diff --git a/.gitignore b/.gitignore
index 99161ff..a811c88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.10.4.tar.xz
+SOURCES/samba-4.10.13.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 1e4e8c9..701a5b3 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
+05276fe34eccbb090f259d3c2e632d71c732a19b SOURCES/samba-4.10.13.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
deleted file mode 100644
index eec8124..0000000
--- a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
+++ /dev/null
@@ -1,393 +0,0 @@ -From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 12 Jul 2019 12:10:35 -0700 -Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug - info into a new function. - -Will be called on elsewhere on successful impersonation. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -Reviewed-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 37 +++++++++++++++++++++++-------------- - 1 file changed, 23 insertions(+), 14 deletions(-) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index a4bcb747d37e..ce8e8d92131c 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn, - return(True); - } - -+static void print_impersonation_info(connection_struct *conn) -+{ -+ struct smb_filename *cwdfname = NULL; -+ -+ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) { -+ return; -+ } -+ -+ cwdfname = vfs_GetWd(talloc_tos(), conn); -+ if (cwdfname == NULL) { -+ return; -+ } -+ -+ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -+ (int)getuid(), -+ (int)geteuid(), -+ (int)getgid(), -+ (int)getegid(), -+ cwdfname->base_name); -+ TALLOC_FREE(cwdfname); -+} -+ - /**************************************************************************** - Become the user of a connection number without changing the security context - stack, but modify the current_user entries. 
-@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.done_chdir = true; - } - -- if (CHECK_DEBUGLVL(DBGLVL_INFO)) { -- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn); -- if (cwdfname == NULL) { -- return false; -- } -- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", -- (int)getuid(), -- (int)geteuid(), -- (int)getgid(), -- (int)getegid(), -- cwdfname->base_name); -- TALLOC_FREE(cwdfname); -- } -- -+ print_impersonation_info(conn); - return true; - } - --- -2.17.1 - - -From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:01:29 +0200 -Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that - change_to_user_internal() always resets current_user.done_chdir - -We should not leave current_user.done_chdir as true if we didn't call -chdir_current_service() with success. - -This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when -chdir_current_service() worked once on one share but later failed on another -share. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - source3/smbd/uid.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index ce8e8d92131c..77a81f602988 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn, - current_user.conn = conn; - current_user.vuid = vuid; - current_user.need_chdir = conn->tcon_done; -+ current_user.done_chdir = false; - - if (current_user.need_chdir) { - ok = chdir_current_service(conn); --- -2.17.1 - - -From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 18 Jun 2019 14:04:08 +0200 -Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset - current_user.{need,done}_chdir in become_root() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - source3/smbd/uid.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 77a81f602988..50868ba8572a 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -624,6 +624,9 @@ void smbd_become_root(void) - } - push_conn_ctx(); - set_root_sec_ctx(); -+ -+ current_user.need_chdir = false; -+ current_user.done_chdir = false; - } - - /* Unbecome the root user */ --- -2.17.1 - - -From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 30 Jul 2019 17:16:59 +0200 -Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own - independent subdirectory - -The next patch will otherwise break the fsrvp related tests. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/target/Samba3.pm | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 9d88253c9fe7..f7eb314138a0 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$) - my $widelinks_linkdir="$shrdir/widelinks_foo"; - push(@dirs,$widelinks_linkdir); - -+ my $fsrvp_shrdir="$shrdir/fsrvp"; -+ push(@dirs,$fsrvp_shrdir); -+ - my $shadow_tstdir="$shrdir/shadow"; - push(@dirs,$shadow_tstdir); - my $shadow_mntdir="$shadow_tstdir/mount"; -@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$) - guest ok = yes - - [fsrvp_share] -- path = $shrdir -+ path = $fsrvp_shrdir - comment = fake shapshots using rsync - vfs objects = shell_snap shadow_copy2 - shell_snap:check path command = $fake_snap_pl --check - shell_snap:create command = $fake_snap_pl --create - shell_snap:delete command = $fake_snap_pl --delete - # a relative path here fails, the snapshot dir is no longer found -- shadow:snapdir = $shrdir/.snapshots -+ shadow:snapdir = $fsrvp_shrdir/.snapshots - - [shadow1] - path = $shadow_shrdir --- -2.17.1 - - -From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 16 Jul 2019 15:40:38 +0200 -Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test - for the no permission on share root problem - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher ---- - selftest/knownfail.d/CVE-2019-10197 | 1 + - selftest/target/Samba3.pm | 12 +++++++++ - source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++ - 3 files changed, 43 insertions(+) - create mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -new file mode 100644 -index 
000000000000..f7056bbf3ad4 ---- /dev/null -+++ b/selftest/knownfail.d/CVE-2019-10197 -@@ -0,0 +1 @@ -+^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index f7eb314138a0..2f491441815f 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$) - my $ro_shrdir="$shrdir/root-tmp"; - push(@dirs,$ro_shrdir); - -+ my $noperm_shrdir="$shrdir/noperm-tmp"; -+ push(@dirs,$noperm_shrdir); -+ - my $msdfs_shrdir="$shrdir/msdfsshare"; - push(@dirs,$msdfs_shrdir); - -@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$) - chmod 0755, $piddir; - - -+ ## -+ ## Create a directory without permissions to enter -+ ## -+ chmod 0000, $noperm_shrdir; -+ - ## - ## create ro and msdfs share layout - ## -@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$) - [ro-tmp] - path = $ro_shrdir - guest ok = yes -+[noperm] -+ path = $noperm_shrdir -+ wide links = yes -+ guest ok = yes - [write-list-tmp] - path = $shrdir - read only = yes -diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh -index bf033ccd2fbf..0bae1d78fac9 100755 ---- a/source3/script/tests/test_smbclient_s3.sh -+++ b/source3/script/tests/test_smbclient_s3.sh -@@ -1329,6 +1329,32 @@ EOF - fi - } - -+# -+# Regression test for CVE-2019-10197 -+# we should always get ACCESS_DENIED -+# -+test_noperm_share_regression() -+{ -+ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1' -+ eval echo "$cmd" -+ out=`eval $cmd` -+ ret=$? 
-+ if [ $ret -eq 0 ] ; then -+ echo "$out" -+ echo "failed accessing no perm share should not work" -+ return 1 -+ fi -+ -+ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l` -+ if [ "$num" -ne "2" ] ; then -+ echo "$out" -+ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected" -+ return 1 -+ fi -+ -+ return 0 -+} -+ - # Test smbclient deltree command - test_deltree() - { -@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \ - test_local_symlinks || \ - failed=`expr $failed + 1` - -+testit "noperm share regression" \ -+ test_noperm_share_regression || \ -+ failed=`expr $failed + 1` -+ - testit "smbclient deltree command" \ - test_deltree || \ - failed=`expr $failed + 1` --- -2.17.1 - - -From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 11 Jul 2019 17:02:15 +0200 -Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate() - out of change_to_user_internal() - -This makes sure we always call chdir_current_service() even -when we still impersonated the user. Which is important -in order to run the SMB* request within the correct working directory -and only if the user has permissions to enter that directory. - -It makes sure we always update conn->lastused_count -in chdir_current_service() for each request. - -Note that vfs_ChDir() (called from chdir_current_service()) -maintains its own cache and avoids calling SMB_VFS_CHDIR() -if possible. - -It means we still avoid syscalls if we get a multiple requests -for the same session/tcon tuple. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme ---- - selftest/knownfail.d/CVE-2019-10197 | 1 - - source3/smbd/uid.c | 21 +++++++++++++++++---- - 2 files changed, 17 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/CVE-2019-10197 - -diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 -deleted file mode 100644 -index f7056bbf3ad4..000000000000 ---- a/selftest/knownfail.d/CVE-2019-10197 -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.blackbox.smbclient_s3.*.noperm.share.regression -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 50868ba8572a..5c39baade5cf 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn) - stack, but modify the current_user entries. - ****************************************************************************/ - --static bool change_to_user_internal(connection_struct *conn, -- const struct auth_session_info *session_info, -- uint64_t vuid) -+static bool change_to_user_impersonate(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) - { - int snum; - gid_t gid; -@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn, - - if ((current_user.conn == conn) && - (current_user.vuid == vuid) && -- (current_user.need_chdir == conn->tcon_done) && - (current_user.ut.uid == session_info->unix_token->uid)) - { - DBG_INFO("Skipping user change - already user\n"); -@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn, - - current_user.conn = conn; - current_user.vuid = vuid; -+ return true; -+} -+ -+static bool change_to_user_internal(connection_struct *conn, -+ const struct auth_session_info *session_info, -+ uint64_t vuid) -+{ -+ bool ok; -+ -+ ok = change_to_user_impersonate(conn, session_info, vuid); -+ if (!ok) { -+ return false; -+ } -+ - 
 current_user.need_chdir = conn->tcon_done; - current_user.done_chdir = false; - --- -2.17.1 -
diff --git a/SOURCES/libldb-require-version-1.5.4.patch b/SOURCES/libldb-require-version-1.5.4.patch
new file mode 100644
index 0000000..ef33d66
--- /dev/null
+++ b/SOURCES/libldb-require-version-1.5.4.patch
@@ -0,0 +1,13 @@
+Index: samba-4.10.13/lib/ldb/wscript
+===================================================================
+--- samba-4.10.13.orig/lib/ldb/wscript
++++ samba-4.10.13/lib/ldb/wscript
+@@ -1,7 +1,7 @@
+ #!/usr/bin/env python
+ 
+ APPNAME = 'ldb'
+ 
+-VERSION = '1.5.6'
++VERSION = '1.5.4'
+ 
+ import sys, os
+ 
diff --git a/SOURCES/net-ads-keytab-create-upn.patch b/SOURCES/net-ads-keytab-create-upn.patch
new file mode 100644
index 0000000..bec2f26
--- /dev/null
+++ b/SOURCES/net-ads-keytab-create-upn.patch
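Review bot: The new patch lowers the bundled ldb `VERSION` from '1.5.6' to '1.5.4' without recording why; the likely reading is that the build is being made to accept the distribution's libldb 1.5.4, whose version samba's configure compares against the bundled one, in which case any ldb fix released between 1.5.4 and 1.5.6 that samba 4.10.13 assumes is simply absent at runtime. A short rationale above the `Index:` line, naming the system libldb package it is paired with and that it must be re-evaluated on every rebase, would let the next packager judge that trade-off, e.g. `Build against the distribution libldb (package version: <fill in>) instead of the 1.5.6 that 4.10.13 bundles; drop once the system ldb catches up.`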
@@ -0,0 +1,83 @@
+From d813722a34597dd33d06a558de6bc6cc2c2adb97 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 3 Apr 2020 15:58:28 +0200
+Subject: [PATCH 1/2] s3:libads: Fix ads_get_upn()
+
+This adds the userPrincipalName to ads_find_machine_acct() which
+fetches the data for us.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14336
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Alexander Bokovoy
+(cherry picked from commit ec69752cb963ae850568d3f4905d2941e485627e)
+---
+ source3/libads/ldap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 979192eb3ed..8ad76ed0ae9 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1373,6 +1373,7 @@ char *ads_parent_dn(const char *dn)
+ "userAccountControl",
+ "DnsHostName",
+ "ServicePrincipalName",
++ "userPrincipalName",
+ "unicodePwd",
+ 
+ /* Additional attributes Samba checks */
+-- 
+2.26.0
+
+
+From 9ecf7552c15ca4c7ff71b5c9348aae03b0012bc0 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 3 Apr 2020 15:40:48 +0200
+Subject: [PATCH 2/2] testprogs: Add 'net ads join createupn' test also
+ verifying the keytab
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14336
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Alexander Bokovoy
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Mon Apr 6 19:09:53 UTC 2020 on sn-devel-184
+
+(cherry picked from commit c4be195da2845be4f64e47883e3c911dedd90e48)
+---
+ testprogs/blackbox/test_net_ads.sh | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index 8bcff006b8e..95c0cf76f90 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -237,6 +237,23 @@ testit "leave+createcomputer" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_P
+ 
+ testit "Remove OU=Servers" $VALGRIND $ldbdel -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER 
"OU=Servers,$base_dn"
+ 
++#
++# Test createupn option of 'net ads join'
++#
++testit "join+createupn" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD createupn="host/test-$HOSTNAME@$REALM" || failed=`expr $failed + 1`
++
++testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
++
++dedicated_keytab_file="$PREFIX_ABS/test_net_create_dedicated_krb5.keytab"
++
++testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++testit_grep "checkupn+keytab" "host/test-$HOSTNAME@$REALM" $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++
++rm -f $dedicated_keytab_file
++
++testit "leave+createupn" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
+ rm -rf $BASEDIR/$WORKDIR
+ 
+ exit $failed
+-- 
+2.26.0
+
diff --git a/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
new file mode 100644
index 0000000..ff175fe
--- /dev/null
+++ b/SOURCES/samba-4.10-fix_smblcient_mkdir_debug_message.patch
@@ -0,0 +1,48 @@
+From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 27 Jan 2020 14:58:10 +0100
+Subject: [PATCH] lib:util: Log mkdir error on correct debug levels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For smbd we want an error and for smbclient we only want it in NOTICE
+debug level.
+The default log level of smbclient is log level 1 so we need notice to
+not spam the user.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+
+Autobuild-User(master): Günther Deschner
+Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184
+
+(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1)
+---
+ lib/util/util.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/util.c b/lib/util/util.c
+index 3bdeded5c1b..0d9ffe5cb7b 100644
+--- a/lib/util/util.c
++++ b/lib/util/util.c
+@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname,
+ old_umask = umask(0);
+ ret = mkdir(dname, dir_perms);
+ if (ret == -1 && errno != EEXIST) {
+- DBG_WARNING("mkdir failed on directory %s: %s\n",
++ int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;
++
++ DBG_PREFIX(dbg_level,
++ ("mkdir failed on directory %s: %s\n",
+ dname,
+- strerror(errno));
++ strerror(errno)));
+ umask(old_umask);
+ return false;
+ }
+-- 
+2.25.0
+
diff --git a/SOURCES/samba-4.10-fix_smbspool.patch b/SOURCES/samba-4.10-fix_smbspool.patch
deleted file mode 100644
index fa12f06..0000000
--- a/SOURCES/samba-4.10-fix_smbspool.patch
+++ /dev/null
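Review bot: The `geteuid() == 0` test in the added `dbg_level` line stands in for "this is smbd rather than smbclient", which is how the commit message frames it, but it is only a proxy: smbclient run as root now logs the failure at ERR, and any unprivileged caller of directory_create_or_exist() drops to NOTICE. The lookup also sits between the failing `mkdir()` and the `strerror(errno)` a few lines below; POSIX documents geteuid() as never failing, so errno survives today, but saving it first keeps the message correct if anything else is inserted there later: `int saved_errno = errno;` before the `dbg_level` line and `strerror(saved_errno)` in the DBG_PREFIX call. A one-line comment on the `dbg_level` line, `/* euid 0 is taken to mean smbd: log as error; otherwise (smbclient) only at notice level */`, would record the intent. directory_create_or_exist() begins and ends outside this hunk.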
@@ -1,1127 +0,0 @@ -From 16056895403f3c673dc5adc531b7e739d46292fb Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:55:49 +0200 -Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups - -This is required to access files in /var/spool/cups which have been -temporarily created in there by CUPS. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b) ---- - source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 5c4da33238b..e6684fc0d0c 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -82,6 +82,7 @@ int main(int argc, char *argv[]) - { - char smbspool_cmd[PATH_MAX] = {0}; - struct passwd *pwd; -+ struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; - struct stat sb; - char *env = NULL; -@@ -89,6 +90,7 @@ int main(int argc, char *argv[]) - char device_uri[4096] = {0}; - uid_t uid = (uid_t)-1; - gid_t gid = (gid_t)-1; -+ gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; - int cmp; - int rc; -@@ -176,6 +178,26 @@ int main(int argc, char *argv[]) - return CUPS_BACKEND_FAILED; - } - -+ /* -+ * We need the primary group of the 'lp' user. This is needed to access -+ * temporary files in /var/spool/cups/. 
-+ */ -+ g = getgrnam("lp"); -+ if (g == NULL) { -+ CUPS_SMB_ERROR("Failed to find user 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ -+ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid); -+ groups[0] = g->gr_gid; -+ rc = setgroups(sizeof(groups), groups); -+ if (rc != 0) { -+ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ - CUPS_SMB_DEBUG("Switching to gid=%d", gid); - rc = setgid(gid); - if (rc != 0) { --- -2.21.0 - - -From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 13:41:02 +0200 -Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate - with - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5) ---- - source3/client/smbspool.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 22071613677..efbdd418fdb 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) { - return false; - } else { - krb5_principal default_princ = NULL; -+ char *princ_name = NULL; - - code = krb5_cc_get_principal(ctx, - ccache, -@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) { - krb5_free_context(ctx); - return false; - } -+ -+ code = krb5_unparse_name(ctx, -+ default_princ, -+ &princ_name); -+ if (code == 0) { -+ fprintf(stderr, -+ "DEBUG: Try to authenticate as %s\n", -+ princ_name); -+ krb5_free_unparsed_name(ctx, princ_name); -+ } - krb5_free_principal(ctx, default_princ); - } - krb5_cc_close(ctx, ccache); --- -2.21.0 - - -From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 14:25:00 +0200 -Subject: [PATCH 3/9] s3:smbspool: Add 
debug for finding KRB5CCNAME - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba) ---- - source3/client/smbspool_krb5_wrapper.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index e6684fc0d0c..2cdcd372ec6 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -219,10 +219,14 @@ int main(int argc, char *argv[]) - env = getenv("KRB5CCNAME"); - if (env != NULL && env[0] != 0) { - snprintf(gen_cc, sizeof(gen_cc), "%s", env); -+ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache", -+ gen_cc); - - goto create_env; - } - -+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -+ - snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); - - rc = lstat(gen_cc, &sb); --- -2.21.0 - - -From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:10:57 +0200 -Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858) ---- - source3/client/smbspool_krb5_wrapper.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 2cdcd372ec6..3266b90ec1a 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -227,13 +227,13 @@ int main(int argc, char *argv[]) - - CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); - -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); - - rc = lstat(gen_cc, 
&sb); - if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); - } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); - - rc = lstat(gen_cc, &sb); - if (rc == 0 && S_ISDIR(sb.st_mode)) { --- -2.21.0 - - -From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:40:43 +0200 -Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is - not set - -This could also support the new KCM credential cache storage. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3) ---- - source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++-------- - source3/wscript_build | 1 + - 2 files changed, 55 insertions(+), 25 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 3266b90ec1a..bff1df417e8 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -21,6 +21,7 @@ - - #include "includes.h" - #include "system/filesys.h" -+#include "system/kerberos.h" - #include "system/passwd.h" - - #include -@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) 
- buffer); - } - -+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len) -+{ -+ krb5_context ctx; -+ const char *ccache_name = NULL; -+ char *full_ccache_name = NULL; -+ krb5_ccache ccache = NULL; -+ krb5_error_code code; -+ -+ code = krb5_init_context(&ctx); -+ if (code != 0) { -+ return false; -+ } -+ -+ ccache_name = krb5_cc_default_name(ctx); -+ if (ccache_name == NULL) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_resolve(ctx, ccache_name, &ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name); -+ krb5_cc_close(ctx, ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ snprintf(ccache_buf, len, "%s", full_ccache_name); -+ -+#ifdef SAMBA4_USES_HEIMDAL -+ free(full_ccache_name); -+#else -+ krb5_free_string(ctx, full_ccache_name); -+#endif -+ krb5_free_context(ctx); -+ -+ return true; -+} -+ - /* - * This is a helper binary to execute smbspool. 
- * -@@ -84,7 +129,6 @@ int main(int argc, char *argv[]) - struct passwd *pwd; - struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; -- struct stat sb; - char *env = NULL; - char auth_info_required[256] = {0}; - char device_uri[4096] = {0}; -@@ -92,6 +136,7 @@ int main(int argc, char *argv[]) - gid_t gid = (gid_t)-1; - gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; -+ bool ok; - int cmp; - int rc; - -@@ -225,32 +270,16 @@ int main(int argc, char *argv[]) - goto create_env; - } - -- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -- -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -- } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0 && S_ISDIR(sb.st_mode)) { -- snprintf(gen_cc, -- sizeof(gen_cc), -- "DIR:/run/user/%d/krb5cc", -- uid); -- } else { --#if defined(__linux__) -- snprintf(gen_cc, -- sizeof(gen_cc), -- "KEYRING:persistent:%d", -- uid); --#endif -- } -+ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc)); -+ if (ok) { -+ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]", -+ gen_cc); -+ goto create_env; - } - -+ /* Fallback to a FILE ccache */ -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -+ - create_env: - /* - * Make sure we do not have LD_PRELOAD or other security relevant -diff --git a/source3/wscript_build b/source3/wscript_build -index f67ce59fe52..8e34b7d0261 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', - deps=''' - DYNCONFIG - cups -+ krb5 - ''', - install_path='${LIBEXECDIR}/samba', - enabled=bld.CONFIG_SET('HAVE_CUPS')) --- -2.21.0 - - -From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:48:31 +0200 -Subject: [PATCH 6/9] s3:smbspool: Print the filename we 
failed to open - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd) ---- - source3/client/smbspool.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index efbdd418fdb..ef16c2bed42 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -224,7 +224,9 @@ main(int argc, /* I - Number of command-line arguments */ - - fp = fopen(print_file, "rb"); - if (fp == NULL) { -- perror("ERROR: Unable to open print file"); -+ fprintf(stderr, -+ "ERROR: Unable to open print file: %s", -+ print_file); - goto done; - } - --- -2.21.0 - - -From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 18:54:02 +0200 -Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos - -If username and password is given, then fallback to NTLM. However try -kinit first. Also we correctly handle NULL passwords in the meantime and -this makes it easier to deal with issues. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d) ---- - source3/client/smbspool.c | 90 ++++++++++++++++++++++----------------- - 1 file changed, 51 insertions(+), 39 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ef16c2bed42..f21aac2ac58 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -88,8 +88,8 @@ main(int argc, /* I - Number of command-line arguments */ - int port; /* Port number */ - char uri[1024], /* URI */ - *sep, /* Pointer to separator */ -- *tmp, *tmp2, /* Temp pointers to do escaping */ -- *password; /* Password */ -+ *tmp, *tmp2; /* Temp pointers to do escaping */ -+ const char *password = NULL; /* Password */ - char *username, /* Username */ - *server, /* Server name */ - *printer;/* Printer name */ -@@ -293,8 +293,6 @@ main(int argc, /* I - Number of command-line arguments */ - if ((tmp2 = strchr_m(tmp, ':')) != NULL) { - *tmp2++ = '\0'; - password = uri_unescape_alloc(tmp2); -- } else { -- password = empty_str; - } - username = uri_unescape_alloc(tmp); - } else { -@@ -302,14 +300,15 @@ main(int argc, /* I - Number of command-line arguments */ - username = empty_str; - } - -- if ((password = getenv("AUTH_PASSWORD")) == NULL) { -- password = empty_str; -+ env = getenv("AUTH_PASSWORD"); -+ if (env != NULL && strlen(env) > 0) { -+ password = env; - } - - server = uri + 6; - } - -- if (password != empty_str) { -+ if (password != NULL) { - auth_info_required = "username,password"; - } - -@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname, - NTSTATUS nt_status; - struct cli_credentials *creds = NULL; - bool use_kerberos = false; -+ bool fallback_after_kerberos = false; - - /* Start the SMB connection */ - *need_auth = false; -@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname, - return NULL; - } - -- /* -- * We pretty 
much guarantee password must be valid or a pointer to a -- * 0 char. -- */ -- if (!password) { -- *need_auth = true; -- return NULL; -- } -- - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -- auth_info_required = "negotiate"; - use_kerberos = true; - } - -+ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) { -+ fallback_after_kerberos = true; -+ } -+ - creds = cli_session_creds_init(cli, - username, - workgroup, - NULL, /* realm */ - password, - use_kerberos, -- false, /* fallback_after_kerberos */ -+ fallback_after_kerberos, - false, /* use_ccache */ - false); /* password_is_nt_hash */ - if (creds == NULL) { -@@ -663,6 +657,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - struct cli_state *cli; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; -+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS; -+ bool use_kerberos = false; -+ const char *user = username; -+ int cmp; - - /* - * Get the names and addresses of the client and server... -@@ -672,42 +670,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - return NULL; - } - -- /* -- * See if we have a username first. 
This is for backwards compatible -- * behavior with 3.0.14a -- */ - -- if (username == NULL || username[0] == '\0') { -- if (kerberos_ccache_is_valid()) { -- goto kerberos_auth; -+ cmp = strcmp(auth_info_required, "negotiate"); -+ if (cmp == 0) { -+ if (!kerberos_ccache_is_valid()) { -+ return NULL; - } -+ user = jobusername; -+ -+ use_kerberos = true; -+ fprintf(stderr, -+ "DEBUG: Try to connect using Kerberos ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "username,password"); -+ if (cmp == 0) { -+ if (username == NULL || username[0] == '\0') { -+ return NULL; -+ } -+ -+ /* Fallback to NTLM */ -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ -+ fprintf(stderr, -+ "DEBUG: Try to connect using username/password ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "none"); -+ if (cmp == 0) { -+ fprintf(stderr, -+ "DEBUG: This backend doesn't support none auth ...\n"); -+ return NULL; - } - - cli = smb_complete_connection(myname, - server, - port, -- username, -+ user, - password, - workgroup, - share, -- 0, -+ flags, - need_auth); - if (cli != NULL) { -- fputs("DEBUG: Connected with username/password...\n", stderr); -+ fprintf(stderr, "DEBUG: SMB connection established.\n"); - return (cli); - } - --kerberos_auth: -- /* -- * Try to use the user kerberos credentials (if any) to authenticate -- */ -- cli = smb_complete_connection(myname, server, port, jobusername, "", -- workgroup, share, -- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth); -- -- if (cli) { -- fputs("DEBUG: Connected using Kerberos...\n", stderr); -- return (cli); -+ if (!use_kerberos) { -+ fprintf(stderr, "ERROR: SMB connection failed!\n"); -+ return NULL; - } - - /* give a chance for a passwordless NTLMSSP session setup */ --- -2.21.0 - - -From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 18:24:32 +0200 -Subject: [PATCH 8/9] s3:smbspool: Add debug messages to - kerberos_ccache_is_valid() - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3) ---- - source3/client/smbspool.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index f21aac2ac58..79e210dd12e 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) { - - ccache_name = krb5_cc_default_name(ctx); - if (ccache_name == NULL) { -+ DBG_ERR("Failed to get default ccache name\n"); - krb5_free_context(ctx); - return false; - } - - code = krb5_cc_resolve(ctx, ccache_name, &ccache); - if (code != 0) { -+ DBG_ERR("Failed to resolve ccache name: %s\n", -+ ccache_name); - krb5_free_context(ctx); - return false; - } else { -@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) { - ccache, - &default_princ); - if (code != 0) { -+ DBG_ERR("Failed to get default principal from " -+ "ccache: %s\n", -+ ccache_name); - krb5_cc_close(ctx, ccache); - krb5_free_context(ctx); - return false; --- -2.21.0 - - -From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 14 May 2019 11:35:46 +0200 -Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes - -This allows us to simplify some code and return better errors. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea) ---- - source3/client/smbspool.c | 250 ++++++++++++++++++++++---------------- - 1 file changed, 145 insertions(+), 105 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 79e210dd12e..ad988eb0df9 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -61,12 +61,27 @@ - * Local functions... 
- */ - --static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); -+static int get_exit_code(NTSTATUS nt_status); - static void list_devices(void); --static struct cli_state *smb_complete_connection(const char *, const char *, -- int, const char *, const char *, const char *, const char *, int, bool *need_auth); --static struct cli_state *smb_connect(const char *, const char *, int, const -- char *, const char *, const char *, const char *, bool *need_auth); -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, -+ const char *server, -+ int port, -+ const char *username, -+ const char *password, -+ const char *workgroup, -+ const char *share, -+ int flags); -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, -+ const char *server, -+ const int port, -+ const char *share, -+ const char *username, -+ const char *password, -+ const char *jobusername); - static int smb_print(struct cli_state *, const char *, FILE *); - static char *uri_unescape_alloc(const char *); - #if 0 -@@ -90,16 +105,15 @@ main(int argc, /* I - Number of command-line arguments */ - *sep, /* Pointer to separator */ - *tmp, *tmp2; /* Temp pointers to do escaping */ - const char *password = NULL; /* Password */ -- char *username, /* Username */ -- *server, /* Server name */ -+ const char *username = NULL; /* Username */ -+ char *server, /* Server name */ - *printer;/* Printer name */ - const char *workgroup; /* Workgroup */ - FILE *fp; /* File to print */ - int status = 1; /* Status of LPD job */ -- struct cli_state *cli; /* SMB interface */ -- char empty_str[] = ""; -+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; -+ struct cli_state *cli = NULL; /* SMB interface */ - int tries = 0; -- bool need_auth = true; - const char *dev_uri = NULL; - const char *env = NULL; - const char *config_file = NULL; -@@ -296,8 +310,9 @@ main(int argc, /* I - Number of command-line arguments */ - } - username = 
uri_unescape_alloc(tmp); - } else { -- if ((username = getenv("AUTH_USERNAME")) == NULL) { -- username = empty_str; -+ env = getenv("AUTH_USERNAME"); -+ if (env != NULL && strlen(env) > 0) { -+ username = env; - } - - env = getenv("AUTH_PASSWORD"); -@@ -369,27 +384,39 @@ main(int argc, /* I - Number of command-line arguments */ - load_interfaces(); - - do { -- cli = smb_connect(workgroup, -- server, -- port, -- printer, -- username, -- password, -- print_user, -- &need_auth); -- if (cli == NULL) { -- if (need_auth) { -- exit(2); -+ nt_status = smb_connect(&cli, -+ workgroup, -+ server, -+ port, -+ printer, -+ username, -+ password, -+ print_user); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ status = get_exit_code(nt_status); -+ if (status == 2) { -+ fprintf(stderr, -+ "DEBUG: Unable to connect to CIFS " -+ "host: %s", -+ nt_errstr(nt_status)); -+ goto done; - } else if (getenv("CLASS") == NULL) { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. Will retry in 60 " -+ "seconds...\n", -+ nt_errstr(nt_status)); - sleep(60); - tries++; - } else { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. 
Trying next printer...\n", -+ nt_errstr(nt_status)); - goto done; - } - } -- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT)); -+ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT)); - - if (cli == NULL) { - fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries); -@@ -436,10 +463,9 @@ done: - */ - - static int --get_exit_code(struct cli_state * cli, -- NTSTATUS nt_status) -+get_exit_code(NTSTATUS nt_status) - { -- int i; -+ size_t i; - - /* List of NTSTATUS errors that are considered - * authentication errors -@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli, - }; - - -- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n", -- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status)); -+ fprintf(stderr, -+ "DEBUG: get_exit_code(nt_status=%s [%x])\n", -+ nt_errstr(nt_status), NT_STATUS_V(nt_status)); - - for (i = 0; i < ARRAY_SIZE(auth_errors); i++) { - if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) { - continue; - } - -- if (cli) { -- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); -- } -+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); - - /* - * 2 = authentication required... 
-@@ -498,16 +523,16 @@ list_devices(void) - } - - --static struct cli_state * --smb_complete_connection(const char *myname, -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, - const char *server, - int port, - const char *username, - const char *password, - const char *workgroup, - const char *share, -- int flags, -- bool *need_auth) -+ int flags) - { - struct cli_state *cli; /* New connection */ - NTSTATUS nt_status; -@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname, - bool fallback_after_kerberos = false; - - /* Start the SMB connection */ -- *need_auth = false; - nt_status = cli_start_connection(&cli, myname, server, NULL, port, - SMB_SIGNING_DEFAULT, flags); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status)); -- return NULL; -+ return nt_status; - } - - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname, - if (creds == NULL) { - fprintf(stderr, "ERROR: cli_session_creds_init failed\n"); - cli_shutdown(cli); -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - nt_status = cli_session_setup_creds(cli, creds); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - - nt_status = cli_tree_connect_creds(cli, share, "?????", creds); -@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname, - fprintf(stderr, "ERROR: Tree connect failed (%s)\n", - nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - #if 0 - /* Need to work out how to specify this on the URL. 
*/ -@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname, - } - #endif - -- return cli; -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - static bool kerberos_ccache_is_valid(void) { -@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) { - * 'smb_connect()' - Return a connection to a server. - */ - --static struct cli_state * /* O - SMB connection */ --smb_connect(const char *workgroup, /* I - Workgroup */ -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, /* I - Workgroup */ - const char *server, /* I - Server */ - const int port, /* I - Port */ - const char *share, /* I - Printer */ - const char *username, /* I - Username */ - const char *password, /* I - Password */ -- const char *jobusername, /* I - User who issued the print job */ -- bool *need_auth) --{ /* O - Need authentication? */ -- struct cli_state *cli; /* New connection */ -+ const char *jobusername) /* I - User who issued the print job */ -+{ -+ struct cli_state *cli = NULL; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; - int flags = CLI_FULL_CONNECTION_USE_KERBEROS; - bool use_kerberos = false; - const char *user = username; -- int cmp; -+ NTSTATUS nt_status; - - /* - * Get the names and addresses of the client and server... 
- */ - myname = get_myname(talloc_tos()); - if (!myname) { -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - -- cmp = strcmp(auth_info_required, "negotiate"); -- if (cmp == 0) { -+ if (strcmp(auth_info_required, "negotiate") == 0) { - if (!kerberos_ccache_is_valid()) { -- return NULL; -+ fprintf(stderr, -+ "ERROR: No valid Kerberos credential cache " -+ "found!\n"); -+ return NT_STATUS_LOGON_FAILURE; - } - user = jobusername; - - use_kerberos = true; - fprintf(stderr, - "DEBUG: Try to connect using Kerberos ...\n"); -- } -- -- cmp = strcmp(auth_info_required, "username,password"); -- if (cmp == 0) { -- if (username == NULL || username[0] == '\0') { -- return NULL; -+ } else if (strcmp(auth_info_required, "username,password") == 0) { -+ if (username == NULL) { -+ return NT_STATUS_INVALID_ACCOUNT_NAME; - } - - /* Fallback to NTLM */ -@@ -700,59 +716,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - - fprintf(stderr, - "DEBUG: Try to connect using username/password ...\n"); -- } -+ } else { -+ if (username != NULL) { -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ } else if (kerberos_ccache_is_valid()) { -+ auth_info_required = "negotiate"; - -- cmp = strcmp(auth_info_required, "none"); -- if (cmp == 0) { -- fprintf(stderr, -- "DEBUG: This backend doesn't support none auth ...\n"); -- return NULL; -+ user = jobusername; -+ use_kerberos = true; -+ } else { -+ fprintf(stderr, -+ "DEBUG: This backend requires credentials!\n"); -+ return NT_STATUS_ACCESS_DENIED; -+ } - } - -- cli = smb_complete_connection(myname, -- server, -- port, -- user, -- password, -- workgroup, -- share, -- flags, -- need_auth); -- if (cli != NULL) { -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ user, -+ password, -+ workgroup, -+ share, -+ flags); -+ if (NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "DEBUG: SMB connection established.\n"); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - if (!use_kerberos) { 
- fprintf(stderr, "ERROR: SMB connection failed!\n"); -- return NULL; -+ return nt_status; - } - - /* give a chance for a passwordless NTLMSSP session setup */ - pwd = getpwuid(geteuid()); - if (pwd == NULL) { -- return NULL; -- } -- -- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "", -- workgroup, share, 0, need_auth); -- -- if (cli) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ pwd->pw_name, -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { - fputs("DEBUG: Connected with NTLMSSP...\n", stderr); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - /* - * last try. Use anonymous authentication - */ - -- cli = smb_complete_connection(myname, server, port, "", "", -- workgroup, share, 0, need_auth); -- /* -- * Return the new connection... -- */ -- -- return (cli); -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ "", -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { -+ *output_cli = cli; -+ return NT_STATUS_OK; -+ } -+ -+ return nt_status; - } - - -@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: %s opening remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } - - /* -@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, - tbytes, nbytes, NULL); - if (!NT_STATUS_IS_OK(status)) { -- int ret = get_exit_code(cli, status); -+ int ret = get_exit_code(status); - fprintf(stderr, "ERROR: Error writing spool: %s\n", - nt_errstr(status)); - fprintf(stderr, "DEBUG: Returning status %d...\n", -@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: 
%s closing remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } else { - return (0); - } --- -2.21.0 - -From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 18 Jun 2019 14:43:50 +0200 -Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba - -Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the -function we provide in krb5samba. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8) ---- - source3/wscript_build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/wscript_build b/source3/wscript_build -index 1ebb006781a..26e251f442a 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', - deps=''' - DYNCONFIG - cups -- krb5 -+ krb5samba - ''', - install_path='${LIBEXECDIR}/samba', - enabled=bld.CONFIG_SET('HAVE_CUPS')) --- -2.21.0 - diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch deleted file mode 100644 index d72091e..0000000 --- a/SOURCES/samba-4.10-fix_smbspool_username_password.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001 -From: Bryan Mason -Date: Mon, 16 Sep 2019 12:35:06 -0700 -Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI - -CUPS sanitizes argv[0] by removing username/password, so use -DEVICE_URI environment variable first. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128 - -Signed-off-by: Bryan Mason -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184 - -(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931) ---- - source3/client/smbspool.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ad988eb0df9..36f7f67ca94 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */ - - /* - * Find the URI ... -- */ -- if (dev_uri == NULL) { -- env = getenv("DEVICE_URI"); -- if (env != NULL && env[0] != '\0') { -- dev_uri = env; -- } -- } -+ * -+ * The URI in argv[0] is sanitized to remove username/password, so -+ * use DEVICE_URI if available. Otherwise keep the URI already -+ * discovered in argv. -+ */ -+ env = getenv("DEVICE_URI"); -+ if (env != NULL && env[0] != '\0') { -+ dev_uri = env; -+ } - - if (dev_uri == NULL) { - fprintf(stderr, --- -2.23.0 - diff --git a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch b/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch deleted file mode 100644 index 6f7ca74..0000000 --- a/SOURCES/samba-4.10-fix_winbind_trustdom_enum.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 2d783791856be182d420555d8df5e31768b0d7d2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 12 Sep 2019 16:39:10 +0200 -Subject: [PATCH] s3-winbindd: fix forest trusts with additional trust - attributes. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14130 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit d78c87e665e23e6470a19a69383ede7137172c26) ---- - source3/winbindd/winbindd_ads.c | 2 +- - source3/winbindd/winbindd_util.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c -index 5f20cfb7f76..485ca831be9 100644 ---- a/source3/winbindd/winbindd_ads.c -+++ b/source3/winbindd/winbindd_ads.c -@@ -1457,7 +1457,7 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, - */ - - if ((trust->trust_attributes -- == LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) && -+ & LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) && - !domain->primary ) - { - DEBUG(10,("trusted_domains: Skipping external trusted " -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index cc4c3f7391a..ee7651c9639 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -723,7 +723,7 @@ static void rescan_forest_trusts( void ) - - if ( (flags & NETR_TRUST_FLAG_INBOUND) && - (type == LSA_TRUST_TYPE_UPLEVEL) && -- (attribs == LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) ) -+ (attribs & LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE) ) - { - /* add the trusted domain if we don't know - about it */ --- -2.21.0 - diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch deleted file mode 100644 index c196b55..0000000 --- a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001 -From: Evgeny Sinelnikov -Date: Wed, 31 Jul 2019 23:17:20 +0400 -Subject: [PATCH] s3:ldap: Fix join with don't exists machine account -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add check for requested replies of existing machine object during join -machine to domain. This solves regression fail during join with error: -"None of the information to be translated has been translated." - -https://bugzilla.samba.org/show_bug.cgi?id=14007 - -Reviewed-by: Guenther Deschner -Reviewed-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184 ---- - source3/libads/ldap.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 4f3d43b02b1..2110390b65f 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - } - - ret = ads_find_machine_acct(ads, &res, machine_escaped); -- ads_msgfree(ads, res); -- if (ADS_ERR_OK(ret)) { -+ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { - DBG_DEBUG("Host account for %s already exists.\n", - machine_escaped); - ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); -+ ads_msgfree(ads, res); - goto done; - } -+ ads_msgfree(ads, res); - - new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); - samAccountName = talloc_asprintf(ctx, "%s$", machine_name); --- -2.21.0 - diff --git a/SOURCES/samba-4.10.13.tar.asc b/SOURCES/samba-4.10.13.tar.asc new file mode 100644 index 0000000..52c7fd5 --- /dev/null +++ b/SOURCES/samba-4.10.13.tar.asc 
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXim+jBUcc2FtYmEtYnVn
+c0BzYW1iYS5vcmcACgkQbzORW2Vot+oozACfbyVyqQ3idZj8ukEB/l7/4Hdp2JEA
+n1sm6+H+pWwmgi66wTKGJ4L+dpa1
+=eWDt
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc
deleted file mode 100644
index 29f805c..0000000
--- a/SOURCES/samba-4.10.4.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn
-c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA
-n3v79/BJYEuD3vw98M5nW4GBN6C9
-=/Xfk
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
deleted file mode 100644
index 61635f8..0000000
--- a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch
+++ /dev/null
@@ -1,124 +0,0 @@ -From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 23 May 2019 13:33:21 -0700 -Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts. - -Previously the private context was caching a pointer to -a string returned from lp_XXX(). This string can change -on config file reload. Ensure the string is talloc_strup'ed -onto the owning context instead. - -Reported by Heinrich Mislik - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme -(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab) ---- - source3/winbindd/idmap_script.c | 20 ++++++++++++++++---- - source3/winbindd/idmap_tdb2.c | 22 +++++++++++++++++----- - 2 files changed, 33 insertions(+), 9 deletions(-) - -diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c -index 7ad6b806fb8..f382f896b35 100644 ---- a/source3/winbindd/idmap_script.c -+++ b/source3/winbindd/idmap_script.c -@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - NTSTATUS ret; - struct idmap_script_context *ctx; - const char * idmap_script = NULL; -+ const char *ctx_script = NULL; - - DEBUG(10, ("%s called ...\n", __func__)); - -@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - goto failed; - } - -- ctx->script = idmap_config_const_string(dom->name, "script", NULL); -+ ctx_script = idmap_config_const_string(dom->name, "script", NULL); - - /* Do we even need to handle this? 
*/ - idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL); -@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom) - " Please use 'idmap config * : script' instead!\n")); - } - -- if (strequal(dom->name, "*") && ctx->script == NULL) { -+ if (strequal(dom->name, "*") && ctx_script == NULL) { - /* fall back to idmap:script for backwards compatibility */ -- ctx->script = idmap_script; -+ ctx_script = idmap_script; - } - -- if (ctx->script) { -+ if (ctx_script) { - DEBUG(1, ("using idmap script '%s'\n", ctx->script)); -+ /* -+ * We must ensure this memory is owned by ctx. -+ * The ctx_script const pointer is a pointer into -+ * the config file data and may become invalid -+ * on config file reload. BUG: 13956 -+ */ -+ ctx->script = talloc_strdup(ctx, ctx_script); -+ if (ctx->script == NULL) { -+ ret = NT_STATUS_NO_MEMORY; -+ goto failed; -+ } - } - - dom->private_data = ctx; -diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c -index b784546bb33..eceab9c0784 100644 ---- a/source3/winbindd/idmap_tdb2.c -+++ b/source3/winbindd/idmap_tdb2.c -@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - struct idmap_tdb_common_context *commonctx; - struct idmap_tdb2_context *ctx; - const char * idmap_script = NULL; -+ const char *ctx_script = NULL; - - commonctx = talloc_zero(dom, struct idmap_tdb_common_context); - if(!commonctx) { -@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - goto failed; - } - -- ctx->script = idmap_config_const_string(dom->name, "script", NULL); -+ ctx_script = idmap_config_const_string(dom->name, "script", NULL); - - idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL); - if (idmap_script != NULL) { -@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom) - " Please use 'idmap config * : script' instead!\n")); - } - -- if (strequal(dom->name, "*") && ctx->script == NULL) { -+ if 
(strequal(dom->name, "*") && ctx_script == NULL) { - /* fall back to idmap:script for backwards compatibility */ -- ctx->script = idmap_script; -+ ctx_script = idmap_script; - } - -- if (ctx->script) { -- DEBUG(1, ("using idmap script '%s'\n", ctx->script)); -+ if (ctx_script) { -+ DEBUG(1, ("using idmap script '%s'\n", ctx_script)); -+ /* -+ * We must ensure this memory is owned by ctx. -+ * The ctx_script const pointer is a pointer into -+ * the config file data and may become invalid -+ * on config file reload. BUG: 13956 -+ */ -+ ctx->script = talloc_strdup(ctx, ctx_script); -+ if (ctx->script == NULL) { -+ ret = NT_STATUS_NO_MEMORY; -+ goto failed; -+ } - } - - commonctx->max_id = dom->high_id; --- -2.22.0.rc1.257.g3120a18244-goog - diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch new file mode 100644 index 0000000..5bf463b --- /dev/null +++ b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch 
@@ -0,0 +1,75 @@ +From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 7 Jan 2020 19:25:53 +0200 +Subject: [PATCH 1/2] s3-rpcserver: fix security level check for + DsRGetForestTrustInformation + +Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which +didn't change since DCE RPC channel refactoring. + +With the current code we return RPC faul as can be seen in the logs: + +2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug) + netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation + in: struct netr_DsRGetForestTrustInformation + server_name : * + server_name : '\\some-dc.example.com' + trusted_domain_name : NULL + flags : 0x00000000 (0) +[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP) + api_rpcTNP: fault(5) return. 
+ +This is due to this check in processing a request: + if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) + && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return WERR_ACCESS_DENIED; + } + +and since we get AuthZ response, + + Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC] + Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445] +[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json) + JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000", + "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, + "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017", + "serviceDescription": "netlogon", "authType": "ncacn_np", + "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500", + "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC", + "transportProtection": "SMB", "accountFlags": "0x00000010"}} + +this means we are actually getting anonymous DCE/RPC access to netlogon +on top of authenticated SMB connection. In such case we have exactly +auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to +DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error. + +Update the code to follow the same security level check as in s4 variant +of the call. 
+ +Signed-off-by: Alexander Bokovoy +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index cbbf9feedc7..52b17c10e61 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, + { + NTSTATUS status; + struct lsa_ForestTrustInformation *info, **info_ptr; ++ enum security_user_level security_level; + +- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) +- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { +- p->fault_state = DCERPC_FAULT_ACCESS_DENIED; ++ security_level = security_session_user_level(p->session_info, NULL); ++ if (security_level < SECURITY_USER) { + return WERR_ACCESS_DENIED; + } + +-- +2.24.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 70a637d..3bbc5cc 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,9 +6,9 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 6 +%define main_release 2 -%define samba_version 4.10.4 +%define samba_version 4.10.13 %define talloc_version 2.1.16 %define tdb_version 1.3.18 %define tevent_version 0.9.39 
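Review bot: The new guard `if (security_level < SECURITY_USER)` accepts an anonymous DCERPC bind as long as the SMB session carrying the named pipe is authenticated, so `_netr_DsRGetForestTrustInformation` no longer demands any RPC-layer authentication, integrity or privacy and the forest-trust data is presumably protected only by whatever the SMB transport negotiated. That is the stated intent, but it deserves a comment at the check, e.g. `/* As in source4: an authenticated transport (SMB) session suffices; no RPC-level auth is required here. */`, and a sentence in the commit message acknowledging the weaker protection compared to the old auth_type/auth_level test. The rewrite also silently drops `p->fault_state = DCERPC_FAULT_ACCESS_DENIED;`, so a denied call now returns WERR_ACCESS_DENIED as an ordinary result rather than raising an RPC fault; if that is deliberate, say so, otherwise keep the assignment next to the new return. The subject reads PATCH 1/2 but only this patch is shipped, and unlike the patches this commit removes it carries no BUG: or Reviewed-by: trailers, which makes its upstream provenance hard to trace.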
@@ -127,12 +127,12 @@ Source14: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.10-fix_smbspool.patch -Patch1: samba-4.10.6-fix_idmap_tdb2.patch -Patch2: samba-4.10-net_ads_join_createcomputer.patch -Patch3: CVE-2019-10197-v4-10-metze03.patches.txt -Patch4: samba-4.10-fix_smbspool_username_password.patch -Patch5: samba-4.10-fix_winbind_trustdom_enum.patch +# Set the libldb requirement back to 1.5.4, we don't need a newer version as +# we only build Samba FS. +Patch0: libldb-require-version-1.5.4.patch +Patch1: samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch +Patch2: samba-4.10-fix_smblcient_mkdir_debug_message.patch +Patch3: net-ads-keytab-create-upn.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -1143,10 +1143,12 @@ fi /sbin/ldconfig %preun -n libwbclient -%{_sbindir}/update-alternatives \ - --remove \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +fi /sbin/ldconfig %posttrans -n libwbclient-devel 
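Review bot: The new Patch0, Patch2 and Patch3 entries reference `libldb-require-version-1.5.4.patch`, `samba-4.10-fix_smblcient_mkdir_debug_message.patch` and `net-ads-keytab-create-upn.patch`, but none of those files is added in the visible part of this diff (only `samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch` is), so unless they land in a part of the change I cannot see, `%prep` will fail on a missing source. Dropping `CVE-2019-10197-v4-10-metze03.patches.txt` is presumably justified by the 4.10.13 tarball already containing that fix; a one-line note in the spec such as `# CVE-2019-10197 is fixed in the upstream 4.10.13 tarball` spares the next maintainer from re-verifying it. The filename typo `smblcient` is harmless but will be carried forward indefinitely; worth correcting while the patch is new.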
@@ -1162,10 +1164,12 @@ fi # When downgrading to a version where alternatives is not used and # libwbclient.so is a link and not a file it will be removed. The following # check removes the alternatives files manually if that is the case. -if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then - /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null -else - %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so +if [ $1 -eq 0 ]; then + if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then + /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null + else + %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so + fi fi %endif # with_libwbclient @@ -2199,6 +2203,7 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/glue.py* %{python_sitearch}/samba/tests/graph.py* %{python_sitearch}/samba/tests/hostconfig.py* +%{python_sitearch}/samba/tests/ldap_referrals.py* %{python_sitearch}/samba/tests/libsmb.py* %{python_sitearch}/samba/tests/join.py* %{python_sitearch}/samba/tests/lsa_string.py* @@ -2228,9 +2233,11 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/provision.py* %{python_sitearch}/samba/tests/py_credentials.py* %{python_sitearch}/samba/tests/registry.py* +%{python_sitearch}/samba/tests/samba_upgradedns_lmdb* %{python_sitearch}/samba/tests/samba3sam.py* %{python_sitearch}/samba/tests/samdb.py* %{python_sitearch}/samba/tests/smbd_base.py* +%{python_sitearch}/samba/tests/smbd_fuzztest.py* %{python_sitearch}/samba/tests/security.py* %{python_sitearch}/samba/tests/source.py* %{python_sitearch}/samba/tests/strings.py* 
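Review bot: The new `if [ $1 -eq 0 ]` guard appears to disable the very case the context comment describes: if I read the scriptlet argument convention right, a downgrade is an upgrade transaction from RPM's point of view, so the outgoing package's scriptlet receives `$1` = 1 and the `readlink` / `rm -f` branch that removes the stale `/etc/alternatives` and `/var/lib/alternatives` entries is skipped on exactly the downgrade it was written for. If the intent is only to stop an upgrade from clobbering the alternative the new package's `%post` just registered, the comment should say so and be reconciled with the downgrade wording, e.g. `# Only on full removal ($1 == 0): on upgrade the incoming package has already re-registered the alternative, so do not touch it here.`; if the downgrade cleanup is still wanted, the guard needs a different condition than `$1 -eq 0`. Minor: `==` inside `[ ]` is a bash-ism, fine on this platform's `/bin/sh` but worth a `=` since the surrounding line is being rewritten anyway. The enclosing `%postun` scriptlet starts before this hunk, so I cannot see which subpackage it belongs to.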
@@ -2253,6 +2260,7 @@ rm -rf %{buildroot} %{python_sitearch}/samba/tests/blackbox/traffic_learner.py* %{python_sitearch}/samba/tests/blackbox/traffic_replay.py* %{python_sitearch}/samba/tests/blackbox/traffic_summary.py* +%{python_sitearch}/samba/tests/blackbox/undoguididx.py* %dir %{python_sitearch}/samba/tests/dcerpc %{python_sitearch}/samba/tests/dcerpc/__init__.py* @@ -2535,7 +2543,6 @@ rm -rf %{buildroot} %{_libexecdir}/ctdb/tests/sock_io_test %{_libexecdir}/ctdb/tests/srvid_test %{_libexecdir}/ctdb/tests/system_socket_test -%{_libexecdir}/ctdb/tests/test_mutex_raw %{_libexecdir}/ctdb/tests/transaction_loop %{_libexecdir}/ctdb/tests/tunnel_cmd %{_libexecdir}/ctdb/tests/tunnel_test 
@@ -3263,11 +3270,38 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog -* Fri Oct 04 2019 Andreas Schneider - 4.10.5-6 +* Thu Apr 16 2020 Isaac Boukris - 4.10.13-2 +- resolves: #1810511 - Fix net-ads-keytab-create to include UPN + +* Mon Feb 03 2020 Andreas Schneider - 4.10.13-1 +- resolves: #1785121 - Rebase to vesion 4.10.13 +- resolves: #1791208 - Fix CVE-2019-14907 +- resolves: #1737888 - Fix manual libwbclient alternative settings +- resolves: #1634057 - Return correct stat for SMB1 with POSIX extensions + +* Mon Feb 03 2020 Andreas Schneider - 4.10.4-11 +- resolves: #1791823 - Fix Kerberos authentication with trusted domains +- resolves: #1781231 - Fix smbclient mkdir log spam +- resolves: #1776333 - Fix client tools log spam about messaging + +* Wed Jan 08 2020 Alexander Bokovoy - 4.10.4-10 +- resolves: #1786324 - fix security level check for DsRGetForestTrustInformation + +* Thu Oct 31 2019 Isaac Boukris - 4.10.4-9 +- resolves: #1764468 - Fix CVE-2019-10218 + +* Wed Oct 30 2019 Isaac Boukris - 4.10.4-8 +- resolves: #1656541 - Fix join using netbios name + +* Mon Oct 14 2019 Isaac Boukris - 4.10.4-7 +- resolves: #1657428 - Fix spnego downgrade +- resolves: #1663064 - Fix net ads join in hardened environments + +* Fri Oct 04 2019 Andreas Schneider - 4.10.4-6 - resolves: #1753254 - Fix trusted domain enumeration in windind caused a Active Directory update -* Thu Sep 19 2019 Andreas Schneider - 4.10.5-5 +* Thu Sep 19 2019 Andreas Schneider - 4.10.4-5 - resolves: #1751335 - Fix username/passwd auth with smbspool * Mon Sep 16 2019 Andreas Schneider - 4.10.4-4