Update to version 4.21.1

- related: RHEL-59777
This commit is contained in:
Pavel Filipenský 2024-10-14 14:44:19 +02:00
parent cb06748333
commit ca24bb59fc
6 changed files with 15 additions and 195 deletions

2
.gitignore vendored
View File

@ -365,3 +365,5 @@ samba-3.6.0pre1.tar.gz
/samba-4.20.2.tar.asc
/samba-4.21.0.tar.asc
/samba-4.21.0.tar.xz
/samba-4.21.1.tar.asc
/samba-4.21.1.tar.xz

View File

@ -1,4 +1,4 @@
From c9a7bc3e8f36cb9d6746e23ea56f9c27b82dcf49 Mon Sep 17 00:00:00 2001
From 2d9ab68f501f5796bdf4662a058a2adff30d497e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 22 Jul 2024 12:26:55 +0200
Subject: [PATCH] s3:notifyd: Use a watcher per db record

View File

@ -1,132 +0,0 @@
From 26797d7bd2662718b3eb795f1b8e6100d51e3ab7 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Tue, 3 Sep 2024 08:48:24 +0300
Subject: [PATCH] sync machine password to keytab: handle FreeIPA use case
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
FreeIPA uses own procedure to retrieve keytabs and during the setup of
Samba on FreeIPA client the keytab is already present, only machine
account needs to be set in the secrets database.
'sync machine password to keytab' option handling broke this use case by
always attempting to contact a domain controller and failing to do so
(Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=2309199).
The original synchronizing machine account password to keytab feature
did not have a mechanism to disable its logic at all.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Fri Sep 13 13:16:09 UTC 2024 on atb-devel-224
(cherry picked from commit 4f577c7b6894132be4842944f2f950b087312b16)
---
.../security/syncmachinepasswordtokeytab.xml | 29 +++++++++++++++++--
source3/libads/kerberos_keytab.c | 5 ++++
source3/utils/net.c | 8 +++++
source3/utils/testparm.c | 3 +-
4 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index 4cad9da73f2..f7dc30023d4 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -18,7 +18,11 @@ or by winbindd doing regular updates (see <smbconfoption name="machine password
</para>
<para>
-The option takes a list of keytab strings. Each string has this form:
+The option takes a list of keytab strings to describe how to synchronize
+content of those keytabs or a single 'disabled' value to disable the
+synchronization.
+
+Each string has this form:
<programlisting>
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
@@ -70,8 +74,27 @@ If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC.
</para>
<para>
-If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
-where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
+If no value is present and <smbconfoption name="kerberos method"/> is different from
+'secrets only', the behavior differs between winbind and net utility:
+</para>
+<itemizedlist>
+ <listitem>
+ <para><userinput>winbind</userinput> uses value
+ <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
+ where the path to the keytab is obtained either from the krb5 library or from
+ <smbconfoption name="dedicated keytab file"/>.
+ </para>
+ </listitem>
+ <listitem>
+ <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para>
+ </listitem>
+ <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem>
+</itemizedlist>
+
+<para>
+If a single value 'disabled' is present, the synchronization process is
+disabled. This is required for FreeIPA domain member setup where keytab
+synchronization uses a protocol not implemented by Samba.
</para>
<para>
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 6ede567b75f..dbf8af44c1f 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -904,6 +904,11 @@ NTSTATUS sync_pw2keytabs(void)
goto params_ready;
}
+ if ((*lp_ptr != NULL) && strequal_m(*lp_ptr, "disabled")) {
+ DBG_DEBUG("'sync machine password to keytab' is explicitly disabled.\n");
+ return NT_STATUS_OK;
+ }
+
line = lp_ptr;
while (*line) {
DBG_DEBUG("Scanning line: %s\n", *line);
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 7b40d2bee95..c432ebe991f 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -207,6 +207,14 @@ static int net_changesecretpw(struct net_context *c, int argc,
struct timeval tv = timeval_current();
NTTIME now = timeval_to_nttime(&tv);
+#ifdef HAVE_ADS
+ if (USE_KERBEROS_KEYTAB) {
+ if (lp_sync_machine_password_to_keytab() == NULL) {
+ lp_do_parameter(-1, "sync machine password to keytab", "disabled");
+ }
+ }
+#endif
+
if (c->opt_stdin) {
set_line_buffering(stdin);
set_line_buffering(stdout);
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e3ed336a79a..a31a7a8a30a 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -803,7 +803,8 @@ static int do_global_checks(void)
"instead of 'kerberos method'.\n\n");
}
- if (lp_ptr != NULL) {
+ if (lp_ptr != NULL &&
+ ((*lp_ptr != NULL) && !strequal_m(*lp_ptr, "disabled"))) {
while (*lp_ptr) {
ret |= pw2kt_check_line(*lp_ptr++);
}
--
2.46.0

View File

@ -1,55 +0,0 @@
From 9f265d6f3b852a9eed9f19147585fe2801507f63 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 24 Sep 2024 15:48:23 +0200
Subject: [PATCH] ldb: Build lmdb backend also in non-AD case
We should build with lmdb support also if it is not in AD case. The lmdb
backend is also used e.g. by sssd.
If you don't want to build it, you can always specify --without-ldb-lmdb
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15721
Signed-off-by: Andreas Schneider <asn@samba.org>
---
lib/ldb/wscript | 22 +++++++++-------------
1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 87aa3bb6d77..f234fa79c10 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -33,21 +33,17 @@ def configure(conf):
conf.CONFIG_GET('ENABLE_SELFTEST'):
Logs.warn("NOTE: Some AD DC parts of selftest will fail")
+ conf.env.REQUIRE_LMDB = False
+ elif Options.options.without_ldb_lmdb:
+ if not Options.options.without_ad_dc and \
+ conf.CONFIG_GET('ENABLE_SELFTEST'):
+ raise Errors.WafError('--without-ldb-lmdb conflicts '
+ 'with --enable-selftest while '
+ 'building the AD DC')
+
conf.env.REQUIRE_LMDB = False
else:
- if Options.options.without_ad_dc:
- conf.env.REQUIRE_LMDB = False
- else:
- if Options.options.without_ldb_lmdb:
- if not Options.options.without_ad_dc and \
- conf.CONFIG_GET('ENABLE_SELFTEST'):
- raise Errors.WafError('--without-ldb-lmdb conflicts '
- 'with --enable-selftest while '
- 'building the AD DC')
-
- conf.env.REQUIRE_LMDB = False
- else:
- conf.env.REQUIRE_LMDB = True
+ conf.env.REQUIRE_LMDB = True
# if lmdb support is enabled then we require lmdb
# is present, build the mdb back end and enable lmdb support in
--
GitLab

View File

@ -150,7 +150,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.21.0
%global samba_version 4.21.1
# The release field is extended:
# <pkgrel>[.<extraver>][.<snapinfo>]%%{?dist}[.<minorbump>]
@ -252,10 +252,15 @@ Source18: samba-winbind-systemd-sysusers.conf
Source201: README.downgrade
Source202: samba.abignore
Patch0: samba-4.21.0-backport-freeipa-support.patch
# https://gitlab.com/samba-team/samba/-/merge_requests/3807
Patch1: samba-4.21.0-ldb-lmdb.patch
Patch2: samba-4.21.0-s3-notifyd.patch
# Patch0 is created using:
#
# git clone git@gitlab.com:samba-redhat/samba.git
# cd samba
# git checkout v4-21-redhat
# git format-patch --stdout -l1 --no-renames -N > redhat-4.21.patch
# where N is number of commits
Patch0: redhat-4.21.patch
Requires(pre): %{name}-common = %{samba_depver}
Requires: %{name}-common = %{samba_depver}

View File

@ -1,2 +1,2 @@
SHA512 (samba-4.21.0.tar.asc) = 7fffbd0b88b42dd7f340e4bcae17da4a68a0f8de86a1e71534a4a02a477a746e4cdb16df7c0da33aaf13278cefb452bd9b7c61ed029e248576f7158e8bec339e
SHA512 (samba-4.21.0.tar.xz) = d05c823afc04669766130745c139e7d129eb9961525453d6da8b5ee6693d4c08192496d07e5c211e86d553956504fb9df16611cc9268111b71b95c7f2fa868a0
SHA512 (samba-4.21.1.tar.asc) = 2c1e4b347044e15a852ced8bb412a3f372fd2c2b5e0001b1a773f7283f2d8fa62942143b46cbc3f16b18882255cf0aac4426002453971361b0002357657484f1
SHA512 (samba-4.21.1.tar.xz) = 182759820708c9df26fbcb09e755e81236ecacf543f3e18a05dbd0ea551ab072d338fe239eb99ff506f158ec45e981a893ce46eacdde6e073ee85ceb43e2669a