From 4cb733e145a83865eab09c0555b5486f4bd27924 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Jan 2019 02:31:10 +0100 Subject: [PATCH 1/6] wscript: separate embedded_heimdal from system_heimdal This allows to default (embedded_heimdal) to build even with a broken krb5-config file from Heimdal. In the system_heimdal case we parse the content of krb5-config instead of just executing it. This fails on FreeBSD 12 as krb5-config contains iso-8859-1 characters, which can't be parsed as unicode python buffers when using python3. Fixing the system_heimdal case is a task for another day, I guess it will only work once we imported a current heimdal version and actually tested the system_heimdal case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 8061983d4882f3ba3f12da71443b035d7b672eec) --- source4/heimdal_build/wscript_configure | 94 ----------------------- wscript | 11 +-- wscript_configure_embedded_heimdal | 1 + wscript_configure_system_heimdal | 99 +++++++++++++++++++++++++ 4 files changed, 104 insertions(+), 101 deletions(-) create mode 100644 wscript_configure_embedded_heimdal create mode 100644 wscript_configure_system_heimdal diff --git a/source4/heimdal_build/wscript_configure b/source4/heimdal_build/wscript_configure index 4d4e6a0cff9..903fb5139db 100644 --- a/source4/heimdal_build/wscript_configure +++ b/source4/heimdal_build/wscript_configure 
@@ -164,97 +164,3 @@ conf.define('HAVE_KRB5_PRINCIPAL_GET_TYPE', 1) conf.define('HAVE_KRB5_WARNX', 1) conf.define('HAVE_KRB5_PROMPT_TYPE', 1) -heimdal_includedirs = [] -heimdal_libdirs = [] -krb5_config = conf.find_program("krb5-config.heimdal", var="HEIMDAL_KRB5_CONFIG") -if not krb5_config: - krb5_config = conf.find_program("krb5-config", var="HEIMDAL_KRB5_CONFIG") -if krb5_config: - # Not ideal, but seems like the best way to get at these paths: - f = open(krb5_config[0], 'r') - try: - for l in f: - if l.startswith("libdir="): - heimdal_libdirs.append(l.strip()[len("libdir="):]) - elif l.startswith("includedir="): - include_path = l.strip()[len("includedir="):] - heimdal_includedirs.append(include_path) - conf.define('HEIMDAL_KRB5_TYPES_PATH', - include_path + "/krb5-types.h") - finally: - f.close() - -def check_system_heimdal_lib(name, functions='', headers='', onlyif=None): - # Only use system library if the user requested the bundled one not be - # used. - if conf.LIB_MAY_BE_BUNDLED(name): - return False - setattr(conf.env, "CPPPATH_%s" % name.upper(), heimdal_includedirs) - setattr(conf.env, "LIBPATH_%s" % name.upper(), heimdal_libdirs) - if not conf.CHECK_BUNDLED_SYSTEM(name, checkfunctions=functions, headers=headers, - onlyif=onlyif): - return False - conf.define('USING_SYSTEM_%s' % name.upper(), 1) - return True - -def check_system_heimdal_binary(name): - if conf.LIB_MAY_BE_BUNDLED(name): - return False - if not conf.find_program(name, var=name.upper()): - return False - conf.define('USING_SYSTEM_%s' % name.upper(), 1) - return True - -check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h") - -if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"): - conf.env.CPPPATH_ROKEN_HOSTCC = conf.env.CPPPATH_ROKEN - conf.env.LIBPATH_ROKEN_HOSTCC = conf.env.LIBPATH_ROKEN - conf.env.LIB_ROKEN_HOSTCC = "roken" - conf.SET_TARGET_TYPE("ROKEN_HOSTCC", 'SYSLIB') - -# Make sure HAVE_CONFIG_H is unset, as the system Heimdal headers use it 
-# and include config.h if it is set, resulting in failure (since config.h -# doesn't yet exist) - -DEFINES = list(conf.env.DEFINES) -conf.undefine("HAVE_CONFIG_H") -while "HAVE_CONFIG_H=1" in conf.env.DEFINES: - conf.env.DEFINES.remove("HAVE_CONFIG_H=1") -try: - check_system_heimdal_lib("wind", "wind_stringprep", "wind.h", onlyif="roken") - check_system_heimdal_lib("hx509", "hx509_bitstring_print", "hx509.h", onlyif="roken wind") - check_system_heimdal_lib("asn1", "initialize_asn1_error_table", "asn1_err.h", onlyif="roken com_err") - check_system_heimdal_lib("heimbase", "heim_cmp", "heimbase.h", onlyif="roken") - check_system_heimdal_lib("hcrypto", "MD4_Init", "hcrypto/md4.h", - onlyif="asn1 roken com_err") - if check_system_heimdal_lib("krb5", "krb5_anyaddr", "krb5.h", - onlyif="roken wind asn1 hx509 hcrypto com_err heimbase"): - conf.CHECK_FUNCS_IN('krb5_free_unparsed_name', 'krb5', headers="krb5.h") - check_system_heimdal_lib("gssapi", "gss_oid_to_name", "gssapi.h", - onlyif="hcrypto asn1 roken krb5 com_err wind") - check_system_heimdal_lib("heimntlm", "heim_ntlm_ntlmv2_key", "heimntlm.h", - onlyif="roken hcrypto krb5") - if check_system_heimdal_lib("hdb", "hdb_db_dir", "krb5.h hdb.h", - onlyif="roken krb5 hcrypto com_err wind"): - conf.CHECK_CODE(''' - #include - int main(void) { hdb_enctype2key(NULL, NULL, NULL, 0, NULL); } - ''', - define='HDB_ENCTYPE2KEY_TAKES_KEYSET', - addmain=False, - lib='hdb', - msg='Checking whether hdb_enctype2key takes a keyset argument', - local_include=False) - - check_system_heimdal_lib("kdc", "kdc_log", "kdc.h", - onlyif="roken krb5 hdb asn1 heimntlm hcrypto com_err wind heimbase") -finally: - conf.env.DEFINES = DEFINES - -# With the proper checks in place we should be able to build against the system libtommath. 
-#if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'): -# conf.define('USING_SYSTEM_TOMMATH', 1) - -check_system_heimdal_binary("compile_et") -check_system_heimdal_binary("asn1_compile") diff --git a/wscript b/wscript index e38a8e9aecf..4a5fc421baa 100644 --- a/wscript +++ b/wscript @@ -246,14 +246,11 @@ def configure(conf): 'hx509', 'wind', 'gssapi', 'hcrypto', 'krb5', 'heimbase', 'asn1_compile', 'compile_et', 'kdc', 'hdb', 'heimntlm') + conf.PROCESS_SEPARATE_RULE('system_heimdal') + + if not conf.CONFIG_GET('KRB5_VENDOR'): + conf.PROCESS_SEPARATE_RULE('embedded_heimdal') - # Only process heimdal_build for non-MIT KRB5 builds - # When MIT KRB5 checks are done as above, conf.env.KRB5_VENDOR will be set - # to the lowcased output of 'krb5-config --vendor'. - # If it is not set or the output is 'heimdal', we are dealing with - # system-provided or embedded Heimdal build - if conf.CONFIG_GET('KRB5_VENDOR') in (None, 'heimdal'): - conf.RECURSE('source4/heimdal_build') conf.RECURSE('source4/lib/tls') conf.RECURSE('source4/dsdb/samdb/ldb_modules') conf.RECURSE('source4/ntvfs/sysdep') diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal new file mode 100644 index 00000000000..8c55ae2a938 --- /dev/null +++ b/wscript_configure_embedded_heimdal @@ -0,0 +1 @@ +conf.RECURSE('source4/heimdal_build') diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal new file mode 100644 index 00000000000..0ff6dad2f55 --- /dev/null +++ b/wscript_configure_system_heimdal 
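Review bot: The comment explaining the KRB5_VENDOR test is deleted from `configure()` in the wscript hunk without a replacement, while the condition changes from `in (None, 'heimdal')` to `not conf.CONFIG_GET('KRB5_VENDOR')`. Both new rule files call `conf.RECURSE('source4/heimdal_build')`, so if the system_heimdal rule has run and KRB5_VENDOR is still unset, the embedded rule presumably recurses a second time; whether that is a no-op is not visible here. I would keep a short comment above the `if`, for example `# KRB5_VENDOR is set by the MIT krb5 checks above; if it is unset we build Heimdal`. The body of `configure()` starts and ends outside the hunk.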
@@ -0,0 +1,99 @@ +import sys +from waflib import Logs + +conf.RECURSE('source4/heimdal_build') + +heimdal_includedirs = [] +heimdal_libdirs = [] +krb5_config = conf.find_program("krb5-config.heimdal", var="HEIMDAL_KRB5_CONFIG") +if not krb5_config: + krb5_config = conf.find_program("krb5-config", var="HEIMDAL_KRB5_CONFIG") +if krb5_config: + # Not ideal, but seems like the best way to get at these paths: + f = open(krb5_config[0], 'r') + try: + for l in f: + if l.startswith("libdir="): + heimdal_libdirs.append(l.strip()[len("libdir="):]) + elif l.startswith("includedir="): + include_path = l.strip()[len("includedir="):] + heimdal_includedirs.append(include_path) + conf.define('HEIMDAL_KRB5_TYPES_PATH', + include_path + "/krb5-types.h") + finally: + f.close() + +def check_system_heimdal_lib(name, functions='', headers='', onlyif=None): + # Only use system library if the user requested the bundled one not be + # used. + if conf.LIB_MAY_BE_BUNDLED(name): + return False + setattr(conf.env, "CPPPATH_%s" % name.upper(), heimdal_includedirs) + setattr(conf.env, "LIBPATH_%s" % name.upper(), heimdal_libdirs) + if not conf.CHECK_BUNDLED_SYSTEM(name, checkfunctions=functions, headers=headers, + onlyif=onlyif): + return False + conf.define('USING_SYSTEM_%s' % name.upper(), 1) + return True + +def check_system_heimdal_binary(name): + if conf.LIB_MAY_BE_BUNDLED(name): + return False + if not conf.find_program(name, var=name.upper()): + return False + conf.define('USING_SYSTEM_%s' % name.upper(), 1) + return True + +check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h") + +if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"): + conf.env.CPPPATH_ROKEN_HOSTCC = conf.env.CPPPATH_ROKEN + conf.env.LIBPATH_ROKEN_HOSTCC = conf.env.LIBPATH_ROKEN + conf.env.LIB_ROKEN_HOSTCC = "roken" + conf.SET_TARGET_TYPE("ROKEN_HOSTCC", 'SYSLIB') + +# Make sure HAVE_CONFIG_H is unset, as the system Heimdal headers use it +# and include config.h if it is set, 
resulting in failure (since config.h +# doesn't yet exist) + +DEFINES = list(conf.env.DEFINES) +conf.undefine("HAVE_CONFIG_H") +while "HAVE_CONFIG_H=1" in conf.env.DEFINES: + conf.env.DEFINES.remove("HAVE_CONFIG_H=1") +try: + check_system_heimdal_lib("wind", "wind_stringprep", "wind.h", onlyif="roken") + check_system_heimdal_lib("hx509", "hx509_bitstring_print", "hx509.h", onlyif="roken wind") + check_system_heimdal_lib("asn1", "initialize_asn1_error_table", "asn1_err.h", onlyif="roken com_err") + check_system_heimdal_lib("heimbase", "heim_cmp", "heimbase.h", onlyif="roken") + check_system_heimdal_lib("hcrypto", "MD4_Init", "hcrypto/md4.h", + onlyif="asn1 roken com_err") + if check_system_heimdal_lib("krb5", "krb5_anyaddr", "krb5.h", + onlyif="roken wind asn1 hx509 hcrypto com_err heimbase"): + conf.CHECK_FUNCS_IN('krb5_free_unparsed_name', 'krb5', headers="krb5.h") + check_system_heimdal_lib("gssapi", "gss_oid_to_name", "gssapi.h", + onlyif="hcrypto asn1 roken krb5 com_err wind") + check_system_heimdal_lib("heimntlm", "heim_ntlm_ntlmv2_key", "heimntlm.h", + onlyif="roken hcrypto krb5") + if check_system_heimdal_lib("hdb", "hdb_db_dir", "krb5.h hdb.h", + onlyif="roken krb5 hcrypto com_err wind"): + conf.CHECK_CODE(''' + #include + int main(void) { hdb_enctype2key(NULL, NULL, NULL, 0, NULL); } + ''', + define='HDB_ENCTYPE2KEY_TAKES_KEYSET', + addmain=False, + lib='hdb', + msg='Checking whether hdb_enctype2key takes a keyset argument', + local_include=False) + + check_system_heimdal_lib("kdc", "kdc_log", "kdc.h", + onlyif="roken krb5 hdb asn1 heimntlm hcrypto com_err wind heimbase") +finally: + conf.env.DEFINES = DEFINES + +# With the proper checks in place we should be able to build against the system libtommath. +#if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'): +# conf.define('USING_SYSTEM_TOMMATH', 1) + +check_system_heimdal_binary("compile_et") +check_system_heimdal_binary("asn1_compile") -- 2.17.0 
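Review bot: `f = open(krb5_config[0], 'r')` reads krb5-config in text mode, which the commit message already names as failing under python3 on FreeBSD 12, yet the new file has no comment recording that limitation. I would add `# NOTE: text-mode read fails on non-ASCII bytes in krb5-config under python3, see bug 14179` above the open, so a configure traceback can be traced to its cause. The values are also used verbatim after `l.strip()`, so any quoting or variable reference in the script would reach CPPPATH/LIBPATH unchanged. `import sys` and `from waflib import Logs` are not used anywhere in the 99 added lines and can be dropped.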
From f71dbc41f5308c9d46cda69748f8abde6ad22226 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Wed, 30 Oct 2019 13:15:48 -0700 Subject: [PATCH 2/6] wscript: Fix build with system heimdal Ubuntu has heimdal include files in /usr/include/heimdal. As the kerberos include files are pulled into many files through indirect includes, add the discovered include paths to EXTRA_INCLUDES to always have them available. Also set USING_SYSTEM_KRB5 when enabling the system heimdal build, to correctly handle the inclusion of the krb5-types.h file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Christof Schmitt Reviewed-by: Andrew Bartlett (cherry picked from commit be2d90b60d19eca408b60fe4e1b49f9b418f1b97) --- wscript_configure_system_heimdal | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal index 0ff6dad2f55..235fa1912b7 100644 --- a/wscript_configure_system_heimdal +++ b/wscript_configure_system_heimdal @@ -18,6 +18,7 @@ if krb5_config: elif l.startswith("includedir="): include_path = l.strip()[len("includedir="):] heimdal_includedirs.append(include_path) + conf.ADD_EXTRA_INCLUDES(include_path) conf.define('HEIMDAL_KRB5_TYPES_PATH', include_path + "/krb5-types.h") finally: @@ -97,3 +98,5 @@ finally: check_system_heimdal_binary("compile_et") check_system_heimdal_binary("asn1_compile") + +conf.define('USING_SYSTEM_KRB5', 1) -- 2.17.0 From 9dfcd83fb782d6e05c4684603c18eb05271260ea Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 9 Nov 2019 15:36:32 +0000 Subject: [PATCH 3/6] selftest: system-heimdal: workaround upstream "host" canon bug BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Isaac Boukris Reviewed-by: Christof Schmitt Reviewed-by: Andrew Bartlett (cherry picked from commit 15ddd95d94688ed742a2965c4b269d7c84e2d858) --- selftest/target/Samba.pm | 7 +++++++ 1 file changed, 7 insertions(+) 
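Review bot: `conf.ADD_EXTRA_INCLUDES(include_path)` in the first hunk adds a path parsed from whichever `krb5-config.heimdal` or `krb5-config` was found to EXTRA_INCLUDES, which the commit message says makes it always available, without checking the value. The path is `l.strip()[len("includedir="):]` taken as-is, so an empty, relative or quoted value would change header resolution for the whole tree rather than only for the Heimdal checks. I would guard the call, e.g. `if os.path.isabs(include_path) and os.path.isdir(include_path):`, which needs `import os` at the top of the file, and report the rejected value otherwise. The `if krb5_config:` block starts and ends outside this hunk.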
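Review bot: `conf.define('USING_SYSTEM_KRB5', 1)` in the second hunk is unconditional, although `check_system_heimdal_lib("krb5", ...)` already defines `'USING_SYSTEM_%s' % name.upper()` when the system library is accepted. The added line therefore changes the result only when that check returned False, that is when krb5 may be bundled or the system check failed. If forcing the define in that case is intended, say so in a comment such as `# Force this even if the krb5 check above returned False: the krb5-types.h include handling depends on it`. If it is not intended, reuse the return value of the krb5 check instead of defining it at the end of the file.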
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 3fe53f94a2c..3b47a9f9589 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -240,6 +240,7 @@ sub mk_krb5_conf($$) $ctx->{dnsname}, $ctx->{domain}, $ctx->{kdc_ipv4}); + my $lc_domain = lc($ctx->{domain}); print KRB5CONF " #Generated krb5.conf for $ctx->{realm} @@ -254,6 +255,12 @@ sub mk_krb5_conf($$) # This is especially required by samba3.raw.session krb5 and # reauth tests clockskew = 5 + + name_canon_rules=as-is:realm=$ctx->{realm} + name_canon_rules=as-is:realm=$ctx->{dnsname} + name_canon_rules=as-is:realm=$ctx->{domain} + name_canon_rules=as-is:realm=$lc_domain + # We are running on the same machine, do not correct # system clock differences kdc_timesync = 0 -- 2.17.0 From aa5c9f09901e2aa95a0f349da632b9749124b64e Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Mon, 11 Nov 2019 13:08:28 -0700 Subject: [PATCH 4/6] krb5_plugin: Use C99 initializer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Christof Schmitt Reviewed-by: Andrew Bartlett (cherry picked from commit 1aef796e302058ad3327613964fa89abaf940c1c) --- nsswitch/krb5_plugin/winbind_krb5_locator.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/nsswitch/krb5_plugin/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c index 518c871b248..a31c0822370 100644 --- a/nsswitch/krb5_plugin/winbind_krb5_locator.c +++ b/nsswitch/krb5_plugin/winbind_krb5_locator.c @@ -409,10 +409,10 @@ static krb5_error_code smb_krb5_locator_lookup(void *private_data, #endif const krb5plugin_service_locate_ftable SMB_KRB5_LOCATOR_SYMBOL_NAME = { - 0, /* version */ - smb_krb5_locator_init, - smb_krb5_locator_close, - smb_krb5_locator_lookup, + .minor_version = 0, + .init = smb_krb5_locator_init, + .fini = smb_krb5_locator_close, + .lookup = smb_krb5_locator_lookup, }; #endif -- 2.17.0 From d00dab572cbd15faae056d46324d4c57e90c7ef9 Mon Sep 17 00:00:00 2001 
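Review bot: The four `name_canon_rules=as-is:realm=...` lines in the second Samba.pm hunk are written into the generated krb5.conf with no comment, so the file gives no hint that they are a workaround or when they can be removed. The subject calls it an upstream "host" canon bug; I would add a line in the heredoc next to the existing `#` comments, e.g. `# Workaround for upstream Heimdal "host" canonicalisation bug, see bug 14179`. As far as the hunk shows, the rules are emitted for every generated krb5.conf and not only for system-heimdal runs, so it is worth confirming that other Kerberos builds reading this file ignore the key. `mk_krb5_conf` continues outside both hunks; the `$lc_domain` line in the first hunk only feeds the fourth rule.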
From: Christof Schmitt Date: Mon, 11 Nov 2019 13:37:25 -0700 Subject: [PATCH 5/6] krb5_plugin: Fix developer build with newer heimdal system library Newer heimdal versions provide a different locator plugin interface. The function pointer for the old method has been renamed. Use an ifdef to initialize the correct pointer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Christof Schmitt Reviewed-by: Andrew Bartlett (cherry picked from commit 85d23236200dbe013c09a4f23d982ef1baac240d) --- nsswitch/krb5_plugin/winbind_krb5_locator.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nsswitch/krb5_plugin/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c index a31c0822370..d08cdf72a59 100644 --- a/nsswitch/krb5_plugin/winbind_krb5_locator.c +++ b/nsswitch/krb5_plugin/winbind_krb5_locator.c @@ -412,7 +412,11 @@ const krb5plugin_service_locate_ftable SMB_KRB5_LOCATOR_SYMBOL_NAME = { .minor_version = 0, .init = smb_krb5_locator_init, .fini = smb_krb5_locator_close, +#ifdef KRB5_PLUGIN_LOCATE_VERSION_2 + .old_lookup = smb_krb5_locator_lookup, +#else .lookup = smb_krb5_locator_lookup, +#endif }; #endif -- 2.17.0 From bee3fb7e76469cc87f5b4a47482e7d58358a2d10 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Wed, 30 Oct 2019 13:45:55 -0700 Subject: [PATCH 6/6] autobuild: Add test for build with system heimdal library The configure option --with-system-heimdalkrb5 requires --without-ad-dc. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14179 Signed-off-by: Christof Schmitt Reviewed-by: Andrew Bartlett (cherry picked from commit 7965a204d68196acddf553959bb3407125baf31d) --- script/autobuild.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/script/autobuild.py b/script/autobuild.py index 67c18a1aa35..5f55f7a9093 100755 --- a/script/autobuild.py +++ b/script/autobuild.py 
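Review bot: When `KRB5_PLUGIN_LOCATE_VERSION_2` is defined, the table still sets `.minor_version = 0` and fills only `.old_lookup`, so any newer lookup member of the struct is left zero-initialised by the designated initialiser. That is presumably intended, with minor version 0 telling the library to call the old entry point, but nothing in the initialiser says so. A later bump of `minor_version` without a new callback could then leave the library with a NULL pointer. I would add a comment at the `#ifdef`, e.g. `/* minor_version 0: library uses old_lookup; the new lookup member is left NULL on purpose */`. The initialiser starts outside the hunk.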
@@ -40,6 +40,7 @@ builddirs = { "samba-nt4": ".", "samba-nt4-py2": ".", "samba-fileserver": ".", + "samba-ktest-heimdal": ".", "samba-xc": ".", "samba-o3": ".", "samba-ctdb": ".", @@ -144,6 +145,16 @@ tasks = { "--include-env=fileserver'", "text/plain"), ("check-clean-tree", "script/clean-source-tree.sh", "text/plain")], + "samba-ktest-heimdal": [ + ("random-sleep", "script/random-sleep.sh 60 600", "text/plain"), + ("configure", "./configure.developer --without-ad-dc --with-system-heimdalkrb5 --with-selftest-prefix=./bin/ab" + samba_configure_params, "text/plain"), + ("make", "make -j", "text/plain"), + ("test", "make test FAIL_IMMEDIATELY=1 " + "TESTS='${PY3_ONLY}" + "--include-env=ktest'", "text/plain"), + ("check-clean-tree", "script/clean-source-tree.sh", "text/plain"), + ], + # We split out this so the isolated ad_dc tests do not wait for ad_dc_ntvfs tests (which are long) "samba-ad-dc": [("random-sleep", "script/random-sleep.sh 60 600", "text/plain"), ("configure", "./configure.developer --with-selftest-prefix=./bin/ab" + samba_configure_params, "text/plain"), -- 2.17.0