Jeff Ross wrote:
Hi all,
I need a version of samba that is compiled with both ldap and kerberos
so that my samba server can join a MS Windows 2003 Active Directory domain.
After hacking on the port to make my own flavor, I have been unable to
get around the same problem others have had (from stfa) in that
configure seems unable to find the OpenBSD in-tree krbv headers and
library files.
The problem seems to be that OpenBSD splits kerberosV into two separate
places. Header files are in /usr/include/kerberosV, and library files
are in /usr/lib/. Samba's configure is also looking for a krb5-config
file that doesn't seem to exist on a standard OpenBSD -current install.
The easiest way for me to compile Samba with both ldap and kerberos has
been to download the latest heimdal sources from
http://www.h5l.org/dist/src/, untar them, run ./configure && make &&
sudo make install. The standard location for heimdal is in
/usr/heimdal, with the library files in /usr/heimdal/lib and the header
files in /usr/heimdal/include. The krb5-config program (which turns out
to be a shell script) is in /usr/heimdal/bin.
I've altered the ports Makefile to add my own ads flavor by adding:
.if ${FLAVOR:L:Mads}
CONFIGURE_ARGS+= --with-ldap --with-ads --with-krb5=/usr/heimdal
LIB_DEPENDS+= ldap,lber::databases/openldap
BUILD_DEPENDS+= ::misc/libutf8
.else
CONFIGURE_ARGS+= --without-ldap --without-ads
.endif
To contribute a version of samba that is built with both ldap and
kerberos support would it be better to a) use the standard in-tree
version of kerberosV and patch the configure program in samba to find
the in-tree version files. That still doesn't include the krb5-config
shell script, but I haven't yet looked into what it does or why it's
needed.
Or b), should I submit a new port of heimdal for use with samba and make
it a requirement for the new ads flavor, just like openldap is for the
existing ldap flavor. I'd imagine that heimdal ought to be installed in
/usr/local/, which would then alter my samba Makefile addition as well.
That would also keep it second in line in the normal path search.
Heimdal is released under a three clause BSD license, and I was able to
configure and install it without patching or altering anything.
One thing for sure, until this I'd forgotten what a PITA it can be to
get a program compiled and running. I'm used to pkg_add and going back
was awful!
Thanks,
Jeff Ross
Following up on this...
I'm having a hard time getting kerberos linked in. For simplicity's
sake, I'd really like to stick with the in-tree version of kerberosV
(which is heimdal-0.7.2/OpenBSD).
To work around the problem of the kerberosV header and library files
being in separate locations, I've added the following to the Makefile's
pre-configure section:
@rm -rf /usr/local/kerberos
@mkdir /usr/local/kerberos
@ln -s /usr/include/kerberosV /usr/local/kerberos/include
@ln -s /usr/lib/ /usr/local/kerberos/lib
Then my flavor section has the following:
.if ${FLAVOR:L:Mads}
CONFIGURE_ARGS+= --with-ldap --with-ads --with-krb5=/usr/local/kerberos
LIB_DEPENDS+= ldap,lber::databases/openldap
BUILD_DEPENDS+= ::misc/libutf8
.else
CONFIGURE_ARGS+= --without-ldap --without-ads
.endif
This actually does what I'd hoped. configure is now able to find the
krbv library and header files, but it seems that the in-tree version of
kerberosV is missing some needed functionality. Here's the relevant
chunk of configure's output:
checking for krb5_addresses type... yes
checking whether krb5_mk_error takes 3 arguments MIT or 9 Heimdal... no
configure: WARNING: krb5_mk_req_extended not found in -lkrb5
configure: WARNING: no CREATE_KEY_FUNCTIONS detected
configure: WARNING: no GET_ENCTYPES_FUNCTIONS detected
configure: WARNING: no KT_FREE_FUNCTION detected
configure: WARNING: no KRB5_VERIFY_CHECKSUM_FUNCTION detected
configure: WARNING: no KRB5_AP_REQ_FREE_FUNCTION detected
configure: WARNING: no KRB5_AP_REQ_DECODING_FUNCTION detected
configure: error: krb5 libs don't have all features required for Active
Directory support
Okay, I have no idea how to fix this, so it's on to method b, installing
the latest heimdal from source. This time I build heimdal with
./configure \
--prefix=/usr/local/heimdal \
--sysconfdir=/etc
so it gets installed in a better place than its standard /usr/heimdal.
I modify my samba-ads Makefile to this:
.if ${FLAVOR:L:Mads}
CONFIGURE_ARGS+= --with-ldap --with-ads --with-krb5=/usr/local/heimdal
LIB_DEPENDS+= ldap,lber::databases/openldap
BUILD_DEPENDS+= ::misc/libutf8
.else
CONFIGURE_ARGS+= --without-ldap --without-ads
.endif
This allows configure to complete its job, and samba builds without issue.
The binaries, though, throw a library mismatch error when run.
[EMAIL PROTECTED]:/usr/ports/net/samba_ads/w-samba-3.0.28-ads/fake-i386-ads/usr/local/libexec
$ smbd -b | grep KRB | more
smbd:/usr/lib/libkrb5.so.16.0: /usr/local/heimdal/lib/libkrb5.so.24.0 :
WARNING: symbol(krb5_acc_ops) size mismatch, relink your program
smbd:/usr/lib/libkrb5.so.16.0: /usr/local/heimdal/lib/libkrb5.so.24.0 :
WARNING: symbol(krb5_fcc_ops) size mismatch, relink your program
So, even though the krb5 path is set to /usr/local/heimdal, samba is
using the in-tree library files anyway!
This is where I'm at right now, and would sure appreciate a nudge in the
right direction to force samba to link against the correct library
files. The binary files do start and run, but I won't be able to test
them until later tonight.
Thanks for reading!
Jeff Ross
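Added example, not part of the posts above: a small sh/awk filter that reads ld.so "size mismatch" warnings like the ones quoted in the follow-up and lists the library paths named in them that lie outside the prefix given to --with-krb5. The function names are this example's own, and the embedded sample is constructed from the two warnings shown in the post.

```shell
#!/bin/sh
# Added example (not from the post): summarise ld.so "size mismatch" warnings.

# Constructed sample: the two warnings quoted in the post, wrapped as shown there.
sample_warnings() {
cat <<'EOF'
smbd:/usr/lib/libkrb5.so.16.0: /usr/local/heimdal/lib/libkrb5.so.24.0 :
WARNING: symbol(krb5_acc_ops) size mismatch, relink your program
smbd:/usr/lib/libkrb5.so.16.0: /usr/local/heimdal/lib/libkrb5.so.24.0 :
WARNING: symbol(krb5_fcc_ops) size mismatch, relink your program
EOF
}

# stdin: ld.so output. stdout: "symbol<TAB>path<TAB>path", one line per warning.
parse_mismatches() {
    awk '
    function emit(rec,   sym, f, n) {
        if (rec !~ /symbol\(.*\) size mismatch/) return
        sym = rec
        sub(/^.*symbol\(/, "", sym); sub(/\).*$/, "", sym)
        sub(/ *: *WARNING:.*$/, "", rec)   # drop the warning text
        sub(/^[^:]*:/, "", rec)            # drop the program name
        n = split(rec, f, /: */)
        if (n == 2) printf "%s\t%s\t%s\n", sym, f[1], f[2]
    }
    /^WARNING:/ { buf = buf " " $0; next }  # rejoin a wrapped warning
    { if (buf != "") emit(buf); buf = $0 }
    END { if (buf != "") emit(buf) }'
}

# stdin: parse_mismatches output. stdout: unique library paths not under $1.
outside_prefix() {
    awk -F '\t' -v p="$1/" '
    { for (i = 2; i <= 3; i++)
          if (index($i, p) != 1 && !seen[$i]++) print $i }'
}

# Assumed usage: the prefix is the --with-krb5 value from the post.
sample_warnings | parse_mismatches | outside_prefix /usr/local/heimdal
```

Piping a binary's stderr through the same two functions after a relink gives an empty result once every libkrb5 path in the warnings sits under the intended prefix, or once the warnings are gone.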