Tree - rpms/ipa - CentOS Git server

rpms / ipa

Blame SOURCES/0008-Support-Samba-4.9.patch

Blob History Raw

		86baa9	`From 9650b233bdbda82bcbb447a3fc94523655cabc39 Mon Sep 17 00:00:00 2001`
		86baa9	`From: Alexander Bokovoy <abokovoy@redhat.com>`
		86baa9	`Date: Fri, 21 Sep 2018 10:57:23 +0300`
		86baa9	`Subject: [PATCH] Support Samba 4.9`
		86baa9
		86baa9	`Samba 4.9 became a bit more strict about creating a local NT token and a`
		86baa9	`failure to resolve or create BUILTIN\Guests group will cause a rejection`
		86baa9	`of the connection for a successfully authenticated one.`
		86baa9
		86baa9	`Add a default mapping of the nobody group to BUILTIN\Guests.`
		86baa9
		86baa9	`BUILTIN\Guests is a special group SID that is added to the NT token for`
		86baa9	`authenticated users.`
		86baa9
		86baa9	`For real guests there is 'guest account' option in smb.conf which`
		86baa9	`defaults to 'nobody' user.`
		86baa9
		86baa9	`This was implicit behavior before as 'guest account = nobody' by`
		86baa9	`default would pick up 'nobody' group as well.`
		86baa9
		86baa9	`Fixes: https://pagure.io/freeipa/issue/7705`
		86baa9	`Reviewed-By: Rob Crittenden <rcritten@redhat.com>`
		86baa9	`(cherry picked from commit 703497532abe4189835d0a02b32f9919c889bc1c)`
		86baa9
		86baa9	`Reviewed-By: Christian Heimes <cheimes@redhat.com>`
		86baa9	`---`
		86baa9	`.../updates/90-post_upgrade_plugins.update \| 1 +`
		86baa9	`ipaserver/install/adtrustinstance.py \| 14 +++++++++++++`
		86baa9	`ipaserver/install/plugins/adtrust.py \| 20 ++++++++++++++++++-`
		86baa9	`3 files changed, 34 insertions(+), 1 deletion(-)`
		86baa9
		86baa9	`diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update`
		86baa9	`index bbc3e29422fc0f139c2ca68a7033863e4c25f8cf..4e9378d9b567842e1cc9a8eeae819a931810895d 100644`
		86baa9	`--- a/install/updates/90-post_upgrade_plugins.update`
		86baa9	`+++ b/install/updates/90-post_upgrade_plugins.update`
		86baa9	`@@ -19,6 +19,7 @@ plugin: update_fix_duplicate_cacrt_in_ldap`
		86baa9	`plugin: update_upload_cacrt`
		86baa9	`# update_ra_cert_store has to be executed after update_ca_renewal_master`
		86baa9	`plugin: update_ra_cert_store`
		86baa9	`+plugin: update_mapping_Guests_to_nobody`
		86baa9
		86baa9	`# last`
		86baa9	`# DNS version 1`
		86baa9	`diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py`
		86baa9	`index e787fccb9482809b180012ed8e7be2e5a6494f93..d6b8f5cfa66c0cfbc6d47906703fc09c3e961a53 100644`
		86baa9	`--- a/ipaserver/install/adtrustinstance.py`
		86baa9	`+++ b/ipaserver/install/adtrustinstance.py`
		86baa9	`@@ -120,6 +120,15 @@ def make_netbios_name(s):`
		86baa9	`return ''.join([c for c in s.split('.')[0].upper() \`
		86baa9	`if c in ALLOWED_NETBIOS_CHARS])[:15]`
		86baa9
		86baa9	`+`
		86baa9	`+def map_Guests_to_nobody():`
		86baa9	`+ env = {'LC_ALL': 'C'}`
		86baa9	`+ args = [paths.NET, 'groupmap', 'add', 'sid=S-1-5-32-546',`
		86baa9	`+ 'unixgroup=nobody', 'type=builtin']`
		86baa9	`+`
		86baa9	`+ logger.debug("Map BUILTIN\\Guests to a group 'nobody'")`
		86baa9	`+ ipautil.run(args, env=env, raiseonerr=False, capture_error=True)`
		86baa9	`+`
		86baa9	`class ADTRUSTInstance(service.Service):`
		86baa9
		86baa9	`ATTR_SID = "ipaNTSecurityIdentifier"`
		86baa9	`@@ -532,6 +541,9 @@ class ADTRUSTInstance(service.Service):`
		86baa9	`tmp_conf.flush()`
		86baa9	`ipautil.run([paths.NET, "conf", "import", tmp_conf.name])`
		86baa9
		86baa9	`+ def __map_Guests_to_nobody(self):`
		86baa9	`+ map_Guests_to_nobody()`
		86baa9	`+`
		86baa9	`def __setup_group_membership(self):`
		86baa9	`# Add the CIFS and host principals to the 'adtrust agents' group`
		86baa9	`# as 389-ds only operates with GroupOfNames, we have to use`
		86baa9	`@@ -833,6 +845,8 @@ class ADTRUSTInstance(service.Service):`
		86baa9	`self.__create_samba_domain_object)`
		86baa9	`self.step("creating samba config registry", self.__write_smb_registry)`
		86baa9	`self.step("writing samba config file", self.__write_smb_conf)`
		86baa9	`+ self.step("map BUILTIN\\Guests to nobody group",`
		86baa9	`+ self.__map_Guests_to_nobody)`
		86baa9	`self.step("adding cifs Kerberos principal",`
		86baa9	`self.request_service_keytab)`
		86baa9	`self.step("adding cifs and host Kerberos principals to the adtrust agents group", \`
		86baa9	`diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py`
		86baa9	`index bec5a09c1c129b1129f31e3df59a2fa87aac0691..1f50bef891770c53a9086c7aa36d0ee1f088fbe6 100644`
		86baa9	`--- a/ipaserver/install/plugins/adtrust.py`
		86baa9	`+++ b/ipaserver/install/plugins/adtrust.py`
		86baa9	`@@ -23,7 +23,8 @@ from ipalib import Registry, errors`
		86baa9	`from ipalib import Updater`
		86baa9	`from ipapython.dn import DN`
		86baa9	`from ipaserver.install import sysupgrade`
		86baa9	`-from ipaserver.install.adtrustinstance import ADTRUSTInstance`
		86baa9	`+from ipaserver.install.adtrustinstance import (`
		86baa9	`+ ADTRUSTInstance, map_Guests_to_nobody)`
		86baa9
		86baa9	`logger = logging.getLogger(__name__)`
		86baa9
		86baa9	`@@ -382,3 +383,20 @@ class update_tdo_gidnumber(Updater):`
		86baa9	`return False, ()`
		86baa9
		86baa9	`return False, ()`
		86baa9	`+`
		86baa9	`+`
		86baa9	`+@register()`
		86baa9	`+class update_mapping_Guests_to_nobody(Updater):`
		86baa9	`+ """`
		86baa9	`+ Map BUILTIN\\Guests group to nobody`
		86baa9	`+`
		86baa9	`+ Samba 4.9 became more strict on availability of builtin Guests group`
		86baa9	`+ """`
		86baa9	`+ def execute(self, **options):`
		86baa9	`+ # First, see if trusts are enabled on the server`
		86baa9	`+ if not self.api.Command.adtrust_is_enabled()['result']:`
		86baa9	`+ logger.debug('AD Trusts are not enabled on this server')`
		86baa9	`+ return False, []`
		86baa9	`+`
		86baa9	`+ map_Guests_to_nobody()`
		86baa9	`+ return False, []`
		86baa9	`--`
		86baa9	`2.20.1`
		86baa9

rpms / ipa

Source Code

Blame SOURCES/0008-Support-Samba-4.9.patch