Diffstat (limited to 'pkgs/servers/samba')
-rw-r--r-- | pkgs/servers/samba/3.x.nix | 9 | ||||
-rw-r--r-- | pkgs/servers/samba/4.x-fix-ctdb-deps.patch | 13 | ||||
-rw-r--r-- | pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch | 15 | ||||
-rw-r--r-- | pkgs/servers/samba/4.x-no-persistent-install.patch | 53 | ||||
-rw-r--r-- | pkgs/servers/samba/4.x.nix | 57 | ||||
-rw-r--r-- | pkgs/servers/samba/master.nix | 29 | ||||
-rw-r--r-- | pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch | 20 |
7 files changed, 123 insertions, 73 deletions
diff --git a/pkgs/servers/samba/3.x.nix b/pkgs/servers/samba/3.x.nix index e2818a1f6484..91b1c8f95c1c 100644 --- a/pkgs/servers/samba/3.x.nix +++ b/pkgs/servers/samba/3.x.nix @@ -25,6 +25,12 @@ stdenv.mkDerivation rec { sha256 = "0l9pz2m67vf398q3c2dwn8jwdxsjb20igncf4byhv6yq5dzqlb4g"; }; + patches = [(fetchurl { + url = "https://download.samba.org/pub/samba/patches/security/" + + "samba-3.6.25-security-2015-12-16.patch"; + sha256 = "00dcjcn577825mfdwdp76jfy5kcrqw3s4d5c41gqdq5gfcdbmqdb"; + })]; + buildInputs = [ readline pam openldap popt iniparser libunwind fam acl cups ] ++ stdenv.lib.optional useKerberos kerberos; @@ -85,5 +91,8 @@ stdenv.mkDerivation rec { homepage = http://www.samba.org/; description = "The standard Windows interoperability suite of programs for Linux and Unix"; platforms = stdenv.lib.platforms.linux; + knownVulnerabilities = [ + "Numerous CVEs and no patches from upstream for 3.x since 2014." + ]; }; } diff --git a/pkgs/servers/samba/4.x-fix-ctdb-deps.patch b/pkgs/servers/samba/4.x-fix-ctdb-deps.patch deleted file mode 100644 index 338863484124..000000000000 --- a/pkgs/servers/samba/4.x-fix-ctdb-deps.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/ctdb/wscript b/ctdb/wscript -index 3e2a992..3fe15cc 100755 ---- a/ctdb/wscript -+++ b/ctdb/wscript -@@ -568,7 +568,7 @@ def build(bld): - source='ib/ibwrapper_test.c', - includes='include include/internal', - deps='''replace talloc ctdb-client ctdb-common -- ctdb-system''' + -+ ctdb-system ctdb-common-util''' + - ib_deps, - install_path='${CTDB_TEST_LIBDIR}') - diff --git a/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch b/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch new file mode 100644 index 000000000000..7e3652dbe7b7 --- /dev/null +++ b/pkgs/servers/samba/4.x-no-persistent-install-dynconfig.patch 
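Review bot: The `knownVulnerabilities` text added to `meta` says upstream has shipped no 3.x patches "since 2014", yet the `patches` entry added in the first hunk fetches an upstream security patch dated 2015-12-16, so the two additions contradict each other. Neither one says which advisories that patch covers, so someone who overrides the insecure-package check cannot tell what is still unfixed. I would reword the string to match the patch date and add a comment above `patches` such as `# last upstream security roll-up for 3.6.25; later advisories are not addressed`. The fetch itself is HTTPS and pinned by `sha256`, which is fine.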
@@ -0,0 +1,15 @@
+diff -ru3 samba-4.4.6/dynconfig/wscript samba-4.4.6-new/dynconfig/wscript
+--- samba-4.4.6/dynconfig/wscript 2016-01-26 14:45:46.000000000 +0300
++++ samba-4.4.6-new/dynconfig/wscript 2016-10-15 22:21:18.159705132 +0300
+@@ -416,11 +416,3 @@
+ public_headers=os_path_relpath(os.path.join(Options.launch_dir, version_header), bld.curdir),
+ header_path='samba',
+ cflags=cflags)
+-
+- # install some extra empty directories
+- bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}");
+- bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}")
+- bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}");
+-
+- # these might be on non persistent storage
+- bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}")
diff --git a/pkgs/servers/samba/4.x-no-persistent-install.patch b/pkgs/servers/samba/4.x-no-persistent-install.patch
index c3e013f7862b..1c360f6b2c77 100644
--- a/pkgs/servers/samba/4.x-no-persistent-install.patch
+++ b/pkgs/servers/samba/4.x-no-persistent-install.patch
@@ -1,26 +1,7 @@ -diff --git a/dynconfig/wscript b/dynconfig/wscript -index aa4e66e..d53f433 100755 ---- a/dynconfig/wscript -+++ b/dynconfig/wscript -@@ -379,9 +379,9 @@ def build(bld): - cflags=cflags) - - # install some extra empty directories -- bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}"); -- bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}") -- bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}"); -+ #bld.INSTALL_DIRS("", "${CONFIGDIR} ${PRIVATE_DIR} ${LOGFILEBASE}"); -+ #bld.INSTALL_DIRS("", "${PRIVATE_DIR} ${PRIVILEGED_SOCKET_DIR}") -+ #bld.INSTALL_DIRS("", "${STATEDIR} ${CACHEDIR}"); - - # these might be on non persistent storage -- bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}") -+ #bld.INSTALL_DIRS("", "${LOCKDIR} ${PIDDIR} ${SOCKET_DIR}") -diff --git a/ctdb/wscript b/ctdb/wscript -index 3e2a992..1b93a4d 100755 ---- a/ctdb/wscript -+++ b/ctdb/wscript -@@ -473,10 +473,10 @@ def build(bld): +diff -ru3 samba-4.4.6/ctdb/wscript samba-4.4.6-new/ctdb/wscript +--- samba-4.4.6/ctdb/wscript 2016-09-22 09:42:48.000000000 +0300 ++++ samba-4.4.6-new/ctdb/wscript 2016-10-15 23:31:13.932088237 +0300 +@@ -581,7 +581,7 @@ for t in etc_subdirs: files = SUBDIR_MODE('%s/%s' % (configdir, t), trim_path=configdir) for fmode in files: @@ -28,12 +9,8 @@ index 3e2a992..1b93a4d 100755 + bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % fmode[0], destname=fmode[0], chmod=fmode[1]) -- bld.INSTALL_FILES(bld.env.CTDB_ETCDIR, 'config/functions', -+ bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/functions', - destname='functions') - - etc_scripts = [ -@@ -489,18 +489,18 @@ def build(bld): + bld.SAMBA_GENERATOR('ctdb-functions', +@@ -601,23 +601,19 @@ ] for t in etc_scripts: 
@@ -41,8 +18,12 @@ index 3e2a992..1b93a4d 100755 + bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % t, destname=t, chmod=0755) -- bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'config/ctdb.sudoers', -+ bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'config/ctdb.sudoers', + bld.SAMBA_GENERATOR('ctdb-sudoers', + source='config/ctdb.sudoers', + target='ctdb.sudoers', + rule='sed %s ${SRC} > ${TGT}' % (sed_cmdline)) +- bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers', ++ bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers', destname='ctdb') - bld.INSTALL_FILES('${CTDB_ETCDIR}/notify.d', 'config/notify.d.README', @@ -52,9 +33,7 @@ index 3e2a992..1b93a4d 100755 - bld.install_dir(bld.env.CTDB_LOGDIR) - bld.install_dir(bld.env.CTDB_RUNDIR) - bld.install_dir(bld.env.CTDB_VARDIR) -+ #bld.install_dir(bld.env.CTDB_LOGDIR) -+ #bld.install_dir(bld.env.CTDB_RUNDIR) -+ #bld.install_dir(bld.env.CTDB_VARDIR) - - sed_expr = 's/@PACKAGE_VERSION@/%s/g' % VERSION - t = bld.SAMBA_GENERATOR('ctdb-pc', +- + # Unit tests + ctdb_unit_tests = [ + 'db_hash_test', diff --git a/pkgs/servers/samba/4.x.nix b/pkgs/servers/samba/4.x.nix index 2e8f8a67fd42..ee14ec6443bf 100644 --- a/pkgs/servers/samba/4.x.nix +++ b/pkgs/servers/samba/4.x.nix @@ -1,11 +1,11 @@ { lib, stdenv, fetchurl, python, pkgconfig, perl, libxslt, docbook_xsl -, docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc, ntdb, tdb, tevent -, ldb, popt, iniparser, libbsd, libarchive, libiconv, gettext -, kerberos, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs +, fetchpatch +, docbook_xml_dtd_42, docbook_xml_dtd_45, readline, talloc +, popt, iniparser, libbsd, libarchive, libiconv, gettext +, krb5Full, zlib, openldap, cups, pam, avahi, acl, libaio, fam, libceph, glusterfs , gnutls, libgcrypt, libgpgerror , ncurses, libunwind, libibverbs, librdmacm, systemd -, enableKerberos ? false , enableInfiniband ? false , enableLDAP ? false , enablePrinting ? false 
@@ -14,30 +14,39 @@ , enableRegedit ? true , enableCephFS ? false , enableGlusterFS ? false +, enableAcl ? (!stdenv.isDarwin) +, enablePam ? (!stdenv.isDarwin) }: with lib; stdenv.mkDerivation rec { - name = "samba-4.3.0"; + name = "samba-${version}"; + version = "4.7.6"; src = fetchurl { url = "mirror://samba/pub/samba/stable/${name}.tar.gz"; - sha256 = "0qyvmjl8p8fnyhibwivhxxkm67nxxaj4lp35jni9l7gcknrbdnyq"; + sha256 = "0vkxqp3wh7bpn1fd45lznmrpn2ma1fq75yq28vi08rggr07y7v8y"; }; + outputs = [ "out" "dev" "man" ]; + patches = [ ./4.x-no-persistent-install.patch - ./4.x-fix-ctdb-deps.patch + ./patch-source3__libads__kerberos_keytab.c.patch + ./4.x-no-persistent-install-dynconfig.patch + (fetchpatch { + url = "https://patch-diff.githubusercontent.com/raw/samba-team/samba/pull/107.patch"; + sha256 = "0r6q34vjj0bdzmcbnrkad9rww58k4krbwicv4gs1g3dj49skpvd6"; + }) ]; buildInputs = [ python pkgconfig perl libxslt docbook_xsl docbook_xml_dtd_42 /* - docbook_xml_dtd_45 */ readline talloc ntdb tdb tevent ldb popt iniparser - libbsd libarchive zlib acl fam libiconv gettext libunwind + docbook_xml_dtd_45 */ readline talloc popt iniparser + libbsd libarchive zlib fam libiconv gettext libunwind krb5Full ] - ++ optionals stdenv.isLinux [ libaio pam systemd ] - ++ optional enableKerberos kerberos + ++ optionals stdenv.isLinux [ libaio systemd ] ++ optionals (enableInfiniband && stdenv.isLinux) [ libibverbs librdmacm ] ++ optional enableLDAP openldap ++ optional (enablePrinting && stdenv.isLinux) cups @@ -45,7 +54,9 @@ stdenv.mkDerivation rec { ++ optional enableDomainController gnutls ++ optional enableRegedit ncurses ++ optional (enableCephFS && stdenv.isLinux) libceph - ++ optional (enableGlusterFS && stdenv.isLinux) glusterfs; + ++ optional (enableGlusterFS && stdenv.isLinux) glusterfs + ++ optional enableAcl acl + ++ optional enablePam pam; postPatch = '' # Removes absolute paths in scripts 
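Review bot: The `fetchpatch` entry added to `patches` pulls `pull/107.patch` from a GitHub pull request, which is a mutable reference: a rebase or force-push of that PR changes what the URL serves. The `sha256` pin turns such a change into a build failure rather than a silent source change, but nothing in the hunk records what the patch fixes or whether upstream merged it. I would add a one-line comment above it, e.g. `# <what PR 107 changes>; drop once it is in a release`, and point the URL at the merged commit if one exists. The same hunk makes `krb5Full` an unconditional build input (the `enableKerberos` switch is gone), which deserves a mention in the commit message because it widens the default build.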
@@ -58,23 +69,23 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-static-modules=NONE" "--with-shared-modules=ALL" + "--with-system-mitkrb5" + "--with-system-mitkdc" "${krb5Full}" "--enable-fhs" "--sysconfdir=/etc" "--localstatedir=/var" - "--bundled-libraries=${if enableKerberos && kerberos != null && - kerberos.implementation == "heimdal" then "NONE" else "com_err"}" - "--private-libraries=NONE" - "--builtin-libraries=replace" ] - ++ optional (enableKerberos && kerberos != null && - kerberos.implementation == "krb5") "--with-system-mitkrb5" ++ optional (!enableDomainController) "--without-ad-dc" - ++ optionals (!enableLDAP) [ "--without-ldap" "--without-ads" ]; - - enableParallelBuilding = true; + ++ optionals (!enableLDAP) [ "--without-ldap" "--without-ads" ] + ++ optional (!enableAcl) "--without-acl-support" + ++ optional (!enablePam) "--without-pam"; - stripAllList = [ "bin" "sbin" ]; + # To build in parallel. + buildPhase = "python buildtools/bin/waf build -j $NIX_BUILD_CORES"; + # Some libraries don't have /lib/samba in RPATH but need it. + # Use find -type f -executable -exec echo {} \; -exec sh -c 'ldd {} | grep "not found"' \; + # Looks like a bug in installer scripts. postFixup = '' export SAMBA_LIBS="$(find $out -type f -name \*.so -exec dirname {} \; | sort | uniq)" read -r -d "" SCRIPT << EOF || true @@ -85,7 +96,7 @@ stdenv.mkDerivation rec { patchelf --set-rpath "\$ALL_LIBS" "\$BIN" 2>/dev/null || exit $?; patchelf --shrink-rpath "\$BIN"; EOF - find $out -type f -exec $SHELL -c "$SCRIPT" \; + find $out -type f -name \*.so -exec $SHELL -c "$SCRIPT" \; ''; meta = with stdenv.lib; { diff --git a/pkgs/servers/samba/master.nix b/pkgs/servers/samba/master.nix new file mode 100644 index 000000000000..df1f9feb4de5 --- /dev/null +++ b/pkgs/servers/samba/master.nix 
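Review bot: `buildPhase = "python buildtools/bin/waf build -j $NIX_BUILD_CORES";` replaces the default phase outright, so any `preBuild`/`postBuild` hook set by this derivation or by an override (such as `master.nix`) is never run. Keeping the hooks costs nothing: `buildPhase = "runHook preBuild; python buildtools/bin/waf build -j $NIX_BUILD_CORES; runHook postBuild";`. The comment above `postFixup` that starts "Use find -type f -executable …" reads like a build step although it appears to be a debugging recipe; I would word it as `# To list binaries with unresolved libraries, run: …`. `stripAllList` is dropped in the same hunk without explanation.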
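Review bot: Restricting the RPATH pass to `find $out -type f -name \*.so` means executables and any shared objects installed under versioned names (`*.so.N`) are no longer visited, although the comment added just above says the aim is to repair objects that lack `/lib/samba` in their RPATH. If the installer bug affects those files too they will now fail at load time instead of at build time; I have not verified which files are affected. A pattern such as `\( -name '*.so' -o -name '*.so.*' \)` would cover versioned libraries, and the `2>/dev/null` on the `patchelf --set-rpath` line in the unchanged script body hides the error text that would show what was skipped. The `postFixup` string begins and ends outside this hunk.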
@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub
+, samba4
+, nettle
+} :
+
+ (samba4.overrideAttrs(oldAttrs: rec {
+ name = "samba-unstable-${version}";
+ version = "2018-03-09";
+
+ src = fetchFromGitHub {
+ owner = "samba-team";
+ repo = "samba";
+ rev = "9e954bcbf43d67a18ee55f84cda0b09028f96b92";
+ sha256 = "07j1pwm4kax6pq21gq9gpmp7dhj5afdyvkhgyl3yz334mb41q11g";
+ };
+
+ # Remove unnecessary install flags, same as <4.8 patch
+ postPatch = oldAttrs.postPatch + ''
+ sed -i '423,433d' dynconfig/wscript
+ '';
+
+ patches = [ ./4.x-no-persistent-install.patch ];
+ buildInputs = [ nettle ] ++ oldAttrs.buildInputs;
+ meta.branch = "master";
+ })).override {
+ # samba4.8+ removed the ability to disable LDAP.
+ # Enable for base derivation here:
+ enableLDAP = true;
+ }
diff --git a/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch b/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch
new file mode 100644
index 000000000000..9f6577c65c14
--- /dev/null
+++ b/pkgs/servers/samba/patch-source3__libads__kerberos_keytab.c.patch
@@ -0,0 +1,20 @@
+--- old/source3/libads/kerberos_keytab.c 2017-12-23 14:23:53.247467000 +0100
++++ new/source3/libads/kerberos_keytab.c 2017-12-23 18:57:07.135340000 +0100
+@@ -32,8 +32,6 @@
+
+ #ifdef HAVE_KRB5
+
+-#ifdef HAVE_ADS
+-
+ /* This MAX_NAME_LEN is a constant defined in krb5.h */
+ #ifndef MAX_KEYTAB_NAME_LEN
+ #define MAX_KEYTAB_NAME_LEN 1100
+@@ -85,6 +83,8 @@
+ return ret;
+ }
+
++#ifdef HAVE_ADS
++
+ /**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/ |
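Review bot: `sed -i '423,433d' dynconfig/wscript` in `postPatch` deletes by absolute line number, so the next bump of `rev` that shifts that file by even one line will remove different code, and `sed` will still exit successfully. Matching on content is safer, e.g. `sed -i '/bld\.INSTALL_DIRS(/d' dynconfig/wscript`, if the lines being dropped are the same `bld.INSTALL_DIRS` calls that the 4.x dynconfig patch removes; failing that, add a `grep -q` guard that fails the build when the expected text is absent. Separately, `patches = [ ./4.x-no-persistent-install.patch ];` replaces the inherited list instead of extending it, so the keytab patch and the PR 107 patch from `4.x.nix` are not applied here. If that is intended, a comment such as `# keytab and PR 107 fixes are already in master` would make it explicit.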