Update to version 4.21.1
- related: RHEL-59777
parent
cb06748333
commit
ca24bb59fc
2
.gitignore
vendored
2
.gitignore
vendored
@ -365,3 +365,5 @@ samba-3.6.0pre1.tar.gz
|
||||
/samba-4.20.2.tar.asc
|
||||
/samba-4.21.0.tar.asc
|
||||
/samba-4.21.0.tar.xz
|
||||
/samba-4.21.1.tar.asc
|
||||
/samba-4.21.1.tar.xz
|
||||
|
@ -1,4 +1,4 @@
|
||||
From c9a7bc3e8f36cb9d6746e23ea56f9c27b82dcf49 Mon Sep 17 00:00:00 2001
|
||||
From 2d9ab68f501f5796bdf4662a058a2adff30d497e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 22 Jul 2024 12:26:55 +0200
|
||||
Subject: [PATCH] s3:notifyd: Use a watcher per db record
|
@ -1,132 +0,0 @@
|
||||
From 26797d7bd2662718b3eb795f1b8e6100d51e3ab7 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Tue, 3 Sep 2024 08:48:24 +0300
|
||||
Subject: [PATCH] sync machine password to keytab: handle FreeIPA use case
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
FreeIPA uses own procedure to retrieve keytabs and during the setup of
|
||||
Samba on FreeIPA client the keytab is already present, only machine
|
||||
account needs to be set in the secrets database.
|
||||
|
||||
'sync machine password to keytab' option handling broke this use case by
|
||||
always attempting to contact a domain controller and failing to do so
|
||||
(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199).
|
||||
|
||||
The original synchronizing machine account password to keytab feature
|
||||
did not have a mechanism to disable its logic at all.
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
|
||||
|
||||
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
|
||||
Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224
|
||||
|
||||
(cherry picked from commit 4f577c7b6894132be4842944f2f950b087312b16)
|
||||
---
|
||||
.../security/syncmachinepasswordtokeytab.xml | 29 +++++++++++++++++--
|
||||
source3/libads/kerberos_keytab.c | 5 ++++
|
||||
source3/utils/net.c | 8 +++++
|
||||
source3/utils/testparm.c | 3 +-
|
||||
4 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
||||
index 4cad9da73f2..f7dc30023d4 100644
|
||||
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
||||
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
|
||||
@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password
|
||||
</para>
|
||||
|
||||
<para>
|
||||
-The option takes a list of keytab strings. Each string has this form:
|
||||
+The option takes a list of keytab strings to describe how to synchronize
|
||||
+content of those keytabs or a single 'disabled' value to disable the
|
||||
+synchronization.
|
||||
+
|
||||
+Each string has this form:
|
||||
<programlisting>
|
||||
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
||||
</programlisting>
|
||||
@@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
-If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
||||
-where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
|
||||
+If no value is present and <smbconfoption name="kerberos method"/> is different from
|
||||
+'secrets only', the behavior differs between winbind and net utility:
|
||||
+</para>
|
||||
+<itemizedlist>
|
||||
+ <listitem>
|
||||
+ <para><userinput>winbind</userinput> uses value
|
||||
+ <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
||||
+ where the path to the keytab is obtained either from the krb5 library or from
|
||||
+ <smbconfoption name="dedicated keytab file"/>.
|
||||
+ </para>
|
||||
+ </listitem>
|
||||
+ <listitem>
|
||||
+ <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para>
|
||||
+ </listitem>
|
||||
+ <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem>
|
||||
+</itemizedlist>
|
||||
+
|
||||
+<para>
|
||||
+If a single value 'disabled' is present, the synchronization process is
|
||||
+disabled. This is required for FreeIPA domain member setup where keytab
|
||||
+synchronization uses a protocol not implemented by Samba.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
||||
index 6ede567b75f..dbf8af44c1f 100644
|
||||
--- a/source3/libads/kerberos_keytab.c
|
||||
+++ b/source3/libads/kerberos_keytab.c
|
||||
@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void)
|
||||
goto params_ready;
|
||||
}
|
||||
|
||||
+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) {
|
||||
+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n");
|
||||
+ return NT_STATUS_OK;
|
||||
+ }
|
||||
+
|
||||
line = lp_ptr;
|
||||
while (*line) {
|
||||
DBG_DEBUG("Scanning line: %s\n", *line);
|
||||
diff --git a/source3/utils/net.c b/source3/utils/net.c
|
||||
index 7b40d2bee95..c432ebe991f 100644
|
||||
--- a/source3/utils/net.c
|
||||
+++ b/source3/utils/net.c
|
||||
@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc,
|
||||
struct timeval tv = timeval_current();
|
||||
NTTIME now = timeval_to_nttime(&tv);
|
||||
|
||||
+#ifdef HAVE_ADS
|
||||
+ if (USE_KERBEROS_KEYTAB) {
|
||||
+ if (lp_sync_machine_password_to_keytab() == NULL) {
|
||||
+ lp_do_parameter(-1, "sync machine password to keytab", "disabled");
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
if (c->opt_stdin) {
|
||||
set_line_buffering(stdin);
|
||||
set_line_buffering(stdout);
|
||||
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
||||
index e3ed336a79a..a31a7a8a30a 100644
|
||||
--- a/source3/utils/testparm.c
|
||||
+++ b/source3/utils/testparm.c
|
||||
@@ -803,7 +803,8 @@ static int do_global_checks(void)
|
||||
"instead of 'kerberos method'.\n\n");
|
||||
}
|
||||
|
||||
- if (lp_ptr != NULL) {
|
||||
+ if (lp_ptr != NULL &&
|
||||
+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) {
|
||||
while (*lp_ptr) {
|
||||
ret |= pw2kt_check_line(*lp_ptr++);
|
||||
}
|
||||
--
|
||||
2.46.0
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 9f265d6f3b852a9eed9f19147585fe2801507f63 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 24 Sep 2024 15:48:23 +0200
|
||||
Subject: [PATCH] ldb: Build lmdb backend also in non-AD case
|
||||
|
||||
We should build with lmdb support also if it is not in AD case. The lmdb
|
||||
backend is also used e.g. by sssd.
|
||||
|
||||
If you don't want to build it, you can always specify --without-ldb-lmdb
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15721
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
lib/ldb/wscript | 22 +++++++++-------------
|
||||
1 file changed, 9 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
|
||||
index 87aa3bb6d77..f234fa79c10 100644
|
||||
--- a/lib/ldb/wscript
|
||||
+++ b/lib/ldb/wscript
|
||||
@@ -33,21 +33,17 @@ def configure(conf):
|
||||
conf.CONFIG_GET('ENABLE_SELFTEST'):
|
||||
Logs.warn("NOTE: Some AD DC parts of selftest will fail")
|
||||
|
||||
+ conf.env.REQUIRE_LMDB = False
|
||||
+ elif Options.options.without_ldb_lmdb:
|
||||
+ if not Options.options.without_ad_dc and \
|
||||
+ conf.CONFIG_GET('ENABLE_SELFTEST'):
|
||||
+ raise Errors.WafError('--without-ldb-lmdb conflicts '
|
||||
+ 'with --enable-selftest while '
|
||||
+ 'building the AD DC')
|
||||
+
|
||||
conf.env.REQUIRE_LMDB = False
|
||||
else:
|
||||
- if Options.options.without_ad_dc:
|
||||
- conf.env.REQUIRE_LMDB = False
|
||||
- else:
|
||||
- if Options.options.without_ldb_lmdb:
|
||||
- if not Options.options.without_ad_dc and \
|
||||
- conf.CONFIG_GET('ENABLE_SELFTEST'):
|
||||
- raise Errors.WafError('--without-ldb-lmdb conflicts '
|
||||
- 'with --enable-selftest while '
|
||||
- 'building the AD DC')
|
||||
-
|
||||
- conf.env.REQUIRE_LMDB = False
|
||||
- else:
|
||||
- conf.env.REQUIRE_LMDB = True
|
||||
+ conf.env.REQUIRE_LMDB = True
|
||||
|
||||
# if lmdb support is enabled then we require lmdb
|
||||
# is present, build the mdb back end and enable lmdb support in
|
||||
--
|
||||
GitLab
|
||||
|
15
samba.spec
15
samba.spec
@ -150,7 +150,7 @@
|
||||
|
||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||
|
||||
%global samba_version 4.21.0
|
||||
%global samba_version 4.21.1
|
||||
|
||||
# The release field is extended:
|
||||
# <pkgrel>[.<extraver>][.<snapinfo>]%%{?dist}[.<minorbump>]
|
||||
@ -252,10 +252,15 @@ Source18: samba-winbind-systemd-sysusers.conf
|
||||
Source201: README.downgrade
|
||||
Source202: samba.abignore
|
||||
|
||||
Patch0: samba-4.21.0-backport-freeipa-support.patch
|
||||
# https://gitlab.com/samba-team/samba/-/merge_requests/3807
|
||||
Patch1: samba-4.21.0-ldb-lmdb.patch
|
||||
Patch2: samba-4.21.0-s3-notifyd.patch
|
||||
# Patch0 is created using:
|
||||
#
|
||||
# git clone git@gitlab.com:samba-redhat/samba.git
|
||||
# cd samba
|
||||
# git checkout v4-21-redhat
|
||||
# git format-patch --stdout -l1 --no-renames -N > redhat-4.21.patch
|
||||
# where N is number of commits
|
||||
|
||||
Patch0: redhat-4.21.patch
|
||||
|
||||
Requires(pre): %{name}-common = %{samba_depver}
|
||||
Requires: %{name}-common = %{samba_depver}
|
||||
|
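Review bot: The new `Patch0: redhat-4.21.patch` is produced from a moving branch (`git checkout v4-21-redhat`) and the spec records neither the commit it was generated from nor the upstream references that the removed `Patch0`–`Patch2` lines carried (the `merge_requests/3807` link, the cherry-pick/BUG trailers inside the deleted patch files), so the carried changes can no longer be audited or regenerated reproducibly from the spec alone. I would pin the source in the recipe comment, e.g. `# git checkout <commit-sha>   # tip of v4-21-redhat for 4.21.1-1`, and list the upstream commit ids or bugzilla URLs the consolidated patch contains. The recipe line `# git format-patch --stdout -l1 --no-renames -N > redhat-4.21.patch` is also ambiguous because `-N` is itself a git-format-patch option (`--no-numbered`); writing the placeholder as `-<N>` (e.g. `-3` if the branch carries the three commits the removed patches covered) avoids someone pasting the literal flag. The `%autosetup`/`%patch` line that applies Patch0 is outside this hunk, so I could not check that it still matches the single-patch layout.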
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (samba-4.21.0.tar.asc) = 7fffbd0b88b42dd7f340e4bcae17da4a68a0f8de86a1e71534a4a02a477a746e4cdb16df7c0da33aaf13278cefb452bd9b7c61ed029e248576f7158e8bec339e
|
||||
SHA512 (samba-4.21.0.tar.xz) = d05c823afc04669766130745c139e7d129eb9961525453d6da8b5ee6693d4c08192496d07e5c211e86d553956504fb9df16611cc9268111b71b95c7f2fa868a0
|
||||
SHA512 (samba-4.21.1.tar.asc) = 2c1e4b347044e15a852ced8bb412a3f372fd2c2b5e0001b1a773f7283f2d8fa62942143b46cbc3f16b18882255cf0aac4426002453971361b0002357657484f1
|
||||
SHA512 (samba-4.21.1.tar.xz) = 182759820708c9df26fbcb09e755e81236ecacf543f3e18a05dbd0ea551ab072d338fe239eb99ff506f158ec45e981a893ce46eacdde6e073ee85ceb43e2669a
|
||||
|