Update to Samba 4.0.0rc5.

Andreas Schneider 2012-11-13 12:59:39 +01:00
parent 3eabd5bb16
commit b9c801614f
6 changed files with 106 additions and 201 deletions


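--- a/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe
-Author: Günther Deschner <gd@samba.org>
-AuthorDate: Mon Dec 19 10:52:58 2011 +0100
-Commit: Günther Deschner <gd@samba.org>
-CommitDate: Tue Oct 2 16:22:31 2012 +0200
-s3-kerberos: add aes enctypes to generated krb5.conf.
-Guenther
----
-source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
-1 file changed, 24 insertions(+), 5 deletions(-)
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index fd39394..3183e26 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
-int fd;
-char *realm_upper = NULL;
-bool result = false;
-+ char *aes_enctypes = NULL;
-if (!lp_create_krb5_conf()) {
-return false;
-@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
-goto done;
-}
-- /* FIXME: add aes here - gd */
-+ aes_enctypes = talloc_strdup(fname, "");
-+ if (aes_enctypes == NULL) {
-+ goto done;
-+ }
-+
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
-+ if (aes_enctypes == NULL) {
-+ goto done;
-+ }
-+#endif
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
-+ if (aes_enctypes == NULL) {
-+ goto done;
-+ }
-+#endif
-+
-file_contents = talloc_asprintf(fname,
-"[libdefaults]\n\tdefault_realm = %s\n"
-- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
-+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
-"[realms]\n\t%s = {\n"
-"\t%s\t}\n",
-- realm_upper, realm_upper, kdc_ip_string);
-+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
-+ realm_upper, kdc_ip_string);
-if (!file_contents) {
-goto done;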


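--- a/samba-4.0.0rc4-request_aes_krb_keys.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-commit eae33e96fcaa456830862325b91579faf2a96213
-Author: Günther Deschner <gd@samba.org>
-AuthorDate: Thu Dec 15 18:12:41 2011 +0100
-Commit: Günther Deschner <gd@samba.org>
-CommitDate: Tue Oct 2 16:22:31 2012 +0200
-s3-krb5: use and request AES keys in kerberos operations.
-Guenther
----
-lib/krb5_wrap/krb5_samba.c | 6 ++++++
-source3/libads/kerberos.c | 1 +
-source3/libads/kerberos_keytab.c | 8 +++++++-
-3 files changed, 14 insertions(+), 1 deletion(-)
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 1a5a710..8037337 100644
---- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
-ENCTYPE_ARCFOUR_HMAC,
-ENCTYPE_DES_CBC_MD5,
-ENCTYPE_DES_CBC_CRC,
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+#endif
-ENCTYPE_NULL};
-initialize_krb5_error_table();
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 1093d12..fd39394 100644
---- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
-goto done;
-}
-+ /* FIXME: add aes here - gd */
-file_contents = talloc_asprintf(fname,
-"[libdefaults]\n\tdefault_realm = %s\n"
-"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
-index eb2603b..b7df50d 100644
---- a/source3/libads/kerberos_keytab.c
-+++ b/source3/libads/kerberos_keytab.c
-@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
-krb5_keytab keytab = NULL;
-krb5_data password;
-krb5_kvno kvno;
-- krb5_enctype enctypes[4] = {
-+ krb5_enctype enctypes[6] = {
-ENCTYPE_DES_CBC_CRC,
-ENCTYPE_DES_CBC_MD5,
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+#endif
-ENCTYPE_ARCFOUR_HMAC,
-0
-};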


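--- a/samba-4.0.0rc5-fix_winbind_offline_logon.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 6c148a1532f9b29b1ec6283a971caeb7de4ff24e Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 1 Nov 2012 14:41:56 +0100
-Subject: [PATCH] s3:winbindd:cache: fix offline logons with cached
-credentials (bug #9321)
-The removal of consumption of the time field from the centry
-as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
-had the side effect of changing the offset for reading the following
-nt password hash, so the read password hash was wrong.
-This patch re-installs the consumption of the time,
-thereby fixing the bug without changing the disk format of the cache.
-Signed-off-by: Michael Adam <obnox@samba.org>
----
-source3/winbindd/winbindd_cache.c | 7 +++++++
-1 file changed, 7 insertions(+)
-diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
-index 2c9dd4a..c79d3b6 100644
---- a/source3/winbindd/winbindd_cache.c
-+++ b/source3/winbindd/winbindd_cache.c
-@@ -1329,6 +1329,13 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
-return NT_STATUS_OBJECT_NAME_NOT_FOUND;
-}
-+ /*
-+ * We don't use the time element at this moment,
-+ * but we have to consume it, so that we don't
-+ * neet to change the disk format of the cache.
-+ */
-+ (void)centry_time(centry);
-+
-/* In the salted case this isn't actually the nt_hash itself,
-but the MD5 of the salt + nt_hash. Let the caller
-sort this out. It can tell as we only return the cached_salt
---
-1.7.9.5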


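--- /dev/null
+++ b/samba-4.0.0rc6-LogonSamLogon_failover.patch
@@ -0,0 +1,95 @@
+commit 3b01dd5f59841b11e9906b8c23345946e0d0ea8c
+Author: Andreas Schneider <asn@samba.org>
+AuthorDate: Fri Nov 9 15:33:09 2012 +0100
+Commit: Stefan Metzmacher <metze@samba.org>
+CommitDate: Mon Nov 12 18:57:18 2012 +0100
+s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
+Samba continues to query a broken DC while the DC did not finish to
+rebuild Sysvol (after a Windows crash, for example). It causes end users
+to received strange codes while trying to authenticate, even if there is
+a secondary DC available.
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
+---
+source3/winbindd/winbindd_pam.c | 52 ++++++++++++++++++++++++++++++-----------
+1 file changed, 39 insertions(+), 13 deletions(-)
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 5b6b77b..b23d421 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1175,6 +1175,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+struct netr_SamInfo3 **info3)
+{
+int attempts = 0;
++ int netr_attempts = 0;
+bool retry = false;
+NTSTATUS result;
+@@ -1189,22 +1190,47 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+result = cm_connect_netlogon(domain, &netlogon_pipe);
+if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
+- nt_errstr(result)));
+- if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
+- if (attempts > 0) {
+- DEBUG(3, ("This is the second problem for this "
+- "particular call, forcing the close of "
+- "this connection\n"));
+- invalidate_cm_connection(&domain->conn);
+- } else {
+- DEBUG(3, ("First call to cm_connect_netlogon "
+- "has timed out, retrying\n"));
+- continue;
+- }
++ DEBUG(3,("Could not open handle to NETLOGON pipe "
++ "(error: %s, attempts: %d)\n",
++ nt_errstr(result), netr_attempts));
++
++ /* After the first retry always close the connection */
++ if (netr_attempts > 0) {
++ DEBUG(3, ("This is again a problem for this "
++ "particular call, forcing the close "
++ "of this connection\n"));
++ invalidate_cm_connection(&domain->conn);
++ }
++
++ /* After the second retry failover to the next DC */
++ if (netr_attempts > 1) {
++ /*
++ * If the netlogon server is not reachable then
++ * it is possible that the DC is rebuilding
++ * sysvol and shutdown netlogon for that time.
++ * We should failover to the next dc.
++ */
++ DEBUG(3, ("This is the third problem for this "
++ "particular call, adding DC to the "
++ "negative cache list\n"));
++ add_failed_connection_entry(domain->name,
++ domain->dcname,
++ result);
++ saf_delete(domain->name);
++ }
++
++ /* Only allow 3 retries */
++ if (netr_attempts < 3) {
++ DEBUG(3, ("The connection to netlogon "
++ "failed, retrying\n"));
++ netr_attempts++;
++ retry = true;
++ continue;
+}
+return result;
+}
++ netr_attempts = 0;
++
+auth = netlogon_pipe->auth;
+if (netlogon_pipe->dc) {
+neg_flags = netlogon_pipe->dc->negotiate_flags;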
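Review bot: The `netr_attempts > 1` branch in the backported hunk runs on both the third and the fourth consecutive `cm_connect_netlogon` failure, because `netr_attempts < 3` still permits one more retry after the DC has already been added to the negative cache, so on the final failure the "This is the third problem" message is logged a second time and `add_failed_connection_entry`/`saf_delete` run again just before `return result`. If the intent is to mark the failed DC exactly once and then give the next DC its chance, `if (netr_attempts == 2) {` expresses that; if every DC that fails after the second retry is meant to be recorded (which is plausible, since `domain->dcname` may by then name a different server), the message should carry the count, e.g. `"Attempt %d failed, adding DC to the negative cache list\n", netr_attempts + 1`. Whether `continue` actually re-enters the loop after `retry = true` depends on the do/while condition of winbind_samlogon_retry_loop, which lies outside this hunk, as does the rest of the function body.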


@ -1,4 +1,4 @@
%define main_release 165
%define main_release 166
%define samba_version 4.0.0
%define talloc_version 2.0.7
@ -6,7 +6,7 @@
%define tdb_version 1.2.10
%define tevent_version 0.9.17
%define ldb_version 1.1.12
%define pre_release rc4
%define pre_release rc5
%define samba_release %{main_release}%{?dist}.%{pre_release}
@ -57,14 +57,11 @@ Source2: samba.xinetd
Source3: swat.desktop
Source4: smb.conf.default
Source5: pam_winbind.conf
Source7: winbind.networkmanager
Source200: README.dc
Source201: README.downgrade
Patch0: samba-4.0.0rc4-request_aes_krb_keys.patch
Patch1: samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
Patch2: samba-4.0.0rc5-fix_winbind_offline_logon.patch
Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@ -407,9 +404,7 @@ the local kerberos library to use the same KDC as samba and winbind use
%prep
%setup -q -n samba-%{version}%{pre_release}
%patch0 -p1 -b .request_aes_krb_keys
%patch1 -p1 -b .add_aes_enctypes_to_krb5_conf
%patch2 -p1 -b .winbind_offline_logon
%patch0 -p1 -b .samlogon_failover
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -554,9 +549,10 @@ for i in nmb smb winbind ; do
install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
done
# FIXME use packaging/NetworkManager/30-winbind
# NetworkManager online/offline script
install -d -m 0755 %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/
install -m 0755 %{SOURCE7} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
install -m 0755 packaging/NetworkManager/30-winbind-systemd \
%{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
# winbind krb5 locator
install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
@ -772,7 +768,6 @@ rm -rf %{buildroot}
%{_bindir}/profiles
%{_bindir}/smbcontrol
%{_bindir}/testparm
%{_libdir}/samba/libgpo.so
%{_datadir}/samba/codepages
%config(noreplace) %{_sysconfdir}/logrotate.d/samba
%attr(0700,root,root) %dir /var/log/samba
@ -1069,6 +1064,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/liberrors.so
%{_libdir}/samba/libevents.so
%{_libdir}/samba/libflag_mapping.so
%{_libdir}/samba/libgpo.so
%{_libdir}/samba/libgse.so
%{_libdir}/samba/libinterfaces.so
%{_libdir}/samba/libkrb5samba.so
@ -1302,6 +1298,9 @@ rm -rf %{buildroot}
%{_mandir}/man7/winbind_krb5_locator.7*
%changelog
* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-166.rc5
- Update to Samba 4.0.0rc5.
* Mon Nov 05 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-165.rc4
- Fix library dependencies of libnetapi.
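Review bot: The new changelog entry records only the version bump, while this spec section also drops the three rc4/rc5 patches (presumably merged upstream in rc5), adds a backport of the LogonSamLogon failover fix from upstream commit 3b01dd5f (BUG 9386), and replaces the packaged winbind.networkmanager dispatcher script with packaging/NetworkManager/30-winbind-systemd. Anyone reading the package changelog will not learn why winbind now fails over after repeated NETLOGON pipe failures or why the dispatcher script changed. Suggested additional lines under the rc5 entry: `- Backport failover to the next DC when the netlogon pipe is unavailable (BUG 9386).` and `- Install the upstream NetworkManager dispatcher script 30-winbind-systemd.` The patch is named for rc6 although the package is rc5; a short comment next to the `Patch0:` line saying it is a backport would avoid that looking like a mistake.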


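--- a/winbind.networkmanager
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/sh
-winbind_is_active=$(/bin/systemctl is-active winbind.service)
-test "${winbind_is_active}" = "active" || exit 0
-winbind_offline_logon=$(testparm -s --parameter-name "winbind offline logon" 2>/dev/null)
-test "${winbind_offline_logon}" = "Yes" || exit 0
-case "$2" in
-up|vpn-up)
-nmb_is_active=$(/bin/systemctl is-active nmb.service)
-if test "${nmb_is_active}" = "active"; then
-/bin/systemctl try-restart nmb.service || :
-fi
-/usr/bin/smbcontrol winbind online || :
-;;
-down)
-/usr/bin/smbcontrol winbind offline
-;;
-esac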