From 6729ff37a82902375e2d743cb82492168bf5713d Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Apr 04 2014 11:04:36 +0000 Subject: import samba-4.1.1-31.el7.src.rpm --- diff --git a/.samba.metadata b/.samba.metadata index 8d59ac5..e66477a 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1 +1 @@ -0a30103eaf9664c67d6af76d098b53fde7e6de3a SOURCES/samba-4.1.0.tar.xz +7858cf2570eb436e7b50ddfc4acf23844cf83179 SOURCES/samba-4.1.1.tar.xz diff --git a/SOURCES/samba-4.1.0-upn.patch b/SOURCES/samba-4.1.0-upn.patch new file mode 100644 index 0000000..b5caa31 --- /dev/null +++ b/SOURCES/samba-4.1.0-upn.patch 
@@ -0,0 +1,53 @@ +From d161c173088ce82ea11a914ce62c5b77af9f4f9f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 6 Nov 2013 18:21:32 +0100 +Subject: [PATCH] s3-libnetjoin: use upper-case realm when composing default + upn. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In case we are about to generate a keytab during the join make sure the default +upn we create is usable with kinit -k. + +Guenther + +Signed-off-by: Günther Deschner +--- + source3/libnet/libnet_join.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 2dcb920..b84fcd6 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -449,10 +449,25 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx, + } + + if (!r->in.upn) { ++ char *realm = r->out.dns_domain_name; ++ ++ /* in case we are about to generate a keytab during the join ++ * make sure the default upn we create is usable with kinit -k. ++ * gd */ ++ ++ if (USE_KERBEROS_KEYTAB) { ++ realm = talloc_strdup_upper(mem_ctx, ++ r->out.dns_domain_name); ++ } ++ ++ if (!realm) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ + r->in.upn = talloc_asprintf(mem_ctx, + "host/%s@%s", + r->in.machine_name, +- r->out.dns_domain_name); ++ realm); + if (!r->in.upn) { + return ADS_ERROR(LDAP_NO_MEMORY); + } +-- +1.8.3.1 + diff --git a/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch b/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch new file mode 100644 index 0000000..85362d1 --- /dev/null +++ b/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch @@ -0,0 +1,38 @@ +commit 45a1cbb7514f9db5fe2d7c2207d7723092aa164d +Author: Volker Lendecke +AuthorDate: Thu Jul 11 14:57:53 2013 +0200 +Commit: Karolin Seeger +CommitDate: Mon Oct 14 10:11:48 2013 +0200 + + ccan: Fix calling memset with zero length parameter + + 
Signed-off-by: Volker Lendecke + Reviewed-by: Andreas Schneider + + Autobuild-User(master): Andreas Schneider + Autobuild-Date(master): Thu Jul 11 16:55:49 CEST 2013 on sn-devel-104 + + Signed-off-by: Andreas Schneider + + Fix bug #10190 - Fix memset used with constant zero length parameter. +--- + lib/ccan/tally/tally.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/ccan/tally/tally.c b/lib/ccan/tally/tally.c +index 774373c..29f0555 100644 +--- a/lib/ccan/tally/tally.c ++++ b/lib/ccan/tally/tally.c +@@ -506,11 +506,11 @@ char *tally_histogram(const struct tally *tally, + + if (count > covered) { + count -= covered; ++ memset(p, '*', count); + } else { + count = 0; + } + +- memset(p, '*', count); + p += count; + *p = '\n'; + p++; diff --git a/SOURCES/samba-4.1.2-doc.patch b/SOURCES/samba-4.1.2-doc.patch new file mode 100644 index 0000000..93aa45c --- /dev/null +++ b/SOURCES/samba-4.1.2-doc.patch 
@@ -0,0 +1,4246 @@ +From 1573638212a9733a44939a4d38a226f38dca36f1 Mon Sep 17 00:00:00 2001 +From: Michele Baldessari +Date: Tue, 9 Jul 2013 23:23:33 +0200 +Subject: [PATCH] Fix typos in man-pages + +Fix some typos in the man-pages. + +Signed-off-by: Michele Baldessari +Reviewed-by: Simo Sorce + +Autobuild-User(master): Simo Sorce +Autobuild-Date(master): Wed Jul 10 16:45:07 CEST 2013 on sn-devel-104 +--- + docs-xml/manpages/dbwrap_tool.1.xml | 2 +- + docs-xml/manpages/idmap_autorid.8.xml | 2 +- + docs-xml/manpages/net.8.xml | 2 +- + docs-xml/manpages/pdbedit.8.xml | 2 +- + docs-xml/manpages/samba.7.xml | 2 +- + docs-xml/manpages/smbclient.1.xml | 2 +- + docs-xml/manpages/smbpasswd.5.xml | 2 +- + docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml +index e2b2cee..a1a2f97 100644 +--- a/docs-xml/manpages/dbwrap_tool.1.xml ++++ b/docs-xml/manpages/dbwrap_tool.1.xml +@@ -49,7 +49,7 @@ + fetch: fetch a record + store: create or modify a record + delete: remove a record +- exists: test for existance of a record ++ exists: test for existence of a record + erase: remove all records + listkeys: list all available records + listwatchers: list processes, which are waiting for changes in a record +diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml +index c35f903..7446d53 100644 +--- a/docs-xml/manpages/idmap_autorid.8.xml ++++ b/docs-xml/manpages/idmap_autorid.8.xml +@@ -109,7 +109,7 @@ + EXAMPLES + + This example shows you the minimal configuration that will +- work for the principial domain and 19 trusted domains / range ++ work for the principal domain and 19 trusted domains / range + extensions. 
+ + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index dd5b3ab..0df2e07 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1671,7 +1671,7 @@ shares created by other users. + + Starting with version 3.2.0, a Samba server can be configured by data + stored in registry. This configuration data can be edited with the new "net +-conf" commands. There is also the possiblity to configure a remote Samba server ++conf" commands. There is also the possibility to configure a remote Samba server + by enabling the RPC conf mode and specifying the the address of the remote server. + + +diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml +index 4bb3751..c5d6b23 100644 +--- a/docs-xml/manpages/pdbedit.8.xml ++++ b/docs-xml/manpages/pdbedit.8.xml +@@ -289,7 +289,7 @@ retype new password + + + +- pdbedit does not call the unix password syncronisation ++ pdbedit does not call the unix password synchronization + script if + has been set. It only updates the data in the Samba + user database. +diff --git a/docs-xml/manpages/samba.7.xml b/docs-xml/manpages/samba.7.xml +index 9299660..cedb4e4 100644 +--- a/docs-xml/manpages/samba.7.xml ++++ b/docs-xml/manpages/samba.7.xml +@@ -91,7 +91,7 @@ + 8 + The samba-tool + is the main Samba Administration tool regarding +- Acitive Directory services. ++ Active Directory services. + + + +diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml +index 328fd50..b222c56 100644 +--- a/docs-xml/manpages/smbclient.1.xml ++++ b/docs-xml/manpages/smbclient.1.xml +@@ -564,7 +564,7 @@ + sent to the server on directory listings and file opens. If + the "backup intent" flag is true, the server will try and + bypass some file system checks if the user has been granted +- SE_BACKUP or SE_RESTORE privilages. This state is useful when ++ SE_BACKUP or SE_RESTORE privileges. This state is useful when + performing a backup or restore operation. 
+ + +diff --git a/docs-xml/manpages/smbpasswd.5.xml b/docs-xml/manpages/smbpasswd.5.xml +index fc512b8..986dedb 100644 +--- a/docs-xml/manpages/smbpasswd.5.xml ++++ b/docs-xml/manpages/smbpasswd.5.xml +@@ -39,7 +39,7 @@ + The format of the smbpasswd file used by Samba 2.2 + is very similar to the familiar Unix passwd(5) + file. It is an ASCII file containing one line for each user. Each field +- ithin each line is separated from the next by a colon. Any entry ++ within each line is separated from the next by a colon. Any entry + beginning with '#' is ignored. The smbpasswd file contains the + following information for each user: + +diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml +index 0daafc6..38644e7 100644 +--- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml ++++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml +@@ -139,7 +139,7 @@ + The module now can identify itself against the receiver with a sub-release number, where + the receiver may run with a different sub-release number than the module. However, as + long as both run on the V2.x protocol, the receiver will not crash, even if the module +- uses features only implemented in the newer subrelease. Ultimatively, if the module uses ++ uses features only implemented in the newer subrelease. Ultimately, if the module uses + a new feature from a newer subrelease, and the receiver runs an older protocol, it is just + ignoring the functionality. Of course it is best to have both the receiver and the module + running the same subrelease of the protocol. +-- +1.8.3.1 + +From 16a873bf7c5c3d236e4bc107953dc6f3159764a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:42:06 +0200 +Subject: [PATCH 01/83] docs: remove duplicate word "the" in idmap_ad manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/idmap_ad.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml +index 2ae490b..56378c1 100644 +--- a/docs-xml/manpages/idmap_ad.8.xml ++++ b/docs-xml/manpages/idmap_ad.8.xml +@@ -31,7 +31,7 @@ + + + Currently, the ad backend +- does not work as the the default idmap backend, but one has ++ does not work as the default idmap backend, but one has + to configure it separately for each domain for which one wants + to use it, using disjoint ranges. One usually needs to configure + a writeable default idmap range, using for example the +-- +1.8.3.1 + + +From f17f61a4c0d5c13a273eae0b72521e464b1d3d8f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:44:12 +0200 +Subject: [PATCH 02/83] docs: remove duplicate word "name" in nmblookup + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmblookup.1.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml +index bb4bd96..12c707f 100644 +--- a/docs-xml/manpages/nmblookup.1.xml ++++ b/docs-xml/manpages/nmblookup.1.xml +@@ -57,7 +57,7 @@ + + -M + Searches for a master browser by looking +- up the NetBIOS name name with a ++ up the NetBIOS name with a + type of 0x1d. If + name is "-" then it does a lookup on the special name + __MSBROWSE__. 
Please note that in order to +-- +1.8.3.1 + + +From 4112eb0529780113716c6032561504196be8235f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:45:21 +0200 +Subject: [PATCH 03/83] docs: remove duplicate word "name" in nmblookup4 + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + libcli/nbt/man/nmblookup4.1.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libcli/nbt/man/nmblookup4.1.xml b/libcli/nbt/man/nmblookup4.1.xml +index 198afec..b6fe48c 100644 +--- a/libcli/nbt/man/nmblookup4.1.xml ++++ b/libcli/nbt/man/nmblookup4.1.xml +@@ -57,7 +57,7 @@ + + -M + Searches for a master browser by looking +- up the NetBIOS name name with a ++ up the NetBIOS name with a + type of 0x1d. If + name is "-" then it does a lookup on the special name + __MSBROWSE__. Please note that in order to +-- +1.8.3.1 + + +From e320d57ed6a4d732980656eb01a5f777357f9715 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:50:28 +0200 +Subject: [PATCH 04/83] docs: remove duplicate arguments listing in regdiff + manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source4/lib/registry/man/regdiff.1.xml | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/source4/lib/registry/man/regdiff.1.xml b/source4/lib/registry/man/regdiff.1.xml +index 3fe965c..23aae34 100644 +--- a/source4/lib/registry/man/regdiff.1.xml ++++ b/source4/lib/registry/man/regdiff.1.xml +@@ -21,11 +21,8 @@ + regdiff + --help + --backend=BACKEND +- --backend=BACKEND +- --credentials=CREDENTIALS + --credentials=CREDENTIALS + location +- location + + + +-- +1.8.3.1 + + +From d33ca796071a2a6f8bf65d6eed2fe159a75de8c5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:55:03 +0200 +Subject: [PATCH 05/83] docs: remove duplicate word "the" in winbindd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/winbindd.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml +index 5100493..1cb49ca 100644 +--- a/docs-xml/manpages/winbindd.8.xml ++++ b/docs-xml/manpages/winbindd.8.xml +@@ -364,7 +364,7 @@ auth required /lib/security/pam_unix.so \ + be the same. The user and group ids will only be valid for the local + machine, unless a shared is configured. + +- If the the Windows NT SID to UNIX user and group id mapping ++ If the Windows NT SID to UNIX user and group id mapping + file is damaged or destroyed then the mappings will be lost. + + +-- +1.8.3.1 + + +From 6a0b75f901052234f35d4ba596754e7714af7e87 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:58:45 +0200 +Subject: [PATCH 06/83] docs: remove duplicate mention of "smbtorture" in + smbtorture manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source4/torture/man/smbtorture.1.xml | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/source4/torture/man/smbtorture.1.xml b/source4/torture/man/smbtorture.1.xml +index 9b70b9b..09e19ed 100644 +--- a/source4/torture/man/smbtorture.1.xml ++++ b/source4/torture/man/smbtorture.1.xml +@@ -19,10 +19,6 @@ + + + smbtorture +- +- +- +- smbtorture + //server/share + -d debuglevel + -U user%pass +-- +1.8.3.1 + + +From e003650f5cf0b9581da00ad39b0784aab074119b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 17:59:22 +0200 +Subject: [PATCH 07/83] docs: remove duplicate mention of "ntdbtool" in + ntdbtool manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + lib/ntdb/man/ntdbtool.8.xml | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/lib/ntdb/man/ntdbtool.8.xml b/lib/ntdb/man/ntdbtool.8.xml +index a23a48e..7e6530c 100644 +--- a/lib/ntdb/man/ntdbtool.8.xml ++++ b/lib/ntdb/man/ntdbtool.8.xml +@@ -20,10 +20,6 @@ + + + ntdbtool +- +- +- +- ntdbtool + + NTDBFILE + +-- +1.8.3.1 + + +From 56cff0b3f40b98c0d00323eb94a2204af6c48fed Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 18:00:02 +0200 +Subject: [PATCH 08/83] docs: remove duplicate mention of "smbta-util" in + smbta-util manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbta-util.8.xml | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/docs-xml/manpages/smbta-util.8.xml b/docs-xml/manpages/smbta-util.8.xml +index ef38926..3925e87 100644 +--- a/docs-xml/manpages/smbta-util.8.xml ++++ b/docs-xml/manpages/smbta-util.8.xml +@@ -20,10 +20,6 @@ + + + smbta-util +- +- +- +- smbta-util + + COMMANDS + +-- +1.8.3.1 + + +From a2a7991624fa273b01898a26c86f951b928525e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 18:02:47 +0200 +Subject: [PATCH 09/83] docs: remove duplicate word "trust" from net manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 2f04deb..aad5fb5 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -877,7 +877,7 @@ net rpc trust create \ + + RPC TRUST DELETE + +-Delete a trust trust object by calling lsaDeleteTrustedDomain. ++Delete a trust object by calling lsaDeleteTrustedDomain. + The can be done on a single server or on two servers at once. + + Options: +-- +1.8.3.1 + + +From 93f32c777c1a36d9d4dc91b6aa1e9e14ee13fb91 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 14 Oct 2013 18:03:14 +0200 +Subject: [PATCH 10/83] docs: remove duplicate word "the" from net manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index aad5fb5..5fa042e 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -1737,7 +1737,7 @@ shares created by other users. + Starting with version 3.2.0, a Samba server can be configured by data + stored in registry. This configuration data can be edited with the new "net + conf" commands. There is also the possibility to configure a remote Samba server +-by enabling the RPC conf mode and specifying the the address of the remote server. ++by enabling the RPC conf mode and specifying the address of the remote server. + + + +-- +1.8.3.1 + + +From 05db55af943e50bd8f7b29f8210f32350239ea59 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 15 Oct 2013 15:11:33 +0200 +Subject: [PATCH 11/83] docs: mention more options in winbindd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/winbindd.8.xml | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml +index 1cb49ca..f6aad3f 100644 +--- a/docs-xml/manpages/winbindd.8.xml ++++ b/docs-xml/manpages/winbindd.8.xml +@@ -20,13 +20,13 @@ + + + winbindd +- -D +- -F +- -S +- -i ++ -D|--daemon ++ -F|--foreground ++ -S|--stdout ++ -i|--interactive + -d <debug level> + -s <smb config file> +- -n ++ -n|--no-caching + + + +@@ -135,7 +135,7 @@ hosts: files wins + + + +- -D ++ -D|--daemon + If specified, this parameter causes + the server to operate as a daemon. 
That is, it detaches + itself and runs in the background on the appropriate port. +@@ -145,7 +145,7 @@ hosts: files wins + + + +- -F ++ -F|--foreground + If specified, this parameter causes + the main winbindd process to not daemonize, + i.e. double-fork and disassociate with the terminal. +@@ -160,7 +160,7 @@ hosts: files wins + + + +- -S ++ -S|--stdout + If specified, this parameter causes + winbindd to log to standard output rather + than a file. +@@ -171,7 +171,7 @@ hosts: files wins + &stdarg.help; + + +- -i ++ -i|--interactive + Tells winbindd to not + become a daemon and detach from the current terminal. This + option is used by developers when interactive debugging +@@ -182,7 +182,7 @@ hosts: files wins + + + +- -n ++ -n|--no-caching + Disable some caching. This means winbindd will + often have to wait for a response from the domain controller + before it can respond to a client and this thus makes things +-- +1.8.3.1 + + +From b5fa1139a4e9ef7bd79ace6efe7bf06af595daa4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 15:19:59 +0100 +Subject: [PATCH 12/83] docs: mention --no-process-group in winbindd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/winbindd.8.xml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml +index f6aad3f..fd644c3 100644 +--- a/docs-xml/manpages/winbindd.8.xml ++++ b/docs-xml/manpages/winbindd.8.xml +@@ -27,6 +27,7 @@ + -d <debug level> + -s <smb config file> + -n|--no-caching ++ --no-process-group + + + +@@ -194,6 +195,12 @@ hosts: files wins + + + ++ ++ --no-process-group ++ Do not create a new process group for winbindd. 
++ ++ ++ + + + +-- +1.8.3.1 + + +From 4f790b10d5a6737f1b5978fca27d78a0b27aa75d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:23:03 +0100 +Subject: [PATCH 13/83] docs: mention --dc-info in wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index f970a5e..2df86ca 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -27,6 +27,7 @@ + --ccache-save + --change-user-password + -D domain ++ --dc-info domain + --domain domain + --dsgetdcname domain + -g +@@ -142,6 +143,12 @@ + + + ++ --dc-info domain ++ Displays information about the current domain controller for a domain. ++ ++ ++ ++ + --domain name + This parameter sets the domain on which any specified + operations will performed. If special domain name '.' is used to represent +-- +1.8.3.1 + + +From 824c468261a3d61732fea88a5d6cfb9aa5c7ed94 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:23:20 +0100 +Subject: [PATCH 14/83] docs: mention --krb5ccname option in wbinfo manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index 2df86ca..4de3c81 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -40,6 +40,7 @@ + -i user + -I ip + -K user%password ++ --krb5ccname cctype + --lanman + -m + -n name +@@ -246,6 +247,13 @@ + + + ++ --krb5ccname KRB5CCNAME ++ Allows to request a sepcific kerberos credential ++ cache type used for authentication. ++ ++ ++ ++ + --lanman + Use lanman cryptography for user authentication. + +-- +1.8.3.1 + + +From fa47e425132f6022cd41118e2c6ac34181adc4a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:29:10 +0100 +Subject: [PATCH 15/83] docs: mention logoff options in wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index 4de3c81..cb1812f 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -42,6 +42,9 @@ + -K user%password + --krb5ccname cctype + --lanman ++ --logoff ++ --logoff-uid uid ++ --logoff-user username + -m + -n name + -N netbios-name +@@ -260,6 +263,24 @@ + + + ++ --logoff ++ Logoff a user. ++ ++ ++ ++ ++ --logoff-uid UID ++ Define user uid used during logoff request. ++ ++ ++ ++ ++ --logoff-user USERNAME ++ Define username used during logoff request. 
++ ++ ++ ++ + -m|--trusted-domains + Produce a list of domains trusted by the + Windows NT server winbindd +-- +1.8.3.1 + + +From 7c4c66853f4f0fa426d11d01bc4732186501d6ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:33:19 +0100 +Subject: [PATCH 16/83] docs: mention --lookup-sids in wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index cb1812f..a3d4d5f 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -45,6 +45,7 @@ + --logoff + --logoff-uid uid + --logoff-user username ++ --lookup-sids + -m + -n name + -N netbios-name +@@ -281,6 +282,13 @@ + + + ++ --lookup-sids SID1,SID2... ++ Looks up SIDs. SIDs must be specified as ASCII strings in the traditional Microsoft ++ format. For example, S-1-5-21-1455342024-3071081365-2475485837-500. ++ ++ ++ ++ + -m|--trusted-domains + Produce a list of domains trusted by the + Windows NT server winbindd +-- +1.8.3.1 + + +From 7d41f1c4d30eef9fa20a7741be1cb50e566b40cb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:36:21 +0100 +Subject: [PATCH 17/83] docs: mention --pam-logon in wbinfo manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index a3d4d5f..a091e94 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -54,6 +54,7 @@ + --own-domain + -p + -P|--ping-dc ++ --pam-logon user%password + -r user + -R|--lookup-rids + -s sid +@@ -343,6 +344,13 @@ + + + ++ --pam-logon username%password ++ Attempt to authenticate a user in the same way ++ pam_winbind would do. ++ ++ ++ ++ + -p|--ping + Check whether winbindd + 8 is still alive. +-- +1.8.3.1 + + +From 27d49babb19759e0d3ef93a2290c049e1ba6aaa3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:40:56 +0100 +Subject: [PATCH 18/83] docs: mention --remove-gid-mapping/--remove-uid-mapping + in wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index a091e94..31362ac 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -57,6 +57,8 @@ + --pam-logon user%password + -r user + -R|--lookup-rids ++ --remove-gid-mapping gid,sid ++ --remove-uid-mapping uid,sid + -s sid + --separator + --set-auth-user user%password +@@ -383,6 +385,18 @@ + + + ++ --remove-gid-mapping GID,SID ++ Removes an existing GID to SID mapping from the database. ++ ++ ++ ++ ++ --remove-uid-mapping UID,SID ++ Removes an existing UID to SID mapping from the database. ++ ++ ++ ++ + -s|--sid-to-name sid + Use -s to resolve + a SID to a name. 
This is the inverse of the -n +-- +1.8.3.1 + + +From 80ab6eaa973df8874567306d1488a813801ab39c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 16:42:56 +0100 +Subject: [PATCH 19/83] docs: mention --set-gid-mapping/--set-uid-mapping in + wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index 31362ac..3dbcfc1 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -62,6 +62,8 @@ + -s sid + --separator + --set-auth-user user%password ++ --set-gid-mapping gid,sid ++ --set-uid-mapping uid,sid + -S sid + --sid-aliases sid + --sid-to-fullname sid +@@ -423,6 +425,18 @@ + + + ++ --set-gid-mapping GID,SID ++ Create a GID to SID mapping in the database. ++ ++ ++ ++ ++ --set-uid-mapping UID,SID ++ Create a UID to SID mapping in the database. ++ ++ ++ ++ + -S|--sid-to-uid sid + Convert a SID to a UNIX user id. If the SID + does not correspond to a UNIX user mapped by +-- +1.8.3.1 + + +From 87e6b5b7fb22c8cf26ae00a315b3e73987f49d55 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:13:38 +0100 +Subject: [PATCH 20/83] docs: mention --sequence in wbinfo manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index 3dbcfc1..1a871c2 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -61,6 +61,7 @@ + --remove-uid-mapping uid,sid + -s sid + --separator ++ --sequence + --set-auth-user user%password + --set-gid-mapping gid,sid + --set-uid-mapping uid,sid +@@ -414,6 +415,13 @@ + + + ++ --sequence ++ This command has been deprecated. Please use ++ the --online-status option instead. ++ ++ ++ ++ + --set-auth-user username%password + Store username and password used by + winbindd8 +-- +1.8.3.1 + + +From c55315a3a26ced194e553b5aa8e97f3a41a308ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:18:40 +0100 +Subject: [PATCH 21/83] docs: mention --sids-to-unix-ids in wbinfo manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/wbinfo.1.xml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml +index 1a871c2..9907dc6 100644 +--- a/docs-xml/manpages/wbinfo.1.xml ++++ b/docs-xml/manpages/wbinfo.1.xml +@@ -68,6 +68,7 @@ + -S sid + --sid-aliases sid + --sid-to-fullname sid ++ --sids-to-unix-ids sidlist + -t + -u + --uid-info uid +@@ -466,6 +467,14 @@ + + + ++ --sids-to-unix-ids sid1,sid2,sid3... ++ Resolve SIDs to Unix IDs. ++ SIDs must be specified as ASCII strings ++ in the traditional Microsoft format. For example, ++ S-1-5-21-1455342024-3071081365-2475485837-500. 
++ ++ ++ + -t|--check-secret + Verify that the workstation trust account + created when the Samba server is added to the Windows NT +-- +1.8.3.1 + + +From dac78176f3e28a1cbc513bb77a3454570f7de4e1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:23:23 +0100 +Subject: [PATCH 22/83] docs: remove unsupported options from nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index f1ab3e3..7aabfa6 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -23,10 +23,7 @@ + -D + -F + -S +- -a + -i +- -o +- -h + -V + -d <debug level> + -H <lmhosts file> +-- +1.8.3.1 + + +From 77eae60bd9a6b7e1d5248b5b0984d38a54de9c3e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:25:04 +0100 +Subject: [PATCH 23/83] docs: mention --daemon in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 7aabfa6..cc5f83d 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -20,7 +20,7 @@ + + + nmbd +- -D ++ -D|--daemon + -F + -S + -i +@@ -78,7 +78,7 @@ + + + +- -D ++ -D|--daemon + If specified, this parameter causes + nmbd to operate as a daemon. 
That is, + it detaches itself and runs in the background, fielding +-- +1.8.3.1 + + +From 28758deda94f28bd0bd188f8277807b8d2ccf829 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:25:52 +0100 +Subject: [PATCH 24/83] docs: mention --foreground in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index cc5f83d..9f607ab 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -21,7 +21,7 @@ + + nmbd + -D|--daemon +- -F ++ -F|--foreground + -S + -i + -V +@@ -90,7 +90,7 @@ + + + +- -F ++ -F|--foreground + If specified, this parameter causes + the main nmbd process to not daemonize, + i.e. double-fork and disassociate with the terminal. +-- +1.8.3.1 + + +From fd8d8b95f8b5b21b4e46836dc6becef480737dc2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:27:28 +0100 +Subject: [PATCH 25/83] docs: mention --hosts in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 9f607ab..283ebc2 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -26,7 +26,7 @@ + -i + -V + -d <debug level> +- -H <lmhosts file> ++ -H|--hosts <lmhosts file> + -l <log directory> + -p <port number> + -s <configuration file> +@@ -125,7 +125,7 @@ + &stdarg.help; + + +- -H <filename> ++ -H|--hosts <filename> + NetBIOS lmhosts file. 
The lmhosts + file is a list of NetBIOS names to IP addresses that + is loaded by the nmbd server and used via the name +-- +1.8.3.1 + + +From ea99d8a256df7faaedc5b8903fe183f4dcbde296 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:28:15 +0100 +Subject: [PATCH 26/83] docs: mention --interactive in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 283ebc2..62f3380 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -23,7 +23,7 @@ + -D|--daemon + -F|--foreground + -S +- -i ++ -i|--interactive + -V + -d <debug level> + -H|--hosts <lmhosts file> +@@ -112,7 +112,7 @@ + + + +- -i ++ -i|--interactive + If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this +-- +1.8.3.1 + + +From a624426d86cf2da69ba2e03506b5f252d32adb11 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:29:37 +0100 +Subject: [PATCH 27/83] docs: mention --log-stdout in nmbd manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 62f3380..715796d 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -22,7 +22,7 @@ + nmbd + -D|--daemon + -F|--foreground +- -S ++ -S|--log-stdout + -i|--interactive + -V + -d <debug level> +@@ -105,7 +105,7 @@ + + + +- -S ++ -S|--log-stdout + If specified, this parameter causes + nmbd to log to standard output rather + than a file. +-- +1.8.3.1 + + +From 548d9daeffc83191ea1e6ea51ce63aacffe98c41 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:31:10 +0100 +Subject: [PATCH 28/83] docs: mention --no-process-group in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 715796d..8540a09 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -30,6 +30,7 @@ + -l <log directory> + -p <port number> + -s <configuration file> ++ --no-process-group + + + +@@ -157,6 +158,12 @@ + won't need help! + + ++ ++ --no-process-group ++ Do not create a new process group for nmbd. ++ ++ ++ + + + +-- +1.8.3.1 + + +From d6a07717a7f2febdd4591fc0c3c1fe8b719963e9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:31:50 +0100 +Subject: [PATCH 29/83] docs: mention --port in nmbd manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index 8540a09..b7ead70 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -28,7 +28,7 @@ + -d <debug level> + -H|--hosts <lmhosts file> + -l <log directory> +- -p <port number> ++ -p|--port <port number> + -s <configuration file> + --no-process-group + +@@ -150,7 +150,7 @@ + &popt.common.samba; + + +- -p <UDP port number> ++ -p|--port <UDP port number> + UDP port number is a positive integer value. + This option changes the default UDP port number (normally 137) + that nmbd responds to name queries on. Don't +-- +1.8.3.1 + + +From 792ff0029c790fe8b225134b19d320e8392c5895 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:37:05 +0100 +Subject: [PATCH 30/83] docs: remove unsupported options from smbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbd.8.xml | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml +index 0d0c387..cc6e400 100644 +--- a/docs-xml/manpages/smbd.8.xml ++++ b/docs-xml/manpages/smbd.8.xml +@@ -23,14 +23,12 @@ + -F + -S + -i +- -h + -V + -b + -d <debug level> + -l <log directory> + -p <port number(s)> + -P <profiling level> +- -O <socket option> + -s <configuration file> + + +-- +1.8.3.1 + + +From ad46b6689d999651732894968e5e49d045591203 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 14 Nov 2013 17:49:58 +0100 +Subject: [PATCH 31/83] docs: mention many more options in smbd options. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbd.8.xml | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml +index cc6e400..d73f1db 100644 +--- a/docs-xml/manpages/smbd.8.xml ++++ b/docs-xml/manpages/smbd.8.xml +@@ -19,17 +19,18 @@ + + + smbd +- -D +- -F +- -S +- -i ++ -D|--daemon ++ -F|--foreground ++ -S|--log-stdout ++ -i|--interactive + -V +- -b ++ -b|--build-options + -d <debug level> +- -l <log directory> ++ -l|--log-basename <log directory> + -p <port number(s)> + -P <profiling level> + -s <configuration file> ++ --no-process-group + + + +@@ -79,7 +80,7 @@ + + + +- -D ++ -D|--daemon + If specified, this parameter causes + the server to operate as a daemon. That is, it detaches + itself and runs in the background, fielding requests +@@ -92,7 +93,7 @@ + + + +- -F ++ -F|--foreground + If specified, this parameter causes + the main smbd process to not daemonize, + i.e. double-fork and disassociate with the terminal. +@@ -107,14 +108,14 @@ + + + +- -S ++ -S|--log-stdout + If specified, this parameter causes + smbd to log to standard output rather + than a file. + + + +- -i ++ -i|--interactive + If this parameter is specified it causes the + server to run "interactively", not as a daemon, even if the + server is executed on the command line of a shell. Setting this +@@ -130,7 +131,13 @@ + &stdarg.help; + + +- -b ++ --no-process-group ++ Do not create a new process group for smbd. ++ ++ ++ ++ ++ -b|--build-options + Prints information about how + Samba was built. + +-- +1.8.3.1 + + +From 7c473ac293a44896181d9d2619b922815433c77d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 12:07:48 +0100 +Subject: [PATCH 32/83] docs: mention --numeric in smbstatus manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbstatus.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/smbstatus.1.xml b/docs-xml/manpages/smbstatus.1.xml +index b0d07d2..126d0b2 100644 +--- a/docs-xml/manpages/smbstatus.1.xml ++++ b/docs-xml/manpages/smbstatus.1.xml +@@ -31,6 +31,7 @@ + -f + -s <configuration file> + -u <username> ++ -n|--numeric + + + +@@ -121,6 +122,13 @@ + + + ++ ++ -n|--numeric ++ causes smbstatus to display numeric UIDs and GIDs instead of ++ resolving them to names. ++ ++ ++ + + + +-- +1.8.3.1 + + +From 5f606e7e9ccd11949ae78a0a44f47be578116f89 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 12:11:21 +0100 +Subject: [PATCH 33/83] docs: mention -R|--profile-rates in smbstatus manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbstatus.1.xml | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/smbstatus.1.xml b/docs-xml/manpages/smbstatus.1.xml +index 126d0b2..d4213b6 100644 +--- a/docs-xml/manpages/smbstatus.1.xml ++++ b/docs-xml/manpages/smbstatus.1.xml +@@ -32,6 +32,7 @@ + -s <configuration file> + -u <username> + -n|--numeric ++ -R|--profile-rates + + + +@@ -51,12 +52,19 @@ + + + -P|--profile +- If samba has been compiled with the +- profiling option, print only the contents of the profiling ++ If samba has been compiled with the ++ profiling option, print only the contents of the profiling + shared memory area. + + + ++ -R|--profile-rates ++ If samba has been compiled with the ++ profiling option, print the contents of the profiling ++ shared memory area and the call rates. 
++ ++ ++ + -b|--brief + gives brief output. + +-- +1.8.3.1 + + +From 9dcbc77f5a79d148a7346c361ad2790ab8a40555 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 12:57:06 +0100 +Subject: [PATCH 34/83] docs: mention -S|--setsddl in sharesec manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/sharesec.1.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml +index e83e6b3..8f29cba 100644 +--- a/docs-xml/manpages/sharesec.1.xml ++++ b/docs-xml/manpages/sharesec.1.xml +@@ -35,6 +35,7 @@ + -V, --version + -?, --help + --usage ++ -S, --setsddl=STRING + + + +@@ -113,6 +114,13 @@ + + + ++ ++ -S|--setsddl=STRING ++ ++ Set security descriptor by providing ACL in SDDL format. ++ ++ ++ + &stdarg.help; + &stdarg.server.debug; + &popt.common.samba; +-- +1.8.3.1 + + +From d692389ea57724bd71caadb62e0231993188d34f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 12:59:49 +0100 +Subject: [PATCH 35/83] docs: mention -V|--viewsddl in sharesec manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/sharesec.1.xml | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml +index 8f29cba..f73fba2 100644 +--- a/docs-xml/manpages/sharesec.1.xml ++++ b/docs-xml/manpages/sharesec.1.xml +@@ -32,10 +32,11 @@ + -d, --debuglevel=DEBUGLEVEL + -s, --configfile=CONFIGFILE + -l, --log-basename=LOGFILEBASE +- -V, --version ++ --version + -?, --help + --usage + -S, --setsddl=STRING ++ -V, --viewsddl + + + +@@ -121,6 +122,13 @@ + + + ++ ++ -V|--viewsddl ++ ++ List a share acl in SDDL format. ++ ++ ++ + &stdarg.help; + &stdarg.server.debug; + &popt.common.samba; +-- +1.8.3.1 + + +From ffe94e363375aa47cd72d715309f6568067482fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 13:03:20 +0100 +Subject: [PATCH 36/83] docs: mention -p in dbwrap-tool manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/dbwrap_tool.1.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml +index 07d42be..b8280ac 100644 +--- a/docs-xml/manpages/dbwrap_tool.1.xml ++++ b/docs-xml/manpages/dbwrap_tool.1.xml +@@ -19,7 +19,7 @@ + + + dbwrap_tool +- --persistent ++ -p|--persistent + -d <debug level> + -s <config file> + -l <log file base> +@@ -70,7 +70,7 @@ + + + +- --persistent ++ -p|--persistent + Open the database as a persistent database. + If this option is not specified, the database is opened as + non-persistent. 
+-- +1.8.3.1 + + +From 22fcc536a568283b0d2c8b1772399fef7bc63406 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 15:15:41 +0100 +Subject: [PATCH 37/83] docs: bring samba entity popt.common.credentials in + line with popt_common_credentials. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This adds documentation of the following parameters to all manpages of binaries that +actually use popt_common_credentials: + +-S|--signing +-e|--encrypt +-P|--machinepass +--pw-nt-hash + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/build/DTD/samba.entities | 35 +++++++++++++++++++++++++++++++++++ + 1 file changed, 35 insertions(+) + +diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities +index c9c6744..8ddae70 100644 +--- a/docs-xml/build/DTD/samba.entities ++++ b/docs-xml/build/DTD/samba.entities +@@ -464,6 +464,37 @@ Try to use the credentials cached by winbind. + + '> + ++ ++-S|--signing on|off|required ++Set the client signing state. ++ ++ ++'> ++ ++ ++-P|--machine-pass ++Use stored machine account password. ++ ++ ++'> ++ ++ ++-e|--encrypt ++Encrypt SMB transport (UNIX extended servers only). ++ ++ ++'> ++ ++ ++--pw-nt-hash ++The supplied password is the NT hash. ++ ++ ++'> + + +@@ -478,6 +509,10 @@ Try to use the credentials cached by winbind. + &stdarg.useccache; + &stdarg.authfile; + &stdarg.username; ++&stdarg.signing; ++&stdarg.machinepass; ++&stdarg.encrypt; ++&stdarg.pwnthash; + '> + + +-- +1.8.3.1 + + +From 7173604e9e20ee4826622f8f1dd3e3194ee3588f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 16:06:36 +0100 +Subject: [PATCH 38/83] docs: remove now duplicate mention for 4 credential + options in samba-regedit manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/samba-regedit.8.xml | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml +index e7ec761..c40b2ec 100644 +--- a/docs-xml/manpages/samba-regedit.8.xml ++++ b/docs-xml/manpages/samba-regedit.8.xml +@@ -70,25 +70,7 @@ + Set smb.conf option from command line. + + &popt.common.connection; +- +- -S|--signing +- Set the client signing state. +- +- +- -P|--machine-pass +- Use stored machine account password. +- + &popt.common.credentials; +- +- -e|--encrypt +- Encrypt SMB transport (UNIX extended servers only). +- +- +- +- --pw-nt-hash +- The supplied password is the NT hash. +- +- + + + +-- +1.8.3.1 + + +From 8a4d846f1dca6ecbc7d9411f3e26d79a8622e5c4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 16:07:41 +0100 +Subject: [PATCH 39/83] docs: add missing &popt.common.samba entity to + smbcontrol manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcontrol.1.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs-xml/manpages/smbcontrol.1.xml b/docs-xml/manpages/smbcontrol.1.xml +index e2c7939..be8dd0f 100644 +--- a/docs-xml/manpages/smbcontrol.1.xml ++++ b/docs-xml/manpages/smbcontrol.1.xml +@@ -51,6 +51,7 @@ + + &stdarg.help; + &stdarg.configfile; ++ &popt.common.samba; + + -i + Run interactively. Individual commands +-- +1.8.3.1 + + +From 23516cfbdde6d38fc710fd3a47fdc155e657dc47 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 16:08:10 +0100 +Subject: [PATCH 40/83] docs: add missing &popt.common.connection entity to + smbcacls manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index 7770fa2..e504dd7 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -178,6 +178,7 @@ + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; ++ &popt.common.connection; + + + +-- +1.8.3.1 + + +From 743e9a847e1014e2722c650f94d99fa277d7fa9a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 16:40:36 +0100 +Subject: [PATCH 41/83] docs: remove more duplicate options from samba-regedit + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/samba-regedit.8.xml | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml +index c40b2ec..acf8c53 100644 +--- a/docs-xml/manpages/samba-regedit.8.xml ++++ b/docs-xml/manpages/samba-regedit.8.xml +@@ -56,19 +56,12 @@ + OPTIONS + + &stdarg.help; ++ &stdarg.client.debug; + + --usage + Display brief usage message. + +- +- -d|--debuglevel=<debuglevel> +- Set debug level. +- + &popt.common.samba; +- +- --option=<parameter>=<value> +- Set smb.conf option from command line. +- + &popt.common.connection; + &popt.common.credentials; + +-- +1.8.3.1 + + +From deacd68cce662d0780eaa255fd51fc4f5f5ee629 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 15 Nov 2013 16:57:52 +0100 +Subject: [PATCH 42/83] docs: add new popt.autohelp entity. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/build/DTD/samba.entities | 28 +++++++++++++++++++++------- + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities +index 8ddae70..cb683d1 100644 +--- a/docs-xml/build/DTD/samba.entities ++++ b/docs-xml/build/DTD/samba.entities +@@ -496,13 +496,6 @@ Try to use the credentials cached by winbind. + + '> + +- +--?|--help +-Print a summary of command line options. +- +-'> +- + + ++ ++-?|--help ++Print a summary of command line options. ++ ++ ++'> ++ ++ ++--usage ++Display brief usage message. ++ ++ ++'> ++ ++ ++ + + OpenLDAP'> + smbd'> +-- +1.8.3.1 + + +From c71fd4a9f49bf5cf2cef7874789e95b0603bbaa4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 11:40:35 +0100 +Subject: [PATCH 43/83] docs: mention --change-sid|--new-sid in profiles + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/profiles.1.xml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml +index 311c8ff..83358a8 100644 +--- a/docs-xml/manpages/profiles.1.xml ++++ b/docs-xml/manpages/profiles.1.xml +@@ -21,8 +21,8 @@ + + profiles + -v +- -c SID +- -n SID ++ -c|--change-sid SID ++ -n|--new-sid SID + file + + +@@ -58,6 +58,7 @@ + + + -c SID1 -n SID2 ++ --change-sid SID1 --new-sid SID2 + Change all occurrences of SID1 in file by SID2. 
+ + +-- +1.8.3.1 + + +From ca6776d341a5e98b30a9c544c91e89ad062291b3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 11:41:00 +0100 +Subject: [PATCH 44/83] docs: use popt.samba.common entity in profiles manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/profiles.1.xml | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml +index 83358a8..c448eb5 100644 +--- a/docs-xml/manpages/profiles.1.xml ++++ b/docs-xml/manpages/profiles.1.xml +@@ -63,8 +63,9 @@ + + + +- &stdarg.help; +- ++ &popt.common.samba.client; ++ &popt.autohelp; ++ + + + +-- +1.8.3.1 + + +From 1e4fb44c97eddb28aad903ddbfe0f05229f5802e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 11:44:28 +0100 +Subject: [PATCH 45/83] docs: use popt.autohelp in smbtree manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbtree.1.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/smbtree.1.xml b/docs-xml/manpages/smbtree.1.xml +index b99c4b1..5e9b639 100644 +--- a/docs-xml/manpages/smbtree.1.xml ++++ b/docs-xml/manpages/smbtree.1.xml +@@ -70,7 +70,7 @@ + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; +- &stdarg.help; ++ &popt.autohelp; + + + +-- +1.8.3.1 + + +From def43ad250168790fe3db868c0f688ff04f0fefa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 11:51:55 +0100 +Subject: [PATCH 46/83] docs: mention --update and --encrypt in smbget manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbget.1.xml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/docs-xml/manpages/smbget.1.xml b/docs-xml/manpages/smbget.1.xml +index b805b4c..a277712 100644 +--- a/docs-xml/manpages/smbget.1.xml ++++ b/docs-xml/manpages/smbget.1.xml +@@ -35,6 +35,7 @@ + -v, --verbose + -b, --blocksize + -O, --stdout ++ -U, --update + -?, --help + --usage + smb://host/share/path/to/file +@@ -150,6 +151,14 @@ + --usage + Display brief usage message + ++ ++ ++ -U, --update ++ Download only when remote file is newer than local file or local file is missing. ++ ++ ++ &stdarg.encrypt; ++ + + + +-- +1.8.3.1 + + +From 51fa7800d3b9f84b962d396270391a8cfd4d5a84 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 11:59:54 +0100 +Subject: [PATCH 47/83] docs: mention more long option names in smbcquotas + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcquotas.1.xml | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/docs-xml/manpages/smbcquotas.1.xml b/docs-xml/manpages/smbcquotas.1.xml +index 23328b4..8c76939 100644 +--- a/docs-xml/manpages/smbcquotas.1.xml ++++ b/docs-xml/manpages/smbcquotas.1.xml +@@ -20,13 +20,13 @@ + + smbcquotas + //server/share +- -u user +- -L +- -F +- -S QUOTA_SET_COMMAND +- -n +- -t +- -v ++ -u|--user user ++ -L|--list ++ -F|--fs ++ -S|--set QUOTA_SET_COMMAND ++ -n|--numeric ++ -t|--test-args ++ -v|--verbose + + -d debuglevel + -s configfile +@@ -60,7 +60,7 @@ + + + +- -u user ++ -u|--user user + Specifies the user of whom the quotas are get or set. + By default the current user's username will be used. 
+ +@@ -68,51 +68,53 @@ + + + +- -L ++ -L|--list + Lists all quota records of the share. + + + + + +- -F ++ -F|--fs + Show the share quota status and default limits. + + + + + +- -S QUOTA_SET_COMMAND ++ -S|--set QUOTA_SET_COMMAND + This command sets/modifies quotas for a user or on the share, + depending on the QUOTA_SET_COMMAND parameter which is described later. + + + + +- -n ++ -n|--numeric + This option displays all QUOTA information in numeric + format. The default is to convert SIDs to names and QUOTA limits + to a readable string format. + + + +- -t ++ -t|--test-args + + Don't actually do anything, only validate the correctness of the arguments. + + + + +- -v ++ -v|--verbose + + Be verbose. + + + +- &stdarg.help; ++ + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; ++ &popt.autohelp; ++ + + + +-- +1.8.3.1 + + +From 0a7eff9cd77516368a1b1b7578bed64c3768b0da Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:10:29 +0100 +Subject: [PATCH 48/83] docs: mention -B|--browse to smbclient manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbclient.1.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml +index b9e55e9..d5a7068 100644 +--- a/docs-xml/manpages/smbclient.1.xml ++++ b/docs-xml/manpages/smbclient.1.xml +@@ -343,7 +343,13 @@ + cannot be negotiated. + + +- ++ ++ ++ -B|--browse ++ Browse SMB servers using DNS. ++ ++ ++ + &stdarg.client.debug; + &popt.common.samba; + &popt.common.credentials; +-- +1.8.3.1 + + +From 5cab201a16663e9d91e4501124d6aeeaaa71e189 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:12:23 +0100 +Subject: [PATCH 49/83] docs: better document -e|--encrypt option globally. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is taken from smbclient manpage. + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/build/DTD/samba.entities | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities +index cb683d1..1e852ec 100644 +--- a/docs-xml/build/DTD/samba.entities ++++ b/docs-xml/build/DTD/samba.entities +@@ -483,7 +483,14 @@ Try to use the credentials cached by winbind. + + -e|--encrypt +-Encrypt SMB transport (UNIX extended servers only). ++ ++This command line parameter requires the remote ++server support the UNIX extensions or that the SMB3 protocol has been selected. ++Requests that the connection be encrypted. Negotiates SMB encryption using either ++SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for ++the encryption negotiation (either kerberos or NTLMv1/v2 if given ++domain/username/password triple. Fails the connection if encryption ++cannot be negotiated. + + + '> +-- +1.8.3.1 + + +From a2899b157f6096fd48e0c9a16a8cb7c848736ea4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:16:00 +0100 +Subject: [PATCH 50/83] docs: use popt.autohelp and remove duplicate -e option + from smbclient manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbclient.1.xml | 16 +--------------- + 1 file changed, 1 insertion(+), 15 deletions(-) + +diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml +index d5a7068..b4f7896 100644 +--- a/docs-xml/manpages/smbclient.1.xml ++++ b/docs-xml/manpages/smbclient.1.xml +@@ -276,8 +276,6 @@ + + + +- &stdarg.help; +- + + -I|--ip-address IP-address + IP address is the address of the server to connect to. +@@ -332,19 +330,6 @@ + + + +- -e|--encrypt +- +- This command line parameter requires the remote +- server support the UNIX extensions or that the SMB3 protocol has been selected. +- Requests that the connection be encrypted. Negotiates SMB encryption using either +- SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for +- the encryption negotiation (either kerberos or NTLMv1/v2 if given +- domain/username/password triple. Fails the connection if encryption +- cannot be negotiated. +- +- +- +- + -B|--browse + Browse SMB servers using DNS. + +@@ -354,6 +339,7 @@ + &popt.common.samba; + &popt.common.credentials; + &popt.common.connection; ++ &popt.autohelp; + + + -t|--timeout <timeout-seconds> +-- +1.8.3.1 + + +From 26da51a94ea329aa78e2d69fc8190954e61e0b26 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:17:36 +0100 +Subject: [PATCH 51/83] docs: remove unsupported -h option from smbcacls + manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index e504dd7..71e3f50 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -31,7 +31,6 @@ + --numeric + -t + -U username +- -h + -d + -e + -m|--max-protocol LEVEL +-- +1.8.3.1 + + +From 559073e711cad5f895707385cc355440e21513d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:18:34 +0100 +Subject: [PATCH 52/83] docs: use popt.autohelp entity in smbcacls manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index 71e3f50..3c00363 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -173,11 +173,11 @@ + + + +- &stdarg.help; + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; + &popt.common.connection; ++ &popt.autohelp; + + + +-- +1.8.3.1 + + +From 019deb1e1acedb6ec522baad85592c17f2f78268 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:21:24 +0100 +Subject: [PATCH 53/83] docs: remove duplicate -e option from smbcacls manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 12 ------------ + 1 file changed, 12 deletions(-) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index 3c00363..0b8fe94 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -141,18 +141,6 @@ + + + +- -e +- This command line parameter requires the remote +- server support the UNIX extensions or that the SMB3 protocol has been selected. +- Requests that the connection be encrypted. Negotiates SMB encryption using either +- SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for +- the encryption negotiation (either kerberos or NTLMv1/v2 if given +- domain/username/password triple. Fails the connection if encryption +- cannot be negotiated. +- +- +- +- + -m|--max-protocol PROTOCOL_NAME + This allows the user to select the + highest SMB protocol level that smbcacls will use to +-- +1.8.3.1 + + +From c7a4feaaf1236dce8de546b5019058efba047e31 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:25:12 +0100 +Subject: [PATCH 54/83] docs: mention --query-security-info|--set-security-info + in smbcacls manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index 0b8fe94..33b8dbd 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -34,6 +34,8 @@ + -d + -e + -m|--max-protocol LEVEL ++ --query-security-info FLAGS ++ --set-security-info FLAGS + + + +@@ -160,7 +162,19 @@ + the arguments. 
+ + +- ++ ++ ++ --query-security-info FLAGS ++ The security-info flags for queries. ++ ++ ++ ++ ++ --set-security-info FLAGS ++ The security-info flags for queries. ++ ++ ++ + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; +-- +1.8.3.1 + + +From 94b26e6d7b22396ad220ddd1ed359376fc151458 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:35:16 +0100 +Subject: [PATCH 55/83] docs: mention --sddl and --domain-sid in smbcacls + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcacls.1.xml | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml +index 33b8dbd..1f7aaf2 100644 +--- a/docs-xml/manpages/smbcacls.1.xml ++++ b/docs-xml/manpages/smbcacls.1.xml +@@ -36,6 +36,8 @@ + -m|--max-protocol LEVEL + --query-security-info FLAGS + --set-security-info FLAGS ++ --sddl ++ --domain-sid SID + + + +@@ -175,6 +177,18 @@ + + + ++ ++ --sddl ++ Output and input acls in sddl format. ++ ++ ++ ++ ++ --domain-sid SID ++ SID used for sddl processing. ++ ++ ++ + &stdarg.server.debug; + &popt.common.samba; + &popt.common.credentials; +-- +1.8.3.1 + + +From fb051ee29a55c6d72739bc895f05add50f2054d5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:39:00 +0100 +Subject: [PATCH 56/83] docs: remove unsupported -h option and use + popt.autohelp entity in rpcclient manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/rpcclient.1.xml | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml +index 7193a90..76bcbc2 100644 +--- a/docs-xml/manpages/rpcclient.1.xml ++++ b/docs-xml/manpages/rpcclient.1.xml +@@ -23,7 +23,6 @@ + -A authfile + -c <command string> + -d debuglevel +- -h + -l logdir + -N + -s <smb config file> +@@ -98,7 +97,7 @@ + &popt.common.samba; + &popt.common.credentials; + &popt.common.connection; +- &stdarg.help; ++ &popt.autohelp; + + + +-- +1.8.3.1 + + +From db62a5841a4892dc2d45ff027cac346c0e67c5aa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:51:42 +0100 +Subject: [PATCH 57/83] docs: document all long option names in nmblookup + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmblookup.1.xml | 41 +++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 21 deletions(-) + +diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml +index 12c707f..b110b28 100644 +--- a/docs-xml/manpages/nmblookup.1.xml ++++ b/docs-xml/manpages/nmblookup.1.xml +@@ -20,19 +20,18 @@ + + + nmblookup +- -M +- -R +- -S +- -r +- -A +- -h +- -B <broadcast address> +- -U <unicast address> ++ -M|--master-browser ++ -R|--recursion ++ -S|--status ++ -r|--root-port ++ -A|--lookup-by-ip ++ -B|--broadcast <broadcast address> ++ -U|--unicast <unicast address> + -d <debug level> + -s <smb config file> + -i <NetBIOS scope> +- -T +- -f ++ -T|--translate ++ -f|--flags + name + + +@@ -55,8 +54,8 @@ + + + +- -M +- Searches for a master browser by looking ++ -M|--master-browser ++ 
Searches for a master browser by looking + up the NetBIOS name with a + type of 0x1d. If + name is "-" then it does a lookup on the special name +@@ -67,7 +66,7 @@ + + + +- -R ++ -R|--recursion + Set the recursion desired bit in the packet + to do a recursive lookup. This is used when sending a name + query to a machine running a WINS server and the user wishes +@@ -78,7 +77,7 @@ + + + +- -S ++ -S|--status + Once the name query has returned an IP + address then do a node status query as well. A node status + query returns the NetBIOS names registered by a host. +@@ -87,7 +86,7 @@ + + + +- -r ++ -r|--root-port + Try and bind to UDP port 137 to send and receive UDP + datagrams. The reason for this option is a bug in Windows 95 + where it ignores the source port of the requesting packet +@@ -100,7 +99,7 @@ + + + +- -A ++ -A|--lookup-by-ip + Interpret name as + an IP Address and do a node status query on this address. + +@@ -109,10 +108,10 @@ + + + &popt.common.connection; +- &stdarg.help; ++ &popt.autohelp; + + +- -B <broadcast address> ++ -B|--broadcast <broadcast address> + Send the query to the given broadcast address. Without + this option the default behavior of nmblookup is to send the + query to the broadcast address of the network interfaces as +@@ -126,7 +125,7 @@ + + + +- -U <unicast address> ++ -U|--unicast <unicast address> + Do a unicast query to the specified address or + host unicast address. This option + (along with the -R option) is needed to +@@ -137,7 +136,7 @@ + &popt.common.samba; + + +- -T ++ -T|--translate + This causes any IP addresses found in the + lookup to be looked up via a reverse DNS lookup into a + DNS name, and printed out before each +@@ -148,7 +147,7 @@ + + + +- -f ++ -f|--flags + + Show which flags apply to the name that has been looked up. 
Possible + answers are zero or more of: Response, Authoritative, +-- +1.8.3.1 + + +From f9cdbfb27325d4e84d866fdee2a7bc729c25e24e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 12:55:02 +0100 +Subject: [PATCH 58/83] docs: use popt.autohelp entity in dbwrap-tools manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/dbwrap_tool.1.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml +index b8280ac..8e979f6 100644 +--- a/docs-xml/manpages/dbwrap_tool.1.xml ++++ b/docs-xml/manpages/dbwrap_tool.1.xml +@@ -77,7 +77,7 @@ + + + &popt.common.samba.client; +- &stdarg.help; ++ &popt.autohelp; + + + +-- +1.8.3.1 + + +From 0674ef7c5b3551564894ee7b8810ee3c18857922 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 13:45:38 +0100 +Subject: [PATCH 59/83] docs: fix testparm manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/testparm.1.xml | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +diff --git a/docs-xml/manpages/testparm.1.xml b/docs-xml/manpages/testparm.1.xml +index b258c20..ce69dc7 100644 +--- a/docs-xml/manpages/testparm.1.xml ++++ b/docs-xml/manpages/testparm.1.xml +@@ -20,10 +20,9 @@ + + + testparm +- -s +- -h +- -v +- -t <encoding> ++ -s|--suppress-prompt ++ --help ++ -v|--verbose + config filename + hostname hostIP + +@@ -63,17 +62,19 @@ + + + +- -s ++ -s|--suppress-prompt + Without this option, testparm + will prompt for a carriage return after printing the service + names and before dumping the service definitions. 
+ + +- &stdarg.help; + &stdarg.version; +- ++ &stdarg.option; ++ &popt.autohelp; ++ &stdarg.client.debug; ++ + +- -v ++ -v|--verbose + If this option is specified, testparm + will also output all options that were not used in + smb.conf5 +@@ -81,13 +82,6 @@ + + + +- -t encoding +- +- Output data in specified encoding. +- +- +- +- + --parameter-name parametername + + Dumps the named parameter. If no section-name is set the view +@@ -107,6 +101,20 @@ + + + ++ --show-all-parameters ++ ++ Show the parameters, type, possible values. ++ ++ ++ ++ ++ -l|--skip-logic-checks ++ ++ Skip the global checks. ++ ++ ++ ++ + configfilename + This is the name of the configuration file + to check. If this parameter is not present then the +-- +1.8.3.1 + + +From a0d8cb8f536620a6dbf1fab0093c715c9efaba65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 13:46:06 +0100 +Subject: [PATCH 60/83] docs: use &popt.autohelp entity in pdbedit manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/pdbedit.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml +index 5bb12c4..c59a1cf6 100644 +--- a/docs-xml/manpages/pdbedit.8.xml ++++ b/docs-xml/manpages/pdbedit.8.xml +@@ -503,7 +503,7 @@ account policy value for bad lockout attempt is now 3 + + + +- &stdarg.help; ++ &popt.autohelp; + &stdarg.server.debug; + &popt.common.samba; + +-- +1.8.3.1 + + +From 91d25302b92e01fdba3fa4bc22fea9a8381ae19e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 13:52:59 +0100 +Subject: [PATCH 61/83] docs: fix smbcontrol manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbcontrol.1.xml | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/docs-xml/manpages/smbcontrol.1.xml b/docs-xml/manpages/smbcontrol.1.xml +index be8dd0f..234e02d 100644 +--- a/docs-xml/manpages/smbcontrol.1.xml ++++ b/docs-xml/manpages/smbcontrol.1.xml +@@ -19,8 +19,8 @@ + + + smbcontrol +- -i + -s ++ -t|--timeout + + + +@@ -49,15 +49,14 @@ + OPTIONS + + +- &stdarg.help; ++ &popt.autohelp; + &stdarg.configfile; +- &popt.common.samba; ++ &popt.common.samba.client; + +- -i +- Run interactively. Individual commands +- of the form destination message-type parameters can be entered +- on STDIN. An empty command line or a "q" will quit the +- program. ++ -t|--timeout ++ ++ Set timeout to seconds. ++ + + + +-- +1.8.3.1 + + +From 177c2c9c0ffe1ee434afc9d22d4bba12ae55d312 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 14:45:51 +0100 +Subject: [PATCH 62/83] docs: fix ntlm_auth manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/ntlm_auth.1.xml | 42 ++++++++++++++++++++++++++++++++------- + 1 file changed, 35 insertions(+), 7 deletions(-) + +diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml +index 4ada951..4ce57a2 100644 +--- a/docs-xml/manpages/ntlm_auth.1.xml ++++ b/docs-xml/manpages/ntlm_auth.1.xml +@@ -19,9 +19,6 @@ + + + ntlm_auth +- -d debuglevel +- -l logdir +- -s <smb config file> + + + +@@ -363,10 +360,41 @@ + + + +- &stdarg.server.debug; +- &popt.common.samba; +- &stdarg.help; +- ++ ++ --pam-winbind-conf=FILENAME ++ Define the path to the pam_winbind.conf file. 
++ ++ ++ ++ --target-hostname=HOSTNAME ++ Define the target hostname. ++ ++ ++ ++ --target-service=SERVICE ++ Define the target service. ++ ++ ++ ++ --use-cached-creds ++ Whether to use credentials cached by winbindd. ++ ++ ++ ++ --configfile=<configuration file> ++ The file specified contains the ++ configuration details required by the server. The ++ information in this file includes server-specific ++ information such as what printcap file to use, as well ++ as descriptions of all the services that the server is ++ to provide. See &smb.conf; for more information. ++ The default configuration file name is determined at ++ compile time. ++ ++ ++ &stdarg.version; ++ &popt.autohelp; ++ + + + +-- +1.8.3.1 + + +From b04375e725edfd419fa65c96d524b9fb351d5efc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 15:52:35 +0100 +Subject: [PATCH 63/83] docs: use popt.autohelp entity in nmbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/nmbd.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml +index b7ead70..d83fb8f 100644 +--- a/docs-xml/manpages/nmbd.8.xml ++++ b/docs-xml/manpages/nmbd.8.xml +@@ -123,7 +123,7 @@ + given. + + +- &stdarg.help; ++ &popt.autohelp; + + + -H|--hosts <filename> +-- +1.8.3.1 + + +From 25eace39266edcac85c7d65a68dfbb632453b6f6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 15:53:08 +0100 +Subject: [PATCH 64/83] docs: use popt.autohelp entity in winbindd manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/winbindd.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml +index fd644c3..c16c998 100644 +--- a/docs-xml/manpages/winbindd.8.xml ++++ b/docs-xml/manpages/winbindd.8.xml +@@ -169,7 +169,7 @@ hosts: files wins + + &stdarg.server.debug; + &popt.common.samba; +- &stdarg.help; ++ &popt.autohelp; + + + -i|--interactive +-- +1.8.3.1 + + +From b649d631793bdd83ff1f3935a45f1617c1a4c3e8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 15:53:29 +0100 +Subject: [PATCH 65/83] docs: use popt.autohelp entity in smbd manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/smbd.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml +index d73f1db..00e65b3 100644 +--- a/docs-xml/manpages/smbd.8.xml ++++ b/docs-xml/manpages/smbd.8.xml +@@ -128,7 +128,7 @@ + + &stdarg.server.debug; + &popt.common.samba; +- &stdarg.help; ++ &popt.autohelp; + + + --no-process-group +-- +1.8.3.1 + + +From 0815f114fbe99144061dc1c8c326fb0ee71f4a76 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 15:53:49 +0100 +Subject: [PATCH 66/83] docs: use popt.autohelp entity in samba.8 manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/samba.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/samba.8.xml b/docs-xml/manpages/samba.8.xml +index 2b53944..da426bb 100644 +--- a/docs-xml/manpages/samba.8.xml ++++ b/docs-xml/manpages/samba.8.xml +@@ -148,7 +148,7 @@ + + + &popt.common.samba.server; +- &stdarg.help; ++ &popt.autohelp; + + + +-- +1.8.3.1 + + +From 0b24a4236c2b865a0cf318fcabb3ce64b93d9409 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 16:00:39 +0100 +Subject: [PATCH 67/83] docs: mention more options in net manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 86 +++++++++++++++++++++++++++++++++++---------- + 1 file changed, 68 insertions(+), 18 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 5fa042e..ccc993b 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -22,20 +22,25 @@ + + net + <ads|rap|rpc> +- -h +- -w workgroup +- -W myworkgroup +- -U user +- -I ip-address +- -p port ++ -h|--help ++ -w|--workgroup workgroup ++ -W|--myworkgroup myworkgroup ++ -U|--user user ++ -I|--ipaddress ip-address ++ -p|--port port + -n myname + -s conffile +- -S server +- -l +- -P ++ -S|--server server ++ -l|--long ++ -v|--verbose ++ -f|--force ++ -P|--machine-pass + -d debuglevel + -V + --request-timeout seconds ++ -t|--timeout seconds ++ -i|--stdin ++ --tallocreport + + + +@@ -64,7 +69,7 @@ + &stdarg.kerberos; + + +- -w target-workgroup ++ -w|--workgroup target-workgroup + + Sets target workgroup or domain. You have to specify + either this option or the IP address or the name of a server. 
+@@ -72,21 +77,21 @@ + + + +- -W workgroup ++ -W|--myworkgroup workgroup + + Sets client workgroup or domain + + + + +- -U user ++ -U|--user user + + User name to use + + + + +- -I ip-address ++ -I|--ipaddress ip-address + + IP address of target server to use. You have to + specify either this option or a target workgroup or +@@ -95,7 +100,7 @@ + + + +- -p port ++ -p|--port port + + Port on the target server to connect to (usually 139 or 445). + Defaults to trying 445 first, then 139. +@@ -106,7 +111,7 @@ + &stdarg.configfile; + + +- -S server ++ -S|--server server + + Name of target server. You should specify either + this option or a target workgroup or a target IP address. +@@ -114,14 +119,28 @@ + + + +- -l ++ -l|--long + + When listing data, give more information on each item. + + + + +- -P ++ -v|--verbose ++ ++ When listing data, give more verbose information on each item. ++ ++ ++ ++ ++ -f|--force ++ ++ Enforcing a net command. ++ ++ ++ ++ ++ -P|--machine-pass + + Make queries to the external server using the machine account of the local server. + +@@ -135,7 +154,38 @@ + + + +- &stdarg.server.debug; ++ ++ -t|--timeout 30 ++ ++ Set timeout for client operations to 30 seconds. ++ ++ ++ ++ ++ --use-ccache ++ ++ Try to use the credentials cached by winbind. ++ ++ ++ ++ ++ -i|--stdin ++ ++ Take input for net commands from standard input. ++ ++ ++ ++ ++ --tallocreport ++ ++ Generate a talloc report while processing a net ++ command. ++ ++ ++ ++ &stdarg.encrypt; ++ &popt.common.samba.client; ++ + + + +-- +1.8.3.1 + + +From 7c8dcc5e0f61577becf1954b6abfb72e4689eab2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 16:08:19 +0100 +Subject: [PATCH 68/83] docs: add net rpc vampire specific options in net + manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index ccc993b..c9802f8 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -183,6 +183,32 @@ + + + ++ ++ ++ ++ --force-full-repl ++ ++ When calling "net rpc vampire keytab" this option ++ enforces a full re-creation of the generated keytab file. ++ ++ ++ ++ ++ --single-obj-repl ++ ++ When calling "net rpc vampire keytab" this option ++ allows to replicate just a single object to the generated keytab file. ++ ++ ++ ++ ++ --clean-old-entries ++ ++ When calling "net rpc vampire keytab" this option ++ allows to cleanup old entries from the generated keytab file. ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From f1e03c2bc1bb34d1918b232035c25cc9e0e6811d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 16:17:32 +0100 +Subject: [PATCH 69/83] docs: add net idmap specific options in net manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index c9802f8..5cc623f9 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -209,6 +209,32 @@ + + + ++ ++ ++ ++ --db ++ Define dbfile for "net idmap" commands. ++ ++ ++ ++ ++ --lock ++ Activates locking of the dbfile for "net idmap check" command. ++ ++ ++ ++ ++ -a|--auto ++ Activates noninteractive mode in "net idmap check". 
++ ++ ++ ++ ++ --repair ++ Activates repair mode in "net idmap check". ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From e73493c64af9f76fa41b56c154ea973619e97cb0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 16:22:52 +0100 +Subject: [PATCH 70/83] docs: add net rpc share migrate specific options in net + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 5cc623f9..6fba00b 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -235,6 +235,38 @@ + + + ++ ++ ++ ++ --acls ++ Includes ACLs to be copied in "net rpc share migrate". ++ ++ ++ ++ ++ --attrs ++ Includes file attributes to be copied in "net rpc share migrate". ++ ++ ++ ++ ++ --timestamps ++ Includes timestamps to be copied in "net rpc share migrate". ++ ++ ++ ++ ++ -X|--exclude DIRECTORY ++ Allows to exclude directories when copying with "net rpc share migrate". ++ ++ ++ ++ ++ --destination SERVERNAME ++ Defines the target servername of migration process (defaults to localhost). ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From cb90d1eb8f1ea0fd23f7af4aa1a21447d4772a1e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 16:28:10 +0100 +Subject: [PATCH 71/83] docs: add net groupmap set specific options in net + manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 6fba00b..fd13f43 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -267,6 +267,36 @@ + + + ++ ++ ++ ++ -L|--local ++ Sets the type of group mapping to local ++ (used in "net groupmap set"). ++ ++ ++ ++ ++ -D|--domain ++ Sets the type of group mapping to domain ++ (used in "net groupmap set"). ++ ++ ++ ++ ++ -N|--ntname NTNAME ++ Sets the ntname of a group mapping ++ (used in "net groupmap set"). ++ ++ ++ ++ ++ -R|--rid RID ++ Sets the rid of a group mapping ++ (used in "net groupmap set"). ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From 57269672d1b52c5a1318619f5b6ccdfb757c161f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 17:11:31 +0100 +Subject: [PATCH 72/83] docs: add net rpc registry check specific options in + net manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index fd13f43..4d43625 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -297,6 +297,29 @@ + + + ++ ++ ++ ++ --reg-version REG_VERSION ++ Assume database version {n|1,2,3} ++ (used in "net registry check"). ++ ++ ++ ++ ++ -o|--output FILENAME ++ Output database file ++ (used in "net registry check"). ++ ++ ++ ++ ++ --wipe ++ Createa a new database from scratch ++ (used in "net registry check"). 
++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From 49ab592097a235d31355bf4e58d2957ee56c5a3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 17:15:57 +0100 +Subject: [PATCH 73/83] docs: add net registry import specific options in net + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/net.8.xml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 4d43625..ce976b4 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -320,6 +320,15 @@ + + + ++ ++ ++ ++ --precheck PRECHECK_DB_FILENAME ++ Defines filename for database prechecking ++ (used in "net registry import"). ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +-- +1.8.3.1 + + +From 19d1a7abcf5ceaf2577952b90ca77eb776bc95d2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 18 Nov 2013 17:26:28 +0100 +Subject: [PATCH 74/83] docs: document remaining undocumented options in net + manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Nov 19 12:05:56 CET 2013 on sn-devel-104 +--- + docs-xml/manpages/net.8.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index ce976b4..49cab42 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -183,6 +183,48 @@ + + + ++ ++ -T|--test ++ Only test command sequence, dry-run. ++ ++ ++ ++ ++ -F|--flags FLAGS ++ Pass down integer flags to a net subcommand. 
++ ++ ++ ++ ++ -C|--comment COMMENT ++ Pass down a comment string to a net subcommand. ++ ++ ++ ++ ++ -n|--myname MYNAME ++ Use MYNAME as a requester name for a net subcommand. ++ ++ ++ ++ ++ -c|--container CONTAINER ++ Use a specific AD container for net ads operations. ++ ++ ++ ++ ++ -M|--maxusers MAXUSERS ++ Fill in the maxusers field in net rpc share operations. ++ ++ ++ ++ ++ -r|--reboot ++ Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations). ++ ++ ++ + + + +-- +1.8.3.1 + + +From 7a587e715ae413ce0f44be4c6f63a9e30fe697e5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:14:45 +0100 +Subject: [PATCH 75/83] docs: remove duplicate "a" from vfs_cacheprime manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/manpages/vfs_cacheprime.8.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/vfs_cacheprime.8.xml b/docs-xml/manpages/vfs_cacheprime.8.xml +index b490ba6..b92a6c1 100644 +--- a/docs-xml/manpages/vfs_cacheprime.8.xml ++++ b/docs-xml/manpages/vfs_cacheprime.8.xml +@@ -84,7 +84,7 @@ + + + CAVEATS +- cacheprime is not a a substitute for ++ cacheprime is not a substitute for + a general-purpose readahead mechanism. It is intended for use + only in very specific environments where disk operations must + be aligned and sized to known values (as much as that is possible). +-- +1.8.3.1 + + +From b55b56351d71bb4a4517d857959c7c9d9d2b768c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:17:19 +0100 +Subject: [PATCH 76/83] docs: remove duplicate "the" from smb.conf manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/misc/directorynamecachesize.xml | 2 +- + docs-xml/smbdotconf/protocol/ntaclsupport.xml | 2 +- + docs-xml/smbdotconf/winbind/idmapconfig.xml | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/smbdotconf/misc/directorynamecachesize.xml b/docs-xml/smbdotconf/misc/directorynamecachesize.xml +index 1064b7e..d02c4f5 100644 +--- a/docs-xml/smbdotconf/misc/directorynamecachesize.xml ++++ b/docs-xml/smbdotconf/misc/directorynamecachesize.xml +@@ -5,7 +5,7 @@ + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + + +- This parameter specifies the the size of the directory name cache. ++ This parameter specifies the size of the directory name cache. + It will be needed to turn this off for *BSD systems. + + +diff --git a/docs-xml/smbdotconf/protocol/ntaclsupport.xml b/docs-xml/smbdotconf/protocol/ntaclsupport.xml +index 1e9cedf..451d5d8 100644 +--- a/docs-xml/smbdotconf/protocol/ntaclsupport.xml ++++ b/docs-xml/smbdotconf/protocol/ntaclsupport.xml +@@ -7,7 +7,7 @@ + This boolean parameter controls whether smbd + 8 will attempt to map + UNIX permissions into Windows NT access control lists. The UNIX +- permissions considered are the the traditional UNIX owner and ++ permissions considered are the traditional UNIX owner and + group permissions, as well as POSIX ACLs set on any files or + directories. This parameter was formally a global parameter in + releases prior to 2.2.2. 
+diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml +index 5d3605a..30925a2 100644 +--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml ++++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml +@@ -17,7 +17,7 @@ + + + The idmap configuration is hence divided into groups, one group +- for each domain to be configured, and one group with the the ++ for each domain to be configured, and one group with the + asterisk instead of a proper domain name, which specifies the + default configuration that is used to catch all domains that do + not have an explicit idmap configuration of their own. +-- +1.8.3.1 + + +From 25577278211f82a353477c48ea1381cdd16b3b63 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:18:57 +0100 +Subject: [PATCH 77/83] docs: remove duplicate "to" from smb.conf manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/misc/rpcserver.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/misc/rpcserver.xml b/docs-xml/smbdotconf/misc/rpcserver.xml +index 4372eea..9a22939 100644 +--- a/docs-xml/smbdotconf/misc/rpcserver.xml ++++ b/docs-xml/smbdotconf/misc/rpcserver.xml +@@ -59,7 +59,7 @@ + Currently in Samba3 we support three daemons, spoolssd, epmd and + lsasd. These daemons can be enabled using the + rpc_daemon option. For spoolssd you have +- to to enable the daemon and proxy the named pipe with: ++ to enable the daemon and proxy the named pipe with: + + + +-- +1.8.3.1 + + +From ced12107e0af429af088cd63b86c8b8b21e83a1a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:20:12 +0100 +Subject: [PATCH 78/83] docs: remove duplicate "not" from smb.conf manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/protocol/aclallowexecutealways.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml +index 49d2c48..0c9588e 100644 +--- a/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml ++++ b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml +@@ -17,7 +17,7 @@ + If this parameter is set to "True", Samba does not check execute permissions on + "open for execution", thus re-establishing the behaviour of Samba 3.6. + This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer. +- This setting is not not meant to be used as a permanent setting, but as a temporary relief: ++ This setting is not meant to be used as a permanent setting, but as a temporary relief: + It is recommended to fix the permissions in the ACLs and reset this parameter to the + default after a certain transition period. + +-- +1.8.3.1 + + +From 59a240513c7d48afb337b102466c539af3f880f3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:33:33 +0100 +Subject: [PATCH 79/83] docs: remove duplicate "or" from smb.conf manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml b/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml +index 974b6f0..54e7b87 100644 +--- a/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml ++++ b/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml +@@ -20,7 +20,7 @@ + timestamp than the object files it contains. + + However, Unix time semantics mean that the create time +- reported by Samba will be updated whenever a file is created or ++ reported by Samba will be updated whenever a file is created + or deleted in the directory. NMAKE finds all object files in + the object directory. The timestamp of the last one built is then + compared to the timestamp of the object directory. If the +-- +1.8.3.1 + + +From 0cf92d476feabb870f67061d38d1027ebc59a852 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:34:05 +0100 +Subject: [PATCH 80/83] docs: remove duplicate "on" from smb.conf manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/security/aclgroupcontrol.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml +index e62216a..279a57b 100644 +--- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml ++++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml +@@ -24,7 +24,7 @@ + + + This parameter is best used with the option and also +- on on a share containing directories with the UNIX setgid bit set ++ on a share containing directories with the UNIX setgid bit set + on them, which causes new files and directories created within it to inherit the group + ownership from the containing directory. + +-- +1.8.3.1 + + +From 8d1ff1d73f43d0fd4c2290496389c006afb2de93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:34:33 +0100 +Subject: [PATCH 81/83] docs: remove duplicate "must" from smb.conf manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/security/smbencrypt.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml +index d556166..51079ae 100644 +--- a/docs-xml/smbdotconf/security/smbencrypt.xml ++++ b/docs-xml/smbdotconf/security/smbencrypt.xml +@@ -21,7 +21,7 @@ + and disabled. This may be set on a per-share + basis, but clients may chose to encrypt the entire session, not + just traffic to a specific share. If this is set to mandatory +- then all traffic to a share must must ++ then all traffic to a share must + be encrypted once the connection has been made to the share. 
+ The server would return "access denied" to all non-encrypted + requests on such a share. Selecting encrypted traffic reduces +-- +1.8.3.1 + + +From 344c59f99996d4e6a23c2cc914377536ea7e9eee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:34:54 +0100 +Subject: [PATCH 82/83] docs: remove duplicate "line" from smb.conf manpage. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + docs-xml/smbdotconf/security/usernamemapscript.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml +index 6df134c..9e2e1a5 100644 +--- a/docs-xml/smbdotconf/security/usernamemapscript.xml ++++ b/docs-xml/smbdotconf/security/usernamemapscript.xml +@@ -8,7 +8,7 @@ + parameter. This parameter + specifies and external program or script that must accept a single + command line option (the username transmitted in the authentication +- request) and return a line line on standard output (the name to which ++ request) and return a line on standard output (the name to which + the account should mapped). In this way, it is possible to store + username map tables in an LDAP or NIS directory services. + +-- +1.8.3.1 + + +From c0bdd8011cc14a03bbddb7ad894219c649a609d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 19 Nov 2013 12:36:53 +0100 +Subject: [PATCH 83/83] docs: remove duplicate "used" from smb.conf manpage. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Nov 19 14:40:40 CET 2013 on sn-devel-104 +--- + docs-xml/smbdotconf/filename/manglingmethod.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/docs-xml/smbdotconf/filename/manglingmethod.xml b/docs-xml/smbdotconf/filename/manglingmethod.xml +index f6e2eda..347dc56 100644 +--- a/docs-xml/smbdotconf/filename/manglingmethod.xml ++++ b/docs-xml/smbdotconf/filename/manglingmethod.xml +@@ -6,7 +6,7 @@ + + controls the algorithm used for the generating + the mangled names. Can take two different values, "hash" and +- "hash2". "hash" is the algorithm that was used ++ "hash2". "hash" is the algorithm that was + used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so +-- +1.8.3.1 + diff --git a/SOURCES/samba-4.1.2-fix_strict_aliasing.patch b/SOURCES/samba-4.1.2-fix_strict_aliasing.patch new file mode 100644 index 0000000..7a60239 --- /dev/null +++ b/SOURCES/samba-4.1.2-fix_strict_aliasing.patch 
@@ -0,0 +1,109 @@ +From d31a18bcaaa3f3dd5f0bf8db705089c42c7ab0b3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 14 Nov 2013 18:36:41 +0100 +Subject: [PATCH] util: Remove 32bit macros breaking strict aliasing. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10269 + +These macros might have worked but they break strict aliasing in the +meantime and so the compiler is not able to optimize the relevant code. + +Signed-off-by: Andreas Schneider +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Thu Nov 14 23:16:45 CET 2013 on sn-devel-104 + +(cherry picked from commit af69cb2a78810e608ccff115b433801a58a749e4) +Signed-off-by: Andreas Schneider +--- + lib/util/byteorder.h | 52 ++-------------------------------------------------- + 1 file changed, 2 insertions(+), 50 deletions(-) + +diff --git a/lib/util/byteorder.h b/lib/util/byteorder.h +index 6bcf71e..58cd68a 100644 +--- a/lib/util/byteorder.h ++++ b/lib/util/byteorder.h +@@ -35,15 +35,6 @@ Here is a description of this file that I emailed to the samba list once: + + sure. + +-The distinction between 386 and other architectures is only there as +-an optimisation. You can take it out completely and it will make no +-difference. The routines (macros) in byteorder.h are totally byteorder +-independent. The 386 optimsation just takes advantage of the fact that +-the x86 processors don't care about alignment, so we don't have to +-align ints on int boundaries etc. If there are other processors out +-there that aren't alignment sensitive then you could also define +-CAREFUL_ALIGNMENT=0 on those processors as well. +- + Ok, now to the macros themselves. 
I'll take a simple example, say we + want to extract a 2 byte integer from a SMB packet and put it into a + type called uint16_t that is in the local machines byte order, and you +@@ -130,20 +121,6 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val) + #define HAVE_ASM_BYTEORDER 0 + #endif + +- +- +-#undef CAREFUL_ALIGNMENT +- +-/* we know that the 386 can handle misalignment and has the "right" +- byteorder */ +-#if defined(__i386__) +-#define CAREFUL_ALIGNMENT 0 +-#endif +- +-#ifndef CAREFUL_ALIGNMENT +-#define CAREFUL_ALIGNMENT 1 +-#endif +- + #define CVAL(buf,pos) ((unsigned int)(((const uint8_t *)(buf))[pos])) + #define CVAL_NC(buf,pos) (((uint8_t *)(buf))[pos]) /* Non-const version of CVAL */ + #define PVAL(buf,pos) (CVAL(buf,pos)) +@@ -161,7 +138,7 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val) + #define SSVALS(buf,pos,val) SSVAL((buf),(pos),((int16_t)(val))) + #define SIVALS(buf,pos,val) SIVAL((buf),(pos),((int32_t)(val))) + +-#elif CAREFUL_ALIGNMENT ++#else /* not HAVE_ASM_BYTEORDER */ + + #define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8) + #define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16) +@@ -174,32 +151,7 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val) + #define SSVALS(buf,pos,val) SSVALX((buf),(pos),((int16_t)(val))) + #define SIVALS(buf,pos,val) SIVALX((buf),(pos),((int32_t)(val))) + +-#else /* not CAREFUL_ALIGNMENT */ +- +-/* this handles things for architectures like the 386 that can handle +- alignment errors */ +-/* +- WARNING: This section is dependent on the length of int16_t and int32_t +- being correct +-*/ +- +-/* get single value from an SMB buffer */ +-#define SVAL(buf,pos) (*(const uint16_t *)((const char *)(buf) + (pos))) +-#define SVAL_NC(buf,pos) (*(uint16_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. 
*/ +-#define IVAL(buf,pos) (*(const uint32_t *)((const char *)(buf) + (pos))) +-#define IVAL_NC(buf,pos) (*(uint32_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */ +-#define SVALS(buf,pos) (*(const int16_t *)((const char *)(buf) + (pos))) +-#define SVALS_NC(buf,pos) (*(int16_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */ +-#define IVALS(buf,pos) (*(const int32_t *)((const char *)(buf) + (pos))) +-#define IVALS_NC(buf,pos) (*(int32_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */ +- +-/* store single value in an SMB buffer */ +-#define SSVAL(buf,pos,val) SVAL_NC(buf,pos)=((uint16_t)(val)) +-#define SIVAL(buf,pos,val) IVAL_NC(buf,pos)=((uint32_t)(val)) +-#define SSVALS(buf,pos,val) SVALS_NC(buf,pos)=((int16_t)(val)) +-#define SIVALS(buf,pos,val) IVALS_NC(buf,pos)=((int32_t)(val)) +- +-#endif /* not CAREFUL_ALIGNMENT */ ++#endif /* not HAVE_ASM_BYTEORDER */ + + /* 64 bit macros */ + #define BVAL(p, ofs) (IVAL(p,ofs) | (((uint64_t)IVAL(p,(ofs)+4)) << 32)) +-- +1.8.4 + diff --git a/SOURCES/samba-4.1.2-winbind_cache_keysize.patch b/SOURCES/samba-4.1.2-winbind_cache_keysize.patch new file mode 100644 index 0000000..fd4b505 --- /dev/null +++ b/SOURCES/samba-4.1.2-winbind_cache_keysize.patch 
@@ -0,0 +1,41 @@ +From 944e9fbc20f125b52e047484dca1792d75561ed9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 13 Nov 2013 15:10:33 +0100 +Subject: [PATCH] s3-winbindd: Fix #10264, cache_traverse_validate_fn failure + for NDR cache entries. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We need to increase the keysize limit for NDR queries. A wbint_LookupSids query +for just 20 sids already hits the older limit. + +Guenther + +https://bugzilla.samba.org/show_bug.cgi?id=10264 +Signed-off-by: Günther Deschner +Reviewed-by: Michael Adam + +Autobuild-User(master): Michael Adam +Autobuild-Date(master): Wed Nov 13 19:33:46 CET 2013 on sn-devel-104 +--- + source3/winbindd/winbindd_cache.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c +index 91c19fa..267cefc 100644 +--- a/source3/winbindd/winbindd_cache.c ++++ b/source3/winbindd/winbindd_cache.c +@@ -4065,7 +4065,8 @@ static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_D + struct tdb_validation_status *v_state = (struct tdb_validation_status *)state; + + /* Paranoia check. */ +- if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0) { ++ if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0 || ++ strncmp("NDR/", (const char *)kbuf.dptr, 4) == 0) { + max_key_len = 1024 * 1024; + } + if (kbuf.dsize > max_key_len) { +-- +1.8.3.1 + diff --git a/SOURCES/samba-4.1.3-CVE-2012-6150.patch b/SOURCES/samba-4.1.3-CVE-2012-6150.patch new file mode 100644 index 0000000..b4bd091 --- /dev/null +++ b/SOURCES/samba-4.1.3-CVE-2012-6150.patch 
@@ -0,0 +1,38 @@ +From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001 +From: Noel Power +Date: Wed, 16 Oct 2013 16:30:55 +0100 +Subject: [PATCH] fail authentication for single group name which cannot be + converted to sid + +furthermore if more than one name is supplied and no sid is converted +then also fail. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300 + +Signed-off-by: Noel Power +Reviewed-by: Andreas Schneider +Reviewed-by: David Disseldorp +[ddiss@samba.org: fixed incorrect bugzilla tag I added to master commit] +--- + nsswitch/pam_winbind.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c +index 9322971..cd5e7ba 100644 +--- a/nsswitch/pam_winbind.c ++++ b/nsswitch/pam_winbind.c +@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx, + _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s " + "to sid, please contact your administrator to see " + "if group %s is valid."), search_location, search_location); ++ ++ /* If no valid groups were converted we should fail outright */ ++ if (name_list != NULL && strlen(sid_list_buffer) == 0) { ++ result = false; ++ goto out; ++ } + /* + * The lookup of the last name failed.. + * It results in require_member_of_sid ends with ',' +-- +1.8.1.4 diff --git a/SOURCES/samba-4.1.3-CVE-2013-4408.patch b/SOURCES/samba-4.1.3-CVE-2013-4408.patch new file mode 100644 index 0000000..7624ff1 --- /dev/null +++ b/SOURCES/samba-4.1.3-CVE-2013-4408.patch 
@@ -0,0 +1,1974 @@ +From ea6e3de5ae7c79b3badf9cfa8fcbaebf76ec5bae Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 24 Sep 2013 05:03:40 +0200 +Subject: [PATCH 01/16] CVE-2013-4408:librpc: check for invalid frag_len + within dcerpc_read_ncacn_packet_done() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + librpc/rpc/dcerpc_util.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c +index de292c8..458ecc5 100644 +--- a/librpc/rpc/dcerpc_util.c ++++ b/librpc/rpc/dcerpc_util.c +@@ -292,6 +292,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq) + return; + } + ++ if (state->pkt->frag_length != state->buffer.length) { ++ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); ++ return; ++ } ++ + tevent_req_done(req); + } + +-- +1.7.9.5 + + +From d405a5afc175c5a936511f861a35cffd3be43fd9 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 24 Sep 2013 05:03:40 +0200 +Subject: [PATCH 02/16] CVE-2013-4408:librpc: check for invalid frag_len + within dcerpc_read_ncacn_packet_next_vector() + +We should do this explicit instead of relying on +tstream_readv_pdu_ask_for_next_vector() to catch the overflow. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + librpc/rpc/dcerpc_util.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c +index 458ecc5..0b9cca3 100644 +--- a/librpc/rpc/dcerpc_util.c ++++ b/librpc/rpc/dcerpc_util.c +@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream, + + ofs = state->buffer.length; + ++ if (frag_len < ofs) { ++ /* ++ * something is wrong, let the caller deal with it ++ */ ++ *_vector = NULL; ++ *_count = 0; ++ return 0; ++ } ++ + state->buffer.data = talloc_realloc(state, + state->buffer.data, + uint8_t, frag_len); +-- +1.7.9.5 + + +From db3a2292a096d95ce672950e738c35e902077604 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Sep 2013 23:25:12 +0200 +Subject: [PATCH 03/16] CVE-2013-4408:s3:rpc_client: check for invalid + frag_len in dcerpc_pull_ncacn_packet() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/librpc/rpc/dcerpc_helpers.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c +index d36c2da..a55e419 100644 +--- a/source3/librpc/rpc/dcerpc_helpers.c ++++ b/source3/librpc/rpc/dcerpc_helpers.c +@@ -127,6 +127,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx, + NDR_PRINT_DEBUG(ncacn_packet, r); + } + ++ if (r->frag_length != blob->length) { ++ return NT_STATUS_RPC_PROTOCOL_ERROR; ++ } ++ + return NT_STATUS_OK; + } + +-- +1.7.9.5 + + +From 1e1b1d587a056d898f0f5bb99235e488a06079f1 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Sep 2013 23:25:12 +0200 +Subject: [PATCH 04/16] CVE-2013-4408:s3:rpc_client: verify frag_len at least + contains the header size + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan 
Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/rpc_client/cli_pipe.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c +index 2e978ef..fd854c4 100644 +--- a/source3/rpc_client/cli_pipe.c ++++ b/source3/rpc_client/cli_pipe.c +@@ -284,6 +284,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx, + } + + state->frag_len = dcerpc_get_frag_length(pdu); ++ if (state->frag_len < RPC_HEADER_LEN) { ++ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); ++ return tevent_req_post(req, ev); ++ } + + /* + * Ensure we have frag_len bytes of data. +@@ -332,6 +336,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq) + } + + state->frag_len = dcerpc_get_frag_length(state->pdu); ++ if (state->frag_len < RPC_HEADER_LEN) { ++ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR); ++ return; ++ } + + if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) { + tevent_req_nterror(req, NT_STATUS_NO_MEMORY); +-- +1.7.9.5 + + +From 33d4dc2f0512d845cc6e00174b870833dd055862 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Sep 2013 23:25:12 +0200 +Subject: [PATCH 05/16] CVE-2013-4408:s4:dcerpc: check for invalid frag_len in + ncacn_pull() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source4/librpc/rpc/dcerpc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c +index e653cba..2826160 100644 +--- a/source4/librpc/rpc/dcerpc.c ++++ b/source4/librpc/rpc/dcerpc.c +@@ -693,6 +693,10 @@ static NTSTATUS ncacn_pull(struct dcecli_connection *c, DATA_BLOB *blob, TALLOC_ + return ndr_map_error2ntstatus(ndr_err); + } + ++ if (pkt->frag_length != blob->length) { ++ return NT_STATUS_RPC_PROTOCOL_ERROR; ++ } ++ + return NT_STATUS_OK; + } + +-- +1.7.9.5 + + +From 7ff27a03ddcb2aaa6b130266a9262dca79a324c5 Mon Sep 17 
00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Sep 2013 23:25:12 +0200 +Subject: [PATCH 06/16] CVE-2013-4408:s4:dcerpc_smb: check for invalid + frag_len in send_read_request_continue() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source4/librpc/rpc/dcerpc_smb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c +index e02631e..efb76cf 100644 +--- a/source4/librpc/rpc/dcerpc_smb.c ++++ b/source4/librpc/rpc/dcerpc_smb.c +@@ -163,6 +163,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO + } else { + uint32_t frag_length = blob->length>=16? + dcerpc_get_frag_length(blob):0x2000; ++ ++ if (frag_length < state->data.length) { ++ talloc_free(state); ++ return NT_STATUS_RPC_PROTOCOL_ERROR; ++ } ++ + state->received = blob->length; + state->data = data_blob_talloc(state, NULL, frag_length); + if (!state->data.data) { +-- +1.7.9.5 + + +From 2e01567db620407a9bfdee28efa61ddccc1357f8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 25 Sep 2013 23:25:12 +0200 +Subject: [PATCH 07/16] CVE-2013-4408:s4:dcerpc_smb2: check for invalid + frag_len in send_read_request_continue() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source4/librpc/rpc/dcerpc_smb2.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c +index 473ca78..2b1c66e 100644 +--- a/source4/librpc/rpc/dcerpc_smb2.c ++++ b/source4/librpc/rpc/dcerpc_smb2.c +@@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO + + if (state->data.length >= 16) { + uint16_t frag_length = dcerpc_get_frag_length(&state->data); ++ ++ if (frag_length < state->data.length) { ++ talloc_free(state); ++ return 
NT_STATUS_RPC_PROTOCOL_ERROR; ++ } ++ + io.in.length = frag_length - state->data.length; + } else { + io.in.length = 0x2000; +-- +1.7.9.5 + + +From 2a94a9db0086582119bbcb7b4c82e86e8a3f8137 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 24 Sep 2013 05:03:40 +0200 +Subject: [PATCH 08/16] CVE-2013-4408:s4:dcerpc_sock: check for invalid + frag_len within sock_complete_packet() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source4/librpc/rpc/dcerpc_sock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c +index 58fca4c..d36af11 100644 +--- a/source4/librpc/rpc/dcerpc_sock.c ++++ b/source4/librpc/rpc/dcerpc_sock.c +@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t + return STATUS_MORE_ENTRIES; + } + *size = dcerpc_get_frag_length(&blob); ++ if (*size < blob.length) { ++ /* ++ * something is wrong, let the caller deal with it ++ */ ++ *size = blob.length; ++ } + if (*size > blob.length) { + return STATUS_MORE_ENTRIES; + } +-- +1.7.9.5 + + +From 79c3d6df2fc63e188ae6091d6f0bd0a55f3fe548 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 16 Oct 2013 14:17:49 +0200 +Subject: [PATCH 09/16] CVE-2013-4408:async_sock: add some overflow detection + to read_packet_handler() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + lib/async_req/async_sock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c +index 59dde88..74b2cb7 100644 +--- a/lib/async_req/async_sock.c ++++ b/lib/async_req/async_sock.c +@@ -667,6 +667,11 @@ static void read_packet_handler(struct tevent_context *ev, + return; + } + ++ if (total + more < total) { ++ tevent_req_error(req, EMSGSIZE); ++ return; ++ } ++ + tmp = talloc_realloc(state, 
state->buf, uint8_t, total+more); + if (tevent_req_nomem(tmp, req)) { + return; +-- +1.7.9.5 + + +From ebfad1eadb3fc492f31c35a9d2585fe27ed00ad5 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 16 Oct 2013 14:17:49 +0200 +Subject: [PATCH 10/16] CVE-2013-4408:s3:util_tsock: add some overflow + detection to tstream_read_packet_done() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/lib/util_tsock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/lib/util_tsock.c b/source3/lib/util_tsock.c +index 35a97f5..03380ef 100644 +--- a/source3/lib/util_tsock.c ++++ b/source3/lib/util_tsock.c +@@ -110,6 +110,11 @@ static void tstream_read_packet_done(struct tevent_req *subreq) + return; + } + ++ if (total + more < total) { ++ tevent_req_error(req, EMSGSIZE); ++ return; ++ } ++ + tmp = talloc_realloc(state, state->buf, uint8_t, total+more); + if (tevent_req_nomem(tmp, req)) { + return; +-- +1.7.9.5 + + +From 1108ce2b996cde47a653cdfca27e059e3986da5f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 16 Oct 2013 14:17:49 +0200 +Subject: [PATCH 11/16] CVE-2013-4408:libcli/util: add some size verification + to tstream_read_pdu_blob_done() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + libcli/util/tstream.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c +index 12cef9b..dd830e2 100644 +--- a/libcli/util/tstream.c ++++ b/libcli/util/tstream.c +@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq) + return; + } + ++ if (new_buf_size <= old_buf_size) { ++ tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE); ++ return; ++ } ++ + buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size); + if (tevent_req_nomem(buf, req)) { + return; +-- +1.7.9.5 + + +From 
72d5d302c5ed46f3ca465653f6c595ea500b3063 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 16 Oct 2013 16:26:58 +0200 +Subject: [PATCH 12/16] CVE-2013-4408:s3:ctdb_conn: add some length + verification to ctdb_packet_more() + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +--- + source3/lib/ctdb_conn.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c +index 90930eb..40071d4 100644 +--- a/source3/lib/ctdb_conn.c ++++ b/source3/lib/ctdb_conn.c +@@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p) + return 0; + } + memcpy(&len, buf, sizeof(len)); ++ ++ if (len < sizeof(uint32_t)) { ++ return -1; ++ } ++ + return (len - sizeof(uint32_t)); + } + +-- +1.7.9.5 + + +From 5335358922eb2d86f00c73bb9e11940cc0cec7ce Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 17 Oct 2013 14:44:35 -0700 +Subject: [PATCH 13/16] CVE-2013-4408:s3:Ensure we always check call_id when + validating an RPC reply. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Jeremy Allison +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_client/cli_pipe.c | 33 +++++++++++++++++++++++++-------- + 1 file changed, 25 insertions(+), 8 deletions(-) + +diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c +index fd854c4..385ae25 100644 +--- a/source3/rpc_client/cli_pipe.c ++++ b/source3/rpc_client/cli_pipe.c +@@ -389,6 +389,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, + struct ncacn_packet *pkt, + DATA_BLOB *pdu, + uint8_t expected_pkt_type, ++ uint32_t call_id, + DATA_BLOB *rdata, + DATA_BLOB *reply_pdu) + { +@@ -487,7 +488,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, + "from %s!\n", + (unsigned int)pkt->ptype, + rpccli_pipe_txt(talloc_tos(), cli))); +- return NT_STATUS_INVALID_INFO_CLASS; ++ return NT_STATUS_RPC_PROTOCOL_ERROR; + } + + if (pkt->ptype != expected_pkt_type) { +@@ -495,7 +496,15 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx, + "RPC packet type - %u, not %u\n", + rpccli_pipe_txt(talloc_tos(), cli), + pkt->ptype, expected_pkt_type)); +- return NT_STATUS_INVALID_INFO_CLASS; ++ return NT_STATUS_RPC_PROTOCOL_ERROR; ++ } ++ ++ if (pkt->call_id != call_id) { ++ DEBUG(3, (__location__ ": Connection to %s got an unexpected " ++ "RPC call_id - %u, not %u\n", ++ rpccli_pipe_txt(talloc_tos(), cli), ++ pkt->call_id, call_id)); ++ return NT_STATUS_RPC_PROTOCOL_ERROR; + } + + /* Do this just before return - we don't want to modify any rpc header +@@ -701,6 +710,7 @@ struct rpc_api_pipe_state { + struct tevent_context *ev; + struct rpc_pipe_client *cli; + uint8_t expected_pkt_type; ++ uint32_t call_id; + + DATA_BLOB incoming_frag; + struct ncacn_packet *pkt; +@@ -719,7 +729,8 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct rpc_pipe_client *cli, + DATA_BLOB *data, /* Outgoing PDU */ +- uint8_t expected_pkt_type) 
++ uint8_t expected_pkt_type, ++ uint32_t call_id) + { + struct tevent_req *req, *subreq; + struct rpc_api_pipe_state *state; +@@ -733,6 +744,7 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx, + state->ev = ev; + state->cli = cli; + state->expected_pkt_type = expected_pkt_type; ++ state->call_id = call_id; + state->incoming_frag = data_blob_null; + state->reply_pdu = data_blob_null; + state->reply_pdu_offset = 0; +@@ -884,6 +896,7 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq) + state->cli, state->pkt, + &state->incoming_frag, + state->expected_pkt_type, ++ state->call_id, + &rdata, + &state->reply_pdu); + +@@ -1226,7 +1239,8 @@ struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx, + if (is_last_frag) { + subreq = rpc_api_pipe_send(state, ev, state->cli, + &state->rpc_out, +- DCERPC_PKT_RESPONSE); ++ DCERPC_PKT_RESPONSE, ++ state->call_id); + if (subreq == NULL) { + goto fail; + } +@@ -1362,7 +1376,8 @@ static void rpc_api_pipe_req_write_done(struct tevent_req *subreq) + if (is_last_frag) { + subreq = rpc_api_pipe_send(state, state->ev, state->cli, + &state->rpc_out, +- DCERPC_PKT_RESPONSE); ++ DCERPC_PKT_RESPONSE, ++ state->call_id); + if (tevent_req_nomem(subreq, req)) { + return; + } +@@ -1608,7 +1623,7 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx, + } + + subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out, +- DCERPC_PKT_BIND_ACK); ++ DCERPC_PKT_BIND_ACK, state->rpc_call_id); + if (subreq == NULL) { + goto fail; + } +@@ -1916,7 +1931,8 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req, + } + + subreq = rpc_api_pipe_send(state, state->ev, state->cli, +- &state->rpc_out, DCERPC_PKT_ALTER_RESP); ++ &state->rpc_out, DCERPC_PKT_ALTER_RESP, ++ state->rpc_call_id); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1948,7 +1964,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req, + } + + subreq = rpc_api_pipe_send(state, state->ev, state->cli, +- &state->rpc_out, 
DCERPC_PKT_AUTH3); ++ &state->rpc_out, DCERPC_PKT_AUTH3, ++ state->rpc_call_id); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +-- +1.7.9.5 + + +From 7d60c72841e8b2e4315e506fb1033508b43425f6 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 7 Nov 2013 20:38:01 -0800 +Subject: [PATCH 14/16] CVE-2013-4408:s3:Ensure LookupSids replies arrays are + range checked. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Signed-off-by: Jeremy Allison +--- + nsswitch/libwbclient/wbc_sid.c | 7 +++++++ + nsswitch/wbinfo.c | 23 ++++++++++++++++++++--- + source3/rpc_client/cli_lsarpc.c | 17 ++++++++++++++++- + source3/rpcclient/cmd_lsarpc.c | 7 +++++-- + source3/winbindd/wb_lookupsids.c | 3 +++ + source3/winbindd/winbindd_rpc.c | 32 ++++++++++++++++++++++++++++++++ + source4/libcli/util/clilsa.c | 16 +++++++++++++++- + source4/winbind/wb_async_helpers.c | 13 ++++++++++++- + 8 files changed, 110 insertions(+), 8 deletions(-) + +diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c +index bab6933..82ac339 100644 +--- a/nsswitch/libwbclient/wbc_sid.c ++++ b/nsswitch/libwbclient/wbc_sid.c +@@ -421,6 +421,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids, + for (i=0; i= num_domains) { ++ goto wbc_err_invalid; ++ } ++ + if (*q != ' ') { + goto wbc_err_invalid; + } +diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c +index 17977ed..3f0310a 100644 +--- a/nsswitch/wbinfo.c ++++ b/nsswitch/wbinfo.c +@@ -1391,11 +1391,28 @@ static bool wbinfo_lookup_sids(const char *arg) + } + + for (i=0; i %s\\%s %d\n", sidstr, +- domains[names[i].domain_index].short_name, +- names[i].name, names[i].type); ++ if (names[i].domain_index >= num_domains) { ++ domain = ""; ++ } else if (names[i].domain_index < 0) { ++ domain = ""; ++ } else { ++ domain = domains[names[i].domain_index].short_name; ++ } ++ ++ if (names[i].type == WBC_SID_NAME_DOMAIN) { ++ d_printf("%s -> %s %d\n", sidstr, ++ domain, ++ 
names[i].type); ++ } else { ++ d_printf("%s -> %s%c%s %d\n", sidstr, ++ domain, ++ winbind_separator(), ++ names[i].name, names[i].type); ++ } + } + wbcFreeMemory(names); + wbcFreeMemory(domains); +diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c +index 126f370..7cadd6e 100644 +--- a/source3/rpc_client/cli_lsarpc.c ++++ b/source3/rpc_client/cli_lsarpc.c +@@ -279,11 +279,26 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h, + + for (i = 0; i < num_sids; i++) { + const char *name, *dom_name; +- uint32_t dom_idx = lsa_names.names[i].sid_index; ++ uint32_t dom_idx; ++ ++ if (i >= lsa_names.count) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ return status; ++ } ++ ++ dom_idx = lsa_names.names[i].sid_index; + + /* Translate optimised name through domain index array */ + + if (dom_idx != 0xffffffff) { ++ if (ref_domains == NULL) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ return status; ++ } ++ if (dom_idx >= ref_domains->count) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ return status; ++ } + + dom_name = ref_domains->domains[dom_idx].name.string; + name = lsa_names.names[i].name.string; +diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c +index cbc089f..a7ee4e4 100644 +--- a/source3/rpcclient/cmd_lsarpc.c ++++ b/source3/rpcclient/cmd_lsarpc.c +@@ -450,7 +450,7 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli, + NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result; + int i; + struct lsa_SidArray sids; +- struct lsa_RefDomainList *domains; ++ struct lsa_RefDomainList *domains = NULL; + struct lsa_TransNameArray2 names; + uint32_t count = 0; + struct dcerpc_binding_handle *b = cli->binding_handle; +@@ -506,9 +506,12 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli, + + /* Print results */ + +- for (i = 0; i < count; i++) { ++ for (i = 0; i < names.count; i++) { + fstring sid_str; + ++ if (i >= sids.num_sids) { ++ break; 
++ } + sid_to_fstring(sid_str, sids.sids[i].sid); + printf("%s %s (%d)\n", sid_str, + names.names[i].name.string, +diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c +index 2c4ebda..e10d511 100644 +--- a/source3/winbindd/wb_lookupsids.c ++++ b/source3/winbindd/wb_lookupsids.c +@@ -402,6 +402,9 @@ static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains, + uint32_t src_domain_index, dst_domain_index; + + src_domain_index = src_name->sid_index; ++ if (src_domain_index >= src_domains->count) { ++ return false; ++ } + src_domain = &src_domains->domains[src_domain_index]; + + if (!wb_lookupsids_find_dom_idx( +diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c +index 44deeb0..7345ea7 100644 +--- a/source3/winbindd/winbindd_rpc.c ++++ b/source3/winbindd/winbindd_rpc.c +@@ -1084,6 +1084,10 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, + if (NT_STATUS_IS_ERR(result)) { + return result; + } ++ if (sids->num_sids != lsa_names2.count) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ + names = talloc_zero(mem_ctx, struct lsa_TransNameArray); + if (names == NULL) { + return NT_STATUS_NO_MEMORY; +@@ -1099,6 +1103,16 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, + names->names[i].name.string = talloc_move( + names->names, &lsa_names2.names[i].name.string); + names->names[i].sid_index = lsa_names2.names[i].sid_index; ++ ++ if (names->names[i].sid_index == UINT32_MAX) { ++ continue; ++ } ++ if ((*pdomains) == NULL) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (names->names[i].sid_index >= (*pdomains)->count) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } + } + *pnames = names; + return result; +@@ -1114,6 +1128,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + uint32_t count; ++ uint32_t i; + NTSTATUS status, result; + + status = cm_connect_lsat(domain, mem_ctx, &cli, 
&lsa_policy); +@@ -1140,6 +1155,23 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, + if (NT_STATUS_IS_ERR(result)) { + return result; + } ++ ++ if (sids->num_sids != names->count) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ ++ for (i=0; i < names->count; i++) { ++ if (names->names[i].sid_index == UINT32_MAX) { ++ continue; ++ } ++ if ((*pdomains) == NULL) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (names->names[i].sid_index >= (*pdomains)->count) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ } ++ + *pnames = names; + return result; + } +diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c +index 812f953..cc0dae5 100644 +--- a/source4/libcli/util/clilsa.c ++++ b/source4/libcli/util/clilsa.c +@@ -260,7 +260,21 @@ NTSTATUS smblsa_lookup_sid(struct smbcli_state *cli, + } + if (names.count != 1) { + talloc_free(mem_ctx2); +- return NT_STATUS_UNSUCCESSFUL; ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (domains == NULL) { ++ talloc_free(mem_ctx2); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (domains->count != 1) { ++ talloc_free(mem_ctx2); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (names.names[0].sid_index != UINT32_MAX && ++ names.names[0].sid_index >= domains->count) ++ { ++ talloc_free(mem_ctx2); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + (*name) = talloc_asprintf(mem_ctx, "%s\\%s", +diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c +index 2af8567..e3de2eb 100644 +--- a/source4/winbind/wb_async_helpers.c ++++ b/source4/winbind/wb_async_helpers.c +@@ -122,6 +122,12 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq) + return; + } + ++ if (state->names.count != state->num_sids) { ++ composite_error(state->ctx, ++ NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } ++ + state->result = talloc_array(state, struct wb_sid_object *, + state->num_sids); + if (composite_nomem(state->result, state->ctx)) return; +@@ 
-142,9 +148,14 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq) + continue; + } + ++ if (domains == NULL) { ++ composite_error(state->ctx, ++ NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } + if (name->sid_index >= domains->count) { + composite_error(state->ctx, +- NT_STATUS_INVALID_PARAMETER); ++ NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +-- +1.7.9.5 + + +From e89cb29f386adf364fb953686eb34d0db7d62202 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 7 Nov 2013 21:40:55 -0800 +Subject: [PATCH 15/16] CVE-2013-4408:s3:Ensure LookupNames replies arrays are + range checked. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Stefan Metzmacher +Signed-off-by: Jeremy Allison +--- + source3/lib/netapi/group.c | 82 +++++++++++++++++++++++++++ + source3/lib/netapi/localgroup.c | 8 ++- + source3/lib/netapi/user.c | 56 ++++++++++++++++++ + source3/libnet/libnet_join.c | 16 ++++++ + source3/rpc_client/cli_lsarpc.c | 18 ++++++ + source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +- + source3/rpcclient/cmd_lsarpc.c | 6 +- + source3/rpcclient/cmd_samr.c | 58 ++++++++++++++++++- + source3/smbd/lanman.c | 8 +++ + source3/utils/net_rpc.c | 40 ++++++++++++- + source3/utils/net_rpc_join.c | 9 +++ + source3/winbindd/winbindd_rpc.c | 14 +---- + source4/libcli/util/clilsa.c | 6 +- + source4/libnet/groupinfo.c | 9 ++- + source4/libnet/groupman.c | 10 ++-- + source4/libnet/libnet_join.c | 12 +++- + source4/libnet/libnet_lookup.c | 5 ++ + source4/libnet/libnet_passwd.c | 10 +++- + source4/libnet/userinfo.c | 8 ++- + source4/libnet/userman.c | 24 ++++---- + source4/winbind/wb_async_helpers.c | 13 ++++- + 21 files changed, 368 insertions(+), 46 deletions(-) + +diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c +index 9813f7e..69c7af4 100644 +--- a/source3/lib/netapi/group.c ++++ b/source3/lib/netapi/group.c +@@ -309,6 +309,15 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx, + goto done; + } + ++ if (rids.count 
!= 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ + if (types.ids[0] != SID_NAME_DOM_GRP) { + werr = WERR_INVALID_DATATYPE; + goto done; +@@ -511,6 +520,14 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_DOM_GRP) { + werr = WERR_INVALID_DATATYPE; +@@ -781,6 +798,14 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_DOM_GRP) { + werr = WERR_INVALID_DATATYPE; +@@ -921,6 +946,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx, + werr = WERR_GROUPNOTFOUND; + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_DOM_GRP) { + werr = WERR_GROUPNOTFOUND; +@@ -959,6 +992,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx, + werr = WERR_USER_NOT_FOUND; + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_USER) { + werr = WERR_USER_NOT_FOUND; +@@ -1065,6 +1106,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx, + werr = WERR_GROUPNOTFOUND; + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_DOM_GRP) { + werr = WERR_GROUPNOTFOUND; +@@ -1104,6 +1153,14 @@ WERROR 
NetGroupDelUser_r(struct libnetapi_ctx *ctx, + werr = WERR_USER_NOT_FOUND; + goto done; + } ++ if (rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + if (types.ids[0] != SID_NAME_USER) { + werr = WERR_USER_NOT_FOUND; +@@ -1515,6 +1572,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (group_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenGroup(b, talloc_tos(), + &domain_handle, +@@ -1691,6 +1756,14 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (group_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (group_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenGroup(b, talloc_tos(), + &domain_handle, +@@ -1769,6 +1842,15 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx, + goto done; + } + ++ if (r->in.num_entries != user_rids.count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (r->in.num_entries != name_types.count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ + member_rids = user_rids.ids; + + status = dcerpc_samr_QueryGroupMember(b, talloc_tos(), +diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c +index 1a544ad..17cab68 100644 +--- a/source3/lib/netapi/localgroup.c ++++ b/source3/lib/netapi/localgroup.c +@@ -58,6 +58,12 @@ static NTSTATUS libnetapi_samr_lookup_and_open_alias(TALLOC_CTX *mem_ctx, + if (!NT_STATUS_IS_OK(result)) { + return result; + } ++ if (user_rids.count != 1) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (name_types.count != 1) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } + + switch (name_types.ids[0]) { + case SID_NAME_ALIAS: +@@ -1041,7 +1047,7 @@ 
static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx, + NT_STATUS_NOT_OK_RETURN(result); + + if (count != 1 || sids.count != 1) { +- return NT_STATUS_NONE_MAPPED; ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + sid_copy(sid, sids.sids[0].sid); +diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c +index df3914c..e699ad3 100644 +--- a/source3/lib/netapi/user.c ++++ b/source3/lib/netapi/user.c +@@ -604,6 +604,14 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, talloc_tos(), + &domain_handle, +@@ -1803,6 +1811,14 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli, + domain_sid, +@@ -1968,6 +1984,14 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, talloc_tos(), + &domain_handle, +@@ -3027,6 +3051,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, talloc_tos(), + &domain_handle, +@@ -3202,6 +3234,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ 
if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, talloc_tos(), + &domain_handle, +@@ -3262,6 +3302,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (group_rids.count != r->in.num_entries) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != r->in.num_entries) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + member_rids = group_rids.ids; + +@@ -3539,6 +3587,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (user_rids.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, talloc_tos(), + &domain_handle, +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index dfe7283..29d1944 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -1023,6 +1023,14 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, + status = result; + goto done; + } ++ if (user_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0,("%s is not a user account (type=%d)\n", +@@ -1416,6 +1424,14 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx, + status = result; + goto done; + } ++ if (user_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, +diff --git 
a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c +index 7cadd6e..974538b 100644 +--- a/source3/rpc_client/cli_lsarpc.c ++++ b/source3/rpc_client/cli_lsarpc.c +@@ -662,9 +662,19 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + struct dom_sid *sid = &(*sids)[i]; + + if (use_lookupnames4) { ++ if (i >= sid_array3.count) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ + dom_idx = sid_array3.sids[i].sid_index; + (*types)[i] = sid_array3.sids[i].sid_type; + } else { ++ if (i >= sid_array.count) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ + dom_idx = sid_array.sids[i].sid_index; + (*types)[i] = sid_array.sids[i].sid_type; + } +@@ -677,6 +687,14 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h, + (*types)[i] = SID_NAME_UNKNOWN; + continue; + } ++ if (domains == NULL) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (dom_idx >= domains->count) { ++ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + if (use_lookupnames4) { + sid_copy(sid, sid_array3.sids[i].sid); +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 6a6c125..e5ca474 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -580,7 +580,7 @@ static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx, + status = NT_STATUS_NO_SUCH_USER; + goto out; + } +- if (rids.count != types.count) { ++ if (types.count != 1) { + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } +diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c +index a7ee4e4..5c28b1c 100644 +--- a/source3/rpcclient/cmd_lsarpc.c ++++ b/source3/rpcclient/cmd_lsarpc.c +@@ -323,7 +323,7 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli, + + uint32_t num_names; + struct lsa_String *names; +- struct lsa_RefDomainList 
*domains; ++ struct lsa_RefDomainList *domains = NULL; + struct lsa_TransSidArray3 sids; + uint32_t count = 0; + int i; +@@ -361,6 +361,10 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli, + return result; + } + ++ if (sids.count != num_names) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ + for (i = 0; i < sids.count; i++) { + fstring sid_str; + sid_to_fstring(sid_str, sids.sids[i].sid); +diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c +index 022230b..5bc8c0b 100644 +--- a/source3/rpcclient/cmd_samr.c ++++ b/source3/rpcclient/cmd_samr.c +@@ -385,7 +385,17 @@ static NTSTATUS cmd_samr_query_user(struct rpc_pipe_client *cli, + if (!NT_STATUS_IS_OK(status)) { + goto done; + } ++ + if (NT_STATUS_IS_OK(result)) { ++ if (rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ + status = dcerpc_samr_OpenUser(b, mem_ctx, + &domain_pol, + access_mask, +@@ -1453,6 +1463,15 @@ static NTSTATUS cmd_samr_delete_alias(struct rpc_pipe_client *cli, + goto done; + } + if (NT_STATUS_IS_OK(result)) { ++ if (rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ + status = dcerpc_samr_OpenAlias(b, mem_ctx, + &domain_pol, + access_mask, +@@ -2115,6 +2134,14 @@ static NTSTATUS cmd_samr_lookup_names(struct rpc_pipe_client *cli, + status = result; + goto done; + } ++ if (rids.count != num_names) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != num_names) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + /* Display results */ + +@@ -2272,6 +2299,14 @@ static NTSTATUS cmd_samr_delete_dom_group(struct rpc_pipe_client *cli, + status = result; + goto done; + } ++ if (group_rids.count != 1) { ++ status = 
NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenGroup(b, mem_ctx, + &domain_pol, +@@ -2375,6 +2410,14 @@ static NTSTATUS cmd_samr_delete_dom_user(struct rpc_pipe_client *cli, + status = result; + goto done; + } ++ if (user_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, mem_ctx, + &domain_pol, +@@ -2763,6 +2806,14 @@ static NTSTATUS cmd_samr_chgpasswd(struct rpc_pipe_client *cli, + status = result; + goto done; + } ++ if (rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, mem_ctx, + &domain_pol, +@@ -3166,7 +3217,12 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli, + if (!NT_STATUS_IS_OK(result)) { + return result; + } +- ++ if (rids.count != 1) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (types.count != 1) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } + + status = dcerpc_samr_OpenUser(b, mem_ctx, + &domain_pol, +diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c +index b5598a4..e6b9530 100644 +--- a/source3/smbd/lanman.c ++++ b/source3/smbd/lanman.c +@@ -2629,6 +2629,14 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn, + nt_errstr(result))); + goto close_domain; + } ++ if (rid.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto close_domain; ++ } ++ if (type.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto close_domain; ++ } + + if (type.ids[0] != SID_NAME_USER) { + DEBUG(10, ("%s is a %s, not a user\n", UserName, +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index 
870ad22..e0c8eea 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -1667,6 +1667,14 @@ static NTSTATUS rpc_group_delete_internals(struct net_context *c, + d_fprintf(stderr, _("Lookup of '%s' failed\n"),argv[0]); + goto done; + } ++ if (group_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + switch (name_types.ids[0]) + { +@@ -2074,6 +2082,14 @@ static NTSTATUS rpc_add_groupmem(struct rpc_pipe_client *pipe_hnd, + member); + goto done; + } ++ if (rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (rid_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenGroup(b, mem_ctx, + &domain_pol, +@@ -2329,6 +2345,14 @@ static NTSTATUS rpc_del_groupmem(struct net_context *c, + member); + goto done; + } ++ if (rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (rid_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenGroup(b, mem_ctx, + &domain_pol, +@@ -3112,9 +3136,15 @@ static NTSTATUS rpc_group_members_internals(struct net_context *c, + if (rids.count != 1) { + d_fprintf(stderr, _("Couldn't find group %s\n"), + argv[0]); +- return result; ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (rid_types.count != 1) { ++ d_fprintf(stderr, _("Couldn't find group %s\n"), ++ argv[0]); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + ++ + if (rid_types.ids[0] == SID_NAME_DOM_GRP) { + return rpc_list_group_members(c, pipe_hnd, mem_ctx, domain_name, + domain_sid, &domain_pol, +@@ -6064,6 +6094,14 @@ static NTSTATUS rpc_trustdom_del_internals(struct net_context *c, + acct_name, nt_errstr(result) ); + goto done; + } ++ if (user_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ 
if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + status = dcerpc_samr_OpenUser(b, mem_ctx, + &domain_pol, +diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c +index 7167cf9..56799cd 100644 +--- a/source3/utils/net_rpc_join.c ++++ b/source3/utils/net_rpc_join.c +@@ -380,6 +380,15 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv) + ("error looking up rid for user %s: %s/%s\n", + acct_name, nt_errstr(status), nt_errstr(result))); + ++ if (user_rids.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (name_types.count != 1) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ + if (name_types.ids[0] != SID_NAME_USER) { + DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0])); + goto done; +diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c +index 7345ea7..6b88c84 100644 +--- a/source3/winbindd/winbindd_rpc.c ++++ b/source3/winbindd/winbindd_rpc.c +@@ -1063,7 +1063,7 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, + struct lsa_TransNameArray **pnames) + { + struct lsa_TransNameArray2 lsa_names2; +- struct lsa_TransNameArray *names; ++ struct lsa_TransNameArray *names = *pnames; + uint32_t i, count; + NTSTATUS status, result; + +@@ -1088,10 +1088,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + +- names = talloc_zero(mem_ctx, struct lsa_TransNameArray); +- if (names == NULL) { +- return NT_STATUS_NO_MEMORY; +- } + names->count = lsa_names2.count; + names->names = talloc_array(names, struct lsa_TranslatedName, + names->count); +@@ -1114,7 +1110,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx, + return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + } +- *pnames = names; + return result; + } + +@@ -1124,7 +1119,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, + struct 
lsa_RefDomainList **pdomains, + struct lsa_TransNameArray **pnames) + { +- struct lsa_TransNameArray *names; ++ struct lsa_TransNameArray *names = *pnames; + struct rpc_pipe_client *cli = NULL; + struct policy_handle lsa_policy; + uint32_t count; +@@ -1141,10 +1136,6 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, + pdomains, pnames); + } + +- names = talloc_zero(mem_ctx, struct lsa_TransNameArray); +- if (names == NULL) { +- return NT_STATUS_NO_MEMORY; +- } + status = dcerpc_lsa_LookupSids(cli->binding_handle, mem_ctx, + &lsa_policy, sids, pdomains, + names, LSA_LOOKUP_NAMES_ALL, +@@ -1172,6 +1163,5 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx, + } + } + +- *pnames = names; + return result; + } +diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c +index cc0dae5..0437352 100644 +--- a/source4/libcli/util/clilsa.c ++++ b/source4/libcli/util/clilsa.c +@@ -335,7 +335,11 @@ NTSTATUS smblsa_lookup_name(struct smbcli_state *cli, + } + if (sids.count != 1) { + talloc_free(mem_ctx2); +- return NT_STATUS_UNSUCCESSFUL; ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (domains->count != 1) { ++ talloc_free(mem_ctx2); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + sid = domains->domains[0].sid; +diff --git a/source4/libnet/groupinfo.c b/source4/libnet/groupinfo.c +index 9060973..5c8b0f7 100644 +--- a/source4/libnet/groupinfo.c ++++ b/source4/libnet/groupinfo.c +@@ -88,11 +88,14 @@ static void continue_groupinfo_lookup(struct tevent_req *subreq) + s->monitor_fn(&msg); + } + +- + /* have we actually got name resolved + - we're looking for only one at the moment */ +- if (s->lookup.out.rids->count == 0) { +- composite_error(c, NT_STATUS_NO_SUCH_USER); ++ if (s->lookup.out.rids->count != s->lookup.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } ++ if (s->lookup.out.types->count != s->lookup.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +diff --git 
a/source4/libnet/groupman.c b/source4/libnet/groupman.c +index 9771ea5..59a3f35 100644 +--- a/source4/libnet/groupman.c ++++ b/source4/libnet/groupman.c +@@ -219,13 +219,13 @@ static void continue_groupdel_name_found(struct tevent_req *subreq) + + /* what to do when there's no group account to delete + and what if there's more than one rid resolved */ +- if (!s->lookupname.out.rids->count) { +- c->status = NT_STATUS_NO_SUCH_GROUP; ++ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) { ++ c->status = NT_STATUS_INVALID_NETWORK_RESPONSE; + composite_error(c, c->status); + return; +- +- } else if (!s->lookupname.out.rids->count > 1) { +- c->status = NT_STATUS_INVALID_ACCOUNT_NAME; ++ } ++ if (s->lookupname.out.types->count != s->lookupname.in.num_names) { ++ c->status = NT_STATUS_INVALID_NETWORK_RESPONSE; + composite_error(c, c->status); + return; + } +diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c +index 0977403..8c1b57d 100644 +--- a/source4/libnet/libnet_join.c ++++ b/source4/libnet/libnet_join.c +@@ -656,9 +656,17 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru + "samr_LookupNames for [%s] returns %d RIDs", + r->in.account_name, ln.out.rids->count); + talloc_free(tmp_ctx); +- return NT_STATUS_INVALID_PARAMETER; ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } +- ++ ++ if (ln.out.types->count != 1) { ++ r->out.error_string = talloc_asprintf(mem_ctx, ++ "samr_LookupNames for [%s] returns %d RID TYPEs", ++ r->in.account_name, ln.out.types->count); ++ talloc_free(tmp_ctx); ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ + /* prepare samr_OpenUser */ + ZERO_STRUCTP(u_handle); + ou.in.domain_handle = &d_handle; +diff --git a/source4/libnet/libnet_lookup.c b/source4/libnet/libnet_lookup.c +index cf2d70c..77072b7 100644 +--- a/source4/libnet/libnet_lookup.c ++++ b/source4/libnet/libnet_lookup.c +@@ -365,6 +365,11 @@ static void continue_name_found(struct tevent_req *subreq) + c->status = 
s->lookup.out.result; + if (!composite_is_ok(c)) return; + ++ if (s->lookup.out.sids->count != s->lookup.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } ++ + composite_done(c); + } + +diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c +index 861d746..77176bc 100644 +--- a/source4/libnet/libnet_passwd.c ++++ b/source4/libnet/libnet_passwd.c +@@ -627,10 +627,18 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX * + r->samr.out.error_string = talloc_asprintf(mem_ctx, + "samr_LookupNames for [%s] returns %d RIDs", + r->samr.in.account_name, ln.out.rids->count); +- status = NT_STATUS_INVALID_PARAMETER; ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; + goto disconnect; + } + ++ if (ln.out.types->count != 1) { ++ r->samr.out.error_string = talloc_asprintf(mem_ctx, ++ "samr_LookupNames for [%s] returns %d RID TYPEs", ++ r->samr.in.account_name, ln.out.types->count); ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto disconnect; ++ } ++ + /* prepare samr_OpenUser */ + ZERO_STRUCT(u_handle); + ou.in.domain_handle = &d_handle; +diff --git a/source4/libnet/userinfo.c b/source4/libnet/userinfo.c +index 75c46e4..9530f9e 100644 +--- a/source4/libnet/userinfo.c ++++ b/source4/libnet/userinfo.c +@@ -90,8 +90,12 @@ static void continue_userinfo_lookup(struct tevent_req *subreq) + + /* have we actually got name resolved + - we're looking for only one at the moment */ +- if (s->lookup.out.rids->count == 0) { +- composite_error(c, NT_STATUS_NO_SUCH_USER); ++ if (s->lookup.out.rids->count != s->lookup.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } ++ if (s->lookup.out.types->count != s->lookup.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +diff --git a/source4/libnet/userman.c b/source4/libnet/userman.c +index c1ee017..a7301ea 100644 +--- a/source4/libnet/userman.c ++++ b/source4/libnet/userman.c 
+@@ -237,14 +237,12 @@ static void continue_userdel_name_found(struct tevent_req *subreq) + + /* what to do when there's no user account to delete + and what if there's more than one rid resolved */ +- if (!s->lookupname.out.rids->count) { +- c->status = NT_STATUS_NO_SUCH_USER; +- composite_error(c, c->status); ++ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; +- +- } else if (!s->lookupname.out.rids->count > 1) { +- c->status = NT_STATUS_INVALID_ACCOUNT_NAME; +- composite_error(c, c->status); ++ } ++ if (s->lookupname.out.types->count != s->lookupname.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +@@ -513,14 +511,12 @@ static void continue_usermod_name_found(struct tevent_req *subreq) + + /* what to do when there's no user account to delete + and what if there's more than one rid resolved */ +- if (!s->lookupname.out.rids->count) { +- c->status = NT_STATUS_NO_SUCH_USER; +- composite_error(c, c->status); ++ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; +- +- } else if (!s->lookupname.out.rids->count > 1) { +- c->status = NT_STATUS_INVALID_ACCOUNT_NAME; +- composite_error(c, c->status); ++ } ++ if (s->lookupname.out.types->count != s->lookupname.in.num_names) { ++ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c +index e3de2eb..2a05f12 100644 +--- a/source4/winbind/wb_async_helpers.c ++++ b/source4/winbind/wb_async_helpers.c +@@ -285,6 +285,12 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq) + return; + } + ++ if (state->sids.count != state->num_names) { ++ composite_error(state->ctx, ++ NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } ++ + state->result = talloc_array(state, struct wb_sid_object *, + 
state->num_names); + if (composite_nomem(state->result, state->ctx)) return; +@@ -303,9 +309,14 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq) + continue; + } + ++ if (domains == NULL) { ++ composite_error(state->ctx, ++ NT_STATUS_INVALID_NETWORK_RESPONSE); ++ return; ++ } + if (sid->sid_index >= domains->count) { + composite_error(state->ctx, +- NT_STATUS_INVALID_PARAMETER); ++ NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + +-- +1.7.9.5 + + +From 4e96ec86265ec504555f8542b735782589f73b17 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 7 Nov 2013 22:41:22 -0800 +Subject: [PATCH 16/16] CVE-2013-4408:s3:Ensure LookupRids() replies arrays + are range checked. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185 + +Signed-off-by: Jeremy Allison +Signed-off-by: Stefan Metzmacher +--- + source3/lib/netapi/group.c | 16 ++++++++++++++++ + source3/lib/netapi/user.c | 16 ++++++++++++++++ + source3/rpcclient/cmd_samr.c | 8 ++++++++ + source3/utils/net_rpc.c | 7 ++++++- + source3/winbindd/winbindd_msrpc.c | 10 ++++++++-- + source3/winbindd/winbindd_rpc.c | 10 ++++++++-- + 6 files changed, 62 insertions(+), 5 deletions(-) + +diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c +index 69c7af4..b806fc4 100644 +--- a/source3/lib/netapi/group.c ++++ b/source3/lib/netapi/group.c +@@ -395,6 +395,14 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (names.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (member_types.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + } + + for (i=0; i < rid_array->count; i++) { +@@ -1624,6 +1632,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (names.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (member_types.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ 
goto done; ++ } + + for (i=0; i < names.count; i++) { + +diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c +index e699ad3..a971e2d 100644 +--- a/source3/lib/netapi/user.c ++++ b/source3/lib/netapi/user.c +@@ -3114,6 +3114,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (names.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != rid_array->count) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + for (i=0; i < names.count; i++) { + status = add_GROUP_USERS_INFO_X_buffer(ctx, +@@ -3716,6 +3724,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx, + werr = ntstatus_to_werror(result); + goto done; + } ++ if (names.count != num_rids) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } ++ if (types.count != num_rids) { ++ werr = WERR_BAD_NET_RESP; ++ goto done; ++ } + + for (i=0; i < names.count; i++) { + status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx, +diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c +index 5bc8c0b..87882c3 100644 +--- a/source3/rpcclient/cmd_samr.c ++++ b/source3/rpcclient/cmd_samr.c +@@ -2223,6 +2223,14 @@ static NTSTATUS cmd_samr_lookup_rids(struct rpc_pipe_client *cli, + goto done; + + /* Display results */ ++ if (num_rids != names.count) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } ++ if (num_rids != types.count) { ++ status = NT_STATUS_INVALID_NETWORK_RESPONSE; ++ goto done; ++ } + + for (i = 0; i < num_rids; i++) { + printf("rid 0x%x: %s (%d)\n", +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index e0c8eea..92964b5 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -2900,7 +2900,12 @@ static NTSTATUS rpc_list_group_members(struct net_context *c, + if (!NT_STATUS_IS_OK(result)) { + return result; + } +- ++ if (names.count != this_time) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (types.count != 
this_time) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } + /* We only have users as members, but make the output + the same as the output of alias members */ + +diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c +index e86838c..0dc69c7 100644 +--- a/source3/winbindd/winbindd_msrpc.c ++++ b/source3/winbindd/winbindd_msrpc.c +@@ -744,14 +744,20 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain, + /* Copy result into array. The talloc system will take + care of freeing the temporary arrays later on. */ + +- if (tmp_names.count != tmp_types.count) { +- return NT_STATUS_UNSUCCESSFUL; ++ if (tmp_names.count != num_lookup_rids) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (tmp_types.count != num_lookup_rids) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + for (r=0; r= *num_names) { ++ break; ++ } + (*names)[total_names] = fill_domain_username_talloc( + mem_ctx, domain->name, + tmp_names.names[r].string, true); +diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c +index 6b88c84..0986d82 100644 +--- a/source3/winbindd/winbindd_rpc.c ++++ b/source3/winbindd/winbindd_rpc.c +@@ -871,14 +871,20 @@ NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx, + + /* Copy result into array. The talloc system will take + care of freeing the temporary arrays later on. */ +- if (tmp_names.count != tmp_types.count) { +- return NT_STATUS_UNSUCCESSFUL; ++ if (tmp_names.count != num_names) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (tmp_types.count != num_names) { ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; + } + + for (r = 0; r < tmp_names.count; r++) { + if (tmp_types.ids[r] == SID_NAME_UNKNOWN) { + continue; + } ++ if (total_names >= num_names) { ++ break; ++ } + names[total_names] = fill_domain_username_talloc(names, + domain_name, + tmp_names.names[r].string, +-- +1.7.9.5 + 
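Review bot: The comments kept above the new checks in source4/libnet/userman.c (continue_userdel_name_found, continue_usermod_name_found) and source4/libnet/userinfo.c (continue_userinfo_lookup) still describe the old tests ("what to do when there's no user account to delete and what if there's more than one rid resolved", "we're looking for only one at the moment"), while the code now rejects any reply whose rids or types count differs from in.num_names. Please reword them to say that, and record in the commit message that an empty result on these paths now surfaces as NT_STATUS_INVALID_NETWORK_RESPONSE instead of NT_STATUS_NO_SUCH_USER, since callers matching on the old status will no longer see it. The removed test "!s->lookupname.out.rids->count > 1" could never be true, so the more-than-one case was not handled before this change; that deserves a line in the message too.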
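Review bot: In the source4/libnet/libnet_passwd.c hunk (libnet_SetPassword_samr), the added error string prints ln.out.types->count with %d, copying the existing rids message. The value comes straight from the server reply and is only ever used as a count, so if the field is unsigned a large value is reported as a negative number in the very message meant to diagnose a bad reply. Suggest %u with an (unsigned int) cast in both talloc_asprintf calls.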
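Review bot: In source3/winbindd/winbindd_msrpc.c (msrpc_lookup_groupmem) and source3/winbindd/winbindd_rpc.c (rpc_lookup_groupmem), the new bound on total_names leaves the copy loop with break, so hitting it truncates the member list and the function carries on as if the lookup had succeeded. The count checks added a few lines above return NT_STATUS_INVALID_NETWORK_RESPONSE for an inconsistent reply; returning the same status here would avoid handing callers a silently shortened list. The two functions also validate against different expected counts (num_lookup_rids in one, num_names in the other); a one-line comment in each saying why that is the right value would make the checks easier to audit.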
diff --git a/SOURCES/samba-4.1.3-fix_build_warnings.patch b/SOURCES/samba-4.1.3-fix_build_warnings.patch new file mode 100644 index 0000000..8626a93 --- /dev/null +++ b/SOURCES/samba-4.1.3-fix_build_warnings.patch 
@@ -0,0 +1,331 @@ +From 09692988bc382c3fd01e51e88818b29d5265cc57 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:12 +0100 +Subject: [PATCH 02/10] s3-libsmb: Use the right macro to set uint16_t attr. + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit f8ab594d0253920cefc441587a55fddb688be550) +--- + source3/libsmb/cli_smb2_fnum.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c +index 202000f..c3feef6 100644 +--- a/source3/libsmb/cli_smb2_fnum.c ++++ b/source3/libsmb/cli_smb2_fnum.c +@@ -1290,7 +1290,7 @@ NTSTATUS cli_smb2_setatr(struct cli_state *cli, + inbuf.length = sizeof(inbuf_store); + data_blob_clear(&inbuf); + +- SIVAL(inbuf.data,32,attr); ++ SSVAL(inbuf.data, 32, attr); + if (mtime != 0) { + put_long_date((char *)inbuf.data + 16,mtime); + } +-- +1.8.4.3 + + +From a4732fa9ab8414e79a73bcac7d69147da75ae8c5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:13 +0100 +Subject: [PATCH 03/10] testsuit: Fix fprintf format. + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 69b3a0cb3f2736e98c20dabb43c201af0c004f67) +--- + testsuite/nsswitch/getgrent_r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testsuite/nsswitch/getgrent_r.c b/testsuite/nsswitch/getgrent_r.c +index 4f1f0ce..883c897 100644 +--- a/testsuite/nsswitch/getgrent_r.c ++++ b/testsuite/nsswitch/getgrent_r.c +@@ -32,7 +32,7 @@ void dump_grent(char *id) + setgrent(); + + while((gr = getgrent()) != NULL) { +- fprintf(fptr,"%s:%s:%d:%d\n", gr->gr_name, gr->gr_passwd, ++ fprintf(fptr,"%s:%s:%d\n", gr->gr_name, gr->gr_passwd, + gr->gr_gid); + } + +-- +1.8.4.3 + + +From 1ff739972f7d8feb864a4d3cf595e49d37636082 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:14 +0100 +Subject: [PATCH 04/10] s3-utils: Fix scanf format in smbacls. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 4c98b9ce8f8de5883796aa38f1193e04a0ee4e58) +--- + source3/utils/smbcacls.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c +index 3ee7034..bb02aa0 100644 +--- a/source3/utils/smbcacls.c ++++ b/source3/utils/smbcacls.c +@@ -490,7 +490,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace, + p++; + /* Try to parse numeric form */ + +- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 && ++ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 && + StringToSid(cli, &sid, str)) { + goto done; + } +@@ -553,7 +553,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace, + return False; + } + } else { +- if (!sscanf(tok, "%i", &aflags)) { ++ if (!sscanf(tok, "%u", &aflags)) { + printf("ACE '%s': bad integer flags entry at '%s'\n", + orig_str, tok); + SAFE_FREE(str); +@@ -571,7 +571,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace, + } + + if (strncmp(tok, "0x", 2) == 0) { +- if (sscanf(tok, "%i", &amask) != 1) { ++ if (sscanf(tok, "%u", &amask) != 1) { + printf("ACE '%s': bad hex number at '%s'\n", + orig_str, tok); + SAFE_FREE(str); +-- +1.8.4.3 + + +From b22ff03654cf781a982580a41bcec99b2c25a5f2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:15 +0100 +Subject: [PATCH 05/10] s3-utils: Fix scanf format in sharesec. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 278899f5a763af7e7603f05f07048b7d8d4e9972) +--- + source3/utils/sharesec.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c +index 38c11e0..2b1e435 100644 +--- a/source3/utils/sharesec.c ++++ b/source3/utils/sharesec.c +@@ -186,7 +186,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str) + p++; + /* Try to parse numeric form */ + +- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 && ++ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 && + string_to_sid(&sid, str)) { + goto done; + } +@@ -226,7 +226,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str) + /* no flags on share permissions */ + + if (!(next_token_talloc(frame, &cp, &tok, "/") && +- sscanf(tok, "%i", &aflags) && aflags == 0)) { ++ sscanf(tok, "%u", &aflags) && aflags == 0)) { + fprintf(stderr, "ACE '%s': bad integer flags entry at '%s'\n", + orig_str, tok); + SAFE_FREE(str); +@@ -243,7 +243,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str) + } + + if (strncmp(tok, "0x", 2) == 0) { +- if (sscanf(tok, "%i", &amask) != 1) { ++ if (sscanf(tok, "%u", &amask) != 1) { + fprintf(stderr, "ACE '%s': bad hex number at '%s'\n", + orig_str, tok); + TALLOC_FREE(frame); +-- +1.8.4.3 + + +From 3f8b5b50e6ed56241ee92f9d26f0c4b6d0166db2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:16 +0100 +Subject: [PATCH 06/10] s3-libsmb: Fix scanf format in parse_ace(). 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 1214e3345c655a4c7dc98c69c4e018e47558f639) +--- + source3/libsmb/libsmb_xattr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c +index 22ffa8f..7d34290 100644 +--- a/source3/libsmb/libsmb_xattr.c ++++ b/source3/libsmb/libsmb_xattr.c +@@ -303,7 +303,7 @@ parse_ace(struct cli_state *ipc_cli, + p++; + /* Try to parse numeric form */ + +- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 && ++ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 && + convert_string_to_sid(ipc_cli, pol, numeric, &sid, str)) { + goto done; + } +@@ -333,7 +333,7 @@ parse_ace(struct cli_state *ipc_cli, + /* Only numeric form accepted for flags at present */ + + if (!(next_token_talloc(frame, &cp, &tok, "/") && +- sscanf(tok, "%i", &aflags))) { ++ sscanf(tok, "%u", &aflags))) { + TALLOC_FREE(frame); + return false; + } +@@ -344,7 +344,7 @@ parse_ace(struct cli_state *ipc_cli, + } + + if (strncmp(tok, "0x", 2) == 0) { +- if (sscanf(tok, "%i", &amask) != 1) { ++ if (sscanf(tok, "%u", &amask) != 1) { + TALLOC_FREE(frame); + return false; + } +-- +1.8.4.3 + + +From 502d63223e4fd77152ea095c7d94774d093c9c4a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:17 +0100 +Subject: [PATCH 07/10] examples: Fix scanf format in perf_writer_disk. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit f71b5e44e7a705096e4fdd7aa3d0e22df994e363) +--- + examples/perfcounter/perf_writer_disk.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/examples/perfcounter/perf_writer_disk.c b/examples/perfcounter/perf_writer_disk.c +index 15188d2..18a63a4 100644 +--- a/examples/perfcounter/perf_writer_disk.c ++++ b/examples/perfcounter/perf_writer_disk.c +@@ -132,7 +132,7 @@ void get_diskinfo(PERF_DATA_BLOCK *data) + int status, num; + char buf[LARGE_BUF], *start; + FILE *diskstats; +- long reads, writes, discard; ++ unsigned long reads, writes, discard; + + diskstats = fopen("/proc/diskstats", "r"); + rewind(diskstats); +@@ -147,10 +147,10 @@ void get_diskinfo(PERF_DATA_BLOCK *data) + p->freeMegs = (statfsbuf.f_bfree*statfsbuf.f_bsize)/1048576; + start = strstr(buf, data->diskInfo.mdata[i].name); + start += strlen(data->diskInfo.mdata[i].name) + 1; +- num = sscanf(start, "%u %u %u %u", ++ num = sscanf(start, "%lu %lu %lu %lu", + &reads, +- &discard, +- &writes, ++ &discard, ++ &writes, + &discard); + p->writesPerSec = writes; + p->readsPerSec = reads; +-- +1.8.4.3 + + +From f636ca86e3cb4b61960c3db927760b6de3776365 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:18 +0100 +Subject: [PATCH 08/10] s3-vfs: Remove unused variable in vfs_glusterfs. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 9e7e83e9d07e967ac966b1cc17f21cb75c81a774) +--- + source3/modules/vfs_glusterfs.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c +index e5c691e..d792fb3 100644 +--- a/source3/modules/vfs_glusterfs.c ++++ b/source3/modules/vfs_glusterfs.c +@@ -1397,7 +1397,6 @@ static int vfs_gluster_sys_acl_set_fd(struct vfs_handle_struct *handle, + SMB_ACL_T theacl) + { + int ret; +- char *key; + char *buf; + ssize_t size; + +-- +1.8.4.3 + + +From ea3bc968082c8fbb18d9416143c9fe8a56d691fa Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:19 +0100 +Subject: [PATCH 09/10] s3-vfs: Make glfs_set_preopened() static. + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 4deb00a60f484824217a9683ec9cc2838deae8e0) +--- + source3/modules/vfs_glusterfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c +index d792fb3..ca7d790 100644 +--- a/source3/modules/vfs_glusterfs.c ++++ b/source3/modules/vfs_glusterfs.c +@@ -145,7 +145,7 @@ static struct glfs_preopened { + } *glfs_preopened; + + +-int glfs_set_preopened(const char *volume, glfs_t *fs) ++static int glfs_set_preopened(const char *volume, glfs_t *fs) + { + struct glfs_preopened *entry = NULL; + +-- +1.8.4.3 + + +From 22264b8b9578f85e457e99c5b18739ea92854189 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 15 Nov 2013 17:02:20 +0100 +Subject: [PATCH 10/10] s3-libnet: Use a const char for realm. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Fri Nov 15 23:11:54 CET 2013 on sn-devel-104 + +(cherry picked from commit d02d70251f98ea2e7db4aea36f372cb0f65c04c5) +--- + source3/libnet/libnet_join.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 96f7a98..7edccd1 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -449,7 +449,7 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx, + } + + if (!r->in.upn) { +- char *realm = r->out.dns_domain_name; ++ const char *realm = r->out.dns_domain_name; + + /* in case we are about to generate a keytab during the join + * make sure the default upn we create is usable with kinit -k. +-- +1.8.4.3 + diff --git a/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch b/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch new file mode 100644 index 0000000..2f8cfcd --- /dev/null +++ b/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch 
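Review bot: Switching sscanf from %i to %u in the parse_ace hunks of source3/utils/smbcacls.c, source3/utils/sharesec.c and source3/libsmb/libsmb_xattr.c changes what input is accepted, not only the warning. %i takes decimal, octal and 0x-prefixed hex; %u takes decimal only. In the branch guarded by strncmp(tok, "0x", 2) == 0 the call sscanf(tok, "%u", &amask) now converts the leading "0", stops at the "x" and still returns 1, so every hex mask is accepted and stored as 0. The "%u/%u/%u" numeric form stops early in the same way on a hex field. Suggest %x for the 0x branch and, for the other fields, either keeping %i with int temporaries or parsing with strtoul(tok, &end, 0) and checking end, then adding a test that round-trips a hex mask.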
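Review bot: In the examples/perfcounter/perf_writer_disk.c hunk (get_diskinfo), the result of the corrected sscanf is stored in num and then ignored: the next lines copy writes and reads into p->writesPerSec and p->readsPerSec whether or not four fields were converted, so a short or unexpected /proc/diskstats line leaves them uninitialised. Suggest checking num == 4 before using the values. The context lines show two related gaps worth fixing in the same pass: the fopen result goes to rewind without a NULL check, and the strstr result is advanced by strlen(...) + 1 without testing for NULL.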
@@ -0,0 +1,370 @@ +From 9346945c4b57ffc937f7800202e5c42504750d3d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 18 Nov 2013 14:58:04 +0100 +Subject: [PATCH 1/2] s3-lib: Add grpname to talloc_sub_specified(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 6366ebb79bb72d9dcb12f8fe8d6e35611fcff150) +--- + source3/include/proto.h | 1 + + source3/lib/substitute.c | 31 +++++++++++++++++++++++++------ + source3/passdb/passdb.c | 8 ++++---- + source3/passdb/pdb_ldap.c | 24 +++++++++++++++++++++--- + source3/torture/torture.c | 2 +- + source3/utils/net_sam.c | 2 ++ + source3/winbindd/wb_fill_pwent.c | 4 ++-- + 7 files changed, 56 insertions(+), 16 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index ddf3fab..a42faf8 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -222,6 +222,7 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, const char *smb_name, + char *talloc_sub_specified(TALLOC_CTX *mem_ctx, + const char *input_string, + const char *username, ++ const char *grpname, + const char *domain, + uid_t uid, + gid_t gid); +diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c +index a254bca..ca2ac79 100644 +--- a/source3/lib/substitute.c ++++ b/source3/lib/substitute.c +@@ -613,6 +613,7 @@ done: + char *talloc_sub_specified(TALLOC_CTX *mem_ctx, + const char *input_string, + const char *username, ++ const char *grpname, + const char *domain, + uid_t uid, + gid_t gid) +@@ -648,9 +649,18 @@ char *talloc_sub_specified(TALLOC_CTX *mem_ctx, + break; + case 'G' : + if (gid != -1) { +- a_string = talloc_string_sub( +- tmp_ctx, a_string, "%G", +- gidtoname(gid)); ++ const char *name; ++ ++ if (grpname != NULL) { ++ name = grpname; ++ } else { ++ name = gidtoname(gid); ++ } ++ ++ a_string = talloc_string_sub(tmp_ctx, ++ a_string, ++ "%G", ++ name); + } else { + a_string = talloc_string_sub( + tmp_ctx, 
a_string, +@@ -659,9 +669,18 @@ char *talloc_sub_specified(TALLOC_CTX *mem_ctx, + break; + case 'g' : + if (gid != -1) { +- a_string = talloc_string_sub( +- tmp_ctx, a_string, "%g", +- gidtoname(gid)); ++ const char *name; ++ ++ if (grpname != NULL) { ++ name = grpname; ++ } else { ++ name = gidtoname(gid); ++ } ++ ++ a_string = talloc_string_sub(tmp_ctx, ++ a_string, ++ "%g", ++ name); + } else { + a_string = talloc_string_sub( + tmp_ctx, a_string, "%g", "NO_GROUP"); +diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c +index 379d858..5a4620f 100644 +--- a/source3/passdb/passdb.c ++++ b/source3/passdb/passdb.c +@@ -228,16 +228,16 @@ static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods, + /* set some basic attributes */ + + pdb_set_profile_path(user, talloc_sub_specified(user, +- lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), ++ lp_logon_path(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), + PDB_DEFAULT); + pdb_set_homedir(user, talloc_sub_specified(user, +- lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), ++ lp_logon_home(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), + PDB_DEFAULT); + pdb_set_dir_drive(user, talloc_sub_specified(user, +- lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), ++ lp_logon_drive(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), + PDB_DEFAULT); + pdb_set_logon_script(user, talloc_sub_specified(user, +- lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid), ++ lp_logon_script(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid), + PDB_DEFAULT); + } + +diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c +index d7db4d8..bb0d3b3 100644 +--- a/source3/passdb/pdb_ldap.c ++++ b/source3/passdb/pdb_ldap.c +@@ -5316,11 +5316,29 @@ static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods, + + if (is_machine) { + /* TODO: choose a more appropriate default for machines */ +- homedir = 
talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid); ++ homedir = talloc_sub_specified(tmp_ctx, ++ lp_template_homedir(), ++ "SMB_workstations_home", ++ NULL, ++ ldap_state->domain_name, ++ uid, ++ gid); + shell = talloc_strdup(tmp_ctx, "/bin/false"); + } else { +- homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid); +- shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid); ++ homedir = talloc_sub_specified(tmp_ctx, ++ lp_template_homedir(), ++ name, ++ NULL, ++ ldap_state->domain_name, ++ uid, ++ gid); ++ shell = talloc_sub_specified(tmp_ctx, ++ lp_template_shell(), ++ name, ++ NULL, ++ ldap_state->domain_name, ++ uid, ++ gid); + } + uidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)uid); + gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid); +diff --git a/source3/torture/torture.c b/source3/torture/torture.c +index ee51a4d..b7badc6 100644 +--- a/source3/torture/torture.c ++++ b/source3/torture/torture.c +@@ -6553,7 +6553,7 @@ static bool subst_test(const char *str, const char *user, const char *domain, + char *subst; + bool result = true; + +- subst = talloc_sub_specified(talloc_tos(), str, user, domain, uid, gid); ++ subst = talloc_sub_specified(talloc_tos(), str, user, NULL, domain, uid, gid); + + if (strcmp(subst, expected) != 0) { + printf("sub_specified(%s, %s, %s, %d, %d) returned [%s], expected " +diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c +index 3a752ce..b7b76e8 100644 +--- a/source3/utils/net_sam.c ++++ b/source3/utils/net_sam.c +@@ -1873,10 +1873,12 @@ doma_done: + gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid); + dir = talloc_sub_specified(tc, lp_template_homedir(), + "Administrator", ++ NULL, + get_global_sam_name(), + uid, domadmins_gid); + shell = talloc_sub_specified(tc, lp_template_shell(), + "Administrator", ++ NULL, + get_global_sam_name(), + 
uid, domadmins_gid); + +diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c +index 688afc6..3b711bd 100644 +--- a/source3/winbindd/wb_fill_pwent.c ++++ b/source3/winbindd/wb_fill_pwent.c +@@ -214,11 +214,11 @@ static bool fillup_pw_field(const char *lp_template, + + if ((in != NULL) && (in[0] != '\0') && (lp_security() == SEC_ADS)) { + templ = talloc_sub_specified(talloc_tos(), in, +- username, domname, ++ username, NULL, domname, + uid, gid); + } else { + templ = talloc_sub_specified(talloc_tos(), lp_template, +- username, domname, ++ username, NULL, domname, + uid, gid); + } + +-- +1.8.4.3 + + +From 5ccae02f63d655d476d887660f28ad4dce08e790 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 18 Nov 2013 14:58:14 +0100 +Subject: [PATCH 2/2] s3-winbind: Pass the group name to fillup_pw_field(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Fri Nov 22 02:04:54 CET 2013 on sn-devel-104 + +(cherry picked from commit 000172a5ab7e4bfac7ef618d0d78ec7fe95d0e2a) +--- + source3/winbindd/wb_fill_pwent.c | 73 +++++++++++++++++++++++----------------- + 1 file changed, 43 insertions(+), 30 deletions(-) + +diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c +index 3b711bd..9d0abbd 100644 +--- a/source3/winbindd/wb_fill_pwent.c ++++ b/source3/winbindd/wb_fill_pwent.c +@@ -29,6 +29,7 @@ struct wb_fill_pwent_state { + + static bool fillup_pw_field(const char *lp_template, + const char *username, ++ const char *grpname, + const char *domname, + uid_t uid, + gid_t gid, +@@ -36,7 +37,7 @@ static bool fillup_pw_field(const char *lp_template, + fstring out); + + static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq); +-static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq); ++static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq); + + struct 
tevent_req *wb_fill_pwent_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +@@ -90,47 +91,45 @@ static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq) + + state->pw->pw_uid = (uid_t)xid.id; + +- subreq = wb_sids2xids_send(state, state->ev, &state->info->group_sid, 1); ++ subreq = wb_getgrsid_send(state, state->ev, &state->info->group_sid, 1); + if (tevent_req_nomem(subreq, req)) { + return; + } +- tevent_req_set_callback(subreq, wb_fill_pwent_sid2gid_done, req); ++ tevent_req_set_callback(subreq, wb_fill_pwent_getgrsid_done, req); + } + +-static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq) ++static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data( + subreq, struct tevent_req); + struct wb_fill_pwent_state *state = tevent_req_data( + req, struct wb_fill_pwent_state); + struct winbindd_domain *domain; +- char *dom_name; ++ const char *dom_name; ++ const char *grp_name; + fstring user_name, output_username; + char *mapped_name = NULL; ++ struct talloc_dict *members; ++ TALLOC_CTX *tmp_ctx = talloc_stackframe(); + NTSTATUS status; +- struct unixid xid; +- +- status = wb_sids2xids_recv(subreq, &xid); ++ bool ok; ++ ++ /* xid handling is done in getgrsid() */ ++ status = wb_getgrsid_recv(subreq, ++ tmp_ctx, ++ &dom_name, ++ &grp_name, ++ &state->pw->pw_gid, ++ &members); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { ++ talloc_free(tmp_ctx); + return; + } + +- /* +- * We are filtering further down in sids2xids, but that filtering +- * depends on the actual type of the sid handed in (as determined +- * by lookupsids). Here we need to filter for the type of object +- * actually requested, in this case gid. 
+- */ +- if (!(xid.type == ID_TYPE_GID || xid.type == ID_TYPE_BOTH)) { +- tevent_req_nterror(req, NT_STATUS_NONE_MAPPED); +- return; +- } +- +- state->pw->pw_gid = (gid_t)xid.id; +- + domain = find_domain_from_sid_noinit(&state->info->user_sid); + if (domain == NULL) { ++ talloc_free(tmp_ctx); + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return; + } +@@ -166,17 +165,30 @@ static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq) + fstrcpy(state->pw->pw_gecos, state->info->full_name); + + /* Home directory and shell */ +- +- if (!fillup_pw_field(lp_template_homedir(), user_name, dom_name, +- state->pw->pw_uid, state->pw->pw_gid, +- state->info->homedir, state->pw->pw_dir)) { ++ ok = fillup_pw_field(lp_template_homedir(), ++ user_name, ++ grp_name, ++ dom_name, ++ state->pw->pw_uid, ++ state->pw->pw_gid, ++ state->info->homedir, ++ state->pw->pw_dir); ++ if (!ok) { ++ talloc_free(tmp_ctx); + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return; + } + +- if (!fillup_pw_field(lp_template_shell(), user_name, dom_name, +- state->pw->pw_uid, state->pw->pw_gid, +- state->info->shell, state->pw->pw_shell)) { ++ ok = fillup_pw_field(lp_template_shell(), ++ user_name, ++ grp_name, ++ dom_name, ++ state->pw->pw_uid, ++ state->pw->pw_gid, ++ state->info->shell, ++ state->pw->pw_shell); ++ talloc_free(tmp_ctx); ++ if (!ok) { + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return; + } +@@ -195,6 +207,7 @@ NTSTATUS wb_fill_pwent_recv(struct tevent_req *req) + + static bool fillup_pw_field(const char *lp_template, + const char *username, ++ const char *grpname, + const char *domname, + uid_t uid, + gid_t gid, +@@ -214,11 +227,11 @@ static bool fillup_pw_field(const char *lp_template, + + if ((in != NULL) && (in[0] != '\0') && (lp_security() == SEC_ADS)) { + templ = talloc_sub_specified(talloc_tos(), in, +- username, NULL, domname, ++ username, grpname, domname, + uid, gid); + } else { + templ = talloc_sub_specified(talloc_tos(), lp_template, +- username, 
NULL, domname, ++ username, grpname, domname, + uid, gid); + } + +-- +1.8.4.3 + diff --git a/SOURCES/samba-4.1.3-winbind_debug.patch b/SOURCES/samba-4.1.3-winbind_debug.patch new file mode 100644 index 0000000..714be1b --- /dev/null +++ b/SOURCES/samba-4.1.3-winbind_debug.patch @@ -0,0 +1,37 @@ +From 967f9bd1f8a147c4b89ada3b6c7e1ce064c511bc Mon Sep 17 00:00:00 2001 +From: Jan Brummer +Date: Mon, 9 Dec 2013 15:22:29 +0100 +Subject: [PATCH] s3-winbindd: Fix DEBUG statement in winbind_msg_offline(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10285 + +Reviewed-by: Günther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Mon Dec 9 17:28:37 CET 2013 on sn-devel-104 +--- + source3/winbindd/winbindd_dual.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c +index 972924c..64af571 100644 +--- a/source3/winbindd/winbindd_dual.c ++++ b/source3/winbindd/winbindd_dual.c +@@ -626,7 +626,7 @@ void winbind_msg_offline(struct messaging_context *msg_ctx, + we only set it online / offline for that domain. */ + + DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n", +- (unsigned int)child->pid, domain->name )); ++ (unsigned int)child->pid, child->domain->name )); + + messaging_send_buf(msg_ctx, pid_to_procid(child->pid), + MSG_WINBIND_OFFLINE, +-- +1.8.3.1 + diff --git a/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch b/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch new file mode 100644 index 0000000..b403ae9 --- /dev/null +++ b/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch 
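Review bot: In the source3/lib/substitute.c hunk (talloc_sub_specified), the 'G' and 'g' cases now carry two identical blocks that pick grpname when it is non-NULL and fall back to gidtoname(gid). Resolving the name once before the switch, or in a small static helper, would keep the two cases from drifting apart. The prototype in source3/include/proto.h also gains grpname with no comment; please document that NULL means "look the name up from gid", since every caller but winbindd passes NULL.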
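Review bot: In the first source3/winbindd/wb_fill_pwent.c hunk of patch 2/2 (wb_fill_pwent_sid2uid_done), the call is renamed from wb_sids2xids_send to wb_getgrsid_send but the trailing argument 1 is carried over unchanged. In the old call it sat beside a single SID; please confirm it means what wb_getgrsid_send expects in that position and say so in a comment. The receive side also asks for members, which nothing in the visible lines uses, so every passwd fill now pays for a group membership result only to obtain grp_name; if a lighter name lookup is available, prefer it, otherwise note the cost in the commit message.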
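Review bot: In wb_fill_pwent_getgrsid_done, tmp_ctx is created by talloc_stackframe() in the declarations and released by hand on each return this patch touches. Any return in the unchanged code between the @@ -90,47 +91,45 @@ and @@ -166,17 +165,30 @@ hunks, and any added later, will leave the frame on the stack. Suggest routing all exits through one label that calls talloc_free(tmp_ctx), or creating the frame immediately before wb_getgrsid_recv and freeing it as soon as dom_name and grp_name have been consumed.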
@@ -0,0 +1,210 @@ +From 770d684ee974efde80186fe579ff85bc4c038b83 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Thu, 21 Nov 2013 21:05:29 +0100 +Subject: [PATCH] smbd: Fix bug 10284 + +If we msg_read_send on a nonempty channel, we create one +tevent_immediate. If we directly receive another message and from +within the msg_read_send's tevent_req callback we immediately do +another msg_read_send, we end up with two tevent_immediate events for +msg_channel_trigger with just one incoming message. Test to follow. + +This patch simplifies msg_channel.c by removing the explicit immediate +events. Instead, it relies on the implicit immediate event available +via tevent_req_defer_callback. For messages received from tdb with +a msg_read_send req pending, we directly finish that request without +putting the message on the queue. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10284 +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 6b6920b02905661ae661a894e3bd8d2c744d7003) +--- + source3/lib/msg_channel.c | 100 ++++++++++++++-------------------------------- + 1 file changed, 31 insertions(+), 69 deletions(-) + +diff --git a/source3/lib/msg_channel.c b/source3/lib/msg_channel.c +index 625d07c..8e23fd4 100644 +--- a/source3/lib/msg_channel.c ++++ b/source3/lib/msg_channel.c +@@ -41,9 +41,6 @@ static void msg_channel_init_got_ctdb(struct tevent_req *subreq); + static void msg_channel_init_got_msg(struct messaging_context *msg, + void *priv, uint32_t msg_type, + struct server_id server_id, DATA_BLOB *data); +-static void msg_channel_trigger(struct tevent_context *ev, +- struct tevent_immediate *im, +- void *priv); + static int msg_channel_destructor(struct msg_channel *s); + + struct tevent_req *msg_channel_init_send(TALLOC_CTX *mem_ctx, +@@ -157,6 +154,12 @@ fail: + return err; + } + ++struct msg_read_state { ++ struct tevent_context *ev; ++ struct msg_channel *channel; ++ struct messaging_rec *rec; ++}; ++ + static void 
msg_channel_init_got_msg(struct messaging_context *msg, + void *priv, uint32_t msg_type, + struct server_id server_id, +@@ -167,7 +170,6 @@ static void msg_channel_init_got_msg(struct messaging_context *msg, + struct messaging_rec *rec; + struct messaging_rec **msgs; + size_t num_msgs; +- struct tevent_immediate *im; + + rec = talloc(s, struct messaging_rec); + if (rec == NULL) { +@@ -184,6 +186,19 @@ static void msg_channel_init_got_msg(struct messaging_context *msg, + } + rec->buf.length = data->length; + ++ if (s->pending_req != NULL) { ++ struct tevent_req *req = s->pending_req; ++ struct msg_read_state *state = tevent_req_data( ++ req, struct msg_read_state); ++ ++ s->pending_req = NULL; ++ ++ state->rec = talloc_move(state, &rec); ++ tevent_req_defer_callback(req, s->ev); ++ tevent_req_done(req); ++ return; ++ } ++ + num_msgs = talloc_array_length(s->msgs); + msgs = talloc_realloc(s, s->msgs, struct messaging_rec *, num_msgs+1); + if (msgs == NULL) { +@@ -192,28 +207,11 @@ static void msg_channel_init_got_msg(struct messaging_context *msg, + s->msgs = msgs; + s->msgs[num_msgs] = talloc_move(s->msgs, &rec); + +- if (s->pending_req == NULL) { +- return; +- } +- +- im = tevent_create_immediate(s); +- if (im == NULL) { +- goto fail; +- } +- tevent_schedule_immediate(im, s->ev, msg_channel_trigger, s); + return; + fail: + TALLOC_FREE(rec); + } + +-struct msg_read_state { +- struct tevent_context *ev; +- struct tevent_req *req; +- struct msg_channel *channel; +- struct messaging_rec *rec; +-}; +- +-static int msg_read_state_destructor(struct msg_read_state *s); + static void msg_read_got_ctdb(struct tevent_req *subreq); + + struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx, +@@ -221,7 +219,6 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx, + struct msg_channel *channel) + { + struct tevent_req *req; +- struct tevent_immediate *im; + struct msg_read_state *state; + void *msg_tdb_event; + size_t num_msgs; +@@ -231,28 +228,28 @@ struct tevent_req 
*msg_read_send(TALLOC_CTX *mem_ctx, + return NULL; + } + state->ev = ev; +- state->req = req; + state->channel = channel; + + if (channel->pending_req != NULL) { + tevent_req_error(req, EBUSY); + return tevent_req_post(req, ev); + } +- channel->pending_req = req; +- channel->ev = ev; +- talloc_set_destructor(state, msg_read_state_destructor); + + num_msgs = talloc_array_length(channel->msgs); + if (num_msgs != 0) { +- im = tevent_create_immediate(channel->ev); +- if (tevent_req_nomem(im, req)) { +- return tevent_req_post(req, ev); +- } +- tevent_schedule_immediate(im, channel->ev, msg_channel_trigger, +- channel); +- return req; ++ state->rec = talloc_move(state, &channel->msgs[0]); ++ memmove(channel->msgs, channel->msgs+1, ++ sizeof(struct messaging_rec *) * (num_msgs-1)); ++ channel->msgs = talloc_realloc( ++ channel, channel->msgs, struct messaging_rec *, ++ num_msgs - 1); ++ tevent_req_done(req); ++ return tevent_req_post(req, ev); + } + ++ channel->pending_req = req; ++ channel->ev = ev; ++ + msg_tdb_event = messaging_tdb_event(state, channel->msg, ev); + if (tevent_req_nomem(msg_tdb_event, req)) { + return tevent_req_post(req, ev); +@@ -271,42 +268,6 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx, + return req; + } + +-static int msg_read_state_destructor(struct msg_read_state *s) +-{ +- assert(s->channel->pending_req == s->req); +- s->channel->pending_req = NULL; +- return 0; +-} +- +-static void msg_channel_trigger(struct tevent_context *ev, +- struct tevent_immediate *im, +- void *priv) +-{ +- struct msg_channel *channel; +- struct tevent_req *req; +- struct msg_read_state *state; +- size_t num_msgs; +- +- channel = talloc_get_type_abort(priv, struct msg_channel); +- req = channel->pending_req; +- state = tevent_req_data(req, struct msg_read_state); +- +- talloc_set_destructor(state, NULL); +- msg_read_state_destructor(state); +- +- num_msgs = talloc_array_length(channel->msgs); +- assert(num_msgs > 0); +- +- state->rec = talloc_move(state, 
&channel->msgs[0]); +- +- memmove(channel->msgs, channel->msgs+1, +- sizeof(struct messaging_rec *) * (num_msgs-1)); +- channel->msgs = talloc_realloc( +- channel, channel->msgs, struct messaging_rec *, num_msgs - 1); +- +- tevent_req_done(req); +-} +- + static void msg_read_got_ctdb(struct tevent_req *subreq) + { + struct tevent_req *req = tevent_req_callback_data( +@@ -368,5 +329,6 @@ int msg_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + return err; + } + *prec = talloc_move(mem_ctx, &state->rec); ++ tevent_req_received(req); + return 0; + } +-- +1.8.1.2 + diff --git a/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch b/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch new file mode 100644 index 0000000..250798b --- /dev/null +++ b/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch 
@@ -0,0 +1,46 @@ +From b73750c2d2f65a0b4597fa0a11cc22272ba47524 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Nov 2013 17:21:01 +0100 +Subject: [PATCH] s3-lib: Fix %G substitution for domain users in smbd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10286 +Signed-off-by: Andreas Schneider +Reviewed-by: Christian Ambach + +Autobuild-User(master): Christian Ambach +Autobuild-Date(master): Tue Dec 10 16:39:43 CET 2013 on sn-devel-104 + +(cherry picked from commit 8eef4ab79ec5fb7e96ad2f2ad6c9bf30db13a50d) +Signed-off-by: Andreas Schneider +--- + source3/lib/substitute.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c +index ca2ac79..937f02c 100644 +--- a/source3/lib/substitute.c ++++ b/source3/lib/substitute.c +@@ -499,10 +499,20 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, + break; + case 'G' : { + struct passwd *pass; +- r = talloc_strdup(tmp_ctx, smb_name); ++ ++ if (domain_name != NULL && domain_name[0] != '\0') { ++ r = talloc_asprintf(tmp_ctx, ++ "%s%c%s", ++ domain_name, ++ *lp_winbind_separator(), ++ smb_name); ++ } else { ++ r = talloc_strdup(tmp_ctx, smb_name); ++ } + if (r == NULL) { + goto error; + } ++ + pass = Get_Pwnam_alloc(tmp_ctx, r); + if (pass != NULL) { + a_string = realloc_string_sub( +-- +1.8.5 diff --git a/SOURCES/samba-4.1.4-fix_dropbox_regression.patch b/SOURCES/samba-4.1.4-fix_dropbox_regression.patch new file mode 100644 index 0000000..db6abc0 --- /dev/null +++ b/SOURCES/samba-4.1.4-fix_dropbox_regression.patch 
@@ -0,0 +1,269 @@ +From 22b7400498af7cecbdf608adb7f622b803b50471 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 3 Dec 2013 13:20:17 +0100 +Subject: [PATCH 1/3] smbd: Fix regression for the dropbox case. + +We need to allow to save a file to a directory with perm -wx. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297 + +Signed-off-by: Volker Lendecke +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 5b49fe24c906cbae12beff7a1b45de6809258cab) +--- + source3/smbd/filename.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c +index fc96550..16d0df1 100644 +--- a/source3/smbd/filename.c ++++ b/source3/smbd/filename.c +@@ -722,7 +722,10 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + */ + + if (errno == EACCES) { +- if (ucf_flags & UCF_CREATING_FILE) { ++ if ((ucf_flags & UCF_CREATING_FILE) == 0) { ++ status = NT_STATUS_ACCESS_DENIED; ++ goto fail; ++ } else { + /* + * This is the dropbox + * behaviour. A dropbox is a +@@ -734,11 +737,8 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + * nevertheless want to allow + * users creating a file. + */ +- status = NT_STATUS_OBJECT_PATH_NOT_FOUND; +- } else { +- status = NT_STATUS_ACCESS_DENIED; ++ errno = 0; + } +- goto fail; + } + + if ((errno != 0) && (errno != ENOENT)) { +-- +1.8.5.1 + + +From e02e1bca121fa8dec84afa01132d450b6b2355b6 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 3 Dec 2013 10:19:09 -0800 +Subject: [PATCH 2/3] smbd: change flag name from UCF_CREATING_FILE to + UCF_PREP_CREATEFILE + +In preparation to using it for all open calls. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke +(cherry picked from commit 874318a97868e08837a1febb1be8e8a167b5ae0f) +--- + source3/smbd/filename.c | 2 +- + source3/smbd/nttrans.c | 4 ++-- + source3/smbd/reply.c | 10 +++++----- + source3/smbd/smb2_create.c | 2 +- + source3/smbd/smbd.h | 2 +- + 5 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c +index 16d0df1..ba41986 100644 +--- a/source3/smbd/filename.c ++++ b/source3/smbd/filename.c +@@ -722,7 +722,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx, + */ + + if (errno == EACCES) { +- if ((ucf_flags & UCF_CREATING_FILE) == 0) { ++ if ((ucf_flags & UCF_PREP_CREATEFILE) == 0) { + status = NT_STATUS_ACCESS_DENIED; + goto fail; + } else { +diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c +index b7dfa8c..15fa4b6 100644 +--- a/source3/smbd/nttrans.c ++++ b/source3/smbd/nttrans.c +@@ -539,7 +539,7 @@ void reply_ntcreate_and_X(struct smb_request *req) + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, + (create_disposition == FILE_CREATE) +- ? UCF_CREATING_FILE : 0, ++ ? UCF_PREP_CREATEFILE : 0, + NULL, + &smb_fname); + +@@ -1119,7 +1119,7 @@ static void call_nt_transact_create(connection_struct *conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, + (create_disposition == FILE_CREATE) +- ? UCF_CREATING_FILE : 0, ++ ? UCF_PREP_CREATEFILE : 0, + NULL, + &smb_fname); + +diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c +index 2d729ec..2c9749e 100644 +--- a/source3/smbd/reply.c ++++ b/source3/smbd/reply.c +@@ -1918,7 +1918,7 @@ void reply_open(struct smb_request *req) + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, + (create_disposition == FILE_CREATE) +- ? UCF_CREATING_FILE : 0, ++ ? 
UCF_PREP_CREATEFILE : 0, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +@@ -2096,7 +2096,7 @@ void reply_open_and_X(struct smb_request *req) + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, + (create_disposition == FILE_CREATE) +- ? UCF_CREATING_FILE : 0, ++ ? UCF_PREP_CREATEFILE : 0, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +@@ -2329,7 +2329,7 @@ void reply_mknew(struct smb_request *req) + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- UCF_CREATING_FILE, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +@@ -2470,7 +2470,7 @@ void reply_ctemp(struct smb_request *req) + status = filename_convert(ctx, conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- UCF_CREATING_FILE, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +@@ -5829,7 +5829,7 @@ void reply_mkdir(struct smb_request *req) + status = filename_convert(ctx, conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + directory, +- UCF_CREATING_FILE, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_dname); + if (!NT_STATUS_IS_OK(status)) { +diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c +index c4d4991..f637dac 100644 +--- a/source3/smbd/smb2_create.c ++++ b/source3/smbd/smb2_create.c +@@ -872,7 +872,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, + smb1req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, + (in_create_disposition == FILE_CREATE) ? 
+- UCF_CREATING_FILE : 0, ++ UCF_PREP_CREATEFILE : 0, + NULL, /* ppath_contains_wcards */ + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +diff --git a/source3/smbd/smbd.h b/source3/smbd/smbd.h +index e769157..5cf88bf 100644 +--- a/source3/smbd/smbd.h ++++ b/source3/smbd/smbd.h +@@ -73,6 +73,6 @@ struct trans_state { + #define UCF_COND_ALLOW_WCARD_LCOMP 0x00000004 + #define UCF_POSIX_PATHNAMES 0x00000008 + #define UCF_UNIX_NAME_LOOKUP 0x00000010 +-#define UCF_CREATING_FILE 0x00000020 ++#define UCF_PREP_CREATEFILE 0x00000020 + + #endif /* _SMBD_SMBD_H */ +-- +1.8.5.1 + + +From e7abcfae4fbbf4d6fe56e5a1a4d76ffe4e9677d9 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 3 Dec 2013 10:21:16 -0800 +Subject: [PATCH 3/3] smbd: Always use UCF_PREP_CREATEFILE for filename_convert + calls to resolve a path for open. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Mon Dec 9 21:02:21 CET 2013 on sn-devel-104 + +(cherry picked from commit f98d10af2a05f0261611f4cabdfe274cd9fe91c0) +--- + source3/smbd/nttrans.c | 6 ++---- + source3/smbd/reply.c | 6 ++---- + source3/smbd/smb2_create.c | 3 +-- + 3 files changed, 5 insertions(+), 10 deletions(-) + +diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c +index 15fa4b6..0d3cd07 100644 +--- a/source3/smbd/nttrans.c ++++ b/source3/smbd/nttrans.c +@@ -538,8 +538,7 @@ void reply_ntcreate_and_X(struct smb_request *req) + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- (create_disposition == FILE_CREATE) +- ? UCF_PREP_CREATEFILE : 0, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + +@@ -1118,8 +1117,7 @@ static void call_nt_transact_create(connection_struct *conn, + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- (create_disposition == FILE_CREATE) +- ? 
UCF_PREP_CREATEFILE : 0, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + +diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c +index 2c9749e..f293b69 100644 +--- a/source3/smbd/reply.c ++++ b/source3/smbd/reply.c +@@ -1917,8 +1917,7 @@ void reply_open(struct smb_request *req) + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- (create_disposition == FILE_CREATE) +- ? UCF_PREP_CREATEFILE : 0, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +@@ -2095,8 +2094,7 @@ void reply_open_and_X(struct smb_request *req) + conn, + req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- (create_disposition == FILE_CREATE) +- ? UCF_PREP_CREATEFILE : 0, ++ UCF_PREP_CREATEFILE, + NULL, + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c +index f637dac..6730ad6 100644 +--- a/source3/smbd/smb2_create.c ++++ b/source3/smbd/smb2_create.c +@@ -871,8 +871,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, + smb1req->conn, + smb1req->flags2 & FLAGS2_DFS_PATHNAMES, + fname, +- (in_create_disposition == FILE_CREATE) ? +- UCF_PREP_CREATEFILE : 0, ++ UCF_PREP_CREATEFILE, + NULL, /* ppath_contains_wcards */ + &smb_fname); + if (!NT_STATUS_IS_OK(status)) { +-- +1.8.5.1 diff --git a/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch b/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch new file mode 100644 index 0000000..f60d6e2 --- /dev/null +++ b/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch 
@@ -0,0 +1,32 @@ +From c1b7cf5481f20e7503e736ac2edd4c6d47dfea1c Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Thu, 5 Dec 2013 15:50:58 +0100 +Subject: [PATCH] smbd: Fix a panic when a smb2 brlock times out + +Found by Peter Somogyi. + +Signed-off-by: Volker Lendecke +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Dec 5 21:21:35 CET 2013 on sn-devel-104 +--- + source3/smbd/smb2_lock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c +index e2ea251..671cd6f 100644 +--- a/source3/smbd/smb2_lock.c ++++ b/source3/smbd/smb2_lock.c +@@ -511,7 +511,7 @@ static bool recalc_smb2_brl_timeout(struct smbd_server_connection *sconn) + NULL, + next_timeout, + brl_timeout_fn, +- NULL); ++ sconn); + if (!sconn->smb2.locks.brl_timeout) { + return false; + } +-- +1.8.5.1 + diff --git a/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch b/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch new file mode 100644 index 0000000..f67d136 --- /dev/null +++ b/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch 
@@ -0,0 +1,233 @@ +From ac40cbf90f78cf25d7cc2b5182a11c6706b73bf4 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 6 Jan 2014 15:15:37 -0800 +Subject: [PATCH 1/2] s3: winbindd: Move the logic of whether to set + 'domain->primary' into add_trusted_domain(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke +(cherry picked from commit cfa6a36467f5679a88e49419e8af32b724c242bd) +--- + source3/winbindd/winbindd_util.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 85b014d..10ca132 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -99,6 +99,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const + char *idmap_config_option; + const char *param; + const char **ignored_domains, **dom; ++ int role = lp_server_role(); + + ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL); + for (dom=ignored_domains; dom && *dom; dom++) { +@@ -196,6 +197,15 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const + sid_copy(&domain->sid, sid); + } + ++ /* Is this our primary domain ? 
*/ ++ if (strequal(domain_name, get_global_sam_name()) && ++ (role != ROLE_DOMAIN_MEMBER)) { ++ domain->primary = true; ++ } else if (strequal(domain_name, lp_workgroup()) && ++ (role == ROLE_DOMAIN_MEMBER)) { ++ domain->primary = true; ++ } ++ + /* Link to domain list */ + DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *); + +@@ -628,9 +638,6 @@ bool init_domain_list(void) + domain = add_trusted_domain(get_global_sam_name(), NULL, + &cache_methods, get_global_sam_sid()); + if (domain) { +- if ( role != ROLE_DOMAIN_MEMBER ) { +- domain->primary = True; +- } + setup_domain_child(domain); + } + +@@ -647,7 +654,6 @@ bool init_domain_list(void) + domain = add_trusted_domain( lp_workgroup(), lp_realm(), + &cache_methods, &our_sid); + if (domain) { +- domain->primary = True; + setup_domain_child(domain); + + /* Even in the parent winbindd we'll need to +-- +1.8.5.1 + + +From 607019cef6f730c91af9d9825cd0c1d82e494859 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 6 Jan 2014 15:22:59 -0800 +Subject: [PATCH 2/2] s3: winbindd: Move calling setup_domain_child() into + add_trusted_domain(). + +Ensure it only gets called when a new domain is allocated +and added to the list. + +This should fix problems with the previous logic where +setup_domain_child() was called in places where an existing +domain was returned. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Wed Jan 8 20:46:55 CET 2014 on sn-devel-104 + +(cherry picked from commit ca931e460460ffe46735f98b31db47220772d566) +--- + source3/winbindd/winbindd_util.c | 46 ++++++++++++---------------------------- + 1 file changed, 14 insertions(+), 32 deletions(-) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 10ca132..a00fe14 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -89,7 +89,10 @@ static bool is_in_internal_domain(const struct dom_sid *sid) + } + + +-/* Add a trusted domain to our list of domains */ ++/* Add a trusted domain to our list of domains. ++ If the domain already exists in the list, ++ return it and don't re-initialize. */ ++ + static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name, + struct winbindd_methods *methods, + const struct dom_sid *sid) +@@ -147,7 +150,10 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const + + if (domain != NULL) { + /* +- * We found a match. Possibly update the SID ++ * We found a match on domain->name or ++ * domain->alt_name. Possibly update the SID ++ * if the stored SID was the NULL SID ++ * and return the matching entry. 
+ */ + if ((sid != NULL) + && dom_sid_equal(&domain->sid, &global_sid_NULL)) { +@@ -242,6 +248,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const + + done: + ++ setup_domain_child(domain); ++ + DEBUG(2,("Added domain %s %s %s\n", + domain->name, domain->alt_name, + &domain->sid?sid_string_dbg(&domain->sid):"")); +@@ -315,9 +323,7 @@ static void trustdom_list_done(struct tevent_req *req) + while ((p != NULL) && (*p != '\0')) { + char *q, *sidstr, *alt_name; + struct dom_sid sid; +- struct winbindd_domain *domain; + char *alternate_name = NULL; +- bool domain_exists; + + alt_name = strchr(p, '\\'); + if (alt_name == NULL) { +@@ -351,26 +357,16 @@ static void trustdom_list_done(struct tevent_req *req) + if ( !strequal( alt_name, "(null)" ) ) + alternate_name = alt_name; + +- /* Check if we already have a child for the domain */ +- domain_exists = (find_domain_from_name_noinit(p) != NULL); +- + /* + * We always call add_trusted_domain() cause on an existing + * domain structure, it will update the SID if necessary. + * This is important because we need the SID for sibling + * domains. + */ +- domain = add_trusted_domain(p, alternate_name, ++ (void)add_trusted_domain(p, alternate_name, + &cache_methods, + &sid); + +- /* +- * If the domain doesn't exist yet and got correctly added, +- * setup a new domain child. 
+- */ +- if (!domain_exists && domain != NULL) { +- setup_domain_child(domain); +- } + p=q; + if (p != NULL) + p += 1; +@@ -444,9 +440,6 @@ static void rescan_forest_root_trusts( void ) + dom_list[i].dns_name, + &cache_methods, + &dom_list[i].sid ); +- if (d != NULL) { +- setup_domain_child(d); +- } + } + + if (d == NULL) { +@@ -516,9 +509,6 @@ static void rescan_forest_trusts( void ) + dom_list[i].dns_name, + &cache_methods, + &dom_list[i].sid ); +- if (d != NULL) { +- setup_domain_child(d); +- } + } + + if (d == NULL) { +@@ -619,7 +609,6 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai + /* Look up global info for the winbind daemon */ + bool init_domain_list(void) + { +- struct winbindd_domain *domain; + int role = lp_server_role(); + + /* Free existing list */ +@@ -627,23 +616,18 @@ bool init_domain_list(void) + + /* BUILTIN domain */ + +- domain = add_trusted_domain("BUILTIN", NULL, &cache_methods, ++ (void)add_trusted_domain("BUILTIN", NULL, &cache_methods, + &global_sid_Builtin); +- if (domain) { +- setup_domain_child(domain); +- } + + /* Local SAM */ + +- domain = add_trusted_domain(get_global_sam_name(), NULL, ++ (void)add_trusted_domain(get_global_sam_name(), NULL, + &cache_methods, get_global_sam_sid()); +- if (domain) { +- setup_domain_child(domain); +- } + + /* Add ourselves as the first entry. */ + + if ( role == ROLE_DOMAIN_MEMBER ) { ++ struct winbindd_domain *domain; + struct dom_sid our_sid; + + if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) { +@@ -654,8 +638,6 @@ bool init_domain_list(void) + domain = add_trusted_domain( lp_workgroup(), lp_realm(), + &cache_methods, &our_sid); + if (domain) { +- setup_domain_child(domain); +- + /* Even in the parent winbindd we'll need to + talk to the DC, so try and see if we can + contact it. Theoretically this isn't neccessary +-- +1.8.5.1 + 
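Review bot: in source3/lib/msg_channel.c (samba-4.1.4-Fix-segfault-in-smbd.patch), msg_read_send() still sets channel->pending_req = req, but the talloc destructor that used to clear it (msg_read_state_destructor) is removed, and the only place in this diff that resets the pointer is the new pending_req branch in msg_channel_init_got_msg(). If a caller frees the request before a message arrives, that branch would call tevent_req_data() on a stale pointer. Either keep a destructor on the state that sets channel->pending_req = NULL, or add a comment explaining why a pending read cannot be freed early. In the same function the talloc_realloc() result is assigned straight to channel->msgs when the queue is shrunk; a one-line comment on what a NULL result means there would help.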
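Review bot: patch 3/3 of samba-4.1.4-fix_dropbox_regression.patch passes UCF_PREP_CREATEFILE unconditionally in reply_ntcreate_and_X(), call_nt_transact_create(), reply_open(), reply_open_and_X() and smbd_smb2_create_send(), so with patch 1/3 applied the EACCES branch in unix_convert() clears errno and continues for every open, not only when create_disposition == FILE_CREATE. The NT_STATUS_ACCESS_DENIED path is then reachable only from callers that do not set the flag. Please say, in the comment in unix_convert() or next to the #define in smbd.h, where access is enforced for opens of an existing name under a directory without read permission, and add a test for that case next to the dropbox one.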
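Review bot: in add_trusted_domain() (patch 1/2 of samba-4.1.4-fix_winbind_100_percent_childs.patch), domain->primary is now derived from a string comparison on domain_name for every caller, where before it was set only at the two call sites in init_domain_list(). The function is also called from trustdom_list_done() and the rescan_forest_* functions with names that come from trust enumeration, so the new block should carry a comment on why a name equal to lp_workgroup() or get_global_sam_name() arriving on those paths cannot produce a second primary entry. The two branches assign the same value and could be folded into one condition on role.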
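Review bot: in patch 2/2 of samba-4.1.4-fix_winbind_100_percent_childs.patch, setup_domain_child(domain) sits directly after the done: label in add_trusted_domain(), while the new header comment promises that an existing domain is returned without re-initialization. The hunks do not show which gotos reach done:, so please confirm that the "found a match" path returns before the label and that domain is always a freshly allocated entry there; otherwise the child is set up again for an existing domain, which is the problem the commit message describes. A short comment above the call stating that invariant would keep later edits from adding a goto done on the match path.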
diff --git a/SOURCES/samba-4.1.5-fix_force_user_sec_ads.patch b/SOURCES/samba-4.1.5-fix_force_user_sec_ads.patch new file mode 100644 index 0000000..6c08ccc --- /dev/null +++ b/SOURCES/samba-4.1.5-fix_force_user_sec_ads.patch 
@@ -0,0 +1,1448 @@ +From 80f3551d4f594438dcc93dd82a7953c4a913badd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 16 Dec 2013 12:57:20 +0100 +Subject: [PATCH 1/7] s3-lib: Add winbind_lookup_usersids(). + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett + +(cherry picked from commit 241e98d8ee099f9cc5feb835085b4abd2b1ee663) +--- + source3/lib/winbind_util.c | 34 +++++ + source3/lib/winbind_util.h | 4 + + source3/passdb/ABI/pdb-0.1.0.sigs | 311 ++++++++++++++++++++++++++++++++++++++ + source3/wscript_build | 2 +- + 4 files changed, 350 insertions(+), 1 deletion(-) + create mode 100644 source3/passdb/ABI/pdb-0.1.0.sigs + +diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c +index b458ebe..f62682b 100644 +--- a/source3/lib/winbind_util.c ++++ b/source3/lib/winbind_util.c +@@ -342,6 +342,40 @@ bool winbind_get_sid_aliases(TALLOC_CTX *mem_ctx, + return true; + } + ++bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx, ++ const struct dom_sid *user_sid, ++ uint32_t *p_num_sids, ++ struct dom_sid **p_sids) ++{ ++ wbcErr ret; ++ struct wbcDomainSid dom_sid; ++ struct wbcDomainSid *sid_list = NULL; ++ uint32_t num_sids; ++ ++ memcpy(&dom_sid, user_sid, sizeof(dom_sid)); ++ ++ ret = wbcLookupUserSids(&dom_sid, ++ false, ++ &num_sids, ++ &sid_list); ++ if (ret != WBC_ERR_SUCCESS) { ++ return false; ++ } ++ ++ *p_sids = talloc_array(mem_ctx, struct dom_sid, num_sids); ++ if (*p_sids == NULL) { ++ wbcFreeMemory(sid_list); ++ return false; ++ } ++ ++ memcpy(*p_sids, sid_list, sizeof(dom_sid) * num_sids); ++ ++ *p_num_sids = num_sids; ++ wbcFreeMemory(sid_list); ++ ++ return true; ++} ++ + #else /* WITH_WINBIND */ + + struct passwd * winbind_getpwnam(const char * name) +diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h +index 541bb95..abbc5a9 100644 +--- a/source3/lib/winbind_util.h ++++ b/source3/lib/winbind_util.h +@@ -58,5 +58,9 @@ bool 
winbind_get_sid_aliases(TALLOC_CTX *mem_ctx, + size_t num_members, + uint32_t **pp_alias_rids, + size_t *p_num_alias_rids); ++bool winbind_lookup_usersids(TALLOC_CTX *mem_ctx, ++ const struct dom_sid *user_sid, ++ uint32_t *p_num_sids, ++ struct dom_sid **p_sids); + + #endif /* __LIB__WINBIND_UTIL_H__ */ +diff --git a/source3/passdb/ABI/pdb-0.1.0.sigs b/source3/passdb/ABI/pdb-0.1.0.sigs +new file mode 100644 +index 0000000..f4de9c4 +--- /dev/null ++++ b/source3/passdb/ABI/pdb-0.1.0.sigs +@@ -0,0 +1,311 @@ ++PDB_secrets_clear_domain_protection: bool (const char *) ++PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *) ++PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *) ++PDB_secrets_mark_domain_protected: bool (const char *) ++PDB_secrets_store_domain_guid: bool (const char *, struct GUID *) ++PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *) ++account_policy_get: bool (enum pdb_policy_type, uint32_t *) ++account_policy_get_default: bool (enum pdb_policy_type, uint32_t *) ++account_policy_get_desc: const char *(enum pdb_policy_type) ++account_policy_name_to_typenum: enum pdb_policy_type (const char *) ++account_policy_names_list: void (TALLOC_CTX *, const char ***, int *) ++account_policy_set: bool (enum pdb_policy_type, uint32_t) ++add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *) ++algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t) ++algorithmic_pdb_rid_is_user: bool (uint32_t) ++algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t) ++algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t) ++algorithmic_rid_base: int (void) ++builtin_domain_name: const char *(void) ++cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *) ++cache_account_policy_set: bool (enum pdb_policy_type, uint32_t) ++create_builtin_administrators: NTSTATUS (const struct dom_sid *) ++create_builtin_users: NTSTATUS (const struct dom_sid *) ++decode_account_policy_name: const char *(enum 
pdb_policy_type) ++get_account_pol_db: struct db_context *(void) ++get_account_policy_attr: const char *(enum pdb_policy_type) ++get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *) ++get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **) ++get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *) ++get_privileges_for_sids: bool (uint64_t *, struct dom_sid *, int) ++get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *) ++get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *) ++gid_to_sid: void (struct dom_sid *, gid_t) ++gid_to_unix_groups_sid: void (gid_t, struct dom_sid *) ++grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int) ++grant_all_privileges: bool (const struct dom_sid *) ++grant_privilege_by_name: bool (const struct dom_sid *, const char *) ++grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) ++groupdb_tdb_init: const struct mapping_backend *(void) ++init_account_policy: bool (void) ++init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool) ++init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t) ++initialize_password_db: bool (bool, struct tevent_context *) ++is_dc_trusted_domain_situation: bool (const char *) ++is_privileged_sid: bool (const struct dom_sid *) ++local_password_change: NTSTATUS (const char *, int, const char *, char **, char **) ++login_cache_delentry: bool (const struct samu *) ++login_cache_init: bool (void) ++login_cache_read: bool (struct samu *, struct login_cache *) ++login_cache_shutdown: bool (void) ++login_cache_write: bool (const struct samu *, const struct login_cache *) ++lookup_builtin_name: bool (const char *, uint32_t *) ++lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **) ++lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *) ++lookup_name: bool 
(TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) ++lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) ++lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) ++lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, struct lsa_name_info **) ++lookup_unix_group_name: bool (const char *, struct dom_sid *) ++lookup_unix_user_name: bool (const char *, struct dom_sid *) ++lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **) ++lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **) ++make_pdb_method: NTSTATUS (struct pdb_methods **) ++make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *) ++max_algorithmic_gid: gid_t (void) ++max_algorithmic_uid: uid_t (void) ++my_sam_name: const char *(void) ++pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) ++pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *) ++pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) ++pdb_add_sam_account: NTSTATUS (struct samu *) ++pdb_build_fields_present: uint32_t (struct samu *) ++pdb_capabilities: uint32_t (void) ++pdb_copy_sam_account: bool (struct samu *, struct samu *) ++pdb_create_alias: NTSTATUS (const char *, uint32_t *) ++pdb_create_builtin: NTSTATUS (uint32_t) ++pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t) ++pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *) ++pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *) ++pdb_decode_acct_ctrl: uint32_t (const char *) ++pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) ++pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_default_alias_memberships: NTSTATUS (struct 
pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *) ++pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) ++pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *) ++pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) ++pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) ++pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) ++pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) ++pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) ++pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) ++pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) ++pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) ++pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) ++pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) ++pdb_del_trusted_domain: NTSTATUS (const char *) ++pdb_del_trusteddom_pw: bool (const char *) ++pdb_delete_alias: NTSTATUS (const struct dom_sid *) ++pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t) ++pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid) ++pdb_delete_sam_account: NTSTATUS (struct samu *) ++pdb_delete_secret: NTSTATUS (const char *) ++pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *) ++pdb_element_is_changed: bool (const struct samu *, enum pdb_elements) ++pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements) 
++pdb_encode_acct_ctrl: char *(uint32_t, size_t) ++pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) ++pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) ++pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *) ++pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *) ++pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***) ++pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) ++pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***) ++pdb_find_backend_entry: struct pdb_init_function_entry *(const char *) ++pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *) ++pdb_get_acct_ctrl: uint32_t (const struct samu *) ++pdb_get_acct_desc: const char *(const struct samu *) ++pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) ++pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *) ++pdb_get_backends: const struct pdb_init_function_entry *(void) ++pdb_get_bad_password_count: uint16_t (const struct samu *) ++pdb_get_bad_password_time: time_t (const struct samu *) ++pdb_get_code_page: uint16_t (const struct samu *) ++pdb_get_comment: const char *(const struct samu *) ++pdb_get_country_code: uint16_t (const struct samu *) ++pdb_get_dir_drive: const char *(const struct samu *) ++pdb_get_domain: const char *(const struct samu *) ++pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *) ++pdb_get_fullname: const char *(const struct samu *) ++pdb_get_group_rid: uint32_t (struct samu *) ++pdb_get_group_sid: const struct dom_sid *(struct samu *) ++pdb_get_homedir: const char *(const struct samu *) ++pdb_get_hours: 
const uint8_t *(const struct samu *) ++pdb_get_hours_len: uint32_t (const struct samu *) ++pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements) ++pdb_get_kickoff_time: time_t (const struct samu *) ++pdb_get_lanman_passwd: const uint8_t *(const struct samu *) ++pdb_get_logoff_time: time_t (const struct samu *) ++pdb_get_logon_count: uint16_t (const struct samu *) ++pdb_get_logon_divs: uint16_t (const struct samu *) ++pdb_get_logon_script: const char *(const struct samu *) ++pdb_get_logon_time: time_t (const struct samu *) ++pdb_get_munged_dial: const char *(const struct samu *) ++pdb_get_nt_passwd: const uint8_t *(const struct samu *) ++pdb_get_nt_username: const char *(const struct samu *) ++pdb_get_pass_can_change: bool (const struct samu *) ++pdb_get_pass_can_change_time: time_t (const struct samu *) ++pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *) ++pdb_get_pass_last_set_time: time_t (const struct samu *) ++pdb_get_pass_must_change_time: time_t (const struct samu *) ++pdb_get_plaintext_passwd: const char *(const struct samu *) ++pdb_get_profile_path: const char *(const struct samu *) ++pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *) ++pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **) ++pdb_get_seq_num: bool (time_t *) ++pdb_get_tevent_context: struct tevent_context *(void) ++pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **) ++pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **) ++pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *) ++pdb_get_unknown_6: uint32_t (const struct samu *) ++pdb_get_user_rid: uint32_t (const struct samu *) ++pdb_get_user_sid: const struct dom_sid *(const struct samu *) ++pdb_get_username: const char *(const struct samu *) ++pdb_get_workstations: const char *(const struct 
samu *) ++pdb_getgrgid: bool (GROUP_MAP *, gid_t) ++pdb_getgrnam: bool (GROUP_MAP *, const char *) ++pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid) ++pdb_gethexhours: bool (const char *, unsigned char *) ++pdb_gethexpwd: bool (const char *, unsigned char *) ++pdb_getsampwnam: bool (struct samu *, const char *) ++pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) ++pdb_gid_to_sid: bool (gid_t, struct dom_sid *) ++pdb_group_rid_to_gid: gid_t (uint32_t) ++pdb_increment_bad_password_count: bool (struct samu *) ++pdb_is_password_change_time_max: bool (time_t) ++pdb_is_responsible_for_builtin: bool (void) ++pdb_is_responsible_for_our_sam: bool (void) ++pdb_is_responsible_for_unix_groups: bool (void) ++pdb_is_responsible_for_unix_users: bool (void) ++pdb_is_responsible_for_wellknown: bool (void) ++pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *) ++pdb_new_rid: bool (uint32_t *) ++pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) ++pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool) ++pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) ++pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) ++pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) ++pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) ++pdb_rename_sam_account: NTSTATUS (struct samu *, const char *) ++pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *) ++pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **) ++pdb_search_groups: struct pdb_search *(TALLOC_CTX *) ++pdb_search_init: struct pdb_search *(TALLOC_CTX *, enum pdb_search_type) ++pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t) 
++pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t) ++pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) ++pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum pdb_value_state) ++pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) ++pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state) ++pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state) ++pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) ++pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state) ++pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state) 
++pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) ++pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_pass_can_change: bool (struct samu *, bool) ++pdb_set_pass_can_change_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state) ++pdb_set_plaintext_passwd: bool (struct samu *, const char *) ++pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state) ++pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *) ++pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *) ++pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *) ++pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *) ++pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **) ++pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) ++pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) ++pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state) ++pdb_sethexhours: void (char *, const unsigned char *) ++pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) ++pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *) ++pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct 
unixid *) ++pdb_uid_to_sid: bool (uid_t, struct dom_sid *) ++pdb_update_autolock_flag: bool (struct samu *, bool *) ++pdb_update_bad_password_count: bool (struct samu *, bool *) ++pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) ++pdb_update_login_attempts: NTSTATUS (struct samu *, bool) ++pdb_update_sam_account: NTSTATUS (struct samu *) ++privilege_create_account: NTSTATUS (const struct dom_sid *) ++privilege_delete_account: NTSTATUS (const struct dom_sid *) ++privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *) ++privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *) ++revoke_all_privileges: bool (const struct dom_sid *) ++revoke_privilege_by_name: bool (const struct dom_sid *, const char *) ++revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) ++samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *) ++samu_new: struct samu *(TALLOC_CTX *) ++samu_set_unix: NTSTATUS (struct samu *, const struct passwd *) ++secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) ++sid_check_is_builtin: bool (const struct dom_sid *) ++sid_check_is_for_passdb: bool (const struct dom_sid *) ++sid_check_is_in_builtin: bool (const struct dom_sid *) ++sid_check_is_in_unix_groups: bool (const struct dom_sid *) ++sid_check_is_in_unix_users: bool (const struct dom_sid *) ++sid_check_is_in_wellknown_domain: bool (const struct dom_sid *) ++sid_check_is_unix_groups: bool (const struct dom_sid *) ++sid_check_is_unix_users: bool (const struct dom_sid *) ++sid_check_is_wellknown_builtin: bool (const struct dom_sid *) ++sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **) ++sid_check_object_is_for_passdb: bool (const struct dom_sid *) ++sid_to_gid: bool (const struct dom_sid *, gid_t *) ++sid_to_uid: bool (const struct dom_sid *, uid_t *) ++sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *) 
++smb_add_user_group: int (const char *, const char *) ++smb_create_group: int (const char *, gid_t *) ++smb_delete_group: int (const char *) ++smb_delete_user_group: int (const char *, const char *) ++smb_nscd_flush_group_cache: void (void) ++smb_nscd_flush_user_cache: void (void) ++smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function) ++smb_set_primary_group: int (const char *, const char *) ++uid_to_sid: void (struct dom_sid *, uid_t) ++uid_to_unix_users_sid: void (uid_t, struct dom_sid *) ++unix_groups_domain_name: const char *(void) ++unix_users_domain_name: const char *(void) ++unixid_from_both: void (struct unixid *, uint32_t) ++unixid_from_gid: void (struct unixid *, uint32_t) ++unixid_from_uid: void (struct unixid *, uint32_t) ++wb_is_trusted_domain: wbcErr (const char *) ++winbind_allocate_gid: bool (gid_t *) ++winbind_allocate_uid: bool (uid_t *) ++winbind_get_groups: bool (TALLOC_CTX *, const char *, uint32_t *, gid_t **) ++winbind_get_sid_aliases: bool (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) ++winbind_getpwnam: struct passwd *(const char *) ++winbind_getpwsid: struct passwd *(const struct dom_sid *) ++winbind_gid_to_sid: bool (struct dom_sid *, gid_t) ++winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *) ++winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **) ++winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) ++winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **) ++winbind_ping: bool (void) ++winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *) ++winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *) ++winbind_uid_to_sid: bool (struct dom_sid *, uid_t) +diff --git a/source3/wscript_build b/source3/wscript_build +index e0432bf..6d6b6aa 100755 +--- 
a/source3/wscript_build ++++ b/source3/wscript_build +@@ -736,7 +736,7 @@ bld.SAMBA3_LIBRARY('pdb', + passdb/lookup_sid.h''', + abi_match=private_pdb_match, + abi_directory='passdb/ABI', +- vnum='0', ++ vnum='0.1.0', + vars=locals()) + + bld.SAMBA3_LIBRARY('smbldaphelper', +-- +1.8.5.2 + + +From 91debcafd196a9e821efddce0a9d75c48f8e168d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 13 Dec 2013 19:08:34 +0100 +Subject: [PATCH 2/7] s3-auth: Add passwd_to_SamInfo3(). + +First this function tries to contacts winbind if the user is a domain +user to get valid information about it. If winbind isn't running it will +try to create everything from the passwd struct. This is not always +reliable but works in most cases. It improves the current situation +which doesn't talk to winbind at all. + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 1bb11c7744df6928cb8a096373ab920366b38770) +--- + source3/auth/proto.h | 4 ++ + source3/auth/server_info.c | 116 +++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 120 insertions(+) + +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 76661fc..8385e66 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -286,6 +286,10 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + const char *login_server, + struct netr_SamInfo3 **_info3, + struct extra_auth_info *extra); ++NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, ++ const char *unix_username, ++ const struct passwd *pwd, ++ struct netr_SamInfo3 **pinfo3); + struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, + struct netr_SamInfo3 *orig); + struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, +diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c +index d2b7d6e..46d8178 100644 +--- a/source3/auth/server_info.c ++++ b/source3/auth/server_info.c +@@ -24,6 +24,7 @@ + #include 
"../libcli/security/security.h" + #include "rpc_client/util_netlogon.h" + #include "nsswitch/libwbclient/wbclient.h" ++#include "lib/winbind_util.h" + #include "passdb.h" + + #undef DBGC_CLASS +@@ -436,6 +437,121 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, + return NT_STATUS_OK; + } + ++NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, ++ const char *unix_username, ++ const struct passwd *pwd, ++ struct netr_SamInfo3 **pinfo3) ++{ ++ struct netr_SamInfo3 *info3; ++ NTSTATUS status; ++ TALLOC_CTX *tmp_ctx; ++ const char *domain_name = NULL; ++ const char *user_name = NULL; ++ struct dom_sid domain_sid; ++ struct dom_sid user_sid; ++ struct dom_sid group_sid; ++ enum lsa_SidType type; ++ uint32_t num_sids = 0; ++ struct dom_sid *user_sids = NULL; ++ bool ok; ++ ++ tmp_ctx = talloc_stackframe(); ++ ++ ok = lookup_name_smbconf(tmp_ctx, ++ unix_username, ++ LOOKUP_NAME_ALL, ++ &domain_name, ++ &user_name, ++ &user_sid, ++ &type); ++ if (!ok) { ++ status = NT_STATUS_NO_SUCH_USER; ++ goto done; ++ } ++ ++ if (type != SID_NAME_USER) { ++ status = NT_STATUS_NO_SUCH_USER; ++ goto done; ++ } ++ ++ ok = winbind_lookup_usersids(tmp_ctx, ++ &user_sid, ++ &num_sids, ++ &user_sids); ++ /* Check if winbind is running */ ++ if (ok) { ++ /* ++ * Winbind is running and the first element of the user_sids ++ * is the primary group. ++ */ ++ if (num_sids > 0) { ++ group_sid = user_sids[0]; ++ } ++ } else { ++ /* ++ * Winbind is not running, create the group_sid from the ++ * group id. 
++ */ ++ gid_to_sid(&group_sid, pwd->pw_gid); ++ } ++ ++ /* Make sure we have a valid group sid */ ++ ok = !is_null_sid(&group_sid); ++ if (!ok) { ++ status = NT_STATUS_NO_SUCH_USER; ++ goto done; ++ } ++ ++ /* Construct a netr_SamInfo3 from the information we have */ ++ info3 = talloc_zero(tmp_ctx, struct netr_SamInfo3); ++ if (!info3) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ info3->base.account_name.string = talloc_strdup(info3, unix_username); ++ if (info3->base.account_name.string == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ ZERO_STRUCT(domain_sid); ++ ++ sid_copy(&domain_sid, &user_sid); ++ sid_split_rid(&domain_sid, &info3->base.rid); ++ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); ++ ++ ok = sid_peek_check_rid(&domain_sid, &group_sid, ++ &info3->base.primary_gid); ++ if (!ok) { ++ DEBUG(1, ("The primary group domain sid(%s) does not " ++ "match the domain sid(%s) for %s(%s)\n", ++ sid_string_dbg(&group_sid), ++ sid_string_dbg(&domain_sid), ++ unix_username, ++ sid_string_dbg(&user_sid))); ++ status = NT_STATUS_INVALID_SID; ++ goto done; ++ } ++ ++ info3->base.acct_flags = ACB_NORMAL; ++ ++ if (num_sids) { ++ status = group_sids_to_info3(info3, user_sids, num_sids); ++ if (!NT_STATUS_IS_OK(status)) { ++ goto done; ++ } ++ } ++ ++ *pinfo3 = talloc_steal(mem_ctx, info3); ++ ++ status = NT_STATUS_OK; ++done: ++ talloc_free(tmp_ctx); ++ ++ return status; ++} ++ + #undef RET_NOMEM + + #define RET_NOMEM(ptr) do { \ +-- +1.8.5.2 + + +From c7b7670dc5cd8dbf727258666b6417d67afafb33 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 13 Dec 2013 19:11:01 +0100 +Subject: [PATCH 3/7] s3-auth: Pass talloc context to make_server_info_pw(). 
+ +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 1b59c9743cf3fbd66b0b8b52162b2cc8d922e5cf) +--- + source3/auth/auth_unix.c | 7 +++++-- + source3/auth/auth_util.c | 52 +++++++++++++++++++++++++++++------------------- + source3/auth/proto.h | 7 ++++--- + source3/auth/user_krb5.c | 5 +---- + 4 files changed, 42 insertions(+), 29 deletions(-) + +diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c +index c8b5435..7b483a2 100644 +--- a/source3/auth/auth_unix.c ++++ b/source3/auth/auth_unix.c +@@ -67,8 +67,11 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context, + unbecome_root(); + + if (NT_STATUS_IS_OK(nt_status)) { +- if (pass) { +- make_server_info_pw(server_info, pass->pw_name, pass); ++ if (pass != NULL) { ++ nt_status = make_server_info_pw(mem_ctx, ++ pass->pw_name, ++ pass, ++ server_info); + } else { + /* we need to do somthing more useful here */ + nt_status = NT_STATUS_NO_SUCH_USER; +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index ceaa706..b225b0d 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -639,14 +639,15 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + to a struct samu + ***************************************************************************/ + +-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, +- char *unix_username, +- struct passwd *pwd) ++NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, ++ const char *unix_username, ++ const struct passwd *pwd, ++ struct auth_serversupplied_info **server_info) + { + NTSTATUS status; + struct samu *sampass = NULL; + char *qualified_name = NULL; +- TALLOC_CTX *mem_ctx = NULL; ++ TALLOC_CTX *tmp_ctx; + struct dom_sid u_sid; + enum lsa_SidType type; + struct auth_serversupplied_info *result; +@@ -664,27 +665,27 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info 
**server_info, + * plaintext passwords were used with no SAM backend. + */ + +- mem_ctx = talloc_init("make_server_info_pw_tmp"); +- if (!mem_ctx) { ++ tmp_ctx = talloc_stackframe(); ++ if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + +- qualified_name = talloc_asprintf(mem_ctx, "%s\\%s", ++ qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s", + unix_users_domain_name(), + unix_username ); + if (!qualified_name) { +- TALLOC_FREE(mem_ctx); ++ TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + +- if (!lookup_name(mem_ctx, qualified_name, LOOKUP_NAME_ALL, ++ if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL, + NULL, NULL, + &u_sid, &type)) { +- TALLOC_FREE(mem_ctx); ++ TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_SUCH_USER; + } + +- TALLOC_FREE(mem_ctx); ++ TALLOC_FREE(tmp_ctx); + + if (type != SID_NAME_USER) { + return NT_STATUS_NO_SUCH_USER; +@@ -707,7 +708,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, + /* set the user sid to be the calculated u_sid */ + pdb_set_user_sid(sampass, &u_sid, PDB_SET); + +- result = make_server_info(NULL); ++ result = make_server_info(mem_ctx); + if (result == NULL) { + TALLOC_FREE(sampass); + return NT_STATUS_NO_MEMORY; +@@ -992,25 +993,36 @@ NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, + struct passwd *pwd; + NTSTATUS status; + struct auth_serversupplied_info *result; ++ TALLOC_CTX *tmp_ctx; + +- pwd = Get_Pwnam_alloc(talloc_tos(), username); +- if (pwd == NULL) { +- return NT_STATUS_NO_SUCH_USER; ++ tmp_ctx = talloc_stackframe(); ++ if (tmp_ctx == NULL) { ++ return NT_STATUS_NO_MEMORY; + } + +- status = make_server_info_pw(&result, pwd->pw_name, pwd); ++ pwd = Get_Pwnam_alloc(tmp_ctx, username); ++ if (pwd == NULL) { ++ status = NT_STATUS_NO_SUCH_USER; ++ goto done; ++ } + ++ status = make_server_info_pw(tmp_ctx, pwd->pw_name, pwd, &result); + if (!NT_STATUS_IS_OK(status)) { +- return status; ++ goto done; + } + + result->nss_token = true; + result->guest = 
is_guest; + + /* Now turn the server_info into a session_info with the full token etc */ +- status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info); +- TALLOC_FREE(result); +- TALLOC_FREE(pwd); ++ status = create_local_token(mem_ctx, ++ result, ++ NULL, ++ pwd->pw_name, ++ session_info); ++ ++done: ++ talloc_free(tmp_ctx); + + return status; + } +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 8385e66..7abca07 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -206,9 +206,10 @@ bool user_in_group_sid(const char *username, const struct dom_sid *group_sid); + bool user_sid_in_group_sid(const struct dom_sid *sid, const struct dom_sid *group_sid); + bool user_in_group(const char *username, const char *groupname); + struct passwd; +-NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info, +- char *unix_username, +- struct passwd *pwd); ++NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, ++ const char *unix_username, ++ const struct passwd *pwd, ++ struct auth_serversupplied_info **server_info); + NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx, + const char *username, + bool is_guest, +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 974a8aa..7d44285 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -242,7 +242,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + */ + DEBUG(10, ("didn't find user %s in passdb, calling " + "make_server_info_pw\n", username)); +- status = make_server_info_pw(&tmp, username, pw); ++ status = make_server_info_pw(mem_ctx, username, pw, &tmp); + } + + TALLOC_FREE(sampass); +@@ -253,9 +253,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + return status; + } + +- /* Steal tmp server info into the server_info pointer. */ +- server_info = talloc_move(mem_ctx, &tmp); +- + /* make_server_info_pw does not set the domain. 
Without this + * we end up with the local netbios name in substitutions for + * %D. */ +-- +1.8.5.2 + + +From 4fbd13598e8bdc6acf41329f71de806de4265f36 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 13 Dec 2013 19:19:02 +0100 +Subject: [PATCH 4/7] s3-auth: Add passwd_to_SamInfo3(). + +Correctly lookup users which come from smb.conf. passwd_to_SamInfo3() +tries to contact winbind if the user is a domain user to get +valid information about it. If winbind isn't running it will try to +create everything from the passwd struct. This is not always reliable +but works in most cases. It improves the current situation which doesn't +talk to winbind at all. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Wed Feb 5 01:40:38 CET 2014 on sn-devel-104 + +(cherry picked from commit 40e6456b5896e934fcd581c2cac2389984256e09) +--- + source3/auth/auth_util.c | 87 +++++++++------------------------------------- + source3/auth/server_info.c | 22 ++++++++++-- + 2 files changed, 36 insertions(+), 73 deletions(-) + +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index b225b0d..24190af 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -645,98 +645,43 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info **server_info) + { + NTSTATUS status; +- struct samu *sampass = NULL; +- char *qualified_name = NULL; +- TALLOC_CTX *tmp_ctx; +- struct dom_sid u_sid; +- enum lsa_SidType type; ++ TALLOC_CTX *tmp_ctx = NULL; + struct auth_serversupplied_info *result; + +- /* +- * The SID returned in server_info->sam_account is based +- * on our SAM sid even though for a pure UNIX account this should +- * not be the case as it doesn't really exist in the SAM db. 
+- * This causes lookups on "[in]valid users" to fail as they +- * will lookup this name as a "Unix User" SID to check against +- * the user token. Fix this by adding the "Unix User"\unix_username +- * SID to the sid array. The correct fix should probably be +- * changing the server_info->sam_account user SID to be a +- * S-1-22 Unix SID, but this might break old configs where +- * plaintext passwords were used with no SAM backend. +- */ +- + tmp_ctx = talloc_stackframe(); + if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + +- qualified_name = talloc_asprintf(tmp_ctx, "%s\\%s", +- unix_users_domain_name(), +- unix_username ); +- if (!qualified_name) { +- TALLOC_FREE(tmp_ctx); +- return NT_STATUS_NO_MEMORY; +- } +- +- if (!lookup_name(tmp_ctx, qualified_name, LOOKUP_NAME_ALL, +- NULL, NULL, +- &u_sid, &type)) { +- TALLOC_FREE(tmp_ctx); +- return NT_STATUS_NO_SUCH_USER; +- } +- +- TALLOC_FREE(tmp_ctx); +- +- if (type != SID_NAME_USER) { +- return NT_STATUS_NO_SUCH_USER; +- } +- +- if ( !(sampass = samu_new( NULL )) ) { +- return NT_STATUS_NO_MEMORY; +- } +- +- status = samu_set_unix( sampass, pwd ); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- /* In pathological cases the above call can set the account +- * name to the DOMAIN\username form. 
Reset the account name +- * using unix_username */ +- pdb_set_username(sampass, unix_username, PDB_SET); +- +- /* set the user sid to be the calculated u_sid */ +- pdb_set_user_sid(sampass, &u_sid, PDB_SET); +- +- result = make_server_info(mem_ctx); ++ result = make_server_info(tmp_ctx); + if (result == NULL) { +- TALLOC_FREE(sampass); +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + +- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(), +- &result->info3, &result->extra); +- TALLOC_FREE(sampass); ++ status = passwd_to_SamInfo3(result, ++ unix_username, ++ pwd, ++ &result->info3); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(10, ("Failed to convert samu to info3: %s\n", +- nt_errstr(status))); +- TALLOC_FREE(result); +- return status; ++ goto done; + } + + result->unix_name = talloc_strdup(result, unix_username); +- + if (result->unix_name == NULL) { +- TALLOC_FREE(result); +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + result->utok.uid = pwd->pw_uid; + result->utok.gid = pwd->pw_gid; + +- *server_info = result; ++ *server_info = talloc_steal(mem_ctx, result); ++ status = NT_STATUS_OK; ++done: ++ talloc_free(tmp_ctx); + +- return NT_STATUS_OK; ++ return status; + } + + static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, +diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c +index 46d8178..43711d5 100644 +--- a/source3/auth/server_info.c ++++ b/source3/auth/server_info.c +@@ -489,10 +489,28 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, + } + } else { + /* +- * Winbind is not running, create the group_sid from the +- * group id. ++ * Winbind is not running, try to create the group_sid from the ++ * passwd group id. ++ */ ++ ++ /* ++ * This can lead to a primary group of S-1-22-2-XX which ++ * will be rejected by other Samba code. 
+ */ + gid_to_sid(&group_sid, pwd->pw_gid); ++ ++ ZERO_STRUCT(domain_sid); ++ ++ /* ++ * If we are a unix group, set the group_sid to the ++ * 'Domain Users' RID of 513 which will always resolve to a ++ * name. ++ */ ++ if (sid_check_is_in_unix_groups(&group_sid)) { ++ sid_compose(&group_sid, ++ get_global_sam_sid(), ++ DOMAIN_RID_USERS); ++ } + } + + /* Make sure we have a valid group sid */ +-- +1.8.5.2 + + +From 76bb5e0888f4131ab773d90160051a51c401c90d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 18 Feb 2014 10:02:57 +0100 +Subject: [PATCH 5/7] s3-auth: Pass mem_ctx to make_server_info_sam(). + +Coverity-Id: 1168009 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Signed-off-by: Andreas Schneider + +Change-Id: Ie614b0654c3a7eec1ebb10dbb9763696eec795bd +Reviewed-by: Andrew Bartlett +(cherry picked from commit 3dc72266005e87a291f5bf9847257e8c54314d39) +--- + source3/auth/check_samsec.c | 2 +- + source3/auth/proto.h | 5 ++-- + source3/auth/server_info_sam.c | 56 +++++++++++++++++++++++++++--------------- + source3/auth/user_krb5.c | 12 +++++---- + 4 files changed, 47 insertions(+), 28 deletions(-) + +diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c +index 7ed8cc2..b6cac60 100644 +--- a/source3/auth/check_samsec.c ++++ b/source3/auth/check_samsec.c +@@ -482,7 +482,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, + } + + become_root(); +- nt_status = make_server_info_sam(server_info, sampass); ++ nt_status = make_server_info_sam(mem_ctx, sampass, server_info); + unbecome_root(); + + TALLOC_FREE(sampass); +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 7abca07..eac3e54 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -190,8 +190,9 @@ bool make_user_info_guest(const struct tsocket_address *remote_address, + struct auth_usersupplied_info **user_info); + + struct samu; +-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, +- struct samu *sampass); 
++NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, ++ struct samu *sampass, ++ struct auth_serversupplied_info **pserver_info); + NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, + const struct auth_serversupplied_info *server_info, + DATA_BLOB *session_key, +diff --git a/source3/auth/server_info_sam.c b/source3/auth/server_info_sam.c +index 5d657f9..47087b1 100644 +--- a/source3/auth/server_info_sam.c ++++ b/source3/auth/server_info_sam.c +@@ -58,39 +58,51 @@ static bool is_our_machine_account(const char *username) + Make (and fill) a user_info struct from a struct samu + ***************************************************************************/ + +-NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, +- struct samu *sampass) ++NTSTATUS make_server_info_sam(TALLOC_CTX *mem_ctx, ++ struct samu *sampass, ++ struct auth_serversupplied_info **pserver_info) + { + struct passwd *pwd; +- struct auth_serversupplied_info *result; ++ struct auth_serversupplied_info *server_info; + const char *username = pdb_get_username(sampass); ++ TALLOC_CTX *tmp_ctx; + NTSTATUS status; + +- if ( !(result = make_server_info(NULL)) ) { ++ tmp_ctx = talloc_stackframe(); ++ if (tmp_ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + +- if ( !(pwd = Get_Pwnam_alloc(result, username)) ) { ++ server_info = make_server_info(tmp_ctx); ++ if (server_info == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ pwd = Get_Pwnam_alloc(tmp_ctx, username); ++ if (pwd == NULL) { + DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n", + pdb_get_username(sampass))); +- TALLOC_FREE(result); +- return NT_STATUS_NO_SUCH_USER; ++ status = NT_STATUS_NO_SUCH_USER; ++ goto out; + } + +- status = samu_to_SamInfo3(result, sampass, lp_netbios_name(), +- &result->info3, &result->extra); ++ status = samu_to_SamInfo3(server_info, ++ sampass, ++ lp_netbios_name(), ++ &server_info->info3, ++ &server_info->extra); + if (!NT_STATUS_IS_OK(status)) { +- TALLOC_FREE(result); +- return status; ++ goto 
out; + } + +- result->unix_name = pwd->pw_name; +- /* Ensure that we keep pwd->pw_name, because we will free pwd below */ +- talloc_steal(result, pwd->pw_name); +- result->utok.gid = pwd->pw_gid; +- result->utok.uid = pwd->pw_uid; ++ server_info->unix_name = talloc_strdup(server_info, pwd->pw_name); ++ if (server_info->unix_name == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto out; ++ } + +- TALLOC_FREE(pwd); ++ server_info->utok.gid = pwd->pw_gid; ++ server_info->utok.uid = pwd->pw_uid; + + if (IS_DC && is_our_machine_account(username)) { + /* +@@ -110,9 +122,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info, + } + + DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n", +- pdb_get_username(sampass), result->unix_name)); ++ pdb_get_username(sampass), server_info->unix_name)); ++ ++ *pserver_info = talloc_steal(mem_ctx, server_info); + +- *server_info = result; ++ status = NT_STATUS_OK; ++out: ++ talloc_free(tmp_ctx); + +- return NT_STATUS_OK; ++ return status; + } +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index 7d44285..e40c8ac 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -223,9 +223,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + * SID consistency with ntlmssp session setup + */ + struct samu *sampass; +- /* The stupid make_server_info_XX functions here +- don't take a talloc context. 
*/ +- struct auth_serversupplied_info *tmp = NULL; + + sampass = samu_new(talloc_tos()); + if (sampass == NULL) { +@@ -235,14 +232,19 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, + if (pdb_getsampwnam(sampass, username)) { + DEBUG(10, ("found user %s in passdb, calling " + "make_server_info_sam\n", username)); +- status = make_server_info_sam(&tmp, sampass); ++ status = make_server_info_sam(mem_ctx, ++ sampass, ++ &server_info); + } else { + /* + * User not in passdb, make it up artificially + */ + DEBUG(10, ("didn't find user %s in passdb, calling " + "make_server_info_pw\n", username)); +- status = make_server_info_pw(mem_ctx, username, pw, &tmp); ++ status = make_server_info_pw(mem_ctx, ++ username, ++ pw, ++ &server_info); + } + + TALLOC_FREE(sampass); +-- +1.8.5.2 + + +From f9c0adb6237c6e60c33ee6af21f55c0cdefa132c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 18 Feb 2014 10:19:57 +0100 +Subject: [PATCH 6/7] s3-auth: Pass mem_ctx to auth_check_ntlm_password(). 
+ +Coverity-Id: 1168009 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8598 + +Signed-off-by: Andreas Schneider + +Change-Id: Ie01674561a6a75239a13918d3190c2f21c3efc7a +Reviewed-by: Andrew Bartlett +(cherry picked from commit 4d792db03f18aa164b565c7fdc7b446c174fba28) +--- + source3/auth/auth.c | 50 ++++++++++++++++++----------- + source3/auth/auth_ntlmssp.c | 6 ++-- + source3/auth/proto.h | 8 +++-- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 ++-- + source3/torture/pdbtest.c | 5 ++- + 5 files changed, 48 insertions(+), 27 deletions(-) + +diff --git a/source3/auth/auth.c b/source3/auth/auth.c +index c3797cf..dc9af02 100644 +--- a/source3/auth/auth.c ++++ b/source3/auth/auth.c +@@ -160,18 +160,19 @@ static bool check_domain_match(const char *user, const char *domain) + * + **/ + +-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, +- const struct auth_usersupplied_info *user_info, +- struct auth_serversupplied_info **server_info) ++NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, ++ const struct auth_context *auth_context, ++ const struct auth_usersupplied_info *user_info, ++ struct auth_serversupplied_info **pserver_info) + { + /* if all the modules say 'not for me' this is reasonable */ + NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER; + const char *unix_username; + auth_methods *auth_method; +- TALLOC_CTX *mem_ctx; + +- if (!user_info || !auth_context || !server_info) ++ if (user_info == NULL || auth_context == NULL || pserver_info == NULL) { + return NT_STATUS_LOGON_FAILURE; ++ } + + DEBUG(3, ("check_ntlm_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name)); +@@ -205,17 +206,27 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + return NT_STATUS_LOGON_FAILURE; + + for (auth_method = auth_context->auth_method_list;auth_method; auth_method = auth_method->next) { ++ 
struct auth_serversupplied_info *server_info; ++ TALLOC_CTX *tmp_ctx; + NTSTATUS result; + +- mem_ctx = talloc_init("%s authentication for user %s\\%s", auth_method->name, +- user_info->mapped.domain_name, user_info->client.account_name); ++ tmp_ctx = talloc_named(mem_ctx, ++ 0, ++ "%s authentication for user %s\\%s", ++ auth_method->name, ++ user_info->mapped.domain_name, ++ user_info->client.account_name); + +- result = auth_method->auth(auth_context, auth_method->private_data, mem_ctx, user_info, server_info); ++ result = auth_method->auth(auth_context, ++ auth_method->private_data, ++ tmp_ctx, ++ user_info, ++ &server_info); + + /* check if the module did anything */ + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ) { + DEBUG(10,("check_ntlm_password: %s had nothing to say\n", auth_method->name)); +- talloc_destroy(mem_ctx); ++ TALLOC_FREE(tmp_ctx); + continue; + } + +@@ -229,19 +240,20 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + auth_method->name, user_info->client.account_name, nt_errstr(nt_status))); + } + +- talloc_destroy(mem_ctx); +- +- if ( NT_STATUS_IS_OK(nt_status)) +- { +- break; ++ if (NT_STATUS_IS_OK(nt_status)) { ++ *pserver_info = talloc_steal(mem_ctx, server_info); ++ TALLOC_FREE(tmp_ctx); ++ break; + } ++ ++ TALLOC_FREE(tmp_ctx); + } + + /* successful authentication */ + + if (NT_STATUS_IS_OK(nt_status)) { +- unix_username = (*server_info)->unix_name; +- if (!(*server_info)->guest) { ++ unix_username = (*pserver_info)->unix_name; ++ if (!(*pserver_info)->guest) { + const char *rhost; + + if (tsocket_address_is_inet(user_info->remote_host, "ip")) { +@@ -270,9 +282,9 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + } + + if (NT_STATUS_IS_OK(nt_status)) { +- DEBUG((*server_info)->guest ? 5 : 2, ++ DEBUG((*pserver_info)->guest ? 5 : 2, + ("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n", +- (*server_info)->guest ? 
"guest " : "", ++ (*pserver_info)->guest ? "guest " : "", + user_info->client.account_name, + user_info->mapped.account_name, + unix_username)); +@@ -286,7 +298,7 @@ NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, + DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n", + user_info->client.account_name, user_info->mapped.account_name, + nt_errstr(nt_status))); +- ZERO_STRUCTP(server_info); ++ ZERO_STRUCTP(pserver_info); + + return nt_status; + } +diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c +index f99bd44..cb7726c 100644 +--- a/source3/auth/auth_ntlmssp.c ++++ b/source3/auth/auth_ntlmssp.c +@@ -134,8 +134,10 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, + + mapped_user_info->flags = user_info->flags; + +- nt_status = auth_check_ntlm_password(auth_context, +- mapped_user_info, &server_info); ++ nt_status = auth_check_ntlm_password(mem_ctx, ++ auth_context, ++ mapped_user_info, ++ &server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: %s\n", +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index eac3e54..15b1ba0 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -65,6 +65,8 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, + * struct. When the return is other than NT_STATUS_OK the contents + * of that structure is undefined. + * ++ * @param mem_ctx The memory context to use to allocate server_info ++ * + * @param user_info Contains the user supplied components, including the passwords. + * Must be created with make_user_info() or one of its wrappers. + * +@@ -79,9 +81,9 @@ NTSTATUS auth_get_ntlm_challenge(struct auth_context *auth_context, + * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. 
+ * + **/ +- +-NTSTATUS auth_check_ntlm_password(const struct auth_context *auth_context, +- const struct auth_usersupplied_info *user_info, ++NTSTATUS auth_check_ntlm_password(TALLOC_CTX *mem_ctx, ++ const struct auth_context *auth_context, ++ const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); + + /* The following definitions come from auth/auth_builtin.c */ +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index e5ca474..0c8c9a5 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1650,8 +1650,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + } /* end switch */ + + if ( NT_STATUS_IS_OK(status) ) { +- status = auth_check_ntlm_password(auth_context, +- user_info, &server_info); ++ status = auth_check_ntlm_password(p->mem_ctx, ++ auth_context, ++ user_info, ++ &server_info); + } + + TALLOC_FREE(auth_context); +diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c +index 17da455..14d58b9 100644 +--- a/source3/torture/pdbtest.c ++++ b/source3/torture/pdbtest.c +@@ -304,7 +304,10 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry) + return False; + } + +- status = auth_check_ntlm_password(auth_context, user_info, &server_info); ++ status = auth_check_ntlm_password(mem_ctx, ++ auth_context, ++ user_info, ++ &server_info); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to test authentication with auth module: %s\n", nt_errstr(status))); +-- +1.8.5.2 + + +From a48bcd84c59b5b2cb8c3e0f5d68b35065bed81d7 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 18 Feb 2014 13:52:49 +0100 +Subject: [PATCH 7/7] s3-auth: Pass mem_ctx to do_map_to_guest_server_info(). 
+ +Change-Id: If53117023e3ab37c810193edd00a81d247fdde7a +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Wed Feb 19 01:28:14 CET 2014 on sn-devel-104 + +(cherry picked from commit 79e2725f339e7c5336b4053348c4266268de6ca3) +--- + source3/auth/auth_ntlmssp.c | 7 ++++--- + source3/auth/auth_util.c | 12 +++++++----- + source3/auth/proto.h | 8 +++++--- + 3 files changed, 16 insertions(+), 11 deletions(-) + +diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c +index cb7726c..d4fe901 100644 +--- a/source3/auth/auth_ntlmssp.c ++++ b/source3/auth/auth_ntlmssp.c +@@ -151,10 +151,11 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context, + free_user_info(&mapped_user_info); + + if (!NT_STATUS_IS_OK(nt_status)) { +- nt_status = do_map_to_guest_server_info(nt_status, +- &server_info, ++ nt_status = do_map_to_guest_server_info(mem_ctx, ++ nt_status, + user_info->client.account_name, +- user_info->client.domain_name); ++ user_info->client.domain_name, ++ &server_info); + *server_returned_info = talloc_steal(mem_ctx, server_info); + return nt_status; + } +diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c +index 24190af..8cf5cb7 100644 +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1536,9 +1536,11 @@ bool is_trusted_domain(const char* dom_name) + on a logon error possibly map the error to success if "map to guest" + is set approriately + */ +-NTSTATUS do_map_to_guest_server_info(NTSTATUS status, +- struct auth_serversupplied_info **server_info, +- const char *user, const char *domain) ++NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, ++ NTSTATUS status, ++ const char *user, ++ const char *domain, ++ struct auth_serversupplied_info **server_info) + { + user = user ? user : ""; + domain = domain ? 
domain : ""; +@@ -1548,13 +1550,13 @@ NTSTATUS do_map_to_guest_server_info(NTSTATUS status, + (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { + DEBUG(3,("No such user %s [%s] - using guest account\n", + user, domain)); +- return make_server_info_guest(NULL, server_info); ++ return make_server_info_guest(mem_ctx, server_info); + } + } else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { + if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { + DEBUG(3,("Registered username %s for guest access\n", + user)); +- return make_server_info_guest(NULL, server_info); ++ return make_server_info_guest(mem_ctx, server_info); + } + } + +diff --git a/source3/auth/proto.h b/source3/auth/proto.h +index 15b1ba0..7b8959f 100644 +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -264,9 +264,11 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, + enum auth_password_state password_state); + void free_user_info(struct auth_usersupplied_info **user_info); + +-NTSTATUS do_map_to_guest_server_info(NTSTATUS status, +- struct auth_serversupplied_info **server_info, +- const char *user, const char *domain); ++NTSTATUS do_map_to_guest_server_info(TALLOC_CTX *mem_ctx, ++ NTSTATUS status, ++ const char *user, ++ const char *domain, ++ struct auth_serversupplied_info **server_info); + + /* The following definitions come from auth/auth_winbind.c */ + +-- +1.8.5.2 + diff --git a/SOURCES/samba-4.1.5-fix_resource_leaks.patch b/SOURCES/samba-4.1.5-fix_resource_leaks.patch new file mode 100644 index 0000000..b2c6e05 --- /dev/null +++ b/SOURCES/samba-4.1.5-fix_resource_leaks.patch 
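Review bot: in the hunk that switches to passwd_to_SamInfo3(result, unix_username, pwd, &result->info3), the failure branch now only does "goto done", and the removed DEBUG(10, ("Failed to convert samu to info3: %s\n", ...)) has no replacement. A failed conversion on this authentication path is therefore no longer logged at any level. Keep a debug line, reworded for the passwd case, ahead of the goto.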
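Review bot: in the winbind-not-running branch of passwd_to_SamInfo3() (source3/auth/server_info.c), the new sid_check_is_in_unix_groups() block swaps the primary group derived from pwd->pw_gid for DOMAIN_RID_USERS under get_global_sam_sid() without logging it, which changes the primary group the resulting token carries. Add a DEBUG line recording the original gid and the substituted SID so the mapping can be traced when an access decision is questioned, and say in the comment why domain_sid is zeroed just before.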
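Review bot: in make_server_info_sam() (source3/auth/server_info_sam.c, PATCH 5/7), the new check after make_server_info(tmp_ctx) does a plain "return NT_STATUS_NO_MEMORY;" and so leaves the talloc_stackframe() taken a few lines above unreleased, while every later failure goes through "out:" and talloc_free(tmp_ctx). Set status = NT_STATUS_NO_MEMORY and "goto out" there too, so the stackframe is released on every path.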
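Review bot: in the auth_method loop of auth_check_ntlm_password() (source3/auth/auth.c, PATCH 6/7), the result of talloc_named(mem_ctx, 0, ...) is handed to auth_method->auth() as tmp_ctx with no NULL check, unlike the talloc_stackframe() calls in the rest of this series. Return NT_STATUS_NO_MEMORY when tmp_ctx is NULL, and initialise the loop-local server_info to NULL, since it is declared without an initialiser and later passed to talloc_steal().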
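Review bot: in auth3_check_password() (source3/auth/auth_ntlmssp.c, PATCH 7/7), the unchanged "*server_returned_info = talloc_steal(mem_ctx, server_info);" still follows the call, although do_map_to_guest_server_info() now passes mem_ctx through to make_server_info_guest(mem_ctx, server_info), so the steal looks redundant. Either assign server_info directly or drop the local and pass server_returned_info to the call, so the ownership is stated once.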
@@ -0,0 +1,158 @@ +From d790112e74b684a516152e301d5a46c178bf437c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Jan 2014 14:50:18 +0100 +Subject: [PATCH 1/4] lib: Fix strict-aliasing warning in md5 code. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the compiler detects strict aliasing problems it isn't able to +optimize the code. + +Signed-off-by: Andreas Schneider +Reviewed-by: Günther Deschner +(cherry picked from commit 615efa4ae84373ae8aefb36fcf7583338665429a) +--- + lib/crypto/md5.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/lib/crypto/md5.c b/lib/crypto/md5.c +index b834c91..352f80f 100644 +--- a/lib/crypto/md5.c ++++ b/lib/crypto/md5.c +@@ -137,9 +137,12 @@ _PUBLIC_ void MD5Final(uint8_t digest[16], MD5_CTX *ctx) + } + byteReverse(ctx->in, 14); + +- /* Append length in bits and transform */ +- ((uint32_t *) ctx->in)[14] = ctx->bits[0]; +- ((uint32_t *) ctx->in)[15] = ctx->bits[1]; ++ /* Append length in bits and transform. ++ * Use memcpy to avoid strict-aliasing problems. ++ * This way it can be optimized. ++ */ ++ memcpy(&ctx->in[14 * sizeof(uint32_t)], &ctx->bits[0], sizeof(uint32_t)); ++ memcpy(&ctx->in[15 * sizeof(uint32_t)], &ctx->bits[1], sizeof(uint32_t)); + + MD5Transform(ctx->buf, (uint32_t *) ctx->in); + byteReverse((uint8_t *) ctx->buf, 4); +-- +1.8.5.2 + + +From 38bae403ce6a8efaee5704328b47ec5b8300b5ed Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Jan 2014 15:06:14 +0100 +Subject: [PATCH 2/4] s3-libads: Fix memory leaks in ads_build_path(). 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Andreas Schneider +Reviewed-by: Günther Deschner +(cherry picked from commit c8371b4ec12f2dea6ce18724de59a23e04826c1d) +--- + source3/libads/ads_struct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c +index fd7e417..30d433e 100644 +--- a/source3/libads/ads_struct.c ++++ b/source3/libads/ads_struct.c +@@ -55,12 +55,14 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int + if (strlcpy(ret,field, len) >= len) { + /* Truncate ! */ + free(r); ++ free(ret); + return NULL; + } + p=strtok_r(r, sep, &saveptr); + if (p) { + if (strlcat(ret, p, len) >= len) { + free(r); ++ free(ret); + return NULL; + } + +-- +1.8.5.2 + + +From 37eb6566dd18958cbe2f216aa9880e9455939426 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Jan 2014 15:12:24 +0100 +Subject: [PATCH 3/4] wbinfo: Fix a memory leak in wbinfo_ping_dc(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Andreas Schneider +Reviewed-by: Günther Deschner +(cherry picked from commit 541164d47a86bab90ef96a9be40b8c0997abdd61) +--- + nsswitch/wbinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c +index 3f0310a..0a5ec40 100644 +--- a/nsswitch/wbinfo.c ++++ b/nsswitch/wbinfo.c +@@ -838,6 +838,7 @@ static bool wbinfo_ping_dc(void) + dcname ? dcname : "", + WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed"); + ++ wbcFreeMemory(dcname); + if (wbc_status == WBC_ERR_AUTH_ERROR) { + d_fprintf(stderr, "error code was %s (0x%x)\n", + error->nt_string, error->nt_status); +-- +1.8.5.2 + + +From f203bfbd91a695f582a6c7ea2fae2c8f3c6825c9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Jan 2014 15:20:21 +0100 +Subject: [PATCH 4/4] s3-passdb: Fix string duplication to pointers. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Andreas Schneider +Reviewed-by: Günther Deschner + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Thu Jan 9 22:35:25 CET 2014 on sn-devel-104 + +(cherry picked from commit bff3ac250e9d4e7d91820eb53c28257aa38fff88) +--- + source3/passdb/py_passdb.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c +index 3fd14cd..e1df75b 100644 +--- a/source3/passdb/py_passdb.c ++++ b/source3/passdb/py_passdb.c +@@ -2269,8 +2269,18 @@ static PyObject *py_pdb_set_aliasinfo(pytalloc_Object *self, PyObject *args) + + alias_sid = pytalloc_get_ptr(py_alias_sid); + +- fstrcpy(alias_info.acct_name, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_name"))); +- fstrcpy(alias_info.acct_desc, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_desc"))); ++ alias_info.acct_name = talloc_strdup(frame, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_name"))); ++ if (alias_info.acct_name == NULL) { ++ PyErr_Format(py_pdb_error, "Unable to allocate memory"); ++ talloc_free(frame); ++ return NULL; ++ } ++ alias_info.acct_desc = talloc_strdup(frame, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_desc"))); ++ if (alias_info.acct_desc == NULL) { ++ PyErr_Format(py_pdb_error, "Unable to allocate memory"); ++ talloc_free(frame); ++ return NULL; ++ } + + status = methods->set_aliasinfo(methods, alias_sid, &alias_info); + if (!NT_STATUS_IS_OK(status)) { +-- +1.8.5.2 + diff --git a/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch b/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch new file mode 100644 index 0000000..467d37a --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch 
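Review bot: in MD5Final() (lib/crypto/md5.c, PATCH 1/4), only the two stores are converted to memcpy; the unchanged call directly below, MD5Transform(ctx->buf, (uint32_t *) ctx->in), still reads the same byte buffer through a uint32_t pointer, so the cast the commit message is about remains on the read side. Say in the new comment that only the writes are covered here, or handle the MD5Transform() argument in the same change.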
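Review bot: in py_pdb_set_aliasinfo() (source3/passdb/py_passdb.c, PATCH 4/4), a NULL result is reported as "Unable to allocate memory", but the string being duplicated comes from PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_name")) and neither return value is checked before it is passed on, so a missing key or a non-string value is never handled as such. Validate the two dictionary entries first and raise a matching Python error for them, keeping the memory error for a talloc_strdup() failure only; the two identical error blocks could then share one exit.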
@@ -0,0 +1,162 @@ +From 44cf46b0bbb0abf5aebfbf2f2da713da65573175 Mon Sep 17 00:00:00 2001 +From: Gregor Beck +Date: Thu, 9 Jan 2014 10:15:31 +0100 +Subject: [PATCH 1/2] s3:rpc_server: minor refactoring of process_request_pdu() + +Signed-off-by: Gregor Beck +Reviewed-by: Stefan Metzmacher +Reviewed-by: Guenther Deschner +(cherry picked from commit b5f30205931a4b9d0b3b257d5855869e606f8b63) +--- + source3/rpc_server/srv_pipe.c | 25 ++++++++++--------------- + 1 file changed, 10 insertions(+), 15 deletions(-) + +diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c +index 894f12c..a5b74ed 100644 +--- a/source3/rpc_server/srv_pipe.c ++++ b/source3/rpc_server/srv_pipe.c +@@ -1561,24 +1561,19 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt + } + } + +- if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) { +- bool ret = False; +- /* +- * Ok - we finally have a complete RPC stream. +- * Call the rpc command to process it. +- */ +- +- /* +- * Process the complete data stream here. +- */ +- if (pipe_init_outgoing_data(p)) { +- ret = api_pipe_request(p, pkt); +- } ++ if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) { ++ return true; ++ } + +- return ret; ++ /* ++ * Ok - we finally have a complete RPC stream. ++ * Call the rpc command to process it. ++ */ ++ if (!pipe_init_outgoing_data(p)) { ++ return false; + } + +- return True; ++ return api_pipe_request(p, pkt); + } + + /**************************************************************************** +-- +1.9.0 + + +From 436aa053561b9b6ff4b991bf6a2f5196ed39dd38 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 20 Mar 2014 14:45:01 +0100 +Subject: [PATCH 2/2] s3-rpc_server: Fix handling of fragmented rpc requests. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We need to call pipe_init_outgoing_data() as the first thing in +process_complete_pdu(). 
Otherwise the caller may use uninitialized +memory and tries to write a response into the socket. + +The problem happens only if a real socket is used, which means +in all cases for master and only with external rpc daemons in v4-0 +and v4-1. + +The problem looks like this in the logs. + + [2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu) + Processing packet type 0 + [2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request) + Checking request auth. + [2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process) + Sending 1 fragments in a total of 0 bytes + [2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process) + Sending PDU number: 0, PDU Length: 4294967228 + [2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done) + Writev failed! + [2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done) + Fatal error(Message too long). Terminating client(127.0.0.1) connection! 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481 + +Pair-Programmed-With: Stefan Metzmacher +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104 + +(cherry picked from commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7) +--- + source3/rpc_server/srv_pipe.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c +index a5b74ed..7daff04 100644 +--- a/source3/rpc_server/srv_pipe.c ++++ b/source3/rpc_server/srv_pipe.c +@@ -1569,9 +1569,6 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt + * Ok - we finally have a complete RPC stream. + * Call the rpc command to process it. + */ +- if (!pipe_init_outgoing_data(p)) { +- return false; +- } + + return api_pipe_request(p, pkt); + } +@@ -1621,6 +1618,10 @@ void process_complete_pdu(struct pipes_struct *p) + + DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype)); + ++ if (!pipe_init_outgoing_data(p)) { ++ goto done; ++ } ++ + switch (pkt->ptype) { + case DCERPC_PKT_REQUEST: + reply = process_request_pdu(p, pkt); +@@ -1653,9 +1654,7 @@ void process_complete_pdu(struct pipes_struct *p) + /* + * We assume that a pipe bind is only in one pdu. + */ +- if (pipe_init_outgoing_data(p)) { +- reply = api_pipe_bind_req(p, pkt); +- } ++ reply = api_pipe_bind_req(p, pkt); + break; + + case DCERPC_PKT_BIND_ACK: +@@ -1670,9 +1669,7 @@ void process_complete_pdu(struct pipes_struct *p) + /* + * We assume that a pipe bind is only in one pdu. + */ +- if (pipe_init_outgoing_data(p)) { +- reply = api_pipe_alter_context(p, pkt); +- } ++ reply = api_pipe_alter_context(p, pkt); + break; + + case DCERPC_PKT_ALTER_RESP: +@@ -1684,9 +1681,7 @@ void process_complete_pdu(struct pipes_struct *p) + /* + * The third packet in an auth exchange. 
+ */ +- if (pipe_init_outgoing_data(p)) { +- reply = api_pipe_bind_auth3(p, pkt); +- } ++ reply = api_pipe_bind_auth3(p, pkt); + break; + + case DCERPC_PKT_SHUTDOWN: +-- +1.9.0 + diff --git a/SOURCES/samba-4.1.6-fix_ipv6_join.patch b/SOURCES/samba-4.1.6-fix_ipv6_join.patch new file mode 100755 index 0000000..daa283e --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_ipv6_join.patch 
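Review bot: in process_complete_pdu() (source3/rpc_server/srv_pipe.c, PATCH 2/2), the new "if (!pipe_init_outgoing_data(p)) { goto done; }" fails silently, and the hunk does not show what reply holds when control reaches done. Set reply to false explicitly and add a DEBUG line before the goto, so an initialisation failure is visible in the same log that the commit message quotes. The diffstat touches only srv_pipe.c; a test that sends a request split over several fragments to an external rpc daemon would keep the "PDU Length: 4294967228" case from coming back.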
@@ -0,0 +1,266 @@ +From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 13 Jan 2014 15:59:26 +0100 +Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Just calling print_canonical_sockaddr() is sufficient, as it already deals with +ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is +removed as well. It was pointless because it always derived the port number from +the provided address which was either a SMB (usually port 445) or LDAP +connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC. +Finally, the kerberos libraries that we support and build with, can deal with +ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of +resolving the DC name on the kerberos library anymore. + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos.c | 73 ++++------------------------------------------- + 1 file changed, 5 insertions(+), 68 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index b026e09..ea14350 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal, + /************************************************************************ + ************************************************************************/ + +-static char *print_kdc_line(char *mem_ctx, +- const char *prev_line, +- const struct sockaddr_storage *pss, +- const char *kdc_name) +-{ +- char addr[INET6_ADDRSTRLEN]; +- uint16_t port = get_sockaddr_port(pss); +- +- if (pss->ss_family == AF_INET) { +- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", +- prev_line, +- print_canonical_sockaddr(mem_ctx, pss)); +- } +- +- /* +- * IPv6 starts here +- */ +- +- DEBUG(10, ("print_kdc_line: IPv6 case 
for kdc_name: %s, port: %d\n", +- kdc_name, port)); +- +- if (port != 0 && port != DEFAULT_KRB5_PORT) { +- /* Currently for IPv6 we can't specify a non-default +- krb5 port with an address, as this requires a ':'. +- Resolve to a name. */ +- char hostname[MAX_DNS_NAME_LENGTH]; +- int ret = sys_getnameinfo((const struct sockaddr *)pss, +- sizeof(*pss), +- hostname, sizeof(hostname), +- NULL, 0, +- NI_NAMEREQD); +- if (ret) { +- DEBUG(0,("print_kdc_line: can't resolve name " +- "for kdc with non-default port %s. " +- "Error %s\n.", +- print_canonical_sockaddr(mem_ctx, pss), +- gai_strerror(ret))); +- return NULL; +- } +- /* Success, use host:port */ +- return talloc_asprintf(mem_ctx, +- "%s\tkdc = %s:%u\n", +- prev_line, +- hostname, +- (unsigned int)port); +- } +- +- /* no krb5 lib currently supports "kdc = ipv6 address" +- * at all, so just fill in just the kdc_name if we have +- * it and let the krb5 lib figure out the appropriate +- * ipv6 address - gd */ +- +- if (kdc_name) { +- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", +- prev_line, kdc_name); +- } +- +- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", +- prev_line, +- print_sockaddr(addr, +- sizeof(addr), +- pss)); +-} +- + /************************************************************************ + Create a string list of available kdc's, possibly searching by sitename. + Does DNS queries. +@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx, + char *result = NULL; + struct netlogon_samlogon_response **responses = NULL; + NTSTATUS status; +- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name); ++ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "", ++ print_canonical_sockaddr(mem_ctx, pss)); + + if (kdc_str == NULL) { + TALLOC_FREE(frame); +@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx, + } + + /* Append to the string - inefficient but not done often. 
*/ +- new_kdc_str = print_kdc_line(mem_ctx, kdc_str, +- &dc_addrs[i], +- kdc_name); ++ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", ++ kdc_str, ++ print_canonical_sockaddr(mem_ctx, &dc_addrs[i])); + if (new_kdc_str == NULL) { + goto fail; + } +-- +1.8.5.3 + + +From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 7 Mar 2014 14:47:31 +0100 +Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from + create_local_private_krb5_conf_for_domain(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos.c | 10 ++++------ + source3/libads/kerberos_proto.h | 3 +-- + source3/libnet/libnet_join.c | 3 +-- + source3/libsmb/namequery_dc.c | 6 ++---- + source3/winbindd/winbindd_cm.c | 6 ++---- + 5 files changed, 10 insertions(+), 18 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index ea14350..649e568 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs, + static char *get_kdc_ip_string(char *mem_ctx, + const char *realm, + const char *sitename, +- const struct sockaddr_storage *pss, +- const char *kdc_name) ++ const struct sockaddr_storage *pss) + { + TALLOC_CTX *frame = talloc_stackframe(); + int i; +@@ -756,8 +755,7 @@ fail: + bool create_local_private_krb5_conf_for_domain(const char *realm, + const char *domain, + const char *sitename, +- const struct sockaddr_storage *pss, +- const char *kdc_name) ++ const struct sockaddr_storage *pss) + { + char *dname; + char *tmpname = NULL; +@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + return false; + } + +- if (domain == NULL || pss == NULL || kdc_name == NULL) { ++ if (domain == NULL || pss == NULL) { + 
return false; + } + +@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + goto done; + } + +- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name); ++ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss); + if (!kdc_ip_string) { + goto done; + } +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index f7470d2..2559634 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal, + bool create_local_private_krb5_conf_for_domain(const char *realm, + const char *domain, + const char *sitename, +- const struct sockaddr_storage *pss, +- const char *kdc_name); ++ const struct sockaddr_storage *pss); + + /* The following definitions come from libads/authdata.c */ + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a87eb38..68884cd 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + + create_local_private_krb5_conf_for_domain( + r->out.dns_domain_name, r->out.netbios_domain_name, +- NULL, smbXcli_conn_remote_sockaddr(cli->conn), +- smbXcli_conn_remote_name(cli->conn)); ++ NULL, smbXcli_conn_remote_sockaddr(cli->conn)); + + if (r->out.domain_is_ad && r->in.account_ou && + !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { +diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c +index 3cfae79..eb34741 100644 +--- a/source3/libsmb/namequery_dc.c ++++ b/source3/libsmb/namequery_dc.c +@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain, + create_local_private_krb5_conf_for_domain(realm, + domain, + sitename, +- &ads->ldap.ss, +- ads->config.ldap_server_name); ++ &ads->ldap.ss); + } else { + create_local_private_krb5_conf_for_domain(realm, + domain, + NULL, +- &ads->ldap.ss, +- ads->config.ldap_server_name); ++ 
&ads->ldap.ss); + } + } + #endif +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 669a43e..be13a57 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx, + create_local_private_krb5_conf_for_domain(domain->alt_name, + domain->name, + sitename, +- pss, +- *name); ++ pss); + + SAFE_FREE(sitename); + } else { +@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx, + create_local_private_krb5_conf_for_domain(domain->alt_name, + domain->name, + NULL, +- pss, +- *name); ++ pss); + } + winbindd_set_locator_kdc_envs(domain); + +-- +1.8.5.3 + diff --git a/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch b/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch new file mode 100644 index 0000000..2ed6596 --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch 
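Review bot: in source3/libads/kerberos.c (PATCH 1/2), both new talloc_asprintf() calls in get_kdc_ip_string() pass the result of print_canonical_sockaddr(mem_ctx, ...) straight into a %s argument without checking it for NULL. If that allocation fails, the following `kdc_str == NULL` and `new_kdc_str == NULL` checks will not necessarily catch it, and a bogus kdc entry can reach the generated krb5.conf. Store the address string in a local, bail out (return or `goto fail`) when it is NULL, and only then format the line. In the first call the literal "" passed for the leading %s can be dropped by using "\tkdc = %s\n" as the format.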
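Review bot: in create_local_private_krb5_conf_for_domain() (PATCH 2/2, source3/libads/kerberos.c), dropping `kdc_name == NULL` from the early-return test is a behaviour change that the empty commit body does not mention. Callers that previously got `false` for a NULL name now go on to generate the krb5.conf. State that in the commit message, and say that the parameter became unused because PATCH 1/2 removed print_kdc_line(), so the reason is recorded with the change.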
@@ -0,0 +1,42 @@ +From 1545864a58c11e4b37f3950cdae457d3d2f5fd4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 4 Feb 2014 16:38:46 +0100 +Subject: [PATCH] librpc/nbt: increase MAX_COMPONENTS limit for nbt_names. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +domains with more then 10 subdomains are not so uncommon. + +https://bugzilla.samba.org/show_bug.cgi?id=10439 + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Thu Feb 13 16:30:50 CET 2014 on sn-devel-104 + +(cherry picked from commit 4e05bad0d18e351cb2a2db74860e77adea727c79) +Signed-off-by: Andreas Schneider +--- + librpc/ndr/ndr_nbt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c +index f2a1ca3..842e972 100644 +--- a/librpc/ndr/ndr_nbt.c ++++ b/librpc/ndr/ndr_nbt.c +@@ -27,7 +27,7 @@ + #include "../libcli/netlogon/netlogon.h" + + /* don't allow an unlimited number of name components */ +-#define MAX_COMPONENTS 10 ++#define MAX_COMPONENTS 128 + + /** + print a nbt string +-- +1.8.5.2 + diff --git a/SOURCES/samba-4.1.6-fix_one_way_trusts.patch b/SOURCES/samba-4.1.6-fix_one_way_trusts.patch new file mode 100644 index 0000000..7819bc8 --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_one_way_trusts.patch 
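Review bot: in librpc/ndr/ndr_nbt.c, the MAX_COMPONENTS change from 10 to 128 loosens a limit that, per the comment directly above it ("don't allow an unlimited number of name components"), exists to bound parsing, and neither the hunk nor the commit message explains why 128 is the right value. Add a short comment next to the define giving the rationale for the new bound. The commit message speaks of "subdomains" while the constant counts name components, so the wording should match what is actually limited. A test that pulls a name with more than 10 components would keep bug 10439 from regressing.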
@@ -0,0 +1,132 @@ +From 2b8174819ac31e662f1cd7092b3d122ad6ebb609 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 26 Sep 2013 01:20:10 +0200 +Subject: [PATCH 1/3] pidl:NDR/Client: fix dcerpc_function() with [out,ref] + pointers + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit f50b561336c7b6c08300e6e477859d1f9fab62c2) +--- + pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm +index c796b46..fed94cd 100644 +--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm ++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm +@@ -693,6 +693,20 @@ sub ParseFunction_Sync($$$$) + } + $self->pidl(""); + ++ $self->pidl("/* Out parameters */"); ++ foreach my $e (@{$fn->{ELEMENTS}}) { ++ next unless grep(/out/, @{$e->{DIRECTION}}); ++ ++ $self->ParseCopyArgument($fn, $e, "r.out.", "_"); ++ } ++ $self->pidl(""); ++ ++ if (defined($fn->{RETURN_TYPE})) { ++ $self->pidl("/* Result */"); ++ $self->pidl("ZERO_STRUCT(r.out.result);"); ++ $self->pidl(""); ++ } ++ + $self->pidl("status = dcerpc_$name\_r(h, mem_ctx, &r);"); + $self->pidl("if (!NT_STATUS_IS_OK(status)) {"); + $self->indent; +-- +1.7.9.5 + + +From a211a1dd984b6b55a7222987e5acda1c9b2a5e8b Mon Sep 17 00:00:00 2001 +From: Gregor Beck +Date: Thu, 20 Feb 2014 13:14:31 +0100 +Subject: [PATCH 2/3] s3:winbindd: fix _wbint_LookupSids() on error + +We need to make sure that r->out.domains remains valid, +otherwise we're not able to marshall the response. + +Note that wbint_LookupSids() has [out,ref] lsa_RefDomainList *domains, +while lsa_LookupSids() has [out,ref] lsa_RefDomainList **domains. 
+ +Pair-Programmed-With: Stefan Metzmacher + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10458 +Signed-off-by: Gregor Beck +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3413e64149702136429d7b5acaa7a52c49abf564) +--- + source3/winbindd/winbindd_dual_srv.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index e23d048..b873655 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -74,6 +74,7 @@ NTSTATUS _wbint_LookupSid(struct pipes_struct *p, struct wbint_LookupSid *r) + NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r) + { + struct winbindd_domain *domain = wb_child_domain(); ++ struct lsa_RefDomainList *domains = r->out.domains; + NTSTATUS status; + + if (domain == NULL) { +@@ -87,7 +88,12 @@ NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r) + * done at the wbint RPC layer. + */ + status = rpc_lookup_sids(p->mem_ctx, domain, r->in.sids, +- &r->out.domains, &r->out.names); ++ &domains, &r->out.names); ++ ++ if (domains != NULL) { ++ r->out.domains = domains; ++ } ++ + reset_cm_connection_on_error(domain, status); + return status; + } +-- +1.7.9.5 + + +From a1f5fd46627a9cff9bae645eeccff209978fa2ee Mon Sep 17 00:00:00 2001 +From: Gregor Beck +Date: Thu, 20 Feb 2014 11:25:53 +0100 +Subject: [PATCH 3/3] s3:winbindd: avoid directly asking a trusted domain in + wb_lookupsids*() + +As a domain member we should always use a DC of our own domain. + +It would be possible to pass all sids in one single dcerpc_wbint_LookupSids() +call. For now we just fix bug. 
+ +Pair-Programmed-With: Stefan Metzmacher + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10458 +Signed-off-by: Gregor Beck +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 66fb0ce9557553a4c01607b517e65ac4c93841d0) +--- + source3/winbindd/wb_lookupsids.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c +index e10d511..b474220 100644 +--- a/source3/winbindd/wb_lookupsids.c ++++ b/source3/winbindd/wb_lookupsids.c +@@ -320,7 +320,7 @@ static struct wb_lookupsids_domain *wb_lookupsids_get_domain( + } + } + +- wb_domain = find_domain_from_sid_noinit(sid); ++ wb_domain = find_lookup_domain_from_sid(sid); + if (wb_domain == NULL) { + return NULL; + } +-- +1.7.9.5 + diff --git a/SOURCES/samba-4.1.6-fix_pidl_install.patch b/SOURCES/samba-4.1.6-fix_pidl_install.patch new file mode 100644 index 0000000..d1df233 --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_pidl_install.patch 
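Review bot: in _wbint_LookupSids() (PATCH 2/3, source3/winbindd/winbindd_dual_srv.c), the reason for routing the result through the local `domains` pointer and copying it back only when non-NULL is recorded solely in the commit message. Put a comment at the `if (domains != NULL)` block saying that r->out.domains is an [out,ref] pointer and has to stay valid so the response can still be marshalled on error. r->out.names is still passed directly as `&r->out.names`; if rpc_lookup_sids() can clear it on failure, it needs the same protection.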
@@ -0,0 +1,229 @@ +From 1124387625c3e24a4e8a100d2db83dec502bfa13 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 25 Feb 2014 16:04:24 +0100 +Subject: [PATCH 1/3] pidl: Install pidl files corrently. + +Globbing is a really bad idea in installtion system. One of them is if +you use patch -b to create a backup, you will end up installing the +backup file too! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472 + +Signed-off-by: Andreas Schneider +Reviewed-by: Kai Blin +(cherry picked from commit cee11cfa4544425099268cd32393169afb4bb107) +--- + pidl/lib/wscript_build | 31 ++++++++++++++++++++++++++++++- + pidl/wscript | 3 --- + 2 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build +index eb5f1e0..9bddf3f 100644 +--- a/pidl/lib/wscript_build ++++ b/pidl/lib/wscript_build +@@ -1,4 +1,33 @@ + #!/usr/bin/env python + + # install the pidl modules +-bld.INSTALL_WILDCARD('${DATAROOTDIR}/perl5', '**/*.pm', flat=False) ++bld.INSTALL_FILES('${DATAROOTDIR}/perl5', ++ ''' ++ Parse/Pidl.pm ++ Parse/Pidl/Samba4.pm ++ Parse/Pidl/CUtil.pm ++ Parse/Pidl/Expr.pm ++ Parse/Pidl/Wireshark/Conformance.pm ++ Parse/Pidl/Wireshark/NDR.pm ++ Parse/Pidl/ODL.pm ++ Parse/Pidl/Dump.pm ++ Parse/Pidl/Util.pm ++ Parse/Pidl/Samba4/Header.pm ++ Parse/Pidl/Samba4/COM/Header.pm ++ Parse/Pidl/Samba4/COM/Proxy.pm ++ Parse/Pidl/Samba4/COM/Stub.pm ++ Parse/Pidl/Samba4/TDR.pm ++ Parse/Pidl/Samba4/NDR/Server.pm ++ Parse/Pidl/Samba4/NDR/Client.pm ++ Parse/Pidl/Samba4/NDR/Parser.pm ++ Parse/Pidl/Samba4/Python.pm ++ Parse/Pidl/Samba4/Template.pm ++ Parse/Pidl/IDL.pm ++ Parse/Pidl/Typelist.pm ++ Parse/Pidl/Samba3/ClientNDR.pm ++ Parse/Pidl/Samba3/ServerNDR.pm ++ Parse/Pidl/Compat.pm ++ Parse/Pidl/NDR.pm ++ Parse/Yapp/Driver.pm ++ ''', ++ flat=False) +diff --git a/pidl/wscript b/pidl/wscript +index 7a25734..05d9982 100644 +--- a/pidl/wscript ++++ b/pidl/wscript +@@ -26,9 +26,6 @@ def build(bld): + if not 
bld.CONFIG_SET('HAVE_PERL_MAKEMAKER'): + return + +- pidl_src = ['pidl'] +- pidl_src.extend(bld.path.ant_glob('lib/**/*.pm').split()) +- + pidl_manpages = { + 'pidl': 'man1/pidl.${PERLMAN1EXT}', + 'lib/Parse/Pidl/NDR.pm': 'man3/Parse::Pidl::NDR.${PERLMAN3EXT}', +-- +1.8.5.2 + + +From b929788024a2d051f0ef5d94b566346147151062 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 25 Feb 2014 17:16:37 +0100 +Subject: [PATCH 2/3] waf: Add option to specify perl vendor dir. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472 + +Signed-off-by: Andreas Schneider +Reviewed-by: Kai Blin + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Thu Feb 27 11:48:54 CET 2014 on sn-devel-104 + +(cherry picked from commit 9b200555fec2e33da9521db388d1839375aa8d83) +--- + buildtools/wafadmin/Tools/perl.py | 7 +++++++ + pidl/lib/wscript_build | 2 +- + pidl/wscript | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/buildtools/wafadmin/Tools/perl.py b/buildtools/wafadmin/Tools/perl.py +index a6787a8..90be8d8 100644 +--- a/buildtools/wafadmin/Tools/perl.py ++++ b/buildtools/wafadmin/Tools/perl.py +@@ -103,7 +103,14 @@ def check_perl_ext_devel(conf): + else: + conf.env.ARCHDIR_PERL = read_out('print $Config{sitearch}')[0] + ++ conf.env.VENDORDIR_PERL = Options.options.perlvendordir ++ + def set_options(opt): + opt.add_option("--with-perl-binary", type="string", dest="perlbinary", help = 'Specify alternate perl binary', default=None) + opt.add_option("--with-perl-archdir", type="string", dest="perlarchdir", help = 'Specify directory where to install arch specific files', default=None) + ++ opt.add_option("--with-perl-vendordir", ++ type="string", ++ dest="perlvendordir", ++ help="Specify directory where to install perl vendor files", ++ default='${DATAROOTDIR}/perl5/vendor_perl') +diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build +index 9bddf3f..29632d4 100644 +--- a/pidl/lib/wscript_build ++++ b/pidl/lib/wscript_build +@@ -1,7 
+1,7 @@ + #!/usr/bin/env python + + # install the pidl modules +-bld.INSTALL_FILES('${DATAROOTDIR}/perl5', ++bld.INSTALL_FILES(bld.env.VENDORDIR_PERL, + ''' + Parse/Pidl.pm + Parse/Pidl/Samba4.pm +diff --git a/pidl/wscript b/pidl/wscript +index 05d9982..77abb01 100644 +--- a/pidl/wscript ++++ b/pidl/wscript +@@ -8,6 +8,8 @@ def set_options(opt): + + def configure(conf): + conf.check_tool('perl') ++ conf.check_perl_ext_devel() ++ + # we need a recent version of MakeMaker to get the right man page names + if conf.CHECK_PERL_MANPAGE(): + conf.env.PERLMAN1EXT = conf.CHECK_PERL_MANPAGE(section='1') +-- +1.8.5.2 + + +From bbf583db46d258e9f406b4f4c3d73fe94bf3bfab Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 27 Feb 2014 13:14:56 +0100 +Subject: [PATCH 3/3] pidl: Make perl(Parse:Yapp:Driver) installation optional. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jelmer Vernooij + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Thu Feb 27 18:47:03 CET 2014 on sn-devel-104 + +(cherry picked from commit f0030c619bcf22dbe9eed54b2c0dc9c61f564838) +--- + pidl/lib/wscript_build | 6 +++++- + pidl/wscript | 25 ++++++++++++++++++++++++- + 2 files changed, 29 insertions(+), 2 deletions(-) + +diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build +index 29632d4..09d26eb 100644 +--- a/pidl/lib/wscript_build ++++ b/pidl/lib/wscript_build +@@ -28,6 +28,10 @@ bld.INSTALL_FILES(bld.env.VENDORDIR_PERL, + Parse/Pidl/Samba3/ServerNDR.pm + Parse/Pidl/Compat.pm + Parse/Pidl/NDR.pm +- Parse/Yapp/Driver.pm + ''', + flat=False) ++ ++if not bld.CONFIG_SET('USING_SYSTEM_PARSE_YAPP_DRIVER'): ++ bld.INSTALL_FILES(bld.env.VENDORDIR_PERL, ++ 'Parse/Yapp/Driver.pm', ++ flat=False) +diff --git a/pidl/wscript b/pidl/wscript +index 77abb01..c7b72c4 100644 +--- a/pidl/wscript ++++ b/pidl/wscript +@@ -1,6 +1,6 @@ + #!/usr/bin/env python + +-import os, sys, Logs ++import os, sys, Logs, Options + from samba_utils 
import MODE_755 + + def set_options(opt): +@@ -20,6 +20,9 @@ def configure(conf): + conf.find_program('yapp', var='YAPP') + conf.find_program('pod2man', var='POD2MAN') + ++ # Check for perl(Parse::Yapp::Driver) ++ check_system_perl_module(conf, "Parse::Yapp::Driver", 1.05) ++ + def build(bld): + bld.INSTALL_FILES('${BINDIR}', 'pidl', chmod=MODE_755) + +@@ -82,3 +85,23 @@ try this to avoid this message: + $ touch ../pidl/lib/Parse/Pidl/IDL.pm ../pidl/lib/Parse/Pidl/Expr.pm + ''') + ++def check_system_perl_module(conf, module, version=None): ++ bundle_name = module.replace('::', '_') ++ module_check = module ++ found = False ++ ++ # Create module string with version ++ if version: ++ module_check = module + ' ' + str(version) ++ ++ # Check if we have to bundle it. ++ if conf.LIB_MUST_BE_BUNDLED(bundle_name.lower()): ++ return False ++ ++ # Check for system perl module ++ if not conf.check_perl_module(module_check): ++ return False ++ ++ conf.define('USING_SYSTEM_%s' % bundle_name.upper(), 1) ++ ++ return True +-- +1.8.5.2 + diff --git a/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch b/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch new file mode 100644 index 0000000..be7f64b --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch 
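Review bot: in pidl/lib/wscript_build and buildtools/wafadmin/Tools/perl.py (PATCH 2/3), switching the install target to bld.env.VENDORDIR_PERL with a default of '${DATAROOTDIR}/perl5/vendor_perl' moves the installed modules away from the previous '${DATAROOTDIR}/perl5' for anyone who does not pass --with-perl-vendordir, and the commit message does not mention this. Either keep the old path as the default or document the new install location. VENDORDIR_PERL is only set inside check_perl_ext_devel(), so wscript_build now silently depends on configure having called it; a comment at the INSTALL_FILES call would make that dependency visible.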
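Review bot: in the new check_system_perl_module() in pidl/wscript (PATCH 3/3), the version is passed as the float 1.05 and converted with str(version), which drops trailing zeros (a version such as 1.10 would be checked as "1.1"). Pass the version as a string instead. The local `found = False` is never used and can be removed, and configure() ignores the function's return value, so a comment stating that the result is communicated only through the USING_SYSTEM_... define would help.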
@@ -0,0 +1,35 @@ +From bfd3125066cfc722e244c9f651a3e5dafb8d005d Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 24 Feb 2014 16:18:31 -0800 +Subject: [PATCH] s3-printing: Fix obvious memory leak in + printer_list_get_printer(). + +https://bugzilla.samba.org/show_bug.cgi?id=9993 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ira Cooper +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Feb 25 13:19:37 CET 2014 on sn-devel-104 + +(cherry picked from commit 148bbdd8d04400b5d873f636671dd443952ca04f) +--- + source3/printing/printer_list.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c +index 6e02ee5..7e89ec4 100644 +--- a/source3/printing/printer_list.c ++++ b/source3/printing/printer_list.c +@@ -133,6 +133,7 @@ NTSTATUS printer_list_get_printer(TALLOC_CTX *mem_ctx, + done: + SAFE_FREE(nstr); + SAFE_FREE(cstr); ++ SAFE_FREE(lstr); + TALLOC_FREE(key); + return status; + } +-- +1.8.5.2 + diff --git a/SOURCES/samba-4.1.6-fix_service_with_force_user.patch b/SOURCES/samba-4.1.6-fix_service_with_force_user.patch new file mode 100644 index 0000000..8754ae1 --- /dev/null +++ b/SOURCES/samba-4.1.6-fix_service_with_force_user.patch 
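Review bot: in printer_list_get_printer() (source3/printing/printer_list.c), the added SAFE_FREE(lstr) sits under the shared `done:` label, and the hunk does not show where lstr is declared. Confirm that lstr is initialised to NULL at its declaration, because any `goto done` taken before lstr is assigned will now hand it to free.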
@@ -0,0 +1,69 @@ +From 34d4e883146bccda53422fa50a35ab25ca880d2e Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 17 Mar 2014 14:35:00 -0700 +Subject: [PATCH] s3: smbd: Fileserving share access checks. + +Git commit 86d1e1db8e2747e30c89627cda123fde1e84f579 +fixed share_access not being reset between users, +by changing make_connection_snum() to call a common +function check_user_share_access() in the same way +that change_to_user() (which can be called on any +incoming packet) does. + +Unfortunately that bugfix was incorrect and +broke "force user" and "force group" as it +called check_user_share_access() inside +make_connection_snum() using the conn->session_info +pointer instead of the vuser->session_info pointer. + +conn->session_info represents the token to use +when actually accessing the file system, and so +is modified by force user and force group. + +vuser->session_info represents the "pristine" +token of the user logging in, and is never modified +by force user and force group. + +Samba 3.6.x checked the share access based on +the "pristine" token of the user logging in, +not the token modified by force user and force group. +This change restores the expected behavior. + +Fixes bug #9878 - force user does not work as expected + +https://bugzilla.samba.org/show_bug.cgi?id=9878 + +Signed-off-by: Jeremy Allison +--- + source3/smbd/service.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source3/smbd/service.c b/source3/smbd/service.c +index a7464f0..7d06551 100644 +--- a/source3/smbd/service.c ++++ b/source3/smbd/service.c +@@ -614,11 +614,19 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, + } + + /* +- * Set up the share security descriptor ++ * Set up the share security descriptor. ++ * NOTE - we use the *INCOMING USER* session_info ++ * here, as does (indirectly) change_to_user(), ++ * which can be called on any incoming packet. 
++ * This way we set up the share access based ++ * on the authenticated user, not the forced ++ * user. See bug: ++ * ++ * https://bugzilla.samba.org/show_bug.cgi?id=9878 + */ + + status = check_user_share_access(conn, +- conn->session_info, ++ vuser->session_info, + &conn->share_access, + &conn->read_only); + if (!NT_STATUS_IS_OK(status)) { +-- +1.9.0.279.gdc9e3eb + diff --git a/SOURCES/samba-4.1.6-ipv6_workaround.patch b/SOURCES/samba-4.1.6-ipv6_workaround.patch new file mode 100644 index 0000000..b327812 --- /dev/null +++ b/SOURCES/samba-4.1.6-ipv6_workaround.patch 
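Review bot: in make_connection_snum() (source3/smbd/service.c), the call now dereferences vuser->session_info, and the hunk shows no check that vuser is non-NULL at this point. Confirm that every path reaching check_user_share_access() has a valid vuser, or fail the connection with an error status before the call. This is the second change to this access check (the commit message says the earlier fix 86d1e1db8e2747e30c89627cda123fde1e84f579 broke "force user" and "force group"), so a regression test covering both cases, share_access being reset between users and a share with "force user" set, should accompany it.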
@@ -0,0 +1,76 @@ +From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 2 Apr 2014 19:37:34 +0200 +Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config + files more robust. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Older MIT Kerberos libraries will add any secondary ipv6 address as +ipv4 address, defining the (default) krb5 port 88 circumvents that. + +Guenther + +Signed-off-by: Günther Deschner +--- + source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++-- + 1 file changed, 27 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 649e568..f3c23ea 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs, + *num_addrs += 1; + } + ++/* print_canonical_sockaddr prints an ipv6 addr in the form of ++* [ipv6.addr]. This string, when put in a generated krb5.conf file is not ++* always properly dealt with by some older krb5 libraries. Adding the hard-coded ++* portnumber workarounds the issue. 
- gd */ ++ ++static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx, ++ const struct sockaddr_storage *pss) ++{ ++ char *str = NULL; ++ ++ str = print_canonical_sockaddr(mem_ctx, pss); ++ if (str == NULL) { ++ return NULL; ++ } ++ ++ if (pss->ss_family != AF_INET6) { ++ return str; ++ } ++ ++#if defined(HAVE_IPV6) ++ str = talloc_asprintf_append(str, ":88"); ++#endif ++ return str; ++} ++ + static char *get_kdc_ip_string(char *mem_ctx, + const char *realm, + const char *sitename, +@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + struct netlogon_samlogon_response **responses = NULL; + NTSTATUS status; + char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "", +- print_canonical_sockaddr(mem_ctx, pss)); ++ print_canonical_sockaddr_with_port(mem_ctx, pss)); + + if (kdc_str == NULL) { + TALLOC_FREE(frame); +@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx, + /* Append to the string - inefficient but not done often. */ + new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", + kdc_str, +- print_canonical_sockaddr(mem_ctx, &dc_addrs[i])); ++ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i])); + if (new_kdc_str == NULL) { + goto fail; + } +-- +1.9.0 + diff --git a/SOURCES/samba-4.1.6-net_ads_kerberos_pac.patch b/SOURCES/samba-4.1.6-net_ads_kerberos_pac.patch new file mode 100644 index 0000000..26a4caf --- /dev/null +++ b/SOURCES/samba-4.1.6-net_ads_kerberos_pac.patch 
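Review bot: in print_canonical_sockaddr_with_port() (source3/libads/kerberos.c), talloc_asprintf_append() can return NULL, and both call sites in get_kdc_ip_string() feed the helper's result directly into a %s argument of talloc_asprintf() without checking it. Check the return value at the two call sites before formatting the "kdc =" line. The port is hard-coded in the string ":88"; a named constant for the default krb5 port would make the intent explicit. The `#if defined(HAVE_IPV6)` guard covers only the append, while the `pss->ss_family != AF_INET6` test above it sits outside the guard; move the test inside so the two are consistent.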
@@ -0,0 +1,962 @@ +From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 17 Jan 2014 14:29:03 +0100 +Subject: [PATCH 1/8] s3-libads: pass down local_service to + kerberos_return_pac(). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/libads/authdata.c | 6 +----- + source3/libads/kerberos_proto.h | 1 + + source3/utils/net_ads.c | 8 ++++++++ + source3/winbindd/winbindd_pam.c | 9 +++++++++ + 4 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index 801e551..dd80dc2 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + bool add_netbios_addr, + time_t renewable_time, + const char *impersonate_princ_s, ++ const char *local_service, + struct PAC_LOGON_INFO **_logon_info) + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; + DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; + const char *auth_princ = NULL; +- const char *local_service = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + struct auth_session_info *session_info; + struct gensec_security *gensec_server_context; +@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + } + NT_STATUS_HAVE_NO_MEMORY(auth_princ); + +- local_service = talloc_asprintf(mem_ctx, "%s$@%s", +- lp_netbios_name(), lp_realm()); +- NT_STATUS_HAVE_NO_MEMORY(local_service); +- + ret = kerberos_kinit_password_ext(auth_princ, + pass, + time_offset, +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index 2559634..1151d66 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + bool add_netbios_addr, + time_t 
renewable_time, + const char *impersonate_princ_s, ++ const char *local_service, + struct PAC_LOGON_INFO **logon_info); + + /* The following definitions come from libads/krb5_setpw.c */ +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 89eebf3..5a073b1 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + NTSTATUS status; + int ret = -1; + const char *impersonate_princ_s = NULL; ++ const char *local_service = NULL; + + if (c->display_usage) { + d_printf( "%s\n" +@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + impersonate_princ_s = argv[0]; + } + ++ local_service = talloc_asprintf(mem_ctx, "%s$@%s", ++ lp_netbios_name(), lp_realm()); ++ if (local_service == NULL) { ++ goto out; ++ } ++ + c->opt_password = net_prompt_pass(c, c->opt_user_name); + + status = kerberos_return_pac(mem_ctx, +@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + true, + 2592000, /* one month */ + impersonate_princ_s, ++ local_service, + &info); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 3f3ec70..61e2cef 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + time_t time_offset = 0; + const char *user_ccache_file; + struct PAC_LOGON_INFO *logon_info = NULL; ++ const char *local_service; + + *info3 = NULL; + +@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + ++ local_service = talloc_asprintf(mem_ctx, "%s$@%s", ++ lp_netbios_name(), lp_realm()); ++ if (local_service == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ + /* if this is 
a user ccache, we need to act as the user to let the krb5 + * library handle the chown, etc. */ + +@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + true, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, ++ local_service, + &logon_info); + if (user_ccache_file != NULL) { + gain_root_privilege(); +-- +1.8.5.3 + + +From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 3 Mar 2014 12:14:51 +0100 +Subject: [PATCH 2/8] auth/kerberos: fix a typo. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + auth/kerberos/kerberos_pac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c +index 81f7f21..8f55c8f 100644 +--- a/auth/kerberos/kerberos_pac.c ++++ b/auth/kerberos/kerberos_pac.c +@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, + } + + /** +-* @brief Decode a blob containing a NDR envoded PAC structure ++* @brief Decode a blob containing a NDR encoded PAC structure + * + * @param mem_ctx - The memory context + * @param pac_data_blob - The data blob containing the NDR encoded data +-- +1.8.5.3 + + +From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Mon, 10 Mar 2014 15:11:18 +0100 +Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used + in "net ads kerberos pac". 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/utils/net_ads.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 5a073b1..ac6346f 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + int ret = -1; + const char *impersonate_princ_s = NULL; + const char *local_service = NULL; ++ int i; + + if (c->display_usage) { + d_printf( "%s\n" +@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + return 0; + } + ++ for (i=0; i 0) { +- impersonate_princ_s = argv[0]; +- } +- + local_service = talloc_asprintf(mem_ctx, "%s$@%s", + lp_netbios_name(), lp_realm()); + if (local_service == NULL) { +-- +1.8.5.3 + + +From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 11 Mar 2014 16:34:36 +0100 +Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads + kerberos pac". 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/utils/net_ads.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index ac6346f..c53c8c6 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + return -1; + } + } ++ if (strnequal(argv[i], "local_service", strlen("local_service"))) { ++ local_service = get_string_param(argv[i]); ++ if (local_service == NULL) { ++ return -1; ++ } ++ } + } + + mem_ctx = talloc_init("net_ads_kerberos_pac"); +@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + goto out; + } + +- local_service = talloc_asprintf(mem_ctx, "%s$@%s", +- lp_netbios_name(), lp_realm()); + if (local_service == NULL) { +- goto out; ++ local_service = talloc_asprintf(mem_ctx, "%s$@%s", ++ lp_netbios_name(), lp_realm()); ++ if (local_service == NULL) { ++ goto out; ++ } + } + + c->opt_password = net_prompt_pass(c, c->opt_user_name); +-- +1.8.5.3 + + +From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 21 Feb 2014 18:56:04 +0100 +Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac(). 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/libads/authdata.c | 28 +++++++++++++++++----------- + source3/libads/kerberos_proto.h | 4 ++-- + source3/utils/net_ads.c | 17 ++++++++++++++++- + source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++- + 4 files changed, 56 insertions(+), 15 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index dd80dc2..53e40ef 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, + struct auth_session_info **session_info) + { + TALLOC_CTX *tmp_ctx; +- struct PAC_LOGON_INFO *logon_info = NULL; ++ struct PAC_DATA *pac_data = NULL; + NTSTATUS status = NT_STATUS_INTERNAL_ERROR; + + tmp_ctx = talloc_new(mem_ctx); +@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, + } + + if (pac_blob) { +- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, +- NULL, NULL, 0, &logon_info); ++ status = kerberos_decode_pac(tmp_ctx, ++ *pac_blob, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ 0, ++ &pac_data); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + +- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO"); ++ talloc_set_name_const(pac_data, "struct PAC_DATA"); + +- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info); ++ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); + *session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (!*session_info) { + status = NT_STATUS_NO_MEMORY; +@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, +- struct PAC_LOGON_INFO **_logon_info) ++ struct PAC_DATA **_pac_data) + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; +@@ -116,7 
+122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + size_t idx = 0; + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; +- struct PAC_LOGON_INFO *logon_info = NULL; ++ struct PAC_DATA *pac_data = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); +@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + goto out; + } + +- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data, +- struct PAC_LOGON_INFO); +- if (logon_info == NULL) { ++ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, ++ struct PAC_DATA); ++ if (pac_data == NULL) { + DEBUG(1,("no PAC\n")); + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + +- *_logon_info = talloc_move(mem_ctx, &logon_info); ++ *_pac_data = talloc_move(mem_ctx, &pac_data); + + out: + talloc_free(tmp_ctx); +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index 1151d66..b2f7486 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -32,7 +32,7 @@ + + #include "system/kerberos.h" + +-struct PAC_LOGON_INFO; ++struct PAC_DATA; + + #include "libads/ads_status.h" + +@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, +- struct PAC_LOGON_INFO **logon_info); ++ struct PAC_DATA **pac_data); + + /* The following definitions come from libads/krb5_setpw.c */ + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index c53c8c6..19da6da 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** + static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) + { + struct PAC_LOGON_INFO *info = NULL; ++ struct PAC_DATA *pac_data = NULL; + TALLOC_CTX *mem_ctx = NULL; + NTSTATUS 
status; + int ret = -1; +@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + 2592000, /* one month */ + impersonate_princ_s, + local_service, +- &info); ++ &pac_data); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), + nt_errstr(status)); + goto out; + } + ++ for (i=0; i < pac_data->num_buffers; i++) { ++ ++ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { ++ continue; ++ } ++ ++ info = pac_data->buffers[i].info->logon_info.info; ++ if (!info) { ++ goto out; ++ } ++ ++ break; ++ } ++ + if (info) { + const char *s; + s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 61e2cef..a8daae51 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + time_t time_offset = 0; + const char *user_ccache_file; + struct PAC_LOGON_INFO *logon_info = NULL; ++ struct PAC_DATA *pac_data = NULL; + const char *local_service; ++ int i; + + *info3 = NULL; + +@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, +- &logon_info); ++ &pac_data); + if (user_ccache_file != NULL) { + gain_root_privilege(); + } +@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + goto failed; + } + ++ if (pac_data == NULL) { ++ goto failed; ++ } ++ ++ for (i=0; i < pac_data->num_buffers; i++) { ++ ++ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { ++ continue; ++ } ++ ++ logon_info = pac_data->buffers[i].info->logon_info.info; ++ if (!logon_info) { ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ ++ break; ++ } ++ + *info3 = &logon_info->info3; + + DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", +-- +1.8.5.3 + + +From 
a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 11 Mar 2014 18:07:11 +0100 +Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC + container. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/libads/authdata.c | 29 +++++++++++++++++++++-------- + source3/libads/kerberos_proto.h | 7 ++++++- + source3/utils/net_ads.c | 5 ++++- + source3/winbindd/winbindd_pam.c | 8 +++++++- + 4 files changed, 38 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index 53e40ef..276408d 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, + { + TALLOC_CTX *tmp_ctx; + struct PAC_DATA *pac_data = NULL; ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; + NTSTATUS status = NT_STATUS_INTERNAL_ERROR; + + tmp_ctx = talloc_new(mem_ctx); +@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, + } + } + +- talloc_set_name_const(pac_data, "struct PAC_DATA"); ++ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR); ++ if (pac_data_ctr == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR"); ++ ++ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data); ++ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr, ++ pac_blob->data, ++ pac_blob->length); ++ ++ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr); + +- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); + *session_info = talloc_zero(mem_ctx, struct auth_session_info); + if (!*session_info) { + status = NT_STATUS_NO_MEMORY; +@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char 
*impersonate_princ_s, + const char *local_service, +- struct PAC_DATA **_pac_data) ++ struct PAC_DATA_CTR **_pac_data_ctr) + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; +@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + size_t idx = 0; + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; +- struct PAC_DATA *pac_data = NULL; ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); +@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + goto out; + } + +- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, +- struct PAC_DATA); +- if (pac_data == NULL) { ++ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data, ++ struct PAC_DATA_CTR); ++ if (pac_data_ctr == NULL) { + DEBUG(1,("no PAC\n")); + status = NT_STATUS_INVALID_PARAMETER; + goto out; + } + +- *_pac_data = talloc_move(mem_ctx, &pac_data); ++ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); + + out: + talloc_free(tmp_ctx); +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index b2f7486..3d0ad4b 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -34,6 +34,11 @@ + + struct PAC_DATA; + ++struct PAC_DATA_CTR { ++ DATA_BLOB pac_blob; ++ struct PAC_DATA *pac_data; ++}; ++ + #include "libads/ads_status.h" + + /* The following definitions come from libads/kerberos.c */ +@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, +- struct PAC_DATA **pac_data); ++ struct PAC_DATA_CTR **pac_data_ctr); + + /* The following definitions come from libads/krb5_setpw.c */ + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 19da6da..19c28b1 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ 
-2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + { + struct PAC_LOGON_INFO *info = NULL; + struct PAC_DATA *pac_data = NULL; ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; + TALLOC_CTX *mem_ctx = NULL; + NTSTATUS status; + int ret = -1; +@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + 2592000, /* one month */ + impersonate_princ_s, + local_service, +- &pac_data); ++ &pac_data_ctr); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), + nt_errstr(status)); + goto out; + } + ++ pac_data = pac_data_ctr->pac_data; ++ + for (i=0; i < pac_data->num_buffers; i++) { + + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index a8daae51..b41291e 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + const char *user_ccache_file; + struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; + const char *local_service; + int i; + +@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, +- &pac_data); ++ &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); + } +@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + goto failed; + } + ++ if (pac_data_ctr == NULL) { ++ goto failed; ++ } ++ ++ pac_data = pac_data_ctr->pac_data; + if (pac_data == NULL) { + goto failed; + } +-- +1.8.5.3 + + +From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 11 Mar 2014 18:14:39 +0100 +Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac" + command. 
+MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow +dumping of individial pac buffer types. Ommitting type= or using type=0 will +dump the whole PAC structure on stdout. + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++---------------- + 1 file changed, 77 insertions(+), 38 deletions(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 19c28b1..f54cf23 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** + return ret; + } + +-static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) ++static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv, ++ struct PAC_DATA_CTR **pac_data_ctr) + { +- struct PAC_LOGON_INFO *info = NULL; +- struct PAC_DATA *pac_data = NULL; +- struct PAC_DATA_CTR *pac_data_ctr = NULL; +- TALLOC_CTX *mem_ctx = NULL; + NTSTATUS status; + int ret = -1; + const char *impersonate_princ_s = NULL; + const char *local_service = NULL; + int i; + +- if (c->display_usage) { +- d_printf( "%s\n" +- "net ads kerberos pac [impersonation_principal]\n" +- " %s\n", +- _("Usage:"), +- _("Dump the Kerberos PAC")); +- return 0; +- } +- + for (i=0; iopt_password = net_prompt_pass(c, c->opt_user_name); + +- status = kerberos_return_pac(mem_ctx, ++ status = kerberos_return_pac(c, + c->opt_user_name, + c->opt_password, + 0, +@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + 2592000, /* one month */ + impersonate_princ_s, + local_service, +- &pac_data_ctr); ++ pac_data_ctr); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), + nt_errstr(status)); + goto out; + } + 
+- pac_data = pac_data_ctr->pac_data; ++ ret = 0; ++ out: ++ return ret; ++} + +- for (i=0; i < pac_data->num_buffers; i++) { ++static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv) ++{ ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; ++ int i; ++ int ret = -1; ++ enum PAC_TYPE type = 0; + +- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { +- continue; ++ if (c->display_usage) { ++ d_printf( "%s\n" ++ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n" ++ " %s\n", ++ _("Usage:"), ++ _("Dump the Kerberos PAC")); ++ return -1; ++ } ++ ++ for (i=0; ibuffers[i].info->logon_info.info; +- if (!info) { +- goto out; ++ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr); ++ if (ret) { ++ return ret; ++ } ++ ++ if (type == 0) { ++ ++ char *s = NULL; ++ ++ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA, ++ pac_data_ctr->pac_data); ++ if (s != NULL) { ++ d_printf(_("The Pac: %s\n"), s); ++ talloc_free(s); + } + +- break; ++ return 0; + } + +- if (info) { +- const char *s; +- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); +- d_printf(_("The Pac: %s\n"), s); ++ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) { ++ ++ char *s = NULL; ++ ++ if (pac_data_ctr->pac_data->buffers[i].type != type) { ++ continue; ++ } ++ ++ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type, ++ pac_data_ctr->pac_data->buffers[i].info); ++ if (s != NULL) { ++ d_printf(_("The Pac: %s\n"), s); ++ talloc_free(s); ++ } ++ break; + } + +- ret = 0; +- out: +- TALLOC_FREE(mem_ctx); +- return ret; ++ return 0; ++} ++ ++static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) ++{ ++ struct functable func[] = { ++ { ++ "dump", ++ net_ads_kerberos_pac_dump, ++ NET_TRANSPORT_ADS, ++ N_("Dump Kerberos PAC"), ++ N_("net ads kerberos pac dump\n" ++ " Dump a Kerberos PAC to stdout") ++ }, ++ ++ {NULL, NULL, 0, NULL, NULL} ++ }; ++ ++ return net_run_function(c, argc, argv, "net ads kerberos 
pac", func); + } + + static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv) +-- +1.8.5.3 + + +From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 11 Mar 2014 18:16:40 +0100 +Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use "filename=string" to define a file where to save the unencrypted PAC to. + +Guenther + +Signed-off-by: Günther Deschner +Reviewed-by: Andreas Schneider +--- + source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 52 insertions(+) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index f54cf23..8b8e719 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char + return 0; + } + ++static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv) ++{ ++ struct PAC_DATA_CTR *pac_data_ctr = NULL; ++ char *filename = NULL; ++ int ret = -1; ++ int i; ++ ++ if (c->display_usage) { ++ d_printf( "%s\n" ++ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n" ++ " %s\n", ++ _("Usage:"), ++ _("Save the Kerberos PAC")); ++ return -1; ++ } ++ ++ for (i=0; i\" to save the PAC\n")); ++ return -1; ++ } ++ ++ /* save the raw format */ ++ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) { ++ d_printf(_("failed to save PAC in %s\n"), filename); ++ return -1; ++ } ++ ++ return 0; ++} ++ + static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) + { + struct functable func[] = { +@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar + N_("net ads kerberos pac dump\n" + " Dump a Kerberos PAC to 
stdout") + }, ++ { ++ "save", ++ net_ads_kerberos_pac_save, ++ NET_TRANSPORT_ADS, ++ N_("Save Kerberos PAC"), ++ N_("net ads kerberos pac save\n" ++ " Save a Kerberos PAC in a file") ++ }, + + {NULL, NULL, 0, NULL, NULL} + }; +-- +1.8.5.3 + diff --git a/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch b/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch new file mode 100644 index 0000000..dea0af3 --- /dev/null +++ b/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch 
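Review bot: In kerberos_fetch_pac() (PATCH 6/8, source3/libads/authdata.c), the new `data_blob_talloc(pac_data_ctr, pac_blob->data, pac_blob->length)` dereferences pac_blob unconditionally, while the decode step earlier in the same function is still guarded by `if (pac_blob)`. Either that guard is dead and should be removed, or the container setup needs the same check; as written a NULL pac_blob is dereferenced here. The result of data_blob_talloc() is also not checked, so an allocation failure goes unnoticed by the callers that later read pac_blob.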
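Review bot: In winbindd_raw_kerberos_login() (PATCH 5/8, source3/winbindd/winbindd_pam.c), if the new loop finds no buffer of type PAC_TYPE_LOGON_INFO, logon_info is still NULL when `*info3 = &logon_info->info3;` runs. Add an explicit `if (logon_info == NULL)` check after the loop and fail the login there. Inside the loop, `pac_data->buffers[i].info` is dereferenced without a NULL check, and the `return NT_STATUS_INVALID_PARAMETER;` bypasses the `goto failed` path that the surrounding error checks use.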
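Review bot: The usage text in net_ads_kerberos_pac_dump() (PATCH 7/8, source3/utils/net_ads.c) advertises `pac_buffer_type=int`, but the commit message documents the option as `type=num`; make the two agree with what the parser accepts. The usage branch now returns -1 where the old net_ads_kerberos_pac() returned 0 after printing help, and when a non-zero type matches no buffer the function prints nothing and still returns 0, so a caller cannot tell a missing buffer from success. kerberos_return_pac() is now called with `c` as the talloc context and the old `TALLOC_FREE(mem_ctx)` is gone, so pac_data_ctr should be freed before returning.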
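Review bot: net_ads_kerberos_pac_save() (PATCH 8/8, source3/utils/net_ads.c) writes the raw blob with `file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)`, and the commit message calls it the unencrypted PAC, but neither the usage string nor the functable help says so. State in the help text that the file holds decrypted authorization data, and confirm which mode file_save() creates the file with, since nothing in this hunk restricts it. pac_data_ctr is not freed on either return path, and the usage branch returns -1 as in the dump command.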
@@ -0,0 +1,748 @@ +From 4be15cc68a49b353f1f2f4f198b968098bee4d83 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 25 Mar 2014 12:53:04 +0200 +Subject: [PATCH 1/5] add systemd integration + +Add --with-systemd / --without-systemd options to check whether +libsystemd-daemon library is available and use it to report service +startup status to systemd for smbd/winbindd/nmbd and AD DC. + +The problem it solves is correct reporting of the Samba services +at the point when they are ready to serve clients, important for +high availability software integration. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider + +(cherry picked from commit 54b5d9a7384ae27b2a26586ff909128427c05abe) +--- + lib/util/become_daemon.c | 37 ++++++++++++++++++++++++++++++++++++- + lib/util/samba_util.h | 12 ++++++++++++ + lib/util/wscript_build | 2 +- + packaging/systemd/nmb.service | 3 ++- + packaging/systemd/samba.service | 3 ++- + packaging/systemd/smb.service | 3 ++- + packaging/systemd/winbind.service | 3 ++- + source3/nmbd/nmbd.c | 4 ++++ + source3/smbd/server.c | 4 ++++ + source3/winbindd/winbindd.c | 5 +++++ + source4/smbd/server.c | 4 ++++ + wscript | 27 +++++++++++++++++++++++---- + 12 files changed, 97 insertions(+), 10 deletions(-) + +diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c +index 2ca0478..35c8b32 100644 +--- a/lib/util/become_daemon.c ++++ b/lib/util/become_daemon.c +@@ -24,6 +24,9 @@ + #include "includes.h" + #include "system/filesys.h" + #include "system/locale.h" ++#if HAVE_SYSTEMD ++#include ++#endif + + /******************************************************************* + Close the low 3 fd's and open dev/null in their place. 
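Review bot: The include guard in this first hunk of lib/util/become_daemon.c is `#if HAVE_SYSTEMD`, while the exit_daemon() and daemon_ready() additions later in the same file use `#ifdef HAVE_SYSTEMD`. The wscript change either defines the macro to 1 or undefines it, so both forms compile, but the file should use one of them consistently; `#ifdef` avoids an undefined-macro warning under -Wundef.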
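Review bot: In exit_daemon() (last hunk of lib/util/become_daemon.c in PATCH 1/5), the `if (msg == NULL) { msg = strerror(error); }` fallback sits inside `#ifdef HAVE_SYSTEMD`, so a build without systemd passes a NULL msg straight to the `%s` in the DEBUG() call that follows. Move the fallback above the #ifdef so both builds get it. In daemon_ready(), the DEBUG(0, ...) format string has no trailing newline, and level 0 is a loud place to log a normal startup.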
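Review bot: The nmb, samba, smb and winbind unit files in PATCH 1/5 switch to `Type=notify` together with `NotifyAccess=all`, which makes systemd accept status messages from every process in the service's control group, not only the main daemon. The commit message should say why `NotifyAccess=main` is not sufficient, given that become_daemon() already reports the child as MAINPID before the parent exits. It is also worth noting why `PIDFile=` is kept now that the main PID is reported through the notification.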
+@@ -75,8 +78,13 @@ _PUBLIC_ void close_low_fds(bool stdin_too, bool stdout_too, bool stderr_too) + + _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout) + { ++ pid_t newpid; + if (do_fork) { +- if (fork()) { ++ newpid = fork(); ++ if (newpid) { ++#if HAVE_SYSTEMD ++ sd_notifyf(0, "READY=0\nSTATUS=Starting process...\nMAINPID=%lu", (unsigned long) newpid); ++#endif /* HAVE_SYSTEMD */ + _exit(0); + } + } +@@ -100,3 +108,30 @@ _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout + * never close stderr (but debug might dup it onto a log file) */ + close_low_fds(do_fork, !log_stdout, false); + } ++ ++_PUBLIC_ void exit_daemon(const char *msg, int error) ++{ ++#ifdef HAVE_SYSTEMD ++ if (msg == NULL) { ++ msg = strerror(error); ++ } ++ ++ sd_notifyf(0, "STATUS=daemon failed to start: %s\n" ++ "ERRNO=%i", ++ msg, ++ error); ++#endif ++ DEBUG(0, ("STATUS=daemon failed to start: %s, error code %d\n", msg, error)); ++ exit(1); ++} ++ ++_PUBLIC_ void daemon_ready(const char *daemon) ++{ ++ if (daemon == NULL) { ++ daemon = "Samba"; ++ } ++#ifdef HAVE_SYSTEMD ++ sd_notifyf(0, "READY=1\nSTATUS=%s: ready to serve connections...", daemon); ++#endif ++ DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon)); ++} +diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h +index f52347e..2996710 100644 +--- a/lib/util/samba_util.h ++++ b/lib/util/samba_util.h +@@ -842,6 +842,18 @@ _PUBLIC_ void close_low_fds(bool stdin_too, bool stdout_too, bool stderr_too); + _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout); + + /** ++ Exit daemon and print error message to the log at level 0 ++ Optionally report failure to systemd if systemd integration is enabled ++**/ ++_PUBLIC_ void exit_daemon(const char *msg, int error); ++ ++/** ++ Report that the daemon is ready to serve connections to the log at level 0 ++ Optionally report status to systemd if systemd 
integration is enabled ++**/ ++_PUBLIC_ void daemon_ready(const char *daemon); ++ ++/** + * @brief Get a password from the console. + * + * You should make sure that the buffer is an empty string! +diff --git a/lib/util/wscript_build b/lib/util/wscript_build +index 39a1613..5087116 100755 +--- a/lib/util/wscript_build ++++ b/lib/util/wscript_build +@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util', + server_id.c dprintf.c parmlist.c bitmap.c pidfile.c + tevent_debug.c util_process.c''', + deps='DYNCONFIG', +- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid', ++ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon', + public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h', + header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ], + local_include=False, +diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service +index e5e81a1..3d71a7d 100644 +--- a/packaging/systemd/nmb.service ++++ b/packaging/systemd/nmb.service +@@ -3,7 +3,8 @@ Description=Samba NMB Daemon + After=syslog.target network.target + + [Service] +-Type=forking ++Type=notify ++NotifyAccess=all + PIDFile=/run/nmbd.pid + EnvironmentFile=-/etc/sysconfig/samba + ExecStart=/usr/sbin/nmbd $NMBDOPTIONS +diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service +index e2878d1..824f89c 100644 +--- a/packaging/systemd/samba.service ++++ b/packaging/systemd/samba.service +@@ -3,7 +3,8 @@ Description=Samba AD Daemon + After=syslog.target network.target + + [Service] +-Type=forking ++Type=notify ++NotifyAccess=all + PIDFile=/run/samba.pid + LimitNOFILE=16384 + EnvironmentFile=-/etc/sysconfig/samba +diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service +index d0d945a..9810891 100644 +--- a/packaging/systemd/smb.service ++++ b/packaging/systemd/smb.service +@@ -3,7 +3,8 @@ 
Description=Samba SMB Daemon + After=syslog.target network.target nmb.service winbind.service + + [Service] +-Type=forking ++Type=notify ++NotifyAccess=all + PIDFile=/run/smbd.pid + LimitNOFILE=16384 + EnvironmentFile=-/etc/sysconfig/samba +diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service +index eff266f..f711a17 100644 +--- a/packaging/systemd/winbind.service ++++ b/packaging/systemd/winbind.service +@@ -3,7 +3,8 @@ Description=Samba Winbind Daemon + After=syslog.target network.target nmb.service + + [Service] +-Type=forking ++Type=notify ++NotifyAccess=all + PIDFile=/run/winbindd.pid + EnvironmentFile=-/etc/sysconfig/samba + ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS" +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index ec0e7d0..aced774 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -1088,6 +1088,10 @@ static bool open_sockets(bool isdaemon, int port) + exit(1); + } + ++ if (is_daemon && !opt_interactive) { ++ daemon_ready("nmbd"); ++ } ++ + TALLOC_FREE(frame); + process(msg); + +diff --git a/source3/smbd/server.c b/source3/smbd/server.c +index d3cd33e..b2a9d8f 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -1489,6 +1489,10 @@ extern void build_options(bool screen); + exit(1); + } + ++ if (is_daemon && !interactive) { ++ daemon_ready("smbd"); ++ } ++ + /* only start other daemons if we are running as a daemon + * -- bad things will happen if smbd is launched via inetd + * and we fork a copy of ourselves here */ +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 50573ac..61c1dbc 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1581,6 +1581,11 @@ int main(int argc, char **argv, char **envp) + } + + TALLOC_FREE(frame); ++ ++ if (!interactive) { ++ daemon_ready("winbindd"); ++ } ++ + /* Loop waiting for requests */ + while (1) { + frame = talloc_stackframe(); +diff --git a/source4/smbd/server.c b/source4/smbd/server.c 
+index 37aac62..3a23190 100644 +--- a/source4/smbd/server.c ++++ b/source4/smbd/server.c +@@ -498,6 +498,10 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + return 1; + } + ++ if (opt_daemon) { ++ daemon_ready("samba"); ++ } ++ + /* wait for events - this is where smbd sits for most of its + life */ + tevent_loop_wait(event_ctx); +diff --git a/wscript b/wscript +index 83c82e3..2f02c6e 100644 +--- a/wscript ++++ b/wscript +@@ -64,8 +64,15 @@ def set_options(opt): + help=("Disable Position Independent Executable builds"), + action="store_false", dest='enable_pie') + +- gr = opt.option_group('developer options') ++ opt.add_option('--with-systemd', ++ help=("Enable systemd integration"), ++ action='store_true', dest='enable_systemd') ++ ++ opt.add_option('--without-systemd', ++ help=("Disable systemd integration"), ++ action='store_false', dest='enable_systemd') + ++ gr = opt.option_group('developer options') + + opt.tool_options('python') # options for disabling pyc or pyo compilation + # enable options related to building python extensions +@@ -162,11 +169,8 @@ def configure(conf): + if not conf.CHECK_CODE('#include "tests/summary.c"', + define='SUMMARY_PASSES', + addmain=False, +- execute=True, + msg='Checking configure summary'): + raise Utils.WafError('configure summary failed') +- +- conf.SAMBA_CONFIG_H('include/config.h') + + if Options.options.enable_pie != False: + if Options.options.enable_pie == True: +@@ -178,6 +182,21 @@ def configure(conf): + msg="Checking compiler for PIE support"): + conf.env['ENABLE_PIE'] = True + ++ if Options.options.enable_systemd != False: ++ conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs', ++ msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON") ++ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon') ++ conf.CHECK_LIB('systemd-daemon', shlib=True) ++ ++ if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'): ++ conf.DEFINE('HAVE_SYSTEMD', '1') ++ 
conf.env['ENABLE_SYSTEMD'] = True ++ else: ++ conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY') ++ conf.undefine('HAVE_SYSTEMD') ++ ++ conf.SAMBA_CONFIG_H('include/config.h') ++ + def etags(ctx): + '''build TAGS file using etags''' + import Utils +-- +1.8.5.3 + + +From a6250f706655bd8fda81fe15ccc9441f7d4e1c84 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Mar 2014 10:56:12 +0200 +Subject: [PATCH 2/5] smbd: use exit_daemon() to support reporting to systemd + from smbd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +--- + source3/smbd/server.c | 44 +++++++++++++++++++------------------------- + 1 file changed, 19 insertions(+), 25 deletions(-) + +diff --git a/source3/smbd/server.c b/source3/smbd/server.c +index b2a9d8f..34c949d 100644 +--- a/source3/smbd/server.c ++++ b/source3/smbd/server.c +@@ -1314,8 +1314,7 @@ extern void build_options(bool screen); + ev_ctx, + false); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("reinit_after_fork() failed\n")); +- exit(1); ++ exit_daemon("reinit_after_fork() failed", map_errno_from_nt_status(status)); + } + + if (!interactive) { +@@ -1326,8 +1325,7 @@ extern void build_options(bool screen); + */ + status = init_before_fork(); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status))); +- exit(1); ++ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status)); + } + } + +@@ -1360,7 +1358,7 @@ extern void build_options(bool screen); + /* Setup all the TDB's - including CLEAR_IF_FIRST tdb's. 
*/ + + if (smbd_memcache() == NULL) { +- exit(1); ++ exit_daemon("no memcache available", EACCES); + } + + memcache_set_global(smbd_memcache()); +@@ -1372,69 +1370,65 @@ extern void build_options(bool screen); + exit(1); + + if (!secrets_init()) { +- DEBUG(0, ("ERROR: smbd can not open secrets.tdb\n")); +- exit(1); ++ exit_daemon("smbd can not open secrets.tdb", EACCES); + } + + if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { + struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers()); + if (!open_schannel_session_store(NULL, lp_ctx)) { +- DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n")); +- exit(1); ++ exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES); + } + TALLOC_FREE(lp_ctx); + } + + if(!get_global_sam_sid()) { +- DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n")); +- exit(1); ++ exit_daemon("Samba cannot create a SAM SID", EACCES); + } + + server_id = messaging_server_id(msg_ctx); + status = smbXsrv_version_global_init(&server_id); + if (!NT_STATUS_IS_OK(status)) { +- exit(1); ++ exit_daemon("Samba cannot init server context", EACCES); + } + + status = smbXsrv_session_global_init(); + if (!NT_STATUS_IS_OK(status)) { +- exit(1); ++ exit_daemon("Samba cannot init session context", EACCES); + } + + status = smbXsrv_tcon_global_init(); + if (!NT_STATUS_IS_OK(status)) { +- exit(1); ++ exit_daemon("Samba cannot init tcon context", EACCES); + } + + if (!locking_init()) +- exit(1); ++ exit_daemon("Samba cannot init locking", EACCES); + + if (!messaging_tdb_parent_init(ev_ctx)) { +- exit(1); ++ exit_daemon("Samba cannot init TDB messaging", EACCES); + } + + if (!smbd_parent_notify_init(NULL, msg_ctx, ev_ctx)) { +- exit(1); ++ exit_daemon("Samba cannot init notification", EACCES); + } + + if (!smbd_scavenger_init(NULL, msg_ctx, ev_ctx)) { +- exit(1); ++ exit_daemon("Samba cannot init scavenging", EACCES); + } + + if 
(!serverid_parent_init(ev_ctx)) { +- exit(1); ++ exit_daemon("Samba cannot init server id", EACCES); + } + + if (!W_ERROR_IS_OK(registry_init_full())) +- exit(1); ++ exit_daemon("Samba cannot init registry", EACCES); + + /* Open the share_info.tdb here, so we don't have to open + after the fork on every single connection. This is a small + performance improvment and reduces the total number of system + fds used. */ + if (!share_info_db_init()) { +- DEBUG(0,("ERROR: failed to load share info db.\n")); +- exit(1); ++ exit_daemon("ERROR: failed to load share info db.", EACCES); + } + + status = init_system_session_info(); +@@ -1455,7 +1449,7 @@ extern void build_options(bool screen); + } + status = smbXsrv_open_global_init(); + if (!NT_STATUS_IS_OK(status)) { +- exit(1); ++ exit_daemon("Samba cannot init global open", map_errno_from_nt_status(status)); + } + + /* This MUST be done before start_epmd() because otherwise +@@ -1486,7 +1480,7 @@ extern void build_options(bool screen); + } + + if (!dcesrv_ep_setup(ev_ctx, msg_ctx)) { +- exit(1); ++ exit_daemon("Samba cannot setup ep pipe", EACCES); + } + + if (is_daemon && !interactive) { +@@ -1507,7 +1501,7 @@ extern void build_options(bool screen); + bool bgq = lp_parm_bool(-1, "smbd", "backgroundqueue", true); + + if (!printing_subsystem_init(ev_ctx, msg_ctx, true, bgq)) { +- exit(1); ++ exit_daemon("Samba failed to init printing subsystem", EACCES); + } + } + } else if (!lp__disable_spoolss() && +-- +1.8.5.3 + + +From 580933198c1da02ad668b32f68bfeac833d97980 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Mar 2014 11:34:56 +0200 +Subject: [PATCH 3/5] nmbd: use exit_daemon() to report status to systemd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider + +(cherry picked from commit a54e94559b5ebabbb8c5c938fdf159efceff39e6) +--- + source3/nmbd/nmbd.c | 39 ++++++++++++++------------------------- + 1 file changed, 14 insertions(+), 25 
deletions(-) + +diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c +index aced774..dc2d4c7 100644 +--- a/source3/nmbd/nmbd.c ++++ b/source3/nmbd/nmbd.c +@@ -966,16 +966,12 @@ static bool open_sockets(bool isdaemon, int port) + + ok = directory_create_or_exist(lp_lockdir(), geteuid(), 0755); + if (!ok) { +- DEBUG(0, ("Failed to create directory %s for lock files - %s\n", +- lp_lockdir(), strerror(errno))); +- exit(1); ++ exit_daemon("Failed to create directory for lock files, check 'lock directory'", errno); + } + + ok = directory_create_or_exist(lp_piddir(), geteuid(), 0755); + if (!ok) { +- DEBUG(0, ("Failed to create directory %s for pid files - %s\n", +- lp_piddir(), strerror(errno))); +- exit(1); ++ exit_daemon("Failed to create directory for pid files, check 'pid directory'", errno); + } + + pidfile_create(lp_piddir(), "nmbd"); +@@ -984,8 +980,7 @@ static bool open_sockets(bool isdaemon, int port) + false); + + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("reinit_after_fork() failed\n")); +- exit(1); ++ exit_daemon("reinit_after_fork() failed", map_errno_from_nt_status(status)); + } + + /* +@@ -995,16 +990,15 @@ static bool open_sockets(bool isdaemon, int port) + */ + status = init_before_fork(); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status))); +- exit(1); ++ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status)); + } + + if (!nmbd_setup_sig_term_handler(msg)) +- exit(1); ++ exit_daemon("NMBD failed to setup signal handler", EINVAL); + if (!nmbd_setup_stdin_handler(msg, !Fork)) +- exit(1); ++ exit_daemon("NMBD failed to setup stdin handler", EINVAL); + if (!nmbd_setup_sig_hup_handler(msg)) +- exit(1); ++ exit_daemon("NMBD failed to setup SIGHUP handler", EINVAL); + + /* get broadcast messages */ + +@@ -1012,8 +1006,7 @@ static bool open_sockets(bool isdaemon, int port) + FLAG_MSG_GENERAL | + FLAG_MSG_NMBD | + FLAG_MSG_DBWRAP)) { +- DEBUG(1, ("Could not register myself in serverid.tdb\n")); +- 
exit(1); ++ exit_daemon("Could not register NMBD process in serverid.tdb", EACCES); + } + + messaging_register(msg, NULL, MSG_FORCE_ELECTION, +@@ -1044,9 +1037,8 @@ static bool open_sockets(bool isdaemon, int port) + + /* Create an nmbd subnet record for each of the above. */ + if( False == create_subnets() ) { +- DEBUG(0,("ERROR: Failed when creating subnet lists. Exiting.\n")); + kill_async_dns_child(); +- exit(1); ++ exit_daemon("NMBD failed when creating subnet lists", EACCES); + } + + /* Load in any static local names. */ +@@ -1058,9 +1050,8 @@ static bool open_sockets(bool isdaemon, int port) + + /* If we are acting as a WINS server, initialise data structures. */ + if( !initialise_wins() ) { +- DEBUG( 0, ( "nmbd: Failed when initialising WINS server.\n" ) ); + kill_async_dns_child(); +- exit(1); ++ exit_daemon( "NMBD failed when initialising WINS server.", EACCES); + } + + /* +@@ -1072,21 +1063,19 @@ static bool open_sockets(bool isdaemon, int port) + */ + + if( False == register_my_workgroup_and_names() ) { +- DEBUG(0,("ERROR: Failed when creating my my workgroup. 
Exiting.\n")); + kill_async_dns_child(); +- exit(1); ++ exit_daemon( "NMBD failed when creating my workgroup.", EACCES); + } + + if (!initialize_nmbd_proxy_logon()) { +- DEBUG(0,("ERROR: Failed setup nmbd_proxy_logon.\n")); + kill_async_dns_child(); +- exit(1); ++ exit_daemon( "NMBD failed to setup nmbd_proxy_logon.", EACCES); + } + + if (!nmbd_init_packet_server()) { + kill_async_dns_child(); +- exit(1); +- } ++ exit_daemon( "NMBD failed to setup packet server.", EACCES); ++ } + + if (is_daemon && !opt_interactive) { + daemon_ready("nmbd"); +-- +1.8.5.3 + + +From 1067bdd3e590d5ab880044456c667e3663d99c95 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Mar 2014 11:45:21 +0200 +Subject: [PATCH 4/5] winbindd: use exit_daemon() to pass startup status to + systemd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 91013315c9fa946bf85c85df0ccd40a803f3dc6f) +--- + source3/winbindd/winbindd.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 61c1dbc..68ffd7e 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1543,8 +1543,7 @@ int main(int argc, char **argv, char **envp) + winbind_event_context(), + false); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("reinit_after_fork() failed\n")); +- exit(1); ++ exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status)); + } + + /* +@@ -1554,17 +1553,14 @@ int main(int argc, char **argv, char **envp) + */ + status = init_before_fork(); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status))); +- exit(1); ++ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status)); + } + + winbindd_register_handlers(winbind_messaging_context(), !Fork); + + status = init_system_session_info(); + if (!NT_STATUS_IS_OK(status)) { +- 
DEBUG(1, ("ERROR: failed to setup system user info: %s.\n", +- nt_errstr(status))); +- exit(1); ++ exit_daemon("Winbindd failed to setup system user info", map_errno_from_nt_status(status)); + } + + rpc_lsarpc_init(NULL); +@@ -1576,8 +1572,7 @@ int main(int argc, char **argv, char **envp) + /* setup listen sockets */ + + if (!winbindd_setup_listeners()) { +- DEBUG(0,("winbindd_setup_listeners() failed\n")); +- exit(1); ++ exit_daemon("Winbindd failed to setup listeners", EPIPE); + } + + TALLOC_FREE(frame); +-- +1.8.5.3 + + +From 037b9fd66e777571e2c963945e41535371b4683e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Mar 2014 12:30:30 +0200 +Subject: [PATCH 5/5] ad-dc: use exit_daemon() to communicate status of startup + to systemd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit a343303cbcd5af303455843ebf202e2f30daf3a6) +--- + source4/smbd/server.c | 19 +++++++------------ + 1 file changed, 7 insertions(+), 12 deletions(-) + +diff --git a/source4/smbd/server.c b/source4/smbd/server.c +index 3a23190..d5d9d9c 100644 +--- a/source4/smbd/server.c ++++ b/source4/smbd/server.c +@@ -398,15 +398,13 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + + if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) { + if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) { +- DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n")); +- exit(1); ++ exit_daemon("Samba cannot open schannel store for secured NETLOGON operations.", EACCES); + } + } + + /* make sure we won't go through nss_winbind */ + if (!winbind_off()) { +- DEBUG(0,("Failed to disable recusive winbindd calls. 
Exiting.\n")); +- exit(1); ++ exit_daemon("Samba failed to disable recusive winbindd calls.", EACCES); + } + + gensec_init(); /* FIXME: */ +@@ -431,8 +429,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + event_ctx = s4_event_context_init(talloc_autofree_context()); + + if (event_ctx == NULL) { +- DEBUG(0,("Initializing event context failed\n")); +- return 1; ++ exit_daemon("Initializing event context failed", EACCES); + } + + if (opt_interactive) { +@@ -449,7 +446,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + #endif + + if (fstat(0, &st) != 0) { +- exit(1); ++ exit_daemon("Samba failed to set standard input handler", ENOTTY); + } + + if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) { +@@ -478,15 +475,14 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + DEBUG(0, ("At this time the 'samba' binary should only be used for either:\n")); + DEBUGADD(0, ("'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'\n")); + DEBUGADD(0, ("You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks\n")); +- exit(1); ++ exit_daemon("Samba detected misconfigured 'server role' and exited. 
Check logs for details", EINVAL); + }; + + prime_ldb_databases(event_ctx); + + status = setup_parent_messaging(event_ctx, cmdline_lp_ctx); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("Failed to setup parent messaging - %s\n", nt_errstr(status))); +- return 1; ++ exit_daemon("Samba failed to setup parent messaging", NT_STATUS_V(status)); + } + + DEBUG(0,("%s: using '%s' process model\n", binary_name, model)); +@@ -494,8 +490,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ + status = server_service_startup(event_ctx, cmdline_lp_ctx, model, + lpcfg_server_services(cmdline_lp_ctx)); + if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("Starting Services failed - %s\n", nt_errstr(status))); +- return 1; ++ exit_daemon("Samba failed to start services", NT_STATUS_V(status)); + } + + if (opt_daemon) { +-- +1.8.5.3 + diff --git a/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch b/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch new file mode 100644 index 0000000..ec602da --- /dev/null +++ b/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch 
@@ -0,0 +1,52 @@ +From 101c93f1e54095f8e115e33a66ec1127ead207da Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 18 Mar 2014 19:41:38 +0200 +Subject: [PATCH] lsa.idl: define lsa.ForestTrustCollisionInfo and + ForestTrustCollisionRecord as public structs + +For Python bindings PIDL wants the struct to be defined as public if we +want to use __ndr_print/pack/unpack. + +Define the [public] attribute to ForestTrustCollisionInfo/Record to +allow easier debugging when there is collision in establishing a trust. + +This change does not affect C code as NDR functions are always +generated, only not exposed in Python bindings. + +https://bugzilla.samba.org/show_bug.cgi?id=10504 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Jelmer Vernooij + +Autobuild-User(master): Alexander Bokovoy +Autobuild-Date(master): Mon Mar 24 12:44:50 CET 2014 on sn-devel-104 + +(cherry picked from commit 59767911bded48388c27d5f9cd2ff1346a1c01a6) +--- + librpc/idl/lsa.idl | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl +index d8f2649..80efbd5 100644 +--- a/librpc/idl/lsa.idl ++++ b/librpc/idl/lsa.idl +@@ -1328,14 +1328,14 @@ import "misc.idl", "security.idl"; + [default] uint32 flags; + } lsa_ForestTrustCollisionFlags; + +- typedef struct { ++ typedef [public] struct { + uint32 index; + lsa_ForestTrustCollisionRecordType type; + [switch_is(type)] lsa_ForestTrustCollisionFlags flags; + lsa_String name; + } lsa_ForestTrustCollisionRecord; + +- typedef struct { ++ typedef [public] struct { + uint32 count; + [size_is(count)] lsa_ForestTrustCollisionRecord **entries; + } lsa_ForestTrustCollisionInfo; +-- +1.8.5.3 + diff --git a/SOURCES/samba-4.1.x-CVE-2013-4496.patch b/SOURCES/samba-4.1.x-CVE-2013-4496.patch new file mode 100644 index 0000000..7529025 --- /dev/null +++ b/SOURCES/samba-4.1.x-CVE-2013-4496.patch 
@@ -0,0 +1,1118 @@ +From c129261c506c6b941630fd7f4bc72820eb272761 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 1 Nov 2013 14:55:44 +1300 +Subject: [PATCH 1/4] CVE-2013-4496:s3-samr: Block attempts to crack passwords + via repeated password changes + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 + +Signed-off-by: Andrew Bartlett +Signed-off-by: Stefan Metzmacher +Signed-off-by: Jeremy Allison +Reviewed-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +--- + source3/rpc_server/samr/srv_samr_chgpasswd.c | 55 ++++++++++++++++ + source3/rpc_server/samr/srv_samr_nt.c | 90 +++++++++++++++++++++----- + 2 files changed, 129 insertions(+), 16 deletions(-) + +diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c +index db1f459..1c9c33a 100644 +--- a/source3/rpc_server/samr/srv_samr_chgpasswd.c ++++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c +@@ -1106,6 +1106,8 @@ NTSTATUS pass_oem_change(char *user, const char *rhost, + struct samu *sampass = NULL; + NTSTATUS nt_status; + bool ret = false; ++ bool updated_badpw = false; ++ NTSTATUS update_login_attempts_status; + + if (!(sampass = samu_new(NULL))) { + return NT_STATUS_NO_MEMORY; +@@ -1121,6 +1123,13 @@ NTSTATUS pass_oem_change(char *user, const char *rhost, + return NT_STATUS_NO_SUCH_USER; + } + ++ /* Quit if the account was locked out. */ ++ if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { ++ DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", user)); ++ TALLOC_FREE(sampass); ++ return NT_STATUS_ACCOUNT_LOCKED_OUT; ++ } ++ + nt_status = check_oem_password(user, + password_encrypted_with_lm_hash, + old_lm_hash_encrypted, +@@ -1129,6 +1138,52 @@ NTSTATUS pass_oem_change(char *user, const char *rhost, + sampass, + &new_passwd); + ++ /* ++ * Notify passdb backend of login success/failure. 
If not ++ * NT_STATUS_OK the backend doesn't like the login ++ */ ++ update_login_attempts_status = pdb_update_login_attempts(sampass, ++ NT_STATUS_IS_OK(nt_status)); ++ ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ bool increment_bad_pw_count = false; ++ ++ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) && ++ (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && ++ NT_STATUS_IS_OK(update_login_attempts_status)) ++ { ++ increment_bad_pw_count = true; ++ } ++ ++ if (increment_bad_pw_count) { ++ pdb_increment_bad_password_count(sampass); ++ updated_badpw = true; ++ } else { ++ pdb_update_bad_password_count(sampass, ++ &updated_badpw); ++ } ++ } else { ++ ++ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) && ++ (pdb_get_bad_password_count(sampass) > 0)){ ++ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED); ++ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED); ++ updated_badpw = true; ++ } ++ } ++ ++ if (updated_badpw) { ++ NTSTATUS update_status; ++ become_root(); ++ update_status = pdb_update_sam_account(sampass); ++ unbecome_root(); ++ ++ if (!NT_STATUS_IS_OK(update_status)) { ++ DEBUG(1, ("Failed to modify entry: %s\n", ++ nt_errstr(update_status))); ++ } ++ } ++ + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(sampass); + return nt_status; +diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c +index b366eda..98e8bea 100644 +--- a/source3/rpc_server/samr/srv_samr_nt.c ++++ b/source3/rpc_server/samr/srv_samr_nt.c +@@ -1722,9 +1722,11 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + NTSTATUS status; + bool ret = false; + struct samr_user_info *uinfo; +- struct samu *pwd; ++ struct samu *pwd = NULL; + struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash; + struct samr_Password lm_pwd, nt_pwd; ++ bool updated_badpw = false; ++ NTSTATUS update_login_attempts_status; + + uinfo = policy_handle_find(p, r->in.user_handle, + SAMR_USER_ACCESS_SET_PASSWORD, NULL, +@@ -1736,6 +1738,15 @@ NTSTATUS 
_samr_ChangePasswordUser(struct pipes_struct *p, + DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n", + sid_string_dbg(&uinfo->sid))); + ++ /* basic sanity checking on parameters. Do this before any database ops */ ++ if (!r->in.lm_present || !r->in.nt_present || ++ !r->in.old_lm_crypted || !r->in.new_lm_crypted || ++ !r->in.old_nt_crypted || !r->in.new_nt_crypted) { ++ /* we should really handle a change with lm not ++ present */ ++ return NT_STATUS_INVALID_PARAMETER_MIX; ++ } ++ + if (!(pwd = samu_new(NULL))) { + return NT_STATUS_NO_MEMORY; + } +@@ -1749,6 +1760,14 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + return NT_STATUS_WRONG_PASSWORD; + } + ++ /* Quit if the account was locked out. */ ++ if (pdb_get_acct_ctrl(pwd) & ACB_AUTOLOCK) { ++ DEBUG(3, ("Account for user %s was locked out.\n", ++ pdb_get_username(pwd))); ++ status = NT_STATUS_ACCOUNT_LOCKED_OUT; ++ goto out; ++ } ++ + { + const uint8_t *lm_pass, *nt_pass; + +@@ -1757,29 +1776,19 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + + if (!lm_pass || !nt_pass) { + status = NT_STATUS_WRONG_PASSWORD; +- goto out; ++ goto update_login; + } + + memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash)); + memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash)); + } + +- /* basic sanity checking on parameters. 
Do this before any database ops */ +- if (!r->in.lm_present || !r->in.nt_present || +- !r->in.old_lm_crypted || !r->in.new_lm_crypted || +- !r->in.old_nt_crypted || !r->in.new_nt_crypted) { +- /* we should really handle a change with lm not +- present */ +- status = NT_STATUS_INVALID_PARAMETER_MIX; +- goto out; +- } +- + /* decrypt and check the new lm hash */ + D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash); + D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash); + if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) { + status = NT_STATUS_WRONG_PASSWORD; +- goto out; ++ goto update_login; + } + + /* decrypt and check the new nt hash */ +@@ -1787,7 +1796,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash); + if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) { + status = NT_STATUS_WRONG_PASSWORD; +- goto out; ++ goto update_login; + } + + /* The NT Cross is not required by Win2k3 R2, but if present +@@ -1796,7 +1805,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash); + if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) { + status = NT_STATUS_WRONG_PASSWORD; +- goto out; ++ goto update_login; + } + } + +@@ -1806,7 +1815,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash); + if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) { + status = NT_STATUS_WRONG_PASSWORD; +- goto out; ++ goto update_login; + } + } + +@@ -1817,6 +1826,55 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + } + + status = pdb_update_sam_account(pwd); ++ ++update_login: ++ ++ /* ++ * Notify passdb backend of login success/failure. 
If not ++ * NT_STATUS_OK the backend doesn't like the login ++ */ ++ update_login_attempts_status = pdb_update_login_attempts(pwd, ++ NT_STATUS_IS_OK(status)); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ bool increment_bad_pw_count = false; ++ ++ if (NT_STATUS_EQUAL(status,NT_STATUS_WRONG_PASSWORD) && ++ (pdb_get_acct_ctrl(pwd) & ACB_NORMAL) && ++ NT_STATUS_IS_OK(update_login_attempts_status)) ++ { ++ increment_bad_pw_count = true; ++ } ++ ++ if (increment_bad_pw_count) { ++ pdb_increment_bad_password_count(pwd); ++ updated_badpw = true; ++ } else { ++ pdb_update_bad_password_count(pwd, ++ &updated_badpw); ++ } ++ } else { ++ ++ if ((pdb_get_acct_ctrl(pwd) & ACB_NORMAL) && ++ (pdb_get_bad_password_count(pwd) > 0)){ ++ pdb_set_bad_password_count(pwd, 0, PDB_CHANGED); ++ pdb_set_bad_password_time(pwd, 0, PDB_CHANGED); ++ updated_badpw = true; ++ } ++ } ++ ++ if (updated_badpw) { ++ NTSTATUS update_status; ++ become_root(); ++ update_status = pdb_update_sam_account(pwd); ++ unbecome_root(); ++ ++ if (!NT_STATUS_IS_OK(update_status)) { ++ DEBUG(1, ("Failed to modify entry: %s\n", ++ nt_errstr(update_status))); ++ } ++ } ++ + out: + TALLOC_FREE(pwd); + +-- +1.7.9.5 + + +From fab5ee090e2e4765441b82e17a6cbb98523f6943 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Nov 2013 14:04:20 +0100 +Subject: [PATCH 2/4] CVE-2013-4496:s3:auth: fix memory leak in the + ACCOUNT_LOCKED_OUT case. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +Signed-off-by: Andrew Bartlett +Reviewed-by: Andreas Schneider +--- + source3/auth/check_samsec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c +index 7ed8cc2..94f30b1 100644 +--- a/source3/auth/check_samsec.c ++++ b/source3/auth/check_samsec.c +@@ -408,6 +408,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, + /* Quit if the account was locked out. 
*/ + if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) { + DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username)); ++ TALLOC_FREE(sampass); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + +-- +1.7.9.5 + + +From bf3443c12f2a67481eb2e45ca41b906c438d06da Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Tue, 5 Nov 2013 16:16:46 +1300 +Subject: [PATCH 3/4] CVE-2013-4496:samr: Remove ChangePasswordUser + +This old password change mechanism does not provide the plaintext to +validate against password complexity, and it is not used by modern +clients. + +The missing features in both implementations (by design) were: + + - the password complexity checks (no plaintext) + - the minimum password length (no plaintext) + +Additionally, the source3 version did not check: + + - the minimum password age + - pdb_get_pass_can_change() which checks the security + descriptor for the 'user cannot change password' setting. + - the password history + - the output of the 'passwd program' if 'unix passwd sync = yes'. + +Finally, the mechanism was almost useless, as it was incorrectly +only made available to administrative users with permission +to reset the password. It is removed here so that it is not +mistakenly reinstated in the future. 
+ +Andrew Bartlett + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +--- + source3/rpc_server/samr/srv_samr_nt.c | 169 +------------------- + source3/smbd/lanman.c | 254 ------------------------------- + source4/rpc_server/samr/samr_password.c | 145 +----------------- + source4/torture/rpc/samr.c | 6 + + 4 files changed, 20 insertions(+), 554 deletions(-) + +diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c +index 98e8bea..99f03ec 100644 +--- a/source3/rpc_server/samr/srv_samr_nt.c ++++ b/source3/rpc_server/samr/srv_samr_nt.c +@@ -1713,172 +1713,19 @@ NTSTATUS _samr_LookupNames(struct pipes_struct *p, + } + + /**************************************************************** +- _samr_ChangePasswordUser ++ _samr_ChangePasswordUser. ++ ++ So old it is just not worth implementing ++ because it does not supply a plaintext and so we can't do password ++ complexity checking and cannot update other services that use a ++ plaintext password via passwd chat/pam password change/ldap password ++ sync. + ****************************************************************/ + + NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p, + struct samr_ChangePasswordUser *r) + { +- NTSTATUS status; +- bool ret = false; +- struct samr_user_info *uinfo; +- struct samu *pwd = NULL; +- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash; +- struct samr_Password lm_pwd, nt_pwd; +- bool updated_badpw = false; +- NTSTATUS update_login_attempts_status; +- +- uinfo = policy_handle_find(p, r->in.user_handle, +- SAMR_USER_ACCESS_SET_PASSWORD, NULL, +- struct samr_user_info, &status); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- +- DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n", +- sid_string_dbg(&uinfo->sid))); +- +- /* basic sanity checking on parameters. 
Do this before any database ops */ +- if (!r->in.lm_present || !r->in.nt_present || +- !r->in.old_lm_crypted || !r->in.new_lm_crypted || +- !r->in.old_nt_crypted || !r->in.new_nt_crypted) { +- /* we should really handle a change with lm not +- present */ +- return NT_STATUS_INVALID_PARAMETER_MIX; +- } +- +- if (!(pwd = samu_new(NULL))) { +- return NT_STATUS_NO_MEMORY; +- } +- +- become_root(); +- ret = pdb_getsampwsid(pwd, &uinfo->sid); +- unbecome_root(); +- +- if (!ret) { +- TALLOC_FREE(pwd); +- return NT_STATUS_WRONG_PASSWORD; +- } +- +- /* Quit if the account was locked out. */ +- if (pdb_get_acct_ctrl(pwd) & ACB_AUTOLOCK) { +- DEBUG(3, ("Account for user %s was locked out.\n", +- pdb_get_username(pwd))); +- status = NT_STATUS_ACCOUNT_LOCKED_OUT; +- goto out; +- } +- +- { +- const uint8_t *lm_pass, *nt_pass; +- +- lm_pass = pdb_get_lanman_passwd(pwd); +- nt_pass = pdb_get_nt_passwd(pwd); +- +- if (!lm_pass || !nt_pass) { +- status = NT_STATUS_WRONG_PASSWORD; +- goto update_login; +- } +- +- memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash)); +- memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash)); +- } +- +- /* decrypt and check the new lm hash */ +- D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash); +- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash); +- if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) { +- status = NT_STATUS_WRONG_PASSWORD; +- goto update_login; +- } +- +- /* decrypt and check the new nt hash */ +- D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash); +- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash); +- if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) { +- status = NT_STATUS_WRONG_PASSWORD; +- goto update_login; +- } +- +- /* The NT Cross is not required by Win2k3 R2, but if present +- check the nt cross hash */ +- if (r->in.cross1_present && r->in.nt_cross) { +- D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash); +- if (memcmp(checkHash.hash, 
new_ntPwdHash.hash, 16) != 0) { +- status = NT_STATUS_WRONG_PASSWORD; +- goto update_login; +- } +- } +- +- /* The LM Cross is not required by Win2k3 R2, but if present +- check the lm cross hash */ +- if (r->in.cross2_present && r->in.lm_cross) { +- D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash); +- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) { +- status = NT_STATUS_WRONG_PASSWORD; +- goto update_login; +- } +- } +- +- if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) || +- !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) { +- status = NT_STATUS_ACCESS_DENIED; +- goto out; +- } +- +- status = pdb_update_sam_account(pwd); +- +-update_login: +- +- /* +- * Notify passdb backend of login success/failure. If not +- * NT_STATUS_OK the backend doesn't like the login +- */ +- update_login_attempts_status = pdb_update_login_attempts(pwd, +- NT_STATUS_IS_OK(status)); +- +- if (!NT_STATUS_IS_OK(status)) { +- bool increment_bad_pw_count = false; +- +- if (NT_STATUS_EQUAL(status,NT_STATUS_WRONG_PASSWORD) && +- (pdb_get_acct_ctrl(pwd) & ACB_NORMAL) && +- NT_STATUS_IS_OK(update_login_attempts_status)) +- { +- increment_bad_pw_count = true; +- } +- +- if (increment_bad_pw_count) { +- pdb_increment_bad_password_count(pwd); +- updated_badpw = true; +- } else { +- pdb_update_bad_password_count(pwd, +- &updated_badpw); +- } +- } else { +- +- if ((pdb_get_acct_ctrl(pwd) & ACB_NORMAL) && +- (pdb_get_bad_password_count(pwd) > 0)){ +- pdb_set_bad_password_count(pwd, 0, PDB_CHANGED); +- pdb_set_bad_password_time(pwd, 0, PDB_CHANGED); +- updated_badpw = true; +- } +- } +- +- if (updated_badpw) { +- NTSTATUS update_status; +- become_root(); +- update_status = pdb_update_sam_account(pwd); +- unbecome_root(); +- +- if (!NT_STATUS_IS_OK(update_status)) { +- DEBUG(1, ("Failed to modify entry: %s\n", +- nt_errstr(update_status))); +- } +- } +- +- out: +- TALLOC_FREE(pwd); +- +- return status; ++ return NT_STATUS_NOT_IMPLEMENTED; + } + + 
/******************************************************************* +diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c +index e6b9530..1b734a7 100644 +--- a/source3/smbd/lanman.c ++++ b/source3/smbd/lanman.c +@@ -2948,259 +2948,6 @@ static bool api_NetRemoteTOD(struct smbd_server_connection *sconn, + } + + /**************************************************************************** +- Set the user password. +-*****************************************************************************/ +- +-static bool api_SetUserPassword(struct smbd_server_connection *sconn, +- connection_struct *conn,uint64_t vuid, +- char *param, int tpscnt, +- char *data, int tdscnt, +- int mdrcnt,int mprcnt, +- char **rdata,char **rparam, +- int *rdata_len,int *rparam_len) +-{ +- char *np = get_safe_str_ptr(param,tpscnt,param,2); +- char *p = NULL; +- fstring user; +- fstring pass1,pass2; +- TALLOC_CTX *mem_ctx = talloc_tos(); +- NTSTATUS status, result; +- struct rpc_pipe_client *cli = NULL; +- struct policy_handle connect_handle, domain_handle, user_handle; +- struct lsa_String domain_name; +- struct dom_sid2 *domain_sid; +- struct lsa_String names; +- struct samr_Ids rids; +- struct samr_Ids types; +- struct samr_Password old_lm_hash; +- struct samr_Password new_lm_hash; +- int errcode = NERR_badpass; +- uint32_t rid; +- int encrypted; +- int min_pwd_length; +- struct dcerpc_binding_handle *b = NULL; +- +- /* Skip 2 strings. */ +- p = skip_string(param,tpscnt,np); +- p = skip_string(param,tpscnt,p); +- +- if (!np || !p) { +- return False; +- } +- +- /* Do we have a string ? */ +- if (skip_string(param,tpscnt,p) == NULL) { +- return False; +- } +- pull_ascii_fstring(user,p); +- +- p = skip_string(param,tpscnt,p); +- if (!p) { +- return False; +- } +- +- memset(pass1,'\0',sizeof(pass1)); +- memset(pass2,'\0',sizeof(pass2)); +- /* +- * We use 31 here not 32 as we're checking +- * the last byte we want to access is safe. 
+- */ +- if (!is_offset_safe(param,tpscnt,p,31)) { +- return False; +- } +- memcpy(pass1,p,16); +- memcpy(pass2,p+16,16); +- +- encrypted = get_safe_SVAL(param,tpscnt,p+32,0,-1); +- if (encrypted == -1) { +- errcode = W_ERROR_V(WERR_INVALID_PARAM); +- goto out; +- } +- +- min_pwd_length = get_safe_SVAL(param,tpscnt,p+34,0,-1); +- if (min_pwd_length == -1) { +- errcode = W_ERROR_V(WERR_INVALID_PARAM); +- goto out; +- } +- +- *rparam_len = 4; +- *rparam = smb_realloc_limit(*rparam,*rparam_len); +- if (!*rparam) { +- return False; +- } +- +- *rdata_len = 0; +- +- DEBUG(3,("Set password for <%s> (encrypted: %d, min_pwd_length: %d)\n", +- user, encrypted, min_pwd_length)); +- +- ZERO_STRUCT(connect_handle); +- ZERO_STRUCT(domain_handle); +- ZERO_STRUCT(user_handle); +- +- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id, +- conn->session_info, +- conn->sconn->remote_address, +- conn->sconn->msg_ctx, +- &cli); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(0,("api_SetUserPassword: could not connect to samr: %s\n", +- nt_errstr(status))); +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- +- b = cli->binding_handle; +- +- status = dcerpc_samr_Connect2(b, mem_ctx, +- lp_netbios_name(), +- SAMR_ACCESS_CONNECT_TO_SERVER | +- SAMR_ACCESS_ENUM_DOMAINS | +- SAMR_ACCESS_LOOKUP_DOMAIN, +- &connect_handle, +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- init_lsa_String(&domain_name, get_global_sam_name()); +- +- status = dcerpc_samr_LookupDomain(b, mem_ctx, +- &connect_handle, +- &domain_name, +- &domain_sid, +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- status = 
dcerpc_samr_OpenDomain(b, mem_ctx, +- &connect_handle, +- SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT, +- domain_sid, +- &domain_handle, +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- init_lsa_String(&names, user); +- +- status = dcerpc_samr_LookupNames(b, mem_ctx, +- &domain_handle, +- 1, +- &names, +- &rids, +- &types, +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- if (rids.count != 1) { +- errcode = W_ERROR_V(WERR_NO_SUCH_USER); +- goto out; +- } +- if (rids.count != types.count) { +- errcode = W_ERROR_V(WERR_INVALID_PARAM); +- goto out; +- } +- if (types.ids[0] != SID_NAME_USER) { +- errcode = W_ERROR_V(WERR_INVALID_PARAM); +- goto out; +- } +- +- rid = rids.ids[0]; +- +- status = dcerpc_samr_OpenUser(b, mem_ctx, +- &domain_handle, +- SAMR_USER_ACCESS_CHANGE_PASSWORD, +- rid, +- &user_handle, +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- if (encrypted == 0) { +- E_deshash(pass1, old_lm_hash.hash); +- E_deshash(pass2, new_lm_hash.hash); +- } else { +- ZERO_STRUCT(old_lm_hash); +- ZERO_STRUCT(new_lm_hash); +- memcpy(old_lm_hash.hash, pass1, MIN(strlen(pass1), 16)); +- memcpy(new_lm_hash.hash, pass2, MIN(strlen(pass2), 16)); +- } +- +- status = dcerpc_samr_ChangePasswordUser(b, mem_ctx, +- &user_handle, +- true, /* lm_present */ +- &old_lm_hash, +- &new_lm_hash, +- false, /* nt_present */ +- NULL, /* old_nt_crypted */ +- NULL, /* new_nt_crypted */ +- false, /* cross1_present */ +- NULL, /* nt_cross */ +- false, /* cross2_present */ +- 
NULL, /* lm_cross */ +- &result); +- if (!NT_STATUS_IS_OK(status)) { +- errcode = W_ERROR_V(ntstatus_to_werror(status)); +- goto out; +- } +- if (!NT_STATUS_IS_OK(result)) { +- errcode = W_ERROR_V(ntstatus_to_werror(result)); +- goto out; +- } +- +- errcode = NERR_Success; +- out: +- +- if (b && is_valid_policy_hnd(&user_handle)) { +- dcerpc_samr_Close(b, mem_ctx, &user_handle, &result); +- } +- if (b && is_valid_policy_hnd(&domain_handle)) { +- dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result); +- } +- if (b && is_valid_policy_hnd(&connect_handle)) { +- dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result); +- } +- +- memset((char *)pass1,'\0',sizeof(fstring)); +- memset((char *)pass2,'\0',sizeof(fstring)); +- +- SSVAL(*rparam,0,errcode); +- SSVAL(*rparam,2,0); /* converter word */ +- return(True); +-} +- +-/**************************************************************************** + Set the user password (SamOEM version - gets plaintext). + ****************************************************************************/ + +@@ -5797,7 +5544,6 @@ static const struct { + {"NetServerEnum2", RAP_NetServerEnum2, api_RNetServerEnum2}, /* anon OK */ + {"NetServerEnum3", RAP_NetServerEnum3, api_RNetServerEnum3}, /* anon OK */ + {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms}, +- {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword}, + {"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon}, + {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo}, + {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum}, +diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c +index 2d9c48a..9d6c921 100644 +--- a/source4/rpc_server/samr/samr_password.c ++++ b/source4/rpc_server/samr/samr_password.c +@@ -33,150 +33,17 @@ + + /* + samr_ChangePasswordUser ++ ++ So old it is just not worth implementing ++ because it does not supply a plaintext and so we can't do password ++ complexity checking 
and cannot update all the other password hashes. ++ + */ + NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call, + TALLOC_CTX *mem_ctx, + struct samr_ChangePasswordUser *r) + { +- struct dcesrv_handle *h; +- struct samr_account_state *a_state; +- struct ldb_context *sam_ctx; +- struct ldb_message **res; +- int ret; +- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash; +- struct samr_Password *lm_pwd, *nt_pwd; +- NTSTATUS status = NT_STATUS_OK; +- const char * const attrs[] = { "dBCSPwd", "unicodePwd" , NULL }; +- +- DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER); +- +- a_state = h->data; +- +- /* basic sanity checking on parameters. Do this before any database ops */ +- if (!r->in.lm_present || !r->in.nt_present || +- !r->in.old_lm_crypted || !r->in.new_lm_crypted || +- !r->in.old_nt_crypted || !r->in.new_nt_crypted) { +- /* we should really handle a change with lm not +- present */ +- return NT_STATUS_INVALID_PARAMETER_MIX; +- } +- +- /* Connect to a SAMDB with system privileges for fetching the old pw +- * hashes. 
*/ +- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, +- dce_call->conn->dce_ctx->lp_ctx, +- system_session(dce_call->conn->dce_ctx->lp_ctx), 0); +- if (sam_ctx == NULL) { +- return NT_STATUS_INVALID_SYSTEM_SERVICE; +- } +- +- /* fetch the old hashes */ +- ret = gendb_search_dn(sam_ctx, mem_ctx, +- a_state->account_dn, &res, attrs); +- if (ret != 1) { +- return NT_STATUS_WRONG_PASSWORD; +- } +- +- status = samdb_result_passwords(mem_ctx, +- dce_call->conn->dce_ctx->lp_ctx, +- res[0], &lm_pwd, &nt_pwd); +- if (!NT_STATUS_IS_OK(status) || !nt_pwd) { +- return NT_STATUS_WRONG_PASSWORD; +- } +- +- /* decrypt and check the new lm hash */ +- if (lm_pwd) { +- D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash); +- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash); +- } +- +- /* decrypt and check the new nt hash */ +- D_P16(nt_pwd->hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash); +- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash); +- +- /* The NT Cross is not required by Win2k3 R2, but if present +- check the nt cross hash */ +- if (r->in.cross1_present && r->in.nt_cross && lm_pwd) { +- D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash); +- } +- +- /* The LM Cross is not required by Win2k3 R2, but if present +- check the lm cross hash */ +- if (r->in.cross2_present && r->in.lm_cross && lm_pwd) { +- D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash); +- } +- +- /* Start a SAM with user privileges for the password change */ +- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, +- dce_call->conn->dce_ctx->lp_ctx, +- dce_call->conn->auth_state.session_info, 0); +- if (sam_ctx == NULL) { +- return NT_STATUS_INVALID_SYSTEM_SERVICE; +- } +- +- /* Start transaction */ +- ret = ldb_transaction_start(sam_ctx); +- if (ret != LDB_SUCCESS) { +- DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx))); +- return NT_STATUS_TRANSACTION_ABORTED; +- } +- +- /* Performs the password 
modification. We pass the old hashes read out +- * from the database since they were already checked against the user- +- * provided ones. */ +- status = samdb_set_password(sam_ctx, mem_ctx, +- a_state->account_dn, +- a_state->domain_state->domain_dn, +- NULL, &new_lmPwdHash, &new_ntPwdHash, +- lm_pwd, nt_pwd, /* this is a user password change */ +- NULL, +- NULL); +- if (!NT_STATUS_IS_OK(status)) { +- ldb_transaction_cancel(sam_ctx); +- return status; +- } +- +- /* decrypt and check the new lm hash */ +- if (lm_pwd) { +- if (memcmp(checkHash.hash, lm_pwd, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); +- return NT_STATUS_WRONG_PASSWORD; +- } +- } +- +- if (memcmp(checkHash.hash, nt_pwd, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); +- return NT_STATUS_WRONG_PASSWORD; +- } +- +- /* The NT Cross is not required by Win2k3 R2, but if present +- check the nt cross hash */ +- if (r->in.cross1_present && r->in.nt_cross && lm_pwd) { +- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); +- return NT_STATUS_WRONG_PASSWORD; +- } +- } +- +- /* The LM Cross is not required by Win2k3 R2, but if present +- check the lm cross hash */ +- if (r->in.cross2_present && r->in.lm_cross && lm_pwd) { +- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); +- return NT_STATUS_WRONG_PASSWORD; +- } +- } +- +- /* And this confirms it in a transaction commit */ +- ret = ldb_transaction_commit(sam_ctx); +- if (ret != LDB_SUCCESS) { +- DEBUG(1,("Failed to commit transaction to change password on %s: %s\n", +- ldb_dn_get_linearized(a_state->account_dn), +- ldb_errstring(sam_ctx))); +- return NT_STATUS_TRANSACTION_ABORTED; +- } +- +- return NT_STATUS_OK; ++ return NT_STATUS_NOT_IMPLEMENTED; + } + + /* +diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c +index a0a5f1a..cdfa2b8 100644 +--- a/source4/torture/rpc/samr.c ++++ b/source4/torture/rpc/samr.c +@@ -1759,6 +1759,12 @@ static bool 
test_ChangePasswordUser(struct dcerpc_binding_handle *b, + torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n", + __location__, __FUNCTION__, + oldpass, newpass, nt_errstr(r.out.result)); ++ ++ /* Do not proceed if this call has been removed */ ++ if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) { ++ return true; ++ } ++ + if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) { + torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD, + "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM hash"); +-- +1.7.9.5 + + +From b0281ad59d3ba8b32787ce112fb4a83d935c60d1 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Thu, 28 Nov 2013 06:50:01 +1300 +Subject: [PATCH 4/4] CVE-2013-4496:Revert remainder of + ce895609b04380bfc41e4f8fddc84bd2f9324340 + +Part of this was removed when ChangePasswordUser was unimplemented, +but remove the remainder of this flawed commit. Fully check the +password first, as extract_pw_from_buffer() already does a partial +check of the password because it needs a correct old password to +correctly decrypt the length. 
+ +Andrew Bartlett + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +--- + source4/rpc_server/samr/samr_password.c | 69 ++++++++++++++++--------------- + 1 file changed, 35 insertions(+), 34 deletions(-) + +diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c +index 9d6c921..685a8e7 100644 +--- a/source4/rpc_server/samr/samr_password.c ++++ b/source4/rpc_server/samr/samr_password.c +@@ -142,6 +142,9 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, + + E_deshash(new_pass, new_lm_hash); + E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash); ++ if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) { ++ return NT_STATUS_WRONG_PASSWORD; ++ } + + /* Connect to a SAMDB with user privileges for the password change */ + sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, +@@ -173,11 +176,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call, + return status; + } + +- if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); +- return NT_STATUS_WRONG_PASSWORD; +- } +- + /* And this confirms it in a transaction commit */ + ret = ldb_transaction_commit(sam_ctx); + if (ret != LDB_SUCCESS) { +@@ -267,33 +265,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, + goto failed; + } + +- /* Connect to a SAMDB with user privileges for the password change */ +- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, +- dce_call->conn->dce_ctx->lp_ctx, +- dce_call->conn->auth_state.session_info, 0); +- if (sam_ctx == NULL) { +- return NT_STATUS_INVALID_SYSTEM_SERVICE; +- } +- +- ret = ldb_transaction_start(sam_ctx); +- if (ret != LDB_SUCCESS) { +- DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx))); +- return NT_STATUS_TRANSACTION_ABORTED; +- } +- +- /* Performs the password 
modification. We pass the old hashes read out +- * from the database since they were already checked against the user- +- * provided ones. */ +- status = samdb_set_password(sam_ctx, mem_ctx, +- user_dn, NULL, +- &new_password, +- NULL, NULL, +- lm_pwd, nt_pwd, /* this is a user password change */ +- &reason, +- &dominfo); +- +- if (!NT_STATUS_IS_OK(status)) { +- ldb_transaction_cancel(sam_ctx); ++ if (r->in.nt_verifier == NULL) { ++ status = NT_STATUS_WRONG_PASSWORD; + goto failed; + } + +@@ -302,7 +275,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, + + E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash); + if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); + status = NT_STATUS_WRONG_PASSWORD; + goto failed; + } +@@ -322,13 +294,42 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call, + E_deshash(new_pass, new_lm_hash); + E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash); + if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) { +- ldb_transaction_cancel(sam_ctx); + status = NT_STATUS_WRONG_PASSWORD; + goto failed; + } + } + } + ++ /* Connect to a SAMDB with user privileges for the password change */ ++ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, ++ dce_call->conn->dce_ctx->lp_ctx, ++ dce_call->conn->auth_state.session_info, 0); ++ if (sam_ctx == NULL) { ++ return NT_STATUS_INVALID_SYSTEM_SERVICE; ++ } ++ ++ ret = ldb_transaction_start(sam_ctx); ++ if (ret != LDB_SUCCESS) { ++ DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx))); ++ return NT_STATUS_TRANSACTION_ABORTED; ++ } ++ ++ /* Performs the password modification. We pass the old hashes read out ++ * from the database since they were already checked against the user- ++ * provided ones. 
*/ ++ status = samdb_set_password(sam_ctx, mem_ctx, ++ user_dn, NULL, ++ &new_password, ++ NULL, NULL, ++ lm_pwd, nt_pwd, /* this is a user password change */ ++ &reason, ++ &dominfo); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ ldb_transaction_cancel(sam_ctx); ++ goto failed; ++ } ++ + /* And this confirms it in a transaction commit */ + ret = ldb_transaction_commit(sam_ctx); + if (ret != LDB_SUCCESS) { +-- +1.7.9.5 + diff --git a/SOURCES/samba-4.1.x-CVE-2013-6442.patch b/SOURCES/samba-4.1.x-CVE-2013-6442.patch new file mode 100644 index 0000000..39f53bf --- /dev/null +++ b/SOURCES/samba-4.1.x-CVE-2013-6442.patch @@ -0,0 +1,31 @@ +From 82b1dafad17904bc224b0632486006fe88301b57 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Wed, 18 Dec 2013 13:56:18 -0800 +Subject: [PATCH] CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing + ACL when setting owner or group owner. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327 +Bug 10327 - CVE-2013-6442: smbcacls --chown | --chgrp dacl regression + +Signed-off-by: Jeremy Allison +Reviewed-by: Stefan Metzmacher +--- + source3/utils/smbcacls.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c +index 11b7388..e3b7099 100644 +--- a/source3/utils/smbcacls.c ++++ b/source3/utils/smbcacls.c +@@ -990,7 +990,7 @@ static int owner_set(struct cli_state *cli, enum chown_mode change_mode, + return EXIT_FAILED; + } + +- sd = make_sec_desc(talloc_tos(),old->revision, old->type, ++ sd = make_sec_desc(talloc_tos(),old->revision, SEC_DESC_SELF_RELATIVE, + (change_mode == REQUEST_CHOWN) ? &sid : NULL, + (change_mode == REQUEST_CHGRP) ? &sid : NULL, + NULL, NULL, &sd_size); +-- +1.8.5.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index b48a704..e653b3d 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec 
@@ -1,9 +1,9 @@ # Set --with testsuite or %bcond_without to run the Samba torture testsuite. %bcond_with testsuite -%define main_release 3 +%define main_release 31 -%define samba_version 4.1.0 +%define samba_version 4.1.1 %define talloc_version 2.0.8 %define ntdb_version 0.9 %define tdb_version 1.2.12 @@ -85,6 +85,37 @@ Source6: samba.pamd Source200: README.dc Source201: README.downgrade +Patch0: samba-4.1.1-Fix-memset-in-ntdb.patch +Patch1: samba-4.1.0-upn.patch +Patch2: samba-4.1.2-fix_strict_aliasing.patch +Patch3: samba-4.1.2-doc.patch +Patch4: samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch +Patch5: samba-4.1.3-CVE-2013-4408.patch +Patch6: samba-4.1.3-fix_build_warnings.patch +Patch7: samba-4.1.2-winbind_cache_keysize.patch +Patch8: samba-4.1.3-CVE-2012-6150.patch +Patch9: samba-4.1.3-winbind_debug.patch +Patch10: samba-4.1.4-fix_dropbox_regression.patch +Patch11: samba-4.1.4-fix_G_substitution_in_service_path.patch +Patch12: samba-4.1.4-fix_winbind_100_percent_childs.patch +Patch13: samba-4.1.4-Fix-segfault-in-smbd.patch +Patch14: samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch +Patch15: samba-4.1.5-fix_resource_leaks.patch +Patch16: samba-4.1.5-fix_force_user_sec_ads.patch +Patch17: samba-4.1.6-fix_one_way_trusts.patch +Patch18: samba-4.1.6-fix_printer_list_memleadk.patch +Patch19: samba-4.1.6-fix_pidl_install.patch +Patch20: samba-4.1.6-fix_nbt_with_more_than_9_components.patch +Patch21: samba-4.1.6-fix_ipv6_join.patch +Patch22: samba-4.1.x-CVE-2013-4496.patch +Patch23: samba-4.1.x-CVE-2013-6442.patch +Patch24: samba-4.1.6-net_ads_kerberos_pac.patch +Patch25: samba-4.1.6-fix_service_with_force_user.patch +Patch26: samba-4.1.6-fix_fragmented_rpc_handling.patch +Patch27: samba-4.1.7-make_pidl_lsa_struct_public.patch +Patch28: samba-4.1.7-Make_daemons_systemd_aware.patch +Patch29: samba-4.1.6-ipv6_workaround.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires(pre): /usr/sbin/groupadd 
@@ -101,6 +132,14 @@ Requires: libwbclient = %{samba_depver} Provides: samba4 = %{samba_depver} Obsoletes: samba4 < %{samba_depver} +# We don't build it outdated docs anymore +Obsoletes: samba-doc +# Is not supported yet +Obsoletes: samba-domainjoin-gui +# SWAT been deprecated and removed from samba +Obsoletes: samba-swat +Obsoletes: samba4-swat + %if %with_clustering_support BuildRequires: ctdb-devel %endif @@ -126,14 +165,17 @@ BuildRequires: python-devel BuildRequires: python-tevent BuildRequires: quota-devel BuildRequires: readline-devel +BuildRequires: systemd-devel BuildRequires: sed BuildRequires: zlib-devel >= 1.2.3 -BuildRequires: libbsd-devel %if %{with_vfs_glusterfs} BuildRequires: glusterfs-api-devel >= 3.4.0.16 BuildRequires: glusterfs-devel >= 3.4.0.16 %endif +# pidl requirements +BuildRequires: perl(Parse::Yapp) + %if ! %with_internal_talloc %global libtalloc_version 2.0.7 @@ -266,7 +308,8 @@ Summary: Samba VFS module for GlusterFS Group: Applications/System Requires: glusterfs-api >= 3.4.0.16 Requires: glusterfs >= 3.4.0.16 -Requires: samba = %{epoch}:%{samba_version}-%{release} +Requires: %{name} = %{epoch}:%{samba_version}-%{release} +Requires: %{name}-libs = %{epoch}:%{samba_version}-%{release} Obsoletes: samba-glusterfs Provides: samba-glusterfs @@ -325,6 +368,8 @@ The libwbclient package contains the winbind client library from the Samba suite Summary: Developer tools for the winbind library Group: Development/Libraries Requires: libwbclient = %{samba_depver} +Obsoletes: samba-winbind-devel +Provides: samba-winbind-devel %description -n libwbclient-devel The libwbclient-devel package provides developer tools for the wbclient library. 
@@ -359,7 +404,7 @@ Provides: samba4-pidl = %{samba_depver} Obsoletes: samba4-pidl < %{samba_depver} %description pidl -The samba4-pidl package contains the Perl IDL compiler used by Samba +The %{name}-pidl package contains the Perl IDL compiler used by Samba and Wireshark to parse IDL and similar protocols ### TEST 
@@ -475,6 +520,37 @@ module necessary to communicate to the Winbind Daemon %prep %setup -q -n samba-%{version}%{pre_release} +%patch0 -p1 -b .samba-4.1.1-Fix-memset-in-ntdb.patch +%patch1 -p1 -b .samba-4.1.0-upn.patch +%patch2 -p1 -b .samba-4.1.2-fix_strict_aliasing.patch +%patch3 -p1 -b .samba-4.1.2-doc.patch +%patch4 -p1 -b .samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch +%patch5 -p1 -b .samba-4.1.3-CVE-2013-4408.patch +%patch6 -p1 -b .samba-4.1.3-fix_build_warnings.patch +%patch7 -p1 -b .samba-4.1.2-winbind_cache_keysize.patch +%patch8 -p1 -b .samba-4.1.3-CVE-2012-6150.patch +%patch9 -p1 -b .samba-4.1.3-winbind_debug.patch +%patch10 -p1 -b .samba-4.1.4-fix_dropbox_regression.patch +%patch11 -p1 -b .samba-4.1.4-fix_G_substitution_in_service_path.patch +%patch12 -p1 -b .samba-4.1.4-fix_winbind_100_percent_childs.patch +%patch13 -p1 -b .samba-4.1.4-Fix-segfault-in-smbd.patch +%patch14 -p1 -b .samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch +%patch15 -p1 -b .samba-4.1.5-fix_resource_leaks.patch +%patch16 -p1 -b .samba-4.1.5-fix_force_user_sec_ads.patch +%patch17 -p1 -b .samba-4.1.6-fix_one_way_trusts.patch +%patch18 -p1 -b .samba-4.1.6-fix_printer_list_memleadk.patch +%patch19 -p1 -b .samba-4.1.6-fix_pidl_install.patch +%patch20 -p1 -b .samba-4.1.6-fix_nbt_with_more_than_9_components.patch +%patch21 -p1 -b .samba-4.1.6-fix_ipv6_join.patch +%patch22 -p1 -b .samba-4.1.x-CVE-2013-4496.patch +%patch23 -p1 -b .samba-4.1.x-CVE-2013-6442.patch +%patch24 -p1 -b .samba-4.1.6-net_ads_kerberos_pac.patch +%patch25 -p1 -b .samba-4.1.6-fix_service_with_force_user.patch +%patch26 -p1 -b .samba-4.1.6-fix_fragmented_rpc_handling.patch +%patch27 -p1 -b .samba-4.1.7-make_pidl_lsa_struct_public.patch +%patch28 -p1 -b .samba-4.1.7-Make_daemons_systemd_aware.patch +%patch29 -p1 -b .samba-4.1.6-ipv6_workaround.patch + %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent 
@@ -527,11 +603,13 @@ LDFLAGS="-Wl,-z,relro,-z,now" \ --with-pammodulesdir=%{_libdir}/security \ --with-lockdir=/var/lib/samba \ --with-cachedir=/var/lib/samba \ + --with-perl-vendordir=%{perl_vendorlib} \ --disable-gnutls \ --disable-rpath-install \ --with-shared-modules=%{_samba4_modules} \ --bundled-libraries=%{_samba4_libraries} \ --with-pam \ + --without-fam \ %if (! %with_libsmbclient) || (! %with_libwbclient) --private-libraries=%{_samba4_private_libraries} \ %endif @@ -552,15 +630,12 @@ LDFLAGS="-Wl,-z,relro,-z,now" \ --enable-selftest \ %endif %if ! %with_pam_smbpass - --without-pam_smbpass + --without-pam_smbpass \ %endif + --with-systemd make %{?_smp_mflags} -# Build PIDL for installation into vendor directories before -# 'make proto' gets to it. -(cd pidl && %{__perl} Makefile.PL INSTALLDIRS=vendor ) - %install rm -rf %{buildroot} make install DESTDIR=%{buildroot} @@ -579,13 +654,6 @@ install -d -m 0755 %{buildroot}/var/run/winbindd install -d -m 0755 %{buildroot}/%{_libdir}/samba install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig -# Undo the PIDL install, we want to try again with the right options. -rm -rf %{buildroot}/%{_libdir}/perl5 -rm -rf %{buildroot}/%{_datadir}/perl5 - -# Install PIDL. -( cd pidl && make install PERL_INSTALL_ROOT=%{buildroot} ) - # Install other stuff install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba @@ -620,7 +688,7 @@ install -m 0644 %{SOURCE200} packaging/README.dc-libs install -d -m 0755 %{buildroot}%{_unitdir} for i in nmb smb winbind ; do - cat packaging/systemd/$i.service | sed -e 's@Type=forking@Type=forking\nEnvironment=KRB5CCNAME=/run/samba/krb5cc_samba@g' >tmp$i.service + cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=/run/samba/krb5cc_samba@g' >tmp$i.service install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service done 
@@ -633,18 +701,10 @@ install -m 0755 packaging/NetworkManager/30-winbind-systemd \ install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -# Clean out crap left behind by the PIDL install. -find %{buildroot} -type f -name .packlist -exec rm -f {} \; -rm -f %{buildroot}%{perl_vendorlib}/wscript_build -rm -rf %{buildroot}%{perl_vendorlib}/Parse/Yapp - # This makes the right links, as rpmlint requires that # the ldconfig-created links be recorded in the RPM. /sbin/ldconfig -N -n %{buildroot}%{_libdir} -# Fix up permission on perl install. -%{_fixperms} %{buildroot}%{perl_vendorlib} - %if %{with testsuite} %check TDB_NO_FSYNC=1 make %{?_smp_mflags} test 
@@ -1435,10 +1495,41 @@ rm -rf %{buildroot} ### PIDL %files pidl %defattr(-,root,root,-) -%{perl_vendorlib}/Parse/Pidl* +%attr(755,root,root) %{_bindir}/pidl +%dir %{perl_vendorlib}/Parse +%{perl_vendorlib}/Parse/Pidl.pm +%dir %{perl_vendorlib}/Parse/Pidl +%{perl_vendorlib}/Parse/Pidl/CUtil.pm +%{perl_vendorlib}/Parse/Pidl/Samba4.pm +%{perl_vendorlib}/Parse/Pidl/Expr.pm +%{perl_vendorlib}/Parse/Pidl/ODL.pm +%{perl_vendorlib}/Parse/Pidl/Typelist.pm +%{perl_vendorlib}/Parse/Pidl/IDL.pm +%{perl_vendorlib}/Parse/Pidl/Compat.pm +%dir %{perl_vendorlib}/Parse/Pidl/Wireshark +%{perl_vendorlib}/Parse/Pidl/Wireshark/Conformance.pm +%{perl_vendorlib}/Parse/Pidl/Wireshark/NDR.pm +%{perl_vendorlib}/Parse/Pidl/Dump.pm +%dir %{perl_vendorlib}/Parse/Pidl/Samba3 +%{perl_vendorlib}/Parse/Pidl/Samba3/ServerNDR.pm +%{perl_vendorlib}/Parse/Pidl/Samba3/ClientNDR.pm +%dir %{perl_vendorlib}/Parse/Pidl/Samba4 +%{perl_vendorlib}/Parse/Pidl/Samba4/Header.pm +%dir %{perl_vendorlib}/Parse/Pidl/Samba4/COM +%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Header.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Proxy.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/COM/Stub.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/Python.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm +%dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR +%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm +%{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm +%{perl_vendorlib}/Parse/Pidl/NDR.pm +%{perl_vendorlib}/Parse/Pidl/Util.pm %{_mandir}/man1/pidl* %{_mandir}/man3/Parse::Pidl* -%attr(755,root,root) %{_bindir}/pidl ### PYTHON %files python 
@@ -1522,6 +1613,117 @@ rm -rf %{buildroot} %{_mandir}/man8/pam_winbind.8* %changelog +* Thu Apr 03 2014 - Guenther Deschner - 4.1.1-31 +- resolves: #1082653 - Add IPv6 workaround for MIT kerberos. + +* Thu Apr 03 2014 - Alexander Bokovoy - 4.1.1-30 +- resolves: #1083859 - Force KRB5CCNAME in Samba systemd units. +- related: #1082598 - Fully enables systemd integration. + +* Tue Apr 01 2014 - Andreas Schneider - 4.1.1-29 +- resolves: #1082598 - Add missing BuildRequires for systemd-devel. + +* Wed Mar 26 2014 - Andreas Schneider - 4.1.1-28 +- resolves: #1077918 - Make daemons systemd aware. + +* Mon Mar 24 2014 - Andreas Schneider - 4.1.1-27 +- resolves: #1077857 - Fix internal error received while adding trust. + +* Fri Mar 21 2014 - Guenther Deschner - 4.1.1-26 +- resolves: #1079008 - Fix fragmented rpc handling. + +* Tue Mar 18 2014 - Andreas Schneider - 4.1.1-25 +- resolves: #1077651 - Fix 'force user' option for shares. + +* Wed Mar 12 2014 - Guenther Deschner - 4.1.1-24 +- resolves: #1053748 - Enhance "net ads kerberos pac" tool. + +* Mon Mar 10 2014 - Andreas Schneider - 4.1.1-23 +- resolves: #1072804 - Fix CVE-2013-4496. +- resolves: #1072804 - Fix CVE-2013-6442. + +* Fri Mar 07 2014 - Guenther Deschner - 4.1.1-22 +- resolves: #1024788 - Fix joining over IPv6. + +* Tue Mar 04 2014 - Andreas Schneider - 4.1.1-21 +- resolves: #1066536 - Fix NBT queries with more than 9 or more components. + +* Thu Feb 27 2014 - Andreas Schneider - 4.1.1-20 +- resolves: #1070692 - Don't package perl(Parse::Yapp::Driver) + +* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-19 +- related: #1067606 - Add missing directories. + +* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-18 +- related: #1067606 - Fix installation of pidl files. + +* Tue Feb 25 2014 - Andreas Schneider - 4.1.1-17 +- resolves: #1067606 - Fix wbinfo with one-way trust. +- resolves: #1069569 - Fix memory leak reading the printer list. 
+ +* Thu Feb 20 2014 - Andreas Schneider - 4.1.1-16 +- resolves: #1063186 - Fix force_user with security=ads. + +* Wed Feb 05 2014 - Andreas Schneider - 4.1.1-15 +- resolves: #1029001 - Fix force_user with security=ads. + +* Tue Jan 28 2014 Daniel Mach - 4.1.1-14 +- Mass rebuild 2014-01-24 + +* Mon Jan 13 2014 - Andreas Schneider - 4.1.1-13 +- resolves: #1051582 - Fix warnings an resource leaks reported by rpmdiff. + +* Fri Jan 10 2014 - Andreas Schneider - 4.1.1-12 +- resolves: #1050886 - Fix full CPU utilization in winbindd. +- resolves: #1051400 - Fix segfault in smbd. +- resolves: #1051402 - Fix SMB2 server panic when a smb2 brlock times out. + +* Thu Jan 09 2014 - Andreas Schneider - 4.1.1-11 +- resolves: #1042845 - Do not build with libbsd. + +* Fri Dec 27 2013 Daniel Mach - 4.1.1-10 +- Mass rebuild 2013-12-27 + +* Wed Dec 11 2013 - Andreas Schneider - 4.1.1-9 +- resolves: #1033122 - Fix dropbox regression. +- resolves: #1040464 - Fix %G substituion for config parameters. + +* Wed Dec 11 2013 - Guenther Deschner - 4.1.1-8 +- resolves: #1040052 - Fix winbind debug message NULL pointer derreference. + +* Mon Dec 09 2013 - Andreas Schneider - 4.1.1-7 +- resolves: #1039499 - Fix CVE-2012-6150. + +* Fri Nov 29 2013 - Guenther Deschner - 4.1.1-6 +- resolves: #1033109 - Fix winbind cache keysize limitations. + +* Wed Nov 27 2013 - Andreas Schneider - 4.1.1-5 +- resolves: #1034160 - Make sure we don't build the fam notify module. + +* Mon Nov 25 2013 - Andreas Schneider - 4.1.1-4 +- resolves: #1034048 - Fix group name substitution in template homedir. +- resolves: #1018041 - Fix CVE-2013-4408. +- related: #884169 - Fix several covscan warnings. + +* Mon Nov 18 2013 - Guenther Deschner - 4.1.1-3 +- resolves: #948509 - Fix manpage correctness. + +* Fri Nov 15 2013 - Andreas Schneider - 4.1.1-2 +- related: #884169 - Fix strict aliasing warnings. + +* Mon Nov 11 2013 - Andreas Schneider - 4.1.1-1 +- resolves: #1024543 - Fix CVE-2013-4475. +- Update to Samba 4.1.1. 
+ +* Mon Nov 11 2013 - Andreas Schneider - 4.1.0-5 +- related: #884169 - Fix the upgrade path. + +* Wed Oct 30 2013 - Andreas Schneider - 4.1.0-4 +- related: #884169 - Add direct dependency to samba-libs in the + glusterfs package. +- resolves: #996567 - Fix userPrincipalName composition. +- related: #884169 - Fix memset call with zero length in in ntdb. + * Fri Oct 18 2013 - Andreas Schneider - 4.1.0-3 - resolves: #1019384 - Build glusterfs VFS plguin.
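Review bot: In source4/rpc_server/samr/samr_password.c, the new comment above dcesrv_samr_ChangePasswordUser explains the stub only as "So old it is just not worth implementing" and leaves out the security reason that the removed body makes visible: samdb_set_password() was called inside the transaction before the memcmp() checks on checkHash. Suggest adding one line to the comment that ties the NT_STATUS_NOT_IMPLEMENTED return to the CVE-2013-4496 series, so the old body is not restored later as a compatibility fix.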
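Review bot: In source4/torture/rpc/samr.c, test_ChangePasswordUser now returns true silently when r.out.result is NT_STATUS_NOT_IMPLEMENTED, so a run against a patched server looks the same as a run that exercised the call. Suggest emitting a torture_comment() before the "return true;" stating that ChangePasswordUser is not implemented and the remaining checks were skipped, so test logs show which servers took this path.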
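Review bot: In dcesrv_samr_OemChangePasswordUser2, the moved check "memcmp(lm_verifier.hash, r->in.hash->hash, 16)" dereferences r->in.hash, and the hunk context shows no NULL check before it. The ChangePasswordUser3 hunk of the same patch adds an explicit "if (r->in.nt_verifier == NULL)" guard. Please confirm r->in.hash is validated earlier in the function, or add the equivalent guard here now that this comparison is the only gate before samdb_connect().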
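Review bot: In dcesrv_samr_ChangePasswordUser3, the relocated block still uses direct returns ("return NT_STATUS_INVALID_SYSTEM_SERVICE;" and "return NT_STATUS_TRANSACTION_ABORTED;") while every verifier failure above it and the samdb_set_password() failure below it use "goto failed". Now that the block sits after all verifier checks, either set status and jump to failed for consistency, or add a comment saying why these two paths must bypass the failed label.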
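Review bot: In source3/utils/smbcacls.c owner_set(), the replacement of old->type with SEC_DESC_SELF_RELATIVE has no comment, and the reason is not obvious from the call: both ACL arguments are passed as NULL ("NULL, NULL, &sd_size"), so carrying over the old type flags would describe ACLs that are not in the new descriptor. Suggest a short comment above make_sec_desc() stating that only the owner or group is being set and the type must not claim a DACL or SACL. The diffstat also shows no test change; a regression test for --chown and --chgrp preserving the existing ACL would keep bug 10327 from returning.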
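Review bot: In SPECS/samba.spec, Patch18 is named "samba-4.1.6-fix_printer_list_memleadk.patch", which looks like a typo for "memleak". The same spelling is repeated in the %patch18 line, so the build works, but the name will be hard to find by search. Suggest renaming the file and both references together.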
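Review bot: In SPECS/samba.spec, the new Obsoletes for samba-doc, samba-domainjoin-gui, samba-swat and samba4-swat are all unversioned, unlike the existing "Obsoletes: samba4 < %{samba_depver}" just above them. Unversioned Obsoletes will also obsolete any future package that reuses one of those names; suggest adding a version bound to each. The comment "We don't build it outdated docs anymore" also needs rewording.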
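Review bot: In the %changelog hunk of SPECS/samba.spec, the 4.1.1-23 entry lists the same bug number, #1072804, for both CVE-2013-4496 and CVE-2013-6442, which looks like a copy and paste error; please check the second reference. The 4.1.1-16 and 4.1.1-15 entries also carry identical text ("Fix force_user with security=ads") under different bug numbers, and the 4.1.1-21 entry reads "more than 9 or more components"; these should be corrected so the changelog can be used to trace which release fixed what.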