From af2bad6e62dd1e587a0ae392c3977d6135b5cb04 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 29 2020 07:02:32 +0000
Subject: import samba-4.10.16-5.el7
---
diff --git a/.gitignore b/.gitignore
index 99161ff..dd5cbe0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.10.4.tar.xz
+SOURCES/samba-4.10.16.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 1e4e8c9..4ce8620 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
+607e2f6e50489c9a6f5cda75a72fda6c3f0d4a94 SOURCES/samba-4.10.16.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
deleted file mode 100644
index eec8124..0000000
--- a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
+++ /dev/null
@@ -1,393 +0,0 @@ -From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 12 Jul 2019 12:10:35 -0700 -Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug - info into a new function. - -Will be called on elsewhere on successful impersonation. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -Reviewed-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 37 +++++++++++++++++++++++-------------- - 1 file changed, 23 insertions(+), 14 deletions(-) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index a4bcb747d37e..ce8e8d92131c 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn, - return(True); - } - -+static void print_impersonation_info(connection_struct *conn) -+{ -+ struct smb_filename *cwdfname = NULL; -+ -+ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) { -+ return; -+ } -+ -+ cwdfname = vfs_GetWd(talloc_tos(), conn); -+ if (cwdfname == NULL) { -+ return; -+ } -+ -+ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -+ (int)getuid(), -+ (int)geteuid(), -+ (int)getgid(), -+ (int)getegid(), -+ cwdfname->base_name); -+ TALLOC_FREE(cwdfname); -+} -+ - /**************************************************************************** - Become the user of a connection number without changing the security context - stack, but modify the current_user entries. 
-@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.done_chdir = true; - } - -- if (CHECK_DEBUGLVL(DBGLVL_INFO)) { -- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn); -- if (cwdfname == NULL) { -- return false; -- } -- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -- (int)getuid(), -- (int)geteuid(), -- (int)getgid(), -- (int)getegid(), -- cwdfname->base_name); -- TALLOC_FREE(cwdfname); -- } -- -+ print_impersonation_info(conn); - return true; - } - --- -2.17.1 - - -From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:01:29 +0200 -Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that - change_to_user_internal() always resets current_user.done_chdir - -We should not leave current_user.done_chdir as true if we didn't call -chdir_current_service() with success. - -This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when -chdir_current_service() worked once on one share but later failed on another -share. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - source3/smbd/uid.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index ce8e8d92131c..77a81f602988 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.conn = conn; - current_user.vuid = vuid; - current_user.need_chdir = conn->tcon_done; -+ current_user.done_chdir = false; - - if (current_user.need_chdir) { - ok = chdir_current_service(conn); --- -2.17.1 - - -From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 18 Jun 2019 14:04:08 +0200 -Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset - current_user.{need,done}_chdir in become_root() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 77a81f602988..50868ba8572a 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -624,6 +624,9 @@ void smbd_become_root(void) - } - push_conn_ctx(); - set_root_sec_ctx(); -+ -+ current_user.need_chdir = false; -+ current_user.done_chdir = false; - } - - /* Unbecome the root user */ --- -2.17.1 - - -From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 30 Jul 2019 17:16:59 +0200 -Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own - independent subdirectory - -The next patch will otherwise break the fsrvp related tests. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/target/Samba3.pm | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 9d88253c9fe7..f7eb314138a0 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$) - my $widelinks_linkdir="$shrdir/widelinks_foo"; - push(@dirs,$widelinks_linkdir); - -+ my $fsrvp_shrdir="$shrdir/fsrvp"; -+ push(@dirs,$fsrvp_shrdir); -+ - my $shadow_tstdir="$shrdir/shadow"; - push(@dirs,$shadow_tstdir); - my $shadow_mntdir="$shadow_tstdir/mount"; -@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$) - guest ok = yes - - [fsrvp_share] -- path = $shrdir -+ path = $fsrvp_shrdir - comment = fake shapshots using rsync - vfs objects = shell_snap shadow_copy2 - shell_snap:check path command = $fake_snap_pl --check - shell_snap:create command = $fake_snap_pl --create - shell_snap:delete command = $fake_snap_pl --delete - # a relative path here fails, the snapshot dir is no longer found -- shadow:snapdir = $shrdir/.snapshots -+ shadow:snapdir = $fsrvp_shrdir/.snapshots - - [shadow1] - path = $shadow_shrdir --- -2.17.1 - - -From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 16 Jul 2019 15:40:38 +0200 -Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test - for the no permission on share root problem - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/knownfail.d/CVE-2019-10197 | 1 + - selftest/target/Samba3.pm | 12 +++++++++ - source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++ - 3 files changed, 43 insertions(+) - create mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -new file mode 100644 -index 
000000000000..f7056bbf3ad4 ---- /dev/null -+++ b/selftest/knownfail.d/CVE-2019-10197 -@@ -0,0 +1 @@ -+^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index f7eb314138a0..2f491441815f 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$) - my $ro_shrdir="$shrdir/root-tmp"; - push(@dirs,$ro_shrdir); - -+ my $noperm_shrdir="$shrdir/noperm-tmp"; -+ push(@dirs,$noperm_shrdir); -+ - my $msdfs_shrdir="$shrdir/msdfsshare"; - push(@dirs,$msdfs_shrdir); - -@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$) - chmod 0755, $piddir; - - -+ ## -+ ## Create a directory without permissions to enter -+ ## -+ chmod 0000, $noperm_shrdir; -+ - ## - ## create ro and msdfs share layout - ## -@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$) - [ro-tmp] - path = $ro_shrdir - guest ok = yes -+[noperm] -+ path = $noperm_shrdir -+ wide links = yes -+ guest ok = yes - [write-list-tmp] - path = $shrdir - read only = yes -diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh -index bf033ccd2fbf..0bae1d78fac9 100755 ---- a/source3/script/tests/test_smbclient_s3.sh -+++ b/source3/script/tests/test_smbclient_s3.sh -@@ -1329,6 +1329,32 @@ EOF - fi - } - -+# -+# Regression test for CVE-2019-10197 -+# we should always get ACCESS_DENIED -+# -+test_noperm_share_regression() -+{ -+ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1' -+ eval echo "$cmd" -+ out=`eval $cmd` -+ ret=$? 
-+ if [ $ret -eq 0 ] ; then -+ echo "$out" -+ echo "failed accessing no perm share should not work" -+ return 1 -+ fi -+ -+ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l` -+ if [ "$num" -ne "2" ] ; then -+ echo "$out" -+ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected" -+ return 1 -+ fi -+ -+ return 0 -+} -+ - # Test smbclient deltree command - test_deltree() - { -@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \ - test_local_symlinks || \ - failed=`expr $failed + 1` - -+testit "noperm share regression" \ -+ test_noperm_share_regression || \ -+ failed=`expr $failed + 1` -+ - testit "smbclient deltree command" \ - test_deltree || \ - failed=`expr $failed + 1` --- -2.17.1 - - -From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:02:15 +0200 -Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate() - out of change_to_user_internal() - -This makes sure we always call chdir_current_service() even -when we still impersonated the user. Which is important -in order to run the SMB* request within the correct working directory -and only if the user has permissions to enter that directory. - -It makes sure we always update conn->lastused_count -in chdir_current_service() for each request. - -Note that vfs_ChDir() (called from chdir_current_service()) -maintains its own cache and avoids calling SMB_VFS_CHDIR() -if possible. - -It means we still avoid syscalls if we get a multiple requests -for the same session/tcon tuple. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - selftest/knownfail.d/CVE-2019-10197 | 1 - - source3/smbd/uid.c | 21 +++++++++++++++++---- - 2 files changed, 17 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -deleted file mode 100644 -index f7056bbf3ad4..000000000000 ---- a/selftest/knownfail.d/CVE-2019-10197 -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 50868ba8572a..5c39baade5cf 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn) - stack, but modify the current_user entries. - ****************************************************************************/ - --static bool change_to_user_internal(connection_struct *conn, -- const struct auth_session_info *session_info, -- uint64_t vuid) -+static bool change_to_user_impersonate(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) - { - int snum; - gid_t gid; -@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn, - - if ((current_user.conn == conn) && - (current_user.vuid == vuid) && -- (current_user.need_chdir == conn->tcon_done) && - (current_user.ut.uid == session_info->unix_token->uid)) - { - DBG_INFO("Skipping user change - already user\n"); -@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn, - - current_user.conn = conn; - current_user.vuid = vuid; -+ return true; -+} -+ -+static bool change_to_user_internal(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) -+{ -+ bool ok; -+ -+ ok = change_to_user_impersonate(conn, session_info, vuid); -+ if (!ok) { -+ return false; -+ } -+ - 
current_user.need_chdir = conn->tcon_done;
- current_user.done_chdir = false;
-
---
-2.17.1
-
diff --git a/SOURCES/CVE-2019-10218-4.11.patch b/SOURCES/CVE-2019-10218-4.11.patch
deleted file mode 100644
index 49bec9e..0000000
--- a/SOURCES/CVE-2019-10218-4.11.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From d429b48596c63140696ba600bddb0908f2350f70 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 5 Aug 2019 13:39:53 -0700 -Subject: [PATCH 1/2] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code - from evil server returned names. - -Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 - -Signed-off-by: Jeremy Allison ---- - source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++ - source3/libsmb/proto.h | 3 ++ - 2 files changed, 78 insertions(+) - -diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c -index 5cb1fce4338..4f518339e2b 100644 ---- a/source3/libsmb/clilist.c -+++ b/source3/libsmb/clilist.c -@@ -24,6 +24,66 @@ - #include "trans2.h" - #include "../libcli/smb/smbXcli_base.h" - -+/**************************************************************************** -+ Check if a returned directory name is safe. -+****************************************************************************/ -+ -+static NTSTATUS is_bad_name(bool windows_names, const char *name) -+{ -+ const char *bad_name_p = NULL; -+ -+ bad_name_p = strchr(name, '/'); -+ if (bad_name_p != NULL) { -+ /* -+ * Windows and POSIX names can't have '/'. -+ * Server is attacking us. -+ */ -+ return NT_STATUS_INVALID_NETWORK_RESPONSE; -+ } -+ if (windows_names) { -+ bad_name_p = strchr(name, '\\'); -+ if (bad_name_p != NULL) { -+ /* -+ * Windows names can't have '\\'. -+ * Server is attacking us. -+ */ -+ return NT_STATUS_INVALID_NETWORK_RESPONSE; -+ } -+ } -+ return NT_STATUS_OK; -+} -+ -+/**************************************************************************** -+ Check if a returned directory name is safe. Disconnect if server is -+ sending bad names. 
-+****************************************************************************/ -+ -+NTSTATUS is_bad_finfo_name(const struct cli_state *cli, -+ const struct file_info *finfo) -+{ -+ NTSTATUS status = NT_STATUS_OK; -+ bool windows_names = true; -+ -+ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) { -+ windows_names = false; -+ } -+ if (finfo->name != NULL) { -+ status = is_bad_name(windows_names, finfo->name); -+ if (!NT_STATUS_IS_OK(status)) { -+ DBG_ERR("bad finfo->name\n"); -+ return status; -+ } -+ } -+ if (finfo->short_name != NULL) { -+ status = is_bad_name(windows_names, finfo->short_name); -+ if (!NT_STATUS_IS_OK(status)) { -+ DBG_ERR("bad finfo->short_name\n"); -+ return status; -+ } -+ } -+ return NT_STATUS_OK; -+} -+ - /**************************************************************************** - Calculate a safe next_entry_offset. - ****************************************************************************/ -@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - TALLOC_FREE(finfo); - return NT_STATUS_NO_MEMORY; - } -+ -+ status = is_bad_finfo_name(state->cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(state->cli->conn, status); -+ TALLOC_FREE(finfo); -+ return status; -+ } - } - *pfinfo = finfo; - return NT_STATUS_OK; -@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq) - ff_eos = true; - break; - } -+ -+ status = is_bad_finfo_name(state->cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(state->cli->conn, status); -+ tevent_req_nterror(req, status); -+ return; -+ } -+ - if (!state->first && (state->mask[0] != '\0') && - strcsequal(finfo->name, state->mask)) { - DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has " -diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h -index 6a647da58c8..48855d7112c 100644 ---- a/source3/libsmb/proto.h -+++ b/source3/libsmb/proto.h -@@ -760,6 +760,9 @@ NTSTATUS 
cli_posix_whoami(struct cli_state *cli, - - /* The following definitions come from libsmb/clilist.c */ - -+NTSTATUS is_bad_finfo_name(const struct cli_state *cli, -+ const struct file_info *finfo); -+ - NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute, - NTSTATUS (*fn)(const char *, struct file_info *, - const char *, void *), void *state); --- -2.23.0.866.gb869b98d4c-goog - - -From c61e75b5755efab938c1b2045eb4d539a0724c47 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 6 Aug 2019 12:08:09 -0700 -Subject: [PATCH 2/2] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code - from evil server returned names. - -Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 - -Signed-off-by: Jeremy Allison ---- - source3/libsmb/cli_smb2_fnum.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c -index 535beaab841..3fa322c243b 100644 ---- a/source3/libsmb/cli_smb2_fnum.c -+++ b/source3/libsmb/cli_smb2_fnum.c -@@ -1442,6 +1442,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, - goto fail; - } - -+ /* Protect against server attack. */ -+ status = is_bad_finfo_name(cli, finfo); -+ if (!NT_STATUS_IS_OK(status)) { -+ smbXcli_conn_disconnect(cli->conn, status); -+ goto fail; -+ } -+ - if (dir_check_ftype((uint32_t)finfo->mode, - (uint32_t)attribute)) { - /* --- -2.23.0.866.gb869b98d4c-goog - diff --git a/SOURCES/libldb-require-version-1.5.4.patch b/SOURCES/libldb-require-version-1.5.4.patch new file mode 100644 index 0000000..810c9e6 --- /dev/null +++ b/SOURCES/libldb-require-version-1.5.4.patch 
@@ -0,0 +1,150 @@ +From a691be8ed36fb5740ae877a46f0aff72ce0c9cb2 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 4 May 2020 12:17:37 +0200 +Subject: [PATCH] ldb: revert ad-dc fix and keep ldb version at 1.5.4 + +Revert "ldap server: generate correct referral schemes" + +This reverts commit 1958cd8a7fb81ec51b81944ecf4dd0fb5c4208fa. +--- + lib/ldb/include/ldb_module.h | 5 ----- + lib/ldb/wscript | 2 +- + selftest/knownfail.d/ldap_referrals | 1 + + source4/dsdb/samdb/ldb_modules/partition.c | 16 +++++----------- + source4/ldap_server/ldap_backend.c | 18 ------------------ + source4/ldap_server/ldap_server.c | 1 - + source4/ldap_server/ldap_server.h | 6 ------ + 7 files changed, 7 insertions(+), 42 deletions(-) + create mode 100644 selftest/knownfail.d/ldap_referrals + +diff --git a/lib/ldb/include/ldb_module.h b/lib/ldb/include/ldb_module.h +index 8c47082690b..9a5c61d0e73 100644 +--- a/lib/ldb/include/ldb_module.h ++++ b/lib/ldb/include/ldb_module.h +@@ -103,11 +103,6 @@ struct ldb_module; + * attributes, not to be printed in trace messages */ + #define LDB_SECRET_ATTRIBUTE_LIST_OPAQUE "LDB_SECRET_ATTRIBUTE_LIST" + +-/* +- * The scheme to be used for referral entries, i.e. 
ldap or ldaps +- */ +-#define LDAP_REFERRAL_SCHEME_OPAQUE "LDAP_REFERRAL_SCHEME" +- + /* + these function pointers define the operations that a ldb module can intercept + */ +diff --git a/lib/ldb/wscript b/lib/ldb/wscript +index 0f760a9bc80..d3402a7b5b2 100644 +--- a/lib/ldb/wscript ++++ b/lib/ldb/wscript +@@ -1,7 +1,7 @@ + #!/usr/bin/env python + + APPNAME = 'ldb' +-VERSION = '1.5.7' ++VERSION = '1.5.4' + + import sys, os + +diff --git a/selftest/knownfail.d/ldap_referrals b/selftest/knownfail.d/ldap_referrals +new file mode 100644 +index 00000000000..403f0d3bd6d +--- /dev/null ++++ b/selftest/knownfail.d/ldap_referrals +@@ -0,0 +1 @@ ++^samba.ldap.referrals.samba.tests.ldap_referrals.LdapReferralTest.test_ldaps_search +diff --git a/source4/dsdb/samdb/ldb_modules/partition.c b/source4/dsdb/samdb/ldb_modules/partition.c +index f66ccab1dd5..49bdeb04fa5 100644 +--- a/source4/dsdb/samdb/ldb_modules/partition.c ++++ b/source4/dsdb/samdb/ldb_modules/partition.c +@@ -902,17 +902,11 @@ static int partition_search(struct ldb_module *module, struct ldb_request *req) + data->partitions[i]->ctrl->dn) == 0) && + (ldb_dn_compare(req->op.search.base, + data->partitions[i]->ctrl->dn) != 0)) { +- const char *scheme = ldb_get_opaque( +- ldb, LDAP_REFERRAL_SCHEME_OPAQUE); +- char *ref = talloc_asprintf( +- ac, +- "%s://%s/%s%s", +- scheme == NULL ? "ldap" : scheme, +- lpcfg_dnsdomain(lp_ctx), +- ldb_dn_get_linearized( +- data->partitions[i]->ctrl->dn), +- req->op.search.scope == +- LDB_SCOPE_ONELEVEL ? "??base" : ""); ++ char *ref = talloc_asprintf(ac, ++ "ldap://%s/%s%s", ++ lpcfg_dnsdomain(lp_ctx), ++ ldb_dn_get_linearized(data->partitions[i]->ctrl->dn), ++ req->op.search.scope == LDB_SCOPE_ONELEVEL ? 
"??base" : ""); + + if (ref == NULL) { + return ldb_oom(ldb); +diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c +index 573472c0f7f..39f1aa2a2a6 100644 +--- a/source4/ldap_server/ldap_backend.c ++++ b/source4/ldap_server/ldap_backend.c +@@ -647,24 +647,6 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call) + call->notification.busy = true; + } + +- { +- const char *scheme = NULL; +- switch (call->conn->referral_scheme) { +- case LDAP_REFERRAL_SCHEME_LDAPS: +- scheme = "ldaps"; +- break; +- default: +- scheme = "ldap"; +- } +- ldb_ret = ldb_set_opaque( +- samdb, +- LDAP_REFERRAL_SCHEME_OPAQUE, +- discard_const_p(char *, scheme)); +- if (ldb_ret != LDB_SUCCESS) { +- goto reply; +- } +- } +- + ldb_set_timeout(samdb, lreq, req->timelimit); + + if (!call->conn->is_privileged) { +diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c +index 25c3b624abc..7c7eeb0a6c1 100644 +--- a/source4/ldap_server/ldap_server.c ++++ b/source4/ldap_server/ldap_server.c +@@ -436,7 +436,6 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq) + } + + conn->sockets.active = conn->sockets.tls; +- conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS; + ldapsrv_call_read_next(conn); + } + +diff --git a/source4/ldap_server/ldap_server.h b/source4/ldap_server/ldap_server.h +index 5b944f5ab9b..d3e31fb1eec 100644 +--- a/source4/ldap_server/ldap_server.h ++++ b/source4/ldap_server/ldap_server.h +@@ -24,11 +24,6 @@ + #include "system/network.h" + #include "lib/param/loadparm.h" + +-enum ldap_server_referral_scheme { +- LDAP_REFERRAL_SCHEME_LDAP, +- LDAP_REFERRAL_SCHEME_LDAPS +-}; +- + struct ldapsrv_connection { + struct ldapsrv_connection *next, *prev; + struct loadparm_context *lp_ctx; +@@ -52,7 +47,6 @@ struct ldapsrv_connection { + bool is_privileged; + enum ldap_server_require_strong_auth require_strong_auth; + bool authz_logged; +- enum ldap_server_referral_scheme referral_scheme; + + struct { + int 
initial_timeout;
+--
+2.24.1
+
diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch
deleted file mode 100644
index 9dd2eec..0000000
--- a/SOURCES/samba-4.10-fix-netbios-join.patch
+++ /dev/null
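Review bot: The description inside the new SOURCES/libldb-require-version-1.5.4.patch only says it keeps ldb at 1.5.4, but the reverted hunks in source4/ldap_server/ldap_server.c and source4/dsdb/samdb/ldb_modules/partition.c also change server behaviour: the `conn->referral_scheme = LDAP_REFERRAL_SCHEME_LDAPS;` assignment in ldapsrv_accept_tls_done() is dropped and partition_search() again hard-codes `"ldap://%s/%s%s"`, so referrals returned on an LDAPS connection presumably advertise a plaintext scheme, which is what the added selftest/knownfail.d/ldap_referrals entry masks. That downgrade should be stated in the patch body rather than left implicit, e.g. add after the "This reverts commit …" line: `Note: with this revert, referrals generated for LDAPS connections again carry the ldap:// scheme; the affected test is listed in selftest/knownfail.d/ldap_referrals.` Lowering VERSION in lib/ldb/wscript from 1.5.7 to 1.5.4 while, as far as this patch shows, the other post-1.5.4 code stays in place also deserves a sentence there, since the version string no longer identifies the code level. partition_search() and ldapsrv_SearchRequest() both start and end outside their hunks.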
@@ -1,723 +0,0 @@ -From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 30 Aug 2019 00:22:15 +0300 -Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and - lp_dnsdomain() - -This make the join process much more reliable, and avoids "Constraint -violation" error when the fqdn returned from getaddrinfo has already -got assigned an SPN. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 31 +++++++++++------------------- - testprogs/blackbox/test_net_ads.sh | 7 +++++-- - 2 files changed, 16 insertions(+), 22 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 7943bef2cf6..818b3039cb9 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -- if (!name_to_fqdn(my_fqdn, r->in.machine_name) -- || (strchr(my_fqdn, '.') == NULL)) { -- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, -- r->out.dns_domain_name); -- } -+ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); - - if (!strlower_m(my_fqdn)) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -- if (!strequal(my_fqdn, r->in.machine_name)) { -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -- if (!spn) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ if (spn == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (!ok) { -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - } - -@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* - * Add HOST/netbiosname.domainname - */ -- if (r->out.dns_domain_name == NULL) { -- continue; -- } - fstr_sprintf(my_fqdn, "%s.%s", - *netbios_aliases, -- r->out.dns_domain_name); -+ lp_dnsdomain()); - - spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); - if (spn == NULL) { -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index cc8345c4624..ef6f99ddea4 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai - netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') - uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') - lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') --fqdns="$netbios.$lc_realm" -+fqdn="$netbios.$lc_realm" - - krb_princ="primary/instance@$REALM" - testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` -@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin - service="nfs" - testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` - --search_str="$service/$fqdns@$REALM" -+search_str="$service/$fqdn@$REALM" - found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` - testit "test (dedicated keytab) at least one (long 
form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` - -@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed - - testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` - -+testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` -+testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+ - ##Goodbye... - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - --- -2.21.0 - - -From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 20:00:34 +0300 -Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit - room for indentation - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------ - 1 file changed, 47 insertions(+), 48 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 818b3039cb9..67ab50c68a8 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ - - spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); -- if (!spn) { -+ if (spn == NULL) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - if (!strupper_m(spn)) { -@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -- netbios_aliases = lp_netbios_aliases(); -- if (netbios_aliases != NULL) { -- for (; *netbios_aliases != NULL; netbios_aliases++) { -- /* -- * Add HOST/NETBIOSNAME -- */ -- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -- if (spn == NULL) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -- if (!strupper_m(spn)) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ for (netbios_aliases = lp_netbios_aliases(); -+ netbios_aliases != NULL && *netbios_aliases != NULL; -+ netbios_aliases++) { -+ /* -+ * Add HOST/NETBIOSNAME -+ */ -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -+ if (spn == NULL) { -+ TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ if (!strupper_m(spn)) { -+ TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- TALLOC_FREE(spn); -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (ok) { -+ TALLOC_FREE(spn); -+ continue; -+ } -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); -+ if (!ok) { - TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ TALLOC_FREE(spn); - -- /* -- * Add HOST/netbiosname.domainname -- */ -- fstr_sprintf(my_fqdn, "%s.%s", -- *netbios_aliases, -- lp_dnsdomain()); -+ /* -+ * Add HOST/netbiosname.domainname -+ */ -+ fstr_sprintf(my_fqdn, "%s.%s", -+ *netbios_aliases, -+ lp_dnsdomain()); - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -- if (spn == NULL) { -- return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ if (spn == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- TALLOC_FREE(spn); -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- } -+ ok = ads_element_in_array(spn_array, num_spns, spn); -+ if (ok) { -+ TALLOC_FREE(spn); -+ continue; -+ } -+ ok = add_string_to_array(spn_array, spn, -+ &spn_array, &num_spns); -+ if (!ok) { - TALLOC_FREE(spn); -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } -+ TALLOC_FREE(spn); - } - - /* make sure to NULL terminate the array */ --- -2.21.0 - - -From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 21:29:47 +0300 -Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling - -and avoid a possible memory leak when passing null to -add_string_to_array() as mem_ctx. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 74 ++++++++++++++++++++---------------- - 1 file changed, 42 insertions(+), 32 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 67ab50c68a8..43035370526 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, - static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -+ TALLOC_CTX *frame = talloc_stackframe(); - ADS_STATUS status; - ADS_MODLIST mods; - fstring my_fqdn; -@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - return status; - } - -- status = libnet_join_get_machine_spns(mem_ctx, -+ status = libnet_join_get_machine_spns(frame, - r, - discard_const_p(char **, &spn_array), - &num_spns); -@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - - /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); -+ spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - if (!strupper_m(spn)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -+ ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - } - - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); - - if (!strlower_m(my_fqdn)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (!ok) { -- ok = add_string_to_array(spn_array, spn, -+ ok = add_string_to_array(frame, spn, - &spn_array, &num_spns); - if (!ok) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - } - -@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - /* - * Add HOST/NETBIOSNAME - */ -- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); -+ spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases); - if (spn == NULL) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - if (!strupper_m(spn)) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = 
ads_element_in_array(spn_array, num_spns, spn); - if (ok) { -- TALLOC_FREE(spn); - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } -- TALLOC_FREE(spn); - - /* - * Add HOST/netbiosname.domainname -@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - *netbios_aliases, - lp_dnsdomain()); - -- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); -+ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); - if (spn == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - ok = ads_element_in_array(spn_array, num_spns, spn); - if (ok) { -- TALLOC_FREE(spn); - continue; - } - ok = add_string_to_array(spn_array, spn, - &spn_array, &num_spns); - if (!ok) { -- TALLOC_FREE(spn); -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } -- TALLOC_FREE(spn); - } - - /* make sure to NULL terminate the array */ -- spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1); -+ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); - if (spn_array == NULL) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - spn_array[num_spns] = NULL; - - mods = ads_init_mods(mem_ctx); - if (!mods) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - /* fields of primary importance */ - - status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); - if (!ADS_ERR_OK(status)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - - status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName", - spn_array); - if (!ADS_ERR_OK(status)) { -- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; - } - -- return ads_gen_mod(r->in.ads, 
r->out.dn, mods); -+ status = ads_gen_mod(r->in.ads, r->out.dn, mods); -+ -+done: -+ TALLOC_FREE(frame); -+ return status; - } - - /**************************************************************** --- -2.21.0 - - -From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 18 Sep 2019 23:15:57 +0300 -Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to - array - -and do not skip adding a fully qualified spn to netbios-aliases -in case a short spn already existed. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - source3/libnet/libnet_join.c | 56 +++++++++++++++--------------------- - 1 file changed, 23 insertions(+), 33 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 43035370526..a1d8a25bbc2 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, - return status; - } - -+static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn, -+ const char ***array, size_t *num) -+{ -+ bool ok = ads_element_in_array(*array, *num, spn); -+ if (!ok) { -+ ok = add_string_to_array(mem_ctx, spn, array, num); -+ if (!ok) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ } -+ return ADS_SUCCESS; -+} -+ - /**************************************************************** - Set a machines dNSHostName and servicePrincipalName attributes - ****************************************************************/ -@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - const char **spn_array = NULL; - size_t num_spns = 0; - char *spn = NULL; -- bool ok; - const char **netbios_aliases = NULL; - - /* Find our DN */ -@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = 
ads_element_in_array(spn_array, num_spns, spn); -- if (!ok) { -- ok = add_string_to_array(frame, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- goto done; -- } -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; - } - - fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); -@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (!ok) { -- ok = add_string_to_array(frame, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -- goto done; -- } -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; - } - - for (netbios_aliases = lp_netbios_aliases(); -@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { - goto done; - } - -@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -- ok = ads_element_in_array(spn_array, num_spns, spn); -- if (ok) { -- continue; -- } -- ok = add_string_to_array(spn_array, spn, -- &spn_array, &num_spns); -- if (!ok) { -- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { - goto done; - } - } --- -2.21.0 - - -From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 17 Sep 2019 21:38:07 +0300 -Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy ---- - docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++ - 1 file changed, 11 insertions(+) - create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml - -diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml -new file mode 100644 -index 00000000000..ddc04ee9f81 ---- /dev/null -+++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml -@@ -0,0 +1,11 @@ -+ -+ -+ A list of additional DNS names by which this host can be identified -+ -+ -+empty string (no additional dns names) -+ host2.example.com host3.other.com -+ --- -2.21.0 - - -From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Fri, 13 Sep 2019 10:56:10 +0300 -Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames - entries -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -and set msDS-AdditionalDnsHostName to the specified list. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 - -Signed-off-by: Isaac Boukris -Reviewed-by: Ralph Boehme -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184 ---- - source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++ - testprogs/blackbox/test_net_ads.sh | 10 +++++++++- - 2 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a1d8a25bbc2..eb8e0ea17f7 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - size_t num_spns = 0; - char *spn = NULL; - const char **netbios_aliases = NULL; -+ const char **addl_hostnames = NULL; - - /* Find our DN */ - -@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - } - } - -+ for (addl_hostnames = lp_additional_dns_hostnames(); -+ addl_hostnames != NULL && *addl_hostnames != NULL; -+ addl_hostnames++) { -+ -+ spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames); -+ if (spn == NULL) { -+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); -+ if (!ADS_ERR_OK(status)) { -+ goto done; -+ } -+ } -+ - /* make sure to NULL terminate the array */ - spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); - if (spn_array == NULL) { -@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, - goto done; - } - -+ addl_hostnames = lp_additional_dns_hostnames(); -+ if (addl_hostnames != NULL && *addl_hostnames != NULL) { -+ status = ads_mod_strlist(mem_ctx, &mods, -+ "msDS-AdditionalDnsHostName", -+ addl_hostnames); -+ if (!ADS_ERR_OK(status)) { -+ goto done; -+ } -+ } -+ - status = ads_gen_mod(r->in.ads, r->out.dn, mods); - - done: -diff --git a/testprogs/blackbox/test_net_ads.sh 
b/testprogs/blackbox/test_net_ads.sh -index ef6f99ddea4..8bcff006b8e 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com" - computers_dn="CN=Computers,$base_dn" - testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` - --testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -+dns_alias1="${netbios}_alias1.other.${lc_realm}" -+dns_alias2="${netbios}_alias2.other2.${lc_realm}" -+testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - - testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` - - testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` - testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` - -+testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` -+ -+testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` -+testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` -+ - ##Goodbye... - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - --- -2.21.0 - 
diff --git a/SOURCES/samba-4.10-fix-spnego-downgrade.patch b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
deleted file mode 100644
index 0f3c786..0000000
--- a/SOURCES/samba-4.10-fix-spnego-downgrade.patch
+++ /dev/null
@@ -1,160 +0,0 @@ -From 55d19011faa99fae6ddcd778e433a0b253e0c7b4 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 16:31:21 +0300 -Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic - token - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher ---- - auth/gensec/spnego.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 0b3fbdce7ac..6bb5c8b6417 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -136,6 +136,7 @@ struct spnego_state { - bool done_mic_check; - - bool simulate_w2k; -+ bool no_optimistic; - - /* - * The following is used to implement -@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi - - spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, - "spnego", "simulate_w2k", false); -+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings, -+ "spnego", -+ "client_no_optimistic", -+ false); - - gensec_security->private_data = spnego_state; - return NT_STATUS_OK; -@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req) - * blob and NT_STATUS_OK. - */ - state->sub.status = NT_STATUS_OK; -+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START && -+ spnego_state->no_optimistic) { -+ /* -+ * Skip optimistic token per conf. 
-+ */ -+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; - } else { - /* - * MORE_PROCESSING_REQUIRED => --- -2.21.0 - - -From e03ce41c911d5fead3f11c2eedce6baf7164e232 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 16:39:43 +0300 -Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher ---- - selftest/knownfail.d/spnego_no_optimistic | 1 + - source4/selftest/tests.py | 4 ++++ - 2 files changed, 5 insertions(+) - create mode 100644 selftest/knownfail.d/spnego_no_optimistic - -diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic -new file mode 100644 -index 00000000000..54f51446be0 ---- /dev/null -+++ b/selftest/knownfail.d/spnego_no_optimistic -@@ -0,0 +1 @@ -+^samba4.smb.spnego.*.no_optimistic -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index aa54308c524..9c3c77f1c56 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -513,6 +513,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha - plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon") - plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon") - -+# Test SPNEGO without issuing an optimistic token -+opt='--option=spnego:client_no_optimistic=yes' -+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic") -+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, 
'-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic") - - wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""] - --- -2.21.0 - - -From 7e1be4ab8ff1ab8869b79f42828489dfa5450f2b Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 17:04:12 +0300 -Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184 ---- - auth/gensec/spnego.c | 13 +++++++++++++ - selftest/knownfail.d/spnego_no_optimistic | 1 - - 2 files changed, 13 insertions(+), 1 deletion(-) - delete mode 100644 selftest/knownfail.d/spnego_no_optimistic - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 6bb5c8b6417..5f78267281d 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -1300,6 +1300,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step( - spnego_state->mic_requested = true; - } - -+ if (sub_in.length == 0) { -+ spnego_state->no_optimistic = true; -+ } -+ - /* - * Note that 'cur_sec' is temporary memory, but - * cur_sec->oid points to a const string in the -@@ -1934,6 +1938,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req) - * Skip optimistic token per conf. - */ - state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ } else if (spnego_state->state_position == SPNEGO_SERVER_START && -+ state->sub.in.length == 0 && spnego_state->no_optimistic) { -+ /* -+ * If we didn't like the mechanism for which the client sent us -+ * an optimistic token, or if he didn't send any, don't call -+ * the sub mechanism just yet. 
-+ */ -+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ spnego_state->no_optimistic = false; - } else { - /* - * MORE_PROCESSING_REQUIRED => -diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic -deleted file mode 100644 -index 54f51446be0..00000000000 ---- a/selftest/knownfail.d/spnego_no_optimistic -+++ /dev/null -@@ -1 +0,0 @@ --^samba4.smb.spnego.*.no_optimistic --- -2.21.0 - diff --git a/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch b/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch deleted file mode 100644 index a935971..0000000 --- a/SOURCES/samba-4.10-fix_client_log_spam_for_messaging.patch +++ /dev/null 
@@ -1,205 +0,0 @@ -From 6947e4141016bb140dfae62cd71be9d9ba5d7060 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sat, 4 May 2019 12:12:04 +0200 -Subject: [PATCH 1/2] s3:dbwrap: initialize messaging before getting the ctdb - connection - -This is a better fix for bug #13465. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925 - -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison -(cherry picked from commit ca95d7f41b683b4d7ac59ed6ee709d44abfe2019) ---- - source3/lib/dbwrap/dbwrap_open.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c -index c8dfd9103a8..20084bca471 100644 ---- a/source3/lib/dbwrap/dbwrap_open.c -+++ b/source3/lib/dbwrap/dbwrap_open.c -@@ -141,13 +141,19 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx, - struct messaging_context *msg_ctx; - struct ctdbd_connection *conn; - -+ /* -+ * Initialize messaging before getting the ctdb -+ * connection, as the ctdb connection requires messaging -+ * to be initialized. -+ */ -+ msg_ctx = global_messaging_context(); -+ - conn = messaging_ctdb_connection(); - if (conn == NULL) { - DBG_WARNING("No ctdb connection\n"); - errno = EIO; - return NULL; - } -- msg_ctx = global_messaging_context(); - - result = db_open_ctdb(mem_ctx, msg_ctx, base, - hash_size, --- -2.21.0 - - -From ca5652c7ee22955fb1690534fe33759ccb008ee5 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sat, 4 May 2019 12:12:48 +0200 -Subject: [PATCH 2/2] s3: remove now unneeded call to - cmdline_messaging_context() - -This was only needed as dbwrap_open() had a bug where it asked for the ctdb -connection before initializing messaging. The previous commit fixed that so we -can now safely remove the calls to cmdline_messaging_context() from all tools -that don't use messaging. 
- -Bug: https://bugzilla.samba.org/show_bug.cgi?id=13925 - -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Oct 24 09:33:47 UTC 2019 on sn-devel-184 - -(cherry picked from commit 9471508391fd3bcf199b1e94f8d9ee2b956e8f8e) ---- - source3/lib/popt_common_cmdline.c | 7 ------- - source3/utils/dbwrap_tool.c | 2 -- - source3/utils/eventlogadm.c | 3 --- - source3/utils/ntlm_auth.c | 2 -- - source3/utils/pdbedit.c | 2 -- - source3/utils/sharesec.c | 1 - - source3/utils/smbget.c | 2 -- - source3/utils/smbpasswd.c | 2 -- - source3/utils/testparm.c | 2 -- - 9 files changed, 23 deletions(-) - -diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c -index 79e34847f48..39a787510a3 100644 ---- a/source3/lib/popt_common_cmdline.c -+++ b/source3/lib/popt_common_cmdline.c -@@ -102,15 +102,8 @@ static void popt_common_credentials_callback(poptContext con, - } - - if (reason == POPT_CALLBACK_REASON_POST) { -- struct messaging_context *msg_ctx = NULL; - bool ok; - -- msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); -- if (msg_ctx == NULL) { -- fprintf(stderr, "Unable to initialize " -- "messaging context\n"); -- } -- - ok = lp_load_client(get_dyn_CONFIGFILE()); - if (!ok) { - const char *pname = poptGetInvocationName(con); -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c -index 2808a5d68bf..153a4459ee0 100644 ---- a/source3/utils/dbwrap_tool.c -+++ b/source3/utils/dbwrap_tool.c -@@ -422,8 +422,6 @@ int main(int argc, const char **argv) - while (extra_argv[extra_argc]) extra_argc++; - } - -- cmdline_messaging_context(get_dyn_CONFIGFILE()); -- - lp_load_global(get_dyn_CONFIGFILE()); - - if ((extra_argc < 2) || (extra_argc > 5)) { -diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c -index db874dfae8a..2770fffa48c 100644 ---- a/source3/utils/eventlogadm.c -+++ b/source3/utils/eventlogadm.c -@@ -473,9 +473,6 @@ int main( int argc, 
char *argv[] ) - exit( 1 ); - } - -- cmdline_messaging_context(configfile == NULL ? -- get_dyn_CONFIGFILE() : configfile); -- - if ( configfile == NULL ) { - lp_load_global(get_dyn_CONFIGFILE()); - } else if (!lp_load_global(configfile)) { -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 2be641c891c..87f6554ae4f 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -2504,8 +2504,6 @@ enum { - - poptFreeContext(pc); - -- cmdline_messaging_context(get_dyn_CONFIGFILE()); -- - if (!lp_load_global(get_dyn_CONFIGFILE())) { - d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n", - get_dyn_CONFIGFILE(), strerror(errno)); -diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c -index 74f8c3b0b2f..14edbaeceea 100644 ---- a/source3/utils/pdbedit.c -+++ b/source3/utils/pdbedit.c -@@ -1128,8 +1128,6 @@ int main(int argc, const char **argv) - if (user_name == NULL) - user_name = poptGetArg(pc); - -- cmdline_messaging_context(get_dyn_CONFIGFILE()); -- - if (!lp_load_global(get_dyn_CONFIGFILE())) { - fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE()); - exit(1); -diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c -index 2ea81b9adfa..10c347eaac3 100644 ---- a/source3/utils/sharesec.c -+++ b/source3/utils/sharesec.c -@@ -501,7 +501,6 @@ int main(int argc, const char *argv[]) - - setlinebuf(stdout); - -- cmdline_messaging_context(get_dyn_CONFIGFILE()); - lp_load_with_registry_shares(get_dyn_CONFIGFILE()); - - /* check for initializing secrets.tdb first */ -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index 58690be56e3..a948a336445 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -1003,8 +1003,6 @@ int main(int argc, char **argv) - - popt_burn_cmdline_password(argc, argv); - -- cmdline_messaging_context(get_dyn_CONFIGFILE()); -- - if (smbc_init(get_auth_data, opt.debuglevel) < 0) { - fprintf(stderr, "Unable to initialize 
libsmbclient\n"); - return 1; -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 8e2b9d7f80f..a6509abe5cb 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -197,8 +197,6 @@ static int process_options(int argc, char **argv, int local_flags) - usage(); - } - -- cmdline_messaging_context(configfile); -- - if (!lp_load_global(configfile)) { - fprintf(stderr, "Can't load %s - run testparm to debug it\n", - configfile); -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index efa58a6a417..9ba625da4bf 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -742,8 +742,6 @@ static void do_per_share_checks(int s) - goto done; - } - -- cmdline_messaging_context(config_file); -- - fprintf(stderr,"Load smb config files from %s\n",config_file); - - if (!lp_load_with_registry_shares(config_file)) { --- -2.21.0 - diff --git a/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch deleted file mode 100644 index b3e0247..0000000 --- a/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch +++ /dev/null 
@@ -1,1276 +0,0 @@ -From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 8 Aug 2019 14:35:38 +0200 -Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh - -There are missing ` at the end of the line. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37) ---- - testprogs/blackbox/test_net_ads.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index d3c4de5b741..512aa9d2952 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte - # SPN parser is very basic but does detect some illegal combination - - windows_spn="$spn_service/$spn_host:" --testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 -+testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` - - windows_spn="$spn_service/$spn_host/" --testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 -+testit_expect_failure "test (dedicated keytab) fail to parse windows 
spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` - - testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` - --- -2.23.0 - - -From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 13 Aug 2019 17:06:58 +0200 -Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add() - -ldap_add_s() is marked as deprecated. - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64) ---- - source3/libads/ldap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 8d13a7cf18c..d409d4ab78e 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) - /* make sure the end of the list is NULL */ - mods[i] = NULL; - -- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); -+ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL); - ads_print_error(ret, ads->ldap.ld); - TALLOC_FREE(utf8_dn); - return ADS_ERROR(ret); --- -2.23.0 - - -From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 13 Aug 2019 17:41:40 +0200 -Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for - joining - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f) ---- - libgpo/pygpo.c | 2 +- - source3/lib/netapi/joindomain.c | 5 ++++- - source3/libads/ads_proto.h | 9 ++++++++- - source3/libads/ads_struct.c | 14 +++++++++++++- - source3/libads/ldap.c | 4 ++-- - source3/libnet/libnet_join.c | 3 ++- 
- source3/libsmb/namequery_dc.c | 2 +- - source3/printing/nt_printing_ads.c | 6 +++--- - source3/utils/net_ads.c | 13 +++++++++---- - source3/winbindd/winbindd_ads.c | 5 ++++- - source3/winbindd/winbindd_cm.c | 5 ++++- - 11 files changed, 51 insertions(+), 17 deletions(-) - -diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c -index cd107318860..4db8cad7ca4 100644 ---- a/libgpo/pygpo.c -+++ b/libgpo/pygpo.c -@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) - return -1; - } - -- self->ads_ptr = ads_init(realm, workgroup, ldap_server); -+ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN); - if (self->ads_ptr == NULL) { - return -1; - } -diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c -index ff2154ba803..8d0752f4531 100644 ---- a/source3/lib/netapi/joindomain.c -+++ b/source3/lib/netapi/joindomain.c -@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, - - dc = strip_hostname(info->dc_unc); - -- ads = ads_init(info->domain_name, info->domain_name, dc); -+ ads = ads_init(info->domain_name, -+ info->domain_name, -+ dc, -+ ADS_SASL_PLAIN); - if (!ads) { - return WERR_GEN_FAILURE; - } -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h -index 154bf67f964..92bb3a22cdb 100644 ---- a/source3/libads/ads_proto.h -+++ b/source3/libads/ads_proto.h -@@ -32,6 +32,12 @@ - #ifndef _LIBADS_ADS_PROTO_H_ - #define _LIBADS_ADS_PROTO_H_ - -+enum ads_sasl_state_e { -+ ADS_SASL_PLAIN = 0, -+ ADS_SASL_SIGN, -+ ADS_SASL_SEAL, -+}; -+ - /* The following definitions come from libads/ads_struct.c */ - - char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); -@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm); - char *ads_build_domain(const char *dn); - ADS_STRUCT *ads_init(const char *realm, - const char *workgroup, -- const char *ldap_server); -+ const char *ldap_server, -+ enum ads_sasl_state_e sasl_state); - bool 
ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); - void ads_destroy(ADS_STRUCT **ads); - -diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c -index 3ab682c0e38..043a1b21247 100644 ---- a/source3/libads/ads_struct.c -+++ b/source3/libads/ads_struct.c -@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn) - */ - ADS_STRUCT *ads_init(const char *realm, - const char *workgroup, -- const char *ldap_server) -+ const char *ldap_server, -+ enum ads_sasl_state_e sasl_state) - { - ADS_STRUCT *ads; - int wrap_flags; -@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm, - wrap_flags = 0; - } - -+ switch (sasl_state) { -+ case ADS_SASL_PLAIN: -+ break; -+ case ADS_SASL_SIGN: -+ wrap_flags |= ADS_AUTH_SASL_SIGN; -+ break; -+ case ADS_SASL_SEAL: -+ wrap_flags |= ADS_AUTH_SASL_SEAL; -+ break; -+ } -+ - ads->auth.flags = wrap_flags; - - /* Start with the configured page size when the connection is new, -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index d409d4ab78e..7bdda4b1768 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) - - if ( !ads->ldap.ld ) { - if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, -- ads->server.ldap_server )) == NULL ) -+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) - { - status = ADS_ERROR(LDAP_NO_MEMORY); - goto done; -@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) - - if ( !ads->ldap.ld ) { - if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, -- ads->server.ldap_server )) == NULL ) -+ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) - { - status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index b876d7ea89f..a512afc238a 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const 
char *dns_domain_name, - - my_ads = ads_init(dns_domain_name, - netbios_domain_name, -- dc_name); -+ dc_name, -+ ADS_SASL_SEAL); - if (!my_ads) { - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } -diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c -index 4ee5b5278e4..f63dde61603 100644 ---- a/source3/libsmb/namequery_dc.c -+++ b/source3/libsmb/namequery_dc.c -@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain, - - /* Try this 3 times then give up. */ - for( i =0 ; i < 3; i++) { -- ads = ads_init(realm, domain, NULL); -+ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN); - if (!ads) { - TALLOC_FREE(sitename); - return False; -diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c -index 2588e1de7e7..a82f1361fc8 100644 ---- a/source3/printing/nt_printing_ads.c -+++ b/source3/printing/nt_printing_ads.c -@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, - return WERR_NOT_ENOUGH_MEMORY; - } - -- ads = ads_init(lp_realm(), lp_workgroup(), NULL); -+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); - if (ads == NULL) { - result = WERR_RPC_S_SERVER_UNAVAILABLE; - goto out; -@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, - - TALLOC_FREE(sinfo2); - -- ads = ads_init(lp_realm(), lp_workgroup(), NULL); -+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); - if (!ads) { - DEBUG(3, ("ads_init() failed\n")); - win_rc = WERR_RPC_S_SERVER_UNAVAILABLE; -@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) - tmp_ctx = talloc_new(NULL); - if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY; - -- ads = ads_init(lp_realm(), lp_workgroup(), NULL); -+ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); - if (!ads) { - DEBUG(3, ("ads_init() failed\n")); - return WERR_RPC_S_SERVER_UNAVAILABLE; -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index d33031a0dbd..07a22098fb1 100644 
---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -620,7 +620,10 @@ retry_connect: - realm = assume_own_realm(c); - } - -- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host); -+ ads = ads_init(realm, -+ c->opt_target_workgroup, -+ c->opt_host, -+ ADS_SASL_PLAIN); - - if (!c->opt_user_name) { - c->opt_user_name = "administrator"; -@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha - ADS_STRUCT *ads; - ADS_STATUS status; - -- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) { -+ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN); -+ if (ads == NULL ) { - return -1; - } - -@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st - * kinit with the machine password to do dns update. - */ - -- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name); -+ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN); - - if (ads_dns == NULL) { - d_fprintf(stderr, _("DNS update failed: out of memory!\n")); -@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv) - - /* use the realm so we can eventually change passwords for users - in realms other than default */ -- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) { -+ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN); -+ if (ads == NULL) { - return -1; - } - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 922ca43764b..556b4523866 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, - /* we don't want this to affect the users ccache */ - setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); - -- ads = ads_init(target_realm, target_dom_name, ldap_server); -+ ads = ads_init(target_realm, -+ target_dom_name, -+ ldap_server, -+ ADS_SASL_SEAL); - if (!ads) { - 
DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); - return ADS_ERROR(LDAP_NO_MEMORY); -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 22d3dcaa92b..4bd03ed8b7a 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx, - - print_sockaddr(addr, sizeof(addr), pss); - -- ads = ads_init(domain->alt_name, domain->name, addr); -+ ads = ads_init(domain->alt_name, -+ domain->name, -+ addr, -+ ADS_SASL_PLAIN); - ads->auth.flags |= ADS_AUTH_NO_BIND; - ads->config.flags |= request_flags; - ads->server.no_fallback = true; --- -2.23.0 - - -From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 13 Aug 2019 16:30:07 +0200 -Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in - ads_create_machine_acct() - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a) ---- - source3/libads/ldap.c | 34 +++++++++++++++++++++++----------- - 1 file changed, 23 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 7bdda4b1768..e492d0688a5 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - uint32_t etype_list) - { - ADS_STATUS ret; -- char *samAccountName, *controlstr; -- TALLOC_CTX *ctx; -+ char *samAccountName = NULL; -+ char *controlstr = NULL; -+ TALLOC_CTX *ctx = NULL; - ADS_MODLIST mods; - char *machine_escaped = NULL; -- char *new_dn; -+ char *new_dn = NULL; - const char *objectClass[] = {"top", "person", "organizationalPerson", - "user", "computer", NULL}; - LDAPMessage *res = NULL; -@@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - return ret; - } - -- if (!(ctx = talloc_init("ads_add_machine_acct"))) -+ ctx = 
talloc_init("ads_add_machine_acct"); -+ if (ctx == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); -- -- ret = ADS_ERROR(LDAP_NO_MEMORY); -+ } - - machine_escaped = escape_rdn_val_string_alloc(machine_name); -- if (!machine_escaped) { -+ if (machine_escaped == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -@@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - ads_msgfree(ads, res); - - new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); -- samAccountName = talloc_asprintf(ctx, "%s$", machine_name); -+ if (new_dn == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } - -- if ( !new_dn || !samAccountName ) { -+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name); -+ if (samAccountName == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) { -+ controlstr = talloc_asprintf(ctx, "%u", acct_control); -+ if (controlstr == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -- if (!(mods = ads_init_mods(ctx))) { -+ mods = ads_init_mods(ctx); -+ if (mods == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -@@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - - etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); - if (etype_list_str == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", --- -2.23.0 - - -From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 21 Aug 2019 12:22:32 +0200 -Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in - ads_find_machine_acct() - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357) ---- - source3/libads/ldap.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/source3/libads/ldap.c 
b/source3/libads/ldap.c -index e492d0688a5..3bc9a2a06aa 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn) - ADS_STATUS status; - char *expr; - const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; -+ TALLOC_CTX *frame = talloc_stackframe(); - - *res = NULL; - - /* the easiest way to find a machine account anywhere in the tree - is to look for hostname$ */ -- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) { -- DEBUG(1, ("asprintf failed!\n")); -- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); -+ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine); -+ if (expr == NULL) { -+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); -+ goto done; - } - - status = ads_search(ads, res, expr, attrs); -- SAFE_FREE(expr); -+ -+done: -+ TALLOC_FREE(frame); - return status; - } - --- -2.23.0 - - -From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 14 Aug 2019 13:01:19 +0200 -Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in - ads_find_machine_count() - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d) ---- - source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++-------- - 1 file changed, 28 insertions(+), 8 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 3bc9a2a06aa..ec6ad61a55c 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn) - { - ADS_STATUS status; - char *expr; -- const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; -+ const char *attrs[] = { -+ /* This is how Windows checks for machine accounts */ -+ "objectClass", -+ "SamAccountName", -+ "userAccountControl", -+ "DnsHostName", -+ "ServicePrincipalName", -+ "unicodePwd", -+ -+ /* Additional 
attributes Samba checks */ -+ "msDS-SupportedEncryptionTypes", -+ "nTSecurityDescriptor", -+ -+ NULL -+ }; - TALLOC_CTX *frame = talloc_stackframe(); - - *res = NULL; -@@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn) - } - - status = ads_search(ads, res, expr, attrs); -+ if (ADS_ERR_OK(status)) { -+ if (ads_count_replies(ads, *res) != 1) { -+ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); -+ } -+ } - - done: - TALLOC_FREE(frame); -@@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin - char *dn_string = NULL; - - ret = ads_find_machine_acct(ads, &res, machine_name); -- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { -+ if (!ADS_ERR_OK(ret)) { - DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); - DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name)); - ads_msgfree(ads, res); -- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); -+ return ret; - } - - DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name)); -@@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, - const char **servicePrincipalName = spns; - - ret = ads_find_machine_acct(ads, &res, machine_name); -- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { -+ if (!ADS_ERR_OK(ret)) { - DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... 
skipping operation.\n", - machine_name)); - DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n")); - ads_msgfree(ads, res); -- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); -+ return ret; - } - - DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name)); -@@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - } - - ret = ads_find_machine_acct(ads, &res, machine_escaped); -- if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { -+ if (ADS_ERR_OK(ret)) { - DBG_DEBUG("Host account for %s already exists.\n", - machine_escaped); - ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); -@@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) - TALLOC_FREE(hostnameDN); - - status = ads_find_machine_acct(ads, &res, host); -- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { -+ if ((status.error_type == ENUM_ADS_ERROR_LDAP) && -+ (status.err.rc != LDAP_NO_SUCH_OBJECT)) { - DEBUG(3, ("Failed to remove host account.\n")); - SAFE_FREE(host); - return status; - } - - SAFE_FREE(host); -- return status; -+ return ADS_SUCCESS; - } - - /** --- -2.23.0 - - -From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 14 Aug 2019 12:17:20 +0200 -Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during - account creation - -This is already handled by libnet_join_post_processing_ads_modify() -which calls libnet_join_set_etypes() if encrytion types should be set. 
- -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38) ---- - source3/libads/ldap.c | 18 ------------------ - 1 file changed, 18 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index ec6ad61a55c..8fbd97e25e2 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ - UF_DONT_EXPIRE_PASSWD |\ - UF_ACCOUNTDISABLE ); -- uint32_t func_level = 0; -- -- ret = ads_domain_func_level(ads, &func_level); -- if (!ADS_ERR_OK(ret)) { -- return ret; -- } - - ctx = talloc_init("ads_add_machine_acct"); - if (ctx == NULL) { -@@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - ads_mod_strlist(ctx, &mods, "objectClass", objectClass); - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - -- if (func_level >= DS_DOMAIN_FUNCTION_2008) { -- const char *etype_list_str; -- -- etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); -- if (etype_list_str == NULL) { -- ret = ADS_ERROR(LDAP_NO_MEMORY); -- goto done; -- } -- ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", -- etype_list_str); -- } -- - ret = ads_gen_add(ads, new_dn, mods); - - done: --- -2.23.0 - - -From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 13 Aug 2019 16:34:34 +0200 -Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP - -This implements the same behaviour as Windows. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 - -Pair-Programmed-With: Guenther Deschner -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292) ---- - source3/libads/ads_proto.h | 4 +- - source3/libads/ldap.c | 118 +++++++++++++++++++++++++++++++---- - source3/libnet/libnet_join.c | 23 ++++--- - 3 files changed, 124 insertions(+), 21 deletions(-) - -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h -index 92bb3a22cdb..495ef5d3325 100644 ---- a/source3/libads/ads_proto.h -+++ b/source3/libads/ads_proto.h -@@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_ - const char **spns); - ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - const char *machine_name, -+ const char *machine_password, - const char *org_unit, -- uint32_t etype_list); -+ uint32_t etype_list, -+ const char *dns_domain_name); - ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, - const char *org_unit, bool *moved); - int ads_count_replies(ADS_STRUCT *ads, void *res); -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 8fbd97e25e2..81efda0cf30 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, - name, (const void **) vals); - } - --#if 0 - /** - * Add a single ber-encoded value to a mod list - * @param ctx An initialized TALLOC_CTX -@@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, - return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, - name, (const void **) values); - } --#endif - - static void ads_print_error(int ret, LDAP *ld) - { -@@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, - - ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - const char *machine_name, -+ const char 
*machine_password, - const char *org_unit, -- uint32_t etype_list) -+ uint32_t etype_list, -+ const char *dns_domain_name) - { - ADS_STATUS ret; - char *samAccountName = NULL; -@@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - TALLOC_CTX *ctx = NULL; - ADS_MODLIST mods; - char *machine_escaped = NULL; -+ char *dns_hostname = NULL; - char *new_dn = NULL; -- const char *objectClass[] = {"top", "person", "organizationalPerson", -- "user", "computer", NULL}; -+ char *utf8_pw = NULL; -+ size_t utf8_pw_len = 0; -+ char *utf16_pw = NULL; -+ size_t utf16_pw_len = 0; -+ struct berval machine_pw_val; -+ bool ok; -+ const char **spn_array = NULL; -+ size_t num_spns = 0; -+ const char *spn_prefix[] = { -+ "HOST", -+ "RestrictedKrbHost", -+ }; -+ size_t i; - LDAPMessage *res = NULL; -- uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ -- UF_DONT_EXPIRE_PASSWD |\ -- UF_ACCOUNTDISABLE ); -+ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT; - - ctx = talloc_init("ads_add_machine_acct"); - if (ctx == NULL) { -@@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - goto done; - } - -+ /* Check if the machine account already exists. 
*/ - ret = ads_find_machine_acct(ads, &res, machine_escaped); - if (ADS_ERR_OK(ret)) { -- DBG_DEBUG("Host account for %s already exists.\n", -- machine_escaped); - ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); - ads_msgfree(ads, res); - goto done; -@@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - goto done; - } - -+ /* Create machine account */ -+ - samAccountName = talloc_asprintf(ctx, "%s$", machine_name); - if (samAccountName == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -+ dns_hostname = talloc_asprintf(ctx, -+ "%s.%s", -+ machine_name, -+ dns_domain_name); -+ if (dns_hostname == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ /* Add dns_hostname SPNs */ -+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { -+ char *spn = talloc_asprintf(ctx, -+ "%s/%s", -+ spn_prefix[i], -+ dns_hostname); -+ if (spn == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ ok = add_string_to_array(spn_array, -+ spn, -+ &spn_array, -+ &num_spns); -+ if (!ok) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ } -+ -+ /* Add machine_name SPNs */ -+ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { -+ char *spn = talloc_asprintf(ctx, -+ "%s/%s", -+ spn_prefix[i], -+ machine_name); -+ if (spn == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ ok = add_string_to_array(spn_array, -+ spn, -+ &spn_array, -+ &num_spns); -+ if (!ok) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ } -+ -+ /* Make sure to NULL terminate the array */ -+ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1); -+ if (spn_array == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ spn_array[num_spns] = NULL; -+ - controlstr = talloc_asprintf(ctx, "%u", acct_control); - if (controlstr == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); -+ if (utf8_pw == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ 
goto done; -+ } -+ utf8_pw_len = strlen(utf8_pw); -+ -+ ok = convert_string_talloc(ctx, -+ CH_UTF8, CH_UTF16MUNGED, -+ utf8_pw, utf8_pw_len, -+ (void *)&utf16_pw, &utf16_pw_len); -+ if (!ok) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ machine_pw_val = (struct berval) { -+ .bv_val = utf16_pw, -+ .bv_len = utf16_pw_len, -+ }; -+ - mods = ads_init_mods(ctx); - if (mods == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); - goto done; - } - -- ads_mod_str(ctx, &mods, "cn", machine_name); -- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); -- ads_mod_strlist(ctx, &mods, "objectClass", objectClass); -+ ads_mod_str(ctx, &mods, "objectClass", "Computer"); -+ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName); - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); -+ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname); -+ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array); -+ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val); - - ret = ads_gen_add(ads, new_dn, mods); - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a512afc238a..d5c8599beee 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, - /* Attempt to create the machine account and bail if this fails. 
- Assume that the admin wants exactly what they requested */ - -+ if (r->in.machine_password == NULL) { -+ r->in.machine_password = -+ trust_pw_new_value(mem_ctx, -+ r->in.secure_channel_type, -+ SEC_ADS); -+ if (r->in.machine_password == NULL) { -+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ } -+ } -+ - status = ads_create_machine_acct(r->in.ads, - r->in.machine_name, -+ r->in.machine_password, - r->in.account_ou, -- r->in.desired_encryption_types); -+ r->in.desired_encryption_types, -+ r->out.dns_domain_name); - - if (ADS_ERR_OK(status)) { - DEBUG(1,("machine account creation created\n")); -@@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - if (ADS_ERR_OK(ads_status)) { - - /* -- * LDAP object create succeeded, now go to the rpc -- * password set routines -+ * LDAP object creation succeeded. - */ -- - r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; -- goto rpc_join; -+ -+ return WERR_OK; - } - - if (initial_account_ou != NULL) { -@@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - DBG_INFO("Failed to pre-create account in OU %s: %s\n", - r->in.account_ou, ads_errstr(ads_status)); - } -- rpc_join: -- - #endif /* HAVE_ADS */ - - if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && --- -2.23.0 - - -From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 14 Aug 2019 10:15:19 +0200 -Subject: [PATCH 09/11] s3:libnet: Improve debug messages - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94) ---- - source3/libnet/libnet_join.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index d5c8599beee..31d1d221ed3 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, - 
r->out.dns_domain_name); - - if (ADS_ERR_OK(status)) { -- DEBUG(1,("machine account creation created\n")); -+ DBG_WARNING("Machine account successfully created\n"); - return status; - } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) && - (status.err.rc == LDAP_ALREADY_EXISTS)) { -@@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, - } - - if (!ADS_ERR_OK(status)) { -- DEBUG(1,("machine account creation failed\n")); -+ DBG_WARNING("Failed to create machine account\n"); - return status; - } - --- -2.23.0 - - -From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 8 Aug 2019 14:40:04 +0200 -Subject: [PATCH 10/11] s3:libads: Just change the machine password if account - already exists - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 - -Pair-Programmed-With: Guenther Deschner -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521) ---- - source3/libads/ldap.c | 167 ++++++++++++++++++++++++++++++----- - source3/libnet/libnet_join.c | 1 + - 2 files changed, 146 insertions(+), 22 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 81efda0cf30..afae46d2e79 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, - return ret; - } - -+static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads, -+ LDAPMessage *msg) -+{ -+ uint32_t acct_ctrl = 0; -+ bool ok; -+ -+ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl); -+ if (!ok) { -+ return 0; -+ } -+ -+ return acct_ctrl; -+} -+ -+static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads, -+ LDAPMessage *msg, -+ const struct berval *machine_pw_val) -+{ -+ ADS_MODLIST mods; -+ ADS_STATUS ret; -+ TALLOC_CTX *frame = talloc_stackframe(); -+ uint32_t acct_control; -+ char *control_str = 
NULL; -+ const char *attrs[] = { -+ "objectSid", -+ NULL -+ }; -+ LDAPMessage *res = NULL; -+ char *dn = NULL; -+ -+ dn = ads_get_dn(ads, frame, msg); -+ if (dn == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ acct_control = ads_get_acct_ctrl(ads, msg); -+ if (acct_control == 0) { -+ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); -+ goto done; -+ } -+ -+ /* -+ * Changing the password, disables the account. So we need to change the -+ * userAccountControl flags to enable it again. -+ */ -+ mods = ads_init_mods(frame); -+ if (mods == NULL) { -+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val); -+ -+ ret = ads_gen_mod(ads, dn, mods); -+ if (!ADS_ERR_OK(ret)) { -+ goto done; -+ } -+ TALLOC_FREE(mods); -+ -+ /* -+ * To activate the account, we need to disable and enable it. -+ */ -+ acct_control |= UF_ACCOUNTDISABLE; -+ -+ control_str = talloc_asprintf(frame, "%u", acct_control); -+ if (control_str == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ mods = ads_init_mods(frame); -+ if (mods == NULL) { -+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ ads_mod_str(frame, &mods, "userAccountControl", control_str); -+ -+ ret = ads_gen_mod(ads, dn, mods); -+ if (!ADS_ERR_OK(ret)) { -+ goto done; -+ } -+ TALLOC_FREE(mods); -+ TALLOC_FREE(control_str); -+ -+ /* -+ * Enable the account again. 
-+ */ -+ acct_control &= ~UF_ACCOUNTDISABLE; -+ -+ control_str = talloc_asprintf(frame, "%u", acct_control); -+ if (control_str == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ mods = ads_init_mods(frame); -+ if (mods == NULL) { -+ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ ads_mod_str(frame, &mods, "userAccountControl", control_str); -+ -+ ret = ads_gen_mod(ads, dn, mods); -+ if (!ADS_ERR_OK(ret)) { -+ goto done; -+ } -+ TALLOC_FREE(mods); -+ TALLOC_FREE(control_str); -+ -+ ret = ads_search_dn(ads, &res, dn, attrs); -+ ads_msgfree(ads, res); -+ -+done: -+ talloc_free(frame); -+ -+ return ret; -+} -+ - /** - * adds a machine account to the ADS server - * @param ads An intialized ADS_STRUCT -@@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - goto done; - } - -+ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); -+ if (utf8_pw == NULL) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ utf8_pw_len = strlen(utf8_pw); -+ -+ ok = convert_string_talloc(ctx, -+ CH_UTF8, CH_UTF16MUNGED, -+ utf8_pw, utf8_pw_len, -+ (void *)&utf16_pw, &utf16_pw_len); -+ if (!ok) { -+ ret = ADS_ERROR(LDAP_NO_MEMORY); -+ goto done; -+ } -+ -+ machine_pw_val = (struct berval) { -+ .bv_val = utf16_pw, -+ .bv_len = utf16_pw_len, -+ }; -+ - /* Check if the machine account already exists. 
*/ - ret = ads_find_machine_acct(ads, &res, machine_escaped); - if (ADS_ERR_OK(ret)) { -- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); -+ /* Change the machine account password */ -+ ret = ads_change_machine_acct(ads, res, &machine_pw_val); - ads_msgfree(ads, res); -+ - goto done; - } - ads_msgfree(ads, res); -@@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - goto done; - } - -- utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); -- if (utf8_pw == NULL) { -- ret = ADS_ERROR(LDAP_NO_MEMORY); -- goto done; -- } -- utf8_pw_len = strlen(utf8_pw); -- -- ok = convert_string_talloc(ctx, -- CH_UTF8, CH_UTF16MUNGED, -- utf8_pw, utf8_pw_len, -- (void *)&utf16_pw, &utf16_pw_len); -- if (!ok) { -- ret = ADS_ERROR(LDAP_NO_MEMORY); -- goto done; -- } -- -- machine_pw_val = (struct berval) { -- .bv_val = utf16_pw, -- .bv_len = utf16_pw_len, -- }; -- - mods = ads_init_mods(ctx); - if (mods == NULL) { - ret = ADS_ERROR(LDAP_NO_MEMORY); -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 31d1d221ed3..1052afde641 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx, - - if (r->in.ads->auth.ccache_name != NULL) { - ads_kdestroy(r->in.ads->auth.ccache_name); -+ r->in.ads->auth.ccache_name = NULL; - } - - ads_destroy(&r->in.ads); --- -2.23.0 - - -From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 22 Aug 2019 16:31:30 +0200 -Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer=' - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184 - -(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f) ---- - testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++-- - 1 file changed, 30 
insertions(+), 2 deletions(-) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index 512aa9d2952..cc8345c4624 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then - ldbsearch="$BINDIR/ldbsearch" - fi - -+ldbadd="ldbadd" -+if [ -x "$BINDIR/ldbadd" ]; then -+ ldbadd="$BINDIR/ldbadd" -+fi -+ -+ldbdel="ldbdel" -+if [ -x "$BINDIR/ldbdel" ]; then -+ ldbdel="$BINDIR/ldbdel" -+fi -+ - # Load test functions - . `dirname $0`/subunit.sh - -@@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME% - - testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` - --computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com" --testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1` -+base_dn="DC=addom,DC=samba,DC=example,DC=com" -+computers_dn="CN=Computers,$base_dn" -+testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` - - testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - -@@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` - ##Goodbye... 
- testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - -+# -+# Test createcomputer option of 'net ads join' -+# -+testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER < -Date: Mon, 27 Jan 2020 14:58:10 +0100 -Subject: [PATCH] lib:util: Log mkdir error on correct debug levels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -For smbd we want an error and for smbclient we only want it in NOTICE -debug level. -The default log level of smbclient is log level 1 so we need notice to -not spam the user. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184 - -(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1) ---- - lib/util/util.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/lib/util/util.c b/lib/util/util.c -index 3bdeded5c1b..0d9ffe5cb7b 100644 ---- a/lib/util/util.c -+++ b/lib/util/util.c -@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname, - old_umask = umask(0); - ret = mkdir(dname, dir_perms); - if (ret == -1 && errno != EEXIST) { -- DBG_WARNING("mkdir failed on directory %s: %s\n", -+ int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE; -+ -+ DBG_PREFIX(dbg_level, -+ ("mkdir failed on directory %s: %s\n", - dname, -- strerror(errno)); -+ strerror(errno))); - umask(old_umask); - return false; - } --- -2.25.0 - diff --git a/SOURCES/samba-4.10-fix_smbspool.patch b/SOURCES/samba-4.10-fix_smbspool.patch deleted file mode 100644 index fa12f06..0000000 --- a/SOURCES/samba-4.10-fix_smbspool.patch +++ /dev/null 
@@ -1,1127 +0,0 @@ -From 16056895403f3c673dc5adc531b7e739d46292fb Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:55:49 +0200 -Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups - -This is required to access files in /var/spool/cups which have been -temporarily created in there by CUPS. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b) ---- - source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 5c4da33238b..e6684fc0d0c 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -82,6 +82,7 @@ int main(int argc, char *argv[]) - { - char smbspool_cmd[PATH_MAX] = {0}; - struct passwd *pwd; -+ struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; - struct stat sb; - char *env = NULL; -@@ -89,6 +90,7 @@ int main(int argc, char *argv[]) - char device_uri[4096] = {0}; - uid_t uid = (uid_t)-1; - gid_t gid = (gid_t)-1; -+ gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; - int cmp; - int rc; -@@ -176,6 +178,26 @@ int main(int argc, char *argv[]) - return CUPS_BACKEND_FAILED; - } - -+ /* -+ * We need the primary group of the 'lp' user. This is needed to access -+ * temporary files in /var/spool/cups/. 
-+ */ -+ g = getgrnam("lp"); -+ if (g == NULL) { -+ CUPS_SMB_ERROR("Failed to find user 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ -+ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid); -+ groups[0] = g->gr_gid; -+ rc = setgroups(sizeof(groups), groups); -+ if (rc != 0) { -+ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ - CUPS_SMB_DEBUG("Switching to gid=%d", gid); - rc = setgid(gid); - if (rc != 0) { --- -2.21.0 - - -From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 13:41:02 +0200 -Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate - with - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5) ---- - source3/client/smbspool.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 22071613677..efbdd418fdb 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) { - return false; - } else { - krb5_principal default_princ = NULL; -+ char *princ_name = NULL; - - code = krb5_cc_get_principal(ctx, - ccache, -@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) { - krb5_free_context(ctx); - return false; - } -+ -+ code = krb5_unparse_name(ctx, -+ default_princ, -+ &princ_name); -+ if (code == 0) { -+ fprintf(stderr, -+ "DEBUG: Try to authenticate as %s\n", -+ princ_name); -+ krb5_free_unparsed_name(ctx, princ_name); -+ } - krb5_free_principal(ctx, default_princ); - } - krb5_cc_close(ctx, ccache); --- -2.21.0 - - -From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 14:25:00 +0200 -Subject: [PATCH 3/9] s3:smbspool: Add 
debug for finding KRB5CCNAME - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba) ---- - source3/client/smbspool_krb5_wrapper.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index e6684fc0d0c..2cdcd372ec6 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -219,10 +219,14 @@ int main(int argc, char *argv[]) - env = getenv("KRB5CCNAME"); - if (env != NULL && env[0] != 0) { - snprintf(gen_cc, sizeof(gen_cc), "%s", env); -+ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache", -+ gen_cc); - - goto create_env; - } - -+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -+ - snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); - - rc = lstat(gen_cc, &sb); --- -2.21.0 - - -From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:10:57 +0200 -Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858) ---- - source3/client/smbspool_krb5_wrapper.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 2cdcd372ec6..3266b90ec1a 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -227,13 +227,13 @@ int main(int argc, char *argv[]) - - CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); - -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); - - rc = lstat(gen_cc, 
&sb); - if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); - } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); - - rc = lstat(gen_cc, &sb); - if (rc == 0 && S_ISDIR(sb.st_mode)) { --- -2.21.0 - - -From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:40:43 +0200 -Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is - not set - -This could also support the new KCM credential cache storage. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3) ---- - source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++-------- - source3/wscript_build | 1 + - 2 files changed, 55 insertions(+), 25 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 3266b90ec1a..bff1df417e8 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -21,6 +21,7 @@ - - #include "includes.h" - #include "system/filesys.h" -+#include "system/kerberos.h" - #include "system/passwd.h" - - #include -@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) 
- buffer); - } - -+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len) -+{ -+ krb5_context ctx; -+ const char *ccache_name = NULL; -+ char *full_ccache_name = NULL; -+ krb5_ccache ccache = NULL; -+ krb5_error_code code; -+ -+ code = krb5_init_context(&ctx); -+ if (code != 0) { -+ return false; -+ } -+ -+ ccache_name = krb5_cc_default_name(ctx); -+ if (ccache_name == NULL) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_resolve(ctx, ccache_name, &ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name); -+ krb5_cc_close(ctx, ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ snprintf(ccache_buf, len, "%s", full_ccache_name); -+ -+#ifdef SAMBA4_USES_HEIMDAL -+ free(full_ccache_name); -+#else -+ krb5_free_string(ctx, full_ccache_name); -+#endif -+ krb5_free_context(ctx); -+ -+ return true; -+} -+ - /* - * This is a helper binary to execute smbspool. 
- * -@@ -84,7 +129,6 @@ int main(int argc, char *argv[]) - struct passwd *pwd; - struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; -- struct stat sb; - char *env = NULL; - char auth_info_required[256] = {0}; - char device_uri[4096] = {0}; -@@ -92,6 +136,7 @@ int main(int argc, char *argv[]) - gid_t gid = (gid_t)-1; - gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; -+ bool ok; - int cmp; - int rc; - -@@ -225,32 +270,16 @@ int main(int argc, char *argv[]) - goto create_env; - } - -- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -- -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -- } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0 && S_ISDIR(sb.st_mode)) { -- snprintf(gen_cc, -- sizeof(gen_cc), -- "DIR:/run/user/%d/krb5cc", -- uid); -- } else { --#if defined(__linux__) -- snprintf(gen_cc, -- sizeof(gen_cc), -- "KEYRING:persistent:%d", -- uid); --#endif -- } -+ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc)); -+ if (ok) { -+ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]", -+ gen_cc); -+ goto create_env; - } - -+ /* Fallback to a FILE ccache */ -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -+ - create_env: - /* - * Make sure we do not have LD_PRELOAD or other security relevant -diff --git a/source3/wscript_build b/source3/wscript_build -index f67ce59fe52..8e34b7d0261 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', - deps=''' - DYNCONFIG - cups -+ krb5 - ''', - install_path='${LIBEXECDIR}/samba', - enabled=bld.CONFIG_SET('HAVE_CUPS')) --- -2.21.0 - - -From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:48:31 +0200 -Subject: [PATCH 6/9] s3:smbspool: Print the filename we 
failed to open - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd) ---- - source3/client/smbspool.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index efbdd418fdb..ef16c2bed42 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -224,7 +224,9 @@ main(int argc, /* I - Number of command-line arguments */ - - fp = fopen(print_file, "rb"); - if (fp == NULL) { -- perror("ERROR: Unable to open print file"); -+ fprintf(stderr, -+ "ERROR: Unable to open print file: %s", -+ print_file); - goto done; - } - --- -2.21.0 - - -From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 18:54:02 +0200 -Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos - -If username and password is given, then fallback to NTLM. However try -kinit first. Also we correctly handle NULL passwords in the meantime and -this makes it easier to deal with issues. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d) ---- - source3/client/smbspool.c | 90 ++++++++++++++++++++++----------------- - 1 file changed, 51 insertions(+), 39 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ef16c2bed42..f21aac2ac58 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -88,8 +88,8 @@ main(int argc, /* I - Number of command-line arguments */ - int port; /* Port number */ - char uri[1024], /* URI */ - *sep, /* Pointer to separator */ -- *tmp, *tmp2, /* Temp pointers to do escaping */ -- *password; /* Password */ -+ *tmp, *tmp2; /* Temp pointers to do escaping */ -+ const char *password = NULL; /* Password */ - char *username, /* Username */ - *server, /* Server name */ - *printer;/* Printer name */ -@@ -293,8 +293,6 @@ main(int argc, /* I - Number of command-line arguments */ - if ((tmp2 = strchr_m(tmp, ':')) != NULL) { - *tmp2++ = '\0'; - password = uri_unescape_alloc(tmp2); -- } else { -- password = empty_str; - } - username = uri_unescape_alloc(tmp); - } else { -@@ -302,14 +300,15 @@ main(int argc, /* I - Number of command-line arguments */ - username = empty_str; - } - -- if ((password = getenv("AUTH_PASSWORD")) == NULL) { -- password = empty_str; -+ env = getenv("AUTH_PASSWORD"); -+ if (env != NULL && strlen(env) > 0) { -+ password = env; - } - - server = uri + 6; - } - -- if (password != empty_str) { -+ if (password != NULL) { - auth_info_required = "username,password"; - } - -@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname, - NTSTATUS nt_status; - struct cli_credentials *creds = NULL; - bool use_kerberos = false; -+ bool fallback_after_kerberos = false; - - /* Start the SMB connection */ - *need_auth = false; -@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname, - return NULL; - } - -- /* -- * We pretty 
much guarantee password must be valid or a pointer to a -- * 0 char. -- */ -- if (!password) { -- *need_auth = true; -- return NULL; -- } -- - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -- auth_info_required = "negotiate"; - use_kerberos = true; - } - -+ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) { -+ fallback_after_kerberos = true; -+ } -+ - creds = cli_session_creds_init(cli, - username, - workgroup, - NULL, /* realm */ - password, - use_kerberos, -- false, /* fallback_after_kerberos */ -+ fallback_after_kerberos, - false, /* use_ccache */ - false); /* password_is_nt_hash */ - if (creds == NULL) { -@@ -663,6 +657,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - struct cli_state *cli; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; -+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS; -+ bool use_kerberos = false; -+ const char *user = username; -+ int cmp; - - /* - * Get the names and addresses of the client and server... -@@ -672,42 +670,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - return NULL; - } - -- /* -- * See if we have a username first. 
This is for backwards compatible -- * behavior with 3.0.14a -- */ - -- if (username == NULL || username[0] == '\0') { -- if (kerberos_ccache_is_valid()) { -- goto kerberos_auth; -+ cmp = strcmp(auth_info_required, "negotiate"); -+ if (cmp == 0) { -+ if (!kerberos_ccache_is_valid()) { -+ return NULL; - } -+ user = jobusername; -+ -+ use_kerberos = true; -+ fprintf(stderr, -+ "DEBUG: Try to connect using Kerberos ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "username,password"); -+ if (cmp == 0) { -+ if (username == NULL || username[0] == '\0') { -+ return NULL; -+ } -+ -+ /* Fallback to NTLM */ -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ -+ fprintf(stderr, -+ "DEBUG: Try to connect using username/password ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "none"); -+ if (cmp == 0) { -+ fprintf(stderr, -+ "DEBUG: This backend doesn't support none auth ...\n"); -+ return NULL; - } - - cli = smb_complete_connection(myname, - server, - port, -- username, -+ user, - password, - workgroup, - share, -- 0, -+ flags, - need_auth); - if (cli != NULL) { -- fputs("DEBUG: Connected with username/password...\n", stderr); -+ fprintf(stderr, "DEBUG: SMB connection established.\n"); - return (cli); - } - --kerberos_auth: -- /* -- * Try to use the user kerberos credentials (if any) to authenticate -- */ -- cli = smb_complete_connection(myname, server, port, jobusername, "", -- workgroup, share, -- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth); -- -- if (cli) { -- fputs("DEBUG: Connected using Kerberos...\n", stderr); -- return (cli); -+ if (!use_kerberos) { -+ fprintf(stderr, "ERROR: SMB connection failed!\n"); -+ return NULL; - } - - /* give a chance for a passwordless NTLMSSP session setup */ --- -2.21.0 - - -From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 18:24:32 +0200 -Subject: [PATCH 8/9] s3:smbspool: Add debug messages to - kerberos_ccache_is_valid() - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3) ---- - source3/client/smbspool.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index f21aac2ac58..79e210dd12e 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) { - - ccache_name = krb5_cc_default_name(ctx); - if (ccache_name == NULL) { -+ DBG_ERR("Failed to get default ccache name\n"); - krb5_free_context(ctx); - return false; - } - - code = krb5_cc_resolve(ctx, ccache_name, &ccache); - if (code != 0) { -+ DBG_ERR("Failed to resolve ccache name: %s\n", -+ ccache_name); - krb5_free_context(ctx); - return false; - } else { -@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) { - ccache, - &default_princ); - if (code != 0) { -+ DBG_ERR("Failed to get default principal from " -+ "ccache: %s\n", -+ ccache_name); - krb5_cc_close(ctx, ccache); - krb5_free_context(ctx); - return false; --- -2.21.0 - - -From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 14 May 2019 11:35:46 +0200 -Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes - -This allows us to simplify some code and return better errors. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea) ---- - source3/client/smbspool.c | 250 ++++++++++++++++++++++---------------- - 1 file changed, 145 insertions(+), 105 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 79e210dd12e..ad988eb0df9 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -61,12 +61,27 @@ - * Local functions... 
- */ - --static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); -+static int get_exit_code(NTSTATUS nt_status); - static void list_devices(void); --static struct cli_state *smb_complete_connection(const char *, const char *, -- int, const char *, const char *, const char *, const char *, int, bool *need_auth); --static struct cli_state *smb_connect(const char *, const char *, int, const -- char *, const char *, const char *, const char *, bool *need_auth); -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, -+ const char *server, -+ int port, -+ const char *username, -+ const char *password, -+ const char *workgroup, -+ const char *share, -+ int flags); -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, -+ const char *server, -+ const int port, -+ const char *share, -+ const char *username, -+ const char *password, -+ const char *jobusername); - static int smb_print(struct cli_state *, const char *, FILE *); - static char *uri_unescape_alloc(const char *); - #if 0 -@@ -90,16 +105,15 @@ main(int argc, /* I - Number of command-line arguments */ - *sep, /* Pointer to separator */ - *tmp, *tmp2; /* Temp pointers to do escaping */ - const char *password = NULL; /* Password */ -- char *username, /* Username */ -- *server, /* Server name */ -+ const char *username = NULL; /* Username */ -+ char *server, /* Server name */ - *printer;/* Printer name */ - const char *workgroup; /* Workgroup */ - FILE *fp; /* File to print */ - int status = 1; /* Status of LPD job */ -- struct cli_state *cli; /* SMB interface */ -- char empty_str[] = ""; -+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; -+ struct cli_state *cli = NULL; /* SMB interface */ - int tries = 0; -- bool need_auth = true; - const char *dev_uri = NULL; - const char *env = NULL; - const char *config_file = NULL; -@@ -296,8 +310,9 @@ main(int argc, /* I - Number of command-line arguments */ - } - username = 
uri_unescape_alloc(tmp); - } else { -- if ((username = getenv("AUTH_USERNAME")) == NULL) { -- username = empty_str; -+ env = getenv("AUTH_USERNAME"); -+ if (env != NULL && strlen(env) > 0) { -+ username = env; - } - - env = getenv("AUTH_PASSWORD"); -@@ -369,27 +384,39 @@ main(int argc, /* I - Number of command-line arguments */ - load_interfaces(); - - do { -- cli = smb_connect(workgroup, -- server, -- port, -- printer, -- username, -- password, -- print_user, -- &need_auth); -- if (cli == NULL) { -- if (need_auth) { -- exit(2); -+ nt_status = smb_connect(&cli, -+ workgroup, -+ server, -+ port, -+ printer, -+ username, -+ password, -+ print_user); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ status = get_exit_code(nt_status); -+ if (status == 2) { -+ fprintf(stderr, -+ "DEBUG: Unable to connect to CIFS " -+ "host: %s", -+ nt_errstr(nt_status)); -+ goto done; - } else if (getenv("CLASS") == NULL) { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. Will retry in 60 " -+ "seconds...\n", -+ nt_errstr(nt_status)); - sleep(60); - tries++; - } else { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. 
Trying next printer...\n", -+ nt_errstr(nt_status)); - goto done; - } - } -- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT)); -+ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT)); - - if (cli == NULL) { - fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries); -@@ -436,10 +463,9 @@ done: - */ - - static int --get_exit_code(struct cli_state * cli, -- NTSTATUS nt_status) -+get_exit_code(NTSTATUS nt_status) - { -- int i; -+ size_t i; - - /* List of NTSTATUS errors that are considered - * authentication errors -@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli, - }; - - -- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n", -- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status)); -+ fprintf(stderr, -+ "DEBUG: get_exit_code(nt_status=%s [%x])\n", -+ nt_errstr(nt_status), NT_STATUS_V(nt_status)); - - for (i = 0; i < ARRAY_SIZE(auth_errors); i++) { - if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) { - continue; - } - -- if (cli) { -- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); -- } -+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); - - /* - * 2 = authentication required... 
-@@ -498,16 +523,16 @@ list_devices(void) - } - - --static struct cli_state * --smb_complete_connection(const char *myname, -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, - const char *server, - int port, - const char *username, - const char *password, - const char *workgroup, - const char *share, -- int flags, -- bool *need_auth) -+ int flags) - { - struct cli_state *cli; /* New connection */ - NTSTATUS nt_status; -@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname, - bool fallback_after_kerberos = false; - - /* Start the SMB connection */ -- *need_auth = false; - nt_status = cli_start_connection(&cli, myname, server, NULL, port, - SMB_SIGNING_DEFAULT, flags); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status)); -- return NULL; -+ return nt_status; - } - - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname, - if (creds == NULL) { - fprintf(stderr, "ERROR: cli_session_creds_init failed\n"); - cli_shutdown(cli); -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - nt_status = cli_session_setup_creds(cli, creds); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - - nt_status = cli_tree_connect_creds(cli, share, "?????", creds); -@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname, - fprintf(stderr, "ERROR: Tree connect failed (%s)\n", - nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - #if 0 - /* Need to work out how to specify this on the URL. 
*/ -@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname, - } - #endif - -- return cli; -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - static bool kerberos_ccache_is_valid(void) { -@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) { - * 'smb_connect()' - Return a connection to a server. - */ - --static struct cli_state * /* O - SMB connection */ --smb_connect(const char *workgroup, /* I - Workgroup */ -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, /* I - Workgroup */ - const char *server, /* I - Server */ - const int port, /* I - Port */ - const char *share, /* I - Printer */ - const char *username, /* I - Username */ - const char *password, /* I - Password */ -- const char *jobusername, /* I - User who issued the print job */ -- bool *need_auth) --{ /* O - Need authentication? */ -- struct cli_state *cli; /* New connection */ -+ const char *jobusername) /* I - User who issued the print job */ -+{ -+ struct cli_state *cli = NULL; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; - int flags = CLI_FULL_CONNECTION_USE_KERBEROS; - bool use_kerberos = false; - const char *user = username; -- int cmp; -+ NTSTATUS nt_status; - - /* - * Get the names and addresses of the client and server... 
- */ - myname = get_myname(talloc_tos()); - if (!myname) { -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - -- cmp = strcmp(auth_info_required, "negotiate"); -- if (cmp == 0) { -+ if (strcmp(auth_info_required, "negotiate") == 0) { - if (!kerberos_ccache_is_valid()) { -- return NULL; -+ fprintf(stderr, -+ "ERROR: No valid Kerberos credential cache " -+ "found!\n"); -+ return NT_STATUS_LOGON_FAILURE; - } - user = jobusername; - - use_kerberos = true; - fprintf(stderr, - "DEBUG: Try to connect using Kerberos ...\n"); -- } -- -- cmp = strcmp(auth_info_required, "username,password"); -- if (cmp == 0) { -- if (username == NULL || username[0] == '\0') { -- return NULL; -+ } else if (strcmp(auth_info_required, "username,password") == 0) { -+ if (username == NULL) { -+ return NT_STATUS_INVALID_ACCOUNT_NAME; - } - - /* Fallback to NTLM */ -@@ -700,59 +716,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - - fprintf(stderr, - "DEBUG: Try to connect using username/password ...\n"); -- } -+ } else { -+ if (username != NULL) { -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ } else if (kerberos_ccache_is_valid()) { -+ auth_info_required = "negotiate"; - -- cmp = strcmp(auth_info_required, "none"); -- if (cmp == 0) { -- fprintf(stderr, -- "DEBUG: This backend doesn't support none auth ...\n"); -- return NULL; -+ user = jobusername; -+ use_kerberos = true; -+ } else { -+ fprintf(stderr, -+ "DEBUG: This backend requires credentials!\n"); -+ return NT_STATUS_ACCESS_DENIED; -+ } - } - -- cli = smb_complete_connection(myname, -- server, -- port, -- user, -- password, -- workgroup, -- share, -- flags, -- need_auth); -- if (cli != NULL) { -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ user, -+ password, -+ workgroup, -+ share, -+ flags); -+ if (NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "DEBUG: SMB connection established.\n"); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - if (!use_kerberos) { 
- fprintf(stderr, "ERROR: SMB connection failed!\n"); -- return NULL; -+ return nt_status; - } - - /* give a chance for a passwordless NTLMSSP session setup */ - pwd = getpwuid(geteuid()); - if (pwd == NULL) { -- return NULL; -- } -- -- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "", -- workgroup, share, 0, need_auth); -- -- if (cli) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ pwd->pw_name, -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { - fputs("DEBUG: Connected with NTLMSSP...\n", stderr); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - /* - * last try. Use anonymous authentication - */ - -- cli = smb_complete_connection(myname, server, port, "", "", -- workgroup, share, 0, need_auth); -- /* -- * Return the new connection... -- */ -- -- return (cli); -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ "", -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { -+ *output_cli = cli; -+ return NT_STATUS_OK; -+ } -+ -+ return nt_status; - } - - -@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: %s opening remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } - - /* -@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, - tbytes, nbytes, NULL); - if (!NT_STATUS_IS_OK(status)) { -- int ret = get_exit_code(cli, status); -+ int ret = get_exit_code(status); - fprintf(stderr, "ERROR: Error writing spool: %s\n", - nt_errstr(status)); - fprintf(stderr, "DEBUG: Returning status %d...\n", -@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: 
%s closing remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } else { - return (0); - } --- -2.21.0 - -From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 18 Jun 2019 14:43:50 +0200 -Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba - -Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the -function we provide in krb5samba. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8) ---- - source3/wscript_build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/wscript_build b/source3/wscript_build -index 1ebb006781a..26e251f442a 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', - deps=''' - DYNCONFIG - cups -- krb5 -+ krb5samba - ''', - install_path='${LIBEXECDIR}/samba', - enabled=bld.CONFIG_SET('HAVE_CUPS')) --- -2.21.0 - diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch deleted file mode 100644 index d72091e..0000000 --- a/SOURCES/samba-4.10-fix_smbspool_username_password.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001 -From: Bryan Mason -Date: Mon, 16 Sep 2019 12:35:06 -0700 -Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI - -CUPS sanitizes argv[0] by removing username/password, so use -DEVICE_URI environment variable first. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128 - -Signed-off-by: Bryan Mason -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184 - -(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931) ---- - source3/client/smbspool.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ad988eb0df9..36f7f67ca94 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */ - - /* - * Find the URI ... -- */ -- if (dev_uri == NULL) { -- env = getenv("DEVICE_URI"); -- if (env != NULL && env[0] != '\0') { -- dev_uri = env; -- } -- } -+ * -+ * The URI in argv[0] is sanitized to remove username/password, so -+ * use DEVICE_URI if available. Otherwise keep the URI already -+ * discovered in argv. -+ */ -+ env = getenv("DEVICE_URI"); -+ if (env != NULL && env[0] != '\0') { -+ dev_uri = env; -+ } - - if (dev_uri == NULL) { - fprintf(stderr, --- -2.23.0 - diff --git a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch deleted file mode 100644 index 6f7ca74..0000000 --- a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 2d783791856be182d420555d8df5e31768b0d7d2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
-Date: Thu, 12 Sep 2019 16:39:10 +0200
-Subject: [PATCH] s3-winbindd: fix forest trusts with additional trust
- attributes.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
-
-Guenther
-
-Signed-off-by: Guenther Deschner
-Reviewed-by: Stefan Metzmacher
-Reviewed-by: Andreas Schneider
-(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26)
----
- source3/winbindd/winbindd_ads.c | 2 +-
- source3/winbindd/winbindd_util.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 5f20cfb7f76..485ca831be9 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -1457,7 +1457,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
- */
-
- if ((trust->trust_attributes
-- == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
-+ & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
- !domain->primary )
- {
- DEBUG(10,("trusted_domains: Skipping external trusted "
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index cc4c3f7391a..ee7651c9639 100644
---- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -723,7 +723,7 @@ static void rescan_forest_trusts( void )
-
- if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
- (type == LSA_TRUST_TYPE_UPLEVEL) &&
-- (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
-+ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
- {
- /* add the trusted domain if we don't know
- about it */
---
-2.21.0
-
diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
deleted file mode 100644
index c196b55..0000000
--- a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
-From: Evgeny Sinelnikov
-Date: Wed, 31 Jul 2019 23:17:20 +0400
-Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add check for requested replies of existing machine object during join
-machine to domain. This solves regression fail during join with error:
-"None of the information to be translated has been translated."
-
-https://bugzilla.samba.org/show_bug.cgi?id=14007
-
-Reviewed-by: Guenther Deschner
-Reviewed-by: Alexander Bokovoy
-Reviewed-by: Stefan Metzmacher
-
-Autobuild-User(master): Günther Deschner
-Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
----
- source3/libads/ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 4f3d43b02b1..2110390b65f 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- }
-
- ret = ads_find_machine_acct(ads, &res, machine_escaped);
-- ads_msgfree(ads, res);
-- if (ADS_ERR_OK(ret)) {
-+ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
- DBG_DEBUG("Host account for %s already exists.\n",
- machine_escaped);
- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+ ads_msgfree(ads, res);
- goto done;
- }
-+ ads_msgfree(ads, res);
-
- new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
---
-2.21.0
-
diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch
new file mode 100644
index 0000000..cc36c48
--- /dev/null
+++ b/SOURCES/samba-4.10-redhat.patch
@@ -0,0 +1,798 @@
+From 0ef46723cad274d0fe7948a67b33f9f20fab3f0d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 7 Jan 2020 19:25:53 +0200
+Subject: [PATCH 1/7] s3-rpcserver: fix security level check for
+ DsRGetForestTrustInformation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
+didn't change since DCE RPC channel refactoring.
+
+With the current code we return RPC faul as can be seen in the logs:
+
+2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+ netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
+ in: struct netr_DsRGetForestTrustInformation
+ server_name : *
+ server_name : '\\some-dc.example.com'
+ trusted_domain_name : NULL
+ flags : 0x00000000 (0)
+[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
+ api_rpcTNP: fault(5) return.
+
+This is due to this check in processing a request:
+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return WERR_ACCESS_DENIED;
+ }
+
+and since we get AuthZ response,
+
+ Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
+ Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
+[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
+ JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
+ "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
+ "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
+ "serviceDescription": "netlogon", "authType": "ncacn_np",
+ "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
+ "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
+ "transportProtection": "SMB", "accountFlags": "0x00000010"}}
+
+this means we are actually getting anonymous DCE/RPC access to netlogon
+on top of authenticated SMB connection. In such case we have exactly
+auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
+DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
+
+Update the code to follow the same security level check as in s4 variant
+of the call.
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Guenther Deschner
+
+Autobuild-User(master): Günther Deschner
+Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184
+
+(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87)
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index d799ba4feef..87613b99fde 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2425,10 +2425,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ {
+ NTSTATUS status;
+ struct lsa_ForestTrustInformation *info, **info_ptr;
++ enum security_user_level security_level;
+
+- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+- p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++ security_level = security_session_user_level(p->session_info, NULL);
++ if (security_level < SECURITY_USER) {
+ return WERR_ACCESS_DENIED;
+ }
+
+--
+2.26.2
+
+
+From 67c40147a3c1da49a8d407282e1917ed3be511b0 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 27 May 2020 16:50:45 +0200
+Subject: [PATCH 2/7] Add a test to check dNSHostName with netbios aliases
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+---
+ selftest/knownfail.d/nb_alias_dnshostname | 2 ++
+ testprogs/blackbox/test_net_ads.sh | 14 ++++++++++++++
+ 2 files changed, 16 insertions(+)
+ create mode 100644 selftest/knownfail.d/nb_alias_dnshostname
+
+diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
+new file mode 100644
+index 00000000000..3c14e9931b9
+--- /dev/null
++++ b/selftest/knownfail.d/nb_alias_dnshostname
+@@ -0,0 +1,2 @@
++^samba4.blackbox.net_ads.nb_alias check dNSHostName
++^samba4.blackbox.net_ads.nb_alias check main SPN
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 95c0cf76f90..6073ea972f9 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -220,6 +220,20 @@ testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samac
+ ##Goodbye...
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
++# netbios aliases tests
++testit "join nb_alias" $VALGRIND $net_tool --option=netbiosaliases=nb_alias1,nb_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++testit "testjoin nb_alias" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1`
++
++testit_grep "nb_alias check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1`
++testit_grep "nb_alias check main SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
++testit_grep "nb_alias1 SPN" nb_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++testit_grep "nb_alias2 SPN" nb_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1`
++
++##Goodbye...
++testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
+ #
+ # Test createcomputer option of 'net ads join'
+ #
+--
+2.26.2
+
+
+From b3e19ea4f4f366e7f6b99114c71f65c303402ef8 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 27 May 2020 15:52:46 +0200
+Subject: [PATCH 3/7] Fix accidental overwrite of dnsHostName by the last
+ netbios alias
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+---
+ selftest/knownfail.d/nb_alias_dnshostname | 2 --
+ source3/libnet/libnet_join.c | 5 +++--
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/nb_alias_dnshostname
+
+diff --git a/selftest/knownfail.d/nb_alias_dnshostname b/selftest/knownfail.d/nb_alias_dnshostname
+deleted file mode 100644
+index 3c14e9931b9..00000000000
+--- a/selftest/knownfail.d/nb_alias_dnshostname
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba4.blackbox.net_ads.nb_alias check dNSHostName
+-^samba4.blackbox.net_ads.nb_alias check main SPN
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 9d4f656ffec..a31011b0ff8 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -507,6 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ ADS_STATUS status;
+ ADS_MODLIST mods;
+ fstring my_fqdn;
++ fstring my_alias;
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
+ char *spn = NULL;
+@@ -587,11 +588,11 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ /*
+ * Add HOST/netbiosname.domainname
+ */
+- fstr_sprintf(my_fqdn, "%s.%s",
++ fstr_sprintf(my_alias, "%s.%s",
+ *netbios_aliases,
+ lp_dnsdomain());
+
+- spn = talloc_asprintf(frame, "HOST/%s", my_fqdn);
++ spn = talloc_asprintf(frame, "HOST/%s", my_alias);
+ if (spn == NULL) {
+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+--
+2.26.2
+
+
+From 
134c761913dcf84c8c18751a8ba9cc3652995138 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 24 Oct 2019 19:04:51 +0300 +Subject: [PATCH 4/7] Refactor ads_keytab_add_entry() to make it iterable + +so we can more easily add msDS-AdditionalDnsHostName entries. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + source3/libads/kerberos_keytab.c | 197 +++++++++++++++++-------------- + 1 file changed, 107 insertions(+), 90 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 97d5535041c..0f450a09df5 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -228,18 +228,16 @@ out: + return ok; + } + +-/********************************************************************** +- Adds a single service principal, i.e. 'host' to the system keytab +-***********************************************************************/ +- +-int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) ++static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx, ++ ADS_STRUCT *ads, const char *salt_princ_s, ++ krb5_keytab keytab, krb5_kvno kvno, ++ const char *srvPrinc, const char *my_fqdn, ++ krb5_data *password, bool update_ads) + { + krb5_error_code ret = 0; +- krb5_context context = NULL; +- krb5_keytab keytab = NULL; +- krb5_data password; +- krb5_kvno kvno; +- krb5_enctype enctypes[6] = { ++ char *princ_s = NULL; ++ char *short_princ_s = NULL; ++ krb5_enctype enctypes[6] = { + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, + #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +@@ -251,65 +249,7 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + ENCTYPE_ARCFOUR_HMAC, + 0 + }; +- char *princ_s = NULL; +- char *short_princ_s = NULL; +- char *salt_princ_s = NULL; +- char *password_s = NULL; +- char *my_fqdn; +- TALLOC_CTX *tmpctx = NULL; +- int i; +- +- ret = 
smb_krb5_init_context_common(&context); +- if (ret) { +- DBG_ERR("kerberos init context failed (%s)\n", +- error_message(ret)); +- return -1; +- } +- +- ret = ads_keytab_open(context, &keytab); +- if (ret != 0) { +- goto out; +- } +- +- /* retrieve the password */ +- if (!secrets_init()) { +- DEBUG(1, (__location__ ": secrets_init failed\n")); +- ret = -1; +- goto out; +- } +- password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); +- if (!password_s) { +- DEBUG(1, (__location__ ": failed to fetch machine password\n")); +- ret = -1; +- goto out; +- } +- ZERO_STRUCT(password); +- password.data = password_s; +- password.length = strlen(password_s); +- +- /* we need the dNSHostName value here */ +- tmpctx = talloc_init(__location__); +- if (!tmpctx) { +- DEBUG(0, (__location__ ": talloc_init() failed!\n")); +- ret = -1; +- goto out; +- } +- +- my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); +- if (!my_fqdn) { +- DEBUG(0, (__location__ ": unable to determine machine " +- "account's dns name in AD!\n")); +- ret = -1; +- goto out; +- } +- +- /* make sure we have a single instance of a the computer account */ +- if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { +- DEBUG(0, (__location__ ": unable to determine machine " +- "account's short name in AD!\n")); +- ret = -1; +- goto out; +- } ++ size_t i; + + /* Construct our principal */ + if (strchr_m(srvPrinc, '@')) { +@@ -358,22 +298,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + } + } + +- kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); +- if (kvno == -1) { +- /* -1 indicates failure, everything else is OK */ +- DEBUG(1, (__location__ ": ads_get_machine_kvno failed to " +- "determine the system's kvno.\n")); +- ret = -1; +- goto out; +- } +- +- salt_princ_s = kerberos_secrets_fetch_salt_princ(); +- if (salt_princ_s == NULL) { +- DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); +- ret = -1; +- goto out; +- } +- 
+ for (i = 0; enctypes[i]; i++) { + + /* add the fqdn principal to the keytab */ +@@ -383,11 +307,11 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + princ_s, + salt_princ_s, + enctypes[i], +- &password, ++ password, + false, + false); + if (ret) { +- DEBUG(1, (__location__ ": Failed to add entry to keytab\n")); ++ DBG_WARNING("Failed to add entry to keytab\n"); + goto out; + } + +@@ -399,16 +323,109 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + short_princ_s, + salt_princ_s, + enctypes[i], +- &password, ++ password, + false, + false); + if (ret) { +- DEBUG(1, (__location__ +- ": Failed to add short entry to keytab\n")); ++ DBG_WARNING("Failed to add short entry to keytab\n"); + goto out; + } + } + } ++out: ++ return ret; ++} ++ ++/********************************************************************** ++ Adds a single service principal, i.e. 'host' to the system keytab ++***********************************************************************/ ++ ++int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) ++{ ++ krb5_error_code ret = 0; ++ krb5_context context = NULL; ++ krb5_keytab keytab = NULL; ++ krb5_data password; ++ krb5_kvno kvno; ++ char *salt_princ_s = NULL; ++ char *password_s = NULL; ++ char *my_fqdn; ++ TALLOC_CTX *tmpctx = NULL; ++ ++ ret = smb_krb5_init_context_common(&context); ++ if (ret) { ++ DBG_ERR("kerberos init context failed (%s)\n", ++ error_message(ret)); ++ return -1; ++ } ++ ++ ret = ads_keytab_open(context, &keytab); ++ if (ret != 0) { ++ goto out; ++ } ++ ++ /* retrieve the password */ ++ if (!secrets_init()) { ++ DBG_WARNING("secrets_init failed\n"); ++ ret = -1; ++ goto out; ++ } ++ password_s = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL); ++ if (!password_s) { ++ DBG_WARNING("failed to fetch machine password\n"); ++ ret = -1; ++ goto out; ++ } ++ ZERO_STRUCT(password); ++ password.data = password_s; ++ password.length = 
strlen(password_s); ++ ++ /* we need the dNSHostName value here */ ++ tmpctx = talloc_init(__location__); ++ if (!tmpctx) { ++ DBG_ERR("talloc_init() failed!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ my_fqdn = ads_get_dnshostname(ads, tmpctx, lp_netbios_name()); ++ if (!my_fqdn) { ++ DBG_ERR("unable to determine machine account's dns name in " ++ "AD!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ /* make sure we have a single instance of a the computer account */ ++ if (!ads_has_samaccountname(ads, tmpctx, lp_netbios_name())) { ++ DBG_ERR("unable to determine machine account's short name in " ++ "AD!\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ kvno = (krb5_kvno)ads_get_machine_kvno(ads, lp_netbios_name()); ++ if (kvno == -1) { ++ /* -1 indicates failure, everything else is OK */ ++ DBG_WARNING("ads_get_machine_kvno failed to determine the " ++ "system's kvno.\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ salt_princ_s = kerberos_secrets_fetch_salt_princ(); ++ if (salt_princ_s == NULL) { ++ DBG_WARNING("kerberos_secrets_fetch_salt_princ() failed\n"); ++ ret = -1; ++ goto out; ++ } ++ ++ ret = add_kt_entry_etypes(context, tmpctx, ads, salt_princ_s, keytab, ++ kvno, srvPrinc, my_fqdn, &password, ++ update_ads); ++ if (ret != 0) { ++ goto out; ++ } + + out: + SAFE_FREE(salt_princ_s); +-- +2.26.2 + + +From 7b2295db8683bb9432f49e2f09912799e65e2e6b Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 17:55:12 +0200 +Subject: [PATCH 5/7] Add a test for msDS-AdditionalDnsHostName entries in + keytab + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/dns_alias_keytab | 2 ++ + testprogs/blackbox/test_net_ads.sh | 9 +++++++++ + 2 files changed, 11 insertions(+) + create mode 100644 selftest/knownfail.d/dns_alias_keytab + +diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab +new file mode 100644 +index 00000000000..216592e1210 +--- 
/dev/null ++++ b/selftest/knownfail.d/dns_alias_keytab +@@ -0,0 +1,2 @@ ++^samba4.blackbox.net_ads.dns alias1 check keytab ++^samba4.blackbox.net_ads.dns alias2 check keytab +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 6073ea972f9..a40b477a173 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -217,6 +217,15 @@ testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samacc + testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` + ++dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab" ++ ++testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++testit_grep "dns alias1 check keytab" "host/${dns_alias1}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++testit_grep "dns alias2 check keytab" "host/${dns_alias2}@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++rm -f $dedicated_keytab_file ++ + ##Goodbye... 
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.26.2 + + +From ca89f163524c317b6a2fffeb527194b34ede526d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 15:36:28 +0200 +Subject: [PATCH 6/7] Add msDS-AdditionalDnsHostName entries to the keytab + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/dns_alias_keytab | 2 -- + source3/libads/ads_proto.h | 5 +++ + source3/libads/kerberos_keytab.c | 21 +++++++++++++ + source3/libads/ldap.c | 45 +++++++++++++++++++++++++++ + 4 files changed, 71 insertions(+), 2 deletions(-) + delete mode 100644 selftest/knownfail.d/dns_alias_keytab + +diff --git a/selftest/knownfail.d/dns_alias_keytab b/selftest/knownfail.d/dns_alias_keytab +deleted file mode 100644 +index 216592e1210..00000000000 +--- a/selftest/knownfail.d/dns_alias_keytab ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba4.blackbox.net_ads.dns alias1 check keytab +-^samba4.blackbox.net_ads.dns alias2 check keytab +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index 495ef5d3325..cd9c1082681 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -137,6 +137,11 @@ ADS_STATUS ads_get_sid_from_extended_dn(TALLOC_CTX *mem_ctx, + enum ads_extended_dn_flags flags, + struct dom_sid *sid); + char* ads_get_dnshostname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); ++ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, ++ ADS_STRUCT *ads, ++ const char *machine_name, ++ char ***hostnames_array, ++ size_t *num_hostnames); + char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); + bool ads_has_samaccountname( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ); + ADS_STATUS ads_join_realm(ADS_STRUCT *ads, const char *machine_name, +diff --git a/source3/libads/kerberos_keytab.c 
b/source3/libads/kerberos_keytab.c +index 0f450a09df5..818ec884a03 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -351,6 +351,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + char *password_s = NULL; + char *my_fqdn; + TALLOC_CTX *tmpctx = NULL; ++ char **hostnames_array = NULL; ++ size_t num_hostnames = 0; + + ret = smb_krb5_init_context_common(&context); + if (ret) { +@@ -427,6 +429,25 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + goto out; + } + ++ if (ADS_ERR_OK(ads_get_additional_dns_hostnames(tmpctx, ads, ++ lp_netbios_name(), ++ &hostnames_array, ++ &num_hostnames))) { ++ size_t i; ++ ++ for (i = 0; i < num_hostnames; i++) { ++ ++ ret = add_kt_entry_etypes(context, tmpctx, ads, ++ salt_princ_s, keytab, ++ kvno, srvPrinc, ++ hostnames_array[i], ++ &password, update_ads); ++ if (ret != 0) { ++ goto out; ++ } ++ } ++ } ++ + out: + SAFE_FREE(salt_princ_s); + TALLOC_FREE(tmpctx); +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index db2b72ab1b5..02a628ee0e6 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1377,6 +1377,7 @@ char *ads_parent_dn(const char *dn) + "unicodePwd", + + /* Additional attributes Samba checks */ ++ "msDS-AdditionalDnsHostName", + "msDS-SupportedEncryptionTypes", + "nTSecurityDescriptor", + +@@ -3663,6 +3664,50 @@ out: + /******************************************************************** + ********************************************************************/ + ++ADS_STATUS ads_get_additional_dns_hostnames(TALLOC_CTX *mem_ctx, ++ ADS_STRUCT *ads, ++ const char *machine_name, ++ char ***hostnames_array, ++ size_t *num_hostnames) ++{ ++ ADS_STATUS status; ++ LDAPMessage *res = NULL; ++ int count; ++ ++ status = ads_find_machine_acct(ads, ++ &res, ++ machine_name); ++ if (!ADS_ERR_OK(status)) { ++ DEBUG(1,("Host Account for %s not found... 
skipping operation.\n", ++ machine_name)); ++ return status; ++ } ++ ++ count = ads_count_replies(ads, res); ++ if (count != 1) { ++ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ goto done; ++ } ++ ++ *hostnames_array = ads_pull_strings(ads, mem_ctx, res, ++ "msDS-AdditionalDnsHostName", ++ num_hostnames); ++ if (*hostnames_array == NULL) { ++ DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", ++ machine_name)); ++ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ goto done; ++ } ++ ++done: ++ ads_msgfree(ads, res); ++ ++ return status; ++} ++ ++/******************************************************************** ++********************************************************************/ ++ + char* ads_get_upn( ADS_STRUCT *ads, TALLOC_CTX *ctx, const char *machine_name ) + { + LDAPMessage *res = NULL; +-- +2.26.2 + + +From 48d6a35118f2c8e51bbe3f31c1500f8ab097498e Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 27 May 2020 15:54:12 +0200 +Subject: [PATCH 7/7] Add net-ads-join dnshostname=fqdn option + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184 +--- + docs-xml/manpages/net.8.xml | 7 ++++++- + source3/libnet/libnet_join.c | 7 ++++++- + source3/librpc/idl/libnet_join.idl | 1 + + source3/utils/net_ads.c | 9 ++++++++- + testprogs/blackbox/test_net_ads.sh | 15 +++++++++++++++ + 5 files changed, 36 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 37dfa2af694..69e18df8b6c 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -454,7 +454,7 @@ The remote server must be specified with the -S option. 
+ + + [RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]] +-[createupn=UPN] [createcomputer=OU] [machinepass=PASS] ++[dnshostname=FQDN] [createupn=UPN] [createcomputer=OU] [machinepass=PASS] + [osName=string osVer=string] [options] + + +@@ -469,6 +469,11 @@ be created. + joining the domain. + + ++ ++[FQDN] (ADS only) set the dnsHosName attribute during the join. ++The default format is netbiosname.dnsdomain. ++ ++ + + [UPN] (ADS only) set the principalname attribute during the join. The default + format is host/netbiosname@REALM. +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a31011b0ff8..de558be4f91 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -546,7 +546,12 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); ++ if (r->in.dnshostname != NULL) { ++ fstr_sprintf(my_fqdn, "%s", r->in.dnshostname); ++ } else { ++ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, ++ lp_dnsdomain()); ++ } + + if (!strlower_m(my_fqdn)) { + status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl +index e45034d40da..03d919863b5 100644 +--- a/source3/librpc/idl/libnet_join.idl ++++ b/source3/librpc/idl/libnet_join.idl +@@ -37,6 +37,7 @@ interface libnetjoin + [in] string os_servicepack, + [in] boolean8 create_upn, + [in] string upn, ++ [in] string dnshostname, + [in] boolean8 modify_config, + [in,unique] ads_struct *ads, + [in] boolean8 debug, +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 07a22098fb1..3cf8fbbf7c8 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -1710,6 +1710,8 @@ static int net_ads_join_usage(struct net_context *c, int argc, const char **argv + { + d_printf(_("net ads join [--no-dns-updates] [options]\n" + "Valid options:\n")); ++ d_printf(_(" dnshostname=FQDN Set 
the dnsHostName attribute during the join.\n" ++ " The default is in the form netbiosname.dnsdomain\n")); + d_printf(_(" createupn[=UPN] Set the userPrincipalName attribute during the join.\n" + " The default UPN is in the form host/netbiosname@REALM.\n")); + d_printf(_(" createcomputer=OU Precreate the computer account in a specific OU.\n" +@@ -1830,6 +1832,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + const char *domain = lp_realm(); + WERROR werr = WERR_NERR_SETUPNOTJOINED; + bool createupn = false; ++ const char *dnshostname = NULL; + const char *machineupn = NULL; + const char *machine_password = NULL; + const char *create_in_ou = NULL; +@@ -1870,7 +1873,10 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + /* process additional command line args */ + + for ( i=0; iin.domain_name_type = domain_name_type; + r->in.create_upn = createupn; + r->in.upn = machineupn; ++ r->in.dnshostname = dnshostname; + r->in.account_ou = create_in_ou; + r->in.os_name = os_name; + r->in.os_version = os_version; +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index a40b477a173..85257f445d8 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -277,6 +277,21 @@ rm -f $dedicated_keytab_file + + testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# ++# Test dnshostname option of 'net ads join' ++# ++testit "join+dnshostname" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD dnshostname="alt.hostname.$HOSTNAME" || failed=`expr $failed + 1` ++ ++testit_grep "check dnshostname opt" "dNSHostName: alt.hostname.$HOSTNAME" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1` ++ ++testit "create_keytab+dnshostname" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" 
--option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit_grep "check dnshostname+keytab" "host/alt.hostname.$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++rm -f $dedicated_keytab_file
++
++testit "leave+dnshostname" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
+ rm -rf $BASEDIR/$WORKDIR
+
+ exit $failed
+--
+2.26.2
+
diff --git a/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch b/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch
deleted file mode 100644
index baa9d48..0000000
--- a/SOURCES/samba-4.10-winbind_krb5_enterprise_princ.patch
+++ /dev/null
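Review bot: In patch 7/7, `libnet_join_set_machine_spn` copies the user-supplied `dnshostname=` operand with `fstr_sprintf(my_fqdn, "%s", r->in.dnshostname)` into the fixed-size `fstring my_fqdn`, so an over-long value is silently truncated and the truncated name is what ends up in dNSHostName and the HOST/ SPN, and nothing rejects an empty value or characters such as `@`, `/` or whitespace that are later embedded in a Kerberos principal. I would validate before the copy, e.g. `if (r->in.dnshostname[0] == '\0' || strlen(r->in.dnshostname) >= sizeof(my_fqdn) || strpbrk(r->in.dnshostname, "@/ \t") != NULL) { status = ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); goto done; }`, and note on the new `dnshostname` field in libnet_join.idl that it must be a bare FQDN with no realm suffix or trailing dot. The `msDS-AdditionalDnsHostName` values that patch 6/7 pulls in `ads_keytab_add_entry` and hands to `add_kt_entry_etypes` as `my_fqdn` get the same zero validation; they come from the directory rather than the command line, so a short comment there stating that the directory is trusted to have validated them would at least make the assumption explicit. In patch 1/7, `_netr_DsRGetForestTrustInformation` no longer sets `p->fault_state = DCERPC_FAULT_ACCESS_DENIED` on the deny path, so as far as I can tell the caller now sees a normal reply carrying WERR_ACCESS_DENIED instead of the DCERPC fault the old code produced; if mirroring source4 is the intent, a one-line comment above the `security_level < SECURITY_USER` check would stop the next reader from restoring the fault. All three of these functions begin outside the visible hunk lines.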
@@ -1,1540 +0,0 @@ -From 815da6970c8b973c514cc148b2caeca84f604f5c Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Thu, 8 Aug 2019 15:06:28 +0100 -Subject: [PATCH 01/22] s3/libads: clang: Fix Value stored to 'canon_princ' is - never read - -Fixes: - -source3/libads/kerberos.c:192:2: warning: Value stored to 'canon_princ' is never read <--[clang] - canon_princ = me; - ^ ~~ -1 warning generated. - -Signed-off-by: Noel Power -Reviewed-by: Gary Lockyer -(cherry picked from commit 52d20087f620704549f5a5cdcbec79cb08a36290) ---- - source3/libads/kerberos.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 721c3c2a929..9fbe7dd0f07 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -189,9 +189,10 @@ int kerberos_kinit_password_ext(const char *principal, - goto out; - } - -- canon_princ = me; - #ifndef SAMBA4_USES_HEIMDAL /* MIT */ - canon_princ = my_creds.client; -+#else -+ canon_princ = me; - #endif /* MIT */ - - if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { --- -2.24.1 - - -From 9db218df645bd15232b5bda98f51f0ecc05425c9 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Sep 2019 08:05:09 +0200 -Subject: [PATCH 02/22] s4:auth: use the correct client realm in - gensec_gssapi_update_internal() - -The function gensec_gssapi_client_creds() may call kinit and gets -a TGT for the user. The principal provided by the user may not -be canonicalized. The user may use 'given.last@example.com' -but that may be mapped to glast@AD.EXAMPLE.PRIVATE in the background. 
- -It means we should use client_realm = AD.EXAMPLE.PRIVATE -instead of client_realm = EXAMPLE.COM - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit db8fd3d6a315b140ebd6ccd0dcdfdcf27cd1bb38) ---- - source4/auth/gensec/gensec_gssapi.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index 4577c91c93a..045a0225741 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -437,8 +437,6 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec - const char *target_principal = gensec_get_target_principal(gensec_security); - const char *hostname = gensec_get_target_hostname(gensec_security); - const char *service = gensec_get_target_service(gensec_security); -- const char *client_realm = cli_credentials_get_realm(cli_creds); -- const char *server_realm = NULL; - gss_OID gss_oid_p = NULL; - OM_uint32 time_req = 0; - OM_uint32 time_rec = 0; -@@ -457,6 +455,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec - switch (gensec_security->gensec_role) { - case GENSEC_CLIENT: - { -+ const char *client_realm = NULL; - #ifdef SAMBA4_USES_HEIMDAL - struct gsskrb5_send_to_kdc send_to_kdc; - krb5_error_code ret; -@@ -532,6 +531,7 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec - * transitive forest trusts, would have to do the - * fallback ourself. 
- */ -+ client_realm = cli_credentials_get_realm(cli_creds); - #ifndef SAMBA4_USES_HEIMDAL - if (gensec_gssapi_state->server_name == NULL) { - nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, -@@ -575,6 +575,8 @@ static NTSTATUS gensec_gssapi_update_internal(struct gensec_security *gensec_sec - } - #endif /* !SAMBA4_USES_HEIMDAL */ - if (gensec_gssapi_state->server_name == NULL) { -+ const char *server_realm = NULL; -+ - server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, - hostname, - client_realm); --- -2.24.1 - - -From 7e70ce1c6a6bb4041dbad54628d4f93caff771d4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 16 Sep 2019 17:14:11 +0200 -Subject: [PATCH 03/22] s3:libads: let kerberos_kinit_password_ext() return the - canonicalized principal/realm - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit bc473e5cf088a137395842540ed8eb748373a236) ---- - source3/libads/authdata.c | 1 + - source3/libads/kerberos.c | 46 ++++++++++++++++++++++---- - source3/libads/kerberos_proto.h | 5 ++- - source3/libads/kerberos_util.c | 3 +- - source3/utils/net_ads.c | 3 ++ - source3/winbindd/winbindd_cred_cache.c | 6 ++++ - 6 files changed, 56 insertions(+), 8 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index 86a1be71bf9..6e6d5b397ff 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -170,6 +170,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - request_pac, - add_netbios_addr, - renewable_time, -+ NULL, NULL, NULL, - &status); - if (ret) { - DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 9fbe7dd0f07..3e09d70268f 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -106,7 +106,7 @@ kerb_prompter(krb5_context ctx, void *data, - place in default cache location. 
- remus@snapserver.com - */ --int kerberos_kinit_password_ext(const char *principal, -+int kerberos_kinit_password_ext(const char *given_principal, - const char *password, - int time_offset, - time_t *expire_time, -@@ -115,8 +115,12 @@ int kerberos_kinit_password_ext(const char *principal, - bool request_pac, - bool add_netbios_addr, - time_t renewable_time, -+ TALLOC_CTX *mem_ctx, -+ char **_canon_principal, -+ char **_canon_realm, - NTSTATUS *ntstatus) - { -+ TALLOC_CTX *frame = talloc_stackframe(); - krb5_context ctx = NULL; - krb5_error_code code = 0; - krb5_ccache cc = NULL; -@@ -125,6 +129,8 @@ int kerberos_kinit_password_ext(const char *principal, - krb5_creds my_creds; - krb5_get_init_creds_opt *opt = NULL; - smb_krb5_addresses *addr = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - - ZERO_STRUCT(my_creds); - -@@ -132,6 +138,7 @@ int kerberos_kinit_password_ext(const char *principal, - if (code != 0) { - DBG_ERR("kerberos init context failed (%s)\n", - error_message(code)); -+ TALLOC_FREE(frame); - return code; - } - -@@ -139,16 +146,16 @@ int kerberos_kinit_password_ext(const char *principal, - krb5_set_real_time(ctx, time(NULL) + time_offset, 0); - } - -- DEBUG(10,("kerberos_kinit_password: as %s using [%s] as ccache and config [%s]\n", -- principal, -- cache_name ? cache_name: krb5_cc_default_name(ctx), -- getenv("KRB5_CONFIG"))); -+ DBG_DEBUG("as %s using [%s] as ccache and config [%s]\n", -+ given_principal, -+ cache_name ? cache_name: krb5_cc_default_name(ctx), -+ getenv("KRB5_CONFIG")); - - if ((code = krb5_cc_resolve(ctx, cache_name ? 
cache_name : krb5_cc_default_name(ctx), &cc))) { - goto out; - } - -- if ((code = smb_krb5_parse_name(ctx, principal, &me))) { -+ if ((code = smb_krb5_parse_name(ctx, given_principal, &me))) { - goto out; - } - -@@ -195,6 +202,22 @@ int kerberos_kinit_password_ext(const char *principal, - canon_princ = me; - #endif /* MIT */ - -+ code = smb_krb5_unparse_name(frame, -+ ctx, -+ canon_princ, -+ &canon_principal); -+ if (code != 0) { -+ goto out; -+ } -+ -+ DBG_DEBUG("%s mapped to %s\n", given_principal, canon_principal); -+ -+ canon_realm = smb_krb5_principal_get_realm(frame, ctx, canon_princ); -+ if (canon_realm == NULL) { -+ code = ENOMEM; -+ goto out; -+ } -+ - if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) { - goto out; - } -@@ -210,6 +233,13 @@ int kerberos_kinit_password_ext(const char *principal, - if (renew_till_time) { - *renew_till_time = (time_t) my_creds.times.renew_till; - } -+ -+ if (_canon_principal != NULL) { -+ *_canon_principal = talloc_move(mem_ctx, &canon_principal); -+ } -+ if (_canon_realm != NULL) { -+ *_canon_realm = talloc_move(mem_ctx, &canon_realm); -+ } - out: - if (ntstatus) { - /* fast path */ -@@ -239,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal, - if (ctx) { - krb5_free_context(ctx); - } -+ TALLOC_FREE(frame); - return code; - } - -@@ -328,6 +359,9 @@ int kerberos_kinit_password(const char *principal, - False, - False, - 0, -+ NULL, -+ NULL, -+ NULL, - NULL); - } - -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index f92cabd757e..433bce9e0ec 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -45,7 +45,7 @@ struct PAC_DATA_CTR { - - /* The following definitions come from libads/kerberos.c */ - --int kerberos_kinit_password_ext(const char *principal, -+int kerberos_kinit_password_ext(const char *given_principal, - const char *password, - int time_offset, - time_t *expire_time, -@@ -54,6 +54,9 @@ int kerberos_kinit_password_ext(const char 
*principal, - bool request_pac, - bool add_netbios_addr, - time_t renewable_time, -+ TALLOC_CTX *mem_ctx, -+ char **_canon_principal, -+ char **_canon_realm, - NTSTATUS *ntstatus); - int ads_kdestroy(const char *cc_name); - -diff --git a/source3/libads/kerberos_util.c b/source3/libads/kerberos_util.c -index 68c0f302239..bfe53820aff 100644 ---- a/source3/libads/kerberos_util.c -+++ b/source3/libads/kerberos_util.c -@@ -66,7 +66,8 @@ int ads_kinit_password(ADS_STRUCT *ads) - ads->auth.time_offset, - &ads->auth.tgt_expire, NULL, - ads->auth.ccache_name, false, false, -- ads->auth.renewable, NULL); -+ ads->auth.renewable, -+ NULL, NULL, NULL, NULL); - - if (ret) { - DEBUG(0,("kerberos_kinit_password %s failed: %s\n", -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 1f055507ad7..d33031a0dbd 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -3352,6 +3352,9 @@ static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char ** - true, - true, - 2592000, /* one month */ -+ NULL, -+ NULL, -+ NULL, - &status); - if (ret) { - d_printf(_("failed to kinit password: %s\n"), -diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c -index 85ad426446a..5baecf906b9 100644 ---- a/source3/winbindd/winbindd_cred_cache.c -+++ b/source3/winbindd/winbindd_cred_cache.c -@@ -146,6 +146,9 @@ rekinit: - False, /* no PAC required anymore */ - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, -+ NULL, -+ NULL, -+ NULL, - NULL); - gain_root_privilege(); - -@@ -343,6 +346,9 @@ static void krb5_ticket_gain_handler(struct tevent_context *event_ctx, - False, /* no PAC required anymore */ - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, -+ NULL, -+ NULL, -+ NULL, - NULL); - gain_root_privilege(); - --- -2.24.1 - - -From 0455607124f93b72c1233d451efefbc0c445017e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Sep 2019 10:08:10 +0200 -Subject: [PATCH 04/22] s3:libsmb: avoid wrong debug message in - 
cli_session_creds_prepare_krb5() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 361fb0efabfb189526c851107eee49161da2293c) ---- - source3/libsmb/cliconnect.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index c416d10fa24..28f5fde0757 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -375,6 +375,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - /* - * Ignore the error and hope that NTLM will work - */ -+ TALLOC_FREE(frame); -+ return NT_STATUS_OK; - } - - DBG_DEBUG("Successfully authenticated as %s to access %s using " --- -2.24.1 - - -From 68c4e372ef66fda975c4db7eb4fd283bfe4218a7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 17 Sep 2019 08:49:13 +0200 -Subject: [PATCH 05/22] s3:libsmb: let cli_session_creds_prepare_krb5() update - the canonicalized principal to cli_credentials - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 6ed18c12c57efb2a010e0ce5196c51b48e57a4b9) ---- - source3/libsmb/cliconnect.c | 39 ++++++++++++++++++++++++++++++++----- - 1 file changed, 34 insertions(+), 5 deletions(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 28f5fde0757..ca6882c225e 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -229,6 +229,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - const char *user_account = NULL; - const char *user_domain = NULL; - const char *pass = NULL; -+ char *canon_principal = NULL; -+ char *canon_realm = NULL; - const char *target_hostname = NULL; - const DATA_BLOB *server_blob = NULL; - bool got_kerberos_mechanism = false; -@@ -237,6 +239,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - bool need_kinit = 
false; - bool auth_requested = true; - int ret; -+ bool ok; - - target_hostname = smbXcli_conn_remote_name(cli->conn); - server_blob = smbXcli_conn_server_gss_blob(cli->conn); -@@ -245,7 +248,6 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - if (server_blob != NULL && server_blob->length != 0) { - char *OIDs[ASN1_MAX_OIDS] = { NULL, }; - size_t i; -- bool ok; - - /* - * The server sent us the first part of the SPNEGO exchange in the -@@ -354,9 +356,19 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - * only if required! - */ - setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1); -- ret = kerberos_kinit_password(user_principal, pass, -- 0 /* no time correction for now */, -- NULL); -+ ret = kerberos_kinit_password_ext(user_principal, -+ pass, -+ 0, -+ 0, -+ 0, -+ NULL, -+ false, -+ false, -+ 0, -+ frame, -+ &canon_principal, -+ &canon_realm, -+ NULL); - if (ret != 0) { - int dbglvl = DBGLVL_NOTICE; - -@@ -379,9 +391,26 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - return NT_STATUS_OK; - } - -- DBG_DEBUG("Successfully authenticated as %s to access %s using " -+ ok = cli_credentials_set_principal(creds, -+ canon_principal, -+ CRED_SPECIFIED); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ ok = cli_credentials_set_realm(creds, -+ canon_realm, -+ CRED_SPECIFIED); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ DBG_DEBUG("Successfully authenticated as %s (%s) to access %s using " - "Kerberos\n", - user_principal, -+ canon_principal, - target_hostname); - - TALLOC_FREE(frame); --- -2.24.1 - - -From 38fd2f1fe94b63242296b2b1ce0a49065969a820 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Sep 2019 16:04:30 +0200 -Subject: [PATCH 06/22] s3:libads/kerberos: always use the canonicalized - principal after kinit - -We should always use krb5_get_init_creds_opt_set_canonicalize() -and krb5_get_init_creds_opt_set_win2k() for heimdal -and expect the 
client principal to be changed. - -There's no reason to have a different logic between MIT and Heimdal. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 0bced73bed481a8846a6b3e68be85941914390ba) ---- - source3/libads/kerberos.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 3e09d70268f..559ec3b7f53 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -167,7 +167,10 @@ int kerberos_kinit_password_ext(const char *given_principal, - krb5_get_init_creds_opt_set_forwardable(opt, True); - - /* Turn on canonicalization for lower case realm support */ --#ifndef SAMBA4_USES_HEIMDAL /* MIT */ -+#ifdef SAMBA4_USES_HEIMDAL -+ krb5_get_init_creds_opt_set_win2k(ctx, opt, true); -+ krb5_get_init_creds_opt_set_canonicalize(ctx, opt, true); -+#else /* MIT */ - krb5_get_init_creds_opt_set_canonicalize(opt, true); - #endif /* MIT */ - #if 0 -@@ -196,11 +199,7 @@ int kerberos_kinit_password_ext(const char *given_principal, - goto out; - } - --#ifndef SAMBA4_USES_HEIMDAL /* MIT */ - canon_princ = my_creds.client; --#else -- canon_princ = me; --#endif /* MIT */ - - code = smb_krb5_unparse_name(frame, - ctx, --- -2.24.1 - - -From 6e1a52f6f48ca6624c8988a03ecfe5a3327c537e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Sep 2019 16:04:30 +0200 -Subject: [PATCH 07/22] krb5_wrap: smb_krb5_kinit_password_ccache() should - always use the canonicalized principal - -We should always use krb5_get_init_creds_opt_set_canonicalize() -and krb5_get_init_creds_opt_set_win2k() for heimdal -and expect the client principal to be changed. - -There's no reason to have a different logic between MIT and Heimdal. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 5d0bf32ec0ad21d49587e3a1520ffdc8b5ae7614) ---- - lib/krb5_wrap/krb5_samba.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index f0dc86b1859..a63159812e1 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2111,14 +2111,12 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, - return code; - } - --#ifndef SAMBA4_USES_HEIMDAL /* MIT */ - /* - * We need to store the principal as returned from the KDC to the - * credentials cache. If we don't do that the KRB5 library is not - * able to find the tickets it is looking for - */ - principal = my_creds.client; --#endif - code = krb5_cc_initialize(ctx, cc, principal); - if (code) { - goto done; --- -2.24.1 - - -From b19c14b730b470f969ccb2e2a64f57dc3ece46de Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Sep 2019 16:04:30 +0200 -Subject: [PATCH 08/22] s4:auth: kinit_to_ccache() should always use the - canonicalized principal - -We should always use krb5_get_init_creds_opt_set_canonicalize() -and krb5_get_init_creds_opt_set_win2k() for heimdal -and expect the client principal to be changed. - -There's no reason to have a different logic between MIT and Heimdal. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 162b4199493c1f179e775a325a19ae7a136c418b) ---- - source4/auth/kerberos/kerberos_util.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c -index 50bf8feec96..950d91f1737 100644 ---- a/source4/auth/kerberos/kerberos_util.c -+++ b/source4/auth/kerberos/kerberos_util.c -@@ -313,6 +313,8 @@ done: - */ - krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context, - krb_options, true); -+ krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context, -+ krb_options, true); - #else /* MIT */ - krb5_get_init_creds_opt_set_canonicalize(krb_options, true); - #endif --- -2.24.1 - - -From 1cf9d944d7dd15d8c3c796f071f82d8ffff7095e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Sep 2019 16:04:30 +0200 -Subject: [PATCH 09/22] s3:libads: ads_krb5_chg_password() should always use - the canonicalized principal - -We should always use krb5_get_init_creds_opt_set_canonicalize() -and krb5_get_init_creds_opt_set_win2k() for heimdal -and expect the client principal to be changed. - -There's no reason to have a different logic between MIT and Heimdal. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 303b7e59a286896888ee2473995fc50bb2b5ce5e) ---- - source3/libads/krb5_setpw.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c -index c3c9477c4cf..67bc2f4640d 100644 ---- a/source3/libads/krb5_setpw.c -+++ b/source3/libads/krb5_setpw.c -@@ -203,6 +203,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, - krb5_get_init_creds_opt_set_renew_life(opts, 0); - krb5_get_init_creds_opt_set_forwardable(opts, 0); - krb5_get_init_creds_opt_set_proxiable(opts, 0); -+#ifdef SAMBA4_USES_HEIMDAL -+ krb5_get_init_creds_opt_set_win2k(context, opts, true); -+ krb5_get_init_creds_opt_set_canonicalize(context, opts, true); -+#else /* MIT */ -+ krb5_get_init_creds_opt_set_canonicalize(opts, true); -+#endif /* MIT */ - - /* note that heimdal will fill in the local addresses if the addresses - * in the creds_init_opt are all empty and then later fail with invalid --- -2.24.1 - - -From dc23b10c5c82f4587062fea5d68eb5d373d37bcb Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 13 Sep 2019 15:52:25 +0200 -Subject: [PATCH 10/22] krb5_wrap: let smb_krb5_parse_name() accept enterprise - principals - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 3bdf023956e861485be70430112ed38d0a5424f7) ---- - lib/krb5_wrap/krb5_samba.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index a63159812e1..abdcb308728 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -701,6 +701,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context, - } - - ret = krb5_parse_name(context, utf8_name, principal); -+ if (ret == KRB5_PARSE_MALFORMED) { -+ ret = 
krb5_parse_name_flags(context, utf8_name, -+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, -+ principal); -+ } - TALLOC_FREE(frame); - return ret; - } --- -2.24.1 - - -From 056fe4807255578204e56d247cd6ba003213e558 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 11 Sep 2019 16:44:43 +0200 -Subject: [PATCH 11/22] docs-xml: add "winbind use krb5 enterprise principals" - option - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 9520652399696010c333a3ce7247809ce5337a91) ---- - .../winbindusekrb5enterpriseprincipals.xml | 34 +++++++++++++++++++ - 1 file changed, 34 insertions(+) - create mode 100644 docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml - -diff --git a/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml -new file mode 100644 -index 00000000000..bfc11c8636c ---- /dev/null -+++ b/docs-xml/smbdotconf/winbind/winbindusekrb5enterpriseprincipals.xml -@@ -0,0 +1,34 @@ -+ -+ -+ winbindd is able to get kerberos tickets for -+ pam_winbind with krb5_auth or wbinfo -K/--krb5auth=. -+ -+ -+ winbindd (at least on a domain member) is never be able -+ to have a complete picture of the trust topology (which is managed by the DCs). -+ There might be uPNSuffixes and msDS-SPNSuffixes values, -+ which don't belong to any AD domain at all. -+ -+ -+ With no -+ winbindd don't even get an incomplete picture of the topology. -+ -+ -+ It is not really required to know about the trust topology. -+ We can just rely on the [K]DCs of our primary domain (e.g. PRIMARY.A.EXAMPLE.COM) -+ and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM -+ and follow the WRONG_REALM referrals in order to find the correct DC. -+ The final principal might be userfromB@INTERNALB.EXAMPLE.PRIVATE. -+ -+ -+ With yes -+ winbindd enterprise principals will be used. 
-+ -+ -+ -+no -+yes -+ --- -2.24.1 - - -From f2c43932e14173574177c9e36894a25e7d8a6609 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 19 Jul 2019 15:10:09 +0000 -Subject: [PATCH 12/22] s3:winbindd: implement the "winbind use krb5 enterprise - principals" logic - -We can use enterprise principals (e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM) -and delegate the routing decisions to the KDCs. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit a77be15d28390c5d12202278adbe6b50200a2c1b) ---- - source3/winbindd/winbindd_pam.c | 57 +++++++++++++++++++-------------- - 1 file changed, 33 insertions(+), 24 deletions(-) - -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index b81f2722c42..35018fbe284 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -418,6 +418,15 @@ struct winbindd_domain *find_auth_domain(uint8_t flags, - return find_domain_from_name_noinit(domain_name); - } - -+ if (lp_winbind_use_krb5_enterprise_principals()) { -+ /* -+ * If we use enterprise principals -+ * we always go trough our primary domain -+ * and follow the WRONG_REALM replies. 
-+ */ -+ flags &= ~WBFLAG_PAM_CONTACT_TRUSTDOM; -+ } -+ - /* we can auth against trusted domains */ - if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) { - domain = find_domain_from_name_noinit(domain_name); -@@ -717,7 +726,20 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - return NT_STATUS_INVALID_PARAMETER; - } - -- principal_s = talloc_asprintf(mem_ctx, "%s@%s", name_user, realm); -+ if (lp_winbind_use_krb5_enterprise_principals() && -+ name_namespace[0] != '\0') -+ { -+ principal_s = talloc_asprintf(mem_ctx, -+ "%s@%s@%s", -+ name_user, -+ name_namespace, -+ realm); -+ } else { -+ principal_s = talloc_asprintf(mem_ctx, -+ "%s@%s", -+ name_user, -+ realm); -+ } - if (principal_s == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -1284,30 +1306,16 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, - - /* what domain should we contact? */ - -- if ( IS_DC ) { -- contact_domain = find_domain_from_name(name_namespace); -- if (contact_domain == NULL) { -- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", -- state->request->data.auth.user, name_domain, name_user, name_domain)); -- result = NT_STATUS_NO_SUCH_USER; -- goto done; -- } -- -+ if (lp_winbind_use_krb5_enterprise_principals()) { -+ contact_domain = find_auth_domain(0, name_namespace); - } else { -- if (is_myname(name_domain)) { -- DEBUG(3, ("Authentication for domain %s (local domain to this server) not supported at this stage\n", name_domain)); -- result = NT_STATUS_NO_SUCH_USER; -- goto done; -- } -- - contact_domain = find_domain_from_name(name_namespace); -- if (contact_domain == NULL) { -- DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n", -- state->request->data.auth.user, name_domain, name_user, name_domain)); -- -- result = NT_STATUS_NO_SUCH_USER; -- goto done; -- } -+ } -+ if (contact_domain == NULL) { -+ DEBUG(3, ("Authentication for domain for [%s] -> 
[%s]\\[%s] failed as %s is not a trusted domain\n", -+ state->request->data.auth.user, name_domain, name_user, name_namespace)); -+ result = NT_STATUS_NO_SUCH_USER; -+ goto done; - } - - if (contact_domain->initialized && -@@ -1320,7 +1328,8 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain, - } - - if (!contact_domain->active_directory) { -- DEBUG(3,("krb5 auth requested but domain is not Active Directory\n")); -+ DEBUG(3,("krb5 auth requested but domain (%s) is not Active Directory\n", -+ contact_domain->name)); - return NT_STATUS_INVALID_LOGON_TYPE; - } - try_login: --- -2.24.1 - - -From eb1bdb032fe5f63cd53cb5a40702b8bcfac673ff Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 08:04:42 +0200 -Subject: [PATCH 13/22] tests/pam_winbind.py: turn pypamtest.PamTestError into - a failure - -A failure generated by the AssertionError() checks can be added -to selftest/knownfail.d/*. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit cd3ffaabb568db26e0de5e83178487e5947c4f09) ---- - python/samba/tests/pam_winbind.py | 15 ++++++++++++--- - python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- - python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- - 3 files changed, 20 insertions(+), 5 deletions(-) - -diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py -index 68b05b30d7d..b05e8af6ffb 100644 ---- a/python/samba/tests/pam_winbind.py -+++ b/python/samba/tests/pam_winbind.py -@@ -30,7 +30,10 @@ class SimplePamTests(samba.tests.TestCase): - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ try: -+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ except pypamtest.PamTestError as e: -+ raise AssertionError(str(e)) - - self.assertTrue(res 
is not None) - -@@ -42,7 +45,10 @@ class SimplePamTests(samba.tests.TestCase): - expected_rc = 7 # PAM_AUTH_ERR - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ try: -+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ except pypamtest.PamTestError as e: -+ raise AssertionError(str(e)) - - self.assertTrue(res is not None) - -@@ -52,6 +58,9 @@ class SimplePamTests(samba.tests.TestCase): - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ try: -+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ except pypamtest.PamTestError as e: -+ raise AssertionError(str(e)) - - self.assertTrue(res is not None) -diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py -index e5be3a83ce7..18c2705127a 100644 ---- a/python/samba/tests/pam_winbind_chauthtok.py -+++ b/python/samba/tests/pam_winbind_chauthtok.py -@@ -31,6 +31,9 @@ class PamChauthtokTests(samba.tests.TestCase): - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) -- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) -+ try: -+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password, newpassword, newpassword]) -+ except pypamtest.PamTestError as e: -+ raise AssertionError(str(e)) - - self.assertTrue(res is not None) -diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py -index df60bc5ace6..1af2f9befe1 100644 ---- a/python/samba/tests/pam_winbind_warn_pwd_expire.py -+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py -@@ -31,7 +31,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): - expected_rc = 0 # PAM_SUCCESS - - tc = 
pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -- res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ try: -+ res = pypamtest.run_pamtest(unix_username, "samba", [tc], [password]) -+ except pypamtest.PamTestError as e: -+ raise AssertionError(str(e)) - - self.assertTrue(res is not None) - if warn_pwd_expire == 0: --- -2.24.1 - - -From 54999a5fccc1777c1ee766c552cf32bb489634c9 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 20 Sep 2019 08:13:28 +0200 -Subject: [PATCH 14/22] tests/pam_winbind.py: allow upn names to be used in - USERNAME with an empty DOMAIN value - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 653e90485854d978dc522e689cd78c19dcc22a70) ---- - python/samba/tests/pam_winbind.py | 10 ++++++++-- - python/samba/tests/pam_winbind_chauthtok.py | 5 ++++- - python/samba/tests/pam_winbind_warn_pwd_expire.py | 5 ++++- - 3 files changed, 16 insertions(+), 4 deletions(-) - -diff --git a/python/samba/tests/pam_winbind.py b/python/samba/tests/pam_winbind.py -index b05e8af6ffb..708f408f768 100644 ---- a/python/samba/tests/pam_winbind.py -+++ b/python/samba/tests/pam_winbind.py -@@ -26,7 +26,10 @@ class SimplePamTests(samba.tests.TestCase): - domain = os.environ["DOMAIN"] - username = os.environ["USERNAME"] - password = os.environ["PASSWORD"] -- unix_username = "%s/%s" % (domain, username) -+ if domain != "": -+ unix_username = "%s/%s" % (domain, username) -+ else: -+ unix_username = "%s" % username - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -@@ -41,7 +44,10 @@ class SimplePamTests(samba.tests.TestCase): - domain = os.environ["DOMAIN"] - username = os.environ["USERNAME"] - password = "WrongPassword" -- unix_username = "%s/%s" % (domain, username) -+ if domain != "": -+ unix_username = "%s/%s" % (domain, username) -+ else: -+ unix_username = "%s" % 
username - expected_rc = 7 # PAM_AUTH_ERR - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) -diff --git a/python/samba/tests/pam_winbind_chauthtok.py b/python/samba/tests/pam_winbind_chauthtok.py -index 18c2705127a..c1d569b3cd0 100644 ---- a/python/samba/tests/pam_winbind_chauthtok.py -+++ b/python/samba/tests/pam_winbind_chauthtok.py -@@ -27,7 +27,10 @@ class PamChauthtokTests(samba.tests.TestCase): - username = os.environ["USERNAME"] - password = os.environ["PASSWORD"] - newpassword = os.environ["NEWPASSWORD"] -- unix_username = "%s/%s" % (domain, username) -+ if domain != "": -+ unix_username = "%s/%s" % (domain, username) -+ else: -+ unix_username = "%s" % username - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, expected_rc) -diff --git a/python/samba/tests/pam_winbind_warn_pwd_expire.py b/python/samba/tests/pam_winbind_warn_pwd_expire.py -index 1af2f9befe1..56f5da94f98 100644 ---- a/python/samba/tests/pam_winbind_warn_pwd_expire.py -+++ b/python/samba/tests/pam_winbind_warn_pwd_expire.py -@@ -27,7 +27,10 @@ class PasswordExpirePamTests(samba.tests.TestCase): - username = os.environ["USERNAME"] - password = os.environ["PASSWORD"] - warn_pwd_expire = int(os.environ["WARN_PWD_EXPIRE"]) -- unix_username = "%s/%s" % (domain, username) -+ if domain != "": -+ unix_username = "%s/%s" % (domain, username) -+ else: -+ unix_username = "%s" % username - expected_rc = 0 # PAM_SUCCESS - - tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rc) --- -2.24.1 - - -From a36c24e3553477c52864db8b4796cbe63ed6462a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 01:25:58 +0200 -Subject: [PATCH 15/22] test_pam_winbind.sh: allow different pam_winbindd - config options to be specified - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 3d38a8e9135bb72bc4ca079fab0eb5358942b3f1) ---- - 
python/samba/tests/test_pam_winbind.sh | 12 +++++++---- - .../samba/tests/test_pam_winbind_chauthtok.sh | 4 ++-- - .../tests/test_pam_winbind_warn_pwd_expire.sh | 20 +++++++++++-------- - selftest/tests.py | 6 +++--- - 4 files changed, 25 insertions(+), 17 deletions(-) - -diff --git a/python/samba/tests/test_pam_winbind.sh b/python/samba/tests/test_pam_winbind.sh -index 0406b108b31..755e67280fa 100755 ---- a/python/samba/tests/test_pam_winbind.sh -+++ b/python/samba/tests/test_pam_winbind.sh -@@ -12,6 +12,10 @@ PASSWORD="$3" - export PASSWORD - shift 3 - -+PAM_OPTIONS="$1" -+export PAM_OPTIONS -+shift 1 -+ - PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" - - pam_winbind="$BINDIR/shared/pam_winbind.so" -@@ -19,10 +23,10 @@ service_dir="$SELFTEST_TMPDIR/pam_services" - service_file="$service_dir/samba" - - mkdir $service_dir --echo "auth required $pam_winbind debug debug_state" > $service_file --echo "account required $pam_winbind debug debug_state" >> $service_file --echo "password required $pam_winbind debug debug_state" >> $service_file --echo "session required $pam_winbind debug debug_state" >> $service_file -+echo "auth required $pam_winbind debug debug_state $PAM_OPTIONS" > $service_file -+echo "account required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file -+echo "password required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file -+echo "session required $pam_winbind debug debug_state $PAM_OPTIONS" >> $service_file - - PAM_WRAPPER="1" - export PAM_WRAPPER -diff --git a/python/samba/tests/test_pam_winbind_chauthtok.sh b/python/samba/tests/test_pam_winbind_chauthtok.sh -index 5887699300a..48adc81859d 100755 ---- a/python/samba/tests/test_pam_winbind_chauthtok.sh -+++ b/python/samba/tests/test_pam_winbind_chauthtok.sh -@@ -53,11 +53,11 @@ PAM_WRAPPER_DEBUGLEVEL=${PAM_WRAPPER_DEBUGLEVEL:="2"} - export PAM_WRAPPER_DEBUGLEVEL - - case $PAM_OPTIONS in -- use_authtok) -+ *use_authtok*) - PAM_AUTHTOK="$NEWPASSWORD" - export 
PAM_AUTHTOK - ;; -- try_authtok) -+ *try_authtok*) - PAM_AUTHTOK="$NEWPASSWORD" - export PAM_AUTHTOK - ;; -diff --git a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh -index 16dede44227..348d2ae8387 100755 ---- a/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh -+++ b/python/samba/tests/test_pam_winbind_warn_pwd_expire.sh -@@ -12,6 +12,10 @@ PASSWORD="$3" - export PASSWORD - shift 3 - -+PAM_OPTIONS="$1" -+export PAM_OPTIONS -+shift 1 -+ - PAM_WRAPPER_PATH="$BINDIR/default/third_party/pam_wrapper" - - pam_winbind="$BINDIR/shared/pam_winbind.so" -@@ -37,10 +41,10 @@ export PAM_WRAPPER_DEBUGLEVEL - WARN_PWD_EXPIRE="50" - export WARN_PWD_EXPIRE - --echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file --echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file --echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file --echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file -+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file -+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file -+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file - - PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire - exit_code=$? 
-@@ -54,10 +58,10 @@ fi - WARN_PWD_EXPIRE="0" - export WARN_PWD_EXPIRE - --echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" > $service_file --echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file --echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file --echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE" >> $service_file -+echo "auth required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" > $service_file -+echo "account required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file -+echo "password required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file -+echo "session required $pam_winbind debug debug_state warn_pwd_expire=$WARN_PWD_EXPIRE $PAM_OPTIONS" >> $service_file - - PYTHONPATH="$PYTHONPATH:$PAM_WRAPPER_PATH:$(dirname $0)" $PYTHON -m samba.subunit.run samba.tests.pam_winbind_warn_pwd_expire - exit_code=$? 
-diff --git a/selftest/tests.py b/selftest/tests.py -index 7dbc0a9871f..507f7c3ea55 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -168,11 +168,11 @@ if with_pam: - plantestsuite("samba.tests.pam_winbind(local)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), - valgrindify(python), pam_wrapper_so_path, -- "$SERVER", "$USERNAME", "$PASSWORD"]) -+ "$SERVER", "$USERNAME", "$PASSWORD", "''"]) - plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), - valgrindify(python), pam_wrapper_so_path, -- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD"]) -+ "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) - - for pam_options in ["''", "use_authtok", "try_authtok"]: - plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", -@@ -185,7 +185,7 @@ if with_pam: - plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), - valgrindify(python), pam_wrapper_so_path, -- "$DOMAIN", "alice", "Secret007"]) -+ "$DOMAIN", "alice", "Secret007", "''"]) - - - plantestsuite("samba.unittests.krb5samba", "none", --- -2.24.1 - - -From a1a34241a96e2dc2bb5a1157c51f8d7b85973b32 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 01:25:23 +0200 -Subject: [PATCH 16/22] selftest/tests.py: prepare looping over pam_winbindd - tests - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 72daf99fd1ffd8269fce25d69458de35e2ae32cc) ---- - selftest/tests.py | 58 ++++++++++++++++++++++++++++++----------------- - 1 file changed, 37 insertions(+), 21 deletions(-) - -diff --git a/selftest/tests.py b/selftest/tests.py -index 507f7c3ea55..3224de493f9 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -165,27 +165,43 @@ 
planpythontestsuite("none", "samba.tests.tdb_util", py3_compatible=True) - planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True) - - if with_pam: -- plantestsuite("samba.tests.pam_winbind(local)", "ad_member", -- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -- valgrindify(python), pam_wrapper_so_path, -- "$SERVER", "$USERNAME", "$PASSWORD", "''"]) -- plantestsuite("samba.tests.pam_winbind(domain)", "ad_member", -- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -- valgrindify(python), pam_wrapper_so_path, -- "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", "''"]) -- -- for pam_options in ["''", "use_authtok", "try_authtok"]: -- plantestsuite("samba.tests.pam_winbind_chauthtok with options %s" % pam_options, "ad_member", -- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), -- valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, -- "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", -- pam_options, 'yes', -- "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) -- -- plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain)", "ad_member", -- [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), -- valgrindify(python), pam_wrapper_so_path, -- "$DOMAIN", "alice", "Secret007", "''"]) -+ env = "ad_member" -+ options = [ -+ { -+ "description": "default", -+ "pam_options": "", -+ }, -+ ] -+ for o in options: -+ description = o["description"] -+ pam_options = "'%s'" % o["pam_options"] -+ -+ plantestsuite("samba.tests.pam_winbind(local+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$SERVER", "$USERNAME", "$PASSWORD", -+ pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$DOMAIN", "$DC_USERNAME", 
"$DC_PASSWORD", -+ pam_options]) -+ -+ for authtok_options in ["", "use_authtok", "try_authtok"]: -+ _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) -+ _description = "%s %s" % (description, authtok_options) -+ plantestsuite("samba.tests.pam_winbind_chauthtok(domain+%s)" % _description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_chauthtok.sh"), -+ valgrindify(python), pam_wrapper_so_path, pam_set_items_so_path, -+ "$DOMAIN", "TestPamOptionsUser", "oldp@ssword0", "newp@ssword0", -+ _pam_options, 'yes', -+ "$DC_SERVER", "$DC_USERNAME", "$DC_PASSWORD"]) -+ -+ plantestsuite("samba.tests.pam_winbind_warn_pwd_expire(domain+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind_warn_pwd_expire.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$DOMAIN", "alice", "Secret007", -+ pam_options]) - - - plantestsuite("samba.unittests.krb5samba", "none", --- -2.24.1 - - -From 71047f27e44dd9b3c7aaf421990199de408ee67b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 08:08:57 +0200 -Subject: [PATCH 17/22] selftest/tests.py: test pam_winbind with krb5_auth - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit 36e95e42ea8a7e5a4091a647215d06d2ab47fab6) ---- - selftest/tests.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/selftest/tests.py b/selftest/tests.py -index 3224de493f9..c2d94262c3c 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -167,6 +167,10 @@ planpythontestsuite("none", "samba.tests.samdb_api", py3_compatible=True) - if with_pam: - env = "ad_member" - options = [ -+ { -+ "description": "krb5", -+ "pam_options": "krb5_auth krb5_ccache_type=FILE", -+ }, - { - "description": "default", - "pam_options": "", --- -2.24.1 - - -From 2262c07316a247aa20b306767af172c22e47d438 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 14:03:34 
+0200 -Subject: [PATCH 18/22] selftest/tests.py: test pam_winbind with a lot of - username variations - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(cherry picked from commit f07b542c61f84a97c097208e10bf9375ddfa9a15) ---- - selftest/tests.py | 27 ++++++++++++++++++++++++++- - 1 file changed, 26 insertions(+), 1 deletion(-) - -diff --git a/selftest/tests.py b/selftest/tests.py -index c2d94262c3c..c9529328359 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -185,11 +185,36 @@ if with_pam: - valgrindify(python), pam_wrapper_so_path, - "$SERVER", "$USERNAME", "$PASSWORD", - pam_options]) -- plantestsuite("samba.tests.pam_winbind(domain+%s)" % description, env, -+ plantestsuite("samba.tests.pam_winbind(domain1+%s)" % description, env, - [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), - valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "$DC_USERNAME", "$DC_PASSWORD", - pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain2+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$REALM", "$DC_USERNAME", "$DC_PASSWORD", -+ pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain3+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "''", "${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", -+ pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain4+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "''", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", -+ pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain5+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$REALM", 
"${DC_USERNAME}@${DOMAIN}", "$DC_PASSWORD", -+ pam_options]) -+ plantestsuite("samba.tests.pam_winbind(domain6+%s)" % description, env, -+ [os.path.join(srcdir(), "python/samba/tests/test_pam_winbind.sh"), -+ valgrindify(python), pam_wrapper_so_path, -+ "$DOMAIN", "${DC_USERNAME}@${REALM}", "$DC_PASSWORD", -+ pam_options]) - - for authtok_options in ["", "use_authtok", "try_authtok"]: - _pam_options = "'%s %s'" % (o["pam_options"], authtok_options) --- -2.24.1 - - -From 2ed154a74c10d77a1db4543e9c1b498875777a4c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 08:02:38 +0200 -Subject: [PATCH 19/22] selftest/Samba3.pm: use "winbind scan trusted domains = - no" for ad_member - -This demonstrates that we rely on knowning about trusted domains before -we can do krb5_auth in winbindd. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner -(similar to commit e2737a74d4453a3d65e5466ddc4405d68444df27) ---- - selftest/target/Samba3.pm | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 892a6a15e2d..751304d9166 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -412,6 +412,7 @@ sub setup_ad_member - realm = $dcvars->{REALM} - netbios aliases = foo bar - template homedir = /home/%D/%G/%U -+ winbind scan trusted domains = no - - [sub_dug] - path = $share_dir/D_%D/U_%U/G_%G --- -2.24.1 - - -From 27a48944cfbfb2932558a799d5b9c057e0d4ea42 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 Sep 2019 08:10:26 +0200 -Subject: [PATCH 20/22] selftest/Samba3.pm: use "winbind use krb5 enterprise - principals = yes" for ad_member -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This demonstrates that can do krb5_auth in winbindd without knowning about trusted domains. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14124 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Tue Sep 24 19:51:29 UTC 2019 on sn-devel-184 - -(similar to commit 0ee085b594878f5e0e83839f465303754f015459) ---- - selftest/target/Samba3.pm | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 751304d9166..89e75e54a91 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -413,6 +413,7 @@ sub setup_ad_member - netbios aliases = foo bar - template homedir = /home/%D/%G/%U - winbind scan trusted domains = no -+ winbind use krb5 enterprise principals = yes - - [sub_dug] - path = $share_dir/D_%D/U_%U/G_%G --- -2.24.1 - - -From f70c0339b7e0f22351bdb2604504bf4f2c794544 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Oct 2019 20:11:03 +0200 -Subject: [PATCH 21/22] lib:krb5_wrap: Do not create a temporary file for - MEMORY keytabs - -The autobuild cleanup script fails with: - -The tree has 3 new uncommitted files!!! 
-git clean -n -Would remove MEMORY:tmp_smb_creds_SK98Lv -Would remove MEMORY:tmp_smb_creds_kornU6 -Would remove MEMORY:tmp_smb_creds_ljR828 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit d888655244b4d8ec7a69a042e0ff3c074585b0de) -(cherry picked from commit d533a588b62829688824824da681cb360a399651) ---- - lib/krb5_wrap/krb5_samba.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index abdcb308728..6ce1d09952e 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2002,21 +2002,21 @@ krb5_error_code smb_krb5_kinit_keyblock_ccache(krb5_context ctx, - krb_options); - #elif defined(HAVE_KRB5_GET_INIT_CREDS_KEYTAB) - { --#define SMB_CREDS_KEYTAB "MEMORY:tmp_smb_creds_XXXXXX" -- char tmp_name[sizeof(SMB_CREDS_KEYTAB)]; -+#define SMB_CREDS_KEYTAB "MEMORY:tmp_kinit_keyblock_ccache" -+ char tmp_name[64] = {0}; - krb5_keytab_entry entry; - krb5_keytab keytab; -- mode_t mask; -+ int rc; - - memset(&entry, 0, sizeof(entry)); - entry.principal = principal; - *(KRB5_KT_KEY(&entry)) = *keyblock; - -- memcpy(tmp_name, SMB_CREDS_KEYTAB, sizeof(SMB_CREDS_KEYTAB)); -- mask = umask(S_IRWXO | S_IRWXG); -- mktemp(tmp_name); -- umask(mask); -- if (tmp_name[0] == 0) { -+ rc = snprintf(tmp_name, sizeof(tmp_name), -+ "%s-%p", -+ SMB_CREDS_KEYTAB, -+ &my_creds); -+ if (rc < 0) { - return KRB5_KT_BADNAME; - } - code = krb5_kt_resolve(ctx, tmp_name, &keytab); --- -2.24.1 - - -From 496c7702401cdce4603bdb143742fdf59e614fdd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Oct 2019 16:32:47 +0200 -Subject: [PATCH 22/22] s3:libads: Do not turn on canonicalization flag for MIT - Kerberos - -This partially reverts 303b7e59a286896888ee2473995fc50bb2b5ce5e. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155 - -Pair-Programmed-With: Isaac Boukris - -Signed-off-by: Andreas Schneider -Signed-off-by: Isaac Boukris -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 123584294cfd153acc2d9a5be9d71c395c847a25) - -Autobuild-User(v4-10-test): Stefan Metzmacher -Autobuild-Date(v4-10-test): Wed Oct 16 16:43:59 UTC 2019 on sn-devel-144 - -(cherry picked from commit 3ad42536f873f21cc2db774ca3ea694ca7142253) ---- - source3/libads/krb5_setpw.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c -index 67bc2f4640d..028b0dcfa65 100644 ---- a/source3/libads/krb5_setpw.c -+++ b/source3/libads/krb5_setpw.c -@@ -207,7 +207,22 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, - krb5_get_init_creds_opt_set_win2k(context, opts, true); - krb5_get_init_creds_opt_set_canonicalize(context, opts, true); - #else /* MIT */ -+#if 0 -+ /* -+ * FIXME -+ * -+ * Due to an upstream MIT Kerberos bug, this feature is not -+ * not working. Affection versions (2019-10-09): <= 1.17 -+ * -+ * Reproducer: -+ * kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM -+ * -+ * This is NOT a problem if the service is a krbtgt. -+ * -+ * https://bugzilla.samba.org/show_bug.cgi?id=14155 -+ */ - krb5_get_init_creds_opt_set_canonicalize(opts, true); -+#endif - #endif /* MIT */ - - /* note that heimdal will fill in the local addresses if the addresses --- -2.24.1 - diff --git a/SOURCES/samba-4.10.16.tar.asc b/SOURCES/samba-4.10.16.tar.asc new file mode 100644 index 0000000..e3316d4 --- /dev/null +++ b/SOURCES/samba-4.10.16.tar.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- + +iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXsuCuxUcc2FtYmEtYnVn +c0BzYW1iYS5vcmcACgkQbzORW2Vot+rdkQCfe26wz1MVcIWrfsRVuPggVierWX0A +oLZwOatGzF6TFhLeN7VjkKJqqQsm +=N2N+ +-----END PGP SIGNATURE----- 
diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc deleted file mode 100644 index 29f805c..0000000 --- a/SOURCES/samba-4.10.4.tar.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn -c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA -n3v79/BJYEuD3vw98M5nW4GBN6C9 -=/Xfk ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch deleted file mode 100644 index 61635f8..0000000 --- a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch +++ /dev/null 
@@ -1,124 +0,0 @@ -From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 23 May 2019 13:33:21 -0700 -Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts. - -Previously the private context was caching a pointer to -a string returned from lp_XXX(). This string can change -on config file reload. Ensure the string is talloc_strup'ed -onto the owning context instead. - -Reported by Heinrich Mislik - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab) ---- - source3/winbindd/idmap_script.c | 20 ++++++++++++++++---- - source3/winbindd/idmap_tdb2.c | 22 +++++++++++++++++----- - 2 files changed, 33 insertions(+), 9 deletions(-) - -diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c -index 7ad6b806fb8..f382f896b35 100644 ---- a/source3/winbindd/idmap_script.c -+++ b/source3/winbindd/idmap_script.c -@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - NTSTATUS ret; - struct idmap_script_context *ctx; - const char * idmap_script = NULL; -+ const char *ctx_script = NULL; - - DEBUG(10, ("%s called ...\n", __func__)); - -@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - goto failed; - } - -- ctx->script = idmap_config_const_string(dom->name, "script", NULL); -+ ctx_script = idmap_config_const_string(dom->name, "script", NULL); - - /* Do we even need to handle this? 
*/ - idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL); -@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - " Please use 'idmap config * : script' instead!\n")); - } - -- if (strequal(dom->name, "*") && ctx->script == NULL) { -+ if (strequal(dom->name, "*") && ctx_script == NULL) { - /* fall back to idmap:script for backwards compatibility */ -- ctx->script = idmap_script; -+ ctx_script = idmap_script; - } - -- if (ctx->script) { -+ if (ctx_script) { - DEBUG(1, ("using idmap script '%s'\n", ctx->script)); -+ /* -+ * We must ensure this memory is owned by ctx. -+ * The ctx_script const pointer is a pointer into -+ * the config file data and may become invalid -+ * on config file reload. BUG: 13956 -+ */ -+ ctx->script = talloc_strdup(ctx, ctx_script); -+ if (ctx->script == NULL) { -+ ret = NT_STATUS_NO_MEMORY; -+ goto failed; -+ } - } - - dom->private_data = ctx; -diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c -index b784546bb33..eceab9c0784 100644 ---- a/source3/winbindd/idmap_tdb2.c -+++ b/source3/winbindd/idmap_tdb2.c -@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - struct idmap_tdb_common_context *commonctx; - struct idmap_tdb2_context *ctx; - const char * idmap_script = NULL; -+ const char *ctx_script = NULL; - - commonctx = talloc_zero(dom, struct idmap_tdb_common_context); - if(!commonctx) { -@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - goto failed; - } - -- ctx->script = idmap_config_const_string(dom->name, "script", NULL); -+ ctx_script = idmap_config_const_string(dom->name, "script", NULL); - - idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL); - if (idmap_script != NULL) { -@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - " Please use 'idmap config * : script' instead!\n")); - } - -- if (strequal(dom->name, "*") && ctx->script == NULL) { -+ if 
(strequal(dom->name, "*") && ctx_script == NULL) { - /* fall back to idmap:script for backwards compatibility */ -- ctx->script = idmap_script; -+ ctx_script = idmap_script; - } - -- if (ctx->script) { -- DEBUG(1, ("using idmap script '%s'\n", ctx->script)); -+ if (ctx_script) { -+ DEBUG(1, ("using idmap script '%s'\n", ctx_script)); -+ /* -+ * We must ensure this memory is owned by ctx. -+ * The ctx_script const pointer is a pointer into -+ * the config file data and may become invalid -+ * on config file reload. BUG: 13956 -+ */ -+ ctx->script = talloc_strdup(ctx, ctx_script); -+ if (ctx->script == NULL) { -+ ret = NT_STATUS_NO_MEMORY; -+ goto failed; -+ } - } - - commonctx->max_id = dom->high_id; --- -2.22.0.rc1.257.g3120a18244-goog - diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch deleted file mode 100644 index 5bf463b..0000000 --- a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 1/2] s3-rpcserver: fix security level check for - DsRGetForestTrustInformation - -Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which -didn't change since DCE RPC channel refactoring. - -With the current code we return RPC faul as can be seen in the logs: - -2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug) - netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation - in: struct netr_DsRGetForestTrustInformation - server_name : * - server_name : '\\some-dc.example.com' - trusted_domain_name : NULL - flags : 0x00000000 (0) -[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP) - api_rpcTNP: fault(5) return. 
- -This is due to this check in processing a request: - if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) - && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { - p->fault_state = DCERPC_FAULT_ACCESS_DENIED; - return WERR_ACCESS_DENIED; - } - -and since we get AuthZ response, - - Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC] - Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445] -[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json) - JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000", - "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, - "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017", - "serviceDescription": "netlogon", "authType": "ncacn_np", - "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500", - "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC", - "transportProtection": "SMB", "accountFlags": "0x00000010"}} - -this means we are actually getting anonymous DCE/RPC access to netlogon -on top of authenticated SMB connection. In such case we have exactly -auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to -DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error. - -Update the code to follow the same security level check as in s4 variant -of the call. 
- -Signed-off-by: Alexander Bokovoy ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index cbbf9feedc7..52b17c10e61 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, - { - NTSTATUS status; - struct lsa_ForestTrustInformation *info, **info_ptr; -+ enum security_user_level security_level; - -- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) -- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { -- p->fault_state = DCERPC_FAULT_ACCESS_DENIED; -+ security_level = security_session_user_level(p->session_info, NULL); -+ if (security_level < SECURITY_USER) { - return WERR_ACCESS_DENIED; - } - --- -2.24.1 - diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 10ee2c5..65fd987 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,9 +6,9 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 11 +%define main_release 5 -%define samba_version 4.10.4 +%define samba_version 4.10.16 %define talloc_version 2.1.16 %define tdb_version 1.3.18 %define tevent_version 0.9.39 
@@ -127,20 +127,15 @@ Source14: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.10-fix_smbspool.patch -Patch1: samba-4.10.6-fix_idmap_tdb2.patch -Patch2: samba-4.10-net_ads_join_createcomputer.patch -Patch3: CVE-2019-10197-v4-10-metze03.patches.txt -Patch4: samba-4.10-fix_smbspool_username_password.patch -Patch5: samba-4.10-fix_winbind_trustdom_enum.patch -Patch6: samba-4.10-fix-spnego-downgrade.patch -Patch7: samba-4.10-fix_net_ads_join_hardened_env.patch -Patch8: samba-4.10-fix-netbios-join.patch -Patch9: CVE-2019-10218-4.11.patch -Patch10: samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch -Patch11: samba-4.10-winbind_krb5_enterprise_princ.patch -Patch12: samba-4.10-fix_smblcient_mkdir_debug_message.patch -Patch13: samba-4.10-fix_client_log_spam_for_messaging.patch +# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-10-redhat +# This will give us CI and makes it easy to generate patchsets. +# +# Generate the patchset using: git fpstd -N > samba-4.10-redhat.patch +Patch0: samba-4.10-redhat.patch + +# Set the libldb requirement back to 1.5.4, we don't need a newer version as +# we only build Samba FS. +Patch1000: libldb-require-version-1.5.4.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -298,6 +293,9 @@ Requires: %{name}-client-libs = %{samba_depver} %if %with_libsmbclient Requires: libsmbclient = %{samba_depver} %endif +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif Provides: samba4-client = %{samba_depver} Obsoletes: samba4-client < %{samba_depver} @@ -315,6 +313,7 @@ of SMB/CIFS shares and printing to SMB/CIFS printers. Summary: Samba client libraries Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} +Requires: samba-common-libs = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} %endif 
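Review bot: The comment above the new `Patch0: samba-4.10-redhat.patch` line does not record which of the thirteen patches it replaces — among them `CVE-2019-10197-v4-10-metze03.patches.txt` and `CVE-2019-10218-4.11.patch` — are now carried by the 4.10.16 tarball and which were folded into the consolidated patch, so a reader of the spec cannot confirm that no fix was lost in the squash. The generation hint `git fpstd -N` also appears to be a local git alias rather than a built-in subcommand, which makes the stated procedure non-reproducible as written; spell out the underlying command (presumably a `format-patch --stdout` variant) or say where the alias is defined. I would add a line such as `# Former Patch0..Patch13 are either upstream in 4.10.16 or carried in samba-4.10-redhat.patch; see the v4-10-redhat branch history.` so the provenance of the security backports stays auditable from the spec alone.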
@@ -468,6 +467,7 @@ Samba VFS module for GlusterFS integration. Summary: Samba CUPS backend for printing with Kerberos Requires(pre): %{name}-client Requires: %{name}-client +Requires: %{name}-client-libs Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives @@ -498,7 +498,11 @@ against the SMB, RPC and other protocols provided by the Samba suite. Summary: The SMB client library Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif %description -n libsmbclient The libsmbclient contains the SMB client library from the Samba suite. @@ -541,6 +545,12 @@ Summary: Samba Python libraries Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif +%if %with_libsmbclient +Requires: libsmbclient = %{samba_depver} +%endif Requires: python-tevent Requires: python-tdb Requires: pyldb @@ -620,6 +630,9 @@ packages of Samba. Summary: Libraries need by the testing tools for Samba servers and clients Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif Provides: %{name}-test-devel = %{samba_depver} Obsoletes: %{name}-test-devel < %{samba_depver} @@ -637,6 +650,9 @@ Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} +%if %with_libwbclient +Requires: libwbclient = %{samba_depver} +%endif Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} 
@@ -670,6 +686,7 @@ tool. Summary: Samba winbind krb5 locator %if %with_libwbclient Requires: libwbclient = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} %else Requires: %{name}-libs = %{samba_depver} @@ -1011,6 +1028,7 @@ for i in \ %{python_sitearch}/samba/samdb.py* \ %{python_sitearch}/samba/schema.py* \ %{python_sitearch}/samba/tests/krb5_credentials.py* \ + %{python_sitearch}/samba/tests/ldap_raw.py* \ %{python_sitearch}/samba/tests/password_quality.py* \ %{python_sitearch}/samba/gp_sec_ext.py* \ %{python_sitearch}/samba/mdb_util.py* \ @@ -1151,10 +1169,12 @@ fi /sbin/ldconfig %preun -n libwbclient -%{_sbindir}/update-alternatives \ - --remove \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +fi /sbin/ldconfig %posttrans -n libwbclient-devel 
@@ -1170,10 +1190,12 @@ fi # When downgrading to a version where alternatives is not used and # libwbclient.so is a link and not a file it will be removed. The following # check removes the alternatives files manually if that is the case. -if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then - /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null -else - %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so +if [ $1 -eq 0 ]; then + if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then + /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null + else + %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so + fi fi %endif # with_libwbclient @@ -1474,7 +1496,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libcli-spoolss-samba4.so %{_libdir}/samba/libcliauth-samba4.so %{_libdir}/samba/libclidns-samba4.so -%{_libdir}/samba/libcmdline-contexts-samba4.so %{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libctdb-event-client-samba4.so @@ -1598,6 +1619,7 @@ rm -rf %{buildroot} %files common-libs %defattr(-,root,root) # common libraries +%{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libcmdline-contexts-samba4.so %{_libdir}/samba/libpopt-samba3-cmdline-samba4.so %{_libdir}/samba/libpopt-samba3-samba4.so 
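Review bot: The new `if [ $1 -eq 0 ]` guard skips the whole block on upgrade and downgrade (where RPM passes 1), yet the unchanged comment above it still says the block exists to clean up when downgrading to a version that does not use alternatives, so comment and code now disagree. If cleanup is intended only on full erase, the comment should say so, e.g. `# Only clean up the alternatives entries on package removal ($1 == 0); upgrades and downgrades keep them.`; if the downgrade case still matters, the inner branch needs a condition other than `$1 -eq 0`. The scriptlet this hunk belongs to starts outside the hunk. The `==` inside `[ ]` on the `readlink` line is a bash extension rather than POSIX `[` syntax; it works while /bin/sh is bash, but `=` is the portable form.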
@@ -1911,7 +1933,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so -%{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libdcerpc-samba4.so %{_libdir}/samba/libnon-posix-acls-samba4.so %{_libdir}/samba/libsamba-net-samba4.so @@ -2207,6 +2228,7 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/glue.py* %{python_sitearch}/samba/tests/graph.py* %{python_sitearch}/samba/tests/hostconfig.py* +%{python_sitearch}/samba/tests/ldap_referrals.py* %{python_sitearch}/samba/tests/libsmb.py* %{python_sitearch}/samba/tests/join.py* %{python_sitearch}/samba/tests/lsa_string.py* @@ -2236,9 +2258,11 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/provision.py* %{python_sitearch}/samba/tests/py_credentials.py* %{python_sitearch}/samba/tests/registry.py* +%{python_sitearch}/samba/tests/samba_upgradedns_lmdb* %{python_sitearch}/samba/tests/samba3sam.py* %{python_sitearch}/samba/tests/samdb.py* %{python_sitearch}/samba/tests/smbd_base.py* +%{python_sitearch}/samba/tests/smbd_fuzztest.py* %{python_sitearch}/samba/tests/security.py* %{python_sitearch}/samba/tests/source.py* %{python_sitearch}/samba/tests/strings.py* @@ -2261,6 +2285,7 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/blackbox/traffic_learner.py* %{python_sitearch}/samba/tests/blackbox/traffic_replay.py* %{python_sitearch}/samba/tests/blackbox/traffic_summary.py* +%{python_sitearch}/samba/tests/blackbox/undoguididx.py* %dir %{python_sitearch}/samba/tests/dcerpc %{python_sitearch}/samba/tests/dcerpc/__init__.py* @@ -2414,6 +2439,7 @@ rm -rf %{buildroot} # CTDB scripts, no config files # script with executable bit means activated %dir %{_sysconfdir}/ctdb/events +%dir %{_sysconfdir}/ctdb/events/legacy %dir %{_sysconfdir}/ctdb/events/notification %{_sysconfdir}/ctdb/events/notification/README 
@@ -2452,6 +2478,9 @@ rm -rf %{buildroot} %{_libexecdir}/ctdb/smnotify %dir %{_localstatedir}/lib/ctdb/ +%dir %{_localstatedir}/lib/ctdb/persistent +%dir %{_localstatedir}/lib/ctdb/state +%dir %{_localstatedir}/lib/ctdb/volatile %{_mandir}/man1/ctdb.1.gz %{_mandir}/man1/ctdb_diagnostics.1.gz @@ -2543,7 +2572,6 @@ rm -rf %{buildroot} %{_libexecdir}/ctdb/tests/sock_io_test %{_libexecdir}/ctdb/tests/srvid_test %{_libexecdir}/ctdb/tests/system_socket_test -%{_libexecdir}/ctdb/tests/test_mutex_raw %{_libexecdir}/ctdb/tests/transaction_loop %{_libexecdir}/ctdb/tests/tunnel_cmd %{_libexecdir}/ctdb/tests/tunnel_test 
@@ -3271,10 +3299,46 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Wed Jun 03 2020 Andreas Schneider - 4.10-16-5 +- related: #1785121 - Add missing RPM Requires + +* Tue Jun 2 2020 Isaac Boukris - 4.10.16-2 +- resolves: #1828354 - add additioanl hostnames to the keytab +- resolves: #1836427 - add dnshostname option net-ads-join + +* Mon May 25 2020 Andreas Schneider - 4.10.16-1 +- related: #1785121 - Rebase to version 4.10.16 + +* Tue May 19 2020 Andreas Schneider - 4.10.15-5 +- resolves: #1831986 - Fix gencache for normal users + +* Thu May 07 2020 Andreas Schneider - 4.10.15-4 +- resolves: #1813017 - Fix smbclient log to file + +* Tue May 05 2020 Andreas Schneider - 4.10.15-3 +- Removed patch for #1634057 + +* Mon May 4 2020 Isaac Boukris - 4.10.15-2 +- resolves: #1825505 - Compilation of samba sources fails on RHEL + +* Thu Apr 30 2020 Andreas Schneider - 4.10.15-1 +- related: #1785121 - Rebase to version 4.10.15 +- resolves: #1828924 - Fix typo in pam_winbind documentation about require_membership_of +- resolves: #1801496 - Add missing ctdb directories + +* Thu Apr 16 2020 Isaac Boukris - 4.10.13-2 +- resolves: #1810511 - Fix net-ads-keytab-create to include UPN + +* Mon Feb 03 2020 Andreas Schneider - 4.10.13-1 +- resolves: #1785121 - Rebase to vesion 4.10.13 +- resolves: #1791208 - Fix CVE-2019-14907 +- resolves: #1737888 - Fix manual libwbclient alternative settings +- resolves: #1634057 - Return correct stat for SMB1 with POSIX extensions + * Mon Feb 03 2020 Andreas Schneider - 4.10.4-11 -- resolves: #1797560 - Fix Kerberos authentication with trusted domains -- resolves: #1797561 - Fix smbclient mkdir log spam -- resolves: #1797562 - Fix client tools log spam about messaging +- resolves: #1791823 - Fix Kerberos authentication with trusted domains +- resolves: #1781231 - Fix smbclient mkdir log spam +- resolves: #1776333 - Fix client tools log spam about messaging * Wed Jan 08 2020 Alexander Bokovoy - 4.10.4-10 - resolves: #1786324 - 
fix security level check for DsRGetForestTrustInformation