[Samba] Share permission problem if user is member in more than 16 groups on AD

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jul 15 07:32:37 MDT 2010


I compiled Samba 3.4.x on Solaris 10.    (I have a Samba 3.4.x pdc with 
two Samba 3.0.x BDC's.)  Samba 3.0.x DC"s will not support Windows 7 
clients (don't have any yet but it is probably inevitable) and doesn't 
seem to support trusts with Windows 2003 Native domains (at least it 
didn't for me.)


If you following the opensolaris forums  it seems unlikely that there 
will be compiled build of 3.4.x or 3.5.x of samba in Solaris 10 or 
OpenSolaris in  the near future.   I don't think it really is a 
licensing or even major technical issue.     There is seems to more 
interest in CIFS project as an alternative to Samba.   Oracle/Sun sells 
a NAS server that runs on opensolaris and users CIFS so I don't think 
they have much interest in Samba.  I don't see Oracle/Sun paying any one 
work on Samba 3.4.x or 3.5.x integration when they have "better" 
solutions and more important priorities.

To be specific, Samba doesn't require OpenLDAP but it does require LDAP 
with certain functionality.    The Solaris-bundled Samba does use 
OpenLDAP.   But if you are compiling it yourself  OpenLDAP is the way to 
do it.   Easiest to just get the openldap precompiled from blastwave or 
sunfreeware.com.   And there is precompiled Samba available from 
Sunfreeware and Blastwave but it may lack the features you need, so you 
probably need  to compile anyway.

If you don't need AD support, then then the Sun ldap client 
functionality should be sufficient.


I didn't know about the NGROUPS_MAX option.  I would have disabled it if 
I had known, since I am subject to the 16 group NFS v3 limit.  (What I 
really need to do is switch to NFS v4 and use kerberos authentication 
for NFS clients.)

The OpenSolaris developer build (from earlier this year-  not the 
official release from last year-  has updated GCC and other tools that 
may make compiling easier.   Gcc from Sun (and even Sunfreeware) use 
"/usr/ccs/bin/ld" as the linker.    You may need to renamed the file and 
symlink it to gld (gnu linker.)     Samba compiling also requires that 
you get set the CPPFLAGS and LDFLAGS as well.

e.g.


     PATH=/usr/swf/bin:/usr/ccs/bin:$PATH
     PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
     LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY PATH
     LD_LIBRARY_PATH=/usr/local/samba-    3.4.5:$LD_LIBRARY_PATH

     export LD_LIBRARY_PATH
     export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include 
-I/usr/include"
     export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib 
-L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"




I posted questions/results to the list earlier this year about my 
experiences.











On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>
>
> On 15 July 2010 00:28, Jeremy Allison <jra at samba.org 
> <mailto:jra at samba.org>> wrote:
>
>     On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>     > Thanks, machine wont provide NFS or ssh login services, so
>     fiddling with max
>     > groups should do no harm!
>     >
>     > I googled a bit at found that samba should be recompiled to take
>     advantage
>     > of new NGROUPS_MAX. "./configure" logs also suggested that
>     NGROUPS_MAX is
>     > evaluated only at compile time.
>
>     Yep. Recompilation should do the trick once the kernel understands
>     large numbers of groups.
>
>     > Can anybody share experience on compiling samba on OpenSolaris?
>     What's the
>     > most painless way? I'm considering to use latest 3.5.5 but maybe
>     I should
>     > use same version Sun (Oracle) is using - 3.0.37? I have to set
>     up Samba on 2
>     > servers, which already replicate storage, so ID mapping must be
>     consistent
>     > between both Samba servers. Servers have to provide shares also
>     to trusted
>     > domains, but 3.0.37 doesn't have idmap_hash and seems that
>     idmap_rid is not
>     > supported to provide mappings for more than one domain, so
>     anything newer
>     > than 3.0.37 sounds like the right choice.
>
>     The only reason they use 3.0.x is they're still unable to cope
>     with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
>     Linux has been shipping GPLv3 Samba for a while. But it's a big
>     company, you can't expect one part to know what another part is
>     up to :-).
>
> Yeah, I read about that, but still, I was thinking that as they ship 
> 3.0.37, it should also be easier to compile because OS has all that's 
> necessary for 3.0.37. Newer Samba versions may have some dependencies 
> (new libs or newer version of libs), that might be harder to satisfy. 
> I have never compiled samba so far and all I know at the moment (from 
> documentation) is that AD support requires krb5 and openldap 
> development libraries and files.
>
>
>     Jeremy.
>
>
>
>
> -- 
> ML



More information about the samba mailing list