import samba-4.15.5-5.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:18:52 -04:00 committed by Stepan Oksanichenko
parent 9db6553941
commit 370637166c
28 changed files with 3418 additions and 11774 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/samba-4.14.5.tar.xz
SOURCES/samba-4.15.5.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg


@ -1,2 +1,2 @@
46925b3ed9f63b1b936f2271253fdccccbf1575f SOURCES/samba-4.14.5.tar.xz
f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg


@ -1,108 +0,0 @@
From 2a961e883b624219a72f212c554d34a18f22d4d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2016 09:12:59 +0100
Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non
spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index 51e121bdce6b..391ee081fe62 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
NTSTATUS status;
enum smb_encryption_setting encryption_state =
cli_credentials_get_smb_encryption(io->in.credentials);
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(io->in.credentials);
c = composite_create(session, session->transport->ev);
if (c == NULL) return NULL;
@@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
/* no session setup at all in earliest protocol varients */
if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
ZERO_STRUCT(io->out);
composite_done(c);
return c;
@@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
/* see what session setup interface we will use */
if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
status = session_setup_old(c, session, io, &state->req);
} else if (!session->transport->options.use_spnego ||
!(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
status = session_setup_nt1(c, session, io, &state->req);
} else {
struct tevent_req *subreq = NULL;
--
2.25.1
From 31a67554cf6c3d9368bef58d1249844f8eeb0059 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 27 Oct 2016 10:40:28 +0200
Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/cliconnect.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 853fb344bcd6..c01846ac8119 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1442,6 +1442,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
uint32_t in_sess_key = 0;
const char *in_native_os = NULL;
const char *in_native_lm = NULL;
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(creds);
NTSTATUS status;
req = tevent_req_create(mem_ctx, &state,
@@ -1483,6 +1485,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return req;
}
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
+ DBG_WARNING("Kerberos authentication requested, but "
+ "the server does not support SPNEGO authentication\n");
+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return tevent_req_post(req, ev);
+ }
+
if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
/*
* SessionSetupAndX was introduced by LANMAN 1.0. So we skip
--
2.25.1




@ -1,759 +0,0 @@
From 2f7332f6c283fbedbd859c79a3f74ca6e07aad46 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 13 Jan 2022 16:48:01 +0100
Subject: [PATCH 1/5] CVE-2021-44142: libadouble: add defines for icon lengths
From https://www.ietf.org/rfc/rfc1740.txt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
---
source3/lib/adouble.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/lib/adouble.h b/source3/lib/adouble.h
index 90a825c502e0..e3b9263a1f9a 100644
--- a/source3/lib/adouble.h
+++ b/source3/lib/adouble.h
@@ -101,6 +101,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t;
#define ADEDLEN_MACFILEI 4
#define ADEDLEN_PRODOSFILEI 8
#define ADEDLEN_MSDOSFILEI 2
+#define ADEDLEN_ICONBW 128
+#define ADEDLEN_ICONCOL 1024
#define ADEDLEN_DID 4
#define ADEDLEN_PRIVDEV 8
#define ADEDLEN_PRIVINO 8
--
2.34.1
From fc20cb8268af1203a331ba142b630d4dfb613478 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Sat, 20 Nov 2021 16:36:42 +0100
Subject: [PATCH 2/5] CVE-2021-44142: smbd: add Netatalk xattr used by
vfs_fruit to the list of private Samba xattrs
This is an internal xattr that should not be user visible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
---
source3/smbd/trans2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
index 70a492a96a8a..a200656b76cf 100644
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -45,6 +45,7 @@
#include "smb1_utils.h"
#include "libcli/smb/smb2_posix.h"
#include "lib/util/string_wrappers.h"
+#include "source3/lib/adouble.h"
#define DIR_ENTRY_SAFETY_MARGIN 4096
@@ -218,6 +219,7 @@ bool samba_private_attr_name(const char *unix_ea_name)
SAMBA_XATTR_DOS_ATTRIB,
SAMBA_XATTR_MARKER,
XATTR_NTACL_NAME,
+ AFPINFO_EA_NETATALK,
NULL
};
--
2.34.1
From 73302708170a71afce09ff42640ea4fceff4d08a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 26 Nov 2021 07:19:32 +0100
Subject: [PATCH 3/5] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
buffer out-of-bounds access checks in ad_unpack_xattrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
---
source3/lib/adouble.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
index 0ab9019cfb59..7875dd6f0df8 100644
--- a/source3/lib/adouble.c
+++ b/source3/lib/adouble.c
@@ -707,14 +707,27 @@ static bool ad_pack(struct vfs_handle_struct *handle,
static bool ad_unpack_xattrs(struct adouble *ad)
{
struct ad_xattr_header *h = &ad->adx_header;
+ size_t bufsize = talloc_get_size(ad->ad_data);
const char *p = ad->ad_data;
uint32_t hoff;
uint32_t i;
+ if (ad->ad_type != ADOUBLE_RSRC) {
+ return false;
+ }
+
if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
return true;
}
+ /*
+ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+ * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+ */
+ if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
+ return false;
+ }
+
/* 2 bytes padding */
hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
@@ -964,9 +977,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
ad->ad_eid[eid].ade_len = len;
}
- ok = ad_unpack_xattrs(ad);
- if (!ok) {
- return false;
+ if (ad->ad_type == ADOUBLE_RSRC) {
+ ok = ad_unpack_xattrs(ad);
+ if (!ok) {
+ return false;
+ }
}
return true;
--
2.34.1
From 0cfe02ac7ad197ea9fb4b19f296b73e5e7baf0af Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 25 Nov 2021 15:04:03 +0100
Subject: [PATCH 4/5] CVE-2021-44142: libadouble: add basic cmocka tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
[slow@samba.org: conflict due to missing test in selftest/tests.py]
---
selftest/knownfail.d/samba.unittests.adouble | 3 +
selftest/tests.py | 2 +
source3/lib/test_adouble.c | 389 +++++++++++++++++++
source3/wscript_build | 5 +
4 files changed, 399 insertions(+)
create mode 100644 selftest/knownfail.d/samba.unittests.adouble
create mode 100644 source3/lib/test_adouble.c
diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
new file mode 100644
index 000000000000..8b0314f2faec
--- /dev/null
+++ b/selftest/knownfail.d/samba.unittests.adouble
@@ -0,0 +1,3 @@
+^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
+^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
+^samba.unittests.adouble.parse_abouble_date2\(none\)
diff --git a/selftest/tests.py b/selftest/tests.py
index af1e46061852..f4a1056f1dc8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -427,3 +427,5 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
plantestsuite("samba.unittests.credentials", "none",
[os.path.join(bindir(), "default/auth/credentials/test_creds")])
+plantestsuite("samba.unittests.adouble", "none",
+ [os.path.join(bindir(), "test_adouble")])
diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c
new file mode 100644
index 000000000000..615c22469c91
--- /dev/null
+++ b/source3/lib/test_adouble.c
@@ -0,0 +1,389 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2021 Ralph Boehme <slow@samba.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "adouble.c"
+#include <cmocka.h>
+
+static int setup_talloc_context(void **state)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ *state = frame;
+ return 0;
+}
+
+static int teardown_talloc_context(void **state)
+{
+ TALLOC_CTX *frame = *state;
+
+ TALLOC_FREE(frame);
+ return 0;
+}
+
+/*
+ * Basic and sane buffer.
+ */
+static uint8_t ad_basic[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x32, /* offset */
+ 0x00, 0x00, 0x00, 0x20, /* length */
+ /* adentry 2: Resourcefork */
+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
+ 0x00, 0x00, 0x00, 0x52, /* offset */
+ 0xff, 0xff, 0xff, 0x00, /* length */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+/*
+ * An empty FinderInfo entry.
+ */
+static uint8_t ad_finderinfo1[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
+ 0x00, 0x00, 0x00, 0x00, /* len: 0, so off+len don't exceed bufferlen */
+ /* adentry 2: Resourcefork */
+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
+ 0x00, 0x00, 0x00, 0x52, /* offset */
+ 0xff, 0xff, 0xff, 0x00, /* length */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+/*
+ * A dangerous FinderInfo with correct length exceeding buffer by one byte.
+ */
+static uint8_t ad_finderinfo2[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
+ 0x00, 0x00, 0x00, 0x20, /* len: 32, so off+len exceeds bufferlen by 1 */
+ /* adentry 2: Resourcefork */
+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
+ 0x00, 0x00, 0x00, 0x52, /* offset */
+ 0xff, 0xff, 0xff, 0x00, /* length */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+static uint8_t ad_finderinfo3[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */
+ 0x00, 0x00, 0x00, 0x1f, /* len: 31, so off+len don't exceed buf */
+ /* adentry 2: Resourcefork */
+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */
+ 0x00, 0x00, 0x00, 0x52, /* offset */
+ 0xff, 0xff, 0xff, 0x00, /* length */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+/*
+ * A dangerous name entry.
+ */
+static uint8_t ad_name[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x32, /* offset */
+ 0x00, 0x00, 0x00, 0x20, /* length */
+ /* adentry 2: Name */
+ 0x00, 0x00, 0x00, 0x03, /* eid: Name */
+ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */
+ 0x00, 0x00, 0x00, 0x01, /* len: 1, so off+len exceeds bufferlen */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+/*
+ * A empty ADEID_FILEDATESI entry.
+ */
+static uint8_t ad_date1[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x32, /* offset */
+ 0x00, 0x00, 0x00, 0x20, /* length */
+ /* adentry 2: Dates */
+ 0x00, 0x00, 0x00, 0x08, /* eid: dates */
+ 0x00, 0x00, 0x00, 0x52, /* off: end of buffer */
+ 0x00, 0x00, 0x00, 0x00, /* len: 0, empty entry, valid */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+/*
+ * A dangerous ADEID_FILEDATESI entry, invalid length.
+ */
+static uint8_t ad_date2[] = {
+ 0x00, 0x05, 0x16, 0x07, /* Magic */
+ 0x00, 0x02, 0x00, 0x00, /* Version */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x00, 0x00, 0x00, /* Filler */
+ 0x00, 0x02, /* Count */
+ /* adentry 1: FinderInfo */
+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */
+ 0x00, 0x00, 0x00, 0x32, /* offset */
+ 0x00, 0x00, 0x00, 0x20, /* length */
+ /* adentry 2: Dates */
+ 0x00, 0x00, 0x00, 0x08, /* eid: dates */
+ 0x00, 0x00, 0x00, 0x43, /* off: FinderInfo buf but one byte short */
+ 0x00, 0x00, 0x00, 0x0f, /* len: 15, so off+len don't exceed bufferlen */
+ /* FinderInfo data: 32 bytes */
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00,
+};
+
+static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx,
+ uint8_t *adbuf,
+ size_t adsize,
+ off_t filesize)
+{
+ struct adouble *ad = NULL;
+ bool ok;
+
+ ad = talloc_zero(mem_ctx, struct adouble);
+ ad->ad_data = talloc_zero_size(ad, adsize);
+ assert_non_null(ad);
+
+ memcpy(ad->ad_data, adbuf, adsize);
+
+ ok = ad_unpack(ad, 2, filesize);
+ if (!ok) {
+ return NULL;
+ }
+
+ return ad;
+}
+
+static void parse_abouble_basic(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+ char *p = NULL;
+
+ ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52);
+ assert_non_null(ad);
+
+ p = ad_get_entry(ad, ADEID_FINDERI);
+ assert_non_null(p);
+
+ return;
+}
+
+static void parse_abouble_finderinfo1(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+ char *p = NULL;
+
+ ad = parse_adouble(frame,
+ ad_finderinfo1,
+ sizeof(ad_finderinfo1),
+ 0xffffff52);
+ assert_non_null(ad);
+
+ p = ad_get_entry(ad, ADEID_FINDERI);
+ assert_null(p);
+
+ return;
+}
+
+static void parse_abouble_finderinfo2(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+
+ ad = parse_adouble(frame,
+ ad_finderinfo2,
+ sizeof(ad_finderinfo2),
+ 0xffffff52);
+ assert_null(ad);
+
+ return;
+}
+
+static void parse_abouble_finderinfo3(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+
+ ad = parse_adouble(frame,
+ ad_finderinfo3,
+ sizeof(ad_finderinfo3),
+ 0xffffff52);
+ assert_null(ad);
+
+ return;
+}
+
+static void parse_abouble_name(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+
+ ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52);
+ assert_null(ad);
+
+ return;
+}
+
+static void parse_abouble_date1(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+ char *p = NULL;
+
+ ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52);
+ assert_non_null(ad);
+
+ p = ad_get_entry(ad, ADEID_FILEDATESI);
+ assert_null(p);
+
+ return;
+}
+
+static void parse_abouble_date2(void **state)
+{
+ TALLOC_CTX *frame = *state;
+ struct adouble *ad = NULL;
+
+ ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52);
+ assert_null(ad);
+
+ return;
+}
+
+int main(int argc, char *argv[])
+{
+ int rc;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(parse_abouble_basic),
+ cmocka_unit_test(parse_abouble_finderinfo1),
+ cmocka_unit_test(parse_abouble_finderinfo2),
+ cmocka_unit_test(parse_abouble_finderinfo3),
+ cmocka_unit_test(parse_abouble_name),
+ cmocka_unit_test(parse_abouble_date1),
+ cmocka_unit_test(parse_abouble_date2),
+ };
+
+ if (argc == 2) {
+ cmocka_set_test_filter(argv[1]);
+ }
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+
+ rc = cmocka_run_group_tests(tests,
+ setup_talloc_context,
+ teardown_talloc_context);
+
+ return rc;
+}
diff --git a/source3/wscript_build b/source3/wscript_build
index a143477a5064..95e589cfc734 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1088,6 +1088,11 @@ bld.SAMBA3_SUBSYSTEM('ADOUBLE',
source='lib/adouble.c',
deps='STRING_REPLACE')
+bld.SAMBA3_BINARY('test_adouble',
+ source='lib/test_adouble.c',
+ deps='smbd_base STRING_REPLACE cmocka',
+ for_selftest=True)
+
bld.SAMBA3_SUBSYSTEM('STRING_REPLACE',
source='lib/string_replace.c')
--
2.34.1
From 793ca8c474a74f82745a266f4a4bf9e20443ad53 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 13 Jan 2022 17:03:02 +0100
Subject: [PATCH 5/5] CVE-2021-44142: libadouble: harden parsing code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
Signed-off-by: Ralph Boehme <slow@samba.org>
---
selftest/knownfail.d/samba.unittests.adouble | 3 -
source3/lib/adouble.c | 115 ++++++++++++++++---
2 files changed, 101 insertions(+), 17 deletions(-)
delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
deleted file mode 100644
index 8b0314f2faec..000000000000
--- a/selftest/knownfail.d/samba.unittests.adouble
+++ /dev/null
@@ -1,3 +0,0 @@
-^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
-^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
-^samba.unittests.adouble.parse_abouble_date2\(none\)
diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
index 7875dd6f0df8..48cc0007c23c 100644
--- a/source3/lib/adouble.c
+++ b/source3/lib/adouble.c
@@ -269,6 +269,95 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
return ad->ad_eid[eid].ade_off = off;
}
+/*
+ * All entries besides FinderInfo and resource fork must fit into the
+ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
+ * if it contains marshalled xattrs, which we will fixup that in
+ * ad_convert(). The first 32 bytes however must also be part of the buffer.
+ *
+ * The resource fork is never accessed directly by the ad_data buf.
+ */
+static bool ad_entry_check_size(uint32_t eid,
+ size_t bufsize,
+ uint32_t off,
+ uint32_t got_len)
+{
+ struct {
+ off_t expected_len;
+ bool fixed_size;
+ bool minimum_size;
+ } ad_checks[] = {
+ [ADEID_DFORK] = {-1, false, false}, /* not applicable */
+ [ADEID_RFORK] = {-1, false, false}, /* no limit */
+ [ADEID_NAME] = {ADEDLEN_NAME, false, false},
+ [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
+ [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
+ [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
+ [ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
+ [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
+ [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
+ [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
+ [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
+ [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
+ [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
+ [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
+ [ADEID_DID] = {ADEDLEN_DID, true, false},
+ [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
+ [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
+ [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
+ [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
+ };
+
+ if (eid >= ADEID_MAX) {
+ return false;
+ }
+ if (got_len == 0) {
+ /* Entry present, but empty, allow */
+ return true;
+ }
+ if (ad_checks[eid].expected_len == 0) {
+ /*
+ * Shouldn't happen: implicitly initialized to zero because
+ * explicit initializer missing.
+ */
+ return false;
+ }
+ if (ad_checks[eid].expected_len == -1) {
+ /* Unused or no limit */
+ return true;
+ }
+ if (ad_checks[eid].fixed_size) {
+ if (ad_checks[eid].expected_len != got_len) {
+ /* Wrong size fo fixed size entry. */
+ return false;
+ }
+ } else {
+ if (ad_checks[eid].minimum_size) {
+ if (got_len < ad_checks[eid].expected_len) {
+ /*
+ * Too small for variable sized entry with
+ * minimum size.
+ */
+ return false;
+ }
+ } else {
+ if (got_len > ad_checks[eid].expected_len) {
+ /* Too big for variable sized entry. */
+ return false;
+ }
+ }
+ }
+ if (off + got_len < off) {
+ /* wrap around */
+ return false;
+ }
+ if (off + got_len > bufsize) {
+ /* overflow */
+ return false;
+ }
+ return true;
+}
+
/**
* Return a pointer to an AppleDouble entry
*
@@ -276,8 +365,15 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
**/
char *ad_get_entry(const struct adouble *ad, int eid)
{
+ size_t bufsize = talloc_get_size(ad->ad_data);
off_t off = ad_getentryoff(ad, eid);
size_t len = ad_getentrylen(ad, eid);
+ bool valid;
+
+ valid = ad_entry_check_size(eid, bufsize, off, len);
+ if (!valid) {
+ return NULL;
+ }
if (off == 0 || len == 0) {
return NULL;
@@ -914,20 +1010,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
return false;
}
- /*
- * All entries besides FinderInfo and resource fork
- * must fit into the buffer. FinderInfo is special as
- * it may be larger then the default 32 bytes (if it
- * contains marshalled xattrs), but we will fixup that
- * in ad_convert(). And the resource fork is never
- * accessed directly by the ad_data buf (also see
- * comment above) anyway.
- */
- if ((eid != ADEID_RFORK) &&
- (eid != ADEID_FINDERI) &&
- ((off + len) > bufsize)) {
- DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
- eid, off, len));
+ ok = ad_entry_check_size(eid, bufsize, off, len);
+ if (!ok) {
+ DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
+ "off [%"PRIu32"] len [%"PRIu32"]\n",
+ eid, bufsize, off, len);
return false;
}
--
2.34.1


@ -0,0 +1,231 @@
From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:06:30 +0100
Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
---
source3/winbindd/idmap_autorid.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index ad53b5810ee..c7d56a37684 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
config->maxranges = (dom->high_id - dom->low_id + 1) /
config->rangesize;
- if (config->maxranges == 0) {
- DEBUG(1, ("Allowed uid range is smaller than rangesize. "
- "Increase uid range or decrease rangesize.\n"));
+ if (config->maxranges < 2) {
+ DBG_WARNING("Allowed idmap range is not a least double the "
+ "size of the rangesize. Please increase idmap "
+ "range.\n");
status = NT_STATUS_INVALID_PARAMETER;
goto error;
}
--
2.35.1
From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:07:50 +0100
Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
---
source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 98bcc219b1e..58ba46bc15f 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
return false; /* Keep scanning */
}
+static int idmap_config_int(const char *domname, const char *option, int def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return def;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_int(-1, config_option, option, def);
+ }
+}
+
static bool do_idmap_check(void)
{
struct idmap_domains *d;
@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
rc);
}
+ /* Check autorid backend */
+ if (strequal(lp_idmap_default_backend(), "autorid")) {
+ struct idmap_config *c = NULL;
+ bool found = false;
+
+ for (i = 0; i < d->count; i++) {
+ c = &d->c[i];
+
+ if (strequal(c->backend, "autorid")) {
+ found = true;
+ break;
+ }
+ }
+
+ if (found) {
+ uint32_t rangesize =
+ idmap_config_int("*", "rangesize", 100000);
+ uint32_t maxranges =
+ (c->high - c->low + 1) / rangesize;
+
+ if (maxranges < 2) {
+ fprintf(stderr,
+ "ERROR: The idmap autorid range "
+ "[%u-%u] needs to be at least twice as "
+ "big as the rangesize [%u]!"
+ "\n\n",
+ c->low,
+ c->high,
+ rangesize);
+ ok = false;
+ goto done;
+ }
+ }
+ }
+
+ /* Check for overlapping idmap ranges */
for (i = 0; i < d->count; i++) {
struct idmap_config *c = &d->c[i];
uint32_t j;
--
2.35.1
From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:05:19 +0100
Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
What we want to avoid:
$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
If only one range is configured we are not able to map users/groups from both
our primary domain *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
---
docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
index 6c4da1cad8a..980718f0bd4 100644
--- a/docs-xml/manpages/idmap_autorid.8.xml
+++ b/docs-xml/manpages/idmap_autorid.8.xml
@@ -48,7 +48,13 @@
and the corresponding map is discarded. It is
intended as a way to avoid accidental UID/GID
overlaps between local and remotely defined
- IDs.
+ IDs. Note that the range should be a multiple
+ of the rangesize and needs to be at least twice
+ as large in order to have sufficient id range
+ space for the mandatory BUILTIN domain.
+ With a default rangesize of 100000 the range
+ needs to span at least 200000.
+ This would be: range = 100000 - 299999.
</para></listitem>
</varlistentry>
--
2.35.1


@ -0,0 +1,477 @@
From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 16:53:02 +0100
Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
testprogs/blackbox/test_net_ads.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 76b394b10a9..cfafb945b62 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -51,6 +51,12 @@ fi
testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
+testit "local krb5.conf created" \
+ test -r \
+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
+ failed=$((failed + 1))
+
testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
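Review bot: The `awk '/workgroup =/ { print $NR }'` on the added `workgroup=` line prints field number NR, i.e. the field whose index equals the current line number, so it only yields the workgroup value while `workgroup =` happens to sit on the third line of client.conf; any reordering of the generated config makes the test look for a krb5.conf with an empty or wrong suffix and fail for the wrong reason. Print the last field instead: `workgroup=$(awk '/workgroup =/ { print $NF }' "${BASEDIR}/${WORKDIR}/client.conf")`. The `netbios=` context line below already extracts its value from the same file in a position-independent way.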
--
2.35.1
From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:03:40 +0100
Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 75beeef4a44..60fe03fd5d7 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
kerberos utility library
Copyright (C) Andrew Tridgell 2001
@@ -37,11 +37,11 @@
#define LIBADS_CCACHE_NAME "MEMORY:libads"
/*
- we use a prompter to avoid a crash bug in the kerberos libs when
+ we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy ...
*/
-static krb5_error_code
+static krb5_error_code
kerb_prompter(krb5_context ctx, void *data,
const char *name,
const char *banner,
@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
}
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
kerb_prompter, discard_const_p(char, password),
0, NULL, opt))) {
goto out;
@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
}
if ((code = krb5_cc_destroy (ctx, cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
error_message(code)));
}
@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
int time_offset,
const char *cache_name)
{
- return kerberos_kinit_password_ext(principal,
- password,
- time_offset,
- 0,
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
0,
cache_name,
False,
--
2.35.1
From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:04:34 +0100
Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()
This avoids useless allocations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 60fe03fd5d7..1bf149ef09b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
bool ok;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
- print_canonical_sockaddr_with_port(mem_ctx, pss));
+ char *kdc_str = NULL;
+ SMB_ASSERT(pss != NULL);
+
+ kdc_str = talloc_asprintf(mem_ctx,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(mem_ctx,
+ pss));
if (kdc_str == NULL) {
TALLOC_FREE(frame);
return NULL;
@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
}
}
- dc_addrs2 = talloc_zero_array(talloc_tos(),
- struct tsocket_address *,
- num_dcs);
-
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
TALLOC_FREE(kdc_str);
goto out;
}
+
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
+ struct tsocket_address *,
+ num_dcs);
if (dc_addrs2 == NULL) {
TALLOC_FREE(kdc_str);
goto out;
--
2.35.1
From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:10:47 +0100
Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1bf149ef09b..6a46d72a156 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
result = kdc_str;
out:
- DBG_DEBUG("Returning\n%s\n", kdc_str);
+ if (result != NULL) {
+ DBG_DEBUG("Returning\n%s\n", kdc_str);
+ } else {
+ DBG_NOTICE("Failed to get KDC ip address\n");
+ }
TALLOC_FREE(ip_sa_site);
TALLOC_FREE(ip_sa_nonsite);
--
2.35.1
From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:48:23 +0100
Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 6a46d72a156..d1c410ffa4b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
}
/* Append to the string - inefficient but not done often. */
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
- kdc_str,
- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
- TALLOC_FREE(kdc_str);
+ new_kdc_str = talloc_asprintf_append(
+ kdc_str,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(
+ mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto out;
}
--
2.35.1
From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:56:58 +0100
Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d1c410ffa4b..aadc65a3edc 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
SMB_ASSERT(pss != NULL);
- kdc_str = talloc_asprintf(mem_ctx,
+ kdc_str = talloc_asprintf(frame,
"\t\tkdc = %s\n",
print_canonical_sockaddr_with_port(mem_ctx,
pss));
@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
*/
if (sitename) {
- status = get_kdc_list(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
sitename,
&ip_sa_site,
@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
/* Get all KDC's. */
- status = get_kdc_list(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
NULL,
&ip_sa_nonsite,
@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
kdc_str = new_kdc_str;
}
- result = kdc_str;
+ result = talloc_move(mem_ctx, &kdc_str);
out:
if (result != NULL) {
DBG_DEBUG("Returning\n%s\n", kdc_str);
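Review bot: After `result = talloc_move(mem_ctx, &kdc_str);` the `DBG_DEBUG("Returning\n%s\n", kdc_str);` under `out:` (context line in this hunk) prints the moved-from pointer: talloc_move() NULLs its source pointer, so the success path now logs `(null)` (strictly, undefined behaviour for a NULL `%s`) instead of the generated kdc list. Log the result instead: `DBG_DEBUG("Returning\n%s\n", result);`. The early-exit path added later in this series (`num_dcs == 0`) goes through the same line. get_kdc_ip_string() starts and ends outside this hunk.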
@@ -597,8 +597,6 @@ out:
DBG_NOTICE("Failed to get KDC ip address\n");
}
- TALLOC_FREE(ip_sa_site);
- TALLOC_FREE(ip_sa_nonsite);
TALLOC_FREE(frame);
return result;
}
--
2.35.1
From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:57:18 +0100
Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str
This is allocated on the stackframe now!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index aadc65a3edc..2087dc1e6f9 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
print_canonical_sockaddr_with_port(mem_ctx,
pss));
if (kdc_str == NULL) {
- TALLOC_FREE(frame);
- return NULL;
+ goto out;
}
ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
if (!ok) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("get_kdc_list fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site %s search\n",
@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("get_kdc_list (site-less) fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (count_site + count_nonsite < count_site) {
/* Wrap check. */
DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
count_site + count_nonsite);
if (dc_addrs == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct tsocket_address *,
num_dcs);
if (dc_addrs2 == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
status = map_nt_error_from_unix(errno);
DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
addr, nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
}
@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
"%s\n", nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
--
2.35.1
From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 13:02:05 +0100
Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
NULL in get_kdc_ip_string()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 2087dc1e6f9..20dceeefb22 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
NTSTATUS status;
bool ok;
char *kdc_str = NULL;
+ char *canon_sockaddr = NULL;
SMB_ASSERT(pss != NULL);
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
+
kdc_str = talloc_asprintf(frame,
"\t\tkdc = %s\n",
- print_canonical_sockaddr_with_port(mem_ctx,
- pss));
+ canon_sockaddr);
if (kdc_str == NULL) {
goto out;
}
--
2.35.1
From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 13:10:06 +0100
Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf
We create a KDC ip string entry directly at the beginning; use it if we
don't have any additional DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 20dceeefb22..3fd86e87064 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
+ /*
+ * We do not have additional KDCs, but we have the one passed
+ * in via `pss`. So just use that one and leave.
+ */
+ result = talloc_move(mem_ctx, &kdc_str);
goto out;
}
--
2.35.1


@ -0,0 +1,411 @@
From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 12:59:44 +0100
Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
path
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
---
source3/libads/authdata.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..c048510d480 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (cache_name) {
@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
}
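Review bot: The `ZERO_STRUCT(sesskey1);` context line at the top of this hunk is now redundant: with the `DATA_BLOB ... = data_blob_null` initializers introduced in the previous hunk every blob already starts out empty, so the explicit zeroing (and presumably its siblings for `tkt`, `tkt_wrapped` and `ap_rep` just above the hunk) only restates the initializer and makes a reader wonder whether something between the declaration and this point could have touched the blobs. Drop the `ZERO_STRUCT` lines so the initializer is the single source of the blobs' initial state. kerberos_return_pac() continues beyond the hunk; the `out:` label the new `goto`s target is outside the view, so I assume it frees `tmp_ctx` as the subject line implies.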
ret = ads_krb5_cli_get_ticket(mem_ctx,
--
2.35.1
From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:00:05 +0100
Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
---
lib/krb5_wrap/krb5_samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..42d4b950f80 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
--
2.35.1
From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 14:28:28 +0100
Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
debug macro
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
---
lib/krb5_wrap/krb5_samba.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 42d4b950f80..76c2dcd2126 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
--
2.35.1
From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:08:56 +0100
Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
kerberos_return_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
---
source3/libads/authdata.c | 22 +++++++++++++++++++++-
source3/libads/kerberos_proto.h | 2 ++
source3/utils/net_ads.c | 2 ++
source3/winbindd/winbindd_pam.c | 2 ++
4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index c048510d480..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
goto out;
}
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
+ }
+
if (cache_name) {
cc = cache_name;
}
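Review bot: The `*_canon_principal = NULL` / `*_canon_realm = NULL` initialisation is placed after the `goto out;` context at the top of this hunk, which from patch 1/6 appears to be the `if (!name || !pass)` guard, so a caller that passes uninitialised out-pointers and hits that error path gets them back untouched while every other failure path leaves them NULL. Move the two `if (_canon_... != NULL) { *_canon_... = NULL; }` blocks to the top of the function, ahead of that guard, so the out-parameters have a defined value on every return. Both callers added in this patch initialise their locals to NULL, so this is defensive, but the function's contract should not depend on it.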
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8f993f9ba4c..c41fb0afe9c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
2592000, /* one month */
impersonate_princ_s,
local_service,
+ NULL,
+ NULL,
pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7606bfb4ecd..025a5cbc111 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
+ NULL,
+ NULL,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
--
2.35.1
From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:19:02 +0100
Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
entry
They will be used later to refresh the tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
---
source3/winbindd/winbindd.h | 2 ++
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
source3/winbindd/winbindd_pam.c | 14 ++++++++++----
source3/winbindd/winbindd_proto.h | 4 +++-
4 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index a6b2238cec1..dac4a1fa927 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
const char *service;
const char *username;
const char *realm;
+ const char *canon_principal;
+ const char *canon_realm;
struct WINBINDD_MEMORY_CREDS *cred_ptr;
int ref_count;
uid_t uid;
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c3077e21989..88847b1ab97 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request)
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
struct timeval t;
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
+ if (canon_principal != NULL) {
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
+ if (entry->canon_principal == NULL) {
+ goto no_mem;
+ }
+ }
+ if (canon_realm != NULL) {
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
+ if (entry->canon_realm == NULL) {
+ goto no_mem;
+ }
+ }
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 025a5cbc111..a24cef78440 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
const char *local_service;
uint32_t i;
struct netr_SamInfo6 *info6_copy = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
bool ok;
*info6 = NULL;
@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
- NULL,
- NULL,
+ &canon_principal,
+ &canon_realm,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time(NULL),
ticket_lifetime,
renewal_until,
- false);
+ false,
+ canon_principal,
+ canon_realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
time(NULL),
time(NULL) + lp_winbind_cache_time(),
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- true);
+ true,
+ principal_s,
+ realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c0d653a6d77..16c23f3de40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request);
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm);
NTSTATUS remove_ccache(const char *username);
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
NTSTATUS winbindd_add_memory_creds(const char *username,
--
2.35.1
From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 14:28:44 +0100
Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
credentials
The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
---
source3/winbindd/winbindd_cred_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 88847b1ab97..6c65db6a73f 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -209,7 +209,7 @@ rekinit:
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
- entry->principal_name,
+ entry->canon_principal,
entry->service,
&new_start);
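Review bot: `entry->canon_principal` can be NULL, because add_ccache_to_list() in patch 5/6 only fills it when a canonical name was supplied, so any ccache entry added without one now renews with a NULL client name where it previously used `entry->principal_name`; smb_krb5_renew_ticket() at least logs that string with `%s` (patch 2/6), and whatever else it does with a NULL client is not visible here. Fall back to the stored principal: `entry->canon_principal != NULL ? entry->canon_principal : entry->principal_name,` in place of the new argument. The rekinit loop around this call starts and ends outside the hunk.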
#if defined(DEBUG_KRB5_TKT_RENEWAL)
--
2.35.1


@ -1,51 +0,0 @@
From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 12 Nov 2021 19:06:01 +0200
Subject: [PATCH] IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:
- schannel gensec module needs to be aware of IPA DC
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
---
auth/gensec/schannel.c | 1 +
source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 0cdae141ead..6ebbe8f3179 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
+ case ROLE_IPA_DC:
return NT_STATUS_OK;
default:
return NT_STATUS_NOT_IMPLEMENTED;
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index d6d606ddeca..36774be3e32 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
switch (lp_server_role()) {
case ROLE_DOMAIN_PDC:
case ROLE_DOMAIN_BDC:
+ case ROLE_IPA_DC:
name = get_global_sam_name();
sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
if (!sid) {
--
2.33.1



@ -1,39 +0,0 @@
From 0ef9fe22f56ef3ff202f88426c3ee48c15e4a71e Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 26 Nov 2021 11:59:45 +0100
Subject: [PATCH] smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184
(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)
---
source3/libsmb/dsgetdcname.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index f8ae96109b71..5954e48d747b 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
+ if (dcs[i].num_ips == 0) {
+ continue;
+ }
+
dclist[ret_count].hostname =
talloc_move(dclist, &dcs[i].hostname);
--
2.33.1


@ -1,227 +0,0 @@
From 0e179b5f06988c576a1fff505c06920d51fe8ed4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 12 Nov 2021 15:27:58 +0100
Subject: [PATCH 1/3] CVE-2020-25727: idmap_nss: verify that the name of the
sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
too feels better and make it easier to understand.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)
---
source3/winbindd/idmap_nss.c | 26 +++++++++++++++++++++-----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index da50e2b4aa7..2729a0de3f3 100644
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
for (i = 0; ids[i]; i++) {
struct group *gr;
enum lsa_SidType type;
- const char *p = NULL;
+ const char *_domain = NULL;
+ const char *_name = NULL;
+ char *domain = NULL;
char *name = NULL;
bool ret;
/* by default calls to winbindd are disabled
the following call will not recurse so this is safe */
(void)winbind_on();
- ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
- &p, &type);
+ ret = winbind_lookup_sid(talloc_tos(),
+ ids[i]->sid,
+ &_domain,
+ &_name,
+ &type);
(void)winbind_off();
- name = discard_const_p(char, p);
-
if (!ret) {
/* TODO: how do we know if the name is really not mapped,
* or something just failed ? */
@@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
continue;
}
+ domain = discard_const_p(char, _domain);
+ name = discard_const_p(char, _name);
+
+ if (!strequal(domain, dom->name)) {
+ struct dom_sid_buf buf;
+ DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
+ dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
+ sid_type_lookup(type), domain, name);
+ ids[i]->status = ID_UNMAPPED;
+ continue;
+ }
+
switch (type) {
case SID_NAME_USER: {
struct passwd *pw;
@@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
ids[i]->status = ID_UNKNOWN;
break;
}
+ TALLOC_FREE(domain);
TALLOC_FREE(name);
}
return NT_STATUS_OK;
--
2.34.1
From 704ae4b8308e9ae6c50e3548f98de65e97ab6aa6 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 12 Nov 2021 20:53:30 +1300
Subject: [PATCH 2/3] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent
uid' to make room for new accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
---
nsswitch/nsstest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
index e2ee9fbf3af..45270cdc459 100644
--- a/nsswitch/nsstest.c
+++ b/nsswitch/nsstest.c
@@ -466,7 +466,7 @@ static void nss_test_errors(void)
printf("ERROR Non existent user gave error %d\n", last_error);
}
- pwd = getpwuid(0xFFF0);
+ pwd = getpwuid(0xFF00);
if (pwd || last_error != NSS_STATUS_NOTFOUND) {
total_errors++;
printf("ERROR Non existent uid gave error %d\n", last_error);
--
2.34.1
From 844723aa82cec67fd863fc327bde9fb04eab438d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 12 Nov 2021 16:10:31 +1300
Subject: [PATCH 3/3] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
mapping if the named based lookup fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before the CVE-2020-25717 fixes we had a fallback from
getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
unpredictable.
Now we do the fallback based on sid_to_uid() followed by
getpwuid() on the returned uid.
This obsoletes 'username map [script]' based workaround adviced
for CVE-2020-25717, when nss_winbindd is not used or
idmap_nss is actually used.
In future we may decide to prefer or only do the SID/UID based
lookup, but for now we want to keep this unchanged as much as possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[metze@samba.org moved the new logic into the fallback codepath only
in order to avoid behavior changes as much as possible]
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)
---
source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 065b525500f..7a97dd45f11 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1862,7 +1862,9 @@ const struct auth_session_info *get_session_info_system(void)
***************************************************************************/
static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
- const char *username, char **found_username,
+ const char *username,
+ const struct dom_sid *sid,
+ char **found_username,
struct passwd **pwd,
bool *username_was_mapped)
{
@@ -1897,6 +1899,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
}
passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
+ if (!passwd && !*username_was_mapped) {
+ struct dom_sid_buf buf;
+ uid_t uid;
+ bool ok;
+
+ DBG_DEBUG("Failed to find authenticated user %s via "
+ "getpwnam(), fallback to sid_to_uid(%s).\n",
+ dom_user, dom_sid_str_buf(sid, &buf));
+
+ ok = sid_to_uid(sid, &uid);
+ if (!ok) {
+ DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
+ dom_sid_str_buf(sid, &buf), dom_user);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ passwd = getpwuid_alloc(mem_ctx, uid);
+ if (!passwd) {
+ DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
+ (long long)uid,
+ dom_sid_str_buf(sid, &buf),
+ dom_user);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ real_username = talloc_strdup(mem_ctx, passwd->pw_name);
+ }
if (!passwd) {
DEBUG(3, ("Failed to find authenticated user %s via "
"getpwnam(), denying access.\n", dom_user));
@@ -2042,6 +2069,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
bool username_was_mapped;
struct passwd *pwd;
struct auth_serversupplied_info *result;
+ struct dom_sid sid;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
/*
@@ -2088,9 +2116,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
/* this call will try to create the user if necessary */
+ sid_copy(&sid, info3->base.domain_sid);
+ sid_append_rid(&sid, info3->base.rid);
+
nt_status = check_account(tmp_ctx,
nt_domain,
nt_username,
+ &sid,
&found_username,
&pwd,
&username_was_mapped);
--
2.34.1


@ -1,41 +0,0 @@
From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Nov 2021 20:50:20 +0100
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).
We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
source3/winbindd/winbindd_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 42ddbfd2f44..9d54e462c42 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
- if (!is_allowed_domain(domain_name)) {
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
--
2.33.1


@ -1,298 +0,0 @@
From 97829843013e2f0d81b6ed61d155a04217e40205 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 1 Sep 2021 15:39:19 +1200
Subject: [PATCH 1/6] krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
---
librpc/idl/krb5pac.idl | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index fb360c1257f..3239d7656b6 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -112,7 +112,8 @@ interface krb5pac
PAC_TYPE_KDC_CHECKSUM = 7,
PAC_TYPE_LOGON_NAME = 10,
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
- PAC_TYPE_UPN_DNS_INFO = 12
+ PAC_TYPE_UPN_DNS_INFO = 12,
+ PAC_TYPE_TICKET_CHECKSUM = 16
} PAC_TYPE;
typedef struct {
@@ -128,6 +129,7 @@ interface krb5pac
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
2.33.1
From 99cc0e06e5fe2776371b808432af39de00f76cdf Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 1 Sep 2021 15:40:59 +1200
Subject: [PATCH 2/6] security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
---
librpc/idl/security.idl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 06bf7449a70..3df96dedbdd 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -295,6 +295,9 @@ interface security
const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+
/*
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
*/
--
2.33.1
From 693bcdb2f9b64af390d619c9b39293c581900151 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 29 Sep 2021 16:15:26 +1300
Subject: [PATCH 3/6] krb5pac.idl: Add missing buffer type values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
---
librpc/idl/krb5pac.idl | 3 +++
1 file changed, 3 insertions(+)
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 3239d7656b6..515150ab9cd 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -113,6 +113,9 @@ interface krb5pac
PAC_TYPE_LOGON_NAME = 10,
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
PAC_TYPE_UPN_DNS_INFO = 12,
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ PAC_TYPE_DEVICE_INFO = 14,
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
PAC_TYPE_TICKET_CHECKSUM = 16
} PAC_TYPE;
--
2.33.1
From 97323751c1b6b97e72eb80b8b99485d94696b30b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 26 Oct 2021 20:33:38 +1300
Subject: [PATCH 4/6] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
librpc/idl/krb5pac.idl | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 515150ab9cd..7a8d16464eb 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -97,6 +97,16 @@ interface krb5pac
PAC_UPN_DNS_FLAGS flags;
} PAC_UPN_DNS_INFO;
+ typedef [bitmap32bit] bitmap {
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
+ } PAC_ATTRIBUTE_INFO_FLAGS;
+
+ typedef struct {
+ uint32 flags_length; /* length in bits */
+ PAC_ATTRIBUTE_INFO_FLAGS flags;
+ } PAC_ATTRIBUTES_INFO;
+
typedef [public] struct {
PAC_LOGON_INFO *info;
} PAC_LOGON_INFO_CTR;
@@ -116,7 +126,8 @@ interface krb5pac
PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
PAC_TYPE_DEVICE_INFO = 14,
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
- PAC_TYPE_TICKET_CHECKSUM = 16
+ PAC_TYPE_TICKET_CHECKSUM = 16,
+ PAC_TYPE_ATTRIBUTES_INFO = 17
} PAC_TYPE;
typedef struct {
@@ -133,6 +144,7 @@ interface krb5pac
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
2.33.1
From 9867beabf3b0be026d900e26ac91af655fb50cfe Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 26 Oct 2021 20:33:49 +1300
Subject: [PATCH 5/6] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
librpc/idl/krb5pac.idl | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 7a8d16464eb..52fb40c4bbb 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -107,6 +107,10 @@ interface krb5pac
PAC_ATTRIBUTE_INFO_FLAGS flags;
} PAC_ATTRIBUTES_INFO;
+ typedef struct {
+ dom_sid sid;
+ } PAC_REQUESTER_SID;
+
typedef [public] struct {
PAC_LOGON_INFO *info;
} PAC_LOGON_INFO_CTR;
@@ -127,7 +131,8 @@ interface krb5pac
PAC_TYPE_DEVICE_INFO = 14,
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
PAC_TYPE_TICKET_CHECKSUM = 16,
- PAC_TYPE_ATTRIBUTES_INFO = 17
+ PAC_TYPE_ATTRIBUTES_INFO = 17,
+ PAC_TYPE_REQUESTER_SID = 18
} PAC_TYPE;
typedef struct {
@@ -145,6 +150,7 @@ interface krb5pac
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
[case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
2.33.1
From fb92457cfd11745be73660eb90519b625f6a5d97 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 27 Sep 2021 11:20:19 +1300
Subject: [PATCH 6/6] CVE-2020-25721 krb5pac: Add new buffers for
samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
librpc/idl/krb5pac.idl | 18 ++++++++++++++++--
librpc/ndr/ndr_krb5pac.c | 4 ++--
2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 52fb40c4bbb..bbe4a253e3a 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -86,15 +86,29 @@ interface krb5pac
} PAC_CONSTRAINED_DELEGATION;
typedef [bitmap32bit] bitmap {
- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
} PAC_UPN_DNS_FLAGS;
+ typedef struct {
+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
+
+ typedef [nodiscriminant] union {
+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
+ [default];
+ } PAC_UPN_DNS_INFO_EX;
+
typedef struct {
[value(2*strlen_m(upn_name))] uint16 upn_name_size;
[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
PAC_UPN_DNS_FLAGS flags;
+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
} PAC_UPN_DNS_INFO;
typedef [bitmap32bit] bitmap {
@@ -160,7 +174,7 @@ interface krb5pac
typedef [public,nopush,nopull] struct {
PAC_TYPE type;
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
/*
* We need to have two subcontexts to get the padding right,
* the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
index a9ae2c4a789..57b28df9e52 100644
--- a/librpc/ndr/ndr_krb5pac.c
+++ b/librpc/ndr/ndr_krb5pac.c
@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
if (ndr_flags & NDR_SCALARS) {
NDR_CHECK(ndr_push_align(ndr, 4));
NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
{
uint32_t _flags_save_PAC_INFO = ndr->flags;
ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
{
struct ndr_push *_ndr_info_pad;
struct ndr_push *_ndr_info;
- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
+ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
--
2.33.1


@ -1,49 +0,0 @@
From 4b192aaf503ea7f5eba27b6e43edcfe54ac6c5a6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 26 May 2021 15:04:08 +0200
Subject: [PATCH] s3:modules: Reduce debug level if file doesn't exists on dfs
share
There is software out there trying to open desktop.ini in every
directory. Avoid spamming the logs with error messages.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun 18 18:14:11 UTC 2021 on sn-devel-184
(cherry picked from commit 4079efae76718a84a4cf24b6613cdc53cdb2dd39)
---
source3/modules/vfs_default.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 8d592bbad64..ea036b24ddf 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -476,10 +476,17 @@ static NTSTATUS vfswrap_read_dfs_pathat(struct vfs_handle_struct *handle,
status = NT_STATUS_OBJECT_TYPE_MISMATCH;
} else {
status = map_nt_error_from_unix(errno);
- DBG_ERR("Error reading "
- "msdfs link %s: %s\n",
- smb_fname->base_name,
- strerror(errno));
+ if (errno == ENOENT) {
+ DBG_NOTICE("Error reading "
+ "msdfs link %s: %s\n",
+ smb_fname->base_name,
+ strerror(errno));
+ } else {
+ DBG_ERR("Error reading "
+ "msdfs link %s: %s\n",
+ smb_fname->base_name,
+ strerror(errno));
+ }
}
goto err;
}
--
2.31.1


@ -1,295 +0,0 @@
From 505e48439364c4027aa11aeda467bbd2060b89f4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 21 Oct 2021 15:06:20 -0700
Subject: [PATCH] s3: smbd: Add two tests showing recursive directory delete of
a directory containing veto file and msdfs links over SMB2.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0082d79a681b981154747dcde5713e1933b88f)
(cherry picked from commit dab3fa1d8c27e696afa15e071331f646e06d9706)
---
selftest/target/Samba3.pm | 16 ++
source3/script/tests/test_veto_rmdir.sh | 217 ++++++++++++++++++++++++
source3/selftest/tests.py | 3 +
3 files changed, 236 insertions(+)
create mode 100755 source3/script/tests/test_veto_rmdir.sh
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 14a1f1223b1..bbff9d74817 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1460,6 +1460,9 @@ sub setup_fileserver
my $bad_iconv_sharedir="$share_dir/bad_iconv";
push(@dirs, $bad_iconv_sharedir);
+ my $veto_sharedir="$share_dir/veto";
+ push(@dirs,$veto_sharedir);
+
my $ip4 = Samba::get_ipv4_addr("FILESERVER");
my $fileserver_options = "
kernel change notify = yes
@@ -1568,6 +1571,19 @@ sub setup_fileserver
comment = smb username is [%U]
vfs objects =
+[veto_files_nodelete]
+ path = $veto_sharedir
+ read only = no
+ msdfs root = yes
+ veto files = /veto_name*/
+ delete veto files = no
+
+[veto_files_delete]
+ path = $veto_sharedir
+ msdfs root = yes
+ veto files = /veto_name*/
+ delete veto files = yes
+
[homes]
comment = Home directories
browseable = No
diff --git a/source3/script/tests/test_veto_rmdir.sh b/source3/script/tests/test_veto_rmdir.sh
new file mode 100755
index 00000000000..d3df8f1bba0
--- /dev/null
+++ b/source3/script/tests/test_veto_rmdir.sh
@@ -0,0 +1,217 @@
+#!/bin/sh
+#
+# Check smbclient can (or cannot) delete a directory containing veto files.
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
+#
+
+if [ $# -lt 6 ]; then
+cat <<EOF
+Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SHAREPATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER=${1}
+SERVER_IP=${2}
+USERNAME=${3}
+PASSWORD=${4}
+SHAREPATH=${5}
+SMBCLIENT=${6}
+shift 6
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+ADDARGS="$@"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+failed=0
+
+rmdir_path="$SHAREPATH/dir"
+
+test_veto_nodelete_rmdir()
+{
+ local veto_path="$rmdir_path/veto_name1"
+ local msdfs_link_path="$rmdir_path/dfs_link"
+ local tmpfile=$PREFIX/smbclient.in.$$
+
+ # Create rmdir directory.
+ mkdir -p "$rmdir_path"
+ # Create veto file underneath.
+ touch "$veto_path"
+ # Create msdfs link underneath.
+ ln -s "msdfs:$SERVER_IP\\ro-tmp" "$msdfs_link_path"
+
+ cat > "$tmpfile" <<EOF
+cd dir
+ls
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ if [ $ret != 0 ] ; then
+ echo "Failed accessing share veto_files_nodelete - $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should only see the dfs_link file.
+ echo "$out" | grep dfs_link
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "Failed to see dfs_link in share veto_files_nodelete"
+ echo "$out"
+ return 1
+ fi
+
+ # Now remove the dfs_link file.
+ rm -rf "$msdfs_link_path"
+
+ # Try and remove the directory, should fail with NT_STATUS_DIRECTORY_NOT_EMPTY.
+ cat > "$tmpfile" <<EOF
+rd dir
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ if [ $ret != 0 ] ; then
+ echo "Failed accessing share veto_files_nodelete - $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should get NT_STATUS_DIRECTORY_NOT_EMPTY.
+ echo "$out" | grep NT_STATUS_DIRECTORY_NOT_EMPTY
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "Failed to get error NT_STATUS_DIRECTORY_NOT_EMPTY in share veto_files_nodelete"
+ echo "$out"
+ return 1
+ fi
+
+ # remove the veto file - directory should now be empty.
+ rm -rf "$veto_path"
+
+ # Try and remove the directory, should now succeed.
+ cat > "$tmpfile" <<EOF
+rd dir
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ if [ $ret != 0 ] ; then
+ echo "Failed accessing share veto_files_nodelete - $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should get no NT_STATUS_ errors.
+ echo "$out" | grep NT_STATUS_
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo "Got error NT_STATUS_ in share veto_files_nodelete"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+test_veto_delete_rmdir()
+{
+ local veto_path="$rmdir_path/veto_name1"
+ local msdfs_link_path="$rmdir_path/dfs_link"
+ local tmpfile=$PREFIX/smbclient.in.$$
+
+ # Create rmdir directory.
+ mkdir -p "$rmdir_path"
+ # Create veto file underneath.
+ touch "$veto_path"
+ # Create msdfs link underneath.
+ ln -s "msdfs:$SERVER_IP\\ro-tmp" "$msdfs_link_path"
+
+ cat > "$tmpfile" <<EOF
+cd dir
+ls
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_delete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ if [ $ret != 0 ] ; then
+ echo "Failed accessing share veto_files_delete - $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should only see the dfs_link file.
+ echo "$out" | grep dfs_link
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "Failed to see dfs_link in share veto_files_delete"
+ echo "$out"
+ return 1
+ fi
+
+ # Now remove the dfs_link file.
+ rm -rf "$msdfs_link_path"
+
+ # Try and remove the directory, should now succeed.
+ cat > "$tmpfile" <<EOF
+rd dir
+quit
+EOF
+
+ local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_delete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval "$cmd")
+ ret=$?
+
+ # Check for smbclient error.
+ if [ $ret != 0 ] ; then
+ echo "Failed accessing share veto_files_delete - $ret"
+ echo "$out"
+ return 1
+ fi
+
+ # We should get no NT_STATUS_ errors.
+ echo "$out" | grep NT_STATUS_
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo "Got error NT_STATUS_ in share veto_files_delete"
+ echo "$out"
+ return 1
+ fi
+
+ return 0
+}
+
+testit "rmdir cannot delete directory containing a veto file" \
+ test_veto_nodelete_rmdir || failed=$(expr "$failed" + 1)
+
+rm -rf "$rmdir_path"
+
+testit "rmdir can delete directory containing a veto file" \
+ test_veto_delete_rmdir || failed=$(expr "$failed" + 1)
+
+rm -rf "$rmdir_path"
+
+exit "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 651be239825..82f32ec4232 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -498,6 +498,9 @@ for env in ["fileserver"]:
plantestsuite("samba3.blackbox.smbclient_iconv.CORE", env + "_smb1_done",
[os.path.join(samba3srcdir, "script/tests/test_smbclient_iconv.sh"),
'$SERVER', '$SERVER_IP', 'bad_iconv', '$USERNAME', '$PASSWORD', smbclient3, '-mCORE'])
+ plantestsuite("samba3.blackbox.test_veto_rmdir", env,
+ [os.path.join(samba3srcdir, "script/tests/test_veto_rmdir.sh"),
+ '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/veto', smbclient3])
#
# tar command tests
--
2.33.1


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmC14EsACgkQqplEL7aA
tiDWUA//b0Dj/dJozZY/Q6OI9UjPNL9nvPGqpKF0Sl2sW5jO1KWdcq1OZk+H6eO5
gaX9nuH8Qo/IMxVRIPZVW6lXwsLzSdAOhwPAV02D/feSNfuld078v5yN1My2x6gH
tmfEVXZJjNkObhLDz0Wgq3mxxKvwxSM4+q2SI9p2/Yk32+oT1l/EWT3WZRNa/I1x
MF8nr8p5BktPw7tQoITG/JhkWudfkPpvVA3LJYl+F0rjubMA3C3btvDNquPaNXQ0
Jr0nOt8+OKpsrtBb6ED0su7CWqbHHjc7lTKLepruqnHzllk5/Tcsu6APVRb8qjim
B2ElieWYJKQ7vBchjuSw/3ufqOsJdvckO4znGM1bUFDnCV0DDOXPE/U5QmjcoQqE
kJ36m53WnGCHR3JbL+rSjrB1m0ip8tViNraV+Ch2sXNlNvKYPNNo3cgX62nnDWJz
aLlncx0W1LpZ8mhYVv0AvdoVKBDygzxheye8Fssz3Wz5RDzZ6Vm0AoJwBm+G8v1k
u0MXMyvBv1KLpBLL27PJm2m7r6KIDB0v9PuLK5iF107omkSWfY/lMLQR2UFph8oH
uCwV5PiEy/ecBhBfo3KzUG5yJLBBayYB2vGcXJh4yRpAByppFbpo3csr6UZSEsU8
iImmN97Tg3QVd/FTn9qRiQ15NxzWC0XCE1glY87KqqC5kl5Lk9Y=
=i6jp
-----END PGP SIGNATURE-----


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
=oc6g
-----END PGP SIGNATURE-----


@ -0,0 +1,30 @@
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Tue, 27 Apr 2021 15:46:14 +1000
Subject: [PATCH] utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
---
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
index 000c6bb7208..7f5194eff0a 100755
--- a/ctdb/utils/etcd/ctdb_etcd_lock
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
--
2.31.1
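Review bot: The new shebang `#!/usr/bin/env python3` in ctdb/utils/etcd/ctdb_etcd_lock resolves the interpreter through PATH at run time instead of naming a fixed one, which is the weaker choice for a script installed under a system path and run by a cluster daemon. In an RPM build the line is normally rewritten by the build's shebang mangling (brp-mangle-shebangs in redhat-rpm-config, where enabled), so the packaged file may not match what this patch shows; if that step is disabled for this path, `#!/usr/bin/python3` pins the interpreter explicitly. The move from the unversioned `#!/usr/bin/python` to Python 3 itself is the point of the patch and is fine.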


@ -0,0 +1,764 @@
From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 10 Dec 2021 16:08:04 +0100
Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
---
source3/utils/net_ads.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6ab4a0096b1..8f993f9ba4c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
char *cp;
const char *realm = NULL;
bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
ads->auth.password = smb_xstrdup(c->opt_password);
}
- ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
/*
* If the username is of the form "name@realm",
* extract the realm and convert to upper case.
--
2.33.1
From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Wed, 8 Dec 2021 16:05:17 +0100
Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 60fa2bf80cb..b91e2d15bcf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
.disconnect = ads_sasl_gensec_disconnect
};
-/*
+/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
#endif /* HAVE_KRB5 */
-/*
+/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
- /* the server sent us the first part of the SPNEGO exchange in the negprot
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism)
+ got_kerberos_mechanism)
{
mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
}
/* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
+ if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
goto done;
}
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
+ to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--
2.33.1
From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Thu, 9 Dec 2021 13:43:08 +0100
Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
---
source3/libads/sasl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b91e2d15bcf..992f7022a69 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
"for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
+ "try to fallback to NTLMSSP\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
--
2.33.1
From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 7 Jan 2022 10:31:19 +0100
Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 992f7022a69..ea98aa47ecd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("kinit succeeded but "
- "ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s\n",
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
- ads_errstr(status)));
+ ads_errstr(status));
}
}
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
goto done;
}
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s, "
- "try to fallback to NTLMSSP\n",
- p.service, p.hostname,
- ads->auth.user_name,
- ads->auth.realm,
- ads_errstr(status)));
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
}
#endif
--
2.33.1
From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 11:13:06 +0100
Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
without kerberos)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
---
source3/libads/sasl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ea98aa47ecd..1bcfe0490a8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
" disallowed.\n");
--
2.33.1
From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 15:33:46 +0100
Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
---
.../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
new file mode 100755
index 00000000000..2822ab29d14
--- /dev/null
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 USERNAME PASSWORD
+EOF
+exit 1;
+fi
+
+USERNAME=$1
+PASSWORD=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_testparm="$BINDIR/testparm"
+samba_net="$BINDIR/net"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
--
2.33.1
From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 4 Jan 2022 12:00:20 +0100
Subject: [PATCH 07/10] s4:selftest: plan test suite
samba4.blackbox.test_weak_disable_ntlmssp_ldap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
---
source4/selftest/tests.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1e4b2ae6dd3..3a6a716f061 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
if have_gnutls_fips_mode_support:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
for env in ["ad_dc_fips", "ad_member_fips"]:
plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
--
2.33.1
From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:47:38 +0100
Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
---
source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 948c903f165..e415df347e6 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
- * when set to TRUE.
+ * when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
*
* Thanks to Ralf Haferkamp for input and testing - Guenther */
- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
- ADS_LDAP_MATCHING_RULE_BIT_AND,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
if (filter == NULL) {
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
struct wb_acct_info **info)
{
/*
- * This is a stub function only as we returned the domain
+ * This is a stub function only as we returned the domain
* local groups in enum_dom_groups() if the domain->native field
* was true. This is a simple performance optimization when
* using LDAP.
*
- * if we ever need to enumerate domain local groups separately,
+ * if we ever need to enumerate domain local groups separately,
* then this optimization in enum_dom_groups() will need
* to be split out
*/
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- const char *user_dn,
+ const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "invalid number of results (count=%d)\n",
+ "invalid number of results (count=%d)\n",
dom_sid_str_buf(sid, &buf),
count));
goto done;
}
if (!msg) {
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name,
dom_sid_str_buf(sid, &buf)));
goto done;
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- /* there must always be at least one group in the token,
+ /* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
/* lookup what groups this user is a member of by DN search on
* "member" */
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
"not map any SIDs at all.\n"));
/* Don't handle this as an error here.
- * There is nothing left to do with respect to the
+ * There is nothing left to do with respect to the
* overall result... */
}
else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
NETR_TRUST_FLAG_IN_FOREST;
} else {
flags = NETR_TRUST_FLAG_IN_FOREST;
- }
+ }
result = cm_connect_netlogon(domain, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
- "for PIPE_NETLOGON (%s)\n",
+ "for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
--
2.33.1
From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:44:54 +0100
Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
---
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
#include "../libds/common/flag_mapping.h"
#include "libsmb/samlogon_cache.h"
#include "passdb.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ADS_STATUS status;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
if (auth_realm == NULL) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
--
2.33.1
From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 21 Jan 2022 12:01:33 +0100
Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
---
source3/libnet/libnet_join.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 02705f1c70c..4c67e9af5c4 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
ADS_STATUS status;
ADS_STRUCT *my_ads = NULL;
char *cp;
+ enum credentials_use_kerberos krb5_state;
my_ads = ads_init(dns_domain_name,
netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
--
2.33.1


@ -0,0 +1,36 @@
From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
Date: Mon, 24 Jan 2022 22:14:31 -0500
Subject: [PATCH] printing/bgqd: Disable systemd notifications
samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
---
source3/printing/samba-bgqd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index f21327fc622..59ed0cc40db 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ /* main process will notify systemd */
+ daemon_sd_notifications(false);
+
if (!cmdline_daemon_cfg->fork) {
daemon_status(progname, "Starting process ... ");
} else {
--
2.34.1
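Review bot: The comment on the new `daemon_sd_notifications(false);` call does not say why this process must stay silent, so a reader of samba-bgqd.c alone cannot tell whether the call is safe to drop; the reason is only in the commit message. Suggest carrying it into the code: `/* samba-bgqd is spawned by other Samba daemons that own the systemd notification channel; stay silent so this child never reports readiness on their behalf. */`. Placing it before the `fork` check looks right, as it covers both the foreground and the daemonised path — confirm that nothing earlier in main() already notifies. main() continues outside the hunk.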


@ -0,0 +1,64 @@
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Oct 2021 15:55:37 +0200
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
selftest/wscript | 2 +-
third_party/resolv_wrapper/wscript | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/selftest/wscript b/selftest/wscript
index a6be06c2ae9..85d9338489a 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
if os.environ.get('USE_NAMESPACES') is None:
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
env.OPTIONS += " --use-dns-faking"
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
index a7f18389b0f..7e369bd90b5 100644
--- a/third_party/resolv_wrapper/wscript
+++ b/third_party/resolv_wrapper/wscript
@@ -1,6 +1,7 @@
#!/usr/bin/env python
import os
+from waflib import Logs
VERSION="1.1.7"
@@ -49,6 +50,18 @@ def configure(conf):
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
+ Logs.warn("Detection for resolv_wrapper: "
+ "Only dns faking will be available")
+ else:
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
--
2.33.1
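Review bot: In `configure()` the two `CHECK_FUNCS(..., lib='resolv')` probes in the `else` branch both set `HAVE_RESOLV_CONF_SUPPORT`, so the `__res_nquery` link test still runs after `res_nquery` has already been found; `elif conf.CHECK_FUNCS('__res_nquery', lib='resolv'):` avoids the redundant probe, unless the `HAVE___RES_NQUERY` define it produces is wanted by a later check. The configure-time `Logs.warn` is the only place the libc fallback is reported; the selftest hunk then switches to `--use-dns-faking` silently, so a short comment there saying the option is the degraded mode used when resolv_wrapper cannot intercept libc would help whoever debugs a DNS-related test failure. Both `configure()` and `cmd_testonly()` extend beyond the hunks.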


@ -0,0 +1,100 @@
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 17 Nov 2021 09:56:09 +0100
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
---
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
nsswitch/pam_winbind.c | 12 ++++++++++--
nsswitch/pam_winbind.h | 1 +
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 0bc288f91a1..bae9298fc32 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -194,6 +194,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>pwd_change_prompt = yes|no</term>
+ <listitem><para>
+ Generate prompt for changing an expired password. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
</para>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 720a4b90d85..06098dd07d8 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
ctrl |= WINBIND_MKHOMEDIR;
}
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ }
+
config_from_pam:
/* step through arguments */
for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
else if (!strncasecmp(*v, "warn_pwd_expire",
strlen("warn_pwd_expire")))
ctrl |= WINBIND_WARN_PWD_EXPIRE;
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
else if (type != PAM_WINBIND_CLEANUP) {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index c6786d65a4d..2f4a25729bd 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do { \
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
#define WINBIND_MKHOMEDIR 0x00004000
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
#define _(string) dgettext(MODULE_NAME, string)
--
2.35.1
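Review bot: In `_pam_send_password_expiry_message` the comment above both changed conditions still reads "Give the user a chance to change pwd." although the prompt is now gated on `WINBIND_PWD_CHANGE_PROMPT`; update it at both hunks, e.g. `* Give the user a chance to change pwd, but only when pwd_change_prompt is enabled (off by default).` The same gate is duplicated verbatim in the two hunks, which is where they will drift apart the next time the logic changes; a single `bool prompt = (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT);` computed once and used in both conditions would keep them in step. The function body continues outside both hunks.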


@ -0,0 +1,229 @@
From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 22 Jan 2022 01:08:26 +0100
Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.
Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.
This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
---
librpc/rpc/dcesrv_auth.c | 5 +++++
librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
librpc/rpc/dcesrv_core.h | 2 ++
source3/rpc_server/rpc_config.c | 2 ++
source4/rpc_server/service_rpc.c | 10 ++++++++++
5 files changed, 37 insertions(+)
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index fec8df513a83..99d8e0162160 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
auth->auth_level = call->in_auth_info.auth_level;
auth->auth_context_id = call->in_auth_info.auth_context_id;
+ cb->auth.become_root();
status = cb->auth.gensec_prepare(
auth,
call,
&auth->gensec_security,
cb->auth.private_data);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
nt_errstr(status)));
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
{
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
const char *pdu = "<unknown>";
switch (call->pkt.ptype) {
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
return status;
}
+ cb->auth.become_root();
status = gensec_session_info(auth->gensec_security,
auth,
&auth->session_info);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n",
nt_errstr(status)));
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index d16159b0b6cd..ea91fc689b4a 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
struct dcerpc_binding *ep_2nd_description = NULL;
const char *endpoint = NULL;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
struct tevent_req *subreq = NULL;
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
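Review bot: The root window opened here spans `gensec_update_send()`, which consumes the client-supplied blob in `call->in_auth_info.credentials`, so attacker-controlled NTLMSSP/SPNEGO data is now processed with privileges raised, and nothing in the hunk records why that is necessary or that only the synchronous part of the update is covered (anything a gensec backend defers to the event loop runs after `unbecome_root()`). This is presumably acceptable because the embedded source3 path is known to complete synchronously and the privilege is needed for the backend's private tdb/ldb access, as the commit message says, but that reasoning belongs next to the call. I would add `/* become_root() covers only the synchronous part of the update; the blob parsed here is untrusted client data, so keep this window minimal */` above the `cb->auth.become_root();` line. dcesrv_bind's body continues outside the hunk.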
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct tevent_req *subreq = NULL;
NTSTATUS status;
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
return NT_STATUS_OK;
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct tevent_req *subreq = NULL;
size_t i;
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index d8d5f9030959..0538442e0ce6 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
struct gensec_security **out,
void *private_data);
void *private_data;
+ void (*become_root)(void);
+ void (*unbecome_root)(void);
} auth;
struct {
NTSTATUS (*find)(
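Review bot: The two new function pointers added to `struct dcesrv_context_callbacks` have no NULL default, yet every call site in this patch invokes `cb->auth.become_root()` / `cb->auth.unbecome_root()` unconditionally, so any initializer of this struct that is not updated (only rpc_config.c and service_rpc.c are touched here) would dereference NULL on the first authenticated bind. Since the struct is shared across dcesrv users and the callbacks are optional in spirit (source4 installs no-op stubs), a NULL-tolerant wrapper is cheaper than auditing every initializer now and in the future. Inline helpers like the ones below, with call sites using `dcesrv_become_root(cb)` / `dcesrv_unbecome_root(cb)`, would also let service_rpc.c drop its `skip_*` stubs. The struct definition continues outside the hunk.
```c
static inline void dcesrv_become_root(const struct dcesrv_context_callbacks *cb)
{
	if (cb->auth.become_root != NULL) {
		cb->auth.become_root();
	}
}

static inline void dcesrv_unbecome_root(const struct dcesrv_context_callbacks *cb)
{
	if (cb->auth.unbecome_root != NULL) {
		cb->auth.unbecome_root();
	}
}
```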
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 2f1a01da1c0b..289c4f398409 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -31,6 +31,8 @@
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = dcesrv_log_successful_authz,
.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
+ .auth.become_root = become_root,
+ .auth.unbecome_root = unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index d8c6746d7815..ebb50f8a7ef3 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -40,9 +40,19 @@
#include "../libcli/named_pipe_auth/npa_tstream.h"
#include "samba/process_model.h"
+static void skip_become_root(void)
+{
+}
+
+static void skip_unbecome_root(void)
+{
+}
+
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = log_successful_dcesrv_authz_event,
.auth.gensec_prepare = dcesrv_gensec_prepare,
+ .auth.become_root = skip_become_root,
+ .auth.unbecome_root = skip_unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
--
2.25.1

SOURCES/samba-s4u.patch Normal file

@ -0,0 +1,697 @@
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
source4/kdc/mit_samba.c | 47 ++-------
source4/kdc/mit_samba.h | 6 +-
3 files changed, 71 insertions(+), 106 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..b1c7c5dcc5e 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
- krb5_pac *pac)
+ krb5_pac *out_pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
- krb5_pac ipac = NULL;
- DATA_BLOB logon_data = { NULL, 0 };
+ krb5_keyblock *header_server_key = NULL;
+ krb5_key_data *impersonator_kd = NULL;
+ krb5_keyblock impersonator_key = {0};
krb5_error_code code;
+ krb5_pac pac;
+
+ *out_pac = NULL;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
- &ipac);
+ &pac);
if (code != 0) {
goto done;
}
- /* TODO: verify this is correct
- *
- * In the constrained delegation case, the PAC is from a service
- * ticket rather than a TGT; we must verify the server and KDC
- * signatures to assert that the server did not forge the PAC.
+ /*
+ * For constrained delegation in MIT version < 1.18 we aren't provided
+ * with the 2nd ticket server key to verify the PAC.
+ * We can workaround that by fetching the key from the client db entry,
+ * which is the impersonator account in that version.
+ * TODO: use the provided entry in the new 1.18 version.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- server_key,
- krbtgt_key);
+ /* The impersonator must be local. */
+ if (client == NULL) {
+ code = KRB5KDC_ERR_BADOPTION;
+ goto done;
+ }
+ /* Fetch and decrypt 2nd ticket server's current key. */
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+ &impersonator_kd);
+ if (code != 0) {
+ goto done;
+ }
+ code = krb5_dbe_decrypt_key_data(context, NULL,
+ impersonator_kd,
+ &impersonator_key, NULL);
+ if (code != 0) {
+ goto done;
+ }
+ header_server_key = &impersonator_key;
} else {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- krbtgt_key,
- NULL);
- }
- if (code != 0) {
- goto done;
+ header_server_key = krbtgt_key;
}
- /* check and update PAC */
- code = krb5_pac_parse(context,
- authdata[0]->contents,
- authdata[0]->length,
- pac);
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
+ header_server_key, NULL);
if (code != 0) {
goto done;
}
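Review bot: The single `krb5_pac_verify()` call that replaces the two branches passes `NULL` as the privsvr key in every case, so in the constrained-delegation branch the KDC checksum over the evidence ticket's PAC is no longer verified, whereas the removed code checked it with `krbtgt_key` (as I read libkrb5, a NULL privsvr key skips that check). With only the server checksum verified, and verified against the impersonator's own key, a service holding its own long-term key could present a PAC it signed itself; whether that is exploitable depends on how much of the PAC `mit_samba_reget_pac()` (called right after this hunk) rebuilds from the directory rather than copies, which is not visible here. Unless there is a reason the krbtgt key cannot be used in that branch, I would keep the KDC check by passing `(flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) ? krbtgt_key : NULL` as the last argument, which preserves the old behaviour of both branches. ks_verify_pac continues outside the hunk.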
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
- client_princ,
client,
server,
krbtgt,
krbtgt_key,
- pac);
+ &pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ *out_pac = pac;
+ pac = NULL;
done:
+ krb5_free_keyblock_contents(context, &impersonator_key);
krb5_free_authdata(context, authdata);
- krb5_pac_free(context, ipac);
- free(logon_data.data);
+ krb5_pac_free(context, pac);
return code;
}
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **pac_auth_data = NULL;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
+ krb5_const_principal pac_client;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- /* FIXME: We don't support S4U yet */
- if (flags & KRB5_KDB_FLAGS_S4U) {
- return KRB5_KDB_DBTYPE_NOSUP;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/*
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
ks_client_princ = client->princ;
}
+ /* In protocol transition, we are currently not provided with the tgt
+ * client name to verify the PAC, we could probably skip the name
+ * verification and just verify the signatures, but since we don't
+ * support cross-realm nor aliases, we can just use server->princ */
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ pac_client = server->princ;
+ } else {
+ pac_client = ks_client_princ;
+ }
+
if (client_entry == NULL) {
client_entry = client;
}
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ pac_client,
client_entry,
server,
krbtgt,
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
is_as_req ? "AS-REQ" : "TGS-REQ",
client_name);
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
- server_key, krbtgt_key, &pac_data);
+ server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
- if (code != 0) {
- goto done;
- }
-
- code = 0;
-
done:
if (client_entry != NULL && client_entry != client) {
ks_free_principal(context, client_entry);
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
* server; -> delegating service
* proxy; -> target principal
*/
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
- char *target_name = NULL;
- bool is_enterprise;
- krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
- code = krb5_unparse_name(context, proxy, &target_name);
- if (code) {
- goto done;
- }
-
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
- code = mit_samba_check_s4u2proxy(mit_ctx,
- delegating_service,
- target_name,
- is_enterprise);
-
-done:
- free(target_name);
- return code;
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
}
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..acc3cba6254 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
- discard_const(client_principal),
+ client->princ,
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name)
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal)
{
-#if 1
- /*
- * This is disabled because mit_samba_update_pac_data() does not handle
- * S4U_DELEGATION_INFO
- */
-
- return KRB5KDC_ERR_BADOPTION;
-#else
- krb5_principal target_principal;
- int flags = 0;
- int ret;
-
- if (is_nt_enterprise_name) {
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
- }
-
- ret = krb5_parse_name_flags(ctx->context, target_name,
- flags, &target_principal);
- if (ret) {
- return ret;
- }
-
- ret = samba_kdc_check_s4u2proxy(ctx->context,
- ctx->db_ctx,
- skdc_entry,
- target_principal);
-
- krb5_free_principal(ctx->context, target_principal);
-
- return ret;
-#endif
+ struct samba_kdc_entry *server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ return samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ server_skdc_entry,
+ target_principal);
}
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
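Review bot: `talloc_get_type_abort(server->e_data, struct samba_kdc_entry)` turns a missing or foreign `e_data` on the delegating server's entry into a process abort, which in a KDC path presumably reachable from any TGS-REQ carrying an S4U2Proxy evidence ticket is a denial-of-service hazard rather than a clean refusal. The removed code refused with `KRB5KDC_ERR_BADOPTION`, and I would keep that as the failure mode: `struct samba_kdc_entry *server_skdc_entry = talloc_get_type(server->e_data, struct samba_kdc_entry);` followed by `if (server_skdc_entry == NULL) { return KRB5KDC_ERR_BADOPTION; }`. Whether `e_data` can actually be NULL here depends on how entries are produced by the rest of the KDB module, which is outside this hunk.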
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index 636c77ec97c..9cb00c9610e 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
DATA_BLOB *e_data);
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name);
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal);
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.33.1
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 2 -
source4/auth/kerberos/kerberos_util.c | 11 --
3 files changed, 185 insertions(+), 13 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..791b417d5ba 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+ krb5_principal a,
+ krb5_principal b)
+{
+ bool cmp;
+ krb5_principal mod = NULL;
+
+ if (a->length == 1 && b->length == 1 &&
+ a->data[0].length != 0 && b->data[0].length != 0 &&
+ a->data[0].data[a->data[0].length -1] !=
+ b->data[0].data[b->data[0].length -1]) {
+ if (a->data[0].data[a->data[0].length -1] == '$') {
+ mod = a;
+ mod->data[0].length--;
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
+ mod = b;
+ mod->data[0].length--;
+ }
+ }
+
+ cmp = krb5_principal_compare_flags(ctx, a, b,
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+ if (mod != NULL) {
+ mod->data[0].length++;
+ }
+
+ return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ krb5_ccache store_cc,
+ krb5_principal init_principal,
+ const char *init_password,
+ krb5_principal impersonate_principal,
+ const char *self_service,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code;
+ krb5_principal self_princ = NULL;
+ krb5_principal target_princ = NULL;
+ krb5_creds *store_creds;
+ krb5_creds *s4u2self_creds = NULL;
+ krb5_creds *s4u2proxy_creds = NULL;
+ krb5_creds init_creds = {0};
+ krb5_creds mcreds = {0};
+ krb5_flags options = KRB5_GC_NO_STORE;
+ krb5_ccache tmp_cc;
+ bool s4u2proxy;
+
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_get_init_creds_password(ctx, &init_creds,
+ init_principal,
+ init_password,
+ NULL, NULL,
+ 0,
+ NULL,
+ krb_options);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * Check if we also need S4U2Proxy or if S4U2Self is
+ * enough in order to get a ticket for the target.
+ */
+ if (target_service == NULL) {
+ s4u2proxy = false;
+ } else if (strcmp(target_service, self_service) == 0) {
+ s4u2proxy = false;
+ } else {
+ s4u2proxy = true;
+ }
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+ * client and the request server to be the same principal name. */
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ mcreds.client = impersonate_principal;
+ mcreds.server = init_creds.client;
+
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+ NULL, &s4u2self_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (s4u2proxy) {
+ code = krb5_parse_name(ctx, target_service, &target_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ mcreds.client = init_creds.client;
+ mcreds.server = target_princ;
+ mcreds.second_ticket = s4u2self_creds->ticket;
+
+ code = krb5_get_credentials(ctx, options |
+ KRB5_GC_CONSTRAINED_DELEGATION,
+ tmp_cc, &mcreds, &s4u2proxy_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* Check KDC support of S4U2Proxy extension */
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+ s4u2proxy_creds->client)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ store_creds = s4u2proxy_creds;
+ } else {
+ store_creds = s4u2self_creds;;
+
+ /* We need to save the ticket with the requested server name
+ * or the caller won't be able to find it in cache. */
+ if (!krb5_principal_compare(ctx, self_princ,
+ store_creds->server)) {
+ krb5_free_principal(ctx, store_creds->server);
+ store_creds->server = NULL;
+ code = krb5_copy_principal(ctx, self_princ,
+ &store_creds->server);
+ if (code != 0) {
+ goto done;
+ }
+ }
+ }
+
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) store_creds->times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) store_creds->times.starttime;
+ }
+
+done:
+ krb5_cc_destroy(ctx, tmp_cc);
+ krb5_free_cred_contents(ctx, &init_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ krb5_free_creds(ctx, s4u2proxy_creds);
+ krb5_free_principal(ctx, self_princ);
+ krb5_free_principal(ctx, target_princ);
+
+ return code;
+}
#endif
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
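Review bot: `princ_compare_no_dollar()` temporarily shortens a caller-owned principal component in place (`mod->data[0].length--`) and relies on restoring it afterwards; that is safe as used here, since both arguments are local to `smb_krb5_kinit_s4u2_ccache()`, but it is surprising for a helper whose parameters read as inputs and it is not safe if a principal is ever shared between threads. A comment on the helper, `/* Temporarily drops a trailing '$' from one single-component name; inputs are restored before return and must not be shared */`, would make that contract explicit. Separately, `store_creds = s4u2self_creds;;` carries a stray second semicolon.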
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index eab67f6d969..b5385c69a33 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#endif
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
{
krb5_error_code ret;
const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
const char *self_service;
-#endif
const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
@@ -268,9 +266,7 @@ done:
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL
self_service = cli_credentials_get_self_service(credentials);
-#endif
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
#endif
if (password) {
if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
ccache,
princ,
@@ -342,12 +337,6 @@ done:
krb_options,
NULL,
&kdc_time);
-#else
- talloc_free(mem_ctx);
- (*error_string) = "INTERNAL error: s4u2 ops "
- "are not supported with MIT build yet";
- return EINVAL;
-#endif
} else {
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.33.1
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
---
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 8 ++++++--
source4/kdc/mit_samba.c | 3 +++
source4/kdc/sdb.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..d16b4c3329a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
+ * the canonical name in all lookups, and takes care to canonicalize
+ * only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
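Review bot: The new `// was this supposed to be || ?` comment on the `SAMBA_KDC_ENT_TYPE_ANY` branch leaves an open question about the lookup condition in the KDC's entry-to-principal mapping, in a patch whose subject is `wip:`; a question like that should be answered or removed before the patch ships in a distribution package, and the file otherwise uses `/* */` comments. The `SDB_F_FORCE_CANON` arm OR-ed into the condition is, per the mit_samba.c hunk in the same patch, set unconditionally when `KRB5_KDB_API_VERSION >= 10`, so the AS-REQ-only restriction described in the surrounding comment no longer holds on that build: the principal is rewritten to `samAccountName@REALM` for every lookup, including server lookups during TGS-REQ, and the patch relies on the newer MIT KDC to apply canonicalization only when the client asked for it. I would at least replace the stray question with `/* NOTE: on MIT KDB API >= 10 every lookup reaches here via SDB_F_FORCE_CANON; the KDC is trusted to canonicalize only when requested */`. samba_kdc_message2entry continues outside the hunk.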
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index acc3cba6254..f0b9df8b613 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
+#if KRB5_KDB_API_VERSION >= 10
+ sflags |= SDB_F_FORCE_CANON;
+#endif
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
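Review bot: The comment on the new flag reads `/* force canonicalition */`, and the same misspelling appears in the hdb.h hunk of this patch; `/* force canonicalization (MIT KDB API >= 10 path) */` would fix it and record where the flag comes from. The value 16384 is the next free bit after `SDB_F_FOR_TGS_REQ`, but since the parallel define lands in a bundled Heimdal header, it is worth checking that a later Heimdal import does not already assign that bit.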
--
2.33.1


@ -1,7 +1,41 @@
From e4baa05c6f73b364843f0ddd5394bf4298aca0d7 Mon Sep 17 00:00:00 2001
From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Feb 2022 16:33:10 +0100
Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
We have the env variable SERVER_LOG_LEVEL which allows you to change
the log level on the command line. If we force -d0 this will not work.
make test TESTS="samba" SERVER_LOG_LEVEL=10
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
---
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b901fd2677a..64a9a791a61 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2153,7 +2153,7 @@ sub make_bin_cmd
{
my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
- my @optargs = ("-d0");
+ my @optargs = ();
if (defined($options)) {
@optargs = split(/ /, $options);
}
--
2.34.1
From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 12:07:03 +0100
Subject: [PATCH 1/5] s3:modules: Implement dummy virus scanner that uses
Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
filename matching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -22,7 +56,7 @@ Reviewed-by: Andreas Schneider <asn@samba.org>
create mode 100644 source3/modules/vfs_virusfilter_dummy.c
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 524e7dfbad9..5ae8a02a369 100644
index 9fafe4e5d41..e6cbee7cd45 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -35,12 +35,14 @@
@ -61,7 +95,7 @@ index 524e7dfbad9..5ae8a02a369 100644
config->cache_entry_limit = lp_parm_int(
snum, "virusfilter", "cache entry limit", 100);
@@ -532,6 +541,9 @@ static int virusfilter_vfs_connect(
@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
case VIRUSFILTER_SCANNER_CLAMAV:
ret = virusfilter_clamav_init(config);
break;
@ -157,10 +191,10 @@ index 00000000000..03405cd6629
+ return 0;
+}
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 36b047ef79b..444a16f2cc0 100644
index 40df4539392..ff318c3fa06 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -598,6 +598,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
vfs_virusfilter_sophos.c
vfs_virusfilter_fsav.c
vfs_virusfilter_clamav.c
@ -172,10 +206,10 @@ index 36b047ef79b..444a16f2cc0 100644
2.34.1
From f3c9a2e7c524b25558550ed7fb1b7778975a3f2b Mon Sep 17 00:00:00 2001
From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 22:35:29 +0100
Subject: [PATCH 2/5] docs-xml:manpages: Document 'dummy' virusfilter and
Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
'virusfilter:infected files'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@ -225,10 +259,10 @@ index 329a35af68a..88f91d73a42 100644
2.34.1
From 3758a9612862c88a17ed20787b60346859c03eea Mon Sep 17 00:00:00 2001
From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:34:56 +0100
Subject: [PATCH 3/5] selftest: Fix trailing whitespace in Samba3.pm
Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -244,7 +278,7 @@ Reviewed-by: Andreas Schneider <asn@samba.org>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9a8c9ee2604..306783931e0 100755
index 64a9a791a61..7584a0e7ba9 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
@ -256,7 +290,7 @@ index 9a8c9ee2604..306783931e0 100755
return $out;
}
@@ -2205,7 +2205,7 @@ sub provision($$)
@@ -2426,7 +2426,7 @@ sub provision($$)
my $nmbdsockdir="$prefix_abs/nmbd";
unlink($nmbdsockdir);
@ -265,7 +299,7 @@ index 9a8c9ee2604..306783931e0 100755
## create the test directory layout
##
die ("prefix_abs = ''") if $prefix_abs eq "";
@@ -3057,7 +3057,7 @@ sub provision($$)
@@ -3290,7 +3290,7 @@ sub provision($$)
unless (open(PASSWD, ">$nss_wrapper_passwd")) {
warn("Unable to open $nss_wrapper_passwd");
return undef;
@ -278,10 +312,10 @@ index 9a8c9ee2604..306783931e0 100755
2.34.1
From e92fbd282c584cadcd0ed513c414b5377282ed64 Mon Sep 17 00:00:00 2001
From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:35:48 +0100
Subject: [PATCH 4/5] s3:selftest: Add test for virus scanner
Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -312,10 +346,10 @@ index 00000000000..6df3fd20627
+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 306783931e0..baec3347c7d 100755
index 7584a0e7ba9..c1d0c60d96a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1463,6 +1463,9 @@ sub setup_fileserver
@@ -1688,6 +1688,9 @@ sub setup_fileserver
my $veto_sharedir="$share_dir/veto";
push(@dirs,$veto_sharedir);
@ -325,7 +359,7 @@ index 306783931e0..baec3347c7d 100755
my $ip4 = Samba::get_ipv4_addr("FILESERVER");
my $fileserver_options = "
kernel change notify = yes
@@ -1588,6 +1591,15 @@ sub setup_fileserver
@@ -1813,6 +1816,15 @@ sub setup_fileserver
path = $veto_sharedir
delete veto files = yes
@ -472,12 +506,12 @@ index 00000000000..2234ea6ca89
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index c78c9ea4ab8..3c8976874e6 100755
index 701be011f70..6b146c76381 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1113,6 +1113,15 @@ plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver",
"$USERNAME", "$PASSWORD", "$SERVER",
smbclient3])
@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
'$SERVER_IP',
"tmp"])
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
@ -495,10 +529,10 @@ index c78c9ea4ab8..3c8976874e6 100755
2.34.1
From 3e1a57b6d8528d7aa4c46b8ac76bff034523b273 Mon Sep 17 00:00:00 2001
From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 7 Feb 2022 23:06:10 +0100
Subject: [PATCH 5/5] s3:modules: Fix virusfilter_vfs_openat
Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@ -530,10 +564,10 @@ index 6df3fd20627..00000000000
-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 5ae8a02a369..8c7e5323341 100644
index e6cbee7cd45..d1554967ad1 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -1304,21 +1304,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
*/
goto virusfilter_vfs_open_next;
}


@ -2,12 +2,16 @@
#
# To build and run the tests use:
#
# fedpkg local --with testsuite
# or
# rpmbuild --rebuild --with testsuite samba.src.rpm
#
%bcond_with testsuite
# Build with internal talloc, tevent, tdb and ldb.
#
# fedpkg local --with=testsuite --with=includelibs
# or
# rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm
#
%bcond_with includelibs
@ -15,6 +19,9 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
# Define _make_verbose if it doesn't exist (RHEL8)
%{!?_make_verbose:%define _make_verbose V=1 VERBOSE=1}
# Build with Active Directory Domain Controller support by default on Fedora
%if 0%{?fedora}
%bcond_without dc
@ -42,18 +49,21 @@
%bcond_without winexe
%endif
# Build vfs_ceph module by default on 64bit Fedora
# Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora
%if 0%{?fedora}
%ifarch aarch64 ppc64le s390x x86_64
%bcond_without vfs_cephfs
%bcond_without ceph_mutex
%else
%bcond_with vfs_cephfs
%bcond_with ceph_mutex
#endifarch
%endif
%else
%bcond_with vfs_cephfs
%bcond_with ceph_mutex
#endif fedora
%endif
@ -106,15 +116,29 @@
#endif fedora || rhel >= 8
%endif
# Build the ctdb-pcp-pmda package by default on Fedora
%if 0%{?fedora}
%bcond_without pcp_pmda
%else
%bcond_with pcp_pmda
%endif
# Build the etcd helpers by default on Fedora
%if 0%{?fedora}
%bcond_without etcd_mutex
%else
%bcond_with etcd_mutex
%endif
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global baserelease 10
%global baserelease 5
%global samba_version 4.14.5
%global talloc_version 2.3.2
%global tdb_version 1.4.3
%global tevent_version 0.10.2
%global ldb_version 2.3.0
%global samba_version 4.15.5
%global talloc_version 2.3.3
%global tdb_version 1.4.4
%global tevent_version 0.11.0
%global ldb_version 2.4.1
# This should be rc1 or nil
%global pre_release %nil
@ -177,19 +201,17 @@ Source14: samba.pamd
Source201: README.downgrade
Patch0: samba-4.14-raise-dfs-enoent-debug-level.patch
Patch1: CVE-2016-2124.patch
Patch2: CVE-2021-23192.patch
Patch3: CVE-2020-25717.patch
Patch4: samba-4.14-krb5pac.patch
Patch5: samba-4.14-fix-winbind-no-trusted-domain.patch
Patch6: samba-4.14-IPA-DC-add-missing-checks.patch
Patch7: samba-4.14-recursive-delete-of-veto-files.patch
Patch8: samba-4.14-del-dir-with-dangling-symlinks.patch
Patch9: samba-4.14-fix-username-map-script.patch
Patch10: samba-4.14-fix-domain-join-segfault.patch
Patch11: CVE-2021-44142-v4.14.patch
Patch12: samba-4.14-fix-virus-scanner.patch
Patch0: samba-s4u.patch
Patch1: samba-ctdb-etcd-reclock.patch
Patch2: samba-glibc-dns.patch
Patch3: samba-printing-win7.patch
Patch4: samba-disable-systemd-notifications.patch
Patch5: samba-disable-ntlmssp.patch
Patch6: samba-password-change-prompt.patch
Patch7: samba-virus_scanner.patch
Patch8: samba-4-15-fix-autorid.patch
Patch9: samba-4-15-fix-winbind-refresh-tickets.patch
Patch10: samba-4-15-fix-create-local-krb5-conf.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -297,6 +319,16 @@ BuildRequires: libcephfs-devel
BuildRequires: liburing-devel >= 0.4
%endif
%if %{with pcp_pmda}
BuildRequires: pcp-libs-devel
%endif
%if %{with ceph_mutex}
BuildRequires: librados-devel
%endif
%if %{with etcd_mutex}
BuildRequires: python3-etcd
%endif
%if %{with dc} || %{with testsuite}
# Add python3-iso8601 to avoid that the
# version in Samba is being packaged
@ -326,9 +358,13 @@ BuildRequires: python3-tdb >= %{tdb_version}
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: python3-ldb >= %{ldb_version}
BuildRequires: python3-ldb-devel >= %{ldb_version}
%else
%endif
%if %{with includelibs} || %{with testsuite}
# lmdb-devel is required for the mdb ldb module, if samba is configured
# to build includelibs we need lmdb-devel for building that module on our own
BuildRequires: lmdb-devel
#endif without testsuite
#endif without includelibs
%endif
%if %{with dc} || %{with testsuite}
@ -338,6 +374,7 @@ BuildRequires: ldb-tools
BuildRequires: python3-gpg
BuildRequires: python3-markdown
BuildRequires: python3-setproctitle
BuildRequires: python3-cryptography
BuildRequires: tdb-tools
%endif
@ -435,7 +472,7 @@ Obsoletes: ctdb-tests-debuginfo < %{samba_depver}
# endif with clustering
%endif
# If only build glusterfs for RHGS and Fedora, so obsolete it on other version
# We only build glusterfs for RHGS and Fedora, so obsolete it on other versions
# of the distro
%if %{without vfs_glusterfs}
Obsoletes: samba-vfs-glusterfs < %{samba_depver}
@ -456,6 +493,15 @@ Requires: samba-libs = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
# samba-tool needs python3-samba
Requires: python3-%{name} = %{samba_depver}
# samba-tool needs tdbbackup
Requires: tdb-tools
%if %{with dc}
# samba-tool needs mdb_copy for domain backup or upgrade provision
Requires: lmdb
%endif
Provides: bundled(libreplace)
%description common-tools
@ -477,10 +523,6 @@ Requires(post): libwbclient = %{samba_depver}
Requires: libwbclient = %{samba_depver}
%endif
# samba-tool needs tdbbackup
Requires: tdb-tools
# samba-tool needs mdb_copy
Requires: lmdb
Requires: ldb-tools
Requires: python3-setproctitle
# Force using libldb version to be the same as build version
@ -573,6 +615,7 @@ Samba VFS module for Ceph distributed storage system integration.
Summary: Samba VFS module for io_uring
Requires: %{name} = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
Provides: bundled(libreplace)
@ -716,7 +759,7 @@ Summary: Samba python devel files
Requires: python3-%{name} = %{samba_depver}
%description -n python3-%{name}-devel
The python3-%{name}-devel package contains the Python 3 defel files.
The python3-%{name}-devel package contains the Python 3 devel files.
%package -n python3-samba-test
Summary: Samba Python libraries
@ -811,9 +854,12 @@ Summary: Samba winbind
Requires(pre): %{name}-common = %{samba_depver}
Requires: %{name}-common = %{samba_depver}
Requires: %{name}-common-libs = %{samba_depver}
Requires(post): %{name}-common-libs = %{samba_depver}
Requires: %{name}-common-tools = %{samba_depver}
Requires: %{name}-client-libs = %{samba_depver}
Requires(post): %{name}-client-libs = %{samba_depver}
Requires: %{name}-libs = %{samba_depver}
Requires(post): %{name}-libs = %{samba_depver}
Requires: %{name}-winbind-modules = %{samba_depver}
%if %{with libwbclient}
@ -906,6 +952,7 @@ necessary to communicate to the Winbind Daemon
Summary: Samba Winexe Windows Binary
License: GPLv3
Requires: %{name}-client-libs = %{samba_depver}
Requires: %{name}-common-libs = %{samba_depver}
Provides: bundled(libreplace)
@ -973,6 +1020,45 @@ and use CTDB instead.
#endif with testsuite
%endif
%if %{with pcp_pmda}
%package -n ctdb-pcp-pmda
Summary: CTDB PCP pmda support
Requires: ctdb = %{samba_depver}
Requires: pcp-libs
%description -n ctdb-pcp-pmda
Performance Co-Pilot (PCP) support for CTDB
#endif with pcp_pmda
%endif
%if %{with etcd_mutex}
%package -n ctdb-etcd-mutex
Summary: CTDB ETCD mutex helper
Requires: ctdb = %{samba_depver}
Requires: python3-etcd
%description -n ctdb-etcd-mutex
Support for using an existing ETCD cluster as a mutex helper for CTDB
#endif with etcd_mutex
%endif
%if %{with ceph_mutex}
%package -n ctdb-ceph-mutex
Summary: CTDB ceph mutex helper
Requires: ctdb = %{samba_depver}
%description -n ctdb-ceph-mutex
Support for using an existing CEPH cluster as a mutex helper for CTDB
#endif with ceph_mutex
%endif
#endif with clustering
%endif
@ -1062,9 +1148,19 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
%endif
%if %{with testsuite}
--enable-selftest \
%endif
%if %{with pcp_pmda}
--enable-pmda \
%endif
%if %{with ceph_mutex}
--enable-ceph-reclock \
%endif
%if %{with etcd_mutex}
--enable-etcd-reclock \
%endif
--with-profiling-data \
--with-systemd \
--with-quotas \
--systemd-install-services \
--with-systemddir=/usr/lib/systemd/system \
--systemd-smb-extra=%{_systemd_extra} \
@ -1073,7 +1169,7 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
--systemd-samba-extra=%{_systemd_extra}
# Do not use %%make_build, make is just a wrapper around waf in Samba!
%{__make} %{?_smp_mflags} V=1
%{__make} %{?_smp_mflags} %{_make_verbose}
pushd pidl
%__perl Makefile.PL PREFIX=%{_prefix}
@ -1082,7 +1178,8 @@ pushd pidl
popd
%install
%make_install
# Do not use %%make_install, make is just a wrapper around waf in Samba!
%{__make} %{?_smp_mflags} %{_make_verbose} install DESTDIR=%{buildroot}
install -d -m 0755 %{buildroot}/usr/{sbin,bin}
install -d -m 0755 %{buildroot}%{_libdir}/security
@ -1170,12 +1267,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if %{without dc} && %{without testsuite}
for i in \
%{_libdir}/samba/libdfs-server-ad-samba4.so \
%{_libdir}/samba/libdnsserver-common-samba4.so \
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
%{_libdir}/samba/libscavenge-dns-records-samba4.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba_downgrade_db.8 \
%{_mandir}/man8/samba-tool.8 \
%{_mandir}/man8/samba-gpupdate.8 \
%{_libdir}/samba/ldb/ildap.so \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \
@ -1526,6 +1621,8 @@ fi
%{_libdir}/samba/vfs/nfs4acl_xattr.so
%endif
%{_libexecdir}/samba/samba-bgqd
%dir %{_datadir}/samba
%dir %{_datadir}/samba/mdssvc
%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
@ -1537,6 +1634,7 @@ fi
%config(noreplace) %{_sysconfdir}/pam.d/samba
%{_mandir}/man1/smbstatus.1*
%{_mandir}/man8/eventlogadm.8*
%{_mandir}/man8/samba-bgqd.8*
%{_mandir}/man8/smbd.8*
%{_mandir}/man8/nmbd.8*
%{_mandir}/man8/vfs_acl_tdb.8*
@ -1587,9 +1685,8 @@ fi
%{_bindir}/cifsdd
%{_bindir}/dbwrap_tool
%{_bindir}/dumpmscat
%exclude %{_bindir}/findsmb
%{_bindir}/mvxattr
%{_bindir}/mdfind
%{_bindir}/mdsearch
%{_bindir}/nmblookup
%{_bindir}/oLschema2ldif
%{_bindir}/regdiff
@ -1616,9 +1713,8 @@ fi
%{_mandir}/man1/regpatch.1*
%{_mandir}/man1/regshell.1*
%{_mandir}/man1/regtree.1*
%exclude %{_mandir}/man1/findsmb.1*
%{_mandir}/man1/log2pcap.1*
%{_mandir}/man1/mdfind.1*
%{_mandir}/man1/mdsearch.1*
%{_mandir}/man1/mvxattr.1*
%{_mandir}/man1/rpcclient.1*
%{_mandir}/man1/sharesec.1*
@ -1699,12 +1795,11 @@ fi
%{_libdir}/samba/libclidns-samba4.so
%{_libdir}/samba/libcluster-samba4.so
%{_libdir}/samba/libcmdline-contexts-samba4.so
%{_libdir}/samba/libcmdline-credentials-samba4.so
%{_libdir}/samba/libcommon-auth-samba4.so
%{_libdir}/samba/libctdb-event-client-samba4.so
%{_libdir}/samba/libdbwrap-samba4.so
%{_libdir}/samba/libdcerpc-samba-samba4.so
%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so
%{_libdir}/samba/libdcerpc-samba-samba4.so
%{_libdir}/samba/libevents-samba4.so
%{_libdir}/samba/libflag-mapping-samba4.so
%{_libdir}/samba/libgenrand-samba4.so
@ -1758,7 +1853,6 @@ fi
%{_libdir}/samba/libtime-basic-samba4.so
%{_libdir}/samba/libtorture-samba4.so
%{_libdir}/samba/libtrusts-util-samba4.so
%{_libdir}/samba/libutil-cmdline-samba4.so
%{_libdir}/samba/libutil-reg-samba4.so
%{_libdir}/samba/libutil-setid-samba4.so
%{_libdir}/samba/libutil-tdb-samba4.so
@ -1784,7 +1878,7 @@ fi
%{_libdir}/samba/ldb/asq.so
%{_libdir}/samba/ldb/ldb.so
#%%{_libdir}/samba/ldb/mdb.so
%{_libdir}/samba/ldb/mdb.so
%{_libdir}/samba/ldb/paged_searches.so
%{_libdir}/samba/ldb/rdn_name.so
%{_libdir}/samba/ldb/sample.so
@ -1822,8 +1916,7 @@ fi
### COMMON-libs
%files common-libs
# common libraries
%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so
%{_libdir}/samba/libpopt-samba3-samba4.so
%{_libdir}/samba/libcmdline-samba4.so
%dir %{_libdir}/samba/ldb
@ -1836,6 +1929,7 @@ fi
%{_bindir}/net
%{_bindir}/pdbedit
%{_bindir}/profiles
%{_bindir}/samba-tool
%{_bindir}/smbcontrol
%{_bindir}/smbpasswd
%{_bindir}/testparm
@ -1844,13 +1938,13 @@ fi
%{_mandir}/man1/testparm.1*
%{_mandir}/man8/net.8*
%{_mandir}/man8/pdbedit.8*
%{_mandir}/man8/samba-tool.8*
%{_mandir}/man8/smbpasswd.8*
### DC
%if %{with dc} || %{with testsuite}
%files dc
%{_unitdir}/samba.service
%{_bindir}/samba-tool
%{_sbindir}/samba
%{_sbindir}/samba_dnsupdate
%{_sbindir}/samba_downgrade_db
@ -1918,7 +2012,6 @@ fi
%{_mandir}/man8/samba.8*
%{_mandir}/man8/samba_downgrade_db.8*
%{_mandir}/man8/samba-gpupdate.8*
%{_mandir}/man8/samba-tool.8*
%dir %{_datadir}/samba/admx
%{_datadir}/samba/admx/samba.admx
%dir %{_datadir}/samba/admx/en-US
@ -1961,7 +2054,6 @@ fi
%endif
%{_libdir}/libdcerpc-server.so.*
%{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libdsdb-module-samba4.so
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
%{_libdir}/samba/libscavenge-dns-records-samba4.so
@ -1970,8 +2062,6 @@ fi
%files dc-bind-dlz
%attr(770,root,named) %dir /var/lib/samba/bind-dns
%dir %{_libdir}/samba/bind9
%{_libdir}/samba/bind9/dlz_bind9.so
%{_libdir}/samba/bind9/dlz_bind9_9.so
%{_libdir}/samba/bind9/dlz_bind9_10.so
%{_libdir}/samba/bind9/dlz_bind9_11.so
%{_libdir}/samba/bind9/dlz_bind9_12.so
@ -2145,6 +2235,7 @@ fi
%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
%{_libdir}/samba/libdcerpc-samba4.so
%{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libshares-samba4.so
%{_libdir}/samba/libsmbpasswdparser-samba4.so
%{_libdir}/samba/libxattr-tdb-samba4.so
@ -2239,6 +2330,7 @@ fi
%{python3_sitearch}/samba/__pycache__/getopt.*.pyc
%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc
%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc
@ -2261,7 +2353,14 @@ fi
%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc
%{python3_sitearch}/samba/__pycache__/upgrade.*.pyc
%{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc
%{python3_sitearch}/samba/__pycache__/xattr.*.pyc
%{python3_sitearch}/samba/_glue.*.so
%{python3_sitearch}/samba/_ldb.*.so
@ -2290,6 +2389,7 @@ fi
%{python3_sitearch}/samba/dcerpc/idmap.*.so
%{python3_sitearch}/samba/dcerpc/initshutdown.*.so
%{python3_sitearch}/samba/dcerpc/irpc.*.so
%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so
%{python3_sitearch}/samba/dcerpc/krb5pac.*.so
%{python3_sitearch}/samba/dcerpc/lsa.*.so
%{python3_sitearch}/samba/dcerpc/messaging.*.so
@ -2318,9 +2418,12 @@ fi
%{python3_sitearch}/samba/descriptor.py
%{python3_sitearch}/samba/dnsresolver.py
%{python3_sitearch}/samba/drs_utils.py
%{python3_sitearch}/samba/dsdb.*.so
%{python3_sitearch}/samba/dsdb_dns.*.so
%{python3_sitearch}/samba/gensec.*.so
%{python3_sitearch}/samba/getopt.py
%{python3_sitearch}/samba/gpclass.py
%{python3_sitearch}/samba/gp_gnome_settings_ext.py
%{python3_sitearch}/samba/gp_scripts_ext.py
%{python3_sitearch}/samba/gp_sec_ext.py
%{python3_sitearch}/samba/gpo.*.so
@ -2331,6 +2434,7 @@ fi
%{python3_sitearch}/samba/messaging.*.so
%{python3_sitearch}/samba/ndr.py
%{python3_sitearch}/samba/net.*.so
%{python3_sitearch}/samba/net_s3.*.so
%{python3_sitearch}/samba/ntstatus.*.so
%{python3_sitearch}/samba/posix_eadb.*.so
%dir %{python3_sitearch}/samba/emulate
@ -2453,7 +2557,14 @@ fi
%{python3_sitearch}/samba/trust_utils.py
%{python3_sitearch}/samba/upgrade.py
%{python3_sitearch}/samba/upgradehelpers.py
%{python3_sitearch}/samba/vgp_access_ext.py
%{python3_sitearch}/samba/vgp_files_ext.py
%{python3_sitearch}/samba/vgp_issue_ext.py
%{python3_sitearch}/samba/vgp_motd_ext.py
%{python3_sitearch}/samba/vgp_openssh_ext.py
%{python3_sitearch}/samba/vgp_startup_scripts_ext.py
%{python3_sitearch}/samba/vgp_sudoers_ext.py
%{python3_sitearch}/samba/vgp_symlink_ext.py
%{python3_sitearch}/samba/werror.*.so
%{python3_sitearch}/samba/xattr.py
%{python3_sitearch}/samba/xattr_native.*.so
@ -2500,8 +2611,6 @@ fi
%{python3_sitearch}/samba/dcerpc/dnsserver.*.so
%{python3_sitearch}/samba/dckeytab.*.so
%{python3_sitearch}/samba/dsdb.*.so
%{python3_sitearch}/samba/dsdb_dns.*.so
%{python3_sitearch}/samba/domain_update.py
%{python3_sitearch}/samba/forest_update.py
%{python3_sitearch}/samba/ms_forest_updates_markdown.py
@ -2568,6 +2677,7 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc
@ -2575,6 +2685,8 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc
@ -2586,17 +2698,22 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/join.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc
@ -2632,10 +2749,12 @@ fi
%{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/security.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc
%{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc
@ -2670,7 +2789,7 @@ fi
%{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc
%{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc
@ -2686,7 +2805,7 @@ fi
%{python3_sitearch}/samba/tests/blackbox/bug13653.py
%{python3_sitearch}/samba/tests/blackbox/check_output.py
%{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py
%{python3_sitearch}/samba/tests/blackbox/mdfind.py
%{python3_sitearch}/samba/tests/blackbox/mdsearch.py
%{python3_sitearch}/samba/tests/blackbox/ndrdump.py
%{python3_sitearch}/samba/tests/blackbox/netads_json.py
%{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py
@ -2714,6 +2833,7 @@ fi
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc
@ -2733,6 +2853,7 @@ fi
%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py
%{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
%{python3_sitearch}/samba/tests/dcerpc/integer.py
%{python3_sitearch}/samba/tests/dcerpc/lsa.py
%{python3_sitearch}/samba/tests/dcerpc/mdssvc.py
%{python3_sitearch}/samba/tests/dcerpc/misc.py
%{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py
@ -2748,6 +2869,7 @@ fi
%{python3_sitearch}/samba/tests/dcerpc/unix.py
%{python3_sitearch}/samba/tests/dckeytab.py
%{python3_sitearch}/samba/tests/dns.py
%{python3_sitearch}/samba/tests/dns_aging.py
%{python3_sitearch}/samba/tests/dns_base.py
%{python3_sitearch}/samba/tests/dns_forwarder.py
%dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers
@ -2758,6 +2880,8 @@ fi
%{python3_sitearch}/samba/tests/dns_tkey.py
%{python3_sitearch}/samba/tests/dns_wildcard.py
%{python3_sitearch}/samba/tests/dsdb.py
%{python3_sitearch}/samba/tests/dsdb_api.py
%{python3_sitearch}/samba/tests/dsdb_dns.py
%{python3_sitearch}/samba/tests/dsdb_lock.py
%{python3_sitearch}/samba/tests/dsdb_schema_attributes.py
%{python3_sitearch}/samba/tests/docs.py
@ -2777,9 +2901,11 @@ fi
%{python3_sitearch}/samba/tests/get_opt.py
%{python3_sitearch}/samba/tests/glue.py
%{python3_sitearch}/samba/tests/gpo.py
%{python3_sitearch}/samba/tests/gpo_member.py
%{python3_sitearch}/samba/tests/graph.py
%{python3_sitearch}/samba/tests/group_audit.py
%{python3_sitearch}/samba/tests/hostconfig.py
%{python3_sitearch}/samba/tests/imports.py
%{python3_sitearch}/samba/tests/join.py
%dir %{python3_sitearch}/samba/tests/kcc
%{python3_sitearch}/samba/tests/kcc/__init__.py
@ -2795,37 +2921,66 @@ fi
%{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
%dir %{python3_sitearch}/samba/tests/krb5
%dir %{python3_sitearch}/samba/tests/krb5/__pycache__
%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/alias_tests.py
%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
%{python3_sitearch}/samba/tests/krb5/as_req_tests.py
%{python3_sitearch}/samba/tests/krb5/compatability_tests.py
%{python3_sitearch}/samba/tests/krb5/fast_tests.py
%{python3_sitearch}/samba/tests/krb5/kcrypto.py
%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
%{python3_sitearch}/samba/tests/krb5/raw_testcase.py
%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
%{python3_sitearch}/samba/tests/krb5/rodc_tests.py
%{python3_sitearch}/samba/tests/krb5/salt_tests.py
%{python3_sitearch}/samba/tests/krb5/simple_tests.py
%{python3_sitearch}/samba/tests/krb5/spn_tests.py
%{python3_sitearch}/samba/tests/krb5/test_ccache.py
%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py
%{python3_sitearch}/samba/tests/krb5/test_ldap.py
%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
%{python3_sitearch}/samba/tests/krb5/test_rpc.py
%{python3_sitearch}/samba/tests/krb5/test_smb.py
%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
%{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
%{python3_sitearch}/samba/tests/krb5_credentials.py
%{python3_sitearch}/samba/tests/ldap_raw.py
%{python3_sitearch}/samba/tests/ldap_referrals.py
%{python3_sitearch}/samba/tests/ldap_spn.py
%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
%{python3_sitearch}/samba/tests/libsmb.py
%{python3_sitearch}/samba/tests/loadparm.py
%{python3_sitearch}/samba/tests/lsa_string.py
%{python3_sitearch}/samba/tests/messaging.py
%{python3_sitearch}/samba/tests/ndr.py
%{python3_sitearch}/samba/tests/netbios.py
%{python3_sitearch}/samba/tests/netcmd.py
%{python3_sitearch}/samba/tests/net_join_no_spnego.py
@ -2861,6 +3016,7 @@ fi
%{python3_sitearch}/samba/tests/s3passdb.py
%{python3_sitearch}/samba/tests/s3registry.py
%{python3_sitearch}/samba/tests/s3windb.py
%{python3_sitearch}/samba/tests/s3_net_join.py
%{python3_sitearch}/samba/tests/samba3sam.py
%{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py
%dir %{python3_sitearch}/samba/tests/samba_tool
@ -2877,6 +3033,7 @@ fi
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc
@ -2888,6 +3045,7 @@ fi
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc
@ -2911,6 +3069,7 @@ fi
%{python3_sitearch}/samba/tests/samba_tool/forest.py
%{python3_sitearch}/samba/tests/samba_tool/fsmo.py
%{python3_sitearch}/samba/tests/samba_tool/gpo.py
%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py
%{python3_sitearch}/samba/tests/samba_tool/group.py
%{python3_sitearch}/samba/tests/samba_tool/help.py
%{python3_sitearch}/samba/tests/samba_tool/join.py
@ -2922,6 +3081,7 @@ fi
%{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py
%{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py
%{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py
%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py
%{python3_sitearch}/samba/tests/samba_tool/rodc.py
%{python3_sitearch}/samba/tests/samba_tool/schema.py
%{python3_sitearch}/samba/tests/samba_tool/sites.py
@ -2937,6 +3097,7 @@ fi
%{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py
%{python3_sitearch}/samba/tests/samdb.py
%{python3_sitearch}/samba/tests/samdb_api.py
%{python3_sitearch}/samba/tests/sddl.py
%{python3_sitearch}/samba/tests/security.py
%{python3_sitearch}/samba/tests/segfault.py
%{python3_sitearch}/samba/tests/smb.py
@ -3080,6 +3241,7 @@ fi
%{_libexecdir}/ctdb/ctdb_recovery_helper
%{_libexecdir}/ctdb/ctdb_takeover_helper
%{_libexecdir}/ctdb/smnotify
%{_libexecdir}/ctdb/tdb_mutex_check
%dir %{_localstatedir}/lib/ctdb/
%dir %{_localstatedir}/lib/ctdb/persistent
@ -3910,6 +4072,33 @@ fi
#endif with selftest
%endif
%if %{with pcp_pmda}
%files -n ctdb-pcp-pmda
%dir %{_localstatedir}/lib/pcp/pmdas/ctdb
%{_localstatedir}/lib/pcp/pmdas/ctdb/Install
%{_localstatedir}/lib/pcp/pmdas/ctdb/README
%{_localstatedir}/lib/pcp/pmdas/ctdb/Remove
%{_localstatedir}/lib/pcp/pmdas/ctdb/domain.h
%{_localstatedir}/lib/pcp/pmdas/ctdb/help
%{_localstatedir}/lib/pcp/pmdas/ctdb/pmdactdb
%{_localstatedir}/lib/pcp/pmdas/ctdb/pmns
#endif with pcp_pmda
%endif
%if %{with etcd_mutex}
%files -n ctdb-etcd-mutex
%{_libexecdir}/ctdb/ctdb_etcd_lock
%{_mandir}/man7/ctdb-etcd.7.gz
#endif with etcd_mutex
%endif
%if %{with ceph_mutex}
%files -n ctdb-ceph-mutex
%{_libexecdir}/ctdb/ctdb_mutex_ceph_rados_helper
%{_mandir}/man7/ctdb_mutex_ceph_rados_helper.7.gz
#endif with ceph_mutex
%endif
#endif with clustering
%endif
@ -3921,36 +4110,75 @@ fi
%endif
%changelog
* Tue Feb 22 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.14.5-10
- resolves: rhbz#2029417 - Fix virusfilter_vfs_openat: Not scanned: Directory or special file
* Wed Mar 16 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-5
- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a
single IP address.
* Thu Jan 27 2022 Andreas Schneider <asn@redhat.com> - 4.14.5-9
- resolves: rhbz#2046174 - Fix username map script regression of CVE-2020-25717
- resolves: rhbz#2046160 - Fix possible segfault while joining a domain
- resolves: rhbz#2046152 - Fix CVE-2021-44142
* Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-4
- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh
* Thu Dec 02 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.14.5-8
- resolves: rhbz#2026717 - Dir containing dangling symlinks cannot be deleted
* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-3
- related: rhbz#1979959 - Fix typo in testparm output
* Mon Nov 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-7
- related: rhbz#2021171 - Fix CVE-2020-25717
* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-2
- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-1
- resolves: #1995849 - [RFE] Change change password change prompt phrasing
- resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file
* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-0
- Update to Samba 4.15.5
- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
- resolves: rhbz#2046127 - Fix CVE-2021-44141
- resolves: rhbz#2046153 - Fix CVE-2021-44142
- resolves: rhbz#2044404 - Printing no longer works on Windows 7
- resolves: rhbz#2043154 - Fix systemd notifications
- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads)
* Fri Jan 21 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-0
- Update to Samba 4.15.4
- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
- resolves: rhbz#2039153 - Fix CVE-2021-20316
- resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth
- resolves: rhbz#2039157 - Fix CVE-2021-43566
- resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7
- resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain
- resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED
* Thu Dec 16 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.3-1
- related: rhbz#2013596 - Rebase to version 4.15.3
- resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind
- resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired
* Fri Dec 03 2021 Andreas Schneider <asn@redhat.com> - 4.15.2-2
- related: rhbz#2013596 - Remove unneeded lmdb dependency
* Thu Nov 25 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.2-1
- resolves: rhbz#2013596 - Rebase to version 4.15.2
- resolves: rhbz#1999294 - Remove noisy error message in winbindd
- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth
with one-way trusts
- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks
* Mon Nov 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-14
- related: rbhz#2019674 - Fix CVE-2020-25717
- Fix running ktest (selftest)
* Sat Nov 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.14.5-6
- related: rhbz#2021171 - Fix CVE-2020-25717
* Sat Nov 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.14.5-13
- related: rbhz#2019674 - Fix CVE-2020-25717
- Add missing checks for IPA DC server role
* Tue Nov 09 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-5
- resolves: rhbz#2021493 - Add missing PAC buffer types to krb5pac.idl
- related: rbhz#2021171 - Fix regression with 'allow trusted domains = no'
* Wed Nov 10 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-12
- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no'
* Fri Nov 05 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-4
- resolves: rhbz#2021163
Fix CVE-2016-2124
- resolves: rhbz#2021167
Fix CVE-2021-23192
- resolves: rhbz#2021171
Fix CVE-2020-25717
* Tue Nov 09 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-11
- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl
* Fri Nov 05 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-3
- resolves: rhbz#2019662 - Fix CVE-2016-2124
- resolves: rhbz#2019668 - Fix CVE-2021-23192
- resolves: rbhz#2019674 - Fix CVE-2020-25717
* Tue Jul 13 2021 Andreas Schneider <asn@redhat.com> - 4.14.4-2
- related: rhbz#1980346 - Rebuild for libtalloc 0.11.0