diff --git a/samba-4-15-kerberos-clock-skew.patch b/samba-4-15-kerberos-clock-skew.patch new file mode 100644 index 0000000..1e87049 --- /dev/null +++ b/samba-4-15-kerberos-clock-skew.patch 
@@ -0,0 +1,347 @@ +From 01205e1ff2a16ecdeb99fd4153f40f917decacee Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 13 Apr 2022 11:01:00 +0200 +Subject: [PATCH 1/4] s3:winbind: Do not use domain's private data to store the + SAMR pipes + +The domain's private_data pointer is also used to store a ADS_STRUCT, +which is not allocated using talloc and there are many places casting +this pointer directly. + +The recently added samba.tests.pam_winbind_setcred was randomly failing +and after debugging it the problem was that kerberos authentication was +failing because the time_offset passed to kerberos_return_pac() was +wrong. This time_offset was retrieved from ads->auth.time_offset, where +the ads pointer was directly casted from domain->private_data but +private_data was pointing to a winbind_internal_pipes struct. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit e1f29b0970f4cac52a9cd517be6862cf69a1433a) +--- + source3/winbindd/winbindd.h | 6 ++++++ + source3/winbindd/winbindd_ndr.c | 3 +++ + source3/winbindd/winbindd_samr.c | 18 ++++++------------ + 3 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index dac4a1fa927..762844502e5 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -43,6 +43,8 @@ + + #define WB_REPLACE_CHAR '_' + ++struct winbind_internal_pipes; ++ + struct winbindd_cli_state { + struct winbindd_cli_state *prev, *next; /* Linked list pointers */ + int sock; /* Open socket from client */ +@@ -157,6 +159,10 @@ struct winbindd_domain { + + void *private_data; + ++ struct { ++ struct winbind_internal_pipes *samr_pipes; ++ } backend_data; ++ + /* A working DC */ + char *dcname; + const char *ping_dcname; +diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c +index 157ce1bff27..36901776b98 
100644 +--- a/source3/winbindd/winbindd_ndr.c ++++ b/source3/winbindd/winbindd_ndr.c +@@ -144,6 +144,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, + ndr_print_bool(ndr, "startup", r->startup); + ndr_print_winbindd_methods(ndr, "backend", r->backend); + ndr_print_ptr(ndr, "private_data", r->private_data); ++ ndr_print_ptr(ndr, ++ "backend_data.samr_pipes", ++ r->backend_data.samr_pipes); + ndr_print_string(ndr, "dcname", r->dcname); + ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); + ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); +diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c +index 5e23ff8217b..ce66adcc0c7 100644 +--- a/source3/winbindd/winbindd_samr.c ++++ b/source3/winbindd/winbindd_samr.c +@@ -130,7 +130,7 @@ static NTSTATUS open_cached_internal_pipe_conn( + { + struct winbind_internal_pipes *internal_pipes = NULL; + +- if (domain->private_data == NULL) { ++ if (domain->backend_data.samr_pipes == NULL) { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + +@@ -156,14 +156,14 @@ static NTSTATUS open_cached_internal_pipe_conn( + return status; + } + +- domain->private_data = talloc_move(domain, &internal_pipes); ++ domain->backend_data.samr_pipes = ++ talloc_move(domain, &internal_pipes); + + TALLOC_FREE(frame); + + } + +- internal_pipes = talloc_get_type_abort( +- domain->private_data, struct winbind_internal_pipes); ++ internal_pipes = domain->backend_data.samr_pipes; + + if (samr_domain_hnd) { + *samr_domain_hnd = internal_pipes->samr_domain_hnd; +@@ -188,23 +188,17 @@ static bool reset_connection_on_error(struct winbindd_domain *domain, + struct rpc_pipe_client *p, + NTSTATUS status) + { +- struct winbind_internal_pipes *internal_pipes = NULL; + struct dcerpc_binding_handle *b = p->binding_handle; + +- internal_pipes = talloc_get_type_abort( +- domain->private_data, struct winbind_internal_pipes); +- + if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) || + NT_STATUS_EQUAL(status, 
NT_STATUS_IO_DEVICE_ERROR)) + { +- TALLOC_FREE(internal_pipes); +- domain->private_data = NULL; ++ TALLOC_FREE(domain->backend_data.samr_pipes); + return true; + } + + if (!dcerpc_binding_handle_is_connected(b)) { +- TALLOC_FREE(internal_pipes); +- domain->private_data = NULL; ++ TALLOC_FREE(domain->backend_data.samr_pipes); + return true; + } + +-- +2.35.1 + + +From 79ab2a5669a1e21e96f29cecc651dccacd7ace71 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 13 Apr 2022 11:15:35 +0200 +Subject: [PATCH 2/4] s3:winbind: Simplify open_cached_internal_pipe_conn() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 91395e660a2b1b69bf74ca0b77aee416e2ac1db3) +--- + source3/winbindd/winbindd_samr.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/winbindd/winbindd_samr.c b/source3/winbindd/winbindd_samr.c +index ce66adcc0c7..20b5d758d1a 100644 +--- a/source3/winbindd/winbindd_samr.c ++++ b/source3/winbindd/winbindd_samr.c +@@ -128,9 +128,10 @@ static NTSTATUS open_cached_internal_pipe_conn( + struct rpc_pipe_client **lsa_pipe, + struct policy_handle *lsa_hnd) + { +- struct winbind_internal_pipes *internal_pipes = NULL; ++ struct winbind_internal_pipes *internal_pipes = ++ domain->backend_data.samr_pipes; + +- if (domain->backend_data.samr_pipes == NULL) { ++ if (internal_pipes == NULL) { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + +@@ -157,14 +158,11 @@ static NTSTATUS open_cached_internal_pipe_conn( + } + + domain->backend_data.samr_pipes = +- talloc_move(domain, &internal_pipes); ++ talloc_steal(domain, internal_pipes); + + TALLOC_FREE(frame); +- + } + +- internal_pipes = domain->backend_data.samr_pipes; +- + if (samr_domain_hnd) { + *samr_domain_hnd = internal_pipes->samr_domain_hnd; + } +-- +2.35.1 + + +From d57f54deef45c638093717378adc1a0743699ae8 Mon Sep 17 00:00:00 2001 
+From: Samuel Cabrero +Date: Wed, 13 Apr 2022 11:31:45 +0200 +Subject: [PATCH 3/4] s3:winbind: Do not use domain's private data to store the + ADS_STRUCT + +The ADS_STRUCT is not allocated using talloc and there are many places +casting this pointer directly so use a typed pointer. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3cb256439e9ceece26c2de82293c43486543e0cb) +--- + source3/winbindd/winbindd.h | 2 ++ + source3/winbindd/winbindd_ads.c | 10 +++++----- + source3/winbindd/winbindd_ndr.c | 3 +++ + source3/winbindd/winbindd_pam.c | 6 ++---- + 4 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index 762844502e5..3cc88367b90 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -44,6 +44,7 @@ + #define WB_REPLACE_CHAR '_' + + struct winbind_internal_pipes; ++struct ads_struct; + + struct winbindd_cli_state { + struct winbindd_cli_state *prev, *next; /* Linked list pointers */ +@@ -161,6 +162,7 @@ struct winbindd_domain { + + struct { + struct winbind_internal_pipes *samr_pipes; ++ struct ads_struct *ads_conn; + } backend_data; + + /* A working DC */ +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 6f01ef6e334..d350f160223 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -269,10 +269,10 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) + } + + DEBUG(10,("ads_cached_connection\n")); +- ads_cached_connection_reuse((ADS_STRUCT **)&domain->private_data); ++ ads_cached_connection_reuse(&domain->backend_data.ads_conn); + +- if (domain->private_data) { +- return (ADS_STRUCT *)domain->private_data; ++ if (domain->backend_data.ads_conn != NULL) { ++ return domain->backend_data.ads_conn; + } + + /* the machine acct password might have 
change - fetch it every time */ +@@ -303,7 +303,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) + } + + status = ads_cached_connection_connect( +- (ADS_STRUCT **)&domain->private_data, ++ &domain->backend_data.ads_conn, + domain->alt_name, + domain->name, NULL, + password, realm, +@@ -322,7 +322,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) + return NULL; + } + +- return (ADS_STRUCT *)domain->private_data; ++ return domain->backend_data.ads_conn; + } + + /* Query display info for a realm. This is the basic user list fn */ +diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c +index 36901776b98..94ce9d73747 100644 +--- a/source3/winbindd/winbindd_ndr.c ++++ b/source3/winbindd/winbindd_ndr.c +@@ -147,6 +147,9 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, + ndr_print_ptr(ndr, + "backend_data.samr_pipes", + r->backend_data.samr_pipes); ++ ndr_print_ptr(ndr, ++ "backend_data.ads_conn", ++ r->backend_data.ads_conn); + ndr_print_string(ndr, "dcname", r->dcname); + ndr_print_sockaddr_storage(ndr, "dcaddr", &r->dcaddr); + ndr_print_time_t(ndr, "last_seq_check", r->last_seq_check); +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 1a2628b50ba..5505220335f 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -677,7 +677,6 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + fstring name_namespace, name_domain, name_user; + time_t ticket_lifetime = 0; + time_t renewal_until = 0; +- ADS_STRUCT *ads; + time_t time_offset = 0; + const char *user_ccache_file; + struct PAC_LOGON_INFO *logon_info = NULL; +@@ -716,9 +715,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + /* 2nd step: + * get kerberos properties */ + +- if (domain->private_data) { +- ads = (ADS_STRUCT *)domain->private_data; +- time_offset = ads->auth.time_offset; ++ if (domain->backend_data.ads_conn != NULL) { 
++ time_offset = domain->backend_data.ads_conn->auth.time_offset; + } + + +-- +2.35.1 + + +From e32528fd5abbace15b3aad2c7cec8d9c6ade7bf7 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 13 Apr 2022 11:34:18 +0200 +Subject: [PATCH 4/4] s3:winbind: Remove no longer used domain's private_data + pointer + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15046 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit a6d6ae3cfcd64a85f82ec5b12253ca0e237d95bb) +--- + source3/winbindd/winbindd.h | 4 ---- + source3/winbindd/winbindd_ndr.c | 1 - + 2 files changed, 5 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index 3cc88367b90..fe286a9a686 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -156,10 +156,6 @@ struct winbindd_domain { + */ + struct winbindd_methods *backend; + +- /* Private data for the backends (used for connection cache) */ +- +- void *private_data; +- + struct { + struct winbind_internal_pipes *samr_pipes; + struct ads_struct *ads_conn; +diff --git a/source3/winbindd/winbindd_ndr.c b/source3/winbindd/winbindd_ndr.c +index 94ce9d73747..b393586a692 100644 +--- a/source3/winbindd/winbindd_ndr.c ++++ b/source3/winbindd/winbindd_ndr.c +@@ -143,7 +143,6 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr, + ndr_print_time_t(ndr, "startup_time", r->startup_time); + ndr_print_bool(ndr, "startup", r->startup); + ndr_print_winbindd_methods(ndr, "backend", r->backend); +- ndr_print_ptr(ndr, "private_data", r->private_data); + ndr_print_ptr(ndr, + "backend_data.samr_pipes", + r->backend_data.samr_pipes); +-- +2.35.1 + diff --git a/samba-4-15-smbd-upn.patch b/samba-4-15-smbd-upn.patch new file mode 100644 index 0000000..703a7d6 --- /dev/null +++ b/samba-4-15-smbd-upn.patch 
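Review bot: The new `backend_data` struct added to `struct winbindd_domain` in winbindd.h carries no ownership comment, although its two members have different lifetimes: `samr_pipes` is talloc-owned by `domain` (`talloc_move`/`talloc_steal` and `TALLOC_FREE` in winbindd_samr.c), while `ads_conn` is an `ADS_STRUCT` that the commit message says is not talloc-allocated and is handled through `ads_cached_connection_reuse()`/`ads_cached_connection_connect()`. The comment `/* Private data for the backends (used for connection cache) */` that patch 4/4 deletes together with `private_data` should be carried over to the new struct, e.g. `/* Per-backend connection cache. samr_pipes is talloc-owned by this domain; ads_conn is an ADS_STRUCT that is not talloc-allocated and must not be TALLOC_FREE'd. */`. Making the ownership explicit at the declaration is what guards against a repeat of the confusion this series fixes, where a `winbind_internal_pipes` pointer was read as an `ADS_STRUCT` to obtain the Kerberos `time_offset` in winbindd_pam.c.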
@@ -0,0 +1,273 @@ +From 25465d0bc77dd712b3d94e488f2cf0583fd7ac04 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 26 Apr 2022 07:10:56 +0200 +Subject: [PATCH 1/5] s3:passdb: Remove trailing spaces in lookup_sid.c + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 756cd0eed30322ae6dbd5402ec11441387475884) +--- + source3/passdb/lookup_sid.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index a551bcfd24a..3a28cdc68a6 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -1,4 +1,4 @@ +-/* ++/* + Unix SMB/CIFS implementation. + uid/user handling + Copyright (C) Andrew Tridgell 1992-1998 +@@ -72,7 +72,7 @@ static bool lookup_unix_group_name(const char *name, struct dom_sid *sid) + If an explicit domain name was given in the form domain\user, it + has to try that. If no explicit domain name was given, we have + to do guesswork. +-*****************************************************************/ ++*****************************************************************/ + + bool lookup_name(TALLOC_CTX *mem_ctx, + const char *full_name, int flags, +@@ -300,7 +300,7 @@ bool lookup_name(TALLOC_CTX *mem_ctx, + goto ok; + } + +- /* 6. Builtin aliases */ ++ /* 6. Builtin aliases */ + + if ((flags & LOOKUP_NAME_BUILTIN) && + lookup_builtin_name(name, &rid)) +@@ -882,7 +882,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, + } + + /* First build up the data structures: +- * ++ * + * dom_infos is a list of domains referenced in the list of + * SIDs. Later we will walk the list of domains and look up the RIDs + * in bulk. +@@ -1070,7 +1070,7 @@ NTSTATUS lookup_sids(TALLOC_CTX *mem_ctx, int num_sids, + + /***************************************************************** + *THE CANONICAL* convert SID to name function. 
+-*****************************************************************/ ++*****************************************************************/ + + bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + const char **ret_domain, const char **ret_name, +@@ -1104,7 +1104,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + goto done; + } + +- if ((ret_name != NULL) && ++ if ((ret_name != NULL) && + !(*ret_name = talloc_strdup(mem_ctx, name->name))) { + goto done; + } +@@ -1130,7 +1130,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, + + /***************************************************************** + *THE LEGACY* convert SID to id function. +-*****************************************************************/ ++*****************************************************************/ + + static bool legacy_sid_to_unixid(const struct dom_sid *psid, struct unixid *id) + { +@@ -1465,7 +1465,7 @@ fail: + + /***************************************************************** + *THE CANONICAL* convert SID to uid function. +-*****************************************************************/ ++*****************************************************************/ + + bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) + { +@@ -1527,7 +1527,7 @@ bool sid_to_uid(const struct dom_sid *psid, uid_t *puid) + /***************************************************************** + *THE CANONICAL* convert SID to gid function. 
+ Group mapping is used for gids that maps to Wellknown SIDs +-*****************************************************************/ ++*****************************************************************/ + + bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid) + { +-- +2.36.0 + + +From e884efce61290ad6f4125ab4e3adb08bcc1a800d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 26 Apr 2022 07:12:02 +0200 +Subject: [PATCH 2/5] s3:passdb: Add support to handle UPNs in lookup_name() + +This address an issue if sssd is running and handling nsswitch. If we look up +a user with getpwnam("DOMAIN\user") it will return user@REALM in the passwd +structure. We need to be able to deal with that. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 2a03fb91c1120718ada9d4b8421044cb7eae7b83) +--- + source3/passdb/lookup_sid.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index 3a28cdc68a6..c14d7a7b123 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -100,8 +100,18 @@ bool lookup_name(TALLOC_CTX *mem_ctx, + PTR_DIFF(p, full_name)); + name = talloc_strdup(tmp_ctx, p+1); + } else { +- domain = talloc_strdup(tmp_ctx, ""); +- name = talloc_strdup(tmp_ctx, full_name); ++ char *q = strchr_m(full_name, '@'); ++ ++ /* Set the domain for UPNs */ ++ if (q != NULL) { ++ name = talloc_strndup(tmp_ctx, ++ full_name, ++ PTR_DIFF(q, full_name)); ++ domain = talloc_strdup(tmp_ctx, q + 1); ++ } else { ++ domain = talloc_strdup(tmp_ctx, ""); ++ name = talloc_strdup(tmp_ctx, full_name); ++ } + } + + if ((domain == NULL) || (name == NULL)) { +-- +2.36.0 + + +From cc548efd5fa1783e8412e7ac695c8d6be3323d67 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 26 Apr 2022 12:26:25 +0200 +Subject: [PATCH 3/5] s3:passdb: Use already defined pointer in + 
lookup_name_smbconf() + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit ed8e466854d6d8d6120388716a7b604df7a4db27) +--- + source3/passdb/lookup_sid.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index c14d7a7b123..dbea5578f92 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -464,7 +464,7 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, + const char **ret_domain, const char **ret_name, + struct dom_sid *ret_sid, enum lsa_SidType *ret_type) + { +- char *qualified_name; ++ char *qualified_name = NULL; + const char *p; + + if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { +@@ -472,16 +472,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, + /* The name is already qualified with a domain. */ + + if (*lp_winbind_separator() != '\\') { +- char *tmp; +- + /* lookup_name() needs '\\' as a separator */ + +- tmp = talloc_strdup(mem_ctx, full_name); +- if (!tmp) { ++ qualified_name = talloc_strdup(mem_ctx, full_name); ++ if (qualified_name == NULL) { + return false; + } +- tmp[p - full_name] = '\\'; +- full_name = tmp; ++ qualified_name[p - full_name] = '\\'; ++ full_name = qualified_name; + } + + return lookup_name(mem_ctx, full_name, flags, +-- +2.36.0 + + +From 3ee3336f4a3fbb80ccabe6c1494a68286af55437 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 26 Apr 2022 07:24:10 +0200 +Subject: [PATCH 4/5] s3:passdb: Refactor lookup_name_smbconf() + +This will be changed to support UPNs too in the next patch. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 2690310743920dfe20ac235c1e3617e0f421eddc) +--- + source3/passdb/lookup_sid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index dbea5578f92..de9dd123239 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -465,13 +465,14 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, + struct dom_sid *ret_sid, enum lsa_SidType *ret_type) + { + char *qualified_name = NULL; +- const char *p; ++ const char *p = strchr_m(full_name, *lp_winbind_separator()); ++ bool is_qualified = p != NULL; + +- if ((p = strchr_m(full_name, *lp_winbind_separator())) != NULL) { ++ if (is_qualified) { + + /* The name is already qualified with a domain. */ + +- if (*lp_winbind_separator() != '\\') { ++ if (p != NULL && *lp_winbind_separator() != '\\') { + /* lookup_name() needs '\\' as a separator */ + + qualified_name = talloc_strdup(mem_ctx, full_name); +-- +2.36.0 + + +From 1baa5b170c36854eaa0a5f2c9aba29d50194f750 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 26 Apr 2022 07:39:12 +0200 +Subject: [PATCH 5/5] s3:passdb: Also allow to handle UPNs in + lookup_name_smbconf() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15054 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 28fc44f2852046d03cada161ed1001d04d9e1554) +--- + source3/passdb/lookup_sid.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c +index de9dd123239..426ea3f81bd 100644 +--- a/source3/passdb/lookup_sid.c ++++ b/source3/passdb/lookup_sid.c +@@ -466,8 +466,9 @@ bool lookup_name_smbconf(TALLOC_CTX *mem_ctx, + { + char *qualified_name = NULL; + const char *p = strchr_m(full_name, *lp_winbind_separator()); +- bool is_qualified = p != 
NULL; ++ bool is_qualified = p != NULL || strchr_m(full_name, '@') != NULL; + ++ /* For DOMAIN\user or user@REALM directly call lookup_name(). */ + if (is_qualified) { + + /* The name is already qualified with a domain. */ +-- +2.36.0 + diff --git a/samba-4-15-username-map.patch b/samba-4-15-username-map.patch new file mode 100644 index 0000000..0687115 --- /dev/null +++ b/samba-4-15-username-map.patch 
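Review bot: The `'@'` branch added to lookup_name() in patch 2/5 treats any unqualified name containing `@` as `user@REALM`, so a trailing `@` yields an empty domain, a leading `@` yields an empty name, and a local account whose name legitimately contains `@` is no longer looked up under its literal string; I would at least keep the degenerate forms on the old path with `if (q != NULL && q != full_name && q[1] != '\0') {` and replace `/* Set the domain for UPNs */` with `/* user@REALM is a UPN: the realm becomes the domain part */`. lookup_name() begins before the hunk, so whether a later step still tries the full name for local users is not visible here. The same `strchr_m(full_name, '@')` test is repeated in lookup_name_smbconf() in patch 5/5 and should follow whatever rule is chosen here so both functions agree on what counts as a UPN.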
@@ -0,0 +1,321 @@ +From 438284e1025a96dfa2eb0928de99226f580f356f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 1 Apr 2022 15:56:30 +0200 +Subject: [PATCH 1/5] selftest: Create users "jackthemapper" and "jacknomapper" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit 1b0146182224fe01ed70815364656a626038685a) +--- + selftest/target/Samba3.pm | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 62fb3d1e39e..b0ea9804c50 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1466,8 +1466,10 @@ sub setup_ad_member_idmap_nss + my $extra_member_options = " + # bob:x:65521:65531:localbob gecos:/:/bin/false + # jane:x:65520:65531:localjane gecos:/:/bin/false ++ # jackthemapper:x:65519:65531:localjackthemaper gecos:/:/bin/false ++ # jacknomapper:x:65518:65531:localjacknomaper gecos:/:/bin/false + idmap config $dcvars->{DOMAIN} : backend = nss +- idmap config $dcvars->{DOMAIN} : range = 65520-65521 ++ idmap config $dcvars->{DOMAIN} : range = 65518-65521 + + # Support SMB1 so that we can use posix_whoami(). 
+ client min protocol = CORE +@@ -2532,6 +2534,8 @@ sub provision($$) + my ($uid_slashuser); + my ($uid_localbob); + my ($uid_localjane); ++ my ($uid_localjackthemapper); ++ my ($uid_localjacknomapper); + + if ($unix_uid < 0xffff - 13) { + $max_uid = 0xffff; +@@ -2554,6 +2558,8 @@ sub provision($$) + $uid_slashuser = $max_uid - 13; + $uid_localbob = $max_uid - 14; + $uid_localjane = $max_uid - 15; ++ $uid_localjackthemapper = $max_uid - 16; ++ $uid_localjacknomapper = $max_uid - 17; + + if ($unix_gids[0] < 0xffff - 8) { + $max_gid = 0xffff; +@@ -3298,6 +3304,8 @@ eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false + slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false + bob:x:$uid_localbob:$gid_domusers:localbob gecos:/:/bin/false + jane:x:$uid_localjane:$gid_domusers:localjane gecos:/:/bin/false ++jackthemapper:x:$uid_localjackthemapper:$gid_domusers:localjackthemaper gecos:/:/bin/false ++jacknomapper:x:$uid_localjacknomapper:$gid_domusers:localjacknomaper gecos:/:/bin/false + "; + if ($unix_uid != 0) { + print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false +@@ -3362,6 +3370,8 @@ force_user:x:$gid_force_user: + createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); + createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); + createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); ++ createuser($self, "jackthemapper", "mApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jackthemapper"); ++ createuser($self, "jacknomapper", "nOmApsEcrEt", $conffile, \%createuser_env) || die("Unable to create jacknomapper"); + + open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); + print DNS_UPDATE_LIST "A $server. 
$server_ip\n"; +-- +2.34.1 + + +From 28bf2f4c52105fc11515c58e13b935ae046399b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 08:30:23 +0200 +Subject: [PATCH 2/5] selftest: Create groups "jackthemappergroup" and + "jacknomappergroup" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit 26e4268d6e3bde74520e36f3ca3cc9d979292d1d) +--- + selftest/target/Samba3.pm | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b0ea9804c50..131034a0e07 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -2527,6 +2527,8 @@ sub provision($$) + my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins); + my ($gid_userdup, $gid_everyone); + my ($gid_force_user); ++ my ($gid_jackthemapper); ++ my ($gid_jacknomapper); + my ($uid_user1); + my ($uid_user2); + my ($uid_gooduser); +@@ -2575,6 +2577,8 @@ sub provision($$) + $gid_userdup = $max_gid - 6; + $gid_everyone = $max_gid - 7; + $gid_force_user = $max_gid - 8; ++ $gid_jackthemapper = $max_gid - 9; ++ $gid_jacknomapper = $max_gid - 10; + + ## + ## create conffile +@@ -3325,6 +3329,8 @@ domadmins:X:$gid_domadmins: + userdup:x:$gid_userdup:$unix_name + everyone:x:$gid_everyone: + force_user:x:$gid_force_user: ++jackthemappergroup:x:$gid_jackthemapper:jackthemapper ++jacknomappergroup:x:$gid_jacknomapper:jacknomapper + "; + if ($unix_gids[0] != 0) { + print GROUP "root:x:$gid_root: +-- +2.34.1 + + +From deadcd6a919188a75157e54b2fd772e4bf18d4fc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 08:31:41 +0200 +Subject: [PATCH 3/5] selftest: Add to "username.map" mapping for + jackthemappergroup +MIME-Version: 1.0 +Content-Type: text/plain; 
charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Only for environment ad_member_idmap_nss. + +* !jacknompapper = \@jackthemappergroup + jackthemaper from group jackthemappergroup is mapped to jacknompapper + +* !root = jacknomappergroup + since there is no '@' or '+' prefix, it is not an UNIX group mapping + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit 0feeb6d58a6d6b1949faa842473053af4562c979) +--- + selftest/target/Samba3.pm | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 131034a0e07..8d309f9c99a 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1490,6 +1490,8 @@ sub setup_ad_member_idmap_nss + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " ++!jacknomapper = \@jackthemappergroup ++!root = jacknomappergroup + root = $dcvars->{DOMAIN}/root + bob = $dcvars->{DOMAIN}/bob + "; +-- +2.34.1 + + +From edf5d5641de92665c30804be6825040d7b0862af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 5 Apr 2022 14:04:52 +0200 +Subject: [PATCH 4/5] s3:tests Test "username map" for UNIX groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power +(cherry picked from commit af8747a28bd62937a01fa4648f404bd0b09a44c0) +--- + selftest/knownfail.d/usernamemap | 1 + + source3/script/tests/test_usernamemap.sh | 28 ++++++++++++++++++++++++ + source3/selftest/tests.py | 2 ++ + 3 files changed, 31 insertions(+) + create mode 100644 selftest/knownfail.d/usernamemap + create mode 100755 source3/script/tests/test_usernamemap.sh + +diff --git a/selftest/knownfail.d/usernamemap 
b/selftest/knownfail.d/usernamemap +new file mode 100644 +index 00000000000..1c720fe892d +--- /dev/null ++++ b/selftest/knownfail.d/usernamemap +@@ -0,0 +1 @@ ++samba3.blackbox.smbclient_usernamemap.jacknomapper +diff --git a/source3/script/tests/test_usernamemap.sh b/source3/script/tests/test_usernamemap.sh +new file mode 100755 +index 00000000000..3a3344a8781 +--- /dev/null ++++ b/source3/script/tests/test_usernamemap.sh +@@ -0,0 +1,28 @@ ++#!/bin/sh ++# ++# Copyright (c) 2022 Pavel Filipenský ++# ++# Tests for "username map" smb.conf parameter for UNIX groups ++ ++if [ $# -lt 2 ]; then ++cat < +Date: Fri, 25 Mar 2022 11:11:50 +0100 +Subject: [PATCH 5/5] s3:auth: Fix user_in_list() for UNIX groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15041 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Noel Power + +Autobuild-User(master): Noel Power +Autobuild-Date(master): Thu Apr 7 09:49:44 UTC 2022 on sn-devel-184 + +(cherry picked from commit 6dc463d3e2eb229df1c4f620cfcaf22ac71738d4) +--- + selftest/knownfail.d/usernamemap | 1 - + source3/auth/user_util.c | 12 +++++++----- + 2 files changed, 7 insertions(+), 6 deletions(-) + delete mode 100644 selftest/knownfail.d/usernamemap + +diff --git a/selftest/knownfail.d/usernamemap b/selftest/knownfail.d/usernamemap +deleted file mode 100644 +index 1c720fe892d..00000000000 +--- a/selftest/knownfail.d/usernamemap ++++ /dev/null +@@ -1 +0,0 @@ +-samba3.blackbox.smbclient_usernamemap.jacknomapper +diff --git a/source3/auth/user_util.c b/source3/auth/user_util.c +index 70b4f320c5e..aa765c2a692 100644 +--- a/source3/auth/user_util.c ++++ b/source3/auth/user_util.c +@@ -143,11 +143,11 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) + return false; + } + +- DBG_DEBUG("Checking user %s in list\n", user); +- + while (*list) { + const char *p = *list; +- bool ok; ++ bool 
check_unix_group = false; ++ ++ DBG_DEBUG("Checking user '%s' in list '%s'.\n", user, *list); + + /* Check raw username */ + if (strequal(user, p)) { +@@ -155,11 +155,13 @@ bool user_in_list(TALLOC_CTX *ctx, const char *user, const char * const *list) + } + + while (*p == '@' || *p == '&' || *p == '+') { ++ if (*p == '@' || *p == '+') { ++ check_unix_group = true; ++ } + p++; + } + +- ok = user_in_group(user, p); +- if (ok) { ++ if (check_unix_group && user_in_group(user, p)) { + return true; + } + +-- +2.34.1 + diff --git a/samba.spec b/samba.spec index c6c58a6..7a41d67 100644 --- a/samba.spec +++ b/samba.spec @@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 5 +%global baserelease 8 %global samba_version 4.15.5 %global talloc_version 2.3.3 @@ -212,6 +212,9 @@ Patch7: samba-virus_scanner.patch Patch8: samba-4-15-fix-autorid.patch Patch9: samba-4-15-fix-winbind-refresh-tickets.patch Patch10: samba-4-15-fix-create-local-krb5-conf.patch +Patch11: samba-4-15-username-map.patch +Patch12: samba-4-15-kerberos-clock-skew.patch +Patch13: samba-4-15-smbd-upn.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd 
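Review bot: In the patched user_in_list() (patch 5/5, source3/auth/user_util.c) a list entry written with only the `&` prefix is now never matched: the `while` loop still skips the `&` character, but `check_unix_group` is set only for `@` and `+`, so after the `strequal` test nothing is checked for `&name` and the loop moves on silently. If `&` is meant to denote something other than a UNIX group (the old code passed every stripped name to user_in_group(), whose handling is outside this hunk), that should be stated in a comment above the loop and made visible at debug level, e.g. `DBG_DEBUG("List entry '%s' has no UNIX group prefix, skipping group check\n", *list);` before the `if (check_unix_group && ...)` test. user_in_list() starts and continues outside the hunk.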
@@ -4110,9 +4113,15 @@ fi %endif %changelog -* Wed Mar 16 2022 Andreas Schneider - 4.15.5-5 -- resolves: rhbz#2064325 - Fix 'create krb5 conf = yes` when a KDC has a - single IP address. +* Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8 +- resolves: rhbz#2070522 - Fix UPNs handling in lookup_name*() calls + +* Wed Apr 20 2022 Pavel Filipenský - 4.15.5-7 +- resolves: rhbz#2076505 - PAM Kerberos authentication fails with a clock skew error + +* Wed Apr 13 2022 Pavel Filipenský - 4.15.5-6 +- resolves: rhbz#2059151 - Fix username map for unix groups +- resolves: rhbz#2065212 - Fix 'create krb5 conf = yes` when a KDC has a single IP address. * Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 - resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh