[Samba] Join as DC requires libacl, not avail on Solaris

Thomas Schulz schulz at adi.com
Wed Mar 5 11:26:14 MST 2014 

> On Tue, 2014-03-04 at 20:49 -0500, Thomas Schulz wrote:
>>> On Tue, 2014-03-04 at 11:05 -0500, Thomas Schulz wrote:
>>>>> Andrew Bartlett wrote:
>>>>> The best way to extend Samba's OS support in the AD DC is to provide
>>>>> tested patches. 
>>>> 
>>>> Unfortunately this is way beyond my ability to work on. Quite awhile ago
>>>> I was a programmer, but my last major work was written in Fortran. I make
>>>> small changes in programs written in C, but nothing of the scope that
>>>> would be required here.
>>>> 
>>>>> On Monday, March 03, 2014 11:30 PM, Thomas Schulz wrote:
>>>>>> I am going to admit defeat here and use a Linux box as my additional
>>>>>> domain controller. It looks like Samba 4.1.5 does not understand the
>>>>>> Solaris ACL system. This may be related to Bug 10362. I have concluded
>>>>>> from this and the other problems that I have had that the Samba team
>>>>>> does not have access to a Solaris box for development and that Oricle
>>>>>> is not providing any support for Samba. Fortunately Samba does work
>>>>>> as a file server on Solaris.
>>>>> 
>>>>> Hi Thomas,
>>>>> 
>>>>> You've given up too early. I now have a samba 4.1.5 instance that is 
>>>>> joined to my domain and has replicated the AD and even accessed through 
>>>>> ADUC.
>>>>> 
>>>>> Attaching patches that will enable you to bypass the provision test of 
>>>>> your sysvol share.
>>>>> 
>>>>> Note: You must create a smb.conf with a sysvol share defined.
>>>>> 
>>>>> After provisioning, you will have to edit smb.conf and add zfsacls 
>>>>> module to the sysvol share and otherwise configure the share for zfs 
>>>>> before you start samba.
>>>>> 
>>>>> regards,
>>>>> 
>>>>> Christopher
>>>> 
>>>> I have saved these patches. However all of our file systems are currently
>>>> UFS file systems. 
>>> 
>>> If you are using UFS, it is expected to work.  Can you download current
>>> git master and confirm if configure runs without any special options?
>>> We now bail if we don't detect posix ACLs at that point.  
>>> 
>>> If that fails, then your bin/config.log might be of assistance in
>>> working out why we didn't find the posix ACL headers, plus information
>>> on where the ACL functions are to be found on your system.
>>> 
>>> Andrew Bartlett
>> 
>> I will download that as soon as I get into the office in the morning.
>> What I can get to right now are the output lines from configure that
>> mention ACLs.
>> 
>> Checking for header acl/libacl.h : no 
>> Checking for header sys/acl.h    : yes 
>> Checking for _acl                : ok 
>> Checking for __acl               : not found 
>> Checking for _facl               : ok 
>> Checking for __facl              : not found 
>> Checking for library acl         : not found 
>> Checking for acl_get_file        : not found 
>> Checking for POSIX ACL support   : not found 
>> Checking for header sys/acl.h    : yes 
>> Checking for _acl                : ok 
>> Checking for __acl               : not found 
>> Checking for _facl               : ok 
>> Checking for __facl              : not found 
>> Checking for library acl         : not found 
>> Checking for acl_get_file        : not found 
>> Checking for POSIX ACL support   : not found 
>> 
>> That output matches what I find while looking around. I do not find any
>> library specifically for ACLs. And acl_get_file is not found in sys/acl.h.
>> Note that this is Solaris 10. I believe that there is a Solaris 11, but
>> I do not have that.
> 
> The issue is that we don't seem to realise your system is solaris.
> 
> Can you please run
> 
> python -c "import sys; print sys.platform"
> 
> Then try the attached patch and let me know if that fixes it.
> 
> Thanks,
> 
> Andrew Bartlett

Perhaps misunderstanding which version that I should patch, I tried patching
4.1.5. I now see that the patch is for the development version. So I tried
a different patch:

--- wscript.orig        Thu Dec  5 04:16:48 2013
+++ wscript     Wed Mar  5 11:37:59 2014
@@ -410,7 +410,7 @@
                Logs.info('Using UnixWare ACLs')
                 conf.DEFINE('HAVE_UNIXWARE_ACLS',1)
                 default_static_modules.extend(TO_LIST('vfs_solarisacl'))
-       elif (host_os.rfind('solaris') > -1) and conf.CHECK_FUNCS_IN('sec', 'facl'):
+       elif (host_os.rfind('sunos5') > -1) and conf.CHECK_FUNCS_IN('sec', 'facl'):
                Logs.info('Using solaris ACLs')
                 conf.DEFINE('HAVE_SOLARIS_ACLS',1)
                 default_static_modules.extend(TO_LIST('vfs_solarisacl'))

The difference in the output from configure is:

--- samba-4.1.5.i386gcc.pt/conflog      Mon Feb 24 15:07:04 2014
+++ samba-4.1.5.i386gcc.2pt//conflog    Wed Mar  5 11:57:20 2014
@@ -1061,6 +1061,8 @@
 Checking if can we convert from CP850 to UCS-2LE    : ok 
 Checking if can we convert from UTF-8 to UCS-2LE    : ok 
 building on sunos5
+Checking for library facl                           : not found 
+Checking for sec                                    : not found 
 Checking for library acl                            : not found 
 Checking for acl_get_file                           : not found 
 Checking for POSIX ACL support                      : not found 
@@ -2216,6 +2218,8 @@
 Checking if can we convert from CP850 to UCS-2LE    : ok 
 Checking if can we convert from UTF-8 to UCS-2LE    : ok 
 building on sunos5
+Checking for library facl                           : not found 
+Checking for sec                                    : not found 
 Checking for library acl                            : not found 
 Checking for acl_get_file                           : not found 
 Checking for POSIX ACL support                      : not found 

So that did not have the desired result. I am still trying to figure out
how to use git.

Tom Schulz
Applied Dynamics Intl.
schulz at adi.com

More information about the samba mailing list