Hi All

I managed to get it all working with only one source code change and some alterations to options.mk and PLIST (from Jorge’s repo - will submit a pull request). I’ve now got an installation of Samba 4.2.2 linked into my Windows based AD (as a member only) with user accounts hooked up correctly (so wbinfo/getent both work and agree). Users are being authenticated as expected and ZFS ACLs are being used to store Windows permissions.

I did have to resurrect the crle modifications in order to get the nss_winbind module working, since getent is a 32-bit application. Details here: https://github.com/joyent/smartos-live/issues/383#issuecomment-74183998 but I also had to copy over other supporting 32-bit libraries into the same /usr/local/lib folder, which ended up being:

    libintl.so.8
    libwinbind-client-samba4.so
    libiconv.so.2
    libreplace-samba4.so
    nss_winbind.so.1 (originally libnss_winbind.so)

My smb.conf looks like:

    [global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    server string = Samba %v (%h)
    interfaces = net*, lo
    bind interfaces only = Yes
    security = ADS
    password server = <domain controller>
    map untrusted to domain = yes
    log file = /var/log/log.%m
    load printers = no
    domain master = no
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 100000-200000
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-20000
    idmap config DOMAIN : schema_mode = rfc2307
    idmap config DOMAIN : default = yes
    map acl inherit = yes
    winbind nested groups = yes
    inherit acls = yes
    acl group control = yes
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    kernel oplocks = yes
    oplocks = yes

    [Stuff]
    path=/var/Share/Stuff
    read only = no
    writable = yes
    browseable = yes
    directory mask = 0775
    nt acl support = yes
    inherit acls = no
    map acl inherit = yes
    store dos attributes = yes
    map archive = no
    map readonly = no
    hide dot files = yes
    hide files = /$*/~$*/
    veto files = /Thumbs.db/.DS_Store/.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
    hide special files = yes
    hide unreadable = yes
    hide unwriteable files = yes
    vfs objects = zfsacl
    posix locking = yes
    strict locking = no
    inherit owner = no
    delete veto files = yes
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

It’s worth noting that we use UNIX extensions for AD so all of our users have pre-defined UID/GIDs within the AD schema (known as RFC2307).
YMMV if you're using other idmap techniques, but I wouldn’t expect any issues. Unfortunately I don’t have time to test the shadow copy/ZFS snapshots functionality at this stage.

- Dave

On 7 Jul 2015, at 9:05 AM, David Finster wrote:

I was experimenting with this last night and using Jorge’s repo as a basis for enabling AD member. Currently:

    [1231/2787] Compiling lib/uid_wrapper/uid_wrapper.c
    ../lib/uid_wrapper/uid_wrapper.c:1213:10: error: conflicting types for 'syscall'
    In file included from ../lib/uid_wrapper/uid_wrapper.c:31:0:
    /usr/include/sys/syscall.h:514:13: note: previous declaration of 'syscall' was here
    Waf: Leaving directory `/content/pkgsrc/pkgsrc-blackdot/samba/work/samba-4.2.2/bin'
    Build failed: -> task failed (err #1):
    {task: cc uid_wrapper.c -> uid_wrapper_1.o}
    Missing node signature for bld:///content/pkgsrc/pkgsrc-blackdot/samba/work/samba-4.2.2/lib/uid_wrapper/uid_wrapper_1.o (required by {task: cc_link uid_wrapper_1.o -> libuid-wrapper.so})

On 7 Jul 2015, at 9:00 AM, Nicholas Lee wrote:

How is the AD member functionality working at the moment? Samba4 file server and kerberos/winbind? Shadow copy and zfs snaps? I haven't had a chance to look into it recently.

Nicholas

On 7 July 2015 at 04:02, Jorge Schrauwen wrote:

I didn't have much success with using samba4 as AD server on SmartOS. To be fair I did not look into it much as I was looking at using it as a file server only.

Regards
Jorge

On 2015-07-06 11:43, Peter Kelm wrote:

Jorge, Chris,

Thanks a lot for your feedback. Also, sharing your setup instructions is highly appreciated and very helpful.

I was trying to set up an AD DC in a SmartOS zone and followed these instructions: http://www.whitneytechnologies.com/?p=422 [1]

Everything works as expected until: "samba-tool domain provision"

When I try to "svcadm enable" the daemons after provisioning the domain I only get an error message in the log that starting failed. I also noticed that the "samba-tool" creates another smb.conf, but at /opt/local/etc/. Even linking the newly created smb.conf to /opt/local/etc/samba/ didn't help (so far). I tried to modify the manifest but that hasn't changed anything yet. I'll have to put things aside until I find time again to fiddle with my setup.

Thanks again for your support!

Peter

Dipl.-Ing. Peter Kelm
KELM ENGINEERING
Karl-Bröger-Str. 46
91074 Herzogenaurach
Germany
Tel: +49 (9132) 745325
Fax: +49 (9132) 9060596

On 05.07.2015 at 23:10, Jorge Schrauwen wrote:

What problems are you having with pkgsrc samba? I recently switched from OmniOS Kernel CIFS to Samba 4.2.2 inside a SmartOS base64-lts zone and it turned out great. Performance is on-par with kernel CIFS. It even works better with my OS X Clients.

On 2015-07-05 22:29, Chris Ridd wrote:

On 5 Jul 2015, at 20:44, Peter Kelm wrote:

I am fighting with getting Samba4 (pkgsrc) running in a SmartOS zone - so far with limited success :-((.

I am running Samba 4.1.19 from pkgsrc successfully. My config is very simple though. What sort of problems are you having?

When digging for a solution I found reports from Nexenta (e.g. from the 2014 Illumos day) about integrating SMB 2.1 (and 3.0) into Illumos. Does anyone know when such an enhancement could arrive in SmartOS?

I never had much luck with the CIFS implementation back in OpenSolaris, though I am sure it has improved since then (eg lockups inside the kernel - only fixable by a reboot). Can you run it in a non global zone?

Chris

Links:
------
[1] http://www.whitneytechnologies.com/?p=422
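
Added example (not part of the original thread and not Samba's own code): a small Python check of the "idmap config" lines from the smb.conf in Dave's message. It verifies that no two ID ranges overlap, since overlapping ranges let two different accounts map to the same UID/GID, and lists AD-assigned IDs that fall outside the domain's range, which the ad backend ignores. The sample text and the function names are constructed for this illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the message.
SAMPLE = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 100000-200000
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 10000-20000
idmap config DOMAIN : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_idmap(text):
    """Return {domain: {option: value}}; comment lines (# or ;) never match."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m[1], {})[m[2].lower()] = m[3]
    return domains

def domain_ranges(text):
    """Return ({domain: (low, high)}, problems) for every configured domain."""
    ranges, problems = {}, []
    for dom, opts in parse_idmap(text).items():
        r = RANGE_RE.fullmatch(opts.get("range", ""))
        if r and int(r[1]) <= int(r[2]):
            ranges[dom] = (int(r[1]), int(r[2]))
        else:
            problems.append(f"{dom}: missing or invalid range")
    return ranges, problems

def check_idmap(text):
    """Report missing ranges and any overlap between two domains' ranges."""
    ranges, problems = domain_ranges(text)
    ordered = sorted((lo, hi, d) for d, (lo, hi) in ranges.items())
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems

def outside_range(text, domain, ids):
    """Return the IDs (e.g. uidNumber values from AD) outside the domain's range."""
    lo, hi = domain_ranges(text)[0][domain]
    return [i for i in ids if not lo <= i <= hi]

if __name__ == "__main__":
    print(check_idmap(SAMPLE) or "idmap ranges OK")
```
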
