Another goal was to keep SELinux enabled throughout the process of getting things up and running. For the most part it is working, but the samba4 directory structure is not properly labeled and the samba processes are running with the unconfined_u user and initrc_t type label. Guess I need to figure out how to create a brand new policy from a template or from scratch. I highly recommend having the policycoreutils-python and setroubleshoot packages installed until you get things working, and then removing setroubleshoot.
We are currently running alpha14 from the source .tar.gz file, installed in /usr/local, although I'd like to find a base .spec file to work from in the future.
I used the current instructions on the Samba Wiki to install and test functionality, minus the extended file attributes, as I'm thinking of joining a non-AD host with the stock smb to provide file sharing and maybe printing.
https://wiki.samba.org/index.php/Samba4/HOWTO#Samba4_HOWTO
NOTE: As of RHEL 6.1 you no longer need to use the bind packages from Fedora 14, as the version shipped with RHEL 6.1 is AOK. You will need ntp >= 4.2.6 for the ntp-signd option to work. I downloaded the current stable release from ntp.org and used the RH 6.1 spec file: added --enable-ntp-signd, adjusted the version, removed all the patch entries and finally adjusted the build options along with the packaged files.
I installed the following prior to building Samba:
gtkhtml setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel mysql-devel libsepol-devel libattr-devel keyutils-libs-devel zlib-devel cyrus-sasl-devel
EDIT: Full ntp.spec is posted at the bottom of the post now.
# ------- ntp.spec not a full diff -------- #
218c115
< --enable-linuxcaps
---
> --enable-linuxcaps --enable-ntp-signd
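Review bot: --enable-ntp-signd only compiles the signing client into ntpd; it does not tell ntpd where Samba's socket directory is. On this setup the socket lives under /usr/local/samba/var/run/ntp_signd (the path the chcon lines and samba4.te in this post deal with), not under ntpd's default run directory, so the ntp.conf shipped as Source1 also needs an ntpsigndsocket directive pointing at that directory, otherwise ntpd will never find the socket.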
327a225
> %{_sbindir}/sntp
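Review bot: packaging %{_sbindir}/sntp leaves the spec inconsistent with itself: the license audit comment still reads "# sntp/ (not packaged) : MSNTP", the License: tag does not mention the MSNTP license, and the html documentation copy in %install still filters sntp out with grep -v. Either update the comment and the License: line and drop the sntp exclusion, or keep sntp out of %files.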
345,346c243,244
< %{_mandir}/man8/ntptime.8*
< %{_mandir}/man8/tickadj.8*
---
> %{_mandir}/man8/ntpdtime.8*
> #%{_mandir}/man8/tickadj.8*
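Review bot: the man page entry changes from ntptime.8* to ntpdtime.8* while %files still ships %{_sbindir}/ntptime; there is no ntpdtime program in this package, so this looks like a typo, and an unmatched glob in %files makes rpmbuild fail with "File not found by glob". Commenting out tickadj.8* while %{_sbindir}/tickadj is still packaged also silently drops a man page; if html2man no longer produces it for 4.2.6p3, record that in %changelog.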
352c250
< %{_mandir}/man8/ntp-wait.8*
---
> #%{_mandir}/man8/ntp-wait.8*
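Review bot: same pattern as tickadj: the ntp-wait binary and the sed that rewrites scripts/ntp-wait stay, but its man page is commented out without the cause being recorded. A one-line %changelog entry saying that html2man does not generate ntp-wait.8 for this version would save the next person a rebuild to find out.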
# ------- ntp.spec not a full diff -------- #
Untar the tar file
cd samba-4.0.0alpha14/source4
./configure.developer
make
make quicktest
make install
chgrp named /usr/local/samba/private/dns
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns
chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/DOMAIN.REALM.zone
For some reason I was not able to change the context for the /usr/local/samba/var/run/ntp_signd directory to ntpd_t, so I had to create a local policy for Samba to be able to provide time to the clients.
NOTE: I was trying to do this, but nothing I did worked to change the context :( so a policy was needed.
chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd
chcon -u system_u -t ntpd_t /usr/local/samba/var/run/
chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket
##################################################################
###### Contents of /etc/selinux/targeted/contexts/files/file_contexts.local ##########
##################################################################
/usr/local/samba/private/dns.keytab system_u:object_r:named_conf_t:s0
/usr/local/samba/private/named.conf system_u:object_r:named_conf_t:s0
/usr/local/samba/private/named.conf.update system_u:object_r:named_conf_t:s0
/usr/local/samba/private/dns system_u:object_r:named_var_run_t:s0
/usr/local/samba/private/dns/DOMAIN.REALM.zone system_u:object_r:named_var_run_t:s0
/usr/local/samba/var/run/ntp_signd system_u:object_r:ntpd_t:s0
################################################
########### module build steps ####################
################################################
##
## Look for specific errors for ntpd
##
tail -10 /var/log/audit/audit.log | audit2allow
OR
grep ntpd /var/log/audit/audit.log | audit2allow
Once you are happy with the output of audit2allow, just append it (>>) to samba4.te and build the module:
checkmodule -M -m -o samba4.mod samba4.te
semodule_package -o samba4.pp -m samba4.mod
semodule -i samba4.pp
# ------------- contents of samba4.te file -------------- #
module samba4 1.0;
require {
type ntpd_t;
type usr_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;
#============= ntpd_t ==============
allow ntpd_t initrc_t:unix_stream_socket connectto;
# ------------- end of samba4.te file -------------- #
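The audit2allow step above is a filter over AVC denials; here is an added example (not from the original post) that does the same job with a plain awk script restricted to one source domain, so an unrelated denial sitting in audit.log cannot add permissions to the samba4 module. The audit lines are constructed: the two ntpd denials the samba4.te above allows, an httpd denial that must be ignored, and a repeat of the first that must be deduplicated.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed audit lines: the two
# denials the page's samba4.te allows, an unrelated httpd denial that must be
# ignored, and a repeat of the first that must be deduplicated.
SAMPLE_AUDIT='type=AVC msg=audit(1307000000.123:456): avc:  denied  { write } for  pid=1234 comm="ntpd" name="socket" dev=dm-0 ino=12345 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=sock_file
type=AVC msg=audit(1307000000.124:457): avc:  denied  { connectto } for  pid=1234 comm="ntpd" path="/usr/local/samba/var/run/ntp_signd/socket" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1307000000.125:458): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1307000000.126:459): avc:  denied  { write } for  pid=1234 comm="ntpd" name="socket" dev=dm-0 ino=12345 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=sock_file'

# avc_to_te MODULE DOMAIN < audit.log  ->  policy source on stdout.
# Only denials whose source domain is DOMAIN are turned into allow rules, so
# a noisy audit.log cannot add unrelated permissions to the module.
avc_to_te() {
    awk -v mod="$1" -v want="$2" '
    function kv(line, key,    v) {          # value of key=... up to the next space
        v = line; sub(".*" key "=", "", v); sub(/ .*/, "", v); return v
    }
    function ctxtype(ctx,    a) { split(ctx, a, ":"); return a[3] }   # user:role:TYPE:level
    /avc: *denied/ {
        perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = ctxtype(kv($0, "scontext")); t = ctxtype(kv($0, "tcontext")); c = kv($0, "tclass")
        if (s != want) next
        if (!(s in seen_t)) { seen_t[s] = 1; types[++nt] = s }
        if (!(t in seen_t)) { seen_t[t] = 1; types[++nt] = t }
        if (!(c in seen_c)) { seen_c[c] = 1; classes[++nc] = c }
        np = split(perms, p, " ")
        for (i = 1; i <= np; i++)           # union of permissions per class for the require block
            if (index(" " cperm[c] " ", " " p[i] " ") == 0) cperm[c] = cperm[c] " " p[i]
        rule = "allow " s " " t ":" c " " ((np > 1) ? "{ " perms " }" : perms) ";"
        if (!(rule in seen_r)) { seen_r[rule] = 1; rules[++nr] = rule }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) {
            pl = substr(cperm[classes[i]], 2)   # drop the leading space
            printf "\tclass %s %s;\n", classes[i], (index(pl, " ") ? "{ " pl " }" : pl)
        }
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# The page then feeds this file to checkmodule -M -m, semodule_package and semodule -i.
build_samba4_te() { printf '%s\n' "$SAMPLE_AUDIT" | avc_to_te samba4 ntpd_t; }
```

Run `build_samba4_te > samba4.te` and diff it against what audit2allow produced before loading either; any rule present in one and not the other deserves a look.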
# ---------------- start of samba4 init.d script ----------------- #
#!/bin/bash
#
# samba4        Startup script for the Samba4 Server
#
# chkconfig: - 85 15
# description: The Samba4 Server, the next generation SMB \
#              server implementing FULL AD roles.
# processname: samba
# pidfile: /usr/local/samba/var/run/samba.pid
#
### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network
# Short-Description: start and stop Samba4 Server
# Description: The Samba4 Server, the next generation SMB
#              server implementing FULL AD roles.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/samba4 ]; then
    . /etc/sysconfig/samba4
fi

samba=${SAMBA-/usr/local/samba/sbin/samba}
prog=samba
pidfile=${PIDFILE-/usr/local/samba/var/run/samba.pid}
lockfile=${LOCKFILE-/var/lock/subsys/samba}
RETVAL=0

# So we just do it the way init scripts are expected to behave here.
start() {
    echo -n $"Starting $prog: "
    daemon --pidfile=${pidfile} $samba $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && touch ${lockfile}
    return $RETVAL
}

# Kill the processes
stop() {
    echo -n $"Stopping $prog: "
    killproc -p ${pidfile} -d 10 $samba
    RETVAL=$?
    echo
    [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status -p ${pidfile} $samba
        RETVAL=$?
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $prog {start|stop|status|restart}"
        RETVAL=2
        ;;
esac

exit $RETVAL
# ---------------- end of samba4 init.d script ----------------- #
# ---------------- full ntp.spec -------------------------------- #
Summary: The NTP daemon and utilities
Name: ntp
Version: 4.2.6p3
Release: 9
# primary license (COPYRIGHT) : MIT
# ElectricFence/ (not used) : GPLv2
# kernel/sys/ppsclock.h (not used) : BSD with advertising
# include/ntif.h (not used) : BSD
# include/rsa_md5.h : BSD with advertising
# include/ntp_rfc2553.h : BSD with advertising
# libisc/inet_aton.c (not used) : BSD with advertising
# libntp/md5c.c : BSD with advertising
# libntp/mktime.c : BSD with advertising
# libntp/ntp_random.c : BSD with advertising
# libntp/memmove.c : BSD with advertising
# libntp/ntp_rfc2553.c : BSD with advertising
# libntp/adjtimex.c (not used) : BSD
# libopts/ : BSD or GPLv2+
# libparse/ : BSD
# ntpd/refclock_jjy.c: MIT
# ntpd/refclock_oncore.c : BEERWARE License (aka, Public Domain)
# ntpd/refclock_palisade.c : BSD with advertising
# ntpd/refclock_jupiter.c : BSD with advertising
# ntpd/refclock_mx4200.c : BSD with advertising
# ntpd/refclock_palisade.h : BSD with advertising
# ntpstat-0.2/ : GPLv2
# util/ansi2knr.c (not used) : GPL+
# sntp/ (not packaged) : MSNTP
License: (MIT and BSD and BSD with advertising) and GPLv2
Group: System Environment/Daemons
Source0: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-%{version}.tar.gz
Source1: ntp.conf
Source2: ntp.keys
Source3: ntpd.init
Source4: ntpd.sysconfig
Source5: ntpstat-0.2.tgz
Source6: ntp.step-tickers
Source7: ntpdate.init
Source8: ntp.cryptopw
Source9: ntpdate.sysconfig
Source10: ntp.dhclient
URL: http://www.ntp.org
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig /sbin/service
Requires(postun): /sbin/service
Requires: ntpdate = %{version}-%{release}
BuildRequires: libcap-devel openssl-devel libedit-devel perl-HTML-Parser
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%description
The Network Time Protocol (NTP) is used to synchronize a computer's
time with another reference time source. This package includes ntpd
(a daemon which continuously adjusts system time) and utilities used
to query and configure the ntpd daemon.
Perl scripts ntp-wait and ntptrace are in the ntp-perl package and
the ntpdate program is in the ntpdate package. The documentation is
in the ntp-doc package.
%package perl
Summary: NTP utilities written in perl
Group: Applications/System
Requires: %{name} = %{version}-%{release}
# perl introduced in 4.2.4p4-7
Obsoletes: %{name} < 4.2.4p4-7
%description perl
This package contains perl scripts ntp-wait and ntptrace.
%package -n ntpdate
Summary: Utility to set the date and time via NTP
Group: Applications/System
Requires(pre): shadow-utils
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig /sbin/service
%description -n ntpdate
ntpdate is a program for retrieving the date and time from
NTP servers.
%package doc
Summary: NTP documentation
Group: Documentation
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description doc
This package contains NTP documentation in HTML format.
%define ntpdocdir %{_datadir}/doc/%{name}-%{version}
# pool.ntp.org vendor zone which will be used in ntp.conf
%if 0%{!?vendorzone:1}
%{?fedora: %define vendorzone fedora.}
%{?rhel: %define vendorzone rhel.}
%endif
%prep
%setup -q -a 5
for f in COPYRIGHT; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} && touch -r ${f}{,_} && mv -f ${f}{_,}
done
%build
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
if echo 'int main () { return 0; }' | gcc -pie -fPIE -O2 -xc - -o pietest 2>/dev/null; then
./pietest && export CFLAGS="$CFLAGS -pie -fPIE"
rm -f pietest
fi
%configure \
--sysconfdir=%{_sysconfdir}/ntp/crypto \
--with-openssl-libdir=%{_libdir} \
--enable-all-clocks --enable-parse-clocks \
--enable-linuxcaps --enable-ntp-signd
echo '#define KEYFILE "%{_sysconfdir}/ntp/keys"' >> ntpdate/ntpdate.h
echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h
make %{?_smp_mflags}
sed -i 's|$ntpq = "ntpq"|$ntpq = "%{_sbindir}/ntpq"|' scripts/ntptrace
sed -i 's|ntpq -c |%{_sbindir}/ntpq -c |' scripts/ntp-wait
pushd html
../scripts/html2man
# remove adjacent blank lines
sed -i 's/^[\t\ ]*$//;/./,/^$/!d' man/man*/*.[58]
popd
make -C ntpstat-0.2 CFLAGS="$CFLAGS"
%install
rm -rf $RPM_BUILD_ROOT
make DESTDIR=$RPM_BUILD_ROOT bindir=%{_sbindir} install
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{5,8}
rm -rf $RPM_BUILD_ROOT%{_mandir}/man1
pushd ntpstat-0.2
mkdir -p $RPM_BUILD_ROOT%{_bindir}
install -m 755 ntpstat $RPM_BUILD_ROOT%{_bindir}
install -m 644 ntpstat.1 $RPM_BUILD_ROOT%{_mandir}/man8/ntpstat.8
popd
# fix section numbers
sed -i 's/\(\.TH[a-zA-Z ]*\)[1-9]\(.*\)/\18\2/' $RPM_BUILD_ROOT%{_mandir}/man8/*.8
cp -r html/man/man[58] $RPM_BUILD_ROOT%{_mandir}
mkdir -p $RPM_BUILD_ROOT%{ntpdocdir}
cp -p COPYRIGHT ChangeLog NEWS $RPM_BUILD_ROOT%{ntpdocdir}
# prepare html documentation
find html | egrep '\.(html|css|txt|jpg|gif)$' | grep -v '/build/\|sntp' | \
cpio -pmd $RPM_BUILD_ROOT%{ntpdocdir}
find $RPM_BUILD_ROOT%{ntpdocdir} -type f | xargs chmod 644
find $RPM_BUILD_ROOT%{ntpdocdir} -type d | xargs chmod 755
pushd $RPM_BUILD_ROOT
mkdir -p .%{_sysconfdir}/{ntp/crypto,sysconfig,dhcp/dhclient.d} .%{_initrddir}
mkdir -p .%{_localstatedir}/{lib/ntp,log/ntpstats}
touch .%{_localstatedir}/lib/ntp/drift
sed -e 's|VENDORZONE\.|%{vendorzone}|' \
-e 's|ETCNTP|%{_sysconfdir}/ntp|' \
-e 's|VARNTP|%{_localstatedir}/lib/ntp|' \
< %{SOURCE1} > .%{_sysconfdir}/ntp.conf
touch -r %{SOURCE1} .%{_sysconfdir}/ntp.conf
install -p -m600 %{SOURCE2} .%{_sysconfdir}/ntp/keys
install -p -m755 %{SOURCE3} .%{_initrddir}/ntpd
install -p -m755 %{SOURCE7} .%{_initrddir}/ntpdate
install -p -m644 %{SOURCE4} .%{_sysconfdir}/sysconfig/ntpd
install -p -m644 %{SOURCE9} .%{_sysconfdir}/sysconfig/ntpdate
install -p -m644 %{SOURCE6} .%{_sysconfdir}/ntp/step-tickers
install -p -m600 %{SOURCE8} .%{_sysconfdir}/ntp/crypto/pw
install -p -m755 %{SOURCE10} .%{_sysconfdir}/dhcp/dhclient.d/ntp.sh
popd
%clean
rm -rf $RPM_BUILD_ROOT
%pre -n ntpdate
/usr/sbin/groupadd -g 38 ntp 2> /dev/null || :
/usr/sbin/useradd -u 38 -g 38 -s /sbin/nologin -M -r -d %{_sysconfdir}/ntp ntp 2>/dev/null || :
%post
/sbin/chkconfig --add ntpd
:
%post -n ntpdate
/sbin/chkconfig --add ntpdate
:
%preun
if [ "$1" -eq 0 ]; then
/sbin/service ntpd stop &> /dev/null
/sbin/chkconfig --del ntpd
fi
:
%preun -n ntpdate
if [ "$1" -eq 0 ]; then
/sbin/service ntpdate stop &> /dev/null
/sbin/chkconfig --del ntpdate
fi
:
%postun
if [ "$1" -ge 1 ]; then
/sbin/service ntpd condrestart &> /dev/null
fi
:
%files
%defattr(-,root,root)
%dir %{ntpdocdir}
%{ntpdocdir}/COPYRIGHT
%{ntpdocdir}/ChangeLog
%{ntpdocdir}/NEWS
%{_sbindir}/ntp-keygen
%{_sbindir}/ntpd
%{_sbindir}/ntpdc
%{_sbindir}/ntpq
%{_sbindir}/ntptime
%{_sbindir}/tickadj
%{_sbindir}/sntp
%{_initrddir}/ntpd
%config(noreplace) %{_sysconfdir}/sysconfig/ntpd
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/ntp.conf
%dir %attr(750,root,ntp) %{_sysconfdir}/ntp/crypto
%config(noreplace) %{_sysconfdir}/ntp/crypto/pw
%dir %{_sysconfdir}/dhcp/dhclient.d
%{_sysconfdir}/dhcp/dhclient.d/ntp.sh
%dir %attr(-,ntp,ntp) %{_localstatedir}/lib/ntp
%ghost %attr(644,ntp,ntp) %{_localstatedir}/lib/ntp/drift
%dir %attr(-,ntp,ntp) %{_localstatedir}/log/ntpstats
%{_bindir}/ntpstat
%{_mandir}/man5/*.5*
%{_mandir}/man8/ntp-keygen.8*
%{_mandir}/man8/ntpd.8*
%{_mandir}/man8/ntpdc.8*
%{_mandir}/man8/ntpq.8*
%{_mandir}/man8/ntpstat.8*
%{_mandir}/man8/ntpdtime.8*
#%{_mandir}/man8/tickadj.8*
%files perl
%defattr(-,root,root)
%{_sbindir}/ntp-wait
%{_sbindir}/ntptrace
#%{_mandir}/man8/ntp-wait.8*
%{_mandir}/man8/ntptrace.8*
%files -n ntpdate
%defattr(-,root,root)
%{_initrddir}/ntpdate
%config(noreplace) %{_sysconfdir}/sysconfig/ntpdate
%dir %{_sysconfdir}/ntp
%config(noreplace) %{_sysconfdir}/ntp/keys
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/ntp/step-tickers
%{_sbindir}/ntpdate
%{_mandir}/man8/ntpdate.8*
%files doc
%defattr(-,root,root)
%{ntpdocdir}/html
%changelog
* Wed Jun 1 2010 Your Name <joe@nowhere.me> 4.2.6p3-1
- using 4.2.6p3 stable as base based on RHEL6 specfile
- The exact same as redhat except built with --enable-ntp-signd
# ----------------- end of ntp.spec ----------------------- #