[Samba] Share permission problem if user is member in more than 16 groups on AD
gaiseric.vandal at gmail.com
Thu Jul 15 07:32:37 MDT 2010
I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x pdc with
two Samba 3.0.x BDC's.) Samba 3.0.x DC"s will not support Windows 7
clients (don't have any yet but it is probably inevitable) and doesn't
seem to support trusts with Windows 2003 Native domains (at least it
didn't for me.)
If you following the opensolaris forums it seems unlikely that there
will be compiled build of 3.4.x or 3.5.x of samba in Solaris 10 or
OpenSolaris in the near future. I don't think it really is a
licensing or even major technical issue. There is seems to more
interest in CIFS project as an alternative to Samba. Oracle/Sun sells
a NAS server that runs on opensolaris and users CIFS so I don't think
they have much interest in Samba. I don't see Oracle/Sun paying any one
work on Samba 3.4.x or 3.5.x integration when they have "better"
solutions and more important priorities.
To be specific, Samba doesn't require OpenLDAP but it does require LDAP
with certain functionality. The Solaris-bundled Samba does use
OpenLDAP. But if you are compiling it yourself OpenLDAP is the way to
do it. Easiest to just get the openldap precompiled from blastwave or
sunfreeware.com. And there is precompiled Samba available from
Sunfreeware and Blastwave but it may lack the features you need, so you
probably need to compile anyway.
If you don't need AD support, then then the Sun ldap client
functionality should be sufficient.
I didn't know about the NGROUPS_MAX option. I would have disabled it if
I had known, since I am subject to the 16 group NFS v3 limit. (What I
really need to do is switch to NFS v4 and use kerberos authentication
for NFS clients.)
The OpenSolaris developer build (from earlier this year- not the
official release from last year- has updated GCC and other tools that
may make compiling easier. Gcc from Sun (and even Sunfreeware) use
"/usr/ccs/bin/ld" as the linker. You may need to renamed the file and
symlink it to gld (gnu linker.) Samba compiling also requires that
you get set the CPPFLAGS and LDFLAGS as well.
export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include
export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib
-L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
I posted questions/results to the list earlier this year about my
On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
> On 15 July 2010 00:28, Jeremy Allison <jra at samba.org
> <mailto:jra at samba.org>> wrote:
> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
> > Thanks, machine wont provide NFS or ssh login services, so
> fiddling with max
> > groups should do no harm!
> > I googled a bit at found that samba should be recompiled to take
> > of new NGROUPS_MAX. "./configure" logs also suggested that
> NGROUPS_MAX is
> > evaluated only at compile time.
> Yep. Recompilation should do the trick once the kernel understands
> large numbers of groups.
> > Can anybody share experience on compiling samba on OpenSolaris?
> What's the
> > most painless way? I'm considering to use latest 3.5.5 but maybe
> I should
> > use same version Sun (Oracle) is using - 3.0.37? I have to set
> up Samba on 2
> > servers, which already replicate storage, so ID mapping must be
> > between both Samba servers. Servers have to provide shares also
> to trusted
> > domains, but 3.0.37 doesn't have idmap_hash and seems that
> idmap_rid is not
> > supported to provide mappings for more than one domain, so
> anything newer
> > than 3.0.37 sounds like the right choice.
> The only reason they use 3.0.x is they're still unable to cope
> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
> Linux has been shipping GPLv3 Samba for a while. But it's a big
> company, you can't expect one part to know what another part is
> up to :-).
> Yeah, I read about that, but still, I was thinking that as they ship
> 3.0.37, it should also be easier to compile because OS has all that's
> necessary for 3.0.37. Newer Samba versions may have some dependencies
> (new libs or newer version of libs), that might be harder to satisfy.
> I have never compiled samba so far and all I know at the moment (from
> documentation) is that AD support requires krb5 and openldap
> development libraries and files.
More information about the samba