diff --git a/.gitignore b/.gitignore
index 99161ff..a811c88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.10.4.tar.xz
+SOURCES/samba-4.10.13.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 1e4e8c9..701a5b3 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
+05276fe34eccbb090f259d3c2e632d71c732a19b SOURCES/samba-4.10.13.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
deleted file mode 100644
index eec8124..0000000
--- a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
+++ /dev/null
@@ -1,393 +0,0 @@
-From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 12 Jul 2019 12:10:35 -0700
-Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug
- info into a new function.
-
-Will be called on elsewhere on successful impersonation.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/smbd/uid.c | 37 +++++++++++++++++++++++--------------
- 1 file changed, 23 insertions(+), 14 deletions(-)
-
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index a4bcb747d37e..ce8e8d92131c 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn,
- 	return(True);
- }
- 
-+static void print_impersonation_info(connection_struct *conn)
-+{
-+	struct smb_filename *cwdfname = NULL;
-+
-+	if (!CHECK_DEBUGLVL(DBGLVL_INFO)) {
-+		return;
-+	}
-+
-+	cwdfname = vfs_GetWd(talloc_tos(), conn);
-+	if (cwdfname == NULL) {
-+		return;
-+	}
-+
-+	DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
-+		 (int)getuid(),
-+		 (int)geteuid(),
-+		 (int)getgid(),
-+		 (int)getegid(),
-+		 cwdfname->base_name);
-+	TALLOC_FREE(cwdfname);
-+}
-+
- /****************************************************************************
-  Become the user of a connection number without changing the security context
-  stack, but modify the current_user entries.
-@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn,
- 		current_user.done_chdir = true;
- 	}
- 
--	if (CHECK_DEBUGLVL(DBGLVL_INFO)) {
--		struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn);
--		if (cwdfname == NULL) {
--			return false;
--		}
--		DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n",
--			 (int)getuid(),
--			 (int)geteuid(),
--			 (int)getgid(),
--			 (int)getegid(),
--			 cwdfname->base_name);
--		TALLOC_FREE(cwdfname);
--	}
--
-+	print_impersonation_info(conn);
- 	return true;
- }
- 
--- 
-2.17.1
-
-
-From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 11 Jul 2019 17:01:29 +0200
-Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that
- change_to_user_internal() always resets current_user.done_chdir
-
-We should not leave current_user.done_chdir as true if we didn't call
-chdir_current_service() with success.
-
-This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when
-chdir_current_service() worked once on one share but later failed on another
-share.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- source3/smbd/uid.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index ce8e8d92131c..77a81f602988 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn,
- 	current_user.conn = conn;
- 	current_user.vuid = vuid;
- 	current_user.need_chdir = conn->tcon_done;
-+	current_user.done_chdir = false;
- 
- 	if (current_user.need_chdir) {
- 		ok = chdir_current_service(conn);
--- 
-2.17.1
-
-
-From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 18 Jun 2019 14:04:08 +0200
-Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset
- current_user.{need,done}_chdir in become_root()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/smbd/uid.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index 77a81f602988..50868ba8572a 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -624,6 +624,9 @@ void smbd_become_root(void)
- 	}
- 	push_conn_ctx();
- 	set_root_sec_ctx();
-+
-+	current_user.need_chdir = false;
-+	current_user.done_chdir = false;
- }
- 
- /* Unbecome the root user */
--- 
-2.17.1
-
-
-From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 30 Jul 2019 17:16:59 +0200
-Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own
- independent subdirectory
-
-The next patch will otherwise break the fsrvp related tests.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- selftest/target/Samba3.pm | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index 9d88253c9fe7..f7eb314138a0 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$)
- 	my $widelinks_linkdir="$shrdir/widelinks_foo";
- 	push(@dirs,$widelinks_linkdir);
- 
-+	my $fsrvp_shrdir="$shrdir/fsrvp";
-+	push(@dirs,$fsrvp_shrdir);
-+
- 	my $shadow_tstdir="$shrdir/shadow";
- 	push(@dirs,$shadow_tstdir);
- 	my $shadow_mntdir="$shadow_tstdir/mount";
-@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$)
- 	guest ok = yes
- 
- [fsrvp_share]
--	path = $shrdir
-+	path = $fsrvp_shrdir
- 	comment = fake shapshots using rsync
- 	vfs objects = shell_snap shadow_copy2
- 	shell_snap:check path command = $fake_snap_pl --check
- 	shell_snap:create command = $fake_snap_pl --create
- 	shell_snap:delete command = $fake_snap_pl --delete
- 	# a relative path here fails, the snapshot dir is no longer found
--	shadow:snapdir = $shrdir/.snapshots
-+	shadow:snapdir = $fsrvp_shrdir/.snapshots
- 
- [shadow1]
- 	path = $shadow_shrdir
--- 
-2.17.1
-
-
-From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 16 Jul 2019 15:40:38 +0200
-Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test
- for the no permission on share root problem
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- selftest/knownfail.d/CVE-2019-10197       |  1 +
- selftest/target/Samba3.pm                 | 12 +++++++++
- source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++
- 3 files changed, 43 insertions(+)
- create mode 100644 selftest/knownfail.d/CVE-2019-10197
-
-diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
-new file mode 100644
-index 000000000000..f7056bbf3ad4
---- /dev/null
-+++ b/selftest/knownfail.d/CVE-2019-10197
-@@ -0,0 +1 @@
-+^samba3.blackbox.smbclient_s3.*.noperm.share.regression
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index f7eb314138a0..2f491441815f 100755
---- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$)
- 	my $ro_shrdir="$shrdir/root-tmp";
- 	push(@dirs,$ro_shrdir);
- 
-+	my $noperm_shrdir="$shrdir/noperm-tmp";
-+	push(@dirs,$noperm_shrdir);
-+
- 	my $msdfs_shrdir="$shrdir/msdfsshare";
- 	push(@dirs,$msdfs_shrdir);
- 
-@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$)
- 	chmod 0755, $piddir;
- 
- 
-+	##
-+	## Create a directory without permissions to enter
-+	##
-+	chmod 0000, $noperm_shrdir;
-+
- 	##
- 	## create ro and msdfs share layout
- 	##
-@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$)
- [ro-tmp]
- 	path = $ro_shrdir
- 	guest ok = yes
-+[noperm]
-+	path = $noperm_shrdir
-+	wide links = yes
-+	guest ok = yes
- [write-list-tmp]
- 	path = $shrdir
-         read only = yes
-diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh
-index bf033ccd2fbf..0bae1d78fac9 100755
---- a/source3/script/tests/test_smbclient_s3.sh
-+++ b/source3/script/tests/test_smbclient_s3.sh
-@@ -1329,6 +1329,32 @@ EOF
-     fi
- }
- 
-+#
-+# Regression test for CVE-2019-10197
-+# we should always get ACCESS_DENIED
-+#
-+test_noperm_share_regression()
-+{
-+    cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls"  2>&1'
-+    eval echo "$cmd"
-+    out=`eval $cmd`
-+    ret=$?
-+    if [ $ret -eq 0 ] ; then
-+       echo "$out"
-+       echo "failed accessing no perm share should not work"
-+       return 1
-+    fi
-+
-+    num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l`
-+    if [ "$num" -ne "2" ] ; then
-+       echo "$out"
-+       echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected"
-+       return 1
-+    fi
-+
-+    return 0
-+}
-+
- # Test smbclient deltree command
- test_deltree()
- {
-@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \
-     test_local_symlinks || \
-     failed=`expr $failed + 1`
- 
-+testit "noperm share regression" \
-+    test_noperm_share_regression || \
-+    failed=`expr $failed + 1`
-+
- testit "smbclient deltree command" \
-     test_deltree || \
-     failed=`expr $failed + 1`
--- 
-2.17.1
-
-
-From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 11 Jul 2019 17:02:15 +0200
-Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate()
- out of change_to_user_internal()
-
-This makes sure we always call chdir_current_service() even
-when we still impersonated the user. Which is important
-in order to run the SMB* request within the correct working directory
-and only if the user has permissions to enter that directory.
-
-It makes sure we always update conn->lastused_count
-in chdir_current_service() for each request.
-
-Note that vfs_ChDir() (called from chdir_current_service())
-maintains its own cache and avoids calling SMB_VFS_CHDIR()
-if possible.
-
-It means we still avoid syscalls if we get a multiple requests
-for the same session/tcon tuple.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
- selftest/knownfail.d/CVE-2019-10197 |  1 -
- source3/smbd/uid.c                  | 21 +++++++++++++++++----
- 2 files changed, 17 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/CVE-2019-10197
-
-diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197
-deleted file mode 100644
-index f7056bbf3ad4..000000000000
---- a/selftest/knownfail.d/CVE-2019-10197
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba3.blackbox.smbclient_s3.*.noperm.share.regression
-diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
-index 50868ba8572a..5c39baade5cf 100644
---- a/source3/smbd/uid.c
-+++ b/source3/smbd/uid.c
-@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn)
-  stack, but modify the current_user entries.
- ****************************************************************************/
- 
--static bool change_to_user_internal(connection_struct *conn,
--				    const struct auth_session_info *session_info,
--				    uint64_t vuid)
-+static bool change_to_user_impersonate(connection_struct *conn,
-+				       const struct auth_session_info *session_info,
-+				       uint64_t vuid)
- {
- 	int snum;
- 	gid_t gid;
-@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn,
- 
- 	if ((current_user.conn == conn) &&
- 	    (current_user.vuid == vuid) &&
--	    (current_user.need_chdir == conn->tcon_done) &&
- 	    (current_user.ut.uid == session_info->unix_token->uid))
- 	{
- 		DBG_INFO("Skipping user change - already user\n");
-@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn,
- 
- 	current_user.conn = conn;
- 	current_user.vuid = vuid;
-+	return true;
-+}
-+
-+static bool change_to_user_internal(connection_struct *conn,
-+				    const struct auth_session_info *session_info,
-+				    uint64_t vuid)
-+{
-+	bool ok;
-+
-+	ok = change_to_user_impersonate(conn, session_info, vuid);
-+	if (!ok) {
-+		return false;
-+	}
-+
- 	current_user.need_chdir = conn->tcon_done;
- 	current_user.done_chdir = false;
- 
--- 
-2.17.1
-
diff --git a/SOURCES/libldb-require-version-1.5.4.patch b/SOURCES/libldb-require-version-1.5.4.patch
new file mode 100644
index 0000000..ef33d66
--- /dev/null
+++ b/SOURCES/libldb-require-version-1.5.4.patch
@@ -0,0 +1,13 @@
+Index: samba-4.10.13/lib/ldb/wscript
+===================================================================
+--- samba-4.10.13.orig/lib/ldb/wscript
++++ samba-4.10.13/lib/ldb/wscript
+@@ -1,7 +1,7 @@
+ #!/usr/bin/env python
+ 
+ APPNAME = 'ldb'
+-VERSION = '1.5.6'
++VERSION = '1.5.4'
+ 
+ import sys, os
+ 
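Review bot: The `VERSION = '1.5.4'` line lowers the bundled ldb version string from 1.5.6, and the only explanation is the patch file name. Presumably this lets samba-4.10.13 build against a system libldb 1.5.4. If so, any ldb fixes made between 1.5.4 and 1.5.6 that this Samba release expects would be missing at runtime, which is worth checking against the libldb package changelog. I would add a short header above the `Index:` line, e.g. `Downstream only: build against system libldb 1.5.4, drop when libldb is rebased (<tracking bug id>)`, so the override is easy to find and remove.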
diff --git a/SOURCES/net-ads-keytab-create-upn.patch b/SOURCES/net-ads-keytab-create-upn.patch
new file mode 100644
index 0000000..bec2f26
--- /dev/null
+++ b/SOURCES/net-ads-keytab-create-upn.patch
@@ -0,0 +1,83 @@
+From d813722a34597dd33d06a558de6bc6cc2c2adb97 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 3 Apr 2020 15:58:28 +0200
+Subject: [PATCH 1/2] s3:libads: Fix ads_get_upn()
+
+This adds the userPrincipalName to ads_find_machine_acct() which
+fetches the data for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14336
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit ec69752cb963ae850568d3f4905d2941e485627e)
+---
+ source3/libads/ldap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 979192eb3ed..8ad76ed0ae9 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1373,6 +1373,7 @@ char *ads_parent_dn(const char *dn)
+ 		"userAccountControl",
+ 		"DnsHostName",
+ 		"ServicePrincipalName",
++		"userPrincipalName",
+ 		"unicodePwd",
+ 
+ 		/* Additional attributes Samba checks */
+-- 
+2.26.0
+
+
+From 9ecf7552c15ca4c7ff71b5c9348aae03b0012bc0 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 3 Apr 2020 15:40:48 +0200
+Subject: [PATCH 2/2] testprogs: Add 'net ads join createupn' test also
+ verifying the keytab
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14336
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Mon Apr  6 19:09:53 UTC 2020 on sn-devel-184
+
+(cherry picked from commit c4be195da2845be4f64e47883e3c911dedd90e48)
+---
+ testprogs/blackbox/test_net_ads.sh | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 8bcff006b8e..95c0cf76f90 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -237,6 +237,23 @@ testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_P
+ 
+ testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER "OU=Servers,$base_dn"
+ 
++#
++# Test createupn option of 'net ads join'
++#
++testit "join+createupn" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createupn="host/test-$HOSTNAME@$REALM" || failed=`expr $failed + 1`
++
++testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
++
++dedicated_keytab_file="$PREFIX_ABS/test_net_create_dedicated_krb5.keytab"
++
++testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit_grep "checkupn+keytab" "host/test-$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++rm -f $dedicated_keytab_file
++
++testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
+ rm -rf $BASEDIR/$WORKDIR
+ 
+ exit $failed
+-- 
+2.26.0
+
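Review bot: In the block added to test_net_ads.sh, `rm -f $dedicated_keytab_file` expands the path unquoted, and that path is built from `$PREFIX_ABS`. A prefix containing whitespace or glob characters would make `rm` act on the wrong names and leave the keytab on disk. Because the file holds the machine account keys created by the join, quote it: `rm -f "$dedicated_keytab_file"`. The keytab also stays behind if the script is interrupted between `create_keytab` and the `rm`; whether the later `rm -rf $BASEDIR/$WORKDIR` covers that path cannot be told from this hunk.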
diff --git a/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
new file mode 100644
index 0000000..ff175fe
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
@@ -0,0 +1,48 @@
+From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 27 Jan 2020 14:58:10 +0100
+Subject: [PATCH] lib:util: Log mkdir error on correct debug levels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For smbd we want an error and for smbclient we only want it in NOTICE
+debug level.
+The default log level of smbclient is log level 1 so we need notice to
+not spam the user.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1)
+---
+ lib/util/util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util.c b/lib/util/util.c
+index 3bdeded5c1b..0d9ffe5cb7b 100644
+--- a/lib/util/util.c
++++ b/lib/util/util.c
+@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
+ 	old_umask = umask(0);
+ 	ret = mkdir(dname, dir_perms);
+ 	if (ret == -1 && errno != EEXIST) {
+-		DBG_WARNING("mkdir failed on directory %s: %s\n",
++		int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;
++
++		DBG_PREFIX(dbg_level,
++			   ("mkdir failed on directory %s: %s\n",
+ 			    dname,
+-			    strerror(errno));
++			    strerror(errno)));
+ 		umask(old_umask);
+ 		return false;
+ 	}
+-- 
+2.25.0
+
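Review bot: The new `dbg_level` assignment in directory_create_or_exist() uses `geteuid() == 0` as a stand-in for "this is a server process", and nothing in the code says so. A daemon or helper that already runs with a non-root effective uid now reports a failed mkdir only at NOTICE, a less prominent level than the previous DBG_WARNING, so a directory-creation failure there may not appear at the default log level; conversely a client tool run as root logs at ERR. I would add a comment above the assignment, e.g. `/* euid 0: assume a server process and log at ERR; otherwise assume a client tool and log at NOTICE */`. The function body starts and ends outside the hunk.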
diff --git a/SOURCES/samba-4.10-fix_smbspool.patch b/SOURCES/samba-4.10-fix_smbspool.patch
deleted file mode 100644
index fa12f06..0000000
--- a/SOURCES/samba-4.10-fix_smbspool.patch
+++ /dev/null
@@ -1,1127 +0,0 @@
-From 16056895403f3c673dc5adc531b7e739d46292fb Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:55:49 +0200
-Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
-
-This is required to access files in /var/spool/cups which have been
-temporarily created in there by CUPS.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b)
----
- source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 5c4da33238b..e6684fc0d0c 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -82,6 +82,7 @@ int main(int argc, char *argv[])
- {
- 	char smbspool_cmd[PATH_MAX] = {0};
- 	struct passwd *pwd;
-+	struct group *g = NULL;
- 	char gen_cc[PATH_MAX] = {0};
- 	struct stat sb;
- 	char *env = NULL;
-@@ -89,6 +90,7 @@ int main(int argc, char *argv[])
- 	char device_uri[4096] = {0};
- 	uid_t uid = (uid_t)-1;
- 	gid_t gid = (gid_t)-1;
-+	gid_t groups[1] = { (gid_t)-1 };
- 	unsigned long tmp;
- 	int cmp;
- 	int rc;
-@@ -176,6 +178,26 @@ int main(int argc, char *argv[])
- 		return CUPS_BACKEND_FAILED;
- 	}
- 
-+	/*
-+	 * We need the primary group of the 'lp' user. This is needed to access
-+	 * temporary files in /var/spool/cups/.
-+	 */
-+	g = getgrnam("lp");
-+	if (g == NULL) {
-+		CUPS_SMB_ERROR("Failed to find user 'lp' - %s",
-+			       strerror(errno));
-+		return CUPS_BACKEND_FAILED;
-+	}
-+
-+	CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid);
-+	groups[0] = g->gr_gid;
-+	rc = setgroups(sizeof(groups), groups);
-+	if (rc != 0) {
-+		CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s",
-+			       strerror(errno));
-+		return CUPS_BACKEND_FAILED;
-+	}
-+
- 	CUPS_SMB_DEBUG("Switching to gid=%d", gid);
- 	rc = setgid(gid);
- 	if (rc != 0) {
--- 
-2.21.0
-
-
-From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 13:41:02 +0200
-Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
- with
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5)
----
- source3/client/smbspool.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 22071613677..efbdd418fdb 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) {
- 		return false;
- 	} else {
- 		krb5_principal default_princ = NULL;
-+		char *princ_name = NULL;
- 
- 		code = krb5_cc_get_principal(ctx,
- 					     ccache,
-@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) {
- 			krb5_free_context(ctx);
- 			return false;
- 		}
-+
-+		code = krb5_unparse_name(ctx,
-+					 default_princ,
-+					 &princ_name);
-+		if (code == 0) {
-+			fprintf(stderr,
-+				"DEBUG: Try to authenticate as %s\n",
-+				princ_name);
-+			krb5_free_unparsed_name(ctx, princ_name);
-+		}
- 		krb5_free_principal(ctx, default_princ);
- 	}
- 	krb5_cc_close(ctx, ccache);
--- 
-2.21.0
-
-
-From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 14:25:00 +0200
-Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba)
----
- source3/client/smbspool_krb5_wrapper.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index e6684fc0d0c..2cdcd372ec6 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -219,10 +219,14 @@ int main(int argc, char *argv[])
- 	env = getenv("KRB5CCNAME");
- 	if (env != NULL && env[0] != 0) {
- 		snprintf(gen_cc, sizeof(gen_cc), "%s", env);
-+		CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache",
-+			       gen_cc);
- 
- 		goto create_env;
- 	}
- 
-+	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
-+
- 	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
- 
- 	rc = lstat(gen_cc, &sb);
--- 
-2.21.0
-
-
-From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:10:57 +0200
-Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858)
----
- source3/client/smbspool_krb5_wrapper.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 2cdcd372ec6..3266b90ec1a 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -227,13 +227,13 @@ int main(int argc, char *argv[])
- 
- 	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
- 
--	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid);
-+	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
- 
- 	rc = lstat(gen_cc, &sb);
- 	if (rc == 0) {
--		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid);
-+		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
- 	} else {
--		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid);
-+		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
- 
- 		rc = lstat(gen_cc, &sb);
- 		if (rc == 0 && S_ISDIR(sb.st_mode)) {
--- 
-2.21.0
-
-
-From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 17:40:43 +0200
-Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
- not set
-
-This could also support the new KCM credential cache storage.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3)
----
- source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++--------
- source3/wscript_build                  |  1 +
- 2 files changed, 55 insertions(+), 25 deletions(-)
-
-diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
-index 3266b90ec1a..bff1df417e8 100644
---- a/source3/client/smbspool_krb5_wrapper.c
-+++ b/source3/client/smbspool_krb5_wrapper.c
-@@ -21,6 +21,7 @@
- 
- #include "includes.h"
- #include "system/filesys.h"
-+#include "system/kerberos.h"
- #include "system/passwd.h"
- 
- #include <errno.h>
-@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...)
- 		buffer);
- }
- 
-+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len)
-+{
-+	krb5_context ctx;
-+	const char *ccache_name = NULL;
-+	char *full_ccache_name = NULL;
-+	krb5_ccache ccache = NULL;
-+	krb5_error_code code;
-+
-+	code = krb5_init_context(&ctx);
-+	if (code != 0) {
-+		return false;
-+	}
-+
-+	ccache_name = krb5_cc_default_name(ctx);
-+	if (ccache_name == NULL) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
-+	if (code != 0) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name);
-+	krb5_cc_close(ctx, ccache);
-+	if (code != 0) {
-+		krb5_free_context(ctx);
-+		return false;
-+	}
-+
-+	snprintf(ccache_buf, len, "%s", full_ccache_name);
-+
-+#ifdef SAMBA4_USES_HEIMDAL
-+	free(full_ccache_name);
-+#else
-+	krb5_free_string(ctx, full_ccache_name);
-+#endif
-+	krb5_free_context(ctx);
-+
-+	return true;
-+}
-+
- /*
-  * This is a helper binary to execute smbspool.
-  *
-@@ -84,7 +129,6 @@ int main(int argc, char *argv[])
- 	struct passwd *pwd;
- 	struct group *g = NULL;
- 	char gen_cc[PATH_MAX] = {0};
--	struct stat sb;
- 	char *env = NULL;
- 	char auth_info_required[256] = {0};
- 	char device_uri[4096] = {0};
-@@ -92,6 +136,7 @@ int main(int argc, char *argv[])
- 	gid_t gid = (gid_t)-1;
- 	gid_t groups[1] = { (gid_t)-1 };
- 	unsigned long tmp;
-+	bool ok;
- 	int cmp;
- 	int rc;
- 
-@@ -225,32 +270,16 @@ int main(int argc, char *argv[])
- 		goto create_env;
- 	}
- 
--	CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)");
--
--	snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid);
--
--	rc = lstat(gen_cc, &sb);
--	if (rc == 0) {
--		snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
--	} else {
--		snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid);
--
--		rc = lstat(gen_cc, &sb);
--		if (rc == 0 && S_ISDIR(sb.st_mode)) {
--			snprintf(gen_cc,
--				 sizeof(gen_cc),
--				 "DIR:/run/user/%d/krb5cc",
--				 uid);
--		} else {
--#if defined(__linux__)
--			snprintf(gen_cc,
--				 sizeof(gen_cc),
--				 "KEYRING:persistent:%d",
--				 uid);
--#endif
--		}
-+	ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc));
-+	if (ok) {
-+		CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]",
-+			       gen_cc);
-+		goto create_env;
- 	}
- 
-+	/* Fallback to a FILE ccache */
-+	snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid);
-+
- create_env:
- 	/*
- 	 * Make sure we do not have LD_PRELOAD or other security relevant
-diff --git a/source3/wscript_build b/source3/wscript_build
-index f67ce59fe52..8e34b7d0261 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
-                  deps='''
-                       DYNCONFIG
-                       cups
-+                      krb5
-                       ''',
-                  install_path='${LIBEXECDIR}/samba',
-                  enabled=bld.CONFIG_SET('HAVE_CUPS'))
--- 
-2.21.0
-
-
-From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 16:48:31 +0200
-Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd)
----
- source3/client/smbspool.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index efbdd418fdb..ef16c2bed42 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -224,7 +224,9 @@ main(int argc,			/* I - Number of command-line arguments */
- 
- 		fp = fopen(print_file, "rb");
- 		if (fp == NULL) {
--			perror("ERROR: Unable to open print file");
-+			fprintf(stderr,
-+				"ERROR: Unable to open print file: %s",
-+				print_file);
- 			goto done;
- 		}
- 
--- 
-2.21.0
-
-
-From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 13 May 2019 18:54:02 +0200
-Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
-
-If username and password is given, then fallback to NTLM. However try
-kinit first. Also we correctly handle NULL passwords in the meantime and
-this makes it easier to deal with issues.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d)
----
- source3/client/smbspool.c | 90 ++++++++++++++++++++++-----------------
- 1 file changed, 51 insertions(+), 39 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ef16c2bed42..f21aac2ac58 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -88,8 +88,8 @@ main(int argc,			/* I - Number of command-line arguments */
- 	int             port;	/* Port number */
- 	char            uri[1024],	/* URI */
- 	               *sep,	/* Pointer to separator */
--	               *tmp, *tmp2,	/* Temp pointers to do escaping */
--	               *password;	/* Password */
-+	               *tmp, *tmp2;	/* Temp pointers to do escaping */
-+	const char     *password = NULL;	/* Password */
- 	char           *username,	/* Username */
- 	               *server,	/* Server name */
- 	               *printer;/* Printer name */
-@@ -293,8 +293,6 @@ main(int argc,			/* I - Number of command-line arguments */
- 		if ((tmp2 = strchr_m(tmp, ':')) != NULL) {
- 			*tmp2++ = '\0';
- 			password = uri_unescape_alloc(tmp2);
--		} else {
--			password = empty_str;
- 		}
- 		username = uri_unescape_alloc(tmp);
- 	} else {
-@@ -302,14 +300,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 			username = empty_str;
- 		}
- 
--		if ((password = getenv("AUTH_PASSWORD")) == NULL) {
--			password = empty_str;
-+		env = getenv("AUTH_PASSWORD");
-+		if (env != NULL && strlen(env) > 0) {
-+			password = env;
- 		}
- 
- 		server = uri + 6;
- 	}
- 
--	if (password != empty_str) {
-+	if (password != NULL) {
- 		auth_info_required = "username,password";
- 	}
- 
-@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname,
- 	NTSTATUS        nt_status;
- 	struct cli_credentials *creds = NULL;
- 	bool use_kerberos = false;
-+	bool fallback_after_kerberos = false;
- 
- 	/* Start the SMB connection */
- 	*need_auth = false;
-@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname,
- 		return NULL;
- 	}
- 
--	/*
--	 * We pretty much guarantee password must be valid or a pointer to a
--	 * 0 char.
--	 */
--	if (!password) {
--		*need_auth = true;
--		return NULL;
--	}
--
- 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
--		auth_info_required = "negotiate";
- 		use_kerberos = true;
- 	}
- 
-+	if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) {
-+		fallback_after_kerberos = true;
-+	}
-+
- 	creds = cli_session_creds_init(cli,
- 				       username,
- 				       workgroup,
- 				       NULL, /* realm */
- 				       password,
- 				       use_kerberos,
--				       false, /* fallback_after_kerberos */
-+				       fallback_after_kerberos,
- 				       false, /* use_ccache */
- 				       false); /* password_is_nt_hash */
- 	if (creds == NULL) {
-@@ -663,6 +657,10 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 	struct cli_state *cli;	/* New connection */
- 	char           *myname = NULL;	/* Client name */
- 	struct passwd  *pwd;
-+	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
-+	bool use_kerberos = false;
-+	const char *user = username;
-+	int cmp;
- 
- 	/*
-          * Get the names and addresses of the client and server...
-@@ -672,42 +670,56 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 		return NULL;
- 	}
- 
--	/*
--	 * See if we have a username first.  This is for backwards compatible
--	 * behavior with 3.0.14a
--	 */
- 
--	if (username == NULL || username[0] == '\0') {
--		if (kerberos_ccache_is_valid()) {
--			goto kerberos_auth;
-+	cmp = strcmp(auth_info_required, "negotiate");
-+	if (cmp == 0) {
-+		if (!kerberos_ccache_is_valid()) {
-+			return NULL;
- 		}
-+		user = jobusername;
-+
-+		use_kerberos = true;
-+		fprintf(stderr,
-+			"DEBUG: Try to connect using Kerberos ...\n");
-+	}
-+
-+	cmp = strcmp(auth_info_required, "username,password");
-+	if (cmp == 0) {
-+		if (username == NULL || username[0] == '\0') {
-+			return NULL;
-+		}
-+
-+		/* Fallback to NTLM */
-+		flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+
-+		fprintf(stderr,
-+			"DEBUG: Try to connect using username/password ...\n");
-+	}
-+
-+	cmp = strcmp(auth_info_required, "none");
-+	if (cmp == 0) {
-+		fprintf(stderr,
-+			"DEBUG: This backend doesn't support none auth ...\n");
-+		return NULL;
- 	}
- 
- 	cli = smb_complete_connection(myname,
- 				      server,
- 				      port,
--				      username,
-+				      user,
- 				      password,
- 				      workgroup,
- 				      share,
--				      0,
-+				      flags,
- 				      need_auth);
- 	if (cli != NULL) {
--		fputs("DEBUG: Connected with username/password...\n", stderr);
-+		fprintf(stderr, "DEBUG: SMB connection established.\n");
- 		return (cli);
- 	}
- 
--kerberos_auth:
--	/*
--	 * Try to use the user kerberos credentials (if any) to authenticate
--	 */
--	cli = smb_complete_connection(myname, server, port, jobusername, "",
--				      workgroup, share,
--				 CLI_FULL_CONNECTION_USE_KERBEROS, need_auth);
--
--	if (cli) {
--		fputs("DEBUG: Connected using Kerberos...\n", stderr);
--		return (cli);
-+	if (!use_kerberos) {
-+		fprintf(stderr, "ERROR: SMB connection failed!\n");
-+		return NULL;
- 	}
- 
- 	/* give a chance for a passwordless NTLMSSP session setup */
--- 
-2.21.0
-
-
-From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 16 May 2019 18:24:32 +0200
-Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
- kerberos_ccache_is_valid()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3)
----
- source3/client/smbspool.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index f21aac2ac58..79e210dd12e 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) {
- 
- 	ccache_name = krb5_cc_default_name(ctx);
- 	if (ccache_name == NULL) {
-+		DBG_ERR("Failed to get default ccache name\n");
- 		krb5_free_context(ctx);
- 		return false;
- 	}
- 
- 	code = krb5_cc_resolve(ctx, ccache_name, &ccache);
- 	if (code != 0) {
-+		DBG_ERR("Failed to resolve ccache name: %s\n",
-+			ccache_name);
- 		krb5_free_context(ctx);
- 		return false;
- 	} else {
-@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) {
- 					     ccache,
- 					     &default_princ);
- 		if (code != 0) {
-+			DBG_ERR("Failed to get default principal from "
-+				"ccache: %s\n",
-+				ccache_name);
- 			krb5_cc_close(ctx, ccache);
- 			krb5_free_context(ctx);
- 			return false;
--- 
-2.21.0
-
-
-From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 14 May 2019 11:35:46 +0200
-Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
-
-This allows us to simplify some code and return better errors.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea)
----
- source3/client/smbspool.c | 250 ++++++++++++++++++++++----------------
- 1 file changed, 145 insertions(+), 105 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index 79e210dd12e..ad988eb0df9 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -61,12 +61,27 @@
-  * Local functions...
-  */
- 
--static int      get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
-+static int      get_exit_code(NTSTATUS nt_status);
- static void     list_devices(void);
--static struct cli_state *smb_complete_connection(const char *, const char *,
--	int, const char *, const char *, const char *, const char *, int, bool *need_auth);
--static struct cli_state *smb_connect(const char *, const char *, int, const
--	char *, const char *, const char *, const char *, bool *need_auth);
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+			const char *myname,
-+			const char *server,
-+			int port,
-+			const char *username,
-+			const char *password,
-+			const char *workgroup,
-+			const char *share,
-+			int flags);
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+	    const char *workgroup,
-+	    const char *server,
-+	    const int port,
-+	    const char *share,
-+	    const char *username,
-+	    const char *password,
-+	    const char *jobusername);
- static int      smb_print(struct cli_state *, const char *, FILE *);
- static char    *uri_unescape_alloc(const char *);
- #if 0
-@@ -90,16 +105,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 	               *sep,	/* Pointer to separator */
- 	               *tmp, *tmp2;	/* Temp pointers to do escaping */
- 	const char     *password = NULL;	/* Password */
--	char           *username,	/* Username */
--	               *server,	/* Server name */
-+	const char     *username = NULL;	/* Username */
-+	char           *server,	/* Server name */
- 	               *printer;/* Printer name */
- 	const char     *workgroup;	/* Workgroup */
- 	FILE           *fp;	/* File to print */
- 	int             status = 1;	/* Status of LPD job */
--	struct cli_state *cli;	/* SMB interface */
--	char            empty_str[] = "";
-+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-+	struct cli_state *cli = NULL;	/* SMB interface */
- 	int             tries = 0;
--	bool		need_auth = true;
- 	const char     *dev_uri = NULL;
- 	const char     *env = NULL;
- 	const char     *config_file = NULL;
-@@ -296,8 +310,9 @@ main(int argc,			/* I - Number of command-line arguments */
- 		}
- 		username = uri_unescape_alloc(tmp);
- 	} else {
--		if ((username = getenv("AUTH_USERNAME")) == NULL) {
--			username = empty_str;
-+		env = getenv("AUTH_USERNAME");
-+		if (env != NULL && strlen(env) > 0) {
-+			username = env;
- 		}
- 
- 		env = getenv("AUTH_PASSWORD");
-@@ -369,27 +384,39 @@ main(int argc,			/* I - Number of command-line arguments */
- 	load_interfaces();
- 
- 	do {
--		cli = smb_connect(workgroup,
--				  server,
--				  port,
--				  printer,
--				  username,
--				  password,
--				  print_user,
--				  &need_auth);
--		if (cli == NULL) {
--			if (need_auth) {
--				exit(2);
-+		nt_status = smb_connect(&cli,
-+					workgroup,
-+					server,
-+					port,
-+					printer,
-+					username,
-+					password,
-+					print_user);
-+		if (!NT_STATUS_IS_OK(nt_status)) {
-+			status = get_exit_code(nt_status);
-+			if (status == 2) {
-+				fprintf(stderr,
-+					"DEBUG: Unable to connect to CIFS "
-+					"host: %s",
-+					nt_errstr(nt_status));
-+				goto done;
- 			} else if (getenv("CLASS") == NULL) {
--				fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n");
-+				fprintf(stderr,
-+					"ERROR: Unable to connect to CIFS "
-+					"host: %s. Will retry in 60 "
-+					"seconds...\n",
-+					nt_errstr(nt_status));
- 				sleep(60);
- 				tries++;
- 			} else {
--				fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n");
-+				fprintf(stderr,
-+					"ERROR: Unable to connect to CIFS "
-+					"host: %s. Trying next printer...\n",
-+					nt_errstr(nt_status));
- 				goto done;
- 			}
- 		}
--	} while ((cli == NULL) && (tries < MAX_RETRY_CONNECT));
-+	} while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT));
- 
- 	if (cli == NULL) {
- 		fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries);
-@@ -436,10 +463,9 @@ done:
-  */
- 
- static int
--get_exit_code(struct cli_state * cli,
--	      NTSTATUS nt_status)
-+get_exit_code(NTSTATUS nt_status)
- {
--	int i;
-+	size_t i;
- 
- 	/* List of NTSTATUS errors that are considered
- 	 * authentication errors
-@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli,
- 	};
- 
- 
--	fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n",
--		cli, nt_errstr(nt_status), NT_STATUS_V(nt_status));
-+	fprintf(stderr,
-+		"DEBUG: get_exit_code(nt_status=%s [%x])\n",
-+		nt_errstr(nt_status), NT_STATUS_V(nt_status));
- 
- 	for (i = 0; i < ARRAY_SIZE(auth_errors); i++) {
- 		if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) {
- 			continue;
- 		}
- 
--		if (cli) {
--			fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
--		}
-+		fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
- 
- 		/*
- 		 * 2 = authentication required...
-@@ -498,16 +523,16 @@ list_devices(void)
- }
- 
- 
--static struct cli_state *
--smb_complete_connection(const char *myname,
-+static NTSTATUS
-+smb_complete_connection(struct cli_state **output_cli,
-+			const char *myname,
- 			const char *server,
- 			int port,
- 			const char *username,
- 			const char *password,
- 			const char *workgroup,
- 			const char *share,
--			int flags,
--			bool *need_auth)
-+			int flags)
- {
- 	struct cli_state *cli;	/* New connection */
- 	NTSTATUS        nt_status;
-@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname,
- 	bool fallback_after_kerberos = false;
- 
- 	/* Start the SMB connection */
--	*need_auth = false;
- 	nt_status = cli_start_connection(&cli, myname, server, NULL, port,
- 					 SMB_SIGNING_DEFAULT, flags);
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status));
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
-@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname,
- 	if (creds == NULL) {
- 		fprintf(stderr, "ERROR: cli_session_creds_init failed\n");
- 		cli_shutdown(cli);
--		return NULL;
-+		return NT_STATUS_NO_MEMORY;
- 	}
- 
- 	nt_status = cli_session_setup_creds(cli, creds);
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status) == 2) {
--			*need_auth = true;
--		}
--
- 		cli_shutdown(cli);
- 
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	nt_status = cli_tree_connect_creds(cli, share, "?????", creds);
-@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname,
- 		fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
- 			nt_errstr(nt_status));
- 
--		if (get_exit_code(cli, nt_status) == 2) {
--			*need_auth = true;
--		}
--
- 		cli_shutdown(cli);
- 
--		return NULL;
-+		return nt_status;
- 	}
- #if 0
- 	/* Need to work out how to specify this on the URL. */
-@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname,
- 	}
- #endif
- 
--	return cli;
-+	*output_cli = cli;
-+	return NT_STATUS_OK;
- }
- 
- static bool kerberos_ccache_is_valid(void) {
-@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) {
-  * 'smb_connect()' - Return a connection to a server.
-  */
- 
--static struct cli_state *	/* O - SMB connection */
--smb_connect(const char *workgroup,	/* I - Workgroup */
-+static NTSTATUS
-+smb_connect(struct cli_state **output_cli,
-+	    const char *workgroup,	/* I - Workgroup */
- 	    const char *server,	/* I - Server */
- 	    const int port,	/* I - Port */
- 	    const char *share,	/* I - Printer */
- 	    const char *username,	/* I - Username */
- 	    const char *password,	/* I - Password */
--	    const char *jobusername,	/* I - User who issued the print job */
--	    bool *need_auth)
--{				/* O - Need authentication? */
--	struct cli_state *cli;	/* New connection */
-+	    const char *jobusername)	/* I - User who issued the print job */
-+{
-+	struct cli_state *cli = NULL;	/* New connection */
- 	char           *myname = NULL;	/* Client name */
- 	struct passwd  *pwd;
- 	int flags = CLI_FULL_CONNECTION_USE_KERBEROS;
- 	bool use_kerberos = false;
- 	const char *user = username;
--	int cmp;
-+	NTSTATUS nt_status;
- 
- 	/*
-          * Get the names and addresses of the client and server...
-          */
- 	myname = get_myname(talloc_tos());
- 	if (!myname) {
--		return NULL;
-+		return NT_STATUS_NO_MEMORY;
- 	}
- 
- 
--	cmp = strcmp(auth_info_required, "negotiate");
--	if (cmp == 0) {
-+	if (strcmp(auth_info_required, "negotiate") == 0) {
- 		if (!kerberos_ccache_is_valid()) {
--			return NULL;
-+			fprintf(stderr,
-+				"ERROR: No valid Kerberos credential cache "
-+				"found!\n");
-+			return NT_STATUS_LOGON_FAILURE;
- 		}
- 		user = jobusername;
- 
- 		use_kerberos = true;
- 		fprintf(stderr,
- 			"DEBUG: Try to connect using Kerberos ...\n");
--	}
--
--	cmp = strcmp(auth_info_required, "username,password");
--	if (cmp == 0) {
--		if (username == NULL || username[0] == '\0') {
--			return NULL;
-+	} else if (strcmp(auth_info_required, "username,password") == 0) {
-+		if (username == NULL) {
-+			return NT_STATUS_INVALID_ACCOUNT_NAME;
- 		}
- 
- 		/* Fallback to NTLM */
-@@ -700,59 +716,83 @@ smb_connect(const char *workgroup,	/* I - Workgroup */
- 
- 		fprintf(stderr,
- 			"DEBUG: Try to connect using username/password ...\n");
--	}
-+	} else {
-+		if (username != NULL) {
-+			flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS;
-+		} else if (kerberos_ccache_is_valid()) {
-+			auth_info_required = "negotiate";
- 
--	cmp = strcmp(auth_info_required, "none");
--	if (cmp == 0) {
--		fprintf(stderr,
--			"DEBUG: This backend doesn't support none auth ...\n");
--		return NULL;
-+			user = jobusername;
-+			use_kerberos = true;
-+		} else {
-+			fprintf(stderr,
-+				"DEBUG: This backend requires credentials!\n");
-+			return NT_STATUS_ACCESS_DENIED;
-+		}
- 	}
- 
--	cli = smb_complete_connection(myname,
--				      server,
--				      port,
--				      user,
--				      password,
--				      workgroup,
--				      share,
--				      flags,
--				      need_auth);
--	if (cli != NULL) {
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    user,
-+					    password,
-+					    workgroup,
-+					    share,
-+					    flags);
-+	if (NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "DEBUG: SMB connection established.\n");
--		return (cli);
-+
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
- 	}
- 
- 	if (!use_kerberos) {
- 		fprintf(stderr, "ERROR: SMB connection failed!\n");
--		return NULL;
-+		return nt_status;
- 	}
- 
- 	/* give a chance for a passwordless NTLMSSP session setup */
- 	pwd = getpwuid(geteuid());
- 	if (pwd == NULL) {
--		return NULL;
--	}
--
--	cli = smb_complete_connection(myname, server, port, pwd->pw_name, "",
--				      workgroup, share, 0, need_auth);
--
--	if (cli) {
-+		return NT_STATUS_ACCESS_DENIED;
-+	}
-+
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    pwd->pw_name,
-+					    "",
-+					    workgroup,
-+					    share,
-+					    0);
-+	if (NT_STATUS_IS_OK(nt_status)) {
- 		fputs("DEBUG: Connected with NTLMSSP...\n", stderr);
--		return (cli);
-+
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
- 	}
- 
- 	/*
-          * last try. Use anonymous authentication
-          */
- 
--	cli = smb_complete_connection(myname, server, port, "", "",
--				      workgroup, share, 0, need_auth);
--	/*
--         * Return the new connection...
--         */
--
--	return (cli);
-+	nt_status = smb_complete_connection(&cli,
-+					    myname,
-+					    server,
-+					    port,
-+					    "",
-+					    "",
-+					    workgroup,
-+					    share,
-+					    0);
-+	if (NT_STATUS_IS_OK(nt_status)) {
-+		*output_cli = cli;
-+		return NT_STATUS_OK;
-+	}
-+
-+	return nt_status;
- }
- 
- 
-@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s opening remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status);
-+		return get_exit_code(nt_status);
- 	}
- 
- 	/*
-@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 		status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
- 				      tbytes, nbytes, NULL);
- 		if (!NT_STATUS_IS_OK(status)) {
--			int ret = get_exit_code(cli, status);
-+			int ret = get_exit_code(status);
- 			fprintf(stderr, "ERROR: Error writing spool: %s\n",
- 				nt_errstr(status));
- 			fprintf(stderr, "DEBUG: Returning status %d...\n",
-@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli,	/* I - SMB connection */
- 	if (!NT_STATUS_IS_OK(nt_status)) {
- 		fprintf(stderr, "ERROR: %s closing remote spool %s\n",
- 			nt_errstr(nt_status), title);
--		return get_exit_code(cli, nt_status);
-+		return get_exit_code(nt_status);
- 	} else {
- 		return (0);
- 	}
--- 
-2.21.0
-
-From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 18 Jun 2019 14:43:50 +0200
-Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba
-
-Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the
-function we provide in krb5samba.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8)
----
- source3/wscript_build | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/wscript_build b/source3/wscript_build
-index 1ebb006781a..26e251f442a 100644
---- a/source3/wscript_build
-+++ b/source3/wscript_build
-@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
-                  deps='''
-                       DYNCONFIG
-                       cups
--                      krb5
-+                      krb5samba
-                       ''',
-                  install_path='${LIBEXECDIR}/samba',
-                  enabled=bld.CONFIG_SET('HAVE_CUPS'))
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch
deleted file mode 100644
index d72091e..0000000
--- a/SOURCES/samba-4.10-fix_smbspool_username_password.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001
-From: Bryan Mason <bmason@redhat.com>
-Date: Mon, 16 Sep 2019 12:35:06 -0700
-Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI
-
-CUPS sanitizes argv[0] by removing username/password, so use
-DEVICE_URI environment variable first.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128
-
-Signed-off-by: Bryan Mason <bmason@redhat.com>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184
-
-(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931)
----
- source3/client/smbspool.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
-index ad988eb0df9..36f7f67ca94 100644
---- a/source3/client/smbspool.c
-+++ b/source3/client/smbspool.c
-@@ -256,13 +256,15 @@ main(int argc,			/* I - Number of command-line arguments */
- 
- 	/*
- 	 * Find the URI ...
--	 */
--	if (dev_uri == NULL) {
--		env = getenv("DEVICE_URI");
--		if (env != NULL && env[0] != '\0') {
--			dev_uri = env;
--		}
--	}
-+         *
-+         * The URI in argv[0] is sanitized to remove username/password, so
-+         * use DEVICE_URI if available. Otherwise keep the URI already
-+         * discovered in argv.
-+         */
-+        env = getenv("DEVICE_URI");
-+        if (env != NULL && env[0] != '\0') {
-+          dev_uri = env;
-+        }
- 
- 	if (dev_uri == NULL) {
- 		fprintf(stderr,
--- 
-2.23.0
-
diff --git a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
deleted file mode 100644
index 6f7ca74..0000000
--- a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 2d783791856be182d420555d8df5e31768b0d7d2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 12 Sep 2019 16:39:10 +0200
-Subject: [PATCH] s3-winbindd: fix forest trusts with additional trust
- attributes.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130
-
-Guenther
-
-Signed-off-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26)
----
- source3/winbindd/winbindd_ads.c  | 2 +-
- source3/winbindd/winbindd_util.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
-index 5f20cfb7f76..485ca831be9 100644
---- a/source3/winbindd/winbindd_ads.c
-+++ b/source3/winbindd/winbindd_ads.c
-@@ -1457,7 +1457,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
- 		 */
- 
- 		if ((trust->trust_attributes
--		     == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
-+		     & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) &&
- 		    !domain->primary )
- 		{
- 			DEBUG(10,("trusted_domains: Skipping external trusted "
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index cc4c3f7391a..ee7651c9639 100644
---- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -723,7 +723,7 @@ static void rescan_forest_trusts( void )
- 
- 		if ( (flags & NETR_TRUST_FLAG_INBOUND) &&
- 		     (type == LSA_TRUST_TYPE_UPLEVEL) &&
--		     (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
-+		     (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) )
- 		{
- 			/* add the trusted domain if we don't know
- 			   about it */
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
deleted file mode 100644
index c196b55..0000000
--- a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001
-From: Evgeny Sinelnikov <sin@altlinux.org>
-Date: Wed, 31 Jul 2019 23:17:20 +0400
-Subject: [PATCH] s3:ldap: Fix join with don't exists machine account
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add check for requested replies of existing machine object during join
-machine to domain. This solves regression fail during join with error:
-"None of the information to be translated has been translated."
-
-https://bugzilla.samba.org/show_bug.cgi?id=14007
-
-Reviewed-by: Guenther Deschner <gd@samba.org>
-Reviewed-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Wed Sep  4 17:02:37 UTC 2019 on sn-devel-184
----
- source3/libads/ldap.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
-index 4f3d43b02b1..2110390b65f 100644
---- a/source3/libads/ldap.c
-+++ b/source3/libads/ldap.c
-@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
- 	}
- 
- 	ret = ads_find_machine_acct(ads, &res, machine_escaped);
--	ads_msgfree(ads, res);
--	if (ADS_ERR_OK(ret)) {
-+	if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) {
- 		DBG_DEBUG("Host account for %s already exists.\n",
- 				machine_escaped);
- 		ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
-+		ads_msgfree(ads, res);
- 		goto done;
- 	}
-+	ads_msgfree(ads, res);
- 
- 	new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
- 	samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
--- 
-2.21.0
-
diff --git a/SOURCES/samba-4.10.13.tar.asc b/SOURCES/samba-4.10.13.tar.asc
new file mode 100644
index 0000000..52c7fd5
--- /dev/null
+++ b/SOURCES/samba-4.10.13.tar.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXim+jBUcc2FtYmEtYnVn
+c0BzYW1iYS5vcmcACgkQbzORW2Vot+oozACfbyVyqQ3idZj8ukEB/l7/4Hdp2JEA
+n1sm6+H+pWwmgi66wTKGJ4L+dpa1
+=eWDt
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc
deleted file mode 100644
index 29f805c..0000000
--- a/SOURCES/samba-4.10.4.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn
-c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA
-n3v79/BJYEuD3vw98M5nW4GBN6C9
-=/Xfk
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
deleted file mode 100644
index 61635f8..0000000
--- a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 23 May 2019 13:33:21 -0700
-Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts.
-
-Previously the private context was caching a pointer to
-a string returned from lp_XXX(). This string can change
-on config file reload. Ensure the string is talloc_strup'ed
-onto the owning context instead.
-
-Reported by Heinrich Mislik <Heinrich.Mislik@univie.ac.at>
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab)
----
- source3/winbindd/idmap_script.c | 20 ++++++++++++++++----
- source3/winbindd/idmap_tdb2.c   | 22 +++++++++++++++++-----
- 2 files changed, 33 insertions(+), 9 deletions(-)
-
-diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
-index 7ad6b806fb8..f382f896b35 100644
---- a/source3/winbindd/idmap_script.c
-+++ b/source3/winbindd/idmap_script.c
-@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
- 	NTSTATUS ret;
- 	struct idmap_script_context *ctx;
- 	const char * idmap_script = NULL;
-+	const char *ctx_script = NULL;
- 
- 	DEBUG(10, ("%s called ...\n", __func__));
- 
-@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
- 		goto failed;
- 	}
- 
--	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
-+	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
- 
- 	/* Do we even need to handle this? */
- 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
-@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
- 			  " Please use 'idmap config * : script' instead!\n"));
- 	}
- 
--	if (strequal(dom->name, "*") && ctx->script == NULL) {
-+	if (strequal(dom->name, "*") && ctx_script == NULL) {
- 		/* fall back to idmap:script for backwards compatibility */
--		ctx->script = idmap_script;
-+		ctx_script = idmap_script;
- 	}
- 
--	if (ctx->script) {
-+	if (ctx_script) {
- 		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
-+		/*
-+		 * We must ensure this memory is owned by ctx.
-+		 * The ctx_script const pointer is a pointer into
-+		 * the config file data and may become invalid
-+		 * on config file reload. BUG: 13956
-+		 */
-+		ctx->script = talloc_strdup(ctx, ctx_script);
-+		if (ctx->script == NULL) {
-+			ret = NT_STATUS_NO_MEMORY;
-+			goto failed;
-+		}
- 	}
- 
- 	dom->private_data = ctx;
-diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
-index b784546bb33..eceab9c0784 100644
---- a/source3/winbindd/idmap_tdb2.c
-+++ b/source3/winbindd/idmap_tdb2.c
-@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
- 	struct idmap_tdb_common_context *commonctx;
- 	struct idmap_tdb2_context *ctx;
- 	const char * idmap_script = NULL;
-+	const char *ctx_script = NULL;
- 
- 	commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
- 	if(!commonctx) {
-@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
- 		goto failed;
- 	}
- 
--	ctx->script = idmap_config_const_string(dom->name, "script", NULL);
-+	ctx_script = idmap_config_const_string(dom->name, "script", NULL);
- 
- 	idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
- 	if (idmap_script != NULL) {
-@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
- 			  " Please use 'idmap config * : script' instead!\n"));
- 	}
- 
--	if (strequal(dom->name, "*") && ctx->script == NULL) {
-+	if (strequal(dom->name, "*") && ctx_script == NULL) {
- 		/* fall back to idmap:script for backwards compatibility */
--		ctx->script = idmap_script;
-+		ctx_script = idmap_script;
- 	}
- 
--	if (ctx->script) {
--		DEBUG(1, ("using idmap script '%s'\n", ctx->script));
-+	if (ctx_script) {
-+		DEBUG(1, ("using idmap script '%s'\n", ctx_script));
-+		/*
-+		 * We must ensure this memory is owned by ctx.
-+		 * The ctx_script const pointer is a pointer into
-+		 * the config file data and may become invalid
-+		 * on config file reload. BUG: 13956
-+		 */
-+		ctx->script = talloc_strdup(ctx, ctx_script);
-+		if (ctx->script == NULL) {
-+			ret = NT_STATUS_NO_MEMORY;
-+			goto failed;
-+		}
- 	}
- 
- 	commonctx->max_id = dom->high_id;
--- 
-2.22.0.rc1.257.g3120a18244-goog
-
diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
new file mode 100644
index 0000000..5bf463b
--- /dev/null
+++ b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
@@ -0,0 +1,75 @@
+From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <ab@samba.org>
+Date: Tue, 7 Jan 2020 19:25:53 +0200
+Subject: [PATCH 1/2] s3-rpcserver: fix security level check for
+ DsRGetForestTrustInformation
+
+Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which
+didn't change since DCE RPC channel refactoring.
+
+With the current code we return RPC faul as can be seen in the logs:
+
+2019/12/11 17:12:55.463081,  1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug)
+       netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation
+          in: struct netr_DsRGetForestTrustInformation
+              server_name              : *
+                  server_name              : '\\some-dc.example.com'
+              trusted_domain_name      : NULL
+              flags                    : 0x00000000 (0)
+[2019/12/11 17:12:55.463122,  4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP)
+  api_rpcTNP: fault(5) return.
+
+This is due to this check in processing a request:
+        if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+                       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+                p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+                return WERR_ACCESS_DENIED;
+        }
+
+and since we get AuthZ response,
+
+  Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC]
+  Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445]
+[2019/12/11 17:12:55.461584,  4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
+  JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000",
+   "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1},
+   "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017",
+   "serviceDescription": "netlogon", "authType": "ncacn_np",
+   "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500",
+   "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC",
+   "transportProtection": "SMB", "accountFlags": "0x00000010"}}
+
+this means we are actually getting anonymous DCE/RPC access to netlogon
+on top of authenticated SMB connection. In such case we have exactly
+auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to
+DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error.
+
+Update the code to follow the same security level check as in s4 variant
+of the call.
+
+Signed-off-by: Alexander Bokovoy <ab@samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index cbbf9feedc7..52b17c10e61 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p,
+ {
+ 	NTSTATUS status;
+ 	struct lsa_ForestTrustInformation *info, **info_ptr;
++	enum security_user_level security_level;
+ 
+-	if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE)
+-		       && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) {
+-		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
++	security_level = security_session_user_level(p->session_info, NULL);
++	if (security_level < SECURITY_USER) {
+ 		return WERR_ACCESS_DENIED;
+ 	}
+ 
+-- 
+2.24.1
+
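Review bot: The rewritten access check in `_netr_DsRGetForestTrustInformation` drops both the `p->pipe_bound` test and the `p->fault_state = DCERPC_FAULT_ACCESS_DENIED` assignment, and nothing next to the new lines says why. The check now authorizes on the session behind the pipe (`security_session_user_level(p->session_info, NULL)`) instead of the DCE/RPC bind, so, per the commit message, an unauthenticated bind over an authenticated SMB session is accepted on purpose. A comment above the check would stop a later reader from restoring the stricter test, e.g. `/* Authorize on the session, not the DCE/RPC auth level: an anonymous bind over an authenticated SMB session is valid here (same as source4). */`. It is also worth confirming that returning `WERR_ACCESS_DENIED` without raising a fault is intended; presumably it matches source4, which is not visible here. The function starts before this hunk and continues past it.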
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 70a637d..3bbc5cc 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,9 +6,9 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 6
+%define main_release 2
 
-%define samba_version 4.10.4
+%define samba_version 4.10.13
 %define talloc_version 2.1.16
 %define tdb_version 1.3.18
 %define tevent_version 0.9.39
@@ -127,12 +127,12 @@ Source14: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 
-Patch0:         samba-4.10-fix_smbspool.patch
-Patch1:         samba-4.10.6-fix_idmap_tdb2.patch
-Patch2:         samba-4.10-net_ads_join_createcomputer.patch
-Patch3:         CVE-2019-10197-v4-10-metze03.patches.txt
-Patch4:         samba-4.10-fix_smbspool_username_password.patch
-Patch5:         samba-4.10-fix_winbind_trustdom_enum.patch
+# Set the libldb requirement back to 1.5.4, we don't need a newer version as
+# we only build Samba FS.
+Patch0:    libldb-require-version-1.5.4.patch
+Patch1:    samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
+Patch2:    samba-4.10-fix_smblcient_mkdir_debug_message.patch
+Patch3:    net-ads-keytab-create-upn.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -1143,10 +1143,12 @@ fi
 /sbin/ldconfig
 
 %preun -n libwbclient
-%{_sbindir}/update-alternatives \
-        --remove \
-        libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
-        %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+if [ $1 -eq 0 ]; then
+    %{_sbindir}/update-alternatives \
+            --remove \
+            libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \
+            %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version}
+fi
 /sbin/ldconfig
 
 %posttrans -n libwbclient-devel
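Review bot: The new `if [ $1 -eq 0 ]` guard in `%preun -n libwbclient` has no comment saying what `$1` means, and the same guard is added in the next hunk around the `readlink` check. In an RPM scriptlet `$1` is the number of instances of the package left after the transaction, so the guard limits `update-alternatives --remove` to a final erase and leaves an administrator's alternatives setting alone on upgrade. I would add `# $1 == 0: final erase; keep the alternatives entry on upgrade` above both guards. Note that `/sbin/ldconfig` stays outside the guard and still runs on every invocation.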
@@ -1162,10 +1164,12 @@ fi
 # When downgrading to a version where alternatives is not used and
 # libwbclient.so is a link and not a file it will be removed. The following
 # check removes the alternatives files manually if that is the case.
-if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
-    /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
-else
-    %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+if [ $1 -eq 0 ]; then
+    if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
+        /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+    else
+        %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+    fi
 fi
 
 %endif # with_libwbclient
@@ -2199,6 +2203,7 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/glue.py*
 %{python_sitearch}/samba/tests/graph.py*
 %{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/ldap_referrals.py*
 %{python_sitearch}/samba/tests/libsmb.py*
 %{python_sitearch}/samba/tests/join.py*
 %{python_sitearch}/samba/tests/lsa_string.py*
@@ -2228,9 +2233,11 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/provision.py*
 %{python_sitearch}/samba/tests/py_credentials.py*
 %{python_sitearch}/samba/tests/registry.py*
+%{python_sitearch}/samba/tests/samba_upgradedns_lmdb*
 %{python_sitearch}/samba/tests/samba3sam.py*
 %{python_sitearch}/samba/tests/samdb.py*
 %{python_sitearch}/samba/tests/smbd_base.py*
+%{python_sitearch}/samba/tests/smbd_fuzztest.py*
 %{python_sitearch}/samba/tests/security.py*
 %{python_sitearch}/samba/tests/source.py*
 %{python_sitearch}/samba/tests/strings.py*
@@ -2253,6 +2260,7 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
 %{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
 %{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+%{python_sitearch}/samba/tests/blackbox/undoguididx.py*
 
 %dir %{python_sitearch}/samba/tests/dcerpc
 %{python_sitearch}/samba/tests/dcerpc/__init__.py*
@@ -2535,7 +2543,6 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/sock_io_test
 %{_libexecdir}/ctdb/tests/srvid_test
 %{_libexecdir}/ctdb/tests/system_socket_test
-%{_libexecdir}/ctdb/tests/test_mutex_raw
 %{_libexecdir}/ctdb/tests/transaction_loop
 %{_libexecdir}/ctdb/tests/tunnel_cmd
 %{_libexecdir}/ctdb/tests/tunnel_test
@@ -3263,11 +3270,38 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
-* Fri Oct 04 2019 Andreas Schneider <asn@redhat.com> - 4.10.5-6
+* Thu Apr 16 2020 Isaac Boukris <iboukris@redhat.com> - 4.10.13-2
+- resolves: #1810511 - Fix net-ads-keytab-create to include UPN
+
+* Mon Feb 03 2020 Andreas Schneider <asn@redhat.com> - 4.10.13-1
+- resolves: #1785121 - Rebase to vesion 4.10.13
+- resolves: #1791208 - Fix CVE-2019-14907
+- resolves: #1737888 - Fix manual libwbclient alternative settings
+- resolves: #1634057 - Return correct stat for SMB1 with POSIX extensions
+
+* Mon Feb 03 2020 Andreas Schneider <asn@redhat.com> - 4.10.4-11
+- resolves: #1791823 - Fix Kerberos authentication with trusted domains
+- resolves: #1781231 - Fix smbclient mkdir log spam
+- resolves: #1776333 - Fix client tools log spam about messaging
+
+* Wed Jan 08 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.10.4-10
+- resolves: #1786324 - fix security level check for DsRGetForestTrustInformation
+
+* Thu Oct 31 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-9
+- resolves: #1764468 - Fix CVE-2019-10218
+
+* Wed Oct 30 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-8
+- resolves: #1656541 - Fix join using netbios name
+
+* Mon Oct 14 2019 Isaac Boukris <iboukris@redhat.com> - 4.10.4-7
+- resolves: #1657428 - Fix spnego downgrade
+- resolves: #1663064 - Fix net ads join in hardened environments
+
+* Fri Oct 04 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-6
 - resolves: #1753254 - Fix trusted domain enumeration in windind caused
                        a Active Directory update
 
-* Thu Sep 19 2019 Andreas Schneider <asn@redhat.com> - 4.10.5-5
+* Thu Sep 19 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-5
 - resolves: #1751335 - Fix username/passwd auth with smbspool
 
 * Mon Sep 16 2019 Andreas Schneider <asn@redhat.com> - 4.10.4-4