diff --git a/samba-4-15-smbd-upn.patch b/samba-4-15-smbd-upn.patch
new file mode 100644
index 0000000..703a7d6
--- /dev/null
+++ b/samba-4-15-smbd-upn.patch
@@ -0,0 +1,273 @@
+From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 26 Apr 2022 07:10:56 +0200
+Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jeremy Allison
+(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884)
+---
+ source3/passdb/lookup_sid.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index a551bcfd24a..3a28cdc68a6 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -1,4 +1,4 @@
+-/*
++/*
+ Unix SMB/CIFS implementation.
+ uid/user handling
+ Copyright (C) Andrew Tridgell 1992-1998
+@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid)
+ If an explicit domain name was given in the form domain\user, it
+ has to try that. If no explicit domain name was given, we have
+ to do guesswork.
+-*****************************************************************/
++*****************************************************************/
+
+ bool lookup_name(TALLOC_CTX *mem_ctx,
+ const char *full_name, int flags,
+@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ goto ok;
+ }
+
+- /* 6. Builtin aliases */
++ /* 6. Builtin aliases */
+
+ if ((flags & LOOKUP_NAME_BUILTIN) &&
+ lookup_builtin_name(name, &rid))
+@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+ }
+
+ /* First build up the data structures:
+- *
++ *
+ * dom_infos is a list of domains referenced in the list of
+ * SIDs. Later we will walk the list of domains and look up the RIDs
+ * in bulk.
+@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids,
+
+ /*****************************************************************
+ *THE CANONICAL* convert SID to name function.
+-*****************************************************************/
++*****************************************************************/
+
+ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ const char **ret_domain, const char **ret_name,
+@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+ goto done;
+ }
+
+- if ((ret_name != NULL) &&
++ if ((ret_name != NULL) &&
+ !(*ret_name = talloc_strdup(mem_ctx, name->name))) {
+ goto done;
+ }
+@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
+
+ /*****************************************************************
+ *THE LEGACY* convert SID to id function.
+-*****************************************************************/
++*****************************************************************/
+
+ static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id)
+ {
+@@ -1465,7 +1465,7 @@ fail:
+
+ /*****************************************************************
+ *THE CANONICAL* convert SID to uid function.
+-*****************************************************************/
++*****************************************************************/
+
+ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ {
+@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid)
+ /*****************************************************************
+ *THE CANONICAL* convert SID to gid function.
+ Group mapping is used for gids that maps to Wellknown SIDs
+-*****************************************************************/
++*****************************************************************/
+
+ bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid)
+ {
+--
+2.36.0
+
+
+From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 26 Apr 2022 07:12:02 +0200
+Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name()
+
+This address an issue if sssd is running and handling nsswitch. If we look up
+a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd
+structure. We need to be able to deal with that.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jeremy Allison
+(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83)
+---
+ source3/passdb/lookup_sid.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index 3a28cdc68a6..c14d7a7b123 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
+ PTR_DIFF(p, full_name));
+ name = talloc_strdup(tmp_ctx, p+1);
+ } else {
+- domain = talloc_strdup(tmp_ctx, "");
+- name = talloc_strdup(tmp_ctx, full_name);
++ char *q = strchr_m(full_name, '@');
++
++ /* Set the domain for UPNs */
++ if (q != NULL) {
++ name = talloc_strndup(tmp_ctx,
++ full_name,
++ PTR_DIFF(q, full_name));
++ domain = talloc_strdup(tmp_ctx, q + 1);
++ } else {
++ domain = talloc_strdup(tmp_ctx, "");
++ name = talloc_strdup(tmp_ctx, full_name);
++ }
+ }
+
+ if ((domain == NULL) || (name == NULL)) {
+--
+2.36.0
+
+
+From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 26 Apr 2022 12:26:25 +0200
+Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in
+ lookup_name_smbconf()
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jeremy Allison
+(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27)
+---
+ source3/passdb/lookup_sid.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index c14d7a7b123..dbea5578f92 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ const char **ret_domain, const char **ret_name,
+ struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+- char *qualified_name;
++ char *qualified_name = NULL;
+ const char *p;
+
+ if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
+@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ /* The name is already qualified with a domain. */
+
+ if (*lp_winbind_separator() != '\\') {
+- char *tmp;
+-
+ /* lookup_name() needs '\\' as a separator */
+
+- tmp = talloc_strdup(mem_ctx, full_name);
+- if (!tmp) {
++ qualified_name = talloc_strdup(mem_ctx, full_name);
++ if (qualified_name == NULL) {
+ return false;
+ }
+- tmp[p - full_name] = '\\';
+- full_name = tmp;
++ qualified_name[p - full_name] = '\\';
++ full_name = qualified_name;
+ }
+
+ return lookup_name(mem_ctx, full_name, flags,
+--
+2.36.0
+
+
+From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 26 Apr 2022 07:24:10 +0200
+Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf()
+
+This will be changed to support UPNs too in the next patch.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jeremy Allison
+(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc)
+---
+ source3/passdb/lookup_sid.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index dbea5578f92..de9dd123239 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
+ {
+ char *qualified_name = NULL;
+- const char *p;
++ const char *p = strchr_m(full_name, *lp_winbind_separator());
++ bool is_qualified = p != NULL;
+
+- if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) {
++ if (is_qualified) {
+
+ /* The name is already qualified with a domain. */
+
+- if (*lp_winbind_separator() != '\\') {
++ if (p != NULL && *lp_winbind_separator() != '\\') {
+ /* lookup_name() needs '\\' as a separator */
+
+ qualified_name = talloc_strdup(mem_ctx, full_name);
+--
+2.36.0
+
+
+From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 26 Apr 2022 07:39:12 +0200
+Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in
+ lookup_name_smbconf()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Jeremy Allison
+(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554)
+---
+ source3/passdb/lookup_sid.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
+index de9dd123239..426ea3f81bd 100644
+--- a/source3/passdb/lookup_sid.c
++++ b/source3/passdb/lookup_sid.c
+@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx,
+ {
+ char *qualified_name = NULL;
+ const char *p = strchr_m(full_name, *lp_winbind_separator());
+- bool is_qualified = p != NULL;
++ bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL;
+
++ /* For DOMAIN\user or user@REALM directly call lookup_name(). */
+ if (is_qualified) {
+
+ /* The name is already qualified with a domain. */
+--
+2.36.0
+
diff --git a/samba.spec b/samba.spec
index 06b060f..32ed885 100644
--- a/samba.spec
+++ b/samba.spec
@@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 107 +%global baserelease 108 %global samba_version 4.15.5 %global talloc_version 2.3.3
@@ -214,6 +214,7 @@ Patch9: samba-4-15-fix-winbind-refresh-tickets.patch Patch10: samba-4-15-fix-create-local-krb5-conf.patch Patch11: samba-4-15-username-map.patch Patch12: samba-4-15-kerberos-clock-skew.patch +Patch13: samba-4-15-smbd-upn.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd
@@ -4112,6 +4113,9 @@ fi %endif %changelog +* Wed Apr 27 2022 Pavel Filipenský - 4.15.5-108 +- resolves: rhbz#2078838 - Fix UPNs handling in lookup_name*() calls + * Wed Apr 20 2022 Pavel Filipenský - 4.15.5-106 - resolves: rhbz#2065376 - Fix 'create krb5 conf = yes` when a KDC has a single IP address. - resolves: rhbz#2076504 - PAM Kerberos authentication fails with a clock skew error
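Review bot: In PATCH 2/5 the new `else` branch of lookup_name() splits `full_name` at the first '@' without checking that both sides are non-empty, so `user@` is now looked up as `user` with an empty domain and `@REALM` produces an empty `name`; before this change both strings were passed through unchanged as an unqualified name. Because the result feeds name-to-SID resolution, I would take the UPN path only when both parts exist, e.g. `if (q != NULL && q != full_name && q[1] != '\0') {`, and let everything else fall through to the existing unqualified branch; `q` can also be declared `const char *q`, matching `p` in lookup_name_smbconf(). PATCH 5/5 uses the same bare `strchr_m(full_name, '@') != NULL` test for `is_qualified` in lookup_name_smbconf(), so the same inputs bypass that function's handling of unqualified names. Whether callers can actually supply such names is not visible here, and both functions continue outside the hunks shown.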