On 13.08.2016 at 22:47, Rainer Meier via samba wrote:> OK, I actually now feel a bit bad on this. As we did a lot of > debugging without actually finding any solutions my focus went more > and more into direction of code bug somewhere in Samba/Kerberos area. > > I found some references that Samba uses an internal specific version > of Heimdal. Though it looks like the Gentoo developers went to disable > the built-in Heimdal implementation in favor of a system-wide Heimdal. > Currently Gentoo uses Heimdal 1.5.3-r2. On the official page > (http://www.h5l.org/) I see only release 1.5.2 officially listed (??). > Moreover I found the samba package enforces disabling SSL on Heimdal. > This seems to be required as the built-in Heimdal crypto library > (hcrypto) is built only if openssl support is disabled in Heimdal. I > left this unchanged then. > > > So I went deeper and found the Samba ebuild to explicitly disable > bundled packages (configure options): > > --bundled-libraries=NONE > --builtin-libraries=NONE > > > I quickly removed both lines. The effect was that Samba now fails to > compile complaining about tgt_use_strongest_session_key. I found this > to be an issue of a patch applied by the Gentoo team: > > --- samba-4.2.3/source4/kdc/kdc.c > +++ samba-4.2.3/source4/kdc/kdc.c 
> @@ -967,9 +967,9 @@ > * The old behavior in the _kdc_get_preferred_key() > * function is use_strongest_server_key=TRUE. > */ > - kdc->config->as_use_strongest_session_key = false; > + kdc->config->tgt_use_strongest_session_key = false; > kdc->config->preauth_use_strongest_session_key = false; > - kdc->config->tgs_use_strongest_session_key = false; > + kdc->config->svc_use_strongest_session_key = false; > kdc->config->use_strongest_server_key = true; > > As I am using bundled/built-in Heimdal now I simply also removed this > patch. > > Now Samba compiled and seems to work. Even my group policies seem to > apply correctly. > > > So as a result it looks like Samba works well with the built-in > (perhaps modified?) Heimdal library but does not with the Gentoo > Heimdal 1.5.3 ebuild. I am not sure if the patch listed above is > actually correct. So I went back disabling bundled and built-in > libraries again and leaving the patch disabled. > > This breaks the build: > > ../source4/kdc/kdc.c:970:13: error: ‘krb5_kdc_configuration’ has no > member named ‘as_use_strongest_session_key’ > kdc->config->as_use_strongest_session_key = false; > ^ > ../source4/kdc/kdc.c:972:13: error: ‘krb5_kdc_configuration’ has no > member named ‘tgs_use_strongest_session_key’ > kdc->config->tgs_use_strongest_session_key = false; > > > Well, I am not sure if the built-in Heimdal within the Samba package > is patched/modified in any way. In general I would say Samba should > work with a system-wide Heimdal installation too which is obviously > not the case. Though this might be an insufficiency of the Gentoo > Heimdal ebuild. I think actually the Gentoo team is right that a > system-wide Heimdal should be used and not bundled libraries - if > possible. Though there seems to be some incompatibility. > > > So currently my solution is to use a custom ebuild allowing bundled > libraries and removing the custom Gentoo patch. 
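Review bot: the two renames in the kdc.c hunk (as_use_strongest_session_key to tgt_use_strongest_session_key, tgs_use_strongest_session_key to svc_use_strongest_session_key) hard-code the member names of the system Heimdal's krb5_kdc_configuration unconditionally, which is exactly why the same tree stops compiling once the bundled Heimdal is re-enabled with the patch still applied, and why the unpatched source fails against the system Heimdal with the "has no member named" errors quoted further down. A configure-time check for the struct member, with the two assignments wrapped in the resulting #ifdef, would let one source tree build against either Heimdal instead of forcing a choice between the patch and the bundled libraries. The hunk also gives no justification for pairing as with tgt and tgs with svc; a one-line comment above the assignments stating that correspondence would make the intent reviewable, since the existing comment only talks about use_strongest_server_key and _kdc_get_preferred_key().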
> > # diff /usr/portage/net-fs/samba/samba-4.2.14.ebuild samba-4.2.14.ebuild > 93c93 > < "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch" > --- >> # "${FILESDIR}/${PN}-4.2.3-heimdal_compilefix.patch" > 143,144c143,144 > < --bundled-libraries=NONE > < --builtin-libraries=NONE > --- >> # --bundled-libraries=NONE >> # --builtin-libraries=NONE > 258a259 >> > > I will report this to the Gentoo team so they can perhaps investigate > on how to fix Samba using system-wide Heimdal. > > > Many many thanks to the people involved here helping me to debug the > issue. I have learned a lot about Samba internals and perhaps this is > helpful for others too. I still don't know exactly what goes wrong as > the complete Samba build of Gentoo works fine and the logs don't show > something which is obviously wrong. > > With best regards, > Rainer >
Glad you figured it out and thank you for the detailed infos. There was a discussion here about the move to mit kerberos in the future. Heimdal is not actively developed any more, so the samba team manages required modifications internally. I remember I got the unknown mech error messages related to missing sasl libraries when using ldap-tools.
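Review bot: the 258a259 hunk of the ebuild diff only appends an empty line at the end of the file; drop it so the custom ebuild differs from the Portage one in the two intended places (the 93c93 and 143,144c143,144 hunks) only. Commenting out --bundled-libraries=NONE and --builtin-libraries=NONE lifts the restriction for every library Samba can bundle, not just Heimdal, so a short comment next to the commented-out lines naming the Heimdal 1.5.3 incompatibility as the reason would keep the change from being carried forward once the system Heimdal ebuild is fixed.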
rme at bluemail.ch
2016-Aug-15 07:02 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
> Heimdal is not actively developed any more, so the samba team manages required modifications internally.
> I remember I got the unknown mech error messages related to missing sasl libraries when using ldap-tools.

Well, the situation is a bit weird. Looks like at least the Gentoo team is not fully aware about the modifications or their Heimdal is not completely compatible. On the other hand also the Samba build scripts seem not to verify the functionality completely. Moreover even at log level 10 there is no clear message logged about any malfunction.

Moreover it looks like the Samba team relies on the hcrypto library while even the Heimdal team seems to prefer OpenSSL on systems where it is available. Samba should perhaps use OpenSSL (if available) too rather than relying on hcrypto library. Especially since OpenSSL is maintained.

I am not fully into details right now but it seems to be common sense to me that if you rely on some modifications with bundled libraries AND you provide an option to disable this bundling that some verification (version, functionality) of the external libraries should be done.

Anyway let's see what Gentoo developers come up with to fix this issue for future ebuilds.
Perhaps this problem will be solved by the Samba team too by switching to mit-krb5 or developing their own kerberos implementation. I don't know the plans here.
Thanks Rainer, I've been stuck on this issue for 1 month... This is a bit stupid :(...

Regards,
Min Wai

On Mon, Aug 15, 2016 at 3:02 PM, Rainer Meier via samba <samba at lists.samba.org> wrote:

>> Heimdal is not actively developed any more, so the samba team manages required modifications internally.
>> I remember I got the unknown mech error messages related to missing sasl libraries when using ldap-tools.
>
> Well, the situation is a bit weird. Looks like at least the Gentoo team is not fully aware about the modifications or their Heimdal is not completely compatible. On the other hand also the Samba build scripts seem not to verify the functionality completely. Moreover even at log level 10 there is no clear message logged about any malfunction.
>
> Moreover it looks like the Samba team relies on the hcrypto library while even the Heimdal team seems to prefer OpenSSL on systems where it is available. Samba should perhaps use OpenSSL (if available) too rather than relying on hcrypto library. Especially since OpenSSL is maintained.
>
> I am not fully into details right now but it seems to be common sense to me that if you rely on some modifications with bundled libraries AND you provide an option to disable this bundling that some verification (version, functionality) of the external libraries should be done.
>
> Anyway let's see what Gentoo developers come up with to fix this issue for future ebuilds.
> Perhaps this problem will be solved by the Samba team too by switching to mit-krb5 or developing their own kerberos implementation. I don't know the plans here.