[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Sat Aug 13 20:47:34 UTC 2016
OK, I actually now feel a bit bad on this. As we did a lot of debugging
without actually finding any solutions, my focus went more and more in
the direction of a code bug somewhere in the Samba/Kerberos area.
I found some references that Samba uses an internal specific version of
Heimdal. Though it looks like the Gentoo developers went to disable the
built-in Heimdal implementation in favor of a system-wide Heimdal.
Currently Gentoo uses Heimdal 1.5.3-r2. On the official page
(http://www.h5l.org/) I see only release 1.5.2 officially listed (??).
Moreover I found the samba package enforces disabling SSL on Heimdal.
This seems to be required as the built-in Heimdal crypto library
(hcrypto) is built only if openssl support is disabled in Heimdal. I
left this unchanged then.
So I went deeper and found the Samba ebuild to explicitly disable
bundled packages (configure options):
--bundled-libraries=NONE
--builtin-libraries=NONE
I quickly removed both lines. The effect was that Samba now fails to
compile complaining about tgt_use_strongest_session_key. I found this to
be an issue of a patch applied by the Gentoo team:
--- samba-4.2.3/source4/kdc/kdc.c
+++ samba-4.2.3/source4/kdc/kdc.c
@@ -967,9 +967,9 @@
* The old behavior in the _kdc_get_preferred_key()
* function is use_strongest_server_key=TRUE.
*/
- kdc->config->as_use_strongest_session_key = false;
+ kdc->config->tgt_use_strongest_session_key = false;
kdc->config->preauth_use_strongest_session_key = false;
- kdc->config->tgs_use_strongest_session_key = false;
+ kdc->config->svc_use_strongest_session_key = false;
kdc->config->use_strongest_server_key = true;
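Review bot: the rename is applied unconditionally, so this kdc.c only compiles against a Heimdal whose krb5_kdc_configuration exposes tgt_use_strongest_session_key and svc_use_strongest_session_key (the system Heimdal 1.5.3 here) and breaks as soon as the bundled Heimdal, which still calls these fields as_use_strongest_session_key and tgs_use_strongest_session_key, is selected; guard the two assignments with a configure-time feature test or a version #ifdef so one source file builds against either library, and extend the comment above the hunk, which still only describes use_strongest_server_key, to record which Heimdal release each field name belongs to.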
As I am using bundled/built-in Heimdal now I simply also removed this patch.
Now Samba compiled and seems to work. Even my group policies seem to
apply correctly.
So as a result it looks like Samba works well with the built-in (perhaps
modified?) Heimdal library but does not with the Gentoo Heimdal 1.5.3
ebuild. I am not sure if the patch listed above is actually correct. So
I went back disabling bundled and built-in libraries again and leaving
the patch disabled.
This breaks the build:
../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no
member named ‘as_use_strongest_session_key’
kdc->config->as_use_strongest_session_key = false;
^
../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no
member named ‘tgs_use_strongest_session_key’
kdc->config->tgs_use_strongest_session_key = false;
Well, I am not sure if the built-in Heimdal within the Samba package is
patched/modified in any way. In general I would say Samba should work
with a system-wide Heimdal installation too which is obviously not the
case. Though this might be an insufficiency of the Gentoo Heimdal
ebuild. I think actually the Gentoo team is right that a system-wide
Heimdal should be used and not bundled libraries - if possible. Though
there seems to be some incompatibility.
So currently my solution is to use a custom ebuild allowing bundled
libraries and removing the custom Gentoo patch.
# diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild
93c93
< "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
---
> # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
143,144c143,144
< --bundled-libraries=NONE
< --builtin-libraries=NONE
---
> # --bundled-libraries=NONE
> # --builtin-libraries=NONE
258a259
>
I will report this to the Gentoo team so they can perhaps investigate
how to fix Samba using system-wide Heimdal.
Many many thanks to the people involved here helping me to debug the
issue. I have learned a lot about Samba internals and perhaps this is
helpful for others too. I still don't know exactly what goes wrong as
the complete Samba build of Gentoo works fine and the logs don't show
something which is obviously wrong.
With best regards,
Rainer