Samba for Freeradius 2.x

pszafer · Jan 9, 2013, 5:15 PM

Hello,

For almost a year I have well working configuration - samba (exactly ntlm_auth) cooperating with freeradius. Then I chose a simplier and faster way to install it.
I made some guide how to install it on other pfSense machines (http://goo.gl/bVAEB).

And now I have to implement the same thing on another router, but this time, if it is possible, I would like to go more complicated way, but hopefully with pfSense package in the end.

As far as I understand, I should do following things:

make BSD port for "samba for freeradius"
create pbi package from that port
create tbz package for 2.0 pfSense
create GUI files for Samba
create little patch for freeradius package

Is it correct?

And last question - can I use original samba sources (~34 MB) with configuration like that:

./configure --prefix=/tmp/samba2/ --disable-smbtorture4 --disable-cups --disable-pie --disable-fam --disable-old-ctdb --disable-avahi --without-mandir --without-krb5 --with-ads --with-ldap --with-wbclient --with-winbind --without-libsmbclient

and after install in post-install script removing unnecessary files;
or rather cut samba sources from unnecessary files (more complicated for me, but less space).

Thanks in advance for help

Nachtfalke · Jan 9, 2013, 8:21 PM

I do not know how this .pbi and .tbz magic is working on the pfsense servers ;) but perhaps this will help you:
http://forum.pfsense.org/index.php/topic,50498.0.html

As far as I understand it - you do not need to build/make the .tbz and .pbi by hand. This will be done automatically if you do the correct entries in this file:
https://github.com/bsdperimeter/pfsense-packages/blob/master/pkg_config.8.xml
And the perhaps just ask jimp to start the builder (which does the magic) and on the next day there are the .tbz and .pbi files ;-)

Another possibility could be to ask marcelloc - he built the .pbi files for me in the past on his own server. That was for testing the new package/functions before do the real work on pfsense server.

So you points 1,2 and 3 will be done "nearly" automatically if you understand how.
Point 4 and 5 - you are welcom to do that and/or implement that in freeradius2 package.
Perhaps it would make sense to create a second package like "freeradius2-smb". So that there is no need to install freeradius2 with samba if you do not need it. But if you need it - then just install the "freeradius2-smb" package which adds the neccessary binaries and the GUI.

Sorry that I could not help you much more but I am really interested in that feature :D

pszafer · Jan 10, 2013, 6:13 PM

Hi Nachtfalke! I hoped You will be interested in this feature :)

I think that better make GUI for Samba and little patch to freeradius (after properly installing Samba it's only one change in configuration and maybe one check box in GUI, I'll write it later).

So I will try to make GUI for Samba and this patch and the same time ask jimp about some explanation (maybe there are some arguments against building Samba for all community).

Nachtfalke · Jan 10, 2013, 3:44 PM

I will help you on freeradius.inc if you have any questions. But probably you know more about php and coding than me ;)

marcelloc · Jan 14, 2013, 2:20 PM

pszafer,

the basic steps to compile/write/test new packages on pfsense is:

Install a freebsd 8.1 for 2.0.x builds or a 8.3 for 2.1 builds
Install ports via portsnap fetch && portsnap upgrade(maybe a portsnap extract on first time run)
define packages destination folder, folowing this page
Compile your packages using ports, in your case /usr/ports/net/samba36
type make config to select your compile options, then type make package
copy tbz files created to a web server or pfsense server and do a pkg_add to install it

This way you can test/create a gui for it, the next step is to publish it on github.

att,
Marcello Coutinho

pszafer · Jan 14, 2013, 5:41 PM

Hello Marcelloc,

Thank You for your post!

I did most of steps you wrote before. I installed samba from sources in /tmp directory on FreeBSD 8.3. I removed as much files as I can by hand (rm command), because with configure I can't define not to install some executables, even if I know that ntlm_auth (one of main programs to authenticate with Active Directory) doesn't use them.
Then I used script from Polish bsd site:


#! /bin/sh
for i in `find $1 -type d`; do
if [ "$i" != "$1" ]; then
for j in `ls $i`; do
if [ ! -d $i/$j ]; then
echo $i/$j
fi
done
fi
done
#--------------------

sh create_list.sh > files
find /tmp/samba -type d > directories

removed beginning of path (/tmp/samba)

cat files | cut -b 10- > new_files
cat directories | cut -b 10- > new_dirs

removed lines:

bin
include
lib
share/doc

after that simple sort:

cat new_files | sort > packing_list
cat new_dirs | sort > directories

added

@name, @cwd, @srcdir, @dirrm

and in the end:

pkg_create -f packing_list -c description1 -d description2 sambaforfreeradius.tbz

I have tbz file and can install it successfully.
As I understand now I should create GUI config and then I could publish it on github (my own github or bsdperimeter?)?

Am I correct or your steps are necessary and only way to create package for pfSense?

Another question I have on my mind, can I make changes in the other packet by installing Samba (make changes in freeradius.inc file)

marcelloc · Jan 15, 2013, 11:54 AM

@pszafer:

As I understand now I should create GUI config and then I could publish it on github (my own github or bsdperimeter?)?
Am I correct or your steps are necessary and only way to create package for pfSense?

To publish on github you need all make options you've used on ports, as it must be compiled by core-team.
Take a look on pkg_config.8.xml

@pszafer:

Another question I have on my mind, can I make changes in the other packet by installing Samba (make changes in freeradius.inc file)

You can but it's better to talk to it's package maintainer.
You can create a patch file and let user apply/remove it or check it on install process.

Nachtfalke · Jan 15, 2013, 3:53 PM

You are allowed to add things to freeradius.inc if you need to.
But I would suggest to make it optional - in any way - to use samba or not. Some people probably do not want and need samba on their pfsense.

pszafer · Jan 18, 2013, 11:08 AM

Nachtfalke, definitely it would be optional and as you will see today or tomorrow it wouldn't be a big change.

–---
I've just made patch for freeradius2.
Haven't check it yet, but want to show the idea.

Just need to check if samba is installed and if true then in file etc/raddb/modules/mschap uncomment line ntlm_auth with proper line.
Rest of work will do samba package

Here is the link - http://pastebin.com/CS8fupvz.
I'll check it today.

pszafer · Feb 1, 2013, 8:17 PM

@Marcelloc

I have questions to you or someone from CoreTeam.
1. Should I create dependencies packages like talloc, tbd?
2. Is there any possibility to create post-installation script to remove some unnecessary files from samba package or maybe it is possible to create my own samba "light" for freeradius port.
I have samba created following your instructions, but there are a few files really don't needed.

marcelloc · Feb 1, 2013, 9:15 PM

The post install script can be done on package install process as IIIRC it install packages before xml files.

pszafer · Feb 13, 2013, 5:23 PM

I'm half way of making samba pkg work.

@Marcelloc, I have problem. In pfsense 2.1 packages are installing in /usr/pbi/*.
While creating tbz package, can I change the installation destination directory of package to /usr/pbi/samba?

By default it is installed in /usr/local with it's all dependencies.

Here is link to repository where I'm creating package - https://github.com/pszafer/SambaForFreeradiusPFSENSE