diff --git a/.gitignore b/.gitignore index 0db09e0..41cd890 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.14.5.tar.xz +SOURCES/samba-4.15.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 707bb47..b1ff8f6 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -46925b3ed9f63b1b936f2271253fdccccbf1575f SOURCES/samba-4.14.5.tar.xz +f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4-15-fix-autorid.patch b/SOURCES/samba-4-15-fix-autorid.patch new file mode 100644 index 0000000..f63464c --- /dev/null +++ b/SOURCES/samba-4-15-fix-autorid.patch @@ -0,0 +1,231 @@ +From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:06:30 +0100 +Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f) +--- + source3/winbindd/idmap_autorid.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c +index ad53b5810ee..c7d56a37684 100644 +--- a/source3/winbindd/idmap_autorid.c ++++ b/source3/winbindd/idmap_autorid.c +@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom) + config->maxranges = (dom->high_id - dom->low_id + 1) / + config->rangesize; + +- if (config->maxranges == 0) { +- DEBUG(1, ("Allowed uid range is smaller than rangesize. " +- "Increase uid range or decrease rangesize.\n")); ++ if (config->maxranges < 2) { ++ DBG_WARNING("Allowed idmap range is not a least double the " ++ "size of the rangesize. Please increase idmap " ++ "range.\n"); + status = NT_STATUS_INVALID_PARAMETER; + goto error; + } +-- +2.35.1 + + +From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:07:50 +0100 +Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4) +--- + source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 98bcc219b1e..58ba46bc15f 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string, + return false; /* Keep scanning */ + } + ++static int idmap_config_int(const char *domname, const char *option, int def) ++{ ++ int len = snprintf(NULL, 0, "idmap config %s", domname); ++ ++ if (len == -1) { ++ return def; ++ } ++ { ++ char config_option[len+1]; ++ snprintf(config_option, sizeof(config_option), ++ "idmap config %s", domname); ++ return lp_parm_int(-1, config_option, option, def); ++ } ++} ++ + static bool do_idmap_check(void) + { + struct idmap_domains *d; +@@ -157,6 +172,42 @@ static bool do_idmap_check(void) + rc); + } + ++ /* Check autorid backend */ ++ if (strequal(lp_idmap_default_backend(), "autorid")) { ++ struct idmap_config *c = NULL; ++ bool found = false; ++ ++ for (i = 0; i < d->count; i++) { ++ c = &d->c[i]; ++ ++ if (strequal(c->backend, "autorid")) { ++ found = true; ++ break; ++ } ++ } ++ ++ if (found) { ++ uint32_t rangesize = ++ idmap_config_int("*", "rangesize", 100000); ++ uint32_t maxranges = ++ (c->high - c->low + 1) / rangesize; ++ ++ if (maxranges < 2) { ++ fprintf(stderr, ++ "ERROR: The idmap autorid range " ++ "[%u-%u] needs to be at least twice as " ++ "big as the rangesize [%u]!" ++ "\n\n", ++ c->low, ++ c->high, ++ rangesize); ++ ok = false; ++ goto done; ++ } ++ } ++ } ++ ++ /* Check for overlapping idmap ranges */ + for (i = 0; i < d->count; i++) { + struct idmap_config *c = &d->c[i]; + uint32_t j; +-- +2.35.1 + + +From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 1 Feb 2022 10:05:19 +0100 +Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation + +What we want to avoid: + +$ ./bin/testparm -s | grep "idmap config" + idmap config * : rangesize = 10000 + idmap config * : range = 10000-19999 + idmap config * : backend = autorid + +$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators +S-1-5-32-544 SID_ALIAS (4) + +$ ./bin/wbinfo --sid-to-gid S-1-5-32-544 +10000 + +$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice +S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1) + +$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107 +failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND +Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid + +If only one range is configured we are either not able to map users/groups +from our primary *and* the BUILTIN domain. We need at least two ranges to also +cover the BUILTIN domain! + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de) +--- + docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml +index 6c4da1cad8a..980718f0bd4 100644 +--- a/docs-xml/manpages/idmap_autorid.8.xml ++++ b/docs-xml/manpages/idmap_autorid.8.xml +@@ -48,7 +48,13 @@ + and the corresponding map is discarded. It is + intended as a way to avoid accidental UID/GID + overlaps between local and remotely defined +- IDs. ++ IDs. Note that the range should be a multiple ++ of the rangesize and needs to be at least twice ++ as large in order to have sufficient id range ++ space for the mandatory BUILTIN domain. ++ With a default rangesize of 100000 the range ++ needs to span at least 200000. ++ This would be: range = 100000 - 299999. + + + +-- +2.35.1 + diff --git a/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch new file mode 100644 index 0000000..93c2caa --- /dev/null +++ b/SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch @@ -0,0 +1,411 @@ +From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 12:59:44 +0100 +Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error + path + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111) +--- + source3/libads/authdata.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index dd21d895fc2..c048510d480 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + { + krb5_error_code ret; + NTSTATUS status = NT_STATUS_INVALID_PARAMETER; +- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; ++ DATA_BLOB tkt = data_blob_null; ++ DATA_BLOB tkt_wrapped = data_blob_null; ++ DATA_BLOB ap_rep = data_blob_null; ++ DATA_BLOB sesskey1 = data_blob_null; + const char *auth_princ = NULL; + const char *cc = "MEMORY:kerberos_return_pac"; + struct auth_session_info *session_info; +@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + ZERO_STRUCT(sesskey1); + + if (!name || !pass) { +- return NT_STATUS_INVALID_PARAMETER; ++ status = NT_STATUS_INVALID_PARAMETER; ++ goto out; + } + + if (cache_name) { +@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + + if (expire_time && renew_till_time && + (*expire_time == 0) && (*renew_till_time == 0)) { +- return NT_STATUS_INVALID_LOGON_TYPE; ++ status = NT_STATUS_INVALID_LOGON_TYPE; ++ goto out; + } + + ret = ads_krb5_cli_get_ticket(mem_ctx, +-- +2.35.1 + + +From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:00:05 +0100 +Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug + macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865) +--- + lib/krb5_wrap/krb5_samba.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..42d4b950f80 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + goto done; + } + +- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string)); ++ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string); + + /* FIXME: we should not fall back to defaults */ + ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache); +-- +2.35.1 + + +From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:28 +0100 +Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer + debug macro + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a) +--- + lib/krb5_wrap/krb5_samba.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 42d4b950f80..76c2dcd2126 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, + + ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string)); + if (ret) { +- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret))); ++ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' " ++ "for client '%s' and service '%s' failed: %s\n", ++ ccache_string, client_string, service_string, ++ error_message(ret)); + goto done; + } + +-- +2.35.1 + + +From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:08:56 +0100 +Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from + kerberos_return_pac() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f) +--- + source3/libads/authdata.c | 22 +++++++++++++++++++++- + source3/libads/kerberos_proto.h | 2 ++ + source3/utils/net_ads.c | 2 ++ + source3/winbindd/winbindd_pam.c | 2 ++ + 4 files changed, 27 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c +index c048510d480..bf9a2335445 100644 +--- a/source3/libads/authdata.c ++++ b/source3/libads/authdata.c +@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **_pac_data_ctr) + { + krb5_error_code ret; +@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + struct auth4_context *auth_context; + struct loadparm_context *lp_ctx; + struct PAC_DATA_CTR *pac_data_ctr = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); +@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + goto out; + } + ++ if (_canon_principal != NULL) { ++ *_canon_principal = NULL; ++ } ++ ++ if (_canon_realm != NULL) { ++ *_canon_realm = NULL; ++ } ++ + if (cache_name) { + cc = cache_name; + } +@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + request_pac, + add_netbios_addr, + renewable_time, +- NULL, NULL, NULL, ++ tmp_ctx, ++ &canon_principal, ++ &canon_realm, + &status); + if (ret) { + DEBUG(1,("kinit failed for '%s' with: %s (%d)\n", +@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + } + + *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); ++ if (_canon_principal != NULL) { ++ *_canon_principal = talloc_move(mem_ctx, &canon_principal); ++ } ++ if (_canon_realm != NULL) { ++ *_canon_realm = talloc_move(mem_ctx, &canon_realm); ++ } + + out: + talloc_free(tmp_ctx); +diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h +index 3d7b5bc074b..807381248c8 100644 +--- a/source3/libads/kerberos_proto.h ++++ b/source3/libads/kerberos_proto.h +@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, + time_t renewable_time, + const char *impersonate_princ_s, + const char *local_service, ++ char **_canon_principal, ++ char **_canon_realm, + struct PAC_DATA_CTR **pac_data_ctr); + + /* The following definitions come from libads/krb5_setpw.c */ +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 8f993f9ba4c..c41fb0afe9c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch + 2592000, /* one month */ + impersonate_princ_s, + local_service, ++ NULL, ++ NULL, + pac_data_ctr); + if (!NT_STATUS_IS_OK(status)) { + d_printf(_("failed to query kerberos PAC: %s\n"), +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 7606bfb4ecd..025a5cbc111 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, ++ NULL, ++ NULL, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +-- +2.35.1 + + +From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 13:19:02 +0100 +Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache + entry + +They will be used later to refresh the tickets. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b) +--- + source3/winbindd/winbindd.h | 2 ++ + source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++- + source3/winbindd/winbindd_pam.c | 14 ++++++++++---- + source3/winbindd/winbindd_proto.h | 4 +++- + 4 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h +index a6b2238cec1..dac4a1fa927 100644 +--- a/source3/winbindd/winbindd.h ++++ b/source3/winbindd/winbindd.h +@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY { + const char *service; + const char *username; + const char *realm; ++ const char *canon_principal; ++ const char *canon_realm; + struct WINBINDD_MEMORY_CREDS *cred_ptr; + int ref_count; + uid_t uid; +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index c3077e21989..88847b1ab97 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request) ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm) + { + struct WINBINDD_CCACHE_ENTRY *entry = NULL; + struct timeval t; +@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + goto no_mem; + } + } ++ if (canon_principal != NULL) { ++ entry->canon_principal = talloc_strdup(entry, canon_principal); ++ if (entry->canon_principal == NULL) { ++ goto no_mem; ++ } ++ } ++ if (canon_realm != NULL) { ++ entry->canon_realm = talloc_strdup(entry, canon_realm); ++ if (entry->canon_realm == NULL) { ++ goto no_mem; ++ } ++ } + + entry->ccname = talloc_strdup(entry, ccname); + if (!entry->ccname) { +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 025a5cbc111..a24cef78440 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + const char *local_service; + uint32_t i; + struct netr_SamInfo6 *info6_copy = NULL; ++ char *canon_principal = NULL; ++ char *canon_realm = NULL; + bool ok; + + *info6 = NULL; +@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + local_service, +- NULL, +- NULL, ++ &canon_principal, ++ &canon_realm, + &pac_data_ctr); + if (user_ccache_file != NULL) { + gain_root_privilege(); +@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, + time(NULL), + ticket_lifetime, + renewal_until, +- false); ++ false, ++ canon_principal, ++ canon_realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n", +@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, + time(NULL), + time(NULL) + lp_winbind_cache_time(), + time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, +- true); ++ true, ++ principal_s, ++ realm); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(10,("winbindd_dual_pam_auth_cached: failed " +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index c0d653a6d77..16c23f3de40 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name, + time_t create_time, + time_t ticket_end, + time_t renew_until, +- bool postponed_request); ++ bool postponed_request, ++ const char *canon_principal, ++ const char *canon_realm); + NTSTATUS remove_ccache(const char *username); + struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username); + NTSTATUS winbindd_add_memory_creds(const char *username, +-- +2.35.1 + + +From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 22 Feb 2022 14:28:44 +0100 +Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the + credentials + +The principal name stored in the winbindd ccache entry might be an +enterprise principal name if enterprise principals are enabled. Use +the canonical name to renew the credentials. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27) +--- + source3/winbindd/winbindd_cred_cache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c +index 88847b1ab97..6c65db6a73f 100644 +--- a/source3/winbindd/winbindd_cred_cache.c ++++ b/source3/winbindd/winbindd_cred_cache.c +@@ -209,7 +209,7 @@ rekinit: + set_effective_uid(entry->uid); + + ret = smb_krb5_renew_ticket(entry->ccname, +- entry->principal_name, ++ entry->canon_principal, + entry->service, + &new_start); + #if defined(DEBUG_KRB5_TKT_RENEWAL) +-- +2.35.1 + diff --git a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch b/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch deleted file mode 100644 index de8d813..0000000 --- a/SOURCES/samba-4.14-raise-dfs-enoent-debug-level.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 4b192aaf503ea7f5eba27b6e43edcfe54ac6c5a6 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 26 May 2021 15:04:08 +0200 -Subject: [PATCH] s3:modules: Reduce debug level if file doesn't exists on dfs - share - -There is software out there trying to open desktop.ini in every -directory. Avoid spamming the logs with error messages. - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Fri Jun 18 18:14:11 UTC 2021 on sn-devel-184 - -(cherry picked from commit 4079efae76718a84a4cf24b6613cdc53cdb2dd39) ---- - source3/modules/vfs_default.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index 8d592bbad64..ea036b24ddf 100644 ---- a/source3/modules/vfs_default.c -+++ b/source3/modules/vfs_default.c -@@ -476,10 +476,17 @@ static NTSTATUS vfswrap_read_dfs_pathat(struct vfs_handle_struct *handle, - status = NT_STATUS_OBJECT_TYPE_MISMATCH; - } else { - status = map_nt_error_from_unix(errno); -- DBG_ERR("Error reading " -- "msdfs link %s: %s\n", -- smb_fname->base_name, -- strerror(errno)); -+ if (errno == ENOENT) { -+ DBG_NOTICE("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } else { -+ DBG_ERR("Error reading " -+ "msdfs link %s: %s\n", -+ smb_fname->base_name, -+ strerror(errno)); -+ } - } - goto err; - } --- -2.31.1 - diff --git a/SOURCES/samba-4.14.5.tar.asc b/SOURCES/samba-4.14.5.tar.asc deleted file mode 100644 index 24e5294..0000000 --- a/SOURCES/samba-4.14.5.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmC14EsACgkQqplEL7aA -tiDWUA//b0Dj/dJozZY/Q6OI9UjPNL9nvPGqpKF0Sl2sW5jO1KWdcq1OZk+H6eO5 -gaX9nuH8Qo/IMxVRIPZVW6lXwsLzSdAOhwPAV02D/feSNfuld078v5yN1My2x6gH -tmfEVXZJjNkObhLDz0Wgq3mxxKvwxSM4+q2SI9p2/Yk32+oT1l/EWT3WZRNa/I1x -MF8nr8p5BktPw7tQoITG/JhkWudfkPpvVA3LJYl+F0rjubMA3C3btvDNquPaNXQ0 -Jr0nOt8+OKpsrtBb6ED0su7CWqbHHjc7lTKLepruqnHzllk5/Tcsu6APVRb8qjim -B2ElieWYJKQ7vBchjuSw/3ufqOsJdvckO4znGM1bUFDnCV0DDOXPE/U5QmjcoQqE -kJ36m53WnGCHR3JbL+rSjrB1m0ip8tViNraV+Ch2sXNlNvKYPNNo3cgX62nnDWJz -aLlncx0W1LpZ8mhYVv0AvdoVKBDygzxheye8Fssz3Wz5RDzZ6Vm0AoJwBm+G8v1k -u0MXMyvBv1KLpBLL27PJm2m7r6KIDB0v9PuLK5iF107omkSWfY/lMLQR2UFph8oH -uCwV5PiEy/ecBhBfo3KzUG5yJLBBayYB2vGcXJh4yRpAByppFbpo3csr6UZSEsU8 -iImmN97Tg3QVd/FTn9qRiQ15NxzWC0XCE1glY87KqqC5kl5Lk9Y= -=i6jp ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc new file mode 100644 index 0000000..4e31e62 --- /dev/null +++ b/SOURCES/samba-4.15.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA +tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX +KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9 +j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt +b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY +0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v +/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj ++rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9 +g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y +5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ +f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB +OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo= +=oc6g +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-ctdb-etcd-reclock.patch b/SOURCES/samba-ctdb-etcd-reclock.patch new file mode 100644 index 0000000..2a55408 --- /dev/null +++ b/SOURCES/samba-ctdb-etcd-reclock.patch @@ -0,0 +1,30 @@ +From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001 +From: Martin Schwenke +Date: Tue, 27 Apr 2021 15:46:14 +1000 +Subject: [PATCH] utils: Use Python 3 + +Due to the number of flake8 and pylint warnings it is unclear if the +source has Python 3 incompatibilities. These will be cleaned up in +subsequent commits. + +Signed-off-by: "L.P.H. van Belle" +Reviewed-by: Martin Schwenke +Reviewed-by: David Disseldorp +Reviewed-by: Jose A. Rivera +--- + ctdb/utils/etcd/ctdb_etcd_lock | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock +index 000c6bb7208..7f5194eff0a 100755 +--- a/ctdb/utils/etcd/ctdb_etcd_lock ++++ b/ctdb/utils/etcd/ctdb_etcd_lock +@@ -1,4 +1,4 @@ +-#!/usr/bin/python ++#!/usr/bin/env python3 + # + # This program is free software: you can redistribute it and/or modify + # it under the terms of the GNU General Public License as published by +-- +2.31.1 + diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch new file mode 100644 index 0000000..d80e85b --- /dev/null +++ b/SOURCES/samba-disable-ntlmssp.patch @@ -0,0 +1,764 @@ +From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 10 Dec 2021 16:08:04 +0100 +Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) +--- + source3/utils/net_ads.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 6ab4a0096b1..8f993f9ba4c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, + char *cp; + const char *realm = NULL; + bool tried_closest_dc = false; ++ enum credentials_use_kerberos krb5_state = ++ CRED_USE_KERBEROS_DISABLED; + + /* lp_realm() should be handled by a command line param, + However, the join requires that realm be set in smb.conf +@@ -650,10 +652,28 @@ retry: + ads->auth.password = smb_xstrdup(c->opt_password); + } + +- ads->auth.flags |= auth_flags; + SAFE_FREE(ads->auth.user_name); + ads->auth.user_name = smb_xstrdup(c->opt_user_name); + ++ ads->auth.flags |= auth_flags; ++ ++ /* The ADS code will handle FIPS mode */ ++ krb5_state = cli_credentials_get_kerberos_state(c->creds); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } ++ + /* + * If the username is of the form "name@realm", + * extract the realm and convert to upper case. +-- +2.33.1 + + +From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 8 Dec 2021 16:05:17 +0100 +Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 60fa2bf80cb..b91e2d15bcf 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -1,18 +1,18 @@ +-/* ++/* + Unix SMB/CIFS implementation. + ads sasl code + Copyright (C) Andrew Tridgell 2001 +- ++ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. +- ++ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. +- ++ + You should have received a copy of the GNU General Public License + along with this program. If not, see . + */ +@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { + .disconnect = ads_sasl_gensec_disconnect + }; + +-/* ++/* + perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can + we fit on one socket??) + */ +@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, + + #endif /* HAVE_KRB5 */ + +-/* ++/* + this performs a SASL/SPNEGO bind + */ + static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) +@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + file_save("sasl_spnego.dat", blob.data, blob.length); + #endif + +- /* the server sent us the first part of the SPNEGO exchange in the negprot ++ /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || + OIDs[0] == NULL) { +@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + #ifdef HAVE_KRB5 + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && +- got_kerberos_mechanism) ++ got_kerberos_mechanism) + { + mech = "KRB5"; + +@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + "calling kinit\n", ads_errstr(status))); + } + +- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); ++ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + } + + /* only fallback to NTLMSSP if allowed */ +- if (ADS_ERR_OK(status) || ++ if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { + goto done; + } +@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + #endif + + /* lets do NTLMSSP ... this has the big advantage that we don't need +- to sync clocks, and we don't rely on special versions of the krb5 ++ to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +-- +2.33.1 + + +From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 9 Dec 2021 13:43:08 +0100 +Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) +--- + source3/libads/sasl.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index b91e2d15bcf..992f7022a69 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " + "for %s/%s with user[%s] realm[%s]: %s, " +- "fallback to NTLMSSP\n", ++ "try to fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; ++ ++ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { ++ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" ++ " disallowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_DISABLED, + p.service, p.hostname, +-- +2.33.1 + + +From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 7 Jan 2022 10:31:19 +0100 +Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 992f7022a69..ea98aa47ecd 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + p.service, p.hostname, + blob); + if (!ADS_ERR_OK(status)) { +- DEBUG(0,("kinit succeeded but " +- "ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s\n", ++ DBG_ERR("kinit succeeded but " ++ "SPNEGO bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +- ads_errstr(status))); ++ ads_errstr(status)); + } + } + +@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + goto done; + } + +- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s, " +- "try to fallback to NTLMSSP\n", +- p.service, p.hostname, +- ads->auth.user_name, +- ads->auth.realm, +- ads_errstr(status))); ++ DBG_WARNING("SASL bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s, " ++ "try to fallback to NTLMSSP\n", ++ p.service, p.hostname, ++ ads->auth.user_name, ++ ads->auth.realm, ++ ads_errstr(status)); + } + #endif + +-- +2.33.1 + + +From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 11:13:06 +0100 +Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds + without kerberos) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) +--- + source3/libads/sasl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index ea98aa47ecd..1bcfe0490a8 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + ++ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { ++ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" + " disallowed.\n"); +-- +2.33.1 + + +From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 15:33:46 +0100 +Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) +--- + .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ + 1 file changed, 41 insertions(+) + create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh + +diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +new file mode 100755 +index 00000000000..2822ab29d14 +--- /dev/null ++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# Blackbox tests for diabing NTLMSSP for ldap clinet connections ++# Copyright (c) 2022 Pavel Filipenský ++ ++if [ $# -lt 2 ]; then ++cat <&1 || failed=`expr $failed + 1` ++ ++# We should be allowed to use NTLM for connecting ++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++GNUTLS_FORCE_FIPS_MODE=1 ++export GNUTLS_FORCE_FIPS_MODE ++ ++# Checks that testparm reports: Weak crypto is disallowed ++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` ++ ++# We should not be allowed to use NTLM for connecting ++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++unset GNUTLS_FORCE_FIPS_MODE ++ ++exit $failed +-- +2.33.1 + + +From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 4 Jan 2022 12:00:20 +0100 +Subject: [PATCH 07/10] s4:selftest: plan test suite + samba4.blackbox.test_weak_disable_ntlmssp_ldap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) +--- + source4/selftest/tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index 1e4b2ae6dd3..3a6a716f061 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo + + if have_gnutls_fips_mode_support: + plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) ++ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) + + for env in ["ad_dc_fips", "ad_member_fips"]: + plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) +-- +2.33.1 + + +From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:47:38 +0100 +Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) +--- + source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 948c903f165..e415df347e6 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user_list: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * According to Section 5.1(4) of RFC 2251 if a value of a type is it's + * default value, it MUST be absent. In case of extensible matching the + * "dnattr" boolean defaults to FALSE and so it must be only be present +- * when set to TRUE. ++ * when set to TRUE. + * + * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a + * filter using bitwise matching rule then the buggy AD fails to decode +@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * + * Thanks to Ralf Haferkamp for input and testing - Guenther */ + +- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", ++ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", + ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, +- ADS_LDAP_MATCHING_RULE_BIT_AND, ++ ADS_LDAP_MATCHING_RULE_BIT_AND, + enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); + + if (filter == NULL) { +@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); + + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + struct wb_acct_info **info) + { + /* +- * This is a stub function only as we returned the domain ++ * This is a stub function only as we returned the domain + * local groups in enum_dom_groups() if the domain->native field + * was true. This is a simple performance optimization when + * using LDAP. + * +- * if we ever need to enumerate domain local groups separately, ++ * if we ever need to enumerate domain local groups separately, + * then this optimization in enum_dom_groups() will need + * to be split out + */ +@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, + tokenGroups are not available. */ + static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, +- const char *user_dn, ++ const char *user_dn, + struct dom_sid *primary_group, + uint32_t *p_num_groups, struct dom_sid **user_sids) + { +@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + if (count != 1) { + status = NT_STATUS_UNSUCCESSFUL; + DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " +- "invalid number of results (count=%d)\n", ++ "invalid number of results (count=%d)\n", + dom_sid_str_buf(sid, &buf), + count)); + goto done; + } + + if (!msg) { +- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", ++ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", + dom_sid_str_buf(sid, &buf))); + status = NT_STATUS_UNSUCCESSFUL; + goto done; +@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + } + + if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { +- DEBUG(1,("%s: No primary group for sid=%s !?\n", ++ DEBUG(1,("%s: No primary group for sid=%s !?\n", + domain->name, + dom_sid_str_buf(sid, &buf))); + goto done; +@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + + count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); + +- /* there must always be at least one group in the token, ++ /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ + + /* actually this only happens when the machine account has no read +@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + /* lookup what groups this user is a member of by DN search on + * "member" */ + +- status = lookup_usergroups_member(domain, mem_ctx, user_dn, ++ status = lookup_usergroups_member(domain, mem_ctx, user_dn, + &primary_group, + &num_groups, user_sids); + *p_num_groups = num_groups; +@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " + "not map any SIDs at all.\n")); + /* Don't handle this as an error here. +- * There is nothing left to do with respect to the ++ * There is nothing left to do with respect to the + * overall result... */ + } + else if (!NT_STATUS_IS_OK(status)) { +@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, + NETR_TRUST_FLAG_IN_FOREST; + } else { + flags = NETR_TRUST_FLAG_IN_FOREST; +- } ++ } + + result = cm_connect_netlogon(domain, &cli); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(5, ("trusted_domains: Could not open a connection to %s " +- "for PIPE_NETLOGON (%s)\n", ++ "for PIPE_NETLOGON (%s)\n", + domain->name, nt_errstr(result))); + return NT_STATUS_UNSUCCESSFUL; + } +-- +2.33.1 + + +From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:44:54 +0100 +Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) +--- + source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index e415df347e6..6f01ef6e334 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -34,6 +34,7 @@ + #include "../libds/common/flag_mapping.h" + #include "libsmb/samlogon_cache.h" + #include "passdb.h" ++#include "auth/credentials/credentials.h" + + #ifdef HAVE_ADS + +@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ADS_STATUS status; + struct sockaddr_storage dc_ss; + fstring dc_name; ++ enum credentials_use_kerberos krb5_state; + + if (auth_realm == NULL) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); +@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ads->auth.renewable = renewable; + ads->auth.password = password; + +- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + ads->auth.realm = SMB_STRDUP(auth_realm); + if (!strupper_m(ads->auth.realm)) { +-- +2.33.1 + + +From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 21 Jan 2022 12:01:33 +0100 +Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 + +(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) +--- + source3/libnet/libnet_join.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 02705f1c70c..4c67e9af5c4 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + ADS_STATUS status; + ADS_STRUCT *my_ads = NULL; + char *cp; ++ enum credentials_use_kerberos krb5_state; + + my_ads = ads_init(dns_domain_name, + netbios_domain_name, +@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + +- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + if (user_name) { + SAFE_FREE(my_ads->auth.user_name); +-- +2.33.1 + diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch new file mode 100644 index 0000000..9e57630 --- /dev/null +++ b/SOURCES/samba-disable-systemd-notifications.patch @@ -0,0 +1,36 @@ +From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 +From: "FeRD (Frank Dana)" +Date: Mon, 24 Jan 2022 22:14:31 -0500 +Subject: [PATCH] printing/bgqd: Disable systemd notifications + +samba-bgqd daemon is started by existing Samba daemons. When running +under systemd, those daemons control systemd notifications and +samba-bgqd messages need to be silenced. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 + +Signed-off-by: FeRD (Frank Dana) +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) +--- + source3/printing/samba-bgqd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c +index f21327fc622..59ed0cc40db 100644 +--- a/source3/printing/samba-bgqd.c ++++ b/source3/printing/samba-bgqd.c +@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) + + log_stdout = (debug_get_log_type() == DEBUG_STDOUT); + ++ /* main process will notify systemd */ ++ daemon_sd_notifications(false); ++ + if (!cmdline_daemon_cfg->fork) { + daemon_status(progname, "Starting process ... "); + } else { +-- +2.34.1 + diff --git a/SOURCES/samba-glibc-dns.patch b/SOURCES/samba-glibc-dns.patch new file mode 100644 index 0000000..c01d481 --- /dev/null +++ b/SOURCES/samba-glibc-dns.patch @@ -0,0 +1,64 @@ +From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 7 Oct 2021 15:55:37 +0200 +Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34 + +With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper +anymore. The res_* symbols have been moved from libresolv to libc. We are not +able to intercept any traffic inside of libc. + +Signed-off-by: Andreas Schneider +Reviewed-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + selftest/wscript | 2 +- + third_party/resolv_wrapper/wscript | 13 +++++++++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/selftest/wscript b/selftest/wscript +index a6be06c2ae9..85d9338489a 100644 +--- a/selftest/wscript ++++ b/selftest/wscript +@@ -252,7 +252,7 @@ def cmd_testonly(opt): + if os.environ.get('USE_NAMESPACES') is None: + env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH') + +- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'): ++ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'): + env.OPTIONS += " --use-dns-faking" + + if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): +diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript +index a7f18389b0f..7e369bd90b5 100644 +--- a/third_party/resolv_wrapper/wscript ++++ b/third_party/resolv_wrapper/wscript +@@ -1,6 +1,7 @@ + #!/usr/bin/env python + + import os ++from waflib import Logs + + VERSION="1.1.7" + +@@ -49,6 +50,18 @@ def configure(conf): + if conf.CONFIG_SET('HAVE_RES_NCLOSE'): + conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1) + ++ # If we find res_nquery in libc, we can't do resolv.conf redirect ++ conf.CHECK_FUNCS('res_nquery __res_nquery') ++ if (conf.CONFIG_SET('HAVE_RES_NQUERY') ++ or conf.CONFIG_SET('HAVE___RES_NQUERY')): ++ Logs.warn("Detection for resolv_wrapper: " ++ "Only dns faking will be available") ++ else: ++ if conf.CHECK_FUNCS('res_nquery', lib='resolv'): ++ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) ++ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'): ++ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1) ++ + conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True) + conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True) + conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True) +-- +2.33.1 + diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch new file mode 100644 index 0000000..5dee86c --- /dev/null +++ b/SOURCES/samba-password-change-prompt.patch @@ -0,0 +1,100 @@ +From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 17 Nov 2021 09:56:09 +0100 +Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to + off). + +This change disables the prompt for the change of an expired password by +default (using the PAM_RADIO_TYPE mechanism if present). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) +--- + docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ + nsswitch/pam_winbind.c | 12 ++++++++++-- + nsswitch/pam_winbind.h | 1 + + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml +index 0bc288f91a1..bae9298fc32 100644 +--- a/docs-xml/manpages/pam_winbind.conf.5.xml ++++ b/docs-xml/manpages/pam_winbind.conf.5.xml +@@ -194,6 +194,13 @@ + + + ++ ++ pwd_change_prompt = yes|no ++ ++ Generate prompt for changing an expired password. Defaults to "no". ++ ++ ++ + + + +diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c +index 720a4b90d85..06098dd07d8 100644 +--- a/nsswitch/pam_winbind.c ++++ b/nsswitch/pam_winbind.c +@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, + ctrl |= WINBIND_MKHOMEDIR; + } + ++ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; ++ } ++ + config_from_pam: + /* step through arguments */ + for (i=argc,v=argv; i-- > 0; ++v) { +@@ -522,6 +526,8 @@ config_from_pam: + else if (!strncasecmp(*v, "warn_pwd_expire", + strlen("warn_pwd_expire"))) + ctrl |= WINBIND_WARN_PWD_EXPIRE; ++ else if (!strcasecmp(*v, "pwd_change_prompt")) ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; + else if (type != PAM_WINBIND_CLEANUP) { + __pam_log(pamh, ctrl, LOG_ERR, + "pam_parse: unknown option: %s", *v); +@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h +index c6786d65a4d..2f4a25729bd 100644 +--- a/nsswitch/pam_winbind.h ++++ b/nsswitch/pam_winbind.h +@@ -157,6 +157,7 @@ do { \ + #define WINBIND_WARN_PWD_EXPIRE 0x00002000 + #define WINBIND_MKHOMEDIR 0x00004000 + #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 ++#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 + + #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) + #define _(string) dgettext(MODULE_NAME, string) +-- +2.35.1 + diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch new file mode 100644 index 0000000..d1a6b6a --- /dev/null +++ b/SOURCES/samba-printing-win7.patch @@ -0,0 +1,229 @@ +From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 22 Jan 2022 01:08:26 +0100 +Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls + +This is important for the source3/rpc_server code as it might +be called embedded in smbd and may not run as root with access +to our private tdb/ldb files. + +Note this is only really needed for 4.15 and older, as +we no longer run the rpc_server embedded in smbd, +but we better be consistent for now. + +This should be able to fix the problem the printing no longer works +on Windows 7 with 2021-10 monthly rollup patch (KB5006743). + +Windows uses NTLMSSP with privacy at the DCERPC layer on top +of NCACN_NP (smb). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) +--- + librpc/rpc/dcesrv_auth.c | 5 +++++ + librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ + librpc/rpc/dcesrv_core.h | 2 ++ + source3/rpc_server/rpc_config.c | 2 ++ + source4/rpc_server/service_rpc.c | 10 ++++++++++ + 5 files changed, 37 insertions(+) + +diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c +index fec8df513a83..99d8e0162160 100644 +--- a/librpc/rpc/dcesrv_auth.c ++++ b/librpc/rpc/dcesrv_auth.c +@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) + auth->auth_level = call->in_auth_info.auth_level; + auth->auth_context_id = call->in_auth_info.auth_context_id; + ++ cb->auth.become_root(); + status = cb->auth.gensec_prepare( + auth, + call, + &auth->gensec_security, + cb->auth.private_data); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", + nt_errstr(status))); +@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) + NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + { + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + const char *pdu = ""; + + switch (call->pkt.ptype) { +@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + return status; + } + ++ cb->auth.become_root(); + status = gensec_session_info(auth->gensec_security, + auth, + &auth->session_info); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", + nt_errstr(status))); +diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c +index d16159b0b6cd..ea91fc689b4a 100644 +--- a/librpc/rpc/dcesrv_core.c ++++ b/librpc/rpc/dcesrv_core.c +@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + struct dcerpc_binding *ep_2nd_description = NULL; + const char *endpoint = NULL; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct dcerpc_ack_ctx *ack_features = NULL; + struct tevent_req *subreq = NULL; +@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + { + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct tevent_req *subreq = NULL; + NTSTATUS status; + +@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + return NT_STATUS_OK; + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + struct ncacn_packet *pkt = &call->ack_pkt; + uint32_t extra_flags = 0; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct tevent_req *subreq = NULL; + size_t i; +@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h +index d8d5f9030959..0538442e0ce6 100644 +--- a/librpc/rpc/dcesrv_core.h ++++ b/librpc/rpc/dcesrv_core.h +@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { + struct gensec_security **out, + void *private_data); + void *private_data; ++ void (*become_root)(void); ++ void (*unbecome_root)(void); + } auth; + struct { + NTSTATUS (*find)( +diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c +index 2f1a01da1c0b..289c4f398409 100644 +--- a/source3/rpc_server/rpc_config.c ++++ b/source3/rpc_server/rpc_config.c +@@ -31,6 +31,8 @@ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = dcesrv_log_successful_authz, + .auth.gensec_prepare = dcesrv_auth_gensec_prepare, ++ .auth.become_root = become_root, ++ .auth.unbecome_root = unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c +index d8c6746d7815..ebb50f8a7ef3 100644 +--- a/source4/rpc_server/service_rpc.c ++++ b/source4/rpc_server/service_rpc.c +@@ -40,9 +40,19 @@ + #include "../libcli/named_pipe_auth/npa_tstream.h" + #include "samba/process_model.h" + ++static void skip_become_root(void) ++{ ++} ++ ++static void skip_unbecome_root(void) ++{ ++} ++ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = log_successful_dcesrv_authz_event, + .auth.gensec_prepare = dcesrv_gensec_prepare, ++ .auth.become_root = skip_become_root, ++ .auth.unbecome_root = skip_unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +-- +2.25.1 + diff --git a/SOURCES/samba-s4u.patch b/SOURCES/samba-s4u.patch new file mode 100644 index 0000000..8e84d96 --- /dev/null +++ b/SOURCES/samba-s4u.patch @@ -0,0 +1,697 @@ +From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:25:03 +0300 +Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------ + source4/kdc/mit_samba.c | 47 ++------- + source4/kdc/mit_samba.h | 6 +- + 3 files changed, 71 insertions(+), 106 deletions(-) + +diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c +index f35210669c2..b1c7c5dcc5e 100644 +--- a/source4/kdc/mit-kdb/kdb_samba_policies.c ++++ b/source4/kdc/mit-kdb/kdb_samba_policies.c +@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, + krb5_keyblock *krbtgt_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, +- krb5_pac *pac) ++ krb5_pac *out_pac) + { + struct mit_samba_context *mit_ctx; + krb5_authdata **authdata = NULL; +- krb5_pac ipac = NULL; +- DATA_BLOB logon_data = { NULL, 0 }; ++ krb5_keyblock *header_server_key = NULL; ++ krb5_key_data *impersonator_kd = NULL; ++ krb5_keyblock impersonator_key = {0}; + krb5_error_code code; ++ krb5_pac pac; ++ ++ *out_pac = NULL; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { +@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = krb5_pac_parse(context, + authdata[0]->contents, + authdata[0]->length, +- &ipac); ++ &pac); + if (code != 0) { + goto done; + } + +- /* TODO: verify this is correct +- * +- * In the constrained delegation case, the PAC is from a service +- * ticket rather than a TGT; we must verify the server and KDC +- * signatures to assert that the server did not forge the PAC. ++ /* ++ * For constrained delegation in MIT version < 1.18 we aren't provided ++ * with the 2nd ticket server key to verify the PAC. ++ * We can workaround that by fetching the key from the client db entry, ++ * which is the impersonator account in that version. ++ * TODO: use the provided entry in the new 1.18 version. + */ + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- server_key, +- krbtgt_key); ++ /* The impersonator must be local. */ ++ if (client == NULL) { ++ code = KRB5KDC_ERR_BADOPTION; ++ goto done; ++ } ++ /* Fetch and decrypt 2nd ticket server's current key. */ ++ code = krb5_dbe_find_enctype(context, client, -1, -1, 0, ++ &impersonator_kd); ++ if (code != 0) { ++ goto done; ++ } ++ code = krb5_dbe_decrypt_key_data(context, NULL, ++ impersonator_kd, ++ &impersonator_key, NULL); ++ if (code != 0) { ++ goto done; ++ } ++ header_server_key = &impersonator_key; + } else { +- code = krb5_pac_verify(context, +- ipac, +- authtime, +- client_princ, +- krbtgt_key, +- NULL); +- } +- if (code != 0) { +- goto done; ++ header_server_key = krbtgt_key; + } + +- /* check and update PAC */ +- code = krb5_pac_parse(context, +- authdata[0]->contents, +- authdata[0]->length, +- pac); ++ code = krb5_pac_verify(context, pac, authtime, client_princ, ++ header_server_key, NULL); + if (code != 0) { + goto done; + } +@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, + code = mit_samba_reget_pac(mit_ctx, + context, + flags, +- client_princ, + client, + server, + krbtgt, + krbtgt_key, +- pac); ++ &pac); ++ if (code != 0) { ++ goto done; ++ } ++ ++ *out_pac = pac; ++ pac = NULL; + + done: ++ krb5_free_keyblock_contents(context, &impersonator_key); + krb5_free_authdata(context, authdata); +- krb5_pac_free(context, ipac); +- free(logon_data.data); ++ krb5_pac_free(context, pac); + + return code; + } +@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krb5_authdata **pac_auth_data = NULL; + krb5_authdata **authdata = NULL; + krb5_boolean is_as_req; ++ krb5_const_principal pac_client; + krb5_error_code code; + krb5_pac pac = NULL; + krb5_data pac_data; +@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; + +- /* FIXME: We don't support S4U yet */ +- if (flags & KRB5_KDB_FLAGS_S4U) { +- return KRB5_KDB_DBTYPE_NOSUP; +- } +- + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); + + /* +@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + ks_client_princ = client->princ; + } + ++ /* In protocol transition, we are currently not provided with the tgt ++ * client name to verify the PAC, we could probably skip the name ++ * verification and just verify the signatures, but since we don't ++ * support cross-realm nor aliases, we can just use server->princ */ ++ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) { ++ pac_client = server->princ; ++ } else { ++ pac_client = ks_client_princ; ++ } ++ + if (client_entry == NULL) { + client_entry = client; + } +@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + + code = ks_verify_pac(context, + flags, +- ks_client_princ, ++ pac_client, + client_entry, + server, + krbtgt, +@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + is_as_req ? "AS-REQ" : "TGS-REQ", + client_name); + code = krb5_pac_sign(context, pac, authtime, ks_client_princ, +- server_key, krbtgt_key, &pac_data); ++ server_key, krbtgt_key, &pac_data); + if (code != 0) { + DBG_ERR("krb5_pac_sign failed: %d\n", code); + goto done; +@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + KRB5_AUTHDATA_IF_RELEVANT, + authdata, + signed_auth_data); +- if (code != 0) { +- goto done; +- } +- +- code = 0; +- + done: + if (client_entry != NULL && client_entry != client) { + ks_free_principal(context, client_entry); +@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, + * server; -> delegating service + * proxy; -> target principal + */ +- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server); +- +- char *target_name = NULL; +- bool is_enterprise; +- krb5_error_code code; + + mit_ctx = ks_get_context(context); + if (mit_ctx == NULL) { + return KRB5_KDB_DBNOTINITED; + } + +- code = krb5_unparse_name(context, proxy, &target_name); +- if (code) { +- goto done; +- } +- +- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL); +- +- code = mit_samba_check_s4u2proxy(mit_ctx, +- delegating_service, +- target_name, +- is_enterprise); +- +-done: +- free(target_name); +- return code; ++ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy); + } + + +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index 4239332f0d9..acc3cba6254 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + context, + *pac, + server->princ, +- discard_const(client_principal), ++ client->princ, + deleg_blob); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Update delegation info failed: %s\n", +@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + } + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name) ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal) + { +-#if 1 +- /* +- * This is disabled because mit_samba_update_pac_data() does not handle +- * S4U_DELEGATION_INFO +- */ +- +- return KRB5KDC_ERR_BADOPTION; +-#else +- krb5_principal target_principal; +- int flags = 0; +- int ret; +- +- if (is_nt_enterprise_name) { +- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; +- } +- +- ret = krb5_parse_name_flags(ctx->context, target_name, +- flags, &target_principal); +- if (ret) { +- return ret; +- } +- +- ret = samba_kdc_check_s4u2proxy(ctx->context, +- ctx->db_ctx, +- skdc_entry, +- target_principal); +- +- krb5_free_principal(ctx->context, target_principal); +- +- return ret; +-#endif ++ struct samba_kdc_entry *server_skdc_entry = ++ talloc_get_type_abort(server->e_data, ++ struct samba_kdc_entry); ++ ++ return samba_kdc_check_s4u2proxy(ctx->context, ++ ctx->db_ctx, ++ server_skdc_entry, ++ target_principal); + } + + static krb5_error_code mit_samba_change_pwd_error(krb5_context context, +diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h +index 636c77ec97c..9cb00c9610e 100644 +--- a/source4/kdc/mit_samba.h ++++ b/source4/kdc/mit_samba.h +@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, + krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, + krb5_context context, + int flags, +- krb5_const_principal client_principal, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, +@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, + DATA_BLOB *e_data); + + int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, +- krb5_db_entry *kentry, +- const char *target_name, +- bool is_nt_enterprise_name); ++ const krb5_db_entry *server, ++ krb5_const_principal target_principal); + + int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, + char *pwd, +-- +2.33.1 + + +From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 27 Sep 2019 18:35:30 +0300 +Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build + +Signed-off-by: Isaac Boukris +Pair-Programmed-With: Andreas Schneider +--- + lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++ + lib/krb5_wrap/krb5_samba.h | 2 - + source4/auth/kerberos/kerberos_util.c | 11 -- + 3 files changed, 185 insertions(+), 13 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index fff5b4e2a22..791b417d5ba 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + + return 0; + } ++ ++#else /* MIT */ ++ ++static bool princ_compare_no_dollar(krb5_context ctx, ++ krb5_principal a, ++ krb5_principal b) ++{ ++ bool cmp; ++ krb5_principal mod = NULL; ++ ++ if (a->length == 1 && b->length == 1 && ++ a->data[0].length != 0 && b->data[0].length != 0 && ++ a->data[0].data[a->data[0].length -1] != ++ b->data[0].data[b->data[0].length -1]) { ++ if (a->data[0].data[a->data[0].length -1] == '$') { ++ mod = a; ++ mod->data[0].length--; ++ } else if (b->data[0].data[b->data[0].length -1] == '$') { ++ mod = b; ++ mod->data[0].length--; ++ } ++ } ++ ++ cmp = krb5_principal_compare_flags(ctx, a, b, ++ KRB5_PRINCIPAL_COMPARE_CASEFOLD); ++ ++ if (mod != NULL) { ++ mod->data[0].length++; ++ } ++ ++ return cmp; ++} ++ ++krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, ++ krb5_ccache store_cc, ++ krb5_principal init_principal, ++ const char *init_password, ++ krb5_principal impersonate_principal, ++ const char *self_service, ++ const char *target_service, ++ krb5_get_init_creds_opt *krb_options, ++ time_t *expire_time, ++ time_t *kdc_time) ++{ ++ krb5_error_code code; ++ krb5_principal self_princ = NULL; ++ krb5_principal target_princ = NULL; ++ krb5_creds *store_creds; ++ krb5_creds *s4u2self_creds = NULL; ++ krb5_creds *s4u2proxy_creds = NULL; ++ krb5_creds init_creds = {0}; ++ krb5_creds mcreds = {0}; ++ krb5_flags options = KRB5_GC_NO_STORE; ++ krb5_ccache tmp_cc; ++ bool s4u2proxy; ++ ++ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc); ++ if (code != 0) { ++ return code; ++ } ++ ++ code = krb5_get_init_creds_password(ctx, &init_creds, ++ init_principal, ++ init_password, ++ NULL, NULL, ++ 0, ++ NULL, ++ krb_options); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* ++ * Check if we also need S4U2Proxy or if S4U2Self is ++ * enough in order to get a ticket for the target. ++ */ ++ if (target_service == NULL) { ++ s4u2proxy = false; ++ } else if (strcmp(target_service, self_service) == 0) { ++ s4u2proxy = false; ++ } else { ++ s4u2proxy = true; ++ } ++ ++ code = krb5_parse_name(ctx, self_service, &self_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt ++ * client and the request server to be the same principal name. */ ++ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ mcreds.client = impersonate_principal; ++ mcreds.server = init_creds.client; ++ ++ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds, ++ NULL, &s4u2self_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (s4u2proxy) { ++ code = krb5_parse_name(ctx, target_service, &target_princ); ++ if (code != 0) { ++ goto done; ++ } ++ ++ mcreds.client = init_creds.client; ++ mcreds.server = target_princ; ++ mcreds.second_ticket = s4u2self_creds->ticket; ++ ++ code = krb5_get_credentials(ctx, options | ++ KRB5_GC_CONSTRAINED_DELEGATION, ++ tmp_cc, &mcreds, &s4u2proxy_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ /* Check KDC support of S4U2Proxy extension */ ++ if (!krb5_principal_compare(ctx, s4u2self_creds->client, ++ s4u2proxy_creds->client)) { ++ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; ++ goto done; ++ } ++ ++ store_creds = s4u2proxy_creds; ++ } else { ++ store_creds = s4u2self_creds;; ++ ++ /* We need to save the ticket with the requested server name ++ * or the caller won't be able to find it in cache. */ ++ if (!krb5_principal_compare(ctx, self_princ, ++ store_creds->server)) { ++ krb5_free_principal(ctx, store_creds->server); ++ store_creds->server = NULL; ++ code = krb5_copy_principal(ctx, self_princ, ++ &store_creds->server); ++ if (code != 0) { ++ goto done; ++ } ++ } ++ } ++ ++ code = krb5_cc_initialize(ctx, store_cc, store_creds->client); ++ if (code != 0) { ++ goto done; ++ } ++ ++ code = krb5_cc_store_cred(ctx, store_cc, store_creds); ++ if (code != 0) { ++ goto done; ++ } ++ ++ if (expire_time) { ++ *expire_time = (time_t) store_creds->times.endtime; ++ } ++ ++ if (kdc_time) { ++ *kdc_time = (time_t) store_creds->times.starttime; ++ } ++ ++done: ++ krb5_cc_destroy(ctx, tmp_cc); ++ krb5_free_cred_contents(ctx, &init_creds); ++ krb5_free_creds(ctx, s4u2self_creds); ++ krb5_free_creds(ctx, s4u2proxy_creds); ++ krb5_free_principal(ctx, self_princ); ++ krb5_free_principal(ctx, target_princ); ++ ++ return code; ++} + #endif + + #if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA) +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index eab67f6d969..b5385c69a33 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#ifdef SAMBA4_USES_HEIMDAL + krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_ccache store_cc, + krb5_principal init_principal, +@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, + krb5_get_init_creds_opt *krb_options, + time_t *expire_time, + time_t *kdc_time); +-#endif + + #if defined(HAVE_KRB5_MAKE_PRINCIPAL) + #define smb_krb5_make_principal krb5_make_principal +diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c +index 544d9d853cc..c14d8c72d8c 100644 +--- a/source4/auth/kerberos/kerberos_util.c ++++ b/source4/auth/kerberos/kerberos_util.c +@@ -234,9 +234,7 @@ done: + { + krb5_error_code ret; + const char *password; +-#ifdef SAMBA4_USES_HEIMDAL + const char *self_service; +-#endif + const char *target_service; + time_t kdc_time = 0; + krb5_principal princ; +@@ -268,9 +266,7 @@ done: + return ret; + } + +-#ifdef SAMBA4_USES_HEIMDAL + self_service = cli_credentials_get_self_service(credentials); +-#endif + target_service = cli_credentials_get_target_service(credentials); + + password = cli_credentials_get_password(credentials); +@@ -331,7 +327,6 @@ done: + #endif + if (password) { + if (impersonate_principal) { +-#ifdef SAMBA4_USES_HEIMDAL + ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context, + ccache, + princ, +@@ -342,12 +337,6 @@ done: + krb_options, + NULL, + &kdc_time); +-#else +- talloc_free(mem_ctx); +- (*error_string) = "INTERNAL error: s4u2 ops " +- "are not supported with MIT build yet"; +- return EINVAL; +-#endif + } else { + ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, + ccache, +-- +2.33.1 + + +From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 19 Sep 2020 14:16:20 +0200 +Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code + +--- + source4/heimdal/lib/hdb/hdb.h | 1 + + source4/kdc/db-glue.c | 8 ++++++-- + source4/kdc/mit_samba.c | 3 +++ + source4/kdc/sdb.h | 1 + + 4 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h +index 5ef9d9565f3..dafaffc6c2d 100644 +--- a/source4/heimdal/lib/hdb/hdb.h ++++ b/source4/heimdal/lib/hdb/hdb.h +@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; + #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ + #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ + + /* hdb_capability_flags */ + #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index aff74f2ee71..d16b4c3329a 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, + } + } + +- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { ++ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { + krb5_clear_error_message(context); + goto out; + } +- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { ++ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ + /* + * SDB_F_CANON maps from the canonicalize flag in the + * packet, and has a different meaning between AS-REQ + * and TGS-REQ. We only change the principal in the AS-REQ case ++ * ++ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants ++ * the canonical name in all lookups, and takes care to canonicalize ++ * only when appropriate. + */ + ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); + if (ret) { +diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c +index acc3cba6254..f0b9df8b613 100644 +--- a/source4/kdc/mit_samba.c ++++ b/source4/kdc/mit_samba.c +@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, + if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { + sflags |= SDB_F_CANON; + } ++#if KRB5_KDB_API_VERSION >= 10 ++ sflags |= SDB_F_FORCE_CANON; ++#endif + if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | + KRB5_KDB_FLAG_INCLUDE_PAC)) { + /* +diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h +index c929acccce6..a9115ec23d7 100644 +--- a/source4/kdc/sdb.h ++++ b/source4/kdc/sdb.h +@@ -116,6 +116,7 @@ struct sdb_entry_ex { + #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ + #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ + #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ ++#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ + + void sdb_free_entry(struct sdb_entry_ex *e); + void free_sdb_entry(struct sdb_entry *s); +-- +2.33.1 + diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch new file mode 100644 index 0000000..6e243da --- /dev/null +++ b/SOURCES/samba-virus_scanner.patch @@ -0,0 +1,597 @@ +From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Feb 2022 16:33:10 +0100 +Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd + +We have the env variable SERVER_LOG_LEVEL which allows you to change +the log level on the command line. If we force -d0 this will not work. + +make test TESTS="samba" SERVER_LOG_LEVEL=10 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b901fd2677a..64a9a791a61 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -2153,7 +2153,7 @@ sub make_bin_cmd + { + my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; + +- my @optargs = ("-d0"); ++ my @optargs = (); + if (defined($options)) { + @optargs = split(/ /, $options); + } +-- +2.34.1 + + +From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 12:07:03 +0100 +Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses + filename matching +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1) +--- + source3/modules/vfs_virusfilter.c | 12 +++++ + source3/modules/vfs_virusfilter_common.h | 4 ++ + source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++ + source3/modules/wscript_build | 1 + + 4 files changed, 75 insertions(+) + create mode 100644 source3/modules/vfs_virusfilter_dummy.c + +diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c +index 9fafe4e5d41..e6cbee7cd45 100644 +--- a/source3/modules/vfs_virusfilter.c ++++ b/source3/modules/vfs_virusfilter.c +@@ -35,12 +35,14 @@ + + enum virusfilter_scanner_enum { + VIRUSFILTER_SCANNER_CLAMAV, ++ VIRUSFILTER_SCANNER_DUMMY, + VIRUSFILTER_SCANNER_FSAV, + VIRUSFILTER_SCANNER_SOPHOS + }; + + static const struct enum_list scanner_list[] = { + { VIRUSFILTER_SCANNER_CLAMAV, "clamav" }, ++ { VIRUSFILTER_SCANNER_DUMMY, "dummy" }, + { VIRUSFILTER_SCANNER_FSAV, "fsav" }, + { VIRUSFILTER_SCANNER_SOPHOS, "sophos" }, + { -1, NULL } +@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect( + int snum = SNUM(handle->conn); + struct virusfilter_config *config = NULL; + const char *exclude_files = NULL; ++ const char *infected_files = NULL; + const char *temp_quarantine_dir_mode = NULL; + const char *infected_file_command = NULL; + const char *scan_error_command = NULL; +@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect( + set_namearray(&config->exclude_files, exclude_files); + } + ++ infected_files = lp_parm_const_string( ++ snum, "virusfilter", "infected files", NULL); ++ if (infected_files != NULL) { ++ set_namearray(&config->infected_files, infected_files); ++ } ++ + config->cache_entry_limit = lp_parm_int( + snum, "virusfilter", "cache entry limit", 100); + +@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( + case VIRUSFILTER_SCANNER_CLAMAV: + ret = virusfilter_clamav_init(config); + break; ++ case VIRUSFILTER_SCANNER_DUMMY: ++ ret = virusfilter_dummy_init(config); ++ break; + default: + DBG_ERR("Unhandled scanner %d\n", backend); + return -1; +diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h +index f71b0b949a7..463a9d74e9c 100644 +--- a/source3/modules/vfs_virusfilter_common.h ++++ b/source3/modules/vfs_virusfilter_common.h +@@ -83,6 +83,9 @@ struct virusfilter_config { + /* Exclude files */ + name_compare_entry *exclude_files; + ++ /* Infected files */ ++ name_compare_entry *infected_files; ++ + /* Scan result cache */ + struct virusfilter_cache *cache; + int cache_entry_limit; +@@ -149,5 +152,6 @@ struct virusfilter_backend { + int virusfilter_sophos_init(struct virusfilter_config *config); + int virusfilter_fsav_init(struct virusfilter_config *config); + int virusfilter_clamav_init(struct virusfilter_config *config); ++int virusfilter_dummy_init(struct virusfilter_config *config); + + #endif /* _VIRUSFILTER_COMMON_H */ +diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c +new file mode 100644 +index 00000000000..03405cd6629 +--- /dev/null ++++ b/source3/modules/vfs_virusfilter_dummy.c +@@ -0,0 +1,58 @@ ++/* ++ Samba-VirusFilter VFS modules ++ Dummy scanner with infected files support. ++ Copyright (C) 2022 Pavel Filipenský ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "modules/vfs_virusfilter_utils.h" ++ ++static virusfilter_result virusfilter_dummy_scan( ++ struct vfs_handle_struct *handle, ++ struct virusfilter_config *config, ++ const struct files_struct *fsp, ++ char **reportp) ++{ ++ bool ok; ++ ++ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp)); ++ ok = is_in_path(fsp->fsp_name->base_name, ++ config->infected_files, ++ false); ++ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN; ++} ++ ++static struct virusfilter_backend_fns virusfilter_backend_dummy = { ++ .connect = NULL, ++ .disconnect = NULL, ++ .scan_init = NULL, ++ .scan = virusfilter_dummy_scan, ++ .scan_end = NULL, ++}; ++ ++int virusfilter_dummy_init(struct virusfilter_config *config) ++{ ++ struct virusfilter_backend *backend = NULL; ++ ++ backend = talloc_zero(config, struct virusfilter_backend); ++ if (backend == NULL) { ++ return -1; ++ } ++ ++ backend->fns = &virusfilter_backend_dummy; ++ backend->name = "dummy"; ++ config->backend = backend; ++ return 0; ++} +diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build +index 40df4539392..ff318c3fa06 100644 +--- a/source3/modules/wscript_build ++++ b/source3/modules/wscript_build +@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', + vfs_virusfilter_sophos.c + vfs_virusfilter_fsav.c + vfs_virusfilter_clamav.c ++ vfs_virusfilter_dummy.c + ''', + deps='samba-util VFS_VIRUSFILTER_UTILS', + init_function='', +-- +2.34.1 + + +From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 22:35:29 +0100 +Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and + 'virusfilter:infected files' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969) +--- + docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml +index 329a35af68a..88f91d73a42 100644 +--- a/docs-xml/manpages/vfs_virusfilter.8.xml ++++ b/docs-xml/manpages/vfs_virusfilter.8.xml +@@ -48,6 +48,10 @@ + scanner + clamav, the ClamAV + scanner ++ dummy, dummy scanner used in ++ tests. Checks against the infected files ++ parameter and flags any name that matches as infected. ++ + + + +@@ -264,6 +268,14 @@ + + + ++ ++ virusfilter:infected files = empty ++ ++ Files that virusfilter dummy flags as infected. ++ If this option is not set, the default is empty. ++ ++ ++ + + virusfilter:block access on error = false + +-- +2.34.1 + + +From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 15:34:56 +0100 +Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a) +--- + selftest/target/Samba3.pm | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 64a9a791a61..7584a0e7ba9 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -188,7 +188,7 @@ sub getlog_env_app($$$) + close(LOG); + + return "" if $out eq $title; +- ++ + return $out; + } + +@@ -2426,7 +2426,7 @@ sub provision($$) + my $nmbdsockdir="$prefix_abs/nmbd"; + unlink($nmbdsockdir); + +- ## ++ ## + ## create the test directory layout + ## + die ("prefix_abs = ''") if $prefix_abs eq ""; +@@ -3290,7 +3290,7 @@ sub provision($$) + unless (open(PASSWD, ">$nss_wrapper_passwd")) { + warn("Unable to open $nss_wrapper_passwd"); + return undef; +- } ++ } + print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false + $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false + pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false +-- +2.34.1 + + +From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 15:35:48 +0100 +Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský + +Pair-Programmed-With: Andreas Schneider +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544) +--- + selftest/knownfail.d/virus_scanner | 2 + + selftest/target/Samba3.pm | 12 ++ + source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++ + source3/selftest/tests.py | 9 ++ + 4 files changed, 147 insertions(+) + create mode 100644 selftest/knownfail.d/virus_scanner + create mode 100755 source3/script/tests/test_virus_scanner.sh + +diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner +new file mode 100644 +index 00000000000..6df3fd20627 +--- /dev/null ++++ b/selftest/knownfail.d/virus_scanner +@@ -0,0 +1,2 @@ ++^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') ++^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 7584a0e7ba9..c1d0c60d96a 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1688,6 +1688,9 @@ sub setup_fileserver + my $veto_sharedir="$share_dir/veto"; + push(@dirs,$veto_sharedir); + ++ my $virusfilter_sharedir="$share_dir/virusfilter"; ++ push(@dirs,$virusfilter_sharedir); ++ + my $ip4 = Samba::get_ipv4_addr("FILESERVER"); + my $fileserver_options = " + kernel change notify = yes +@@ -1813,6 +1816,15 @@ sub setup_fileserver + path = $veto_sharedir + delete veto files = yes + ++[virusfilter] ++ path = $virusfilter_sharedir ++ vfs objects = acl_xattr virusfilter ++ virusfilter:scanner = dummy ++ virusfilter:min file size = 0 ++ virusfilter:infected files = *infected* ++ virusfilter:infected file action = rename ++ virusfilter:scan on close = yes ++ + [homes] + comment = Home directories + browseable = No +diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh +new file mode 100755 +index 00000000000..2234ea6ca89 +--- /dev/null ++++ b/source3/script/tests/test_virus_scanner.sh +@@ -0,0 +1,124 @@ ++#!/bin/sh ++# Copyright (c) 2022 Pavel Filipenský ++# shellcheck disable=1091 ++ ++if [ $# -lt 4 ]; then ++cat <fsp_flags.modified ++ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/infected.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}" ++ ++ # check that virusfilter:rename prefix/suffix was added ++ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then ++ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing." ++ return 1 ++ fi ++ ++ # check that file was not uploaded ++ if [ -f "${sharedir}/infected.upload.txt" ]; then ++ echo "ERROR: {sharedir}/${smbfile} should not exist." ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++check_healthy_read() ++{ ++ rm -rf "${sharedir:?}"/* ++ ++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/healthy.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt" ++ ++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then ++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED" ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++check_healthy_write() ++{ ++ rm -rf "${sharedir:?}"/* ++ ++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/healthy.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt" ++ ++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then ++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED" ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++testit "check_infected_read" check_infected_read || failed=$((failed + 1)) ++testit "check_infected_write" check_infected_write || failed=$((failed + 1)) ++testit "check_healthy_read" check_healthy_read || failed=$((failed + 1)) ++testit "check_healthy_write" check_healthy_write || failed=$((failed + 1)) ++ ++testok "$0" "$failed" +diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py +index 701be011f70..6b146c76381 100755 +--- a/source3/selftest/tests.py ++++ b/source3/selftest/tests.py +@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", + '$SERVER_IP', + "tmp"]) + ++env = 'fileserver' ++plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), ++ [os.path.join(samba3srcdir, ++ "script/tests/test_virus_scanner.sh"), ++ '$SERVER_IP', ++ "virusfilter", ++ '$LOCAL_PATH', ++ smbclient3]) ++ + for env in ['fileserver', 'simpleserver']: + plantestsuite("samba3.blackbox.smbclient.encryption", env, + [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"), +-- +2.34.1 + + +From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 7 Feb 2022 23:06:10 +0100 +Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský + +Pair-Programmed-With: Andreas Schneider +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184 + +(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c) +--- + selftest/knownfail.d/virus_scanner | 2 -- + source3/modules/vfs_virusfilter.c | 6 +++--- + 2 files changed, 3 insertions(+), 5 deletions(-) + delete mode 100644 selftest/knownfail.d/virus_scanner + +diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner +deleted file mode 100644 +index 6df3fd20627..00000000000 +--- a/selftest/knownfail.d/virus_scanner ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') +-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') +diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c +index e6cbee7cd45..d1554967ad1 100644 +--- a/source3/modules/vfs_virusfilter.c ++++ b/source3/modules/vfs_virusfilter.c +@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, + */ + goto virusfilter_vfs_open_next; + } +- ret = S_ISREG(smb_fname->st.st_ex_mode); ++ ret = S_ISREG(sbuf.st_ex_mode); + if (ret == 0) { + DBG_INFO("Not scanned: Directory or special file: %s/%s\n", + cwd_fname, fname); + goto virusfilter_vfs_open_next; + } + if (config->max_file_size > 0 && +- smb_fname->st.st_ex_size > config->max_file_size) ++ sbuf.st_ex_size > config->max_file_size) + { + DBG_INFO("Not scanned: file size > max file size: %s/%s\n", + cwd_fname, fname); + goto virusfilter_vfs_open_next; + } + if (config->min_file_size > 0 && +- smb_fname->st.st_ex_size < config->min_file_size) ++ sbuf.st_ex_size < config->min_file_size) + { + DBG_INFO("Not scanned: file size < min file size: %s/%s\n", + cwd_fname, fname); +-- +2.34.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 8d636fa..47b704e 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -2,12 +2,16 @@ # # To build and run the tests use: # +# fedpkg local --with testsuite +# or # rpmbuild --rebuild --with testsuite samba.src.rpm # %bcond_with testsuite # Build with internal talloc, tevent, tdb and ldb. # +# fedpkg local --with=testsuite --with=includelibs +# or # rpmbuild --rebuild --with=testsuite --with=includelibs samba.src.rpm # %bcond_with includelibs @@ -15,6 +19,9 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering +# Define _make_verbose if it doesn't exist (RHEL8) +%{!?_make_verbose:%define _make_verbose V=1 VERBOSE=1} + # Build with Active Directory Domain Controller support by default on Fedora %if 0%{?fedora} %bcond_without dc @@ -42,18 +49,21 @@ %bcond_without winexe %endif -# Build vfs_ceph module by default on 64bit Fedora +# Build vfs_ceph module and ctdb cepth mutex helper by default on 64bit Fedora %if 0%{?fedora} %ifarch aarch64 ppc64le s390x x86_64 %bcond_without vfs_cephfs +%bcond_without ceph_mutex %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endifarch %endif %else %bcond_with vfs_cephfs +%bcond_with ceph_mutex #endif fedora %endif @@ -106,15 +116,29 @@ #endif fedora || rhel >= 8 %endif +# Build the ctdb-pcp-pmda package by default on Fedora +%if 0%{?fedora} +%bcond_without pcp_pmda +%else +%bcond_with pcp_pmda +%endif + +# Build the etcd helpers by default on Fedora +%if 0%{?fedora} +%bcond_without etcd_mutex +%else +%bcond_with etcd_mutex +%endif + %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 2 +%global baserelease 4 -%global samba_version 4.14.5 -%global talloc_version 2.3.2 -%global tdb_version 1.4.3 -%global tevent_version 0.10.2 -%global ldb_version 2.3.0 +%global samba_version 4.15.5 +%global talloc_version 2.3.3 +%global tdb_version 1.4.4 +%global tevent_version 0.11.0 +%global ldb_version 2.4.1 # This should be rc1 or nil %global pre_release %nil @@ -177,7 +201,16 @@ Source14: samba.pamd Source201: README.downgrade -Patch0: samba-4.14-raise-dfs-enoent-debug-level.patch +Patch0: samba-s4u.patch +Patch1: samba-ctdb-etcd-reclock.patch +Patch2: samba-glibc-dns.patch +Patch3: samba-printing-win7.patch +Patch4: samba-disable-systemd-notifications.patch +Patch5: samba-disable-ntlmssp.patch +Patch6: samba-password-change-prompt.patch +Patch7: samba-virus_scanner.patch +Patch8: samba-4-15-fix-autorid.patch +Patch9: samba-4-15-fix-winbind-refresh-tickets.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -285,6 +318,16 @@ BuildRequires: libcephfs-devel BuildRequires: liburing-devel >= 0.4 %endif +%if %{with pcp_pmda} +BuildRequires: pcp-libs-devel +%endif +%if %{with ceph_mutex} +BuildRequires: librados-devel +%endif +%if %{with etcd_mutex} +BuildRequires: python3-etcd +%endif + %if %{with dc} || %{with testsuite} # Add python3-iso8601 to avoid that the # version in Samba is being packaged @@ -314,9 +357,13 @@ BuildRequires: python3-tdb >= %{tdb_version} BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: python3-ldb >= %{ldb_version} BuildRequires: python3-ldb-devel >= %{ldb_version} -%else +%endif + +%if %{with includelibs} || %{with testsuite} +# lmdb-devel is required for the mdb ldb module, if samba is configured +# to build includelibs we need lmdb-devel for building that module on our own BuildRequires: lmdb-devel -#endif without testsuite +#endif without includelibs %endif %if %{with dc} || %{with testsuite} @@ -326,6 +373,7 @@ BuildRequires: ldb-tools BuildRequires: python3-gpg BuildRequires: python3-markdown BuildRequires: python3-setproctitle +BuildRequires: python3-cryptography BuildRequires: tdb-tools %endif @@ -423,7 +471,7 @@ Obsoletes: ctdb-tests-debuginfo < %{samba_depver} # endif with clustering %endif -# If only build glusterfs for RHGS and Fedora, so obsolete it on other version +# We only build glusterfs for RHGS and Fedora, so obsolete it on other versions # of the distro %if %{without vfs_glusterfs} Obsoletes: samba-vfs-glusterfs < %{samba_depver} @@ -444,6 +492,15 @@ Requires: samba-libs = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif +# samba-tool needs python3-samba +Requires: python3-%{name} = %{samba_depver} +# samba-tool needs tdbbackup +Requires: tdb-tools +%if %{with dc} +# samba-tool needs mdb_copy for domain backup or upgrade provision +Requires: lmdb +%endif + Provides: bundled(libreplace) %description common-tools @@ -465,10 +522,6 @@ Requires(post): libwbclient = %{samba_depver} Requires: libwbclient = %{samba_depver} %endif -# samba-tool needs tdbbackup -Requires: tdb-tools -# samba-tool needs mdb_copy -Requires: lmdb Requires: ldb-tools Requires: python3-setproctitle # Force using libldb version to be the same as build version @@ -561,6 +614,7 @@ Samba VFS module for Ceph distributed storage system integration. Summary: Samba VFS module for io_uring Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires: %{name}-client-libs = %{samba_depver} Provides: bundled(libreplace) @@ -704,7 +758,7 @@ Summary: Samba python devel files Requires: python3-%{name} = %{samba_depver} %description -n python3-%{name}-devel -The python3-%{name}-devel package contains the Python 3 defel files. +The python3-%{name}-devel package contains the Python 3 devel files. %package -n python3-samba-test Summary: Samba Python libraries @@ -799,9 +853,12 @@ Summary: Samba winbind Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} +Requires(post): %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} +Requires(post): %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Requires(post): %{name}-libs = %{samba_depver} Requires: %{name}-winbind-modules = %{samba_depver} %if %{with libwbclient} @@ -894,6 +951,7 @@ necessary to communicate to the Winbind Daemon Summary: Samba Winexe Windows Binary License: GPLv3 Requires: %{name}-client-libs = %{samba_depver} +Requires: %{name}-common-libs = %{samba_depver} Provides: bundled(libreplace) @@ -961,6 +1019,45 @@ and use CTDB instead. #endif with testsuite %endif + +%if %{with pcp_pmda} + +%package -n ctdb-pcp-pmda +Summary: CTDB PCP pmda support +Requires: ctdb = %{samba_depver} +Requires: pcp-libs + +%description -n ctdb-pcp-pmda +Performance Co-Pilot (PCP) support for CTDB + +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} + +%package -n ctdb-etcd-mutex +Summary: CTDB ETCD mutex helper +Requires: ctdb = %{samba_depver} +Requires: python3-etcd + +%description -n ctdb-etcd-mutex +Support for using an existing ETCD cluster as a mutex helper for CTDB + +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} + +%package -n ctdb-ceph-mutex +Summary: CTDB ceph mutex helper +Requires: ctdb = %{samba_depver} + +%description -n ctdb-ceph-mutex +Support for using an existing CEPH cluster as a mutex helper for CTDB + +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -1051,8 +1148,18 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" %if %{with testsuite} --enable-selftest \ %endif +%if %{with pcp_pmda} + --enable-pmda \ +%endif +%if %{with ceph_mutex} + --enable-ceph-reclock \ +%endif +%if %{with etcd_mutex} + --enable-etcd-reclock \ +%endif --with-profiling-data \ --with-systemd \ + --with-quotas \ --systemd-install-services \ --with-systemddir=/usr/lib/systemd/system \ --systemd-smb-extra=%{_systemd_extra} \ @@ -1061,7 +1168,7 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" --systemd-samba-extra=%{_systemd_extra} # Do not use %%make_build, make is just a wrapper around waf in Samba! -%{__make} %{?_smp_mflags} V=1 +%{__make} %{?_smp_mflags} %{_make_verbose} pushd pidl %__perl Makefile.PL PREFIX=%{_prefix} @@ -1070,7 +1177,8 @@ pushd pidl popd %install -%make_install +# Do not use %%make_install, make is just a wrapper around waf in Samba! +%{__make} %{?_smp_mflags} %{_make_verbose} install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security @@ -1158,12 +1266,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if %{without dc} && %{without testsuite} for i in \ %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ - %{_mandir}/man8/samba-tool.8 \ %{_mandir}/man8/samba-gpupdate.8 \ %{_libdir}/samba/ldb/ildap.so \ %{_libdir}/samba/ldb/ldbsamba_extensions.so \ @@ -1514,6 +1620,8 @@ fi %{_libdir}/samba/vfs/nfs4acl_xattr.so %endif +%{_libexecdir}/samba/samba-bgqd + %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc %{_datadir}/samba/mdssvc/elasticsearch_mappings.json @@ -1525,6 +1633,7 @@ fi %config(noreplace) %{_sysconfdir}/pam.d/samba %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* +%{_mandir}/man8/samba-bgqd.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* %{_mandir}/man8/vfs_acl_tdb.8* @@ -1575,9 +1684,8 @@ fi %{_bindir}/cifsdd %{_bindir}/dbwrap_tool %{_bindir}/dumpmscat -%exclude %{_bindir}/findsmb %{_bindir}/mvxattr -%{_bindir}/mdfind +%{_bindir}/mdsearch %{_bindir}/nmblookup %{_bindir}/oLschema2ldif %{_bindir}/regdiff @@ -1604,9 +1712,8 @@ fi %{_mandir}/man1/regpatch.1* %{_mandir}/man1/regshell.1* %{_mandir}/man1/regtree.1* -%exclude %{_mandir}/man1/findsmb.1* %{_mandir}/man1/log2pcap.1* -%{_mandir}/man1/mdfind.1* +%{_mandir}/man1/mdsearch.1* %{_mandir}/man1/mvxattr.1* %{_mandir}/man1/rpcclient.1* %{_mandir}/man1/sharesec.1* @@ -1687,10 +1794,10 @@ fi %{_libdir}/samba/libclidns-samba4.so %{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libctdb-event-client-samba4.so %{_libdir}/samba/libdbwrap-samba4.so +%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so %{_libdir}/samba/libdcerpc-samba-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so @@ -1745,7 +1852,6 @@ fi %{_libdir}/samba/libtime-basic-samba4.so %{_libdir}/samba/libtorture-samba4.so %{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-cmdline-samba4.so %{_libdir}/samba/libutil-reg-samba4.so %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so @@ -1771,7 +1877,7 @@ fi %{_libdir}/samba/ldb/asq.so %{_libdir}/samba/ldb/ldb.so -#%%{_libdir}/samba/ldb/mdb.so +%{_libdir}/samba/ldb/mdb.so %{_libdir}/samba/ldb/paged_searches.so %{_libdir}/samba/ldb/rdn_name.so %{_libdir}/samba/ldb/sample.so @@ -1809,8 +1915,7 @@ fi ### COMMON-libs %files common-libs # common libraries -%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so -%{_libdir}/samba/libpopt-samba3-samba4.so +%{_libdir}/samba/libcmdline-samba4.so %dir %{_libdir}/samba/ldb @@ -1823,6 +1928,7 @@ fi %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles +%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1831,13 +1937,13 @@ fi %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* %{_mandir}/man8/pdbedit.8* +%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/smbpasswd.8* ### DC %if %{with dc} || %{with testsuite} %files dc %{_unitdir}/samba.service -%{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db @@ -1905,7 +2011,6 @@ fi %{_mandir}/man8/samba.8* %{_mandir}/man8/samba_downgrade_db.8* %{_mandir}/man8/samba-gpupdate.8* -%{_mandir}/man8/samba-tool.8* %dir %{_datadir}/samba/admx %{_datadir}/samba/admx/samba.admx %dir %{_datadir}/samba/admx/en-US @@ -1948,7 +2053,6 @@ fi %endif %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so @@ -1957,8 +2061,6 @@ fi %files dc-bind-dlz %attr(770,root,named) %dir /var/lib/samba/bind-dns %dir %{_libdir}/samba/bind9 -%{_libdir}/samba/bind9/dlz_bind9.so -%{_libdir}/samba/bind9/dlz_bind9_9.so %{_libdir}/samba/bind9/dlz_bind9_10.so %{_libdir}/samba/bind9/dlz_bind9_11.so %{_libdir}/samba/bind9/dlz_bind9_12.so @@ -2132,6 +2234,7 @@ fi %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so +%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so @@ -2226,6 +2329,7 @@ fi %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc @@ -2248,7 +2352,14 @@ fi %{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -2277,6 +2388,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so %{python3_sitearch}/samba/dcerpc/messaging.*.so @@ -2305,9 +2417,12 @@ fi %{python3_sitearch}/samba/descriptor.py %{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py +%{python3_sitearch}/samba/dsdb.*.so +%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/gpclass.py +%{python3_sitearch}/samba/gp_gnome_settings_ext.py %{python3_sitearch}/samba/gp_scripts_ext.py %{python3_sitearch}/samba/gp_sec_ext.py %{python3_sitearch}/samba/gpo.*.so @@ -2318,6 +2433,7 @@ fi %{python3_sitearch}/samba/messaging.*.so %{python3_sitearch}/samba/ndr.py %{python3_sitearch}/samba/net.*.so +%{python3_sitearch}/samba/net_s3.*.so %{python3_sitearch}/samba/ntstatus.*.so %{python3_sitearch}/samba/posix_eadb.*.so %dir %{python3_sitearch}/samba/emulate @@ -2440,7 +2556,14 @@ fi %{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py +%{python3_sitearch}/samba/vgp_access_ext.py +%{python3_sitearch}/samba/vgp_files_ext.py +%{python3_sitearch}/samba/vgp_issue_ext.py +%{python3_sitearch}/samba/vgp_motd_ext.py +%{python3_sitearch}/samba/vgp_openssh_ext.py +%{python3_sitearch}/samba/vgp_startup_scripts_ext.py %{python3_sitearch}/samba/vgp_sudoers_ext.py +%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -2487,8 +2610,6 @@ fi %{python3_sitearch}/samba/dcerpc/dnsserver.*.so %{python3_sitearch}/samba/dckeytab.*.so -%{python3_sitearch}/samba/dsdb.*.so -%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -2555,6 +2676,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc @@ -2562,6 +2684,8 @@ fi %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc @@ -2573,17 +2697,22 @@ fi %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc %{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc %{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -2619,10 +2748,12 @@ fi %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc @@ -2657,7 +2788,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc -%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc @@ -2673,7 +2804,7 @@ fi %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py -%{python3_sitearch}/samba/tests/blackbox/mdfind.py +%{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py @@ -2701,6 +2832,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc @@ -2720,6 +2852,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py +%{python3_sitearch}/samba/tests/dcerpc/lsa.py %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py %{python3_sitearch}/samba/tests/dcerpc/misc.py %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py @@ -2735,6 +2868,7 @@ fi %{python3_sitearch}/samba/tests/dcerpc/unix.py %{python3_sitearch}/samba/tests/dckeytab.py %{python3_sitearch}/samba/tests/dns.py +%{python3_sitearch}/samba/tests/dns_aging.py %{python3_sitearch}/samba/tests/dns_base.py %{python3_sitearch}/samba/tests/dns_forwarder.py %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers @@ -2745,6 +2879,8 @@ fi %{python3_sitearch}/samba/tests/dns_tkey.py %{python3_sitearch}/samba/tests/dns_wildcard.py %{python3_sitearch}/samba/tests/dsdb.py +%{python3_sitearch}/samba/tests/dsdb_api.py +%{python3_sitearch}/samba/tests/dsdb_dns.py %{python3_sitearch}/samba/tests/dsdb_lock.py %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py %{python3_sitearch}/samba/tests/docs.py @@ -2764,9 +2900,11 @@ fi %{python3_sitearch}/samba/tests/get_opt.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py +%{python3_sitearch}/samba/tests/gpo_member.py %{python3_sitearch}/samba/tests/graph.py %{python3_sitearch}/samba/tests/group_audit.py %{python3_sitearch}/samba/tests/hostconfig.py +%{python3_sitearch}/samba/tests/imports.py %{python3_sitearch}/samba/tests/join.py %dir %{python3_sitearch}/samba/tests/kcc %{python3_sitearch}/samba/tests/kcc/__init__.py @@ -2782,37 +2920,66 @@ fi %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py %dir %{python3_sitearch}/samba/tests/krb5 %dir %{python3_sitearch}/samba/tests/krb5/__pycache__ +%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/alias_tests.py %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py +%{python3_sitearch}/samba/tests/krb5/as_req_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/kcrypto.py %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py %{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rodc_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py %{python3_sitearch}/samba/tests/krb5/simple_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py +%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py +%{python3_sitearch}/samba/tests/krb5/test_ldap.py +%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py +%{python3_sitearch}/samba/tests/krb5/test_rpc.py +%{python3_sitearch}/samba/tests/krb5/test_smb.py %{python3_sitearch}/samba/tests/krb5/s4u_tests.py %{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py %{python3_sitearch}/samba/tests/ldap_referrals.py +%{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py +%{python3_sitearch}/samba/tests/ndr.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -2848,6 +3015,7 @@ fi %{python3_sitearch}/samba/tests/s3passdb.py %{python3_sitearch}/samba/tests/s3registry.py %{python3_sitearch}/samba/tests/s3windb.py +%{python3_sitearch}/samba/tests/s3_net_join.py %{python3_sitearch}/samba/tests/samba3sam.py %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool @@ -2864,6 +3032,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc @@ -2875,6 +3044,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc @@ -2898,6 +3068,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/forest.py %{python3_sitearch}/samba/tests/samba_tool/fsmo.py %{python3_sitearch}/samba/tests/samba_tool/gpo.py +%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py %{python3_sitearch}/samba/tests/samba_tool/group.py %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py @@ -2909,6 +3080,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py +%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py %{python3_sitearch}/samba/tests/samba_tool/sites.py @@ -2924,6 +3096,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py +%{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/smb.py @@ -3067,6 +3240,7 @@ fi %{_libexecdir}/ctdb/ctdb_recovery_helper %{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify +%{_libexecdir}/ctdb/tdb_mutex_check %dir %{_localstatedir}/lib/ctdb/ %dir %{_localstatedir}/lib/ctdb/persistent @@ -3897,6 +4071,33 @@ fi #endif with selftest %endif +%if %{with pcp_pmda} +%files -n ctdb-pcp-pmda +%dir %{_localstatedir}/lib/pcp/pmdas/ctdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/Install +%{_localstatedir}/lib/pcp/pmdas/ctdb/README +%{_localstatedir}/lib/pcp/pmdas/ctdb/Remove +%{_localstatedir}/lib/pcp/pmdas/ctdb/domain.h +%{_localstatedir}/lib/pcp/pmdas/ctdb/help +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmdactdb +%{_localstatedir}/lib/pcp/pmdas/ctdb/pmns +#endif with pcp_pmda +%endif + +%if %{with etcd_mutex} +%files -n ctdb-etcd-mutex +%{_libexecdir}/ctdb/ctdb_etcd_lock +%{_mandir}/man7/ctdb-etcd.7.gz +#endif with etcd_mutex +%endif + +%if %{with ceph_mutex} +%files -n ctdb-ceph-mutex +%{_libexecdir}/ctdb/ctdb_mutex_ceph_rados_helper +%{_mandir}/man7/ctdb_mutex_ceph_rados_helper.7.gz +#endif with ceph_mutex +%endif + #endif with clustering %endif @@ -3908,6 +4109,72 @@ fi %endif %changelog +* Thu Feb 24 2022 Andreas Schneider - 4.15.5-4 +- resolves: rhbz#2057503 - Fix winbind kerberos ticket refresh + +* Mon Feb 21 2022 Andreas Schneider - 4.15.5-3 +- related: rhbz#1979959 - Fix typo in testparm output + +* Thu Feb 17 2022 Andreas Schneider - 4.15.5-2 +- resolves: rhbz#1979959 - Improve idmap autorid sanity checks and documentation + +* Mon Feb 14 2022 Pavel Filipenský - 4.15.5-1 +- resolves: #1995849 - [RFE] Change change password change prompt phrasing +- resolves: #2029417 - virusfilter_vfs_openat: Not scanned: Directory or special file + +* Wed Feb 02 2022 Pavel Filipenský - 4.15.5-0 +- Update to Samba 4.15.5 +- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release +- resolves: rhbz#2046127 - Fix CVE-2021-44141 +- resolves: rhbz#2046153 - Fix CVE-2021-44142 +- resolves: rhbz#2044404 - Printing no longer works on Windows 7 +- resolves: rhbz#2043154 - Fix systemd notifications +- resolves: rhbz#2049602 - Disable NTLMSSP for ldap client connections (e.g. libads) + +* Fri Jan 21 2022 Pavel Filipenský - 4.15.4-0 +- Update to Samba 4.15.4 +- related: rhbz#2013596 - Rebase Samba to the the latest 4.15.x release +- resolves: rhbz#2039153 - Fix CVE-2021-20316 +- resolves: rhbz#1912549 - Winexe: Kerberos flag not invoking Kerberos Auth +- resolves: rhbz#2039157 - Fix CVE-2021-43566 +- resolves: rhbz#2038148 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7 +- resolves: rhbz#2035528 - [smb] Segmentation fault when joining the domain +- resolves: rhbz#2038796 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED + +* Thu Dec 16 2021 Pavel Filipenský - 4.15.3-1 +- related: rhbz#2013596 - Rebase to version 4.15.3 +- resolves: rhbz#2028029 - Fix possible null pointer dereference in winbind +- resolves: rhbz#1912549 - Winexe: Kerberos Auth is respected via --use-kerberos=desired + +* Fri Dec 03 2021 Andreas Schneider - 4.15.2-2 +- related: rhbz#2013596 - Remove unneeded lmdb dependency + +* Thu Nov 25 2021 Pavel Filipenský - 4.15.2-1 +- resolves: rhbz#2013596 - Rebase to version 4.15.2 +- resolves: rhbz#1999294 - Remove noisy error message in winbindd +- resolves: rhbz#1958881 - Don't require winbind being online for krb5 auth + with one-way trusts +- resolves: rhbz#2019461 - Fix deleting directories with dangling symlinks + +* Mon Nov 22 2021 Andreas Schneider - 4.14.5-14 +- related: rbhz#2019674 - Fix CVE-2020-25717 +- Fix running ktest (selftest) + +* Sat Nov 13 2021 Alexander Bokovoy - 4.14.5-13 +- related: rbhz#2019674 - Fix CVE-2020-25717 +- Add missing checks for IPA DC server role + +* Wed Nov 10 2021 Andreas Schneider - 4.14.5-12 +- related: rbhz#2019674 - Fix regression with 'allow trusted domains = no' + +* Tue Nov 09 2021 Andreas Schneider - 4.14.5-11 +- resolves: rhbz#2021425 - Add missing PAC buffer types to krb5pac.idl + +* Fri Nov 05 2021 Andreas Schneider - 4.14.4-3 +- resolves: rhbz#2019662 - Fix CVE-2016-2124 +- resolves: rhbz#2019668 - Fix CVE-2021-23192 +- resolves: rbhz#2019674 - Fix CVE-2020-25717 + * Tue Jul 13 2021 Andreas Schneider - 4.14.4-2 - related: rhbz#1980346 - Rebuild for libtalloc 0.11.0