samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

47 lines

1.2 KiB

Bash

Raw Normal View History

python: Add a simple pam_winbind test Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144 2017-04-05 15:59:39 +02:00			`#!/bin/sh`

			`PYTHON="$1"`
			`PAM_WRAPPER_SO_PATH="$2"`
			`shift 2`

python/samba/tests: don't use hardcoded names in pam_winbind tests Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 2017-06-09 14:52:59 +02:00			`DOMAIN="$1"`
			`export DOMAIN`
			`USERNAME="$2"`
			`export USERNAME`
			`PASSWORD="$3"`
			`export PASSWORD`
			`shift 3`

test_pam_winbind.sh: allow different pam_winbindd config options to be specified BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Guenther Deschner <gd@samba.org> 2019-09-18 01:25:58 +02:00			`PAM_OPTIONS="$1"`
			`export PAM_OPTIONS`
			`shift 1`

build: Move pam_wrapper to third_party Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org> 2017-11-24 13:34:25 +01:00			`PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper"`
python: Add a simple pam_winbind test Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144 2017-04-05 15:59:39 +02:00
nsswitch: reduce dependecies to private libraries and link static/builtin if possible Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so\| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 2021-07-01 12:08:16 +02:00			`pam_winbind="$BINDIR/plugins/pam_winbind.so"`
python: Add a simple pam_winbind test Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144 2017-04-05 15:59:39 +02:00			`service_dir="$SELFTEST_TMPDIR/pam_services"`
			`service_file="$service_dir/samba"`

			`mkdir $service_dir`
python: Reformat shell scripts shfmt -f python/ \| xargs shfmt -w -p -i 0 -fn Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2022-02-21 13:59:33 +01:00			`echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" >$service_file`
			`echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file`
			`echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file`
			`echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >>$service_file`
python: Add a simple pam_winbind test Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Apr 7 14:19:23 CEST 2017 on sn-devel-144 2017-04-05 15:59:39 +02:00
			`PAM_WRAPPER="1"`
			`export PAM_WRAPPER`
			`PAM_WRAPPER_SERVICE_DIR="$service_dir"`
			`export PAM_WRAPPER_SERVICE_DIR`
			`LD_PRELOAD="$LD_PRELOAD:$PAM_WRAPPER_SO_PATH"`
			`export LD_PRELOAD`

			`PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"}`
			`export PAM_WRAPPER_DEBUGLEVEL`

			`PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind`
			`exit_code=$?`

			`rm -rf $service_dir`

			`exit $exit_code`

47 lines 1.2 KiB Bash Raw Normal View History Unescape Escape

47 lines

1.2 KiB

Bash

Raw Normal View History