CVE-2020-25719 mit-samba: If we use client_princ, always lookup the db entry
[Samba.git] / wscript
#!/usr/bin/env python

# Source root and build output directory used by the rest of this script.
top = '.'
out = 'bin'

APPNAME='samba'
VERSION=None

import sys, os, tempfile
# The wafsamba helper modules are loaded from inside the source tree, so this
# entry has to be in place before the wafsamba/samba_* imports below.
# NOTE(review): the entry is relative (top is '.') and is inserted at index 0,
# so it is resolved against the current working directory and takes precedence
# over installed modules of the same name.
sys.path.insert(0, top+"/buildtools/wafsamba")
import shutil
import wafsamba, samba_dist, samba_git, samba_version, samba_utils
from waflib import Options, Scripting, Logs, Context, Errors

# Paths that go into / stay out of the distribution tarball.
samba_dist.DIST_DIRS('.')
samba_dist.DIST_BLACKLIST('.gitignore .bzrignore source4/selftest/provisions')

# install in /usr/local/samba by default
default_prefix = Options.default_prefix = '/usr/local/samba'
21 # This callback optionally takes a list of paths as arguments:
22 # --with-system_mitkrb5 /path/to/krb5 /another/path
def system_mitkrb5_callback(option, opt, value, parser):
    # Option callback for --with-system-mitkrb5.
    #
    # Stores True under option.dest, then takes every following command-line
    # argument up to (not including) the first "--foo" style option and, if
    # any were taken, stores that list under option.dest instead.
    #
    # Documented with comments rather than a docstring: this is a callback,
    # not a command (see the --help remark above build() in this file).
    #
    # NOTE(review): only arguments of the form "--x..." stop the scan; a bare
    # "--" or a short option such as "-v" is collected as a path. The help
    # text says the collected paths are searched for krb5-config, so they
    # should only name trusted installation prefixes.
    setattr(parser.values, option.dest, True)

    pending = parser.rargs
    taken = 0
    while taken < len(pending):
        candidate = pending[taken]
        # stop on --foo like options
        if candidate.startswith("--") and len(candidate) > 2:
            break
        taken += 1

    if taken:
        paths = pending[:taken]
        # Remove the consumed arguments in place so the option parser does
        # not see them again.
        del pending[:taken]
        setattr(parser.values, option.dest, paths)
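def options(opt):
    # Registers the top-level configure options and pulls in the option
    # definitions of the listed subdirectories.
    #
    # Several on/off pairs below (ntvfs-fileserver, pie, relro, json) share
    # one dest and set no default, so the value stays unset unless the user
    # passes one of the two flags.
    opt.BUILTIN_DEFAULT('NONE')
    opt.PRIVATE_EXTENSION_DEFAULT('samba4')
    opt.RECURSE('lib/replace')
    opt.RECURSE('dynconfig')
    opt.RECURSE('packaging')
    opt.RECURSE('lib/ldb')
    opt.RECURSE('selftest')
    opt.RECURSE('source4/dsdb/samdb/ldb_modules')
    opt.RECURSE('pidl')
    opt.RECURSE('source3')
    opt.RECURSE('lib/util')
    opt.RECURSE('lib/crypto')
    opt.RECURSE('ctdb')

    # Optional Libraries
    # ------------------
    #
    # Most of the calls to opt.add_option() use default=True for the --with case
    #
    # To assist users and distributors to build Samba with the full feature
    # set, the build system will abort if our dependent libraries and their
    # header files are not found on the target system.  This will mean for
    # example, that xattr, acl and ldap headers must be installed for the
    # default build to complete.  The configure system will check for these
    # headers, and the error message will indicate the option (such as
    # --without-acl-support) that can be specified to skip this requirement.
    #
    # This will assist users and in particular distributors in building fully
    # functional packages, while allowing those on systems truly without these
    # facilities to continue to build Samba after careful consideration.
    #
    # It also ensures our container image generation in bootstrap/ is correct
    # as otherwise a missing package there would just silently work

    opt.samba_add_onoff_option('pthreadpool', with_name="enable", without_name="disable", default=True)

    opt.add_option('--with-system-mitkrb5',
                   help='build Samba with system MIT Kerberos. ' +
                        'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config',
                   action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False)

    # The help text itself states that this configuration receives no
    # security patches, so it has to be an explicit opt-in.
    opt.add_option('--with-experimental-mit-ad-dc',
                   help='Enable the experimental MIT Kerberos-backed AD DC.  ' +
                        'Note that security patches are not issued for this configuration',
                   action='store_true',
                   dest='with_experimental_mit_ad_dc',
                   default=False)

    opt.add_option('--with-system-mitkdc',
                   help=('Specify the path to the krb5kdc binary from MIT Kerberos'),
                   type="string",
                   dest='with_system_mitkdc',
                   default=None)

    # The pieces of this help text used to be combined with `and`, which
    # made the whole expression evaluate to its last string only; they are
    # now concatenated so the full sentence is shown.
    opt.add_option('--with-system-heimdalkrb5',
                   help=('build Samba with system Heimdal Kerberos. ' +
                         'Requires --without-ad-dc and ' +
                         'conflicts with --with-system-mitkrb5'),
                   action='store_true',
                   dest='with_system_heimdalkrb5',
                   default=False)

    opt.add_option('--without-ad-dc',
                   help='disable AD DC functionality (enables only Samba FS (File Server, Winbind, NMBD) and client utilities.',
                   action='store_true', dest='without_ad_dc', default=False)

    opt.add_option('--with-ntvfs-fileserver',
                   help='enable the deprecated NTVFS file server from the original Samba4 branch (default if --enable-selftest specified).  Conflicts with --with-system-mitkrb5 and --without-ad-dc',
                   action='store_true', dest='with_ntvfs_fileserver')

    opt.add_option('--without-ntvfs-fileserver',
                   help='disable the deprecated NTVFS file server from the original Samba4 branch',
                   action='store_false', dest='with_ntvfs_fileserver')

    # PIE and full RELRO are exploit mitigations. The --without-* variants
    # switch them off on purpose; leaving both flags out lets configure()
    # decide from what the compiler supports.
    opt.add_option('--with-pie',
                   help=("Build Position Independent Executables " +
                         "(default if supported by compiler)"),
                   action="store_true", dest='enable_pie')
    opt.add_option('--without-pie',
                   help=("Disable Position Independent Executable builds"),
                   action="store_false", dest='enable_pie')

    # A space was missing between the two halves of this help text.
    opt.add_option('--with-relro',
                   help=("Build with full RELocation Read-Only (RELRO) " +
                         "(default if supported by compiler)"),
                   action="store_true", dest='enable_relro')
    opt.add_option('--without-relro',
                   help=("Disable RELRO builds"),
                   action="store_false", dest='enable_relro')

    # The returned group object was never used; the call is kept as it was.
    opt.option_group('developer options')

    opt.load('python')  # options for disabling pyc or pyo compilation
    # enable options related to building python extensions

    opt.add_option('--with-json',
                   action='store_true', dest='with_json',
                   help=("Build with JSON support (default=True). This "
                         "requires the jansson development headers."))
    opt.add_option('--without-json',
                   action='store_false', dest='with_json',
                   help=("Build without JSON support."))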
def configure(conf):
    # Top-level configure step: sets global defines, validates option
    # combinations (raising Errors.WafError on conflicts), recurses into the
    # subdirectory configure scripts and finally writes include/config.h.
    # The order of the RECURSE / PROCESS_SEPARATE_RULE calls is kept exactly
    # as found; later steps read configuration set by earlier ones.
    version = samba_version.load_version(env=conf.env)

    conf.DEFINE('CONFIG_H_IS_FROM_SAMBA', 1)
    conf.DEFINE('_SAMBA_BUILD_', version.MAJOR, add_to_cflags=True)
    conf.DEFINE('HAVE_CONFIG_H', 1, add_to_cflags=True)

    if Options.options.developer:
        # NOTE(review): DEBUG_PASSWORD presumably allows password material in
        # debug output -- confirm, and keep developer builds out of
        # production.
        conf.ADD_CFLAGS('-DDEVELOPER -DDEBUG_PASSWORD')
        conf.env.DEVELOPER = True
        # if we are in a git tree without a pre-commit hook, install a
        # simple default.
        # we need git for 'waf dist'
        githooksdir = None
        conf.find_program('git', var='GIT')
        if 'GIT' in conf.env:
            githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0],
                               msg='Finding githooks directory',
                               define=None,
                               on_target=False)
        if githooksdir and os.path.isdir(githooksdir):
            pre_commit_hook = os.path.join(githooksdir, 'pre-commit')
            # An existing pre-commit hook is never overwritten.
            if not os.path.exists(pre_commit_hook):
                Logs.info("Installing script/git-hooks/pre-commit-hook as %s" %
                          pre_commit_hook)
                shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'),
                            pre_commit_hook)

    conf.ADD_EXTRA_INCLUDES('#include/public #source4 #lib #source4/lib #source4/include #include #lib/replace')

    conf.env.replace_add_global_pthread = True
    conf.RECURSE('lib/replace')

    conf.RECURSE('examples/fuse')
    conf.RECURSE('examples/winexe')

    conf.SAMBA_CHECK_PERL(mandatory=True)
    conf.find_program('xsltproc', var='XSLTPROC')

    if conf.env.disable_python:
        if not (Options.options.without_ad_dc):
            raise Errors.WafError('--disable-python requires --without-ad-dc')

    conf.SAMBA_CHECK_PYTHON()
    conf.SAMBA_CHECK_PYTHON_HEADERS()

    if sys.platform == 'darwin' and not conf.env['HAVE_ENVIRON_DECL']:
        # Mac OSX needs to have this and it's also needed that the python is compiled with this
        # otherwise you face errors about common symbols
        if not conf.CHECK_SHLIB_W_PYTHON("Checking if -fno-common is needed"):
            conf.ADD_CFLAGS('-fno-common')
        if not conf.CHECK_SHLIB_W_PYTHON("Checking if -undefined dynamic_lookup is not need"):
            conf.env.append_value('cshlib_LINKFLAGS', ['-undefined', 'dynamic_lookup'])

    if sys.platform == 'darwin':
        conf.ADD_LDFLAGS('-framework CoreFoundation')

    conf.RECURSE('dynconfig')
    conf.RECURSE('selftest')

    conf.CHECK_CFG(package='zlib', minversion='1.2.3',
                   args='--cflags --libs',
                   mandatory=True)
    conf.CHECK_FUNCS_IN('inflateInit2', 'z')

    # Either the bundled third_party tree is configured, or the system
    # copies of these libraries are required.
    # NOTE(review): the nesting of the wrapper checks under ENABLE_SELFTEST
    # is reconstructed from a listing that lost its indentation -- confirm
    # against the repository copy.
    if conf.CHECK_FOR_THIRD_PARTY():
        conf.RECURSE('third_party')
    else:

        if not conf.CHECK_POPT():
            raise Errors.WafError('popt development packages have not been found.\nIf third_party is installed, check that it is in the proper place.')
        else:
            conf.define('USING_SYSTEM_POPT', 1)

        if not conf.CHECK_CMOCKA():
            raise Errors.WafError('cmocka development packages has not been found.\nIf third_party is installed, check that it is in the proper place.')
        else:
            conf.define('USING_SYSTEM_CMOCKA', 1)

        if conf.CONFIG_GET('ENABLE_SELFTEST'):
            if not conf.CHECK_SOCKET_WRAPPER():
                raise Errors.WafError('socket_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_SOCKET_WRAPPER', 1)

            if not conf.CHECK_NSS_WRAPPER():
                raise Errors.WafError('nss_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_NSS_WRAPPER', 1)

            if not conf.CHECK_RESOLV_WRAPPER():
                raise Errors.WafError('resolv_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_RESOLV_WRAPPER', 1)

            if not conf.CHECK_UID_WRAPPER():
                raise Errors.WafError('uid_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_UID_WRAPPER', 1)

            if not conf.CHECK_PAM_WRAPPER():
                raise Errors.WafError('pam_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_PAM_WRAPPER', 1)

    conf.RECURSE('lib/ldb')

    if conf.CHECK_LDFLAGS(['-Wl,--wrap=test']):
        conf.env['HAVE_LDWRAP'] = True
        conf.define('HAVE_LDWRAP', 1)

    if not (Options.options.without_ad_dc):
        conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)

    if Options.options.with_system_mitkrb5:
        # An AD DC on MIT Kerberos is only built after an explicit opt-in;
        # otherwise the MIT build must drop the AD DC altogether.
        if not Options.options.with_experimental_mit_ad_dc and \
                not Options.options.without_ad_dc:
            raise Errors.WafError('The MIT Kerberos build of Samba as an AD DC ' +
                                  'is experimental. Therefore '
                                  '--with-system-mitkrb5 requires either ' +
                                  '--with-experimental-mit-ad-dc or ' +
                                  '--without-ad-dc')

        conf.PROCESS_SEPARATE_RULE('system_mitkrb5')

    # NOTE(review): whenever this condition holds, the check a few lines up
    # has already defined AD_DC_BUILD_IS_ENABLED, so this looks redundant.
    if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
        conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)

    if Options.options.with_system_heimdalkrb5:
        if Options.options.with_system_mitkrb5:
            raise Errors.WafError('--with-system-heimdalkrb5 conflicts with ' +
                                  '--with-system-mitkrb5')
        if not Options.options.without_ad_dc:
            raise Errors.WafError('--with-system-heimdalkrb5 requires ' +
                                  '--without-ad-dc')
        conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken',
                                 'hx509', 'wind', 'gssapi', 'hcrypto',
                                 'krb5', 'heimbase', 'asn1_compile',
                                 'compile_et', 'kdc', 'hdb', 'heimntlm')
        conf.PROCESS_SEPARATE_RULE('system_heimdal')

    # Fall back to the embedded Heimdal when no Kerberos vendor was
    # configured by the rules above.
    if not conf.CONFIG_GET('KRB5_VENDOR'):
        conf.PROCESS_SEPARATE_RULE('embedded_heimdal')

    conf.PROCESS_SEPARATE_RULE('system_gnutls')

    conf.RECURSE('source4/dsdb/samdb/ldb_modules')
    conf.RECURSE('source4/ntvfs/sysdep')
    conf.RECURSE('lib/util')
    conf.RECURSE('lib/util/charset')
    conf.RECURSE('source4/auth')
    conf.RECURSE('nsswitch')
    conf.RECURSE('libcli/smbreadline')
    conf.RECURSE('lib/crypto')
    conf.RECURSE('pidl')
    if conf.CONFIG_GET('ENABLE_SELFTEST'):
        # with_ntvfs_fileserver is set only by the --with/--without pair, so
        # "!= False" also matches the case where neither flag was given.
        if Options.options.with_ntvfs_fileserver != False:
            if not (Options.options.without_ad_dc):
                conf.DEFINE('WITH_NTVFS_FILESERVER', 1)
        if Options.options.with_ntvfs_fileserver == False:
            if not (Options.options.without_ad_dc):
                raise Errors.WafError('--without-ntvfs-fileserver conflicts with --enable-selftest while building the AD DC')
        conf.RECURSE('testsuite/unittests')

    if Options.options.with_ntvfs_fileserver == True:
        if Options.options.without_ad_dc:
            raise Errors.WafError('--with-ntvfs-fileserver conflicts with --without-ad-dc')
        conf.DEFINE('WITH_NTVFS_FILESERVER', 1)

    if Options.options.with_pthreadpool:
        if conf.CONFIG_SET('HAVE_PTHREAD'):
            conf.DEFINE('WITH_PTHREADPOOL', '1')
        else:
            Logs.warn("pthreadpool support cannot be enabled when pthread support was not found")
            conf.undefine('WITH_PTHREADPOOL')

    conf.SET_TARGET_TYPE('jansson', 'EMPTY')

    if Options.options.with_json != False:
        if conf.CHECK_CFG(package='jansson', args='--cflags --libs',
                          msg='Checking for jansson'):
            conf.CHECK_FUNCS_IN('json_object', 'jansson')

    if not conf.CONFIG_GET('HAVE_JSON_OBJECT'):
        # JSON was wanted (or not explicitly disabled) but is unavailable.
        if Options.options.with_json != False:
            conf.fatal("Jansson JSON support not found. "
                       "Try installing libjansson-dev or jansson-devel. "
                       "Otherwise, use --without-json to build without "
                       "JSON support. "
                       "JSON support is required for the JSON "
                       "formatted audit log feature, the AD DC, and "
                       "the JSON printers of the net utility")
        if not Options.options.without_ad_dc:
            raise Errors.WafError('--without-json requires --without-ad-dc. '
                                  'Jansson JSON library is required for '
                                  'building the AD DC')
        Logs.info("Building without Jansson JSON log support")

    conf.RECURSE('source3')
    conf.RECURSE('lib/texpect')
    conf.RECURSE('python')
    if conf.env.with_ctdb:
        conf.RECURSE('ctdb')
    conf.RECURSE('lib/socket')
    conf.RECURSE('lib/mscat')
    conf.RECURSE('packaging')

    conf.SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS()

    # gentoo always adds this. We want our normal build to be as
    # strict as the strictest OS we support, so adding this here
    # allows us to find problems on our development hosts faster.
    # It also results in faster load time.

    if conf.CHECK_LDFLAGS('-Wl,--as-needed'):
        conf.env.append_unique('LINKFLAGS', '-Wl,--as-needed')

    if not conf.CHECK_NEED_LC("-lc not needed"):
        conf.ADD_LDFLAGS('-lc', testflags=False)

    if not conf.CHECK_CODE('#include "tests/summary.c"',
                           define='SUMMARY_PASSES',
                           addmain=False,
                           msg='Checking configure summary'):
        raise Errors.WafError('configure summary failed')

    # Hardening: the compiler check is mandatory only when --with-pie was
    # given. With neither flag, a toolchain that fails the check leaves
    # ENABLE_PIE unset -- presumably without an error (confirm check_cc
    # behaviour for mandatory=False) -- so verify the flag in the configure
    # output for release builds.
    if Options.options.enable_pie != False:
        if Options.options.enable_pie == True:
            need_pie = True
        else:
            # not specified, only build PIEs if supported by compiler
            need_pie = False
        if conf.check_cc(cflags='-fPIE', ldflags='-pie', mandatory=need_pie,
                         msg="Checking compiler for PIE support"):
            conf.env['ENABLE_PIE'] = True

    # Same pattern for full RELRO (-z relro -z now): enforced only when
    # --with-relro was passed explicitly.
    if Options.options.enable_relro != False:
        if Options.options.enable_relro == True:
            need_relro = True
        else:
            # not specified, only build RELROs if supported by compiler
            need_relro = False
        if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro,
                         msg="Checking compiler for full RELRO support"):
            conf.env['ENABLE_RELRO'] = True

    conf.SAMBA_CONFIG_H('include/config.h')
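def etags(ctx):
    '''build TAGS file using etags'''
    # Runs a shell pipeline that removes the old TAGS file and feeds every
    # *.c / *.h file (except *.inst.* ones) under the source root to etags.
    # Raises Errors.WafError when the pipeline's exit status is non-zero.
    from shlex import quote

    # The source root is spliced into a shell command line; quoting it keeps
    # a checkout path containing spaces or shell metacharacters from being
    # split or interpreted. Paths without such characters are unchanged.
    source_root = quote(os.path.dirname(Context.g_module.root_path))
    # Raw string: "\." is meant for egrep, not as a Python escape sequence.
    cmd = r'rm -f %s/TAGS && (find %s -name "*.[ch]" | egrep -v \.inst\. | xargs -n 100 etags -a)' % (source_root, source_root)
    print("Running: %s" % cmd)
    status = os.system(cmd)
    if os.WEXITSTATUS(status):
        raise Errors.WafError('etags failed')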
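def ctags(ctx):
    "build 'tags' file using ctags"
    # Runs ctags over the C sources/headers and the Python files found under
    # the source root. Raises Errors.WafError on a non-zero exit status.
    from shlex import quote

    # The source root is spliced into a shell command line; quoting it keeps
    # a checkout path containing spaces or shell metacharacters from being
    # split or interpreted. Paths without such characters are unchanged.
    source_root = quote(os.path.dirname(Context.g_module.root_path))
    # Raw string: the backslashes belong to the grep/egrep patterns and are
    # not Python escape sequences.
    cmd = r'ctags --python-kinds=-i $(find %s -name "*.[ch]" | grep -v "*_proto\.h" | egrep -v \.inst\.) $(find %s -name "*.py")' % (source_root, source_root)
    print("Running: %s" % cmd)
    status = os.system(cmd)
    if os.WEXITSTATUS(status):
        raise Errors.WafError('ctags failed')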
408 # putting this here enabled build in the list
409 # of commands in --help
def build(bld):
    '''build all targets'''
    # Only loads the version information for this build context; the
    # is_install flag of the context is passed through unchanged.
    build_env = bld.env
    installing = bld.is_install
    samba_version.load_version(env=build_env, is_install=installing)
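def pydoctor(ctx):
    '''build python apidocs'''
    # Looks up where the talloc/tdb/ldb modules load from, then runs pydoctor
    # over bin/python/samba plus those modules. Raises Errors.WafError when
    # pydoctor exits with a non-zero status.
    from shlex import quote

    # The absolute build path ends up on shell command lines below; quote it
    # so a path with spaces or metacharacters stays one word.
    bp = quote(os.path.abspath('bin/python'))
    mpaths = {}
    modules = ['talloc', 'tdb', 'ldb']
    for m in modules:
        # print(...) with parentheses works for both a Python 2 and a
        # Python 3 `python`; the earlier print statement form fails under
        # Python 3.
        with os.popen("PYTHONPATH=%s python -c 'import %s; print(%s.__file__)'" % (bp, m, m), 'r') as f:
            mpaths[m] = f.read().strip()
    mpaths['main'] = bp
    # Only the 'main' entry is substituted into the command template.
    cmd = ('PYTHONPATH=%(main)s pydoctor --introspect-c-modules --project-name=Samba '
           '--project-url=http://www.samba.org --make-html --docformat=restructuredtext '
           '--add-package bin/python/samba ' + ''.join('--add-module %s ' % n for n in modules))
    cmd = cmd % mpaths
    print("Running: %s" % cmd)
    status = os.system(cmd)
    if os.WEXITSTATUS(status):
        raise Errors.WafError('pydoctor failed')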
def pep8(ctx):
    '''run pep8 validator'''
    # Fixed command line, no caller-supplied parts; a non-zero exit status
    # from the validator is turned into a WafError.
    command = 'PYTHONPATH=bin/python pep8 -r bin/python/samba'
    print("Running: %s" % command)
    exit_code = os.WEXITSTATUS(os.system(command))
    if exit_code:
        raise Errors.WafError('pep8 failed')
def wafdocs(ctx):
    '''build wafsamba apidocs'''
    from samba_utils import recursive_dirlist

    os.system('pwd')
    module_files = recursive_dirlist('../buildtools/wafsamba', '.', pattern='*.py')

    print(module_files)
    # NOTE(review): the file names are appended to the shell command line
    # unquoted, so this relies on the wafsamba tree holding only names
    # without spaces or shell metacharacters.
    base_cmd = 'PYTHONPATH=bin/python pydoctor --project-name=wafsamba --project-url=http://www.samba.org --make-html --docformat=restructuredtext'
    module_args = [' --add-module %s' % path for path in module_files]
    command = base_cmd + "".join(module_args)
    print("Running: %s" % command)
    exit_code = os.WEXITSTATUS(os.system(command))
    if exit_code:
        raise Errors.WafError('wafdocs failed')
def dist():
    '''makes a tarball for distribution'''
    version_info = samba_version.load_version(env=None)

    # NOTE(review): the exit status of both os.system() calls below is
    # discarded, so a failed manpage build does not stop the tarball from
    # being produced.
    os.system("make -C ctdb manpages")
    samba_dist.DIST_FILES('ctdb/doc:ctdb/doc', extend=True)

    # The version string is placed between single quotes on a shell command
    # line; it comes from the tree's own version data, not from user input.
    manpage_cmd = "".join(["DOC_VERSION='", version_info.STRING, "' ",
                           Context.g_module.top,
                           "/release-scripts/build-manpages-nogit"])
    os.system(manpage_cmd)
    samba_dist.DIST_FILES('bin/docs:docs', extend=True)

    if not version_info.IS_SNAPSHOT:
        samba_dist.dist()
        return

    # write .distversion file and add to tar
    out_dir = Context.g_module.out
    if not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    stamp = tempfile.NamedTemporaryFile(mode='w', prefix='.distversion',dir=out_dir)
    for field in version_info.vcs_fields:
        entry = '='.join((field, str(version_info.vcs_fields[field])))
        stamp.write(entry + '\n')
    stamp.flush()
    samba_dist.DIST_FILES('%s:.distversion' % stamp.name, extend=True)

    # The temporary file is removed when it is closed, so it has to stay
    # open until the tarball has been written.
    samba_dist.dist()
    stamp.close()
def distcheck():
    '''test that distribution tarball builds and installs'''
    # Nothing but the version load happens in this function itself.
    no_env = None
    samba_version.load_version(env=no_env)
def wildcard_cmd(cmd):
    '''called on a unknown command'''
    # Imported here rather than at file level, as in the original.
    import samba_wildcard

    samba_wildcard.run_named_build_task(cmd)
def main():
    # Entry point that hands unknown commands to wildcard_cmd.
    import samba_wildcard

    samba_wildcard.wildcard_main(wildcard_cmd)


# Replace waf's own main with the wrapper above.
Scripting.main = main
def reconfigure(ctx):
    '''reconfigure if config scripts have changed'''
    # Thin wrapper around the helper of the same name in samba_utils.
    from samba_utils import reconfigure as run_reconfigure

    run_reconfigure(ctx)
# Runs at import time, i.e. on every waf invocation from a git checkout:
# stale submodules abort the run before any command starts, so the build
# does not proceed against an out-of-date submodule checkout.
if os.path.isdir(os.path.join(top, ".git")):
    # Check if there are submodules that are checked out but out of date.
    for submodule, status in samba_git.read_submodule_status(top):
        if status == "out-of-date":
            raise Errors.WafError("some submodules are out of date. Please run 'git submodule update'")