import samba-4.15.5-105.el9_0
This commit is contained in:
parent
71695e885b
commit
7d8c09e6bd
231
SOURCES/samba-4-15-fix-autorid.patch
Normal file
231
SOURCES/samba-4-15-fix-autorid.patch
Normal file
@ -0,0 +1,231 @@
|
|||||||
|
From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 1 Feb 2022 10:06:30 +0100
|
||||||
|
Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
|
||||||
|
|
||||||
|
What we want to avoid:
|
||||||
|
|
||||||
|
$ ./bin/testparm -s | grep "idmap config"
|
||||||
|
idmap config * : rangesize = 10000
|
||||||
|
idmap config * : range = 10000-19999
|
||||||
|
idmap config * : backend = autorid
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||||
|
S-1-5-32-544 SID_ALIAS (4)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||||
|
10000
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||||
|
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||||
|
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||||
|
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||||
|
|
||||||
|
If only one range is configured we are either not able to map users/groups
|
||||||
|
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||||
|
cover the BUILTIN domain!
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||||
|
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
|
||||||
|
---
|
||||||
|
source3/winbindd/idmap_autorid.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
|
||||||
|
index ad53b5810ee..c7d56a37684 100644
|
||||||
|
--- a/source3/winbindd/idmap_autorid.c
|
||||||
|
+++ b/source3/winbindd/idmap_autorid.c
|
||||||
|
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
|
||||||
|
config->maxranges = (dom->high_id - dom->low_id + 1) /
|
||||||
|
config->rangesize;
|
||||||
|
|
||||||
|
- if (config->maxranges == 0) {
|
||||||
|
- DEBUG(1, ("Allowed uid range is smaller than rangesize. "
|
||||||
|
- "Increase uid range or decrease rangesize.\n"));
|
||||||
|
+ if (config->maxranges < 2) {
|
||||||
|
+ DBG_WARNING("Allowed idmap range is not a least double the "
|
||||||
|
+ "size of the rangesize. Please increase idmap "
|
||||||
|
+ "range.\n");
|
||||||
|
status = NT_STATUS_INVALID_PARAMETER;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 1 Feb 2022 10:07:50 +0100
|
||||||
|
Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
|
||||||
|
|
||||||
|
What we want to avoid:
|
||||||
|
|
||||||
|
$ ./bin/testparm -s | grep "idmap config"
|
||||||
|
idmap config * : rangesize = 10000
|
||||||
|
idmap config * : range = 10000-19999
|
||||||
|
idmap config * : backend = autorid
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||||
|
S-1-5-32-544 SID_ALIAS (4)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||||
|
10000
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||||
|
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||||
|
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||||
|
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||||
|
|
||||||
|
If only one range is configured we are either not able to map users/groups
|
||||||
|
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||||
|
cover the BUILTIN domain!
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||||
|
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
|
||||||
|
---
|
||||||
|
source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 51 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
||||||
|
index 98bcc219b1e..58ba46bc15f 100644
|
||||||
|
--- a/source3/utils/testparm.c
|
||||||
|
+++ b/source3/utils/testparm.c
|
||||||
|
@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
|
||||||
|
return false; /* Keep scanning */
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int idmap_config_int(const char *domname, const char *option, int def)
|
||||||
|
+{
|
||||||
|
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
|
||||||
|
+
|
||||||
|
+ if (len == -1) {
|
||||||
|
+ return def;
|
||||||
|
+ }
|
||||||
|
+ {
|
||||||
|
+ char config_option[len+1];
|
||||||
|
+ snprintf(config_option, sizeof(config_option),
|
||||||
|
+ "idmap config %s", domname);
|
||||||
|
+ return lp_parm_int(-1, config_option, option, def);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static bool do_idmap_check(void)
|
||||||
|
{
|
||||||
|
struct idmap_domains *d;
|
||||||
|
@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
|
||||||
|
rc);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Check autorid backend */
|
||||||
|
+ if (strequal(lp_idmap_default_backend(), "autorid")) {
|
||||||
|
+ struct idmap_config *c = NULL;
|
||||||
|
+ bool found = false;
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < d->count; i++) {
|
||||||
|
+ c = &d->c[i];
|
||||||
|
+
|
||||||
|
+ if (strequal(c->backend, "autorid")) {
|
||||||
|
+ found = true;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (found) {
|
||||||
|
+ uint32_t rangesize =
|
||||||
|
+ idmap_config_int("*", "rangesize", 100000);
|
||||||
|
+ uint32_t maxranges =
|
||||||
|
+ (c->high - c->low + 1) / rangesize;
|
||||||
|
+
|
||||||
|
+ if (maxranges < 2) {
|
||||||
|
+ fprintf(stderr,
|
||||||
|
+ "ERROR: The idmap autorid range "
|
||||||
|
+ "[%u-%u] needs to be at least twice as "
|
||||||
|
+ "big as the rangesize [%u]!"
|
||||||
|
+ "\n\n",
|
||||||
|
+ c->low,
|
||||||
|
+ c->high,
|
||||||
|
+ rangesize);
|
||||||
|
+ ok = false;
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check for overlapping idmap ranges */
|
||||||
|
for (i = 0; i < d->count; i++) {
|
||||||
|
struct idmap_config *c = &d->c[i];
|
||||||
|
uint32_t j;
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 1 Feb 2022 10:05:19 +0100
|
||||||
|
Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
|
||||||
|
|
||||||
|
What we want to avoid:
|
||||||
|
|
||||||
|
$ ./bin/testparm -s | grep "idmap config"
|
||||||
|
idmap config * : rangesize = 10000
|
||||||
|
idmap config * : range = 10000-19999
|
||||||
|
idmap config * : backend = autorid
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||||
|
S-1-5-32-544 SID_ALIAS (4)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||||
|
10000
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||||
|
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||||
|
|
||||||
|
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||||
|
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||||
|
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||||
|
|
||||||
|
If only one range is configured we are either not able to map users/groups
|
||||||
|
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||||
|
cover the BUILTIN domain!
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||||
|
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
|
||||||
|
---
|
||||||
|
docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
|
||||||
|
index 6c4da1cad8a..980718f0bd4 100644
|
||||||
|
--- a/docs-xml/manpages/idmap_autorid.8.xml
|
||||||
|
+++ b/docs-xml/manpages/idmap_autorid.8.xml
|
||||||
|
@@ -48,7 +48,13 @@
|
||||||
|
and the corresponding map is discarded. It is
|
||||||
|
intended as a way to avoid accidental UID/GID
|
||||||
|
overlaps between local and remotely defined
|
||||||
|
- IDs.
|
||||||
|
+ IDs. Note that the range should be a multiple
|
||||||
|
+ of the rangesize and needs to be at least twice
|
||||||
|
+ as large in order to have sufficient id range
|
||||||
|
+ space for the mandatory BUILTIN domain.
|
||||||
|
+ With a default rangesize of 100000 the range
|
||||||
|
+ needs to span at least 200000.
|
||||||
|
+ This would be: range = 100000 - 299999.
|
||||||
|
</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
477
SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
Normal file
477
SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
Normal file
@ -0,0 +1,477 @@
|
|||||||
|
From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 16:53:02 +0100
|
||||||
|
Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
testprogs/blackbox/test_net_ads.sh | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
||||||
|
index 76b394b10a9..cfafb945b62 100755
|
||||||
|
--- a/testprogs/blackbox/test_net_ads.sh
|
||||||
|
+++ b/testprogs/blackbox/test_net_ads.sh
|
||||||
|
@@ -51,6 +51,12 @@ fi
|
||||||
|
|
||||||
|
testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||||
|
|
||||||
|
+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
|
||||||
|
+testit "local krb5.conf created" \
|
||||||
|
+ test -r \
|
||||||
|
+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
|
||||||
|
+ failed=$((failed + 1))
|
||||||
|
+
|
||||||
|
testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
|
||||||
|
|
||||||
|
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:03:40 +0100
|
||||||
|
Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 75beeef4a44..60fe03fd5d7 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-/*
|
||||||
|
+/*
|
||||||
|
Unix SMB/CIFS implementation.
|
||||||
|
kerberos utility library
|
||||||
|
Copyright (C) Andrew Tridgell 2001
|
||||||
|
@@ -37,11 +37,11 @@
|
||||||
|
#define LIBADS_CCACHE_NAME "MEMORY:libads"
|
||||||
|
|
||||||
|
/*
|
||||||
|
- we use a prompter to avoid a crash bug in the kerberos libs when
|
||||||
|
+ we use a prompter to avoid a crash bug in the kerberos libs when
|
||||||
|
dealing with empty passwords
|
||||||
|
this prompter is just a string copy ...
|
||||||
|
*/
|
||||||
|
-static krb5_error_code
|
||||||
|
+static krb5_error_code
|
||||||
|
kerb_prompter(krb5_context ctx, void *data,
|
||||||
|
const char *name,
|
||||||
|
const char *banner,
|
||||||
|
@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
|
||||||
|
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
|
||||||
|
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
|
||||||
|
kerb_prompter, discard_const_p(char, password),
|
||||||
|
0, NULL, opt))) {
|
||||||
|
goto out;
|
||||||
|
@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((code = krb5_cc_destroy (ctx, cc))) {
|
||||||
|
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
|
||||||
|
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
|
||||||
|
error_message(code)));
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
|
||||||
|
int time_offset,
|
||||||
|
const char *cache_name)
|
||||||
|
{
|
||||||
|
- return kerberos_kinit_password_ext(principal,
|
||||||
|
- password,
|
||||||
|
- time_offset,
|
||||||
|
- 0,
|
||||||
|
+ return kerberos_kinit_password_ext(principal,
|
||||||
|
+ password,
|
||||||
|
+ time_offset,
|
||||||
|
+ 0,
|
||||||
|
0,
|
||||||
|
cache_name,
|
||||||
|
False,
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:04:34 +0100
|
||||||
|
Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()
|
||||||
|
|
||||||
|
This avoids useless allocations.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 17 +++++++++++------
|
||||||
|
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 60fe03fd5d7..1bf149ef09b 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
struct netlogon_samlogon_response **responses = NULL;
|
||||||
|
NTSTATUS status;
|
||||||
|
bool ok;
|
||||||
|
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
|
||||||
|
- print_canonical_sockaddr_with_port(mem_ctx, pss));
|
||||||
|
+ char *kdc_str = NULL;
|
||||||
|
|
||||||
|
+ SMB_ASSERT(pss != NULL);
|
||||||
|
+
|
||||||
|
+ kdc_str = talloc_asprintf(mem_ctx,
|
||||||
|
+ "\t\tkdc = %s\n",
|
||||||
|
+ print_canonical_sockaddr_with_port(mem_ctx,
|
||||||
|
+ pss));
|
||||||
|
if (kdc_str == NULL) {
|
||||||
|
TALLOC_FREE(frame);
|
||||||
|
return NULL;
|
||||||
|
@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- dc_addrs2 = talloc_zero_array(talloc_tos(),
|
||||||
|
- struct tsocket_address *,
|
||||||
|
- num_dcs);
|
||||||
|
-
|
||||||
|
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||||
|
if (num_dcs == 0) {
|
||||||
|
TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
|
||||||
|
+ struct tsocket_address *,
|
||||||
|
+ num_dcs);
|
||||||
|
if (dc_addrs2 == NULL) {
|
||||||
|
TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:10:47 +0100
|
||||||
|
Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 1bf149ef09b..6a46d72a156 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
|
||||||
|
result = kdc_str;
|
||||||
|
out:
|
||||||
|
- DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||||
|
+ if (result != NULL) {
|
||||||
|
+ DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||||
|
+ } else {
|
||||||
|
+ DBG_NOTICE("Failed to get KDC ip address\n");
|
||||||
|
+ }
|
||||||
|
|
||||||
|
TALLOC_FREE(ip_sa_site);
|
||||||
|
TALLOC_FREE(ip_sa_nonsite);
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:48:23 +0100
|
||||||
|
Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
|
||||||
|
get_kdc_ip_string()
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 9 +++++----
|
||||||
|
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 6a46d72a156..d1c410ffa4b 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Append to the string - inefficient but not done often. */
|
||||||
|
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
|
||||||
|
- kdc_str,
|
||||||
|
- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
+ new_kdc_str = talloc_asprintf_append(
|
||||||
|
+ kdc_str,
|
||||||
|
+ "\t\tkdc = %s\n",
|
||||||
|
+ print_canonical_sockaddr_with_port(
|
||||||
|
+ mem_ctx, &dc_addrs[i]));
|
||||||
|
if (new_kdc_str == NULL) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:56:58 +0100
|
||||||
|
Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 10 ++++------
|
||||||
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index d1c410ffa4b..aadc65a3edc 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
|
||||||
|
SMB_ASSERT(pss != NULL);
|
||||||
|
|
||||||
|
- kdc_str = talloc_asprintf(mem_ctx,
|
||||||
|
+ kdc_str = talloc_asprintf(frame,
|
||||||
|
"\t\tkdc = %s\n",
|
||||||
|
print_canonical_sockaddr_with_port(mem_ctx,
|
||||||
|
pss));
|
||||||
|
@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (sitename) {
|
||||||
|
- status = get_kdc_list(talloc_tos(),
|
||||||
|
+ status = get_kdc_list(frame,
|
||||||
|
realm,
|
||||||
|
sitename,
|
||||||
|
&ip_sa_site,
|
||||||
|
@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
|
||||||
|
/* Get all KDC's. */
|
||||||
|
|
||||||
|
- status = get_kdc_list(talloc_tos(),
|
||||||
|
+ status = get_kdc_list(frame,
|
||||||
|
realm,
|
||||||
|
NULL,
|
||||||
|
&ip_sa_nonsite,
|
||||||
|
@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
kdc_str = new_kdc_str;
|
||||||
|
}
|
||||||
|
|
||||||
|
- result = kdc_str;
|
||||||
|
+ result = talloc_move(mem_ctx, &kdc_str);
|
||||||
|
out:
|
||||||
|
if (result != NULL) {
|
||||||
|
DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||||
|
@@ -597,8 +597,6 @@ out:
|
||||||
|
DBG_NOTICE("Failed to get KDC ip address\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
- TALLOC_FREE(ip_sa_site);
|
||||||
|
- TALLOC_FREE(ip_sa_nonsite);
|
||||||
|
TALLOC_FREE(frame);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 12:57:18 +0100
|
||||||
|
Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str
|
||||||
|
|
||||||
|
This is allocated on the stackframe now!
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 12 +-----------
|
||||||
|
1 file changed, 1 insertion(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index aadc65a3edc..2087dc1e6f9 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
print_canonical_sockaddr_with_port(mem_ctx,
|
||||||
|
pss));
|
||||||
|
if (kdc_str == NULL) {
|
||||||
|
- TALLOC_FREE(frame);
|
||||||
|
- return NULL;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
|
||||||
|
if (!ok) {
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
DBG_ERR("get_kdc_list fail %s\n",
|
||||||
|
nt_errstr(status));
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
DBG_DEBUG("got %zu addresses from site %s search\n",
|
||||||
|
@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
DBG_ERR("get_kdc_list (site-less) fail %s\n",
|
||||||
|
nt_errstr(status));
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
|
||||||
|
@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
if (count_site + count_nonsite < count_site) {
|
||||||
|
/* Wrap check. */
|
||||||
|
DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
|
||||||
|
count_site + count_nonsite);
|
||||||
|
if (dc_addrs == NULL) {
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
|
||||||
|
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||||
|
if (num_dcs == 0) {
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
struct tsocket_address *,
|
||||||
|
num_dcs);
|
||||||
|
if (dc_addrs2 == NULL) {
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
status = map_nt_error_from_unix(errno);
|
||||||
|
DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
|
||||||
|
addr, nt_errstr(status)));
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
|
||||||
|
"%s\n", nt_errstr(status)));
|
||||||
|
- TALLOC_FREE(kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 13:02:05 +0100
|
||||||
|
Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
|
||||||
|
NULL in get_kdc_ip_string()
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 2087dc1e6f9..20dceeefb22 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
NTSTATUS status;
|
||||||
|
bool ok;
|
||||||
|
char *kdc_str = NULL;
|
||||||
|
+ char *canon_sockaddr = NULL;
|
||||||
|
|
||||||
|
SMB_ASSERT(pss != NULL);
|
||||||
|
|
||||||
|
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
|
||||||
|
+ if (canon_sockaddr == NULL) {
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
kdc_str = talloc_asprintf(frame,
|
||||||
|
"\t\tkdc = %s\n",
|
||||||
|
- print_canonical_sockaddr_with_port(mem_ctx,
|
||||||
|
- pss));
|
||||||
|
+ canon_sockaddr);
|
||||||
|
if (kdc_str == NULL) {
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 15 Mar 2022 13:10:06 +0100
|
||||||
|
Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf
|
||||||
|
|
||||||
|
We create an KDC ip string entry directly at the beginning, use it if we
|
||||||
|
don't have any additional DCs.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index 20dceeefb22..3fd86e87064 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||||
|
|
||||||
|
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||||
|
if (num_dcs == 0) {
|
||||||
|
+ /*
|
||||||
|
+ * We do not have additional KDCs, but we have the one passed
|
||||||
|
+ * in via `pss`. So just use that one and leave.
|
||||||
|
+ */
|
||||||
|
+ result = talloc_move(mem_ctx, &kdc_str);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
411
SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
Normal file
411
SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
Normal file
@ -0,0 +1,411 @@
|
|||||||
|
From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 12:59:44 +0100
|
||||||
|
Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
|
||||||
|
path
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
|
||||||
|
---
|
||||||
|
source3/libads/authdata.c | 11 ++++++++---
|
||||||
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
|
||||||
|
index dd21d895fc2..c048510d480 100644
|
||||||
|
--- a/source3/libads/authdata.c
|
||||||
|
+++ b/source3/libads/authdata.c
|
||||||
|
@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
|
||||||
|
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
|
||||||
|
+ DATA_BLOB tkt = data_blob_null;
|
||||||
|
+ DATA_BLOB tkt_wrapped = data_blob_null;
|
||||||
|
+ DATA_BLOB ap_rep = data_blob_null;
|
||||||
|
+ DATA_BLOB sesskey1 = data_blob_null;
|
||||||
|
const char *auth_princ = NULL;
|
||||||
|
const char *cc = "MEMORY:kerberos_return_pac";
|
||||||
|
struct auth_session_info *session_info;
|
||||||
|
@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
ZERO_STRUCT(sesskey1);
|
||||||
|
|
||||||
|
if (!name || !pass) {
|
||||||
|
- return NT_STATUS_INVALID_PARAMETER;
|
||||||
|
+ status = NT_STATUS_INVALID_PARAMETER;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cache_name) {
|
||||||
|
@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
|
||||||
|
if (expire_time && renew_till_time &&
|
||||||
|
(*expire_time == 0) && (*renew_till_time == 0)) {
|
||||||
|
- return NT_STATUS_INVALID_LOGON_TYPE;
|
||||||
|
+ status = NT_STATUS_INVALID_LOGON_TYPE;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = ads_krb5_cli_get_ticket(mem_ctx,
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 13:00:05 +0100
|
||||||
|
Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
|
||||||
|
macro
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
|
||||||
|
---
|
||||||
|
lib/krb5_wrap/krb5_samba.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||||
|
index fff5b4e2a22..42d4b950f80 100644
|
||||||
|
--- a/lib/krb5_wrap/krb5_samba.c
|
||||||
|
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||||
|
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
|
||||||
|
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
|
||||||
|
|
||||||
|
/* FIXME: we should not fall back to defaults */
|
||||||
|
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 14:28:28 +0100
|
||||||
|
Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
|
||||||
|
debug macro
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
|
||||||
|
---
|
||||||
|
lib/krb5_wrap/krb5_samba.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||||
|
index 42d4b950f80..76c2dcd2126 100644
|
||||||
|
--- a/lib/krb5_wrap/krb5_samba.c
|
||||||
|
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||||
|
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
|
||||||
|
|
||||||
|
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
|
||||||
|
if (ret) {
|
||||||
|
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
|
||||||
|
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
|
||||||
|
+ "for client '%s' and service '%s' failed: %s\n",
|
||||||
|
+ ccache_string, client_string, service_string,
|
||||||
|
+ error_message(ret));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 13:08:56 +0100
|
||||||
|
Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
|
||||||
|
kerberos_return_pac()
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
|
||||||
|
---
|
||||||
|
source3/libads/authdata.c | 22 +++++++++++++++++++++-
|
||||||
|
source3/libads/kerberos_proto.h | 2 ++
|
||||||
|
source3/utils/net_ads.c | 2 ++
|
||||||
|
source3/winbindd/winbindd_pam.c | 2 ++
|
||||||
|
4 files changed, 27 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
|
||||||
|
index c048510d480..bf9a2335445 100644
|
||||||
|
--- a/source3/libads/authdata.c
|
||||||
|
+++ b/source3/libads/authdata.c
|
||||||
|
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
time_t renewable_time,
|
||||||
|
const char *impersonate_princ_s,
|
||||||
|
const char *local_service,
|
||||||
|
+ char **_canon_principal,
|
||||||
|
+ char **_canon_realm,
|
||||||
|
struct PAC_DATA_CTR **_pac_data_ctr)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
struct auth4_context *auth_context;
|
||||||
|
struct loadparm_context *lp_ctx;
|
||||||
|
struct PAC_DATA_CTR *pac_data_ctr = NULL;
|
||||||
|
+ char *canon_principal = NULL;
|
||||||
|
+ char *canon_realm = NULL;
|
||||||
|
|
||||||
|
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||||
|
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
||||||
|
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (_canon_principal != NULL) {
|
||||||
|
+ *_canon_principal = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (_canon_realm != NULL) {
|
||||||
|
+ *_canon_realm = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (cache_name) {
|
||||||
|
cc = cache_name;
|
||||||
|
}
|
||||||
|
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
request_pac,
|
||||||
|
add_netbios_addr,
|
||||||
|
renewable_time,
|
||||||
|
- NULL, NULL, NULL,
|
||||||
|
+ tmp_ctx,
|
||||||
|
+ &canon_principal,
|
||||||
|
+ &canon_realm,
|
||||||
|
&status);
|
||||||
|
if (ret) {
|
||||||
|
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
|
||||||
|
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
|
||||||
|
+ if (_canon_principal != NULL) {
|
||||||
|
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
|
||||||
|
+ }
|
||||||
|
+ if (_canon_realm != NULL) {
|
||||||
|
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
out:
|
||||||
|
talloc_free(tmp_ctx);
|
||||||
|
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
|
||||||
|
index 3d7b5bc074b..807381248c8 100644
|
||||||
|
--- a/source3/libads/kerberos_proto.h
|
||||||
|
+++ b/source3/libads/kerberos_proto.h
|
||||||
|
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||||
|
time_t renewable_time,
|
||||||
|
const char *impersonate_princ_s,
|
||||||
|
const char *local_service,
|
||||||
|
+ char **_canon_principal,
|
||||||
|
+ char **_canon_realm,
|
||||||
|
struct PAC_DATA_CTR **pac_data_ctr);
|
||||||
|
|
||||||
|
/* The following definitions come from libads/krb5_setpw.c */
|
||||||
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
||||||
|
index 8f993f9ba4c..c41fb0afe9c 100644
|
||||||
|
--- a/source3/utils/net_ads.c
|
||||||
|
+++ b/source3/utils/net_ads.c
|
||||||
|
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
|
||||||
|
2592000, /* one month */
|
||||||
|
impersonate_princ_s,
|
||||||
|
local_service,
|
||||||
|
+ NULL,
|
||||||
|
+ NULL,
|
||||||
|
pac_data_ctr);
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
d_printf(_("failed to query kerberos PAC: %s\n"),
|
||||||
|
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||||
|
index 7606bfb4ecd..025a5cbc111 100644
|
||||||
|
--- a/source3/winbindd/winbindd_pam.c
|
||||||
|
+++ b/source3/winbindd/winbindd_pam.c
|
||||||
|
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||||
|
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||||
|
NULL,
|
||||||
|
local_service,
|
||||||
|
+ NULL,
|
||||||
|
+ NULL,
|
||||||
|
&pac_data_ctr);
|
||||||
|
if (user_ccache_file != NULL) {
|
||||||
|
gain_root_privilege();
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 13:19:02 +0100
|
||||||
|
Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
|
||||||
|
entry
|
||||||
|
|
||||||
|
They will be used later to refresh the tickets.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
|
||||||
|
---
|
||||||
|
source3/winbindd/winbindd.h | 2 ++
|
||||||
|
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
|
||||||
|
source3/winbindd/winbindd_pam.c | 14 ++++++++++----
|
||||||
|
source3/winbindd/winbindd_proto.h | 4 +++-
|
||||||
|
4 files changed, 30 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
|
||||||
|
index a6b2238cec1..dac4a1fa927 100644
|
||||||
|
--- a/source3/winbindd/winbindd.h
|
||||||
|
+++ b/source3/winbindd/winbindd.h
|
||||||
|
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
|
||||||
|
const char *service;
|
||||||
|
const char *username;
|
||||||
|
const char *realm;
|
||||||
|
+ const char *canon_principal;
|
||||||
|
+ const char *canon_realm;
|
||||||
|
struct WINBINDD_MEMORY_CREDS *cred_ptr;
|
||||||
|
int ref_count;
|
||||||
|
uid_t uid;
|
||||||
|
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
index c3077e21989..88847b1ab97 100644
|
||||||
|
--- a/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
+++ b/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||||
|
time_t create_time,
|
||||||
|
time_t ticket_end,
|
||||||
|
time_t renew_until,
|
||||||
|
- bool postponed_request)
|
||||||
|
+ bool postponed_request,
|
||||||
|
+ const char *canon_principal,
|
||||||
|
+ const char *canon_realm)
|
||||||
|
{
|
||||||
|
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
|
||||||
|
struct timeval t;
|
||||||
|
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||||
|
goto no_mem;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (canon_principal != NULL) {
|
||||||
|
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
|
||||||
|
+ if (entry->canon_principal == NULL) {
|
||||||
|
+ goto no_mem;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (canon_realm != NULL) {
|
||||||
|
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
|
||||||
|
+ if (entry->canon_realm == NULL) {
|
||||||
|
+ goto no_mem;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
entry->ccname = talloc_strdup(entry, ccname);
|
||||||
|
if (!entry->ccname) {
|
||||||
|
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||||
|
index 025a5cbc111..a24cef78440 100644
|
||||||
|
--- a/source3/winbindd/winbindd_pam.c
|
||||||
|
+++ b/source3/winbindd/winbindd_pam.c
|
||||||
|
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||||
|
const char *local_service;
|
||||||
|
uint32_t i;
|
||||||
|
struct netr_SamInfo6 *info6_copy = NULL;
|
||||||
|
+ char *canon_principal = NULL;
|
||||||
|
+ char *canon_realm = NULL;
|
||||||
|
bool ok;
|
||||||
|
|
||||||
|
*info6 = NULL;
|
||||||
|
@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||||
|
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||||
|
NULL,
|
||||||
|
local_service,
|
||||||
|
- NULL,
|
||||||
|
- NULL,
|
||||||
|
+ &canon_principal,
|
||||||
|
+ &canon_realm,
|
||||||
|
&pac_data_ctr);
|
||||||
|
if (user_ccache_file != NULL) {
|
||||||
|
gain_root_privilege();
|
||||||
|
@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||||
|
time(NULL),
|
||||||
|
ticket_lifetime,
|
||||||
|
renewal_until,
|
||||||
|
- false);
|
||||||
|
+ false,
|
||||||
|
+ canon_principal,
|
||||||
|
+ canon_realm);
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(result)) {
|
||||||
|
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
|
||||||
|
@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
|
||||||
|
time(NULL),
|
||||||
|
time(NULL) + lp_winbind_cache_time(),
|
||||||
|
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||||
|
- true);
|
||||||
|
+ true,
|
||||||
|
+ principal_s,
|
||||||
|
+ realm);
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(result)) {
|
||||||
|
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
|
||||||
|
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
|
||||||
|
index c0d653a6d77..16c23f3de40 100644
|
||||||
|
--- a/source3/winbindd/winbindd_proto.h
|
||||||
|
+++ b/source3/winbindd/winbindd_proto.h
|
||||||
|
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||||
|
time_t create_time,
|
||||||
|
time_t ticket_end,
|
||||||
|
time_t renew_until,
|
||||||
|
- bool postponed_request);
|
||||||
|
+ bool postponed_request,
|
||||||
|
+ const char *canon_principal,
|
||||||
|
+ const char *canon_realm);
|
||||||
|
NTSTATUS remove_ccache(const char *username);
|
||||||
|
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
|
||||||
|
NTSTATUS winbindd_add_memory_creds(const char *username,
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
||||||
|
|
||||||
|
From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Samuel Cabrero <scabrero@suse.de>
|
||||||
|
Date: Tue, 22 Feb 2022 14:28:44 +0100
|
||||||
|
Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
|
||||||
|
credentials
|
||||||
|
|
||||||
|
The principal name stored in the winbindd ccache entry might be an
|
||||||
|
enterprise principal name if enterprise principals are enabled. Use
|
||||||
|
the canonical name to renew the credentials.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||||
|
|
||||||
|
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||||
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
|
||||||
|
---
|
||||||
|
source3/winbindd/winbindd_cred_cache.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
index 88847b1ab97..6c65db6a73f 100644
|
||||||
|
--- a/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
+++ b/source3/winbindd/winbindd_cred_cache.c
|
||||||
|
@@ -209,7 +209,7 @@ rekinit:
|
||||||
|
set_effective_uid(entry->uid);
|
||||||
|
|
||||||
|
ret = smb_krb5_renew_ticket(entry->ccname,
|
||||||
|
- entry->principal_name,
|
||||||
|
+ entry->canon_principal,
|
||||||
|
entry->service,
|
||||||
|
&new_start);
|
||||||
|
#if defined(DEBUG_KRB5_TKT_RENEWAL)
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -132,7 +132,7 @@
|
|||||||
|
|
||||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||||
|
|
||||||
%global baserelease 101
|
%global baserelease 105
|
||||||
|
|
||||||
%global samba_version 4.15.5
|
%global samba_version 4.15.5
|
||||||
%global talloc_version 2.3.3
|
%global talloc_version 2.3.3
|
||||||
@ -209,6 +209,9 @@ Patch4: samba-disable-systemd-notifications.patch
|
|||||||
Patch5: samba-disable-ntlmssp.patch
|
Patch5: samba-disable-ntlmssp.patch
|
||||||
Patch6: samba-password-change-prompt.patch
|
Patch6: samba-password-change-prompt.patch
|
||||||
Patch7: samba-virus_scanner.patch
|
Patch7: samba-virus_scanner.patch
|
||||||
|
Patch8: samba-4-15-fix-autorid.patch
|
||||||
|
Patch9: samba-4-15-fix-winbind-refresh-tickets.patch
|
||||||
|
Patch10: samba-4-15-fix-create-local-krb5-conf.patch
|
||||||
|
|
||||||
Requires(pre): /usr/sbin/groupadd
|
Requires(pre): /usr/sbin/groupadd
|
||||||
Requires(post): systemd
|
Requires(post): systemd
|
||||||
@ -4107,6 +4110,19 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 18 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-105
|
||||||
|
- resolves: rhbz#2064765 - Fix 'create krb5 conf = yes` when a KDC has a single
|
||||||
|
IP address.
|
||||||
|
|
||||||
|
* Thu Feb 24 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-104
|
||||||
|
- resolves: rhbz#2057500 - Fix winbind kerberos ticket refresh
|
||||||
|
|
||||||
|
* Mon Feb 21 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-103
|
||||||
|
- related: rhbz#2044231 - Fix typo in testparm output
|
||||||
|
|
||||||
|
* Thu Feb 17 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-102
|
||||||
|
- resolves: rhbz#2044231 - Improve idmap autorid sanity checks and documentation
|
||||||
|
|
||||||
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
|
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
|
||||||
- resolves: #2050111 - [RFE] Change change password change prompt phrasing
|
- resolves: #2050111 - [RFE] Change change password change prompt phrasing
|
||||||
- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file
|
- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file
|
||||||
|
Loading…
Reference in New Issue
Block a user