs_-_samba-3.0.14a-r2-21241.log"

access_wr: /etc/krb5.conf
--------------------------------------------------------------------------------
#


Here are my current USE flags:

# cat /etc/make.conf

# These settings were set by the catalyst build script that automatically built this stage
# Please consult /etc/make.conf.example for a more detailed example
CFLAGS="-Os -mcpu=i686"
CHOST="i386-pc-linux-gnu"
CXXFLAGS="${CFLAGS}"
MAKEOPTS="-j2"

GENTOO_MIRRORS="http://gentoo.osuosl.org/"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"


USE="apache2 kerberos ldap postgres samba -alsa -apm -arts -bitmap-fonts -gnome -gtk -gtk2 -kde -mad -mikmod -motif -opengl -oss -qt -quicktime -sdl -truetype -truetype-fonts -type1-fonts -X -xmms -xv"

# cat /etc/make.profile/make.defaults

# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/profiles/default-linux/x86/2005.1/make.defaults,v 1.4 2005/08/29 22:20:25 wolf31o2 Exp $

USE="alsa apm arts avi berkdb bitmap-fonts crypt cups eds emboss encode fortran foomaticdb gdbm gif gnome gpm gstreamer gtk gtk2 imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mp3 mpeg ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl spell ssl tcpd truetype truetype-fonts type1-fonts vorbis X xml2 xmms xv zlib"
#


I'm still searching for a solution to this issue. I've heard it has to do with trying to use the kerberos USE flag (which is not an optional flag for me). The closest possible solution in Google is on the Gentoo forums (Problems upgrading to Samba 3.0.14a-r2!). The user, "jpnag", posts a solution.

The solution involves editing the ebuild file for Samba. This is where you will need to become a bit more knowledgeable about how portage and emerge work (see "man make.conf" for details on some of this along with "man portage").

By default, portage downloads and installs packages under the "/usr/portage/" tree (defined by "PORTDIR=" in your "/etc/make.conf" file or "/etc/make.profile/make.defaults" file). There is also an optional define, "PORTDIR_OVERLAY=", which you can use to point at a tree containing user-built ebuild files that are not updated by "emerge --sync". Essentially, the second tree will overlay the first. So if you have "package X" in both trees, only the one in the overlay tree will get compiled.

Now to create the backup copy of the broken Samba ebuild. If you have not already added "PORTDIR_OVERLAY=" to your "make.conf" file, you should also do this.

# cd /etc
etc # echo 'PORTDIR_OVERLAY="/usr/local/portage"' >> /etc/make.conf
etc # cd /usr/local
local # ls /usr/portage/net-fs/samba/
local # mkdir portage ; cd portage
portage # mkdir net-fs ; cd net-fs
net-fs # mkdir samba ; cd samba
samba # cp -a /usr/portage/net-fs/samba/* .
samba # ls -l samba-3.0.14a-r2.ebuild
samba # nano -w samba-3.0.14a-r2.ebuild


Now hit [Ctrl-W] and type "src_compile", which will take you straight to the following code block:

src_compile() {
ebegin "Running autoconf"
autoconf
eend $?

local myconf
local mymods
local mylangs

if use xml || use xml2 ;
then
mymods="xml,${mymods}"
fi


Somewhere towards the start of the function, add the line "addpredict /etc/krb5.conf".

src_compile() {
ebegin "Running autoconf"
autoconf
eend $?

local myconf
local mymods
local mylangs

addpredict /etc/krb5.conf

if use xml || use xml2 ;
then
mymods="xml,${mymods}"
fi


Create the ebuild digest (MD5 signatures) for the patched package.

samba # ebuild /usr/local/portage/net-fs/samba/samba-3.0.14a-r2.ebuild digest
>>> Generating digest file...
<<< samba-3.0.14a.tar.gz
<<< samba-vscan-0.3.6.tar.bz2
<<< samba-3-gentoo-0.3.3.tar.bz2
>>> Generating manifest file...
<<< ChangeLog
<<< metadata.xml
<<< samba-3.0.14a-r2.ebuild
<<< samba-3.0.14a-r3.ebuild
<<< samba-3.0.20-r1.ebuild
<<< samba-3.0.20a.ebuild
<<< samba-3.0.20b.ebuild
<<< files/digest-samba-3.0.14a-r2
<<< files/README.gentoo
<<< files/digest-samba-3.0.14a-r3
<<< files/digest-samba-3.0.20-r1
<<< files/digest-samba-3.0.20a
<<< files/digest-samba-3.0.20b
>>> Computed message digests.

samba # emerge -pv samba

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild N ] net-fs/samba-3.0.14a-r2 -acl +cups -doc +kerberos +ldap -libclamav -mysql -oav +pam +postgres +python -quotas +readline (-selinux) -winbind -xml +xml2 0 kB [1]

Total size of downloads: 0 kB
Portage overlays:
[1] /usr/local/portage

samba # emerge samba


(crosses fingers)


Saturday, May 08, 2004
Gentoo Samba (round 3)
(previous post, samba round 2)

Well, after a busy week at work, I finally had time to log back into my little VIA EPIA server running Gentoo Linux. In my previous post, I had re-emerged the latest version of samba (v3), but I never had time to go back and try things out again after the emerge finished.

The original problem was that I couldn't find the "net" command, which turns out to be because I was using Samba v2 instead of Samba v3. I just logged into the box, su'd to root, and typed "net".

Bingo! I now have a "net" command!

So now I need to add the box to the ADS domain, and do all that other config stuff that I hadn't figured out yet. (Hint for newbies to a linux system, keep a running blog like this and use software like SecureCRT with logging enabled so that you can trace your steps.)

# kinit administrator@intra.tgharold.org
Password for administrator@intra.tgharold.org: ******
kinit(v5): KDC reply did not match expectations while getting initial credentials

Whoops, back to the KDC error... my /etc/krb5kdc/kdc.conf file looks fine at first glance, so does my /etc/krb5.conf file. Hmmm.... oh, wait, wrong kinit command, ADS domain must be in CAPS:

# kinit administrator@INTRA.TGHAROLD.ORG
Password for administrator@INTRA.TGHAROLD.ORG: ******
#

That did it! Next step is to join the ADS domain:

# net ads join
[2004/05/08 13:54:25, 0] param/loadparm.c:map_parameter(2410)
Unknown parameter encountered: "realm"
[2004/05/08 13:54:25, 0] param/loadparm.c:lp_do_parameter(3048)
Ignoring unknown parameter "realm"
[2004/05/08 13:54:25, 0] param/loadparm.c:map_parameter(2410)
Unknown parameter encountered: "ads server"
[2004/05/08 13:54:25, 0] param/loadparm.c:lp_do_parameter(3048)
Ignoring unknown parameter "ads server"
ADS support not compiled in

Looks like I missed another trick (no ADS support compiled in). FYI, running the following command should've given me a hint that something was still not ready:

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Unknown parameter encountered: "realm"
Ignoring unknown parameter "realm"
Unknown parameter encountered: "ads server"
Ignoring unknown parameter "ads server"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = INTRA
netbios name = NAZUMI
server string = Samba Server %v
local master = No
domain master = No

Heh, but being lazy, I ignored the error messages and pressed onward. Back to Google for a bit. Found the answer on the Samba website, under 9.3.1 "Possible errors", for "ADS support not compiled in": Samba must be reconfigured (remove config.cache) and recompiled (make clean all install) after the kerberos libs and headers are installed.

# find / -name config.cache
/usr/portage/app-admin/puregui/files/config.cache

Okay, skip that for the moment... let's go investigate my USE flags. A recommended tool for that is "ufed" (which if you don't have can be emerged by "emerge ufed"). It also shows one-liner descriptions of what each USE flag represents (or you can look at /usr/portage/profiles/use.desc). The only file modified by ufed is /etc/make.conf (represented by the 3rd position in the 3-character indicator after each USE flag).

# emerge info

Portage 2.0.50-r6 (default-x86-2004.0, gcc-3.3.2, glibc-2.3.2-r9, 2.6.3)
=================================================================
System uname: 2.6.3 i686 VIA Samuel 2
Gentoo Base System version 1.4.3.13
Autoconf: sys-devel/autoconf-2.58-r1
Automake: sys-devel/automake-1.7.7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-Os -march=i586 -m3dnow -fomit-frame-pointer"
CHOST="i586-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-Os -march=i586 -m3dnow -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com/ http://212.219.247.19/sites/www.ibiblio.org/gentoo/ http://212.219.247.18/sites/www.ibiblio.org/gentoo/ http://212.219.247.20/sites/www.ibiblio.org/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apm arts avi berkdb crypt cups encode foomaticdb gdbm gif gnome gpm gtk gtk2 imlib jpeg kde libg++ libwww mad mikmod motif mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell ssl svga tcpd truetype x86 xml2 xmms xv zlib"

There's probably a good bit of stuff that I should remove from the USE= line, but I'm not entirely sure what's needed and what's not yet. I don't think I need to add "samba" there because I'm not interested in accessing other samba shares on the network (yet).

Okay, back to the main thread... reading the samba guide a bit more, it indicates that I need the kerberos development libraries installed. It looks like I have those installed:

# ls -1 /usr/lib/*krb*
/usr/lib/libgssapi_krb5.so
/usr/lib/libgssapi_krb5.so.2
/usr/lib/libgssapi_krb5.so.2.2
/usr/lib/libkrb5.so
/usr/lib/libkrb5.so.3
/usr/lib/libkrb5.so.3.2

Okay, so I need to do some digging... a lot of places recommend using "etcat" to query ebuild information to find out what use flags are available, what got used during the compile. However, in order to use etcat, you need to "emerge gentoolkit". Takes about 5 minutes to install (if that).

# etcat versions samba
[ Results for search key : samba ]
[ Candidate applications found : 7 ]
Only printing found installed programs.
* net-fs/samba :
[ ] 2.2.8a (0)
[M~ ] 3.0.0-r1 (0)
[M ] 3.0.1 (0)
[M~ ] 3.0.1-r1 (0)
[M~ ] 3.0.2a (0)
[M~ ] 3.0.2a-r1 (0)
[ I] 3.0.2a-r2 (0)

Shows that I have 3.0.3a-r2 installed ("I"). All of the other v3 are masked ("M") and/or tagged as unstable ("~").

# etcat uses samba
[ Colour Code : set unset ]
[ Legend : (U) Col 1 - Current USE flags ]
[ : (I) Col 2 - Installed With USE flags ]

U I [ Found these USE variables in : net-fs/samba-3.0.2a-r2 ]
- - kerberos : Adds kerberos support
- - mysql : Adds mySQL support
- - xml : Check/Support flag for XML library (version 1)
- - acl : Adds support for Access Control Lists
+ + cups : Add support for CUPS (Common Unix Printing System)
- - ldap : Adds LDAP support (Lightweight Directory Access Protocol)
+ + pam : Adds support PAM (Pluggable Authentication Modules)
+ + readline : enables support for libreadline, a GNU line-editing library that most everyone wants.
+ + python : Adds support/bindings for the Python language
- - oav : Adds support for anti-virus from the openantivirus.org project

A bit uglier... samba doesn't have kerberos support included. And looking back at the output of "emerge info" I see that the kerberos USE flag isn't listed there. This would be changed by the /etc/make.conf file (or using "ufed" to edit). The USE= line in my /etc/make.conf is empty, so I'll fire up ufed, tag kerberos, and save. Now, run the "etcat uses samba" again and notice that the kerberos USE flag now has a '+' under the 'U' column, but a '-' under the 'I' (installed) column. Since I can't find a config.cache file that looks like it belongs to samba, I'm just going to check the package status with emerge.

# emerge -p samba
(shows a "R" flag after the ebuild, looking at "man emerge" that indicates that the package is already installed, but that "emerge samba" again will recompile)
# emerge samba
(go away for a bit... samba takes a while to compile, 30-60 minutes or so)

# etcat uses samba
(now shows kerberos in green, as installed)

# testparm /etc/samba/smb.conf
(still complains about "realm" and "ads server" in the /etc/samba/smb.conf file)

Okay, so I'm not sure what the next step is... I'll have to google again later when I'm not as frustrated. Samba is still complaining that "ADS support is not compiled in". The only "config.cache" file on the system is from July 2001 and is not in the samba folder.

Update: The missing piece was that I hadn't configured both the kerberos and ldap USE flags in my make.conf file.


Saturday, May 01, 2004
Gentoo Samba (round 2)
(Gentoo samba page, attempt #1)

Well, rebuilding the kernel didn't really do anything other than teach me how to rebuild the kernel... I'm still getting the "net: command not found" error when trying to add the box to the AD domain. (And I'm not sure what I missed during the installation.)

I have noticed that "emerge samba" installed the 2.2.8a version of Samba instead of version 3... so now I need to find out how to install v3 on gentoo. According to the packages listing for samba, 3.0.2a-r2 is marked as stable as of Apr 29th. (Also useful is the graphical portage browser.)

# emerge sync
# emerge --pretend samba

Ah ha! Now it indicates that it will install net-fs/samba-3.0.2a-r2, but first there's a message that I need to update portage to the latest version.

# emerge search 'portage'

Shows me that I have 2.0.50-r1 and the latest is 2.0.50.r6 and that the size of the download is 219KB.

# emerge portage
# emerge samba


Gentoo Kernel Rebuild (samba support)
Trying to compile a new kernel with samba support built in... I'll install this one as a different kernel image in the /boot folder. (See the Gentoo handbook for details on what is going on here.)

# cd /usr/src/linux
# make menuconfig

Go to File Systems, Network File Systems, and turn ON the SMB file system support. Exit and save.

# make && make modules_install

# mount /dev/hda1 /boot

# cp arch/i386/boot/bzImage /boot/kernel-2.6.3-20040501-samba
# cp System.map /boot/System.map-2.6.3-20040501-samba
# cp .config /boot/config-2.6.3-20040501-samba

Now, edit the grub configuration file (/boot/grub/grub.conf), and add the new kernel to the list. Here's what my new grub config file looks like:

default 0
timeout 30

title=Gentoo Linux 2.6.3 (Samba Support, May 1 2004)
root (hd0,0)
kernel /kernel-2.6.3-20040501-samba root=/dev/hda2

title=Gentoo Linux 2.6.3
root (hd0,0)
kernel /kernel-2.6.3-gentoo root=/dev/hda2

By leaving a 30 second timeout and leaving the old kernel information in the config file, I have a bit of a window to flip back to the previous kernel if needed. (Not my idea, saw it somewhere else on the web.)


Gentoo Samba with ADS
Trying to set up my Samba box ("emerge samba") so that I can access the shares from Win2000 and WinXP machines in a Win2000 domain (Active Directory Services). One of the links indicates that I need MIT Kerberos 1.3.1, which can be installed with "emerge mit-krb5" (AFAICT). So I'll start with installing that... I also have The Official Samba-3 HOWTO and Reference Guide book handy, although it's a bit sparse on exactly how to set up Samba to be a file server in an ADS environment.

(Note: you should emerge the mit-krb5 package prior to emerging the samba package... otherwise you'll have to recompile samba after the mit-krb5 package is installed if you want ADS support... per the official samba howto / reference guide book in the Bruce Perens' series, p 78, section 6.4.3.1.)

Things that I'll probably definitely configure in smb.conf (reading through the smb.conf.example file while mit-krb5 finishes compiling):

[global]

# section 1
netbios name = nezumi
server string = Samba Server %v

# section 7 (name resolution)
local master = no (don't be a master browser)
domain master = no (don't be a domain master browser)
wins support = no (don't be a wins server)
wins server = (my local wins server... not sure if I can list multiple, actually I lie - I don't have a WINS server on my home network, not going to put this line in)

Well, mit-krb5 is finished emerging in, time to test it out.

# kinit administrator@intra.tgharold.org
Password for administrator@intra.tgharold.org: ******
kinit(v5): KDC has no support for encryption type while getting initial credentials

Hmmm, got an error, should be easy to google for that. Looks like I need to edit the /etc/krb5.conf file, focusing on anywhere that it says "example". Basically, if your ADS domain is "intra.tgharold.org", then replace every occurrence of "example.com" with "intra.tgharold.org". Which then gives me the next error:

kinit(v5): Clock skew too great while getting initial credentials

Okay, fixed time... next error! (Again, trying the kinit command.)

kinit(v5): KDC reply did not match expectations while getting initial credentials

That error indicates (according to trouble with fedora and active directory) that there is a case-issue with the principal name. Also, looking at my krb5.conf file again, I see that I forgot to replace the first "example.com =" occurrence in the [realms] section. I also edited the /etc/krb5kdc/kdc.conf file, again changing any "EXAMPLE.COM" to "INTRA.TGHAROLD.ORG". Bingo! (and here's the trick... I was testing with the wrong kinit line, everything after the '@' needs to be uppercase)

# kinit administrator@INTRA.TGHAROLD.ORG
Password for administrator@INTRA.TGHAROLD.ORG: ******

That tested out perfectly. Back to Using Samba to Authenticate GNU/Linux Against Active Directory, next step is to configure the /etc/samba/smb.conf file for real. Here's my first attempt:

[global]
netbios name = nazumi
server string = Samba Server %v

local master = no
domain master = no
wins support = no

workgroup = INTRA
realm = INTRA.TGHAROLD.ORG
ads server = DC1.INTRA.TGHAROLD.ORG
security = ADS
encrypt passwords = yes

Save, exit, run the following command to join up with the ADS domain:

# net ads join

Whoops! "net" command not found... um... what did I forget? Er, forgot to install the samba-client package (which is named what?). Well, one note that I read indicates that after Kerberos is installed, you have to reinstall samba to have ADS support compiled in. To uninstall samba, it looks like the command is "emerge unmerge samba" (to check before you jump, use "emerge --pretend unmerge samba"). Then "emerge samba" to recompile and re-install samba (probably have to redo the smb.conf file?). Another reason that I'm uninstalling/reinstalling samba is that the keywords "realm" and "ads server" caused complaints when I ran "testparm /etc/samba/smb.conf" to check my syntax.

Well, samba has finished... yet testparm still complains about the "realm" and "ads server" keywords in the smb.conf file. My next guess is that I need to recompile the kernel and make sure I have samba support installed.
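
Two of the problems hit in this post, a realm typed in lower case and an "example.com" entry left behind in krb5.conf, can be caught before running kinit or "net ads join". The script below is an added example, not part of the original post: ini_get, check_ads_realm and write_samples are hypothetical helper names, the file contents are constructed, and it assumes the smb.conf realm and the krb5.conf default_realm should be the same upper-case realm.

```shell
#!/bin/sh
# Added example: sanity-check the realm settings that kinit and
# "net ads join" depend on. All file contents below are constructed.

# ini_get FILE SECTION KEY: print the first value of KEY inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); sect = $0; next }
        sect == want {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_ads_realm SMB_CONF KRB5_CONF: print each problem found, return 1 if any.
check_ads_realm() {
    smb_conf=$1; krb5_conf=$2; rc=0
    realm=$(ini_get "$smb_conf" global realm)
    default_realm=$(ini_get "$krb5_conf" libdefaults default_realm)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')

    if [ -z "$realm" ]; then
        echo "smb.conf: no realm set in [global]"; rc=1
    elif [ "$realm" != "$upper" ]; then
        echo "smb.conf: realm '$realm' is not upper case"; rc=1
    fi
    if [ "$realm" != "$default_realm" ]; then
        echo "krb5.conf: default_realm '$default_realm' differs from smb.conf realm '$realm'"; rc=1
    fi
    # A leftover "EXAMPLE.COM = {" stanza means the real realm has no entry.
    if [ -n "$realm" ] && [ -z "$(ini_get "$krb5_conf" realms "$realm")" ]; then
        echo "krb5.conf: no [realms] entry for '$realm'"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed configs modelled on the settings in the post,
# with the [realms] stanza still carrying the stock example name.
write_samples() {
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = INTRA
   realm = INTRA.TGHAROLD.ORG
   security = ADS
EOF
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = INTRA.TGHAROLD.ORG
[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
    }
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_ads_realm "$tmp/smb.conf" "$tmp/krb5.conf" || echo "fix the settings above before joining"
rm -rf "$tmp"
```

On a real host the call would be check_ads_realm /etc/samba/smb.conf /etc/krb5.conf. The lookup is case-sensitive and only matches the exact key spelling, which is stricter than Samba's own parser.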

Helpful links:
Authenticating to Samba share using "Active Directory Server"
[Samba] force user not working
