Re: [Samba] 3.3 and 3.4 compile failure on dbwrap

[Jeff Block]

We have a local include file, db.h which has fetch and store defined.

Our db.h, from a BerkeleyDB 4.8.26 install, contains the following:
#define fetch(a)__db_dbm_fetch(a)
#define store(a, b) __db_dbm_store(a, b)

My guess is that these are causing the problem.

Jeff


On 3/15/10 12:24 PM, Volker Lendecke volker.lende...@sernet.de wrote:

 On Fri, Mar 12, 2010 at 01:13:05PM -0800, Block, Jeff wrote:
 I thought this message would have been added to my previous thread:
 http://lists.samba.org/archive/samba/2010-February/153608.html
 
 In any case, it's solaris 9.  Further details on the issue I was having are
 in the link.
 
 Great. We have workarounds for many platforms already that
 pollute the name space with macros. Can you find out which
 #include defines fetch and store and to what they are
 mapped? fetch and store are pretty generic functions
 that I'm really reluctant to avoid using in Samba...
 
 Volker




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] 3.3 and 3.4 compile failure on dbwrap

[Jeff Block]

After talking with a programmer here, we were able to figure out the
problem.
lib/dbwrap.c was using fetch and store in functions which were colliding
with previously defined macros with the same names.  We were able to resolve
the issue by undefining the macros after the include lines in dbwrap.c:

#undef fetch
#undef store

Compile errors with either fetch or store name collisions were seen in
the following as well:
lib/dbwrap_util.c
passdb/secrets.c
passdb/pdb_tdb.c
groupdb/mapping_tdb.c
smbd/connection.c
smbd/session.c
locking/locking.c
locking/brlock.c
locking/posix.c
smbd/notify_internal.c
utils/net_idmap.c
modules/vfs_xattr_tdb.c
modules/vfs_acl_tdb.c

All these were fixed with one or both of the undef's.

Hope this helps if anyone else hits this issue.

Jeff Block
Programmer / Analyst
Radiology Research Computing
University of California, San Francisco
(415) 476-1709



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] 3.3 and 3.4 compile failure on dbwrap

[Jeff Block]

I thought this message would have been added to my previous thread:
http://lists.samba.org/archive/samba/2010-February/153608.html

In any case, it's solaris 9.  Further details on the issue I was having are
in the link.

Jeff


On 3/12/10 12:54 PM, Volker Lendecke volker.lende...@sernet.de wrote:

 On Fri, Mar 12, 2010 at 12:37:05PM -0800, Jeff Block wrote:
 After talking with a programmer here, we were able to figure out the
 problem.
 lib/dbwrap.c was using fetch and store in functions which were colliding
 with previously defined macros with the same names.  We were able to resolve
 the issue by undefining the macros after the include lines in dbwrap.c:
 
 #undef fetch
 #undef store
 
 What platform is it?
 
 Volker



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] 3.3 and 3.4 compile failure on dbwrap

[Jeff Block]

On 2/5/10 6:23 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:
 I also have problems using this gcc bundled with the Sun freeware tools
 (/usr/sfw/bin/gcc.)  I had more luck with using gcc from
 sunfreeware.com.  In hindsight I think it may have just been a  matter
 of setting CPPFLAGS and LDFLAGS correctly.You may also find that the
 samba build on sunfreeware meets your needs.  (zfs support seems lacking
 -  which shouldn't matter for solaris 9, and you may still need to
 compile the nss_winbind modules.)

 I also installed OpenLDAP from Sunfreeware.com.  The Solaris native ldap
 client does not seem to have full functionality for Active Directory
 support (may not be an issue for you.)   I think Sun compiles Samba
 using a Mozilla LDAP SDK.
 
 This is how I ended up compiling Samba using Sunfreeware GCC.
 
 #PATH=/usr/swf/bin:/usr/ccs/bin:$PATH
 #PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
 #LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY PATH
 #LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH
 #export LD_LIBRARY_PATH
 
 #export CPPFLAGS=-I/usr/local/include -I/usr/local/ssl/include
 -I/usr/include
 #export LDFLAGS=-L/usr/local/ssl/lib -R/usr/local/ssl/lib
 -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib
 
 #./configure --prefix=/usr/local/samba-3.4.5
 --with-shared-modules=vfs_zfsacl
 --with-privatedir=/etc/samba/private   --with-lockdir=/var/samba/locks
 --with-configdir=/etc/samba --enable-nss-wrapper
 
 #make
 #make install
 
 I think I may need to have manually copied nss_winbind.so.1 file to
 /usr/local/samba-3.4.5/lib
 
 
 On 02/04/10 17:51, Jeff Block wrote:
 
 I'm having problems compiling a newer version of samba (3.3.x or 3.4.x) on
 solaris 9.  We are currently running 3.0.23d and have been putting off
 upgrading for far to long.
 
 I've tried gcc and sun studio 12 cc with the same issues when it comes to
 compiling dbwrap.c.  I can't seem to find anything on google that's related
 to my issue.
 
 Here's my configure line when using gcc:
 
 ./configure --prefix=/netopt --with-automount \
 --with-configdir=/usr/local/samba --localstatedir=/var/log/samba \
 --infodir=/netopt/share/info --mandir=/netopt/share/man \
 --with-privatedir=/usr/local/samba/private --with-krb5=/netopt \
 --with-libiconv=/netopt --with-utmp --with-winbind CC=gcc \
 CFLAGS='-I/netopt/include' LD=gcc LDFLAGS='-L/netopt/lib -R/netopt/lib' \
 --with-syslog-facility=local7
 

 When it finally gets to compiling dbwrap.c, here's what I see:
 
 Compiling lib/dbwrap.c
 lib/dbwrap.c:58:46: macro fetch passed 4 arguments, but takes just 1
 lib/dbwrap.c: In function `dbwrap_fallback_parse_record':
 lib/dbwrap.c:58: warning: assignment makes integer from pointer without a
 cast
 lib/dbwrap.c:186:38: macro store passed 3 arguments, but takes just 2
 lib/dbwrap.c: In function `dbwrap_store':
 lib/dbwrap.c:186: error: incompatible types in assignment
 lib/dbwrap.c:196:41: macro fetch passed 4 arguments, but takes just 1
 lib/dbwrap.c: In function `dbwrap_fetch':
 lib/dbwrap.c:196: warning: comparison between pointer and integer
 The following command failed:
 gcc -I../lib/zlib -I/netopt/include -I/netopt/include -I.
 -I/opt/src/freeware/samba-3.4.5/source3
 -I/opt/src/freeware/samba-3.4.5/source3/iniparser/src -Iinclude -I./include
 -I. -I. -I./../lib/replace -I./../lib/talloc -I./../lib/tevent
 -I./../lib/tdb/include -I./libaddns -I./librpc -I./.. -DHAVE_CONFIG_H
 -I/netopt/include -D_LARGEFILE_SOURCE -D_REENTRANT -D_FILE_OFFSET_BITS=64
 -I/netopt/include -DLDAP_DEPRECATED -DSUNOS5
 -I/opt/src/freeware/samba-3.4.5/source3/lib -I.. -I../source4
 -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c lib/dbwrap.c -o lib/dbwrap.o
 make: *** [lib/dbwrap.o] Error 1
 
 
Thanks for the advice, but unfortunately I'm still having problems.

I am using a compiled version of gcc (3.4.3).

My LDFLAGS and CFLAGS are:
CFLAGS='-I/netopt/include' LDFLAGS='-L/netopt/lib -R/netopt/lib'
This is generally what I use as /netopt is basically our /usr/local.  I'm
not sure why /usr/lib would need to be added here.  Isn't that just implied?

I added --enable-nss-wrapper and made sure that ssl libs could be found
(which you specifically added to your FLAGS) but I'm still getting a failure
on dbwrap.c.

I'm wondering if there is some lib or something that needs to be updated on
my end.  But, I'm not sure how to determine what that is.

Thanks for any further help on this.

Jeff



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Samba as a PDC with LDAP and Kerberos

[Jeff Block]

I'm a little confused on one section here...  Where are your passwords being
stored?  kerberos?  If so, how does samba look there?  What is the
significance of the {SASL}USER at REALM in LDAP?  Is there another password
store that you are syncing with krb?

Sorry for my ignorance here but after hours and hours of trying different
things, I'm unable to use my kerberos backend with samba.

Thanks in advance.


FM Wrote:

Hello,
My setup :
Windows stations
SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)

All users (posix and ldap) are in Openldap.
All my ldap password are : {SASL}USER at REALM
I use saslauthd so I can connect to ldap using simplebind with password
in KERBEROS
this password CANNOT be changed (denied by the slapd.access.conf file)

Samba cannot use MIt kerberos for the password so my little trick :
I create a perl scrip using Authen::Krb5::Admin that use un keytab for
authentifiaction :krb5_update_pwd.pl

in the smb.conf :
ldap passwd sync = No
unix password sync = Yes
passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
%n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat = *Password:* %n\n *Again:* %n\n *Changed*

So when Windows users change their password(from the change password
option in Windows), SAMBA called /krb5_update_pwd.pl that also update
the KERBEROS password.

Linux users just have to use :
smbpasswd -r PDC_SERVER
That command update SAMBA password and again it called
/krb5_update_pwd.pl to sync the kerberos password

I know there are some short comings (password policies for example). But
it's the closer i get :-)

Hope this can help :-)



Ti Leggett wrote:
 Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
 backend and use pam_smbpass to keep the passwords sync'd between the
 Kerberos side and the Samba side? That way the Windows clients join the
 domain using only the LDAP information not knowing about the Kerberos
 side of things?
 
 I just removed the Kerberos information from my Windows client and tried
 only using, as far as I can tell, the LDAP information and the client
 still comes back saying the user name is unknown.
 
 On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
 
Ok, so I'm just trying to figure out my options here. I can:

- Use local accounts and local passwords
- Use Kerberos for authentication, but only with local user accounts
- Use a Samba PDC with and LDAP backend for accounts and password if and
only if the windows clients are not bound to a Kerberos realm

Is this correct? In the third case, let's say I have a way to sync
Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?

Or what am I missing? I know I can't create an AD domain, but I'm not
trying to. AD is combination of a lot more than just Kerberos and LDAP.

I'm curios how Apple does what seems to be just this with their
OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
Samba 3.0 (at least they claim it's only this).


On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:

Ti Leggett wrote:

I've been searching and researching this and I can't seem to find the
answers I'm looking for. I'd like to setup a Samba PDC that Windows
clients will join. The PDC will use an LDAP backend to get authorization
information (username, home directory, etc). The authentication portion
is handled by an MIT Kerberos KDC. I think I'm  real close to having it
all together but I'm not sure. I have the Windows client setup to point
at my KDC so authentication *should* be coming from there once the
authorization portion is going.

Hehehe, it's been a year trying to do that... but no way! I'm sorry to
tell you, but what you want is a replacement of AD... in no way windows
will know about ldap and mit, without an AD domain.


So first question is, are sambaLMPassword and sambaNTPassword still
needed in LDAP for each user?

Here's the output from ksetup /dumpstate:

Machine is not configured to log on to an external KDC. Probably a
workgroup member
EXAMPLE.COM:
kdc = kdc1 server
kdc = kdc2 server
kpasswd = kpasswd server
Realm Flags = 0x0 none
No user mappings defined.

Users must be somewhere to get HKEY_LOCAL* work... and they should be
local users (the MIT-KDC authentication works this way).


Second, here's what I have in LDAP so far:
[...]
I've done a smbpasswd -w hidden samba_server password

I can do a net getlocalsid and it will get the correct SID out of LDAP.

Correct.


However, when I try to join my Windows client to the EXAMPLE.COM domain,
I can see the ldap queries happening, but the Windows client reports an
invalid username.

Yes. Active Directory is not there... and it wants AD. In no way you can
fake AD, even though it's kerberos, ldap and smb + natural-flavours...



 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba as a PDC with LDAP and Kerberos

[Jeff Block]

I've seen some people using ldap password set as {SASL}USER at REALM
Is there a way to have samba use sasl for authentication?

Currently, my kerberos db is synchronizing with sasl so if I can get samba
and my windows clients to authenticate using sasl, then I don't need to keep
password hashes in ldap.

Is this possible?

Thanks.


On 6/6/05 6:13 PM, Ti Leggett [EMAIL PROTECTED] wrote:

 Basically a windows client can't authenticate against a Kerberos server
 *and* get user information out LDAP without using AD. You can
 authenticate against Kerberos and have local user accounts or you can
 have user accounts in LDAP and use some other authentication mechanism.
 The way I'm doing it is storing user's Windows passwords in LDAP as
 sambaNTPassword and storing *nix/OS X passwords in Kerberos. To get
 around having different passwords for the different architectures you
 can write a script that will be the change password script in samba and
 a replacement for passwd under *nix. This script would add/change the
 password in both LDAP and Kerberos keeping them synced.
 
 FW is referring to such a perl script using Authen::Krb5,
 Crypt::SmbHash, and Net::LDAP.
 
 The Kerberos options you see in Samba are only for having Samba
 authenticate against an AD server.
 
 There are some things in the works for going the other way if you're
 using Heimdal (see the archive), but I have no experience with Heimdal
 or this solution.
 
 On Mon, 2005-06-06 at 10:03 -0700, Jeff Block wrote:
 I'm a little confused on one section here...  Where are your passwords being
 stored?  kerberos?  If so, how does samba look there?  What is the
 significance of the {SASL}USER at REALM in LDAP?  Is there another password
 store that you are syncing with krb?
 
 Sorry for my ignorance here but after hours and hours of trying different
 things, I'm unable to use my kerberos backend with samba.
 
 Thanks in advance.
 
 
 FM Wrote:
 
 Hello,
 My setup :
 Windows stations
 SAMBA3+OPENLDAP 2.2.x +KERBEROS (MIT)
 
 All users (posix and ldap) are in Openldap.
 All my ldap password are : {SASL}USER at REALM
 I use saslauthd so I can connect to ldap using simplebind with password
 in KERBEROS
 this password CANNOT be changed (denied by the slapd.access.conf file)
 
 Samba cannot use MIt kerberos for the password so my little trick :
 I create a perl scrip using Authen::Krb5::Admin that use un keytab for
 authentifiaction :krb5_update_pwd.pl
 
 in the smb.conf :
ldap passwd sync = No
unix password sync = Yes
passwd program = /usr/local/sbin/krb5_update_pwd.pl -u %u
 %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat = *Password:* %n\n *Again:* %n\n *Changed*
 
 So when Windows users change their password(from the change password
 option in Windows), SAMBA called /krb5_update_pwd.pl that also update
 the KERBEROS password.
 
 Linux users just have to use :
 smbpasswd -r PDC_SERVER
 That command update SAMBA password and again it called
 /krb5_update_pwd.pl to sync the kerberos password
 
 I know there are some short comings (password policies for example). But
 it's the closer i get :-)
 
 Hope this can help :-)
 
 
 
 Ti Leggett wrote:
 Let me rephrase a bit. Is there a way to use Samba as a PDC with an LDAP
 backend and use pam_smbpass to keep the passwords sync'd between the
 Kerberos side and the Samba side? That way the Windows clients join the
 domain using only the LDAP information not knowing about the Kerberos
 side of things?
 
 I just removed the Kerberos information from my Windows client and tried
 only using, as far as I can tell, the LDAP information and the client
 still comes back saying the user name is unknown.
 
 On Sat, 2005-04-23 at 08:07 -0500, Ti Leggett wrote:
 
 Ok, so I'm just trying to figure out my options here. I can:
 
 - Use local accounts and local passwords
 - Use Kerberos for authentication, but only with local user accounts
 - Use a Samba PDC with and LDAP backend for accounts and password if and
 only if the windows clients are not bound to a Kerberos realm
 
 Is this correct? In the third case, let's say I have a way to sync
 Kerberos passwords and LDAP sambaNTPasswords. Shouldn't it work then?
 
 Or what am I missing? I know I can't create an AD domain, but I'm not
 trying to. AD is combination of a lot more than just Kerberos and LDAP.
 
 I'm curios how Apple does what seems to be just this with their
 OpenDirectory, which is only MIT Kerberos, OpenLDAP, Cyrus SASL, and
 Samba 3.0 (at least they claim it's only this).
 
 
 On Fri, 2005-04-22 at 18:52 -0500, Franco Sensei wrote:
 
 Ti Leggett wrote:
 
 I've been searching and researching this and I can't seem to find the
 answers I'm looking for. I'd like to setup a Samba PDC that Windows
 clients will join. The PDC will use an LDAP backend to get authorization
 information (username, home directory, etc). The authentication portion
 is handled by an MIT Kerberos KDC. I think I'm  real close to having it
 all together