Updating Samba to 4.3.11_1

Sat Jul 23 23:09:26 UTC 2016

On 23 Jul, Karl Denninger wrote:
> On 7/23/2016 10:13, Gerard Seibert wrote:
>> On Sat, 23 Jul 2016 09:29:59 -0500, Karl Denninger stated:
>>
>>> Caution: This advice is WRONG.  If you have a RUNNING Samba 4.3 do NOT
>>> deinstall it before attempting to build the CVE-patched version.
>>>
>>> I followed the above advice on failure to build the latest Samba 4.3
>>> and now have NO samba server software on the machine; I get to recover
>> >from last snapshot now (or attempt to load it via pkg), as the build
>>> STILL fails in the same place following deinstall with errors in
>>> undefined references to BIO_ calls.
>>>
>>> Since Samba is a *very* widely used piece of software *and* the upgrade
>>> is broken the maintainer either needs to get this fixed pronto or the
>>> port needs to be marked broken so that people don't get hosed in this
>>> fashion on 11-BETA{1|2}.
>>>
>>> Good thing it's the weekend and I can afford the lack of SMB server on
>>> this network at the present time without being lynched.
>> Sorry, but my experience was very different from yours. I deleted the
>> old version of Samba43, deactivated it in rc.conf, rebooted the machine
>> and installed the new version. I reactivated it in rc.conf and manually
>> started it. Everything worked fine. Are you absolutely sure you deleted
>> it? Try "make clean" before rebuilding the port and see if that helps.
> Yes, I'm sure; I did a pkg delete before starting and a make clean.
> 
> Results (this is consistent and repeatable):
> 
> Waf: Entering directory `/usr/ports/net/samba43/work/samba-4.3.11/bin'
>         Selected embedded Heimdal build
> [3604/3871] Linking default/source3/client/smbclient
> runner cc default/source3/client/client_162.o
> default/source3/client/clitar_162.o
> default/source3/client/dnsbrowse_162.o
> default/libcli/smbreadline/smbreadline_1.o -o
> /usr/ports/net/samba43/work/samba-4.3.11/bin/default/source3/client/smbclient
> -fstack-protector -pie -Wl,-z,relro,-z,now -lpthread -Wl,-no-undefined
> -Wl,--export-dynamic -Wl,--as-needed
> -Wl,-rpath,/usr/ports/net/samba43/work/samba-4.3.11/bin/shared
> -Wl,-rpath,/usr/ports/net/samba43/work/samba-4.3.11/bin/shared/private
> -Ldefault/libds/common -Ldefault/auth -Ldefault/source4/lib/socket
> -Ldefault/libcli/nbt -Ldefault/lib/ldb-samba -Ldefault/nsswitch
> -Ldefault/source4/auth/kerberos -Ldefault/source4/dsdb
> -Ldefault/source4/libcli/ldap -Ldefault/source4/lib/events
> -Ldefault/libcli/registry -Ldefault/lib/tdb_wrap
> -Ldefault/source4/librpc -Ldefault/lib/param -Ldefault/auth/credentials
> -Ldefault/nsswitch/libwbclient -Ldefault/auth/gensec
> -Ldefault/lib/krb5_wrap -Ldefault/libcli/auth -Ldefault/libcli/cldap
> -Ldefault/libcli/ldap -Ldefault/lib/addns
> -Ldefault/source4/heimdal_build -Ldefault/lib -Ldefault/librpc
> -Ldefault/libcli/smb -Ldefault/lib/dbwrap -Ldefault/lib/socket
> -Ldefault/libcli/util -Ldefault/libcli/security -Ldefault/source3
> -Ldefault/lib/replace -Ldefault/lib/util -L/usr/local/lib -Wl,-Bdynamic
> -ltalloc-report-samba4 -ltevent-util -lreplace-samba4
> -lmessages-dgm-samba4 -lsamba-security-samba4 -lerrors-samba4
> -lsamba3-util-samba4 -lsys-rw-samba4 -lutil-tdb-samba4
> -linterfaces-samba4 -lpopt-samba3-samba4 -lsamba-util
> -lsocket-blocking-samba4 -lmessages-util-samba4 -llibsmb-samba4
> -lmsrpc3-samba4 -lserver-id-db-samba4 -ldbwrap-samba4 -liov-buf-samba4
> -lsmbconf -lcli-smb-common-samba4 -lsamba-cluster-support-samba4
> -ldcerpc-samba-samba4 -lndr-standard -lmsghdr-samba4
> -lsamba-sockets-samba4 -lndr -lsamba-debug-samba4 -lutil-cmdline-samba4
> -ltime-basic-samba4 -lutil-setid-samba4 -lgenrand-samba4 -lkrb5-samba4
> -laddns-samba4 -lgssapi-samba4 -lcli-ldap-common-samba4
> -lcli-cldap-samba4 -lcliauth-samba4 -lkrb5samba-samba4 -lgse-samba4
> -lgensec -lwbclient -lsamba-credentials -lndr-samba-samba4
> -lsamba-hostconfig -lndr-nbt -ldcerpc-binding -lndr-samba4
> -ltdb-wrap-samba4 -lsmbregistry-samba4 -lCHARSET3-samba4
> -lutil-reg-samba4 -lsmb-transport-samba4 -lroken-samba4 -levents-samba4
> -lsecrets3-samba4 -lheimbase-samba4 -lcom_err-samba4 -lasn1-samba4
> -lhx509-samba4 -lhcrypto-samba4 -lwind-samba4 -lasn1util-samba4
> -lcli-ldap-samba4 -lsamba-modules-samba4 -lsamdb -lauthkrb5-samba4
> -lwinbind-client-samba4 -lsamdb-common-samba4 -lldbsamba-samba4
> -lndr-krb5pac -lserver-role-samba4 -lsmbd-shim-samba4 -lcli-nbt-samba4
> -lnetif-samba4 -lauth-sam-reply-samba4 -lflag-mapping-samba4 -lutil -lz
> -lgnutls -lldb -ltalloc -lldap -llber -liconv -lmd -lrt -lexecinfo
> -lncurses -ltdb -lpopt -larchive -lcrypt -ltevent -lreadline
> //usr/local/lib/libssl.so.8: undefined reference to
> `BIO_dgram_sctp_msg_waiting'
> //usr/local/lib/libssl.so.8: undefined reference to `BIO_dgram_is_sctp'
> //usr/local/lib/libssl.so.8: undefined reference to
> `BIO_dgram_sctp_wait_for_dry'
> cc: error: linker command failed with exit code 1 (use -v to see invocation)
> Waf: Leaving directory `/usr/ports/net/samba43/work/samba-4.3.11/bin'
> Build failed:  -> task failed (err #1):

That's a different error than the one in the PR.

> Now let's remove the openssl port and....
> 
> .....
> 
> 
> Waf: Leaving directory `/usr/ports/net/samba43/work/samba-4.3.11/bin'
> 'build' finished successfully (39.249s)
> 
> Yep.
> 
> That's (badly) broken, because there are plenty of people (myself
> included) that *need* the newer openssl version on our systems and with
> or without it in /etc/make.conf declared as default *the newer version
> libraries still get picked up and blow up the Samba build.*

I've got this in my poudriere make.conf:
	WITH_OPENSSL_PORT=yes
	DEFAULT_VERSIONS+=ssl=openssl
and I haven't run into any build problems with samba43 on either FreeBSD
10 or 11 (though my last build on 11 was a few weeks ago).

What's interestinga about this error is that the samba43 Makefile has no
mention of ssl, and the link command above doesn't list -lssl, so why is
libssl getting hauled in?  Also, why aren't you seeing this error on
other things that use openssl from ports?

BIO_dgram_is_sctp is defined by the ports version of libcrpto.so.8,
which libssl is linked against, so that should be resolving the symbol.