Compare commits

No commits in common. "c8" and "c8s" have entirely different histories.
c8 ... c8s

26 changed files with 3497 additions and 19 deletions

20
.gitignore vendored

@ -1,2 +1,18 @@
SOURCES/samba-4.19.4.tar.xz SOURCES/samba-4.17.5.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg /samba-4.17.5.tar.xz
/samba-4.18.2.tar.asc
/samba-4.18.2.tar.xz
/samba-4.18.3.tar.asc
/samba-4.18.3.tar.xz
/samba-4.18.4.tar.asc
/samba-4.18.4.tar.xz
/samba-4.18.5.tar.asc
/samba-4.18.5.tar.xz
/samba-4.18.6.tar.xz
/samba-4.18.6.tar.asc
/samba-4.19.2.tar.asc
/samba-4.19.2.tar.xz
/samba-4.19.3.tar.asc
/samba-4.19.3.tar.xz
/samba-4.19.4.tar.asc
/samba-4.19.4.tar.xz
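Review bot: Listing each release separately (/samba-4.18.2.tar.xz through /samba-4.19.4.tar.xz, with a .tar.asc for most of them) means .gitignore needs an edit on every rebase; two patterns, /samba-*.tar.xz and /samba-*.tar.asc, would cover them all.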

186
README.md Normal file

@ -0,0 +1,186 @@
Samba is a free SMB and CIFS client and server and Domain Controller for UNIX
and other operating systems. It is maintained by the Samba Team, who support the
original author, Andrew Tridgell.
This software is freely distributable under the GNU public license, a copy of
which you should have received with this software (in a file called COPYING).
# WHAT IS SMB/CIFS?
This is a big question.
The very short answer is that it is the protocol by which a lot of PC-related
machines share files and printers and other information such as lists of
available files and printers. Operating systems that support this natively
include Windows 9x, Windows NT (and derivatives), OS/2, Mac OS X and Linux. Add
on packages that achieve the same thing are available for DOS, Windows 3.1, VMS,
Unix of all kinds, MVS, and more. Some Web Browsers can speak this protocol as
well (smb://). Alternatives to SMB include Netware, NFS, Appletalk, Banyan
Vines, Decnet etc; many of these have advantages but none are both public
specifications and widely implemented in desktop machines by default.
The Common Internet File system (CIFS) is what the new SMB initiative is called.
For details watch [here](https://samba.org/cifs)
# WHY DO PEOPLE WANT TO USE SMB?
* Many people want to integrate their Microsoft desktop clients with their Unix
servers.
* Others want to integrate their Microsoft (etc) servers with Unix servers. This
is a different problem to integrating desktop clients.
* Others want to replace protocols like NFS, DecNet and Novell NCP, especially
when used with PCs.
# WHAT CAN SAMBA DO?
Please refer to the WHATSNEW.txt included with this README for a list of
features in the latest Samba release.
Here is a very short list of what samba includes, and what it does. For many
networks this can be simply summarized by "Samba provides a complete replacement
for Windows NT, Warp, NFS or Netware servers."
* a SMB server, to provide Windows NT and LAN Manager-style file and print
services to SMB clients such as Windows 95, Warp Server, smbfs and others.
* a Windows Domain Controller (NT4 and AD) replacement.
* a file/print server that can act as a member of a Windows NT 4.0 or Active
Directory domain.
* a NetBIOS (rfc1001/1002) nameserver, which amongst other things gives browsing
support. Samba can be the master browser on your LAN if you wish.
* a ftp-like SMB client so you can access PC resources (disks and printers) from
UNIX, Netware, and other operating systems
* a tar extension to the client for backing up PCs
* limited command-line tool that supports some of the NT administrative
functionality, which can be used on Samba, NT workstation and NT server.
For a much better overview have a look at the [web site](http://samba.org/samba)
and browse the user survey.
#### Related packages include:
* cifsvfs, an advanced Linux-only filesystem allowing you to mount remote SMB
filesystems from PCs on your Linux box. This is included as standard with Linux
2.5 and later.
* smbfs, the previous Linux-only filesystem allowing you to mount remote SMB
filesystems from PCs on your Linux box. This is included as standard with Linux
2.0 and later.
# CONTRIBUTIONS
### To contribute via GitHub
* fork the official Samba team repository on GitHub
-- see [GitHub](https://github.com/samba-team/samba)
* become familiar with the coding standards as described in README.Coding
* make sure you read the Samba copyright policy
-- see [Copyright Policy](https://www.samba.org/samba/devel/copyright-policy.html)
* create a feature branch
* make changes
* when committing, be sure to add signed-off-by tags
-- see [Commit message tags](https://wiki.samba.org/index.php/CodeReview#commit_message_tags)
* send a pull request for your branch through GitHub
* this will trigger an email to the samba-technical mailing list
* discussion happens on the samba-technical mailing list as described below
* more info on using Git for Samba development can be found on Samba Wiki
-- see [Using Git for Samba](https://wiki.samba.org/index.php/Using_Git_for_Samba_Development)
### To contribute via mailing lists
Join the mailing list. The Samba team accepts patches (preferably in "diff -u"
format, see [here](https://samba.org/samba/devel) for more details) and are
always glad to receive feedback or suggestions to the address
samba@lists.samba.org. More information on the various Samba mailing lists can
be found at [mailman](http://lists.samba.org).
You can also get the Samba sourcecode straight from the [git repository](http://wiki.samba.org/index.php/Using_Git_for_Samba_Development).
If you like a particular feature then look through the git change-log on the
[web](https://git.samba.org/?p=samba.git;a=summary) and see who added it, then
send them an email.
Remember that free software of this kind lives or dies by the response we get.
If no one tells us they like it then we'll probably move onto something else.
# MORE INFO
### DOCUMENTATION
There is quite a bit of documentation included with the package, including man
pages, and lots of .html files with hints and useful info. This is also
available from the web page. There is a growing collection of information under
docs/.
A list of Samba documentation in languages other than English is available on
the web page.
If you would like to help with the documentation, please coordinate on the
samba@lists.samba.org mailing list. See the next section for details on
subscribing to samba mailing lists.
### MAILING LIST
Please do NOT send subscription/unsubscription requests to the lists!
There is a mailing list for discussion of Samba. For details go to [mailman](https://lists.samba.org)
or send mail to <samba-subscribe@lists.samba.org>.
There is also an announcement mailing list where new versions are announced. To
subscribe go to [mailman](http://lists.samba.org) or send mail to
<samba-announce-subscribe@lists.samba.org>. All announcements also go to the
samba list, so you only need to be on one.
For details of other Samba mailing lists and for access to archives, see
[mailman](http://lists.samba.org)
### MAILING LIST ETIQUETTE
A few tips when submitting to this or any mailing list.
- Make your subject short and descriptive. Avoid the words "help" or "Samba" in
the subject. The readers of this list already know that a) you need help, and b)
you are writing about samba (of course, you may need to distinguish between
Samba PDC and other file sharing software). Avoid phrases such as "what is" and
"how do i". Some good subject lines might look like "Slow response with Excel
files" or "Migrating from Samba PDC to NT PDC".
- If you include the original message in your reply, trim it so that only the
relevant lines, enough to establish context, are included. Chances are (since
this is a mailing list) we've already read the original message.
- Trim irrelevant headers from the original message in your reply. All we need
to see is a) From, b) Date, and c) Subject. We don't even really need the
Subject, if you haven't changed it. Better yet is to just preface the original
message with "On [date] [someone] wrote:".
- Please don't reply to or argue about spam, spam filters or viruses on any
Samba lists. We do have a spam filtering system that is working quite well thank
you very much but occasionally unwanted messages slip through. Deal with it.
- Never say "Me too." It doesn't help anyone solve the problem. Instead, if you
ARE having the same problem, give more information. Have you seen something that
the other writer hasn't mentioned, which may be helpful?
- If you ask about a problem, then come up with the solution on your own or
through another source, by all means post it. Someone else may have the same
problem and is waiting for an answer, but never hears of it.
- Give as much *relevant* information as possible such as Samba release number,
OS, kernel version, etc...
- RTFM. Google.
### WEB SITE
A Samba WWW [site](https://samba.org) has been setup with lots of useful info.
As well as general information and documentation, this also has searchable
archives of the mailing list and a user survey that shows who else is using this
package.


8
gating.yaml Normal file
View File

@ -0,0 +1,8 @@
# recipients: sssd-qe, asn, pfilipen, ftrivino
--- !Policy
product_versions:
- rhel-8
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

24
rpminspect.yaml Normal file
View File

@ -0,0 +1,24 @@
---
badfuncs:
ignore:
- /usr/bin/nmblookup
- /usr/bin/smbtorture
- /usr/lib*/libndr.so.*
- /usr/lib*/libsmbconf.so.*
- /usr/lib*/samba/libgse-samba4.so
- /usr/lib*/samba/libsamba-sockets-samba4.so
- /usr/lib*/samba/service/nbtd.so
- /usr/libexec/ctdb/smnotify
- /usr/sbin/nmbd
runpath:
allowed_paths:
- /usr/lib/samba
- /usr/lib64/samba
abidiff:
suppression_file: samba.abignore
debuginfo:
ignore:
- /usr/lib*/libdcerpc-samr.so.*
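Review bot: The badfuncs ignore list exempts nine paths, including the nmbd daemon and wildcard library paths such as /usr/lib*/libndr.so.*, without recording which forbidden function each one calls or why that use is acceptable. A short comment per entry (or per group) would let a later reviewer tell a deliberate exemption from one that was added only to silence the check, and would make it possible to drop entries once the underlying call is gone.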

File diff suppressed because it is too large


@ -0,0 +1,106 @@
From 21d8c1b2dabf8dd5a65de14816c6701e9c81de44 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 5 Dec 2023 15:46:48 +0100
Subject: [PATCH 1/2] s3:tests: Add smbget test for
smb://DOAMIN;user%password@server/share/file
This is supported according to the smbget manpage!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e5fe856e76eba26e3b85a391bcea02dfe045c26e)
---
source3/script/tests/test_smbget.sh | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/source3/script/tests/test_smbget.sh b/source3/script/tests/test_smbget.sh
index 46c1f4a68a5..bdc62a71eff 100755
--- a/source3/script/tests/test_smbget.sh
+++ b/source3/script/tests/test_smbget.sh
@@ -145,6 +145,22 @@ test_singlefile_smburl()
return 0
}
+test_singlefile_smburl2()
+{
+ clear_download_area
+ $SMBGET "smb://$DOMAIN;$USERNAME:$PASSWORD@$SERVER_IP/smbget/testfile"
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: RC does not match, expected: 0'
+ return 1
+ fi
+ cmp --silent $WORKDIR/testfile ./testfile
+ if [ $? -ne 0 ]; then
+ echo 'ERROR: file content does not match'
+ return 1
+ fi
+ return 0
+}
+
test_singlefile_authfile()
{
clear_download_area
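Review bot: The URL built in test_singlefile_smburl2 separates the credentials with a colon ("$DOMAIN;$USERNAME:$PASSWORD@"), while the patch subject describes the form smb://DOAMIN;user%password@server/share/file, so it is unclear which separator the test is meant to cover; align the subject with the test or add the % form as a second case. In the same function, $WORKDIR/testfile is passed to cmp unquoted, which breaks if the work directory contains spaces; quoting it as "$WORKDIR/testfile" avoids that.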
@@ -499,6 +515,10 @@ testit "download single file with --update and UPN" test_singlefile_U_UPN ||
testit "download single file with smb URL" test_singlefile_smburl ||
failed=$(expr $failed + 1)
+testit "download single file with smb URL including domain" \
+ test_singlefile_smburl2 ||
+ failed=$(expr $failed + 1)
+
testit "download single file with authfile" test_singlefile_authfile ||
failed=$(expr $failed + 1)
--
2.43.0
From e19fa9d75ee70ec23e70f166ee70241c116f7bf5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 6 Dec 2023 08:48:34 +0100
Subject: [PATCH 2/2] s3:utils: Fix setting the debug level
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15525
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 763b2efe69dc74e1c0cd954607031012f832486d)
---
source3/utils/smbget.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index 5c99dcf918a..8d98ba24602 100644
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -849,6 +849,7 @@ int main(int argc, char **argv)
uint32_t gensec_features;
bool use_wbccache = false;
SMBCCTX *smb_ctx = NULL;
+ int dbg_lvl = -1;
int rc;
smb_init_locale();
@@ -922,13 +923,16 @@ int main(int argc, char **argv)
samba_cmdline_burn(argc, argv);
+ /* smbc_new_context() will set the log level to 0 */
+ dbg_lvl = debuglevel_get();
+
smb_ctx = smbc_new_context();
if (smb_ctx == NULL) {
fprintf(stderr, "Unable to initialize libsmbclient\n");
ok = false;
goto done;
}
- smbc_setDebug(smb_ctx, debuglevel_get());
+ smbc_setDebug(smb_ctx, dbg_lvl);
rc = smbc_setConfiguration(smb_ctx, lp_default_path());
if (rc < 0) {
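Review bot: Nothing in this patch guards the ordering the fix depends on: dbg_lvl has to be read before smbc_new_context(), and the only hint is the one-line comment above debuglevel_get(). A test that runs smbget with a non-zero debug level and checks that debug output appears would stop a later reshuffle from reintroducing the bug. The "= -1" initializer added in the first hunk is never observed, because dbg_lvl is assigned unconditionally before the smbc_setDebug() call that uses it; either drop it or say in the comment what -1 would mean.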
--
2.43.0

1632
samba-4.19-redhat.patch Normal file

File diff suppressed because it is too large

Binary file not shown.

View File

@ -147,7 +147,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.19.4 %global samba_version 4.19.4
%global baserelease 3 %global baserelease 4
# This should be rc1 or %%nil # This should be rc1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -244,6 +244,12 @@ Source18: samba-winbind-systemd-sysusers.conf
Source201: README.downgrade Source201: README.downgrade
Source202: samba.abignore Source202: samba.abignore
# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-19-redhat
# This will give us CI and makes it easy to generate patchsets.
#
# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch
Patch0: samba-4.19-redhat.patch
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(pre): %{name}-common = %{samba_depver} Requires(pre): %{name}-common = %{samba_depver}
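Review bot: The regeneration command in the comment above Patch0, "git format-patch -l1 --stdout -N > samba-4.19-redhat.patch", names no revision range, so it does not say which commits of the v4-19-redhat branch end up in the patchset. Adding the base to the comment (for example the upstream release tag the branch was forked from, written as <base-tag>..v4-19-redhat) would make the 1632-line patch reproducible by someone other than its author.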
@ -4473,6 +4479,12 @@ fi
%endif %endif
%changelog %changelog
* Thu May 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-4
- related: RHEL-33813 - Undo wrong changes in rpminspect.yaml
* Thu May 02 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-4
- resolves: RHEL-33813 - Add option to request only POSIX groups from AD in idmap_ad
* Thu Jan 18 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-3 * Thu Jan 18 2024 Pavel Filipenský <pfilipen@redhat.com> - 4.19.4-3
- resolves: RHEL-19753 - Fix smbget interactive authentication - resolves: RHEL-19753 - Fix smbget interactive authentication
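Review bot: The two new %changelog entries carry the same date, author and release (4.19.4-4), and baserelease is bumped only once, from 3 to 4; folding "related: RHEL-33813" and "resolves: RHEL-33813" under a single header would match the one build they describe. The "Undo wrong changes in rpminspect.yaml" entry also does not say which changes were wrong, which matters because that file controls which binaries are exempt from the badfuncs check.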

2
sources Normal file

@ -0,0 +1,2 @@
SHA512 (samba-4.19.4.tar.asc) = 11bc51407d1464339817d7568f5d5bb059c19a05b49c6a1307d7425d289acb617ecd3e633e3736bdaa94947a7b3630d6cdb7ed6fe59d52556234c549eca8172a
SHA512 (samba-4.19.4.tar.xz) = 3d2899e4a3b8bcb77befc29c4af66d3ac858b7f7a0dbbb66a8bc210cd88d9cde3e11361334a5cce650318473134ec8b134148bfa4af4d51f555de33eff395029

62
tests/testparm/Makefile Normal file

@ -0,0 +1,62 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of gating test "testparm"
# Description: Basic config check for samba
# Author: Andrej Dzilsky <adzilsky@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=testparm
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Andrej Dzilsky <adzilsky@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Basic samba config check" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 5m" >> $(METADATA)
@echo "RunFor: samba" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Bug: 1653890" >> $(METADATA)
rhts-lint $(METADATA)
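Review bot: .PHONY lists "all install download clean", but the targets this Makefile actually defines are run, build and clean; run and build are not declared phony, so make can treat them as up to date if files named run and build exist in the test directory, and ./runtest.sh would then not be executed. Adding run and build to .PHONY fixes that, and all, install and download can be dropped from it unless rhts-make.include defines them.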

43
tests/testparm/runtest.sh Normal file

@ -0,0 +1,43 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of gating test "testparm"
# Description: Basic samba config check
# Author: Andrej Dzilsky <adzilsky@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
# From Andreas Schneider <asn@redhat.com>:
# This is a basic test which makes sure the samba is installed and the default
# smb.conf is available.
rlJournalStart
rlPhaseStartTest
rlRun "testparm -v -s" 0 "testparm ends with expected output"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
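Review bot: The rlRun line checks only that "testparm -v -s" exits with 0, although its message says "testparm ends with expected output" and the comment above promises that samba is installed and the default smb.conf is available. The test has no setup phase asserting either; an rlAssertRpm samba and an rlAssertExists on the configuration file, plus an rlAssertGrep on the captured testparm output, would make the test check what it describes.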

13
tests/tests.yml Normal file

@ -0,0 +1,13 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- testparm
required_packages:
- samba
- samba-client
- samba-common

325
v4-19-fix-force-user.patch Normal file

@ -0,0 +1,325 @@
From 322597e5e243264d56ede73e579b4bf767bca5be Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Sep 2023 16:29:46 +0200
Subject: [PATCH 1/3] selftest: Show that 'allow trusted domains = no'
firewalls Unix User|Group
UNEXPECTED(failure): samba3.blackbox.smbclient_auth.plain.local_creds.smbclient //LOCALSHARE4/forceuser_unixonly as user(simpleserver)
REASON: Exception: Exception: tree connect failed: NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ad0c0dd071401d98f0b7f595efbdf5312a165ab4)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 ++
selftest/target/Samba3.pm | 1 +
2 files changed, 3 insertions(+)
create mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
new file mode 100644
index 00000000000..b515400cd90
--- /dev/null
+++ b/selftest/knownfail.d/forceuser_trusteddomains
@@ -0,0 +1,2 @@
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
+samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 39831afc599..85e69e4b72d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1689,6 +1689,7 @@ sub setup_simpleserver
vfs objects = xattr_tdb streams_depot
change notify = no
server smb encrypt = off
+ allow trusted domains = no
[vfs_aio_pthread]
path = $prefix_abs/share
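Review bot: "allow trusted domains = no" is a global option and is added to the settings of setup_simpleserver as a whole, next to "server smb encrypt = off", so every test that runs against simpleserver now runs with it off, not only the two forceuser cases listed in knownfail.d/forceuser_trusteddomains. The commit message should say that this is intended, or the option should be confined to an environment used only by the forceuser tests.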
--
2.43.0
From 13775d470f26b8f85d7c7b539276237dc94d54c9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 8 Sep 2023 12:50:32 +0200
Subject: [PATCH 2/3] s3:auth: Remove trailing white spaces from auth_util.c
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8f496161463f110e494201303b96dd14ab3774cd)
---
source3/auth/auth_util.c | 64 ++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 293523f4272..e5863d2272b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -144,14 +144,14 @@ NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -167,12 +167,12 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
DATA_BLOB nt_blob = data_blob(nt_network_pwd, nt_pwd_len);
status = make_user_info_map(mem_ctx, user_info,
- smb_name, client_domain,
+ smb_name, client_domain,
workstation_name,
remote_address,
local_address,
"SamLogon",
- lm_pwd_len ? &lm_blob : NULL,
+ lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
@@ -188,20 +188,20 @@ bool make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- Create an auth_usersupplied_data, making the DATA_BLOBs here.
+ Create an auth_usersupplied_data, making the DATA_BLOBs here.
Decrypt and encrypt the passwords.
****************************************************************************/
bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
- const char *client_domain,
+ const char *smb_name,
+ const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
uint32_t logon_parameters,
- const uchar chal[8],
- const uchar lm_interactive_pwd[16],
+ const uchar chal[8],
+ const uchar lm_interactive_pwd[16],
const uchar nt_interactive_pwd[16])
{
struct samr_Password lm_pwd;
@@ -250,7 +250,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
nt_status = make_user_info_map(
mem_ctx,
- user_info,
+ user_info,
smb_name, client_domain, workstation_name,
remote_address,
local_address,
@@ -280,7 +280,7 @@ bool make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
struct auth_usersupplied_info **user_info,
- const char *smb_name,
+ const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
const struct tsocket_address *local_address,
@@ -315,10 +315,10 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
/* We can't do an NT hash here, as the password needs to be
case insensitive */
- local_nt_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
} else {
- local_lm_blob = data_blob_null;
- local_nt_blob = data_blob_null;
+ local_lm_blob = data_blob_null;
+ local_nt_blob = data_blob_null;
}
plaintext_password_string = talloc_strndup(talloc_tos(),
@@ -329,7 +329,7 @@ bool make_user_info_for_reply(TALLOC_CTX *mem_ctx,
}
ret = make_user_info(mem_ctx,
- user_info, smb_name, smb_name, client_domain, client_domain,
+ user_info, smb_name, smb_name, client_domain, client_domain,
get_remote_machine_name(),
remote_address,
local_address,
@@ -403,14 +403,14 @@ bool make_user_info_guest(TALLOC_CTX *mem_ctx,
nt_status = make_user_info(mem_ctx,
user_info,
- "","",
- "","",
- "",
+ "","",
+ "","",
+ "",
remote_address,
local_address,
service_description,
- NULL, NULL,
- NULL, NULL,
+ NULL, NULL,
+ NULL, NULL,
NULL,
AUTH_PASSWORD_RESPONSE);
@@ -1258,7 +1258,7 @@ done:
}
session_info->unique_session_token = GUID_random();
-
+
*session_info_out = talloc_move(mem_ctx, &session_info);
TALLOC_FREE(frame);
return NT_STATUS_OK;
@@ -1954,9 +1954,9 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
*pwd = passwd;
/* This is pointless -- there is no support for differing
- unix and windows names. Make sure to always store the
+ unix and windows names. Make sure to always store the
one we actually looked up and succeeded. Have I mentioned
- why I hate the 'winbind use default domain' parameter?
+ why I hate the 'winbind use default domain' parameter?
--jerry */
*found_username = talloc_strdup( mem_ctx, real_username );
@@ -1965,8 +1965,8 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
}
/****************************************************************************
- Wrapper to allow the getpwnam() call to strip the domain name and
- try again in case a local UNIX user is already there. Also run through
+ Wrapper to allow the getpwnam() call to strip the domain name and
+ try again in case a local UNIX user is already there. Also run through
the username if we fallback to the username only.
****************************************************************************/
@@ -1977,11 +1977,11 @@ struct passwd *smb_getpwnam( TALLOC_CTX *mem_ctx, const char *domuser,
char *p = NULL;
const char *username = NULL;
- /* we only save a copy of the username it has been mangled
+ /* we only save a copy of the username it has been mangled
by winbindd use default domain */
*p_save_username = NULL;
- /* don't call map_username() here since it has to be done higher
+ /* don't call map_username() here since it has to be done higher
up the stack so we don't call it multiple times */
username = talloc_strdup(mem_ctx, domuser);
@@ -2068,10 +2068,10 @@ username_only:
}
/***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon
+ Make a server_info struct from the info3 returned by a domain logon
***************************************************************************/
-NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
@@ -2089,9 +2089,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
struct dom_sid sid;
TALLOC_CTX *tmp_ctx = talloc_stackframe();
- /*
+ /*
Here is where we should check the list of
- trusted domains, and verify that the SID
+ trusted domains, and verify that the SID
matches.
*/
--
2.43.0
From a83c51913963bbabd5c4fdd00ba2fc69df2b6ca6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 30 Nov 2023 10:54:07 +0100
Subject: [PATCH 3/3] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a
local token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 00034d022896f879bf91bb78eb9e2972162c99ce)
---
selftest/knownfail.d/forceuser_trusteddomains | 2 --
source3/auth/auth_util.c | 17 ++++++++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains
diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
deleted file mode 100644
index b515400cd90..00000000000
--- a/selftest/knownfail.d/forceuser_trusteddomains
+++ /dev/null
@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index e5863d2272b..2a35fea5061 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -21,6 +21,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "dom_sid.h"
#include "includes.h"
#include "auth.h"
#include "lib/util_unixsids.h"
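Review bot: The new #include "dom_sid.h" is placed above #include "includes.h", making it the first header the file pulls in, while the other includes visible here ("auth.h", "lib/util_unixsids.h") follow includes.h. Moving it below, next to "lib/util_unixsids.h", keeps the existing order and avoids dom_sid.h being parsed before the project-wide definitions.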
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct dom_sid tmp_sid;
struct auth_session_info *session_info = NULL;
struct unixid *ids;
+ bool is_allowed = false;
/* Ensure we can't possible take a code path leading to a
* null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_LOGON_FAILURE;
}
- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ is_allowed = true;
+ }
+
+ /* Check if we have extra info about the user. */
+ if (dom_sid_in_domain(&global_sid_Unix_Users,
+ &server_info->extra.user_sid) ||
+ dom_sid_in_domain(&global_sid_Unix_Groups,
+ &server_info->extra.pgid_sid))
+ {
+ is_allowed = true;
+ }
+
+ if (!is_allowed) {
DBG_NOTICE("Authentication failed for user [%s] "
"from firewalled domain [%s]\n",
server_info->info3->base.account_name.string,
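Review bot: The new exemption is keyed on server_info->extra.user_sid and server_info->extra.pgid_sid, but nothing in the hunk checks that extra was filled in for this login, although the comment reads "Check if we have extra info about the user"; state (or assert) where these SIDs are set and that they come from the server's own lookup rather than from client-supplied data, since this condition now bypasses the 'allow trusted domains' firewall. The two dom_sid_in_domain() calls are also joined with ||, so a primary group SID under Unix Groups is enough on its own even when user_sid is in neither domain; if that is intended, the comment should say so. The DBG_NOTICE that follows still logs only the account name and logon domain, so a rejected login does not show which SIDs were examined.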
--
2.43.0