1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

63 Commits

Author SHA1 Message Date
Stefan Metzmacher
66e90b7391 nsswitch: reduce dependecies to private libraries and link static/builtin if possible
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Stefan Metzmacher
419ca68de0 nsswitch: explicitly mark NSS_STATUS _nss_winbind_* symbols as _PUBLIC_ on Linux
The symbols which are used via dlopen()/dlsym() need to be exported,
in future we'll do hide all other symbols.

On other platforms, which are implemented as wrappers above the
Linux implementation, we mark the symbols as _PRIVATE_

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-11-30 15:53:34 +00:00
Andreas Schneider
387bb56bcd nsswitch: Migrate wbinfo to new cmdline option parser
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-20 23:26:32 +00:00
Jeremy Allison
728dd396f8 nsswitch: Add an async DNS kerberos locator plugin.
Used in production on a large customer site.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-10-08 15:07:30 +00:00
Andrew Bartlett
6107c79c90 build: Do not build selftest binaries for builds without --enable-selftest
Add new for_selftest option to SAMBA_BINARY() and SAMBA3_BINARY()

This allows us to be much more consistent (at least in the core Samba)
and documents clearly why the binary should not be installed.

Not modified are
 - test_lp_load
 - notifyd-tests
 - gendrandperf
 - test* from examples/libsmbclient
 - dbwrap_torture
 - split_tokens
 - locktest2
 - msgtest
 - msg_sink
 - msg_source
 - versiontest
 - rpc_open_tcp
 - test_headers

As these are not tested in selftest so any change would also be
untested.  Of course they probably should be added in a different
MR.

Also not modified (because they are not tests, nor part of the
build system) are:
 - smb2mount
 - notifydd
 - log2pacp
 - debug2html
 - smbfilter
 - destroy_netlogon_creds_cli
 - spotlight2*
 - tevent_glib_tracker

These do however appear to be untested.

For now, the source4 forked client tools are left unchanged:
 - smbclient4
 - nmblookup4

Finally, the heimdal binaries are left as install=False as
they are either part of the build system or end-user tools
that we just don't want to install.  These are however tested.

The motivation is commit like c34ec003b7
and da87fa998a, which are both totally
correct but are not needed if the selftest is not run on MacOS.

There are likely other platforms or build environments where building
our test binaries is more pain than valuable, see for example also
https://lists.samba.org/archive/samba/2019-November/227137.html

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Fri Nov 22 11:48:59 UTC 2019 on sn-devel-184
2019-11-22 11:48:59 +00:00
Isaac Boukris
d473f1e38c nsswitch: Link stress-nss-libwbclient against pthread
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14140

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2019-10-16 09:33:32 +00:00
Ralph Wuerthner
b5ea7946f8 nsswitch: add test for parallel NSS & libwbclient calls
Signed-off-by: Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-11-01 01:59:10 +01:00
Alexander Bokovoy
8a7411633e nsswitch/wscript_build: update to handle waf 2.0.4
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-09-05 06:37:23 +02:00
Volker Lendecke
3c9b88ba1c nsswitch: Remove IRIX support
According to wikipedia, IRIX has seen the last patch update in August 2006. As
of now, www.sgi.com is unreachable. Probably this code has not been built in
years. If someone wants to revive it, it can be found in the git history.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-07-24 20:36:50 +02:00
Andreas Schneider
4a7e0f259b krb5_plugin: Move krb5 locator plugin to krb5_plugin subdir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-27 16:00:19 +02:00
Andreas Schneider
eba2eb8a15 krb5_plugin: Install plugins to krb5 modules dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2018-06-27 16:00:19 +02:00
Andreas Schneider
5e89a23ffa krb5_plugin: Add winbind localauth plugin for MIT Kerberos
Applications (like OpenSSH) don't know about users and and
their relationship to Kerberos principals. This plugin allows that
Kerberos principals can be validated against local user accounts.

Administrator@WURST.WORLD -> WURST\Administrator

https://web.mit.edu/kerberos/krb5-latest/doc/plugindev/localauth.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13480

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jun 21 15:52:02 CEST 2018 on sn-devel-144
2018-06-21 15:52:02 +02:00
Andreas Schneider
d8a5565ae6 waf: Explicitly link against libnss_wins.so
If we do not specify replace as a depencency here, it will not link to
libreplace using an rpath.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Jim McDonough <jmcd@samba.org>

Autobuild-User(master): Jim McDonough <jmcd@samba.org>
Autobuild-Date(master): Tue Sep 20 08:00:08 CEST 2016 on sn-devel-144
2016-09-20 08:00:08 +02:00
Andreas Schneider
5ab1452436 nss_wins: Use libwbclient to query wins server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11563

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2015-10-26 21:23:21 +01:00
Björn Jacke
a997c7780e nss_wins: add module for FreeBSD
Thanks to Timur Bakeyev <timur@FreeBSD.org> for the patch.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11493

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Ralph Böhme <rb@sernet.de>
2015-09-11 00:34:30 +02:00
Stefan Metzmacher
575b093dac nsswitch: fix soname of linux nss_*.so.2 modules
Bug: https://bugzilla.samba.org/show_bug.cgi?id=9299

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-12-19 13:15:12 +01:00
Jeremy Allison
8bbf901f93 Replace all uses of iniparser with tiniparser.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
2014-08-14 21:27:13 +02:00
Björn Jacke
0b4af49d27 waf: fix the name of the WINBIND "nss" module on AIX
on AIX this is actually not called NSS and PAM, this is combined im LAM (loadable
authentication module)

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 12 13:32:28 CEST 2014 on sn-devel-104
2014-06-12 13:32:28 +02:00
Andreas Schneider
d407446ddc Remove special socket_wrapper code.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-04-17 14:56:06 +02:00
Christian Ambach
20b64eae75 waf: replace dependency to libintl with samba_intl
Signed-off-by: Christian Ambach <ambi@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Christian Ambach <ambi@samba.org>
Autobuild-Date(master): Mon Aug 12 00:46:34 CEST 2013 on sn-devel-104
2013-08-12 00:46:34 +02:00
Richard Sharpe
11d1286323 Correct the name of the nss_winbind module for FreeBSD by creating a symlink
from the FreeBSD required name to the built module.

Signed-off-by: Timur Bakeyev <timur@FreeBSD.org>
Reviewed-by: Andrew Bartlett <abartlett@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>

Autobuild-User(master): Richard Sharpe <sharpe@samba.org>
Autobuild-Date(master): Fri Mar  8 05:04:04 CET 2013 on sn-devel-104
2013-03-08 05:04:04 +01:00
Andrew Bartlett
f22e15d9d5 build: Do not install testing binaries
These binaries are for developer or selftest use, and are not
supported for installation onto the system.  The autoconf build does
not install these binaries, and so neither should the waf build.

Andrew Bartlett

Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Nov 22 12:00:36 CET 2012 on sn-devel-104
2012-11-22 12:00:36 +01:00
Andreas Schneider
1f017efeed waf: Create a libnss_winbind.so symlink.
This fixes bug #9299.
2012-10-22 09:04:21 +02:00
Andrew Bartlett
1f267ca10e nsswitch: Build nss_winbind on all supported platforms
This matches what the autoconf build can do.

Andrew Bartlett
2012-10-03 14:25:57 +02:00
Andrew Bartlett
0e037bfc60 selftest: Always build a linux-style nss_winbind for nss_wrapper 2012-10-03 14:25:57 +02:00
Ira Cooper
6dbe0aad26 s3: Fix libnss_winbind.so's build on Illumos/Solaris
Due to not building and linking in the winbind_nss_solaris bits in addition
to the linux bits, nss was broken on Solaris.

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Sun Sep 30 22:56:30 CEST 2012 on sn-devel-104
2012-09-30 22:56:29 +02:00
Günther Deschner
5f05eacd27 allow to use system iniparser library.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Wed May  9 17:38:33 CEST 2012 on sn-devel-104
2012-05-09 17:38:33 +02:00
Andrew Bartlett
078db8f6c9 build: build wbinfo only once in the waf build
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Sat Oct  8 04:52:03 CEST 2011 on sn-devel-104
2011-10-08 04:52:03 +02:00
Ewoud Kohl van Wijngaarden
2d6571d2e5 Add missing com_err dependencies
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Thu Oct  6 02:10:21 CEST 2011 on sn-devel-104
2011-10-06 02:10:21 +02:00
Günther Deschner
e68c4f4b33 waf: install pam modules in PAMMODULESDIR.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Tue Sep  6 11:09:45 CEST 2011 on sn-devel-104
2011-09-06 11:09:45 +02:00
Kai Blin
05d00ed479 nsswitch: Fix build check logic
Only build pam_winbind.so if we want pam modules _and_ have the libs

Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Sun May  8 23:56:33 CEST 2011 on sn-devel-104
2011-05-08 23:56:33 +02:00
Andrew Tridgell
a493bf9103 nsswitch: depend on dl
The previous merge in this area didn't preserve the 'dl' depedency,
which may be required on some platforms.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-02-18 17:00:34 +11:00
Günther Deschner
bc83400d81 nsswitch: make wb_reqtrans a common subsystem.
Guenther
2011-02-17 00:52:42 +01:00
Günther Deschner
743b13b8e0 s3-waf: make most of the nsswitch common.
Guenther
2011-02-17 00:52:42 +01:00
Günther Deschner
9867b7bf34 s4-waf: move wbinfo buildrule to winbind.
Will be moved back later, once we have a more common samba-util.so

Guenther
2011-02-17 00:52:16 +01:00
Stefan Metzmacher
b79c0e1adb Revert "nsswitch Add talloc depencency for nsstest"
This reverts commit 640028d158.

This is not needed anymore.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Jan  4 09:38:57 CET 2011 on sn-devel-104
2011-01-04 09:38:57 +01:00
Andrew Bartlett
640028d158 nsswitch Add talloc depencency for nsstest
nsstest does not use talloc, but it includes talloc.h via includes.h,
and so without this it cannot find the right internal header.

This wasn't noticed before, as most linux developer boxes have a talloc.h.

The issue was reported by Adam Tauno Williams <awilliam at whitemice.org>

Andrew Bartlett
2011-01-04 14:41:38 +11:00
Günther Deschner
ba21b6e3d4 s4-waf: nsstest only needs replace.
Guenther

Autobuild-User: Günther Deschner <gd@samba.org>
Autobuild-Date: Thu Dec 16 11:40:52 CET 2010 on sn-devel-104
2010-12-16 11:40:52 +01:00
Matthieu Patou
24cac449a1 build: change lib order to fix build on netbsd
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sun Dec 12 10:54:02 CET 2010 on sn-devel-104
2010-12-12 10:54:02 +01:00
Björn Jacke
ffc3f943cd s4/waf: add intl dependency for nss_winnbind
needed to fix a build issue on NetBSD and other platforms

Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Wed Dec  1 16:15:19 CET 2010 on sn-devel-104
2010-12-01 16:15:19 +01:00
Jelmer Vernooij
8cf61377aa waf: Remove lib prefix from libraries manually. 2010-10-26 10:17:17 -07:00
Jelmer Vernooij
d9cbcdd410 s4: Drop duplicate 'lib' prefix for private libraries. 2010-10-26 10:17:16 -07:00
Jelmer Vernooij
a57bd4e2d8 s4: Rename WBCLIENT to wbclient. 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
833480d3ad s4: Rename LIBSAMBA-* to libsamba-* 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
ca16d805bd s4: Rename LIBSECURITY{_SESSION,} to libsecurity{_session,} 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
2bcd7f6827 waf: Rename LIBWINBIND-CLIENT to libwinbind-client 2010-10-24 00:20:04 +00:00
Jelmer Vernooij
2933fac7c7 s4: Rename NSS_WRAPPER to nss_wrapper.
Only link to nss_wrapper when it is enabled.

Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Oct 23 23:05:44 UTC 2010 on sn-devel-104
2010-10-23 23:05:43 +00:00
Jelmer Vernooij
9757a0c54c s4: Rename UID_WRAPPER to uid_wrapper.
Only link to uid_wrapper when it is enabled.
2010-10-23 22:24:06 +00:00
Andrew Tridgell
323c1a8679 nsswitch: make LIBWINBIND-CLIENT a private library 2010-10-21 19:03:25 +11:00
Andrew Bartlett
a879a4610d libcli/auth Merge source4/libcli/security and util_sid.c into the common code
This should ensure we only have one copy of these core functions
in the tree.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-14 02:35:05 +00:00