Make your own free website on Tripod.com

HOWTO integrate a Samba fileserver into Active Directory

Adapted from instructions from Harri Huttula AND "[Samba] Mini HowTo AIX4.3.3-AD-Winbind" document.
http://lists.samba.org/archive/samba/2004-November/095699.html

Acknowledgements: Harri Huttula, Ben Schmaus
Overview: This document is a roadmap on how you to install Samba on AIX 4.3.3 with a view to integrating Samba into your Active Directory environment.

======================== DOWNLOADS =================================
Download the following RPMs from:
(http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html)
(for AIX 4.3.3, visit: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/)
autoconf-2.53-1.aix4.3.noarch.rpm
automake-1.5-1.aix4.3.noarch.rpm
bash-2.05a-1.aix4.3.ppc.rpm
bison-1.34-2.aix4.3.ppc.rpm
db-3.3.11-3.aix4.3.ppc.rpm
flex-2.5.4a-6.aix4.3.ppc.rpm
gawk-3.1.0-2.aix4.3.ppc.rpm
gettext-0.10.39-2.aix4.3.ppc.rpm
glib-1.2.10-2.aix4.3.ppc.rpm
glib-devel-1.2.10-2.aix4.3.ppc.rpm
glib2-2.2.1-3.aix4.3.ppc.rpm
glib2-devel-2.2.1-3.aix4.3.ppc.rpm
gzip-1.2.4a-7.aix4.3.ppc.rpm
libtool-1.4.2-1.aix4.3.ppc.rpm
m4-1.4-14.aix4.3.ppc.rpm
make-3.79.1-3.aix4.3.ppc.rpm
openldap-2.0.21-4.aix4.3.ppc.rpm
openldap-devel-2.0.21-4.aix4.3.ppc.rpm
pkgconfig-0.15.0-1.aix4.3.ppc.rpm
rpm-3.0.5-30.aix4.3.ppc.rpm
sed-3.02-8.aix4.3.ppc.rpm
tar-1.13-4.aix4.3.ppc.rpm

Download openssl (from www.bullfreeware.com)

Download the following (some binaries and some source codes):

binutils.2.15.tar.Z (http://sunsite.lanet.lv/ftp/unix/aix-binaries/uclapub/binutils/RISC/4.2/exec/)
gcc.3.3.4.tar.Z (http://aixpdslib.seas.ucla.edu/packages/gcc.html)
krb5-1.3.5.tar.gz (http://web.mit.edu/kerberos/www/dist/)
openldap-2.2.3.tgz (http://www.openldap.org/software/download/)
samba-3.0.12pre1.tar.gz (http://www.samba.org)

================ INSTALLATION =======================================

Install rpm package manager (rpm.rte) with installp: (that's if you don't have it installed already.
Issue rpm at the command line to check if you have it already)

installp -qacXgd rpm.rte rpm.rte  (check your AIX installation disks)

Install the downloaded RPMs. If they are all in the same directory, you can do this by doing the following:

rpm -ivh --nodeps *.rpm


Update PATH and LD_LIBRARY_PATH:

PATH=/usr/linux/bin:/usr/local/bin:/usr/local/sbin:/usr/local/krb5-1.3.5/bin/:/usr/local/samba-3.0.12pre1/bin:/usr/local/samba-3.0.12pre1/sbin:$PATH
export PATH
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib
export LD_LIBRARY_PATH

(the PATH lines for Samba and Kerberos are not strictly necessary - they just allow you to run various binaries from any location on your system.
I actually added the lines to my /etc/profile file - you may not want to do this)

Install binutils: (you need at least binutils.2.15.tar.Z . Version 2.9.1 version causes "./config" to fail. The reason is that the "ld" utility in v 2.9.1
does not "understand" the newer file-format used to store some of the gcc libraries)

gzip -d binutils.2.15.tar.Z
cp binutils.2.15.tar /
tar -xvf binutils.2.15.tar
rm /binutils.2.15.tar
**Note** Untar the binutils from the / directory so the files are placed into the proper locations.
OR cd /; tar -xvf /path/to/binutils.2.15.tar


Install gcc:

gzip -d gcc.3.3.4.tar.Z
cp gcc.3.3.4.tar /
tar -xvf gcc.3.3.4.tar
rm /gcc.3.3.4.tar
**Note** Untar the binutils from the / directory so the files are placed into the proper locations.
cd /; tar -xvf /path/to/gcc.3.3.4.tar

Install openssl

chmod u+x openssl-0.9.6.7.exe
(use smit to install the program)
smit install
rm .toc openssl-0.9.6.7.bff openssl-0.9.6.7.??????????

Build and install Kerberos:

gzip -d krb5-1.3.5.tar.gz
tar -xvf krb5-1.3.5.tar
cd krb5-1.3.5/src
CPPFLAGS='-I/usr/local/include' ./configure --prefix=/usr/local/krb5-1.3.5 --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --disable-thread-support
make
make install

Build and install OpenLDAP:

gzip -d openldap-2.2.3.tgz
tar -xvf openldap-2.2.3.tar
cd openldap-2.2.3
./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
make depend
make
make install

Install libiconv:
For libiconv to "make" successfully, the following links must be created for certain utilities from binutils-2.15
ln -s /usr/local/bin/gld /usr/local/bin/ld
ln -s /usr/local/bin/gas /usr/local/bin/as

gzip -d libiconv-1.9.1.tar.gz (source)
tar -xvf libiconv-1.9.1.tar
cd libiconv-1.9.1
./configure --prefix=/usr/local/libiconv-1.9.1


Install gettext-0.14.2 (source)

gzip -d gettext-0.14.2.tar.gz
tar -xvf gettext-0.14.2.tar
cd gettext-0.14.2
./configure --prefix=/usr/local/gettext-0.14.2 --with-libiconv-prefix=/usr/local/libiconv-1.9.1


Build and install Samba:

gzip -d samba-3.0.12pre1.tar.gz
tar -xvf samba-3.0.12pre1.tar
cd samba-3.0.12pre1

For Samba to compile successfully, use the default "ld" for AIX (/usr/bin/ld). This implies that you have to remove the links you created above to gld and gas

rm /usr/local/bin/ld
rm /usr/local/bin/as

You must delete or (comment out) the strlen function body from the util_str.c, otherwise "make" will fail.
It is OK since AIX already has strnlen defined (probably from gcc). The file is samba 3.0.12pre1/source/lib/util_str.c
or a similar path in your samba source directory.

#if !defined(HAVE_STRNLEN) || defined(BROKEN_STRNLEN)
/**
Some platforms don't have strnlen
**/

size_t strnlen(const char *s, size_t n)
{
int i;
for (i=0; s[i] && i<n; i++)
/* noop */ ;
return i;
}
#endif

HINT: lines 1554 - 1566 of the file (may change with different versions though)

LDFLAGS='-L/usr/local/openldap/lib' CPPFLAGS='-I/usr/local/openldap/include' ./configure --prefix=/usr/local/samba-3.0.12pre1 --with-ldap --with-ads --with-winbind --with-krb5=/usr/local/krb5-1.3.5 --with-libiconv=/usr/local/libiconv-1.9.1 --with-acl --?????? (check con.txt)
make
make install


Configure Kerberos:

Edit /etc/krb5.conf to reflect the following (substitute DOMAIN.COM with your domain):

[logging]
default = FILE:/var/krb5/libs.log
#kdc = FILE:/var/krb5/kdc.log
#admin_server = FILE:/var/krb5/admin.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MY-DOMAIN.COM
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
MY-DOMAIN.COM = {
default_domain = my-domain.com
kdc = my-domain-controller:88
admin_server = my-domain-controller:749
}

[domain_realm]
.my-domain.com = MY-DOMAIN.COM
my-domain.com = MY-DOMAIN.COM

#[kdc]
#profile = /var/krb5/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

Configure Samba

create your smb.conf file (usually under lib directory in your samba install location
e.g., /usr/local/samba-3.0.12pre1/lib/smb.conf)

[global]
workgroup = MY-DOMAIN-NODOTCOM
server string = my-server-name
security = ADS
encrypt passwords = Yes
update encrypted = Yes
password server = my-domain-controller
username map = /var/samba3012/users.map
log file = /var/samba3012/log/log.%m
max log size = 50
dns proxy = No
wins server = 10.10.10.2
browseable = yes
show add printer wizard = no
realm = MY-REALM.COM
idmap uid = 15000-20000
idmap gid = 15000-20000
nt acl support = yes

[homes]
path = /home/%S
read only = No
create mask = 0755
browseable = No

[Printers]
comment = All printers
path = /var/samba3012/spool
printable = Yes
browseable = No


Edit /etc/inetd.conf file and add an entry for swat (if you use it) e.g.,
swat    stream    tcp    nowait    root    /usr/local/samba/bin/swat    swat

and add the following to /etc/services
swat    901/tcp     # Samba Web Admin

create any other directory you need e.g., for me, I created /var/samba3012 and /var/samba3012/log
because that’s where I want to store samba’s log files.

manually create domain-equivalent users on the Samba server.

INVESTIGATE AUTOMATIC CREATION OF USERS ON THE UNIX BOX WITH THE AUTOSCRIPTS

THAT COMES WITH SAMBA. some attempts will fail. You can create this manually by altering the

first 8 xters of the new user with a familiar name to an existing user. Since d machine is part of the domain,

users or HODs can manage their directory structures themselves by granting access to staff as desired.

what about groups - i assume they cannot be created automatically? what about mappings btween unix groups and windows groups? probably better to leave groups as is.
===============================================================================

Join your Samba server to the domain (Administrator%password can be replaced by any username%password of any user that has permission to join a computer to the domain)
net ads join -U Administrator%password

Installation Time: (taken on a not-busy IBM RS/6000 desktop)
./configure took 48 minutes
make took 30 minutes
make install took 2 minutes