Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/samba.git#efa876d95a02913a341dfc94008f28127956e205
DistroBaker 2020-10-27 18:49:30 +01:00 committed by Petr Šabata
parent a51aab87ae
commit 580979ffc9
8 changed files with 3168 additions and 163 deletions

66
1528.patch Normal file

@ -0,0 +1,66 @@
From e3629a3924107507be9ddb2c001f9843854ddf3b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 25 Aug 2020 17:39:18 +0200
Subject: [PATCH] third_party: Update resolv_wrapper to version 1.1.7
This fixes some Samba tests which redirect stderr to stdout and then get
more messages than expected.
Signed-off-by: Andreas Schneider <asn@samba.org>
---
buildtools/wafsamba/samba_third_party.py | 2 +-
third_party/resolv_wrapper/resolv_wrapper.c | 4 ++--
third_party/resolv_wrapper/wscript | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py
index 318da4f4eff..bc2b21f2a55 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -34,7 +34,7 @@ Build.BuildContext.CHECK_NSS_WRAPPER = CHECK_NSS_WRAPPER
@conf
def CHECK_RESOLV_WRAPPER(conf):
- return conf.CHECK_BUNDLED_SYSTEM_PKG('resolv_wrapper', minversion='1.1.6')
+ return conf.CHECK_BUNDLED_SYSTEM_PKG('resolv_wrapper', minversion='1.1.7')
Build.BuildContext.CHECK_RESOLV_WRAPPER = CHECK_RESOLV_WRAPPER
@conf
diff --git a/third_party/resolv_wrapper/resolv_wrapper.c b/third_party/resolv_wrapper/resolv_wrapper.c
index 0d3f34ce591..b69a55a80e0 100644
--- a/third_party/resolv_wrapper/resolv_wrapper.c
+++ b/third_party/resolv_wrapper/resolv_wrapper.c
@@ -1844,7 +1844,7 @@ static int rwrap_parse_resolv_conf(struct __res_state *state,
fp = fopen(resolv_conf, "r");
if (fp == NULL) {
- RWRAP_LOG(RWRAP_LOG_ERROR,
+ RWRAP_LOG(RWRAP_LOG_WARN,
"Opening %s failed: %s",
resolv_conf, strerror(errno));
return -1;
@@ -1930,7 +1930,7 @@ static int rwrap_parse_resolv_conf(struct __res_state *state,
fclose(fp);
if (nserv == 0) {
- RWRAP_LOG(RWRAP_LOG_ERROR,
+ RWRAP_LOG(RWRAP_LOG_WARN,
"No usable nameservers found in %s",
resolv_conf);
errno = ESRCH;
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
index ea3df498a6e..a7f18389b0f 100644
--- a/third_party/resolv_wrapper/wscript
+++ b/third_party/resolv_wrapper/wscript
@@ -2,7 +2,7 @@
import os
-VERSION="1.1.6"
+VERSION="1.1.7"
def configure(conf):
if conf.CHECK_RESOLV_WRAPPER():
--
GitLab

1389
1624.patch Normal file


197
1635.patch Normal file

@ -0,0 +1,197 @@
From 0daa6a2bc688146f4e1d7b5604a6fe231f6d069e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Oct 2020 11:08:19 +0200
Subject: [PATCH 1/5] s3:script: Fix test_dfree_quota.sh
source3/script/tests/test_dfree_quota.sh: line 200: [: missing `]'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/script/tests/test_dfree_quota.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/script/tests/test_dfree_quota.sh b/source3/script/tests/test_dfree_quota.sh
index e86d431180a..a1403a8c4ba 100755
--- a/source3/script/tests/test_dfree_quota.sh
+++ b/source3/script/tests/test_dfree_quota.sh
@@ -197,7 +197,7 @@ test_smbcquotas() {
return $status
}
-if [ $protocol != "SMB3" -a $protocol != "NT1"]; then
+if [ $protocol != "SMB3" ] && [ $protocol != "NT1" ]; then
echo "unsupported protocol $protocol" | subunit_fail_test "Test dfree quota"
failed=`expr $failed + 1`
fi
--
GitLab
From 4867cafe766fa8aa69ce005dc5c4f05a4af676c8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Oct 2020 17:40:01 +0200
Subject: [PATCH 2/5] buildtools: Do not install binaries which are for
selftest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
---
buildtools/wafsamba/wafsamba.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py
index 9f6ee4f5c7f..9dd6d05b91b 100644
--- a/buildtools/wafsamba/wafsamba.py
+++ b/buildtools/wafsamba/wafsamba.py
@@ -365,8 +365,10 @@ def SAMBA_BINARY(bld, binname, source,
for_selftest=False):
'''define a Samba binary'''
- if for_selftest and not bld.CONFIG_GET('ENABLE_SELFTEST'):
- enabled=False
+ if for_selftest:
+ install=False
+ if not bld.CONFIG_GET('ENABLE_SELFTEST'):
+ enabled=False
if not enabled:
SET_TARGET_TYPE(bld, binname, 'DISABLED')
--
GitLab
From a4d5a21880b1cc8adfcbebd6940d06e2fdab3f14 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Oct 2020 17:41:01 +0200
Subject: [PATCH 3/5] unittests: Mark test binaries for selftest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
---
testsuite/unittests/wscript | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/testsuite/unittests/wscript b/testsuite/unittests/wscript
index 40fcb01ad57..2b4b37b92de 100644
--- a/testsuite/unittests/wscript
+++ b/testsuite/unittests/wscript
@@ -9,7 +9,7 @@ def build(bld):
bld.SAMBA_BINARY('test_krb5samba',
source='test_krb5_samba.c',
deps='krb5samba cmocka',
- install=False)
+ for_selftest=True)
bld.SAMBA_BINARY('test_sambafs_srv_pipe',
source='test_sambafs_srv_pipe.c',
@@ -18,7 +18,7 @@ def build(bld):
RPC_SAMR
cmocka
''',
- install=False)
+ for_selftest=True)
bld.SAMBA_BINARY('test_lib_util_modules',
source='test_lib_util_modules.c',
@@ -26,7 +26,7 @@ def build(bld):
samba-modules
cmocka
''',
- install=False)
+ for_selftest=True)
bld.SAMBA_MODULE('rpc_test_dummy_module',
source='rpc_test_dummy_module.c',
--
GitLab
From d399761e8261a4de5ce9449f97ade61388e8a1e2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 23 Oct 2020 08:53:43 +0200
Subject: [PATCH 4/5] s3:modules: Do not install vfs modules only used for
testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/modules/wscript_build | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index c4f3db22296..36b047ef79b 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -114,7 +114,8 @@ bld.SAMBA3_MODULE('vfs_fake_acls',
deps='samba-util',
init_function='',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_fake_acls'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_acls'))
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_acls'),
+ install=False)
bld.SAMBA3_MODULE('vfs_recycle',
subsystem='vfs',
@@ -622,21 +623,24 @@ bld.SAMBA3_MODULE('vfs_fake_dfq',
source='vfs_fake_dfq.c',
init_function='',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_fake_dfq'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_dfq'))
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_fake_dfq'),
+ install=False)
bld.SAMBA3_MODULE('vfs_error_inject',
subsystem='vfs',
source='vfs_error_inject.c',
init_function='',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_error_inject'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_error_inject'))
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_error_inject'),
+ install=False)
bld.SAMBA3_MODULE('vfs_delay_inject',
subsystem='vfs',
source='vfs_delay_inject.c',
init_function='',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_delay_inject'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_delay_inject'))
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_delay_inject'),
+ install=False)
bld.SAMBA3_MODULE('vfs_widelinks',
subsystem='vfs',
--
GitLab
From 58e412ac6d9822aa65639d7c1171a2723ca3ee8a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 23 Oct 2020 08:57:12 +0200
Subject: [PATCH 5/5] examples:auth: Do not install example plugin
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14550
Signed-off-by: Andreas Schneider <asn@samba.org>
---
examples/auth/wscript_build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/examples/auth/wscript_build b/examples/auth/wscript_build
index 91f5302918b..03221238e5f 100644
--- a/examples/auth/wscript_build
+++ b/examples/auth/wscript_build
@@ -6,4 +6,5 @@ bld.SAMBA3_MODULE('auth_skel',
deps='samba-util',
init_function='',
internal_module=bld.SAMBA3_IS_STATIC_MODULE('auth_skel'),
- enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_skel'))
+ enabled=bld.SAMBA3_IS_ENABLED_MODULE('auth_skel'),
+ install=False)
--
GitLab
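Review bot: The rewritten condition in `test_dfree_quota.sh` still leaves `$protocol` unquoted on both sides of the `&&`, so an empty or unset `protocol` collapses the first test to `[ != "SMB3" ]` and the script dies with a `[` usage error instead of reporting the intended subunit failure; quote it as `if [ "$protocol" != "SMB3" ] && [ "$protocol" != "NT1" ]; then`. The other four patches in this file only flip `install=False` / `for_selftest=True` on test-only binaries, the fake/inject VFS modules and the `auth_skel` example, which is a welcome cut in what lands in a production install. One side effect in `wafsamba.py` is easy to miss: `SAMBA_BINARY` now forces `install=False` whenever `for_selftest` is set, so a caller that passes both `for_selftest=True` and `install=True` is silently overridden — a one-line comment at that assignment, `# selftest-only binaries are never installed, whatever install= says`, would document it.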


@ -0,0 +1,143 @@
From 12b51be8633689763080f2eb1e0b13487e3e71e1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Sat, 24 Oct 2020 12:17:44 +0300
Subject: [PATCH] DNS Resolver: support both dnspython before and after 2.0.0
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
The compatibility shim was developed by Stanislav Levin for FreeIPA and
adopted for Samba by Alexander Bokovoy.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
python/samba/dnsresolver.py | 68 +++++++++++++++++++++++++++
source4/scripting/bin/samba_dnsupdate | 5 +-
2 files changed, 71 insertions(+), 2 deletions(-)
create mode 100644 python/samba/dnsresolver.py
diff --git a/python/samba/dnsresolver.py b/python/samba/dnsresolver.py
new file mode 100644
index 00000000000..a627555a855
--- /dev/null
+++ b/python/samba/dnsresolver.py
@@ -0,0 +1,68 @@
+# Samba wrapper for DNS resolvers
+#
+# Copyright (C) Stanislav Levin <slev@altlinux.org>
+# Copyright (C) Alexander Bokovoy <ab@samba.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import dns.resolver
+import dns.rdatatype
+import dns.reversename
+
+class DNSResolver(dns.resolver.Resolver):
+ """DNS stub resolver compatible with both dnspython < 2.0.0
+ and dnspython >= 2.0.0.
+
+ Set `use_search_by_default` attribute to `True`, which
+ determines the default for whether the search list configured
+ in the system's resolver configuration is used for relative
+ names, and whether the resolver's domain may be added to relative
+ names.
+
+ Increase the default lifetime which determines the number of seconds
+ to spend trying to get an answer to the question. dnspython 2.0.0
+ changes this to 5sec, while the previous one was 30sec.
+ """
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.reset_defaults()
+ self.resolve = getattr(super(), "resolve", self.query)
+ self.resolve_address = getattr(
+ super(),
+ "resolve_address",
+ self._resolve_address
+ )
+
+ def reset_defaults(self):
+ self.use_search_by_default = True
+ # the default is 5sec
+ self.lifetime = 15
+
+ def reset(self):
+ super().reset()
+ self.reset_defaults()
+
+ def _resolve_address(self, ip_address, *args, **kwargs):
+ """Query nameservers for PTR records.
+
+ :param ip_address: IPv4 or IPv6 address
+ :type ip_address: str
+ """
+ return self.resolve(
+ dns.reversename.from_address(ip_address),
+ rdtype=dns.rdatatype.PTR,
+ *args,
+ **kwargs,
+ )
diff --git a/source4/scripting/bin/samba_dnsupdate b/source4/scripting/bin/samba_dnsupdate
index 44eb1cadd27..fe04ce71338 100755
--- a/source4/scripting/bin/samba_dnsupdate
+++ b/source4/scripting/bin/samba_dnsupdate
@@ -53,6 +53,7 @@ from samba.compat import get_string
from samba.compat import text_type
import ldb
+from samba.dnsresolver import DNSResolver
import dns.resolver
import dns.exception
@@ -259,7 +260,7 @@ def hostname_match(h1, h2):
def get_resolver(d=None):
resolv_conf = os.getenv('RESOLV_CONF', default='/etc/resolv.conf')
- resolver = dns.resolver.Resolver(filename=resolv_conf, configure=True)
+ resolver = DNSResolver(filename=resolv_conf, configure=True)
if d is not None and d.nameservers != []:
resolver.nameservers = d.nameservers
@@ -271,7 +272,7 @@ def check_one_dns_name(name, name_type, d=None):
if d and not d.nameservers:
d.nameservers = resolver.nameservers
# dns.resolver.Answer
- return resolver.query(name, name_type)
+ return resolver.resolve(name, name_type)
def check_dns_name(d):
"""check that a DNS entry exists."""
--
2.28.0
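Review bot: `_resolve_address` forwards `*args` after the keyword `rdtype=dns.rdatatype.PTR`, so on the pre-2.0 path (where `self.resolve` is the bound `query`) any extra positional argument, e.g. `resolver.resolve_address(ip, dns.rdataclass.IN)`, lands in the `rdtype` slot and raises `TypeError: got multiple values for argument 'rdtype'` rather than being forwarded; passing the type positionally, `self.resolve(dns.reversename.from_address(ip_address), dns.rdatatype.PTR, *args, **kwargs)`, is valid against both the old `query` and the new `resolve` signatures. Note also that `reset_defaults()` unconditionally writes `use_search_by_default = True` and `lifetime = 15`, and `reset()` re-applies it, so these are overrides rather than defaults: a caller that wants a shorter timeout must set `lifetime` after construction and loses it on every `reset()`; a comment at `reset_defaults` such as `# overrides, not defaults: re-applied by reset(), so adjust lifetime after construction` would make that explicit. The `samba_dnsupdate` hunks only swap in the shim; `get_resolver` and `check_one_dns_name` continue outside them.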


@ -0,0 +1,210 @@
From 81d6949acdad70ecfb130d3286eeab1b3a51937f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 7 Oct 2020 19:25:24 +0300
Subject: [PATCH 1/2] cli_credentials_parse_string: fix parsing of principals
When parsing a principal-like name, user name was left with full
principal instead of taking only the left part before '@' sign.
>>> from samba import credentials
>>> t = credentials.Credentials()
>>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
>>> t.get_username()
'admin@realm.test'
The issue is that cli_credentials_set_username() does a talloc_strdup()
of the argument, so we need to change order of assignment to allow
talloc_strdup() to copy the right part of the string.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
auth/credentials/credentials.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 77c35dd104b..06ac79058f9 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -840,11 +840,10 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
* in order to undo the effect of
* cli_credentials_guess().
*/
- cli_credentials_set_username(credentials, uname, obtained);
- cli_credentials_set_domain(credentials, "", obtained);
-
cli_credentials_set_principal(credentials, uname, obtained);
*p = 0;
+ cli_credentials_set_username(credentials, uname, obtained);
+ cli_credentials_set_domain(credentials, "", obtained);
cli_credentials_set_realm(credentials, p+1, obtained);
return;
} else if ((p = strchr_m(uname,'\\'))
--
2.28.0
From fa38bebb993011428612d51819530218d8358f5e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Mon, 13 Jan 2020 16:04:20 +0200
Subject: [PATCH 2/2] lookup_name: allow lookup for own realm
When using security tab in Windows Explorer, a lookup over a trusted
forest might come as realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
Allow this lookup using realm to be done against primary domain.
Refactor user name parsing code to reuse cli_credentials_* API to be
consistent with other places. cli_credentials_parse_string() handles
both domain and realm-based user name variants.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/passdb/lookup_sid.c | 75 ++++++++++++++++++++++++++-----------
1 file changed, 53 insertions(+), 22 deletions(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 82c47b3145b..39d599fed27 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -29,6 +29,7 @@
#include "../libcli/security/security.h"
#include "lib/winbind_util.h"
#include "../librpc/gen_ndr/idmap.h"
+#include "auth/credentials/credentials.h"
static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
{
@@ -78,52 +79,82 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
const char **ret_domain, const char **ret_name,
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
{
- char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
+ const char *realm = NULL;
uint32_t rid;
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct cli_credentials *creds = NULL;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
- p = strchr_m(full_name, '\\');
-
- if (p != NULL) {
- domain = talloc_strndup(tmp_ctx, full_name,
- PTR_DIFF(p, full_name));
- name = talloc_strdup(tmp_ctx, p+1);
- } else {
- domain = talloc_strdup(tmp_ctx, "");
- name = talloc_strdup(tmp_ctx, full_name);
+ creds = cli_credentials_init(tmp_ctx);
+ if (creds == NULL) {
+ DEBUG(0, ("cli_credentials_init failed\n"));
+ return false;
}
- if ((domain == NULL) || (name == NULL)) {
- DEBUG(0, ("talloc failed\n"));
- TALLOC_FREE(tmp_ctx);
+ cli_credentials_parse_string(creds, full_name, CRED_SPECIFIED);
+ name = cli_credentials_get_username(creds);
+ domain = cli_credentials_get_domain(creds);
+ realm = cli_credentials_get_realm(creds);
+
+ /* At this point we have:
+ * - name -- normal name or empty string
+ * - domain -- either NULL or domain name
+ * - realm -- either NULL or realm name
+ *
+ * domain and realm are exclusive to each other
+ * the code below in lookup_name assumes domain
+ * to be at least empty string, not NULL
+ */
+
+ if ((name == NULL) || (name[0] == '\0')) {
+ DEBUG(0, ("lookup_name with empty name, exit\n"));
return false;
}
+ if ((domain == NULL) && (realm == NULL)) {
+ domain = talloc_strdup(creds, "");
+ }
+
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
- strequal(domain, get_global_sam_name()))
- {
+ /* Windows clients may send a LookupNames request with both NetBIOS
+ * domain name- and realm-qualified user names. Thus, we need to check
+ * both against both of the SAM domain name and realm, if set. Since
+ * domain name and realm in the request are exclusive, test the one
+ * that is specified. cli_credentials_parse_string() will either set
+ * realm or wouldn't so we can use it to detect if realm was specified.
+ */
+ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
+ const char *domain_name = realm ? realm : domain;
+ bool check_global_sam = false;
+
+ if (domain_name[0] != '\0') {
+ check_global_sam = strequal(domain_name, get_global_sam_name());
+ if (!check_global_sam && lp_realm() != NULL) {
+ check_global_sam = strequal(domain_name, lp_realm());
+ }
+ }
- /* It's our own domain, lookup the name in passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_compose(&sid, get_global_sam_sid(), rid);
- goto ok;
+ if (check_global_sam) {
+ /* It's our own domain, lookup the name in passdb */
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ sid_compose(&sid, get_global_sam_sid(), rid);
+ goto ok;
+ }
+ TALLOC_FREE(tmp_ctx);
+ return false;
}
- TALLOC_FREE(tmp_ctx);
- return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
--
2.28.0
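Review bot: The two new early exits in `lookup_name` leak `tmp_ctx`: after `cli_credentials_init` fails (the `return false` under `DEBUG(0, ("cli_credentials_init failed\n"))`) and after the empty-name check (`DEBUG(0, ("lookup_name with empty name, exit\n"))`), the function returns without the `TALLOC_FREE(tmp_ctx)` that the replaced code performed; both paths should read `TALLOC_FREE(tmp_ctx); return false;`. The fallback `domain = talloc_strdup(creds, "");` is also unchecked, and `domain_name[0]` dereferences it a few lines later, so an allocation failure there is a crash rather than a failed lookup. Separately, routing an LSA LookupNames string through `cli_credentials_parse_string()` means the lookup inherits every separator that parser honours — the visible hunk shows `@` and `\`; if it also treats `%` as a password delimiter, as the credentials API conventionally does, a requested name containing `%` would be silently truncated — worth confirming, because this input arrives off the wire from RPC clients (see the `lsa_LookupNames3` trace in the commit message), not from a command line. `lookup_name` continues past the end of this hunk.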

726
samba-s4u.patch Normal file

@ -0,0 +1,726 @@
From fe300549844509624d944b93fc64dc6d382e71c1 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 3/7] mit-kdc: add basic loacl realm S4U support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 148 +++++++++---------
source4/kdc/mit_samba.c | 47 ++----
source4/kdc/mit_samba.h | 6 +-
wscript_configure_system_mitkrb5 | 3 +
6 files changed, 91 insertions(+), 115 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 9197551ed61..944324d9a2f 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -192,13 +192,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
- krb5_pac *pac)
+ krb5_pac *out_pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
- krb5_pac ipac = NULL;
- DATA_BLOB logon_data = { NULL, 0 };
+ krb5_keyblock *header_server_key = NULL;
+ krb5_key_data *impersonator_kd = NULL;
+ krb5_keyblock impersonator_key = {0};
krb5_error_code code;
+ krb5_pac pac;
+
+ *out_pac = NULL;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
@@ -230,41 +234,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
- &ipac);
+ &pac);
if (code != 0) {
goto done;
}
- /* TODO: verify this is correct
- *
- * In the constrained delegation case, the PAC is from a service
- * ticket rather than a TGT; we must verify the server and KDC
- * signatures to assert that the server did not forge the PAC.
+ /*
+ * For constrained delegation in MIT version < 1.18 we aren't provided
+ * with the 2nd ticket server key to verify the PAC.
+ * We can workaround that by fetching the key from the client db entry,
+ * which is the impersonator account in that version.
+ * TODO: use the provided entry in the new 1.18 version.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- server_key,
- krbtgt_key);
+ /* The impersonator must be local. */
+ if (client == NULL) {
+ code = KRB5KDC_ERR_BADOPTION;
+ goto done;
+ }
+ /* Fetch and decrypt 2nd ticket server's current key. */
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+ &impersonator_kd);
+ if (code != 0) {
+ goto done;
+ }
+ code = krb5_dbe_decrypt_key_data(context, NULL,
+ impersonator_kd,
+ &impersonator_key, NULL);
+ if (code != 0) {
+ goto done;
+ }
+ header_server_key = &impersonator_key;
} else {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- krbtgt_key,
- NULL);
- }
- if (code != 0) {
- goto done;
+ header_server_key = krbtgt_key;
}
- /* check and update PAC */
- code = krb5_pac_parse(context,
- authdata[0]->contents,
- authdata[0]->length,
- pac);
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
+ header_server_key, NULL);
if (code != 0) {
goto done;
}
@@ -272,17 +278,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
- client_princ,
client,
server,
krbtgt,
krbtgt_key,
- pac);
+ &pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ *out_pac = pac;
+ pac = NULL;
done:
+ krb5_free_keyblock_contents(context, &impersonator_key);
krb5_free_authdata(context, authdata);
- krb5_pac_free(context, ipac);
- free(logon_data.data);
+ krb5_pac_free(context, pac);
return code;
}
@@ -324,7 +335,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
{
#endif
krb5_authdata **authdata = NULL;
- krb5_boolean is_as_req;
+ krb5_const_principal pac_client;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
@@ -334,24 +345,21 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
#endif
- /* FIXME: We don't support S4U yet */
- if (flags & KRB5_KDB_FLAGS_S4U) {
- return KRB5_KDB_DBTYPE_NOSUP;
- }
-
- is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
-
- if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
- code = ks_get_pac(context, client, client_key, &pac);
- if (code != 0) {
- goto done;
- }
+ /* In protocol transition, we are currently not provided with the tgt
+ * client name to verify the PAC, we could probably skip the name
+ * verification and just verify the signatures, but since we don't
+ * support cross-realm nor aliases, we can just use server->princ */
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ pac_client = server->princ;
+ } else {
+ pac_client = client_princ;
}
- if (!is_as_req) {
+ /* TGS request */
+ if (!(flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY)) {
code = ks_verify_pac(context,
flags,
- client_princ,
+ pac_client,
client,
server,
krbtgt,
@@ -363,14 +371,28 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
if (code != 0) {
goto done;
}
+
+ /* We require PAC as we don't support LSA_TRUST_TYPE_MIT */
+ if (pac == NULL) {
+ code = KRB5_KDB_DBTYPE_NOSUP;
+ goto done;
+ }
}
- if (pac == NULL && client != NULL) {
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ krb5_pac_free(context, pac);
+ pac = NULL;
+ }
+ /* AS request or local realm protocol transition */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) ||
+ (client != NULL && (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION))) {
code = ks_get_pac(context, client, client_key, &pac);
if (code != 0) {
goto done;
}
+ /* We require a pac! */
+ SMB_ASSERT(pac != NULL);
}
if (pac == NULL) {
@@ -379,7 +401,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
}
code = krb5_pac_sign(context, pac, authtime, client_princ,
- server_key, krbtgt_key, &pac_data);
+ server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
@@ -405,11 +427,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
- if (code != 0) {
- goto done;
- }
-
- code = 0;
done:
krb5_pac_free(context, pac);
@@ -432,32 +449,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
* server; -> delegating service
* proxy; -> target principal
*/
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
- char *target_name = NULL;
- bool is_enterprise;
- krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
- code = krb5_unparse_name(context, proxy, &target_name);
- if (code) {
- goto done;
- }
-
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
- code = mit_samba_check_s4u2proxy(mit_ctx,
- delegating_service,
- target_name,
- is_enterprise);
-
-done:
- free(target_name);
- return code;
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
}
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 54dcd545ea1..f23327c9613 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -467,7 +467,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -615,7 +614,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
- discard_const(client_principal),
+ client->princ,
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -937,41 +936,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name)
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal)
{
-#if 1
- /*
- * This is disabled because mit_samba_update_pac_data() does not handle
- * S4U_DELEGATION_INFO
- */
-
- return KRB5KDC_ERR_BADOPTION;
-#else
- krb5_principal target_principal;
- int flags = 0;
- int ret;
-
- if (is_nt_enterprise_name) {
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
- }
-
- ret = krb5_parse_name_flags(ctx->context, target_name,
- flags, &target_principal);
- if (ret) {
- return ret;
- }
-
- ret = samba_kdc_check_s4u2proxy(ctx->context,
- ctx->db_ctx,
- skdc_entry,
- target_principal);
-
- krb5_free_principal(ctx->context, target_principal);
-
- return ret;
-#endif
+ struct samba_kdc_entry *server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ return samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ server_skdc_entry,
+ target_principal);
}
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index ba824557bd5..5aadf206443 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
DATA_BLOB *e_data);
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name);
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal);
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.25.4
From ff1b225493ede3d43cfad571770dacb73f75ec42 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 5/7] krb5-mit: enable S4U client support for MIT build
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 2 -
source4/auth/kerberos/kerberos_util.c | 11 --
4 files changed, 185 insertions(+), 14 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..e72ab3c30f7 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2568,6 +2568,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+ krb5_principal a,
+ krb5_principal b)
+{
+ bool cmp;
+ krb5_principal mod = NULL;
+
+ if (a->length == 1 && b->length == 1 &&
+ a->data[0].length != 0 && b->data[0].length != 0 &&
+ a->data[0].data[a->data[0].length -1] !=
+ b->data[0].data[b->data[0].length -1]) {
+ if (a->data[0].data[a->data[0].length -1] == '$') {
+ mod = a;
+ mod->data[0].length--;
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
+ mod = b;
+ mod->data[0].length--;
+ }
+ }
+
+ cmp = krb5_principal_compare_flags(ctx, a, b,
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+ if (mod != NULL) {
+ mod->data[0].length++;
+ }
+
+ return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ krb5_ccache store_cc,
+ krb5_principal init_principal,
+ const char *init_password,
+ krb5_principal impersonate_principal,
+ const char *self_service,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code;
+ krb5_principal self_princ = NULL;
+ krb5_principal target_princ = NULL;
+ krb5_creds *store_creds;
+ krb5_creds *s4u2self_creds = NULL;
+ krb5_creds *s4u2proxy_creds = NULL;
+ krb5_creds init_creds = {0};
+ krb5_creds mcreds = {0};
+ krb5_flags options = KRB5_GC_NO_STORE;
+ krb5_ccache tmp_cc;
+ bool s4u2proxy;
+
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_get_init_creds_password(ctx, &init_creds,
+ init_principal,
+ init_password,
+ NULL, NULL,
+ 0,
+ NULL,
+ krb_options);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * Check if we also need S4U2Proxy or if S4U2Self is
+ * enough in order to get a ticket for the target.
+ */
+ if (target_service == NULL) {
+ s4u2proxy = false;
+ } else if (strcmp(target_service, self_service) == 0) {
+ s4u2proxy = false;
+ } else {
+ s4u2proxy = true;
+ }
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+ * client and the request server to be the same principal name. */
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ mcreds.client = impersonate_principal;
+ mcreds.server = init_creds.client;
+
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+ NULL, &s4u2self_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (s4u2proxy) {
+ code = krb5_parse_name(ctx, target_service, &target_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ mcreds.client = init_creds.client;
+ mcreds.server = target_princ;
+ mcreds.second_ticket = s4u2self_creds->ticket;
+
+ code = krb5_get_credentials(ctx, options |
+ KRB5_GC_CONSTRAINED_DELEGATION,
+ tmp_cc, &mcreds, &s4u2proxy_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* Check KDC support of S4U2Proxy extension */
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+ s4u2proxy_creds->client)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ store_creds = s4u2proxy_creds;
+ } else {
+ store_creds = s4u2self_creds;;
+
+ /* We need to save the ticket with the requested server name
+ * or the caller won't be able to find it in cache. */
+ if (!krb5_principal_compare(ctx, self_princ,
+ store_creds->server)) {
+ krb5_free_principal(ctx, store_creds->server);
+ store_creds->server = NULL;
+ code = krb5_copy_principal(ctx, self_princ,
+ &store_creds->server);
+ if (code != 0) {
+ goto done;
+ }
+ }
+ }
+
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) store_creds->times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) store_creds->times.starttime;
+ }
+
+done:
+ krb5_cc_destroy(ctx, tmp_cc);
+ krb5_free_cred_contents(ctx, &init_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ krb5_free_creds(ctx, s4u2proxy_creds);
+ krb5_free_principal(ctx, self_princ);
+ krb5_free_principal(ctx, target_princ);
+
+ return code;
+}
#endif
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index ca9a893e4f7..3264ce5eb3b 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#endif
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
{
krb5_error_code ret;
const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
const char *self_service;
-#endif
const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
@@ -268,9 +266,7 @@ done:
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL
self_service = cli_credentials_get_self_service(credentials);
-#endif
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
#endif
if (password) {
if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
ccache,
princ,
@@ -342,12 +337,6 @@ done:
krb_options,
NULL,
&kdc_time);
-#else
- talloc_free(mem_ctx);
- (*error_string) = "INTERNAL error: s4u2 ops "
- "are not supported with MIT build yet";
- return EINVAL;
-#endif
} else {
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.25.4
From cf1b9bdc09180d68e2b30258839d2f78b7af9c62 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 7/7] wip: for canonicalization with new MIT kdc code
---
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 8 ++++++--
source4/kdc/mit_samba.c | 3 +++
source4/kdc/sdb.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 6a09ecb6fe1..bc5211fef35 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index a560a1cd84b..c27b6a8ef4c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
+ * the canonical name in all lookups, and takes care to canonicalize
+ * only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index f23327c9613..4084e893cc2 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -198,6 +198,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
+#if KRB5_KDB_API_VERSION >= 10
+ sflags |= SDB_F_FORCE_CANON;
+#endif
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
--
2.25.4


@ -0,0 +1,118 @@
From 9dd1a4809b1b6d65bfb2258b443b0fe36e0a32f7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Sat, 24 Oct 2020 16:52:43 +0300
Subject: [PATCH] daemons: report status to systemd even when running in
foreground
When systemd launches samba services, the configuration we have in
systemd service files expects that the main process (/usr/sbin/*)
would use sd_notify() to report back its status. However, we only use
sd_notify() when running become_daemon().
As a result, samba/smbd/winbindd/nmbd processes never report back its
status and the status updates from other childs (smbd, winbindd, etc)
are not accepted as we now have implied NotifyAccess=main since commit
d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
This leads to a timeout and killing samba process by systemd. Situation
is reproducible in Fedora 33, for example.
Make sure that we have required status updates for all daemons in case
we aren't runnning in interactive mode.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14552
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/nmbd/nmbd.c | 4 +++-
source3/smbd/server.c | 4 +++-
source3/winbindd/winbindd.c | 5 ++++-
source4/smbd/server.c | 4 +++-
4 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
index 0b881d13f7b..f6aeba1f714 100644
--- a/source3/nmbd/nmbd.c
+++ b/source3/nmbd/nmbd.c
@@ -1009,6 +1009,8 @@ static bool open_sockets(bool isdaemon, int port)
if (is_daemon && !opt_interactive) {
DEBUG(3, ("Becoming a daemon.\n"));
become_daemon(Fork, no_process_group, log_stdout);
+ } else if (!opt_interactive) {
+ daemon_status("nmbd", "Starting process...");
}
#ifdef HAVE_SETPGID
@@ -1135,7 +1137,7 @@ static bool open_sockets(bool isdaemon, int port)
exit_daemon( "NMBD failed to setup packet server.", EACCES);
}
- if (is_daemon && !opt_interactive) {
+ if (!opt_interactive) {
daemon_ready("nmbd");
}
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 153dd3c9323..3d9db5d8407 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1893,6 +1893,8 @@ extern void build_options(bool screen);
if (is_daemon && !interactive) {
DEBUG(3, ("Becoming a daemon.\n"));
become_daemon(Fork, no_process_group, log_stdout);
+ } else {
+ daemon_status("smbd", "Starting process ...");
}
#ifdef HAVE_SETPGID
@@ -2100,7 +2102,7 @@ extern void build_options(bool screen);
exit_daemon("Samba cannot setup ep pipe", EACCES);
}
- if (is_daemon && !interactive) {
+ if (!interactive) {
daemon_ready("smbd");
}
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 4397a1bc0d1..1e08237905a 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1880,8 +1880,11 @@ int main(int argc, const char **argv)
BlockSignals(False, SIGHUP);
BlockSignals(False, SIGCHLD);
- if (!interactive)
+ if (!interactive) {
become_daemon(Fork, no_process_group, log_stdout);
+ } else {
+ daemon_status("winbindd", "Starting process ...");
+ }
pidfile_create(lp_pid_directory(), "winbindd");
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 95acb99b86c..ee2e7508bb3 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -648,6 +648,8 @@ static int binary_smbd_main(const char *binary_name,
if (opt_daemon) {
DBG_NOTICE("Becoming a daemon.\n");
become_daemon(opt_fork, opt_no_process_group, false);
+ } else if (!opt_interactive) {
+ daemon_status("samba", "Starting process...");
}
/* Create the memory context to hang everything off. */
@@ -931,7 +933,7 @@ static int binary_smbd_main(const char *binary_name,
}
}
- if (opt_daemon) {
+ if (!opt_interactive) {
daemon_ready("samba");
}
--
2.28.0
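Review bot: In the source3/winbindd/winbindd.c hunk the new `else` branch calls `daemon_status("winbindd", ...)` only when `interactive` is true, which is the opposite of the intent in the patch description and of the `else if (!opt_interactive)` form used in the nmbd and source4 hunks; the source3/smbd/server.c hunk's bare `} else {` likewise fires in interactive mode. If `become_daemon()` already performs the notification (as the description suggests), the winbindd branch is merely dead under systemd, but the smbd case should read `} else if (!interactive) {` so that an interactive run does not emit a status notification at all. The winbindd hunk shown also does not gate `daemon_ready()` on `!interactive` the way the other three files now do, so it is worth confirming that winbindd's ready notification still reaches systemd in the non-forking foreground case. The status text differs between `"Starting process..."` and `"Starting process ..."`; picking one keeps the journal output uniform. All four hunks sit inside functions whose bodies begin and end outside the hunks.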
