HOWTO integrate a Samba fileserver into Active Directory
Adapted from instructions from Harri Huttula and from the "[Samba] Mini HowTo
AIX4.3.3-AD-Winbind" document:
http://lists.samba.org/archive/samba/2004-November/095699.html
Acknowledgements:
Harri Huttula,
Ben Schmaus
Overview: This document is a roadmap for installing Samba on AIX 4.3.3 with a
view to integrating it into your Active Directory environment.
======================== DOWNLOADS =================================
Download the following RPMs from:
(http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html)
(for AIX 4.3.3, visit: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/)
autoconf-2.53-1.aix4.3.noarch.rpm
automake-1.5-1.aix4.3.noarch.rpm
bash-2.05a-1.aix4.3.ppc.rpm
bison-1.34-2.aix4.3.ppc.rpm
db-3.3.11-3.aix4.3.ppc.rpm
flex-2.5.4a-6.aix4.3.ppc.rpm
gawk-3.1.0-2.aix4.3.ppc.rpm
gettext-0.10.39-2.aix4.3.ppc.rpm
glib-1.2.10-2.aix4.3.ppc.rpm
glib-devel-1.2.10-2.aix4.3.ppc.rpm
glib2-2.2.1-3.aix4.3.ppc.rpm
glib2-devel-2.2.1-3.aix4.3.ppc.rpm
gzip-1.2.4a-7.aix4.3.ppc.rpm
libtool-1.4.2-1.aix4.3.ppc.rpm
m4-1.4-14.aix4.3.ppc.rpm
make-3.79.1-3.aix4.3.ppc.rpm
openldap-2.0.21-4.aix4.3.ppc.rpm
openldap-devel-2.0.21-4.aix4.3.ppc.rpm
pkgconfig-0.15.0-1.aix4.3.ppc.rpm
rpm-3.0.5-30.aix4.3.ppc.rpm
sed-3.02-8.aix4.3.ppc.rpm
tar-1.13-4.aix4.3.ppc.rpm
Download openssl (from www.bullfreeware.com)
Download the following (some binaries and some source codes):
binutils.2.15.tar.Z (http://sunsite.lanet.lv/ftp/unix/aix-binaries/uclapub/binutils/RISC/4.2/exec/)
gcc.3.3.4.tar.Z (http://aixpdslib.seas.ucla.edu/packages/gcc.html)
krb5-1.3.5.tar.gz (http://web.mit.edu/kerberos/www/dist/)
openldap-2.2.3.tgz (http://www.openldap.org/software/download/)
samba-3.0.12pre1.tar.gz (http://www.samba.org)
================ INSTALLATION =======================================
Install the rpm package manager (rpm.rte) with installp, if you don't have it
installed already (run "rpm" at the command line to check). The fileset is on
your AIX installation disks:
installp -qacXgd rpm.rte rpm.rte
Install the downloaded RPMs. If they are all in the same directory:
rpm -ivh --nodeps *.rpm
Update PATH and LD_LIBRARY_PATH:
PATH=/usr/linux/bin:/usr/local/bin:/usr/local/sbin:/usr/local/krb5-1.3.5/bin/:/usr/local/samba-3.0.12pre1/bin:/usr/local/samba-3.0.12pre1/sbin:$PATH
export PATH
LD_LIBRARY_PATH=/usr/lib:/usr/local/lib:/lib
export LD_LIBRARY_PATH
(the PATH lines for Samba and Kerberos are not strictly necessary - they
just allow you to run various binaries from any location on your system.
I actually added the lines to my /etc/profile file - you may not want
to do this)
Install binutils (you need at least binutils.2.15.tar.Z; version 2.9.1 causes
"./config" to fail, because the "ld" utility in 2.9.1 does not understand the
newer file format used to store some of the gcc libraries):
gzip -d binutils.2.15.tar.Z
cp binutils.2.15.tar /
cd /
tar -xvf binutils.2.15.tar
rm /binutils.2.15.tar
**Note** Untar binutils from the / directory so the files are placed into the
proper locations. Equivalently:
cd /; tar -xvf /path/to/binutils.2.15.tar
Install gcc:
gzip -d gcc.3.3.4.tar.Z
cp gcc.3.3.4.tar /
cd /
tar -xvf gcc.3.3.4.tar
rm /gcc.3.3.4.tar
**Note** Untar gcc from the / directory so the files are placed into the
proper locations. Equivalently:
cd /; tar -xvf /path/to/gcc.3.3.4.tar
Install openssl
chmod u+x openssl-0.9.6.7.exe
(use smit to install the program)
smit install
rm .toc openssl-0.9.6.7.bff openssl-0.9.6.7.??????????
Build and install Kerberos:
gzip -d krb5-1.3.5.tar.gz
tar -xvf krb5-1.3.5.tar
cd krb5-1.3.5/src
CPPFLAGS='-I/usr/local/include' ./configure --prefix=/usr/local/krb5-1.3.5 --enable-dns \
    --enable-dns-for-kdc --enable-dns-for-realm --disable-thread-support
make
make install
Build and install OpenLDAP:
gzip -d openldap-2.2.3.tgz
tar -xvf openldap-2.2.3.tar
cd openldap-2.2.3
./configure --disable-slurpd --disable-bdb --disable-slapd --without-threads
make depend
make
make install
Install libiconv (from source):
For libiconv to "make" successfully, the following links must be created for
certain utilities from binutils-2.15:
ln -s /usr/local/bin/gld /usr/local/bin/ld
ln -s /usr/local/bin/gas /usr/local/bin/as
gzip -d libiconv-1.9.1.tar.gz
tar -xvf libiconv-1.9.1.tar
cd libiconv-1.9.1
./configure --prefix=/usr/local/libiconv-1.9.1
make
make install
Install gettext-0.14.2 (from source):
gzip -d gettext-0.14.2.tar.gz
tar -xvf gettext-0.14.2.tar
cd gettext-0.14.2
./configure --prefix=/usr/local/gettext-0.14.2 --with-libiconv-prefix=/usr/local/libiconv-1.9.1
make
make install
Build and install Samba:
gzip -d samba-3.0.12pre1.tar.gz
tar -xvf samba-3.0.12pre1.tar
cd samba-3.0.12pre1
For Samba to compile successfully, use the default "ld" for AIX (/usr/bin/ld).
This means you have to remove the links to gld and gas you created above:
rm /usr/local/bin/ld
rm /usr/local/bin/as
You must delete (or comment out) the strnlen function body from util_str.c,
otherwise "make" will fail. This is OK since AIX already has strnlen defined
(probably from gcc). The file is samba-3.0.12pre1/source/lib/util_str.c, or a
similar path in your Samba source directory:
#if !defined(HAVE_STRNLEN) || defined(BROKEN_STRNLEN)
/**
 Some platforms don't have strnlen
**/
size_t strnlen(const char *s, size_t n)
{
        int i;
        for (i=0; s[i] && i<n; i++)
                /* noop */ ;
        return i;
}
#endif
HINT: lines 1554 - 1566 of the file (may change with different versions though)
LDFLAGS='-L/usr/local/openldap/lib' CPPFLAGS='-I/usr/local/openldap/include' \
./configure --prefix=/usr/local/samba-3.0.12pre1 --with-ldap --with-ads --with-winbind \
    --with-krb5=/usr/local/krb5-1.3.5 --with-libiconv=/usr/local/libiconv-1.9.1 \
    --with-acl --?????? (check con.txt)
make
make install
Configure Kerberos:
Edit /etc/krb5.conf to reflect the following (substitute MY-DOMAIN.COM,
my-domain.com and my-domain-controller with your own domain and domain
controller):
[logging]
default = FILE:/var/krb5/libs.log
#kdc = FILE:/var/krb5/kdc.log
#admin_server = FILE:/var/krb5/admin.log
[libdefaults]
ticket_lifetime = 24000
default_realm = MY-DOMAIN.COM
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MY-DOMAIN.COM = {
default_domain = my-domain.com
kdc = my-domain-controller:88
admin_server = my-domain-controller:749
}
[domain_realm]
.my-domain.com = MY-DOMAIN.COM
my-domain.com = MY-DOMAIN.COM
#[kdc]
#profile = /var/krb5/kdc.conf
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
Configure Samba:
Create your smb.conf file (usually under the lib directory of your Samba
install location, e.g., /usr/local/samba-3.0.12pre1/lib/smb.conf):
[global]
workgroup = MY-DOMAIN-NODOTCOM
server string = my-server-name
security = ADS
encrypt passwords = Yes
update encrypted = Yes
password server = my-domain-controller
username map = /var/samba3012/users.map
log file = /var/samba3012/log/log.%m
max log size = 50
dns proxy = No
wins server = 10.10.10.2
browseable = yes
show add printer wizard = no
realm = MY-REALM.COM
idmap uid = 15000-20000
idmap gid = 15000-20000
nt acl support = yes
[homes]
path = /home/%S
read only = No
create mask = 0755
browseable = No
[Printers]
comment = All printers
path = /var/samba3012/spool
printable = Yes
browseable = No
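As an added check, not part of the original HOWTO, the script below parses a krb5.conf and an smb.conf laid out like the two above and verifies the three things that most often break an AD join: the smb.conf "realm" must be identical to the krb5.conf "default_realm" (Kerberos realm names are case-sensitive, so a lower-case realm is also caught), "security" must be ADS, and no local account in /etc/passwd may have a UID inside the "idmap uid" range, because winbind would otherwise allocate domain users UIDs that collide with local accounts. The config fragments and the passwd excerpt are constructed sample input written to a scratch directory; the realm mismatch in them is deliberate so the check has something to flag.

```shell
#!/bin/sh
# Added example: consistency checks for a krb5.conf / smb.conf pair.
# Every input below is a constructed sample, written to a scratch directory.
TMPD=$(mktemp -d 2>/dev/null || echo "/tmp/adcheck.$$")
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/krb5.conf" <<'EOF'
[libdefaults]
default_realm = MY-DOMAIN.COM
dns_lookup_kdc = false
[realms]
MY-DOMAIN.COM = {
kdc = my-domain-controller:88
}
EOF

# Deliberate mismatch: realm here differs from default_realm above.
cat > "$TMPD/smb.conf" <<'EOF'
[global]
workgroup = MY-DOMAIN
security = ADS
realm = MY-REALM.COM
idmap uid = 15000-20000
idmap gid = 15000-20000
[homes]
path = /home/%S
EOF

# Constructed passwd excerpt: one local account sits inside the idmap uid range.
cat > "$TMPD/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
appsvc:!:15010:200::/home/appsvc:/usr/bin/ksh
EOF

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (s == sec); next
        }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_realm KRB5CONF SMBCONF -> true when smb.conf realm equals krb5.conf default_realm
check_realm() {
    krb=$(ini_get "$1" libdefaults default_realm)
    smb=$(ini_get "$2" global realm)
    [ -n "$krb" ] && [ "$krb" = "$smb" ]
}

# check_security SMBCONF -> true when security = ADS (value compared case-insensitively)
check_security() {
    v=$(ini_get "$1" global security | tr 'a-z' 'A-Z')
    [ "$v" = "ADS" ]
}

# idmap_collisions SMBCONF PASSWD -> prints name:uid of local accounts inside the idmap uid range
idmap_collisions() {
    range=$(ini_get "$1" global "idmap uid")
    lo=${range%-*}; hi=${range#*-}
    awk -F: -v lo="$lo" -v hi="$hi" '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$2"
}

# report KRB5CONF SMBCONF PASSWD -> one line per check; returns 1 if any check fails
report() {
    rc=0
    if check_realm "$1" "$2"; then echo "realm: OK"
    else echo "realm: smb.conf 'realm' must equal krb5.conf 'default_realm'"; rc=1; fi
    if check_security "$2"; then echo "security: OK"
    else echo "security: must be ADS for an Active Directory member"; rc=1; fi
    hits=$(idmap_collisions "$2" "$3")
    if [ -z "$hits" ]; then echo "idmap: OK"
    else echo "idmap: local accounts inside 'idmap uid' range: $hits"; rc=1; fi
    return $rc
}

report "$TMPD/krb5.conf" "$TMPD/smb.conf" "$TMPD/passwd" || echo "one or more checks failed"
```

Against a real installation, point report at /etc/krb5.conf, the smb.conf under your Samba prefix and /etc/passwd; both of the failing checks in the sample (realm mismatch, local UID inside the idmap range) are worth fixing before running net ads join.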
Edit the /etc/inetd.conf file and add an entry for swat (if you use it), e.g.,
swat stream tcp nowait root /usr/local/samba/bin/swat swat
and add the following to /etc/services:
swat 901/tcp # Samba Web Admin
Create any other directories you need; e.g., for me, I created /var/samba3012
and /var/samba3012/log because that's where I want to store Samba's log files.
Manually create domain-equivalent users on the Samba server.
INVESTIGATE AUTOMATIC CREATION OF USERS ON THE UNIX BOX WITH THE AUTOSCRIPTS
THAT COME WITH SAMBA. Some attempts will fail. You can create these manually by
altering the first 8 characters of the new user with a familiar name to an
existing user. Since the machine is part of the domain, users or HODs can
manage their directory structures themselves by granting access to staff as
desired.
What about groups - I assume they cannot be created automatically? What about
mappings between Unix groups and Windows groups? Probably better to leave
groups as is.
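The eight-character truncation mentioned above is AIX 4.3.3's login-name limit. As an added example, not part of the original HOWTO, the script below turns a list of domain account names into candidate Unix login names of at most eight characters, avoids collisions with accounts already in the passwd file and with names generated earlier in the same run, and prints the matching lines for the file that smb.conf references as username map = /var/samba3012/users.map (left side the Unix name, right side the Windows name as Samba sees it, written here with the domain prefix). The naming convention (lower-case, strip everything but letters and digits, truncate, append a counter on collision) is this example's own choice, and the domain name MY-DOMAIN, the user list and the passwd excerpt are constructed sample input.

```shell
#!/bin/sh
# Added example: derive <= 8-character Unix login names for domain accounts and
# emit the matching "username map" lines. All inputs are constructed samples.
TMPD=$(mktemp -d 2>/dev/null || echo "/tmp/usermap.$$")
mkdir -p "$TMPD"
trap 'rm -rf "$TMPD"' EXIT

# Existing local accounts (constructed /etc/passwd excerpt).
cat > "$TMPD/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
johnsmit:!:205:1::/home/johnsmit:/usr/bin/ksh
EOF

# Domain account names to map, one per line (constructed).
cat > "$TMPD/domain_users.txt" <<'EOF'
Administrator
john.smith
john.smithson
mary-jones
EOF

# unix_name_for WINNAME TAKENFILE -> a login name of at most 8 chars that is not
# listed in TAKENFILE (one name per line). Lower-cases the Windows name, drops
# anything but [a-z0-9], truncates to 8 (AIX 4.3.3's login-name limit) and, on
# collision, replaces the tail with a counter so the total stays at 8 or less.
unix_name_for() {
    base=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    [ -n "$base" ] || base=user          # name had no usable characters at all
    base=$(printf '%.8s' "$base")
    cand=$base
    n=1
    while grep -qx "$cand" "$2"; do
        keep=$((8 - ${#n}))
        cand="$(printf "%.${keep}s" "$base")$n"
        n=$((n + 1))
    done
    printf '%s\n' "$cand"
}

# gen_users_map DOMAIN USERFILE PASSWD -> prints "unixname = DOMAIN\winname"
# lines, never reusing a local account name or a name already generated.
gen_users_map() {
    taken="$TMPD/taken.$$"
    cut -d: -f1 "$3" > "$taken"
    while IFS= read -r win; do
        [ -n "$win" ] || continue
        ux=$(unix_name_for "$win" "$taken")
        printf '%s\n' "$ux" >> "$taken"
        printf '%s = %s\\%s\n' "$ux" "$1" "$win"
    done < "$2"
    rm -f "$taken"
}

gen_users_map MY-DOMAIN "$TMPD/domain_users.txt" "$TMPD/passwd"
```

With the sample input, john.smith collides with the existing local johnsmit and becomes johnsmi1, and john.smithson then becomes johnsmi2. The script only produces the map: each left-hand name still has to exist as a local account (mkuser on AIX) before the mapped domain user can connect, and the generated names should be reviewed before they are committed to users.map.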
===============================================================================
Join your Samba server to the domain (Administrator%password can be replaced
by the username%password of any user that has permission to join a computer
to the domain):
net ads join -U Administrator%password
Installation time (taken on a not-busy IBM RS/6000 desktop):
./configure took 48 minutes
make took 30 minutes
make install took 2 minutes