Compare commits
11 Commits
imports/c8
...
c8
Author | SHA1 | Date |
---|---|---|
eabdullin | ab22c6a6c6 | |
eabdullin | 9fb77a900a | |
CentOS Sources | f16b5f7a86 | |
CentOS Sources | 122824123f | |
CentOS Sources | af57ae664d | |
CentOS Sources | 3f570223e5 | |
CentOS Sources | 7a0123472d | |
CentOS Sources | ae42d337a3 | |
CentOS Sources | 370637166c | |
CentOS Sources | 9db6553941 | |
CentOS Sources | 85b413e4a9 |
|
@ -1,2 +1,2 @@
|
||||||
SOURCES/samba-4.14.5.tar.xz
|
SOURCES/samba-4.19.4.tar.xz
|
||||||
SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
46925b3ed9f63b1b936f2271253fdccccbf1575f SOURCES/samba-4.14.5.tar.xz
|
|
||||||
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
|
|
|
@ -1,108 +0,0 @@
|
||||||
From 2a961e883b624219a72f212c554d34a18f22d4d1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stefan Metzmacher <metze@samba.org>
|
|
||||||
Date: Thu, 24 Nov 2016 09:12:59 +0100
|
|
||||||
Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non
|
|
||||||
spnego authentication if we require kerberos
|
|
||||||
|
|
||||||
We should not send NTLM[v2] data on the wire if the user asked for kerberos
|
|
||||||
only.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
|
|
||||||
|
|
||||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
||||||
---
|
|
||||||
source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
|
|
||||||
1 file changed, 14 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
|
|
||||||
index 51e121bdce6b..391ee081fe62 100644
|
|
||||||
--- a/source4/libcli/smb_composite/sesssetup.c
|
|
||||||
+++ b/source4/libcli/smb_composite/sesssetup.c
|
|
||||||
@@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
|
|
||||||
NTSTATUS status;
|
|
||||||
enum smb_encryption_setting encryption_state =
|
|
||||||
cli_credentials_get_smb_encryption(io->in.credentials);
|
|
||||||
+ enum credentials_use_kerberos krb5_state =
|
|
||||||
+ cli_credentials_get_kerberos_state(io->in.credentials);
|
|
||||||
|
|
||||||
c = composite_create(session, session->transport->ev);
|
|
||||||
if (c == NULL) return NULL;
|
|
||||||
@@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
|
|
||||||
|
|
||||||
/* no session setup at all in earliest protocol varients */
|
|
||||||
if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
|
|
||||||
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
||||||
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
|
||||||
+ return c;
|
|
||||||
+ }
|
|
||||||
ZERO_STRUCT(io->out);
|
|
||||||
composite_done(c);
|
|
||||||
return c;
|
|
||||||
@@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
|
|
||||||
|
|
||||||
/* see what session setup interface we will use */
|
|
||||||
if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
|
|
||||||
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
||||||
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
|
||||||
+ return c;
|
|
||||||
+ }
|
|
||||||
status = session_setup_old(c, session, io, &state->req);
|
|
||||||
} else if (!session->transport->options.use_spnego ||
|
|
||||||
!(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
|
|
||||||
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
||||||
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
|
||||||
+ return c;
|
|
||||||
+ }
|
|
||||||
status = session_setup_nt1(c, session, io, &state->req);
|
|
||||||
} else {
|
|
||||||
struct tevent_req *subreq = NULL;
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
||||||
|
|
||||||
From 31a67554cf6c3d9368bef58d1249844f8eeb0059 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stefan Metzmacher <metze@samba.org>
|
|
||||||
Date: Thu, 27 Oct 2016 10:40:28 +0200
|
|
||||||
Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego
|
|
||||||
authentication if we require kerberos
|
|
||||||
|
|
||||||
We should not send NTLM[v2] nor plaintext data on the wire if the user
|
|
||||||
asked for kerberos only.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
|
|
||||||
|
|
||||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
||||||
---
|
|
||||||
source3/libsmb/cliconnect.c | 9 +++++++++
|
|
||||||
1 file changed, 9 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
||||||
index 853fb344bcd6..c01846ac8119 100644
|
|
||||||
--- a/source3/libsmb/cliconnect.c
|
|
||||||
+++ b/source3/libsmb/cliconnect.c
|
|
||||||
@@ -1442,6 +1442,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
|
|
||||||
uint32_t in_sess_key = 0;
|
|
||||||
const char *in_native_os = NULL;
|
|
||||||
const char *in_native_lm = NULL;
|
|
||||||
+ enum credentials_use_kerberos krb5_state =
|
|
||||||
+ cli_credentials_get_kerberos_state(creds);
|
|
||||||
NTSTATUS status;
|
|
||||||
|
|
||||||
req = tevent_req_create(mem_ctx, &state,
|
|
||||||
@@ -1483,6 +1485,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
|
|
||||||
return req;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
|
|
||||||
+ DBG_WARNING("Kerberos authentication requested, but "
|
|
||||||
+ "the server does not support SPNEGO authentication\n");
|
|
||||||
+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
|
||||||
+ return tevent_req_post(req, ev);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
|
|
||||||
/*
|
|
||||||
* SessionSetupAndX was introduced by LANMAN 1.0. So we skip
|
|
||||||
--
|
|
||||||
2.25.1
|
|
||||||
|
|
File diff suppressed because it is too large
File diff suppressed because it is too large
|
@ -1,51 +0,0 @@
|
||||||
From c11dab13dd30af3e0beb69e8d47c3bfd85e18a91 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <ab@samba.org>
|
|
||||||
Date: Fri, 12 Nov 2021 19:06:01 +0200
|
|
||||||
Subject: [PATCH] IPA DC: add missing checks
|
|
||||||
|
|
||||||
When introducing FreeIPA support, two places were forgotten:
|
|
||||||
|
|
||||||
- schannel gensec module needs to be aware of IPA DC
|
|
||||||
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
|
||||||
|
|
||||||
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
|
|
||||||
Autobuild-Date(master): Sat Nov 13 07:01:26 UTC 2021 on sn-devel-184
|
|
||||||
|
|
||||||
(cherry picked from commit c69b66f649c1d47a7367f7efe25b8df32369a3a5)
|
|
||||||
---
|
|
||||||
auth/gensec/schannel.c | 1 +
|
|
||||||
source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
|
|
||||||
2 files changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
|
|
||||||
index 0cdae141ead..6ebbe8f3179 100644
|
|
||||||
--- a/auth/gensec/schannel.c
|
|
||||||
+++ b/auth/gensec/schannel.c
|
|
||||||
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
|
|
||||||
case ROLE_DOMAIN_BDC:
|
|
||||||
case ROLE_DOMAIN_PDC:
|
|
||||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
|
||||||
+ case ROLE_IPA_DC:
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
default:
|
|
||||||
return NT_STATUS_NOT_IMPLEMENTED;
|
|
||||||
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
||||||
index d6d606ddeca..36774be3e32 100644
|
|
||||||
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
||||||
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
|
|
||||||
@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
|
|
||||||
switch (lp_server_role()) {
|
|
||||||
case ROLE_DOMAIN_PDC:
|
|
||||||
case ROLE_DOMAIN_BDC:
|
|
||||||
+ case ROLE_IPA_DC:
|
|
||||||
name = get_global_sam_name();
|
|
||||||
sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
|
|
||||||
if (!sid) {
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
|
@ -1,41 +0,0 @@
|
||||||
From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stefan Metzmacher <metze@samba.org>
|
|
||||||
Date: Tue, 9 Nov 2021 20:50:20 +0100
|
|
||||||
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
|
|
||||||
|
|
||||||
add_trusted_domain() should only reject domains
|
|
||||||
based on is_allowed_domain(), which now also
|
|
||||||
checks "allow trusted domains = no", if we don't
|
|
||||||
have an explicit trust to the domain (SEC_CHAN_NULL).
|
|
||||||
|
|
||||||
We use at least SEC_CHAN_LOCAL for local domains like
|
|
||||||
BUILTIN.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
|
|
||||||
|
|
||||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
||||||
|
|
||||||
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
|
||||||
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
|
|
||||||
|
|
||||||
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
|
|
||||||
---
|
|
||||||
source3/winbindd/winbindd_util.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
|
|
||||||
index 42ddbfd2f44..9d54e462c42 100644
|
|
||||||
--- a/source3/winbindd/winbindd_util.c
|
|
||||||
+++ b/source3/winbindd/winbindd_util.c
|
|
||||||
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
|
|
||||||
return NT_STATUS_INVALID_PARAMETER;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (!is_allowed_domain(domain_name)) {
|
|
||||||
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
|
|
||||||
return NT_STATUS_NO_SUCH_DOMAIN;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
|
@ -1,298 +0,0 @@
|
||||||
From 97829843013e2f0d81b6ed61d155a04217e40205 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Wed, 1 Sep 2021 15:39:19 +1200
|
|
||||||
Subject: [PATCH 1/6] krb5pac.idl: Add ticket checksum PAC buffer type
|
|
||||||
|
|
||||||
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Reviewed-by: Isaac Boukris <iboukris@samba.org>
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
|
|
||||||
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
|
|
||||||
---
|
|
||||||
librpc/idl/krb5pac.idl | 4 +++-
|
|
||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
||||||
index fb360c1257f..3239d7656b6 100644
|
|
||||||
--- a/librpc/idl/krb5pac.idl
|
|
||||||
+++ b/librpc/idl/krb5pac.idl
|
|
||||||
@@ -112,7 +112,8 @@ interface krb5pac
|
|
||||||
PAC_TYPE_KDC_CHECKSUM = 7,
|
|
||||||
PAC_TYPE_LOGON_NAME = 10,
|
|
||||||
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
|
|
||||||
- PAC_TYPE_UPN_DNS_INFO = 12
|
|
||||||
+ PAC_TYPE_UPN_DNS_INFO = 12,
|
|
||||||
+ PAC_TYPE_TICKET_CHECKSUM = 16
|
|
||||||
} PAC_TYPE;
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
@@ -128,6 +129,7 @@ interface krb5pac
|
|
||||||
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
|
|
||||||
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
|
|
||||||
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
||||||
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
||||||
/* when new PAC info types are added they are supposed to be done
|
|
||||||
in such a way that they are backwards compatible with existing
|
|
||||||
servers. This makes it safe to just use a [default] for
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From 99cc0e06e5fe2776371b808432af39de00f76cdf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Wed, 1 Sep 2021 15:40:59 +1200
|
|
||||||
Subject: [PATCH 2/6] security.idl: Add well-known SIDs for FAST
|
|
||||||
|
|
||||||
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Reviewed-by: Isaac Boukris <iboukris@samba.org>
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
|
|
||||||
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
|
|
||||||
---
|
|
||||||
librpc/idl/security.idl | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
|
|
||||||
index 06bf7449a70..3df96dedbdd 100644
|
|
||||||
--- a/librpc/idl/security.idl
|
|
||||||
+++ b/librpc/idl/security.idl
|
|
||||||
@@ -295,6 +295,9 @@ interface security
|
|
||||||
const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
|
|
||||||
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
|
|
||||||
|
|
||||||
+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
|
|
||||||
+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From 693bcdb2f9b64af390d619c9b39293c581900151 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Wed, 29 Sep 2021 16:15:26 +1300
|
|
||||||
Subject: [PATCH 3/6] krb5pac.idl: Add missing buffer type values
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
|
|
||||||
|
|
||||||
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Backported-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
librpc/idl/krb5pac.idl | 3 +++
|
|
||||||
1 file changed, 3 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
||||||
index 3239d7656b6..515150ab9cd 100644
|
|
||||||
--- a/librpc/idl/krb5pac.idl
|
|
||||||
+++ b/librpc/idl/krb5pac.idl
|
|
||||||
@@ -113,6 +113,9 @@ interface krb5pac
|
|
||||||
PAC_TYPE_LOGON_NAME = 10,
|
|
||||||
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
|
|
||||||
PAC_TYPE_UPN_DNS_INFO = 12,
|
|
||||||
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
|
|
||||||
+ PAC_TYPE_DEVICE_INFO = 14,
|
|
||||||
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
||||||
PAC_TYPE_TICKET_CHECKSUM = 16
|
|
||||||
} PAC_TYPE;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From 97323751c1b6b97e72eb80b8b99485d94696b30b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Tue, 26 Oct 2021 20:33:38 +1300
|
|
||||||
Subject: [PATCH 4/6] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC
|
|
||||||
buffer type
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
|
|
||||||
|
|
||||||
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
---
|
|
||||||
librpc/idl/krb5pac.idl | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
||||||
index 515150ab9cd..7a8d16464eb 100644
|
|
||||||
--- a/librpc/idl/krb5pac.idl
|
|
||||||
+++ b/librpc/idl/krb5pac.idl
|
|
||||||
@@ -97,6 +97,16 @@ interface krb5pac
|
|
||||||
PAC_UPN_DNS_FLAGS flags;
|
|
||||||
} PAC_UPN_DNS_INFO;
|
|
||||||
|
|
||||||
+ typedef [bitmap32bit] bitmap {
|
|
||||||
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED = 0x00000001,
|
|
||||||
+ PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY = 0x00000002
|
|
||||||
+ } PAC_ATTRIBUTE_INFO_FLAGS;
|
|
||||||
+
|
|
||||||
+ typedef struct {
|
|
||||||
+ uint32 flags_length; /* length in bits */
|
|
||||||
+ PAC_ATTRIBUTE_INFO_FLAGS flags;
|
|
||||||
+ } PAC_ATTRIBUTES_INFO;
|
|
||||||
+
|
|
||||||
typedef [public] struct {
|
|
||||||
PAC_LOGON_INFO *info;
|
|
||||||
} PAC_LOGON_INFO_CTR;
|
|
||||||
@@ -116,7 +126,8 @@ interface krb5pac
|
|
||||||
PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
|
|
||||||
PAC_TYPE_DEVICE_INFO = 14,
|
|
||||||
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
||||||
- PAC_TYPE_TICKET_CHECKSUM = 16
|
|
||||||
+ PAC_TYPE_TICKET_CHECKSUM = 16,
|
|
||||||
+ PAC_TYPE_ATTRIBUTES_INFO = 17
|
|
||||||
} PAC_TYPE;
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
@@ -133,6 +144,7 @@ interface krb5pac
|
|
||||||
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
|
|
||||||
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
||||||
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
||||||
+ [case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
|
|
||||||
/* when new PAC info types are added they are supposed to be done
|
|
||||||
in such a way that they are backwards compatible with existing
|
|
||||||
servers. This makes it safe to just use a [default] for
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From 9867beabf3b0be026d900e26ac91af655fb50cfe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Date: Tue, 26 Oct 2021 20:33:49 +1300
|
|
||||||
Subject: [PATCH 5/6] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
|
|
||||||
buffer type
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
|
|
||||||
|
|
||||||
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
---
|
|
||||||
librpc/idl/krb5pac.idl | 8 +++++++-
|
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
||||||
index 7a8d16464eb..52fb40c4bbb 100644
|
|
||||||
--- a/librpc/idl/krb5pac.idl
|
|
||||||
+++ b/librpc/idl/krb5pac.idl
|
|
||||||
@@ -107,6 +107,10 @@ interface krb5pac
|
|
||||||
PAC_ATTRIBUTE_INFO_FLAGS flags;
|
|
||||||
} PAC_ATTRIBUTES_INFO;
|
|
||||||
|
|
||||||
+ typedef struct {
|
|
||||||
+ dom_sid sid;
|
|
||||||
+ } PAC_REQUESTER_SID;
|
|
||||||
+
|
|
||||||
typedef [public] struct {
|
|
||||||
PAC_LOGON_INFO *info;
|
|
||||||
} PAC_LOGON_INFO_CTR;
|
|
||||||
@@ -127,7 +131,8 @@ interface krb5pac
|
|
||||||
PAC_TYPE_DEVICE_INFO = 14,
|
|
||||||
PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
|
|
||||||
PAC_TYPE_TICKET_CHECKSUM = 16,
|
|
||||||
- PAC_TYPE_ATTRIBUTES_INFO = 17
|
|
||||||
+ PAC_TYPE_ATTRIBUTES_INFO = 17,
|
|
||||||
+ PAC_TYPE_REQUESTER_SID = 18
|
|
||||||
} PAC_TYPE;
|
|
||||||
|
|
||||||
typedef struct {
|
|
||||||
@@ -145,6 +150,7 @@ interface krb5pac
|
|
||||||
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
|
|
||||||
[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
|
|
||||||
[case(PAC_TYPE_ATTRIBUTES_INFO)] PAC_ATTRIBUTES_INFO attributes_info;
|
|
||||||
+ [case(PAC_TYPE_REQUESTER_SID)] PAC_REQUESTER_SID requester_sid;
|
|
||||||
/* when new PAC info types are added they are supposed to be done
|
|
||||||
in such a way that they are backwards compatible with existing
|
|
||||||
servers. This makes it safe to just use a [default] for
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
||||||
|
|
||||||
From fb92457cfd11745be73660eb90519b625f6a5d97 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Date: Mon, 27 Sep 2021 11:20:19 +1300
|
|
||||||
Subject: [PATCH 6/6] CVE-2020-25721 krb5pac: Add new buffers for
|
|
||||||
samAccountName and objectSID
|
|
||||||
|
|
||||||
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
|
|
||||||
|
|
||||||
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
||||||
---
|
|
||||||
librpc/idl/krb5pac.idl | 18 ++++++++++++++++--
|
|
||||||
librpc/ndr/ndr_krb5pac.c | 4 ++--
|
|
||||||
2 files changed, 18 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
|
|
||||||
index 52fb40c4bbb..bbe4a253e3a 100644
|
|
||||||
--- a/librpc/idl/krb5pac.idl
|
|
||||||
+++ b/librpc/idl/krb5pac.idl
|
|
||||||
@@ -86,15 +86,29 @@ interface krb5pac
|
|
||||||
} PAC_CONSTRAINED_DELEGATION;
|
|
||||||
|
|
||||||
typedef [bitmap32bit] bitmap {
|
|
||||||
- PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001
|
|
||||||
+ PAC_UPN_DNS_FLAG_CONSTRUCTED = 0x00000001,
|
|
||||||
+ PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x00000002
|
|
||||||
} PAC_UPN_DNS_FLAGS;
|
|
||||||
|
|
||||||
+ typedef struct {
|
|
||||||
+ [value(2*strlen_m(samaccountname))] uint16 samaccountname_size;
|
|
||||||
+ [relative_short,subcontext(0),subcontext_size(samaccountname_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *samaccountname;
|
|
||||||
+ [value(ndr_size_dom_sid(objectsid, ndr->flags))] uint16 objectsid_size;
|
|
||||||
+ [relative_short,subcontext(0),subcontext_size(objectsid_size)] dom_sid *objectsid;
|
|
||||||
+ } PAC_UPN_DNS_INFO_SAM_NAME_AND_SID;
|
|
||||||
+
|
|
||||||
+ typedef [nodiscriminant] union {
|
|
||||||
+ [case(PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_SAM_NAME_AND_SID sam_name_and_sid;
|
|
||||||
+ [default];
|
|
||||||
+ } PAC_UPN_DNS_INFO_EX;
|
|
||||||
+
|
|
||||||
typedef struct {
|
|
||||||
[value(2*strlen_m(upn_name))] uint16 upn_name_size;
|
|
||||||
[relative_short,subcontext(0),subcontext_size(upn_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *upn_name;
|
|
||||||
[value(2*strlen_m(dns_domain_name))] uint16 dns_domain_name_size;
|
|
||||||
[relative_short,subcontext(0),subcontext_size(dns_domain_name_size),flag(NDR_ALIGN8|STR_NOTERM|NDR_REMAINING)] string *dns_domain_name;
|
|
||||||
PAC_UPN_DNS_FLAGS flags;
|
|
||||||
+ [switch_is(flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)] PAC_UPN_DNS_INFO_EX ex;
|
|
||||||
} PAC_UPN_DNS_INFO;
|
|
||||||
|
|
||||||
typedef [bitmap32bit] bitmap {
|
|
||||||
@@ -160,7 +174,7 @@ interface krb5pac
|
|
||||||
|
|
||||||
typedef [public,nopush,nopull] struct {
|
|
||||||
PAC_TYPE type;
|
|
||||||
- [value(_ndr_size_PAC_INFO(info, type, 0))] uint32 _ndr_size;
|
|
||||||
+ [value(_ndr_size_PAC_INFO(info, type, LIBNDR_FLAG_ALIGN8))] uint32 _ndr_size;
|
|
||||||
/*
|
|
||||||
* We need to have two subcontexts to get the padding right,
|
|
||||||
* the outer subcontext uses NDR_ROUND(_ndr_size, 8), while
|
|
||||||
diff --git a/librpc/ndr/ndr_krb5pac.c b/librpc/ndr/ndr_krb5pac.c
|
|
||||||
index a9ae2c4a789..57b28df9e52 100644
|
|
||||||
--- a/librpc/ndr/ndr_krb5pac.c
|
|
||||||
+++ b/librpc/ndr/ndr_krb5pac.c
|
|
||||||
@@ -41,7 +41,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
|
|
||||||
if (ndr_flags & NDR_SCALARS) {
|
|
||||||
NDR_CHECK(ndr_push_align(ndr, 4));
|
|
||||||
NDR_CHECK(ndr_push_PAC_TYPE(ndr, NDR_SCALARS, r->type));
|
|
||||||
- NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,0)));
|
|
||||||
+ NDR_CHECK(ndr_push_uint32(ndr, NDR_SCALARS, _ndr_size_PAC_INFO(r->info,r->type,LIBNDR_FLAG_ALIGN8)));
|
|
||||||
{
|
|
||||||
uint32_t _flags_save_PAC_INFO = ndr->flags;
|
|
||||||
ndr_set_flags(&ndr->flags, LIBNDR_FLAG_ALIGN8);
|
|
||||||
@@ -59,7 +59,7 @@ enum ndr_err_code ndr_push_PAC_BUFFER(struct ndr_push *ndr, int ndr_flags, const
|
|
||||||
{
|
|
||||||
struct ndr_push *_ndr_info_pad;
|
|
||||||
struct ndr_push *_ndr_info;
|
|
||||||
- size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, 0);
|
|
||||||
+ size_t _ndr_size = _ndr_size_PAC_INFO(r->info, r->type, LIBNDR_FLAG_ALIGN8);
|
|
||||||
NDR_CHECK(ndr_push_subcontext_start(ndr, &_ndr_info_pad, 0, NDR_ROUND(_ndr_size, 8)));
|
|
||||||
NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
|
|
||||||
NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
|
|
||||||
--
|
|
||||||
2.33.1
|
|
||||||
|
|
|
@ -1,49 +0,0 @@
|
||||||
From 4b192aaf503ea7f5eba27b6e43edcfe54ac6c5a6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Wed, 26 May 2021 15:04:08 +0200
|
|
||||||
Subject: [PATCH] s3:modules: Reduce debug level if file doesn't exists on dfs
|
|
||||||
share
|
|
||||||
|
|
||||||
There is software out there trying to open desktop.ini in every
|
|
||||||
directory. Avoid spamming the logs with error messages.
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
|
||||||
|
|
||||||
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
|
||||||
Autobuild-Date(master): Fri Jun 18 18:14:11 UTC 2021 on sn-devel-184
|
|
||||||
|
|
||||||
(cherry picked from commit 4079efae76718a84a4cf24b6613cdc53cdb2dd39)
|
|
||||||
---
|
|
||||||
source3/modules/vfs_default.c | 15 +++++++++++----
|
|
||||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
|
|
||||||
index 8d592bbad64..ea036b24ddf 100644
|
|
||||||
--- a/source3/modules/vfs_default.c
|
|
||||||
+++ b/source3/modules/vfs_default.c
|
|
||||||
@@ -476,10 +476,17 @@ static NTSTATUS vfswrap_read_dfs_pathat(struct vfs_handle_struct *handle,
|
|
||||||
status = NT_STATUS_OBJECT_TYPE_MISMATCH;
|
|
||||||
} else {
|
|
||||||
status = map_nt_error_from_unix(errno);
|
|
||||||
- DBG_ERR("Error reading "
|
|
||||||
- "msdfs link %s: %s\n",
|
|
||||||
- smb_fname->base_name,
|
|
||||||
- strerror(errno));
|
|
||||||
+ if (errno == ENOENT) {
|
|
||||||
+ DBG_NOTICE("Error reading "
|
|
||||||
+ "msdfs link %s: %s\n",
|
|
||||||
+ smb_fname->base_name,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ } else {
|
|
||||||
+ DBG_ERR("Error reading "
|
|
||||||
+ "msdfs link %s: %s\n",
|
|
||||||
+ smb_fname->base_name,
|
|
||||||
+ strerror(errno));
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
goto err;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmC14EsACgkQqplEL7aA
|
|
||||||
tiDWUA//b0Dj/dJozZY/Q6OI9UjPNL9nvPGqpKF0Sl2sW5jO1KWdcq1OZk+H6eO5
|
|
||||||
gaX9nuH8Qo/IMxVRIPZVW6lXwsLzSdAOhwPAV02D/feSNfuld078v5yN1My2x6gH
|
|
||||||
tmfEVXZJjNkObhLDz0Wgq3mxxKvwxSM4+q2SI9p2/Yk32+oT1l/EWT3WZRNa/I1x
|
|
||||||
MF8nr8p5BktPw7tQoITG/JhkWudfkPpvVA3LJYl+F0rjubMA3C3btvDNquPaNXQ0
|
|
||||||
Jr0nOt8+OKpsrtBb6ED0su7CWqbHHjc7lTKLepruqnHzllk5/Tcsu6APVRb8qjim
|
|
||||||
B2ElieWYJKQ7vBchjuSw/3ufqOsJdvckO4znGM1bUFDnCV0DDOXPE/U5QmjcoQqE
|
|
||||||
kJ36m53WnGCHR3JbL+rSjrB1m0ip8tViNraV+Ch2sXNlNvKYPNNo3cgX62nnDWJz
|
|
||||||
aLlncx0W1LpZ8mhYVv0AvdoVKBDygzxheye8Fssz3Wz5RDzZ6Vm0AoJwBm+G8v1k
|
|
||||||
u0MXMyvBv1KLpBLL27PJm2m7r6KIDB0v9PuLK5iF107omkSWfY/lMLQR2UFph8oH
|
|
||||||
uCwV5PiEy/ecBhBfo3KzUG5yJLBBayYB2vGcXJh4yRpAByppFbpo3csr6UZSEsU8
|
|
||||||
iImmN97Tg3QVd/FTn9qRiQ15NxzWC0XCE1glY87KqqC5kl5Lk9Y=
|
|
||||||
=i6jp
|
|
||||||
-----END PGP SIGNATURE-----
|
|
|
@ -0,0 +1,16 @@
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
|
||||||
|
tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
|
||||||
|
Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
|
||||||
|
2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
|
||||||
|
XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
|
||||||
|
iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
|
||||||
|
svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
|
||||||
|
JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
|
||||||
|
ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
|
||||||
|
vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
|
||||||
|
+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
|
||||||
|
1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
|
||||||
|
=kOPP
|
||||||
|
-----END PGP SIGNATURE-----
|
|
@ -0,0 +1,2 @@
|
||||||
|
#Type Name ID
|
||||||
|
g printadmin -
|
|
@ -0,0 +1,2 @@
|
||||||
|
#Type Name ID
|
||||||
|
g usershares -
|
|
@ -0,0 +1,2 @@
|
||||||
|
#Type Name ID
|
||||||
|
g wbpriv 88
|
|
@ -0,0 +1,5 @@
|
||||||
|
#################################################
|
||||||
|
# This is a grouping library without any code
|
||||||
|
#################################################
|
||||||
|
[suppress_file]
|
||||||
|
file_name_regexp=.*libdcerpc-samr\\.so.*
|
|
@ -281,7 +281,7 @@
|
||||||
|
|
||||||
[printers]
|
[printers]
|
||||||
comment = All Printers
|
comment = All Printers
|
||||||
path = /var/spool/samba
|
path = /var/tmp
|
||||||
browseable = no
|
browseable = no
|
||||||
guest ok = no
|
guest ok = no
|
||||||
writable = no
|
writable = no
|
||||||
|
|
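Review bot: The `[printers]` spool `path` in this hunk reads `/var/tmp` on the new side where the old side reads `/var/spool/samba`, so spooled print jobs would land in a directory shared with every local user and service rather than in a dedicated spool directory. Whether other local accounts can read those job files then depends on settings outside this hunk (the section continues past `writable = no`), for example a restrictive `create mask = 0600`. If the move is intentional, I would add a comment above the line such as `# job files land in a shared temp directory; keep create mask restrictive`, or else keep `path = /var/spool/samba`. The old/new sides are read from the column order of the rendered page, since the +/- markers are not shown.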
|
@ -2,6 +2,10 @@
|
||||||
# read the smb.conf manpage.
|
# read the smb.conf manpage.
|
||||||
# Run 'testparm' to verify the config is correct after
|
# Run 'testparm' to verify the config is correct after
|
||||||
# you modified it.
|
# you modified it.
|
||||||
|
#
|
||||||
|
# Note:
|
||||||
|
# SMB1 is disabled by default. This means clients without support for SMB2 or
|
||||||
|
# SMB3 are no longer able to connect to smbd (by default).
|
||||||
|
|
||||||
[global]
|
[global]
|
||||||
workgroup = SAMBA
|
workgroup = SAMBA
|
||||||
|
@ -14,6 +18,9 @@
|
||||||
load printers = yes
|
load printers = yes
|
||||||
cups options = raw
|
cups options = raw
|
||||||
|
|
||||||
|
# Install samba-usershares package for support
|
||||||
|
include = /etc/samba/usershares.conf
|
||||||
|
|
||||||
[homes]
|
[homes]
|
||||||
comment = Home Directories
|
comment = Home Directories
|
||||||
valid users = %S, %D%w%S
|
valid users = %S, %D%w%S
|
||||||
|
|
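Review bot: The comment added above `include = /etc/samba/usershares.conf` says only which package to install, not what the included file changes, so someone auditing this smb.conf alone will not see that share-related settings are pulled in from a second file. I would expand it to something like `# Enables user-defined shares; settings live in usershares.conf (samba-usershares package)` and point readers at `testparm`, which the header of this file already recommends, to check the effective configuration. The include sits between `cups options = raw` and `[homes]`, so it appears to apply in `[global]`; presumably the included file is the one added later on this page with `usershare max shares = 100`.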
|
@ -0,0 +1,3 @@
|
||||||
|
[global]
|
||||||
|
usershare max shares = 100
|
||||||
|
usershare allow guests = yes
|
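Review bot: `usershare allow guests = yes` lets the users who create usershares mark them guest-accessible, so unauthenticated clients can reach data that an unprivileged local user chose to export; Samba's own default for this parameter is `no`. Combined with `usershare max shares = 100`, the packaged default turns the feature on in its most permissive form. Unless guest access is a stated requirement, I would ship `usershare allow guests = no` and add a comment such as `# set to yes only if unauthenticated access to user-created shares is intended`. Who may create usershares is decided by permissions on the usershare directory, which this file does not show.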
1310
SPECS/samba.spec
1310
SPECS/samba.spec
File diff suppressed because it is too large