diff --git a/.gitignore b/.gitignore index 41cd890..a32ae18 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.15.5.tar.xz +SOURCES/samba-4.16.4.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index b1ff8f6..620213e 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz +c943ec2e8b9413cd3465e39481b49872b4486e86 SOURCES/samba-4.16.4.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/CVE-2022-32742-v4-15.patch b/SOURCES/CVE-2022-32742-v4-15.patch deleted file mode 100644 index 314b144..0000000 --- a/SOURCES/CVE-2022-32742-v4-15.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 7 Jun 2022 09:40:45 -0700 -Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test. - -Reproduces the test code in: - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 - -Add knownfail. - -Signed-off-by: Jeremy Allison -Reviewed-by: David Disseldorp ---- - selftest/knownfail.d/bad-write | 2 + - source4/torture/raw/write.c | 89 ++++++++++++++++++++++++++++++++++ - 2 files changed, 91 insertions(+) - create mode 100644 selftest/knownfail.d/bad-write - -diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write -new file mode 100644 -index 00000000000..5fc16606a13 ---- /dev/null -+++ b/selftest/knownfail.d/bad-write -@@ -0,0 +1,2 @@ -+^samba3.raw.write.bad-write\(nt4_dc_smb1\) -+^samba3.raw.write.bad-write\(ad_dc_smb1\) -diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c -index 0a2f50f425b..661485bb548 100644 ---- a/source4/torture/raw/write.c -+++ b/source4/torture/raw/write.c -@@ -25,6 +25,7 @@ - #include "libcli/libcli.h" - #include "torture/util.h" - #include "torture/raw/proto.h" -+#include "libcli/raw/raw_proto.h" - - #define CHECK_STATUS(status, correct) do { \ - if (!NT_STATUS_EQUAL(status, correct)) { \ -@@ -694,6 +695,93 @@ done: - return ret; - } - -+/* -+ test a deliberately bad SMB1 write. -+*/ -+static bool test_bad_write(struct torture_context *tctx, -+ struct smbcli_state *cli) -+{ -+ bool ret = false; -+ int fnum = -1; -+ struct smbcli_request *req = NULL; -+ const char *fname = BASEDIR "\\badwrite.txt"; -+ bool ok = false; -+ -+ if (!torture_setup_dir(cli, BASEDIR)) { -+ torture_fail(tctx, "failed to setup basedir"); -+ } -+ -+ torture_comment(tctx, "Testing RAW_BAD_WRITE\n"); -+ -+ fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE); -+ if (fnum == -1) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, -+ "Failed to create %s - %s\n", -+ fname, -+ smbcli_errstr(cli->tree))); -+ } -+ -+ req = smbcli_request_setup(cli->tree, -+ SMBwrite, -+ 5, -+ 0); -+ if (req == NULL) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "talloc fail\n")); -+ } -+ -+ SSVAL(req->out.vwv, VWV(0), fnum); -+ SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */ -+ SIVAL(req->out.vwv, VWV(2), 0); /* offset */ -+ SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */ -+ -+ if (!smbcli_request_send(req)) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "Send failed\n")); -+ } -+ -+ if (!smbcli_request_receive(req)) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, "Reveive failed\n")); -+ } -+ -+ /* -+ * Check for expected error codes. -+ * ntvfs returns NT_STATUS_UNSUCCESSFUL. -+ */ -+ ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) || -+ NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL)); -+ -+ if (!ok) { -+ torture_fail_goto(tctx, -+ done, -+ talloc_asprintf(tctx, -+ "Should have returned " -+ "NT_STATUS_INVALID_PARAMETER or " -+ "NT_STATUS_UNSUCCESSFUL " -+ "got %s\n", -+ nt_errstr(req->status))); -+ } -+ -+ ret = true; -+ -+done: -+ if (req != NULL) { -+ smbcli_request_destroy(req); -+ } -+ if (fnum != -1) { -+ smbcli_close(cli->tree, fnum); -+ } -+ smb_raw_exit(cli->session); -+ smbcli_deltree(cli->tree, BASEDIR); -+ return ret; -+} -+ - /* - basic testing of write calls - */ -@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx) - torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock); - torture_suite_add_1smb_test(suite, "write close", test_writeclose); - torture_suite_add_1smb_test(suite, "writex", test_writex); -+ torture_suite_add_1smb_test(suite, "bad-write", test_bad_write); - - return suite; - } --- -2.34.1 - - -From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 8 Jun 2022 13:50:51 -0700 -Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. - -Fixes the raw.write.bad-write test. - -NB. We need the two (==0) changes in source3/smbd/reply.c -as the gcc optimizer now knows that the return from -smbreq_bufrem() can never be less than zero. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 - -Remove knownfail. - -Signed-off-by: Jeremy Allison -Reviewed-by: David Disseldorp - ---- - selftest/knownfail.d/bad-write | 2 -- - source3/include/smb_macros.h | 2 +- - source3/smbd/reply.c | 4 ++-- - 3 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/bad-write - -diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write -deleted file mode 100644 -index 5fc16606a13..00000000000 ---- a/selftest/knownfail.d/bad-write -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba3.raw.write.bad-write\(nt4_dc_smb1\) --^samba3.raw.write.bad-write\(ad_dc_smb1\) -diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h -index 344a997cbd2..c75b93fcc25 100644 ---- a/source3/include/smb_macros.h -+++ b/source3/include/smb_macros.h -@@ -152,7 +152,7 @@ - - /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */ - #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf))) --#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf)) -+#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf)) - - - /* Note that chain_size must be available as an extern int to this macro. */ -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c -index d4573d3da55..e1a47a65662 100644 ---- a/source3/smbd/reply.c -+++ b/source3/smbd/reply.c -@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req, - { - ssize_t bufrem = smbreq_bufrem(req, src); - -- if (bufrem < 0) { -+ if (bufrem == 0) { - *err = NT_STATUS_INVALID_PARAMETER; - return 0; - } -@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req, - { - ssize_t bufrem = smbreq_bufrem(req, src); - -- if (bufrem < 0) { -+ if (bufrem == 0) { - return 0; - } - --- -2.34.1 - diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch deleted file mode 100644 index f63464c..0000000 --- a/SOURCES/samba-4-15-fix-autorid.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:06:30 +0100 -Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) ---- - source3/winbindd/idmap_autorid.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c -index ad53b5810ee..c7d56a37684 100644 ---- a/source3/winbindd/idmap_autorid.c -+++ b/source3/winbindd/idmap_autorid.c -@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) - config->maxranges = (dom->high_id - dom->low_id + 1) / - config->rangesize; - -- if (config->maxranges == 0) { -- DEBUG(1, ("Allowed uid range is smaller than rangesize. " -- "Increase uid range or decrease rangesize.\n")); -+ if (config->maxranges < 2) { -+ DBG_WARNING("Allowed idmap range is not a least double the " -+ "size of the rangesize. Please increase idmap " -+ "range.\n"); - status = NT_STATUS_INVALID_PARAMETER; - goto error; - } --- -2.35.1 - - -From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:07:50 +0100 -Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) ---- - source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 51 insertions(+) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index 98bcc219b1e..58ba46bc15f 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, - return false; /* Keep scanning */ - } - -+static int idmap_config_int(const char *domname, const char *option, int def) -+{ -+ int len = snprintf(NULL, 0, "idmap config %s", domname); -+ -+ if (len == -1) { -+ return def; -+ } -+ { -+ char config_option[len+1]; -+ snprintf(config_option, sizeof(config_option), -+ "idmap config %s", domname); -+ return lp_parm_int(-1, config_option, option, def); -+ } -+} -+ - static bool do_idmap_check(void) - { - struct idmap_domains *d; -@@ -157,6 +172,42 @@ static bool do_idmap_check(void) - rc); - } - -+ /* Check autorid backend */ -+ if (strequal(lp_idmap_default_backend(), "autorid")) { -+ struct idmap_config *c = NULL; -+ bool found = false; -+ -+ for (i = 0; i < d->count; i++) { -+ c = &d->c[i]; -+ -+ if (strequal(c->backend, "autorid")) { -+ found = true; -+ break; -+ } -+ } -+ -+ if (found) { -+ uint32_t rangesize = -+ idmap_config_int("*", "rangesize", 100000); -+ uint32_t maxranges = -+ (c->high - c->low + 1) / rangesize; -+ -+ if (maxranges < 2) { -+ fprintf(stderr, -+ "ERROR: The idmap autorid range " -+ "[%u-%u] needs to be at least twice as " -+ "big as the rangesize [%u]!" -+ "\n\n", -+ c->low, -+ c->high, -+ rangesize); -+ ok = false; -+ goto done; -+ } -+ } -+ } -+ -+ /* Check for overlapping idmap ranges */ - for (i = 0; i < d->count; i++) { - struct idmap_config *c = &d->c[i]; - uint32_t j; --- -2.35.1 - - -From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 1 Feb 2022 10:05:19 +0100 -Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation - -What we want to avoid: - -$ ./bin/testparm -s | grep "idmap config" - idmap config * : rangesize = 10000 - idmap config * : range = 10000-19999 - idmap config * : backend = autorid - -$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators -S-1-5-32-544 SID_ALIAS (4) - -$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 -10000 - -$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice -S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) - -$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 -failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND -Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid - -If only one range is configured we are either not able to map users/groups -from our primary *and* the BUILTIN domain. We need at least two ranges to also -cover the BUILTIN domain! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) ---- - docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml -index 6c4da1cad8a..980718f0bd4 100644 ---- a/docs-xml/manpages/idmap_autorid.8.xml -+++ b/docs-xml/manpages/idmap_autorid.8.xml -@@ -48,7 +48,13 @@ - and the corresponding map is discarded. It is - intended as a way to avoid accidental UID/GID - overlaps between local and remotely defined -- IDs. -+ IDs. Note that the range should be a multiple -+ of the rangesize and needs to be at least twice -+ as large in order to have sufficient id range -+ space for the mandatory BUILTIN domain. -+ With a default rangesize of 100000 the range -+ needs to span at least 200000. -+ This would be: range = 100000 - 299999. - - - --- -2.35.1 - diff --git a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch b/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch deleted file mode 100644 index 2d7ad44..0000000 --- a/SOURCES/samba-4-15-fix-create-local-krb5-conf.patch +++ /dev/null @@ -1,477 +0,0 @@ -From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 16:53:02 +0100 -Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - testprogs/blackbox/test_net_ads.sh | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index 76b394b10a9..cfafb945b62 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -51,6 +51,12 @@ fi - - testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - -+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf") -+testit "local krb5.conf created" \ -+ test -r \ -+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" || -+ failed=$((failed + 1)) -+ - testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1` - - netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') --- -2.35.1 - - -From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:03:40 +0100 -Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 75beeef4a44..60fe03fd5d7 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -1,4 +1,4 @@ --/* -+/* - Unix SMB/CIFS implementation. - kerberos utility library - Copyright (C) Andrew Tridgell 2001 -@@ -37,11 +37,11 @@ - #define LIBADS_CCACHE_NAME "MEMORY:libads" - - /* -- we use a prompter to avoid a crash bug in the kerberos libs when -+ we use a prompter to avoid a crash bug in the kerberos libs when - dealing with empty passwords - this prompter is just a string copy ... - */ --static krb5_error_code -+static krb5_error_code - kerb_prompter(krb5_context ctx, void *data, - const char *name, - const char *banner, -@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal, - krb5_get_init_creds_opt_set_address_list(opt, addr->addrs); - } - -- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), -+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password), - kerb_prompter, discard_const_p(char, password), - 0, NULL, opt))) { - goto out; -@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name) - } - - if ((code = krb5_cc_destroy (ctx, cc))) { -- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", -+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n", - error_message(code))); - } - -@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal, - int time_offset, - const char *cache_name) - { -- return kerberos_kinit_password_ext(principal, -- password, -- time_offset, -- 0, -+ return kerberos_kinit_password_ext(principal, -+ password, -+ time_offset, -+ 0, - 0, - cache_name, - False, --- -2.35.1 - - -From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:04:34 +0100 -Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string() - -This avoids useless allocations. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 60fe03fd5d7..1bf149ef09b 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx, - struct netlogon_samlogon_response **responses = NULL; - NTSTATUS status; - bool ok; -- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "", -- print_canonical_sockaddr_with_port(mem_ctx, pss)); -+ char *kdc_str = NULL; - -+ SMB_ASSERT(pss != NULL); -+ -+ kdc_str = talloc_asprintf(mem_ctx, -+ "\t\tkdc = %s\n", -+ print_canonical_sockaddr_with_port(mem_ctx, -+ pss)); - if (kdc_str == NULL) { - TALLOC_FREE(frame); - return NULL; -@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx, - } - } - -- dc_addrs2 = talloc_zero_array(talloc_tos(), -- struct tsocket_address *, -- num_dcs); -- - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { - TALLOC_FREE(kdc_str); - goto out; - } -+ -+ dc_addrs2 = talloc_zero_array(talloc_tos(), -+ struct tsocket_address *, -+ num_dcs); - if (dc_addrs2 == NULL) { - TALLOC_FREE(kdc_str); - goto out; --- -2.35.1 - - -From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:10:47 +0100 -Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 1bf149ef09b..6a46d72a156 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - - result = kdc_str; - out: -- DBG_DEBUG("Returning\n%s\n", kdc_str); -+ if (result != NULL) { -+ DBG_DEBUG("Returning\n%s\n", kdc_str); -+ } else { -+ DBG_NOTICE("Failed to get KDC ip address\n"); -+ } - - TALLOC_FREE(ip_sa_site); - TALLOC_FREE(ip_sa_nonsite); --- -2.35.1 - - -From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:48:23 +0100 -Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in - get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 6a46d72a156..d1c410ffa4b 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - } - - /* Append to the string - inefficient but not done often. */ -- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", -- kdc_str, -- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); -- TALLOC_FREE(kdc_str); -+ new_kdc_str = talloc_asprintf_append( -+ kdc_str, -+ "\t\tkdc = %s\n", -+ print_canonical_sockaddr_with_port( -+ mem_ctx, &dc_addrs[i])); - if (new_kdc_str == NULL) { - goto out; - } --- -2.35.1 - - -From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:56:58 +0100 -Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index d1c410ffa4b..aadc65a3edc 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - - SMB_ASSERT(pss != NULL); - -- kdc_str = talloc_asprintf(mem_ctx, -+ kdc_str = talloc_asprintf(frame, - "\t\tkdc = %s\n", - print_canonical_sockaddr_with_port(mem_ctx, - pss)); -@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - */ - - if (sitename) { -- status = get_kdc_list(talloc_tos(), -+ status = get_kdc_list(frame, - realm, - sitename, - &ip_sa_site, -@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - - /* Get all KDC's. */ - -- status = get_kdc_list(talloc_tos(), -+ status = get_kdc_list(frame, - realm, - NULL, - &ip_sa_nonsite, -@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx, - kdc_str = new_kdc_str; - } - -- result = kdc_str; -+ result = talloc_move(mem_ctx, &kdc_str); - out: - if (result != NULL) { - DBG_DEBUG("Returning\n%s\n", kdc_str); -@@ -597,8 +597,6 @@ out: - DBG_NOTICE("Failed to get KDC ip address\n"); - } - -- TALLOC_FREE(ip_sa_site); -- TALLOC_FREE(ip_sa_nonsite); - TALLOC_FREE(frame); - return result; - } --- -2.35.1 - - -From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 12:57:18 +0100 -Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str - -This is allocated on the stackframe now! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 12 +----------- - 1 file changed, 1 insertion(+), 11 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index aadc65a3edc..2087dc1e6f9 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - print_canonical_sockaddr_with_port(mem_ctx, - pss)); - if (kdc_str == NULL) { -- TALLOC_FREE(frame); -- return NULL; -+ goto out; - } - - ok = sockaddr_storage_to_samba_sockaddr(&sa, pss); - if (!ok) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("get_kdc_list fail %s\n", - nt_errstr(status)); -- TALLOC_FREE(kdc_str); - goto out; - } - DBG_DEBUG("got %zu addresses from site %s search\n", -@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DBG_ERR("get_kdc_list (site-less) fail %s\n", - nt_errstr(status)); -- TALLOC_FREE(kdc_str); - goto out; - } - DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite); -@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (count_site + count_nonsite < count_site) { - /* Wrap check. */ - DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n"); -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage, - count_site + count_nonsite); - if (dc_addrs == NULL) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - struct tsocket_address *, - num_dcs); - if (dc_addrs2 == NULL) { -- TALLOC_FREE(kdc_str); - goto out; - } - -@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - status = map_nt_error_from_unix(errno); - DEBUG(2,("Failed to create tsocket_address for %s - %s\n", - addr, nt_errstr(status))); -- TALLOC_FREE(kdc_str); - goto out; - } - } -@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx, - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: " - "%s\n", nt_errstr(status))); -- TALLOC_FREE(kdc_str); - goto out; - } - --- -2.35.1 - - -From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 13:02:05 +0100 -Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for - NULL in get_kdc_ip_string() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 2087dc1e6f9..20dceeefb22 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx, - NTSTATUS status; - bool ok; - char *kdc_str = NULL; -+ char *canon_sockaddr = NULL; - - SMB_ASSERT(pss != NULL); - -+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss); -+ if (canon_sockaddr == NULL) { -+ goto out; -+ } -+ - kdc_str = talloc_asprintf(frame, - "\t\tkdc = %s\n", -- print_canonical_sockaddr_with_port(mem_ctx, -- pss)); -+ canon_sockaddr); - if (kdc_str == NULL) { - goto out; - } --- -2.35.1 - - -From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 15 Mar 2022 13:10:06 +0100 -Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf - -We create an KDC ip string entry directly at the beginning, use it if we -don't have any additional DCs. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016 - -Signed-off-by: Andreas Schneider ---- - source3/libads/kerberos.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 20dceeefb22..3fd86e87064 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx, - - DBG_DEBUG("%zu additional KDCs to test\n", num_dcs); - if (num_dcs == 0) { -+ /* -+ * We do not have additional KDCs, but we have the one passed -+ * in via `pss`. So just use that one and leave. -+ */ -+ result = talloc_move(mem_ctx, &kdc_str); - goto out; - } - --- -2.35.1 - diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch deleted file mode 100644 index 93c2caa..0000000 --- a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch +++ /dev/null @@ -1,411 +0,0 @@ -From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 12:59:44 +0100 -Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error - path - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) ---- - source3/libads/authdata.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index dd21d895fc2..c048510d480 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; -+ DATA_BLOB tkt = data_blob_null; -+ DATA_BLOB tkt_wrapped = data_blob_null; -+ DATA_BLOB ap_rep = data_blob_null; -+ DATA_BLOB sesskey1 = data_blob_null; - const char *auth_princ = NULL; - const char *cc = "MEMORY:kerberos_return_pac"; - struct auth_session_info *session_info; -@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - ZERO_STRUCT(sesskey1); - - if (!name || !pass) { -- return NT_STATUS_INVALID_PARAMETER; -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto out; - } - - if (cache_name) { -@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - - if (expire_time && renew_till_time && - (*expire_time == 0) && (*renew_till_time == 0)) { -- return NT_STATUS_INVALID_LOGON_TYPE; -+ status = NT_STATUS_INVALID_LOGON_TYPE; -+ goto out; - } - - ret = ads_krb5_cli_get_ticket(mem_ctx, --- -2.35.1 - - -From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:00:05 +0100 -Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug - macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) ---- - lib/krb5_wrap/krb5_samba.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..42d4b950f80 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - goto done; - } - -- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); -+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); - - /* FIXME: we should not fall back to defaults */ - ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); --- -2.35.1 - - -From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:28 +0100 -Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer - debug macro - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) ---- - lib/krb5_wrap/krb5_samba.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 42d4b950f80..76c2dcd2126 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, - - ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); - if (ret) { -- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); -+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " -+ "for client '%s' and service '%s' failed: %s\n", -+ ccache_string, client_string, service_string, -+ error_message(ret)); - goto done; - } - --- -2.35.1 - - -From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:08:56 +0100 -Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from - kerberos_return_pac() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) ---- - source3/libads/authdata.c | 22 +++++++++++++++++++++- - source3/libads/kerberos_proto.h | 2 ++ - source3/utils/net_ads.c | 2 ++ - source3/winbindd/winbindd_pam.c | 2 ++ - 4 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index c048510d480..bf9a2335445 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **_pac_data_ctr) - { - krb5_error_code ret; -@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_context; - struct loadparm_context *lp_ctx; - struct PAC_DATA_CTR *pac_data_ctr = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); -@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - goto out; - } - -+ if (_canon_principal != NULL) { -+ *_canon_principal = NULL; -+ } -+ -+ if (_canon_realm != NULL) { -+ *_canon_realm = NULL; -+ } -+ - if (cache_name) { - cc = cache_name; - } -@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - request_pac, - add_netbios_addr, - renewable_time, -- NULL, NULL, NULL, -+ tmp_ctx, -+ &canon_principal, -+ &canon_realm, - &status); - if (ret) { - DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", -@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - } - - *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); -+ if (_canon_principal != NULL) { -+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); -+ } -+ if (_canon_realm != NULL) { -+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); -+ } - - out: - talloc_free(tmp_ctx); -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index 3d7b5bc074b..807381248c8 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -+ char **_canon_principal, -+ char **_canon_realm, - struct PAC_DATA_CTR **pac_data_ctr); - - /* The following definitions come from libads/krb5_setpw.c */ -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 8f993f9ba4c..c41fb0afe9c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch - 2592000, /* one month */ - impersonate_princ_s, - local_service, -+ NULL, -+ NULL, - pac_data_ctr); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 7606bfb4ecd..025a5cbc111 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -+ NULL, -+ NULL, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); --- -2.35.1 - - -From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 13:19:02 +0100 -Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache - entry - -They will be used later to refresh the tickets. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) ---- - source3/winbindd/winbindd.h | 2 ++ - source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- - source3/winbindd/winbindd_pam.c | 14 ++++++++++---- - source3/winbindd/winbindd_proto.h | 4 +++- - 4 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index a6b2238cec1..dac4a1fa927 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { - const char *service; - const char *username; - const char *realm; -+ const char *canon_principal; -+ const char *canon_realm; - struct WINBINDD_MEMORY_CREDS *cred_ptr; - int ref_count; - uid_t uid; -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index c3077e21989..88847b1ab97 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request) -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm) - { - struct WINBINDD_CCACHE_ENTRY *entry = NULL; - struct timeval t; -@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - goto no_mem; - } - } -+ if (canon_principal != NULL) { -+ entry->canon_principal = talloc_strdup(entry, canon_principal); -+ if (entry->canon_principal == NULL) { -+ goto no_mem; -+ } -+ } -+ if (canon_realm != NULL) { -+ entry->canon_realm = talloc_strdup(entry, canon_realm); -+ if (entry->canon_realm == NULL) { -+ goto no_mem; -+ } -+ } - - entry->ccname = talloc_strdup(entry, ccname); - if (!entry->ccname) { -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 025a5cbc111..a24cef78440 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - const char *local_service; - uint32_t i; - struct netr_SamInfo6 *info6_copy = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - bool ok; - - *info6 = NULL; -@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -- NULL, -- NULL, -+ &canon_principal, -+ &canon_realm, - &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); -@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - time(NULL), - ticket_lifetime, - renewal_until, -- false); -+ false, -+ canon_principal, -+ canon_realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", -@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, - time(NULL), - time(NULL) + lp_winbind_cache_time(), - time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, -- true); -+ true, -+ principal_s, -+ realm); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("winbindd_dual_pam_auth_cached: failed " -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h -index c0d653a6d77..16c23f3de40 100644 ---- a/source3/winbindd/winbindd_proto.h -+++ b/source3/winbindd/winbindd_proto.h -@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, - time_t create_time, - time_t ticket_end, - time_t renew_until, -- bool postponed_request); -+ bool postponed_request, -+ const char *canon_principal, -+ const char *canon_realm); - NTSTATUS remove_ccache(const char *username); - struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); - NTSTATUS winbindd_add_memory_creds(const char *username, --- -2.35.1 - - -From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Tue, 22 Feb 2022 14:28:44 +0100 -Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the - credentials - -The principal name stored in the winbindd ccache entry might be an -enterprise principal name if enterprise principals are enabled. Use -the canonical name to renew the credentials. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) ---- - source3/winbindd/winbindd_cred_cache.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index 88847b1ab97..6c65db6a73f 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -209,7 +209,7 @@ rekinit: - set_effective_uid(entry->uid); - - ret = smb_krb5_renew_ticket(entry->ccname, -- entry->principal_name, -+ entry->canon_principal, - entry->service, - &new_start); - #if defined(DEBUG_KRB5_TKT_RENEWAL) --- -2.35.1 - diff --git a/SOURCES/samba-4-15-kerberos-clock-skew.patch b/SOURCES/samba-4-15-kerberos-clock-skew.patch deleted file mode 100644 index 1e87049..0000000 --- a/SOURCES/samba-4-15-kerberos-clock-skew.patch +++ /dev/null @@ -1,347 +0,0 @@ -From 01205e1ff2a16ecdeb99fd4153f40f917decacee Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:01:00 +0200 -Subject: [PATCH 1/4] s3:winbind: Do not use domain's private data to store the - SAMR pipes - -The domain's private_data pointer is also used to store a ADS_STRUCT, -which is not allocated using talloc and there are many places casting -this pointer directly. - -The recently added samba.tests.pam_winbind_setcred was randomly failing -and after debugging it the problem was that kerberos authentication was -failing because the time_offset passed to kerberos_return_pac() was -wrong. This time_offset was retrieved from ads->auth.time_offset, where -the ads pointer was directly casted from domain->private_data but -private_data was pointing to a winbind_internal_pipes struct. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit e1f29b0970f4cac52a9cd517be6862cf69a1433a) ---- - source3/winbindd/winbindd.h | 6 ++++++ - source3/winbindd/winbindd_ndr.c | 3 +++ - source3/winbindd/winbindd_samr.c | 18 ++++++------------ - 3 files changed, 15 insertions(+), 12 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index dac4a1fa927..762844502e5 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -43,6 +43,8 @@ - - #define WB_REPLACE_CHAR '_' - -+struct winbind_internal_pipes; -+ - struct winbindd_cli_state { - struct winbindd_cli_state *prev, *next; /* Linked list pointers */ - int sock; /* Open socket from client */ -@@ -157,6 +159,10 @@ struct winbindd_domain { - - void *private_data; - -+ struct { -+ struct winbind_internal_pipes *samr_pipes; -+ } backend_data; -+ - /* A working DC */ - char *dcname; - const char *ping_dcname; -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 157ce1bff27..36901776b98 100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -144,6 +144,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_bool(ndr, "startup", r->startup); - ndr_print_winbindd_methods(ndr, "backend", r->backend); - ndr_print_ptr(ndr, "private_data", r->private_data); -+ ndr_print_ptr(ndr, -+ "backend_data.samr_pipes", -+ r->backend_data.samr_pipes); - ndr_print_string(ndr, "dcname", r->dcname); - ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); - ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); -diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c -index 5e23ff8217b..ce66adcc0c7 100644 ---- a/source3/winbindd/winbindd_samr.c -+++ b/source3/winbindd/winbindd_samr.c -@@ -130,7 +130,7 @@ static NTSTATUS open_cached_internal_pipe_conn( - { - struct winbind_internal_pipes *internal_pipes = NULL; - -- if (domain->private_data == NULL) { -+ if (domain->backend_data.samr_pipes == NULL) { - TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS status; - -@@ -156,14 +156,14 @@ static NTSTATUS open_cached_internal_pipe_conn( - return status; - } - -- domain->private_data = talloc_move(domain, &internal_pipes); -+ domain->backend_data.samr_pipes = -+ talloc_move(domain, &internal_pipes); - - TALLOC_FREE(frame); - - } - -- internal_pipes = talloc_get_type_abort( -- domain->private_data, struct winbind_internal_pipes); -+ internal_pipes = domain->backend_data.samr_pipes; - - if (samr_domain_hnd) { - *samr_domain_hnd = internal_pipes->samr_domain_hnd; -@@ -188,23 +188,17 @@ static bool reset_connection_on_error(struct winbindd_domain *domain, - struct rpc_pipe_client *p, - NTSTATUS status) - { -- struct winbind_internal_pipes *internal_pipes = NULL; - struct dcerpc_binding_handle *b = p->binding_handle; - -- internal_pipes = talloc_get_type_abort( -- domain->private_data, struct winbind_internal_pipes); -- - if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) || - NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR)) - { -- TALLOC_FREE(internal_pipes); -- domain->private_data = NULL; -+ TALLOC_FREE(domain->backend_data.samr_pipes); - return true; - } - - if (!dcerpc_binding_handle_is_connected(b)) { -- TALLOC_FREE(internal_pipes); -- domain->private_data = NULL; -+ TALLOC_FREE(domain->backend_data.samr_pipes); - return true; - } - --- -2.35.1 - - -From 79ab2a5669a1e21e96f29cecc651dccacd7ace71 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:15:35 +0200 -Subject: [PATCH 2/4] s3:winbind: Simplify open_cached_internal_pipe_conn() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 91395e660a2b1b69bf74ca0b77aee416e2ac1db3) ---- - source3/winbindd/winbindd_samr.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c -index ce66adcc0c7..20b5d758d1a 100644 ---- a/source3/winbindd/winbindd_samr.c -+++ b/source3/winbindd/winbindd_samr.c -@@ -128,9 +128,10 @@ static NTSTATUS open_cached_internal_pipe_conn( - struct rpc_pipe_client **lsa_pipe, - struct policy_handle *lsa_hnd) - { -- struct winbind_internal_pipes *internal_pipes = NULL; -+ struct winbind_internal_pipes *internal_pipes = -+ domain->backend_data.samr_pipes; - -- if (domain->backend_data.samr_pipes == NULL) { -+ if (internal_pipes == NULL) { - TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS status; - -@@ -157,14 +158,11 @@ static NTSTATUS open_cached_internal_pipe_conn( - } - - domain->backend_data.samr_pipes = -- talloc_move(domain, &internal_pipes); -+ talloc_steal(domain, internal_pipes); - - TALLOC_FREE(frame); -- - } - -- internal_pipes = domain->backend_data.samr_pipes; -- - if (samr_domain_hnd) { - *samr_domain_hnd = internal_pipes->samr_domain_hnd; - } --- -2.35.1 - - -From d57f54deef45c638093717378adc1a0743699ae8 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:31:45 +0200 -Subject: [PATCH 3/4] s3:winbind: Do not use domain's private data to store the - ADS_STRUCT - -The ADS_STRUCT is not allocated using talloc and there are many places -casting this pointer directly so use a typed pointer. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3cb256439e9ceece26c2de82293c43486543e0cb) ---- - source3/winbindd/winbindd.h | 2 ++ - source3/winbindd/winbindd_ads.c | 10 +++++----- - source3/winbindd/winbindd_ndr.c | 3 +++ - source3/winbindd/winbindd_pam.c | 6 ++---- - 4 files changed, 12 insertions(+), 9 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index 762844502e5..3cc88367b90 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -44,6 +44,7 @@ - #define WB_REPLACE_CHAR '_' - - struct winbind_internal_pipes; -+struct ads_struct; - - struct winbindd_cli_state { - struct winbindd_cli_state *prev, *next; /* Linked list pointers */ -@@ -161,6 +162,7 @@ struct winbindd_domain { - - struct { - struct winbind_internal_pipes *samr_pipes; -+ struct ads_struct *ads_conn; - } backend_data; - - /* A working DC */ -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 6f01ef6e334..d350f160223 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -269,10 +269,10 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - } - - DEBUG(10,("ads_cached_connection\n")); -- ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data); -+ ads_cached_connection_reuse(&domain->backend_data.ads_conn); - -- if (domain->private_data) { -- return (ADS_STRUCT *)domain->private_data; -+ if (domain->backend_data.ads_conn != NULL) { -+ return domain->backend_data.ads_conn; - } - - /* the machine acct password might have change - fetch it every time */ -@@ -303,7 +303,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - } - - status = ads_cached_connection_connect( -- (ADS_STRUCT **)&domain->private_data, -+ &domain->backend_data.ads_conn, - domain->alt_name, - domain->name, NULL, - password, realm, -@@ -322,7 +322,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) - return NULL; - } - -- return (ADS_STRUCT *)domain->private_data; -+ return domain->backend_data.ads_conn; - } - - /* Query display info for a realm. This is the basic user list fn */ -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 36901776b98..94ce9d73747 100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -147,6 +147,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_ptr(ndr, - "backend_data.samr_pipes", - r->backend_data.samr_pipes); -+ ndr_print_ptr(ndr, -+ "backend_data.ads_conn", -+ r->backend_data.ads_conn); - ndr_print_string(ndr, "dcname", r->dcname); - ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); - ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 1a2628b50ba..5505220335f 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -677,7 +677,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - fstring name_namespace, name_domain, name_user; - time_t ticket_lifetime = 0; - time_t renewal_until = 0; -- ADS_STRUCT *ads; - time_t time_offset = 0; - const char *user_ccache_file; - struct PAC_LOGON_INFO *logon_info = NULL; -@@ -716,9 +715,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - /* 2nd step: - * get kerberos properties */ - -- if (domain->private_data) { -- ads = (ADS_STRUCT *)domain->private_data; -- time_offset = ads->auth.time_offset; -+ if (domain->backend_data.ads_conn != NULL) { -+ time_offset = domain->backend_data.ads_conn->auth.time_offset; - } - - --- -2.35.1 - - -From e32528fd5abbace15b3aad2c7cec8d9c6ade7bf7 Mon Sep 17 00:00:00 2001 -From: Samuel Cabrero -Date: Wed, 13 Apr 2022 11:34:18 +0200 -Subject: [PATCH 4/4] s3:winbind: Remove no longer used domain's private_data - pointer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 - -Signed-off-by: Samuel Cabrero -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb) ---- - source3/winbindd/winbindd.h | 4 ---- - source3/winbindd/winbindd_ndr.c | 1 - - 2 files changed, 5 deletions(-) - -diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h -index 3cc88367b90..fe286a9a686 100644 ---- a/source3/winbindd/winbindd.h -+++ b/source3/winbindd/winbindd.h -@@ -156,10 +156,6 @@ struct winbindd_domain { - */ - struct winbindd_methods *backend; - -- /* Private data for the backends (used for connection cache) */ -- -- void *private_data; -- - struct { - struct winbind_internal_pipes *samr_pipes; - struct ads_struct *ads_conn; -diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c -index 94ce9d73747..b393586a692 100644 ---- a/source3/winbindd/winbindd_ndr.c -+++ b/source3/winbindd/winbindd_ndr.c -@@ -143,7 +143,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, - ndr_print_time_t(ndr, "startup_time", r->startup_time); - ndr_print_bool(ndr, "startup", r->startup); - ndr_print_winbindd_methods(ndr, "backend", r->backend); -- ndr_print_ptr(ndr, "private_data", r->private_data); - ndr_print_ptr(ndr, - "backend_data.samr_pipes", - r->backend_data.samr_pipes); --- -2.35.1 - diff --git a/SOURCES/samba-4-15-smbd-upn.patch b/SOURCES/samba-4-15-smbd-upn.patch deleted file mode 100644 index 703a7d6..0000000 --- a/SOURCES/samba-4-15-smbd-upn.patch +++ /dev/null @@ -1,273 +0,0 @@ -From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:10:56 +0200 -Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884) ---- - source3/passdb/lookup_sid.c | 18 +++++++++--------- - 1 file changed, 9 insertions(+), 9 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index a551bcfd24a..3a28cdc68a6 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -1,4 +1,4 @@ --/* -+/* - Unix SMB/CIFS implementation. - uid/user handling - Copyright (C) Andrew Tridgell 1992-1998 -@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid) - If an explicit domain name was given in the form domain\user, it - has to try that. If no explicit domain name was given, we have - to do guesswork. --*****************************************************************/ -+*****************************************************************/ - - bool lookup_name(TALLOC_CTX *mem_ctx, - const char *full_name, int flags, -@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx, - goto ok; - } - -- /* 6. Builtin aliases */ -+ /* 6. Builtin aliases */ - - if ((flags & LOOKUP_NAME_BUILTIN) && - lookup_builtin_name(name, &rid)) -@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, - } - - /* First build up the data structures: -- * -+ * - * dom_infos is a list of domains referenced in the list of - * SIDs. Later we will walk the list of domains and look up the RIDs - * in bulk. -@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, - - /***************************************************************** - *THE CANONICAL* convert SID to name function. --*****************************************************************/ -+*****************************************************************/ - - bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - const char **ret_domain, const char **ret_name, -@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - goto done; - } - -- if ((ret_name != NULL) && -+ if ((ret_name != NULL) && - !(*ret_name = talloc_strdup(mem_ctx, name->name))) { - goto done; - } -@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, - - /***************************************************************** - *THE LEGACY* convert SID to id function. --*****************************************************************/ -+*****************************************************************/ - - static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) - { -@@ -1465,7 +1465,7 @@ fail: - - /***************************************************************** - *THE CANONICAL* convert SID to uid function. --*****************************************************************/ -+*****************************************************************/ - - bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) - { -@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) - /***************************************************************** - *THE CANONICAL* convert SID to gid function. - Group mapping is used for gids that maps to Wellknown SIDs --*****************************************************************/ -+*****************************************************************/ - - bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid) - { --- -2.36.0 - - -From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:12:02 +0200 -Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name() - -This address an issue if sssd is running and handling nsswitch. If we look up -a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd -structure. We need to be able to deal with that. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83) ---- - source3/passdb/lookup_sid.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index 3a28cdc68a6..c14d7a7b123 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx, - PTR_DIFF(p, full_name)); - name = talloc_strdup(tmp_ctx, p+1); - } else { -- domain = talloc_strdup(tmp_ctx, ""); -- name = talloc_strdup(tmp_ctx, full_name); -+ char *q = strchr_m(full_name, '@'); -+ -+ /* Set the domain for UPNs */ -+ if (q != NULL) { -+ name = talloc_strndup(tmp_ctx, -+ full_name, -+ PTR_DIFF(q, full_name)); -+ domain = talloc_strdup(tmp_ctx, q + 1); -+ } else { -+ domain = talloc_strdup(tmp_ctx, ""); -+ name = talloc_strdup(tmp_ctx, full_name); -+ } - } - - if ((domain == NULL) || (name == NULL)) { --- -2.36.0 - - -From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 12:26:25 +0200 -Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in - lookup_name_smbconf() - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27) ---- - source3/passdb/lookup_sid.c | 12 +++++------- - 1 file changed, 5 insertions(+), 7 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index c14d7a7b123..dbea5578f92 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - const char **ret_domain, const char **ret_name, - struct dom_sid *ret_sid, enum lsa_SidType *ret_type) - { -- char *qualified_name; -+ char *qualified_name = NULL; - const char *p; - - if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { -@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - /* The name is already qualified with a domain. */ - - if (*lp_winbind_separator() != '\\') { -- char *tmp; -- - /* lookup_name() needs '\\' as a separator */ - -- tmp = talloc_strdup(mem_ctx, full_name); -- if (!tmp) { -+ qualified_name = talloc_strdup(mem_ctx, full_name); -+ if (qualified_name == NULL) { - return false; - } -- tmp[p - full_name] = '\\'; -- full_name = tmp; -+ qualified_name[p - full_name] = '\\'; -+ full_name = qualified_name; - } - - return lookup_name(mem_ctx, full_name, flags, --- -2.36.0 - - -From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:24:10 +0200 -Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf() - -This will be changed to support UPNs too in the next patch. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc) ---- - source3/passdb/lookup_sid.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index dbea5578f92..de9dd123239 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - struct dom_sid *ret_sid, enum lsa_SidType *ret_type) - { - char *qualified_name = NULL; -- const char *p; -+ const char *p = strchr_m(full_name, *lp_winbind_separator()); -+ bool is_qualified = p != NULL; - -- if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { -+ if (is_qualified) { - - /* The name is already qualified with a domain. */ - -- if (*lp_winbind_separator() != '\\') { -+ if (p != NULL && *lp_winbind_separator() != '\\') { - /* lookup_name() needs '\\' as a separator */ - - qualified_name = talloc_strdup(mem_ctx, full_name); --- -2.36.0 - - -From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 26 Apr 2022 07:39:12 +0200 -Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in - lookup_name_smbconf() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554) ---- - source3/passdb/lookup_sid.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index de9dd123239..426ea3f81bd 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, - { - char *qualified_name = NULL; - const char *p = strchr_m(full_name, *lp_winbind_separator()); -- bool is_qualified = p != NULL; -+ bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL; - -+ /* For DOMAIN\user or user@REALM directly call lookup_name(). */ - if (is_qualified) { - - /* The name is already qualified with a domain. */ --- -2.36.0 - diff --git a/SOURCES/samba-4-15-username-map.patch b/SOURCES/samba-4-15-username-map.patch deleted file mode 100644 index 0687115..0000000 --- a/SOURCES/samba-4-15-username-map.patch +++ /dev/null @@ -1,321 +0,0 @@ -From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 1 Apr 2022 15:56:30 +0200 -Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a) ---- - selftest/target/Samba3.pm | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 62fb3d1e39e..b0ea9804c50 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss - my $extra_member_options = " - # bob:x:65521:65531:localbob gecos:/:/bin/false - # jane:x:65520:65531:localjane gecos:/:/bin/false -+ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false -+ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false - idmap config $dcvars->{DOMAIN} : backend = nss -- idmap config $dcvars->{DOMAIN} : range = 65520-65521 -+ idmap config $dcvars->{DOMAIN} : range = 65518-65521 - - # Support SMB1 so that we can use posix_whoami(). - client min protocol = CORE -@@ -2532,6 +2534,8 @@ sub provision($$) - my ($uid_slashuser); - my ($uid_localbob); - my ($uid_localjane); -+ my ($uid_localjackthemapper); -+ my ($uid_localjacknomapper); - - if ($unix_uid < 0xffff - 13) { - $max_uid = 0xffff; -@@ -2554,6 +2558,8 @@ sub provision($$) - $uid_slashuser = $max_uid - 13; - $uid_localbob = $max_uid - 14; - $uid_localjane = $max_uid - 15; -+ $uid_localjackthemapper = $max_uid - 16; -+ $uid_localjacknomapper = $max_uid - 17; - - if ($unix_gids[0] < 0xffff - 8) { - $max_gid = 0xffff; -@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false - slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false - bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false - jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false -+jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false -+jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false - "; - if ($unix_uid != 0) { - print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false -@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user: - createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); - createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); - createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); -+ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); -+ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); - - open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); - print DNS_UPDATE_LIST "A $server. $server_ip\n"; --- -2.34.1 - - -From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 08:30:23 +0200 -Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and - "jacknomappergroup" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d) ---- - selftest/target/Samba3.pm | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b0ea9804c50..131034a0e07 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -2527,6 +2527,8 @@ sub provision($$) - my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); - my ($gid_userdup, $gid_everyone); - my ($gid_force_user); -+ my ($gid_jackthemapper); -+ my ($gid_jacknomapper); - my ($uid_user1); - my ($uid_user2); - my ($uid_gooduser); -@@ -2575,6 +2577,8 @@ sub provision($$) - $gid_userdup = $max_gid - 6; - $gid_everyone = $max_gid - 7; - $gid_force_user = $max_gid - 8; -+ $gid_jackthemapper = $max_gid - 9; -+ $gid_jacknomapper = $max_gid - 10; - - ## - ## create conffile -@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins: - userdup:x:$gid_userdup:$unix_name - everyone:x:$gid_everyone: - force_user:x:$gid_force_user: -+jackthemappergroup:x:$gid_jackthemapper:jackthemapper -+jacknomappergroup:x:$gid_jacknomapper:jacknomapper - "; - if ($unix_gids[0] != 0) { - print GROUP "root:x:$gid_root: --- -2.34.1 - - -From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 08:31:41 +0200 -Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for - jackthemappergroup -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Only for environment ad_member_idmap_nss. - -* !jacknompapper = \@jackthemappergroup - jackthemaper from group jackthemappergroup is mapped to jacknompapper - -* !root = jacknomappergroup - since there is no '@' or '+' prefix, it is not an UNIX group mapping - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979) ---- - selftest/target/Samba3.pm | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 131034a0e07..8d309f9c99a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss - - open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); - print USERMAP " -+!jacknomapper = \@jackthemappergroup -+!root = jacknomappergroup - root = $dcvars->{DOMAIN}/root - bob = $dcvars->{DOMAIN}/bob - "; --- -2.34.1 - - -From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 5 Apr 2022 14:04:52 +0200 -Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power -(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0) ---- - selftest/knownfail.d/usernamemap | 1 + - source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++ - source3/selftest/tests.py | 2 ++ - 3 files changed, 31 insertions(+) - create mode 100644 selftest/knownfail.d/usernamemap - create mode 100755 source3/script/tests/test_usernamemap.sh - -diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap -new file mode 100644 -index 00000000000..1c720fe892d ---- /dev/null -+++ b/selftest/knownfail.d/usernamemap -@@ -0,0 +1 @@ -+samba3.blackbox.smbclient_usernamemap.jacknomapper -diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh -new file mode 100755 -index 00000000000..3a3344a8781 ---- /dev/null -+++ b/source3/script/tests/test_usernamemap.sh -@@ -0,0 +1,28 @@ -+#!/bin/sh -+# -+# Copyright (c) 2022 Pavel Filipenský -+# -+# Tests for "username map" smb.conf parameter for UNIX groups -+ -+if [ $# -lt 2 ]; then -+cat < -Date: Fri, 25 Mar 2022 11:11:50 +0100 -Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Noel Power - -Autobuild-User(master): Noel Power -Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 - -(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4) ---- - selftest/knownfail.d/usernamemap | 1 - - source3/auth/user_util.c | 12 +++++++----- - 2 files changed, 7 insertions(+), 6 deletions(-) - delete mode 100644 selftest/knownfail.d/usernamemap - -diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap -deleted file mode 100644 -index 1c720fe892d..00000000000 ---- a/selftest/knownfail.d/usernamemap -+++ /dev/null -@@ -1 +0,0 @@ --samba3.blackbox.smbclient_usernamemap.jacknomapper -diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c -index 70b4f320c5e..aa765c2a692 100644 ---- a/source3/auth/user_util.c -+++ b/source3/auth/user_util.c -@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) - return false; - } - -- DBG_DEBUG("Checking user %s in list\n", user); -- - while (*list) { - const char *p = *list; -- bool ok; -+ bool check_unix_group = false; -+ -+ DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); - - /* Check raw username */ - if (strequal(user, p)) { -@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) - } - - while (*p == '@' || *p == '&' || *p == '+') { -+ if (*p == '@' || *p == '+') { -+ check_unix_group = true; -+ } - p++; - } - -- ok = user_in_group(user, p); -- if (ok) { -+ if (check_unix_group && user_in_group(user, p)) { - return true; - } - --- -2.34.1 - diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc deleted file mode 100644 index 4e31e62..0000000 --- a/SOURCES/samba-4.15.5.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA -tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX -KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9 -j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt -b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY -0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v -/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj -+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9 -g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y -5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ -f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB -OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo= -=oc6g ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.16-waf-crypto.patch b/SOURCES/samba-4.16-waf-crypto.patch new file mode 100644 index 0000000..337be97 --- /dev/null +++ b/SOURCES/samba-4.16-waf-crypto.patch @@ -0,0 +1,77 @@ +From 41d3efebcf6abab9119f9b0f97c86c1c48739fee Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:24:04 +0200 +Subject: [PATCH 1/2] waf: Check for GnuTLS earlier + +As GnuTLS is an essential part we need to check for it early so we can react on +GnuTLS features in other wscripts. + +Signed-off-by: Andreas Schneider +--- + wscript | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/wscript b/wscript +index d8220b35095..5b85d9a1682 100644 +--- a/wscript ++++ b/wscript +@@ -189,6 +189,8 @@ def configure(conf): + conf.RECURSE('dynconfig') + conf.RECURSE('selftest') + ++ conf.PROCESS_SEPARATE_RULE('system_gnutls') ++ + conf.CHECK_CFG(package='zlib', minversion='1.2.3', + args='--cflags --libs', + mandatory=True) +@@ -297,8 +299,6 @@ def configure(conf): + if not conf.CONFIG_GET('KRB5_VENDOR'): + conf.PROCESS_SEPARATE_RULE('embedded_heimdal') + +- conf.PROCESS_SEPARATE_RULE('system_gnutls') +- + conf.RECURSE('source4/dsdb/samdb/ldb_modules') + conf.RECURSE('source4/ntvfs/sysdep') + conf.RECURSE('lib/util') +-- +2.35.1 + + +From 63701a28116afc1550c23cb5f7b9d6e366fd1270 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 4 Apr 2022 11:25:31 +0200 +Subject: [PATCH 2/2] third_party:waf: Do not recurse in aesni-intel if GnuTLS + provides the cipher + +Signed-off-by: Andreas Schneider +--- + third_party/wscript | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/third_party/wscript b/third_party/wscript +index 1f4bc1ce1d7..a17c15bcaa7 100644 +--- a/third_party/wscript ++++ b/third_party/wscript +@@ -5,7 +5,8 @@ from waflib import Options + def configure(conf): + conf.RECURSE('cmocka') + conf.RECURSE('popt') +- conf.RECURSE('aesni-intel') ++ if not conf.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ conf.RECURSE('aesni-intel') + if conf.CONFIG_GET('ENABLE_SELFTEST'): + conf.RECURSE('socket_wrapper') + conf.RECURSE('nss_wrapper') +@@ -18,7 +19,8 @@ def configure(conf): + def build(bld): + bld.RECURSE('cmocka') + bld.RECURSE('popt') +- bld.RECURSE('aesni-intel') ++ if not bld.CONFIG_SET('HAVE_GNUTLS_AES_CMAC'): ++ bld.RECURSE('aesni-intel') + if bld.CONFIG_GET('SOCKET_WRAPPER'): + bld.RECURSE('socket_wrapper') + if bld.CONFIG_GET('NSS_WRAPPER'): +-- +2.35.1 + diff --git a/SOURCES/samba-4.16.4.tar.asc b/SOURCES/samba-4.16.4.tar.asc new file mode 100644 index 0000000..96aba0e --- /dev/null +++ b/SOURCES/samba-4.16.4.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmLg520ACgkQqplEL7aA +tiBsuA//ZqQhoz1unYEMk6tqu528xGweYd488gjdKkszWPCI5NmGbmvN/tbhUIc3 +WbJO8oPEFN81+a0b7nsKxpgDt8IR00rx4mA3A5rh+Z1PTbUWpjBxchTsXZsEaDaE +dA/pRes+rzDpjLg2VWAd+5SDwy1d5ZfZ+gX/qntfpgYLqiBfJNJJPxCEFqnG1IUF +xaWwKQNuduq89Wr3LabSCjx4IMQEABr8VN+WZG5JhmKBaad1I5tOBOFypLS0iKUX +bGsMr3itdKFvYmAFM2ZbY/Q7DZb5GIUvNOqyRcBYQe33tqS2GYjEHS0tbXoNP5l2 +gQcs3FiebX6Bi4I6EoFL380LLG1zskCV5xRtGIvrW7SOKCnkaswuxlHEQSVWFc0A +2aZmT7RaKYwtm+0kD+Fq3PWBwPvLBgiCP9oohfOgqrW9VnIJNbyCyJcBbK8snS0a +KIfr+hM+ccNBVhmpFWRjA0WkVW9d9/tcDFN63nTQJkZg4cXZboMVO7fjmo4U1oJK +qIVU5Xr0e5TXLNWguvr6t03CUvtfgBHMYFrHRX4HJTN7Z3m4WxAYt+jspIavQP/S +muj4g/INYmjZmBG2f9mign6Tt3MtOtHlymMFAJ1t1e+9B5v1dkmO4T6ffqbDgvg5 +bnAFUM5+bzW81DGJNbITDSNBU7PokwP4cQBNTVtgK38DW4BiPO8= +=6kYO +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-ctdb-etcd-reclock.patch b/SOURCES/samba-ctdb-etcd-reclock.patch deleted file mode 100644 index 2a55408..0000000 --- a/SOURCES/samba-ctdb-etcd-reclock.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001 -From: Martin Schwenke -Date: Tue, 27 Apr 2021 15:46:14 +1000 -Subject: [PATCH] utils: Use Python 3 - -Due to the number of flake8 and pylint warnings it is unclear if the -source has Python 3 incompatibilities. These will be cleaned up in -subsequent commits. - -Signed-off-by: "L.P.H. van Belle" -Reviewed-by: Martin Schwenke -Reviewed-by: David Disseldorp -Reviewed-by: Jose A. Rivera ---- - ctdb/utils/etcd/ctdb_etcd_lock | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock -index 000c6bb7208..7f5194eff0a 100755 ---- a/ctdb/utils/etcd/ctdb_etcd_lock -+++ b/ctdb/utils/etcd/ctdb_etcd_lock -@@ -1,4 +1,4 @@ --#!/usr/bin/python -+#!/usr/bin/env python3 - # - # This program is free software: you can redistribute it and/or modify - # it under the terms of the GNU General Public License as published by --- -2.31.1 - diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch deleted file mode 100644 index d80e85b..0000000 --- a/SOURCES/samba-disable-ntlmssp.patch +++ /dev/null @@ -1,764 +0,0 @@ -From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 10 Dec 2021 16:08:04 +0100 -Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) ---- - source3/utils/net_ads.c | 22 +++++++++++++++++++++- - 1 file changed, 21 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 6ab4a0096b1..8f993f9ba4c 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, - char *cp; - const char *realm = NULL; - bool tried_closest_dc = false; -+ enum credentials_use_kerberos krb5_state = -+ CRED_USE_KERBEROS_DISABLED; - - /* lp_realm() should be handled by a command line param, - However, the join requires that realm be set in smb.conf -@@ -650,10 +652,28 @@ retry: - ads->auth.password = smb_xstrdup(c->opt_password); - } - -- ads->auth.flags |= auth_flags; - SAFE_FREE(ads->auth.user_name); - ads->auth.user_name = smb_xstrdup(c->opt_user_name); - -+ ads->auth.flags |= auth_flags; -+ -+ /* The ADS code will handle FIPS mode */ -+ krb5_state = cli_credentials_get_kerberos_state(c->creds); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } -+ - /* - * If the username is of the form "name@realm", - * extract the realm and convert to upper case. --- -2.33.1 - - -From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Wed, 8 Dec 2021 16:05:17 +0100 -Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 60fa2bf80cb..b91e2d15bcf 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -1,18 +1,18 @@ --/* -+/* - Unix SMB/CIFS implementation. - ads sasl code - Copyright (C) Andrew Tridgell 2001 -- -+ - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. -- -+ - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. -- -+ - You should have received a copy of the GNU General Public License - along with this program. If not, see . - */ -@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { - .disconnect = ads_sasl_gensec_disconnect - }; - --/* -+/* - perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can - we fit on one socket??) - */ -@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, - - #endif /* HAVE_KRB5 */ - --/* -+/* - this performs a SASL/SPNEGO bind - */ - static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) -@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - file_save("sasl_spnego.dat", blob.data, blob.length); - #endif - -- /* the server sent us the first part of the SPNEGO exchange in the negprot -+ /* the server sent us the first part of the SPNEGO exchange in the negprot - reply */ - if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || - OIDs[0] == NULL) { -@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - #ifdef HAVE_KRB5 - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && -- got_kerberos_mechanism) -+ got_kerberos_mechanism) - { - mech = "KRB5"; - -@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - "calling kinit\n", ads_errstr(status))); - } - -- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); -+ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", -@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - } - - /* only fallback to NTLMSSP if allowed */ -- if (ADS_ERR_OK(status) || -+ if (ADS_ERR_OK(status) || - !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { - goto done; - } -@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - #endif - - /* lets do NTLMSSP ... this has the big advantage that we don't need -- to sync clocks, and we don't rely on special versions of the krb5 -+ to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", --- -2.33.1 - - -From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Thu, 9 Dec 2021 13:43:08 +0100 -Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) ---- - source3/libads/sasl.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index b91e2d15bcf..992f7022a69 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - - DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " - "for %s/%s with user[%s] realm[%s]: %s, " -- "fallback to NTLMSSP\n", -+ "try to fallback to NTLMSSP\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - to sync clocks, and we don't rely on special versions of the krb5 - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; -+ -+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { -+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" -+ " disallowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_USE_KERBEROS_DISABLED, - p.service, p.hostname, --- -2.33.1 - - -From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 7 Jan 2022 10:31:19 +0100 -Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) ---- - source3/libads/sasl.c | 22 +++++++++++----------- - 1 file changed, 11 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 992f7022a69..ea98aa47ecd 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - p.service, p.hostname, - blob); - if (!ADS_ERR_OK(status)) { -- DEBUG(0,("kinit succeeded but " -- "ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s\n", -+ DBG_ERR("kinit succeeded but " -+ "SPNEGO bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s\n", - p.service, p.hostname, - ads->auth.user_name, - ads->auth.realm, -- ads_errstr(status))); -+ ads_errstr(status)); - } - } - -@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - goto done; - } - -- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " -- "for %s/%s with user[%s] realm[%s]: %s, " -- "try to fallback to NTLMSSP\n", -- p.service, p.hostname, -- ads->auth.user_name, -- ads->auth.realm, -- ads_errstr(status))); -+ DBG_WARNING("SASL bind with Kerberos failed " -+ "for %s/%s - user[%s], realm[%s]: %s, " -+ "try to fallback to NTLMSSP\n", -+ p.service, p.hostname, -+ ads->auth.user_name, -+ ads->auth.realm, -+ ads_errstr(status)); - } - #endif - --- -2.33.1 - - -From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 11:13:06 +0100 -Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds - without kerberos) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) ---- - source3/libads/sasl.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index ea98aa47ecd..1bcfe0490a8 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - library for HMAC_MD4 encryption */ - mech = "NTLMSSP"; - -+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { -+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); -+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); -+ goto done; -+ } -+ - if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { - DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" - " disallowed.\n"); --- -2.33.1 - - -From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 3 Jan 2022 15:33:46 +0100 -Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) ---- - .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ - 1 file changed, 41 insertions(+) - create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh - -diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -new file mode 100755 -index 00000000000..2822ab29d14 ---- /dev/null -+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh -@@ -0,0 +1,41 @@ -+#!/bin/sh -+# Blackbox tests for diabing NTLMSSP for ldap clinet connections -+# Copyright (c) 2022 Pavel Filipenský -+ -+if [ $# -lt 2 ]; then -+cat <&1 || failed=`expr $failed + 1` -+ -+# We should be allowed to use NTLM for connecting -+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+GNUTLS_FORCE_FIPS_MODE=1 -+export GNUTLS_FORCE_FIPS_MODE -+ -+# Checks that testparm reports: Weak crypto is disallowed -+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` -+ -+# We should not be allowed to use NTLM for connecting -+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` -+ -+unset GNUTLS_FORCE_FIPS_MODE -+ -+exit $failed --- -2.33.1 - - -From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 4 Jan 2022 12:00:20 +0100 -Subject: [PATCH 07/10] s4:selftest: plan test suite - samba4.blackbox.test_weak_disable_ntlmssp_ldap -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) ---- - source4/selftest/tests.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 1e4b2ae6dd3..3a6a716f061 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo - - if have_gnutls_fips_mode_support: - plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) -+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) - - for env in ["ad_dc_fips", "ad_member_fips"]: - plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) --- -2.33.1 - - -From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:47:38 +0100 -Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) ---- - source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- - 1 file changed, 19 insertions(+), 19 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 948c903f165..e415df347e6 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("query_user_list: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * According to Section 5.1(4) of RFC 2251 if a value of a type is it's - * default value, it MUST be absent. In case of extensible matching the - * "dnattr" boolean defaults to FALSE and so it must be only be present -- * when set to TRUE. -+ * when set to TRUE. - * - * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a - * filter using bitwise matching rule then the buggy AD fails to decode -@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - * - * Thanks to Ralf Haferkamp for input and testing - Guenther */ - -- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", -+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", - ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, -- ADS_LDAP_MATCHING_RULE_BIT_AND, -+ ADS_LDAP_MATCHING_RULE_BIT_AND, - enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); - - if (filter == NULL) { -@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, - DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); - - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, - struct wb_acct_info **info) - { - /* -- * This is a stub function only as we returned the domain -+ * This is a stub function only as we returned the domain - * local groups in enum_dom_groups() if the domain->native field - * was true. This is a simple performance optimization when - * using LDAP. - * -- * if we ever need to enumerate domain local groups separately, -+ * if we ever need to enumerate domain local groups separately, - * then this optimization in enum_dom_groups() will need - * to be split out - */ -@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, - tokenGroups are not available. */ - static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - TALLOC_CTX *mem_ctx, -- const char *user_dn, -+ const char *user_dn, - struct dom_sid *primary_group, - uint32_t *p_num_groups, struct dom_sid **user_sids) - { -@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - if ( !winbindd_can_contact_domain( domain ) ) { - DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", -- domain->name)); -+ domain->name)); - return NT_STATUS_OK; - } - -@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, - - DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); - done: -- if (res) -+ if (res) - ads_msgfree(ads, res); - - return status; -@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - if (count != 1) { - status = NT_STATUS_UNSUCCESSFUL; - DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " -- "invalid number of results (count=%d)\n", -+ "invalid number of results (count=%d)\n", - dom_sid_str_buf(sid, &buf), - count)); - goto done; - } - - if (!msg) { -- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", -+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", - dom_sid_str_buf(sid, &buf))); - status = NT_STATUS_UNSUCCESSFUL; - goto done; -@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - } - - if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { -- DEBUG(1,("%s: No primary group for sid=%s !?\n", -+ DEBUG(1,("%s: No primary group for sid=%s !?\n", - domain->name, - dom_sid_str_buf(sid, &buf))); - goto done; -@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - - count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); - -- /* there must always be at least one group in the token, -+ /* there must always be at least one group in the token, - unless we are talking to a buggy Win2k server */ - - /* actually this only happens when the machine account has no read -@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, - /* lookup what groups this user is a member of by DN search on - * "member" */ - -- status = lookup_usergroups_member(domain, mem_ctx, user_dn, -+ status = lookup_usergroups_member(domain, mem_ctx, user_dn, - &primary_group, - &num_groups, user_sids); - *p_num_groups = num_groups; -@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, - DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " - "not map any SIDs at all.\n")); - /* Don't handle this as an error here. -- * There is nothing left to do with respect to the -+ * There is nothing left to do with respect to the - * overall result... */ - } - else if (!NT_STATUS_IS_OK(status)) { -@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, - NETR_TRUST_FLAG_IN_FOREST; - } else { - flags = NETR_TRUST_FLAG_IN_FOREST; -- } -+ } - - result = cm_connect_netlogon(domain, &cli); - - if (!NT_STATUS_IS_OK(result)) { - DEBUG(5, ("trusted_domains: Could not open a connection to %s " -- "for PIPE_NETLOGON (%s)\n", -+ "for PIPE_NETLOGON (%s)\n", - domain->name, nt_errstr(result))); - return NT_STATUS_UNSUCCESSFUL; - } --- -2.33.1 - - -From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 18 Jan 2022 19:44:54 +0100 -Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) ---- - source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index e415df347e6..6f01ef6e334 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -34,6 +34,7 @@ - #include "../libds/common/flag_mapping.h" - #include "libsmb/samlogon_cache.h" - #include "passdb.h" -+#include "auth/credentials/credentials.h" - - #ifdef HAVE_ADS - -@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ADS_STATUS status; - struct sockaddr_storage dc_ss; - fstring dc_name; -+ enum credentials_use_kerberos krb5_state; - - if (auth_realm == NULL) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); -@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - ads->auth.renewable = renewable; - ads->auth.password = password; - -- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. */ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - ads->auth.realm = SMB_STRDUP(auth_realm); - if (!strupper_m(ads->auth.realm)) { --- -2.33.1 - - -From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Fri, 21 Jan 2022 12:01:33 +0100 -Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS - mode -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 - -Pair-Programmed-With: Andreas Schneider - -Signed-off-by: Pavel Filipenský -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 - -(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) ---- - source3/libnet/libnet_join.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 02705f1c70c..4c67e9af5c4 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - ADS_STATUS status; - ADS_STRUCT *my_ads = NULL; - char *cp; -+ enum credentials_use_kerberos krb5_state; - - my_ads = ads_init(dns_domain_name, - netbios_domain_name, -@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ /* In FIPS mode, client use kerberos is forced to required. */ -+ krb5_state = lp_client_use_kerberos(); -+ switch (krb5_state) { -+ case CRED_USE_KERBEROS_REQUIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DESIRED: -+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ case CRED_USE_KERBEROS_DISABLED: -+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ break; -+ } - - if (user_name) { - SAFE_FREE(my_ads->auth.user_name); --- -2.33.1 - diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch deleted file mode 100644 index 9e57630..0000000 --- a/SOURCES/samba-disable-systemd-notifications.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 -From: "FeRD (Frank Dana)" -Date: Mon, 24 Jan 2022 22:14:31 -0500 -Subject: [PATCH] printing/bgqd: Disable systemd notifications - -samba-bgqd daemon is started by existing Samba daemons. When running -under systemd, those daemons control systemd notifications and -samba-bgqd messages need to be silenced. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 - -Signed-off-by: FeRD (Frank Dana) -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) ---- - source3/printing/samba-bgqd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c -index f21327fc622..59ed0cc40db 100644 ---- a/source3/printing/samba-bgqd.c -+++ b/source3/printing/samba-bgqd.c -@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) - - log_stdout = (debug_get_log_type() == DEBUG_STDOUT); - -+ /* main process will notify systemd */ -+ daemon_sd_notifications(false); -+ - if (!cmdline_daemon_cfg->fork) { - daemon_status(progname, "Starting process ... "); - } else { --- -2.34.1 - diff --git a/SOURCES/samba-glibc-dns.patch b/SOURCES/samba-glibc-dns.patch deleted file mode 100644 index c01d481..0000000 --- a/SOURCES/samba-glibc-dns.patch +++ /dev/null @@ -1,64 +0,0 @@ -From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 7 Oct 2021 15:55:37 +0200 -Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34 - -With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper -anymore. The res_* symbols have been moved from libresolv to libc. We are not -able to intercept any traffic inside of libc. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - selftest/wscript | 2 +- - third_party/resolv_wrapper/wscript | 13 +++++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/selftest/wscript b/selftest/wscript -index a6be06c2ae9..85d9338489a 100644 ---- a/selftest/wscript -+++ b/selftest/wscript -@@ -252,7 +252,7 @@ def cmd_testonly(opt): - if os.environ.get('USE_NAMESPACES') is None: - env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') - -- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'): -+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): - env.OPTIONS += " --use-dns-faking" - - if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): -diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript -index a7f18389b0f..7e369bd90b5 100644 ---- a/third_party/resolv_wrapper/wscript -+++ b/third_party/resolv_wrapper/wscript -@@ -1,6 +1,7 @@ - #!/usr/bin/env python - - import os -+from waflib import Logs - - VERSION="1.1.7" - -@@ -49,6 +50,18 @@ def configure(conf): - if conf.CONFIG_SET('HAVE_RES_NCLOSE'): - conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1) - -+ # If we find res_nquery in libc, we can't do resolv.conf redirect -+ conf.CHECK_FUNCS('res_nquery __res_nquery') -+ if (conf.CONFIG_SET('HAVE_RES_NQUERY') -+ or conf.CONFIG_SET('HAVE___RES_NQUERY')): -+ Logs.warn("Detection for resolv_wrapper: " -+ "Only dns faking will be available") -+ else: -+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'): -+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) -+ - conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True) - conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True) --- -2.33.1 - diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch deleted file mode 100644 index 5dee86c..0000000 --- a/SOURCES/samba-password-change-prompt.patch +++ /dev/null @@ -1,100 +0,0 @@ -From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 17 Nov 2021 09:56:09 +0100 -Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to - off). - -This change disables the prompt for the change of an expired password by -default (using the PAM_RADIO_TYPE mechanism if present). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider -(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) ---- - docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ - nsswitch/pam_winbind.c | 12 ++++++++++-- - nsswitch/pam_winbind.h | 1 + - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml -index 0bc288f91a1..bae9298fc32 100644 ---- a/docs-xml/manpages/pam_winbind.conf.5.xml -+++ b/docs-xml/manpages/pam_winbind.conf.5.xml -@@ -194,6 +194,13 @@ - - - -+ -+ pwd_change_prompt = yes|no -+ -+ Generate prompt for changing an expired password. Defaults to "no". -+ -+ -+ - - - -diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c -index 720a4b90d85..06098dd07d8 100644 ---- a/nsswitch/pam_winbind.c -+++ b/nsswitch/pam_winbind.c -@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, - ctrl |= WINBIND_MKHOMEDIR; - } - -+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; -+ } -+ - config_from_pam: - /* step through arguments */ - for (i=argc,v=argv; i-- > 0; ++v) { -@@ -522,6 +526,8 @@ config_from_pam: - else if (!strncasecmp(*v, "warn_pwd_expire", - strlen("warn_pwd_expire"))) - ctrl |= WINBIND_WARN_PWD_EXPIRE; -+ else if (!strcasecmp(*v, "pwd_change_prompt")) -+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; - else if (type != PAM_WINBIND_CLEANUP) { - __pam_log(pamh, ctrl, LOG_ERR, - "pam_parse: unknown option: %s", *v); -@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. - */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, - * successfully sent the warning message. - * Give the user a chance to change pwd. - */ -- if (ret == PAM_SUCCESS) { -+ if (ret == PAM_SUCCESS && -+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { - if (change_pwd) { - retval = _pam_winbind_change_pwd(ctx); - if (retval) { -diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h -index c6786d65a4d..2f4a25729bd 100644 ---- a/nsswitch/pam_winbind.h -+++ b/nsswitch/pam_winbind.h -@@ -157,6 +157,7 @@ do { \ - #define WINBIND_WARN_PWD_EXPIRE 0x00002000 - #define WINBIND_MKHOMEDIR 0x00004000 - #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 -+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 - - #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) - #define _(string) dgettext(MODULE_NAME, string) --- -2.35.1 - diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch deleted file mode 100644 index d1a6b6a..0000000 --- a/SOURCES/samba-printing-win7.patch +++ /dev/null @@ -1,229 +0,0 @@ -From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 22 Jan 2022 01:08:26 +0100 -Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls - -This is important for the source3/rpc_server code as it might -be called embedded in smbd and may not run as root with access -to our private tdb/ldb files. - -Note this is only really needed for 4.15 and older, as -we no longer run the rpc_server embedded in smbd, -but we better be consistent for now. - -This should be able to fix the problem the printing no longer works -on Windows 7 with 2021-10 monthly rollup patch (KB5006743). - -Windows uses NTLMSSP with privacy at the DCERPC layer on top -of NCACN_NP (smb). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) ---- - librpc/rpc/dcesrv_auth.c | 5 +++++ - librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ - librpc/rpc/dcesrv_core.h | 2 ++ - source3/rpc_server/rpc_config.c | 2 ++ - source4/rpc_server/service_rpc.c | 10 ++++++++++ - 5 files changed, 37 insertions(+) - -diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c -index fec8df513a83..99d8e0162160 100644 ---- a/librpc/rpc/dcesrv_auth.c -+++ b/librpc/rpc/dcesrv_auth.c -@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) - auth->auth_level = call->in_auth_info.auth_level; - auth->auth_context_id = call->in_auth_info.auth_context_id; - -+ cb->auth.become_root(); - status = cb->auth.gensec_prepare( - auth, - call, - &auth->gensec_security, - cb->auth.private_data); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", - nt_errstr(status))); -@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) - NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) - { - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - const char *pdu = ""; - - switch (call->pkt.ptype) { -@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) - return status; - } - -+ cb->auth.become_root(); - status = gensec_session_info(auth->gensec_security, - auth, - &auth->session_info); -+ cb->auth.unbecome_root(); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to establish session_info: %s\n", - nt_errstr(status))); -diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c -index d16159b0b6cd..ea91fc689b4a 100644 ---- a/librpc/rpc/dcesrv_core.c -+++ b/librpc/rpc/dcesrv_core.c -@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - struct dcerpc_binding *ep_2nd_description = NULL; - const char *endpoint = NULL; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct dcerpc_ack_ctx *ack_features = NULL; - struct tevent_req *subreq = NULL; -@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - { - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct tevent_req *subreq = NULL; - NTSTATUS status; - -@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) - return NT_STATUS_OK; - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - struct ncacn_packet *pkt = &call->ack_pkt; - uint32_t extra_flags = 0; - struct dcesrv_auth *auth = call->auth_state; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - struct dcerpc_ack_ctx *ack_ctx_list = NULL; - struct tevent_req *subreq = NULL; - size_t i; -@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) - return dcesrv_auth_reply(call); - } - -+ cb->auth.become_root(); - subreq = gensec_update_send(call, call->event_ctx, - auth->gensec_security, - call->in_auth_info.credentials); -+ cb->auth.unbecome_root(); - if (subreq == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq) - tevent_req_callback_data(subreq, - struct dcesrv_call_state); - struct dcesrv_connection *conn = call->conn; -+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; - NTSTATUS status; - -+ cb->auth.become_root(); - status = gensec_update_recv(subreq, call, - &call->out_auth_info->credentials); -+ cb->auth.unbecome_root(); - TALLOC_FREE(subreq); - - status = dcesrv_auth_complete(call, status); -diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h -index d8d5f9030959..0538442e0ce6 100644 ---- a/librpc/rpc/dcesrv_core.h -+++ b/librpc/rpc/dcesrv_core.h -@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { - struct gensec_security **out, - void *private_data); - void *private_data; -+ void (*become_root)(void); -+ void (*unbecome_root)(void); - } auth; - struct { - NTSTATUS (*find)( -diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c -index 2f1a01da1c0b..289c4f398409 100644 ---- a/source3/rpc_server/rpc_config.c -+++ b/source3/rpc_server/rpc_config.c -@@ -31,6 +31,8 @@ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = dcesrv_log_successful_authz, - .auth.gensec_prepare = dcesrv_auth_gensec_prepare, -+ .auth.become_root = become_root, -+ .auth.unbecome_root = unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - -diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c -index d8c6746d7815..ebb50f8a7ef3 100644 ---- a/source4/rpc_server/service_rpc.c -+++ b/source4/rpc_server/service_rpc.c -@@ -40,9 +40,19 @@ - #include "../libcli/named_pipe_auth/npa_tstream.h" - #include "samba/process_model.h" - -+static void skip_become_root(void) -+{ -+} -+ -+static void skip_unbecome_root(void) -+{ -+} -+ - static struct dcesrv_context_callbacks srv_callbacks = { - .log.successful_authz = log_successful_dcesrv_authz_event, - .auth.gensec_prepare = dcesrv_gensec_prepare, -+ .auth.become_root = skip_become_root, -+ .auth.unbecome_root = skip_unbecome_root, - .assoc_group.find = dcesrv_assoc_group_find, - }; - --- -2.25.1 - diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch index 8e84d96..5d3cb55 100644 --- a/SOURCES/samba-s4u.patch +++ b/SOURCES/samba-s4u.patch @@ -1,4 +1,4 @@ -From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:25:03 +0300 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support @@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 71 insertions(+), 106 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index f35210669c2..b1c7c5dcc5e 100644 +index 793fe366c35..22534c09974 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, krb5_keyblock *krbtgt_key, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, @@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644 mit_ctx = ks_get_context(context); if (mit_ctx == NULL) { -@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, @@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { goto done; } -@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = mit_samba_reget_pac(mit_ctx, context, flags, @@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644 return code; } -@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **pac_auth_data = NULL; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644 krb5_error_code code; krb5_pac pac = NULL; krb5_data pac_data; -@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; @@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); /* -@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, ks_client_princ = client->princ; } @@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (client_entry == NULL) { client_entry = client; } -@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, code = ks_verify_pac(context, flags, @@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644 client_entry, server, krbtgt, -@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, is_as_req ? "AS-REQ" : "TGS-REQ", client_name); code = krb5_pac_sign(context, pac, authtime, ks_client_princ, @@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); goto done; -@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, KRB5_AUTHDATA_IF_RELEVANT, authdata, signed_auth_data); @@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644 done: if (client_entry != NULL && client_entry != client) { ks_free_principal(context, client_entry); -@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, +@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, * server; -> delegating service * proxy; -> target principal */ @@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 4239332f0d9..acc3cba6254 100644 +index cb72b5de294..03c2c2ea1de 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, +@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, context, *pac, server->princ, @@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644 deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Update delegation info failed: %s\n", -@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, } int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644 static krb5_error_code mit_samba_change_pwd_error(krb5_context context, diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 636c77ec97c..9cb00c9610e 100644 +index 4431e82a1b2..9370ab533af 100644 --- a/source4/kdc/mit_samba.h +++ b/source4/kdc/mit_samba.h -@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, DATA_BLOB *e_data); int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -333,10 +333,10 @@ index 636c77ec97c..9cb00c9610e 100644 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, char *pwd, -- -2.33.1 +2.37.1 -From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:35:30 +0300 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build @@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 185 insertions(+), 13 deletions(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..791b417d5ba 100644 +index 4321f07ca09..3fd95e47fca 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c -@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, +@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, return 0; } @@ -546,7 +546,7 @@ index fff5b4e2a22..791b417d5ba 100644 #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index eab67f6d969..b5385c69a33 100644 +index a66b7465530..c8573f52bd9 100644 --- a/lib/krb5_wrap/krb5_samba.h +++ b/lib/krb5_wrap/krb5_samba.h @@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, @@ -611,66 +611,23 @@ index 544d9d853cc..c14d8c72d8c 100644 ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, ccache, -- -2.33.1 +2.37.1 -From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 19 Sep 2020 14:16:20 +0200 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code --- - source4/heimdal/lib/hdb/hdb.h | 1 + - source4/kdc/db-glue.c | 8 ++++++-- - source4/kdc/mit_samba.c | 3 +++ - source4/kdc/sdb.h | 1 + - 4 files changed, 11 insertions(+), 2 deletions(-) + source4/kdc/mit_samba.c | 3 +++ + 1 file changed, 3 insertions(+) -diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h -index 5ef9d9565f3..dafaffc6c2d 100644 ---- a/source4/heimdal/lib/hdb/hdb.h -+++ b/source4/heimdal/lib/hdb/hdb.h -@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; - #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ - #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ - - /* hdb_capability_flags */ - #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index aff74f2ee71..d16b4c3329a 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, - } - } - -- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { -+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { - krb5_clear_error_message(context); - goto out; - } -- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { -+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ - /* - * SDB_F_CANON maps from the canonicalize flag in the - * packet, and has a different meaning between AS-REQ - * and TGS-REQ. We only change the principal in the AS-REQ case -+ * -+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants -+ * the canonical name in all lookups, and takes care to canonicalize -+ * only when appropriate. - */ - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index acc3cba6254..f0b9df8b613 100644 +index 03c2c2ea1de..30fade56531 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, +@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { sflags |= SDB_F_CANON; } @@ -680,18 +637,6 @@ index acc3cba6254..f0b9df8b613 100644 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_INCLUDE_PAC)) { /* -diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h -index c929acccce6..a9115ec23d7 100644 ---- a/source4/kdc/sdb.h -+++ b/source4/kdc/sdb.h -@@ -116,6 +116,7 @@ struct sdb_entry_ex { - #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ - #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ - - void sdb_free_entry(struct sdb_entry_ex *e); - void free_sdb_entry(struct sdb_entry *s); -- -2.33.1 +2.37.1 diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch deleted file mode 100644 index 6e243da..0000000 --- a/SOURCES/samba-virus_scanner.patch +++ /dev/null @@ -1,597 +0,0 @@ -From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Feb 2022 16:33:10 +0100 -Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd - -We have the env variable SERVER_LOG_LEVEL which allows you to change -the log level on the command line. If we force -d0 this will not work. - -make test TESTS="samba" SERVER_LOG_LEVEL=10 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) ---- - selftest/target/Samba3.pm | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index b901fd2677a..64a9a791a61 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -2153,7 +2153,7 @@ sub make_bin_cmd - { - my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; - -- my @optargs = ("-d0"); -+ my @optargs = (); - if (defined($options)) { - @optargs = split(/ /, $options); - } --- -2.34.1 - - -From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 12:07:03 +0100 -Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses - filename matching -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1) ---- - source3/modules/vfs_virusfilter.c | 12 +++++ - source3/modules/vfs_virusfilter_common.h | 4 ++ - source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++ - source3/modules/wscript_build | 1 + - 4 files changed, 75 insertions(+) - create mode 100644 source3/modules/vfs_virusfilter_dummy.c - -diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index 9fafe4e5d41..e6cbee7cd45 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -35,12 +35,14 @@ - - enum virusfilter_scanner_enum { - VIRUSFILTER_SCANNER_CLAMAV, -+ VIRUSFILTER_SCANNER_DUMMY, - VIRUSFILTER_SCANNER_FSAV, - VIRUSFILTER_SCANNER_SOPHOS - }; - - static const struct enum_list scanner_list[] = { - { VIRUSFILTER_SCANNER_CLAMAV, "clamav" }, -+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" }, - { VIRUSFILTER_SCANNER_FSAV, "fsav" }, - { VIRUSFILTER_SCANNER_SOPHOS, "sophos" }, - { -1, NULL } -@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect( - int snum = SNUM(handle->conn); - struct virusfilter_config *config = NULL; - const char *exclude_files = NULL; -+ const char *infected_files = NULL; - const char *temp_quarantine_dir_mode = NULL; - const char *infected_file_command = NULL; - const char *scan_error_command = NULL; -@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect( - set_namearray(&config->exclude_files, exclude_files); - } - -+ infected_files = lp_parm_const_string( -+ snum, "virusfilter", "infected files", NULL); -+ if (infected_files != NULL) { -+ set_namearray(&config->infected_files, infected_files); -+ } -+ - config->cache_entry_limit = lp_parm_int( - snum, "virusfilter", "cache entry limit", 100); - -@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( - case VIRUSFILTER_SCANNER_CLAMAV: - ret = virusfilter_clamav_init(config); - break; -+ case VIRUSFILTER_SCANNER_DUMMY: -+ ret = virusfilter_dummy_init(config); -+ break; - default: - DBG_ERR("Unhandled scanner %d\n", backend); - return -1; -diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h -index f71b0b949a7..463a9d74e9c 100644 ---- a/source3/modules/vfs_virusfilter_common.h -+++ b/source3/modules/vfs_virusfilter_common.h -@@ -83,6 +83,9 @@ struct virusfilter_config { - /* Exclude files */ - name_compare_entry *exclude_files; - -+ /* Infected files */ -+ name_compare_entry *infected_files; -+ - /* Scan result cache */ - struct virusfilter_cache *cache; - int cache_entry_limit; -@@ -149,5 +152,6 @@ struct virusfilter_backend { - int virusfilter_sophos_init(struct virusfilter_config *config); - int virusfilter_fsav_init(struct virusfilter_config *config); - int virusfilter_clamav_init(struct virusfilter_config *config); -+int virusfilter_dummy_init(struct virusfilter_config *config); - - #endif /* _VIRUSFILTER_COMMON_H */ -diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c -new file mode 100644 -index 00000000000..03405cd6629 ---- /dev/null -+++ b/source3/modules/vfs_virusfilter_dummy.c -@@ -0,0 +1,58 @@ -+/* -+ Samba-VirusFilter VFS modules -+ Dummy scanner with infected files support. -+ Copyright (C) 2022 Pavel Filipenský -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include "modules/vfs_virusfilter_utils.h" -+ -+static virusfilter_result virusfilter_dummy_scan( -+ struct vfs_handle_struct *handle, -+ struct virusfilter_config *config, -+ const struct files_struct *fsp, -+ char **reportp) -+{ -+ bool ok; -+ -+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp)); -+ ok = is_in_path(fsp->fsp_name->base_name, -+ config->infected_files, -+ false); -+ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN; -+} -+ -+static struct virusfilter_backend_fns virusfilter_backend_dummy = { -+ .connect = NULL, -+ .disconnect = NULL, -+ .scan_init = NULL, -+ .scan = virusfilter_dummy_scan, -+ .scan_end = NULL, -+}; -+ -+int virusfilter_dummy_init(struct virusfilter_config *config) -+{ -+ struct virusfilter_backend *backend = NULL; -+ -+ backend = talloc_zero(config, struct virusfilter_backend); -+ if (backend == NULL) { -+ return -1; -+ } -+ -+ backend->fns = &virusfilter_backend_dummy; -+ backend->name = "dummy"; -+ config->backend = backend; -+ return 0; -+} -diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build -index 40df4539392..ff318c3fa06 100644 ---- a/source3/modules/wscript_build -+++ b/source3/modules/wscript_build -@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', - vfs_virusfilter_sophos.c - vfs_virusfilter_fsav.c - vfs_virusfilter_clamav.c -+ vfs_virusfilter_dummy.c - ''', - deps='samba-util VFS_VIRUSFILTER_UTILS', - init_function='', --- -2.34.1 - - -From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 22:35:29 +0100 -Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and - 'virusfilter:infected files' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969) ---- - docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml -index 329a35af68a..88f91d73a42 100644 ---- a/docs-xml/manpages/vfs_virusfilter.8.xml -+++ b/docs-xml/manpages/vfs_virusfilter.8.xml -@@ -48,6 +48,10 @@ - scanner - clamav, the ClamAV - scanner -+ dummy, dummy scanner used in -+ tests. Checks against the infected files -+ parameter and flags any name that matches as infected. -+ - - - -@@ -264,6 +268,14 @@ - - - -+ -+ virusfilter:infected files = empty -+ -+ Files that virusfilter dummy flags as infected. -+ If this option is not set, the default is empty. -+ -+ -+ - - virusfilter:block access on error = false - --- -2.34.1 - - -From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:34:56 +0100 -Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a) ---- - selftest/target/Samba3.pm | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 64a9a791a61..7584a0e7ba9 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -188,7 +188,7 @@ sub getlog_env_app($$$) - close(LOG); - - return "" if $out eq $title; -- -+ - return $out; - } - -@@ -2426,7 +2426,7 @@ sub provision($$) - my $nmbdsockdir="$prefix_abs/nmbd"; - unlink($nmbdsockdir); - -- ## -+ ## - ## create the test directory layout - ## - die ("prefix_abs = ''") if $prefix_abs eq ""; -@@ -3290,7 +3290,7 @@ sub provision($$) - unless (open(PASSWD, ">$nss_wrapper_passwd")) { - warn("Unable to open $nss_wrapper_passwd"); - return undef; -- } -+ } - print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false - $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false - pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false --- -2.34.1 - - -From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Tue, 8 Feb 2022 15:35:48 +0100 -Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544) ---- - selftest/knownfail.d/virus_scanner | 2 + - selftest/target/Samba3.pm | 12 ++ - source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++ - source3/selftest/tests.py | 9 ++ - 4 files changed, 147 insertions(+) - create mode 100644 selftest/knownfail.d/virus_scanner - create mode 100755 source3/script/tests/test_virus_scanner.sh - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -new file mode 100644 -index 00000000000..6df3fd20627 ---- /dev/null -+++ b/selftest/knownfail.d/virus_scanner -@@ -0,0 +1,2 @@ -+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') -+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 7584a0e7ba9..c1d0c60d96a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1688,6 +1688,9 @@ sub setup_fileserver - my $veto_sharedir="$share_dir/veto"; - push(@dirs,$veto_sharedir); - -+ my $virusfilter_sharedir="$share_dir/virusfilter"; -+ push(@dirs,$virusfilter_sharedir); -+ - my $ip4 = Samba::get_ipv4_addr("FILESERVER"); - my $fileserver_options = " - kernel change notify = yes -@@ -1813,6 +1816,15 @@ sub setup_fileserver - path = $veto_sharedir - delete veto files = yes - -+[virusfilter] -+ path = $virusfilter_sharedir -+ vfs objects = acl_xattr virusfilter -+ virusfilter:scanner = dummy -+ virusfilter:min file size = 0 -+ virusfilter:infected files = *infected* -+ virusfilter:infected file action = rename -+ virusfilter:scan on close = yes -+ - [homes] - comment = Home directories - browseable = No -diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh -new file mode 100755 -index 00000000000..2234ea6ca89 ---- /dev/null -+++ b/source3/script/tests/test_virus_scanner.sh -@@ -0,0 +1,124 @@ -+#!/bin/sh -+# Copyright (c) 2022 Pavel Filipenský -+# shellcheck disable=1091 -+ -+if [ $# -lt 4 ]; then -+cat <fsp_flags.modified -+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/infected.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}" -+ -+ # check that virusfilter:rename prefix/suffix was added -+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then -+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing." -+ return 1 -+ fi -+ -+ # check that file was not uploaded -+ if [ -f "${sharedir}/infected.upload.txt" ]; then -+ echo "ERROR: {sharedir}/${smbfile} should not exist." -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_read() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+check_healthy_write() -+{ -+ rm -rf "${sharedir:?}"/* -+ -+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then -+ echo "ERROR: Cannot create ${sharedir}/healthy.txt" -+ return 1 -+ fi -+ -+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt" -+ -+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then -+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED" -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+testit "check_infected_read" check_infected_read || failed=$((failed + 1)) -+testit "check_infected_write" check_infected_write || failed=$((failed + 1)) -+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1)) -+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1)) -+ -+testok "$0" "$failed" -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 701be011f70..6b146c76381 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", - '$SERVER_IP', - "tmp"]) - -+env = 'fileserver' -+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), -+ [os.path.join(samba3srcdir, -+ "script/tests/test_virus_scanner.sh"), -+ '$SERVER_IP', -+ "virusfilter", -+ '$LOCAL_PATH', -+ smbclient3]) -+ - for env in ['fileserver', 'simpleserver']: - plantestsuite("samba3.blackbox.smbclient.encryption", env, - [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"), --- -2.34.1 - - -From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= -Date: Mon, 7 Feb 2022 23:06:10 +0100 -Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 - -Signed-off-by: Pavel Filipenský - -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184 - -(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c) ---- - selftest/knownfail.d/virus_scanner | 2 -- - source3/modules/vfs_virusfilter.c | 6 +++--- - 2 files changed, 3 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/virus_scanner - -diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner -deleted file mode 100644 -index 6df3fd20627..00000000000 ---- a/selftest/knownfail.d/virus_scanner -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') --^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') -diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c -index e6cbee7cd45..d1554967ad1 100644 ---- a/source3/modules/vfs_virusfilter.c -+++ b/source3/modules/vfs_virusfilter.c -@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, - */ - goto virusfilter_vfs_open_next; - } -- ret = S_ISREG(smb_fname->st.st_ex_mode); -+ ret = S_ISREG(sbuf.st_ex_mode); - if (ret == 0) { - DBG_INFO("Not scanned: Directory or special file: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->max_file_size > 0 && -- smb_fname->st.st_ex_size > config->max_file_size) -+ sbuf.st_ex_size > config->max_file_size) - { - DBG_INFO("Not scanned: file size > max file size: %s/%s\n", - cwd_fname, fname); - goto virusfilter_vfs_open_next; - } - if (config->min_file_size > 0 && -- smb_fname->st.st_ex_size < config->min_file_size) -+ sbuf.st_ex_size < config->min_file_size) - { - DBG_INFO("Not scanned: file size < min file size: %s/%s\n", - cwd_fname, fname); --- -2.34.1 - diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 3aaa858..9d452c6 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -52,7 +52,9 @@ # Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} -%ifarch aarch64 ppc64le s390x x86_64 +# ppc64le excluded pending resolution of https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104172 +#%%ifarch aarch64 ppc64le s390x x86_64 +%ifarch aarch64 s390x x86_64 %bcond_without vfs_cephfs %bcond_without ceph_mutex %else @@ -69,7 +71,7 @@ # Build vfs_gluster module by default on 64bit Fedora %global is_rhgs 0 -%if "%{dist}" == ".el8rhgs" || "%{dist}" == ".el9rhgs" +%if "%{dist}" == ".el7rhgs" || "%{dist}" == ".el8rhgs" %global is_rhgs 1 %endif @@ -132,13 +134,13 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 10 +%global baserelease 2 -%global samba_version 4.15.5 +%global samba_version 4.16.4 %global talloc_version 2.3.3 -%global tdb_version 1.4.4 -%global tevent_version 0.11.0 -%global ldb_version 2.4.1 +%global tdb_version 1.4.6 +%global tevent_version 0.12.0 +%global ldb_version 2.5.2 # This should be rc1 or nil %global pre_release %nil @@ -203,20 +205,8 @@ Source15: samba.abignore Source201: README.downgrade Patch0: samba-s4u.patch -Patch1: samba-ctdb-etcd-reclock.patch -Patch2: samba-glibc-dns.patch -Patch3: samba-printing-win7.patch -Patch4: samba-disable-systemd-notifications.patch -Patch5: samba-disable-ntlmssp.patch -Patch6: samba-password-change-prompt.patch -Patch7: samba-virus_scanner.patch -Patch8: samba-4-15-fix-autorid.patch -Patch9: samba-4-15-fix-winbind-refresh-tickets.patch -Patch10: samba-4-15-fix-create-local-krb5-conf.patch -Patch11: samba-4-15-username-map.patch -Patch12: samba-4-15-kerberos-clock-skew.patch -Patch13: samba-4-15-smbd-upn.patch -Patch14: CVE-2022-32742-v4-15.patch +# https://gitlab.com/samba-team/samba/-/merge_requests/2477 +Patch1: samba-4.16-waf-crypto.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -338,7 +328,7 @@ BuildRequires: python3-etcd # Add python3-iso8601 to avoid that the # version in Samba is being packaged BuildRequires: python3-iso8601 -BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1 >= 0.4.8 BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} @@ -375,12 +365,18 @@ BuildRequires: lmdb-devel %if %{with dc} || %{with testsuite} BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} -BuildRequires: ldb-tools BuildRequires: python3-gpg BuildRequires: python3-markdown BuildRequires: python3-setproctitle BuildRequires: python3-cryptography + +%if %{without includelibs} BuildRequires: tdb-tools +BuildRequires: ldb-tools +#endif without includelibs +%endif + +#endif with dc || with testsuite %endif # filter out perl requirements pulled in from examples in the docdir. @@ -439,8 +435,10 @@ SMB/CIFS clients. Summary: Files used by both Samba servers and clients BuildArch: noarch -Requires(post): systemd +Requires(post): (systemd-standalone-tmpfiles or systemd) +%if 0%{?fedora} Recommends: logrotate +%endif Provides: samba4-common = %{samba_depver} Obsoletes: samba4-common < %{samba_depver} @@ -503,6 +501,8 @@ Requires: python3-%{name} = %{samba_depver} # samba-tool needs tdbbackup Requires: tdb-tools %if %{with dc} +# samba-tool needs python3-samba-dc on a full build +Requires: python3-%{name}-dc = %{samba_depver} # samba-tool needs mdb_copy for domain backup or upgrade provision Requires: lmdb %endif @@ -518,6 +518,8 @@ SMB/CIFS clients. %package dc Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-provision = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -558,6 +560,7 @@ The samba-dc-provision package provides files to setup a domain controller ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -573,9 +576,11 @@ link against the SMB, RPC and other protocols. ### DC-BIND %package dc-bind-dlz Summary: Bind DLZ module for Samba AD +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} Requires: %{name}-dc = %{samba_depver} +Requires: %{name}-libs = %{samba_depver} Requires: bind Provides: bundled(libreplace) @@ -591,6 +596,9 @@ name server related details of Samba AD. Summary: Developer tools for Samba libraries Requires: %{name}-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +%if %{with dc} +Requires: %{name}-dc-libs = %{samba_depver} +%endif Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} @@ -605,6 +613,7 @@ libraries in the Samba suite. %package vfs-cephfs Summary: Samba VFS module for Ceph distributed storage system Requires: %{name} = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Provides: bundled(libreplace) @@ -740,6 +749,9 @@ Summary: Samba Python3 libraries Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +%if %{with dc} +Requires: %{name}-dc-libs = %{samba_depver} +%endif Requires: python3-talloc Requires: python3-tevent Requires: python3-tdb @@ -778,6 +790,8 @@ If you want to run full set of Samba tests, you need to install this package. %if %{with dc} || %{with testsuite} %package -n python3-samba-dc Summary: Samba Python libraries for Samba AD +Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-dc-libs = %{samba_depver} Requires: python3-%{name} = %{samba_depver} %description -n python3-samba-dc @@ -1031,6 +1045,7 @@ and use CTDB instead. Summary: CTDB PCP pmda support Requires: ctdb = %{samba_depver} Requires: pcp-libs +Requires: %{name}-client-libs = %{samba_depver} %description -n ctdb-pcp-pmda Performance Co-Pilot (PCP) support for CTDB @@ -1072,6 +1087,11 @@ Support for using an existing CEPH cluster as a mutex helper for CTDB xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %autosetup -n samba-%{version}%{pre_release} -p1 +# Ensure we rely on GnuTLS and do not build any other crypto code shipping with +# the sources. +rm -rf third_party/{aesni-intel,heimdal} +rm -f lib/crypto/{aes,rijndael}*.c + %build %if %{with includelibs} %global _talloc_lib ,talloc,pytalloc,pytalloc-util @@ -1086,7 +1106,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - #endif with includelibs %endif -%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} +%global _samba_libraries !popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} %global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2 %global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 @@ -1625,7 +1645,17 @@ fi %{_libdir}/samba/vfs/nfs4acl_xattr.so %endif +%dir %{_libexecdir}/samba %{_libexecdir}/samba/samba-bgqd +%{_libexecdir}/samba/samba-dcerpcd +%{_libexecdir}/samba/rpcd_classic +%{_libexecdir}/samba/rpcd_epmapper +%{_libexecdir}/samba/rpcd_fsrvp +%{_libexecdir}/samba/rpcd_lsad +%{_libexecdir}/samba/rpcd_mdssvc +%{_libexecdir}/samba/rpcd_rpcecho +%{_libexecdir}/samba/rpcd_spoolss +%{_libexecdir}/samba/rpcd_winreg %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc @@ -1639,6 +1669,7 @@ fi %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/samba-bgqd.8* +%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1653,6 +1684,7 @@ fi %{_mandir}/man8/vfs_crossrename.8* %{_mandir}/man8/vfs_default_quota.8* %{_mandir}/man8/vfs_dirsort.8* +%{_mandir}/man8/vfs_expand_msdfs.8* %{_mandir}/man8/vfs_extd_audit.8* %{_mandir}/man8/vfs_fake_perms.8* %{_mandir}/man8/vfs_fileid.8* @@ -1863,7 +1895,6 @@ fi %if %{without libwbclient} %{_libdir}/samba/libwbclient.so.* -%{_libdir}/samba/libwinbind-client-samba4.so #endif without libwbclient %endif @@ -2071,6 +2102,7 @@ fi %{_libdir}/samba/bind9/dlz_bind9_12.so %{_libdir}/samba/bind9/dlz_bind9_14.so %{_libdir}/samba/bind9/dlz_bind9_16.so +%{_libdir}/samba/bind9/dlz_bind9_18.so #endif with dc %endif @@ -2243,6 +2275,9 @@ fi %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so +%{_libdir}/samba/libREG-FULL-samba4.so +%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so +%{_libdir}/samba/libRPC-WORKER-samba4.so ### LIBSMBCLIENT %if %{with libsmbclient} @@ -2262,7 +2297,6 @@ fi %if %{with libwbclient} %files -n libwbclient %{_libdir}/samba/wbclient/libwbclient.so.* -%{_libdir}/samba/libwinbind-client-samba4.so ### LIBWBCLIENT-DEVEL %files -n libwbclient-devel @@ -2333,7 +2367,11 @@ fi %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc @@ -2449,7 +2487,11 @@ fi %{python3_sitearch}/samba/emulate/__init__.py %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py +%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py +%{python3_sitearch}/samba/gp_chromium_ext.py %{python3_sitearch}/samba/gp_ext_loader.py +%{python3_sitearch}/samba/gp_firefox_ext.py +%{python3_sitearch}/samba/gp_firewalld_ext.py %{python3_sitearch}/samba/gp_msgs_ext.py %{python3_sitearch}/samba/gp_smb_conf_ext.py %{python3_sitearch}/samba/gp_sudoers_ext.py @@ -2766,6 +2808,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc %{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc %{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc %{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc @@ -2934,15 +2977,17 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc -%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc @@ -2959,26 +3004,28 @@ fi %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py %{python3_sitearch}/samba/tests/krb5/rodc_tests.py -%{python3_sitearch}/samba/tests/krb5/salt_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py -%{python3_sitearch}/samba/tests/krb5/spn_tests.py -%{python3_sitearch}/samba/tests/krb5/test_ccache.py %{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py %{python3_sitearch}/samba/tests/krb5/test_ldap.py %{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py %{python3_sitearch}/samba/tests/krb5/test_rpc.py %{python3_sitearch}/samba/tests/krb5/test_smb.py %{python3_sitearch}/samba/tests/krb5/s4u_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py -%{python3_sitearch}/samba/tests/ldap_referrals.py %{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_referrals.py %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py @@ -3042,6 +3089,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc @@ -3078,6 +3126,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py %{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py +%{python3_sitearch}/samba/tests/samba_tool/join_member.py %{python3_sitearch}/samba/tests/samba_tool/ntacl.py %{python3_sitearch}/samba/tests/samba_tool/ou.py %{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py @@ -3109,6 +3158,7 @@ fi %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py %{python3_sitearch}/samba/tests/source.py +%{python3_sitearch}/samba/tests/source_chars.py %{python3_sitearch}/samba/tests/strings.py %{python3_sitearch}/samba/tests/subunitrun.py %{python3_sitearch}/samba/tests/tdb_util.py @@ -3130,7 +3180,6 @@ fi %{_mandir}/man1/masktest.1* %{_mandir}/man1/ndrdump.1* %{_mandir}/man1/smbtorture.1* -%{_mandir}/man1/vfstest.1* %if %{with testsuite} # files to ignore in testsuite mode @@ -4114,21 +4163,39 @@ fi %endif %changelog -* Mon Sep 12 2022 Andreas Schneider - 4.15.5-10 -- resolves: rhbz#2126041 - Do not require samba package in python3-samba +* Thu Aug 25 2022 Andreas Schneider - 4.16.4-2 +- resolves: rhbz#2120956 - Do not require samba package in python3-samba -* Fri Sep 09 2022 Andreas Schneider - 4.15.5-9 -- Fix CVE-2022-32742 -- resolves: rhbz#2125552 +* Thu Jul 28 2022 Andreas Schneider - 4.16.4-1 +- Rebase to version 4.16.4 +- resolves: rhbz#2108331 - Fix CVE-2022-32742 + +* Mon Jul 18 2022 Pavel Filipenský - 4.16.3-0 +- related: rhbz#2077468 - Rebase Samba to 4.16.3 +- resolves: rhbz#2106672 - The pcap background queue process should not be stopped +- resolves: rhbz#2106263 - Fix crash in rpcd_classic +- resolves: rhbz#2100093 - Fix net ads info returns LDAP server and LDAP server name + +* Tue Jun 14 2022 Pavel Filipenský - 4.16.2-1 +- resolves: rhbz#2084162 - Fix printer displays only after 300 seconds timeout + +* Mon Jun 13 2022 Pavel Filipenský - 4.16.2-0 +- Fix rpminspect abidiff +- related: rhbz#2077468 - Rebase Samba to 4.16.2 + +* Mon May 02 2022 Pavel Filipenský - 4.16.1-0 +- Update to Samba 4.16.1 +- resolves: rhbz#2077468 Rebase Samba to the the latest 4.16.x release * Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8 -- resolves: rhbz#2079303 - Fix username map for unix groups -- resolves: rhbz#2079299 - PAM Kerberos authentication fails with a clock skew error -- resolves: rhbz#2079304 - Fix UPNs handling in lookup_name*() calls +- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls -* Wed Mar 16 2022 Andreas Schneider - 4.15.5-5 -- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a - single IP address. +* Wed Apr 20 2022 Pavel Filipenský - 4.15.5-7 +- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error + +* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-6 +- resolves: rhbz#2059151 - Fix username map for unix groups +- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address. * Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh