[CFT] Likewise-open preliminary port
Ganael Laplanche
ganael.laplanche at martymac.org
Tue Jun 21 08:30:03 UTC 2011
Hi everyone,
Over the past few weeks, I've been working on a Likewise-open [1] port and am
starting to get something useable.
Technically speaking, the port builds fine on x86 and amd64 platforms (gcc-
only ATM) and is able to use libraries from the ports tree instead of the ones
bundled in the source tarball.
Basic functionality has been tested: with a local account database (SQLite),
I was able to retrieve account information through nsswitch as well as
authenticate a user on sshd through PAM. The CIFS server also works: a local
Likewise user is able to connect to it.
Anyway, I am not a Likewise expert and there are still several -important-
tests to perform:
- Try to join an Active Directory server and use it as an authentication
source, instead of the local SQLite DB
- Play with client-side commands (lwio-copy, lwio-fuse-mount); I could not
get them to work (see below) but I may have missed something
- Try advanced CIFS server configurations
Here are also the remaining tasks that have to be done before the port can hit
the tree:
- Write a rc.d startup script (probably a wrapper to the provided init.d
scripts)
- Fix build with clang
- Try to build with Heimdal (?)
I would be pleased to get feedback from you... any help or comment is welcome!
--
Now, for those interested, here is a quick setup HOWTO :
0) Getting the port:
*********************
The port can be downloaded here:
http://people.freebsd.org/~martymac/ports/likewise-open-6.2.0.r59706-port.tgz
Un-tar it into /usr/ports/net:
# tar xz -C /usr/ports/net -f likewise-open-6.2.0.r59706-port.tgz
1) Building
***********
Likewise-open has only been tested with MIT Kerberos (security/krb5). You will
need to specify KRB5_HOME when building this dependency to have the port set a
correct rpath, thus avoiding loading the base-system Heimdal libraries at
runtime and getting a mixed MIT/Heimdal Kerberos environment, which would lead
to unstable behaviour.
The best way to do this is either to add
KRB5_HOME=/usr/local
to your /etc/make.conf file, or to build the likewise-open port this way:
# make KRB5_HOME=/usr/local install clean
It should build without errors.
2) Configuring
**************
Once installed, the first thing to do is to initialize the Likewise registry:
# /usr/local/etc/likewise-open/init.d/lwsmd start
# for file in /usr/local/etc/likewise-open/*.reg; do /usr/local/bin/lwregshell upgrade $file; done
# /usr/local/etc/likewise-open/init.d/lwsmd stop
The second thing to do is to check your hostname(1) is resolvable through
getaddrinfo(3). You can do this by adding an appropriate record to your DNS
server or a line in /etc/hosts.
Finally, configure the gss library by copying the provided mech file into
/usr/local/etc/gss/mech:
# cp /usr/local/etc/likewise-open/gss/mech /usr/local/etc/gss/mech
That should be all needed (for basic testing).
3) Starting up:
****************
As no FreeBSD rc script is provided (yet), you'll have to use common scripts
provided to start Likewise up. They work fine on FreeBSD :
# /usr/local/etc/likewise-open/init.d/lwsmd start
# /usr/local/bin/lwsm start eventlog
# /usr/local/bin/lwsm start srvsvc
You can check that each service is running with the following command:
# /usr/local/bin/lwsm list
4) Testing:
************
Once everything is running, let's configure nsswitch:
# /usr/local/bin/domainjoin-cli configure --enable nsswitch
This command will modify your /etc/nsswitch.conf file and add the lsass
module. You might want to make a backup of this file before testing the
command. The lsass module will delegate user and group identification to
Likewise.
Then, you can try adding a user to Likewise's local SQLite account database:
# lw-add-user --home /home/test1 --shell /bin/sh test1
# lw-mod-user --enable-user --set-password 'abcd' test1
and create a home for him:
# mkdir /home/test1
# chown 2000:1800 /home/test1
Then you can check this user is recognized through nsswitch:
# id LAPTOP\\test1
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users)
groups=1800(LAPTOP\Likewise Users)
# id 2000
uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users)
groups=1800(LAPTOP\Likewise Users)
# getent passwd
[...]
LAPTOP\Administrator:x:1500:1800::/:/bin/sh
LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh
You can then check that he is able to connect to the 'c$' CIFS share:
$ smbclient -U 'LAPTOP\test1' '//127.0.0.1/c$'
Now we can test authentication through PAM by enabling the pam module:
# /usr/local/bin/domainjoin-cli configure --enable pam
This command will modify your PAM (/etc/pam.d/*) configuration files. You may
also back them up first.
Then you can try to authenticate through ssh, which should work :
$ ssh 'LAPTOP\\test1@127.0.0.1'
You can then disable the PAM module by running:
# /usr/local/bin/domainjoin-cli configure --disable pam
or by manually reverting your PAM configuration files.
5) What does not work:
***********************
lwio-fuse-mount:
*****************
I have also tried to use the provided FUSE-based CIFS client (you have to
choose to build it in the port's options), but it fails:
# kldload /usr/local/modules/fuse.ko
# lwio-fuse-mount --user 'LAPTOP\test1' --domain LAPTOP --path '//127.0.0.1/c$' /mnt/tmp
Password for LAPTOP\test1:
# ls /mnt/tmp
ls: /mnt/tmp: Input/output error
giving the following errors in /var/log/messages:
Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling
gss_init_sec_context: 851968 (Unspecified GSS failure. Minor code may provide
more information)
Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling
gss_init_sec_context: 100008 ()
I am not sure whether this fuse module should still work or not, see [2].
lwio-copy:
***********
Finally, I have tried the lwio-copy tool, which didn't work either, giving
exactly the same error messages as lwio-fuse-mount in the logs:
# lwio-copy -u test1 -d LAPTOP '//127.0.0.1/c$/test' /tmp
Password:
Error: lwio-copy unsuccessfull
Please check if lwiod and lsassd running
Sometimes it also makes lwio die just after getting the previous messages:
Jun 8 18:25:09 laptop /usr/local/sbin/lwsmd: Restarting dead service: lwio
(attempt 2/2)
Jun 8 18:25:09 laptop kernel: pid 1605 (lwsmd), uid 0: exited on signal 1
Here is a full backtrace of this crash:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2891dec0 (LWP 100240)]
0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347,
type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c)
at ./../lwmsg/src/peer-session.c:599
599 if (!handle->valid)
(gdb) bt full
#0 0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90,
handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c)
at ./../lwmsg/src/peer-session.c:599
status = LWMSG_STATUS_SUCCESS
my_session = (PeerSession *) 0x28dd5f90
#1 0x280b374e in lwmsg_assoc_marshal_handle (mcontext=0x28b34790,
attrs=0xbf8fb190, object=0xbf4f9cc8, transmit_object=0x28b34768,
data=0x28ec58e8) at ./../lwmsg/src/assoc-marshal.c:86
status = LWMSG_STATUS_SUCCESS
handle = (void *) 0x535347
transmit = (LWMsgHandleRep *) 0x28b34768
session = (LWMsgSession *) 0x28dd5f90
type = 0x0
context = (const LWMsgContext *) 0x28dce780
__FUNCTION__ = "lwmsg_assoc_marshal_handle"
#2 0x280bd436 in lwmsg_data_marshal_custom (context=0x28b34790,
state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS",
buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:377
status = LWMSG_STATUS_SUCCESS
transmit_object = (void *) 0x28b34768
typeclass = (LWMsgTypeClass *) 0x280cee4c
transmit_iter = {spec = 0x280cef40, kind = LWMSG_KIND_STRUCT, offset =
0, size = 8, tag = 13803445756636645264, verify = 0,
verify_data = 0xbf8fb4f0, attrs = {flags = 0, custom = 0, range_low = 0,
range_high = 0, max_alloc = 0}, info = {kind_variant = {
is_mask = 2}, kind_integer = {width = 2, sign = 3213865144},
kind_compound = {discrim = {offset = 2, size = 3213865144}},
kind_indirect = {term = LWMSG_TERM_MEMBER, term_info = {member = {offset =
3213865144, size = 671881508}, static_length = 3213865144},
encoding = 0x28ecbf48 ""}, kind_custom = {typeclass = 0x2, typedata =
0xbf8fb0b8}}, inner = 0x280cef4c, next = 0x0,
dom_object = 0x280bee9c "\201Ã\020\017\001", meta = {type_name = 0x280cbd0f
"LWMsgHandleRep", member_name = 0x0, container_name = 0x0},
debug = {file = 0x0, line = 0}}
my_state = {dominating_object = 0x0, map = 0xbf8fb3f4}
#3 0x280bdadc in lwmsg_data_marshal_internal (context=0x28b34790,
state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS",
buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:683
status = LWMSG_STATUS_SUCCESS
#4 0x280bd548 in lwmsg_data_marshal_struct_member (context=0x28b34790,
state=0xbf8fb3ec, struct_iter=0xbf8fb250, member_iter=0xbf8fb170,
object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-
marshal.c:441
my_state = {dominating_object = 0xbf4f9cc8 "GSS", map = 0xbf8fb3f4}
member_object = (unsigned char *) 0xbf4f9cc8 "GSS"
#5 0x280bd5ab in lwmsg_data_marshal_struct (context=0x28b34790,
state=0xbf8fb3ec, iter=0xbf8fb250, object=0xbf4f9cc8 "GSS",
buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:467
status = LWMSG_STATUS_SUCCESS
I may have missed something when trying those two commands, e.g. I have not
tried them in domain mode, nor do I have a KDC running; I am not sure whether
this is necessary or not for them to work.
6) Links:
**********
[1] http://www.likewiseopen.org
[2] http://lists.likewiseopen.org/pipermail/likewise-open-discuss/2009-October/001309.html
Other links you may find useful :
* Likewise Open Installation and Administration Guide:
http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
* Likewise-CIFS user guide:
http://www.likewise.com/resources/documentation_library/manuals/cifs/likewise-cifs-smb-file-server-guide.html
* Forums :
http://www.likewise.com/community/index.php/forums
* Lists :
http://lists.likewiseopen.org
* Bug reports :
http://lobugs.likewise.com
Best regards,
--
Ganael LAPLANCHE <ganael.laplanche at martymac.org>
http://www.martymac.org | http://contribs.martymac.org
FreeBSD: martymac <martymac at FreeBSD.org>, http://www.FreeBSD.org
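The post warns that building without KRB5_HOME can leave the Likewise daemons loading the base-system Heimdal libraries next to the MIT Kerberos port, a mixed environment it describes as unstable. The script below is an added example, written for this page and not part of the original post or of Likewise-open, that checks for exactly that condition by classifying ldd(1) output. It assumes (hypothetically) that MIT krb5 from security/krb5 installs under /usr/local/lib, that the base-system Heimdal lives under /usr/lib, and that the daemons of interest are the ones listed in LW_BINS; the sample ldd output embedded in SAMPLE_LDD is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from Likewise-open): audit which
# Kerberos/GSS libraries a Likewise binary really resolves, so a mixed
# MIT (port) / Heimdal (base) link is caught before lsassd or lwiod misbehave.
# Assumptions (hypothetical): MIT krb5 lives under /usr/local/lib, the
# base-system Heimdal under /usr/lib, and the daemons are those in LW_BINS.

LW_BINS="/usr/local/sbin/lwsmd /usr/local/sbin/lsassd /usr/local/sbin/lwiod /usr/local/sbin/srvsvcd"

# krb5_classify: read ldd(1) output on stdin and print one word:
#   clean - only port (/usr/local/lib) Kerberos/GSS libraries resolved
#   mixed - both base (/usr/lib) Heimdal and port MIT libraries resolved
#   base  - only base-system Heimdal libraries resolved
#   none  - no Kerberos/GSS library in the list at all
krb5_classify() {
    base=0
    port=0
    while IFS= read -r line; do
        case "$line" in
            # Heimdal shipped with the FreeBSD base system
            *" => /usr/lib/libkrb5."*|*" => /usr/lib/libgssapi"*|\
            *" => /usr/lib/libasn1."*|*" => /usr/lib/libroken."*|\
            *" => /usr/lib/libhx509."*|*" => /usr/lib/libheimntlm."*)
                base=1 ;;
            # MIT Kerberos from the security/krb5 port
            *" => /usr/local/lib/libkrb5."*|*" => /usr/local/lib/libgssapi"*|\
            *" => /usr/local/lib/libk5crypto."*|*" => /usr/local/lib/libkrb5support."*)
                port=1 ;;
        esac
    done
    if [ "$base" -eq 1 ] && [ "$port" -eq 1 ]; then
        echo mixed
    elif [ "$port" -eq 1 ]; then
        echo clean
    elif [ "$base" -eq 1 ]; then
        echo base
    else
        echo none
    fi
}

# krb5_audit: run ldd on each binary given (default: LW_BINS), print
# "<verdict> <binary>" per line, and return 1 if any binary is mixed or
# base-only, so the check can gate a deployment script.
krb5_audit() {
    rc=0
    [ $# -gt 0 ] || set -- $LW_BINS
    for bin in "$@"; do
        if [ ! -x "$bin" ]; then
            echo "skip  $bin (not installed)"
            continue
        fi
        verdict=$(ldd "$bin" 2>/dev/null | krb5_classify)
        echo "$verdict $bin"
        case "$verdict" in mixed|base) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed ldd(1)-style output (not captured from a real host) for a daemon
# that picked up the base Heimdal libgssapi next to the port's MIT libkrb5,
# i.e. the situation a correct KRB5_HOME rpath is meant to prevent.
SAMPLE_LDD='    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x2808a000)
    libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x280a0000)
    libc.so.7 => /lib/libc.so.7 (0x28200000)'

# krb5_demo: classify the constructed sample; prints "mixed".
krb5_demo() {
    printf '%s\n' "$SAMPLE_LDD" | krb5_classify
}

# With arguments, audit those binaries; with none, run the offline demo.
if [ $# -gt 0 ]; then
    krb5_audit "$@"
else
    krb5_demo
fi
```

On a FreeBSD host with the port installed, run it as `sh krb5audit.sh` (or pass explicit binary paths) after `make KRB5_HOME=/usr/local install clean`; a `mixed` or `base` verdict means the rpath did not take effect and the daemon will load Heimdal from /usr/lib at runtime. The classification only looks at the `=>` resolution column, so it reports what the dynamic linker will actually load, not what the port was configured against.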