diff --git a/SOURCES/ldapsslads-v4-12.patch b/SOURCES/ldapsslads-v4-12.patch
new file mode 100644
index 0000000..b8bb84d
--- /dev/null
+++ b/SOURCES/ldapsslads-v4-12.patch
@@ -0,0 +1,609 @@ +From 9691c65234f2833792977d6e25a314baca724c64 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= +Date: Mon, 10 Feb 2020 19:19:44 +0100 +Subject: [PATCH 1/7] s3-libads: use dns name to open a ldap session +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Required for working certificate verification. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 +Signed-off-by: Björn Baumbach +Reviewed-by: Bjoern Jacke + +Autobuild-User(master): Björn Baumbach +Autobuild-Date(master): Thu Mar 5 12:29:26 UTC 2020 on sn-devel-184 + +(cherry picked from commit e45e0912d99335f4feec7f937180ea21f7f62a72) +--- + source3/libads/ldap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 7ef7e7e8420..b7f819d876b 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -669,7 +669,7 @@ got_connection: + + /* Otherwise setup the TCP LDAP session */ + +- ads->ldap.ld = ldap_open_with_timeout(addr, ++ ads->ldap.ld = ldap_open_with_timeout(ads->config.ldap_server_name, + &ads->ldap.ss, + ads->ldap.port, lp_ldap_timeout()); + if (ads->ldap.ld == NULL) { +-- +2.25.4 + + +From b0cdea726ef5d90c531a49d2bf8b343cdb788719 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= +Date: Wed, 3 Jun 2020 19:40:59 +0200 +Subject: [PATCH 2/7] s3-libads: use ldap_init_fd() to initialize a ldap + session if possible +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Use the known ip address of the ldap server to open the connection and +initialize the ldap session with ldap_init_fd(). + +This avoid unnecessary DNS lookups which might block or prevent the +successful connection. 
+ +Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124 + +Signed-off-by: Björn Baumbach +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit c8080bbd708eaa3212fa516861ac9e3b267989a0) +--- + source3/libads/ldap.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index b7f819d876b..36e73440495 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -92,7 +92,23 @@ static void gotalarm_sig(int signum) + return NULL; + } + +-#ifdef HAVE_LDAP_INITIALIZE ++#ifdef HAVE_LDAP_INIT_FD ++ { ++ int fd = -1; ++ NTSTATUS status = NT_STATUS_UNSUCCESSFUL; ++ ++ status = open_socket_out(ss, port, to, &fd); ++ if (!NT_STATUS_IS_OK(status)) { ++ return NULL; ++ } ++ ++/* define LDAP_PROTO_TCP from openldap.h if required */ ++#ifndef LDAP_PROTO_TCP ++#define LDAP_PROTO_TCP 1 ++#endif ++ ldap_err = ldap_init_fd(fd, LDAP_PROTO_TCP, uri, &ldp); ++ } ++#elif defined(HAVE_LDAP_INITIALIZE) + ldap_err = ldap_initialize(&ldp, uri); + #else + ldp = ldap_open(server, port); +-- +2.25.4 + + +From 6c5b4317b150d3d2aed77c207dd3cb0039392bd6 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 29 Jun 2020 16:55:33 +0300 +Subject: [PATCH 3/7] selftest: add tests for net-ads over TLS + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + selftest/knownfail.d/net_ads_ntlm_fallback | 10 +++ + selftest/knownfail.d/net_ads_tls | 1 + + source4/selftest/tests.py | 7 ++ + testprogs/blackbox/test_net_ads_base.sh | 76 ++++++++++++++++++++++ + 4 files changed, 94 insertions(+) + create mode 100644 selftest/knownfail.d/net_ads_ntlm_fallback + create mode 100644 selftest/knownfail.d/net_ads_tls + create mode 100755 testprogs/blackbox/test_net_ads_base.sh + +diff --git a/selftest/knownfail.d/net_ads_ntlm_fallback b/selftest/knownfail.d/net_ads_ntlm_fallback +new file mode 100644 +index 
00000000000..b16a39d134d +--- /dev/null ++++ b/selftest/knownfail.d/net_ads_ntlm_fallback +@@ -0,0 +1,10 @@ ++# net-ads commands that fail with: --option=gensec:gse_krb5=no ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.testjoin ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check dNSHostName ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.check SPN ++^samba4.blackbox.net_ads_base.nomech=gse_krb5.test setspn list ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.testjoin ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check dNSHostName ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check ldapssl=off ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.check SPN ++^samba4.blackbox.net_ads_tls.nomech=gse_krb5.test setspn list +diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls +new file mode 100644 +index 00000000000..251c948b6a9 +--- /dev/null ++++ b/selftest/knownfail.d/net_ads_tls +@@ -0,0 +1 @@ ++^samba4.blackbox.net_ads_tls +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index 1d965c751a4..a394afa177f 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -511,6 +511,13 @@ plantestsuite("samba4.blackbox.client_etypes_legacy(ad_dc:client)", "ad_dc:clien + plantestsuite("samba4.blackbox.client_etypes_strong(ad_dc:client)", "ad_dc:client", [os.path.join(bbdir, "test_client_etypes.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$PREFIX_ABS', 'strong', '17_18']) + plantestsuite("samba4.blackbox.net_ads_dns(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_net_ads_dns.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', '$REALM', '$USERNAME', '$PASSWORD']) + plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:local", [os.path.join(bbdir, "test_samba-tool_ntacl.sh"), '$PREFIX', '$DOMSID']) ++ ++for nomech in ["none", "gse_krb5", "ntlmssp"]: ++ # we can't test TLS with ad_dc env as it doesn't allow SASL over TLS ++ 
plantestsuite("samba4.blackbox.net_ads_base.nomech=%s" % nomech, "ad_dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'no', nomech, '$PREFIX_ABS']) ++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'yes', nomech, '$PREFIX_ABS']) ++ plantestsuite("samba4.blackbox.net_ads_tls.nomech=%s" % nomech, "fl2008r2dc:client", [os.path.join(bbdir, "test_net_ads_base.sh"), '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD', 'noverify', nomech, '$PREFIX_ABS']) ++ + plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "ad_dc_ntvfs", [valgrindify(smbtorture4), "$LISTOPT", "$LOADLIST", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo']) + # json tests hook into ``chgdcpass'' to make them run in contributor CI on + # gitlab +diff --git a/testprogs/blackbox/test_net_ads_base.sh b/testprogs/blackbox/test_net_ads_base.sh +new file mode 100755 +index 00000000000..59e3da67a7f +--- /dev/null ++++ b/testprogs/blackbox/test_net_ads_base.sh +@@ -0,0 +1,76 @@ ++#!/bin/sh ++ ++if [ $# -lt 5 ]; then ++cat </dev/null | sha1sum | cut -b 1-10` ++HOSTNAME=`echo hn$HOSTNAME | tr '[:lower:]' '[:upper:]'` ++LCHOSTNAME=`echo $HOSTNAME | tr '[:upper:]' '[:lower:]'` ++ ++RUNDIR=`pwd` ++cd $BASEDIR ++WORKDIR=`mktemp -d -p .` ++WORKDIR=`basename $WORKDIR` ++cp -a client/* $WORKDIR/ ++sed -ri "s@(dir|directory) = (.*)/client/@\1 = \2/$WORKDIR/@" $WORKDIR/client.conf ++sed -ri "s/netbios name = .*/netbios name = $HOSTNAME/" $WORKDIR/client.conf ++sed -ri "s/workgroup = .*/workgroup = $DOMAIN/" $WORKDIR/client.conf ++sed -ri "s/realm = .*/realm = $REALM/" $WORKDIR/client.conf ++rm -f $WORKDIR/private/secrets.tdb ++cd $RUNDIR ++ ++failed=0 ++ ++export LDAPTLS_CACERT=$(grep "tls cafile" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') ++ ++xoptions="" ++if [ $TLS_MODE != "no" ]; then ++ 
xoptions="--option=ldapsslads=yes" ++fi ++ ++if [ $NO_MECH != "none" ]; then ++ xoptions="$xoptions --option=gensec:$NO_MECH=no" ++fi ++ ++if [ $TLS_MODE = "noverify" ]; then ++ export LDAPTLS_REQCERT=allow ++fi ++ ++net_tool="$VALGRIND $BINDIR/net -s $BASEDIR/$WORKDIR/client.conf --option=security=ads -k $xoptions" ++ ++# Load test functions ++. `dirname $0`/subunit.sh ++ ++testit "join" $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --no-dns-updates || failed=`expr $failed + 1` ++ ++testit "testjoin" $net_tool ads testjoin -P || failed=`expr $failed + 1` ++ ++testit_grep "check dNSHostName" $LCHOSTNAME $net_tool ads search -P samaccountname=$HOSTNAME\$ dNSHostName || failed=`expr $failed + 1` ++ ++tls_log="StartTLS issued: using a TLS connection" ++opt="-d3 --option=ldapssl=off" ++if [ $TLS_MODE != "no" ]; then ++ testit_grep "check ldapssl=off" "$tls_log" $net_tool $opt ads search -P samaccountname=$HOSTNAME\$ dn || failed=`expr $failed + 1` ++fi ++ ++testit_grep "check SPN" "HOST/$HOSTNAME" $net_tool ads search -P samaccountname=$HOSTNAME\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++testit_grep "test setspn list" "HOST/$HOSTNAME" $net_tool ads setspn list $HOSTNAME -P || failed=`expr $failed + 1` ++ ++testit "leave" $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++ ++rm -rf $BASEDIR/$WORKDIR ++ ++exit $failed +-- +2.25.4 + + +From 94d20b09d565c0f4b0809e1cd778f7082e4733f8 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 24 Jun 2020 15:28:45 +0300 +Subject: [PATCH 4/7] Decouple ldap-ssl-ads from ldap-ssl option + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + WHATSNEW.txt | 6 +++++ + docs-xml/smbdotconf/ldap/ldapsslads.xml | 7 ++---- + source3/include/smbldap.h | 1 + + source3/lib/ABI/smbldap-2.1.0.sigs | 33 +++++++++++++++++++++++++ + source3/lib/smbldap.c | 19 +++++++++----- + source3/libads/ldap.c | 2 +- + source3/wscript_build | 2 
+- + 7 files changed, 57 insertions(+), 13 deletions(-) + create mode 100644 source3/lib/ABI/smbldap-2.1.0.sigs + +diff --git a/WHATSNEW.txt b/WHATSNEW.txt +index a5b554fe11f..8935876d247 100644 +--- a/WHATSNEW.txt ++++ b/WHATSNEW.txt +@@ -557,6 +557,12 @@ CTDB changes + helper exits. This triggers an election. + + ++The "ldap ssl ads" option no longer depends on "ldap ssl" option: ++----------------------------------------------------------------- ++With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" ++is off. ++ ++ + REMOVED FEATURES + ================ + +diff --git a/docs-xml/smbdotconf/ldap/ldapsslads.xml b/docs-xml/smbdotconf/ldap/ldapsslads.xml +index 98c39651f1e..f99afe5bbad 100644 +--- a/docs-xml/smbdotconf/ldap/ldapsslads.xml ++++ b/docs-xml/smbdotconf/ldap/ldapsslads.xml +@@ -7,13 +7,10 @@ + This option is used to define whether or not Samba should + use SSL when connecting to the ldap server using + ads methods. +- Rpc methods are not affected by this parameter. Please note, that +- this parameter won't have any effect if +- is set to no. ++ Rpc methods are not affected by this parameter. + + +- See smb.conf5 +- for more information on . ++ See also . 
+ + + +diff --git a/source3/include/smbldap.h b/source3/include/smbldap.h +index 878268aebd6..d063f44afbc 100644 +--- a/source3/include/smbldap.h ++++ b/source3/include/smbldap.h +@@ -72,6 +72,7 @@ int smbldap_modify(struct smbldap_state *ldap_state, + const char *dn, + LDAPMod *attrs[]); + int smbldap_start_tls(LDAP *ldap_struct, int version); ++int smbldap_start_tls_start(LDAP *ldap_struct, int version); + int smbldap_setup_full_conn(LDAP **ldap_struct, const char *uri); + int smbldap_search(struct smbldap_state *ldap_state, + const char *base, int scope, const char *filter, +diff --git a/source3/lib/ABI/smbldap-2.1.0.sigs b/source3/lib/ABI/smbldap-2.1.0.sigs +new file mode 100644 +index 00000000000..67dcc9a8a78 +--- /dev/null ++++ b/source3/lib/ABI/smbldap-2.1.0.sigs +@@ -0,0 +1,33 @@ ++smbldap_add: int (struct smbldap_state *, const char *, LDAPMod **) ++smbldap_delete: int (struct smbldap_state *, const char *) ++smbldap_extended_operation: int (struct smbldap_state *, const char *, struct berval *, LDAPControl **, LDAPControl **, char **, struct berval **) ++smbldap_free_struct: void (struct smbldap_state **) ++smbldap_get_ldap: LDAP *(struct smbldap_state *) ++smbldap_get_paged_results: bool (struct smbldap_state *) ++smbldap_get_single_attribute: bool (LDAP *, LDAPMessage *, const char *, char *, int) ++smbldap_has_control: bool (LDAP *, const char *) ++smbldap_has_extension: bool (LDAP *, const char *) ++smbldap_has_naming_context: bool (LDAP *, const char *) ++smbldap_init: NTSTATUS (TALLOC_CTX *, struct tevent_context *, const char *, bool, const char *, const char *, struct smbldap_state **) ++smbldap_make_mod: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const char *) ++smbldap_make_mod_blob: void (LDAP *, LDAPMessage *, LDAPMod ***, const char *, const DATA_BLOB *) ++smbldap_modify: int (struct smbldap_state *, const char *, LDAPMod **) ++smbldap_pull_sid: bool (LDAP *, LDAPMessage *, const char *, struct dom_sid *) ++smbldap_search: int 
(struct smbldap_state *, const char *, int, const char *, const char **, int, LDAPMessage **) ++smbldap_search_paged: int (struct smbldap_state *, const char *, int, const char *, const char **, int, int, LDAPMessage **, void **) ++smbldap_search_suffix: int (struct smbldap_state *, const char *, const char **, LDAPMessage **) ++smbldap_set_bind_callback: void (struct smbldap_state *, smbldap_bind_callback_fn, void *) ++smbldap_set_creds: bool (struct smbldap_state *, bool, const char *, const char *) ++smbldap_set_mod: void (LDAPMod ***, int, const char *, const char *) ++smbldap_set_mod_blob: void (LDAPMod ***, int, const char *, const DATA_BLOB *) ++smbldap_set_paged_results: void (struct smbldap_state *, bool) ++smbldap_setup_full_conn: int (LDAP **, const char *) ++smbldap_start_tls: int (LDAP *, int) ++smbldap_start_tls_start: int (LDAP *, int) ++smbldap_talloc_autofree_ldapmod: void (TALLOC_CTX *, LDAPMod **) ++smbldap_talloc_autofree_ldapmsg: void (TALLOC_CTX *, LDAPMessage *) ++smbldap_talloc_dn: char *(TALLOC_CTX *, LDAP *, LDAPMessage *) ++smbldap_talloc_first_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) ++smbldap_talloc_single_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) ++smbldap_talloc_single_blob: bool (TALLOC_CTX *, LDAP *, LDAPMessage *, const char *, DATA_BLOB *) ++smbldap_talloc_smallest_attribute: char *(LDAP *, LDAPMessage *, const char *, TALLOC_CTX *) +diff --git a/source3/lib/smbldap.c b/source3/lib/smbldap.c +index 34c841f9243..4815dd81fc3 100644 +--- a/source3/lib/smbldap.c ++++ b/source3/lib/smbldap.c +@@ -598,20 +598,27 @@ static void smbldap_store_state(LDAP *ld, struct smbldap_state *smbldap_state) + } + + /******************************************************************** +- start TLS on an existing LDAP connection ++ start TLS on an existing LDAP connection per config + *******************************************************************/ + + int smbldap_start_tls(LDAP *ldap_struct, 
int version) +-{ +-#ifdef LDAP_OPT_X_TLS +- int rc,tls; +-#endif +- ++{ + if (lp_ldap_ssl() != LDAP_SSL_START_TLS) { + return LDAP_SUCCESS; + } + ++ return smbldap_start_tls_start(ldap_struct, version); ++} ++ ++/******************************************************************** ++ start TLS on an existing LDAP connection unconditionally ++*******************************************************************/ ++ ++int smbldap_start_tls_start(LDAP *ldap_struct, int version) ++{ + #ifdef LDAP_OPT_X_TLS ++ int rc,tls; ++ + /* check if we use ldaps already */ + ldap_get_option(ldap_struct, LDAP_OPT_X_TLS, &tls); + if (tls == LDAP_OPT_X_TLS_HARD) { +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 36e73440495..16c32b2d5a7 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -703,7 +703,7 @@ got_connection: + ldap_set_option(ads->ldap.ld, LDAP_OPT_PROTOCOL_VERSION, &version); + + if ( lp_ldap_ssl_ads() ) { +- status = ADS_ERROR(smbldap_start_tls(ads->ldap.ld, version)); ++ status = ADS_ERROR(smbldap_start_tls_start(ads->ldap.ld, version)); + if (!ADS_ERR_OK(status)) { + goto out; + } +diff --git a/source3/wscript_build b/source3/wscript_build +index 10d9f71ae76..76d01a78f64 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -520,7 +520,7 @@ bld.SAMBA3_LIBRARY('smbldap', + abi_directory='lib/ABI', + abi_match='smbldap_*', + pc_files=[], +- vnum='2', ++ vnum='2.1.0', + public_headers='include/smbldap.h include/smb_ldap.h') + + bld.SAMBA3_LIBRARY('ads', +-- +2.25.4 + + +From a7d674b519b363c6e20fa5784ab998fc622c9859 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 2 Jul 2020 10:59:18 +0200 +Subject: [PATCH 5/7] Fix ads_set_sasl_wrap_flags to only change sasl flags + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + source3/libads/ads_proto.h | 2 +- + source3/libads/ads_struct.c | 8 ++++++-- + 2 files changed, 7 insertions(+), 3 deletions(-) 
+ +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index cd9c1082681..6cdde0cf6eb 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -47,7 +47,7 @@ ADS_STRUCT *ads_init(const char *realm, + const char *workgroup, + const char *ldap_server, + enum ads_sasl_state_e sasl_state); +-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); ++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags); + void ads_destroy(ADS_STRUCT **ads); + + /* The following definitions come from libads/disp_sec.c */ +diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c +index 043a1b21247..67a9a7cf75e 100644 +--- a/source3/libads/ads_struct.c ++++ b/source3/libads/ads_struct.c +@@ -176,13 +176,17 @@ ADS_STRUCT *ads_init(const char *realm, + /**************************************************************** + ****************************************************************/ + +-bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags) ++bool ads_set_sasl_wrap_flags(ADS_STRUCT *ads, unsigned flags) + { ++ unsigned other_flags; ++ + if (!ads) { + return false; + } + +- ads->auth.flags = flags; ++ other_flags = ads->auth.flags & ~(ADS_AUTH_SASL_SIGN|ADS_AUTH_SASL_SEAL); ++ ++ ads->auth.flags = flags | other_flags; + + return true; + } +-- +2.25.4 + + +From e75511bf6b6b516db3336cd5f1d8f27307805801 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 2 Jul 2020 09:33:12 +0200 +Subject: [PATCH 6/7] ads: set sasl-wrapping to plain when over TLS + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider +--- + WHATSNEW.txt | 5 +++++ + selftest/knownfail.d/net_ads_tls | 1 - + source3/libads/ldap.c | 4 ++++ + 3 files changed, 9 insertions(+), 1 deletion(-) + delete mode 100644 selftest/knownfail.d/net_ads_tls + +diff --git a/WHATSNEW.txt b/WHATSNEW.txt +index 8935876d247..927b9a0fa59 100644 +--- a/WHATSNEW.txt ++++ b/WHATSNEW.txt +@@ -562,6 +562,11 @@ The "ldap 
ssl ads" option no longer depends on "ldap ssl" option: + With this release, the "ldap ssl ads" can be set to "yes" even if "ldap ssl" + is off. + ++The "ldap ssl ads" no longer requires sasl-wrapping to be set to plain: ++----------------------------------------------------------------------- ++This is now done implicitly when over TLS, so "client ldap sasl wrapping" ++does not need to be set to "plain" in order for it to work. ++ + + REMOVED FEATURES + ================ +diff --git a/selftest/knownfail.d/net_ads_tls b/selftest/knownfail.d/net_ads_tls +deleted file mode 100644 +index 251c948b6a9..00000000000 +--- a/selftest/knownfail.d/net_ads_tls ++++ /dev/null +@@ -1 +0,0 @@ +-^samba4.blackbox.net_ads_tls +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 16c32b2d5a7..3f41e990085 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -707,6 +707,10 @@ got_connection: + if (!ADS_ERR_OK(status)) { + goto out; + } ++ if (!ads_set_sasl_wrap_flags(ads, 0)) { ++ status = ADS_ERROR(LDAP_OPERATIONS_ERROR); ++ goto out; ++ } + } + + /* fill in the current time and offsets */ +-- +2.25.4 + + +From 43694fbfa79b255a27a4becaf8743d2b110495e9 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 11 Jul 2020 05:04:59 +0200 +Subject: [PATCH 7/7] net: ignore possible SIGPIPE upon ldap_unbind when over + TLS + +From local tests with strace: + +socket(AF_UNIX, SOCK_STREAM, 0) = 12 +write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38 +... 
+write(2, "ads_domain_func_level: 3\n", 25) = 25 +write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36 +write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe) +--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} --- ++++ killed by SIGPIPE +++ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Isaac Boukris +Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184 +--- + source3/utils/net.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 683b46794e4..e289b2814bc 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -1289,6 +1289,9 @@ static void get_credentials_file(struct net_context *c, + POPT_TABLEEND + }; + ++ /* Ignore possible SIGPIPE upon ldap_unbind when over TLS */ ++ BlockSignals(True, SIGPIPE); ++ + zero_sockaddr(&c->opt_dest_ip); + + setup_logging(argv[0], DEBUG_STDERR); +-- +2.25.4 + +From 0a58060cb223a1ee6629f4ba706834369dd42a3d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 14 Jul 2020 22:38:06 +0200 +Subject: [PATCH] s3-libads: pass timeout to open_socket_out in ms + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13124 + +Signed-off-by: Isaac Boukris +--- + source3/libads/ldap.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 1ffe96d32c9..d431156912f 100755 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -96,9 +96,11 @@ static void gotalarm_sig(int signum) + { + int fd = -1; + NTSTATUS status = NT_STATUS_UNSUCCESSFUL; ++ unsigned timeout_ms = 1000 * to; + +- status = open_socket_out(ss, port, to, &fd); ++ status = open_socket_out(ss, port, timeout_ms, &fd); + if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(3, ("open_socket_out: failed to open 
socket\n"));
+ return NULL;
+ }
+ 
+--
+2.25.4
+
diff --git a/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
new file mode 100644
index 0000000..3b488f8
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_pam_winbind_manpage.patch
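Review bot: In the HAVE_LDAP_INIT_FD block added by patch 2/7 to source3/libads/ldap.c, the descriptor obtained from open_socket_out() is never closed when ldap_init_fd() fails; the ldap_err check that follows the #ifdef chain lies outside the hunk, but if it returns NULL the socket leaks on every failed connection attempt, and the final unnumbered "pass timeout ... in ms" patch in this file extends the same block without closing that gap. Add `if (ldap_err != LDAP_SUCCESS) { close(fd); }` directly after the ldap_init_fd() call, inside the braces where fd is still in scope. Patch 6/7 clears SASL sign/seal with `ads_set_sasl_wrap_flags(ads, 0)` once StartTLS succeeds, so integrity and confidentiality of the ADS LDAP session then rest entirely on the TLS layer and on the OpenLDAP client's certificate-verification policy, which the new test script deliberately relaxes with `export LDAPTLS_REQCERT=allow` in its noverify mode. A comment at that call, e.g. `/* sign/seal disabled: session integrity now depends entirely on TLS and its certificate verification */`, would record the dependency for the next maintainer. The enclosing ldap_open_with_timeout() and ads_connect() bodies start and end outside these hunks.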
@@ -0,0 +1,41 @@
+From 069ba5774a5ccc72dcc3567bc6d17141d68ddff5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 9 Jul 2020 11:48:26 +0200
+Subject: [PATCH] docs: Fix documentation for require_membership_of of
+ pam_winbind
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Alexander Bokovoy
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Fri Jul 10 09:40:37 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 4c74db6978c682f8ba4e74a6ee8157cfcbb54971)
+---
+ docs-xml/manpages/pam_winbind.8.xml | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
+index a9a227f1647..a61fb2d58e5 100644
+--- a/docs-xml/manpages/pam_winbind.8.xml
++++ b/docs-xml/manpages/pam_winbind.8.xml
+@@ -84,9 +84,11 @@
+ If this option is set, pam_winbind will only succeed if the user is a member of the given SID or NAME. A SID
+ can be either a group-SID, an alias-SID or even an user-SID. It is also possible to give a NAME instead of the
+ SID. That name must have the form: MYDOMAIN\mygroup or
+- MYDOMAIN\myuser. pam_winbind will, in that case, lookup the SID internally. Note that
+- NAME may not contain any spaces. It is thus recommended to only use SIDs. You can verify the list of SIDs a
+- user is a member of with wbinfo --user-sids=SID.
++ MYDOMAIN\myuser (where '\' character corresponds to the value of
++ winbind separator parameter). It is also possible to use a UPN in the form
++ user@REALM or group@REALM. pam_winbind will, in that case, lookup
++ the SID internally. Note that NAME may not contain any spaces. It is thus recommended to only use SIDs. You can
++ verify the list of SIDs a user is a member of with wbinfo --user-sids=SID.
+ 
+ 
+ 
+--
+2.27.0
+
diff --git a/SOURCES/samba-4.12-fix_winbind_lookuprids.patch b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
new file mode 100644
index 0000000..43cda48
--- /dev/null
+++ b/SOURCES/samba-4.12-fix_winbind_lookuprids.patch
@@ -0,0 +1,130 @@
+From 3b8312df417b1a1fbd712b9494d5dad495e33f6d Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 8 Jul 2020 15:00:49 +0200
+Subject: [PATCH 1/2] winbind: Add test for lookuprids cache problem
+
+When reading entries from gencache, wb_cache_rids_to_names() can
+return STATUS_SOME_UNMAPPED, which _wbint_LookupRids() does not handle
+correctly.
+
+This test enforces this situation by filling gencache with one wbinfo
+-R and then erasing the winbindd_cache.tdb. This forces winbind to
+enter the domain helper process, which will then read from gencache
+filled with the previous wbinfo -R.
+
+Without having the entries cached this does not happen because
+wb_cache_rids_to_names() via the do_query: path calls deep inside
+calls dcerpc_lsa_lookup_sids_noalloc(), which hides the
+STATUS_SOME_UNMAPPED that came in as lsa_LookupSids result value.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 04eafce653afcff517317d2b190acc4f0cbf4c61)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 +
+ .../tests/test_wbinfo_lookuprids_cache.sh | 21 +++++++++++++++++++
+ source3/selftest/tests.py | 5 +++++
+ 3 files changed, 27 insertions(+)
+ create mode 100644 selftest/knownfail.d/lookuprids_cache
+ create mode 100755 source3/script/tests/test_wbinfo_lookuprids_cache.sh
+
+diff --git a/selftest/knownfail.d/lookuprids_cache b/selftest/knownfail.d/lookuprids_cache
+new file mode 100644
+index 00000000000..d3c40a62b45
+--- /dev/null
++++ b/selftest/knownfail.d/lookuprids_cache
+@@ -0,0 +1 @@
++^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\)
+\ No newline at end of file
+diff --git a/source3/script/tests/test_wbinfo_lookuprids_cache.sh b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+new file mode 100755
+index 00000000000..0b21ffcd7c9
+--- /dev/null
++++ b/source3/script/tests/test_wbinfo_lookuprids_cache.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++
++WBINFO="$VALGRIND ${WBINFO:-$BINDIR/wbinfo}"
++TDBTOOL="${TDBTOOL:-$BINDIR/tdbtool}"
++TDBDUMP="${TDBDUMP:-$BINDIR/tdbdump}"
++NET="$VALGRIND ${NET:-$BINDIR/net}"
++
++cache="$LOCK_DIR"/winbindd_cache.tdb
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++
++testit "flush" "$NET" "cache" "flush" || failed=`expr $failed + 1`
++testit "lookuprids1" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++key=$("$TDBDUMP" "$cache" | grep ^key.*NDR.*/16/ | cut -d\" -f2)
++
++testit "delete" "$TDBTOOL" "$cache" delete "$key"
++testit "lookuprids2" "$WBINFO" "-R" "512,12345" || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index dc44160e50d..b01a3c1aad1 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -332,6 +332,11 @@ env = "nt4_member:local"
+ plantestsuite("samba3.wbinfo_sids_to_xids", env,
+ [os.path.join(srcdir(),
+ "nsswitch/tests/test_wbinfo_sids_to_xids.sh")])
++plantestsuite(
++ "samba.wbinfo_lookuprids_cache",
++ env,
++ [os.path.join(samba3srcdir,
++ "script/tests/test_wbinfo_lookuprids_cache.sh")])
+ 
+ env = "ad_member"
+ t = "WBCLIENT-MULTI-PING"
+--
+2.20.1
+
+
+From 7389996f5e04acb79a760cb72b9d5c5a617262b8 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 8 Jul 2020 15:09:45 +0200
+Subject: [PATCH 2/2] winbind: Fix lookuprids cache problem
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14435
+Signed-off-by: Volker Lendecke
+Reviewed-by: Ralph Boehme
+
+Autobuild-User(master): Volker Lendecke
+Autobuild-Date(master): Thu Jul 9 21:40:52 UTC 2020 on sn-devel-184
+
+(cherry picked from commit cd4122d91e942ca465c03505d5e148117f505ba4)
+---
+ selftest/knownfail.d/lookuprids_cache | 1 -
+ source3/winbindd/winbindd_dual_srv.c | 3 ++-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/lookuprids_cache
+
+diff --git a/selftest/knownfail.d/lookuprids_cache
b/selftest/knownfail.d/lookuprids_cache +deleted file mode 100644 +index d3c40a62b45..00000000000 +--- a/selftest/knownfail.d/lookuprids_cache ++++ /dev/null +@@ -1 +0,0 @@ +-^samba.wbinfo_lookuprids_cache.lookuprids2\(nt4_member:local\) +\ No newline at end of file +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index 13345caa41b..63bb614a0ca 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -672,7 +672,8 @@ NTSTATUS _wbint_LookupRids(struct pipes_struct *p, struct wbint_LookupRids *r) + r->in.rids->rids, r->in.rids->num_rids, + &domain_name, &names, &types); + reset_cm_connection_on_error(domain, NULL, status); +- if (!NT_STATUS_IS_OK(status)) { ++ if (!NT_STATUS_IS_OK(status) && ++ !NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED)) { + return status; + } + +-- +2.20.1 + diff --git a/SOURCES/samba-4.12-gnutls-priority-list.patch b/SOURCES/samba-4.12-gnutls-priority-list.patch index f41e8dc..4b143d9 100644 --- a/SOURCES/samba-4.12-gnutls-priority-list.patch +++ b/SOURCES/samba-4.12-gnutls-priority-list.patch @@ -1,7 +1,7 @@ -From 6981475bbe11029d88de8294734d7cb29f1d0799 Mon Sep 17 00:00:00 2001 +From 2840bd0becee307f4ee896b26e9f29baac03c347 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 15 Jun 2020 11:50:16 +0200 -Subject: [PATCH] s3:lib:tls: Use better priority lists for modern GnuTLS +Subject: [PATCH 1/2] s3:lib:tls: Use better priority lists for modern GnuTLS We should use the default priority list. That is a good practice, because TLS protocol hardening and phasing out of legacy algorithms, @@ -12,7 +12,9 @@ BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408 
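Review bot: In the new test_wbinfo_lookuprids_cache.sh the line `testit "delete" "$TDBTOOL" "$cache" delete "$key"` carries no `|| failed=...` fallback and `failed` is never initialised, so a failed or empty-key delete is swallowed and the following lookuprids2 step then runs against the still-populated winbindd_cache.tdb instead of the gencache-only path the commit message says it is meant to exercise, passing vacuously. Initialise `failed=0` before the first testit, give the delete line the same fallback its neighbours use, and consider a guard such as `[ -n "$key" ]` ahead of the delete, since the `grep ^key.*NDR.*/16/` extraction is unquoted and can yield zero or several keys. In winbindd_dual_srv.c the relaxed condition now lets STATUS_SOME_UNMAPPED through; presumably the names/types arrays then carry unmapped entries, so the code after the hunk must tolerate NULL names, and a comment at the condition such as `/* partial results are acceptable: unmapped rids are reported per entry below */` would make that contract explicit. The _wbint_LookupRids body continues outside the hunk.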
Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy -(cherry picked from commit 53e3a959b958a3b099df6ecc5f6e294e96bd948e) + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Jun 17 17:42:02 UTC 2020 on sn-devel-184 --- docs-xml/smbdotconf/security/tlspriority.xml | 10 ++--- lib/param/loadparm.c | 10 ++++- 
@@ -211,5 +213,130 @@ index b2b955f3c90..631405fa34c 100644 # # This is available since version 3.6.10, but 3.6.10 has a bug which got fixed -- -2.27.0 +2.26.2 + + +From fdcf9f23f659025f174b32109a273e80b2ad289e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 30 Jun 2020 17:12:17 +0200 +Subject: [PATCH 2/2] tls: Use NORMAL:-VERS-SSL3.0 as the default configuration + +This seems to be really broken in GnuTLS and the documentation is also +not correct. + +This partially reverts 53e3a959b958a3b099df6ecc5f6e294e96bd948e + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14408 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Wed Jul 1 14:56:33 UTC 2020 on sn-devel-184 +--- + docs-xml/smbdotconf/security/tlspriority.xml | 6 ++---- + lib/param/loadparm.c | 6 ------ + python/samba/tests/docs.py | 21 -------------------- + source3/param/loadparm.c | 8 +------- + 4 files changed, 3 insertions(+), 38 deletions(-) + +diff --git a/docs-xml/smbdotconf/security/tlspriority.xml b/docs-xml/smbdotconf/security/tlspriority.xml +index 6d1f0dcb912..471dc25ba3b 100644 +--- a/docs-xml/smbdotconf/security/tlspriority.xml ++++ b/docs-xml/smbdotconf/security/tlspriority.xml +@@ -12,10 +12,8 @@ + GNUTLS + Priority-Strings documentation at http://gnutls.org/manual/html_node/Priority-Strings.html + +- By default it will try to find a config file matching "SAMBA", but if +- that does not exist will use the entry for "SYSTEM" and last fallback to +- NORMAL. In all cases the SSL3.0 protocol will be disabled. ++ The SSL3.0 protocol will be disabled. 
+ + +- @SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0 ++ NORMAL:-VERS-SSL3.0 + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 8fdd844fbaa..4e7e3f599dd 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2803,15 +2803,9 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "tls keyfile", "tls/key.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls certfile", "tls/cert.pem"); + lpcfg_do_global_parameter(lp_ctx, "tls cafile", "tls/ca.pem"); +-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND +- lpcfg_do_global_parameter(lp_ctx, +- "tls priority", +- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); +-#else + lpcfg_do_global_parameter(lp_ctx, + "tls priority", + "NORMAL:-VERS-SSL3.0"); +-#endif + + lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g"); + +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 789865221cb..654a192b510 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -26,22 +26,6 @@ import os + import subprocess + import xml.etree.ElementTree as ET + +-config_h = os.path.join("bin/default/include/config.h") +-config_hash = dict() +- +-if os.path.exists(config_h): +- config_hash = dict() +- f = open(config_h, 'r') +- try: +- lines = f.readlines() +- config_hash = dict((x[0], ' '.join(x[1:])) +- for x in map(lambda line: line.strip().split(' ')[1:], +- list(filter(lambda line: (line[0:7] == '#define') and (len(line.split(' ')) > 2), lines)))) +- finally: +- f.close() +- +-have_gnutls_system_config_support = ("HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND" in config_hash) +- + class TestCase(samba.tests.TestCaseInTempDir): + + def _format_message(self, parameters, message): +@@ -142,11 +126,6 @@ class SmbDotConfTests(TestCase): + 'smbd max async dosmode', + ]) + +- # 'tls priority' has a legacy default value if we don't link against a +- # modern GnuTLS version. 
+- if not have_gnutls_system_config_support: +- special_cases.add('tls priority') +- + def setUp(self): + super(SmbDotConfTests, self).setUp() + # create a minimal smb.conf file for testparm +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 2b1a63998d6..901f01b1c6a 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -885,15 +885,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + lpcfg_string_set(Globals.ctx, &Globals._tls_keyfile, "tls/key.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_certfile, "tls/cert.pem"); + lpcfg_string_set(Globals.ctx, &Globals._tls_cafile, "tls/ca.pem"); +-#ifdef HAVE_GNUTLS_SET_DEFAULT_PRIORITY_APPEND + lpcfg_string_set(Globals.ctx, + &Globals.tls_priority, +- "@SAMBA,SYSTEM,NORMAL:!-VERS-SSL3.0"); +-#else +- lpcfg_string_set(Globals.ctx, +- &Globals.tls_priority, +- "NORMAL!-VERS-SSL3.0"); +-#endif ++ "NORMAL:-VERS-SSL3.0"); + + lpcfg_string_set(Globals.ctx, &Globals.share_backend, "classic"); + +-- +2.26.2 diff --git a/SOURCES/samba-4.12-user-gencache.patch b/SOURCES/samba-4.12-user-gencache.patch new file mode 100644 index 0000000..7836c91 --- /dev/null +++ b/SOURCES/samba-4.12-user-gencache.patch 
@@ -0,0 +1,478 @@ +From 3dbdb8c3d8cd0498e1afb47758fea700f5061435 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 7 May 2020 12:25:24 +0200 +Subject: [PATCH 1/4] lib:util: Add path_expand_tilde() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1) +--- + lib/util/util_paths.c | 72 +++++++++++++++++++++++++++++++++++++++++++ + lib/util/util_paths.h | 9 ++++++ + 2 files changed, 81 insertions(+) + +diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c +index 0473557dfc6..c05246a7407 100644 +--- a/lib/util/util_paths.c ++++ b/lib/util/util_paths.c +@@ -6,6 +6,7 @@ + Copyright (C) Simo Sorce 2001 + Copyright (C) Jim McDonough 2003 + Copyright (C) James Peach 2006 ++ Copyright (c) 2020 Andreas Schneider + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -24,6 +25,7 @@ + #include "includes.h" + #include "dynconfig/dynconfig.h" + #include "lib/util/util_paths.h" ++#include "system/passwd.h" + + /** + * @brief Returns an absolute path to a file in the Samba modules directory. 
+@@ -62,3 +64,73 @@ const char *shlib_ext(void) + return get_dyn_SHLIBEXT(); + } + ++static char *get_user_home_dir(TALLOC_CTX *mem_ctx) ++{ ++ struct passwd pwd = {0}; ++ struct passwd *pwdbuf = NULL; ++ char buf[NSS_BUFLEN_PASSWD] = {0}; ++ int rc; ++ ++ rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); ++ if (rc != 0 || pwdbuf == NULL ) { ++ const char *szPath = getenv("HOME"); ++ if (szPath == NULL) { ++ return NULL; ++ } ++ snprintf(buf, sizeof(buf), "%s", szPath); ++ ++ return talloc_strdup(mem_ctx, buf); ++ } ++ ++ return talloc_strdup(mem_ctx, pwd.pw_dir); ++} ++ ++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d) ++{ ++ char *h = NULL, *r = NULL; ++ const char *p = NULL; ++ struct stat sb = {0}; ++ int rc; ++ ++ if (d[0] != '~') { ++ return talloc_strdup(mem_ctx, d); ++ } ++ d++; ++ ++ /* handle ~user/path */ ++ p = strchr(d, '/'); ++ if (p != NULL && p > d) { ++ struct passwd *pw; ++ size_t s = p - d; ++ char u[128]; ++ ++ if (s >= sizeof(u)) { ++ return NULL; ++ } ++ memcpy(u, d, s); ++ u[s] = '\0'; ++ ++ pw = getpwnam(u); ++ if (pw == NULL) { ++ return NULL; ++ } ++ h = talloc_strdup(mem_ctx, pw->pw_dir); ++ } else { ++ p = d; ++ h = get_user_home_dir(mem_ctx); ++ } ++ if (h == NULL) { ++ return NULL; ++ } ++ ++ rc = stat(h, &sb); ++ if (rc != 0) { ++ TALLOC_FREE(h); ++ return NULL; ++ } ++ ++ r = talloc_asprintf(mem_ctx, "%s%s", h, p); ++ TALLOC_FREE(h); ++ ++ return r; ++} +diff --git a/lib/util/util_paths.h b/lib/util/util_paths.h +index 80e8aaac6e9..cf34f691e5f 100644 +--- a/lib/util/util_paths.h ++++ b/lib/util/util_paths.h +@@ -51,4 +51,13 @@ char *data_path(TALLOC_CTX *mem_ctx, const char *name); + **/ + const char *shlib_ext(void); + ++/** ++ * @brief Expand a directory starting with a tilde '~' ++ * ++ * @param[in] d The directory to expand. ++ * ++ * @return The expanded directory, NULL on error. 
++ */ ++char *path_expand_tilde(TALLOC_CTX *mem_ctx, const char *d); ++ + #endif +-- +2.26.2 + + +From d43c586576353cba5082ba396c521dde1cde4929 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 11 May 2020 12:50:11 +0200 +Subject: [PATCH 2/4] lib:util: Add test for path_expand_tilde() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a) +--- + lib/util/tests/test_util_paths.c | 127 +++++++++++++++++++++++++++++++ + lib/util/wscript_build | 6 ++ + selftest/tests.py | 2 + + 3 files changed, 135 insertions(+) + create mode 100644 lib/util/tests/test_util_paths.c + +diff --git a/lib/util/tests/test_util_paths.c b/lib/util/tests/test_util_paths.c +new file mode 100644 +index 00000000000..b89abf0aea1 +--- /dev/null ++++ b/lib/util/tests/test_util_paths.c +@@ -0,0 +1,127 @@ ++/* ++ * Unix SMB/CIFS implementation. ++ * ++ * Copyright (C) 2020 Andreas Schneider ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . 
++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include "lib/replace/replace.h" ++#include "lib/util/util_paths.c" ++ ++static int setup(void **state) ++{ ++ TALLOC_CTX *mem_ctx = talloc_new(NULL); ++ ++ assert_non_null(mem_ctx); ++ *state = mem_ctx; ++ ++ return 0; ++} ++ ++static int teardown(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ TALLOC_FREE(mem_ctx); ++ ++ return 0; ++} ++ ++static void test_get_user_home_dir(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ struct passwd *pwd = getpwuid(getuid()); ++ char *user; ++ ++ user = get_user_home_dir(mem_ctx); ++ assert_non_null(user); ++ assert_string_equal(user, pwd->pw_dir); ++ ++ TALLOC_FREE(user); ++} ++ ++static void test_path_expand_tilde(void **state) ++{ ++ TALLOC_CTX *mem_ctx = *state; ++ char h[256] = {0}; ++ char *d = NULL; ++ const char *user = NULL; ++ char *home = NULL; ++ ++ user = getenv("USER"); ++ if (user == NULL){ ++ user = getenv("LOGNAME"); ++ } ++ ++ /* In certain CIs there no such variables */ ++ if (user == NULL) { ++ struct passwd *pw = getpwuid(getuid()); ++ if (pw){ ++ user = pw->pw_name; ++ } ++ } ++ ++ home = getenv("HOME"); ++ assert_non_null(home); ++ snprintf(h, sizeof(h), "%s/.cache", home); ++ ++ d = path_expand_tilde(mem_ctx, "~/.cache"); ++ assert_non_null(d); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++ ++ snprintf(h, sizeof(h), "%s/.cache/X~", home); ++ d = path_expand_tilde(mem_ctx, "~/.cache/X~"); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++ ++ d = path_expand_tilde(mem_ctx, "/guru/meditation"); ++ assert_non_null(d); ++ assert_string_equal(d, "/guru/meditation"); ++ TALLOC_FREE(d); ++ ++ snprintf(h, sizeof(h), "~%s/.cache", user); ++ d = path_expand_tilde(mem_ctx, h); ++ assert_non_null(d); ++ ++ snprintf(h, sizeof(h), "%s/.cache", home); ++ assert_string_equal(d, h); ++ TALLOC_FREE(d); ++} ++ ++int main(int argc, char *argv[]) ++{ ++ int rc; ++ const struct CMUnitTest tests[] = { ++ 
cmocka_unit_test(test_get_user_home_dir), ++ cmocka_unit_test(test_path_expand_tilde), ++ }; ++ ++ if (argc == 2) { ++ cmocka_set_test_filter(argv[1]); ++ } ++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); ++ ++ rc = cmocka_run_group_tests(tests, setup, teardown); ++ ++ return rc; ++} +diff --git a/lib/util/wscript_build b/lib/util/wscript_build +index a827eea3ed9..608f7b3dd73 100644 +--- a/lib/util/wscript_build ++++ b/lib/util/wscript_build +@@ -288,3 +288,9 @@ else: + deps='cmocka replace samba-util', + local_include=False, + for_selftest=True) ++ ++ bld.SAMBA_BINARY('test_util_paths', ++ source='tests/test_util_paths.c', ++ deps='cmocka replace talloc samba-util', ++ local_include=False, ++ for_selftest=True) +diff --git a/selftest/tests.py b/selftest/tests.py +index 96d3f8d6317..b72a6fb65eb 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -389,6 +389,8 @@ plantestsuite("samba.unittests.ms_fnmatch", "none", + [os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")]) + plantestsuite("samba.unittests.byteorder", "none", + [os.path.join(bindir(), "default/lib/util/test_byteorder")]) ++plantestsuite("samba.unittests.util_paths", "none", ++ [os.path.join(bindir(), "default/lib/util/test_util_paths")]) + plantestsuite("samba.unittests.ntlm_check", "none", + [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) + plantestsuite("samba.unittests.gnutls", "none", +-- +2.26.2 + + +From 133edb95814adc43072fd33876caf9d720eaac1f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 6 May 2020 17:10:51 +0200 +Subject: [PATCH 3/4] s3:gencache: Allow to open gencache as read-only + +This allows client tools to access the cache for ready-only operations +as a normal user. 
+ +Example: + net ads status + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184 + +(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27) +--- + source3/lib/gencache.c | 63 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 60 insertions(+), 3 deletions(-) + +diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c +index 9ad85bbf55f..896bf50cbd7 100644 +--- a/source3/lib/gencache.c ++++ b/source3/lib/gencache.c +@@ -29,10 +29,13 @@ + #include "tdb_wrap/tdb_wrap.h" + #include "zlib.h" + #include "lib/util/strv.h" ++#include "lib/util/util_paths.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_TDB + ++#define GENCACHE_USER_PATH "~/.cache/samba/gencache.tdb" ++ + static struct tdb_wrap *cache; + + /** +@@ -68,6 +71,7 @@ static bool gencache_init(void) + { + char* cache_fname = NULL; + int open_flags = O_RDWR|O_CREAT; ++ int tdb_flags = TDB_INCOMPATIBLE_HASH|TDB_NOSYNC|TDB_MUTEX_LOCKING; + int hash_size; + + /* skip file open if it's already opened */ +@@ -85,10 +89,63 @@ static bool gencache_init(void) + DEBUG(5, ("Opening cache file at %s\n", cache_fname)); + + cache = tdb_wrap_open(NULL, cache_fname, hash_size, +- TDB_INCOMPATIBLE_HASH| +- TDB_NOSYNC| +- TDB_MUTEX_LOCKING, ++ tdb_flags, + open_flags, 0644); ++ /* ++ * Allow client tools to create a gencache in the home directory ++ * as a normal user. 
++ */ ++ if (cache == NULL && errno == EACCES && geteuid() != 0) { ++ char *cache_dname = NULL, *tmp = NULL; ++ bool ok; ++ ++ TALLOC_FREE(cache_fname); ++ ++ cache_fname = path_expand_tilde(talloc_tos(), ++ GENCACHE_USER_PATH); ++ if (cache_fname == NULL) { ++ DBG_ERR("Failed to expand path: %s\n", ++ GENCACHE_USER_PATH); ++ return false; ++ } ++ ++ tmp = talloc_strdup(talloc_tos(), cache_fname); ++ if (tmp == NULL) { ++ DBG_ERR("No memory!\n"); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ ++ cache_dname = dirname(tmp); ++ if (cache_dname == NULL) { ++ DBG_ERR("Invalid path: %s\n", cache_fname); ++ TALLOC_FREE(tmp); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ ++ ok = directory_create_or_exist(cache_dname, 0700); ++ if (!ok) { ++ DBG_ERR("Failed to create directory: %s - %s\n", ++ cache_dname, strerror(errno)); ++ TALLOC_FREE(tmp); ++ TALLOC_FREE(cache_fname); ++ return false; ++ } ++ TALLOC_FREE(tmp); ++ ++ cache = tdb_wrap_open(NULL, ++ cache_fname, ++ hash_size, ++ tdb_flags, ++ open_flags, ++ 0644); ++ if (cache != NULL) { ++ DBG_INFO("Opening user cache file %s.\n", ++ cache_fname); ++ } ++ } ++ + if (cache == NULL) { + DEBUG(5, ("Opening %s failed: %s\n", cache_fname, + strerror(errno))); +-- +2.26.2 + + +From de71248d86e29ca7d1d2df0f197b930ae8472d5b Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 15 May 2020 12:18:02 -0700 +Subject: [PATCH 4/4] s3: lib: Paranoia around use of snprintf copying into a + fixed-size buffer from a getenv() pointer. + +Post checks for overflow/error. 
+ +Signed-off-by: Jeremy Allison +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184 + +(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7) +--- + lib/util/util_paths.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/util/util_paths.c b/lib/util/util_paths.c +index c05246a7407..c0ee5c32c30 100644 +--- a/lib/util/util_paths.c ++++ b/lib/util/util_paths.c +@@ -73,12 +73,16 @@ static char *get_user_home_dir(TALLOC_CTX *mem_ctx) + + rc = getpwuid_r(getuid(), &pwd, buf, NSS_BUFLEN_PASSWD, &pwdbuf); + if (rc != 0 || pwdbuf == NULL ) { ++ int len_written; + const char *szPath = getenv("HOME"); + if (szPath == NULL) { + return NULL; + } +- snprintf(buf, sizeof(buf), "%s", szPath); +- ++ len_written = snprintf(buf, sizeof(buf), "%s", szPath); ++ if (len_written >= sizeof(buf) || len_written < 0) { ++ /* Output was truncated or an error. */ ++ return NULL; ++ } + return talloc_strdup(mem_ctx, buf); + } + +-- +2.26.2 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 095620c..68b5726 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -8,7 +8,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define main_release 5 +%define main_release 11 %define samba_version 4.12.3 %define talloc_version 2.3.1 @@ -135,6 +135,10 @@ Source201: README.downgrade Patch0: samba-4.12-gnutls-priority-list.patch Patch1: dnshostname_all.patch +Patch2: samba-4.12-fix_pam_winbind_manpage.patch +Patch3: ldapsslads-v4-12.patch +Patch4: samba-4.12-fix_winbind_lookuprids.patch +Patch5: samba-4.12-user-gencache.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd 
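Review bot: In `path_expand_tilde` a `~user` argument with no trailing slash is mishandled: `strchr(d, '/')` returns NULL, so the code takes the `~` branch with `p = d` and returns the caller's own home directory with the user name appended (`~bob` becomes `/home/alicebob`), and the `stat()` only checks `h`, not the composed path. The test in patch 2/4 only exercises `~%s/.cache`, so a case for a bare `~user` would expose this; treating a NULL result as "user name runs to the end of the string" handles both forms, as sketched below. Separately, the fallback in `gencache_init` creates the tdb with mode 0644 inside a directory created 0700, which is only safe if `directory_create_or_exist` rejects a pre-existing `~/.cache/samba` that is not owned by the user or is group/world-writable — its body is not visible here, so please confirm; the embedded subject "Allow to open gencache as read-only" also does not describe what the hunk does, which is to open a second, writable per-user cache with `O_RDWR|O_CREAT`. A style nit in patch 4/4: `len_written >= sizeof(buf) || len_written < 0` only works because the negative int converts to a large size_t; `if (len_written < 0 || (size_t)len_written >= sizeof(buf))` says what is meant and avoids a sign-compare warning.
```c
	/* handle ~user/path and ~user (no path component) */
	p = strchr(d, '/');
	if (p == NULL) {
		p = d + strlen(d);
	}
	if (p > d) {
		/* … unchanged: getpwnam() lookup of the name between d and p … */
	} else {
		h = get_user_home_dir(mem_ctx);
	}
	/* … unchanged: stat(h), talloc_asprintf(), return … */
```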
@@ -1339,6 +1343,10 @@ fi
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
+%dir %{_datadir}/samba
+%dir %{_datadir}/samba/mdssvc
+%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
+
 %{_unitdir}/nmb.service
 %{_unitdir}/smb.service
 %attr(1777,root,root) %dir /var/spool/samba
@@ -1446,9 +1454,6 @@ fi
 %{_mandir}/man8/cifsdd.8.*
 %{_mandir}/man8/samba-regedit.8*
 %{_mandir}/man8/smbspool.8*
-%dir %{_datadir}/samba
-%dir %{_datadir}/samba/mdssvc
-%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
 ### CLIENT-LIBS
 %files client-libs
@@ -3576,6 +3581,26 @@ fi
 %endif
 %changelog
+* Wed Jul 22 2020 Andreas Schneider - 4.12.3-11
+- resolves: #1859277 - Allow a user to use gencache
+
+* Wed Jul 15 2020 Isaac Boukris - 4.12.3-10
+- related: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Tue Jul 14 2020 Andreas Schneider - 4.12.3-9
+- related: #1817557 - Move DECRPC mdssvc data files to correct package
+- resolves: #1856676 - Fix lookuprids in winbind
+
+* Mon Jul 13 2020 Isaac Boukris - 4.12.3-8
+- resolves: #1856315 - Fix net-ads-join with LDAP over TLS
+
+* Fri Jul 10 2020 Andreas Schneider - 4.12.3-7
+- resolves: #1855711 - Fix 'require_membership_of' documentation in
+ pam_winbind manpage
+
+* Thu Jul 09 2020 Andreas Schneider - 4.12.3-6
+- related: #1842844 - Fix TLS connections with GnuTLS
+
 * Wed Jul 01 2020 Andreas Schneider - 4.12.3-5
 - resolves: #1823612 - Fix segfault in 'net ads dns gethostbyname'
 - resolves: #1792553 - Fix 'net ads join createcomputer=OU'