diff --git a/SOURCES/CVE-2016-2119-v4-2.patch b/SOURCES/CVE-2016-2119-v4-2.patch
new file mode 100644
index 0000000..abf9c0d
--- /dev/null
+++ b/SOURCES/CVE-2016-2119-v4-2.patch
@@ -0,0 +1,124 @@
+From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Wed, 20 Apr 2016 11:26:57 +0200
+Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if
+ we require signing
+
+Note real anonymous sessions (with "" as username) don't hit this
+as we don't even call smb2cli_session_set_session_key() in that case.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher
+---
+ libcli/smb/smbXcli_base.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index b07fdad..6797207 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
+ return false;
+ }
+
++ if (session->conn->mandatory_signing) {
++ return false;
++ }
++
+ if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ return true;
+@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+ const struct iovec *recv_iov)
+ {
+ struct smbXcli_conn *conn = session->conn;
+- uint16_t no_sign_flags;
++ uint16_t no_sign_flags = 0;
+ uint8_t session_key[16];
+ bool check_signature = true;
+ uint32_t hdr_flags;
+@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
++ if (!conn->mandatory_signing) {
++ /*
++ * only allow guest sessions without
++ * mandatory signing.
++ *
++ * If we try an authentication with username != ""
++ * and the server let us in without verifying the
++ * password we don't have a negotiated session key
++ * for signing.
++ */
++ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
++ }
+
+ if (session->smb2->session_flags & no_sign_flags) {
+ session->smb2->should_sign = false;
+--
+1.9.1
+
+
+From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Thu, 28 Apr 2016 02:36:35 +0200
+Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding
+ smbXcli_session_is_guest() with mandatory signing
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/cliconnect.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 420fe3c..3de3796 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
+ * have a negotiated session key.
+ *
+ * So just pretend we are completely done.
++ *
++ * Note that smbXcli_session_is_guest()
++ * always returns false if we require signing.
+ */
+ state->blob_in = data_blob_null;
+ state->local_ready = true;
+--
+1.9.1
+
+
+From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Thu, 28 Apr 2016 02:24:52 +0200
+Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for
+ guest logins and mandatory signing
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/script/tests/test_smbclient_ntlm.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
+index b8fc564..33a927f 100755
+--- a/source3/script/tests/test_smbclient_ntlm.sh
++++ b/source3/script/tests/test_smbclient_ntlm.sh
+@@ -37,4 +37,8 @@ else
+
+ testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
+ testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
++
++ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
++ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
++ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
+ fi
+--
+1.9.1
+
diff --git a/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path b/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path
new file mode 100644
index 0000000..2bea56c
--- /dev/null
+++ b/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path
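Review bot: The Subject lines of all three embedded commits read `CVE-2016-2019`, while the patch file is named CVE-2016-2119-v4-2.patch and points at Bugzilla 11860; one of the two identifiers is wrong, and a mismatched CVE in a security backport breaks advisory and scanner matching, so it should be corrected before import or, if the typo is inherited from upstream, called out in the spec changelog. The new early return in smbXcli_session_is_guest() silently changes what the function means once signing is mandatory and deserves a why-comment, e.g. `/* Never report guest when signing is mandatory: a guest login leaves us without a session key to sign with, so the session must be handled as a normal signed one. */`. The rewritten assignment in smb2cli_session_set_session_key() also drops SMB2_SESSION_FLAG_IS_NULL from no_sign_flags on every path, not only under mandatory signing; the commit message argues real anonymous sessions never reach this code, and a one-line comment stating that assumption next to the new assignment would stop a future backport from reintroducing the flag. The three new testit_expect_failure cases only assert that smbclient fails, so any unrelated failure would also pass them; checking the expected NT_STATUS in the output would pin the signing refusal specifically. smb2cli_session_set_session_key() continues past the end of the hunk, so the remaining signature-check logic is not visible here.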
@@ -0,0 +1,1130 @@ +From 8672b486a2c847361e0e157be19eb2143ac550ab Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 18 Aug 2015 13:18:33 +0200 +Subject: [PATCH 01/14] loadparm3: Add lp_wi_scan_global_parametrics() + +This routine takes a regex and goes through all parametric parameters +in [global], matching the regex. It can easily be extended to also +look at shares, but right now it will only be used to list all idmap +config domain names. + +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 +(cherry picked from commit 443dd9bbbc641ede10a2a3708465f61ea3dfbde3) +--- + source3/include/proto.h | 9 ++++++ + source3/param/loadparm.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 82 insertions(+) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index be90024..df7eecc 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -23,6 +23,9 @@ + #ifndef _PROTO_H_ + #define _PROTO_H_ + ++#include ++#include ++ + /* The following definitions come from lib/access.c */ + + bool client_match(const char *tok, const void *item); +@@ -951,6 +954,12 @@ int lp_smb2_max_credits(void); + int lp_cups_encrypt(void); + bool lp_widelinks(int ); + ++int lp_wi_scan_global_parametrics( ++ const char *regex, size_t max_matches, ++ bool (*cb)(const char *string, regmatch_t matches[], ++ void *private_data), ++ void *private_data); ++ + char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def); + const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); + struct loadparm_service; +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index e805fa4..9e56aca 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -1074,6 +1074,79 @@ static struct parmlist_entry *get_parametrics(int snum, const char *type, + } + } + ++static void 
discard_whitespace(char *str) ++{ ++ size_t len = strlen(str); ++ size_t i = 0; ++ ++ while (i < len) { ++ if (isspace(str[i])) { ++ memmove(&str[i], &str[i+1], len-i); ++ len -= 1; ++ continue; ++ } ++ i += 1; ++ } ++} ++ ++/** ++ * @brief Go through all global parametric parameters ++ * ++ * @param regex_str A regular expression to scan param for ++ * @param max_matches Max number of submatches the regexp expects ++ * @param cb Function to call on match. Should return true ++ * when it wants wi_scan_global_parametrics to stop ++ * scanning ++ * @param private_data Anonymous pointer passed to cb ++ * ++ * @return 0: success, regcomp/regexec return value on error. ++ * See "man regexec" for possible errors ++ */ ++ ++int lp_wi_scan_global_parametrics( ++ const char *regex_str, size_t max_matches, ++ bool (*cb)(const char *string, regmatch_t matches[], ++ void *private_data), ++ void *private_data) ++{ ++ struct parmlist_entry *data; ++ regex_t regex; ++ int ret; ++ ++ ret = regcomp(®ex, regex_str, REG_ICASE); ++ if (ret != 0) { ++ return ret; ++ } ++ ++ for (data = Globals.param_opt; data != NULL; data = data->next) { ++ size_t keylen = strlen(data->key); ++ char key[keylen+1]; ++ regmatch_t matches[max_matches]; ++ bool stop; ++ ++ memcpy(key, data->key, sizeof(key)); ++ discard_whitespace(key); ++ ++ ret = regexec(®ex, key, max_matches, matches, 0); ++ if (ret == REG_NOMATCH) { ++ continue; ++ } ++ if (ret != 0) { ++ goto fail; ++ } ++ ++ stop = cb(key, matches, private_data); ++ if (stop) { ++ break; ++ } ++ } ++ ++ ret = 0; ++fail: ++ regfree(®ex); ++ return ret; ++} ++ + + #define MISSING_PARAMETER(name) \ + DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) +-- +2.9.0 + + +From ef3701654107528530141bb9a66ee1209060f21c Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Thu, 22 Jan 2015 12:08:52 +0000 +Subject: [PATCH 02/14] winbind: Fix idmap initialization + +The fix is in the sscanf line: %u in the sscanf format mandates the use of +a pointer to an 
"unsigned". idmap_domain->[low|high]_id are uint32_t. On +little endian 64-bit this might at least put the correct values into +low_id and high_id, but might overwrite the read_only bit set earlier, +depending on structure alignment and packing. On big endian 64-bit, +this will just fail. + +Automatic conversion to uint32_t will happen only at assignment, not +when you take a pointer of such a thing. + +Signed-off-by: Volker Lendecke +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104 + +(cherry picked from commit 63552f1c4c05a710143f12c2269754d0e547d945) +--- + source3/winbindd/idmap.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index a8beab7..841f710 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -172,6 +172,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, + NTSTATUS status; + char *config_option = NULL; + const char *range; ++ unsigned low_id, high_id; + + result = talloc_zero(mem_ctx, struct idmap_domain); + if (result == NULL) { +@@ -230,23 +231,24 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, + result->name)); + goto fail; + } +- } else if (sscanf(range, "%u - %u", &result->low_id, +- &result->high_id) != 2) ++ } else if (sscanf(range, "%u - %u", &low_id, &high_id) != 2) + { + DEBUG(1, ("invalid range '%s' specified for domain " + "'%s'\n", range, result->name)); + if (check_range) { + goto fail; + } +- } else if (result->low_id > result->high_id) { +- DEBUG(1, ("Error: invalid idmap range detected: %lu - %lu\n", +- (unsigned long)result->low_id, +- (unsigned long)result->high_id)); ++ } else if (low_id > high_id) { ++ DEBUG(1, ("Error: invalid idmap range detected: %u - %u\n", ++ low_id, high_id)); + if (check_range) { + goto fail; + } + } + ++ result->low_id = low_id; ++ result->high_id = high_id; 
++ + status = result->methods->init(result); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("idmap initialization returned %s\n", +-- +2.9.0 + + +From ad0688f0b2ed0e060fa2c5a612d10bf4daa2e9cf Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Wed, 4 Mar 2015 10:22:48 +0100 +Subject: [PATCH 03/14] winbind: Fix CID 1273295 Uninitialized scalar variable + +Signed-off-by: Volker Lendecke +Reviewed-by: David Disseldorp +(cherry picked from commit 25928b1bcc031469c5321ab283a8d0c32dde2f4f) +--- + source3/winbindd/idmap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 841f710..70f4e02 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -172,7 +172,8 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, + NTSTATUS status; + char *config_option = NULL; + const char *range; +- unsigned low_id, high_id; ++ unsigned low_id = 0; ++ unsigned high_id; + + result = talloc_zero(mem_ctx, struct idmap_domain); + if (result == NULL) { +-- +2.9.0 + + +From 940b73398d1e8847504db4d989ee548966f1e9c5 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Wed, 4 Mar 2015 10:28:20 +0100 +Subject: [PATCH 04/14] winbind: Fix CID 1273294 Uninitialized scalar variable + +Signed-off-by: Volker Lendecke +Reviewed-by: David Disseldorp +(cherry picked from commit 8e195fb52ecfa3c263f68b74f989fb48a3c9116f) +--- + source3/winbindd/idmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 70f4e02..1e2feb9 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -173,7 +173,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, + char *config_option = NULL; + const char *range; + unsigned low_id = 0; +- unsigned high_id; ++ unsigned high_id = 0; + + result = talloc_zero(mem_ctx, struct idmap_domain); + if (result == NULL) { +-- +2.9.0 + + +From 
461e69a3cb81247f0d514de865981ad56517d901 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 18 Aug 2015 16:58:02 +0200 +Subject: [PATCH 05/14] idmap: Move idmap_init() under the static vars + +Just moving code, idmap_init will need to reference the variables + +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 +(cherry picked from commit d36de86639b7782e1e959d61917d8f19fdfc902c) +--- + source3/winbindd/idmap.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 1e2feb9..0ba8fda 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -32,21 +32,6 @@ + + static_decl_idmap; + +-static void idmap_init(void) +-{ +- static bool initialized; +- +- if (initialized) { +- return; +- } +- +- DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); +- +- static_init_idmap; +- +- initialized = true; +-} +- + /** + * Pointer to the backend methods. Modules register themselves here via + * smb_register_idmap. +@@ -79,6 +64,21 @@ static struct idmap_domain *passdb_idmap_domain; + static struct idmap_domain **idmap_domains = NULL; + static int num_domains = 0; + ++static void idmap_init(void) ++{ ++ static bool initialized; ++ ++ if (initialized) { ++ return; ++ } ++ ++ DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); ++ ++ static_init_idmap; ++ ++ initialized = true; ++} ++ + static struct idmap_methods *get_methods(const char *name) + { + struct idmap_backend *b; +-- +2.9.0 + + +From 5b3f88a29d5e9d6133f6a1e43e3db69dc6fdd1f2 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Wed, 19 Aug 2015 17:00:46 +0200 +Subject: [PATCH 06/14] idmap: Initialize all idmap domains at startup + +So far we have initialized idmap domains on demand indexed by name. +For sid2xid this works okay, because we could do lookupsids before +and thus get the name. 
For xid2sid this is more problematic. We +have to rely on enumtrustdoms to work completely, and we have to +look at the list of winbind domains in the parent to get the domain +name. Relying on domain->have_idmap_config is not particularly nice. + +This patch re-works initialization of idmap domains by scanning all +parametric parameters, scanning for :backend configuration settings. +This way we get a complete list of :range definitions. This means +we can rely on the idmap domain array to be complete. This in turn +means we can live without the domain name to find a domain, we can +do a range search by uid or gid. + +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 +(cherry picked from commit ef0c91195533d95ba4fb7947ff5f69c20aa677b8) +--- + source3/winbindd/idmap.c | 199 ++++++++++++++++++++++++++--------------------- + 1 file changed, 109 insertions(+), 90 deletions(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 0ba8fda..40d87a7 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -64,12 +64,22 @@ static struct idmap_domain *passdb_idmap_domain; + static struct idmap_domain **idmap_domains = NULL; + static int num_domains = 0; + +-static void idmap_init(void) ++static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx, ++ const char *domname); ++static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, ++ const char *domainname, ++ const char *modulename, ++ bool check_range); ++static bool idmap_found_domain_backend( ++ const char *string, regmatch_t matches[], void *private_data); ++ ++static bool idmap_init(void) + { + static bool initialized; ++ int ret; + + if (initialized) { +- return; ++ return true; + } + + DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); +@@ -77,6 +87,80 @@ static void idmap_init(void) + static_init_idmap; + + initialized = true; ++ ++ if (!pdb_is_responsible_for_everything_else()) { 
++ default_idmap_domain = idmap_init_named_domain(NULL, "*"); ++ if (default_idmap_domain == NULL) { ++ return false; ++ } ++ } ++ ++ passdb_idmap_domain = idmap_init_domain( ++ NULL, get_global_sam_name(), "passdb", false); ++ if (passdb_idmap_domain == NULL) { ++ TALLOC_FREE(default_idmap_domain); ++ return false; ++ } ++ ++ idmap_domains = talloc_array(NULL, struct idmap_domain *, 0); ++ if (idmap_domains == NULL) { ++ TALLOC_FREE(passdb_idmap_domain); ++ TALLOC_FREE(default_idmap_domain); ++ return false; ++ } ++ ++ ret = lp_wi_scan_global_parametrics( ++ "idmapconfig\\(.*\\):backend", 2, ++ idmap_found_domain_backend, NULL); ++ if (ret != 0) { ++ DEBUG(5, ("wi_scan_global_parametrics returned %d\n", ret)); ++ return false; ++ } ++ ++ return true; ++} ++ ++static bool idmap_found_domain_backend( ++ const char *string, regmatch_t matches[], void *private_data) ++{ ++ if (matches[1].rm_so == -1) { ++ DEBUG(5, ("Found match, but no name??\n")); ++ return false; ++ } ++ ++ { ++ struct idmap_domain *dom, **tmp; ++ regoff_t len = matches[1].rm_eo - matches[1].rm_so; ++ char domname[len+1]; ++ ++ memcpy(domname, string + matches[1].rm_so, len); ++ domname[len] = '\0'; ++ ++ DEBUG(7, ("Found idmap domain \"%s\"\n", domname)); ++ ++ if (strcmp(domname, "*") == 0) { ++ return false; ++ } ++ ++ dom = idmap_init_named_domain(idmap_domains, domname); ++ if (dom == NULL) { ++ DEBUG(3, ("Could not init idmap domain %s\n", ++ domname)); ++ } ++ ++ tmp = talloc_realloc(idmap_domains, idmap_domains, ++ struct idmap_domain *, num_domains + 1); ++ if (tmp == NULL) { ++ DEBUG(1, ("talloc_realloc failed\n")); ++ TALLOC_FREE(dom); ++ return false; ++ } ++ idmap_domains = tmp; ++ idmap_domains[num_domains] = dom; ++ num_domains += 1; ++ } ++ ++ return false; + } + + static struct idmap_methods *get_methods(const char *name) +@@ -280,8 +364,12 @@ static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx, + struct idmap_domain *result = NULL; + char *config_option; + const 
char *backend; ++ bool ok; + +- idmap_init(); ++ ok = idmap_init(); ++ if (!ok) { ++ return NULL; ++ } + + config_option = talloc_asprintf(talloc_tos(), "idmap config %s", + domname); +@@ -312,57 +400,6 @@ fail: + } + + /** +- * Initialize the default domain structure +- * @param[in] mem_ctx memory context for the result +- * @result The default domain structure +- * +- * This routine takes the module name from the "idmap backend" parameter, +- * passing a possible parameter like ldap:ldap://ldap-url/ to the module. +- */ +- +-static struct idmap_domain *idmap_init_default_domain(TALLOC_CTX *mem_ctx) +-{ +- return idmap_init_named_domain(mem_ctx, "*"); +-} +- +-/** +- * Initialize the passdb domain structure +- * @param[in] mem_ctx memory context for the result +- * @result The default domain structure +- * +- * No config, passdb has its own configuration. +- */ +- +-static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx) +-{ +- idmap_init(); +- +- if (!pdb_is_responsible_for_everything_else()) { +- /* +- * Always init the default domain, we can't go without one +- */ +- if (default_idmap_domain == NULL) { +- default_idmap_domain = idmap_init_default_domain(NULL); +- } +- if (default_idmap_domain == NULL) { +- return NULL; +- } +- } +- +- if (passdb_idmap_domain != NULL) { +- return passdb_idmap_domain; +- } +- +- passdb_idmap_domain = idmap_init_domain(mem_ctx, get_global_sam_name(), +- "passdb", false); +- if (passdb_idmap_domain == NULL) { +- DEBUG(1, ("Could not init passdb idmap domain\n")); +- } +- +- return passdb_idmap_domain; +-} +- +-/** + * Find a domain struct according to a domain name + * @param[in] domname Domain name to get the config for + * @result The default domain structure that fits +@@ -379,21 +416,14 @@ static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx) + + static struct idmap_domain *idmap_find_domain(const char *domname) + { +- struct idmap_domain *result; ++ bool ok; + int i; + + DEBUG(10, 
("idmap_find_domain called for domain '%s'\n", + domname?domname:"NULL")); + +- idmap_init(); +- +- /* +- * Always init the default domain, we can't go without one +- */ +- if (default_idmap_domain == NULL) { +- default_idmap_domain = idmap_init_default_domain(NULL); +- } +- if (default_idmap_domain == NULL) { ++ ok = idmap_init(); ++ if (!ok) { + return NULL; + } + +@@ -407,38 +437,21 @@ static struct idmap_domain *idmap_find_domain(const char *domname) + } + } + +- if (idmap_domains == NULL) { +- /* +- * talloc context for all idmap domains +- */ +- idmap_domains = talloc_array(NULL, struct idmap_domain *, 1); +- } +- +- if (idmap_domains == NULL) { +- DEBUG(0, ("talloc failed\n")); +- return NULL; +- } +- +- result = idmap_init_named_domain(idmap_domains, domname); +- if (result == NULL) { +- /* +- * Could not init that domain -- try the default one +- */ +- return default_idmap_domain; +- } +- +- ADD_TO_ARRAY(idmap_domains, struct idmap_domain *, result, +- &idmap_domains, &num_domains); +- return result; ++ return default_idmap_domain; + } + + struct idmap_domain *idmap_find_domain_with_sid(const char *domname, + const struct dom_sid *sid) + { +- idmap_init(); ++ bool ok; ++ ++ ok = idmap_init(); ++ if (!ok) { ++ return NULL; ++ } + + if (sid_check_is_for_passdb(sid)) { +- return idmap_passdb_domain(NULL); ++ return passdb_idmap_domain; + } + + return idmap_find_domain(domname); +@@ -493,6 +506,12 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) + { + struct idmap_domain *dom; + struct id_map *maps[2]; ++ bool ok; ++ ++ ok = idmap_init(); ++ if (!ok) { ++ return NT_STATUS_NONE_MAPPED; ++ } + + DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d " + "(type %d)\n", +@@ -505,7 +524,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) + * Always give passdb a chance first + */ + +- dom = idmap_passdb_domain(NULL); ++ dom = passdb_idmap_domain; + if ((dom != NULL) + && 
NT_STATUS_IS_OK(dom->methods->unixids_to_sids(dom, maps)) + && id->status == ID_MAPPED) { +-- +2.9.0 + + +From 808cde4e8490af596ec2c6d1df3a24c4e2b719cb Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 18 Aug 2015 17:30:27 +0200 +Subject: [PATCH 07/14] idmap: Use a range search in + idmap_backends_unixid_to_sid + +This obsoletes the domain name in the xid2sid calls + +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 +(cherry picked from commit ad626b9e6b3c200c70b0d840c956f7b6fff20660) +--- + source3/winbindd/idmap.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 40d87a7..aff5792 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -507,6 +507,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) + struct idmap_domain *dom; + struct id_map *maps[2]; + bool ok; ++ int i; + + ok = idmap_init(); + if (!ok) { +@@ -531,7 +532,16 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) + return NT_STATUS_OK; + } + +- dom = idmap_find_domain(domname); ++ dom = default_idmap_domain; ++ ++ for (i=0; ixid.id >= idmap_domains[i]->low_id) && ++ (id->xid.id <= idmap_domains[i]->high_id)) { ++ dom = idmap_domains[i]; ++ break; ++ } ++ } ++ + if (dom == NULL) { + return NT_STATUS_NONE_MAPPED; + } +-- +2.9.0 + + +From ebc02665c40d38fca33df001a4f660a18719e33b Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 18 Aug 2015 17:34:29 +0200 +Subject: [PATCH 08/14] idmap: Remove "domname" from + idmap_backends_unixid_to_sid + +Signed-off-by: Volker Lendecke +Reviewed-by: Stefan Metzmacher +Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 +(cherry picked from commit ac4cc243771fc3273872547087679db21c9bb1cb) +--- + source3/torture/test_idmap_tdb_common.c | 2 +- + source3/winbindd/idmap.c | 8 ++++---- + 
source3/winbindd/idmap_proto.h | 3 +-- + source3/winbindd/idmap_util.c | 4 ++-- + 4 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c +index f7262a2..dd736ad 100644 +--- a/source3/torture/test_idmap_tdb_common.c ++++ b/source3/torture/test_idmap_tdb_common.c +@@ -62,7 +62,7 @@ bool idmap_is_online(void) + return true; + } + +-NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) ++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id) + { + return NT_STATUS_OK; + } +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index aff5792..56ebf21 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -146,6 +146,7 @@ static bool idmap_found_domain_backend( + if (dom == NULL) { + DEBUG(3, ("Could not init idmap domain %s\n", + domname)); ++ return false; + } + + tmp = talloc_realloc(idmap_domains, idmap_domains, +@@ -502,7 +503,7 @@ NTSTATUS idmap_allocate_gid(struct unixid *id) + return idmap_allocate_unixid(id); + } + +-NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) ++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id) + { + struct idmap_domain *dom; + struct id_map *maps[2]; +@@ -514,9 +515,8 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) + return NT_STATUS_NONE_MAPPED; + } + +- DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d " +- "(type %d)\n", +- domname?domname:"NULL", id->xid.id, id->xid.type)); ++ DEBUG(10, ("idmap_backend_unixid_to_sid: xid = %d (type %d)\n", ++ id->xid.id, id->xid.type)); + + maps[0] = id; + maps[1] = NULL; +diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h +index f7af8ed..159aac6 100644 +--- a/source3/winbindd/idmap_proto.h ++++ b/source3/winbindd/idmap_proto.h +@@ -34,8 +34,7 @@ NTSTATUS smb_register_idmap(int version, const char *name, + void idmap_close(void); + NTSTATUS 
idmap_allocate_uid(struct unixid *id); + NTSTATUS idmap_allocate_gid(struct unixid *id); +-NTSTATUS idmap_backends_unixid_to_sid(const char *domname, +- struct id_map *id); ++NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id); + + /* The following definitions come from winbindd/idmap_nss.c */ + +diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c +index e671acf..08857ab 100644 +--- a/source3/winbindd/idmap_util.c ++++ b/source3/winbindd/idmap_util.c +@@ -66,7 +66,7 @@ backend: + map.xid.type = ID_TYPE_UID; + map.xid.id = uid; + +- ret = idmap_backends_unixid_to_sid(domname, &map); ++ ret = idmap_backends_unixid_to_sid(&map); + if ( ! NT_STATUS_IS_OK(ret)) { + DEBUG(10, ("error mapping uid [%lu]: %s\n", (unsigned long)uid, + nt_errstr(ret))); +@@ -130,7 +130,7 @@ backend: + map.xid.type = ID_TYPE_GID; + map.xid.id = gid; + +- ret = idmap_backends_unixid_to_sid(domname, &map); ++ ret = idmap_backends_unixid_to_sid(&map); + if ( ! NT_STATUS_IS_OK(ret)) { + DEBUG(10, ("error mapping gid [%lu]: %s\n", (unsigned long)gid, + nt_errstr(ret))); +-- +2.9.0 + + +From e7ca0730e3b3ba4eaa447b1ff487377978c70e64 Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Thu, 10 Mar 2016 10:38:29 +0100 +Subject: [PATCH 09/14] s3:winbindd:idmap: add domain_has_idmap_config() helper + function. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 + +Pair-Programmed-With: Guenther Deschner + +Signed-off-by: Michael Adam +Signed-off-by: Guenther Deschner +Reviewed-by: Jeremy Allison +(cherry picked from commit fb80e1158bb1a14f2602e65464909a213296cde1) +--- + source3/winbindd/idmap.c | 15 +++++++++++++++ + source3/winbindd/winbindd_proto.h | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 56ebf21..7a96b92 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -120,6 +120,21 @@ static bool idmap_init(void) + return true; + } + ++bool domain_has_idmap_config(const char *domname) ++{ ++ int i; ++ ++ idmap_init(); ++ ++ for (i=0; iname, domname)) { ++ return true; ++ } ++ } ++ ++ return false; ++} ++ + static bool idmap_found_domain_backend( + const char *string, regmatch_t matches[], void *private_data) + { +diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h +index 42fffc0..85aee5b 100644 +--- a/source3/winbindd/winbindd_proto.h ++++ b/source3/winbindd/winbindd_proto.h +@@ -339,6 +339,7 @@ void init_idmap_child(void); + struct winbindd_child *idmap_child(void); + struct idmap_domain *idmap_find_domain_with_sid(const char *domname, + const struct dom_sid *sid); ++bool domain_has_idmap_config(const char *domname); + + /* The following definitions come from winbindd/winbindd_locator.c */ + +-- +2.9.0 + + +From d58905a6113fc0dc1e5cccb91568a550ee953999 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 10 Mar 2016 10:39:15 +0100 +Subject: [PATCH 10/14] s3:winbindd:idmap_hash: skip domains that already have + their own idmap configuration. + +Check if the domain from the list is not already configured to use another idmap +backend. Not checking this makes the idmap_hash module map IDs for *all* domains +implicitly. This is quite dangeorous in multi-idmap-config setups. 
+ +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 + +Pair-Programmed-With: Michael Adam + +Signed-off-by: Guenther Deschner +Signed-off-by: Michael Adam +Reviewed-by: Jeremy Allison +(cherry picked from commit 55be1ee69743c94d33f4244ade848517fc98e264) +--- + source3/winbindd/idmap_hash/idmap_hash.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c +index 1dbd300..f77ee3b 100644 +--- a/source3/winbindd/idmap_hash/idmap_hash.c ++++ b/source3/winbindd/idmap_hash/idmap_hash.c +@@ -137,6 +137,19 @@ static NTSTATUS be_init(struct idmap_domain *dom) + + if (is_null_sid(&dom_list[i].sid)) + continue; ++ ++ /* ++ * Check if the domain from the list is not already configured ++ * to use another idmap backend. Not checking this makes the ++ * idmap_hash module map IDs for *all* domains implicitly. This ++ * is quite dangerous in setups that use multiple idmap ++ * configurations. ++ */ ++ ++ if (domain_has_idmap_config(dom_list[i].domain_name)) { ++ continue; ++ } ++ + if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) + continue; + +-- +2.9.0 + + +From 87079a86d35e298a7ec8a4476c5ff15c4c12d7ca Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 10 Mar 2016 12:21:52 +0100 +Subject: [PATCH 11/14] s3:winbindd:idmap: check loadparm in + domain_has_idmap_config() helper as well. 
+ +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 + +Pair-Programmed-With: Michael Adam + +Signed-off-by: Guenther Deschner +Signed-off-by: Michael Adam +Reviewed-by: Jeremy Allison +(cherry picked from commit 4632ad98c4af5a4e0a2723c0cf716439e376e61f) +--- + source3/winbindd/idmap.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index 7a96b92..f716b6d 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -123,6 +123,9 @@ static bool idmap_init(void) + bool domain_has_idmap_config(const char *domname) + { + int i; ++ char *config_option; ++ const char *range = NULL; ++ const char *backend = NULL; + + idmap_init(); + +@@ -132,6 +135,25 @@ bool domain_has_idmap_config(const char *domname) + } + } + ++ /* fallback: also check loadparm */ ++ ++ config_option = talloc_asprintf(talloc_tos(), "idmap config %s", ++ domname); ++ if (config_option == NULL) { ++ DEBUG(0, ("out of memory\n")); ++ return false; ++ } ++ ++ range = lp_parm_const_string(-1, config_option, "range", NULL); ++ backend = lp_parm_const_string(-1, config_option, "backend", NULL); ++ if (range != NULL && backend != NULL) { ++ DEBUG(5, ("idmap configuration specified for domain '%s'\n", ++ domname)); ++ TALLOC_FREE(config_option); ++ return true; ++ } ++ ++ TALLOC_FREE(config_option); + return false; + } + +-- +2.9.0 + + +From d80f66cf98e47a7a8dfc8dd27c8c36529e36d235 Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Mon, 14 Mar 2016 17:06:34 +0100 +Subject: [PATCH 12/14] idmap_hash: rename be_init() --> + idmap_hash_initialize() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 + +Pair-Programmed-With: Guenther Deschner + +Signed-off-by: Michael Adam +Signed-off-by: Guenther Deschner +Reviewed-by: Jeremy Allison +(cherry picked from commit 4172491cbe7bb8ad2a7089efe15fbe46fcc123fb) +--- + source3/winbindd/idmap_hash/idmap_hash.c | 16 ++++++++-------- + 1 file changed, 8 
insertions(+), 8 deletions(-) + +diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c +index f77ee3b..773d5a9 100644 +--- a/source3/winbindd/idmap_hash/idmap_hash.c ++++ b/source3/winbindd/idmap_hash/idmap_hash.c +@@ -104,7 +104,7 @@ static void separate_hashes(uint32_t id, + /********************************************************************* + ********************************************************************/ + +-static NTSTATUS be_init(struct idmap_domain *dom) ++static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) + { + struct sid_hash_table *hashed_domains; + NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; +@@ -153,10 +153,10 @@ static NTSTATUS be_init(struct idmap_domain *dom) + if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) + continue; + +- DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n", +- dom_list[i].domain_name, +- sid_string_dbg(&dom_list[i].sid), +- hash)); ++ DEBUG(3, ("Adding %s (%s) -> %d\n", ++ dom_list[i].domain_name, ++ sid_string_dbg(&dom_list[i].sid), ++ hash)); + + hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid); + sid_copy(hashed_domains[hash].sid, &dom_list[i].sid); +@@ -189,7 +189,7 @@ static NTSTATUS unixids_to_sids(struct idmap_domain *dom, + ids[i]->status = ID_UNKNOWN; + } + +- nt_status = be_init(dom); ++ nt_status = idmap_hash_initialize(dom); + BAIL_ON_NTSTATUS_ERROR(nt_status); + + for (i=0; ids[i]; i++) { +@@ -239,7 +239,7 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, + ids[i]->status = ID_UNKNOWN; + } + +- nt_status = be_init(dom); ++ nt_status = idmap_hash_initialize(dom); + BAIL_ON_NTSTATUS_ERROR(nt_status); + + for (i=0; ids[i]; i++) { +@@ -360,7 +360,7 @@ static NTSTATUS nss_hash_close(void) + ********************************************************************/ + + static struct idmap_methods hash_idmap_methods = { +- .init = be_init, ++ .init = idmap_hash_initialize, + .unixids_to_sids = unixids_to_sids, + .sids_to_unixids = 
sids_to_unixids, + }; +-- +2.9.0 + + +From e4216d31e54d9936b021bf57fbaeddfcd8731995 Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Mon, 14 Mar 2016 17:07:34 +0100 +Subject: [PATCH 13/14] idmap_hash: only allow the hash module for default + idmap config. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 + +This module only makes sense as the default idmap config +("idmap config * : backend = hash" ...) + +Pair-Programmed-With: Guenther Deschner + +Signed-off-by: Michael Adam +Signed-off-by: Guenther Deschner +Reviewed-by: Jeremy Allison +(cherry picked from commit a16379c585a6f6e9470a8745b6043be8171eb615) +--- + source3/winbindd/idmap_hash/idmap_hash.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c +index 773d5a9..b3aab86 100644 +--- a/source3/winbindd/idmap_hash/idmap_hash.c ++++ b/source3/winbindd/idmap_hash/idmap_hash.c +@@ -112,6 +112,13 @@ static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) + size_t num_domains = 0; + int i; + ++ if (!strequal(dom->name, "*")) { ++ DEBUG(0, ("Error: idmap_hash configured for domain '%s'. 
" ++ "But the hash module can only be used for the default " ++ "idmap configuration.\n", dom->name)); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ + /* If the domain SID hash table has been initialized, assume + that we completed this function previously */ + +-- +2.9.0 + + +From 11a3354fcd7ff4bf6cd2cdb18e05b12c1ebc6cfd Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Tue, 22 Mar 2016 11:24:23 +0100 +Subject: [PATCH 14/14] winbind: Fix CID 1357100 Unchecked return value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Volker Lendecke +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144 + +(cherry picked from commit 5291462bd8a683b2d21b5f21ad73f84939aa2d67) +--- + source3/winbindd/idmap.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c +index f716b6d..158fa81 100644 +--- a/source3/winbindd/idmap.c ++++ b/source3/winbindd/idmap.c +@@ -126,8 +126,12 @@ bool domain_has_idmap_config(const char *domname) + char *config_option; + const char *range = NULL; + const char *backend = NULL; ++ bool ok; + +- idmap_init(); ++ ok = idmap_init(); ++ if (!ok) { ++ return false; ++ } + + for (i=0; iname, domname)) { +-- +2.9.0 + diff --git a/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch b/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch new file mode 100644 index 0000000..1115cee --- /dev/null +++ b/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch 
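Review bot: The `strequal(dom->name, "*")` check is placed before the "already initialized" short-circuit that the following context lines describe, and `idmap_hash_initialize()` is called from every `unixids_to_sids`/`sids_to_unixids` request (visible in the rename hunks of the previous patch), so a misconfigured non-default domain emits the level-0 error on every lookup rather than once. Either move the check behind the initialised test, or state the behaviour so nobody mistakes the repetition for a loop: `/* reported on every mapping request while misconfigured; the module refuses to work for non-default domains */`. The function continues outside the hunk.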
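Review bot: Returning `false` when `idmap_init()` fails makes the helper answer "no idmap config for this domain", and the idmap_hash caller earlier in this series treats that answer as permission to map the domain itself, so an initialisation failure fails open into exactly the broad hash mapping the series is trying to prevent. At minimum the trade-off should be stated and the failure logged: `DEBUG(0, ("idmap_init failed; treating '%s' as unconfigured\n", domname)); /* NOTE: callers fall back to their default backend */` before the `return false;`; better, let callers distinguish "unknown" from "not configured". The rest of `domain_has_idmap_config` is outside the hunk.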
@@ -0,0 +1,1009 @@ +From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 22 Jan 2016 09:57:04 +0100 +Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes + attribute on ldap_add +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We may not have the permission to modify the object after creation. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Björn Jacke +Reviewed-by: Günther Deschner + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144 +--- + source3/libads/ldap.c | 26 ++++++++++++++++++ + source3/libnet/libnet_join.c | 65 -------------------------------------------- + 2 files changed, 26 insertions(+), 65 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 121ba08..125c9d7 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -29,6 +29,7 @@ + #include "../libds/common/flags.h" + #include "smbldap.h" + #include "../libcli/security/security.h" ++#include "../librpc/gen_ndr/netlogon.h" + #include "lib/param/loadparm.h" + + #ifdef HAVE_LDAP +@@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, + uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ + UF_DONT_EXPIRE_PASSWD |\ + UF_ACCOUNTDISABLE ); ++ uint32_t func_level = 0; ++ ++ ret = ads_domain_func_level(ads, &func_level); ++ if (!ADS_ERR_OK(ret)) { ++ return ret; ++ } + + if (!(ctx = talloc_init("ads_add_machine_acct"))) + return ADS_ERROR(LDAP_NO_MEMORY); +@@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, + ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + ++ if (func_level >= DS_DOMAIN_FUNCTION_2008) { ++ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | 
ENC_RC4_HMAC_MD5; ++ const char *etype_list_str; ++ ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES128; ++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES256; ++#endif ++ ++ etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); ++ if (etype_list_str == NULL) { ++ goto done; ++ } ++ ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", ++ etype_list_str); ++ } ++ + ret = ads_gen_add(ads, new_dn, mods); + + done: +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index d7c7679..5564bd2 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, + /**************************************************************** + ****************************************************************/ + +-static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, +- struct libnet_JoinCtx *r) +-{ +- ADS_STATUS status; +- ADS_MODLIST mods; +- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; +- const char *etype_list_str; +- +-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES128; +-#endif +-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES256; +-#endif +- +- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); +- if (!etype_list_str) { +- return ADS_ERROR(LDAP_NO_MEMORY); +- } +- +- /* Find our DN */ +- +- status = libnet_join_find_machine_acct(mem_ctx, r); +- if (!ADS_ERR_OK(status)) { +- return status; +- } +- +- /* now do the mods */ +- +- mods = ads_init_mods(mem_ctx); +- if (!mods) { +- return ADS_ERROR(LDAP_NO_MEMORY); +- } +- +- status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", +- etype_list_str); +- if (!ADS_ERR_OK(status)) { +- return status; +- } +- +- return ads_gen_mod(r->in.ads, r->out.dn, mods); +-} +- 
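Review bot: On `talloc_asprintf()` failure the new block does `goto done;` without assigning `ret`, and at that point `ret` still holds the successful status from `ads_domain_func_level()` set in the previous hunk, so if `done:` returns `ret` as the surrounding code suggests, an out-of-memory condition makes `ads_create_machine_acct()` report success without ever calling `ads_gen_add()`. Set the status first: `ret = ADS_ERROR(LDAP_NO_MEMORY); goto done;`. The `done:` label and the function's tail are outside the hunk.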
+-/**************************************************************** +-****************************************************************/ +- + static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { +@@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { + ADS_STATUS status; +- uint32_t func_level = 0; + + if (!r->in.ads) { + status = libnet_join_connect_ads(mem_ctx, r); +@@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, + return status; + } + +- status = ads_domain_func_level(r->in.ads, &func_level); +- if (!ADS_ERR_OK(status)) { +- libnet_join_set_error_string(mem_ctx, r, +- "failed to query domain controller functional level: %s", +- ads_errstr(status)); +- return status; +- } +- +- if (func_level >= DS_DOMAIN_FUNCTION_2008) { +- status = libnet_join_set_etypes(mem_ctx, r); +- if (!ADS_ERR_OK(status)) { +- libnet_join_set_error_string(mem_ctx, r, +- "failed to set machine kerberos encryption types: %s", +- ads_errstr(status)); +- return status; +- } +- } +- + if (!libnet_join_derive_salting_principal(mem_ctx, r)) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } +-- +2.9.0 + + +From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 23:14:13 +0100 +Subject: [PATCH 02/11] Partly revert "s3:libads: setup the + msDS-SupportedEncryptionTypes attribute on ldap_add" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Günther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855) +--- + source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 5564bd2..343e5f1 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, + + /**************************************************************** + ****************************************************************/ ++#if 0 ++static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, ++ struct libnet_JoinCtx *r) ++{ ++ ADS_STATUS status; ++ ADS_MODLIST mods; ++ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++ const char *etype_list_str; ++ ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES128; ++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ etype_list |= ENC_HMAC_SHA1_96_AES256; ++#endif ++ ++ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); ++ if (!etype_list_str) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ ++ /* Find our DN */ ++ ++ status = libnet_join_find_machine_acct(mem_ctx, r); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ ++ /* now do the mods */ ++ ++ mods = ads_init_mods(mem_ctx); ++ if (!mods) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ ++ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", ++ etype_list_str); ++ if (!ADS_ERR_OK(status)) { ++ return status; ++ } ++ ++ return ads_gen_mod(r->in.ads, r->out.dn, mods); ++} ++#endif ++/**************************************************************** ++****************************************************************/ + + static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx 
*r) +-- +2.9.0 + + +From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 2 Mar 2016 18:07:53 +0100 +Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with + machine creds. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c) +--- + source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 68 insertions(+), 5 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 343e5f1..cc93a85 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -42,6 +42,7 @@ + #include "lib/param/loadparm.h" + #include "libcli/auth/netlogon_creds_cli.h" + #include "auth/credentials/credentials.h" ++#include "krb5_env.h" + + /**************************************************************** + ****************************************************************/ +@@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + const char *dc_name, + const char *user_name, + const char *password, ++ const char *ccname, + ADS_STRUCT **ads) + { + ADS_STATUS status; +@@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + my_ads->auth.password = SMB_STRDUP(password); + } + ++ if (ccname != NULL) { ++ SAFE_FREE(my_ads->auth.ccache_name); ++ my_ads->auth.ccache_name = SMB_STRDUP(ccname); ++ setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1); ++ } ++ + status = ads_connect_user_creds(my_ads); + if (!ADS_ERR_OK(status)) { + ads_destroy(&my_ads); +@@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + ****************************************************************/ + + static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, +- struct libnet_JoinCtx *r) ++ 
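Review bot: `talloc_asprintf(mem_ctx, "%d", etype_list)` passes a `uint32_t` to a `%d` conversion; the equivalent line in `ads_create_machine_acct()` earlier in this series casts to `(int)`, and the printf contract requires the types to match, so this should be `"%u"` or carry the same cast for consistency. The same mismatch is kept in the `r->in.desired_encryption_types` form of this line in patch 09/11 of the series ("define list of desired encryption types only once"). The function is under `#if 0` here and is re-enabled in patch 11/11, so the fix is needed before then.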
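Review bot: The new `setenv(KRB5_ENV_CCNAME, ...)` return value is unchecked, and the call changes process-wide state that outlives this connection: later Kerberos calls in the same process will see this cache unless something restores the previous value. I would check it the way the hunk already handles connect failure, `if (setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1) != 0) { ads_destroy(&my_ads); return ADS_ERROR_SYSTEM(errno); }`, and record the side effect: `/* NOTE: process-global; a caller reconnecting with different creds must reset it */`. `libnet_connect_ads` begins and ends outside the hunk.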
struct libnet_JoinCtx *r, ++ bool use_machine_creds) + { + ADS_STATUS status; ++ const char *username; ++ const char *password; ++ const char *ccname = NULL; ++ ++ if (use_machine_creds) { ++ if (r->in.machine_name == NULL || ++ r->in.machine_password == NULL) { ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ username = talloc_strdup(mem_ctx, r->in.machine_name); ++ if (username == NULL) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ if (username[strlen(username)] != '$') { ++ username = talloc_asprintf(username, "%s$", username); ++ if (username == NULL) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } ++ } ++ password = r->in.machine_password; ++ ccname = "MEMORY:libnet_join_machine_creds"; ++ } else { ++ username = r->in.admin_account; ++ password = r->in.admin_password; ++ ++ /* ++ * when r->in.use_kerberos is set to allow "net ads join -k" we ++ * may not override the provided credential cache - gd ++ */ ++ ++ if (!r->in.use_kerberos) { ++ ccname = "MEMORY:libnet_join_user_creds"; ++ } ++ } + + status = libnet_connect_ads(r->out.dns_domain_name, + r->out.netbios_domain_name, + r->in.dc_name, +- r->in.admin_account, +- r->in.admin_password, ++ username, ++ password, ++ ccname, + &r->in.ads); + if (!ADS_ERR_OK(status)) { + libnet_join_set_error_string(mem_ctx, r, +@@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, + /**************************************************************** + ****************************************************************/ + ++static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, ++ struct libnet_JoinCtx *r) ++{ ++ return libnet_join_connect_ads(mem_ctx, r, false); ++} ++ ++/**************************************************************** ++****************************************************************/ ++#if 0 ++static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, ++ struct libnet_JoinCtx *r) ++{ ++ return libnet_join_connect_ads(mem_ctx, r, true); ++} ++#endif 
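Review bot: `username[strlen(username)]` indexes the terminating NUL, so `!= '$'` is always true and a `$` is appended unconditionally — a machine name that already ends in `$` becomes `NAME$$`. The intended test is the last character: `size_t len = strlen(username); if (len == 0 || username[len - 1] != '$') { ... }`. Separately, `talloc_asprintf(username, "%s$", username)` parents the new string to the old one, which works but ties its lifetime to an otherwise dead string; `talloc_asprintf(mem_ctx, ...)` reads more naturally. `libnet_join_connect_ads` continues past the hunk.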
++/**************************************************************** ++****************************************************************/ ++ + static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, + struct libnet_UnjoinCtx *r) + { +@@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, + r->in.dc_name, + r->in.admin_account, + r->in.admin_password, ++ NULL, + &r->in.ads); + if (!ADS_ERR_OK(status)) { + libnet_unjoin_set_error_string(mem_ctx, r, +@@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, + ADS_STATUS status; + + if (!r->in.ads) { +- status = libnet_join_connect_ads(mem_ctx, r); ++ status = libnet_join_connect_ads_user(mem_ctx, r); + if (!ADS_ERR_OK(status)) { + return status; + } +@@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + if (r->out.domain_is_ad && r->in.account_ou && + !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { + +- ads_status = libnet_join_connect_ads(mem_ctx, r); ++ ads_status = libnet_join_connect_ads_user(mem_ctx, r); + if (!ADS_ERR_OK(ads_status)) { + return WERR_DEFAULT_JOIN_REQUIRED; + } +-- +2.9.0 + + +From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 4 Mar 2016 17:42:05 +0100 +Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level + 10. 
+ +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0) +--- + source3/libads/ldap.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 125c9d7..91753d2 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, + } + #endif + ++static void ads_print_error(int ret, LDAP *ld) ++{ ++ if (ret != 0) { ++ char *ld_error = NULL; ++ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); ++ DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, ++ ldap_err2string(ret), ld_error)); ++ SAFE_FREE(ld_error); ++ } ++} ++ + /** + * Perform an ldap modify + * @param ads connection to ads server +@@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) + mods[i] = NULL; + ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn, + (LDAPMod **) mods, controls, NULL); ++ ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); + } +@@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) + mods[i] = NULL; + + ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); ++ ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); + } +@@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) + } + + ret = ldap_delete_s(ads->ldap.ld, utf8_dn); ++ ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); + } +-- +2.9.0 + + +From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 12:13:24 +0100 +Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to + ndr_print_ads_auth_flags() + +Guenther + +BUG: 
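Review bot: `ads_print_error()` frees the string obtained from `ldap_get_option(LDAP_OPT_ERROR_STRING)` with `SAFE_FREE()` (plain `free`), but memory handed out by the LDAP library is to be returned with `ldap_memfree()`; the two coincide with OpenLDAP in practice, not by contract. The `ldap_get_option()` return value is also unchecked and `ld_error` can remain NULL, which then feeds a `%s` conversion. I would write `if (ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error) != LDAP_OPT_SUCCESS) ld_error = NULL;`, print `ld_error ? ld_error : "<none>"`, and finish with `ldap_memfree(ld_error);`.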
https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45) +--- + source3/libads/ndr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c +index fd0b63e..ac0b9e6 100644 +--- a/source3/libads/ndr.c ++++ b/source3/libads/ndr.c +@@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r); + ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r); ++ ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r); + ndr->depth--; + } + +-- +2.9.0 + + +From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 12:15:14 +0100 +Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with + account_ou not being initialized + +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a) +--- + source3/libads/ldap.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 91753d2..8eac5c8 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, + const char *name; + char *ou_string; + +- exploded_dn = ldap_explode_dn(*account_ou, 0); +- if (exploded_dn) { +- ldap_value_free(exploded_dn); +- return ADS_SUCCESS; ++ if (account_ou == NULL) { ++ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); ++ } ++ ++ if (*account_ou != NULL) { ++ 
exploded_dn = ldap_explode_dn(*account_ou, 0); ++ if (exploded_dn) { ++ ldap_value_free(exploded_dn); ++ return ADS_SUCCESS; ++ } + } + + ou_string = ads_ou_string(ads, *account_ou); +-- +2.9.0 + + +From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Thu, 10 Mar 2016 18:03:47 +0100 +Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create + machineaccount via LDAP first. + +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c) +--- + source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index cc93a85..b10080d 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + r->out.dns_domain_name, r->out.netbios_domain_name, + NULL, smbXcli_conn_remote_sockaddr(cli->conn)); + +- if (r->out.domain_is_ad && r->in.account_ou && ++ if (r->out.domain_is_ad && + !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { + ++ const char *initial_account_ou = r->in.account_ou; ++ ++ /* ++ * we want to create the msDS-SupportedEncryptionTypes attribute ++ * as early as possible so always try an LDAP create as the user ++ * first. We copy r->in.account_ou because it may be changed ++ * during the machine pre-creation. 
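Review bot: The new `if (*account_ou != NULL)` guard protects only the `ldap_explode_dn()` call; the very next context line, `ou_string = ads_ou_string(ads, *account_ou);`, still receives `*account_ou` when it is NULL, so whether the commit's stated goal is met depends on `ads_ou_string()` accepting NULL, which is not visible here. If it does, say so for the next reader: `/* *account_ou may be NULL here; ads_ou_string() then selects the default container */`; if it does not, a NULL check returning `ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER)` belongs before the call. `ads_check_ou_dn` continues beyond the hunk.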
++ */ ++ + ads_status = libnet_join_connect_ads_user(mem_ctx, r); + if (!ADS_ERR_OK(ads_status)) { + return WERR_DEFAULT_JOIN_REQUIRED; + } + + ads_status = libnet_join_precreate_machine_acct(mem_ctx, r); +- if (!ADS_ERR_OK(ads_status)) { ++ if (ADS_ERR_OK(ads_status)) { ++ ++ /* ++ * LDAP object create succeeded, now go to the rpc ++ * password set routines ++ */ ++ ++ r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; ++ goto rpc_join; ++ } ++ ++ if (initial_account_ou != NULL) { + libnet_join_set_error_string(mem_ctx, r, + "failed to precreate account in ou %s: %s", + r->in.account_ou, +@@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + return WERR_DEFAULT_JOIN_REQUIRED; + } + +- r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; ++ DEBUG(5, ("failed to precreate account in ou %s: %s", ++ r->in.account_ou, ads_errstr(ads_status))); + } + #endif /* HAVE_ADS */ + ++ rpc_join: + if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && + (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) { + status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli); +-- +2.9.0 + + +From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 16:02:27 +0100 +Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to + libnet_JoinCtx. 
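Review bot: The new `DEBUG(5, ("failed to precreate account in ou %s: %s", ...))` lacks a trailing `\n`, unlike the other DEBUG messages in this series, so the next log line is appended to it; it also prints `r->in.account_ou` with `%s` on a path that is only reached when `initial_account_ou` was NULL, and the comment in the first hunk says pre-creation "may" change `r->in.account_ou`, not that it always sets it, so this can pass NULL to `%s`. I would write `DEBUG(5, ("failed to precreate account in ou %s: %s\n", r->in.account_ou ? r->in.account_ou : "<default>", ads_errstr(ads_status)));`. `libnet_DomainJoin` extends beyond the hunk in both directions.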
+ +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d) +--- + source3/librpc/idl/libnet_join.idl | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl +index ac0a350..0718739 100644 +--- a/source3/librpc/idl/libnet_join.idl ++++ b/source3/librpc/idl/libnet_join.idl +@@ -35,6 +35,7 @@ interface libnetjoin + [in] boolean8 use_kerberos, + [in] netr_SchannelType secure_channel_type, + [in,noprint] messaging_context *msg_ctx, ++ [in] uint32 desired_encryption_types, + [out] string account_name, + [out] string netbios_domain_name, + [out] string dns_domain_name, +@@ -43,7 +44,8 @@ interface libnetjoin + [out] dom_sid *domain_sid, + [out] boolean8 modified_config, + [out] string error_string, +- [out] boolean8 domain_is_ad ++ [out] boolean8 domain_is_ad, ++ [out] uint32 set_encryption_types + ); + + [nopush,nopull,noopnum] WERROR libnet_UnjoinCtx( +-- +2.9.0 + + +From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 16:04:52 +0100 +Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired + encryption types only once. 
+ +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb) +--- + source3/libads/ads_proto.h | 6 ++++-- + source3/libads/ldap.c | 14 ++++---------- + source3/libnet/libnet_join.c | 24 ++++++++++++++---------- + 3 files changed, 22 insertions(+), 22 deletions(-) + +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index 1399f41..425c352 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, + ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name); + ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, + const char *my_fqdn, const char *spn); +-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, +- const char *org_unit); ++ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, ++ const char *machine_name, ++ const char *org_unit, ++ uint32_t etype_list); + ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *org_unit, bool *moved); + int ads_count_replies(ADS_STRUCT *ads, void *res); +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 8eac5c8..72bf4d9 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n + * @return 0 upon success, or non-zero otherwise + **/ + +-ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, +- const char *org_unit) ++ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, ++ const char *machine_name, ++ const char *org_unit, ++ uint32_t etype_list) + { + ADS_STATUS ret; + char *samAccountName, *controlstr; +@@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char 
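Review bot: The doxygen block directly above the new signature (its `@return` line is visible as context) is not extended for the added `etype_list` parameter, so the header now documents only part of the interface. Add `@param etype_list msDS-SupportedEncryptionTypes bitmask written when the domain functional level is 2008 or higher` before the `@return` line; the level check is in the next hunk of this file. The hunk header names `ads_add_service_principal_name` only because it is the preceding function; the change is to `ads_create_machine_acct()`.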
*machine_name, + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + + if (func_level >= DS_DOMAIN_FUNCTION_2008) { +- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; + const char *etype_list_str; + +-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES128; +-#endif +-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES256; +-#endif +- + etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); + if (etype_list_str == NULL) { + goto done; +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index b10080d..876a453 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, + + status = ads_create_machine_acct(r->in.ads, + r->in.machine_name, +- r->in.account_ou); ++ r->in.account_ou, ++ r->in.desired_encryption_types); + + if (ADS_ERR_OK(status)) { + DEBUG(1,("machine account creation created\n")); +@@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, + { + ADS_STATUS status; + ADS_MODLIST mods; +- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; + const char *etype_list_str; + +-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES128; +-#endif +-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 +- etype_list |= ENC_HMAC_SHA1_96_AES256; +-#endif +- +- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); ++ etype_list_str = talloc_asprintf(mem_ctx, "%d", ++ r->in.desired_encryption_types); + if (!etype_list_str) { + return ADS_ERROR(LDAP_NO_MEMORY); + } +@@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, + + ctx->in.secure_channel_type = SEC_CHAN_WKSTA; + ++ ctx->in.desired_encryption_types = ENC_CRC32 | ++ ENC_RSA_MD5 | ++ ENC_RC4_HMAC_MD5; ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128; 
++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256; ++#endif ++ + *r = ctx; + + return WERR_OK; +-- +2.9.0 + + +From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 11 Mar 2016 16:05:53 +0100 +Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only + modify when necessary. + +Guenther + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 + +Signed-off-by: Guenther Deschner +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8) +--- + source3/libads/ldap.c | 2 +- + source3/libnet/libnet_join.c | 18 +++++++++++++++++- + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 72bf4d9..f611da2 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn) + { + ADS_STATUS status; + char *expr; +- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; ++ const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; + + *res = NULL; + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 876a453..9f3d830 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx, + goto done; + } + ++ if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes", ++ &r->out.set_encryption_types)) { ++ r->out.set_encryption_types = 0; ++ } ++ + done: + ads_msgfree(r->in.ads, res); + TALLOC_FREE(dn); +@@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, + return status; + } + ++ if (r->in.desired_encryption_types == r->out.set_encryption_types) { ++ return ADS_SUCCESS; ++ } ++ + /* now do the mods */ + + mods = ads_init_mods(mem_ctx); +@@ -702,7 +711,14 
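Review bot: Centralising `desired_encryption_types` is the right move, but the default still advertises `ENC_CRC32` and `ENC_RSA_MD5` (the single-DES enctypes) alongside RC4 and AES, and nothing in the initialiser says why the legacy bits are kept. A one-line rationale stops a later reader from either dropping them blindly or assuming they are mandatory: `/* DES enctypes kept for interoperability with older KDCs; callers may narrow this before the join */` — the field is an `[in]` parameter in the IDL hunk of patch 08/11, so callers can indeed override it. `libnet_init_JoinCtx` continues outside the hunk.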
@@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+- return ads_gen_mod(r->in.ads, r->out.dn, mods);
++ status = ads_gen_mod(r->in.ads, r->out.dn, mods);
++ if (!ADS_ERR_OK(status)) {
++ return status;
++ }
++
++ r->out.set_encryption_types = r->in.desired_encryption_types;
++
++ return ADS_SUCCESS;
+ }
+ #endif
+ /****************************************************************
+--
+2.9.0
+
+
+From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Fri, 11 Mar 2016 23:15:06 +0100
+Subject: [PATCH 11/11] s3:libnet:libnet_join: update
+ msDS-SupportedEncryptionTypes (if required) with machine creds.
+
+Guenther
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755
+
+Pair-Programmed-With: Stefan Metzmacher
+
+Signed-off-by: Guenther Deschner
+Signed-off-by: Stefan Metzmacher
+
+Autobuild-User(master): Stefan Metzmacher
+Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144
+
+(cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6)
+---
+ source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 55 insertions(+), 4 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 9f3d830..84f0e40 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx,
+
+ /****************************************************************
+ ****************************************************************/
+-#if 0
++
+ static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
+ return libnet_join_connect_ads(mem_ctx, r, true);
+ }
+-#endif
++
+ /****************************************************************
+ ****************************************************************/
+
+@@ -673,7 +673,7 @@ static ADS_STATUS
libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
+
+ /****************************************************************
+ ****************************************************************/
+-#if 0
++
+ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
+@@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+
+ return ADS_SUCCESS;
+ }
+-#endif
++
+ /****************************************************************
+ ****************************************************************/
+
+@@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
+ ADS_STATUS status;
++ bool need_etype_update = false;
+
+ if (!r->in.ads) {
+ status = libnet_join_connect_ads_user(mem_ctx, r);
+@@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
++ status = libnet_join_find_machine_acct(mem_ctx, r);
++ if (!ADS_ERR_OK(status)) {
++ return status;
++ }
++
++ if (r->in.desired_encryption_types != r->out.set_encryption_types) {
++ uint32_t func_level = 0;
++
++ status = ads_domain_func_level(r->in.ads, &func_level);
++ if (!ADS_ERR_OK(status)) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "failed to query domain controller functional level: %s",
++ ads_errstr(status));
++ return status;
++ }
++
++ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
++ need_etype_update = true;
++ }
++ }
++
++ if (need_etype_update) {
++ /*
++ * We need to reconnect as machine account in order
++ * to update msDS-SupportedEncryptionTypes reliable
++ */
++
++ if (r->in.ads->auth.ccache_name != NULL) {
++ ads_kdestroy(r->in.ads->auth.ccache_name);
++ }
++
++ ads_destroy(&r->in.ads);
++
++ status = libnet_join_connect_ads_machine(mem_ctx, r);
++ if (!ADS_ERR_OK(status)) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "Failed to connect as machine account: %s",
++ ads_errstr(status));
++ return status;
++ }
++
++ status =
libnet_join_set_etypes(mem_ctx, r); ++ if (!ADS_ERR_OK(status)) { ++ libnet_join_set_error_string(mem_ctx, r, ++ "failed to set machine kerberos encryption types: %s", ++ ads_errstr(status)); ++ return status; ++ } ++ } ++ + if (!libnet_join_derive_salting_principal(mem_ctx, r)) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } +-- +2.9.0 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 9e1173b..9f2c0a0 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 6.2 +%define main_release 7 %define samba_version 4.2.10 %define talloc_version 2.1.2 @@ -119,6 +119,9 @@ Patch8: samba-4.2.10-fix_rpcclient_ipc_signing.patch Patch9: samba-4.2.10-fix_ntlm_auth_issues.patch Patch10: samba-4.2.10-fix_msrpc_parse.patch Patch11: samba-4.2.10-fix_anon_with_singing_mandatory.patch +Patch12: samba-4.2.99-fix_idmap_hash_with_other_modules.path +Patch13: samba-4.2.99-net_ads_join_fix_keytab_generation.patch +Patch14: CVE-2016-2119-v4-2.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -701,6 +704,9 @@ and use CTDB instead. %patch9 -p1 -b .samba-4.2.10-fix_ntlm_auth_issues.patch %patch10 -p1 -b .samba-4.2.10-fix_msrpc_parse.patch %patch11 -p1 -b .samba-4.2.10-fix_anon_with_singing_mandatory.patch +%patch12 -p1 -b .samba-4.2.99-fix_idmap_hash_with_other_modules.path +%patch13 -p1 -b .samba-4.2.99-net_ads_join_fix_keytab_generation.patch +%patch14 -p1 -b .CVE-2016-2119-v4-2.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util 
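Review bot: After `ads_destroy(&r->in.ads);` a failing `libnet_join_connect_ads_machine` returns with `r->in.ads` torn down, and whether the field is then NULL or a freed pointer depends on `ads_destroy`, which is not visible here; the `if (!r->in.ads)` guard at the top of this function (previous hunk) suggests callers tolerate NULL, so confirm the destroy resets the pointer before a caller's own cleanup touches it. The comment should read `* to update msDS-SupportedEncryptionTypes reliably` and could add that from this point on post-processing runs with the machine account's credentials only, as the credential cache of the user connection named by `auth.ccache_name` has been destroyed. libnet_join_post_processing_ads continues outside the hunk.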
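Review bot: `Patch12: samba-4.2.99-fix_idmap_hash_with_other_modules.path` ends in `.path` where every other entry ends in `.patch`, and the matching `%patch12 -p1 -b .samba-4.2.99-fix_idmap_hash_with_other_modules.path` in the %prep hunk repeats it, so the build only succeeds if the file in SOURCES really carries that name. If it is a typo both lines need `…modules.patch`; if the file is deliberately named that way, renaming it to the `.patch` convention keeps the backup suffix consistent with the other patches. This page does not show the SOURCES listing, so the actual filename cannot be confirmed here.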
@@ -2002,6 +2008,13 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Mon Jul 04 2016 Andreas Schneider - 4.2.10-7 +- resolves: #1351960 - Fix CVE-2016-2119 + +* Tue Jun 28 2016 Andreas Schneider - 4.2.10-6.3 +- resolves: #1350759 - Fix idmap_hash when used with other modules +- resolves: #1351260 - Fix krb5 encryption type setup during join + * Wed Jun 01 2016 Andreas Schneider - 4.2.10-6.2 - related: #1333794 - Fix issues caused by security tightening for Badlock o ntlm_auth issues and segfault