rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import samba-4.15.5-101.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-03-01 08:16:28 -05:00 committed by Stepan Oksanichenko
parent 62736d05e1
commit 71695e885b
10 changed files with 1772 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/samba-4.15.3.tar.xz
SOURCES/samba-4.15.5.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg

2
.samba.metadata
View File

@ -1,2 +1,2 @@
e778708ce1f39566d91d74dce8e9940b324d1ef1 SOURCES/samba-4.15.3.tar.xz
f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

16
SOURCES/samba-4.15.3.tar.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0kACgkQqplEL7aA
tiCzMg/+IzBD53oeYFSSt6V9o1ZhD/7bL425n/7Ea2iLaHkOEQWN3AgKV7h1rdSb
tS/Ys3xUf9LB1ZVkXbu17oWj5pG8aWcp6Ky80uXHycZ5X0/fcHegSU5SIyUfLs0F
d3BXvFWkPIy8H9a55wFTpJte2ofRoFqWUG4MAlOq83ummnmrz0W5j6QcufVIRjWq
hGMbg8Vjk+UEtKNO7fl8iSQ0ZRyXCkBR3biDBtMbvtoluaVkixxwwSPqgDoNXgju
ox2EbVfHLSHc+7Tb30uKQq/mf3uhf6ASIrajNVrXotK1fgpCCKnMLb9qRHEftttY
DwYKQvsrHCw9vYg/xyO2NOBr82mxjE6NBLsV1Kp8pdc4vInmAqOCsQpOuZ0SgO6u
sZk4c5AkfH7pZtHeNtlefiGe8/7ApU6UC6kkXT3mnLBtWKMBte9/NR6ZgCLle7tV
aAx6Io9j/rAeueRRgIK98bzxXSufjtFyNmM+Qr7IXnFHtJNM919ib4pr5DzpGwAc
+FMG0LfmU0XiUXcbw/IZ3AOD2DBwZC58ZezO3alUS8eRqNTP13v3Uhg9F78+eyah
Wbohx05Y4MA1ywtMd8z/dZn97nw3bw+z6fLNC//1Sq1qo1fXipaoSQW1LK9IHeVO
cV7cvd2c16p7NN3Op+34QY7Nc7b1uhtTV3v3tiEQYR/uQx+tyz8=
=fu6B
-----END PGP SIGNATURE-----

16
SOURCES/samba-4.15.5.tar.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
=oc6g
-----END PGP SIGNATURE-----

764
SOURCES/samba-disable-ntlmssp.patch Normal file
View File

@ -0,0 +1,764 @@
From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 10 Dec 2021 16:08:04 +0100
Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
---
source3/utils/net_ads.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6ab4a0096b1..8f993f9ba4c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
char *cp;
const char *realm = NULL;
bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
ads->auth.password = smb_xstrdup(c->opt_password);
}
- ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
/*
* If the username is of the form "name@realm",
* extract the realm and convert to upper case.
--
2.33.1
From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Wed, 8 Dec 2021 16:05:17 +0100
Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 60fa2bf80cb..b91e2d15bcf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
.disconnect = ads_sasl_gensec_disconnect
};
-/*
+/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
#endif /* HAVE_KRB5 */
-/*
+/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
- /* the server sent us the first part of the SPNEGO exchange in the negprot
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism)
+ got_kerberos_mechanism)
{
mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
}
/* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
+ if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
goto done;
}
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
+ to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--
2.33.1
From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Thu, 9 Dec 2021 13:43:08 +0100
Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
---
source3/libads/sasl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b91e2d15bcf..992f7022a69 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
"for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
+ "try to fallback to NTLMSSP\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
--
2.33.1
From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 7 Jan 2022 10:31:19 +0100
Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 992f7022a69..ea98aa47ecd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("kinit succeeded but "
- "ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s\n",
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
- ads_errstr(status)));
+ ads_errstr(status));
}
}
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
goto done;
}
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s, "
- "try to fallback to NTLMSSP\n",
- p.service, p.hostname,
- ads->auth.user_name,
- ads->auth.realm,
- ads_errstr(status)));
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
}
#endif
--
2.33.1
From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 11:13:06 +0100
Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
without kerberos)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
---
source3/libads/sasl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ea98aa47ecd..1bcfe0490a8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
" disallowed.\n");
--
2.33.1
From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 15:33:46 +0100
Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
---
.../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
new file mode 100755
index 00000000000..2822ab29d14
--- /dev/null
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 USERNAME PASSWORD
+EOF
+exit 1;
+fi
+
+USERNAME=$1
+PASSWORD=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_testparm="$BINDIR/testparm"
+samba_net="$BINDIR/net"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
--
2.33.1
From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 4 Jan 2022 12:00:20 +0100
Subject: [PATCH 07/10] s4:selftest: plan test suite
samba4.blackbox.test_weak_disable_ntlmssp_ldap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
---
source4/selftest/tests.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1e4b2ae6dd3..3a6a716f061 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
if have_gnutls_fips_mode_support:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
for env in ["ad_dc_fips", "ad_member_fips"]:
plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
--
2.33.1
From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:47:38 +0100
Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
---
source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 948c903f165..e415df347e6 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
- * when set to TRUE.
+ * when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
*
* Thanks to Ralf Haferkamp for input and testing - Guenther */
- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
- ADS_LDAP_MATCHING_RULE_BIT_AND,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
if (filter == NULL) {
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
struct wb_acct_info **info)
{
/*
- * This is a stub function only as we returned the domain
+ * This is a stub function only as we returned the domain
* local groups in enum_dom_groups() if the domain->native field
* was true. This is a simple performance optimization when
* using LDAP.
*
- * if we ever need to enumerate domain local groups separately,
+ * if we ever need to enumerate domain local groups separately,
* then this optimization in enum_dom_groups() will need
* to be split out
*/
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- const char *user_dn,
+ const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "invalid number of results (count=%d)\n",
+ "invalid number of results (count=%d)\n",
dom_sid_str_buf(sid, &buf),
count));
goto done;
}
if (!msg) {
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name,
dom_sid_str_buf(sid, &buf)));
goto done;
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- /* there must always be at least one group in the token,
+ /* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
/* lookup what groups this user is a member of by DN search on
* "member" */
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
"not map any SIDs at all.\n"));
/* Don't handle this as an error here.
- * There is nothing left to do with respect to the
+ * There is nothing left to do with respect to the
* overall result... */
}
else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
NETR_TRUST_FLAG_IN_FOREST;
} else {
flags = NETR_TRUST_FLAG_IN_FOREST;
- }
+ }
result = cm_connect_netlogon(domain, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
- "for PIPE_NETLOGON (%s)\n",
+ "for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
--
2.33.1
From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:44:54 +0100
Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
---
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
#include "../libds/common/flag_mapping.h"
#include "libsmb/samlogon_cache.h"
#include "passdb.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ADS_STATUS status;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
if (auth_realm == NULL) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
--
2.33.1
From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 21 Jan 2022 12:01:33 +0100
Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
---
source3/libnet/libnet_join.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 02705f1c70c..4c67e9af5c4 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
ADS_STATUS status;
ADS_STRUCT *my_ads = NULL;
char *cp;
+ enum credentials_use_kerberos krb5_state;
my_ads = ads_init(dns_domain_name,
netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
--
2.33.1

36
SOURCES/samba-disable-systemd-notifications.patch Normal file
View File

@ -0,0 +1,36 @@
From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
Date: Mon, 24 Jan 2022 22:14:31 -0500
Subject: [PATCH] printing/bgqd: Disable systemd notifications
samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
---
source3/printing/samba-bgqd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index f21327fc622..59ed0cc40db 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ /* main process will notify systemd */
+ daemon_sd_notifications(false);
+
if (!cmdline_daemon_cfg->fork) {
daemon_status(progname, "Starting process ... ");
} else {
--
2.34.1

100
SOURCES/samba-password-change-prompt.patch Normal file
View File

@ -0,0 +1,100 @@
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 17 Nov 2021 09:56:09 +0100
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
---
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
nsswitch/pam_winbind.c | 12 ++++++++++--
nsswitch/pam_winbind.h | 1 +
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 0bc288f91a1..bae9298fc32 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -194,6 +194,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>pwd_change_prompt = yes|no</term>
+ <listitem><para>
+ Generate prompt for changing an expired password. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
</para>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 720a4b90d85..06098dd07d8 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
ctrl |= WINBIND_MKHOMEDIR;
}
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ }
+
config_from_pam:
/* step through arguments */
for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
else if (!strncasecmp(*v, "warn_pwd_expire",
strlen("warn_pwd_expire")))
ctrl |= WINBIND_WARN_PWD_EXPIRE;
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
else if (type != PAM_WINBIND_CLEANUP) {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index c6786d65a4d..2f4a25729bd 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do { \
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
#define WINBIND_MKHOMEDIR 0x00004000
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
#define _(string) dgettext(MODULE_NAME, string)
--
2.35.1

229
SOURCES/samba-printing-win7.patch Normal file
View File

@ -0,0 +1,229 @@
From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 22 Jan 2022 01:08:26 +0100
Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.
Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.
This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
---
librpc/rpc/dcesrv_auth.c | 5 +++++
librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
librpc/rpc/dcesrv_core.h | 2 ++
source3/rpc_server/rpc_config.c | 2 ++
source4/rpc_server/service_rpc.c | 10 ++++++++++
5 files changed, 37 insertions(+)
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index fec8df513a83..99d8e0162160 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
auth->auth_level = call->in_auth_info.auth_level;
auth->auth_context_id = call->in_auth_info.auth_context_id;
+ cb->auth.become_root();
status = cb->auth.gensec_prepare(
auth,
call,
&auth->gensec_security,
cb->auth.private_data);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
nt_errstr(status)));
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
{
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
const char *pdu = "<unknown>";
switch (call->pkt.ptype) {
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
return status;
}
+ cb->auth.become_root();
status = gensec_session_info(auth->gensec_security,
auth,
&auth->session_info);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n",
nt_errstr(status)));
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index d16159b0b6cd..ea91fc689b4a 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
struct dcerpc_binding *ep_2nd_description = NULL;
const char *endpoint = NULL;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
struct tevent_req *subreq = NULL;
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct tevent_req *subreq = NULL;
NTSTATUS status;
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
return NT_STATUS_OK;
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct tevent_req *subreq = NULL;
size_t i;
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index d8d5f9030959..0538442e0ce6 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
struct gensec_security **out,
void *private_data);
void *private_data;
+ void (*become_root)(void);
+ void (*unbecome_root)(void);
} auth;
struct {
NTSTATUS (*find)(
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 2f1a01da1c0b..289c4f398409 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -31,6 +31,8 @@
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = dcesrv_log_successful_authz,
.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
+ .auth.become_root = become_root,
+ .auth.unbecome_root = unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index d8c6746d7815..ebb50f8a7ef3 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -40,9 +40,19 @@
#include "../libcli/named_pipe_auth/npa_tstream.h"
#include "samba/process_model.h"
+static void skip_become_root(void)
+{
+}
+
+static void skip_unbecome_root(void)
+{
+}
+
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = log_successful_dcesrv_authz_event,
.auth.gensec_prepare = dcesrv_gensec_prepare,
+ .auth.become_root = skip_become_root,
+ .auth.unbecome_root = skip_unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
--
2.25.1

597
SOURCES/samba-virus_scanner.patch Normal file
View File

@ -0,0 +1,597 @@
From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Feb 2022 16:33:10 +0100
Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
We have the env variable SERVER_LOG_LEVEL which allows you to change
the log level on the command line. If we force -d0 this will not work.
make test TESTS="samba" SERVER_LOG_LEVEL=10
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
---
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b901fd2677a..64a9a791a61 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2153,7 +2153,7 @@ sub make_bin_cmd
{
my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
- my @optargs = ("-d0");
+ my @optargs = ();
if (defined($options)) {
@optargs = split(/ /, $options);
}
--
2.34.1
From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 12:07:03 +0100
Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
filename matching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
---
source3/modules/vfs_virusfilter.c | 12 +++++
source3/modules/vfs_virusfilter_common.h | 4 ++
source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++
source3/modules/wscript_build | 1 +
4 files changed, 75 insertions(+)
create mode 100644 source3/modules/vfs_virusfilter_dummy.c
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 9fafe4e5d41..e6cbee7cd45 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -35,12 +35,14 @@
enum virusfilter_scanner_enum {
VIRUSFILTER_SCANNER_CLAMAV,
+ VIRUSFILTER_SCANNER_DUMMY,
VIRUSFILTER_SCANNER_FSAV,
VIRUSFILTER_SCANNER_SOPHOS
};
static const struct enum_list scanner_list[] = {
{ VIRUSFILTER_SCANNER_CLAMAV, "clamav" },
+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" },
{ VIRUSFILTER_SCANNER_FSAV, "fsav" },
{ VIRUSFILTER_SCANNER_SOPHOS, "sophos" },
{ -1, NULL }
@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
int snum = SNUM(handle->conn);
struct virusfilter_config *config = NULL;
const char *exclude_files = NULL;
+ const char *infected_files = NULL;
const char *temp_quarantine_dir_mode = NULL;
const char *infected_file_command = NULL;
const char *scan_error_command = NULL;
@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
set_namearray(&config->exclude_files, exclude_files);
}
+ infected_files = lp_parm_const_string(
+ snum, "virusfilter", "infected files", NULL);
+ if (infected_files != NULL) {
+ set_namearray(&config->infected_files, infected_files);
+ }
+
config->cache_entry_limit = lp_parm_int(
snum, "virusfilter", "cache entry limit", 100);
@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
case VIRUSFILTER_SCANNER_CLAMAV:
ret = virusfilter_clamav_init(config);
break;
+ case VIRUSFILTER_SCANNER_DUMMY:
+ ret = virusfilter_dummy_init(config);
+ break;
default:
DBG_ERR("Unhandled scanner %d\n", backend);
return -1;
diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
index f71b0b949a7..463a9d74e9c 100644
--- a/source3/modules/vfs_virusfilter_common.h
+++ b/source3/modules/vfs_virusfilter_common.h
@@ -83,6 +83,9 @@ struct virusfilter_config {
/* Exclude files */
name_compare_entry *exclude_files;
+ /* Infected files */
+ name_compare_entry *infected_files;
+
/* Scan result cache */
struct virusfilter_cache *cache;
int cache_entry_limit;
@@ -149,5 +152,6 @@ struct virusfilter_backend {
int virusfilter_sophos_init(struct virusfilter_config *config);
int virusfilter_fsav_init(struct virusfilter_config *config);
int virusfilter_clamav_init(struct virusfilter_config *config);
+int virusfilter_dummy_init(struct virusfilter_config *config);
#endif /* _VIRUSFILTER_COMMON_H */
diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
new file mode 100644
index 00000000000..03405cd6629
--- /dev/null
+++ b/source3/modules/vfs_virusfilter_dummy.c
@@ -0,0 +1,58 @@
+/*
+ Samba-VirusFilter VFS modules
+ Dummy scanner with infected files support.
+ Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "modules/vfs_virusfilter_utils.h"
+
+static virusfilter_result virusfilter_dummy_scan(
+ struct vfs_handle_struct *handle,
+ struct virusfilter_config *config,
+ const struct files_struct *fsp,
+ char **reportp)
+{
+ bool ok;
+
+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
+ ok = is_in_path(fsp->fsp_name->base_name,
+ config->infected_files,
+ false);
+ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
+}
+
+static struct virusfilter_backend_fns virusfilter_backend_dummy = {
+ .connect = NULL,
+ .disconnect = NULL,
+ .scan_init = NULL,
+ .scan = virusfilter_dummy_scan,
+ .scan_end = NULL,
+};
+
+int virusfilter_dummy_init(struct virusfilter_config *config)
+{
+ struct virusfilter_backend *backend = NULL;
+
+ backend = talloc_zero(config, struct virusfilter_backend);
+ if (backend == NULL) {
+ return -1;
+ }
+
+ backend->fns = &virusfilter_backend_dummy;
+ backend->name = "dummy";
+ config->backend = backend;
+ return 0;
+}
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 40df4539392..ff318c3fa06 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
vfs_virusfilter_sophos.c
vfs_virusfilter_fsav.c
vfs_virusfilter_clamav.c
+ vfs_virusfilter_dummy.c
''',
deps='samba-util VFS_VIRUSFILTER_UTILS',
init_function='',
--
2.34.1
From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 22:35:29 +0100
Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
'virusfilter:infected files'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
---
docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
index 329a35af68a..88f91d73a42 100644
--- a/docs-xml/manpages/vfs_virusfilter.8.xml
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -48,6 +48,10 @@
scanner</para></listitem>
<listitem><para><emphasis>clamav</emphasis>, the ClamAV
scanner</para></listitem>
+ <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
+ tests. Checks against the <emphasis>infected files</emphasis>
+ parameter and flags any name that matches as infected.
+ </para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
@@ -264,6 +268,14 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>virusfilter:infected files = empty</term>
+ <listitem>
+ <para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
+ <para>If this option is not set, the default is empty.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>virusfilter:block access on error = false</term>
<listitem>
--
2.34.1
From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:34:56 +0100
Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
---
selftest/target/Samba3.pm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 64a9a791a61..7584a0e7ba9 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
close(LOG);
return "" if $out eq $title;
-
+
return $out;
}
@@ -2426,7 +2426,7 @@ sub provision($$)
my $nmbdsockdir="$prefix_abs/nmbd";
unlink($nmbdsockdir);
- ##
+ ##
## create the test directory layout
##
die ("prefix_abs = ''") if $prefix_abs eq "";
@@ -3290,7 +3290,7 @@ sub provision($$)
unless (open(PASSWD, ">$nss_wrapper_passwd")) {
warn("Unable to open $nss_wrapper_passwd");
return undef;
- }
+ }
print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
--
2.34.1
From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:35:48 +0100
Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
---
selftest/knownfail.d/virus_scanner | 2 +
selftest/target/Samba3.pm | 12 ++
source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
source3/selftest/tests.py | 9 ++
4 files changed, 147 insertions(+)
create mode 100644 selftest/knownfail.d/virus_scanner
create mode 100755 source3/script/tests/test_virus_scanner.sh
diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
new file mode 100644
index 00000000000..6df3fd20627
--- /dev/null
+++ b/selftest/knownfail.d/virus_scanner
@@ -0,0 +1,2 @@
+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7584a0e7ba9..c1d0c60d96a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1688,6 +1688,9 @@ sub setup_fileserver
my $veto_sharedir="$share_dir/veto";
push(@dirs,$veto_sharedir);
+ my $virusfilter_sharedir="$share_dir/virusfilter";
+ push(@dirs,$virusfilter_sharedir);
+
my $ip4 = Samba::get_ipv4_addr("FILESERVER");
my $fileserver_options = "
kernel change notify = yes
@@ -1813,6 +1816,15 @@ sub setup_fileserver
path = $veto_sharedir
delete veto files = yes
+[virusfilter]
+ path = $virusfilter_sharedir
+ vfs objects = acl_xattr virusfilter
+ virusfilter:scanner = dummy
+ virusfilter:min file size = 0
+ virusfilter:infected files = *infected*
+ virusfilter:infected file action = rename
+ virusfilter:scan on close = yes
+
[homes]
comment = Home directories
browseable = No
diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
new file mode 100755
index 00000000000..2234ea6ca89
--- /dev/null
+++ b/source3/script/tests/test_virus_scanner.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+# shellcheck disable=1091
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER_IP=${1}
+SHARE=${2}
+LOCAL_PATH=${3}
+SMBCLIENT=${4}
+
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
+
+failed=0
+sharedir="${LOCAL_PATH}/${SHARE}"
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+
+check_infected_read()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! touch "${sharedir}/infected.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
+
+ # check that virusfilter:rename prefix/suffix was added
+ if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
+ echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
+ return 1
+ fi
+
+ # check that file was not downloaded
+ if [ -f "${sharedir}/infected.download.txt" ]; then
+ echo "ERROR: {sharedir}/infected.download.txt should not exist."
+ return 1
+ fi
+
+ return 0
+}
+
+check_infected_write()
+{
+ rm -rf "${sharedir:?}"/*
+ smbfile=infected.upload.txt
+ smbfilerenamed="virusfilter.${smbfile}.infected"
+
+ # non empty file is needed
+ # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
+
+ # check that virusfilter:rename prefix/suffix was added
+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
+ return 1
+ fi
+
+ # check that file was not uploaded
+ if [ -f "${sharedir}/infected.upload.txt" ]; then
+ echo "ERROR: {sharedir}/${smbfile} should not exist."
+ return 1
+ fi
+
+ return 0
+}
+
+check_healthy_read()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
+
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
+ return 1
+ fi
+
+ return 0
+}
+
+check_healthy_write()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
+
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
+ return 1
+ fi
+
+ return 0
+}
+
+testit "check_infected_read" check_infected_read || failed=$((failed + 1))
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1))
+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1))
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 701be011f70..6b146c76381 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
'$SERVER_IP',
"tmp"])
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
+ [os.path.join(samba3srcdir,
+ "script/tests/test_virus_scanner.sh"),
+ '$SERVER_IP',
+ "virusfilter",
+ '$LOCAL_PATH',
+ smbclient3])
+
for env in ['fileserver', 'simpleserver']:
plantestsuite("samba3.blackbox.smbclient.encryption", env,
[os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
--
2.34.1
From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 7 Feb 2022 23:06:10 +0100
Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
---
selftest/knownfail.d/virus_scanner | 2 --
source3/modules/vfs_virusfilter.c | 6 +++---
2 files changed, 3 insertions(+), 5 deletions(-)
delete mode 100644 selftest/knownfail.d/virus_scanner
diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
deleted file mode 100644
index 6df3fd20627..00000000000
--- a/selftest/knownfail.d/virus_scanner
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index e6cbee7cd45..d1554967ad1 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
*/
goto virusfilter_vfs_open_next;
}
- ret = S_ISREG(smb_fname->st.st_ex_mode);
+ ret = S_ISREG(sbuf.st_ex_mode);
if (ret == 0) {
DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
cwd_fname, fname);
goto virusfilter_vfs_open_next;
}
if (config->max_file_size > 0 &&
- smb_fname->st.st_ex_size > config->max_file_size)
+ sbuf.st_ex_size > config->max_file_size)
{
DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
cwd_fname, fname);
goto virusfilter_vfs_open_next;
}
if (config->min_file_size > 0 &&
- smb_fname->st.st_ex_size < config->min_file_size)
+ sbuf.st_ex_size < config->min_file_size)
{
DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
cwd_fname, fname);
--
2.34.1

31
SPECS/samba.spec
View File

@ -132,9 +132,9 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global baserelease 1
%global baserelease 101
%global samba_version 4.15.3
%global samba_version 4.15.5
%global talloc_version 2.3.3
%global tdb_version 1.4.4
%global tevent_version 0.11.0
@ -204,6 +204,11 @@ Source201: README.downgrade
Patch0: samba-s4u.patch
Patch1: samba-ctdb-etcd-reclock.patch
Patch2: samba-glibc-dns.patch
Patch3: samba-printing-win7.patch
Patch4: samba-disable-systemd-notifications.patch
Patch5: samba-disable-ntlmssp.patch
Patch6: samba-password-change-prompt.patch
Patch7: samba-virus_scanner.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -325,7 +330,7 @@ BuildRequires: python3-etcd
# Add python3-iso8601 to avoid that the
# version in Samba is being packaged
BuildRequires: python3-iso8601
BuildRequires: python3-pyasn1
BuildRequires: python3-pyasn1 >= 0.4.8
BuildRequires: bind
BuildRequires: krb5-server >= %{required_mit_krb5}
@ -4102,6 +4107,26 @@ fi
%endif
%changelog
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
- resolves: #2050111 - [RFE] Change change password change prompt phrasing
- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file
* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-100
- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
- resolves: #2046129 - Fix CVE-2021-44141
- resolves: #2046154 - Fix CVE-2021-44142
- resolves: #2044405 - Fix printing no longer works on Windows 7
- resolves: #2049485 - Fix systemd notifications
- resolves: #2049604 - Disable NTLMSSP for ldap client connections
* Mon Jan 24 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-100
- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
- resolves: #2039154 - Fix CVE-2021-20316
- resolves: #2044238 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7x
- resolves: #2044239 - [smb] Segmentation fault when joining the domain
- resolves: #2044241 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED
- resolves: #2044255 - Fix CVE-2021-43566
* Wed Dec 15 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.15.3-1
- related: rhbz#2013578 - Rebase to Samba 4.15.3
- resolves: rhbz#2028026 - Fix possible null pointer dereference in winbind