[CFT] Likewise-open preliminary port

Ganael Laplanche ganael.laplanche at martymac.org
Tue Jun 21 08:30:03 UTC 2011


Hi everyone,

Over the past few weeks, I've been working on a Likewise-open [1] port and am 
starting to get something usable.

Technically speaking, the port builds fine on x86 and amd64 platforms (gcc-
only ATM) and is able to use libraries from the ports tree instead of the ones 
bundled in the source tarball.

Basic functionality has been tested: with a local account database (SQLite), 
I was able to retrieve account information through nsswitch as well as 
authenticate a user on sshd through PAM. The CIFS server also works: a local 
Likewise user is able to connect to it.

Anyway, I am not a Likewise expert and there are still several -important- 
tests to perform:
- Try to join an Active Directory server and use it as an authentication 
source, instead of the local SQLite DB
- Play with client-side commands (lwio-copy, lwio-fuse-mount); I could not 
get them to work (see below) but I may have missed something
- Try advanced CIFS server configurations

Here are also the remaining tasks that have to be done before the port can hit 
the tree:
- Write a rc.d startup script (probably a wrapper to the provided init.d 
scripts)
- Fix build with clang
- Try to build with Heimdal (?)

I would be pleased to get feedback from you; any help or comment is welcome!

--

Now, for those interested, here is a quick setup HOWTO :

0) Getting the port :
*********************

The port can be downloaded here:

http://people.freebsd.org/~martymac/ports/likewise-open-6.2.0.r59706-port.tgz

Un-tar it into /usr/ports/net:

# tar xz -C /usr/ports/net -f likewise-open-6.2.0.r59706-port.tgz

1) Building
***********

Likewise-open has only been tested with MIT Kerberos (security/krb5). You will 
need to specify KRB5_HOME when building this dependency so that the port sets a 
correct rpath, and thus avoids loading base-system Heimdal libraries at runtime 
and ending up with a mixed MIT/Heimdal Kerberos environment, which would lead 
to unstable behaviour.

The best way to do this is either to add:

KRB5_HOME=/usr/local

in your /etc/make.conf file, or build the likewise-open port this way:

# make KRB5_HOME=/usr/local install clean

It should build without errors.

2) Configuring
**************

Once installed, the first thing to do is to initialize the Likewise registry:

# /usr/local/etc/likewise-open/init.d/lwsmd start
# for file in /usr/local/etc/likewise-open/*.reg; do /usr/local/bin/lwregshell upgrade "$file"; done
# /usr/local/etc/likewise-open/init.d/lwsmd stop

The second thing to do is to check that your hostname(1) is resolvable through 
getaddrinfo(3). You can do this by adding an appropriate record to your DNS 
server or a line in /etc/hosts.

Finally, configure the gss library by copying the provided mech file into 
/usr/local/etc/gss/mech:

# cp /usr/local/etc/likewise-open/gss/mech /usr/local/etc/gss/mech

That should be all that is needed (for basic testing).

3) Starting up :
****************

As no FreeBSD rc script is provided (yet), you'll have to use the generic 
init.d scripts that come with Likewise to start it up. They work fine on FreeBSD:

# /usr/local/etc/likewise-open/init.d/lwsmd start
# /usr/local/bin/lwsm start eventlog
# /usr/local/bin/lwsm start srvsvc

You can check that each service is running with the following command:

# /usr/local/bin/lwsm list

4) Testing :
************

Once everything is running, let's configure nsswitch:

# /usr/local/bin/domainjoin-cli configure --enable nsswitch

This command will modify your /etc/nsswitch.conf file and add the lsass 
module. You might want to make a backup of this file before testing the 
command. The lsass module will delegate user and group identification to 
Likewise.

Then, you can try adding a user to Likewise's local SQLite account database:

# lw-add-user --home /home/test1 --shell /bin/sh test1
# lw-mod-user --enable-user --set-password 'abcd' test1

and create a home for him:

# mkdir /home/test1
# chown 2000:1800 /home/test1

Then you can check that this user is recognized through nsswitch:

# id LAPTOP\\test1
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) 
groups=1800(LAPTOP\Likewise Users)
# id 2000
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) 
groups=1800(LAPTOP\Likewise Users)
# getent passwd
[...]
LAPTOP\Administrator:x:1500:1800::/:/bin/sh
LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh

You can then check that he is able to connect to the 'c$' CIFS share:

$ smbclient -U 'LAPTOP\test1' '//127.0.0.1/c$'

Now we can test authentication through PAM by enabling the pam module:

# /usr/local/bin/domainjoin-cli configure --enable pam

This command will modify your PAM (/etc/pam.d/*) configuration files. You may 
want to back them up first, too.

Then you can try to authenticate through ssh, which should work:

$ ssh 'LAPTOP\test1 at 127.0.0.1'

You can then disable the PAM module by running:

# /usr/local/bin/domainjoin-cli configure --disable pam

or by manually reverting your PAM configuration files.

5) What does not work :
***********************

lwio-fuse-mount :
*****************

I have also tried to use the provided FUSE-based CIFS client (you have to 
choose to build it in the port's options), but it fails:

# kldload /usr/local/modules/fuse.ko
# lwio-fuse-mount --user 'LAPTOP\test1' --domain LAPTOP --path '//127.0.0.1/c$' /mnt/tmp
Password for LAPTOP\test1:
# ls /mnt/tmp
ls: /mnt/tmp: Input/output error

giving the following errors in /var/log/messages:

Jun  8 18:25:09 laptop lwio: [lwio] GSS-API error calling 
gss_init_sec_context: 851968 (Unspecified GSS failure.  Minor code may provide 
more information)
Jun  8 18:25:09 laptop lwio: [lwio] GSS-API error calling 
gss_init_sec_context: 100008 ()

I am not sure whether this fuse module should still work or not, see [2].

lwio-copy :
***********

Finally, I have tried the lwio-copy tool, which didn't work either, giving 
exactly the same error messages as lwio-fuse-mount in the logs:

# lwio-copy -u test1 -d LAPTOP '//127.0.0.1/c$/test' /tmp
Password:
Error: lwio-copy unsuccessfull
Please check if lwiod and lsassd running

Sometimes it also makes lwio die just after logging the previous messages:

Jun  8 18:25:09 laptop /usr/local/sbin/lwsmd: Restarting dead service: lwio 
(attempt 2/2)
Jun  8 18:25:09 laptop kernel: pid 1605 (lwsmd), uid 0: exited on signal 1

Here is a full backtrace of this crash:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2891dec0 (LWP 100240)]
0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347, 
type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c)
    at ./../lwmsg/src/peer-session.c:599
599         if (!handle->valid)
(gdb) bt full
#0  0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, 
handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c)
    at ./../lwmsg/src/peer-session.c:599
        status = LWMSG_STATUS_SUCCESS
        my_session = (PeerSession *) 0x28dd5f90
#1  0x280b374e in lwmsg_assoc_marshal_handle (mcontext=0x28b34790, 
attrs=0xbf8fb190, object=0xbf4f9cc8, transmit_object=0x28b34768,
    data=0x28ec58e8) at ./../lwmsg/src/assoc-marshal.c:86
        status = LWMSG_STATUS_SUCCESS
        handle = (void *) 0x535347
        transmit = (LWMsgHandleRep *) 0x28b34768
        session = (LWMsgSession *) 0x28dd5f90
        type = 0x0
        context = (const LWMsgContext *) 0x28dce780
        __FUNCTION__ = "lwmsg_assoc_marshal_handle"
#2  0x280bd436 in lwmsg_data_marshal_custom (context=0x28b34790, 
state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS",
    buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:377
        status = LWMSG_STATUS_SUCCESS
        transmit_object = (void *) 0x28b34768
        typeclass = (LWMsgTypeClass *) 0x280cee4c
        transmit_iter = {spec = 0x280cef40, kind = LWMSG_KIND_STRUCT, offset = 
0, size = 8, tag = 13803445756636645264, verify = 0,
  verify_data = 0xbf8fb4f0, attrs = {flags = 0, custom = 0, range_low = 0, 
range_high = 0, max_alloc = 0}, info = {kind_variant = {
      is_mask = 2}, kind_integer = {width = 2, sign = 3213865144}, 
kind_compound = {discrim = {offset = 2, size = 3213865144}},
    kind_indirect = {term = LWMSG_TERM_MEMBER, term_info = {member = {offset = 
3213865144, size = 671881508}, static_length = 3213865144},
      encoding = 0x28ecbf48 ""}, kind_custom = {typeclass = 0x2, typedata = 
0xbf8fb0b8}}, inner = 0x280cef4c, next = 0x0,
  dom_object = 0x280bee9c "\201Ã\020\017\001", meta = {type_name = 0x280cbd0f 
"LWMsgHandleRep", member_name = 0x0, container_name = 0x0},
  debug = {file = 0x0, line = 0}}
        my_state = {dominating_object = 0x0, map = 0xbf8fb3f4}
#3  0x280bdadc in lwmsg_data_marshal_internal (context=0x28b34790, 
state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS",
    buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:683
        status = LWMSG_STATUS_SUCCESS
#4  0x280bd548 in lwmsg_data_marshal_struct_member (context=0x28b34790, 
state=0xbf8fb3ec, struct_iter=0xbf8fb250, member_iter=0xbf8fb170,
    object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-
marshal.c:441
        my_state = {dominating_object = 0xbf4f9cc8 "GSS", map = 0xbf8fb3f4}
        member_object = (unsigned char *) 0xbf4f9cc8 "GSS"
#5  0x280bd5ab in lwmsg_data_marshal_struct (context=0x28b34790, 
state=0xbf8fb3ec, iter=0xbf8fb250, object=0xbf4f9cc8 "GSS",
    buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:467
        status = LWMSG_STATUS_SUCCESS

I may have missed something when trying those two commands, e.g. I have not 
tried them in domain mode, nor do I have a KDC running; I am not sure whether 
this is necessary for them to work.

6) Links :
**********

[1] http://www.likewiseopen.org
[2] http://lists.likewiseopen.org/pipermail/likewise-open-discuss/2009-October/001309.html

Other links you may find useful:

* Likewise Open Installation and Administration Guide:
  http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
* Likewise-CIFS user guide:
  http://www.likewise.com/resources/documentation_library/manuals/cifs/likewise-cifs-smb-file-server-guide.html
* Forums:
  http://www.likewise.com/community/index.php/forums
* Lists:
  http://lists.likewiseopen.org
* Bug reports:
  http://lobugs.likewise.com

Best regards,

-- 
Ganael LAPLANCHE <ganael.laplanche at martymac.org>
http://www.martymac.org | http://contribs.martymac.org
FreeBSD: martymac <martymac at FreeBSD.org>, http://www.FreeBSD.org
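As an added example that is not part of the original post, of the port, or of Likewise-open itself: a small POSIX sh script with two offline checks for the setup described above. The first parses ldd(1) output and flags the mixed Heimdal/MIT Kerberos environment the post warns about when KRB5_HOME is not set (a binary resolving Kerberos/GSS libraries from both /usr/lib and /usr/local/lib). The second parses getent(1) output and verifies that the entry lsass serves for a user (here the post's 'LAPTOP\test1') has the expected uid, gid, home and shell. The ldd and getent samples embedded below are constructed; the library names, the /usr/local/sbin/lsassd path and the 'LAPTOP' host name are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the port or from Likewise-open): two offline checks
# for a freshly installed Likewise-open test box. Both take command output as
# a string so they can run on the constructed samples below or on live output.

# check_krb5_mixing LDD_OUTPUT
# Returns 0 when every Kerberos/GSS library resolves from a single tree and
# 1 when some come from base-system Heimdal (/usr/lib) while others come
# from the ports MIT Kerberos (/usr/local/lib), i.e. the mixed environment
# you get when the port was built without KRB5_HOME=/usr/local.
check_krb5_mixing() {
    printf '%s\n' "$1" | awk '
        /lib(krb5|gssapi|gssapi_krb5|k5crypto|asn1|roken|hx509|heimbase|wind|com_err)[^ ]*\.so/ {
            if ($0 ~ /=> \/usr\/lib\//)       base++
            if ($0 ~ /=> \/usr\/local\/lib\//) ports++
        }
        END { exit (base > 0 && ports > 0) ? 1 : 0 }'
}

# check_passwd_entry GETENT_OUTPUT NAME UID GID HOME SHELL
# Returns 0 when NAME (e.g. 'LAPTOP\test1') appears with exactly the expected
# uid, gid, home directory and shell, 1 otherwise. Values go through the
# environment rather than awk -v because -v would turn the '\t' in
# 'LAPTOP\test1' into a tab character.
check_passwd_entry() {
    printf '%s\n' "$1" | PW_NAME="$2" PW_UID="$3" PW_GID="$4" PW_HOME="$5" PW_SHELL="$6" awk -F: '
        $1 == ENVIRON["PW_NAME"] {
            found = 1
            ok = ($3 == ENVIRON["PW_UID"] && $4 == ENVIRON["PW_GID"] &&
                  $6 == ENVIRON["PW_HOME"] && $7 == ENVIRON["PW_SHELL"])
        }
        END { exit (found && ok) ? 0 : 1 }'
}

# Constructed ldd(1) sample: a correctly built lsassd, everything from ports MIT.
CLEAN_LDD=$(cat <<'EOF'
/usr/local/sbin/lsassd:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3
        libc.so.7 => /lib/libc.so.7
EOF
)

# Constructed ldd(1) sample: MIT libkrb5 from ports but Heimdal GSS from base.
MIXED_LDD=$(cat <<'EOF'
/usr/local/sbin/lsassd:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3
        libgssapi.so.10 => /usr/lib/libgssapi.so.10
        libc.so.7 => /lib/libc.so.7
EOF
)

# Constructed getent(1) sample, shaped like the output shown in the post.
SAMPLE_GETENT=$(cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
LAPTOP\Administrator:x:1500:1800::/:/bin/sh
LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh
EOF
)

# report_krb5 LABEL LDD_OUTPUT: human-readable wrapper around check_krb5_mixing.
report_krb5() {
    if check_krb5_mixing "$2"; then
        printf '%s: Kerberos/GSS libraries resolve from one tree\n' "$1"
    else
        printf '%s: MIXED Heimdal/MIT libraries; rebuild with KRB5_HOME=/usr/local\n' "$1"
    fi
}

report_krb5 clean "$CLEAN_LDD"
report_krb5 mixed "$MIXED_LDD"

if check_passwd_entry "$SAMPLE_GETENT" 'LAPTOP\test1' 2000 1800 /home/test1 /bin/sh; then
    printf '%s\n' 'LAPTOP\test1 is served by lsass with the expected uid/gid/home/shell'
else
    printf '%s\n' 'LAPTOP\test1 missing or wrong in getent output'
fi
```

On a live box, feed real output instead of the samples: check_krb5_mixing "$(ldd /usr/local/sbin/lsassd)" after building the port, and check_passwd_entry "$(getent passwd)" 'LAPTOP\test1' 2000 1800 /home/test1 /bin/sh after the domainjoin-cli nsswitch step. The daemon path is an assumption; run the first check against every Likewise daemon and against lwio-copy, since a mix of Heimdal and MIT in a single process is one plausible source of the opaque gss_init_sec_context failures the post reports.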