Hi everyone,

Over the past few weeks, I've been working on a Likewise-open [1] port and am starting to get something usable.

Technically speaking, the port builds fine on x86 and amd64 platforms (gcc-only ATM) and is able to use libraries from the ports tree instead of the ones bundled in the source tarball. Basic functionality has been tested: with a local account database (SQLite), I was able to retrieve account information through nsswitch as well as authenticate a user on sshd through PAM. The CIFS server also works: a local Likewise user is able to connect to it.

Anyway, I am not a Likewise expert and there are still several -important- tests to perform:

- Try to join an Active Directory server and use it as an authentication source, instead of the local SQLite DB
- Play with client-side commands (lwio-copy, lwio-fuse-mount); I could not get them to work (see below) but I may have missed something
- Try advanced CIFS server configurations

Here are also remaining tasks that have to be done before the port can hit the tree:

- Write a rc.d startup script (probably a wrapper to the provided init.d scripts)
- Fix build with clang
- Try to build with Heimdal (?)

I would be pleased to get feedback from you... any help or comment is welcome!

--

Now, for those interested, here is a quick setup HOWTO:

0) Getting the port
*******************

The port can be downloaded here:
http://people.freebsd.org/~martymac/ports/likewise-open-6.2.0.r59706-port.tgz

Un-tar it into /usr/ports/net:

  # tar xz -C /usr/ports/net -f likewise-open-6.2.0.r59706-port.tgz

1) Building
***********

Likewise-open has only been tested with MIT Kerberos (security/krb5). You will need to specify KRB5_HOME when building this dependency to have the port set a correct rpath, thus avoiding loading base-system Heimdal libraries at runtime and getting a mixed MIT/Heimdal Kerberos environment, which would lead to unstable behaviour.
The best way to do this is either to add:

  KRB5_HOME=/usr/local

in your /etc/make.conf file, or build the likewise-open port this way:

  # make KRB5_HOME=/usr/local install clean

It should build without errors.

2) Configuring
**************

Once installed, the first thing to do is to initialize the Likewise registry:

  # /usr/local/etc/likewise-open/init.d/lwsmd start
  # for file in /usr/local/etc/likewise-open/*.reg; do /usr/local/bin/lwregshell upgrade $file; done
  # /usr/local/etc/likewise-open/init.d/lwsmd stop

The second thing to do is to check that your hostname(1) is resolvable through getaddrinfo(3). You can do this by adding an appropriate record to your DNS server or a line in /etc/hosts.

Finally, configure the gss library by copying the provided mech file into /usr/local/etc/gss/mech:

  # cp /usr/local/etc/likewise-open/gss/mech /usr/local/etc/gss/mech

That should be all that is needed (for basic testing).

3) Starting up
**************

As no FreeBSD rc script is provided (yet), you'll have to use the common scripts provided to start Likewise up. They work fine on FreeBSD:

  # /usr/local/etc/likewise-open/init.d/lwsmd start
  # /usr/local/bin/lwsm start eventlog
  # /usr/local/bin/lwsm start srvsvc

You can check that each service is running with the following command:

  # /usr/local/bin/lwsm list

4) Testing
**********

Once everything is running, let's configure nsswitch:

  # /usr/local/bin/domainjoin-cli configure --enable nsswitch

This command will modify your /etc/nsswitch.conf file and add the lsass module. You might want to make a backup of this file before testing the command. The lsass module will delegate user and group identification to Likewise.
Then, you can try adding a user to Likewise's local SQLite account database:

  # lw-add-user --home /home/test1 --shell /bin/sh test1
  # lw-mod-user --enable-user --set-password 'abcd' test1

and create a home for him:

  # mkdir /home/test1
  # chown 2000:1800 /home/test1

Then you can check this user is recognized through nsswitch:

  # id LAPTOP\\test1
  uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) groups=1800(LAPTOP\Likewise Users)
  # id 2000
  uid=2000(LAPTOP\test1) gid=1800(LAPTOP\Likewise Users) groups=1800(LAPTOP\Likewise Users)
  # getent passwd
  [...]
  LAPTOP\Administrator:x:1500:1800::/:/bin/sh
  LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
  LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh

You can then check that he is able to connect to the 'c$' CIFS share:

  $ smbclient -U 'LAPTOP\test1' '//127.0.0.1/c$'

Now we can test authentication through PAM by enabling the pam module:

  # /usr/local/bin/domainjoin-cli configure --enable pam

This command will modify your PAM (/etc/pam.d/*) configuration files. You may also want to back them up first. Then you can try to authenticate through ssh, which should work:

  $ ssh 'LAPTOP\test1@127.0.0.1'

You can then disable the PAM module by running:

  # /usr/local/bin/domainjoin-cli configure --disable pam

or by manually reverting your PAM configuration files.

5) What does not work
*********************

lwio-fuse-mount
***************

I have also tried to use the provided FUSE-based CIFS client (you have to choose to build it in the port's options), but it fails:

  # kldload /usr/local/modules/fuse.ko
  # lwio-fuse-mount --user 'LAPTOP\test1' --domain LAPTOP --path '//127.0.0.1/c$' /mnt/tmp
  Password for LAPTOP\test1:
  # ls /mnt/tmp
  ls: /mnt/tmp: Input/output error

giving the following errors in /var/log/messages:

  Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling gss_init_sec_context: 851968 (Unspecified GSS failure.  Minor code may provide more information)
  Jun 8 18:25:09 laptop lwio: [lwio] GSS-API error calling gss_init_sec_context: 100008 ()

I am not sure whether this fuse module should still work or not, see [2].

lwio-copy
*********

Finally, I have tried the lwio-copy tool, which didn't work either, giving exactly the same error messages as lwio-fuse-mount in the logs:

  # lwio-copy -u test1 -d LAPTOP '//127.0.0.1/c$/test' /tmp
  Password:
  Error: lwio-copy unsuccessfull
  Please check if lwiod and lsassd running

Sometimes it also makes lwio die just after getting the previous messages:

  Jun 8 18:25:09 laptop /usr/local/sbin/lwsmd: Restarting dead service: lwio (attempt 2/2)
  Jun 8 18:25:09 laptop kernel: pid 1605 (lwsmd), uid 0: exited on signal 1

Here is a full backtrace of this crash:

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 2891dec0 (LWP 100240)]
  0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c) at ./../lwmsg/src/peer-session.c:599
  599         if (!handle->valid)
  (gdb) bt full
  #0  0x280a9d50 in peer_resolve_handle_to_id (session=0x28dd5f90, handle=0x535347, type=0xbf8fb004, htype=0x28b34768, hid=0x28b3476c) at ./../lwmsg/src/peer-session.c:599
          status = LWMSG_STATUS_SUCCESS
          my_session = (PeerSession *) 0x28dd5f90
  #1  0x280b374e in lwmsg_assoc_marshal_handle (mcontext=0x28b34790, attrs=0xbf8fb190, object=0xbf4f9cc8, transmit_object=0x28b34768, data=0x28ec58e8) at ./../lwmsg/src/assoc-marshal.c:86
          status = LWMSG_STATUS_SUCCESS
          handle = (void *) 0x535347
          transmit = (LWMsgHandleRep *) 0x28b34768
          session = (LWMsgSession *) 0x28dd5f90
          type = 0x0
          context = (const LWMsgContext *) 0x28dce780
          __FUNCTION__ = "lwmsg_assoc_marshal_handle"
  #2  0x280bd436 in lwmsg_data_marshal_custom (context=0x28b34790, state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:377
          status = LWMSG_STATUS_SUCCESS
          transmit_object = (void *) 0x28b34768
          typeclass = (LWMsgTypeClass *) 0x280cee4c
          transmit_iter = {spec = 0x280cef40, kind = LWMSG_KIND_STRUCT, offset = 0, size = 8, tag = 13803445756636645264, verify = 0, verify_data = 0xbf8fb4f0, attrs = {flags = 0, custom = 0, range_low = 0, range_high = 0, max_alloc = 0}, info = {kind_variant = {is_mask = 2}, kind_integer = {width = 2, sign = 3213865144}, kind_compound = {discrim = {offset = 2, size = 3213865144}}, kind_indirect = {term = LWMSG_TERM_MEMBER, term_info = {member = {offset = 3213865144, size = 671881508}, static_length = 3213865144}, encoding = 0x28ecbf48 ""}, kind_custom = {typeclass = 0x2, typedata = 0xbf8fb0b8}}, inner = 0x280cef4c, next = 0x0, dom_object = 0x280bee9c "\201Ã\020\017\001", meta = {type_name = 0x280cbd0f "LWMsgHandleRep", member_name = 0x0, container_name = 0x0}, debug = {file = 0x0, line = 0}}
          my_state = {dominating_object = 0x0, map = 0xbf8fb3f4}
  #3  0x280bdadc in lwmsg_data_marshal_internal (context=0x28b34790, state=0xbf8fb13c, iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:683
          status = LWMSG_STATUS_SUCCESS
  #4  0x280bd548 in lwmsg_data_marshal_struct_member (context=0x28b34790, state=0xbf8fb3ec, struct_iter=0xbf8fb250, member_iter=0xbf8fb170, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:441
          my_state = {dominating_object = 0xbf4f9cc8 "GSS", map = 0xbf8fb3f4}
          member_object = (unsigned char *) 0xbf4f9cc8 "GSS"
  #5  0x280bd5ab in lwmsg_data_marshal_struct (context=0x28b34790, state=0xbf8fb3ec, iter=0xbf8fb250, object=0xbf4f9cc8 "GSS", buffer=0xbf8fb450) at ./../lwmsg/src/data-marshal.c:467
          status = LWMSG_STATUS_SUCCESS

I may have missed something when trying those two commands, e.g. I have not tried them in domain mode, nor do I have a KDC running; I am not sure whether this is necessary or not for them to work.
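Two checks worth scripting once the steps above are done, as an added example that is not part of the port or of Likewise itself. The first runs ldd(1) over the Likewise daemons and reports whether they resolve their Kerberos/GSS libraries from the ports MIT krb5 (/usr/local/lib, assuming KRB5_HOME=/usr/local as in step 1) or from the base-system Heimdal (/usr/lib), and flags the mixed case step 1 warns about. The second derives the owner of a new home directory from what nsswitch actually reports (getent passwd, as in step 4) instead of hardcoding 2000:1800. The ldd and getent samples in it are constructed for illustration, the /usr/local/sbin paths for lwiod and lsassd are assumptions, and it assumes no ports Heimdal is installed under /usr/local/lib.

```shell
#!/bin/sh
# Post-install checks for the Likewise-open setup described above.
# Added example, not code from the port or from Likewise. Assumptions:
#  - MIT Kerberos (security/krb5) was built with KRB5_HOME=/usr/local, so its
#    libraries live under /usr/local/lib; base-system Heimdal lives in /usr/lib;
#  - no ports Heimdal (security/heimdal) is installed under /usr/local/lib.

MIT_LIBDIR="${MIT_LIBDIR:-/usr/local/lib}"
BASE_LIBDIR="${BASE_LIBDIR:-/usr/lib}"

# krb_libs_from_ldd: read ldd(1) output on stdin and print one line per
# Kerberos/GSS library as "NAME PATH ORIGIN", ORIGIN being mit, heimdal or
# other. ldd prints lines such as
#   libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x2808b000)
krb_libs_from_ldd() {
    awk -v mit="$MIT_LIBDIR/" -v base="$BASE_LIBDIR/" '
        $2 == "=>" && $1 ~ /^lib(krb5|gssapi|k5crypto|com_err|asn1|roken|hx509|wind|heimntlm|hcrypto|heimbase)/ {
            origin = "other"
            if (index($3, mit) == 1) origin = "mit"
            else if (index($3, base) == 1) origin = "heimdal"
            print $1, $3, origin
        }'
}

# krb_mix_status: summarise where a binary's Kerberos libraries come from:
# "mit", "heimdal", "mixed" (both at once, the unstable case the HOWTO warns
# about) or "none" (no Kerberos library loaded at all).
krb_mix_status() {
    krb_libs_from_ldd | awk '
        { seen[$3] = 1 }
        END {
            if (("mit" in seen) && ("heimdal" in seen)) print "mixed"
            else if ("mit" in seen) print "mit"
            else if ("heimdal" in seen) print "heimdal"
            else print "none"
        }'
}

# check_binaries: run ldd over each existing binary given and report its
# status; returns 1 if any of them loads a mixed MIT/Heimdal set.
check_binaries() {
    rc=0
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        status=$(ldd "$bin" 2>/dev/null | krb_mix_status)
        echo "$bin: $status"
        [ "$status" = "mixed" ] && rc=1
    done
    return $rc
}

# home_owner_from_passwd: read passwd(5) lines (getent passwd output) on stdin
# and print "UID:GID" for USER. The name goes through the environment rather
# than awk -v, because -v would turn the backslash in LAPTOP\test1 into an
# escape sequence.
home_owner_from_passwd() {
    LW_USER="$1" awk -F: '
        $1 == ENVIRON["LW_USER"] { print $3 ":" $4; found = 1; exit }
        END { exit !found }'
}

# plan_home: print the mkdir/chown commands that create HOME for USER with the
# owner nsswitch reports instead of a hardcoded 2000:1800. Dry-run by design:
# pipe the output into sh(1) to apply it.
plan_home() {
    user="$1" home="$2"
    owner=$(home_owner_from_passwd "$user") || {
        echo "plan_home: account $user not found" >&2
        return 1
    }
    printf 'mkdir -p -m 0700 %s\nchown %s %s\n' "$home" "$owner" "$home"
}

# Constructed samples (not real output from the author's machine), used when
# the script is run without arguments.
SAMPLE_LDD_MIXED='/usr/local/sbin/lwiod:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x2808b000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x281a0000)
        libc.so.7 => /lib/libc.so.7 (0x28200000)'
SAMPLE_LDD_MIT='/usr/local/sbin/lsassd:
        libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x2808b000)
        libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x281b0000)
        libk5crypto.so.3 => /usr/local/lib/libk5crypto.so.3 (0x281c0000)
        libc.so.7 => /lib/libc.so.7 (0x28200000)'
SAMPLE_PASSWD='LAPTOP\Administrator:x:1500:1800::/:/bin/sh
LAPTOP\Guest:x:1501:1800::/tmp:/bin/sh
LAPTOP\test1:x:2000:1800::/home/test1:/bin/sh'

if [ "$#" -gt 0 ]; then
    # e.g.: sh lwcheck.sh /usr/local/sbin/lwsmd /usr/local/sbin/lwiod /usr/local/sbin/lsassd
    check_binaries "$@"
else
    printf '%s\n' "$SAMPLE_LDD_MIXED" | krb_mix_status   # mixed
    printf '%s\n' "$SAMPLE_LDD_MIT" | krb_mix_status     # mit
    printf '%s\n' "$SAMPLE_PASSWD" | plan_home 'LAPTOP\test1' /home/test1
fi
```

Run without arguments it exercises the constructed samples; with the daemon paths as arguments it inspects the installed binaries, and a "mixed" result means the rpath fix from step 1 did not take. For the home directory, `getent passwd | plan_home 'LAPTOP\test1' /home/test1 | sh` applies the printed commands.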
6) Links
********

[1] http://www.likewiseopen.org
[2] http://lists.likewiseopen.org/pipermail/likewise-open-discuss/2009-October/001309.html

Other links you may find useful:

* Likewise Open Installation and Administration Guide:
  http://www.likewise.com/resources/documentation_library/manuals/open/likewise-open-guide.html
* Likewise-CIFS user guide:
  http://www.likewise.com/resources/documentation_library/manuals/cifs/likewise-cifs-smb-file-server-guide.html
* Forums: http://www.likewise.com/community/index.php/forums
* Lists: http://lists.likewiseopen.org
* Bug reports: http://lobugs.likewise.com

Best regards,

--
Ganael LAPLANCHE <ganael.laplan...@martymac.org>
http://www.martymac.org | http://contribs.martymac.org
FreeBSD: martymac <marty...@freebsd.org>, http://www.FreeBSD.org