diff --git a/0109-dcerpc-make-sure-forest-trust-info-structure-version.patch b/0109-dcerpc-make-sure-forest-trust-info-structure-version.patch
new file mode 100644
index 0000000..df0bb2a
--- /dev/null
+++ b/0109-dcerpc-make-sure-forest-trust-info-structure-version.patch
@@ -0,0 +1,108 @@
+From 7d4b5541b2de30a91cd1f14b790bfa33dca8ea5f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 8 Sep 2025 18:57:09 +0300
+Subject: [PATCH] dcerpc: make sure forest trust info structure version is 1
+
+[MS-DRSR] 5.64 FOREST_TRUST_INFORMATION defines version of the
+ForestTrustInfo structure as 1. We didn't set it so it was defaulting to
+zero. Samba validates the version number and rejects ForestTrustInfo
+structures from FreeIPA.
+
+Make sure new structures are always set to version 1 and old strutures
+fixed up to have version 1.
+
+Fixes: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Julien Rische
+---
+ daemons/ipa-sam/ipa_sam.c | 38 +++++++++++++++++++++++++++++++++++++-
+ ipaserver/dcerpc.py | 1 +
+ 2 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 26f8e89ecc0107c4ab66dc1321f8afb5e1ce7b2f..3b8fc90fbfc6b8ed1afcc753dde1d5bb25d76aba 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -30,6 +30,8 @@ char *smb_xstrdup(const char *s);
+ #include
+
+ #include
++#include
++#include
+
+ #include
+
+@@ -101,7 +103,6 @@ struct unixid {
+ enum id_type type;
+ }/* [public] */;
+
+-enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */
+ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
+ /* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */
+ bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */
+@@ -2422,6 +2423,36 @@ static bool get_uint32_t_from_ldap_msg(struct ipasam_private *ipasam_state,
+ return true;
+ }
+
++static bool repack_pdb_forest_trust_info(struct pdb_trusted_domain *td)
++{
++ struct ForestTrustInfo *fti = NULL;
++ enum ndr_err_code ndr_err = 0;
++ /*
++ * Fix-up the version field as Samba expects it.
++ * We need to unpack the blob, change, and pack it again
++ */
++ fti = talloc(td, struct ForestTrustInfo);
++ if (fti == NULL) {
++ return false;
++ }
++ ndr_err = ndr_pull_struct_blob_all(&td->trust_forest_trust_info, td, fti,
++ (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(fti);
++ return false;
++ }
++
++ fti->version = 1;
++
++ talloc_free(td->trust_forest_trust_info.data);
++ td->trust_forest_trust_info = data_blob_null;
++
++ ndr_err = ndr_push_struct_blob(&td->trust_forest_trust_info, td, fti,
++ (ndr_push_flags_fn_t)ndr_push_ForestTrustInfo);
++ TALLOC_FREE(fti);
++ return NDR_ERR_CODE_IS_SUCCESS(ndr_err);
++}
++
+ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ struct ipasam_private *ipasam_state,
+ LDAPMessage *entry,
+@@ -2614,6 +2645,11 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ LDAP_ATTRIBUTE_TRUST_FOREST_TRUST_INFO,
+ &td->trust_forest_trust_info)) {
+ DEBUG(9, ("Failed to set forest trust info.\n"));
++ } else {
++ res = repack_pdb_forest_trust_info(td);
++ if (!res) {
++ return false;
++ }
+ }
+
+ *_td = td;
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 3344ea226e3cba61912e717f9c375612bb4707e0..b75c4fccfb3693d1fc5c2db2bb11837e312400ae 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1658,6 +1658,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
+
+ ftinfo.count = len(ftinfo_records)
+ ftinfo.records = ftinfo_records
++ ftinfo.version = 1
+ result['ftinfo_data'] = ndr_pack(ftinfo)
+ return result
+
+--
+2.51.0
+
diff --git a/0110-dcerpc-Support-Samba-4.23.patch b/0110-dcerpc-Support-Samba-4.23.patch
new file mode 100644
index 0000000..d1b1e19
--- /dev/null
+++ b/0110-dcerpc-Support-Samba-4.23.patch
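Review bot: In `repack_pdb_forest_trust_info`, `ndr_pull_struct_blob_all` is given `td` as the talloc context, so the records array and any other children the pull allocates for `fti` are owned by `td` rather than by `fti`; the `TALLOC_FREE(fti)` on both exit paths releases only the top-level struct and the decoded tree stays alive for the whole lifetime of `td`. Passing `fti` as the context, `ndr_err = ndr_pull_struct_blob_all(&td->trust_forest_trust_info, fti, fti, (ndr_pull_flags_fn_t)ndr_pull_ForestTrustInfo);`, keeps everything under the object the function frees. Pull and push failures are also silent, and because fill_pdb_trusted_domain now fails the whole trust entry when this returns false, a stored blob that does not decode makes the trust vanish without any log line; a `DEBUG(1, ("Failed to repack forest trust info: %s\n", ndr_errstr(ndr_err)));` before each `return false` would make that diagnosable. The caller's `return false` in the second ipa_sam.c hunk skips `TALLOC_FREE(td)`; patch 0111 later in this series reworks that path.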
@@ -0,0 +1,64 @@
+From 486558c63e4b0db6673e863a6bd89e885f8106dd Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 8 Sep 2025 18:59:50 +0300
+Subject: [PATCH] dcerpc: Support Samba 4.23
+
+Samba 4.23 ignores trust to PIM and 'within the forest' domains. It
+didn't know what to do with them in past as well but starting with 4.23
+the domain trust entries which have trust attributes with
+LSA_TRUST_ATTRIBUTE_PIM_TRUST and LSA_TRUST_ATTRIBUTE_WITHIN_FOREST bits
+set will be ignored.
+
+FreeIPA did default to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST for domains
+stored with trusted attributes set to 0 or missing. This was behavior in
+past for Samba as well. Since FreeIPA only supports forest trust and an
+external trust, in both cases we should set explicit LSA trust attribute
+bits:
+ - LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE for the forest trust
+ - LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE for the external trust
+
+Fixes: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Julien Rische
+---
+ daemons/ipa-sam/ipa_sam.c | 8 ++++----
+ ipaserver/dcerpc.py | 2 ++
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 3b8fc90fbfc6b8ed1afcc753dde1d5bb25d76aba..9fb4db4c5231de1fdf9b6550beea776142590cc8 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -2594,10 +2594,10 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ TALLOC_FREE(td);
+ return false;
+ }
+- if (td->trust_attributes == 0) {
+- /* attribute wasn't present, this is a subdomain within the
+- * parent forest */
+- td->trust_attributes = LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
++ if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
++ /* attribute wasn't present and this is not a subdomain within
++ * the parent forest */
++ td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
+ }
+
+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b75c4fccfb3693d1fc5c2db2bb11837e312400ae..1182f128b4988bc699fe7a40d4834f1bead82cf5 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1362,6 +1362,8 @@ class TrustDomainInstance:
+ info.trust_attributes = 0
+ if trust_external:
+ info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
++ else:
++ info.trust_attributes |= lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
+
+ try:
+ dname = lsa.String()
+--
+2.51.0
+
diff --git a/0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch b/0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch
new file mode 100644
index 0000000..b7599fb
--- /dev/null
+++ b/0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch
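Review bot: The new condition `td->domain_name != dns_domain` compares two `char *` by address, not by content, and whether that is right depends on how `td->domain_name` and `dns_domain` are assigned earlier in fill_pdb_trusted_domain, outside this hunk. If `td->domain_name` is set to the `dns_domain` pointer itself for subdomains of the parent forest, the pointer identity is the intended signal and the comment should say so, e.g. `/* domain_name aliases dns_domain only for subdomains of the parent forest */`; if the two are separately allocated copies of the same name, equal strings never compare equal and every subdomain stored with trust attributes 0 gets `LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE`, in which case the test should be a string comparison such as `strcmp(td->domain_name, dns_domain) != 0` (case-insensitive if the stored names can differ in case). Either way, subdomain entries now keep `trust_attributes == 0` where they previously received `LSA_TRUST_ATTRIBUTE_WITHIN_FOREST`, which matches the commit message's reading of Samba 4.23 but is worth stating in the comment so a later reader does not reintroduce the default.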
@@ -0,0 +1,136 @@
+From fcd0f0c6e07200e90628f108c7566b0ede7879b8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 11 Sep 2025 13:52:41 +0300
+Subject: [PATCH] ipasam: simplify error handling in fill_pdb_trusted_domain
+
+Related: https://pagure.io/freeipa/issue/9852
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Julien Rische
+---
+ daemons/ipa-sam/ipa_sam.c | 44 ++++++++++++++++++---------------------
+ 1 file changed, 20 insertions(+), 24 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 9fb4db4c5231de1fdf9b6550beea776142590cc8..ea85a7f430e67750059182b191497f4d2a2b73dc 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -2507,7 +2507,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ rc = ldap_str2dn(strdn, &dn, LDAP_DN_FORMAT_LDAPV3);
+ if (rc) {
+ free(strdn);
+- return false;
++ res = false;
++ goto done;
+ }
+
+ for (count = 0; dn[count] != NULL; count++);
+@@ -2519,8 +2520,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ strdn, ipasam_state->trust_dn));
+ ldap_dnfree(dn);
+ free(strdn);
+- TALLOC_FREE(td);
+- return false;
++ res = false;
++ goto done;
+
+ }
+
+@@ -2543,7 +2544,8 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ dummy, &sid);
+ TALLOC_FREE(dummy);
+ if (err != IDMAP_SUCCESS) {
+- return false;
++ res = false;
++ goto done;
+ }
+ sid_copy(&td->security_identifier, sid);
+ talloc_free(sid);
+@@ -2583,16 +2585,14 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ LDAP_ATTRIBUTE_TRUST_DIRECTION,
+ &td->trust_direction);
+ if (!res) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+
+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ LDAP_ATTRIBUTE_TRUST_ATTRIBUTES,
+ &td->trust_attributes);
+ if (!res) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+ if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
+ /* attribute wasn't present and this is not a subdomain within
+@@ -2604,8 +2604,7 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ LDAP_ATTRIBUTE_TRUST_TYPE,
+ &td->trust_type);
+ if (!res) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+ if (td->trust_type == 0) {
+ /* attribute wasn't present, set default value */
+@@ -2614,28 +2613,24 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+
+ td->trust_posix_offset = talloc_zero(td, uint32_t);
+ if (td->trust_posix_offset == NULL) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ LDAP_ATTRIBUTE_TRUST_POSIX_OFFSET,
+ td->trust_posix_offset);
+ if (!res) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+
+ td->supported_enc_type = talloc_zero(td, uint32_t);
+ if (td->supported_enc_type == NULL) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+ res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
+ LDAP_ATTRIBUTE_SUPPORTED_ENC_TYPE,
+ td->supported_enc_type);
+ if (!res) {
+- TALLOC_FREE(td);
+- return false;
++ goto done;
+ }
+ if (*td->supported_enc_type == 0) {
+ *td->supported_enc_type = ipasam_state->supported_enctypes;
+@@ -2647,14 +2642,15 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
+ DEBUG(9, ("Failed to set forest trust info.\n"));
+ } else {
+ res = repack_pdb_forest_trust_info(td);
+- if (!res) {
+- return false;
+- }
+ }
+
+- *_td = td;
+-
+- return true;
++done:
++ if (res) {
++ *_td = td;
++ } else {
++ TALLOC_FREE(td);
++ }
++ return res;
+ }
+
+ static NTSTATUS ipasam_get_trusted_domain(struct pdb_methods *methods,
+--
+2.51.0
+
diff --git a/0112-ipasam-address-signedness-warnings.patch b/0112-ipasam-address-signedness-warnings.patch
new file mode 100644
index 0000000..69713c8
--- /dev/null
+++ b/0112-ipasam-address-signedness-warnings.patch
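Review bot: In the `@@ -2614,28 +2613,24 @@` hunk the two `talloc_zero` failure branches (`td->trust_posix_offset == NULL` and `td->supported_enc_type == NULL`) were rewritten to a bare `goto done;` while `res` still holds `true` from the preceding successful `get_uint32_t_from_ldap_msg` call, so `done:` publishes `*_td = td` with a NULL field and the function reports success on allocation failure, where the original `TALLOC_FREE(td); return false;` did not. Both branches need `res = false;` before the `goto done;`, exactly as the `ldap_str2dn` and `IDMAP_SUCCESS` branches in the earlier hunks do. fill_pdb_trusted_domain begins and ends outside these hunks, so any direct `return false` remaining earlier in the body, and the initial value of `res`, should be checked against the new `done:` contract as well.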
@@ -0,0 +1,53 @@
+From cb36c3d9969ce0c0beacb43c7d4ea29da652c499 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 11 Sep 2025 13:57:46 +0300
+Subject: [PATCH] ipasam: address signedness warnings
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Julien Rische
+---
+ daemons/ipa-sam/ipa_sam.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index ea85a7f430e67750059182b191497f4d2a2b73dc..55a3a03a57f18856140a62d32fde744876c5e635 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -236,15 +236,13 @@ static void idmap_talloc_free(void *ptr, void *pvt)
+
+ static void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
+ {
+- size_t c;
+-
+ memset(dst, 0, sizeof(*dst));
+
+ dst->sid_rev_num = src->sid_rev_num;
+ dst->num_auths = src->num_auths;
+ memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
+
+- for (c = 0; c < src->num_auths; c++) {
++ for (int8_t c = 0; c < src->num_auths; c++) {
+ dst->sub_auths[c] = src->sub_auths[c];
+ }
+ }
+@@ -3249,7 +3247,6 @@ static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
+ {
+ NTSTATUS status;
+ struct pdb_trusted_domain **td;
+- int i;
+
+ status = ipasam_enum_trusted_domains(methods, mem_ctx,
+ num_domains, &td);
+@@ -3267,7 +3264,7 @@ static NTSTATUS ipasam_enum_trusteddoms(struct pdb_methods *methods,
+ goto fail;
+ }
+
+- for (i = 0; i < *num_domains; i++) {
++ for (uint32_t i = 0; i < *num_domains; i++) {
+ struct trustdom_info *dom_info;
+
+ dom_info = talloc(*domains, struct trustdom_info);
+--
+2.51.0
+
diff --git a/0113-ipasam-define-prototypes.patch b/0113-ipasam-define-prototypes.patch
new file mode 100644
index 0000000..9364b19
--- /dev/null
+++ b/0113-ipasam-define-prototypes.patch
@@ -0,0 +1,34 @@
+From fc40c7cdcfa3e59d5122248f3ed9faa135de22a6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 11 Sep 2025 13:58:03 +0300
+Subject: [PATCH] ipasam: define prototypes
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Julien Rische
+---
+ daemons/ipa-sam/ipa_sam.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 55a3a03a57f18856140a62d32fde744876c5e635..839a621ef9a185c5c07c4c2c24f627e1ef8ab43a 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -5380,12 +5380,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS samba_module_init(void);
+ NTSTATUS samba_module_init(void)
+ {
+ return smb_register_passdb(PASSDB_INTERFACE_VERSION, "ipasam",
+ pdb_init_ipasam);
+ }
+
++NTSTATUS samba_init_module(void);
+ NTSTATUS samba_init_module(void)
+ {
+ return smb_register_passdb(PASSDB_INTERFACE_VERSION, "ipasam",
+--
+2.51.0
+
diff --git a/0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch b/0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch
new file mode 100644
index 0000000..4b1bb67
--- /dev/null
+++ b/0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch
@@ -0,0 +1,74 @@
+From 4645f5f00b476e6e3030d1a1cc3c73f3f9614ee7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 18 Sep 2025 18:20:11 +0300
+Subject: [PATCH] ipasam: remove definitions which included from ndr_drsblobs.h
+
+Do not need to have duplicates as we include them. They used to be not
+exported by Samba but not anymore.
+
+Signed-off-by: Alexander Bokovoy
+---
+ daemons/ipa-sam/ipa_sam.c | 47 ---------------------------------------
+ 1 file changed, 47 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 839a621ef9a185c5c07c4c2c24f627e1ef8ab43a..c43ffddbbdd69123b5d568a937fbc12d138243d1 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -43,53 +43,6 @@ char *smb_xstrdup(const char *s);
+ #include "ipa_pwd.h"
+ #include "ipa_mspac.h"
+
+-/* from drsblobs.h */
+-struct AuthInfoNone {
+- uint32_t size;/* [value(0)] */
+-};
+-
+-struct AuthInfoNT4Owf {
+- uint32_t size;/* [value(16)] */
+- struct samr_Password password;
+-};
+-
+-struct AuthInfoClear {
+- uint32_t size;
+- uint8_t *password;
+-};
+-
+-struct AuthInfoVersion {
+- uint32_t size;/* [value(4)] */
+- uint32_t version;
+-};
+-
+-union AuthInfo {
+- struct AuthInfoNone none;/* [case(TRUST_AUTH_TYPE_NONE)] */
+- struct AuthInfoNT4Owf nt4owf;/* [case(TRUST_AUTH_TYPE_NT4OWF)] */
+- struct AuthInfoClear clear;/* [case(TRUST_AUTH_TYPE_CLEAR)] */
+- struct AuthInfoVersion version;/* [case(TRUST_AUTH_TYPE_VERSION)] */
+-}/* [nodiscriminant] */;
+-
+-struct AuthenticationInformation {
+- NTTIME LastUpdateTime;
+- enum lsa_TrustAuthType AuthType;
+- union AuthInfo AuthInfo;/* [switch_is(AuthType)] */
+- DATA_BLOB _pad;/* [flag(LIBNDR_FLAG_ALIGN4)] */
+-}/* [public] */;
+-
+-struct AuthenticationInformationArray {
+- uint32_t count;
+- struct AuthenticationInformation *array;
+-}/* [gensize,nopush,public,nopull] */;
+-
+-struct trustAuthInOutBlob {
+- uint32_t count;
+- uint32_t current_offset;/* [value((count>0)?12:0)] */
+- uint32_t previous_offset;/* [value((count>0)?12+ndr_size_AuthenticationInformationArray(¤t,ndr->flags):0)] */
+- struct AuthenticationInformationArray current;/* [subcontext_size((previous_offset)-(current_offset)),subcontext(0)] */
+- struct AuthenticationInformationArray previous;/* [subcontext(0),flag(LIBNDR_FLAG_REMAINING)] */
+-}/* [gensize,public,nopush] */;
+-
+ /* from generated idmap.h - hopefully OK */
+ enum id_type {
+ ID_TYPE_NOT_SPECIFIED,
+--
+2.51.0
+
diff --git a/freeipa.spec b/freeipa.spec
index 79ba886..56e6221 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -69,7 +69,7 @@
 %global krb5_kdb_version 9.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
-%global samba_version 4.22.2
+%global samba_version 4.23.0
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
 %if 0%{?rhel} < 9
@@ -231,7 +231,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 22%{?rc_version:.%rc_version}%{?dist}
+Release: 23%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -363,6 +363,12 @@ Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
 Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
 Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
 Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
+Patch0109: 0109-dcerpc-make-sure-forest-trust-info-structure-version.patch
+Patch0110: 0110-dcerpc-Support-Samba-4.23.patch
+Patch0111: 0111-ipasam-simplify-error-handling-in-fill_pdb_trusted_d.patch
+Patch0112: 0112-ipasam-address-signedness-warnings.patch
+Patch0113: 0113-ipasam-define-prototypes.patch
+Patch0114: 0114-ipasam-remove-definitions-which-included-from-ndr_dr.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -2016,6 +2022,9 @@ fi
 %endif
 %changelog
+* Thu Sep 18 2025 Florence Blanc-Renaud - 4.12.2-23
+- Related: RHEL-114548 Rebase Samba to the latest 4.23.x release
+
 * Mon Aug 25 2025 Florence Blanc-Renaud - 4.12.2-22
 - Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate