From c30e554fc5a68d2a2bd49e2c527afb102acb82b2 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Fri, 14 Jun 2024 10:15:05 +0300 Subject: [PATCH] Import OL samba-4.19.4-105.0.1.el9_4 --- ...906-s3-passdb-fix-memleak-in-pdb_tdb.patch | 42 +++ ...am-fix-leak-in-extract_pac_vrfy_sigs.patch | 80 +++++ SOURCES/samba-4.19-redhat.patch | 316 +++++++++++++++--- SPECS/samba.spec | 16 +- 4 files changed, 409 insertions(+), 45 deletions(-) create mode 100644 SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch create mode 100644 SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch diff --git a/SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch b/SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch new file mode 100644 index 0000000..bcfc2c1 --- /dev/null +++ b/SOURCES/101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch @@ -0,0 +1,42 @@ +From 18913d384edb8c49c69501fd6db5511312614594 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 27 Oct 2023 12:09:53 +0200 +Subject: [PATCH] s3:passdb: Do not leak memory in pdb_tdb + +==19938==ERROR: LeakSanitizer: detected memory leaks + +Direct leak of 77 byte(s) in 1 object(s) allocated from: + #0 0x7f7d482841f8 in strdup (/lib64/libasan.so.8+0x841f8) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) + #1 0x7f7d47204846 (bin/shared/libsamba-util.so.0+0x4c846) (BuildId: 43b084eb9013442ac68eb1fc17649f142cbb0f94) + #2 0x7f7d40b1d97a in pdb_init_tdbsam ../../source3/passdb/pdb_tdb.c:1361 + #3 0x7f7d4715f266 (bin/shared/libsamba-passdb.so.0+0x76266) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) + #4 0x7f7d4715f57a (bin/shared/libsamba-passdb.so.0+0x7657a) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) + #5 0x7f7d47163700 (bin/shared/libsamba-passdb.so.0+0x7a700) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) + #6 0x55a9177d3853 in main ../../source3/smbd/server.c:1928 + #7 0x7f7d434281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 + +Signed-off-by: Andreas Schneider +Reviewed-by: Volker Lendecke + +Orabug: 36371906 +Signed-off-by: Shaleen Bathla +Reviewed-by: Laurence Rochfort +--- + source3/passdb/pdb_tdb.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c +index 4c578f8069d..f9ba193df3b 100644 +--- a/source3/passdb/pdb_tdb.c ++++ b/source3/passdb/pdb_tdb.c +@@ -1346,6 +1346,9 @@ static NTSTATUS pdb_init_tdbsam(struct pdb_methods **pdb_method, const char *loc + } + pfile = tdbfile; + } ++ ++ /* Do not leak memory if the init function is called more than once */ ++ SAFE_FREE(tdbsam_filename); + tdbsam_filename = SMB_STRDUP(pfile); + if (!tdbsam_filename) { + return NT_STATUS_NO_MEMORY; +-- diff --git a/SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch b/SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch new file mode 100644 index 0000000..46d9be7 --- /dev/null +++ b/SOURCES/102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch @@ -0,0 +1,80 @@ +From 48493735e2d2091740fe784cf07a4258dfc0b512 Mon Sep 17 00:00:00 2001 +From: Shaleen Bathla +Date: Wed, 10 Apr 2024 18:31:39 +0530 +Subject: [PATCH] s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs + +Add missing free for entry variable and its members : key and principal +Found definite memory leaks via valgrind as shown below. + +Leak 1 : +==1686== 76,800 bytes in 2,400 blocks are definitely lost in loss record 432 of 433 +==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431) +==1686== by 0x79CBFED: krb5int_c_copy_keyblock_contents (keyblocks.c:101) +==1686== by 0x621CFA3: krb5_mkt_get_next (kt_memory.c:500) +==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) +==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) +==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) +==1686== by 0x127F45: process_request_send (winbindd.c:502) +==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749) +==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) +==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) +==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) +==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) +==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) +==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823) +==1686== by 0x1232F3: main (winbindd.c:1718) + +Leak 2 : +==1686== at 0x4C38185: malloc (vg_replace_malloc.c:431) +==1686== by 0x62255E4: krb5_copy_principal (copy_princ.c:38) +==1686== by 0x621D003: krb5_mkt_get_next (kt_memory.c:503) +==1686== by 0x141186: extract_pac_vrfy_sigs (winbindd_pam.c:3384) +==1686== by 0x141186: winbindd_pam_auth_pac_verify (winbindd_pam.c:3434) +==1686== by 0x17ED21: winbindd_pam_auth_crap_send (winbindd_pam_auth_crap.c:68) +==1686== by 0x127F45: process_request_send (winbindd.c:502) +==1686== by 0x127F45: winbind_client_request_read (winbindd.c:749) +==1686== by 0x124AAF: wb_req_read_done (wb_reqtrans.c:126) +==1686== by 0x66D4706: tevent_common_invoke_fd_handler (tevent_fd.c:142) +==1686== by 0x66DAF4E: epoll_event_loop (tevent_epoll.c:737) +==1686== by 0x66DAF4E: epoll_event_loop_once (tevent_epoll.c:938) +==1686== by 0x66D8F5A: std_event_loop_once (tevent_standard.c:110) +==1686== by 0x66D39B4: _tevent_loop_once (tevent.c:823) +==1686== by 0x1232F3: main (winbindd.c:1718) + +Signed-off-by: Shaleen Bathla +Reviewed-by: Andrew Bartlett +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Apr 16 10:22:51 UTC 2024 on atb-devel-224 + +Orabug: 36566309 +Signed-off-by: Shaleen Bathla +Reviewed-by: Laurence Rochfort +--- + source3/winbindd/winbindd_pam.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 6c890c8acd5..e7d64189b7e 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -3433,12 +3433,17 @@ static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob, + NULL, /* client_principal */ + 0, /* tgs_authtime */ + p_pac_data); ++ (void)smb_krb5_kt_free_entry(krbctx, &entry); + if (NT_STATUS_IS_OK(status)) { + break; + } +- k5ret = smb_krb5_kt_free_entry(krbctx, &entry); + k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor); + } ++ if (k5ret != 0 && k5ret != KRB5_KT_END) { ++ DEBUG(1, ("Failed to get next entry: %s\n", ++ error_message(k5ret))); ++ (void)smb_krb5_kt_free_entry(krbctx, &entry); ++ } + + k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor); + if (k5ret) { diff --git a/SOURCES/samba-4.19-redhat.patch b/SOURCES/samba-4.19-redhat.patch index 1450c56..7ec74d1 100644 --- a/SOURCES/samba-4.19-redhat.patch +++ b/SOURCES/samba-4.19-redhat.patch @@ -1,7 +1,7 @@ From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:05:54 +0300 -Subject: [PATCH 01/21] gp: Support more global trust directories +Subject: [PATCH 01/25] gp: Support more global trust directories In addition to the SUSE global trust directory, add support for RHEL and Debian-based distributions (including Ubuntu). @@ -60,13 +60,13 @@ index 312c8ddf467..1b90ab46e90 100644 # Symlink the certs to global trust dir dst = os.path.join(global_trust_dir, os.path.basename(src)) -- -2.43.0 +2.41.0 From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 17 Aug 2023 01:09:28 +0300 -Subject: [PATCH 02/21] gp: Support update-ca-trust helper +Subject: [PATCH 02/25] gp: Support update-ca-trust helper This is used on RHEL/Fedora instead of update-ca-certificates. They behave similarly so it's enough to change the command name. @@ -104,13 +104,13 @@ index 1b90ab46e90..cefdafa21b2 100644 Popen([update]).wait() # Setup Certificate Auto Enrollment -- -2.43.0 +2.41.0 From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 11 Aug 2023 18:46:42 +0300 -Subject: [PATCH 03/21] gp: Change root cert extension suffix +Subject: [PATCH 03/25] gp: Change root cert extension suffix On Ubuntu, certificates must end in '.crt' in order to be considered by the `update-ca-certificates` helper. @@ -138,13 +138,13 @@ index cefdafa21b2..c562722906b 100644 w.write(cert) root_certs.append(dest) -- -2.43.0 +2.41.0 From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:06:43 +0300 -Subject: [PATCH 04/21] gp: Test with binary content for certificate data +Subject: [PATCH 04/25] gp: Test with binary content for certificate data This fails all GPO-related tests that call `gpupdate --rsop`. @@ -216,13 +216,13 @@ index 00000000000..0aad59607c2 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:20:11 +0300 -Subject: [PATCH 05/21] gp: Convert CA certificates to base64 +Subject: [PATCH 05/25] gp: Convert CA certificates to base64 I don't know whether this applies universally, but in our case the contents of `es['cACertificate'][0]` are binary, so cleanly converting @@ -289,13 +289,13 @@ index 0aad59607c2..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:16:23 +0300 -Subject: [PATCH 06/21] gp: Test adding new cert templates enforces changes +Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes Ensure that cepces-submit reporting additional templates and re-applying will enforce the updated policy. @@ -422,13 +422,13 @@ index 00000000000..4edc1dce730 +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:37:17 +0300 -Subject: [PATCH 07/21] gp: Template changes should invalidate cache +Subject: [PATCH 07/25] gp: Template changes should invalidate cache If certificate templates are added or removed, the autoenroll extension should react to this and reapply the policy. Previously this wasn't @@ -487,13 +487,13 @@ index 4edc1dce730..00000000000 -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 18 Aug 2023 17:26:59 +0300 -Subject: [PATCH 08/21] gp: Test disabled enrollment unapplies policy +Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy For this we need to stage a Registry.pol file with certificate autoenrollment enabled, but with checkboxes unticked. @@ -588,13 +588,13 @@ index 00000000000..83bc9f0ac1f @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Wed, 16 Aug 2023 12:33:59 +0300 -Subject: [PATCH 09/21] gp: Send list of keys instead of dict to remove +Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove `cache_get_all_attribute_values` returns a dict whereas we need to pass a list of keys to `remove`. These will be interpolated in the gpdb search. @@ -634,13 +634,13 @@ index 83bc9f0ac1f..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext -- -2.43.0 +2.41.0 From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 9 Jan 2024 08:50:01 +0100 -Subject: [PATCH 10/21] python:gp: Print a nice message if cepces-submit can't +Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't be found BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 @@ -691,13 +691,13 @@ index 64c35782ae8..08d1a7348cd 100644 def getca(ca, url, trust_dir): -- -2.43.0 +2.41.0 From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Mon, 8 Jan 2024 18:05:08 +0200 -Subject: [PATCH 11/21] gpo: Test certificate policy without NDES +Subject: [PATCH 11/25] gpo: Test certificate policy without NDES As of 8231eaf856b, the NDES feature is no longer required on Windows, as cert auto-enroll can use the certificate from the LDAP request. @@ -895,13 +895,13 @@ index 00000000000..f1e590bc7d8 @@ -0,0 +1 @@ +^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.43.0 +2.41.0 From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Thu, 18 Jan 2024 20:23:24 +0200 -Subject: [PATCH 12/21] gpo: Decode base64 root cert before importing +Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing The reasoning behind this is described in the previous commit message, but essentially this should either be wrapped in certificate blocks and @@ -948,13 +948,13 @@ index f1e590bc7d8..00000000000 @@ -1 +0,0 @@ -^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes -- -2.43.0 +2.41.0 From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 From: Gabriel Nagy Date: Fri, 19 Jan 2024 11:36:19 +0200 -Subject: [PATCH 13/21] gpo: Do not get templates list on first run +Subject: [PATCH 13/25] gpo: Do not get templates list on first run This is a visual fix and has no impact on functionality apart from cleaner log messages. @@ -997,13 +997,13 @@ index cd5e54f1110..559c903e1a2 100644 if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: self.unapply(guid, attribute, old_val) -- -2.43.0 +2.41.0 From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 5 Jan 2024 08:47:07 -0700 -Subject: [PATCH 14/21] gp: Skip site GP list if no site is found +Subject: [PATCH 14/25] gp: Skip site GP list if no site is found [MS-GPOL] 3.2.5.1.4 Site Search says if the site search returns ERROR_NO_SITENAME, the GP site @@ -1065,13 +1065,13 @@ index 617ef79350c..babd8f90748 100644 # (L)ocal gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", -- -2.43.0 +2.41.0 From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:14:30 +0100 -Subject: [PATCH 15/21] python:gp: Avoid path check for cepces-submit +Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1111,13 +1111,13 @@ index 559c903e1a2..7325d5132cf 100644 '%s --server=%s --auth=%s' % (cepces_submit, ca['hostname'], auth)], -- -2.43.0 +2.41.0 From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 14:07:47 +0100 -Subject: [PATCH 16/21] python:gp: Improve logging for certificate enrollment +Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1171,13 +1171,13 @@ index 7325d5132cf..a25a9678587 100644 getcert = which('getcert') cepces_submit = find_cepces_submit() -- -2.43.0 +2.41.0 From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:04:36 +0100 -Subject: [PATCH 17/21] python:gp: Do not print an error, if CA already exists +Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1217,13 +1217,13 @@ index a25a9678587..0b23cd688db 100644 for template in supported_templates: attrs = fetch_template_attrs(ldb, template) -- -2.43.0 +2.41.0 From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:02 +0100 -Subject: [PATCH 18/21] python:gp: Do not print an error if template already +Subject: [PATCH 18/25] python:gp: Do not print an error if template already exists MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1264,13 +1264,13 @@ index 0b23cd688db..db681cb6f69 100644 data['templates'].append(nickname) if update is not None: -- -2.43.0 +2.41.0 From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:05:24 +0100 -Subject: [PATCH 19/21] python:gp: Log an error if update fails +Subject: [PATCH 19/25] python:gp: Log an error if update fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -1301,13 +1301,13 @@ index db681cb6f69..c8ad2039dc6 100644 log.warn('certmonger and cepces must be installed for ' + 'certificate auto enrollment to work') -- -2.43.0 +2.41.0 From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 22 Jan 2024 15:46:24 +0100 -Subject: [PATCH 20/21] python:gp: Improve working of log messages to avoid +Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid confusion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1354,13 +1354,13 @@ index c8ad2039dc6..2b7f7d22c2b 100644 log.warn('Installing the server certificate only.') der_certificate = base64.b64decode(ca['cACertificate']) -- -2.43.0 +2.41.0 From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 29 Jan 2024 17:46:30 +0100 -Subject: [PATCH 21/21] python:gp: Fix logging with gp +Subject: [PATCH 21/25] python:gp: Fix logging with gp This allows enable INFO level logging with: `samba-gpupdate -d3` @@ -1396,5 +1396,237 @@ index a74a8707d50..c3de32825db 100644 logger.setLevel(logging.CRITICAL) if log_level == 1: -- -2.43.0 +2.41.0 + + +From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 13 Mar 2024 13:55:41 +0100 +Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) +--- + docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml +index b364bbfa231..de6d36afe95 100644 +--- a/docs-xml/manpages/idmap_ad.8.xml ++++ b/docs-xml/manpages/idmap_ad.8.xml +@@ -100,6 +100,16 @@ + + + ++ all_groupmem = yes/no ++ ++ If set to yes winbind will retrieve all ++ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, ++ including those with missing uidNumber. ++ ++ Default: no ++ ++ ++ + deny ous + This parameter is a list of OUs from + which objects will not be mapped via the ad idmap +-- +2.41.0 + + +From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 12 Mar 2024 13:20:24 +0100 +Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem() + in idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The LDAP query of lookup_groupmem() returns all group members from AD +even those with missing uidNumber. Such group members are useless in +UNIX environment for idmap_ad backend since there is no uid mapping. + +'test_user' is member of group "Domanin Users" with 200K members, +only 20K members have set uidNumber. + +Without this fix: + +$ time id test_user + +real 1m5.946s +user 0m0.019s +sys 0m0.012s + +With this fix: + +$ time id test_user + +real 0m3.544s +user 0m0.004s +sys 0m0.007s + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) +--- + source3/winbindd/winbindd_ads.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index d7a665abbc6..e625aa6473f 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -1037,7 +1037,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + } + + static NTSTATUS add_primary_group_members( +- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, ++ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, + char ***all_members, size_t *num_all_members) + { + char *filter; +@@ -1049,10 +1049,13 @@ static NTSTATUS add_primary_group_members( + char **members; + size_t num_members; + ads_control args; ++ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); + + filter = talloc_asprintf( +- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", +- (unsigned)rid); ++ mem_ctx, ++ "(&(objectCategory=user)(primaryGroupID=%u)%s)", ++ (unsigned)rid, ++ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); + if (filter == NULL) { + goto done; + } +@@ -1204,7 +1207,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + + DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); + +- status = add_primary_group_members(ads, mem_ctx, rid, ++ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, + &members, &num_members); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("%s: add_primary_group_members failed: %s\n", +-- +2.41.0 + + +From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 25 Mar 2024 22:38:18 +0100 +Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to + setup_ad_member_idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) +--- + selftest/target/Samba3.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 44ac4a5901a..606c65f8ab1 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1412,6 +1412,7 @@ sub setup_ad_member_idmap_ad + idmap config $dcvars->{TRUST_DOMAIN} : backend = ad + idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 + gensec_gssapi:requested_life_time = 5 ++ winbind expand groups = 1 + "; + + my $ret = $self->provision( +-- +2.41.0 + + +From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 14 Mar 2024 15:24:21 +0100 +Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to + test_idmap_ad.sh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 + +(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) +--- + nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh +index 7ae112ada71..1d4bd395ba9 100755 +--- a/nsswitch/tests/test_idmap_ad.sh ++++ b/nsswitch/tests/test_idmap_ad.sh +@@ -94,6 +94,14 @@ gidNumber: 2000001 + unixHomeDirectory: /home/forbidden + loginShell: /bin/tcsh + gecos: User in forbidden OU ++ ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: add ++objectClass: user ++samaccountName: no_posix_id ++unixHomeDirectory: /home/no_posix_id ++loginShell: /bin/sh ++gecos: User without uidNumber and gidNumber + EOF + + # +@@ -171,6 +179,17 @@ then + failed=$(($failed + 1)) + fi + ++# ++# Test 6: Make sure that with the default "all_groups=no" ++# the group "domain users" will not show user "no_posix_id" ++# but will show "SAMBA2008R2/administrator" ++# ++ ++dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word ++out="$($wbinfo --group-info "$dom_users")" ++testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) ++testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) ++ + # + # Trusted domain test 1: Test uid of Administrator, should be 2500000 + # +@@ -241,6 +260,9 @@ gidNumber: 2000002 + dn: cn=forbidden,ou=sub,$BASE_DN + changetype: delete + ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: delete ++ + dn: ou=sub,$BASE_DN + changetype: delete + EOF +-- +2.41.0 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 8c3f2c3..8302ea9 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -147,7 +147,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.19.4 -%global baserelease 104 +%global baserelease 105 # This should be rc1 or %%nil %global pre_release %nil @@ -205,7 +205,7 @@ Name: samba Version: %{samba_version} -Release: %{samba_release}%{?dist} +Release: %{samba_release}.0.1%{?dist} %if 0%{?fedora} Epoch: 2 @@ -244,6 +244,10 @@ Source202: samba.abignore # Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch Patch0: samba-4.19-redhat.patch +# Oracle Patches +Patch101: 101-orabug36371906-s3-passdb-fix-memleak-in-pdb_tdb.patch +Patch102: 102-orabug36566309-s3-winbindd-winbindd_pam-fix-leak-in-extract_pac_vrfy_sigs.patch + Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} @@ -4473,6 +4477,13 @@ fi %endif %changelog +* Tue Jun 11 2024 EL Errata - 4.19.4-105.0.1 +- s3: winbindd: winbindd_pam: fix leak in extract_pac_vrfy_sigs [Orabug: 36566309] +- s3:passdb: Do not leak memory in pdb_tdb [Orabug: 36371906] + +* Wed Apr 24 2024 Pavel Filipenský - 4.19.4-105 +- resolves: RHEL-33783 - Add option to request only POSIX groups from AD in idmap_ad + * Mon Feb 19 2024 Andreas Schneider - 4.19.4-104 - related: RHEL-2109 - Disable support for certificate auto enrollment @@ -7245,4 +7256,3 @@ fi - Added a number of options to smb.conf file - Added smbadduser command (missed from all previous RPMs) - Doooh! - Added smbuser file and smb.conf file updates for username map -