From 33becdc606c926113511666fac843daed943d78f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 4 Dec 2023 16:09:00 +0100 Subject: [PATCH] Fix force user/group issues with 'allow trusted domains = yes' resolves: RHEL-2118 --- ...-4.19-fix-force-user-trusted-domains.patch | 325 ++++++++++++++++++ samba.spec | 3 + 2 files changed, 328 insertions(+) create mode 100644 samba-4.19-fix-force-user-trusted-domains.patch diff --git a/samba-4.19-fix-force-user-trusted-domains.patch b/samba-4.19-fix-force-user-trusted-domains.patch new file mode 100644 index 0000000..70b081f --- /dev/null +++ b/samba-4.19-fix-force-user-trusted-domains.patch @@ -0,0 +1,325 @@ +From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Sep 2023 16:29:46 +0200 +Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no' + firewalls Unix User|Group + +UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver) +REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4) +--- + selftest/knownfail.d/forceuser_trusteddomains | 2 ++ + selftest/target/Samba3.pm | 1 + + 2 files changed, 3 insertions(+) + create mode 100644 selftest/knownfail.d/forceuser_trusteddomains + +diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains +new file mode 100644 +index 00000000000..b515400cd90 +--- /dev/null ++++ b/selftest/knownfail.d/forceuser_trusteddomains +@@ -0,0 +1,2 @@ ++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver ++samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 39831afc599..85e69e4b72d 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1689,6 +1689,7 @@ sub setup_simpleserver + vfs objects = xattr_tdb streams_depot + change notify = no + server smb encrypt = off ++ allow trusted domains = no + + [vfs_aio_pthread] + path = $prefix_abs/share +-- +2.43.0 + + +From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 8 Sep 2023 12:50:32 +0200 +Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd) +--- + source3/auth/auth_util.c | 64 ++++++++++++++++++++-------------------- + 1 file changed, 32 insertions(+), 32 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 293523f4272..e5863d2272b 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx, + } + + /**************************************************************************** +- Create an auth_usersupplied_data, making the DATA_BLOBs here. ++ Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrypt and encrypt the passwords. + ****************************************************************************/ + + bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, + struct auth_usersupplied_info **user_info, +- const char *smb_name, +- const char *client_domain, ++ const char *smb_name, ++ const char *client_domain, + const char *workstation_name, + const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, +@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, + DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len); + + status = make_user_info_map(mem_ctx, user_info, +- smb_name, client_domain, ++ smb_name, client_domain, + workstation_name, + remote_address, + local_address, + "SamLogon", +- lm_pwd_len ? &lm_blob : NULL, ++ lm_pwd_len ? &lm_blob : NULL, + nt_pwd_len ? &nt_blob : NULL, + NULL, NULL, NULL, + AUTH_PASSWORD_RESPONSE); +@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx, + } + + /**************************************************************************** +- Create an auth_usersupplied_data, making the DATA_BLOBs here. ++ Create an auth_usersupplied_data, making the DATA_BLOBs here. + Decrypt and encrypt the passwords. + ****************************************************************************/ + + bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, + struct auth_usersupplied_info **user_info, +- const char *smb_name, +- const char *client_domain, ++ const char *smb_name, ++ const char *client_domain, + const char *workstation_name, + const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, + uint32_t logon_parameters, +- const uchar chal[8], +- const uchar lm_interactive_pwd[16], ++ const uchar chal[8], ++ const uchar lm_interactive_pwd[16], + const uchar nt_interactive_pwd[16]) + { + struct samr_Password lm_pwd; +@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, + + nt_status = make_user_info_map( + mem_ctx, +- user_info, ++ user_info, + smb_name, client_domain, workstation_name, + remote_address, + local_address, +@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx, + + bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, + struct auth_usersupplied_info **user_info, +- const char *smb_name, ++ const char *smb_name, + const char *client_domain, + const struct tsocket_address *remote_address, + const struct tsocket_address *local_address, +@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, + + /* We can't do an NT hash here, as the password needs to be + case insensitive */ +- local_nt_blob = data_blob_null; ++ local_nt_blob = data_blob_null; + } else { +- local_lm_blob = data_blob_null; +- local_nt_blob = data_blob_null; ++ local_lm_blob = data_blob_null; ++ local_nt_blob = data_blob_null; + } + + plaintext_password_string = talloc_strndup(talloc_tos(), +@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx, + } + + ret = make_user_info(mem_ctx, +- user_info, smb_name, smb_name, client_domain, client_domain, ++ user_info, smb_name, smb_name, client_domain, client_domain, + get_remote_machine_name(), + remote_address, + local_address, +@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx, + + nt_status = make_user_info(mem_ctx, + user_info, +- "","", +- "","", +- "", ++ "","", ++ "","", ++ "", + remote_address, + local_address, + service_description, +- NULL, NULL, +- NULL, NULL, ++ NULL, NULL, ++ NULL, NULL, + NULL, + AUTH_PASSWORD_RESPONSE); + +@@ -1258,7 +1258,7 @@ done: + } + + session_info->unique_session_token = GUID_random(); +- ++ + *session_info_out = talloc_move(mem_ctx, &session_info); + TALLOC_FREE(frame); + return NT_STATUS_OK; +@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, + *pwd = passwd; + + /* This is pointless -- there is no support for differing +- unix and windows names. Make sure to always store the ++ unix and windows names. Make sure to always store the + one we actually looked up and succeeded. Have I mentioned +- why I hate the 'winbind use default domain' parameter? ++ why I hate the 'winbind use default domain' parameter? + --jerry */ + + *found_username = talloc_strdup( mem_ctx, real_username ); +@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, + } + + /**************************************************************************** +- Wrapper to allow the getpwnam() call to strip the domain name and +- try again in case a local UNIX user is already there. Also run through ++ Wrapper to allow the getpwnam() call to strip the domain name and ++ try again in case a local UNIX user is already there. Also run through + the username if we fallback to the username only. + ****************************************************************************/ + +@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, + char *p = NULL; + const char *username = NULL; + +- /* we only save a copy of the username it has been mangled ++ /* we only save a copy of the username it has been mangled + by winbindd use default domain */ + *p_save_username = NULL; + +- /* don't call map_username() here since it has to be done higher ++ /* don't call map_username() here since it has to be done higher + up the stack so we don't call it multiple times */ + + username = talloc_strdup(mem_ctx, domuser); +@@ -2068,10 +2068,10 @@ username_only: + } + + /*************************************************************************** +- Make a server_info struct from the info3 returned by a domain logon ++ Make a server_info struct from the info3 returned by a domain logon + ***************************************************************************/ + +-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, ++NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + const char *sent_nt_username, + const char *domain, + struct auth_serversupplied_info **server_info, +@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, + struct dom_sid sid; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + +- /* ++ /* + Here is where we should check the list of +- trusted domains, and verify that the SID ++ trusted domains, and verify that the SID + matches. + */ + +-- +2.43.0 + + +From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 30 Nov 2023 10:54:07 +0100 +Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a + local token + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce) +--- + selftest/knownfail.d/forceuser_trusteddomains | 2 -- + source3/auth/auth_util.c | 17 ++++++++++++++++- + 2 files changed, 16 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains + +diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains +deleted file mode 100644 +index b515400cd90..00000000000 +--- a/selftest/knownfail.d/forceuser_trusteddomains ++++ /dev/null +@@ -1,2 +0,0 @@ +-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver +-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index e5863d2272b..2a35fea5061 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -21,6 +21,7 @@ + along with this program. If not, see . + */ + ++#include "dom_sid.h" + #include "includes.h" + #include "auth.h" + #include "lib/util_unixsids.h" +@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + struct dom_sid tmp_sid; + struct auth_session_info *session_info = NULL; + struct unixid *ids; ++ bool is_allowed = false; + + /* Ensure we can't possible take a code path leading to a + * null deref. */ +@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + return NT_STATUS_LOGON_FAILURE; + } + +- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) { ++ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) { ++ is_allowed = true; ++ } ++ ++ /* Check if we have extra info about the user. */ ++ if (dom_sid_in_domain(&global_sid_Unix_Users, ++ &server_info->extra.user_sid) || ++ dom_sid_in_domain(&global_sid_Unix_Groups, ++ &server_info->extra.pgid_sid)) ++ { ++ is_allowed = true; ++ } ++ ++ if (!is_allowed) { + DBG_NOTICE("Authentication failed for user [%s] " + "from firewalled domain [%s]\n", + server_info->info3->base.account_name.string, +-- +2.43.0 + diff --git a/samba.spec b/samba.spec index ecff5b0..b7331d6 100644 --- a/samba.spec +++ b/samba.spec @@ -243,6 +243,8 @@ Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore +Patch0: samba-4.19-fix-force-user-trusted-domains.patch + Requires(pre): /usr/sbin/groupadd Requires(pre): %{name}-common = %{samba_depver} @@ -4481,6 +4483,7 @@ fi CVE-2023-4091 CVE-2023-42669 - resolves: RHEL-18030 - Logging Format Enhancement - resolves: RHEL-1960 - Fix smbget issues with DFS shares +- resolves: RHEL-2118 - Fix force user/group issues with 'allow trusted domains = yes' * Thu Aug 17 2023 Andreas Schneider - 4.18.6-100 - related: rhbz#2190415 - Update to version 4.18.6