diff --git a/.gitignore b/.gitignore
index c73d00b..6547baf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/samba-4.2.10.tar.xz
+SOURCES/samba-4.4.4.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index c7c6b4f..7f1ab09 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1 +1 @@
-764564720be36081414c4632710bc0fba6d5b1d0 SOURCES/samba-4.2.10.tar.xz
+f0b397800ce12a06021480f10846362ba2663f25 SOURCES/samba-4.4.4.tar.xz
diff --git a/SOURCES/CVE-2016-2119-v4-2.patch b/SOURCES/CVE-2016-2119-v4-2.patch
deleted file mode 100644
index abf9c0d..0000000
--- a/SOURCES/CVE-2016-2119-v4-2.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -From ec42fe46d4c126d9c2ebc20c1cb168ad5e06a21e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 11:26:57 +0200 -Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if - we require signing - -Note real anonymous sessions (with "" as username) don't hit this -as we don't even call smb2cli_session_set_session_key() in that case. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 - -Signed-off-by: Stefan Metzmacher ---- - libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index b07fdad..6797207 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -4952,6 +4952,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session) - return false; - } - -+ if (session->conn->mandatory_signing) { -+ return false; -+ } -+ - if (session->conn->protocol >= PROTOCOL_SMB2_02) { - if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { - return true; -@@ -5177,7 +5181,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - const struct iovec *recv_iov) - { - struct smbXcli_conn *conn = session->conn; -- uint16_t no_sign_flags; -+ uint16_t no_sign_flags = 0; - uint8_t session_key[16]; - bool check_signature = true; - uint32_t hdr_flags; -@@ -5191,7 +5195,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, - return NT_STATUS_INVALID_PARAMETER_MIX; - } - -- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; -+ if (!conn->mandatory_signing) { -+ /* -+ * only allow guest sessions without -+ * mandatory signing. -+ * -+ * If we try an authentication with username != "" -+ * and the server let us in without verifying the -+ * password we don't have a negotiated session key -+ * for signing. 
-+ */ -+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST; -+ } - - if (session->smb2->session_flags & no_sign_flags) { - session->smb2->should_sign = false; --- -1.9.1 - - -From c303bd4bdf6e3f89e6821abb13e3ef40164944f5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 28 Apr 2016 02:36:35 +0200 -Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding - smbXcli_session_is_guest() with mandatory signing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/cliconnect.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 420fe3c..3de3796 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1606,6 +1606,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) - * have a negotiated session key. - * - * So just pretend we are completely done. -+ * -+ * Note that smbXcli_session_is_guest() -+ * always returns false if we require signing. 
- */ - state->blob_in = data_blob_null; - state->local_ready = true; --- -1.9.1 - - -From fd0750e860b18b1182126dcf7ccc1f7dd38560ce Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 28 Apr 2016 02:24:52 +0200 -Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for - guest logins and mandatory signing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 - -Signed-off-by: Stefan Metzmacher ---- - source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh -index b8fc564..33a927f 100755 ---- a/source3/script/tests/test_smbclient_ntlm.sh -+++ b/source3/script/tests/test_smbclient_ntlm.sh -@@ -37,4 +37,8 @@ else - - testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS - testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS -+ -+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS -+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS -+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS - fi --- -1.9.1 - diff --git a/SOURCES/CVE-2016-2119-v4-4.patch b/SOURCES/CVE-2016-2119-v4-4.patch new file mode 100644 index 0000000..55da381 --- /dev/null +++ b/SOURCES/CVE-2016-2119-v4-4.patch 
@@ -0,0 +1,124 @@ +From 3f8b6a3c56ec188d662767027703999faf14e71f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 20 Apr 2016 11:26:57 +0200 +Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if + we require signing + +Note real anonymous sessions (with "" as username) don't hit this +as we don't even call smb2cli_session_set_session_key() in that case. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 + +Signed-off-by: Stefan Metzmacher +--- + libcli/smb/smbXcli_base.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c +index 4332374..691b8ff 100644 +--- a/libcli/smb/smbXcli_base.c ++++ b/libcli/smb/smbXcli_base.c +@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session) + return false; + } + ++ if (session->conn->mandatory_signing) { ++ return false; ++ } ++ + if (session->conn->protocol >= PROTOCOL_SMB2_02) { + if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { + return true; +@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, + const struct iovec *recv_iov) + { + struct smbXcli_conn *conn = session->conn; +- uint16_t no_sign_flags; ++ uint16_t no_sign_flags = 0; + uint8_t session_key[16]; + bool check_signature = true; + uint32_t hdr_flags; +@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, + return NT_STATUS_INVALID_PARAMETER_MIX; + } + +- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL; ++ if (!conn->mandatory_signing) { ++ /* ++ * only allow guest sessions without ++ * mandatory signing. ++ * ++ * If we try an authentication with username != "" ++ * and the server let us in without verifying the ++ * password we don't have a negotiated session key ++ * for signing. 
++ */ ++ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST; ++ } + + if (session->smb2->session_flags & no_sign_flags) { + session->smb2->should_sign = false; +-- +1.9.1 + + +From 11db8ea97ddb3cf9fde48dbe5df14a71ebc308db Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 28 Apr 2016 02:36:35 +0200 +Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding + smbXcli_session_is_guest() with mandatory signing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 + +Signed-off-by: Stefan Metzmacher +--- + source3/libsmb/cliconnect.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index ea92c8f..ebba8f2 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) + * have a negotiated session key. + * + * So just pretend we are completely done. ++ * ++ * Note that smbXcli_session_is_guest() ++ * always returns false if we require signing. 
+ */ + state->blob_in = data_blob_null; + state->local_ready = true; +-- +1.9.1 + + +From 28ed026b9486fb248daf713655ea307c478d2832 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 28 Apr 2016 02:24:52 +0200 +Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for + guest logins and mandatory signing + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860 + +Signed-off-by: Stefan Metzmacher +--- + source3/script/tests/test_smbclient_ntlm.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh +index b8fc564..33a927f 100755 +--- a/source3/script/tests/test_smbclient_ntlm.sh ++++ b/source3/script/tests/test_smbclient_ntlm.sh +@@ -37,4 +37,8 @@ else + + testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS + testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS ++ ++ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS ++ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS ++ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS + fi +-- +1.9.1 + diff --git a/SOURCES/samba-4.2.10-badlock-bugfixes.patch b/SOURCES/samba-4.2.10-badlock-bugfixes.patch deleted file mode 100644 index f913d34..0000000 --- a/SOURCES/samba-4.2.10-badlock-bugfixes.patch +++ /dev/null 
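Review bot: All three embedded `Subject:` lines in the new SOURCES/CVE-2016-2119-v4-4.patch still read `CVE-2016-2019:` while the file is named after CVE-2016-2119, so the identifier a packager or auditor greps for inside the patch does not match the advisory the file is meant to carry; since the patch is being regenerated for 4.4.4 anyway, correcting the subjects to `CVE-2016-2119:` (or recording the mismatch in the package changelog) would keep the patch and the packaging metadata in agreement. The rebased hunk offsets (`@@ -5312`, `@@ -5571`, `@@ -5596`) and the smbXcli_base.c / cliconnect.c blob ids differ from the removed v4-2 copy while the selftest hunk keeps the same `index b8fc564..33a927f`, which looks consistent with a plain rebase rather than a change in the fix itself. The spec file that must reference the renamed patch is not part of this diff, so whether its `Patch` line was updated to the new file name cannot be confirmed from here.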
@@ -1,1853 +0,0 @@ -From 256f09848913caea3236ee7a5d0086a5906717e7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 22 Apr 2016 16:18:24 +0200 -Subject: [PATCH 01/30] s4:gensec_tstream: allow wrapped messages up to a size - of 0xfffffff -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d) ---- - source4/auth/gensec/gensec_tstream.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c -index 92f4fa6..c828170 100644 ---- a/source4/auth/gensec/gensec_tstream.c -+++ b/source4/auth/gensec/gensec_tstream.c -@@ -253,7 +253,11 @@ static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream, - - msg_len = RIVAL(state->wrapped.hdr, 0); - -- if (msg_len > 0x00FFFFFF) { -+ /* -+ * I got a Windows 2012R2 server responding with -+ * a message of 0x1b28a33. 
-+ */ -+ if (msg_len > 0x0FFFFFFF) { - errno = EMSGSIZE; - return -1; - } --- -1.9.1 - - -From 2790b1f017568218f1854f85ce301ccb740737ff Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 22 Apr 2016 16:31:55 +0200 -Subject: [PATCH 02/30] s3:libads/sasl: allow wrapped messages up to a size of - 0xfffffff -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 795e796658e6da0149c9c00ece7cca4ccc457717) ---- - source3/libads/sasl.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index b8d4527..10f63e8 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -328,7 +328,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, - * arcfour-hmac-md5. - */ - ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); -- ads->ldap.in.max_wrapped = max_wrapped; -+ ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; - status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", -@@ -986,7 +986,7 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv - - ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped; - ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */ -- ads->ldap.in.max_wrapped = max_msg_size; -+ ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; - status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle); - if (!ADS_ERR_OK(status)) { - DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", --- -1.9.1 - - -From d5a662e47b710a05b274c23bc7fcbf9e6c88d92e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: 
Thu, 28 Apr 2016 12:58:10 +0200 -Subject: [PATCH 03/30] lib:krb5_wrap:krb5_samba: increase debug level for - smb_krb5_get_default_realm_from_ccache(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1) ---- - lib/krb5_wrap/krb5_samba.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 5f0378b..c066c1d 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) - "Trying to read krb5 cache: %s\n", - krb5_cc_default_name(ctx))); - if (krb5_cc_default(ctx, &cc)) { -- DEBUG(0,("kerberos_get_default_realm_from_ccache: " -+ DEBUG(5,("kerberos_get_default_realm_from_ccache: " - "failed to read default cache\n")); - goto out; - } - if (krb5_cc_get_principal(ctx, cc, &princ)) { -- DEBUG(0,("kerberos_get_default_realm_from_ccache: " -+ DEBUG(5,("kerberos_get_default_realm_from_ccache: " - "failed to get default principal\n")); - goto out; - } --- -1.9.1 - - -From 64eafe403323471515067c2115f7b90f4985f99e Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 28 Apr 2016 12:58:33 +0200 -Subject: [PATCH 04/30] s3:librpc:crypto:gse: increase debug level for - gse_init_client(). 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit b6595037f3fcaafb957d9c08edfb89c72cded987) ---- - source3/librpc/crypto/gse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index fc31064..82c8085 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -239,7 +239,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - GSS_C_NT_USER_NAME, - &gse_ctx->server_name); - if (gss_maj) { -- DEBUG(0, ("gss_import_name failed for %s, with [%s]\n", -+ DEBUG(5, ("gss_import_name failed for %s, with [%s]\n", - (char *)name_buffer.value, - gse_errstr(gse_ctx, gss_maj, gss_min))); - status = NT_STATUS_INTERNAL_ERROR; --- -1.9.1 - - -From 1672168e6e13130ad98b8513b877c5071a2587ba Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 28 Apr 2016 12:26:16 +0200 -Subject: [PATCH 05/30] auth/spnego: change log level for 'Failed to setup - SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR' -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1) ---- - auth/gensec/spnego.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 1d4b172..5126952 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -661,7 +661,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec - talloc_free(spnego_state->sub_sec_security); - spnego_state->sub_sec_security = NULL; - -- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); -+ DEBUG(10, 
("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); - return nt_status; - } - --- -1.9.1 - - -From c06ae7f3e1e9ba5fa82d8d6b0665f2fd7cef2f4a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 23 Apr 2016 05:17:25 +0200 -Subject: [PATCH 06/30] auth/spnego: handle broken mechListMIC response from - Windows 2000 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 032c2733dea834e2c95178cdd0deb73e7bb13621) ---- - auth/gensec/spnego.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 5126952..33a4b46 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -1078,6 +1078,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - } - - if (spnego.negTokenTarg.mechListMIC.length > 0) { -+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC; -+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken; -+ -+ /* -+ * Windows 2000 has a bug, it repeats the -+ * responseToken in the mechListMIC field. -+ */ -+ if (m->length == r->length) { -+ int cmp; -+ -+ cmp = memcmp(m->data, r->data, m->length); -+ if (cmp == 0) { -+ data_blob_free(m); -+ } -+ } -+ } -+ -+ if (spnego.negTokenTarg.mechListMIC.length > 0) { - if (spnego_state->no_response_expected) { - spnego_state->needs_mic_check = true; - } --- -1.9.1 - - -From 1bf9b8a08263e71ac7f354884e8c9a244518140e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 18:44:21 +0200 -Subject: [PATCH 07/30] auth/ntlmssp: don't require any flags in the - ccache_resume code -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -ntlmssp_client_challenge() already checks for required flags -before asking winbindd. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 5041adb6657596399049a33e6a739a040b4df0db) ---- - auth/ntlmssp/ntlmssp_client.c | 7 +------ - 1 file changed, 1 insertion(+), 6 deletions(-) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index b419615..8b367fc 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { - gensec_security->want_features |= GENSEC_FEATURE_SIGN; -- -- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; - } - - if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { - gensec_security->want_features |= GENSEC_FEATURE_SEAL; -- -- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; -- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; - } - -- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; - ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; -+ ntlmssp_state->required_flags = 0; - - if (DEBUGLEVEL >= 10) { - struct NEGOTIATE_MESSAGE *negotiate = talloc( --- -1.9.1 - - -From d92fa261f8a3e1320309e5c515e4036cff31c0df Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 18:44:21 +0200 -Subject: [PATCH 08/30] auth/ntlmssp: don't require NTLMSSP_SIGN for smb - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Enforcement of SMB signing is done at the SMB layer. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit d97b347d041f9b5c0aa71f35526cbefd56f3500b) ---- - auth/ntlmssp/ntlmssp_client.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index 8b367fc..b423f20 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -843,8 +843,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) - * Without this, Windows will not create the master key - * that it thinks is only used for NTLMSSP signing and - * sealing. (It is actually pulled out and used directly) -+ * -+ * We don't require this here as some servers (e.g. NetAPP) -+ * doesn't support this. - */ -- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; -+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - } - if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; --- -1.9.1 - - -From be36cbcaf1f2e17301af73051ae7a1ab2dce84ea Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 19 Apr 2016 07:31:50 +0200 -Subject: [PATCH 09/30] s3:libsmb: use password = NULL for anonymous - connections -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 53be47410236ef7c90fe895f49f300e3fe47a8bf) ---- - source3/libsmb/cliconnect.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 039fba2..b518ab8 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1343,6 +1343,17 @@ static struct tevent_req 
*cli_session_setup_gensec_send( - talloc_set_destructor( - state, cli_session_setup_gensec_state_destructor); - -+ if (user == NULL || strlen(user) == 0) { -+ if (pass != NULL && strlen(pass) == 0) { -+ /* -+ * some callers pass "" as no password -+ * -+ * gensec only handles NULL as no password. -+ */ -+ pass = NULL; -+ } -+ } -+ - status = auth_generic_client_prepare(state, &state->auth_generic); - if (tevent_req_nterror(req, status)) { - return tevent_req_post(req, ev); --- -1.9.1 - - -From 495a374b65a8932bb1d83b326bcb974c65118760 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 20 Apr 2016 20:09:53 +0200 -Subject: [PATCH 10/30] libcli/smb: fix NULL pointer derreference in - smbXcli_session_is_authenticated(). - -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a) ---- - libcli/smb/smbXcli_base.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index 7bf48c8..193222c 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -4945,6 +4945,10 @@ bool smbXcli_session_is_authenticated(struct smbXcli_session *session) - { - const DATA_BLOB *application_key; - -+ if (session == NULL) { -+ return false; -+ } -+ - if (session->conn == NULL) { - return false; - } --- -1.9.1 - - -From 9a4ab7a5af1433016240732b1d4e1af48bb982ee Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 18 Apr 2016 17:33:11 +0200 -Subject: [PATCH 11/30] libcli/smb: add smb1cli_session_set_action() helper - function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 
e6f9e176f2bb0e3e7451ac58e84ff55328219fcd) ---- - libcli/smb/smbXcli_base.c | 7 +++++++ - libcli/smb/smbXcli_base.h | 2 ++ - 2 files changed, 9 insertions(+) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index 193222c..c55875b 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -152,6 +152,7 @@ struct smbXcli_session { - - struct { - uint16_t session_id; -+ uint16_t action; - DATA_BLOB application_key; - bool protected_key; - } smb1; -@@ -5016,6 +5017,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session, - session->smb1.session_id = session_id; - } - -+void smb1cli_session_set_action(struct smbXcli_session *session, -+ uint16_t action) -+{ -+ session->smb1.action = action; -+} -+ - NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, - const DATA_BLOB _session_key) - { -diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h -index 9a957e2..29edd09 100644 ---- a/libcli/smb/smbXcli_base.h -+++ b/libcli/smb/smbXcli_base.h -@@ -379,6 +379,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session); - uint16_t smb1cli_session_current_id(struct smbXcli_session* session); - void smb1cli_session_set_id(struct smbXcli_session* session, - uint16_t session_id); -+void smb1cli_session_set_action(struct smbXcli_session *session, -+ uint16_t action); - NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, - const DATA_BLOB _session_key); - NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session); --- -1.9.1 - - -From 7d295b4b481701d0c668a8de20aed1ef4133cf4b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 18 Apr 2016 17:34:21 +0200 -Subject: [PATCH 12/30] libcli/smb: add SMB1 session setup action flags -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas 
Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit cceaa61cf064926baca6db4b303d34ea90d40d52) ---- - libcli/smb/smb_constants.h | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h -index 9b1de50..c7a49ab 100644 ---- a/libcli/smb/smb_constants.h -+++ b/libcli/smb/smb_constants.h -@@ -276,6 +276,12 @@ enum smb_signing_setting { - CAP_LARGE_WRITEX | \ - 0) - -+/* -+ * The action flags in the SMB session setup response -+ */ -+#define SMB_SETUP_GUEST 0x0001 -+#define SMB_SETUP_USE_LANMAN_KEY 0x0002 -+ - /* Client-side offline caching policy types */ - enum csc_policy { - CSC_POLICY_MANUAL=0, --- -1.9.1 - - -From 2785ec5201f804ee17831e458647baca3c0ded76 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 18 Apr 2016 17:38:46 +0200 -Subject: [PATCH 13/30] libcli/smb: add smbXcli_session_is_guest() helper - function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2) ---- - libcli/smb/smbXcli_base.c | 24 ++++++++++++++++++++++++ - libcli/smb/smbXcli_base.h | 1 + - 2 files changed, 25 insertions(+) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index c55875b..b07fdad 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -4942,6 +4942,30 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, - return session; - } - -+bool smbXcli_session_is_guest(struct smbXcli_session *session) -+{ -+ if (session == NULL) { -+ return false; -+ } -+ -+ if (session->conn == NULL) { -+ return false; -+ } -+ -+ if (session->conn->protocol >= PROTOCOL_SMB2_02) { -+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { -+ return true; -+ } -+ return false; -+ } -+ -+ if 
(session->smb1.action & SMB_SETUP_GUEST) { -+ return true; -+ } -+ -+ return false; -+} -+ - bool smbXcli_session_is_authenticated(struct smbXcli_session *session) - { - const DATA_BLOB *application_key; -diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h -index 29edd09..50466b1 100644 ---- a/libcli/smb/smbXcli_base.h -+++ b/libcli/smb/smbXcli_base.h -@@ -371,6 +371,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx, - struct smbXcli_conn *conn); - struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, - struct smbXcli_session *src); -+bool smbXcli_session_is_guest(struct smbXcli_session *session); - bool smbXcli_session_is_authenticated(struct smbXcli_session *session); - NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session, - TALLOC_CTX *mem_ctx, --- -1.9.1 - - -From 7199058a6fdf26ed0739a3681ddce9f3cf31caee Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 19 Apr 2016 07:19:19 +0200 -Subject: [PATCH 14/30] s3:libsmb: record the session setup action flags -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 02c902103521e5a2b1d221db83e6c59d0ce31099) ---- - source3/libsmb/cliconnect.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index b518ab8..bad6c28 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -242,6 +242,7 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq) - p = bytes; - - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); -+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); - - status = smb_bytes_talloc_string(cli, - inhdr, -@@ -449,6 +450,7 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq) - p = 
bytes; - - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); -+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); - - status = smb_bytes_talloc_string(cli, - inhdr, -@@ -613,6 +615,7 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq) - p = bytes; - - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); -+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); - - status = smb_bytes_talloc_string(cli, - inhdr, -@@ -929,6 +932,7 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq) - p = bytes; - - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); -+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); - - status = smb_bytes_talloc_string(cli, - inhdr, -@@ -1178,6 +1182,7 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) - state->inbuf = in; - inhdr = in + NBT_HDR_SIZE; - cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); -+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); - - blob_length = SVAL(vwv+3, 0); - if (blob_length > num_bytes) { --- -1.9.1 - - -From 947c7f9232a5150bfe53815081aaff90ad5d8621 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 19 Apr 2016 07:20:28 +0200 -Subject: [PATCH 15/30] s3:libsmb: don't finish the gensec handshake for guest - logins -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit fa5799207e55ee8e329f36f784d027845eaf0e34) ---- - source3/libsmb/cliconnect.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index bad6c28..c4ac605 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1590,6 +1590,27 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) - } - - if 
(NT_STATUS_IS_OK(status)) { -+ struct smbXcli_session *session = NULL; -+ bool is_guest = false; -+ -+ if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) { -+ session = state->cli->smb2.session; -+ } else { -+ session = state->cli->smb1.session; -+ } -+ -+ is_guest = smbXcli_session_is_guest(session); -+ if (is_guest) { -+ /* -+ * We can't finish the gensec handshake, we don't -+ * have a negotiated session key. -+ * -+ * So just pretend we are completely done. -+ */ -+ state->blob_in = data_blob_null; -+ state->local_ready = true; -+ } -+ - state->remote_ready = true; - } - --- -1.9.1 - - -From 4187e7a514392647fa5db841befc728de282112a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 19 Apr 2016 07:33:03 +0200 -Subject: [PATCH 16/30] s3:libsmb: use anonymous authentication via spnego if - possible -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This makes the authentication consistent between -SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000) -and SNB2. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38) ---- - source3/libsmb/cliconnect.c | 55 ++++++++++++++++++++++++--------------------- - 1 file changed, 29 insertions(+), 26 deletions(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index c4ac605..420fe3c 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1661,6 +1661,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) - } - } - -+ if (state->is_anonymous) { -+ /* -+ * Windows server does not set the -+ * SMB2_SESSION_FLAG_IS_NULL flag. -+ * -+ * This fix makes sure we do not try -+ * to verify a signature on the final -+ * session setup response. 
-+ */ -+ tevent_req_done(req); -+ return; -+ } -+ - status = gensec_session_key(state->auth_generic->gensec_security, - state, &state->session_key); - if (tevent_req_nterror(req, status)) { -@@ -1670,20 +1683,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) - if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) { - struct smbXcli_session *session = state->cli->smb2.session; - -- if (state->is_anonymous) { -- /* -- * Windows server does not set the -- * SMB2_SESSION_FLAG_IS_GUEST nor -- * SMB2_SESSION_FLAG_IS_NULL flag. -- * -- * This fix makes sure we do not try -- * to verify a signature on the final -- * session setup response. -- */ -- tevent_req_done(req); -- return; -- } -- - status = smb2cli_session_set_session_key(session, - state->session_key, - state->recv_iov); -@@ -2121,6 +2120,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, - return req; - } - -+ /* -+ * if the server supports extended security then use SPNEGO -+ * even for anonymous connections. -+ */ -+ if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { -+ subreq = cli_session_setup_spnego_send( -+ state, ev, cli, user, pass, workgroup); -+ if (tevent_req_nomem(subreq, req)) { -+ return tevent_req_post(req, ev); -+ } -+ tevent_req_set_callback(subreq, cli_session_setup_done_spnego, -+ req); -+ return req; -+ } -+ - /* if no user is supplied then we have to do an anonymous connection. 
- passwords are ignored */ - -@@ -2169,18 +2183,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, - return req; - } - -- /* if the server supports extended security then use SPNEGO */ -- -- if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { -- subreq = cli_session_setup_spnego_send( -- state, ev, cli, user, pass, workgroup); -- if (tevent_req_nomem(subreq, req)) { -- return tevent_req_post(req, ev); -- } -- tevent_req_set_callback(subreq, cli_session_setup_done_spnego, -- req); -- return req; -- } else { -+ { - /* otherwise do a NT1 style session setup */ - if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) { - /* --- -1.9.1 - - -From d960e432ead98a170d34e07602c69c464e7afddc Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 22 Apr 2016 10:04:38 +0200 -Subject: [PATCH 17/30] auth/spnego: only try to verify the mechListMic if - signing was negotiated. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e) ---- - auth/gensec/spnego.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 33a4b46..1b23427 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - case SPNEGO_SERVER_TARG: - { - NTSTATUS nt_status; -+ bool have_sign = true; - bool new_spnego = false; - - if (!in.length) { -@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - goto server_response; - } - -+ have_sign = gensec_have_feature(spnego_state->sub_sec_security, -+ GENSEC_FEATURE_SIGN); - new_spnego = 
gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_NEW_SPNEGO); - if (spnego.negTokenTarg.mechListMIC.length > 0) { - new_spnego = true; - } - -- if (new_spnego) { -+ if (have_sign && new_spnego) { - spnego_state->needs_mic_check = true; - spnego_state->needs_mic_sign = true; - } - -- if (spnego.negTokenTarg.mechListMIC.length > 0) { -+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { - nt_status = gensec_check_packet(spnego_state->sub_sec_security, - spnego_state->mech_types.data, - spnego_state->mech_types.length, -@@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - if (spnego_state->no_response_expected && - !spnego_state->done_mic_check) - { -+ bool have_sign = true; - bool new_spnego = false; - -+ have_sign = gensec_have_feature(spnego_state->sub_sec_security, -+ GENSEC_FEATURE_SIGN); - new_spnego = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_NEW_SPNEGO); - -@@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - } - - if (spnego_state->mic_requested) { -- bool sign; -- -- sign = gensec_have_feature(spnego_state->sub_sec_security, -- GENSEC_FEATURE_SIGN); -- if (sign) { -+ if (have_sign) { - new_spnego = true; - } - } - -- if (new_spnego) { -+ if (have_sign && new_spnego) { - spnego_state->needs_mic_check = true; - spnego_state->needs_mic_sign = true; - } --- -1.9.1 - - -From f73ea5c9d0bb11732a485bb18e96fda1d72d1fdf Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 27 Apr 2016 01:44:56 +0200 -Subject: [PATCH 18/30] s4:auth_anonymous: anonymous authentication doesn't - allow a password -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 
d247dceaaab24b568425f2360e40f5e91be452cc) ---- - source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c -index 28cbfe8..ab1aac2 100644 ---- a/source4/auth/ntlm/auth_anonymous.c -+++ b/source4/auth/ntlm/auth_anonymous.c -@@ -41,6 +41,36 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, - return NT_STATUS_NOT_IMPLEMENTED; - } - -+ switch (user_info->password_state) { -+ case AUTH_PASSWORD_PLAIN: -+ if (user_info->password.plaintext != NULL && -+ strlen(user_info->password.plaintext) > 0) -+ { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ break; -+ case AUTH_PASSWORD_HASH: -+ if (user_info->password.hash.lanman != NULL) { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ if (user_info->password.hash.nt != NULL) { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ break; -+ case AUTH_PASSWORD_RESPONSE: -+ if (user_info->password.response.lanman.length == 1) { -+ if (user_info->password.response.lanman.data[0] != '\0') { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ } else if (user_info->password.response.lanman.length > 1) { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ if (user_info->password.response.nt.length > 0) { -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ break; -+ } -+ - return NT_STATUS_OK; - } - --- -1.9.1 - - -From df208ed074e6db304d0b8f123e6d0e69f46ad269 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 27 Apr 2016 01:48:32 +0200 -Subject: [PATCH 19/30] s3:auth_builtin: anonymous authentication doesn't allow - a password -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit ead483b0c0ec746c0869162024c97f2e08df7f4b) ---- - source3/auth/auth_builtin.c | 47 
++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 40 insertions(+), 7 deletions(-) - -diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c -index dce58bf..7480799 100644 ---- a/source3/auth/auth_builtin.c -+++ b/source3/auth/auth_builtin.c -@@ -38,17 +38,50 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, - const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) - { -- /* mark this as 'not for me' */ -- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; -- - DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); - -- if (!(user_info->mapped.account_name -- && *user_info->mapped.account_name)) { -- nt_status = make_server_info_guest(NULL, server_info); -+ if (user_info->mapped.account_name && *user_info->mapped.account_name) { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; - } - -- return nt_status; -+ switch (user_info->password_state) { -+ case AUTH_PASSWORD_PLAIN: -+ if (user_info->password.plaintext != NULL && -+ strlen(user_info->password.plaintext) > 0) -+ { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ break; -+ case AUTH_PASSWORD_HASH: -+ if (user_info->password.hash.lanman != NULL) { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ if (user_info->password.hash.nt != NULL) { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ break; -+ case AUTH_PASSWORD_RESPONSE: -+ if (user_info->password.response.lanman.length == 1) { -+ if (user_info->password.response.lanman.data[0] != '\0') { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ } else if (user_info->password.response.lanman.length > 1) { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ if (user_info->password.response.nt.length > 0) { -+ /* mark this as 'not for me' */ -+ return NT_STATUS_NOT_IMPLEMENTED; -+ } -+ 
break; -+ } -+ -+ return make_server_info_guest(NULL, server_info); - } - - /* Guest modules initialisation */ --- -1.9.1 - - -From aa8ccc2939df6bc477f90c901723e2c829b81b45 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 16:29:42 +0200 -Subject: [PATCH 20/30] libcli/security: implement SECURITY_GUEST -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 837e6176329330893d5a1e4ce4ac67dbac758e56) ---- - libcli/security/security_token.c | 5 +++++ - libcli/security/security_token.h | 2 ++ - libcli/security/session.c | 4 ++++ - libcli/security/session.h | 1 + - 4 files changed, 12 insertions(+) - -diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c -index 6812d42..2e5a87b 100644 ---- a/libcli/security/security_token.c -+++ b/libcli/security/security_token.c -@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha - return ret; - } - -+bool security_token_has_builtin_guests(const struct security_token *token) -+{ -+ return security_token_has_sid(token, &global_sid_Builtin_Guests); -+} -+ - bool security_token_has_builtin_administrators(const struct security_token *token) - { - return security_token_has_sid(token, &global_sid_Builtin_Administrators); -diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h -index b8ca990..5c5b30b 100644 ---- a/libcli/security/security_token.h -+++ b/libcli/security/security_token.h -@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom - - bool security_token_has_sid_string(const struct security_token *token, const char *sid_string); - -+bool security_token_has_builtin_guests(const struct 
security_token *token); -+ - bool security_token_has_builtin_administrators(const struct security_token *token); - - bool security_token_has_nt_authenticated_users(const struct security_token *token); -diff --git a/libcli/security/session.c b/libcli/security/session.c -index 0c32556..0fbb87d 100644 ---- a/libcli/security/session.c -+++ b/libcli/security/session.c -@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s - return SECURITY_ANONYMOUS; - } - -+ if (security_token_has_builtin_guests(session_info->security_token)) { -+ return SECURITY_GUEST; -+ } -+ - if (security_token_has_builtin_administrators(session_info->security_token)) { - return SECURITY_ADMINISTRATOR; - } -diff --git a/libcli/security/session.h b/libcli/security/session.h -index ee9187d..31e950e 100644 ---- a/libcli/security/session.h -+++ b/libcli/security/session.h -@@ -24,6 +24,7 @@ - - enum security_user_level { - SECURITY_ANONYMOUS = 0, -+ SECURITY_GUEST = 1, - SECURITY_USER = 10, - SECURITY_RO_DOMAIN_CONTROLLER = 20, - SECURITY_DOMAIN_CONTROLLER = 30, --- -1.9.1 - - -From af588816572e60d88c38ca345745d1370c9998a0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 18 Apr 2016 17:36:56 +0200 -Subject: [PATCH 21/30] s3:smbd: make use SMB_SETUP_GUEST constant -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396) ---- - source3/smbd/sesssetup.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c -index 33574f7..1dbc180 100644 ---- a/source3/smbd/sesssetup.c -+++ b/source3/smbd/sesssetup.c -@@ -286,7 +286,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - } - - if 
(security_session_user_level(session_info, NULL) < SECURITY_USER) { -- action = 1; -+ action |= SMB_SETUP_GUEST; - } - - if (session_info->session_key.length > 0) { -@@ -412,7 +412,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - } - - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -- action = 1; -+ action |= SMB_SETUP_GUEST; - } - - /* -@@ -940,7 +940,7 @@ void reply_sesssetup_and_X(struct smb_request *req) - } - - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -- action = 1; -+ action |= SMB_SETUP_GUEST; - } - - /* register the name and uid as being validated, so further connections --- -1.9.1 - - -From 4e4530282bdbe75c9d27611888548db7c5d00beb Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 16:34:28 +0200 -Subject: [PATCH 22/30] s3:smbd: only mark real guest sessions with the GUEST - flag -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Real anonymous sessions don't get it. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(similar to commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441) ---- - source3/smbd/sesssetup.c | 6 +++--- - source3/smbd/smb2_sesssetup.c | 7 ++++--- - 2 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c -index 1dbc180..77b8077 100644 ---- a/source3/smbd/sesssetup.c -+++ b/source3/smbd/sesssetup.c -@@ -285,7 +285,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - return; - } - -- if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { - action |= SMB_SETUP_GUEST; - } - -@@ -411,7 +411,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - return; - } - -- if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { - action |= SMB_SETUP_GUEST; - } - -@@ -939,7 +939,7 @@ void reply_sesssetup_and_X(struct smb_request *req) - /* perhaps grab OS version here?? 
*/ - } - -- if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { - action |= SMB_SETUP_GUEST; - } - -diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c -index 8b239c9..c738856 100644 ---- a/source3/smbd/smb2_sesssetup.c -+++ b/source3/smbd/smb2_sesssetup.c -@@ -202,11 +202,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, - } - - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -- /* we map anonymous to guest internally */ -- *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; -- *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; -+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { -+ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; -+ } - /* force no signing */ - x->global->signing_required = false; -+ /* we map anonymous to guest internally */ - guest = true; - } - --- -1.9.1 - - -From 209ea55537c2e1141205465116c9d89b32b91dad Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 20 Apr 2016 18:27:34 +0200 -Subject: [PATCH 23/30] auth/ntlmssp: do map to guest checking after the - authentication -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit d667520568996471b55007a42b503edbabb1eee0) ---- - auth/ntlmssp/gensec_ntlmssp_server.c | 16 +-------------- - auth/ntlmssp/ntlmssp_server.c | 40 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 41 insertions(+), 15 deletions(-) - -diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c -index 6147b14..f3c26c7 100644 ---- a/auth/ntlmssp/gensec_ntlmssp_server.c -+++ b/auth/ntlmssp/gensec_ntlmssp_server.c -@@ -130,21 +130,7 @@ NTSTATUS 
gensec_ntlmssp_server_start(struct gensec_security *gensec_security) - ntlmssp_state->allow_lm_key = true; - } - -- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) { -- /* -- * map to guest is not secure anyway, so -- * try to make it work and don't try to -- * negotiate new_spnego and MIC checking -- */ -- ntlmssp_state->force_old_spnego = true; -- } -- -- if (role == ROLE_ACTIVE_DIRECTORY_DC) { -- /* -- * map to guest is not supported on an AD DC. -- */ -- ntlmssp_state->force_old_spnego = false; -- } -+ ntlmssp_state->force_old_spnego = false; - - ntlmssp_state->neg_flags = - NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; -diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c -index 9549641..3f13ccb 100644 ---- a/auth/ntlmssp/ntlmssp_server.c -+++ b/auth/ntlmssp/ntlmssp_server.c -@@ -31,6 +31,9 @@ - #include "auth/gensec/gensec.h" - #include "auth/gensec/gensec_internal.h" - #include "auth/common_auth.h" -+#include "param/param.h" -+#include "param/loadparm.h" -+#include "libcli/security/session.h" - - /** - * Determine correct target name flags for reply, given server role -@@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec - struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; - struct auth4_context *auth_context = gensec_security->auth_context; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; -+ struct auth_session_info *session_info = NULL; - struct auth_usersupplied_info *user_info; - - user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); -@@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec - - NT_STATUS_NOT_OK_RETURN(nt_status); - -+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST -+ && auth_context->generate_session_info != NULL) -+ { -+ NTSTATUS tmp_status; -+ -+ /* -+ * We need to check if the auth is anonymous or mapped to guest 
-+ */ -+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx, -+ gensec_ntlmssp->server_returned_info, -+ gensec_ntlmssp->ntlmssp_state->user, -+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, -+ &session_info); -+ if (!NT_STATUS_IS_OK(tmp_status)) { -+ /* -+ * We don't care about failures, -+ * the worst result is that we try MIC checking -+ * for a map to guest authentication. -+ */ -+ TALLOC_FREE(session_info); -+ } -+ } -+ -+ if (session_info != NULL) { -+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) { -+ /* -+ * Anonymous and GUEST are not secure anyway. -+ * avoid new_spnego and MIC checking. -+ */ -+ ntlmssp_state->new_spnego = false; -+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; -+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; -+ } -+ TALLOC_FREE(session_info); -+ } -+ - talloc_steal(mem_ctx, user_session_key->data); - talloc_steal(mem_ctx, lm_session_key->data); - --- -1.9.1 - - -From 9635bf9f38a98b353d58d9b918021dc306673b2d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 25 Apr 2016 14:45:55 +0200 -Subject: [PATCH 24/30] auth/spnego: add spnego:simulate_w2k option for testing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit db9c01a51975a0a3ec2564357617958c2f466091) ---- - auth/gensec/spnego.c | 28 +++++++++++++++++++++++++++- - 1 file changed, 27 insertions(+), 1 deletion(-) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 1b23427..6a82b5f 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -59,6 +59,8 @@ struct spnego_state { - bool needs_mic_check; - bool done_mic_check; - -+ bool simulate_w2k; -+ - /* - * The following is used to implement - * the update token fragmentation -@@ -88,6 +90,9 @@ static NTSTATUS 
gensec_spnego_client_start(struct gensec_security *gensec_securi - spnego_state->out_max_length = gensec_max_update_size(gensec_security); - spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; - -+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, -+ "spnego", "simulate_w2k", false); -+ - gensec_security->private_data = spnego_state; - return NT_STATUS_OK; - } -@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi - spnego_state->out_max_length = gensec_max_update_size(gensec_security); - spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; - -+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, -+ "spnego", "simulate_w2k", false); -+ - gensec_security->private_data = spnego_state; - return NT_STATUS_OK; - } -@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - spnego.negTokenInit.mechToken, - &unwrapped_out); - -+ if (spnego_state->simulate_w2k) { -+ /* -+ * Windows 2000 returns the unwrapped token -+ * also in the mech_list_mic field. 
-+ * -+ * In order to verify our client code, -+ * we need a way to have a server with this -+ * broken behaviour -+ */ -+ mech_list_mic = unwrapped_out; -+ } -+ - nt_status = gensec_spnego_server_negTokenTarg(spnego_state, - out_mem_ctx, - nt_status, - unwrapped_out, -- null_data_blob, -+ mech_list_mic, - out); - - spnego_free_data(&spnego); -@@ -950,6 +970,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - - have_sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); -+ if (spnego_state->simulate_w2k) { -+ have_sign = false; -+ } - new_spnego = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_NEW_SPNEGO); - if (spnego.negTokenTarg.mechListMIC.length > 0) { -@@ -1150,6 +1173,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - - have_sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); -+ if (spnego_state->simulate_w2k) { -+ have_sign = false; -+ } - new_spnego = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_NEW_SPNEGO); - --- -1.9.1 - - -From 178dc27b2fb2a3d11ad026798209c71724e11284 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 25 Apr 2016 15:58:27 +0200 -Subject: [PATCH 25/30] auth/ntlmssp: add - ntlmssp_{client,server}:force_old_spnego option for testing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 7a2cb2c97611171613fc677a534277839348c56f) ---- - auth/ntlmssp/gensec_ntlmssp_server.c | 7 +++++++ - auth/ntlmssp/ntlmssp_client.c | 3 +++ - 2 files changed, 10 insertions(+) - -diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c -index f3c26c7..08a8c8f 100644 ---- a/auth/ntlmssp/gensec_ntlmssp_server.c -+++ 
b/auth/ntlmssp/gensec_ntlmssp_server.c -@@ -132,6 +132,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) - - ntlmssp_state->force_old_spnego = false; - -+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) { -+ /* -+ * For testing Windows 2000 mode -+ */ -+ ntlmssp_state->force_old_spnego = true; -+ } -+ - ntlmssp_state->neg_flags = - NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index b423f20..5edd5f4 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -784,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) - - ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx); - -+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, -+ "ntlmssp_client", "force_old_spnego", false); -+ - ntlmssp_state->expected_state = NTLMSSP_INITIAL; - - ntlmssp_state->neg_flags = --- -1.9.1 - - -From 0d826b092f20dbc70ea48210d41ec300b44d7ca8 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Apr 2016 08:50:00 +0200 -Subject: [PATCH 26/30] selftest:Samba4: provide DC_* variables for fl2000dc - and fl2008r2dc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit b8055cb42cadf48367867213a35635f3391c9b8d) ---- - selftest/target/Samba4.pm | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 7ea1544..e8d5915 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1154,6 +1154,13 @@ sub provision_fl2000dc($$) - warn("Unable to add wins configuration"); - return undef; - } 
-+ $ret->{DC_SERVER} = $ret->{SERVER}; -+ $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; -+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; -+ $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; -+ $ret->{DC_USERNAME} = $ret->{USERNAME}; -+ $ret->{DC_PASSWORD} = $ret->{PASSWORD}; -+ $ret->{DC_REALM} = $ret->{REALM}; - - return $ret; - } -@@ -1230,6 +1237,13 @@ sub provision_fl2008r2dc($$) - warn("Unable to add wins configuration"); - return undef; - } -+ $ret->{DC_SERVER} = $ret->{SERVER}; -+ $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; -+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; -+ $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; -+ $ret->{DC_USERNAME} = $ret->{USERNAME}; -+ $ret->{DC_PASSWORD} = $ret->{PASSWORD}; -+ $ret->{DC_REALM} = $ret->{REALM}; - - return $ret; - } --- -1.9.1 - - -From be28f570c5da6074d07f6fd3243daa580eb3fef7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 26 Apr 2016 11:33:52 +0200 -Subject: [PATCH 27/30] s3:test_smbclient_auth.sh: this script reqiures 5 - arguments -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 70910334caa176bf98fece7d638ed599979dc173) ---- - source3/script/tests/test_smbclient_auth.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh -index 2402f73..18fff75 100755 ---- a/source3/script/tests/test_smbclient_auth.sh -+++ b/source3/script/tests/test_smbclient_auth.sh -@@ -2,7 +2,7 @@ - - # this runs the file serving tests that are expected to pass with samba3 against shares with various options - --if [ $# -lt 4 ]; then -+if [ $# -lt 5 ]; then - cat < - EOF --- -1.9.1 - - -From 0ec99f370a1a4b02be063a458777fa0d3e81fff7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 27 Apr 2016 
01:00:14 +0200 -Subject: [PATCH 28/30] selftest:Samba4: let fl2000dc use Windows2000 - supported_enctypes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(similar to commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd) ---- - selftest/target/Samba.pm | 13 +++++++++++++ - selftest/target/Samba4.pm | 3 +++ - 2 files changed, 16 insertions(+) - -diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm -index dabe442..069b85e 100644 ---- a/selftest/target/Samba.pm -+++ b/selftest/target/Samba.pm -@@ -204,6 +204,19 @@ sub mk_krb5_conf($$) - forwardable = yes - allow_weak_crypto = yes - -+"; -+ -+ if (defined($ctx->{supported_enctypes})) { -+ print KRB5CONF " -+ default_etypes = $ctx->{supported_enctypes} -+ default_as_etypes = $ctx->{supported_enctypes} -+ default_tgs_enctypes = $ctx->{supported_enctypes} -+ default_tkt_enctypes = $ctx->{supported_enctypes} -+ permitted_enctypes = $ctx->{supported_enctypes} -+"; -+ } -+ -+ print KRB5CONF " - [realms] - $our_realms_stanza - $other_realms_stanza -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index e8d5915..48ff9b8 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -282,6 +282,9 @@ sub provision_raw_prepare($$$$$$$$$$) - $ctx->{swiface} = $swiface; - $ctx->{password} = $password; - $ctx->{kdc_ipv4} = $kdc_ipv4; -+ if ($functional_level eq "2000") { -+ $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc" -+ } - - # - # Set smbd log level here. 
--- -1.9.1 - - -From 2db8fe86ebb7c5833fe9240a7abb7645ce5a8191 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 25 Apr 2016 16:02:22 +0200 -Subject: [PATCH 29/30] selftest:Samba4: let fl2000dc use Windows2000 style - SPNEGO/NTLMSSP -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(similar to commit 4de43387235cb17a185fdd1afd658972e8c174ef) ---- - selftest/target/Samba4.pm | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 48ff9b8..48186b1 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -1144,6 +1144,10 @@ sub provision_fl2000dc($$) - my ($self, $prefix) = @_; - - print "PROVISIONING DC..."; -+ my $extra_conf_options = " -+ spnego:simulate_w2k=yes -+ ntlmssp_server:force_old_spnego=yes -+"; - my $ret = $self->provision($prefix, - "domain controller", - "dc5", -@@ -1151,7 +1155,7 @@ sub provision_fl2000dc($$) - "samba2000.example.com", - "2000", - "locDCpass5", -- undef, "", "", undef); -+ undef, $extra_conf_options, "", undef); - - unless($self->add_wins_config("$prefix/private")) { - warn("Unable to add wins configuration"); --- -1.9.1 - - -From 314eec5def43b12eba026da90af4919f1f1c94e0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 25 Apr 2016 16:12:47 +0200 -Subject: [PATCH 30/30] s3:selftest: add smbclient_ntlm tests -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We test all combinations of NT1 with and without spnego and SMB3 -for user, anonymous and guest authentication. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144 - -(similar to commit eee88e07b3e68efb467b390536eea4155b5ced7e) ---- - source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++++++++++++++++++ - source3/selftest/tests.py | 4 ++- - 2 files changed, 43 insertions(+), 1 deletion(-) - create mode 100755 source3/script/tests/test_smbclient_ntlm.sh - -diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh -new file mode 100755 -index 0000000..b8fc564 ---- /dev/null -+++ b/source3/script/tests/test_smbclient_ntlm.sh -@@ -0,0 +1,40 @@ -+#!/bin/sh -+ -+# this runs a smbclient based authentication tests -+ -+if [ $# -lt 5 ]; then -+cat < -+EOF -+exit 1; -+fi -+ -+SERVER="$1" -+USERNAME="$2" -+PASSWORD="$3" -+MAPTOGUEST="$4" -+SMBCLIENT="$5" -+SMBCLIENT="$VALGRIND ${SMBCLIENT}" -+shift 5 -+ADDARGS="$*" -+ -+incdir=`dirname $0`/../../../testprogs/blackbox -+. 
$incdir/subunit.sh -+ -+testit "smbclient username.password.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS -+testit "smbclient username.password.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 -c quit $ADDARGS -+testit "smbclient username.password.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mSMB3 -c quit $ADDARGS -+ -+testit "smbclient anonymous.nopassword.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS -+testit "smbclient anonymous.nopassword.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 -c quit $ADDARGS -+testit "smbclient anonymous.nopassword.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mSMB3 -c quit $ADDARGS -+if test x"${MAPTOGUEST}" = x"never" ; then -+ testit_expect_failure "smbclient anonymous.badpassword.NT1NEW.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS -+ testit_expect_failure "smbclient anonymous.badpassword.SMB3.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS -+else -+ testit "smbclient anonymous.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS -+ testit "smbclient anonymous.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS -+ -+ testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS -+ testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS -+fi -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 8b92921..d27595c 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -128,8 +128,9 @@ for 
options in ["--option=clientusespnego=no", " --option=clientntlmv2auth=no -- - env = "s3dc" - plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) - --for env in ["s3dc", "member", "s3member", "dc", "s4member"]: -+for env in ["s3dc", "member", "s3member", "dc", "s4member", "fl2000dc"]: - plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) -+ plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) - - for env in ["s3dc", "member", "s3member"]: - plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration]) -@@ -155,6 +156,7 @@ for env in ["maptoguest", "simpleserver"]: - - env = "maptoguest" - plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) bad username" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', 'notmy$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"]) -+plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$USERNAME', '$PASSWORD', "baduser", smbclient3, configuration]) - - # plain - for env in ["s3dc"]: --- -1.9.1 - 
diff --git a/SOURCES/samba-4.2.10-fix_anon_with_singing_mandatory.patch b/SOURCES/samba-4.2.10-fix_anon_with_singing_mandatory.patch
deleted file mode 100644
index 67f381a..0000000
--- a/SOURCES/samba-4.2.10-fix_anon_with_singing_mandatory.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From bbde6e61580e030a84d2f0ce1e47d54dd51f5d10 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 18 May 2016 09:56:02 +0200 -Subject: [PATCH] s3:smbd: fix anonymous authentication if signing is mandatory - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11910 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Wed May 18 15:49:46 CEST 2016 on sn-devel-144 - -(cherry picked from commit aa5760433b219de7b41d35ca7ad6d4d702b89adf) ---- - source3/smbd/sesssetup.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c -index 77b8077..5d92af1 100644 ---- a/source3/smbd/sesssetup.c -+++ b/source3/smbd/sesssetup.c -@@ -135,6 +135,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - struct smbXsrv_connection *xconn = req->xconn; - struct smbd_server_connection *sconn = req->sconn; - uint16_t action = 0; -+ bool is_authenticated = false; - NTTIME now = timeval_to_nttime(&req->request_time); - struct smbXsrv_session *session = NULL; - uint16_t smb_bufsize = SVAL(req->vwv+2, 0); -@@ -328,12 +329,13 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) - sconn->num_users++; - - if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { -+ is_authenticated = true; - session->compat->homes_snum = - register_homes_share(session_info->unix_info->unix_name); - } - - if (srv_is_signing_negotiated(xconn) && -- action == 0 && -+ is_authenticated && - session->global->signing_key.length > 0) - { - /* -@@ -592,6 +594,7 @@ void reply_sesssetup_and_X(struct smb_request *req) - struct auth_session_info *session_info = NULL; - uint16 smb_flag2 = req->flags2; - uint16_t action = 0; -+ bool is_authenticated = false; - NTTIME now = timeval_to_nttime(&req->request_time); - struct smbXsrv_session *session = NULL; - NTSTATUS nt_status; -@@ -1029,12 +1032,13 @@ 
void reply_sesssetup_and_X(struct smb_request *req) - sconn->num_users++; - - if (security_session_user_level(session_info, NULL) >= SECURITY_USER) { -+ is_authenticated = true; - session->compat->homes_snum = - register_homes_share(session_info->unix_info->unix_name); - } - - if (srv_is_signing_negotiated(xconn) && -- action == 0 && -+ is_authenticated && - session->global->signing_key.length > 0) - { - /* --- -1.9.1 - diff --git a/SOURCES/samba-4.2.10-fix_msrpc_parse.patch b/SOURCES/samba-4.2.10-fix_msrpc_parse.patch deleted file mode 100644 index a3852fa..0000000 --- a/SOURCES/samba-4.2.10-fix_msrpc_parse.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 7c26fab82d668199756ebf24a96c46c102250c6a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 9 May 2016 16:14:31 +0200 -Subject: [PATCH] libcli/auth: let msrpc_parse() return talloc'ed empty strings - -This make it more predictable for the callers. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11912 -BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1334356 -BUG: https://launchpad.net/bugs/1578576 - -Signed-off-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Mon May 9 22:27:21 CEST 2016 on sn-devel-144 - -(cherry picked from commit 58a83236294117d32d9883ac3024f81fa1730a87) ---- - libcli/auth/msrpc_parse.c | 24 ++++++++++++++++++++---- - 1 file changed, 20 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/msrpc_parse.c b/libcli/auth/msrpc_parse.c -index d499d9e..74a7bcc 100644 ---- a/libcli/auth/msrpc_parse.c -+++ b/libcli/auth/msrpc_parse.c -@@ -262,7 +262,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, - - ps = va_arg(ap, char **); - if (len1 == 0 && len2 == 0) { -- *ps = (char *)discard_const(""); -+ *ps = talloc_strdup(mem_ctx, ""); -+ if (*ps == NULL) { -+ ret = false; -+ goto cleanup; -+ } - } else { - /* make sure its in the right format - be strict */ - if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) { -@@ -289,7 +293,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, - goto cleanup; - } - } else { -- (*ps) = (char *)discard_const(""); -+ *ps = talloc_strdup(mem_ctx, ""); -+ if (*ps == NULL) { -+ ret = false; -+ goto cleanup; -+ } - } - } - break; -@@ -302,7 +310,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, - ps = (char **)va_arg(ap, char **); - /* make sure its in the right format - be strict */ - if (len1 == 0 && len2 == 0) { -- *ps = (char *)discard_const(""); -+ *ps = talloc_strdup(mem_ctx, ""); -+ if (*ps == NULL) { -+ ret = false; -+ goto cleanup; -+ } - } else { - if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) 
|| (ptr + len1 > blob->length)) { - ret = false; -@@ -325,7 +337,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx, - goto cleanup; - } - } else { -- (*ps) = (char *)discard_const(""); -+ *ps = talloc_strdup(mem_ctx, ""); -+ if (*ps == NULL) { -+ ret = false; -+ goto cleanup; -+ } - } - } - break; --- -1.9.1 - diff --git a/SOURCES/samba-4.2.10-fix_ntlm_auth_issues.patch b/SOURCES/samba-4.2.10-fix_ntlm_auth_issues.patch deleted file mode 100644 index fb230b2..0000000 --- a/SOURCES/samba-4.2.10-fix_ntlm_auth_issues.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From db5a50fc60daaec47cbb520af1802f49c51cb5ec Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 11 May 2016 17:59:32 +0200 -Subject: [PATCH] s3:ntlm_auth: make ntlm_auth_generate_session_info() more - complete -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The generate_session_info() function maybe called more than once -per session. - -Some may try to look/dereference session_info->security_token, -so we provide simplified token. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11914 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -Reviewed-by: Günther Deschner -(cherry picked from commit 825cce1f88b797c80116769e1755328dee2ba0e1) ---- - source3/utils/ntlm_auth.c | 51 ++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 46 insertions(+), 5 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index d01c522..0fa8997 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -27,6 +27,7 @@ - #include "includes.h" - #include "lib/param/param.h" - #include "popt_common.h" -+#include "libcli/security/security.h" - #include "utils/ntlm_auth.h" - #include "../libcli/auth/libcli_auth.h" - #include "auth/ntlmssp/ntlmssp.h" -@@ -705,18 +706,58 @@ static NTSTATUS ntlm_auth_generate_session_info(struct auth4_context *auth_conte - uint32_t session_info_flags, - struct auth_session_info **session_info_out) - { -- char *unix_username = (char *)server_returned_info; -- struct auth_session_info *session_info = talloc_zero(mem_ctx, struct auth_session_info); -- if (!session_info) { -+ const char *unix_username = (const char *)server_returned_info; -+ bool ok; -+ struct dom_sid *sids = NULL; -+ struct auth_session_info *session_info = NULL; -+ -+ session_info = talloc_zero(mem_ctx, struct auth_session_info); -+ if (session_info == NULL) { - return NT_STATUS_NO_MEMORY; - } - - session_info->unix_info = 
talloc_zero(session_info, struct auth_user_info_unix); -- if (!session_info->unix_info) { -+ if (session_info->unix_info == NULL) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_NO_MEMORY; -+ } -+ session_info->unix_info->unix_name = talloc_strdup(session_info->unix_info, -+ unix_username); -+ if (session_info->unix_info->unix_name == NULL) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ session_info->security_token = talloc_zero(session_info, struct security_token); -+ if (session_info->security_token == NULL) { - TALLOC_FREE(session_info); - return NT_STATUS_NO_MEMORY; - } -- session_info->unix_info->unix_name = talloc_steal(session_info->unix_info, unix_username); -+ -+ sids = talloc_zero_array(session_info->security_token, -+ struct dom_sid, 3); -+ if (sids == NULL) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_NO_MEMORY; -+ } -+ ok = dom_sid_parse(SID_WORLD, &sids[0]); -+ if (!ok) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ ok = dom_sid_parse(SID_NT_NETWORK, &sids[1]); -+ if (!ok) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ ok = dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[2]); -+ if (!ok) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ session_info->security_token->num_sids = talloc_array_length(sids); -+ session_info->security_token->sids = sids; - - *session_info_out = session_info; - --- -1.9.1 - diff --git a/SOURCES/samba-4.2.10-fix_rpcclient_ipc_signing.patch b/SOURCES/samba-4.2.10-fix_rpcclient_ipc_signing.patch deleted file mode 100644 index e5e55d2..0000000 --- a/SOURCES/samba-4.2.10-fix_rpcclient_ipc_signing.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From a1d2a9077978602f92c4ea38ce4f85a45ce821b3 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 19 May 2016 11:47:18 +0200 -Subject: [PATCH] s3:rpcclient: make use of SMB_SIGNING_IPC_DEFAULT - -This means we'll use the "client ipc min protocol", "client ipc max protocol" -and "client ipc signing" options. But "--signing=no" or "--signing=required" -still overwrite "client ipc signing". - -The following can be used to alter the max protocol - -rpcclient --option="client ipc max protocol=SMB2_10" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername" -Account Name: Administrator, Authority Name: W4EDOM-L4 - -rpcclient --option="client ipc max protocol=NT1" 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername" -Account Name: Administrator, Authority Name: W4EDOM-L4 - -rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c "getusername" -Account Name: Administrator, Authority Name: W4EDOM-L4 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11927 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Sat May 21 05:01:15 CEST 2016 on sn-devel-144 - -(cherry picked from commit 2eb824fbaf61dfc5e9c735589c80c41379dabe86) ---- - source3/rpcclient/rpcclient.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c -index a35e422..ebe72b9 100644 ---- a/source3/rpcclient/rpcclient.c -+++ b/source3/rpcclient/rpcclient.c -@@ -944,6 +944,7 @@ out_free: - const char *binding_string = NULL; - char *user, *domain, *q; - const char *host; -+ int signing_state = SMB_SIGNING_IPC_DEFAULT; - - /* make sure the vars that get altered (4th field) are in - a fixed location or certain compilers complain */ -@@ -1116,6 +1117,16 @@ out_free: - } - } - -+ signing_state = get_cmdline_auth_info_signing_state(rpcclient_auth_info); -+ switch (signing_state) { -+ case SMB_SIGNING_OFF: -+ 
lp_set_cmdline("client ipc signing", "no"); -+ break; -+ case SMB_SIGNING_REQUIRED: -+ lp_set_cmdline("client ipc signing", "required"); -+ break; -+ } -+ - if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) { - flags |= CLI_FULL_CONNECTION_USE_KERBEROS | - CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -@@ -1143,7 +1154,7 @@ out_free: - get_cmdline_auth_info_domain(rpcclient_auth_info), - get_cmdline_auth_info_password(rpcclient_auth_info), - flags, -- get_cmdline_auth_info_signing_state(rpcclient_auth_info)); -+ SMB_SIGNING_IPC_DEFAULT); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("Cannot connect to server. Error was %s\n", nt_errstr(nt_status))); --- -1.9.1 - diff --git a/SOURCES/samba-4.2.10-ldap-sasl-win2003.patch b/SOURCES/samba-4.2.10-ldap-sasl-win2003.patch deleted file mode 100644 index 379596f..0000000 --- a/SOURCES/samba-4.2.10-ldap-sasl-win2003.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 7a73e56dfa2ca8569ffdda0b9738516081889523 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Apr 2016 10:05:38 +0200 -Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with - kerberos and arcfour-hmac-md5 - -This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9 -(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos) -that prevents things like 'net ads join' from working against a Windows 2003 domain. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804 - -Signed-off-by: Stefan Metzmacher ---- - source3/libads/sasl.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 4fcd733..22aa9cf 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, - ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); - - ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped; -- ads->ldap.in.min_wrapped = ads->ldap.out.sig_size; -+ /* -+ * Note that we have to truncate this to 0x2C -+ * (taken from a capture with LDAP unbind), as the -+ * signature size is not constant for Kerberos with -+ * arcfour-hmac-md5. -+ */ -+ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); - ads->ldap.in.max_wrapped = max_wrapped; - status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); - if (!ADS_ERR_OK(status)) { --- -1.9.1 - diff --git a/SOURCES/samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch b/SOURCES/samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch deleted file mode 100644 index 272c855..0000000 --- a/SOURCES/samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 137649fc01e6914bbb86a2f5f16c7e03a2fa132d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 22 Jan 2016 11:44:03 +0200 -Subject: [PATCH] s3-parm: clean up defaults when removing global parameters - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11693 - -When globals are re-initialized, they are cleared and globals' talloc -context is freed. However, parm_table still contains a reference to the -global value in the defaults. This confuses lpcfg_string_free() after -commit 795c543d858b2452f062a02846c2f908fe4cffe4 because it tries to -free already freed pointer which is passed by lp_save_defaults(): - -.... - case P_STRING: - case P_USTRING: - lpcfg_string_set(Globals.ctx, - &parm_table[i].def.svalue, - *(char **)lp_parm_ptr(NULL, &parm_table[i])); -.... - -here &parm_table[i].def.svalue is passed to lpcfg_string_free() but it -is a pointer to a value allocated with previous Globals.ctx which -already was freed. - -This specifically affects registry backend of smb.conf in lp_load_ex() -where init_globals() called explicitly to re-init globals after -lp_save_defaults() if we have registry backend defined. 
- -Reviewed-by: Uri Simchoni -Signed-off-by: Alexander Bokovoy - -Autobuild-User(master): Uri Simchoni -Autobuild-Date(master): Mon Jan 25 23:58:42 CET 2016 on sn-devel-144 ---- - source3/param/loadparm.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 94de252..9bd47dc 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -402,8 +402,25 @@ static void free_parameters_by_snum(int snum) - */ - static void free_global_parameters(void) - { -+ uint32_t i; -+ struct parm_struct *parm; -+ - free_param_opts(&Globals.param_opt); - free_parameters_by_snum(GLOBAL_SECTION_SNUM); -+ -+ /* Reset references in the defaults because the context is going to be freed */ -+ for (i=0; parm_table[i].label; i++) { -+ parm = &parm_table[i]; -+ if ((parm->type == P_STRING) || -+ (parm->type == P_USTRING)) { -+ if ((parm->def.svalue != NULL) && -+ (*(parm->def.svalue) != '\0')) { -+ if (talloc_parent(parm->def.svalue) == Globals.ctx) { -+ parm->def.svalue = NULL; -+ } -+ } -+ } -+ } - TALLOC_FREE(Globals.ctx); - } - --- -2.5.5 - diff --git a/SOURCES/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch b/SOURCES/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch deleted file mode 100644 index 3d092ff..0000000 --- a/SOURCES/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 12 Apr 2016 09:36:12 +0300 -Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted - domains DCs - - Allow cm_connect_netlogon() to talk to trusted domains' DCs when - running in a domain member configuration. - -Signed-off-by: Alexander Bokovoy ---- - source3/winbindd/winbindd_cm.c | 15 +++++++++------ - 1 file changed, 9 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 63175e5..1ef3d17 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - anonymous: - - /* Finally fall back to anonymous. */ -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || domain->primary)) { - status = NT_STATUS_DOWNGRADE_DETECTED; -- DEBUG(1, ("Unwilling to make SAMR connection to domain %s" -+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s " - "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", -@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, - - anonymous: - -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || domain->primary)) { - result = NT_STATUS_DOWNGRADE_DETECTED; -- DEBUG(1, ("Unwilling to make LSA connection to domain %s" -+ DEBUG(1, ("Unwilling to make LSA connection to domain %s " - "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", -@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, - - no_schannel: - if 
(!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { -- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { -+ if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) && -+ (IS_DC || domain->primary)) { - result = NT_STATUS_DOWNGRADE_DETECTED; -- DEBUG(1, ("Unwilling to make connection to domain %s" -+ DEBUG(1, ("Unwilling to make connection to domain %s " - "without connection level security, " - "must set 'winbind sealed pipes = false' and " - "'require strong key = false' to proceed: %s\n", --- -2.5.5 - diff --git a/SOURCES/samba-4.2.3-document_netbios_length.patch b/SOURCES/samba-4.2.3-document_netbios_length.patch deleted file mode 100644 index 7b79fe2..0000000 --- a/SOURCES/samba-4.2.3-document_netbios_length.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 86dfab1517d3417e3063812b1fe5ad10760a0bab Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 15 Jul 2015 13:22:40 +0200 -Subject: [PATCH] docs: Documents length limitations for NetBIOS name - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11401 - -Signed-off-by: Andreas Schneider -Reviewed-by: Michael Adam - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Jul 15 19:35:48 CEST 2015 on sn-devel-104 - -(cherry picked from commit e736a169d5dc76d0ef10d20f211ea6e7e6df4f59) ---- - docs-xml/smbdotconf/base/netbiosname.xml | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/docs-xml/smbdotconf/base/netbiosname.xml b/docs-xml/smbdotconf/base/netbiosname.xml -index 60bc082..542d058 100644 ---- a/docs-xml/smbdotconf/base/netbiosname.xml -+++ b/docs-xml/smbdotconf/base/netbiosname.xml -@@ -11,6 +11,8 @@ - the hosts DNS name) will be the name that these services are advertised under. - - -+ Note that the maximum length for a NetBIOS name is 15 charactars. -+ - - There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name - is set to the literal name PIPE. To avoid this problem, do not name your Samba --- -2.4.5 - 
diff --git a/SOURCES/samba-4.2.3-fix_net_ads_keytab_segfault.patch b/SOURCES/samba-4.2.3-fix_net_ads_keytab_segfault.patch
deleted file mode 100644
index 2b83483..0000000
--- a/SOURCES/samba-4.2.3-fix_net_ads_keytab_segfault.patch
+++ /dev/null
@@ -1,165 +0,0 @@ -From af7dfb4e2b288742d0f3a0b7c9f4c280f8c9738d Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 4 Mar 2015 10:09:18 +0100 -Subject: [PATCH 1/4] libads: Fix CID 1273306 Uninitialized scalar variable - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418 - -Signed-off-by: Volker Lendecke -Reviewed-by: David Disseldorp -(cherry picked from commit 4a686c5b0bbcf0bdb089348403a3c35b8aff67e4) ---- - source3/libads/kerberos_keytab.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index ae3d80e39..2d5c7ff 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -508,7 +508,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - krb5_context context = NULL; - krb5_keytab keytab = NULL; - krb5_kt_cursor cursor; -- krb5_keytab_entry kt_entry; -+ krb5_keytab_entry kt_entry = {0}; - krb5_kvno kvno; - size_t found = 0; - char *sam_account_name, *upn; --- -2.4.6 - - -From c2fc9c04e670fa4f2a4ad7bb037e40bed08a554f Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 4 Mar 2015 10:09:51 +0100 -Subject: [PATCH 2/4] libads: Fix CID 1273305 Uninitialized scalar variable - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418 - -Signed-off-by: Volker Lendecke -Reviewed-by: David Disseldorp -(cherry picked from commit 706770d7a8c4625ecb555db40c146126d2c160f0) ---- - source3/libads/kerberos_keytab.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 2d5c7ff..bbd981c 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -507,7 +507,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - krb5_error_code ret = 0; - krb5_context context = NULL; - krb5_keytab keytab = NULL; -- krb5_kt_cursor cursor; -+ krb5_kt_cursor cursor = {0}; - krb5_keytab_entry kt_entry = {0}; - krb5_kvno kvno; - size_t found = 0; --- 
-2.4.6 - - -From dec69489dfb6ed3f60a1ed9360ceb03800fe01d1 Mon Sep 17 00:00:00 2001 -From: Uri Simchoni -Date: Sat, 2 May 2015 13:44:52 +0300 -Subject: [PATCH 3/4] libads: Fix free of uninitialized pointer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418 - -In ads_keytab_creat_default(), if the keytab to be created cannot -be opened, the bail-out code calls smb_krb5_kt_free_entry() on -an uninitialized entry. - -To reproduce: -1. Join a domain -2. KRB5_KTNAME=FILE:/non-existant-path/krb5.keytab net ads keytab create -P - -Signed-off-by: Uri Simchoni -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit df91bc5159b24f6f10fd9742b49192921d51f821) ---- - source3/libads/kerberos_keytab.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index bbd981c..ef6374a 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -520,6 +520,9 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - size_t i; - ADS_STATUS status; - -+ ZERO_STRUCT(kt_entry); -+ ZERO_STRUCT(cursor); -+ - frame = talloc_stackframe(); - if (frame == NULL) { - ret = -1; -@@ -575,8 +578,6 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - #endif - - memset(princ_s, '\0', sizeof(princ_s)); -- ZERO_STRUCT(kt_entry); -- ZERO_STRUCT(cursor); - - initialize_krb5_error_table(); - ret = krb5_init_context(&context); --- -2.4.6 - - -From be29f73d746d2d356856eeeec7e958597e429bc0 Mon Sep 17 00:00:00 2001 -From: Uri Simchoni -Date: Sat, 2 May 2015 13:44:53 +0300 -Subject: [PATCH 4/4] libads: Fix deadlock when re-joining a domain and - updating keytab - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11418 - -When updating the system keytab as a result of joining a domain, -if the keytb had prior entries, ads_keytab_create_default tries to -update those entries. 
However, it starts updating before freeing the -cursor which was used for finding those entries, and hence causes -an an attempt to write-lock the keytab while a read-lock exists. - -To reproduce configure smb.conf for ads domain member and run this twice: -net ads join -U '--option=kerberos method=secrets and keytab' - -Signed-off-by: Uri Simchoni -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Mon May 4 21:01:41 CEST 2015 on sn-devel-104 - -(cherry picked from commit 38beef2ff63664d7d5805f1032bb9f69d0b965d7) ---- - source3/libads/kerberos_keytab.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index ef6374a..309e614 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -731,13 +731,14 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - smb_krb5_kt_free_entry(context, &kt_entry); - ZERO_STRUCT(kt_entry); - } -+ krb5_kt_end_seq_get(context, keytab, &cursor); -+ ZERO_STRUCT(cursor); -+ - ret = 0; - for (i = 0; oldEntries[i]; i++) { - ret |= ads_keytab_add_entry(ads, oldEntries[i]); - TALLOC_FREE(oldEntries[i]); - } -- krb5_kt_end_seq_get(context, keytab, &cursor); -- ZERO_STRUCT(cursor); - - done: - TALLOC_FREE(oldEntries); --- -2.4.6 - diff --git a/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path b/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path deleted file mode 100644 index 2bea56c..0000000 --- a/SOURCES/samba-4.2.99-fix_idmap_hash_with_other_modules.path +++ /dev/null 
@@ -1,1130 +0,0 @@ -From 8672b486a2c847361e0e157be19eb2143ac550ab Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 18 Aug 2015 13:18:33 +0200 -Subject: [PATCH 01/14] loadparm3: Add lp_wi_scan_global_parametrics() - -This routine takes a regex and goes through all parametric parameters -in [global], matching the regex. It can easily be extended to also -look at shares, but right now it will only be used to list all idmap -config domain names. - -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher -Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 -(cherry picked from commit 443dd9bbbc641ede10a2a3708465f61ea3dfbde3) ---- - source3/include/proto.h | 9 ++++++ - source3/param/loadparm.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 82 insertions(+) - -diff --git a/source3/include/proto.h b/source3/include/proto.h -index be90024..df7eecc 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -23,6 +23,9 @@ - #ifndef _PROTO_H_ - #define _PROTO_H_ - -+#include -+#include -+ - /* The following definitions come from lib/access.c */ - - bool client_match(const char *tok, const void *item); -@@ -951,6 +954,12 @@ int lp_smb2_max_credits(void); - int lp_cups_encrypt(void); - bool lp_widelinks(int ); - -+int lp_wi_scan_global_parametrics( -+ const char *regex, size_t max_matches, -+ bool (*cb)(const char *string, regmatch_t matches[], -+ void *private_data), -+ void *private_data); -+ - char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def); - const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def); - struct loadparm_service; -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index e805fa4..9e56aca 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -1074,6 +1074,79 @@ static struct parmlist_entry *get_parametrics(int snum, const char *type, - } - } - -+static void 
discard_whitespace(char *str) -+{ -+ size_t len = strlen(str); -+ size_t i = 0; -+ -+ while (i < len) { -+ if (isspace(str[i])) { -+ memmove(&str[i], &str[i+1], len-i); -+ len -= 1; -+ continue; -+ } -+ i += 1; -+ } -+} -+ -+/** -+ * @brief Go through all global parametric parameters -+ * -+ * @param regex_str A regular expression to scan param for -+ * @param max_matches Max number of submatches the regexp expects -+ * @param cb Function to call on match. Should return true -+ * when it wants wi_scan_global_parametrics to stop -+ * scanning -+ * @param private_data Anonymous pointer passed to cb -+ * -+ * @return 0: success, regcomp/regexec return value on error. -+ * See "man regexec" for possible errors -+ */ -+ -+int lp_wi_scan_global_parametrics( -+ const char *regex_str, size_t max_matches, -+ bool (*cb)(const char *string, regmatch_t matches[], -+ void *private_data), -+ void *private_data) -+{ -+ struct parmlist_entry *data; -+ regex_t regex; -+ int ret; -+ -+ ret = regcomp(®ex, regex_str, REG_ICASE); -+ if (ret != 0) { -+ return ret; -+ } -+ -+ for (data = Globals.param_opt; data != NULL; data = data->next) { -+ size_t keylen = strlen(data->key); -+ char key[keylen+1]; -+ regmatch_t matches[max_matches]; -+ bool stop; -+ -+ memcpy(key, data->key, sizeof(key)); -+ discard_whitespace(key); -+ -+ ret = regexec(®ex, key, max_matches, matches, 0); -+ if (ret == REG_NOMATCH) { -+ continue; -+ } -+ if (ret != 0) { -+ goto fail; -+ } -+ -+ stop = cb(key, matches, private_data); -+ if (stop) { -+ break; -+ } -+ } -+ -+ ret = 0; -+fail: -+ regfree(®ex); -+ return ret; -+} -+ - - #define MISSING_PARAMETER(name) \ - DEBUG(0, ("%s(): value is NULL or empty!\n", #name)) --- -2.9.0 - - -From ef3701654107528530141bb9a66ee1209060f21c Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Thu, 22 Jan 2015 12:08:52 +0000 -Subject: [PATCH 02/14] winbind: Fix idmap initialization - -The fix is in the sscanf line: %u in the sscanf format mandates the use of -a pointer to an 
"unsigned". idmap_domain->[low|high]_id are uint32_t. On -little endian 64-bit this might at least put the correct values into -low_id and high_id, but might overwrite the read_only bit set earlier, -depending on structure alignment and packing. On big endian 64-bit, -this will just fail. - -Automatic conversion to uint32_t will happen only at assignment, not -when you take a pointer of such a thing. - -Signed-off-by: Volker Lendecke -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Thu Jan 22 17:58:16 CET 2015 on sn-devel-104 - -(cherry picked from commit 63552f1c4c05a710143f12c2269754d0e547d945) ---- - source3/winbindd/idmap.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index a8beab7..841f710 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -172,6 +172,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, - NTSTATUS status; - char *config_option = NULL; - const char *range; -+ unsigned low_id, high_id; - - result = talloc_zero(mem_ctx, struct idmap_domain); - if (result == NULL) { -@@ -230,23 +231,24 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, - result->name)); - goto fail; - } -- } else if (sscanf(range, "%u - %u", &result->low_id, -- &result->high_id) != 2) -+ } else if (sscanf(range, "%u - %u", &low_id, &high_id) != 2) - { - DEBUG(1, ("invalid range '%s' specified for domain " - "'%s'\n", range, result->name)); - if (check_range) { - goto fail; - } -- } else if (result->low_id > result->high_id) { -- DEBUG(1, ("Error: invalid idmap range detected: %lu - %lu\n", -- (unsigned long)result->low_id, -- (unsigned long)result->high_id)); -+ } else if (low_id > high_id) { -+ DEBUG(1, ("Error: invalid idmap range detected: %u - %u\n", -+ low_id, high_id)); - if (check_range) { - goto fail; - } - } - -+ result->low_id = low_id; -+ result->high_id = high_id; 
-+ - status = result->methods->init(result); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("idmap initialization returned %s\n", --- -2.9.0 - - -From ad0688f0b2ed0e060fa2c5a612d10bf4daa2e9cf Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 4 Mar 2015 10:22:48 +0100 -Subject: [PATCH 03/14] winbind: Fix CID 1273295 Uninitialized scalar variable - -Signed-off-by: Volker Lendecke -Reviewed-by: David Disseldorp -(cherry picked from commit 25928b1bcc031469c5321ab283a8d0c32dde2f4f) ---- - source3/winbindd/idmap.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 841f710..70f4e02 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -172,7 +172,8 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, - NTSTATUS status; - char *config_option = NULL; - const char *range; -- unsigned low_id, high_id; -+ unsigned low_id = 0; -+ unsigned high_id; - - result = talloc_zero(mem_ctx, struct idmap_domain); - if (result == NULL) { --- -2.9.0 - - -From 940b73398d1e8847504db4d989ee548966f1e9c5 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 4 Mar 2015 10:28:20 +0100 -Subject: [PATCH 04/14] winbind: Fix CID 1273294 Uninitialized scalar variable - -Signed-off-by: Volker Lendecke -Reviewed-by: David Disseldorp -(cherry picked from commit 8e195fb52ecfa3c263f68b74f989fb48a3c9116f) ---- - source3/winbindd/idmap.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 70f4e02..1e2feb9 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -173,7 +173,7 @@ static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, - char *config_option = NULL; - const char *range; - unsigned low_id = 0; -- unsigned high_id; -+ unsigned high_id = 0; - - result = talloc_zero(mem_ctx, struct idmap_domain); - if (result == NULL) { --- -2.9.0 - - -From 
461e69a3cb81247f0d514de865981ad56517d901 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 18 Aug 2015 16:58:02 +0200 -Subject: [PATCH 05/14] idmap: Move idmap_init() under the static vars - -Just moving code, idmap_init will need to reference the variables - -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher -Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 -(cherry picked from commit d36de86639b7782e1e959d61917d8f19fdfc902c) ---- - source3/winbindd/idmap.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 1e2feb9..0ba8fda 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -32,21 +32,6 @@ - - static_decl_idmap; - --static void idmap_init(void) --{ -- static bool initialized; -- -- if (initialized) { -- return; -- } -- -- DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); -- -- static_init_idmap; -- -- initialized = true; --} -- - /** - * Pointer to the backend methods. Modules register themselves here via - * smb_register_idmap. -@@ -79,6 +64,21 @@ static struct idmap_domain *passdb_idmap_domain; - static struct idmap_domain **idmap_domains = NULL; - static int num_domains = 0; - -+static void idmap_init(void) -+{ -+ static bool initialized; -+ -+ if (initialized) { -+ return; -+ } -+ -+ DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); -+ -+ static_init_idmap; -+ -+ initialized = true; -+} -+ - static struct idmap_methods *get_methods(const char *name) - { - struct idmap_backend *b; --- -2.9.0 - - -From 5b3f88a29d5e9d6133f6a1e43e3db69dc6fdd1f2 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 19 Aug 2015 17:00:46 +0200 -Subject: [PATCH 06/14] idmap: Initialize all idmap domains at startup - -So far we have initialized idmap domains on demand indexed by name. -For sid2xid this works okay, because we could do lookupsids before -and thus get the name. 
For xid2sid this is more problematic. We -have to rely on enumtrustdoms to work completely, and we have to -look at the list of winbind domains in the parent to get the domain -name. Relying on domain->have_idmap_config is not particularly nice. - -This patch re-works initialization of idmap domains by scanning all -parametric parameters, scanning for :backend configuration settings. -This way we get a complete list of :range definitions. This means -we can rely on the idmap domain array to be complete. This in turn -means we can live without the domain name to find a domain, we can -do a range search by uid or gid. - -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher -Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 -(cherry picked from commit ef0c91195533d95ba4fb7947ff5f69c20aa677b8) ---- - source3/winbindd/idmap.c | 199 ++++++++++++++++++++++++++--------------------- - 1 file changed, 109 insertions(+), 90 deletions(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 0ba8fda..40d87a7 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -64,12 +64,22 @@ static struct idmap_domain *passdb_idmap_domain; - static struct idmap_domain **idmap_domains = NULL; - static int num_domains = 0; - --static void idmap_init(void) -+static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx, -+ const char *domname); -+static struct idmap_domain *idmap_init_domain(TALLOC_CTX *mem_ctx, -+ const char *domainname, -+ const char *modulename, -+ bool check_range); -+static bool idmap_found_domain_backend( -+ const char *string, regmatch_t matches[], void *private_data); -+ -+static bool idmap_init(void) - { - static bool initialized; -+ int ret; - - if (initialized) { -- return; -+ return true; - } - - DEBUG(10, ("idmap_init(): calling static_init_idmap\n")); -@@ -77,6 +87,80 @@ static void idmap_init(void) - static_init_idmap; - - initialized = true; -+ -+ if (!pdb_is_responsible_for_everything_else()) { 
-+ default_idmap_domain = idmap_init_named_domain(NULL, "*"); -+ if (default_idmap_domain == NULL) { -+ return false; -+ } -+ } -+ -+ passdb_idmap_domain = idmap_init_domain( -+ NULL, get_global_sam_name(), "passdb", false); -+ if (passdb_idmap_domain == NULL) { -+ TALLOC_FREE(default_idmap_domain); -+ return false; -+ } -+ -+ idmap_domains = talloc_array(NULL, struct idmap_domain *, 0); -+ if (idmap_domains == NULL) { -+ TALLOC_FREE(passdb_idmap_domain); -+ TALLOC_FREE(default_idmap_domain); -+ return false; -+ } -+ -+ ret = lp_wi_scan_global_parametrics( -+ "idmapconfig\\(.*\\):backend", 2, -+ idmap_found_domain_backend, NULL); -+ if (ret != 0) { -+ DEBUG(5, ("wi_scan_global_parametrics returned %d\n", ret)); -+ return false; -+ } -+ -+ return true; -+} -+ -+static bool idmap_found_domain_backend( -+ const char *string, regmatch_t matches[], void *private_data) -+{ -+ if (matches[1].rm_so == -1) { -+ DEBUG(5, ("Found match, but no name??\n")); -+ return false; -+ } -+ -+ { -+ struct idmap_domain *dom, **tmp; -+ regoff_t len = matches[1].rm_eo - matches[1].rm_so; -+ char domname[len+1]; -+ -+ memcpy(domname, string + matches[1].rm_so, len); -+ domname[len] = '\0'; -+ -+ DEBUG(7, ("Found idmap domain \"%s\"\n", domname)); -+ -+ if (strcmp(domname, "*") == 0) { -+ return false; -+ } -+ -+ dom = idmap_init_named_domain(idmap_domains, domname); -+ if (dom == NULL) { -+ DEBUG(3, ("Could not init idmap domain %s\n", -+ domname)); -+ } -+ -+ tmp = talloc_realloc(idmap_domains, idmap_domains, -+ struct idmap_domain *, num_domains + 1); -+ if (tmp == NULL) { -+ DEBUG(1, ("talloc_realloc failed\n")); -+ TALLOC_FREE(dom); -+ return false; -+ } -+ idmap_domains = tmp; -+ idmap_domains[num_domains] = dom; -+ num_domains += 1; -+ } -+ -+ return false; - } - - static struct idmap_methods *get_methods(const char *name) -@@ -280,8 +364,12 @@ static struct idmap_domain *idmap_init_named_domain(TALLOC_CTX *mem_ctx, - struct idmap_domain *result = NULL; - char *config_option; - const 
char *backend; -+ bool ok; - -- idmap_init(); -+ ok = idmap_init(); -+ if (!ok) { -+ return NULL; -+ } - - config_option = talloc_asprintf(talloc_tos(), "idmap config %s", - domname); -@@ -312,57 +400,6 @@ fail: - } - - /** -- * Initialize the default domain structure -- * @param[in] mem_ctx memory context for the result -- * @result The default domain structure -- * -- * This routine takes the module name from the "idmap backend" parameter, -- * passing a possible parameter like ldap:ldap://ldap-url/ to the module. -- */ -- --static struct idmap_domain *idmap_init_default_domain(TALLOC_CTX *mem_ctx) --{ -- return idmap_init_named_domain(mem_ctx, "*"); --} -- --/** -- * Initialize the passdb domain structure -- * @param[in] mem_ctx memory context for the result -- * @result The default domain structure -- * -- * No config, passdb has its own configuration. -- */ -- --static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx) --{ -- idmap_init(); -- -- if (!pdb_is_responsible_for_everything_else()) { -- /* -- * Always init the default domain, we can't go without one -- */ -- if (default_idmap_domain == NULL) { -- default_idmap_domain = idmap_init_default_domain(NULL); -- } -- if (default_idmap_domain == NULL) { -- return NULL; -- } -- } -- -- if (passdb_idmap_domain != NULL) { -- return passdb_idmap_domain; -- } -- -- passdb_idmap_domain = idmap_init_domain(mem_ctx, get_global_sam_name(), -- "passdb", false); -- if (passdb_idmap_domain == NULL) { -- DEBUG(1, ("Could not init passdb idmap domain\n")); -- } -- -- return passdb_idmap_domain; --} -- --/** - * Find a domain struct according to a domain name - * @param[in] domname Domain name to get the config for - * @result The default domain structure that fits -@@ -379,21 +416,14 @@ static struct idmap_domain *idmap_passdb_domain(TALLOC_CTX *mem_ctx) - - static struct idmap_domain *idmap_find_domain(const char *domname) - { -- struct idmap_domain *result; -+ bool ok; - int i; - - DEBUG(10, 
("idmap_find_domain called for domain '%s'\n", - domname?domname:"NULL")); - -- idmap_init(); -- -- /* -- * Always init the default domain, we can't go without one -- */ -- if (default_idmap_domain == NULL) { -- default_idmap_domain = idmap_init_default_domain(NULL); -- } -- if (default_idmap_domain == NULL) { -+ ok = idmap_init(); -+ if (!ok) { - return NULL; - } - -@@ -407,38 +437,21 @@ static struct idmap_domain *idmap_find_domain(const char *domname) - } - } - -- if (idmap_domains == NULL) { -- /* -- * talloc context for all idmap domains -- */ -- idmap_domains = talloc_array(NULL, struct idmap_domain *, 1); -- } -- -- if (idmap_domains == NULL) { -- DEBUG(0, ("talloc failed\n")); -- return NULL; -- } -- -- result = idmap_init_named_domain(idmap_domains, domname); -- if (result == NULL) { -- /* -- * Could not init that domain -- try the default one -- */ -- return default_idmap_domain; -- } -- -- ADD_TO_ARRAY(idmap_domains, struct idmap_domain *, result, -- &idmap_domains, &num_domains); -- return result; -+ return default_idmap_domain; - } - - struct idmap_domain *idmap_find_domain_with_sid(const char *domname, - const struct dom_sid *sid) - { -- idmap_init(); -+ bool ok; -+ -+ ok = idmap_init(); -+ if (!ok) { -+ return NULL; -+ } - - if (sid_check_is_for_passdb(sid)) { -- return idmap_passdb_domain(NULL); -+ return passdb_idmap_domain; - } - - return idmap_find_domain(domname); -@@ -493,6 +506,12 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) - { - struct idmap_domain *dom; - struct id_map *maps[2]; -+ bool ok; -+ -+ ok = idmap_init(); -+ if (!ok) { -+ return NT_STATUS_NONE_MAPPED; -+ } - - DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d " - "(type %d)\n", -@@ -505,7 +524,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) - * Always give passdb a chance first - */ - -- dom = idmap_passdb_domain(NULL); -+ dom = passdb_idmap_domain; - if ((dom != NULL) - && 
NT_STATUS_IS_OK(dom->methods->unixids_to_sids(dom, maps)) - && id->status == ID_MAPPED) { --- -2.9.0 - - -From 808cde4e8490af596ec2c6d1df3a24c4e2b719cb Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 18 Aug 2015 17:30:27 +0200 -Subject: [PATCH 07/14] idmap: Use a range search in - idmap_backends_unixid_to_sid - -This obsoletes the domain name in the xid2sid calls - -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher -Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 -(cherry picked from commit ad626b9e6b3c200c70b0d840c956f7b6fff20660) ---- - source3/winbindd/idmap.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 40d87a7..aff5792 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -507,6 +507,7 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) - struct idmap_domain *dom; - struct id_map *maps[2]; - bool ok; -+ int i; - - ok = idmap_init(); - if (!ok) { -@@ -531,7 +532,16 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) - return NT_STATUS_OK; - } - -- dom = idmap_find_domain(domname); -+ dom = default_idmap_domain; -+ -+ for (i=0; ixid.id >= idmap_domains[i]->low_id) && -+ (id->xid.id <= idmap_domains[i]->high_id)) { -+ dom = idmap_domains[i]; -+ break; -+ } -+ } -+ - if (dom == NULL) { - return NT_STATUS_NONE_MAPPED; - } --- -2.9.0 - - -From ebc02665c40d38fca33df001a4f660a18719e33b Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 18 Aug 2015 17:34:29 +0200 -Subject: [PATCH 08/14] idmap: Remove "domname" from - idmap_backends_unixid_to_sid - -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher -Bug: https://bugzilla.samba.org/show_bug.cgi?id=11464 -(cherry picked from commit ac4cc243771fc3273872547087679db21c9bb1cb) ---- - source3/torture/test_idmap_tdb_common.c | 2 +- - source3/winbindd/idmap.c | 8 ++++---- - 
source3/winbindd/idmap_proto.h | 3 +-- - source3/winbindd/idmap_util.c | 4 ++-- - 4 files changed, 8 insertions(+), 9 deletions(-) - -diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c -index f7262a2..dd736ad 100644 ---- a/source3/torture/test_idmap_tdb_common.c -+++ b/source3/torture/test_idmap_tdb_common.c -@@ -62,7 +62,7 @@ bool idmap_is_online(void) - return true; - } - --NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) -+NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id) - { - return NT_STATUS_OK; - } -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index aff5792..56ebf21 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -146,6 +146,7 @@ static bool idmap_found_domain_backend( - if (dom == NULL) { - DEBUG(3, ("Could not init idmap domain %s\n", - domname)); -+ return false; - } - - tmp = talloc_realloc(idmap_domains, idmap_domains, -@@ -502,7 +503,7 @@ NTSTATUS idmap_allocate_gid(struct unixid *id) - return idmap_allocate_unixid(id); - } - --NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) -+NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id) - { - struct idmap_domain *dom; - struct id_map *maps[2]; -@@ -514,9 +515,8 @@ NTSTATUS idmap_backends_unixid_to_sid(const char *domname, struct id_map *id) - return NT_STATUS_NONE_MAPPED; - } - -- DEBUG(10, ("idmap_backend_unixid_to_sid: domain = '%s', xid = %d " -- "(type %d)\n", -- domname?domname:"NULL", id->xid.id, id->xid.type)); -+ DEBUG(10, ("idmap_backend_unixid_to_sid: xid = %d (type %d)\n", -+ id->xid.id, id->xid.type)); - - maps[0] = id; - maps[1] = NULL; -diff --git a/source3/winbindd/idmap_proto.h b/source3/winbindd/idmap_proto.h -index f7af8ed..159aac6 100644 ---- a/source3/winbindd/idmap_proto.h -+++ b/source3/winbindd/idmap_proto.h -@@ -34,8 +34,7 @@ NTSTATUS smb_register_idmap(int version, const char *name, - void idmap_close(void); - NTSTATUS 
idmap_allocate_uid(struct unixid *id); - NTSTATUS idmap_allocate_gid(struct unixid *id); --NTSTATUS idmap_backends_unixid_to_sid(const char *domname, -- struct id_map *id); -+NTSTATUS idmap_backends_unixid_to_sid(struct id_map *id); - - /* The following definitions come from winbindd/idmap_nss.c */ - -diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c -index e671acf..08857ab 100644 ---- a/source3/winbindd/idmap_util.c -+++ b/source3/winbindd/idmap_util.c -@@ -66,7 +66,7 @@ backend: - map.xid.type = ID_TYPE_UID; - map.xid.id = uid; - -- ret = idmap_backends_unixid_to_sid(domname, &map); -+ ret = idmap_backends_unixid_to_sid(&map); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping uid [%lu]: %s\n", (unsigned long)uid, - nt_errstr(ret))); -@@ -130,7 +130,7 @@ backend: - map.xid.type = ID_TYPE_GID; - map.xid.id = gid; - -- ret = idmap_backends_unixid_to_sid(domname, &map); -+ ret = idmap_backends_unixid_to_sid(&map); - if ( ! NT_STATUS_IS_OK(ret)) { - DEBUG(10, ("error mapping gid [%lu]: %s\n", (unsigned long)gid, - nt_errstr(ret))); --- -2.9.0 - - -From e7ca0730e3b3ba4eaa447b1ff487377978c70e64 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Thu, 10 Mar 2016 10:38:29 +0100 -Subject: [PATCH 09/14] s3:winbindd:idmap: add domain_has_idmap_config() helper - function. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 - -Pair-Programmed-With: Guenther Deschner - -Signed-off-by: Michael Adam -Signed-off-by: Guenther Deschner -Reviewed-by: Jeremy Allison -(cherry picked from commit fb80e1158bb1a14f2602e65464909a213296cde1) ---- - source3/winbindd/idmap.c | 15 +++++++++++++++ - source3/winbindd/winbindd_proto.h | 1 + - 2 files changed, 16 insertions(+) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 56ebf21..7a96b92 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -120,6 +120,21 @@ static bool idmap_init(void) - return true; - } - -+bool domain_has_idmap_config(const char *domname) -+{ -+ int i; -+ -+ idmap_init(); -+ -+ for (i=0; iname, domname)) { -+ return true; -+ } -+ } -+ -+ return false; -+} -+ - static bool idmap_found_domain_backend( - const char *string, regmatch_t matches[], void *private_data) - { -diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h -index 42fffc0..85aee5b 100644 ---- a/source3/winbindd/winbindd_proto.h -+++ b/source3/winbindd/winbindd_proto.h -@@ -339,6 +339,7 @@ void init_idmap_child(void); - struct winbindd_child *idmap_child(void); - struct idmap_domain *idmap_find_domain_with_sid(const char *domname, - const struct dom_sid *sid); -+bool domain_has_idmap_config(const char *domname); - - /* The following definitions come from winbindd/winbindd_locator.c */ - --- -2.9.0 - - -From d58905a6113fc0dc1e5cccb91568a550ee953999 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 10 Mar 2016 10:39:15 +0100 -Subject: [PATCH 10/14] s3:winbindd:idmap_hash: skip domains that already have - their own idmap configuration. - -Check if the domain from the list is not already configured to use another idmap -backend. Not checking this makes the idmap_hash module map IDs for *all* domains -implicitly. This is quite dangeorous in multi-idmap-config setups. 
- -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 - -Pair-Programmed-With: Michael Adam - -Signed-off-by: Guenther Deschner -Signed-off-by: Michael Adam -Reviewed-by: Jeremy Allison -(cherry picked from commit 55be1ee69743c94d33f4244ade848517fc98e264) ---- - source3/winbindd/idmap_hash/idmap_hash.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c -index 1dbd300..f77ee3b 100644 ---- a/source3/winbindd/idmap_hash/idmap_hash.c -+++ b/source3/winbindd/idmap_hash/idmap_hash.c -@@ -137,6 +137,19 @@ static NTSTATUS be_init(struct idmap_domain *dom) - - if (is_null_sid(&dom_list[i].sid)) - continue; -+ -+ /* -+ * Check if the domain from the list is not already configured -+ * to use another idmap backend. Not checking this makes the -+ * idmap_hash module map IDs for *all* domains implicitly. This -+ * is quite dangerous in setups that use multiple idmap -+ * configurations. -+ */ -+ -+ if (domain_has_idmap_config(dom_list[i].domain_name)) { -+ continue; -+ } -+ - if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) - continue; - --- -2.9.0 - - -From 87079a86d35e298a7ec8a4476c5ff15c4c12d7ca Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 10 Mar 2016 12:21:52 +0100 -Subject: [PATCH 11/14] s3:winbindd:idmap: check loadparm in - domain_has_idmap_config() helper as well. 
- -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 - -Pair-Programmed-With: Michael Adam - -Signed-off-by: Guenther Deschner -Signed-off-by: Michael Adam -Reviewed-by: Jeremy Allison -(cherry picked from commit 4632ad98c4af5a4e0a2723c0cf716439e376e61f) ---- - source3/winbindd/idmap.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index 7a96b92..f716b6d 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -123,6 +123,9 @@ static bool idmap_init(void) - bool domain_has_idmap_config(const char *domname) - { - int i; -+ char *config_option; -+ const char *range = NULL; -+ const char *backend = NULL; - - idmap_init(); - -@@ -132,6 +135,25 @@ bool domain_has_idmap_config(const char *domname) - } - } - -+ /* fallback: also check loadparm */ -+ -+ config_option = talloc_asprintf(talloc_tos(), "idmap config %s", -+ domname); -+ if (config_option == NULL) { -+ DEBUG(0, ("out of memory\n")); -+ return false; -+ } -+ -+ range = lp_parm_const_string(-1, config_option, "range", NULL); -+ backend = lp_parm_const_string(-1, config_option, "backend", NULL); -+ if (range != NULL && backend != NULL) { -+ DEBUG(5, ("idmap configuration specified for domain '%s'\n", -+ domname)); -+ TALLOC_FREE(config_option); -+ return true; -+ } -+ -+ TALLOC_FREE(config_option); - return false; - } - --- -2.9.0 - - -From d80f66cf98e47a7a8dfc8dd27c8c36529e36d235 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Mon, 14 Mar 2016 17:06:34 +0100 -Subject: [PATCH 12/14] idmap_hash: rename be_init() --> - idmap_hash_initialize() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 - -Pair-Programmed-With: Guenther Deschner - -Signed-off-by: Michael Adam -Signed-off-by: Guenther Deschner -Reviewed-by: Jeremy Allison -(cherry picked from commit 4172491cbe7bb8ad2a7089efe15fbe46fcc123fb) ---- - source3/winbindd/idmap_hash/idmap_hash.c | 16 ++++++++-------- - 1 file changed, 8 
insertions(+), 8 deletions(-) - -diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c -index f77ee3b..773d5a9 100644 ---- a/source3/winbindd/idmap_hash/idmap_hash.c -+++ b/source3/winbindd/idmap_hash/idmap_hash.c -@@ -104,7 +104,7 @@ static void separate_hashes(uint32_t id, - /********************************************************************* - ********************************************************************/ - --static NTSTATUS be_init(struct idmap_domain *dom) -+static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) - { - struct sid_hash_table *hashed_domains; - NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; -@@ -153,10 +153,10 @@ static NTSTATUS be_init(struct idmap_domain *dom) - if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) - continue; - -- DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n", -- dom_list[i].domain_name, -- sid_string_dbg(&dom_list[i].sid), -- hash)); -+ DEBUG(3, ("Adding %s (%s) -> %d\n", -+ dom_list[i].domain_name, -+ sid_string_dbg(&dom_list[i].sid), -+ hash)); - - hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid); - sid_copy(hashed_domains[hash].sid, &dom_list[i].sid); -@@ -189,7 +189,7 @@ static NTSTATUS unixids_to_sids(struct idmap_domain *dom, - ids[i]->status = ID_UNKNOWN; - } - -- nt_status = be_init(dom); -+ nt_status = idmap_hash_initialize(dom); - BAIL_ON_NTSTATUS_ERROR(nt_status); - - for (i=0; ids[i]; i++) { -@@ -239,7 +239,7 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, - ids[i]->status = ID_UNKNOWN; - } - -- nt_status = be_init(dom); -+ nt_status = idmap_hash_initialize(dom); - BAIL_ON_NTSTATUS_ERROR(nt_status); - - for (i=0; ids[i]; i++) { -@@ -360,7 +360,7 @@ static NTSTATUS nss_hash_close(void) - ********************************************************************/ - - static struct idmap_methods hash_idmap_methods = { -- .init = be_init, -+ .init = idmap_hash_initialize, - .unixids_to_sids = unixids_to_sids, - .sids_to_unixids = 
sids_to_unixids, - }; --- -2.9.0 - - -From e4216d31e54d9936b021bf57fbaeddfcd8731995 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Mon, 14 Mar 2016 17:07:34 +0100 -Subject: [PATCH 13/14] idmap_hash: only allow the hash module for default - idmap config. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 - -This module only makes sense as the default idmap config -("idmap config * : backend = hash" ...) - -Pair-Programmed-With: Guenther Deschner - -Signed-off-by: Michael Adam -Signed-off-by: Guenther Deschner -Reviewed-by: Jeremy Allison -(cherry picked from commit a16379c585a6f6e9470a8745b6043be8171eb615) ---- - source3/winbindd/idmap_hash/idmap_hash.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c -index 773d5a9..b3aab86 100644 ---- a/source3/winbindd/idmap_hash/idmap_hash.c -+++ b/source3/winbindd/idmap_hash/idmap_hash.c -@@ -112,6 +112,13 @@ static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) - size_t num_domains = 0; - int i; - -+ if (!strequal(dom->name, "*")) { -+ DEBUG(0, ("Error: idmap_hash configured for domain '%s'. 
" -+ "But the hash module can only be used for the default " -+ "idmap configuration.\n", dom->name)); -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ - /* If the domain SID hash table has been initialized, assume - that we completed this function previously */ - --- -2.9.0 - - -From 11a3354fcd7ff4bf6cd2cdb18e05b12c1ebc6cfd Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Tue, 22 Mar 2016 11:24:23 +0100 -Subject: [PATCH 14/14] winbind: Fix CID 1357100 Unchecked return value -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Signed-off-by: Volker Lendecke -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144 - -(cherry picked from commit 5291462bd8a683b2d21b5f21ad73f84939aa2d67) ---- - source3/winbindd/idmap.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c -index f716b6d..158fa81 100644 ---- a/source3/winbindd/idmap.c -+++ b/source3/winbindd/idmap.c -@@ -126,8 +126,12 @@ bool domain_has_idmap_config(const char *domname) - char *config_option; - const char *range = NULL; - const char *backend = NULL; -+ bool ok; - -- idmap_init(); -+ ok = idmap_init(); -+ if (!ok) { -+ return false; -+ } - - for (i=0; iname, domname)) { --- -2.9.0 - diff --git a/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch b/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch deleted file mode 100644 index 1115cee..0000000 --- a/SOURCES/samba-4.2.99-net_ads_join_fix_keytab_generation.patch +++ /dev/null 
@@ -1,1009 +0,0 @@ -From 203193d5b167b5d24911d0438eda65f05eec2b31 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 22 Jan 2016 09:57:04 +0100 -Subject: [PATCH 01/11] s3:libads: setup the msDS-SupportedEncryptionTypes - attribute on ldap_add -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We may not have the permission to modify the object after creation. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Björn Jacke -Reviewed-by: Günther Deschner - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Fri Feb 26 11:30:03 CET 2016 on sn-devel-144 ---- - source3/libads/ldap.c | 26 ++++++++++++++++++ - source3/libnet/libnet_join.c | 65 -------------------------------------------- - 2 files changed, 26 insertions(+), 65 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 121ba08..125c9d7 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -29,6 +29,7 @@ - #include "../libds/common/flags.h" - #include "smbldap.h" - #include "../libcli/security/security.h" -+#include "../librpc/gen_ndr/netlogon.h" - #include "lib/param/loadparm.h" - - #ifdef HAVE_LDAP -@@ -2006,6 +2007,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, - uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ - UF_DONT_EXPIRE_PASSWD |\ - UF_ACCOUNTDISABLE ); -+ uint32_t func_level = 0; -+ -+ ret = ads_domain_func_level(ads, &func_level); -+ if (!ADS_ERR_OK(ret)) { -+ return ret; -+ } - - if (!(ctx = talloc_init("ads_add_machine_acct"))) - return ADS_ERROR(LDAP_NO_MEMORY); -@@ -2041,6 +2048,25 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, - ads_mod_strlist(ctx, &mods, "objectClass", objectClass); - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - -+ if (func_level >= DS_DOMAIN_FUNCTION_2008) { -+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | 
ENC_RC4_HMAC_MD5; -+ const char *etype_list_str; -+ -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ etype_list |= ENC_HMAC_SHA1_96_AES128; -+#endif -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ etype_list |= ENC_HMAC_SHA1_96_AES256; -+#endif -+ -+ etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); -+ if (etype_list_str == NULL) { -+ goto done; -+ } -+ ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", -+ etype_list_str); -+ } -+ - ret = ads_gen_add(ads, new_dn, mods); - - done: -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index d7c7679..5564bd2 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -605,52 +605,6 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, - /**************************************************************** - ****************************************************************/ - --static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, -- struct libnet_JoinCtx *r) --{ -- ADS_STATUS status; -- ADS_MODLIST mods; -- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; -- const char *etype_list_str; -- --#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES128; --#endif --#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES256; --#endif -- -- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); -- if (!etype_list_str) { -- return ADS_ERROR(LDAP_NO_MEMORY); -- } -- -- /* Find our DN */ -- -- status = libnet_join_find_machine_acct(mem_ctx, r); -- if (!ADS_ERR_OK(status)) { -- return status; -- } -- -- /* now do the mods */ -- -- mods = ads_init_mods(mem_ctx); -- if (!mods) { -- return ADS_ERROR(LDAP_NO_MEMORY); -- } -- -- status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", -- etype_list_str); -- if (!ADS_ERR_OK(status)) { -- return status; -- } -- -- return ads_gen_mod(r->in.ads, r->out.dn, mods); --} -- 
--/**************************************************************** --****************************************************************/ -- - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -@@ -725,7 +679,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { - ADS_STATUS status; -- uint32_t func_level = 0; - - if (!r->in.ads) { - status = libnet_join_connect_ads(mem_ctx, r); -@@ -760,24 +713,6 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, - return status; - } - -- status = ads_domain_func_level(r->in.ads, &func_level); -- if (!ADS_ERR_OK(status)) { -- libnet_join_set_error_string(mem_ctx, r, -- "failed to query domain controller functional level: %s", -- ads_errstr(status)); -- return status; -- } -- -- if (func_level >= DS_DOMAIN_FUNCTION_2008) { -- status = libnet_join_set_etypes(mem_ctx, r); -- if (!ADS_ERR_OK(status)) { -- libnet_join_set_error_string(mem_ctx, r, -- "failed to set machine kerberos encryption types: %s", -- ads_errstr(status)); -- return status; -- } -- } -- - if (!libnet_join_derive_salting_principal(mem_ctx, r)) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - } --- -2.9.0 - - -From 3b269e29a5b91723749d16685782c5c590fda424 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 23:14:13 +0100 -Subject: [PATCH 02/11] Partly revert "s3:libads: setup the - msDS-SupportedEncryptionTypes attribute on ldap_add" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This partly reverts commit 0c74d62524db376b6a3fac00c688be0cdffcaa80. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Günther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 6686f67d2a91146c8bb2fb2a8104fcaa5710b855) ---- - source3/libnet/libnet_join.c | 46 ++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 46 insertions(+) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 5564bd2..343e5f1 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -604,6 +604,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, - - /**************************************************************** - ****************************************************************/ -+#if 0 -+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, -+ struct libnet_JoinCtx *r) -+{ -+ ADS_STATUS status; -+ ADS_MODLIST mods; -+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; -+ const char *etype_list_str; -+ -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ etype_list |= ENC_HMAC_SHA1_96_AES128; -+#endif -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ etype_list |= ENC_HMAC_SHA1_96_AES256; -+#endif -+ -+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); -+ if (!etype_list_str) { -+ return ADS_ERROR(LDAP_NO_MEMORY); -+ } -+ -+ /* Find our DN */ -+ -+ status = libnet_join_find_machine_acct(mem_ctx, r); -+ if (!ADS_ERR_OK(status)) { -+ return status; -+ } -+ -+ /* now do the mods */ -+ -+ mods = ads_init_mods(mem_ctx); -+ if (!mods) { -+ return ADS_ERROR(LDAP_NO_MEMORY); -+ } -+ -+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", -+ etype_list_str); -+ if (!ADS_ERR_OK(status)) { -+ return status; -+ } -+ -+ return ads_gen_mod(r->in.ads, r->out.dn, mods); -+} -+#endif -+/**************************************************************** -+****************************************************************/ - - static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx 
*r) --- -2.9.0 - - -From 452f99fdd08f9c5e5dcc660dc8900115f0abb093 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 2 Mar 2016 18:07:53 +0100 -Subject: [PATCH 03/11] s3:libnet:libnet_join: prepare to allow connecting with - machine creds. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 71d5634ab58f0ca21db633990231bd01a22c956c) ---- - source3/libnet/libnet_join.c | 73 +++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 68 insertions(+), 5 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 343e5f1..cc93a85 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -42,6 +42,7 @@ - #include "lib/param/loadparm.h" - #include "libcli/auth/netlogon_creds_cli.h" - #include "auth/credentials/credentials.h" -+#include "krb5_env.h" - - /**************************************************************** - ****************************************************************/ -@@ -118,6 +119,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - const char *dc_name, - const char *user_name, - const char *password, -+ const char *ccname, - ADS_STRUCT **ads) - { - ADS_STATUS status; -@@ -150,6 +152,12 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - my_ads->auth.password = SMB_STRDUP(password); - } - -+ if (ccname != NULL) { -+ SAFE_FREE(my_ads->auth.ccache_name); -+ my_ads->auth.ccache_name = SMB_STRDUP(ccname); -+ setenv(KRB5_ENV_CCNAME, my_ads->auth.ccache_name, 1); -+ } -+ - status = ads_connect_user_creds(my_ads); - if (!ADS_ERR_OK(status)) { - ads_destroy(&my_ads); -@@ -164,15 +172,51 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - ****************************************************************/ - - static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, -- struct libnet_JoinCtx *r) -+ 
struct libnet_JoinCtx *r, -+ bool use_machine_creds) - { - ADS_STATUS status; -+ const char *username; -+ const char *password; -+ const char *ccname = NULL; -+ -+ if (use_machine_creds) { -+ if (r->in.machine_name == NULL || -+ r->in.machine_password == NULL) { -+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); -+ } -+ username = talloc_strdup(mem_ctx, r->in.machine_name); -+ if (username == NULL) { -+ return ADS_ERROR(LDAP_NO_MEMORY); -+ } -+ if (username[strlen(username)] != '$') { -+ username = talloc_asprintf(username, "%s$", username); -+ if (username == NULL) { -+ return ADS_ERROR(LDAP_NO_MEMORY); -+ } -+ } -+ password = r->in.machine_password; -+ ccname = "MEMORY:libnet_join_machine_creds"; -+ } else { -+ username = r->in.admin_account; -+ password = r->in.admin_password; -+ -+ /* -+ * when r->in.use_kerberos is set to allow "net ads join -k" we -+ * may not override the provided credential cache - gd -+ */ -+ -+ if (!r->in.use_kerberos) { -+ ccname = "MEMORY:libnet_join_user_creds"; -+ } -+ } - - status = libnet_connect_ads(r->out.dns_domain_name, - r->out.netbios_domain_name, - r->in.dc_name, -- r->in.admin_account, -- r->in.admin_password, -+ username, -+ password, -+ ccname, - &r->in.ads); - if (!ADS_ERR_OK(status)) { - libnet_join_set_error_string(mem_ctx, r, -@@ -201,6 +245,24 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, - /**************************************************************** - ****************************************************************/ - -+static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, -+ struct libnet_JoinCtx *r) -+{ -+ return libnet_join_connect_ads(mem_ctx, r, false); -+} -+ -+/**************************************************************** -+****************************************************************/ -+#if 0 -+static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, -+ struct libnet_JoinCtx *r) -+{ -+ return libnet_join_connect_ads(mem_ctx, r, true); -+} -+#endif 
-+/**************************************************************** -+****************************************************************/ -+ - static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, - struct libnet_UnjoinCtx *r) - { -@@ -211,6 +273,7 @@ static ADS_STATUS libnet_unjoin_connect_ads(TALLOC_CTX *mem_ctx, - r->in.dc_name, - r->in.admin_account, - r->in.admin_password, -+ NULL, - &r->in.ads); - if (!ADS_ERR_OK(status)) { - libnet_unjoin_set_error_string(mem_ctx, r, -@@ -727,7 +790,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, - ADS_STATUS status; - - if (!r->in.ads) { -- status = libnet_join_connect_ads(mem_ctx, r); -+ status = libnet_join_connect_ads_user(mem_ctx, r); - if (!ADS_ERR_OK(status)) { - return status; - } -@@ -2258,7 +2321,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - if (r->out.domain_is_ad && r->in.account_ou && - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { - -- ads_status = libnet_join_connect_ads(mem_ctx, r); -+ ads_status = libnet_join_connect_ads_user(mem_ctx, r); - if (!ADS_ERR_OK(ads_status)) { - return WERR_DEFAULT_JOIN_REQUIRED; - } --- -2.9.0 - - -From 3f6d9131abd68620bb35ef3bafbde586a1b751c2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 4 Mar 2016 17:42:05 +0100 -Subject: [PATCH 04/11] s3:libads:ldap: print LDAP error message with log level - 10. 
- -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 34030b025b9e4cd5e7321d6e242f6c03da2a60c0) ---- - source3/libads/ldap.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 125c9d7..91753d2 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1416,6 +1416,17 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, - } - #endif - -+static void ads_print_error(int ret, LDAP *ld) -+{ -+ if (ret != 0) { -+ char *ld_error = NULL; -+ ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); -+ DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, -+ ldap_err2string(ret), ld_error)); -+ SAFE_FREE(ld_error); -+ } -+} -+ - /** - * Perform an ldap modify - * @param ads connection to ads server -@@ -1451,6 +1462,7 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) - mods[i] = NULL; - ret = ldap_modify_ext_s(ads->ldap.ld, utf8_dn, - (LDAPMod **) mods, controls, NULL); -+ ads_print_error(ret, ads->ldap.ld); - TALLOC_FREE(utf8_dn); - return ADS_ERROR(ret); - } -@@ -1479,6 +1491,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) - mods[i] = NULL; - - ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); -+ ads_print_error(ret, ads->ldap.ld); - TALLOC_FREE(utf8_dn); - return ADS_ERROR(ret); - } -@@ -1500,6 +1513,7 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) - } - - ret = ldap_delete_s(ads->ldap.ld, utf8_dn); -+ ads_print_error(ret, ads->ldap.ld); - TALLOC_FREE(utf8_dn); - return ADS_ERROR(ret); - } --- -2.9.0 - - -From 6a2647247ab0abddc38c2abade36116e3a2e5788 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 12:13:24 +0100 -Subject: [PATCH 05/11] s3:libads:ndr: add ADS_AUTH_USER_CREDS to - ndr_print_ads_auth_flags() - -Guenther - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit e8f6acdeece990dc8953d494113dee856d80da45) ---- - source3/libads/ndr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/libads/ndr.c b/source3/libads/ndr.c -index fd0b63e..ac0b9e6 100644 ---- a/source3/libads/ndr.c -+++ b/source3/libads/ndr.c -@@ -37,6 +37,7 @@ static void ndr_print_ads_auth_flags(struct ndr_print *ndr, const char *name, ui - ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SIGN", ADS_AUTH_SASL_SIGN, r); - ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_SEAL", ADS_AUTH_SASL_SEAL, r); - ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_SASL_FORCE", ADS_AUTH_SASL_FORCE, r); -+ ndr_print_bitmap_flag(ndr, sizeof(uint32_t), "ADS_AUTH_USER_CREDS", ADS_AUTH_USER_CREDS, r); - ndr->depth--; - } - --- -2.9.0 - - -From 51657c35d3455226f697bef24a7d967944a2c67d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 12:15:14 +0100 -Subject: [PATCH 06/11] s3:libads:ldap: fix ads_check_ou_dn to deal with - account_ou not being initialized - -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit c61b111e6fa3e138d4d9cf5038b69644248e834a) ---- - source3/libads/ldap.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 91753d2..8eac5c8 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -3870,10 +3870,16 @@ ADS_STATUS ads_check_ou_dn(TALLOC_CTX *mem_ctx, - const char *name; - char *ou_string; - -- exploded_dn = ldap_explode_dn(*account_ou, 0); -- if (exploded_dn) { -- ldap_value_free(exploded_dn); -- return ADS_SUCCESS; -+ if (account_ou == NULL) { -+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); -+ } -+ -+ if (*account_ou != NULL) { -+ 
exploded_dn = ldap_explode_dn(*account_ou, 0); -+ if (exploded_dn) { -+ ldap_value_free(exploded_dn); -+ return ADS_SUCCESS; -+ } - } - - ou_string = ads_ou_string(ads, *account_ou); --- -2.9.0 - - -From 7a1303f27904fafb8245b9ad9a26e7f846d9968d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 10 Mar 2016 18:03:47 +0100 -Subject: [PATCH 07/11] s3:libnet:libnet_join: always try to create - machineaccount via LDAP first. - -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit df8f79cc9d44ad7b2caa6b86b7ebde7bb1fd4c8c) ---- - source3/libnet/libnet_join.c | 28 +++++++++++++++++++++++++--- - 1 file changed, 25 insertions(+), 3 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index cc93a85..b10080d 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2318,16 +2318,36 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - r->out.dns_domain_name, r->out.netbios_domain_name, - NULL, smbXcli_conn_remote_sockaddr(cli->conn)); - -- if (r->out.domain_is_ad && r->in.account_ou && -+ if (r->out.domain_is_ad && - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { - -+ const char *initial_account_ou = r->in.account_ou; -+ -+ /* -+ * we want to create the msDS-SupportedEncryptionTypes attribute -+ * as early as possible so always try an LDAP create as the user -+ * first. We copy r->in.account_ou because it may be changed -+ * during the machine pre-creation. 
-+ */ -+ - ads_status = libnet_join_connect_ads_user(mem_ctx, r); - if (!ADS_ERR_OK(ads_status)) { - return WERR_DEFAULT_JOIN_REQUIRED; - } - - ads_status = libnet_join_precreate_machine_acct(mem_ctx, r); -- if (!ADS_ERR_OK(ads_status)) { -+ if (ADS_ERR_OK(ads_status)) { -+ -+ /* -+ * LDAP object create succeeded, now go to the rpc -+ * password set routines -+ */ -+ -+ r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; -+ goto rpc_join; -+ } -+ -+ if (initial_account_ou != NULL) { - libnet_join_set_error_string(mem_ctx, r, - "failed to precreate account in ou %s: %s", - r->in.account_ou, -@@ -2335,10 +2355,12 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - return WERR_DEFAULT_JOIN_REQUIRED; - } - -- r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; -+ DEBUG(5, ("failed to precreate account in ou %s: %s", -+ r->in.account_ou, ads_errstr(ads_status))); - } - #endif /* HAVE_ADS */ - -+ rpc_join: - if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && - (r->in.join_flags & WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED)) { - status = libnet_join_joindomain_rpc_unsecure(mem_ctx, r, cli); --- -2.9.0 - - -From d4cf8358ce96964443cae441f0808d744a1fd95d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 16:02:27 +0100 -Subject: [PATCH 08/11] s3:librpc:idl:libnet_join: add encryption types to - libnet_JoinCtx. 
- -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 4a49f6fac9d6c77d1eedf914308e67eb6e2baa8d) ---- - source3/librpc/idl/libnet_join.idl | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl -index ac0a350..0718739 100644 ---- a/source3/librpc/idl/libnet_join.idl -+++ b/source3/librpc/idl/libnet_join.idl -@@ -35,6 +35,7 @@ interface libnetjoin - [in] boolean8 use_kerberos, - [in] netr_SchannelType secure_channel_type, - [in,noprint] messaging_context *msg_ctx, -+ [in] uint32 desired_encryption_types, - [out] string account_name, - [out] string netbios_domain_name, - [out] string dns_domain_name, -@@ -43,7 +44,8 @@ interface libnetjoin - [out] dom_sid *domain_sid, - [out] boolean8 modified_config, - [out] string error_string, -- [out] boolean8 domain_is_ad -+ [out] boolean8 domain_is_ad, -+ [out] uint32 set_encryption_types - ); - - [nopush,nopull,noopnum] WERROR libnet_UnjoinCtx( --- -2.9.0 - - -From b6dae5b223f379dbdbd3b4ccca9492753f7f5286 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 16:04:52 +0100 -Subject: [PATCH 09/11] s3:libnet:libnet_join: define list of desired - encryption types only once. 
- -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit e0da059b39f9dd5ccb74f32f965e1ced384c77eb) ---- - source3/libads/ads_proto.h | 6 ++++-- - source3/libads/ldap.c | 14 ++++---------- - source3/libnet/libnet_join.c | 24 ++++++++++++++---------- - 3 files changed, 22 insertions(+), 22 deletions(-) - -diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h -index 1399f41..425c352 100644 ---- a/source3/libads/ads_proto.h -+++ b/source3/libads/ads_proto.h -@@ -97,8 +97,10 @@ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx, - ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name); - ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name, - const char *my_fqdn, const char *spn); --ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, -- const char *org_unit); -+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, -+ const char *machine_name, -+ const char *org_unit, -+ uint32_t etype_list); - ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, - const char *org_unit, bool *moved); - int ads_count_replies(ADS_STRUCT *ads, void *res); -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 8eac5c8..72bf4d9 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2006,8 +2006,10 @@ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_n - * @return 0 upon success, or non-zero otherwise - **/ - --ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char *machine_name, -- const char *org_unit) -+ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, -+ const char *machine_name, -+ const char *org_unit, -+ uint32_t etype_list) - { - ADS_STATUS ret; - char *samAccountName, *controlstr; -@@ -2063,16 +2065,8 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, const char 
*machine_name, - ads_mod_str(ctx, &mods, "userAccountControl", controlstr); - - if (func_level >= DS_DOMAIN_FUNCTION_2008) { -- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; - const char *etype_list_str; - --#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES128; --#endif --#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES256; --#endif -- - etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); - if (etype_list_str == NULL) { - goto done; -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index b10080d..876a453 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -318,7 +318,8 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, - - status = ads_create_machine_acct(r->in.ads, - r->in.machine_name, -- r->in.account_ou); -+ r->in.account_ou, -+ r->in.desired_encryption_types); - - if (ADS_ERR_OK(status)) { - DEBUG(1,("machine account creation created\n")); -@@ -673,17 +674,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - { - ADS_STATUS status; - ADS_MODLIST mods; -- uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; - const char *etype_list_str; - --#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES128; --#endif --#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -- etype_list |= ENC_HMAC_SHA1_96_AES256; --#endif -- -- etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); -+ etype_list_str = talloc_asprintf(mem_ctx, "%d", -+ r->in.desired_encryption_types); - if (!etype_list_str) { - return ADS_ERROR(LDAP_NO_MEMORY); - } -@@ -2143,6 +2137,16 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx, - - ctx->in.secure_channel_type = SEC_CHAN_WKSTA; - -+ ctx->in.desired_encryption_types = ENC_CRC32 | -+ ENC_RSA_MD5 | -+ ENC_RC4_HMAC_MD5; -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128; 
-+#endif -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256; -+#endif -+ - *r = ctx; - - return WERR_OK; --- -2.9.0 - - -From 51a68159e119149b9527cac8a8a119f34bb6879a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 16:05:53 +0100 -Subject: [PATCH 10/11] s3:libnet:libnet_join: fill in output enctypes and only - modify when necessary. - -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 5d498d1b4d9b83f179fb7b2841a19ad984eec5f8) ---- - source3/libads/ldap.c | 2 +- - source3/libnet/libnet_join.c | 18 +++++++++++++++++- - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 72bf4d9..f611da2 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1268,7 +1268,7 @@ char *ads_parent_dn(const char *dn) - { - ADS_STATUS status; - char *expr; -- const char *attrs[] = {"*", "nTSecurityDescriptor", NULL}; -+ const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; - - *res = NULL; - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 876a453..9f3d830 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -417,6 +417,11 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx, - goto done; - } - -+ if (!ads_pull_uint32(r->in.ads, res, "msDS-SupportedEncryptionTypes", -+ &r->out.set_encryption_types)) { -+ r->out.set_encryption_types = 0; -+ } -+ - done: - ads_msgfree(r->in.ads, res); - TALLOC_FREE(dn); -@@ -689,6 +694,10 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - return status; - } - -+ if (r->in.desired_encryption_types == r->out.set_encryption_types) { -+ return ADS_SUCCESS; -+ } -+ - /* now do the mods */ - - mods = ads_init_mods(mem_ctx); -@@ -702,7 +711,14 
@@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - return status; - } - -- return ads_gen_mod(r->in.ads, r->out.dn, mods); -+ status = ads_gen_mod(r->in.ads, r->out.dn, mods); -+ if (!ADS_ERR_OK(status)) { -+ return status; -+ } -+ -+ r->out.set_encryption_types = r->in.desired_encryption_types; -+ -+ return ADS_SUCCESS; - } - #endif - /**************************************************************** --- -2.9.0 - - -From a489ac90045212decebbadf46a51fff42c224d3c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 11 Mar 2016 23:15:06 +0100 -Subject: [PATCH 11/11] s3:libnet:libnet_join: update - msDS-SupportedEncryptionTypes (if required) with machine creds. - -Guenther - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11755 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Guenther Deschner -Signed-off-by: Stefan Metzmacher - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Mon Mar 14 19:38:48 CET 2016 on sn-devel-144 - -(cherry picked from commit 06aefe4b956ae8748e20ae4c730aa344e81808b6) ---- - source3/libnet/libnet_join.c | 59 +++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 55 insertions(+), 4 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 9f3d830..84f0e40 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -253,13 +253,13 @@ static ADS_STATUS libnet_join_connect_ads_user(TALLOC_CTX *mem_ctx, - - /**************************************************************** - ****************************************************************/ --#if 0 -+ - static ADS_STATUS libnet_join_connect_ads_machine(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { - return libnet_join_connect_ads(mem_ctx, r, true); - } --#endif -+ - /**************************************************************** - ****************************************************************/ - -@@ -673,7 +673,7 @@ static ADS_STATUS 
libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, - - /**************************************************************** - ****************************************************************/ --#if 0 -+ - static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { -@@ -720,7 +720,7 @@ static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, - - return ADS_SUCCESS; - } --#endif -+ - /**************************************************************** - ****************************************************************/ - -@@ -798,6 +798,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, - struct libnet_JoinCtx *r) - { - ADS_STATUS status; -+ bool need_etype_update = false; - - if (!r->in.ads) { - status = libnet_join_connect_ads_user(mem_ctx, r); -@@ -832,6 +833,56 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, - return status; - } - -+ status = libnet_join_find_machine_acct(mem_ctx, r); -+ if (!ADS_ERR_OK(status)) { -+ return status; -+ } -+ -+ if (r->in.desired_encryption_types != r->out.set_encryption_types) { -+ uint32_t func_level = 0; -+ -+ status = ads_domain_func_level(r->in.ads, &func_level); -+ if (!ADS_ERR_OK(status)) { -+ libnet_join_set_error_string(mem_ctx, r, -+ "failed to query domain controller functional level: %s", -+ ads_errstr(status)); -+ return status; -+ } -+ -+ if (func_level >= DS_DOMAIN_FUNCTION_2008) { -+ need_etype_update = true; -+ } -+ } -+ -+ if (need_etype_update) { -+ /* -+ * We need to reconnect as machine account in order -+ * to update msDS-SupportedEncryptionTypes reliable -+ */ -+ -+ if (r->in.ads->auth.ccache_name != NULL) { -+ ads_kdestroy(r->in.ads->auth.ccache_name); -+ } -+ -+ ads_destroy(&r->in.ads); -+ -+ status = libnet_join_connect_ads_machine(mem_ctx, r); -+ if (!ADS_ERR_OK(status)) { -+ libnet_join_set_error_string(mem_ctx, r, -+ "Failed to connect as machine account: %s", -+ ads_errstr(status)); -+ return status; -+ } -+ -+ status = 
libnet_join_set_etypes(mem_ctx, r); -+ if (!ADS_ERR_OK(status)) { -+ libnet_join_set_error_string(mem_ctx, r, -+ "failed to set machine kerberos encryption types: %s", -+ ads_errstr(status)); -+ return status; -+ } -+ } -+ - if (!libnet_join_derive_salting_principal(mem_ctx, r)) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - } --- -2.9.0 - diff --git a/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch b/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch new file mode 100644 index 0000000..ebd1cdf --- /dev/null +++ b/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch 
@@ -0,0 +1,191 @@ +From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 31 May 2016 18:47:34 +0200 +Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only + security=domain is set. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Initial patch from Matt Rogers @ RedHat. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 + +Guenther + +Pair-Programmed-With: Andreas Schneider +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144 + +(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18) +--- + source3/libnet/libnet_join.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a28864d..b5a5ae2 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, + W_ERROR_HAVE_NO_MEMORY(wrong_conf); + } + ++ /* ++ * We should generate the warning for the special case when ++ * domain is AD, "security = domain" and the realm parameter is ++ * not set. 
++ */ ++ if (lp_security() == SEC_DOMAIN && ++ r->out.domain_is_ad && ++ !valid_realm) { ++ libnet_join_set_error_string(mem_ctx, r, ++ "Warning: when joining AD domains with security=domain, " ++ "\"realm\" should be defined in the configuration (%s) " ++ "and configuration modification was not requested", ++ wrong_conf); ++ return WERR_OK; ++ } ++ + libnet_join_set_error_string(mem_ctx, r, + "Invalid configuration (%s) and configuration modification " + "was not requested", wrong_conf); ++ + return WERR_CAN_NOT_COMPLETE; + } + +-- +2.9.0 + +From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 15 Jun 2016 16:04:29 +0200 +Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly + completion of libnetjoin. + +Sometimes useful information should be printed to the users. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 + +Guenther + +Signed-off-by: Guenther Deschner +(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a) +--- + source3/utils/net_ads.c | 5 +++++ + source3/utils/net_rpc.c | 10 ++++++++++ + 2 files changed, 15 insertions(+) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 90af09e..c61aa0d 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + r->out.netbios_domain_name); + } + ++ /* print out informative error string in case there is one */ ++ if (r->out.error_string != NULL) { ++ d_printf("%s\n", r->out.error_string); ++ } ++ + /* + * We try doing the dns update (if it was compiled in + * and if it was not disabled on the command line). 
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index 93caf04..1e3e286 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) + r->out.netbios_domain_name); + } + ++ /* print out informative error string in case there is one */ ++ if (r->out.error_string != NULL) { ++ d_printf("%s\n", r->out.error_string); ++ } ++ + TALLOC_FREE(mem_ctx); + + return 0; +@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a + r->out.netbios_domain_name); + } + ++ /* print out informative error string in case there is one */ ++ if (r->out.error_string != NULL) { ++ d_printf("%s\n", r->out.error_string); ++ } ++ + TALLOC_FREE(mem_ctx); + + return 0; +-- +2.5.5 + + +From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Wed, 15 Jun 2016 23:03:32 +0200 +Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to + AD domains if 'winbind rpc only = true' + +Inspired by initial patch from Matt Rogers @ RedHat. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 + +Signed-off-by: Michael Adam +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Michael Adam +Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144 + +(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899) +--- + source3/libnet/libnet_join.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index c007183..bab58f3 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, + bool valid_security = false; + bool valid_workgroup = false; + bool valid_realm = false; ++ bool ignored_realm = false; + + /* check if configuration is already set correctly */ + +@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, + valid_realm = strequal(lp_realm(), r->out.dns_domain_name); + switch (lp_security()) { + case SEC_DOMAIN: ++ if (!valid_realm && lp_winbind_rpc_only()) { ++ valid_realm = true; ++ ignored_realm = true; ++ } + case SEC_ADS: + valid_security = true; + } + + if (valid_workgroup && valid_realm && valid_security) { ++ if (ignored_realm && !r->in.modify_config) ++ { ++ libnet_join_set_error_string(mem_ctx, r, ++ "Warning: ignoring realm when " ++ "joining AD domain with " ++ "'security=domain' and " ++ "'winbind rpc only = yes'. " ++ "(realm set to '%s', " ++ "should be '%s').", lp_realm(), ++ r->out.dns_domain_name); ++ } + /* nothing to be done */ + return WERR_OK; + } +-- +2.5.5 + diff --git a/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch new file mode 100644 index 0000000..68d48a1 --- /dev/null +++ b/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch 
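Review bot: `case SEC_DOMAIN:` now carries a body (the `winbind rpc only` realm override) and still falls through into `case SEC_ADS:` with no marker, so neither readers nor `-Wimplicit-fallthrough` can tell the fall-through is intended; add `/* fall through */` after the new `if` block. The override also sets `valid_realm = true` before the `valid_workgroup && valid_realm && valid_security` check, so when `modify_config` is requested the mismatched realm appears to be left unchanged and unreported (the `ignored_realm` warning is only produced for `!r->in.modify_config`); if that is deliberate, a comment on the "nothing to be done" branch should say so. In the first patch the "Warning:" text travels through `libnet_join_set_error_string` together with `WERR_OK`, so callers can only tell a warning from an error by the return code — worth stating in the comment above it. The switch and the rest of libnet_join_check_config continue outside the hunk.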
@@ -0,0 +1,68 @@ +From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 10 Jun 2016 16:51:18 +0200 +Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain + DCs + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 + +Pair-Programmed-With: Andreas Schneider +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee) +--- + source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 45e3fad..f1f98db 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, + struct cli_credentials *creds; + NTSTATUS status; + bool force_machine_account = false; ++ bool ok; + + /* If we are a DC and this is not our own domain */ + +@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, + CRED_DONT_USE_KERBEROS); + } + +- if (creds_domain != domain) { ++ /* ++ * When we contact our own domain and get a list of the trusted domain ++ * we have the information if we are able to contact the DC with ++ * with our machine account password. 
++ */ ++ ok = winbindd_can_contact_domain(domain); ++ if (!ok) { + /* + * We can only use schannel against a direct trust + */ +@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, + + sec_chan_type = cli_credentials_get_secure_channel_type(creds); + if (sec_chan_type == SEC_CHAN_NULL) { ++ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", ++ domain->name); + return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; + } + +@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, + conn->netlogon_flags = netlogon_creds->negotiate_flags; + TALLOC_FREE(netlogon_creds); + ++ /* ++ * FIXME: Document in which case we are not able to contact ++ * a DC without schannel. Which information do we try to get ++ * from this DC? ++ */ + if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { + if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { + result = NT_STATUS_DOWNGRADE_DETECTED; +-- +2.8.4 + diff --git a/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch b/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch new file mode 100644 index 0000000..6c50408 --- /dev/null +++ b/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch 
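Review bot: The FIXME added above the `NETLOGON_NEG_AUTHENTICATED_RPC` check ships with the code and documents nothing; as written, a netlogon connection negotiated without authenticated RPC only becomes `NT_STATUS_DOWNGRADE_DETECTED` when `winbind sealed pipes` or `require strong key` is set, so with both off the downgrade appears to be accepted silently (the remainder of that branch is outside the hunk). A `DBG_WARNING("netlogon to %s negotiated without NETLOGON_NEG_AUTHENTICATED_RPC\n", domain->name);` at the top of that `if`, matching the one added for `SEC_CHAN_NULL`, would at least make the fallback observable. The comment introduced before `winbindd_can_contact_domain()` also reads "with with our machine account password". get_trust_credentials and cm_connect_netlogon_transport both continue outside the hunks.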
@@ -0,0 +1,46 @@
+From a3978285d05eb0bd9b52b0d1c2908388005b32e1 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 14 Jun 2016 22:37:31 +0300
+Subject: [PATCH] libnet_join: use sitename if it was set by pre-join detection
+
+When domain member is joined to AD, we need to use the same DC to
+authenticate against after the join because the machine account might
+not be replicated yet to other domain controllers, including off-site.
+
+Bug https://bugzilla.samba.org/show_bug.cgi?id=11769 dealt with
+detection of the site pre-join. However, we rewrite private local
+krb5.conf afterwards without taking the discovered site name into
+account.
+
+Fix this by reusing the site discovered pre-join.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11975
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Jeremy Allison
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Wed Jun 15 15:25:44 CEST 2016 on sn-devel-144
+
+(cherry picked from commit 4c408f6de5c32a41fbb44971419118e5425d13e7)
+---
+ source3/libnet/libnet_join.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index a28864d..c007183 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2500,7 +2500,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
+
+ create_local_private_krb5_conf_for_domain(
+ r->out.dns_domain_name, r->out.netbios_domain_name,
+- NULL, smbXcli_conn_remote_sockaddr(cli->conn));
++ sitename, smbXcli_conn_remote_sockaddr(cli->conn));
+
+ if (r->out.domain_is_ad &&
+ !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
+--
+2.9.0
+
diff --git a/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch b/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch
new file mode 100644
index 0000000..e71bc79
--- /dev/null
+++ b/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch
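Review bot: `sitename` is declared and assigned outside the hunk, while the argument it replaces was a literal `NULL`; please confirm it is initialised to NULL on every path where pre-join site detection found nothing, otherwise `create_local_private_krb5_conf_for_domain()` receives an indeterminate pointer. A one-line comment above the call, such as `/* sitename is presumably NULL when pre-join site detection found nothing */`, would record that contract for the next reader. libnet_DomainJoin continues on both sides of the hunk.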
@@ -0,0 +1,51 @@
+From f8d4a51b02abd2f7bb4c5a874d8d83f4dedc7a6a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 29 Jun 2016 13:38:19 +0200
+Subject: [PATCH] s3-winbind: Fix memory leak with each cached credential login
+
+When we allow offline logon and have a lot of logins, windbind will leak
+4k of memory which each log in. On systems with heavy load this can grow
+quickly and the OOM killer will kill Winbind.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144
+
+(cherry picked from commit 826f61960ec74deedc9d556a3b8fe04d9178dcd8)
+---
+ source3/winbindd/winbindd_cache.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
+index cf3ed71..5dd9f4f 100644
+--- a/source3/winbindd/winbindd_cache.c
++++ b/source3/winbindd/winbindd_cache.c
+@@ -3471,7 +3471,7 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const
+ struct winbind_cache *cache = get_cache(domain);
+ NTSTATUS status;
+ int ret;
+- struct cred_list *cred, *oldest = NULL;
++ struct cred_list *cred, *next, *oldest = NULL;
+
+ if (!cache->tdb) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+@@ -3540,7 +3540,11 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const
+ status = NT_STATUS_UNSUCCESSFUL;
+ }
+ done:
+- SAFE_FREE(wcache_cred_list);
++ for (cred = wcache_cred_list; cred; cred = next) {
++ next = cred->next;
++ DLIST_REMOVE(wcache_cred_list, cred);
++ SAFE_FREE(cred);
++ }
+ SAFE_FREE(oldest);
+
+ return status;
+--
+2.9.0
+
diff --git a/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch b/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch
new file mode 100644
index 0000000..c75593a
--- /dev/null
+++ b/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch
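Review bot: The new loop frees every node reachable from `wcache_cred_list` and is then followed by the pre-existing `SAFE_FREE(oldest)`; if `oldest` is ever made to point at a list node rather than at a separate allocation, that is a double free (the assignment to `oldest` lies between the two visible hunks, outside this view). Please confirm it is an independent copy and say so, e.g. `/* oldest is a separate allocation, never a node of wcache_cred_list, so freeing both is safe */` above the loop. The `DLIST_REMOVE` inside the loop is redundant with the saved-`next` walk but harmless; keeping it leaves `wcache_cred_list` NULL afterwards, which is presumably wanted if that list is file-scope state reused by the next call.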
@@ -0,0 +1,107 @@ +From eb09689c3c1eeae14eeb08352c5342d89b7bf96d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 3 Aug 2016 13:23:31 +0200 +Subject: [PATCH] ctdb-waf: Move ctdb tests to libexec directory + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12104 + +Signed-off-by: Andreas Schneider +Reviewed-by: Martin Schwenke + +(cherry picked from commit f9c85d04e9edb3af9479e9c83d5b1ec77b9c2ee2) +--- + ctdb/wscript | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/ctdb/wscript b/ctdb/wscript +index 5739269..a6d1e68 100755 +--- a/ctdb/wscript ++++ b/ctdb/wscript +@@ -208,7 +208,7 @@ def configure(conf): + + conf.env.CTDB_TEST_DATADIR = os.path.join(conf.env.EXEC_PREFIX, + 'share/ctdb-tests') +- conf.env.CTDB_TEST_LIBDIR = os.path.join(conf.env.LIBDIR, 'ctdb-tests') ++ conf.env.CTDB_TEST_LIBEXECDIR = os.path.join(conf.env.LIBEXECDIR, 'ctdb/tests') + + # Allow unified compilation and separate compilation of utilities + # to find includes +@@ -637,12 +637,12 @@ def build(bld): + bld.SAMBA_BINARY(target, + source=src, + deps='talloc tevent tdb tevent-unix-util', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + bld.SAMBA_BINARY('reqid_test', + source='tests/src/reqid_test.c', + deps='samba-util', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + # Test binaries + ctdb_tests = [ +@@ -671,7 +671,7 @@ def build(bld): + source=src, + includes='include', + deps='ctdb-client ctdb-common ctdb-util', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + bld.SAMBA_BINARY('ctdb_takeover_tests', + source='tests/src/ctdb_takeover_tests.c', +@@ -680,21 +680,21 @@ def build(bld): + ctdb-protocol''' + + ib_deps, + includes='include', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + bld.SAMBA_BINARY('ctdb_functest', + source='tests/src/ctdb_functest.c', + deps='''replace tdb tevent talloc 
popt ctdb-system + samba-util tdb-wrap''', + includes='include', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + bld.SAMBA_BINARY('ctdb_stubtest', + source='tests/src/ctdb_test.c', + deps='''replace tdb tevent talloc popt ctdb-system + samba-util tdb-wrap''', + includes='include', +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + if bld.env.HAVE_INFINIBAND: + bld.SAMBA_BINARY('ibwrapper_test', +@@ -702,7 +702,7 @@ def build(bld): + includes='include', + deps='replace talloc ctdb-client ctdb-common' + + ib_deps, +- install_path='${CTDB_TEST_LIBDIR}') ++ install_path='${CTDB_TEST_LIBEXECDIR}') + + test_subdirs = [ + 'complex', +@@ -734,7 +734,7 @@ def build(bld): + destname=os.path.join('scripts', t)) + + sed_expr = 's@^TEST_SCRIPTS_DIR=.*@&\\nexport TEST_BIN_DIR=\"%s\"@' % ( +- bld.env.CTDB_TEST_LIBDIR) ++ bld.env.CTDB_TEST_LIBEXECDIR) + bld.SAMBA_GENERATOR('ctdb-test-wrap', + source='tests/scripts/test_wrap', + target='test_wrap', +@@ -743,7 +743,7 @@ def build(bld): + destname='test_wrap', chmod=0755) + + sed_expr1 = 's@^test_dir=.*@test_dir=%s\\nexport TEST_BIN_DIR=\"%s\"@' % ( +- bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBDIR) ++ bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBEXECDIR) + sed_expr2 = 's@^\(export CTDB_TESTS_ARE_INSTALLED\)=false@\\1=true@' + bld.SAMBA_GENERATOR('ctdb-test-runner', + source='tests/run_tests.sh', +-- +2.9.2 + diff --git a/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch b/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch new file mode 100644 index 0000000..44c16a1 --- /dev/null +++ b/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch 
@@ -0,0 +1,147 @@ +From d29b108d879b4de27d235a1692e090c0993582df Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 6 Jul 2016 12:48:11 +0200 +Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi + bind + +When doing gssapi sasl bind: +1. Try working without kinit only if a password is not + provided +2. When using kinit, ensure the KRB5CCNAME env var is set + to a private memory ccache, so that the bind is on behalf + of the requested user. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Uri Simchoni +(cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655) +--- + source3/libads/sasl.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index d76d872..6c054cd 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -26,6 +26,7 @@ + #include "smb_krb5.h" + #include "system/gssapi.h" + #include "lib/param/loadparm.h" ++#include "krb5_env.h" + + #ifdef HAVE_LDAP + +@@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) + { + ADS_STATUS status; + struct ads_service_principal p; ++ const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; + + status = ads_generate_service_principal(ads, &p); + if (!ADS_ERR_OK(status)) { + return status; + } + +- status = ads_sasl_gssapi_do_bind(ads, p.name); +- if (ADS_ERR_OK(status)) { +- ads_free_service_principal(&p); +- return status; +- } ++ if (ads->auth.password == NULL || ++ ads->auth.password[0] == '\0') { ++ status = ads_sasl_gssapi_do_bind(ads, p.name); ++ if (ADS_ERR_OK(status)) { ++ ads_free_service_principal(&p); ++ return status; ++ } + +- DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " +- "calling kinit\n", ads_errstr(status))); ++ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " ++ "calling kinit\n", ads_errstr(status))); ++ } + ++ if (ads->auth.ccache_name != NULL) { ++ 
ccache_name = ads->auth.ccache_name; ++ } ++ setenv(KRB5_ENV_CCNAME, ccache_name, 1); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { +-- +2.5.5 + + +From 416ba773c332288e948871d8f649c0310a94f906 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 6 Jul 2016 12:44:11 +0200 +Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego + bind + +When doing spnego sasl bind: +1. Try working without kinit only if a password is not + provided +2. When using kinit, ensure the KRB5CCNAME env var is set + to a private memory ccache, so that the bind is on behalf + of the requested user. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Uri Simchoni + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144 + +(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2) +--- + source3/libads/sasl.c | 29 ++++++++++++++++++++--------- + 1 file changed, 20 insertions(+), 9 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 6c054cd..85a2eb0 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && + got_kerberos_mechanism) + { +- status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +- CRED_MUST_USE_KERBEROS, +- p.service, p.hostname, +- blob); +- if (ADS_ERR_OK(status)) { +- ads_free_service_principal(&p); +- goto done; ++ const char *ccache_name = "MEMORY:ads_sasl_spnego_bind"; ++ if (ads->auth.ccache_name != NULL) { ++ ccache_name = ads->auth.ccache_name; + } + +- DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, " +- "calling kinit\n", ads_errstr(status))); ++ if (ads->auth.password == NULL || ++ ads->auth.password[0] == '\0') ++ { ++ ++ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", ++ 
CRED_MUST_USE_KERBEROS, ++ p.service, p.hostname, ++ blob); ++ if (ADS_ERR_OK(status)) { ++ ads_free_service_principal(&p); ++ goto done; ++ } ++ ++ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, " ++ "calling kinit\n", ads_errstr(status))); ++ } + ++ setenv(KRB5_ENV_CCNAME, ccache_name, 1); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { +-- +2.5.5 + diff --git a/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch b/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch new file mode 100644 index 0000000..34ca572 --- /dev/null +++ b/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch 
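Review bot: Both new `setenv(KRB5_ENV_CCNAME, ccache_name, 1)` calls ignore the return value, yet the whole point of the change is that the following `ads_kinit_password()` must land in `ccache_name` rather than in whatever ccache the environment already names; if `setenv` fails the bind silently proceeds with the wrong identity, which is exactly the problem being fixed. In ads_sasl_gssapi_bind, fail instead: `if (setenv(KRB5_ENV_CCNAME, ccache_name, 1) != 0) { ads_free_service_principal(&p); return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); }`, with the equivalent `goto done` form in ads_sasl_spnego_bind. Separately, the environment is process-wide and neither hunk restores the previous value, so later Kerberos users in the same process, and any children it spawns, inherit the `MEMORY:` cache; if that is acceptable for this process model, a comment saying so would help. Both functions continue outside the hunks.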
@@ -0,0 +1,88 @@ +From 70bab87ab37d30521a65056fd6f6a3f4f8bf6716 Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Mon, 15 Aug 2016 23:07:33 +0200 +Subject: [PATCH 1/2] idmap: don't generally forbid id==0 from + idmap_unix_id_is_in_range() + +If the range allows it, then id==0 should not be forbidden. +This seems to have been taken in from idmap_ldap when the +function was originally created. + +See 634cd2e0451d4388c3e3f78239495cf595368b15 . +The other backends don't seem to have had that +extra check for id == 0. + +The reasoning for this change is that the range check should +apply to all cases. If the range includes the 0, then it +should be possible to get it as result. In particular, +this way, the function becomes applicable also to the +passdb backend case, e.g. in a samba4-ad-dc setup where +the Admin gets uid == 0. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 + +Signed-off-by: Michael Adam +Reviewed-by: Volker Lendecke +Reviewed-by: Andreas Schneider +(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d) +--- + source3/winbindd/idmap_util.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c +index f90565f..b6f7b52 100644 +--- a/source3/winbindd/idmap_util.c ++++ b/source3/winbindd/idmap_util.c +@@ -160,11 +160,6 @@ backend: + */ + bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom) + { +- if (id == 0) { +- /* 0 is not an allowed unix id for id mapping */ +- return false; +- } +- + if ((dom->low_id && (id < dom->low_id)) || + (dom->high_id && (id > dom->high_id))) + { +-- +2.7.4 + + +From 739167276bc26dfc62acdd96cc9cadb5f88dd02b Mon Sep 17 00:00:00 2001 +From: Michael Adam +Date: Tue, 9 Aug 2016 18:25:12 +0200 +Subject: [PATCH 2/2] idmap: centrally check that unix IDs returned by the + idmap backends are in range + +Note: in the long run, it might be good to move this kind of +exit check (before handing the result back to the client) +to the 
parent winbindd code. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 + +Signed-off-by: Michael Adam + +(Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.) +--- + source3/winbindd/winbindd_dual_srv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c +index cdd9bbd..630d28a 100644 +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -203,6 +203,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, + for (j=0; jin.ids->ids[id_idx[j]]; + ++ if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) { ++ ids[j].status = ID_UNMAPPED; ++ } ++ + if (ids[j].status != ID_MAPPED) { + id->xid.id = UINT32_MAX; + id->xid.type = ID_TYPE_NOT_SPECIFIED; +-- +2.7.4 + diff --git a/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch b/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch new file mode 100644 index 0000000..2fc8f57 --- /dev/null +++ b/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch 
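Review bot: Dropping the unconditional `id == 0` rejection in `idmap_unix_id_is_in_range()` leaves the configured range as the only thing between a SID and uid/gid 0, and the remaining condition treats `dom->low_id == 0` and `dom->high_id == 0` as "no bound", so a domain with no range configured now accepts 0 where it previously refused it. If unbounded domains are not meant to hand out root, keep the rejection for that case, `if (id == 0 && dom->low_id == 0 && dom->high_id == 0) { return false; }`, or state in the function's doc comment (its start is outside the hunk) that a range with no bounds deliberately permits 0. The second hunk applies the range check before the `ids[j].status != ID_MAPPED` test, which is fine but deserves a line such as `/* reject backend results outside the configured range, even if the backend reported ID_MAPPED */`. The `for` line above it looks garbled by extraction (`jin.ids`), not by the patch.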
@@ -0,0 +1,60 @@ +From b863a62ef2c1e71f3cdf4c74994369baa45dbce7 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Wed, 3 Aug 2016 15:00:45 +0200 +Subject: [PATCH] async_req: make async_connect_send() "reentrant" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Allow callers to pass in socket fds that where already passed to an +earlier call of async_connect_send(). Callers expect this behaviour and +it was working until 05d4dbda8357712cb81008e0d611fdb0e7239587 broke it. + +The proper fix would be to change callers to close the fd and start from +scratch with a fresh socket. + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=12105 + +Signed-off-by: Ralph Boehme +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Thu Aug 4 05:03:21 CEST 2016 on sn-devel-144 + +(cherry picked from commit 9c6a4ea2788808bdcc7bfea798d838ea56c3b5ec) +--- + lib/async_req/async_sock.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c +index c14acf3..3af1748 100644 +--- a/lib/async_req/async_sock.c ++++ b/lib/async_req/async_sock.c +@@ -128,11 +128,21 @@ struct tevent_req *async_connect_send( + } + + /* +- * The only errno indicating that the connect is still in +- * flight is EINPROGRESS, everything else is an error ++ * The only errno indicating that an initial connect is still ++ * in flight is EINPROGRESS. ++ * ++ * We get EALREADY when someone calls us a second time for a ++ * given fd and the connect is still in flight (and returned ++ * EINPROGRESS the first time). ++ * ++ * This allows callers like open_socket_out_send() to reuse ++ * fds and call us with an fd for which the connect is still ++ * in flight. The proper thing to do for callers would be ++ * closing the fd and starting from scratch with a fresh ++ * socket. 
+ */ + +- if (errno != EINPROGRESS) { ++ if (errno != EINPROGRESS && errno != EALREADY) { + tevent_req_error(req, errno); + return tevent_req_post(req, ev); + } +-- +2.7.4 + diff --git a/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch b/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch new file mode 100644 index 0000000..ecde81b --- /dev/null +++ b/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch 
@@ -0,0 +1,72 @@ +From 8fec0f145a06d900bbcfc8959749cc78ab6be8ed Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 25 Aug 2016 14:24:08 +0200 +Subject: [PATCH] s3-util: Fix asking for username and password in smbget. + +If the user specified the username in the URI with with: + + smb://DOMAIN;user:secret@server/share + +the tool should not prompt for the username nor the password. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12175 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +(cherry picked from commit f5401ff3146aabc5fb2dac25e4856c6c3756c8f7) +--- + source3/utils/smbget.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c +index 4909fa2..74ca7f8 100644 +--- a/source3/utils/smbget.c ++++ b/source3/utils/smbget.c +@@ -105,7 +105,6 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen, + static char *savedwg; + static char *savedun; + static char *savedpw; +- char tmp[128]; + + if (hasasked) { + strncpy(wg, savedwg, wglen - 1); +@@ -115,23 +114,22 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen, + } + hasasked = true; + +- if (!opt.nonprompt && !opt.username_specified) { +- printf("Username for %s at %s [guest] ", shr, srv); +- if (fgets(tmp, sizeof(tmp), stdin) == NULL) { +- return; +- } +- if ((strlen(tmp) > 0) && (tmp[strlen(tmp) - 1] == '\n')) { +- tmp[strlen(tmp) - 1] = '\0'; +- } +- strncpy(un, tmp, unlen - 1); +- } else if (opt.username != NULL) { ++ /* ++ * If no user has been specified un is initialized with the current ++ * username of the user who started smbget. 
++ */ ++ if (opt.username_specified) { + strncpy(un, opt.username, unlen - 1); + } + +- if (!opt.nonprompt && !opt.password_specified) { ++ if (!opt.nonprompt && !opt.password_specified && pw[0] == '\0') { + char *prompt; +- if (asprintf(&prompt, "Password for %s at %s: ", shr, srv) == +- -1) { ++ int rc; ++ ++ rc = asprintf(&prompt, ++ "Password for [%s] connecting to //%s/%s: ", ++ un, shr, srv); ++ if (rc == -1) { + return; + } + (void)samba_getpass(prompt, pw, pwlen, false, false); +-- +2.9.3 + diff --git a/SOURCES/smb.conf.default b/SOURCES/smb.conf.default deleted file mode 100644 index fe0d921..0000000 --- a/SOURCES/smb.conf.default +++ /dev/null 
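Review bot: The new prompt format `"Password for [%s] connecting to //%s/%s: "` is filled with `un, shr, srv`, so it prints `//share/server` rather than the UNC-style `//server/share` the format implies; swap the last two arguments: `un, srv, shr`. Removing the interactive username prompt also drops the "[guest]" default, and the new comment says `un` arrives pre-filled with the invoking user's name, which changes whom an unspecified user authenticates as — presumably intended by the fix, but it deserves a sentence in that comment. The `pw[0] == '\0'` test assumes the caller hands in a zeroed or already-populated password buffer; if libsmbclient does not guarantee that, the prompt can be skipped on indeterminate contents. get_auth_data continues outside the hunk.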
@@ -1,320 +0,0 @@ -# This is the main Samba configuration file. For detailed information about the -# options listed here, refer to the smb.conf(5) manual page. Samba has a huge -# number of configurable options, most of which are not shown in this example. -# -# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step -# guides for installing, configuring, and using Samba: -# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf -# -# The Samba-3 by Example guide has working examples for smb.conf. This guide is -# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf -# -# In this file, lines starting with a semicolon (;) or a hash (#) are -# comments and are ignored. This file uses hashes to denote commentary and -# semicolons for parts of the file you may wish to configure. -# -# Note: Run the "testparm" command after modifying this file to check for basic -# syntax errors. -# -#--------------- -# Security-Enhanced Linux (SELinux) Notes: -# -# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd -# and groupadd family of binaries. Run the following command as the root user to -# turn this Boolean on: -# setsebool -P samba_domain_controller on -# -# Turn the samba_enable_home_dirs Boolean on if you want to share home -# directories via Samba. Run the following command as the root user to turn this -# Boolean on: -# setsebool -P samba_enable_home_dirs on -# -# If you create a new directory, such as a new top-level directory, label it -# with samba_share_t so that SELinux allows Samba to read and write to it. Do -# not label system directories, such as /etc/ and /home/, with samba_share_t, as -# such directories should already have an SELinux label. -# -# Run the "ls -ldZ /path/to/directory" command to view the current SELinux -# label for a given directory. -# -# Set SELinux labels only on files and directories you have created. 
Use the -# chcon command to temporarily change a label: -# chcon -t samba_share_t /path/to/directory -# -# Changes made via chcon are lost when the file system is relabeled or commands -# such as restorecon are run. -# -# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system -# directories. To share such directories and only allow read-only permissions: -# setsebool -P samba_export_all_ro on -# To share such directories and allow read and write permissions: -# setsebool -P samba_export_all_rw on -# -# To run scripts (preexec/root prexec/print command/...), copy them to the -# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. -# Note that if you move the scripts to /var/lib/samba/scripts/, they retain -# their existing SELinux labels, which may be labels that SELinux does not allow -# smbd to run. Copying the scripts will result in the correct SELinux labels. -# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to -# apply the correct SELinux labels to these files. -# -#-------------- -# -#======================= Global Settings ===================================== - -[global] - -# ----------------------- Network-Related Options ------------------------- -# -# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. -# -# server string = the equivalent of the Windows NT Description field. -# -# netbios name = used to specify a server name that is not tied to the hostname. -# -# interfaces = used to configure Samba to listen on multiple network interfaces. -# If you have multiple interfaces, you can use the "interfaces =" option to -# configure which of those interfaces Samba listens on. Never omit the localhost -# interface (lo). -# -# hosts allow = the hosts allowed to connect. This option can also be used on a -# per-share basis. -# -# hosts deny = the hosts not allowed to connect. This option can also be used on -# a per-share basis. 
-# -# max protocol = used to define the supported protocol. The default is NT1. You -# can set it to SMB2 if you want experimental SMB2 support. -# - workgroup = MYGROUP - server string = Samba Server Version %v - -; netbios name = MYSERVER - -; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 -; hosts allow = 127. 192.168.12. 192.168.13. - -; max protocol = SMB2 - -# --------------------------- Logging Options ----------------------------- -# -# log file = specify where log files are written to and how they are split. -# -# max log size = specify the maximum size log files are allowed to reach. Log -# files are rotated when they reach the size specified with "max log size". -# - - # log files split per-machine: - log file = /var/log/samba/log.%m - # maximum size of 50KB per log file, then rotate: - max log size = 50 - -# ----------------------- Standalone Server Options ------------------------ -# -# security = the mode Samba runs in. This can be set to user, share -# (deprecated), or server (deprecated). -# -# passdb backend = the backend used to store user information in. New -# installations should use either tdbsam or ldapsam. No additional configuration -# is required for tdbsam. The "smbpasswd" utility is available for backwards -# compatibility. -# - - security = user - passdb backend = tdbsam - - -# ----------------------- Domain Members Options ------------------------ -# -# security = must be set to domain or ads. -# -# passdb backend = the backend used to store user information in. New -# installations should use either tdbsam or ldapsam. No additional configuration -# is required for tdbsam. The "smbpasswd" utility is available for backwards -# compatibility. -# -# realm = only use the realm option when the "security = ads" option is set. -# The realm option specifies the Active Directory realm the host is a part of. 
-# -# password server = only use this option when the "security = server" -# option is set, or if you cannot use DNS to locate a Domain Controller. The -# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: -# -# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] -# -# Use "password server = *" to automatically locate Domain Controllers. - -; security = domain -; passdb backend = tdbsam -; realm = MY_REALM - -; password server = - -# ----------------------- Domain Controller Options ------------------------ -# -# security = must be set to user for domain controllers. -# -# passdb backend = the backend used to store user information in. New -# installations should use either tdbsam or ldapsam. No additional configuration -# is required for tdbsam. The "smbpasswd" utility is available for backwards -# compatibility. -# -# domain master = specifies Samba to be the Domain Master Browser, allowing -# Samba to collate browse lists between subnets. Do not use the "domain master" -# option if you already have a Windows NT domain controller performing this task. -# -# domain logons = allows Samba to provide a network logon service for Windows -# workstations. -# -# logon script = specifies a script to run at login time on the client. These -# scripts must be provided in a share named NETLOGON. -# -# logon path = specifies (with a UNC path) where user profiles are stored. 
-# -# -; security = user -; passdb backend = tdbsam - -; domain master = yes -; domain logons = yes - - # the following login script name is determined by the machine name - # (%m): -; logon script = %m.bat - # the following login script name is determined by the UNIX user used: -; logon script = %u.bat -; logon path = \\%L\Profiles\%u - # use an empty path to disable profile support: -; logon path = - - # various scripts can be used on a domain controller or a stand-alone - # machine to add or delete corresponding UNIX accounts: - -; add user script = /usr/sbin/useradd "%u" -n -g users -; add group script = /usr/sbin/groupadd "%g" -; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" -; delete user script = /usr/sbin/userdel "%u" -; delete user from group script = /usr/sbin/userdel "%u" "%g" -; delete group script = /usr/sbin/groupdel "%g" - - -# ----------------------- Browser Control Options ---------------------------- -# -# local master = when set to no, Samba does not become the master browser on -# your network. When set to yes, normal election rules apply. -# -# os level = determines the precedence the server has in master browser -# elections. The default value should be reasonable. -# -# preferred master = when set to yes, Samba forces a local browser election at -# start up (and gives itself a slightly higher chance of winning the election). -# -; local master = no -; os level = 33 -; preferred master = yes - -#----------------------------- Name Resolution ------------------------------- -# -# This section details the support for the Windows Internet Name Service (WINS). -# -# Note: Samba can be either a WINS server or a WINS client, but not both. -# -# wins support = when set to yes, the NMBD component of Samba enables its WINS -# server. -# -# wins server = tells the NMBD component of Samba to be a WINS client. 
-# -# wins proxy = when set to yes, Samba answers name resolution queries on behalf -# of a non WINS capable client. For this to work, there must be at least one -# WINS server on the network. The default is no. -# -# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS -# nslookups. - -; wins support = yes -; wins server = w.x.y.z -; wins proxy = yes - -; dns proxy = yes - -# --------------------------- Printing Options ----------------------------- -# -# The options in this section allow you to configure a non-default printing -# system. -# -# load printers = when set you yes, the list of printers is automatically -# loaded, rather than setting them up individually. -# -# cups options = allows you to pass options to the CUPS library. Setting this -# option to raw, for example, allows you to use drivers on your Windows clients. -# -# printcap name = used to specify an alternative printcap file. -# - - load printers = yes - cups options = raw - -; printcap name = /etc/printcap - # obtain a list of printers automatically on UNIX System V systems: -; printcap name = lpstat -; printing = cups - -# --------------------------- File System Options --------------------------- -# -# The options in this section can be un-commented if the file system supports -# extended attributes, and those attributes are enabled (usually via the -# "user_xattr" mount option). These options allow the administrator to specify -# that DOS attributes are stored in extended attributes and also make sure that -# Samba does not change the permission bits. -# -# Note: These options can be used on a per-share basis. Setting them globally -# (in the [global] section) makes them the default for all shares. 
- -; map archive = no -; map hidden = no -; map read only = no -; map system = no -; store dos attributes = yes - - -#============================ Share Definitions ============================== - -[homes] - comment = Home Directories - browseable = no - writable = yes -; valid users = %S -; valid users = MYDOMAIN\%S - -[printers] - comment = All Printers - path = /var/spool/samba - browseable = no - guest ok = no - writable = no - printable = yes - -# Un-comment the following and create the netlogon directory for Domain Logons: -; [netlogon] -; comment = Network Logon Service -; path = /var/lib/samba/netlogon -; guest ok = yes -; writable = no -; share modes = no - -# Un-comment the following to provide a specific roving profile share. -# The default is to use the user's home directory: -; [Profiles] -; path = /var/lib/samba/profiles -; browseable = no -; guest ok = yes - -# A publicly accessible directory that is read only, except for users in the -# "staff" group (which have write permissions): -; [public] -; comment = Public Stuff -; path = /home/samba -; public = yes -; writable = yes -; printable = no -; write list = +staff diff --git a/SOURCES/smb.conf.example b/SOURCES/smb.conf.example new file mode 100644 index 0000000..e672ce9 --- /dev/null +++ b/SOURCES/smb.conf.example 
@@ -0,0 +1,313 @@ +# This is the main Samba configuration file. For detailed information about the +# options listed here, refer to the smb.conf(5) manual page. Samba has a huge +# number of configurable options, most of which are not shown in this example. +# +# The Samba Wiki contains a lot of step-by-step guides installing, configuring, +# and using Samba: +# https://wiki.samba.org/index.php/User_Documentation +# +# In this file, lines starting with a semicolon (;) or a hash (#) are +# comments and are ignored. This file uses hashes to denote commentary and +# semicolons for parts of the file you may wish to configure. +# +# NOTE: Run the "testparm" command after modifying this file to check for basic +# syntax errors. +# +#--------------- +# Security-Enhanced Linux (SELinux) Notes: +# +# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the +# useradd and groupadd family of binaries. Run the following command as the +# root user to turn this Boolean on: +# setsebool -P samba_domain_controller on +# +# Turn the samba_enable_home_dirs Boolean on if you want to share home +# directories via Samba. Run the following command as the root user to turn this +# Boolean on: +# setsebool -P samba_enable_home_dirs on +# +# If you create a new directory, such as a new top-level directory, label it +# with samba_share_t so that SELinux allows Samba to read and write to it. Do +# not label system directories, such as /etc/ and /home/, with samba_share_t, as +# such directories should already have an SELinux label. +# +# Run the "ls -ldZ /path/to/directory" command to view the current SELinux +# label for a given directory. +# +# Set SELinux labels only on files and directories you have created. Use the +# chcon command to temporarily change a label: +# chcon -t samba_share_t /path/to/directory +# +# Changes made via chcon are lost when the file system is relabeled or commands +# such as restorecon are run. 
+# +# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system +# directories. To share such directories and only allow read-only permissions: +# setsebool -P samba_export_all_ro on +# To share such directories and allow read and write permissions: +# setsebool -P samba_export_all_rw on +# +# To run scripts (preexec/root prexec/print command/...), copy them to the +# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them. +# Note that if you move the scripts to /var/lib/samba/scripts/, they retain +# their existing SELinux labels, which may be labels that SELinux does not allow +# smbd to run. Copying the scripts will result in the correct SELinux labels. +# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to +# apply the correct SELinux labels to these files. +# +#-------------- +# +#======================= Global Settings ===================================== + +[global] + +# ----------------------- Network-Related Options ------------------------- +# +# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP. +# +# server string = the equivalent of the Windows NT Description field. +# +# netbios name = used to specify a server name that is not tied to the hostname, +# maximum is 15 characters. +# +# interfaces = used to configure Samba to listen on multiple network interfaces. +# If you have multiple interfaces, you can use the "interfaces =" option to +# configure which of those interfaces Samba listens on. Never omit the localhost +# interface (lo). +# +# hosts allow = the hosts allowed to connect. This option can also be used on a +# per-share basis. +# +# hosts deny = the hosts not allowed to connect. This option can also be used on +# a per-share basis. +# + workgroup = MYGROUP + server string = Samba Server Version %v + +; netbios name = MYSERVER + +; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 +; hosts allow = 127. 192.168.12. 192.168.13. 
+ +# --------------------------- Logging Options ----------------------------- +# +# log file = specify where log files are written to and how they are split. +# +# max log size = specify the maximum size log files are allowed to reach. Log +# files are rotated when they reach the size specified with "max log size". +# + + # log files split per-machine: + log file = /var/log/samba/log.%m + # maximum size of 50KB per log file, then rotate: + max log size = 50 + +# ----------------------- Standalone Server Options ------------------------ +# +# security = the mode Samba runs in. This can be set to user, share +# (deprecated), or server (deprecated). +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# + + security = user + passdb backend = tdbsam + + +# ----------------------- Domain Members Options ------------------------ +# +# security = must be set to domain or ads. +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# +# realm = only use the realm option when the "security = ads" option is set. +# The realm option specifies the Active Directory realm the host is a part of. +# +# password server = only use this option when the "security = server" +# option is set, or if you cannot use DNS to locate a Domain Controller. The +# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]: +# +# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] +# +# Use "password server = *" to automatically locate Domain Controllers. 
+ +; security = domain +; passdb backend = tdbsam +; realm = MY_REALM + +; password server = + +# ----------------------- Domain Controller Options ------------------------ +# +# security = must be set to user for domain controllers. +# +# passdb backend = the backend used to store user information in. New +# installations should use either tdbsam or ldapsam. No additional configuration +# is required for tdbsam. The "smbpasswd" utility is available for backwards +# compatibility. +# +# domain master = specifies Samba to be the Domain Master Browser, allowing +# Samba to collate browse lists between subnets. Do not use the "domain master" +# option if you already have a Windows NT domain controller performing this task. +# +# domain logons = allows Samba to provide a network logon service for Windows +# workstations. +# +# logon script = specifies a script to run at login time on the client. These +# scripts must be provided in a share named NETLOGON. +# +# logon path = specifies (with a UNC path) where user profiles are stored. 
+# +# +; security = user +; passdb backend = tdbsam + +; domain master = yes +; domain logons = yes + + # the following login script name is determined by the machine name + # (%m): +; logon script = %m.bat + # the following login script name is determined by the UNIX user used: +; logon script = %u.bat +; logon path = \\%L\Profiles\%u + # use an empty path to disable profile support: +; logon path = + + # various scripts can be used on a domain controller or a stand-alone + # machine to add or delete corresponding UNIX accounts: + +; add user script = /usr/sbin/useradd "%u" -n -g users +; add group script = /usr/sbin/groupadd "%g" +; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u" +; delete user script = /usr/sbin/userdel "%u" +; delete user from group script = /usr/sbin/userdel "%u" "%g" +; delete group script = /usr/sbin/groupdel "%g" + + +# ----------------------- Browser Control Options ---------------------------- +# +# local master = when set to no, Samba does not become the master browser on +# your network. When set to yes, normal election rules apply. +# +# os level = determines the precedence the server has in master browser +# elections. The default value should be reasonable. +# +# preferred master = when set to yes, Samba forces a local browser election at +# start up (and gives itself a slightly higher chance of winning the election). +# +; local master = no +; os level = 33 +; preferred master = yes + +#----------------------------- Name Resolution ------------------------------- +# +# This section details the support for the Windows Internet Name Service (WINS). +# +# Note: Samba can be either a WINS server or a WINS client, but not both. +# +# wins support = when set to yes, the NMBD component of Samba enables its WINS +# server. +# +# wins server = tells the NMBD component of Samba to be a WINS client. 
+# +# wins proxy = when set to yes, Samba answers name resolution queries on behalf +# of a non WINS capable client. For this to work, there must be at least one +# WINS server on the network. The default is no. +# +# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS +# nslookups. + +; wins support = yes +; wins server = w.x.y.z +; wins proxy = yes + +; dns proxy = yes + +# --------------------------- Printing Options ----------------------------- +# +# The options in this section allow you to configure a non-default printing +# system. +# +# load printers = when set you yes, the list of printers is automatically +# loaded, rather than setting them up individually. +# +# cups options = allows you to pass options to the CUPS library. Setting this +# option to raw, for example, allows you to use drivers on your Windows clients. +# +# printcap name = used to specify an alternative printcap file. +# + + load printers = yes + cups options = raw + +; printcap name = /etc/printcap + # obtain a list of printers automatically on UNIX System V systems: +; printcap name = lpstat +; printing = cups + +# --------------------------- File System Options --------------------------- +# +# The options in this section can be un-commented if the file system supports +# extended attributes, and those attributes are enabled (usually via the +# "user_xattr" mount option). These options allow the administrator to specify +# that DOS attributes are stored in extended attributes and also make sure that +# Samba does not change the permission bits. +# +# Note: These options can be used on a per-share basis. Setting them globally +# (in the [global] section) makes them the default for all shares. 
+ +; map archive = no +; map hidden = no +; map read only = no +; map system = no +; store dos attributes = yes + + +#============================ Share Definitions ============================== + +[homes] + comment = Home Directories + browseable = no + writable = yes +; valid users = %S +; valid users = MYDOMAIN\%S + +[printers] + comment = All Printers + path = /var/spool/samba + browseable = no + guest ok = no + writable = no + printable = yes + +# Un-comment the following and create the netlogon directory for Domain Logons: +; [netlogon] +; comment = Network Logon Service +; path = /var/lib/samba/netlogon +; guest ok = yes +; writable = no +; share modes = no + +# Un-comment the following to provide a specific roaming profile share. +# The default is to use the user's home directory: +; [Profiles] +; path = /var/lib/samba/profiles +; browseable = no +; guest ok = yes + +# A publicly accessible directory that is read only, except for users in the +# "staff" group (which have write permissions): +; [public] +; comment = Public Stuff +; path = /home/samba +; public = yes +; writable = no +; printable = no +; write list = +staff diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor new file mode 100644 index 0000000..86c0aac --- /dev/null +++ b/SOURCES/smb.conf.vendor 
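Review bot: The example still ships `server string = Samba Server Version %v`, which expands to the exact Samba version and is handed to any client that lists or browses the server, so administrators who copy this file verbatim advertise their patch level. For a vendor-provided example a neutral default such as `server string = Samba Server` is preferable, with a comment noting that `%v` expands to the running version. The hosts allow / hosts deny lines remain commented out as in the previous default, which matches the explanatory text above them.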
@@ -0,0 +1,36 @@ +# See smb.conf.example for a more detailed config file or +# read the smb.conf manpage. +# Run 'testparm' to verify the config is correct after +# you modified it. + +[global] + workgroup = SAMBA + security = user + + passdb backend = tdbsam + + printing = cups + printcap name = cups + load printers = yes + cups options = raw + +[homes] + comment = Home Directories + valid users = %S, %D%w%S + browseable = No + read only = No + inherit acls = Yes + +[printers] + comment = All Printers + path = /var/tmp + printable = Yes + create mask = 0600 + browseable = No + +[print$] + comment = Printer Drivers + path = /var/lib/samba/drivers + write list = root + create mask = 0664 + directory mask = 0775 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 9f2c0a0..c49f684 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -1,19 +1,18 @@ # rpmbuild --rebuild --with testsuite --without clustering samba.src.rpm # -# The testsuite is disabled by default. Set --with testsuite or %bcond_without +# The testsuite is disabled by default. Set --with testsuite or bcond_without # to run the Samba torture testsuite. %bcond_with testsuite # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 7 +%define main_release 9 -%define samba_version 4.2.10 -%define talloc_version 2.1.2 -%define ntdb_version 1.0 -%define tdb_version 1.3.4 -%define tevent_version 0.9.24 -%define ldb_version 1.1.20 +%define samba_version 4.4.4 +%define talloc_version 2.1.6 +%define tdb_version 1.3.8 +%define tevent_version 0.9.28 +%define ldb_version 1.1.26 # This should be rc1 or nil %define pre_release %nil 
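Review bot: The `[printers]` share in the new vendor config spools jobs under `path = /var/tmp`, while the example file shipped in the same commit and the deleted smb.conf.default both use the dedicated `/var/spool/samba`. A shared, world-writable temporary directory is a poor spool location: job files land beside other local users' files, are exposed to name collisions and tmp-cleaner removal, and lose the isolation a dedicated spool directory gives. Unless the packaging deliberately no longer creates that directory, change the line to `path = /var/spool/samba`; the `create mask = 0600` line below it is correct either way. The same applies to the first hunk of this file only, as it is a new file.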
@@ -23,18 +22,16 @@ %define samba_release %{main_release}%{?dist} %endif -# This is a network daemon, do a hardened build. +# This is a network daemon, do a hardened build # Enables PIE and full RELRO protection %global _hardened_build 1 %global with_libsmbclient 1 %global with_libwbclient 1 -%global with_pam_smbpass 0 %global with_internal_talloc 0 %global with_internal_tevent 0 %global with_internal_tdb 0 -%global with_internal_ntdb 1 %global with_internal_ldb 0 %global with_profiling 1 
@@ -102,26 +99,24 @@ Source0: samba-%{version}%{pre_release}.tar.xz # Red Hat specific replacement-files Source1: samba.log Source2: samba.xinetd -Source4: smb.conf.default +Source3: smb.conf.vendor +Source4: smb.conf.example Source5: pam_winbind.conf Source6: samba.pamd Source200: README.dc Source201: README.downgrade -Patch1: samba-4.2.10-ldap-sasl-win2003.patch -Patch3: samba-4.2.3-document_netbios_length.patch -Patch4: samba-4.2.3-fix_net_ads_keytab_segfault.patch -Patch5: samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch -Patch6: samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch -Patch7: samba-4.2.10-badlock-bugfixes.patch -Patch8: samba-4.2.10-fix_rpcclient_ipc_signing.patch -Patch9: samba-4.2.10-fix_ntlm_auth_issues.patch -Patch10: samba-4.2.10-fix_msrpc_parse.patch -Patch11: samba-4.2.10-fix_anon_with_singing_mandatory.patch -Patch12: samba-4.2.99-fix_idmap_hash_with_other_modules.path -Patch13: samba-4.2.99-net_ads_join_fix_keytab_generation.patch -Patch14: CVE-2016-2119-v4-2.patch +Patch0: samba-4.4.5-fix_resolving_trusted_domain_users.patch +Patch1: samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch +Patch2: samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch +Patch3: samba-4.4.5-fix_winbind_cached_creds_memleak.patch +Patch4: CVE-2016-2119-v4-4.patch +Patch5: samba-4.4.7-fix-ctdb-test-install-dir.patch +Patch6: samba-4.4.7-fix_ads_krb5_ccname_handling.patch +Patch7: samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch +Patch8: samba-4.4.7-fix_idmap_range_checks.patch +Patch9: samba-4.4.7-fix_smget_auth_callback.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) 
@@ -131,7 +126,6 @@ Requires(preun): systemd Requires(postun): systemd Requires(pre): %{name}-common = %{samba_depver} -Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} @@ -146,19 +140,26 @@ Provides: samba4 = %{samba_depver} Obsoletes: samba4 < %{samba_depver} # We don't build it outdated docs anymore -Obsoletes: samba-doc +Provides: samba-doc = %{samba_depver} +Obsoletes: samba-doc < %{samba_depver} + # Is not supported yet -Obsoletes: samba-domainjoin-gui +Provides: samba-domainjoin-gui = %{samba_depver} +Obsoletes: samba-domainjoin-gui < %{samba_depver} + # SWAT been deprecated and removed from samba -Obsoletes: samba-swat -Obsoletes: samba4-swat +Provides: samba-swat = %{samba_depver} +Obsoletes: samba-swat < %{samba_depver} + +Provides: samba4-swat = %{samba_depver} +Obsoletes: samba4-swat < %{samba_depver} BuildRequires: cups-devel BuildRequires: dbus-devel BuildRequires: docbook-style-xsl BuildRequires: e2fsprogs-devel BuildRequires: gawk -BuildRequires: krb5-devel >= 1.10 +BuildRequires: krb5-devel >= 1.14 BuildRequires: libacl-devel BuildRequires: libaio-devel BuildRequires: libarchive-devel @@ -172,6 +173,7 @@ BuildRequires: pam-devel BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Parse::Yapp) BuildRequires: popt-devel +BuildRequires: python BuildRequires: python-devel BuildRequires: python-tevent BuildRequires: quota-devel @@ -180,7 +182,6 @@ BuildRequires: sed BuildRequires: xfsprogs-devel BuildRequires: zlib-devel >= 1.2.3 -BuildRequires: pkgconfig(libsystemd-daemon) BuildRequires: pkgconfig(libsystemd) %if %{with_vfs_glusterfs} 
@@ -190,36 +191,40 @@ BuildRequires: glusterfs-devel >= 3.4.0.16 %if %{with_vfs_cephfs} BuildRequires: libcephfs1-devel %endif -%if %{with_dc} -BuildRequires: gnutls-devel -%endif + +# Allow build with testsuite which uses heimdal +#%if %{with_dc} +#BuildRequires: gnutls-devel >= 3.4.7 +# Required by samba-tool +#BuildRequires: python-crypto +#%endif # pidl requirements BuildRequires: perl(Parse::Yapp) %if ! %with_internal_talloc -%global libtalloc_version 2.1.2 +%global libtalloc_version 2.1.6 BuildRequires: libtalloc-devel >= %{libtalloc_version} BuildRequires: pytalloc-devel >= %{libtalloc_version} %endif %if ! %with_internal_tevent -%global libtevent_version 0.9.22 +%global libtevent_version 0.9.28 BuildRequires: libtevent-devel >= %{libtevent_version} BuildRequires: python-tevent >= %{libtevent_version} %endif %if ! %with_internal_ldb -%global libldb_version 1.1.20 +%global libldb_version 1.1.26 BuildRequires: libldb-devel >= %{libldb_version} BuildRequires: pyldb-devel >= %{libldb_version} %endif %if ! %with_internal_tdb -%global libtdb_version 1.3.4 +%global libtdb_version 1.3.8 BuildRequires: libtdb-devel >= %{libtdb_version} BuildRequires: python-tdb >= %{libtdb_version} @@ -238,14 +243,14 @@ BuildRequires: ldb-tools ### SAMBA %description -Samba is the standard Windows interoperability suite of programs for Linux and Unix. +Samba is the standard Windows interoperability suite of programs for Linux and +Unix. ### CLIENT %package client Summary: Samba client programs Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} -Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %if %with_libsmbclient 
@@ -255,8 +260,11 @@ Requires: libsmbclient = %{samba_depver} Provides: samba4-client = %{samba_depver} Obsoletes: samba4-client < %{samba_depver} +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + %description client -The samba4-client package provides some SMB/CIFS clients to complement +The %{name}-client package provides some SMB/CIFS clients to complement the built-in SMB/CIFS filesystem in Linux. These clients allow access of SMB/CIFS shares and printing to SMB/CIFS printers. @@ -265,7 +273,6 @@ of SMB/CIFS shares and printing to SMB/CIFS printers. Summary: Samba client libraries Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} -Requires: %{name}-common = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} %endif @@ -281,7 +288,6 @@ Group: Applications/System BuildArch: noarch Requires(post): systemd -Requires: samba-common-tools = %{samba_depver} Provides: samba4-common = %{samba_depver} Obsoletes: samba4-common < %{samba_depver} @@ -295,7 +301,6 @@ packages of Samba. Summary: Libraries used by both Samba servers and clients Group: Applications/System Requires(pre): samba-common = %{samba_depver} -Requires: samba-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} @@ -324,9 +329,15 @@ SMB/CIFS clients. %package dc Summary: Samba AD Domain Controller Group: Applications/System +Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} Requires: %{name}-python = %{samba_depver} +Requires: %{name}-winbind = %{samba_depver} +%if %{with_dc} +# samba-tool requirements +Requires: python-crypto +%endif Provides: samba4-dc = %{samba_depver} Obsoletes: samba4-dc < %{samba_depver} 
@@ -345,7 +356,7 @@ Provides: samba4-dc-libs = %{samba_depver} Obsoletes: samba4-dc-libs < %{samba_depver} %description dc-libs -The samba4-dc-libs package contains the libraries needed by the DC to +The %{name}-dc-libs package contains the libraries needed by the DC to link against the SMB, RPC and other protocols. ### DEVEL @@ -359,7 +370,7 @@ Provides: samba4-devel = %{samba_depver} Obsoletes: samba4-devel < %{samba_depver} %description devel -The samba4-devel package contains the header files for the libraries +The %{name}-devel package contains the header files for the libraries needed to develop programs that link against the SMB, RPC and other libraries in the Samba suite. @@ -387,18 +398,32 @@ Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} -Obsoletes: samba-glusterfs -Provides: samba-glusterfs +Obsoletes: samba-glusterfs < %{samba_depver} +Provides: samba-glusterfs = %{samba_depver} %description vfs-glusterfs Samba VFS module for GlusterFS integration. %endif +### KRB5-PRINTING +%package krb5-printing +Summary: Samba CUPS backend for printing with Kerberos +Group: Applications/System +Requires(pre): %{name}-client + +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives + +%description krb5-printing +If you need Kerberos for print jobs to a printer connection to cups via the SMB +backend, then you need to install that package. It will allow cups to access +the Kerberos credentials cache of the user issuing the print job. + ### LIBS %package libs Summary: Samba libraries Group: Applications/System -Requires: krb5-libs >= 1.10 +Requires: krb5-libs >= 1.14 Requires: %{name}-client-libs = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} 
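Review bot: The new krb5-printing subpackage declares `Requires(pre): %{name}-client` without the `= %{samba_depver}` pin that every other intra-suite dependency in this file carries; because both packages register the same `cups_backend_smb` alternative on the same ghost path, a mixed-version pair would be accepted by rpm without complaint. Suggest `Requires(pre): %{name}-client = %{samba_depver}`. In the description, `then you need to install that package` reads better as `then you need to install this package`.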
@@ -408,8 +433,8 @@ Provides: samba4-libs = %{samba_depver} Obsoletes: samba4-libs < %{samba_depver} %description libs -The samba4-libs package contains the libraries needed by programs that -link against the SMB, RPC and other protocols provided by the Samba suite. +The %{name}-libs package contains the libraries needed by programs that link +against the SMB, RPC and other protocols provided by the Samba suite. ### LIBSMBCLIENT %if %with_libsmbclient @@ -417,7 +442,6 @@ link against the SMB, RPC and other protocols provided by the Samba suite. Summary: The SMB client library Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} -Requires: %{name}-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %description -n libsmbclient @@ -429,8 +453,9 @@ Group: Development/Libraries Requires: libsmbclient = %{samba_depver} %description -n libsmbclient-devel -The libsmbclient-devel package contains the header files and libraries needed to -develop programs that link against the SMB client library in the Samba suite. +The libsmbclient-devel package contains the header files and libraries needed +to develop programs that link against the SMB client library in the Samba +suite. %endif # with_libsmbclient ### LIBWBCLIENT 
@@ -441,17 +466,20 @@ Group: Applications/System Requires: %{name}-client-libs = %{samba_depver} %description -n libwbclient -The libwbclient package contains the winbind client library from the Samba suite. +The libwbclient package contains the winbind client library from the Samba +suite. %package -n libwbclient-devel Summary: Developer tools for the winbind library Group: Development/Libraries Requires: libwbclient = %{samba_depver} -Obsoletes: samba-winbind-devel -Provides: samba-winbind-devel + +Provides: samba-winbind-devel = %{samba_depver} +Obsoletes: samba-winbind-devel < %{samba_depver} %description -n libwbclient-devel -The libwbclient-devel package provides developer tools for the wbclient library. +The libwbclient-devel package provides developer tools for the wbclient +library. %endif # with_libwbclient ### PYTHON @@ -470,7 +498,7 @@ Provides: samba4-python = %{samba_depver} Obsoletes: samba4-python < %{samba_depver} %description python -The samba4-python package contains the Python libraries needed by programs +The %{name}-python package contains the Python libraries needed by programs that use SMB, RPC and other Samba provided protocols in Python programs. ### PIDL 
@@ -519,31 +547,22 @@ packages of Samba. ### TEST-LIBS %package test-libs -Summary: Libraries need by teh testing tools for Samba servers and clients +Summary: Libraries need by the testing tools for Samba servers and clients Group: Applications/System Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} +Provides: %{name}-test-devel = %{samba_depver} +Obsoletes: %{name}-test-devel < %{samba_depver} + %description test-libs %{name}-test-libs provides libraries required by the testing tools. -### TEST-DEVEL -%package test-devel -Summary: Testing devel files for Samba servers and clients -Group: Applications/System -Requires: %{name}-libs = %{samba_depver} -Requires: %{name}-test-libs = %{samba_depver} - -%description test-devel -samba-test-devel provides testing devel files for both the server and client -packages of Samba. - ### WINBIND %package winbind Summary: Samba winbind Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} -Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} @@ -554,9 +573,9 @@ Provides: samba4-winbind = %{samba_depver} Obsoletes: samba4-winbind < %{samba_depver} %description winbind -The samba-winbind package provides the winbind NSS library, and some -client tools. Winbind enables Linux to be a full member in Windows -domains and to use Windows user and group accounts on Linux. +The samba-winbind package provides the winbind NSS library, and some client +tools. Winbind enables Linux to be a full member in Windows domains and to use +Windows user and group accounts on Linux. ### WINBIND-CLIENTS %package winbind-clients 
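Review bot: The test-libs Summary still reads `Libraries need by the testing tools for Samba servers and clients` after the `teh` fix; it should be `Summary: Libraries needed by the testing tools for Samba servers and clients`. Separately, test-libs now carries `Provides: %{name}-test-devel = %{samba_depver}`, yet the files the removed test-devel subpackage shipped (`torture.h`, `libtorture.so`, `torture.pc`) are not listed under test-libs anywhere in this diff; if those files are gone for good, an `Obsoletes:` without the matching `Provides:` describes the situation more honestly to depending packages. The ctdb-tests/ctdb-devel pair in the following hunk group has the same shape.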
@@ -617,8 +636,8 @@ Requires: libwbclient = %{samba_depver} Requires: pam %description winbind-modules -The samba-winbind-modules package provides the NSS library and a PAM -module necessary to communicate to the Winbind Daemon +The samba-winbind-modules package provides the NSS library and a PAM module +necessary to communicate to the Winbind Daemon ### CTDB %if %with_clustering_support @@ -656,21 +675,6 @@ projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead. -### CTDB-DEVEL -%package -n ctdb-devel -Summary: CTDB clustered database development package -Group: Development/Libraries - -Requires: ctdb = %{samba_depver} -Provides: ctdb-static = %{samba_depver} - -%description -n ctdb-devel -Libraries, include files, etc you can use to develop CTDB applications. -CTDB is a cluster implementation of the TDB database used by Samba and other -projects to store temporary data. If an application is already using TDB for -temporary data it is very easy to convert that application to be cluster aware -and use CTDB instead. - ### CTDB-TEST %package -n ctdb-tests Summary: CTDB clustered database test suite @@ -681,6 +685,9 @@ Requires: samba-client-libs = %{samba_depver} Requires: ctdb = %{samba_depver} Requires: nc +Provides: ctdb-devel = %{samba_depver} +Obsoletes: ctdb-devel < %{samba_depver} + %description -n ctdb-tests Test suite for CTDB. CTDB is a cluster implementation of the TDB database used by Samba and other 
@@ -694,25 +701,22 @@ and use CTDB instead. %prep %setup -q -n samba-%{version}%{pre_release} -%patch1 -p1 -b .samba-4.2.10-ldap-sasl-win2003.patch -%patch3 -p1 -b .samba-4.2.3-document_netbios_length.patch -%patch4 -p1 -b .samba-4.2.3-fix_net_ads_keytab_segfault.patch -%patch5 -p1 -b .samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch -%patch6 -p1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch -%patch7 -p1 -b .samba-4.2.10-badlock-bugfixes.patch -%patch8 -p1 -b .samba-4.2.10-fix_rpcclient_ipc_signing.patch -%patch9 -p1 -b .samba-4.2.10-fix_ntlm_auth_issues.patch -%patch10 -p1 -b .samba-4.2.10-fix_msrpc_parse.patch -%patch11 -p1 -b .samba-4.2.10-fix_anon_with_singing_mandatory.patch -%patch12 -p1 -b .samba-4.2.99-fix_idmap_hash_with_other_modules.path -%patch13 -p1 -b .samba-4.2.99-net_ads_join_fix_keytab_generation.patch -%patch14 -p1 -b .CVE-2016-2119-v4-2.patch +%patch0 -p1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch +%patch1 -p1 -b .samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch +%patch2 -p1 -b .samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch +%patch3 -p1 -b .samba-4.4.5-fix_winbind_cached_creds_memleak.patch +%patch4 -p1 -b .CVE-2016-2119-v4-4.patch +%patch5 -p1 -b .samba-4.4.7-fix-ctdb-test-install-dir.patch +%patch6 -p1 -b .samba-4.4.7-fix_ads_krb5_ccname_handling.patch +%patch7 -p1 -b .samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch +%patch8 -p1 -b .samba-4.4.7-fix_idmap_range_checks.patch +%patch9 -p1 -b .samba-4.4.7-fix_smget_auth_callback.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent %global _tdb_lib ,tdb,pytdb -%global _ldb_lib ,ldb,pyldb +%global _ldb_lib ,ldb,pyldb,pyldb-util %if ! %{with_internal_talloc} %global _talloc_lib ,!talloc,!pytalloc,!pytalloc-util 
@@ -727,7 +731,7 @@ and use CTDB instead. %endif %if ! %{with_internal_ldb} -%global _ldb_lib ,!ldb,!pyldb +%global _ldb_lib ,!ldb,!pyldb,!pyldb-util %endif %global _samba4_libraries heimdal,!zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} @@ -757,7 +761,8 @@ and use CTDB instead. --with-sockets-dir=/run/samba \ --with-modulesdir=%{_libdir}/samba \ --with-pammodulesdir=%{_libdir}/security \ - --with-lockdir=/var/lib/samba \ + --with-lockdir=/var/lib/samba/lock \ + --with-statedir=/var/lib/samba \ --with-cachedir=/var/lib/samba \ --disable-rpath-install \ --with-shared-modules=%{_samba4_modules} \ @@ -787,9 +792,6 @@ and use CTDB instead. %if %{with testsuite} --enable-selftest \ %endif -%if ! %with_pam_smbpass - --without-pam_smbpass \ -%endif --with-systemd make %{?_smp_mflags} @@ -801,15 +803,18 @@ make %{?_smp_mflags} install DESTDIR=%{buildroot} install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security install -d -m 0755 %{buildroot}/var/lib/samba +install -d -m 0755 %{buildroot}/var/lib/samba/drivers +install -d -m 0755 %{buildroot}/var/lib/samba/lock install -d -m 0755 %{buildroot}/var/lib/samba/private -install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol +install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/var/spool/samba install -d -m 0755 %{buildroot}/var/run/samba install -d -m 0755 %{buildroot}/var/run/winbindd install -d -m 0755 %{buildroot}/%{_libdir}/samba +install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig # Move libwbclient.so* into private directory, it cannot be just libdir/samba 
@@ -822,11 +827,15 @@ then exit -1 fi + +touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb + # Install other stuff install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba -install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf +install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/samba/smb.conf +install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf.example install -d -m 0755 %{buildroot}%{_sysconfdir}/security install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf @@ -842,10 +851,10 @@ install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/sch install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint -install -d -m 0755 %{buildroot}%{_prefix}/lib/tmpfiles.d/ -install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_prefix}/lib/tmpfiles.d/samba.conf +install -d -m 0755 %{buildroot}%{_tmpfilesdir} +install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf # create /run/samba too. -echo "d /run/samba 755 root root" >> %{buildroot}%{_prefix}/lib/tmpfiles.d/samba.conf +echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf %if %with_clustering_support echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif @@ -883,11 +892,11 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if ! %with_dc for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ - %{_mandir}/man8/samba.8 \ - %{_mandir}/man8/samba-tool.8 \ - %{_libdir}/samba/ldb/ildap.so \ - %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do + %{_libdir}/samba/libdnsserver-common-samba4.so \ + %{_mandir}/man8/samba.8 \ + %{_mandir}/man8/samba-tool.8 \ + %{_libdir}/samba/ldb/ildap.so \ + %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do rm -f %{buildroot}$i done %endif 
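Review bot: `touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb` assumes `%{_libexecdir}/samba` already exists in the buildroot; none of the `install -d` lines in the %install section create it, so the step silently depends on `make install` having placed smbspool_krb5_wrapper there first. A preceding `install -d -m 0755 %{buildroot}%{_libexecdir}/samba` removes that ordering dependency, and a short comment such as `# empty placeholder for the cups_backend_smb alternatives link (%ghost in %files client)` explains why an empty file is being created at all.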
@@ -915,7 +924,7 @@ TDB_NO_FSYNC=1 make %{?_smp_mflags} test %post common /sbin/ldconfig -/usr/bin/systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/samba.conf +/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/samba.conf if [ -d /var/cache/samba ]; then mv /var/cache/samba/netsamlogon_cache.tdb /var/lib/samba/ 2>/dev/null mv /var/cache/samba/winbindd_cache.tdb /var/lib/samba/ 2>/dev/null @@ -923,13 +932,39 @@ if [ -d /var/cache/samba ]; then ln -sf /var/cache/samba /var/lib/samba/ fi -%postun common -p /sbin/ldconfig +%post client +%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \ + cups_backend_smb \ + %{_bindir}/smbspool 10 + +%postun client +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool +fi + +%post client-libs -p /sbin/ldconfig + +%postun client-libs -p /sbin/ldconfig + +%post common-libs -p /sbin/ldconfig + +%postun common-libs -p /sbin/ldconfig %if %with_dc %post dc-libs -p /sbin/ldconfig %postun dc-libs -p /sbin/ldconfig -%endif # with_dc +%endif + +%post krb5-printing +%{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \ + cups_backend_smb \ + %{_libexecdir}/samba/smbspool_krb5_wrapper 50 + +%postun krb5-printing +if [ $1 -eq 0 ] ; then + %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper +fi %post libs -p /sbin/ldconfig @@ -939,7 +974,7 @@ fi %post -n libsmbclient -p /sbin/ldconfig %postun -n libsmbclient -p /sbin/ldconfig -%endif # with_libsmbclient +%endif %if %with_libwbclient %posttrans -n libwbclient @@ -1010,7 +1045,7 @@ fi %if %with_clustering_support %post -n ctdb -/usr/bin/systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/ctdb.conf +/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ctdb.conf %systemd_post ctdb.service %preun -n ctdb 
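Review bot: `%postun client` removes the alternative with the path `%{_libexecdir}/samba/smbspool`, but `%post client` registered it as `%{_bindir}/smbspool`; update-alternatives matches on the exact path, so on package removal the `cups_backend_smb` link is never cleaned up and is left pointing at a binary that no longer exists. The remove line should be `%{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool`, mirroring the krb5-printing pair, which uses the same wrapper path in both scriptlets. The `%post common` scriptlet also keeps a bare `/sbin/ldconfig` while its `%postun` counterpart is dropped here; if common is the noarch package shown earlier in this diff, the remaining call is dead as well.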
@@ -1044,7 +1079,6 @@ rm -rf %{buildroot} %{_libdir}/samba/vfs/acl_xattr.so %{_libdir}/samba/vfs/aio_fork.so %{_libdir}/samba/vfs/aio_linux.so -%{_libdir}/samba/vfs/aio_posix.so %{_libdir}/samba/vfs/aio_pthread.so %{_libdir}/samba/vfs/audit.so %{_libdir}/samba/vfs/btrfs.so @@ -1063,19 +1097,20 @@ rm -rf %{buildroot} %{_libdir}/samba/vfs/linux_xfs_sgid.so %{_libdir}/samba/vfs/media_harmony.so %{_libdir}/samba/vfs/netatalk.so +%{_libdir}/samba/vfs/offline.so %{_libdir}/samba/vfs/preopen.so %{_libdir}/samba/vfs/readahead.so %{_libdir}/samba/vfs/readonly.so %{_libdir}/samba/vfs/recycle.so -%{_libdir}/samba/vfs/scannedonly.so %{_libdir}/samba/vfs/shadow_copy.so %{_libdir}/samba/vfs/shadow_copy2.so -%{_libdir}/samba/vfs/smb_traffic_analyzer.so +%{_libdir}/samba/vfs/shell_snap.so %{_libdir}/samba/vfs/snapper.so %{_libdir}/samba/vfs/streams_depot.so %{_libdir}/samba/vfs/streams_xattr.so %{_libdir}/samba/vfs/syncops.so %{_libdir}/samba/vfs/time_audit.so +%{_libdir}/samba/vfs/unityed_media.so %{_libdir}/samba/vfs/worm.so %{_libdir}/samba/vfs/xattr_tdb.so @@ -1083,13 +1118,12 @@ rm -rf %{buildroot} %{_unitdir}/smb.service %attr(1777,root,root) %dir /var/spool/samba %dir %{_sysconfdir}/openldap/schema -%{_sysconfdir}/openldap/schema/samba.schema -%{_sysconfdir}/pam.d/samba +%config %{_sysconfdir}/openldap/schema/samba.schema +%config(noreplace) %{_sysconfdir}/pam.d/samba %{_mandir}/man1/smbstatus.1* %{_mandir}/man8/eventlogadm.8* %{_mandir}/man8/smbd.8* %{_mandir}/man8/nmbd.8* -#%{_mandir}/man8/vfs_*.8* %{_mandir}/man8/vfs_acl_tdb.8* %{_mandir}/man8/vfs_acl_xattr.8* %{_mandir}/man8/vfs_aio_fork.8* 
@@ -1113,22 +1147,22 @@ rm -rf %{buildroot} %{_mandir}/man8/vfs_linux_xfs_sgid.8* %{_mandir}/man8/vfs_media_harmony.8* %{_mandir}/man8/vfs_netatalk.8* -%{_mandir}/man8/vfs_notify_fam.8* +%{_mandir}/man8/vfs_offline.8* %{_mandir}/man8/vfs_prealloc.8* %{_mandir}/man8/vfs_preopen.8* %{_mandir}/man8/vfs_readahead.8* %{_mandir}/man8/vfs_readonly.8* %{_mandir}/man8/vfs_recycle.8* -%{_mandir}/man8/vfs_scannedonly.8* %{_mandir}/man8/vfs_shadow_copy.8* %{_mandir}/man8/vfs_shadow_copy2.8* -%{_mandir}/man8/vfs_smb_traffic_analyzer.8* +%{_mandir}/man8/vfs_shell_snap.8* %{_mandir}/man8/vfs_snapper.8* %{_mandir}/man8/vfs_streams_depot.8* %{_mandir}/man8/vfs_streams_xattr.8* %{_mandir}/man8/vfs_syncops.8* %{_mandir}/man8/vfs_time_audit.8* %{_mandir}/man8/vfs_tsmsm.8* +%{_mandir}/man8/vfs_unityed_media.8* %{_mandir}/man8/vfs_worm.8* %{_mandir}/man8/vfs_xattr_tdb.8* @@ -1140,6 +1174,9 @@ rm -rf %{buildroot} %exclude %{_mandir}/man8/vfs_ceph.8* %endif +%dir /var/lib/samba/drivers +%dir /var/lib/samba/lock + ### CLIENT %files client %defattr(-,root,root) @@ -1158,12 +1195,12 @@ rm -rf %{buildroot} %{_bindir}/smbclient %{_bindir}/smbcquotas %{_bindir}/smbget -#%{_bindir}/smbiconv %{_bindir}/smbprint %{_bindir}/smbspool -%{_bindir}/smbta-util %{_bindir}/smbtar %{_bindir}/smbtree +%dir %{_libexecdir}/samba +%ghost %{_libexecdir}/samba/cups_backend_smb %{_mandir}/man1/dbwrap_tool.1* %{_mandir}/man1/nmblookup.1* %{_mandir}/man1/oLschema2ldif.1* 
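Review bot: `%dir /var/lib/samba/lock` and `%dir /var/lib/samba/drivers` are added to the server package's file list, whereas the parent `/var/lib/samba` is owned by samba-common. With `--with-lockdir=/var/lib/samba/lock` from the %build hunk, the lock directory is presumably also used by client-side tools; on a host without the server package nothing would own it, so it either has to be created at runtime or the tools fail — worth confirming, and if client tools do need it, owning the lock dir from common keeps the packaged 0755 mode authoritative. A comment next to `%ghost %{_libexecdir}/samba/cups_backend_smb` such as `# alternatives target, created by %post client` would also tell a reader why a ghost file lives in the client package.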
@@ -1179,25 +1216,12 @@ rm -rf %{buildroot} %{_mandir}/man1/smbclient.1* %{_mandir}/man1/smbcquotas.1* %{_mandir}/man1/smbget.1* -%{_mandir}/man3/ntdb.3* %{_mandir}/man5/smbgetrc.5* %{_mandir}/man1/smbtar.1* %{_mandir}/man1/smbtree.1* -%{_mandir}/man8/ntdbbackup.8* -%{_mandir}/man8/ntdbdump.8* -%{_mandir}/man8/ntdbrestore.8* -%{_mandir}/man8/ntdbtool.8* +%{_mandir}/man8/cifsdd.8.* %{_mandir}/man8/samba-regedit.8* %{_mandir}/man8/smbspool.8* -%{_mandir}/man8/smbta-util.8* - -## we don't build it for now -%if %{with_internal_ntdb} -%{_bindir}/ntdbbackup -%{_bindir}/ntdbdump -%{_bindir}/ntdbrestore -%{_bindir}/ntdbtool -%endif %if %{with_internal_tdb} %{_bindir}/tdbbackup @@ -1217,8 +1241,7 @@ rm -rf %{buildroot} %{_bindir}/ldbmodify %{_bindir}/ldbrename %{_bindir}/ldbsearch -%{_libdir}/samba/libldb-cmdline.so -%dir %{_libdir}/samba/ldb +%{_libdir}/samba/libldb-cmdline-samba4.so %{_libdir}/samba/ldb/asq.so %{_libdir}/samba/ldb/paged_results.so %{_libdir}/samba/ldb/paged_searches.so @@ -1239,22 +1262,21 @@ rm -rf %{buildroot} %files client-libs %defattr(-,root,root) %{_libdir}/libdcerpc-binding.so.* -%{_libdir}/libgensec.so.* %{_libdir}/libndr.so.* %{_libdir}/libndr-krb5pac.so.* %{_libdir}/libndr-nbt.so.* %{_libdir}/libndr-standard.so.* %{_libdir}/libnetapi.so.* %{_libdir}/libsamba-credentials.so.* +%{_libdir}/libsamba-errors.so.* %{_libdir}/libsamba-passdb.so.* %{_libdir}/libsamba-util.so.* %{_libdir}/libsamba-hostconfig.so.* %{_libdir}/libsamdb.so.* %{_libdir}/libsmbconf.so.* -%{_libdir}/libsmbclient-raw.so.* %{_libdir}/libsmbldap.so.* +%{_libdir}/libtevent-unix-util.so.* %{_libdir}/libtevent-util.so.* -%{_libdir}/libregistry.so.* %{_libdir}/libdcerpc.so.* %dir %{_libdir}/samba 
@@ -1265,7 +1287,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libauth-sam-reply-samba4.so %{_libdir}/samba/libauth-samba4.so %{_libdir}/samba/libauthkrb5-samba4.so -%{_libdir}/samba/libccan-samba4.so %{_libdir}/samba/libcli-cldap-samba4.so %{_libdir}/samba/libcli-ldap-common-samba4.so %{_libdir}/samba/libcli-ldap-samba4.so @@ -1276,18 +1297,23 @@ rm -rf %{buildroot} %{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libdbwrap-samba4.so %{_libdir}/samba/libdcerpc-samba-samba4.so -%{_libdir}/samba/liberrors-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so +%{_libdir}/samba/libgenrand-samba4.so +%{_libdir}/samba/libgensec-samba4.so %{_libdir}/samba/libgpo-samba4.so %{_libdir}/samba/libgse-samba4.so %{_libdir}/samba/libhttp-samba4.so %{_libdir}/samba/libinterfaces-samba4.so +%{_libdir}/samba/libiov-buf-samba4.so %{_libdir}/samba/libkrb5samba-samba4.so %{_libdir}/samba/libldbsamba-samba4.so %{_libdir}/samba/liblibcli-lsa3-samba4.so %{_libdir}/samba/liblibcli-netlogon3-samba4.so %{_libdir}/samba/liblibsmb-samba4.so +%{_libdir}/samba/libmessages-dgm-samba4.so +%{_libdir}/samba/libmessages-util-samba4.so +%{_libdir}/samba/libmsghdr-samba4.so %{_libdir}/samba/libmsrpc3-samba4.so %{_libdir}/samba/libndr-samba-samba4.so %{_libdir}/samba/libndr-samba4.so @@ -1296,6 +1322,7 @@ rm -rf %{buildroot} %{_libdir}/samba/libnpa-tstream-samba4.so %{_libdir}/samba/libprinting-migrate-samba4.so %{_libdir}/samba/libreplace-samba4.so +%{_libdir}/samba/libregistry-samba4.so %{_libdir}/samba/libsamba-cluster-support-samba4.so %{_libdir}/samba/libsamba-debug-samba4.so %{_libdir}/samba/libsamba-modules-samba4.so 
@@ -1304,18 +1331,23 @@ rm -rf %{buildroot} %{_libdir}/samba/libsamba3-util-samba4.so %{_libdir}/samba/libsamdb-common-samba4.so %{_libdir}/samba/libsecrets3-samba4.so +%{_libdir}/samba/libserver-id-db-samba4.so %{_libdir}/samba/libserver-role-samba4.so %{_libdir}/samba/libsmb-transport-samba4.so +%{_libdir}/samba/libsmbclient-raw-samba4.so %{_libdir}/samba/libsmbd-base-samba4.so %{_libdir}/samba/libsmbd-conn-samba4.so %{_libdir}/samba/libsmbd-shim-samba4.so %{_libdir}/samba/libsmbldaphelper-samba4.so %{_libdir}/samba/libsmbregistry-samba4.so +%{_libdir}/samba/libsys-rw-samba4.so %{_libdir}/samba/libsocket-blocking-samba4.so +%{_libdir}/samba/libtalloc-report-samba4.so %{_libdir}/samba/libtdb-wrap-samba4.so +%{_libdir}/samba/libtime-basic-samba4.so +%{_libdir}/samba/libtorture-samba4.so %{_libdir}/samba/libtrusts-util-samba4.so %{_libdir}/samba/libutil-cmdline-samba4.so -%{_libdir}/samba/libutil-ntdb-samba4.so %{_libdir}/samba/libutil-reg-samba4.so %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so @@ -1330,11 +1362,6 @@ rm -rf %{buildroot} %{_mandir}/man7/libsmbclient.7* %endif # ! with_libsmbclient -%if %{with_internal_ntdb} -%{_libdir}/samba/libntdb.so.1 -%{_libdir}/samba/libntdb.so.%{ntdb_version} -%endif - %if %{with_internal_talloc} %{_libdir}/samba/libtalloc.so.2 %{_libdir}/samba/libtalloc.so.%{talloc_version} 
@@ -1356,24 +1383,26 @@ rm -rf %{buildroot} %if %{with_internal_ldb} %{_libdir}/samba/libldb.so.1 %{_libdir}/samba/libldb.so.%{ldb_version} +%{_libdir}/samba/libpyldb-util.so.1 +%{_libdir}/samba/libpyldb-util.so.%{ldb_version} %{_mandir}/man3/ldb.3.gz %endif ### COMMON %files common %defattr(-,root,root) -%{_prefix}/lib/tmpfiles.d/samba.conf -%{_datadir}/samba/codepages +%{_tmpfilesdir}/samba.conf %dir %{_sysconfdir}/logrotate.d/ %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba %attr(0700,root,root) %dir /var/log/samba/old -%attr(0755,root,root) %dir /var/lib/samba %ghost %dir /var/run/samba %ghost %dir /var/run/winbindd +%dir /var/lib/samba %attr(700,root,root) %dir /var/lib/samba/private %attr(755,root,root) %dir %{_sysconfdir}/samba %config(noreplace) %{_sysconfdir}/samba/smb.conf +%{_sysconfdir}/samba/smb.conf.example %config(noreplace) %{_sysconfdir}/samba/lmhosts %config(noreplace) %{_sysconfdir}/sysconfig/samba %{_mandir}/man5/lmhosts.5* @@ -1387,16 +1416,16 @@ rm -rf %{buildroot} # common libraries %{_libdir}/samba/libpopt-samba3-samba4.so +# We need this directory here because the net tool is looking +# for it. +%dir %{_libdir}/samba/ldb + %dir %{_libdir}/samba/pdb %{_libdir}/samba/pdb/ldapsam.so %{_libdir}/samba/pdb/smbpasswd.so %{_libdir}/samba/pdb/tdbsam.so %{_libdir}/samba/pdb/wbc_sam.so -%if %with_pam_smbpass -%{_libdir}/security/pam_smbpass.so -%endif - %files common-tools %defattr(-,root,root) %{_bindir}/net @@ -1423,7 +1452,6 @@ rm -rf %{buildroot} %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_spnupdate %{_sbindir}/samba_upgradedns -%{_libdir}/mit_samba.so %{_libdir}/samba/auth/samba4.so %{_libdir}/samba/bind9/dlz_bind9.so %{_libdir}/samba/bind9/dlz_bind9_10.so 
@@ -1439,6 +1467,7 @@ rm -rf %{buildroot} %{_libdir}/samba/ldb/anr.so %{_libdir}/samba/ldb/descriptor.so %{_libdir}/samba/ldb/dirsync.so +%{_libdir}/samba/ldb/dns_notify.so %{_libdir}/samba/ldb/extended_dn_in.so %{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_store.so @@ -1472,6 +1501,7 @@ rm -rf %{buildroot} %{_libdir}/samba/ldb/simple_ldap_map.so %{_libdir}/samba/ldb/subtree_delete.so %{_libdir}/samba/ldb/subtree_rename.so +%{_libdir}/samba/ldb/tombstone_reanimate.so %{_libdir}/samba/ldb/update_keytab.so %{_libdir}/samba/ldb/wins_ldb.so %{_libdir}/samba/vfs/posix_eadb.so @@ -1490,8 +1520,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so %dir %{_libdir}/samba/process_model -%{_libdir}/samba/process_model/onefork.so -%{_libdir}/samba/process_model/prefork.so %{_libdir}/samba/process_model/standard.so %dir %{_libdir}/samba/service %{_libdir}/samba/service/cldap.so @@ -1505,9 +1533,7 @@ rm -rf %{buildroot} %{_libdir}/samba/service/nbtd.so %{_libdir}/samba/service/ntp_signd.so %{_libdir}/samba/service/s3fs.so -%{_libdir}/samba/service/smb.so %{_libdir}/samba/service/web.so -%{_libdir}/samba/service/winbind.so %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so %{_libdir}/libdcerpc-server.so.* @@ -1532,15 +1558,12 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/core/werror.h %{_includedir}/samba-4.0/credentials.h %{_includedir}/samba-4.0/dcerpc.h -%{_includedir}/samba-4.0/dlinklist.h %{_includedir}/samba-4.0/domain_credentials.h %{_includedir}/samba-4.0/gen_ndr/atsvc.h %{_includedir}/samba-4.0/gen_ndr/auth.h %{_includedir}/samba-4.0/gen_ndr/dcerpc.h -%{_includedir}/samba-4.0/gen_ndr/epmapper.h %{_includedir}/samba-4.0/gen_ndr/krb5pac.h %{_includedir}/samba-4.0/gen_ndr/lsa.h -%{_includedir}/samba-4.0/gen_ndr/mgmt.h %{_includedir}/samba-4.0/gen_ndr/misc.h %{_includedir}/samba-4.0/gen_ndr/nbt.h %{_includedir}/samba-4.0/gen_ndr/drsblobs.h 
@@ -1548,13 +1571,8 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/gen_ndr/ndr_drsblobs.h %{_includedir}/samba-4.0/gen_ndr/ndr_drsuapi.h %{_includedir}/samba-4.0/gen_ndr/ndr_atsvc.h -%{_includedir}/samba-4.0/gen_ndr/ndr_atsvc_c.h %{_includedir}/samba-4.0/gen_ndr/ndr_dcerpc.h -%{_includedir}/samba-4.0/gen_ndr/ndr_epmapper.h -%{_includedir}/samba-4.0/gen_ndr/ndr_epmapper_c.h %{_includedir}/samba-4.0/gen_ndr/ndr_krb5pac.h -%{_includedir}/samba-4.0/gen_ndr/ndr_mgmt.h -%{_includedir}/samba-4.0/gen_ndr/ndr_mgmt_c.h %{_includedir}/samba-4.0/gen_ndr/ndr_misc.h %{_includedir}/samba-4.0/gen_ndr/ndr_nbt.h %{_includedir}/samba-4.0/gen_ndr/ndr_samr.h @@ -1566,11 +1584,6 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/gen_ndr/security.h %{_includedir}/samba-4.0/gen_ndr/server_id.h %{_includedir}/samba-4.0/gen_ndr/svcctl.h -%{_includedir}/samba-4.0/gensec.h -%{_includedir}/samba-4.0/ldap-util.h -%{_includedir}/samba-4.0/ldap_errors.h -%{_includedir}/samba-4.0/ldap_message.h -%{_includedir}/samba-4.0/ldap_ndr.h %{_includedir}/samba-4.0/ldb_wrap.h %{_includedir}/samba-4.0/lookup_sid.h %{_includedir}/samba-4.0/machine_sid.h 
@@ -1585,41 +1598,17 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/param.h %{_includedir}/samba-4.0/passdb.h %{_includedir}/samba-4.0/policy.h -%{_includedir}/samba-4.0/read_smb.h -%{_includedir}/samba-4.0/registry.h -%{_includedir}/samba-4.0/roles.h %{_includedir}/samba-4.0/rpc_common.h %{_includedir}/samba-4.0/samba/session.h %{_includedir}/samba-4.0/samba/version.h %{_includedir}/samba-4.0/share.h -%{_includedir}/samba-4.0/smb2.h -%{_includedir}/samba-4.0/smb2_constants.h -%{_includedir}/samba-4.0/smb2_create_blob.h -%{_includedir}/samba-4.0/smb2_lease.h %{_includedir}/samba-4.0/smb2_lease_struct.h -%{_includedir}/samba-4.0/smb2_signing.h -%{_includedir}/samba-4.0/smb_cli.h -%{_includedir}/samba-4.0/smb_cliraw.h -%{_includedir}/samba-4.0/smb_common.h -%{_includedir}/samba-4.0/smb_composite.h %{_includedir}/samba-4.0/smbconf.h -%{_includedir}/samba-4.0/smb_constants.h %{_includedir}/samba-4.0/smb_ldap.h %{_includedir}/samba-4.0/smbldap.h -%{_includedir}/samba-4.0/smb_raw.h -%{_includedir}/samba-4.0/smb_raw_interfaces.h -%{_includedir}/samba-4.0/smb_raw_signing.h -%{_includedir}/samba-4.0/smb_raw_trans2.h -%{_includedir}/samba-4.0/smb_request.h -%{_includedir}/samba-4.0/smb_seal.h -%{_includedir}/samba-4.0/smb_signing.h -%{_includedir}/samba-4.0/smb_unix_ext.h -%{_includedir}/samba-4.0/smb_util.h %{_includedir}/samba-4.0/tdr.h %{_includedir}/samba-4.0/tsocket.h %{_includedir}/samba-4.0/tsocket_internal.h -%{_includedir}/samba-4.0/tstream_smbXcli_np.h -%{_includedir}/samba-4.0/samba_util.h %dir %{_includedir}/samba-4.0/util %{_includedir}/samba-4.0/util/attr.h %{_includedir}/samba-4.0/util/blocking.h @@ -1627,6 +1616,7 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/util/data_blob.h %{_includedir}/samba-4.0/util/debug.h %{_includedir}/samba-4.0/util/fault.h +%{_includedir}/samba-4.0/util/genrand.h %{_includedir}/samba-4.0/util/idtree.h %{_includedir}/samba-4.0/util/idtree_random.h %{_includedir}/samba-4.0/util/memory.h 
@@ -1641,41 +1631,35 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/util/time.h %{_includedir}/samba-4.0/util/xfile.h %{_includedir}/samba-4.0/util_ldb.h -%{_libdir}/libdcerpc-atsvc.so %{_libdir}/libdcerpc-binding.so %{_libdir}/libdcerpc-samr.so %{_libdir}/libdcerpc.so -%{_libdir}/libgensec.so %{_libdir}/libndr-krb5pac.so %{_libdir}/libndr-nbt.so %{_libdir}/libndr-standard.so %{_libdir}/libndr.so %{_libdir}/libnetapi.so -%{_libdir}/libregistry.so %{_libdir}/libsamba-credentials.so +%{_libdir}/libsamba-errors.so %{_libdir}/libsamba-hostconfig.so %{_libdir}/libsamba-policy.so %{_libdir}/libsamba-util.so %{_libdir}/libsamdb.so -%{_libdir}/libsmbclient-raw.so %{_libdir}/libsmbconf.so +%{_libdir}/libtevent-unix-util.so %{_libdir}/libtevent-util.so %{_libdir}/pkgconfig/dcerpc.pc -%{_libdir}/pkgconfig/dcerpc_atsvc.pc %{_libdir}/pkgconfig/dcerpc_samr.pc -%{_libdir}/pkgconfig/gensec.pc %{_libdir}/pkgconfig/ndr.pc %{_libdir}/pkgconfig/ndr_krb5pac.pc %{_libdir}/pkgconfig/ndr_nbt.pc %{_libdir}/pkgconfig/ndr_standard.pc %{_libdir}/pkgconfig/netapi.pc -%{_libdir}/pkgconfig/registry.pc %{_libdir}/pkgconfig/samba-credentials.pc %{_libdir}/pkgconfig/samba-hostconfig.pc %{_libdir}/pkgconfig/samba-policy.pc %{_libdir}/pkgconfig/samba-util.pc %{_libdir}/pkgconfig/samdb.pc -%{_libdir}/pkgconfig/smbclient-raw.pc %{_libdir}/libsamba-passdb.so %{_libdir}/libsmbldap.so @@ -1685,10 +1669,6 @@ rm -rf %{buildroot} %{_libdir}/pkgconfig/dcerpc_server.pc %endif -%if %with_internal_talloc -%{_includedir}/samba-4.0/pytalloc.h -%endif - %if ! %with_libsmbclient %{_includedir}/samba-4.0/libsmbclient.h %endif # ! with_libsmbclient 
@@ -1711,10 +1691,15 @@ rm -rf %{buildroot} %{_mandir}/man8/vfs_glusterfs.8* %endif +### KRB5-PRINTING +%files krb5-printing +%defattr(-,root,root) +%attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper +%{_mandir}/man8/smbspool_krb5_wrapper.8* + ### LIBS %files libs %defattr(-,root,root) -%{_libdir}/libdcerpc-atsvc.so.* %{_libdir}/libdcerpc-samr.so.* %{_libdir}/libsamba-policy.so.* @@ -1730,7 +1715,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libsamba-python-samba4.so %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so -%{_libdir}/samba/libtdb-compat-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so %if %with_dc @@ -1738,6 +1722,8 @@ rm -rf %{buildroot} %{_libdir}/samba/libHDB-SAMBA4-samba4.so %{_libdir}/samba/libasn1-samba4.so.8 %{_libdir}/samba/libasn1-samba4.so.8.0.0 +%{_libdir}/samba/libcom_err-samba4.so.0 +%{_libdir}/samba/libcom_err-samba4.so.0.25 %{_libdir}/samba/libgssapi-samba4.so.2 %{_libdir}/samba/libgssapi-samba4.so.2.0.0 %{_libdir}/samba/libhcrypto-samba4.so.5 @@ -1855,25 +1841,15 @@ rm -rf %{buildroot} ### TEST-LIBS %files test-libs %defattr(-,root,root) -%{_libdir}/libtorture.so.* -%{_libdir}/samba/libsubunit-samba4.so %if %with_dc %{_libdir}/samba/libdlz-bind9-for-torture-samba4.so %else %{_libdir}/samba/libdsdb-module-samba4.so %endif -### TEST-DEVEL -%files test-devel -%defattr(-,root,root) -%{_includedir}/samba-4.0/torture.h -%{_libdir}/libtorture.so -%{_libdir}/pkgconfig/torture.pc - ### WINBIND %files winbind %defattr(-,root,root) -#%{_bindir}/wbinfo3 %{_libdir}/samba/idmap %{_libdir}/samba/nss_info %{_libdir}/samba/libnss-info-samba4.so 
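Review bot: `%attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper` deserves a why-comment, because 0700 on a CUPS backend is not a typo but the mechanism that makes CUPS execute it as root (backends without world execute permission are run as root, per the CUPS backend(7) convention as I recall it), which the wrapper needs in order to switch to the printing user's credential cache as the package description states. Suggest `# 0700: CUPS runs root-only backends as root; the wrapper then drops to the job owner to read their krb5 ccache` above the line. Keeping that invariant visible matters because a later "fix" to 0755 would likely make CUPS run it unprivileged and silently break Kerberos printing.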
@@ -1915,40 +1891,68 @@ rm -rf %{buildroot}
 %defattr(-,root,root)
 %doc ctdb/README
 %config(noreplace) %{_sysconfdir}/sysconfig/ctdb
-%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
-%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
-%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
-%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
-%config(noreplace) %{_sysconfdir}/ctdb/functions
-%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
+%{_sysconfdir}/ctdb/notify.sh
+%{_sysconfdir}/ctdb/debug-hung-script.sh
+%{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
+%{_sysconfdir}/ctdb/gcore_trace.sh
+%{_sysconfdir}/ctdb/functions
+%{_sysconfdir}/ctdb/debug_locks.sh
 %dir %{_localstatedir}/lib/ctdb/
-%{_tmpfilesdir}/%{name}.conf
 %{_unitdir}/ctdb.service
 %dir %{_sysconfdir}/ctdb
 %{_sysconfdir}/ctdb/statd-callout
-%dir %{_sysconfdir}/ctdb/nfs-rpc-checks.d
-%{_sysconfdir}/ctdb/nfs-rpc-checks.d/10.statd.check
-%{_sysconfdir}/ctdb/nfs-rpc-checks.d/20.nfsd.check
-%{_sysconfdir}/ctdb/nfs-rpc-checks.d/30.lockd.check
-%{_sysconfdir}/ctdb/nfs-rpc-checks.d/40.mountd.check
-%{_sysconfdir}/ctdb/nfs-rpc-checks.d/50.rquotad.check
-%{_sysconfdir}/sudoers.d/ctdb
-%{_sysconfdir}/ctdb/events.d/
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/nfs-checks.d
+%{_sysconfdir}/ctdb/nfs-checks.d/00.portmapper.check
+%{_sysconfdir}/ctdb/nfs-checks.d/10.status.check
+%{_sysconfdir}/ctdb/nfs-checks.d/20.nfs.check
+%{_sysconfdir}/ctdb/nfs-checks.d/30.nlockmgr.check
+%{_sysconfdir}/ctdb/nfs-checks.d/40.mountd.check
+%{_sysconfdir}/ctdb/nfs-checks.d/50.rquotad.check
+%{_sysconfdir}/ctdb/nfs-checks.d/README
+%{_sysconfdir}/ctdb/nfs-linux-kernel-callout
+%config %{_sysconfdir}/sudoers.d/ctdb
+# CTDB scripts, no config files
+# script with executable bit means activated
+%dir %{_sysconfdir}/ctdb/events.d
+%{_sysconfdir}/ctdb/events.d/00.ctdb
+%{_sysconfdir}/ctdb/events.d/01.reclock
+%{_sysconfdir}/ctdb/events.d/05.system
+%{_sysconfdir}/ctdb/events.d/10.external
+%{_sysconfdir}/ctdb/events.d/10.interface
+%{_sysconfdir}/ctdb/events.d/11.natgw
+%{_sysconfdir}/ctdb/events.d/11.routing
+%{_sysconfdir}/ctdb/events.d/13.per_ip_routing
+%{_sysconfdir}/ctdb/events.d/20.multipathd
+%{_sysconfdir}/ctdb/events.d/31.clamd
+%{_sysconfdir}/ctdb/events.d/40.vsftpd
+%{_sysconfdir}/ctdb/events.d/41.httpd
+%{_sysconfdir}/ctdb/events.d/49.winbind
+%{_sysconfdir}/ctdb/events.d/50.samba
+%{_sysconfdir}/ctdb/events.d/60.nfs
+%{_sysconfdir}/ctdb/events.d/70.iscsi
+%{_sysconfdir}/ctdb/events.d/91.lvs
+%{_sysconfdir}/ctdb/events.d/99.timeout
+%{_sysconfdir}/ctdb/events.d/README
 %dir %{_sysconfdir}/ctdb/notify.d
 %{_sysconfdir}/ctdb/notify.d/README
-%{_prefix}/lib/tmpfiles.d/ctdb.conf
+%{_tmpfilesdir}/ctdb.conf
 %{_sbindir}/ctdbd
 %{_sbindir}/ctdbd_wrapper
 %{_bindir}/ctdb
-%{_bindir}/smnotify
 %{_bindir}/ping_pong
 %{_bindir}/ltdbtool
 %{_bindir}/ctdb_diagnostics
 %{_bindir}/onnode
-%{_bindir}/ctdb_lock_helper
-%{_bindir}/ctdb_event_helper
+%dir %{_libexecdir}/ctdb
+%{_libexecdir}/ctdb/ctdb_natgw
+%{_libexecdir}/ctdb/ctdb_recovery_helper
+%{_libexecdir}/ctdb/smnotify
+%{_libexecdir}/ctdb/ctdb_lock_helper
+%{_libexecdir}/ctdb/ctdb_event_helper
 %{_mandir}/man1/ctdb.1.gz
 %{_mandir}/man1/ctdbd.1.gz
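Review bot: `%config %{_sysconfdir}/sudoers.d/ctdb` pins neither owner nor mode, so whether sudo honours this privilege rule depends entirely on whatever mode the install step happened to produce; sudo skips sudoers.d fragments that are world-writable or not owned by root, and the conventional mode is 0440. I would make the package declare what the rule relies on, `%attr(0440,root,root) %config %{_sysconfdir}/sudoers.d/ctdb`, rather than inherit it from the build. Dropping `(noreplace)` also means an upgrade overwrites a locally edited fragment (rpm keeps an .rpmsave copy), which is defensible for a vendor-shipped rule but deserves a one-line comment like the ones added above the nfs-checks.d and events.d lists. The `%files` header of this ctdb section lies before the hunk, so the section's `%defattr` scope is only partly visible here.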
@@ -1961,103 +1965,163 @@ rm -rf %{buildroot}
 %{_mandir}/man7/ctdb-tunables.7.gz
 %{_mandir}/man7/ctdb-statistics.7.gz
-%files -n ctdb-devel
-%defattr(-,root,root)
-%{_includedir}/samba-4.0/ctdb.h
-%{_includedir}/samba-4.0/ctdb_client.h
-%{_includedir}/samba-4.0/ctdb_protocol.h
-%{_includedir}/samba-4.0/ctdb_private.h
-%{_includedir}/samba-4.0/ctdb_typesafe_cb.h
-%{_includedir}/samba-4.0/ctdb_version.h
-%{_libdir}/pkgconfig/ctdb.pc
-
 %files -n ctdb-tests
 %defattr(-,root,root)
-%dir %{_libdir}/ctdb-tests
-%{_libdir}/ctdb-tests/ctdb_bench
-%{_libdir}/ctdb-tests/ctdb_fetch
-%{_libdir}/ctdb-tests/ctdb_fetch_one
-%{_libdir}/ctdb-tests/ctdb_fetch_readonly_loop
-%{_libdir}/ctdb-tests/ctdb_fetch_readonly_once
-%{_libdir}/ctdb-tests/ctdb_functest
-%{_libdir}/ctdb-tests/ctdb_lock_tdb
-%{_libdir}/ctdb-tests/ctdb_persistent
-%{_libdir}/ctdb-tests/ctdb_porting_tests
-%{_libdir}/ctdb-tests/ctdb_randrec
-%{_libdir}/ctdb-tests/ctdb_store
-%{_libdir}/ctdb-tests/ctdb_stubtest
-%{_libdir}/ctdb-tests/ctdb_takeover_tests
-%{_libdir}/ctdb-tests/ctdb_trackingdb_test
-%{_libdir}/ctdb-tests/ctdb_transaction
-%{_libdir}/ctdb-tests/ctdb_traverse
-%{_libdir}/ctdb-tests/ctdb_update_record
-%{_libdir}/ctdb-tests/ctdb_update_record_persistent
-%{_libdir}/ctdb-tests/rb_test
+%dir %{_libexecdir}/ctdb/tests
+%{_libexecdir}/ctdb/tests/comm_client_test
+%{_libexecdir}/ctdb/tests/comm_server_test
+%{_libexecdir}/ctdb/tests/comm_test
+%{_libexecdir}/ctdb/tests/ctdb_bench
+%{_libexecdir}/ctdb/tests/ctdb_fetch
+%{_libexecdir}/ctdb/tests/ctdb_fetch_one
+%{_libexecdir}/ctdb/tests/ctdb_fetch_readonly_loop
+%{_libexecdir}/ctdb/tests/ctdb_fetch_readonly_once
+%{_libexecdir}/ctdb/tests/ctdb_functest
+%{_libexecdir}/ctdb/tests/ctdb_lock_tdb
+%{_libexecdir}/ctdb/tests/ctdb_persistent
+%{_libexecdir}/ctdb/tests/ctdb_porting_tests
+%{_libexecdir}/ctdb/tests/ctdb_randrec
+%{_libexecdir}/ctdb/tests/ctdb_store
+%{_libexecdir}/ctdb/tests/ctdb_stubtest
+%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/ctdb_trackingdb_test +%{_libexecdir}/ctdb/tests/ctdb_transaction +%{_libexecdir}/ctdb/tests/ctdb_traverse +%{_libexecdir}/ctdb/tests/ctdb_update_record +%{_libexecdir}/ctdb/tests/ctdb_update_record_persistent +%{_libexecdir}/ctdb/tests/db_hash_test +%{_libexecdir}/ctdb/tests/pkt_read_test +%{_libexecdir}/ctdb/tests/pkt_write_test +%{_libexecdir}/ctdb/tests/protocol_client_test +%{_libexecdir}/ctdb/tests/protocol_types_test +%{_libexecdir}/ctdb/tests/rb_test +%{_libexecdir}/ctdb/tests/reqid_test +%{_libexecdir}/ctdb/tests/srvid_test %{_bindir}/ctdb_run_tests %{_bindir}/ctdb_run_cluster_tests -%dir %{_datadir}/ctdb-tests +%dir %{_datadir}/ctdb-tests/eventscripts %{_datadir}/ctdb-tests/eventscripts/etc-ctdb/events.d %{_datadir}/ctdb-tests/eventscripts/etc-ctdb/functions -%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/nfs-rpc-checks.d +%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/nfs-checks.d +%{_datadir}/ctdb-tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout %{_datadir}/ctdb-tests/eventscripts/etc-ctdb/statd-callout +%dir %{_datadir}/ctdb-tests/onnode +%{_datadir}/ctdb-tests/onnode/functions +%dir %{_datadir}/ctdb-tests/scripts %{_datadir}/ctdb-tests/scripts/common.sh %{_datadir}/ctdb-tests/scripts/integration.bash %{_datadir}/ctdb-tests/scripts/test_wrap %{_datadir}/ctdb-tests/scripts/unit.sh +%dir %{_datadir}/ctdb-tests/simple +%{_datadir}/ctdb-tests/simple/functions +%{_datadir}/ctdb-tests/simple/nodes %doc ctdb/tests/README %endif # with_clustering_support %changelog -* Mon Jul 04 2016 Andreas Schneider - 4.2.10-7 -- resolves: #1351960 - Fix CVE-2016-2119 - -* Tue Jun 28 2016 Andreas Schneider - 4.2.10-6.3 -- resolves: #1350759 - Fix idmap_hash when used with other modules -- resolves: #1351260 - Fix krb5 encryption type setup during join - -* Wed Jun 01 2016 Andreas Schneider - 4.2.10-6.2 -- related: #1333794 - Fix issues caused by security tightening for Badlock - o ntlm_auth issues and segfault - o rpcclient doesn't respect "client 
ipc *" options - o fix anonymous authentication if signing is mandatory - -* Fri May 06 2016 Alexander Bokovoy - 4.2.10-6.1 -- Fix issues caused by security tightening for Badlock: - - Only validate MIC when "map to guest" is set - - NetApp SMB servers don't negotiate NTLMSSP_SIGN - - Anonymous connections don't work anymore - - wbinfo -u or 'net ads search' don't work anymore - - Handle empty session in client code -- resolves: #1333794 +* Wed Aug 31 2016 Andreas Schneider - 4.4.4-9 +- related: #1365479 - Fix idmap range check + +* Fri Aug 26 2016 Andreas Schneider - 4.4.4-8 +- related: #1193493 - Fix smbget url credentials parsing + +* Tue Aug 23 2016 Andreas Schneider - 4.4.4-7 +- resolves: #1365479 - Fix idmap range checks for ad and hash backend + +* Tue Aug 16 2016 Andreas Schneider - 4.4.4-6 +- resolves: #1367316 - Increase required Kerbersion version number +- resolves: #1366477 - Fix using the right krb5 ccache in libads +- resolves: #1356501 - Fix high CPU usage with smbclient connection to + non-reachable IP + +* Wed Aug 03 2016 Andreas Schneider - 4.4.4-5 +- resolves: #1359091 - Package /usr/lib/samba/ldb in the common-libs package +- resolves: #1360788 - Fix multilib issue with ctdb-tests package +- resolves: #1362385 - Fix Samba ignoring supplementary groups +- resolves: #1364051 - Fix smbd panic with stale ctdb entries + +* Mon Jul 04 2016 Andreas Schneider - 4.4.4-4 +- resolves: #1351655 - Fix winbind meomory leak with each cached credentials + login +- resolves: #1351961 - Fix CVE-2016-2119 + +* Thu Jun 23 2016 Andreas Schneider - 4.4.4-3 +- related: #1260214 - Correctly warn about missing realm for ad domains + with 'security=domain' + +* Tue Jun 21 2016 Andreas Schneider - 4.4.4-2 +- resolves: #1348223 - Fix sasl wrapped ldap connections + +* Wed Jun 08 2016 Andreas Schneider - 4.4.4-1 +- resolves: #1303076 - Rebase Samba to version 4.4.4 +- resolves: #1314673 - Fix CVE-2015-7560 +- resolves: #1263322 - Add '--no-dns-updates' option to 'net ads 
join' +- resolves: #1264433 - Fix segfault in pam_winbind.so with invalid config + options +- resolves: #1193504 - Fix smbget to retrieve files recursively +- resolves: #1193502 - Fix smbget to use command line credentials +- resolves: #1193493 - Fix smbget url credentials parsing +- resolves: #1273999 - Support printing with Kerberos credentials on newer + CUPS versions +- resolves: #1296821 - Define /etc/pam.d/samba as a non replaceable config +- resolves: #1261107 - Fix memory leak because of missing talloc stackframe +- resolves: #1333562 - Fix memory leak after smbc_free_context() +- resolves: #1315422 - Fix regression from CVE-2015-5252 +- resolves: #1316899 - Fixed idmap_hash module issues when used with others +- resolves: #1322691 - Fix badlock related bugs +- Fix CVE-2015-5370 +- Fix CVE-2016-2110 +- Fix CVE-2016-2111 +- Fix CVE-2016-2112 +- Fix CVE-2016-2113 +- Fix CVE-2016-2114 +- Fix CVE-2016-2115 +- Fix CVE-2016-2118 +- resolves: #1327951 - Fix regression with anonymous connections from OS X +- resolves: #1327845 - Fix pcap_cache_reload() with spoolssd +- resolves: #1289640 - Fix ctdb selinux issue with read only tracking dbs +- resolves: #1341208 - Fix enumerating groups over NSS with idmap_ad +- resolves: #1345827 - Fix resolving trusted domain users on domain member +- resolves: #1346334 - Fix typo in smb.conf.example +- resolves: #1335292 - Fix site-aware 'net ads join -k' +- resolves: #1260214 - Accept empty realm for ad domains with 'security=domain' + +* Tue May 24 2016 Guenther Deschner - 4.2.10-8 +- Fix krb5 encryption type setup during join (as admin and non-admin user) +- resolves: #1312109 + +* Mon May 02 2016 Alexander Bokovoy - 4.2.10-7 +- Fix regressions introduced with security tightening as part of Badlock release +- resolves: #1330199 * Tue Apr 12 2016 Alexander Bokovoy - 4.2.10-6 - Fix domain member winbind not being able to talk to trusted domains' DCs -- relates: #1322690 +- relates: #1322691 * Mon Apr 11 2016 Alexander Bokovoy - 
4.2.10-5 - Fix crash in smb.conf processing -- relates: #1322690 +- relates: #1322691 * Fri Apr 08 2016 Alexander Bokovoy - 4.2.10-4 - Fix LDAP SASL bind with arcfour-hmac-md5 -- resolves: #1322690 +- resolves: #1322691 * Thu Apr 07 2016 Alexander Bokovoy - 4.2.10-3 - Make sure the package owns /var/lib/samba and uses it for cache purposes -- resolves: #1322690 +- resolves: #1322691 * Wed Apr 06 2016 Alexander Bokovoy - 4.2.10-2 - Remove ldb modules and internal libraries for DC when not packaging DC build -- resolves: #1322690 +- resolves: #1322691 * Mon Apr 04 2016 Alexander Bokovoy - 4.2.10-1 -- resolves: #1322690 +- resolves: #1322691 * Fri Mar 04 2016 Andreas Schneider - 4.2.3-12 -- resolves: #1314672 - Fix CVE-2015-7560 +- resolves: #1314673 - Fix CVE-2015-7560 * Fri Dec 11 2015 Guenther Deschner - 4.2.3-11 -- resolves: #1290710 +- resolves: #1290711 - CVE-2015-3223 Remote DoS in Samba (AD) LDAP server - CVE-2015-5299 Missing access control check in shadow copy code - CVE-2015-5252 Insufficient symlink verification in smbd