From 30dda95ee2c1b44bca81c38114b9e8fca8ad3bcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Fri, 2 Aug 2024 14:57:45 +0200 Subject: [PATCH] Fix idmap_ad with trusted domains resolves: RHEL-45842 --- samba-4.19-fix-smbget-auth.patch | 1065 ----------------------------- samba-4.19-fix-smbget-debug.patch | 106 --- samba-4.19-redhat.patch | 265 +++++-- samba.spec | 5 +- v4-19-fix-force-user.patch | 325 --------- 5 files changed, 214 insertions(+), 1552 deletions(-) delete mode 100644 samba-4.19-fix-smbget-auth.patch delete mode 100644 samba-4.19-fix-smbget-debug.patch delete mode 100644 v4-19-fix-force-user.patch diff --git a/samba-4.19-fix-smbget-auth.patch b/samba-4.19-fix-smbget-auth.patch deleted file mode 100644 index 499075f..0000000 --- a/samba-4.19-fix-smbget-auth.patch +++ /dev/null @@ -1,1065 +0,0 @@ -From 3b25f764e714dee0327fd4f068bd14650f7e7ab4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 09:18:26 +0100 -Subject: [PATCH 01/13] s3:tests: Fix authentication with smbget_user in smbget - tests - -Currently the smget share is broken. We set `guest ok = yes` so if you -specify invalid names, the authentication will still succeed as we -are mapped to guest. - -The smbget_user is a local ad_member user. We need to set the -workstation as the "domain" for the user. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit c14c5dec09fe1c86b29b3091ad521e73a2e1c3e9) ---- - source3/script/tests/test_smbget.sh | 28 ++++++++++++++-------------- - 1 file changed, 14 insertions(+), 14 deletions(-) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index bdc62a71eff..5ab35a03e24 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -72,7 +72,7 @@ test_singlefile_guest() - test_singlefile_U() - { - clear_download_area -- $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -132,7 +132,7 @@ test_singlefile_U_domain() - test_singlefile_smburl() - { - clear_download_area -- $SMBGET --workgroup $DOMAIN smb://$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile -+ $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -148,7 +148,7 @@ test_singlefile_smburl() - test_singlefile_smburl2() - { - clear_download_area -- $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile" -+ $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile" - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -165,7 +165,7 @@ test_singlefile_authfile() - { - clear_download_area - cat >"${TMPDIR}/authfile" << EOF --username = $USERNAME -+username = ${SERVER}/${USERNAME} - password = $PASSWORD - EOF - $SMBGET --verbose --authentication-file="${TMPDIR}/authfile" smb://$SERVER_IP/smbget/testfile -@@ -186,7 +186,7 @@ EOF - test_recursive_U() - { - clear_download_area -- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ -+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -207,7 +207,7 @@ test_recursive_existing_dir() - { - clear_download_area - mkdir dir1 -- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ -+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -230,7 +230,7 @@ test_recursive_with_empty() - # create some additional empty directories - mkdir -p $WORKDIR/dir001/dir002/dir003 - mkdir -p $WORKDIR/dir004/dir005/dir006 -- $SMBGET --verbose --recursive -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/ -+ $SMBGET --verbose --recursive -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/ - rc=$? - rm -rf $WORKDIR/dir001 - rm -rf $WORKDIR/dir004 -@@ -260,7 +260,7 @@ test_resume() - clear_download_area - cp $WORKDIR/testfile . - truncate -s 1024 testfile -- $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -279,7 +279,7 @@ test_resume_modified() - { - clear_download_area - dd if=/dev/urandom bs=1024 count=2 of=testfile -- $SMBGET --verbose --resume -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --resume -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 1 ]; then - echo 'ERROR: RC does not match, expected: 1' - return 1 -@@ -291,14 +291,14 @@ test_resume_modified() - test_update() - { - clear_download_area -- $SMBGET --verbose -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 - fi - - # secondary download should pass -- $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -308,7 +308,7 @@ test_update() - # touch source to trigger new download - sleep 2 - touch -m $WORKDIR/testfile -- $SMBGET --verbose --update -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --update -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -397,7 +397,7 @@ test_limit_rate() - test_encrypt() - { - clear_download_area -- $SMBGET --verbose --encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -409,7 +409,7 @@ test_encrypt() - fi - - clear_download_area -- $SMBGET --verbose --client-protection=encrypt -U$USERNAME%$PASSWORD smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --client-protection=encrypt -U${SERVER}/${USERNAME}%$PASSWORD smb://$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 --- -2.43.0 - - -From a61c1ed2e21640a60b219b8efb16fed7ddfbce7c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 8 Dec 2023 13:06:27 +0100 -Subject: [PATCH 02/13] selftest: Remove trailing tabs/white spaces in - Samba4.pm - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a2af6946f5e53b7d954aa54d3d115dbe4975b1c4) ---- - selftest/target/Samba4.pm | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index a10c1313322..e559bf888a9 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -559,7 +559,7 @@ sub provision_raw_prepare($$$$$$$$$$$$$$) - warn("Unable to clean up"); - } - -- -+ - my $swiface = Samba::get_interface($hostname); - - $ctx->{prefix} = $prefix; -@@ -1034,7 +1034,7 @@ replace: userPrincipalName - userPrincipalName: testallowed upn\@$ctx->{realm} - replace: servicePrincipalName - servicePrincipalName: host/testallowed --- -+- - "; - close($ldif); - unless ($? == 0) { -@@ -1057,7 +1057,7 @@ servicePrincipalName: host/testallowed - changetype: modify - replace: userPrincipalName - userPrincipalName: testdenied_upn\@$ctx->{realm}.upn --- -+- - "; - close($ldif); - unless ($? == 0) { -@@ -2225,7 +2225,7 @@ sub provision_chgdcpass($$) - warn("Unable to add wins configuration"); - return undef; - } -- -+ - # Remove secrets.tdb from this environment to test that we - # still start up on systems without the new matching - # secrets.tdb records. --- -2.43.0 - - -From 4177d6b866f8a0a72ebe208c5025ad643a2610d8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 8 Dec 2023 13:07:19 +0100 -Subject: [PATCH 03/13] selftest: Add DOMAIN_ADMIN and DOMAIN_USER variables - -We should start using those in future. So we can distinguish which -privileges we want. Currently DC_USERNAME is the Administrator. Whatever -possible should use DOMIAN_USER instead. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 56d0c3a0263ed166452c129219e7a391ba4d014c) ---- - selftest/target/Samba.pm | 4 ++++ - selftest/target/Samba3.pm | 24 ++++++++++++++++++++++++ - selftest/target/Samba4.pm | 8 ++++++++ - 3 files changed, 36 insertions(+) - -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm -index b959db493ca..e4bd6a0d5d2 100644 ---- a/selftest/target/Samba.pm -+++ b/selftest/target/Samba.pm -@@ -947,6 +947,10 @@ my @exported_envvars = ( - "PASSWORD", - "DC_USERNAME", - "DC_PASSWORD", -+ "DOMAIN_ADMIN", -+ "DOMAIN_ADMIN_PASSWORD", -+ "DOMAIN_USER", -+ "DOMAIN_USER_PASSWORD", - - # UID/GID for rfc2307 mapping tests - "UID_RFC2307TEST", -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 85e69e4b72d..8755d0a2f1f 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1006,6 +1006,10 @@ sub provision_ad_member - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - # forest trust - $ret->{TRUST_F_BOTH_SERVER} = $trustvars_f->{SERVER}; -@@ -1171,6 +1175,10 @@ sub setup_ad_member_rfc2307 - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - return $ret; - } -@@ -1267,6 +1275,10 @@ sub setup_admem_idmap_autorid - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - return $ret; - } -@@ -1366,6 +1378,10 @@ sub setup_ad_member_idmap_rid - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - return $ret; - } -@@ -1466,6 +1482,10 @@ sub setup_ad_member_idmap_ad - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; - $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; -@@ -1558,6 +1578,10 @@ sub setup_ad_member_oneway - $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME}; - $ret->{DC_USERNAME} = $dcvars->{USERNAME}; - $ret->{DC_PASSWORD} = $dcvars->{PASSWORD}; -+ $ret->{DOMAIN_ADMIN} = $dcvars->{DOMAIN_ADMIN}; -+ $ret->{DOMAIN_ADMIN_PASSWORD} = $dcvars->{DOMAIN_ADMIN_PASSWORD}; -+ $ret->{DOMAIN_USER} = $dcvars->{DOMAIN_USER}; -+ $ret->{DOMAIN_USER_PASSWORD} = $dcvars->{DOMAIN_USER_PASSWORD}; - - $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER}; - $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME}; -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index e559bf888a9..cbaacce48da 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -587,6 +587,10 @@ sub provision_raw_prepare($$$$$$$$$$$$$$) - $ctx->{realm} = uc($realm); - $ctx->{dnsname} = lc($realm); - $ctx->{samsid} = $samsid; -+ $ctx->{domain_admin} = "Administrator"; -+ $ctx->{domain_admin_password} = $password; -+ $ctx->{domain_user} = "alice"; -+ $ctx->{domain_user_password} = "Secret007"; - - $ctx->{functional_level} = $functional_level; - -@@ -906,6 +910,10 @@ nogroup:x:65534:nobody - DOMAIN => $ctx->{domain}, - USERNAME => $ctx->{username}, - DC_USERNAME => $ctx->{username}, -+ DOMAIN_ADMIN => $ctx->{domain_admin}, -+ DOMAIN_ADMIN_PASSWORD => $ctx->{domain_admin_password}, -+ DOMAIN_USER => $ctx->{domain_user}, -+ DOMAIN_USER_PASSWORD => $ctx->{domain_user_password}, - REALM => $ctx->{realm}, - DNSNAME => $ctx->{dnsname}, - SAMSID => $ctx->{samsid}, --- -2.43.0 - - -From c5839fd47591e46431d56091f151f22a5e35d16c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 09:45:54 +0100 -Subject: [PATCH 04/13] s3:tests: Pass down a normal domain user for - test_smbget.sh - -It is better to test with a normal user than administrator. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 337034e675aaeb366d360a791ec0d003426230af) ---- - source3/script/tests/test_smbget.sh | 22 ++++++++++++---------- - source3/selftest/tests.py | 2 ++ - 2 files changed, 14 insertions(+), 10 deletions(-) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 5ab35a03e24..257291b18ff 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -16,9 +16,11 @@ DOMAIN=${3} - REALM=${4} - USERNAME=${5} - PASSWORD=${6} --WORKDIR=${7} --SMBGET="$VALGRIND ${8}" --shift 8 -+DOMAIN_USER=${7} -+DOMAIN_USER_PASSWORD=${8} -+WORKDIR=${9} -+SMBGET="$VALGRIND ${10}" -+shift 10 - - TMPDIR="$SELFTEST_TMPDIR" - -@@ -89,7 +91,7 @@ test_singlefile_U_UPN() - { - clear_download_area - -- ${SMBGET} --verbose -U"${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \ -+ ${SMBGET} --verbose -U"${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \ - "smb://${SERVER_IP}/smbget/testfile" - ret=${?} - if [ ${ret} -ne 0 ]; then -@@ -111,7 +113,7 @@ test_singlefile_U_domain() - { - clear_download_area - -- ${SMBGET} --verbose -U"${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \ -+ ${SMBGET} --verbose -U"${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \ - "smb://${SERVER_IP}/smbget/testfile" - ret=${?} - if [ ${ret} -ne 0 ]; then -@@ -132,7 +134,7 @@ test_singlefile_U_domain() - test_singlefile_smburl() - { - clear_download_area -- $SMBGET --workgroup $DOMAIN smb://${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile -+ $SMBGET --workgroup $DOMAIN smb://${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -148,7 +150,7 @@ test_singlefile_smburl() - test_singlefile_smburl2() - { - clear_download_area -- $SMBGET "smb://$DOMAIN;${USERNAME}:$PASSWORD@$SERVER_IP/smbget/testfile" -+ $SMBGET "smb://$DOMAIN;${DOMAIN_USER}:$DOMAIN_USER_PASSWORD@$SERVER_IP/smbget/testfile" - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -343,7 +345,7 @@ test_msdfs_link_domain() - { - clear_download_area - -- ${SMBGET} --verbose "-U${DOMAIN}/${DC_USERNAME}%${DC_PASSWORD}" \ -+ ${SMBGET} --verbose "-U${DOMAIN}/${DOMAIN_USER}%${DOMAIN_USER_PASSWORD}" \ - "smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file" - ret=$? - if [ ${ret} -ne 0 ]; then -@@ -358,7 +360,7 @@ test_msdfs_link_upn() - { - clear_download_area - -- ${SMBGET} --verbose "-U${DC_USERNAME}@${REALM}%${DC_PASSWORD}" \ -+ ${SMBGET} --verbose "-U${DOMAIN_USER}@${REALM}%${DOMAIN_USER_PASSWORD}" \ - "smb://${SERVER}/msdfs-share/deeppath/msdfs-src2/readable_file" - ret=$? - if [ ${ret} -ne 0 ]; then -@@ -433,7 +435,7 @@ test_kerberos() - KRB5CCNAME="FILE:${KRB5CCNAME_PATH}" - export KRB5CCNAME - kerberos_kinit "${samba_kinit}" \ -- "${DC_USERNAME}@${REALM}" "${DC_PASSWORD}" -+ "${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}" - - $SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \ - smb://$SERVER/smbget/testfile -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 5a784f1c5aa..973384f8c53 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -931,6 +931,8 @@ plantestsuite("samba3.blackbox.smbget", - '$REALM', - 'smbget_user', - '$PASSWORD', -+ '$DOMAIN_USER', -+ '$DOMAIN_USER_PASSWORD', - '$LOCAL_PATH/smbget', - smbget - ]) --- -2.43.0 - - -From 43f8a0acbcda931efb40403b15ef4c8d8ec94c8b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 10:51:32 +0100 -Subject: [PATCH 05/13] s3:tests: Fix test_kerberos in smbget tests - -We switched to a temporary directory, so $PREFIX doesn't exist. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 62b0b79ce065246417996dec61afa6a10f6ab99b) ---- - source3/script/tests/test_smbget.sh | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 257291b18ff..5b65db89a26 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -429,13 +429,17 @@ test_kerberos() - { - clear_download_area - -- KRB5CCNAME_PATH="$PREFIX/smget_krb5ccache" -+ KRB5CCNAME_PATH="${TMPDIR}/smget_krb5ccache" - rm -f "${KRB5CCNAME_PATH}" - - KRB5CCNAME="FILE:${KRB5CCNAME_PATH}" - export KRB5CCNAME - kerberos_kinit "${samba_kinit}" \ - "${DOMAIN_USER}@${REALM}" "${DOMAIN_USER_PASSWORD}" -+ if [ $? -ne 0 ]; then -+ echo 'Failed to get Kerberos ticket' -+ return 1 -+ fi - - $SMBGET --verbose --use-krb5-ccache="${KRB5CCNAME}" \ - smb://$SERVER/smbget/testfile --- -2.43.0 - - -From 26be99f6ac11bd3c6cfd737b332ee3aca660b390 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 11:43:33 +0100 -Subject: [PATCH 06/13] s3:tests: Fix the test_kerberos_trust in smbget - testsuite - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 468fb05d6357779228e411076e286abcdb70cf96) ---- - source3/script/tests/test_smbget.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 5b65db89a26..50e8cea3900 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -465,7 +465,7 @@ test_kerberos_trust() - - $SMBGET --verbose --use-kerberos=required \ - -U"${TRUST_F_BOTH_USERNAME}@${TRUST_F_BOTH_REALM}%${TRUST_F_BOTH_PASSWORD}" \ -- smb://$SERVER/smbget/testfile -+ smb://$SERVER.${REALM}/smbget/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 --- -2.43.0 - - -From 0cbea3a4c5b7f5356c209ba2826f01506b40f1f8 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 13:11:46 +0100 -Subject: [PATCH 07/13] s3:tests: Remove the non-working - test_kerberos_upn_denied of smbget - -See TODO code comment for details. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 1a04fd255c2c94e01bda9840bfd6b372007bb3c7) ---- - source3/script/tests/test_smbget.sh | 52 +++++++++++++++++------------ - 1 file changed, 30 insertions(+), 22 deletions(-) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 50e8cea3900..1956fc5b38e 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -480,26 +480,34 @@ test_kerberos_trust() - return 0 - } - --test_kerberos_upn_denied() --{ -- clear_download_area -- -- $SMBGET --verbose --use-kerberos=required \ -- -U"testdenied_upn@${REALM}.upn%${PASSWORD}" \ -- "smb://${SERVER}/smbget/testfile" -- if [ $? -ne 0 ]; then -- echo 'ERROR: RC does not match, expected: 0' -- return 1 -- fi -- -- cmp --silent $WORKDIR/testfile ./testfile -- if [ $? -ne 0 ]; then -- echo 'ERROR: file content does not match' -- return 1 -- fi -- -- return 0 --} -+# TODO FIXME -+# This test does not work, as we can't tell the libsmb code that the -+# principal is an enterprice principal. We need support for enterprise -+# principals in kerberos_kinit_password_ext() and a way to pass it via the -+# credenitals structure and commandline options. -+# It works if you do: kinit -E testdenied_upn@${REALM}.upn -+# -+# test_kerberos_upn_denied() -+# { -+# set -x -+# clear_download_area -+# -+# $SMBGET --verbose --use-kerberos=required \ -+# -U"testdenied_upn@${REALM}.upn%${DC_PASSWORD}" \ -+# "smb://${SERVER}.${REALM}/smbget/testfile" -d10 -+# if [ $? -ne 0 ]; then -+# echo 'ERROR: RC does not match, expected: 0' -+# return 1 -+# fi -+# -+# cmp --silent $WORKDIR/testfile ./testfile -+# if [ $? -ne 0 ]; then -+# echo 'ERROR: file content does not match' -+# return 1 -+# fi -+# -+# return 0 -+# } - - create_test_data - -@@ -567,8 +575,8 @@ testit "kerberos" test_kerberos || - testit "kerberos_trust" test_kerberos_trust || - failed=$((failed + 1)) - --testit "kerberos_upn_denied" test_kerberos_upn_denied || -- failed=$((failed + 1)) -+# testit "kerberos_upn_denied" test_kerberos_upn_denied || -+# failed=$((failed + 1)) - - clear_download_area - --- -2.43.0 - - -From b3d5792525df99cf149ce08392c359fb97f68ec5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Dec 2023 09:47:14 +0100 -Subject: [PATCH 08/13] s3:tests: Fix smbget test - -Time to fix the smget share to not have `guest ok = yes` set. A new -[smbget_guest] will be used for guest only tests. This way we can -correctly test different authentication mechanisms. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit c46769f3f10d21ed802e17aa79ae17e345168e63) ---- - selftest/target/Samba3.pm | 4 ++++ - source3/script/tests/test_smbget.sh | 8 ++++---- - 2 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 8755d0a2f1f..2c69993c56a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -3587,6 +3587,10 @@ sub provision($$) - [smbget] - path = $smbget_sharedir - comment = smb username is [%U] -+ -+[smbget_guest] -+ path = $smbget_sharedir -+ comment = smb username is [%U] - guest ok = yes - - include = $aliceconfdir/%U.conf -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 1956fc5b38e..0af28c6ff89 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -57,8 +57,8 @@ clear_download_area() - test_singlefile_guest() - { - clear_download_area -- echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile" -- $SMBGET --verbose --guest smb://$SERVER_IP/smbget/testfile -+ echo "$SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile" -+ $SMBGET --verbose --guest smb://$SERVER_IP/smbget_guest/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 -@@ -376,9 +376,9 @@ test_msdfs_link_upn() - test_limit_rate() - { - clear_download_area -- echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile" -+ echo "$SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile" - time_begin=$(date +%s) -- $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget/testfile -+ $SMBGET --verbose --guest --limit-rate 100 smb://$SERVER_IP/smbget_guest/testfile - if [ $? -ne 0 ]; then - echo 'ERROR: RC does not match, expected: 0' - return 1 --- -2.43.0 - - -From b40c350a6550946129aadbace4e6cecc219c666a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 6 Dec 2023 13:16:26 +0100 -Subject: [PATCH 09/13] auth:creds:tests: Add test for password callback - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit ab4b25964a43a1ef550f10580ad395e178fe647e) ---- - auth/credentials/tests/test_creds.c | 32 +++++++++++++++++++++++++++++ - selftest/knownfail.d/creds | 1 + - 2 files changed, 33 insertions(+) - create mode 100644 selftest/knownfail.d/creds - -diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c -index a2f9642bfe0..414dd46a6b0 100644 ---- a/auth/credentials/tests/test_creds.c -+++ b/auth/credentials/tests/test_creds.c -@@ -285,6 +285,37 @@ static void torture_creds_gensec_feature(void **state) - assert_int_equal(creds->gensec_features, GENSEC_FEATURE_SIGN); - } - -+static const char *torture_get_password(struct cli_credentials *creds) -+{ -+ return talloc_strdup(creds, "SECRET"); -+} -+ -+static void torture_creds_password_callback(void **state) -+{ -+ TALLOC_CTX *mem_ctx = *state; -+ struct cli_credentials *creds = NULL; -+ const char *password = NULL; -+ enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; -+ bool ok; -+ -+ creds = cli_credentials_init(mem_ctx); -+ assert_non_null(creds); -+ -+ ok = cli_credentials_set_domain(creds, "WURST", CRED_SPECIFIED); -+ assert_true(ok); -+ ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); -+ assert_true(ok); -+ -+ ok = cli_credentials_set_password_callback(creds, torture_get_password); -+ assert_true(ok); -+ assert_int_equal(creds->password_obtained, CRED_CALLBACK); -+ -+ password = cli_credentials_get_password_and_obtained(creds, -+ &pwd_obtained); -+ assert_int_equal(pwd_obtained, CRED_CALLBACK_RESULT); -+ assert_string_equal(password, "SECRET"); -+} -+ - int main(int argc, char *argv[]) - { - int rc; -@@ -296,6 +327,7 @@ int main(int argc, char *argv[]) - cmocka_unit_test(torture_creds_parse_string), - cmocka_unit_test(torture_creds_krb5_state), - cmocka_unit_test(torture_creds_gensec_feature), -+ cmocka_unit_test(torture_creds_password_callback) - }; - - if (argc == 2) { -diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds -new file mode 100644 -index 00000000000..09491f22c65 ---- /dev/null -+++ b/selftest/knownfail.d/creds -@@ -0,0 +1 @@ -+^samba.unittests.credentials.torture_creds_password_callback.none --- -2.43.0 - - -From 42f5976603f2dfab9e3179535f9d137014621b54 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 6 Dec 2023 13:06:42 +0100 -Subject: [PATCH 10/13] auth:creds: Fix - cli_credentials_get_password_and_obtained() with callback - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 1041dae03f0f7e9e2b6b4a649eb1d298a34ce699) ---- - auth/credentials/credentials.c | 4 +++- - selftest/knownfail.d/creds | 1 - - 2 files changed, 3 insertions(+), 2 deletions(-) - delete mode 100644 selftest/knownfail.d/creds - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index 0485cc4e64e..8cabdd8d1c3 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -465,11 +465,13 @@ _PUBLIC_ const char * - cli_credentials_get_password_and_obtained(struct cli_credentials *cred, - enum credentials_obtained *obtained) - { -+ const char *password = cli_credentials_get_password(cred); -+ - if (obtained != NULL) { - *obtained = cred->password_obtained; - } - -- return cli_credentials_get_password(cred); -+ return password; - } - - /* Set a password on the credentials context, including an indication -diff --git a/selftest/knownfail.d/creds b/selftest/knownfail.d/creds -deleted file mode 100644 -index 09491f22c65..00000000000 ---- a/selftest/knownfail.d/creds -+++ /dev/null -@@ -1 +0,0 @@ --^samba.unittests.credentials.torture_creds_password_callback.none --- -2.43.0 - - -From 619185a178f00bbf88a853309225773b02fdbda4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 6 Dec 2023 13:26:43 +0100 -Subject: [PATCH 11/13] auth:creds: Add - cli_credentials_get_domain_and_obtained() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit a7622bc7db093558c6f6e3da4d2a899a764dec09) ---- - auth/credentials/credentials.c | 22 ++++++++++++++++++++++ - auth/credentials/credentials.h | 3 +++ - auth/credentials/tests/test_creds.c | 6 ++++++ - 3 files changed, 31 insertions(+) - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index 8cabdd8d1c3..7a00279b8b4 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -738,6 +738,28 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred) - return cred->domain; - } - -+/** -+ * @brief Obtain the domain for this credential context. -+ * -+ * @param[in] cred The credential context. -+ * -+ * @param[out] obtained A pointer to store the obtained information. -+ * -+ * @return The domain name or NULL if an error occurred. -+ */ -+_PUBLIC_ const char *cli_credentials_get_domain_and_obtained( -+ struct cli_credentials *cred, -+ enum credentials_obtained *obtained) -+{ -+ const char *domain = cli_credentials_get_domain(cred); -+ -+ if (obtained != NULL) { -+ *obtained = cred->domain_obtained; -+ } -+ -+ return domain; -+} -+ - - _PUBLIC_ bool cli_credentials_set_domain(struct cli_credentials *cred, - const char *val, -diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h -index c3a048ecc8d..c5ffe536e07 100644 ---- a/auth/credentials/credentials.h -+++ b/auth/credentials/credentials.h -@@ -127,6 +127,9 @@ int cli_credentials_get_keytab(struct cli_credentials *cred, - struct loadparm_context *lp_ctx, - struct keytab_container **_ktc); - const char *cli_credentials_get_domain(struct cli_credentials *cred); -+const char *cli_credentials_get_domain_and_obtained( -+ struct cli_credentials *cred, -+ enum credentials_obtained *obtained); - struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred); - void cli_credentials_set_machine_account_pending(struct cli_credentials *cred, - struct loadparm_context *lp_ctx); -diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c -index 414dd46a6b0..2cb2e6d0e34 100644 ---- a/auth/credentials/tests/test_creds.c -+++ b/auth/credentials/tests/test_creds.c -@@ -48,6 +48,7 @@ static void torture_creds_init(void **state) - const char *username = NULL; - const char *domain = NULL; - const char *password = NULL; -+ enum credentials_obtained dom_obtained = CRED_UNINITIALISED; - enum credentials_obtained usr_obtained = CRED_UNINITIALISED; - enum credentials_obtained pwd_obtained = CRED_UNINITIALISED; - bool ok; -@@ -65,6 +66,11 @@ static void torture_creds_init(void **state) - domain = cli_credentials_get_domain(creds); - assert_string_equal(domain, "WURST"); - -+ domain = cli_credentials_get_domain_and_obtained(creds, -+ &dom_obtained); -+ assert_int_equal(dom_obtained, CRED_SPECIFIED); -+ assert_string_equal(domain, "WURST"); -+ - username = cli_credentials_get_username(creds); - assert_null(username); - ok = cli_credentials_set_username(creds, "brot", CRED_SPECIFIED); --- -2.43.0 - - -From a72e035090075ff1b36c5d67daf5f601277bceaa Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 6 Dec 2023 15:58:08 +0100 -Subject: [PATCH 12/13] s3:tests: Add interactive smbget test for password - entry - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 5b38f3be8cb986aa2db3aab5c3c3d2e8739893ce) ---- - source3/script/tests/test_smbget.sh | 32 +++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 0af28c6ff89..74050f6951a 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -29,6 +29,7 @@ incdir=$(dirname $0)/../../../testprogs/blackbox - . "${incdir}/common_test_fns.inc" - - samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) -+samba_texpect="${BINDIR}/texpect" - - create_test_data() - { -@@ -163,6 +164,33 @@ test_singlefile_smburl2() - return 0 - } - -+test_singlefile_smburl_interactive() -+{ -+ clear_download_area -+ -+ tmpfile="$(mktemp --tmpdir="${TMPDIR}" expect_XXXXXXXXXX)" -+ -+ cat >"${tmpfile}" < -Date: Wed, 6 Dec 2023 13:16:53 +0100 -Subject: [PATCH 13/13] s3:utils: Fix auth callback with smburl - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15532 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit f2f7ed419e03e5ae8cc85f42af5b2bcf91abefe2) ---- - source3/utils/smbget.c | 40 ++++++++++++++++++++++++++++++++++------ - 1 file changed, 34 insertions(+), 6 deletions(-) - -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index 8d98ba24602..598607ea391 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -114,20 +114,48 @@ static void get_auth_data_with_context_fn(SMBCCTX *ctx, - const char *username = NULL; - const char *password = NULL; - const char *domain = NULL; -+ enum credentials_obtained obtained = CRED_UNINITIALISED; - -- username = cli_credentials_get_username(creds); -+ username = cli_credentials_get_username_and_obtained(creds, &obtained); - if (username != NULL) { -- strncpy(usr, username, usr_len - 1); -+ bool overwrite = false; -+ if (usr[0] == '\0') { -+ overwrite = true; -+ } -+ if (obtained >= CRED_CALLBACK_RESULT) { -+ overwrite = true; -+ } -+ if (overwrite) { -+ strncpy(usr, username, usr_len - 1); -+ } - } - -- password = cli_credentials_get_password(creds); -+ password = cli_credentials_get_password_and_obtained(creds, &obtained); - if (password != NULL) { -- strncpy(pwd, password, pwd_len - 1); -+ bool overwrite = false; -+ if (usr[0] == '\0') { -+ overwrite = true; -+ } -+ if (obtained >= CRED_CALLBACK_RESULT) { -+ overwrite = true; -+ } -+ if (overwrite) { -+ strncpy(pwd, password, pwd_len - 1); -+ } - } - -- domain = cli_credentials_get_domain(creds); -+ domain = cli_credentials_get_domain_and_obtained(creds, &obtained); - if (domain != NULL) { -- strncpy(dom, domain, dom_len - 1); -+ bool overwrite = false; -+ if (usr[0] == '\0') { -+ overwrite = true; -+ } -+ if (obtained >= CRED_CALLBACK_RESULT) { -+ overwrite = true; -+ } -+ if (overwrite) { -+ strncpy(dom, domain, dom_len - 1); -+ } - } - - smbc_set_credentials_with_fallback(ctx, domain, username, password); --- -2.43.0 - diff --git a/samba-4.19-fix-smbget-debug.patch b/samba-4.19-fix-smbget-debug.patch deleted file mode 100644 index b837fea..0000000 --- a/samba-4.19-fix-smbget-debug.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 21d8c1b2dabf8dd5a65de14816c6701e9c81de44 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 5 Dec 2023 15:46:48 +0100 -Subject: [PATCH 1/2] s3:tests: Add smbget test for - smb://DOAMIN;user%password@server/share/file - -This is supported according to the smbget manpage! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e) ---- - source3/script/tests/test_smbget.sh | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh -index 46c1f4a68a5..bdc62a71eff 100755 ---- a/source3/script/tests/test_smbget.sh -+++ b/source3/script/tests/test_smbget.sh -@@ -145,6 +145,22 @@ test_singlefile_smburl() - return 0 - } - -+test_singlefile_smburl2() -+{ -+ clear_download_area -+ $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile" -+ if [ $? -ne 0 ]; then -+ echo 'ERROR: RC does not match, expected: 0' -+ return 1 -+ fi -+ cmp --silent $WORKDIR/testfile ./testfile -+ if [ $? -ne 0 ]; then -+ echo 'ERROR: file content does not match' -+ return 1 -+ fi -+ return 0 -+} -+ - test_singlefile_authfile() - { - clear_download_area -@@ -499,6 +515,10 @@ testit "download single file with --update and UPN" test_singlefile_U_UPN || - testit "download single file with smb URL" test_singlefile_smburl || - failed=$(expr $failed + 1) - -+testit "download single file with smb URL including domain" \ -+ test_singlefile_smburl2 || -+ failed=$(expr $failed + 1) -+ - testit "download single file with authfile" test_singlefile_authfile || - failed=$(expr $failed + 1) - --- -2.43.0 - - -From e19fa9d75ee70ec23e70f166ee70241c116f7bf5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 6 Dec 2023 08:48:34 +0100 -Subject: [PATCH 2/2] s3:utils: Fix setting the debug level - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d) ---- - source3/utils/smbget.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index 5c99dcf918a..8d98ba24602 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -849,6 +849,7 @@ int main(int argc, char **argv) - uint32_t gensec_features; - bool use_wbccache = false; - SMBCCTX *smb_ctx = NULL; -+ int dbg_lvl = -1; - int rc; - - smb_init_locale(); -@@ -922,13 +923,16 @@ int main(int argc, char **argv) - - samba_cmdline_burn(argc, argv); - -+ /* smbc_new_context() will set the log level to 0 */ -+ dbg_lvl = debuglevel_get(); -+ - smb_ctx = smbc_new_context(); - if (smb_ctx == NULL) { - fprintf(stderr, "Unable to initialize libsmbclient\n"); - ok = false; - goto done; - } -- smbc_setDebug(smb_ctx, debuglevel_get()); -+ smbc_setDebug(smb_ctx, dbg_lvl); - - rc = smbc_setConfiguration(smb_ctx, lp_default_path()); - if (rc < 0) { --- -2.43.0 - diff --git a/samba-4.19-redhat.patch b/samba-4.19-redhat.patch index 7ec74d1..f9317c9 100644 --- a/samba-4.19-redhat.patch +++ b/samba-4.19-redhat.patch @@ -1,7 +1,7 @@ From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:05:54 +0300 -Subject: [PATCH 01/25] gp: Support more global trust directories +Subject: [PATCH 01/28] gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). @@ -60,13 +60,13 @@ index 312c8ddf467..1b90ab46e90 100644 # Symlink the certs to global trust dir dst = os.path.join(global_trust_dir, os.path.basename(src)) -- -2.41.0 +2.45.2 From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:09:28 +0300 -Subject: [PATCH 02/25] gp: Support update-ca-trust helper +Subject: [PATCH 02/28] gp: Support update-ca-trust helper This is used on RHEL/Fedora instead of update-ca-certificates. They behave similarly so it's enough to change the command name. @@ -104,13 +104,13 @@ index 1b90ab46e90..cefdafa21b2 100644 Popen([update]).wait() # Setup Certificate Auto Enrollment -- -2.41.0 +2.45.2 From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 11 Aug 2023 18:46:42 +0300 -Subject: [PATCH 03/25] gp: Change root cert extension suffix +Subject: [PATCH 03/28] gp: Change root cert extension suffix On Ubuntu, certificates must end in '.crt' in order to be considered by the `update-ca-certificates` helper. @@ -138,13 +138,13 @@ index cefdafa21b2..c562722906b 100644 w.write(cert) root_certs.append(dest) -- -2.41.0 +2.45.2 From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:06:43 +0300 -Subject: [PATCH 04/25] gp: Test with binary content for certificate data +Subject: [PATCH 04/28] gp: Test with binary content for certificate data This fails all GPO-related tests that call `gpupdate --rsop`. @@ -216,13 +216,13 @@ index 00000000000..0aad59607c2 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:20:11 +0300 -Subject: [PATCH 05/25] gp: Convert CA certificates to base64 +Subject: [PATCH 05/28] gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting @@ -289,13 +289,13 @@ index 0aad59607c2..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:16:23 +0300 -Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes +Subject: [PATCH 06/28] gp: Test adding new cert templates enforces changes Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy. @@ -422,13 +422,13 @@ index 00000000000..4edc1dce730 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:37:17 +0300 -Subject: [PATCH 07/25] gp: Template changes should invalidate cache +Subject: [PATCH 07/28] gp: Template changes should invalidate cache If certificate templates are added or removed, the autoenroll extension should react to this and reapply the policy. Previously this wasn't @@ -487,13 +487,13 @@ index 4edc1dce730..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:26:59 +0300 -Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy +Subject: [PATCH 08/28] gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. @@ -588,13 +588,13 @@ index 00000000000..83bc9f0ac1f @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:33:59 +0300 -Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove +Subject: [PATCH 09/28] gp: Send list of keys instead of dict to remove `cache_get_all_attribute_values` returns a dict whereas we need to pass a list of keys to `remove`. These will be interpolated in the gpdb search. @@ -634,13 +634,13 @@ index 83bc9f0ac1f..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.41.0 +2.45.2 From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 9 Jan 2024 08:50:01 +0100 -Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't +Subject: [PATCH 10/28] python:gp: Print a nice message if cepces-submit can't be found BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 @@ -691,13 +691,13 @@ index 64c35782ae8..08d1a7348cd 100644 def getca(ca, url, trust_dir): -- -2.41.0 +2.45.2 From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Mon, 8 Jan 2024 18:05:08 +0200 -Subject: [PATCH 11/25] gpo: Test certificate policy without NDES +Subject: [PATCH 11/28] gpo: Test certificate policy without NDES As of 8231eaf856b, the NDES feature is no longer required on Windows, as cert auto-enroll can use the certificate from the LDAP request. @@ -895,13 +895,13 @@ index 00000000000..f1e590bc7d8 @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.41.0 +2.45.2 From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 18 Jan 2024 20:23:24 +0200 -Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing +Subject: [PATCH 12/28] gpo: Decode base64 root cert before importing The reasoning behind this is described in the previous commit message, but essentially this should either be wrapped in certificate blocks and @@ -948,13 +948,13 @@ index f1e590bc7d8..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.41.0 +2.45.2 From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 19 Jan 2024 11:36:19 +0200 -Subject: [PATCH 13/25] gpo: Do not get templates list on first run +Subject: [PATCH 13/28] gpo: Do not get templates list on first run This is a visual fix and has no impact on functionality apart from cleaner log messages. @@ -997,13 +997,13 @@ index cd5e54f1110..559c903e1a2 100644 if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: self.unapply(guid, attribute, old_val) -- -2.41.0 +2.45.2 From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 5 Jan 2024 08:47:07 -0700 -Subject: [PATCH 14/25] gp: Skip site GP list if no site is found +Subject: [PATCH 14/28] gp: Skip site GP list if no site is found [MS-GPOL] 3.2.5.1.4 Site Search says if the site search returns ERROR_NO_SITENAME, the GP site @@ -1065,13 +1065,13 @@ index 617ef79350c..babd8f90748 100644 # (L)ocal gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", -- -2.41.0 +2.45.2 From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:14:30 +0100 -Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit +Subject: [PATCH 15/28] python:gp: Avoid path check for cepces-submit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1111,13 +1111,13 @@ index 559c903e1a2..7325d5132cf 100644 '%s --server=%s --auth=%s' % (cepces_submit, ca['hostname'], auth)], -- -2.41.0 +2.45.2 From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:07:47 +0100 -Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment +Subject: [PATCH 16/28] python:gp: Improve logging for certificate enrollment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1171,13 +1171,13 @@ index 7325d5132cf..a25a9678587 100644 getcert = which('getcert') cepces_submit = find_cepces_submit() -- -2.41.0 +2.45.2 From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:04:36 +0100 -Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists +Subject: [PATCH 17/28] python:gp: Do not print an error, if CA already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1217,13 +1217,13 @@ index a25a9678587..0b23cd688db 100644 for template in supported_templates: attrs = fetch_template_attrs(ldb, template) -- -2.41.0 +2.45.2 From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:02 +0100 -Subject: [PATCH 18/25] python:gp: Do not print an error if template already +Subject: [PATCH 18/28] python:gp: Do not print an error if template already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1264,13 +1264,13 @@ index 0b23cd688db..db681cb6f69 100644 data['templates'].append(nickname) if update is not None: -- -2.41.0 +2.45.2 From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:24 +0100 -Subject: [PATCH 19/25] python:gp: Log an error if update fails +Subject: [PATCH 19/28] python:gp: Log an error if update fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1301,13 +1301,13 @@ index db681cb6f69..c8ad2039dc6 100644 log.warn('certmonger and cepces must be installed for ' + 'certificate auto enrollment to work') -- -2.41.0 +2.45.2 From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:46:24 +0100 -Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid +Subject: [PATCH 20/28] python:gp: Improve working of log messages to avoid confusion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1354,13 +1354,13 @@ index c8ad2039dc6..2b7f7d22c2b 100644 log.warn('Installing the server certificate only.') der_certificate = base64.b64decode(ca['cACertificate']) -- -2.41.0 +2.45.2 From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 29 Jan 2024 17:46:30 +0100 -Subject: [PATCH 21/25] python:gp: Fix logging with gp +Subject: [PATCH 21/28] python:gp: Fix logging with gp This allows enable INFO level logging with: `samba-gpupdate -d3` @@ -1396,13 +1396,13 @@ index a74a8707d50..c3de32825db 100644 logger.setLevel(logging.CRITICAL) if log_level == 1: -- -2.41.0 +2.45.2 -From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001 +From 14ceb0b5f2f954bbabdaf78b8185fc515e3c8294 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Wed, 13 Mar 2024 13:55:41 +0100 -Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad +Subject: [PATCH 22/28] docs-xml: Add parameter all_groupmem to idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1438,13 +1438,13 @@ index b364bbfa231..de6d36afe95 100644 This parameter is a list of OUs from which objects will not be mapped via the ad idmap -- -2.41.0 +2.45.2 -From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001 +From ac4184c8c3220263cb6f1a46a012533ed1c4e047 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 12 Mar 2024 13:20:24 +0100 -Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem() +Subject: [PATCH 23/28] s3:winbindd: Improve performance of lookup_groupmem() in idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1521,13 +1521,13 @@ index d7a665abbc6..e625aa6473f 100644 if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("%s: add_primary_group_members failed: %s\n", -- -2.41.0 +2.45.2 -From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001 +From d0e2002efcc37055b35c351a6b936e6ab89fad32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 25 Mar 2024 22:38:18 +0100 -Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to +Subject: [PATCH 24/28] selftest: Add "winbind expand groups = 1" to setup_ad_member_idmap_ad MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1537,7 +1537,7 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 Signed-off-by: Pavel Filipenský Reviewed-by: Andreas Schneider -(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) +(backported from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) --- selftest/target/Samba3.pm | 1 + 1 file changed, 1 insertion(+) @@ -1555,13 +1555,13 @@ index 44ac4a5901a..606c65f8ab1 100755 my $ret = $self->provision( -- -2.41.0 +2.45.2 -From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001 +From 9625b6aed981aa4e70fe11d9d1acdb54db7591a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 14 Mar 2024 15:24:21 +0100 -Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to +Subject: [PATCH 25/28] tests: Add a test for "all_groups=no" to test_idmap_ad.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1628,5 +1628,160 @@ index 7ae112ada71..1d4bd395ba9 100755 changetype: delete EOF -- -2.41.0 +2.45.2 + + +From e5890e63c35a4a5af29ae16e6dd734c4a3a304cc Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 28 May 2024 13:51:53 +0200 +Subject: [PATCH 26/28] s3:libads: Allow get_kdc_ip_string() to lookup the KDCs + IP + +Remove the requirement to provide an IP address. We should look up the +IP of the KDC and use it for the specified realm/workgroup. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 28aa0b815baf4668e3df01d52597c40fd430e2fb) +--- + source3/libads/kerberos.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 50f4a6de3c6..ddf97c11973 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -437,23 +437,23 @@ static char *get_kdc_ip_string(char *mem_ctx, + char *kdc_str = NULL; + char *canon_sockaddr = NULL; + +- SMB_ASSERT(pss != NULL); +- +- canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); +- if (canon_sockaddr == NULL) { +- goto out; +- } ++ if (pss != NULL) { ++ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); ++ if (canon_sockaddr == NULL) { ++ goto out; ++ } + +- kdc_str = talloc_asprintf(frame, +- "\t\tkdc = %s\n", +- canon_sockaddr); +- if (kdc_str == NULL) { +- goto out; +- } ++ kdc_str = talloc_asprintf(frame, ++ "\t\tkdc = %s\n", ++ canon_sockaddr); ++ if (kdc_str == NULL) { ++ goto out; ++ } + +- ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); +- if (!ok) { +- goto out; ++ ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); ++ if (!ok) { ++ goto out; ++ } + } + + /* +-- +2.45.2 + + +From 96a1ecd8db249fa03db60259cf76fdef9c1bd749 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 28 May 2024 13:53:51 +0200 +Subject: [PATCH 27/28] s3:libads: Do not fail if we don't get an IP passed + down + +The IP should be optional and we should look it up if not provided. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2) +--- + source3/libads/kerberos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index ddf97c11973..f74d8eb567c 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -704,7 +704,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + return false; + } + +- if (domain == NULL || pss == NULL) { ++ if (domain == NULL) { + return false; + } + +-- +2.45.2 + + +From 4934642b7a7d92c6d81ba25ef6e4b66e3805f708 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 28 May 2024 13:54:24 +0200 +Subject: [PATCH 28/28] s3:winbind: Fix idmap_ad creating an invalid local + krb5.conf + +In case of a trusted domain, we are providing the realm of the primary +trust but specify the KDC IP of the trusted domain. This leads to +Kerberos ticket requests to the trusted domain KDC which doesn't know +about the machine account. However we need a ticket from our primary +trust KDC. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(backported from commit 8989aa47b7493e6b7978c2efc4a40c781e9a2aee) +--- + source3/winbindd/idmap_ad.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c +index 5c9fe07db95..b8002825161 100644 +--- a/source3/winbindd/idmap_ad.c ++++ b/source3/winbindd/idmap_ad.c +@@ -320,7 +320,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, + struct tldap_context **pld) + { + struct netr_DsRGetDCNameInfo *dcinfo; +- struct sockaddr_storage dcaddr; ++ struct sockaddr_storage dcaddr = { ++ .ss_family = AF_UNSPEC, ++ }; ++ struct sockaddr_storage *pdcaddr = NULL; + struct cli_credentials *creds; + struct loadparm_context *lp_ctx; + struct tldap_context *ld; +@@ -362,9 +365,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx, + * create_local_private_krb5_conf_for_domain() can deal with + * sitename==NULL + */ ++ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup())) ++ { ++ pdcaddr = &dcaddr; ++ } + + ok = create_local_private_krb5_conf_for_domain( +- lp_realm(), lp_workgroup(), sitename, &dcaddr); ++ lp_realm(), lp_workgroup(), sitename, pdcaddr); + TALLOC_FREE(sitename); + if (!ok) { + DBG_DEBUG("Could not create private krb5.conf\n"); +-- +2.45.2 diff --git a/samba.spec b/samba.spec index 66e2545..9b584bc 100644 --- a/samba.spec +++ b/samba.spec @@ -147,7 +147,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.19.4 -%global baserelease 4 +%global baserelease 5 # This should be rc1 or %%nil %global pre_release %nil @@ -4479,6 +4479,9 @@ fi %endif %changelog +* Fri Aug 02 2024 Pavel Filipenský - 4.19.4-5 +- resolves: RHEL-45842 - Fix idmap_ad with trusted domains + * Thu May 02 2024 Pavel Filipenský - 4.19.4-4 - related: RHEL-33813 - Undo wrong changes in rpminspect.yaml diff --git a/v4-19-fix-force-user.patch b/v4-19-fix-force-user.patch deleted file mode 100644 index 70b081f..0000000 --- a/v4-19-fix-force-user.patch +++ /dev/null @@ -1,325 +0,0 @@ -From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Sep 2023 16:29:46 +0200 -Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no' - firewalls Unix User|Group - -UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver) -REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4) ---- - selftest/knownfail.d/forceuser_trusteddomains | 2 ++ - selftest/target/Samba3.pm | 1 + - 2 files changed, 3 insertions(+) - create mode 100644 selftest/knownfail.d/forceuser_trusteddomains - -diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains -new file mode 100644 -index 00000000000..b515400cd90 ---- /dev/null -+++ b/selftest/knownfail.d/forceuser_trusteddomains -@@ -0,0 +1,2 @@ -+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver -+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 39831afc599..85e69e4b72d 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1689,6 +1689,7 @@ sub setup_simpleserver - vfs objects = xattr_tdb streams_depot - change notify = no - server smb encrypt = off -+ allow trusted domains = no - - [vfs_aio_pthread] - path = $prefix_abs/share --- -2.43.0 - - -From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 8 Sep 2023 12:50:32 +0200 -Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd) ---- - source3/auth/auth_util.c | 64 ++++++++++++++++++++-------------------- - 1 file changed, 32 insertions(+), 32 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 293523f4272..e5863d2272b 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, - } - - /**************************************************************************** -- Create an auth_usersupplied_data, making the DATA_BLOBs here. -+ Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrypt and encrypt the passwords. - ****************************************************************************/ - - bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, - struct auth_usersupplied_info **user_info, -- const char *smb_name, -- const char *client_domain, -+ const char *smb_name, -+ const char *client_domain, - const char *workstation_name, - const struct tsocket_address *remote_address, - const struct tsocket_address *local_address, -@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, - DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); - - status = make_user_info_map(mem_ctx, user_info, -- smb_name, client_domain, -+ smb_name, client_domain, - workstation_name, - remote_address, - local_address, - "SamLogon", -- lm_pwd_len ? &lm_blob : NULL, -+ lm_pwd_len ? &lm_blob : NULL, - nt_pwd_len ? &nt_blob : NULL, - NULL, NULL, NULL, - AUTH_PASSWORD_RESPONSE); -@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, - } - - /**************************************************************************** -- Create an auth_usersupplied_data, making the DATA_BLOBs here. -+ Create an auth_usersupplied_data, making the DATA_BLOBs here. - Decrypt and encrypt the passwords. - ****************************************************************************/ - - bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, - struct auth_usersupplied_info **user_info, -- const char *smb_name, -- const char *client_domain, -+ const char *smb_name, -+ const char *client_domain, - const char *workstation_name, - const struct tsocket_address *remote_address, - const struct tsocket_address *local_address, - uint32_t logon_parameters, -- const uchar chal[8], -- const uchar lm_interactive_pwd[16], -+ const uchar chal[8], -+ const uchar lm_interactive_pwd[16], - const uchar nt_interactive_pwd[16]) - { - struct samr_Password lm_pwd; -@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, - - nt_status = make_user_info_map( - mem_ctx, -- user_info, -+ user_info, - smb_name, client_domain, workstation_name, - remote_address, - local_address, -@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, - - bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, - struct auth_usersupplied_info **user_info, -- const char *smb_name, -+ const char *smb_name, - const char *client_domain, - const struct tsocket_address *remote_address, - const struct tsocket_address *local_address, -@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, - - /* We can't do an NT hash here, as the password needs to be - case insensitive */ -- local_nt_blob = data_blob_null; -+ local_nt_blob = data_blob_null; - } else { -- local_lm_blob = data_blob_null; -- local_nt_blob = data_blob_null; -+ local_lm_blob = data_blob_null; -+ local_nt_blob = data_blob_null; - } - - plaintext_password_string = talloc_strndup(talloc_tos(), -@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, - } - - ret = make_user_info(mem_ctx, -- user_info, smb_name, smb_name, client_domain, client_domain, -+ user_info, smb_name, smb_name, client_domain, client_domain, - get_remote_machine_name(), - remote_address, - local_address, -@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx, - - nt_status = make_user_info(mem_ctx, - user_info, -- "","", -- "","", -- "", -+ "","", -+ "","", -+ "", - remote_address, - local_address, - service_description, -- NULL, NULL, -- NULL, NULL, -+ NULL, NULL, -+ NULL, NULL, - NULL, - AUTH_PASSWORD_RESPONSE); - -@@ -1258,7 +1258,7 @@ done: - } - - session_info->unique_session_token = GUID_random(); -- -+ - *session_info_out = talloc_move(mem_ctx, &session_info); - TALLOC_FREE(frame); - return NT_STATUS_OK; -@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, - *pwd = passwd; - - /* This is pointless -- there is no support for differing -- unix and windows names. Make sure to always store the -+ unix and windows names. Make sure to always store the - one we actually looked up and succeeded. Have I mentioned -- why I hate the 'winbind use default domain' parameter? -+ why I hate the 'winbind use default domain' parameter? - --jerry */ - - *found_username = talloc_strdup( mem_ctx, real_username ); -@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, - } - - /**************************************************************************** -- Wrapper to allow the getpwnam() call to strip the domain name and -- try again in case a local UNIX user is already there. Also run through -+ Wrapper to allow the getpwnam() call to strip the domain name and -+ try again in case a local UNIX user is already there. Also run through - the username if we fallback to the username only. - ****************************************************************************/ - -@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, - char *p = NULL; - const char *username = NULL; - -- /* we only save a copy of the username it has been mangled -+ /* we only save a copy of the username it has been mangled - by winbindd use default domain */ - *p_save_username = NULL; - -- /* don't call map_username() here since it has to be done higher -+ /* don't call map_username() here since it has to be done higher - up the stack so we don't call it multiple times */ - - username = talloc_strdup(mem_ctx, domuser); -@@ -2068,10 +2068,10 @@ username_only: - } - - /*************************************************************************** -- Make a server_info struct from the info3 returned by a domain logon -+ Make a server_info struct from the info3 returned by a domain logon - ***************************************************************************/ - --NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, -+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - const char *sent_nt_username, - const char *domain, - struct auth_serversupplied_info **server_info, -@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - struct dom_sid sid; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); - -- /* -+ /* - Here is where we should check the list of -- trusted domains, and verify that the SID -+ trusted domains, and verify that the SID - matches. - */ - --- -2.43.0 - - -From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 30 Nov 2023 10:54:07 +0100 -Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a - local token - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce) ---- - selftest/knownfail.d/forceuser_trusteddomains | 2 -- - source3/auth/auth_util.c | 17 ++++++++++++++++- - 2 files changed, 16 insertions(+), 3 deletions(-) - delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains - -diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains -deleted file mode 100644 -index b515400cd90..00000000000 ---- a/selftest/knownfail.d/forceuser_trusteddomains -+++ /dev/null -@@ -1,2 +0,0 @@ --samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver --samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index e5863d2272b..2a35fea5061 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -21,6 +21,7 @@ - along with this program. If not, see . - */ - -+#include "dom_sid.h" - #include "includes.h" - #include "auth.h" - #include "lib/util_unixsids.h" -@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - struct dom_sid tmp_sid; - struct auth_session_info *session_info = NULL; - struct unixid *ids; -+ bool is_allowed = false; - - /* Ensure we can't possible take a code path leading to a - * null deref. */ -@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - return NT_STATUS_LOGON_FAILURE; - } - -- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { -+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) { -+ is_allowed = true; -+ } -+ -+ /* Check if we have extra info about the user. */ -+ if (dom_sid_in_domain(&global_sid_Unix_Users, -+ &server_info->extra.user_sid) || -+ dom_sid_in_domain(&global_sid_Unix_Groups, -+ &server_info->extra.pgid_sid)) -+ { -+ is_allowed = true; -+ } -+ -+ if (!is_allowed) { - DBG_NOTICE("Authentication failed for user [%s] " - "from firewalled domain [%s]\n", - server_info->info3->base.account_name.string, --- -2.43.0 -