Sunday, October 30, 2005

Solaris, Samba, and Kerberos

This past week I was asked to encourage a few Solaris admins to implement Samba using Kerberos. The reason was that they needed to authenticate against Microsoft Active Directory and the Microsoft Admins had disabled NT LANMAN as a security measure.

I thought, no big deal. I have a spare Linux box; let me see if I can get it going there, and I will send them the config and everybody will be happy. As you can guess, things did not go that smoothly. It turns out Sun has a bug up their butt and did not put in Kerberos support for Samba. Yes, Kerberos is there and so is Samba, but they left out support for using them together. Here is the forum post. I will quote it just in case they decide to delete it for the purpose of rewriting history (nobody does that, do they?).

"Samba, Active Directory, Kerberos and Solaris 10
Author: Tclark Posts: 18 Registered: 2/22/05 Mar 9, 2005 4:36 PM

You may have seen some posts on these topics in the past either from myself or my associates. Let me summarize what I have found so far and then ask for some guidance.

It appears that Samba 3.0.04 which ships with the Solaris 10 release does NOT support full integration into an Active Directory environment. This appears to be due to a lack of Kerberos support in the Sun compiled version.

I have been advised to move to 3.0.10 or 3.0.11 to get that full support for AD, however it appears that you cannot compile this with the libraries shipped with Solaris 10 because that is where the Kerberos support is missing.

In discussing this with Sun Support I have been told that Sun a) Does NOT support Active Directory and b) may NEVER support it! The reason I was told was that Microsoft's code is not "open" and Sun did not want to invest the time to make it work only to have MS change the code. In all fairness I am not sure I believe that explanation.

So, I am trying to understand why this is so difficult? It is my understanding that all you need are the right set of libraries to compile with the readily available source from Am I missing something?

If you have any comments or suggestions I'd like to hear them. Thanks in advance."


2nd Post

"Re: Solaris 10 and Samba
Author: Tclark Posts: 18 Registered: 2/22/05 Mar 18, 2005 9:42 AM (reply 4 of 4)
While Samba is included with S10, contrary to Sun's marketing information it does not support Active Directory out of the box. As others have stated, you must recompile the source with the appropriate (read: not Sun supplied) libs.

According to Sun support, they do not support AD with Samba 3.0.04 and may never support AD with Samba. I found this to be an interesting answer in light of all the Sun marketing material that clearly states AD support with Samba 3.x.

Oh and if you compile it yourself, Sun says they won't support you. I think Sun has a lot to learn about supporting Open Source code like Samba."

So now I have sent the Solaris admins down a river without a paddle. They have to go out and research compiling OpenLDAP, Kerberos, and Samba to get it working. I feel bad, but not for the reasons that you think. I don't feel bad for causing them more work. I feel bad for the Solaris admins because Sun screwed them. The Microsoft admins responsible for Active Directory were right. They required that the Solaris admins support good security by not using NT LANMAN authentication when Kerberos was available. Sun was responsible for this mess. They tried to take a cheap shot at Microsoft but instead screwed their own customer base and pissed off a bunch of Solaris admins who really would rather be working on Linux anyways.

