Install Procedure

1. Copy the following from hq1ap100:/usr/local/depot/samba to /usr/local on the destination server and untar them:
   ldap.tar
   heimdal-krb5.tar
   samba.tar
2. Enable aio support (see notes below on this).
3. Copy smb and slapd from hq1ap100:/usr/local/depot/samba to /etc/init.d on the destination server.
4. Softlink smb and slapd into /etc/rc.d/rc2.d as S91slapd and S92smb.
5. Add to /etc/services:

   # kerberos ports
   kerberos        88/udp    kdc   # Kerberos authentication--udp
   kerberos        88/tcp    kdc   # Kerberos authentication--tcp
   kerberos-sec    750/udp         # Kerberos authentication--udp
   kerberos-sec    750/tcp         # Kerberos authentication--tcp
   kerberos_master 751/udp         # Kerberos authentication
   kerberos_master 751/tcp         # Kerberos authentication
   kerberos-adm    749/tcp         # Kerberos 5 admin/changepw
   kerberos-adm    749/udp         # Kerberos 5 admin/changepw
   kpop            1109/tcp        # Pop with Kerberos
   kshell          544/tcp   cmd   # and remote shell
   klogin          543/tcp         # Kerberos authenticated rlogin
   eklogin         2105/tcp        # Kerberos encrypted rlogin
   krb5_prop       754/tcp         # Kerberos slave propagation
   krb524          4444/tcp        # Kerberos 5 to 4 ticket xlator
   swat            901/tcp         # samba swat

   Note: Some of the kerberos entries are already in /etc/services, so clean up duplicates.
6. Copy /usr/local/samba/lib/WINBIND to /usr/lib/security.
7. Modify /etc/security/user (see notes below on this).
8. Modify /usr/lib/security/methods.cfg (see notes below on this).
9. Have an NT Admin run net ads join -U%
10. Add /usr/local/samba/bin and /usr/local/samba/sbin to the PATH environment variable in /.profile.
11. Run smb start to start samba.
12. Test by typing \\servername\public to see if you get access to the public folder without being prompted. Validate that you can still log into the system with ssh.
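Step 5 asks you to add the kerberos entries and then remove the duplicates by hand. The following is an added example, not part of the original write-up: a small sh/awk helper (hypothetical name merge_services) that appends only those entries whose port/proto is not already present, warns when an existing line uses a different service name for the same port, and can be re-run safely; the sample services file and addition list are constructed here, so it runs without touching /etc/services.

```shell
#!/bin/sh
# Added example (not from the original write-up): idempotent merge of
# /etc/services entries, keyed on port/proto, for step 5 of the install.

merge_services() {
    target="$1"     # services file to update (/etc/services in real use)
    additions="$2"  # file holding the lines to add, in /etc/services format
    # make sure an append starts on a fresh line
    [ -s "$target" ] && [ -n "$(tail -c 1 "$target")" ] && echo >> "$target"
    awk '
        function key(line,  f) {       # port/proto of a line, "" if comment/blank
            sub(/#.*/, "", line)
            return (split(line, f) < 2) ? "" : f[2]
        }
        FILENAME == ARGV[1] {          # pass 1: index what the target already has
            k = key($0); if (k != "") have[k] = $1; next
        }
        {                              # pass 2: the candidate additions
            k = key($0)
            if (k == "") next
            if (k in have) {           # duplicate port/proto: never append
                if (have[k] != $1)
                    printf "warning: %s already bound to %s, skipping %s\n",
                        k, have[k], $1 > "/dev/stderr"
                next
            }
            have[k] = $1
            print
        }
    ' "$target" "$additions" >> "$target"
}

# Constructed sample data standing in for /etc/services and the step 5 list.
WORK=$(mktemp -d)
SERVICES="$WORK/services"
cat > "$SERVICES" <<'EOF'
# constructed sample services file
ssh             22/tcp
kerberos        88/udp    kdc   # already present on the box
samba-swat      901/tcp         # same port, different name
EOF
cat > "$WORK/additions" <<'EOF'
kerberos        88/udp    kdc   # Kerberos authentication--udp
kerberos-adm    749/tcp         # Kerberos 5 admin/changepw
kpop            1109/tcp        # Pop with Kerberos
swat            901/tcp         # samba swat
EOF
merge_services "$SERVICES" "$WORK/additions"   # appends kerberos-adm and kpop only
merge_services "$SERVICES" "$WORK/additions"   # a second run appends nothing
```

The warning for swat is the case to look at by hand: the port is already taken under another name, so the helper leaves the existing line alone rather than creating the second entry.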
Build Procedure Used

Install gcc 4.0.2 for your os level (http://aixpdslib.seas.ucla.edu/categories/development.html)
Install libiconv 1.9.2 for your os level (http://aixpdslib.seas.ucla.edu/categories/development.html)
Install gnu make 3.80 and rename it gmake
Install m4 1.4.3
Install autoconf 2.59
Install bison 2.0

-----------------------
Install db-4.4.20
-----------------------
cd into dist
mkdir build
cd build
env CC="gcc -D_LINUX_SOURCE_COMPAT" ../configure \
    --prefix=/usr/local/bdb \
    --enable-static=yes --enable-shared=no
gmake
gmake install

--------------
openssl-0.9.8a
--------------
./config threads no-shared --prefix=/usr/local/ssl
gmake
gmake install

-----------------
cyrus-sasl-2.1.21
-----------------
Comment out line 111 in saslint.h:

/* extern sasl_global_callbacks_t global_callbacks; */

env CC="gcc -D_LINUX_SOURCE_COMPAT" \
    CPPFLAGS="-I/usr/include" \
    LDFLAGS="-L/usr/lib" \
    ../configure --with-openssl=/usr/local/ssl \
    --with-bdb-libdir=/usr/local/bdb/lib \
    --with-bdb-incdir=/usr/local/bdb/include \
    --disable-gssapi --prefix=/usr/local/cyrus-sasl
gmake
gmake install

---------------
openldap-2.3.11
---------------
mkdir build2
cd build2
env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
    CPPFLAGS="-I/usr/include -I/usr/local/bdb/include -I/usr/local/cyrus-sasl/include -I/usr/local/ssl/include" \
    LDFLAGS="-L/usr/lib -L/usr/local/ssl/lib -L/usr/local/bdb/lib -lpthread" \
    ../configure --enable-dynamic --enable-spasswd \
    --enable-bdb --enable-crypt --enable-slapd --enable-slurpd \
    --with-cyrus-sasl=yes --with-tls=openssl --enable-rlookups \
    --with-threads=posix --prefix=/usr/local/openldap \
    --enable-shared=no --enable-static=yes \
    --with-ssl=/usr/local/ssl --with-tls
gmake depend
gmake
gmake install

-----------------------
Heimdal-0.7 Kerberos
-----------------------
env CC="gcc -D_LINUX_SOURCE_COMPAT -D_THREAD_SAFE" \
    ../configure --prefix=/usr/local/heimdal-krb5 \
    --with-openldap=/usr/local/openldap \
    --with-openldap-lib=/usr/local/openldap/lib \
    --with-openssl=/usr/local/ssl \
    --with-openssl-lib=/usr/local/ssl/lib \
    --with-openssl-include=/usr/local/ssl/include \
    --enable-shared=no --enable-static=yes
gmake
gmake install

Enable AIO:

AIO support is installed in this package. If you have problems starting Samba, try the following:

$ lsdev -Cc posix_aio
posix_aio0 Available Posix Asynchronous I/O

If the above says "Defined" instead of "Available":

$ mkdev -l posix_aio0
posix_aio0 Available
$ chdev -l posix_aio0 -a autoconfig=available -P
posix_aio0 changed

-----------------------
Samba 3.0.21c
-----------------------
#!/bin/ksh -x
export LIBPATH=/usr/lib:/usr/local/lib:/opt/freeware/lib
env "CC=gcc" \
    CFLAGS="-DPAM_AUTHTOK_RECOVER_ERR=PAM_AUTHTOK_RECOVERY_ERR -DPAM_EXTERN=extern -D_LINUX_SOURCE_COMPAT" \
    CPPFLAGS="-I/usr/local/bdb/include -I/usr/local/ssl/include -I/usr/local/include -I/usr/local" \
    LDFLAGS="-L/usr/local/bdb/lib -L/usr/local/cyrus-sasl/lib -L/usr/local/ssl/lib -L/usr/local/openldap/lib -L/usr/local/lib /usr/local/lib/libiconv.a /usr/local/lib/libintl.a -liconv -L/usr/lib -lc" \
    ../configure --prefix=/usr/local/samba \
    --with-shared-modules=idmap_ad,idmap_rid --with-ads --with-ldap --with-pam \
    --with-krb5=/usr/local/heimdal-krb5 --with-winbind --with-acl-support \
    --with-utmp --with-quotas --with-sendfile-support --with-aio-support \
    --enable-shared=yes --disable-static --with-libiconv=/usr/local
/usr/local/bin/gmake
exit    # the script stops after the build; remove this exit to continue with the install and copy steps below
/usr/local/bin/gmake install
# replace the winbind modules under /usr/lib/security with the freshly built ones
for i in WINBIND pam_winbind.so; do
    if [ -f /usr/lib/security/$i ]; then
        mv /usr/lib/security/$i /usr/lib/security/$i.old
        chmod 555 nsswitch/$i
        cp nsswitch/$i /usr/lib/security
        rm /usr/lib/security/$i.old
    else
        cp nsswitch/$i /usr/lib/security
    fi
done

# Add to /usr/lib/security config file
#* PAM:
#*     program = /usr/lib/security/PAM
#
#WINBIND:
#     program = /usr/lib/security/WINBIND
#     options = authonly
#*     options = auth=PAM,db=BUILTIN

Changed in /etc/security/user for default:

SYSTEM = "WINBIND OR WINBIND[FAILURE] AND compat"

My smb.conf now looks like the following:

[global]
        workgroup = BCBSNC
        realm = BCBSNC.COM
        server string = User management Server
        security = ADS
        #idmap backend = rid:BCBSNC=100000-200000
        #idmap backend = ad
        password server = wdcmc01.bcbsnc.com
        log level = 10
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        name resolve order = hosts wins lmhosts bcast
        socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
        preferred master = No
        local master = No
        dns proxy = No
        wins server = svcmc02, svcmc03
        ldap ssl = no
        idmap uid = 100000-200000
        idmap gid = 100000-200000
        template shell = /bin/ksh
        template homedir = /home/%D/%U
        winbind separator = +
        winbind nested groups = Yes
        winbind use default domain = Yes
        aio read size = 1
        aio write size = 1

[homes]
        root preexec = [ ! -e /home/%D/%U ] && { /bin/mkdir -p /home/%D/%U; /bin/chmod 750 /home/%D/%U; /bin/chown %D+%U:staff /home/%D/%U; }
        path = /home/%D/%U
        valid users = %D+%U
        read only = No
        browseable = No

[public]
        path = /usr/local/samba/public
        valid users = "BCBSNC+domain users"
        write list = "BCBSNC+domain users"
        read only = No

[home]
        path = /home/%D/%u
        valid users = %S
        read only = No
        browseable = No

[samba]
        path = /usr/local/samba
        username = DOMAIN+mylogin
        valid users = DOMAIN+mylogin

My /usr/lib/security/methods.cfg:

NIS:
        program = /usr/lib/security/NIS
        program_64 = /usr/lib/security/NIS_64

DCE:
        program = /usr/lib/security/DCE

WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
*       options = auth=PAM,db=BUILTIN

* PAM:
*       program = /usr/lib/security/PAM

Note: (I haven't had luck with pam either. It will not let me log in if I use it too.)

Enable LDAP (optional):

-- I did not get this working, other than I have an ldap server running with the schema, but getting samba to use it has not worked.

Copied samba/source/example/LDAP/samba.schema to the /usr/local/openldap/etc/openldap/schema folder.

Added to /usr/local/openldap/etc/slapd.conf:

# Samba required schemas
include         /usr/local/openldap/etc/openldap/cosine.schema
include         /usr/local/openldap/etc/openldap/inetorgperson.schema
include         /usr/local/openldap/etc/openldap/nis.schema
include         /usr/local/openldap/etc/openldap/samba.schema

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=BCBSNC,dc=COM"
rootdn          "cn=Manager,dc=BCBSNC,dc=COM"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          tI1lfp4Ld@p
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/openldap/var/openldap-data

#######################################################################
# Cache
#######################################################################
# dbcachesize if database is ldbm instead of bdb
cachesize       40000
# dbcachesize   60000000
checkpoint      512 720

#######################################################################
# Samba Indexes
#######################################################################
index objectClass                   eq
index cn,sn,uid,displayName         pres,sub,eq
index uidNumber,gidNumber           eq
index sambaSID                      eq
index sambaPrimaryGroupSID          eq
index objectClass                   pres,eq
index sambaDomainName               eq
index rid,primaryGroupID            eq
index default                       sub

access to *
        by self write
        by * read

Made directory /usr/local/openldap/var/openldap-data and set chmod 700.
Ran /usr/local/openldap/sbin/slapindex -f slapd.conf

Note: {SSHA}2EgvAmD9a6etIIroRCnXmH9HESpnfFa0

The smb init script (the one copied to /etc/init.d in step 3 and run as smb start in step 11):

#!/bin/ksh
# SRC subsystem definitions, kept for reference; the script starts the daemons directly instead
#mkssys -s smbd -G smb -p /usr/local/samba/sbin/smbd -u 0 -a "-F" -R -S -n 15 -f 3
#mkssys -s nmbd -G smb -p /usr/local/samba/sbin/nmbd -u 0 -a "-F" -R -S -n 15 -f 3
#mkssys -s winbindd -G smb -p /usr/local/samba/sbin/winbindd -u 0 -a "-F" -R -S -n 15 -f 3

case "$1" in
start)
        /usr/local/samba/sbin/nmbd -D
        /usr/local/samba/sbin/winbindd -B
        /usr/local/samba/sbin/smbd -D
        #startsrc -s nmbd
        #startsrc -s winbindd
        #startsrc -s smbd
        ;;
stop)
        for daemon in smbd winbindd nmbd; do
                pid=`ps -ef | grep -v grep | grep /usr/local/samba/sbin/$daemon | awk '{ print $2 }'`
                if [ ! -z "$pid" ]; then
                        echo "kill pid: $pid"
                        kill $pid
                else
                        echo "Daemon $daemon is not running..."
                fi
        done
        #stopsrc -s smbd
        #stopsrc -s winbindd
        #stopsrc -s nmbd
        ;;
status)
        for daemon in smbd winbindd nmbd; do
                pid=`ps -ef | grep -v grep | grep /usr/local/samba/sbin/$daemon | awk '{ print $2 }'`
                if [ ! -z "$pid" ]; then
                        echo "Daemon $daemon is running..."
                else
                        echo "Daemon $daemon is not running..."
                fi
        done
        ;;
*)
        echo "Usage: $0 {start|stop|status}"
        ;;
esac