UnixWare 7.1.4 Maintenance Pack 3 Samba Supplement Release Notes
**********************************************************

Dear SCO Customer,

The UnixWare 7.1.4 Maintenance Pack 3 Samba Supplement is an optional
update for your UnixWare 7.1.4 Maintenance Pack 3 system.

Contents
========

  I)   Introduction
  II)  Overview
  III) Before Installing this Supplement
  IV)  Installing this Supplement
  V)   Removing this Supplement
  VI)  Supplement Notes and Limitations

----------------------------------------------------------------------------

I. Introduction
================

Samba is a standardized technology used to support Microsoft file and
print sharing on UnixWare and many other platforms. In addition to
enabling Windows/UNIX(R) resource sharing, Samba provides consistent user
administration throughout the Microsoft/UNIX environment. When used in
concert with PAM and NSS, Samba also enables common cross-platform system
authentication.

For more information about Samba capabilities, configuration options, and
general usage, please review the following materials from the Samba Team:

  + The Official Samba-3 HOWTO and Reference Guide:
    http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection

  + Samba-3 By Example:
    http://us1.samba.org/samba/docs/man/Samba-Guide/

Additionally, the /info directory of the Samba Supplement CD provides the
following procedures for configuring your UnixWare Samba server:

  + HOWTO: Join a UnixWare 7.1.4mp3 Samba system to an NT4 style Domain
    /info/DOMAIN_JOIN/Domain_Join_HOWTO.html

  + HOWTO: Samba Primary Domain Controller on SCO UnixWare 7.1.4
    /info/PDC/PDC_HOWTO.html

For your convenience, complete configuration files for each HOWTO are
included in their respective directories.

II. Overview
=============

This supplement provides a collection of UnixWare packages to enable a
greatly enhanced and more robust Samba environment than previously offered
in any SCO product.

Please note:

1) This supplement consists of these previously released packages:

   Package                                                  Samba
   Name       Description            UW714     UW714MP3     Supplement
   =======    ===========            =====     ========     ==========
   openssl    The OpenSSL Package    0.9.7i    -            0.9.7i
   ptf9052    The UnixWare 7.1.4     -         -            ptf9052h
              Maintenance Pack 3
              Supplement

   along with these revised UnixWare 7.1.4 open source packages:

   Package                                                  Samba
   Name       Description            UW714     UW714MP3     Supplement
   =======    ===========            =====     ========     ==========
   db         The Berkeley DB        4.1       4.1.25       4.4.20
              Library package
   openldap   The OpenLDAP           2.1.22    2.1.22-01    2.3.27
              (includes the previous
              release pam_ldap-180
              and revised openldap
              and nss_ldap-257)
   samba      The Samba Package      3.0.0     3.0.10       3.0.24
              (includes revised
              samba and
              smbldap-tools 0.9.2)
   perl       The Perl               5.8.3     -            5.8.8
              Programming Language
              Package
   perlmods   The Additional         5.8.3     -            5.8.8
              Modules for Perl
              Package

   and these new for UnixWare 7.1.4 open source packages:

   Package                                                  Samba
   Name       Description            UW714     UW714MP3     Supplement
   =======    ===========            =====     ========     ==========
   heimdal    The Heimdal            -         -            0.6.6
              Kerberos 5
              Implementation Package
   readline   The GNU Readline       -         -            5.1
              Library Package

2) An install.sh script is provided to simplify the installation, as
   described in the "Installing this Supplement" section below. Use of
   this script is highly recommended.

   By default, this script first confirms that UW 7.1.4 MP3 is installed.
   It then installs, in order: ptf9052 (if the latest version is not
   already installed) and then the needed open source packages. The script
   handles all installation permutation issues.

3) The info directory on this CD contains the release notes for PTF 9052h
   along with examples for setting up a Samba environment.

----------------------------------------------------------------------------

III. Before Installing this Supplement
=======================================

1. To install the entire supplement you must first install UnixWare 7.1.4
   Maintenance Pack 3 (MP3).

2. IMPORTANT: Upgrading OpenLDAP from version 2.1.22 or 2.1.22-01 to
   version 2.3.27 will result in any existing OpenLDAP database data no
   longer being accessible. To make existing data accessible, the database
   should be backed up before the upgrade and then restored following the
   upgrade.

   The following procedure can be used to back up an existing OpenLDAP
   database:

   1) Log in as root.

   2) Stop the slapd daemon, if running, to ensure a consistent backup.

      # kill `ps -e | grep slapd | awk '{print $1}'`

   3) Create an ldif backup file.

      # slapcat -l /var/openldap-data/openldap.ldif

   After the OpenLDAP upgrade, the OpenLDAP database backup can be
   restored using the following procedure:

   1) Log in as root.

   2) Restore configuration file changes.

      Note: As part of the upgrade process, the OpenLDAP configuration and
      schema files will be overwritten by the new default files, requiring
      that any changes be manually remade to /etc/openldap/*.conf and
      /etc/openldap/schema/*.schema. The previous versions of these files
      are saved with the suffix ".pre2.3.27":

      # ls -1 /etc/openldap
      DB_CONFIG.example
      ldap.conf
      ldap.conf.default
      ldap.conf.pre2.3.27
      schema
      slapd.conf
      slapd.conf.default
      slapd.conf.pre2.3.27

      # ls -1 /etc/openldap/schema
      README
      corba.schema
      corba.schema.default
      corba.schema.pre2.3.27
      ...

   3) Create an empty database directory.

      # cd /var
      # mv openldap-data openldap-data.bak
      # mkdir openldap-data
      # chmod 700 openldap-data

   4) Restore the ldif backup file:

      # slapadd -l /var/openldap-data.bak/openldap.ldif

      A warning will display, although it doesn't affect the restoration
      of the database:

      bdb_db_open: Warning - No DB_CONFIG file found in directory
      /var/openldap-data: (2)
      Expect poor performance for suffix dc=my-domain,dc=com.

   DB_CONFIG.example can be used to create /var/openldap-data/DB_CONFIG,
   to avoid warnings as with the slapadd command above. See
   /usr/share/db/doc/index.html for more information.

----------------------------------------------------------------------------

IV. Installing this Supplement
===============================

1) Log in as root.

2) Download the uw714samba.iso supplement from
   http://www.sco.com/support/update/download/release.php?rid=195

3) In the directory where you downloaded the uw714samba.iso file, enter:

   # mount `marry -a uw714samba.iso` /install

4) Change directory to /install:

   # cd /install

5) Do one of the following:

   A) (highly recommended) To install the entire supplement enter:

      # ./install.sh [-nv]

      This will show you a menu screen listing the names of the packages
      that should be installed. Typically all of the supplement's packages
      are listed and selected for installation. The exception is if the
      current or a later version of a package is already installed on your
      system.

      The optional -n (non-interactive) flag skips the menu screen and
      proceeds to install the default selection of packages.

      The optional -v (verbose) flag provides more status information
      during the installation.

   B) To individually install packages, enter:

      # ./install.sh [packages]

      where packages can be any of the packages listed in Section II.

6) After all desired packages are installed, reboot the system by typing:

   # shutdown -i6 -g0 -y

   At this point the supplement will be installed but not enabled.

7) Samba and OpenLDAP ship in a disabled state by default. The SWAT
   interface on port 901 will still function and can start and configure
   the Samba daemons; however, they will not start on boot. To enable
   Samba and OpenLDAP to start on boot, run:

   # /etc/init.d/samba enable
   # /etc/init.d/openldap enable

   Please note that it is strongly advised that you ensure these services
   are properly configured before attempting to enable or start them.

----------------------------------------------------------------------------

V. Removing this Supplement
============================

To remove this supplement, remove each component via:

1) Log in as root.

2) For each package that you want to remove:

   # pkgrm package

3) Reboot the system by typing:

   # shutdown -i6 -g0 -y

----------------------------------------------------------------------------

VI. Supplement Notes and Limitations
=====================================

1. If you are upgrading from earlier versions of the db, openldap, or
   samba packages, then note that the earlier libraries remain on your
   system. This is to enable applications that statically linked with
   these libraries to continue to function. However, to avoid any security
   issues with the earlier version's library you may want to remove these
   old libraries:

   db:
      /usr/lib/libdb-4.1.a
      /usr/lib/libdb-4.1.so
      /usr/lib/libdb-4.1.so.0
      /usr/lib/libdb-4.1.so.0.0.0

   openldap:
      /usr/lib/liblber.so.2.0.122
      /usr/lib/libldap.so.2
      /usr/lib/libldap.so.2.0.122
      /usr/lib/libldap_r.so.2
      /usr/lib/libldap_r.so.2.0.122

   samba:
      /usr/lib/samba/lib/charset/CP437.so
      /usr/lib/samba/lib/charset/CP850.so
      /usr/lib/samba/lib/libsmbclient.a
      /usr/lib/samba/lib/libsmbclient.so
      /usr/lib/samba/lib/libsmbclient.so.0
      /usr/lib/samba/lib/libsmbclient.so.0.1
      /usr/lib/samba/lib/vfs/audit.so
      /usr/lib/samba/lib/vfs/cap.so
      /usr/lib/samba/lib/vfs/default_quota.so
      /usr/lib/samba/lib/vfs/expand_msdfs.so
      /usr/lib/samba/lib/vfs/extd_audit.so
      /usr/lib/samba/lib/vfs/fake_perms.so
      /usr/lib/samba/lib/vfs/full_audit.so
      /usr/lib/samba/lib/vfs/netatalk.so
      /usr/lib/samba/lib/vfs/readonly.so
      /usr/lib/samba/lib/vfs/recycle.so
      /usr/lib/samba/lib/vfs/shadow_copy.so

   To remove an old library:

      /usr/sbin/removef package library
      rm library

   After removing all the old libraries for package then enter:

      /usr/sbin/removef -f package

   For example:

      /usr/sbin/removef db /usr/lib/libdb-4.1.a
      /usr/sbin/removef db /usr/lib/libdb-4.1.so
      /usr/sbin/removef db /usr/lib/libdb-4.1.so.0
      /usr/sbin/removef db /usr/lib/libdb-4.1.so.0.0.0
      rm /usr/lib/libdb-4.1.a
      rm /usr/lib/libdb-4.1.so
      rm /usr/lib/libdb-4.1.so.0
      rm /usr/lib/libdb-4.1.so.0.0.0
      /usr/sbin/removef -f db

2. If you are upgrading perl and/or perlmods from the previous UnixWare
   version (5.8.3) then please note:

   A. If you installed your own individual perl modules for perl 5.8.3,
      you need to reinstall them for the new version of perl (5.8.8).
      This is because the perl modules are placed in directories named
      for the installed perl version number.

   B. Various 5.8.3 files and directories remain on your system. This is
      to enable applications that rely on that specific version of perl
      or perlmods to continue to function. However, to avoid any security
      issues, you may want to remove these files. To do so, log in as
      root and run this procedure:

         cd /var/sadm/pkg/perlmods/install
         chmod 744 cleanup.sh
         ./cleanup.sh > cleanup.sh.out 2>&1
         chmod 644 cleanup.sh
         cd /var/sadm/pkg/perl/install
         chmod 744 cleanup.sh
         ./cleanup.sh > cleanup.sh.out 2>&1
         chmod 644 cleanup.sh

3. Installing the new version of the samba package automatically copies
   the existing Samba configuration (if one exists) from the previous
   release's /usr/lib/samba/lib/smb.conf and /usr/lib/samba/private/*
   files. The copied files are under /etc/samba. For your convenience,
   symlinks for the binaries and the smb.conf file are left in the old
   /usr/lib/samba locations. However, if your prior configuration
   specified any alternate or additional configuration files (e.g., a
   usermap file), they need to be copied separately.

   Also note, if the new samba version is removed your current
   configuration will not be restored to the previous /usr/lib/samba/lib
   location. When downgrading, administrators are advised to back up all
   configuration files before removing the new samba package.

4. This release alters some of UnixWare's previous conventions.
   The following changes have been made:

   + Samba is disabled by default after it is installed and must be
     manually enabled via:
        /etc/init.d/samba enable

   + Samba start-up script has been relocated from:
        /etc/dinit.d/S99samba
     to:
        /etc/rc2.d/S98samba

   + Samba configuration files are now located in:
        /etc/samba

   + Samba daemon binaries are now located in:
        /usr/sbin

   + Samba administration and user binaries are located in:
        /usr/bin

   + Samba logs are located in:
        /var/log/samba

   + Samba is now compiled with the LDAP and ADS options.

   + OpenLDAP binaries (slapd and slurpd) are now located in:
        /usr/sbin
     The old /usr/libexec locations are symlinked for compatibility.

   + Heimdal binaries are located in subdirectories of:
        /usr/lib/heimdal
     The kinit and klist binaries are symlinked in /usr/bin.

5. The samba package in this supplement provides Samba 3.0.24 plus these
   security fixes from the Samba community:

      CVE-2007-2444.patch, Local SID/Name translation bug can result in
                           user privilege elevation
      CVE-2007-2446.patch, Multiple Heap Overflows Allow Remote Code
                           Execution
      CVE-2007-2447.patch, Remote Command Injection Vulnerability

6. This supplement provides three packages (openldap, samba, and ptf9052)
   that contain extra PAM modules. If you have configured any PAM services
   to use modules provided by any of these packages, and then uninstall
   the package(s), any service configured to use the uninstalled module(s)
   will fail. This will prevent that service from successfully logging in.
   If local console logins are affected, pkgrm will abort.

   Each package that provides extra PAM modules attempts to detect this
   scenario. If detected, you are offered the option to abort the package
   removal. If you do not abort, a warning is displayed at the conclusion
   of the package removal.

   If the above warnings are ignored, and you lose the ability to log in
   via any remote service, you will need to first locally reboot your
   system.
   Then enter the following commands into the bootloader to bring your
   system up in single-user mode:

      INITSTATE=s
      b

   Once booted in single-user mode you need to reconfigure your PAM
   service(s), and remove the offending module(s) from the configuration
   file(s).

7. The Samba supplement updates various packages as noted in the Overview
   section above. You may have other packages installed that depend on
   these upgraded packages. If you then want to remove these upgraded
   packages, you will have to remove the dependent packages before
   removing some packages installed by the Samba supplement. pkgrm informs
   you of such dependencies. See the "Removing this Supplement" section
   above for package removal instructions.

   If you then want to reinstall your system configuration to match what
   it was before installing this supplement, reinstall the packages from
   your original UnixWare 7.1.4 and UnixWare 7.1.4 MP3 media.

8. There was a feature added by the Samba team that automatically disables
   any shares that do not have an explicitly set path. Thus, if you
   initially define any shares through the SWAT interface, they
   automatically get an extra "available = no" parameter added to their
   service definition. Once the share is defined you may remove the
   "available = no" attribute either manually from the smb.conf, or via
   SWAT by toggling the setting under the service definition from the
   "SHARES" tab. This will then enable your service.

9. This release includes version 0.9.2 of smbldap-tools. This set of
   Perl-based utilities allows Samba to manipulate an LDAP database on the
   fly. This functionality is necessary for adding domain users, machine
   accounts, and performing other such administrative tasks. Please refer
   to the PDC HOWTO in the /info/PDC directory of the supplement CD or the
   examples in the /etc/smbldap-tools/examples directory for proper usage.

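Added example for Section III (not part of the SCO release notes or of
OpenLDAP): a check that every entry in the pre-upgrade slapcat backup is
present again after slapadd, by comparing the DNs of the backup with a
second slapcat dump taken after the restore. The file names and the
sample LDIF data are constructed for illustration.

```shell
# ldif_dns [FILE]: print the DN line of each entry in an LDIF stream, sorted.
# LDIF folds long lines; a continuation line starts with a single space.
ldif_dns() {
    awk '
    function emit() { if (cur != "") print cur; cur = "" }
    /^ /   { if (cur != "") cur = cur substr($0, 2); next }
           { emit() }
    /^dn:/ { cur = $0 }
    END    { emit() }
    ' "$@" | LC_ALL=C sort
}

# ldif_missing BEFORE AFTER: print DNs found in BEFORE but not in AFTER.
ldif_missing() {
    a=$(mktemp) && b=$(mktemp) || return 2
    ldif_dns "$1" > "$a"
    ldif_dns "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample data: the "after" dump lacks the ou=People entry,
# and the backup folds one DN across two lines.
demo_ldif_missing() {
    d=$(mktemp -d) || return 1
    cat > "$d/before.ldif" <<'EOF'
dn: dc=my-domain,dc=com
dc: my-domain

dn: ou=People,dc=my-domain,dc=com
ou: People

dn: uid=alice,ou=People,dc=my-
 domain,dc=com
uid: alice
EOF
    cat > "$d/after.ldif" <<'EOF'
dn: dc=my-domain,dc=com
dc: my-domain

dn: uid=alice,ou=People,dc=my-domain,dc=com
uid: alice
EOF
    ldif_missing "$d/before.ldif" "$d/after.ldif"
    rm -rf "$d"
}
demo_ldif_missing
```

On a real system, BEFORE is /var/openldap-data.bak/openldap.ldif and AFTER
is a fresh slapcat -l dump written after the slapadd step; empty output
means no entry was lost.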
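Added example for note 6 (not part of the SCO release notes or of any SCO
tool): before running pkgrm, list the PAM services that still load a
module the package provides. The directory passed in, the module names
pam_ldap and pam_winbind, and the sample service files are assumptions;
take the real module names from the package's file list.

```shell
# pam_refs DIR MODULE...: print "service:line:module" for every active
# (non-comment) PAM configuration line in DIR that loads a listed module.
pam_refs() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v mods="$*" -v svc="${f##*/}" '
            BEGIN { n = split(mods, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
            /^[ \t]*(#|$)/ { next }
            {
                for (i = 1; i <= NF; i++) {
                    name = $i
                    sub(/^.*\//, "", name)          # drop any directory part
                    sub(/\.so(\..*)?$/, "", name)   # drop .so or .so.N suffix
                    if (name in want) { printf "%s:%d:%s\n", svc, NR, name; break }
                }
            }' "$f"
    done
}

# Constructed sample: two service files in a scratch directory. The
# commented-out pam_ldap line in "login" must not be reported.
demo_pam_refs() {
    d=$(mktemp -d) || return 1
    cat > "$d/login" <<'EOF'
auth     required   pam_unix.so
# auth   sufficient pam_ldap.so
account  required   pam_unix.so
EOF
    cat > "$d/sshd" <<'EOF'
auth     sufficient /usr/lib/security/pam_ldap.so.1 use_first_pass
auth     required   pam_unix.so
session  optional   pam_winbind.so
EOF
    pam_refs "$d" pam_ldap pam_winbind
    rm -rf "$d"
}
demo_pam_refs
```

Any line of output names a service that will fail once the module is
removed; reconfigure that service first, then remove the package.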
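Added example for note 8 (not part of the SCO release notes or of Samba):
list the shares in an smb.conf that are switched off with
"available = no", together with whether a path is set, so shares left
disabled by SWAT can be found and reviewed. The sample configuration is
constructed.

```shell
# disabled_shares [FILE]: print "<share> path=<path>" for each share whose
# last "available" setting is false. [global] only holds defaults: skipped.
disabled_shares() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function report() {
        if (share != "" && off)
            printf "%s path=%s\n", share, (path == "" ? "(unset)" : path)
    }
    /^[ \t]*([;#]|$)/ { next }                  # comment or blank line
    /^[ \t]*\[/ {                               # section header
        report()
        share = $0
        sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
        share = trim(share); off = 0; path = ""
        if (tolower(share) == "global") share = ""
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1))
        gsub(/[ \t]/, "", key)                  # names ignore case and spaces
        val = trim(substr($0, eq + 1))
        if (key == "path" || key == "directory") path = val
        if (key == "available") off = (tolower(val) ~ /^(no|false|0|off)$/)
    }
    END { report() }
    ' "$@"
}

# Constructed sample configuration (not from a real system).
sample_smb_conf() {
    cat <<'EOF'
[global]
   workgroup = EXAMPLE
[docs]
   path = /srv/docs
[scratch]
   available = no
[Archive]
   Path = /srv/archive
   Available = No
EOF
}

sample_smb_conf | disabled_shares
```

Run it as disabled_shares /etc/samba/smb.conf; a share reported with
path=(unset) needs a path before "available = no" is removed.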
----------------------------------------------------------------------------

Document Issued: October 2007
Copyright (c) 2007 The SCO Group, Inc. All rights reserved.