diff --git a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
new file mode 100644
index 0000000..d72091e
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch
@@ -0,0 +1,52 @@
+From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
+From: Bryan Mason
+Date: Mon, 16 Sep 2019 12:35:06 -0700
+Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
+
+CUPS sanitizes argv[0] by removing username/password, so use
+DEVICE_URI environment variable first.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
+
+Signed-off-by: Bryan Mason
+Reviewed-by: Alexander Bokovoy
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
+
+(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
+---
+ source3/client/smbspool.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
+index ad988eb0df9..36f7f67ca94 100644
+--- a/source3/client/smbspool.c
++++ b/source3/client/smbspool.c
+@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */
+ 
+ /*
+ * Find the URI ...
+- */
+- if (dev_uri == NULL) {
+- env = getenv("DEVICE_URI");
+- if (env != NULL && env[0] != '\0') {
+- dev_uri = env;
+- }
+- }
++ *
++ * The URI in argv[0] is sanitized to remove username/password, so
++ * use DEVICE_URI if available. Otherwise keep the URI already
++ * discovered in argv.
++ */
++ env = getenv("DEVICE_URI");
++ if (env != NULL && env[0] != '\0') {
++ dev_uri = env;
++ }
+ 
+ if (dev_uri == NULL) {
+ fprintf(stderr,
+-- 
+2.23.0
+
diff --git a/SOURCES/samba-4.10-fix_spnego_downgrade.patch b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
new file mode 100644
index 0000000..e762571
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_spnego_downgrade.patch
@@ -0,0 +1,160 @@
+From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 16:31:21 +0300
+Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
+ token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+---
+ auth/gensec/spnego.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index dc73e324d99..97472c26837 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -136,6 +136,7 @@ struct spnego_state {
+ bool done_mic_check;
+ 
+ bool simulate_w2k;
++ bool no_optimistic;
+ 
+ /*
+ * The following is used to implement
+@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
+ 
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
++ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
++ "spnego",
++ "client_no_optimistic",
++ false);
+ 
+ gensec_security->private_data = spnego_state;
+ return NT_STATUS_OK;
+@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
++ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
++ spnego_state->no_optimistic) {
++ /*
++ * Skip optimistic token per conf.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+-- 
+2.21.0
+
+
+From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 16:39:43 +0300
+Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+---
+ selftest/knownfail.d/spnego_no_optimistic | 1 +
+ source4/selftest/tests.py | 4 ++++
+ 2 files changed, 5 insertions(+)
+ create mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+new file mode 100644
+index 00000000000..54f51446be0
+--- /dev/null
++++ b/selftest/knownfail.d/spnego_no_optimistic
+@@ -0,0 +1 @@
++^samba4.smb.spnego.*.no_optimistic
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index 34ebe10cd79..d73d426ee3c 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
+ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
+ plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
+ 
++# Test SPNEGO without issuing an optimistic token
++opt='--option=spnego:client_no_optimistic=yes'
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
+ 
+ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
+ 
+-- 
+2.21.0
+
+
+From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 17:04:12 +0300
+Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
+---
+ auth/gensec/spnego.c | 13 +++++++++++++
+ selftest/knownfail.d/spnego_no_optimistic | 1 -
+ 4 files changed, 13 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 97472c26837..ddbe03c5d6b 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ spnego_state->mic_requested = true;
+ }
+ 
++ if (sub_in.length == 0) {
++ spnego_state->no_optimistic = true;
++ }
++
+ /*
+ * Note that 'cur_sec' is temporary memory, but
+ * cur_sec->oid points to a const string in the
+@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
++ state->sub.in.length == 0 && spnego_state->no_optimistic) {
++ /*
++ * If we didn't like the mechanism for which the client sent us
++ * an optimistic token, or if he didn't send any, don't call
++ * the sub mechanism just yet.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ spnego_state->no_optimistic = false;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+deleted file mode 100644
+index 54f51446be0..00000000000
+--- a/selftest/knownfail.d/spnego_no_optimistic
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.smb.spnego.*.no_optimistic
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
new file mode 100644
index 0000000..6f7ca74
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
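Review bot: In patch 3/3 the `no_optimistic` member introduced by patch 1/3 takes on a second meaning: on the client it is an operator setting read once in gensec_spnego_client_start (`client_no_optimistic`), while gensec_spnego_server_negTokenInit_step now sets it from peer-supplied input (`sub_in.length == 0`) and gensec_spnego_update_pre consumes and clears it. A configuration flag and a per-exchange state bit derived from the wire sharing one field is easy to misread when auditing the state machine; a separate member such as `bool server_no_optimistic;`, or at least a comment on the struct field like `/* client: configured to omit the optimistic token; server: set while a negTokenInit without an optimistic token is being processed */`, would make the two roles explicit. The new comment in update_pre also mentions the case where the server "didn't like the mechanism" of an optimistic token, but the visible condition only tests `state->sub.in.length == 0 && spnego_state->no_optimistic`, so that sentence may describe a wider path than this branch handles and is worth confirming against the full function, which continues outside the hunk. The diffstat of patch 3/3 says `4 files changed, 13 insertions(+), 4 deletions(-)` while only auth/gensec/spnego.c and the knownfail file follow it, so the backport appears to have dropped files; stating that in the patch header would make the backport's scope clear.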
@@ -0,0 +1,48 @@
+From 2d783791856be182d420555d8df5e31768b0d7d2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Thu, 12 Sep 2019 16:39:10 +0200
+Subject: [PATCH] s3-winbindd: fix forest trusts with additional trust
+ attributes.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
+
+Guenther
+
+Signed-off-by: Guenther Deschner
+Reviewed-by: Stefan Metzmacher
+Reviewed-by: Andreas Schneider
+(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26)
+---
+ source3/winbindd/winbindd_ads.c | 2 +-
+ source3/winbindd/winbindd_util.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 5f20cfb7f76..485ca831be9 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -1457,7 +1457,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
+ */
+ 
+ if ((trust->trust_attributes
+- == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
++ & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
+ !domain->primary )
+ {
+ DEBUG(10,("trusted_domains: Skipping external trusted "
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index cc4c3f7391a..ee7651c9639 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -723,7 +723,7 @@ static void rescan_forest_trusts( void )
+ 
+ if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
+ (type == LSA_TRUST_TYPE_UPLEVEL) &&
+- (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
++ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
+ {
+ /* add the trusted domain if we don't know
+ about it */
+-- 
+2.21.0
+
diff --git a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
new file mode 100644
index 0000000..18aad34
--- /dev/null
+++ b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
@@ -0,0 +1,52 @@
+From 1e8931dfc24a2576a3b1fe9115c4ccbfefbbd298 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 19 Dec 2018 09:38:33 +0100
+Subject: [PATCH] s3:auth: ignore create_builtin_guests() failing without a
+ valid idmap configuration
+
+This happens on standalone servers, where winbindd is automatically
+started by init scripts if it's installed. But it's not really
+used and may not have a valid idmap configuration (
+"idmap config * : range" has no default!)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697
+
+Signed-off-by: Stefan Metzmacher
+Reviewed-by: Alexander Bokovoy
+(cherry picked from commit 865538fabaea33741f5fa542dbc3f2e08308c2c1)
+---
+ source3/auth/token_util.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
+index f5b0e6944335..ee38d6c9645b 100644
+--- a/source3/auth/token_util.c
++++ b/source3/auth/token_util.c
+@@ -745,7 +745,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
+ status = create_builtin_guests(domain_sid);
+ unbecome_root();
+ 
+- if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
++ /*
++ * NT_STATUS_PROTOCOL_UNREACHABLE:
++ * => winbindd is not running.
++ *
++ * NT_STATUS_ACCESS_DENIED:
++ * => no idmap config at all
++ * and wbint_AllocateGid()/winbind_allocate_gid()
++ * failed.
++ *
++ * NT_STATUS_NO_SUCH_GROUP:
++ * => no idmap config at all and
++ * "tdbsam:map builtin = no" means
++ * wbint_Sids2UnixIDs() fails.
++ */
++ if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
+ /*
+ * Add BUILTIN\Guests directly to token.
+ * But only if the token already indicates
+-- 
+2.17.1
+
diff --git a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
new file mode 100644
index 0000000..c196b55
--- /dev/null
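Review bot: The widened condition in finalize_local_nt_token now treats NT_STATUS_ACCESS_DENIED and NT_STATUS_NO_SUCH_GROUP from create_builtin_guests() exactly like winbindd being unreachable and silently takes the BUILTIN\Guests fallback, although the new block comment itself ties those two codes to one specific misconfiguration (no idmap config, `tdbsam:map builtin = no`). An ACCESS_DENIED with a different cause would be masked with no trace in the logs; one diagnostic before the fallback, e.g. `DBG_NOTICE("create_builtin_guests() failed: %s, adding BUILTIN\\Guests directly\n", nt_errstr(status));`, keeps the behaviour while making the swallowed failure visible to an administrator. The enclosing function continues outside the hunk on both sides.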
+++ b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch
@@ -0,0 +1,48 @@
+From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov
+Date: Wed, 31 Jul 2019 23:17:20 +0400
+Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add check for requested replies of existing machine object during join
+machine to domain. This solves regression fail during join with error:
+"None of the information to be translated has been translated."
+
+https://bugzilla.samba.org/show_bug.cgi?id=14007
+
+Reviewed-by: Guenther Deschner
+Reviewed-by: Alexander Bokovoy
+Reviewed-by: Stefan Metzmacher
+
+Autobuild-User(master): Günther Deschner
+Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184
+---
+ source3/libads/ldap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 4f3d43b02b1..2110390b65f 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
+ }
+ 
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+- ads_msgfree(ads, res);
+- if (ADS_ERR_OK(ret)) {
++ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
++ ads_msgfree(ads, res);
+ goto done;
+ }
++ ads_msgfree(ads, res);
+ 
+ new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
+ samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
+-- 
+2.21.0
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 50ebc80..0543006 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
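Review bot: The new test `ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1` in ads_create_machine_acct sends a search that returns more than one entry down the same path as a search that returns none, i.e. on to the `talloc_asprintf(ctx, "cn=%s,%s", ...)` line and account creation. If ads_find_machine_acct can ever return several replies, `>= 1` (or a `DBG_WARNING` for the multi-reply case before treating the account as existing) reads as the safer choice; whether multiple replies are possible is not visible here and should be confirmed. The function continues outside the hunk in both directions.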
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
-%define main_release 6
+%define main_release 10
 %define samba_version 4.9.1
 %define talloc_version 2.1.14
@@ -145,6 +145,11 @@ Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
 Patch15: samba-4.9-CVE-2019-3880.patch
 Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
 Patch17: samba-4.9-fix_cups_printing.patch
+Patch18: samba-4.9-net_ads_join_createcomputer.patch
+Patch19: samba-4.10-fix_smbspool_username_passwd.patch
+Patch20: samba-4.9-fix_builtin_groups_creation.patch
+Patch21: samba-4.10-fix_winbind_trustdom_enum.patch
+Patch22: samba-4.10-fix_spnego_downgrade.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -3240,6 +3245,21 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
+* Mon Oct 21 2019 Isaac Boukris - 4.9.1.10
+- resolves: #1763650 - Fix spnego downgrade
+
+* Tue Oct 08 2019 Andreas Schneider - 4.9.1-9
+- resolves: #1759445 - Fix trusted domain enumeration in windind caused
+ a Active Directory update
+
+* Tue Sep 24 2019 Andreas Schneider - 4.9.1-8
+- resolves: #1754838 - Fix username/password auth with smbspool
+- resolves: #1754835 - Fix builtin groups creation.
+
+
+* Fri Sep 06 2019 Guenther Deschner - 4.9.1-7
+- resolves: #1749300 - Fix 'net ads join createcomputer='
+
 * Fri May 24 2019 Andreas Schneider - 4.9.1-6
 - related: #1703204 - Fix printing with smbspool as CUPS backend