Compare commits
No commits in common. "changed/a9/samba-4.17.5-103.el9_2.alma" and "c8" have entirely different histories.
changed/a9
...
c8
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/samba-4.17.5.tar.xz
|
||||
SOURCES/samba-4.19.4.tar.xz
|
||||
SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
||||
|
@ -1,2 +1,2 @@
|
||||
68926a886d20bbd5b4d768d9788d4b5a5ca399e5 SOURCES/samba-4.17.5.tar.xz
|
||||
6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
|
||||
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
||||
|
@ -1,38 +0,0 @@
|
||||
From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 15 Jul 2023 17:20:32 +0200
|
||||
Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
|
||||
response level 2
|
||||
|
||||
We don't have any documentation about this yet, but tests against
|
||||
a Windows Server 2022 patched with KB5028166 revealed that
|
||||
the response for query_level=2 is exactly the same as
|
||||
for querey_level=1.
|
||||
|
||||
Until we know the reason for query_level=2 we won't
|
||||
use it as client nor support it in the server, but
|
||||
we want ndrdump to work.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||
---
|
||||
librpc/idl/netlogon.idl | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
|
||||
index 48a8c8f9310..85dd73ee7e4 100644
|
||||
--- a/librpc/idl/netlogon.idl
|
||||
+++ b/librpc/idl/netlogon.idl
|
||||
@@ -1236,6 +1236,7 @@ interface netlogon
|
||||
/* Function 0x15 */
|
||||
typedef [switch_type(uint32)] union {
|
||||
[case(1)] netr_NegotiateFlags server_capabilities;
|
||||
+ [case(2)] netr_NegotiateFlags server_capabilities;
|
||||
} netr_Capabilities;
|
||||
|
||||
NTSTATUS netr_LogonGetCapabilities(
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,128 +0,0 @@
|
||||
From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 15 Jul 2023 17:25:05 +0200
|
||||
Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
|
||||
netr_LogonGetCapabilities with different levels
|
||||
|
||||
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
for unsupported query_levels, we allow it to work with servers
|
||||
with or without support for query_level=2.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||
---
|
||||
.../knownfail.d/netr_LogonGetCapabilities | 3 +
|
||||
source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++-
|
||||
2 files changed, 79 insertions(+), 1 deletion(-)
|
||||
create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
|
||||
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
new file mode 100644
|
||||
index 00000000000..30aadf3bb9d
|
||||
--- /dev/null
|
||||
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
@@ -0,0 +1,3 @@
|
||||
+^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||
+^samba3.rpc.schannel.*\.schannel\(ad_dc
|
||||
+^samba4.rpc.schannel.*\.schannel\(ad_dc
|
||||
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
|
||||
index 1f068eb7826..a3d190f13dd 100644
|
||||
--- a/source4/torture/rpc/netlogon.c
|
||||
+++ b/source4/torture/rpc/netlogon.c
|
||||
@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
||||
r.out.capabilities = &capabilities;
|
||||
r.out.return_authenticator = &return_auth;
|
||||
|
||||
- torture_comment(tctx, "Testing LogonGetCapabilities\n");
|
||||
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
|
||||
|
||||
+ r.in.query_level = 0;
|
||||
+ ZERO_STRUCT(return_auth);
|
||||
+
|
||||
+ /*
|
||||
+ * we need to operate on a temporary copy of creds
|
||||
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||
+ * without looking a the authenticator.
|
||||
+ */
|
||||
+ tmp_creds = *creds;
|
||||
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||
+
|
||||
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||
+ "LogonGetCapabilities query_level=0 failed");
|
||||
+
|
||||
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
|
||||
+
|
||||
+ r.in.query_level = 3;
|
||||
+ ZERO_STRUCT(return_auth);
|
||||
+
|
||||
+ /*
|
||||
+ * we need to operate on a temporary copy of creds
|
||||
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||
+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||
+ * without looking a the authenticator.
|
||||
+ */
|
||||
+ tmp_creds = *creds;
|
||||
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||
+
|
||||
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
|
||||
+ "LogonGetCapabilities query_level=0 failed");
|
||||
+
|
||||
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
|
||||
+
|
||||
+ r.in.query_level = 1;
|
||||
ZERO_STRUCT(return_auth);
|
||||
|
||||
/*
|
||||
@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
|
||||
|
||||
*creds = tmp_creds;
|
||||
|
||||
+ torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||
+ &r.out.return_authenticator->cred),
|
||||
+ "Credential chaining failed");
|
||||
+
|
||||
+ torture_assert_int_equal(tctx, creds->negotiate_flags,
|
||||
+ capabilities.server_capabilities,
|
||||
+ "negotiate flags");
|
||||
+
|
||||
+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
|
||||
+
|
||||
+ r.in.query_level = 2;
|
||||
+ ZERO_STRUCT(return_auth);
|
||||
+
|
||||
+ /*
|
||||
+ * we need to operate on a temporary copy of creds
|
||||
+ * because dcerpc_netr_LogonGetCapabilities with
|
||||
+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||
+ * without looking a the authenticator.
|
||||
+ */
|
||||
+ tmp_creds = *creds;
|
||||
+ netlogon_creds_client_authenticator(&tmp_creds, &auth);
|
||||
+
|
||||
+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
|
||||
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
|
||||
+ /*
|
||||
+ * an server without KB5028166 returns
|
||||
+ * DCERPC_NCA_S_FAULT_INVALID_TAG =>
|
||||
+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
|
||||
+ */
|
||||
+ return true;
|
||||
+ }
|
||||
+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
|
||||
+
|
||||
+ *creds = tmp_creds;
|
||||
+
|
||||
torture_assert(tctx, netlogon_creds_client_check(creds,
|
||||
&r.out.return_authenticator->cred),
|
||||
"Credential chaining failed");
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,89 +0,0 @@
|
||||
From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
||||
Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
||||
invalid netr_LogonGetCapabilities levels
|
||||
|
||||
This is important as Windows clients with KB5028166 seem to
|
||||
call netr_LogonGetCapabilities with query_level=2 after
|
||||
a call with query_level=1.
|
||||
|
||||
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
for query_level values other than 1.
|
||||
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
||||
later fails to marshall the response, which results
|
||||
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
||||
|
||||
Because we don't have any documentation for level 2 yet,
|
||||
we just try to behave like an unpatched server and
|
||||
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
||||
DCERPC_FAULT_BAD_STUB_DATA.
|
||||
Which allows patched Windows clients to keep working
|
||||
against a Samba DC.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||
---
|
||||
.../knownfail.d/netr_LogonGetCapabilities | 2 --
|
||||
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
|
||||
2 files changed, 24 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
index 30aadf3bb9d..99c7ac711ed 100644
|
||||
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
@@ -1,3 +1 @@
|
||||
^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||
-^samba3.rpc.schannel.*\.schannel\(ad_dc
|
||||
-^samba4.rpc.schannel.*\.schannel\(ad_dc
|
||||
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||
index 6ccba65d3bf..dc2167f08b2 100644
|
||||
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
||||
@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
||||
struct netlogon_creds_CredentialState *creds;
|
||||
NTSTATUS status;
|
||||
|
||||
+ switch (r->in.query_level) {
|
||||
+ case 1:
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ /*
|
||||
+ * Until we know the details behind KB5028166
|
||||
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
+ * like an unpatched Windows Server.
|
||||
+ */
|
||||
+ FALL_THROUGH;
|
||||
+ default:
|
||||
+ /*
|
||||
+ * There would not be a way to marshall the
|
||||
+ * the response. Which would mean our final
|
||||
+ * ndr_push would fail an we would return
|
||||
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
|
||||
+ *
|
||||
+ * But it's important to match a Windows server
|
||||
+ * especially before KB5028166, see also our bug #15418
|
||||
+ * Otherwise Windows client would stop talking to us.
|
||||
+ */
|
||||
+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
|
||||
+ }
|
||||
+
|
||||
status = dcesrv_netr_creds_server_step_check(dce_call,
|
||||
mem_ctx,
|
||||
r->in.computer_name,
|
||||
@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
|
||||
}
|
||||
NT_STATUS_NOT_OK_RETURN(status);
|
||||
|
||||
- if (r->in.query_level != 1) {
|
||||
- return NT_STATUS_NOT_SUPPORTED;
|
||||
- }
|
||||
-
|
||||
r->out.capabilities->server_capabilities = creds->negotiate_flags;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,93 +0,0 @@
|
||||
From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 15 Jul 2023 16:11:48 +0200
|
||||
Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
|
||||
invalid netr_LogonGetCapabilities levels
|
||||
|
||||
This is important as Windows clients with KB5028166 seem to
|
||||
call netr_LogonGetCapabilities with query_level=2 after
|
||||
a call with query_level=1.
|
||||
|
||||
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
for query_level values other than 1.
|
||||
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
|
||||
later fails to marshall the response, which results
|
||||
in DCERPC_FAULT_BAD_STUB_DATA instead.
|
||||
|
||||
Because we don't have any documentation for level 2 yet,
|
||||
we just try to behave like an unpatched server and
|
||||
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
|
||||
DCERPC_FAULT_BAD_STUB_DATA.
|
||||
Which allows patched Windows clients to keep working
|
||||
against a Samba DC.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||
|
||||
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
||||
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
|
||||
---
|
||||
.../knownfail.d/netr_LogonGetCapabilities | 1 -
|
||||
source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
|
||||
2 files changed, 25 insertions(+), 5 deletions(-)
|
||||
delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
|
||||
diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
deleted file mode 100644
|
||||
index 99c7ac711ed..00000000000
|
||||
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
|
||||
+++ /dev/null
|
||||
@@ -1 +0,0 @@
|
||||
-^samba3.rpc.schannel.*\.schannel\(nt4_dc
|
||||
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
index 3ba58e61206..e8aa14167fc 100644
|
||||
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
|
||||
@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
|
||||
struct netlogon_creds_CredentialState *creds;
|
||||
NTSTATUS status;
|
||||
|
||||
+ switch (r->in.query_level) {
|
||||
+ case 1:
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ /*
|
||||
+ * Until we know the details behind KB5028166
|
||||
+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
|
||||
+ * like an unpatched Windows Server.
|
||||
+ */
|
||||
+ FALL_THROUGH;
|
||||
+ default:
|
||||
+ /*
|
||||
+ * There would not be a way to marshall the
|
||||
+ * the response. Which would mean our final
|
||||
+ * ndr_push would fail an we would return
|
||||
+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
|
||||
+ *
|
||||
+ * But it's important to match a Windows server
|
||||
+ * especially before KB5028166, see also our bug #15418
|
||||
+ * Otherwise Windows client would stop talking to us.
|
||||
+ */
|
||||
+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
|
||||
+ return NT_STATUS_NOT_SUPPORTED;
|
||||
+ }
|
||||
+
|
||||
become_root();
|
||||
status = dcesrv_netr_creds_server_step_check(p->dce_call,
|
||||
p->mem_ctx,
|
||||
@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
|
||||
return status;
|
||||
}
|
||||
|
||||
- if (r->in.query_level != 1) {
|
||||
- return NT_STATUS_NOT_SUPPORTED;
|
||||
- }
|
||||
-
|
||||
r->out.capabilities->server_capabilities = creds->negotiate_flags;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,137 +0,0 @@
|
||||
From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Boehme <slow@samba.org>
|
||||
Date: Tue, 20 Jun 2023 12:46:31 +0200
|
||||
Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
|
||||
signing
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
|
||||
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
---
|
||||
.../samba3.smb2.session-require-signing | 1 +
|
||||
selftest/target/Samba3.pm | 1 +
|
||||
source3/selftest/tests.py | 2 +
|
||||
source4/torture/smb2/session.c | 64 +++++++++++++++++++
|
||||
source4/torture/smb2/smb2.c | 1 +
|
||||
5 files changed, 69 insertions(+)
|
||||
create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
|
||||
diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
new file mode 100644
|
||||
index 00000000000..53b7a7022a8
|
||||
--- /dev/null
|
||||
+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
@@ -0,0 +1 @@
|
||||
+^samba3.smb2.session-require-signing.bug15397
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index d9e17473615..b4c3c130e9a 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
|
||||
# values required for tests to succeed
|
||||
create krb5 conf = no
|
||||
map to guest = bad user
|
||||
+ server signing = required
|
||||
";
|
||||
|
||||
my $ret = $self->provision(
|
||||
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
||||
index b069630605a..d2b5409d0a9 100755
|
||||
--- a/source3/selftest/tests.py
|
||||
+++ b/source3/selftest/tests.py
|
||||
@@ -1097,6 +1097,8 @@ for t in tests:
|
||||
# Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
|
||||
# ad_member_idmap_rid sets "create krb5.conf = no"
|
||||
plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
|
||||
+ elif t == "smb2.session-require-signing":
|
||||
+ plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
|
||||
elif t == "rpc.lsa":
|
||||
plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
|
||||
plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
|
||||
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
|
||||
index 51df51542d4..823304f190f 100644
|
||||
--- a/source4/torture/smb2/session.c
|
||||
+++ b/source4/torture/smb2/session.c
|
||||
@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
|
||||
|
||||
return suite;
|
||||
}
|
||||
+
|
||||
+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
|
||||
+ struct smb2_tree *_tree)
|
||||
+{
|
||||
+ const char *host = torture_setting_string(tctx, "host", NULL);
|
||||
+ const char *share = torture_setting_string(tctx, "share", NULL);
|
||||
+ struct cli_credentials *_creds = samba_cmdline_get_creds();
|
||||
+ struct cli_credentials *creds = NULL;
|
||||
+ struct smbcli_options options;
|
||||
+ struct smb2_tree *tree = NULL;
|
||||
+ uint8_t security_mode;
|
||||
+ NTSTATUS status;
|
||||
+ bool ok = true;
|
||||
+
|
||||
+ /*
|
||||
+ * Setup our own connection so we can control the signing flags
|
||||
+ */
|
||||
+
|
||||
+ creds = cli_credentials_shallow_copy(tctx, _creds);
|
||||
+ torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
|
||||
+
|
||||
+ options = _tree->session->transport->options;
|
||||
+ options.client_guid = GUID_random();
|
||||
+ options.signing = SMB_SIGNING_IF_REQUIRED;
|
||||
+
|
||||
+ status = smb2_connect(tctx,
|
||||
+ host,
|
||||
+ lpcfg_smb_ports(tctx->lp_ctx),
|
||||
+ share,
|
||||
+ lpcfg_resolve_context(tctx->lp_ctx),
|
||||
+ creds,
|
||||
+ &tree,
|
||||
+ tctx->ev,
|
||||
+ &options,
|
||||
+ lpcfg_socket_options(tctx->lp_ctx),
|
||||
+ lpcfg_gensec_settings(tctx, tctx->lp_ctx));
|
||||
+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
|
||||
+ "smb2_connect failed");
|
||||
+
|
||||
+ security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
|
||||
+
|
||||
+ torture_assert_int_equal_goto(
|
||||
+ tctx,
|
||||
+ security_mode,
|
||||
+ SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
|
||||
+ ok,
|
||||
+ done,
|
||||
+ "Signing not required");
|
||||
+
|
||||
+done:
|
||||
+ return ok;
|
||||
+}
|
||||
+
|
||||
+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
|
||||
+{
|
||||
+ struct torture_suite *suite =
|
||||
+ torture_suite_create(ctx, "session-require-signing");
|
||||
+
|
||||
+ torture_suite_add_1smb2_test(suite, "bug15397",
|
||||
+ test_session_require_sign_bug15397);
|
||||
+
|
||||
+ suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
|
||||
+ return suite;
|
||||
+}
|
||||
diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
|
||||
index c595b108ce8..5b6477e47bc 100644
|
||||
--- a/source4/torture/smb2/smb2.c
|
||||
+++ b/source4/torture/smb2/smb2.c
|
||||
@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
|
||||
torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
|
||||
torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
|
||||
torture_suite_add_suite(suite, torture_smb2_session_init(suite));
|
||||
+ torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
|
||||
torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
|
||||
torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
|
||||
torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,131 +0,0 @@
|
||||
From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Boehme <slow@samba.org>
|
||||
Date: Wed, 21 Jun 2023 15:06:12 +0200
|
||||
Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to
|
||||
smb[1|2]_srv_init_signing()
|
||||
|
||||
No change in behaviour.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
|
||||
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
---
|
||||
source3/smbd/proto.h | 3 ++-
|
||||
source3/smbd/smb1_signing.c | 10 ++--------
|
||||
source3/smbd/smb1_signing.h | 3 ++-
|
||||
source3/smbd/smb2_signing.c | 25 +++++++++++++++----------
|
||||
4 files changed, 21 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
|
||||
index a39f0a2edfa..3884617e77b 100644
|
||||
--- a/source3/smbd/proto.h
|
||||
+++ b/source3/smbd/proto.h
|
||||
@@ -52,7 +52,8 @@ struct dcesrv_context;
|
||||
|
||||
/* The following definitions come from smbd/smb2_signing.c */
|
||||
|
||||
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn);
|
||||
+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
+ struct smbXsrv_connection *conn);
|
||||
bool srv_init_signing(struct smbXsrv_connection *conn);
|
||||
|
||||
/* The following definitions come from smbd/aio.c */
|
||||
diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c
|
||||
index 6bcb0629c4f..aa3027d5318 100644
|
||||
--- a/source3/smbd/smb1_signing.c
|
||||
+++ b/source3/smbd/smb1_signing.c
|
||||
@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
|
||||
Called by server negprot when signing has been negotiated.
|
||||
************************************************************/
|
||||
|
||||
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
|
||||
+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
+ struct smbXsrv_connection *conn)
|
||||
{
|
||||
bool allowed = true;
|
||||
bool desired;
|
||||
bool mandatory = false;
|
||||
|
||||
- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
|
||||
- if (lp_ctx == NULL) {
|
||||
- DEBUG(10, ("loadparm_init_s3 failed\n"));
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* if the client and server allow signing,
|
||||
* we desire to use it.
|
||||
@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
|
||||
*/
|
||||
|
||||
desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
|
||||
- talloc_unlink(conn, lp_ctx);
|
||||
|
||||
if (lp_async_smb_echo_handler()) {
|
||||
struct smbd_shm_signing *s;
|
||||
diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h
|
||||
index 56c59c5bbc2..26f60420dfa 100644
|
||||
--- a/source3/smbd/smb1_signing.h
|
||||
+++ b/source3/smbd/smb1_signing.h
|
||||
@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn);
|
||||
void smb1_srv_set_signing(struct smbXsrv_connection *conn,
|
||||
const DATA_BLOB user_session_key,
|
||||
const DATA_BLOB response);
|
||||
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn);
|
||||
+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
+ struct smbXsrv_connection *conn);
|
||||
diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
|
||||
index 4691ef4d613..c1f876f9cd7 100644
|
||||
--- a/source3/smbd/smb2_signing.c
|
||||
+++ b/source3/smbd/smb2_signing.c
|
||||
@@ -26,32 +26,37 @@
|
||||
#include "lib/param/param.h"
|
||||
#include "smb2_signing.h"
|
||||
|
||||
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn)
|
||||
+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
+ struct smbXsrv_connection *conn)
|
||||
{
|
||||
- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
|
||||
- if (lp_ctx == NULL) {
|
||||
- DBG_DEBUG("loadparm_init_s3 failed\n");
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
/*
|
||||
* For SMB2 all we need to know is if signing is mandatory.
|
||||
* It is always allowed and desired, whatever the smb.conf says.
|
||||
*/
|
||||
(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
|
||||
- talloc_unlink(conn, lp_ctx);
|
||||
return true;
|
||||
}
|
||||
|
||||
bool srv_init_signing(struct smbXsrv_connection *conn)
|
||||
{
|
||||
+ struct loadparm_context *lp_ctx = NULL;
|
||||
+ bool ok;
|
||||
+
|
||||
+ lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
|
||||
+ if (lp_ctx == NULL) {
|
||||
+ DBG_DEBUG("loadparm_init_s3 failed\n");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
#if defined(WITH_SMB1SERVER)
|
||||
if (conn->protocol >= PROTOCOL_SMB2_02) {
|
||||
#endif
|
||||
- return smb2_srv_init_signing(conn);
|
||||
+ ok = smb2_srv_init_signing(lp_ctx, conn);
|
||||
#if defined(WITH_SMB1SERVER)
|
||||
} else {
|
||||
- return smb1_srv_init_signing(conn);
|
||||
+ ok = smb1_srv_init_signing(lp_ctx, conn);
|
||||
}
|
||||
#endif
|
||||
+ talloc_unlink(conn, lp_ctx);
|
||||
+ return ok;
|
||||
}
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,73 +0,0 @@
|
||||
From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Boehme <slow@samba.org>
|
||||
Date: Wed, 21 Jun 2023 15:10:58 +0200
|
||||
Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code
|
||||
in srv_init_signing()
|
||||
|
||||
It's now a one-line function, imho the overall code is simpler if that code is
|
||||
just inlined.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
|
||||
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
---
|
||||
source3/smbd/proto.h | 2 --
|
||||
source3/smbd/smb2_signing.c | 19 ++++++-------------
|
||||
2 files changed, 6 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
|
||||
index 3884617e77b..78e1b48be09 100644
|
||||
--- a/source3/smbd/proto.h
|
||||
+++ b/source3/smbd/proto.h
|
||||
@@ -52,8 +52,6 @@ struct dcesrv_context;
|
||||
|
||||
/* The following definitions come from smbd/smb2_signing.c */
|
||||
|
||||
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
- struct smbXsrv_connection *conn);
|
||||
bool srv_init_signing(struct smbXsrv_connection *conn);
|
||||
|
||||
/* The following definitions come from smbd/aio.c */
|
||||
diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
|
||||
index c1f876f9cd7..ef4a54d5710 100644
|
||||
--- a/source3/smbd/smb2_signing.c
|
||||
+++ b/source3/smbd/smb2_signing.c
|
||||
@@ -26,21 +26,10 @@
|
||||
#include "lib/param/param.h"
|
||||
#include "smb2_signing.h"
|
||||
|
||||
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
|
||||
- struct smbXsrv_connection *conn)
|
||||
-{
|
||||
- /*
|
||||
- * For SMB2 all we need to know is if signing is mandatory.
|
||||
- * It is always allowed and desired, whatever the smb.conf says.
|
||||
- */
|
||||
- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
|
||||
- return true;
|
||||
-}
|
||||
-
|
||||
bool srv_init_signing(struct smbXsrv_connection *conn)
|
||||
{
|
||||
struct loadparm_context *lp_ctx = NULL;
|
||||
- bool ok;
|
||||
+ bool ok = true;
|
||||
|
||||
lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
|
||||
if (lp_ctx == NULL) {
|
||||
@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
|
||||
#if defined(WITH_SMB1SERVER)
|
||||
if (conn->protocol >= PROTOCOL_SMB2_02) {
|
||||
#endif
|
||||
- ok = smb2_srv_init_signing(lp_ctx, conn);
|
||||
+ /*
|
||||
+ * For SMB2 all we need to know is if signing is mandatory.
|
||||
+ * It is always allowed and desired, whatever the smb.conf says.
|
||||
+ */
|
||||
+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
|
||||
#if defined(WITH_SMB1SERVER)
|
||||
} else {
|
||||
ok = smb1_srv_init_signing(lp_ctx, conn);
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,36 +0,0 @@
|
||||
From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Boehme <slow@samba.org>
|
||||
Date: Tue, 20 Jun 2023 18:13:23 +0200
|
||||
Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in
|
||||
smbd_smb2_request_process_negprot()
|
||||
|
||||
This is just going to bitrot. Anyone who's interested can just grep for
|
||||
"signing_mandatory" and look up what it does.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
|
||||
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
---
|
||||
source3/smbd/smb2_negprot.c | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
|
||||
index 9d4ce160e5c..885769be24d 100644
|
||||
--- a/source3/smbd/smb2_negprot.c
|
||||
+++ b/source3/smbd/smb2_negprot.c
|
||||
@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
|
||||
}
|
||||
|
||||
security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
|
||||
- /*
|
||||
- * We use xconn->smb2.signing_mandatory set up via
|
||||
- * srv_init_signing() -> smb2_srv_init_signing().
|
||||
- * This calls lpcfg_server_signing_allowed() to get the correct
|
||||
- * defaults, e.g. signing_required for an ad_dc.
|
||||
- */
|
||||
if (xconn->smb2.signing_mandatory) {
|
||||
security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
|
||||
}
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,63 +0,0 @@
|
||||
From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
|
||||
From: Ralph Boehme <slow@samba.org>
|
||||
Date: Tue, 20 Jun 2023 15:33:02 +0200
|
||||
Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
|
||||
|
||||
This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
|
||||
calling srv_init_signing() very early after accepting the connection in
|
||||
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
|
||||
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
|
||||
Autobuild-User(master): Jule Anger <janger@samba.org>
|
||||
Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
|
||||
---
|
||||
.../samba3.smb2.session-require-signing | 1 -
|
||||
source3/smbd/smb2_signing.c | 19 ++++++++-----------
|
||||
2 files changed, 8 insertions(+), 12 deletions(-)
|
||||
delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
|
||||
diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
deleted file mode 100644
|
||||
index 53b7a7022a8..00000000000
|
||||
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
|
||||
+++ /dev/null
|
||||
@@ -1 +0,0 @@
|
||||
-^samba3.smb2.session-require-signing.bug15397
|
||||
diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
|
||||
index ef4a54d5710..73d07380dfa 100644
|
||||
--- a/source3/smbd/smb2_signing.c
|
||||
+++ b/source3/smbd/smb2_signing.c
|
||||
@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
|
||||
return false;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * For SMB2 all we need to know is if signing is mandatory.
|
||||
+ * It is always allowed and desired, whatever the smb.conf says.
|
||||
+ */
|
||||
+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
|
||||
+
|
||||
#if defined(WITH_SMB1SERVER)
|
||||
- if (conn->protocol >= PROTOCOL_SMB2_02) {
|
||||
-#endif
|
||||
- /*
|
||||
- * For SMB2 all we need to know is if signing is mandatory.
|
||||
- * It is always allowed and desired, whatever the smb.conf says.
|
||||
- */
|
||||
- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
|
||||
-#if defined(WITH_SMB1SERVER)
|
||||
- } else {
|
||||
- ok = smb1_srv_init_signing(lp_ctx, conn);
|
||||
- }
|
||||
+ ok = smb1_srv_init_signing(lp_ctx, conn);
|
||||
#endif
|
||||
+
|
||||
talloc_unlink(conn, lp_ctx);
|
||||
return ok;
|
||||
}
|
||||
--
|
||||
2.39.3
|
||||
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmPSvJEACgkQqplEL7aA
|
||||
tiDXbA//bPY+2A4y8zPJLibWjRtmv76xTgj1EJMZoC5d7+5PXQfuVhVULGYrxriF
|
||||
MIF4CtTnMDk20mihnQb03csGpZGvqfBKbZg6jYolqeTmwRDgKXf9dxLxYYBGswPN
|
||||
JXiF/ZvDQzEorrsz24o7i9Pe44IXpdf7+3RjIXhKjCa2vFQibTndGRhYb0UYiR9S
|
||||
DELp6V/rmV9/BrYWVhHVnuzROzNWsrXIyu1GPNRWdX6ptJmjq6f8wZUP0NODYsBP
|
||||
e0+BpXwob795tDSAMBnbnp7ZsHRYgB2/iWDTe19MF5LjHCcPwRWmzfZjiWQuz11D
|
||||
kg7RUmlTkpU0mrToM+Uyg3Lhc8sayojDTHkIuIPBTuirdKuyP5Zov1wCaPuvf8Ew
|
||||
LCQlQsC2AVeko8xY7P5ieXrmsfncoKR23S0MaKM6oNXooMJcNFnemMvCsOGGeGCi
|
||||
HJa1whPdI5Cj3zLB5X35UNMmauS7qWyyj3lS2horg8L/iIQ3R3q+0Xkd5VmX1BXz
|
||||
EhVDvOnb1F7E9HFlxhZRJFufpnHrGZX6ZYe6BqP8oU092UUU5JMeIqe20wG/dAtX
|
||||
B91QhITdPDnM4KrSbch9i+BKW1xD8srRXu4yqMTZp6X6dPh6lnzVn6vj4uKNCMwz
|
||||
2qLa3Rl+cRON1uTeFJXSTHg/diHjKriu3+bCqm0RlHAFLMtvudk=
|
||||
=gZl3
|
||||
-----END PGP SIGNATURE-----
|
1787
SOURCES/samba-4.19-redhat.patch
Normal file
1787
SOURCES/samba-4.19-redhat.patch
Normal file
File diff suppressed because it is too large
Load Diff
16
SOURCES/samba-4.19.4.tar.asc
Normal file
16
SOURCES/samba-4.19.4.tar.asc
Normal file
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
|
||||
tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
|
||||
Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
|
||||
2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
|
||||
XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
|
||||
iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
|
||||
svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
|
||||
JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
|
||||
ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
|
||||
vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
|
||||
+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
|
||||
1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
|
||||
=kOPP
|
||||
-----END PGP SIGNATURE-----
|
2
SOURCES/samba-winbind-systemd-sysusers.conf
Normal file
2
SOURCES/samba-winbind-systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
||||
#Type Name ID
|
||||
g wbpriv 88
|
@ -18,6 +18,9 @@
|
||||
load printers = yes
|
||||
cups options = raw
|
||||
|
||||
# Install samba-usershares package for support
|
||||
include = /etc/samba/usershares.conf
|
||||
|
||||
[homes]
|
||||
comment = Home Directories
|
||||
valid users = %S, %D%w%S
|
||||
|
1235
SPECS/samba.spec
1235
SPECS/samba.spec
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user