Operating System Requirements: Difference between revisions
(→File System Support: fix up my last change, as TMPDIR is not consulted for where to test a file)
|Line 143:||Line 143:|
supports both the "user" and "system" xattr namespaces.
supports both the "user" and "system" xattr namespaces.
You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file
You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file the . to have ACL and XATTR support.
=== ext3/ext4 File System ===
=== ext3/ext4 File System ===
Revision as of 00:59, 15 April 2013
Development libraries and Programs
These packages are required for a successful build of samba 4
- Python -- A good portion of Samba is written using python, including the build system itself (waf).
Recommended optional development libraries and Programs:
In most distributions these libraries will be labeled with a lib*-dev or lib*-devel, for example for the Debian or Ubuntu acl would be libacl1-dev, but in Fedora, RHEL, CentOS, and openSUSE its named libacl-devel.
- acl -- Required for a successful AD DC deployment. If this library is not included, samba will build successfully, however you will not be able to change ACL's from the windows frontend. You will receive and error when you provision and if you manually create the smb.conf with +s3fs, you will get Access is denied. from windows on any attempt to change ACL's.
- openldap -- Required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail. Also see samba-tool domain classicupgrade
- cups -- for printer sharing support
- bsd or setproctitle - for process title updating support
- xsltproc and docbook XSL stylesheets -- Required for building man pages and other documentation
The examples following will cover all of these libraries. It will also cover bind, kerberos, and file system tools. If you plan to use the internal DNS server, you do not need bind, but you do still need the package that contains the nsupdate binary.
Debian or Ubuntu
# apt-get install build-essential libacl1-dev libattr1-dev \ libblkid-dev libgnutls-dev libreadline-dev python-dev \ python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev
Note: docbook-xsl, xsltproc, and inkscape may be required for building the man pages.
Note: if you need pam winbind support you will need the libpam0g-dev package installed.
Enabling Dynamically Loadable Zones (DLZ) with Bind on Debian Lenny
If you also want to use Dynamically Loadable Zones (DLZ) then you should add the corresponding option (dlopen) depending on your version of bind. If you are about to compile a downloaded tarball you might need these libraries: libkrb5-dev and libssl-dev
$ apt-get install libkrb5-dev libssl-dev $ tar -zxvf bind9.x.x.tar.gz $ cd bind9.x.x
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlz-dlopen=yes
$ ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
$ make $ make install
# yum install libacl-devel libblkid-devel gnutls-devel \ readline-devel python-devel gdb pkgconfig libattr-devel \ krb5-workstation
Red Hat Enterprise Linux or CentOS
# yum install gcc libacl-devel libblkid-devel gnutls-devel \ readline-devel python-devel gdb pkgconfig krb5-workstation \ zlib-devel setroubleshoot-server \ setroubleshoot-plugins policycoreutils-python \ libsemanage-python setools-libs-python setools-libs \ popt-devel libpcap-devel sqlite-devel libidn-devel \ libxml2-devel libacl-devel libsepol-devel libattr-devel \ keyutils-libs-devel cyrus-sasl-devel cups-devel
Note: docbook-style-xsl.noarch and libxslt.x86_64 may be required for the man pages to get installed correctly.
# zypper install libacl-devel python-selinux autoconf make \ python-devel gdb sqlite3-devel libgnutls-devel binutils \ policycoreutils-python setools-libs selinux-policy \ setools-libs popt-devel libpcap-devel keyutils-devel \ libidn-devel libxml2-devel libacl-devel libsepol-devel \ libattr-devel zlib-devel cyrus-sasl-devel gcc \ krb5-client openldap2-devel libopenssl-devel\ bind-utils bind-lib
Please note that the following sections assume at least an intermediate understanding of the Gentoo packaging system.
Gentoo uses python-3 as the default python interpreter, but at this time Samba requires python-2 (2.4.2 or greater) The following set of commands will install and set up python-2 as the default python interpreter.
# emerge --ask --noreplace '<dev-lang/python-3' # eselect python set python2.7 # python-updater
On Gentoo, you have two choices for a kerberos implementation, app-crypt/mit-krb5 and app-crypt/heimdal. Unfortunately the two implementations can not be installed at the same time. Currently, the Samba developers recommend using app-crypt/heimdal. So you must first uninstall app-crypt/mit-krb5 (if installed,) then install app-crypt/heimdal and rebuild any packages that were using the old kerberos implementation.
# emerge --unmerge --ask app-crypt/mit-krb5 # emerge --ask app-crypt/heimdal # revdep-rebuild -- -ask
To enable automatic zone management, net-dns/bind and net-dns/bind-tools should be emerged with the USE flags for berkdb, dlz and gssapi set. To enable them permanently, add the following to /etc/package.use:
net-dns/bind berkdb dlz gssapi net-dns/bind-tools gssapi
Then, emerge net-dns/bind:
# emerge --ask net-dns/bind net-dns/bind-tools
Note that if you have problems with samba's gssapi updates to bind, try using the alternate kerberos implementation of app-crypt/mit-krb5.
Samba-supplied Libraries (tdb/ldb/tevent)
There are a few Samba libraries that need to be installed, note that these packages might be keyworded as unstable, so you might need to add the following to your /etc/package.keywords:
~sys-libs/tevent-0.9.17 ~sys-libs/tdb-1.2.10 ~sys-libs/ldb-1.1.12 ~sys-libs/talloc-2.0.7
Additionally, Samba requires sys-libs/tdb and sys-libs/talloc to be emerged with the USE flag python set. To enable this permanently, add the following to /etc/package.use:
sys-libs/tdb python sys-libs/talloc python
Note: In new(er) installations of gentoo, the above files will be located in /etc/portage/, i.e. /etc/portage/package.keywords and /etc/portage/package.use. They may be symlinked to /etc for backward compatibility.
Now, emerge the packages:
# emerge --ask '=sys-libs/talloc-2.0.7' '=sys-libs/tdb-1.2.10' '=sys-libs/tevent-0.9.17' '=sys-libs/ldb-1.1.12'
Note that ebuilds for the required versions of the above packages might not be availiable in the portage tree. In this case, check Gentoo's Bugzilla for updated ebuilds.
Other Misc. Build/Run Dependencies
To ensure a successful Samba-4 installation, there are a few other packages that should be installed, as shown below:
# emerge --ask net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn
FIXME: Are dev-python/dnspython net-dns/libidn still required?
File System Support
To use the advanced features of Samba4 you need a filesystem that supports both the "user" and "system" xattr namespaces.
You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol'. This might be /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs to have ACL and XATTR support.
ext3/ext4 File System
If you are using either ext3 or ext4 for your file system you will need to include the options "user_xattr","acl" and "barrier=1" in your /etc/fstab. For example:
/dev/hda3 /home ext3 user_xattr,acl,barrier=1 1 1
Simply change ext3 to ext4 if you are using it. Normally you will want to just modify the existing line to add those options. Please use caution when modifying your fstab as it can lead to an un-bootable system if the wrong thing is modified.
The barrier=1 option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled.
You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL options for your filesystem. For ext3 (change the 3 to a 4 for ext4) that means you need:
CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_SECURITY=y CONFIG_EXT3_FS_POSIX_ACL=y
If you are running a Linux 2.6 (or greater) kernel with CONFIG_IKCONFIG_PROC defined you can check this with the following command:
$ zgrep CONFIG_EXT3_FS /proc/config.gz
File Systems without xattr support
If you don't have a filesystem with xattr support, then you can simulate it by adding the following line to your smb.conf:
posix:eadb = /usr/local/samba/eadb.tdb
that will place all extra file attributes (NT ACLs, DOS EAs, streams etc), in that tdb. It is not efficient, and doesn't scale well, but at least it gives you a choice when you don't have a modern filesystem.
Testing your filesystem
To test your filesystem support, install the 'attr' package and run the following 4 commands as root:
# touch test.txt # setfattr -n user.test -v test test.txt # setfattr -n security.test -v test2 test.txt # getfattr -d test.txt # getfattr -n security.test -d test.txt
You should see output like this:
# file: test.txt user.test="test"
# file: test.txt security.test="test2"
For ACL testing do the following as root:
# touch test3.txt # setfacl -m g:adm:rwx test3.txt # getfacl test3.txt
and you should get a line like group:adm:rwx in your output.
If you get any "Operation not supported" errors then it means your kernel is not configured correctly, or your filesystem is not mounted with the right options.
If you get any "Operation not permitted" errors then it probably means you didn't try the test as root.
If you are using the posix:eadb option then you don't need to test your filesystem in this manner.