[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch
Sat Aug 13 20:47:34 UTC 2016

OK, I actually now feel a bit bad about this. As we did a lot of debugging 
without actually finding any solution, my focus went more and more in the 
direction of a code bug somewhere in the Samba/Kerberos area.

I found some references that Samba uses an internal, specific version of 
Heimdal. Though it looks like the Gentoo developers went to disable the 
built-in Heimdal implementation in favor of a system-wide Heimdal. 
Currently Gentoo uses Heimdal 1.5.3-r2. On the official page 
(http://www.h5l.org/) I see only release 1.5.2 officially listed (??).
Moreover I found that the samba package enforces disabling SSL in Heimdal. 
This seems to be required, as the built-in Heimdal crypto library 
(hcrypto) is built only if OpenSSL support is disabled in Heimdal. So I 
left this unchanged.

So I went deeper and found the Samba ebuild to explicitly disable 
bundled packages (configure options):


I quickly removed both lines. The effect was that Samba now fails to 
compile, complaining about tgt_use_strongest_session_key. I found this to 
be caused by a patch applied by the Gentoo team:

--- samba-4.2.3/source4/kdc/kdc.c
+++ samba-4.2.3/source4/kdc/kdc.c
@@ -967,9 +967,9 @@
          * The old behavior in the _kdc_get_preferred_key()
          * function is use_strongest_server_key=TRUE.
-       kdc->config->as_use_strongest_session_key = false;
+       kdc->config->tgt_use_strongest_session_key = false;
         kdc->config->preauth_use_strongest_session_key = false;
-       kdc->config->tgs_use_strongest_session_key = false;
+       kdc->config->svc_use_strongest_session_key = false;
         kdc->config->use_strongest_server_key = true;
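Review bot: the two `+` lines rename the members unconditionally (`as_` to `tgt_`, `tgs_` to `svc_`), so this kdc.c compiles only against a Heimdal whose krb5_kdc_configuration uses the tgt_/svc_ names; the message reports the mirror-image failure on tgt_use_strongest_session_key when the bundled Heimdal is built with this patch still applied. A configure-time check for the member (compile a probe that references `tgt_use_strongest_session_key` and select the name set from the result) would let one source tree build against both. Also, the context above the first `-` line shows an open comment (`* The old behavior in the _kdc_get_preferred_key()`) with no closing `*/` before the assignments, so the hunk as quoted looks truncated; include the complete context when reposting it.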

As I am using bundled/built-in Heimdal now I simply also removed this patch.

Now Samba compiled and seems to work. Even my group policies seem to 
apply correctly.

So as a result it looks like Samba works well with the built-in (perhaps 
modified?) Heimdal library but not with the Gentoo Heimdal 1.5.3 
ebuild. I am not sure if the patch listed above is actually correct. So 
I went back to disabling bundled and built-in libraries again while 
leaving the patch disabled.

This breaks the build:

../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no 
member named ‘as_use_strongest_session_key’
   kdc->config->as_use_strongest_session_key = false;
../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no 
member named ‘tgs_use_strongest_session_key’
   kdc->config->tgs_use_strongest_session_key = false;

Well, I am not sure if the built-in Heimdal within the Samba package is 
patched/modified in any way. In general I would say Samba should work 
with a system-wide Heimdal installation too, which is obviously not the 
case. Though this might be an insufficiency of the Gentoo Heimdal 
ebuild. I actually think the Gentoo team is right that a system-wide 
Heimdal should be used and not bundled libraries, if possible. Though 
there seems to be some incompatibility.

So currently my solution is to use a custom ebuild allowing bundled 
libraries and removing the custom Gentoo patch.

# diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild
<       "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
>       # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
<               --bundled-libraries=NONE
<               --builtin-libraries=NONE
>               # --bundled-libraries=NONE
>               # --builtin-libraries=NONE

I will report this to the Gentoo team so they can perhaps investigate on 
how to fix Samba using system-wide Heimdal.

Many, many thanks to the people involved here helping me to debug the 
issue. I have learned a lot about Samba internals and perhaps this is 
helpful for others too. I still don't know exactly what goes wrong, as 
the complete Samba build of Gentoo works fine and the logs don't show 
anything which is obviously wrong.

With best regards,

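As an added example (not part of the post above, nor of the Gentoo ebuild or the Samba/Heimdal sources), the following POSIX shell probe reports which set of krb5_kdc_configuration member names a Heimdal kdc.h declares, so one can tell in advance whether the samba-4.2.3-heimdal_compilefix.patch matches the Heimdal being built against. The two member-name sets are taken from the patch and the compile errors quoted in the message; that the struct lives in a header called kdc.h (for example /usr/include/heimdal/kdc.h) is an assumption, so the header path is passed explicitly. The two sample headers the script writes are constructed fragments for running it offline, not real Heimdal headers.

```shell
#!/bin/sh
# Added example, not from the post or from the Gentoo/Samba sources:
# report which set of krb5_kdc_configuration member names a Heimdal
# kdc.h declares, so one can tell whether the Gentoo
# samba-4.2.3-heimdal_compilefix.patch matches the Heimdal in use.
#
# The two member-name sets come from the patch and the compile errors
# quoted in the message:
#   as_use_strongest_session_key  / tgs_use_strongest_session_key
#       expected by unpatched Samba 4.2 source4/kdc/kdc.c
#   tgt_use_strongest_session_key / svc_use_strongest_session_key
#       what the Gentoo patch switches kdc.c to
# Assumption: the struct is declared in a header named kdc.h
# (e.g. /usr/include/heimdal/kdc.h); the path is passed explicitly.

# kdc_field_scheme HEADER
#   prints: samba      - header has the as_/tgs_ members (unpatched kdc.c builds)
#           gentoo     - header has the tgt_/svc_ members (Gentoo patch needed)
#           mixed      - both sets present
#           unknown    - neither set present
#           unreadable - header cannot be read (exit status 2)
kdc_field_scheme() {
    hdr=$1
    if [ ! -r "$hdr" ]; then
        echo unreadable
        return 2
    fi
    has_as=0
    has_tgt=0
    # grep -w matches whole words only, so a name is not taken from a
    # longer identifier that merely contains it.
    if grep -qw as_use_strongest_session_key "$hdr" &&
       grep -qw tgs_use_strongest_session_key "$hdr"; then
        has_as=1
    fi
    if grep -qw tgt_use_strongest_session_key "$hdr" &&
       grep -qw svc_use_strongest_session_key "$hdr"; then
        has_tgt=1
    fi
    case "$has_as$has_tgt" in
        10) echo samba ;;
        01) echo gentoo ;;
        11) echo mixed ;;
        *)  echo unknown ;;
    esac
}

# write_sample_headers DIR
#   Writes two constructed, minimal kdc.h fragments (not real Heimdal
#   headers) that mimic the two member-name sets, for trying the probe
#   offline.
write_sample_headers() {
    dir=$1
    cat > "$dir/samba-kdc.h" <<'EOF'
/* constructed sample: member names expected by unpatched Samba kdc.c */
typedef struct krb5_kdc_configuration {
    krb5_boolean as_use_strongest_session_key;
    krb5_boolean preauth_use_strongest_session_key;
    krb5_boolean tgs_use_strongest_session_key;
    krb5_boolean use_strongest_server_key;
} krb5_kdc_configuration;
EOF
    cat > "$dir/gentoo-kdc.h" <<'EOF'
/* constructed sample: member names the Gentoo patch switches to */
typedef struct krb5_kdc_configuration {
    krb5_boolean tgt_use_strongest_session_key;
    krb5_boolean preauth_use_strongest_session_key;
    krb5_boolean svc_use_strongest_session_key;
    krb5_boolean use_strongest_server_key;
} krb5_kdc_configuration;
EOF
}

# Demo: probe the constructed samples, then any header paths given on the
# command line (e.g. /usr/include/heimdal/kdc.h).
demo_dir=$(mktemp -d)
write_sample_headers "$demo_dir"
for h in "$demo_dir/samba-kdc.h" "$demo_dir/gentoo-kdc.h" "$@"; do
    printf '%s: %s\n' "$h" "$(kdc_field_scheme "$h")"
done
rm -rf "$demo_dir"
```

Run it as `sh probe.sh /usr/include/heimdal/kdc.h` (adjust the path to wherever the installed Heimdal puts kdc.h). A result of `gentoo` means the rename patch is needed for that Heimdal, `samba` means it must be dropped, and `mixed` or `unknown` means the header does not look like either layout and should be inspected by hand. A text grep is a quick triage aid; a proper configure check would compile a small program that references the member and branch on whether it compiles.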