From 060d218f82af9070a8e79cefe1093f9b0e6bd7b8 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Fri, 31 Jul 2020 16:51:09 +0800 Subject: samba: upgrade 4.10.15 -> 4.10.17 This is a security release in order to address the following defects: CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results. CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV. CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd. Also backport 3 patches to fix build error with musl. Signed-off-by: Yi Zhao Signed-off-by: Khem Raj (cherry picked from commit 1609df11530ebb73de863d0c705e16107015dbe3) Signed-off-by: Armin Kuster --- .../0001-util-Simplify-input-validation.patch | 59 ++++ ...ild-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch | 79 +++++ ...cate-larger-buffer-if-getpwuid_r-returns-.patch | 50 +++ .../recipes-connectivity/samba/samba_4.10.15.bb | 336 -------------------- .../recipes-connectivity/samba/samba_4.10.17.bb | 339 +++++++++++++++++++++ 5 files changed, 527 insertions(+), 336 deletions(-) create mode 100644 meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch delete mode 100644 meta-networking/recipes-connectivity/samba/samba_4.10.15.bb create mode 100644 meta-networking/recipes-connectivity/samba/samba_4.10.17.bb (limited to 'meta-networking') diff --git a/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch new file mode 100644 index 0000000000..e724c04bcd 
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0001-util-Simplify-input-validation.patch
@@ -0,0 +1,59 @@
+From f9d9ba6cd06aca053c747c399ba700db80b1623c Mon Sep 17 00:00:00 2001
+From: Martin Schwenke
+Date: Tue, 9 Jun 2020 11:52:50 +1000
+Subject: [PATCH 1/3] util: Simplify input validation
+
+It appears that snprintf(3) is being used for input validation.
+However, this seems like overkill because it causes szPath to be
+copied an extra time. The mostly likely protections being sought
+here, according to https://cwe.mitre.org/data/definitions/20.html,
+look to be DoS attacks involving CPU and memory usage. A simpler
+check that uses strnlen(3) can mitigate against both of these and is
+simpler.
+
+Signed-off-by: Martin Schwenke
+Reviewed-by: Volker Lendecke
+Reviewed-by: Bjoern Jacke
+(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/f9d9ba6cd06aca053c747c399ba700db80b1623c]
+
+Signed-off-by: Yi Zhao
+---
+ lib/util/util_paths.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index c0ee5c32c30..dec91772d9e 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -69,21 +69,20 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ struct passwd pwd = {0};
+ struct passwd *pwdbuf = NULL;
+ char buf[NSS_BUFLEN_PASSWD] = {0};
++ size_t len;
+ int rc;
+
+ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
+ if (rc != 0 || pwdbuf == NULL ) {
+- int len_written;
+ const char *szPath = getenv("HOME");
+ if (szPath == NULL) {
+ return NULL;
+ }
+- len_written = snprintf(buf, sizeof(buf), "%s", szPath);
+- if (len_written >= sizeof(buf) || len_written < 0) {
+- /* Output was truncated or an error. */
++ len = strnlen(szPath, PATH_MAX);
++ if (len >= PATH_MAX) {
+ return NULL;
+ }
+- return talloc_strdup(mem_ctx, buf);
++ return talloc_strdup(mem_ctx, szPath);
+ }
+
+ return talloc_strdup(mem_ctx, pwd.pw_dir);
+--
+2.17.1
+
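Review bot: The `getenv("HOME")` fallback in `get_user_home_dir()` is left with a length bound as its only validation, and nothing in the new code says so. The string is returned through `talloc_strdup(mem_ctx, szPath)` whenever `getpwuid_r()` fails, so an empty or relative `HOME` passes through unchanged; whether the callers cope with that is not visible in this hunk. I would add a comment above the `strnlen()` call such as `/* HOME comes from the environment: only its length is bounded here, it is not otherwise validated */`. Separately, the embedded patch header reads `Upstream-Status:Backport` with no space after the colon, unlike the usual `Upstream-Status: Backport [url]` form, and the other two patch files added by this commit do the same. The function begins above the inner hunk.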
diff --git a/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
new file mode 100644
index 0000000000..dcd79044ae
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch
@@ -0,0 +1,79 @@
+From 57bd719af1f138f44f71b2078995452582da0da6 Mon Sep 17 00:00:00 2001
+From: Martin Schwenke
+Date: Fri, 5 Jun 2020 21:52:23 +1000
+Subject: [PATCH 2/3] util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD
+
+NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use
+sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.
+
+Use a dynamically allocated buffer instead of trying to cram all of
+the logic into the declarations. This will come in useful later
+anyway.
+
+Signed-off-by: Martin Schwenke
+Reviewed-by: Volker Lendecke
+Reviewed-by: Bjoern Jacke
+(cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/57bd719af1f138f44f71b2078995452582da0da6]
+
+Signed-off-by: Yi Zhao
+---
+ lib/util/util_paths.c | 27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index dec91772d9e..9bc6df37e5d 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -68,24 +68,41 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ {
+ struct passwd pwd = {0};
+ struct passwd *pwdbuf = NULL;
+- char buf[NSS_BUFLEN_PASSWD] = {0};
++ char *buf = NULL;
++ char *out = NULL;
++ long int initlen;
+ size_t len;
+ int rc;
+
+- rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf);
++ initlen = sysconf(_SC_GETPW_R_SIZE_MAX);
++ if (initlen == -1) {
++ len = 1024;
++ } else {
++ len = (size_t)initlen;
++ }
++ buf = talloc_size(mem_ctx, len);
++ if (buf == NULL) {
++ return NULL;
++ }
++
++ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
+ if (rc != 0 || pwdbuf == NULL ) {
+ const char *szPath = getenv("HOME");
+ if (szPath == NULL) {
+- return NULL;
++ goto done;
+ }
+ len = strnlen(szPath, PATH_MAX);
+ if (len >= PATH_MAX) {
+ return NULL;
+ }
+- return talloc_strdup(mem_ctx, szPath);
++ out = talloc_strdup(mem_ctx, szPath);
++ goto done;
+ }
+
+- return talloc_strdup(mem_ctx, pwd.pw_dir);
++ out = talloc_strdup(mem_ctx, pwd.pw_dir);
++done:
++ TALLOC_FREE(buf);
++ return out;
+ }
+
+ char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d)
+--
+2.17.1
+
diff --git a/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
new file mode 100644
index 0000000000..53a3f67814
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch
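Review bot: The `if (len >= PATH_MAX)` branch in patch 0002 still does `return NULL;` after `buf` has been allocated with `talloc_size(mem_ctx, len)`, so that exit skips `TALLOC_FREE(buf)`; every other exit after the allocation was converted to `goto done`. The buffer stays attached to `mem_ctx` until the caller frees that context, so with a long-lived context an oversized `HOME` leaves an allocation behind on each call (how long callers keep the context is not visible here). Change that line to `goto done;`, which is safe because `out` is still NULL at that point.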
@@ -0,0 +1,50 @@
+From 016e08ca07f86af9e0131a908a2df116bcb9a48e Mon Sep 17 00:00:00 2001
+From: Martin Schwenke
+Date: Fri, 5 Jun 2020 22:05:42 +1000
+Subject: [PATCH 3/3] util: Reallocate larger buffer if getpwuid_r() returns
+ ERANGE
+
+Signed-off-by: Martin Schwenke
+Reviewed-by: Volker Lendecke
+Reviewed-by: Bjoern Jacke
+
+Autobuild-User(master): Martin Schwenke
+Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c)
+
+Upstream-Status:Backport
+[https://gitlab.com/samba-team/samba/-/commit/016e08ca07f86af9e0131a908a2df116bcb9a48e]
+
+Signed-off-by: Yi Zhao
+---
+ lib/util/util_paths.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c
+index 9bc6df37e5d..72cc0aab8de 100644
+--- a/lib/util/util_paths.c
++++ b/lib/util/util_paths.c
+@@ -86,6 +86,19 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx)
+ }
+
+ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
++ while (rc == ERANGE) {
++ size_t newlen = 2 * len;
++ if (newlen < len) {
++ /* Overflow */
++ goto done;
++ }
++ len = newlen;
++ buf = talloc_realloc_size(mem_ctx, buf, len);
++ if (buf == NULL) {
++ goto done;
++ }
++ rc = getpwuid_r(getuid(), &pwd, buf, len, &pwdbuf);
++ }
+ if (rc != 0 || pwdbuf == NULL ) {
+ const char *szPath = getenv("HOME");
+ if (szPath == NULL) {
+--
+2.17.1
+
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
deleted file mode 100644
index 01250cb43f..0000000000
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.15.bb
+++ /dev/null
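Review bot: In the `ERANGE` loop of patch 0003, `buf = talloc_realloc_size(mem_ctx, buf, len);` overwrites the only pointer to the old buffer, so when the reallocation fails `goto done` frees nothing and the previous allocation is left on `mem_ctx`. Keep the old pointer until the call succeeds: `char *tmp = talloc_realloc_size(mem_ctx, buf, len);`, `if (tmp == NULL) { goto done; }`, `buf = tmp;`. Apart from success, the loop stops only on `size_t` overflow or allocation failure, so a passwd backend that keeps returning `ERANGE` grows the buffer until memory runs out; an explicit ceiling on `len` would bound that. The `done:` label and the start of the function lie outside this hunk.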
@@ -1,336 +0,0 @@ -HOMEPAGE = "https://www.samba.org/" -SECTION = "console/network" - -LICENSE = "GPL-3.0+ & LGPL-3.0+ & GPL-2.0+" -LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ - file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=bfccfe952269fff2b407dd11f2f3083b \ - file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6 " - -SAMBA_MIRROR = "http://samba.org/samba/ftp" -MIRRORS += "\ -${SAMBA_MIRROR} http://mirror.internode.on.net/pub/samba \n \ -${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \ -" - -SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ - file://smb.conf \ - file://16-do-not-check-xsltproc-manpages.patch \ - file://20-do-not-import-target-module-while-cross-compile.patch \ - file://21-add-config-option-without-valgrind.patch \ - file://netdb_defines.patch \ - file://glibc_only.patch \ - file://iconv-4.7.0.patch \ - file://dnsserver-4.7.0.patch \ - file://smb_conf-4.7.0.patch \ - file://volatiles.03_samba \ - file://0001-waf-add-support-of-cross_compile.patch \ - file://0001-lib-replace-wscript-Avoid-generating-nested-main-fun.patch \ - file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \ - file://0001-Add-options-to-configure-the-use-of-libbsd.patch \ - file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ - " -SRC_URI_append_libc-musl = " \ - file://samba-pam.patch \ - file://samba-4.3.9-remove-getpwent_r.patch \ - file://cmocka-uintptr_t.patch \ - file://0001-samba-fix-musl-lib-without-innetgr.patch \ - " - -SRC_URI[md5sum] = "67e9f6b8c5140475641bf5121c93b3d4" -SRC_URI[sha256sum] = "0b8b62558b62fbb121015f28f40fae0f07522710b6bef77c508b51bb6914ced9" - -UPSTREAM_CHECK_REGEX = "samba\-(?P4\.10(\.\d+)+).tar.gz" - -inherit systemd waf-samba cpan-base perlnative update-rc.d -# remove default added RDEPENDS on perl -RDEPENDS_${PN}_remove = "perl" - -DEPENDS += "readline virtual/libiconv zlib popt libtalloc libtdb libtevent 
libldb libaio libpam libtasn1 jansson" - -inherit features_check -REQUIRED_DISTRO_FEATURES = "pam" - -DEPENDS_append_libc-musl = " libtirpc" -CFLAGS_append_libc-musl = " -I${STAGING_INCDIR}/tirpc" -LDFLAGS_append_libc-musl = " -ltirpc" - -INITSCRIPT_NAME = "samba" -INITSCRIPT_PARAMS = "start 20 3 5 . stop 20 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}-base ${PN}-ad-dc winbind" -SYSTEMD_SERVICE_${PN}-base = "nmb.service smb.service" -SYSTEMD_SERVICE_${PN}-ad-dc = "${@bb.utils.contains('PACKAGECONFIG', 'ad-dc', 'samba.service', '', d)}" -SYSTEMD_SERVICE_winbind = "winbind.service" - -# There are prerequisite settings to enable ad-dc, so disable the service by default. -# Reference: -# https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller -SYSTEMD_AUTO_ENABLE_${PN}-ad-dc = "disable" - -#cross_compile cannot use preforked process, since fork process earlier than point subproces.popen -#to cross Popen -export WAF_NO_PREFORK="yes" - -# Use krb5. Build active domain controller. 
-# -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd zeroconf', d)} \ - acl cups ad-dc gnutls ldap mitkrb5 \ -" - -RDEPENDS_${PN}-ctdb-tests += "bash util-linux-getopt" - -PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl" -PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin" -PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups" -PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap" -PACKAGECONFIG[sasl] = ",,cyrus-sasl" -PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd" -PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi" -PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi" -PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind," -PACKAGECONFIG[lttng] = "--with-lttng, --without-lttng,lttng-ust" -PACKAGECONFIG[archive] = "--with-libarchive, --without-libarchive, libarchive" -PACKAGECONFIG[libunwind] = ", , libunwind" -PACKAGECONFIG[gpgme] = ",--without-gpgme,," -PACKAGECONFIG[lmdb] = ",--without-ldb-lmdb,lmdb," -PACKAGECONFIG[libbsd] = "--with-libbsd, --without-libbsd, libbsd" - -# Building the AD (Active Directory) DC (Domain Controller) requires GnuTLS, -# And ad-dc doesn't work with mitkrb5 for versions prior to 4.7.0 according to: -# http://samba.2283325.n4.nabble.com/samba-4-6-6-Unknown-dependency-kdc-in-service-kdc-objlist-td4722096.html -# So the working combination is: -# 1) ad-dc: enable, gnutls: enable, mitkrb5: disable -# 2) ad-dc: disable, gnutls: enable/disable, mitkrb5: enable -# -# We are now at 4.7.0, so take the above with a grain of salt. We do not need to know where -# krb5kdc is unless ad-dc is enabled, but we tell configure anyhow. 
-# -PACKAGECONFIG[ad-dc] = "--with-experimental-mit-ad-dc,--without-ad-dc,," -PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls," -PACKAGECONFIG[mitkrb5] = "--with-system-mitkrb5 --with-system-mitkdc=/usr/sbin/krb5kdc,,krb5," - -SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2" -SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4" -SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4" -SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODULES}" - -# These libraries are supposed to replace others supplied by packages, but decorate the names of -# .so files so there will not be a conflict. This is not done consistantly, so be very careful -# when adding to this list. -# -SAMBA4_LIBS="heimdal,cmocka,NONE" - -EXTRA_OECONF += "--enable-fhs \ - --with-piddir=/run \ - --with-sockets-dir=/run/samba \ - --with-modulesdir=${libdir}/samba \ - --with-lockdir=${localstatedir}/lib/samba \ - --with-cachedir=${localstatedir}/lib/samba \ - --disable-rpath-install \ - --with-shared-modules=${SAMBA4_MODULES} \ - --bundled-libraries=${SAMBA4_LIBS} \ - ${@oe.utils.conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \ - --with-cluster-support \ - --with-profiling-data \ - --with-libiconv=${STAGING_DIR_HOST}${prefix} \ - --with-pam --with-pammodulesdir=${base_libdir}/security \ - " - -LDFLAGS += "-Wl,-z,relro,-z,now ${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}" - -do_install_append() { - for section in 1 5 7; do - install -d ${D}${mandir}/man$section - install -m 0644 ctdb/doc/*.$section ${D}${mandir}/man$section - done - for section in 1 5 7 8; do - install -d ${D}${mandir}/man$section - install -m 0644 docs/manpages/*.$section ${D}${mandir}/man$section - done - - install -d ${D}${systemd_system_unitdir} - install -m 0644 
${S}/bin/default/packaging/systemd/*.service ${D}${systemd_system_unitdir}/ - sed -e 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' \ - -e 's,/etc/sysconfig/samba,${sysconfdir}/default/samba,' \ - -i ${D}${systemd_system_unitdir}/*.service - - if [ "${@bb.utils.contains('PACKAGECONFIG', 'ad-dc', 'yes', 'no', d)}" = "no" ]; then - rm -f ${D}${systemd_system_unitdir}/samba.service - fi - - install -d ${D}${sysconfdir}/tmpfiles.d - install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf - echo "d ${localstatedir}/log/samba 0755 root root -" \ - >> ${D}${sysconfdir}/tmpfiles.d/samba.conf - install -d ${D}${sysconfdir}/init.d - install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba - sed -e 's,/opt/samba/bin,${sbindir},g' \ - -e 's,/opt/samba/smb.conf,${sysconfdir}/samba/smb.conf,g' \ - -e 's,/opt/samba/log,${localstatedir}/log/samba,g' \ - -e 's,/etc/init.d/samba.server,${sysconfdir}/init.d/samba,g' \ - -e 's,/usr/bin,${base_bindir},g' \ - -i ${D}${sysconfdir}/init.d/samba - - install -d ${D}${sysconfdir}/samba - echo "127.0.0.1 localhost" > ${D}${sysconfdir}/samba/lmhosts - install -m644 ${WORKDIR}/smb.conf ${D}${sysconfdir}/samba/smb.conf - install -D -m 644 ${WORKDIR}/volatiles.03_samba ${D}${sysconfdir}/default/volatiles/03_samba - - install -d ${D}${sysconfdir}/default - install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/default/samba - - # the items are from ctdb/tests/run_tests.sh - for d in onnode takeover tool eventscripts cunit simple complex; do - testdir=${D}${datadir}/ctdb-tests/$d - install -d $testdir - cp ${S}/ctdb/tests/$d/*.sh $testdir - cp -r ${S}/ctdb/tests/$d/scripts ${S}/ctdb/tests/$d/stubs $testdir || true - done - - # fix file-rdeps qa warning - if [ -f ${D}${bindir}/onnode ]; then - sed -i 's:\(#!/bin/\)bash:\1sh:' ${D}${bindir}/onnode - fi - - chmod 0750 ${D}${sysconfdir}/sudoers.d || true - rm -rf ${D}/run ${D}${localstatedir}/run ${D}${localstatedir}/log - - for f in 
samba-gpupdate samba_upgradedns samba_spnupdate samba_kcc samba_dnsupdate; do - if [ -f "${D}${sbindir}/$f" ]; then - sed -i -e 's,${PYTHON},/usr/bin/env python3,g' ${D}${sbindir}/$f - fi - done - if [ -f "${D}${bindir}/samba-tool" ]; then - sed -i -e 's,${PYTHON},/usr/bin/env python3,g' ${D}${bindir}/samba-tool - fi - -} - -PACKAGES =+ "${PN}-python3 ${PN}-pidl \ - ${PN}-dsdb-modules ${PN}-testsuite registry-tools \ - winbind \ - ${PN}-common ${PN}-base ${PN}-ad-dc ${PN}-ctdb-tests \ - smbclient ${PN}-client ${PN}-server ${PN}-test" - -python samba_populate_packages() { - def module_hook(file, pkg, pattern, format, basename): - pn = d.getVar('PN') - d.appendVar('RRECOMMENDS_%s-base' % pn, ' %s' % pkg) - - mlprefix = d.getVar('MLPREFIX') or '' - pam_libdir = d.expand('${base_libdir}/security') - pam_pkgname = mlprefix + 'pam-plugin%s' - do_split_packages(d, pam_libdir, '^pam_(.*)\.so$', pam_pkgname, 'PAM plugin for %s', extra_depends='', prepend=True) - - libdir = d.getVar('libdir') - do_split_packages(d, libdir, '^lib(.*)\.so\..*$', 'lib%s', 'Samba %s library', extra_depends='${PN}-common', prepend=True, allow_links=True) - pkglibdir = '%s/samba' % libdir - do_split_packages(d, pkglibdir, '^lib(.*)\.so$', 'lib%s', 'Samba %s library', extra_depends='${PN}-common', prepend=True) - moduledir = '%s/samba/auth' % libdir - do_split_packages(d, moduledir, '^(.*)\.so$', 'samba-auth-%s', 'Samba %s authentication backend', hook=module_hook, extra_depends='', prepend=True) - moduledir = '%s/samba/pdb' % libdir - do_split_packages(d, moduledir, '^(.*)\.so$', 'samba-pdb-%s', 'Samba %s password backend', hook=module_hook, extra_depends='', prepend=True) -} - -PACKAGESPLITFUNCS_prepend = "samba_populate_packages " -PACKAGES_DYNAMIC = "samba-auth-.* samba-pdb-.*" - -RDEPENDS_${PN} += "${PN}-base ${PN}-python3 ${PN}-dsdb-modules python3" -RDEPENDS_${PN}-python3 += "pytalloc python3-tdb" - -FILES_${PN}-base = "${sbindir}/nmbd \ - ${sbindir}/smbd \ - ${sysconfdir}/init.d \ - 
${systemd_system_unitdir}/nmb.service \ - ${systemd_system_unitdir}/smb.service" - -FILES_${PN}-ad-dc = "${sbindir}/samba \ - ${systemd_system_unitdir}/samba.service \ - ${libdir}/krb5/plugins/kdb/samba.so \ -" -RDEPENDS_${PN}-ad-dc = "krb5-kdc" - -FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \ - ${bindir}/ctdb_run_cluster_tests \ - ${sysconfdir}/ctdb/nodes \ - ${datadir}/ctdb-tests \ - ${datadir}/ctdb/tests \ - ${localstatedir}/lib/ctdb \ - " - -FILES_${BPN}-common = "${sysconfdir}/default \ - ${sysconfdir}/samba \ - ${sysconfdir}/tmpfiles.d \ - ${localstatedir}/lib/samba \ - ${localstatedir}/spool/samba \ -" - -FILES_${PN} += "${libdir}/vfs/*.so \ - ${libdir}/charset/*.so \ - ${libdir}/*.dat \ - ${libdir}/auth/*.so \ - ${datadir}/ctdb/events/* \ -" - -FILES_${PN}-dsdb-modules = "${libdir}/samba/ldb" - -FILES_${PN}-testsuite = "${bindir}/gentest \ - ${bindir}/locktest \ - ${bindir}/masktest \ - ${bindir}/ndrdump \ - ${bindir}/smbtorture" - -FILES_registry-tools = "${bindir}/regdiff \ - ${bindir}/regpatch \ - ${bindir}/regshell \ - ${bindir}/regtree" - -FILES_winbind = "${sbindir}/winbindd \ - ${bindir}/wbinfo \ - ${bindir}/ntlm_auth \ - ${libdir}/samba/idmap \ - ${libdir}/samba/nss_info \ - ${libdir}/winbind_krb5_locator.so \ - ${libdir}/winbind-krb5-localauth.so \ - ${sysconfdir}/init.d/winbind \ - ${systemd_system_unitdir}/winbind.service" - -FILES_${PN}-python3 = "${PYTHON_SITEPACKAGES_DIR}" - -FILES_smbclient = "${bindir}/cifsdd \ - ${bindir}/rpcclient \ - ${bindir}/smbcacls \ - ${bindir}/smbclient \ - ${bindir}/smbcquotas \ - ${bindir}/smbget \ - ${bindir}/smbspool \ - ${bindir}/smbtar \ - ${bindir}/smbtree \ - ${libdir}/samba/smbspool_krb5_wrapper" - -RDEPENDS_${PN}-pidl_append = " perl" -FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse" - -RDEPENDS_${PN}-client = "\ - smbclient \ - winbind \ - registry-tools \ - ${PN}-pidl \ - " - -ALLOW_EMPTY_${PN}-client = "1" - -RDEPENDS_${PN}-server = "\ - ${PN} \ - winbind \ - registry-tools \ - " - 
-ALLOW_EMPTY_${PN}-server = "1" - -RDEPENDS_${PN}-test = "\ - ${PN}-ctdb-tests \ - ${PN}-testsuite \ - " - -ALLOW_EMPTY_${PN}-test = "1" diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb new file mode 100644 index 0000000000..3ae5afbe95 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.17.bb 
@@ -0,0 +1,339 @@ +HOMEPAGE = "https://www.samba.org/" +SECTION = "console/network" + +LICENSE = "GPL-3.0+ & LGPL-3.0+ & GPL-2.0+" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504 \ + file://${COREBASE}/meta/files/common-licenses/LGPL-3.0;md5=bfccfe952269fff2b407dd11f2f3083b \ + file://${COREBASE}/meta/files/common-licenses/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6 " + +SAMBA_MIRROR = "http://samba.org/samba/ftp" +MIRRORS += "\ +${SAMBA_MIRROR} http://mirror.internode.on.net/pub/samba \n \ +${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \ +" + +SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ + file://smb.conf \ + file://16-do-not-check-xsltproc-manpages.patch \ + file://20-do-not-import-target-module-while-cross-compile.patch \ + file://21-add-config-option-without-valgrind.patch \ + file://netdb_defines.patch \ + file://glibc_only.patch \ + file://iconv-4.7.0.patch \ + file://dnsserver-4.7.0.patch \ + file://smb_conf-4.7.0.patch \ + file://volatiles.03_samba \ + file://0001-waf-add-support-of-cross_compile.patch \ + file://0001-lib-replace-wscript-Avoid-generating-nested-main-fun.patch \ + file://0002-util_sec.c-Move-__thread-variable-to-global-scope.patch \ + file://0001-Add-options-to-configure-the-use-of-libbsd.patch \ + file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \ + file://0001-util-Simplify-input-validation.patch \ + file://0002-util-Fix-build-on-FreeBSD-by-avoiding-NSS_BUFLEN_PAS.patch \ + file://0003-util-Reallocate-larger-buffer-if-getpwuid_r-returns-.patch \ + " +SRC_URI_append_libc-musl = " \ + file://samba-pam.patch \ + file://samba-4.3.9-remove-getpwent_r.patch \ + file://cmocka-uintptr_t.patch \ + file://0001-samba-fix-musl-lib-without-innetgr.patch \ + " + +SRC_URI[md5sum] = "f69cac9ba5035ee60257520a209a0a83" +SRC_URI[sha256sum] = "03dc9758e7bfa2faf7cdeb45b4d40997e2ee16a41e71996aa666bc069e70ba3e" + +UPSTREAM_CHECK_REGEX = "samba\-(?P4\.10(\.\d+)+).tar.gz" + +inherit 
systemd waf-samba cpan-base perlnative update-rc.d +# remove default added RDEPENDS on perl +RDEPENDS_${PN}_remove = "perl" + +DEPENDS += "readline virtual/libiconv zlib popt libtalloc libtdb libtevent libldb libaio libpam libtasn1 jansson" + +inherit features_check +REQUIRED_DISTRO_FEATURES = "pam" + +DEPENDS_append_libc-musl = " libtirpc" +CFLAGS_append_libc-musl = " -I${STAGING_INCDIR}/tirpc" +LDFLAGS_append_libc-musl = " -ltirpc" + +INITSCRIPT_NAME = "samba" +INITSCRIPT_PARAMS = "start 20 3 5 . stop 20 0 1 6 ." + +SYSTEMD_PACKAGES = "${PN}-base ${PN}-ad-dc winbind" +SYSTEMD_SERVICE_${PN}-base = "nmb.service smb.service" +SYSTEMD_SERVICE_${PN}-ad-dc = "${@bb.utils.contains('PACKAGECONFIG', 'ad-dc', 'samba.service', '', d)}" +SYSTEMD_SERVICE_winbind = "winbind.service" + +# There are prerequisite settings to enable ad-dc, so disable the service by default. +# Reference: +# https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller +SYSTEMD_AUTO_ENABLE_${PN}-ad-dc = "disable" + +#cross_compile cannot use preforked process, since fork process earlier than point subproces.popen +#to cross Popen +export WAF_NO_PREFORK="yes" + +# Use krb5. Build active domain controller. 
+# +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd zeroconf', d)} \ + acl cups ad-dc gnutls ldap mitkrb5 \ +" + +RDEPENDS_${PN}-ctdb-tests += "bash util-linux-getopt" + +PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl" +PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin" +PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups" +PACKAGECONFIG[ldap] = "--with-ldap,--without-ldap,openldap" +PACKAGECONFIG[sasl] = ",,cyrus-sasl" +PACKAGECONFIG[systemd] = "--with-systemd,--without-systemd,systemd" +PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi" +PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi" +PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind," +PACKAGECONFIG[lttng] = "--with-lttng, --without-lttng,lttng-ust" +PACKAGECONFIG[archive] = "--with-libarchive, --without-libarchive, libarchive" +PACKAGECONFIG[libunwind] = ", , libunwind" +PACKAGECONFIG[gpgme] = ",--without-gpgme,," +PACKAGECONFIG[lmdb] = ",--without-ldb-lmdb,lmdb," +PACKAGECONFIG[libbsd] = "--with-libbsd, --without-libbsd, libbsd" + +# Building the AD (Active Directory) DC (Domain Controller) requires GnuTLS, +# And ad-dc doesn't work with mitkrb5 for versions prior to 4.7.0 according to: +# http://samba.2283325.n4.nabble.com/samba-4-6-6-Unknown-dependency-kdc-in-service-kdc-objlist-td4722096.html +# So the working combination is: +# 1) ad-dc: enable, gnutls: enable, mitkrb5: disable +# 2) ad-dc: disable, gnutls: enable/disable, mitkrb5: enable +# +# We are now at 4.7.0, so take the above with a grain of salt. We do not need to know where +# krb5kdc is unless ad-dc is enabled, but we tell configure anyhow. 
+# +PACKAGECONFIG[ad-dc] = "--with-experimental-mit-ad-dc,--without-ad-dc,," +PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls," +PACKAGECONFIG[mitkrb5] = "--with-system-mitkrb5 --with-system-mitkdc=/usr/sbin/krb5kdc,,krb5," + +SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2" +SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4" +SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4" +SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODULES}" + +# These libraries are supposed to replace others supplied by packages, but decorate the names of +# .so files so there will not be a conflict. This is not done consistantly, so be very careful +# when adding to this list. +# +SAMBA4_LIBS="heimdal,cmocka,NONE" + +EXTRA_OECONF += "--enable-fhs \ + --with-piddir=/run \ + --with-sockets-dir=/run/samba \ + --with-modulesdir=${libdir}/samba \ + --with-lockdir=${localstatedir}/lib/samba \ + --with-cachedir=${localstatedir}/lib/samba \ + --disable-rpath-install \ + --with-shared-modules=${SAMBA4_MODULES} \ + --bundled-libraries=${SAMBA4_LIBS} \ + ${@oe.utils.conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \ + --with-cluster-support \ + --with-profiling-data \ + --with-libiconv=${STAGING_DIR_HOST}${prefix} \ + --with-pam --with-pammodulesdir=${base_libdir}/security \ + " + +LDFLAGS += "-Wl,-z,relro,-z,now ${@bb.utils.contains('DISTRO_FEATURES', 'ld-is-gold', ' -fuse-ld=bfd ', '', d)}" + +do_install_append() { + for section in 1 5 7; do + install -d ${D}${mandir}/man$section + install -m 0644 ctdb/doc/*.$section ${D}${mandir}/man$section + done + for section in 1 5 7 8; do + install -d ${D}${mandir}/man$section + install -m 0644 docs/manpages/*.$section ${D}${mandir}/man$section + done + + install -d ${D}${systemd_system_unitdir} + install -m 0644 
${S}/bin/default/packaging/systemd/*.service ${D}${systemd_system_unitdir}/ + sed -e 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' \ + -e 's,/etc/sysconfig/samba,${sysconfdir}/default/samba,' \ + -i ${D}${systemd_system_unitdir}/*.service + + if [ "${@bb.utils.contains('PACKAGECONFIG', 'ad-dc', 'yes', 'no', d)}" = "no" ]; then + rm -f ${D}${systemd_system_unitdir}/samba.service + fi + + install -d ${D}${sysconfdir}/tmpfiles.d + install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf + echo "d ${localstatedir}/log/samba 0755 root root -" \ + >> ${D}${sysconfdir}/tmpfiles.d/samba.conf + install -d ${D}${sysconfdir}/init.d + install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba + sed -e 's,/opt/samba/bin,${sbindir},g' \ + -e 's,/opt/samba/smb.conf,${sysconfdir}/samba/smb.conf,g' \ + -e 's,/opt/samba/log,${localstatedir}/log/samba,g' \ + -e 's,/etc/init.d/samba.server,${sysconfdir}/init.d/samba,g' \ + -e 's,/usr/bin,${base_bindir},g' \ + -i ${D}${sysconfdir}/init.d/samba + + install -d ${D}${sysconfdir}/samba + echo "127.0.0.1 localhost" > ${D}${sysconfdir}/samba/lmhosts + install -m644 ${WORKDIR}/smb.conf ${D}${sysconfdir}/samba/smb.conf + install -D -m 644 ${WORKDIR}/volatiles.03_samba ${D}${sysconfdir}/default/volatiles/03_samba + + install -d ${D}${sysconfdir}/default + install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/default/samba + + # the items are from ctdb/tests/run_tests.sh + for d in onnode takeover tool eventscripts cunit simple complex; do + testdir=${D}${datadir}/ctdb-tests/$d + install -d $testdir + cp ${S}/ctdb/tests/$d/*.sh $testdir + cp -r ${S}/ctdb/tests/$d/scripts ${S}/ctdb/tests/$d/stubs $testdir || true + done + + # fix file-rdeps qa warning + if [ -f ${D}${bindir}/onnode ]; then + sed -i 's:\(#!/bin/\)bash:\1sh:' ${D}${bindir}/onnode + fi + + chmod 0750 ${D}${sysconfdir}/sudoers.d || true + rm -rf ${D}/run ${D}${localstatedir}/run ${D}${localstatedir}/log + + for f in 
samba-gpupdate samba_upgradedns samba_spnupdate samba_kcc samba_dnsupdate; do + if [ -f "${D}${sbindir}/$f" ]; then + sed -i -e 's,${PYTHON},/usr/bin/env python3,g' ${D}${sbindir}/$f + fi + done + if [ -f "${D}${bindir}/samba-tool" ]; then + sed -i -e 's,${PYTHON},/usr/bin/env python3,g' ${D}${bindir}/samba-tool + fi + +} + +PACKAGES =+ "${PN}-python3 ${PN}-pidl \ + ${PN}-dsdb-modules ${PN}-testsuite registry-tools \ + winbind \ + ${PN}-common ${PN}-base ${PN}-ad-dc ${PN}-ctdb-tests \ + smbclient ${PN}-client ${PN}-server ${PN}-test" + +python samba_populate_packages() { + def module_hook(file, pkg, pattern, format, basename): + pn = d.getVar('PN') + d.appendVar('RRECOMMENDS_%s-base' % pn, ' %s' % pkg) + + mlprefix = d.getVar('MLPREFIX') or '' + pam_libdir = d.expand('${base_libdir}/security') + pam_pkgname = mlprefix + 'pam-plugin%s' + do_split_packages(d, pam_libdir, '^pam_(.*)\.so$', pam_pkgname, 'PAM plugin for %s', extra_depends='', prepend=True) + + libdir = d.getVar('libdir') + do_split_packages(d, libdir, '^lib(.*)\.so\..*$', 'lib%s', 'Samba %s library', extra_depends='${PN}-common', prepend=True, allow_links=True) + pkglibdir = '%s/samba' % libdir + do_split_packages(d, pkglibdir, '^lib(.*)\.so$', 'lib%s', 'Samba %s library', extra_depends='${PN}-common', prepend=True) + moduledir = '%s/samba/auth' % libdir + do_split_packages(d, moduledir, '^(.*)\.so$', 'samba-auth-%s', 'Samba %s authentication backend', hook=module_hook, extra_depends='', prepend=True) + moduledir = '%s/samba/pdb' % libdir + do_split_packages(d, moduledir, '^(.*)\.so$', 'samba-pdb-%s', 'Samba %s password backend', hook=module_hook, extra_depends='', prepend=True) +} + +PACKAGESPLITFUNCS_prepend = "samba_populate_packages " +PACKAGES_DYNAMIC = "samba-auth-.* samba-pdb-.*" + +RDEPENDS_${PN} += "${PN}-base ${PN}-python3 ${PN}-dsdb-modules python3" +RDEPENDS_${PN}-python3 += "pytalloc python3-tdb" + +FILES_${PN}-base = "${sbindir}/nmbd \ + ${sbindir}/smbd \ + ${sysconfdir}/init.d \ + 
${systemd_system_unitdir}/nmb.service \ + ${systemd_system_unitdir}/smb.service" + +FILES_${PN}-ad-dc = "${sbindir}/samba \ + ${systemd_system_unitdir}/samba.service \ + ${libdir}/krb5/plugins/kdb/samba.so \ +" +RDEPENDS_${PN}-ad-dc = "krb5-kdc" + +FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \ + ${bindir}/ctdb_run_cluster_tests \ + ${sysconfdir}/ctdb/nodes \ + ${datadir}/ctdb-tests \ + ${datadir}/ctdb/tests \ + ${localstatedir}/lib/ctdb \ + " + +FILES_${BPN}-common = "${sysconfdir}/default \ + ${sysconfdir}/samba \ + ${sysconfdir}/tmpfiles.d \ + ${localstatedir}/lib/samba \ + ${localstatedir}/spool/samba \ +" + +FILES_${PN} += "${libdir}/vfs/*.so \ + ${libdir}/charset/*.so \ + ${libdir}/*.dat \ + ${libdir}/auth/*.so \ + ${datadir}/ctdb/events/* \ +" + +FILES_${PN}-dsdb-modules = "${libdir}/samba/ldb" + +FILES_${PN}-testsuite = "${bindir}/gentest \ + ${bindir}/locktest \ + ${bindir}/masktest \ + ${bindir}/ndrdump \ + ${bindir}/smbtorture" + +FILES_registry-tools = "${bindir}/regdiff \ + ${bindir}/regpatch \ + ${bindir}/regshell \ + ${bindir}/regtree" + +FILES_winbind = "${sbindir}/winbindd \ + ${bindir}/wbinfo \ + ${bindir}/ntlm_auth \ + ${libdir}/samba/idmap \ + ${libdir}/samba/nss_info \ + ${libdir}/winbind_krb5_locator.so \ + ${libdir}/winbind-krb5-localauth.so \ + ${sysconfdir}/init.d/winbind \ + ${systemd_system_unitdir}/winbind.service" + +FILES_${PN}-python3 = "${PYTHON_SITEPACKAGES_DIR}" + +FILES_smbclient = "${bindir}/cifsdd \ + ${bindir}/rpcclient \ + ${bindir}/smbcacls \ + ${bindir}/smbclient \ + ${bindir}/smbcquotas \ + ${bindir}/smbget \ + ${bindir}/smbspool \ + ${bindir}/smbtar \ + ${bindir}/smbtree \ + ${libdir}/samba/smbspool_krb5_wrapper" + +RDEPENDS_${PN}-pidl_append = " perl" +FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse" + +RDEPENDS_${PN}-client = "\ + smbclient \ + winbind \ + registry-tools \ + ${PN}-pidl \ + " + +ALLOW_EMPTY_${PN}-client = "1" + +RDEPENDS_${PN}-server = "\ + ${PN} \ + winbind \ + registry-tools \ + " + 
+ALLOW_EMPTY_${PN}-server = "1" + +RDEPENDS_${PN}-test = "\ + ${PN}-ctdb-tests \ + ${PN}-testsuite \ + " + +ALLOW_EMPTY_${PN}-test = "1" -- cgit 1.2.3-korg