From d028719cc75bf00b7052616ba5f30c5eae46612b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jun 09 2020 20:09:05 +0000
Subject: import samba-4.11.2-14.el8
---
diff --git a/SOURCES/0210-support-krb5-1.18.patch b/SOURCES/0210-support-krb5-1.18.patch
new file mode 100644
index 0000000..7cfa02e
--- /dev/null
+++ b/SOURCES/0210-support-krb5-1.18.patch
@@ -0,0 +1,191 @@
+From 6e3fd37ab243858e6494a37b3c805bff855ff5a7 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Mon, 16 Sep 2019 16:40:12 +0300
+Subject: [PATCH] Adapt sign_authdata in our KDB module for krb5 v1.18
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+---
+ source4/kdc/mit-kdb/kdb_samba.c | 2 +-
+ source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++++++++
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++
+ 3 files changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
+index c5157d6ed1b..02bbdca9f54 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.c
++++ b/source4/kdc/mit-kdb/kdb_samba.c
+@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
+ 
+ kdb_vftabl kdb_function_table = {
+ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+- .min_ver = 1,
++ .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
+ 
+ .init_library = kdb_samba_init_library,
+ .fini_library = kdb_samba_fini_library,
+diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
+index 22ef9085b6a..ad4f6e27573 100644
+--- a/source4/kdc/mit-kdb/kdb_samba.h
++++ b/source4/kdc/mit-kdb/kdb_samba.h
+@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
+ 
+ /* from kdb_samba_policies.c */
+ 
++#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_timestamp authtime,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data);
++#else
++krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
++ unsigned int flags,
++ krb5_const_principal client_princ,
++ krb5_const_principal server_princ,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_db_entry *krbtgt,
++ krb5_db_entry *local_krbtgt,
++ krb5_keyblock *client_key,
++ krb5_keyblock *server_key,
++ krb5_keyblock *krbtgt_key,
++ krb5_keyblock *local_krbtgt_key,
++ krb5_keyblock *session_key,
++ krb5_timestamp authtime,
++ krb5_authdata **tgt_auth_data,
++ void *authdata_info,
++ krb5_data ***auth_indicators,
++ krb5_authdata ***signed_auth_data);
++#endif
+ 
+ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
+ krb5_kdc_req *kdcreq,
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index fc80329f221..586cf81451d 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -287,6 +287,7 @@ done:
+ return code;
+ }
+ 
++#if KRB5_KDB_API_VERSION < 10
+ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ unsigned int flags,
+ krb5_const_principal client_princ,
+@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_authdata **tgt_auth_data,
+ krb5_authdata ***signed_auth_data)
+ {
++#else
++krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
++ unsigned int flags,
++ krb5_const_principal client_princ,
++ krb5_const_principal server_princ,
++ krb5_db_entry *client,
++ krb5_db_entry *server,
++ krb5_db_entry *krbtgt,
++ krb5_db_entry *local_krbtgt,
++ krb5_keyblock *client_key,
++ krb5_keyblock *server_key,
++ krb5_keyblock *krbtgt_key,
++ krb5_keyblock *local_krbtgt_key,
++ krb5_keyblock *session_key,
++ krb5_timestamp authtime,
++ krb5_authdata **tgt_auth_data,
++ void *authdata_info,
++ krb5_data ***auth_indicators,
++ krb5_authdata ***signed_auth_data)
++{
++#endif
+ krb5_const_principal ks_client_princ;
+ krb5_authdata **authdata = NULL;
+ krb5_boolean is_as_req;
+@@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_pac pac = NULL;
+ krb5_data pac_data;
+ 
++#if KRB5_KDB_API_VERSION >= 10
++ krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
++ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
++#endif
++
+ /* Prefer canonicalised name from client entry */
+ if (client != NULL) {
+ ks_client_princ = client->princ;
+-- 
+2.25.4
+
+From 958807109845313c35a0c6949b33ffbc09eeba59 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Thu, 16 Jan 2020 22:00:21 +0100
+Subject: [PATCH] Sign and verify PAC with ticket principal instead of canon
+ principal
+
+With MIT library 1.18 the KDC no longer set
+KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
+us to not canonicalize them (like in Windows / Heimdal).
+
+However, it now breaks the PAC signature verification as it was
+wrongly done using canonical client rather than ticket client name.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+---
+ source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
+index 586cf81451d..2eec496fa92 100644
+--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
+@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krb5_authdata ***signed_auth_data)
+ {
+ #endif
+- krb5_const_principal ks_client_princ;
+ krb5_authdata **authdata = NULL;
+ krb5_boolean is_as_req;
+ krb5_error_code code;
+@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
+ #endif
+ 
+- /* Prefer canonicalised name from client entry */
+- if (client != NULL) {
+- ks_client_princ = client->princ;
+- } else {
+- ks_client_princ = client_princ;
+- }
+-
+ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ 
+ if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ if (!is_as_req) {
+ code = ks_verify_pac(context,
+ flags,
+- ks_client_princ,
++ client_princ,
+ client,
+ server,
+ krbtgt,
+@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
+ goto done;
+ }
+ 
+- code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
++ code = krb5_pac_sign(context, pac, authtime, client_princ,
+ server_key, krbtgt_key, &pac_data);
+ if (code != 0) {
+ DBG_ERR("krb5_pac_sign failed: %d\n", code);
+-- 
+2.25.4
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 51f3b9c..7a46d52 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
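Review bot: In the second nested patch, the `ks_verify_pac` and `krb5_pac_sign` calls now take `client_princ` with no comment saying why the name in the ticket, rather than the canonical entry name, is the right key for the PAC signature; the rationale lives only in the commit message, so a one-line comment such as `/* PAC signatures bind the client name as carried in the ticket; with krb5 1.18 enterprise names are no longer canonicalized, so do not substitute client->princ here */` would keep a later reader from reintroducing the removed branch. The `#if KRB5_KDB_API_VERSION >= 10` fallback (`krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;`) and the `.min_ver` ternary in kdb_samba.c likewise encode the DAL ABI change silently; a comment naming the krb5 version that introduced the split and what `local_krbtgt` is (presumably the local TGS entry the new API passes separately) would help the next rebase. Whether both `krbtgt` and `local_krbtgt` (and their keys) can be NULL for some request type is not visible here, and nothing after the fallback checks for it before the later `krb5_pac_sign` use of `krbtgt_key`, so that is worth confirming against the DAL contract. The body of `kdb_samba_db_sign_auth_data` is only partially shown across the nested hunks.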
@@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 13 +%define main_release 14 %define samba_version 4.11.2 %define talloc_version 2.2.0 @@ -73,7 +73,7 @@ %global with_dc 1 %endif -%global required_mit_krb5 1.15.1 +%global required_mit_krb5 1.18 %global with_clustering_support 0 @@ -326,6 +326,7 @@ Patch0206: 0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch Patch0207: 0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch Patch0208: 0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch Patch0209: 0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch +Patch0210: 0210-support-krb5-1.18.patch Patch1000: samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch Patch1001: CVE-2019-14907-4.11.patch @@ -3725,6 +3726,10 @@ fi %endif %changelog +* Fri May 29 2020 Alexander Bokovoy - 4.11.2-14 +- Rebuild with krb5 1.18 +- Resolves: #1817578 - support krb5 1.18 + * Thu Feb 13 2020 Isaac Boukris - 4.11.2-13 - resolves: #1802182 - Fix join using netbios name