Thursday, June 9, 2011

Samba 4 AD Server on RedHat 6.1

My goal was to run Samba 4 on RHEL6 to provide basic AD services for our local Windows 7 systems. I did an initial install on a machine not running SELinux just to see if I could get Samba4 and DNS working. I used the bind source rpm from Fedora 14 because the version in RHEL 6.0 did not have the proper DNSSEC support.

Another goal was to keep SELinux enabled throughout the process of getting things up and running. For the most part it is working, but the samba4 directory structure is not properly labeled and the samba processes are running with the unconfined_u user and the initrc_t type. I guess I need to figure out how to create a brand new policy from a template or from scratch. I highly recommend that you have the policycoreutils-python and setroubleshoot packages installed until you get things working, and then remove setroubleshoot.


We are currently running alpha14 from the source .tar.gz, installed in /usr/local, although I'd like to find a base .spec file to work from in the future.

I used the current instructions on the Samba Wiki to install and test functionality, minus the extended file attributes, as I'm thinking of joining non-AD hosts with the stock smb to provide file sharing and maybe printing.
https://wiki.samba.org/index.php/Samba4/HOWTO#Samba4_HOWTO


NOTE: As of RHEL 6.1 you no longer need to use the bind packages from Fedora 14, as the version shipped with RHEL 6.1 is AOK. You will need ntp >= 4.2.6 for the ntp-signd option to work. I downloaded the current stable release from ntp.org and used the RH 6.1 spec file: added --enable-ntp-signd, adjusted the version, removed all the patch entries, and finally adjusted the build options and the packaged files.

I installed the following prior to building Samba:
gtkhtml setroubleshoot-server setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel mysql-devel libsepol-devel libattr-devel keyutils-libs-devel zlib-devel cyrus-sasl-devel

EDIT: The full ntp.spec is now posted at the bottom of the post.

#  ------- ntp.spec not a full diff -------- #
218c115
< --enable-linuxcaps
---
> --enable-linuxcaps --enable-ntp-signd
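Review bot: --enable-ntp-signd only compiles the MS-SNTP signing hook into ntpd; nothing in this diff touches the packaged ntp.conf (Source1), so the daemon is not yet told where Samba's socket lives. The socket directory used elsewhere in this post is /usr/local/samba/var/run/ntp_signd, and it has to be set with the ntpsigndsocket directive in ntp.conf (the configure option also accepts an optional =PATH for the build-time default); a line in %changelog saying that the runtime configuration is still required would save the next rebuilder some debugging.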
327a225
> %{_sbindir}/sntp
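Review bot: adding %{_sbindir}/sntp to %files contradicts the license comment near the top of the spec, "# sntp/ (not packaged) : MSNTP", and the License tag that comment feeds. Either drop "(not packaged)" and fold the sntp license into the License: line, or leave sntp out of the package as the original spec intended.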
345,346c243,244
< %{_mandir}/man8/ntptime.8*
< %{_mandir}/man8/tickadj.8*
---
> %{_mandir}/man8/ntpdtime.8*
> #%{_mandir}/man8/tickadj.8*
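Review bot: the replacement line %{_mandir}/man8/ntpdtime.8* looks like a typo for ntptime.8*; the binary listed a few lines earlier in %files is %{_sbindir}/ntptime and there is no ntpdtime program. If html2man in this release really does not emit ntptime.8, comment the line out as was done for tickadj rather than renaming it, and note that %{_sbindir}/tickadj now ships without its man page.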
352c250
< %{_mandir}/man8/ntp-wait.8*
---
> #%{_mandir}/man8/ntp-wait.8*
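Review bot: commenting out the ntp-wait man page leaves %{_sbindir}/ntp-wait shipping in the perl subpackage with no documentation, while %build still rewrites scripts/ntp-wait with sed. Check whether html2man simply no longer produces ntp-wait.8 from this release's html/ tree, and record the reason in %changelog so the next rebase restores the man page instead of carrying the commented line forward.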
#  ------- ntp.spec not a full diff -------- #


Untar the tarball, then:
cd samba-4.0.0alpha14/source4
./configure.developer
make
make quicktest
make install


chgrp named /usr/local/samba/private/dns
chgrp named /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
chmod 775 /usr/local/samba/private/dns


chcon -t named_conf_t /usr/local/samba/private/dns.keytab
chcon -t named_conf_t /usr/local/samba/private/named.conf.update
chcon -t named_var_run_t /usr/local/samba/private/dns
chcon -t named_var_run_t /usr/local/samba/private/dns/DOMAIN.REALM.zone

For some reason I was not able to change the context of the /usr/local/samba/var/run/ntp_signd directory to ntpd_t, so I had to create a local policy for Samba to be able to provide time to the clients.

NOTE: I was trying to do this, but nothing I did worked to change the context :( so a policy was needed:
chcon -u system_u -t ntpd_t /usr/local/samba/var/run/ntp_signd
chcon -u system_u -t ntpd_t /usr/local/samba/var/run/
chcon -t ntpd_t /usr/local/samba/var/run/ntp_signd/socket 


##################################################################
######  Contents of /etc/selinux/targeted/contexts/files/file_contexts.local ##########
##################################################################
/usr/local/samba/private/dns.keytab    system_u:object_r:named_conf_t:s0
/usr/local/samba/private/named.conf    system_u:object_r:named_conf_t:s0
/usr/local/samba/private/named.conf.update    system_u:object_r:named_conf_t:s0
/usr/local/samba/private/dns    system_u:object_r:named_var_run_t:s0
/usr/local/samba/private/dns/DOMAIN.REALM.zone    system_u:object_r:named_var_run_t:s0
/usr/local/samba/var/run/ntp_signd    system_u:object_r:ntpd_t:s0
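As an added check, not part of the original post: after the chcon and file_contexts.local steps above, confirm that each path really carries the type the table lists (chcon changes do not survive a relabel, which is why the entries belong in file_contexts.local followed by restorecon). The script assumes the file's layout of path pattern, optional file-type flag, and context, and reads the security.selinux xattr directly; the excerpt it parses is constructed from the entries above.

```python
import os

# Constructed excerpt in the layout of
# /etc/selinux/targeted/contexts/files/file_contexts.local
# (path pattern, optional file-type flag such as -d or --, security context).
FILE_CONTEXTS_LOCAL = """\
# path                                     context
/usr/local/samba/private/dns.keytab    system_u:object_r:named_conf_t:s0
/usr/local/samba/private/dns    -d    system_u:object_r:named_var_run_t:s0
/usr/local/samba/var/run/ntp_signd    system_u:object_r:ntpd_t:s0
"""

def parse_file_contexts(text):
    """Return (path, expected SELinux type) pairs; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # The context is always the last field; a file-type flag may precede it.
        path, context = fields[0], fields[-1]
        entries.append((path, context.split(":")[2]))
    return entries

def on_disk_type(path):
    """Type field of the file's security.selinux xattr, or None if unlabeled/absent."""
    try:
        ctx = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):      # missing path, no xattr, or no SELinux
        return None
    return ctx.rstrip(b"\0").decode().split(":")[2]

def audit_labels(entries, lookup=on_disk_type):
    """Compare expected and on-disk types; returns [(path, expected, actual)] mismatches."""
    problems = []
    for path, want in entries:
        got = lookup(path)
        if got != want:
            problems.append((path, want, got))
    return problems

if __name__ == "__main__":
    for path, want, got in audit_labels(parse_file_contexts(FILE_CONTEXTS_LOCAL)):
        print(f"{path}: expected {want}, found {got or 'no label'}")
```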


################################################
###########  module build steps   ####################
################################################
##
## Look for specific errors for ntpd
##
tail -10 /var/log/audit/audit.log | audit2allow
OR
grep ntpd  /var/log/audit/audit.log | audit2allow


Once you are happy with the output of audit2allow, just append it (>>) to samba4.te and build the module:

checkmodule -M -m -o samba4.mod samba4.te 
semodule_package -o samba4.pp -m samba4.mod
semodule -i samba4.pp

# -------------  contents of samba4.te file -------------- #
module samba4 1.0;


require {
type ntpd_t;
type usr_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}


#============= ntpd_t ==============
allow ntpd_t usr_t:sock_file write;


#============= ntpd_t ==============
allow ntpd_t initrc_t:unix_stream_socket connectto;

# -------------  end of samba4.te file -------------- #
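To show where the two allow rules in samba4.te above come from, here is a small re-implementation of what audit2allow does with the AVC records; this is an added example, not code from the original post or from the SELinux tools, and the audit lines are constructed to mirror the denials ntpd raised against the Samba socket. Beyond reproducing the module, it flags rules whose target is a generic file type such as usr_t, which is what you get when a path under /usr/local has no file context of its own.

```python
import re
from collections import defaultdict

# Constructed sample records in /var/log/audit/audit.log format; they mirror the
# two denials that the samba4.te module above resolves (plus one non-AVC record).
AUDIT_LOG = """\
type=AVC msg=audit(1307633056.123:456): avc:  denied  { write } for  pid=2345 comm="ntpd" name="socket" dev=dm-0 ino=123456 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=sock_file
type=AVC msg=audit(1307633056.125:457): avc:  denied  { connectto } for  pid=2345 comm="ntpd" path="/usr/local/samba/var/run/ntp_signd/socket" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1307633056.130:458): avc:  denied  { write } for  pid=2345 comm="ntpd" name="socket" dev=dm-0 ino=123456 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1307633056.130:458): arch=c000003e syscall=42 success=no exit=-13 comm="ntpd"
"""

# Generic file types: an allow rule against one grants access to every object of
# that type under /usr, /var, ... rather than just Samba's socket.
GENERIC_TYPES = {"usr_t", "var_t", "var_run_t", "etc_t", "tmp_t"}

def parse_avc(line):
    """(source type, target type, class, perms) of an AVC denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}", line)
    if not m:
        return None                      # SYSCALL, PATH, CWD records etc.
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    src, tgt = (kv[k].split(":")[2] for k in ("scontext", "tcontext"))
    return src, tgt, kv["tclass"], set(m.group("perms").split())

def fmt(perms):
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def denials_to_te(log, module="samba4", version="1.0"):
    """Merge AVC denials into a minimal .te module the way audit2allow does."""
    rules, class_perms = defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            rules[(src, tgt, cls)] |= perms      # duplicate denials collapse here
            class_perms[cls] |= perms
    types = sorted({t for key in rules for t in key[:2]})
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(sorted(p))};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {fmt(sorted(perms))};")
    return "\n".join(out) + "\n"

def broad_rules(te_text):
    """Allow rules whose target is a generic file type: review before semodule -i."""
    return [l for l in te_text.splitlines()
            if l.startswith("allow ") and l.split()[2].split(":")[0] in GENERIC_TYPES]
```

The first rule it flags is exactly the usr_t one in samba4.te: it lets ntpd write to any usr_t socket file, so a dedicated file type for the ntp_signd directory would be the tighter fix.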


# ---------------- contents of samba4 init.d script ----------------- #
#!/bin/bash
#
# samba4        Startup script for the Samba4 Server
#
# chkconfig: - 85 15
# description: The Samba4 Server, the next generation SMB \
#       server implementing full AD roles.
# processname: samba
# pidfile: /usr/local/samba/var/run/samba.pid
#
### BEGIN INIT INFO
# Provides: samba4
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network
# Short-Description: start and stop Samba4 Server
# Description: The Samba4 Server, the next generation SMB
#  server implementing full AD roles.
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

# Optional overrides for SAMBA, PIDFILE, LOCKFILE and OPTIONS.
if [ -f /etc/sysconfig/samba4 ]; then
        . /etc/sysconfig/samba4
fi

samba=${SAMBA-/usr/local/samba/sbin/samba}
prog=samba
pidfile=${PIDFILE-/usr/local/samba/var/run/samba.pid}
lockfile=${LOCKFILE-/var/lock/subsys/samba}
RETVAL=0

# So we just do it the way init scripts are expected to behave here.
start() {
        echo -n $"Starting $prog: "
        daemon --pidfile=${pidfile} $samba $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch ${lockfile}
        return $RETVAL
}

# Kill the processes
stop() {
        echo -n $"Stopping $prog: "
        killproc -p ${pidfile} -d 10 $samba
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status -p ${pidfile} $samba
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  *)
        echo $"Usage: $prog {start|stop|status|restart}"
        RETVAL=2
esac

exit $RETVAL
# ---------------- end of samba4 init.d script ----------------- #

# ---------------- full ntp.spec -------------------------------- #

Summary: The NTP daemon and utilities
Name: ntp
Version: 4.2.6p3
Release: 9
# primary license (COPYRIGHT) : MIT
# ElectricFence/ (not used) : GPLv2
# kernel/sys/ppsclock.h (not used) : BSD with advertising
# include/ntif.h (not used) : BSD
# include/rsa_md5.h : BSD with advertising
# include/ntp_rfc2553.h : BSD with advertising
# libisc/inet_aton.c (not used) : BSD with advertising
# libntp/md5c.c : BSD with advertising
# libntp/mktime.c : BSD with advertising
# libntp/ntp_random.c : BSD with advertising
# libntp/memmove.c : BSD with advertising
# libntp/ntp_rfc2553.c : BSD with advertising
# libntp/adjtimex.c (not used) : BSD
# libopts/ : BSD or GPLv2+
# libparse/ : BSD
# ntpd/refclock_jjy.c: MIT
# ntpd/refclock_oncore.c : BEERWARE License (aka, Public Domain)
# ntpd/refclock_palisade.c : BSD with advertising
# ntpd/refclock_jupiter.c : BSD with advertising
# ntpd/refclock_mx4200.c : BSD with advertising
# ntpd/refclock_palisade.h : BSD with advertising
# ntpstat-0.2/ : GPLv2
# util/ansi2knr.c (not used) : GPL+
# sntp/ (not packaged) : MSNTP
License: (MIT and BSD and BSD with advertising) and GPLv2
Group: System Environment/Daemons
Source0: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-%{version}.tar.gz
Source1: ntp.conf
Source2: ntp.keys
Source3: ntpd.init
Source4: ntpd.sysconfig
Source5: ntpstat-0.2.tgz
Source6: ntp.step-tickers
Source7: ntpdate.init
Source8: ntp.cryptopw
Source9: ntpdate.sysconfig
Source10: ntp.dhclient


URL: http://www.ntp.org
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig /sbin/service
Requires(postun): /sbin/service
Requires: ntpdate = %{version}-%{release}
BuildRequires: libcap-devel openssl-devel libedit-devel perl-HTML-Parser
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)


%description
The Network Time Protocol (NTP) is used to synchronize a computer's
time with another reference time source. This package includes ntpd
(a daemon which continuously adjusts system time) and utilities used
to query and configure the ntpd daemon.


Perl scripts ntp-wait and ntptrace are in the ntp-perl package and
the ntpdate program is in the ntpdate package. The documentation is
in the ntp-doc package.


%package perl
Summary: NTP utilities written in perl
Group: Applications/System
Requires: %{name} = %{version}-%{release}
# perl introduced in 4.2.4p4-7
Obsoletes: %{name} < 4.2.4p4-7
%description perl
This package contains perl scripts ntp-wait and ntptrace.

%package -n ntpdate
Summary: Utility to set the date and time via NTP
Group: Applications/System
Requires(pre): shadow-utils 
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig /sbin/service


%description -n ntpdate
ntpdate is a program for retrieving the date and time from
NTP servers.


%package doc
Summary: NTP documentation
Group: Documentation
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
%description doc
This package contains NTP documentation in HTML format.

%define ntpdocdir %{_datadir}/doc/%{name}-%{version}


# pool.ntp.org vendor zone which will be used in ntp.conf
%if 0%{!?vendorzone:1}
%{?fedora: %define vendorzone fedora.}
%{?rhel: %define vendorzone rhel.}
%endif


%prep
%setup -q -a 5

for f in COPYRIGHT; do
iconv -f iso8859-1 -t utf8 -o ${f}{_,} && touch -r ${f}{,_} && mv -f ${f}{_,}
done


%build
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
if echo 'int main () { return 0; }' | gcc -pie -fPIE -O2 -xc - -o pietest 2>/dev/null; then
./pietest && export CFLAGS="$CFLAGS -pie -fPIE"
rm -f pietest
fi
%configure \
--sysconfdir=%{_sysconfdir}/ntp/crypto \
--with-openssl-libdir=%{_libdir} \
--enable-all-clocks --enable-parse-clocks \
--enable-linuxcaps --enable-ntp-signd
echo '#define KEYFILE "%{_sysconfdir}/ntp/keys"' >> ntpdate/ntpdate.h
echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h


make %{?_smp_mflags}


sed -i 's|$ntpq = "ntpq"|$ntpq = "%{_sbindir}/ntpq"|' scripts/ntptrace
sed -i 's|ntpq -c |%{_sbindir}/ntpq -c |' scripts/ntp-wait


pushd html
../scripts/html2man
# remove adjacent blank lines
sed -i 's/^[\t\ ]*$//;/./,/^$/!d' man/man*/*.[58]
popd 


make -C ntpstat-0.2 CFLAGS="$CFLAGS"


%install
rm -rf $RPM_BUILD_ROOT


make DESTDIR=$RPM_BUILD_ROOT bindir=%{_sbindir} install


mkdir -p $RPM_BUILD_ROOT%{_mandir}/man{5,8}
rm -rf $RPM_BUILD_ROOT%{_mandir}/man1


pushd ntpstat-0.2
mkdir -p $RPM_BUILD_ROOT%{_bindir}
install -m 755 ntpstat $RPM_BUILD_ROOT%{_bindir}
install -m 644 ntpstat.1 $RPM_BUILD_ROOT%{_mandir}/man8/ntpstat.8
popd


# fix section numbers
sed -i 's/\(\.TH[a-zA-Z ]*\)[1-9]\(.*\)/\18\2/' $RPM_BUILD_ROOT%{_mandir}/man8/*.8
cp -r html/man/man[58] $RPM_BUILD_ROOT%{_mandir}


mkdir -p $RPM_BUILD_ROOT%{ntpdocdir}
cp -p COPYRIGHT ChangeLog NEWS $RPM_BUILD_ROOT%{ntpdocdir}


# prepare html documentation
find html | egrep '\.(html|css|txt|jpg|gif)$' | grep -v '/build/\|sntp' | \
cpio -pmd $RPM_BUILD_ROOT%{ntpdocdir}
find $RPM_BUILD_ROOT%{ntpdocdir} -type f | xargs chmod 644
find $RPM_BUILD_ROOT%{ntpdocdir} -type d | xargs chmod 755


pushd $RPM_BUILD_ROOT
mkdir -p .%{_sysconfdir}/{ntp/crypto,sysconfig,dhcp/dhclient.d} .%{_initrddir}
mkdir -p .%{_localstatedir}/{lib/ntp,log/ntpstats}
touch .%{_localstatedir}/lib/ntp/drift
sed -e 's|VENDORZONE\.|%{vendorzone}|' \
-e 's|ETCNTP|%{_sysconfdir}/ntp|' \
-e 's|VARNTP|%{_localstatedir}/lib/ntp|' \
< %{SOURCE1} > .%{_sysconfdir}/ntp.conf
touch -r %{SOURCE1} .%{_sysconfdir}/ntp.conf
install -p -m600 %{SOURCE2} .%{_sysconfdir}/ntp/keys
install -p -m755 %{SOURCE3} .%{_initrddir}/ntpd
install -p -m755 %{SOURCE7} .%{_initrddir}/ntpdate
install -p -m644 %{SOURCE4} .%{_sysconfdir}/sysconfig/ntpd
install -p -m644 %{SOURCE9} .%{_sysconfdir}/sysconfig/ntpdate
install -p -m644 %{SOURCE6} .%{_sysconfdir}/ntp/step-tickers
install -p -m600 %{SOURCE8} .%{_sysconfdir}/ntp/crypto/pw
install -p -m755 %{SOURCE10} .%{_sysconfdir}/dhcp/dhclient.d/ntp.sh
popd


%clean
rm -rf $RPM_BUILD_ROOT


%pre -n ntpdate
/usr/sbin/groupadd -g 38 ntp  2> /dev/null || :
/usr/sbin/useradd -u 38 -g 38 -s /sbin/nologin -M -r -d %{_sysconfdir}/ntp ntp 2>/dev/null || :


%post
/sbin/chkconfig --add ntpd
:


%post -n ntpdate
/sbin/chkconfig --add ntpdate
:


%preun
if [ "$1" -eq 0 ]; then
/sbin/service ntpd stop &> /dev/null
/sbin/chkconfig --del ntpd
fi
:


%preun -n ntpdate
if [ "$1" -eq 0 ]; then
/sbin/service ntpdate stop &> /dev/null
/sbin/chkconfig --del ntpdate
fi
:


%postun
if [ "$1" -ge 1 ]; then
/sbin/service ntpd condrestart &> /dev/null
fi
:


%files
%defattr(-,root,root)
%dir %{ntpdocdir}
%{ntpdocdir}/COPYRIGHT
%{ntpdocdir}/ChangeLog
%{ntpdocdir}/NEWS
%{_sbindir}/ntp-keygen
%{_sbindir}/ntpd
%{_sbindir}/ntpdc
%{_sbindir}/ntpq
%{_sbindir}/ntptime
%{_sbindir}/tickadj
%{_sbindir}/sntp
%{_initrddir}/ntpd
%config(noreplace) %{_sysconfdir}/sysconfig/ntpd
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/ntp.conf
%dir %attr(750,root,ntp) %{_sysconfdir}/ntp/crypto
%config(noreplace) %{_sysconfdir}/ntp/crypto/pw
%dir %{_sysconfdir}/dhcp/dhclient.d
%{_sysconfdir}/dhcp/dhclient.d/ntp.sh
%dir %attr(-,ntp,ntp) %{_localstatedir}/lib/ntp
%ghost %attr(644,ntp,ntp) %{_localstatedir}/lib/ntp/drift
%dir %attr(-,ntp,ntp) %{_localstatedir}/log/ntpstats
%{_bindir}/ntpstat
%{_mandir}/man5/*.5*
%{_mandir}/man8/ntp-keygen.8*
%{_mandir}/man8/ntpd.8*
%{_mandir}/man8/ntpdc.8*
%{_mandir}/man8/ntpq.8*
%{_mandir}/man8/ntpstat.8*
%{_mandir}/man8/ntpdtime.8*
#%{_mandir}/man8/tickadj.8*


%files perl
%defattr(-,root,root)
%{_sbindir}/ntp-wait
%{_sbindir}/ntptrace
#%{_mandir}/man8/ntp-wait.8*
%{_mandir}/man8/ntptrace.8*


%files -n ntpdate
%defattr(-,root,root)
%{_initrddir}/ntpdate
%config(noreplace) %{_sysconfdir}/sysconfig/ntpdate
%dir %{_sysconfdir}/ntp
%config(noreplace) %{_sysconfdir}/ntp/keys
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/ntp/step-tickers
%{_sbindir}/ntpdate
%{_mandir}/man8/ntpdate.8*


%files doc
%defattr(-,root,root)
%{ntpdocdir}/html


%changelog
* Wed Jun 1 2010 Your Name <joe@nowhere.me> 4.2.6p3-1
- using 4.2.6p3 stable as base based on RHEL6 specfile
- The exact same as redhat except built with --enable-ntp-signd

# ----------------- end of ntp.spec ----------------------- #

6 comments:

  1. I am trying to build ntp 4.2.6 for SL 6.1 but I am having no luck with the spec file. Please can you kindly post the spec file you used.

    Cheers

  2. Ok, will try and post tomorrow as I don't have access to system right now.

  3. Full ntp.spec at bottom of post. Make sure you install the RH/CentOS/SL 6.1 ntp src rpm or extract the files in order to rebuild.

  4. For bind in RHEL 6.1+, the version is still 9.7.x, did you have to use the samba4 howto bind 9.7 directions or did they backport the samba-used 9.8 features to the RHEL 9.7x pkg?

  5. I'm only running alpha 14 (hoping to upgrade soon). I'm thinking of testing the upgrade in VMs first. You might need bind 9.8?? That might be a good question for the mailing list. I'll be posting updates as I upgrade too.

  6. Thanx for the init script. It works like a charm on samba4.0.0_alpha21
