[Samba] Samba 4.51 Solaris 11 AD client

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Dec 12 19:31:56 UTC 2016


When running "configure" prior to  building samba, I noticed that the 
ldap_initialize function (along with a few others) weren't found.   The 
"smbd -b" command (using the smbd I compiled)


The "smbd -b" command from the bundled samba (either samba 3 on solaris 
11 or samba 4 on linux) showed the following


    # smbd -b | grep -i ldap
      HAVE_LDAP_H
      HAVE_LDAP
      HAVE_LDAP_ADD_RESULT_ENTRY
      HAVE_LDAP_INIT
      HAVE_LDAP_INITIALIZE
      HAVE_LDAP_INIT_FD
      HAVE_LDAP_OPT_SOCKBUF
      HAVE_LDAP_SASL_WRAPPING
      HAVE_LDAP_SET_REBIND_PROC
      HAVE_LIBLDAP
      LDAP_DEPRECATED
      LDAP_SET_REBIND_PROC_ARGS
      pdb_ldapsam_init
      vfs_posixacl auth_sam auth_winbind auth_domain auth_builtin vfs_default nss_info_template idmap_tdb idmap_passdb idmap_nss idmap_ldap
    #



When I compiled samba 4.5.1  I got the following


    # /usr/local/samba/sbin/smbd -b | grep -i ldap
      HAVE_LDAP_H
      HAVE_LDAP
      HAVE_LDAP_INIT
      HAVE_LDAP_SET_REBIND_PROC
      HAVE_LIBLDAP
      LDAP_DEPRECATED
      LDAP_SET_REBIND_PROC_ARGS
      vfs_default auth_domain auth_builtin auth_sam auth_winbind vfs_solarisacl pdb_smbpasswd pdb_tdbsam pdb_wbc_sam auth_unix auth_wbc nss_info_template idmap_tdb idmap_passdb idmap_nss pdb_samba_dsdb auth_samba4 vfs_dfs_samba4 pdb_ldapsam idmap_ldap
    #


And looking at bin/config.log I could see the include path had 
/usr/include first, so the Solaris native ldapclient (not openldap) was 
being found first.

I remembered compiling Samba 3 on Solaris 10 had required that I build 
openldap first, since Solaris 10 did not include openldap.

Downloaded the latest openldap, and compiled for client only (slapd not 
enabled) into the /usr/local/samba-4.5.1 directory.

Set environmental variables as follows

            LDFLAGS="-L /usr/local/samba-4.5.1/lib  -L/usr/lib"
            CFLAGS="-I /usr/local/samba-4.5.1/include  -I/usr/include"
            CPPFLAGS="-I /usr/local/samba-4.5.1/include -I/usr/include"
            export LDFLAGS  CFLAGS CPPFLAGS
            C_INCLUDE_PATH=/usr/local/samba-4.5.1/include:/usr/include:/usr/include/kerberosv5
            CPLUS_INCLUDE_PATH=/usr/local/samba-4.5.1/include:/usr/include:/usr/include/kerberosv5
            export  C_INCLUDE_PATH  CPLUS_INCLUDE_PATH



This fixed the issue of expected ldap functions not being found.

I could have probably used the bundled  openldap  files instead 
(/usr/include/openldap, /usr/openldap/lib)

Now, wbinfo -u will show the domain users even if I don't set "winbind 
rpc only = Yes"

I don't see any trusted domains but I think I am making progress.
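A way to turn the "smbd -b" comparison above into a repeatable check, added here as an example and not part of the original post: it lists the LDAP capability macros that a build linked against OpenLDAP defines and reports which of them are absent, so you can tell at a glance whether configure picked up the Solaris native ldap headers instead of OpenLDAP. The expected macro list comes from the two outputs quoted above; the two sample listings embedded in the script are constructed to mirror those outputs. Plain POSIX sh, grep and tr are all it needs.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: check "smbd -b" output for the
# LDAP capability macros that a Samba build linked against OpenLDAP defines.
# A build that found the Solaris native ldap headers first lacks
# ldap_initialize() and SASL wrapping support, so those macros are missing.

# Macros expected when configure found a usable OpenLDAP client library
# (taken from the two "smbd -b" outputs quoted in the thread).
EXPECTED_LDAP_CAPS="HAVE_LDAP_H HAVE_LDAP HAVE_LDAP_INIT HAVE_LDAP_INITIALIZE \
HAVE_LDAP_INIT_FD HAVE_LDAP_OPT_SOCKBUF HAVE_LDAP_SASL_WRAPPING \
HAVE_LDAP_SET_REBIND_PROC HAVE_LIBLDAP"

# missing_ldap_caps: read "smbd -b" output on stdin and print each expected
# macro that is absent, one per line. Returns 0 if none are missing, else 1.
missing_ldap_caps() {
    build_opts=$(cat)
    rc=0
    for cap in $EXPECTED_LDAP_CAPS; do
        # One token per line, then exact-line match, so HAVE_LDAP is not
        # counted as a hit for HAVE_LDAP_H (or the other way round).
        if ! printf '%s\n' "$build_opts" | tr -s ' \t' '\n' | grep -qx "$cap"; then
            printf '%s\n' "$cap"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a build that found the Solaris native ldap headers first.
SOLARIS_LDAP_BUILD='HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_INIT
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_DEPRECATED
LDAP_SET_REBIND_PROC_ARGS
vfs_default auth_domain auth_builtin auth_sam pdb_ldapsam idmap_ldap'

# Constructed sample: a build that found OpenLDAP.
OPENLDAP_BUILD='HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_INIT_FD
HAVE_LDAP_OPT_SOCKBUF
HAVE_LDAP_SASL_WRAPPING
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_DEPRECATED
LDAP_SET_REBIND_PROC_ARGS
pdb_ldapsam_init idmap_ldap'

# report_build LABEL TEXT: run the check on a captured "smbd -b" listing.
report_build() {
    if missing=$(printf '%s\n' "$2" | missing_ldap_caps); then
        printf '%s: all expected LDAP capabilities present\n' "$1"
    else
        printf '%s: missing -> %s\n' "$1" "$(printf '%s' "$missing" | tr '\n' ' ')"
    fi
}

report_build "solaris-native-ldap" "$SOLARIS_LDAP_BUILD"
report_build "openldap" "$OPENLDAP_BUILD"
# Against a live binary:  /usr/local/samba/sbin/smbd -b | missing_ldap_caps
```

Run it right after "make" and before "make install"; a non-zero exit from missing_ldap_caps on the freshly built smbd means the include path still has the Solaris ldap headers ahead of OpenLDAP and the LDFLAGS/CFLAGS ordering above needs another look.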



-------- Forwarded Message --------
Subject: 	RE: Samba 4.51 Solaris 11 AD client
Date: 	Sun, 11 Dec 2016 11:57:41 -0500
From: 	Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: 	gaiseric.vandal at gmail.com
To: 	'Samba' <samba at lists.samba.org>



If I add

   winbind rpc only = Yes

to the smb.conf file then "wbinfo -u" will list users in the current 
domain.  It won't list users in any trusted domains (including domains 
in the same forest).  This indicates that the domain is having some 
issue retrieving user names via LDAP.

The forest is at the 2008 functional level.  The domain was at the 2003 functional 
level but I just raised that to 2008.  The domain has Windows 2008 SP2 
domain controllers.  The child domain has a Windows 2012 domain 
controller but is also at the 2008 forest functional level.  I updated the 
registry on the Win 2008 SP2 domain controllers to disable DES.

Solaris 11 has both “solaris” ldap (not openldap) and openldap ldap. The 
solaris ldap files should have been in the default path for the software 
build.

I also set

create krb5 conf = No

to prevent samba recreating /usr/local/samba/var/lock/smb_krb5/krb5.conf 
each time it restarted, since it would enable DES encryption by default.

Maybe I need to compile latest openldap and add to the C_INCLUDE_PATH 
and CPLUS_INCLUDE_PATH variables.

*From:* Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
*Sent:* Wednesday, December 07, 2016 9:33 PM
*To:* 'Samba' <samba at lists.samba.org>
*Subject:* Samba 4.51 Solaris 11 AD client

Solaris 11 includes samba 3.6.25.  I compiled samba 4.5.1 using GCC 4.8 
and gmake.  I had set the following env variables to make sure krb5.conf was found

    # CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/
    # C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/

After setting  "client ldap sasl wrapping = plain"   I was able to join 
to a Windows 2008 domain with samba 4.

The samba 4.5.1 "wbinfo -m" showed the domain.  However "wbinfo -u" did 
not show any users.

This works OK with samba 3.6.25.

With Samba 3

    # testparm -v | grep signing
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
    Processing section "[homes]"
    Processing section "[printers]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions
            client signing = required
            client ipc signing = required
            server signing = No

With samba4

    # /usr/local/samba/bin/testparm -v | grep signing
    Load smb config files from /usr/local/samba-4.5.1/etc/smb.conf
    rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
    Processing section "[homes]"
    Processing section "[printers]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions
            client ipc signing = default
            client signing = default
            server signing = default

log.winbindd has

    [2016/12/07 21:16:22.781818,  1, pid=1520, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
      trustdom_list_done: Could not receive trusts for domain MYDOMAIN

Both samba3 and samba4 create krb5.conf.MYDOMAIN files

    #/usr/local/samba/var/lock/smb_krb5# cat krb5.conf.MYDOMAIN
    [libdefaults]
    default_realm = MYDOMAIN.COM
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    dns_lookup_realm = false
    [realms]
    MYDOMAIN.COM = {
        kdc = 192.168.x.y
        kdc = 192.168.x.z
    }
    #:/usr/local/samba/var/lock/smb_krb5#

I would like to disable DES encryption.  Or maybe have samba use the 
system krb5.conf.

With samba3, wbinfo will not show users from “classic” trusted domains 
but will show users from AD trusted domains.

Beginning to think that I should have uninstalled samba3 before 
compiling samba4 to make sure there were no conflicts between different 
versions of the samba libraries.
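An added example, not code from the post or from Samba, that audits a krb5.conf like the generated krb5.conf.MYDOMAIN above for single-DES enctypes on the enctype lines and emits a copy with them removed. The sample file it writes is constructed to match the quoted one, with documentation-range addresses standing in for the 192.168.x.y KDC placeholders; the list of enctypes treated as weak is an assumption of this script (the DES types the thread wants gone), and RC4-HMAC is deliberately left alone so it can be retired separately once the domain no longer needs it. POSIX sh and awk only.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from Samba: audit a krb5.conf
# for single-DES enctypes and print a hardened copy without them.

# Enctypes this script treats as weak (assumption: the single-DES types the
# thread wants disabled). Add rc4-hmac here when the domain can do without it.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 des-cbc-md4'

# write_sample_krb5 FILE: constructed krb5.conf modelled on the generated
# krb5.conf.MYDOMAIN quoted in the thread. KDC addresses are documentation-range
# placeholders (hypothetical), not real hosts.
write_sample_krb5() {
    cat > "$1" <<'EOF'
[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
dns_lookup_realm = false
[realms]
MYDOMAIN.COM = {
    kdc = 192.0.2.10
    kdc = 192.0.2.11
}
EOF
}

# weak_enctypes FILE: print "key enctype" (lower-cased) for every weak enctype
# found on a default_tgs_enctypes / default_tkt_enctypes / preferred_enctypes /
# permitted_enctypes line. Returns 1 if any were found, 0 if the file is clean.
weak_enctypes() {
    awk -v weak="$WEAK_ENCTYPES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes|permitted_enctypes)[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, eq + 1), v, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                e = tolower(v[i])
                if (e != "" && (e in isweak)) { print key, e; found = 1 }
            }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# strip_weak_enctypes FILE: print FILE with weak enctypes dropped from the
# enctype lines (those lines are re-emitted unindented); all other lines pass
# through untouched, so [realms] and the kdc entries are preserved.
strip_weak_enctypes() {
    awk -v weak="$WEAK_ENCTYPES" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) isweak[w[i]] = 1 }
        /^[ \t]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes|permitted_enctypes)[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            n = split(substr($0, eq + 1), v, /[ \t]+/)
            out = key " ="
            for (i = 1; i <= n; i++)
                if (v[i] != "" && !(tolower(v[i]) in isweak)) out = out " " v[i]
            print out
            next
        }
        { print }
    ' "$1"
}

# Demo on the constructed sample; point the functions at a real file instead,
# e.g. weak_enctypes /usr/local/samba/var/lock/smb_krb5/krb5.conf.MYDOMAIN
sample=${TMPDIR:-/tmp}/krb5.conf.sample.$$
write_sample_krb5 "$sample"
if weak_enctypes "$sample"; then
    echo "no weak enctypes in $sample"
else
    echo "--- hardened copy ---"
    strip_weak_enctypes "$sample"
fi
rm -f "$sample"
```

Because winbindd rewrites smb_krb5/krb5.conf on every restart, a hardened copy only stays in place together with the "create krb5 conf = No" setting mentioned above; the same check can be pointed at the system /etc/krb5.conf if samba is switched over to it.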


