[Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

Wed Jul 12 14:44:17 GMT 2006

At 04:19 AM 7/11/2006, Alex de Vaal wrote:
>The standard Samba package (3.0.10EL) of RHEL4 doesn't communicate with a
>W2k3 server SP1, while "security=ads" on Samba. This is solved in Samba
>version 3.0.14a, so I want to use this package; I use this version on all my
>RHL9 servers and this package is very stable!
>...
>I'd like to continue with the Fedora Samba package on my RHEL4 server, but
>I'd like to know why or why NOT to use it! (and why I have to use the
>packages of enterprisesamba.com)
>
>Please advise.

OK, my advice is to do the following:

1) Grab the latest 3.0.23 tarball from one of the Samba mirrors
2) expand it into a directory on your RHEL4 systems where you've been 
building packages
3) cd ./samba-3.0.23/packaging/RHEL/
4) exec the command: ". makerpms.sh"
5) when the package build is finished: cd /usr/src/redhat/RPMS/i386/

You should have a nice set of up-to-date packages for your RHEL4 
system in this directory.   Thanks to Jerry and all the others for 
the attention in the last couple versions to the RHEL packaging...

There are two caveats with this:

a) The cache directory is moved from /var/cache/samba/ to 
/var/lib/samba/.   This move does not adjust the SELinux labels when 
it creates the new directory, and since it copies files - the files 
are created with the incorrect labels inherited from the new 
directory.      I only had to do it once, but IIRC - executing "mv 
/var/cache/samba /var/lib" before installing the new packages worked 
for me on a new system.

b) The smbd and nmbd services run fine under the standard RHEL4 
selinux-policy-targeted ruleset.   However, winbindd rules aren't in 
this set, and will fail if SELinux is enabled/enforcing.    If you 
are running winbindd, (which you probably are in ads mode) you can 
deal with this problem in a number of ways:
1) disable SELinux:   setenforce 0
2) There is a way to disable SELinux enforcement on a per 
application/service basis, but I don't recall how to do that right 
now.   A Google search should turn it up, however...
3) Add custom SELinux rules for winbindd:
         * Install selinux-policy-targeted-sources
         * cd /etc/selinux/targeted/src/policy/domains/misc/
         * create a file called something like "winbind_add.te" (I 
believe the ".te" is important...) with the following contents:

-----------------
allow mysqld_t winbind_tmp_t:dir getattr;
allow ntpd_t winbind_tmp_t:dir getattr;
allow winbind_t etc_runtime_t:file { getattr read };
allow winbind_t proc_t:file { getattr read };
allow winbind_t etc_t:file write;
allow winbind_t samba_etc_t:file write;
allow winbind_t initrc_t:process { signal signull };
allow winbind_t initrc_var_run_t:file { lock read };
allow winbind_t var_lib_t:dir { search getattr };
allow winbind_t samba_log_t:dir { create setattr };
allow winbind_t unconfined_t:fifo_file read;
allow winbind_t var_lib_t:dir search;
-----------------

         * cd ../..
               (should be /etc/selinux/targeted/src/policy/ )
         * run the command: "make load"

This will load some additional rules that will allow winbindd to run 
without any (significant) AVC errors.   This should only need to be done once.

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 