From c41228519a3902dd0453d3c80af0d172c86267b1 Mon Sep 17 00:00:00 2001 From: Vieri Date: Wed, 23 Jan 2019 13:30:18 +0100 Subject: [PATCH] net-fs/samba: pam+winbind authentication PAM winbind authentication configuration. Closes: https://bugs.gentoo.org/590374 Tested-by: Vieri Signed-off-by: Vieri Fixes: 0eef165 (net-fs/samba: pam+winbind authentication) Package-Manager: Portage-2.3.51, Repoman-2.3.11 Closes: https://github.com/gentoo/gentoo/pull/10578 Signed-off-by: Lars Wendler --- .../samba/files/4.4/system-auth-winbind.pam | 18 ++ ..._rc1.ebuild => samba-4.10.0_rc1-r1.ebuild} | 16 +- ...a-4.7.12.ebuild => samba-4.7.12-r1.ebuild} | 18 +- net-fs/samba/samba-4.8.6-r3.ebuild | 301 ++++++++++++++++++ ...mba-4.8.8.ebuild => samba-4.8.8-r1.ebuild} | 18 +- ...mba-4.9.4.ebuild => samba-4.9.4-r1.ebuild} | 18 +- 6 files changed, 382 insertions(+), 7 deletions(-) create mode 100644 net-fs/samba/files/4.4/system-auth-winbind.pam rename net-fs/samba/{samba-4.10.0_rc1.ebuild => samba-4.10.0_rc1-r1.ebuild} (95%) rename net-fs/samba/{samba-4.7.12.ebuild => samba-4.7.12-r1.ebuild} (95%) create mode 100644 net-fs/samba/samba-4.8.6-r3.ebuild rename net-fs/samba/{samba-4.8.8.ebuild => samba-4.8.8-r1.ebuild} (95%) rename net-fs/samba/{samba-4.9.4.ebuild => samba-4.9.4-r1.ebuild} (95%) diff --git a/net-fs/samba/files/4.4/system-auth-winbind.pam b/net-fs/samba/files/4.4/system-auth-winbind.pam new file mode 100644 index 000000000000..8d6746b7aeb6 --- /dev/null +++ b/net-fs/samba/files/4.4/system-auth-winbind.pam @@ -0,0 +1,18 @@ +#%PAM-1.0 +# $Id$ + +auth required pam_env.so +auth sufficient pam_winbind.so +auth sufficient pam_unix.so likeauth nullok use_first_pass +auth required pam_deny.so + +account sufficient pam_winbind.so +account required pam_unix.so + +password required pam_cracklib.so retry=3 +password sufficient pam_unix.so nullok use_authtok md5 shadow +password required pam_deny.so + +session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 +session required pam_limits.so +session required pam_unix.so diff --git a/net-fs/samba/samba-4.10.0_rc1.ebuild b/net-fs/samba/samba-4.10.0_rc1-r1.ebuild similarity index 95% rename from net-fs/samba/samba-4.10.0_rc1.ebuild rename to net-fs/samba/samba-4.10.0_rc1-r1.ebuild index 65badeb07824..58029da8000a 100644 --- a/net-fs/samba/samba-4.10.0_rc1.ebuild +++ b/net-fs/samba/samba-4.10.0_rc1-r1.ebuild @@ -5,7 +5,7 @@ EAPI=6 PYTHON_COMPAT=( python3_{4,5,6,7} ) PYTHON_REQ_USE='threads(+),xml(+)' -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam MY_PV="${PV/_rc/rc}" MY_P="${PN}-${MY_PV}" @@ -272,6 +272,20 @@ multilib_src_install() { systemd_dounit "${FILESDIR}"/winbindd.service systemd_dounit "${FILESDIR}"/samba.service fi + + if use pam and use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf || die + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/lock/samba + keepdir /var/log/samba + keepdir /var/run/{ctdb,samba} } multilib_src_test() { diff --git a/net-fs/samba/samba-4.7.12.ebuild b/net-fs/samba/samba-4.7.12-r1.ebuild similarity index 95% rename from net-fs/samba/samba-4.7.12.ebuild rename to net-fs/samba/samba-4.7.12-r1.ebuild index 25a31e5776ab..ce0c7421f11b 100644 --- a/net-fs/samba/samba-4.7.12.ebuild +++ b/net-fs/samba/samba-4.7.12-r1.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2018 Gentoo Authors +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 PYTHON_COMPAT=( python2_7 ) PYTHON_REQ_USE='threads(+),xml(+)' -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd eutils +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd eutils pam MY_PV="${PV/_rc/rc}" MY_P="${PN}-${MY_PV}" @@ -298,6 +298,20 @@ multilib_src_install() { systemd_dounit "${FILESDIR}"/winbindd.service systemd_dounit "${FILESDIR}"/samba.service fi + + if use pam and use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf || die + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/lock/samba + keepdir /var/log/samba + keepdir /var/run/{ctdb,samba} } multilib_src_test() { diff --git a/net-fs/samba/samba-4.8.6-r3.ebuild b/net-fs/samba/samba-4.8.6-r3.ebuild new file mode 100644 index 000000000000..66090c5d8072 --- /dev/null +++ b/net-fs/samba/samba-4.8.6-r3.ebuild @@ -0,0 +1,301 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +PYTHON_COMPAT=( python2_7 ) +PYTHON_REQ_USE='threads(+),xml(+)' + +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam + +MY_PV="${PV/_rc/rc}" +MY_P="${PN}-${MY_PV}" + +SRC_PATH="stable" +[[ ${PV} = *_rc* ]] && SRC_PATH="rc" + +SRC_URI="mirror://samba/${SRC_PATH}/${MY_P}.tar.gz" +[[ ${PV} = *_rc* ]] || \ +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~x86" + +DESCRIPTION="Samba Suite Version 4" +HOMEPAGE="https://www.samba.org/" +LICENSE="GPL-3" + +SLOT="0" + +IUSE="acl addc addns ads ceph client cluster cups debug dmapi fam gnutls gpg iprint ldap pam python +quota selinux syslog system-heimdal +system-mitkrb5 systemd test winbind zeroconf" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/samba-4.0/policy.h + /usr/include/samba-4.0/dcerpc_server.h + /usr/include/samba-4.0/ctdb.h + /usr/include/samba-4.0/ctdb_client.h + /usr/include/samba-4.0/ctdb_protocol.h + /usr/include/samba-4.0/ctdb_private.h + /usr/include/samba-4.0/ctdb_typesafe_cb.h + /usr/include/samba-4.0/ctdb_version.h +) + +# sys-apps/attr is an automagic dependency (see bug #489748) +CDEPEND=" + >=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}] + dev-lang/perl:= + dev-libs/libaio[${MULTILIB_USEDEP}] + dev-libs/libbsd[${MULTILIB_USEDEP}] + dev-libs/iniparser:0 + dev-libs/popt[${MULTILIB_USEDEP}] + dev-python/subunit[${PYTHON_USEDEP},${MULTILIB_USEDEP}] + >=dev-util/cmocka-1.1.1[${MULTILIB_USEDEP}] + net-libs/libnsl:=[${MULTILIB_USEDEP}] + sys-apps/attr[${MULTILIB_USEDEP}] + >=sys-libs/ldb-1.3.6[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}] + =sys-libs/talloc-2.1.11[python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}] + >=sys-libs/tdb-1.3.15[python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}] + >=sys-libs/tevent-0.9.36[python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}] + sys-libs/zlib[${MULTILIB_USEDEP}] + virtual/libiconv + pam? ( virtual/pam ) + acl? ( virtual/acl ) + addns? ( + net-dns/bind-tools[gssapi] + dev-python/dnspython:=[${PYTHON_USEDEP}] + ) + ceph? ( sys-cluster/ceph ) + cluster? ( + net-libs/rpcsvc-proto + !dev-db/ctdb + ) + cups? ( net-print/cups ) + debug? ( dev-util/lttng-ust ) + dmapi? ( sys-apps/dmapi ) + fam? ( virtual/fam ) + gnutls? ( + dev-libs/libgcrypt:0 + >=net-libs/gnutls-1.4.0 + ) + gpg? ( app-crypt/gpgme ) + ldap? ( net-nds/openldap[${MULTILIB_USEDEP}] ) + system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] ) + system-mitkrb5? ( >=app-crypt/mit-krb5-1.15.1[${MULTILIB_USEDEP}] ) + systemd? ( sys-apps/systemd:0= ) +" +DEPEND="${CDEPEND} + ${PYTHON_DEPS} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + net-libs/libtirpc[${MULTILIB_USEDEP}] + virtual/pkgconfig + || ( + net-libs/rpcsvc-proto + =sys-libs/nss_wrapper-1.1.3 + >=net-dns/resolv_wrapper-1.1.4 + >=net-libs/socket_wrapper-1.1.7 + >=sys-libs/uid_wrapper-1.2.1 + ) + )" +RDEPEND="${CDEPEND} + python? ( ${PYTHON_DEPS} ) + client? ( net-fs/cifs-utils[ads?] ) + selinux? ( sec-policy/selinux-samba ) + !dev-perl/Parse-Yapp +" + +REQUIRED_USE=" + addc? ( python gnutls winbind ) + addns? ( python ) + ads? ( acl gnutls ldap winbind ) + cluster? ( ads ) + gpg? ( addc ) + test? ( python ) + ?? ( system-heimdal system-mitkrb5 ) + ${PYTHON_REQUIRED_USE} +" + +# the test suite is messed, it uses system-installed samba +# bits instead of what was built, tests things disabled via use +# flags, and generally just fails to work in a way ebuilds could +# rely on in its current state +RESTRICT="test" + +S="${WORKDIR}/${MY_P}" + +PATCHES=( + "${FILESDIR}/${PN}-4.4.0-pam.patch" + "${FILESDIR}/${PN}-4.5.1-compile_et_fix.patch" + "${FILESDIR}/${PN}-4.8.6-no-pydsdb-when-no-addc.patch" +) + +#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)" +CONFDIR="${FILESDIR}/4.4" + +WAF_BINARY="${S}/buildtools/bin/waf" + +SHAREDMODS="" + +pkg_setup() { + python-single-r1_pkg_setup + if use cluster ; then + SHAREDMODS="idmap_rid,idmap_tdb2,idmap_ad" + elif use ads ; then + SHAREDMODS="idmap_ad" + fi +} + +src_prepare() { + default + + # un-bundle dnspython + sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die + + # unbundle iso8601 unless tests are enabled + use test || sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die + + # ugly hackaround for bug #592502 + cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die + + sed -e 's:::' \ + -i source4/dsdb/samdb/ldb_modules/password_hash.c \ + || die + + # Friggin' WAF shit + multilib_copy_sources +} + +multilib_src_configure() { + # when specifying libs for samba build you must append NONE to the end to + # stop it automatically including things + local bundled_libs="NONE" + if ! use system-heimdal && ! use system-mitkrb5 ; then + bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE" + fi + + local myconf=( + --enable-fhs + --sysconfdir="${EPREFIX}/etc" + --localstatedir="${EPREFIX}/var" + --with-modulesdir="${EPREFIX}/usr/$(get_libdir)/samba" + --with-piddir="${EPREFIX}/run/${PN}" + --bundled-libraries="${bundled_libs}" + --builtin-libraries=NONE + --disable-rpath + --disable-rpath-install + --nopyc + --nopyo + $(multilib_native_use_with acl acl-support) + $(multilib_native_usex addc '' '--without-ad-dc') + $(multilib_native_use_with addns dnsupdate) + $(multilib_native_use_with ads) + $(multilib_native_use_enable ceph cephfs) + $(multilib_native_use_with cluster cluster-support) + $(multilib_native_use_enable cups) + $(multilib_native_use_with dmapi) + $(multilib_native_use_with fam) + $(multilib_native_use_with gpg gpgme) + $(multilib_native_use_enable iprint) + $(multilib_native_use_with pam) + $(multilib_native_usex pam "--with-pammodulesdir=${EPREFIX}/$(get_libdir)/security" '') + $(multilib_native_use_with quota quotas) + $(multilib_native_use_with syslog) + $(multilib_native_use_with systemd) + $(multilib_native_use_with winbind) + $(multilib_native_usex python '' '--disable-python') + $(multilib_native_use_enable zeroconf avahi) + $(multilib_native_usex test '--enable-selftest' '') + $(usex system-mitkrb5 '--with-system-mitkrb5' '') + $(use_enable gnutls) + $(use_with debug lttng) + $(use_with ldap) + ) + multilib_is_native_abi && myconf+=( --with-shared-modules=${SHAREDMODS} ) + + CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \ + waf-utils_src_configure ${myconf[@]} +} + +multilib_src_compile() { + waf-utils_src_compile +} + +multilib_src_install() { + waf-utils_src_install + + # Make all .so files executable + find "${ED}" -type f -name "*.so" -exec chmod +x {} + + + if multilib_is_native_abi ; then + # install ldap schema for server (bug #491002) + if use ldap ; then + insinto /etc/openldap/schema + doins examples/LDAP/samba.schema + fi + + # create symlink for cups (bug #552310) + if use cups ; then + dosym ../../../bin/smbspool /usr/libexec/cups/backend/smb + fi + + # install example config file + insinto /etc/samba + doins examples/smb.conf.default + + # Fix paths in example file (#603964) + sed \ + -e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \ + -e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \ + -e '/path =/s@/usr/local/samba/lib/@/var/lib/samba/@' \ + -e '/path =/s@/usr/local/samba/@/var/lib/samba/@' \ + -e '/path =/s@/usr/spool/samba@/var/spool/samba@' \ + -i "${ED%/}"/etc/samba/smb.conf.default || die + + # Install init script and conf.d file + newinitd "${CONFDIR}/samba4.initd-r1" samba + newconfd "${CONFDIR}/samba4.confd" samba + + systemd_dotmpfilesd "${FILESDIR}"/samba.conf + systemd_dounit "${FILESDIR}"/nmbd.service + systemd_dounit "${FILESDIR}"/smbd.{service,socket} + systemd_newunit "${FILESDIR}"/smbd_at.service 'smbd@.service' + systemd_dounit "${FILESDIR}"/winbindd.service + systemd_dounit "${FILESDIR}"/samba.service + fi + + if use pam and use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf || die + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/lock/samba + keepdir /var/log/samba + keepdir /var/run/{ctdb,samba} +} + +multilib_src_test() { + if multilib_is_native_abi ; then + "${WAF_BINARY}" test || die "test failed" + fi +} + +pkg_postinst() { + ewarn "Be aware the this release contains the best of all of Samba's" + ewarn "technology parts, both a file server (that you can reasonably expect" + ewarn "to upgrade existing Samba 3.x releases to) and the AD domain" + ewarn "controller work previously known as 'samba4'." + + elog "For further information and migration steps make sure to read " + elog "https://samba.org/samba/history/${P}.html " + elog "https://wiki.samba.org/index.php/Samba4/HOWTO " +} diff --git a/net-fs/samba/samba-4.8.8.ebuild b/net-fs/samba/samba-4.8.8-r1.ebuild similarity index 95% rename from net-fs/samba/samba-4.8.8.ebuild rename to net-fs/samba/samba-4.8.8-r1.ebuild index 1d5b5c8adae5..6376062b6f9e 100644 --- a/net-fs/samba/samba-4.8.8.ebuild +++ b/net-fs/samba/samba-4.8.8-r1.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2018 Gentoo Authors +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 PYTHON_COMPAT=( python2_7 ) PYTHON_REQ_USE='threads(+),xml(+)' -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam MY_PV="${PV/_rc/rc}" MY_P="${PN}-${MY_PV}" @@ -267,6 +267,20 @@ multilib_src_install() { systemd_dounit "${FILESDIR}"/winbindd.service systemd_dounit "${FILESDIR}"/samba.service fi + + if use pam and use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf || die + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/lock/samba + keepdir /var/log/samba + keepdir /var/run/{ctdb,samba} } multilib_src_test() { diff --git a/net-fs/samba/samba-4.9.4.ebuild b/net-fs/samba/samba-4.9.4-r1.ebuild similarity index 95% rename from net-fs/samba/samba-4.9.4.ebuild rename to net-fs/samba/samba-4.9.4-r1.ebuild index 4a1864afed93..663fc4ceffcd 100644 --- a/net-fs/samba/samba-4.9.4.ebuild +++ b/net-fs/samba/samba-4.9.4-r1.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2018 Gentoo Authors +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 PYTHON_COMPAT=( python2_7 ) PYTHON_REQ_USE='threads(+),xml(+)' -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd +inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam MY_PV="${PV/_rc/rc}" MY_P="${PN}-${MY_PV}" @@ -271,6 +271,20 @@ multilib_src_install() { systemd_dounit "${FILESDIR}"/winbindd.service systemd_dounit "${FILESDIR}"/samba.service fi + + if use pam and use winbind ; then + newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind + # bugs #376853 and #590374 + insinto /etc/security + doins examples/pam_winbind/pam_winbind.conf || die + fi + + keepdir /var/cache/samba + keepdir /var/lib/ctdb + keepdir /var/lib/samba/{bind-dns,private} + keepdir /var/lock/samba + keepdir /var/log/samba + keepdir /var/run/{ctdb,samba} } multilib_src_test() { -- 2.26.2