Old 02-04-2005, 05:29 PM   #1
joshturse
Prospect
 
Join Date: Aug 2002
Posts: 9
Samba

I am trying to/would like to install a Samba version later than 3.0.7 on machines running OS X 10.3.7 to plug a security hole. Problem is, after downloading, running ./configure and make, I get an error:

Quote:
Using FLAGS = -O -Iinclude -I/Users/josh/Desktop/samba/samba-3.0.8/source/include -I/Users/josh/Desktop/samba/samba-3.0.8/source/ubiqx -I/Users/josh/Desktop/samba/samba-3.0.8/source/smbwrapper -I. -I/sw/include -I/Users/josh/Desktop/samba/samba-3.0.8/source
LIBS = -lresolv -ldl -liconv
LDSHFLAGS = -bundle -undefined dynamic_lookup -L/sw/lib
LDFLAGS = -L/sw/lib
Compiling libsmb/clikrb5.c
libsmb/clikrb5.c: In function `krb5_locate_kdc':
libsmb/clikrb5.c:209: error: `krb5_krbhst_handle' undeclared (first use in this function)
libsmb/clikrb5.c:209: error: (Each undeclared identifier is reported only once
libsmb/clikrb5.c:209: error: for each function it appears in.)
libsmb/clikrb5.c:209: error: parse error before "hnd"
libsmb/clikrb5.c:210: error: `krb5_krbhst_info' undeclared (first use in this function)
libsmb/clikrb5.c:210: error: `hinfo' undeclared (first use in this function)
libsmb/clikrb5.c:219: error: `KRB5_KRBHST_KDC' undeclared (first use in this function)
libsmb/clikrb5.c:219: error: `hnd' undeclared (first use in this function)
make: *** [libsmb/clikrb5.o] Error 1

Yes, I do have a fink installation in /sw

Yes, I have googled things like "Mac OS X" +samba …

Ideas, links, thoughts?
joshturse is offline   Reply With Quote
Old 02-04-2005, 05:35 PM   #2
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,403
Quote:
Originally Posted by joshturse
I am trying to/would like to install a Samba version later than 3.0.7 on machines running OS X 10.3.7 to plug a security hole.

What security hole? Apple usually is very fast in sending out updates if there are any security problems in the apps that ship with OS X.
Please inform us of the details.
Sorry not to be of any help with your compilation problem - these things are sometimes complicated.
hayne is offline   Reply With Quote
Old 02-04-2005, 07:57 PM   #3
joshturse
Prospect
 
Join Date: Aug 2002
Posts: 9
Samba Security Holes

For reasons that I am not at liberty to say, we have performed a port scan of several systems in my work environment. We used the tool Nessus to do the scan. The only high risk item identified was Samba shares. Here's an example of a warning. I am listing the rest, in lesser detail, but with links, below:

Quote:
The remote Samba server, according to its version number, may be vulnerable
to a remote Denial Of Service vulnerability and a remote buffer overflow.
The Wild Card DoS vulnerability may allow an attacker to make the remote
server consume excessive CPU cycles.
The QFILEPATHINFO Remote buffer overflow vulnerability may allow an attacker
to execute code on the server.

An attacker needs a valid account or enough credentials to exploit those
flaws.

Solution : upgrade to Samba 3.0.8
See also : http://us4.samba.org/samba/security/CAN-2004-0882.html
See also : http://us4.samba.org/samba/security/CAN-2004-0930.html
Risk factor : High
CVE : CAN-2004-0930, CAN-2004-0882
BID : 11624, 11678
Nessus ID : 15705

Holes from Samba:
http://cgi.nessus.org/nessus_id.php3?id=15705
http://cgi.nessus.org/nessus_id.php3?id=15985
http://cgi.nessus.org/nessus_id.php3?id=10396
http://cgi.nessus.org/nessus_id.php3?id=15394

Warnings:
http://www.nessus.org/plugins/index....ingle&id=15985
http://cgi.nessus.org/nessus_id.php3?id=10859
http://cgi.nessus.org/nessus_id.php3?id=10395
http://www.nessus.org/plugins/index....ingle&id=10860
http://cgi.nessus.org/nessus_id.php3?id=14381
http://cgi.nessus.org/nessus_id.php3?id=14711
http://cgi.nessus.org/nessus_id.php3?id=10397
http://cgi.nessus.org/nessus_id.php3?id=10150


The solution listed is to upgrade Samba...but I can find no information on how.
joshturse is offline   Reply With Quote
Old 02-05-2005, 02:14 AM   #4
AntiGenX
Prospect
 
Join Date: Feb 2005
Posts: 45
Probably a silly question, but just to be sure... Is there a configure script included? Did you run it first?
AntiGenX is offline   Reply With Quote
Old 02-05-2005, 11:55 AM   #5
joshturse
Prospect
 
Join Date: Aug 2002
Posts: 9
I followed the directions:

Run autogen.sh (included with the Samba source)
Run ./configure --prefix=/usr/local/samba
followed by make

There were some clues at this post there'd be problems: http://lists.apple.com/archives/unix.../msg00031.html

I don't understand the 'setenv' part of that post. When I man setenv, it says it's built in to Bash, but issuing setenv from the command prompt results in
Quote:
-bash: setenv: command not found

Lastly, I do have Fink installed (which is why I can't do this simple task of compiling my own software), and I'm a bit worried that something in /sw/lib (the location of library files installed under Fink) may be affecting the process.

Last edited by joshturse; 02-05-2005 at 12:25 PM. Reason: typo
joshturse is offline   Reply With Quote
Old 02-05-2005, 04:54 PM   #6
AntiGenX
Prospect
 
Join Date: Feb 2005
Posts: 45
Quote:
Originally Posted by joshturse
I followed the directions:

Run autogen.sh (included with the Samba source)
Run ./configure --prefix=/usr/local/samba
followed by make

There were some clues at this post there'd be problems: http://lists.apple.com/archives/unix.../msg00031.html

I don't understand the 'setenv' part of that post. When I man setenv, it says it's built in to Bash, but issuing setenv from the command prompt results in

Lastly, I do have Fink installed (which is why I can't do this simple task of compiling my own software), and I'm a bit worried that something in /sw/lib (the location of library files installed under Fink) may be affecting the process.

This is a tough one... I downloaded the samba source file and tried to duplicate it myself. I get the same error. (in case you're wondering, I don't have fink installed, and it shouldn't interfere anyhow) I also tried 3.0.11 and received the same error.

What I have learned so far is:

It looks like the code inside libsmb/clikrb5.c is referring to a typedef'd struct that isn't defined in any header file. The offending code relates to Kerberos 5, which leads me to believe it's either something that's missing from /usr/include or the configure script is not finding something correctly. I came to this conclusion because the entire code is wrapped inside
Code:
#if !defined(HAVE_KRB5_LOCATE_KDC)
.

I'll dig a little further to see what I can find...
AntiGenX is offline   Reply With Quote
Old 02-05-2005, 06:30 PM   #7
AntiGenX
Prospect
 
Join Date: Feb 2005
Posts: 45
OK it looks like the problem is in the OS X implementation of Kerberos 5.

After some exhaustive research (and a blown Saturday afternoon) I think I have a fix for you. The folks at darwinports have a patch committed to their CVS server for version 3.0.10. (You'd have to check for version 3.0.8) I'd recommend grabbing the samba 3.0.10 snapshot/patches from their CVS server and applying the patches. That should fix any problems you're having with the compile. You'll have to use 3.0.10 instead of 3.0.8 if they don't have a patch, but that shouldn't cause any problems.

Check out this link for relevant information.


Hope that helps...

-Jonathan

Last edited by AntiGenX; 02-05-2005 at 09:14 PM. Reason: Reason: Too much fat-fingering... (corrected typos)
AntiGenX is offline   Reply With Quote
Old 02-05-2005, 09:15 PM   #8
AntiGenX
Prospect
 
Join Date: Feb 2005
Posts: 45
As an alternative, you could try and compile the MIT Kerberos library to supersede OS X's version, but I can't say for sure that would work.

-Jonathan
AntiGenX is offline   Reply With Quote
Old 02-07-2005, 03:50 PM   #9
joshturse
Prospect
 
Join Date: Aug 2002
Posts: 9
Thanks for the host of suggestions. I did install darwinports, tried installing samba from them, but it failed and I had no idea why.

So…

I grabbed the patch as suggested, read the man page for patch and
> patch /path/to/samba/samba-3.0.10/source/libsmb/clikrb5.c /path/to/patch/patch-libsmb_clikrb5.c

So far, so good. Then
> autogen.sh
> ./configure --prefix=/usr/local/samba --libdir=/usr/lib > configure.out 2> configure.err && make > make.out 2> make.err
> make install


./configure still gives autoconf errors:

configure: WARNING: rpcsvc/yp_prot.h: present but cannot be compiled
configure: WARNING: rpcsvc/yp_prot.h: check for missing prerequisite headers?
configure: WARNING: rpcsvc/yp_prot.h: see the Autoconf documentation
configure: WARNING: rpcsvc/yp_prot.h: section "Present But Cannot Be Compiled"
configure: WARNING: rpcsvc/yp_prot.h: proceeding with the preprocessor's result
configure: WARNING: rpcsvc/yp_prot.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: running as non-root will disable some tests


The errors from the install are attached, but are all related to cups. It seems like disabling cups during the configure should take care of the install errors?
Attached Files
File Type: txt install.txt (14.1 KB, 332 views)
joshturse is offline   Reply With Quote
Old 02-07-2005, 04:44 PM   #10
joshturse
Prospect
 
Join Date: Aug 2002
Posts: 9
That worked.

Now, to figure out how to get it to run...
joshturse is offline   Reply With Quote
Old 02-07-2005, 06:34 PM   #11
AntiGenX
Prospect
 
Join Date: Feb 2005
Posts: 45
I wouldn't worry about the autoconf warnings... It seems to just be a warning that the autoconfig script maintainer needs to update their autoconf script.

Here's what the autoconf documentation has to say about it:

Quote:
17.7 Header Present But Cannot Be Compiled

The most important guideline to bear in mind when checking for features is to mimic as much as possible the intended use. Unfortunately, old versions of AC_CHECK_HEADER and AC_CHECK_HEADERS failed to follow this idea, and called the preprocessor, instead of the compiler, to check for headers. As a result, incompatibilities between headers went unnoticed during configuration, and maintainers finally had to deal with this issue elsewhere.

As of Autoconf 2.56 both checks are performed, and configure complains loudly if the compiler and the preprocessor do not agree. For the time being the result used is that of the preprocessor, to give maintainers time to adjust their ‘configure.ac’, but in the near future, only the compiler will be considered.

AntiGenX is offline   Reply With Quote
Old 03-01-2005, 10:55 AM   #12
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,562
I was able to successfully build the Samba 3.0.11 source using the Darwin ports patch (without Darwin Ports installed) using the following info:

1. Download source code and darwin ports patch, patch source code
2. Build and install
3. Reconfigure System to disable default Samba and instead use newly installed Samba 3.0.11.
Code:
#!/bin/sh

# user defined build location
# ($HOME is used because a quoted "~" is not expanded by the shell)
build="$HOME/Samba_build"

# make build dir
mkdir -p "$build"
cd "$build" || exit 1

# Download the Samba 3.0.11 source code
# visit http://www.samba.org/ to find the closest download URL
curl -O http://us2.samba.org/samba/ftp/samba-3.0.11.tar.gz
tar -zxvf samba-3.0.11.tar.gz

# Download the Darwin Ports patch for the Samba 3.0.11 source
curl -O http://darwinports.opendarwin.org/darwinports/dports/net/samba3/files/patch-libsmb_clikrb5.c

# Patch the source code
patch -b samba-3.0.11/source/libsmb/clikrb5.c -i patch-libsmb_clikrb5.c

# Build
cd samba-3.0.11/source

# If you are building with Fink installed - you can leave CUPS enabled
# use this configure
./configure --with-mandir=/usr/local/man --with-winbind --enable-cups \
--with-configdir=/etc --with-logfilebase=/var/log \
--with-piddir=/private/var/run --with-libiconv=/usr --with-ads \
--with-automount --without-pam --without-pam_smbpass --with-utmp \
--with-manpages-langs=en --with-spinlocks --with-krb5=/usr

# If you are building without Fink installed - use this configure with 
# CUPS disabled
# ./configure --with-configdir=/etc --with-logfilebase=/var/log \
# --with-mandir=/usr/local/man --with-winbind --disable-cups \
# --with-piddir=/private/var/run --with-libiconv=/usr --with-ads \
# --with-automount  --without-pam --without-pam_smbpass --with-utmp \
# --with-manpages-langs=en --with-spinlocks --with-krb5=/usr

# This installs Samba in self-contained directory
# /usr/local/samba
make
sudo make install

#######################
# POST INSTALLATION AND SETUP #
#######################

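# Must be done as root: su opens a root shell, and the remaining commands
# are typed into that shell (run as a script, the lines after su would
# execute only after that shell exits, and without root)
su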

# Post installation
mkdir -p /usr/local/samba/var/db/smb
chmod 755 /usr/local/samba/var/db/smb
cp ../packaging/Fedora/smb.conf /etc/smb.conf.sample
chmod 644 /etc/smb.conf.sample
touch /usr/local/samba/lib/lmhosts.sample
touch /usr/local/samba/var/db/smb/secrets.tdb.sample

# The built-in Mac OS X Samba should be disabled and the newly installed
# Samba enabled in the xinetd scripts
# 
# You will need to modify the following files to point to your newly installed Samba:
# /private/etc/xinetd.d/smbd
# /private/etc/xinetd.d/swat
# /private/etc/xinetd.d/nmbd
# /private/etc/xinetd.d/smb-direct

# Backup xinetd scripts
cd /etc/xinetd.d
tar -czvf samba-orig.tgz smbd nmbd swat smb-direct

# Modify xinetd scripts
cp -p nmbd nmbd.bu && sed 's/\/usr\/sbin\/nmbd/\/usr\/local\/samba\/sbin\/nmbd/g' nmbd.bu > nmbd && rm nmbd.bu
cp -p smbd smbd.bu && sed 's/\/usr\/sbin\/smbd/\/usr\/local\/samba\/sbin\/smbd/g' smbd.bu > smbd && rm smbd.bu
cp -p smb-direct smb-direct.bu && sed 's/\/usr\/sbin\/smbd/\/usr\/local\/samba\/sbin\/smbd/g' smb-direct.bu > smb-direct && rm smb-direct.bu
cp -p swat swat.bu && sed 's/\/usr\/sbin\/swat/\/usr\/local\/samba\/sbin\/swat/g' swat.bu > swat && rm swat.bu
NOTES
1. This installation does NOT move or alter the default Mac OS X Samba binaries, it only alters the xinetd scripts to point to your newly built Samba located in the self-contained directory at /usr/local/samba. Because of this - if you wish to directly launch any of the samba binaries (e.g. smbclient, smbstatus, etc) you will need to address them with their full path (e.g. /usr/local/samba/bin/smbstatus) otherwise you will be using the older Mac OS X default samba binaries. You could of course alter the configuration script to replace the Mac OS X binaries if you so desired.

2. Recommend a restart after installation - I tried restarting xinetd, etc but it still did not seem to recognize new binaries until after a restart.

3. For some reason - warning msgs are generated using this version of samba - but they appear to be harmless: Warnings read:

init_iconv: Conversion from CP850 to UTF-8-MAC not supported
init_iconv: Attempting to replace with conversion from ASCII to ASCII
init_iconv: Conversion from UTF8 to UTF-8-MAC not supported
init_iconv: Attempting to replace with conversion from ASCII to ASCII
et.al.

I have tried several variations of charset settings in the smb.conf, but none seem to fix the warnings. If anyone has any ideas on this - please post.

4. This installation will not replace your current /etc/smb.conf configuration file, but it does add a sample configuration at /etc/smb-sample.conf if you need to use it. Adjust your conf as desired. My current config that is working well with this Samba 3.0.11 is approx:
Code:
[global]
guest account = unknown
encrypt passwords = yes
auth methods = guest opendirectory
passdb backend = opendirectorysam guest
printer admin = @admin, @staff
server string = Mac OS X
use spnego = no
client ntlmv2 auth = no
workgroup = MY_WORKGROUP
;wins server = XXX.XXX.XXX.XXX
security = USER
hide dot files = no

; recommended http://www.macintouch.com/panreader54.html
; fix the network config so it doesn't stall out
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=64240 SO_SNDBUF=8576
; allow unicode file names (for things like bullets)
unix charset = UTF-8
display charset = UTF-8
dos charset = ASCII

getwd cache = no
hosts deny = ALL EXCEPT XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
map to guest = Bad User
local master = no

[homes]
comment = User Home Directories
browseable = yes
read only = no

etc...
5. I am not sure why this will build WITH CUPS if you have Fink installed and will not build WITH CUPS if you don't. Haven't had time to investigate. Obviously some headers or something included in the Fink dir (/sw). I also cannot vouch that the configure script is the 100% best configure for Mac OS X. All I can vouch for is that after a day's worth of trial and error building - the above configure strings will build a functioning Samba 3.0.11 install that works in Mac OS X 10.3.8. Also note that I have no Windows machines, only Linux and other Mac OS X machines on my network - so I have only tested with those accessing the server.

Last edited by bluehz; 04-18-2011 at 05:14 PM.
bluehz is offline   Reply With Quote
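A check for what note 1 above describes (the stock binaries stay in /usr/sbin, so a service file that still points there keeps launching the old version), as an added example that is not part of bluehz's post: it reads the server line of each xinetd service file and compares the binary's reported version with 3.0.8, the fixed version named in the Nessus report quoted earlier in the thread. The function names, the "server = /path" line format and the "Version x.y.z" output of -V are assumptions.

```sh
#!/bin/sh
# Added example: report which binary each xinetd service file launches and
# whether that binary is at least the fixed Samba version.
# Assumed formats: a "server = /path" line in the xinetd file, and
# "Version x.y.z" printed by "<binary> -V".

# xinetd_server FILE -> path on the "server =" line (not "server_args")
xinetd_server() {
    awk -F= '$1 ~ /^[ \t]*server[ \t]*$/ {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# samba_version: read "-V" output on stdin, print the dotted version
samba_version() {
    sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B -> success when dotted version A >= B, compared numerically
# field by field (so 3.0.11 > 3.0.8, unlike a string comparison)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# audit_service FILE MIN -> one status line; non-zero unless binary is >= MIN
audit_service() {
    server=$(xinetd_server "$1")
    if [ -z "$server" ] || [ ! -x "$server" ]; then
        echo "MISSING ${server:-no-server-line}"; return 2
    fi
    ver=$("$server" -V 2>/dev/null | samba_version)
    if [ -z "$ver" ]; then echo "UNKNOWN $server"; return 3; fi
    if version_ge "$ver" "$2"; then
        echo "OK $server $ver"
    else
        echo "STALE $server $ver"; return 1
    fi
}

# Usage (audit.sh is a hypothetical file name):
#   sh audit.sh /etc/xinetd.d/smbd /etc/xinetd.d/nmbd /etc/xinetd.d/smb-direct
for f in "$@"; do
    audit_service "$f" 3.0.8
done
```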
Old 03-02-2005, 10:38 AM   #13
LC
Prospect
 
Join Date: Nov 2003
Location: San Jose, CA USA
Posts: 18
nicely done

Good job!

A small suggestion ... in your sed script, where it has a bunch of
escaped slashes in the pathnames -- you can avoid needing those
backslashes if you use an alternate delimiter, instead of the "/";
for example, "sed 's#/usr/local/#/foo#'" instead of "sed 's/\/usr\/..."
(I usually use something like %, #, or @.)

Larry.
LC is offline   Reply With Quote
Old 03-02-2005, 10:42 AM   #14
bluehz
MVP
 
Join Date: Jan 2002
Posts: 1,562
Thanks for the info! So can I deduce from your example that the first occurrence of the char sets the delim...

sed 's#... would set the delim to #
sed 's@... would set the delim to @
etc...

Quote:
Originally Posted by LC
Good job!

A small suggestion ... in your sed script, where it has a bunch of
escaped slashes in the pathnames -- you can avoid needing those
backslashes if you use an alternate delimiter, instead of the "/";
for example, "sed 's#/usr/local/#/foo#'" instead of "sed 's/\/usr\/..."
(I usually use something like %, #, or @.)

Larry.

bluehz is offline   Reply With Quote