From 370637166cb2a06fff503a7c5589d0c0c30d5aae Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 10 May 2022 03:18:52 -0400 Subject: [PATCH] import samba-4.15.5-5.el8 --- .gitignore | 2 +- .samba.metadata | 2 +- SOURCES/CVE-2016-2124.patch | 108 - SOURCES/CVE-2020-25717.patch | 3771 ------------- SOURCES/CVE-2021-23192.patch | 4996 ----------------- SOURCES/CVE-2021-44142-v4.14.patch | 759 --- SOURCES/samba-4-15-fix-autorid.patch | 231 + ...amba-4-15-fix-create-local-krb5-conf.patch | 477 ++ ...mba-4-15-fix-winbind-refresh-tickets.patch | 411 ++ ...samba-4.14-IPA-DC-add-missing-checks.patch | 51 - ...-4.14-del-dir-with-dangling-symlinks.patch | 1023 ---- .../samba-4.14-fix-domain-join-segfault.patch | 39 - .../samba-4.14-fix-username-map-script.patch | 227 - ...a-4.14-fix-winbind-no-trusted-domain.patch | 41 - SOURCES/samba-4.14-krb5pac.patch | 298 - ...ba-4.14-raise-dfs-enoent-debug-level.patch | 49 - ...-4.14-recursive-delete-of-veto-files.patch | 295 - SOURCES/samba-4.14.5.tar.asc | 16 - SOURCES/samba-4.15.5.tar.asc | 16 + SOURCES/samba-ctdb-etcd-reclock.patch | 30 + SOURCES/samba-disable-ntlmssp.patch | 764 +++ .../samba-disable-systemd-notifications.patch | 36 + SOURCES/samba-glibc-dns.patch | 64 + SOURCES/samba-password-change-prompt.patch | 100 + SOURCES/samba-printing-win7.patch | 229 + SOURCES/samba-s4u.patch | 697 +++ ...canner.patch => samba-virus_scanner.patch} | 86 +- SPECS/samba.spec | 374 +- 28 files changed, 3418 insertions(+), 11774 deletions(-) delete mode 100644 SOURCES/CVE-2016-2124.patch delete mode 100644 SOURCES/CVE-2020-25717.patch delete mode 100644 SOURCES/CVE-2021-23192.patch delete mode 100644 SOURCES/CVE-2021-44142-v4.14.patch create mode 100644 SOURCES/samba-4-15-fix-autorid.patch create mode 100644 SOURCES/samba-4-15-fix-create-local-krb5-conf.patch create mode 100644 SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch delete mode 100644 SOURCES/samba-4.14-IPA-DC-add-missing-checks.patch delete mode 100644 SOURCES/samba-4.14-del-dir-with-dangling-symlinks.patch delete mode 100644 SOURCES/samba-4.14-fix-domain-join-segfault.patch delete mode 100644 SOURCES/samba-4.14-fix-username-map-script.patch delete mode 100644 SOURCES/samba-4.14-fix-winbind-no-trusted-domain.patch delete mode 100644 SOURCES/samba-4.14-krb5pac.patch delete mode 100644 SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch delete mode 100644 SOURCES/samba-4.14-recursive-delete-of-veto-files.patch delete mode 100644 SOURCES/samba-4.14.5.tar.asc create mode 100644 SOURCES/samba-4.15.5.tar.asc create mode 100644 SOURCES/samba-ctdb-etcd-reclock.patch create mode 100644 SOURCES/samba-disable-ntlmssp.patch create mode 100644 SOURCES/samba-disable-systemd-notifications.patch create mode 100644 SOURCES/samba-glibc-dns.patch create mode 100644 SOURCES/samba-password-change-prompt.patch create mode 100644 SOURCES/samba-printing-win7.patch create mode 100644 SOURCES/samba-s4u.patch rename SOURCES/{samba-4.14-fix-virus-scanner.patch => samba-virus_scanner.patch} (87%) diff --git a/.gitignore b/.gitignore index 0db09e0..41cd890 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.14.5.tar.xz +SOURCES/samba-4.15.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 707bb47..b1ff8f6 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -46925b3ed9f63b1b936f2271253fdccccbf1575f SOURCES/samba-4.14.5.tar.xz +f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/CVE-2016-2124.patch b/SOURCES/CVE-2016-2124.patch deleted file mode 100644 index a4e015d..0000000 --- a/SOURCES/CVE-2016-2124.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 2a961e883b624219a72f212c554d34a18f22d4d1 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 24 Nov 2016 09:12:59 +0100 -Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non - spnego authentication if we require kerberos - -We should not send NTLM[v2] data on the wire if the user asked for kerberos -only. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 - -Signed-off-by: Stefan Metzmacher ---- - source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c -index 51e121bdce6b..391ee081fe62 100644 ---- a/source4/libcli/smb_composite/sesssetup.c -+++ b/source4/libcli/smb_composite/sesssetup.c -@@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se - NTSTATUS status; - enum smb_encryption_setting encryption_state = - cli_credentials_get_smb_encryption(io->in.credentials); -+ enum credentials_use_kerberos krb5_state = -+ cli_credentials_get_kerberos_state(io->in.credentials); - - c = composite_create(session, session->transport->ev); - if (c == NULL) return NULL; -@@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se - - /* no session setup at all in earliest protocol varients */ - if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { -+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { -+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ return c; -+ } - ZERO_STRUCT(io->out); - composite_done(c); - return c; -@@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se - - /* see what session setup interface we will use */ - if (session->transport->negotiate.protocol < PROTOCOL_NT1) { -+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { -+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ return c; -+ } - status = session_setup_old(c, session, io, &state->req); - } else if (!session->transport->options.use_spnego || - !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { -+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { -+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ return c; -+ } - status = session_setup_nt1(c, session, io, &state->req); - } else { - struct tevent_req *subreq = NULL; --- -2.25.1 - - -From 31a67554cf6c3d9368bef58d1249844f8eeb0059 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 27 Oct 2016 10:40:28 +0200 -Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego - authentication if we require kerberos - -We should not send NTLM[v2] nor plaintext data on the wire if the user -asked for kerberos only. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/cliconnect.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 853fb344bcd6..c01846ac8119 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1442,6 +1442,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, - uint32_t in_sess_key = 0; - const char *in_native_os = NULL; - const char *in_native_lm = NULL; -+ enum credentials_use_kerberos krb5_state = -+ cli_credentials_get_kerberos_state(creds); - NTSTATUS status; - - req = tevent_req_create(mem_ctx, &state, -@@ -1483,6 +1485,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, - return req; - } - -+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { -+ DBG_WARNING("Kerberos authentication requested, but " -+ "the server does not support SPNEGO authentication\n"); -+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ return tevent_req_post(req, ev); -+ } -+ - if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) { - /* - * SessionSetupAndX was introduced by LANMAN 1.0. So we skip --- -2.25.1 - diff --git a/SOURCES/CVE-2020-25717.patch b/SOURCES/CVE-2020-25717.patch deleted file mode 100644 index 7ffaa23..0000000 --- a/SOURCES/CVE-2020-25717.patch +++ /dev/null @@ -1,3771 +0,0 @@ -From 5ec536b3549edf118d2f88ca8a9265878a7c9fc5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 18:04:55 +0200 -Subject: [PATCH 01/39] selftest/Samba3: remove unused close(USERMAP); calls - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett - -[abartlet@samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c - as offline login tests are not in Samba 4.14] ---- - selftest/target/Samba3.pm | 4 ---- - 1 file changed, 4 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b0910433940..914b8d40c89 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -771,7 +771,6 @@ sub provision_ad_member - - mkdir($_, 0777) foreach(@dirs); - -- close(USERMAP); - $ret->{DOMAIN} = $dcvars->{DOMAIN}; - $ret->{REALM} = $dcvars->{REALM}; - $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -920,7 +919,6 @@ sub setup_ad_member_rfc2307 - - $ret or return undef; - -- close(USERMAP); - $ret->{DOMAIN} = $dcvars->{DOMAIN}; - $ret->{REALM} = $dcvars->{REALM}; - $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -1018,7 +1016,6 @@ sub setup_ad_member_idmap_rid - - $ret or return undef; - -- close(USERMAP); - $ret->{DOMAIN} = $dcvars->{DOMAIN}; - $ret->{REALM} = $dcvars->{REALM}; - $ret->{DOMSID} = $dcvars->{DOMSID}; -@@ -1118,7 +1115,6 @@ sub setup_ad_member_idmap_ad - - $ret or return undef; - -- close(USERMAP); - $ret->{DOMAIN} = $dcvars->{DOMAIN}; - $ret->{REALM} = $dcvars->{REALM}; - $ret->{DOMSID} = $dcvars->{DOMSID}; --- -2.33.1 - - -From 6ad8a242a682abd7baa1e4d3672bb24c9e65ab0b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 5 Oct 2021 16:42:00 +0200 -Subject: [PATCH 02/39] selftest/Samba3: replace (winbindd => "yes", skip_wait - => 1) with (winbindd => "offline") - -This is much more flexible and concentrates the logic in a single place. - -We'll use winbindd => "offline" in other places soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de) ---- - selftest/target/Samba3.pm | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 914b8d40c89..9534d06b597 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -827,7 +827,7 @@ sub provision_ad_member - nmbd => "yes", - winbindd => "yes", - smbd => "yes")) { -- return undef; -+ return undef; - } - - $ret->{DC_SERVER} = $dcvars->{SERVER}; -@@ -1909,7 +1909,7 @@ sub check_or_start($$) { - LOG_FILE => $env_vars->{WINBINDD_TEST_LOG}, - PCAP_FILE => "env-$ENV{ENVNAME}-winbindd", - }; -- if ($winbindd ne "yes") { -+ if ($winbindd ne "yes" and $winbindd ne "offline") { - $daemon_ctx->{SKIP_DAEMON} = 1; - } - -@@ -3130,13 +3130,17 @@ sub wait_for_start($$$$$) - } - } - -- if ($winbindd eq "yes") { -+ if ($winbindd eq "yes" or $winbindd eq "offline") { - print "checking for winbindd\n"; - my $count = 0; - $cmd = "SELFTEST_WINBINDD_SOCKET_DIR='$envvars->{SELFTEST_WINBINDD_SOCKET_DIR}' "; - $cmd .= "NSS_WRAPPER_PASSWD='$envvars->{NSS_WRAPPER_PASSWD}' "; - $cmd .= "NSS_WRAPPER_GROUP='$envvars->{NSS_WRAPPER_GROUP}' "; -- $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; -+ if ($winbindd eq "yes") { -+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping-dc"; -+ } elsif ($winbindd eq "offline") { -+ $cmd .= Samba::bindir_path($self, "wbinfo") . " --ping"; -+ } - - do { - $ret = system($cmd); --- -2.33.1 - - -From c25f4625813b0f7f3baf33ce17c3d6691c9fd602 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 11 May 2021 17:59:51 +0200 -Subject: [PATCH 03/39] CVE-2020-25717 selftest: Pass down the machine account - name to provision_ad_member - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit fbe68dcbb783409589cdefd8ee551c9971c51f08) - -Needed as preparation for CVE-2020-25717 ---- - selftest/target/Samba.pm | 1 + - selftest/target/Samba3.pm | 10 ++++++++-- - 2 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm -index 5a7efa9c280..d48ac2c64a1 100644 ---- a/selftest/target/Samba.pm -+++ b/selftest/target/Samba.pm -@@ -588,6 +588,7 @@ sub get_interface($) - addcsmb1 => 54, - lclnt4dc2smb1 => 55, - fipsdc => 56, -+ fipsadmember => 57, - - rootdnsforwarder => 64, - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 9534d06b597..4686f5d36aa 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -646,6 +646,7 @@ sub provision_ad_member - { - my ($self, - $prefix, -+ $machine_account, - $dcvars, - $trustvars_f, - $trustvars_e, -@@ -762,7 +763,7 @@ sub provision_ad_member - prefix => $prefix, - domain => $dcvars->{DOMAIN}, - realm => $dcvars->{REALM}, -- server => "LOCALADMEMBER", -+ server => $machine_account, - password => "loCalMemberPass", - extra_options => $member_options, - resolv_conf => $dcvars->{RESOLV_CONF}); -@@ -876,7 +877,11 @@ sub setup_ad_member - - print "PROVISIONING AD MEMBER..."; - -- return $self->provision_ad_member($prefix, $dcvars, $trustvars_f, $trustvars_e); -+ return $self->provision_ad_member($prefix, -+ "LOCALADMEMBER", -+ $dcvars, -+ $trustvars_f, -+ $trustvars_e); - } - - sub setup_ad_member_rfc2307 -@@ -1199,6 +1204,7 @@ sub setup_ad_member_fips - print "PROVISIONING AD FIPS MEMBER..."; - - return $self->provision_ad_member($prefix, -+ "FIPSADMEMBER", - $dcvars, - $trustvars_f, - $trustvars_e, --- -2.33.1 - - -From 449503537d409f5774433ea19f520f560bfff981 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 10 Jun 2021 16:20:28 +0200 -Subject: [PATCH 04/39] CVE-2020-25717 selftest: Only set netbios aliases for - the ad_member env - -The provision_ad_member() function is reused by different -setup_ad_member*() functions. Each environment needs to have unique -netbios aliases as they are all in the same network. -The aliases should only be set for the 'ad_member' environment. - -Signed-Off-By: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Fri Jun 11 01:26:36 UTC 2021 on sn-devel-184 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit e165dcc770ec58c3749d653d6cb85f6ecf9479d6) ---- - selftest/target/Samba3.pm | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 4686f5d36aa..5c0f71757ef 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -682,11 +682,17 @@ sub provision_ad_member - $substitution_path = "$share_dir/D_$dcvars->{DOMAIN}/u_$dcvars->{DOMAIN}/alice/g_$dcvars->{DOMAIN}/domain users"; - push(@dirs, $substitution_path); - -+ -+ my $netbios_aliases = ""; -+ if ($machine_account eq "LOCALADMEMBER") { -+ $netbios_aliases = "netbios aliases = foo bar"; -+ } -+ - my $member_options = " - security = ads - workgroup = $dcvars->{DOMAIN} - realm = $dcvars->{REALM} -- netbios aliases = foo bar -+ $netbios_aliases - template homedir = /home/%D/%G/%U - auth event notification = true - password server = $dcvars->{SERVER} --- -2.33.1 - - -From 930722757311af95dbd516222e21a4a107f11ce4 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 14 Apr 2021 10:05:59 +0200 -Subject: [PATCH 05/39] CVE-2020-25717 auth3: Simplify check_samba4_security() - -First set up "server_info" in a local variable and once it's fully set -up, assign it to the out parameter "pserver_info". - -Pointer dereferencing obfuscates the code for me. - -Signed-off-by: Volker Lendecke -Reviewed-by: Jeremy Allison - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit 062a0c14c6ee0b74e7619af73747df59c5e67672) ---- - source3/auth/auth_samba4.c | 29 +++++++++++++++++------------ - 1 file changed, 17 insertions(+), 12 deletions(-) - -diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c -index 0a7c67be232..ac141354747 100644 ---- a/source3/auth/auth_samba4.c -+++ b/source3/auth/auth_samba4.c -@@ -108,11 +108,12 @@ static struct server_id *new_server_id_task(TALLOC_CTX *mem_ctx) - * services the AD DC. It is tested via pdbtest. - */ - --static NTSTATUS check_samba4_security(const struct auth_context *auth_context, -- void *my_private_data, -- TALLOC_CTX *mem_ctx, -- const struct auth_usersupplied_info *user_info, -- struct auth_serversupplied_info **server_info) -+static NTSTATUS check_samba4_security( -+ const struct auth_context *auth_context, -+ void *my_private_data, -+ TALLOC_CTX *mem_ctx, -+ const struct auth_usersupplied_info *user_info, -+ struct auth_serversupplied_info **pserver_info) - { - TALLOC_CTX *frame = talloc_stackframe(); - struct netr_SamInfo3 *info3 = NULL; -@@ -120,6 +121,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, - struct auth_user_info_dc *user_info_dc; - struct auth4_context *auth4_context; - uint8_t authoritative = 0; -+ struct auth_serversupplied_info *server_info = NULL; - - nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); - if (!NT_STATUS_IS_OK(nt_status)) { -@@ -161,17 +163,19 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, - } - - if (user_info->flags & USER_INFO_INFO3_AND_NO_AUTHZ) { -- *server_info = make_server_info(mem_ctx); -- if (*server_info == NULL) { -+ server_info = make_server_info(mem_ctx); -+ if (server_info == NULL) { - nt_status = NT_STATUS_NO_MEMORY; - goto done; - } -- (*server_info)->info3 = talloc_steal(*server_info, info3); -- -+ server_info->info3 = talloc_move(server_info, &info3); - } else { -- nt_status = make_server_info_info3(mem_ctx, user_info->client.account_name, -- user_info->mapped.domain_name, server_info, -- info3); -+ nt_status = make_server_info_info3( -+ mem_ctx, -+ user_info->client.account_name, -+ user_info->mapped.domain_name, -+ &server_info, -+ info3); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("make_server_info_info3 failed: %s\n", - nt_errstr(nt_status))); -@@ -179,6 +183,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, - } - } - -+ *pserver_info = server_info; - nt_status = NT_STATUS_OK; - - done: --- -2.33.1 - - -From bf52e64053a0f4369d005782d2f9a75d03328ddb Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 13 Apr 2021 15:14:01 +0000 -Subject: [PATCH 06/39] CVE-2020-25717 auth: Simplify DEBUG statements in - make_auth3_context_for_ntlm() - -Signed-off-by: Volker Lendecke -Reviewed-by: Jeremy Allison - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit 8536bf7fce41c43bbed25f7ed4ce5775a1b9c0d5) ---- - source3/auth/auth.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/source3/auth/auth.c b/source3/auth/auth.c -index fa73c4e4db2..6d2a40f0f29 100644 ---- a/source3/auth/auth.c -+++ b/source3/auth/auth.c -@@ -530,28 +530,28 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx, - struct auth_context **auth_context) - { - const char *methods = NULL; -+ const char *role = NULL; - - switch (lp_server_role()) { - case ROLE_ACTIVE_DIRECTORY_DC: -- DEBUG(5,("Making default auth method list for server role = " -- "'active directory domain controller'\n")); -+ role = "'active directory domain controller'"; - methods = "samba4"; - break; - case ROLE_DOMAIN_MEMBER: -- DEBUG(5,("Making default auth method list for server role = 'domain member'\n")); -+ role = "'domain member'"; - methods = "anonymous sam winbind sam_ignoredomain"; - break; - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: -- DEBUG(5,("Making default auth method list for DC\n")); -+ role = "'DC'"; - methods = "anonymous sam winbind sam_ignoredomain"; - break; - case ROLE_STANDALONE: -- DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = yes\n")); - if (lp_encrypt_passwords()) { -+ role = "'standalone server', encrypt passwords = yes"; - methods = "anonymous sam_ignoredomain"; - } else { -- DEBUG(5,("Making default auth method list for server role = 'standalone server', encrypt passwords = no\n")); -+ role = "'standalone server', encrypt passwords = no"; - methods = "anonymous unix"; - } - break; -@@ -560,6 +560,9 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx, - return NT_STATUS_UNSUCCESSFUL; - } - -+ DBG_INFO("Making default auth method list for server role = %s\n", -+ role); -+ - return make_auth_context_specific(mem_ctx, auth_context, methods); - } - --- -2.33.1 - - -From fe1188475e15269321a62b4d11cc520e5b7d0c6e Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 14 Apr 2021 21:48:32 +0200 -Subject: [PATCH 07/39] CVE-2020-25717 auth4: Make auth_anonymous pseudo-async - -Signed-off-by: Volker Lendecke -Reviewed-by: Andrew Bartlett - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit 759573136876ef2b1b1c7484f99570d7de957e0d) ---- - source4/auth/ntlm/auth_anonymous.c | 66 ++++++++++++++++++++++++++---- - source4/auth/ntlm/wscript_build | 2 +- - 2 files changed, 58 insertions(+), 10 deletions(-) - -diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c -index 83aeb431f5f..a25aacaa137 100644 ---- a/source4/auth/ntlm/auth_anonymous.c -+++ b/source4/auth/ntlm/auth_anonymous.c -@@ -20,9 +20,11 @@ - */ - - #include "includes.h" -+#include - #include "auth/auth.h" - #include "auth/ntlm/auth_proto.h" - #include "param/param.h" -+#include "lib/util/tevent_ntstatus.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -84,19 +86,65 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, - * anonymou logons to be dealt with in one place. Non-anonymou logons 'fail' - * and pass onto the next module. - **/ --static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, -- TALLOC_CTX *mem_ctx, -- const struct auth_usersupplied_info *user_info, -- struct auth_user_info_dc **_user_info_dc, -- bool *authoritative) -+ -+struct anonymous_check_password_state { -+ struct auth_user_info_dc *user_info_dc; -+}; -+ -+static struct tevent_req *anonymous_check_password_send( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct auth_method_context *ctx, -+ const struct auth_usersupplied_info *user_info) -+{ -+ struct tevent_req *req = NULL; -+ struct anonymous_check_password_state *state = NULL; -+ NTSTATUS status; -+ -+ req = tevent_req_create( -+ mem_ctx, -+ &state, -+ struct anonymous_check_password_state); -+ if (req == NULL) { -+ return NULL; -+ } -+ -+ status = auth_anonymous_user_info_dc( -+ state, -+ lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), -+ &state->user_info_dc); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); -+ } -+ tevent_req_done(req); -+ return tevent_req_post(req, ev); -+} -+ -+static NTSTATUS anonymous_check_password_recv( -+ struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct auth_user_info_dc **interim_info, -+ bool *authoritative) - { -- return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc); -+ struct anonymous_check_password_state *state = tevent_req_data( -+ req, struct anonymous_check_password_state); -+ NTSTATUS status; -+ -+ if (tevent_req_is_nterror(req, &status)) { -+ tevent_req_received(req); -+ return status; -+ } -+ *interim_info = talloc_move(mem_ctx, &state->user_info_dc); -+ tevent_req_received(req); -+ return NT_STATUS_OK; - } - -+ - static const struct auth_operations anonymous_auth_ops = { -- .name = "anonymous", -- .want_check = anonymous_want_check, -- .check_password = anonymous_check_password -+ .name = "anonymous", -+ .want_check = anonymous_want_check, -+ .check_password_send = anonymous_check_password_send, -+ .check_password_recv = anonymous_check_password_recv, - }; - - _PUBLIC_ NTSTATUS auth4_anonymous_init(TALLOC_CTX *ctx) -diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build -index 04a760c3e49..6ea0c4d7e3a 100644 ---- a/source4/auth/ntlm/wscript_build -+++ b/source4/auth/ntlm/wscript_build -@@ -12,7 +12,7 @@ bld.SAMBA_MODULE('auth4_anonymous', - source='auth_anonymous.c', - subsystem='auth4', - init_function='auth4_anonymous_init', -- deps='talloc' -+ deps='tevent' - ) - - --- -2.33.1 - - -From c72dd26cd46ca9dc7e68649f444accf0da9b7d51 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 14 Apr 2021 22:22:18 +0200 -Subject: [PATCH 08/39] CVE-2020-25717 auth4: Make auth_developer pseudo-async - -This is a simpler approach to really just wrap the code. - -Signed-off-by: Volker Lendecke -Reviewed-by: Andrew Bartlett - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit 43a1e42815718591faa8d526319b96d089a758fa) ---- - source4/auth/ntlm/auth_developer.c | 61 +++++++++++++++++++++++++++++- - source4/auth/ntlm/wscript_build | 2 +- - 2 files changed, 61 insertions(+), 2 deletions(-) - -diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c -index 209786b63b2..1823989c68d 100644 ---- a/source4/auth/ntlm/auth_developer.c -+++ b/source4/auth/ntlm/auth_developer.c -@@ -20,9 +20,11 @@ - */ - - #include "includes.h" -+#include - #include "auth/auth.h" - #include "auth/ntlm/auth_proto.h" - #include "libcli/security/security.h" -+#include "lib/util/tevent_ntstatus.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -137,10 +139,67 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, - return nt_status; - } - -+struct name_to_ntstatus_check_password_state { -+ struct auth_user_info_dc *user_info_dc; -+ bool authoritative; -+}; -+ -+static struct tevent_req *name_to_ntstatus_check_password_send( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct auth_method_context *ctx, -+ const struct auth_usersupplied_info *user_info) -+{ -+ struct tevent_req *req = NULL; -+ struct name_to_ntstatus_check_password_state *state = NULL; -+ NTSTATUS status; -+ -+ req = tevent_req_create( -+ mem_ctx, -+ &state, -+ struct name_to_ntstatus_check_password_state); -+ if (req == NULL) { -+ return NULL; -+ } -+ -+ status = name_to_ntstatus_check_password( -+ ctx, -+ state, -+ user_info, -+ &state->user_info_dc, -+ &state->authoritative); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); -+ } -+ tevent_req_done(req); -+ return tevent_req_post(req, ev); -+} -+ -+static NTSTATUS name_to_ntstatus_check_password_recv( -+ struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct auth_user_info_dc **interim_info, -+ bool *authoritative) -+{ -+ struct name_to_ntstatus_check_password_state *state = tevent_req_data( -+ req, struct name_to_ntstatus_check_password_state); -+ NTSTATUS status; -+ -+ if (tevent_req_is_nterror(req, &status)) { -+ tevent_req_received(req); -+ return status; -+ } -+ *interim_info = talloc_move(mem_ctx, &state->user_info_dc); -+ *authoritative = state->authoritative; -+ tevent_req_received(req); -+ return NT_STATUS_OK; -+} -+ - static const struct auth_operations name_to_ntstatus_auth_ops = { - .name = "name_to_ntstatus", - .want_check = name_to_ntstatus_want_check, -- .check_password = name_to_ntstatus_check_password -+ .check_password_send = name_to_ntstatus_check_password_send, -+ .check_password_recv = name_to_ntstatus_check_password_recv, - }; - - _PUBLIC_ NTSTATUS auth4_developer_init(TALLOC_CTX *ctx) -diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build -index 6ea0c4d7e3a..1ee8d79563a 100644 ---- a/source4/auth/ntlm/wscript_build -+++ b/source4/auth/ntlm/wscript_build -@@ -28,7 +28,7 @@ bld.SAMBA_MODULE('auth4_developer', - source='auth_developer.c', - subsystem='auth4', - init_function='auth4_developer_init', -- deps='talloc' -+ deps='tevent' - ) - - --- -2.33.1 - - -From a5f3c5d48c490c637cf4e5854dbd01a585c9c0eb Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 14 Apr 2021 21:59:55 +0200 -Subject: [PATCH 09/39] CVE-2020-25717 auth4: Make auth_unix pseudo-async - -Signed-off-by: Volker Lendecke -Reviewed-by: Andrew Bartlett - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit a6f42ab8a778b9863990da3112c2e868cd006303) ---- - source4/auth/ntlm/auth_unix.c | 85 ++++++++++++++++++++++++----------- - 1 file changed, 59 insertions(+), 26 deletions(-) - -diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c -index 67cd5f3dc44..cfe4f1a073f 100644 ---- a/source4/auth/ntlm/auth_unix.c -+++ b/source4/auth/ntlm/auth_unix.c -@@ -27,6 +27,7 @@ - #include "lib/tsocket/tsocket.h" - #include "../libcli/auth/pam_errors.h" - #include "param/param.h" -+#include "lib/util/tevent_ntstatus.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -713,46 +714,78 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx, - return NT_STATUS_OK; - } - --static NTSTATUS authunix_check_password(struct auth_method_context *ctx, -- TALLOC_CTX *mem_ctx, -- const struct auth_usersupplied_info *user_info, -- struct auth_user_info_dc **user_info_dc, -- bool *authoritative) -+struct authunix_check_password_state { -+ struct auth_user_info_dc *user_info_dc; -+}; -+ -+static struct tevent_req *authunix_check_password_send( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct auth_method_context *ctx, -+ const struct auth_usersupplied_info *user_info) - { -- TALLOC_CTX *check_ctx; -- NTSTATUS nt_status; -- struct passwd *pwd; -+ struct tevent_req *req = NULL; -+ struct authunix_check_password_state *state = NULL; -+ struct passwd *pwd = NULL; -+ NTSTATUS status; - -- if (user_info->password_state != AUTH_PASSWORD_PLAIN) { -- return NT_STATUS_INVALID_PARAMETER; -+ req = tevent_req_create( -+ mem_ctx, -+ &state, -+ struct authunix_check_password_state); -+ if (req == NULL) { -+ return NULL; - } - -- check_ctx = talloc_named_const(mem_ctx, 0, "check_unix_password"); -- if (check_ctx == NULL) { -- return NT_STATUS_NO_MEMORY; -+ if (user_info->password_state != AUTH_PASSWORD_PLAIN) { -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ return tevent_req_post(req, ev); - } - -- nt_status = check_unix_password(check_ctx, ctx->auth_ctx->lp_ctx, user_info, &pwd); -- if (!NT_STATUS_IS_OK(nt_status)) { -- talloc_free(check_ctx); -- return nt_status; -+ status = check_unix_password( -+ state, ctx->auth_ctx->lp_ctx, user_info, &pwd); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); - } - -- nt_status = authunix_make_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), -- user_info, pwd, user_info_dc); -- if (!NT_STATUS_IS_OK(nt_status)) { -- talloc_free(check_ctx); -- return nt_status; -+ status = authunix_make_user_info_dc( -+ state, -+ lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), -+ user_info, -+ pwd, -+ &state->user_info_dc); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); - } - -- talloc_free(check_ctx); -+ tevent_req_done(req); -+ return tevent_req_post(req, ev); -+} -+ -+static NTSTATUS authunix_check_password_recv( -+ struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct auth_user_info_dc **interim_info, -+ bool *authoritative) -+{ -+ struct authunix_check_password_state *state = tevent_req_data( -+ req, struct authunix_check_password_state); -+ NTSTATUS status; -+ -+ if (tevent_req_is_nterror(req, &status)) { -+ tevent_req_received(req); -+ return status; -+ } -+ *interim_info = talloc_move(mem_ctx, &state->user_info_dc); -+ tevent_req_received(req); - return NT_STATUS_OK; - } - - static const struct auth_operations unix_ops = { -- .name = "unix", -- .want_check = authunix_want_check, -- .check_password = authunix_check_password -+ .name = "unix", -+ .want_check = authunix_want_check, -+ .check_password_send = authunix_check_password_send, -+ .check_password_recv = authunix_check_password_recv, - }; - - _PUBLIC_ NTSTATUS auth4_unix_init(TALLOC_CTX *ctx) --- -2.33.1 - - -From e655b408ee2bf4fb4535140c03dd1d795be861dd Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Thu, 15 Apr 2021 10:04:21 +0200 -Subject: [PATCH 10/39] CVE-2020-25717 auth4: Make auth_sam pseudo-async - -Signed-off-by: Volker Lendecke -Reviewed-by: Andrew Bartlett - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit f852fb4cd4e2bcd676a9ea104c5bf00979771eed) ---- - source4/auth/ntlm/auth_sam.c | 69 ++++++++++++++++++++++++++++++++++-- - 1 file changed, 67 insertions(+), 2 deletions(-) - -diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c -index c5b27171937..a521bc94bc4 100644 ---- a/source4/auth/ntlm/auth_sam.c -+++ b/source4/auth/ntlm/auth_sam.c -@@ -36,6 +36,7 @@ - #include "lib/messaging/irpc.h" - #include "libcli/auth/libcli_auth.h" - #include "libds/common/roles.h" -+#include "lib/util/tevent_ntstatus.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -733,6 +734,68 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx - return NT_STATUS_OK; - } - -+struct authsam_check_password_state { -+ struct auth_user_info_dc *user_info_dc; -+ bool authoritative; -+}; -+ -+static struct tevent_req *authsam_check_password_send( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct auth_method_context *ctx, -+ const struct auth_usersupplied_info *user_info) -+{ -+ struct tevent_req *req = NULL; -+ struct authsam_check_password_state *state = NULL; -+ NTSTATUS status; -+ -+ req = tevent_req_create( -+ mem_ctx, &state, struct authsam_check_password_state); -+ if (req == NULL) { -+ return NULL; -+ } -+ /* -+ * authsam_check_password_internals() sets this to false in -+ * the rodc case, otherwise it leaves it untouched. Default to -+ * "we're authoritative". -+ */ -+ state->authoritative = true; -+ -+ status = authsam_check_password_internals( -+ ctx, -+ state, -+ user_info, -+ &state->user_info_dc, -+ &state->authoritative); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); -+ } -+ -+ tevent_req_done(req); -+ return tevent_req_post(req, ev); -+} -+ -+static NTSTATUS authsam_check_password_recv( -+ struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct auth_user_info_dc **interim_info, -+ bool *authoritative) -+{ -+ struct authsam_check_password_state *state = tevent_req_data( -+ req, struct authsam_check_password_state); -+ NTSTATUS status; -+ -+ *authoritative = state->authoritative; -+ -+ if (tevent_req_is_nterror(req, &status)) { -+ tevent_req_received(req); -+ return status; -+ } -+ *interim_info = talloc_move(mem_ctx, &state->user_info_dc); -+ tevent_req_received(req); -+ return NT_STATUS_OK; -+} -+ - static NTSTATUS authsam_ignoredomain_want_check(struct auth_method_context *ctx, - TALLOC_CTX *mem_ctx, - const struct auth_usersupplied_info *user_info) -@@ -888,14 +951,16 @@ static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, - static const struct auth_operations sam_ignoredomain_ops = { - .name = "sam_ignoredomain", - .want_check = authsam_ignoredomain_want_check, -- .check_password = authsam_check_password_internals, -+ .check_password_send = authsam_check_password_send, -+ .check_password_recv = authsam_check_password_recv, - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, - }; - - static const struct auth_operations sam_ops = { - .name = "sam", - .want_check = authsam_want_check, -- .check_password = authsam_check_password_internals, -+ .check_password_send = authsam_check_password_send, -+ .check_password_recv = authsam_check_password_recv, - .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, - }; - --- -2.33.1 - - -From 61e6c5f7c5d1df83350ae4969a1f365b4302a240 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 14 Apr 2021 22:24:44 +0200 -Subject: [PATCH 11/39] CVE-2020-25717 auth4: Remove sync check_password from - auth_operations - -Remove complexity in the data structures, and pushes the async-ness -one level down. - -Signed-off-by: Volker Lendecke -Reviewed-by: Andrew Bartlett - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -(cherry picked from commit 254af19ba89b4c42e5f45ec731e6577d2fcc6736) ---- - source4/auth/auth.h | 4 ---- - source4/auth/ntlm/auth.c | 44 ++++------------------------------------ - 2 files changed, 4 insertions(+), 44 deletions(-) - -diff --git a/source4/auth/auth.h b/source4/auth/auth.h -index 51895c9259f..3f9fb1ae3cb 100644 ---- a/source4/auth/auth.h -+++ b/source4/auth/auth.h -@@ -61,10 +61,6 @@ struct auth_operations { - - /* Given the user supplied info, check a password */ - -- NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, -- const struct auth_usersupplied_info *user_info, -- struct auth_user_info_dc **interim_info, -- bool *authoritative); - struct tevent_req *(*check_password_send)(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct auth_method_context *ctx, -diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c -index 75cf12c5742..e54eb7719f5 100644 ---- a/source4/auth/ntlm/auth.c -+++ b/source4/auth/ntlm/auth.c -@@ -332,7 +332,6 @@ static void auth_check_password_next(struct tevent_req *req) - struct auth_check_password_state *state = - tevent_req_data(req, struct auth_check_password_state); - struct tevent_req *subreq = NULL; -- bool authoritative = true; - NTSTATUS status; - - if (state->method == NULL) { -@@ -357,47 +356,12 @@ static void auth_check_password_next(struct tevent_req *req) - return; - } - -- if (state->method->ops->check_password_send != NULL) { -- subreq = state->method->ops->check_password_send(state, -- state->ev, -- state->method, -- state->user_info); -- if (tevent_req_nomem(subreq, req)) { -- return; -- } -- tevent_req_set_callback(subreq, -- auth_check_password_done, -- req); -- return; -- } -- -- if (state->method->ops->check_password == NULL) { -- tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); -- return; -- } -- -- status = state->method->ops->check_password(state->method, -- state, -- state->user_info, -- &state->user_info_dc, -- &authoritative); -- if (!authoritative || -- NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { -- DEBUG(11,("auth_check_password_send: " -- "%s passes to the next method\n", -- state->method->ops->name)); -- state->method = state->method->next; -- auth_check_password_next(req); -- return; -- } -- -- /* the backend has handled the request */ -- -- if (tevent_req_nterror(req, status)) { -+ subreq = state->method->ops->check_password_send( -+ state, state->ev, state->method, state->user_info); -+ if (tevent_req_nomem(subreq, req)) { - return; - } -- -- tevent_req_done(req); -+ tevent_req_set_callback(subreq, auth_check_password_done, req); - } - - static void auth_check_password_done(struct tevent_req *subreq) --- -2.33.1 - - -From 557c44fe666b758eebb8ffab2b540722d995f3cd Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 12/39] CVE-2020-25717: s3:winbindd: make sure we default to - r->out.authoritative = true - -We need to make sure that temporary failures don't trigger a fallback -to the local SAM that silently ignores the domain name part for users. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/winbindd/winbindd_dual_srv.c | 7 +++++++ - source3/winbindd/winbindd_irpc.c | 7 +++++++ - source3/winbindd/winbindd_pam.c | 15 +++++++++++---- - source3/winbindd/winbindd_pam_auth_crap.c | 9 ++++++++- - source3/winbindd/winbindd_util.c | 7 +++++++ - 5 files changed, 40 insertions(+), 5 deletions(-) - -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c -index 32d11e1fa57..0be5ae5554b 100644 ---- a/source3/winbindd/winbindd_dual_srv.c -+++ b/source3/winbindd/winbindd_dual_srv.c -@@ -941,6 +941,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p, - union netr_Validation *validation = NULL; - bool interactive = false; - -+ /* -+ * Make sure we start with authoritative=true, -+ * it will only set to false if we don't know the -+ * domain. -+ */ -+ r->out.authoritative = true; -+ - domain = wb_child_domain(); - if (domain == NULL) { - return NT_STATUS_REQUEST_NOT_ACCEPTED; -diff --git a/source3/winbindd/winbindd_irpc.c b/source3/winbindd/winbindd_irpc.c -index e419736010b..918393c0827 100644 ---- a/source3/winbindd/winbindd_irpc.c -+++ b/source3/winbindd/winbindd_irpc.c -@@ -142,6 +142,13 @@ static NTSTATUS wb_irpc_SamLogon(struct irpc_message *msg, - const char *target_domain_name = NULL; - const char *account_name = NULL; - -+ /* -+ * Make sure we start with authoritative=true, -+ * it will only set to false if we don't know the -+ * domain. -+ */ -+ req->out.authoritative = true; -+ - switch (req->in.logon_level) { - case NetlogonInteractiveInformation: - case NetlogonServiceInformation: -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index f27802ee065..f71eb8197a4 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -1799,7 +1799,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon( - { - fstring name_namespace, name_domain, name_user; - NTSTATUS result; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags = 0; - uint16_t validation_level = 0; - union netr_Validation *validation = NULL; -@@ -2453,6 +2453,13 @@ done: - result = NT_STATUS_NO_LOGON_SERVERS; - } - -+ /* -+ * Here we don't alter -+ * state->response->data.auth.authoritative based -+ * on the servers response -+ * as we don't want a fallback to the local sam -+ * for interactive PAM logons -+ */ - set_auth_errors(state->response, result); - - DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", -@@ -2667,7 +2674,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, - const char *name_domain = NULL; - const char *workstation; - uint64_t logon_id = 0; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags = 0; - uint16_t validation_level; - union netr_Validation *validation = NULL; -@@ -2740,7 +2747,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, - &validation_level, - &validation); - if (!NT_STATUS_IS_OK(result)) { -- state->response->data.auth.authoritative = authoritative; - goto done; - } - -@@ -2772,7 +2778,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, - "from firewalled domain [%s]\n", - info3->base.account_name.string, - info3->base.logon_domain.string); -- state->response->data.auth.authoritative = true; - result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED; - goto done; - } -@@ -2794,6 +2799,8 @@ done: - } - - set_auth_errors(state->response, result); -+ state->response->data.auth.authoritative = authoritative; -+ - /* - * Log the winbind pam authentication, the logon_id will tie this to - * any of the logons invoked from this request. -diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c -index dacb6566be6..a6f13806df9 100644 ---- a/source3/winbindd/winbindd_pam_auth_crap.c -+++ b/source3/winbindd/winbindd_pam_auth_crap.c -@@ -26,6 +26,7 @@ - - struct winbindd_pam_auth_crap_state { - struct winbindd_response *response; -+ bool authoritative; - uint32_t flags; - }; - -@@ -47,7 +48,7 @@ struct tevent_req *winbindd_pam_auth_crap_send( - if (req == NULL) { - return NULL; - } -- -+ state->authoritative = true; - state->flags = request->flags; - - if (state->flags & WBFLAG_PAM_AUTH_PAC) { -@@ -126,6 +127,11 @@ struct tevent_req *winbindd_pam_auth_crap_send( - - domain = find_auth_domain(request->flags, auth_domain); - if (domain == NULL) { -+ /* -+ * We don't know the domain so -+ * we're not authoritative -+ */ -+ state->authoritative = false; - tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); - return tevent_req_post(req, ev); - } -@@ -186,6 +192,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req, - - if (tevent_req_is_nterror(req, &status)) { - set_auth_errors(response, status); -+ response->data.auth.authoritative = state->authoritative; - return status; - } - -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index 414b770a271..ac4cd731c09 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -2095,6 +2095,13 @@ void winbindd_unset_locator_kdc_env(const struct winbindd_domain *domain) - - void set_auth_errors(struct winbindd_response *resp, NTSTATUS result) - { -+ /* -+ * Make sure we start with authoritative=true, -+ * it will only set to false if we don't know the -+ * domain. -+ */ -+ resp->data.auth.authoritative = true; -+ - resp->data.auth.nt_status = NT_STATUS_V(result); - fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); - --- -2.33.1 - - -From 3733dfeb24e5b58f9d92940573afbcd4a4d418fa Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 13/39] CVE-2020-25717: s4:auth/ntlm: make sure - auth_check_password() defaults to r->out.authoritative = true - -We need to make sure that temporary failures don't trigger a fallback -to the local SAM that silently ignores the domain name part for users. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source4/auth/ntlm/auth.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c -index e54eb7719f5..4c66f2c23cb 100644 ---- a/source4/auth/ntlm/auth.c -+++ b/source4/auth/ntlm/auth.c -@@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx, - /*TODO: create a new event context here! */ - ev = auth_ctx->event_ctx; - -+ /* -+ * We are authoritative by default -+ */ -+ *pauthoritative = 1; -+ - subreq = auth_check_password_send(mem_ctx, - ev, - auth_ctx, --- -2.33.1 - - -From fb466bcff4f42287e2895cf3b1b0dc20776ec607 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 14/39] CVE-2020-25717: s4:torture: start with authoritative = - 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source4/torture/rpc/samlogon.c | 4 ++-- - source4/torture/rpc/schannel.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c -index 76933b8869e..703e25fe3c5 100644 ---- a/source4/torture/rpc/samlogon.c -+++ b/source4/torture/rpc/samlogon.c -@@ -1407,7 +1407,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - - union netr_LogonLevel logon; - union netr_Validation validation; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags = 0; - - ZERO_STRUCT(logon); -@@ -1520,7 +1520,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, - - union netr_LogonLevel logon; - union netr_Validation validation; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - struct dcerpc_binding_handle *b = p->binding_handle; - - ZERO_STRUCT(a); -diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c -index a5755041040..08a5120b66d 100644 ---- a/source4/torture/rpc/schannel.c -+++ b/source4/torture/rpc/schannel.c -@@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, - struct netr_NetworkInfo ninfo; - union netr_LogonLevel logon; - union netr_Validation validation; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t _flags = 0; - DATA_BLOB names_blob, chal, lm_resp, nt_resp; - int i; --- -2.33.1 - - -From 7e3934334f6d532a087db43a308c404d34b81458 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 15/39] CVE-2020-25717: s4:smb_server: start with authoritative - = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source4/smb_server/smb/sesssetup.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c -index 68cdd70feff..8428ca3fabb 100644 ---- a/source4/smb_server/smb/sesssetup.c -+++ b/source4/smb_server/smb/sesssetup.c -@@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq) - struct auth_session_info *session_info; - struct smbsrv_session *smb_sess; - NTSTATUS status; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags; - - status = auth_check_password_recv(subreq, req, &user_info_dc, -@@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq) - struct auth_user_info_dc *user_info_dc = NULL; - struct auth_session_info *session_info; - struct smbsrv_session *smb_sess; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags; - NTSTATUS status; - --- -2.33.1 - - -From c4a595518b453ecc5c0e2bfe7ba2cf531ea37e13 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 16/39] CVE-2020-25717: s4:auth_simple: start with - authoritative = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source4/auth/ntlm/auth_simple.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c -index 8df160cefc3..8301aec519c 100644 ---- a/source4/auth/ntlm/auth_simple.c -+++ b/source4/auth/ntlm/auth_simple.c -@@ -150,7 +150,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq) - const struct tsocket_address *local_address = user_info->local_host; - const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE; - struct auth_user_info_dc *user_info_dc = NULL; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags = 0; - NTSTATUS nt_status; - --- -2.33.1 - - -From 0e32b75b21d5daf08fffbe25b6c40197ed04cbf8 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 17/39] CVE-2020-25717: s3:ntlm_auth: start with authoritative - = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/utils/ntlm_auth.c | 4 ++-- - source3/utils/ntlm_auth_diagnostics.c | 10 +++++----- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 0370803167f..b3ab3a473bf 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -1927,7 +1927,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod - TALLOC_FREE(mem_ctx); - - } else { -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - - if (!domain) { - domain = smb_xstrdup(get_winbind_domain()); -@@ -2443,7 +2443,7 @@ static bool check_auth_crap(void) - char *hex_lm_key; - char *hex_user_session_key; - char *error_string; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - - setbuf(stdout, NULL); - -diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c -index 41591a8de33..fc0fc19bacb 100644 ---- a/source3/utils/ntlm_auth_diagnostics.c -+++ b/source3/utils/ntlm_auth_diagnostics.c -@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which) - DATA_BLOB lm_response = data_blob(NULL, 24); - DATA_BLOB nt_response = data_blob(NULL, 24); - DATA_BLOB session_key = data_blob(NULL, 16); -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uchar lm_key[8]; - uchar user_session_key[16]; - uchar lm_hash[16]; -@@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void) - NTSTATUS nt_status; - uint32_t flags = 0; - DATA_BLOB nt_response = data_blob(NULL, 24); -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uchar lm_key[8]; - uchar lm_hash[16]; - uchar user_session_key[16]; -@@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void) - uint32_t flags = 0; - DATA_BLOB nt_response = data_blob(NULL, 24); - DATA_BLOB session_key = data_blob(NULL, 16); -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint8_t lm_key[8]; - uint8_t lm_hash[16]; - uint8_t user_session_key[16]; -@@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which) - DATA_BLOB lmv2_response = data_blob_null; - DATA_BLOB ntlmv2_session_key = data_blob_null; - DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain()); -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uchar user_session_key[16]; - DATA_BLOB chall = get_challenge(); - char *error_string; -@@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which) - char *password; - smb_ucs2_t *nt_response_ucs2; - size_t converted_size; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uchar user_session_key[16]; - uchar lm_key[16]; - static const uchar zeros[8] = { 0, }; --- -2.33.1 - - -From aa52008a73b9960acbb6b39684c5c460480e365b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 18/39] CVE-2020-25717: s3:torture: start with authoritative = - 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/torture/pdbtest.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c -index 5d74aa9ab78..b300504c4cb 100644 ---- a/source3/torture/pdbtest.c -+++ b/source3/torture/pdbtest.c -@@ -277,7 +277,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) - struct netr_SamInfo6 *info6_wbc = NULL; - NTSTATUS status; - bool ok; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - int rc; - - rc = SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, --- -2.33.1 - - -From 9c133372ac3687e9316f1b76fdbcc9d95d54db42 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 19/39] CVE-2020-25717: s3:rpcclient: start with authoritative - = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/rpcclient/cmd_netlogon.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c -index d5c1b91f2be..4ea63e40b8d 100644 ---- a/source3/rpcclient/cmd_netlogon.c -+++ b/source3/rpcclient/cmd_netlogon.c -@@ -496,7 +496,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli, - uint32_t logon_param = 0; - const char *workstation = NULL; - struct netr_SamInfo3 *info3 = NULL; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - uint32_t flags = 0; - uint16_t validation_level; - union netr_Validation *validation = NULL; --- -2.33.1 - - -From 7a2bf7eb4be1c7988bfe14dbbf297f79a05220ad Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 20/39] CVE-2020-25717: s3:auth: start with authoritative = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 2 +- - source3/auth/auth_samba4.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index e62585e919c..57281874b35 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -416,7 +416,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context, - { - NTSTATUS nt_status; - void *server_info; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - struct tevent_context *ev = NULL; - struct tevent_req *subreq = NULL; - bool ok; -diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c -index ac141354747..fde78d5e74e 100644 ---- a/source3/auth/auth_samba4.c -+++ b/source3/auth/auth_samba4.c -@@ -120,7 +120,7 @@ static NTSTATUS check_samba4_security( - NTSTATUS nt_status; - struct auth_user_info_dc *user_info_dc; - struct auth4_context *auth4_context; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - struct auth_serversupplied_info *server_info = NULL; - - nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); --- -2.33.1 - - -From 97f2108d84017998d2612139b787fdb674c235e2 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 21/39] CVE-2020-25717: auth/ntlmssp: start with authoritative - = 1 - -This is not strictly needed, but makes it easier to audit -that we don't miss important places. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - auth/ntlmssp/ntlmssp_server.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c -index 001238278d7..939aa0ef4aa 100644 ---- a/auth/ntlmssp/ntlmssp_server.c -+++ b/auth/ntlmssp/ntlmssp_server.c -@@ -799,7 +799,7 @@ static void ntlmssp_server_auth_done(struct tevent_req *subreq) - struct gensec_security *gensec_security = state->gensec_security; - struct gensec_ntlmssp_context *gensec_ntlmssp = state->gensec_ntlmssp; - struct auth4_context *auth_context = gensec_security->auth_context; -- uint8_t authoritative = 0; -+ uint8_t authoritative = 1; - NTSTATUS status; - - status = auth_context->check_ntlm_password_recv(subreq, --- -2.33.1 - - -From 59e3ccaaced1fa3f7db250d44c7e9a94070d583b Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 28 Sep 2021 10:43:40 +0200 -Subject: [PATCH 22/39] CVE-2020-25717: loadparm: Add new parameter "min domain - uid" - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Samuel Cabrero -Signed-off-by: Stefan Metzmacher - -[abartlet@samba.org Backported from master/4.15 due to - conflicts with other new parameters] ---- - docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++ - docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++ - lib/param/loadparm.c | 4 ++++ - source3/param/loadparm.c | 2 ++ - 4 files changed, 27 insertions(+) - create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml - -diff --git a/docs-xml/smbdotconf/security/mindomainuid.xml b/docs-xml/smbdotconf/security/mindomainuid.xml -new file mode 100644 -index 00000000000..46ae795d730 ---- /dev/null -+++ b/docs-xml/smbdotconf/security/mindomainuid.xml -@@ -0,0 +1,17 @@ -+ -+ -+ -+ The integer parameter specifies the minimum uid allowed when mapping a -+ local account to a domain account. -+ -+ -+ -+ Note that this option interacts with the configured idmap ranges! -+ -+ -+ -+1000 -+ -diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml -index 1374040fb29..f70f11df757 100644 ---- a/docs-xml/smbdotconf/winbind/idmapconfig.xml -+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml -@@ -80,6 +80,9 @@ - authoritative for a unix ID to SID mapping, so it must be set - for each individually configured domain and for the default - configuration. The configured ranges must be mutually disjoint. -+ -+ -+ Note that the low value interacts with the option! - - - -@@ -115,4 +118,5 @@ - - - -+min domain uid - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 3548c47d857..eedfa00bcb0 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -3090,6 +3090,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - "client smb encrypt", - "default"); - -+ lpcfg_do_global_parameter(lp_ctx, -+ "min domain uid", -+ "1000"); -+ - for (i = 0; parm_table[i].label; i++) { - if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { - lp_ctx->flags[i] |= FLAG_DEFAULT; -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index acb4d149f0b..300b539748b 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -967,6 +967,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - - Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT; - -+ Globals.min_domain_uid = 1000; -+ - /* Now put back the settings that were set with lp_set_cmdline() */ - apply_lp_set_cmdline(); - } --- -2.33.1 - - -From 977bbda9fed9362bfa46e541c8cdb9666d43b57a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 19:57:18 +0200 -Subject: [PATCH 23/39] CVE-2020-25717: s3:auth: let - auth3_generate_session_info_pac() forward the low level errors - -Mapping everything to ACCESS_DENIED makes it hard to debug problems, -which may happen because of our more restrictive behaviour in future. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index 57281874b35..f6a501f1df7 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", - nt_errstr(status))); -- status = NT_STATUS_ACCESS_DENIED; -+ status = nt_status_squash(status); - goto done; - } - --- -2.33.1 - - -From ed88e24afbf85cc6a61c236604f3fc43a10f0d97 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 28 Sep 2021 10:45:11 +0200 -Subject: [PATCH 24/39] CVE-2020-25717: s3:auth: Check minimum domain uid - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Samuel Cabrero -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett - -[abartlet@samba.org Removed knownfail on advice from metze] ---- - source3/auth/auth_util.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 4686b29111e..4de4bc74374 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -2103,6 +2103,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - } - } - goto out; -+ } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) && -+ !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) { -+ /* -+ * !is_myname(domain) because when smbd starts tries to setup -+ * the guest user info, calling this function with nobody -+ * username. Nobody is usually uid 65535 but it can be changed -+ * to a regular user with 'guest account' parameter -+ */ -+ nt_status = NT_STATUS_INVALID_TOKEN; -+ DBG_NOTICE("Username '%s%s%s' is invalid on this system, " -+ "it does not meet 'min domain uid' " -+ "restriction (%u < %u): %s\n", -+ nt_domain, lp_winbind_separator(), nt_username, -+ pwd->pw_uid, lp_min_domain_uid(), -+ nt_errstr(nt_status)); -+ goto out; - } - - result = make_server_info(tmp_ctx); --- -2.33.1 - - -From 51a78934575b47e6add3110904c5de6c97566fd7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 17:40:30 +0200 -Subject: [PATCH 25/39] CVE-2020-25717: s3:auth: we should not try to - autocreate the guest account - -We should avoid autocreation of users as much as possible. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/user_krb5.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c -index 8998f9c8f8a..074e8c7eb71 100644 ---- a/source3/auth/user_krb5.c -+++ b/source3/auth/user_krb5.c -@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - if (!fuser) { - return NT_STATUS_NO_MEMORY; - } -- pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); -+ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false); - } - - /* extra sanity check that the guest account is valid */ --- -2.33.1 - - -From 0ef009b205acf1b14f8763cf2e6ce13ec8bea151 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 18:08:20 +0200 -Subject: [PATCH 26/39] CVE-2020-25717: s3:auth: no longer let check_account() - autocreate local users - -So far we autocreated local user accounts based on just the -account_name (just ignoring any domain part). - -This only happens via a possible 'add user script', -which is not typically defined on domain members -and on NT4 DCs local users already exist in the -local passdb anyway. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 4de4bc74374..99b85d47a5f 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1898,7 +1898,7 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, - return NT_STATUS_NO_MEMORY; - } - -- passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true ); -+ passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); - if (!passwd) { - DEBUG(3, ("Failed to find authenticated user %s via " - "getpwnam(), denying access.\n", dom_user)); --- -2.33.1 - - -From de475a3eba52cb4599330f6932e98f97c3749ec7 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 8 Oct 2021 12:33:16 +0200 -Subject: [PATCH 27/39] CVE-2020-25717: s3:auth: remove fallbacks in - smb_getpwnam() - -So far we tried getpwnam("DOMAIN\account") first and -always did a fallback to getpwnam("account") completely -ignoring the domain part, this just causes problems -as we mix "DOMAIN1\account", "DOMAIN2\account", -and "account"! - -As we require a running winbindd for domain member setups -we should no longer do a fallback to just "account" for -users served by winbindd! - -For users of the local SAM don't use this code path, -as check_sam_security() doesn't call check_account(). - -The only case where smb_getpwnam("account") happens is -when map_username() via ("username map [script]") mapped -"DOMAIN\account" to something without '\', but that is -explicitly desired by the admin. - -Note: use 'git show -w' - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Ralph Boehme -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/ktest | 26 +++++++++++++ - source3/auth/auth_util.c | 77 +++++++++++++++++++++----------------- - 2 files changed, 68 insertions(+), 35 deletions(-) - create mode 100644 selftest/knownfail.d/ktest - -diff --git a/selftest/knownfail.d/ktest b/selftest/knownfail.d/ktest -new file mode 100644 -index 00000000000..809612ba0b9 ---- /dev/null -+++ b/selftest/knownfail.d/ktest -@@ -0,0 +1,26 @@ -+^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5...rpcclient.ktest:local -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5...rpcclient.ktest:local -+^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,packet...rpcclient.ktest:local -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,packet...rpcclient.ktest:local -+^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,sign...rpcclient.ktest:local -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,sign...rpcclient.ktest:local -+^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest -+^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,seal...rpcclient.ktest:local -+^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,seal...rpcclient.ktest:local -+^samba3.blackbox.smbclient_krb5.old.ccache..smbclient.ktest:local -+^samba3.blackbox.smbclient_krb5.new.ccache..smbclient.ktest:local -+^samba3.blackbox.smbclient_large_file..krb5.smbclient.large.posix.write.read.ktest:local -+^samba3.blackbox.smbclient_large_file..krb5.cmp.of.read.and.written.files.ktest:local -+^samba3.blackbox.smbclient_krb5.old.ccache.--client-protection=encrypt.smbclient.ktest:local -+^samba3.blackbox.smbclient_krb5.new.ccache.--client-protection=encrypt.smbclient.ktest:local -+^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.smbclient.large.posix.write.read.ktest:local -+^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.cmp.of.read.and.written.files.ktest:local -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 99b85d47a5f..d81313a0495 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1933,7 +1933,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, - { - struct passwd *pw = NULL; - char *p = NULL; -- char *username = NULL; -+ const char *username = NULL; - - /* we only save a copy of the username it has been mangled - by winbindd use default domain */ -@@ -1952,48 +1952,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser, - /* code for a DOMAIN\user string */ - - if ( p ) { -- pw = Get_Pwnam_alloc( mem_ctx, domuser ); -- if ( pw ) { -- /* make sure we get the case of the username correct */ -- /* work around 'winbind use default domain = yes' */ -- -- if ( lp_winbind_use_default_domain() && -- !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { -- char *domain; -- -- /* split the domain and username into 2 strings */ -- *p = '\0'; -- domain = username; -- -- *p_save_username = talloc_asprintf(mem_ctx, -- "%s%c%s", -- domain, -- *lp_winbind_separator(), -- pw->pw_name); -- if (!*p_save_username) { -- TALLOC_FREE(pw); -- return NULL; -- } -- } else { -- *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); -- } -+ const char *domain = NULL; - -- /* whew -- done! */ -- return pw; -+ /* split the domain and username into 2 strings */ -+ *p = '\0'; -+ domain = username; -+ p++; -+ username = p; -+ -+ if (strequal(domain, get_global_sam_name())) { -+ /* -+ * This typically don't happen -+ * as check_sam_Security() -+ * don't call make_server_info_info3() -+ * and thus check_account(). -+ * -+ * But we better keep this. -+ */ -+ goto username_only; - } - -- /* setup for lookup of just the username */ -- /* remember that p and username are overlapping memory */ -- -- p++; -- username = talloc_strdup(mem_ctx, p); -- if (!username) { -+ pw = Get_Pwnam_alloc( mem_ctx, domuser ); -+ if (pw == NULL) { - return NULL; - } -+ /* make sure we get the case of the username correct */ -+ /* work around 'winbind use default domain = yes' */ -+ -+ if ( lp_winbind_use_default_domain() && -+ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { -+ *p_save_username = talloc_asprintf(mem_ctx, -+ "%s%c%s", -+ domain, -+ *lp_winbind_separator(), -+ pw->pw_name); -+ if (!*p_save_username) { -+ TALLOC_FREE(pw); -+ return NULL; -+ } -+ } else { -+ *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); -+ } -+ -+ /* whew -- done! */ -+ return pw; -+ - } - - /* just lookup a plain username */ -- -+username_only: - pw = Get_Pwnam_alloc(mem_ctx, username); - - /* Create local user if requested but only if winbindd --- -2.33.1 - - -From debd9501c568ebd536275a240cd796187d1ce39b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 21 Sep 2021 13:13:52 +0200 -Subject: [PATCH 28/39] CVE-2020-25717: s3:lib: add lp_allow_trusted_domains() - logic to is_allowed_domain() - -is_allowed_domain() is a central place we already use to -trigger NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, so -we can add additional logic there. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/lib/util_names.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c -index 630a25875c7..876035cbe29 100644 ---- a/source3/lib/util_names.c -+++ b/source3/lib/util_names.c -@@ -200,5 +200,18 @@ bool is_allowed_domain(const char *domain_name) - } - } - -- return true; -+ if (lp_allow_trusted_domains()) { -+ return true; -+ } -+ -+ if (strequal(lp_workgroup(), domain_name)) { -+ return true; -+ } -+ -+ if (is_myname(domain_name)) { -+ return true; -+ } -+ -+ DBG_NOTICE("Not trusted domain '%s'\n", domain_name); -+ return false; - } --- -2.33.1 - - -From d2b7d75eccee7575c3dab25cc8c61e2cf00994d3 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 4 Oct 2021 18:03:55 +0200 -Subject: [PATCH 29/39] CVE-2020-25717: s3:auth: don't let create_local_token - depend on !winbind_ping() - -We always require a running winbindd on a domain member, so -we should better fail a request instead of silently alter -the behaviour, which results in a different unix token, just -because winbindd might be restarted. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_util.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index d81313a0495..065b525500f 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -576,13 +576,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - } - - /* -- * If winbind is not around, we can not make much use of the SIDs the -- * domain controller provided us with. Likewise if the user name was -- * mapped to some local unix user. -+ * If the user name was mapped to some local unix user, -+ * we can not make much use of the SIDs the -+ * domain controller provided us with. - */ -- -- if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || -- (server_info->nss_token)) { -+ if (server_info->nss_token) { - char *found_username = NULL; - status = create_token_from_username(session_info, - server_info->unix_name, --- -2.33.1 - - -From 045a019e452c512224a13cfbd98c592cb7f2e912 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 11 Nov 2020 18:50:45 +0200 -Subject: [PATCH 30/39] CVE-2020-25717: Add FreeIPA domain controller role - -As we want to reduce use of 'classic domain controller' role but FreeIPA -relies on it internally, add a separate role to mark FreeIPA domain -controller role. - -It means that role won't result in ROLE_STANDALONE. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Alexander Bokovoy -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - docs-xml/smbdotconf/security/serverrole.xml | 7 ++++ - lib/param/loadparm_server_role.c | 2 ++ - lib/param/param_table.c | 1 + - lib/param/util.c | 1 + - libcli/netlogon/netlogon.c | 2 +- - libds/common/roles.h | 1 + - source3/auth/auth.c | 3 ++ - source3/auth/auth_sam.c | 14 ++++---- - source3/include/smb_macros.h | 2 +- - source3/lib/netapi/joindomain.c | 1 + - source3/param/loadparm.c | 4 ++- - source3/passdb/lookup_sid.c | 2 +- - source3/passdb/machine_account_secrets.c | 7 ++-- - source3/registry/reg_backend_prod_options.c | 1 + - source3/rpc_server/dssetup/srv_dssetup_nt.c | 1 + - source3/smbd/server.c | 2 +- - source3/winbindd/winbindd_misc.c | 2 +- - source3/winbindd/winbindd_util.c | 40 ++++++++++++++++----- - source4/auth/ntlm/auth.c | 1 + - source4/kdc/kdc-heimdal.c | 1 + - source4/rpc_server/samr/dcesrv_samr.c | 2 ++ - 21 files changed, 72 insertions(+), 25 deletions(-) - -diff --git a/docs-xml/smbdotconf/security/serverrole.xml b/docs-xml/smbdotconf/security/serverrole.xml -index 9511c61c96d..b8b83a127b5 100644 ---- a/docs-xml/smbdotconf/security/serverrole.xml -+++ b/docs-xml/smbdotconf/security/serverrole.xml -@@ -78,6 +78,13 @@ - url="http://wiki.samba.org/index.php/Samba4/HOWTO">Samba4 - HOWTO - -+ SERVER ROLE = IPA DOMAIN CONTROLLER -+ -+ This mode of operation runs Samba in a hybrid mode for IPA -+ domain controller, providing forest trust to Active Directory. -+ This role requires special configuration performed by IPA installers -+ and should not be used manually by any administrator. -+ - - - security -diff --git a/lib/param/loadparm_server_role.c b/lib/param/loadparm_server_role.c -index 7a6bc770723..a78d1ab9cf3 100644 ---- a/lib/param/loadparm_server_role.c -+++ b/lib/param/loadparm_server_role.c -@@ -42,6 +42,7 @@ static const struct srv_role_tab { - { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" }, - { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" }, - { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" }, -+ { ROLE_IPA_DC, "ROLE_IPA_DC"}, - { 0, NULL } - }; - -@@ -140,6 +141,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security) - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: - case ROLE_ACTIVE_DIRECTORY_DC: -+ case ROLE_IPA_DC: - if (security == SEC_USER) { - valid = true; - } -diff --git a/lib/param/param_table.c b/lib/param/param_table.c -index e2f737279dc..3dc5fc59991 100644 ---- a/lib/param/param_table.c -+++ b/lib/param/param_table.c -@@ -111,6 +111,7 @@ static const struct enum_list enum_server_role[] = { - {ROLE_ACTIVE_DIRECTORY_DC, "active directory domain controller"}, - {ROLE_ACTIVE_DIRECTORY_DC, "domain controller"}, - {ROLE_ACTIVE_DIRECTORY_DC, "dc"}, -+ {ROLE_IPA_DC, "IPA primary domain controller"}, - {-1, NULL} - }; - -diff --git a/lib/param/util.c b/lib/param/util.c -index cd8e74b9d8f..9a0fc102de8 100644 ---- a/lib/param/util.c -+++ b/lib/param/util.c -@@ -255,6 +255,7 @@ const char *lpcfg_sam_name(struct loadparm_context *lp_ctx) - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: - case ROLE_ACTIVE_DIRECTORY_DC: -+ case ROLE_IPA_DC: - return lpcfg_workgroup(lp_ctx); - default: - return lpcfg_netbios_name(lp_ctx); -diff --git a/libcli/netlogon/netlogon.c b/libcli/netlogon/netlogon.c -index 239503e85b6..59af460dc4e 100644 ---- a/libcli/netlogon/netlogon.c -+++ b/libcli/netlogon/netlogon.c -@@ -93,7 +93,7 @@ NTSTATUS pull_netlogon_samlogon_response(DATA_BLOB *data, TALLOC_CTX *mem_ctx, - if (ndr->offset < ndr->data_size) { - TALLOC_FREE(ndr); - /* -- * We need to handle a bug in FreeIPA (at least <= 4.1.2). -+ * We need to handle a bug in IPA (at least <= 4.1.2). - * - * They include the ip address information without setting - * NETLOGON_NT_VERSION_5EX_WITH_IP, while using -diff --git a/libds/common/roles.h b/libds/common/roles.h -index 4772c8d7d3f..03ba1915b21 100644 ---- a/libds/common/roles.h -+++ b/libds/common/roles.h -@@ -33,6 +33,7 @@ enum server_role { - - /* not in samr.idl */ - ROLE_ACTIVE_DIRECTORY_DC = 4, -+ ROLE_IPA_DC = 5, - - /* To determine the role automatically, this is not a valid role */ - ROLE_AUTO = 100 -diff --git a/source3/auth/auth.c b/source3/auth/auth.c -index 6d2a40f0f29..d0036ea6b30 100644 ---- a/source3/auth/auth.c -+++ b/source3/auth/auth.c -@@ -543,6 +543,7 @@ NTSTATUS make_auth3_context_for_ntlm(TALLOC_CTX *mem_ctx, - break; - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: -+ case ROLE_IPA_DC: - role = "'DC'"; - methods = "anonymous sam winbind sam_ignoredomain"; - break; -@@ -574,6 +575,7 @@ NTSTATUS make_auth3_context_for_netlogon(TALLOC_CTX *mem_ctx, - switch (lp_server_role()) { - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: -+ case ROLE_IPA_DC: - methods = "sam_netlogon3 winbind"; - break; - -@@ -595,6 +597,7 @@ NTSTATUS make_auth3_context_for_winbind(TALLOC_CTX *mem_ctx, - case ROLE_DOMAIN_MEMBER: - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: -+ case ROLE_IPA_DC: - methods = "sam"; - break; - case ROLE_ACTIVE_DIRECTORY_DC: -diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c -index e8e0d543f8c..a2ce1013975 100644 ---- a/source3/auth/auth_sam.c -+++ b/source3/auth/auth_sam.c -@@ -143,12 +143,13 @@ static NTSTATUS auth_samstrict_auth(const struct auth_context *auth_context, - break; - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - if (!is_local_name && !is_my_domain) { - /* If we are running on a DC that has PASSDB module with domain - * information, check if DNS forest name is matching the domain -- * name. This is the case of FreeIPA domain controller when -- * trusted AD DCs attempt to authenticate FreeIPA users using -- * the forest root domain (which is the only domain in FreeIPA). -+ * name. This is the case of IPA domain controller when -+ * trusted AD DCs attempt to authenticate IPA users using -+ * the forest root domain (which is the only domain in IPA). - */ - struct pdb_domain_info *dom_info = NULL; - -@@ -234,6 +235,7 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context, - switch (lp_server_role()) { - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - break; - default: - DBG_ERR("Invalid server role\n"); -@@ -252,9 +254,9 @@ static NTSTATUS auth_sam_netlogon3_auth(const struct auth_context *auth_context, - if (!is_my_domain) { - /* If we are running on a DC that has PASSDB module with domain - * information, check if DNS forest name is matching the domain -- * name. This is the case of FreeIPA domain controller when -- * trusted AD DCs attempt to authenticate FreeIPA users using -- * the forest root domain (which is the only domain in FreeIPA). -+ * name. This is the case of IPA domain controller when -+ * trusted AD DCs attempt to authenticate IPA users using -+ * the forest root domain (which is the only domain in IPA). - */ - struct pdb_domain_info *dom_info = NULL; - dom_info = pdb_get_domain_info(mem_ctx); -diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h -index d9583945c55..def122727f0 100644 ---- a/source3/include/smb_macros.h -+++ b/source3/include/smb_macros.h -@@ -203,7 +203,7 @@ copy an IP address from one buffer to another - Check to see if we are a DC for this domain - *****************************************************************************/ - --#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) -+#define IS_DC (lp_server_role()==ROLE_DOMAIN_PDC || lp_server_role()==ROLE_DOMAIN_BDC || lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_server_role() == ROLE_IPA_DC) - #define IS_AD_DC (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) - - /* -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c -index f2d36fc00db..d1710c4b938 100644 ---- a/source3/lib/netapi/joindomain.c -+++ b/source3/lib/netapi/joindomain.c -@@ -375,6 +375,7 @@ WERROR NetGetJoinInformation_l(struct libnetapi_ctx *ctx, - case ROLE_DOMAIN_MEMBER: - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - *r->out.name_type = NetSetupDomainName; - break; - case ROLE_STANDALONE: -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 300b539748b..8bcd35f3d88 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -4412,6 +4412,7 @@ int lp_default_server_announce(void) - default_server_announce |= SV_TYPE_DOMAIN_MEMBER; - break; - case ROLE_DOMAIN_PDC: -+ case ROLE_IPA_DC: - default_server_announce |= SV_TYPE_DOMAIN_CTRL; - break; - case ROLE_DOMAIN_BDC: -@@ -4437,7 +4438,8 @@ int lp_default_server_announce(void) - bool lp_domain_master(void) - { - if (Globals._domain_master == Auto) -- return (lp_server_role() == ROLE_DOMAIN_PDC); -+ return (lp_server_role() == ROLE_DOMAIN_PDC || -+ lp_server_role() == ROLE_IPA_DC); - - return (bool)Globals._domain_master; - } -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index 0e01467b3cb..a551bcfd24a 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -121,7 +121,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx, - - /* If we are running on a DC that has PASSDB module with domain - * information, check if DNS forest name is matching the domain -- * name. This is the case of FreeIPA domain controller when -+ * name. This is the case of IPA domain controller when - * trusted AD DC looks up users found in a Global Catalog of - * the forest root domain. */ - if (!check_global_sam && (IS_DC)) { -diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c -index d81f79c705b..618019b8322 100644 ---- a/source3/passdb/machine_account_secrets.c -+++ b/source3/passdb/machine_account_secrets.c -@@ -198,7 +198,8 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid) - dyn_guid = (struct GUID *)secrets_fetch(key, &size); - - if (!dyn_guid) { -- if (lp_server_role() == ROLE_DOMAIN_PDC) { -+ if (lp_server_role() == ROLE_DOMAIN_PDC || -+ lp_server_role() == ROLE_IPA_DC) { - new_guid = GUID_random(); - if (!secrets_store_domain_guid(domain, &new_guid)) - return False; -@@ -314,9 +315,7 @@ static const char *trust_keystr(const char *domain) - - enum netr_SchannelType get_default_sec_channel(void) - { -- if (lp_server_role() == ROLE_DOMAIN_BDC || -- lp_server_role() == ROLE_DOMAIN_PDC || -- lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) { -+ if (IS_DC) { - return SEC_CHAN_BDC; - } else { - return SEC_CHAN_WKSTA; -diff --git a/source3/registry/reg_backend_prod_options.c b/source3/registry/reg_backend_prod_options.c -index 655c587ac40..7bd3f324c37 100644 ---- a/source3/registry/reg_backend_prod_options.c -+++ b/source3/registry/reg_backend_prod_options.c -@@ -40,6 +40,7 @@ static int prod_options_fetch_values(const char *key, struct regval_ctr *regvals - switch (lp_server_role()) { - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - value_ascii = "LanmanNT"; - break; - case ROLE_STANDALONE: -diff --git a/source3/rpc_server/dssetup/srv_dssetup_nt.c b/source3/rpc_server/dssetup/srv_dssetup_nt.c -index 64569382695..932452bc13b 100644 ---- a/source3/rpc_server/dssetup/srv_dssetup_nt.c -+++ b/source3/rpc_server/dssetup/srv_dssetup_nt.c -@@ -63,6 +63,7 @@ static WERROR fill_dsrole_dominfo_basic(TALLOC_CTX *ctx, - basic->domain = get_global_sam_name(); - break; - case ROLE_DOMAIN_PDC: -+ case ROLE_IPA_DC: - basic->role = DS_ROLE_PRIMARY_DC; - basic->domain = get_global_sam_name(); - break; -diff --git a/source3/smbd/server.c b/source3/smbd/server.c -index a0456100afe..26961fa6cf4 100644 ---- a/source3/smbd/server.c -+++ b/source3/smbd/server.c -@@ -1979,7 +1979,7 @@ extern void build_options(bool screen); - exit_daemon("smbd can not open secrets.tdb", EACCES); - } - -- if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { -+ if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_IPA_DC) { - struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers()); - if (!open_schannel_session_store(NULL, lp_ctx)) { - exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES); -diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c -index 451ad6aee14..db7e1c87dee 100644 ---- a/source3/winbindd/winbindd_misc.c -+++ b/source3/winbindd/winbindd_misc.c -@@ -76,7 +76,7 @@ static char *get_trust_type_string(TALLOC_CTX *mem_ctx, - case SEC_CHAN_BDC: { - int role = lp_server_role(); - -- if (role == ROLE_DOMAIN_PDC) { -+ if (role == ROLE_DOMAIN_PDC || role == ROLE_IPA_DC) { - s = talloc_strdup(mem_ctx, "PDC"); - if (s == NULL) { - return NULL; -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index ac4cd731c09..42ddbfd2f44 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -1254,15 +1254,37 @@ bool init_domain_list(void) - secure_channel_type = SEC_CHAN_LOCAL; - } - -- status = add_trusted_domain(get_global_sam_name(), -- NULL, -- get_global_sam_sid(), -- LSA_TRUST_TYPE_DOWNLEVEL, -- trust_flags, -- 0, /* trust_attribs */ -- secure_channel_type, -- NULL, -- &domain); -+ if ((pdb_domain_info != NULL) && (role == ROLE_IPA_DC)) { -+ /* This is IPA DC that presents itself as -+ * an Active Directory domain controller to trusted AD -+ * forests but in fact is a classic domain controller. -+ */ -+ trust_flags = NETR_TRUST_FLAG_PRIMARY; -+ trust_flags |= NETR_TRUST_FLAG_IN_FOREST; -+ trust_flags |= NETR_TRUST_FLAG_NATIVE; -+ trust_flags |= NETR_TRUST_FLAG_OUTBOUND; -+ trust_flags |= NETR_TRUST_FLAG_TREEROOT; -+ status = add_trusted_domain(pdb_domain_info->name, -+ pdb_domain_info->dns_domain, -+ &pdb_domain_info->sid, -+ LSA_TRUST_TYPE_UPLEVEL, -+ trust_flags, -+ LSA_TRUST_ATTRIBUTE_WITHIN_FOREST, -+ secure_channel_type, -+ NULL, -+ &domain); -+ TALLOC_FREE(pdb_domain_info); -+ } else { -+ status = add_trusted_domain(get_global_sam_name(), -+ NULL, -+ get_global_sam_sid(), -+ LSA_TRUST_TYPE_DOWNLEVEL, -+ trust_flags, -+ 0, /* trust_attribs */ -+ secure_channel_type, -+ NULL, -+ &domain); -+ } - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("Failed to add local SAM to " - "domain to winbindd's internal list\n"); -diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c -index 4c66f2c23cb..ea9ff70ce80 100644 ---- a/source4/auth/ntlm/auth.c -+++ b/source4/auth/ntlm/auth.c -@@ -737,6 +737,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context * - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: - case ROLE_ACTIVE_DIRECTORY_DC: -+ case ROLE_IPA_DC: - auth_methods = str_list_make(mem_ctx, "anonymous sam winbind sam_ignoredomain", NULL); - break; - } -diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c -index a3c357ca1a6..ba74df4f2ec 100644 ---- a/source4/kdc/kdc-heimdal.c -+++ b/source4/kdc/kdc-heimdal.c -@@ -276,6 +276,7 @@ static NTSTATUS kdc_task_init(struct task_server *task) - return NT_STATUS_INVALID_DOMAIN_ROLE; - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - task_server_terminate( - task, "Cannot start KDC as a 'classic Samba' DC", false); - return NT_STATUS_INVALID_DOMAIN_ROLE; -diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c -index cda887d45ee..29c509522be 100644 ---- a/source4/rpc_server/samr/dcesrv_samr.c -+++ b/source4/rpc_server/samr/dcesrv_samr.c -@@ -575,6 +575,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state - break; - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - case ROLE_AUTO: - return NT_STATUS_INTERNAL_ERROR; - case ROLE_DOMAIN_MEMBER: -@@ -723,6 +724,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state, - break; - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - case ROLE_AUTO: - return NT_STATUS_INTERNAL_ERROR; - case ROLE_DOMAIN_MEMBER: --- -2.33.1 - - -From 4b3a3fa914b79c548100eda1baa5c589fd8f04bf Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 5 Oct 2021 18:11:57 +0200 -Subject: [PATCH 31/39] CVE-2020-25719 CVE-2020-25717: auth/gensec: always - require a PAC in domain mode (DC or member) - -AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set -on the service account, which can only be explicitly configured, -but that's an invalid configuration! - -We still try to support standalone servers in an MIT realm, -as legacy setup. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett - -[jsutton@samba.org Removed knownfail entries] ---- - auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++---- - 1 file changed, 23 insertions(+), 4 deletions(-) - -diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c -index e185acc0c20..694661b53b5 100644 ---- a/auth/gensec/gensec_util.c -+++ b/auth/gensec/gensec_util.c -@@ -25,6 +25,8 @@ - #include "auth/gensec/gensec_internal.h" - #include "auth/common_auth.h" - #include "../lib/util/asn1.h" -+#include "param/param.h" -+#include "libds/common/roles.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -46,10 +48,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, - session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; - - if (!pac_blob) { -- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { -- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", -- principal_string)); -- return NT_STATUS_ACCESS_DENIED; -+ enum server_role server_role = -+ lpcfg_server_role(gensec_security->settings->lp_ctx); -+ -+ /* -+ * For any domain setup (DC or member) we require having -+ * a PAC, as the service ticket comes from an AD DC, -+ * which will always provide a PAC, unless -+ * UF_NO_AUTH_DATA_REQUIRED is configured for our -+ * account, but that's just an invalid configuration, -+ * the admin configured for us! -+ * -+ * As a legacy case, we still allow kerberos tickets from an MIT -+ * realm, but only in standalone mode. In that mode we'll only -+ * ever accept a kerberos authentication with a keytab file -+ * being explicitly configured via the 'keytab method' option. -+ */ -+ if (server_role != ROLE_STANDALONE) { -+ DBG_WARNING("Unable to find PAC in ticket from %s, " -+ "failing to allow access\n", -+ principal_string); -+ return NT_STATUS_NO_IMPERSONATION_TOKEN; - } - DBG_NOTICE("Unable to find PAC for %s, resorting to local " - "user lookup\n", principal_string); --- -2.33.1 - - -From 5b7e9cc45370601553e464e539d0243eeec98659 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 11 Oct 2021 23:17:19 +0200 -Subject: [PATCH 32/39] CVE-2020-25719 CVE-2020-25717: s4:auth: remove unused - auth_generate_session_info_principal() - -We'll require a PAC at the main gensec layer already. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source4/auth/auth.h | 8 ------ - source4/auth/ntlm/auth.c | 49 ++++-------------------------------- - source4/auth/ntlm/auth_sam.c | 12 --------- - 3 files changed, 5 insertions(+), 64 deletions(-) - -diff --git a/source4/auth/auth.h b/source4/auth/auth.h -index 3f9fb1ae3cb..6b7db99cbe2 100644 ---- a/source4/auth/auth.h -+++ b/source4/auth/auth.h -@@ -69,14 +69,6 @@ struct auth_operations { - TALLOC_CTX *mem_ctx, - struct auth_user_info_dc **interim_info, - bool *authoritative); -- -- /* Lookup a 'session info interim' return based only on the principal or DN */ -- NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, -- struct auth4_context *auth_context, -- const char *principal, -- struct ldb_dn *user_dn, -- struct auth_user_info_dc **interim_info); -- uint32_t flags; - }; - - struct auth_method_context { -diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c -index ea9ff70ce80..3dd2ffc9276 100644 ---- a/source4/auth/ntlm/auth.c -+++ b/source4/auth/ntlm/auth.c -@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha - return NT_STATUS_OK; - } - --/**************************************************************************** --Used in the gensec_gssapi and gensec_krb5 server-side code, where the --PAC isn't available, and for tokenGroups in the DSDB stack. -- -- Supply either a principal or a DN --****************************************************************************/ --static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx, -- TALLOC_CTX *mem_ctx, -- const char *principal, -- struct ldb_dn *user_dn, -- uint32_t session_info_flags, -- struct auth_session_info **session_info) --{ -- NTSTATUS nt_status; -- struct auth_method_context *method; -- struct auth_user_info_dc *user_info_dc; -- -- for (method = auth_ctx->methods; method; method = method->next) { -- if (!method->ops->get_user_info_dc_principal) { -- continue; -- } -- -- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc); -- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { -- continue; -- } -- if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -- } -- -- nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, -- user_info_dc, -- user_info_dc->info->account_name, -- session_info_flags, session_info); -- talloc_free(user_info_dc); -- -- return nt_status; -- } -- -- return NT_STATUS_NOT_IMPLEMENTED; --} -- - /** - * Check a user's Plaintext, LM or NTLM password. - * (sync version) -@@ -627,8 +585,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx, - TALLOC_CTX *tmp_ctx; - - if (!pac_blob) { -- return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name, -- NULL, session_info_flags, session_info); -+ /* -+ * This should already be catched at the main -+ * gensec layer, but better check twice -+ */ -+ return NT_STATUS_INTERNAL_ERROR; - } - - tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); -diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c -index a521bc94bc4..dbbf97665db 100644 ---- a/source4/auth/ntlm/auth_sam.c -+++ b/source4/auth/ntlm/auth_sam.c -@@ -938,22 +938,11 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, - return NT_STATUS_OK; - } - --/* Wrapper for the auth subsystem pointer */ --static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, -- struct auth4_context *auth_context, -- const char *principal, -- struct ldb_dn *user_dn, -- struct auth_user_info_dc **user_info_dc) --{ -- return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, -- principal, user_dn, user_info_dc); --} - static const struct auth_operations sam_ignoredomain_ops = { - .name = "sam_ignoredomain", - .want_check = authsam_ignoredomain_want_check, - .check_password_send = authsam_check_password_send, - .check_password_recv = authsam_check_password_recv, -- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, - }; - - static const struct auth_operations sam_ops = { -@@ -961,7 +950,6 @@ static const struct auth_operations sam_ops = { - .want_check = authsam_want_check, - .check_password_send = authsam_check_password_send, - .check_password_recv = authsam_check_password_recv, -- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, - }; - - _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); --- -2.33.1 - - -From 85914f7dbe62cb0092f106ee89a4cff46b91fb3e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 21 Sep 2021 12:27:28 +0200 -Subject: [PATCH 33/39] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in - ntlm_auth_generate_session_info_pac() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/utils/ntlm_auth.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index b3ab3a473bf..16431771e74 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -818,23 +818,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c - if (!p) { - DEBUG(3, ("[%s] Doesn't look like a valid principal\n", - princ_name)); -- return NT_STATUS_LOGON_FAILURE; -+ status = NT_STATUS_LOGON_FAILURE; -+ goto done; - } - - user = talloc_strndup(mem_ctx, princ_name, p - princ_name); - if (!user) { -- return NT_STATUS_NO_MEMORY; -+ status = NT_STATUS_NO_MEMORY; -+ goto done; - } - - realm = talloc_strdup(talloc_tos(), p + 1); - if (!realm) { -- return NT_STATUS_NO_MEMORY; -+ status = NT_STATUS_NO_MEMORY; -+ goto done; - } - - if (!strequal(realm, lp_realm())) { - DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); - if (!lp_allow_trusted_domains()) { -- return NT_STATUS_LOGON_FAILURE; -+ status = NT_STATUS_LOGON_FAILURE; -+ goto done; - } - } - -@@ -842,7 +846,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c - domain = talloc_strdup(mem_ctx, - logon_info->info3.base.logon_domain.string); - if (!domain) { -- return NT_STATUS_NO_MEMORY; -+ status = NT_STATUS_NO_MEMORY; -+ goto done; - } - DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); - } else { -@@ -872,7 +877,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c - domain = talloc_strdup(mem_ctx, realm); - } - if (!domain) { -- return NT_STATUS_NO_MEMORY; -+ status = NT_STATUS_NO_MEMORY; -+ goto done; - } - DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); - } --- -2.33.1 - - -From 128802ff973fd3a3089e672f7d81c517a779c6be Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 21 Sep 2021 12:44:01 +0200 -Subject: [PATCH 34/39] CVE-2020-25717: s3:ntlm_auth: let - ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO - only - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/utils/ntlm_auth.c | 91 ++++++++++++--------------------------- - 1 file changed, 28 insertions(+), 63 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 16431771e74..02a23792890 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -790,10 +790,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c - struct PAC_LOGON_INFO *logon_info = NULL; - char *unixuser; - NTSTATUS status; -- char *domain = NULL; -- char *realm = NULL; -- char *user = NULL; -- char *p; -+ const char *domain = ""; -+ const char *user = ""; - - tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { -@@ -810,79 +808,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c - if (!NT_STATUS_IS_OK(status)) { - goto done; - } -- } -- -- DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); -- -- p = strchr_m(princ_name, '@'); -- if (!p) { -- DEBUG(3, ("[%s] Doesn't look like a valid principal\n", -- princ_name)); -- status = NT_STATUS_LOGON_FAILURE; -+ } else { -+ status = NT_STATUS_ACCESS_DENIED; -+ DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n", -+ princ_name, nt_errstr(status)); - goto done; - } - -- user = talloc_strndup(mem_ctx, princ_name, p - princ_name); -- if (!user) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -+ if (logon_info->info3.base.account_name.string != NULL) { -+ user = logon_info->info3.base.account_name.string; -+ } else { -+ user = ""; -+ } -+ if (logon_info->info3.base.logon_domain.string != NULL) { -+ domain = logon_info->info3.base.logon_domain.string; -+ } else { -+ domain = ""; - } - -- realm = talloc_strdup(talloc_tos(), p + 1); -- if (!realm) { -- status = NT_STATUS_NO_MEMORY; -+ if (strlen(user) == 0 || strlen(domain) == 0) { -+ status = NT_STATUS_ACCESS_DENIED; -+ DBG_WARNING("Kerberos ticket for[%s] has invalid " -+ "account_name[%s]/logon_domain[%s]: %s\n", -+ princ_name, -+ logon_info->info3.base.account_name.string, -+ logon_info->info3.base.logon_domain.string, -+ nt_errstr(status)); - goto done; - } - -- if (!strequal(realm, lp_realm())) { -- DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); -+ DBG_NOTICE("Kerberos ticket principal name is [%s] " -+ "account_name[%s]/logon_domain[%s]\n", -+ princ_name, user, domain); -+ -+ if (!strequal(domain, lp_workgroup())) { - if (!lp_allow_trusted_domains()) { - status = NT_STATUS_LOGON_FAILURE; - goto done; - } - } - -- if (logon_info && logon_info->info3.base.logon_domain.string) { -- domain = talloc_strdup(mem_ctx, -- logon_info->info3.base.logon_domain.string); -- if (!domain) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -- } -- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); -- } else { -- -- /* If we have winbind running, we can (and must) shorten the -- username by using the short netbios name. Otherwise we will -- have inconsistent user names. With Kerberos, we get the -- fully qualified realm, with ntlmssp we get the short -- name. And even w2k3 does use ntlmssp if you for example -- connect to an ip address. */ -- -- wbcErr wbc_status; -- struct wbcDomainInfo *info = NULL; -- -- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", -- realm)); -- -- wbc_status = wbcDomainInfo(realm, &info); -- -- if (WBC_ERROR_IS_OK(wbc_status)) { -- domain = talloc_strdup(mem_ctx, -- info->short_name); -- wbcFreeMemory(info); -- } else { -- DEBUG(3, ("Could not find short name: %s\n", -- wbcErrorString(wbc_status))); -- domain = talloc_strdup(mem_ctx, realm); -- } -- if (!domain) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -- } -- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); -- } -- - unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user); - if (!unixuser) { - status = NT_STATUS_NO_MEMORY; --- -2.33.1 - - -From e9063c114461ac82c5db3fa32f59b57a87be65be Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 4 Oct 2021 19:42:20 +0200 -Subject: [PATCH 35/39] CVE-2020-25717: s3:auth: let - auth3_generate_session_info_pac() delegate everything to - make_server_info_wbcAuthUserInfo() - -This consolidates the code paths used for NTLMSSP and Kerberos! - -I checked what we were already doing for NTLMSSP, which is this: - -a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx() -b) as a domain member we require a valid response from winbindd, - otherwise we'll return NT_STATUS_NO_LOGON_SERVERS -c) we call make_server_info_wbcAuthUserInfo(), which internally - calls make_server_info_info3() -d) auth_check_ntlm_password() calls - smb_pam_accountcheck(unix_username, rhost), where rhost - is only an ipv4 or ipv6 address (without reverse dns lookup) -e) from auth3_check_password_send/auth3_check_password_recv() - server_returned_info will be passed to auth3_generate_session_info(), - triggered by gensec_session_info(), which means we'll call into - create_local_token() in order to transform auth_serversupplied_info - into auth_session_info. - -For Kerberos gensec_session_info() will call -auth3_generate_session_info_pac() via the gensec_generate_session_info_pac() -helper function. The current logic is this: - -a) gensec_generate_session_info_pac() is the function that - evaluates the 'gensec:require_pac', which defaulted to 'no' - before. -b) auth3_generate_session_info_pac() called - wbcAuthenticateUserEx() in order to pass the PAC blob - to winbindd, but only to prime its cache, e.g. netsamlogon cache - and others. Most failures were just ignored. -c) If the PAC blob is available, it extracted the PAC_LOGON_INFO - from it. -d) Then we called the horrible get_user_from_kerberos_info() function: - - It uses a first part of the tickets principal name (before the @) - as username and combines that with the 'logon_info->base.logon_domain' - if the logon_info (PAC) is present. - - As a fallback without a PAC it's tries to ask winbindd for a mapping - from realm to netbios domain name. - - Finally is falls back to using the realm as netbios domain name - With this information is builds 'userdomain+winbind_separator+useraccount' - and calls map_username() followed by smb_getpwnam() with create=true, - Note this is similar to the make_server_info_info3() => check_account() - => smb_getpwnam() logic under 3. - - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name - instead of the ip address as rhost. - - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the - guest account. -e) We called create_info3_from_pac_logon_info() -f) make_session_info_krb5() calls gets called and triggers this: - - If get_user_from_kerberos_info() mapped to guest, it calls - make_server_info_guest() - - If create_info3_from_pac_logon_info() created a info3 from logon_info, - it calls make_server_info_info3() - - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with - a fallback to make_server_info_pw() - From there it calls create_local_token() - -I tried to change auth3_generate_session_info_pac() to behave similar -to auth_winbind.c together with auth3_generate_session_info() as -a domain member, as we now rely on a PAC: - -a) As domain member we require a PAC and always call wbcAuthenticateUserEx() - and require a valid response! -b) we call make_server_info_wbcAuthUserInfo(), which internally - calls make_server_info_info3(). Note make_server_info_info3() - handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest() - internally. -c) Similar to auth_check_ntlm_password() we now call - smb_pam_accountcheck(unix_username, rhost), where rhost - is only an ipv4 or ipv6 address (without reverse dns lookup) -d) From there it calls create_local_token() - -As standalone server (in an MIT realm) we continue -with the already existing code logic, which works without a PAC: -a) we keep smb_getpwnam() with create=true logic as it - also requires an explicit 'add user script' option. -b) In the following commits we assert that there's - actually no PAC in this mode, which means we can - remove unused and confusing code. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 137 ++++++++++++++++++++++++++++-------- - 1 file changed, 109 insertions(+), 28 deletions(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index f6a501f1df7..a8390b1b156 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - uint32_t session_info_flags, - struct auth_session_info **session_info) - { -+ enum server_role server_role = lp_server_role(); - TALLOC_CTX *tmp_ctx; - struct PAC_LOGON_INFO *logon_info = NULL; - struct netr_SamInfo3 *info3_copy = NULL; -@@ -54,39 +55,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - char *ntuser; - char *ntdomain; - char *username; -- char *rhost; -+ const char *rhost; - struct passwd *pw; - NTSTATUS status; -- int rc; - - tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - -- if (pac_blob) { --#ifdef HAVE_KRB5 -+ if (tsocket_address_is_inet(remote_address, "ip")) { -+ rhost = tsocket_address_inet_addr_string( -+ remote_address, tmp_ctx); -+ if (rhost == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } -+ } else { -+ rhost = "127.0.0.1"; -+ } -+ -+ if (server_role != ROLE_STANDALONE) { - struct wbcAuthUserParams params = { 0 }; - struct wbcAuthUserInfo *info = NULL; - struct wbcAuthErrorInfo *err = NULL; -+ struct auth_serversupplied_info *server_info = NULL; -+ char *original_user_name = NULL; -+ char *p = NULL; - wbcErr wbc_err; - -+ if (pac_blob == NULL) { -+ /* -+ * This should already be catched at the main -+ * gensec layer, but better check twice -+ */ -+ status = NT_STATUS_INTERNAL_ERROR; -+ goto done; -+ } -+ - /* - * Let winbind decode the PAC. - * This will also store the user - * data in the netsamlogon cache. - * -- * We need to do this *before* we -- * call get_user_from_kerberos_info() -- * as that does a user lookup that -- * expects info in the netsamlogon cache. -- * -- * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 -+ * This used to be a cache prime -+ * optimization, but now we delegate -+ * all logic to winbindd, as we require -+ * winbindd as domain member anyway. - */ - params.level = WBC_AUTH_USER_LEVEL_PAC; - params.password.pac.data = pac_blob->data; - params.password.pac.length = pac_blob->length; - -+ /* we are contacting the privileged pipe */ - become_root(); - wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); - unbecome_root(); -@@ -99,18 +120,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - */ - - switch (wbc_err) { -- case WBC_ERR_WINBIND_NOT_AVAILABLE: - case WBC_ERR_SUCCESS: - break; -+ case WBC_ERR_WINBIND_NOT_AVAILABLE: -+ status = NT_STATUS_NO_LOGON_SERVERS; -+ DBG_ERR("winbindd not running - " -+ "but required as domain member: %s\n", -+ nt_errstr(status)); -+ goto done; - case WBC_ERR_AUTH_ERROR: - status = NT_STATUS(err->nt_status); - wbcFreeMemory(err); - goto done; -+ case WBC_ERR_NO_MEMORY: -+ status = NT_STATUS_NO_MEMORY; -+ goto done; - default: - status = NT_STATUS_LOGON_FAILURE; - goto done; - } - -+ status = make_server_info_wbcAuthUserInfo(tmp_ctx, -+ info->account_name, -+ info->domain_name, -+ info, &server_info); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n", -+ nt_errstr(status))); -+ goto done; -+ } -+ -+ /* We skip doing this step if the caller asked us not to */ -+ if (!(server_info->guest)) { -+ const char *unix_username = server_info->unix_name; -+ -+ /* We might not be root if we are an RPC call */ -+ become_root(); -+ status = smb_pam_accountcheck(unix_username, rhost); -+ unbecome_root(); -+ -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] " -+ "FAILED with error %s\n", -+ unix_username, nt_errstr(status))); -+ goto done; -+ } -+ -+ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] " -+ "succeeded\n", unix_username)); -+ } -+ -+ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); -+ -+ p = strchr_m(princ_name, '@'); -+ if (!p) { -+ DEBUG(3, ("[%s] Doesn't look like a valid principal\n", -+ princ_name)); -+ status = NT_STATUS_LOGON_FAILURE; -+ goto done; -+ } -+ -+ original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name); -+ if (original_user_name == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } -+ -+ status = create_local_token(mem_ctx, -+ server_info, -+ NULL, -+ original_user_name, -+ session_info); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(10, ("create_local_token failed: %s\n", -+ nt_errstr(status))); -+ goto done; -+ } -+ -+ goto session_info_ready; -+ } -+ -+ /* This is the standalone legacy code path */ -+ -+ if (pac_blob != NULL) { -+#ifdef HAVE_KRB5 - status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, - NULL, NULL, 0, &logon_info); - #else -@@ -121,22 +214,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - } - } - -- rc = get_remote_hostname(remote_address, -- &rhost, -- tmp_ctx); -- if (rc < 0) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -- } -- if (strequal(rhost, "UNKNOWN")) { -- rhost = tsocket_address_inet_addr_string(remote_address, -- tmp_ctx); -- if (rhost == NULL) { -- status = NT_STATUS_NO_MEMORY; -- goto done; -- } -- } -- - status = get_user_from_kerberos_info(tmp_ctx, rhost, - princ_name, logon_info, - &is_mapped, &is_guest, -@@ -170,6 +247,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - goto done; - } - -+session_info_ready: -+ - /* setup the string used by %U */ - set_current_user_info((*session_info)->unix_info->sanitized_username, - (*session_info)->unix_info->unix_name, -@@ -179,7 +258,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - lp_load_with_shares(get_dyn_CONFIGFILE()); - - DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n", -- ntuser, ntdomain, rhost)); -+ (*session_info)->info->account_name, -+ (*session_info)->info->domain_name, -+ rhost)); - - status = NT_STATUS_OK; - --- -2.33.1 - - -From a05d4ea28d68fda457c12a66052cb3712939279a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 5 Oct 2021 17:14:01 +0200 -Subject: [PATCH 36/39] CVE-2020-25717: selftest: configure 'ktest' env with - winbindd and idmap_autorid - -The 'ktest' environment was/is designed to test kerberos in an active -directory member setup. It was created at a time we wanted to test -smbd/winbindd with kerberos without having the source4 ad dc available. - -This still applies to testing the build with system krb5 libraries -but without relying on a running ad dc. - -As a domain member setup requires a running winbindd, we should test it -that way, in order to reflect a valid setup. - -As a side effect it provides a way to demonstrate that we can accept -smb connections authenticated via kerberos, but no connection to -a domain controller! In order get this working offline, we need an -idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which -should be the default choice. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - selftest/knownfail.d/ktest | 26 -------------------------- - selftest/target/Samba3.pm | 12 +++++------- - 2 files changed, 5 insertions(+), 33 deletions(-) - delete mode 100644 selftest/knownfail.d/ktest - -diff --git a/selftest/knownfail.d/ktest b/selftest/knownfail.d/ktest -deleted file mode 100644 -index 809612ba0b9..00000000000 ---- a/selftest/knownfail.d/ktest -+++ /dev/null -@@ -1,26 +0,0 @@ --^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2...lsa.LookupSidsReply.ktest --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5...rpcclient.ktest:local --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5...rpcclient.ktest:local --^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,connect...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,packet...lsa.LookupSidsReply.ktest --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,packet...rpcclient.ktest:local --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,packet...rpcclient.ktest:local --^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,sign...lsa.LookupSidsReply.ktest --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,sign...rpcclient.ktest:local --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,sign...rpcclient.ktest:local --^samba3.rpc.lsa.lookupsids.krb5.with.old.ccache.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest --^samba3.rpc.lsa.lookupsids.krb5.ncacn_np.with..smb2,seal...lsa.LookupSidsReply.ktest --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..krb5,seal...rpcclient.ktest:local --^samba3.blackbox.rpcclient.krb5.ncacn_np.with..spnego,krb5,seal...rpcclient.ktest:local --^samba3.blackbox.smbclient_krb5.old.ccache..smbclient.ktest:local --^samba3.blackbox.smbclient_krb5.new.ccache..smbclient.ktest:local --^samba3.blackbox.smbclient_large_file..krb5.smbclient.large.posix.write.read.ktest:local --^samba3.blackbox.smbclient_large_file..krb5.cmp.of.read.and.written.files.ktest:local --^samba3.blackbox.smbclient_krb5.old.ccache.--client-protection=encrypt.smbclient.ktest:local --^samba3.blackbox.smbclient_krb5.new.ccache.--client-protection=encrypt.smbclient.ktest:local --^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.smbclient.large.posix.write.read.ktest:local --^samba3.blackbox.smbclient_large_file.--client-protection=encrypt.krb5.cmp.of.read.and.written.files.ktest:local -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 5c0f71757ef..577e3170daa 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1675,7 +1675,6 @@ sub setup_ktest - workgroup = KTEST - realm = ktest.samba.example.com - security = ads -- username map = $prefix/lib/username.map - server signing = required - server min protocol = SMB3_00 - client max protocol = SMB3 -@@ -1683,6 +1682,10 @@ sub setup_ktest - # This disables NTLM auth against the local SAM, which - # we use can then test this setting by. - ntlm auth = disabled -+ -+ idmap config * : backend = autorid -+ idmap config * : range = 1000000-1999999 -+ idmap config * : rangesize = 100000 - "; - - my $ret = $self->provision( -@@ -1708,12 +1711,6 @@ sub setup_ktest - - $ret->{KRB5_CONFIG} = $ctx->{krb5_conf}; - -- open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); -- print USERMAP " --$ret->{USERNAME} = KTEST\\Administrator --"; -- close(USERMAP); -- - #This is the secrets.tdb created by 'net ads join' from Samba3 to a - #Samba4 DC with the same parameters as are being used here. The - #domain SID is S-1-5-21-1071277805-689288055-3486227160 -@@ -1765,6 +1762,7 @@ $ret->{USERNAME} = KTEST\\Administrator - if (not $self->check_or_start( - env_vars => $ret, - nmbd => "yes", -+ winbindd => "offline", - smbd => "yes")) { - return undef; - } --- -2.33.1 - - -From 0d821434ccdccad38659d76b54159b6335e351c5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 5 Oct 2021 18:12:49 +0200 -Subject: [PATCH 37/39] CVE-2020-25717: s3:auth: let - auth3_generate_session_info_pac() reject a PAC in standalone mode - -We should be strict in standalone mode, that we only support MIT realms -without a PAC in order to keep the code sane. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 29 +++++++++-------------------- - 1 file changed, 9 insertions(+), 20 deletions(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index a8390b1b156..babda46fc92 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - { - enum server_role server_role = lp_server_role(); - TALLOC_CTX *tmp_ctx; -- struct PAC_LOGON_INFO *logon_info = NULL; -- struct netr_SamInfo3 *info3_copy = NULL; - bool is_mapped; - bool is_guest; - char *ntuser; -@@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - /* This is the standalone legacy code path */ - - if (pac_blob != NULL) { --#ifdef HAVE_KRB5 -- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, -- NULL, NULL, 0, &logon_info); --#else -- status = NT_STATUS_ACCESS_DENIED; --#endif -+ /* -+ * In standalone mode we don't expect a PAC! -+ * we only support MIT realms -+ */ -+ status = NT_STATUS_BAD_TOKEN_TYPE; -+ DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n", -+ princ_name, nt_errstr(status)); - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - } - - status = get_user_from_kerberos_info(tmp_ctx, rhost, -- princ_name, logon_info, -+ princ_name, NULL, - &is_mapped, &is_guest, - &ntuser, &ntdomain, - &username, &pw); -@@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - goto done; - } - -- /* Get the info3 from the PAC data if we have it */ -- if (logon_info) { -- status = create_info3_from_pac_logon_info(tmp_ctx, -- logon_info, -- &info3_copy); -- if (!NT_STATUS_IS_OK(status)) { -- goto done; -- } -- } -- - status = make_session_info_krb5(mem_ctx, - ntuser, ntdomain, username, pw, -- info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, -+ NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, - session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", --- -2.33.1 - - -From 2292c83cc012473d6729e578ec5a84d6be415fab Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 17:59:59 +0200 -Subject: [PATCH 38/39] CVE-2020-25717: s3:auth: simplify - get_user_from_kerberos_info() by removing the unused logon_info argument - -This code is only every called in standalone mode on a MIT realm, -it means we never have a PAC and we also don't have winbindd arround. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 2 +- - source3/auth/proto.h | 1 - - source3/auth/user_krb5.c | 57 +++++++------------------------------ - 3 files changed, 11 insertions(+), 49 deletions(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index babda46fc92..8923aec0a4d 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - } - - status = get_user_from_kerberos_info(tmp_ctx, rhost, -- princ_name, NULL, -+ princ_name, - &is_mapped, &is_guest, - &ntuser, &ntdomain, - &username, &pw); -diff --git a/source3/auth/proto.h b/source3/auth/proto.h -index 097b17fee44..46fae447347 100644 ---- a/source3/auth/proto.h -+++ b/source3/auth/proto.h -@@ -423,7 +423,6 @@ struct PAC_LOGON_INFO; - NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - const char *cli_name, - const char *princ_name, -- struct PAC_LOGON_INFO *logon_info, - bool *is_mapped, - bool *mapped_to_guest, - char **ntuser, -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c -index 074e8c7eb71..7b69ca6c222 100644 ---- a/source3/auth/user_krb5.c -+++ b/source3/auth/user_krb5.c -@@ -31,7 +31,6 @@ - NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - const char *cli_name, - const char *princ_name, -- struct PAC_LOGON_INFO *logon_info, - bool *is_mapped, - bool *mapped_to_guest, - char **ntuser, -@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - struct passwd **_pw) - { - NTSTATUS status; -- char *domain = NULL; -- char *realm = NULL; -+ const char *domain = NULL; -+ const char *realm = NULL; - char *user = NULL; - char *p; - char *fuser = NULL; -@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - return NT_STATUS_NO_MEMORY; - } - -- realm = talloc_strdup(talloc_tos(), p + 1); -- if (!realm) { -- return NT_STATUS_NO_MEMORY; -- } -+ realm = p + 1; - - if (!strequal(realm, lp_realm())) { - DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); - if (!lp_allow_trusted_domains()) { - return NT_STATUS_LOGON_FAILURE; - } -- } -- -- if (logon_info && logon_info->info3.base.logon_domain.string) { -- domain = talloc_strdup(mem_ctx, -- logon_info->info3.base.logon_domain.string); -- if (!domain) { -- return NT_STATUS_NO_MEMORY; -- } -- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); -+ domain = realm; - } else { -- -- /* If we have winbind running, we can (and must) shorten the -- username by using the short netbios name. Otherwise we will -- have inconsistent user names. With Kerberos, we get the -- fully qualified realm, with ntlmssp we get the short -- name. And even w2k3 does use ntlmssp if you for example -- connect to an ip address. */ -- -- wbcErr wbc_status; -- struct wbcDomainInfo *info = NULL; -- -- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", -- realm)); -- -- wbc_status = wbcDomainInfo(realm, &info); -- -- if (WBC_ERROR_IS_OK(wbc_status)) { -- domain = talloc_strdup(mem_ctx, -- info->short_name); -- wbcFreeMemory(info); -- } else { -- DEBUG(3, ("Could not find short name: %s\n", -- wbcErrorString(wbc_status))); -- domain = talloc_strdup(mem_ctx, realm); -- } -- if (!domain) { -- return NT_STATUS_NO_MEMORY; -- } -- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); -+ domain = lp_workgroup(); - } - - fuser = talloc_asprintf(mem_ctx, -@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - return NT_STATUS_NO_MEMORY; - } - *ntuser = user; -- *ntdomain = domain; -+ *ntdomain = talloc_strdup(mem_ctx, domain); -+ if (*ntdomain == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ - *_pw = pw; - - return NT_STATUS_OK; -@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, - const char *cli_name, - const char *princ_name, -- struct PAC_LOGON_INFO *logon_info, - bool *is_mapped, - bool *mapped_to_guest, - char **ntuser, --- -2.33.1 - - -From 5607df9a4601a89735c1f9a3eaa700310d89c79a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Oct 2021 18:03:04 +0200 -Subject: [PATCH 39/39] CVE-2020-25717: s3:auth: simplify - make_session_info_krb5() by removing unused arguments - -This is only ever be called in standalone mode with an MIT realm, -so we don't have a PAC/info3 structure. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - source3/auth/auth_generic.c | 2 +- - source3/auth/proto.h | 2 -- - source3/auth/user_krb5.c | 20 +------------------- - 3 files changed, 2 insertions(+), 22 deletions(-) - -diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c -index 8923aec0a4d..fa22a0b2339 100644 ---- a/source3/auth/auth_generic.c -+++ b/source3/auth/auth_generic.c -@@ -227,7 +227,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, - - status = make_session_info_krb5(mem_ctx, - ntuser, ntdomain, username, pw, -- NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, -+ is_guest, is_mapped, - session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", -diff --git a/source3/auth/proto.h b/source3/auth/proto.h -index 46fae447347..fb7f663512b 100644 ---- a/source3/auth/proto.h -+++ b/source3/auth/proto.h -@@ -434,9 +434,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - char *ntdomain, - char *username, - struct passwd *pw, -- const struct netr_SamInfo3 *info3, - bool mapped_to_guest, bool username_was_mapped, -- DATA_BLOB *session_key, - struct auth_session_info **session_info); - - /* The following definitions come from auth/auth_samba4.c */ -diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c -index 7b69ca6c222..b8f37cbeee0 100644 ---- a/source3/auth/user_krb5.c -+++ b/source3/auth/user_krb5.c -@@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - char *ntdomain, - char *username, - struct passwd *pw, -- const struct netr_SamInfo3 *info3, - bool mapped_to_guest, bool username_was_mapped, -- DATA_BLOB *session_key, - struct auth_session_info **session_info) - { - NTSTATUS status; -@@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - return status; - } - -- } else if (info3) { -- /* pass the unmapped username here since map_username() -- will be called again in make_server_info_info3() */ -- -- status = make_server_info_info3(mem_ctx, -- ntuser, ntdomain, -- &server_info, -- info3); -- if (!NT_STATUS_IS_OK(status)) { -- DEBUG(1, ("make_server_info_info3 failed: %s!\n", -- nt_errstr(status))); -- return status; -- } -- - } else { - /* - * We didn't get a PAC, we have to make up the user -@@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - - server_info->nss_token |= username_was_mapped; - -- status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info); -+ status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info); - talloc_free(server_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("failed to create local token: %s\n", -@@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, - char *ntdomain, - char *username, - struct passwd *pw, -- const struct netr_SamInfo3 *info3, - bool mapped_to_guest, bool username_was_mapped, -- DATA_BLOB *session_key, - struct auth_session_info **session_info) - { - return NT_STATUS_NOT_IMPLEMENTED; --- -2.33.1 - diff --git a/SOURCES/CVE-2021-23192.patch b/SOURCES/CVE-2021-23192.patch deleted file mode 100644 index 5e14212..0000000 --- a/SOURCES/CVE-2021-23192.patch +++ /dev/null @@ -1,4996 +0,0 @@ -From d6310598bd205240950410d59a3453f45c45d644 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Fri, 2 Apr 2021 12:20:38 +0200 -Subject: [PATCH 1/9] rpc: Give dcerpc_util.c its own header - -Signed-off-by: Volker Lendecke -Reviewed-by: Jeremy Allison - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -(cherry picked from commit 8945d99758d8bedd374f1c51304b87a6cf10498c) ---- - librpc/rpc/dcerpc_util.c | 1 + - librpc/rpc/dcerpc_util.h | 103 ++++++++++++++++++++ - librpc/rpc/dcesrv_auth.c | 1 + - librpc/rpc/dcesrv_core.c | 1 + - librpc/rpc/dcesrv_reply.c | 1 + - librpc/rpc/rpc_common.h | 74 -------------- - source3/librpc/rpc/dcerpc_helpers.c | 1 + - source3/rpc_client/cli_pipe.c | 1 + - source3/rpc_client/rpc_transport_np.c | 1 + - source3/rpc_server/rpc_ncacn_np.c | 1 + - source4/librpc/rpc/dcerpc.c | 1 + - source4/librpc/rpc/dcerpc_roh_channel_out.c | 1 + - 12 files changed, 113 insertions(+), 74 deletions(-) - create mode 100644 librpc/rpc/dcerpc_util.h - -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c -index 42e8e611019..925fb70ad7c 100644 ---- a/librpc/rpc/dcerpc_util.c -+++ b/librpc/rpc/dcerpc_util.c -@@ -25,6 +25,7 @@ - #include "lib/tsocket/tsocket.h" - #include "lib/util/tevent_ntstatus.h" - #include "librpc/rpc/dcerpc.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "rpc_common.h" - #include "lib/util/bitmap.h" -diff --git a/librpc/rpc/dcerpc_util.h b/librpc/rpc/dcerpc_util.h -new file mode 100644 -index 00000000000..0ecaf428c3c ---- /dev/null -+++ b/librpc/rpc/dcerpc_util.h -@@ -0,0 +1,103 @@ -+/* -+ Unix SMB/CIFS implementation. -+ -+ Copyright (C) Stefan Metzmacher 2010-2011 -+ Copyright (C) Andrew Tridgell 2010-2011 -+ Copyright (C) Simo Sorce 2010 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#ifndef __LIBRPC_RPC_DCERPC_UTIL_H__ -+#define __LIBRPC_RPC_DCERPC_UTIL_H__ -+ -+#include "replace.h" -+#include -+#include "lib/util/data_blob.h" -+#include "librpc/rpc/rpc_common.h" -+#include "librpc/gen_ndr/dcerpc.h" -+ -+void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v); -+uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob); -+void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v); -+uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob); -+uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob); -+uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob); -+uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob); -+uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob); -+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, -+ enum dcerpc_transport_t transport, -+ const struct ndr_interface_table *table); -+ -+NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, -+ const DATA_BLOB *blob, -+ struct ncacn_packet *r); -+ -+/** -+* @brief Pull a dcerpc_auth structure, taking account of any auth -+* padding in the blob. For request/response packets we pass -+* the whole data blob, so auth_data_only must be set to false -+* as the blob contains data+pad+auth and no just pad+auth. -+* -+* @param pkt - The ncacn_packet strcuture -+* @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements -+* @param pkt_trailer - The packet trailer data, usually the trailing -+* auth_info blob, but in the request/response case -+* this is the stub_and_verifier blob. -+* @param auth - A preallocated dcerpc_auth *empty* structure -+* @param auth_length - The length of the auth trail, sum of auth header -+* lenght and pkt->auth_length -+* @param auth_data_only - Whether the pkt_trailer includes only the auth_blob -+* (+ padding) or also other data. -+* -+* @return - A NTSTATUS error code. -+*/ -+NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, -+ TALLOC_CTX *mem_ctx, -+ const DATA_BLOB *pkt_trailer, -+ struct dcerpc_auth *auth, -+ uint32_t *auth_length, -+ bool auth_data_only); -+NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, -+ enum dcerpc_pkt_type ptype, -+ size_t max_auth_info, -+ uint8_t required_flags, -+ uint8_t optional_flags); -+NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ enum dcerpc_pkt_type ptype, -+ uint8_t required_flags, -+ uint8_t optional_flags, -+ uint8_t payload_offset, -+ DATA_BLOB *payload_and_verifier, -+ DATA_BLOB *raw_packet, -+ const struct ncacn_packet *pkt); -+NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ DATA_BLOB *raw_packet, -+ size_t sig_size, -+ uint8_t payload_offset, -+ const DATA_BLOB *payload, -+ const struct ncacn_packet *pkt); -+struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct tstream_context *stream); -+NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct ncacn_packet **pkt, -+ DATA_BLOB *buffer); -+ -+#endif -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index 8ac90f2a2bd..f7919ebf575 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -23,6 +23,7 @@ - #include "includes.h" - #include "librpc/rpc/dcesrv_core.h" - #include "librpc/rpc/dcesrv_core_proto.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "auth/credentials/credentials.h" - #include "auth/gensec/gensec.h" -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index 06f6c4b2382..74730f22c7c 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -24,6 +24,7 @@ - #include "includes.h" - #include "librpc/rpc/dcesrv_core.h" - #include "librpc/rpc/dcesrv_core_proto.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "librpc/gen_ndr/auth.h" - #include "auth/gensec/gensec.h" - #include "lib/util/dlinklist.h" -diff --git a/librpc/rpc/dcesrv_reply.c b/librpc/rpc/dcesrv_reply.c -index 96bd98f53e1..5b4429956e7 100644 ---- a/librpc/rpc/dcesrv_reply.c -+++ b/librpc/rpc/dcesrv_reply.c -@@ -23,6 +23,7 @@ - #include "includes.h" - #include "librpc/rpc/dcesrv_core.h" - #include "librpc/rpc/dcesrv_core_proto.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "auth/gensec/gensec.h" - #include "lib/util/dlinklist.h" - #include "param/param.h" -diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h -index 82fe2eb7e80..55a35f31096 100644 ---- a/librpc/rpc/rpc_common.h -+++ b/librpc/rpc/rpc_common.h -@@ -165,80 +165,6 @@ const char *derpc_transport_string_by_transport(enum dcerpc_transport_t t); - enum dcerpc_transport_t dcerpc_transport_by_name(const char *name); - enum dcerpc_transport_t dcerpc_transport_by_tower(const struct epm_tower *tower); - --/* The following definitions come from ../librpc/rpc/dcerpc_util.c */ -- --void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v); --uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob); --void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v); --uint16_t dcerpc_get_auth_length(const DATA_BLOB *blob); --uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob); --uint8_t dcerpc_get_auth_type(const DATA_BLOB *blob); --uint8_t dcerpc_get_auth_level(const DATA_BLOB *blob); --uint32_t dcerpc_get_auth_context_id(const DATA_BLOB *blob); --const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx, -- enum dcerpc_transport_t transport, -- const struct ndr_interface_table *table); -- --NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, -- const DATA_BLOB *blob, -- struct ncacn_packet *r); -- --/** --* @brief Pull a dcerpc_auth structure, taking account of any auth --* padding in the blob. For request/response packets we pass --* the whole data blob, so auth_data_only must be set to false --* as the blob contains data+pad+auth and no just pad+auth. --* --* @param pkt - The ncacn_packet strcuture --* @param mem_ctx - The mem_ctx used to allocate dcerpc_auth elements --* @param pkt_trailer - The packet trailer data, usually the trailing --* auth_info blob, but in the request/response case --* this is the stub_and_verifier blob. --* @param auth - A preallocated dcerpc_auth *empty* structure --* @param auth_length - The length of the auth trail, sum of auth header --* lenght and pkt->auth_length --* @param auth_data_only - Whether the pkt_trailer includes only the auth_blob --* (+ padding) or also other data. --* --* @return - A NTSTATUS error code. --*/ --NTSTATUS dcerpc_pull_auth_trailer(const struct ncacn_packet *pkt, -- TALLOC_CTX *mem_ctx, -- const DATA_BLOB *pkt_trailer, -- struct dcerpc_auth *auth, -- uint32_t *auth_length, -- bool auth_data_only); --NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, -- enum dcerpc_pkt_type ptype, -- size_t max_auth_info, -- uint8_t required_flags, -- uint8_t optional_flags); --NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- enum dcerpc_pkt_type ptype, -- uint8_t required_flags, -- uint8_t optional_flags, -- uint8_t payload_offset, -- DATA_BLOB *payload_and_verifier, -- DATA_BLOB *raw_packet, -- const struct ncacn_packet *pkt); --NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- DATA_BLOB *raw_packet, -- size_t sig_size, -- uint8_t payload_offset, -- const DATA_BLOB *payload, -- const struct ncacn_packet *pkt); --struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev, -- struct tstream_context *stream); --NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req, -- TALLOC_CTX *mem_ctx, -- struct ncacn_packet **pkt, -- DATA_BLOB *buffer); -- - /* The following definitions come from ../librpc/rpc/binding_handle.c */ - - struct dcerpc_binding_handle_ops { -diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c -index 1f67987561c..c609efd5b07 100644 ---- a/source3/librpc/rpc/dcerpc_helpers.c -+++ b/source3/librpc/rpc/dcerpc_helpers.c -@@ -20,6 +20,7 @@ - - #include "includes.h" - #include "librpc/rpc/dcerpc.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "librpc/crypto/gse.h" - #include "auth/gensec/gensec.h" -diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c -index 8f52acadec8..3d16f1092db 100644 ---- a/source3/rpc_client/cli_pipe.c -+++ b/source3/rpc_client/cli_pipe.c -@@ -30,6 +30,7 @@ - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "librpc/gen_ndr/ndr_netlogon_c.h" - #include "librpc/rpc/dcerpc.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "rpc_dce.h" - #include "cli_pipe.h" - #include "libsmb/libsmb.h" -diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c -index 9dc5c5634fc..b24023661ff 100644 ---- a/source3/rpc_client/rpc_transport_np.c -+++ b/source3/rpc_client/rpc_transport_np.c -@@ -19,6 +19,7 @@ - - #include "includes.h" - #include "../lib/util/tevent_ntstatus.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "rpc_client/rpc_transport.h" - #include "librpc/ndr/ndr_table.h" - #include "libcli/smb/smbXcli_base.h" -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c -index 494b002e714..a874a2376d1 100644 ---- a/source3/rpc_server/rpc_ncacn_np.c -+++ b/source3/rpc_server/rpc_ncacn_np.c -@@ -37,6 +37,7 @@ - #include "rpc_server/rpc_config.h" - #include "librpc/ndr/ndr_table.h" - #include "rpc_server/rpc_server.h" -+#include "librpc/rpc/dcerpc_util.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_RPC_SRV -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c -index 87a99a8df89..f97263dcc5b 100644 ---- a/source4/librpc/rpc/dcerpc.c -+++ b/source4/librpc/rpc/dcerpc.c -@@ -26,6 +26,7 @@ - #include "lib/events/events.h" - #include "librpc/rpc/dcerpc.h" - #include "librpc/rpc/dcerpc_proto.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "librpc/gen_ndr/ndr_misc.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "auth/gensec/gensec.h" -diff --git a/source4/librpc/rpc/dcerpc_roh_channel_out.c b/source4/librpc/rpc/dcerpc_roh_channel_out.c -index e431689d419..2abafb0bab5 100644 ---- a/source4/librpc/rpc/dcerpc_roh_channel_out.c -+++ b/source4/librpc/rpc/dcerpc_roh_channel_out.c -@@ -37,6 +37,7 @@ - #include "librpc/rpc/dcerpc.h" - #include "librpc/rpc/dcerpc_roh.h" - #include "librpc/rpc/dcerpc_proto.h" -+#include "librpc/rpc/dcerpc_util.h" - #include "libcli/http/http.h" - - struct roh_request_state { --- -2.25.1 - - -From fc8592c7e3aa24c3b6819641908f21311840e6cb Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Fri, 2 Apr 2021 13:41:21 +0200 -Subject: [PATCH 2/9] librpc: Remove the gensec dependency from library - dcerpc-binding - -This means yet another library, but having to depend on gensec just -for dcerpc_parse_binding() and basic packet parsing seems like a bit -overkill to me. - -Signed-off-by: Volker Lendecke -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Tue Apr 6 23:33:14 UTC 2021 on sn-devel-184 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -(cherry picked from commit 4d3b6506d30e4bf302f832493dad00a83b73d370) ---- - libcli/auth/wscript_build | 10 +- - librpc/rpc/dcerpc_pkt_auth.c | 497 +++++++++++++++++++++++++++++++++++ - librpc/rpc/dcerpc_pkt_auth.h | 58 ++++ - librpc/rpc/dcerpc_util.c | 464 -------------------------------- - librpc/rpc/dcerpc_util.h | 18 -- - librpc/rpc/dcesrv_auth.c | 1 + - librpc/wscript_build | 25 +- - source3/wscript_build | 8 +- - source4/librpc/rpc/dcerpc.c | 1 + - source4/librpc/wscript_build | 21 +- - 10 files changed, 613 insertions(+), 490 deletions(-) - create mode 100644 librpc/rpc/dcerpc_pkt_auth.c - create mode 100644 librpc/rpc/dcerpc_pkt_auth.h - -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 2a6a7468e45..24ab68fac1e 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -30,7 +30,15 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL', - - bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI', - source='netlogon_creds_cli.c', -- deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON' -+ deps=''' -+ dbwrap -+ util_tdb -+ tevent-util -+ samba-hostconfig -+ gensec -+ RPC_NDR_NETLOGON -+ NDR_NETLOGON -+ ''' - ) - - bld.SAMBA_SUBSYSTEM('PAM_ERRORS', -diff --git a/librpc/rpc/dcerpc_pkt_auth.c b/librpc/rpc/dcerpc_pkt_auth.c -new file mode 100644 -index 00000000000..322d7497893 ---- /dev/null -+++ b/librpc/rpc/dcerpc_pkt_auth.c -@@ -0,0 +1,497 @@ -+/* -+ Unix SMB/CIFS implementation. -+ raw dcerpc operations -+ -+ Copyright (C) Andrew Tridgell 2003-2005 -+ Copyright (C) Jelmer Vernooij 2004-2005 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "replace.h" -+#include "system/network.h" -+#include -+#include "lib/util/talloc_stack.h" -+#include "lib/util/debug.h" -+#include "lib/util/byteorder.h" -+#include "lib/util/samba_util.h" -+#include "librpc/rpc/dcerpc.h" -+#include "librpc/rpc/dcerpc_util.h" -+#include "librpc/rpc/dcerpc_pkt_auth.h" -+#include "librpc/gen_ndr/ndr_dcerpc.h" -+#include "rpc_common.h" -+#include "lib/util/bitmap.h" -+#include "auth/gensec/gensec.h" -+#include "lib/util/mkdir_p.h" -+#include "lib/crypto/gnutls_helpers.h" -+#include -+ -+NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ enum dcerpc_pkt_type ptype, -+ uint8_t required_flags, -+ uint8_t optional_flags, -+ uint8_t payload_offset, -+ DATA_BLOB *payload_and_verifier, -+ DATA_BLOB *raw_packet, -+ const struct ncacn_packet *pkt) -+{ -+ NTSTATUS status; -+ struct dcerpc_auth auth; -+ uint32_t auth_length; -+ -+ if (auth_state == NULL) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ status = dcerpc_verify_ncacn_packet_header(pkt, ptype, -+ payload_and_verifier->length, -+ required_flags, optional_flags); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ switch (auth_state->auth_level) { -+ case DCERPC_AUTH_LEVEL_PRIVACY: -+ case DCERPC_AUTH_LEVEL_INTEGRITY: -+ case DCERPC_AUTH_LEVEL_PACKET: -+ break; -+ -+ case DCERPC_AUTH_LEVEL_CONNECT: -+ if (pkt->auth_length != 0) { -+ break; -+ } -+ return NT_STATUS_OK; -+ case DCERPC_AUTH_LEVEL_NONE: -+ if (pkt->auth_length != 0) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ return NT_STATUS_OK; -+ -+ default: -+ return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL; -+ } -+ -+ if (pkt->auth_length == 0) { -+ return NT_STATUS_RPC_PROTOCOL_ERROR; -+ } -+ -+ if (gensec == NULL) { -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ status = dcerpc_pull_auth_trailer(pkt, mem_ctx, -+ payload_and_verifier, -+ &auth, &auth_length, false); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ if (payload_and_verifier->length < auth_length) { -+ /* -+ * should be checked in dcerpc_pull_auth_trailer() -+ */ -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ payload_and_verifier->length -= auth_length; -+ -+ if (payload_and_verifier->length < auth.auth_pad_length) { -+ /* -+ * should be checked in dcerpc_pull_auth_trailer() -+ */ -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ if (auth.auth_type != auth_state->auth_type) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ if (auth.auth_level != auth_state->auth_level) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ if (auth.auth_context_id != auth_state->auth_context_id) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ /* check signature or unseal the packet */ -+ switch (auth_state->auth_level) { -+ case DCERPC_AUTH_LEVEL_PRIVACY: -+ status = gensec_unseal_packet(gensec, -+ raw_packet->data + payload_offset, -+ payload_and_verifier->length, -+ raw_packet->data, -+ raw_packet->length - -+ auth.credentials.length, -+ &auth.credentials); -+ if (!NT_STATUS_IS_OK(status)) { -+ return NT_STATUS_RPC_SEC_PKG_ERROR; -+ } -+ memcpy(payload_and_verifier->data, -+ raw_packet->data + payload_offset, -+ payload_and_verifier->length); -+ break; -+ -+ case DCERPC_AUTH_LEVEL_INTEGRITY: -+ case DCERPC_AUTH_LEVEL_PACKET: -+ status = gensec_check_packet(gensec, -+ payload_and_verifier->data, -+ payload_and_verifier->length, -+ raw_packet->data, -+ raw_packet->length - -+ auth.credentials.length, -+ &auth.credentials); -+ if (!NT_STATUS_IS_OK(status)) { -+ return NT_STATUS_RPC_SEC_PKG_ERROR; -+ } -+ break; -+ -+ case DCERPC_AUTH_LEVEL_CONNECT: -+ /* for now we ignore possible signatures here */ -+ break; -+ -+ default: -+ return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL; -+ } -+ -+ /* -+ * remove the indicated amount of padding -+ * -+ * A possible overflow is checked above. -+ */ -+ payload_and_verifier->length -= auth.auth_pad_length; -+ -+ return NT_STATUS_OK; -+} -+ -+NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ DATA_BLOB *raw_packet, -+ size_t sig_size, -+ uint8_t payload_offset, -+ const DATA_BLOB *payload, -+ const struct ncacn_packet *pkt) -+{ -+ TALLOC_CTX *frame = talloc_stackframe(); -+ NTSTATUS status; -+ enum ndr_err_code ndr_err; -+ struct ndr_push *ndr = NULL; -+ uint32_t payload_length; -+ uint32_t whole_length; -+ DATA_BLOB blob = data_blob_null; -+ DATA_BLOB sig = data_blob_null; -+ struct dcerpc_auth _out_auth_info; -+ struct dcerpc_auth *out_auth_info = NULL; -+ -+ *raw_packet = data_blob_null; -+ -+ if (auth_state == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ switch (auth_state->auth_level) { -+ case DCERPC_AUTH_LEVEL_PRIVACY: -+ case DCERPC_AUTH_LEVEL_INTEGRITY: -+ case DCERPC_AUTH_LEVEL_PACKET: -+ if (sig_size == 0) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ if (gensec == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ _out_auth_info = (struct dcerpc_auth) { -+ .auth_type = auth_state->auth_type, -+ .auth_level = auth_state->auth_level, -+ .auth_context_id = auth_state->auth_context_id, -+ }; -+ out_auth_info = &_out_auth_info; -+ break; -+ -+ case DCERPC_AUTH_LEVEL_CONNECT: -+ /* -+ * TODO: let the gensec mech decide if it wants to generate a -+ * signature that might be needed for schannel... -+ */ -+ if (sig_size != 0) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ if (gensec == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ break; -+ -+ case DCERPC_AUTH_LEVEL_NONE: -+ if (sig_size != 0) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ break; -+ -+ default: -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ ndr = ndr_push_init_ctx(frame); -+ if (ndr == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ TALLOC_FREE(frame); -+ return ndr_map_error2ntstatus(ndr_err); -+ } -+ -+ if (out_auth_info != NULL) { -+ /* -+ * pad to 16 byte multiple in the payload portion of the -+ * packet. This matches what w2k3 does. Note that we can't use -+ * ndr_push_align() as that is relative to the start of the -+ * whole packet, whereas w2k8 wants it relative to the start -+ * of the stub. -+ */ -+ out_auth_info->auth_pad_length = -+ DCERPC_AUTH_PAD_LENGTH(payload->length); -+ ndr_err = ndr_push_zero(ndr, out_auth_info->auth_pad_length); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ TALLOC_FREE(frame); -+ return ndr_map_error2ntstatus(ndr_err); -+ } -+ -+ payload_length = payload->length + -+ out_auth_info->auth_pad_length; -+ -+ ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, -+ out_auth_info); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ TALLOC_FREE(frame); -+ return ndr_map_error2ntstatus(ndr_err); -+ } -+ -+ whole_length = ndr->offset; -+ -+ ndr_err = ndr_push_zero(ndr, sig_size); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ TALLOC_FREE(frame); -+ return ndr_map_error2ntstatus(ndr_err); -+ } -+ } else { -+ payload_length = payload->length; -+ whole_length = ndr->offset; -+ } -+ -+ /* extract the whole packet as a blob */ -+ blob = ndr_push_blob(ndr); -+ -+ /* -+ * Setup the frag and auth length in the packet buffer. -+ * This is needed if the GENSEC mech does AEAD signing -+ * of the packet headers. The signature itself will be -+ * appended later. -+ */ -+ dcerpc_set_frag_length(&blob, blob.length); -+ dcerpc_set_auth_length(&blob, sig_size); -+ -+ /* sign or seal the packet */ -+ switch (auth_state->auth_level) { -+ case DCERPC_AUTH_LEVEL_PRIVACY: -+ status = gensec_seal_packet(gensec, -+ frame, -+ blob.data + payload_offset, -+ payload_length, -+ blob.data, -+ whole_length, -+ &sig); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ break; -+ -+ case DCERPC_AUTH_LEVEL_INTEGRITY: -+ case DCERPC_AUTH_LEVEL_PACKET: -+ status = gensec_sign_packet(gensec, -+ frame, -+ blob.data + payload_offset, -+ payload_length, -+ blob.data, -+ whole_length, -+ &sig); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ break; -+ -+ case DCERPC_AUTH_LEVEL_CONNECT: -+ case DCERPC_AUTH_LEVEL_NONE: -+ break; -+ -+ default: -+ TALLOC_FREE(frame); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ if (sig.length != sig_size) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_RPC_SEC_PKG_ERROR; -+ } -+ -+ if (sig_size != 0) { -+ memcpy(blob.data + whole_length, sig.data, sig_size); -+ } -+ -+ *raw_packet = blob; -+ talloc_steal(mem_ctx, raw_packet->data); -+ TALLOC_FREE(frame); -+ return NT_STATUS_OK; -+} -+ -+#ifdef DEVELOPER -+ -+/* -+ * Save valid, well-formed DCE/RPC stubs to use as a seed for -+ * ndr_fuzz_X -+ */ -+void dcerpc_save_ndr_fuzz_seed(TALLOC_CTX *mem_ctx, -+ DATA_BLOB raw_blob, -+ const char *dump_dir, -+ const char *iface_name, -+ int flags, -+ int opnum, -+ bool ndr64) -+{ -+ char *fname = NULL; -+ const char *sub_dir = NULL; -+ TALLOC_CTX *temp_ctx = talloc_new(mem_ctx); -+ DATA_BLOB blob; -+ int ret, rc; -+ uint8_t digest[20]; -+ DATA_BLOB digest_blob; -+ char *digest_hex; -+ uint16_t fuzz_flags = 0; -+ -+ /* -+ * We want to save the 'stub' in a per-pipe subdirectory, with -+ * the ndr_fuzz_X header 4 byte header. For the sake of -+ * convenience (this is a developer only function), we mkdir -+ * -p the sub-directories when they are needed. -+ */ -+ -+ if (dump_dir == NULL) { -+ return; -+ } -+ -+ temp_ctx = talloc_stackframe(); -+ -+ sub_dir = talloc_asprintf(temp_ctx, "%s/%s", -+ dump_dir, -+ iface_name); -+ if (sub_dir == NULL) { -+ talloc_free(temp_ctx); -+ return; -+ } -+ ret = mkdir_p(sub_dir, 0755); -+ if (ret && errno != EEXIST) { -+ DBG_ERR("could not create %s\n", sub_dir); -+ talloc_free(temp_ctx); -+ return; -+ } -+ -+ blob.length = raw_blob.length + 4; -+ blob.data = talloc_array(sub_dir, -+ uint8_t, -+ blob.length); -+ if (blob.data == NULL) { -+ DBG_ERR("could not allocate for fuzz seeds! (%s)\n", -+ iface_name); -+ talloc_free(temp_ctx); -+ return; -+ } -+ -+ if (ndr64) { -+ fuzz_flags = 4; -+ } -+ if (flags & NDR_IN) { -+ fuzz_flags |= 1; -+ } else if (flags & NDR_OUT) { -+ fuzz_flags |= 2; -+ } -+ -+ SSVAL(blob.data, 0, fuzz_flags); -+ SSVAL(blob.data, 2, opnum); -+ -+ memcpy(&blob.data[4], -+ raw_blob.data, -+ raw_blob.length); -+ -+ /* -+ * This matches how oss-fuzz names the corpus input files, due -+ * to a preference from libFuzzer -+ */ -+ rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, -+ blob.data, -+ blob.length, -+ digest); -+ if (rc < 0) { -+ /* -+ * This prints a better error message, eg if SHA1 is -+ * disabled -+ */ -+ NTSTATUS status = gnutls_error_to_ntstatus(rc, -+ NT_STATUS_HASH_NOT_SUPPORTED); -+ DBG_ERR("Failed to generate SHA1 to save fuzz seed: %s", -+ nt_errstr(status)); -+ talloc_free(temp_ctx); -+ return; -+ } -+ -+ digest_blob.data = digest; -+ digest_blob.length = sizeof(digest); -+ digest_hex = data_blob_hex_string_lower(temp_ctx, &digest_blob); -+ -+ fname = talloc_asprintf(temp_ctx, "%s/%s", -+ sub_dir, -+ digest_hex); -+ if (fname == NULL) { -+ talloc_free(temp_ctx); -+ return; -+ } -+ -+ /* -+ * If this fails, it is most likely because that file already -+ * exists. This is fine, it means we already have this -+ * sample -+ */ -+ file_save(fname, -+ blob.data, -+ blob.length); -+ -+ talloc_free(temp_ctx); -+} -+ -+#endif /*if DEVELOPER, enveloping _dcesrv_save_ndr_fuzz_seed() */ -diff --git a/librpc/rpc/dcerpc_pkt_auth.h b/librpc/rpc/dcerpc_pkt_auth.h -new file mode 100644 -index 00000000000..c0d23b91c05 ---- /dev/null -+++ b/librpc/rpc/dcerpc_pkt_auth.h -@@ -0,0 +1,58 @@ -+/* -+ Unix SMB/CIFS implementation. -+ -+ Copyright (C) Stefan Metzmacher 2010-2011 -+ Copyright (C) Andrew Tridgell 2010-2011 -+ Copyright (C) Simo Sorce 2010 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#ifndef __LIBRPC_RPC_DCERPC_PKT_AUTH_H__ -+#define __LIBRPC_RPC_DCERPC_PKT_AUTH_H__ -+ -+#include "replace.h" -+#include -+#include "lib/util/data_blob.h" -+#include "libcli/util/ntstatus.h" -+#include "librpc/rpc/rpc_common.h" -+#include "librpc/gen_ndr/dcerpc.h" -+ -+NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ enum dcerpc_pkt_type ptype, -+ uint8_t required_flags, -+ uint8_t optional_flags, -+ uint8_t payload_offset, -+ DATA_BLOB *payload_and_verifier, -+ DATA_BLOB *raw_packet, -+ const struct ncacn_packet *pkt); -+NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -+ struct gensec_security *gensec, -+ TALLOC_CTX *mem_ctx, -+ DATA_BLOB *raw_packet, -+ size_t sig_size, -+ uint8_t payload_offset, -+ const DATA_BLOB *payload, -+ const struct ncacn_packet *pkt); -+struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev, -+ struct tstream_context *stream); -+NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req, -+ TALLOC_CTX *mem_ctx, -+ struct ncacn_packet **pkt, -+ DATA_BLOB *buffer); -+ -+#endif -diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c -index 925fb70ad7c..c878a2af094 100644 ---- a/librpc/rpc/dcerpc_util.c -+++ b/librpc/rpc/dcerpc_util.c -@@ -29,10 +29,6 @@ - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "rpc_common.h" - #include "lib/util/bitmap.h" --#include "auth/gensec/gensec.h" --#include "lib/util/mkdir_p.h" --#include "lib/crypto/gnutls_helpers.h" --#include - - #undef strncasecmp - -@@ -486,340 +482,6 @@ NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, - return NT_STATUS_OK; - } - --NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- enum dcerpc_pkt_type ptype, -- uint8_t required_flags, -- uint8_t optional_flags, -- uint8_t payload_offset, -- DATA_BLOB *payload_and_verifier, -- DATA_BLOB *raw_packet, -- const struct ncacn_packet *pkt) --{ -- NTSTATUS status; -- struct dcerpc_auth auth; -- uint32_t auth_length; -- -- if (auth_state == NULL) { -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- status = dcerpc_verify_ncacn_packet_header(pkt, ptype, -- payload_and_verifier->length, -- required_flags, optional_flags); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- switch (auth_state->auth_level) { -- case DCERPC_AUTH_LEVEL_PRIVACY: -- case DCERPC_AUTH_LEVEL_INTEGRITY: -- case DCERPC_AUTH_LEVEL_PACKET: -- break; -- -- case DCERPC_AUTH_LEVEL_CONNECT: -- if (pkt->auth_length != 0) { -- break; -- } -- return NT_STATUS_OK; -- case DCERPC_AUTH_LEVEL_NONE: -- if (pkt->auth_length != 0) { -- return NT_STATUS_ACCESS_DENIED; -- } -- return NT_STATUS_OK; -- -- default: -- return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL; -- } -- -- if (pkt->auth_length == 0) { -- return NT_STATUS_RPC_PROTOCOL_ERROR; -- } -- -- if (gensec == NULL) { -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- status = dcerpc_pull_auth_trailer(pkt, mem_ctx, -- payload_and_verifier, -- &auth, &auth_length, false); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- if (payload_and_verifier->length < auth_length) { -- /* -- * should be checked in dcerpc_pull_auth_trailer() -- */ -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- payload_and_verifier->length -= auth_length; -- -- if (payload_and_verifier->length < auth.auth_pad_length) { -- /* -- * should be checked in dcerpc_pull_auth_trailer() -- */ -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- if (auth.auth_type != auth_state->auth_type) { -- return NT_STATUS_ACCESS_DENIED; -- } -- -- if (auth.auth_level != auth_state->auth_level) { -- return NT_STATUS_ACCESS_DENIED; -- } -- -- if (auth.auth_context_id != auth_state->auth_context_id) { -- return NT_STATUS_ACCESS_DENIED; -- } -- -- /* check signature or unseal the packet */ -- switch (auth_state->auth_level) { -- case DCERPC_AUTH_LEVEL_PRIVACY: -- status = gensec_unseal_packet(gensec, -- raw_packet->data + payload_offset, -- payload_and_verifier->length, -- raw_packet->data, -- raw_packet->length - -- auth.credentials.length, -- &auth.credentials); -- if (!NT_STATUS_IS_OK(status)) { -- return NT_STATUS_RPC_SEC_PKG_ERROR; -- } -- memcpy(payload_and_verifier->data, -- raw_packet->data + payload_offset, -- payload_and_verifier->length); -- break; -- -- case DCERPC_AUTH_LEVEL_INTEGRITY: -- case DCERPC_AUTH_LEVEL_PACKET: -- status = gensec_check_packet(gensec, -- payload_and_verifier->data, -- payload_and_verifier->length, -- raw_packet->data, -- raw_packet->length - -- auth.credentials.length, -- &auth.credentials); -- if (!NT_STATUS_IS_OK(status)) { -- return NT_STATUS_RPC_SEC_PKG_ERROR; -- } -- break; -- -- case DCERPC_AUTH_LEVEL_CONNECT: -- /* for now we ignore possible signatures here */ -- break; -- -- default: -- return NT_STATUS_RPC_UNSUPPORTED_AUTHN_LEVEL; -- } -- -- /* -- * remove the indicated amount of padding -- * -- * A possible overflow is checked above. -- */ -- payload_and_verifier->length -= auth.auth_pad_length; -- -- return NT_STATUS_OK; --} -- --NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- DATA_BLOB *raw_packet, -- size_t sig_size, -- uint8_t payload_offset, -- const DATA_BLOB *payload, -- const struct ncacn_packet *pkt) --{ -- TALLOC_CTX *frame = talloc_stackframe(); -- NTSTATUS status; -- enum ndr_err_code ndr_err; -- struct ndr_push *ndr = NULL; -- uint32_t payload_length; -- uint32_t whole_length; -- DATA_BLOB blob = data_blob_null; -- DATA_BLOB sig = data_blob_null; -- struct dcerpc_auth _out_auth_info; -- struct dcerpc_auth *out_auth_info = NULL; -- -- *raw_packet = data_blob_null; -- -- if (auth_state == NULL) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- switch (auth_state->auth_level) { -- case DCERPC_AUTH_LEVEL_PRIVACY: -- case DCERPC_AUTH_LEVEL_INTEGRITY: -- case DCERPC_AUTH_LEVEL_PACKET: -- if (sig_size == 0) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- if (gensec == NULL) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- _out_auth_info = (struct dcerpc_auth) { -- .auth_type = auth_state->auth_type, -- .auth_level = auth_state->auth_level, -- .auth_context_id = auth_state->auth_context_id, -- }; -- out_auth_info = &_out_auth_info; -- break; -- -- case DCERPC_AUTH_LEVEL_CONNECT: -- /* -- * TODO: let the gensec mech decide if it wants to generate a -- * signature that might be needed for schannel... -- */ -- if (sig_size != 0) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- if (gensec == NULL) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- break; -- -- case DCERPC_AUTH_LEVEL_NONE: -- if (sig_size != 0) { -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- break; -- -- default: -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- ndr = ndr_push_init_ctx(frame); -- if (ndr == NULL) { -- TALLOC_FREE(frame); -- return NT_STATUS_NO_MEMORY; -- } -- -- ndr_err = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- TALLOC_FREE(frame); -- return ndr_map_error2ntstatus(ndr_err); -- } -- -- if (out_auth_info != NULL) { -- /* -- * pad to 16 byte multiple in the payload portion of the -- * packet. This matches what w2k3 does. Note that we can't use -- * ndr_push_align() as that is relative to the start of the -- * whole packet, whereas w2k8 wants it relative to the start -- * of the stub. -- */ -- out_auth_info->auth_pad_length = -- DCERPC_AUTH_PAD_LENGTH(payload->length); -- ndr_err = ndr_push_zero(ndr, out_auth_info->auth_pad_length); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- TALLOC_FREE(frame); -- return ndr_map_error2ntstatus(ndr_err); -- } -- -- payload_length = payload->length + -- out_auth_info->auth_pad_length; -- -- ndr_err = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, -- out_auth_info); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- TALLOC_FREE(frame); -- return ndr_map_error2ntstatus(ndr_err); -- } -- -- whole_length = ndr->offset; -- -- ndr_err = ndr_push_zero(ndr, sig_size); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- TALLOC_FREE(frame); -- return ndr_map_error2ntstatus(ndr_err); -- } -- } else { -- payload_length = payload->length; -- whole_length = ndr->offset; -- } -- -- /* extract the whole packet as a blob */ -- blob = ndr_push_blob(ndr); -- -- /* -- * Setup the frag and auth length in the packet buffer. -- * This is needed if the GENSEC mech does AEAD signing -- * of the packet headers. The signature itself will be -- * appended later. -- */ -- dcerpc_set_frag_length(&blob, blob.length); -- dcerpc_set_auth_length(&blob, sig_size); -- -- /* sign or seal the packet */ -- switch (auth_state->auth_level) { -- case DCERPC_AUTH_LEVEL_PRIVACY: -- status = gensec_seal_packet(gensec, -- frame, -- blob.data + payload_offset, -- payload_length, -- blob.data, -- whole_length, -- &sig); -- if (!NT_STATUS_IS_OK(status)) { -- TALLOC_FREE(frame); -- return status; -- } -- break; -- -- case DCERPC_AUTH_LEVEL_INTEGRITY: -- case DCERPC_AUTH_LEVEL_PACKET: -- status = gensec_sign_packet(gensec, -- frame, -- blob.data + payload_offset, -- payload_length, -- blob.data, -- whole_length, -- &sig); -- if (!NT_STATUS_IS_OK(status)) { -- TALLOC_FREE(frame); -- return status; -- } -- break; -- -- case DCERPC_AUTH_LEVEL_CONNECT: -- case DCERPC_AUTH_LEVEL_NONE: -- break; -- -- default: -- TALLOC_FREE(frame); -- return NT_STATUS_INTERNAL_ERROR; -- } -- -- if (sig.length != sig_size) { -- TALLOC_FREE(frame); -- return NT_STATUS_RPC_SEC_PKG_ERROR; -- } -- -- if (sig_size != 0) { -- memcpy(blob.data + whole_length, sig.data, sig_size); -- } -- -- *raw_packet = blob; -- talloc_steal(mem_ctx, raw_packet->data); -- TALLOC_FREE(frame); -- return NT_STATUS_OK; --} -- - struct dcerpc_read_ncacn_packet_state { - #if 0 - struct { -@@ -1474,129 +1136,3 @@ void dcerpc_log_packet(const char *packet_log_dir, - free(name); - } - } -- -- --#ifdef DEVELOPER -- --/* -- * Save valid, well-formed DCE/RPC stubs to use as a seed for -- * ndr_fuzz_X -- */ --void dcerpc_save_ndr_fuzz_seed(TALLOC_CTX *mem_ctx, -- DATA_BLOB raw_blob, -- const char *dump_dir, -- const char *iface_name, -- int flags, -- int opnum, -- bool ndr64) --{ -- char *fname = NULL; -- const char *sub_dir = NULL; -- TALLOC_CTX *temp_ctx = talloc_new(mem_ctx); -- DATA_BLOB blob; -- int ret, rc; -- uint8_t digest[20]; -- DATA_BLOB digest_blob; -- char *digest_hex; -- uint16_t fuzz_flags = 0; -- -- /* -- * We want to save the 'stub' in a per-pipe subdirectory, with -- * the ndr_fuzz_X header 4 byte header. For the sake of -- * convenience (this is a developer only function), we mkdir -- * -p the sub-directories when they are needed. -- */ -- -- if (dump_dir == NULL) { -- return; -- } -- -- temp_ctx = talloc_stackframe(); -- -- sub_dir = talloc_asprintf(temp_ctx, "%s/%s", -- dump_dir, -- iface_name); -- if (sub_dir == NULL) { -- talloc_free(temp_ctx); -- return; -- } -- ret = mkdir_p(sub_dir, 0755); -- if (ret && errno != EEXIST) { -- DBG_ERR("could not create %s\n", sub_dir); -- talloc_free(temp_ctx); -- return; -- } -- -- blob.length = raw_blob.length + 4; -- blob.data = talloc_array(sub_dir, -- uint8_t, -- blob.length); -- if (blob.data == NULL) { -- DBG_ERR("could not allocate for fuzz seeds! (%s)\n", -- iface_name); -- talloc_free(temp_ctx); -- return; -- } -- -- if (ndr64) { -- fuzz_flags = 4; -- } -- if (flags & NDR_IN) { -- fuzz_flags |= 1; -- } else if (flags & NDR_OUT) { -- fuzz_flags |= 2; -- } -- -- SSVAL(blob.data, 0, fuzz_flags); -- SSVAL(blob.data, 2, opnum); -- -- memcpy(&blob.data[4], -- raw_blob.data, -- raw_blob.length); -- -- /* -- * This matches how oss-fuzz names the corpus input files, due -- * to a preference from libFuzzer -- */ -- rc = gnutls_hash_fast(GNUTLS_DIG_SHA1, -- blob.data, -- blob.length, -- digest); -- if (rc < 0) { -- /* -- * This prints a better error message, eg if SHA1 is -- * disabled -- */ -- NTSTATUS status = gnutls_error_to_ntstatus(rc, -- NT_STATUS_HASH_NOT_SUPPORTED); -- DBG_ERR("Failed to generate SHA1 to save fuzz seed: %s", -- nt_errstr(status)); -- talloc_free(temp_ctx); -- return; -- } -- -- digest_blob.data = digest; -- digest_blob.length = sizeof(digest); -- digest_hex = data_blob_hex_string_lower(temp_ctx, &digest_blob); -- -- fname = talloc_asprintf(temp_ctx, "%s/%s", -- sub_dir, -- digest_hex); -- if (fname == NULL) { -- talloc_free(temp_ctx); -- return; -- } -- -- /* -- * If this fails, it is most likely because that file already -- * exists. This is fine, it means we already have this -- * sample -- */ -- file_save(fname, -- blob.data, -- blob.length); -- -- talloc_free(temp_ctx); --} -- --#endif /*if DEVELOPER, enveloping _dcesrv_save_ndr_fuzz_seed() */ -diff --git a/librpc/rpc/dcerpc_util.h b/librpc/rpc/dcerpc_util.h -index 0ecaf428c3c..a9bc7bd3832 100644 ---- a/librpc/rpc/dcerpc_util.h -+++ b/librpc/rpc/dcerpc_util.h -@@ -74,24 +74,6 @@ NTSTATUS dcerpc_verify_ncacn_packet_header(const struct ncacn_packet *pkt, - size_t max_auth_info, - uint8_t required_flags, - uint8_t optional_flags); --NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- enum dcerpc_pkt_type ptype, -- uint8_t required_flags, -- uint8_t optional_flags, -- uint8_t payload_offset, -- DATA_BLOB *payload_and_verifier, -- DATA_BLOB *raw_packet, -- const struct ncacn_packet *pkt); --NTSTATUS dcerpc_ncacn_push_pkt_auth(const struct dcerpc_auth *auth_state, -- struct gensec_security *gensec, -- TALLOC_CTX *mem_ctx, -- DATA_BLOB *raw_packet, -- size_t sig_size, -- uint8_t payload_offset, -- const DATA_BLOB *payload, -- const struct ncacn_packet *pkt); - struct tevent_req *dcerpc_read_ncacn_packet_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct tstream_context *stream); -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index f7919ebf575..8dda86d88e2 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -24,6 +24,7 @@ - #include "librpc/rpc/dcesrv_core.h" - #include "librpc/rpc/dcesrv_core_proto.h" - #include "librpc/rpc/dcerpc_util.h" -+#include "librpc/rpc/dcerpc_pkt_auth.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "auth/credentials/credentials.h" - #include "auth/gensec/gensec.h" -diff --git a/librpc/wscript_build b/librpc/wscript_build -index e4632d538a4..59d6c31363d 100644 ---- a/librpc/wscript_build -+++ b/librpc/wscript_build -@@ -655,12 +655,24 @@ bld.SAMBA_LIBRARY('ndr', - ) - - bld.SAMBA_LIBRARY('dcerpc-binding', -- source='rpc/dcerpc_error.c rpc/binding.c rpc/dcerpc_util.c rpc/binding_handle.c', -- deps='ndr tevent NDR_DCERPC LIBTSOCKET tevent-util gensec', -+ source=''' -+ rpc/dcerpc_error.c -+ rpc/binding.c -+ rpc/dcerpc_util.c -+ rpc/binding_handle.c -+ ''', -+ deps='ndr tevent NDR_DCERPC LIBTSOCKET tevent-util', - pc_files=[], - public_headers='rpc/rpc_common.h', - vnum='0.0.1') - -+bld.SAMBA_LIBRARY('dcerpc-pkt-auth', -+ private_library=True, -+ source=''' -+ rpc/dcerpc_pkt_auth.c -+ ''', -+ deps='dcerpc-binding gensec') -+ - bld.SAMBA_LIBRARY('dcerpc-server-core', - source=''' - rpc/dcesrv_core.c -@@ -669,7 +681,14 @@ bld.SAMBA_LIBRARY('dcerpc-server-core', - rpc/dcesrv_reply.c - rpc/dcesrv_handles.c - ''', -- deps='ndr dcerpc-binding samba-util-core gnutls GNUTLS_HELPERS', -+ deps=''' -+ ndr -+ dcerpc-binding -+ samba-util-core -+ gnutls -+ GNUTLS_HELPERS -+ dcerpc-pkt-auth -+ ''', - pc_files=[], - public_headers='rpc/dcesrv_core.h', - autoproto='rpc/dcesrv_core_proto.h', -diff --git a/source3/wscript_build b/source3/wscript_build -index 5d04fcb41d1..a143477a506 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1034,9 +1034,11 @@ bld.SAMBA3_LIBRARY('cli_spoolss', - rpc_client/init_spoolss.c - ''', - deps=''' -- RPC_NDR_SPOOLSS -- smbconf -- secrets3''', -+ RPC_NDR_SPOOLSS -+ smbconf -+ secrets3 -+ gensec -+ ''', - private_library=True) - - bld.SAMBA3_SUBSYSTEM('LIBCLI_WINREG', -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c -index f97263dcc5b..4847e8a0200 100644 ---- a/source4/librpc/rpc/dcerpc.c -+++ b/source4/librpc/rpc/dcerpc.c -@@ -27,6 +27,7 @@ - #include "librpc/rpc/dcerpc.h" - #include "librpc/rpc/dcerpc_proto.h" - #include "librpc/rpc/dcerpc_util.h" -+#include "librpc/rpc/dcerpc_pkt_auth.h" - #include "librpc/gen_ndr/ndr_misc.h" - #include "librpc/gen_ndr/ndr_dcerpc.h" - #include "auth/gensec/gensec.h" -diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build -index ea9c4853d7a..511008d919d 100644 ---- a/source4/librpc/wscript_build -+++ b/source4/librpc/wscript_build -@@ -157,7 +157,26 @@ bld.SAMBA_LIBRARY('dcerpc', - rpc/dcerpc_roh_channel_in.c rpc/dcerpc_roh_channel_out.c rpc/dcerpc_roh.c - rpc/dcerpc_connect.c rpc/dcerpc_secondary.c''', - pc_files='dcerpc.pc', -- deps='samba_socket LIBCLI_RESOLVE LIBCLI_SMB LIBCLI_SMB2 ndr NDR_DCERPC RPC_NDR_EPMAPPER NDR_SCHANNEL RPC_NDR_NETLOGON RPC_NDR_MGMT gensec LIBCLI_AUTH smbclient-raw LP_RESOLVE tevent-util dcerpc-binding param_options http', -+ deps=''' -+ samba_socket -+ LIBCLI_RESOLVE -+ LIBCLI_SMB -+ LIBCLI_SMB2 -+ ndr -+ NDR_DCERPC -+ RPC_NDR_EPMAPPER -+ NDR_SCHANNEL -+ RPC_NDR_NETLOGON -+ RPC_NDR_MGMT -+ gensec -+ LIBCLI_AUTH -+ smbclient-raw -+ LP_RESOLVE -+ tevent-util -+ dcerpc-binding -+ dcerpc-pkt-auth -+ param_options -+ http''', - autoproto='rpc/dcerpc_proto.h', - public_deps='samba-credentials tevent talloc', - public_headers='''rpc/dcerpc.h''', --- -2.25.1 - - -From fba123a44e0afd9d2377e3e45b0b2d88aecb2136 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Nov 2020 11:25:41 +0100 -Subject: [PATCH 3/9] CVE-2021-23192: dcesrv_core: add better debugging to - dcesrv_fault_disconnect() - -It's better to see the location that triggered the fault. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - librpc/rpc/dcesrv_core.c | 29 ++++++++++++++++++++++++----- - 1 file changed, 24 insertions(+), 5 deletions(-) - -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index 74730f22c7c..0c2d83b4b17 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -705,19 +705,38 @@ static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason) - return NT_STATUS_OK; - } - --static NTSTATUS dcesrv_fault_disconnect(struct dcesrv_call_state *call, -- uint32_t fault_code) -+static NTSTATUS _dcesrv_fault_disconnect_flags(struct dcesrv_call_state *call, -+ uint32_t fault_code, -+ uint8_t extra_flags, -+ const char *func, -+ const char *location) - { -+ const char *reason = NULL; -+ -+ reason = talloc_asprintf(call, "%s:%s: fault=%u (%s) flags=0x%x", -+ func, location, -+ fault_code, -+ dcerpc_errstr(call, fault_code), -+ extra_flags); -+ if (reason == NULL) { -+ reason = location; -+ } -+ - /* - * We add the call to the pending_call_list - * in order to defer the termination. - */ -- dcesrv_call_disconnect_after(call, "dcesrv_fault_disconnect"); - -- return dcesrv_fault_with_flags(call, fault_code, -- DCERPC_PFC_FLAG_DID_NOT_EXECUTE); -+ dcesrv_call_disconnect_after(call, reason); -+ -+ return dcesrv_fault_with_flags(call, fault_code, extra_flags); - } - -+#define dcesrv_fault_disconnect(call, fault_code) \ -+ _dcesrv_fault_disconnect_flags(call, fault_code, \ -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE, \ -+ __func__, __location__) -+ - static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c) - { - DLIST_REMOVE(c->conn->contexts, c); --- -2.25.1 - - -From 937d9c1b4926aa4b511d1eb4f9b1729fb20ac9fa Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Nov 2020 11:27:19 +0100 -Subject: [PATCH 4/9] CVE-2021-23192: dcesrv_core: add - dcesrv_fault_disconnect0() that skips DCERPC_PFC_FLAG_DID_NOT_EXECUTE - -That makes the callers much simpler and allow better debugging. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - librpc/rpc/dcesrv_core.c | 47 ++++++++++++++-------------------------- - 1 file changed, 16 insertions(+), 31 deletions(-) - -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index 0c2d83b4b17..ffaa9019d4b 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -736,6 +736,9 @@ static NTSTATUS _dcesrv_fault_disconnect_flags(struct dcesrv_call_state *call, - _dcesrv_fault_disconnect_flags(call, fault_code, \ - DCERPC_PFC_FLAG_DID_NOT_EXECUTE, \ - __func__, __location__) -+#define dcesrv_fault_disconnect0(call, fault_code) \ -+ _dcesrv_fault_disconnect_flags(call, fault_code, 0, \ -+ __func__, __location__) - - static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c) - { -@@ -2097,10 +2100,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - * Note that we don't check against the negotiated - * max_recv_frag, but a hard coded value. - */ -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - frag_length too large"); -- return dcesrv_fault(call, -- DCERPC_NCA_S_PROTO_ERROR); -+ return dcesrv_fault_disconnect0(call, DCERPC_NCA_S_PROTO_ERROR); - } - - if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) { -@@ -2110,10 +2110,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - * if DCERPC_PFC_FLAG_CONC_MPX was negotiated. - */ - if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) { -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - " -- "existing pending call without CONN_MPX"); -- return dcesrv_fault(call, -+ return dcesrv_fault_disconnect0(call, - DCERPC_NCA_S_PROTO_ERROR); - } - } -@@ -2131,10 +2128,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - TALLOC_FREE(call); - call = dce_conn->incoming_fragmented_call_list; - } -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - " -- "existing fragmented call"); -- return dcesrv_fault(call, -+ return dcesrv_fault_disconnect0(call, - DCERPC_NCA_S_PROTO_ERROR); - } - if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) { -@@ -2155,10 +2149,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - existing = dcesrv_find_fragmented_call(dce_conn, - call->pkt.call_id); - if (existing == NULL) { -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - " -- "no existing fragmented call"); -- return dcesrv_fault(call, -+ return dcesrv_fault_disconnect0(call, - DCERPC_NCA_S_PROTO_ERROR); - } - er = &existing->pkt.u.request; -@@ -2211,12 +2202,10 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - * here, because we don't want to set - * DCERPC_PFC_FLAG_DID_NOT_EXECUTE - */ -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - failed"); - if (call->fault_code == 0) { - call->fault_code = DCERPC_FAULT_ACCESS_DENIED; - } -- return dcesrv_fault(call, call->fault_code); -+ return dcesrv_fault_disconnect0(call, call->fault_code); - } - } - -@@ -2233,20 +2222,17 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - */ - available = dce_conn->max_total_request_size; - if (er->stub_and_verifier.length > available) { -- dcesrv_call_disconnect_after(existing, -- "dcesrv_auth_request - existing payload too large"); -- return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED); -+ return dcesrv_fault_disconnect0(existing, -+ DCERPC_FAULT_ACCESS_DENIED); - } - available -= er->stub_and_verifier.length; - if (nr->alloc_hint > available) { -- dcesrv_call_disconnect_after(existing, -- "dcesrv_auth_request - alloc hint too large"); -- return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED); -+ return dcesrv_fault_disconnect0(existing, -+ DCERPC_FAULT_ACCESS_DENIED); - } - if (nr->stub_and_verifier.length > available) { -- dcesrv_call_disconnect_after(existing, -- "dcesrv_auth_request - new payload too large"); -- return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED); -+ return dcesrv_fault_disconnect0(existing, -+ DCERPC_FAULT_ACCESS_DENIED); - } - alloc_hint = er->stub_and_verifier.length + nr->alloc_hint; - /* allocate at least 1 byte */ -@@ -2285,9 +2271,8 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - * Up to 4 MByte are allowed by all fragments - */ - if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) { -- dcesrv_call_disconnect_after(call, -- "dcesrv_auth_request - initial alloc hint too large"); -- return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED); -+ return dcesrv_fault_disconnect0(call, -+ DCERPC_FAULT_ACCESS_DENIED); - } - dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST); - return NT_STATUS_OK; --- -2.25.1 - - -From 480bfd0a809705966d782839f02f899fc3f68241 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 11 Nov 2020 16:59:06 +0100 -Subject: [PATCH 5/9] CVE-2021-23192: python/tests/dcerpc: change - assertNotEquals() into assertNotEqual() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - python/samba/tests/dcerpc/raw_protocol.py | 288 +++++++++++----------- - python/samba/tests/dcerpc/raw_testcase.py | 14 +- - 2 files changed, 151 insertions(+), 151 deletions(-) - -diff --git a/python/samba/tests/dcerpc/raw_protocol.py b/python/samba/tests/dcerpc/raw_protocol.py -index dc13d41c6a2..cbd398d5290 100755 ---- a/python/samba/tests/dcerpc/raw_protocol.py -+++ b/python/samba/tests/dcerpc/raw_protocol.py -@@ -65,7 +65,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=rep_pfc_flags, auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -86,7 +86,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -108,7 +108,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -128,7 +128,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=rep_pfc_flags, auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertEqual(rep.u.secondary_address, "") - self.assertPadding(rep.u._pad1, 2) -@@ -149,7 +149,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -396,7 +396,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -469,7 +469,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -489,7 +489,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -521,7 +521,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -541,7 +541,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -562,7 +562,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, ctx1.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -589,7 +589,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -609,7 +609,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -630,7 +630,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -646,7 +646,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -705,7 +705,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -732,7 +732,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -765,7 +765,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -794,7 +794,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -826,7 +826,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -855,7 +855,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -876,7 +876,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, ctx1a.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -902,7 +902,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -928,7 +928,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -947,7 +947,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -966,7 +966,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -985,7 +985,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1004,7 +1004,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 1) -@@ -1023,7 +1023,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1049,7 +1049,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 2) -@@ -1073,7 +1073,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1085,7 +1085,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 2) -@@ -1109,7 +1109,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1122,7 +1122,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1134,7 +1134,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 2) -@@ -1158,7 +1158,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1171,7 +1171,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1197,7 +1197,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 2) -@@ -1221,7 +1221,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1233,7 +1233,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 0) - self.assertPadding(rep.u._pad1, 2) - self.assertEqual(rep.u.num_results, 2) -@@ -1257,7 +1257,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1282,7 +1282,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1318,7 +1318,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1352,7 +1352,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1424,7 +1424,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1459,7 +1459,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1494,7 +1494,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1617,7 +1617,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1638,7 +1638,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1658,7 +1658,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -1708,7 +1708,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, rep_both) - self.assertEqual(rep.u.max_recv_frag, rep_both) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1760,7 +1760,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu(ndr_print=True, hexdump=True) - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1775,7 +1775,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1791,7 +1791,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -1866,7 +1866,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - auth_length=0) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -1888,7 +1888,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1902,7 +1902,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1916,7 +1916,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -1994,7 +1994,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2014,7 +2014,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2036,7 +2036,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2052,7 +2052,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2098,7 +2098,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2128,7 +2128,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2195,7 +2195,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - dcerpc.DCERPC_PFC_FLAG_LAST | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2243,7 +2243,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2277,7 +2277,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2313,7 +2313,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=dcerpc.DCERPC_PFC_FLAG_FIRST | - dcerpc.DCERPC_PFC_FLAG_LAST, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2341,7 +2341,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2376,7 +2376,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2390,7 +2390,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2415,7 +2415,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2450,7 +2450,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2464,7 +2464,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2503,7 +2503,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2517,7 +2517,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2552,7 +2552,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req1.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req1.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2600,7 +2600,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req2.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2650,7 +2650,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -2660,7 +2660,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -2691,7 +2691,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -2707,7 +2707,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2727,7 +2727,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We don't get an auth_info back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -2747,7 +2747,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2805,7 +2805,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -2815,7 +2815,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -2846,7 +2846,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -2868,7 +2868,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -2926,7 +2926,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - assoc_group_id = rep.u.assoc_group_id - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) -@@ -2937,7 +2937,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -2961,7 +2961,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3009,7 +3009,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3019,7 +3019,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3047,7 +3047,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We get a fault back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3098,7 +3098,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3108,7 +3108,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3137,7 +3137,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3153,7 +3153,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -3173,7 +3173,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We don't get an auth_info back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -3205,7 +3205,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3256,7 +3256,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3266,7 +3266,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3295,7 +3295,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3311,7 +3311,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -3331,7 +3331,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We don't get an auth_info back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -3362,7 +3362,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3409,7 +3409,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3419,7 +3419,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3440,7 +3440,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3493,7 +3493,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3503,7 +3503,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3524,7 +3524,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3579,7 +3579,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3589,7 +3589,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3611,7 +3611,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3659,7 +3659,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3669,7 +3669,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3691,7 +3691,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3746,7 +3746,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3756,7 +3756,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3778,7 +3778,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3833,7 +3833,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3843,7 +3843,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3865,7 +3865,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -3930,7 +3930,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -3940,7 +3940,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -3984,7 +3984,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -4000,7 +4000,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4020,7 +4020,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We don't get an auth_info back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4144,7 +4144,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -4154,7 +4154,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -4191,7 +4191,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -4256,7 +4256,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -4266,7 +4266,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -4295,7 +4295,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - rep = self.recv_pdu() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4315,7 +4315,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - # We don't get an auth_info back - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4375,7 +4375,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_BIND_ACK, req.call_id) - self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag) - self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag) -- self.assertNotEquals(rep.u.assoc_group_id, req.u.assoc_group_id) -+ self.assertNotEqual(rep.u.assoc_group_id, req.u.assoc_group_id) - self.assertEqual(rep.u.secondary_address_size, 4) - self.assertEqual(rep.u.secondary_address, "%d" % self.tcp_port) - self.assertPadding(rep.u._pad1, 2) -@@ -4385,7 +4385,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.assertEqual(rep.u.ctx_list[0].reason, - dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED) - self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ndr32) -- self.assertNotEquals(len(rep.u.auth_info), 0) -+ self.assertNotEqual(len(rep.u.auth_info), 0) - a = self.parse_auth(rep.u.auth_info) - - from_server = a.credentials -@@ -4406,7 +4406,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -4521,7 +4521,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, req.call_id, - pfc_flags=req.pfc_flags | response_fault_flags, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, ctx1.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -4688,7 +4688,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - (rep, rep_blob) = self.recv_pdu_raw() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=sig_size) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4756,7 +4756,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - pfc_flags=req.pfc_flags | - dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, ctx1.context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -4805,7 +4805,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - (rep, rep_blob) = self.recv_pdu_raw() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=sig_size) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -@@ -4870,7 +4870,7 @@ class TestDCERPC_BIND(RawDCERPCTest): - (rep, rep_blob) = self.recv_pdu_raw() - self.verify_pdu(rep, dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=sig_size) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) -diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py -index f1c097ebe6d..ed77d329cd5 100644 ---- a/python/samba/tests/dcerpc/raw_testcase.py -+++ b/python/samba/tests/dcerpc/raw_testcase.py -@@ -321,7 +321,7 @@ class RawDCERPCTest(TestCase): - pfc_flags=req.pfc_flags | - samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -361,7 +361,7 @@ class RawDCERPCTest(TestCase): - if assoc_group_id != 0: - self.assertEqual(rep.u.assoc_group_id, assoc_group_id) - else: -- self.assertNotEquals(rep.u.assoc_group_id, 0) -+ self.assertNotEqual(rep.u.assoc_group_id, 0) - assoc_group_id = rep.u.assoc_group_id - sda_str = self.secondary_address - sda_len = len(sda_str) + 1 -@@ -385,7 +385,7 @@ class RawDCERPCTest(TestCase): - self.assertEqual(rep.auth_length, 0) - self.assertEqual(len(rep.u.auth_info), 0) - return ack -- self.assertNotEquals(rep.auth_length, 0) -+ self.assertNotEqual(rep.auth_length, 0) - self.assertGreater(len(rep.u.auth_info), samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH) - self.assertEqual(rep.auth_length, len(rep.u.auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH) - -@@ -426,7 +426,7 @@ class RawDCERPCTest(TestCase): - pfc_flags=req.pfc_flags | - samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE, - auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, 0) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -451,7 +451,7 @@ class RawDCERPCTest(TestCase): - if finished: - self.assertEqual(rep.auth_length, 0) - else: -- self.assertNotEquals(rep.auth_length, 0) -+ self.assertNotEqual(rep.auth_length, 0) - self.assertGreaterEqual(len(rep.u.auth_info), samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH) - self.assertEqual(rep.auth_length, len(rep.u.auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH) - -@@ -547,7 +547,7 @@ class RawDCERPCTest(TestCase): - if fault_status: - self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, req.call_id, - pfc_flags=fault_pfc_flags, auth_length=0) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, fault_context_id) - self.assertEqual(rep.u.cancel_count, 0) - self.assertEqual(rep.u.flags, 0) -@@ -563,7 +563,7 @@ class RawDCERPCTest(TestCase): - - self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_RESPONSE, req.call_id, - auth_length=expected_auth_length) -- self.assertNotEquals(rep.u.alloc_hint, 0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) --- -2.25.1 - - -From 4ec27da793964c3c49995ada3da047bae0174d26 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Nov 2020 09:50:58 +0100 -Subject: [PATCH 6/9] CVE-2021-23192: python/tests/dcerpc: let - generate_request_auth() use g_auth_level in all places - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - python/samba/tests/dcerpc/raw_testcase.py | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py -index ed77d329cd5..53f7fa0a2a8 100644 ---- a/python/samba/tests/dcerpc/raw_testcase.py -+++ b/python/samba/tests/dcerpc/raw_testcase.py -@@ -922,12 +922,12 @@ class RawDCERPCTest(TestCase): - req_data = req_blob[ofs_stub:ofs_trailer] - req_whole = req_blob[0:ofs_sig] - -- if auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PRIVACY: -+ if auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PRIVACY: - # TODO: not yet supported here - self.assertTrue(False) -- elif auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET: -+ elif auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET: - req_sig = auth_context["gensec"].sign_packet(req_data, req_whole) -- elif auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_CONNECT: -+ elif auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_CONNECT: - self.assertEqual(auth_context["auth_type"], - dcerpc.DCERPC_AUTH_TYPE_NTLMSSP) - req_sig = b"\x01" +b"\x00" *15 --- -2.25.1 - - -From 188f01b8ac8b84e9e41a769731cb4426658920cb Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Nov 2020 17:43:06 +0100 -Subject: [PATCH 7/9] CVE-2021-23192: python/tests/dcerpc: fix - do_single_request(send_req=False) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - python/samba/tests/dcerpc/raw_testcase.py | 37 ++++++++++++----------- - 1 file changed, 20 insertions(+), 17 deletions(-) - -diff --git a/python/samba/tests/dcerpc/raw_testcase.py b/python/samba/tests/dcerpc/raw_testcase.py -index 53f7fa0a2a8..22b56704fa3 100644 ---- a/python/samba/tests/dcerpc/raw_testcase.py -+++ b/python/samba/tests/dcerpc/raw_testcase.py -@@ -526,26 +526,25 @@ class RawDCERPCTest(TestCase): - if hexdump: - sys.stderr.write("stub_in: %d\n%s" % (len(stub_in), self.hexdump(stub_in))) - -- pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST -- pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST -- if object is not None: -- pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_OBJECT_UUID -- -- req = self.generate_request_auth(call_id=call_id, -- context_id=ctx.context_id, -- pfc_flags=pfc_flags, -- object=object, -- opnum=io.opnum(), -- stub=stub_in, -- auth_context=auth_context) -- if send_req: -+ pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST -+ pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST -+ if object is not None: -+ pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_OBJECT_UUID -+ -+ req = self.generate_request_auth(call_id=call_id, -+ context_id=ctx.context_id, -+ pfc_flags=pfc_flags, -+ object=object, -+ opnum=io.opnum(), -+ stub=stub_in, -+ auth_context=auth_context) - self.send_pdu(req, ndr_print=ndr_print, hexdump=hexdump) - if recv_rep: - (rep, rep_blob) = self.recv_pdu_raw(timeout=timeout, - ndr_print=ndr_print, - hexdump=hexdump) - if fault_status: -- self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, req.call_id, -+ self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, call_id, - pfc_flags=fault_pfc_flags, auth_length=0) - self.assertNotEqual(rep.u.alloc_hint, 0) - self.assertEqual(rep.u.context_id, fault_context_id) -@@ -559,12 +558,16 @@ class RawDCERPCTest(TestCase): - expected_auth_length = 0 - if auth_context is not None and \ - auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET: -- expected_auth_length = req.auth_length -+ if send_req: -+ expected_auth_length = req.auth_length -+ else: -+ expected_auth_length = rep.auth_length -+ - -- self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_RESPONSE, req.call_id, -+ self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_RESPONSE, call_id, - auth_length=expected_auth_length) - self.assertNotEqual(rep.u.alloc_hint, 0) -- self.assertEqual(rep.u.context_id, req.u.context_id & 0xff) -+ self.assertEqual(rep.u.context_id, ctx.context_id & 0xff) - self.assertEqual(rep.u.cancel_count, 0) - self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint) - stub_out = self.check_response_auth(rep, rep_blob, auth_context) --- -2.25.1 - - -From 7cf3a4a33282ed5b135fcdc47a5cc7cdca370ee7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Nov 2020 18:14:46 +0100 -Subject: [PATCH 8/9] CVE-2021-23192: python/tests/dcerpc: add tests to check - how security contexts relate to fragmented requests - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - python/samba/tests/dcerpc/raw_protocol.py | 1273 +++++++++++++++++++++ - selftest/knownfail.d/dcerpc-auth-fraq | 20 + - 2 files changed, 1293 insertions(+) - create mode 100644 selftest/knownfail.d/dcerpc-auth-fraq - -diff --git a/python/samba/tests/dcerpc/raw_protocol.py b/python/samba/tests/dcerpc/raw_protocol.py -index cbd398d5290..3c9d0b136a5 100755 ---- a/python/samba/tests/dcerpc/raw_protocol.py -+++ b/python/samba/tests/dcerpc/raw_protocol.py -@@ -1683,6 +1683,1279 @@ class TestDCERPC_BIND(RawDCERPCTest): - def test_auth_none_packet_request(self): - return self._test_auth_none_level_request(dcerpc.DCERPC_AUTH_LEVEL_PACKET) - -+ def test_ntlmssp_multi_auth_first1_lastSame2(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_SEC_PKG_ERROR -+ auth_context_2nd = 2 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastNext2(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 2 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastSame111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = None -+ auth_context_2nd = 1 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastNext111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_lastNext111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastSameNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_lastSameNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastNextNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_lastNextNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastSameNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_lastSameNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_lastNextNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_lastNextNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_last(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def _test_generic_auth_first_2nd(self, -+ auth_type, -+ pfc_flags_2nd, -+ expected_fault, -+ auth_context_2nd=2, -+ skip_first=False, -+ expected_call_id=None, -+ expected_context_id=None, -+ conc_mpx=False, -+ not_executed=False, -+ forced_call_id=None, -+ forced_context_id=None, -+ forced_opnum=None, -+ forced_auth_context_id=None, -+ forced_auth_type=None, -+ forced_auth_level=None): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ auth_level1 = dcerpc.DCERPC_AUTH_LEVEL_INTEGRITY -+ auth_context_id1=1 -+ auth_level2 = dcerpc.DCERPC_AUTH_LEVEL_PACKET -+ auth_context_id2=2 -+ -+ creds = self.get_user_creds() -+ -+ abstract = samba.dcerpc.mgmt.abstract_syntax() -+ transfer = base.transfer_syntax_ndr() -+ -+ tsf1_list = [transfer] -+ ctx = samba.dcerpc.dcerpc.ctx_list() -+ ctx.context_id = 1 -+ ctx.num_transfer_syntaxes = len(tsf1_list) -+ ctx.abstract_syntax = abstract -+ ctx.transfer_syntaxes = tsf1_list -+ -+ auth_context1 = self.get_auth_context_creds(creds=creds, -+ auth_type=auth_type, -+ auth_level=auth_level1, -+ auth_context_id=auth_context_id1, -+ hdr_signing=False) -+ auth_context2 = self.get_auth_context_creds(creds=creds, -+ auth_type=auth_type, -+ auth_level=auth_level2, -+ auth_context_id=auth_context_id2, -+ hdr_signing=False) -+ -+ bind_pfc_flags = dcerpc.DCERPC_PFC_FLAG_FIRST | dcerpc.DCERPC_PFC_FLAG_LAST -+ if conc_mpx: -+ bind_pfc_flags |= dcerpc.DCERPC_PFC_FLAG_CONC_MPX -+ -+ ack0 = self.do_generic_bind(call_id=0, -+ ctx=ctx, -+ pfc_flags=bind_pfc_flags) -+ -+ ack1 = self.do_generic_bind(call_id=1, -+ ctx=ctx, -+ auth_context=auth_context1, -+ assoc_group_id = ack0.u.assoc_group_id, -+ start_with_alter=True) -+ if auth_context_2nd == 2: -+ ack2 = self.do_generic_bind(call_id=2, -+ ctx=ctx, -+ auth_context=auth_context2, -+ assoc_group_id = ack0.u.assoc_group_id, -+ start_with_alter=True) -+ -+ ndr_print = self.do_ndr_print -+ hexdump = self.do_hexdump -+ inq_if_ids = samba.dcerpc.mgmt.inq_if_ids() -+ io = inq_if_ids -+ if ndr_print: -+ sys.stderr.write("in: %s" % samba.ndr.ndr_print_in(io)) -+ stub_in = samba.ndr.ndr_pack_in(io) -+ stub_in += b'\xfe'*45 # add some padding in order to have some payload -+ if hexdump: -+ sys.stderr.write("stub_in: %d\n%s" % (len(stub_in), self.hexdump(stub_in))) -+ -+ call_id = 3 -+ context_id = ctx.context_id -+ opnum = io.opnum() -+ -+ if not skip_first: -+ pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST -+ stub_in_tmp = stub_in[0:16] -+ req = self.generate_request_auth(call_id=call_id, -+ context_id=context_id, -+ pfc_flags=pfc_flags, -+ opnum=opnum, -+ alloc_hint=len(stub_in), -+ stub=stub_in_tmp, -+ auth_context=auth_context1) -+ self.send_pdu(req, ndr_print=ndr_print, hexdump=hexdump) -+ rep = self.recv_pdu(timeout=0.01) -+ self.assertIsNone(rep) -+ self.assertIsConnected() -+ -+ # context_id, opnum and auth header values are completely ignored -+ if auth_context_2nd == 1: -+ auth_context_copy = auth_context1.copy() -+ elif auth_context_2nd == 2: -+ auth_context_copy = auth_context2.copy() -+ else: -+ auth_context_copy = None -+ -+ expected_pfc_flags = dcerpc.DCERPC_PFC_FLAG_FIRST | dcerpc.DCERPC_PFC_FLAG_LAST -+ if expected_context_id is None: -+ expected_context_id = context_id -+ if expected_call_id is None: -+ expected_call_id = call_id -+ if not_executed: -+ expected_pfc_flags |= dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE -+ -+ if forced_call_id is not None: -+ call_id = forced_call_id -+ if forced_context_id is not None: -+ context_id = forced_context_id -+ if forced_opnum is not None: -+ opnum = forced_opnum -+ if forced_auth_context_id is not None: -+ auth_context_copy["auth_context_id"] = forced_auth_context_id -+ if forced_auth_type is not None: -+ auth_context_copy["auth_type"] = forced_auth_type -+ if forced_auth_level is not None: -+ auth_context_copy["auth_level"] = forced_auth_level -+ -+ pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST -+ stub_in_tmp = stub_in[16:-1] -+ req = self.generate_request_auth(call_id=call_id, -+ context_id=context_id, -+ pfc_flags=pfc_flags_2nd, -+ opnum=opnum, -+ alloc_hint=len(stub_in_tmp), -+ stub=stub_in_tmp, -+ auth_context=auth_context_copy) -+ self.send_pdu(req, ndr_print=ndr_print, hexdump=hexdump) -+ if expected_fault is None: -+ self.do_single_request(call_id=3, ctx=ctx, io=io, send_req=False, auth_context=auth_context1) -+ return -+ rep = self.recv_pdu() -+ self.verify_pdu(rep, dcerpc.DCERPC_PKT_FAULT, expected_call_id, -+ pfc_flags=expected_pfc_flags, -+ auth_length=0) -+ self.assertNotEqual(rep.u.alloc_hint, 0) -+ self.assertEqual(rep.u.context_id, expected_context_id) -+ self.assertEqual(rep.u.cancel_count, 0) -+ self.assertEqual(rep.u.flags, 0) -+ self.assertEqual(rep.u.status, expected_fault) -+ self.assertEqual(rep.u.reserved, 0) -+ self.assertEqual(len(rep.u.error_and_verifier), 0) -+ -+ if not_executed: -+ # still alive -+ rep = self.recv_pdu(timeout=0.01) -+ self.assertIsNone(rep) -+ self.assertIsConnected() -+ return -+ -+ # wait for a disconnect -+ rep = self.recv_pdu() -+ self.assertIsNone(rep) -+ self.assertNotConnected() -+ -+ def _test_generic_auth_first_last(self, -+ auth_type, -+ expected_fault, -+ auth_context_2nd=2, -+ expected_call_id=None, -+ expected_context_id=None, -+ conc_mpx=False, -+ not_executed=False, -+ forced_call_id=None, -+ forced_context_id=None, -+ forced_opnum=None, -+ forced_auth_context_id=None, -+ forced_auth_type=None, -+ forced_auth_level=None): -+ pfc_flags_2nd = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST -+ return self._test_generic_auth_first_2nd(auth_type, -+ pfc_flags_2nd, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def _test_generic_auth_first_first(self, -+ auth_type, -+ expected_fault, -+ auth_context_2nd=2, -+ expected_call_id=None, -+ expected_context_id=None, -+ conc_mpx=False, -+ not_executed=False, -+ forced_call_id=None, -+ forced_context_id=None, -+ forced_opnum=None, -+ forced_auth_context_id=None, -+ forced_auth_type=None, -+ forced_auth_level=None): -+ pfc_flags_2nd = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST -+ return self._test_generic_auth_first_2nd(auth_type, -+ pfc_flags_2nd, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstSame2(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_SEC_PKG_ERROR -+ auth_context_2nd = 2 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstNext2(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 2 -+ expected_call_id = 3 -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstSame111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstSame111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstNext111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = 3 -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstNext111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = 1 -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstSameNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstSameNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = None -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstNextNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstNextNone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstSameNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstSameNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = None -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_first1_firstNextNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = None -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = False -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_multi_auth_MPX_first1_firstNextNone111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ auth_context_2nd = None -+ expected_call_id = 4 -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = True -+ forced_call_id = 4 -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_first_first(auth_type, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def _test_generic_auth_middle(self, -+ auth_type, -+ expected_fault, -+ expected_context_id=None, -+ not_executed=False, -+ conc_mpx=False, -+ forced_context_id=None, -+ forced_opnum=None, -+ forced_auth_context_id=None, -+ forced_auth_type=None, -+ forced_auth_level=None): -+ auth_context_2nd = 1 -+ skip_first = True -+ pfc_flags_2nd = 0 -+ expected_call_id = None -+ forced_call_id = None -+ return self._test_generic_auth_first_2nd(auth_type, -+ pfc_flags_2nd, -+ expected_fault, -+ auth_context_2nd=auth_context_2nd, -+ skip_first=skip_first, -+ expected_call_id=expected_call_id, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_call_id=forced_call_id, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_alone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_alone(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_all_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_all_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_UNKNOWN_IF -+ expected_context_id = 0 -+ not_executed = True -+ conc_mpx = True -+ forced_context_id = 111 -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_auth_all_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = None -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_auth_all_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_ACCESS_DENIED -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_context_id = None -+ forced_opnum = 111 -+ forced_auth_context_id = 111 -+ forced_auth_type = 111 -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_auth_context_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = 111 -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_auth_context_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_ACCESS_DENIED -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = 111 -+ forced_auth_type = None -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_auth_type_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = 111 -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_auth_type_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_ACCESS_DENIED -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = 111 -+ forced_auth_level = None -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_middle_auth_level_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_NCA_S_PROTO_ERROR -+ expected_context_id = 0 -+ not_executed = False -+ conc_mpx = False -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ -+ def test_ntlmssp_auth_MPX_middle_auth_level_111(self): -+ auth_type = dcerpc.DCERPC_AUTH_TYPE_NTLMSSP -+ expected_fault = dcerpc.DCERPC_FAULT_ACCESS_DENIED -+ expected_context_id = None -+ not_executed = False -+ conc_mpx = True -+ forced_context_id = None -+ forced_opnum = None -+ forced_auth_context_id = None -+ forced_auth_type = None -+ forced_auth_level = 111 -+ return self._test_generic_auth_middle(auth_type, -+ expected_fault, -+ expected_context_id=expected_context_id, -+ not_executed=not_executed, -+ conc_mpx=conc_mpx, -+ forced_context_id=forced_context_id, -+ forced_opnum=forced_opnum, -+ forced_auth_context_id=forced_auth_context_id, -+ forced_auth_type=forced_auth_type, -+ forced_auth_level=forced_auth_level) -+ - def _test_neg_xmit_check_values(self, - req_xmit=None, - req_recv=None, -diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq -new file mode 100644 -index 00000000000..f3c62b65e9e ---- /dev/null -+++ b/selftest/knownfail.d/dcerpc-auth-fraq -@@ -0,0 +1,20 @@ -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2 -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone -+^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111 --- -2.25.1 - - -From 43b09da3138606e2d0fbc033e8bc50fa82687946 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 16 Nov 2020 14:15:06 +0100 -Subject: [PATCH 9/9] CVE-2021-23192: dcesrv_core: only the first fragment - specifies the auth_contexts - -All other fragments blindly inherit it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - librpc/rpc/dcerpc_pkt_auth.c | 19 +++--- - librpc/rpc/dcerpc_pkt_auth.h | 1 + - librpc/rpc/dcesrv_auth.c | 28 +++++++++ - librpc/rpc/dcesrv_core.c | 86 +++++++++++++++++++++------ - selftest/knownfail.d/dcerpc-auth-fraq | 20 ------- - source4/librpc/rpc/dcerpc.c | 1 + - 6 files changed, 109 insertions(+), 46 deletions(-) - delete mode 100644 selftest/knownfail.d/dcerpc-auth-fraq - -diff --git a/librpc/rpc/dcerpc_pkt_auth.c b/librpc/rpc/dcerpc_pkt_auth.c -index 322d7497893..1cb191468b5 100644 ---- a/librpc/rpc/dcerpc_pkt_auth.c -+++ b/librpc/rpc/dcerpc_pkt_auth.c -@@ -39,6 +39,7 @@ - - NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, - struct gensec_security *gensec, -+ bool check_pkt_auth_fields, - TALLOC_CTX *mem_ctx, - enum dcerpc_pkt_type ptype, - uint8_t required_flags, -@@ -115,16 +116,18 @@ NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, - return NT_STATUS_INTERNAL_ERROR; - } - -- if (auth.auth_type != auth_state->auth_type) { -- return NT_STATUS_ACCESS_DENIED; -- } -+ if (check_pkt_auth_fields) { -+ if (auth.auth_type != auth_state->auth_type) { -+ return NT_STATUS_ACCESS_DENIED; -+ } - -- if (auth.auth_level != auth_state->auth_level) { -- return NT_STATUS_ACCESS_DENIED; -- } -+ if (auth.auth_level != auth_state->auth_level) { -+ return NT_STATUS_ACCESS_DENIED; -+ } - -- if (auth.auth_context_id != auth_state->auth_context_id) { -- return NT_STATUS_ACCESS_DENIED; -+ if (auth.auth_context_id != auth_state->auth_context_id) { -+ return NT_STATUS_ACCESS_DENIED; -+ } - } - - /* check signature or unseal the packet */ -diff --git a/librpc/rpc/dcerpc_pkt_auth.h b/librpc/rpc/dcerpc_pkt_auth.h -index c0d23b91c05..1dcee12f53c 100644 ---- a/librpc/rpc/dcerpc_pkt_auth.h -+++ b/librpc/rpc/dcerpc_pkt_auth.h -@@ -31,6 +31,7 @@ - - NTSTATUS dcerpc_ncacn_pull_pkt_auth(const struct dcerpc_auth *auth_state, - struct gensec_security *gensec, -+ bool check_pkt_auth_fields, - TALLOC_CTX *mem_ctx, - enum dcerpc_pkt_type ptype, - uint8_t required_flags, -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index 8dda86d88e2..9d8df6c42e2 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -438,6 +438,10 @@ bool dcesrv_auth_prepare_auth3(struct dcesrv_call_state *call) - return false; - } - -+ if (auth->auth_invalid) { -+ return false; -+ } -+ - /* We can't work without an existing gensec state */ - if (auth->gensec_security == NULL) { - return false; -@@ -524,6 +528,10 @@ bool dcesrv_auth_alter(struct dcesrv_call_state *call) - return false; - } - -+ if (auth->auth_invalid) { -+ return false; -+ } -+ - if (call->in_auth_info.auth_type != auth->auth_type) { - return false; - } -@@ -590,6 +598,7 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call, - .auth_level = auth->auth_level, - .auth_context_id = auth->auth_context_id, - }; -+ bool check_pkt_auth_fields; - NTSTATUS status; - - if (!auth->auth_started) { -@@ -605,8 +614,27 @@ bool dcesrv_auth_pkt_pull(struct dcesrv_call_state *call, - return false; - } - -+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) { -+ /* -+ * The caller most likely checked this -+ * already, but we better double check. -+ */ -+ check_pkt_auth_fields = true; -+ } else { -+ /* -+ * The caller already found first fragment -+ * and is passing the auth_state of it. -+ * A server is supposed to use the -+ * setting of the first fragment and -+ * completely ignore the values -+ * on the remaining fragments -+ */ -+ check_pkt_auth_fields = false; -+ } -+ - status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth, - auth->gensec_security, -+ check_pkt_auth_fields, - call, - pkt->ptype, - required_flags, -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index ffaa9019d4b..0bab4c10641 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -1805,6 +1805,10 @@ static NTSTATUS dcesrv_request(struct dcesrv_call_state *call) - struct ndr_pull *pull; - NTSTATUS status; - -+ if (auth->auth_invalid) { -+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); -+ } -+ - if (!auth->auth_finished) { - return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR); - } -@@ -1968,6 +1972,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - enum dcerpc_AuthType auth_type = 0; - enum dcerpc_AuthLevel auth_level = 0; - uint32_t auth_context_id = 0; -+ bool auth_invalid = false; - - call = talloc_zero(dce_conn, struct dcesrv_call_state); - if (!call) { -@@ -1999,12 +2004,16 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - - if (call->auth_state == NULL) { - struct dcesrv_auth *a = NULL; -+ bool check_type_level = true; - - auth_type = dcerpc_get_auth_type(&blob); - auth_level = dcerpc_get_auth_level(&blob); - auth_context_id = dcerpc_get_auth_context_id(&blob); - - if (call->pkt.ptype == DCERPC_PKT_REQUEST) { -+ if (!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) { -+ check_type_level = false; -+ } - dce_conn->default_auth_level_connect = NULL; - if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) { - dce_conn->got_explicit_auth_level_connect = true; -@@ -2014,14 +2023,19 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - for (a = dce_conn->auth_states; a != NULL; a = a->next) { - num_auth_ctx++; - -- if (a->auth_type != auth_type) { -+ if (a->auth_context_id != auth_context_id) { - continue; - } -- if (a->auth_finished && a->auth_level != auth_level) { -- continue; -+ -+ if (a->auth_type != auth_type) { -+ auth_invalid = true; - } -- if (a->auth_context_id != auth_context_id) { -- continue; -+ if (a->auth_level != auth_level) { -+ auth_invalid = true; -+ } -+ -+ if (check_type_level && auth_invalid) { -+ a->auth_invalid = true; - } - - DLIST_PROMOTE(dce_conn->auth_states, a); -@@ -2048,6 +2062,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - /* - * This can never be valid. - */ -+ auth_invalid = true; - a->auth_invalid = true; - } - call->auth_state = a; -@@ -2116,6 +2131,18 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - } - /* only one request is possible in the fragmented list */ - if (dce_conn->incoming_fragmented_call_list != NULL) { -+ call->fault_code = DCERPC_NCA_S_PROTO_ERROR; -+ -+ existing = dcesrv_find_fragmented_call(dce_conn, -+ call->pkt.call_id); -+ if (existing != NULL && call->auth_state != existing->auth_state) { -+ call->context = dcesrv_find_context(call->conn, -+ call->pkt.u.request.context_id); -+ -+ if (call->pkt.auth_length != 0 && existing->context == call->context) { -+ call->fault_code = DCERPC_FAULT_SEC_PKG_ERROR; -+ } -+ } - if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) { - /* - * Without DCERPC_PFC_FLAG_CONC_MPX -@@ -2125,11 +2152,14 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - * This is important to get the - * call_id and context_id right. - */ -+ dce_conn->incoming_fragmented_call_list->fault_code = call->fault_code; - TALLOC_FREE(call); - call = dce_conn->incoming_fragmented_call_list; - } -- return dcesrv_fault_disconnect0(call, -- DCERPC_NCA_S_PROTO_ERROR); -+ if (existing != NULL) { -+ call->context = existing->context; -+ } -+ return dcesrv_fault_disconnect0(call, call->fault_code); - } - if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) { - return dcesrv_fault_disconnect(call, -@@ -2142,17 +2172,43 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - DCERPC_PFC_FLAG_DID_NOT_EXECUTE); - } - } else { -- const struct dcerpc_request *nr = &call->pkt.u.request; -- const struct dcerpc_request *er = NULL; - int cmp; - - existing = dcesrv_find_fragmented_call(dce_conn, - call->pkt.call_id); - if (existing == NULL) { -+ if (!(dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) { -+ /* -+ * Without DCERPC_PFC_FLAG_CONC_MPX -+ * we need to return the FAULT on the -+ * already existing call. -+ * -+ * This is important to get the -+ * call_id and context_id right. -+ */ -+ if (dce_conn->incoming_fragmented_call_list != NULL) { -+ TALLOC_FREE(call); -+ call = dce_conn->incoming_fragmented_call_list; -+ } -+ return dcesrv_fault_disconnect0(call, -+ DCERPC_NCA_S_PROTO_ERROR); -+ } -+ if (dce_conn->incoming_fragmented_call_list != NULL) { -+ return dcesrv_fault_disconnect0(call, DCERPC_NCA_S_PROTO_ERROR); -+ } -+ call->context = dcesrv_find_context(call->conn, -+ call->pkt.u.request.context_id); -+ if (call->context == NULL) { -+ return dcesrv_fault_with_flags(call, DCERPC_NCA_S_UNKNOWN_IF, -+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE); -+ } -+ if (auth_invalid) { -+ return dcesrv_fault_disconnect0(call, -+ DCERPC_FAULT_ACCESS_DENIED); -+ } - return dcesrv_fault_disconnect0(call, - DCERPC_NCA_S_PROTO_ERROR); - } -- er = &existing->pkt.u.request; - - if (call->pkt.ptype != existing->pkt.ptype) { - /* trying to play silly buggers are we? */ -@@ -2165,14 +2221,8 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn, - return dcesrv_fault_disconnect(existing, - DCERPC_NCA_S_PROTO_ERROR); - } -- if (nr->context_id != er->context_id) { -- return dcesrv_fault_disconnect(existing, -- DCERPC_NCA_S_PROTO_ERROR); -- } -- if (nr->opnum != er->opnum) { -- return dcesrv_fault_disconnect(existing, -- DCERPC_NCA_S_PROTO_ERROR); -- } -+ call->auth_state = existing->auth_state; -+ call->context = existing->context; - } - } - -diff --git a/selftest/knownfail.d/dcerpc-auth-fraq b/selftest/knownfail.d/dcerpc-auth-fraq -deleted file mode 100644 -index f3c62b65e9e..00000000000 ---- a/selftest/knownfail.d/dcerpc-auth-fraq -+++ /dev/null -@@ -1,20 +0,0 @@ --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_all_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_alone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_all_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_context_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_level_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_auth_MPX_middle_auth_type_111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSame111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_firstSameNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_MPX_first1_lastSameNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_firstSame2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNext2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastNextNone111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame111 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSame2 --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone --^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_ntlmssp_multi_auth_first1_lastSameNone111 -diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c -index 4847e8a0200..baf6df6e498 100644 ---- a/source4/librpc/rpc/dcerpc.c -+++ b/source4/librpc/rpc/dcerpc.c -@@ -726,6 +726,7 @@ static NTSTATUS ncacn_pull_pkt_auth(struct dcecli_connection *c, - - status = dcerpc_ncacn_pull_pkt_auth(&tmp_auth, - c->security_state.generic_state, -+ true, /* check_pkt_auth_fields */ - mem_ctx, - ptype, - required_flags, --- -2.25.1 - diff --git a/SOURCES/CVE-2021-44142-v4.14.patch b/SOURCES/CVE-2021-44142-v4.14.patch deleted file mode 100644 index 1f76f7c..0000000 --- a/SOURCES/CVE-2021-44142-v4.14.patch +++ /dev/null @@ -1,759 +0,0 @@ -From 2f7332f6c283fbedbd859c79a3f74ca6e07aad46 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Thu, 13 Jan 2022 16:48:01 +0100 -Subject: [PATCH 1/5] CVE-2021-44142: libadouble: add defines for icon lengths - -From https://www.ietf.org/rfc/rfc1740.txt - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 - -Signed-off-by: Ralph Boehme ---- - source3/lib/adouble.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/lib/adouble.h b/source3/lib/adouble.h -index 90a825c502e0..e3b9263a1f9a 100644 ---- a/source3/lib/adouble.h -+++ b/source3/lib/adouble.h -@@ -101,6 +101,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t; - #define ADEDLEN_MACFILEI 4 - #define ADEDLEN_PRODOSFILEI 8 - #define ADEDLEN_MSDOSFILEI 2 -+#define ADEDLEN_ICONBW 128 -+#define ADEDLEN_ICONCOL 1024 - #define ADEDLEN_DID 4 - #define ADEDLEN_PRIVDEV 8 - #define ADEDLEN_PRIVINO 8 --- -2.34.1 - - -From fc20cb8268af1203a331ba142b630d4dfb613478 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sat, 20 Nov 2021 16:36:42 +0100 -Subject: [PATCH 2/5] CVE-2021-44142: smbd: add Netatalk xattr used by - vfs_fruit to the list of private Samba xattrs - -This is an internal xattr that should not be user visible. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 - -Signed-off-by: Ralph Boehme -[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c] ---- - source3/smbd/trans2.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c -index 70a492a96a8a..a200656b76cf 100644 ---- a/source3/smbd/trans2.c -+++ b/source3/smbd/trans2.c -@@ -45,6 +45,7 @@ - #include "smb1_utils.h" - #include "libcli/smb/smb2_posix.h" - #include "lib/util/string_wrappers.h" -+#include "source3/lib/adouble.h" - - #define DIR_ENTRY_SAFETY_MARGIN 4096 - -@@ -218,6 +219,7 @@ bool samba_private_attr_name(const char *unix_ea_name) - SAMBA_XATTR_DOS_ATTRIB, - SAMBA_XATTR_MARKER, - XATTR_NTACL_NAME, -+ AFPINFO_EA_NETATALK, - NULL - }; - --- -2.34.1 - - -From 73302708170a71afce09ff42640ea4fceff4d08a Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 26 Nov 2021 07:19:32 +0100 -Subject: [PATCH 3/5] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() - -This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC, -which is used for parsing ._ AppleDouble sidecar files, and the buffer -ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all -buffer out-of-bounds access checks in ad_unpack_xattrs(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 - -Signed-off-by: Ralph Boehme ---- - source3/lib/adouble.c | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c -index 0ab9019cfb59..7875dd6f0df8 100644 ---- a/source3/lib/adouble.c -+++ b/source3/lib/adouble.c -@@ -707,14 +707,27 @@ static bool ad_pack(struct vfs_handle_struct *handle, - static bool ad_unpack_xattrs(struct adouble *ad) - { - struct ad_xattr_header *h = &ad->adx_header; -+ size_t bufsize = talloc_get_size(ad->ad_data); - const char *p = ad->ad_data; - uint32_t hoff; - uint32_t i; - -+ if (ad->ad_type != ADOUBLE_RSRC) { -+ return false; -+ } -+ - if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) { - return true; - } - -+ /* -+ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an -+ * ADOUBLE_RSRC type (._ AppleDouble file on-disk). -+ */ -+ if (bufsize != AD_XATTR_MAX_HDR_SIZE) { -+ return false; -+ } -+ - /* 2 bytes padding */ - hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2; - -@@ -964,9 +977,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries, - ad->ad_eid[eid].ade_len = len; - } - -- ok = ad_unpack_xattrs(ad); -- if (!ok) { -- return false; -+ if (ad->ad_type == ADOUBLE_RSRC) { -+ ok = ad_unpack_xattrs(ad); -+ if (!ok) { -+ return false; -+ } - } - - return true; --- -2.34.1 - - -From 0cfe02ac7ad197ea9fb4b19f296b73e5e7baf0af Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Thu, 25 Nov 2021 15:04:03 +0100 -Subject: [PATCH 4/5] CVE-2021-44142: libadouble: add basic cmocka tests - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 - -Signed-off-by: Ralph Boehme -[slow@samba.org: conflict due to missing test in selftest/tests.py] ---- - selftest/knownfail.d/samba.unittests.adouble | 3 + - selftest/tests.py | 2 + - source3/lib/test_adouble.c | 389 +++++++++++++++++++ - source3/wscript_build | 5 + - 4 files changed, 399 insertions(+) - create mode 100644 selftest/knownfail.d/samba.unittests.adouble - create mode 100644 source3/lib/test_adouble.c - -diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble -new file mode 100644 -index 000000000000..8b0314f2faec ---- /dev/null -+++ b/selftest/knownfail.d/samba.unittests.adouble -@@ -0,0 +1,3 @@ -+^samba.unittests.adouble.parse_abouble_finderinfo2\(none\) -+^samba.unittests.adouble.parse_abouble_finderinfo3\(none\) -+^samba.unittests.adouble.parse_abouble_date2\(none\) -diff --git a/selftest/tests.py b/selftest/tests.py -index af1e46061852..f4a1056f1dc8 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -427,3 +427,5 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none", - [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration]) - plantestsuite("samba.unittests.credentials", "none", - [os.path.join(bindir(), "default/auth/credentials/test_creds")]) -+plantestsuite("samba.unittests.adouble", "none", -+ [os.path.join(bindir(), "test_adouble")]) -diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c -new file mode 100644 -index 000000000000..615c22469c91 ---- /dev/null -+++ b/source3/lib/test_adouble.c -@@ -0,0 +1,389 @@ -+/* -+ * Unix SMB/CIFS implementation. -+ * -+ * Copyright (C) 2021 Ralph Boehme -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ */ -+ -+#include "adouble.c" -+#include -+ -+static int setup_talloc_context(void **state) -+{ -+ TALLOC_CTX *frame = talloc_stackframe(); -+ -+ *state = frame; -+ return 0; -+} -+ -+static int teardown_talloc_context(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ -+ TALLOC_FREE(frame); -+ return 0; -+} -+ -+/* -+ * Basic and sane buffer. -+ */ -+static uint8_t ad_basic[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x32, /* offset */ -+ 0x00, 0x00, 0x00, 0x20, /* length */ -+ /* adentry 2: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x52, /* offset */ -+ 0xff, 0xff, 0xff, 0x00, /* length */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+/* -+ * An empty FinderInfo entry. -+ */ -+static uint8_t ad_finderinfo1[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */ -+ 0x00, 0x00, 0x00, 0x00, /* len: 0, so off+len don't exceed bufferlen */ -+ /* adentry 2: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x52, /* offset */ -+ 0xff, 0xff, 0xff, 0x00, /* length */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+/* -+ * A dangerous FinderInfo with correct length exceeding buffer by one byte. -+ */ -+static uint8_t ad_finderinfo2[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */ -+ 0x00, 0x00, 0x00, 0x20, /* len: 32, so off+len exceeds bufferlen by 1 */ -+ /* adentry 2: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x52, /* offset */ -+ 0xff, 0xff, 0xff, 0x00, /* length */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+static uint8_t ad_finderinfo3[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */ -+ 0x00, 0x00, 0x00, 0x1f, /* len: 31, so off+len don't exceed buf */ -+ /* adentry 2: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ -+ 0x00, 0x00, 0x00, 0x52, /* offset */ -+ 0xff, 0xff, 0xff, 0x00, /* length */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+/* -+ * A dangerous name entry. -+ */ -+static uint8_t ad_name[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x32, /* offset */ -+ 0x00, 0x00, 0x00, 0x20, /* length */ -+ /* adentry 2: Name */ -+ 0x00, 0x00, 0x00, 0x03, /* eid: Name */ -+ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */ -+ 0x00, 0x00, 0x00, 0x01, /* len: 1, so off+len exceeds bufferlen */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+/* -+ * A empty ADEID_FILEDATESI entry. -+ */ -+static uint8_t ad_date1[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x32, /* offset */ -+ 0x00, 0x00, 0x00, 0x20, /* length */ -+ /* adentry 2: Dates */ -+ 0x00, 0x00, 0x00, 0x08, /* eid: dates */ -+ 0x00, 0x00, 0x00, 0x52, /* off: end of buffer */ -+ 0x00, 0x00, 0x00, 0x00, /* len: 0, empty entry, valid */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+/* -+ * A dangerous ADEID_FILEDATESI entry, invalid length. -+ */ -+static uint8_t ad_date2[] = { -+ 0x00, 0x05, 0x16, 0x07, /* Magic */ -+ 0x00, 0x02, 0x00, 0x00, /* Version */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x00, 0x00, 0x00, /* Filler */ -+ 0x00, 0x02, /* Count */ -+ /* adentry 1: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ -+ 0x00, 0x00, 0x00, 0x32, /* offset */ -+ 0x00, 0x00, 0x00, 0x20, /* length */ -+ /* adentry 2: Dates */ -+ 0x00, 0x00, 0x00, 0x08, /* eid: dates */ -+ 0x00, 0x00, 0x00, 0x43, /* off: FinderInfo buf but one byte short */ -+ 0x00, 0x00, 0x00, 0x0f, /* len: 15, so off+len don't exceed bufferlen */ -+ /* FinderInfo data: 32 bytes */ -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, -+}; -+ -+static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx, -+ uint8_t *adbuf, -+ size_t adsize, -+ off_t filesize) -+{ -+ struct adouble *ad = NULL; -+ bool ok; -+ -+ ad = talloc_zero(mem_ctx, struct adouble); -+ ad->ad_data = talloc_zero_size(ad, adsize); -+ assert_non_null(ad); -+ -+ memcpy(ad->ad_data, adbuf, adsize); -+ -+ ok = ad_unpack(ad, 2, filesize); -+ if (!ok) { -+ return NULL; -+ } -+ -+ return ad; -+} -+ -+static void parse_abouble_basic(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ char *p = NULL; -+ -+ ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52); -+ assert_non_null(ad); -+ -+ p = ad_get_entry(ad, ADEID_FINDERI); -+ assert_non_null(p); -+ -+ return; -+} -+ -+static void parse_abouble_finderinfo1(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ char *p = NULL; -+ -+ ad = parse_adouble(frame, -+ ad_finderinfo1, -+ sizeof(ad_finderinfo1), -+ 0xffffff52); -+ assert_non_null(ad); -+ -+ p = ad_get_entry(ad, ADEID_FINDERI); -+ assert_null(p); -+ -+ return; -+} -+ -+static void parse_abouble_finderinfo2(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ -+ ad = parse_adouble(frame, -+ ad_finderinfo2, -+ sizeof(ad_finderinfo2), -+ 0xffffff52); -+ assert_null(ad); -+ -+ return; -+} -+ -+static void parse_abouble_finderinfo3(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ -+ ad = parse_adouble(frame, -+ ad_finderinfo3, -+ sizeof(ad_finderinfo3), -+ 0xffffff52); -+ assert_null(ad); -+ -+ return; -+} -+ -+static void parse_abouble_name(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ -+ ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52); -+ assert_null(ad); -+ -+ return; -+} -+ -+static void parse_abouble_date1(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ char *p = NULL; -+ -+ ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52); -+ assert_non_null(ad); -+ -+ p = ad_get_entry(ad, ADEID_FILEDATESI); -+ assert_null(p); -+ -+ return; -+} -+ -+static void parse_abouble_date2(void **state) -+{ -+ TALLOC_CTX *frame = *state; -+ struct adouble *ad = NULL; -+ -+ ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52); -+ assert_null(ad); -+ -+ return; -+} -+ -+int main(int argc, char *argv[]) -+{ -+ int rc; -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(parse_abouble_basic), -+ cmocka_unit_test(parse_abouble_finderinfo1), -+ cmocka_unit_test(parse_abouble_finderinfo2), -+ cmocka_unit_test(parse_abouble_finderinfo3), -+ cmocka_unit_test(parse_abouble_name), -+ cmocka_unit_test(parse_abouble_date1), -+ cmocka_unit_test(parse_abouble_date2), -+ }; -+ -+ if (argc == 2) { -+ cmocka_set_test_filter(argv[1]); -+ } -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ -+ rc = cmocka_run_group_tests(tests, -+ setup_talloc_context, -+ teardown_talloc_context); -+ -+ return rc; -+} -diff --git a/source3/wscript_build b/source3/wscript_build -index a143477a5064..95e589cfc734 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1088,6 +1088,11 @@ bld.SAMBA3_SUBSYSTEM('ADOUBLE', - source='lib/adouble.c', - deps='STRING_REPLACE') - -+bld.SAMBA3_BINARY('test_adouble', -+ source='lib/test_adouble.c', -+ deps='smbd_base STRING_REPLACE cmocka', -+ for_selftest=True) -+ - bld.SAMBA3_SUBSYSTEM('STRING_REPLACE', - source='lib/string_replace.c') - --- -2.34.1 - - -From 793ca8c474a74f82745a266f4a4bf9e20443ad53 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Thu, 13 Jan 2022 17:03:02 +0100 -Subject: [PATCH 5/5] CVE-2021-44142: libadouble: harden parsing code - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 - -Signed-off-by: Ralph Boehme ---- - selftest/knownfail.d/samba.unittests.adouble | 3 - - source3/lib/adouble.c | 115 ++++++++++++++++--- - 2 files changed, 101 insertions(+), 17 deletions(-) - delete mode 100644 selftest/knownfail.d/samba.unittests.adouble - -diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble -deleted file mode 100644 -index 8b0314f2faec..000000000000 ---- a/selftest/knownfail.d/samba.unittests.adouble -+++ /dev/null -@@ -1,3 +0,0 @@ --^samba.unittests.adouble.parse_abouble_finderinfo2\(none\) --^samba.unittests.adouble.parse_abouble_finderinfo3\(none\) --^samba.unittests.adouble.parse_abouble_date2\(none\) -diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c -index 7875dd6f0df8..48cc0007c23c 100644 ---- a/source3/lib/adouble.c -+++ b/source3/lib/adouble.c -@@ -269,6 +269,95 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off) - return ad->ad_eid[eid].ade_off = off; - } - -+/* -+ * All entries besides FinderInfo and resource fork must fit into the -+ * buffer. FinderInfo is special as it may be larger then the default 32 bytes -+ * if it contains marshalled xattrs, which we will fixup that in -+ * ad_convert(). The first 32 bytes however must also be part of the buffer. -+ * -+ * The resource fork is never accessed directly by the ad_data buf. -+ */ -+static bool ad_entry_check_size(uint32_t eid, -+ size_t bufsize, -+ uint32_t off, -+ uint32_t got_len) -+{ -+ struct { -+ off_t expected_len; -+ bool fixed_size; -+ bool minimum_size; -+ } ad_checks[] = { -+ [ADEID_DFORK] = {-1, false, false}, /* not applicable */ -+ [ADEID_RFORK] = {-1, false, false}, /* no limit */ -+ [ADEID_NAME] = {ADEDLEN_NAME, false, false}, -+ [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false}, -+ [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false}, -+ [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false}, -+ [ADEID_FILEI] = {ADEDLEN_FILEI, true, false}, -+ [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false}, -+ [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true}, -+ [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false}, -+ [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false}, -+ [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false}, -+ [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false}, -+ [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false}, -+ [ADEID_DID] = {ADEDLEN_DID, true, false}, -+ [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false}, -+ [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false}, -+ [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false}, -+ [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false}, -+ }; -+ -+ if (eid >= ADEID_MAX) { -+ return false; -+ } -+ if (got_len == 0) { -+ /* Entry present, but empty, allow */ -+ return true; -+ } -+ if (ad_checks[eid].expected_len == 0) { -+ /* -+ * Shouldn't happen: implicitly initialized to zero because -+ * explicit initializer missing. -+ */ -+ return false; -+ } -+ if (ad_checks[eid].expected_len == -1) { -+ /* Unused or no limit */ -+ return true; -+ } -+ if (ad_checks[eid].fixed_size) { -+ if (ad_checks[eid].expected_len != got_len) { -+ /* Wrong size fo fixed size entry. */ -+ return false; -+ } -+ } else { -+ if (ad_checks[eid].minimum_size) { -+ if (got_len < ad_checks[eid].expected_len) { -+ /* -+ * Too small for variable sized entry with -+ * minimum size. -+ */ -+ return false; -+ } -+ } else { -+ if (got_len > ad_checks[eid].expected_len) { -+ /* Too big for variable sized entry. */ -+ return false; -+ } -+ } -+ } -+ if (off + got_len < off) { -+ /* wrap around */ -+ return false; -+ } -+ if (off + got_len > bufsize) { -+ /* overflow */ -+ return false; -+ } -+ return true; -+} -+ - /** - * Return a pointer to an AppleDouble entry - * -@@ -276,8 +365,15 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off) - **/ - char *ad_get_entry(const struct adouble *ad, int eid) - { -+ size_t bufsize = talloc_get_size(ad->ad_data); - off_t off = ad_getentryoff(ad, eid); - size_t len = ad_getentrylen(ad, eid); -+ bool valid; -+ -+ valid = ad_entry_check_size(eid, bufsize, off, len); -+ if (!valid) { -+ return NULL; -+ } - - if (off == 0 || len == 0) { - return NULL; -@@ -914,20 +1010,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries, - return false; - } - -- /* -- * All entries besides FinderInfo and resource fork -- * must fit into the buffer. FinderInfo is special as -- * it may be larger then the default 32 bytes (if it -- * contains marshalled xattrs), but we will fixup that -- * in ad_convert(). And the resource fork is never -- * accessed directly by the ad_data buf (also see -- * comment above) anyway. -- */ -- if ((eid != ADEID_RFORK) && -- (eid != ADEID_FINDERI) && -- ((off + len) > bufsize)) { -- DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n", -- eid, off, len)); -+ ok = ad_entry_check_size(eid, bufsize, off, len); -+ if (!ok) { -+ DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] " -+ "off [%"PRIu32"] len [%"PRIu32"]\n", -+ eid, bufsize, off, len); - return false; - } - --- -2.34.1 - diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch new file mode 100644 index 0000000..f63464c --- /dev/null +++ b/SOURCES/samba-4-15-fix-autorid.patch @@ -0,0 +1,231 @@ +From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:06:30 +0100 +Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) +--- + source3/winbindd/idmap_autorid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c +index ad53b5810ee..c7d56a37684 100644 +--- a/source3/winbindd/idmap_autorid.c ++++ b/source3/winbindd/idmap_autorid.c +@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) + config->maxranges = (dom->high_id - dom->low_id + 1) / + config->rangesize; + +- if (config->maxranges == 0) { +- DEBUG(1, ("Allowed uid range is smaller than rangesize. " +- "Increase uid range or decrease rangesize.\n")); ++ if (config->maxranges < 2) { ++ DBG_WARNING("Allowed idmap range is not a least double the " ++ "size of the rangesize. Please increase idmap " ++ "range.\n"); + status = NT_STATUS_INVALID_PARAMETER; + goto error; + } +-- +2.35.1 + + +From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:07:50 +0100 +Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) +--- + source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 98bcc219b1e..58ba46bc15f 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, + return false; /* Keep scanning */ + } + ++static int idmap_config_int(const char *domname, const char *option, int def) ++{ ++ int len = snprintf(NULL, 0, "idmap config %s", domname); ++ ++ if (len == -1) { ++ return def; ++ } ++ { ++ char config_option[len+1]; ++ snprintf(config_option, sizeof(config_option), ++ "idmap config %s", domname); ++ return lp_parm_int(-1, config_option, option, def); ++ } ++} ++ + static bool do_idmap_check(void) + { + struct idmap_domains *d; +@@ -157,6 +172,42 @@ static bool do_idmap_check(void) + rc); + } + ++ /* Check autorid backend */ ++ if (strequal(lp_idmap_default_backend(), "autorid")) { ++ struct idmap_config *c = NULL; ++ bool found = false; ++ ++ for (i = 0; i < d->count; i++) { ++ c = &d->c[i]; ++ ++ if (strequal(c->backend, "autorid")) { ++ found = true; ++ break; ++ } ++ } ++ ++ if (found) { ++ uint32_t rangesize = ++ idmap_config_int("*", "rangesize", 100000); ++ uint32_t maxranges = ++ (c->high - c->low + 1) / rangesize; ++ ++ if (maxranges < 2) { ++ fprintf(stderr, ++ "ERROR: The idmap autorid range " ++ "[%u-%u] needs to be at least twice as " ++ "big as the rangesize [%u]!" ++ "\n\n", ++ c->low, ++ c->high, ++ rangesize); ++ ok = false; ++ goto done; ++ } ++ } ++ } ++ ++ /* Check for overlapping idmap ranges */ + for (i = 0; i < d->count; i++) { + struct idmap_config *c = &d->c[i]; + uint32_t j; +-- +2.35.1 + + +From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:05:19 +0100 +Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) +--- + docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml +index 6c4da1cad8a..980718f0bd4 100644 +--- a/docs-xml/manpages/idmap_autorid.8.xml ++++ b/docs-xml/manpages/idmap_autorid.8.xml +@@ -48,7 +48,13 @@ + and the corresponding map is discarded. It is + intended as a way to avoid accidental UID/GID + overlaps between local and remotely defined +- IDs. ++ IDs. Note that the range should be a multiple ++ of the rangesize and needs to be at least twice ++ as large in order to have sufficient id range ++ space for the mandatory BUILTIN domain. ++ With a default rangesize of 100000 the range ++ needs to span at least 200000. ++ This would be: range = 100000 - 299999. + + + +-- +2.35.1 + diff --git a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch new file mode 100644 index 0000000..2d7ad44 --- /dev/null +++ b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch @@ -0,0 +1,477 @@ +From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 16:53:02 +0100 +Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + testprogs/blackbox/test_net_ads.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 76b394b10a9..cfafb945b62 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -51,6 +51,12 @@ fi + + testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") ++testit "local krb5.conf created" \ ++ test -r \ ++ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || ++ failed=$((failed + 1)) ++ + testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` + + netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') +-- +2.35.1 + + +From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:03:40 +0100 +Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 75beeef4a44..60fe03fd5d7 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -1,4 +1,4 @@ +-/* ++/* + Unix SMB/CIFS implementation. + kerberos utility library + Copyright (C) Andrew Tridgell 2001 +@@ -37,11 +37,11 @@ + #define LIBADS_CCACHE_NAME "MEMORY:libads" + + /* +- we use a prompter to avoid a crash bug in the kerberos libs when ++ we use a prompter to avoid a crash bug in the kerberos libs when + dealing with empty passwords + this prompter is just a string copy ... + */ +-static krb5_error_code ++static krb5_error_code + kerb_prompter(krb5_context ctx, void *data, + const char *name, + const char *banner, +@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal, + krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); + } + +- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), ++ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), + kerb_prompter, discard_const_p(char, password), + 0, NULL, opt))) { + goto out; +@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name) + } + + if ((code = krb5_cc_destroy (ctx, cc))) { +- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", ++ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", + error_message(code))); + } + +@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal, + int time_offset, + const char *cache_name) + { +- return kerberos_kinit_password_ext(principal, +- password, +- time_offset, +- 0, ++ return kerberos_kinit_password_ext(principal, ++ password, ++ time_offset, ++ 0, + 0, + cache_name, + False, +-- +2.35.1 + + +From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:04:34 +0100 +Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string() + +This avoids useless allocations. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 60fe03fd5d7..1bf149ef09b 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx, + struct netlogon_samlogon_response **responses = NULL; + NTSTATUS status; + bool ok; +- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", +- print_canonical_sockaddr_with_port(mem_ctx, pss)); ++ char *kdc_str = NULL; + ++ SMB_ASSERT(pss != NULL); ++ ++ kdc_str = talloc_asprintf(mem_ctx, ++ "\t\tkdc = %s\n", ++ print_canonical_sockaddr_with_port(mem_ctx, ++ pss)); + if (kdc_str == NULL) { + TALLOC_FREE(frame); + return NULL; +@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx, + } + } + +- dc_addrs2 = talloc_zero_array(talloc_tos(), +- struct tsocket_address *, +- num_dcs); +- + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { + TALLOC_FREE(kdc_str); + goto out; + } ++ ++ dc_addrs2 = talloc_zero_array(talloc_tos(), ++ struct tsocket_address *, ++ num_dcs); + if (dc_addrs2 == NULL) { + TALLOC_FREE(kdc_str); + goto out; +-- +2.35.1 + + +From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:10:47 +0100 +Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 1bf149ef09b..6a46d72a156 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + + result = kdc_str; + out: +- DBG_DEBUG("Returning\n%s\n", kdc_str); ++ if (result != NULL) { ++ DBG_DEBUG("Returning\n%s\n", kdc_str); ++ } else { ++ DBG_NOTICE("Failed to get KDC ip address\n"); ++ } + + TALLOC_FREE(ip_sa_site); + TALLOC_FREE(ip_sa_nonsite); +-- +2.35.1 + + +From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:48:23 +0100 +Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in + get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 6a46d72a156..d1c410ffa4b 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + } + + /* Append to the string - inefficient but not done often. */ +- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", +- kdc_str, +- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); +- TALLOC_FREE(kdc_str); ++ new_kdc_str = talloc_asprintf_append( ++ kdc_str, ++ "\t\tkdc = %s\n", ++ print_canonical_sockaddr_with_port( ++ mem_ctx, &dc_addrs[i])); + if (new_kdc_str == NULL) { + goto out; + } +-- +2.35.1 + + +From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:56:58 +0100 +Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index d1c410ffa4b..aadc65a3edc 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + + SMB_ASSERT(pss != NULL); + +- kdc_str = talloc_asprintf(mem_ctx, ++ kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", + print_canonical_sockaddr_with_port(mem_ctx, + pss)); +@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + */ + + if (sitename) { +- status = get_kdc_list(talloc_tos(), ++ status = get_kdc_list(frame, + realm, + sitename, + &ip_sa_site, +@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + + /* Get all KDC's. */ + +- status = get_kdc_list(talloc_tos(), ++ status = get_kdc_list(frame, + realm, + NULL, + &ip_sa_nonsite, +@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + kdc_str = new_kdc_str; + } + +- result = kdc_str; ++ result = talloc_move(mem_ctx, &kdc_str); + out: + if (result != NULL) { + DBG_DEBUG("Returning\n%s\n", kdc_str); +@@ -597,8 +597,6 @@ out: + DBG_NOTICE("Failed to get KDC ip address\n"); + } + +- TALLOC_FREE(ip_sa_site); +- TALLOC_FREE(ip_sa_nonsite); + TALLOC_FREE(frame); + return result; + } +-- +2.35.1 + + +From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 12:57:18 +0100 +Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str + +This is allocated on the stackframe now! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index aadc65a3edc..2087dc1e6f9 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + print_canonical_sockaddr_with_port(mem_ctx, + pss)); + if (kdc_str == NULL) { +- TALLOC_FREE(frame); +- return NULL; ++ goto out; + } + + ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); + if (!ok) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list fail %s\n", + nt_errstr(status)); +- TALLOC_FREE(kdc_str); + goto out; + } + DBG_DEBUG("got %zu addresses from site %s search\n", +@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DBG_ERR("get_kdc_list (site-less) fail %s\n", + nt_errstr(status)); +- TALLOC_FREE(kdc_str); + goto out; + } + DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); +@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (count_site + count_nonsite < count_site) { + /* Wrap check. */ + DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, + count_site + count_nonsite); + if (dc_addrs == NULL) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + struct tsocket_address *, + num_dcs); + if (dc_addrs2 == NULL) { +- TALLOC_FREE(kdc_str); + goto out; + } + +@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + status = map_nt_error_from_unix(errno); + DEBUG(2,("Failed to create tsocket_address for %s - %s\n", + addr, nt_errstr(status))); +- TALLOC_FREE(kdc_str); + goto out; + } + } +@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx, + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " + "%s\n", nt_errstr(status))); +- TALLOC_FREE(kdc_str); + goto out; + } + +-- +2.35.1 + + +From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 13:02:05 +0100 +Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for + NULL in get_kdc_ip_string() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 2087dc1e6f9..20dceeefb22 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx, + NTSTATUS status; + bool ok; + char *kdc_str = NULL; ++ char *canon_sockaddr = NULL; + + SMB_ASSERT(pss != NULL); + ++ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); ++ if (canon_sockaddr == NULL) { ++ goto out; ++ } ++ + kdc_str = talloc_asprintf(frame, + "\t\tkdc = %s\n", +- print_canonical_sockaddr_with_port(mem_ctx, +- pss)); ++ canon_sockaddr); + if (kdc_str == NULL) { + goto out; + } +-- +2.35.1 + + +From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 15 Mar 2022 13:10:06 +0100 +Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf + +We create an KDC ip string entry directly at the beginning, use it if we +don't have any additional DCs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 + +Signed-off-by: Andreas Schneider +--- + source3/libads/kerberos.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 20dceeefb22..3fd86e87064 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx, + + DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); + if (num_dcs == 0) { ++ /* ++ * We do not have additional KDCs, but we have the one passed ++ * in via `pss`. So just use that one and leave. ++ */ ++ result = talloc_move(mem_ctx, &kdc_str); + goto out; + } + +-- +2.35.1 + diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch new file mode 100644 index 0000000..93c2caa --- /dev/null +++ b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch @@ -0,0 +1,411 @@ +From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 12:59:44 +0100 +Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error + path + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) +--- + source3/libads/authdata.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index dd21d895fc2..c048510d480 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; +- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; ++ DATA_BLOB tkt = data_blob_null; ++ DATA_BLOB tkt_wrapped = data_blob_null; ++ DATA_BLOB ap_rep = data_blob_null; ++ DATA_BLOB sesskey1 = data_blob_null; + const char *auth_princ = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + struct auth_session_info *session_info; +@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + ZERO_STRUCT(sesskey1); + + if (!name || !pass) { +- return NT_STATUS_INVALID_PARAMETER; ++ status = NT_STATUS_INVALID_PARAMETER; ++ goto out; + } + + if (cache_name) { +@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + + if (expire_time && renew_till_time && + (*expire_time == 0) && (*renew_till_time == 0)) { +- return NT_STATUS_INVALID_LOGON_TYPE; ++ status = NT_STATUS_INVALID_LOGON_TYPE; ++ goto out; + } + + ret = ads_krb5_cli_get_ticket(mem_ctx, +-- +2.35.1 + + +From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:00:05 +0100 +Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug + macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) +--- + lib/krb5_wrap/krb5_samba.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..42d4b950f80 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + goto done; + } + +- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); ++ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); + + /* FIXME: we should not fall back to defaults */ + ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); +-- +2.35.1 + + +From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:28 +0100 +Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer + debug macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) +--- + lib/krb5_wrap/krb5_samba.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 42d4b950f80..76c2dcd2126 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + + ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); + if (ret) { +- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); ++ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " ++ "for client '%s' and service '%s' failed: %s\n", ++ ccache_string, client_string, service_string, ++ error_message(ret)); + goto done; + } + +-- +2.35.1 + + +From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:08:56 +0100 +Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from + kerberos_return_pac() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) +--- + source3/libads/authdata.c | 22 +++++++++++++++++++++- + source3/libads/kerberos_proto.h | 2 ++ + source3/utils/net_ads.c | 2 ++ + source3/winbindd/winbindd_pam.c | 2 ++ + 4 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index c048510d480..bf9a2335445 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **_pac_data_ctr) + { + krb5_error_code ret; +@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; + struct PAC_DATA_CTR *pac_data_ctr = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); +@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + goto out; + } + ++ if (_canon_principal != NULL) { ++ *_canon_principal = NULL; ++ } ++ ++ if (_canon_realm != NULL) { ++ *_canon_realm = NULL; ++ } ++ + if (cache_name) { + cc = cache_name; + } +@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + request_pac, + add_netbios_addr, + renewable_time, +- NULL, NULL, NULL, ++ tmp_ctx, ++ &canon_principal, ++ &canon_realm, + &status); + if (ret) { + DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", +@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + } + + *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); ++ if (_canon_principal != NULL) { ++ *_canon_principal = talloc_move(mem_ctx, &canon_principal); ++ } ++ if (_canon_realm != NULL) { ++ *_canon_realm = talloc_move(mem_ctx, &canon_realm); ++ } + + out: + talloc_free(tmp_ctx); +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index 3d7b5bc074b..807381248c8 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **pac_data_ctr); + + /* The following definitions come from libads/krb5_setpw.c */ +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 8f993f9ba4c..c41fb0afe9c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch + 2592000, /* one month */ + impersonate_princ_s, + local_service, ++ NULL, ++ NULL, + pac_data_ctr); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 7606bfb4ecd..025a5cbc111 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, ++ NULL, ++ NULL, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +-- +2.35.1 + + +From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:19:02 +0100 +Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache + entry + +They will be used later to refresh the tickets. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) +--- + source3/winbindd/winbindd.h | 2 ++ + source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- + source3/winbindd/winbindd_pam.c | 14 ++++++++++---- + source3/winbindd/winbindd_proto.h | 4 +++- + 4 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index a6b2238cec1..dac4a1fa927 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { + const char *service; + const char *username; + const char *realm; ++ const char *canon_principal; ++ const char *canon_realm; + struct WINBINDD_MEMORY_CREDS *cred_ptr; + int ref_count; + uid_t uid; +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index c3077e21989..88847b1ab97 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request) ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm) + { + struct WINBINDD_CCACHE_ENTRY *entry = NULL; + struct timeval t; +@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + goto no_mem; + } + } ++ if (canon_principal != NULL) { ++ entry->canon_principal = talloc_strdup(entry, canon_principal); ++ if (entry->canon_principal == NULL) { ++ goto no_mem; ++ } ++ } ++ if (canon_realm != NULL) { ++ entry->canon_realm = talloc_strdup(entry, canon_realm); ++ if (entry->canon_realm == NULL) { ++ goto no_mem; ++ } ++ } + + entry->ccname = talloc_strdup(entry, ccname); + if (!entry->ccname) { +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 025a5cbc111..a24cef78440 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + const char *local_service; + uint32_t i; + struct netr_SamInfo6 *info6_copy = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + bool ok; + + *info6 = NULL; +@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, +- NULL, +- NULL, ++ &canon_principal, ++ &canon_realm, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + time(NULL), + ticket_lifetime, + renewal_until, +- false); ++ false, ++ canon_principal, ++ canon_realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", +@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, + time(NULL), + time(NULL) + lp_winbind_cache_time(), + time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, +- true); ++ true, ++ principal_s, ++ realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed " +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index c0d653a6d77..16c23f3de40 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request); ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm); + NTSTATUS remove_ccache(const char *username); + struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); + NTSTATUS winbindd_add_memory_creds(const char *username, +-- +2.35.1 + + +From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:44 +0100 +Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the + credentials + +The principal name stored in the winbindd ccache entry might be an +enterprise principal name if enterprise principals are enabled. Use +the canonical name to renew the credentials. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) +--- + source3/winbindd/winbindd_cred_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index 88847b1ab97..6c65db6a73f 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -209,7 +209,7 @@ rekinit: + set_effective_uid(entry->uid); + + ret = smb_krb5_renew_ticket(entry->ccname, +- entry->principal_name, ++ entry->canon_principal, + entry->service, + &new_start); + #if defined(DEBUG_KRB5_TKT_RENEWAL) +-- +2.35.1 + diff --git a/SOURCES/samba-4.14-IPA-DC-add-missing-checks.patch b/SOURCES/samba-4.14-IPA-DC-add-missing-checks.patch deleted file mode 100644 index 7e33d59..0000000 --- a/SOURCES/samba-4.14-IPA-DC-add-missing-checks.patch +++ /dev/null @@ -1,51 +0,0 @@ -From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 12 Nov 2021 19:06:01 +0200 -Subject: [PATCH] IPA DC: add missing checks - -When introducing FreeIPA support, two places were forgotten: - - - schannel gensec module needs to be aware of IPA DC - - _lsa_QueryInfoPolicy should treat IPA DC as PDC - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Alexander Bokovoy -Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184 - -(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5) ---- - auth/gensec/schannel.c | 1 + - source3/rpc_server/lsa/srv_lsa_nt.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c -index 0cdae141ead..6ebbe8f3179 100644 ---- a/auth/gensec/schannel.c -+++ b/auth/gensec/schannel.c -@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security) - case ROLE_DOMAIN_BDC: - case ROLE_DOMAIN_PDC: - case ROLE_ACTIVE_DIRECTORY_DC: -+ case ROLE_IPA_DC: - return NT_STATUS_OK; - default: - return NT_STATUS_NOT_IMPLEMENTED; -diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c -index d6d606ddeca..36774be3e32 100644 ---- a/source3/rpc_server/lsa/srv_lsa_nt.c -+++ b/source3/rpc_server/lsa/srv_lsa_nt.c -@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p, - switch (lp_server_role()) { - case ROLE_DOMAIN_PDC: - case ROLE_DOMAIN_BDC: -+ case ROLE_IPA_DC: - name = get_global_sam_name(); - sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); - if (!sid) { --- -2.33.1 - diff --git a/SOURCES/samba-4.14-del-dir-with-dangling-symlinks.patch b/SOURCES/samba-4.14-del-dir-with-dangling-symlinks.patch deleted file mode 100644 index ca9dd8e..0000000 --- a/SOURCES/samba-4.14-del-dir-with-dangling-symlinks.patch +++ /dev/null @@ -1,1023 +0,0 @@ -From a0618e0eda69d31d090f776a9217a6a3cf76e5da Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 21 Oct 2021 16:37:27 -0700 -Subject: [PATCH 1/7] s3: smbd: Add two tests showing the ability to delete a - directory containing a dangling symlink over SMB2 depends on "delete veto - files" setting. - -Add knownfail. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit 942123b95923f35a32df4196a072a3ed3468396a) -(cherry picked from commit 359517877d6462ff4398401748f921c8b79357a6) ---- - selftest/knownfail.d/rmdir_dangle_symlink | 1 + - selftest/target/Samba3.pm | 4 + - .../test_delete_veto_files_only_rmdir.sh | 183 ++++++++++++++++++ - source3/selftest/tests.py | 3 + - 4 files changed, 191 insertions(+) - create mode 100644 selftest/knownfail.d/rmdir_dangle_symlink - create mode 100755 source3/script/tests/test_delete_veto_files_only_rmdir.sh - -diff --git a/selftest/knownfail.d/rmdir_dangle_symlink b/selftest/knownfail.d/rmdir_dangle_symlink -new file mode 100644 -index 00000000000..c775dc5fe15 ---- /dev/null -+++ b/selftest/knownfail.d/rmdir_dangle_symlink -@@ -0,0 +1 @@ -+^samba3.blackbox.test_dangle_rmdir.rmdir can delete directory containing dangling symlink\(fileserver\) -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index bbff9d74817..588d7779dd4 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1584,6 +1584,10 @@ sub setup_fileserver - veto files = /veto_name*/ - delete veto files = yes - -+[delete_veto_files_only] -+ path = $veto_sharedir -+ delete veto files = yes -+ - [homes] - comment = Home directories - browseable = No -diff --git a/source3/script/tests/test_delete_veto_files_only_rmdir.sh b/source3/script/tests/test_delete_veto_files_only_rmdir.sh -new file mode 100755 -index 00000000000..d2c3b2198f7 ---- /dev/null -+++ b/source3/script/tests/test_delete_veto_files_only_rmdir.sh -@@ -0,0 +1,183 @@ -+#!/bin/sh -+# -+# Check smbclient can (or cannot) delete a directory containing dangling symlinks. -+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 -+# -+ -+if [ $# -lt 6 ]; then -+cat < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < -Date: Mon, 25 Oct 2021 12:01:58 -0700 -Subject: [PATCH 2/7] s3: VFS: streams_depot. Allow unlinkat to cope with - dangling symlinks. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit 295d7d026babe3cd5123d0f53adcb16868907f05) -(backported from commit 7a4173809a87350bc3580240232978042ec2ceca) -[pfilipen@redhat.com: code in 4.15 uses different variable name] ---- - source3/modules/vfs_streams_depot.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/source3/modules/vfs_streams_depot.c b/source3/modules/vfs_streams_depot.c -index a5e02d5a069..dd6376e5fd0 100644 ---- a/source3/modules/vfs_streams_depot.c -+++ b/source3/modules/vfs_streams_depot.c -@@ -739,6 +739,16 @@ static int streams_depot_unlink_internal(vfs_handle_struct *handle, - ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname_base); - } else { - ret = SMB_VFS_NEXT_STAT(handle, smb_fname_base); -+ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { -+ if (VALID_STAT(smb_fname->st) && -+ S_ISLNK(smb_fname->st.st_ex_mode)) { -+ /* -+ * Original name was a link - Could be -+ * trying to remove a dangling symlink. -+ */ -+ ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname_base); -+ } -+ } - } - - if (ret == -1) { --- -2.33.1 - - -From 474a91d03527a15f7655be3866a9e5eaa405118f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 25 Oct 2021 12:02:43 -0700 -Subject: [PATCH 3/7] s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling - symlinks. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit f254be19d6501a4f573843af97963e350a9ee2ed) -(backported from commit 0dba0917fd97e975d1daab5b0828644d026c2bc5) -[pfilipen@redhat.com: code in 4.15 uses different variable name] ---- - source3/modules/vfs_xattr_tdb.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c -index d89a1dd0d7d..e06ff9639f1 100644 ---- a/source3/modules/vfs_xattr_tdb.c -+++ b/source3/modules/vfs_xattr_tdb.c -@@ -639,6 +639,16 @@ static int xattr_tdb_unlinkat(vfs_handle_struct *handle, - ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname_tmp); - } else { - ret = SMB_VFS_NEXT_STAT(handle, smb_fname_tmp); -+ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { -+ if (VALID_STAT(smb_fname->st) && -+ S_ISLNK(smb_fname->st.st_ex_mode)) { -+ /* -+ * Original name was a link - Could be -+ * trying to remove a dangling symlink. -+ */ -+ ret = SMB_VFS_NEXT_LSTAT(handle, smb_fname_tmp); -+ } -+ } - } - if (ret == -1) { - goto out; --- -2.33.1 - - -From 298a8dac1160ebba56cd84b7e25908e160b88f85 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 25 Oct 2021 12:21:37 -0700 -Subject: [PATCH 4/7] s3: smbd: Fix rmdir_internals() to do an early return if - lp_delete_veto_files() is not set. - -Fix the comments to match what the code actually does. The -exit at the end of the scan directory loop if we find a client -visible filename is a change in behavior, but the previous -behavior (not exist on visible filename, but delete it) was -a bug and in non-tested code. Now it's testd. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit a37d16e7c55f85e3f2c9c8614755ea6307092d5f) -(backported from commit e00fe095e8cf7ab54bc82870b913762d2fdddbad) -[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15] ---- - source3/smbd/close.c | 247 ++++++++++++++++++++++--------------------- - 1 file changed, 128 insertions(+), 119 deletions(-) - -diff --git a/source3/smbd/close.c b/source3/smbd/close.c -index f05619d1886..0c102b9533b 100644 ---- a/source3/smbd/close.c -+++ b/source3/smbd/close.c -@@ -938,8 +938,11 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - { - connection_struct *conn = fsp->conn; - struct smb_filename *smb_dname = fsp->fsp_name; -- const struct loadparm_substitution *lp_sub = -- loadparm_s3_global_substitution(); -+ SMB_STRUCT_STAT st; -+ const char *dname = NULL; -+ char *talloced = NULL; -+ long dirpos = 0; -+ struct smb_Dir *dir_hnd = NULL; - int ret; - - SMB_ASSERT(!is_ntfs_stream_smb_fname(smb_dname)); -@@ -974,143 +977,149 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - return NT_STATUS_OK; - } - -- if(((errno == ENOTEMPTY)||(errno == EEXIST)) && *lp_veto_files(talloc_tos(), lp_sub, SNUM(conn))) { -- /* -- * Check to see if the only thing in this directory are -- * vetoed files/directories. If so then delete them and -- * retry. If we fail to delete any of them (and we *don't* -- * do a recursive delete) then fail the rmdir. -- */ -- SMB_STRUCT_STAT st; -- const char *dname = NULL; -- char *talloced = NULL; -- long dirpos = 0; -- struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), conn, -- smb_dname, NULL, -- 0); -- -- if(dir_hnd == NULL) { -+ if (!((errno == ENOTEMPTY) || (errno == EEXIST))) { -+ DEBUG(3,("rmdir_internals: couldn't remove directory %s : " -+ "%s\n", smb_fname_str_dbg(smb_dname), -+ strerror(errno))); -+ return map_nt_error_from_unix(errno); -+ } -+ -+ /* -+ * Here we know the initial directory unlink failed with -+ * ENOTEMPTY or EEXIST so we know there are objects within. -+ * If we don't have permission to delete files non -+ * visible to the client just fail the directory delete. -+ */ -+ -+ if (!lp_delete_veto_files(SNUM(conn))) { -+ errno = ENOTEMPTY; -+ goto err; -+ } -+ -+ /* -+ * Check to see if the only thing in this directory are -+ * files non-visible to the client. If not, fail the delete. -+ */ -+ -+ dir_hnd = OpenDir(talloc_tos(), conn, smb_dname, NULL, 0); -+ if (dir_hnd == NULL) { -+ errno = ENOTEMPTY; -+ goto err; -+ } -+ -+ while ((dname = ReadDirName(dir_hnd, &dirpos, &st, &talloced)) != NULL) { -+ if((strcmp(dname, ".") == 0) || (strcmp(dname, "..")==0)) { -+ TALLOC_FREE(talloced); -+ continue; -+ } -+ if (!is_visible_file(conn, -+ dir_hnd, -+ dname, -+ &st, -+ false)) { -+ TALLOC_FREE(talloced); -+ continue; -+ } -+ if(!IS_VETO_PATH(conn, dname)) { -+ /* -+ * We found a client visible name. -+ * We cannot delete this directory. -+ */ -+ DBG_DEBUG("got name %s - " -+ "can't delete directory %s\n", -+ dname, -+ fsp_str_dbg(fsp)); -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); - errno = ENOTEMPTY; - goto err; - } -+ TALLOC_FREE(talloced); -+ } - -- while ((dname = ReadDirName(dir_hnd, &dirpos, &st, -- &talloced)) != NULL) { -- if((strcmp(dname, ".") == 0) || (strcmp(dname, "..")==0)) { -- TALLOC_FREE(talloced); -- continue; -- } -- if (!is_visible_file(conn, -- dir_hnd, -- dname, -- &st, -- false)) { -- TALLOC_FREE(talloced); -- continue; -- } -- if(!IS_VETO_PATH(conn, dname)) { -- TALLOC_FREE(dir_hnd); -- TALLOC_FREE(talloced); -- errno = ENOTEMPTY; -- goto err; -- } -+ /* Do a recursive delete. */ -+ RewindDir(dir_hnd,&dirpos); -+ while ((dname = ReadDirName(dir_hnd, &dirpos, &st, &talloced)) != NULL) { -+ struct smb_filename *smb_dname_full = NULL; -+ char *fullname = NULL; -+ bool do_break = true; -+ -+ if (ISDOT(dname) || ISDOTDOT(dname)) { -+ TALLOC_FREE(talloced); -+ continue; -+ } -+ if (!is_visible_file(conn, -+ dir_hnd, -+ dname, -+ &st, -+ false)) { - TALLOC_FREE(talloced); -+ continue; - } - -- /* We only have veto files/directories. -- * Are we allowed to delete them ? */ -+ fullname = talloc_asprintf(ctx, -+ "%s/%s", -+ smb_dname->base_name, -+ dname); - -- if(!lp_delete_veto_files(SNUM(conn))) { -- TALLOC_FREE(dir_hnd); -- errno = ENOTEMPTY; -- goto err; -+ if (fullname == NULL) { -+ errno = ENOMEM; -+ goto err_break; - } - -- /* Do a recursive delete. */ -- RewindDir(dir_hnd,&dirpos); -- while ((dname = ReadDirName(dir_hnd, &dirpos, &st, -- &talloced)) != NULL) { -- struct smb_filename *smb_dname_full = NULL; -- char *fullname = NULL; -- bool do_break = true; -- -- if (ISDOT(dname) || ISDOTDOT(dname)) { -- TALLOC_FREE(talloced); -- continue; -- } -- if (!is_visible_file(conn, -- dir_hnd, -- dname, -- &st, -- false)) { -- TALLOC_FREE(talloced); -- continue; -- } -- -- fullname = talloc_asprintf(ctx, -- "%s/%s", -- smb_dname->base_name, -- dname); -+ smb_dname_full = synthetic_smb_fname(talloc_tos(), -+ fullname, -+ NULL, -+ NULL, -+ smb_dname->twrp, -+ smb_dname->flags); -+ if (smb_dname_full == NULL) { -+ errno = ENOMEM; -+ goto err_break; -+ } - -- if(!fullname) { -- errno = ENOMEM; -+ if(SMB_VFS_LSTAT(conn, smb_dname_full) != 0) { -+ goto err_break; -+ } -+ if(smb_dname_full->st.st_ex_mode & S_IFDIR) { -+ int retval; -+ if(!recursive_rmdir(ctx, conn, -+ smb_dname_full)) { - goto err_break; - } -- -- smb_dname_full = synthetic_smb_fname(talloc_tos(), -- fullname, -- NULL, -- NULL, -- smb_dname->twrp, -- smb_dname->flags); -- if (smb_dname_full == NULL) { -- errno = ENOMEM; -+ retval = SMB_VFS_UNLINKAT(conn, -+ conn->cwd_fsp, -+ smb_dname_full, -+ AT_REMOVEDIR); -+ if(retval != 0) { - goto err_break; - } -- -- if(SMB_VFS_LSTAT(conn, smb_dname_full) != 0) { -+ } else { -+ int retval = SMB_VFS_UNLINKAT(conn, -+ conn->cwd_fsp, -+ smb_dname_full, -+ 0); -+ if(retval != 0) { - goto err_break; - } -- if(smb_dname_full->st.st_ex_mode & S_IFDIR) { -- int retval; -- if(!recursive_rmdir(ctx, conn, -- smb_dname_full)) { -- goto err_break; -- } -- retval = SMB_VFS_UNLINKAT(conn, -- conn->cwd_fsp, -- smb_dname_full, -- AT_REMOVEDIR); -- if(retval != 0) { -- goto err_break; -- } -- } else { -- int retval = SMB_VFS_UNLINKAT(conn, -- conn->cwd_fsp, -- smb_dname_full, -- 0); -- if(retval != 0) { -- goto err_break; -- } -- } -+ } - -- /* Successful iteration. */ -- do_break = false; -+ /* Successful iteration. */ -+ do_break = false; - -- err_break: -- TALLOC_FREE(fullname); -- TALLOC_FREE(smb_dname_full); -- TALLOC_FREE(talloced); -- if (do_break) -- break; -- } -- TALLOC_FREE(dir_hnd); -- /* Retry the rmdir */ -- ret = SMB_VFS_UNLINKAT(conn, -- conn->cwd_fsp, -- smb_dname, -- AT_REMOVEDIR); -+ err_break: -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ TALLOC_FREE(talloced); -+ if (do_break) -+ break; - } -+ TALLOC_FREE(dir_hnd); -+ /* Retry the rmdir */ -+ ret = SMB_VFS_UNLINKAT(conn, -+ conn->cwd_fsp, -+ smb_dname, -+ AT_REMOVEDIR); - - err: - --- -2.33.1 - - -From a7075aeedd078c68b57556678fa40907cd66cd08 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 25 Oct 2021 12:32:29 -0700 -Subject: [PATCH 5/7] s3: smbd: Fix logic in rmdir_internals() to cope with - dangling symlinks. - -Still need to add the same logic in can_delete_directory_fsp() -before we can delete the knownfail. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit 26fecad2e66e91a3913d88ee2e0889f266e91d89) -(backported from commit 4793c4d5307472f0eb72f70f7dbf7324744e3f91) -[pfilipen@redhat.com: rmdir_internals() got refactored in 4.15] ---- - source3/smbd/close.c | 103 ++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 101 insertions(+), 2 deletions(-) - -diff --git a/source3/smbd/close.c b/source3/smbd/close.c -index 0c102b9533b..81811f703b0 100644 ---- a/source3/smbd/close.c -+++ b/source3/smbd/close.c -@@ -1008,10 +1008,14 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - } - - while ((dname = ReadDirName(dir_hnd, &dirpos, &st, &talloced)) != NULL) { -+ struct smb_filename *smb_dname_full = NULL; -+ char *fullname = NULL; -+ - if((strcmp(dname, ".") == 0) || (strcmp(dname, "..")==0)) { - TALLOC_FREE(talloced); - continue; - } -+ - if (!is_visible_file(conn, - dir_hnd, - dname, -@@ -1020,6 +1024,98 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - TALLOC_FREE(talloced); - continue; - } -+ -+ fullname = talloc_asprintf(talloc_tos(), -+ "%s/%s", -+ smb_dname->base_name, -+ dname); -+ -+ if (fullname == NULL) { -+ TALLOC_FREE(talloced); -+ errno = ENOMEM; -+ goto err; -+ } -+ -+ smb_dname_full = synthetic_smb_fname(talloc_tos(), -+ fullname, -+ NULL, -+ NULL, -+ smb_dname->twrp, -+ smb_dname->flags); -+ if (smb_dname_full == NULL) { -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ errno = ENOMEM; -+ goto err; -+ } -+ -+ ret = SMB_VFS_LSTAT(conn, smb_dname_full); -+ if (ret != 0) { -+ int saved_errno = errno; -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ errno = saved_errno; -+ goto err; -+ } -+ -+ if (S_ISLNK(smb_dname_full->st.st_ex_mode)) { -+ /* Could it be an msdfs link ? */ -+ if (lp_host_msdfs() && -+ lp_msdfs_root(SNUM(conn))) { -+ struct smb_filename *smb_atname; -+ smb_atname = synthetic_smb_fname(talloc_tos(), -+ dname, -+ NULL, -+ &smb_dname_full->st, -+ fsp->fsp_name->twrp, -+ fsp->fsp_name->flags); -+ if (smb_atname == NULL) { -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ errno = ENOMEM; -+ goto err; -+ } -+ if (is_msdfs_link(conn, smb_atname)) { -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ TALLOC_FREE(smb_atname); -+ DBG_DEBUG("got msdfs link name %s " -+ "- can't delete directory %s\n", -+ dname, -+ fsp_str_dbg(fsp)); -+ errno = ENOTEMPTY; -+ goto err; -+ } -+ TALLOC_FREE(smb_atname); -+ } -+ -+ /* Not a DFS link - could it be a dangling symlink ? */ -+ ret = SMB_VFS_STAT(conn, smb_dname_full); -+ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { -+ /* -+ * Dangling symlink. -+ * Allow delete as "delete veto files = yes" -+ */ -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ continue; -+ } -+ -+ DBG_DEBUG("got symlink name %s - " -+ "can't delete directory %s\n", -+ dname, -+ fsp_str_dbg(fsp)); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ errno = ENOTEMPTY; -+ goto err; -+ } -+ - if(!IS_VETO_PATH(conn, dname)) { - /* - * We found a client visible name. -@@ -1029,12 +1125,15 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - "can't delete directory %s\n", - dname, - fsp_str_dbg(fsp)); -- TALLOC_FREE(dir_hnd); - TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); - errno = ENOTEMPTY; - goto err; - } - TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); - } - - /* Do a recursive delete. */ -@@ -1114,7 +1213,6 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - if (do_break) - break; - } -- TALLOC_FREE(dir_hnd); - /* Retry the rmdir */ - ret = SMB_VFS_UNLINKAT(conn, - conn->cwd_fsp, -@@ -1123,6 +1221,7 @@ static NTSTATUS rmdir_internals(TALLOC_CTX *ctx, files_struct *fsp) - - err: - -+ TALLOC_FREE(dir_hnd); - if (ret != 0) { - DEBUG(3,("rmdir_internals: couldn't remove directory %s : " - "%s\n", smb_fname_str_dbg(smb_dname), --- -2.33.1 - - -From 843fc3b857cdfd6c7e902acef933d17690815e7e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 25 Oct 2021 12:36:57 -0700 -Subject: [PATCH 6/7] s3: smbd: Fix logic in can_delete_directory_fsp() to cope - with dangling symlinks. - -Remove knownfail. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit e9ef970eee5eca8ab3720279c54098e91d2dfda9) -(backported from commit 5023dbc04bfad7cc39e8c4de96f40c82e7a0288e) -[pfilipen@redhat.com: can_delete_directory_fsp() got refactored in 4.15] ---- - selftest/knownfail.d/rmdir_dangle_symlink | 1 - - source3/smbd/dir.c | 97 +++++++++++++++++++++++ - 2 files changed, 97 insertions(+), 1 deletion(-) - delete mode 100644 selftest/knownfail.d/rmdir_dangle_symlink - -diff --git a/selftest/knownfail.d/rmdir_dangle_symlink b/selftest/knownfail.d/rmdir_dangle_symlink -deleted file mode 100644 -index c775dc5fe15..00000000000 ---- a/selftest/knownfail.d/rmdir_dangle_symlink -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.blackbox.test_dangle_rmdir.rmdir can delete directory containing dangling symlink\(fileserver\) -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index 545c7499f28..96edc8678e5 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1876,6 +1876,8 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) - char *talloced = NULL; - SMB_STRUCT_STAT st; - struct connection_struct *conn = fsp->conn; -+ struct smb_filename *smb_dname = fsp->fsp_name; -+ int ret; - struct smb_Dir *dir_hnd = OpenDir(talloc_tos(), - conn, - fsp->fsp_name, -@@ -1887,6 +1889,9 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) - } - - while ((dname = ReadDirName(dir_hnd, &dirpos, &st, &talloced))) { -+ struct smb_filename *smb_dname_full = NULL; -+ char *fullname = NULL; -+ - if (ISDOT(dname) || (ISDOTDOT(dname))) { - TALLOC_FREE(talloced); - continue; -@@ -1901,6 +1906,98 @@ NTSTATUS can_delete_directory_fsp(files_struct *fsp) - continue; - } - -+ fullname = talloc_asprintf(talloc_tos(), -+ "%s/%s", -+ smb_dname->base_name, -+ dname); -+ -+ if (fullname == NULL) { -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ smb_dname_full = synthetic_smb_fname(talloc_tos(), -+ fullname, -+ NULL, -+ NULL, -+ smb_dname->twrp, -+ smb_dname->flags); -+ if (smb_dname_full == NULL) { -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ ret = SMB_VFS_LSTAT(conn, smb_dname_full); -+ if (ret != 0) { -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ return map_nt_error_from_unix(errno); -+ } -+ -+ if (S_ISLNK(smb_dname_full->st.st_ex_mode)) { -+ /* Could it be an msdfs link ? */ -+ if (lp_host_msdfs() && -+ lp_msdfs_root(SNUM(conn))) { -+ struct smb_filename *smb_atname; -+ smb_atname = synthetic_smb_fname(talloc_tos(), -+ dname, -+ NULL, -+ &smb_dname_full->st, -+ fsp->fsp_name->twrp, -+ fsp->fsp_name->flags); -+ if (smb_atname == NULL) { -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ return NT_STATUS_NO_MEMORY; -+ } -+ if (is_msdfs_link(conn, smb_atname)) { -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ TALLOC_FREE(smb_atname); -+ DBG_DEBUG("got msdfs link name %s " -+ "- can't delete directory %s\n", -+ dname, -+ fsp_str_dbg(fsp)); -+ return NT_STATUS_DIRECTORY_NOT_EMPTY; -+ } -+ TALLOC_FREE(smb_atname); -+ } -+ -+ /* Not a DFS link - could it be a dangling symlink ? */ -+ ret = SMB_VFS_STAT(conn, smb_dname_full); -+ if (ret == -1 && (errno == ENOENT || errno == ELOOP)) { -+ /* -+ * Dangling symlink. -+ * Allow if "delete veto files = yes" -+ */ -+ if (lp_delete_veto_files(SNUM(conn))) { -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ continue; -+ } -+ } -+ -+ DBG_DEBUG("got symlink name %s - " -+ "can't delete directory %s\n", -+ dname, -+ fsp_str_dbg(fsp)); -+ TALLOC_FREE(dir_hnd); -+ TALLOC_FREE(talloced); -+ TALLOC_FREE(fullname); -+ TALLOC_FREE(smb_dname_full); -+ return NT_STATUS_DIRECTORY_NOT_EMPTY; -+ } -+ - DEBUG(10,("got name %s - can't delete\n", - dname )); - status = NT_STATUS_DIRECTORY_NOT_EMPTY; --- -2.33.1 - - -From 7189ea825d8c9e4777dba737227ead602ad9b651 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 25 Oct 2021 12:42:02 -0700 -Subject: [PATCH 7/7] s3: docs-xml: Clarify the "delete veto files" paramter. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14879 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Fri Oct 29 14:57:14 UTC 2021 on sn-devel-184 - -(cherry picked from commit 0b818c6b77e972626d0b071bebcf4ce55619fb84) -(cherry picked from commit a549dc219cba5bd61969e4919ae4142f52c133ea) ---- - docs-xml/smbdotconf/filename/deletevetofiles.xml | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/docs-xml/smbdotconf/filename/deletevetofiles.xml b/docs-xml/smbdotconf/filename/deletevetofiles.xml -index 581dc05396d..570d4ac60a0 100644 ---- a/docs-xml/smbdotconf/filename/deletevetofiles.xml -+++ b/docs-xml/smbdotconf/filename/deletevetofiles.xml -@@ -4,9 +4,12 @@ - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - - This option is used when Samba is attempting to -- delete a directory that contains one or more vetoed directories -- (see the -- option). If this option is set to no (the default) then if a vetoed -+ delete a directory that contains one or more vetoed files -+ or directories or non-visible files or directories (such -+ as dangling symlinks that point nowhere). -+ (see the , , -+ , -+ options). If this option is set to no (the default) then if a vetoed - directory contains any non-vetoed files or directories then the - directory delete will fail. This is usually what you want. - --- -2.33.1 - diff --git a/SOURCES/samba-4.14-fix-domain-join-segfault.patch b/SOURCES/samba-4.14-fix-domain-join-segfault.patch deleted file mode 100644 index 0521c27..0000000 --- a/SOURCES/samba-4.14-fix-domain-join-segfault.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0ef9fe22f56ef3ff202f88426c3ee48c15e4a71e Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Fri, 26 Nov 2021 11:59:45 +0100 -Subject: [PATCH] smbd: s3-dsgetdcname: handle num_ips == 0 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 - -Pair-Programmed-With: Stefan Metzmacher -Signed-off-by: Ralph Boehme -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 - -(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44) ---- - source3/libsmb/dsgetdcname.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c -index f8ae96109b71..5954e48d747b 100644 ---- a/source3/libsmb/dsgetdcname.c -+++ b/source3/libsmb/dsgetdcname.c -@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx, - for (i = 0; i < numdcs; i++) { - size_t j; - -+ if (dcs[i].num_ips == 0) { -+ continue; -+ } -+ - dclist[ret_count].hostname = - talloc_move(dclist, &dcs[i].hostname); - --- -2.33.1 - diff --git a/SOURCES/samba-4.14-fix-username-map-script.patch b/SOURCES/samba-4.14-fix-username-map-script.patch deleted file mode 100644 index 8d7dcc8..0000000 --- a/SOURCES/samba-4.14-fix-username-map-script.patch +++ /dev/null @@ -1,227 +0,0 @@ -From 0e179b5f06988c576a1fff505c06920d51fe8ed4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 12 Nov 2021 15:27:58 +0100 -Subject: [PATCH 1/3] CVE-2020-25727: idmap_nss: verify that the name of the - sid belongs to the configured domain - -We already check the sid belongs to the domain, but checking the name -too feels better and make it easier to understand. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5) ---- - source3/winbindd/idmap_nss.c | 26 +++++++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c -index da50e2b4aa7..2729a0de3f3 100644 ---- a/source3/winbindd/idmap_nss.c -+++ b/source3/winbindd/idmap_nss.c -@@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma - for (i = 0; ids[i]; i++) { - struct group *gr; - enum lsa_SidType type; -- const char *p = NULL; -+ const char *_domain = NULL; -+ const char *_name = NULL; -+ char *domain = NULL; - char *name = NULL; - bool ret; - - /* by default calls to winbindd are disabled - the following call will not recurse so this is safe */ - (void)winbind_on(); -- ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL, -- &p, &type); -+ ret = winbind_lookup_sid(talloc_tos(), -+ ids[i]->sid, -+ &_domain, -+ &_name, -+ &type); - (void)winbind_off(); -- name = discard_const_p(char, p); -- - if (!ret) { - /* TODO: how do we know if the name is really not mapped, - * or something just failed ? */ -@@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma - continue; - } - -+ domain = discard_const_p(char, _domain); -+ name = discard_const_p(char, _name); -+ -+ if (!strequal(domain, dom->name)) { -+ struct dom_sid_buf buf; -+ DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n", -+ dom->name, dom_sid_str_buf(ids[i]->sid, &buf), -+ sid_type_lookup(type), domain, name); -+ ids[i]->status = ID_UNMAPPED; -+ continue; -+ } -+ - switch (type) { - case SID_NAME_USER: { - struct passwd *pw; -@@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma - ids[i]->status = ID_UNKNOWN; - break; - } -+ TALLOC_FREE(domain); - TALLOC_FREE(name); - } - return NT_STATUS_OK; --- -2.34.1 - - -From 704ae4b8308e9ae6c50e3548f98de65e97ab6aa6 Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Fri, 12 Nov 2021 20:53:30 +1300 -Subject: [PATCH 2/3] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent - uid' to make room for new accounts - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 - -Signed-off-by: Joseph Sutton -Reviewed-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a) ---- - nsswitch/nsstest.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c -index e2ee9fbf3af..45270cdc459 100644 ---- a/nsswitch/nsstest.c -+++ b/nsswitch/nsstest.c -@@ -466,7 +466,7 @@ static void nss_test_errors(void) - printf("ERROR Non existent user gave error %d\n", last_error); - } - -- pwd = getpwuid(0xFFF0); -+ pwd = getpwuid(0xFF00); - if (pwd || last_error != NSS_STATUS_NOTFOUND) { - total_errors++; - printf("ERROR Non existent uid gave error %d\n", last_error); --- -2.34.1 - - -From 844723aa82cec67fd863fc327bde9fb04eab438d Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 12 Nov 2021 16:10:31 +1300 -Subject: [PATCH 3/3] CVE-2020-25717: s3:auth: Fallback to a SID/UID based - mapping if the named based lookup fails -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Before the CVE-2020-25717 fixes we had a fallback from -getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and -unpredictable. - -Now we do the fallback based on sid_to_uid() followed by -getpwuid() on the returned uid. - -This obsoletes 'username map [script]' based workaround adviced -for CVE-2020-25717, when nss_winbindd is not used or -idmap_nss is actually used. - -In future we may decide to prefer or only do the SID/UID based -lookup, but for now we want to keep this unchanged as much as possible. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andrew Bartlett -Signed-off-by: Stefan Metzmacher - -[metze@samba.org moved the new logic into the fallback codepath only - in order to avoid behavior changes as much as possible] -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184 - -(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e) ---- - source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++- - 1 file changed, 33 insertions(+), 1 deletion(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 065b525500f..7a97dd45f11 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1862,7 +1862,9 @@ const struct auth_session_info *get_session_info_system(void) - ***************************************************************************/ - - static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, -- const char *username, char **found_username, -+ const char *username, -+ const struct dom_sid *sid, -+ char **found_username, - struct passwd **pwd, - bool *username_was_mapped) - { -@@ -1897,6 +1899,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, - } - - passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); -+ if (!passwd && !*username_was_mapped) { -+ struct dom_sid_buf buf; -+ uid_t uid; -+ bool ok; -+ -+ DBG_DEBUG("Failed to find authenticated user %s via " -+ "getpwnam(), fallback to sid_to_uid(%s).\n", -+ dom_user, dom_sid_str_buf(sid, &buf)); -+ -+ ok = sid_to_uid(sid, &uid); -+ if (!ok) { -+ DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n", -+ dom_sid_str_buf(sid, &buf), dom_user); -+ return NT_STATUS_NO_SUCH_USER; -+ } -+ passwd = getpwuid_alloc(mem_ctx, uid); -+ if (!passwd) { -+ DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n", -+ (long long)uid, -+ dom_sid_str_buf(sid, &buf), -+ dom_user); -+ return NT_STATUS_NO_SUCH_USER; -+ } -+ real_username = talloc_strdup(mem_ctx, passwd->pw_name); -+ } - if (!passwd) { - DEBUG(3, ("Failed to find authenticated user %s via " - "getpwnam(), denying access.\n", dom_user)); -@@ -2042,6 +2069,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - bool username_was_mapped; - struct passwd *pwd; - struct auth_serversupplied_info *result; -+ struct dom_sid sid; - TALLOC_CTX *tmp_ctx = talloc_stackframe(); - - /* -@@ -2088,9 +2116,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, - - /* this call will try to create the user if necessary */ - -+ sid_copy(&sid, info3->base.domain_sid); -+ sid_append_rid(&sid, info3->base.rid); -+ - nt_status = check_account(tmp_ctx, - nt_domain, - nt_username, -+ &sid, - &found_username, - &pwd, - &username_was_mapped); --- -2.34.1 - diff --git a/SOURCES/samba-4.14-fix-winbind-no-trusted-domain.patch b/SOURCES/samba-4.14-fix-winbind-no-trusted-domain.patch deleted file mode 100644 index 4924872..0000000 --- a/SOURCES/samba-4.14-fix-winbind-no-trusted-domain.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 9 Nov 2021 20:50:20 +0100 -Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression - -add_trusted_domain() should only reject domains -based on is_allowed_domain(), which now also -checks "allow trusted domains = no", if we don't -have an explicit trust to the domain (SEC_CHAN_NULL). - -We use at least SEC_CHAN_LOCAL for local domains like -BUILTIN. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 - -Signed-off-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 - -(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) ---- - source3/winbindd/winbindd_util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index 42ddbfd2f44..9d54e462c42 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, - return NT_STATUS_INVALID_PARAMETER; - } - -- if (!is_allowed_domain(domain_name)) { -+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { - return NT_STATUS_NO_SUCH_DOMAIN; - } - --- -2.33.1 - diff --git a/SOURCES/samba-4.14-krb5pac.patch b/SOURCES/samba-4.14-krb5pac.patch deleted file mode 100644 index ff3e1ca..0000000 --- a/SOURCES/samba-4.14-krb5pac.patch +++ /dev/null @@ -1,298 +0,0 @@ -From 97829843013e2f0d81b6ed61d155a04217e40205 Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Wed, 1 Sep 2021 15:39:19 +1200 -Subject: [PATCH 1/6] krb5pac.idl: Add ticket checksum PAC buffer type - -Signed-off-by: Joseph Sutton -Reviewed-by: Andrew Bartlett -Reviewed-by: Isaac Boukris -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 -(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce) ---- - librpc/idl/krb5pac.idl | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl -index fb360c1257f..3239d7656b6 100644 ---- a/librpc/idl/krb5pac.idl -+++ b/librpc/idl/krb5pac.idl -@@ -112,7 +112,8 @@ interface krb5pac - PAC_TYPE_KDC_CHECKSUM = 7, - PAC_TYPE_LOGON_NAME = 10, - PAC_TYPE_CONSTRAINED_DELEGATION = 11, -- PAC_TYPE_UPN_DNS_INFO = 12 -+ PAC_TYPE_UPN_DNS_INFO = 12, -+ PAC_TYPE_TICKET_CHECKSUM = 16 - } PAC_TYPE; - - typedef struct { -@@ -128,6 +129,7 @@ interface krb5pac - [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)] - PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; - [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; -+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; - /* when new PAC info types are added they are supposed to be done - in such a way that they are backwards compatible with existing - servers. This makes it safe to just use a [default] for --- -2.33.1 - - -From 99cc0e06e5fe2776371b808432af39de00f76cdf Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Wed, 1 Sep 2021 15:40:59 +1200 -Subject: [PATCH 2/6] security.idl: Add well-known SIDs for FAST - -Signed-off-by: Joseph Sutton -Reviewed-by: Andrew Bartlett -Reviewed-by: Isaac Boukris -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 -(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12) ---- - librpc/idl/security.idl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl -index 06bf7449a70..3df96dedbdd 100644 ---- a/librpc/idl/security.idl -+++ b/librpc/idl/security.idl -@@ -295,6 +295,9 @@ interface security - const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; - const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; - -+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; -+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; -+ - /* - * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx - */ --- -2.33.1 - - -From 693bcdb2f9b64af390d619c9b39293c581900151 Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Wed, 29 Sep 2021 16:15:26 +1300 -Subject: [PATCH 3/6] krb5pac.idl: Add missing buffer type values - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 - -Signed-off-by: Joseph Sutton -Reviewed-by: Andrew Bartlett -Backported-by: Andreas Schneider ---- - librpc/idl/krb5pac.idl | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl -index 3239d7656b6..515150ab9cd 100644 ---- a/librpc/idl/krb5pac.idl -+++ b/librpc/idl/krb5pac.idl -@@ -113,6 +113,9 @@ interface krb5pac - PAC_TYPE_LOGON_NAME = 10, - PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UPN_DNS_INFO = 12, -+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13, -+ PAC_TYPE_DEVICE_INFO = 14, -+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15, - PAC_TYPE_TICKET_CHECKSUM = 16 - } PAC_TYPE; - --- -2.33.1 - - -From 97323751c1b6b97e72eb80b8b99485d94696b30b Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Tue, 26 Oct 2021 20:33:38 +1300 -Subject: [PATCH 4/6] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC - buffer type - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 - -Signed-off-by: Joseph Sutton -Reviewed-by: Andrew Bartlett ---- - librpc/idl/krb5pac.idl | 14 +++++++++++++- - 1 file changed, 13 insertions(+), 1 deletion(-) - -diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl -index 515150ab9cd..7a8d16464eb 100644 ---- a/librpc/idl/krb5pac.idl -+++ b/librpc/idl/krb5pac.idl -@@ -97,6 +97,16 @@ interface krb5pac - PAC_UPN_DNS_FLAGS flags; - } PAC_UPN_DNS_INFO; - -+ typedef [bitmap32bit] bitmap { -+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001, -+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002 -+ } PAC_ATTRIBUTE_INFO_FLAGS; -+ -+ typedef struct { -+ uint32 flags_length; /* length in bits */ -+ PAC_ATTRIBUTE_INFO_FLAGS flags; -+ } PAC_ATTRIBUTES_INFO; -+ - typedef [public] struct { - PAC_LOGON_INFO *info; - } PAC_LOGON_INFO_CTR; -@@ -116,7 +126,8 @@ interface krb5pac - PAC_TYPE_CLIENT_CLAIMS_INFO = 13, - PAC_TYPE_DEVICE_INFO = 14, - PAC_TYPE_DEVICE_CLAIMS_INFO = 15, -- PAC_TYPE_TICKET_CHECKSUM = 16 -+ PAC_TYPE_TICKET_CHECKSUM = 16, -+ PAC_TYPE_ATTRIBUTES_INFO = 17 - } PAC_TYPE; - - typedef struct { -@@ -133,6 +144,7 @@ interface krb5pac - PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; - [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; - [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; -+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info; - /* when new PAC info types are added they are supposed to be done - in such a way that they are backwards compatible with existing - servers. This makes it safe to just use a [default] for --- -2.33.1 - - -From 9867beabf3b0be026d900e26ac91af655fb50cfe Mon Sep 17 00:00:00 2001 -From: Joseph Sutton -Date: Tue, 26 Oct 2021 20:33:49 +1300 -Subject: [PATCH 5/6] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC - buffer type - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 - -Signed-off-by: Joseph Sutton -Reviewed-by: Andrew Bartlett ---- - librpc/idl/krb5pac.idl | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl -index 7a8d16464eb..52fb40c4bbb 100644 ---- a/librpc/idl/krb5pac.idl -+++ b/librpc/idl/krb5pac.idl -@@ -107,6 +107,10 @@ interface krb5pac - PAC_ATTRIBUTE_INFO_FLAGS flags; - } PAC_ATTRIBUTES_INFO; - -+ typedef struct { -+ dom_sid sid; -+ } PAC_REQUESTER_SID; -+ - typedef [public] struct { - PAC_LOGON_INFO *info; - } PAC_LOGON_INFO_CTR; -@@ -127,7 +131,8 @@ interface krb5pac - PAC_TYPE_DEVICE_INFO = 14, - PAC_TYPE_DEVICE_CLAIMS_INFO = 15, - PAC_TYPE_TICKET_CHECKSUM = 16, -- PAC_TYPE_ATTRIBUTES_INFO = 17 -+ PAC_TYPE_ATTRIBUTES_INFO = 17, -+ PAC_TYPE_REQUESTER_SID = 18 - } PAC_TYPE; - - typedef struct { -@@ -145,6 +150,7 @@ interface krb5pac - [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; - [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; - [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info; -+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid; - /* when new PAC info types are added they are supposed to be done - in such a way that they are backwards compatible with existing - servers. This makes it safe to just use a [default] for --- -2.33.1 - - -From fb92457cfd11745be73660eb90519b625f6a5d97 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Mon, 27 Sep 2021 11:20:19 +1300 -Subject: [PATCH 6/6] CVE-2020-25721 krb5pac: Add new buffers for - samAccountName and objectSID - -These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835 - -Signed-off-by: Andrew Bartlett -Reviewed-by: Joseph Sutton ---- - librpc/idl/krb5pac.idl | 18 ++++++++++++++++-- - librpc/ndr/ndr_krb5pac.c | 4 ++-- - 2 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl -index 52fb40c4bbb..bbe4a253e3a 100644 ---- a/librpc/idl/krb5pac.idl -+++ b/librpc/idl/krb5pac.idl -@@ -86,15 +86,29 @@ interface krb5pac - } PAC_CONSTRAINED_DELEGATION; - - typedef [bitmap32bit] bitmap { -- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001 -+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001, -+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002 - } PAC_UPN_DNS_FLAGS; - -+ typedef struct { -+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size; -+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname; -+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size; -+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid; -+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID; -+ -+ typedef [nodiscriminant] union { -+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid; -+ [default]; -+ } PAC_UPN_DNS_INFO_EX; -+ - typedef struct { - [value(2*strlen_m(upn_name))] uint16 upn_name_size; - [relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name; - [value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size; - [relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name; - PAC_UPN_DNS_FLAGS flags; -+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex; - } PAC_UPN_DNS_INFO; - - typedef [bitmap32bit] bitmap { -@@ -160,7 +174,7 @@ interface krb5pac - - typedef [public,nopush,nopull] struct { - PAC_TYPE type; -- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size; -+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size; - /* - * We need to have two subcontexts to get the padding right, - * the outer subcontext uses NDR_ROUND(_ndr_size, 8), while -diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c -index a9ae2c4a789..57b28df9e52 100644 ---- a/librpc/ndr/ndr_krb5pac.c -+++ b/librpc/ndr/ndr_krb5pac.c -@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const - if (ndr_flags & NDR_SCALARS) { - NDR_CHECK(ndr_push_align(ndr, 4)); - NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type)); -- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0))); -+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8))); - { - uint32_t _flags_save_PAC_INFO = ndr->flags; - ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8); -@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const - { - struct ndr_push *_ndr_info_pad; - struct ndr_push *_ndr_info; -- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0); -+ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8); - NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8))); - NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); - NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); --- -2.33.1 - diff --git a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch b/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch deleted file mode 100644 index de8d813..0000000 --- a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4b192aaf503ea7f5eba27b6e43edcfe54ac6c5a6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 26 May 2021 15:04:08 +0200 -Subject: [PATCH] s3:modules: Reduce debug level if file doesn't exists on dfs - share - -There is software out there trying to open desktop.ini in every -directory. Avoid spamming the logs with error messages. - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Fri Jun 18 18:14:11 UTC 2021 on sn-devel-184 - -(cherry picked from commit 4079efae76718a84a4cf24b6613cdc53cdb2dd39) ---- - source3/modules/vfs_default.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index 8d592bbad64..ea036b24ddf 100644 ---- a/source3/modules/vfs_default.c -+++ b/source3/modules/vfs_default.c -@@ -476,10 +476,17 @@ static NTSTATUS vfswrap_read_dfs_pathat(struct vfs_handle_struct *handle, - status = NT_STATUS_OBJECT_TYPE_MISMATCH; - } else { - status = map_nt_error_from_unix(errno); -- DBG_ERR("Error reading " -- "msdfs link %s: %s\n", -- smb_fname->base_name, -- strerror(errno)); -+ if (errno == ENOENT) { -+ DBG_NOTICE("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } else { -+ DBG_ERR("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } - } - goto err; - } --- -2.31.1 - diff --git a/SOURCES/samba-4.14-recursive-delete-of-veto-files.patch b/SOURCES/samba-4.14-recursive-delete-of-veto-files.patch deleted file mode 100644 index 62525e7..0000000 --- a/SOURCES/samba-4.14-recursive-delete-of-veto-files.patch +++ /dev/null @@ -1,295 +0,0 @@ -From 505e48439364c4027aa11aeda467bbd2060b89f4 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 21 Oct 2021 15:06:20 -0700 -Subject: [PATCH] s3: smbd: Add two tests showing recursive directory delete of - a directory containing veto file and msdfs links over SMB2. - -Add knownfail. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit ad0082d79a681b981154747dcde5713e1933b88f) -(cherry picked from commit dab3fa1d8c27e696afa15e071331f646e06d9706) ---- - selftest/target/Samba3.pm | 16 ++ - source3/script/tests/test_veto_rmdir.sh | 217 ++++++++++++++++++++++++ - source3/selftest/tests.py | 3 + - 3 files changed, 236 insertions(+) - create mode 100755 source3/script/tests/test_veto_rmdir.sh - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 14a1f1223b1..bbff9d74817 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1460,6 +1460,9 @@ sub setup_fileserver - my $bad_iconv_sharedir="$share_dir/bad_iconv"; - push(@dirs, $bad_iconv_sharedir); - -+ my $veto_sharedir="$share_dir/veto"; -+ push(@dirs,$veto_sharedir); -+ - my $ip4 = Samba::get_ipv4_addr("FILESERVER"); - my $fileserver_options = " - kernel change notify = yes -@@ -1568,6 +1571,19 @@ sub setup_fileserver - comment = smb username is [%U] - vfs objects = - -+[veto_files_nodelete] -+ path = $veto_sharedir -+ read only = no -+ msdfs root = yes -+ veto files = /veto_name*/ -+ delete veto files = no -+ -+[veto_files_delete] -+ path = $veto_sharedir -+ msdfs root = yes -+ veto files = /veto_name*/ -+ delete veto files = yes -+ - [homes] - comment = Home directories - browseable = No -diff --git a/source3/script/tests/test_veto_rmdir.sh b/source3/script/tests/test_veto_rmdir.sh -new file mode 100755 -index 00000000000..d3df8f1bba0 ---- /dev/null -+++ b/source3/script/tests/test_veto_rmdir.sh -@@ -0,0 +1,217 @@ -+#!/bin/sh -+# -+# Check smbclient can (or cannot) delete a directory containing veto files. -+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878 -+# -+ -+if [ $# -lt 6 ]; then -+cat < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < "$tmpfile" < +Date: Tue, 27 Apr 2021 15:46:14 +1000 +Subject: [PATCH] utils: Use Python 3 + +Due to the number of flake8 and pylint warnings it is unclear if the +source has Python 3 incompatibilities. These will be cleaned up in +subsequent commits. + +Signed-off-by: "L.P.H. van Belle" +Reviewed-by: Martin Schwenke +Reviewed-by: David Disseldorp +Reviewed-by: Jose A. Rivera +--- + ctdb/utils/etcd/ctdb_etcd_lock | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock +index 000c6bb7208..7f5194eff0a 100755 +--- a/ctdb/utils/etcd/ctdb_etcd_lock ++++ b/ctdb/utils/etcd/ctdb_etcd_lock +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/env python3 + # + # This program is free software: you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by +-- +2.31.1 + diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch new file mode 100644 index 0000000..d80e85b --- /dev/null +++ b/SOURCES/samba-disable-ntlmssp.patch @@ -0,0 +1,764 @@ +From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 10 Dec 2021 16:08:04 +0100 +Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) +--- + source3/utils/net_ads.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 6ab4a0096b1..8f993f9ba4c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, + char *cp; + const char *realm = NULL; + bool tried_closest_dc = false; ++ enum credentials_use_kerberos krb5_state = ++ CRED_USE_KERBEROS_DISABLED; + + /* lp_realm() should be handled by a command line param, + However, the join requires that realm be set in smb.conf +@@ -650,10 +652,28 @@ retry: + ads->auth.password = smb_xstrdup(c->opt_password); + } + +- ads->auth.flags |= auth_flags; + SAFE_FREE(ads->auth.user_name); + ads->auth.user_name = smb_xstrdup(c->opt_user_name); + ++ ads->auth.flags |= auth_flags; ++ ++ /* The ADS code will handle FIPS mode */ ++ krb5_state = cli_credentials_get_kerberos_state(c->creds); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } ++ + /* + * If the username is of the form "name@realm", + * extract the realm and convert to upper case. +-- +2.33.1 + + +From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 8 Dec 2021 16:05:17 +0100 +Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 60fa2bf80cb..b91e2d15bcf 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -1,18 +1,18 @@ +-/* ++/* + Unix SMB/CIFS implementation. + ads sasl code + Copyright (C) Andrew Tridgell 2001 +- ++ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. +- ++ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. +- ++ + You should have received a copy of the GNU General Public License + along with this program. If not, see . + */ +@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { + .disconnect = ads_sasl_gensec_disconnect + }; + +-/* ++/* + perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can + we fit on one socket??) + */ +@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, + + #endif /* HAVE_KRB5 */ + +-/* ++/* + this performs a SASL/SPNEGO bind + */ + static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) +@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + file_save("sasl_spnego.dat", blob.data, blob.length); + #endif + +- /* the server sent us the first part of the SPNEGO exchange in the negprot ++ /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || + OIDs[0] == NULL) { +@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + #ifdef HAVE_KRB5 + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && +- got_kerberos_mechanism) ++ got_kerberos_mechanism) + { + mech = "KRB5"; + +@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + "calling kinit\n", ads_errstr(status))); + } + +- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); ++ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + } + + /* only fallback to NTLMSSP if allowed */ +- if (ADS_ERR_OK(status) || ++ if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { + goto done; + } +@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + #endif + + /* lets do NTLMSSP ... this has the big advantage that we don't need +- to sync clocks, and we don't rely on special versions of the krb5 ++ to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +-- +2.33.1 + + +From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 9 Dec 2021 13:43:08 +0100 +Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) +--- + source3/libads/sasl.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index b91e2d15bcf..992f7022a69 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " + "for %s/%s with user[%s] realm[%s]: %s, " +- "fallback to NTLMSSP\n", ++ "try to fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; ++ ++ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { ++ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" ++ " disallowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_DISABLED, + p.service, p.hostname, +-- +2.33.1 + + +From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 7 Jan 2022 10:31:19 +0100 +Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 992f7022a69..ea98aa47ecd 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + p.service, p.hostname, + blob); + if (!ADS_ERR_OK(status)) { +- DEBUG(0,("kinit succeeded but " +- "ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s\n", ++ DBG_ERR("kinit succeeded but " ++ "SPNEGO bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +- ads_errstr(status))); ++ ads_errstr(status)); + } + } + +@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + goto done; + } + +- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s, " +- "try to fallback to NTLMSSP\n", +- p.service, p.hostname, +- ads->auth.user_name, +- ads->auth.realm, +- ads_errstr(status))); ++ DBG_WARNING("SASL bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s, " ++ "try to fallback to NTLMSSP\n", ++ p.service, p.hostname, ++ ads->auth.user_name, ++ ads->auth.realm, ++ ads_errstr(status)); + } + #endif + +-- +2.33.1 + + +From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 11:13:06 +0100 +Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds + without kerberos) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) +--- + source3/libads/sasl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index ea98aa47ecd..1bcfe0490a8 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + ++ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { ++ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" + " disallowed.\n"); +-- +2.33.1 + + +From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 15:33:46 +0100 +Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) +--- + .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ + 1 file changed, 41 insertions(+) + create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh + +diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +new file mode 100755 +index 00000000000..2822ab29d14 +--- /dev/null ++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# Blackbox tests for diabing NTLMSSP for ldap clinet connections ++# Copyright (c) 2022 Pavel Filipenský ++ ++if [ $# -lt 2 ]; then ++cat <&1 || failed=`expr $failed + 1` ++ ++# We should be allowed to use NTLM for connecting ++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++GNUTLS_FORCE_FIPS_MODE=1 ++export GNUTLS_FORCE_FIPS_MODE ++ ++# Checks that testparm reports: Weak crypto is disallowed ++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` ++ ++# We should not be allowed to use NTLM for connecting ++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++unset GNUTLS_FORCE_FIPS_MODE ++ ++exit $failed +-- +2.33.1 + + +From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 4 Jan 2022 12:00:20 +0100 +Subject: [PATCH 07/10] s4:selftest: plan test suite + samba4.blackbox.test_weak_disable_ntlmssp_ldap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) +--- + source4/selftest/tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index 1e4b2ae6dd3..3a6a716f061 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo + + if have_gnutls_fips_mode_support: + plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) ++ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) + + for env in ["ad_dc_fips", "ad_member_fips"]: + plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) +-- +2.33.1 + + +From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:47:38 +0100 +Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) +--- + source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 948c903f165..e415df347e6 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user_list: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * According to Section 5.1(4) of RFC 2251 if a value of a type is it's + * default value, it MUST be absent. In case of extensible matching the + * "dnattr" boolean defaults to FALSE and so it must be only be present +- * when set to TRUE. ++ * when set to TRUE. + * + * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a + * filter using bitwise matching rule then the buggy AD fails to decode +@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * + * Thanks to Ralf Haferkamp for input and testing - Guenther */ + +- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", ++ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", + ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, +- ADS_LDAP_MATCHING_RULE_BIT_AND, ++ ADS_LDAP_MATCHING_RULE_BIT_AND, + enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); + + if (filter == NULL) { +@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); + + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + struct wb_acct_info **info) + { + /* +- * This is a stub function only as we returned the domain ++ * This is a stub function only as we returned the domain + * local groups in enum_dom_groups() if the domain->native field + * was true. This is a simple performance optimization when + * using LDAP. + * +- * if we ever need to enumerate domain local groups separately, ++ * if we ever need to enumerate domain local groups separately, + * then this optimization in enum_dom_groups() will need + * to be split out + */ +@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, + tokenGroups are not available. */ + static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, +- const char *user_dn, ++ const char *user_dn, + struct dom_sid *primary_group, + uint32_t *p_num_groups, struct dom_sid **user_sids) + { +@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + if (count != 1) { + status = NT_STATUS_UNSUCCESSFUL; + DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " +- "invalid number of results (count=%d)\n", ++ "invalid number of results (count=%d)\n", + dom_sid_str_buf(sid, &buf), + count)); + goto done; + } + + if (!msg) { +- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", ++ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", + dom_sid_str_buf(sid, &buf))); + status = NT_STATUS_UNSUCCESSFUL; + goto done; +@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + } + + if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { +- DEBUG(1,("%s: No primary group for sid=%s !?\n", ++ DEBUG(1,("%s: No primary group for sid=%s !?\n", + domain->name, + dom_sid_str_buf(sid, &buf))); + goto done; +@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + + count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); + +- /* there must always be at least one group in the token, ++ /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ + + /* actually this only happens when the machine account has no read +@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + /* lookup what groups this user is a member of by DN search on + * "member" */ + +- status = lookup_usergroups_member(domain, mem_ctx, user_dn, ++ status = lookup_usergroups_member(domain, mem_ctx, user_dn, + &primary_group, + &num_groups, user_sids); + *p_num_groups = num_groups; +@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " + "not map any SIDs at all.\n")); + /* Don't handle this as an error here. +- * There is nothing left to do with respect to the ++ * There is nothing left to do with respect to the + * overall result... */ + } + else if (!NT_STATUS_IS_OK(status)) { +@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, + NETR_TRUST_FLAG_IN_FOREST; + } else { + flags = NETR_TRUST_FLAG_IN_FOREST; +- } ++ } + + result = cm_connect_netlogon(domain, &cli); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(5, ("trusted_domains: Could not open a connection to %s " +- "for PIPE_NETLOGON (%s)\n", ++ "for PIPE_NETLOGON (%s)\n", + domain->name, nt_errstr(result))); + return NT_STATUS_UNSUCCESSFUL; + } +-- +2.33.1 + + +From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:44:54 +0100 +Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) +--- + source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index e415df347e6..6f01ef6e334 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -34,6 +34,7 @@ + #include "../libds/common/flag_mapping.h" + #include "libsmb/samlogon_cache.h" + #include "passdb.h" ++#include "auth/credentials/credentials.h" + + #ifdef HAVE_ADS + +@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ADS_STATUS status; + struct sockaddr_storage dc_ss; + fstring dc_name; ++ enum credentials_use_kerberos krb5_state; + + if (auth_realm == NULL) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); +@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ads->auth.renewable = renewable; + ads->auth.password = password; + +- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + ads->auth.realm = SMB_STRDUP(auth_realm); + if (!strupper_m(ads->auth.realm)) { +-- +2.33.1 + + +From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 21 Jan 2022 12:01:33 +0100 +Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 + +(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) +--- + source3/libnet/libnet_join.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 02705f1c70c..4c67e9af5c4 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + ADS_STATUS status; + ADS_STRUCT *my_ads = NULL; + char *cp; ++ enum credentials_use_kerberos krb5_state; + + my_ads = ads_init(dns_domain_name, + netbios_domain_name, +@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + +- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + if (user_name) { + SAFE_FREE(my_ads->auth.user_name); +-- +2.33.1 + diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch new file mode 100644 index 0000000..9e57630 --- /dev/null +++ b/SOURCES/samba-disable-systemd-notifications.patch @@ -0,0 +1,36 @@ +From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 +From: "FeRD (Frank Dana)" +Date: Mon, 24 Jan 2022 22:14:31 -0500 +Subject: [PATCH] printing/bgqd: Disable systemd notifications + +samba-bgqd daemon is started by existing Samba daemons. When running +under systemd, those daemons control systemd notifications and +samba-bgqd messages need to be silenced. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 + +Signed-off-by: FeRD (Frank Dana) +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) +--- + source3/printing/samba-bgqd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c +index f21327fc622..59ed0cc40db 100644 +--- a/source3/printing/samba-bgqd.c ++++ b/source3/printing/samba-bgqd.c +@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) + + log_stdout = (debug_get_log_type() == DEBUG_STDOUT); + ++ /* main process will notify systemd */ ++ daemon_sd_notifications(false); ++ + if (!cmdline_daemon_cfg->fork) { + daemon_status(progname, "Starting process ... "); + } else { +-- +2.34.1 + diff --git a/SOURCES/samba-glibc-dns.patch b/SOURCES/samba-glibc-dns.patch new file mode 100644 index 0000000..c01d481 --- /dev/null +++ b/SOURCES/samba-glibc-dns.patch @@ -0,0 +1,64 @@ +From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 7 Oct 2021 15:55:37 +0200 +Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34 + +With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper +anymore. The res_* symbols have been moved from libresolv to libc. We are not +able to intercept any traffic inside of libc. + +Signed-off-by: Andreas Schneider +Reviewed-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + selftest/wscript | 2 +- + third_party/resolv_wrapper/wscript | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/selftest/wscript b/selftest/wscript +index a6be06c2ae9..85d9338489a 100644 +--- a/selftest/wscript ++++ b/selftest/wscript +@@ -252,7 +252,7 @@ def cmd_testonly(opt): + if os.environ.get('USE_NAMESPACES') is None: + env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') + +- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'): ++ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): + env.OPTIONS += " --use-dns-faking" + + if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): +diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript +index a7f18389b0f..7e369bd90b5 100644 +--- a/third_party/resolv_wrapper/wscript ++++ b/third_party/resolv_wrapper/wscript +@@ -1,6 +1,7 @@ + #!/usr/bin/env python + + import os ++from waflib import Logs + + VERSION="1.1.7" + +@@ -49,6 +50,18 @@ def configure(conf): + if conf.CONFIG_SET('HAVE_RES_NCLOSE'): + conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1) + ++ # If we find res_nquery in libc, we can't do resolv.conf redirect ++ conf.CHECK_FUNCS('res_nquery __res_nquery') ++ if (conf.CONFIG_SET('HAVE_RES_NQUERY') ++ or conf.CONFIG_SET('HAVE___RES_NQUERY')): ++ Logs.warn("Detection for resolv_wrapper: " ++ "Only dns faking will be available") ++ else: ++ if conf.CHECK_FUNCS('res_nquery', lib='resolv'): ++ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) ++ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'): ++ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) ++ + conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True) + conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True) + conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True) +-- +2.33.1 + diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch new file mode 100644 index 0000000..5dee86c --- /dev/null +++ b/SOURCES/samba-password-change-prompt.patch @@ -0,0 +1,100 @@ +From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 17 Nov 2021 09:56:09 +0100 +Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to + off). + +This change disables the prompt for the change of an expired password by +default (using the PAM_RADIO_TYPE mechanism if present). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) +--- + docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ + nsswitch/pam_winbind.c | 12 ++++++++++-- + nsswitch/pam_winbind.h | 1 + + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml +index 0bc288f91a1..bae9298fc32 100644 +--- a/docs-xml/manpages/pam_winbind.conf.5.xml ++++ b/docs-xml/manpages/pam_winbind.conf.5.xml +@@ -194,6 +194,13 @@ + + + ++ ++ pwd_change_prompt = yes|no ++ ++ Generate prompt for changing an expired password. Defaults to "no". ++ ++ ++ + + + +diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c +index 720a4b90d85..06098dd07d8 100644 +--- a/nsswitch/pam_winbind.c ++++ b/nsswitch/pam_winbind.c +@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, + ctrl |= WINBIND_MKHOMEDIR; + } + ++ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; ++ } ++ + config_from_pam: + /* step through arguments */ + for (i=argc,v=argv; i-- > 0; ++v) { +@@ -522,6 +526,8 @@ config_from_pam: + else if (!strncasecmp(*v, "warn_pwd_expire", + strlen("warn_pwd_expire"))) + ctrl |= WINBIND_WARN_PWD_EXPIRE; ++ else if (!strcasecmp(*v, "pwd_change_prompt")) ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; + else if (type != PAM_WINBIND_CLEANUP) { + __pam_log(pamh, ctrl, LOG_ERR, + "pam_parse: unknown option: %s", *v); +@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h +index c6786d65a4d..2f4a25729bd 100644 +--- a/nsswitch/pam_winbind.h ++++ b/nsswitch/pam_winbind.h +@@ -157,6 +157,7 @@ do { \ + #define WINBIND_WARN_PWD_EXPIRE 0x00002000 + #define WINBIND_MKHOMEDIR 0x00004000 + #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 ++#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 + + #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) + #define _(string) dgettext(MODULE_NAME, string) +-- +2.35.1 + diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch new file mode 100644 index 0000000..d1a6b6a --- /dev/null +++ b/SOURCES/samba-printing-win7.patch @@ -0,0 +1,229 @@ +From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 22 Jan 2022 01:08:26 +0100 +Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls + +This is important for the source3/rpc_server code as it might +be called embedded in smbd and may not run as root with access +to our private tdb/ldb files. + +Note this is only really needed for 4.15 and older, as +we no longer run the rpc_server embedded in smbd, +but we better be consistent for now. + +This should be able to fix the problem the printing no longer works +on Windows 7 with 2021-10 monthly rollup patch (KB5006743). + +Windows uses NTLMSSP with privacy at the DCERPC layer on top +of NCACN_NP (smb). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) +--- + librpc/rpc/dcesrv_auth.c | 5 +++++ + librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ + librpc/rpc/dcesrv_core.h | 2 ++ + source3/rpc_server/rpc_config.c | 2 ++ + source4/rpc_server/service_rpc.c | 10 ++++++++++ + 5 files changed, 37 insertions(+) + +diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c +index fec8df513a83..99d8e0162160 100644 +--- a/librpc/rpc/dcesrv_auth.c ++++ b/librpc/rpc/dcesrv_auth.c +@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) + auth->auth_level = call->in_auth_info.auth_level; + auth->auth_context_id = call->in_auth_info.auth_context_id; + ++ cb->auth.become_root(); + status = cb->auth.gensec_prepare( + auth, + call, + &auth->gensec_security, + cb->auth.private_data); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", + nt_errstr(status))); +@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) + NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + { + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + const char *pdu = ""; + + switch (call->pkt.ptype) { +@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + return status; + } + ++ cb->auth.become_root(); + status = gensec_session_info(auth->gensec_security, + auth, + &auth->session_info); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", + nt_errstr(status))); +diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c +index d16159b0b6cd..ea91fc689b4a 100644 +--- a/librpc/rpc/dcesrv_core.c ++++ b/librpc/rpc/dcesrv_core.c +@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + struct dcerpc_binding *ep_2nd_description = NULL; + const char *endpoint = NULL; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct dcerpc_ack_ctx *ack_features = NULL; + struct tevent_req *subreq = NULL; +@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + { + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct tevent_req *subreq = NULL; + NTSTATUS status; + +@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + return NT_STATUS_OK; + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + struct ncacn_packet *pkt = &call->ack_pkt; + uint32_t extra_flags = 0; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct tevent_req *subreq = NULL; + size_t i; +@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h +index d8d5f9030959..0538442e0ce6 100644 +--- a/librpc/rpc/dcesrv_core.h ++++ b/librpc/rpc/dcesrv_core.h +@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { + struct gensec_security **out, + void *private_data); + void *private_data; ++ void (*become_root)(void); ++ void (*unbecome_root)(void); + } auth; + struct { + NTSTATUS (*find)( +diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c +index 2f1a01da1c0b..289c4f398409 100644 +--- a/source3/rpc_server/rpc_config.c ++++ b/source3/rpc_server/rpc_config.c +@@ -31,6 +31,8 @@ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = dcesrv_log_successful_authz, + .auth.gensec_prepare = dcesrv_auth_gensec_prepare, ++ .auth.become_root = become_root, ++ .auth.unbecome_root = unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c +index d8c6746d7815..ebb50f8a7ef3 100644 +--- a/source4/rpc_server/service_rpc.c ++++ b/source4/rpc_server/service_rpc.c +@@ -40,9 +40,19 @@ + #include "../libcli/named_pipe_auth/npa_tstream.h" + #include "samba/process_model.h" + ++static void skip_become_root(void) ++{ ++} ++ ++static void skip_unbecome_root(void) ++{ ++} ++ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = log_successful_dcesrv_authz_event, + .auth.gensec_prepare = dcesrv_gensec_prepare, ++ .auth.become_root = skip_become_root, ++ .auth.unbecome_root = skip_unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +-- +2.25.1 + diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch new file mode 100644 index 0000000..8e84d96 --- /dev/null +++ b/SOURCES/samba-s4u.patch @@ -0,0 +1,697 @@ +From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:25:03 +0300 +Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ + source4/kdc/mit_samba.c | 47 ++------- + source4/kdc/mit_samba.h | 6 +- + 3 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c +index f35210669c2..b1c7c5dcc5e 100644 +--- a/source4/kdc/mit-kdb/kdb_samba_policies.c ++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c +@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, +- krb5_pac *pac) ++ krb5_pac *out_pac) + { + struct mit_samba_context *mit_ctx; + krb5_authdata **authdata = NULL; +- krb5_pac ipac = NULL; +- DATA_BLOB logon_data = { NULL, 0 }; ++ krb5_keyblock *header_server_key = NULL; ++ krb5_key_data *impersonator_kd = NULL; ++ krb5_keyblock impersonator_key = {0}; + krb5_error_code code; ++ krb5_pac pac; ++ ++ *out_pac = NULL; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { +@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = krb5_pac_parse(context, + authdata[0]->contents, + authdata[0]->length, +- &ipac); ++ &pac); + if (code != 0) { + goto done; + } + +- /* TODO: verify this is correct +- * +- * In the constrained delegation case, the PAC is from a service +- * ticket rather than a TGT; we must verify the server and KDC +- * signatures to assert that the server did not forge the PAC. ++ /* ++ * For constrained delegation in MIT version < 1.18 we aren't provided ++ * with the 2nd ticket server key to verify the PAC. ++ * We can workaround that by fetching the key from the client db entry, ++ * which is the impersonator account in that version. ++ * TODO: use the provided entry in the new 1.18 version. + */ + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- server_key, +- krbtgt_key); ++ /* The impersonator must be local. */ ++ if (client == NULL) { ++ code = KRB5KDC_ERR_BADOPTION; ++ goto done; ++ } ++ /* Fetch and decrypt 2nd ticket server's current key. */ ++ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, ++ &impersonator_kd); ++ if (code != 0) { ++ goto done; ++ } ++ code = krb5_dbe_decrypt_key_data(context, NULL, ++ impersonator_kd, ++ &impersonator_key, NULL); ++ if (code != 0) { ++ goto done; ++ } ++ header_server_key = &impersonator_key; + } else { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- krbtgt_key, +- NULL); +- } +- if (code != 0) { +- goto done; ++ header_server_key = krbtgt_key; + } + +- /* check and update PAC */ +- code = krb5_pac_parse(context, +- authdata[0]->contents, +- authdata[0]->length, +- pac); ++ code = krb5_pac_verify(context, pac, authtime, client_princ, ++ header_server_key, NULL); + if (code != 0) { + goto done; + } +@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = mit_samba_reget_pac(mit_ctx, + context, + flags, +- client_princ, + client, + server, + krbtgt, + krbtgt_key, +- pac); ++ &pac); ++ if (code != 0) { ++ goto done; ++ } ++ ++ *out_pac = pac; ++ pac = NULL; + + done: ++ krb5_free_keyblock_contents(context, &impersonator_key); + krb5_free_authdata(context, authdata); +- krb5_pac_free(context, ipac); +- free(logon_data.data); ++ krb5_pac_free(context, pac); + + return code; + } +@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krb5_authdata **pac_auth_data = NULL; + krb5_authdata **authdata = NULL; + krb5_boolean is_as_req; ++ krb5_const_principal pac_client; + krb5_error_code code; + krb5_pac pac = NULL; + krb5_data pac_data; +@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; + +- /* FIXME: We don't support S4U yet */ +- if (flags & KRB5_KDB_FLAGS_S4U) { +- return KRB5_KDB_DBTYPE_NOSUP; +- } +- + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); + + /* +@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + ks_client_princ = client->princ; + } + ++ /* In protocol transition, we are currently not provided with the tgt ++ * client name to verify the PAC, we could probably skip the name ++ * verification and just verify the signatures, but since we don't ++ * support cross-realm nor aliases, we can just use server->princ */ ++ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { ++ pac_client = server->princ; ++ } else { ++ pac_client = ks_client_princ; ++ } ++ + if (client_entry == NULL) { + client_entry = client; + } +@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + + code = ks_verify_pac(context, + flags, +- ks_client_princ, ++ pac_client, + client_entry, + server, + krbtgt, +@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + is_as_req ? "AS-REQ" : "TGS-REQ", + client_name); + code = krb5_pac_sign(context, pac, authtime, ks_client_princ, +- server_key, krbtgt_key, &pac_data); ++ server_key, krbtgt_key, &pac_data); + if (code != 0) { + DBG_ERR("krb5_pac_sign failed: %d\n", code); + goto done; +@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + KRB5_AUTHDATA_IF_RELEVANT, + authdata, + signed_auth_data); +- if (code != 0) { +- goto done; +- } +- +- code = 0; +- + done: + if (client_entry != NULL && client_entry != client) { + ks_free_principal(context, client_entry); +@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, + * server; -> delegating service + * proxy; -> target principal + */ +- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); +- +- char *target_name = NULL; +- bool is_enterprise; +- krb5_error_code code; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + +- code = krb5_unparse_name(context, proxy, &target_name); +- if (code) { +- goto done; +- } +- +- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); +- +- code = mit_samba_check_s4u2proxy(mit_ctx, +- delegating_service, +- target_name, +- is_enterprise); +- +-done: +- free(target_name); +- return code; ++ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); + } + + +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index 4239332f0d9..acc3cba6254 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + context, + *pac, + server->princ, +- discard_const(client_principal), ++ client->princ, + deleg_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Update delegation info failed: %s\n", +@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + } + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name) ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal) + { +-#if 1 +- /* +- * This is disabled because mit_samba_update_pac_data() does not handle +- * S4U_DELEGATION_INFO +- */ +- +- return KRB5KDC_ERR_BADOPTION; +-#else +- krb5_principal target_principal; +- int flags = 0; +- int ret; +- +- if (is_nt_enterprise_name) { +- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; +- } +- +- ret = krb5_parse_name_flags(ctx->context, target_name, +- flags, &target_principal); +- if (ret) { +- return ret; +- } +- +- ret = samba_kdc_check_s4u2proxy(ctx->context, +- ctx->db_ctx, +- skdc_entry, +- target_principal); +- +- krb5_free_principal(ctx->context, target_principal); +- +- return ret; +-#endif ++ struct samba_kdc_entry *server_skdc_entry = ++ talloc_get_type_abort(server->e_data, ++ struct samba_kdc_entry); ++ ++ return samba_kdc_check_s4u2proxy(ctx->context, ++ ctx->db_ctx, ++ server_skdc_entry, ++ target_principal); + } + + static krb5_error_code mit_samba_change_pwd_error(krb5_context context, +diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h +index 636c77ec97c..9cb00c9610e 100644 +--- a/source4/kdc/mit_samba.h ++++ b/source4/kdc/mit_samba.h +@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + DATA_BLOB *e_data); + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name); ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal); + + int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, + char *pwd, +-- +2.33.1 + + +From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:35:30 +0300 +Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ + lib/krb5_wrap/krb5_samba.h | 2 - + source4/auth/kerberos/kerberos_util.c | 11 -- + 3 files changed, 185 insertions(+), 13 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..791b417d5ba 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + + return 0; + } ++ ++#else /* MIT */ ++ ++static bool princ_compare_no_dollar(krb5_context ctx, ++ krb5_principal a, ++ krb5_principal b) ++{ ++ bool cmp; ++ krb5_principal mod = NULL; ++ ++ if (a->length == 1 && b->length == 1 && ++ a->data[0].length != 0 && b->data[0].length != 0 && ++ a->data[0].data[a->data[0].length -1] != ++ b->data[0].data[b->data[0].length -1]) { ++ if (a->data[0].data[a->data[0].length -1] == '$') { ++ mod = a; ++ mod->data[0].length--; ++ } else if (b->data[0].data[b->data[0].length -1] == '$') { ++ mod = b; ++ mod->data[0].length--; ++ } ++ } ++ ++ cmp = krb5_principal_compare_flags(ctx, a, b, ++ KRB5_PRINCIPAL_COMPARE_CASEFOLD); ++ ++ if (mod != NULL) { ++ mod->data[0].length++; ++ } ++ ++ return cmp; ++} ++ ++krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, ++ krb5_ccache store_cc, ++ krb5_principal init_principal, ++ const char *init_password, ++ krb5_principal impersonate_principal, ++ const char *self_service, ++ const char *target_service, ++ krb5_get_init_creds_opt *krb_options, ++ time_t *expire_time, ++ time_t *kdc_time) ++{ ++ krb5_error_code code; ++ krb5_principal self_princ = NULL; ++ krb5_principal target_princ = NULL; ++ krb5_creds *store_creds; ++ krb5_creds *s4u2self_creds = NULL; ++ krb5_creds *s4u2proxy_creds = NULL; ++ krb5_creds init_creds = {0}; ++ krb5_creds mcreds = {0}; ++ krb5_flags options = KRB5_GC_NO_STORE; ++ krb5_ccache tmp_cc; ++ bool s4u2proxy; ++ ++ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); ++ if (code != 0) { ++ return code; ++ } ++ ++ code = krb5_get_init_creds_password(ctx, &init_creds, ++ init_principal, ++ init_password, ++ NULL, NULL, ++ 0, ++ NULL, ++ krb_options); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* ++ * Check if we also need S4U2Proxy or if S4U2Self is ++ * enough in order to get a ticket for the target. ++ */ ++ if (target_service == NULL) { ++ s4u2proxy = false; ++ } else if (strcmp(target_service, self_service) == 0) { ++ s4u2proxy = false; ++ } else { ++ s4u2proxy = true; ++ } ++ ++ code = krb5_parse_name(ctx, self_service, &self_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt ++ * client and the request server to be the same principal name. */ ++ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ mcreds.client = impersonate_principal; ++ mcreds.server = init_creds.client; ++ ++ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, ++ NULL, &s4u2self_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (s4u2proxy) { ++ code = krb5_parse_name(ctx, target_service, &target_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ mcreds.client = init_creds.client; ++ mcreds.server = target_princ; ++ mcreds.second_ticket = s4u2self_creds->ticket; ++ ++ code = krb5_get_credentials(ctx, options | ++ KRB5_GC_CONSTRAINED_DELEGATION, ++ tmp_cc, &mcreds, &s4u2proxy_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* Check KDC support of S4U2Proxy extension */ ++ if (!krb5_principal_compare(ctx, s4u2self_creds->client, ++ s4u2proxy_creds->client)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ store_creds = s4u2proxy_creds; ++ } else { ++ store_creds = s4u2self_creds;; ++ ++ /* We need to save the ticket with the requested server name ++ * or the caller won't be able to find it in cache. */ ++ if (!krb5_principal_compare(ctx, self_princ, ++ store_creds->server)) { ++ krb5_free_principal(ctx, store_creds->server); ++ store_creds->server = NULL; ++ code = krb5_copy_principal(ctx, self_princ, ++ &store_creds->server); ++ if (code != 0) { ++ goto done; ++ } ++ } ++ } ++ ++ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, store_cc, store_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (expire_time) { ++ *expire_time = (time_t) store_creds->times.endtime; ++ } ++ ++ if (kdc_time) { ++ *kdc_time = (time_t) store_creds->times.starttime; ++ } ++ ++done: ++ krb5_cc_destroy(ctx, tmp_cc); ++ krb5_free_cred_contents(ctx, &init_creds); ++ krb5_free_creds(ctx, s4u2self_creds); ++ krb5_free_creds(ctx, s4u2proxy_creds); ++ krb5_free_principal(ctx, self_princ); ++ krb5_free_principal(ctx, target_princ); ++ ++ return code; ++} + #endif + + #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index eab67f6d969..b5385c69a33 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#ifdef SAMBA4_USES_HEIMDAL + krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, +@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#endif + + #if defined(HAVE_KRB5_MAKE_PRINCIPAL) + #define smb_krb5_make_principal krb5_make_principal +diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c +index 544d9d853cc..c14d8c72d8c 100644 +--- a/source4/auth/kerberos/kerberos_util.c ++++ b/source4/auth/kerberos/kerberos_util.c +@@ -234,9 +234,7 @@ done: + { + krb5_error_code ret; + const char *password; +-#ifdef SAMBA4_USES_HEIMDAL + const char *self_service; +-#endif + const char *target_service; + time_t kdc_time = 0; + krb5_principal princ; +@@ -268,9 +266,7 @@ done: + return ret; + } + +-#ifdef SAMBA4_USES_HEIMDAL + self_service = cli_credentials_get_self_service(credentials); +-#endif + target_service = cli_credentials_get_target_service(credentials); + + password = cli_credentials_get_password(credentials); +@@ -331,7 +327,6 @@ done: + #endif + if (password) { + if (impersonate_principal) { +-#ifdef SAMBA4_USES_HEIMDAL + ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, + ccache, + princ, +@@ -342,12 +337,6 @@ done: + krb_options, + NULL, + &kdc_time); +-#else +- talloc_free(mem_ctx); +- (*error_string) = "INTERNAL error: s4u2 ops " +- "are not supported with MIT build yet"; +- return EINVAL; +-#endif + } else { + ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, + ccache, +-- +2.33.1 + + +From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Sep 2020 14:16:20 +0200 +Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code + +--- + source4/heimdal/lib/hdb/hdb.h | 1 + + source4/kdc/db-glue.c | 8 ++++++-- + source4/kdc/mit_samba.c | 3 +++ + source4/kdc/sdb.h | 1 + + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h +index 5ef9d9565f3..dafaffc6c2d 100644 +--- a/source4/heimdal/lib/hdb/hdb.h ++++ b/source4/heimdal/lib/hdb/hdb.h +@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; + #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ + #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ + + /* hdb_capability_flags */ + #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index aff74f2ee71..d16b4c3329a 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, + } + } + +- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { ++ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { + krb5_clear_error_message(context); + goto out; + } +- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { ++ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ + /* + * SDB_F_CANON maps from the canonicalize flag in the + * packet, and has a different meaning between AS-REQ + * and TGS-REQ. We only change the principal in the AS-REQ case ++ * ++ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants ++ * the canonical name in all lookups, and takes care to canonicalize ++ * only when appropriate. + */ + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index acc3cba6254..f0b9df8b613 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, + if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { + sflags |= SDB_F_CANON; + } ++#if KRB5_KDB_API_VERSION >= 10 ++ sflags |= SDB_F_FORCE_CANON; ++#endif + if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | + KRB5_KDB_FLAG_INCLUDE_PAC)) { + /* +diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h +index c929acccce6..a9115ec23d7 100644 +--- a/source4/kdc/sdb.h ++++ b/source4/kdc/sdb.h +@@ -116,6 +116,7 @@ struct sdb_entry_ex { + #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ + #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ + + void sdb_free_entry(struct sdb_entry_ex *e); + void free_sdb_entry(struct sdb_entry *s); +-- +2.33.1 + diff --git a/SOURCES/samba-4.14-fix-virus-scanner.patch b/SOURCES/samba-virus_scanner.patch similarity index 87% rename from SOURCES/samba-4.14-fix-virus-scanner.patch rename to SOURCES/samba-virus_scanner.patch index 515c642..6e243da 100644 --- a/SOURCES/samba-4.14-fix-virus-scanner.patch +++ b/SOURCES/samba-virus_scanner.patch @@ -1,7 +1,41 @@ -From e4baa05c6f73b364843f0ddd5394bf4298aca0d7 Mon Sep 17 00:00:00 2001 +From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Feb 2022 16:33:10 +0100 +Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd + +We have the env variable SERVER_LOG_LEVEL which allows you to change +the log level on the command line. If we force -d0 this will not work. + +make test TESTS="samba" SERVER_LOG_LEVEL=10 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b901fd2677a..64a9a791a61 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -2153,7 +2153,7 @@ sub make_bin_cmd + { + my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; + +- my @optargs = ("-d0"); ++ my @optargs = (); + if (defined($options)) { + @optargs = split(/ /, $options); + } +-- +2.34.1 + + +From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 8 Feb 2022 12:07:03 +0100 -Subject: [PATCH 1/5] s3:modules: Implement dummy virus scanner that uses +Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses filename matching MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -22,7 +56,7 @@ Reviewed-by: Andreas Schneider create mode 100644 source3/modules/vfs_virusfilter_dummy.c diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index 524e7dfbad9..5ae8a02a369 100644 +index 9fafe4e5d41..e6cbee7cd45 100644 --- a/source3/modules/vfs_virusfilter.c +++ b/source3/modules/vfs_virusfilter.c @@ -35,12 +35,14 @@ @@ -61,7 +95,7 @@ index 524e7dfbad9..5ae8a02a369 100644 config->cache_entry_limit = lp_parm_int( snum, "virusfilter", "cache entry limit", 100); -@@ -532,6 +541,9 @@ static int virusfilter_vfs_connect( +@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( case VIRUSFILTER_SCANNER_CLAMAV: ret = virusfilter_clamav_init(config); break; @@ -157,10 +191,10 @@ index 00000000000..03405cd6629 + return 0; +} diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build -index 36b047ef79b..444a16f2cc0 100644 +index 40df4539392..ff318c3fa06 100644 --- a/source3/modules/wscript_build +++ b/source3/modules/wscript_build -@@ -598,6 +598,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', +@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', vfs_virusfilter_sophos.c vfs_virusfilter_fsav.c vfs_virusfilter_clamav.c @@ -172,10 +206,10 @@ index 36b047ef79b..444a16f2cc0 100644 2.34.1 -From f3c9a2e7c524b25558550ed7fb1b7778975a3f2b Mon Sep 17 00:00:00 2001 +From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 8 Feb 2022 22:35:29 +0100 -Subject: [PATCH 2/5] docs-xml:manpages: Document 'dummy' virusfilter and +Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and 'virusfilter:infected files' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -225,10 +259,10 @@ index 329a35af68a..88f91d73a42 100644 2.34.1 -From 3758a9612862c88a17ed20787b60346859c03eea Mon Sep 17 00:00:00 2001 +From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 8 Feb 2022 15:34:56 +0100 -Subject: [PATCH 3/5] selftest: Fix trailing whitespace in Samba3.pm +Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -244,7 +278,7 @@ Reviewed-by: Andreas Schneider 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 9a8c9ee2604..306783931e0 100755 +index 64a9a791a61..7584a0e7ba9 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -188,7 +188,7 @@ sub getlog_env_app($$$) @@ -256,7 +290,7 @@ index 9a8c9ee2604..306783931e0 100755 return $out; } -@@ -2205,7 +2205,7 @@ sub provision($$) +@@ -2426,7 +2426,7 @@ sub provision($$) my $nmbdsockdir="$prefix_abs/nmbd"; unlink($nmbdsockdir); @@ -265,7 +299,7 @@ index 9a8c9ee2604..306783931e0 100755 ## create the test directory layout ## die ("prefix_abs = ''") if $prefix_abs eq ""; -@@ -3057,7 +3057,7 @@ sub provision($$) +@@ -3290,7 +3290,7 @@ sub provision($$) unless (open(PASSWD, ">$nss_wrapper_passwd")) { warn("Unable to open $nss_wrapper_passwd"); return undef; @@ -278,10 +312,10 @@ index 9a8c9ee2604..306783931e0 100755 2.34.1 -From e92fbd282c584cadcd0ed513c414b5377282ed64 Mon Sep 17 00:00:00 2001 +From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 8 Feb 2022 15:35:48 +0100 -Subject: [PATCH 4/5] s3:selftest: Add test for virus scanner +Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -312,10 +346,10 @@ index 00000000000..6df3fd20627 +^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') +^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 306783931e0..baec3347c7d 100755 +index 7584a0e7ba9..c1d0c60d96a 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm -@@ -1463,6 +1463,9 @@ sub setup_fileserver +@@ -1688,6 +1688,9 @@ sub setup_fileserver my $veto_sharedir="$share_dir/veto"; push(@dirs,$veto_sharedir); @@ -325,7 +359,7 @@ index 306783931e0..baec3347c7d 100755 my $ip4 = Samba::get_ipv4_addr("FILESERVER"); my $fileserver_options = " kernel change notify = yes -@@ -1588,6 +1591,15 @@ sub setup_fileserver +@@ -1813,6 +1816,15 @@ sub setup_fileserver path = $veto_sharedir delete veto files = yes @@ -472,12 +506,12 @@ index 00000000000..2234ea6ca89 + +testok "$0" "$failed" diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index c78c9ea4ab8..3c8976874e6 100755 +index 701be011f70..6b146c76381 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py -@@ -1113,6 +1113,15 @@ plantestsuite("samba3.blackbox.smbclient.encryption_off", "simpleserver", - "$USERNAME", "$PASSWORD", "$SERVER", - smbclient3]) +@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", + '$SERVER_IP', + "tmp"]) +env = 'fileserver' +plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), @@ -495,10 +529,10 @@ index c78c9ea4ab8..3c8976874e6 100755 2.34.1 -From 3e1a57b6d8528d7aa4c46b8ac76bff034523b273 Mon Sep 17 00:00:00 2001 +From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 7 Feb 2022 23:06:10 +0100 -Subject: [PATCH 5/5] s3:modules: Fix virusfilter_vfs_openat +Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -530,10 +564,10 @@ index 6df3fd20627..00000000000 -^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') -^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index 5ae8a02a369..8c7e5323341 100644 +index e6cbee7cd45..d1554967ad1 100644 --- a/source3/modules/vfs_virusfilter.c +++ b/source3/modules/vfs_virusfilter.c -@@ -1304,21 +1304,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, +@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, */ goto virusfilter_vfs_open_next; } diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 2d49425..c6c58a6 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -2,12 +2,16 @@ # # To build and run the tests use: # +# fedpkg local --with testsuite +# or # rpmbuild --rebuild --with testsuite samba.src.rpm # %bcond_with testsuite # Build with internal talloc, tevent, tdb and ldb. # +# fedpkg local --with=testsuite --with=includelibs +# or # rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm # %bcond_with includelibs @@ -15,6 +19,9 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering +# Define _make_verbose if it doesn't exist (RHEL8) +%{!?_make_verbose:%define _make_verbose V=1 VERBOSE=1} + # Build with Active Directory Domain Controller support by default on Fedora %if 0%{?fedora} %bcond_without dc @@ -42,18 +49,21 @@ %bcond_without winexe %endif -# Build vfs_ceph module by default on 64bit Fedora +# Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} %ifarch aarch64 ppc64le s390x x86_64 %bcond_without vfs_cephfs +%bcond_without ceph_mutex %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endifarch %endif %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endif fedora %endif @@ -106,15 +116,29 @@ #endif fedora || rhel >= 8 %endif +# Build the ctdb-pcp-pmda package by default on Fedora +%if 0%{?fedora} +%bcond_without pcp_pmda +%else +%bcond_with pcp_pmda +%endif + +# Build the etcd helpers by default on Fedora +%if 0%{?fedora} +%bcond_without etcd_mutex +%else +%bcond_with etcd_mutex +%endif + %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 10 +%global baserelease 5 -%global samba_version 4.14.5 -%global talloc_version 2.3.2 -%global tdb_version 1.4.3 -%global tevent_version 0.10.2 -%global ldb_version 2.3.0 +%global samba_version 4.15.5 +%global talloc_version 2.3.3 +%global tdb_version 1.4.4 +%global tevent_version 0.11.0 +%global ldb_version 2.4.1 # This should be rc1 or nil %global pre_release %nil @@ -177,19 +201,17 @@ Source14: samba.pamd Source201: README.downgrade -Patch0: samba-4.14-raise-dfs-enoent-debug-level.patch -Patch1: CVE-2016-2124.patch -Patch2: CVE-2021-23192.patch -Patch3: CVE-2020-25717.patch -Patch4: samba-4.14-krb5pac.patch -Patch5: samba-4.14-fix-winbind-no-trusted-domain.patch -Patch6: samba-4.14-IPA-DC-add-missing-checks.patch -Patch7: samba-4.14-recursive-delete-of-veto-files.patch -Patch8: samba-4.14-del-dir-with-dangling-symlinks.patch -Patch9: samba-4.14-fix-username-map-script.patch -Patch10: samba-4.14-fix-domain-join-segfault.patch -Patch11: CVE-2021-44142-v4.14.patch -Patch12: samba-4.14-fix-virus-scanner.patch +Patch0: samba-s4u.patch +Patch1: samba-ctdb-etcd-reclock.patch +Patch2: samba-glibc-dns.patch +Patch3: samba-printing-win7.patch +Patch4: samba-disable-systemd-notifications.patch +Patch5: samba-disable-ntlmssp.patch +Patch6: samba-password-change-prompt.patch +Patch7: samba-virus_scanner.patch +Patch8: samba-4-15-fix-autorid.patch +Patch9: samba-4-15-fix-winbind-refresh-tickets.patch +Patch10: samba-4-15-fix-create-local-krb5-conf.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -297,6 +319,16 @@ BuildRequires: libcephfs-devel BuildRequires: liburing-devel >= 0.4 %endif +%if %{with pcp_pmda} +BuildRequires: pcp-libs-devel +%endif +%if %{with ceph_mutex} +BuildRequires: librados-devel +%endif +%if %{with etcd_mutex} +BuildRequires: python3-etcd +%endif + %if %{with dc} || %{with testsuite} # Add python3-iso8601 to avoid that the # version in Samba is being packaged @@ -326,9 +358,13 @@ BuildRequires: python3-tdb >= %{tdb_version} BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: python3-ldb >= %{ldb_version} BuildRequires: python3-ldb-devel >= %{ldb_version} -%else +%endif + +%if %{with includelibs} || %{with testsuite} +# lmdb-devel is required for the mdb ldb module, if samba is configured +# to build includelibs we need lmdb-devel for building that module on our own BuildRequires: lmdb-devel -#endif without testsuite +#endif without includelibs %endif %if %{with dc} || %{with testsuite} @@ -338,6 +374,7 @@ BuildRequires: ldb-tools BuildRequires: python3-gpg BuildRequires: python3-markdown BuildRequires: python3-setproctitle +BuildRequires: python3-cryptography BuildRequires: tdb-tools %endif @@ -435,7 +472,7 @@ Obsoletes: ctdb-tests-debuginfo < %{samba_depver} # endif with clustering %endif -# If only build glusterfs for RHGS and Fedora, so obsolete it on other version +# We only build glusterfs for RHGS and Fedora, so obsolete it on other versions # of the distro %if %{without vfs_glusterfs} Obsoletes: samba-vfs-glusterfs < %{samba_depver} @@ -456,6 +493,15 @@ Requires: samba-libs = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +# samba-tool needs python3-samba +Requires: python3-%{name} = %{samba_depver} +# samba-tool needs tdbbackup +Requires: tdb-tools +%if %{with dc} +# samba-tool needs mdb_copy for domain backup or upgrade provision +Requires: lmdb +%endif + Provides: bundled(libreplace) %description common-tools @@ -477,10 +523,6 @@ Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif -# samba-tool needs tdbbackup -Requires: tdb-tools -# samba-tool needs mdb_copy -Requires: lmdb Requires: ldb-tools Requires: python3-setproctitle # Force using libldb version to be the same as build version @@ -573,6 +615,7 @@ Samba VFS module for Ceph distributed storage system integration. Summary: Samba VFS module for io_uring Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} Provides: bundled(libreplace) @@ -716,7 +759,7 @@ Summary: Samba python devel files Requires: python3-%{name} = %{samba_depver} %description -n python3-%{name}-devel -The python3-%{name}-devel package contains the Python 3 defel files. +The python3-%{name}-devel package contains the Python 3 devel files. %package -n python3-samba-test Summary: Samba Python libraries @@ -811,9 +854,12 @@ Summary: Samba winbind Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires(post): %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} %if %{with libwbclient} @@ -906,6 +952,7 @@ necessary to communicate to the Winbind Daemon Summary: Samba Winexe Windows Binary License: GPLv3 Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} Provides: bundled(libreplace) @@ -973,6 +1020,45 @@ and use CTDB instead. #endif with testsuite %endif + +%if %{with pcp_pmda} + +%package -n ctdb-pcp-pmda +Summary: CTDB PCP pmda support +Requires: ctdb = %{samba_depver} +Requires: pcp-libs + +%description -n ctdb-pcp-pmda +Performance Co-Pilot (PCP) support for CTDB + +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} + +%package -n ctdb-etcd-mutex +Summary: CTDB ETCD mutex helper +Requires: ctdb = %{samba_depver} +Requires: python3-etcd + +%description -n ctdb-etcd-mutex +Support for using an existing ETCD cluster as a mutex helper for CTDB + +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} + +%package -n ctdb-ceph-mutex +Summary: CTDB ceph mutex helper +Requires: ctdb = %{samba_depver} + +%description -n ctdb-ceph-mutex +Support for using an existing CEPH cluster as a mutex helper for CTDB + +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -1062,9 +1148,19 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" %endif %if %{with testsuite} --enable-selftest \ +%endif +%if %{with pcp_pmda} + --enable-pmda \ +%endif +%if %{with ceph_mutex} + --enable-ceph-reclock \ +%endif +%if %{with etcd_mutex} + --enable-etcd-reclock \ %endif --with-profiling-data \ --with-systemd \ + --with-quotas \ --systemd-install-services \ --with-systemddir=/usr/lib/systemd/system \ --systemd-smb-extra=%{_systemd_extra} \ @@ -1073,7 +1169,7 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! -%{__make} %{?_smp_mflags} V=1 +%{__make} %{?_smp_mflags} %{_make_verbose} pushd pidl %__perl Makefile.PL PREFIX=%{_prefix} @@ -1082,7 +1178,8 @@ pushd pidl popd %install -%make_install +# Do not use %%make_install, make is just a wrapper around waf in Samba! +%{__make} %{?_smp_mflags} %{_make_verbose} install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security @@ -1170,12 +1267,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ - %{_mandir}/man8/samba-tool.8 \ %{_mandir}/man8/samba-gpupdate.8 \ %{_libdir}/samba/ldb/ildap.so \ %{_libdir}/samba/ldb/ldbsamba_extensions.so \ @@ -1526,6 +1621,8 @@ fi %{_libdir}/samba/vfs/nfs4acl_xattr.so %endif +%{_libexecdir}/samba/samba-bgqd + %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc %{_datadir}/samba/mdssvc/elasticsearch_mappings.json @@ -1537,6 +1634,7 @@ fi %config(noreplace) %{_sysconfdir}/pam.d/samba %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* +%{_mandir}/man8/samba-bgqd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1587,9 +1685,8 @@ fi %{_bindir}/cifsdd %{_bindir}/dbwrap_tool %{_bindir}/dumpmscat -%exclude %{_bindir}/findsmb %{_bindir}/mvxattr -%{_bindir}/mdfind +%{_bindir}/mdsearch %{_bindir}/nmblookup %{_bindir}/oLschema2ldif %{_bindir}/regdiff @@ -1616,9 +1713,8 @@ fi %{_mandir}/man1/regpatch.1* %{_mandir}/man1/regshell.1* %{_mandir}/man1/regtree.1* -%exclude %{_mandir}/man1/findsmb.1* %{_mandir}/man1/log2pcap.1* -%{_mandir}/man1/mdfind.1* +%{_mandir}/man1/mdsearch.1* %{_mandir}/man1/mvxattr.1* %{_mandir}/man1/rpcclient.1* %{_mandir}/man1/sharesec.1* @@ -1699,12 +1795,11 @@ fi %{_libdir}/samba/libclidns-samba4.so %{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libctdb-event-client-samba4.so %{_libdir}/samba/libdbwrap-samba4.so -%{_libdir}/samba/libdcerpc-samba-samba4.so %{_libdir}/samba/libdcerpc-pkt-auth-samba4.so +%{_libdir}/samba/libdcerpc-samba-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so %{_libdir}/samba/libgenrand-samba4.so @@ -1758,7 +1853,6 @@ fi %{_libdir}/samba/libtime-basic-samba4.so %{_libdir}/samba/libtorture-samba4.so %{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-cmdline-samba4.so %{_libdir}/samba/libutil-reg-samba4.so %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so @@ -1784,7 +1878,7 @@ fi %{_libdir}/samba/ldb/asq.so %{_libdir}/samba/ldb/ldb.so -#%%{_libdir}/samba/ldb/mdb.so +%{_libdir}/samba/ldb/mdb.so %{_libdir}/samba/ldb/paged_searches.so %{_libdir}/samba/ldb/rdn_name.so %{_libdir}/samba/ldb/sample.so @@ -1822,8 +1916,7 @@ fi ### COMMON-libs %files common-libs # common libraries -%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so -%{_libdir}/samba/libpopt-samba3-samba4.so +%{_libdir}/samba/libcmdline-samba4.so %dir %{_libdir}/samba/ldb @@ -1836,6 +1929,7 @@ fi %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles +%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1844,13 +1938,13 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* +%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* ### DC %if %{with dc} || %{with testsuite} %files dc %{_unitdir}/samba.service -%{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db @@ -1918,7 +2012,6 @@ fi %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* %{_mandir}/man8/samba-gpupdate.8* -%{_mandir}/man8/samba-tool.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -1961,7 +2054,6 @@ fi %endif %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so @@ -1970,8 +2062,6 @@ fi %files dc-bind-dlz %attr(770,root,named) %dir /var/lib/samba/bind-dns %dir %{_libdir}/samba/bind9 -%{_libdir}/samba/bind9/dlz_bind9.so -%{_libdir}/samba/bind9/dlz_bind9_9.so %{_libdir}/samba/bind9/dlz_bind9_10.so %{_libdir}/samba/bind9/dlz_bind9_11.so %{_libdir}/samba/bind9/dlz_bind9_12.so @@ -2145,6 +2235,7 @@ fi %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so +%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so @@ -2239,6 +2330,7 @@ fi %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc @@ -2261,7 +2353,14 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2290,6 +2389,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so %{python3_sitearch}/samba/dcerpc/messaging.*.so @@ -2318,9 +2418,12 @@ fi %{python3_sitearch}/samba/descriptor.py %{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py +%{python3_sitearch}/samba/dsdb.*.so +%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/gpclass.py +%{python3_sitearch}/samba/gp_gnome_settings_ext.py %{python3_sitearch}/samba/gp_scripts_ext.py %{python3_sitearch}/samba/gp_sec_ext.py %{python3_sitearch}/samba/gpo.*.so @@ -2331,6 +2434,7 @@ fi %{python3_sitearch}/samba/messaging.*.so %{python3_sitearch}/samba/ndr.py %{python3_sitearch}/samba/net.*.so +%{python3_sitearch}/samba/net_s3.*.so %{python3_sitearch}/samba/ntstatus.*.so %{python3_sitearch}/samba/posix_eadb.*.so %dir %{python3_sitearch}/samba/emulate @@ -2453,7 +2557,14 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py +%{python3_sitearch}/samba/vgp_access_ext.py +%{python3_sitearch}/samba/vgp_files_ext.py +%{python3_sitearch}/samba/vgp_issue_ext.py +%{python3_sitearch}/samba/vgp_motd_ext.py +%{python3_sitearch}/samba/vgp_openssh_ext.py +%{python3_sitearch}/samba/vgp_startup_scripts_ext.py %{python3_sitearch}/samba/vgp_sudoers_ext.py +%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2500,8 +2611,6 @@ fi %{python3_sitearch}/samba/dcerpc/dnsserver.*.so %{python3_sitearch}/samba/dckeytab.*.so -%{python3_sitearch}/samba/dsdb.*.so -%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2568,6 +2677,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc @@ -2575,6 +2685,8 @@ fi %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc @@ -2586,17 +2698,22 @@ fi %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc %{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc %{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -2632,10 +2749,12 @@ fi %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc @@ -2670,7 +2789,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc -%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc @@ -2686,7 +2805,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py -%{python3_sitearch}/samba/tests/blackbox/mdfind.py +%{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py @@ -2714,6 +2833,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc @@ -2733,6 +2853,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py +%{python3_sitearch}/samba/tests/dcerpc/lsa.py %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py %{python3_sitearch}/samba/tests/dcerpc/misc.py %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py @@ -2748,6 +2869,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/unix.py %{python3_sitearch}/samba/tests/dckeytab.py %{python3_sitearch}/samba/tests/dns.py +%{python3_sitearch}/samba/tests/dns_aging.py %{python3_sitearch}/samba/tests/dns_base.py %{python3_sitearch}/samba/tests/dns_forwarder.py %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers @@ -2758,6 +2880,8 @@ fi %{python3_sitearch}/samba/tests/dns_tkey.py %{python3_sitearch}/samba/tests/dns_wildcard.py %{python3_sitearch}/samba/tests/dsdb.py +%{python3_sitearch}/samba/tests/dsdb_api.py +%{python3_sitearch}/samba/tests/dsdb_dns.py %{python3_sitearch}/samba/tests/dsdb_lock.py %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py %{python3_sitearch}/samba/tests/docs.py @@ -2777,9 +2901,11 @@ fi %{python3_sitearch}/samba/tests/get_opt.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py +%{python3_sitearch}/samba/tests/gpo_member.py %{python3_sitearch}/samba/tests/graph.py %{python3_sitearch}/samba/tests/group_audit.py %{python3_sitearch}/samba/tests/hostconfig.py +%{python3_sitearch}/samba/tests/imports.py %{python3_sitearch}/samba/tests/join.py %dir %{python3_sitearch}/samba/tests/kcc %{python3_sitearch}/samba/tests/kcc/__init__.py @@ -2795,37 +2921,66 @@ fi %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py %dir %{python3_sitearch}/samba/tests/krb5 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__ +%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/alias_tests.py %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py +%{python3_sitearch}/samba/tests/krb5/as_req_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rodc_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py +%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py +%{python3_sitearch}/samba/tests/krb5/test_ldap.py +%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py +%{python3_sitearch}/samba/tests/krb5/test_rpc.py +%{python3_sitearch}/samba/tests/krb5/test_smb.py %{python3_sitearch}/samba/tests/krb5/s4u_tests.py %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py %{python3_sitearch}/samba/tests/ldap_referrals.py +%{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py +%{python3_sitearch}/samba/tests/ndr.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -2861,6 +3016,7 @@ fi %{python3_sitearch}/samba/tests/s3passdb.py %{python3_sitearch}/samba/tests/s3registry.py %{python3_sitearch}/samba/tests/s3windb.py +%{python3_sitearch}/samba/tests/s3_net_join.py %{python3_sitearch}/samba/tests/samba3sam.py %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool @@ -2877,6 +3033,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc @@ -2888,6 +3045,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc @@ -2911,6 +3069,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/forest.py %{python3_sitearch}/samba/tests/samba_tool/fsmo.py %{python3_sitearch}/samba/tests/samba_tool/gpo.py +%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py %{python3_sitearch}/samba/tests/samba_tool/group.py %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py @@ -2922,6 +3081,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py +%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py %{python3_sitearch}/samba/tests/samba_tool/sites.py @@ -2937,6 +3097,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py +%{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/smb.py @@ -3080,6 +3241,7 @@ fi %{_libexecdir}/ctdb/ctdb_recovery_helper %{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify +%{_libexecdir}/ctdb/tdb_mutex_check %dir %{_localstatedir}/lib/ctdb/ %dir %{_localstatedir}/lib/ctdb/persistent @@ -3910,6 +4072,33 @@ fi #endif with selftest %endif +%if %{with pcp_pmda} +%files -n ctdb-pcp-pmda +%dir %{_localstatedir}/lib/pcp/pmdas/ctdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/Install +%{_localstatedir}/lib/pcp/pmdas/ctdb/README +%{_localstatedir}/lib/pcp/pmdas/ctdb/Remove +%{_localstatedir}/lib/pcp/pmdas/ctdb/domain.h +%{_localstatedir}/lib/pcp/pmdas/ctdb/help +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmdactdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmns +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} +%files -n ctdb-etcd-mutex +%{_libexecdir}/ctdb/ctdb_etcd_lock +%{_mandir}/man7/ctdb-etcd.7.gz +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} +%files -n ctdb-ceph-mutex +%{_libexecdir}/ctdb/ctdb_mutex_ceph_rados_helper +%{_mandir}/man7/ctdb_mutex_ceph_rados_helper.7.gz +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -3921,36 +4110,75 @@ fi %endif %changelog -* Tue Feb 22 2022 Pavel Filipenský - 4.14.5-10 -- resolves: rhbz#2029417 - Fix virusfilter_vfs_openat: Not scanned: Directory or special file +* Wed Mar 16 2022 Andreas Schneider - 4.15.5-5 +- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a + single IP address. -* Thu Jan 27 2022 Andreas Schneider - 4.14.5-9 -- resolves: rhbz#2046174 - Fix username map script regression of CVE-2020-25717 -- resolves: rhbz#2046160 - Fix possible segfault while joining a domain -- resolves: rhbz#2046152 - Fix CVE-2021-44142 +* Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 +- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh -* Thu Dec 02 2021 Pavel Filipenský - 4.14.5-8 -- resolves: rhbz#2026717 - Dir containing dangling symlinks cannot be deleted +* Mon Feb 21 2022 Andreas Schneider - 4.15.5-3 +- related: rhbz#1979959 - Fix typo in testparm output -* Mon Nov 22 2021 Andreas Schneider - 4.14.5-7 -- related: rhbz#2021171 - Fix CVE-2020-25717 +* Thu Feb 17 2022 Andreas Schneider - 4.15.5-2 +- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation + +* Mon Feb 14 2022 Pavel Filipenský - 4.15.5-1 +- resolves: #1995849 - [RFE] Change change password change prompt phrasing +- resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file + +* Wed Feb 02 2022 Pavel Filipenský - 4.15.5-0 +- Update to Samba 4.15.5 +- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release +- resolves: rhbz#2046127 - Fix CVE-2021-44141 +- resolves: rhbz#2046153 - Fix CVE-2021-44142 +- resolves: rhbz#2044404 - Printing no longer works on Windows 7 +- resolves: rhbz#2043154 - Fix systemd notifications +- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads) + +* Fri Jan 21 2022 Pavel Filipenský - 4.15.4-0 +- Update to Samba 4.15.4 +- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release +- resolves: rhbz#2039153 - Fix CVE-2021-20316 +- resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth +- resolves: rhbz#2039157 - Fix CVE-2021-43566 +- resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7 +- resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain +- resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED + +* Thu Dec 16 2021 Pavel Filipenský - 4.15.3-1 +- related: rhbz#2013596 - Rebase to version 4.15.3 +- resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind +- resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired + +* Fri Dec 03 2021 Andreas Schneider - 4.15.2-2 +- related: rhbz#2013596 - Remove unneeded lmdb dependency + +* Thu Nov 25 2021 Pavel Filipenský - 4.15.2-1 +- resolves: rhbz#2013596 - Rebase to version 4.15.2 +- resolves: rhbz#1999294 - Remove noisy error message in winbindd +- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth + with one-way trusts +- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks + +* Mon Nov 22 2021 Andreas Schneider - 4.14.5-14 +- related: rbhz#2019674 - Fix CVE-2020-25717 - Fix running ktest (selftest) -* Sat Nov 13 2021 Alexander Bokovoy - 4.14.5-6 -- related: rhbz#2021171 - Fix CVE-2020-25717 +* Sat Nov 13 2021 Alexander Bokovoy - 4.14.5-13 +- related: rbhz#2019674 - Fix CVE-2020-25717 - Add missing checks for IPA DC server role -* Tue Nov 09 2021 Andreas Schneider - 4.14.5-5 -- resolves: rhbz#2021493 - Add missing PAC buffer types to krb5pac.idl -- related: rbhz#2021171 - Fix regression with 'allow trusted domains = no' +* Wed Nov 10 2021 Andreas Schneider - 4.14.5-12 +- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no' -* Fri Nov 05 2021 Andreas Schneider - 4.14.4-4 -- resolves: rhbz#2021163 - Fix CVE-2016-2124 -- resolves: rhbz#2021167 - Fix CVE-2021-23192 -- resolves: rhbz#2021171 - Fix CVE-2020-25717 +* Tue Nov 09 2021 Andreas Schneider - 4.14.5-11 +- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl + +* Fri Nov 05 2021 Andreas Schneider - 4.14.4-3 +- resolves: rhbz#2019662 - Fix CVE-2016-2124 +- resolves: rhbz#2019668 - Fix CVE-2021-23192 +- resolves: rbhz#2019674 - Fix CVE-2020-25717 * Tue Jul 13 2021 Andreas Schneider - 4.14.4-2 - related: rhbz#1980346 - Rebuild for libtalloc 0.11.0