66e90b7391
Over the last month I got more and more reports that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g.

    ldd /usr/lib64/sssd/libsss_ad.so | grep samba
       libsamba-util.so.0 => /lib64/libsamba-util.so.0
       libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
       libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
       libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
       libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
       libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
       libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
       libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
       libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
       libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads, dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol versions within the other one don't match, as they contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem.

We have the following libraries, which are in that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seems to solve the problem, but injecting an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g.

    bld.SAMBA_SUBSYSTEM('replace-hidden',
                        source=REPLACE_SOURCE,
                        group='base_libraries',
                        hide_symbols=True,
                        deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long as it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins.

Note that at least the locator plugins are always loaded without any configuration, every .so in a special path is loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so.

As a long-term solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process.

Note I added hide_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but someone with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal dependency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so also standalone without dependencies on other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
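A packaging check for the rule stated in the commit message above (modules loaded into arbitrary processes should depend only on libc.so and related basic system libraries, and should not carry an RPATH). This is an added example, not code from the commit or from the Samba project. It assumes the input is the text printed by `readelf -d` for one module; the allowlist of base sonames and both sample dumps are constructed for illustration.

```python
import re

# Assumption of this example: sonames treated as "libc.so and related basic
# system libraries". Adjust per platform (pam_winbind.so also needs libpam).
BASE_SONAME = re.compile(
    r"^(libc|libdl|libm|libpthread|librt|libresolv|libpam|ld-linux[\w-]*)"
    r"\.so(\.\d+)*$"
)
# Matches `readelf -d` lines such as:
#  0x...01 (NEEDED)  Shared library: [libc.so.6]
DYN_ENTRY = re.compile(r"\((NEEDED|RPATH|RUNPATH)\)\s+[^\[\n]*\[([^\]\n]*)\]")


def audit_dynamic_section(readelf_text):
    """Return (problem, value) pairs for one module's `readelf -d` output."""
    findings = []
    for tag, value in DYN_ENTRY.findall(readelf_text):
        if tag == "NEEDED":
            if not BASE_SONAME.match(value):
                findings.append(("non-base dependency", value))
        else:
            # The commit names RPATH; RUNPATH is flagged too (assumption).
            findings.append((tag.lower() + " set", value))
    return findings


# Constructed samples, not taken from a real build.
LINKED_AGAINST_CUSTOM_BUILD = """\
 0x0000000000000001 (NEEDED)   Shared library: [libreplace-samba4.so]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000e (SONAME)   Library soname: [libnss_winbind.so.2]
 0x000000000000000f (RPATH)    Library rpath: [/opt/samba-custom/lib/private]
"""
STANDALONE = """\
 0x0000000000000001 (NEEDED)   Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
 0x000000000000000e (SONAME)   Library soname: [libnss_winbind.so.2]
"""

if __name__ == "__main__":
    for name, text in (("custom build", LINKED_AGAINST_CUSTOM_BUILD),
                       ("standalone", STANDALONE)):
        print(name, audit_dynamic_section(text) or "ok")
```

Run it over the `readelf -d` output of each module listed in the commit message; an empty result means the module pulls in nothing beyond the allowlisted base libraries.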
About Samba
Samba is the standard Windows interoperability suite of programs for Linux and Unix. Samba is Free Software licensed under the GNU General Public License and the Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has provided secure, stable and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux and many others. Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function either as a domain controller or as a regular domain member.
For the AD DC implementation a full HOWTO is provided at: https://wiki.samba.org/index.php/Samba4/HOWTO
Community guidelines can be read at: https://wiki.samba.org/index.php/How_to_do_Samba:_Nicely
This software is freely distributable under the GNU public license, a copy of which you should have received with this software (in a file called COPYING).
CONTRIBUTIONS
Please see https://wiki.samba.org/index.php/Contribute for detailed step-by-step instructions on how to submit a patch for Samba via GitLab.
Samba's GitLab mirror is at https://gitlab.com/samba-team/samba
OUR CONTRIBUTORS
See https://www.samba.org/samba/team/ for details of the Samba Team, as well as details of all those currently active in Samba development.
If you like a particular feature then look through the git change-log (on the web at https://gitweb.samba.org/?p=samba.git;a=summary) and see who added it, then send them an email.
Remember that free software of this kind lives or dies by the response we get. If no one tells us they like it then we'll probably move onto something else.
MORE INFO
DOCUMENTATION
There is quite a bit of documentation included with the package, including man pages and the wiki at https://wiki.samba.org
If you would like to help with our documentation, please contribute that improved content to the wiki; we are moving as much content there as possible.
MAILING LIST
Please do NOT send subscription/unsubscription requests to the lists!
There is a mailing list for discussion of Samba. For details go to https://lists.samba.org/ or send mail to samba-subscribe@lists.samba.org
There is also an announcement mailing list where new versions are announced. To subscribe go to https://lists.samba.org/ or send mail to samba-announce-subscribe@lists.samba.org. All announcements also go to the samba list, so you only need to be on one.
For details of other Samba mailing lists and for access to archives, see https://lists.samba.org/
MAILING LIST ETIQUETTE
A few tips when submitting to this or any mailing list.
- Make your subject short and descriptive. Avoid the words "help" or "Samba" in the subject. The readers of this list already know that a) you need help, and b) you are writing about samba (of course, you may need to distinguish between Samba PDC and other file sharing software). Avoid phrases such as "what is" and "how do i". Some good subject lines might look like "Slow response with Excel files" or "Migrating from Samba PDC to NT PDC".
- If you include the original message in your reply, trim it so that only the relevant lines, enough to establish context, are included. Chances are (since this is a mailing list) we've already read the original message.
- Trim irrelevant headers from the original message in your reply. All we need to see is a) From, b) Date, and c) Subject. We don't even really need the Subject, if you haven't changed it. Better yet is to just preface the original message with "On [date] [someone] wrote:".
- Please don't reply to or argue about spam, spam filters or viruses on any Samba lists. We do have a spam filtering system that is working quite well thank you very much but occasionally unwanted messages slip through. Deal with it.
- Never say "Me too." It doesn't help anyone solve the problem. Instead, if you ARE having the same problem, give more information. Have you seen something that the other writer hasn't mentioned, which may be helpful?
- If you ask about a problem, then come up with the solution on your own or through another source, by all means post it. Someone else may have the same problem and is waiting for an answer, but never hears of it.
- Give as much relevant information as possible such as Samba release number, OS, kernel version, etc...
- RTFM. Google.
WEBSITE
A Samba website has been set up with lots of useful info. Connect to:
As well as general information and documentation, this also has searchable archives of the mailing list and links to other useful resources such as the wiki.