[Samba] Samba 4.2.14 Group Policy (GPO) sync error

Achim Gottinger achim at ag-web.biz
Sun Aug 14 12:17:46 UTC 2016

Am 13.08.2016 um 22:47 schrieb Rainer Meier via samba:
> OK, I actually now feel a bit bad on this. As we did a lot of 
> debugging without actually finding any solutions my focus went more 
> and more into direction of code bug somewhere in Samba/Kerberos area.
> I found some references that Samba uses an internal specific version 
> of Heimdal. Though it looks like the Gentoo developers went to disable 
> the built-in Heimdal implementation in favor of a system-wide Heimdal. 
> Currently Gentoo uses Heimdal 1.5.3-r2. On the official page 
> (http://www.h5l.org/) I see only release 1.5.2 officially listed (??).
> Moreover I found the samba package enforces disabling SSL on Heimdal. 
> This seems to be required as the built-in Heimdal crypto library 
> (hcrypto) is built only if openssl support is disabled in Heimdal. I 
> left this unchanged then.
> So I went deeper and found the Samba ebuild to explicitly disable 
> bundled packages (configure options):
>         --bundled-libraries=NONE
>         --builtin-libraries=NONE
> I quickly removed both lines. The effect was that Samba now fails to 
> compile complaining about tgt_use_strongest_session_key. I found this 
> to be an issue of a patch applied by the Gentoo team:
> --- samba-4.2.3/source4/kdc/kdc.c
> +++ samba-4.2.3/source4/kdc/kdc.c
> @@ -967,9 +967,9 @@
>          * The old behavior in the _kdc_get_preferred_key()
>          * function is use_strongest_server_key=TRUE.
>          */
> -       kdc->config->as_use_strongest_session_key = false;
> +       kdc->config->tgt_use_strongest_session_key = false;
>         kdc->config->preauth_use_strongest_session_key = false;
> -       kdc->config->tgs_use_strongest_session_key = false;
> +       kdc->config->svc_use_strongest_session_key = false;
>         kdc->config->use_strongest_server_key = true;
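Review bot: the two renames in this hunk (`as_use_strongest_session_key` to `tgt_use_strongest_session_key`, `tgs_use_strongest_session_key` to `svc_use_strongest_session_key`) are applied unconditionally, so kdc.c compiles only against a Heimdal whose `krb5_kdc_configuration` carries the tgt_/svc_ member names and no longer against the bundled tree; the build error quoted further down for the unpatched source is the same mismatch in the other direction. Since `as_`/`tgs_` name the request type (AS-REQ, TGS-REQ) while `tgt_`/`svc_` name the ticket type, the comment above the assignments, which still only cites `_kdc_get_preferred_key()`, should state that mapping and which Heimdal naming it targets, and the selection should be made by a configure-time check for the struct member rather than a distro patch. These flags decide whether the KDC picks the strongest available session key or keeps the client-preference "old behavior" the comment describes, so the rename must leave the same set of flags cleared (the `preauth_` line is untouched and `use_strongest_server_key` stays true).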
> As I am using bundled/built-in Heimdal now I simply also removed this 
> patch.
> Now Samba compiled and seems to work. Even my group policies seem to 
> apply correctly.
> So as a result it looks like Samba works well with the built-in 
> (perhaps modified?) Heimdal library but does not with the Gentoo 
> Heimdal 1.5.3 ebuild. I am not sure if the patch listed above is 
> actually correct. So I went back disabling bundled and built-in 
> libraries again and leaving the patch disabled.
> This breaks the build:
> ../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no 
> member named ‘as_use_strongest_session_key’
>   kdc->config->as_use_strongest_session_key = false;
>              ^
> ../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no 
> member named ‘tgs_use_strongest_session_key’
>   kdc->config->tgs_use_strongest_session_key = false;
> Well, I am not sure if the built-in Heimdal within the Samba package 
> is patched/modified in any way. In general I would say Samba should 
> work with a system-wide Heimdal installation too which is obviously 
> not the case. Though this might be an insufficiency of the Gentoo 
> Heimdal ebuild. I think actually the Gentoo team is right that a 
> system-wide Heimdal should be used and not bundled libraries - if 
> possible. Though there seems to be some incompatibility.
> So currently my solution is to use a custom ebuild allowing bundled 
> libraries and removing the custom Gentoo patch.
> # diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild
> 93c93
> <       "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
> ---
>>       # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch"
> 143,144c143,144
> <               --bundled-libraries=NONE
> <               --builtin-libraries=NONE
> ---
>>               # --bundled-libraries=NONE
>>               # --builtin-libraries=NONE
> 258a259
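Review bot: the closing `258a259` hunk has no `>` line after it, so the line added at ebuild line 259 is missing from the posted diff and cannot be reviewed as shown. Commenting out `--bundled-libraries=NONE` and `--builtin-libraries=NONE` (and dropping the compile-fix patch) means this Samba build links the Heimdal copy bundled in the Samba source instead of the Gentoo Heimdal 1.5.3 ebuild, so Heimdal fixes shipped through the system package no longer reach the KDC; the custom ebuild should record that trade-off and the Samba release should be tracked for Heimdal updates.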
> I will report this to the Gentoo team so they can perhaps investigate 
> on how to fix Samba using system-wide Heimdal.
> Many many thanks to the people involved here helping me to debug the 
> issue. I have learned a lot about Samba internals and perhaps this is 
> helpful for others too. I still don't know exactly what goes wrong as 
> the complete Samba build of Gentoo works fine and the logs don't show 
> something which is obviously wrong.
> With best regards,
> Rainer
Glad you figured it out and thank you for the detailed information. There was 
a discussion here about the move to MIT Kerberos in the future. Heimdal 
is not actively developed any more, so the Samba team manages required 
modifications internally.
I remember I got the unknown mech error messages related to missing sasl 
libraries when using ldap-tools.
