[Samba] Compile 3.5.4 on Opensolaris snv_134
Marcis Lielturks
marcis.lielturks at gmail.com
Mon Jul 19 00:42:42 MDT 2010
Hi!
Here's comparison of "net ads join" output, between my first build of
samba 3.5.4 that gave "pkcs 11 error" and second build, that is failing
with "rpc: Logon failure". Can anyone comment on differences. I'm
starting to think, that the "diff -u" output say's that 2nd build is
failing sooner than the first build did. As you can see there's a lot of
missing lines with "sasl", "ldap" and "krb5".
MMM
On 07/16/10 04:34 PM, Gaiseric Vandal wrote:
> Which version of Samba? I had more trouble with Samba 3.5.x. And I
> have never managed to get Samba to compile with sun cc. I figured
> Samba was written with gcc in mind.
>
>
> The "failed to lookup DC info for domain 'mydomain.COM' over rpc:
> Logon failure' " message is interesting - not sure if you are getting
> login errors before lookup errors. Is you samba server configure to
> use your AD server as the DNS server? What version of windows is the
> AD server? What domain/foreset mode is your AD server in?
>
> In the "windows" world clients can locate the the login server via
> specific resource records in DNS. I don't know if Samba does this do
> or is still relying on netbios. I had one AD domain that was in
> NT4-compatibility mode and one AD domain that was in Windows 2003
> native mode. Changing the client DNS settings on the samba machine
> seemed to help with locating the "2003 native" mode. DC.
>
>
>
> On 07/16/2010 05:29 AM, Marcis Lielturks wrote:
>> Hi!
>>
>> First of all, thanks for replies to all ;)!
>>
>> Using GCC was a fail for me - too much errors and 2 additional things
>> must be compiled (tdb & talloc) . I only managed to compile using
>> Sun's cc and gmake and will stick to them. I'm a bit further now. Now
>> I don't get PKCS 11 erros, when trying to do "net ads join". I
>> recompiled openldap with slapd (but with null backend) and "-lpkcs11"
>> in LDFLAGS (I think this is what helped). However now I'm getting
>> following when doing "net ads join"
>>
>> [2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
>> lp_load_ex: refreshing parameters
>> [2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
>> Initialising global parameters
>> [2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
>> rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
>> [2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
>> params.c:pm_process() - Processing configuration file
>> "/opt/samba/lib/smb.conf"
>> [2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
>> Processing section "[global]"
>> [2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
>> added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255
>> netmask=255.255.255.0
>> [2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : NULL
>> machine_name : 'SAMBA-DEV'
>> domain_name : *
>> domain_name : 'mydomain.COM'
>> account_ou : NULL
>> admin_account : 'Administrator'
>> admin_password : *
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> [2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
>> cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>> [2010/07/16 12:17:00.141661, 3]
>> libsmb/cliconnect.c:2201(cli_start_connection)
>> Connecting to host=BORED.mydomain.com
>> [2010/07/16 12:17:00.141828, 3]
>> lib/util_sock.c:974(open_socket_out_send)
>> Connecting to 192.168.0.94 at port 445
>> [2010/07/16 12:17:00.143207, 3]
>> libsmb/cliconnect.c:991(cli_session_setup_spnego)
>> Doing spnego session setup (blob length=107)
>> [2010/07/16 12:17:00.143274, 3]
>> libsmb/cliconnect.c:1019(cli_session_setup_spnego)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> [2010/07/16 12:17:00.143302, 3]
>> libsmb/cliconnect.c:1029(cli_session_setup_spnego)
>> got principal=bored$@mydomain.COM
>> [2010/07/16 12:17:00.143856, 3]
>> libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
>> Got challenge flags:
>> [2010/07/16 12:17:00.143870, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x62898215
>> [2010/07/16 12:17:00.143883, 3]
>> libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
>> NTLMSSP: Set final flags:
>> [2010/07/16 12:17:00.143894, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088215
>> [2010/07/16 12:17:00.143984, 3]
>> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
>> NTLMSSP Sign/Seal - Initialising with flags:
>> [2010/07/16 12:17:00.143997, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088215
>> [2010/07/16 12:17:00.177128, 3]
>> libsmb/cliconnect.c:1249(cli_session_setup)
>> SPNEGO login failed: Logon failure
>> [2010/07/16 12:17:00.177159, 1]
>> libsmb/cliconnect.c:2307(cli_full_connection)
>> failed session setup with NT_STATUS_LOGON_FAILURE
>> [2010/07/16 12:17:00.177271, 1] libnet/libnet_join.c:1978(libnet_Join)
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : NULL
>> dns_domain_name : NULL
>> forest_name : NULL
>> dn : NULL
>> domain_sid : NULL
>> domain_sid : (NULL SID)
>> modified_config : 0x00 (0)
>> error_string : 'failed to lookup DC info
>> for domain 'mydomain.COM' over rpc: Logon failure'
>> domain_is_ad : 0x00 (0)
>> result : WERR_LOGON_FAILURE
>> [2010/07/16 12:17:00.177442, 2] utils/net.c:916(main)
>>
>>
>> Intersting is that if I supply wrong username output doesn't differ
>> much. Below you can see differences (I stripped time to be able to
>> use diff).
>>
>> --- pass_ok_stripped.txt 2010-07-16 12:19:11.869234402 +0300
>> +++ pass_wrong_stripped.txt 2010-07-16 12:19:22.318101275 +0300
>> @@ -19,7 +19,7 @@
>> domain_name : *
>> domain_name : 'mydomain.COM'
>> account_ou : NULL
>> - admin_account : 'Administrator'
>> + admin_account : 'Adminisdgasgasdtor'
>> admin_password : *
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> @@ -43,8 +43,6 @@
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> - libads/cldap.c:97(ads_cldap_netlogon)
>> - cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>> libsmb/cliconnect.c:2201(cli_start_connection)
>> Connecting to host=BORED.ProServe.com
>> lib/util_sock.c:974(open_socket_out_send)
>>
>>
>> Maybe I'm missing some rpc things? "smbd -b | tail -2" says:
>>
>> Builtin modules:
>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc
>> rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl
>> rpc_ntsvcs rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss
>> rpc_eventlog rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss
>> idmap_rid idmap_hash nss_info_template auth_sam auth_unix
>> auth_winbind auth_wbc auth_server auth_domain auth_builtin
>> auth_netlogond vfs_default vfs_solarisacl vfs_zfsacl
>>
>>
>> MMM
>>
>> On 07/15/10 04:32 PM, Gaiseric Vandal wrote:
>>> I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x pdc
>>> with two Samba 3.0.x BDC's.) Samba 3.0.x DC"s will not support
>>> Windows 7 clients (don't have any yet but it is probably inevitable)
>>> and doesn't seem to support trusts with Windows 2003 Native domains
>>> (at least it didn't for me.)
>>>
>>>
>>> If you following the opensolaris forums it seems unlikely that
>>> there will be compiled build of 3.4.x or 3.5.x of samba in Solaris
>>> 10 or OpenSolaris in the near future. I don't think it really is
>>> a licensing or even major technical issue. There is seems to
>>> more interest in CIFS project as an alternative to Samba.
>>> Oracle/Sun sells a NAS server that runs on opensolaris and users
>>> CIFS so I don't think they have much interest in Samba. I don't see
>>> Oracle/Sun paying any one work on Samba 3.4.x or 3.5.x integration
>>> when they have "better" solutions and more important priorities.
>>>
>>> To be specific, Samba doesn't require OpenLDAP but it does require
>>> LDAP with certain functionality. The Solaris-bundled Samba does
>>> use OpenLDAP. But if you are compiling it yourself OpenLDAP is
>>> the way to do it. Easiest to just get the openldap precompiled
>>> from blastwave or sunfreeware.com. And there is precompiled Samba
>>> available from Sunfreeware and Blastwave but it may lack the
>>> features you need, so you probably need to compile anyway.
>>>
>>> If you don't need AD support, then then the Sun ldap client
>>> functionality should be sufficient.
>>>
>>>
>>> I didn't know about the NGROUPS_MAX option. I would have disabled
>>> it if I had known, since I am subject to the 16 group NFS v3 limit.
>>> (What I really need to do is switch to NFS v4 and use kerberos
>>> authentication for NFS clients.)
>>>
>>> The OpenSolaris developer build (from earlier this year- not the
>>> official release from last year- has updated GCC and other tools
>>> that may make compiling easier. Gcc from Sun (and even
>>> Sunfreeware) use "/usr/ccs/bin/ld" as the linker. You may need to
>>> renamed the file and symlink it to gld (gnu linker.) Samba
>>> compiling also requires that you get set the CPPFLAGS and LDFLAGS as
>>> well.
>>>
>>> e.g.
>>>
>>>
>>> PATH=/usr/swf/bin:/usr/ccs/bin:$PATH
>>> PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
>>> LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY PATH
>>> LD_LIBRARY_PATH=/usr/local/samba- 3.4.5:$LD_LIBRARY_PATH
>>>
>>> export LD_LIBRARY_PATH
>>> export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include
>>> -I/usr/include"
>>> export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib
>>> -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
>>>
>>>
>>>
>>>
>>> I posted questions/results to the list earlier this year about my
>>> experiences.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>>>>
>>>>
>>>> On 15 July 2010 00:28, Jeremy Allison <jra at samba.org
>>>> <mailto:jra at samba.org>> wrote:
>>>>
>>>> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>>>> > Thanks, machine wont provide NFS or ssh login services, so
>>>> fiddling with max
>>>> > groups should do no harm!
>>>> >
>>>> > I googled a bit at found that samba should be recompiled to take
>>>> advantage
>>>> > of new NGROUPS_MAX. "./configure" logs also suggested that
>>>> NGROUPS_MAX is
>>>> > evaluated only at compile time.
>>>>
>>>> Yep. Recompilation should do the trick once the kernel understands
>>>> large numbers of groups.
>>>>
>>>> > Can anybody share experience on compiling samba on OpenSolaris?
>>>> What's the
>>>> > most painless way? I'm considering to use latest 3.5.5 but maybe
>>>> I should
>>>> > use same version Sun (Oracle) is using - 3.0.37? I have to set
>>>> up Samba on 2
>>>> > servers, which already replicate storage, so ID mapping must be
>>>> consistent
>>>> > between both Samba servers. Servers have to provide shares also
>>>> to trusted
>>>> > domains, but 3.0.37 doesn't have idmap_hash and seems that
>>>> idmap_rid is not
>>>> > supported to provide mappings for more than one domain, so
>>>> anything newer
>>>> > than 3.0.37 sounds like the right choice.
>>>>
>>>> The only reason they use 3.0.x is they're still unable to cope
>>>> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
>>>> Linux has been shipping GPLv3 Samba for a while. But it's a big
>>>> company, you can't expect one part to know what another part is
>>>> up to :-).
>>>>
>>>> Yeah, I read about that, but still, I was thinking that as they
>>>> ship 3.0.37, it should also be easier to compile because OS has all
>>>> that's necessary for 3.0.37. Newer Samba versions may have some
>>>> dependencies (new libs or newer version of libs), that might be
>>>> harder to satisfy. I have never compiled samba so far and all I
>>>> know at the moment (from documentation) is that AD support requires
>>>> krb5 and openldap development libraries and files.
>>>>
>>>>
>>>> Jeremy.
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> ML
>>>
>
More information about the samba
mailing list