From e01448612256d58911a90d4af93203fada48d935 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 20 2022 08:00:05 +0000 Subject: import samba-4.10.16-20.el7_9 --- diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch index 6528a01..9ca06c2 100644 --- a/SOURCES/samba-4.10-redhat.patch +++ b/SOURCES/samba-4.10-redhat.patch @@ -1,7 +1,7 @@ From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 001/100] s3-rpcserver: fix security level check for +Subject: [PATCH 001/101] s3-rpcserver: fix security level check for DsRGetForestTrustInformation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644 } -- -2.36.0 +2.37.2 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 16:50:45 +0200 -Subject: [PATCH 002/100] Add a test to check dNSHostName with netbios aliases +Subject: [PATCH 002/101] Add a test to check dNSHostName with netbios aliases BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755 # Test createcomputer option of 'net ads join' # -- -2.36.0 +2.37.2 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:52:46 +0200 -Subject: [PATCH 003/100] Fix accidental overwrite of dnsHostName by the last +Subject: [PATCH 003/101] Fix accidental overwrite of dnsHostName by the last netbios alias BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); goto done; -- -2.36.0 +2.37.2 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 24 Oct 2019 19:04:51 +0300 -Subject: [PATCH 004/100] Refactor ads_keytab_add_entry() to make it iterable +Subject: [PATCH 004/101] Refactor ads_keytab_add_entry() to make it iterable so we can more easily add msDS-AdditionalDnsHostName entries. @@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644 out: SAFE_FREE(salt_princ_s); -- -2.36.0 +2.37.2 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 17:55:12 +0200 -Subject: [PATCH 005/100] Add a test for msDS-AdditionalDnsHostName entries in +Subject: [PATCH 005/101] Add a test for msDS-AdditionalDnsHostName entries in keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- -2.36.0 +2.37.2 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:36:28 +0200 -Subject: [PATCH 006/100] Add msDS-AdditionalDnsHostName entries to the keytab +Subject: [PATCH 006/101] Add msDS-AdditionalDnsHostName entries to the keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644 { LDAPMessage *res = NULL; -- -2.36.0 +2.37.2 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:54:12 +0200 -Subject: [PATCH 007/100] Add net-ads-join dnshostname=fqdn option +Subject: [PATCH 007/101] Add net-ads-join dnshostname=fqdn option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755 exit $failed -- -2.36.0 +2.37.2 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:04:57 +0200 -Subject: [PATCH 008/100] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 008/101] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() It's good to have just a single isolated function that will generate @@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -- -2.36.0 +2.37.2 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:07:30 +0200 -Subject: [PATCH 009/100] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of +Subject: [PATCH 009/101] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge() This will avoid getting flakey tests once our server starts to @@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), "ServerReqChallenge"); -- -2.36.0 +2.37.2 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:08:38 +0200 -Subject: [PATCH 010/100] CVE-2020-1472(ZeroLogon): libcli/auth: make use of +Subject: [PATCH 010/101] CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c This will avoid getting rejected by the server if we generate @@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, state->binding_handle, -- -2.36.0 +2.37.2 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 011/100] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: +Subject: [PATCH 011/101] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.36.0 +2.37.2 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 012/100] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: +Subject: [PATCH 012/101] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.36.0 +2.37.2 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:15:26 +0200 -Subject: [PATCH 013/100] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 013/101] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values This is the check Windows is using, so we won't generate challenges, @@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -- -2.36.0 +2.37.2 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:17:29 +0200 -Subject: [PATCH 014/100] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak +Subject: [PATCH 014/101] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: @@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644 ) -- -2.36.0 +2.37.2 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 19:20:25 +0200 -Subject: [PATCH 015/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 015/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644 ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, -- -2.36.0 +2.37.2 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Sep 2020 12:53:50 -0700 -Subject: [PATCH 016/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 016/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644 p->session_info, p->msg_ctx, -- -2.36.0 +2.37.2 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:18:45 +0200 -Subject: [PATCH 017/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 017/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() We should debug more details about the failing request. @@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644 /* -- -2.36.0 +2.37.2 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:56:53 +0200 -Subject: [PATCH 018/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 018/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" This allows to add expections for individual workstations, when using "server schannel = yes". @@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.36.0 +2.37.2 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 13:37:26 +0200 -Subject: [PATCH 019/100] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log +Subject: [PATCH 019/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644 return NT_STATUS_OK; } -- -2.36.0 +2.37.2 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:57:22 +0200 -Subject: [PATCH 020/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 020/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644 -- -2.36.0 +2.37.2 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:23:16 +0200 -Subject: [PATCH 021/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 021/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.36.0 +2.37.2 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:42:52 +0200 -Subject: [PATCH 022/100] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log +Subject: [PATCH 022/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644 return NT_STATUS_OK; } -- -2.36.0 +2.37.2 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 17:27:54 +0200 -Subject: [PATCH 023/100] CVE-2020-1472(ZeroLogon): docs-xml: document 'server +Subject: [PATCH 023/101] CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644 + -- -2.36.0 +2.37.2 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 12:39:54 +1200 -Subject: [PATCH 024/100] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty +Subject: [PATCH 024/101] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd Ensure that an empty machine account password can't be set by @@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644 /* now try a random password */ password = generate_random_password(tctx, 8, 255); -- -2.36.0 +2.37.2 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 15:57:34 +1200 -Subject: [PATCH 025/100] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated +Subject: [PATCH 025/101] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge Ensure that client challenges with the first 5 bytes identical are @@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644 } -- -2.36.0 +2.37.2 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 10 Jul 2020 15:09:33 -0700 -Subject: [PATCH 026/100] s4: torture: Add smb2.notify.handle-permissions test. +Subject: [PATCH 026/101] s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. @@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644 suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); -- -2.36.0 +2.37.2 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Jul 2020 18:25:23 -0700 -Subject: [PATCH 027/100] s3: smbd: Ensure change notifies can't get set unless +Subject: [PATCH 027/101] s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. @@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644 DEBUG(1, ("change_notify_create: fsp->notify != NULL, " "fname = %s\n", fsp->fsp_name->base_name)); -- -2.36.0 +2.37.2 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:49:25 +0200 -Subject: [PATCH 028/100] CVE-2020-14323 winbind: Fix invalid lookupsids DoS +Subject: [PATCH 028/101] CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. @@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644 } if (request->extra_data.data[request->extra_len-1] != '\0') { -- -2.36.0 +2.37.2 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:48:57 +0200 -Subject: [PATCH 029/100] CVE-2020-14323 torture4: Add a simple test for +Subject: [PATCH 029/101] CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix @@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644 suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); -- -2.36.0 +2.37.2 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001 From: Laurent Menase Date: Wed, 20 May 2020 12:31:53 +0200 -Subject: [PATCH 030/100] winbind: Fix a memleak +Subject: [PATCH 030/101] winbind: Fix a memleak Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388 Signed-off-by: Laurent Menase @@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644 } -- -2.36.0 +2.37.2 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 13:39:58 +0200 -Subject: [PATCH 031/100] s3:tests: Add test for 'valid users = DOMAIN\%U' +Subject: [PATCH 031/101] s3:tests: Add test for 'valid users = DOMAIN\%U' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467 @@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755 + exit $failed -- -2.36.0 +2.37.2 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 14:12:48 +0200 -Subject: [PATCH 032/100] s3:smbd: Fix %U substitutions if it contains a domain +Subject: [PATCH 032/101] s3:smbd: Fix %U substitutions if it contains a domain name 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer @@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644 if (sharename != NULL) { name = talloc_string_sub(mem_ctx, name, "%S", sharename); -- -2.36.0 +2.37.2 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 Jul 2020 11:48:26 +0200 -Subject: [PATCH 033/100] docs: Fix documentation for require_membership_of of +Subject: [PATCH 033/101] docs: Fix documentation for require_membership_of of pam_winbind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644 -- -2.36.0 +2.37.2 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 17 Jul 2020 12:14:16 +0200 -Subject: [PATCH 034/100] docs: Fix documentation for require_membership_of of +Subject: [PATCH 034/101] docs: Fix documentation for require_membership_of of pam_winbind.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644 This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login). -- -2.36.0 +2.37.2 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 21:05:07 +0300 -Subject: [PATCH 035/100] Fix a typo in recent net man page changes +Subject: [PATCH 035/101] Fix a typo in recent net man page changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644 -- -2.36.0 +2.37.2 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 16 Jun 2020 22:01:49 +0300 -Subject: [PATCH 036/100] selftest: add tests for binary +Subject: [PATCH 036/101] selftest: add tests for binary msDS-AdditionalDnsHostName Like the short names added implicitly by Windows DC. @@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755 rm -f $dedicated_keytab_file -- -2.36.0 +2.37.2 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 16:51:27 +0300 -Subject: [PATCH 037/100] Properly handle msDS-AdditionalDnsHostName returned +Subject: [PATCH 037/101] Properly handle msDS-AdditionalDnsHostName returned from Windows DC Windows DC adds short names for each specified msDS-AdditionalDnsHostName @@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644 DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", machine_name)); -- -2.36.0 +2.37.2 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 20 Jun 2020 17:17:33 +0200 -Subject: [PATCH 038/100] Fix usage of ldap_get_values_len for +Subject: [PATCH 038/101] Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644 return NULL; } -- -2.36.0 +2.37.2 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 15 Dec 2020 15:17:04 +0100 -Subject: [PATCH 039/100] HACK:s3:winbind: Rely on the domain child for online +Subject: [PATCH 039/101] HACK:s3:winbind: Rely on the domain child for online check --- @@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644 /* Handle online/offline messages. */ -- -2.36.0 +2.37.2 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 Sep 2020 16:00:52 +0200 -Subject: [PATCH 040/100] s3:smbd: Use fsp al the talloc memory context +Subject: [PATCH 040/101] s3:smbd: Use fsp al the talloc memory context Somehow the lck pointer gets freed before we call TALLOC_FREE(). @@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644 &mtimespec); -- -2.36.0 +2.37.2 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 12:58:31 +0100 -Subject: [PATCH 041/100] Revert "s3:smbd: Use fsp al the talloc memory +Subject: [PATCH 041/101] Revert "s3:smbd: Use fsp al the talloc memory context" This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49. @@ -3494,13 +3494,13 @@ index 9a24e331ab1..de557f53a20 100644 &mtimespec); -- -2.36.0 +2.37.2 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 22 Jul 2020 22:42:09 -0700 -Subject: [PATCH 042/100] nsswitch/nsstest.c: Avoid nss function conflicts with +Subject: [PATCH 042/101] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h glibc 2.32 will define these varibles [1] which results in conflicts @@ -3597,13 +3597,13 @@ index 6d92806cffc..46f96795f39 100644 static void nss_test_errors(void) -- -2.36.0 +2.37.2 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:30:08 +0100 -Subject: [PATCH 043/100] lib:util: Add basic memcache unit test +Subject: [PATCH 043/101] lib:util: Add basic memcache unit test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3773,13 +3773,13 @@ index e7639c4da27..e3f7d9acb4a 100644 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) plantestsuite("samba.unittests.test_registry_regfio", "none", -- -2.36.0 +2.37.2 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:37:12 +0100 -Subject: [PATCH 044/100] lib:util: Add cache oversize test for memcache +Subject: [PATCH 044/101] lib:util: Add cache oversize test for memcache BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3857,13 +3857,13 @@ index 00000000000..0a74ace3003 @@ -0,0 +1 @@ +^samba.unittests.memcache.torture_memcache_add_oversize -- -2.36.0 +2.37.2 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 2 Feb 2021 18:10:38 +0100 -Subject: [PATCH 045/100] lib:util: Avoid free'ing our own pointer +Subject: [PATCH 045/101] lib:util: Avoid free'ing our own pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3933,13 +3933,13 @@ index 0a74ace3003..00000000000 @@ -1 +0,0 @@ -^samba.unittests.memcache.torture_memcache_add_oversize -- -2.36.0 +2.37.2 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Nov 2020 15:48:08 -0800 -Subject: [PATCH 046/100] s3: spoolss: Make parameters in call to +Subject: [PATCH 046/101] s3: spoolss: Make parameters in call to user_ok_token() match all other uses. We already have p->session_info->unix_info->unix_name, we don't @@ -3973,13 +3973,13 @@ index f32b465afb6..c0f1803c2fa 100644 !W_ERROR_IS_OK(print_access_check(p->session_info, p->msg_ctx, -- -2.36.0 +2.37.2 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 11 Nov 2020 13:42:06 +0100 -Subject: [PATCH 047/100] s3:smbd: Fix possible null pointer dereference in +Subject: [PATCH 047/101] s3:smbd: Fix possible null pointer dereference in token_contains_name() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572 @@ -4009,13 +4009,13 @@ index 0705e197975..64276c79fbe 100644 /* Check if username starts with domain name */ if (domain_len > 0) { -- -2.36.0 +2.37.2 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 20 Feb 2021 15:50:12 +0100 -Subject: [PATCH 048/100] passdb: Simplify sids_to_unixids() +Subject: [PATCH 048/101] passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. @@ -4239,13 +4239,13 @@ index 1bb15ccb8b4..186ba17fda6 100644 } break; -- -2.36.0 +2.37.2 From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Nov 2016 09:12:59 +0100 -Subject: [PATCH 049/100] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to +Subject: [PATCH 049/101] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos @@ -4301,13 +4301,13 @@ index 6ee4929e8d7..a0a1f4baa56 100644 } else { struct tevent_req *subreq = NULL; -- -2.36.0 +2.37.2 From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Oct 2016 10:40:28 +0200 -Subject: [PATCH 050/100] CVE-2016-2124: s3:libsmb: don't fallback to non +Subject: [PATCH 050/101] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] nor plaintext data on the wire if the user @@ -4339,13 +4339,13 @@ index 9bba2665663..9a69d4b7217 100644 /* * SessionSetupAndX was introduced by LANMAN 1.0. So we skip -- -2.36.0 +2.37.2 From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 18 Jan 2020 08:06:45 +0100 -Subject: [PATCH 051/100] s3/auth: use set_current_user_info() in +Subject: [PATCH 051/101] s3/auth: use set_current_user_info() in auth3_generate_session_info_pac() This delays reloading config slightly, but I don't see how could affect @@ -4395,13 +4395,13 @@ index 167d4e00367..0e9c423efef 100644 ntuser, ntdomain, rhost)); -- -2.36.0 +2.37.2 From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Thu, 4 Nov 2021 11:51:08 +0100 -Subject: [PATCH 052/100] selftest: Fix ktest usermap file +Subject: [PATCH 052/101] selftest: Fix ktest usermap file The user was not mapped: @@ -4430,13 +4430,13 @@ index 9e4da0e6a08..2eb5003112e 100755 close(USERMAP); -- -2.36.0 +2.37.2 From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 16:42:00 +0200 -Subject: [PATCH 053/100] selftest/Samba3: replace (winbindd => "yes", +Subject: [PATCH 053/101] selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") This is much more flexible and concentrates the logic in a single place. @@ -4490,13 +4490,13 @@ index 2eb5003112e..bbbefea44b7 100755 do { if ($ret != 0) { -- -2.36.0 +2.37.2 From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Oct 2021 16:20:36 +0200 -Subject: [PATCH 054/100] CVE-2020-25719 CVE-2020-25717: selftest: remove +Subject: [PATCH 054/101] CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -4535,13 +4535,13 @@ index a7a6c4c9587..0f644661176 100755 log level = $ctx->{server_loglevel} lanman auth = Yes -- -2.36.0 +2.37.2 From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 055/100] CVE-2020-25717: s3:winbindd: make sure we default to +Subject: [PATCH 055/101] CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4709,13 +4709,13 @@ index 3245c70bb8e..315eb366a52 100644 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); -- -2.36.0 +2.37.2 From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 056/100] CVE-2020-25717: s4:auth/ntlm: make sure +Subject: [PATCH 056/101] CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4745,13 +4745,13 @@ index 3a3fa7eaa59..f754bd5cd44 100644 ev, auth_ctx, -- -2.36.0 +2.37.2 From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 057/100] CVE-2020-25717: s4:torture: start with authoritative +Subject: [PATCH 057/101] CVE-2020-25717: s4:torture: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4801,13 +4801,13 @@ index c237c82bbe7..72d0bf28fdd 100644 DATA_BLOB names_blob, chal, lm_resp, nt_resp; int i; -- -2.36.0 +2.37.2 From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 058/100] CVE-2020-25717: s4:smb_server: start with +Subject: [PATCH 058/101] CVE-2020-25717: s4:smb_server: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4843,13 +4843,13 @@ index 13f13934412..5e817eecd4b 100644 NTSTATUS status; -- -2.36.0 +2.37.2 From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 059/100] CVE-2020-25717: s4:auth_simple: start with +Subject: [PATCH 059/101] CVE-2020-25717: s4:auth_simple: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4876,13 +4876,13 @@ index fcd9050979d..da8f094a838 100644 NTSTATUS nt_status; -- -2.36.0 +2.37.2 From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 060/100] CVE-2020-25717: s3:ntlm_auth: start with +Subject: [PATCH 060/101] CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4968,13 +4968,13 @@ index 41591a8de33..fc0fc19bacb 100644 uchar lm_key[16]; static const uchar zeros[8] = { 0, }; -- -2.36.0 +2.37.2 From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 061/100] CVE-2020-25717: s3:torture: start with authoritative +Subject: [PATCH 061/101] CVE-2020-25717: s3:torture: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5005,13 +5005,13 @@ index 64bc45e6a7c..48190e78bf8 100644 SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, local_nt_response); -- -2.36.0 +2.37.2 From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 062/100] CVE-2020-25717: s3:rpcclient: start with +Subject: [PATCH 062/101] CVE-2020-25717: s3:rpcclient: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5038,13 +5038,13 @@ index 631740562c6..30fa1ed7816 100644 uint16_t validation_level; union netr_Validation *validation = NULL; -- -2.36.0 +2.37.2 From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 063/100] CVE-2020-25717: s3:auth: start with authoritative = 1 +Subject: [PATCH 063/101] CVE-2020-25717: s3:auth: start with authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5088,13 +5088,13 @@ index a71c75631d7..bf7ccb4348c 100644 nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); if (!NT_STATUS_IS_OK(nt_status)) { -- -2.36.0 +2.37.2 From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 064/100] CVE-2020-25717: auth/ntlmssp: start with +Subject: [PATCH 064/101] CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5121,13 +5121,13 @@ index 140e89daeb1..eebada670be 100644 status = auth_context->check_ntlm_password_recv(subreq, -- -2.36.0 +2.37.2 From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:43:40 +0200 -Subject: [PATCH 065/100] CVE-2020-25717: loadparm: Add new parameter "min +Subject: [PATCH 065/101] CVE-2020-25717: loadparm: Add new parameter "min domain uid" BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -5220,13 +5220,13 @@ index 0db44e92d19..57d1d909099 100644 apply_lp_set_cmdline(); } -- -2.36.0 +2.37.2 From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 19:57:18 +0200 -Subject: [PATCH 066/100] CVE-2020-25717: s3:auth: let +Subject: [PATCH 066/101] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors Mapping everything to ACCESS_DENIED makes it hard to debug problems, @@ -5254,13 +5254,13 @@ index 4ef2270cb34..26a38f92b30 100644 } -- -2.36.0 +2.37.2 From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:45:11 +0200 -Subject: [PATCH 067/100] CVE-2020-25717: s3:auth: Check minimum domain uid +Subject: [PATCH 067/101] CVE-2020-25717: s3:auth: Check minimum domain uid BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 @@ -5301,13 +5301,13 @@ index 8ff20c33759..8801d3f0f0b 100644 result = make_server_info(tmp_ctx); -- -2.36.0 +2.37.2 From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:40:30 +0200 -Subject: [PATCH 068/100] CVE-2020-25717: s3:auth: we should not try to +Subject: [PATCH 068/101] CVE-2020-25717: s3:auth: we should not try to autocreate the guest account We should avoid autocreation of users as much as possible. @@ -5334,13 +5334,13 @@ index 8998f9c8f8a..074e8c7eb71 100644 /* extra sanity check that the guest account is valid */ -- -2.36.0 +2.37.2 From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:08:20 +0200 -Subject: [PATCH 069/100] CVE-2020-25717: s3:auth: no longer let +Subject: [PATCH 069/101] CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users So far we autocreated local user accounts based on just the @@ -5373,13 +5373,13 @@ index 8801d3f0f0b..6ee500493e6 100644 DEBUG(3, ("Failed to find authenticated user %s via " "getpwnam(), denying access.\n", dom_user)); -- -2.36.0 +2.37.2 From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 8 Oct 2021 12:33:16 +0200 -Subject: [PATCH 070/100] CVE-2020-25717: s3:auth: remove fallbacks in +Subject: [PATCH 070/101] CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() So far we tried getpwnam("DOMAIN\account") first and @@ -5517,13 +5517,13 @@ index 6ee500493e6..161e05c2106 100644 /* Create local user if requested but only if winbindd -- -2.36.0 +2.37.2 From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 18:03:55 +0200 -Subject: [PATCH 071/100] CVE-2020-25717: s3:auth: don't let create_local_token +Subject: [PATCH 071/101] CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() We always require a running winbindd on a domain member, so @@ -5562,13 +5562,13 @@ index 161e05c2106..c0e5cfd7fa8 100644 status = create_token_from_username(session_info, server_info->unix_name, -- -2.36.0 +2.37.2 From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 11 Nov 2020 18:50:45 +0200 -Subject: [PATCH 072/100] CVE-2020-25717: Add FreeIPA domain controller role +Subject: [PATCH 072/101] CVE-2020-25717: Add FreeIPA domain controller role As we want to reduce use of 'classic domain controller' role but FreeIPA relies on it internally, add a separate role to mark FreeIPA domain @@ -5975,13 +5975,13 @@ index 51fed4da62b..1f09b721408 100644 return NT_STATUS_INTERNAL_ERROR; case ROLE_DOMAIN_MEMBER: -- -2.36.0 +2.37.2 From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:11:57 +0200 -Subject: [PATCH 073/100] CVE-2020-25717: auth/gensec: always require a PAC in +Subject: [PATCH 073/101] CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set @@ -6045,13 +6045,13 @@ index e185acc0c20..694661b53b5 100644 DBG_NOTICE("Unable to find PAC for %s, resorting to local " "user lookup\n", principal_string); -- -2.36.0 +2.37.2 From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 11 Oct 2021 23:17:19 +0200 -Subject: [PATCH 074/100] CVE-2020-25717: s4:auth: remove unused +Subject: [PATCH 074/101] CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() We'll require a PAC at the main gensec layer already. @@ -6189,13 +6189,13 @@ index fb88cb87f66..a8c7d8b4b85 100644 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); -- -2.36.0 +2.37.2 From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:27:28 +0200 -Subject: [PATCH 075/100] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in +Subject: [PATCH 075/101] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -6263,13 +6263,13 @@ index 3f70732a837..fefdd32bf11 100644 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); } -- -2.36.0 +2.37.2 From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:44:01 +0200 -Subject: [PATCH 076/100] CVE-2020-25717: s3:ntlm_auth: let +Subject: [PATCH 076/101] CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only @@ -6405,13 +6405,13 @@ index fefdd32bf11..ff2fd30a9ae 100644 if (!unixuser) { status = NT_STATUS_NO_MEMORY; -- -2.36.0 +2.37.2 From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 19:42:20 +0200 -Subject: [PATCH 077/100] CVE-2020-25717: s3:auth: let +Subject: [PATCH 077/101] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() @@ -6726,13 +6726,13 @@ index 26a38f92b30..3099e8f9057 100644 status = NT_STATUS_OK; -- -2.36.0 +2.37.2 From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 17:14:01 +0200 -Subject: [PATCH 078/100] CVE-2020-25717: selftest: configure 'ktest' env with +Subject: [PATCH 078/101] CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid The 'ktest' environment was/is designed to test kerberos in an active @@ -6777,13 +6777,13 @@ index bbbefea44b7..7034127ef0b 100755 } return $ret; -- -2.36.0 +2.37.2 From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:12:49 +0200 -Subject: [PATCH 079/100] CVE-2020-25717: s3:auth: let +Subject: [PATCH 079/101] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode We should be strict in standalone mode, that we only support MIT realms @@ -6862,13 +6862,13 @@ index 3099e8f9057..23f746c078e 100644 if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", -- -2.36.0 +2.37.2 From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:59:59 +0200 -Subject: [PATCH 080/100] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 080/101] CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument This code is only every called in standalone mode on a MIT realm, @@ -7012,13 +7012,13 @@ index 074e8c7eb71..7b69ca6c222 100644 bool *mapped_to_guest, char **ntuser, -- -2.36.0 +2.37.2 From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:03:04 +0200 -Subject: [PATCH 081/100] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 081/101] CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments This is only ever be called in standalone mode with an MIT realm, @@ -7115,13 +7115,13 @@ index 7b69ca6c222..b8f37cbeee0 100644 { return NT_STATUS_NOT_IMPLEMENTED; -- -2.36.0 +2.37.2 From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:39:19 +1200 -Subject: [PATCH 082/100] krb5pac.idl: Add ticket checksum PAC buffer type +Subject: [PATCH 082/101] krb5pac.idl: Add ticket checksum PAC buffer type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7155,13 +7155,13 @@ index f27e7243ee4..711b7f94b6c 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.36.0 +2.37.2 From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:40:59 +1200 -Subject: [PATCH 083/100] security.idl: Add well-known SIDs for FAST +Subject: [PATCH 083/101] security.idl: Add well-known SIDs for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7187,13 +7187,13 @@ index 5930f448955..e6065a35691 100644 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ -- -2.36.0 +2.37.2 From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:15:26 +1300 -Subject: [PATCH 084/100] krb5pac.idl: Add missing buffer type values +Subject: [PATCH 084/101] krb5pac.idl: Add missing buffer type values BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7219,13 +7219,13 @@ index 711b7f94b6c..141894ec5f1 100644 } PAC_TYPE; -- -2.36.0 +2.37.2 From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:38 +1300 -Subject: [PATCH 085/100] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO +Subject: [PATCH 085/101] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7276,13 +7276,13 @@ index 141894ec5f1..4bfec2de5e6 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.36.0 +2.37.2 From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:49 +1300 -Subject: [PATCH 086/100] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC +Subject: [PATCH 086/101] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7327,13 +7327,13 @@ index 4bfec2de5e6..f750359a069 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.36.0 +2.37.2 From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 27 Sep 2021 11:20:19 +1300 -Subject: [PATCH 087/100] CVE-2020-25721 krb5pac: Add new buffers for +Subject: [PATCH 087/101] CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set. @@ -7414,13 +7414,13 @@ index a9ae2c4a789..57b28df9e52 100644 NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); -- -2.36.0 +2.37.2 From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 12 Nov 2021 19:06:01 +0200 -Subject: [PATCH 088/100] IPA DC: add missing checks +Subject: [PATCH 088/101] IPA DC: add missing checks When introducing FreeIPA support, two places were forgotten: @@ -7466,13 +7466,13 @@ index 57bfc596005..3f77856457e 100644 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); if (!sid) { -- -2.36.0 +2.37.2 From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Nov 2021 15:27:58 +0100 -Subject: [PATCH 089/100] CVE-2020-25717: idmap_nss: verify that the name of +Subject: [PATCH 089/101] CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain We already check the sid belongs to the domain, but checking the name @@ -7558,13 +7558,13 @@ index 3fe98cbc729..243b67ccafd 100644 } return NT_STATUS_OK; -- -2.36.0 +2.37.2 From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 12 Nov 2021 20:53:30 +1300 -Subject: [PATCH 090/100] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non +Subject: [PATCH 090/101] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 @@ -7591,13 +7591,13 @@ index 46f96795f39..8ce7493d1b6 100644 total_errors++; printf("ERROR Non existent uid gave error %d\n", last_error); -- -2.36.0 +2.37.2 From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 12 Nov 2021 16:10:31 +1300 -Subject: [PATCH 091/100] CVE-2020-25717: s3:auth: Fallback to a SID/UID based +Subject: [PATCH 091/101] CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -7707,13 +7707,13 @@ index c0e5cfd7fa8..b463059f259 100644 &pwd, &username_was_mapped); -- -2.36.0 +2.37.2 From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 10:57:17 +0100 -Subject: [PATCH 092/100] CVE-2020-25717: s3-auth: fix MIT Realm regression +Subject: [PATCH 092/101] CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. @@ -7770,13 +7770,13 @@ index b8f37cbeee0..169bf563368 100644 if (!unixuser) { return NT_STATUS_NO_MEMORY; -- -2.36.0 +2.37.2 From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 16:48:01 +0100 -Subject: [PATCH 093/100] CVE-2021-44142: libadouble: add defines for icon +Subject: [PATCH 093/101] CVE-2021-44142: libadouble: add defines for icon lengths From https://www.ietf.org/rfc/rfc1740.txt @@ -7802,13 +7802,13 @@ index afad70ce180..3a35620bfe4 100644 #define ADEDLEN_PRIVDEV 8 #define ADEDLEN_PRIVINO 8 -- -2.36.0 +2.37.2 From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 20 Nov 2021 16:36:42 +0100 -Subject: [PATCH 094/100] CVE-2021-44142: smbd: add Netatalk xattr used by +Subject: [PATCH 094/101] CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs This is an internal xattr that should not be user visible. @@ -7851,13 +7851,13 @@ index f8d987bbe63..406087c0419 100644 }; -- -2.36.0 +2.37.2 From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 07:19:32 +0100 -Subject: [PATCH 095/100] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() +Subject: [PATCH 095/101] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC, which is used for parsing ._ AppleDouble sidecar files, and the buffer @@ -7921,13 +7921,13 @@ index 3a35620bfe4..76139e51047 100644 } -- -2.36.0 +2.37.2 From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 25 Nov 2021 15:04:03 +0100 -Subject: [PATCH 096/100] CVE-2021-44142: libadouble: add basic cmocka tests +Subject: [PATCH 096/101] CVE-2021-44142: libadouble: add basic cmocka tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8377,13 +8377,13 @@ index 26e251f442a..5230ae32934 100644 source='smbd/server.c smbd/smbd_cleanupd.c', deps=''' -- -2.36.0 +2.37.2 From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 17:03:02 +0100 -Subject: [PATCH 097/100] CVE-2021-44142: libadouble: harden parsing code +Subject: [PATCH 097/101] CVE-2021-44142: libadouble: harden parsing code BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8545,13 +8545,13 @@ index 76139e51047..17e97d15bdb 100644 } -- -2.36.0 +2.37.2 From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 15:48:29 -0700 -Subject: [PATCH 098/100] winbind: Only use unixid2sid mapping when module +Subject: [PATCH 098/101] winbind: Only use unixid2sid mapping when module reports ID_MAPPED Only consider a mapping to be valid when the idmap module reports @@ -8585,13 +8585,13 @@ index 0842241e02e..94331163006 100644 TALLOC_FREE(maps); -- -2.36.0 +2.37.2 From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 16:01:13 -0700 -Subject: [PATCH 099/100] idmap_rfc2307: Do not return SID from unixids_to_sids +Subject: [PATCH 099/101] idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch The call to winbind_lookup_name already wrote the result in the id_map @@ -8654,13 +8654,13 @@ index 94331163006..34375b3858f 100644 } -- -2.36.0 +2.37.2 From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 16:07:54 -0700 -Subject: [PATCH 100/100] idmap_nss: Do not return SID from unixids_to_sids on +Subject: [PATCH 100/101] idmap_nss: Do not return SID from unixids_to_sids on type mismatch The call to winbind_lookup_name already wrote the result in the id_map @@ -8722,5 +8722,41 @@ index 243b67ccafd..e4bf1923786 100644 } break; -- -2.36.0 +2.37.2 + + +From 4ef3d95fb680cf278e68b6794459ff7bce1489aa Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 23 Nov 2021 15:48:57 +0100 +Subject: [PATCH 101/101] s3:winbind: Fix possible NULL pointer dereference + +BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888 + +Signed-off-by: Andreas Schneider +Rewiewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Mon Nov 29 19:40:50 UTC 2021 on sn-devel-184 + +(cherry picked from commit cbf312f02bc86f9325fb89f6f5441bc61fd3974f) +--- + source3/winbindd/winbindd_util.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 04e79e70f6b..d1bd81b2372 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -1691,6 +1691,9 @@ char *fill_domain_username_talloc(TALLOC_CTX *mem_ctx, + } + + tmp_user = talloc_strdup(mem_ctx, user); ++ if (tmp_user == NULL) { ++ return NULL; ++ } + if (!strlower_m(tmp_user)) { + TALLOC_FREE(tmp_user); + return NULL; +-- +2.37.2 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 3f39602..fe0f452 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 19 +%define main_release 20 %define samba_version 4.10.16 %define talloc_version 2.1.16 @@ -3305,6 +3305,9 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Tue Aug 30 2022 Andreas Schneider - 4.10.16-20 +- resolves: #2119058 - Fix possible segfault in winbind + * Tue May 10 2022 Andreas Schneider - 4.10.16-19 - resolves: #2081649 - Fix idmap_rfc2307 and idmap_nss returning wrong mapping for uid/gid conflict