Diffstat (limited to 'pkgs/servers/samba')
-rw-r--r--pkgs/servers/samba/3.x.nix9
-rw-r--r--pkgs/servers/samba/4.x-fix-ctdb-deps.patch13
-rw-r--r--pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch15
-rw-r--r--pkgs/servers/samba/4.x-no-persistent-install.patch53
-rw-r--r--pkgs/servers/samba/4.x.nix57
-rw-r--r--pkgs/servers/samba/master.nix29
-rw-r--r--pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch20
7 files changed, 123 insertions, 73 deletions
diff --git a/pkgs/servers/samba/3.x.nix b/pkgs/servers/samba/3.x.nix
index e2818a1f6484..91b1c8f95c1c 100644
--- a/pkgs/servers/samba/3.x.nix
+++ b/pkgs/servers/samba/3.x.nix
@@ -25,6 +25,12 @@ stdenv.mkDerivation rec {
     sha256 = "0l9pz2m67vf398q3c2dwn8jwdxsjb20igncf4byhv6yq5dzqlb4g";
   };
 
+  patches = [(fetchurl {
+    url = "https://download.samba.org/pub/samba/patches/security/"
+        + "samba-3.6.25-security-2015-12-16.patch";
+    sha256 = "00dcjcn577825mfdwdp76jfy5kcrqw3s4d5c41gqdq5gfcdbmqdb";
+  })];
+
   buildInputs = [ readline pam openldap popt iniparser libunwind fam acl cups ]
     ++ stdenv.lib.optional useKerberos kerberos;
 
@@ -85,5 +91,8 @@ stdenv.mkDerivation rec {
     homepage = http://www.samba.org/;
     description = "The standard Windows interoperability suite of programs for Linux and Unix";
     platforms = stdenv.lib.platforms.linux;
+    knownVulnerabilities = [
+      "Numerous CVEs and no patches from upstream for 3.x since 2014."
+    ];
   };
 }
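Review bot: The `knownVulnerabilities` text says upstream has shipped no 3.x patches since 2014, yet the first hunk of this file fetches `samba-3.6.25-security-2015-12-16.patch`, so the two statements should be reconciled. The message also gives no hint of what to move to when evaluation is refused. Something like `"Numerous CVEs and no upstream security patches for 3.x after 2015-12-16; use samba4 instead."` would cover both, assuming that date really is the last upstream patch.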
diff --git a/pkgs/servers/samba/4.x-fix-ctdb-deps.patch b/pkgs/servers/samba/4.x-fix-ctdb-deps.patch
deleted file mode 100644
index 338863484124..000000000000
--- a/pkgs/servers/samba/4.x-fix-ctdb-deps.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/ctdb/wscript b/ctdb/wscript
-index 3e2a992..3fe15cc 100755
---- a/ctdb/wscript
-+++ b/ctdb/wscript
-@@ -568,7 +568,7 @@ def build(bld):
-                          source='ib/ibwrapper_test.c',
-                          includes='include include/internal',
-                          deps='''replace talloc ctdb-client ctdb-common
--                                 ctdb-system''' +
-+                                 ctdb-system ctdb-common-util''' +
-                               ib_deps,
-                          install_path='${CTDB_TEST_LIBDIR}')
- 
diff --git a/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch b/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch
new file mode 100644
index 000000000000..7e3652dbe7b7
--- /dev/null
+++ b/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch
@@ -0,0 +1,15 @@
+diff -ru3 samba-4.4.6/dynconfig/wscript samba-4.4.6-new/dynconfig/wscript
+--- samba-4.4.6/dynconfig/wscript	2016-01-26 14:45:46.000000000 +0300
++++ samba-4.4.6-new/dynconfig/wscript	2016-10-15 22:21:18.159705132 +0300
+@@ -416,11 +416,3 @@
+                         public_headers=os_path_relpath(os.path.join(Options.launch_dir, version_header), bld.curdir),
+                         header_path='samba',
+                         cflags=cflags)
+-
+-    # install some extra empty directories
+-    bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}");
+-    bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}")
+-    bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}");
+-
+-    # these might be on non persistent storage
+-    bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}")
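Review bot: This new patch file has no header explaining why the `INSTALL_DIRS` calls are dropped, and after it nothing visible in the build creates `${PRIVATE_DIR}`, `${STATEDIR}` or `${LOCKDIR}`. Whatever creates those runtime paths at service start now decides their owner and mode, which matters most for the private directory. I would add a leading comment to the patch, e.g. `Do not create /etc and /var directories at install time; they live outside the store and must be created by the service setup with restrictive permissions.`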
diff --git a/pkgs/servers/samba/4.x-no-persistent-install.patch b/pkgs/servers/samba/4.x-no-persistent-install.patch
index c3e013f7862b..1c360f6b2c77 100644
--- a/pkgs/servers/samba/4.x-no-persistent-install.patch
+++ b/pkgs/servers/samba/4.x-no-persistent-install.patch
@@ -1,26 +1,7 @@
-diff --git a/dynconfig/wscript b/dynconfig/wscript
-index aa4e66e..d53f433 100755
---- a/dynconfig/wscript
-+++ b/dynconfig/wscript
-@@ -379,9 +379,9 @@ def build(bld):
-                         cflags=cflags)
- 
-     # install some extra empty directories
--    bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}");
--    bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}")
--    bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}");
-+    #bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}");
-+    #bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}")
-+    #bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}");
- 
-     # these might be on non persistent storage
--    bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}")
-+    #bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}")
-diff --git a/ctdb/wscript b/ctdb/wscript
-index 3e2a992..1b93a4d 100755
---- a/ctdb/wscript
-+++ b/ctdb/wscript
-@@ -473,10 +473,10 @@ def build(bld):
+diff -ru3 samba-4.4.6/ctdb/wscript samba-4.4.6-new/ctdb/wscript
+--- samba-4.4.6/ctdb/wscript	2016-09-22 09:42:48.000000000 +0300
++++ samba-4.4.6-new/ctdb/wscript	2016-10-15 23:31:13.932088237 +0300
+@@ -581,7 +581,7 @@
      for t in etc_subdirs:
          files = SUBDIR_MODE('%s/%s' % (configdir, t), trim_path=configdir)
          for fmode in files:
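Review bot: The regenerated patch is headed `samba-4.4.6/ctdb/wscript`, while 4.x.nix in this commit sets `version = "4.7.6"` and master.nix applies the same file to a 2018 snapshot. If the hunks only apply with offset or fuzz, a later upstream change near these `INSTALL_FILES` calls could move the edit without failing the build. A leading line in the patch such as `Regenerated against samba <version placeholder>`, kept in step with 4.x.nix, would make a stale patch visible in review.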
@@ -28,12 +9,8 @@ index 3e2a992..1b93a4d 100755
 +            bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % fmode[0],
                                destname=fmode[0], chmod=fmode[1])
  
--    bld.INSTALL_FILES(bld.env.CTDB_ETCDIR, 'config/functions',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/functions',
-                       destname='functions')
- 
-     etc_scripts = [
-@@ -489,18 +489,18 @@ def build(bld):
+     bld.SAMBA_GENERATOR('ctdb-functions',
+@@ -601,23 +601,19 @@
      ]
  
      for t in etc_scripts:
@@ -41,8 +18,12 @@ index 3e2a992..1b93a4d 100755
 +        bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % t,
                            destname=t, chmod=0755)
  
--    bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'config/ctdb.sudoers',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'config/ctdb.sudoers',
+     bld.SAMBA_GENERATOR('ctdb-sudoers',
+                         source='config/ctdb.sudoers',
+                         target='ctdb.sudoers',
+                         rule='sed %s ${SRC} > ${TGT}' % (sed_cmdline))
+-    bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
++    bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
                        destname='ctdb')
  
 -    bld.INSTALL_FILES('${CTDB_ETCDIR}/notify.d', 'config/notify.d.README',
@@ -52,9 +33,7 @@ index 3e2a992..1b93a4d 100755
 -    bld.install_dir(bld.env.CTDB_LOGDIR)
 -    bld.install_dir(bld.env.CTDB_RUNDIR)
 -    bld.install_dir(bld.env.CTDB_VARDIR)
-+    #bld.install_dir(bld.env.CTDB_LOGDIR)
-+    #bld.install_dir(bld.env.CTDB_RUNDIR)
-+    #bld.install_dir(bld.env.CTDB_VARDIR)
- 
-     sed_expr = 's/@PACKAGE_VERSION@/%s/g' % VERSION
-     t = bld.SAMBA_GENERATOR('ctdb-pc',
+-
+     # Unit tests
+     ctdb_unit_tests = [
+         'db_hash_test',
diff --git a/pkgs/servers/samba/4.x.nix b/pkgs/servers/samba/4.x.nix
index 2e8f8a67fd42..ee14ec6443bf 100644
--- a/pkgs/servers/samba/4.x.nix
+++ b/pkgs/servers/samba/4.x.nix
@@ -1,11 +1,11 @@
 { lib, stdenv, fetchurl, python, pkgconfig, perl, libxslt, docbook_xsl
-, docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc, ntdb, tdb, tevent
-, ldb, popt, iniparser, libbsd, libarchive, libiconv, gettext
-, kerberos, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs
+, fetchpatch
+, docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc
+, popt, iniparser, libbsd, libarchive, libiconv, gettext
+, krb5Full, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs
 , gnutls, libgcrypt, libgpgerror
 , ncurses, libunwind, libibverbs, librdmacm, systemd
 
-, enableKerberos ? false
 , enableInfiniband ? false
 , enableLDAP ? false
 , enablePrinting ? false
@@ -14,30 +14,39 @@
 , enableRegedit ? true
 , enableCephFS ? false
 , enableGlusterFS ? false
+, enableAcl ? (!stdenv.isDarwin)
+, enablePam ? (!stdenv.isDarwin)
 }:
 
 with lib;
 
 stdenv.mkDerivation rec {
-  name = "samba-4.3.0";
+  name = "samba-${version}";
+  version = "4.7.6";
 
   src = fetchurl {
     url = "mirror://samba/pub/samba/stable/${name}.tar.gz";
-    sha256 = "0qyvmjl8p8fnyhibwivhxxkm67nxxaj4lp35jni9l7gcknrbdnyq";
+    sha256 = "0vkxqp3wh7bpn1fd45lznmrpn2ma1fq75yq28vi08rggr07y7v8y";
   };
 
+  outputs = [ "out" "dev" "man" ];
+
   patches =
     [ ./4.x-no-persistent-install.patch
-      ./4.x-fix-ctdb-deps.patch
+      ./patch-source3__libads__kerberos_keytab.c.patch
+      ./4.x-no-persistent-install-dynconfig.patch
+      (fetchpatch {
+        url = "https://patch-diff.githubusercontent.com/raw/samba-team/samba/pull/107.patch";
+        sha256 = "0r6q34vjj0bdzmcbnrkad9rww58k4krbwicv4gs1g3dj49skpvd6";
+      })
     ];
 
   buildInputs =
     [ python pkgconfig perl libxslt docbook_xsl docbook_xml_dtd_42 /*
-      docbook_xml_dtd_45 */ readline talloc ntdb tdb tevent ldb popt iniparser
-      libbsd libarchive zlib acl fam libiconv gettext libunwind
+      docbook_xml_dtd_45 */ readline talloc popt iniparser
+      libbsd libarchive zlib fam libiconv gettext libunwind krb5Full
     ]
-    ++ optionals stdenv.isLinux [ libaio pam systemd ]
-    ++ optional enableKerberos kerberos
+    ++ optionals stdenv.isLinux [ libaio systemd ]
     ++ optionals (enableInfiniband && stdenv.isLinux) [ libibverbs librdmacm ]
     ++ optional enableLDAP openldap
     ++ optional (enablePrinting && stdenv.isLinux) cups
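Review bot: The `fetchpatch` entry pulls `pull/107.patch` from a pull-request URL, whose content changes whenever the PR branch is updated or rebased. The `sha256` pin stops a changed patch from being applied silently, but the fetch then simply fails and the expression does not say what the patch was for. Prefer a commit-based URL if one exists, and add a comment above the entry, e.g. `# <what PR 107 fixes, placeholder>; drop once included in a release`.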
@@ -45,7 +54,9 @@ stdenv.mkDerivation rec {
     ++ optional enableDomainController gnutls
     ++ optional enableRegedit ncurses
     ++ optional (enableCephFS && stdenv.isLinux) libceph
-    ++ optional (enableGlusterFS && stdenv.isLinux) glusterfs;
+    ++ optional (enableGlusterFS && stdenv.isLinux) glusterfs
+    ++ optional enableAcl acl
+    ++ optional enablePam pam;
 
   postPatch = ''
     # Removes absolute paths in scripts
@@ -58,23 +69,23 @@ stdenv.mkDerivation rec {
   configureFlags =
     [ "--with-static-modules=NONE"
       "--with-shared-modules=ALL"
+      "--with-system-mitkrb5"
+      "--with-system-mitkdc" "${krb5Full}"
       "--enable-fhs"
       "--sysconfdir=/etc"
       "--localstatedir=/var"
-      "--bundled-libraries=${if enableKerberos && kerberos != null &&
-        kerberos.implementation == "heimdal" then "NONE" else "com_err"}"
-      "--private-libraries=NONE"
-      "--builtin-libraries=replace"
     ]
-    ++ optional (enableKerberos && kerberos != null &&
-      kerberos.implementation == "krb5") "--with-system-mitkrb5"
     ++ optional (!enableDomainController) "--without-ad-dc"
-    ++ optionals (!enableLDAP) [ "--without-ldap" "--without-ads" ];
-
-  enableParallelBuilding = true;
+    ++ optionals (!enableLDAP) [ "--without-ldap" "--without-ads" ]
+    ++ optional (!enableAcl) "--without-acl-support"
+    ++ optional (!enablePam) "--without-pam";
 
-  stripAllList = [ "bin" "sbin" ];
+  # To build in parallel.
+  buildPhase = "python buildtools/bin/waf build -j $NIX_BUILD_CORES";
 
+  # Some libraries don't have /lib/samba in RPATH but need it.
+  # Use find -type f -executable -exec echo {} \; -exec sh -c 'ldd {} | grep "not found"' \;
+  # Looks like a bug in installer scripts.
   postFixup = ''
     export SAMBA_LIBS="$(find $out -type f -name \*.so -exec dirname {} \; | sort | uniq)"
     read -r -d "" SCRIPT << EOF || true
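Review bot: `"--with-system-mitkdc" "${krb5Full}"` passes the krb5 store path as a separate word, so the option's value is the package root rather than a file. If the option expects the path of the KDC binary, as its name suggests, this should be one argument such as `"--with-system-mitkdc=${krb5Full}/<path-to-krb5kdc>"`; worth confirming against the configure help. Separately, replacing `enableParallelBuilding` with a literal `buildPhase` string drops the `preBuild`/`postBuild` hooks that overrides may rely on. The `postFixup` script that starts at the end of this hunk continues outside it.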
@@ -85,7 +96,7 @@ stdenv.mkDerivation rec {
     patchelf --set-rpath "\$ALL_LIBS" "\$BIN" 2>/dev/null || exit $?;
     patchelf --shrink-rpath "\$BIN";
     EOF
-    find $out -type f -exec $SHELL -c "$SCRIPT" \;
+    find $out -type f -name \*.so -exec $SHELL -c "$SCRIPT" \;
   '';
 
   meta = with stdenv.lib; {
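Review bot: A failing `patchelf` is invisible in this `postFixup`: `2>/dev/null` hides its message, and `find ... -exec ... \;` does not propagate the command's exit status, so `|| exit $?` only ends the inner shell. A library whose RPATH could not be set would ship with unresolved dependencies while the build still succeeds. Consider dropping `2>/dev/null` and making the failure fatal, for example by looping over the `find` output in the phase itself instead of using `-exec`. The heredoc begins above this hunk, so the first lines of the script are not visible here.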
diff --git a/pkgs/servers/samba/master.nix b/pkgs/servers/samba/master.nix
new file mode 100644
index 000000000000..df1f9feb4de5
--- /dev/null
+++ b/pkgs/servers/samba/master.nix
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub
+, samba4
+, nettle
+} :
+
+  (samba4.overrideAttrs(oldAttrs: rec {
+    name = "samba-unstable-${version}";
+    version = "2018-03-09";
+
+    src = fetchFromGitHub {
+      owner = "samba-team";
+      repo = "samba";
+      rev = "9e954bcbf43d67a18ee55f84cda0b09028f96b92";
+      sha256 = "07j1pwm4kax6pq21gq9gpmp7dhj5afdyvkhgyl3yz334mb41q11g";
+    };
+
+    # Remove unnecessary install flags, same as <4.8 patch
+    postPatch = oldAttrs.postPatch + ''
+      sed -i '423,433d' dynconfig/wscript
+    '';
+
+    patches = [ ./4.x-no-persistent-install.patch ];
+    buildInputs = [ nettle ] ++ oldAttrs.buildInputs;
+    meta.branch = "master";
+  })).override {
+    # samba4.8+ removed the ability to disable LDAP.
+    # Enable for base derivation here:
+    enableLDAP = true;
+  }
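Review bot: `sed -i '423,433d' dynconfig/wscript` deletes by line number, which is only correct for the pinned `rev`; after a bump it will silently delete whatever sits on those lines and the build may still pass. Match on content instead, e.g. `sed -i '/bld\.INSTALL_DIRS(/d' dynconfig/wscript` (after confirming the file has no other such calls), or add a check that fails when the range no longer contains `INSTALL_DIRS`. Also, `meta.branch = "master";` inside `overrideAttrs` replaces the whole `meta` set rather than extending it; `meta = oldAttrs.meta // { branch = "master"; };` keeps the inherited fields.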
diff --git a/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch b/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch
new file mode 100644
index 000000000000..9f6577c65c14
--- /dev/null
+++ b/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch
@@ -0,0 +1,20 @@
+--- old/source3/libads/kerberos_keytab.c	2017-12-23 14:23:53.247467000 +0100
++++ new/source3/libads/kerberos_keytab.c	2017-12-23 18:57:07.135340000 +0100
+@@ -32,8 +32,6 @@
+ 
+ #ifdef HAVE_KRB5
+ 
+-#ifdef HAVE_ADS
+-
+ /* This MAX_NAME_LEN is a constant defined in krb5.h */
+ #ifndef MAX_KEYTAB_NAME_LEN
+ #define MAX_KEYTAB_NAME_LEN 1100
+@@ -85,6 +83,8 @@
+ 	return ret;
+ }
+ 
++#ifdef HAVE_ADS
++
+ /**********************************************************************
+  Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/
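Review bot: The patch moves the opening `#ifdef HAVE_ADS` below the first function but carries no description, so a reader cannot tell which build configuration it fixes or whether it has gone upstream. The matching `#endif` lies outside both hunks, so it cannot be checked from here that the code now compiled without `HAVE_ADS` has everything it needs. Add a leading comment to the patch file, e.g. `Presumably fixes the build with Kerberos enabled and ADS disabled (--without-ads); upstream: <bug or commit reference placeholder>`, with the wording confirmed by the author.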