From 27abf006c5aac752d69e30606b38e4f8c10d1fa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Wed, 13 Apr 2022 13:08:32 +0200 Subject: [PATCH] Fix username map for unix groups resolves: rhbz#2074891 - Fix username map for unix groups --- samba-4-15-username-map.patch | 321 ++++++++++++++++++++++++++++++++++ samba.spec | 6 +- 2 files changed, 326 insertions(+), 1 deletion(-) create mode 100644 samba-4-15-username-map.patch diff --git a/samba-4-15-username-map.patch b/samba-4-15-username-map.patch new file mode 100644 index 0000000..0687115 --- /dev/null +++ b/samba-4-15-username-map.patch 
@@ -0,0 +1,321 @@ +From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 1 Apr 2022 15:56:30 +0200 +Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a) +--- + selftest/target/Samba3.pm | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 62fb3d1e39e..b0ea9804c50 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss + my $extra_member_options = " + # bob:x:65521:65531:localbob gecos:/:/bin/false + # jane:x:65520:65531:localjane gecos:/:/bin/false ++ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false ++ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false + idmap config $dcvars->{DOMAIN} : backend = nss +- idmap config $dcvars->{DOMAIN} : range = 65520-65521 ++ idmap config $dcvars->{DOMAIN} : range = 65518-65521 + + # Support SMB1 so that we can use posix_whoami(). 
+ client min protocol = CORE +@@ -2532,6 +2534,8 @@ sub provision($$) + my ($uid_slashuser); + my ($uid_localbob); + my ($uid_localjane); ++ my ($uid_localjackthemapper); ++ my ($uid_localjacknomapper); + + if ($unix_uid < 0xffff - 13) { + $max_uid = 0xffff; +@@ -2554,6 +2558,8 @@ sub provision($$) + $uid_slashuser = $max_uid - 13; + $uid_localbob = $max_uid - 14; + $uid_localjane = $max_uid - 15; ++ $uid_localjackthemapper = $max_uid - 16; ++ $uid_localjacknomapper = $max_uid - 17; + + if ($unix_gids[0] < 0xffff - 8) { + $max_gid = 0xffff; +@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false + slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false + bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false + jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false ++jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false ++jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false + "; + if ($unix_uid != 0) { + print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false +@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user: + createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); + createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); + createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); ++ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); ++ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); + + open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); + print DNS_UPDATE_LIST "A $server. 
$server_ip\n"; +-- +2.34.1 + + +From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 08:30:23 +0200 +Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and + "jacknomappergroup" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d) +--- + selftest/target/Samba3.pm | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b0ea9804c50..131034a0e07 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -2527,6 +2527,8 @@ sub provision($$) + my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); + my ($gid_userdup, $gid_everyone); + my ($gid_force_user); ++ my ($gid_jackthemapper); ++ my ($gid_jacknomapper); + my ($uid_user1); + my ($uid_user2); + my ($uid_gooduser); +@@ -2575,6 +2577,8 @@ sub provision($$) + $gid_userdup = $max_gid - 6; + $gid_everyone = $max_gid - 7; + $gid_force_user = $max_gid - 8; ++ $gid_jackthemapper = $max_gid - 9; ++ $gid_jacknomapper = $max_gid - 10; + + ## + ## create conffile +@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins: + userdup:x:$gid_userdup:$unix_name + everyone:x:$gid_everyone: + force_user:x:$gid_force_user: ++jackthemappergroup:x:$gid_jackthemapper:jackthemapper ++jacknomappergroup:x:$gid_jacknomapper:jacknomapper + "; + if ($unix_gids[0] != 0) { + print GROUP "root:x:$gid_root: +-- +2.34.1 + + +From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 08:31:41 +0200 +Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for + jackthemappergroup +MIME-Version: 1.0 +Content-Type: text/plain; 
charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Only for environment ad_member_idmap_nss. + +* !jacknompapper = \@jackthemappergroup + jackthemaper from group jackthemappergroup is mapped to jacknompapper + +* !root = jacknomappergroup + since there is no '@' or '+' prefix, it is not an UNIX group mapping + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979) +--- + selftest/target/Samba3.pm | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 131034a0e07..8d309f9c99a 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " ++!jacknomapper = \@jackthemappergroup ++!root = jacknomappergroup + root = $dcvars->{DOMAIN}/root + bob = $dcvars->{DOMAIN}/bob + "; +-- +2.34.1 + + +From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 14:04:52 +0200 +Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0) +--- + selftest/knownfail.d/usernamemap | 1 + + source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++ + source3/selftest/tests.py | 2 ++ + 3 files changed, 31 insertions(+) + create mode 100644 selftest/knownfail.d/usernamemap + create mode 100755 source3/script/tests/test_usernamemap.sh + +diff --git a/selftest/knownfail.d/usernamemap 
b/selftest/knownfail.d/usernamemap +new file mode 100644 +index 00000000000..1c720fe892d +--- /dev/null ++++ b/selftest/knownfail.d/usernamemap +@@ -0,0 +1 @@ ++samba3.blackbox.smbclient_usernamemap.jacknomapper +diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh +new file mode 100755 +index 00000000000..3a3344a8781 +--- /dev/null ++++ b/source3/script/tests/test_usernamemap.sh +@@ -0,0 +1,28 @@ ++#!/bin/sh ++# ++# Copyright (c) 2022 Pavel Filipenský ++# ++# Tests for "username map" smb.conf parameter for UNIX groups ++ ++if [ $# -lt 2 ]; then ++cat < +Date: Fri, 25 Mar 2022 11:11:50 +0100 +Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power + +Autobuild-User(master): Noel Power +Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 + +(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4) +--- + selftest/knownfail.d/usernamemap | 1 - + source3/auth/user_util.c | 12 +++++++----- + 2 files changed, 7 insertions(+), 6 deletions(-) + delete mode 100644 selftest/knownfail.d/usernamemap + +diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap +deleted file mode 100644 +index 1c720fe892d..00000000000 +--- a/selftest/knownfail.d/usernamemap ++++ /dev/null +@@ -1 +0,0 @@ +-samba3.blackbox.smbclient_usernamemap.jacknomapper +diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c +index 70b4f320c5e..aa765c2a692 100644 +--- a/source3/auth/user_util.c ++++ b/source3/auth/user_util.c +@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) + return false; + } + +- DBG_DEBUG("Checking user %s in list\n", user); +- + while (*list) { + const char *p = *list; +- bool ok; ++ bool 
check_unix_group = false; ++ ++ DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); + + /* Check raw username */ + if (strequal(user, p)) { +@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) + } + + while (*p == '@' || *p == '&' || *p == '+') { ++ if (*p == '@' || *p == '+') { ++ check_unix_group = true; ++ } + p++; + } + +- ok = user_in_group(user, p); +- if (ok) { ++ if (check_unix_group && user_in_group(user, p)) { + return true; + } + +-- +2.34.1 + diff --git a/samba.spec b/samba.spec index e53fbfe..8fd7515 100644 --- a/samba.spec +++ b/samba.spec @@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 104 +%global baserelease 105 %global samba_version 4.15.5 %global talloc_version 2.3.3 @@ -211,6 +211,7 @@ Patch6: samba-password-change-prompt.patch Patch7: samba-virus_scanner.patch Patch8: samba-4-15-fix-autorid.patch Patch9: samba-4-15-fix-winbind-refresh-tickets.patch +Patch10: samba-4-15-username-map.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -4109,6 +4110,9 @@ fi %endif %changelog +* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-105 +- resolves: rhbz#2074891 - Fix username map for unix groups + * Thu Feb 24 2022 Andreas Schneider - 4.15.5-104 - resolves: rhbz#2057500 - Fix winbind kerberos ticket refresh
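Review bot: The new `check_unix_group` gate in user_in_list() (patch 5/5, source3/auth/user_util.c) also changes what an `&name` entry means — the prefix loop still strips `&`, but `user_in_group()` is now only reached for `@` or `+`, and neither the hunk nor the commit message records the intended prefix semantics, so the next reader has to rediscover why a bare name or a `&`-only entry must not be matched as a UNIX group. I would add a comment above the prefix loop: `/* '@' or '+' requests a UNIX group lookup; a bare name or a '&'-only (netgroup) entry must never be resolved as a UNIX group, otherwise any member of a same-named group would match (bug 15041). */`. The hunk shows only the UNIX-group branch; if a netgroup check follows in the part of the function outside the hunk it is presumably still reached for `&` entries, which is worth confirming with a test, since the username.map added in patch 3/5 exercises only an `@` entry and a bare-name entry. user_in_list() begins before the first hunk and its final return lies after the second, so the complete control flow is not visible here.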