diff --git a/.gitignore b/.gitignore index 41cd890..a32ae18 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.15.5.tar.xz +SOURCES/samba-4.16.4.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index b1ff8f6..620213e 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz +c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch deleted file mode 100644 index f63464c..0000000 --- a/SOURCES/samba-4-15-fix-autorid.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:06:30 +0100 -Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) ---- - source3/winbindd/idmap_autorid.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c -index ad53b5810ee..c7d56a37684 100644 ---- a/source3/winbindd/idmap_autorid.c -+++ b/source3/winbindd/idmap_autorid.c -@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) - config->maxranges = (dom->high_id - dom->low_id + 1) / - config->rangesize; - -- if (config->maxranges == 0) { -- DEBUG(1, ("Allowed uid range is smaller than rangesize. " -- "Increase uid range or decrease rangesize.\n")); -+ if (config->maxranges < 2) { -+ DBG_WARNING("Allowed idmap range is not a least double the " -+ "size of the rangesize. Please increase idmap " -+ "range.\n"); - status = NT_STATUS_INVALID_PARAMETER; - goto error; - } --- -2.35.1 - - -From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:07:50 +0100 -Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) ---- - source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 51 insertions(+) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index 98bcc219b1e..58ba46bc15f 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, - return false; /* Keep scanning */ - } - -+static int idmap_config_int(const char *domname, const char *option, int def) -+{ -+ int len = snprintf(NULL, 0, "idmap config %s", domname); -+ -+ if (len == -1) { -+ return def; -+ } -+ { -+ char config_option[len+1]; -+ snprintf(config_option, sizeof(config_option), -+ "idmap config %s", domname); -+ return lp_parm_int(-1, config_option, option, def); -+ } -+} -+ - static bool do_idmap_check(void) - { - struct idmap_domains *d; -@@ -157,6 +172,42 @@ static bool do_idmap_check(void) - rc); - } - -+ /* Check autorid backend */ -+ if (strequal(lp_idmap_default_backend(), "autorid")) { -+ struct idmap_config *c = NULL; -+ bool found = false; -+ -+ for (i = 0; i < d->count; i++) { -+ c = &d->c[i]; -+ -+ if (strequal(c->backend, "autorid")) { -+ found = true; -+ break; -+ } -+ } -+ -+ if (found) { -+ uint32_t rangesize = -+ idmap_config_int("*", "rangesize", 100000); -+ uint32_t maxranges = -+ (c->high - c->low + 1) / rangesize; -+ -+ if (maxranges < 2) { -+ fprintf(stderr, -+ "ERROR: The idmap autorid range " -+ "[%u-%u] needs to be at least twice as " -+ "big as the rangesize [%u]!" -+ "\n\n", -+ c->low, -+ c->high, -+ rangesize); -+ ok = false; -+ goto done; -+ } -+ } -+ } -+ -+ /* Check for overlapping idmap ranges */ - for (i = 0; i < d->count; i++) { - struct idmap_config *c = &d->c[i]; - uint32_t j; --- -2.35.1 - - -From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:05:19 +0100 -Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) ---- - docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml -index 6c4da1cad8a..980718f0bd4 100644 ---- a/docs-xml/manpages/idmap_autorid.8.xml -+++ b/docs-xml/manpages/idmap_autorid.8.xml -@@ -48,7 +48,13 @@ - and the corresponding map is discarded. It is - intended as a way to avoid accidental UID/GID - overlaps between local and remotely defined -- IDs. -+ IDs. Note that the range should be a multiple -+ of the rangesize and needs to be at least twice -+ as large in order to have sufficient id range -+ space for the mandatory BUILTIN domain. -+ With a default rangesize of 100000 the range -+ needs to span at least 200000. -+ This would be: range = 100000 - 299999. - - - --- -2.35.1 - diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch deleted file mode 100644 index 93c2caa..0000000 --- a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch +++ /dev/null @@ -1,411 +0,0 @@ -From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 12:59:44 +0100 -Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error - path - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) ---- - source3/libads/authdata.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index dd21d895fc2..c048510d480 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; -+ DATA_BLOB tkt = data_blob_null; -+ DATA_BLOB tkt_wrapped = data_blob_null; -+ DATA_BLOB ap_rep = data_blob_null; -+ DATA_BLOB sesskey1 = data_blob_null; - const char *auth_princ = NULL; - const char *cc = "MEMORY:kerberos_return_pac"; - struct auth_session_info *session_info; -@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - ZERO_STRUCT(sesskey1); - - if (!name || !pass) { -- return NT_STATUS_INVALID_PARAMETER; -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto out; - } - - if (cache_name) { -@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - - if (expire_time && renew_till_time && - (*expire_time == 0) && (*renew_till_time == 0)) { -- return NT_STATUS_INVALID_LOGON_TYPE; -+ status = NT_STATUS_INVALID_LOGON_TYPE; -+ goto out; - } - - ret = ads_krb5_cli_get_ticket(mem_ctx, --- -2.35.1 - - -From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:00:05 +0100 -Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug - macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) ---- - lib/krb5_wrap/krb5_samba.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..42d4b950f80 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - goto done; - } - -- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); -+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); - - /* FIXME: we should not fall back to defaults */ - ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); --- -2.35.1 - - -From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:28 +0100 -Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer - debug macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) ---- - lib/krb5_wrap/krb5_samba.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 42d4b950f80..76c2dcd2126 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - - ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); - if (ret) { -- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); -+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " -+ "for client '%s' and service '%s' failed: %s\n", -+ ccache_string, client_string, service_string, -+ error_message(ret)); - goto done; - } - --- -2.35.1 - - -From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:08:56 +0100 -Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from - kerberos_return_pac() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) ---- - source3/libads/authdata.c | 22 +++++++++++++++++++++- - source3/libads/kerberos_proto.h | 2 ++ - source3/utils/net_ads.c | 2 ++ - source3/winbindd/winbindd_pam.c | 2 ++ - 4 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index c048510d480..bf9a2335445 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **_pac_data_ctr) - { - krb5_error_code ret; -@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_context; - struct loadparm_context *lp_ctx; - struct PAC_DATA_CTR *pac_data_ctr = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); -@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - goto out; - } - -+ if (_canon_principal != NULL) { -+ *_canon_principal = NULL; -+ } -+ -+ if (_canon_realm != NULL) { -+ *_canon_realm = NULL; -+ } -+ - if (cache_name) { - cc = cache_name; - } -@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - request_pac, - add_netbios_addr, - renewable_time, -- NULL, NULL, NULL, -+ tmp_ctx, -+ &canon_principal, -+ &canon_realm, - &status); - if (ret) { - DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", -@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - } - - *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); -+ if (_canon_principal != NULL) { -+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); -+ } -+ if (_canon_realm != NULL) { -+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); -+ } - - out: - talloc_free(tmp_ctx); -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index 3d7b5bc074b..807381248c8 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **pac_data_ctr); - - /* The following definitions come from libads/krb5_setpw.c */ -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 8f993f9ba4c..c41fb0afe9c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch - 2592000, /* one month */ - impersonate_princ_s, - local_service, -+ NULL, -+ NULL, - pac_data_ctr); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 7606bfb4ecd..025a5cbc111 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -+ NULL, -+ NULL, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); --- -2.35.1 - - -From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:19:02 +0100 -Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache - entry - -They will be used later to refresh the tickets. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) ---- - source3/winbindd/winbindd.h | 2 ++ - source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- - source3/winbindd/winbindd_pam.c | 14 ++++++++++---- - source3/winbindd/winbindd_proto.h | 4 +++- - 4 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index a6b2238cec1..dac4a1fa927 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { - const char *service; - const char *username; - const char *realm; -+ const char *canon_principal; -+ const char *canon_realm; - struct WINBINDD_MEMORY_CREDS *cred_ptr; - int ref_count; - uid_t uid; -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index c3077e21989..88847b1ab97 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request) -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm) - { - struct WINBINDD_CCACHE_ENTRY *entry = NULL; - struct timeval t; -@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - goto no_mem; - } - } -+ if (canon_principal != NULL) { -+ entry->canon_principal = talloc_strdup(entry, canon_principal); -+ if (entry->canon_principal == NULL) { -+ goto no_mem; -+ } -+ } -+ if (canon_realm != NULL) { -+ entry->canon_realm = talloc_strdup(entry, canon_realm); -+ if (entry->canon_realm == NULL) { -+ goto no_mem; -+ } -+ } - - entry->ccname = talloc_strdup(entry, ccname); - if (!entry->ccname) { -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 025a5cbc111..a24cef78440 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - const char *local_service; - uint32_t i; - struct netr_SamInfo6 *info6_copy = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - bool ok; - - *info6 = NULL; -@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -- NULL, -- NULL, -+ &canon_principal, -+ &canon_realm, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); -@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - time(NULL), - ticket_lifetime, - renewal_until, -- false); -+ false, -+ canon_principal, -+ canon_realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", -@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, - time(NULL), - time(NULL) + lp_winbind_cache_time(), - time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, -- true); -+ true, -+ principal_s, -+ realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed " -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h -index c0d653a6d77..16c23f3de40 100644 ---- a/source3/winbindd/winbindd_proto.h -+++ b/source3/winbindd/winbindd_proto.h -@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request); -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm); - NTSTATUS remove_ccache(const char *username); - struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); - NTSTATUS winbindd_add_memory_creds(const char *username, --- -2.35.1 - - -From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:44 +0100 -Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the - credentials - -The principal name stored in the winbindd ccache entry might be an -enterprise principal name if enterprise principals are enabled. Use -the canonical name to renew the credentials. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) ---- - source3/winbindd/winbindd_cred_cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index 88847b1ab97..6c65db6a73f 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -209,7 +209,7 @@ rekinit: - set_effective_uid(entry->uid); - - ret = smb_krb5_renew_ticket(entry->ccname, -- entry->principal_name, -+ entry->canon_principal, - entry->service, - &new_start); - #if defined(DEBUG_KRB5_TKT_RENEWAL) --- -2.35.1 - diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc deleted file mode 100644 index 4e31e62..0000000 --- a/SOURCES/samba-4.15.5.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA -tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX -KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9 -j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt -b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY -0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v -/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj -+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9 -g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y -5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ -f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB -OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo= -=oc6g ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch new file mode 100644 index 0000000..337be97 --- /dev/null +++ b/SOURCES/samba-4.16-waf-crypto.patch @@ -0,0 +1,77 @@ +From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:24:04 +0200 +Subject: [PATCH 1/2] waf: Check for GnuTLS earlier + +As GnuTLS is an essential part we need to check for it early so we can react on +GnuTLS features in other wscripts. + +Signed-off-by: Andreas Schneider +--- + wscript | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wscript b/wscript +index d8220b35095..5b85d9a1682 100644 +--- a/wscript ++++ b/wscript +@@ -189,6 +189,8 @@ def configure(conf): + conf.RECURSE('dynconfig') + conf.RECURSE('selftest') + ++ conf.PROCESS_SEPARATE_RULE('system_gnutls') ++ + conf.CHECK_CFG(package='zlib', minversion='1.2.3', + args='--cflags --libs', + mandatory=True) +@@ -297,8 +299,6 @@ def configure(conf): + if not conf.CONFIG_GET('KRB5_VENDOR'): + conf.PROCESS_SEPARATE_RULE('embedded_heimdal') + +- conf.PROCESS_SEPARATE_RULE('system_gnutls') +- + conf.RECURSE('source4/dsdb/samdb/ldb_modules') + conf.RECURSE('source4/ntvfs/sysdep') + conf.RECURSE('lib/util') +-- +2.35.1 + + +From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:25:31 +0200 +Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS + provides the cipher + +Signed-off-by: Andreas Schneider +--- + third_party/wscript | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/third_party/wscript b/third_party/wscript +index 1f4bc1ce1d7..a17c15bcaa7 100644 +--- a/third_party/wscript ++++ b/third_party/wscript +@@ -5,7 +5,8 @@ from waflib import Options + def configure(conf): + conf.RECURSE('cmocka') + conf.RECURSE('popt') +- conf.RECURSE('aesni-intel') ++ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ conf.RECURSE('aesni-intel') + if conf.CONFIG_GET('ENABLE_SELFTEST'): + conf.RECURSE('socket_wrapper') + conf.RECURSE('nss_wrapper') +@@ -18,7 +19,8 @@ def configure(conf): + def build(bld): + bld.RECURSE('cmocka') + bld.RECURSE('popt') +- bld.RECURSE('aesni-intel') ++ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ bld.RECURSE('aesni-intel') + if bld.CONFIG_GET('SOCKET_WRAPPER'): + bld.RECURSE('socket_wrapper') + if bld.CONFIG_GET('NSS_WRAPPER'): +-- +2.35.1 + diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc new file mode 100644 index 0000000..96aba0e --- /dev/null +++ b/SOURCES/samba-4.16.4.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmLg520ACgkQqplEL7aA +tiBsuA//ZqQhoz1unYEMk6tqu528xGweYd488gjdKkszWPCI5NmGbmvN/tbhUIc3 +WbJO8oPEFN81+a0b7nsKxpgDt8IR00rx4mA3A5rh+Z1PTbUWpjBxchTsXZsEaDaE +dA/pRes+rzDpjLg2VWAd+5SDwy1d5ZfZ+gX/qntfpgYLqiBfJNJJPxCEFqnG1IUF +xaWwKQNuduq89Wr3LabSCjx4IMQEABr8VN+WZG5JhmKBaad1I5tOBOFypLS0iKUX +bGsMr3itdKFvYmAFM2ZbY/Q7DZb5GIUvNOqyRcBYQe33tqS2GYjEHS0tbXoNP5l2 +gQcs3FiebX6Bi4I6EoFL380LLG1zskCV5xRtGIvrW7SOKCnkaswuxlHEQSVWFc0A +2aZmT7RaKYwtm+0kD+Fq3PWBwPvLBgiCP9oohfOgqrW9VnIJNbyCyJcBbK8snS0a +KIfr+hM+ccNBVhmpFWRjA0WkVW9d9/tcDFN63nTQJkZg4cXZboMVO7fjmo4U1oJK +qIVU5Xr0e5TXLNWguvr6t03CUvtfgBHMYFrHRX4HJTN7Z3m4WxAYt+jspIavQP/S +muj4g/INYmjZmBG2f9mign6Tt3MtOtHlymMFAJ1t1e+9B5v1dkmO4T6ffqbDgvg5 +bnAFUM5+bzW81DGJNbITDSNBU7PokwP4cQBNTVtgK38DW4BiPO8= +=6kYO +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-ctdb-etcd-reclock.patch b/SOURCES/samba-ctdb-etcd-reclock.patch deleted file mode 100644 index 2a55408..0000000 --- a/SOURCES/samba-ctdb-etcd-reclock.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001 -From: Martin Schwenke -Date: Tue, 27 Apr 2021 15:46:14 +1000 -Subject: [PATCH] utils: Use Python 3 - -Due to the number of flake8 and pylint warnings it is unclear if the -source has Python 3 incompatibilities. These will be cleaned up in -subsequent commits. - -Signed-off-by: "L.P.H. van Belle" -Reviewed-by: Martin Schwenke -Reviewed-by: David Disseldorp -Reviewed-by: Jose A. Rivera ---- - ctdb/utils/etcd/ctdb_etcd_lock | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock -index 000c6bb7208..7f5194eff0a 100755 ---- a/ctdb/utils/etcd/ctdb_etcd_lock -+++ b/ctdb/utils/etcd/ctdb_etcd_lock -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/env python3 - # - # This program is free software: you can redistribute it and/or modify - # it under the terms of the GNU General Public License as published by --- -2.31.1 - diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch deleted file mode 100644 index d80e85b..0000000 --- a/SOURCES/samba-disable-ntlmssp.patch +++ /dev/null @@ -1,764 +0,0 @@ -From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 10 Dec 2021 16:08:04 +0100 -Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) ---- - source3/utils/net_ads.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 6ab4a0096b1..8f993f9ba4c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, - char *cp; - const char *realm = NULL; - bool tried_closest_dc = false; -+ enum credentials_use_kerberos krb5_state = -+ CRED_USE_KERBEROS_DISABLED; - - /* lp_realm() should be handled by a command line param, - However, the join requires that realm be set in smb.conf -@@ -650,10 +652,28 @@ retry: - ads->auth.password = smb_xstrdup(c->opt_password); - } - -- ads->auth.flags |= auth_flags; - SAFE_FREE(ads->auth.user_name); - ads->auth.user_name = smb_xstrdup(c->opt_user_name); - -+ ads->auth.flags |= auth_flags; -+ -+ /* The ADS code will handle FIPS mode */ -+ krb5_state = cli_credentials_get_kerberos_state(c->creds); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } -+ - /* - * If the username is of the form "name@realm", - * extract the realm and convert to upper case. --- -2.33.1 - - -From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 8 Dec 2021 16:05:17 +0100 -Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 60fa2bf80cb..b91e2d15bcf 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -1,18 +1,18 @@ --/* -+/* - Unix SMB/CIFS implementation. - ads sasl code - Copyright (C) Andrew Tridgell 2001 -- -+ - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. -- -+ - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. -- -+ - You should have received a copy of the GNU General Public License - along with this program. If not, see . - */ -@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { - .disconnect = ads_sasl_gensec_disconnect - }; - --/* -+/* - perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can - we fit on one socket??) - */ -@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, - - #endif /* HAVE_KRB5 */ - --/* -+/* - this performs a SASL/SPNEGO bind - */ - static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) -@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - file_save("sasl_spnego.dat", blob.data, blob.length); - #endif - -- /* the server sent us the first part of the SPNEGO exchange in the negprot -+ /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ - if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || - OIDs[0] == NULL) { -@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - #ifdef HAVE_KRB5 - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && -- got_kerberos_mechanism) -+ got_kerberos_mechanism) - { - mech = "KRB5"; - -@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - "calling kinit\n", ads_errstr(status))); - } - -- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); -+ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", -@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - } - - /* only fallback to NTLMSSP if allowed */ -- if (ADS_ERR_OK(status) || -+ if (ADS_ERR_OK(status) || - !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { - goto done; - } -@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - #endif - - /* lets do NTLMSSP ... this has the big advantage that we don't need -- to sync clocks, and we don't rely on special versions of the krb5 -+ to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", --- -2.33.1 - - -From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 9 Dec 2021 13:43:08 +0100 -Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) ---- - source3/libads/sasl.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index b91e2d15bcf..992f7022a69 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " - "for %s/%s with user[%s] realm[%s]: %s, " -- "fallback to NTLMSSP\n", -+ "try to fallback to NTLMSSP\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; -+ -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" -+ " disallowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_USE_KERBEROS_DISABLED, - p.service, p.hostname, --- -2.33.1 - - -From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 7 Jan 2022 10:31:19 +0100 -Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 992f7022a69..ea98aa47ecd 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - p.service, p.hostname, - blob); - if (!ADS_ERR_OK(status)) { -- DEBUG(0,("kinit succeeded but " -- "ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s\n", -+ DBG_ERR("kinit succeeded but " -+ "SPNEGO bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -- ads_errstr(status))); -+ ads_errstr(status)); - } - } - -@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - goto done; - } - -- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s, " -- "try to fallback to NTLMSSP\n", -- p.service, p.hostname, -- ads->auth.user_name, -- ads->auth.realm, -- ads_errstr(status))); -+ DBG_WARNING("SASL bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s, " -+ "try to fallback to NTLMSSP\n", -+ p.service, p.hostname, -+ ads->auth.user_name, -+ ads->auth.realm, -+ ads_errstr(status)); - } - #endif - --- -2.33.1 - - -From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 11:13:06 +0100 -Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds - without kerberos) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) ---- - source3/libads/sasl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index ea98aa47ecd..1bcfe0490a8 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - -+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { -+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { - DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" - " disallowed.\n"); --- -2.33.1 - - -From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 15:33:46 +0100 -Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) ---- - .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ - 1 file changed, 41 insertions(+) - create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh - -diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -new file mode 100755 -index 00000000000..2822ab29d14 ---- /dev/null -+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -@@ -0,0 +1,41 @@ -+#!/bin/sh -+# Blackbox tests for diabing NTLMSSP for ldap clinet connections -+# Copyright (c) 2022 Pavel Filipenský -+ -+if [ $# -lt 2 ]; then -+cat <&1 || failed=`expr $failed + 1` -+ -+# We should be allowed to use NTLM for connecting -+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+GNUTLS_FORCE_FIPS_MODE=1 -+export GNUTLS_FORCE_FIPS_MODE -+ -+# Checks that testparm reports: Weak crypto is disallowed -+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` -+ -+# We should not be allowed to use NTLM for connecting -+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+unset GNUTLS_FORCE_FIPS_MODE -+ -+exit $failed --- -2.33.1 - - -From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 4 Jan 2022 12:00:20 +0100 -Subject: [PATCH 07/10] s4:selftest: plan test suite - samba4.blackbox.test_weak_disable_ntlmssp_ldap -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) ---- - source4/selftest/tests.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 1e4b2ae6dd3..3a6a716f061 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo - - if have_gnutls_fips_mode_support: - plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) -+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) - - for env in ["ad_dc_fips", "ad_member_fips"]: - plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) --- -2.33.1 - - -From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:47:38 +0100 -Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) ---- - source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- - 1 file changed, 19 insertions(+), 19 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 948c903f165..e415df347e6 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user_list: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * According to Section 5.1(4) of RFC 2251 if a value of a type is it's - * default value, it MUST be absent. In case of extensible matching the - * "dnattr" boolean defaults to FALSE and so it must be only be present -- * when set to TRUE. -+ * when set to TRUE. - * - * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a - * filter using bitwise matching rule then the buggy AD fails to decode -@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * - * Thanks to Ralf Haferkamp for input and testing - Guenther */ - -- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", -+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", - ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, -- ADS_LDAP_MATCHING_RULE_BIT_AND, -+ ADS_LDAP_MATCHING_RULE_BIT_AND, - enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); - - if (filter == NULL) { -@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); - - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - struct wb_acct_info **info) - { - /* -- * This is a stub function only as we returned the domain -+ * This is a stub function only as we returned the domain - * local groups in enum_dom_groups() if the domain->native field - * was true. This is a simple performance optimization when - * using LDAP. - * -- * if we ever need to enumerate domain local groups separately, -+ * if we ever need to enumerate domain local groups separately, - * then this optimization in enum_dom_groups() will need - * to be split out - */ -@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, - tokenGroups are not available. */ - static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, -- const char *user_dn, -+ const char *user_dn, - struct dom_sid *primary_group, - uint32_t *p_num_groups, struct dom_sid **user_sids) - { -@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - if (count != 1) { - status = NT_STATUS_UNSUCCESSFUL; - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " -- "invalid number of results (count=%d)\n", -+ "invalid number of results (count=%d)\n", - dom_sid_str_buf(sid, &buf), - count)); - goto done; - } - - if (!msg) { -- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", -+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", - dom_sid_str_buf(sid, &buf))); - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - } - - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { -- DEBUG(1,("%s: No primary group for sid=%s !?\n", -+ DEBUG(1,("%s: No primary group for sid=%s !?\n", - domain->name, - dom_sid_str_buf(sid, &buf))); - goto done; -@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - - count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); - -- /* there must always be at least one group in the token, -+ /* there must always be at least one group in the token, - unless we are talking to a buggy Win2k server */ - - /* actually this only happens when the machine account has no read -@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - /* lookup what groups this user is a member of by DN search on - * "member" */ - -- status = lookup_usergroups_member(domain, mem_ctx, user_dn, -+ status = lookup_usergroups_member(domain, mem_ctx, user_dn, - &primary_group, - &num_groups, user_sids); - *p_num_groups = num_groups; -@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " - "not map any SIDs at all.\n")); - /* Don't handle this as an error here. -- * There is nothing left to do with respect to the -+ * There is nothing left to do with respect to the - * overall result... */ - } - else if (!NT_STATUS_IS_OK(status)) { -@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, - NETR_TRUST_FLAG_IN_FOREST; - } else { - flags = NETR_TRUST_FLAG_IN_FOREST; -- } -+ } - - result = cm_connect_netlogon(domain, &cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("trusted_domains: Could not open a connection to %s " -- "for PIPE_NETLOGON (%s)\n", -+ "for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); - return NT_STATUS_UNSUCCESSFUL; - } --- -2.33.1 - - -From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:44:54 +0100 -Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) ---- - source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index e415df347e6..6f01ef6e334 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -34,6 +34,7 @@ - #include "../libds/common/flag_mapping.h" - #include "libsmb/samlogon_cache.h" - #include "passdb.h" -+#include "auth/credentials/credentials.h" - - #ifdef HAVE_ADS - -@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ADS_STATUS status; - struct sockaddr_storage dc_ss; - fstring dc_name; -+ enum credentials_use_kerberos krb5_state; - - if (auth_realm == NULL) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); -@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ads->auth.renewable = renewable; - ads->auth.password = password; - -- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. */ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - ads->auth.realm = SMB_STRDUP(auth_realm); - if (!strupper_m(ads->auth.realm)) { --- -2.33.1 - - -From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 21 Jan 2022 12:01:33 +0100 -Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 - -(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) ---- - source3/libnet/libnet_join.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 02705f1c70c..4c67e9af5c4 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - ADS_STATUS status; - ADS_STRUCT *my_ads = NULL; - char *cp; -+ enum credentials_use_kerberos krb5_state; - - my_ads = ads_init(dns_domain_name, - netbios_domain_name, -@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. */ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - if (user_name) { - SAFE_FREE(my_ads->auth.user_name); --- -2.33.1 - diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch deleted file mode 100644 index 9e57630..0000000 --- a/SOURCES/samba-disable-systemd-notifications.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 -From: "FeRD (Frank Dana)" -Date: Mon, 24 Jan 2022 22:14:31 -0500 -Subject: [PATCH] printing/bgqd: Disable systemd notifications - -samba-bgqd daemon is started by existing Samba daemons. When running -under systemd, those daemons control systemd notifications and -samba-bgqd messages need to be silenced. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 - -Signed-off-by: FeRD (Frank Dana) -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) ---- - source3/printing/samba-bgqd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c -index f21327fc622..59ed0cc40db 100644 ---- a/source3/printing/samba-bgqd.c -+++ b/source3/printing/samba-bgqd.c -@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) - - log_stdout = (debug_get_log_type() == DEBUG_STDOUT); - -+ /* main process will notify systemd */ -+ daemon_sd_notifications(false); -+ - if (!cmdline_daemon_cfg->fork) { - daemon_status(progname, "Starting process ... "); - } else { --- -2.34.1 - diff --git a/SOURCES/samba-glibc-dns.patch b/SOURCES/samba-glibc-dns.patch deleted file mode 100644 index c01d481..0000000 --- a/SOURCES/samba-glibc-dns.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Oct 2021 15:55:37 +0200 -Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34 - -With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper -anymore. The res_* symbols have been moved from libresolv to libc. We are not -able to intercept any traffic inside of libc. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - selftest/wscript | 2 +- - third_party/resolv_wrapper/wscript | 13 +++++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/selftest/wscript b/selftest/wscript -index a6be06c2ae9..85d9338489a 100644 ---- a/selftest/wscript -+++ b/selftest/wscript -@@ -252,7 +252,7 @@ def cmd_testonly(opt): - if os.environ.get('USE_NAMESPACES') is None: - env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') - -- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'): -+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): - env.OPTIONS += " --use-dns-faking" - - if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): -diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript -index a7f18389b0f..7e369bd90b5 100644 ---- a/third_party/resolv_wrapper/wscript -+++ b/third_party/resolv_wrapper/wscript -@@ -1,6 +1,7 @@ - #!/usr/bin/env python - - import os -+from waflib import Logs - - VERSION="1.1.7" - -@@ -49,6 +50,18 @@ def configure(conf): - if conf.CONFIG_SET('HAVE_RES_NCLOSE'): - conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1) - -+ # If we find res_nquery in libc, we can't do resolv.conf redirect -+ conf.CHECK_FUNCS('res_nquery __res_nquery') -+ if (conf.CONFIG_SET('HAVE_RES_NQUERY') -+ or conf.CONFIG_SET('HAVE___RES_NQUERY')): -+ Logs.warn("Detection for resolv_wrapper: " -+ "Only dns faking will be available") -+ else: -+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ - conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True) --- -2.33.1 - diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch deleted file mode 100644 index 5dee86c..0000000 --- a/SOURCES/samba-password-change-prompt.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 17 Nov 2021 09:56:09 +0100 -Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to - off). - -This change disables the prompt for the change of an expired password by -default (using the PAM_RADIO_TYPE mechanism if present). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) ---- - docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ - nsswitch/pam_winbind.c | 12 ++++++++++-- - nsswitch/pam_winbind.h | 1 + - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml -index 0bc288f91a1..bae9298fc32 100644 ---- a/docs-xml/manpages/pam_winbind.conf.5.xml -+++ b/docs-xml/manpages/pam_winbind.conf.5.xml -@@ -194,6 +194,13 @@ - - - -+ -+ pwd_change_prompt = yes|no -+ -+ Generate prompt for changing an expired password. Defaults to "no". -+ -+ -+ - - - -diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c -index 720a4b90d85..06098dd07d8 100644 ---- a/nsswitch/pam_winbind.c -+++ b/nsswitch/pam_winbind.c -@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, - ctrl |= WINBIND_MKHOMEDIR; - } - -+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; -+ } -+ - config_from_pam: - /* step through arguments */ - for (i=argc,v=argv; i-- > 0; ++v) { -@@ -522,6 +526,8 @@ config_from_pam: - else if (!strncasecmp(*v, "warn_pwd_expire", - strlen("warn_pwd_expire"))) - ctrl |= WINBIND_WARN_PWD_EXPIRE; -+ else if (!strcasecmp(*v, "pwd_change_prompt")) -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; - else if (type != PAM_WINBIND_CLEANUP) { - __pam_log(pamh, ctrl, LOG_ERR, - "pam_parse: unknown option: %s", *v); -@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. - */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. - */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h -index c6786d65a4d..2f4a25729bd 100644 ---- a/nsswitch/pam_winbind.h -+++ b/nsswitch/pam_winbind.h -@@ -157,6 +157,7 @@ do { \ - #define WINBIND_WARN_PWD_EXPIRE 0x00002000 - #define WINBIND_MKHOMEDIR 0x00004000 - #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 -+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 - - #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) - #define _(string) dgettext(MODULE_NAME, string) --- -2.35.1 - diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch deleted file mode 100644 index d1a6b6a..0000000 --- a/SOURCES/samba-printing-win7.patch +++ /dev/null @@ -1,229 +0,0 @@ -From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 22 Jan 2022 01:08:26 +0100 -Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls - -This is important for the source3/rpc_server code as it might -be called embedded in smbd and may not run as root with access -to our private tdb/ldb files. - -Note this is only really needed for 4.15 and older, as -we no longer run the rpc_server embedded in smbd, -but we better be consistent for now. - -This should be able to fix the problem the printing no longer works -on Windows 7 with 2021-10 monthly rollup patch (KB5006743). - -Windows uses NTLMSSP with privacy at the DCERPC layer on top -of NCACN_NP (smb). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) ---- - librpc/rpc/dcesrv_auth.c | 5 +++++ - librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ - librpc/rpc/dcesrv_core.h | 2 ++ - source3/rpc_server/rpc_config.c | 2 ++ - source4/rpc_server/service_rpc.c | 10 ++++++++++ - 5 files changed, 37 insertions(+) - -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index fec8df513a83..99d8e0162160 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) - auth->auth_level = call->in_auth_info.auth_level; - auth->auth_context_id = call->in_auth_info.auth_context_id; - -+ cb->auth.become_root(); - status = cb->auth.gensec_prepare( - auth, - call, - &auth->gensec_security, - cb->auth.private_data); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", - nt_errstr(status))); -@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) - NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) - { - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - const char *pdu = ""; - - switch (call->pkt.ptype) { -@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) - return status; - } - -+ cb->auth.become_root(); - status = gensec_session_info(auth->gensec_security, - auth, - &auth->session_info); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to establish session_info: %s\n", - nt_errstr(status))); -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index d16159b0b6cd..ea91fc689b4a 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - struct dcerpc_binding *ep_2nd_description = NULL; - const char *endpoint = NULL; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct dcerpc_ack_ctx *ack_features = NULL; - struct tevent_req *subreq = NULL; -@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - { - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct tevent_req *subreq = NULL; - NTSTATUS status; - -@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - return NT_STATUS_OK; - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - struct ncacn_packet *pkt = &call->ack_pkt; - uint32_t extra_flags = 0; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct tevent_req *subreq = NULL; - size_t i; -@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h -index d8d5f9030959..0538442e0ce6 100644 ---- a/librpc/rpc/dcesrv_core.h -+++ b/librpc/rpc/dcesrv_core.h -@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { - struct gensec_security **out, - void *private_data); - void *private_data; -+ void (*become_root)(void); -+ void (*unbecome_root)(void); - } auth; - struct { - NTSTATUS (*find)( -diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c -index 2f1a01da1c0b..289c4f398409 100644 ---- a/source3/rpc_server/rpc_config.c -+++ b/source3/rpc_server/rpc_config.c -@@ -31,6 +31,8 @@ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = dcesrv_log_successful_authz, - .auth.gensec_prepare = dcesrv_auth_gensec_prepare, -+ .auth.become_root = become_root, -+ .auth.unbecome_root = unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - -diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c -index d8c6746d7815..ebb50f8a7ef3 100644 ---- a/source4/rpc_server/service_rpc.c -+++ b/source4/rpc_server/service_rpc.c -@@ -40,9 +40,19 @@ - #include "../libcli/named_pipe_auth/npa_tstream.h" - #include "samba/process_model.h" - -+static void skip_become_root(void) -+{ -+} -+ -+static void skip_unbecome_root(void) -+{ -+} -+ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = log_successful_dcesrv_authz_event, - .auth.gensec_prepare = dcesrv_gensec_prepare, -+ .auth.become_root = skip_become_root, -+ .auth.unbecome_root = skip_unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - --- -2.25.1 - diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch index 8e84d96..5d3cb55 100644 --- a/SOURCES/samba-s4u.patch +++ b/SOURCES/samba-s4u.patch @@ -1,4 +1,4 @@ -From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:25:03 +0300 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support @@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 71 insertions(+), 106 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index f35210669c2..b1c7c5dcc5e 100644 +index 793fe366c35..22534c09974 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, krb5_keyblock *krbtgt_key, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, @@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644 mit_ctx = ks_get_context(context); if (mit_ctx == NULL) { -@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, @@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { goto done; } -@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = mit_samba_reget_pac(mit_ctx, context, flags, @@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644 return code; } -@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **pac_auth_data = NULL; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644 krb5_error_code code; krb5_pac pac = NULL; krb5_data pac_data; -@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; @@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); /* -@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, ks_client_princ = client->princ; } @@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (client_entry == NULL) { client_entry = client; } -@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, code = ks_verify_pac(context, flags, @@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644 client_entry, server, krbtgt, -@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, is_as_req ? "AS-REQ" : "TGS-REQ", client_name); code = krb5_pac_sign(context, pac, authtime, ks_client_princ, @@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); goto done; -@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, KRB5_AUTHDATA_IF_RELEVANT, authdata, signed_auth_data); @@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644 done: if (client_entry != NULL && client_entry != client) { ks_free_principal(context, client_entry); -@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, +@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, * server; -> delegating service * proxy; -> target principal */ @@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 4239332f0d9..acc3cba6254 100644 +index cb72b5de294..03c2c2ea1de 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, +@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, context, *pac, server->princ, @@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644 deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Update delegation info failed: %s\n", -@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, } int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644 static krb5_error_code mit_samba_change_pwd_error(krb5_context context, diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 636c77ec97c..9cb00c9610e 100644 +index 4431e82a1b2..9370ab533af 100644 --- a/source4/kdc/mit_samba.h +++ b/source4/kdc/mit_samba.h -@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, DATA_BLOB *e_data); int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -333,10 +333,10 @@ index 636c77ec97c..9cb00c9610e 100644 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, char *pwd, -- -2.33.1 +2.37.1 -From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:35:30 +0300 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build @@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 185 insertions(+), 13 deletions(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..791b417d5ba 100644 +index 4321f07ca09..3fd95e47fca 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c -@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, +@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, return 0; } @@ -546,7 +546,7 @@ index fff5b4e2a22..791b417d5ba 100644 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index eab67f6d969..b5385c69a33 100644 +index a66b7465530..c8573f52bd9 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, @@ -611,66 +611,23 @@ index 544d9d853cc..c14d8c72d8c 100644 ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, ccache, -- -2.33.1 +2.37.1 -From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 19 Sep 2020 14:16:20 +0200 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code --- - source4/heimdal/lib/hdb/hdb.h | 1 + - source4/kdc/db-glue.c | 8 ++++++-- - source4/kdc/mit_samba.c | 3 +++ - source4/kdc/sdb.h | 1 + - 4 files changed, 11 insertions(+), 2 deletions(-) + source4/kdc/mit_samba.c | 3 +++ + 1 file changed, 3 insertions(+) -diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h -index 5ef9d9565f3..dafaffc6c2d 100644 ---- a/source4/heimdal/lib/hdb/hdb.h -+++ b/source4/heimdal/lib/hdb/hdb.h -@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; - #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ - #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ - - /* hdb_capability_flags */ - #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index aff74f2ee71..d16b4c3329a 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, - } - } - -- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { -+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { - krb5_clear_error_message(context); - goto out; - } -- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { -+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ - /* - * SDB_F_CANON maps from the canonicalize flag in the - * packet, and has a different meaning between AS-REQ - * and TGS-REQ. We only change the principal in the AS-REQ case -+ * -+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants -+ * the canonical name in all lookups, and takes care to canonicalize -+ * only when appropriate. - */ - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index acc3cba6254..f0b9df8b613 100644 +index 03c2c2ea1de..30fade56531 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, +@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { sflags |= SDB_F_CANON; } @@ -680,18 +637,6 @@ index acc3cba6254..f0b9df8b613 100644 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_INCLUDE_PAC)) { /* -diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h -index c929acccce6..a9115ec23d7 100644 ---- a/source4/kdc/sdb.h -+++ b/source4/kdc/sdb.h -@@ -116,6 +116,7 @@ struct sdb_entry_ex { - #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ - #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ - - void sdb_free_entry(struct sdb_entry_ex *e); - void free_sdb_entry(struct sdb_entry *s); -- -2.33.1 +2.37.1 diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch deleted file mode 100644 index 6e243da..0000000 --- a/SOURCES/samba-virus_scanner.patch +++ /dev/null @@ -1,597 +0,0 @@ -From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Feb 2022 16:33:10 +0100 -Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd - -We have the env variable SERVER_LOG_LEVEL which allows you to change -the log level on the command line. If we force -d0 this will not work. - -make test TESTS="samba" SERVER_LOG_LEVEL=10 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) ---- - selftest/target/Samba3.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b901fd2677a..64a9a791a61 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -2153,7 +2153,7 @@ sub make_bin_cmd - { - my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; - -- my @optargs = ("-d0"); -+ my @optargs = (); - if (defined($options)) { - @optargs = split(/ /, $options); - } --- -2.34.1 - - -From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 12:07:03 +0100 -Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses - filename matching -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1) ---- - source3/modules/vfs_virusfilter.c | 12 +++++ - source3/modules/vfs_virusfilter_common.h | 4 ++ - source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++ - source3/modules/wscript_build | 1 + - 4 files changed, 75 insertions(+) - create mode 100644 source3/modules/vfs_virusfilter_dummy.c - -diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index 9fafe4e5d41..e6cbee7cd45 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -35,12 +35,14 @@ - - enum virusfilter_scanner_enum { - VIRUSFILTER_SCANNER_CLAMAV, -+ VIRUSFILTER_SCANNER_DUMMY, - VIRUSFILTER_SCANNER_FSAV, - VIRUSFILTER_SCANNER_SOPHOS - }; - - static const struct enum_list scanner_list[] = { - { VIRUSFILTER_SCANNER_CLAMAV, "clamav" }, -+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" }, - { VIRUSFILTER_SCANNER_FSAV, "fsav" }, - { VIRUSFILTER_SCANNER_SOPHOS, "sophos" }, - { -1, NULL } -@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect( - int snum = SNUM(handle->conn); - struct virusfilter_config *config = NULL; - const char *exclude_files = NULL; -+ const char *infected_files = NULL; - const char *temp_quarantine_dir_mode = NULL; - const char *infected_file_command = NULL; - const char *scan_error_command = NULL; -@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect( - set_namearray(&config->exclude_files, exclude_files); - } - -+ infected_files = lp_parm_const_string( -+ snum, "virusfilter", "infected files", NULL); -+ if (infected_files != NULL) { -+ set_namearray(&config->infected_files, infected_files); -+ } -+ - config->cache_entry_limit = lp_parm_int( - snum, "virusfilter", "cache entry limit", 100); - -@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( - case VIRUSFILTER_SCANNER_CLAMAV: - ret = virusfilter_clamav_init(config); - break; -+ case VIRUSFILTER_SCANNER_DUMMY: -+ ret = virusfilter_dummy_init(config); -+ break; - default: - DBG_ERR("Unhandled scanner %d\n", backend); - return -1; -diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h -index f71b0b949a7..463a9d74e9c 100644 ---- a/source3/modules/vfs_virusfilter_common.h -+++ b/source3/modules/vfs_virusfilter_common.h -@@ -83,6 +83,9 @@ struct virusfilter_config { - /* Exclude files */ - name_compare_entry *exclude_files; - -+ /* Infected files */ -+ name_compare_entry *infected_files; -+ - /* Scan result cache */ - struct virusfilter_cache *cache; - int cache_entry_limit; -@@ -149,5 +152,6 @@ struct virusfilter_backend { - int virusfilter_sophos_init(struct virusfilter_config *config); - int virusfilter_fsav_init(struct virusfilter_config *config); - int virusfilter_clamav_init(struct virusfilter_config *config); -+int virusfilter_dummy_init(struct virusfilter_config *config); - - #endif /* _VIRUSFILTER_COMMON_H */ -diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c -new file mode 100644 -index 00000000000..03405cd6629 ---- /dev/null -+++ b/source3/modules/vfs_virusfilter_dummy.c -@@ -0,0 +1,58 @@ -+/* -+ Samba-VirusFilter VFS modules -+ Dummy scanner with infected files support. -+ Copyright (C) 2022 Pavel Filipenský -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "modules/vfs_virusfilter_utils.h" -+ -+static virusfilter_result virusfilter_dummy_scan( -+ struct vfs_handle_struct *handle, -+ struct virusfilter_config *config, -+ const struct files_struct *fsp, -+ char **reportp) -+{ -+ bool ok; -+ -+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp)); -+ ok = is_in_path(fsp->fsp_name->base_name, -+ config->infected_files, -+ false); -+ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN; -+} -+ -+static struct virusfilter_backend_fns virusfilter_backend_dummy = { -+ .connect = NULL, -+ .disconnect = NULL, -+ .scan_init = NULL, -+ .scan = virusfilter_dummy_scan, -+ .scan_end = NULL, -+}; -+ -+int virusfilter_dummy_init(struct virusfilter_config *config) -+{ -+ struct virusfilter_backend *backend = NULL; -+ -+ backend = talloc_zero(config, struct virusfilter_backend); -+ if (backend == NULL) { -+ return -1; -+ } -+ -+ backend->fns = &virusfilter_backend_dummy; -+ backend->name = "dummy"; -+ config->backend = backend; -+ return 0; -+} -diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build -index 40df4539392..ff318c3fa06 100644 ---- a/source3/modules/wscript_build -+++ b/source3/modules/wscript_build -@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', - vfs_virusfilter_sophos.c - vfs_virusfilter_fsav.c - vfs_virusfilter_clamav.c -+ vfs_virusfilter_dummy.c - ''', - deps='samba-util VFS_VIRUSFILTER_UTILS', - init_function='', --- -2.34.1 - - -From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 22:35:29 +0100 -Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and - 'virusfilter:infected files' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969) ---- - docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml -index 329a35af68a..88f91d73a42 100644 ---- a/docs-xml/manpages/vfs_virusfilter.8.xml -+++ b/docs-xml/manpages/vfs_virusfilter.8.xml -@@ -48,6 +48,10 @@ - scanner - clamav, the ClamAV - scanner -+ dummy, dummy scanner used in -+ tests. Checks against the infected files -+ parameter and flags any name that matches as infected. -+ - - - -@@ -264,6 +268,14 @@ - - - -+ -+ virusfilter:infected files = empty -+ -+ Files that virusfilter dummy flags as infected. -+ If this option is not set, the default is empty. -+ -+ -+ - - virusfilter:block access on error = false - --- -2.34.1 - - -From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:34:56 +0100 -Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a) ---- - selftest/target/Samba3.pm | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 64a9a791a61..7584a0e7ba9 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -188,7 +188,7 @@ sub getlog_env_app($$$) - close(LOG); - - return "" if $out eq $title; -- -+ - return $out; - } - -@@ -2426,7 +2426,7 @@ sub provision($$) - my $nmbdsockdir="$prefix_abs/nmbd"; - unlink($nmbdsockdir); - -- ## -+ ## - ## create the test directory layout - ## - die ("prefix_abs = ''") if $prefix_abs eq ""; -@@ -3290,7 +3290,7 @@ sub provision($$) - unless (open(PASSWD, ">$nss_wrapper_passwd")) { - warn("Unable to open $nss_wrapper_passwd"); - return undef; -- } -+ } - print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false - $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false - pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false --- -2.34.1 - - -From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:35:48 +0100 -Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544) ---- - selftest/knownfail.d/virus_scanner | 2 + - selftest/target/Samba3.pm | 12 ++ - source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++ - source3/selftest/tests.py | 9 ++ - 4 files changed, 147 insertions(+) - create mode 100644 selftest/knownfail.d/virus_scanner - create mode 100755 source3/script/tests/test_virus_scanner.sh - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -new file mode 100644 -index 00000000000..6df3fd20627 ---- /dev/null -+++ b/selftest/knownfail.d/virus_scanner -@@ -0,0 +1,2 @@ -+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') -+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 7584a0e7ba9..c1d0c60d96a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1688,6 +1688,9 @@ sub setup_fileserver - my $veto_sharedir="$share_dir/veto"; - push(@dirs,$veto_sharedir); - -+ my $virusfilter_sharedir="$share_dir/virusfilter"; -+ push(@dirs,$virusfilter_sharedir); -+ - my $ip4 = Samba::get_ipv4_addr("FILESERVER"); - my $fileserver_options = " - kernel change notify = yes -@@ -1813,6 +1816,15 @@ sub setup_fileserver - path = $veto_sharedir - delete veto files = yes - -+[virusfilter] -+ path = $virusfilter_sharedir -+ vfs objects = acl_xattr virusfilter -+ virusfilter:scanner = dummy -+ virusfilter:min file size = 0 -+ virusfilter:infected files = *infected* -+ virusfilter:infected file action = rename -+ virusfilter:scan on close = yes -+ - [homes] - comment = Home directories - browseable = No -diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh -new file mode 100755 -index 00000000000..2234ea6ca89 ---- /dev/null -+++ b/source3/script/tests/test_virus_scanner.sh -@@ -0,0 +1,124 @@ -+#!/bin/sh -+# Copyright (c) 2022 Pavel Filipenský -+# shellcheck disable=1091 -+ -+if [ $# -lt 4 ]; then -+cat <fsp_flags.modified -+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/infected.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}" -+ -+ # check that virusfilter:rename prefix/suffix was added -+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then -+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing." -+ return 1 -+ fi -+ -+ # check that file was not uploaded -+ if [ -f "${sharedir}/infected.upload.txt" ]; then -+ echo "ERROR: {sharedir}/${smbfile} should not exist." -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_read() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_write() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+testit "check_infected_read" check_infected_read || failed=$((failed + 1)) -+testit "check_infected_write" check_infected_write || failed=$((failed + 1)) -+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1)) -+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1)) -+ -+testok "$0" "$failed" -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 701be011f70..6b146c76381 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", - '$SERVER_IP', - "tmp"]) - -+env = 'fileserver' -+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), -+ [os.path.join(samba3srcdir, -+ "script/tests/test_virus_scanner.sh"), -+ '$SERVER_IP', -+ "virusfilter", -+ '$LOCAL_PATH', -+ smbclient3]) -+ - for env in ['fileserver', 'simpleserver']: - plantestsuite("samba3.blackbox.smbclient.encryption", env, - [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"), --- -2.34.1 - - -From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 7 Feb 2022 23:06:10 +0100 -Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184 - -(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c) ---- - selftest/knownfail.d/virus_scanner | 2 -- - source3/modules/vfs_virusfilter.c | 6 +++--- - 2 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/virus_scanner - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -deleted file mode 100644 -index 6df3fd20627..00000000000 ---- a/selftest/knownfail.d/virus_scanner -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') --^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index e6cbee7cd45..d1554967ad1 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, - */ - goto virusfilter_vfs_open_next; - } -- ret = S_ISREG(smb_fname->st.st_ex_mode); -+ ret = S_ISREG(sbuf.st_ex_mode); - if (ret == 0) { - DBG_INFO("Not scanned: Directory or special file: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->max_file_size > 0 && -- smb_fname->st.st_ex_size > config->max_file_size) -+ sbuf.st_ex_size > config->max_file_size) - { - DBG_INFO("Not scanned: file size > max file size: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->min_file_size > 0 && -- smb_fname->st.st_ex_size < config->min_file_size) -+ sbuf.st_ex_size < config->min_file_size) - { - DBG_INFO("Not scanned: file size < min file size: %s/%s\n", - cwd_fname, fname); --- -2.34.1 - diff --git a/SOURCES/samba.abignore b/SOURCES/samba.abignore new file mode 100644 index 0000000..718059d --- /dev/null +++ b/SOURCES/samba.abignore @@ -0,0 +1,5 @@ +################################################# +# This is a grouping library without any code +################################################# +[suppress_file] +file_name_regexp=.*libdcerpc-samr\\.so.* diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 47b704e..9d452c6 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -52,7 +52,9 @@ # Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 +# ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172 +#%%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 s390x x86_64 %bcond_without vfs_cephfs %bcond_without ceph_mutex %else @@ -69,7 +71,7 @@ # Build vfs_gluster module by default on 64bit Fedora %global is_rhgs 0 -%if "%{dist}" == ".el8rhgs" || "%{dist}" == ".el9rhgs" +%if "%{dist}" == ".el7rhgs" || "%{dist}" == ".el8rhgs" %global is_rhgs 1 %endif @@ -132,13 +134,13 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 4 +%global baserelease 2 -%global samba_version 4.15.5 +%global samba_version 4.16.4 %global talloc_version 2.3.3 -%global tdb_version 1.4.4 -%global tevent_version 0.11.0 -%global ldb_version 2.4.1 +%global tdb_version 1.4.6 +%global tevent_version 0.12.0 +%global ldb_version 2.5.2 # This should be rc1 or nil %global pre_release %nil @@ -198,19 +200,13 @@ Source11: smb.conf.vendor Source12: smb.conf.example Source13: pam_winbind.conf Source14: samba.pamd +Source15: samba.abignore Source201: README.downgrade Patch0: samba-s4u.patch -Patch1: samba-ctdb-etcd-reclock.patch -Patch2: samba-glibc-dns.patch -Patch3: samba-printing-win7.patch -Patch4: samba-disable-systemd-notifications.patch -Patch5: samba-disable-ntlmssp.patch -Patch6: samba-password-change-prompt.patch -Patch7: samba-virus_scanner.patch -Patch8: samba-4-15-fix-autorid.patch -Patch9: samba-4-15-fix-winbind-refresh-tickets.patch +# https://gitlab.com/samba-team/samba/-/merge_requests/2477 +Patch1: samba-4.16-waf-crypto.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -332,7 +328,7 @@ BuildRequires: python3-etcd # Add python3-iso8601 to avoid that the # version in Samba is being packaged BuildRequires: python3-iso8601 -BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1 >= 0.4.8 BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} @@ -369,12 +365,18 @@ BuildRequires: lmdb-devel %if %{with dc} || %{with testsuite} BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} -BuildRequires: ldb-tools BuildRequires: python3-gpg BuildRequires: python3-markdown BuildRequires: python3-setproctitle BuildRequires: python3-cryptography + +%if %{without includelibs} BuildRequires: tdb-tools +BuildRequires: ldb-tools +#endif without includelibs +%endif + +#endif with dc || with testsuite %endif # filter out perl requirements pulled in from examples in the docdir. @@ -433,8 +435,10 @@ SMB/CIFS clients. Summary: Files used by both Samba servers and clients BuildArch: noarch -Requires(post): systemd +Requires(post): (systemd-standalone-tmpfiles or systemd) +%if 0%{?fedora} Recommends: logrotate +%endif Provides: samba4-common = %{samba_depver} Obsoletes: samba4-common < %{samba_depver} @@ -497,6 +501,8 @@ Requires: python3-%{name} = %{samba_depver} # samba-tool needs tdbbackup Requires: tdb-tools %if %{with dc} +# samba-tool needs python3-samba-dc on a full build +Requires: python3-%{name}-dc = %{samba_depver} # samba-tool needs mdb_copy for domain backup or upgrade provision Requires: lmdb %endif @@ -512,6 +518,8 @@ SMB/CIFS clients. %package dc Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-provision = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -552,6 +560,7 @@ The samba-dc-provision package provides files to setup a domain controller ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -567,9 +576,11 @@ link against the SMB, RPC and other protocols. ### DC-BIND %package dc-bind-dlz Summary: Bind DLZ module for Samba AD +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} Requires: %{name}-dc = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} Requires: bind Provides: bundled(libreplace) @@ -585,6 +596,9 @@ name server related details of Samba AD. Summary: Developer tools for Samba libraries Requires: %{name}-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +%if %{with dc} +Requires: %{name}-dc-libs = %{samba_depver} +%endif Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} @@ -599,6 +613,7 @@ libraries in the Samba suite. %package vfs-cephfs Summary: Samba VFS module for Ceph distributed storage system Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Provides: bundled(libreplace) @@ -731,10 +746,12 @@ library. ### PYTHON3 %package -n python3-%{name} Summary: Samba Python3 libraries -Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +%if %{with dc} +Requires: %{name}-dc-libs = %{samba_depver} +%endif Requires: python3-talloc Requires: python3-tevent Requires: python3-tdb @@ -773,6 +790,8 @@ If you want to run full set of Samba tests, you need to install this package. %if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-dc-libs = %{samba_depver} Requires: python3-%{name} = %{samba_depver} %description -n python3-samba-dc @@ -1026,6 +1045,7 @@ and use CTDB instead. Summary: CTDB PCP pmda support Requires: ctdb = %{samba_depver} Requires: pcp-libs +Requires: %{name}-client-libs = %{samba_depver} %description -n ctdb-pcp-pmda Performance Co-Pilot (PCP) support for CTDB @@ -1067,6 +1087,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n samba-%{version}%{pre_release} -p1 +# Ensure we rely on GnuTLS and do not build any other crypto code shipping with +# the sources. +rm -rf third_party/{aesni-intel,heimdal} +rm -f lib/crypto/{aes,rijndael}*.c + %build %if %{with includelibs} %global _talloc_lib ,talloc,pytalloc,pytalloc-util @@ -1081,7 +1106,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - #endif with includelibs %endif -%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} +%global _samba_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 @@ -1620,7 +1645,17 @@ fi %{_libdir}/samba/vfs/nfs4acl_xattr.so %endif +%dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd +%{_libexecdir}/samba/samba-dcerpcd +%{_libexecdir}/samba/rpcd_classic +%{_libexecdir}/samba/rpcd_epmapper +%{_libexecdir}/samba/rpcd_fsrvp +%{_libexecdir}/samba/rpcd_lsad +%{_libexecdir}/samba/rpcd_mdssvc +%{_libexecdir}/samba/rpcd_rpcecho +%{_libexecdir}/samba/rpcd_spoolss +%{_libexecdir}/samba/rpcd_winreg %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc @@ -1634,6 +1669,7 @@ fi %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/samba-bgqd.8* +%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1648,6 +1684,7 @@ fi %{_mandir}/man8/vfs_crossrename.8* %{_mandir}/man8/vfs_default_quota.8* %{_mandir}/man8/vfs_dirsort.8* +%{_mandir}/man8/vfs_expand_msdfs.8* %{_mandir}/man8/vfs_extd_audit.8* %{_mandir}/man8/vfs_fake_perms.8* %{_mandir}/man8/vfs_fileid.8* @@ -1858,7 +1895,6 @@ fi %if %{without libwbclient} %{_libdir}/samba/libwbclient.so.* -%{_libdir}/samba/libwinbind-client-samba4.so #endif without libwbclient %endif @@ -2066,6 +2102,7 @@ fi %{_libdir}/samba/bind9/dlz_bind9_12.so %{_libdir}/samba/bind9/dlz_bind9_14.so %{_libdir}/samba/bind9/dlz_bind9_16.so +%{_libdir}/samba/bind9/dlz_bind9_18.so #endif with dc %endif @@ -2238,6 +2275,9 @@ fi %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so +%{_libdir}/samba/libREG-FULL-samba4.so +%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so +%{_libdir}/samba/libRPC-WORKER-samba4.so ### LIBSMBCLIENT %if %{with libsmbclient} @@ -2257,7 +2297,6 @@ fi %if %{with libwbclient} %files -n libwbclient %{_libdir}/samba/wbclient/libwbclient.so.* -%{_libdir}/samba/libwinbind-client-samba4.so ### LIBWBCLIENT-DEVEL %files -n libwbclient-devel @@ -2328,7 +2367,11 @@ fi %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc @@ -2444,7 +2487,11 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py +%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp_chromium_ext.py %{python3_sitearch}/samba/gp_ext_loader.py +%{python3_sitearch}/samba/gp_firefox_ext.py +%{python3_sitearch}/samba/gp_firewalld_ext.py %{python3_sitearch}/samba/gp_msgs_ext.py %{python3_sitearch}/samba/gp_smb_conf_ext.py %{python3_sitearch}/samba/gp_sudoers_ext.py @@ -2761,6 +2808,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc @@ -2929,15 +2977,17 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc @@ -2954,26 +3004,28 @@ fi %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py %{python3_sitearch}/samba/tests/krb5/rodc_tests.py -%{python3_sitearch}/samba/tests/krb5/salt_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py -%{python3_sitearch}/samba/tests/krb5/spn_tests.py -%{python3_sitearch}/samba/tests/krb5/test_ccache.py %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py %{python3_sitearch}/samba/tests/krb5/test_ldap.py %{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py %{python3_sitearch}/samba/tests/krb5/test_rpc.py %{python3_sitearch}/samba/tests/krb5/test_smb.py %{python3_sitearch}/samba/tests/krb5/s4u_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py -%{python3_sitearch}/samba/tests/ldap_referrals.py %{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_referrals.py %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py @@ -3037,6 +3089,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc @@ -3073,6 +3126,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py %{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/join_member.py %{python3_sitearch}/samba/tests/samba_tool/ntacl.py %{python3_sitearch}/samba/tests/samba_tool/ou.py %{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py @@ -3104,6 +3158,7 @@ fi %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py %{python3_sitearch}/samba/tests/source.py +%{python3_sitearch}/samba/tests/source_chars.py %{python3_sitearch}/samba/tests/strings.py %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py @@ -3125,7 +3180,6 @@ fi %{_mandir}/man1/masktest.1* %{_mandir}/man1/ndrdump.1* %{_mandir}/man1/smbtorture.1* -%{_mandir}/man1/vfstest.1* %if %{with testsuite} # files to ignore in testsuite mode @@ -4109,6 +4163,40 @@ fi %endif %changelog +* Thu Aug 25 2022 Andreas Schneider - 4.16.4-2 +- resolves: rhbz#2120956 - Do not require samba package in python3-samba + +* Thu Jul 28 2022 Andreas Schneider - 4.16.4-1 +- Rebase to version 4.16.4 +- resolves: rhbz#2108331 - Fix CVE-2022-32742 + +* Mon Jul 18 2022 Pavel Filipenský - 4.16.3-0 +- related: rhbz#2077468 - Rebase Samba to 4.16.3 +- resolves: rhbz#2106672 - The pcap background queue process should not be stopped +- resolves: rhbz#2106263 - Fix crash in rpcd_classic +- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name + +* Tue Jun 14 2022 Pavel Filipenský - 4.16.2-1 +- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout + +* Mon Jun 13 2022 Pavel Filipenský - 4.16.2-0 +- Fix rpminspect abidiff +- related: rhbz#2077468 - Rebase Samba to 4.16.2 + +* Mon May 02 2022 Pavel Filipenský - 4.16.1-0 +- Update to Samba 4.16.1 +- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release + +* Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8 +- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls + +* Wed Apr 20 2022 Pavel Filipenský - 4.15.5-7 +- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error + +* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-6 +- resolves: rhbz#2059151 - Fix username map for unix groups +- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address. + * Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh