Univention Bugzilla – Bug 42624
Samba 4.5 for UCS 4.1-4
Last modified: 2017-04-24 18:28:02 CEST
We will build and integrate Samba 4.5 for UCS 4.1-5.
Samba 4.5.1 has been packaged and built. The UCS patches have been converted to the new .quilt format. winexe currently doesn't build against Samba 4.5.1, no clue yet why.
The Samba release notes show a couple of points that we need to consider:
* The rewritten KCC implementation is now active by default (kccsrv:samba_kcc). While the new implementation certainly has its benefits, we may want to avoid such a change in a UCS patch level release. See e.g. https://www.spinics.net/lists/samba/msg137379.html . I propose to postpone changing the default KCC to UCS 4.2.
* We need to run dbcheck during update: https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes
* Some 'samba-tool' subcommands require python-crypto and/or python-m2crypto packages to be installed. So we need to add a dependency.
* We may also want to fix Bug 42079 Comment 4, if that is safely possible.
*** Bug 40661 has been marked as a duplicate of this bug. ***
* I've added a new UCR variable samba4/kccsrv/samba_kcc. If it's not set, smb.conf now sets "kccsrv:samba_kcc = False" by default. I've added a comment to Bug 42045 to change the default for UCS 4.2 back to upstream behaviour.
* During updates the univention-samba4 postinst runs dbcheck --fix --yes
* python-samba already depends on python-crypto
* fixing Bug 42079 Comment 4 is not that easy, samba_upgradedns doesn't do it automatically
* Changelog added
TODO: winexe.
Ok, winexe is still a bit stubborn, but we are making progress:
* The default easy rebuild using the newly built samba 4.5.1 Debian packages doesn't work any more, because some required header files have been marked as private by the samba team (e.g. smb_cli.h).
* In this case winexe recommends building directly with the upstream sources instead but this currently still fails while building libsmb_static.a:
=======================================================================
[3315/3802] Compiling default/smb_static/smb_static.objlist.empty.c
Waf: Leaving directory `/root/ucs4.1-4/winexe-2.0.1/samba/samba-4.5.1/bin'
Build failed: could not find 'smb_static/smb_static.objlist.empty.c' for {task: cc smb_static.objlist.empty.c -> smb_static.objlist.empty_2.o}
=======================================================================
This ".empty.c" suffix seems to be an artefact of samba/buildtools/wafsamba/wafsamba.py to indicate that SAMBA_{LIBRARY,SUBSYSTEM} doesn't have any source files:
===========================================================================
From 8bd309d00eb8cd805b1fb164aed52ece9df6f01a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 19 Dec 2014 13:10:30 +0100
Subject: [PATCH 12/15] wafsamba: generate an empty.c file if a SAMBA_{LIBRARY,SUBSYSTEM} doesn't have any source files
===========================================================================
I'll have to dig a bit into the logic of the winexe-winexe-waf/source/smb_static/wscript_build file and e.g. compare with the build against samba 4.3.7, which worked fine.
New configure options: --with-libarchive
Removed configure options: --with-pam_smbpass
Disabled patches:
* 91_0004-lib-util-Move-event_add_idle-to-the-top-level.quilt.DISABLED
* 91_0005-s4-smbd-Add-idle-handler-to-check-for-over-size-logs.quilt.DISABLED
=> Don't apply any longer, introduced for Bug 26376 Comment 4
   Test showed that original problem seems to be solved upstream
New patches:
* 09_sambabug_11764_fix_build_without_cluster.quilt
To make winexe build I had to revert upstream patches that turned libsmbclient-raw into a private library, otherwise the header files would not get built/installed. Same for libcli-smb, libcli-smb2, libcli-smb-composite, libsmb-transport, libcli-smb-common.
Patch: 99_revert_making_libcli-smb-raw_private.{patch,quilt}
To avoid 53_samba-common.30winbind.test failing during wbinfo --authenticate ( see https://lists.samba.org/archive/samba/2007-December/136913.html ) I have reverted the upstream change of default for "ntlm auth". Customers can adjust it manually via:
ucr set samba/ntlm/auth=no; /etc/init.d/samba restart
Patch: 99_keep_default_ntlm_auth_yes.quilt
Note: I didn't merge that patch to UCS 4.2-0 because we want to use the new default there.
Currently 54_smbtorture/05_samba_selftest fails, because there is a problem with shared libraries (rpath?) in the local build environment of that test. 54_smbtorture/01_smbtorture works though. No clue yet how to fix this:
=====================================================================
root@master10:~# ldd /opt/samba-4.5.1/bin/samba | grep "not found"
	libcluster.so.0 => not found
	libcliauth.so.0 => not found
	libservice.so.0 => not found
	libprocess-model.so.0 => not found
	libevents.so.0 => not found
	libgensec.so.0 => not found
	libsamba-debug.so.0 => not found
	libMESSAGING.so.0 => not found
	libndr-samba4.so.0 => not found
	libsamba-modules.so.0 => not found
=====================================================================
Closing for QA. Changelog entry added.
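The effect of a changed compiled-in default for "ntlm auth", as an added example (not part of the original bug comments, nor UCS or Samba code): it overlays the [global] section of an smb.conf on a build's compiled defaults and lists the authentication parameters that end up weaker than upstream 4.5. The function names, `PATCHED_BUILD` and the sample configuration are constructed for illustration; `include` directives and line continuations are assumed absent.

```python
import re

# Upstream Samba 4.5 compiled defaults for the authentication parameters,
# as listed in the loadparm.c defaults quoted later in this thread.
UPSTREAM_45_DEFAULTS = {
    "ntlm auth": False,
    "lanman auth": False,
    "client lanman auth": False,
    "client NTLMv2 auth": True,
    "raw NTLMv2 auth": False,
}
# Constructed: a build that keeps "ntlm auth = yes" compiled in, as the
# 99_keep_default_ntlm_auth_yes patch described above did.
PATCHED_BUILD = dict(UPSTREAM_45_DEFAULTS, **{"ntlm auth": True})
TRUE, FALSE = {"yes", "true", "on", "1"}, {"no", "false", "off", "0"}

def normalize(name):
    """smb.conf parameter names match regardless of case and whitespace."""
    return re.sub(r"\s+", "", name).lower()

def effective_auth_settings(conf_text, compiled_defaults):
    """Overlay [global] settings from smb.conf text on a build's defaults."""
    canonical = {normalize(k): k for k in compiled_defaults}
    effective, section = dict(compiled_defaults), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                      # per-share lines do not count
        name, value = (part.strip() for part in line.split("=", 1))
        key = canonical.get(normalize(name))
        if key and value.lower() in TRUE | FALSE:
            effective[key] = value.lower() in TRUE
    return effective

def weaker_than_upstream(effective):
    """Parameters whose effective value differs from the upstream default."""
    return sorted(k for k, v in effective.items() if v != UPSTREAM_45_DEFAULTS[k])

# Constructed sample: "ntlm auth" only commented out globally, set in a share.
SAMPLE_UNSET = "[global]\n  workgroup = EXAMPLE\n  ; ntlm auth = no\n[share]\n  ntlm auth = no\n"
SAMPLE_SET = SAMPLE_UNSET.replace("; ntlm auth = no", "NTLM Auth = No")

if __name__ == "__main__":
    for label, text in (("unset", SAMPLE_UNSET), ("set", SAMPLE_SET)):
        print(label, weaker_than_upstream(effective_auth_settings(text, PATCHED_BUILD)))
```

On a real host, `testparm -sv` reports the values Samba itself resolves, including its compiled defaults.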
Interesting changes from 4.3.7 to 4.5.1:
https://www.samba.org/samba/history/samba-4.4.0.html:
* samba-tool domain demote --remove-other-dead-server
https://www.samba.org/samba/history/samba-4.5.0.html:
* Samba now supports tombstone reanimation
* Support for LDAP notification control
* Improved efficiency for DRS replication for large groups
* samba-tool dbcheck can now find and fix a missing or corrupted 'deleted objects' container
* It is now possible to remove the DNS entries created with 'net ads register' with the matching 'net ads unregister' command, like so:
  kinit Administrator
  net ads dns register "foo.$(hostname -d)" 1.2.3.4
  net ads dns unregister "foo.$(hostname -d)"
* SmartCard/PKINIT improvements
* SMB 2.1 Leases enabled by default
KNOWN ISSUES
============
While a lot of schema replication bugs were fixed in this release Bug 12204 - Samba fails to replicate schema 69 (https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open. The replication fails if more than 133 schema objects are added at the same time.
More open bugs are listed at: https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
(In reply to Arvid Requate from comment #6) > To avoid 53_samba-common.30winbind.test failing during wbinfo --authenticate > ( see https://lists.samba.org/archive/samba/2007-December/136913.html ) I > have reverted the upstream change of default for "ntlm auth". Customers can > adjusted it manually via: ucr set samba/ntlm/auth=no; /etc/init.d/samba > restart > Patch: 99_keep_default_ntlm_auth_yes.quilt > Note: I didn't merge that patch to UCS 4.2-0 because we want to use the new > default there. The patch seems to be incomplete, the test still fails. I guess we need to revert these to as well: ----------------------------------------------------------------------------- diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 515ed05..c25ef5a 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False"); lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True"); lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False"); - lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True"); + lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False"); lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False"); lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index df700bc..474f5a5 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -690,7 +690,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.client_lanman_auth = false; /* Do NOT use the LanMan hash if it is available */ Globals.client_plaintext_auth = false; /* Do NOT use a plaintext password even if is requested by the server */ Globals.lanman_auth = false; /* Do NOT use the LanMan hash, even if it is supplied */ - Globals.ntlm_auth = true; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ + Globals.ntlm_auth = false; /* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */ Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */ Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */ /* Note, that we will also use NTLM2 session security (which is different), if it is available */ -- 1.9.1 ----------------------------------------------------------------------------- Since it is a pure configuration option, I would like to change it in univention-samba and univention-samba4. That makes it easier for customers to test and to change the value. I've removed the patch and Samba rebuilds. I've also split it into a separate bug: Bug #42847
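Review bot: In lib/param/loadparm.c the "NTLMAuth" default set in loadparm_init() is only one of two copies of this default; source3/param/loadparm.c sets Globals.ntlm_auth separately in init_globals(). A revert has to change both lines together, otherwise the two parameter tables disagree about whether NTLMv1 is accepted. Writing the value explicitly into the generated smb.conf, as proposed in this comment, removes the dependency on either compiled default.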
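Review bot: In source3/param/loadparm.c the new comment on Globals.ntlm_auth, "Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2)", keeps the parenthetical from the old wording, and it no longer reads clearly after the negation. Suggest rewording the comment so it says directly what the false value does, with the NTLMv2 remark as its own sentence.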
After fixing Bug #42855, my tests look quite good:
- Master, Backup, Slave, Member setup
- DRS replication
- Share access
- GPO
- Roaming profiles
- Windows 8.1 join
- Password change at login
Felix mentioned it on Friday and I see it as well:
[2016/11/05 14:17:12.901705, 0, pid=5505] ../source3/lib/util.c:902(log_stack_trace)
  BACKTRACE: 25 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f6d4fda83ea]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f6d4fda84c0]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f6d522c968f]
   #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x170318) [0x7f6d51ed5318]
   #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x17063e) [0x7f6d51ed563e]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7f6d4f767d42]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x14a57e) [0x7f6d51eaf57e]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x151dab) [0x7f6d51eb6dab]
   #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_req_error+0x22) [0x7f6d4e7e38b2]
   #9 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe8) [0x7f6d4e7e2f78]
   #10 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0xb300) [0x7f6d4e7e8300]
   #11 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9936) [0x7f6d4e7e6936]
   #12 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0xb5) [0x7f6d4e7e24e5]
   #13 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x27) [0x7f6d4e7e2757]
   #14 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x98a6) [0x7f6d4e7e68a6]
   #15 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x712) [0x7f6d51ea0472]
   #16 /usr/sbin/smbd(+0xbd94) [0x561d0d778d94]
   #17 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0xb56b) [0x7f6d4e7e856b]
   #18 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9936) [0x7f6d4e7e6936]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0xb5) [0x7f6d4e7e24e5]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x27) [0x7f6d4e7e2757]
   #21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x98a6) [0x7f6d4e7e68a6]
   #22 /usr/sbin/smbd(main+0x148b) [0x561d0d77547b]
   #23 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f6d4e46eead]
   #24 /usr/sbin/smbd(+0x8819) [0x561d0d775819]
Test systems: 10.201.43.1 and 10.201.43.2
See https://forge.univention.org/bugzilla/show_bug.cgi?id=39802
(In reply to Arvid Requate from comment #11)
> See https://forge.univention.org/bugzilla/show_bug.cgi?id=39802
OK. Everything else looks good:
- Master, Backup, Slave, Member setup
- DRS replication
- Share access
- GPO
- Roaming profiles
- Windows 8.1 join
- Password change at login
Changelog: OK
UCS 4.1-4 has been released: https://docs.software-univention.de/release-notes-4.1-4-en.html https://docs.software-univention.de/release-notes-4.1-4-de.html If this error occurs again, please use "Clone This Bug".
*** Bug 40663 has been marked as a duplicate of this bug. ***