diff --git a/samba-4-15-fix-autorid.patch b/samba-4-15-fix-autorid.patch new file mode 100644 index 0000000..c90c0ce --- /dev/null +++ b/samba-4-15-fix-autorid.patch @@ -0,0 +1,231 @@ +From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:06:30 +0100 +Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) +--- + source3/winbindd/idmap_autorid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c +index ad53b5810ee..c7d56a37684 100644 +--- a/source3/winbindd/idmap_autorid.c ++++ b/source3/winbindd/idmap_autorid.c +@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) + config->maxranges = (dom->high_id - dom->low_id + 1) / + config->rangesize; + +- if (config->maxranges == 0) { +- DEBUG(1, ("Allowed uid range is smaller than rangesize. " +- "Increase uid range or decrease rangesize.\n")); ++ if (config->maxranges < 2) { ++ DBG_WARNING("Allowed idmap range is not a least double the " ++ "size of the rangesize. Please increase idmap " ++ "range.\n"); + status = NT_STATUS_INVALID_PARAMETER; + goto error; + } +-- +2.35.1 + + +From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:07:50 +0100 +Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) +--- + source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 98bcc219b1e..58ba46bc15f 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, + return false; /* Keep scanning */ + } + ++static int idmap_config_int(const char *domname, const char *option, int def) ++{ ++ int len = snprintf(NULL, 0, "idmap config %s", domname); ++ ++ if (len == -1) { ++ return def; ++ } ++ { ++ char config_option[len+1]; ++ snprintf(config_option, sizeof(config_option), ++ "idmap config %s", domname); ++ return lp_parm_int(-1, config_option, option, def); ++ } ++} ++ + static bool do_idmap_check(void) + { + struct idmap_domains *d; +@@ -157,6 +172,42 @@ static bool do_idmap_check(void) + rc); + } + ++ /* Check autorid backend */ ++ if (strequal(lp_idmap_default_backend(), "autorid")) { ++ struct idmap_config *c = NULL; ++ bool found = false; ++ ++ for (i = 0; i < d->count; i++) { ++ c = &d->c[i]; ++ ++ if (strequal(c->backend, "autorid")) { ++ found = true; ++ break; ++ } ++ } ++ ++ if (found) { ++ uint32_t rangesize = ++ idmap_config_int("*", "rangesize", 100000); ++ uint32_t maxranges = ++ (c->high - c->low + 1) / rangesize; ++ ++ if (maxranges < 2) { ++ fprintf(stderr, ++ "ERROR: The idmap autorid range " ++ "[%u-%u] needs to be at least twice as" ++ "big as the rangesize [%u]!" ++ "\n\n", ++ c->low, ++ c->high, ++ rangesize); ++ ok = false; ++ goto done; ++ } ++ } ++ } ++ ++ /* Check for overlapping idmap ranges */ + for (i = 0; i < d->count; i++) { + struct idmap_config *c = &d->c[i]; + uint32_t j; +-- +2.35.1 + + +From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:05:19 +0100 +Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) +--- + docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml +index 6c4da1cad8a..980718f0bd4 100644 +--- a/docs-xml/manpages/idmap_autorid.8.xml ++++ b/docs-xml/manpages/idmap_autorid.8.xml +@@ -48,7 +48,13 @@ + and the corresponding map is discarded. It is + intended as a way to avoid accidental UID/GID + overlaps between local and remotely defined +- IDs. ++ IDs. Note that the range should be a multiple ++ of the rangesize and needs to be at least twice ++ as large in order to have sufficient id range ++ space for the mandatory BUILTIN domain. ++ With a default rangesize of 100000 the range ++ needs to span at least 200000. ++ This would be: range = 100000 - 299999. + + + +-- +2.35.1 + diff --git a/samba.spec b/samba.spec index 8d088f3..3168f31 100644 --- a/samba.spec +++ b/samba.spec @@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 101 +%global baserelease 102 %global samba_version 4.15.5 %global talloc_version 2.3.3 @@ -209,6 +209,7 @@ Patch4: samba-disable-systemd-notifications.patch Patch5: samba-disable-ntlmssp.patch Patch6: samba-password-change-prompt.patch Patch7: samba-virus_scanner.patch +Patch8: samba-4-15-fix-autorid.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -4107,6 +4108,9 @@ fi %endif %changelog +* Thu Feb 17 2022 Andreas Schneider - 4.15.5-102 +- resolves: rhbz#2044231 - Improve idmap autorid sanity checks and documentation + * Mon Feb 14 2022 Pavel Filipenský - 4.15.5-101 - resolves: #2050111 - [RFE] Change change password change prompt phrasing - resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file