From: Ganael Laplanche
Organization: Martymac.org
To: freebsd-ports@freebsd.org
Date: Tue, 21 Jun 2011 10:09:23 +0200
Message-Id: <201106211009.32633.ganael.laplanche@martymac.org>
Subject: [CFT] Likewise-open preliminary port

Hi everyone,

Over the past few weeks, I've been working on a Likewise-open [1] port and am starting to get something usable.
Technically speaking, the port builds fine on x86 and amd64 platforms (gcc-only ATM) and is able to use libraries from the ports tree instead of the ones bundled in the source tarball.

Basic functionality has been tested: with a local account database (SQLite), I was able to retrieve account information through nsswitch as well as authenticate a user on sshd through PAM. The CIFS server also works: a local Likewise user is able to connect to it.

Anyway, I am not a Likewise expert and there are still several -important- tests to perform:

- Try to join an Active Directory server and use it as an authentication source, instead of the local SQLite DB
- Play with client-side commands (lwio-copy, lwio-fuse-mount); I could not get them to work (see below) but I may have missed something
- Try advanced CIFS server configurations

Here are also the remaining tasks that have to be done before the port can hit the tree:

- Write a rc.d startup script (probably a wrapper to the provided init.d scripts)
- Fix build with clang
- Try to build with Heimdal (?)

I would be pleased to get feedback from you... any help or comment is welcome!

--

Now, for those interested, here is a quick setup HOWTO:

0) Getting the port:
*********************

The port can be downloaded here:

http://people.freebsd.org/~martymac/ports/likewise-open-6.2.0.r59706-port.tgz

Un-tar it into /usr/ports/net:

# tar xz -C /usr/ports/net -f likewise-open-6.2.0.r59706-port.tgz

1) Building
***********

Likewise-open has only been tested with MIT Kerberos (security/krb5). You will need to specify KRB5_HOME when building this dependency to have the port set a correct rpath and thus avoid loading base-system Heimdal libraries at runtime and getting a mixed MIT/Heimdal Kerberos environment, which would lead to unstable behaviour.
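A check for the mixed MIT/Heimdal situation just described, as an added example that is not part of the original mail or of the Likewise-open port: it classifies the Kerberos/GSS-API libraries a binary links against from ldd(1) output. It assumes the layout the mail describes (base-system Heimdal under /usr/lib, MIT krb5 from security/krb5 under /usr/local/lib) and uses constructed sample ldd output rather than output captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original mail or the Likewise-open port: classify
# the Kerberos/GSS-API libraries a binary links against, from ldd(1) output, to
# catch the mixed MIT/Heimdal case the mail warns about. Assumed layout (as in
# the mail): base Heimdal in /usr/lib, MIT krb5 (security/krb5) in /usr/local/lib.

# krb_mix_check TEXT: TEXT is ldd(1) output. Prints "none", "mit", "heimdal" or "mixed".
krb_mix_check() {
    mit=0
    heimdal=0
    while IFS= read -r line; do
        # only Kerberos / GSS-API shared objects are of interest
        case "$line" in
            *libkrb5*|*libgssapi*|*libk5crypto*) ;;
            *) continue ;;
        esac
        # /usr/local/lib is tested first; it does not contain the string "/usr/lib/"
        case "$line" in
            *'=> /usr/local/lib/'*) mit=1 ;;
            *'=> /usr/lib/'*|*'=> /lib/'*) heimdal=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$mit" = 1 ] && [ "$heimdal" = 1 ]; then echo mixed
    elif [ "$mit" = 1 ]; then echo mit
    elif [ "$heimdal" = 1 ]; then echo heimdal
    else echo none
    fi
}

# check_binary PATH: run ldd(1) on an installed file; exit status 1 when mixed.
check_binary() {
    result=$(krb_mix_check "$(ldd "$1" 2>/dev/null)")
    echo "$1: $result"
    [ "$result" != mixed ]
}

# Constructed sample ldd(1) output (not captured from a real system).
# Heimdal's libgssapi.so.10 from /usr/lib next to MIT's libkrb5.so.3: the bad case.
SAMPLE_MIXED='/usr/local/sbin/lwiod:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28100000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x28200000)
        libc.so.7 => /lib/libc.so.7 (0x28300000)'
# Everything Kerberos-related comes from security/krb5: the expected case.
SAMPLE_OK='/usr/local/sbin/lwiod:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x28100000)
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x28200000)
        libc.so.7 => /lib/libc.so.7 (0x28300000)'
```

`check_binary /usr/local/sbin/lwiod` runs the same classification against an installed binary after the port has been built.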
The best way to specify KRB5_HOME is either to add:

KRB5_HOME=/usr/local

in your /etc/make.conf file, or to build the likewise-open port this way:

# make KRB5_HOME=/usr/local install clean

It should build without errors.

2) Configuring
**************

Once installed, the first thing to do is to initialize the Likewise registry:

# /usr/local/etc/likewise-open/init.d/lwsmd start
# for file in /usr/local/etc/likewise-open/*.reg; do /usr/local/bin/lwregshell upgrade $file; done
# /usr/local/etc/likewise-open/init.d/lwsmd stop

The second thing to do is to check that your hostname(1) is resolvable through getaddrinfo(3). You can do this by adding an appropriate record to your DNS server or a line in /etc/hosts.

Finally, configure the gss library by copying the provided mech file into /usr/local/etc/gss/mech:

# cp /usr/local/etc/likewise-open/gss/mech /usr/local/etc/gss/mech

That should be all that is needed (for basic testing).

3) Starting up:
****************

As no FreeBSD rc script is provided (yet), you'll have to use the common scripts provided to start Likewise up. They work fine on FreeBSD:

# /usr/local/etc/likewise-open/init.d/lwsmd start
# /usr/local/bin/lwsm start eventlog
# /usr/local/bin/lwsm start srvsvc

You can check that each service is running with the following command:

# /usr/local/bin/lwsm list

4) Testing:
************

Once everything is running, let's configure nsswitch:

# /usr/local/bin/domainjoin-cli configure --enable nsswitch

This command will modify your /etc/nsswitch.conf file and add the lsass module. You might want to make a backup of this file before testing the command. The lsass module will delegate user and group identification to Likewise.
Then, you can try adding a user to Likewise's local SQLite account database:

# lw-add-user --home /home/test1 --shell /bin/sh test1
# lw-mod-user --enable-user --set-password 'abcd' test1

and create a home for him:

# mkdir /home/test1
# chown 2000:1800 /home/test1

Then you can check that this user is recognized through nsswitch:

# id LAPTOP\\test1
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) groups=1800(LAPTOP\Likewise Users)
# id 2000
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) groups=1800(LAPTOP\Likewise Users)
# getent passwd
[...]
LAPTOP\Administrator:x:1500:1800::/:/bin/sh
LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh

You can then check that he is able to connect to the 'c$' CIFS share:

$ smbclient -U 'LAPTOP\test1' '//127.0.0.1/c$'

Now we can test authentication through PAM by enabling the pam module:

# /usr/local/bin/domainjoin-cli configure --enable pam

This command will modify your PAM (/etc/pam.d/*) configuration files. You may also want to back them up first. Then you can try to authenticate through ssh, which should work:

$ ssh 'LAPTOP\test1@127.0.0.1'

You can then disable the PAM module by running:

# /usr/local/bin/domainjoin-cli configure --disable pam

or by manually reverting your PAM configuration files.

5) What does not work:
***********************

lwio-fuse-mount:
*****************

I have also tried to use the provided FUSE-based CIFS client (you have to choose to build it in the port's options), but it fails:

# kldload /usr/local/modules/fuse.ko
# lwio-fuse-mount --user 'LAPTOP\test1' --domain LAPTOP --path '//127.0.0.1/c$' /mnt/tmp
Password for LAPTOP\test1:
# ls /mnt/tmp
ls: /mnt/tmp: Input/output error

giving the following errors in /var/log/messages:

Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide more information)
Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling gss_init_sec_context: 100008 ()

I am not sure whether this fuse module should still work or not, see [2].

lwio-copy:
***********

Finally, I have tried the lwio-copy tool, which didn't work either, giving exactly the same error messages as lwio-fuse-mount in the logs:

# lwio-copy -u test1 -d LAPTOP '//127.0.0.1/c$/test' /tmp
Password:
Error: lwio-copy unsuccessfull
Please check if lwiod and lsassd running

Sometimes it also makes lwio die just after getting the previous messages:

Jun 8 18:25:09 laptop /usr/local/sbin/lwsmd: Restarting dead service: lwio (attempt 2/2)
Jun 8 18:25:09 laptop kernel: pid 1605 (lwsmd), uid 0: exited on signal 1

Here is a full backtrace of this crash:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2891dec0 (LWP 100240)]
0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c) at ./../lwmsg/src/peer-session.c:599
599         if (!handle->valid)
(gdb) bt full
#0  0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c) at ./../lwmsg/src/peer-session.c:599
        status = LWMSG_STATUS_SUCCESS
        my_session = (PeerSession *) 0x28dd5f90
#1  0x280b374e in lwmsg_assoc_marshal_handle (mcontext=0x28b34790, attrs=0xbf8fb190, object=0xbf4f9cc8, transmit_object=0x28b34768, data=0x28ec58e8) at ./../lwmsg/src/assoc-marshal.c:86
        status = LWMSG_STATUS_SUCCESS
        handle = (void *) 0x535347
        transmit = (LWMsgHandleRep *) 0x28b34768
        session = (LWMsgSession *) 0x28dd5f90
        type = 0x0
        context = (const LWMsgContext *) 0x28dce780
        __FUNCTION__ = "lwmsg_assoc_marshal_handle"
#2  0x280bd436 in lwmsg_data_marshal_custom (context=0x28b34790, state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:377
        status = LWMSG_STATUS_SUCCESS
        transmit_object = (void *) 0x28b34768
        typeclass = (LWMsgTypeClass *) 0x280cee4c
        transmit_iter = {spec = 0x280cef40, kind = LWMSG_KIND_STRUCT, offset = 0, size = 8, tag = 13803445756636645264, verify = 0, verify_data = 0xbf8fb4f0, attrs = {flags = 0, custom = 0, range_low = 0, range_high = 0, max_alloc = 0}, info = {kind_variant = {is_mask = 2}, kind_integer = {width = 2, sign = 3213865144}, kind_compound = {discrim = {offset = 2, size = 3213865144}}, kind_indirect = {term = LWMSG_TERM_MEMBER, term_info = {member = {offset = 3213865144, size = 671881508}, static_length = 3213865144}, encoding = 0x28ecbf48 ""}, kind_custom = {typeclass = 0x2, typedata = 0xbf8fb0b8}}, inner = 0x280cef4c, next = 0x0, dom_object = 0x280bee9c "\201Ã\020\017\001", meta = {type_name = 0x280cbd0f "LWMsgHandleRep", member_name = 0x0, container_name = 0x0}, debug = {file = 0x0, line = 0}}
        my_state = {dominating_object = 0x0, map = 0xbf8fb3f4}
#3  0x280bdadc in lwmsg_data_marshal_internal (context=0x28b34790, state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:683
        status = LWMSG_STATUS_SUCCESS
#4  0x280bd548 in lwmsg_data_marshal_struct_member (context=0x28b34790, state=0xbf8fb3ec, struct_iter=0xbf8fb250, member_iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:441
        my_state = {dominating_object = 0xbf4f9cc8 "GSS", map = 0xbf8fb3f4}
        member_object = (unsigned char *) 0xbf4f9cc8 "GSS"
#5  0x280bd5ab in lwmsg_data_marshal_struct (context=0x28b34790, state=0xbf8fb3ec, iter=0xbf8fb250, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:467
        status = LWMSG_STATUS_SUCCESS

I may have missed something when trying those two commands, e.g. I have not tried them in a domain mode, nor do I have a KDC running; I am not sure whether this is necessary or not for them to work.

6) Links:
**********

[1] http://www.likewiseopen.org
[2] http://lists.likewiseopen.org/pipermail/likewise-open-discuss/2009-October/001309.html

Other links you may find useful:

* Likewise Open Installation and Administration Guide: http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
* Likewise-CIFS user guide: http://www.likewise.com/resources/documentation_library/manuals/cifs/likewise-cifs-smb-file-server-guide.html
* Forums: http://www.likewise.com/community/index.php/forums
* Lists: http://lists.likewiseopen.org
* Bug reports: http://lobugs.likewise.com

Best regards,

-- 
Ganael LAPLANCHE
http://www.martymac.org | http://contribs.martymac.org
FreeBSD: martymac, http://www.FreeBSD.org