Compiling Samba 3.0.13 With Active Directory Support on Mac OS 10.3.8


Assumptions:

  1. Apple Developer Tools are installed
  2. Interoperability with OpenDirectory is not desired, nor is it used for other services
  3. A Microsoft Windows Active Directory (AD) Domain is functioning on the local network
  4. The user is familiar with Microsoft Windows AD, Mac OS X, UNIX, and Samba
  5. The native Samba service is disabled
  6. The user performs the following instructions as root

Installation:

  1. Obtain samba-3.0.13.tar.gz from samba.org, and extract the source.
  2. Obtain the necessary patches from Apple, or download them here.
  3. From the terminal, apply the patches (ignore failures) via the command: patch < <patch_name>
  4. Edit <samba_dir>/source/configure: comment out line 5014, LDFLAGS="$LDFLAGS -L/sw/lib"
  5. Configure, with appropriate options: <samba_dir>/source/configure --disable-cups --with-ads --with-winbind
  6. Compile: <samba_dir>/source/make -sss
  7. Install (default installation directory is /usr/local): <samba_dir>/source/make install
  8. Create supplementary directories:
    1. mkdir <install_directory>/var/log
    2. mkdir <install_directory>/var/spool

Configuration:

This is a two part process: first, we must configure Samba to work with the authentication methods available in Mac OS X; secondly, we need to edit smb.conf to reflect the structure of the Active Directory in place on the local network.

  1. Part I. lookupd
    Because the authentication back-end to the AD used by Samba is not yet ported to Mac OS X, we have to make do with a rather nasty hack, which involves writing our own master.passwd and group files. Remember, we're assuming that interoperability with OpenDirectory is neither desired nor required by other services. Why are we so adamant on this point? Because we're going to strip out all authentication methods except for NetInfo, Cache, and Flat Files. If you require OpenDirectory support, then man lookupd is your friend.

    WARNING: BY FOLLOWING THESE INSTRUCTIONS YOU RUN THE RISK OF INADVERTENTLY LOCKING ALL USERS OUT OF THE COMPUTER.

    1. Create a directory for lookupd config files: mkdir /etc/lookupd
    2. Create necessary config files. These files tell lookupd where to look for authentication information. The following assumes that you've installed samba to /usr/local/samba (default).
      1. touch /etc/lookupd/users
      2. touch /etc/lookupd/groups
      3. echo "LookupOrder Cache NI FF FF:/usr/local/samba/lib" > /etc/lookupd/users
    3. We've just told lookupd to search the files /usr/local/samba/lib/master.passwd, and /usr/local/samba/lib/group for a list of valid users and groups on the system, in addition to the standard methods. Now, we need to actually create these files, and fill them with something useful:
      1. touch <install_directory>/lib/master.passwd
      2. touch <install_directory>/lib/group
    4. These files follow the standard UNIX (BSD, at least) format. As we'll be letting Samba verify user passwords against the AD controller, we can leave the password field as "*" (no local password) in master.passwd. As an example, we'll create user and group entries for two accounts, Administrator and test_user. In master.passwd add the following lines, ending with a blank line:
        Administrator:*:10000:10000::0:0:ADS User:/Users/Administrator:/usr/bin/false
        test_user:*:10001:10001::0:0:ADS User:/Users/test_user:/usr/bin/false
        ------->*Blank Line*

        In group add the following lines, ending with a blank line:
        Administrator:*:10000:
        test_user:*:10001:
        ------->*Blank Line*

        Now, you'll need to do this for every user you wish to grant access to the Samba server. (Scripting might be a good idea. ;]) You'll also need to create home directories for each user. See this document for an explanation of how to add more users and create home directories.
    5. Before we can create any home directories we'll need to let lookupd know about the configuration changes: kill -HUP <PID of lookupd> (The PID of lookupd can be found in /var/run/lookupd.pid)
    6. To ensure that everything worked as expected we'll need to query the password and group databases. Luckily, samba includes a utility for this that we'll need to compile:
      1. cd <samba_dir>/testsuite/nsswitch
      2. gcc -o getent getent.c

        To check the password (user) database: ./getent passwd
        This should list all of the users on the system, including the two we just added:
        ...
        Administrator:*:10000:10000:ADS User:/Users/Administrator:/usr/bin/false
        test_user:*:10001:10001:ADS User:/Users/test_user:/usr/bin/false

        To check the group database: ./getent group
        This should list all of the groups on the system, including the two we just added:
        ...
        Administrator:*:10000:
        test_user:*:10001:

        If you don't see something similar to the above, then you've made a mistake somewhere. (Did you remember those blank lines?)
    7. Assuming that everything went OK, we'll create home directories for our two example users:
      1. mkdir /Users/Administrator
      2. chown -R Administrator:Administrator /Users/Administrator
      3. mkdir /Users/test_user
      4. chown -R test_user:test_user /Users/test_user
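
    The following script is an added example, not part of the original howto or of Samba, covering the "scripting might be a good idea" remark in step 4 and the check in step 6: it generates the master.passwd and group records for a list of AD users, hands out UIDs sequentially, refuses names that would corrupt the colon-separated format, keeps the required trailing blank line, and can be re-run without duplicating entries. It assumes <install_directory>/lib is /usr/local/samba/lib (override with SAMBA_LIB) and that the first UID is 10000 (override with FIRST_UID); both names are mine.

```shell
#!/bin/sh
# Added example, not part of the original howto: bulk-create the master.passwd
# and group records from step 4 for a list of AD users, one UID/GID per user,
# ending each file with the single blank line that step 4 requires.
# Assumptions (mine): SAMBA_LIB is <install_directory>/lib, UIDs are handed
# out sequentially from FIRST_UID, and re-running must not duplicate entries.
SAMBA_LIB=${SAMBA_LIB:-/usr/local/samba/lib}
FIRST_UID=${FIRST_UID:-10000}

# Append one user to both files unless the name is already present.
# Usage: add_ads_user <name> <uid> [passwd_file] [group_file]
add_ads_user() {
    name=$1; id=$2
    pw=${3:-$SAMBA_LIB/master.passwd}; gr=${4:-$SAMBA_LIB/group}
    # A ':' or a space in a name would corrupt the colon-separated records.
    case $name in ''|*:*|*' '*) return 1 ;; esac
    grep -q "^$name:" "$pw" 2>/dev/null && return 2   # already there
    # Rewrite each file without blank lines, add the record, then add back
    # the one blank line that must terminate the file.
    { grep -v '^$' "$pw" 2>/dev/null
      echo "$name:*:$id:$id::0:0:ADS User:/Users/$name:/usr/bin/false"
      echo; } > "$pw.tmp" && mv "$pw.tmp" "$pw"
    { grep -v '^$' "$gr" 2>/dev/null; echo "$name:*:$id:"; echo; } > "$gr.tmp" \
        && mv "$gr.tmp" "$gr"
}

# Add every name in a whitespace-separated list, continuing after the highest
# UID already in master.passwd so a second run never reuses an id.
# Usage: add_ads_users "Administrator test_user" [passwd_file] [group_file]
add_ads_users() {
    list=$1; pw=${2:-$SAMBA_LIB/master.passwd}; gr=${3:-$SAMBA_LIB/group}
    next=$FIRST_UID
    if [ -s "$pw" ]; then
        max=$(grep -v '^$' "$pw" | cut -d: -f3 | sort -n | tail -1)
        [ -n "$max" ] && [ "$max" -ge "$next" ] && next=$((max + 1))
    fi
    for u in $list; do
        add_ads_user "$u" "$next" "$pw" "$gr" && next=$((next + 1))
    done
}

# Print one user's record from a file, as ./getent would show it once
# lookupd has been sent a HUP (step 5).
# Usage: lookup_ads_user <name> <file>
lookup_ads_user() {
    grep "^$1:" "$2"
}
```

Run it as root after step 3, e.g. add_ads_users "Administrator test_user", then HUP lookupd and create the home directories as in steps 5 and 7.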

  2. Part II. Edit smb.conf
      Since we're assuming a working knowledge of both Samba and Active Directory, we'll provide a minimal smb.conf file for AD integration; edit it to suit your needs. This file should reside in <install_dir>/lib.

      The script referenced by the root preexec line is a shell script that I use to create home directories and populate them with directories of my choosing. It is available here.

Integration: Joining Samba to the Active Directory

NOTE: Ensure that the samba server uses the AD DNS, and that the samba server has a forward and reverse look-up on the AD DNS.

  1. From the terminal, generate a Kerberos ticket for a user with permission to add computers to the domain, Administrator in our case: kinit Administrator@ADS_REALM (This must be the fully qualified name of the AD realm, in capitals!)
  2. Perform the join:
    1. cd <install_dir>/bin (This is very important: if you don't change directories, you'll probably end up joining the native version of Samba to the domain, not the one you compiled.)
    2. ./net ads join -U Administrator

      Test the join via:
      ./net ads testjoin

      If everything went as planned then you should receive:
      "Join is OK"

Final Notes: Start-up Scripts

In order for the Samba suite to start upon boot, you'll need to add a few scripts to /Library/StartupItems. I've provided the necessary scripts here. To install the start-up scripts:

  1. tar -zxf StartupItems.Samba.tgz
  2. mv Samba /Library/StartupItems

    You should reboot to ensure that the scripts worked.

A script for starting and stopping Samba and its associated daemons is provided here.


This work was originally done for The Krell Institute. Any comments or questions may be directed to: rgerdes-AT-iastate.edu. I'm a (supposedly) busy graduate student, so it may take me a while to reply to your queries.