Diffstat (limited to '')
-rw-r--r-- | wscript | 563 | ||||
-rw-r--r-- | wscript_build | 163 | ||||
-rw-r--r-- | wscript_build_embedded_heimdal | 4 | ||||
-rw-r--r-- | wscript_build_system_heimdal | 4 | ||||
-rw-r--r-- | wscript_build_system_mitkrb5 | 3 | ||||
-rw-r--r-- | wscript_configure_embedded_heimdal | 8 | ||||
-rw-r--r-- | wscript_configure_system_gnutls | 87 | ||||
-rw-r--r-- | wscript_configure_system_heimdal | 94 | ||||
-rw-r--r-- | wscript_configure_system_mitkrb5 | 357 |
9 files changed, 1283 insertions, 0 deletions
@@ -0,0 +1,563 @@ +#!/usr/bin/env python + +top = '.' +out = 'bin' + +APPNAME='samba' +VERSION=None + +import sys, os, tempfile +sys.path.insert(0, top+"/buildtools/wafsamba") +import shutil +import wafsamba, samba_dist, samba_git, samba_version, samba_utils +from waflib import Options, Scripting, Logs, Context, Errors +from waflib.Tools import bison + +samba_dist.DIST_DIRS('.') +samba_dist.DIST_BLACKLIST('.gitignore .bzrignore source4/selftest/provisions') + +# install in /usr/local/samba by default +default_prefix = Options.default_prefix = '/usr/local/samba' + +# This callback optionally takes a list of paths as arguments: +# --with-system_mitkrb5 /path/to/krb5 /another/path +def system_mitkrb5_callback(option, opt, value, parser): + setattr(parser.values, option.dest, True) + value = [] + for arg in parser.rargs: + # stop on --foo like options + if arg[:2] == "--" and len(arg) > 2: + break + value.append(arg) + if len(value)>0: + del parser.rargs[:len(value)] + setattr(parser.values, option.dest, value) + +def options(opt): + opt.BUILTIN_DEFAULT('NONE') + opt.PRIVATE_EXTENSION_DEFAULT('samba4') + opt.RECURSE('lib/replace') + opt.RECURSE('dynconfig') + opt.RECURSE('packaging') + opt.RECURSE('lib/ldb') + opt.RECURSE('selftest') + opt.RECURSE('source4/dsdb/samdb/ldb_modules') + opt.RECURSE('pidl') + opt.RECURSE('source3') + opt.RECURSE('lib/util') + opt.RECURSE('lib/crypto') + opt.RECURSE('ctdb') + +# Optional Libraries +# ------------------ +# +# Most of the calls to opt.add_option() use default=True for the --with case +# +# To assist users and distributors to build Samba with the full feature +# set, the build system will abort if our dependent libraries and their +# header files are not found on the target system. This will mean for +# example, that xattr, acl and ldap headers must be installed for the +# default build to complete. 
The configure system will check for these +# headers, and the error message will indicate the option (such as +# --without-acl-support) that can be specified to skip this requirement. +# +# This will assist users and in particular distributors in building fully +# functional packages, while allowing those on systems truly without these +# facilities to continue to build Samba after careful consideration. +# +# It also ensures our container image generation in bootstrap/ is correct +# as otherwise a missing package there would just silently work + + opt.samba_add_onoff_option('pthreadpool', with_name="enable", without_name="disable", default=True) + + opt.add_option('--with-system-mitkrb5', + help='build Samba with system MIT Kerberos. ' + + 'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config', + action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False) + + opt.add_option('--with-experimental-mit-ad-dc', + help='Enable the experimental MIT Kerberos-backed AD DC. ' + + 'Note that security patches are not issued for this configuration', + action='store_true', + dest='with_experimental_mit_ad_dc', + default=False) + + opt.add_option('--with-system-mitkdc', + help=('Specify the path to the krb5kdc binary from MIT Kerberos'), + type="string", + dest='with_system_mitkdc', + default=None) + + opt.add_option('--with-system-heimdalkrb5', + help=('build Samba with system Heimdal Kerberos. 
' + + 'Requires --without-ad-dc' and + 'conflicts with --with-system-mitkrb5'), + action='store_true', + dest='with_system_heimdalkrb5', + default=False) + + opt.add_option('--without-ad-dc', + help='disable AD DC functionality (enables only Samba FS (File Server, Winbind, NMBD) and client utilities.', + action='store_true', dest='without_ad_dc', default=False) + + opt.add_option('--with-pie', + help=("Build Position Independent Executables " + + "(default if supported by compiler)"), + action="store_true", dest='enable_pie') + opt.add_option('--without-pie', + help=("Disable Position Independent Executable builds"), + action="store_false", dest='enable_pie') + + opt.add_option('--with-relro', + help=("Build with full RELocation Read-Only (RELRO)" + + "(default if supported by compiler)"), + action="store_true", dest='enable_relro') + opt.add_option('--without-relro', + help=("Disable RELRO builds"), + action="store_false", dest='enable_relro') + + gr = opt.option_group('developer options') + + opt.load('python') # options for disabling pyc or pyo compilation + # enable options related to building python extensions + + opt.add_option('--with-json', + action='store_true', dest='with_json', + help=("Build with JSON support (default=True). This " + "requires the jansson development headers.")) + opt.add_option('--without-json', + action='store_false', dest='with_json', + help=("Build without JSON support.")) + + opt.samba_add_onoff_option('smb1-server', + dest='with_smb1server', + help=("Build smbd with SMB1 support (default=yes).")) + +def configure(conf): + version = samba_version.load_version(env=conf.env) + + conf.DEFINE('CONFIG_H_IS_FROM_SAMBA', 1) + conf.DEFINE('_SAMBA_BUILD_', version.MAJOR, add_to_cflags=True) + conf.DEFINE('HAVE_CONFIG_H', 1, add_to_cflags=True) + + if Options.options.developer: + conf.ADD_CFLAGS('-DDEVELOPER -DDEBUG_PASSWORD') + conf.env.DEVELOPER = True + # if we are in a git tree without a pre-commit hook, install a + # simple default. 
+ # we need git for 'waf dist' + githooksdir = None + conf.find_program('git', var='GIT') + if 'GIT' in conf.env: + githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0], + msg='Finding githooks directory', + define=None, + on_target=False) + if githooksdir and os.path.isdir(githooksdir): + pre_commit_hook = os.path.join(githooksdir, 'pre-commit') + if not os.path.exists(pre_commit_hook): + Logs.info("Installing script/git-hooks/pre-commit-hook as %s" % + pre_commit_hook) + shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'), + pre_commit_hook) + + conf.ADD_EXTRA_INCLUDES('#include/public #source4 #lib #source4/lib #source4/include #include #lib/replace') + + conf.env.replace_add_global_pthread = True + conf.RECURSE('lib/replace') + + conf.RECURSE('examples/fuse') + conf.RECURSE('examples/winexe') + + conf.SAMBA_CHECK_PERL(mandatory=True) + conf.find_program('xsltproc', var='XSLTPROC') + + if conf.env.disable_python: + if not (Options.options.without_ad_dc): + raise Errors.WafError('--disable-python requires --without-ad-dc') + + conf.SAMBA_CHECK_PYTHON() + conf.SAMBA_CHECK_PYTHON_HEADERS() + + if sys.platform == 'darwin' and not conf.env['HAVE_ENVIRON_DECL']: + # Mac OSX needs to have this and it's also needed that the python is compiled with this + # otherwise you face errors about common symbols + if not conf.CHECK_SHLIB_W_PYTHON("Checking if -fno-common is needed"): + conf.ADD_CFLAGS('-fno-common') + if not conf.CHECK_SHLIB_W_PYTHON("Checking if -undefined dynamic_lookup is not need"): + conf.env.append_value('cshlib_LINKFLAGS', ['-undefined', 'dynamic_lookup']) + + if sys.platform == 'darwin': + conf.ADD_LDFLAGS('-framework CoreFoundation') + + conf.RECURSE('dynconfig') + conf.RECURSE('selftest') + + conf.PROCESS_SEPARATE_RULE('system_gnutls') + + conf.CHECK_CFG(package='zlib', minversion='1.2.3', + args='--cflags --libs', + mandatory=True) + conf.CHECK_FUNCS_IN('inflateInit2', 'z') + + if 
conf.CHECK_FOR_THIRD_PARTY(): + conf.RECURSE('third_party') + else: + + if not conf.CHECK_POPT(): + raise Errors.WafError('popt development packages have not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_POPT', 1) + + if not conf.CHECK_CMOCKA(): + raise Errors.WafError('cmocka development packages has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_CMOCKA', 1) + + if conf.CONFIG_GET('ENABLE_SELFTEST'): + if not conf.CHECK_SOCKET_WRAPPER(): + raise Errors.WafError('socket_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_SOCKET_WRAPPER', 1) + + if not conf.CHECK_NSS_WRAPPER(): + raise Errors.WafError('nss_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_NSS_WRAPPER', 1) + + if not conf.CHECK_RESOLV_WRAPPER(): + raise Errors.WafError('resolv_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_RESOLV_WRAPPER', 1) + + if not conf.CHECK_UID_WRAPPER(): + raise Errors.WafError('uid_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_UID_WRAPPER', 1) + + if not conf.CHECK_PAM_WRAPPER(): + raise Errors.WafError('pam_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.') + else: + conf.define('USING_SYSTEM_PAM_WRAPPER', 1) + + conf.RECURSE('lib/ldb') + + if conf.CHECK_LDFLAGS(['-Wl,--wrap=test']): + conf.env['HAVE_LDWRAP'] = True + conf.define('HAVE_LDWRAP', 1) + + if not (Options.options.without_ad_dc): + conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) + + # Check for flex before doing the embedded heimdal checks so we can bail 
if we don't have it. + Logs.info("Checking for flex") + conf.find_program('flex', var='FLEX') + if conf.env['FLEX']: + conf.CHECK_COMMAND('%s --version' % conf.env.FLEX[0], + msg='Using flex version', + define=None, + on_target=False) + conf.env.FLEXFLAGS = ['-t'] + + # #line statements in these generated files cause issues for lcov + conf.env.FLEXFLAGS += ["--noline"] + + Logs.info("Checking for bison") + bison.configure(conf) + if conf.env['BISON']: + conf.CHECK_COMMAND('%s --version | head -n1' % conf.env.BISON[0], + msg='Using bison version', + define=None, + on_target=False) + + # #line statements in these generated files cause issues for lcov + conf.env.BISONFLAGS += ["--no-line"] + + if Options.options.with_system_mitkrb5: + if not Options.options.with_experimental_mit_ad_dc and \ + not Options.options.without_ad_dc: + raise Errors.WafError('The MIT Kerberos build of Samba as an AD DC ' + + 'is experimental. Therefore ' + '--with-system-mitkrb5 requires either ' + + '--with-experimental-mit-ad-dc or ' + + '--without-ad-dc') + + conf.PROCESS_SEPARATE_RULE('system_mitkrb5') + + if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5): + conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) + + if Options.options.with_system_heimdalkrb5: + if Options.options.with_system_mitkrb5: + raise Errors.WafError('--with-system-heimdalkrb5 conflicts with ' + + '--with-system-mitkrb5') + if not Options.options.without_ad_dc: + raise Errors.WafError('--with-system-heimdalkrb5 requires ' + + '--without-ad-dc') + conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken', + 'hx509', 'wind', 'gssapi', 'hcrypto', + 'krb5', 'heimbase', 'asn1_compile', + 'compile_et', 'kdc', 'hdb', 'heimntlm') + conf.PROCESS_SEPARATE_RULE('system_heimdal') + + if not conf.CONFIG_GET('KRB5_VENDOR'): + conf.PROCESS_SEPARATE_RULE('embedded_heimdal') + + conf.RECURSE('source4/dsdb/samdb/ldb_modules') + conf.RECURSE('source4/ntvfs/sysdep') + conf.RECURSE('lib/util') + 
conf.RECURSE('lib/util/charset') + conf.RECURSE('source4/auth') + conf.RECURSE('nsswitch') + conf.RECURSE('libcli/smbreadline') + conf.RECURSE('lib/crypto') + conf.RECURSE('pidl') + if conf.CONFIG_GET('ENABLE_SELFTEST'): + if not (Options.options.without_ad_dc): + conf.DEFINE('WITH_NTVFS_FILESERVER', 1) + conf.RECURSE('testsuite/unittests') + + if Options.options.with_pthreadpool: + if conf.CONFIG_SET('HAVE_PTHREAD'): + conf.DEFINE('WITH_PTHREADPOOL', '1') + else: + Logs.warn("pthreadpool support cannot be enabled when pthread support was not found") + conf.undefine('WITH_PTHREADPOOL') + + conf.SET_TARGET_TYPE('jansson', 'EMPTY') + + if Options.options.with_json != False: + if conf.CHECK_CFG(package='jansson', args='--cflags --libs', + msg='Checking for jansson'): + conf.CHECK_FUNCS_IN('json_object', 'jansson') + + if not conf.CONFIG_GET('HAVE_JSON_OBJECT'): + if Options.options.with_json != False: + conf.fatal("Jansson JSON support not found. " + "Try installing libjansson-dev or jansson-devel. " + "Otherwise, use --without-json to build without " + "JSON support. " + "JSON support is required for the JSON " + "formatted audit log feature, the AD DC, and " + "the JSON printers of the net utility") + if not Options.options.without_ad_dc: + raise Errors.WafError('--without-json requires --without-ad-dc. ' + 'Jansson JSON library is required for ' + 'building the AD DC') + Logs.info("Building without Jansson JSON log support") + + conf.RECURSE('source3') + conf.RECURSE('lib/texpect') + conf.RECURSE('python') + if conf.env.with_ctdb: + conf.RECURSE('ctdb') + conf.RECURSE('lib/socket') + conf.RECURSE('lib/mscat') + conf.RECURSE('packaging') + + conf.SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS() + + # gentoo always adds this. We want our normal build to be as + # strict as the strictest OS we support, so adding this here + # allows us to find problems on our development hosts faster. + # It also results in faster load time. 
+ + if conf.CHECK_LDFLAGS('-Wl,--as-needed'): + conf.env.append_unique('LINKFLAGS', '-Wl,--as-needed') + + if not conf.CHECK_NEED_LC("-lc not needed"): + conf.ADD_LDFLAGS('-lc', testflags=False) + + if not conf.CHECK_CODE('#include "tests/summary.c"', + define='SUMMARY_PASSES', + addmain=False, + msg='Checking configure summary'): + raise Errors.WafError('configure summary failed') + + if Options.options.enable_pie != False: + if Options.options.enable_pie == True: + need_pie = True + else: + # not specified, only build PIEs if supported by compiler + need_pie = False + if conf.check_cc(cflags='-fPIE', ldflags='-pie', mandatory=need_pie, + msg="Checking compiler for PIE support"): + conf.env['ENABLE_PIE'] = True + + if Options.options.enable_relro != False: + if Options.options.enable_relro == True: + need_relro = True + else: + # not specified, only build RELROs if supported by compiler + need_relro = False + if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro, + msg="Checking compiler for full RELRO support"): + conf.env['ENABLE_RELRO'] = True + + if conf.CONFIG_GET('ENABLE_SELFTEST') and \ + Options.options.with_smb1server == False and \ + Options.options.without_ad_dc != True: + conf.fatal('--without-smb1-server cannot be specified with ' + '--enable-selftest/--enable-developer if ' + '--without-ad-dc is NOT set!') + + if Options.options.with_smb1server != False: + conf.DEFINE('WITH_SMB1SERVER', '1') + + # + # FreeBSD is broken. It doesn't include 'extern char **environ' + # in any shared library, but statically inside crt0.o. + # + # If we're running on a FreeBSD with the GNU linker ld we + # can get around this by explicitly telling the linker to + # ignore 'environ' as an unresolved symbol in a shared library. + # + # However, the clang linker ld.lld-XX is broken in that it + # doesn't have that option. + # + # First try to see if have '-Wl,--ignore-unresolved-symbol,environ' + # and just use that if so. 
+ # + # If not, we have to use '-Wl,--allow-shlib-undefined' instead + # and remove all instances of '-Wl,-no-undefined'. + + if sys.platform.startswith('freebsd'): + # Do we have Wl,--ignore-unresolved-symbol,environ ? + flag_added = conf.ADD_LDFLAGS('-Wl,--ignore-unresolved-symbol,environ', testflags=True) + if not flag_added: + # No, fall back to -Wl,--allow-shlib-undefined. + conf.ADD_LDFLAGS('-Wl,--allow-shlib-undefined', testflags=True) + # Remove any uses of '-Wl,-no-undefined' + conf.env['EXTRA_LDFLAGS'] = list(filter(('-Wl,-no-undefined').__ne__, conf.env['EXTRA_LDFLAGS'])) + # And make sure we don't try and remove it again when 'allow_undefined_symbols=true' + conf.env.undefined_ldflags = [] + + conf.SAMBA_CONFIG_H('include/config.h') + +def etags(ctx): + '''build TAGS file using etags''' + from waflib import Utils + source_root = os.path.dirname(Context.g_module.root_path) + cmd = 'rm -f %s/TAGS && (find %s -name "*.[ch]" | egrep -v \.inst\. | xargs -n 100 etags -a)' % (source_root, source_root) + print("Running: %s" % cmd) + status = os.system(cmd) + if os.WEXITSTATUS(status): + raise Errors.WafError('etags failed') + +def ctags(ctx): + "build 'tags' file using ctags" + from waflib import Utils + source_root = os.path.dirname(Context.g_module.root_path) + cmd = 'ctags --python-kinds=-i $(find %s -name "*.[ch]" | grep -v "*_proto\.h" | egrep -v \.inst\.) 
$(find %s -name "*.py")' % (source_root, source_root) + print("Running: %s" % cmd) + status = os.system(cmd) + if os.WEXITSTATUS(status): + raise Errors.WafError('ctags failed') + + +# putting this here enabled build in the list +# of commands in --help +def build(bld): + '''build all targets''' + samba_version.load_version(env=bld.env, is_install=bld.is_install) + + +def pydoctor(ctx): + '''build python apidocs''' + bp = os.path.abspath('bin/python') + mpaths = {} + modules = ['talloc', 'tdb', 'ldb'] + for m in modules: + f = os.popen("PYTHONPATH=%s python -c 'import %s; print %s.__file__'" % (bp, m, m), 'r') + try: + mpaths[m] = f.read().strip() + finally: + f.close() + mpaths['main'] = bp + cmd = ('PYTHONPATH=%(main)s pydoctor --introspect-c-modules --project-name=Samba ' + '--project-url=http://www.samba.org --make-html --docformat=restructuredtext ' + '--add-package bin/python/samba ' + ''.join('--add-module %s ' % n for n in modules)) + cmd = cmd % mpaths + print("Running: %s" % cmd) + status = os.system(cmd) + if os.WEXITSTATUS(status): + raise Errors.WafError('pydoctor failed') + + +def pep8(ctx): + '''run pep8 validator''' + cmd='PYTHONPATH=bin/python pep8 -r bin/python/samba' + print("Running: %s" % cmd) + status = os.system(cmd) + if os.WEXITSTATUS(status): + raise Errors.WafError('pep8 failed') + + +def wafdocs(ctx): + '''build wafsamba apidocs''' + from samba_utils import recursive_dirlist + os.system('pwd') + list = recursive_dirlist('../buildtools/wafsamba', '.', pattern='*.py') + + print(list) + cmd='PYTHONPATH=bin/python pydoctor --project-name=wafsamba --project-url=http://www.samba.org --make-html --docformat=restructuredtext' +\ + "".join(' --add-module %s' % f for f in list) + print("Running: %s" % cmd) + status = os.system(cmd) + if os.WEXITSTATUS(status): + raise Errors.WafError('wafdocs failed') + + +def dist(): + '''makes a tarball for distribution''' + sambaversion = samba_version.load_version(env=None) + + os.system("make -C ctdb 
manpages") + samba_dist.DIST_FILES('ctdb/doc:ctdb/doc', extend=True) + + os.system("DOC_VERSION='" + sambaversion.STRING + "' " + Context.g_module.top + "/release-scripts/build-manpages-nogit") + samba_dist.DIST_FILES('bin/docs:docs', extend=True) + + if sambaversion.IS_SNAPSHOT: + # write .distversion file and add to tar + if not os.path.isdir(Context.g_module.out): + os.makedirs(Context.g_module.out) + distversionf = tempfile.NamedTemporaryFile(mode='w', prefix='.distversion',dir=Context.g_module.out) + for field in sambaversion.vcs_fields: + distveroption = field + '=' + str(sambaversion.vcs_fields[field]) + distversionf.write(distveroption + '\n') + distversionf.flush() + samba_dist.DIST_FILES('%s:.distversion' % distversionf.name, extend=True) + + samba_dist.dist() + distversionf.close() + else: + samba_dist.dist() + + +def distcheck(): + '''test that distribution tarball builds and installs''' + samba_version.load_version(env=None) + +def wildcard_cmd(cmd): + '''called on a unknown command''' + from samba_wildcard import run_named_build_task + run_named_build_task(cmd) + +def main(): + from samba_wildcard import wildcard_main + + wildcard_main(wildcard_cmd) +Scripting.main = main + +def reconfigure(ctx): + '''reconfigure if config scripts have changed''' + import samba_utils + samba_utils.reconfigure(ctx) + + +if os.path.isdir(os.path.join(top, ".git")): + # Check if there are submodules that are checked out but out of date. + for submodule, status in samba_git.read_submodule_status(top): + if status == "out-of-date": + raise Errors.WafError("some submodules are out of date. Please run 'git submodule update'") diff --git a/wscript_build b/wscript_build new file mode 100644 index 0000000..35e0d64 --- /dev/null +++ b/wscript_build 
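Review bot: In `dist()` both `os.system()` calls discard their exit status, so a failed `make -C ctdb manpages` or `build-manpages-nogit` run still reaches `samba_dist.dist()` and produces a tarball that looks complete; the other helpers in this file (`etags`, `pep8`, `wafdocs`) check `os.WEXITSTATUS(status)` and raise `Errors.WafError`. The second call also builds its shell line by concatenating `sambaversion.STRING` and `Context.g_module.top` into a hand-quoted string, which breaks if either contains a quote or a space. I would pass the value through the environment and let a non-zero exit fail the release step, e.g. `subprocess.check_call([os.path.join(Context.g_module.top, 'release-scripts/build-manpages-nogit')], env=dict(os.environ, DOC_VERSION=sambaversion.STRING))`, which needs `import subprocess` next to the existing imports. Separately, the `--with-system-heimdalkrb5` help text joins its parts with `and`, so Python evaluates the expression to the last string only; use `'Requires --without-ad-dc and ' +` instead.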
@@ -0,0 +1,163 @@ +#!/usr/bin/env python + +# top level waf build script for samba4 + +from waflib import Options +import os +srcdir = "." + +import samba_version + +bld.env.suffix3 = "3" +bld.env.suffix4 = "4" + +# create separate build groups for building the asn1 and et compiler, then +# building the C from ASN1 and IDL, and finally the main build process +bld.SETUP_BUILD_GROUPS() +bld.AUTOCLEANUP_STALE_FILES() + +# enable building of public headers in the build tree +bld.env.build_public_headers = 'include/public' + +# these are includes which appear in public headers, but with #ifdef conditional +# compilation, so they are safe +bld.env.public_headers_skip = ['lib/param/param_proto.h', 'lib/param/param_functions.h'] + +version=samba_version.load_version(bld.env, is_install=bld.is_install) +bld.SAMBA_MKVERSION('version.h') + +# bld.ENABLE_MAGIC_ORDERING() + +bld.env.ABS_TOP_SRCDIR = bld.srcnode.abspath() + '/docs-xml' +bld.env.ABS_TOP_BUILDDIR = bld.bldnode.abspath() + '/docs-xml' +bld.CONFIGURE_FILE('docs-xml/build/catalog.xml', + ABS_TOP_BUILDDIR = bld.env.ABS_TOP_BUILDDIR, + ABS_TOP_SRCDIR=bld.env.ABS_TOP_SRCDIR) +bld.env.DOC_VERSION=version.STRING +bld.CONFIGURE_FILE('docs-xml/build/DTD/samba.build.version', + DOC_VERSION=bld.env.DOC_VERSION) +bld.RECURSE('docs-xml') + +# This needs to be earlier than anything containing IDL +# That in turn allows the build rules for fuzz_ndr_X to be +# near the code +bld.RECURSE('lib/fuzzing') + +bld.RECURSE('lib/replace') +bld.RECURSE('lib/socket') +bld.RECURSE('lib/talloc') +bld.RECURSE('lib/tevent') +bld.RECURSE('lib/texpect') +bld.RECURSE('lib/addns') +bld.RECURSE('lib/ldb') +bld.RECURSE('lib/param') +bld.RECURSE('lib/printer_driver') +bld.RECURSE('lib/audit_logging') +bld.RECURSE('lib/messaging') +bld.RECURSE('dynconfig') +bld.RECURSE('lib/util/charset') +bld.RECURSE('python') +bld.RECURSE('source4/param') +bld.RECURSE('source4/librpc') +bld.RECURSE('source4/dsdb') +bld.RECURSE('source4/samba') 
+bld.RECURSE('source4/cluster') +bld.RECURSE('source4/libnet') +bld.RECURSE('source4/auth') +bld.RECURSE('auth') +bld.RECURSE('auth/kerberos') +bld.RECURSE('nsswitch') +bld.RECURSE('nsswitch/libwbclient') +bld.RECURSE('source4/lib/samba3') +bld.RECURSE('source4/lib/socket') +bld.RECURSE('lib/ldb-samba') +bld.RECURSE('source4/lib/tls') +bld.RECURSE('source4/lib/registry') +bld.RECURSE('source4/lib/messaging') +bld.RECURSE('source4/lib/events') +if bld.CHECK_FOR_THIRD_PARTY(): + bld.RECURSE('third_party') +bld.RECURSE('source4/lib/stream') +bld.RECURSE('lib/afs') +bld.RECURSE('lib/util') +bld.RECURSE('lib/tdb_wrap') +bld.RECURSE('lib/tdr') +bld.RECURSE('lib/tsocket') +bld.RECURSE('lib/crypto') +bld.RECURSE('lib/torture') +bld.RECURSE('libgpo') +bld.RECURSE('source4/lib/com') +bld.RECURSE('source4/dns_server') +bld.RECURSE('source4/echo_server') +bld.RECURSE('source4/smb_server') +bld.RECURSE('source4/rpc_server') +bld.RECURSE('source4/ldap_server') +bld.RECURSE('source4/winbind') +bld.RECURSE('source4/nbt_server') +bld.RECURSE('source4/wrepl_server') +bld.RECURSE('source4/cldap_server') +bld.RECURSE('source4/ntp_signd') +bld.RECURSE('source4/utils/oLschema2ldif') +bld.RECURSE('source4/ntvfs') +bld.RECURSE('source4/torture') +bld.RECURSE('librpc') +bld.RECURSE('source4') +bld.RECURSE('source4/libcli') +bld.RECURSE('libcli/smb') +bld.RECURSE('libcli/util') +bld.RECURSE('libcli/cldap') +bld.RECURSE('lib/smbconf') +bld.RECURSE('lib/async_req') +bld.RECURSE('lib/dbwrap') +bld.RECURSE('libcli/security') +bld.RECURSE('libcli/ldap') +bld.RECURSE('libcli/nbt') +bld.RECURSE('libcli/netlogon') +bld.RECURSE('libcli/auth') +bld.RECURSE('libcli/lsarpc') +bld.RECURSE('libcli/drsuapi') +bld.RECURSE('libcli/echo') +bld.RECURSE('libcli/dns') +bld.RECURSE('libcli/samsync') +bld.RECURSE('libcli/registry') +bld.RECURSE('libcli/http') +bld.RECURSE('lib/mscat') +bld.RECURSE('lib/cmdline') +bld.RECURSE('source4/lib/policy') +bld.RECURSE('libcli/named_pipe_auth') +if 
bld.CONFIG_GET('ENABLE_SELFTEST'): + bld.RECURSE('testsuite/unittests') + +if bld.CONFIG_GET('KRB5_VENDOR') in (None, 'heimdal'): + if bld.CONFIG_GET("HEIMDAL_KRB5_CONFIG") and bld.CONFIG_GET("USING_SYSTEM_KRB5"): + # When both HEIMDAL_KRB5_CONFIG and KRB5_CONFIG are set and not equal, + # it means one is Heimdal-specific (krb5-config.heimdal, for example) + # and there is system heimdal + bld.PROCESS_SEPARATE_RULE('system_heimdal') + else: + bld.PROCESS_SEPARATE_RULE('embedded_heimdal') +else: + bld.PROCESS_SEPARATE_RULE('system_mitkrb5') + +bld.RECURSE('libcli/smbreadline') +if bld.AD_DC_BUILD_IS_ENABLED(): + bld.RECURSE('source4/setup') + bld.RECURSE('source4/kdc') +if bld.env.with_ctdb: + bld.RECURSE('ctdb') +bld.RECURSE('source4/scripting') +bld.RECURSE('pidl') +bld.RECURSE('lib') +bld.RECURSE('libds/common') +bld.RECURSE('lib/pthreadpool') +bld.RECURSE('source3') +bld.RECURSE('dfs_server') +bld.RECURSE('file_server') +bld.RECURSE('lib/krb5_wrap') +bld.RECURSE('packaging') + +bld.RECURSE('testsuite/headers') + +bld.SYMBOL_CHECK() +bld.DUP_SYMBOL_CHECK() + diff --git a/wscript_build_embedded_heimdal b/wscript_build_embedded_heimdal new file mode 100644 index 0000000..0536e21 --- /dev/null +++ b/wscript_build_embedded_heimdal @@ -0,0 +1,4 @@ +from waflib import Logs + +Logs.info("\tSelected embedded Heimdal build") +bld.RECURSE('third_party/heimdal_build') diff --git a/wscript_build_system_heimdal b/wscript_build_system_heimdal new file mode 100644 index 0000000..1fc738e --- /dev/null +++ b/wscript_build_system_heimdal @@ -0,0 +1,4 @@ +from waflib import Logs + +Logs.info("\tSelected system Heimdal build") +bld.RECURSE('third_party/heimdal_build') diff --git a/wscript_build_system_mitkrb5 b/wscript_build_system_mitkrb5 new file mode 100644 index 0000000..1fbf3ef --- /dev/null +++ b/wscript_build_system_mitkrb5 @@ -0,0 +1,3 @@ +from waflib import Logs + +Logs.info("\tSelected system MIT krb5 libraries, Heimdal use is disabled") 
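Review bot: The comment inside the `KRB5_VENDOR in (None, 'heimdal')` branch of wscript_build describes a test the code does not make: it talks about `HEIMDAL_KRB5_CONFIG` and `KRB5_CONFIG` both being set and unequal, while the condition checks `HEIMDAL_KRB5_CONFIG` together with `USING_SYSTEM_KRB5`. This branch decides whether the system or the embedded Heimdal rules are built, so the comment should state the real criterion, for example `# HEIMDAL_KRB5_CONFIG was found at configure time and a system Kerberos is in use: build against system Heimdal`. Where `USING_SYSTEM_KRB5` gets defined is not visible in this hunk, so confirm its meaning before rewording.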
diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal new file mode 100644 index 0000000..6066f2b --- /dev/null +++ b/wscript_configure_embedded_heimdal @@ -0,0 +1,8 @@ +if not conf.env['FLEX']: + conf.fatal("Embedded Heimdal build requires flex but it was not found. Install flex or use --with-system-mitkrb5 or --with-system-heimdalkrb5") + +if not conf.env['BISON']: + conf.fatal("Embedded Heimdal build requires bison but it was not found. Install bison or use --with-system-mitkrb5 or --with-system-heimdalkrb5") + +conf.define('USING_EMBEDDED_HEIMDAL', 1) +conf.RECURSE('third_party/heimdal_build') diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls new file mode 100644 index 0000000..176585c --- /dev/null +++ b/wscript_configure_system_gnutls 
@@ -0,0 +1,87 @@ +from waflib import Logs +import os + +def parse_version(v): + return tuple(map(int, (v.split(".")))) + +gnutls_min_required_version = "3.4.7" + +conf.CHECK_FUNCS('getrandom', headers='sys/random.h') +if not conf.CONFIG_SET('HAVE_GETRANDOM'): + gnutls_min_required_version = "3.7.2" + +gnutls_required_version = gnutls_min_required_version + +conf.CHECK_CFG(package='gnutls', + args=('"gnutls >= %s" --cflags --libs' % gnutls_required_version), + msg='Checking for GnuTLS >= %s' % gnutls_required_version, + mandatory=True) + +gnutls_version_str = conf.cmd_and_log(conf.env.PKGCONFIG + ['--modversion', 'gnutls']).strip() +gnutls_version = parse_version(gnutls_version_str) + +# Define gnutls as a system library +conf.SET_TARGET_TYPE('gnutls', 'SYSLIB') + +# Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat +conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls') + +# Check for gnutls_set_default_priority_append (>= 3.6.3) +conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls') + +# Check for gnutls_pbkdf2 (>= 3.6.13) +conf.CHECK_FUNCS_IN('gnutls_pbkdf2', 'gnutls') + +# Check for gnutls_aead_cipher_encryptv2 +# +# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed +# in 3.6.11, see: +# +# https://gitlab.com/gnutls/gnutls/-/merge_requests/1085 +# +# 3.6.10 - 3.6.14 have a severe memory leak with AES-CCM +# https://gitlab.com/gnutls/gnutls/-/merge_requests/1278 +if (gnutls_version > parse_version('3.6.10')): + if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'): + conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1) + if (gnutls_version > parse_version('3.6.14')): + conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1) + +if (gnutls_version < parse_version('3.5.2')): + conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1) + +# Check if gnutls has fips mode support +# gnutls_fips140_mode_enabled() is available since 3.3.0 +fragment = ''' 
+#include <gnutls/gnutls.h> +#include <stdlib.h> + +int main(void) +{ + unsigned int ok; + + ok = gnutls_fips140_mode_enabled(); + + return !ok; +} +''' + +os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1' +conf.CHECK_CODE(fragment, + 'HAVE_GNUTLS_FIPS_MODE_SUPPORTED', + execute=True, + addmain=False, + add_headers=False, + lib='gnutls', + msg='Checking for gnutls fips mode support') +del os.environ['GNUTLS_FORCE_FIPS_MODE'] + +if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'): + conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1) +else: + Logs.warn('No gnutls support for AES CFB8') + +if conf.CHECK_VALUEOF('GNUTLS_MAC_AES_CMAC_128', headers='gnutls/gnutls.h'): + conf.DEFINE('HAVE_GNUTLS_AES_CMAC', 1) +else: + Logs.warn('No gnutls support for AES CMAC') diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal new file mode 100644 index 0000000..6033dad --- /dev/null +++ b/wscript_configure_system_heimdal 
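Review bot: The FIPS probe in wscript_configure_system_gnutls sets `os.environ['GNUTLS_FORCE_FIPS_MODE']` and then deletes it unconditionally, so a value the caller had already exported is lost for every later configure check and child process. If `conf.CHECK_CODE` raises, the forced value is instead left in place. Save the previous value and restore it in a `finally` block, as sketched below. The probe also relies on `execute=True`, so its result describes the GnuTLS of the machine running configure; whether cross builds need an override is not visible from this hunk.

```python
saved_fips_mode = os.environ.get('GNUTLS_FORCE_FIPS_MODE')
os.environ['GNUTLS_FORCE_FIPS_MODE'] = '1'
try:
    # … unchanged: conf.CHECK_CODE(fragment, 'HAVE_GNUTLS_FIPS_MODE_SUPPORTED', …) …
finally:
    if saved_fips_mode is None:
        del os.environ['GNUTLS_FORCE_FIPS_MODE']
    else:
        os.environ['GNUTLS_FORCE_FIPS_MODE'] = saved_fips_mode
```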
@@ -0,0 +1,94 @@
+import sys
+from waflib import Logs
+
+conf.RECURSE('third_party/heimdal_build')
+
+heimdal_includedirs = []
+heimdal_libdirs = []
+krb5_config = conf.find_program("krb5-config.heimdal", var="HEIMDAL_KRB5_CONFIG")
+if not krb5_config:
+ krb5_config = conf.find_program("krb5-config", var="HEIMDAL_KRB5_CONFIG")
+if krb5_config:
+ # Not ideal, but seems like the best way to get at these paths:
+ f = open(krb5_config[0], 'r')
+ try:
+ for l in f:
+ if l.startswith("libdir="):
+ heimdal_libdirs.append(l.strip()[len("libdir="):])
+ elif l.startswith("includedir="):
+ include_path = l.strip()[len("includedir="):]
+ heimdal_includedirs.append(include_path)
+ conf.ADD_EXTRA_INCLUDES(include_path)
+ conf.define('HEIMDAL_KRB5_TYPES_PATH',
+ include_path + "/krb5-types.h")
+ finally:
+ f.close()
+
+def check_system_heimdal_lib(name, functions='', headers='', onlyif=None):
+ # Only use system library if the user requested the bundled one not be
+ # used.
+ if conf.LIB_MAY_BE_BUNDLED(name):
+ return False
+ setattr(conf.env, "CPPPATH_%s" % name.upper(), heimdal_includedirs)
+ setattr(conf.env, "LIBPATH_%s" % name.upper(), heimdal_libdirs)
+ if not conf.CHECK_BUNDLED_SYSTEM(name, checkfunctions=functions, headers=headers,
+ onlyif=onlyif):
+ return False
+ conf.define('USING_SYSTEM_%s' % name.upper(), 1)
+ return True
+
+def check_system_heimdal_binary(name):
+ if conf.LIB_MAY_BE_BUNDLED(name):
+ return False
+ if not conf.find_program(name, var=name.upper()):
+ return False
+ conf.define('USING_SYSTEM_%s' % name.upper(), 1)
+ return True
+
+check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h")
+
+if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"):
+ conf.env.CPPPATH_ROKEN_HOSTCC = conf.env.CPPPATH_ROKEN
+ conf.env.LIBPATH_ROKEN_HOSTCC = conf.env.LIBPATH_ROKEN
+ conf.env.LIB_ROKEN_HOSTCC = "roken"
+ conf.SET_TARGET_TYPE("ROKEN_HOSTCC", 'SYSLIB')
+
+# Make sure HAVE_CONFIG_H is unset, as the system Heimdal headers use it
+# and include config.h if it is set, resulting in failure (since config.h
+# doesn't yet exist)
+
+DEFINES = list(conf.env.DEFINES)
+conf.undefine("HAVE_CONFIG_H")
+while "HAVE_CONFIG_H=1" in conf.env.DEFINES:
+ conf.env.DEFINES.remove("HAVE_CONFIG_H=1")
+try:
+ check_system_heimdal_lib("wind", "wind_stringprep", "wind.h", onlyif="roken")
+ check_system_heimdal_lib("hx509", "hx509_bitstring_print", "hx509.h", onlyif="roken wind")
+ check_system_heimdal_lib("asn1", "initialize_asn1_error_table", "asn1_err.h", onlyif="roken com_err")
+ check_system_heimdal_lib("heimbase", "heim_cmp", "heimbase.h", onlyif="roken")
+ check_system_heimdal_lib("hcrypto", "MD4_Init", "hcrypto/md4.h",
+ onlyif="asn1 roken com_err")
+ if check_system_heimdal_lib("krb5", "krb5_anyaddr", "krb5.h",
+ onlyif="roken wind asn1 hx509 hcrypto com_err heimbase"):
+ conf.CHECK_FUNCS_IN('krb5_free_unparsed_name', 'krb5', headers="krb5.h")
+ check_system_heimdal_lib("gssapi", "gss_oid_to_name", "gssapi.h",
+ onlyif="hcrypto asn1 roken krb5 com_err wind")
+ check_system_heimdal_lib("heimntlm", "heim_ntlm_ntlmv2_key", "heimntlm.h",
+ onlyif="roken hcrypto krb5")
+ check_system_heimdal_lib("hdb", "hdb_db_dir", "krb5.h hdb.h",
+ onlyif="roken krb5 hcrypto com_err wind")
+ check_system_heimdal_lib("kdc", "kdc_log", "kdc.h",
+ onlyif="roken krb5 hdb asn1 heimntlm hcrypto com_err wind heimbase")
+finally:
+ conf.env.DEFINES = DEFINES
+
+# With the proper checks in place we should be able to build against the system libtommath.
+#if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'):
+# conf.define('USING_SYSTEM_TOMMATH', 1)
+
+check_system_heimdal_binary("compile_et")
+check_system_heimdal_binary("asn1_compile")
+
+conf.env.KRB5_VENDOR = 'heimdal'
+conf.define('USING_SYSTEM_KRB5', 1)
+conf.define('USING_SYSTEM_HEIMDAL', 1)
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
new file mode 100644
index 0000000..9b18d5d
--- /dev/null
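Review bot: In wscript_configure_system_heimdal, the `libdir=` and `includedir=` values are sliced straight out of the krb5-config script text and then used as the `CPPPATH_*`/`LIBPATH_*` entries and inside `HEIMDAL_KRB5_TYPES_PATH` without any validation. If the script quotes the value or expresses it through another shell variable (for example `${prefix}`), the literal string becomes a search path that does not exist, and the later `check_system_heimdal_lib()` probes would probably run against whatever the compiler finds by default. Checking each parsed value with `os.path.isdir()` (this needs `import os`) and reporting a failure through `Logs.warn` would make that visible. As a style point, `with open(krb5_config[0]) as f:` would replace the manual `try`/`finally: f.close()`.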
+++ b/wscript_configure_system_mitkrb5 
@@ -0,0 +1,357 @@ +import sys +from waflib import Logs, Options, Errors + +# Check for kerberos +have_gssapi=False + +krb5_min_required_version = "1.9" + +# Requried versions +krb5_required_version = krb5_min_required_version +if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): + krb5_required_version = "1.19" + +def parse_version(v): + return tuple(map(int, (v.split(".")))) + +def krb5_define_syslib(conf, lib, deps): + found = 'FOUND_SYSTEMLIB_' + lib + if found in conf.env: + return + conf.SET_TARGET_TYPE(lib, 'SYSLIB') + conf.SET_SYSLIB_DEPS(lib, deps) + conf.env[found] = True + +Logs.info("Looking for kerberos features") +conf.find_program('krb5-config.heimdal', var='HEIMDAL_KRB5_CONFIG') + +if isinstance(Options.options.with_system_mitkrb5, list): + path_krb5_config = [x+'/bin' for x in Options.options.with_system_mitkrb5] +else: + path_krb5_config = None + +conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err") +conf.CHECK_FUNCS_IN('_et_list', 'com_err') +conf.CHECK_HEADERS('com_err.h', lib='com_err') + +conf.find_program('krb5-config', path_list=path_krb5_config, var='KRB5_CONFIG') +if conf.env.KRB5_CONFIG: + vendor = conf.cmd_and_log(conf.env.KRB5_CONFIG+['--vendor']) + conf.env.KRB5_VENDOR = vendor.strip().lower() + if conf.env.KRB5_VENDOR == 'heimdal': + raise Errors.WafError('--with-system-mitkrb5 cannot be used with system heimdal') + + if conf.CHECK_CFG(path=conf.env.KRB5_CONFIG, args="--cflags --libs", + package="", uselib_store="KRB5"): + if 'krb5' in conf.env['LIB_KRB5']: + krb5_define_syslib(conf, "krb5", conf.env['LIB_KRB5']) + if 'k5crypto' in conf.env['LIB_KRB5']: + krb5_define_syslib(conf, "k5crypto", conf.env['LIB_GSSAPI']) + else: + raise Errors.WafError('Unable to find required krb5 library!') + + if conf.CHECK_CFG(path=conf.env.KRB5_CONFIG, args="--cflags --libs", + package="gssapi", uselib_store="GSSAPI"): + krb5_define_syslib(conf, "gssapi", conf.env['LIB_GSSAPI']) + if 'gssapi_krb5' in conf.env['LIB_GSSAPI']: + 
krb5_define_syslib(conf, "gssapi_krb5", conf.env['LIB_GSSAPI']) + else: + raise Errors.WafError('Unable to find required gssapi library!') + + if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): + if conf.CHECK_CFG(path=conf.env.KRB5_CONFIG, args="--cflags --libs", + package="gssrpc", uselib_store="GSSRPC"): + krb5_define_syslib(conf, "gssrpc", conf.env['LIB_GSSRPC']) + + if conf.CHECK_CFG(path=conf.env.KRB5_CONFIG, args="--cflags --libs", + package="kdb", uselib_store="KDB5"): + krb5_define_syslib(conf, "kdb5", conf.env['LIB_KDB5']) + conf.CHECK_HEADERS('kdb.h', lib='kdb5') + else: + raise Errors.WafError('Unable to find required kdb5 library!') + + if conf.CHECK_CFG(path=conf.env.KRB5_CONFIG, args="--cflags --libs", + package="kadm-server", uselib_store="KADM5SRV_MIT"): + krb5_define_syslib(conf, + "kadm5srv_mit", + conf.env['LIB_KADM5SRV_MIT']) + conf.CHECK_FUNCS_IN('kadm5_init', 'kadm5srv_mit') + else: + raise Errors.WafError('Unable to find required kadm5srv_mit ' + 'library!') + + conf.define('USING_SYSTEM_KRB5', 1) + del conf.env.HEIMDAL_KRB5_CONFIG + krb5_conf_version = conf.cmd_and_log(conf.env.KRB5_CONFIG+['--version']).strip() + + krb5_version = krb5_conf_version.split()[-1] + + # drop '-prerelease' suffix + if krb5_version.find('-') > 0: + krb5_version = krb5_version.split("-")[0] + + if parse_version(krb5_version) < parse_version(krb5_required_version): + Logs.error('ERROR: The MIT KRB5 build with Samba AD requires at least %s. 
%s has been found and cannot be used' % (krb5_required_version, krb5_version)) + Logs.error('ERROR: If you want to just build Samba FS (File Server) use the option --without-ad-dc which requires version %s' % (krb5_min_required_version)) + Logs.error('ERROR: You may try to build with embedded Heimdal Kerberos by not specifying --with-system-mitkrb5') + sys.exit(1) + else: + Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version)) + + if parse_version(krb5_version) < parse_version('1.20'): + conf.DEFINE('HAVE_MIT_KRB5_PRE_1_20', 1) + if parse_version(krb5_version) >= parse_version('1.20'): + conf.DEFINE('HAVE_MIT_KRB5_1_20', 1) + conf.define('USING_SYSTEM_MITKRB5', '"%s"' % krb5_version) + +conf.CHECK_HEADERS('krb5.h krb5/locate_plugin.h', lib='krb5') +conf.CHECK_HEADERS('krb5.h krb5/localauth_plugin.h', lib='krb5') +possible_gssapi_headers="gssapi.h gssapi/gssapi_generic.h gssapi/gssapi.h gssapi/gssapi_ext.h gssapi/gssapi_krb5.h gssapi/gssapi_oid.h" +conf.CHECK_HEADERS(possible_gssapi_headers, lib='gssapi') + +conf.CHECK_FUNCS_IN('krb5_encrypt_data', 'k5crypto') +conf.CHECK_FUNCS_IN('des_set_key','crypto') +conf.CHECK_FUNCS_IN('copy_Authenticator', 'asn1') +conf.CHECK_FUNCS_IN('roken_getaddrinfo_hostspec', 'roken') + +conf.CHECK_HEADERS('profile.h', lib='krb5') + +if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi gssapi_krb5'): + have_gssapi=True + +if not have_gssapi: + if conf.env.KRB5_CONFIG and conf.env.KRB5_CONFIG != 'heimdal': + Logs.error("ERROR: WAF build with MIT Krb5 requires working GSSAPI implementation") + sys.exit(1) + +conf.CHECK_FUNCS_IN(''' + gss_wrap_iov + gss_krb5_import_cred + gss_get_name_attribute + gss_mech_krb5 + gss_oid_equal + gss_inquire_sec_context_by_oid + gsskrb5_extract_authz_data_from_sec_context + gss_krb5_export_lucid_sec_context + gss_import_cred gss_export_cred + gss_acquire_cred_from + ''', 'gssapi gssapi_krb5') +conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', + headers=possible_gssapi_headers, 
lib='gssapi gssapi_krb5') +conf.CHECK_FUNCS(''' + krb5_auth_con_getrecvsubkey + krb5_auth_con_getsendsubkey + krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes + krb5_set_default_tgs_ktypes krb5_principal2salt + krb5_c_string_to_key krb5_get_pw_salt krb5_string_to_key_salt krb5_auth_con_setkey + krb5_auth_con_setuseruserkey krb5_get_permitted_enctypes + krb5_get_default_in_tkt_etypes krb5_free_data_contents + krb5_principal_get_comp_string krb5_free_unparsed_name + krb5_free_keytab_entry_contents krb5_kt_free_entry krb5_krbhst_init + krb5_krbhst_get_addrinfo + krb5_crypto_init krb5_crypto_destroy + krb5_c_verify_checksum krb5_principal_compare_any_realm + krb5_parse_name_norealm krb5_princ_size krb5_get_init_creds_opt_set_pac_request + krb5_get_renewed_creds krb5_free_error_contents + initialize_krb5_error_table krb5_get_init_creds_opt_alloc + krb5_get_init_creds_opt_free krb5_get_init_creds_opt_get_error + krb5_enctype_to_string krb5_fwd_tgt_creds krb5_auth_con_set_req_cksumtype + krb5_get_creds_opt_alloc krb5_get_creds_opt_set_impersonate krb5_get_creds + krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm + krb5_get_init_creds_keyblock krb5_get_init_creds_keytab + krb5_make_principal krb5_build_principal_alloc_va + krb5_cc_get_lifetime krb5_cc_retrieve_cred + krb5_cc_copy_creds + krb5_free_checksum_contents krb5_c_make_checksum krb5_create_checksum + krb5_config_get_bool_default krb5_get_profile + krb5_data_copy + krb5_init_keyblock krb5_principal_set_realm krb5_principal_get_type + krb5_principal_set_type + krb5_warnx + krb5_get_prompt_types + krb5_mk_req_extended krb5_kt_compare + ''', + lib='krb5 k5crypto', + headers='krb5.h') +conf.CHECK_DECLS('''krb5_get_credentials_for_user + krb5_auth_con_set_req_cksumtype''', + headers='krb5.h', lib='krb5', always=True) +conf.CHECK_VARIABLE('AP_OPTS_USE_SUBKEY', headers='krb5.h', lib='krb5') +conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h', lib='krb5') 
+conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h', lib='krb5') +conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h', lib='krb5') +conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5', mandatory=True) +conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5', mandatory=True) +conf.CHECK_DECLS('KRB5_PDU_NONE', reverse=True, headers='krb5.h', lib='krb5') +conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key', + headers='krb5.h', + lib='krb5', + define='HAVE_KRB5_KEYTAB_ENTRY_KEY') +conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'keyblock', + headers='krb5.h', + lib='krb5', + define='HAVE_KRB5_KEYTAB_ENTRY_KEYBLOCK') +conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'magic', + headers='krb5.h', + lib='krb5', + define='HAVE_MAGIC_IN_KRB5_ADDRESS') +conf.CHECK_STRUCTURE_MEMBER('krb5_address', 'addrtype', + headers='krb5.h', + lib='krb5', + define='HAVE_ADDRTYPE_IN_KRB5_ADDRESS') +conf.CHECK_STRUCTURE_MEMBER('krb5_ap_req', 'ticket', + headers='krb5.h', + lib='krb5', + define='HAVE_TICKET_POINTER_IN_KRB5_AP_REQ') +conf.CHECK_STRUCTURE_MEMBER('krb5_prompt', 'type', + headers='krb5.h', + lib='krb5', + define='HAVE_KRB5_PROMPT_TYPE') +conf.CHECK_CODE('krb5_trace_info', 'HAVE_KRB5_TRACE_INFO', + headers='krb5.h', lib='krb5') +conf.CHECK_CODE('struct krb5_trace_info', 'HAVE_KRB5_TRACE_INFO_STRUCT', + headers='krb5.h', lib='krb5') +conf.CHECK_TYPE('krb5_encrypt_block', headers='krb5.h', lib='krb5') + +conf.CHECK_CODE(''' + krb5_context ctx; + krb5_get_init_creds_opt *opt = NULL; + krb5_get_init_creds_opt_free(ctx, opt); + ''', + 'KRB5_CREDS_OPT_FREE_REQUIRES_CONTEXT', + headers='krb5.h', link=False, + lib='krb5', + msg="Checking whether krb5_get_init_creds_opt_free takes a context argument") +conf.CHECK_CODE(''' + const krb5_data *pkdata; + krb5_context context; + krb5_principal principal; + pkdata = krb5_princ_component(context, principal, 0); + ''', + 'HAVE_KRB5_PRINC_COMPONENT', + 
headers='krb5.h', lib='krb5', + msg="Checking whether krb5_princ_component is available") + +conf.CHECK_CODE(''' + int main(void) { + char buf[256]; + krb5_enctype_to_string(1, buf, 256); + return 0; + }''', + 'HAVE_KRB5_ENCTYPE_TO_STRING_WITH_SIZE_T_ARG', + headers='krb5.h', lib='krb5 k5crypto', + addmain=False, cflags=conf.env['WERROR_CFLAGS'], + msg="Checking whether krb5_enctype_to_string takes size_t argument") + +conf.CHECK_CODE(''' + int main(void) { + krb5_context context = NULL; + char *str = NULL; + krb5_enctype_to_string(context, 1, &str); + if (str) free (str); + return 0; + }''', + 'HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG', + headers='krb5.h stdlib.h', lib='krb5', + addmain=False, cflags=conf.env['WERROR_CFLAGS'], + msg="Checking whether krb5_enctype_to_string takes krb5_context argument") +conf.CHECK_CODE(''' + int main(void) { + krb5_context ctx = NULL; + krb5_principal princ = NULL; + const char *str = krb5_princ_realm(ctx, princ)->data; + return 0; + }''', + 'HAVE_KRB5_PRINC_REALM', + headers='krb5.h', lib='krb5', + addmain=False, + msg="Checking whether the macro krb5_princ_realm is defined") +conf.CHECK_CODE(''' + int main(void) { + krb5_context context; + krb5_principal principal; + const char *realm; realm = krb5_principal_get_realm(context, principal); + return 0; + }''', + 'HAVE_KRB5_PRINCIPAL_GET_REALM', + headers='krb5.h', lib='krb5', + addmain=False, + msg="Checking whether krb5_principal_get_realm is defined") +conf.CHECK_CODE(''' + krb5_enctype enctype; + enctype = ENCTYPE_ARCFOUR_HMAC_MD5; + ''', + '_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', + headers='krb5.h', lib='krb5', + msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available"); +conf.CHECK_CODE(''' + krb5_enctype enctype; + enctype = ENCTYPE_ARCFOUR_HMAC_MD5_56; + ''', + '_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', + headers='krb5.h', lib='krb5', + msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_MD5_56 key type definition is available"); +conf.CHECK_CODE(''' + 
krb5_keytype keytype; + keytype = KEYTYPE_ARCFOUR_56; + ''', + '_HAVE_KEYTYPE_ARCFOUR_56', + headers='krb5.h', lib='krb5', + msg="Checking whether the HAVE_KEYTYPE_ARCFOUR_56 key type definition is available"); +if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'): + conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5', '1') +if conf.CONFIG_SET('_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56') and conf.CONFIG_SET('_HAVE_KEYTYPE_ARCFOUR_56'): + conf.DEFINE('HAVE_ENCTYPE_ARCFOUR_HMAC_MD5_56', '1') + +conf.CHECK_CODE(''' + krb5_enctype enctype; + enctype = ENCTYPE_ARCFOUR_HMAC; + ''', + 'HAVE_ENCTYPE_ARCFOUR_HMAC', + headers='krb5.h', lib='krb5', + msg="Checking whether the ENCTYPE_ARCFOUR_HMAC key type definition is available"); +conf.CHECK_CODE(''' + krb5_enctype enctype; + enctype = ENCTYPE_ARCFOUR_HMAC_EXP; + ''', + 'HAVE_ENCTYPE_ARCFOUR_HMAC_EXP', + headers='krb5.h', lib='krb5', + msg="Checking whether the ENCTYPE_ARCFOUR_HMAC_EXP key type definition is available"); + +conf.CHECK_CODE(''' + krb5_context context; + krb5_keytab keytab; + krb5_init_context(&context); + return krb5_kt_resolve(context, "WRFILE:api", &keytab); + ''', + 'HAVE_WRFILE_KEYTAB', + headers='krb5.h', lib='krb5', execute=True, + msg="Checking whether the WRFILE -keytab is supported"); +# Check for KRB5_DEPRECATED handling +conf.CHECK_CODE('''#define KRB5_DEPRECATED 1 + #include <krb5.h>''', + 'HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER', addmain=False, + link=False, + lib='krb5', + msg="Checking for KRB5_DEPRECATED define taking an identifier") + +conf.CHECK_CODE(''' + krb5_creds creds; + creds.flags.b.initial = 0; + ''', + 'HAVE_FLAGS_IN_KRB5_CREDS', + headers='krb5.h', lib='krb5', execute=False, + msg="Checking whether krb5_creds have flags property") + +# Check for MIT KDC +if conf.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): + Logs.info("Looking for MIT KDC") + conf.DEFINE('SAMBA_USES_MITKDC', 1); + + kdc_path_list = [ '/usr/sbin', '/usr/lib/mit/sbin'] + + if 
getattr(Options.options, 'with_system_mitkdc', None): + conf.DEFINE('MIT_KDC_PATH', '"' + Options.options.with_system_mitkdc + '"') + else: + conf.find_program('krb5kdc', path_list=kdc_path_list, var='MIT_KDC_BINARY', mandatory=True) + conf.DEFINE('MIT_KDC_PATH', '"' + " ".join(conf.env.MIT_KDC_BINARY) + '"') |
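Review bot: `krb5_define_syslib(conf, "k5crypto", conf.env['LIB_GSSAPI'])` passes the GSSAPI library list as the dependencies of k5crypto, although the branch around it tests `conf.env['LIB_KRB5']` and the `CHECK_CFG(... uselib_store="GSSAPI")` call that would populate `LIB_GSSAPI` only runs further down. This looks like a copy-and-paste slip; `krb5_define_syslib(conf, "k5crypto", conf.env['LIB_KRB5'])` would match the krb5 line directly above it. In the same hunk, the `have_gssapi` failure path tests `conf.env.KRB5_CONFIG != 'heimdal'`, which compares the krb5-config program entry with a vendor name and is therefore presumably always true once the program was found; `conf.env.KRB5_VENDOR` looks like the intended operand.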