1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/nsswitch/wscript_build

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

177 lines
6.0 KiB
Plaintext
Raw Normal View History

#!/usr/bin/env python
from waflib import Utils
import sys
host_os = sys.platform
bld.SAMBA_BINARY('nsstest',
source='nsstest.c',
deps='replace dl',
build: Do not build selftest binaries for builds without --enable-selftest Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY() This allows us to be much more consistent (at least in the core Samba) and documents clearly why the binary should not be installed. Not modified are - test_lp_load - notifyd-tests - gendrandperf - test* from examples/libsmbclient - dbwrap_torture - split_tokens - locktest2 - msgtest - msg_sink - msg_source - versiontest - rpc_open_tcp - test_headers As these are not tested in selftest so any change would also be untested. Of course they probably should be added in a different MR. Also not modified (because they are not tests, nor part of the build system) are: - smb2mount - notifydd - log2pacp - debug2html - smbfilter - destroy_netlogon_creds_cli - spotlight2* - tevent_glib_tracker These do however appear to be untested. For now, the source4 forked client tools are left unchanged: - smbclient4 - nmblookup4 Finally, the heimdal binaries are left as install=False as they are either part of the build system or end-user tools that we just don't want to install. These are however tested. The motivation is commit like c34ec003b7d45aa4196ff93a0ac29694b25e5309 and da87fa998ab71328f30bcdf5b41aee8675aee48a, which are both totally correct but are not needed if the selftest is not run on MacOS. There are likely other platforms or build environments where building our test binaries is more pain than valuable, see for example also https://lists.samba.org/archive/samba/2019-November/227137.html Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Autobuild-User(master): Isaac Boukris <iboukris@samba.org> Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 00:06:57 +03:00
for_selftest=True
)
if bld.CONFIG_SET('HAVE_PTHREAD'):
bld.SAMBA_BINARY('stress-nss-libwbclient',
source='stress-nss-libwbclient.c',
deps='wbclient pthread',
build: Do not build selftest binaries for builds without --enable-selftest Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY() This allows us to be much more consistent (at least in the core Samba) and documents clearly why the binary should not be installed. Not modified are - test_lp_load - notifyd-tests - gendrandperf - test* from examples/libsmbclient - dbwrap_torture - split_tokens - locktest2 - msgtest - msg_sink - msg_source - versiontest - rpc_open_tcp - test_headers As these are not tested in selftest so any change would also be untested. Of course they probably should be added in a different MR. Also not modified (because they are not tests, nor part of the build system) are: - smb2mount - notifydd - log2pacp - debug2html - smbfilter - destroy_netlogon_creds_cli - spotlight2* - tevent_glib_tracker These do however appear to be untested. For now, the source4 forked client tools are left unchanged: - smbclient4 - nmblookup4 Finally, the heimdal binaries are left as install=False as they are either part of the build system or end-user tools that we just don't want to install. These are however tested. The motivation is commit like c34ec003b7d45aa4196ff93a0ac29694b25e5309 and da87fa998ab71328f30bcdf5b41aee8675aee48a, which are both totally correct but are not needed if the selftest is not run on MacOS. There are likely other platforms or build environments where building our test binaries is more pain than valuable, see for example also https://lists.samba.org/archive/samba/2019-November/227137.html Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Isaac Boukris <iboukris@samba.org> Autobuild-User(master): Isaac Boukris <iboukris@samba.org> Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 00:06:57 +03:00
for_selftest=True
)
# The nss_wrapper code relies strictly on the linux implementation and
# name, so compile but do not install a copy under this name.
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_wrapper_winbind',
cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
source='winbind_nss_linux.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='libnss_wrapper_winbind.so.2',
install=False,
vnum='2')
# FIXME: original was *linux* | gnu* | k*bsd*-gnu | kopensolaris*-gnu)
# the search for .rfind('gnu') covers gnu* and *-gnu is that too broad?
if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
keep_underscore=True,
cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
source='winbind_nss_linux.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='libnss_winbind.so.2',
soname='libnss_winbind.so.2',
vnum='2')
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA3_PLUGIN('nss_wins',
keep_underscore=True,
cflags='-D_PUBLIC_ON_LINUX_=_PUBLIC_',
source='wins.c',
deps='wbclient replace',
realname='libnss_wins.so.2',
soname='libnss_wins.so.2',
vnum='2')
elif (host_os.rfind('freebsd') > -1):
# FreeBSD winbind client is implemented as a wrapper around
# the Linux version.
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
source='winbind_nss_linux.c winbind_nss_freebsd.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='nss_winbind.so.1',
vnum='1')
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA3_PLUGIN('nss_wins',
source='wins.c wins_freebsd.c',
deps='''wbclient''',
realname='nss_wins.so.1',
vnum='1')
elif (host_os.rfind('netbsd') > -1):
# NetBSD winbind client is implemented as a wrapper
# around the Linux version. It needs getpwent_r() to
# indicate libc's use of the correct nsdispatch API.
if bld.CONFIG_SET("HAVE_GETPWENT_R"):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
source='winbind_nss_linux.c winbind_nss_netbsd.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='libnss_winbind.so')
elif Utils.unversioned_sys_platform() == 'sunos':
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
source='winbind_nss_solaris.c winbind_nss_linux.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='nss_winbind.so.1',
vnum='1')
elif (host_os.rfind('hpux') > -1):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
source='winbind_nss_linux.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='libnss_winbind.so')
elif (host_os.rfind('aix') > -1):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('nss_winbind',
source='winbind_nss_aix.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='wbclient',
realname='WINBIND')
if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('pamwinbind',
source='pam_winbind.c',
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
deps='talloc wbclient tiniparser pam samba_intl',
2010-10-24 03:23:53 +04:00
cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
realname='pam_winbind.so',
install_path='${PAMMODULESDIR}'
2010-10-24 03:23:53 +04:00
)
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
if bld.CONFIG_GET("USING_SYSTEM_KRB5"):
# If we build locator plugins for a
# system library we should use builtin
# linking of our own subsystems,
# while we may link to the system
# krb5 libraries.
winbind_krb5_require_builtin_deps = True
else:
# If we build locator plugins for our own heimdal
# version we don't want to do builtin linking.
# As we're already using private libraries
# it's not a problem...
winbind_krb5_require_builtin_deps = False
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('winbind_krb5_locator',
source='krb5_plugin/winbind_krb5_locator.c',
deps='wbclient krb5 com_err',
require_builtin_deps=winbind_krb5_require_builtin_deps,
realname='winbind_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
# libkrb5.so scans it's plugin directories for files
# and calls dlopen()/dlsym() on them. The actual path
# depends on MIT vs. Heimdal.
#
# The async_dns_krb5_locator don't use winbind,
# instead it uses almost all of samba directly,
# which means everything will be injected
# into all processes using the libkrb5.so.
#
# See https://bugzilla.samba.org/show_bug.cgi?id=14780
# why this is a bad idea.
#
# We install this plugin (and also the other krb5 plugins)
# under Samba's MODULESDIR, it's not available to
# libkrb5.so by default.
#
# Packagers should leave it that way and allow admins
# to create symlinks for the plugins they actually want
# to be used.
bld.SAMBA_PLUGIN('async_dns_krb5_locator',
source='krb5_plugin/async_dns_krb5_locator.c',
deps='''
talloc
addns
samba_intl
libsmb
smbconf
KRBCLIENT
smbd_base
krb5
com_err
''',
require_builtin_deps=False,
realname='async_dns_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-07-01 13:08:16 +03:00
bld.SAMBA_PLUGIN('winbind_krb5_localauth',
source='krb5_plugin/winbind_krb5_localauth.c',
deps='wbclient krb5 com_err',
require_builtin_deps=winbind_krb5_require_builtin_deps,
realname='winbind_krb5_localauth.so',
install_path='${MODULESDIR}/krb5')
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
source='wb_reqtrans.c',
deps='talloc tevent LIBASYNC_REQ'
)
bld.SAMBA_BINARY('wbinfo',
source='wbinfo.c',
deps='samba-util LIBCLI_AUTH popt cmdline wbclient LIBAFS_SETTOKEN'
)