Compare commits

..

No commits in common. "imports/c8s/samba-4.15.5-0.el8" and "c8" have entirely different histories.

19 changed files with 2626 additions and 2124 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/samba-4.15.5.tar.xz SOURCES/samba-4.19.4.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,2 +1,2 @@
f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz 6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA
tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX
KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9
j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt
b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY
0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v
/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj
+rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9
g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y
5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ
f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB
OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo=
=oc6g
-----END PGP SIGNATURE-----

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
+NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
=kOPP
-----END PGP SIGNATURE-----

View File

@ -1,30 +0,0 @@
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Tue, 27 Apr 2021 15:46:14 +1000
Subject: [PATCH] utils: Use Python 3
Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
---
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
index 000c6bb7208..7f5194eff0a 100755
--- a/ctdb/utils/etcd/ctdb_etcd_lock
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
--
2.31.1

View File

@ -1,764 +0,0 @@
From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 10 Dec 2021 16:08:04 +0100
Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
---
source3/utils/net_ads.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6ab4a0096b1..8f993f9ba4c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
char *cp;
const char *realm = NULL;
bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
ads->auth.password = smb_xstrdup(c->opt_password);
}
- ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
/*
* If the username is of the form "name@realm",
* extract the realm and convert to upper case.
--
2.33.1
From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Wed, 8 Dec 2021 16:05:17 +0100
Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 60fa2bf80cb..b91e2d15bcf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
.disconnect = ads_sasl_gensec_disconnect
};
-/*
+/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
#endif /* HAVE_KRB5 */
-/*
+/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
- /* the server sent us the first part of the SPNEGO exchange in the negprot
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism)
+ got_kerberos_mechanism)
{
mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
}
/* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
+ if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
goto done;
}
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
+ to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--
2.33.1
From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Thu, 9 Dec 2021 13:43:08 +0100
Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
---
source3/libads/sasl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b91e2d15bcf..992f7022a69 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
"for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
+ "try to fallback to NTLMSSP\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
--
2.33.1
From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 7 Jan 2022 10:31:19 +0100
Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 992f7022a69..ea98aa47ecd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("kinit succeeded but "
- "ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s\n",
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
- ads_errstr(status)));
+ ads_errstr(status));
}
}
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
goto done;
}
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s, "
- "try to fallback to NTLMSSP\n",
- p.service, p.hostname,
- ads->auth.user_name,
- ads->auth.realm,
- ads_errstr(status)));
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
}
#endif
--
2.33.1
From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 11:13:06 +0100
Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
without kerberos)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
---
source3/libads/sasl.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ea98aa47ecd..1bcfe0490a8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
" disallowed.\n");
--
2.33.1
From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 15:33:46 +0100
Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
---
.../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
new file mode 100755
index 00000000000..2822ab29d14
--- /dev/null
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 USERNAME PASSWORD
+EOF
+exit 1;
+fi
+
+USERNAME=$1
+PASSWORD=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_testparm="$BINDIR/testparm"
+samba_net="$BINDIR/net"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
--
2.33.1
From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 4 Jan 2022 12:00:20 +0100
Subject: [PATCH 07/10] s4:selftest: plan test suite
samba4.blackbox.test_weak_disable_ntlmssp_ldap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
---
source4/selftest/tests.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1e4b2ae6dd3..3a6a716f061 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
if have_gnutls_fips_mode_support:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
for env in ["ad_dc_fips", "ad_member_fips"]:
plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
--
2.33.1
From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:47:38 +0100
Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
---
source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 948c903f165..e415df347e6 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
- * when set to TRUE.
+ * when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
*
* Thanks to Ralf Haferkamp for input and testing - Guenther */
- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
- ADS_LDAP_MATCHING_RULE_BIT_AND,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
if (filter == NULL) {
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
struct wb_acct_info **info)
{
/*
- * This is a stub function only as we returned the domain
+ * This is a stub function only as we returned the domain
* local groups in enum_dom_groups() if the domain->native field
* was true. This is a simple performance optimization when
* using LDAP.
*
- * if we ever need to enumerate domain local groups separately,
+ * if we ever need to enumerate domain local groups separately,
* then this optimization in enum_dom_groups() will need
* to be split out
*/
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- const char *user_dn,
+ const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "invalid number of results (count=%d)\n",
+ "invalid number of results (count=%d)\n",
dom_sid_str_buf(sid, &buf),
count));
goto done;
}
if (!msg) {
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name,
dom_sid_str_buf(sid, &buf)));
goto done;
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- /* there must always be at least one group in the token,
+ /* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
/* lookup what groups this user is a member of by DN search on
* "member" */
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
"not map any SIDs at all.\n"));
/* Don't handle this as an error here.
- * There is nothing left to do with respect to the
+ * There is nothing left to do with respect to the
* overall result... */
}
else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
NETR_TRUST_FLAG_IN_FOREST;
} else {
flags = NETR_TRUST_FLAG_IN_FOREST;
- }
+ }
result = cm_connect_netlogon(domain, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
- "for PIPE_NETLOGON (%s)\n",
+ "for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
--
2.33.1
From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:44:54 +0100
Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
---
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
#include "../libds/common/flag_mapping.h"
#include "libsmb/samlogon_cache.h"
#include "passdb.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ADS_STATUS status;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
if (auth_realm == NULL) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
--
2.33.1
From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 21 Jan 2022 12:01:33 +0100
Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
---
source3/libnet/libnet_join.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 02705f1c70c..4c67e9af5c4 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
ADS_STATUS status;
ADS_STRUCT *my_ads = NULL;
char *cp;
+ enum credentials_use_kerberos krb5_state;
my_ads = ads_init(dns_domain_name,
netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
--
2.33.1

View File

@ -1,36 +0,0 @@
From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
Date: Mon, 24 Jan 2022 22:14:31 -0500
Subject: [PATCH] printing/bgqd: Disable systemd notifications
samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947
Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
---
source3/printing/samba-bgqd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index f21327fc622..59ed0cc40db 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ /* main process will notify systemd */
+ daemon_sd_notifications(false);
+
if (!cmdline_daemon_cfg->fork) {
daemon_status(progname, "Starting process ... ");
} else {
--
2.34.1

View File

@ -1,64 +0,0 @@
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Oct 2021 15:55:37 +0200
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
selftest/wscript | 2 +-
third_party/resolv_wrapper/wscript | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/selftest/wscript b/selftest/wscript
index a6be06c2ae9..85d9338489a 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
if os.environ.get('USE_NAMESPACES') is None:
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
env.OPTIONS += " --use-dns-faking"
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
index a7f18389b0f..7e369bd90b5 100644
--- a/third_party/resolv_wrapper/wscript
+++ b/third_party/resolv_wrapper/wscript
@@ -1,6 +1,7 @@
#!/usr/bin/env python
import os
+from waflib import Logs
VERSION="1.1.7"
@@ -49,6 +50,18 @@ def configure(conf):
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
+ Logs.warn("Detection for resolv_wrapper: "
+ "Only dns faking will be available")
+ else:
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
--
2.33.1

View File

@ -1,229 +0,0 @@
From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 22 Jan 2022 01:08:26 +0100
Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.
Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.
This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).
Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
---
librpc/rpc/dcesrv_auth.c | 5 +++++
librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
librpc/rpc/dcesrv_core.h | 2 ++
source3/rpc_server/rpc_config.c | 2 ++
source4/rpc_server/service_rpc.c | 10 ++++++++++
5 files changed, 37 insertions(+)
diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index fec8df513a83..99d8e0162160 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
auth->auth_level = call->in_auth_info.auth_level;
auth->auth_context_id = call->in_auth_info.auth_context_id;
+ cb->auth.become_root();
status = cb->auth.gensec_prepare(
auth,
call,
&auth->gensec_security,
cb->auth.private_data);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
nt_errstr(status)));
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
{
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
const char *pdu = "<unknown>";
switch (call->pkt.ptype) {
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
return status;
}
+ cb->auth.become_root();
status = gensec_session_info(auth->gensec_security,
auth,
&auth->session_info);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n",
nt_errstr(status)));
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index d16159b0b6cd..ea91fc689b4a 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
struct dcerpc_binding *ep_2nd_description = NULL;
const char *endpoint = NULL;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
struct tevent_req *subreq = NULL;
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct tevent_req *subreq = NULL;
NTSTATUS status;
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
return NT_STATUS_OK;
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct tevent_req *subreq = NULL;
size_t i;
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index d8d5f9030959..0538442e0ce6 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
struct gensec_security **out,
void *private_data);
void *private_data;
+ void (*become_root)(void);
+ void (*unbecome_root)(void);
} auth;
struct {
NTSTATUS (*find)(
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 2f1a01da1c0b..289c4f398409 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -31,6 +31,8 @@
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = dcesrv_log_successful_authz,
.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
+ .auth.become_root = become_root,
+ .auth.unbecome_root = unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index d8c6746d7815..ebb50f8a7ef3 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -40,9 +40,19 @@
#include "../libcli/named_pipe_auth/npa_tstream.h"
#include "samba/process_model.h"
+static void skip_become_root(void)
+{
+}
+
+static void skip_unbecome_root(void)
+{
+}
+
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = log_successful_dcesrv_authz_event,
.auth.gensec_prepare = dcesrv_gensec_prepare,
+ .auth.become_root = skip_become_root,
+ .auth.unbecome_root = skip_unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
--
2.25.1

View File

@ -1,697 +0,0 @@
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
source4/kdc/mit_samba.c | 47 ++-------
source4/kdc/mit_samba.h | 6 +-
3 files changed, 71 insertions(+), 106 deletions(-)
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..b1c7c5dcc5e 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
- krb5_pac *pac)
+ krb5_pac *out_pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
- krb5_pac ipac = NULL;
- DATA_BLOB logon_data = { NULL, 0 };
+ krb5_keyblock *header_server_key = NULL;
+ krb5_key_data *impersonator_kd = NULL;
+ krb5_keyblock impersonator_key = {0};
krb5_error_code code;
+ krb5_pac pac;
+
+ *out_pac = NULL;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
- &ipac);
+ &pac);
if (code != 0) {
goto done;
}
- /* TODO: verify this is correct
- *
- * In the constrained delegation case, the PAC is from a service
- * ticket rather than a TGT; we must verify the server and KDC
- * signatures to assert that the server did not forge the PAC.
+ /*
+ * For constrained delegation in MIT version < 1.18 we aren't provided
+ * with the 2nd ticket server key to verify the PAC.
+ * We can workaround that by fetching the key from the client db entry,
+ * which is the impersonator account in that version.
+ * TODO: use the provided entry in the new 1.18 version.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- server_key,
- krbtgt_key);
+ /* The impersonator must be local. */
+ if (client == NULL) {
+ code = KRB5KDC_ERR_BADOPTION;
+ goto done;
+ }
+ /* Fetch and decrypt 2nd ticket server's current key. */
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+ &impersonator_kd);
+ if (code != 0) {
+ goto done;
+ }
+ code = krb5_dbe_decrypt_key_data(context, NULL,
+ impersonator_kd,
+ &impersonator_key, NULL);
+ if (code != 0) {
+ goto done;
+ }
+ header_server_key = &impersonator_key;
} else {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- krbtgt_key,
- NULL);
- }
- if (code != 0) {
- goto done;
+ header_server_key = krbtgt_key;
}
- /* check and update PAC */
- code = krb5_pac_parse(context,
- authdata[0]->contents,
- authdata[0]->length,
- pac);
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
+ header_server_key, NULL);
if (code != 0) {
goto done;
}
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
- client_princ,
client,
server,
krbtgt,
krbtgt_key,
- pac);
+ &pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ *out_pac = pac;
+ pac = NULL;
done:
+ krb5_free_keyblock_contents(context, &impersonator_key);
krb5_free_authdata(context, authdata);
- krb5_pac_free(context, ipac);
- free(logon_data.data);
+ krb5_pac_free(context, pac);
return code;
}
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **pac_auth_data = NULL;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
+ krb5_const_principal pac_client;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- /* FIXME: We don't support S4U yet */
- if (flags & KRB5_KDB_FLAGS_S4U) {
- return KRB5_KDB_DBTYPE_NOSUP;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/*
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
ks_client_princ = client->princ;
}
+ /* In protocol transition, we are currently not provided with the tgt
+ * client name to verify the PAC, we could probably skip the name
+ * verification and just verify the signatures, but since we don't
+ * support cross-realm nor aliases, we can just use server->princ */
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ pac_client = server->princ;
+ } else {
+ pac_client = ks_client_princ;
+ }
+
if (client_entry == NULL) {
client_entry = client;
}
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ pac_client,
client_entry,
server,
krbtgt,
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
is_as_req ? "AS-REQ" : "TGS-REQ",
client_name);
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
- server_key, krbtgt_key, &pac_data);
+ server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
- if (code != 0) {
- goto done;
- }
-
- code = 0;
-
done:
if (client_entry != NULL && client_entry != client) {
ks_free_principal(context, client_entry);
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
* server; -> delegating service
* proxy; -> target principal
*/
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
- char *target_name = NULL;
- bool is_enterprise;
- krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
- code = krb5_unparse_name(context, proxy, &target_name);
- if (code) {
- goto done;
- }
-
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
- code = mit_samba_check_s4u2proxy(mit_ctx,
- delegating_service,
- target_name,
- is_enterprise);
-
-done:
- free(target_name);
- return code;
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
}
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..acc3cba6254 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
- discard_const(client_principal),
+ client->princ,
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name)
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal)
{
-#if 1
- /*
- * This is disabled because mit_samba_update_pac_data() does not handle
- * S4U_DELEGATION_INFO
- */
-
- return KRB5KDC_ERR_BADOPTION;
-#else
- krb5_principal target_principal;
- int flags = 0;
- int ret;
-
- if (is_nt_enterprise_name) {
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
- }
-
- ret = krb5_parse_name_flags(ctx->context, target_name,
- flags, &target_principal);
- if (ret) {
- return ret;
- }
-
- ret = samba_kdc_check_s4u2proxy(ctx->context,
- ctx->db_ctx,
- skdc_entry,
- target_principal);
-
- krb5_free_principal(ctx->context, target_principal);
-
- return ret;
-#endif
+ struct samba_kdc_entry *server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ return samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ server_skdc_entry,
+ target_principal);
}
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index 636c77ec97c..9cb00c9610e 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
DATA_BLOB *e_data);
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name);
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal);
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.33.1
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 2 -
source4/auth/kerberos/kerberos_util.c | 11 --
3 files changed, 185 insertions(+), 13 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..791b417d5ba 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+ krb5_principal a,
+ krb5_principal b)
+{
+ bool cmp;
+ krb5_principal mod = NULL;
+
+ if (a->length == 1 && b->length == 1 &&
+ a->data[0].length != 0 && b->data[0].length != 0 &&
+ a->data[0].data[a->data[0].length -1] !=
+ b->data[0].data[b->data[0].length -1]) {
+ if (a->data[0].data[a->data[0].length -1] == '$') {
+ mod = a;
+ mod->data[0].length--;
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
+ mod = b;
+ mod->data[0].length--;
+ }
+ }
+
+ cmp = krb5_principal_compare_flags(ctx, a, b,
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+ if (mod != NULL) {
+ mod->data[0].length++;
+ }
+
+ return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ krb5_ccache store_cc,
+ krb5_principal init_principal,
+ const char *init_password,
+ krb5_principal impersonate_principal,
+ const char *self_service,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code;
+ krb5_principal self_princ = NULL;
+ krb5_principal target_princ = NULL;
+ krb5_creds *store_creds;
+ krb5_creds *s4u2self_creds = NULL;
+ krb5_creds *s4u2proxy_creds = NULL;
+ krb5_creds init_creds = {0};
+ krb5_creds mcreds = {0};
+ krb5_flags options = KRB5_GC_NO_STORE;
+ krb5_ccache tmp_cc;
+ bool s4u2proxy;
+
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_get_init_creds_password(ctx, &init_creds,
+ init_principal,
+ init_password,
+ NULL, NULL,
+ 0,
+ NULL,
+ krb_options);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * Check if we also need S4U2Proxy or if S4U2Self is
+ * enough in order to get a ticket for the target.
+ */
+ if (target_service == NULL) {
+ s4u2proxy = false;
+ } else if (strcmp(target_service, self_service) == 0) {
+ s4u2proxy = false;
+ } else {
+ s4u2proxy = true;
+ }
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+ * client and the request server to be the same principal name. */
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ mcreds.client = impersonate_principal;
+ mcreds.server = init_creds.client;
+
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+ NULL, &s4u2self_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (s4u2proxy) {
+ code = krb5_parse_name(ctx, target_service, &target_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ mcreds.client = init_creds.client;
+ mcreds.server = target_princ;
+ mcreds.second_ticket = s4u2self_creds->ticket;
+
+ code = krb5_get_credentials(ctx, options |
+ KRB5_GC_CONSTRAINED_DELEGATION,
+ tmp_cc, &mcreds, &s4u2proxy_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* Check KDC support of S4U2Proxy extension */
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+ s4u2proxy_creds->client)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ store_creds = s4u2proxy_creds;
+ } else {
+ store_creds = s4u2self_creds;;
+
+ /* We need to save the ticket with the requested server name
+ * or the caller won't be able to find it in cache. */
+ if (!krb5_principal_compare(ctx, self_princ,
+ store_creds->server)) {
+ krb5_free_principal(ctx, store_creds->server);
+ store_creds->server = NULL;
+ code = krb5_copy_principal(ctx, self_princ,
+ &store_creds->server);
+ if (code != 0) {
+ goto done;
+ }
+ }
+ }
+
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) store_creds->times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) store_creds->times.starttime;
+ }
+
+done:
+ krb5_cc_destroy(ctx, tmp_cc);
+ krb5_free_cred_contents(ctx, &init_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ krb5_free_creds(ctx, s4u2proxy_creds);
+ krb5_free_principal(ctx, self_princ);
+ krb5_free_principal(ctx, target_princ);
+
+ return code;
+}
#endif
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index eab67f6d969..b5385c69a33 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#endif
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
{
krb5_error_code ret;
const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
const char *self_service;
-#endif
const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
@@ -268,9 +266,7 @@ done:
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL
self_service = cli_credentials_get_self_service(credentials);
-#endif
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
#endif
if (password) {
if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
ccache,
princ,
@@ -342,12 +337,6 @@ done:
krb_options,
NULL,
&kdc_time);
-#else
- talloc_free(mem_ctx);
- (*error_string) = "INTERNAL error: s4u2 ops "
- "are not supported with MIT build yet";
- return EINVAL;
-#endif
} else {
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.33.1
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
---
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 8 ++++++--
source4/kdc/mit_samba.c | 3 +++
source4/kdc/sdb.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..d16b4c3329a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
+ * the canonical name in all lookups, and takes care to canonicalize
+ * only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index acc3cba6254..f0b9df8b613 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
+#if KRB5_KDB_API_VERSION >= 10
+ sflags |= SDB_F_FORCE_CANON;
+#endif
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
--
2.33.1

View File

@ -0,0 +1,2 @@
#Type Name ID
g printadmin -

View File

@ -0,0 +1,2 @@
#Type Name ID
g usershares -

View File

@ -0,0 +1,2 @@
#Type Name ID
g wbpriv 88

5
SOURCES/samba.abignore Normal file
View File

@ -0,0 +1,5 @@
#################################################
# This is a grouping library without any code
#################################################
[suppress_file]
file_name_regexp=.*libdcerpc-samr\\.so.*

View File

@ -281,7 +281,7 @@
[printers] [printers]
comment = All Printers comment = All Printers
path = /var/spool/samba path = /var/tmp
browseable = no browseable = no
guest ok = no guest ok = no
writable = no writable = no

View File

@ -2,6 +2,10 @@
# read the smb.conf manpage. # read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after # Run 'testparm' to verify the config is correct after
# you modified it. # you modified it.
#
# Note:
# SMB1 is disabled by default. This means clients without support for SMB2 or
# SMB3 are no longer able to connect to smbd (by default).
[global] [global]
workgroup = SAMBA workgroup = SAMBA
@ -14,6 +18,9 @@
load printers = yes load printers = yes
cups options = raw cups options = raw
# Install samba-usershares package for support
include = /etc/samba/usershares.conf
[homes] [homes]
comment = Home Directories comment = Home Directories
valid users = %S, %D%w%S valid users = %S, %D%w%S

View File

@ -0,0 +1,3 @@
[global]
usershare max shares = 100
usershare allow guests = yes

File diff suppressed because it is too large Load Diff