Operating System Requirements: Difference between revisions

From SambaWiki
(→‎File System Support: fix up my last change, as TMPDIR is not consulted for where to test a file)
m (Updated link)
* [[Package Dependencies Required to Build Samba]]
* [[File_System_Support|File System Support]]

== Development libraries and Programs ==
=== Required ===
These packages are required for a successful build of Samba 4:
* Python -- A good portion of Samba is written in Python, including the build system itself (waf).

=== Recommended optional development libraries and Programs: ===
In most distributions these libraries are packaged as lib*-dev or lib*-devel. For example, on Debian or Ubuntu the acl package is libacl1-dev, while on Fedora, RHEL, CentOS, and openSUSE it is named libacl-devel.
* acl -- Required for a successful AD DC deployment. If this library is not included, Samba will build successfully, but you will not be able to change ACLs from the Windows frontend. You will receive an error when you provision, and if you manually create the smb.conf with +s3fs, you will get '''Access is denied.''' from Windows on any attempt to change ACLs.
* xattr
* blkid
* gnutls
* readline
* openldap -- Required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail. Also see [[Samba4/samba-tool/domain/classicupgrade/HOWTO|samba-tool domain classicupgrade]].
* cups -- for printer sharing support
* bsd or setproctitle -- for process title updating support
* xsltproc and docbook XSL stylesheets -- Required for building man pages and other documentation

== Distribution Setup ==
The following examples cover all of these libraries. They also cover bind, Kerberos, and file system tools. If you plan to use the internal DNS server, you do not need bind, but you do still need the package that contains the nsupdate binary.

=== Debian or Ubuntu ===
 # apt-get install build-essential libacl1-dev libattr1-dev \
    libblkid-dev libgnutls-dev libreadline-dev python-dev \
    python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
    dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev

Note: docbook-xsl, xsltproc, and inkscape may be required for building the man pages.

Note: if you need '''pam winbind''' support you will need the <tt>libpam0g-dev</tt> package installed.

==== Enabling Dynamically Loadable Zones (DLZ) with Bind on Debian Lenny ====

If you also want to use Dynamically Loadable Zones (DLZ), add the corresponding configure option (dlopen) for your version of bind.
If you are compiling from a downloaded tarball, you might need these libraries: libkrb5-dev and libssl-dev

 $ apt-get install libkrb5-dev libssl-dev
 $ tar -zxvf bind9.x.x.tar.gz
 $ cd bind9.x.x

 $ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes

 $ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

 $ make
 $ make install

=== Fedora ===

 # yum install libacl-devel libblkid-devel gnutls-devel \
    readline-devel python-devel gdb pkgconfig libattr-devel \

=== Red Hat Enterprise Linux or CentOS ===

 # yum install gcc libacl-devel libblkid-devel gnutls-devel \
    readline-devel python-devel gdb pkgconfig krb5-workstation \
    zlib-devel setroubleshoot-server \
    setroubleshoot-plugins policycoreutils-python \
    libsemanage-python setools-libs-python setools-libs \
    popt-devel libpcap-devel sqlite-devel libidn-devel \
    libxml2-devel libacl-devel libsepol-devel libattr-devel \
    keyutils-libs-devel cyrus-sasl-devel cups-devel

Note: docbook-style-xsl.noarch and libxslt.x86_64 may be required for the man pages to get installed correctly.

=== openSUSE ===

 # zypper install libacl-devel python-selinux autoconf make \
    python-devel gdb sqlite3-devel libgnutls-devel binutils \
    policycoreutils-python setools-libs selinux-policy \
    setools-libs popt-devel libpcap-devel keyutils-devel \
    libidn-devel libxml2-devel libacl-devel libsepol-devel \
    libattr-devel zlib-devel cyrus-sasl-devel gcc \
    krb5-client openldap2-devel libopenssl-devel \
    bind-utils bind-lib

=== Gentoo ===
Please note that the following sections assume at least an intermediate understanding of the Gentoo packaging system.

==== Python ====
Gentoo uses python-3 as the default Python interpreter, but at this time Samba requires python-2 (2.4.2 or greater). The following set of commands will install and set up python-2 as the default Python interpreter.

 # emerge --ask --noreplace '<dev-lang/python-3'
 # eselect python set python2.7
 # python-updater

==== Kerberos ====
On Gentoo, you have two choices for a Kerberos implementation, '''app-crypt/mit-krb5''' and '''app-crypt/heimdal'''. Unfortunately the two implementations cannot be installed at the same time. Currently, the Samba developers recommend using '''app-crypt/heimdal'''. So you must first uninstall '''app-crypt/mit-krb5''' (if installed), then install '''app-crypt/heimdal''' and rebuild any packages that were using the old Kerberos implementation.

 # emerge --unmerge --ask app-crypt/mit-krb5
 # emerge --ask app-crypt/heimdal
 # revdep-rebuild -- --ask

==== Bind ====
To enable automatic zone management, '''net-dns/bind''' and '''net-dns/bind-tools''' should be emerged with the USE flags for '''berkdb''', '''dlz''' and '''gssapi''' set. To enable them permanently, add the following to '''/etc/package.use''':

 net-dns/bind berkdb dlz gssapi
 net-dns/bind-tools gssapi

Then, emerge '''net-dns/bind''':

 # emerge --ask net-dns/bind net-dns/bind-tools

Note that if you have problems with Samba's gssapi updates to bind, try using the alternate Kerberos implementation, app-crypt/mit-krb5.

==== Samba-supplied Libraries (tdb/ldb/tevent) ====
A few Samba libraries need to be installed. Note that these packages might be keyworded as unstable, so you might need to add the following to your '''/etc/package.keywords''':


Additionally, Samba requires '''sys-libs/tdb''' and '''sys-libs/talloc''' to be emerged with the USE flag '''python''' set. To enable this permanently, add the following to '''/etc/package.use''':

 sys-libs/tdb python
 sys-libs/talloc python

Note: In newer installations of Gentoo, the above files will be located in '''/etc/portage/''', i.e. '''/etc/portage/package.keywords''' and '''/etc/portage/package.use'''. They may be symlinked to '''/etc''' for backward compatibility.

Now, emerge the packages:

 # emerge --ask '=sys-libs/talloc-2.0.7' '=sys-libs/tdb-1.2.10' '=sys-libs/tevent-0.9.17' '=sys-libs/ldb-1.1.12'

Note that ebuilds for the required versions of the above packages might not be available in the portage tree. In this case, check [https://bugs.gentoo.org/ Gentoo's Bugzilla] for updated ebuilds.

==== Other Misc. Build/Run Dependencies ====
To ensure a successful Samba-4 installation, there are a few other packages that should be installed, as shown below:

 # emerge --ask net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn

FIXME: Are dev-python/dnspython net-dns/libidn still required?

== File System Support ==

To use the advanced features of Samba4 you need a filesystem that
supports both the "user" and "system" xattr namespaces.

You need this support on the file systems that you will share with Samba. For many users that will be their /home volume. However, the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol'. This might be under /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs to have ACL and XATTR support.

=== ext3/ext4 File System ===

If you are using either ext3 or ext4 for your file system you will need to
include the options "user_xattr", "acl" and "barrier=1" in your /etc/fstab. For example:

 /dev/hda3 /home ext3 user_xattr,acl,barrier=1 1 1

Simply change ext3 to ext4 if you are using it. Normally you will want to just modify the existing line to add those options. Please use caution when modifying your fstab, as a wrong change can leave the system unbootable.

The '''barrier=1''' option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled.
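The fstab check described above can be scripted. This is an added example, not part of the original wiki page: the helper names <tt>check_fstab_opts</tt> and <tt>sample_fstab</tt> and the sample entries are constructed for illustration. It inspects fstab text only, not the options a filesystem is currently mounted with.

```shell
#!/bin/sh
# Added example: report ext3/ext4 fstab entries that lack the mount options
# this page asks for (user_xattr, acl, barrier=1).
# check_fstab_opts is a hypothetical helper name. It reads fstab-format text
# on stdin and prints one line per ext3/ext4 entry:
#   "<mountpoint> ok"  or  "<mountpoint> missing:<opt>[,<opt>...]"
check_fstab_opts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $3 != "ext3" && $3 != "ext4" { next }  # only the filesystems covered here
        {
            split("", have)                    # portable way to clear the array
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            missing = ""
            m = split("user_xattr acl barrier=1", want, " ")
            for (j = 1; j <= m; j++)
                if (!(want[j] in have))
                    missing = missing (missing == "" ? "" : ",") want[j]
            print $2, (missing == "" ? "ok" : "missing:" missing)
        }
    '
}

# Constructed sample fstab (not taken from a real system).
sample_fstab() {
    cat <<'EOF'
# <device>  <mount>  <type>  <options>                 <dump> <pass>
/dev/hda3   /home    ext3    user_xattr,acl,barrier=1  1 1
/dev/hda4   /srv     ext4    defaults,acl              1 2
/dev/hda5   /var     ext4    defaults                  1 2
/dev/hda1   /boot    vfat    defaults                  0 2
EOF
}

sample_fstab | check_fstab_opts
# On a live system: check_fstab_opts < /etc/fstab
```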

You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL
options for your filesystem. For ext3 (change the 3 to a 4 for ext4) that means you need:


If you are running a Linux 2.6 (or greater) kernel with CONFIG_IKCONFIG_PROC
defined you can check this with the following command:

 $ zgrep CONFIG_EXT3_FS /proc/config.gz

=== File Systems without xattr support ===

If you don't have a filesystem with xattr support, you can
simulate it by adding the following line to your smb.conf:

 posix:eadb = /usr/local/samba/eadb.tdb

This places all extra file attributes (NT ACLs, DOS EAs, streams,
etc.) in that tdb. It is not efficient and doesn't scale well, but at
least it gives you a choice when you don't have a modern filesystem.

=== Testing your filesystem ===

To test your filesystem support, install the 'attr' package and run
the following 4 commands as root:

 # touch test.txt
 # setfattr -n user.test -v test test.txt
 # setfattr -n security.test -v test2 test.txt
 # getfattr -d test.txt
 # getfattr -n security.test -d test.txt

You should see output like this:

 # file: test.txt

 # file: test.txt

For ACL testing, do the following as root:

 # touch test3.txt
 # setfacl -m g:adm:rwx test3.txt
 # getfacl test3.txt

You should get a line like <tt>group:adm:rwx</tt> in your output.

If you get any "Operation not supported" errors then it means your
kernel is not configured correctly, or your filesystem is not mounted
with the right options.

If you get any "Operation not permitted" errors then it probably means
you didn't try the test as root.

If you are using the posix:eadb option then you don't need to test your filesystem in this manner.
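The manual tests above can be run against a specific directory, such as a share or the location that will hold the sysvol, with each failure mapped to the two causes this section describes. This is an added example, not part of the original wiki page; <tt>classify</tt> and <tt>probe_fs</tt> are hypothetical helper names.

```shell
#!/bin/sh
# Added example: run this page's xattr and ACL tests inside a chosen directory
# and map failures to the two causes the page describes.
# classify and probe_fs are hypothetical helper names.

# classify <exit-status> <stderr-text> -> ok | unsupported | need-root | error
classify() {
    if [ "$1" -eq 0 ]; then echo ok; return; fi
    case "$2" in
        *"Operation not supported"*) echo unsupported ;;  # kernel or mount options
        *"Operation not permitted"*) echo need-root ;;    # test was not run as root
        *) echo error ;;                                  # e.g. attr/acl tools missing
    esac
}

# probe_fs <dir>: test the filesystem that holds <dir>.
probe_fs() {
    f=$(mktemp "$1/xattr-test.XXXXXX") || return 1
    for cmd in "setfattr -n user.test -v test" \
               "setfattr -n security.test -v test2" \
               "setfacl -m g:adm:rwx"; do
        # Capture only stderr; $cmd is split into words on purpose.
        err=$($cmd "$f" 2>&1 >/dev/null); rc=$?
        echo "$cmd: $(classify "$rc" "$err")"
    done
    rm -f "$f"
}

# Usage (as root): sh probe.sh /usr/local/samba
if [ "$#" -gt 0 ]; then probe_fs "$1"; fi
```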

Latest revision as of 16:33, 27 April 2017