CVE-2020-25719 heimdal:kdc: Move fetching krbtgt entry to before enctype selection
1 #!/usr/bin/env python
# Module-level names following the waf convention for a top-level wscript:
# 'top' is the source root and 'out' the build output directory.
top = '.'
out = 'bin'

APPNAME='samba'
# NOTE(review): left as None here; presumably the real version comes from
# samba_version.load_version(), which this file calls elsewhere - confirm.
VERSION=None
9 import sys, os, tempfile
10 sys.path.insert(0, top+"/buildtools/wafsamba")
11 import shutil
12 import wafsamba, samba_dist, samba_git, samba_version, samba_utils
13 from waflib import Options, Scripting, Logs, Context, Errors
14 from waflib.Tools import bison
# Tarball contents for the dist command are declared through samba_dist.
# NOTE(review): presumably DIST_DIRS names the directories to ship and
# DIST_BLACKLIST the paths to leave out of the release tarball - confirm
# against buildtools/wafsamba/samba_dist.py.
samba_dist.DIST_DIRS('.')
samba_dist.DIST_BLACKLIST('.gitignore .bzrignore source4/selftest/provisions')

# install in /usr/local/samba by default
default_prefix = Options.default_prefix = '/usr/local/samba'
22 # This callback optionally takes a list of paths as arguments:
23 # --with-system_mitkrb5 /path/to/krb5 /another/path
def system_mitkrb5_callback(option, opt, value, parser):
    # Option-parser callback for --with-system-mitkrb5.
    #
    # The destination is first set to True (the bare-flag case).  Every
    # following command-line word is then collected as a search path until
    # a "--something" style option is met; if any were collected they are
    # removed from parser.rargs and stored as a list in place of True.
    #
    # Documented with comments rather than a docstring on purpose: waf
    # lists wscript functions that carry a docstring as commands in --help.
    dest = option.dest
    setattr(parser.values, dest, True)

    paths = []
    for candidate in parser.rargs:
        # stop on --foo like options (a bare "--" does not stop the scan)
        if candidate.startswith("--") and len(candidate) > 2:
            break
        paths.append(candidate)

    if not paths:
        return

    # Consume what was collected so the parser does not see it again.
    del parser.rargs[:len(paths)]
    setattr(parser.values, dest, paths)
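def options(opt):
    # Registers the top-level configure options and pulls in the option
    # definitions of the sub-directories listed below.
    opt.BUILTIN_DEFAULT('NONE')
    opt.PRIVATE_EXTENSION_DEFAULT('samba4')
    opt.RECURSE('lib/replace')
    opt.RECURSE('dynconfig')
    opt.RECURSE('packaging')
    opt.RECURSE('lib/ldb')
    opt.RECURSE('selftest')
    opt.RECURSE('source4/dsdb/samdb/ldb_modules')
    opt.RECURSE('pidl')
    opt.RECURSE('source3')
    opt.RECURSE('lib/util')
    opt.RECURSE('lib/crypto')
    opt.RECURSE('ctdb')

    # Optional Libraries
    # ------------------
    #
    # Most of the calls to opt.add_option() use default=True for the --with case
    #
    # To assist users and distributors to build Samba with the full feature
    # set, the build system will abort if our dependent libraries and their
    # header files are not found on the target system.  This will mean for
    # example, that xattr, acl and ldap headers must be installed for the
    # default build to complete.  The configure system will check for these
    # headers, and the error message will indicate the option (such as
    # --without-acl-support) that can be specified to skip this requirement.
    #
    # This will assist users and in particular distributors in building fully
    # functional packages, while allowing those on systems truly without these
    # facilities to continue to build Samba after careful consideration.
    #
    # It also ensures our container image generation in bootstrap/ is correct
    # as otherwise a missing package there would just silently work

    opt.samba_add_onoff_option('pthreadpool', with_name="enable", without_name="disable", default=True)

    opt.add_option('--with-system-mitkrb5',
                   help='build Samba with system MIT Kerberos. ' +
                        'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config',
                   action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False)

    # The help text itself states that this configuration receives no
    # security patches, so it stays strictly opt-in (default=False).
    opt.add_option('--with-experimental-mit-ad-dc',
                   help='Enable the experimental MIT Kerberos-backed AD DC.  ' +
                        'Note that security patches are not issued for this configuration',
                   action='store_true',
                   dest='with_experimental_mit_ad_dc',
                   default=False)

    opt.add_option('--with-system-mitkdc',
                   help=('Specify the path to the krb5kdc binary from MIT Kerberos'),
                   type="string",
                   dest='with_system_mitkdc',
                   default=None)

    # Fixed: the help text used to be written as
    #     'a' + 'Requires --without-ad-dc' and 'conflicts with ...'
    # where the boolean "and" made the whole expression evaluate to its
    # last operand, so --help showed only the "conflicts with" fragment.
    opt.add_option('--with-system-heimdalkrb5',
                   help=('build Samba with system Heimdal Kerberos. ' +
                         'Requires --without-ad-dc and ' +
                         'conflicts with --with-system-mitkrb5'),
                   action='store_true',
                   dest='with_system_heimdalkrb5',
                   default=False)

    opt.add_option('--without-ad-dc',
                   help='disable AD DC functionality (enables only Samba FS (File Server, Winbind, NMBD) and client utilities.',
                   action='store_true', dest='without_ad_dc', default=False)

    # Exploit-mitigation build flags.  Neither pair sets a default, so the
    # destination is None unless the user decides; configure() tells
    # "explicitly requested" (True) from "not specified" (None).
    opt.add_option('--with-pie',
                   help=("Build Position Independent Executables " +
                         "(default if supported by compiler)"),
                   action="store_true", dest='enable_pie')
    opt.add_option('--without-pie',
                   help=("Disable Position Independent Executable builds"),
                   action="store_false", dest='enable_pie')

    # Fixed: the two help fragments were joined without a separating space.
    opt.add_option('--with-relro',
                   help=("Build with full RELocation Read-Only (RELRO) " +
                         "(default if supported by compiler)"),
                   action="store_true", dest='enable_relro')
    opt.add_option('--without-relro',
                   help=("Disable RELRO builds"),
                   action="store_false", dest='enable_relro')

    # The returned group object was bound to a name that was never used;
    # the call itself is kept.
    opt.option_group('developer options')

    opt.load('python')  # options for disabling pyc or pyo compilation
    # enable options related to building python extensions

    opt.add_option('--with-json',
                   action='store_true', dest='with_json',
                   help=("Build with JSON support (default=True). This "
                         "requires the jansson development headers."))
    opt.add_option('--without-json',
                   action='store_false', dest='with_json',
                   help=("Build without JSON support."))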
def configure(conf):
    # Top-level configure step: loads the version, sets global defines,
    # recurses into the sub-directory configure scripts, selects the
    # Kerberos implementation, checks optional libraries and linker
    # hardening flags, and finally writes include/config.h.
    #
    # The order of the checks matters (later checks read results stored by
    # earlier ones through conf.env / CONFIG_GET), so keep the sequence.
    version = samba_version.load_version(env=conf.env)

    conf.DEFINE('CONFIG_H_IS_FROM_SAMBA', 1)
    conf.DEFINE('_SAMBA_BUILD_', version.MAJOR, add_to_cflags=True)
    conf.DEFINE('HAVE_CONFIG_H', 1, add_to_cflags=True)

    if Options.options.developer:
        # NOTE(review): DEBUG_PASSWORD is presumably a debugging aid that
        # exposes password material in debug output - confirm; either way
        # a --developer build is not meant to be deployed.
        conf.ADD_CFLAGS('-DDEVELOPER -DDEBUG_PASSWORD')
        conf.env.DEVELOPER = True
        # if we are in a git tree without a pre-commit hook, install a
        # simple default.
        # we need git for 'waf dist'
        githooksdir = None
        conf.find_program('git', var='GIT')
        if 'GIT' in conf.env:
            githooksdir = conf.CHECK_COMMAND('%s rev-parse --git-path hooks' % conf.env.GIT[0],
                                             msg='Finding githooks directory',
                                             define=None,
                                             on_target=False)
        # Side effect of configure: a script is copied into the
        # repository's git hooks directory.  An existing pre-commit hook
        # is never overwritten.
        if githooksdir and os.path.isdir(githooksdir):
            pre_commit_hook = os.path.join(githooksdir, 'pre-commit')
            if not os.path.exists(pre_commit_hook):
                Logs.info("Installing script/git-hooks/pre-commit-hook as %s" %
                          pre_commit_hook)
                shutil.copy(os.path.join(Context.g_module.top, 'script/git-hooks/pre-commit-hook'),
                            pre_commit_hook)

    conf.ADD_EXTRA_INCLUDES('#include/public #source4 #lib #source4/lib #source4/include #include #lib/replace')

    conf.env.replace_add_global_pthread = True
    conf.RECURSE('lib/replace')

    conf.RECURSE('examples/fuse')
    conf.RECURSE('examples/winexe')

    conf.SAMBA_CHECK_PERL(mandatory=True)
    conf.find_program('xsltproc', var='XSLTPROC')

    if conf.env.disable_python:
        if not (Options.options.without_ad_dc):
            raise Errors.WafError('--disable-python requires --without-ad-dc')

    conf.SAMBA_CHECK_PYTHON()
    conf.SAMBA_CHECK_PYTHON_HEADERS()

    if sys.platform == 'darwin' and not conf.env['HAVE_ENVIRON_DECL']:
        # Mac OSX needs to have this and it's also needed that the python is compiled with this
        # otherwise you face errors about common symbols
        if not conf.CHECK_SHLIB_W_PYTHON("Checking if -fno-common is needed"):
            conf.ADD_CFLAGS('-fno-common')
        if not conf.CHECK_SHLIB_W_PYTHON("Checking if -undefined dynamic_lookup is not need"):
            conf.env.append_value('cshlib_LINKFLAGS', ['-undefined', 'dynamic_lookup'])

    if sys.platform == 'darwin':
        conf.ADD_LDFLAGS('-framework CoreFoundation')

    conf.RECURSE('dynconfig')
    conf.RECURSE('selftest')

    # zlib is a hard requirement with a minimum version.
    conf.CHECK_CFG(package='zlib', minversion='1.2.3',
                   args='--cflags --libs',
                   mandatory=True)
    conf.CHECK_FUNCS_IN('inflateInit2', 'z')

    # Either the bundled third_party tree is configured, or every library
    # it would have supplied must be found on the system; a missing one
    # aborts configure instead of being skipped silently.
    if conf.CHECK_FOR_THIRD_PARTY():
        conf.RECURSE('third_party')
    else:

        if not conf.CHECK_POPT():
            raise Errors.WafError('popt development packages have not been found.\nIf third_party is installed, check that it is in the proper place.')
        else:
            conf.define('USING_SYSTEM_POPT', 1)

        if not conf.CHECK_CMOCKA():
            raise Errors.WafError('cmocka development packages has not been found.\nIf third_party is installed, check that it is in the proper place.')
        else:
            conf.define('USING_SYSTEM_CMOCKA', 1)

        if conf.CONFIG_GET('ENABLE_SELFTEST'):
            if not conf.CHECK_SOCKET_WRAPPER():
                raise Errors.WafError('socket_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_SOCKET_WRAPPER', 1)

            if not conf.CHECK_NSS_WRAPPER():
                raise Errors.WafError('nss_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_NSS_WRAPPER', 1)

            if not conf.CHECK_RESOLV_WRAPPER():
                raise Errors.WafError('resolv_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_RESOLV_WRAPPER', 1)

            if not conf.CHECK_UID_WRAPPER():
                raise Errors.WafError('uid_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_UID_WRAPPER', 1)

            if not conf.CHECK_PAM_WRAPPER():
                raise Errors.WafError('pam_wrapper package has not been found.\nIf third_party is installed, check that it is in the proper place.')
            else:
                conf.define('USING_SYSTEM_PAM_WRAPPER', 1)

    conf.RECURSE('lib/ldb')

    if conf.CHECK_LDFLAGS(['-Wl,--wrap=test']):
        conf.env['HAVE_LDWRAP'] = True
        conf.define('HAVE_LDWRAP', 1)

    # NOTE(review): AD_DC_BUILD_IS_ENABLED is defined here whenever the
    # AD DC is not disabled, and again further down under a narrower
    # condition that also excludes --with-system-mitkrb5; confirm which of
    # the two conditions is the intended one.
    if not (Options.options.without_ad_dc):
        conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)

    # Check for flex before doing the embedded heimdal checks so we can bail if we don't have it.
    Logs.info("Checking for flex")
    conf.find_program('flex', var='FLEX')
    if conf.env['FLEX']:
        conf.CHECK_COMMAND('%s --version' % conf.env.FLEX[0],
                           msg='Using flex version',
                           define=None,
                           on_target=False)
    conf.env.FLEXFLAGS = ['-t']

    # #line statements in these generated files cause issues for lcov
    conf.env.FLEXFLAGS += ["--noline"]

    Logs.info("Checking for bison")
    bison.configure(conf)
    if conf.env['BISON']:
        conf.CHECK_COMMAND('%s --version | head -n1' % conf.env.BISON[0],
                           msg='Using bison version',
                           define=None,
                           on_target=False)

    # #line statements in these generated files cause issues for lcov
    conf.env.BISONFLAGS += ["--no-line"]

    if Options.options.with_system_mitkrb5:
        # Guard rail: an MIT-Kerberos-backed AD DC is only built when the
        # user acknowledged its experimental status explicitly; otherwise
        # system MIT Kerberos is accepted only together with
        # --without-ad-dc.
        if not Options.options.with_experimental_mit_ad_dc and \
           not Options.options.without_ad_dc:
            raise Errors.WafError('The MIT Kerberos build of Samba as an AD DC ' +
                                  'is experimental. Therefore '
                                  '--with-system-mitkrb5 requires either ' +
                                  '--with-experimental-mit-ad-dc or ' +
                                  '--without-ad-dc')

        conf.PROCESS_SEPARATE_RULE('system_mitkrb5')

    if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
        conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)

    if Options.options.with_system_heimdalkrb5:
        if Options.options.with_system_mitkrb5:
            raise Errors.WafError('--with-system-heimdalkrb5 conflicts with ' +
                                  '--with-system-mitkrb5')
        if not Options.options.without_ad_dc:
            raise Errors.WafError('--with-system-heimdalkrb5 requires ' +
                                  '--without-ad-dc')
        conf.env.SYSTEM_LIBS += ('heimdal', 'asn1', 'com_err', 'roken',
                                 'hx509', 'wind', 'gssapi', 'hcrypto',
                                 'krb5', 'heimbase', 'asn1_compile',
                                 'compile_et', 'kdc', 'hdb', 'heimntlm')
        conf.PROCESS_SEPARATE_RULE('system_heimdal')

    # No Kerberos vendor recorded by the rules above: fall back to the
    # embedded Heimdal rule.
    if not conf.CONFIG_GET('KRB5_VENDOR'):
        conf.PROCESS_SEPARATE_RULE('embedded_heimdal')

    conf.PROCESS_SEPARATE_RULE('system_gnutls')

    conf.RECURSE('source4/dsdb/samdb/ldb_modules')
    conf.RECURSE('source4/ntvfs/sysdep')
    conf.RECURSE('lib/util')
    conf.RECURSE('lib/util/charset')
    conf.RECURSE('source4/auth')
    conf.RECURSE('nsswitch')
    conf.RECURSE('libcli/smbreadline')
    conf.RECURSE('lib/crypto')
    conf.RECURSE('pidl')
    if conf.CONFIG_GET('ENABLE_SELFTEST'):
        if not (Options.options.without_ad_dc):
            conf.DEFINE('WITH_NTVFS_FILESERVER', 1)
        conf.RECURSE('testsuite/unittests')

    if Options.options.with_pthreadpool:
        if conf.CONFIG_SET('HAVE_PTHREAD'):
            conf.DEFINE('WITH_PTHREADPOOL', '1')
        else:
            Logs.warn("pthreadpool support cannot be enabled when pthread support was not found")
            conf.undefine('WITH_PTHREADPOOL')

    conf.SET_TARGET_TYPE('jansson', 'EMPTY')

    # with_json is None when neither --with-json nor --without-json was
    # given, so "!= False" covers both "requested" and "not specified".
    if Options.options.with_json != False:
        if conf.CHECK_CFG(package='jansson', args='--cflags --libs',
                          msg='Checking for jansson'):
            conf.CHECK_FUNCS_IN('json_object', 'jansson')

    if not conf.CONFIG_GET('HAVE_JSON_OBJECT'):
        if Options.options.with_json != False:
            conf.fatal("Jansson JSON support not found. "
                       "Try installing libjansson-dev or jansson-devel. "
                       "Otherwise, use --without-json to build without "
                       "JSON support. "
                       "JSON support is required for the JSON "
                       "formatted audit log feature, the AD DC, and "
                       "the JSON printers of the net utility")
        if not Options.options.without_ad_dc:
            raise Errors.WafError('--without-json requires --without-ad-dc. '
                                  'Jansson JSON library is required for '
                                  'building the AD DC')
        Logs.info("Building without Jansson JSON log support")

    conf.RECURSE('source3')
    conf.RECURSE('lib/texpect')
    conf.RECURSE('python')
    if conf.env.with_ctdb:
        conf.RECURSE('ctdb')
    conf.RECURSE('lib/socket')
    conf.RECURSE('lib/mscat')
    conf.RECURSE('packaging')

    conf.SAMBA_CHECK_UNDEFINED_SYMBOL_FLAGS()

    # gentoo always adds this. We want our normal build to be as
    # strict as the strictest OS we support, so adding this here
    # allows us to find problems on our development hosts faster.
    # It also results in faster load time.

    if conf.CHECK_LDFLAGS('-Wl,--as-needed'):
        conf.env.append_unique('LINKFLAGS', '-Wl,--as-needed')

    if not conf.CHECK_NEED_LC("-lc not needed"):
        conf.ADD_LDFLAGS('-lc', testflags=False)

    if not conf.CHECK_CODE('#include "tests/summary.c"',
                           define='SUMMARY_PASSES',
                           addmain=False,
                           msg='Checking configure summary'):
        raise Errors.WafError('configure summary failed')

    # Hardening: PIE.  The compiler check is mandatory only when --with-pie
    # was given explicitly; when the option was not specified, a toolchain
    # without PIE support yields a non-PIE build without failing configure.
    if Options.options.enable_pie != False:
        if Options.options.enable_pie == True:
            need_pie = True
        else:
            # not specified, only build PIEs if supported by compiler
            need_pie = False
        if conf.check_cc(cflags='-fPIE', ldflags='-pie', mandatory=need_pie,
                         msg="Checking compiler for PIE support"):
            conf.env['ENABLE_PIE'] = True

    # Hardening: full RELRO (-z relro -z now), with the same
    # "mandatory only when explicitly requested" rule as PIE above.
    if Options.options.enable_relro != False:
        if Options.options.enable_relro == True:
            need_relro = True
        else:
            # not specified, only build RELROs if supported by compiler
            need_relro = False
        if conf.check_cc(cflags='', ldflags='-Wl,-z,relro,-z,now', mandatory=need_relro,
                         msg="Checking compiler for full RELRO support"):
            conf.env['ENABLE_RELRO'] = True

    #
    # FreeBSD is broken. It doesn't include 'extern char **environ'
    # in any shared library, but statically inside crt0.o.
    #
    # If we're running on a FreeBSD with the GNU linker ld we
    # can get around this by explicitly telling the linker to
    # ignore 'environ' as an unresolved symbol in a shared library.
    #
    # However, the clang linker ld.lld-XX is broken in that it
    # doesn't have that option.
    #
    # First try to see if have '-Wl,--ignore-unresolved-symbol,environ'
    # and just use that if so.
    #
    # If not, we have to use '-Wl,--allow-shlib-undefined' instead
    # and remove all instances of '-Wl,-no-undefined'.
    #
    # Note that the fallback drops '-Wl,-no-undefined' from EXTRA_LDFLAGS
    # altogether, so on that path the linker no longer rejects undefined
    # symbols through that flag.

    if sys.platform.startswith('freebsd'):
        # Do we have Wl,--ignore-unresolved-symbol,environ ?
        flag_added = conf.ADD_LDFLAGS('-Wl,--ignore-unresolved-symbol,environ', testflags=True)
        if not flag_added:
            # No, fall back to -Wl,--allow-shlib-undefined.
            conf.ADD_LDFLAGS('-Wl,--allow-shlib-undefined', testflags=True)
            # Remove any uses of '-Wl,-no-undefined'
            conf.env['EXTRA_LDFLAGS'] = list(filter(('-Wl,-no-undefined').__ne__, conf.env['EXTRA_LDFLAGS']))
            # And make sure we don't try and remove it again when 'allow_undefined_symbols=true'
            conf.env.undefined_ldflags = []

    conf.SAMBA_CONFIG_H('include/config.h')
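def etags(ctx):
    '''build TAGS file using etags'''
    # shlex is not among the file-level imports, so it is imported locally.
    from shlex import quote

    # The source path is interpolated into a shell command line.  Quoting
    # keeps a checkout directory containing spaces or shell metacharacters
    # from being split or interpreted by the shell; ordinary paths are left
    # unchanged by quote(), so the command is the same as before for them.
    source_root = quote(os.path.dirname(Context.g_module.root_path))

    # Raw string: '\.' inside a normal string literal is an invalid escape
    # sequence (a warning on current Python versions).  The command text
    # handed to the shell is unchanged.
    cmd = r'rm -f %s/TAGS && (find %s -name "*.[ch]" | egrep -v \.inst\. | xargs -n 100 etags -a)' % (source_root, source_root)
    print("Running: %s" % cmd)
    status = os.system(cmd)
    # Any non-zero wait status is a failure.  os.WEXITSTATUS() reads only
    # the exit-code byte, so a shell that was killed by a signal used to be
    # reported as success.
    if status != 0:
        raise Errors.WafError('etags failed')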
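def ctags(ctx):
    "build 'tags' file using ctags"
    # shlex is not among the file-level imports, so it is imported locally.
    from shlex import quote

    # Quote the path before it is placed on a shell command line (paths
    # with spaces or shell metacharacters); ordinary paths are unchanged.
    source_root = quote(os.path.dirname(Context.g_module.root_path))

    # Raw string: '\.' inside a normal string literal is an invalid escape
    # sequence.  The command text handed to the shell is unchanged.
    #
    # NOTE(review): in the grep pattern "*_proto\.h" the leading '*' looks
    # like a glob carried over into a regular expression; in a POSIX basic
    # regex a leading '*' is a literal star, so this filter probably
    # excludes nothing - confirm the intent before changing it.
    cmd = r'ctags --python-kinds=-i $(find %s -name "*.[ch]" | grep -v "*_proto\.h" | egrep -v \.inst\.) $(find %s -name "*.py")' % (source_root, source_root)
    print("Running: %s" % cmd)
    status = os.system(cmd)
    # Any non-zero wait status is a failure; os.WEXITSTATUS() alone reports
    # a shell killed by a signal as success.
    if status != 0:
        raise Errors.WafError('ctags failed')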
444 # putting this here enabled build in the list
445 # of commands in --help
def build(bld):
    '''build all targets'''
    # The docstring above is what waf shows for this command in --help, so
    # it is kept as is.  The only work done here is loading the version
    # for the build (or install) environment.
    build_env = bld.env
    installing = bld.is_install
    samba_version.load_version(env=build_env, is_install=installing)
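def pydoctor(ctx):
    '''build python apidocs'''
    # shlex is not among the file-level imports, so it is imported locally.
    from shlex import quote

    # The absolute build path ends up on shell command lines; quote it so
    # a build directory with spaces or shell metacharacters is passed as
    # one word.  Ordinary paths are unchanged by quote().
    bp = quote(os.path.abspath('bin/python'))
    mpaths = {}
    modules = ['talloc', 'tdb', 'ldb']
    for m in modules:
        # Fixed: the probe used the Python 2 print statement, which is a
        # syntax error when 'python' is a Python 3 interpreter.  The
        # parenthesised form works on both.
        probe = "PYTHONPATH=%s python -c 'import %s; print(%s.__file__)'" % (bp, m, m)
        f = os.popen(probe, 'r')
        try:
            mpaths[m] = f.read().strip()
        finally:
            f.close()
    mpaths['main'] = bp
    # Only %(main)s is referenced by the template below; the per-module
    # paths collected above are not part of the final command.
    cmd = ('PYTHONPATH=%(main)s pydoctor --introspect-c-modules --project-name=Samba '
           '--project-url=http://www.samba.org --make-html --docformat=restructuredtext '
           '--add-package bin/python/samba ' + ''.join('--add-module %s ' % n for n in modules))
    cmd = cmd % mpaths
    print("Running: %s" % cmd)
    status = os.system(cmd)
    # Any non-zero wait status is a failure; os.WEXITSTATUS() alone reports
    # a shell killed by a signal as success.
    if status != 0:
        raise Errors.WafError('pydoctor failed')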
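def pep8(ctx):
    '''run pep8 validator'''
    # Fixed command line with no interpolated values.
    cmd = 'PYTHONPATH=bin/python pep8 -r bin/python/samba'
    print("Running: %s" % cmd)
    status = os.system(cmd)
    # Any non-zero wait status is a failure.  os.WEXITSTATUS() reads only
    # the exit-code byte, so a shell that was killed by a signal used to be
    # reported as success.
    if status != 0:
        raise Errors.WafError('pep8 failed')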
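def wafdocs(ctx):
    '''build wafsamba apidocs'''
    # shlex is not among the file-level imports, so it is imported locally.
    from shlex import quote
    from samba_utils import recursive_dirlist

    os.system('pwd')
    # Renamed from 'list', which shadowed the builtin for the rest of the
    # function.
    module_files = recursive_dirlist('../buildtools/wafsamba', '.', pattern='*.py')

    print(module_files)
    # Each file name becomes one shell word: quote() keeps names with
    # spaces or shell metacharacters intact and leaves ordinary names as
    # they are.
    cmd = ('PYTHONPATH=bin/python pydoctor --project-name=wafsamba --project-url=http://www.samba.org --make-html --docformat=restructuredtext' +
           "".join(' --add-module %s' % quote(f) for f in module_files))
    print("Running: %s" % cmd)
    status = os.system(cmd)
    # Any non-zero wait status is a failure; os.WEXITSTATUS() alone reports
    # a shell killed by a signal as success.
    if status != 0:
        raise Errors.WafError('wafdocs failed')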
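def dist():
    '''makes a tarball for distribution'''
    # shlex is not among the file-level imports, so it is imported locally.
    from shlex import quote

    sambaversion = samba_version.load_version(env=None)

    # The two documentation steps run through the shell.  Their exit status
    # used to be ignored, so a release tarball could be produced without
    # its documentation and nobody would notice.  They stay non-fatal, but
    # a failure is now reported.
    if os.system("make -C ctdb manpages") != 0:
        Logs.warn("'make -C ctdb manpages' failed; the ctdb manpages may be missing from the tarball")
    samba_dist.DIST_FILES('ctdb/doc:ctdb/doc', extend=True)

    # The version string and the script path are placed on a shell command
    # line; quote() keeps each of them a single word whatever they contain
    # and leaves ordinary values unchanged.
    manpages_cmd = "DOC_VERSION=%s %s" % (
        quote(sambaversion.STRING),
        quote(Context.g_module.top + "/release-scripts/build-manpages-nogit"))
    if os.system(manpages_cmd) != 0:
        Logs.warn("release-scripts/build-manpages-nogit failed; docs may be missing from the tarball")
    samba_dist.DIST_FILES('bin/docs:docs', extend=True)

    if not sambaversion.IS_SNAPSHOT:
        samba_dist.dist()
        return

    # write .distversion file and add to tar
    if not os.path.isdir(Context.g_module.out):
        os.makedirs(Context.g_module.out)
    # The context manager closes (and thereby removes) the temporary file
    # even when samba_dist.dist() raises; before, close() was skipped on
    # that path.
    with tempfile.NamedTemporaryFile(mode='w', prefix='.distversion',
                                     dir=Context.g_module.out) as distversionf:
        for field in sambaversion.vcs_fields:
            distveroption = field + '=' + str(sambaversion.vcs_fields[field])
            distversionf.write(distveroption + '\n')
        # Flush so the content is on disk before the tarball is built.
        distversionf.flush()
        samba_dist.DIST_FILES('%s:.distversion' % distversionf.name, extend=True)

        samba_dist.dist()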
def distcheck():
    '''test that distribution tarball builds and installs'''
    # The body visible here only loads the version, without a build
    # environment.
    no_env = None
    samba_version.load_version(env=no_env)
def wildcard_cmd(cmd):
    '''called on a unknown command'''
    # Imported on use; the command name is handed to samba_wildcard
    # unchanged.
    import samba_wildcard
    samba_wildcard.run_named_build_task(cmd)
def main():
    # Entry point that routes command handling through samba_wildcard,
    # with wildcard_cmd as the handler.  Documented with comments rather
    # than a docstring on purpose: waf lists wscript functions that carry
    # a docstring as commands in --help.
    import samba_wildcard

    samba_wildcard.wildcard_main(wildcard_cmd)
# Replace waf's own entry point with the wrapper above.
Scripting.main = main
def reconfigure(ctx):
    '''reconfigure if config scripts have changed'''
    # Thin wrapper: the work is done by samba_utils.reconfigure().
    from samba_utils import reconfigure as run_reconfigure
    run_reconfigure(ctx)
# Refuse to continue when a checked-out git submodule is out of date, so a
# build never silently uses stale submodule sources.
# NOTE(review): the check runs only when <top>/.git is a directory; a
# checkout where .git is a file (for example a linked worktree) skips it -
# confirm that this is intended.
if os.path.isdir(os.path.join(top, ".git")):
    # Check if there are submodules that are checked out but out of date.
    if any(state == "out-of-date"
           for _name, state in samba_git.read_submodule_status(top)):
        raise Errors.WafError("some submodules are out of date. Please run 'git submodule update'")