Samba 4 requires heimdal if ADS support is needed. But heimdal blocks mit-krb5 (as both are similar). There are some packages, like openssl, which require mit-krb5 (not virtual/krb). When that happens, one has to disable kerberos either on openssl or on the other packages dependent on it.

It would be better if we had an extra USE flag that can use the internal heimdal library in samba4 to fix this until:
1. Mit-Krb is supported by samba4 with full functionality.
2. All packages use virtual/krb and do not depend directly on mit-krb5 or heimdal.

Both solutions will require a very long time to fix.

Reproducible: Always

Steps to Reproduce:
1. Emerge openssl with the kerberos USE flag
2. emerge samba-4.1.0-r1
3. Both mit-krb5 and heimdal will block each other.

Created attachment 362916 [details, diff] Add internal heimdal library USE flag. This can help to ease the heimdal and mit-krb issue by using the internal heimdal which is provided by samba4. With help from Polynomial-C I've managed to build samba-4 without any problem. Hope this will help others.
Created attachment 362918 [details, diff] Use bundled heimdal Update because of the reverse patch...
Dear All, Any update on this? Since we are not going to fix it in a short time... Thank You.
Created attachment 364642 [details, diff] for 4.1.2
Created attachment 364822 [details] ebuild with mit-krb5 support enabled please consider this ebuild, which enables the mit-krb5 kerberos support.
(In reply to Rambaldi from comment #5) > Created attachment 364822 [details] > ebuild with mit-krb5 support enabled In patch form: --- a/net-fs/samba/samba-4.1.2.ebuild +++ b/net-fs/samba/samba-4.1.2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/samba-4.1.2.ebuild,v 1.2 2013/11/27 20:53:24 pacho Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/samba-4.1.2.ebuild,v 1.3 2013/12/06 17:56:25 polynomial-c Exp $ EAPI=5 PYTHON_COMPAT=( python2_{6,7} ) @@ -24,9 +24,13 @@ # sys-apps/attr is an automagic dependency (see bug #489748) # dev-libs/libaio is an automagic dependency (see bug #489764) -# sys-libs/pam is an automagic dependency (see bug #489770) +# sys-libs/pam is an automagic dependency (see bug #489770) CDEPEND="${PYTHON_DEPS} - >=app-crypt/heimdal-1.5[-ssl] + virtual/krb5 + || ( + app-crypt/mit-krb5 + >=app-crypt/heimdal-1.5[-ssl] + ) dev-libs/iniparser dev-libs/libaio dev-libs/popt @@ -119,6 +123,8 @@ $(use_with syslog) \ $(use_with winbind) " + has_version "app-crypt/mit-krb5" && myconf+=" --with-system-mitkrb5" + use "ads" && myconf+=" --with-shared-modules=idmap_ad" CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" \ @@ -128,14 +134,11 @@ src_install() { waf-utils_src_install - # Seems like the build script gets the shebangs correct by itself - # (4.0.6) - #python_replicate_script \ - # "${D}/usr/sbin/samba_dnsupdate" \ - # "${D}/usr/sbin/samba_spnupdate" \ - # "${D}/usr/sbin/samba_upgradedns" \ - # "${D}/usr/sbin/samba_kcc" \ - # "${D}/usr/bin/samba-tool" + # install ldap schema for server (bug #491002) + if use ldap ; then + insinto /etc/openldap/schema + doins examples/LDAP/samba.schema + fi # Make all .so files executable find "${D}" -type f -name "*.so" -exec chmod +x {} +
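Review bot: The first hunk (@@ -1,6 +1,6 @@, the $Header line) and the last hunk (@@ -128,14 +134,11 @@ in src_install, which swaps the commented-out python_replicate_script block for the samba.schema install referencing bug #491002) have nothing to do with enabling mit-krb5 and look like the result of diffing against a different revision of the ebuild. Drop both so the patch carries only the CDEPEND and myconf changes; the ldap schema install belongs in its own change against its own bug.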
(In reply to Rambaldi from comment #5)
> Created attachment 364822 [details]
> ebuild with mit-krb5 support enabled
>
> please consider this ebuild, which enables the mit-krb5 kerberos support.

Getting it to use virtual-krb is not the issue. The issue is when built with mit-krb: you don't have any Samba AD function. In other words, it is an incomplete port. So there is no way you can have a complete replacement with Mit-Krb in a short time...

Mit-Krb seems to have a port for it.
http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port

A copy of the status from the page:

Samba4 uses around 265 Heimdal symbols: 150 functions, 45 structs & typedefs, and 70 macros & enums. Of these, roughly half present problems for the port: 25 symbols have different definitions in the MIT & Heimdal trees. 110 symbols are missing from MIT's krb5 tree.

Very sorry, that's not right :-( --- a/net-fs/samba/samba-4.1.2.ebuild +++ b/net-fs/samba/samba-4.1.2.ebuild @@ -24,9 +24,13 @@ # sys-apps/attr is an automagic dependency (see bug #489748) # dev-libs/libaio is an automagic dependency (see bug #489764) -# sys-libs/pam is an automagic dependency (see bug #489770) +# sys-libs/pam is an automagic dependency (see bug #489770) CDEPEND="${PYTHON_DEPS} - >=app-crypt/heimdal-1.5[-ssl] + virtual/krb5 + || ( + app-crypt/mit-krb5 + >=app-crypt/heimdal-1.5[-ssl] + ) dev-libs/iniparser dev-libs/libaio dev-libs/popt @@ -119,6 +123,8 @@ $(use_with syslog) \ $(use_with winbind) " + has_version "app-crypt/mit-krb5" && myconf+=" --with-system-mitkrb5" + use "ads" && myconf+=" --with-shared-modules=idmap_ad" CPPFLAGS="-I/usr/include/et ${CPPFLAGS}" \
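Review bot: In the CDEPEND hunk the new `|| ( app-crypt/mit-krb5 >=app-crypt/heimdal-1.5[-ssl] )` group lets either implementation satisfy the dependency, and the myconf hunk then picks one with `has_version "app-crypt/mit-krb5"`, so which Kerberos library samba links against depends on what is installed on the build host and is not recorded in the package's USE flags. Put both the dependency and `--with-system-mitkrb5` behind a single USE flag so the choice is explicit and the resulting build is reproducible. Separately, the `-`/`+` pair for the `# sys-libs/pam is an automagic dependency` comment differs only in whitespace and should be dropped from the patch.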
(In reply to Chan Min Wai from comment #7)
> (In reply to Rambaldi from comment #5)
> > Created attachment 364822 [details]
> > ebuild with mit-krb5 support enabled
> >
> > please consider this ebuild, which enables the mit-krb5 kerberos support.
>
> You don't have any Samba AD function.
> In other words, it is an incomplete port.
> So there is no way you can have a complete replacement with Mit-Krb in a
> short time...
>
> Mit-Krb seems to have a port for it.
> http://k5wiki.kerberos.org/wiki/Projects/Samba4_Port

You are right that when compiled against mit-krb5 you are missing features, see [1] and [2]. Until that work is done, I would like to have the choice to start using samba/mit-krb5 already.

[1] https://fedoraproject.org/wiki/Features/Samba4
[2] https://wiki.samba.org/index.php/Samba_Next_Goals

(In reply to eroen from comment #8) > + has_version "app-crypt/mit-krb5" && myconf+=" --with-system-mitkrb5" > + Using has_version to detect the lib installed, and setting config flags based on that, has in the past caused issues as it isn't deterministic. It would probably be better to have a use-flag to determine if mit-krb5 is to be used or not and set this flag (and the dependency) based on the flag. Otherwise, great work! Adding mit-krb5 support to samba is probably the best way to resolve this bug.
I was trying a different way, to completely remove mit-krb5. It was working, but later failed with some strange message. Later I found that if nsswitch.conf has any ldap in the options, it will fail system-wide. Something like:

Dec 10 19:48:52 localhost kernel: traps: getent[3691] general protection ip:7fd9b7a229f8 sp:a7e5ddc470aa4ca0 error:0 in ld-2.16.so[7fd9b7a0c000+21000]

This makes me think that we really need this...

(In reply to Chan Min Wai from comment #11)
>
> Dec 10 19:48:52 localhost kernel: traps: getent[3691] general protection
> ip:7fd9b7a229f8 sp:a7e5ddc470aa4ca0 error:0 in ld-2.16.so[7fd9b7a0c000+21000]
>
> This makes me think that we really need this...

Got this fixed with nss_ldap-265-r2.

So back to this again. I'm writing a migration guide for this.
https://wiki.gentoo.org/index.php?title=Samba4_Migrating/HOWTO

*** Bug 497202 has been marked as a duplicate of this bug. ***
Hello all,

Can anyone who builds with the bundled heimdal try to run
tdbedit
to see if they get a segmentation fault?

I have 2 VMs with this issue and would like to double confirm.

I've changed one VM to use external heimdal and it doesn't have the segmentation fault issue.

The MIT samba AD DC is on the way, slowly, according to
https://lists.samba.org/archive/samba-technical/2014-August/101514.html

Thank You.

(In reply to Chan Min Wai from comment #14)
> Hello all,
>
> Can anyone who builds with the bundled heimdal try to run
> tdbedit
> to see if they get a segmentation fault?
>
> I have 2 VMs with this issue and would like to double confirm.
>
> I've changed one VM to use external heimdal and it doesn't have the
> segmentation fault issue.
>
> The MIT samba AD DC is on the way, slowly, according to
> https://lists.samba.org/archive/samba-technical/2014-August/101514.html
>
> Thank You.

Sorry, should be
ldbedit

(In reply to Chan Min Wai from comment #15)
> (In reply to Chan Min Wai from comment #14)
> > Hello all,
> >
> > Can anyone who builds with the bundled heimdal try to run
> > tdbedit
> > to see if they get a segmentation fault?
> >
> > I have 2 VMs with this issue and would like to double confirm.
> >
> > I've changed one VM to use external heimdal and it doesn't have the
> > segmentation fault issue.
> >
> > The MIT samba AD DC is on the way, slowly, according to
> > https://lists.samba.org/archive/samba-technical/2014-August/101514.html
> >
> > Thank You.
>
> Sorry, should be
> ldbedit

Please ignore this, as I found that the old Ldflags was the cause of the issue. Removing it and rebuilding fixed the issue...

So does the ebuild with bundled heimdal work with current samba4 (including AD support) or not?
*** Bug 542450 has been marked as a duplicate of this bug. ***
Why was samba-4 unmasked despite this issue still being unsolved? This will affect many gnome users, since gnome uses both mit-krb5 and samba...
(In reply to Alexandre Rostovtsev from comment #19)
> Why was samba-4 unmasked despite this issue still being unsolved?

Probably cause as long as it was masked nobody was willing to spend some of their time on finding an acceptable solution for this problem.

...and on a not quite related note, I'd like to once again mention my hack from bug 447022 comment 3 - it's more of a vague idea, but perhaps someone will still be interested.

(In reply to Alexandre Rostovtsev from comment #19)
> Why was samba-4 unmasked despite this issue still being unsolved? This will
> affect many gnome users, since gnome uses both mit-krb5 and samba...

Because with the release of samba-4.2 samba-3 was discontinued by upstream and I want to finally have some attention from other Gentoo devs. Masking away the problems forever is NO solution.

so what are we users supposed to do? I resort to masking >=samba-4.0

(In reply to Anton Gubarkov from comment #22)
> so what are we users supposed to do? I resort to masking >=samba-4.0

I did the same.

Samba 4 masked here also. Too bad you had to force other devs to take a look at the issue with such a brutal and borked unmasking :-/ Hope this will be solved soon.
I guess using the bundled heimdal libraries might also be useful for setups which have heimdal installed with USE=ssl. So I would very much welcome a solution in that direction, unless someone is working on making that combination work with system libraries as well. I haven't found a bug report along those lines yet, don't even know where that -ssl requirement originated.
(In reply to Martin von Gagern from comment #25)
> I guess using the bundled heimdal libraries might also be useful for setups
> which have heimdal installed with USE=ssl. So I would very much welcome a
> solution in that direction, unless someone is working on making that
> combination work with system libraries as well. I haven't found a bug report
> along those lines yet, don't even know where that -ssl requirement
> originated.

My hack is exactly about that. The source of that req is that heimdal[ssl] is API/ABI incompatible with heimdal[-ssl] (yet another badly written lib) - it lacks crypto API, as it uses openssl when built with 'ssl', so it doesn't need to reimplement it.

It appears that portage is broken in some weird way that makes these blockers non-deterministic. One time I get:

[blocks B ] app-crypt/mit-krb5 ("app-crypt/mit-krb5" is hard blocking app-crypt/heimdal-1.5.3-r2)
[blocks B ] <net-fs/samba-4.1.7 ("<net-fs/samba-4.1.7" is hard blocking sys-libs/ntdb-1.0-r1)
[blocks B ] app-crypt/heimdal ("app-crypt/heimdal" is hard blocking app-crypt/mit-krb5-1.13.1)

Another time emerge proposes to continue without any blockers at all…

(In reply to Dennis Schridde from comment #27)
> Another time emerge proposes to continue without any blockers at all…

… obviously skipping the samba update.

Created attachment 400930 [details, diff] Patch for version 4.1.17 Patch adapted from that presented for version 4.1.2
(In reply to Lars Wendler (Polynomial-C) from comment #21)
> (In reply to Alexandre Rostovtsev from comment #19)
> > Why was samba-4 unmasked despite this issue still being unsolved? This will
> > affect many gnome users, since gnome uses both mit-krb5 and samba...
>
> Because with the release of samba-4.2 samba-3 was discontinued by upstream
> and I want to finally have some attention from other Gentoo devs. Masking
> away the problems forever is NO solution.

Seriously? I just lost a day trying to break up a block-party thanks to this, when what I apparently should have done was just re-mask samba4 myself. (I don't even *use* samba, just have it as a default dependency for a few things. Think that's about to change)

I accept using unstable makes me your beta-tester; I really *don't* accept being used as a pawn in intra-dev spats like this (or however you care to characterise what's going on here).

This is also blocked by bug #534432 as media-video/ffmpeg[abi_x86_32] depends on sys-fs/samba[abi_x86_32].
As I see it we currently have 2 possible solutions here:
1) use the bundled heimdal
2) mask samba4 again

As far as I know those won't be possible in reasonable time:
3) implement something like Debian's multidev https://packages.debian.org/sid/heimdal-multidev
4) Make sure every package works with heimdal
5) Build samba4 with MIT kerberos https://wiki.samba.org/index.php/MIT_Build

Masking samba is only a temporary solution, so I would vote for just enabling the bundled heimdal. Using the bundled heimdal I get a working Samba4. So far I have only really tested the client side, but it will solve this bug for most users.

We are using "testing" for a reason, so give us *something* to test, we are *not* interested in release politics.

Created attachment 404190 [details, diff] samba-4.1.17.ebuild.patch (IUSE+=system-heimdal) --with-system-mitkrb5 would be the best solution, but it needs some --bundled-libraries and I haven't figured out which yet. tdbedit is not in samba or pfl. if there is no objection I will have this committed in 3 days.
Hello all,

I think we can narrow down some part.

heimdal is only required when we need Samba to be an Active Directory Domain Controller (ADS). Sorry, as I'm not a programmer...

Can we do it so that only when we build with the USE flag "ads", "system-heimdal" is forced to be enabled? Otherwise we can use mit-krb5 and not heimdal.

I've tried on both (on AD DC and also Files Member). Both are working fine under different krb.

What is the benefit?

By proper AD DC design, we should have 2 or more AD DCs and 1 or more file servers... And most people are using it as a file server; thus, it would have minimal impact on the overall system, as only AD DC systems are affected.

Your thoughts?

(In reply to Alex Xu (Hello71) from comment #33)
> Created attachment 404190 [details, diff]
> samba-4.1.17.ebuild.patch (IUSE+=system-heimdal)
>
> --with-system-mitkrb5 would be the best solution, but it needs some
> --bundled-libraries and I haven't figured out which yet.
>
> tdbedit is not in samba or pfl.
>
> if there is no objection I will have this committed in 3 days.

Hey Alex! What were the objections you faced when trying to commit this?

(In reply to Dennis Schridde from comment #31)
> This is also blocked by bug #534432 as media-video/ffmpeg[abi_x86_32]
> depends on sys-fs/samba[abi_x86_32].

P.S: Could someone please set this bug-dependency?

(In reply to Dennis Schridde from comment #36)
> (In reply to Dennis Schridde from comment #31)
> > This is also blocked by bug #534432 as media-video/ffmpeg[abi_x86_32]
> > depends on sys-fs/samba[abi_x86_32].
>
> P.S: Could someone please set this bug-dependency?

Sorry, wrong bug. Again.

strange, I thought I checked CC.

(In reply to Chan Min Wai from comment #34)
> Hello all,
>
> I think we can narrow down some part.
>
> heimdal is only required when we need Samba to be an Active Directory
> Domain Controller (ADS). Sorry, as I'm not a programmer...
>
> Can we do it so that only when we build with the USE flag "ads",
> "system-heimdal" is forced to be enabled? Otherwise we can use mit-krb5
> and not heimdal.
>
> I've tried on both (on AD DC and also Files Member). Both are working
> fine under different krb.
>
> What is the benefit?
>
> By proper AD DC design, we should have 2 or more AD DCs and 1 or more
> file servers... And most people are using it as a file server; thus, it
> would have minimal impact on the overall system, as only AD DC systems
> are affected.
>
> Your thoughts?

IIRC, the pure mit-krb5 build still does not work properly in 4.1.18 with 1.13-r1; some symbols missing from heimdal. if you test it and it works (WITH --bundled-libraries=NONE) then we can put it in.

(In reply to Dennis Schridde from comment #35)
> (In reply to Alex Xu (Hello71) from comment #33)
> > Created attachment 404190 [details, diff]
> > samba-4.1.17.ebuild.patch (IUSE+=system-heimdal)
> >
> > --with-system-mitkrb5 would be the best solution, but it needs some
> > --bundled-libraries and I haven't figured out which yet.
> >
> > tdbedit is not in samba or pfl.
> >
> > if there is no objection I will have this committed in 3 days.
>
> Hey Alex! What were the objections you faced when trying to commit this?

I forgot to put myself in CC.

>=net-fs/samba-4.2.4-r1 have a system-mitkrb5 USE flag which enables use of app-crypt/mit-krb5 instead of app-crypt/heimdal.
Created attachment 459414 [details] Ebuild based on current stable that fixes this issue (+bundled-heimdal) This ebuild for Samba 4.2.14 should fix this issue, as well as #542462, #581614, and #594130. The changes in it should also be applicable to the Samba versions that are unstable.
No one's screaming about this anymore. Can we consider it WONTFIX?
> Resolution: --- → WONTFIX

Any explanation why?

Because comment 41 was 6 months ago and nobody replied... if you have some more information or requests, please share them