parent
0fe8d6657b
commit
9220df7904
1
.gitignore
vendored
1
.gitignore
vendored
@ -27,3 +27,4 @@ samba-3.6.0pre1.tar.gz
|
||||
/samba-4.0.6.tar.bz2
|
||||
/samba-4.0.7.tar.xz
|
||||
/samba-4.1.0rc1.tar.xz
|
||||
/samba-4.1.0rc2.tar.xz
|
||||
|
@ -1,406 +0,0 @@
|
||||
From bc7060261e5ad4db03d49414f8d3910ae231b79f Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 3 Apr 2013 15:52:06 +0300
|
||||
Subject: [PATCH 1/4] wafsamba: fix samba_abi for default catch-all case
|
||||
|
||||
Only filter out the symbol when positive match was not found and there is
|
||||
negative match.
|
||||
|
||||
ABI signature file generator worked incorrectly for cases when mixture of
|
||||
positive and negative matches were provided. This resulted in generating empty
|
||||
signature file for libpdb since there was no catch-all positive match anymore.
|
||||
|
||||
Commit 9ba44cc610426fb558b49aa9680b5bdf55c29082 removed explicit '*' positive
|
||||
match and corresponding vscript generator adds '*' by default if global match
|
||||
list is empty, so this commit introduces feature parity into signature
|
||||
generator.
|
||||
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
buildtools/wafsamba/samba_abi.py | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
|
||||
index 488dab8..76acd00 100644
|
||||
--- a/buildtools/wafsamba/samba_abi.py
|
||||
+++ b/buildtools/wafsamba/samba_abi.py
|
||||
@@ -50,13 +50,15 @@ def parse_sigs(sigs, abi_match):
|
||||
sa = s.split(':')
|
||||
if abi_match:
|
||||
matched = False
|
||||
+ negative = False
|
||||
for p in abi_match:
|
||||
if p[0] == '!' and fnmatch.fnmatch(sa[0], p[1:]):
|
||||
+ negative = True
|
||||
break
|
||||
elif fnmatch.fnmatch(sa[0], p):
|
||||
matched = True
|
||||
break
|
||||
- if not matched:
|
||||
+ if (not matched) and negative:
|
||||
continue
|
||||
Logs.debug("%s -> %s" % (sa[1], normalise_signature(sa[1])))
|
||||
ret[sa[0]] = normalise_signature(sa[1])
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
From ff9cbe37219a41ceb0c624a995f12692f6634760 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 3 Apr 2013 16:01:34 +0300
|
||||
Subject: [PATCH 2/4] s3-waf: filter out ldapsam internal init functions
|
||||
|
||||
pdb_ldapsam_init* functions (init and init_common) are used in
|
||||
pdb_ipa.c and pdb_nds.c which are always linked together with
|
||||
pdb_ldap.c where pdb_ldapsam_init* functions reside.
|
||||
|
||||
Tested with both ldapsam integrated (into libpdb) and as
|
||||
a separate module.
|
||||
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/wscript_build | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/source3/wscript_build b/source3/wscript_build
|
||||
index 02040bf..fd20b81 100755
|
||||
--- a/source3/wscript_build
|
||||
+++ b/source3/wscript_build
|
||||
@@ -716,6 +716,7 @@ ldapsam_pdb_match = ['!priv2ld', '!smbldap_search_domain_info',
|
||||
'!get_attr_list']
|
||||
private_pdb_match.append('!pdb_nds_*')
|
||||
private_pdb_match.append('!pdb_init_ldapsam')
|
||||
+private_pdb_match.append('!pdb_ldapsam_init*')
|
||||
private_pdb_match = private_pdb_match + ldapsam_pdb_match
|
||||
|
||||
private_pdb_match = private_pdb_match + map(lambda x: '!pdb_%s_init' % x, static_pdb_match)
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
From 67e4a28c0b14259f0f25a292f91924f82c84bae1 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 3 Apr 2013 16:37:00 +0300
|
||||
Subject: [PATCH 3/4] PASSDB: add support to set and enumerate UPN suffixes
|
||||
associated with our forest
|
||||
|
||||
Samba PDC may manage a forest containing DNS domains in addition to the primary one.
|
||||
Information about them is advertised via netr_DsRGetForestTrustInformation when
|
||||
trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and
|
||||
via netr_GetForestTrustInformation.
|
||||
|
||||
This changeset only expands PASSDB API; how suffixes are maintained is left
|
||||
to specific PDB modules. Set function is added so that suffixes could be
|
||||
managed through 'net' and other Samba utilities, if possible.
|
||||
|
||||
One possible implementation is available for ipasam module in FreeIPA:
|
||||
http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4
|
||||
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/include/passdb.h | 18 +++++++++++++++++-
|
||||
source3/passdb/ABI/pdb-0.sigs | 2 ++
|
||||
source3/passdb/pdb_interface.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
3 files changed, 55 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
|
||||
index 908631d..5e5a7bf 100644
|
||||
--- a/source3/include/passdb.h
|
||||
+++ b/source3/include/passdb.h
|
||||
@@ -412,9 +412,10 @@ enum pdb_policy_type {
|
||||
* Changed to 18, pdb_rid_algorithm -> pdb_capabilities
|
||||
* Changed to 19, removed uid_to_rid
|
||||
* Changed to 20, pdb_secret calls
|
||||
+ * Changed to 21, set/enum_upn_suffixes. AB.
|
||||
*/
|
||||
|
||||
-#define PASSDB_INTERFACE_VERSION 20
|
||||
+#define PASSDB_INTERFACE_VERSION 21
|
||||
|
||||
struct pdb_methods
|
||||
{
|
||||
@@ -614,6 +615,15 @@ struct pdb_methods
|
||||
NTSTATUS (*delete_secret)(struct pdb_methods *methods,
|
||||
const char *secret_name);
|
||||
|
||||
+ NTSTATUS (*enum_upn_suffixes)(struct pdb_methods *methods,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ uint32_t *num_suffixes,
|
||||
+ char ***suffixes);
|
||||
+
|
||||
+ NTSTATUS (*set_upn_suffixes)(struct pdb_methods *methods,
|
||||
+ uint32_t num_suffixes,
|
||||
+ const char **suffixes);
|
||||
+
|
||||
void *private_data; /* Private data of some kind */
|
||||
|
||||
void (*free_private_data)(void **);
|
||||
@@ -911,6 +921,12 @@ NTSTATUS pdb_delete_secret(const char *secret_name);
|
||||
bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
|
||||
struct unixid *id);
|
||||
|
||||
+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
|
||||
+ uint32_t *num_suffixes,
|
||||
+ char ***suffixes);
|
||||
+
|
||||
+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
|
||||
+ const char **suffixes);
|
||||
|
||||
/* The following definitions come from passdb/pdb_util.c */
|
||||
|
||||
diff --git a/source3/passdb/ABI/pdb-0.sigs b/source3/passdb/ABI/pdb-0.sigs
|
||||
index 4108b9a..51810ef 100644
|
||||
--- a/source3/passdb/ABI/pdb-0.sigs
|
||||
+++ b/source3/passdb/ABI/pdb-0.sigs
|
||||
@@ -112,6 +112,7 @@ pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t
|
||||
pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *)
|
||||
pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***)
|
||||
pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***)
|
||||
+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***)
|
||||
pdb_find_backend_entry: struct pdb_init_function_entry *(const char *)
|
||||
pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *)
|
||||
pdb_get_acct_ctrl: uint32_t (const struct samu *)
|
||||
@@ -230,6 +231,7 @@ pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain
|
||||
pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *)
|
||||
pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *)
|
||||
pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state)
|
||||
+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **)
|
||||
pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state)
|
||||
pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state)
|
||||
pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state)
|
||||
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
|
||||
index 775f8a3..36dde6f 100644
|
||||
--- a/source3/passdb/pdb_interface.c
|
||||
+++ b/source3/passdb/pdb_interface.c
|
||||
@@ -2340,6 +2340,39 @@ static struct pdb_domain_info *pdb_default_get_domain_info(
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+/*****************************************************************
|
||||
+ UPN suffixes
|
||||
+ *****************************************************************/
|
||||
+static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb,
|
||||
+ TALLOC_CTX *mem_ctx,
|
||||
+ uint32_t *num_suffixes,
|
||||
+ char ***suffixes)
|
||||
+{
|
||||
+ return NT_STATUS_NOT_IMPLEMENTED;
|
||||
+}
|
||||
+
|
||||
+static NTSTATUS pdb_default_set_upn_suffixes(struct pdb_methods *pdb,
|
||||
+ uint32_t num_suffixes,
|
||||
+ const char **suffixes)
|
||||
+{
|
||||
+ return NT_STATUS_NOT_IMPLEMENTED;
|
||||
+}
|
||||
+
|
||||
+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx,
|
||||
+ uint32_t *num_suffixes,
|
||||
+ char ***suffixes)
|
||||
+{
|
||||
+ struct pdb_methods *pdb = pdb_get_methods();
|
||||
+ return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes);
|
||||
+}
|
||||
+
|
||||
+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes,
|
||||
+ const char **suffixes)
|
||||
+{
|
||||
+ struct pdb_methods *pdb = pdb_get_methods();
|
||||
+ return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes);
|
||||
+}
|
||||
+
|
||||
/*******************************************************************
|
||||
secret methods
|
||||
*******************************************************************/
|
||||
@@ -2487,5 +2520,8 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods )
|
||||
(*methods)->set_secret = pdb_default_set_secret;
|
||||
(*methods)->delete_secret = pdb_default_delete_secret;
|
||||
|
||||
+ (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes;
|
||||
+ (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes;
|
||||
+
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
--
|
||||
1.8.1.4
|
||||
|
||||
From 801d299067c1ad8e9e63e0c675a4d1284de2f85c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 3 Apr 2013 16:52:45 +0300
|
||||
Subject: [PATCH 4/4] s3-netlogon: enumerate UPN suffixes from PASSDB when
|
||||
available
|
||||
|
||||
Optionally append list of UPN suffixes if PDB module returns non-empty one.
|
||||
|
||||
Refactor fill_forest_trust_array() in source3 to allow reuse of the code between
|
||||
_netr_DsRGetForestTrustInformation() and _netr_GetForestTrustInformation()
|
||||
|
||||
Implement a special case of _netr_DsRGetForestTrustInformation in smbd
|
||||
when trusted_domain_name is NULL (covered by test_DsrEnumerateDomainTrusts()
|
||||
in rpc.netlogon torture tests, see comment in source4/torture/rpc/netlogon.c).
|
||||
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Tue Apr 9 22:19:34 CEST 2013 on sn-devel-104
|
||||
---
|
||||
source3/rpc_server/netlogon/srv_netlog_nt.c | 106 ++++++++++++++++++++++++----
|
||||
1 file changed, 94 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
index 9b50655..c45f33f 100644
|
||||
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
@@ -2309,22 +2309,16 @@ NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p,
|
||||
/****************************************************************
|
||||
****************************************************************/
|
||||
|
||||
-WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
|
||||
- struct netr_DsRGetForestTrustInformation *r)
|
||||
-{
|
||||
- p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
|
||||
- return WERR_NOT_SUPPORTED;
|
||||
-}
|
||||
-
|
||||
-/****************************************************************
|
||||
-****************************************************************/
|
||||
-
|
||||
static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
|
||||
struct lsa_ForestTrustInformation *info)
|
||||
{
|
||||
struct lsa_ForestTrustRecord *e;
|
||||
struct pdb_domain_info *dom_info;
|
||||
struct lsa_ForestTrustDomainInfo *domain_info;
|
||||
+ char **upn_suffixes = NULL;
|
||||
+ uint32_t num_suffixes = 0;
|
||||
+ uint32_t i = 0;
|
||||
+ NTSTATUS status;
|
||||
|
||||
dom_info = pdb_get_domain_info(mem_ctx);
|
||||
if (dom_info == NULL) {
|
||||
@@ -2332,7 +2326,15 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
info->count = 2;
|
||||
- info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, 2);
|
||||
+
|
||||
+ become_root();
|
||||
+ status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes);
|
||||
+ unbecome_root();
|
||||
+ if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) {
|
||||
+ info->count += num_suffixes;
|
||||
+ }
|
||||
+
|
||||
+ info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count);
|
||||
if (info->entries == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@@ -2350,6 +2352,21 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
|
||||
|
||||
info->entries[0] = e;
|
||||
|
||||
+ if (num_suffixes > 0) {
|
||||
+ for (i = 0; i < num_suffixes ; i++) {
|
||||
+ e = talloc(info, struct lsa_ForestTrustRecord);
|
||||
+ if (e == NULL) {
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ e->flags = 0;
|
||||
+ e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME;
|
||||
+ e->time = 0; /* so far always 0 in traces. */
|
||||
+ e->forest_trust_data.top_level_name.string = upn_suffixes[i];
|
||||
+ info->entries[1 + i] = e;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
e = talloc(info, struct lsa_ForestTrustRecord);
|
||||
if (e == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
@@ -2368,12 +2385,76 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx,
|
||||
domain_info->netbios_domain_name.string = talloc_steal(info,
|
||||
dom_info->name);
|
||||
|
||||
- info->entries[1] = e;
|
||||
+ info->entries[info->count - 1] = e;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/****************************************************************
|
||||
+****************************************************************/
|
||||
+
|
||||
+WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
|
||||
+ struct netr_DsRGetForestTrustInformation *r)
|
||||
+{
|
||||
+ NTSTATUS status;
|
||||
+ struct lsa_ForestTrustInformation *info, **info_ptr;
|
||||
+
|
||||
+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
|
||||
+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
|
||||
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
|
||||
+ return WERR_ACCESS_DENIED;
|
||||
+ }
|
||||
+
|
||||
+ if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) {
|
||||
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
|
||||
+ return WERR_INVALID_FLAGS;
|
||||
+ }
|
||||
+
|
||||
+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) {
|
||||
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
|
||||
+ return WERR_NERR_NOTPRIMARY;
|
||||
+ }
|
||||
+
|
||||
+ if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) {
|
||||
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
|
||||
+ return WERR_INVALID_PARAMETER;
|
||||
+ }
|
||||
+
|
||||
+ /* retrieve forest trust information and stop further processing */
|
||||
+ if (r->in.trusted_domain_name == NULL) {
|
||||
+ info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *);
|
||||
+ if (info_ptr == NULL) {
|
||||
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
||||
+ return WERR_NOMEM;
|
||||
+ }
|
||||
+ info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation);
|
||||
+ if (info == NULL) {
|
||||
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
||||
+ return WERR_NOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* Fill forest trust information and expand UPN suffixes list */
|
||||
+ status = fill_forest_trust_array(p->mem_ctx, info);
|
||||
+ if (!NT_STATUS_IS_OK(status)) {
|
||||
+ p->fault_state = DCERPC_FAULT_CANT_PERFORM;
|
||||
+ return WERR_NOMEM;
|
||||
+ }
|
||||
+
|
||||
+ *info_ptr = info;
|
||||
+ r->out.forest_trust_info = info_ptr;
|
||||
+
|
||||
+ return WERR_OK;
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43)
|
||||
+ * when trusted_domain_name is not NULL */
|
||||
+
|
||||
+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
|
||||
+ return WERR_NOT_SUPPORTED;
|
||||
+}
|
||||
+
|
||||
+/****************************************************************
|
||||
_netr_GetForestTrustInformation
|
||||
****************************************************************/
|
||||
|
||||
@@ -2417,6 +2498,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
+ /* Fill forest trust information, do expand UPN suffixes list */
|
||||
status = fill_forest_trust_array(p->mem_ctx, info);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
--
|
||||
1.8.1.4
|
||||
|
@ -1,44 +0,0 @@
|
||||
From 91300255f4b93dad920af2399a6cd64720d47e4f Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 11 Jul 2013 13:44:53 +0200
|
||||
Subject: [PATCH] s3-winbind: Do not delete an existing valid credential cache.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994
|
||||
|
||||
Thanks to David Woodhouse <dwmw2@infradead.org>.
|
||||
|
||||
Reviewed-by: Günther Deschner <gd@samba.org>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
|
||||
|
||||
(cherry picked from commit 0529b59fbe3f96509893fc4e93a75d6928b5a532)
|
||||
---
|
||||
source3/winbindd/winbindd_pam.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||
index b23d421..99794e6 100644
|
||||
--- a/source3/winbindd/winbindd_pam.c
|
||||
+++ b/source3/winbindd/winbindd_pam.c
|
||||
@@ -677,6 +677,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_OK;
|
||||
|
||||
failed:
|
||||
+ /*
|
||||
+ * Do not delete an existing valid credential cache, if the user
|
||||
+ * e.g. enters a wrong password
|
||||
+ */
|
||||
+ if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE"))
|
||||
+ && user_ccache_file != NULL) {
|
||||
+ return result;
|
||||
+ }
|
||||
|
||||
/* we could have created a new credential cache with a valid tgt in it
|
||||
* but we werent able to get or verify the service ticket for this
|
||||
--
|
||||
1.8.3.1
|
||||
|
@ -1,217 +0,0 @@
|
||||
From bfbf322626965100a72eeaed31573a36a61b33d1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||
Date: Thu, 18 Jul 2013 19:04:29 +0200
|
||||
Subject: [PATCH 1/3] wbinfo: allow to define a custom krb5ccname for
|
||||
kerberized pam auth.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Guenther
|
||||
|
||||
Signed-off-by: Günther Deschner <gd@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
(cherry picked from commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95)
|
||||
---
|
||||
nsswitch/wbinfo.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
|
||||
index 1d1557d..cfb430b 100644
|
||||
--- a/nsswitch/wbinfo.c
|
||||
+++ b/nsswitch/wbinfo.c
|
||||
@@ -2083,6 +2083,7 @@ int main(int argc, char **argv, char **envp)
|
||||
bool use_lanman = false;
|
||||
char *logoff_user = getenv("USER");
|
||||
int logoff_uid = geteuid();
|
||||
+ const char *opt_krb5ccname = "FILE";
|
||||
|
||||
struct poptOption long_options[] = {
|
||||
POPT_AUTOHELP
|
||||
@@ -2164,6 +2165,7 @@ int main(int argc, char **argv, char **envp)
|
||||
{ "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" },
|
||||
/* destroys wbinfo --help output */
|
||||
/* "user%password,DOM\\user%password,user@EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */
|
||||
+ { "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" },
|
||||
#endif
|
||||
{ "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL },
|
||||
{ "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL },
|
||||
@@ -2533,13 +2535,13 @@ int main(int argc, char **argv, char **envp)
|
||||
WBFLAG_PAM_INFO3_TEXT |
|
||||
WBFLAG_PAM_CONTACT_TRUSTDOM;
|
||||
|
||||
- if (!wbinfo_auth_krb5(string_arg, "FILE",
|
||||
+ if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname,
|
||||
flags)) {
|
||||
d_fprintf(stderr,
|
||||
"Could not authenticate user "
|
||||
"[%s] with Kerberos "
|
||||
"(ccache: %s)\n", string_arg,
|
||||
- "FILE");
|
||||
+ opt_krb5ccname);
|
||||
goto done;
|
||||
}
|
||||
break;
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From b9c191e3cde6aa5d726f3bea46d853441bf7daf0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||
Date: Thu, 18 Jul 2013 19:05:51 +0200
|
||||
Subject: [PATCH 2/3] s3-winbindd: support the DIR pragma for raw kerberos user
|
||||
pam authentication.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It is currently only available in MIT. In addition, allow to define custom
|
||||
filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the
|
||||
%u pattern.
|
||||
|
||||
Guenther
|
||||
|
||||
Signed-off-by: Günther Deschner <gd@samba.org>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
(cherry picked from commit 7ad3a367d52b1f123c318946d654e95639202130)
|
||||
---
|
||||
source3/winbindd/winbindd_pam.c | 23 +++++++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||
index aed4741..7b67154 100644
|
||||
--- a/source3/winbindd/winbindd_pam.c
|
||||
+++ b/source3/winbindd/winbindd_pam.c
|
||||
@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
|
||||
gen_cc = talloc_asprintf(
|
||||
mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
|
||||
}
|
||||
+ if (strequal(type, "DIR")) {
|
||||
+ gen_cc = talloc_asprintf(
|
||||
+ mem_ctx, "DIR:/run/user/%d/krb5cc", uid);
|
||||
+ }
|
||||
+
|
||||
+ if (strnequal(type, "FILE:/", 6) ||
|
||||
+ strnequal(type, "WRFILE:/", 8) ||
|
||||
+ strnequal(type, "DIR:/", 5)) {
|
||||
+
|
||||
+ /* we allow only one "%u" substitution */
|
||||
+
|
||||
+ char *p;
|
||||
+
|
||||
+ p = strchr(type, '%');
|
||||
+ if (p != NULL) {
|
||||
+
|
||||
+ p++;
|
||||
+
|
||||
+ if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) {
|
||||
+ gen_cc = talloc_asprintf(mem_ctx, type, uid);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
*user_ccache_file = gen_cc;
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
|
||||
From c488253925831a3683446e93bd79d9593c4f9295 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||
Date: Thu, 18 Jul 2013 19:09:14 +0200
|
||||
Subject: [PATCH 3/3] pam_winbind: update documentation for "DIR" krb5ccname
|
||||
pragma.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Guenther
|
||||
|
||||
Signed-off-by: Günther Deschner <gd@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
||||
Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104
|
||||
|
||||
(cherry picked from commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb)
|
||||
---
|
||||
docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++++++++++--------
|
||||
examples/pam_winbind/pam_winbind.conf | 3 ++-
|
||||
2 files changed, 31 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
index 7098ff4..be7f684 100644
|
||||
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
@@ -106,16 +106,35 @@
|
||||
<term>krb5_ccache_type = [type]</term>
|
||||
<listitem><para>
|
||||
|
||||
- When pam_winbind is configured to try kerberos authentication
|
||||
- by enabling the <parameter>krb5_auth</parameter> option, it can
|
||||
- store the retrieved Ticket Granting Ticket (TGT) in a
|
||||
- credential cache. The type of credential cache can be set with
|
||||
- this option. Currently the only supported value is:
|
||||
- <parameter>FILE</parameter>. In that case a credential cache in
|
||||
- the form of /tmp/krb5cc_UID will be created, where UID is
|
||||
- replaced with the numeric user id. Leave empty to just do
|
||||
- kerberos authentication without having a ticket cache after the
|
||||
- logon has succeeded. This setting is empty by default.
|
||||
+ When pam_winbind is configured to try kerberos authentication by
|
||||
+ enabling the <parameter>krb5_auth</parameter> option, it can
|
||||
+ store the retrieved Ticket Granting Ticket (TGT) in a credential
|
||||
+ cache. The type of credential cache can be controlled with this
|
||||
+ option. The supported values are: <parameter>FILE</parameter>
|
||||
+ and <parameter>DIR</parameter> (when the DIR type is supported
|
||||
+ by the system's Kerberos library). In case of FILE a credential
|
||||
+ cache in the form of /tmp/krb5cc_UID will be created - in case
|
||||
+ of DIR it will be located under the /run/user/UID/krb5cc
|
||||
+ directory. UID is replaced with the numeric user id.</para>
|
||||
+
|
||||
+ <para>It is also possible to define custom filepaths and use the "%u"
|
||||
+ pattern in order to substitue the numeric user id.
|
||||
+ Examples:</para>
|
||||
+
|
||||
+ <variablelist>
|
||||
+ <varlistentry>
|
||||
+ <term>krb5_ccache_type = DIR:/run/user/%u/krb5cc</term>
|
||||
+ <listitem><para>This will create a credential cache file in the specified directory.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+ <varlistentry>
|
||||
+ <term>krb5_ccache_type = FILE:/tmp/krb5cc_%u</term>
|
||||
+ <listitem><para>This will create a credential cache file.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+ </variablelist>
|
||||
+
|
||||
+ <para> Leave empty to just do kerberos authentication without
|
||||
+ having a ticket cache after the logon has succeeded.
|
||||
+ This setting is empty by default.
|
||||
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf
|
||||
index dd0b112..87bc388 100644
|
||||
--- a/examples/pam_winbind/pam_winbind.conf
|
||||
+++ b/examples/pam_winbind/pam_winbind.conf
|
||||
@@ -3,6 +3,7 @@
|
||||
#
|
||||
# /etc/security/pam_winbind.conf
|
||||
#
|
||||
+# For more details see man pam_winbind.conf(5)
|
||||
|
||||
[global]
|
||||
|
||||
@@ -19,7 +20,7 @@
|
||||
# authenticate using kerberos
|
||||
;krb5_auth = no
|
||||
|
||||
-# when using kerberos, request a "FILE" krb5 credential cache type
|
||||
+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type
|
||||
# (leave empty to just do krb5 authentication but not have a ticket
|
||||
# afterwards)
|
||||
;krb5_ccache_type =
|
||||
--
|
||||
1.8.3.1
|
@ -1,36 +0,0 @@
|
||||
From f0ff2d8ee925921c70f2b9149316f123402ab81b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 19 Jul 2013 16:08:39 +0200
|
||||
Subject: [PATCH] s3-waf: Rename regedit to samba-regedit.
|
||||
|
||||
This is needed cause wine already provides a binary with the name
|
||||
regedit.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10040
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Kai Blin <kai@samba.org>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Mon Jul 22 14:12:38 CEST 2013 on sn-devel-104
|
||||
|
||||
(cherry picked from commit b5051111d2fd3a9ae3b3aa028ccf013a98c20b38)
|
||||
---
|
||||
source3/wscript_build | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/wscript_build b/source3/wscript_build
|
||||
index 19c6d08..a8bdaf0 100755
|
||||
--- a/source3/wscript_build
|
||||
+++ b/source3/wscript_build
|
||||
@@ -1615,7 +1615,7 @@ bld.SAMBA3_PYTHON('pylibsmb',
|
||||
realname='samba/samba3/libsmb_samba_internal.so'
|
||||
)
|
||||
|
||||
-bld.SAMBA3_BINARY('regedit',
|
||||
+bld.SAMBA3_BINARY('samba-regedit',
|
||||
source="""utils/regedit.c utils/regedit_samba3.c
|
||||
utils/regedit_wrap.c utils/regedit_treeview.c
|
||||
utils/regedit_valuelist.c utils/regedit_dialog.c
|
||||
--
|
||||
1.8.3.1
|
21
samba.spec
21
samba.spec
@ -1,7 +1,7 @@
|
||||
# Set --with testsuite or %bcond_without to run the Samba torture testsuite.
|
||||
%bcond_with testsuite
|
||||
|
||||
%define main_release 2
|
||||
%define main_release 3
|
||||
|
||||
%define samba_version 4.1.0
|
||||
%define talloc_version 2.0.8
|
||||
@ -10,7 +10,7 @@
|
||||
%define tevent_version 0.9.18
|
||||
%define ldb_version 1.1.16
|
||||
# This should be rc1 or nil
|
||||
%define pre_release rc1
|
||||
%define pre_release rc2
|
||||
|
||||
%if "x%{?pre_release}" != "x"
|
||||
%define samba_release 0.%{main_release}.%{pre_release}%{?dist}
|
||||
@ -44,7 +44,7 @@
|
||||
|
||||
Name: samba
|
||||
Version: %{samba_version}
|
||||
Release: %{samba_release}.1
|
||||
Release: %{samba_release}
|
||||
|
||||
%if 0%{?rhel}
|
||||
Epoch: 0
|
||||
@ -75,10 +75,6 @@ Source6: samba.pamd
|
||||
Source200: README.dc
|
||||
Source201: README.downgrade
|
||||
|
||||
Patch0: samba-4.0.8-fix_winbind_ccache_cleanup.patch
|
||||
Patch1: samba-4.1.0rc1-fix_regedit_name.patch
|
||||
Patch2: samba-4.1.0rc1-add_support_for_cc_type_dir.patch
|
||||
|
||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
@ -435,9 +431,6 @@ the local kerberos library to use the same KDC as samba and winbind use
|
||||
|
||||
%prep
|
||||
%setup -q -n samba-%{version}%{pre_release}
|
||||
%patch0 -p1 -b .samba-4.0.8-fix_winbind_ccache_cleanup.patch
|
||||
%patch1 -p1 -b .samba-4.1.0rc1-fix_regedit_name.patch
|
||||
%patch2 -p1 -b .samba-4.1.0rc1-add_support_for_cc_type_dir.patch
|
||||
|
||||
%build
|
||||
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
|
||||
@ -708,7 +701,10 @@ rm -rf %{buildroot}
|
||||
%{_bindir}/eventlogadm
|
||||
%{_sbindir}/nmbd
|
||||
%{_sbindir}/smbd
|
||||
%{_libdir}/samba/auth
|
||||
%dir %{_libdir}/samba/auth
|
||||
%{_libdir}/samba/auth/script.so
|
||||
%{_libdir}/samba/auth/unix.so
|
||||
%{_libdir}/samba/auth/wbc.so
|
||||
%dir %{_libdir}/samba/vfs
|
||||
%{_libdir}/samba/vfs/acl_tdb.so
|
||||
%{_libdir}/samba/vfs/acl_xattr.so
|
||||
@ -1463,6 +1459,9 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man7/winbind_krb5_locator.7*
|
||||
|
||||
%changelog
|
||||
* Mon Aug 12 2013 - Andreas Schneider <asn@redhat.com> - 2:4.1.0-0.3
|
||||
- related: #985609 - Update to Samba 4.1.0rc2.
|
||||
|
||||
* Sat Aug 03 2013 Petr Pisar <ppisar@redhat.com> - 2:4.1.0-0.2.rc1.1
|
||||
- Perl 5.18 rebuild
|
||||
|
||||
|
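Review bot: The `%changelog` entry at the bottom of the section says only `Update to Samba 4.1.0rc2`, yet the same spec change drops `Patch0`–`Patch2` together with their `%patch` lines in `%prep` and replaces the single `%{_libdir}/samba/auth` entry with `%dir %{_libdir}/samba/auth` plus three explicit `.so` files; neither is recorded. Dropped patches should be named in the changelog with the reason, which from the `cherry picked from` trailers in the deleted patch files is presumably that they are already contained in 4.1.0rc2 — worth confirming against the rc2 tarball rather than assuming. Suggested additional changelog lines: `- Drop winbind ccache cleanup, regedit rename and DIR ccache type patches, merged upstream.` and `- List auth modules explicitly instead of packaging the whole auth directory.` The explicit listing also means a new auth module in a later tarball now fails the build as an unpackaged file, which is the usual intent in this packaging style but deserves a one-line comment above the `%dir` line so the next updater does not revert it to the directory entry.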