SAMBA:Winbind:Access Control List - Mini How-to
by Brent Norris
Written: 11/9/01
Things you will need:
- For Easier Installation: My Samba Rpm with ACL enabled
- Newest kernel (go to kernel.org)
- Alan Cox's -ac patches (Not a requirement, but recommended)
- ACL Patch and Extended Attributes Patch
- Newest e2fsprogs
- Utilities to use Access Control Lists
- Fileutils and the binary patch for them.
- And of Course... A Linux Box
1. Introduction
Why do you want to mess with this stuff?
Does no one go for Geek Factor anymore? Well, the first thing is this... Someday you are hopefully going to work for a company (Yeah, I know, hard to believe, isn't it?). Unless you are lucky enough to get in with a company that uses Linux exclusively, you are going to have to work with Windows in some form or another. Since most companies that use Windows aren't going to have their network built around Workgroups, chances are that you are also going to have to work with a Domain. The stuff that we are about to wade into will make Samba work better with Domains and bring you to the point that you could slip a Linux machine in as a fileserver and no one would ever know the difference.
What is this stuff?
I'll take a second to explain what these three things are and what they do for you.
- SAMBA: The short version of what Samba is is this: Samba is a software package that lets Linux talk to Windows for shares and printing. For the longer version see samba.org.
- Winbind: This is new to SAMBA 2.2.2. It is the daemon that allows Samba to map Windows domain users and groups to Linux users and groups. It is a big step in the direction of integrating Samba into the Windows domain.
- Access Control Lists: This is the next big piece in the pie. This allows you to set Windows security lists for shares and directories, instead of being limited to the one user, one group, everyone permissions that you normally have for Linux.
2. Setting up SAMBA itself
If you have the RPM that I created with the ACL stuff already compiled in then you are on your way. First grab the tar files for the ACL add-ons from the link above and install them on the machine. This is quite easy and should amount to nothing more than untarring them, changing (cd) into the resulting directory and running the following commands: ./configure, make, and make install. Ok, now copy libacl.so.0 from /usr/local/libs to both /usr/lib/ and /lib (WIP: Yes I know this is somewhat of a hack, but I haven't taken the time to figure out where it needs to be yet).
Next shut down Samba (/etc/init.d/smb stop) and remove all the Samba packages that are installed on your machine. The package that you are going to install will replace them. Now perform a rpm -i samba-2.2.2-20011013.i386-acl.rpm; this will install the ACL-enabled SAMBA on your machine. If for some reason you get an error stating that SAMBA needs to have libacl.so.0 installed then go ahead and perform a rpm -i --nodeps samba-2.2.2-20011013.i386-acl.rpm
WARNING!!! Installing rpms with the --nodeps option can seriously mess up your system. Perform only if you know what you are doing in the given situation. (WIP: This goes with the previous WIP.)
SAMBA has now been installed on your machine. Configure it to join up with your domain as directed in the DOMAIN.txt file that comes with SAMBA. You need to rejoin your machine to the domain if you have upgraded from any version of SAMBA, as it uses a new system to store the machine SID.
3. Setting up Winbind
This space left blank intentionally :). For right now use the winbind.txt file that comes with this version of SAMBA. It is a good reference and will take you through it rather easily.
The one thing I will tell you as a helpful hint is this... if you are on a domain with a large number of accounts and groups, turn off enum users and enum groups; this will greatly speed up login times and such.
4. Access Control Lists
For this section you will have to re-compile the kernel to work with ACLs. Again, it isn't hard; just go slow and check what you are doing.
What to do
- Un{b/g}zip and untar the kernel source into /usr/src
- Un{b/g}zip Alan's patch.
- cd into the resulting /usr/src/linux directory.
- Run the following command: patch -p1 < ../patch-ac#
  This will apply Alan's patch to the fresh kernel source.
- This would be a good time to go ahead and set your machine up for ext3 filesystems as well. See my howto.
- Untar the two patches for ACL and Extended File Attributes in /usr/src
- Apply the Extended Attributes patch in the /usr/src/linux directory with the command: patch -p1 < ../linux-2.4.13-ac8-ea-0.7.23.patch
  then do the same for the ACL patch.
- Do a make menuconfig and configure your kernel to work with your machine.
- Under the filesystem sub-menu select Extended filesystem attributes, Extended user attributes, Posix Access Control Lists, (if using ext3: Extended attributes for ext3, Extended attribute block sharing for ext3), Extended attributes for ext2, Extended attribute block sharing for ext2.
- Compile the kernel in the usual way.
- Don't forget to add it to lilo.
- Select your new kernel
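
Once ACLs are in use on a share, the rights a named user or group really gets are its entry limited by the mask entry, which is easy to misread when checking who can write to a directory. The script below is an added example, not part of the original how-to: it parses getfacl output and lists the effective rights. The sample listing, the share path and the DOMAIN+name accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective rights from getfacl output.
# The mask entry caps named users, the owning group and named groups;
# the file owner (user::) and other:: are not affected by it.

# Constructed sample of getfacl output. The share path and the DOMAIN+name
# accounts (winbind-style names) are made up for illustration.
sample_acl() {
cat <<'EOF'
# file: srv/share
# owner: root
# group: root
user::rwx
user:DOMAIN+jdoe:rwx
group::r-x
group:DOMAIN+staff:rwx
mask::r-x
other::---
EOF
}

# effective_acl: read getfacl text on stdin, print "type:name:effective" lines.
effective_acl() {
    awk -F: '
        /^#/ || NF < 3 { next }              # skip header comments and blank lines
        { sub(/[ \t]*#.*$/, "", $3)          # drop a trailing "#effective:" note
          type[++n] = $1; name[n] = $2; perm[n] = $3
          if ($1 == "mask") mask = $3 }
        END {
            for (i = 1; i <= n; i++) {
                if (type[i] == "mask") continue
                p = perm[i]
                masked = (type[i] == "group" || (type[i] == "user" && name[i] != ""))
                if (masked && mask != "") {  # clear every bit the mask does not allow
                    e = ""
                    for (k = 1; k <= 3; k++)
                        e = e (substr(mask, k, 1) == "-" ? "-" : substr(p, k, 1))
                    p = e
                }
                print type[i] ":" name[i] ":" p
            }
        }'
}

# writers: entries that can effectively write, as "type:name" (empty name = owner).
writers() {
    effective_acl | awk -F: 'substr($3, 2, 1) == "w" { print $1 ":" $2 }'
}
```

On a real share, run getfacl on the directory and pipe its output into writers; in the constructed sample only the owner (user:) keeps write access, even though two entries list rwx.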