[Samba] Join as DC requires libacl, not avail on Solaris

Thomas Schulz schulz at adi.com
Wed Mar 5 14:29:37 MST 2014 

> On Tue, 2014-03-04 at 20:49 -0500, Thomas Schulz wrote:
>>> On Tue, 2014-03-04 at 11:05 -0500, Thomas Schulz wrote:
>>>>> Andrew Bartlett wrote:
>>>>> The best way to extend Samba's OS support in the AD DC is to provide
>>>>> tested patches. 
>>>> 
>>>> Unfortunately this is way beyond my ability to work on. Quite awhile ago
>>>> I was a programmer, but my last major work was written in Fortran. I make
>>>> small changes in programs written in C, but nothing of the scope that
>>>> would be required here.
>>>> 
>>>>> On Monday, March 03, 2014 11:30 PM, Thomas Schulz wrote:
>>>>>> I am going to admit defeat here and use a Linux box as my additional
>>>>>> domain controller. It looks like Samba 4.1.5 does not understand the
>>>>>> Solaris ACL system. This may be related to Bug 10362. I have concluded
>>>>>> from this and the other problems that I have had that the Samba team
>>>>>> does not have access to a Solaris box for development and that Oricle
>>>>>> is not providing any support for Samba. Fortunately Samba does work
>>>>>> as a file server on Solaris.
>>>>> 
>>>>> Hi Thomas,
>>>>> 
>>>>> You've given up too early. I now have a samba 4.1.5 instance that is 
>>>>> joined to my domain and has replicated the AD and even accessed through 
>>>>> ADUC.
>>>>> 
>>>>> Attaching patches that will enable you to bypass the provision test of 
>>>>> your sysvol share.
>>>>> 
>>>>> Note: You must create a smb.conf with a sysvol share defined.
>>>>> 
>>>>> After provisioning, you will have to edit smb.conf and add zfsacls 
>>>>> module to the sysvol share and otherwise configure the share for zfs 
>>>>> before you start samba.
>>>>> 
>>>>> regards,
>>>>> 
>>>>> Christopher
>>>> 
>>>> I have saved these patches. However all of our file systems are currently
>>>> UFS file systems. 
>>> 
>>> If you are using UFS, it is expected to work.  Can you download current
>>> git master and confirm if configure runs without any special options?
>>> We now bail if we don't detect posix ACLs at that point.  
>>> 
>>> If that fails, then your bin/config.log might be of assistance in
>>> working out why we didn't find the posix ACL headers, plus information
>>> on where the ACL functions are to be found on your system.
>>> 
>>> Andrew Bartlett
>> 
>> I will download that as soon as I get into the office in the morning.
>> What I can get to right now are the output lines from configure that
>> mention ACLs.
>> 
>> Checking for header acl/libacl.h : no 
>> Checking for header sys/acl.h    : yes 
>> Checking for _acl                : ok 
>> Checking for __acl               : not found 
>> Checking for _facl               : ok 
>> Checking for __facl              : not found 
>> Checking for library acl         : not found 
>> Checking for acl_get_file        : not found 
>> Checking for POSIX ACL support   : not found 
>> Checking for header sys/acl.h    : yes 
>> Checking for _acl                : ok 
>> Checking for __acl               : not found 
>> Checking for _facl               : ok 
>> Checking for __facl              : not found 
>> Checking for library acl         : not found 
>> Checking for acl_get_file        : not found 
>> Checking for POSIX ACL support   : not found 
>> 
>> That output matches what I find while looking around. I do not find any
>> library specifically for ACLs. And acl_get_file is not found in sys/acl.h.
>> Note that this is Solaris 10. I believe that there is a Solaris 11, but
>> I do not have that.
> 
> The issue is that we don't seem to realise your system is solaris.
> 
> Can you please run
> 
> python -c "import sys; print sys.platform"
> 
> Then try the attached patch and let me know if that fixes it.
> 
> Thanks,
> 
> Andrew Bartlett

Perhaps misunderstanding which version that I should patch, I tried patching
4.1.5. I now see that the patch is for the development version. So I tried
a different patch:

--- wscript.orig        Thu Dec  5 04:16:48 2013
+++ wscript     Wed Mar  5 11:37:59 2014
@@ -410,7 +410,7 @@
                Logs.info('Using UnixWare ACLs')
                 conf.DEFINE('HAVE_UNIXWARE_ACLS',1)
                 default_static_modules.extend(TO_LIST('vfs_solarisacl'))
-       elif (host_os.rfind('solaris') > -1) and conf.CHECK_FUNCS_IN('sec', 'facl'):
+       elif (host_os.rfind('sunos5') > -1) and conf.CHECK_FUNCS_IN('sec', 'facl'):
                Logs.info('Using solaris ACLs')
                 conf.DEFINE('HAVE_SOLARIS_ACLS',1)
                 default_static_modules.extend(TO_LIST('vfs_solarisacl'))

The difference in the output from configure is:

--- samba-4.1.5.i386gcc.pt/conflog      Mon Feb 24 15:07:04 2014
+++ samba-4.1.5.i386gcc.2pt//conflog    Wed Mar  5 11:57:20 2014
@@ -1061,6 +1061,8 @@
 Checking if can we convert from CP850 to UCS-2LE    : ok 
 Checking if can we convert from UTF-8 to UCS-2LE    : ok 
 building on sunos5
+Checking for library facl                           : not found 
+Checking for sec                                    : not found 
 Checking for library acl                            : not found 
 Checking for acl_get_file                           : not found 
 Checking for POSIX ACL support                      : not found 
@@ -2216,6 +2218,8 @@
 Checking if can we convert from CP850 to UCS-2LE    : ok 
 Checking if can we convert from UTF-8 to UCS-2LE    : ok 
 building on sunos5
+Checking for library facl                           : not found 
+Checking for sec                                    : not found 
 Checking for library acl                            : not found 
 Checking for acl_get_file                           : not found 
 Checking for POSIX ACL support                      : not found 

So that did not have the desired result. I am still trying to figure out
how to use git.

**************************** More information **************************

I got the git master. Without the patch configure ends with:
building on sunos5
Checking for library acl                                                                        : not found 
Checking for acl_get_file                                                                       : not found 
Checking for POSIX ACL support                                                                  : not found 
/home/projects/tools/samba/testmaster/source3/wscript:470: error:
ACL support not found. Try installing libacl1-dev or libacl-devel.
Otherwise, use --without-acl-support to build without ACL support.
ACL support is required to change permissions from Windows clients.

With the patch configure ends with:
building on sunos5
Checking for library acl                                                                        : not found 
Checking for acl_get_file                                                                       : not found 
Checking for POSIX ACL support                                                                  : not found 
Checking for library facl                                                                       : not found 
Checking for sec                                                                                : not found 
Checking for library acl_get_fd                                                                 : not found 
Checking for pacl                                                                               : not found 
/home/projects/tools/samba/testmaster/source3/wscript:470: error:
ACL support not found. Try installing libacl1-dev or libacl-devel.
Otherwise, use --without-acl-support to build without ACL support.
ACL support is required to change permissions from Windows clients.


Tom Schulz
Applied Dynamics Intl.
schulz at adi.com

More information about the samba mailing list