import samba-4.15.5-105.el9_0
This commit is contained in:
commit
a1612cf1ff
2
.gitignore
vendored
Normal file
2
.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
SOURCES/samba-4.15.5.tar.xz
|
||||
SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
2
.samba.metadata
Normal file
2
.samba.metadata
Normal file
@ -0,0 +1,2 @@
|
||||
f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz
|
||||
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
29
SOURCES/README.downgrade
Normal file
29
SOURCES/README.downgrade
Normal file
@ -0,0 +1,29 @@
|
||||
Downgrading Samba
|
||||
=================
|
||||
|
||||
Short version: data-preserving downgrades between Samba versions are not supported
|
||||
|
||||
Long version:
|
||||
With Samba development there are cases when on-disk database format evolves.
|
||||
In general, Samba Team attempts to maintain forward compatibility and
|
||||
automatically upgrade databases during runtime when requires.
|
||||
However, when downgrade is required Samba will not perform downgrade to
|
||||
existing databases. It may be impossible if new features that caused database
|
||||
upgrade are in use. Thus, one needs to consider a downgrade procedure before
|
||||
actually downgrading Samba setup.
|
||||
|
||||
Please always perform back up prior both upgrading and downgrading across major
|
||||
version changes. Restoring database files is easiest and simplest way to get to
|
||||
previously working setup.
|
||||
|
||||
Easiest way to downgrade is to remove all created databases and start from scratch.
|
||||
This means losing all authentication and domain relationship data, as well as
|
||||
user databases (in case of tdb storage), printers, registry settings, and winbindd
|
||||
caches.
|
||||
|
||||
Remove databases in following locations:
|
||||
/var/lib/samba/*.tdb
|
||||
/var/lib/samba/private/*.tdb
|
||||
|
||||
In particular, registry settings are known to prevent running downgraded versions
|
||||
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.
|
38
SOURCES/pam_winbind.conf
Normal file
38
SOURCES/pam_winbind.conf
Normal file
@ -0,0 +1,38 @@
|
||||
#
|
||||
# pam_winbind configuration file
|
||||
#
|
||||
# /etc/security/pam_winbind.conf
|
||||
#
|
||||
|
||||
[global]
|
||||
|
||||
# turn on debugging
|
||||
;debug = no
|
||||
|
||||
# turn on extended PAM state debugging
|
||||
;debug_state = no
|
||||
|
||||
# request a cached login if possible
|
||||
# (needs "winbind offline logon = yes" in smb.conf)
|
||||
;cached_login = no
|
||||
|
||||
# authenticate using kerberos
|
||||
;krb5_auth = no
|
||||
|
||||
# when using kerberos, request a "FILE" krb5 credential cache type
|
||||
# (leave empty to just do krb5 authentication but not have a ticket
|
||||
# afterwards)
|
||||
;krb5_ccache_type =
|
||||
|
||||
# make successful authentication dependend on membership of one SID
|
||||
# (can also take a name)
|
||||
;require_membership_of =
|
||||
|
||||
# password expiry warning period in days
|
||||
;warn_pwd_expire = 14
|
||||
|
||||
# omit pam conversations
|
||||
;silent = no
|
||||
|
||||
# create homedirectory on the fly
|
||||
;mkhomedir = no
|
231
SOURCES/samba-4-15-fix-autorid.patch
Normal file
231
SOURCES/samba-4-15-fix-autorid.patch
Normal file
@ -0,0 +1,231 @@
|
||||
From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 1 Feb 2022 10:06:30 +0100
|
||||
Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range
|
||||
|
||||
What we want to avoid:
|
||||
|
||||
$ ./bin/testparm -s | grep "idmap config"
|
||||
idmap config * : rangesize = 10000
|
||||
idmap config * : range = 10000-19999
|
||||
idmap config * : backend = autorid
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||
S-1-5-32-544 SID_ALIAS (4)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||
10000
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||
|
||||
If only one range is configured we are either not able to map users/groups
|
||||
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||
cover the BUILTIN domain!
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
|
||||
---
|
||||
source3/winbindd/idmap_autorid.c | 7 ++++---
|
||||
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
|
||||
index ad53b5810ee..c7d56a37684 100644
|
||||
--- a/source3/winbindd/idmap_autorid.c
|
||||
+++ b/source3/winbindd/idmap_autorid.c
|
||||
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
|
||||
config->maxranges = (dom->high_id - dom->low_id + 1) /
|
||||
config->rangesize;
|
||||
|
||||
- if (config->maxranges == 0) {
|
||||
- DEBUG(1, ("Allowed uid range is smaller than rangesize. "
|
||||
- "Increase uid range or decrease rangesize.\n"));
|
||||
+ if (config->maxranges < 2) {
|
||||
+ DBG_WARNING("Allowed idmap range is not a least double the "
|
||||
+ "size of the rangesize. Please increase idmap "
|
||||
+ "range.\n");
|
||||
status = NT_STATUS_INVALID_PARAMETER;
|
||||
goto error;
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 1 Feb 2022 10:07:50 +0100
|
||||
Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid
|
||||
|
||||
What we want to avoid:
|
||||
|
||||
$ ./bin/testparm -s | grep "idmap config"
|
||||
idmap config * : rangesize = 10000
|
||||
idmap config * : range = 10000-19999
|
||||
idmap config * : backend = autorid
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||
S-1-5-32-544 SID_ALIAS (4)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||
10000
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||
|
||||
If only one range is configured we are either not able to map users/groups
|
||||
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||
cover the BUILTIN domain!
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
|
||||
---
|
||||
source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 51 insertions(+)
|
||||
|
||||
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
||||
index 98bcc219b1e..58ba46bc15f 100644
|
||||
--- a/source3/utils/testparm.c
|
||||
+++ b/source3/utils/testparm.c
|
||||
@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
|
||||
return false; /* Keep scanning */
|
||||
}
|
||||
|
||||
+static int idmap_config_int(const char *domname, const char *option, int def)
|
||||
+{
|
||||
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
|
||||
+
|
||||
+ if (len == -1) {
|
||||
+ return def;
|
||||
+ }
|
||||
+ {
|
||||
+ char config_option[len+1];
|
||||
+ snprintf(config_option, sizeof(config_option),
|
||||
+ "idmap config %s", domname);
|
||||
+ return lp_parm_int(-1, config_option, option, def);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static bool do_idmap_check(void)
|
||||
{
|
||||
struct idmap_domains *d;
|
||||
@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
|
||||
rc);
|
||||
}
|
||||
|
||||
+ /* Check autorid backend */
|
||||
+ if (strequal(lp_idmap_default_backend(), "autorid")) {
|
||||
+ struct idmap_config *c = NULL;
|
||||
+ bool found = false;
|
||||
+
|
||||
+ for (i = 0; i < d->count; i++) {
|
||||
+ c = &d->c[i];
|
||||
+
|
||||
+ if (strequal(c->backend, "autorid")) {
|
||||
+ found = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (found) {
|
||||
+ uint32_t rangesize =
|
||||
+ idmap_config_int("*", "rangesize", 100000);
|
||||
+ uint32_t maxranges =
|
||||
+ (c->high - c->low + 1) / rangesize;
|
||||
+
|
||||
+ if (maxranges < 2) {
|
||||
+ fprintf(stderr,
|
||||
+ "ERROR: The idmap autorid range "
|
||||
+ "[%u-%u] needs to be at least twice as "
|
||||
+ "big as the rangesize [%u]!"
|
||||
+ "\n\n",
|
||||
+ c->low,
|
||||
+ c->high,
|
||||
+ rangesize);
|
||||
+ ok = false;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Check for overlapping idmap ranges */
|
||||
for (i = 0; i < d->count; i++) {
|
||||
struct idmap_config *c = &d->c[i];
|
||||
uint32_t j;
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 1 Feb 2022 10:05:19 +0100
|
||||
Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation
|
||||
|
||||
What we want to avoid:
|
||||
|
||||
$ ./bin/testparm -s | grep "idmap config"
|
||||
idmap config * : rangesize = 10000
|
||||
idmap config * : range = 10000-19999
|
||||
idmap config * : backend = autorid
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
|
||||
S-1-5-32-544 SID_ALIAS (4)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
|
||||
10000
|
||||
|
||||
$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
|
||||
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)
|
||||
|
||||
$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
|
||||
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
|
||||
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid
|
||||
|
||||
If only one range is configured we are either not able to map users/groups
|
||||
from our primary *and* the BUILTIN domain. We need at least two ranges to also
|
||||
cover the BUILTIN domain!
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
|
||||
---
|
||||
docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
|
||||
index 6c4da1cad8a..980718f0bd4 100644
|
||||
--- a/docs-xml/manpages/idmap_autorid.8.xml
|
||||
+++ b/docs-xml/manpages/idmap_autorid.8.xml
|
||||
@@ -48,7 +48,13 @@
|
||||
and the corresponding map is discarded. It is
|
||||
intended as a way to avoid accidental UID/GID
|
||||
overlaps between local and remotely defined
|
||||
- IDs.
|
||||
+ IDs. Note that the range should be a multiple
|
||||
+ of the rangesize and needs to be at least twice
|
||||
+ as large in order to have sufficient id range
|
||||
+ space for the mandatory BUILTIN domain.
|
||||
+ With a default rangesize of 100000 the range
|
||||
+ needs to span at least 200000.
|
||||
+ This would be: range = 100000 - 299999.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
477
SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
Normal file
477
SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
Normal file
@ -0,0 +1,477 @@
|
||||
From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 16:53:02 +0100
|
||||
Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
testprogs/blackbox/test_net_ads.sh | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
||||
index 76b394b10a9..cfafb945b62 100755
|
||||
--- a/testprogs/blackbox/test_net_ads.sh
|
||||
+++ b/testprogs/blackbox/test_net_ads.sh
|
||||
@@ -51,6 +51,12 @@ fi
|
||||
|
||||
testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
|
||||
+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
|
||||
+testit "local krb5.conf created" \
|
||||
+ test -r \
|
||||
+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
|
||||
+ failed=$((failed + 1))
|
||||
+
|
||||
testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
|
||||
|
||||
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:03:40 +0100
|
||||
Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 18 +++++++++---------
|
||||
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 75beeef4a44..60fe03fd5d7 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -1,4 +1,4 @@
|
||||
-/*
|
||||
+/*
|
||||
Unix SMB/CIFS implementation.
|
||||
kerberos utility library
|
||||
Copyright (C) Andrew Tridgell 2001
|
||||
@@ -37,11 +37,11 @@
|
||||
#define LIBADS_CCACHE_NAME "MEMORY:libads"
|
||||
|
||||
/*
|
||||
- we use a prompter to avoid a crash bug in the kerberos libs when
|
||||
+ we use a prompter to avoid a crash bug in the kerberos libs when
|
||||
dealing with empty passwords
|
||||
this prompter is just a string copy ...
|
||||
*/
|
||||
-static krb5_error_code
|
||||
+static krb5_error_code
|
||||
kerb_prompter(krb5_context ctx, void *data,
|
||||
const char *name,
|
||||
const char *banner,
|
||||
@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
|
||||
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
|
||||
}
|
||||
|
||||
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
|
||||
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
|
||||
kerb_prompter, discard_const_p(char, password),
|
||||
0, NULL, opt))) {
|
||||
goto out;
|
||||
@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
|
||||
}
|
||||
|
||||
if ((code = krb5_cc_destroy (ctx, cc))) {
|
||||
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
|
||||
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
|
||||
error_message(code)));
|
||||
}
|
||||
|
||||
@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
|
||||
int time_offset,
|
||||
const char *cache_name)
|
||||
{
|
||||
- return kerberos_kinit_password_ext(principal,
|
||||
- password,
|
||||
- time_offset,
|
||||
- 0,
|
||||
+ return kerberos_kinit_password_ext(principal,
|
||||
+ password,
|
||||
+ time_offset,
|
||||
+ 0,
|
||||
0,
|
||||
cache_name,
|
||||
False,
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:04:34 +0100
|
||||
Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()
|
||||
|
||||
This avoids useless allocations.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 17 +++++++++++------
|
||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 60fe03fd5d7..1bf149ef09b 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
struct netlogon_samlogon_response **responses = NULL;
|
||||
NTSTATUS status;
|
||||
bool ok;
|
||||
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
|
||||
- print_canonical_sockaddr_with_port(mem_ctx, pss));
|
||||
+ char *kdc_str = NULL;
|
||||
|
||||
+ SMB_ASSERT(pss != NULL);
|
||||
+
|
||||
+ kdc_str = talloc_asprintf(mem_ctx,
|
||||
+ "\t\tkdc = %s\n",
|
||||
+ print_canonical_sockaddr_with_port(mem_ctx,
|
||||
+ pss));
|
||||
if (kdc_str == NULL) {
|
||||
TALLOC_FREE(frame);
|
||||
return NULL;
|
||||
@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
}
|
||||
}
|
||||
|
||||
- dc_addrs2 = talloc_zero_array(talloc_tos(),
|
||||
- struct tsocket_address *,
|
||||
- num_dcs);
|
||||
-
|
||||
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||
if (num_dcs == 0) {
|
||||
TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
+
|
||||
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
|
||||
+ struct tsocket_address *,
|
||||
+ num_dcs);
|
||||
if (dc_addrs2 == NULL) {
|
||||
TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:10:47 +0100
|
||||
Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 1bf149ef09b..6a46d72a156 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
|
||||
result = kdc_str;
|
||||
out:
|
||||
- DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||
+ if (result != NULL) {
|
||||
+ DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||
+ } else {
|
||||
+ DBG_NOTICE("Failed to get KDC ip address\n");
|
||||
+ }
|
||||
|
||||
TALLOC_FREE(ip_sa_site);
|
||||
TALLOC_FREE(ip_sa_nonsite);
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:48:23 +0100
|
||||
Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
|
||||
get_kdc_ip_string()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 9 +++++----
|
||||
1 file changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 6a46d72a156..d1c410ffa4b 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
}
|
||||
|
||||
/* Append to the string - inefficient but not done often. */
|
||||
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
|
||||
- kdc_str,
|
||||
- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
|
||||
- TALLOC_FREE(kdc_str);
|
||||
+ new_kdc_str = talloc_asprintf_append(
|
||||
+ kdc_str,
|
||||
+ "\t\tkdc = %s\n",
|
||||
+ print_canonical_sockaddr_with_port(
|
||||
+ mem_ctx, &dc_addrs[i]));
|
||||
if (new_kdc_str == NULL) {
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:56:58 +0100
|
||||
Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index d1c410ffa4b..aadc65a3edc 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
|
||||
SMB_ASSERT(pss != NULL);
|
||||
|
||||
- kdc_str = talloc_asprintf(mem_ctx,
|
||||
+ kdc_str = talloc_asprintf(frame,
|
||||
"\t\tkdc = %s\n",
|
||||
print_canonical_sockaddr_with_port(mem_ctx,
|
||||
pss));
|
||||
@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
*/
|
||||
|
||||
if (sitename) {
|
||||
- status = get_kdc_list(talloc_tos(),
|
||||
+ status = get_kdc_list(frame,
|
||||
realm,
|
||||
sitename,
|
||||
&ip_sa_site,
|
||||
@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
|
||||
/* Get all KDC's. */
|
||||
|
||||
- status = get_kdc_list(talloc_tos(),
|
||||
+ status = get_kdc_list(frame,
|
||||
realm,
|
||||
NULL,
|
||||
&ip_sa_nonsite,
|
||||
@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
kdc_str = new_kdc_str;
|
||||
}
|
||||
|
||||
- result = kdc_str;
|
||||
+ result = talloc_move(mem_ctx, &kdc_str);
|
||||
out:
|
||||
if (result != NULL) {
|
||||
DBG_DEBUG("Returning\n%s\n", kdc_str);
|
||||
@@ -597,8 +597,6 @@ out:
|
||||
DBG_NOTICE("Failed to get KDC ip address\n");
|
||||
}
|
||||
|
||||
- TALLOC_FREE(ip_sa_site);
|
||||
- TALLOC_FREE(ip_sa_nonsite);
|
||||
TALLOC_FREE(frame);
|
||||
return result;
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 12:57:18 +0100
|
||||
Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str
|
||||
|
||||
This is allocated on the stackframe now!
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 12 +-----------
|
||||
1 file changed, 1 insertion(+), 11 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index aadc65a3edc..2087dc1e6f9 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
print_canonical_sockaddr_with_port(mem_ctx,
|
||||
pss));
|
||||
if (kdc_str == NULL) {
|
||||
- TALLOC_FREE(frame);
|
||||
- return NULL;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
|
||||
if (!ok) {
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DBG_ERR("get_kdc_list fail %s\n",
|
||||
nt_errstr(status));
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
DBG_DEBUG("got %zu addresses from site %s search\n",
|
||||
@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DBG_ERR("get_kdc_list (site-less) fail %s\n",
|
||||
nt_errstr(status));
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
|
||||
@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
if (count_site + count_nonsite < count_site) {
|
||||
/* Wrap check. */
|
||||
DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
|
||||
count_site + count_nonsite);
|
||||
if (dc_addrs == NULL) {
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
|
||||
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||
if (num_dcs == 0) {
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
struct tsocket_address *,
|
||||
num_dcs);
|
||||
if (dc_addrs2 == NULL) {
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
status = map_nt_error_from_unix(errno);
|
||||
DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
|
||||
addr, nt_errstr(status)));
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
|
||||
"%s\n", nt_errstr(status)));
|
||||
- TALLOC_FREE(kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 13:02:05 +0100
|
||||
Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
|
||||
NULL in get_kdc_ip_string()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 2087dc1e6f9..20dceeefb22 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
NTSTATUS status;
|
||||
bool ok;
|
||||
char *kdc_str = NULL;
|
||||
+ char *canon_sockaddr = NULL;
|
||||
|
||||
SMB_ASSERT(pss != NULL);
|
||||
|
||||
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
|
||||
+ if (canon_sockaddr == NULL) {
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
kdc_str = talloc_asprintf(frame,
|
||||
"\t\tkdc = %s\n",
|
||||
- print_canonical_sockaddr_with_port(mem_ctx,
|
||||
- pss));
|
||||
+ canon_sockaddr);
|
||||
if (kdc_str == NULL) {
|
||||
goto out;
|
||||
}
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 15 Mar 2022 13:10:06 +0100
|
||||
Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf
|
||||
|
||||
We create an KDC ip string entry directly at the beginning, use it if we
|
||||
don't have any additional DCs.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source3/libads/kerberos.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||
index 20dceeefb22..3fd86e87064 100644
|
||||
--- a/source3/libads/kerberos.c
|
||||
+++ b/source3/libads/kerberos.c
|
||||
@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
|
||||
|
||||
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
|
||||
if (num_dcs == 0) {
|
||||
+ /*
|
||||
+ * We do not have additional KDCs, but we have the one passed
|
||||
+ * in via `pss`. So just use that one and leave.
|
||||
+ */
|
||||
+ result = talloc_move(mem_ctx, &kdc_str);
|
||||
goto out;
|
||||
}
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
411
SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
Normal file
411
SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
Normal file
@ -0,0 +1,411 @@
|
||||
From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 12:59:44 +0100
|
||||
Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
|
||||
path
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
|
||||
---
|
||||
source3/libads/authdata.c | 11 ++++++++---
|
||||
1 file changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
|
||||
index dd21d895fc2..c048510d480 100644
|
||||
--- a/source3/libads/authdata.c
|
||||
+++ b/source3/libads/authdata.c
|
||||
@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
{
|
||||
krb5_error_code ret;
|
||||
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
|
||||
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
|
||||
+ DATA_BLOB tkt = data_blob_null;
|
||||
+ DATA_BLOB tkt_wrapped = data_blob_null;
|
||||
+ DATA_BLOB ap_rep = data_blob_null;
|
||||
+ DATA_BLOB sesskey1 = data_blob_null;
|
||||
const char *auth_princ = NULL;
|
||||
const char *cc = "MEMORY:kerberos_return_pac";
|
||||
struct auth_session_info *session_info;
|
||||
@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
ZERO_STRUCT(sesskey1);
|
||||
|
||||
if (!name || !pass) {
|
||||
- return NT_STATUS_INVALID_PARAMETER;
|
||||
+ status = NT_STATUS_INVALID_PARAMETER;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
if (cache_name) {
|
||||
@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
|
||||
if (expire_time && renew_till_time &&
|
||||
(*expire_time == 0) && (*renew_till_time == 0)) {
|
||||
- return NT_STATUS_INVALID_LOGON_TYPE;
|
||||
+ status = NT_STATUS_INVALID_LOGON_TYPE;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
ret = ads_krb5_cli_get_ticket(mem_ctx,
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 13:00:05 +0100
|
||||
Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
|
||||
macro
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
|
||||
---
|
||||
lib/krb5_wrap/krb5_samba.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index fff5b4e2a22..42d4b950f80 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
|
||||
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
|
||||
|
||||
/* FIXME: we should not fall back to defaults */
|
||||
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 14:28:28 +0100
|
||||
Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
|
||||
debug macro
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
|
||||
---
|
||||
lib/krb5_wrap/krb5_samba.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index 42d4b950f80..76c2dcd2126 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
|
||||
|
||||
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
|
||||
if (ret) {
|
||||
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
|
||||
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
|
||||
+ "for client '%s' and service '%s' failed: %s\n",
|
||||
+ ccache_string, client_string, service_string,
|
||||
+ error_message(ret));
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 13:08:56 +0100
|
||||
Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
|
||||
kerberos_return_pac()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
|
||||
---
|
||||
source3/libads/authdata.c | 22 +++++++++++++++++++++-
|
||||
source3/libads/kerberos_proto.h | 2 ++
|
||||
source3/utils/net_ads.c | 2 ++
|
||||
source3/winbindd/winbindd_pam.c | 2 ++
|
||||
4 files changed, 27 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
|
||||
index c048510d480..bf9a2335445 100644
|
||||
--- a/source3/libads/authdata.c
|
||||
+++ b/source3/libads/authdata.c
|
||||
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
time_t renewable_time,
|
||||
const char *impersonate_princ_s,
|
||||
const char *local_service,
|
||||
+ char **_canon_principal,
|
||||
+ char **_canon_realm,
|
||||
struct PAC_DATA_CTR **_pac_data_ctr)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
struct auth4_context *auth_context;
|
||||
struct loadparm_context *lp_ctx;
|
||||
struct PAC_DATA_CTR *pac_data_ctr = NULL;
|
||||
+ char *canon_principal = NULL;
|
||||
+ char *canon_realm = NULL;
|
||||
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
||||
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ if (_canon_principal != NULL) {
|
||||
+ *_canon_principal = NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (_canon_realm != NULL) {
|
||||
+ *_canon_realm = NULL;
|
||||
+ }
|
||||
+
|
||||
if (cache_name) {
|
||||
cc = cache_name;
|
||||
}
|
||||
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
request_pac,
|
||||
add_netbios_addr,
|
||||
renewable_time,
|
||||
- NULL, NULL, NULL,
|
||||
+ tmp_ctx,
|
||||
+ &canon_principal,
|
||||
+ &canon_realm,
|
||||
&status);
|
||||
if (ret) {
|
||||
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
|
||||
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
|
||||
+ if (_canon_principal != NULL) {
|
||||
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
|
||||
+ }
|
||||
+ if (_canon_realm != NULL) {
|
||||
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
|
||||
+ }
|
||||
|
||||
out:
|
||||
talloc_free(tmp_ctx);
|
||||
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
|
||||
index 3d7b5bc074b..807381248c8 100644
|
||||
--- a/source3/libads/kerberos_proto.h
|
||||
+++ b/source3/libads/kerberos_proto.h
|
||||
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
time_t renewable_time,
|
||||
const char *impersonate_princ_s,
|
||||
const char *local_service,
|
||||
+ char **_canon_principal,
|
||||
+ char **_canon_realm,
|
||||
struct PAC_DATA_CTR **pac_data_ctr);
|
||||
|
||||
/* The following definitions come from libads/krb5_setpw.c */
|
||||
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
||||
index 8f993f9ba4c..c41fb0afe9c 100644
|
||||
--- a/source3/utils/net_ads.c
|
||||
+++ b/source3/utils/net_ads.c
|
||||
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
|
||||
2592000, /* one month */
|
||||
impersonate_princ_s,
|
||||
local_service,
|
||||
+ NULL,
|
||||
+ NULL,
|
||||
pac_data_ctr);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
d_printf(_("failed to query kerberos PAC: %s\n"),
|
||||
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||
index 7606bfb4ecd..025a5cbc111 100644
|
||||
--- a/source3/winbindd/winbindd_pam.c
|
||||
+++ b/source3/winbindd/winbindd_pam.c
|
||||
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||
NULL,
|
||||
local_service,
|
||||
+ NULL,
|
||||
+ NULL,
|
||||
&pac_data_ctr);
|
||||
if (user_ccache_file != NULL) {
|
||||
gain_root_privilege();
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 13:19:02 +0100
|
||||
Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
|
||||
entry
|
||||
|
||||
They will be used later to refresh the tickets.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
|
||||
---
|
||||
source3/winbindd/winbindd.h | 2 ++
|
||||
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
|
||||
source3/winbindd/winbindd_pam.c | 14 ++++++++++----
|
||||
source3/winbindd/winbindd_proto.h | 4 +++-
|
||||
4 files changed, 30 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
|
||||
index a6b2238cec1..dac4a1fa927 100644
|
||||
--- a/source3/winbindd/winbindd.h
|
||||
+++ b/source3/winbindd/winbindd.h
|
||||
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
|
||||
const char *service;
|
||||
const char *username;
|
||||
const char *realm;
|
||||
+ const char *canon_principal;
|
||||
+ const char *canon_realm;
|
||||
struct WINBINDD_MEMORY_CREDS *cred_ptr;
|
||||
int ref_count;
|
||||
uid_t uid;
|
||||
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
|
||||
index c3077e21989..88847b1ab97 100644
|
||||
--- a/source3/winbindd/winbindd_cred_cache.c
|
||||
+++ b/source3/winbindd/winbindd_cred_cache.c
|
||||
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||
time_t create_time,
|
||||
time_t ticket_end,
|
||||
time_t renew_until,
|
||||
- bool postponed_request)
|
||||
+ bool postponed_request,
|
||||
+ const char *canon_principal,
|
||||
+ const char *canon_realm)
|
||||
{
|
||||
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
|
||||
struct timeval t;
|
||||
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||
goto no_mem;
|
||||
}
|
||||
}
|
||||
+ if (canon_principal != NULL) {
|
||||
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
|
||||
+ if (entry->canon_principal == NULL) {
|
||||
+ goto no_mem;
|
||||
+ }
|
||||
+ }
|
||||
+ if (canon_realm != NULL) {
|
||||
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
|
||||
+ if (entry->canon_realm == NULL) {
|
||||
+ goto no_mem;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
entry->ccname = talloc_strdup(entry, ccname);
|
||||
if (!entry->ccname) {
|
||||
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
|
||||
index 025a5cbc111..a24cef78440 100644
|
||||
--- a/source3/winbindd/winbindd_pam.c
|
||||
+++ b/source3/winbindd/winbindd_pam.c
|
||||
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
const char *local_service;
|
||||
uint32_t i;
|
||||
struct netr_SamInfo6 *info6_copy = NULL;
|
||||
+ char *canon_principal = NULL;
|
||||
+ char *canon_realm = NULL;
|
||||
bool ok;
|
||||
|
||||
*info6 = NULL;
|
||||
@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||
NULL,
|
||||
local_service,
|
||||
- NULL,
|
||||
- NULL,
|
||||
+ &canon_principal,
|
||||
+ &canon_realm,
|
||||
&pac_data_ctr);
|
||||
if (user_ccache_file != NULL) {
|
||||
gain_root_privilege();
|
||||
@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
time(NULL),
|
||||
ticket_lifetime,
|
||||
renewal_until,
|
||||
- false);
|
||||
+ false,
|
||||
+ canon_principal,
|
||||
+ canon_realm);
|
||||
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
|
||||
@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
|
||||
time(NULL),
|
||||
time(NULL) + lp_winbind_cache_time(),
|
||||
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||
- true);
|
||||
+ true,
|
||||
+ principal_s,
|
||||
+ realm);
|
||||
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
|
||||
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
|
||||
index c0d653a6d77..16c23f3de40 100644
|
||||
--- a/source3/winbindd/winbindd_proto.h
|
||||
+++ b/source3/winbindd/winbindd_proto.h
|
||||
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
|
||||
time_t create_time,
|
||||
time_t ticket_end,
|
||||
time_t renew_until,
|
||||
- bool postponed_request);
|
||||
+ bool postponed_request,
|
||||
+ const char *canon_principal,
|
||||
+ const char *canon_realm);
|
||||
NTSTATUS remove_ccache(const char *username);
|
||||
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
|
||||
NTSTATUS winbindd_add_memory_creds(const char *username,
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
||||
From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
|
||||
From: Samuel Cabrero <scabrero@suse.de>
|
||||
Date: Tue, 22 Feb 2022 14:28:44 +0100
|
||||
Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
|
||||
credentials
|
||||
|
||||
The principal name stored in the winbindd ccache entry might be an
|
||||
enterprise principal name if enterprise principals are enabled. Use
|
||||
the canonical name to renew the credentials.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979
|
||||
|
||||
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
|
||||
---
|
||||
source3/winbindd/winbindd_cred_cache.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
|
||||
index 88847b1ab97..6c65db6a73f 100644
|
||||
--- a/source3/winbindd/winbindd_cred_cache.c
|
||||
+++ b/source3/winbindd/winbindd_cred_cache.c
|
||||
@@ -209,7 +209,7 @@ rekinit:
|
||||
set_effective_uid(entry->uid);
|
||||
|
||||
ret = smb_krb5_renew_ticket(entry->ccname,
|
||||
- entry->principal_name,
|
||||
+ entry->canon_principal,
|
||||
entry->service,
|
||||
&new_start);
|
||||
#if defined(DEBUG_KRB5_TKT_RENEWAL)
|
||||
--
|
||||
2.35.1
|
||||
|
16
SOURCES/samba-4.15.5.tar.asc
Normal file
16
SOURCES/samba-4.15.5.tar.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
|
||||
tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
|
||||
KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
|
||||
j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
|
||||
b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
|
||||
0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
|
||||
/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
|
||||
+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
|
||||
g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
|
||||
5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
|
||||
f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
|
||||
OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
|
||||
=oc6g
|
||||
-----END PGP SIGNATURE-----
|
30
SOURCES/samba-ctdb-etcd-reclock.patch
Normal file
30
SOURCES/samba-ctdb-etcd-reclock.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
|
||||
From: Martin Schwenke <martin@meltin.net>
|
||||
Date: Tue, 27 Apr 2021 15:46:14 +1000
|
||||
Subject: [PATCH] utils: Use Python 3
|
||||
|
||||
Due to the number of flake8 and pylint warnings it is unclear if the
|
||||
source has Python 3 incompatibilities. These will be cleaned up in
|
||||
subsequent commits.
|
||||
|
||||
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
|
||||
Reviewed-by: Martin Schwenke <martin@meltin.net>
|
||||
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
||||
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
|
||||
---
|
||||
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
index 000c6bb7208..7f5194eff0a 100755
|
||||
--- a/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python
|
||||
+#!/usr/bin/env python3
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
--
|
||||
2.31.1
|
||||
|
764
SOURCES/samba-disable-ntlmssp.patch
Normal file
764
SOURCES/samba-disable-ntlmssp.patch
Normal file
@ -0,0 +1,764 @@
|
||||
From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Fri, 10 Dec 2021 16:08:04 +0100
|
||||
Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
|
||||
---
|
||||
source3/utils/net_ads.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
||||
index 6ab4a0096b1..8f993f9ba4c 100644
|
||||
--- a/source3/utils/net_ads.c
|
||||
+++ b/source3/utils/net_ads.c
|
||||
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
|
||||
char *cp;
|
||||
const char *realm = NULL;
|
||||
bool tried_closest_dc = false;
|
||||
+ enum credentials_use_kerberos krb5_state =
|
||||
+ CRED_USE_KERBEROS_DISABLED;
|
||||
|
||||
/* lp_realm() should be handled by a command line param,
|
||||
However, the join requires that realm be set in smb.conf
|
||||
@@ -650,10 +652,28 @@ retry:
|
||||
ads->auth.password = smb_xstrdup(c->opt_password);
|
||||
}
|
||||
|
||||
- ads->auth.flags |= auth_flags;
|
||||
SAFE_FREE(ads->auth.user_name);
|
||||
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
|
||||
|
||||
+ ads->auth.flags |= auth_flags;
|
||||
+
|
||||
+ /* The ADS code will handle FIPS mode */
|
||||
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
|
||||
+ switch (krb5_state) {
|
||||
+ case CRED_USE_KERBEROS_REQUIRED:
|
||||
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DESIRED:
|
||||
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DISABLED:
|
||||
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* If the username is of the form "name@realm",
|
||||
* extract the realm and convert to upper case.
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Wed, 8 Dec 2021 16:05:17 +0100
|
||||
Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
|
||||
---
|
||||
source3/libads/sasl.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
||||
index 60fa2bf80cb..b91e2d15bcf 100644
|
||||
--- a/source3/libads/sasl.c
|
||||
+++ b/source3/libads/sasl.c
|
||||
@@ -1,18 +1,18 @@
|
||||
-/*
|
||||
+/*
|
||||
Unix SMB/CIFS implementation.
|
||||
ads sasl code
|
||||
Copyright (C) Andrew Tridgell 2001
|
||||
-
|
||||
+
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
-
|
||||
+
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
-
|
||||
+
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
|
||||
.disconnect = ads_sasl_gensec_disconnect
|
||||
};
|
||||
|
||||
-/*
|
||||
+/*
|
||||
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
|
||||
we fit on one socket??)
|
||||
*/
|
||||
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
|
||||
|
||||
#endif /* HAVE_KRB5 */
|
||||
|
||||
-/*
|
||||
+/*
|
||||
this performs a SASL/SPNEGO bind
|
||||
*/
|
||||
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
file_save("sasl_spnego.dat", blob.data, blob.length);
|
||||
#endif
|
||||
|
||||
- /* the server sent us the first part of the SPNEGO exchange in the negprot
|
||||
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
|
||||
reply */
|
||||
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
|
||||
OIDs[0] == NULL) {
|
||||
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
|
||||
- got_kerberos_mechanism)
|
||||
+ got_kerberos_mechanism)
|
||||
{
|
||||
mech = "KRB5";
|
||||
|
||||
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
"calling kinit\n", ads_errstr(status)));
|
||||
}
|
||||
|
||||
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
|
||||
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
|
||||
|
||||
if (ADS_ERR_OK(status)) {
|
||||
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
||||
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
}
|
||||
|
||||
/* only fallback to NTLMSSP if allowed */
|
||||
- if (ADS_ERR_OK(status) ||
|
||||
+ if (ADS_ERR_OK(status) ||
|
||||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
|
||||
goto done;
|
||||
}
|
||||
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
#endif
|
||||
|
||||
/* lets do NTLMSSP ... this has the big advantage that we don't need
|
||||
- to sync clocks, and we don't rely on special versions of the krb5
|
||||
+ to sync clocks, and we don't rely on special versions of the krb5
|
||||
library for HMAC_MD4 encryption */
|
||||
mech = "NTLMSSP";
|
||||
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Thu, 9 Dec 2021 13:43:08 +0100
|
||||
Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
|
||||
---
|
||||
source3/libads/sasl.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
||||
index b91e2d15bcf..992f7022a69 100644
|
||||
--- a/source3/libads/sasl.c
|
||||
+++ b/source3/libads/sasl.c
|
||||
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
|
||||
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
|
||||
"for %s/%s with user[%s] realm[%s]: %s, "
|
||||
- "fallback to NTLMSSP\n",
|
||||
+ "try to fallback to NTLMSSP\n",
|
||||
p.service, p.hostname,
|
||||
ads->auth.user_name,
|
||||
ads->auth.realm,
|
||||
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
to sync clocks, and we don't rely on special versions of the krb5
|
||||
library for HMAC_MD4 encryption */
|
||||
mech = "NTLMSSP";
|
||||
+
|
||||
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
|
||||
+ " disallowed.\n");
|
||||
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
|
||||
CRED_USE_KERBEROS_DISABLED,
|
||||
p.service, p.hostname,
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Fri, 7 Jan 2022 10:31:19 +0100
|
||||
Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
|
||||
---
|
||||
source3/libads/sasl.c | 22 +++++++++++-----------
|
||||
1 file changed, 11 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
||||
index 992f7022a69..ea98aa47ecd 100644
|
||||
--- a/source3/libads/sasl.c
|
||||
+++ b/source3/libads/sasl.c
|
||||
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
p.service, p.hostname,
|
||||
blob);
|
||||
if (!ADS_ERR_OK(status)) {
|
||||
- DEBUG(0,("kinit succeeded but "
|
||||
- "ads_sasl_spnego_gensec_bind(KRB5) failed "
|
||||
- "for %s/%s with user[%s] realm[%s]: %s\n",
|
||||
+ DBG_ERR("kinit succeeded but "
|
||||
+ "SPNEGO bind with Kerberos failed "
|
||||
+ "for %s/%s - user[%s], realm[%s]: %s\n",
|
||||
p.service, p.hostname,
|
||||
ads->auth.user_name,
|
||||
ads->auth.realm,
|
||||
- ads_errstr(status)));
|
||||
+ ads_errstr(status));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
|
||||
- "for %s/%s with user[%s] realm[%s]: %s, "
|
||||
- "try to fallback to NTLMSSP\n",
|
||||
- p.service, p.hostname,
|
||||
- ads->auth.user_name,
|
||||
- ads->auth.realm,
|
||||
- ads_errstr(status)));
|
||||
+ DBG_WARNING("SASL bind with Kerberos failed "
|
||||
+ "for %s/%s - user[%s], realm[%s]: %s, "
|
||||
+ "try to fallback to NTLMSSP\n",
|
||||
+ p.service, p.hostname,
|
||||
+ ads->auth.user_name,
|
||||
+ ads->auth.realm,
|
||||
+ ads_errstr(status));
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Mon, 3 Jan 2022 11:13:06 +0100
|
||||
Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
|
||||
without kerberos)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
|
||||
---
|
||||
source3/libads/sasl.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
||||
index ea98aa47ecd..1bcfe0490a8 100644
|
||||
--- a/source3/libads/sasl.c
|
||||
+++ b/source3/libads/sasl.c
|
||||
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
|
||||
library for HMAC_MD4 encryption */
|
||||
mech = "NTLMSSP";
|
||||
|
||||
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
|
||||
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
|
||||
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
||||
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
|
||||
" disallowed.\n");
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Mon, 3 Jan 2022 15:33:46 +0100
|
||||
Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
|
||||
connections
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
|
||||
---
|
||||
.../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
|
||||
1 file changed, 41 insertions(+)
|
||||
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
|
||||
|
||||
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
|
||||
new file mode 100755
|
||||
index 00000000000..2822ab29d14
|
||||
--- /dev/null
|
||||
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
|
||||
@@ -0,0 +1,41 @@
|
||||
+#!/bin/sh
|
||||
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
|
||||
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
|
||||
+
|
||||
+if [ $# -lt 2 ]; then
|
||||
+cat <<EOF
|
||||
+Usage: $0 USERNAME PASSWORD
|
||||
+EOF
|
||||
+exit 1;
|
||||
+fi
|
||||
+
|
||||
+USERNAME=$1
|
||||
+PASSWORD=$2
|
||||
+shift 2
|
||||
+
|
||||
+failed=0
|
||||
+. `dirname $0`/subunit.sh
|
||||
+
|
||||
+samba_testparm="$BINDIR/testparm"
|
||||
+samba_net="$BINDIR/net"
|
||||
+
|
||||
+unset GNUTLS_FORCE_FIPS_MODE
|
||||
+
|
||||
+# Checks that testparm reports: Weak crypto is allowed
|
||||
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
|
||||
+
|
||||
+# We should be allowed to use NTLM for connecting
|
||||
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
|
||||
+
|
||||
+GNUTLS_FORCE_FIPS_MODE=1
|
||||
+export GNUTLS_FORCE_FIPS_MODE
|
||||
+
|
||||
+# Checks that testparm reports: Weak crypto is disallowed
|
||||
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
|
||||
+
|
||||
+# We should not be allowed to use NTLM for connecting
|
||||
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
|
||||
+
|
||||
+unset GNUTLS_FORCE_FIPS_MODE
|
||||
+
|
||||
+exit $failed
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 4 Jan 2022 12:00:20 +0100
|
||||
Subject: [PATCH 07/10] s4:selftest: plan test suite
|
||||
samba4.blackbox.test_weak_disable_ntlmssp_ldap
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
|
||||
---
|
||||
source4/selftest/tests.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
||||
index 1e4b2ae6dd3..3a6a716f061 100755
|
||||
--- a/source4/selftest/tests.py
|
||||
+++ b/source4/selftest/tests.py
|
||||
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
|
||||
|
||||
if have_gnutls_fips_mode_support:
|
||||
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
|
||||
+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
|
||||
|
||||
for env in ["ad_dc_fips", "ad_member_fips"]:
|
||||
plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 18 Jan 2022 19:47:38 +0100
|
||||
Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
|
||||
---
|
||||
source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
|
||||
1 file changed, 19 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
|
||||
index 948c903f165..e415df347e6 100644
|
||||
--- a/source3/winbindd/winbindd_ads.c
|
||||
+++ b/source3/winbindd/winbindd_ads.c
|
||||
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
|
||||
|
||||
if ( !winbindd_can_contact_domain( domain ) ) {
|
||||
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
|
||||
- domain->name));
|
||||
+ domain->name));
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
|
||||
|
||||
if ( !winbindd_can_contact_domain( domain ) ) {
|
||||
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
|
||||
- domain->name));
|
||||
+ domain->name));
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
|
||||
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
|
||||
* default value, it MUST be absent. In case of extensible matching the
|
||||
* "dnattr" boolean defaults to FALSE and so it must be only be present
|
||||
- * when set to TRUE.
|
||||
+ * when set to TRUE.
|
||||
*
|
||||
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
|
||||
* filter using bitwise matching rule then the buggy AD fails to decode
|
||||
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
|
||||
*
|
||||
* Thanks to Ralf Haferkamp for input and testing - Guenther */
|
||||
|
||||
- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
|
||||
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
|
||||
ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
|
||||
- ADS_LDAP_MATCHING_RULE_BIT_AND,
|
||||
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
|
||||
enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
|
||||
|
||||
if (filter == NULL) {
|
||||
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
|
||||
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
|
||||
|
||||
done:
|
||||
- if (res)
|
||||
+ if (res)
|
||||
ads_msgfree(ads, res);
|
||||
|
||||
return status;
|
||||
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
|
||||
struct wb_acct_info **info)
|
||||
{
|
||||
/*
|
||||
- * This is a stub function only as we returned the domain
|
||||
+ * This is a stub function only as we returned the domain
|
||||
* local groups in enum_dom_groups() if the domain->native field
|
||||
* was true. This is a simple performance optimization when
|
||||
* using LDAP.
|
||||
*
|
||||
- * if we ever need to enumerate domain local groups separately,
|
||||
+ * if we ever need to enumerate domain local groups separately,
|
||||
* then this optimization in enum_dom_groups() will need
|
||||
* to be split out
|
||||
*/
|
||||
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
|
||||
tokenGroups are not available. */
|
||||
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
- const char *user_dn,
|
||||
+ const char *user_dn,
|
||||
struct dom_sid *primary_group,
|
||||
uint32_t *p_num_groups, struct dom_sid **user_sids)
|
||||
{
|
||||
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
|
||||
|
||||
if ( !winbindd_can_contact_domain( domain ) ) {
|
||||
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
|
||||
- domain->name));
|
||||
+ domain->name));
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
|
||||
|
||||
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
|
||||
done:
|
||||
- if (res)
|
||||
+ if (res)
|
||||
ads_msgfree(ads, res);
|
||||
|
||||
return status;
|
||||
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
|
||||
if (count != 1) {
|
||||
status = NT_STATUS_UNSUCCESSFUL;
|
||||
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
|
||||
- "invalid number of results (count=%d)\n",
|
||||
+ "invalid number of results (count=%d)\n",
|
||||
dom_sid_str_buf(sid, &buf),
|
||||
count));
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (!msg) {
|
||||
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
|
||||
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
|
||||
dom_sid_str_buf(sid, &buf)));
|
||||
status = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
|
||||
}
|
||||
|
||||
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
|
||||
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
|
||||
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
|
||||
domain->name,
|
||||
dom_sid_str_buf(sid, &buf)));
|
||||
goto done;
|
||||
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
|
||||
|
||||
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
|
||||
|
||||
- /* there must always be at least one group in the token,
|
||||
+ /* there must always be at least one group in the token,
|
||||
unless we are talking to a buggy Win2k server */
|
||||
|
||||
/* actually this only happens when the machine account has no read
|
||||
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
|
||||
/* lookup what groups this user is a member of by DN search on
|
||||
* "member" */
|
||||
|
||||
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
|
||||
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
|
||||
&primary_group,
|
||||
&num_groups, user_sids);
|
||||
*p_num_groups = num_groups;
|
||||
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
|
||||
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
|
||||
"not map any SIDs at all.\n"));
|
||||
/* Don't handle this as an error here.
|
||||
- * There is nothing left to do with respect to the
|
||||
+ * There is nothing left to do with respect to the
|
||||
* overall result... */
|
||||
}
|
||||
else if (!NT_STATUS_IS_OK(status)) {
|
||||
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
|
||||
NETR_TRUST_FLAG_IN_FOREST;
|
||||
} else {
|
||||
flags = NETR_TRUST_FLAG_IN_FOREST;
|
||||
- }
|
||||
+ }
|
||||
|
||||
result = cm_connect_netlogon(domain, &cli);
|
||||
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
|
||||
- "for PIPE_NETLOGON (%s)\n",
|
||||
+ "for PIPE_NETLOGON (%s)\n",
|
||||
domain->name, nt_errstr(result)));
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 18 Jan 2022 19:44:54 +0100
|
||||
Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
|
||||
mode
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
|
||||
---
|
||||
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
|
||||
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
|
||||
index e415df347e6..6f01ef6e334 100644
|
||||
--- a/source3/winbindd/winbindd_ads.c
|
||||
+++ b/source3/winbindd/winbindd_ads.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include "../libds/common/flag_mapping.h"
|
||||
#include "libsmb/samlogon_cache.h"
|
||||
#include "passdb.h"
|
||||
+#include "auth/credentials/credentials.h"
|
||||
|
||||
#ifdef HAVE_ADS
|
||||
|
||||
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
|
||||
ADS_STATUS status;
|
||||
struct sockaddr_storage dc_ss;
|
||||
fstring dc_name;
|
||||
+ enum credentials_use_kerberos krb5_state;
|
||||
|
||||
if (auth_realm == NULL) {
|
||||
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
|
||||
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
|
||||
ads->auth.renewable = renewable;
|
||||
ads->auth.password = password;
|
||||
|
||||
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ /* In FIPS mode, client use kerberos is forced to required. */
|
||||
+ krb5_state = lp_client_use_kerberos();
|
||||
+ switch (krb5_state) {
|
||||
+ case CRED_USE_KERBEROS_REQUIRED:
|
||||
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DESIRED:
|
||||
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DISABLED:
|
||||
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
ads->auth.realm = SMB_STRDUP(auth_realm);
|
||||
if (!strupper_m(ads->auth.realm)) {
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Fri, 21 Jan 2022 12:01:33 +0100
|
||||
Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
|
||||
mode
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
|
||||
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
||||
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
|
||||
|
||||
(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
|
||||
---
|
||||
source3/libnet/libnet_join.c | 18 +++++++++++++++++-
|
||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||
index 02705f1c70c..4c67e9af5c4 100644
|
||||
--- a/source3/libnet/libnet_join.c
|
||||
+++ b/source3/libnet/libnet_join.c
|
||||
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
|
||||
ADS_STATUS status;
|
||||
ADS_STRUCT *my_ads = NULL;
|
||||
char *cp;
|
||||
+ enum credentials_use_kerberos krb5_state;
|
||||
|
||||
my_ads = ads_init(dns_domain_name,
|
||||
netbios_domain_name,
|
||||
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
|
||||
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
|
||||
}
|
||||
|
||||
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ /* In FIPS mode, client use kerberos is forced to required. */
|
||||
+ krb5_state = lp_client_use_kerberos();
|
||||
+ switch (krb5_state) {
|
||||
+ case CRED_USE_KERBEROS_REQUIRED:
|
||||
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DESIRED:
|
||||
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ case CRED_USE_KERBEROS_DISABLED:
|
||||
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
|
||||
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
if (user_name) {
|
||||
SAFE_FREE(my_ads->auth.user_name);
|
||||
--
|
||||
2.33.1
|
||||
|
36
SOURCES/samba-disable-systemd-notifications.patch
Normal file
36
SOURCES/samba-disable-systemd-notifications.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
|
||||
From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
|
||||
Date: Mon, 24 Jan 2022 22:14:31 -0500
|
||||
Subject: [PATCH] printing/bgqd: Disable systemd notifications
|
||||
|
||||
samba-bgqd daemon is started by existing Samba daemons. When running
|
||||
under systemd, those daemons control systemd notifications and
|
||||
samba-bgqd messages need to be silenced.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
|
||||
|
||||
Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
|
||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
|
||||
---
|
||||
source3/printing/samba-bgqd.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
|
||||
index f21327fc622..59ed0cc40db 100644
|
||||
--- a/source3/printing/samba-bgqd.c
|
||||
+++ b/source3/printing/samba-bgqd.c
|
||||
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
|
||||
|
||||
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
|
||||
|
||||
+ /* main process will notify systemd */
|
||||
+ daemon_sd_notifications(false);
|
||||
+
|
||||
if (!cmdline_daemon_cfg->fork) {
|
||||
daemon_status(progname, "Starting process ... ");
|
||||
} else {
|
||||
--
|
||||
2.34.1
|
||||
|
64
SOURCES/samba-glibc-dns.patch
Normal file
64
SOURCES/samba-glibc-dns.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 7 Oct 2021 15:55:37 +0200
|
||||
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
|
||||
|
||||
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
|
||||
anymore. The res_* symbols have been moved from libresolv to libc. We are not
|
||||
able to intercept any traffic inside of libc.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
selftest/wscript | 2 +-
|
||||
third_party/resolv_wrapper/wscript | 13 +++++++++++++
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/selftest/wscript b/selftest/wscript
|
||||
index a6be06c2ae9..85d9338489a 100644
|
||||
--- a/selftest/wscript
|
||||
+++ b/selftest/wscript
|
||||
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
|
||||
if os.environ.get('USE_NAMESPACES') is None:
|
||||
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
|
||||
|
||||
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
|
||||
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
|
||||
env.OPTIONS += " --use-dns-faking"
|
||||
|
||||
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
|
||||
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
|
||||
index a7f18389b0f..7e369bd90b5 100644
|
||||
--- a/third_party/resolv_wrapper/wscript
|
||||
+++ b/third_party/resolv_wrapper/wscript
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
import os
|
||||
+from waflib import Logs
|
||||
|
||||
VERSION="1.1.7"
|
||||
|
||||
@@ -49,6 +50,18 @@ def configure(conf):
|
||||
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
|
||||
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
|
||||
|
||||
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
|
||||
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
|
||||
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
|
||||
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
|
||||
+ Logs.warn("Detection for resolv_wrapper: "
|
||||
+ "Only dns faking will be available")
|
||||
+ else:
|
||||
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
|
||||
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
|
||||
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
|
||||
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
|
||||
+
|
||||
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
|
||||
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
|
||||
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
|
||||
--
|
||||
2.33.1
|
||||
|
100
SOURCES/samba-password-change-prompt.patch
Normal file
100
SOURCES/samba-password-change-prompt.patch
Normal file
@ -0,0 +1,100 @@
|
||||
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||
Date: Wed, 17 Nov 2021 09:56:09 +0100
|
||||
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
|
||||
off).
|
||||
|
||||
This change disables the prompt for the change of an expired password by
|
||||
default (using the PAM_RADIO_TYPE mechanism if present).
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
|
||||
|
||||
Guenther
|
||||
|
||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
|
||||
---
|
||||
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
|
||||
nsswitch/pam_winbind.c | 12 ++++++++++--
|
||||
nsswitch/pam_winbind.h | 1 +
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
index 0bc288f91a1..bae9298fc32 100644
|
||||
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
@@ -194,6 +194,13 @@
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>pwd_change_prompt = yes|no</term>
|
||||
+ <listitem><para>
|
||||
+ Generate prompt for changing an expired password. Defaults to "no".
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
|
||||
</para>
|
||||
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
|
||||
index 720a4b90d85..06098dd07d8 100644
|
||||
--- a/nsswitch/pam_winbind.c
|
||||
+++ b/nsswitch/pam_winbind.c
|
||||
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
|
||||
ctrl |= WINBIND_MKHOMEDIR;
|
||||
}
|
||||
|
||||
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
|
||||
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
|
||||
+ }
|
||||
+
|
||||
config_from_pam:
|
||||
/* step through arguments */
|
||||
for (i=argc,v=argv; i-- > 0; ++v) {
|
||||
@@ -522,6 +526,8 @@ config_from_pam:
|
||||
else if (!strncasecmp(*v, "warn_pwd_expire",
|
||||
strlen("warn_pwd_expire")))
|
||||
ctrl |= WINBIND_WARN_PWD_EXPIRE;
|
||||
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
|
||||
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
|
||||
else if (type != PAM_WINBIND_CLEANUP) {
|
||||
__pam_log(pamh, ctrl, LOG_ERR,
|
||||
"pam_parse: unknown option: %s", *v);
|
||||
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
|
||||
* successfully sent the warning message.
|
||||
* Give the user a chance to change pwd.
|
||||
*/
|
||||
- if (ret == PAM_SUCCESS) {
|
||||
+ if (ret == PAM_SUCCESS &&
|
||||
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
|
||||
if (change_pwd) {
|
||||
retval = _pam_winbind_change_pwd(ctx);
|
||||
if (retval) {
|
||||
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
|
||||
* successfully sent the warning message.
|
||||
* Give the user a chance to change pwd.
|
||||
*/
|
||||
- if (ret == PAM_SUCCESS) {
|
||||
+ if (ret == PAM_SUCCESS &&
|
||||
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
|
||||
if (change_pwd) {
|
||||
retval = _pam_winbind_change_pwd(ctx);
|
||||
if (retval) {
|
||||
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
|
||||
index c6786d65a4d..2f4a25729bd 100644
|
||||
--- a/nsswitch/pam_winbind.h
|
||||
+++ b/nsswitch/pam_winbind.h
|
||||
@@ -157,6 +157,7 @@ do { \
|
||||
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
|
||||
#define WINBIND_MKHOMEDIR 0x00004000
|
||||
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
|
||||
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
|
||||
|
||||
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
|
||||
#define _(string) dgettext(MODULE_NAME, string)
|
||||
--
|
||||
2.35.1
|
||||
|
229
SOURCES/samba-printing-win7.patch
Normal file
229
SOURCES/samba-printing-win7.patch
Normal file
@ -0,0 +1,229 @@
|
||||
From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 22 Jan 2022 01:08:26 +0100
|
||||
Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
|
||||
|
||||
This is important for the source3/rpc_server code as it might
|
||||
be called embedded in smbd and may not run as root with access
|
||||
to our private tdb/ldb files.
|
||||
|
||||
Note this is only really needed for 4.15 and older, as
|
||||
we no longer run the rpc_server embedded in smbd,
|
||||
but we better be consistent for now.
|
||||
|
||||
This should be able to fix the problem the printing no longer works
|
||||
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
|
||||
|
||||
Windows uses NTLMSSP with privacy at the DCERPC layer on top
|
||||
of NCACN_NP (smb).
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
|
||||
---
|
||||
librpc/rpc/dcesrv_auth.c | 5 +++++
|
||||
librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
|
||||
librpc/rpc/dcesrv_core.h | 2 ++
|
||||
source3/rpc_server/rpc_config.c | 2 ++
|
||||
source4/rpc_server/service_rpc.c | 10 ++++++++++
|
||||
5 files changed, 37 insertions(+)
|
||||
|
||||
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
|
||||
index fec8df513a83..99d8e0162160 100644
|
||||
--- a/librpc/rpc/dcesrv_auth.c
|
||||
+++ b/librpc/rpc/dcesrv_auth.c
|
||||
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
|
||||
auth->auth_level = call->in_auth_info.auth_level;
|
||||
auth->auth_context_id = call->in_auth_info.auth_context_id;
|
||||
|
||||
+ cb->auth.become_root();
|
||||
status = cb->auth.gensec_prepare(
|
||||
auth,
|
||||
call,
|
||||
&auth->gensec_security,
|
||||
cb->auth.private_data);
|
||||
+ cb->auth.unbecome_root();
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
|
||||
nt_errstr(status)));
|
||||
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
|
||||
NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
|
||||
{
|
||||
struct dcesrv_auth *auth = call->auth_state;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
const char *pdu = "<unknown>";
|
||||
|
||||
switch (call->pkt.ptype) {
|
||||
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
|
||||
return status;
|
||||
}
|
||||
|
||||
+ cb->auth.become_root();
|
||||
status = gensec_session_info(auth->gensec_security,
|
||||
auth,
|
||||
&auth->session_info);
|
||||
+ cb->auth.unbecome_root();
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(1, ("Failed to establish session_info: %s\n",
|
||||
nt_errstr(status)));
|
||||
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
|
||||
index d16159b0b6cd..ea91fc689b4a 100644
|
||||
--- a/librpc/rpc/dcesrv_core.c
|
||||
+++ b/librpc/rpc/dcesrv_core.c
|
||||
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
|
||||
struct dcerpc_binding *ep_2nd_description = NULL;
|
||||
const char *endpoint = NULL;
|
||||
struct dcesrv_auth *auth = call->auth_state;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
|
||||
struct dcerpc_ack_ctx *ack_features = NULL;
|
||||
struct tevent_req *subreq = NULL;
|
||||
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
|
||||
return dcesrv_auth_reply(call);
|
||||
}
|
||||
|
||||
+ cb->auth.become_root();
|
||||
subreq = gensec_update_send(call, call->event_ctx,
|
||||
auth->gensec_security,
|
||||
call->in_auth_info.credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
if (subreq == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
|
||||
tevent_req_callback_data(subreq,
|
||||
struct dcesrv_call_state);
|
||||
struct dcesrv_connection *conn = call->conn;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
NTSTATUS status;
|
||||
|
||||
+ cb->auth.become_root();
|
||||
status = gensec_update_recv(subreq, call,
|
||||
&call->out_auth_info->credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
TALLOC_FREE(subreq);
|
||||
|
||||
status = dcesrv_auth_complete(call, status);
|
||||
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
|
||||
{
|
||||
struct dcesrv_connection *conn = call->conn;
|
||||
struct dcesrv_auth *auth = call->auth_state;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
struct tevent_req *subreq = NULL;
|
||||
NTSTATUS status;
|
||||
|
||||
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
+ cb->auth.become_root();
|
||||
subreq = gensec_update_send(call, call->event_ctx,
|
||||
auth->gensec_security,
|
||||
call->in_auth_info.credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
if (subreq == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
|
||||
struct dcesrv_call_state);
|
||||
struct dcesrv_connection *conn = call->conn;
|
||||
struct dcesrv_auth *auth = call->auth_state;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
NTSTATUS status;
|
||||
|
||||
+ cb->auth.become_root();
|
||||
status = gensec_update_recv(subreq, call,
|
||||
&call->out_auth_info->credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
TALLOC_FREE(subreq);
|
||||
|
||||
status = dcesrv_auth_complete(call, status);
|
||||
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
|
||||
struct ncacn_packet *pkt = &call->ack_pkt;
|
||||
uint32_t extra_flags = 0;
|
||||
struct dcesrv_auth *auth = call->auth_state;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
|
||||
struct tevent_req *subreq = NULL;
|
||||
size_t i;
|
||||
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
|
||||
return dcesrv_auth_reply(call);
|
||||
}
|
||||
|
||||
+ cb->auth.become_root();
|
||||
subreq = gensec_update_send(call, call->event_ctx,
|
||||
auth->gensec_security,
|
||||
call->in_auth_info.credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
if (subreq == NULL) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
|
||||
tevent_req_callback_data(subreq,
|
||||
struct dcesrv_call_state);
|
||||
struct dcesrv_connection *conn = call->conn;
|
||||
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
|
||||
NTSTATUS status;
|
||||
|
||||
+ cb->auth.become_root();
|
||||
status = gensec_update_recv(subreq, call,
|
||||
&call->out_auth_info->credentials);
|
||||
+ cb->auth.unbecome_root();
|
||||
TALLOC_FREE(subreq);
|
||||
|
||||
status = dcesrv_auth_complete(call, status);
|
||||
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
|
||||
index d8d5f9030959..0538442e0ce6 100644
|
||||
--- a/librpc/rpc/dcesrv_core.h
|
||||
+++ b/librpc/rpc/dcesrv_core.h
|
||||
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
|
||||
struct gensec_security **out,
|
||||
void *private_data);
|
||||
void *private_data;
|
||||
+ void (*become_root)(void);
|
||||
+ void (*unbecome_root)(void);
|
||||
} auth;
|
||||
struct {
|
||||
NTSTATUS (*find)(
|
||||
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
|
||||
index 2f1a01da1c0b..289c4f398409 100644
|
||||
--- a/source3/rpc_server/rpc_config.c
|
||||
+++ b/source3/rpc_server/rpc_config.c
|
||||
@@ -31,6 +31,8 @@
|
||||
static struct dcesrv_context_callbacks srv_callbacks = {
|
||||
.log.successful_authz = dcesrv_log_successful_authz,
|
||||
.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
|
||||
+ .auth.become_root = become_root,
|
||||
+ .auth.unbecome_root = unbecome_root,
|
||||
.assoc_group.find = dcesrv_assoc_group_find,
|
||||
};
|
||||
|
||||
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
|
||||
index d8c6746d7815..ebb50f8a7ef3 100644
|
||||
--- a/source4/rpc_server/service_rpc.c
|
||||
+++ b/source4/rpc_server/service_rpc.c
|
||||
@@ -40,9 +40,19 @@
|
||||
#include "../libcli/named_pipe_auth/npa_tstream.h"
|
||||
#include "samba/process_model.h"
|
||||
|
||||
+static void skip_become_root(void)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
+static void skip_unbecome_root(void)
|
||||
+{
|
||||
+}
|
||||
+
|
||||
static struct dcesrv_context_callbacks srv_callbacks = {
|
||||
.log.successful_authz = log_successful_dcesrv_authz_event,
|
||||
.auth.gensec_prepare = dcesrv_gensec_prepare,
|
||||
+ .auth.become_root = skip_become_root,
|
||||
+ .auth.unbecome_root = skip_unbecome_root,
|
||||
.assoc_group.find = dcesrv_assoc_group_find,
|
||||
};
|
||||
|
||||
--
|
||||
2.25.1
|
||||
|
697
SOURCES/samba-s4u.patch
Normal file
697
SOURCES/samba-s4u.patch
Normal file
@ -0,0 +1,697 @@
|
||||
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:25:03 +0300
|
||||
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
|
||||
source4/kdc/mit_samba.c | 47 ++-------
|
||||
source4/kdc/mit_samba.h | 6 +-
|
||||
3 files changed, 71 insertions(+), 106 deletions(-)
|
||||
|
||||
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
index f35210669c2..b1c7c5dcc5e 100644
|
||||
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
krb5_keyblock *krbtgt_key,
|
||||
krb5_timestamp authtime,
|
||||
krb5_authdata **tgt_auth_data,
|
||||
- krb5_pac *pac)
|
||||
+ krb5_pac *out_pac)
|
||||
{
|
||||
struct mit_samba_context *mit_ctx;
|
||||
krb5_authdata **authdata = NULL;
|
||||
- krb5_pac ipac = NULL;
|
||||
- DATA_BLOB logon_data = { NULL, 0 };
|
||||
+ krb5_keyblock *header_server_key = NULL;
|
||||
+ krb5_key_data *impersonator_kd = NULL;
|
||||
+ krb5_keyblock impersonator_key = {0};
|
||||
krb5_error_code code;
|
||||
+ krb5_pac pac;
|
||||
+
|
||||
+ *out_pac = NULL;
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = krb5_pac_parse(context,
|
||||
authdata[0]->contents,
|
||||
authdata[0]->length,
|
||||
- &ipac);
|
||||
+ &pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* TODO: verify this is correct
|
||||
- *
|
||||
- * In the constrained delegation case, the PAC is from a service
|
||||
- * ticket rather than a TGT; we must verify the server and KDC
|
||||
- * signatures to assert that the server did not forge the PAC.
|
||||
+ /*
|
||||
+ * For constrained delegation in MIT version < 1.18 we aren't provided
|
||||
+ * with the 2nd ticket server key to verify the PAC.
|
||||
+ * We can workaround that by fetching the key from the client db entry,
|
||||
+ * which is the impersonator account in that version.
|
||||
+ * TODO: use the provided entry in the new 1.18 version.
|
||||
*/
|
||||
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
||||
- code = krb5_pac_verify(context,
|
||||
- ipac,
|
||||
- authtime,
|
||||
- client_princ,
|
||||
- server_key,
|
||||
- krbtgt_key);
|
||||
+ /* The impersonator must be local. */
|
||||
+ if (client == NULL) {
|
||||
+ code = KRB5KDC_ERR_BADOPTION;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ /* Fetch and decrypt 2nd ticket server's current key. */
|
||||
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
|
||||
+ &impersonator_kd);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ code = krb5_dbe_decrypt_key_data(context, NULL,
|
||||
+ impersonator_kd,
|
||||
+ &impersonator_key, NULL);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ header_server_key = &impersonator_key;
|
||||
} else {
|
||||
- code = krb5_pac_verify(context,
|
||||
- ipac,
|
||||
- authtime,
|
||||
- client_princ,
|
||||
- krbtgt_key,
|
||||
- NULL);
|
||||
- }
|
||||
- if (code != 0) {
|
||||
- goto done;
|
||||
+ header_server_key = krbtgt_key;
|
||||
}
|
||||
|
||||
- /* check and update PAC */
|
||||
- code = krb5_pac_parse(context,
|
||||
- authdata[0]->contents,
|
||||
- authdata[0]->length,
|
||||
- pac);
|
||||
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
|
||||
+ header_server_key, NULL);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = mit_samba_reget_pac(mit_ctx,
|
||||
context,
|
||||
flags,
|
||||
- client_princ,
|
||||
client,
|
||||
server,
|
||||
krbtgt,
|
||||
krbtgt_key,
|
||||
- pac);
|
||||
+ &pac);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ *out_pac = pac;
|
||||
+ pac = NULL;
|
||||
|
||||
done:
|
||||
+ krb5_free_keyblock_contents(context, &impersonator_key);
|
||||
krb5_free_authdata(context, authdata);
|
||||
- krb5_pac_free(context, ipac);
|
||||
- free(logon_data.data);
|
||||
+ krb5_pac_free(context, pac);
|
||||
|
||||
return code;
|
||||
}
|
||||
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krb5_authdata **pac_auth_data = NULL;
|
||||
krb5_authdata **authdata = NULL;
|
||||
krb5_boolean is_as_req;
|
||||
+ krb5_const_principal pac_client;
|
||||
krb5_error_code code;
|
||||
krb5_pac pac = NULL;
|
||||
krb5_data pac_data;
|
||||
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
||||
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
||||
|
||||
- /* FIXME: We don't support S4U yet */
|
||||
- if (flags & KRB5_KDB_FLAGS_S4U) {
|
||||
- return KRB5_KDB_DBTYPE_NOSUP;
|
||||
- }
|
||||
-
|
||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
||||
|
||||
/*
|
||||
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
ks_client_princ = client->princ;
|
||||
}
|
||||
|
||||
+ /* In protocol transition, we are currently not provided with the tgt
|
||||
+ * client name to verify the PAC, we could probably skip the name
|
||||
+ * verification and just verify the signatures, but since we don't
|
||||
+ * support cross-realm nor aliases, we can just use server->princ */
|
||||
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
|
||||
+ pac_client = server->princ;
|
||||
+ } else {
|
||||
+ pac_client = ks_client_princ;
|
||||
+ }
|
||||
+
|
||||
if (client_entry == NULL) {
|
||||
client_entry = client;
|
||||
}
|
||||
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
|
||||
code = ks_verify_pac(context,
|
||||
flags,
|
||||
- ks_client_princ,
|
||||
+ pac_client,
|
||||
client_entry,
|
||||
server,
|
||||
krbtgt,
|
||||
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
is_as_req ? "AS-REQ" : "TGS-REQ",
|
||||
client_name);
|
||||
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
||||
- server_key, krbtgt_key, &pac_data);
|
||||
+ server_key, krbtgt_key, &pac_data);
|
||||
if (code != 0) {
|
||||
DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
||||
goto done;
|
||||
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
KRB5_AUTHDATA_IF_RELEVANT,
|
||||
authdata,
|
||||
signed_auth_data);
|
||||
- if (code != 0) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- code = 0;
|
||||
-
|
||||
done:
|
||||
if (client_entry != NULL && client_entry != client) {
|
||||
ks_free_principal(context, client_entry);
|
||||
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
* server; -> delegating service
|
||||
* proxy; -> target principal
|
||||
*/
|
||||
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
|
||||
-
|
||||
- char *target_name = NULL;
|
||||
- bool is_enterprise;
|
||||
- krb5_error_code code;
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
return KRB5_KDB_DBNOTINITED;
|
||||
}
|
||||
|
||||
- code = krb5_unparse_name(context, proxy, &target_name);
|
||||
- if (code) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
|
||||
-
|
||||
- code = mit_samba_check_s4u2proxy(mit_ctx,
|
||||
- delegating_service,
|
||||
- target_name,
|
||||
- is_enterprise);
|
||||
-
|
||||
-done:
|
||||
- free(target_name);
|
||||
- return code;
|
||||
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
|
||||
}
|
||||
|
||||
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index 4239332f0d9..acc3cba6254 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
- krb5_const_principal client_principal,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
context,
|
||||
*pac,
|
||||
server->princ,
|
||||
- discard_const(client_principal),
|
||||
+ client->princ,
|
||||
deleg_blob);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("Update delegation info failed: %s\n",
|
||||
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
}
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
- krb5_db_entry *kentry,
|
||||
- const char *target_name,
|
||||
- bool is_nt_enterprise_name)
|
||||
+ const krb5_db_entry *server,
|
||||
+ krb5_const_principal target_principal)
|
||||
{
|
||||
-#if 1
|
||||
- /*
|
||||
- * This is disabled because mit_samba_update_pac_data() does not handle
|
||||
- * S4U_DELEGATION_INFO
|
||||
- */
|
||||
-
|
||||
- return KRB5KDC_ERR_BADOPTION;
|
||||
-#else
|
||||
- krb5_principal target_principal;
|
||||
- int flags = 0;
|
||||
- int ret;
|
||||
-
|
||||
- if (is_nt_enterprise_name) {
|
||||
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
|
||||
- }
|
||||
-
|
||||
- ret = krb5_parse_name_flags(ctx->context, target_name,
|
||||
- flags, &target_principal);
|
||||
- if (ret) {
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
- ret = samba_kdc_check_s4u2proxy(ctx->context,
|
||||
- ctx->db_ctx,
|
||||
- skdc_entry,
|
||||
- target_principal);
|
||||
-
|
||||
- krb5_free_principal(ctx->context, target_principal);
|
||||
-
|
||||
- return ret;
|
||||
-#endif
|
||||
+ struct samba_kdc_entry *server_skdc_entry =
|
||||
+ talloc_get_type_abort(server->e_data,
|
||||
+ struct samba_kdc_entry);
|
||||
+
|
||||
+ return samba_kdc_check_s4u2proxy(ctx->context,
|
||||
+ ctx->db_ctx,
|
||||
+ server_skdc_entry,
|
||||
+ target_principal);
|
||||
}
|
||||
|
||||
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
|
||||
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
|
||||
index 636c77ec97c..9cb00c9610e 100644
|
||||
--- a/source4/kdc/mit_samba.h
|
||||
+++ b/source4/kdc/mit_samba.h
|
||||
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
- krb5_const_principal client_principal,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
DATA_BLOB *e_data);
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
- krb5_db_entry *kentry,
|
||||
- const char *target_name,
|
||||
- bool is_nt_enterprise_name);
|
||||
+ const krb5_db_entry *server,
|
||||
+ krb5_const_principal target_principal);
|
||||
|
||||
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
|
||||
char *pwd,
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:35:30 +0300
|
||||
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
|
||||
lib/krb5_wrap/krb5_samba.h | 2 -
|
||||
source4/auth/kerberos/kerberos_util.c | 11 --
|
||||
3 files changed, 185 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index fff5b4e2a22..791b417d5ba 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+#else /* MIT */
|
||||
+
|
||||
+static bool princ_compare_no_dollar(krb5_context ctx,
|
||||
+ krb5_principal a,
|
||||
+ krb5_principal b)
|
||||
+{
|
||||
+ bool cmp;
|
||||
+ krb5_principal mod = NULL;
|
||||
+
|
||||
+ if (a->length == 1 && b->length == 1 &&
|
||||
+ a->data[0].length != 0 && b->data[0].length != 0 &&
|
||||
+ a->data[0].data[a->data[0].length -1] !=
|
||||
+ b->data[0].data[b->data[0].length -1]) {
|
||||
+ if (a->data[0].data[a->data[0].length -1] == '$') {
|
||||
+ mod = a;
|
||||
+ mod->data[0].length--;
|
||||
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
|
||||
+ mod = b;
|
||||
+ mod->data[0].length--;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ cmp = krb5_principal_compare_flags(ctx, a, b,
|
||||
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
|
||||
+
|
||||
+ if (mod != NULL) {
|
||||
+ mod->data[0].length++;
|
||||
+ }
|
||||
+
|
||||
+ return cmp;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
+ krb5_ccache store_cc,
|
||||
+ krb5_principal init_principal,
|
||||
+ const char *init_password,
|
||||
+ krb5_principal impersonate_principal,
|
||||
+ const char *self_service,
|
||||
+ const char *target_service,
|
||||
+ krb5_get_init_creds_opt *krb_options,
|
||||
+ time_t *expire_time,
|
||||
+ time_t *kdc_time)
|
||||
+{
|
||||
+ krb5_error_code code;
|
||||
+ krb5_principal self_princ = NULL;
|
||||
+ krb5_principal target_princ = NULL;
|
||||
+ krb5_creds *store_creds;
|
||||
+ krb5_creds *s4u2self_creds = NULL;
|
||||
+ krb5_creds *s4u2proxy_creds = NULL;
|
||||
+ krb5_creds init_creds = {0};
|
||||
+ krb5_creds mcreds = {0};
|
||||
+ krb5_flags options = KRB5_GC_NO_STORE;
|
||||
+ krb5_ccache tmp_cc;
|
||||
+ bool s4u2proxy;
|
||||
+
|
||||
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
|
||||
+ if (code != 0) {
|
||||
+ return code;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_get_init_creds_password(ctx, &init_creds,
|
||||
+ init_principal,
|
||||
+ init_password,
|
||||
+ NULL, NULL,
|
||||
+ 0,
|
||||
+ NULL,
|
||||
+ krb_options);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Check if we also need S4U2Proxy or if S4U2Self is
|
||||
+ * enough in order to get a ticket for the target.
|
||||
+ */
|
||||
+ if (target_service == NULL) {
|
||||
+ s4u2proxy = false;
|
||||
+ } else if (strcmp(target_service, self_service) == 0) {
|
||||
+ s4u2proxy = false;
|
||||
+ } else {
|
||||
+ s4u2proxy = true;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_parse_name(ctx, self_service, &self_princ);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
|
||||
+ * client and the request server to be the same principal name. */
|
||||
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
|
||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ mcreds.client = impersonate_principal;
|
||||
+ mcreds.server = init_creds.client;
|
||||
+
|
||||
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
|
||||
+ NULL, &s4u2self_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (s4u2proxy) {
|
||||
+ code = krb5_parse_name(ctx, target_service, &target_princ);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ mcreds.client = init_creds.client;
|
||||
+ mcreds.server = target_princ;
|
||||
+ mcreds.second_ticket = s4u2self_creds->ticket;
|
||||
+
|
||||
+ code = krb5_get_credentials(ctx, options |
|
||||
+ KRB5_GC_CONSTRAINED_DELEGATION,
|
||||
+ tmp_cc, &mcreds, &s4u2proxy_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Check KDC support of S4U2Proxy extension */
|
||||
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
|
||||
+ s4u2proxy_creds->client)) {
|
||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ store_creds = s4u2proxy_creds;
|
||||
+ } else {
|
||||
+ store_creds = s4u2self_creds;;
|
||||
+
|
||||
+ /* We need to save the ticket with the requested server name
|
||||
+ * or the caller won't be able to find it in cache. */
|
||||
+ if (!krb5_principal_compare(ctx, self_princ,
|
||||
+ store_creds->server)) {
|
||||
+ krb5_free_principal(ctx, store_creds->server);
|
||||
+ store_creds->server = NULL;
|
||||
+ code = krb5_copy_principal(ctx, self_princ,
|
||||
+ &store_creds->server);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (expire_time) {
|
||||
+ *expire_time = (time_t) store_creds->times.endtime;
|
||||
+ }
|
||||
+
|
||||
+ if (kdc_time) {
|
||||
+ *kdc_time = (time_t) store_creds->times.starttime;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ krb5_cc_destroy(ctx, tmp_cc);
|
||||
+ krb5_free_cred_contents(ctx, &init_creds);
|
||||
+ krb5_free_creds(ctx, s4u2self_creds);
|
||||
+ krb5_free_creds(ctx, s4u2proxy_creds);
|
||||
+ krb5_free_principal(ctx, self_princ);
|
||||
+ krb5_free_principal(ctx, target_princ);
|
||||
+
|
||||
+ return code;
|
||||
+}
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
|
||||
index eab67f6d969..b5385c69a33 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.h
|
||||
+++ b/lib/krb5_wrap/krb5_samba.h
|
||||
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
|
||||
krb5_get_init_creds_opt *krb_options,
|
||||
time_t *expire_time,
|
||||
time_t *kdc_time);
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
krb5_ccache store_cc,
|
||||
krb5_principal init_principal,
|
||||
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
krb5_get_init_creds_opt *krb_options,
|
||||
time_t *expire_time,
|
||||
time_t *kdc_time);
|
||||
-#endif
|
||||
|
||||
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
|
||||
#define smb_krb5_make_principal krb5_make_principal
|
||||
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
|
||||
index 544d9d853cc..c14d8c72d8c 100644
|
||||
--- a/source4/auth/kerberos/kerberos_util.c
|
||||
+++ b/source4/auth/kerberos/kerberos_util.c
|
||||
@@ -234,9 +234,7 @@ done:
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const char *password;
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
const char *self_service;
|
||||
-#endif
|
||||
const char *target_service;
|
||||
time_t kdc_time = 0;
|
||||
krb5_principal princ;
|
||||
@@ -268,9 +266,7 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
self_service = cli_credentials_get_self_service(credentials);
|
||||
-#endif
|
||||
target_service = cli_credentials_get_target_service(credentials);
|
||||
|
||||
password = cli_credentials_get_password(credentials);
|
||||
@@ -331,7 +327,6 @@ done:
|
||||
#endif
|
||||
if (password) {
|
||||
if (impersonate_principal) {
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
|
||||
ccache,
|
||||
princ,
|
||||
@@ -342,12 +337,6 @@ done:
|
||||
krb_options,
|
||||
NULL,
|
||||
&kdc_time);
|
||||
-#else
|
||||
- talloc_free(mem_ctx);
|
||||
- (*error_string) = "INTERNAL error: s4u2 ops "
|
||||
- "are not supported with MIT build yet";
|
||||
- return EINVAL;
|
||||
-#endif
|
||||
} else {
|
||||
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
|
||||
ccache,
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Sat, 19 Sep 2020 14:16:20 +0200
|
||||
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
|
||||
|
||||
---
|
||||
source4/heimdal/lib/hdb/hdb.h | 1 +
|
||||
source4/kdc/db-glue.c | 8 ++++++--
|
||||
source4/kdc/mit_samba.c | 3 +++
|
||||
source4/kdc/sdb.h | 1 +
|
||||
4 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
|
||||
index 5ef9d9565f3..dafaffc6c2d 100644
|
||||
--- a/source4/heimdal/lib/hdb/hdb.h
|
||||
+++ b/source4/heimdal/lib/hdb/hdb.h
|
||||
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
|
||||
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
|
||||
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
/* hdb_capability_flags */
|
||||
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
|
||||
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
||||
index aff74f2ee71..d16b4c3329a 100644
|
||||
--- a/source4/kdc/db-glue.c
|
||||
+++ b/source4/kdc/db-glue.c
|
||||
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
|
||||
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
krb5_clear_error_message(context);
|
||||
goto out;
|
||||
}
|
||||
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
|
||||
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
|
||||
/*
|
||||
* SDB_F_CANON maps from the canonicalize flag in the
|
||||
* packet, and has a different meaning between AS-REQ
|
||||
* and TGS-REQ. We only change the principal in the AS-REQ case
|
||||
+ *
|
||||
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
|
||||
+ * the canonical name in all lookups, and takes care to canonicalize
|
||||
+ * only when appropriate.
|
||||
*/
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index acc3cba6254..f0b9df8b613 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
|
||||
sflags |= SDB_F_CANON;
|
||||
}
|
||||
+#if KRB5_KDB_API_VERSION >= 10
|
||||
+ sflags |= SDB_F_FORCE_CANON;
|
||||
+#endif
|
||||
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
|
||||
KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
||||
/*
|
||||
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
|
||||
index c929acccce6..a9115ec23d7 100644
|
||||
--- a/source4/kdc/sdb.h
|
||||
+++ b/source4/kdc/sdb.h
|
||||
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
|
||||
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
|
||||
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
void sdb_free_entry(struct sdb_entry_ex *e);
|
||||
void free_sdb_entry(struct sdb_entry *s);
|
||||
--
|
||||
2.33.1
|
||||
|
597
SOURCES/samba-virus_scanner.patch
Normal file
597
SOURCES/samba-virus_scanner.patch
Normal file
@ -0,0 +1,597 @@
|
||||
From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed, 9 Feb 2022 16:33:10 +0100
|
||||
Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd
|
||||
|
||||
We have the env variable SERVER_LOG_LEVEL which allows you to change
|
||||
the log level on the command line. If we force -d0 this will not work.
|
||||
|
||||
make test TESTS="samba" SERVER_LOG_LEVEL=10
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
|
||||
---
|
||||
selftest/target/Samba3.pm | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index b901fd2677a..64a9a791a61 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -2153,7 +2153,7 @@ sub make_bin_cmd
|
||||
{
|
||||
my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
|
||||
|
||||
- my @optargs = ("-d0");
|
||||
+ my @optargs = ();
|
||||
if (defined($options)) {
|
||||
@optargs = split(/ /, $options);
|
||||
}
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 8 Feb 2022 12:07:03 +0100
|
||||
Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
|
||||
filename matching
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
|
||||
---
|
||||
source3/modules/vfs_virusfilter.c | 12 +++++
|
||||
source3/modules/vfs_virusfilter_common.h | 4 ++
|
||||
source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++
|
||||
source3/modules/wscript_build | 1 +
|
||||
4 files changed, 75 insertions(+)
|
||||
create mode 100644 source3/modules/vfs_virusfilter_dummy.c
|
||||
|
||||
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
|
||||
index 9fafe4e5d41..e6cbee7cd45 100644
|
||||
--- a/source3/modules/vfs_virusfilter.c
|
||||
+++ b/source3/modules/vfs_virusfilter.c
|
||||
@@ -35,12 +35,14 @@
|
||||
|
||||
enum virusfilter_scanner_enum {
|
||||
VIRUSFILTER_SCANNER_CLAMAV,
|
||||
+ VIRUSFILTER_SCANNER_DUMMY,
|
||||
VIRUSFILTER_SCANNER_FSAV,
|
||||
VIRUSFILTER_SCANNER_SOPHOS
|
||||
};
|
||||
|
||||
static const struct enum_list scanner_list[] = {
|
||||
{ VIRUSFILTER_SCANNER_CLAMAV, "clamav" },
|
||||
+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" },
|
||||
{ VIRUSFILTER_SCANNER_FSAV, "fsav" },
|
||||
{ VIRUSFILTER_SCANNER_SOPHOS, "sophos" },
|
||||
{ -1, NULL }
|
||||
@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
|
||||
int snum = SNUM(handle->conn);
|
||||
struct virusfilter_config *config = NULL;
|
||||
const char *exclude_files = NULL;
|
||||
+ const char *infected_files = NULL;
|
||||
const char *temp_quarantine_dir_mode = NULL;
|
||||
const char *infected_file_command = NULL;
|
||||
const char *scan_error_command = NULL;
|
||||
@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
|
||||
set_namearray(&config->exclude_files, exclude_files);
|
||||
}
|
||||
|
||||
+ infected_files = lp_parm_const_string(
|
||||
+ snum, "virusfilter", "infected files", NULL);
|
||||
+ if (infected_files != NULL) {
|
||||
+ set_namearray(&config->infected_files, infected_files);
|
||||
+ }
|
||||
+
|
||||
config->cache_entry_limit = lp_parm_int(
|
||||
snum, "virusfilter", "cache entry limit", 100);
|
||||
|
||||
@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
|
||||
case VIRUSFILTER_SCANNER_CLAMAV:
|
||||
ret = virusfilter_clamav_init(config);
|
||||
break;
|
||||
+ case VIRUSFILTER_SCANNER_DUMMY:
|
||||
+ ret = virusfilter_dummy_init(config);
|
||||
+ break;
|
||||
default:
|
||||
DBG_ERR("Unhandled scanner %d\n", backend);
|
||||
return -1;
|
||||
diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
|
||||
index f71b0b949a7..463a9d74e9c 100644
|
||||
--- a/source3/modules/vfs_virusfilter_common.h
|
||||
+++ b/source3/modules/vfs_virusfilter_common.h
|
||||
@@ -83,6 +83,9 @@ struct virusfilter_config {
|
||||
/* Exclude files */
|
||||
name_compare_entry *exclude_files;
|
||||
|
||||
+ /* Infected files */
|
||||
+ name_compare_entry *infected_files;
|
||||
+
|
||||
/* Scan result cache */
|
||||
struct virusfilter_cache *cache;
|
||||
int cache_entry_limit;
|
||||
@@ -149,5 +152,6 @@ struct virusfilter_backend {
|
||||
int virusfilter_sophos_init(struct virusfilter_config *config);
|
||||
int virusfilter_fsav_init(struct virusfilter_config *config);
|
||||
int virusfilter_clamav_init(struct virusfilter_config *config);
|
||||
+int virusfilter_dummy_init(struct virusfilter_config *config);
|
||||
|
||||
#endif /* _VIRUSFILTER_COMMON_H */
|
||||
diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
|
||||
new file mode 100644
|
||||
index 00000000000..03405cd6629
|
||||
--- /dev/null
|
||||
+++ b/source3/modules/vfs_virusfilter_dummy.c
|
||||
@@ -0,0 +1,58 @@
|
||||
+/*
|
||||
+ Samba-VirusFilter VFS modules
|
||||
+ Dummy scanner with infected files support.
|
||||
+ Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include "modules/vfs_virusfilter_utils.h"
|
||||
+
|
||||
+static virusfilter_result virusfilter_dummy_scan(
|
||||
+ struct vfs_handle_struct *handle,
|
||||
+ struct virusfilter_config *config,
|
||||
+ const struct files_struct *fsp,
|
||||
+ char **reportp)
|
||||
+{
|
||||
+ bool ok;
|
||||
+
|
||||
+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
|
||||
+ ok = is_in_path(fsp->fsp_name->base_name,
|
||||
+ config->infected_files,
|
||||
+ false);
|
||||
+ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
|
||||
+}
|
||||
+
|
||||
+static struct virusfilter_backend_fns virusfilter_backend_dummy = {
|
||||
+ .connect = NULL,
|
||||
+ .disconnect = NULL,
|
||||
+ .scan_init = NULL,
|
||||
+ .scan = virusfilter_dummy_scan,
|
||||
+ .scan_end = NULL,
|
||||
+};
|
||||
+
|
||||
+int virusfilter_dummy_init(struct virusfilter_config *config)
|
||||
+{
|
||||
+ struct virusfilter_backend *backend = NULL;
|
||||
+
|
||||
+ backend = talloc_zero(config, struct virusfilter_backend);
|
||||
+ if (backend == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ backend->fns = &virusfilter_backend_dummy;
|
||||
+ backend->name = "dummy";
|
||||
+ config->backend = backend;
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
|
||||
index 40df4539392..ff318c3fa06 100644
|
||||
--- a/source3/modules/wscript_build
|
||||
+++ b/source3/modules/wscript_build
|
||||
@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
|
||||
vfs_virusfilter_sophos.c
|
||||
vfs_virusfilter_fsav.c
|
||||
vfs_virusfilter_clamav.c
|
||||
+ vfs_virusfilter_dummy.c
|
||||
''',
|
||||
deps='samba-util VFS_VIRUSFILTER_UTILS',
|
||||
init_function='',
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 8 Feb 2022 22:35:29 +0100
|
||||
Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
|
||||
'virusfilter:infected files'
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
|
||||
---
|
||||
docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
|
||||
diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
|
||||
index 329a35af68a..88f91d73a42 100644
|
||||
--- a/docs-xml/manpages/vfs_virusfilter.8.xml
|
||||
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
|
||||
@@ -48,6 +48,10 @@
|
||||
scanner</para></listitem>
|
||||
<listitem><para><emphasis>clamav</emphasis>, the ClamAV
|
||||
scanner</para></listitem>
|
||||
+ <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
|
||||
+ tests. Checks against the <emphasis>infected files</emphasis>
|
||||
+ parameter and flags any name that matches as infected.
|
||||
+ </para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
@@ -264,6 +268,14 @@
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>virusfilter:infected files = empty</term>
|
||||
+ <listitem>
|
||||
+ <para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
|
||||
+ <para>If this option is not set, the default is empty.</para>
|
||||
+ </listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
<varlistentry>
|
||||
<term>virusfilter:block access on error = false</term>
|
||||
<listitem>
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 8 Feb 2022 15:34:56 +0100
|
||||
Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
|
||||
---
|
||||
selftest/target/Samba3.pm | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index 64a9a791a61..7584a0e7ba9 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
|
||||
close(LOG);
|
||||
|
||||
return "" if $out eq $title;
|
||||
-
|
||||
+
|
||||
return $out;
|
||||
}
|
||||
|
||||
@@ -2426,7 +2426,7 @@ sub provision($$)
|
||||
my $nmbdsockdir="$prefix_abs/nmbd";
|
||||
unlink($nmbdsockdir);
|
||||
|
||||
- ##
|
||||
+ ##
|
||||
## create the test directory layout
|
||||
##
|
||||
die ("prefix_abs = ''") if $prefix_abs eq "";
|
||||
@@ -3290,7 +3290,7 @@ sub provision($$)
|
||||
unless (open(PASSWD, ">$nss_wrapper_passwd")) {
|
||||
warn("Unable to open $nss_wrapper_passwd");
|
||||
return undef;
|
||||
- }
|
||||
+ }
|
||||
print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
|
||||
$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
|
||||
pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Tue, 8 Feb 2022 15:35:48 +0100
|
||||
Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
|
||||
---
|
||||
selftest/knownfail.d/virus_scanner | 2 +
|
||||
selftest/target/Samba3.pm | 12 ++
|
||||
source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
|
||||
source3/selftest/tests.py | 9 ++
|
||||
4 files changed, 147 insertions(+)
|
||||
create mode 100644 selftest/knownfail.d/virus_scanner
|
||||
create mode 100755 source3/script/tests/test_virus_scanner.sh
|
||||
|
||||
diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
|
||||
new file mode 100644
|
||||
index 00000000000..6df3fd20627
|
||||
--- /dev/null
|
||||
+++ b/selftest/knownfail.d/virus_scanner
|
||||
@@ -0,0 +1,2 @@
|
||||
+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
|
||||
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index 7584a0e7ba9..c1d0c60d96a 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -1688,6 +1688,9 @@ sub setup_fileserver
|
||||
my $veto_sharedir="$share_dir/veto";
|
||||
push(@dirs,$veto_sharedir);
|
||||
|
||||
+ my $virusfilter_sharedir="$share_dir/virusfilter";
|
||||
+ push(@dirs,$virusfilter_sharedir);
|
||||
+
|
||||
my $ip4 = Samba::get_ipv4_addr("FILESERVER");
|
||||
my $fileserver_options = "
|
||||
kernel change notify = yes
|
||||
@@ -1813,6 +1816,15 @@ sub setup_fileserver
|
||||
path = $veto_sharedir
|
||||
delete veto files = yes
|
||||
|
||||
+[virusfilter]
|
||||
+ path = $virusfilter_sharedir
|
||||
+ vfs objects = acl_xattr virusfilter
|
||||
+ virusfilter:scanner = dummy
|
||||
+ virusfilter:min file size = 0
|
||||
+ virusfilter:infected files = *infected*
|
||||
+ virusfilter:infected file action = rename
|
||||
+ virusfilter:scan on close = yes
|
||||
+
|
||||
[homes]
|
||||
comment = Home directories
|
||||
browseable = No
|
||||
diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
|
||||
new file mode 100755
|
||||
index 00000000000..2234ea6ca89
|
||||
--- /dev/null
|
||||
+++ b/source3/script/tests/test_virus_scanner.sh
|
||||
@@ -0,0 +1,124 @@
|
||||
+#!/bin/sh
|
||||
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
|
||||
+# shellcheck disable=1091
|
||||
+
|
||||
+if [ $# -lt 4 ]; then
|
||||
+cat <<EOF
|
||||
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
|
||||
+EOF
|
||||
+exit 1;
|
||||
+fi
|
||||
+
|
||||
+SERVER_IP=${1}
|
||||
+SHARE=${2}
|
||||
+LOCAL_PATH=${3}
|
||||
+SMBCLIENT=${4}
|
||||
+
|
||||
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
|
||||
+
|
||||
+failed=0
|
||||
+sharedir="${LOCAL_PATH}/${SHARE}"
|
||||
+
|
||||
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
|
||||
+. "${incdir}/subunit.sh"
|
||||
+
|
||||
+check_infected_read()
|
||||
+{
|
||||
+ rm -rf "${sharedir:?}"/*
|
||||
+
|
||||
+ if ! touch "${sharedir}/infected.txt"; then
|
||||
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
|
||||
+
|
||||
+ # check that virusfilter:rename prefix/suffix was added
|
||||
+ if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
|
||||
+ echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ # check that file was not downloaded
|
||||
+ if [ -f "${sharedir}/infected.download.txt" ]; then
|
||||
+ echo "ERROR: {sharedir}/infected.download.txt should not exist."
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+check_infected_write()
|
||||
+{
|
||||
+ rm -rf "${sharedir:?}"/*
|
||||
+ smbfile=infected.upload.txt
|
||||
+ smbfilerenamed="virusfilter.${smbfile}.infected"
|
||||
+
|
||||
+ # non empty file is needed
|
||||
+ # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
|
||||
+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
|
||||
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
|
||||
+
|
||||
+ # check that virusfilter:rename prefix/suffix was added
|
||||
+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
|
||||
+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ # check that file was not uploaded
|
||||
+ if [ -f "${sharedir}/infected.upload.txt" ]; then
|
||||
+ echo "ERROR: {sharedir}/${smbfile} should not exist."
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+check_healthy_read()
|
||||
+{
|
||||
+ rm -rf "${sharedir:?}"/*
|
||||
+
|
||||
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
|
||||
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
|
||||
+
|
||||
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
|
||||
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+check_healthy_write()
|
||||
+{
|
||||
+ rm -rf "${sharedir:?}"/*
|
||||
+
|
||||
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
|
||||
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
|
||||
+
|
||||
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
|
||||
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
|
||||
+ return 1
|
||||
+ fi
|
||||
+
|
||||
+ return 0
|
||||
+}
|
||||
+
|
||||
+testit "check_infected_read" check_infected_read || failed=$((failed + 1))
|
||||
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
|
||||
+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1))
|
||||
+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1))
|
||||
+
|
||||
+testok "$0" "$failed"
|
||||
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
||||
index 701be011f70..6b146c76381 100755
|
||||
--- a/source3/selftest/tests.py
|
||||
+++ b/source3/selftest/tests.py
|
||||
@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
|
||||
'$SERVER_IP',
|
||||
"tmp"])
|
||||
|
||||
+env = 'fileserver'
|
||||
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
|
||||
+ [os.path.join(samba3srcdir,
|
||||
+ "script/tests/test_virus_scanner.sh"),
|
||||
+ '$SERVER_IP',
|
||||
+ "virusfilter",
|
||||
+ '$LOCAL_PATH',
|
||||
+ smbclient3])
|
||||
+
|
||||
for env in ['fileserver', 'simpleserver']:
|
||||
plantestsuite("samba3.blackbox.smbclient.encryption", env,
|
||||
[os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
|
||||
--
|
||||
2.34.1
|
||||
|
||||
|
||||
From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
|
||||
Date: Mon, 7 Feb 2022 23:06:10 +0100
|
||||
Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971
|
||||
|
||||
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
|
||||
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
||||
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184
|
||||
|
||||
(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
|
||||
---
|
||||
selftest/knownfail.d/virus_scanner | 2 --
|
||||
source3/modules/vfs_virusfilter.c | 6 +++---
|
||||
2 files changed, 3 insertions(+), 5 deletions(-)
|
||||
delete mode 100644 selftest/knownfail.d/virus_scanner
|
||||
|
||||
diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
|
||||
deleted file mode 100644
|
||||
index 6df3fd20627..00000000000
|
||||
--- a/selftest/knownfail.d/virus_scanner
|
||||
+++ /dev/null
|
||||
@@ -1,2 +0,0 @@
|
||||
-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
|
||||
-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
|
||||
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
|
||||
index e6cbee7cd45..d1554967ad1 100644
|
||||
--- a/source3/modules/vfs_virusfilter.c
|
||||
+++ b/source3/modules/vfs_virusfilter.c
|
||||
@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
|
||||
*/
|
||||
goto virusfilter_vfs_open_next;
|
||||
}
|
||||
- ret = S_ISREG(smb_fname->st.st_ex_mode);
|
||||
+ ret = S_ISREG(sbuf.st_ex_mode);
|
||||
if (ret == 0) {
|
||||
DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
|
||||
cwd_fname, fname);
|
||||
goto virusfilter_vfs_open_next;
|
||||
}
|
||||
if (config->max_file_size > 0 &&
|
||||
- smb_fname->st.st_ex_size > config->max_file_size)
|
||||
+ sbuf.st_ex_size > config->max_file_size)
|
||||
{
|
||||
DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
|
||||
cwd_fname, fname);
|
||||
goto virusfilter_vfs_open_next;
|
||||
}
|
||||
if (config->min_file_size > 0 &&
|
||||
- smb_fname->st.st_ex_size < config->min_file_size)
|
||||
+ sbuf.st_ex_size < config->min_file_size)
|
||||
{
|
||||
DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
|
||||
cwd_fname, fname);
|
||||
--
|
||||
2.34.1
|
||||
|
10
SOURCES/samba.logrotate
Normal file
10
SOURCES/samba.logrotate
Normal file
@ -0,0 +1,10 @@
|
||||
/var/log/samba/log.* {
|
||||
compress
|
||||
dateext
|
||||
maxage 365
|
||||
rotate 99
|
||||
notifempty
|
||||
olddir /var/log/samba/old
|
||||
missingok
|
||||
copytruncate
|
||||
}
|
6
SOURCES/samba.pamd
Normal file
6
SOURCES/samba.pamd
Normal file
@ -0,0 +1,6 @@
|
||||
#%PAM-1.0
|
||||
auth required pam_nologin.so
|
||||
auth include password-auth
|
||||
account include password-auth
|
||||
session include password-auth
|
||||
password include password-auth
|
313
SOURCES/smb.conf.example
Normal file
313
SOURCES/smb.conf.example
Normal file
@ -0,0 +1,313 @@
|
||||
# This is the main Samba configuration file. For detailed information about the
|
||||
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
|
||||
# number of configurable options, most of which are not shown in this example.
|
||||
#
|
||||
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
|
||||
# and using Samba:
|
||||
# https://wiki.samba.org/index.php/User_Documentation
|
||||
#
|
||||
# In this file, lines starting with a semicolon (;) or a hash (#) are
|
||||
# comments and are ignored. This file uses hashes to denote commentary and
|
||||
# semicolons for parts of the file you may wish to configure.
|
||||
#
|
||||
# NOTE: Run the "testparm" command after modifying this file to check for basic
|
||||
# syntax errors.
|
||||
#
|
||||
#---------------
|
||||
# Security-Enhanced Linux (SELinux) Notes:
|
||||
#
|
||||
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
|
||||
# useradd and groupadd family of binaries. Run the following command as the
|
||||
# root user to turn this Boolean on:
|
||||
# setsebool -P samba_domain_controller on
|
||||
#
|
||||
# Turn the samba_enable_home_dirs Boolean on if you want to share home
|
||||
# directories via Samba. Run the following command as the root user to turn this
|
||||
# Boolean on:
|
||||
# setsebool -P samba_enable_home_dirs on
|
||||
#
|
||||
# If you create a new directory, such as a new top-level directory, label it
|
||||
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
|
||||
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
|
||||
# such directories should already have an SELinux label.
|
||||
#
|
||||
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
|
||||
# label for a given directory.
|
||||
#
|
||||
# Set SELinux labels only on files and directories you have created. Use the
|
||||
# chcon command to temporarily change a label:
|
||||
# chcon -t samba_share_t /path/to/directory
|
||||
#
|
||||
# Changes made via chcon are lost when the file system is relabeled or commands
|
||||
# such as restorecon are run.
|
||||
#
|
||||
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
|
||||
# directories. To share such directories and only allow read-only permissions:
|
||||
# setsebool -P samba_export_all_ro on
|
||||
# To share such directories and allow read and write permissions:
|
||||
# setsebool -P samba_export_all_rw on
|
||||
#
|
||||
# To run scripts (preexec/root prexec/print command/...), copy them to the
|
||||
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
|
||||
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
|
||||
# their existing SELinux labels, which may be labels that SELinux does not allow
|
||||
# smbd to run. Copying the scripts will result in the correct SELinux labels.
|
||||
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
|
||||
# apply the correct SELinux labels to these files.
|
||||
#
|
||||
#--------------
|
||||
#
|
||||
#======================= Global Settings =====================================
|
||||
|
||||
[global]
|
||||
|
||||
# ----------------------- Network-Related Options -------------------------
|
||||
#
|
||||
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
|
||||
#
|
||||
# server string = the equivalent of the Windows NT Description field.
|
||||
#
|
||||
# netbios name = used to specify a server name that is not tied to the hostname,
|
||||
# maximum is 15 characters.
|
||||
#
|
||||
# interfaces = used to configure Samba to listen on multiple network interfaces.
|
||||
# If you have multiple interfaces, you can use the "interfaces =" option to
|
||||
# configure which of those interfaces Samba listens on. Never omit the localhost
|
||||
# interface (lo).
|
||||
#
|
||||
# hosts allow = the hosts allowed to connect. This option can also be used on a
|
||||
# per-share basis.
|
||||
#
|
||||
# hosts deny = the hosts not allowed to connect. This option can also be used on
|
||||
# a per-share basis.
|
||||
#
|
||||
workgroup = MYGROUP
|
||||
server string = Samba Server Version %v
|
||||
|
||||
; netbios name = MYSERVER
|
||||
|
||||
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
|
||||
; hosts allow = 127. 192.168.12. 192.168.13.
|
||||
|
||||
# --------------------------- Logging Options -----------------------------
|
||||
#
|
||||
# log file = specify where log files are written to and how they are split.
|
||||
#
|
||||
# max log size = specify the maximum size log files are allowed to reach. Log
|
||||
# files are rotated when they reach the size specified with "max log size".
|
||||
#
|
||||
|
||||
# log files split per-machine:
|
||||
log file = /var/log/samba/log.%m
|
||||
# maximum size of 50KB per log file, then rotate:
|
||||
max log size = 50
|
||||
|
||||
# ----------------------- Standalone Server Options ------------------------
|
||||
#
|
||||
# security = the mode Samba runs in. This can be set to user, share
|
||||
# (deprecated), or server (deprecated).
|
||||
#
|
||||
# passdb backend = the backend used to store user information in. New
|
||||
# installations should use either tdbsam or ldapsam. No additional configuration
|
||||
# is required for tdbsam. The "smbpasswd" utility is available for backwards
|
||||
# compatibility.
|
||||
#
|
||||
|
||||
security = user
|
||||
passdb backend = tdbsam
|
||||
|
||||
|
||||
# ----------------------- Domain Members Options ------------------------
|
||||
#
|
||||
# security = must be set to domain or ads.
|
||||
#
|
||||
# passdb backend = the backend used to store user information in. New
|
||||
# installations should use either tdbsam or ldapsam. No additional configuration
|
||||
# is required for tdbsam. The "smbpasswd" utility is available for backwards
|
||||
# compatibility.
|
||||
#
|
||||
# realm = only use the realm option when the "security = ads" option is set.
|
||||
# The realm option specifies the Active Directory realm the host is a part of.
|
||||
#
|
||||
# password server = only use this option when the "security = server"
|
||||
# option is set, or if you cannot use DNS to locate a Domain Controller. The
|
||||
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
|
||||
#
|
||||
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
|
||||
#
|
||||
# Use "password server = *" to automatically locate Domain Controllers.
|
||||
|
||||
; security = domain
|
||||
; passdb backend = tdbsam
|
||||
; realm = MY_REALM
|
||||
|
||||
; password server = <NT-Server-Name>
|
||||
|
||||
# ----------------------- Domain Controller Options ------------------------
|
||||
#
|
||||
# security = must be set to user for domain controllers.
|
||||
#
|
||||
# passdb backend = the backend used to store user information in. New
|
||||
# installations should use either tdbsam or ldapsam. No additional configuration
|
||||
# is required for tdbsam. The "smbpasswd" utility is available for backwards
|
||||
# compatibility.
|
||||
#
|
||||
# domain master = specifies Samba to be the Domain Master Browser, allowing
|
||||
# Samba to collate browse lists between subnets. Do not use the "domain master"
|
||||
# option if you already have a Windows NT domain controller performing this task.
|
||||
#
|
||||
# domain logons = allows Samba to provide a network logon service for Windows
|
||||
# workstations.
|
||||
#
|
||||
# logon script = specifies a script to run at login time on the client. These
|
||||
# scripts must be provided in a share named NETLOGON.
|
||||
#
|
||||
# logon path = specifies (with a UNC path) where user profiles are stored.
|
||||
#
|
||||
#
|
||||
; security = user
|
||||
; passdb backend = tdbsam
|
||||
|
||||
; domain master = yes
|
||||
; domain logons = yes
|
||||
|
||||
# the following login script name is determined by the machine name
|
||||
# (%m):
|
||||
; logon script = %m.bat
|
||||
# the following login script name is determined by the UNIX user used:
|
||||
; logon script = %u.bat
|
||||
; logon path = \\%L\Profiles\%u
|
||||
# use an empty path to disable profile support:
|
||||
; logon path =
|
||||
|
||||
# various scripts can be used on a domain controller or a stand-alone
|
||||
# machine to add or delete corresponding UNIX accounts:
|
||||
|
||||
; add user script = /usr/sbin/useradd "%u" -n -g users
|
||||
; add group script = /usr/sbin/groupadd "%g"
|
||||
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
|
||||
; delete user script = /usr/sbin/userdel "%u"
|
||||
; delete user from group script = /usr/sbin/userdel "%u" "%g"
|
||||
; delete group script = /usr/sbin/groupdel "%g"
|
||||
|
||||
|
||||
# ----------------------- Browser Control Options ----------------------------
|
||||
#
|
||||
# local master = when set to no, Samba does not become the master browser on
|
||||
# your network. When set to yes, normal election rules apply.
|
||||
#
|
||||
# os level = determines the precedence the server has in master browser
|
||||
# elections. The default value should be reasonable.
|
||||
#
|
||||
# preferred master = when set to yes, Samba forces a local browser election at
|
||||
# start up (and gives itself a slightly higher chance of winning the election).
|
||||
#
|
||||
; local master = no
|
||||
; os level = 33
|
||||
; preferred master = yes
|
||||
|
||||
#----------------------------- Name Resolution -------------------------------
|
||||
#
|
||||
# This section details the support for the Windows Internet Name Service (WINS).
|
||||
#
|
||||
# Note: Samba can be either a WINS server or a WINS client, but not both.
|
||||
#
|
||||
# wins support = when set to yes, the NMBD component of Samba enables its WINS
|
||||
# server.
|
||||
#
|
||||
# wins server = tells the NMBD component of Samba to be a WINS client.
|
||||
#
|
||||
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
|
||||
# of a non WINS capable client. For this to work, there must be at least one
|
||||
# WINS server on the network. The default is no.
|
||||
#
|
||||
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
|
||||
# nslookups.
|
||||
|
||||
; wins support = yes
|
||||
; wins server = w.x.y.z
|
||||
; wins proxy = yes
|
||||
|
||||
; dns proxy = yes
|
||||
|
||||
# --------------------------- Printing Options -----------------------------
|
||||
#
|
||||
# The options in this section allow you to configure a non-default printing
|
||||
# system.
|
||||
#
|
||||
# load printers = when set you yes, the list of printers is automatically
|
||||
# loaded, rather than setting them up individually.
|
||||
#
|
||||
# cups options = allows you to pass options to the CUPS library. Setting this
|
||||
# option to raw, for example, allows you to use drivers on your Windows clients.
|
||||
#
|
||||
# printcap name = used to specify an alternative printcap file.
|
||||
#
|
||||
|
||||
load printers = yes
|
||||
cups options = raw
|
||||
|
||||
; printcap name = /etc/printcap
|
||||
# obtain a list of printers automatically on UNIX System V systems:
|
||||
; printcap name = lpstat
|
||||
; printing = cups
|
||||
|
||||
# --------------------------- File System Options ---------------------------
|
||||
#
|
||||
# The options in this section can be un-commented if the file system supports
|
||||
# extended attributes, and those attributes are enabled (usually via the
|
||||
# "user_xattr" mount option). These options allow the administrator to specify
|
||||
# that DOS attributes are stored in extended attributes and also make sure that
|
||||
# Samba does not change the permission bits.
|
||||
#
|
||||
# Note: These options can be used on a per-share basis. Setting them globally
|
||||
# (in the [global] section) makes them the default for all shares.
|
||||
|
||||
; map archive = no
|
||||
; map hidden = no
|
||||
; map read only = no
|
||||
; map system = no
|
||||
; store dos attributes = yes
|
||||
|
||||
|
||||
#============================ Share Definitions ==============================
|
||||
|
||||
[homes]
|
||||
comment = Home Directories
|
||||
browseable = no
|
||||
writable = yes
|
||||
; valid users = %S
|
||||
; valid users = MYDOMAIN\%S
|
||||
|
||||
[printers]
|
||||
comment = All Printers
|
||||
path = /var/tmp
|
||||
browseable = no
|
||||
guest ok = no
|
||||
writable = no
|
||||
printable = yes
|
||||
|
||||
# Un-comment the following and create the netlogon directory for Domain Logons:
|
||||
; [netlogon]
|
||||
; comment = Network Logon Service
|
||||
; path = /var/lib/samba/netlogon
|
||||
; guest ok = yes
|
||||
; writable = no
|
||||
; share modes = no
|
||||
|
||||
# Un-comment the following to provide a specific roaming profile share.
|
||||
# The default is to use the user's home directory:
|
||||
; [Profiles]
|
||||
; path = /var/lib/samba/profiles
|
||||
; browseable = no
|
||||
; guest ok = yes
|
||||
|
||||
# A publicly accessible directory that is read only, except for users in the
|
||||
# "staff" group (which have write permissions):
|
||||
; [public]
|
||||
; comment = Public Stuff
|
||||
; path = /home/samba
|
||||
; public = yes
|
||||
; writable = no
|
||||
; printable = no
|
||||
; write list = +staff
|
41
SOURCES/smb.conf.vendor
Normal file
41
SOURCES/smb.conf.vendor
Normal file
@ -0,0 +1,41 @@
|
||||
# See smb.conf.example for a more detailed config file or
|
||||
# read the smb.conf manpage.
|
||||
# Run 'testparm' to verify the config is correct after
|
||||
# you modified it.
|
||||
#
|
||||
# Note:
|
||||
# SMB1 is disabled by default. This means clients without support for SMB2 or
|
||||
# SMB3 are no longer able to connect to smbd (by default).
|
||||
|
||||
[global]
|
||||
workgroup = SAMBA
|
||||
security = user
|
||||
|
||||
passdb backend = tdbsam
|
||||
|
||||
printing = cups
|
||||
printcap name = cups
|
||||
load printers = yes
|
||||
cups options = raw
|
||||
|
||||
[homes]
|
||||
comment = Home Directories
|
||||
valid users = %S, %D%w%S
|
||||
browseable = No
|
||||
read only = No
|
||||
inherit acls = Yes
|
||||
|
||||
[printers]
|
||||
comment = All Printers
|
||||
path = /var/tmp
|
||||
printable = Yes
|
||||
create mask = 0600
|
||||
browseable = No
|
||||
|
||||
[print$]
|
||||
comment = Printer Drivers
|
||||
path = /var/lib/samba/drivers
|
||||
write list = @printadmin root
|
||||
force group = @printadmin
|
||||
create mask = 0664
|
||||
directory mask = 0775
|
6764
SPECS/samba.spec
Normal file
6764
SPECS/samba.spec
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user