Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
We have a local include file, db.h which has fetch and store defined. Our db.h, from a BerkeleyDB 4.8.26 install, contains the following: #define fetch(a)__db_dbm_fetch(a) #define store(a, b) __db_dbm_store(a, b) My guess is that these are causing the problem. Jeff On 3/15/10 12:24 PM, Volker Lendecke volker.lende...@sernet.de wrote: On Fri, Mar 12, 2010 at 01:13:05PM -0800, Block, Jeff wrote: I thought this message would have been added to my previous thread: http://lists.samba.org/archive/samba/2010-February/153608.html In any case, it's solaris 9. Further details on the issue I was having are in the link. Great. We have workarounds for many platforms already that pollute the name space with macros. Can you find out which #include defines fetch and store and to what they are mapped? fetch and store are pretty generic functions that I'm really reluctant to avoid using in Samba... Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
After talking with a programmer here, we were able to figure out the problem. lib/dbwrap.c was using fetch and store in functions which were colliding with previously defined macros with the same names. We were able to resolve the issue by undefining the macros after the include lines in dbwrap.c: #undef fetch #undef store Compile errors with either fetch or store name collisions were seen in the following as well: lib/dbwrap_util.c passdb/secrets.c passdb/pdb_tdb.c groupdb/mapping_tdb.c smbd/connection.c smbd/session.c locking/locking.c locking/brlock.c locking/posix.c smbd/notify_internal.c utils/net_idmap.c modules/vfs_xattr_tdb.c modules/vfs_acl_tdb.c All these were fixed with one or both of the undef's. Hope this helps if anyone else hits this issue. Jeff Block Programmer / Analyst Radiology Research Computing University of California, San Francisco (415) 476-1709 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
I thought this message would have been added to my previous thread: http://lists.samba.org/archive/samba/2010-February/153608.html In any case, it's solaris 9. Further details on the issue I was having are in the link. Jeff On 3/12/10 12:54 PM, Volker Lendecke volker.lende...@sernet.de wrote: On Fri, Mar 12, 2010 at 12:37:05PM -0800, Jeff Block wrote: After talking with a programmer here, we were able to figure out the problem. lib/dbwrap.c was using fetch and store in functions which were colliding with previously defined macros with the same names. We were able to resolve the issue by undefining the macros after the include lines in dbwrap.c: #undef fetch #undef store What platform is it? Volker -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] 3.3 and 3.4 compile failure on dbwrap
On 2/5/10 6:23 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote: I also have problems using this gcc bundled with the Sun freeware tools (/usr/sfw/bin/gcc.) I had more luck with using gcc from sunfreeware.com. In hindsight I think it may have just been a matter of setting CPPFLAGS and LDFLAGS correctly.You may also find that the samba build on sunfreeware meets your needs. (zfs support seems lacking - which shouldn't matter for solaris 9, and you may still need to compile the nss_winbind modules.) I also installed OpenLDAP from Sunfreeware.com. The Solaris native ldap client does not seem to have full functionality for Active Directory support (may not be an issue for you.) I think Sun compiles Samba using a Mozilla LDAP SDK. This is how I ended up compiling Samba using Sunfreeware GCC. #PATH=/usr/swf/bin:/usr/ccs/bin:$PATH #PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH #LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY PATH #LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH #export LD_LIBRARY_PATH #export CPPFLAGS=-I/usr/local/include -I/usr/local/ssl/include -I/usr/include #export LDFLAGS=-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib #./configure --prefix=/usr/local/samba-3.4.5 --with-shared-modules=vfs_zfsacl --with-privatedir=/etc/samba/private --with-lockdir=/var/samba/locks --with-configdir=/etc/samba --enable-nss-wrapper #make #make install I think I may need to have manually copied nss_winbind.so.1 file to /usr/local/samba-3.4.5/lib On 02/04/10 17:51, Jeff Block wrote: I'm having problems compiling a newer version of samba (3.3.x or 3.4.x) on solaris 9. We are currently running 3.0.23d and have been putting off upgrading for far to long. I've tried gcc and sun studio 12 cc with the same issues when it comes to compiling dbwrap.c. I can't seem to find anything on google that's related to my issue. Here's my configure line when using gcc: ./configure --prefix=/netopt --with-automount \ --with-configdir=/usr/local/samba --localstatedir=/var/log/samba \ --infodir=/netopt/share/info --mandir=/netopt/share/man \ --with-privatedir=/usr/local/samba/private --with-krb5=/netopt \ --with-libiconv=/netopt --with-utmp --with-winbind CC=gcc \ CFLAGS='-I/netopt/include' LD=gcc LDFLAGS='-L/netopt/lib -R/netopt/lib' \ --with-syslog-facility=local7 When it finally gets to compiling dbwrap.c, here's what I see: Compiling lib/dbwrap.c lib/dbwrap.c:58:46: macro fetch passed 4 arguments, but takes just 1 lib/dbwrap.c: In function `dbwrap_fallback_parse_record': lib/dbwrap.c:58: warning: assignment makes integer from pointer without a cast lib/dbwrap.c:186:38: macro store passed 3 arguments, but takes just 2 lib/dbwrap.c: In function `dbwrap_store': lib/dbwrap.c:186: error: incompatible types in assignment lib/dbwrap.c:196:41: macro fetch passed 4 arguments, but takes just 1 lib/dbwrap.c: In function `dbwrap_fetch': lib/dbwrap.c:196: warning: comparison between pointer and integer The following command failed: gcc -I../lib/zlib -I/netopt/include -I/netopt/include -I. -I/opt/src/freeware/samba-3.4.5/source3 -I/opt/src/freeware/samba-3.4.5/source3/iniparser/src -Iinclude -I./include -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H -I/netopt/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64 -I/netopt/include -DLDAP_DEPRECATED -DSUNOS5 -I/opt/src/freeware/samba-3.4.5/source3/lib -I.. -I../source4 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/dbwrap.c -o lib/dbwrap.o make: *** [lib/dbwrap.o] Error 1 Thanks for the advice, but unfortunately I'm still having problems. I am using a compiled version of gcc (3.4.3). My LDFLAGS and CFLAGS are: CFLAGS='-I/netopt/include' LDFLAGS='-L/netopt/lib -R/netopt/lib' This is generally what I use as /netopt is basically our /usr/local. I'm not sure why /usr/lib would need to be added here. Isn't that just implied? I added --enable-nss-wrapper and made sure that ssl libs could be found (which you specifically added to your FLAGS) but I'm still getting a failure on dbwrap.c. I'm wondering if there is some lib or something that needs to be updated on my end. But, I'm not sure how to determine what that is. Thanks for any further help on this. Jeff -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba as a PDC with LDAP and Kerberos
I'm a little confused on one section here... Where are your passwords being stored? kerberos? If so, how does samba look there? What is the significance of the {SASL}USER at REALM in LDAP? Is there another password store that you are syncing with krb? Sorry for my ignorance here but after hours and hours of trying different things, I'm unable to use my kerberos backend with samba. Thanks in advance. FM Wrote: Hello, My setup : Windows stations SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT) All users (posix and ldap) are in Openldap. All my ldap password are : {SASL}USER at REALM I use saslauthd so I can connect to ldap using simplebind with password in KERBEROS this password CANNOT be changed (denied by the slapd.access.conf file) Samba cannot use MIt kerberos for the password so my little trick : I create a perl scrip using Authen::Krb5::Admin that use un keytab for authentifiaction :krb5_update_pwd.pl in the smb.conf : ldap passwd sync = No unix password sync = Yes passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u %n\n *passwd:*all*authentication*tokens*updated*successfully* passwd chat = *Password:* %n\n *Again:* %n\n *Changed* So when Windows users change their password(from the change password option in Windows), SAMBA called /krb5_update_pwd.pl that also update the KERBEROS password. Linux users just have to use : smbpasswd -r PDC_SERVER That command update SAMBA password and again it called /krb5_update_pwd.pl to sync the kerberos password I know there are some short comings (password policies for example). But it's the closer i get :-) Hope this can help :-) Ti Leggett wrote: Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP backend and use pam_smbpass to keep the passwords sync'd between the Kerberos side and the Samba side? That way the Windows clients join the domain using only the LDAP information not knowing about the Kerberos side of things? I just removed the Kerberos information from my Windows client and tried only using, as far as I can tell, the LDAP information and the client still comes back saying the user name is unknown. On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote: Ok, so I'm just trying to figure out my options here. I can: - Use local accounts and local passwords - Use Kerberos for authentication, but only with local user accounts - Use a Samba PDC with and LDAP backend for accounts and password if and only if the windows clients are not bound to a Kerberos realm Is this correct? In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is combination of a lot more than just Kerberos and LDAP. I'm curios how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this). On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote: Ti Leggett wrote: I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to setup a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together but I'm not sure. I have the Windows client setup to point at my KDC so authentication *should* be coming from there once the authorization portion is going. Hehehe, it's been a year trying to do that... but no way! I'm sorry to tell you, but what you want is a replacement of AD... in no way windows will know about ldap and mit, without an AD domain. So first question is, are sambaLMPassword and sambaNTPassword still needed in LDAP for each user? Here's the output from ksetup /dumpstate: Machine is not configured to log on to an external KDC. Probably a workgroup member EXAMPLE.COM: kdc = kdc1 server kdc = kdc2 server kpasswd = kpasswd server Realm Flags = 0x0 none No user mappings defined. Users must be somewhere to get HKEY_LOCAL* work... and they should be local users (the MIT-KDC authentication works this way). Second, here's what I have in LDAP so far: [...] I've done a smbpasswd -w hidden samba_server password I can do a net getlocalsid and it will get the correct SID out of LDAP. Correct. However, when I try to join my Windows client to the EXAMPLE.COM domain, I can see the ldap queries happening, but the Windows client reports an invalid username. Yes. Active Directory is not there... and it wants AD. In no way you can fake AD, even though it's kerberos, ldap and smb + natural-flavours... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba as a PDC with LDAP and Kerberos
I've seen some people using ldap password set as {SASL}USER at REALM Is there a way to have samba use sasl for authentication? Currently, my kerberos db is synchronizing with sasl so if I can get samba and my windows clients to authenticate using sasl, then I don't need to keep password hashes in ldap. Is this possible? Thanks. On 6/6/05 6:13 PM, Ti Leggett [EMAIL PROTECTED] wrote: Basically a windows client can't authenticate against a Kerberos server *and* get user information out LDAP without using AD. You can authenticate against Kerberos and have local user accounts or you can have user accounts in LDAP and use some other authentication mechanism. The way I'm doing it is storing user's Windows passwords in LDAP as sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get around having different passwords for the different architectures you can write a script that will be the change password script in samba and a replacement for passwd under *nix. This script would add/change the password in both LDAP and Kerberos keeping them synced. FW is referring to such a perl script using Authen::Krb5, Crypt::SmbHash, and Net::LDAP. The Kerberos options you see in Samba are only for having Samba authenticate against an AD server. There are some things in the works for going the other way if you're using Heimdal (see the archive), but I have no experience with Heimdal or this solution. On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote: I'm a little confused on one section here... Where are your passwords being stored? kerberos? If so, how does samba look there? What is the significance of the {SASL}USER at REALM in LDAP? Is there another password store that you are syncing with krb? Sorry for my ignorance here but after hours and hours of trying different things, I'm unable to use my kerberos backend with samba. Thanks in advance. FM Wrote: Hello, My setup : Windows stations SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT) All users (posix and ldap) are in Openldap. All my ldap password are : {SASL}USER at REALM I use saslauthd so I can connect to ldap using simplebind with password in KERBEROS this password CANNOT be changed (denied by the slapd.access.conf file) Samba cannot use MIt kerberos for the password so my little trick : I create a perl scrip using Authen::Krb5::Admin that use un keytab for authentifiaction :krb5_update_pwd.pl in the smb.conf : ldap passwd sync = No unix password sync = Yes passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u %n\n *passwd:*all*authentication*tokens*updated*successfully* passwd chat = *Password:* %n\n *Again:* %n\n *Changed* So when Windows users change their password(from the change password option in Windows), SAMBA called /krb5_update_pwd.pl that also update the KERBEROS password. Linux users just have to use : smbpasswd -r PDC_SERVER That command update SAMBA password and again it called /krb5_update_pwd.pl to sync the kerberos password I know there are some short comings (password policies for example). But it's the closer i get :-) Hope this can help :-) Ti Leggett wrote: Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP backend and use pam_smbpass to keep the passwords sync'd between the Kerberos side and the Samba side? That way the Windows clients join the domain using only the LDAP information not knowing about the Kerberos side of things? I just removed the Kerberos information from my Windows client and tried only using, as far as I can tell, the LDAP information and the client still comes back saying the user name is unknown. On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote: Ok, so I'm just trying to figure out my options here. I can: - Use local accounts and local passwords - Use Kerberos for authentication, but only with local user accounts - Use a Samba PDC with and LDAP backend for accounts and password if and only if the windows clients are not bound to a Kerberos realm Is this correct? In the third case, let's say I have a way to sync Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then? Or what am I missing? I know I can't create an AD domain, but I'm not trying to. AD is combination of a lot more than just Kerberos and LDAP. I'm curios how Apple does what seems to be just this with their OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and Samba 3.0 (at least they claim it's only this). On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote: Ti Leggett wrote: I've been searching and researching this and I can't seem to find the answers I'm looking for. I'd like to setup a Samba PDC that Windows clients will join. The PDC will use an LDAP backend to get authorization information (username, home directory, etc). The authentication portion is handled by an MIT Kerberos KDC. I think I'm real close to having it all together