Samba

[joshturse]

I am trying to/would like to install a Samba version later than 3.0.7 on machines running OS X 10.3.7 to plug a security hole. Problem is, after downloading, running ./configure and make, I get an error:

Quote: Using FLAGS = -O -Iinclude -I/Users/josh/Desktop/samba/samba-3.0.8/source/include -I/Users/josh/Desktop/samba/samba-3.0.8/source/ubiqx -I/Users/josh/Desktop/samba/samba-3.0.8/source/smbwrapper -I. -I/sw/include -I/Users/josh/Desktop/samba/samba-3.0.8/source LIBS = -lresolv -ldl -liconv LDSHFLAGS = -bundle -undefined dynamic_lookup -L/sw/lib LDFLAGS = -L/sw/lib Compiling libsmb/clikrb5.c libsmb/clikrb5.c: In function `krb5_locate_kdc': libsmb/clikrb5.c:209: error: `krb5_krbhst_handle' undeclared (first use in this function) libsmb/clikrb5.c:209: error: (Each undeclared identifier is reported only once libsmb/clikrb5.c:209: error: for each function it appears in.) libsmb/clikrb5.c:209: error: parse error before "hnd" libsmb/clikrb5.c:210: error: `krb5_krbhst_info' undeclared (first use in this function) libsmb/clikrb5.c:210: error: `hinfo' undeclared (first use in this function) libsmb/clikrb5.c:219: error: `KRB5_KRBHST_KDC' undeclared (first use in this function) libsmb/clikrb5.c:219: error: `hnd' undeclared (first use in this function) make: *** [libsmb/clikrb5.o] Error 1

Yes, I do have a fink installation in /sw

Yes, I have googled things like "Mac OS X" +samba …

Ideas, links, thoughts?

[hayne]

Quote: Originally Posted by joshturse I am trying to/would like to install a Samba version later than 3.0.7 on machines running OS X 10.3.7 to plug a security hole.

What security hole? Apple usually is very fast in sending out updates if there are any security problems in the apps that ship with OS X.
Please inform us of the details.
Sorry not be of any help with your compilation problem - these things are sometimes complicated.

[joshturse]

For reasons that I am not a liberty to say, we have performed a port scan of several systems in my work environment. We used the tool, Nessus to do the scan. The only high risk item identified was Samba shares. Here's an example of a warning. I am listing the rest, in lesser detail, but with links, below:

Quote: The remote Samba server, according to its version number, may be vulnerable to a remote Denial Of Service vulnerability and a remote buffer overflow. The Wild Card DoS vulnerability may allow an attacker to make the remote server consume excessive CPU cycles. The QFILEPATHINFO Remote buffer overflow vulnerability may allow an attacker to execute code on the server. An attacker needs a valid account or enough credentials to exploit those flaws. Solution : upgrade to Samba 3.0.8 See also : http://us4.samba.org/samba/security/CAN-2004-0882.html See also : http://us4.samba.org/samba/security/CAN-2004-0930.html Risk factor : High CVE : CAN-2004-0930, CAN-2004-0882 BID : 11624, 11678 Nessus ID : 15705

Holes from Samba:
http://cgi.nessus.org/nessus_id.php3?id=15705
http://cgi.nessus.org/nessus_id.php3?id=15985
http://cgi.nessus.org/nessus_id.php3?id=10396
http://cgi.nessus.org/nessus_id.php3?id=15394

Warnings:
http://www.nessus.org/plugins/index....ingle&id=15985
http://cgi.nessus.org/nessus_id.php3?id=10859
http://cgi.nessus.org/nessus_id.php3?id=10395
http://www.nessus.org/plugins/index....ingle&id=10860
http://cgi.nessus.org/nessus_id.php3?id=14381
http://cgi.nessus.org/nessus_id.php3?id=14711
http://cgi.nessus.org/nessus_id.php3?id=10397
http://cgi.nessus.org/nessus_id.php3?id=10150


The solution listed is to upgrade Samba...but I can find no information on how.

[AntiGenX]

Probably a silly question, but just to be sure.. Is there a configure script included? Did you run the run it first?

[joshturse]

I followed the directions:

Run autogen.sh (included with the Samba source)
Run ./configure --prefix=/usr/local/samba
followed by make

There were some clues at this post there'd be problems: http://lists.apple.com/archives/unix.../msg00031.html

I don't understand the 'setenv' part of that post. When I man setenv, it says it's built in to Bash, but issuing setenv from the command prompt results in

Quote: -bash: setenv: command not found

Lastly, I do have Fink installed (which is why I can't do this simple task of compiling my own software), and I'm a bit worried that something in /sw/lib (the location of library files installed under Fink) may be affecting the process.

[AntiGenX]

Quote: Originally Posted by joshturse I followed the directions: Run autogen.sh (included with the Samba source) Run ./configure --prefix=/usr/local/samba followed by make There were some clues at this post there'd be problems: http://lists.apple.com/archives/unix.../msg00031.html I don't understand the 'setenv' part of that post. When I man setenv, it says it's built in to Bash, but issuing setenv from the command prompt results in Lastly, I do have Fink installed (which is why I can't do this simple task of compiling my own software), and I'm a bit worried that something in /sw/lib (the location of library files installed under Fink) may be affecting the process.

This is a tough one... I downloaded the samba source file and tried to duplicate it myself. I get the same error. (in case you're wondering, I don't have fink installed, and it shouldn't interfere anyhow) I also tried 3.0.11 and received the same error.

What I have learned so far is:

It looks like the code inside libsmb/clikrb5.c is referring to a typedef'd struct that isn't defined in any header file. The offending code relates to Kerberos 5, which leads me to believe it's either something that missing from /usr/include or the configure script is not finding something correctly. I came to this conclusion because the entire code is wrapped inside

Code:

#if !defined(HAVE_KRB5_LOCATE_KDC)

.

I'll dig a little further to see what I can find...

[AntiGenX]

OK it looks like the problem is in the OS X implementation of Kerberos 5.

After some exhaustive research (and a blown Saturday afternoon) I think I have a fix for you. The folks at darwinports have a patch committed to their CVS server for version 3.0.10. (You'd have to check for version 3.0.8) I'd recommend grabbing the samba 3.0.10 snapshot/patches from their CVS server and applying the patches. That should fix any problems you're having with the compile. You'll have to use 3.0.10 instead of 3.0.8 if they don't have a patch, but that shouldn't cause any problems.

Check out this link for relevant information.


Hope that helps...

-Jonathan

[AntiGenX]

As an aleternative, you could try and compile the MIT Kerberos library to supercede OS X's version, but I can't say for sure that would work.

-Jonathan

[joshturse]

Thanks for the host of suggestions. I did install darwinports, tried installing samba from them, but it failed and I had no idea why.

So…

I grabbed the patch as suggested, read the man page for patch and
> patch /path/to/samba/samba-3.0.10/source/libsmb/clikrb5.c /path/to/patch/patch-libsmb_clikrb5.c

So far, so good. Then
> autogen.sh
> ./configure --prefix=/usr/local/samba --libdir=/usr/lib > configure.out 2> configure.err && make > make.out 2> make.err
> make install

./configure still gives autoconf errors:

configure: WARNING: rpcsvc/yp_prot.h: present but cannot be compiled
configure: WARNING: rpcsvc/yp_prot.h: check for missing prerequisite headers?
configure: WARNING: rpcsvc/yp_prot.h: see the Autoconf documentation
configure: WARNING: rpcsvc/yp_prot.h: section "Present But Cannot Be Compiled"
configure: WARNING: rpcsvc/yp_prot.h: proceeding with the preprocessor's result
configure: WARNING: rpcsvc/yp_prot.h: in the future, the compiler will take precedence
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: ## Report this to the AC_PACKAGE_NAME lists. ##
configure: WARNING: ## ------------------------------------------ ##
configure: WARNING: running as non-root will disable some tests


The errors from the install are attached, but are all related to cups. It seems like disabling cups during the configure should take care of the install errors?

[joshturse]

That worked.

Now, to figure out how to get it to run...

[AntiGenX]

I wouldn't worry about the autoconf warnings... I seems to just be a warning that the autoconfig script maintainer needs to update their autoconf script.

Here's what the autoconf documentation has to say about it:

Quote: 17.7 Header Present But Cannot Be Compiled The most important guideline to bear in mind when checking for features is to mimic as much as possible the intended use. Unfortunately, old versions of AC_CHECK_HEADER and AC_CHECK_HEADERS failed to follow this idea, and called the preprocessor, instead of the compiler, to check for headers. As a result, incompatibilities between headers went unnoticed during configuration, and maintainers finally had to deal with this issue elsewhere. As of Autoconf 2.56 both checks are performed, and configure complains loudly if the compiler and the preprocessor do not agree. For the time being the result used is that of Chapter 17: Frequent Autoconf Questions, with answers 199 the preprocessor, to give maintainers time to adjust their ‘configure.ac’, but in the near future, only the compiler will be considered.

[bluehz]

I was able to successfully build the Samba 3.0.11 source using the Darwin ports patch (without Darwin Ports installed) using the the following info:

1. Download source code and darwin ports patch, patch source code
2. Build and install
3. Reconfigure System to disabled default Samba and instead use newly installed Samba 3.0.11.

Code:

#!/bin/sh

# user defined build location
build="~/Samba_build"

# make build dir
mkdir $build
cd $build

# Download the Samba 3.0.11 source code
# visit http://www.samba.org/ to find the closest download URL
curl -O http://us2.samba.org/samba/ftp/samba-3.0.11.tar.gz
tar -zxvf samba-3.0.11.tar.gz

# Download the Darwin Ports patch for the Samba 3.0.11 source
curl -O http://darwinports.opendarwin.org/darwinports/dports/net/samba3/files/patch-libsmb_clikrb5.c

# Patch the source code
patch -b samba-3.0.11/source/libsmb/clikrb5.c -i patch-libsmb_clikrb5.c

# Build
cd samba-3.0.11/source

# If you are building with Fink installed - you can leave CUPS enabled
# use this configure
./configure --with-mandir=/usr/local/man --with-winbind --enable-cups \
--with-configdir=/etc --with-logfilebase=/var/log \ --with-piddir=/private/var/run --with-libiconv=/usr --with-ads \
--with-automount --without-pam --without-pam_smbpass --with-utmp \ --with-manpages-langs=en --with-spinlocks --with-krb5=/usr

# If you are building without Fink installed - use this configure with 
# CUPS disabled
# ./configure --with-configdir=/etc --with-logfilebase=/var/log \
# --with-mandir=/usr/local/man --with-winbind --disable-cups \
# --with-piddir=/private/var/run --with-libiconv=/usr --with-ads \
# --with-automount  --without-pam --without-pam_smbpass --with-utmp \
# --with-manpages-langs=en --with-spinlocks --with-krb5=/usr

# This installs Samba in self-contained directory
# /usr/local/samba
make
sudo make install

#######################
# POST INSTALLATION AND SETUP #
#######################

# Must be done as root
su

# Post installation
mkdir -p /usr/local/samba/var/db/smb
chmod 755 /usr/local/samba/var/db/smb
cp ../packaging/Fedora/smb.conf /etc/smb.conf.sample
chmod 644 /etc/smb.conf.sample
touch /usr/local/samba/lib/lmhosts.sample
touch /usr/local/samba/var/db/smb/secrets.tdb.sample

# The built-in Mac OS X Samba should be disabled and the newly installed
# Samba enabled in the xinetd scripts
# 
# You will need to modify the following files to point to your newly installed
# /private/etc/xinetd.d/smbd
# /private/etc/xinetd.d/swat
# /private/etc/xinetd.d/nmbd
# /private/etc/xinetd.d/smb-direct

# Backup xinetd scripts
cd /etc/xinetd.d
tar -czvf samba-orig.tgz smbd nmbd swat smb-direct

# Modify xinetd scripts
cp -p nmbd nmbd.bu && sed 's/\/usr\/sbin\/nmbd/\/usr\/local\/samba\/sbin\/nmbd/g' nmbd.bu > nmbd && rm nmbd.bu
cp -p smbd smbd.bu && sed 's/\/usr\/sbin\/smbd/\/usr\/local\/samba\/sbin\/smbd/g' smbd.bu > smbd && rm smbd.bu
cp -p smb-direct smb-direct.bu && sed 's/\/usr\/sbin\/smbd/\/usr\/local\/samba\/sbin\/smbd/g' smb-direct.bu > smb-direct && rm smb-direct.bu
cp -p swat swat.bu && sed 's/\/usr\/sbin\/swat/\/usr\/local\/samba\/sbin\/swat/g' swat.bu > swat && rm swat.bu

NOTES
1. This installation does NOT move or alter the default Mac OS X Samba binaries, it only alters the xinetd scripts to point to your newly build Samba located in the self-contained directory at /usr/local/samba. Because of this - if you wish to directly launch any of the samba binaries (e.g. smbclient, smbstatus, etc) you will need to address them with their full path (e.g. /usr/local/samba/bin/smbstatus) otherwise you will be using the older Mac OS X default samba binaries. You could of course alter the configuration script to replace the Mac OS X binaries if you so desired.

2. Recommend a restart after installation - I tried restarting xinetd, etc but it still did not seem to recognize new binaries until after a restart.

3. For some reason - warning msgs are generated using this version of samba - but they appear to be harmless: Warnings read:

init_iconv: Conversion from CP850 to UTF-8-MAC not supported
init_iconv: Attempting to replace with conversion from ASCII to ASCII
init_iconv: Conversion from UTF8 to UTF-8-MAC not supported
init_iconv: Attempting to replace with conversion from ASCII to ASCII
et.al.

I have tried several variations of charset settings in the smb.conf, but none seem to fix the warnings. If anyone has any ideas on this - please post.

4. This installation will not replace your current /etc/smb.conf configuration file, but it does add a sample configuration at /etc/smb-sample.conf if you need to use it. Adjust your conf as desired. My current config that is working well with this Samba 3.0.11 is approx:

Code:

[global]
guest account = unknown
encrypt passwords = yes
auth methods = guest opendirectory
passdb backend = opendirectorysam guest
printer admin = @admin, @staff
server string = Mac OS X
use spnego = no
client ntlmv2 auth = no
workgroup = MY_WORKGROUP
;wins server = XXX.XXX.XXX.XXX
security = USER
hide dot files = no

; recommended http://www.macintouch.com/panreader54.html
; fix the network config so it doesn't stall out
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=64240 SO_SNDBUF=8576
; allow unicode file names (for things like bullets)
unix charset = UTF-8
display charset = UTF-8
dos charset = ASCII

getwd cache = no
hosts deny = ALL EXCEPT XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
map to guest = Bad User
local master = no

[homes]
comment = User Home Directories
browseable = yes
read only = no

etc...

5. I am not sure why this will build WITH CUPS if you have Fink installed and will not build WITH CUPS if you don't. Haven't had time to investigate. Obviously some headers or something included in the Fink dir (/sw). I also can not vouch that the configure script is the 100% best configure for Mac OS X. All I can vouch for is that after a days worth of trial and error building - the above configure strings will build a functioning Samba 3.0.11 install that works in Mac OS X 10.3.8. Also note that I have no Windows machines, only Linux and other Mac OS X machines on my network - so I have only tested with those accessing the server.

[LC]

Good job!

A small suggestion ... in your sed script, where it has a bunch of
escaped slashes in the pathnames -- you can avoid needing those
backslashes if you use an alternate delimiter, instead of the "/";
for example, "sed 's#/usr/local/#/foo#' instead of "sed 's/\/usr\/...
(I usually use something like %, #, or @ Larry.

[bluehz]

Thanks for the info! So can I deduce from your example that the first occurance of the char sets the the delim...

sed 's#... would set the delim to #
sed 's@... would set the delim to @
etc...

Quote: Originally Posted by LC Good job! A small suggestion ... in your sed script, where it has a bunch of escaped slashes in the pathnames -- you can avoid needing those backslashes if you use an alternate delimiter, instead of the "/"; for example, "sed 's#/usr/local/#/foo#' instead of "sed 's/\/usr\/... (I usually use something like %, #, or @ Larry.