rpms/samba
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to version 4.19.4

Browse Source 
related: RHEL-16476
This commit is contained in:
Andreas Schneider 2024-01-10 13:22:26 +01:00
parent e18484a6e0
commit b81e903fbc
7 changed files with 23 additions and 1520 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -283,3 +283,5 @@ samba-3.6.0pre1.tar.gz
/samba-4.18.6.tar.asc
/samba-4.19.3.tar.xz
/samba-4.19.3.tar.asc
/samba-4.19.4.tar.xz
/samba-4.19.4.tar.asc

325
samba-4.19-fix-force-user-trusted-domains.patch
View File

@ -1,325 +0,0 @@
From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Sep 2023 16:29:46 +0200
Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 ++
selftest/target/Samba3.pm | 1 +
2 files changed, 3 insertions(+)
create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
new file mode 100644
index 00000000000..b515400cd90
--- /dev/null
+++ b/selftest/knownfail.d/forceuser_trusteddomains
@@ -0,0 +1,2 @@
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 39831afc599..85e69e4b72d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1689,6 +1689,7 @@ sub setup_simpleserver
vfs objects = xattr_tdb streams_depot
change notify = no
server smb encrypt = off
+ allow trusted domains = no
[vfs_aio_pthread]
path = $prefix_abs/share
--
2.43.0
From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Sep 2023 12:50:32 +0200
Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
---
source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 293523f4272..e5863d2272b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
status = make_user_info_map(mem_ctx, user_info,
- smb_name, client_domain,
+ smb_name, client_domain,
workstation_name,
remote_address,
local_address,
"SamLogon",
- lm_pwd_len ? &lm_blob : NULL,
+ lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
uint32_t logon_parameters,
- const uchar chal[8],
- const uchar lm_interactive_pwd[16],
+ const uchar chal[8],
+ const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16])
{
struct samr_Password lm_pwd;
@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
nt_status = make_user_info_map(
mem_ctx,
- user_info,
+ user_info,
smb_name, client_domain, workstation_name,
remote_address,
local_address,
@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
+ const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
/* We can't do an NT hash here, as the password needs to be
case insensitive */
- local_nt_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
} else {
- local_lm_blob = data_blob_null;
- local_nt_blob = data_blob_null;
+ local_lm_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
}
plaintext_password_string = talloc_strndup(talloc_tos(),
@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
}
ret = make_user_info(mem_ctx,
- user_info, smb_name, smb_name, client_domain, client_domain,
+ user_info, smb_name, smb_name, client_domain, client_domain,
get_remote_machine_name(),
remote_address,
local_address,
@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
nt_status = make_user_info(mem_ctx,
user_info,
- "","",
- "","",
- "",
+ "","",
+ "","",
+ "",
remote_address,
local_address,
service_description,
- NULL, NULL,
- NULL, NULL,
+ NULL, NULL,
+ NULL, NULL,
NULL,
AUTH_PASSWORD_RESPONSE);
@@ -1258,7 +1258,7 @@ done:
}
session_info->unique_session_token = GUID_random();
-
+
*session_info_out = talloc_move(mem_ctx, &session_info);
TALLOC_FREE(frame);
return NT_STATUS_OK;
@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
*pwd = passwd;
/* This is pointless -- there is no support for differing
- unix and windows names. Make sure to always store the
+ unix and windows names. Make sure to always store the
one we actually looked up and succeeded. Have I mentioned
- why I hate the 'winbind use default domain' parameter?
+ why I hate the 'winbind use default domain' parameter?
--jerry */
*found_username = talloc_strdup( mem_ctx, real_username );
@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
}
/****************************************************************************
- Wrapper to allow the getpwnam() call to strip the domain name and
- try again in case a local UNIX user is already there. Also run through
+ Wrapper to allow the getpwnam() call to strip the domain name and
+ try again in case a local UNIX user is already there. Also run through
the username if we fallback to the username only.
****************************************************************************/
@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
char *p = NULL;
const char *username = NULL;
- /* we only save a copy of the username it has been mangled
+ /* we only save a copy of the username it has been mangled
by winbindd use default domain */
*p_save_username = NULL;
- /* don't call map_username() here since it has to be done higher
+ /* don't call map_username() here since it has to be done higher
up the stack so we don't call it multiple times */
username = talloc_strdup(mem_ctx, domuser);
@@ -2068,10 +2068,10 @@ username_only:
}
/***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon
+ Make a server_info struct from the info3 returned by a domain logon
***************************************************************************/
-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct dom_sid sid;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
- /*
+ /*
Here is where we should check the list of
- trusted domains, and verify that the SID
+ trusted domains, and verify that the SID
matches.
*/
--
2.43.0
From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 30 Nov 2023 10:54:07 +0100
Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 --
source3/auth/auth_util.c | 17 ++++++++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
deleted file mode 100644
index b515400cd90..00000000000
--- a/selftest/knownfail.d/forceuser_trusteddomains
+++ /dev/null
@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index e5863d2272b..2a35fea5061 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -21,6 +21,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "dom_sid.h"
#include "includes.h"
#include "auth.h"
#include "lib/util_unixsids.h"
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct dom_sid tmp_sid;
struct auth_session_info *session_info = NULL;
struct unixid *ids;
+ bool is_allowed = false;
/* Ensure we can't possible take a code path leading to a
* null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_LOGON_FAILURE;
}
- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ is_allowed = true;
+ }
+
+ /* Check if we have extra info about the user. */
+ if (dom_sid_in_domain(&global_sid_Unix_Users,
+ &server_info->extra.user_sid) ||
+ dom_sid_in_domain(&global_sid_Unix_Groups,
+ &server_info->extra.pgid_sid))
+ {
+ is_allowed = true;
+ }
+
+ if (!is_allowed) {
DBG_NOTICE("Authentication failed for user [%s] "
"from firewalled domain [%s]\n",
server_info->info3->base.account_name.string,
--
2.43.0

1065
samba-4.19-fix-smbget-auth.patch
View File

File diff suppressed because it is too large Load Diff

106
samba-4.19-fix-smbget-debug.patch
View File

@ -1,106 +0,0 @@
From 21d8c1b2dabf8dd5a65de14816c6701e9c81de44 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 5 Dec 2023 15:46:48 +0100
Subject: [PATCH 1/2] s3:tests: Add smbget test for
smb://DOAMIN;user%password@server/share/file
This is supported according to the smbget manpage!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e)
---
source3/script/tests/test_smbget.sh | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 46c1f4a68a5..bdc62a71eff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -145,6 +145,22 @@ test_singlefile_smburl()
return 0
}
+test_singlefile_smburl2()
+{
+ clear_download_area
+ $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: RC does not match, expected: 0'
+ return 1
+ fi
+ cmp --silent $WORKDIR/testfile ./testfile
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: file content does not match'
+ return 1
+ fi
+ return 0
+}
+
test_singlefile_authfile()
{
clear_download_area
@@ -499,6 +515,10 @@ testit "download single file with --update and UPN" test_singlefile_U_UPN ||
testit "download single file with smb URL" test_singlefile_smburl ||
failed=$(expr $failed + 1)
+testit "download single file with smb URL including domain" \
+ test_singlefile_smburl2 ||
+ failed=$(expr $failed + 1)
+
testit "download single file with authfile" test_singlefile_authfile ||
failed=$(expr $failed + 1)
--
2.43.0
From e19fa9d75ee70ec23e70f166ee70241c116f7bf5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 08:48:34 +0100
Subject: [PATCH 2/2] s3:utils: Fix setting the debug level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d)
---
source3/utils/smbget.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index 5c99dcf918a..8d98ba24602 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -849,6 +849,7 @@ int main(int argc, char **argv)
uint32_t gensec_features;
bool use_wbccache = false;
SMBCCTX *smb_ctx = NULL;
+ int dbg_lvl = -1;
int rc;
smb_init_locale();
@@ -922,13 +923,16 @@ int main(int argc, char **argv)
samba_cmdline_burn(argc, argv);
+ /* smbc_new_context() will set the log level to 0 */
+ dbg_lvl = debuglevel_get();
+
smb_ctx = smbc_new_context();
if (smb_ctx == NULL) {
fprintf(stderr, "Unable to initialize libsmbclient\n");
ok = false;
goto done;
}
- smbc_setDebug(smb_ctx, debuglevel_get());
+ smbc_setDebug(smb_ctx, dbg_lvl);
rc = smbc_setConfiguration(smb_ctx, lp_default_path());
if (rc < 0) {
--
2.43.0

2
samba-winbind-systemd-sysusers.conf Normal file
View File

@ -0,0 +1,2 @@
#Type Name ID
g wbpriv 88

39
samba.spec
View File

@ -146,7 +146,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.19.3
%global samba_version 4.19.4
%global baserelease 100
# This should be rc1 or %%nil
%global pre_release %nil
@ -197,12 +197,6 @@
# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
%undefine _strict_symbol_defs_build
%global libwbc_alternatives_version 0.16
%global libwbc_alternatives_suffix %nil
%if 0%{?__isa_bits} == 64
%global libwbc_alternatives_suffix -64
%endif
%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
# Make a copy of this variable to prevent repeated evaluation of the
@ -239,16 +233,11 @@ Source14: samba.pamd
Source15: usershares.conf.vendor
Source16: samba-systemd-sysusers.conf
Source17: samba-usershares-systemd-sysusers.conf
Source18: samba-winbind-systemd-sysusers.conf
Source201: README.downgrade
Source202: samba.abignore
Patch0: samba-4.19-fix-force-user-trusted-domains.patch
Patch1: samba-4.19-fix-smbget-debug.patch
Patch2: samba-4.19-fix-smbget-auth.patch
Requires(pre): /usr/sbin/groupadd
Requires(pre): %{name}-common = %{samba_depver}
Requires: %{name}-common = %{samba_depver}
Requires: %{name}-common-libs = %{samba_depver}
@ -744,9 +733,12 @@ Samba VFS module for GlusterFS integration.
%package gpupdate
Summary: Samba GPO support for clients
Requires: cepces
Requires: cepces-certmonger
Requires: certmonger
Requires: %{name}-ldb-ldap-modules = %{samba_depver}
Requires: python3-%{name} = %{samba_depver}
# samba-tool needs python3-samba-dc also on non-dc build
Requires: python3-%{name}-dc = %{samba_depver}
%description gpupdate
This package provides the samba-gpupdate tool to apply Group Policy Objects
@ -1420,6 +1412,7 @@ echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf
install -d -m 0755 %{buildroot}%{_sysusersdir}
install -m 0644 %{SOURCE16} %{buildroot}%{_sysusersdir}/samba.conf
install -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/samba-usershares.conf
install -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/samba-winbind.conf
install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba
@ -1534,11 +1527,8 @@ export WINBINDD_DONT_LOG_STDOUT=1
%systemd_postun_with_restart nmb.service
%pre common
%if 0%{?fedora} || 0%{?rhel} > 8
# This creates the group 'printadmin'
%sysusers_create_compat %{SOURCE16}
%else
getent group printadmin >/dev/null || groupadd -r printadmin || :
%endif
%post common
%{?ldconfig}
@ -1608,14 +1598,12 @@ fi
%ldconfig_scriptlets test
%pre usershares
%if 0%{?fedora} || 0%{?rhel} > 8
# This creates the group 'usershares'
%sysusers_create_compat %{SOURCE17}
%else
getent group usershares >/dev/null || groupadd -r usershares || :
%endif
%pre winbind
/usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || :
# This creates the group 'wbpriv'
%sysusers_create_compat %{SOURCE18}
%post winbind
%systemd_post winbind.service
@ -3491,6 +3479,7 @@ fi
%{_libdir}/samba/libnss-info-samba4.so
%{_libdir}/samba/libidmap-samba4.so
%{_sbindir}/winbindd
%{_sysusersdir}/samba-winbind.conf
%attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
%{_unitdir}/winbind.service
%{_prefix}/lib/NetworkManager
@ -4479,6 +4468,12 @@ fi
%endif
%changelog
* Wed Jan 10 2024 Andreas Schneider <asn@redhat.com> - 4.19.4-100
- related: RHEL-16476 - Update to version 4.19.4
- resolves: RHEL-2109 - Add support for certificate auto enrollment
- resolves: RHEL-20761 - Add missing requirements for samba-gpupdate
- resolves: RHEL-19566 - Fix smbget interactive authentication
* Mon Dec 04 2023 Andreas Schneider <asn@redhat.com> - 4.19.3-100
- resolves: RHEL-16476 - Update to version 4.19.3
- resolves: RHEL-11362 - Fix security issues:

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (samba-4.19.3.tar.xz) = c222d11c2b196c02ce99a5d6b806df5b9dbfdc50f0d5de43723cf75af69e0fb8ec06d9fbd9a4ca8be03f3ff39a8e5422464afb9279816d3350308045350245a3
SHA512 (samba-4.19.3.tar.asc) = 76692b6eced6ecbbb49dea21e895ee4486aa09118a53b9a113ba0679063c6052333789156abe30b9d4ee11527743c2334eb49c055421c2cf6b347df18f6afb03
SHA512 (samba-4.19.4.tar.xz) = 3d2899e4a3b8bcb77befc29c4af66d3ac858b7f7a0dbbb66a8bc210cd88d9cde3e11361334a5cce650318473134ec8b134148bfa4af4d51f555de33eff395029
SHA512 (samba-4.19.4.tar.asc) = 11bc51407d1464339817d7568f5d5bb059c19a05b49c6a1307d7425d289acb617ecd3e633e3736bdaa94947a7b3630d6cdb7ed6fe59d52556234c549eca8172a