Operating System Requirements: Difference between revisions
From SambaWiki
Mmuehlfeld (talk | contribs) m (moved Samba 4/OS Requirements to OS Requirements: Because the page describes the requirements for Samba in general I rename the page to "OS Requirements") |
Mmuehlfeld (talk | contribs) (Face-lifting the page (structure, formattings, text changes, etc.)) |
||
| Line 1: | Line 1: | ||
= File System Support = |
|||
== Development libraries and Programs == |
|||
=== Required : === |
|||
These packages are required for a successful build of samba 4 |
|||
* Python -- A good portion of Samba is written using python, including the build system itself (waf). |
|||
To use the advanced features of Samba, you need a filesystem that supports both the "user" and "system" xattr namespace. You need this support on file systems that you will share through Samba. |
|||
=== Recommended optional development libraries and Programs: === |
|||
In most distributions these libraries will be labeled with a lib*-dev or lib*-devel, for example for the Debian or Ubuntu acl would be libacl1-dev, but in Fedora, RHEL, CentOS, and openSUSE its named libacl-devel. |
|||
* acl -- Required for a successful AD DC deployment. If this library is not included, samba will build successfully, however you will not be able to change ACL's from the windows frontend. You will receive and error when you provision and if you manually create the smb.conf with +s3fs, you will get '''Access is denied.''' from windows on any attempt to change ACL's. |
|||
* xattr |
|||
* blkid |
|||
* gnutls |
|||
* readline |
|||
* openldap -- Required to build the Samba3 components with LDAP support. Lacking this library the build will complete but attempts to provision (via upgrade) an Active Directory domain from an existing Samba3 LDAP backend will fail. Also see [[Samba_Classic_Upgrade_(NT4-style_domain_to_AD)|samba-tool domain classicupgrade]] |
|||
* cups -- for printer sharing support |
|||
* bsd or setproctitle - for process title updating support |
|||
For Samba Active Directory Domain Controllers, „samba-tool“ tests during the provisioning the xattr support for /usr/local/samba/var/locks/sysvol/. |
|||
* xsltproc and docbook XSL stylesheets -- Required for building man pages and other documentation |
|||
== Distribution Setup == |
|||
The examples following will cover all of these libraries. It will also cover bind, kerberos, and file system tools. If you plan to use the internal DNS server, you do not need bind, but you do still need the package that contains the nsupdate binary. For DNS setup and management see [[DNS Administration]]. |
|||
== ext3 == |
|||
=== fstab === |
|||
For filesystems of that type shared by Samba, add the following options to your /etc/fstab: |
|||
/dev/... /srv/samba/demo ext3 <u>user_xattr,acl,barrier=1</u> 1 1 |
|||
Note: The „barrier=1“ option ensures that tdb transactions are safe against unexpected power loss. |
|||
Please be careful modifying your fstab. It can lead into an unbootable system! |
|||
=== Kernel support === |
|||
Ensure that your kernel has the following options enabled: |
|||
CONFIG_EXT3_FS_XATTR=y |
|||
CONFIG_EXT3_FS_SECURITY=y |
|||
CONFIG_EXT3_FS_POSIX_ACL=y |
|||
== ext4 == |
|||
=== fstab === |
|||
For filesystems of that type shared by Samba, add the following options to your /etc/fstab: |
|||
/dev/... /srv/samba/demo ext4 <u>user_xattr,acl,barrier=1</u> 1 1 |
|||
Note: The „barrier=1“ option ensures that tdb transactions are safe against unexpected power loss. |
|||
Please be careful modifying your fstab. It can lead into an unbootable system! |
|||
=== Kernel support === |
|||
Ensure that your kernel has the following options enabled: |
|||
CONFIG_EXT4_FS_XATTR=y |
|||
CONFIG_EXT4_FS_SECURITY=y |
|||
CONFIG_EXT4_FS_POSIX_ACL=y |
|||
== XFS == |
|||
=== fstab === |
|||
No special mount options are required in your fstab. |
|||
=== Kernel support === |
|||
Ensure that your kernel has the following options enabled: |
|||
CONFIG_XFS_POSIX_ACL=y |
|||
== File Systems without xattr support == |
|||
'''Note: This is not recommended!!!''' |
|||
If you don't have a filesystem with xattr support, you can simulate it by adding the following line to your smb.conf: |
|||
posix:eadb = /usr/local/samba/private/eadb.tdb |
|||
This will place all extra file attributes (NT ACLs, DOS EAs, streams, etc), in that tdb. |
|||
'''Note: Because it is not efficient and doesn't scale well it should not be used in production!''' |
|||
== Testing your filesystem == |
|||
''Note: This is not required for [[#File_Systems_without_xattr_support|file systems without xattr support]].'' |
|||
Before you start testing, ensure, that you have the „attr“ package installed! |
|||
Run the following commands as root to test xattr support: |
|||
# touch test.txt |
|||
# setfattr -n user.test -v test test.txt |
|||
# setfattr -n security.test -v test2 test.txt |
|||
The following commands should return the shown output: |
|||
# getfattr -d test.txt |
|||
# file: test.txt |
|||
user.test="test" |
|||
# getfattr -n security.test -d test.txt |
|||
# file: test.txt |
|||
security.test="test2" |
|||
Run the following commands as root to test extended ACL support: |
|||
# touch test.txt |
|||
# setfacl -m g:adm:rwx test.txt |
|||
The following command should return the shown output: |
|||
# getfacl test.txt |
|||
# file: test.txt |
|||
# owner: root |
|||
# group: root |
|||
user::rw- |
|||
group::r-- |
|||
group:adm:rwx |
|||
mask::rwx |
|||
other::r-- |
|||
Note: Getting an "Operation not supported" error means your kernel is not configured correctly or your filesystem is not mounted with the correct options. |
|||
Note: Getting an "Operation not permitted" error means you didn't run the commands as user „root“. |
|||
= Required Libraries and programs = |
|||
Depending on your distribution, the package name of the following libraries and programs may differ. Typically they are labled with lib*-dev or lib*-devel. See [[#Distribution_specific_package_installation|Distribution specific package installation]]. |
|||
<u>Required:</u> |
|||
* python |
|||
:A good portion of Samba is written using python, including the build system itself (waf). |
|||
<u>(Recommended) Optional:</u> |
|||
* acl |
|||
:Required for a successfull Samba AD DC deployment! On Member Servers it is required to use the complete set of Windows ACLs. |
|||
* xattr |
|||
:Required for a successfull Samba AD DC deployment! On Member Servers it is required to use the complete set of Windows ACLs. |
|||
* blkid |
|||
* gnutls |
|||
* readline |
|||
* cups |
|||
:Required for CUPS printer sharing support. |
|||
* bsd or setproctitle |
|||
:Required for process title updating support. |
|||
* xsltproc |
|||
:Required for building man pages and other documentation. |
|||
* docbook |
|||
:Required for building man pages and other documentation. |
|||
* openldap |
|||
:Required to build the Samba NT4-style PDC components with LDAP support and Active Directory Member Server support. Also required for the [[Samba_Classic_Upgrade_(NT4-style_domain_to_AD)|Samba classicupgrade]]. |
|||
== Distribution specific package installation == |
|||
The following examples will cover all of the required libraries and programs. It will also cover BIND, kerberos and file system tools. If you plan to use the internal DNS server, you do not need BIND, but you do still need the package that contains the „nsupdate“ binary. |
|||
=== Debian / Ubuntu === |
|||
# apt-get install build-essential libacl1-dev libattr1-dev \ |
# apt-get install build-essential libacl1-dev libattr1-dev \ |
||
libblkid-dev libgnutls-dev libreadline-dev python-dev \ |
libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \ |
||
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ |
python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ |
||
dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl |
dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl |
||
Note: docbook-xsl, xsltproc, and inkscape may be required for building the man pages. |
|||
Note: if you need '''pam winbind''' support you will need the <tt>libpam0g-dev package</tt> installed. |
|||
=== Fedora === |
=== Fedora === |
||
| Line 36: | Line 192: | ||
krb5-workstation |
krb5-workstation |
||
=== Red Hat Enterprise Linux or CentOS === |
|||
=== Red Hat Enterprise Linux / CentOS / Scientific Linux === |
|||
# yum install gcc libacl-devel libblkid-devel gnutls-devel \ |
# yum install gcc libacl-devel libblkid-devel gnutls-devel \ |
||
| Line 47: | Line 204: | ||
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils |
keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils |
||
Note: docbook-style-xsl.noarch and libxslt.x86_64 may be required for the man pages to get installed correctly. |
|||
=== openSUSE === |
=== openSUSE === |
||
| Line 59: | Line 216: | ||
krb5-client openldap2-devel libopenssl-devel\ |
krb5-client openldap2-devel libopenssl-devel\ |
||
bind-utils bind-lib |
bind-utils bind-lib |
||
=== Gentoo === |
=== Gentoo === |
||
Please note that the following sections assume at least an intermediate understanding of the Gentoo packaging system. |
Please note that the following sections assume at least an intermediate understanding of the Gentoo packaging system. |
||
==== Python ==== |
==== Python ==== |
||
Gentoo uses python-3 as the default python interpreter, but at this time Samba requires python-2 (2.4.2 or greater) The following set of commands will install and set up python-2 as the default python interpreter. |
|||
Gentoo uses Python 3 as the default python interpreter, but at this time Samba requires Python 2 (2.4.2 or later). The following set of commands will install and set up Python 2 as the default python interpreter. |
|||
# emerge --ask --noreplace '<dev-lang/python-3' |
# emerge --ask --noreplace '<dev-lang/python-3' |
||
# eselect python set python2.7 |
# eselect python set python2.7 |
||
# python-updater |
# python-updater |
||
==== Kerberos ==== |
==== Kerberos ==== |
||
On Gentoo, you have two choices for a kerberos implementation, '''app-crypt/mit-krb5''' and '''app-crypt/heimdal'''. Unfortunately the two implementations can not be installed at the same time. Currently, the Samba developers recommend using '''app-crypt/heimdal'''. So you must first uninstall '''app-crypt/mit-krb5''' (if installed,) then install '''app-crypt/heimdal''' and rebuild any packages that were using the old kerberos implementation. |
|||
On Gentoo, you have two choices for a kerberos implementation, app-crypt/mit-krb5 and app-crypt/heimdal. Unfortunately the two implementations can not be installed at the same time. Currently, the Samba only supports app-crypt/heimdal. So you must first uninstall app-crypt/mit-krb5, if installed. Then install app-crypt/heimdal and rebuild any packages that were using the previous kerberos implementation. |
|||
# emerge --unmerge --ask app-crypt/mit-krb5 |
# emerge --unmerge --ask app-crypt/mit-krb5 |
||
# emerge --ask app-crypt/heimdal |
# emerge --ask app-crypt/heimdal |
||
# revdep-rebuild -- -ask |
# revdep-rebuild -- -ask |
||
==== Bind ==== |
==== Bind ==== |
||
To enable automatic zone management, '''net-dns/bind''' and '''net-dns/bind-tools''' should be emerged with the USE flags for '''berkdb''', '''dlz''' and '''gssapi''' set. To enable them permanently, add the following to '''/etc/package.use''': |
|||
To enable automatic zone management, net-dns/bind and net-dns/bind-tools should be emerged with the USE flags for berkdb, dlz and gssapi set. To enable them permanently, add the following to /etc/package.use: |
|||
net-dns/bind berkdb dlz gssapi |
net-dns/bind berkdb dlz gssapi |
||
net-dns/bind-tools gssapi |
net-dns/bind-tools gssapi |
||
Then, emerge |
Then, emerge net-dns/bind: |
||
# emerge --ask net-dns/bind net-dns/bind-tools |
# emerge --ask net-dns/bind net-dns/bind-tools |
||
Note that if you have problems with samba's gssapi updates to bind, try using the alternate kerberos implementation of app-crypt/mit-krb5. |
|||
==== Samba-supplied Libraries (tdb/ldb/tevent) ==== |
==== Samba-supplied Libraries (tdb/ldb/tevent) ==== |
||
There are a few Samba libraries that need to be installed, note that these packages might be keyworded as unstable, so you might need to add the following to your '''/etc/package.keywords''': |
|||
There are a few Samba libraries that need to be installed. Note that these packages might be keyworded as unstable, so you might need to add the following to your /etc/package.keywords: |
|||
~sys-libs/tevent-0.9.17 |
~sys-libs/tevent-0.9.17 |
||
| Line 97: | Line 267: | ||
~sys-libs/talloc-2.0.7 |
~sys-libs/talloc-2.0.7 |
||
Additionally, Samba requires |
Additionally, Samba requires sys-libs/tdb and sys-libs/talloc to be emerged with the USE flag python set. To enable this permanently, add the following to /etc/package.use: |
||
sys-libs/tdb python |
sys-libs/tdb python |
||
sys-libs/talloc python |
sys-libs/talloc python |
||
Note: In new(er) installations of |
Note: In new(er) installations of Gentoo, the above files will be located in /etc/portage/, i.e. /etc/portage/package.keywords and /etc/portage/package.use. They may be symlinked to /etc for backward compatibility. |
||
Now, emerge the packages: |
Now, emerge the packages: |
||
| Line 108: | Line 278: | ||
# emerge --ask '=sys-libs/talloc-2.0.7' '=sys-libs/tdb-1.2.10' '=sys-libs/tevent-0.9.17' '=sys-libs/ldb-1.1.12' |
# emerge --ask '=sys-libs/talloc-2.0.7' '=sys-libs/tdb-1.2.10' '=sys-libs/tevent-0.9.17' '=sys-libs/ldb-1.1.12' |
||
Note that ebuilds for the required versions of the above packages might not be availiable in the portage tree. |
Note that ebuilds for the required versions of the above packages might not be availiable in the portage tree. In this case, check [https://bugs.gentoo.org/ Gentoo's Bugzilla] for updated ebuilds. |
||
==== Other Misc. Build/Run Dependencies ==== |
|||
To ensure a successful Samba-4 installation, there are a few other packages that should be installed, as shown below: |
|||
# emerge --ask net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn |
|||
==== Other Misc. Build/Run Dependencies ==== |
|||
FIXME: Are dev-python/dnspython net-dns/libidn still required? |
|||
To ensure a successful Samba 4 installation, there are a few other packages that should be installed, as shown below: |
|||
== File System Support == |
|||
# emerge --ask net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn |
|||
FIXME: Are dev-python/dnspython net-dns/libidn still required? |
|||
To use the advanced features of Samba4 you need a filesystem that |
|||
supports both the "user" and "system" xattr namespaces. |
|||
You need this support on file systems that you will share with samba. For many users that will be their /home volume. However the 'samba-tool' provision command also tests support by creating a temporary file in the 'sysvol'. This might be /usr/local/samba for a local install, or might be somewhere else. That filesystem also needs to have ACL and XATTR support. |
|||
=== ext3/ext4 File System === |
|||
If you are using either ext3 or ext4 for your file system you will need to |
|||
include the options "user_xattr","acl" and "barrier=1" in your /etc/fstab. For example: |
|||
/dev/hda3 /home ext3 user_xattr,acl,barrier=1 1 1 |
|||
Simply change ext3 to ext4 if you are using it. Normally you will want to just modify the existing line to add those options. Please use caution when modifying your fstab as it can lead to an un-bootable system if the wrong thing is modified. |
|||
The '''barrier=1''' option ensures that tdb transactions are safe against unexpected power loss. A number of sites have corrupted their AD database in sam.ldb by not having this option enabled. |
|||
You also need to compile your kernel with the XATTR, SECURITY, and POSIX_ACL |
|||
options for your filesystem. For ext3 (change the 3 to a 4 for ext4) that means you need: |
|||
CONFIG_EXT3_FS_XATTR=y |
|||
CONFIG_EXT3_FS_SECURITY=y |
|||
CONFIG_EXT3_FS_POSIX_ACL=y |
|||
If you are running a Linux 2.6 (or greater) kernel with CONFIG_IKCONFIG_PROC |
|||
defined you can check this with the following command: |
|||
$ zgrep CONFIG_EXT3_FS /proc/config.gz |
|||
=== File Systems without xattr support === |
|||
If you don't have a filesystem with xattr support, then you can |
|||
simulate it by adding the following line to your smb.conf: |
|||
posix:eadb = /usr/local/samba/eadb.tdb |
|||
that will place all extra file attributes (NT ACLs, DOS EAs, streams |
|||
etc), in that tdb. It is not efficient, and doesn't scale well, but at |
|||
least it gives you a choice when you don't have a modern filesystem. |
|||
=== Testing your filesystem === |
|||
To test your filesystem support, install the 'attr' package and run |
|||
the following 4 commands as root: |
|||
# touch test.txt |
|||
# setfattr -n user.test -v test test.txt |
|||
# setfattr -n security.test -v test2 test.txt |
|||
# getfattr -d test.txt |
|||
# getfattr -n security.test -d test.txt |
|||
You should see output like this: |
|||
# file: test.txt |
|||
user.test="test" |
|||
# file: test.txt |
|||
security.test="test2" |
|||
For ACL testing do the following as root: |
|||
# touch test3.txt |
|||
# setfacl -m g:adm:rwx test3.txt |
|||
# getfacl test3.txt |
|||
and you should get a line like <tt>group:adm:rwx</tt> in your output. |
|||
If you get any "Operation not supported" errors then it means your |
|||
kernel is not configured correctly, or your filesystem is not mounted |
|||
with the right options. |
|||
If you get any "Operation not permitted" errors then it probably means |
|||
you didn't try the test as root. |
|||
If you are using the posix:eadb option then you don't need to test your filesystem in this manner. |
|||
Revision as of 22:17, 27 May 2014
File System Support
To use the advanced features of Samba, you need a filesystem that supports both the "user" and "system" xattr namespace. You need this support on file systems that you will share through Samba.
For Samba Active Directory Domain Controllers, „samba-tool“ tests during the provisioning the xattr support for /usr/local/samba/var/locks/sysvol/.
ext3
fstab
For filesystems of that type shared by Samba, add the following options to your /etc/fstab:
/dev/... /srv/samba/demo ext3 user_xattr,acl,barrier=1 1 1
Note: The „barrier=1“ option ensures that tdb transactions are safe against unexpected power loss.
Please be careful modifying your fstab. It can lead into an unbootable system!
Kernel support
Ensure that your kernel has the following options enabled:
CONFIG_EXT3_FS_XATTR=y CONFIG_EXT3_FS_SECURITY=y CONFIG_EXT3_FS_POSIX_ACL=y
ext4
fstab
For filesystems of that type shared by Samba, add the following options to your /etc/fstab:
/dev/... /srv/samba/demo ext4 user_xattr,acl,barrier=1 1 1
Note: The „barrier=1“ option ensures that tdb transactions are safe against unexpected power loss.
Please be careful modifying your fstab. It can lead into an unbootable system!
Kernel support
Ensure that your kernel has the following options enabled:
CONFIG_EXT4_FS_XATTR=y CONFIG_EXT4_FS_SECURITY=y CONFIG_EXT4_FS_POSIX_ACL=y
XFS
fstab
No special mount options are required in your fstab.
Kernel support
Ensure that your kernel has the following options enabled:
CONFIG_XFS_POSIX_ACL=y
File Systems without xattr support
Note: This is not recommended!!!
If you don't have a filesystem with xattr support, you can simulate it by adding the following line to your smb.conf:
posix:eadb = /usr/local/samba/private/eadb.tdb
This will place all extra file attributes (NT ACLs, DOS EAs, streams, etc), in that tdb.
Note: Because it is not efficient and doesn't scale well it should not be used in production!
Testing your filesystem
Note: This is not required for file systems without xattr support.
Before you start testing, ensure, that you have the „attr“ package installed!
Run the following commands as root to test xattr support:
# touch test.txt # setfattr -n user.test -v test test.txt # setfattr -n security.test -v test2 test.txt
The following commands should return the shown output:
# getfattr -d test.txt # file: test.txt user.test="test" # getfattr -n security.test -d test.txt # file: test.txt security.test="test2"
Run the following commands as root to test extended ACL support:
# touch test.txt # setfacl -m g:adm:rwx test.txt
The following command should return the shown output:
# getfacl test.txt # file: test.txt # owner: root # group: root user::rw- group::r-- group:adm:rwx mask::rwx other::r--
Note: Getting an "Operation not supported" error means your kernel is not configured correctly or your filesystem is not mounted with the correct options.
Note: Getting an "Operation not permitted" error means you didn't run the commands as user „root“.
Required Libraries and programs
Depending on your distribution, the package name of the following libraries and programs may differ. Typically they are labled with lib*-dev or lib*-devel. See Distribution specific package installation.
Required:
- python
- A good portion of Samba is written using python, including the build system itself (waf).
(Recommended) Optional:
- acl
- Required for a successfull Samba AD DC deployment! On Member Servers it is required to use the complete set of Windows ACLs.
- xattr
- Required for a successfull Samba AD DC deployment! On Member Servers it is required to use the complete set of Windows ACLs.
- blkid
- gnutls
- readline
- cups
- Required for CUPS printer sharing support.
- bsd or setproctitle
- Required for process title updating support.
- xsltproc
- Required for building man pages and other documentation.
- docbook
- Required for building man pages and other documentation.
- openldap
- Required to build the Samba NT4-style PDC components with LDAP support and Active Directory Member Server support. Also required for the Samba classicupgrade.
Distribution specific package installation
The following examples will cover all of the required libraries and programs. It will also cover BIND, kerberos and file system tools. If you plan to use the internal DNS server, you do not need BIND, but you do still need the package that contains the „nsupdate“ binary.
Debian / Ubuntu
# apt-get install build-essential libacl1-dev libattr1-dev \ libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev \ python-dnspython gdb pkg-config libpopt-dev libldap2-dev \ dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
Fedora
# yum install libacl-devel libblkid-devel gnutls-devel \ readline-devel python-devel gdb pkgconfig libattr-devel \ krb5-workstation
Red Hat Enterprise Linux / CentOS / Scientific Linux
# yum install gcc libacl-devel libblkid-devel gnutls-devel \ readline-devel python-devel gdb pkgconfig krb5-workstation \ zlib-devel setroubleshoot-server libaio-devel \ setroubleshoot-plugins policycoreutils-python \ libsemanage-python setools-libs-python setools-libs \ popt-devel libpcap-devel sqlite-devel libidn-devel \ libxml2-devel libacl-devel libsepol-devel libattr-devel \ keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils
openSUSE
# zypper install libacl-devel python-selinux autoconf make \
python-devel gdb sqlite3-devel libgnutls-devel binutils \
policycoreutils-python setools-libs selinux-policy \
setools-libs popt-devel libpcap-devel keyutils-devel \
libidn-devel libxml2-devel libacl-devel libsepol-devel \
libattr-devel zlib-devel cyrus-sasl-devel gcc \
krb5-client openldap2-devel libopenssl-devel\
bind-utils bind-lib
Gentoo
Please note that the following sections assume at least an intermediate understanding of the Gentoo packaging system.
Python
Gentoo uses Python 3 as the default python interpreter, but at this time Samba requires Python 2 (2.4.2 or later). The following set of commands will install and set up Python 2 as the default python interpreter.
# emerge --ask --noreplace '<dev-lang/python-3' # eselect python set python2.7 # python-updater
Kerberos
On Gentoo, you have two choices for a kerberos implementation, app-crypt/mit-krb5 and app-crypt/heimdal. Unfortunately the two implementations can not be installed at the same time. Currently, the Samba only supports app-crypt/heimdal. So you must first uninstall app-crypt/mit-krb5, if installed. Then install app-crypt/heimdal and rebuild any packages that were using the previous kerberos implementation.
# emerge --unmerge --ask app-crypt/mit-krb5 # emerge --ask app-crypt/heimdal # revdep-rebuild -- -ask
Bind
To enable automatic zone management, net-dns/bind and net-dns/bind-tools should be emerged with the USE flags for berkdb, dlz and gssapi set. To enable them permanently, add the following to /etc/package.use:
net-dns/bind berkdb dlz gssapi net-dns/bind-tools gssapi
Then, emerge net-dns/bind:
# emerge --ask net-dns/bind net-dns/bind-tools
Samba-supplied Libraries (tdb/ldb/tevent)
There are a few Samba libraries that need to be installed. Note that these packages might be keyworded as unstable, so you might need to add the following to your /etc/package.keywords:
~sys-libs/tevent-0.9.17 ~sys-libs/tdb-1.2.10 ~sys-libs/ldb-1.1.12 ~sys-libs/talloc-2.0.7
Additionally, Samba requires sys-libs/tdb and sys-libs/talloc to be emerged with the USE flag python set. To enable this permanently, add the following to /etc/package.use:
sys-libs/tdb python sys-libs/talloc python
Note: In new(er) installations of Gentoo, the above files will be located in /etc/portage/, i.e. /etc/portage/package.keywords and /etc/portage/package.use. They may be symlinked to /etc for backward compatibility.
Now, emerge the packages:
# emerge --ask '=sys-libs/talloc-2.0.7' '=sys-libs/tdb-1.2.10' '=sys-libs/tevent-0.9.17' '=sys-libs/ldb-1.1.12'
Note that ebuilds for the required versions of the above packages might not be availiable in the portage tree. In this case, check Gentoo's Bugzilla for updated ebuilds.
Other Misc. Build/Run Dependencies
To ensure a successful Samba 4 installation, there are a few other packages that should be installed, as shown below:
# emerge --ask net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn
FIXME: Are dev-python/dnspython net-dns/libidn still required?