Fix idmap_ad with trusted domains

resolves: RHEL-45842
Pavel Filipenský 2024-08-02 14:57:45 +02:00
parent 9568bfd920
commit 30dda95ee2
5 changed files with 214 additions and 1552 deletions



@ -1,106 +0,0 @@
From 21d8c1b2dabf8dd5a65de14816c6701e9c81de44 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 5 Dec 2023 15:46:48 +0100
Subject: [PATCH 1/2] s3:tests: Add smbget test for
smb://DOAMIN;user%password@server/share/file
This is supported according to the smbget manpage!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e)
---
source3/script/tests/test_smbget.sh | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 46c1f4a68a5..bdc62a71eff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -145,6 +145,22 @@ test_singlefile_smburl()
return 0
}
+test_singlefile_smburl2()
+{
+ clear_download_area
+ $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: RC does not match, expected: 0'
+ return 1
+ fi
+ cmp --silent $WORKDIR/testfile ./testfile
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: file content does not match'
+ return 1
+ fi
+ return 0
+}
+
test_singlefile_authfile()
{
clear_download_area
@@ -499,6 +515,10 @@ testit "download single file with --update and UPN" test_singlefile_U_UPN ||
testit "download single file with smb URL" test_singlefile_smburl ||
failed=$(expr $failed + 1)
+testit "download single file with smb URL including domain" \
+ test_singlefile_smburl2 ||
+ failed=$(expr $failed + 1)
+
testit "download single file with authfile" test_singlefile_authfile ||
failed=$(expr $failed + 1)
--
2.43.0
From e19fa9d75ee70ec23e70f166ee70241c116f7bf5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 08:48:34 +0100
Subject: [PATCH 2/2] s3:utils: Fix setting the debug level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d)
---
source3/utils/smbget.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index 5c99dcf918a..8d98ba24602 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -849,6 +849,7 @@ int main(int argc, char **argv)
uint32_t gensec_features;
bool use_wbccache = false;
SMBCCTX *smb_ctx = NULL;
+ int dbg_lvl = -1;
int rc;
smb_init_locale();
@@ -922,13 +923,16 @@ int main(int argc, char **argv)
samba_cmdline_burn(argc, argv);
+ /* smbc_new_context() will set the log level to 0 */
+ dbg_lvl = debuglevel_get();
+
smb_ctx = smbc_new_context();
if (smb_ctx == NULL) {
fprintf(stderr, "Unable to initialize libsmbclient\n");
ok = false;
goto done;
}
- smbc_setDebug(smb_ctx, debuglevel_get());
+ smbc_setDebug(smb_ctx, dbg_lvl);
rc = smbc_setConfiguration(smb_ctx, lp_default_path());
if (rc < 0) {
--
2.43.0


@ -1,7 +1,7 @@
From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:05:54 +0300
Subject: [PATCH 01/25] gp: Support more global trust directories
Subject: [PATCH 01/28] gp: Support more global trust directories
In addition to the SUSE global trust directory, add support for RHEL and
Debian-based distributions (including Ubuntu).
@ -60,13 +60,13 @@ index 312c8ddf467..1b90ab46e90 100644
# Symlink the certs to global trust dir
dst = os.path.join(global_trust_dir, os.path.basename(src))
--
2.41.0
2.45.2
From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 17 Aug 2023 01:09:28 +0300
Subject: [PATCH 02/25] gp: Support update-ca-trust helper
Subject: [PATCH 02/28] gp: Support update-ca-trust helper
This is used on RHEL/Fedora instead of update-ca-certificates. They
behave similarly so it's enough to change the command name.
@ -104,13 +104,13 @@ index 1b90ab46e90..cefdafa21b2 100644
Popen([update]).wait()
# Setup Certificate Auto Enrollment
--
2.41.0
2.45.2
From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 11 Aug 2023 18:46:42 +0300
Subject: [PATCH 03/25] gp: Change root cert extension suffix
Subject: [PATCH 03/28] gp: Change root cert extension suffix
On Ubuntu, certificates must end in '.crt' in order to be considered by
the `update-ca-certificates` helper.
@ -138,13 +138,13 @@ index cefdafa21b2..c562722906b 100644
w.write(cert)
root_certs.append(dest)
--
2.41.0
2.45.2
From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:06:43 +0300
Subject: [PATCH 04/25] gp: Test with binary content for certificate data
Subject: [PATCH 04/28] gp: Test with binary content for certificate data
This fails all GPO-related tests that call `gpupdate --rsop`.
@ -216,13 +216,13 @@ index 00000000000..0aad59607c2
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:20:11 +0300
Subject: [PATCH 05/25] gp: Convert CA certificates to base64
Subject: [PATCH 05/28] gp: Convert CA certificates to base64
I don't know whether this applies universally, but in our case the
contents of `es['cACertificate'][0]` are binary, so cleanly converting
@ -289,13 +289,13 @@ index 0aad59607c2..00000000000
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:16:23 +0300
Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes
Subject: [PATCH 06/28] gp: Test adding new cert templates enforces changes
Ensure that cepces-submit reporting additional templates and re-applying
will enforce the updated policy.
@ -422,13 +422,13 @@ index 00000000000..4edc1dce730
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:37:17 +0300
Subject: [PATCH 07/25] gp: Template changes should invalidate cache
Subject: [PATCH 07/28] gp: Template changes should invalidate cache
If certificate templates are added or removed, the autoenroll extension
should react to this and reapply the policy. Previously this wasn't
@ -487,13 +487,13 @@ index 4edc1dce730..00000000000
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 18 Aug 2023 17:26:59 +0300
Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy
Subject: [PATCH 08/28] gp: Test disabled enrollment unapplies policy
For this we need to stage a Registry.pol file with certificate
autoenrollment enabled, but with checkboxes unticked.
@ -588,13 +588,13 @@ index 00000000000..83bc9f0ac1f
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Wed, 16 Aug 2023 12:33:59 +0300
Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove
Subject: [PATCH 09/28] gp: Send list of keys instead of dict to remove
`cache_get_all_attribute_values` returns a dict whereas we need to pass
a list of keys to `remove`. These will be interpolated in the gpdb search.
@ -634,13 +634,13 @@ index 83bc9f0ac1f..00000000000
@@ -1 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext
--
2.41.0
2.45.2
From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 9 Jan 2024 08:50:01 +0100
Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't
Subject: [PATCH 10/28] python:gp: Print a nice message if cepces-submit can't
be found
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552
@ -691,13 +691,13 @@ index 64c35782ae8..08d1a7348cd 100644
def getca(ca, url, trust_dir):
--
2.41.0
2.45.2
From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Mon, 8 Jan 2024 18:05:08 +0200
Subject: [PATCH 11/25] gpo: Test certificate policy without NDES
Subject: [PATCH 11/28] gpo: Test certificate policy without NDES
As of 8231eaf856b, the NDES feature is no longer required on Windows, as
cert auto-enroll can use the certificate from the LDAP request.
@ -895,13 +895,13 @@ index 00000000000..f1e590bc7d8
@@ -0,0 +1 @@
+^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes
--
2.41.0
2.45.2
From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Thu, 18 Jan 2024 20:23:24 +0200
Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing
Subject: [PATCH 12/28] gpo: Decode base64 root cert before importing
The reasoning behind this is described in the previous commit message,
but essentially this should either be wrapped in certificate blocks and
@ -948,13 +948,13 @@ index f1e590bc7d8..00000000000
@@ -1 +0,0 @@
-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes
--
2.41.0
2.45.2
From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001
From: Gabriel Nagy <gabriel.nagy@canonical.com>
Date: Fri, 19 Jan 2024 11:36:19 +0200
Subject: [PATCH 13/25] gpo: Do not get templates list on first run
Subject: [PATCH 13/28] gpo: Do not get templates list on first run
This is a visual fix and has no impact on functionality apart from
cleaner log messages.
@ -997,13 +997,13 @@ index cd5e54f1110..559c903e1a2 100644
if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE:
self.unapply(guid, attribute, old_val)
--
2.41.0
2.45.2
From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@samba.org>
Date: Fri, 5 Jan 2024 08:47:07 -0700
Subject: [PATCH 14/25] gp: Skip site GP list if no site is found
Subject: [PATCH 14/28] gp: Skip site GP list if no site is found
[MS-GPOL] 3.2.5.1.4 Site Search says if the site
search returns ERROR_NO_SITENAME, the GP site
@ -1065,13 +1065,13 @@ index 617ef79350c..babd8f90748 100644
# (L)ocal
gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy",
--
2.41.0
2.45.2
From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 14:14:30 +0100
Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit
Subject: [PATCH 15/28] python:gp: Avoid path check for cepces-submit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1111,13 +1111,13 @@ index 559c903e1a2..7325d5132cf 100644
'%s --server=%s --auth=%s' % (cepces_submit,
ca['hostname'], auth)],
--
2.41.0
2.45.2
From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 14:07:47 +0100
Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment
Subject: [PATCH 16/28] python:gp: Improve logging for certificate enrollment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1171,13 +1171,13 @@ index 7325d5132cf..a25a9678587 100644
getcert = which('getcert')
cepces_submit = find_cepces_submit()
--
2.41.0
2.45.2
From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:04:36 +0100
Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists
Subject: [PATCH 17/28] python:gp: Do not print an error, if CA already exists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1217,13 +1217,13 @@ index a25a9678587..0b23cd688db 100644
for template in supported_templates:
attrs = fetch_template_attrs(ldb, template)
--
2.41.0
2.45.2
From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:05:02 +0100
Subject: [PATCH 18/25] python:gp: Do not print an error if template already
Subject: [PATCH 18/28] python:gp: Do not print an error if template already
exists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1264,13 +1264,13 @@ index 0b23cd688db..db681cb6f69 100644
data['templates'].append(nickname)
if update is not None:
--
2.41.0
2.45.2
From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:05:24 +0100
Subject: [PATCH 19/25] python:gp: Log an error if update fails
Subject: [PATCH 19/28] python:gp: Log an error if update fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1301,13 +1301,13 @@ index db681cb6f69..c8ad2039dc6 100644
log.warn('certmonger and cepces must be installed for ' +
'certificate auto enrollment to work')
--
2.41.0
2.45.2
From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jan 2024 15:46:24 +0100
Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid
Subject: [PATCH 20/28] python:gp: Improve working of log messages to avoid
confusion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1354,13 +1354,13 @@ index c8ad2039dc6..2b7f7d22c2b 100644
log.warn('Installing the server certificate only.')
der_certificate = base64.b64decode(ca['cACertificate'])
--
2.41.0
2.45.2
From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Jan 2024 17:46:30 +0100
Subject: [PATCH 21/25] python:gp: Fix logging with gp
Subject: [PATCH 21/28] python:gp: Fix logging with gp
This allows enable INFO level logging with: `samba-gpupdate -d3`
@ -1396,13 +1396,13 @@ index a74a8707d50..c3de32825db 100644
logger.setLevel(logging.CRITICAL)
if log_level == 1:
--
2.41.0
2.45.2
From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001
From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Wed, 13 Mar 2024 13:55:41 +0100
Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad
Subject: [PATCH 22/28] docs-xml: Add parameter all_groupmem to idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -1438,13 +1438,13 @@ index b364bbfa231..de6d36afe95 100644
<listitem><para>This parameter is a list of OUs from
which objects will not be mapped via the ad idmap
--
2.41.0
2.45.2
From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001
From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Tue, 12 Mar 2024 13:20:24 +0100
Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem()
Subject: [PATCH 23/28] s3:winbindd: Improve performance of lookup_groupmem()
in idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1521,13 +1521,13 @@ index d7a665abbc6..e625aa6473f 100644
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("%s: add_primary_group_members failed: %s\n",
--
2.41.0
2.45.2
From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001
From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Mon, 25 Mar 2024 22:38:18 +0100
Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to
Subject: [PATCH 24/28] selftest: Add "winbind expand groups = 1" to
setup_ad_member_idmap_ad
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1537,7 +1537,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
(backported from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a)
---
selftest/target/Samba3.pm | 1 +
1 file changed, 1 insertion(+)
@ -1555,13 +1555,13 @@ index 44ac4a5901a..606c65f8ab1 100755
my $ret = $self->provision(
--
2.41.0
2.45.2
From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001
From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 14 Mar 2024 15:24:21 +0100
Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to
Subject: [PATCH 25/28] tests: Add a test for "all_groups=no" to
test_idmap_ad.sh
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -1628,5 +1628,160 @@ index 7ae112ada71..1d4bd395ba9 100755
changetype: delete
EOF
--
2.41.0
2.45.2
From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:51:53 +0200
Subject: [PATCH 26/28] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs
IP
Remove the requirement to provide an IP address. We should look up the
IP of the KDC and use it for the specified realm/workgroup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb)
---
source3/libads/kerberos.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 50f4a6de3c6..ddf97c11973 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx,
char *kdc_str = NULL;
char *canon_sockaddr = NULL;
- SMB_ASSERT(pss != NULL);
-
- canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
- if (canon_sockaddr == NULL) {
- goto out;
- }
+ if (pss != NULL) {
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
- kdc_str = talloc_asprintf(frame,
- "\t\tkdc = %s\n",
- canon_sockaddr);
- if (kdc_str == NULL) {
- goto out;
- }
+ kdc_str = talloc_asprintf(frame,
+ "\t\tkdc = %s\n",
+ canon_sockaddr);
+ if (kdc_str == NULL) {
+ goto out;
+ }
- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
- if (!ok) {
- goto out;
+ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
+ if (!ok) {
+ goto out;
+ }
}
/*
--
2.45.2
From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:53:51 +0200
Subject: [PATCH 27/28] s3:libads: Do not fail if we don't get an IP passed
down
The IP should be optional and we should look it up if not provided.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2)
---
source3/libads/kerberos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index ddf97c11973..f74d8eb567c 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -704,7 +704,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
return false;
}
- if (domain == NULL || pss == NULL) {
+ if (domain == NULL) {
return false;
}
--
2.45.2
From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 28 May 2024 13:54:24 +0200
Subject: [PATCH 28/28] s3:winbind: Fix idmap_ad creating an invalid local
krb5.conf
In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests to the trusted domain KDC which doesn't know
about the machine account. However we need a ticket from our primary
trust KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee)
---
source3/winbindd/idmap_ad.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index 5c9fe07db95..b8002825161 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -320,7 +320,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
struct tldap_context **pld)
{
struct netr_DsRGetDCNameInfo *dcinfo;
- struct sockaddr_storage dcaddr;
+ struct sockaddr_storage dcaddr = {
+ .ss_family = AF_UNSPEC,
+ };
+ struct sockaddr_storage *pdcaddr = NULL;
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
struct tldap_context *ld;
@@ -362,9 +365,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
* create_local_private_krb5_conf_for_domain() can deal with
* sitename==NULL
*/
+ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
+ {
+ pdcaddr = &dcaddr;
+ }
ok = create_local_private_krb5_conf_for_domain(
- lp_realm(), lp_workgroup(), sitename, &dcaddr);
+ lp_realm(), lp_workgroup(), sitename, pdcaddr);
TALLOC_FREE(sitename);
if (!ok) {
DBG_DEBUG("Could not create private krb5.conf\n");
--
2.45.2
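Review bot: In patch 26 (`get_kdc_ip_string`, the hunk at `@@ -437,23 +437,23 @@`), removing `SMB_ASSERT(pss != NULL)` widens the function's contract, but nothing in the new code records that `pss` may now be NULL, and when it is, `kdc_str` stays NULL and `sa` is never filled in by `sockaddr_storage_to_samba_sockaddr()`. The rest of the function and the declaration of `sa` lie outside the hunk, so please confirm that `sa` is zero-initialised where it is declared and that the code appending the looked-up KDCs tolerates `kdc_str == NULL` (talloc's `*_append` helpers do, a direct dereference would not). I would add above the new `if (pss != NULL) {` a comment such as `/* pss may be NULL: no explicit "kdc =" line is emitted then and the list is built solely from the KDC lookup below. */`. Patch 27 makes the same relaxation for `create_local_private_krb5_conf_for_domain()` without updating its header comment, which should now state that `pss` is optional and that the KDC is resolved from the realm when it is NULL.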


@ -147,7 +147,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.19.4
%global baserelease 4
%global baserelease 5
# This should be rc1 or %%nil
%global pre_release %nil
@ -4479,6 +4479,9 @@ fi
%endif
%changelog
* Fri Aug 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-5
- resolves: RHEL-45842 - Fix idmap_ad with trusted domains
* Thu May 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-4
- related: RHEL-33813 - Undo wrong changes in rpminspect.yaml


@ -1,325 +0,0 @@
From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Sep 2023 16:29:46 +0200
Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 ++
selftest/target/Samba3.pm | 1 +
2 files changed, 3 insertions(+)
create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
new file mode 100644
index 00000000000..b515400cd90
--- /dev/null
+++ b/selftest/knownfail.d/forceuser_trusteddomains
@@ -0,0 +1,2 @@
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 39831afc599..85e69e4b72d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1689,6 +1689,7 @@ sub setup_simpleserver
vfs objects = xattr_tdb streams_depot
change notify = no
server smb encrypt = off
+ allow trusted domains = no
[vfs_aio_pthread]
path = $prefix_abs/share
--
2.43.0
From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Sep 2023 12:50:32 +0200
Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
---
source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 293523f4272..e5863d2272b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
status = make_user_info_map(mem_ctx, user_info,
- smb_name, client_domain,
+ smb_name, client_domain,
workstation_name,
remote_address,
local_address,
"SamLogon",
- lm_pwd_len ? &lm_blob : NULL,
+ lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
uint32_t logon_parameters,
- const uchar chal[8],
- const uchar lm_interactive_pwd[16],
+ const uchar chal[8],
+ const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16])
{
struct samr_Password lm_pwd;
@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
nt_status = make_user_info_map(
mem_ctx,
- user_info,
+ user_info,
smb_name, client_domain, workstation_name,
remote_address,
local_address,
@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
+ const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
/* We can't do an NT hash here, as the password needs to be
case insensitive */
- local_nt_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
} else {
- local_lm_blob = data_blob_null;
- local_nt_blob = data_blob_null;
+ local_lm_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
}
plaintext_password_string = talloc_strndup(talloc_tos(),
@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
}
ret = make_user_info(mem_ctx,
- user_info, smb_name, smb_name, client_domain, client_domain,
+ user_info, smb_name, smb_name, client_domain, client_domain,
get_remote_machine_name(),
remote_address,
local_address,
@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
nt_status = make_user_info(mem_ctx,
user_info,
- "","",
- "","",
- "",
+ "","",
+ "","",
+ "",
remote_address,
local_address,
service_description,
- NULL, NULL,
- NULL, NULL,
+ NULL, NULL,
+ NULL, NULL,
NULL,
AUTH_PASSWORD_RESPONSE);
@@ -1258,7 +1258,7 @@ done:
}
session_info->unique_session_token = GUID_random();
-
+
*session_info_out = talloc_move(mem_ctx, &session_info);
TALLOC_FREE(frame);
return NT_STATUS_OK;
@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
*pwd = passwd;
/* This is pointless -- there is no support for differing
- unix and windows names. Make sure to always store the
+ unix and windows names. Make sure to always store the
one we actually looked up and succeeded. Have I mentioned
- why I hate the 'winbind use default domain' parameter?
+ why I hate the 'winbind use default domain' parameter?
--jerry */
*found_username = talloc_strdup( mem_ctx, real_username );
@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
}
/****************************************************************************
- Wrapper to allow the getpwnam() call to strip the domain name and
- try again in case a local UNIX user is already there. Also run through
+ Wrapper to allow the getpwnam() call to strip the domain name and
+ try again in case a local UNIX user is already there. Also run through
the username if we fallback to the username only.
****************************************************************************/
@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
char *p = NULL;
const char *username = NULL;
- /* we only save a copy of the username it has been mangled
+ /* we only save a copy of the username it has been mangled
by winbindd use default domain */
*p_save_username = NULL;
- /* don't call map_username() here since it has to be done higher
+ /* don't call map_username() here since it has to be done higher
up the stack so we don't call it multiple times */
username = talloc_strdup(mem_ctx, domuser);
@@ -2068,10 +2068,10 @@ username_only:
}
/***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon
+ Make a server_info struct from the info3 returned by a domain logon
***************************************************************************/
-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct dom_sid sid;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
- /*
+ /*
Here is where we should check the list of
- trusted domains, and verify that the SID
+ trusted domains, and verify that the SID
matches.
*/
--
2.43.0
From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 30 Nov 2023 10:54:07 +0100
Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 --
source3/auth/auth_util.c | 17 ++++++++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
deleted file mode 100644
index b515400cd90..00000000000
--- a/selftest/knownfail.d/forceuser_trusteddomains
+++ /dev/null
@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index e5863d2272b..2a35fea5061 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -21,6 +21,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "dom_sid.h"
#include "includes.h"
#include "auth.h"
#include "lib/util_unixsids.h"
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct dom_sid tmp_sid;
struct auth_session_info *session_info = NULL;
struct unixid *ids;
+ bool is_allowed = false;
/* Ensure we can't possible take a code path leading to a
* null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_LOGON_FAILURE;
}
- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ is_allowed = true;
+ }
+
+ /* Check if we have extra info about the user. */
+ if (dom_sid_in_domain(&global_sid_Unix_Users,
+ &server_info->extra.user_sid) ||
+ dom_sid_in_domain(&global_sid_Unix_Groups,
+ &server_info->extra.pgid_sid))
+ {
+ is_allowed = true;
+ }
+
+ if (!is_allowed) {
DBG_NOTICE("Authentication failed for user [%s] "
"from firewalled domain [%s]\n",
server_info->info3->base.account_name.string,
--
2.43.0