Bug 42624 - Samba 4.5 for UCS 4.1-4
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
P4 enhancement
UCS 4.1-4
Assigned To: Arvid Requate
Stefan Gohmann
https://www.samba.org/samba/history/s...
Duplicates: 40663
Depends on: 39633 42679
Blocks: 42846 40661 40662 42045 42115 42120
Reported: 2016-10-11 12:38 CEST by Arvid Requate
Modified: 2017-04-24 18:28 CEST

What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
Bug group (optional): Release Goal

Description Arvid Requate univentionstaff 2016-10-11 12:38:45 CEST
We will build and integrate Samba 4.5 for UCS 4.1-5.
Comment 1 Arvid Requate univentionstaff 2016-10-27 22:01:20 CEST
Samba 4.5.1 has been packaged and built.
The UCS patches have been converted to the new .quilt format.

winexe currently doesn't build against Samba 4.5.1, no clue yet why.
Comment 2 Arvid Requate univentionstaff 2016-10-31 13:36:41 CET
The Samba release notes show a couple of points that we need to consider:

* The rewritten KCC implementation is now active by default (kccsrv:samba_kcc). While the new implementation certainly has its benefits, we may want to avoid such a change in a UCS patch level release. See e.g. https://www.spinics.net/lists/samba/msg137379.html . I propose to postpone changing the default KCC to UCS 4.2.

* We need to run dbcheck during update:
https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

* Some 'samba-tool' subcommands require python-crypto and/or
python-m2crypto packages to be installed. So we need to add a dependency.

* We may also want to fix Bug 42079 Comment 4, if that is safely possible.
Comment 3 Arvid Requate univentionstaff 2016-10-31 17:41:32 CET
*** Bug 40661 has been marked as a duplicate of this bug. ***
Comment 4 Arvid Requate univentionstaff 2016-10-31 17:49:29 CET
* I've added a new UCR variable samba4/kccsrv/samba_kcc. If it's not set, smb.conf now sets "kccsrv:samba_kcc = False" by default. I've added a comment to Bug 42045 to change the default for UCS 4.2 back to upstream behaviour.

* During updates the univention-samba4 postinst runs dbcheck --fix --yes

* python-samba already depends on python-crypto

* fixing Bug 42079 Comment 4 is not that easy, samba_upgradedns doesn't do it automatically

* Changelog added

TODO: winexe.
Comment 5 Arvid Requate univentionstaff 2016-11-01 21:41:40 CET
Ok, winexe is still a bit stubborn, but we are making progress:

* The default easy rebuild using the newly built samba 4.5.1 Debian packages doesn't work any more, because some required header files have been marked as private by the samba team (e.g. smb_cli.h).

* In this case winexe recommends building directly with the upstream sources instead but this currently still fails while building libsmb_static.a:
=======================================================================
[3315/3802] Compiling default/smb_static/smb_static.objlist.empty.c
Waf: Leaving directory `/root/ucs4.1-4/winexe-2.0.1/samba/samba-4.5.1/bin'
Build failed: could not find 'smb_static/smb_static.objlist.empty.c' for 
        {task: cc smb_static.objlist.empty.c -> smb_static.objlist.empty_2.o}
=======================================================================

This ".empty.c" suffix seems to be an artefact of samba/buildtools/wafsamba/wafsamba.py to indicate that SAMBA_{LIBRARY,SUBSYSTEM} doesn't have any source files:
===========================================================================
From 8bd309d00eb8cd805b1fb164aed52ece9df6f01a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 19 Dec 2014 13:10:30 +0100
Subject: [PATCH 12/15] wafsamba: generate an empty.c file if a
 SAMBA_{LIBRARY,SUBSYSTEM} doesn't have any source files
===========================================================================

I'll have to dig a bit into the logic of the winexe-winexe-waf/source/smb_static/wscript_build file and e.g. compare with the build against samba 4.3.7, which worked fine.
Comment 6 Arvid Requate univentionstaff 2016-11-03 16:42:39 CET
New configure options:
  --with-libarchive

Removed configure options:
  --with-pam_smbpass

Disabled patches:
* 91_0004-lib-util-Move-event_add_idle-to-the-top-level.quilt.DISABLED
* 91_0005-s4-smbd-Add-idle-handler-to-check-for-over-size-logs.quilt.DISABLED
  => Don't apply any longer,
     introduced for Bug 26376 Comment 4
     Test showed that original problem seems to be solved upstream

New patches:
* 09_sambabug_11764_fix_build_without_cluster.quilt


To make winexe build I had to revert upstream patches that turned
libsmbclient-raw into a private library, otherwise the header files would not get built/installed. Same for libcli-smb, libcli-smb2, libcli-smb-composite, libsmb-transport, libcli-smb-common.
Patch: 99_revert_making_libcli-smb-raw_private.{patch,quilt}


To avoid 53_samba-common.30winbind.test failing during wbinfo --authenticate ( see https://lists.samba.org/archive/samba/2007-December/136913.html ) I have reverted the upstream change of default for "ntlm auth". Customers can adjust it manually via: ucr set samba/ntlm/auth=no; /etc/init.d/samba restart
Patch: 99_keep_default_ntlm_auth_yes.quilt
Note: I didn't merge that patch to UCS 4.2-0 because we want to use the new default there.


Currently 54_smbtorture/05_samba_selftest fails, because there is a problem with shared libraries (rpath?) in the local build environment of that test. 54_smbtorture/01_smbtorture works though. No clue yet how to fix this:
=====================================================================
root@master10:~# ldd /opt/samba-4.5.1/bin/samba | grep "not found"
        libcluster.so.0 => not found
        libcliauth.so.0 => not found
        libservice.so.0 => not found
        libprocess-model.so.0 => not found
        libevents.so.0 => not found
        libgensec.so.0 => not found
        libsamba-debug.so.0 => not found
        libMESSAGING.so.0 => not found
        libndr-samba4.so.0 => not found
        libsamba-modules.so.0 => not found
=====================================================================

Closing for QA. Changelog entry added.
Comment 7 Arvid Requate univentionstaff 2016-11-03 18:33:09 CET
Interesting changes from 4.3.7 to 4.5.1:

https://www.samba.org/samba/history/samba-4.4.0.html:

* samba-tool domain demote --remove-other-dead-server

https://www.samba.org/samba/history/samba-4.5.0.html:

* Samba now supports tombstone reanimation
* Support for LDAP notification control
* Improved efficiency for DRS replication for large groups
* samba-tool dbcheck can now find and fix a missing or corrupted
   'deleted objects' container
* It is now possible to remove the DNS entries created with 'net ads register'
  with the matching 'net ads unregister' command, like so:
  kinit Administrator
  net ads dns register "foo.$(hostname -d)" 1.2.3.4
  net ads dns unregister "foo.$(hostname -d)"
* SmartCard/PKINIT improvements
* SMB 2.1 Leases enabled by default

KNOWN ISSUES
============

While a lot of schema replication bugs were fixed in this release
Bug 12204 - Samba fails to replicate schema 69
(https://bugzilla.samba.org/show_bug.cgi?id=12204) is still open.
The replication fails if more than 133 schema objects are added
at the same time.

More open bugs are listed at:
https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.5#All_bugs
Comment 8 Stefan Gohmann univentionstaff 2016-11-04 06:35:38 CET
(In reply to Arvid Requate from comment #6)
> To avoid 53_samba-common.30winbind.test failing during wbinfo --authenticate
> ( see https://lists.samba.org/archive/samba/2007-December/136913.html ) I
> have reverted the upstream change of default for "ntlm auth". Customers can
> adjust it manually via: ucr set samba/ntlm/auth=no; /etc/init.d/samba
> restart
> Patch: 99_keep_default_ntlm_auth_yes.quilt
> Note: I didn't merge that patch to UCS 4.2-0 because we want to use the new
> default there.

The patch seems to be incomplete, the test still fails. I guess we need to revert these as well:

-----------------------------------------------------------------------------
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 515ed05..c25ef5a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2630,7 +2630,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ClientLanManAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "ClientNTLMv2Auth", "True");
 	lpcfg_do_global_parameter(lp_ctx, "LanmanAuth", "False");
-	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "True");
+	lpcfg_do_global_parameter(lp_ctx, "NTLMAuth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "RawNTLMv2Auth", "False");
 	lpcfg_do_global_parameter(lp_ctx, "client use spnego principal", "False");
 
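Review bot: the `NTLMAuth` default in loadparm_init flips from "True" to "False" with no comment on the changed line saying what is now rejected, unlike the matching assignment in source3/param/loadparm.c; a short comment there would help. Since the same default is set in both files, a downstream revert has to cover both hunks, otherwise the two places will disagree.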
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index df700bc..474f5a5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -690,7 +690,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.client_lanman_auth = false;	/* Do NOT use the LanMan hash if it is available */
 	Globals.client_plaintext_auth = false;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.lanman_auth = false;	/* Do NOT use the LanMan hash, even if it is supplied */
-	Globals.ntlm_auth = true;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+	Globals.ntlm_auth = false;	/* Do NOT use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
 	Globals.raw_ntlmv2_auth = false; /* Reject NTLMv2 without NTLMSSP */
 	Globals.client_ntlmv2_auth = true; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
 	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
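Review bot: the new comment on the `Globals.ntlm_auth = false` line keeps the old parenthetical "(otherwise NTLMv2)", which no longer reads correctly after the negation; something like "Do NOT accept NTLMv1 from the client, NTLMv2 only" would say what the setting does. The unchanged context line two lines below also carries a doubled "use use" that could be cleaned up in the same pass.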
-- 
1.9.1
-----------------------------------------------------------------------------

Since it is a pure configuration option, I would like to change it in univention-samba and univention-samba4. That makes it easier for customers to test and to change the value.

I've removed the patch and Samba rebuilds. I've also split it into a separate bug: Bug #42847
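
An added example, not part of the original thread and not Univention's or Samba's code: a Python check that reads the [global] section of an smb.conf and reports where "ntlm auth" and "kccsrv:samba_kcc" differ from the upstream 4.5 defaults discussed in comments 2, 4 and 8. The sample configuration is constructed, and the parser is simplified (no include files, no line continuation).

```python
import re

# Upstream Samba 4.5 built-in defaults as described in this thread:
# "ntlm auth" off (diff in comment 8), kccsrv:samba_kcc on (comment 2).
UPSTREAM_45 = {"ntlmauth": False, "kccsrv:samba_kcc": True}
BOOL = {"yes": True, "true": True, "on": True, "1": True,
        "no": False, "false": False, "off": False, "0": False}

def norm(name):
    """Names compare without case or whitespace: "NTLMAuth" == "ntlm auth"."""
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalised name: raw value} from [global]; the last assignment wins."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text, builtin=UPSTREAM_45):
    """Map each watched option to (effective value, 'explicit' or 'default')."""
    params, report = global_params(text), {}
    for name, default in builtin.items():
        raw = params.get(name)
        if raw is not None and raw.lower() not in BOOL:
            raise ValueError(f"{name}: not a boolean: {raw!r}")
        report[name] = (default, "default") if raw is None else (BOOL[raw.lower()], "explicit")
    return report

def deviations(text, builtin=UPSTREAM_45):
    """Options whose effective value differs from the upstream 4.5 default."""
    return {n: v for n, v in audit(text, builtin).items() if v[0] != UPSTREAM_45[n]}

# Constructed sample; the global-only option inside [share] is not counted.
SAMPLE = """[global]
    kccsrv:samba_kcc = False
    NTLM Auth = yes
[share]
    ntlm auth = no
"""
```

Pass `builtin` with the compiled-in defaults of a patched build (for instance one that keeps "ntlm auth" on) to see deviations that come from the binary rather than from smb.conf.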
Comment 9 Stefan Gohmann univentionstaff 2016-11-05 19:59:57 CET
After fixing Bug #42855, my tests look quite good:

 - Master, Backup, Slave, Member setup
 - DRS replication
 - Share access
 - GPO
 - Roaming profiles 
 - Windows 8.1 join
 - Password change at login
Comment 10 Stefan Gohmann univentionstaff 2016-11-05 20:02:16 CET
Felix mentioned it on Friday and I see it as well:

[2016/11/05 14:17:12.901705,  0, pid=5505] ../source3/lib/util.c:902(log_stack_trace)
  BACKTRACE: 25 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f6d4fda83ea]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f6d4fda84c0]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f6d522c968f]
   #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x170318) [0x7f6d51ed5318]
   #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x17063e) [0x7f6d51ed563e]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7f6d4f767d42]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x14a57e) [0x7f6d51eaf57e]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x151dab) [0x7f6d51eb6dab]
   #8 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_req_error+0x22) [0x7f6d4e7e38b2]
   #9 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe8) [0x7f6d4e7e2f78]
   #10 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0xb300) [0x7f6d4e7e8300]
   #11 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9936) [0x7f6d4e7e6936]
   #12 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0xb5) [0x7f6d4e7e24e5]
   #13 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x27) [0x7f6d4e7e2757]
   #14 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x98a6) [0x7f6d4e7e68a6]
   #15 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x712) [0x7f6d51ea0472]
   #16 /usr/sbin/smbd(+0xbd94) [0x561d0d778d94]
   #17 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0xb56b) [0x7f6d4e7e856b]
   #18 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9936) [0x7f6d4e7e6936]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0xb5) [0x7f6d4e7e24e5]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x27) [0x7f6d4e7e2757]
   #21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x98a6) [0x7f6d4e7e68a6]
   #22 /usr/sbin/smbd(main+0x148b) [0x561d0d77547b]
   #23 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f6d4e46eead]
   #24 /usr/sbin/smbd(+0x8819) [0x561d0d775819]


Test systems: 10.201.43.1 and 10.201.43.2
Comment 12 Stefan Gohmann univentionstaff 2016-11-07 15:57:13 CET
(In reply to Arvid Requate from comment #11)
> See https://forge.univention.org/bugzilla/show_bug.cgi?id=39802

OK.

Everything else looks good:
 - Master, Backup, Slave, Member setup
 - DRS replication
 - Share access
 - GPO
 - Roaming profiles 
 - Windows 8.1 join
 - Password change at login

Changelog: OK
Comment 13 Stefan Gohmann univentionstaff 2016-11-08 13:26:41 CET
UCS 4.1-4 has been released:
 https://docs.software-univention.de/release-notes-4.1-4-en.html
 https://docs.software-univention.de/release-notes-4.1-4-de.html

If this error occurs again, please use "Clone This Bug".
Comment 14 Arvid Requate univentionstaff 2017-04-24 18:28:02 CEST
*** Bug 40663 has been marked as a duplicate of this bug. ***