samba.git/nsswitch/libwbclient/wscript, branch master Unnamed repository; edit this file 'description' to name the repository. nsswitch: leverage TLS if available in favour over global locking 2023-01-05T11:33:37+00:00 Ralph Boehme slow@samba.org 2022-11-06T15:57:27+00:00 642a4452ce5b3333c50e41e54bc6ca779686ecc3 The global locking can lead to deadlocks when using nscd: when processing the first request in winbind, when we know we call into code that will recurse into winbind we call winbind_off() which sets an environment variable which is later checked here in the nsswitch module. But with nscd in the stack, we don't see the env variable in nsswitch, so when we try to acquire the global lock again, it is already locked and we deadlock. By using a thread specific winbindd_context, plus a few other thread local global variables, we don't need a global lock anymore. Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
The global locking can lead to deadlocks when using nscd: when processing the
first request in winbind, when we know we call into code that will recurse into
winbind we call winbind_off() which sets an environment variable which is later
checked here in the nsswitch module.

But with nscd in the stack, we don't see the env variable in nsswitch, so when
we try to acquire the global lock again, it is already locked and we deadlock.

By using a thread specific winbindd_context, plus a few other thread local global
variables, we don't need a global lock anymore.

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libwbclient: add wbc[Ctx]ChangeTrustCredentialsAt() 2022-12-21T19:10:35+00:00 Ralph Boehme slow@samba.org 2022-11-22T11:00:14+00:00 682216aa29eda70885c7756927ebfbe88d655aa4 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
nsswitch: reduce dependecies to private libraries and link static/builtin if possible 2021-11-30T15:53:34+00:00 Stefan Metzmacher metze@samba.org 2021-07-01T10:08:16+00:00 66e90b7391bd404580f3919c4f2b8625c9c89c0e Over the last month I got more and more reports, that it's not possible to use a custom Samba version on systems with sssd being installed, which depends on some specific samba libraries installed in the system. One major problem is that the custom libnss_winbind.so.2 depends on the libreplace-samba4.so of the custom build and also injects an RPATH into the running process. When sssd uses any nss library call it will get this, when it then tries to load some of its plugins via dlopen(), e.g. ldd /usr/lib64/sssd/libsss_ad.so| grep samba libsamba-util.so.0 => /lib64/libsamba-util.so.0 libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so libsamba-errors.so.1 => /lib64/libsamba-errors.so.1 libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so When that loads dlopen() will fail as a soname libreplace-samba4.so is already loaded, but the symbol version within the other one don't match, as the contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3. This is just an example and similar things can happen in all situations where we provide libraries, which are potentially injected into every process of the running system. These should only depend on libc.so and related basic system libraries in order to avoid the problem. We have the following libraries, which are in the that category: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so - async_dns_krb5_locator.so The rules of library loading are really complex and symbol versioning is not enough to solve it, only the combination of unique soname and unique symbol version suffix seem to solve the problem, but injecting an RPATH is still a problem. In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM() definitions with 'hide_symbols=True' in order to do some static linking of selected components, e.g. bld.SAMBA_SUBSYSTEM('replace-hidden', source=REPLACE_SOURCE, group='base_libraries', hide_symbols=True, deps='dl attr' + extra_libs) It's relatively simple to get to the point where the following are completely static: - libnss_winbind.so.2 - libnss_wins.so.2 - pam_winbind.so - winbind_krb5_locator.so But 'async_dns_krb5_locator.so' links in almost everything! It seems we install the krb5 plugins into our own $MODULESDIR/krb5/, so it may not be so critical, as long it's the admin who created the desired symlinks into the location the kerberos libraries search for plugins. Note the at least the locator plugins are always loaded without any configuration, every .so in a special path are loaded with dlopen(). This is done by every application using kerberos, so we load a lot of samba libraries into them. Packagers should not put async_dns_krb5_locator.so (nor a symlink) into the path that's reachable by libkrb5.so. As a longterm solution we may want to change async_dns_krb5_locator.so to use a helper process with posix_spawn() instead of doing everything within the process. Note I added hiden_symbols=True to the nss modules for Linux and FreeBSD only, because these are the only platforms I'm able to test on. We most likely should do the same on other platforms, but some with access to the platform should provide a tested patch. In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with '-hidden', I added the 'provide_builtin_linking=True' option, as the logic is very similar to what we already have with the '--builtin-libraries=BUILTIN_LIBRARIES' configure option. SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order to make it more strict that these plugins can't be used as normal depedency by other subsystems and libraries. While being there it was easy enough to make libwbclient.so also standalone without dependecies to other samba libraries. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Over the last month I got more and more reports,
that it's not possible to use a custom Samba version
on systems with sssd being installed, which depends on some
specific samba libraries installed in the system.

One major problem is that the custom libnss_winbind.so.2
depends on the libreplace-samba4.so of the custom build
and also injects an RPATH into the running process.
When sssd uses any nss library call it will get this,
when it then tries to load some of its plugins via dlopen(),
e.g.

ldd /usr/lib64/sssd/libsss_ad.so| grep samba

   libsamba-util.so.0 => /lib64/libsamba-util.so.0
   libreplace-samba4.so => /usr/lib64/samba/libreplace-samba4.so
   libsamba-security-samba4.so => /usr/lib64/samba/libsamba-security-samba4.so
   libsamba-errors.so.1 => /lib64/libsamba-errors.so.1
   libsamba-debug-samba4.so => /usr/lib64/samba/libsamba-debug-samba4.so
   libgenrand-samba4.so => /usr/lib64/samba/libgenrand-samba4.so
   libsocket-blocking-samba4.so => /usr/lib64/samba/libsocket-blocking-samba4.so
   libtime-basic-samba4.so => /usr/lib64/samba/libtime-basic-samba4.so
   libsys-rw-samba4.so => /usr/lib64/samba/libsys-rw-samba4.so
   libiov-buf-samba4.so => /usr/lib64/samba/libiov-buf-samba4.so

When that loads dlopen() will fail as a soname libreplace-samba4.so is
already loaded, but the symbol version within the other one don't match, as the
contain the exact version, e.g. replace_dummy@@SAMBA_4.13.3.

This is just an example and similar things can happen in all situations
where we provide libraries, which are potentially injected into every
process of the running system. These should only depend on libc.so and
related basic system libraries in order to avoid the problem.

We have the following libraries, which are in the that category:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so
- async_dns_krb5_locator.so

The rules of library loading are really complex and symbol versioning
is not enough to solve it, only the combination of unique soname and
unique symbol version suffix seem to solve the problem, but injecting
an RPATH is still a problem.

In order to solve the problem I experimented with adding SAMBA_SUBSYSTEM()
definitions with 'hide_symbols=True' in order to do some static linking
of selected components, e.g.

   bld.SAMBA_SUBSYSTEM('replace-hidden',
                       source=REPLACE_SOURCE,
                       group='base_libraries',
                       hide_symbols=True,
                       deps='dl attr' + extra_libs)

It's relatively simple to get to the point where the following are
completely static:

- libnss_winbind.so.2
- libnss_wins.so.2
- pam_winbind.so
- winbind_krb5_locator.so

But 'async_dns_krb5_locator.so' links in almost everything!
It seems we install the krb5 plugins into our own $MODULESDIR/krb5/,
so it may not be so critical, as long it's the admin who created
the desired symlinks into the location the kerberos libraries search
for plugins. Note the at least the locator plugins are always loaded
without any configuration, every .so in a special path are loaded with dlopen().
This is done by every application using kerberos, so we load a lot of samba libraries
into them.

Packagers should not put async_dns_krb5_locator.so (nor a symlink) into
the path that's reachable by libkrb5.so.

As a longterm solution we may want to change async_dns_krb5_locator.so
to use a helper process with posix_spawn() instead of doing everything
within the process.

Note I added hiden_symbols=True to the nss modules for Linux and
FreeBSD only, because these are the only platforms I'm able to test
on. We most likely should do the same on other platforms, but some
with access to the platform should provide a tested patch.

In order to avoid manual definitions of SAMBA_SUBSYSTEMS() with
'-hidden', I added the 'provide_builtin_linking=True' option,
as the logic is very similar to what we already have with the
'--builtin-libraries=BUILTIN_LIBRARIES' configure option.

SAMBA_PLUGIN() is used in order to use SAMBA_LIBRARY() in order
to make it more strict that these plugins can't be used as
normal depedency by other subsystems and libraries.

While being there it was easy enough to make libwbclient.so
also standalone without dependecies to other samba libraries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
nsswitch/libwbclient: explicitly mark all wbc* symbols as _PUBLIC_ 2021-11-30T15:53:34+00:00 Stefan Metzmacher metze@samba.org 2021-10-12T12:30:09+00:00 62d05a81087029d93ba0cf81c11e5b244d788aef Some private functions from wbclient_internal.h already leaked into the ABI. With hide_symbols=True we make sure this doesn't happen again. Having wbcRequestResponse[Priv]() as part of the ABI helps us in order to hide winbindd_[priv_]request_response() soon. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Some private functions from wbclient_internal.h already
leaked into the ABI. With hide_symbols=True we make sure
this doesn't happen again.

Having wbcRequestResponse[Priv]() as part of the ABI helps us
in order to hide winbindd_[priv_]request_response() soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14780

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
lib: relicense smb_strtoul(l) under LGPLv3 2020-08-03T22:21:02+00:00 Ralph Boehme slow@samba.org 2020-07-03T06:11:20+00:00 23274717563b19684c52f8a909f528f608dafd7c Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Aug 3 22:21:04 UTC 2020 on sn-devel-184 
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug  3 22:21:04 UTC 2020 on sn-devel-184
libwbclient: Use wrapper for string to integer conversion 2019-03-01T00:32:11+00:00 Swen Schillig swen@linux.ibm.com 2019-01-29T13:21:25+00:00 ea7231dcc0b50c535f913f0542d600d0b2119a21 In order to detect an value overflow error during the string to integer conversion with strtoul/strtoull, the errno variable must be set to zero before the execution and checked after the conversion is performed. This is achieved by using the wrapper function strtoul_err and strtoull_err. Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Ralph Böhme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
In order to detect an value overflow error during
the string to integer conversion with strtoul/strtoull,
the errno variable must be set to zero before the execution and
checked after the conversion is performed. This is achieved by
using the wrapper function strtoul_err and strtoull_err.

Signed-off-by: Swen Schillig <swen@linux.ibm.com>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
wbclient: Add wbcSetClientProcessName() 2018-11-12T08:50:25+00:00 Andreas Schneider asn@samba.org 2018-11-02T17:57:05+00:00 1834513ebe394f4e5111665a21df652e59b3b0b6 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
nsswitch/libwbclient/wscript: import from waflib 2018-09-05T04:37:25+00:00 Alexander Bokovoy ab@samba.org 2018-06-15T13:20:34+00:00 d00ba4003125898d0c4928ac6ad205bad79ee3c2 Signed-off-by: Alexander Bokovoy <ab@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libwbclient: Add "authoritative" to wbcAuthErrorInfo 2017-03-07T08:15:17+00:00 Volker Lendecke vl@samba.org 2017-01-29T16:51:53+00:00 a6f4e603063b540f37a1b8774dd9253dd595a913 smbd needs to react to "authoritative" Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
smbd needs to react to "authoritative"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
libwbclient: Implement wbc[Ctx]UnixIdsToSids 2016-02-22T19:29:15+00:00 Volker Lendecke vl@samba.org 2015-08-14T09:55:37+00:00 171931cf7de4fcccf6d2e1e7b6520a44b21d21ee Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>