diff --git a/.gitignore b/.gitignore
index 1b087cf..99161ff 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.9.1.tar.xz
+SOURCES/samba-4.10.4.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 638f3b8..1e4e8c9 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-81b7c9a13d48fa25c58c90ae85e7d256e9952227 SOURCES/samba-4.9.1.tar.xz
+c24e15add96d79950552f0ffbb44234e4142342c SOURCES/samba-4.10.4.tar.xz
diff --git a/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
new file mode 100644
index 0000000..eec8124
--- /dev/null
+++ b/SOURCES/CVE-2019-10197-v4-10-metze03.patches.txt
@@ -0,0 +1,393 @@ +From 5e94fe726e9af81374c697ce603b3728ccaaebf3 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 12 Jul 2019 12:10:35 -0700 +Subject: [PATCH 1/6] CVE-2019-10197: smbd: separate out impersonation debug + info into a new function. + +Will be called on elsewhere on successful impersonation. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +--- + source3/smbd/uid.c | 37 +++++++++++++++++++++++-------------- + 1 file changed, 23 insertions(+), 14 deletions(-) + +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index a4bcb747d37e..ce8e8d92131c 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -279,6 +279,28 @@ static bool check_user_ok(connection_struct *conn, + return(True); + } + ++static void print_impersonation_info(connection_struct *conn) ++{ ++ struct smb_filename *cwdfname = NULL; ++ ++ if (!CHECK_DEBUGLVL(DBGLVL_INFO)) { ++ return; ++ } ++ ++ cwdfname = vfs_GetWd(talloc_tos(), conn); ++ if (cwdfname == NULL) { ++ return; ++ } ++ ++ DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", ++ (int)getuid(), ++ (int)geteuid(), ++ (int)getgid(), ++ (int)getegid(), ++ cwdfname->base_name); ++ TALLOC_FREE(cwdfname); ++} ++ + /**************************************************************************** + Become the user of a connection number without changing the security context + stack, but modify the current_user entries. 
+@@ -415,20 +437,7 @@ static bool change_to_user_internal(connection_struct *conn, + current_user.done_chdir = true; + } + +- if (CHECK_DEBUGLVL(DBGLVL_INFO)) { +- struct smb_filename *cwdfname = vfs_GetWd(talloc_tos(), conn); +- if (cwdfname == NULL) { +- return false; +- } +- DBG_INFO("Impersonated user: uid=(%d,%d), gid=(%d,%d), cwd=[%s]\n", +- (int)getuid(), +- (int)geteuid(), +- (int)getgid(), +- (int)getegid(), +- cwdfname->base_name); +- TALLOC_FREE(cwdfname); +- } +- ++ print_impersonation_info(conn); + return true; + } + +-- +2.17.1 + + +From b4cd0dcbc38ae61cfb075e5f659384df889e99f7 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 11 Jul 2019 17:01:29 +0200 +Subject: [PATCH 2/6] CVE-2019-10197: smbd: make sure that + change_to_user_internal() always resets current_user.done_chdir + +We should not leave current_user.done_chdir as true if we didn't call +chdir_current_service() with success. + +This caused problems in when calling vfs_ChDir() in pop_conn_ctx() when +chdir_current_service() worked once on one share but later failed on another +share. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme +--- + source3/smbd/uid.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index ce8e8d92131c..77a81f602988 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -427,6 +427,7 @@ static bool change_to_user_internal(connection_struct *conn, + current_user.conn = conn; + current_user.vuid = vuid; + current_user.need_chdir = conn->tcon_done; ++ current_user.done_chdir = false; + + if (current_user.need_chdir) { + ok = chdir_current_service(conn); +-- +2.17.1 + + +From b1496ce793129302c9959ebc6330219c6a3143f0 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 18 Jun 2019 14:04:08 +0200 +Subject: [PATCH 3/6] CVE-2019-10197: smbd: make sure we reset + current_user.{need,done}_chdir in become_root() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Stefan Metzmacher +--- + source3/smbd/uid.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index 77a81f602988..50868ba8572a 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -624,6 +624,9 @@ void smbd_become_root(void) + } + push_conn_ctx(); + set_root_sec_ctx(); ++ ++ current_user.need_chdir = false; ++ current_user.done_chdir = false; + } + + /* Unbecome the root user */ +-- +2.17.1 + + +From 03a0719d6d5c1a81b44bc3cedc76563a1eb04491 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 30 Jul 2019 17:16:59 +0200 +Subject: [PATCH 4/6] CVE-2019-10197: selftest: make fsrvp_share its own + independent subdirectory + +The next patch will otherwise break the fsrvp related tests. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Stefan Metzmacher +--- + selftest/target/Samba3.pm | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 9d88253c9fe7..f7eb314138a0 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1540,6 +1540,9 @@ sub provision($$$$$$$$$) + my $widelinks_linkdir="$shrdir/widelinks_foo"; + push(@dirs,$widelinks_linkdir); + ++ my $fsrvp_shrdir="$shrdir/fsrvp"; ++ push(@dirs,$fsrvp_shrdir); ++ + my $shadow_tstdir="$shrdir/shadow"; + push(@dirs,$shadow_tstdir); + my $shadow_mntdir="$shadow_tstdir/mount"; +@@ -2083,14 +2086,14 @@ sub provision($$$$$$$$$) + guest ok = yes + + [fsrvp_share] +- path = $shrdir ++ path = $fsrvp_shrdir + comment = fake shapshots using rsync + vfs objects = shell_snap shadow_copy2 + shell_snap:check path command = $fake_snap_pl --check + shell_snap:create command = $fake_snap_pl --create + shell_snap:delete command = $fake_snap_pl --delete + # a relative path here fails, the snapshot dir is no longer found +- shadow:snapdir = $shrdir/.snapshots ++ shadow:snapdir = $fsrvp_shrdir/.snapshots + + [shadow1] + path = $shadow_shrdir +-- +2.17.1 + + +From 409447f3258b87745a2248570278b1c6da8991f4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 16 Jul 2019 15:40:38 +0200 +Subject: [PATCH 5/6] CVE-2019-10197: test_smbclient_s3.sh: add regression test + for the no permission on share root problem + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Stefan Metzmacher +--- + selftest/knownfail.d/CVE-2019-10197 | 1 + + selftest/target/Samba3.pm | 12 +++++++++ + source3/script/tests/test_smbclient_s3.sh | 30 +++++++++++++++++++++++ + 3 files changed, 43 insertions(+) + create mode 100644 selftest/knownfail.d/CVE-2019-10197 + +diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 +new file mode 100644 +index 
000000000000..f7056bbf3ad4 +--- /dev/null ++++ b/selftest/knownfail.d/CVE-2019-10197 +@@ -0,0 +1 @@ ++^samba3.blackbox.smbclient_s3.*.noperm.share.regression +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index f7eb314138a0..2f491441815f 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1516,6 +1516,9 @@ sub provision($$$$$$$$$) + my $ro_shrdir="$shrdir/root-tmp"; + push(@dirs,$ro_shrdir); + ++ my $noperm_shrdir="$shrdir/noperm-tmp"; ++ push(@dirs,$noperm_shrdir); ++ + my $msdfs_shrdir="$shrdir/msdfsshare"; + push(@dirs,$msdfs_shrdir); + +@@ -1586,6 +1589,11 @@ sub provision($$$$$$$$$) + chmod 0755, $piddir; + + ++ ## ++ ## Create a directory without permissions to enter ++ ## ++ chmod 0000, $noperm_shrdir; ++ + ## + ## create ro and msdfs share layout + ## +@@ -1902,6 +1910,10 @@ sub provision($$$$$$$$$) + [ro-tmp] + path = $ro_shrdir + guest ok = yes ++[noperm] ++ path = $noperm_shrdir ++ wide links = yes ++ guest ok = yes + [write-list-tmp] + path = $shrdir + read only = yes +diff --git a/source3/script/tests/test_smbclient_s3.sh b/source3/script/tests/test_smbclient_s3.sh +index bf033ccd2fbf..0bae1d78fac9 100755 +--- a/source3/script/tests/test_smbclient_s3.sh ++++ b/source3/script/tests/test_smbclient_s3.sh +@@ -1329,6 +1329,32 @@ EOF + fi + } + ++# ++# Regression test for CVE-2019-10197 ++# we should always get ACCESS_DENIED ++# ++test_noperm_share_regression() ++{ ++ cmd='$SMBCLIENT -U$USERNAME%$PASSWORD //$SERVER/noperm -I $SERVER_IP $LOCAL_ADDARGS -c "ls;ls" 2>&1' ++ eval echo "$cmd" ++ out=`eval $cmd` ++ ret=$? 
++ if [ $ret -eq 0 ] ; then ++ echo "$out" ++ echo "failed accessing no perm share should not work" ++ return 1 ++ fi ++ ++ num=`echo "$out" | grep 'NT_STATUS_ACCESS_DENIED' | wc -l` ++ if [ "$num" -ne "2" ] ; then ++ echo "$out" ++ echo "failed num[$num] - two NT_STATUS_ACCESS_DENIED lines expected" ++ return 1 ++ fi ++ ++ return 0 ++} ++ + # Test smbclient deltree command + test_deltree() + { +@@ -1857,6 +1883,10 @@ testit "follow local symlinks" \ + test_local_symlinks || \ + failed=`expr $failed + 1` + ++testit "noperm share regression" \ ++ test_noperm_share_regression || \ ++ failed=`expr $failed + 1` ++ + testit "smbclient deltree command" \ + test_deltree || \ + failed=`expr $failed + 1` +-- +2.17.1 + + +From 501e034aa5b6ba50bf14e41c59674fbbc28a2e9c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 11 Jul 2019 17:02:15 +0200 +Subject: [PATCH 6/6] CVE-2019-10197: smbd: split change_to_user_impersonate() + out of change_to_user_internal() + +This makes sure we always call chdir_current_service() even +when we still impersonated the user. Which is important +in order to run the SMB* request within the correct working directory +and only if the user has permissions to enter that directory. + +It makes sure we always update conn->lastused_count +in chdir_current_service() for each request. + +Note that vfs_ChDir() (called from chdir_current_service()) +maintains its own cache and avoids calling SMB_VFS_CHDIR() +if possible. + +It means we still avoid syscalls if we get a multiple requests +for the same session/tcon tuple. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14035 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme +--- + selftest/knownfail.d/CVE-2019-10197 | 1 - + source3/smbd/uid.c | 21 +++++++++++++++++---- + 2 files changed, 17 insertions(+), 5 deletions(-) + delete mode 100644 selftest/knownfail.d/CVE-2019-10197 + +diff --git a/selftest/knownfail.d/CVE-2019-10197 b/selftest/knownfail.d/CVE-2019-10197 +deleted file mode 100644 +index f7056bbf3ad4..000000000000 +--- a/selftest/knownfail.d/CVE-2019-10197 ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.blackbox.smbclient_s3.*.noperm.share.regression +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index 50868ba8572a..5c39baade5cf 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -306,9 +306,9 @@ static void print_impersonation_info(connection_struct *conn) + stack, but modify the current_user entries. + ****************************************************************************/ + +-static bool change_to_user_internal(connection_struct *conn, +- const struct auth_session_info *session_info, +- uint64_t vuid) ++static bool change_to_user_impersonate(connection_struct *conn, ++ const struct auth_session_info *session_info, ++ uint64_t vuid) + { + int snum; + gid_t gid; +@@ -321,7 +321,6 @@ static bool change_to_user_internal(connection_struct *conn, + + if ((current_user.conn == conn) && + (current_user.vuid == vuid) && +- (current_user.need_chdir == conn->tcon_done) && + (current_user.ut.uid == session_info->unix_token->uid)) + { + DBG_INFO("Skipping user change - already user\n"); +@@ -426,6 +425,20 @@ static bool change_to_user_internal(connection_struct *conn, + + current_user.conn = conn; + current_user.vuid = vuid; ++ return true; ++} ++ ++static bool change_to_user_internal(connection_struct *conn, ++ const struct auth_session_info *session_info, ++ uint64_t vuid) ++{ ++ bool ok; ++ ++ ok = change_to_user_impersonate(conn, session_info, vuid); ++ if (!ok) { ++ return false; ++ } ++ + 
current_user.need_chdir = conn->tcon_done; + current_user.done_chdir = false; + +-- +2.17.1 + diff --git a/SOURCES/CVE-2019-10218-4.11.patch b/SOURCES/CVE-2019-10218-4.11.patch new file mode 100644 index 0000000..49bec9e --- /dev/null +++ b/SOURCES/CVE-2019-10218-4.11.patch 
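Review bot: In patch 1/6 the new `print_impersonation_info()` returns silently when `vfs_GetWd()` fails, whereas the block it replaces in `change_to_user_internal()` returned `false` and so failed the impersonation; the 1/6 commit message describes only a move into a new function and does not mention this behaviour change. It is plausibly intentional, since the cwd is only needed for the DBG_INFO line and patch 6/6 makes the unconditional `chdir_current_service()` call the authoritative check that the user may enter the share directory, but a one-line comment would spare the next backporter from re-deriving that, e.g. `/* Debug output only: a failed vfs_GetWd() must not fail the impersonation. */` above the NULL check. As this is a packaging commit carrying the upstream series verbatim, the note could equally live in the package changelog or in a short header at the top of the .patches.txt file rather than inside the patch itself.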
@@ -0,0 +1,170 @@ +From d429b48596c63140696ba600bddb0908f2350f70 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Mon, 5 Aug 2019 13:39:53 -0700 +Subject: [PATCH 1/2] CVE-2019-10218 - s3: libsmb: Protect SMB1 client code + from evil server returned names. + +Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 + +Signed-off-by: Jeremy Allison +--- + source3/libsmb/clilist.c | 75 ++++++++++++++++++++++++++++++++++++++++ + source3/libsmb/proto.h | 3 ++ + 2 files changed, 78 insertions(+) + +diff --git a/source3/libsmb/clilist.c b/source3/libsmb/clilist.c +index 5cb1fce4338..4f518339e2b 100644 +--- a/source3/libsmb/clilist.c ++++ b/source3/libsmb/clilist.c +@@ -24,6 +24,66 @@ + #include "trans2.h" + #include "../libcli/smb/smbXcli_base.h" + ++/**************************************************************************** ++ Check if a returned directory name is safe. ++****************************************************************************/ ++ ++static NTSTATUS is_bad_name(bool windows_names, const char *name) ++{ ++ const char *bad_name_p = NULL; ++ ++ bad_name_p = strchr(name, '/'); ++ if (bad_name_p != NULL) { ++ /* ++ * Windows and POSIX names can't have '/'. ++ * Server is attacking us. ++ */ ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ if (windows_names) { ++ bad_name_p = strchr(name, '\\'); ++ if (bad_name_p != NULL) { ++ /* ++ * Windows names can't have '\\'. ++ * Server is attacking us. ++ */ ++ return NT_STATUS_INVALID_NETWORK_RESPONSE; ++ } ++ } ++ return NT_STATUS_OK; ++} ++ ++/**************************************************************************** ++ Check if a returned directory name is safe. Disconnect if server is ++ sending bad names. 
++****************************************************************************/ ++ ++NTSTATUS is_bad_finfo_name(const struct cli_state *cli, ++ const struct file_info *finfo) ++{ ++ NTSTATUS status = NT_STATUS_OK; ++ bool windows_names = true; ++ ++ if (cli->requested_posix_capabilities & CIFS_UNIX_POSIX_PATHNAMES_CAP) { ++ windows_names = false; ++ } ++ if (finfo->name != NULL) { ++ status = is_bad_name(windows_names, finfo->name); ++ if (!NT_STATUS_IS_OK(status)) { ++ DBG_ERR("bad finfo->name\n"); ++ return status; ++ } ++ } ++ if (finfo->short_name != NULL) { ++ status = is_bad_name(windows_names, finfo->short_name); ++ if (!NT_STATUS_IS_OK(status)) { ++ DBG_ERR("bad finfo->short_name\n"); ++ return status; ++ } ++ } ++ return NT_STATUS_OK; ++} ++ + /**************************************************************************** + Calculate a safe next_entry_offset. + ****************************************************************************/ +@@ -492,6 +552,13 @@ static NTSTATUS cli_list_old_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + TALLOC_FREE(finfo); + return NT_STATUS_NO_MEMORY; + } ++ ++ status = is_bad_finfo_name(state->cli, finfo); ++ if (!NT_STATUS_IS_OK(status)) { ++ smbXcli_conn_disconnect(state->cli->conn, status); ++ TALLOC_FREE(finfo); ++ return status; ++ } + } + *pfinfo = finfo; + return NT_STATUS_OK; +@@ -727,6 +794,14 @@ static void cli_list_trans_done(struct tevent_req *subreq) + ff_eos = true; + break; + } ++ ++ status = is_bad_finfo_name(state->cli, finfo); ++ if (!NT_STATUS_IS_OK(status)) { ++ smbXcli_conn_disconnect(state->cli->conn, status); ++ tevent_req_nterror(req, status); ++ return; ++ } ++ + if (!state->first && (state->mask[0] != '\0') && + strcsequal(finfo->name, state->mask)) { + DEBUG(1, ("Error: Looping in FIND_NEXT as name %s has " +diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h +index 6a647da58c8..48855d7112c 100644 +--- a/source3/libsmb/proto.h ++++ b/source3/libsmb/proto.h +@@ -760,6 +760,9 @@ NTSTATUS 
cli_posix_whoami(struct cli_state *cli, + + /* The following definitions come from libsmb/clilist.c */ + ++NTSTATUS is_bad_finfo_name(const struct cli_state *cli, ++ const struct file_info *finfo); ++ + NTSTATUS cli_list_old(struct cli_state *cli,const char *Mask,uint16_t attribute, + NTSTATUS (*fn)(const char *, struct file_info *, + const char *, void *), void *state); +-- +2.23.0.866.gb869b98d4c-goog + + +From c61e75b5755efab938c1b2045eb4d539a0724c47 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 6 Aug 2019 12:08:09 -0700 +Subject: [PATCH 2/2] CVE-2019-10218 - s3: libsmb: Protect SMB2 client code + from evil server returned names. + +Disconnect with NT_STATUS_INVALID_NETWORK_RESPONSE if so. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14071 + +Signed-off-by: Jeremy Allison +--- + source3/libsmb/cli_smb2_fnum.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c +index 535beaab841..3fa322c243b 100644 +--- a/source3/libsmb/cli_smb2_fnum.c ++++ b/source3/libsmb/cli_smb2_fnum.c +@@ -1442,6 +1442,13 @@ NTSTATUS cli_smb2_list(struct cli_state *cli, + goto fail; + } + ++ /* Protect against server attack. */ ++ status = is_bad_finfo_name(cli, finfo); ++ if (!NT_STATUS_IS_OK(status)) { ++ smbXcli_conn_disconnect(cli->conn, status); ++ goto fail; ++ } ++ + if (dir_check_ftype((uint32_t)finfo->mode, + (uint32_t)attribute)) { + /* +-- +2.23.0.866.gb869b98d4c-goog + diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch new file mode 100644 index 0000000..9dd2eec --- /dev/null +++ b/SOURCES/samba-4.10-fix-netbios-join.patch 
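Review bot: `is_bad_name()` in the added clilist.c code rejects only path separators ('/' always, '\\' for non-POSIX names); an entry named `.`, `..` or the empty string still passes, and nothing in this hunk shows that every `cli_list_old()`, `cli_list_trans()` and `cli_smb2_list()` caller filters those before joining the name onto a local or remote path. If that filtering is done by the callers, a comment stating the contract at the top of `is_bad_name()` would help, e.g. `/* Only separators are rejected here; callers must still skip "." and ".." entries. */`. Separately, the `DBG_ERR("bad finfo->name\n")` and `DBG_ERR("bad finfo->short_name\n")` lines identify neither the share nor the peer, which makes a misbehaving-server event hard to attribute in logs; including the remote name (e.g. via `smbXcli_conn_remote_name(cli->conn)`) but not the offending name itself would give responders something actionable without echoing attacker-controlled bytes into the log.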
@@ -0,0 +1,723 @@ +From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 30 Aug 2019 00:22:15 +0300 +Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and + lp_dnsdomain() + +This make the join process much more reliable, and avoids "Constraint +violation" error when the fqdn returned from getaddrinfo has already +got assigned an SPN. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 31 +++++++++++------------------- + testprogs/blackbox/test_net_ads.sh | 7 +++++-- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 7943bef2cf6..818b3039cb9 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + +- if (!name_to_fqdn(my_fqdn, r->in.machine_name) +- || (strchr(my_fqdn, '.') == NULL)) { +- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, +- r->out.dns_domain_name); +- } ++ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); + + if (!strlower_m(my_fqdn)) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + +- if (!strequal(my_fqdn, r->in.machine_name)) { +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); +- if (!spn) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ if (spn == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (!ok) { ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + } + +@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* + * Add HOST/netbiosname.domainname + */ +- if (r->out.dns_domain_name == NULL) { +- continue; +- } + fstr_sprintf(my_fqdn, "%s.%s", + *netbios_aliases, +- r->out.dns_domain_name); ++ lp_dnsdomain()); + + spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + if (spn == NULL) { +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index cc8345c4624..ef6f99ddea4 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai + netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') + lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') +-fqdns="$netbios.$lc_realm" ++fqdn="$netbios.$lc_realm" + + krb_princ="primary/instance@$REALM" + testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin + service="nfs" + testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +-search_str="$service/$fqdns@$REALM" ++search_str="$service/$fqdn@$REALM" + found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` + testit "test (dedicated keytab) at least one (long 
form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed + + testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + ++testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` ++testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ + ##Goodbye... + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.21.0 + + +From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 20:00:34 +0300 +Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit + room for indentation + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------ + 1 file changed, 47 insertions(+), 48 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 818b3039cb9..67ab50c68a8 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ + + spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); +- if (!spn) { ++ if (spn == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + if (!strupper_m(spn)) { +@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + +- netbios_aliases = lp_netbios_aliases(); +- if (netbios_aliases != NULL) { +- for (; *netbios_aliases != NULL; netbios_aliases++) { +- /* +- * Add HOST/NETBIOSNAME +- */ +- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); +- if (spn == NULL) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } +- if (!strupper_m(spn)) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ for (netbios_aliases = lp_netbios_aliases(); ++ netbios_aliases != NULL && *netbios_aliases != NULL; ++ netbios_aliases++) { ++ /* ++ * Add HOST/NETBIOSNAME ++ */ ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); ++ if (spn == NULL) { ++ TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ if (!strupper_m(spn)) { ++ TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- TALLOC_FREE(spn); +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (ok) { ++ TALLOC_FREE(spn); ++ continue; ++ } ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); ++ if (!ok) { + TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ TALLOC_FREE(spn); + +- /* +- * Add HOST/netbiosname.domainname +- */ +- fstr_sprintf(my_fqdn, "%s.%s", +- *netbios_aliases, +- lp_dnsdomain()); ++ /* ++ * Add HOST/netbiosname.domainname ++ */ ++ fstr_sprintf(my_fqdn, "%s.%s", ++ *netbios_aliases, ++ lp_dnsdomain()); + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); +- if (spn == NULL) { +- return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ if (spn == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- TALLOC_FREE(spn); +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (ok) { ++ TALLOC_FREE(spn); ++ continue; ++ } ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); ++ if (!ok) { + TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } ++ TALLOC_FREE(spn); + } + + /* make sure to NULL terminate the array */ +-- +2.21.0 + + +From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 21:29:47 +0300 +Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling + +and avoid a possible memory leak when passing null to +add_string_to_array() as mem_ctx. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 74 ++++++++++++++++++++---------------- + 1 file changed, 42 insertions(+), 32 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 67ab50c68a8..43035370526 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, + static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { ++ TALLOC_CTX *frame = talloc_stackframe(); + ADS_STATUS status; + ADS_MODLIST mods; + fstring my_fqdn; +@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + return status; + } + +- status = libnet_join_get_machine_spns(mem_ctx, ++ status = libnet_join_get_machine_spns(frame, + r, + discard_const_p(char **, &spn_array), + &num_spns); +@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + + /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); ++ spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + if (!strupper_m(spn)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, ++ ok = add_string_to_array(frame, spn, + &spn_array, &num_spns); + if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + } + + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); + + if (!strlower_m(my_fqdn)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, ++ ok = add_string_to_array(frame, spn, + &spn_array, &num_spns); + if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + } + +@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* + * Add HOST/NETBIOSNAME + */ +- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); ++ spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases); + if (spn == NULL) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + if (!strupper_m(spn)) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = 
ads_element_in_array(spn_array, num_spns, spn); + if (ok) { +- TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } +- TALLOC_FREE(spn); + + /* + * Add HOST/netbiosname.domainname +@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + *netbios_aliases, + lp_dnsdomain()); + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (ok) { +- TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } +- TALLOC_FREE(spn); + } + + /* make sure to NULL terminate the array */ +- spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1); ++ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + spn_array[num_spns] = NULL; + + mods = ads_init_mods(mem_ctx); + if (!mods) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + /* fields of primary importance */ + + status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); + if (!ADS_ERR_OK(status)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName", + spn_array); + if (!ADS_ERR_OK(status)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + +- return ads_gen_mod(r->in.ads, 
r->out.dn, mods); ++ status = ads_gen_mod(r->in.ads, r->out.dn, mods); ++ ++done: ++ TALLOC_FREE(frame); ++ return status; + } + + /**************************************************************** +-- +2.21.0 + + +From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 23:15:57 +0300 +Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to + array + +and do not skip adding a fully qualified spn to netbios-aliases +in case a short spn already existed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 56 +++++++++++++++--------------------- + 1 file changed, 23 insertions(+), 33 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 43035370526..a1d8a25bbc2 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, + return status; + } + ++static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn, ++ const char ***array, size_t *num) ++{ ++ bool ok = ads_element_in_array(*array, *num, spn); ++ if (!ok) { ++ ok = add_string_to_array(mem_ctx, spn, array, num); ++ if (!ok) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ } ++ return ADS_SUCCESS; ++} ++ + /**************************************************************** + Set a machines dNSHostName and servicePrincipalName attributes + ****************************************************************/ +@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + const char **spn_array = NULL; + size_t num_spns = 0; + char *spn = NULL; +- bool ok; + const char **netbios_aliases = NULL; + + /* Find our DN */ +@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = 
ads_element_in_array(spn_array, num_spns, spn); +- if (!ok) { +- ok = add_string_to_array(frame, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- goto done; +- } ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; + } + + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); +@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (!ok) { +- ok = add_string_to_array(frame, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- goto done; +- } ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; + } + + for (netbios_aliases = lp_netbios_aliases(); +@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { + goto done; + } + +@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { + goto done; + } + } +-- +2.21.0 + + +From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 17 Sep 2019 21:38:07 +0300 +Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option + +BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml + +diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml +new file mode 100644 +index 00000000000..ddc04ee9f81 +--- /dev/null ++++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml +@@ -0,0 +1,11 @@ ++ ++ ++ A list of additional DNS names by which this host can be identified ++ ++ ++empty string (no additional dns names) ++ host2.example.com host3.other.com ++ +-- +2.21.0 + + +From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 13 Sep 2019 10:56:10 +0300 +Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames + entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +and set msDS-AdditionalDnsHostName to the specified list. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184 +--- + source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++ + testprogs/blackbox/test_net_ads.sh | 10 +++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a1d8a25bbc2..eb8e0ea17f7 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + size_t num_spns = 0; + char *spn = NULL; + const char **netbios_aliases = NULL; ++ const char **addl_hostnames = NULL; + + /* Find our DN */ + +@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + ++ for (addl_hostnames = lp_additional_dns_hostnames(); ++ addl_hostnames != NULL && *addl_hostnames != NULL; ++ addl_hostnames++) { ++ ++ spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames); ++ if (spn == NULL) { ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ } ++ + /* make sure to NULL terminate the array */ + spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { +@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + ++ addl_hostnames = lp_additional_dns_hostnames(); ++ if (addl_hostnames != NULL && *addl_hostnames != NULL) { ++ status = ads_mod_strlist(mem_ctx, &mods, ++ "msDS-AdditionalDnsHostName", ++ addl_hostnames); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ } ++ + status = ads_gen_mod(r->in.ads, r->out.dn, mods); + + done: +diff --git a/testprogs/blackbox/test_net_ads.sh 
b/testprogs/blackbox/test_net_ads.sh +index ef6f99ddea4..8bcff006b8e 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com" + computers_dn="CN=Computers,$base_dn" + testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` + +-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++dns_alias1="${netbios}_alias1.other.${lc_realm}" ++dns_alias2="${netbios}_alias2.other2.${lc_realm}" ++testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + + testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + + testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` + testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + ++testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` ++testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` ++ + ##Goodbye... + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.21.0 + 
diff --git a/SOURCES/samba-4.10-fix-spnego-downgrade.patch b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
new file mode 100644
index 0000000..0f3c786
--- /dev/null
+++ b/SOURCES/samba-4.10-fix-spnego-downgrade.patch
@@ -0,0 +1,160 @@
+From 55d19011faa99fae6ddcd778e433a0b253e0c7b4 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 16:31:21 +0300
+Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
+ token
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+---
+ auth/gensec/spnego.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 0b3fbdce7ac..6bb5c8b6417 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -136,6 +136,7 @@ struct spnego_state {
+ bool done_mic_check;
+
+ bool simulate_w2k;
++ bool no_optimistic;
+
+ /*
+ * The following is used to implement
+@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
+
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
++ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
++ "spnego",
++ "client_no_optimistic",
++ false);
+
+ gensec_security->private_data = spnego_state;
+ return NT_STATUS_OK;
+@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
++ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
++ spnego_state->no_optimistic) {
++ /*
++ * Skip optimistic token per conf.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+--
+2.21.0
+
+
+From e03ce41c911d5fead3f11c2eedce6baf7164e232 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 16:39:43 +0300
+Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+---
+ selftest/knownfail.d/spnego_no_optimistic | 1 +
+ source4/selftest/tests.py | 4 ++++
+ 2 files changed, 5 insertions(+)
+ create mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+new file mode 100644
+index 00000000000..54f51446be0
+--- /dev/null
++++ b/selftest/knownfail.d/spnego_no_optimistic
+@@ -0,0 +1 @@
++^samba4.smb.spnego.*.no_optimistic
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index aa54308c524..9c3c77f1c56 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -513,6 +513,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
+ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
+ plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
+
++# Test SPNEGO without issuing an optimistic token
++opt='--option=spnego:client_no_optimistic=yes'
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
++plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
+
+ wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
+
+--
+2.21.0
+
+
+From 7e1be4ab8ff1ab8869b79f42828489dfa5450f2b Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Wed, 4 Sep 2019 17:04:12 +0300
+Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
+
+Signed-off-by: Isaac Boukris
+Reviewed-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+
+Autobuild-User(master): Andreas Schneider
+Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
+---
+ auth/gensec/spnego.c | 13 +++++++++++++
+ selftest/knownfail.d/spnego_no_optimistic | 1 -
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+ delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 6bb5c8b6417..5f78267281d 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -1300,6 +1300,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ spnego_state->mic_requested = true;
+ }
+
++ if (sub_in.length == 0) {
++ spnego_state->no_optimistic = true;
++ }
++
+ /*
+ * Note that 'cur_sec' is temporary memory, but
+ * cur_sec->oid points to a const string in the
+@@ -1934,6 +1938,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
+ * Skip optimistic token per conf.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
++ state->sub.in.length == 0 && spnego_state->no_optimistic) {
++ /*
++ * If we didn't like the mechanism for which the client sent us
++ * an optimistic token, or if he didn't send any, don't call
++ * the sub mechanism just yet.
++ */
++ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
++ spnego_state->no_optimistic = false;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
+deleted file mode 100644
+index 54f51446be0..00000000000
+--- a/selftest/knownfail.d/spnego_no_optimistic
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba4.smb.spnego.*.no_optimistic
+--
+2.21.0
+
diff --git a/SOURCES/samba-4.10-fix_gencache_debug_message.patch b/SOURCES/samba-4.10-fix_gencache_debug_message.patch
deleted file mode 100644
index 2440c97..0000000
--- a/SOURCES/samba-4.10-fix_gencache_debug_message.patch
+++ /dev/null
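Review bot: The `bool no_optimistic;` added to `struct spnego_state` in patch 1/3 has no comment, yet the series gives it two different meanings: on the client it is a configuration flag read once from `spnego:client_no_optimistic` in `gensec_spnego_client_start`, while on the server (patch 3/3) it is per-exchange state, set in `gensec_spnego_server_negTokenInit_step` when `sub_in.length == 0` and cleared again in `gensec_spnego_update_pre` right after it is acted on. A reader of the struct alone will take it for a single setting, so the declaration should say so, e.g. `bool no_optimistic; /* client: configured to omit the optimistic token; server: the negTokenInit carried no usable optimistic token, cleared once update_pre has skipped the sub mechanism */`. The comment in the update_pre hunk of patch 3/3 also covers the "didn't like the mechanism" case, which holds only if the negTokenInit path hands an empty `sub_in` to the sub mechanism in that situation — that code is outside the hunk, so the comment would be safer if it named the condition actually tested, `state->sub.in.length == 0`. All three enclosing functions start and end outside their hunks.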
@@ -1,38 +0,0 @@ -From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 17 Jan 2019 13:58:14 +0100 -Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries. - -To get correct values, we need to cast 'timeout' to 'long int' first in -order to do calculation in that integer space! Calculations are don in -the space of the lvalue! - -Signed-off-by: Andreas Schneider -Reviewed-by: Volker Lendecke ---- - source3/lib/gencache.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c -index ab12fc1c531..9f4e1cfcaa3 100644 ---- a/source3/lib/gencache.c -+++ b/source3/lib/gencache.c -@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob, - dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len }; - dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length }; - -- DEBUG(10, ("Adding cache entry with key=[%s] and timeout=" -- "[%s] (%d seconds %s)\n", keystr, -+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout=" -+ "[%s] (%ld seconds %s)\n", keystr, - timestring(talloc_tos(), timeout), -- (int)(timeout - time(NULL)), -- timeout > time(NULL) ? "ahead" : "in the past")); -+ ((long int)timeout) - time(NULL), -+ timeout > time(NULL) ? "ahead" : "in the past"); - - ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr), - dbufs, 2, 0); --- -2.20.1 - diff --git a/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch new file mode 100644 index 0000000..b3e0247 --- /dev/null +++ b/SOURCES/samba-4.10-fix_net_ads_join_hardened_env.patch 
@@ -0,0 +1,1276 @@ +From 0d1179d5c3585678e6b4097425a4137b8666d333 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 8 Aug 2019 14:35:38 +0200 +Subject: [PATCH 01/11] testprogs: Fix failure count in test_net_ads.sh + +There are missing ` at the end of the line. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 320b5be4dce95d8dac4b3c0847faf5b730754a37) +--- + testprogs/blackbox/test_net_ads.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index d3c4de5b741..512aa9d2952 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -141,10 +141,10 @@ testit "test spn service doensn't exist in AD but is present in keytab file afte + # SPN parser is very basic but does detect some illegal combination + + windows_spn="$spn_service/$spn_host:" +-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 ++testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing port" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + + windows_spn="$spn_service/$spn_host/" +-testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1 ++testit_expect_failure "test (dedicated keytab) fail to parse windows 
spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + + testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` + +-- +2.23.0 + + +From 5acc6ededece33202fe3aa26cb9de9c052e32ba2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 13 Aug 2019 17:06:58 +0200 +Subject: [PATCH 02/11] s3:libads: Use ldap_add_ext_s() in ads_gen_add() + +ldap_add_s() is marked as deprecated. + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 456322a61319a10aaedda5244488ea4e5aa5cb64) +--- + source3/libads/ldap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 8d13a7cf18c..d409d4ab78e 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1596,7 +1596,7 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) + /* make sure the end of the list is NULL */ + mods[i] = NULL; + +- ret = ldap_add_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods); ++ ret = ldap_add_ext_s(ads->ldap.ld, utf8_dn, (LDAPMod**)mods, NULL, NULL); + ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); + return ADS_ERROR(ret); +-- +2.23.0 + + +From 17d370a97ee2c7e6359aafc0248efae90c654857 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 13 Aug 2019 17:41:40 +0200 +Subject: [PATCH 03/11] s3:libnet: Require sealed LDAP SASL connections for + joining + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit b84abb3a46211dc84e52ef95750627e4dd081f2f) +--- + libgpo/pygpo.c | 2 +- + source3/lib/netapi/joindomain.c | 5 ++++- + source3/libads/ads_proto.h | 9 ++++++++- + source3/libads/ads_struct.c | 14 +++++++++++++- + source3/libads/ldap.c | 4 ++-- + source3/libnet/libnet_join.c | 3 ++- 
+ source3/libsmb/namequery_dc.c | 2 +- + source3/printing/nt_printing_ads.c | 6 +++--- + source3/utils/net_ads.c | 13 +++++++++---- + source3/winbindd/winbindd_ads.c | 5 ++++- + source3/winbindd/winbindd_cm.c | 5 ++++- + 11 files changed, 51 insertions(+), 17 deletions(-) + +diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c +index cd107318860..4db8cad7ca4 100644 +--- a/libgpo/pygpo.c ++++ b/libgpo/pygpo.c +@@ -212,7 +212,7 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) + return -1; + } + +- self->ads_ptr = ads_init(realm, workgroup, ldap_server); ++ self->ads_ptr = ads_init(realm, workgroup, ldap_server, ADS_SASL_PLAIN); + if (self->ads_ptr == NULL) { + return -1; + } +diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c +index ff2154ba803..8d0752f4531 100644 +--- a/source3/lib/netapi/joindomain.c ++++ b/source3/lib/netapi/joindomain.c +@@ -411,7 +411,10 @@ WERROR NetGetJoinableOUs_l(struct libnetapi_ctx *ctx, + + dc = strip_hostname(info->dc_unc); + +- ads = ads_init(info->domain_name, info->domain_name, dc); ++ ads = ads_init(info->domain_name, ++ info->domain_name, ++ dc, ++ ADS_SASL_PLAIN); + if (!ads) { + return WERR_GEN_FAILURE; + } +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index 154bf67f964..92bb3a22cdb 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -32,6 +32,12 @@ + #ifndef _LIBADS_ADS_PROTO_H_ + #define _LIBADS_ADS_PROTO_H_ + ++enum ads_sasl_state_e { ++ ADS_SASL_PLAIN = 0, ++ ADS_SASL_SIGN, ++ ADS_SASL_SEAL, ++}; ++ + /* The following definitions come from libads/ads_struct.c */ + + char *ads_build_path(const char *realm, const char *sep, const char *field, int reverse); +@@ -39,7 +45,8 @@ char *ads_build_dn(const char *realm); + char *ads_build_domain(const char *dn); + ADS_STRUCT *ads_init(const char *realm, + const char *workgroup, +- const char *ldap_server); ++ const char *ldap_server, ++ enum ads_sasl_state_e sasl_state); + bool 
ads_set_sasl_wrap_flags(ADS_STRUCT *ads, int flags); + void ads_destroy(ADS_STRUCT **ads); + +diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c +index 3ab682c0e38..043a1b21247 100644 +--- a/source3/libads/ads_struct.c ++++ b/source3/libads/ads_struct.c +@@ -132,7 +132,8 @@ char *ads_build_domain(const char *dn) + */ + ADS_STRUCT *ads_init(const char *realm, + const char *workgroup, +- const char *ldap_server) ++ const char *ldap_server, ++ enum ads_sasl_state_e sasl_state) + { + ADS_STRUCT *ads; + int wrap_flags; +@@ -152,6 +153,17 @@ ADS_STRUCT *ads_init(const char *realm, + wrap_flags = 0; + } + ++ switch (sasl_state) { ++ case ADS_SASL_PLAIN: ++ break; ++ case ADS_SASL_SIGN: ++ wrap_flags |= ADS_AUTH_SASL_SIGN; ++ break; ++ case ADS_SASL_SEAL: ++ wrap_flags |= ADS_AUTH_SASL_SEAL; ++ break; ++ } ++ + ads->auth.flags = wrap_flags; + + /* Start with the configured page size when the connection is new, +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index d409d4ab78e..7bdda4b1768 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2964,7 +2964,7 @@ ADS_STATUS ads_current_time(ADS_STRUCT *ads) + + if ( !ads->ldap.ld ) { + if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, +- ads->server.ldap_server )) == NULL ) ++ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) + { + status = ADS_ERROR(LDAP_NO_MEMORY); + goto done; +@@ -3026,7 +3026,7 @@ ADS_STATUS ads_domain_func_level(ADS_STRUCT *ads, uint32_t *val) + + if ( !ads->ldap.ld ) { + if ( (ads_s = ads_init( ads->server.realm, ads->server.workgroup, +- ads->server.ldap_server )) == NULL ) ++ ads->server.ldap_server, ADS_SASL_PLAIN )) == NULL ) + { + status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + goto done; +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index b876d7ea89f..a512afc238a 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -140,7 +140,8 @@ static ADS_STATUS libnet_connect_ads(const 
char *dns_domain_name, + + my_ads = ads_init(dns_domain_name, + netbios_domain_name, +- dc_name); ++ dc_name, ++ ADS_SASL_SEAL); + if (!my_ads) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } +diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c +index 4ee5b5278e4..f63dde61603 100644 +--- a/source3/libsmb/namequery_dc.c ++++ b/source3/libsmb/namequery_dc.c +@@ -69,7 +69,7 @@ static bool ads_dc_name(const char *domain, + + /* Try this 3 times then give up. */ + for( i =0 ; i < 3; i++) { +- ads = ads_init(realm, domain, NULL); ++ ads = ads_init(realm, domain, NULL, ADS_SASL_PLAIN); + if (!ads) { + TALLOC_FREE(sitename); + return False; +diff --git a/source3/printing/nt_printing_ads.c b/source3/printing/nt_printing_ads.c +index 2588e1de7e7..a82f1361fc8 100644 +--- a/source3/printing/nt_printing_ads.c ++++ b/source3/printing/nt_printing_ads.c +@@ -227,7 +227,7 @@ WERROR nt_printer_guid_retrieve(TALLOC_CTX *mem_ctx, const char *printer, + return WERR_NOT_ENOUGH_MEMORY; + } + +- ads = ads_init(lp_realm(), lp_workgroup(), NULL); ++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); + if (ads == NULL) { + result = WERR_RPC_S_SERVER_UNAVAILABLE; + goto out; +@@ -577,7 +577,7 @@ WERROR nt_printer_publish(TALLOC_CTX *mem_ctx, + + TALLOC_FREE(sinfo2); + +- ads = ads_init(lp_realm(), lp_workgroup(), NULL); ++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); + if (!ads) { + DEBUG(3, ("ads_init() failed\n")); + win_rc = WERR_RPC_S_SERVER_UNAVAILABLE; +@@ -633,7 +633,7 @@ WERROR check_published_printers(struct messaging_context *msg_ctx) + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return WERR_NOT_ENOUGH_MEMORY; + +- ads = ads_init(lp_realm(), lp_workgroup(), NULL); ++ ads = ads_init(lp_realm(), lp_workgroup(), NULL, ADS_SASL_PLAIN); + if (!ads) { + DEBUG(3, ("ads_init() failed\n")); + return WERR_RPC_S_SERVER_UNAVAILABLE; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index d33031a0dbd..07a22098fb1 100644 
+--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -620,7 +620,10 @@ retry_connect: + realm = assume_own_realm(c); + } + +- ads = ads_init(realm, c->opt_target_workgroup, c->opt_host); ++ ads = ads_init(realm, ++ c->opt_target_workgroup, ++ c->opt_host, ++ ADS_SASL_PLAIN); + + if (!c->opt_user_name) { + c->opt_user_name = "administrator"; +@@ -729,7 +732,8 @@ static int net_ads_check_int(const char *realm, const char *workgroup, const cha + ADS_STRUCT *ads; + ADS_STATUS status; + +- if ( (ads = ads_init( realm, workgroup, host )) == NULL ) { ++ ads = ads_init(realm, workgroup, host, ADS_SASL_PLAIN); ++ if (ads == NULL ) { + return -1; + } + +@@ -1764,7 +1768,7 @@ static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx, st + * kinit with the machine password to do dns update. + */ + +- ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name); ++ ads_dns = ads_init(lp_realm(), NULL, r->in.dc_name, ADS_SASL_PLAIN); + + if (ads_dns == NULL) { + d_fprintf(stderr, _("DNS update failed: out of memory!\n")); +@@ -2654,7 +2658,8 @@ static int net_ads_password(struct net_context *c, int argc, const char **argv) + + /* use the realm so we can eventually change passwords for users + in realms other than default */ +- if (!(ads = ads_init(realm, c->opt_workgroup, c->opt_host))) { ++ ads = ads_init(realm, c->opt_workgroup, c->opt_host, ADS_SASL_PLAIN); ++ if (ads == NULL) { + return -1; + } + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 922ca43764b..556b4523866 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -110,7 +110,10 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + /* we don't want this to affect the users ccache */ + setenv("KRB5CCNAME", WINBIND_CCACHE_NAME, 1); + +- ads = ads_init(target_realm, target_dom_name, ldap_server); ++ ads = ads_init(target_realm, ++ target_dom_name, ++ ldap_server, ++ ADS_SASL_SEAL); + if (!ads) { + 
DEBUG(1,("ads_init for domain %s failed\n", target_dom_name)); + return ADS_ERROR(LDAP_NO_MEMORY); +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 22d3dcaa92b..4bd03ed8b7a 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -1414,7 +1414,10 @@ static bool dcip_check_name(TALLOC_CTX *mem_ctx, + + print_sockaddr(addr, sizeof(addr), pss); + +- ads = ads_init(domain->alt_name, domain->name, addr); ++ ads = ads_init(domain->alt_name, ++ domain->name, ++ addr, ++ ADS_SASL_PLAIN); + ads->auth.flags |= ADS_AUTH_NO_BIND; + ads->config.flags |= request_flags; + ads->server.no_fallback = true; +-- +2.23.0 + + +From 244ecd7d839340858e96d75118548942b44bbd5c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 13 Aug 2019 16:30:07 +0200 +Subject: [PATCH 04/11] s3:libads: Cleanup error code paths in + ads_create_machine_acct() + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 8ed993789f93624b7b60dd5314fe5472e69e903a) +--- + source3/libads/ldap.c | 34 +++++++++++++++++++++++----------- + 1 file changed, 23 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 7bdda4b1768..e492d0688a5 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2092,11 +2092,12 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + uint32_t etype_list) + { + ADS_STATUS ret; +- char *samAccountName, *controlstr; +- TALLOC_CTX *ctx; ++ char *samAccountName = NULL; ++ char *controlstr = NULL; ++ TALLOC_CTX *ctx = NULL; + ADS_MODLIST mods; + char *machine_escaped = NULL; +- char *new_dn; ++ char *new_dn = NULL; + const char *objectClass[] = {"top", "person", "organizationalPerson", + "user", "computer", NULL}; + LDAPMessage *res = NULL; +@@ -2110,13 +2111,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + return ret; + } + +- if (!(ctx = talloc_init("ads_add_machine_acct"))) ++ ctx = 
talloc_init("ads_add_machine_acct"); ++ if (ctx == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); +- +- ret = ADS_ERROR(LDAP_NO_MEMORY); ++ } + + machine_escaped = escape_rdn_val_string_alloc(machine_name); +- if (!machine_escaped) { ++ if (machine_escaped == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + +@@ -2131,17 +2133,26 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + ads_msgfree(ads, res); + + new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); +- samAccountName = talloc_asprintf(ctx, "%s$", machine_name); ++ if (new_dn == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } + +- if ( !new_dn || !samAccountName ) { ++ samAccountName = talloc_asprintf(ctx, "%s$", machine_name); ++ if (samAccountName == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + +- if (!(controlstr = talloc_asprintf(ctx, "%u", acct_control))) { ++ controlstr = talloc_asprintf(ctx, "%u", acct_control); ++ if (controlstr == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + +- if (!(mods = ads_init_mods(ctx))) { ++ mods = ads_init_mods(ctx); ++ if (mods == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + +@@ -2155,6 +2166,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + + etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); + if (etype_list_str == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", +-- +2.23.0 + + +From 8d0e49716b7039fee4785186c67de774b34bd85b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 21 Aug 2019 12:22:32 +0200 +Subject: [PATCH 05/11] s3:libads: Use a talloc_asprintf in + ads_find_machine_acct() + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 35f3e4aed1f1c2ba1c8dc50921f238937f343357) +--- + source3/libads/ldap.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/source3/libads/ldap.c 
b/source3/libads/ldap.c +index e492d0688a5..3bc9a2a06aa 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1367,18 +1367,22 @@ char *ads_parent_dn(const char *dn) + ADS_STATUS status; + char *expr; + const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; ++ TALLOC_CTX *frame = talloc_stackframe(); + + *res = NULL; + + /* the easiest way to find a machine account anywhere in the tree + is to look for hostname$ */ +- if (asprintf(&expr, "(samAccountName=%s$)", machine) == -1) { +- DEBUG(1, ("asprintf failed!\n")); +- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); ++ expr = talloc_asprintf(frame, "(samAccountName=%s$)", machine); ++ if (expr == NULL) { ++ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); ++ goto done; + } + + status = ads_search(ads, res, expr, attrs); +- SAFE_FREE(expr); ++ ++done: ++ TALLOC_FREE(frame); + return status; + } + +-- +2.23.0 + + +From be247641382d1cc730ab5cd1e8bebe92e1d3a6fc Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 14 Aug 2019 13:01:19 +0200 +Subject: [PATCH 06/11] s3:libads: Fix detection if acount already exists in + ads_find_machine_count() + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 4f389c1f78cdc2424795e3b2a1ce43818c400c2d) +--- + source3/libads/ldap.c | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 3bc9a2a06aa..ec6ad61a55c 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1366,7 +1366,21 @@ char *ads_parent_dn(const char *dn) + { + ADS_STATUS status; + char *expr; +- const char *attrs[] = {"*", "msDS-SupportedEncryptionTypes", "nTSecurityDescriptor", NULL}; ++ const char *attrs[] = { ++ /* This is how Windows checks for machine accounts */ ++ "objectClass", ++ "SamAccountName", ++ "userAccountControl", ++ "DnsHostName", ++ "ServicePrincipalName", ++ "unicodePwd", ++ ++ /* Additional 
attributes Samba checks */ ++ "msDS-SupportedEncryptionTypes", ++ "nTSecurityDescriptor", ++ ++ NULL ++ }; + TALLOC_CTX *frame = talloc_stackframe(); + + *res = NULL; +@@ -1380,6 +1394,11 @@ char *ads_parent_dn(const char *dn) + } + + status = ads_search(ads, res, expr, attrs); ++ if (ADS_ERR_OK(status)) { ++ if (ads_count_replies(ads, *res) != 1) { ++ status = ADS_ERROR_LDAP(LDAP_NO_SUCH_OBJECT); ++ } ++ } + + done: + TALLOC_FREE(frame); +@@ -1867,11 +1886,11 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin + char *dn_string = NULL; + + ret = ads_find_machine_acct(ads, &res, machine_name); +- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { ++ if (!ADS_ERR_OK(ret)) { + DEBUG(5,("ads_clear_service_principal_names: WARNING: Host Account for %s not found... skipping operation.\n", machine_name)); + DEBUG(5,("ads_clear_service_principal_names: WARNING: Service Principals for %s have NOT been cleared.\n", machine_name)); + ads_msgfree(ads, res); +- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ return ret; + } + + DEBUG(5,("ads_clear_service_principal_names: Host account for %s found\n", machine_name)); +@@ -2027,12 +2046,12 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, + const char **servicePrincipalName = spns; + + ret = ads_find_machine_acct(ads, &res, machine_name); +- if (!ADS_ERR_OK(ret) || ads_count_replies(ads, res) != 1) { ++ if (!ADS_ERR_OK(ret)) { + DEBUG(1,("ads_add_service_principal_name: WARNING: Host Account for %s not found... 
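Review bot: Replacing `"*"` with an explicit attribute list in `attrs[]` narrows what `ads_find_machine_acct()` returns, so any caller that reads an attribute outside this list from `*res` now silently gets nothing instead of an error; the callers touched in this commit only use the DN and `userAccountControl`, but the remaining callers are not visible here and deserve an audit. `"unicodePwd"` is write-only in AD and will never come back on a read, so a short comment would stop the next reader from expecting a value: `/* unicodePwd is never returned; listed only to mirror the Windows query */`. The function header of `ads_find_machine_acct()` is outside the hunk.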
skipping operation.\n", + machine_name)); + DEBUG(1,("ads_add_service_principal_name: WARNING: Service Principals have NOT been added.\n")); + ads_msgfree(ads, res); +- return ADS_ERROR(LDAP_NO_SUCH_OBJECT); ++ return ret; + } + + DEBUG(1,("ads_add_service_principal_name: Host account for %s found\n", machine_name)); +@@ -2127,7 +2146,7 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + } + + ret = ads_find_machine_acct(ads, &res, machine_escaped); +- if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { ++ if (ADS_ERR_OK(ret)) { + DBG_DEBUG("Host account for %s already exists.\n", + machine_escaped); + ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); +@@ -3684,14 +3703,15 @@ ADS_STATUS ads_leave_realm(ADS_STRUCT *ads, const char *hostname) + TALLOC_FREE(hostnameDN); + + status = ads_find_machine_acct(ads, &res, host); +- if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) { ++ if ((status.error_type == ENUM_ADS_ERROR_LDAP) && ++ (status.err.rc != LDAP_NO_SUCH_OBJECT)) { + DEBUG(3, ("Failed to remove host account.\n")); + SAFE_FREE(host); + return status; + } + + SAFE_FREE(host); +- return status; ++ return ADS_SUCCESS; + } + + /** +-- +2.23.0 + + +From d7485cee3652a91ac199f912d656713cf1ddafa9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 14 Aug 2019 12:17:20 +0200 +Subject: [PATCH 07/11] s3:libads: Don't set supported encryption types during + account creation + +This is already handled by libnet_join_post_processing_ads_modify() +which calls libnet_join_set_etypes() if encrytion types should be set. 
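Review bot: The new condition in `ads_leave_realm()` treats only LDAP-typed statuses as failures, so a status of another type — for example the `ADS_ERROR_NT(NT_STATUS_NO_MEMORY)` that `ads_find_machine_acct()` itself returns on allocation failure in the earlier hunk — falls through to `return ADS_SUCCESS;` and reports a successful leave. When the search succeeds because the account is still present, `status` is `ADS_SUCCESS`, which (as `ADS_ERROR(0)`) is LDAP-typed with `err.rc == 0`, so the "Failed to remove host account" branch also hands the caller a success status. Testing `ADS_ERR_OK(status)` first and returning a real error there, e.g. `ADS_ERROR_LDAP(LDAP_OPERATIONS_ERROR)`, before the LDAP-type check would cover both. `res` is not freed on either visible path; the rest of the function lies outside the hunk.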
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit b755a6438022579dab1a403c81d60b1ed7efca38) +--- + source3/libads/ldap.c | 18 ------------------ + 1 file changed, 18 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index ec6ad61a55c..8fbd97e25e2 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2127,12 +2127,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ + UF_DONT_EXPIRE_PASSWD |\ + UF_ACCOUNTDISABLE ); +- uint32_t func_level = 0; +- +- ret = ads_domain_func_level(ads, &func_level); +- if (!ADS_ERR_OK(ret)) { +- return ret; +- } + + ctx = talloc_init("ads_add_machine_acct"); + if (ctx == NULL) { +@@ -2184,18 +2178,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + ads_mod_strlist(ctx, &mods, "objectClass", objectClass); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); + +- if (func_level >= DS_DOMAIN_FUNCTION_2008) { +- const char *etype_list_str; +- +- etype_list_str = talloc_asprintf(ctx, "%d", (int)etype_list); +- if (etype_list_str == NULL) { +- ret = ADS_ERROR(LDAP_NO_MEMORY); +- goto done; +- } +- ads_mod_str(ctx, &mods, "msDS-SupportedEncryptionTypes", +- etype_list_str); +- } +- + ret = ads_gen_add(ads, new_dn, mods); + + done: +-- +2.23.0 + + +From f8f7158ac639c516e6dcdeca9d41b94ba6d06134 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 13 Aug 2019 16:34:34 +0200 +Subject: [PATCH 08/11] s3:libads: Fix creating machine account using LDAP + +This implements the same behaviour as Windows. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit ce7762935051c862ecdd3e82d93096aac61dd292) +--- + source3/libads/ads_proto.h | 4 +- + source3/libads/ldap.c | 118 +++++++++++++++++++++++++++++++---- + source3/libnet/libnet_join.c | 23 ++++--- + 3 files changed, 124 insertions(+), 21 deletions(-) + +diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h +index 92bb3a22cdb..495ef5d3325 100644 +--- a/source3/libads/ads_proto.h ++++ b/source3/libads/ads_proto.h +@@ -114,8 +114,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, const char *machine_ + const char **spns); + ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + const char *machine_name, ++ const char *machine_password, + const char *org_unit, +- uint32_t etype_list); ++ uint32_t etype_list, ++ const char *dns_domain_name); + ADS_STATUS ads_move_machine_acct(ADS_STRUCT *ads, const char *machine_name, + const char *org_unit, bool *moved); + int ads_count_replies(ADS_STRUCT *ads, void *res); +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 8fbd97e25e2..81efda0cf30 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1516,7 +1516,6 @@ ADS_STATUS ads_mod_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods, + name, (const void **) vals); + } + +-#if 0 + /** + * Add a single ber-encoded value to a mod list + * @param ctx An initialized TALLOC_CTX +@@ -1537,7 +1536,6 @@ static ADS_STATUS ads_mod_ber(TALLOC_CTX *ctx, ADS_MODLIST *mods, + return ads_modlist_add(ctx, mods, LDAP_MOD_REPLACE|LDAP_MOD_BVALUES, + name, (const void **) values); + } +-#endif + + static void ads_print_error(int ret, LDAP *ld) + { +@@ -2111,8 +2109,10 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, + + ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + const char *machine_name, ++ const char 
*machine_password, + const char *org_unit, +- uint32_t etype_list) ++ uint32_t etype_list, ++ const char *dns_domain_name) + { + ADS_STATUS ret; + char *samAccountName = NULL; +@@ -2120,13 +2120,23 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + TALLOC_CTX *ctx = NULL; + ADS_MODLIST mods; + char *machine_escaped = NULL; ++ char *dns_hostname = NULL; + char *new_dn = NULL; +- const char *objectClass[] = {"top", "person", "organizationalPerson", +- "user", "computer", NULL}; ++ char *utf8_pw = NULL; ++ size_t utf8_pw_len = 0; ++ char *utf16_pw = NULL; ++ size_t utf16_pw_len = 0; ++ struct berval machine_pw_val; ++ bool ok; ++ const char **spn_array = NULL; ++ size_t num_spns = 0; ++ const char *spn_prefix[] = { ++ "HOST", ++ "RestrictedKrbHost", ++ }; ++ size_t i; + LDAPMessage *res = NULL; +- uint32_t acct_control = ( UF_WORKSTATION_TRUST_ACCOUNT |\ +- UF_DONT_EXPIRE_PASSWD |\ +- UF_ACCOUNTDISABLE ); ++ uint32_t acct_control = UF_WORKSTATION_TRUST_ACCOUNT; + + ctx = talloc_init("ads_add_machine_acct"); + if (ctx == NULL) { +@@ -2139,10 +2149,9 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + goto done; + } + ++ /* Check if the machine account already exists. 
*/ + ret = ads_find_machine_acct(ads, &res, machine_escaped); + if (ADS_ERR_OK(ret)) { +- DBG_DEBUG("Host account for %s already exists.\n", +- machine_escaped); + ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); + ads_msgfree(ads, res); + goto done; +@@ -2155,28 +2164,111 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + goto done; + } + ++ /* Create machine account */ ++ + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); + if (samAccountName == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + ++ dns_hostname = talloc_asprintf(ctx, ++ "%s.%s", ++ machine_name, ++ dns_domain_name); ++ if (dns_hostname == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ /* Add dns_hostname SPNs */ ++ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { ++ char *spn = talloc_asprintf(ctx, ++ "%s/%s", ++ spn_prefix[i], ++ dns_hostname); ++ if (spn == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ ok = add_string_to_array(spn_array, ++ spn, ++ &spn_array, ++ &num_spns); ++ if (!ok) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ } ++ ++ /* Add machine_name SPNs */ ++ for (i = 0; i < ARRAY_SIZE(spn_prefix); i++) { ++ char *spn = talloc_asprintf(ctx, ++ "%s/%s", ++ spn_prefix[i], ++ machine_name); ++ if (spn == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ ok = add_string_to_array(spn_array, ++ spn, ++ &spn_array, ++ &num_spns); ++ if (!ok) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ } ++ ++ /* Make sure to NULL terminate the array */ ++ spn_array = talloc_realloc(ctx, spn_array, const char *, num_spns + 1); ++ if (spn_array == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ spn_array[num_spns] = NULL; ++ + controlstr = talloc_asprintf(ctx, "%u", acct_control); + if (controlstr == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + ++ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); ++ if (utf8_pw == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ 
goto done; ++ } ++ utf8_pw_len = strlen(utf8_pw); ++ ++ ok = convert_string_talloc(ctx, ++ CH_UTF8, CH_UTF16MUNGED, ++ utf8_pw, utf8_pw_len, ++ (void *)&utf16_pw, &utf16_pw_len); ++ if (!ok) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ machine_pw_val = (struct berval) { ++ .bv_val = utf16_pw, ++ .bv_len = utf16_pw_len, ++ }; ++ + mods = ads_init_mods(ctx); + if (mods == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); + goto done; + } + +- ads_mod_str(ctx, &mods, "cn", machine_name); +- ads_mod_str(ctx, &mods, "sAMAccountName", samAccountName); +- ads_mod_strlist(ctx, &mods, "objectClass", objectClass); ++ ads_mod_str(ctx, &mods, "objectClass", "Computer"); ++ ads_mod_str(ctx, &mods, "SamAccountName", samAccountName); + ads_mod_str(ctx, &mods, "userAccountControl", controlstr); ++ ads_mod_str(ctx, &mods, "DnsHostName", dns_hostname); ++ ads_mod_strlist(ctx, &mods, "ServicePrincipalName", spn_array); ++ ads_mod_ber(ctx, &mods, "unicodePwd", &machine_pw_val); + + ret = ads_gen_add(ads, new_dn, mods); + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a512afc238a..d5c8599beee 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -338,10 +338,22 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, + /* Attempt to create the machine account and bail if this fails. 
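Review bot: The `talloc_realloc()` failure path for `spn_array` does `return ADS_ERROR_LDAP(LDAP_NO_MEMORY);` directly instead of `ret = ADS_ERROR(LDAP_NO_MEMORY); goto done;` like every other allocation failure in `ads_create_machine_acct()`, so `ctx` is leaked and whatever cleanup follows `done:` (outside the hunk) is skipped. `utf8_pw` and `utf16_pw` hold the quoted machine password in plain talloc memory until the context is released; wiping both buffers with a non-elidable memset before `talloc_free(ctx)` would keep the secret from lingering in freed heap. `dns_domain_name` is formatted with `%s` without a NULL check, which is undefined behaviour if a caller can pass NULL (the join code passes `r->out.dns_domain_name`), so either guard it or document the precondition in the function comment.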
+ Assume that the admin wants exactly what they requested */ + ++ if (r->in.machine_password == NULL) { ++ r->in.machine_password = ++ trust_pw_new_value(mem_ctx, ++ r->in.secure_channel_type, ++ SEC_ADS); ++ if (r->in.machine_password == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ } ++ + status = ads_create_machine_acct(r->in.ads, + r->in.machine_name, ++ r->in.machine_password, + r->in.account_ou, +- r->in.desired_encryption_types); ++ r->in.desired_encryption_types, ++ r->out.dns_domain_name); + + if (ADS_ERR_OK(status)) { + DEBUG(1,("machine account creation created\n")); +@@ -2668,12 +2680,11 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + if (ADS_ERR_OK(ads_status)) { + + /* +- * LDAP object create succeeded, now go to the rpc +- * password set routines ++ * LDAP object creation succeeded. + */ +- + r->in.join_flags &= ~WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE; +- goto rpc_join; ++ ++ return WERR_OK; + } + + if (initial_account_ou != NULL) { +@@ -2687,8 +2698,6 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + DBG_INFO("Failed to pre-create account in OU %s: %s\n", + r->in.account_ou, ads_errstr(ads_status)); + } +- rpc_join: +- + #endif /* HAVE_ADS */ + + if ((r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE) && +-- +2.23.0 + + +From f37eaa71dbd1cb206e8f3bcf251fc42308aa561d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 14 Aug 2019 10:15:19 +0200 +Subject: [PATCH 09/11] s3:libnet: Improve debug messages + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 39b8c8b30a5d5bd70f8da3a02cf77f7592788b94) +--- + source3/libnet/libnet_join.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index d5c8599beee..31d1d221ed3 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -356,7 +356,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, + 
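Review bot: `return WERR_OK;` immediately after clearing `WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE` in `libnet_DomainJoin()` makes that flag update dead unless the caller re-reads `r->in.join_flags`, and it ends the join as soon as the LDAP object exists, skipping everything after the `#endif /* HAVE_ADS */` block (not visible here). If that is intended — the LDAP path now sets the password itself, so the RPC password-set step is unnecessary — the comment should say so rather than only "LDAP object creation succeeded", e.g. `/* LDAP object creation succeeded and the password was set; the RPC join path is not needed. */`. Otherwise the flag-clearing line should be dropped as unreachable state.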
r->out.dns_domain_name); + + if (ADS_ERR_OK(status)) { +- DEBUG(1,("machine account creation created\n")); ++ DBG_WARNING("Machine account successfully created\n"); + return status; + } else if ((status.error_type == ENUM_ADS_ERROR_LDAP) && + (status.err.rc == LDAP_ALREADY_EXISTS)) { +@@ -364,7 +364,7 @@ static ADS_STATUS libnet_join_precreate_machine_acct(TALLOC_CTX *mem_ctx, + } + + if (!ADS_ERR_OK(status)) { +- DEBUG(1,("machine account creation failed\n")); ++ DBG_WARNING("Failed to create machine account\n"); + return status; + } + +-- +2.23.0 + + +From d590cf9739393e15aa4d9cc86ca56f93db6f1a2b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 8 Aug 2019 14:40:04 +0200 +Subject: [PATCH 10/11] s3:libads: Just change the machine password if account + already exists + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13884 + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +(cherry picked from commit 14f320fa1e40ecc3a43dabb0cecd57430270a521) +--- + source3/libads/ldap.c | 167 ++++++++++++++++++++++++++++++----- + source3/libnet/libnet_join.c | 1 + + 2 files changed, 146 insertions(+), 22 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 81efda0cf30..afae46d2e79 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2098,6 +2098,127 @@ ADS_STATUS ads_add_service_principal_names(ADS_STRUCT *ads, + return ret; + } + ++static uint32_t ads_get_acct_ctrl(ADS_STRUCT *ads, ++ LDAPMessage *msg) ++{ ++ uint32_t acct_ctrl = 0; ++ bool ok; ++ ++ ok = ads_pull_uint32(ads, msg, "userAccountControl", &acct_ctrl); ++ if (!ok) { ++ return 0; ++ } ++ ++ return acct_ctrl; ++} ++ ++static ADS_STATUS ads_change_machine_acct(ADS_STRUCT *ads, ++ LDAPMessage *msg, ++ const struct berval *machine_pw_val) ++{ ++ ADS_MODLIST mods; ++ ADS_STATUS ret; ++ TALLOC_CTX *frame = talloc_stackframe(); ++ uint32_t acct_control; ++ char *control_str = 
NULL; ++ const char *attrs[] = { ++ "objectSid", ++ NULL ++ }; ++ LDAPMessage *res = NULL; ++ char *dn = NULL; ++ ++ dn = ads_get_dn(ads, frame, msg); ++ if (dn == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ acct_control = ads_get_acct_ctrl(ads, msg); ++ if (acct_control == 0) { ++ ret = ADS_ERROR(LDAP_NO_RESULTS_RETURNED); ++ goto done; ++ } ++ ++ /* ++ * Changing the password, disables the account. So we need to change the ++ * userAccountControl flags to enable it again. ++ */ ++ mods = ads_init_mods(frame); ++ if (mods == NULL) { ++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ ads_mod_ber(frame, &mods, "unicodePwd", machine_pw_val); ++ ++ ret = ads_gen_mod(ads, dn, mods); ++ if (!ADS_ERR_OK(ret)) { ++ goto done; ++ } ++ TALLOC_FREE(mods); ++ ++ /* ++ * To activate the account, we need to disable and enable it. ++ */ ++ acct_control |= UF_ACCOUNTDISABLE; ++ ++ control_str = talloc_asprintf(frame, "%u", acct_control); ++ if (control_str == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ mods = ads_init_mods(frame); ++ if (mods == NULL) { ++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ ads_mod_str(frame, &mods, "userAccountControl", control_str); ++ ++ ret = ads_gen_mod(ads, dn, mods); ++ if (!ADS_ERR_OK(ret)) { ++ goto done; ++ } ++ TALLOC_FREE(mods); ++ TALLOC_FREE(control_str); ++ ++ /* ++ * Enable the account again. 
++ */ ++ acct_control &= ~UF_ACCOUNTDISABLE; ++ ++ control_str = talloc_asprintf(frame, "%u", acct_control); ++ if (control_str == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ mods = ads_init_mods(frame); ++ if (mods == NULL) { ++ ret = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ ads_mod_str(frame, &mods, "userAccountControl", control_str); ++ ++ ret = ads_gen_mod(ads, dn, mods); ++ if (!ADS_ERR_OK(ret)) { ++ goto done; ++ } ++ TALLOC_FREE(mods); ++ TALLOC_FREE(control_str); ++ ++ ret = ads_search_dn(ads, &res, dn, attrs); ++ ads_msgfree(ads, res); ++ ++done: ++ talloc_free(frame); ++ ++ return ret; ++} ++ + /** + * adds a machine account to the ADS server + * @param ads An intialized ADS_STRUCT +@@ -2149,11 +2270,34 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + goto done; + } + ++ utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); ++ if (utf8_pw == NULL) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ utf8_pw_len = strlen(utf8_pw); ++ ++ ok = convert_string_talloc(ctx, ++ CH_UTF8, CH_UTF16MUNGED, ++ utf8_pw, utf8_pw_len, ++ (void *)&utf16_pw, &utf16_pw_len); ++ if (!ok) { ++ ret = ADS_ERROR(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ machine_pw_val = (struct berval) { ++ .bv_val = utf16_pw, ++ .bv_len = utf16_pw_len, ++ }; ++ + /* Check if the machine account already exists. 
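Review bot: The trailing `ads_search_dn(ads, &res, dn, attrs)` in `ads_change_machine_acct()` fetches `objectSid`, frees the result immediately and overwrites `ret` with the search status, so a successful password change can be reported as a failure by a read whose result nothing consumes; either drop the search together with `attrs[]`, or keep the modification status and say in a comment why the read is needed. The disable/enable sequence is not failure-safe: if the `ads_gen_mod()` that writes `UF_ACCOUNTDISABLE` succeeds and the following one fails, the existing account is left disabled after its password was already replaced, which the `done:` path should at least log or the function comment should warn about. `ads_get_acct_ctrl()` returns 0 both for a missing attribute and for a genuine 0 value, and the caller maps that to `LDAP_NO_RESULTS_RETURNED`; a bool out-parameter would keep the two cases apart.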
*/ + ret = ads_find_machine_acct(ads, &res, machine_escaped); + if (ADS_ERR_OK(ret)) { +- ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); ++ /* Change the machine account password */ ++ ret = ads_change_machine_acct(ads, res, &machine_pw_val); + ads_msgfree(ads, res); ++ + goto done; + } + ads_msgfree(ads, res); +@@ -2236,27 +2380,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + goto done; + } + +- utf8_pw = talloc_asprintf(ctx, "\"%s\"", machine_password); +- if (utf8_pw == NULL) { +- ret = ADS_ERROR(LDAP_NO_MEMORY); +- goto done; +- } +- utf8_pw_len = strlen(utf8_pw); +- +- ok = convert_string_talloc(ctx, +- CH_UTF8, CH_UTF16MUNGED, +- utf8_pw, utf8_pw_len, +- (void *)&utf16_pw, &utf16_pw_len); +- if (!ok) { +- ret = ADS_ERROR(LDAP_NO_MEMORY); +- goto done; +- } +- +- machine_pw_val = (struct berval) { +- .bv_val = utf16_pw, +- .bv_len = utf16_pw_len, +- }; +- + mods = ads_init_mods(ctx); + if (mods == NULL) { + ret = ADS_ERROR(LDAP_NO_MEMORY); +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 31d1d221ed3..1052afde641 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -968,6 +968,7 @@ static ADS_STATUS libnet_join_post_processing_ads_modify(TALLOC_CTX *mem_ctx, + + if (r->in.ads->auth.ccache_name != NULL) { + ads_kdestroy(r->in.ads->auth.ccache_name); ++ r->in.ads->auth.ccache_name = NULL; + } + + ads_destroy(&r->in.ads); +-- +2.23.0 + + +From 2209c01f8069d47b47c8fc5df376cc9c41c552e1 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 22 Aug 2019 16:31:30 +0200 +Subject: [PATCH 11/11] testprogs: Add test for 'net ads join createcomputer=' + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Oct 9 08:26:17 UTC 2019 on sn-devel-184 + +(cherry picked from commit 459b43e5776180dc1540cd845b72ff78747ecd6f) +--- + testprogs/blackbox/test_net_ads.sh | 32 ++++++++++++++++++++++++++++-- + 1 file changed, 30 
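Review bot: `ads_create_machine_acct()` now replaces the password of an existing account via `ads_change_machine_acct()` instead of returning `LDAP_ALREADY_EXISTS`, which makes the `LDAP_ALREADY_EXISTS` branch in `libnet_join_precreate_machine_acct()` (seen in the preceding libnet_join hunk) unreachable from this path and silently changes what a "create" call means for every caller. The doc comment above the function still reads "adds a machine account to the ADS server" and should state the new contract, e.g. `* If the account already exists, its password is replaced and the account re-enabled instead of failing with LDAP_ALREADY_EXISTS.` The password conversion now happens before the existence check, so `utf16_pw` lives on `ctx` for the whole call; it is released with the context but never wiped.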
insertions(+), 2 deletions(-) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 512aa9d2952..cc8345c4624 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -31,6 +31,16 @@ if [ -x "$BINDIR/ldbsearch" ]; then + ldbsearch="$BINDIR/ldbsearch" + fi + ++ldbadd="ldbadd" ++if [ -x "$BINDIR/ldbadd" ]; then ++ ldbadd="$BINDIR/ldbadd" ++fi ++ ++ldbdel="ldbdel" ++if [ -x "$BINDIR/ldbdel" ]; then ++ ldbdel="$BINDIR/ldbdel" ++fi ++ + # Load test functions + . `dirname $0`/subunit.sh + +@@ -188,8 +198,9 @@ testit "testjoin user+password" $VALGRIND $net_tool ads testjoin -U$DC_USERNAME% + + testit "leave+keep_account" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD --keep-account || failed=`expr $failed + 1` + +-computers_ldb_ou="CN=Computers,DC=addom,DC=samba,DC=example,DC=com" +-testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_ldb_ou" || failed=`expr $failed + 1` ++base_dn="DC=addom,DC=samba,DC=example,DC=com" ++computers_dn="CN=Computers,$base_dn" ++testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` + + testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +@@ -198,6 +209,23 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + ##Goodbye... 
+ testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# ++# Test createcomputer option of 'net ads join' ++# ++testit "Create OU=Servers,$base_dn" $VALGRIND $ldbadd -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER < +Date: Mon, 13 May 2019 16:55:49 +0200 +Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups + +This is required to access files in /var/spool/cups which have been +temporarily created in there by CUPS. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b) +--- + source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 5c4da33238b..e6684fc0d0c 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -82,6 +82,7 @@ int main(int argc, char *argv[]) + { + char smbspool_cmd[PATH_MAX] = {0}; + struct passwd *pwd; ++ struct group *g = NULL; + char gen_cc[PATH_MAX] = {0}; + struct stat sb; + char *env = NULL; +@@ -89,6 +90,7 @@ int main(int argc, char *argv[]) + char device_uri[4096] = {0}; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; ++ gid_t groups[1] = { (gid_t)-1 }; + unsigned long tmp; + int cmp; + int rc; +@@ -176,6 +178,26 @@ int main(int argc, char *argv[]) + return CUPS_BACKEND_FAILED; + } + ++ /* ++ * We need the primary group of the 'lp' user. This is needed to access ++ * temporary files in /var/spool/cups/. 
++ */ ++ g = getgrnam("lp"); ++ if (g == NULL) { ++ CUPS_SMB_ERROR("Failed to find user 'lp' - %s", ++ strerror(errno)); ++ return CUPS_BACKEND_FAILED; ++ } ++ ++ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid); ++ groups[0] = g->gr_gid; ++ rc = setgroups(sizeof(groups), groups); ++ if (rc != 0) { ++ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s", ++ strerror(errno)); ++ return CUPS_BACKEND_FAILED; ++ } ++ + CUPS_SMB_DEBUG("Switching to gid=%d", gid); + rc = setgid(gid); + if (rc != 0) { +-- +2.21.0 + + +From a6b29458e833db85057ef1b7c0403e90f76adfa4 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 13:41:02 +0200 +Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate + with + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5) +--- + source3/client/smbspool.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 22071613677..efbdd418fdb 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -616,6 +616,7 @@ static bool kerberos_ccache_is_valid(void) { + return false; + } else { + krb5_principal default_princ = NULL; ++ char *princ_name = NULL; + + code = krb5_cc_get_principal(ctx, + ccache, +@@ -625,6 +626,16 @@ static bool kerberos_ccache_is_valid(void) { + krb5_free_context(ctx); + return false; + } ++ ++ code = krb5_unparse_name(ctx, ++ default_princ, ++ &princ_name); ++ if (code == 0) { ++ fprintf(stderr, ++ "DEBUG: Try to authenticate as %s\n", ++ princ_name); ++ krb5_free_unparsed_name(ctx, princ_name); ++ } + krb5_free_principal(ctx, default_princ); + } + krb5_cc_close(ctx, ccache); +-- +2.21.0 + + +From b64ed8bb51c7c78d757881fc3944f7bc812f5457 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 14:25:00 +0200 +Subject: [PATCH 3/9] s3:smbspool: Add 
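Review bot: `setgroups(sizeof(groups), groups)` passes the array's byte size (`sizeof(gid_t)`, typically 4) as the element count, so the kernel reads past the one-element `groups` array and installs whatever stack bytes follow as additional supplementary groups — undefined behaviour in a privilege-dropping path that can leave the spooler with unintended group memberships. Use the element count: `rc = setgroups(1, groups);`. The message `"Failed to find user 'lp'"` is emitted for a failed `getgrnam("lp")` and should say group; `getgrnam()` may also leave `errno` untouched on a plain not-found result, so the `strerror(errno)` there can print stale state. The enclosing `main()` continues outside the hunk.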
debug for finding KRB5CCNAME + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba) +--- + source3/client/smbspool_krb5_wrapper.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index e6684fc0d0c..2cdcd372ec6 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -219,10 +219,14 @@ int main(int argc, char *argv[]) + env = getenv("KRB5CCNAME"); + if (env != NULL && env[0] != 0) { + snprintf(gen_cc, sizeof(gen_cc), "%s", env); ++ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache", ++ gen_cc); + + goto create_env; + } + ++ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); ++ + snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); + + rc = lstat(gen_cc, &sb); +-- +2.21.0 + + +From 3b7be905d256955e7e8c056f14626547e08fea2d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 17:10:57 +0200 +Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858) +--- + source3/client/smbspool_krb5_wrapper.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 2cdcd372ec6..3266b90ec1a 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -227,13 +227,13 @@ int main(int argc, char *argv[]) + + CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); + +- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); + + rc = lstat(gen_cc, 
&sb); + if (rc == 0) { +- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); + } else { +- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); ++ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); + + rc = lstat(gen_cc, &sb); + if (rc == 0 && S_ISDIR(sb.st_mode)) { +-- +2.21.0 + + +From 6e2069b014358b6f7e04121fa39c5f2750506d78 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 17:40:43 +0200 +Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is + not set + +This could also support the new KCM credential cache storage. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3) +--- + source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++-------- + source3/wscript_build | 1 + + 2 files changed, 55 insertions(+), 25 deletions(-) + +diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c +index 3266b90ec1a..bff1df417e8 100644 +--- a/source3/client/smbspool_krb5_wrapper.c ++++ b/source3/client/smbspool_krb5_wrapper.c +@@ -21,6 +21,7 @@ + + #include "includes.h" + #include "system/filesys.h" ++#include "system/kerberos.h" + #include "system/passwd.h" + + #include +@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) 
+ buffer); + } + ++static bool kerberos_get_default_ccache(char *ccache_buf, size_t len) ++{ ++ krb5_context ctx; ++ const char *ccache_name = NULL; ++ char *full_ccache_name = NULL; ++ krb5_ccache ccache = NULL; ++ krb5_error_code code; ++ ++ code = krb5_init_context(&ctx); ++ if (code != 0) { ++ return false; ++ } ++ ++ ccache_name = krb5_cc_default_name(ctx); ++ if (ccache_name == NULL) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ code = krb5_cc_resolve(ctx, ccache_name, &ccache); ++ if (code != 0) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name); ++ krb5_cc_close(ctx, ccache); ++ if (code != 0) { ++ krb5_free_context(ctx); ++ return false; ++ } ++ ++ snprintf(ccache_buf, len, "%s", full_ccache_name); ++ ++#ifdef SAMBA4_USES_HEIMDAL ++ free(full_ccache_name); ++#else ++ krb5_free_string(ctx, full_ccache_name); ++#endif ++ krb5_free_context(ctx); ++ ++ return true; ++} ++ + /* + * This is a helper binary to execute smbspool. 
+ * +@@ -84,7 +129,6 @@ int main(int argc, char *argv[]) + struct passwd *pwd; + struct group *g = NULL; + char gen_cc[PATH_MAX] = {0}; +- struct stat sb; + char *env = NULL; + char auth_info_required[256] = {0}; + char device_uri[4096] = {0}; +@@ -92,6 +136,7 @@ int main(int argc, char *argv[]) + gid_t gid = (gid_t)-1; + gid_t groups[1] = { (gid_t)-1 }; + unsigned long tmp; ++ bool ok; + int cmp; + int rc; + +@@ -225,32 +270,16 @@ int main(int argc, char *argv[]) + goto create_env; + } + +- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); +- +- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); +- +- rc = lstat(gen_cc, &sb); +- if (rc == 0) { +- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); +- } else { +- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); +- +- rc = lstat(gen_cc, &sb); +- if (rc == 0 && S_ISDIR(sb.st_mode)) { +- snprintf(gen_cc, +- sizeof(gen_cc), +- "DIR:/run/user/%d/krb5cc", +- uid); +- } else { +-#if defined(__linux__) +- snprintf(gen_cc, +- sizeof(gen_cc), +- "KEYRING:persistent:%d", +- uid); +-#endif +- } ++ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc)); ++ if (ok) { ++ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]", ++ gen_cc); ++ goto create_env; + } + ++ /* Fallback to a FILE ccache */ ++ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); ++ + create_env: + /* + * Make sure we do not have LD_PRELOAD or other security relevant +diff --git a/source3/wscript_build b/source3/wscript_build +index f67ce59fe52..8e34b7d0261 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -1134,6 +1134,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', + deps=''' + DYNCONFIG + cups ++ krb5 + ''', + install_path='${LIBEXECDIR}/samba', + enabled=bld.CONFIG_SET('HAVE_CUPS')) +-- +2.21.0 + + +From d6673500b639ad1402014aa35113bd395e35d4f5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 May 2019 16:48:31 +0200 +Subject: [PATCH 6/9] s3:smbspool: Print the filename we 
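Review bot: `kerberos_get_default_ccache()` treats a successful `krb5_cc_resolve()` as "a usable cache", but resolving a name does not require the cache to exist or to hold credentials (a FILE: name resolves whether or not the file is present), so the `FILE:/tmp/krb5cc_%u` fallback in `main()` in the next hunk becomes effectively unreachable whenever a default name can be formed. If the intent is to fall back only when the default cache is unusable, validate it the way `kerberos_ccache_is_valid()` in smbspool.c does, with `krb5_cc_get_principal()`, before returning true. The `snprintf(ccache_buf, len, "%s", full_ccache_name)` return value is not checked, so a name longer than `len` is silently truncated into a different cache name; compare the result against `len` and return false on truncation.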
failed to open + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd) +--- + source3/client/smbspool.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index efbdd418fdb..ef16c2bed42 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -224,7 +224,9 @@ main(int argc, /* I - Number of command-line arguments */ + + fp = fopen(print_file, "rb"); + if (fp == NULL) { +- perror("ERROR: Unable to open print file"); ++ fprintf(stderr, ++ "ERROR: Unable to open print file: %s", ++ print_file); + goto done; + } + +-- +2.21.0 + + +From ea931f33d92506cdab17a7b746e43831d6bf2112 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 May 2019 18:54:02 +0200 +Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos + +If username and password is given, then fallback to NTLM. However try +kinit first. Also we correctly handle NULL passwords in the meantime and +this makes it easier to deal with issues. 
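Review bot: The replacement for `perror()` drops the `errno` text and the trailing newline, so the CUPS log now shows the filename but no longer says why `fopen()` failed, and the message runs into the next stderr line. `fprintf(stderr, "ERROR: Unable to open print file %s: %s\n", print_file, strerror(errno));` keeps both, assuming `<string.h>` and `<errno.h>` are already available in this file; `errno` must be read before any other call that could clobber it.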
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d) +--- + source3/client/smbspool.c | 90 ++++++++++++++++++++++----------------- + 1 file changed, 51 insertions(+), 39 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index ef16c2bed42..f21aac2ac58 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -88,8 +88,8 @@ main(int argc, /* I - Number of command-line arguments */ + int port; /* Port number */ + char uri[1024], /* URI */ + *sep, /* Pointer to separator */ +- *tmp, *tmp2, /* Temp pointers to do escaping */ +- *password; /* Password */ ++ *tmp, *tmp2; /* Temp pointers to do escaping */ ++ const char *password = NULL; /* Password */ + char *username, /* Username */ + *server, /* Server name */ + *printer;/* Printer name */ +@@ -293,8 +293,6 @@ main(int argc, /* I - Number of command-line arguments */ + if ((tmp2 = strchr_m(tmp, ':')) != NULL) { + *tmp2++ = '\0'; + password = uri_unescape_alloc(tmp2); +- } else { +- password = empty_str; + } + username = uri_unescape_alloc(tmp); + } else { +@@ -302,14 +300,15 @@ main(int argc, /* I - Number of command-line arguments */ + username = empty_str; + } + +- if ((password = getenv("AUTH_PASSWORD")) == NULL) { +- password = empty_str; ++ env = getenv("AUTH_PASSWORD"); ++ if (env != NULL && strlen(env) > 0) { ++ password = env; + } + + server = uri + 6; + } + +- if (password != empty_str) { ++ if (password != NULL) { + auth_info_required = "username,password"; + } + +@@ -514,6 +513,7 @@ smb_complete_connection(const char *myname, + NTSTATUS nt_status; + struct cli_credentials *creds = NULL; + bool use_kerberos = false; ++ bool fallback_after_kerberos = false; + + /* Start the SMB connection */ + *need_auth = false; +@@ -524,27 +524,21 @@ smb_complete_connection(const char *myname, + return NULL; + } + +- /* +- * We pretty 
much guarantee password must be valid or a pointer to a +- * 0 char. +- */ +- if (!password) { +- *need_auth = true; +- return NULL; +- } +- + if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { +- auth_info_required = "negotiate"; + use_kerberos = true; + } + ++ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) { ++ fallback_after_kerberos = true; ++ } ++ + creds = cli_session_creds_init(cli, + username, + workgroup, + NULL, /* realm */ + password, + use_kerberos, +- false, /* fallback_after_kerberos */ ++ fallback_after_kerberos, + false, /* use_ccache */ + false); /* password_is_nt_hash */ + if (creds == NULL) { +@@ -663,6 +657,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + struct cli_state *cli; /* New connection */ + char *myname = NULL; /* Client name */ + struct passwd *pwd; ++ int flags = CLI_FULL_CONNECTION_USE_KERBEROS; ++ bool use_kerberos = false; ++ const char *user = username; ++ int cmp; + + /* + * Get the names and addresses of the client and server... +@@ -672,42 +670,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + return NULL; + } + +- /* +- * See if we have a username first. 
This is for backwards compatible +- * behavior with 3.0.14a +- */ + +- if (username == NULL || username[0] == '\0') { +- if (kerberos_ccache_is_valid()) { +- goto kerberos_auth; ++ cmp = strcmp(auth_info_required, "negotiate"); ++ if (cmp == 0) { ++ if (!kerberos_ccache_is_valid()) { ++ return NULL; + } ++ user = jobusername; ++ ++ use_kerberos = true; ++ fprintf(stderr, ++ "DEBUG: Try to connect using Kerberos ...\n"); ++ } ++ ++ cmp = strcmp(auth_info_required, "username,password"); ++ if (cmp == 0) { ++ if (username == NULL || username[0] == '\0') { ++ return NULL; ++ } ++ ++ /* Fallback to NTLM */ ++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; ++ ++ fprintf(stderr, ++ "DEBUG: Try to connect using username/password ...\n"); ++ } ++ ++ cmp = strcmp(auth_info_required, "none"); ++ if (cmp == 0) { ++ fprintf(stderr, ++ "DEBUG: This backend doesn't support none auth ...\n"); ++ return NULL; + } + + cli = smb_complete_connection(myname, + server, + port, +- username, ++ user, + password, + workgroup, + share, +- 0, ++ flags, + need_auth); + if (cli != NULL) { +- fputs("DEBUG: Connected with username/password...\n", stderr); ++ fprintf(stderr, "DEBUG: SMB connection established.\n"); + return (cli); + } + +-kerberos_auth: +- /* +- * Try to use the user kerberos credentials (if any) to authenticate +- */ +- cli = smb_complete_connection(myname, server, port, jobusername, "", +- workgroup, share, +- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth); +- +- if (cli) { +- fputs("DEBUG: Connected using Kerberos...\n", stderr); +- return (cli); ++ if (!use_kerberos) { ++ fprintf(stderr, "ERROR: SMB connection failed!\n"); ++ return NULL; + } + + /* give a chance for a passwordless NTLMSSP session setup */ +-- +2.21.0 + + +From 8689e83030160fbdbe9b72ff0c86826b49f707a1 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 16 May 2019 18:24:32 +0200 +Subject: [PATCH 8/9] s3:smbspool: Add debug messages to + kerberos_ccache_is_valid() + +BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3) +--- + source3/client/smbspool.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index f21aac2ac58..79e210dd12e 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -602,12 +602,15 @@ static bool kerberos_ccache_is_valid(void) { + + ccache_name = krb5_cc_default_name(ctx); + if (ccache_name == NULL) { ++ DBG_ERR("Failed to get default ccache name\n"); + krb5_free_context(ctx); + return false; + } + + code = krb5_cc_resolve(ctx, ccache_name, &ccache); + if (code != 0) { ++ DBG_ERR("Failed to resolve ccache name: %s\n", ++ ccache_name); + krb5_free_context(ctx); + return false; + } else { +@@ -618,6 +621,9 @@ static bool kerberos_ccache_is_valid(void) { + ccache, + &default_princ); + if (code != 0) { ++ DBG_ERR("Failed to get default principal from " ++ "ccache: %s\n", ++ ccache_name); + krb5_cc_close(ctx, ccache); + krb5_free_context(ctx); + return false; +-- +2.21.0 + + +From d1cee66a5e66d83b2aee3a803351c51d4f5a8118 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 14 May 2019 11:35:46 +0200 +Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes + +This allows us to simplify some code and return better errors. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea) +--- + source3/client/smbspool.c | 250 ++++++++++++++++++++++---------------- + 1 file changed, 145 insertions(+), 105 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index 79e210dd12e..ad988eb0df9 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -61,12 +61,27 @@ + * Local functions... 
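Review bot: The three `DBG_ERR(...)` calls added to `kerberos_ccache_is_valid()` report through Samba's debug system, while the rest of this backend writes CUPS-formatted messages with `fprintf(stderr, "DEBUG: ...")` (see the `smb_connect()` hunk of the previous patch); unless smbspool routes Samba debug output to stderr somewhere not shown here, these messages will not appear in the CUPS error log where an administrator would look for them. The later NTSTATUS patch also calls this function as a probe (`else if (kerberos_ccache_is_valid())`), so an absent cache is not always an error and ERR level seems loud for that case. Consider the file's own style, e.g. `fprintf(stderr, "DEBUG: Failed to resolve ccache name: %s\n", ccache_name);`. The function body continues outside the hunk in both directions.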
+ */ + +-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); ++static int get_exit_code(NTSTATUS nt_status); + static void list_devices(void); +-static struct cli_state *smb_complete_connection(const char *, const char *, +- int, const char *, const char *, const char *, const char *, int, bool *need_auth); +-static struct cli_state *smb_connect(const char *, const char *, int, const +- char *, const char *, const char *, const char *, bool *need_auth); ++static NTSTATUS ++smb_complete_connection(struct cli_state **output_cli, ++ const char *myname, ++ const char *server, ++ int port, ++ const char *username, ++ const char *password, ++ const char *workgroup, ++ const char *share, ++ int flags); ++static NTSTATUS ++smb_connect(struct cli_state **output_cli, ++ const char *workgroup, ++ const char *server, ++ const int port, ++ const char *share, ++ const char *username, ++ const char *password, ++ const char *jobusername); + static int smb_print(struct cli_state *, const char *, FILE *); + static char *uri_unescape_alloc(const char *); + #if 0 +@@ -90,16 +105,15 @@ main(int argc, /* I - Number of command-line arguments */ + *sep, /* Pointer to separator */ + *tmp, *tmp2; /* Temp pointers to do escaping */ + const char *password = NULL; /* Password */ +- char *username, /* Username */ +- *server, /* Server name */ ++ const char *username = NULL; /* Username */ ++ char *server, /* Server name */ + *printer;/* Printer name */ + const char *workgroup; /* Workgroup */ + FILE *fp; /* File to print */ + int status = 1; /* Status of LPD job */ +- struct cli_state *cli; /* SMB interface */ +- char empty_str[] = ""; ++ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; ++ struct cli_state *cli = NULL; /* SMB interface */ + int tries = 0; +- bool need_auth = true; + const char *dev_uri = NULL; + const char *env = NULL; + const char *config_file = NULL; +@@ -296,8 +310,9 @@ main(int argc, /* I - Number of command-line arguments */ + } + username = 
uri_unescape_alloc(tmp); + } else { +- if ((username = getenv("AUTH_USERNAME")) == NULL) { +- username = empty_str; ++ env = getenv("AUTH_USERNAME"); ++ if (env != NULL && strlen(env) > 0) { ++ username = env; + } + + env = getenv("AUTH_PASSWORD"); +@@ -369,27 +384,39 @@ main(int argc, /* I - Number of command-line arguments */ + load_interfaces(); + + do { +- cli = smb_connect(workgroup, +- server, +- port, +- printer, +- username, +- password, +- print_user, +- &need_auth); +- if (cli == NULL) { +- if (need_auth) { +- exit(2); ++ nt_status = smb_connect(&cli, ++ workgroup, ++ server, ++ port, ++ printer, ++ username, ++ password, ++ print_user); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ status = get_exit_code(nt_status); ++ if (status == 2) { ++ fprintf(stderr, ++ "DEBUG: Unable to connect to CIFS " ++ "host: %s", ++ nt_errstr(nt_status)); ++ goto done; + } else if (getenv("CLASS") == NULL) { +- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n"); ++ fprintf(stderr, ++ "ERROR: Unable to connect to CIFS " ++ "host: %s. Will retry in 60 " ++ "seconds...\n", ++ nt_errstr(nt_status)); + sleep(60); + tries++; + } else { +- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n"); ++ fprintf(stderr, ++ "ERROR: Unable to connect to CIFS " ++ "host: %s. 
Trying next printer...\n", ++ nt_errstr(nt_status)); + goto done; + } + } +- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT)); ++ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT)); + + if (cli == NULL) { + fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries); +@@ -436,10 +463,9 @@ done: + */ + + static int +-get_exit_code(struct cli_state * cli, +- NTSTATUS nt_status) ++get_exit_code(NTSTATUS nt_status) + { +- int i; ++ size_t i; + + /* List of NTSTATUS errors that are considered + * authentication errors +@@ -455,17 +481,16 @@ get_exit_code(struct cli_state * cli, + }; + + +- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n", +- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status)); ++ fprintf(stderr, ++ "DEBUG: get_exit_code(nt_status=%s [%x])\n", ++ nt_errstr(nt_status), NT_STATUS_V(nt_status)); + + for (i = 0; i < ARRAY_SIZE(auth_errors); i++) { + if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) { + continue; + } + +- if (cli) { +- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); +- } ++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); + + /* + * 2 = authentication required... 
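Review bot: The message in the `status == 2` branch of the `@@ -369,27 +384,39 @@` hunk, `"DEBUG: Unable to connect to CIFS host: %s"`, has no trailing `\n`, unlike the two sibling messages in the same `if`/`else` chain; CUPS reads backend stderr line by line, so whatever is printed next is glued onto this entry. Change it to `"DEBUG: Unable to connect to CIFS host: %s\n"`. The `do { } while` loop is fully visible, but `main()` continues outside the hunk.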
+@@ -498,16 +523,16 @@ list_devices(void) + } + + +-static struct cli_state * +-smb_complete_connection(const char *myname, ++static NTSTATUS ++smb_complete_connection(struct cli_state **output_cli, ++ const char *myname, + const char *server, + int port, + const char *username, + const char *password, + const char *workgroup, + const char *share, +- int flags, +- bool *need_auth) ++ int flags) + { + struct cli_state *cli; /* New connection */ + NTSTATUS nt_status; +@@ -516,12 +541,11 @@ smb_complete_connection(const char *myname, + bool fallback_after_kerberos = false; + + /* Start the SMB connection */ +- *need_auth = false; + nt_status = cli_start_connection(&cli, myname, server, NULL, port, + SMB_SIGNING_DEFAULT, flags); + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status)); +- return NULL; ++ return nt_status; + } + + if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { +@@ -544,20 +568,16 @@ smb_complete_connection(const char *myname, + if (creds == NULL) { + fprintf(stderr, "ERROR: cli_session_creds_init failed\n"); + cli_shutdown(cli); +- return NULL; ++ return NT_STATUS_NO_MEMORY; + } + + nt_status = cli_session_setup_creds(cli, creds); + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status) == 2) { +- *need_auth = true; +- } +- + cli_shutdown(cli); + +- return NULL; ++ return nt_status; + } + + nt_status = cli_tree_connect_creds(cli, share, "?????", creds); +@@ -565,13 +585,9 @@ smb_complete_connection(const char *myname, + fprintf(stderr, "ERROR: Tree connect failed (%s)\n", + nt_errstr(nt_status)); + +- if (get_exit_code(cli, nt_status) == 2) { +- *need_auth = true; +- } +- + cli_shutdown(cli); + +- return NULL; ++ return nt_status; + } + #if 0 + /* Need to work out how to specify this on the URL. 
*/ +@@ -584,7 +600,8 @@ smb_complete_connection(const char *myname, + } + #endif + +- return cli; ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + static bool kerberos_ccache_is_valid(void) { +@@ -650,49 +667,48 @@ static bool kerberos_ccache_is_valid(void) { + * 'smb_connect()' - Return a connection to a server. + */ + +-static struct cli_state * /* O - SMB connection */ +-smb_connect(const char *workgroup, /* I - Workgroup */ ++static NTSTATUS ++smb_connect(struct cli_state **output_cli, ++ const char *workgroup, /* I - Workgroup */ + const char *server, /* I - Server */ + const int port, /* I - Port */ + const char *share, /* I - Printer */ + const char *username, /* I - Username */ + const char *password, /* I - Password */ +- const char *jobusername, /* I - User who issued the print job */ +- bool *need_auth) +-{ /* O - Need authentication? */ +- struct cli_state *cli; /* New connection */ ++ const char *jobusername) /* I - User who issued the print job */ ++{ ++ struct cli_state *cli = NULL; /* New connection */ + char *myname = NULL; /* Client name */ + struct passwd *pwd; + int flags = CLI_FULL_CONNECTION_USE_KERBEROS; + bool use_kerberos = false; + const char *user = username; +- int cmp; ++ NTSTATUS nt_status; + + /* + * Get the names and addresses of the client and server... 
+ */ + myname = get_myname(talloc_tos()); + if (!myname) { +- return NULL; ++ return NT_STATUS_NO_MEMORY; + } + + +- cmp = strcmp(auth_info_required, "negotiate"); +- if (cmp == 0) { ++ if (strcmp(auth_info_required, "negotiate") == 0) { + if (!kerberos_ccache_is_valid()) { +- return NULL; ++ fprintf(stderr, ++ "ERROR: No valid Kerberos credential cache " ++ "found!\n"); ++ return NT_STATUS_LOGON_FAILURE; + } + user = jobusername; + + use_kerberos = true; + fprintf(stderr, + "DEBUG: Try to connect using Kerberos ...\n"); +- } +- +- cmp = strcmp(auth_info_required, "username,password"); +- if (cmp == 0) { +- if (username == NULL || username[0] == '\0') { +- return NULL; ++ } else if (strcmp(auth_info_required, "username,password") == 0) { ++ if (username == NULL) { ++ return NT_STATUS_INVALID_ACCOUNT_NAME; + } + + /* Fallback to NTLM */ +@@ -700,59 +716,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */ + + fprintf(stderr, + "DEBUG: Try to connect using username/password ...\n"); +- } ++ } else { ++ if (username != NULL) { ++ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; ++ } else if (kerberos_ccache_is_valid()) { ++ auth_info_required = "negotiate"; + +- cmp = strcmp(auth_info_required, "none"); +- if (cmp == 0) { +- fprintf(stderr, +- "DEBUG: This backend doesn't support none auth ...\n"); +- return NULL; ++ user = jobusername; ++ use_kerberos = true; ++ } else { ++ fprintf(stderr, ++ "DEBUG: This backend requires credentials!\n"); ++ return NT_STATUS_ACCESS_DENIED; ++ } + } + +- cli = smb_complete_connection(myname, +- server, +- port, +- user, +- password, +- workgroup, +- share, +- flags, +- need_auth); +- if (cli != NULL) { ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ user, ++ password, ++ workgroup, ++ share, ++ flags); ++ if (NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "DEBUG: SMB connection established.\n"); +- return (cli); ++ ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + if (!use_kerberos) { 
+ fprintf(stderr, "ERROR: SMB connection failed!\n"); +- return NULL; ++ return nt_status; + } + + /* give a chance for a passwordless NTLMSSP session setup */ + pwd = getpwuid(geteuid()); + if (pwd == NULL) { +- return NULL; +- } +- +- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "", +- workgroup, share, 0, need_auth); +- +- if (cli) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ pwd->pw_name, ++ "", ++ workgroup, ++ share, ++ 0); ++ if (NT_STATUS_IS_OK(nt_status)) { + fputs("DEBUG: Connected with NTLMSSP...\n", stderr); +- return (cli); ++ ++ *output_cli = cli; ++ return NT_STATUS_OK; + } + + /* + * last try. Use anonymous authentication + */ + +- cli = smb_complete_connection(myname, server, port, "", "", +- workgroup, share, 0, need_auth); +- /* +- * Return the new connection... +- */ +- +- return (cli); ++ nt_status = smb_complete_connection(&cli, ++ myname, ++ server, ++ port, ++ "", ++ "", ++ workgroup, ++ share, ++ 0); ++ if (NT_STATUS_IS_OK(nt_status)) { ++ *output_cli = cli; ++ return NT_STATUS_OK; ++ } ++ ++ return nt_status; + } + + +@@ -798,7 +838,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: %s opening remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status); ++ return get_exit_code(nt_status); + } + + /* +@@ -816,7 +856,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, + tbytes, nbytes, NULL); + if (!NT_STATUS_IS_OK(status)) { +- int ret = get_exit_code(cli, status); ++ int ret = get_exit_code(status); + fprintf(stderr, "ERROR: Error writing spool: %s\n", + nt_errstr(status)); + fprintf(stderr, "DEBUG: Returning status %d...\n", +@@ -832,7 +872,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ + if (!NT_STATUS_IS_OK(nt_status)) { + fprintf(stderr, "ERROR: 
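Review bot: When the Kerberos attempt fails (`use_kerberos` true), the `@@ -700,59 +716,83 @@` hunk silently steps down to an NTLMSSP session setup with `pwd->pw_name` and an empty password and then to a fully anonymous session; the NTLMSSP success is logged with `"DEBUG: Connected with NTLMSSP..."`, but a job that ends up printing anonymously leaves no trace at all, and the final `return nt_status;` reports the anonymous attempt's status rather than the Kerberos failure, which is the status `main()` feeds to `get_exit_code()` to decide whether to request credentials (exit code 2). Suggest `fputs("DEBUG: Connected anonymously...\n", stderr);` before the last `*output_cli = cli;`, and keeping the Kerberos failure status in a separate variable so it is what gets returned when the later attempts also fail. Whether the anonymous fallback should exist at all when Kerberos was explicitly requested is a policy question the commit message does not discuss. `smb_connect()`'s header is in the preceding hunk.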
%s closing remote spool %s\n", + nt_errstr(nt_status), title); +- return get_exit_code(cli, nt_status); ++ return get_exit_code(nt_status); + } else { + return (0); + } +-- +2.21.0 + +From ffa5f8b65c662130c2d23e47df6d00fef3b73cc3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 18 Jun 2019 14:43:50 +0200 +Subject: [PATCH] s3:client: Link smbspool_krb5_wrapper against krb5samba + +Heimdal doesn't provide krb5_free_unparsed_name(), so we need to use the +function we provide in krb5samba. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +(cherry picked from commit 9268919e046190c7b423133de3f9d0edada3f1b8) +--- + source3/wscript_build | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/wscript_build b/source3/wscript_build +index 1ebb006781a..26e251f442a 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -1133,7 +1133,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', + deps=''' + DYNCONFIG + cups +- krb5 ++ krb5samba + ''', + install_path='${LIBEXECDIR}/samba', + enabled=bld.CONFIG_SET('HAVE_CUPS')) +-- +2.21.0 + diff --git a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch b/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch deleted file mode 100644 index d72091e..0000000 --- a/SOURCES/samba-4.10-fix_smbspool_username_passwd.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001 -From: Bryan Mason -Date: Mon, 16 Sep 2019 12:35:06 -0700 -Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI - -CUPS sanitizes argv[0] by removing username/password, so use -DEVICE_URI environment variable first. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128 - -Signed-off-by: Bryan Mason -Reviewed-by: Alexander Bokovoy -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184 - -(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931) ---- - source3/client/smbspool.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ad988eb0df9..36f7f67ca94 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */ - - /* - * Find the URI ... -- */ -- if (dev_uri == NULL) { -- env = getenv("DEVICE_URI"); -- if (env != NULL && env[0] != '\0') { -- dev_uri = env; -- } -- } -+ * -+ * The URI in argv[0] is sanitized to remove username/password, so -+ * use DEVICE_URI if available. Otherwise keep the URI already -+ * discovered in argv. -+ */ -+ env = getenv("DEVICE_URI"); -+ if (env != NULL && env[0] != '\0') { -+ dev_uri = env; -+ } - - if (dev_uri == NULL) { - fprintf(stderr, --- -2.23.0 - diff --git a/SOURCES/samba-4.10-fix_smbspool_username_password.patch b/SOURCES/samba-4.10-fix_smbspool_username_password.patch new file mode 100644 index 0000000..d72091e --- /dev/null +++ b/SOURCES/samba-4.10-fix_smbspool_username_password.patch 
@@ -0,0 +1,52 @@ +From 24aa04cee5ce3cdab1fd3cf970e285dbd065305e Mon Sep 17 00:00:00 2001 +From: Bryan Mason +Date: Mon, 16 Sep 2019 12:35:06 -0700 +Subject: [PATCH] s3:client:Use DEVICE_URI, instead of argv[0],for Device URI + +CUPS sanitizes argv[0] by removing username/password, so use +DEVICE_URI environment variable first. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14128 + +Signed-off-by: Bryan Mason +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Sep 18 12:31:11 UTC 2019 on sn-devel-184 + +(cherry picked from commit d65b17c3f7f9959ed95b03cc09e020d7387b7931) +--- + source3/client/smbspool.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c +index ad988eb0df9..36f7f67ca94 100644 +--- a/source3/client/smbspool.c ++++ b/source3/client/smbspool.c +@@ -256,13 +256,15 @@ main(int argc, /* I - Number of command-line arguments */ + + /* + * Find the URI ... +- */ +- if (dev_uri == NULL) { +- env = getenv("DEVICE_URI"); +- if (env != NULL && env[0] != '\0') { +- dev_uri = env; +- } +- } ++ * ++ * The URI in argv[0] is sanitized to remove username/password, so ++ * use DEVICE_URI if available. Otherwise keep the URI already ++ * discovered in argv. ++ */ ++ env = getenv("DEVICE_URI"); ++ if (env != NULL && env[0] != '\0') { ++ dev_uri = env; ++ } + + if (dev_uri == NULL) { + fprintf(stderr, +-- +2.23.0 + diff --git a/SOURCES/samba-4.10-fix_spnego_downgrade.patch b/SOURCES/samba-4.10-fix_spnego_downgrade.patch deleted file mode 100644 index e762571..0000000 --- a/SOURCES/samba-4.10-fix_spnego_downgrade.patch +++ /dev/null 
@@ -1,160 +0,0 @@ -From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 16:31:21 +0300 -Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic - token - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher ---- - auth/gensec/spnego.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index dc73e324d99..97472c26837 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -136,6 +136,7 @@ struct spnego_state { - bool done_mic_check; - - bool simulate_w2k; -+ bool no_optimistic; - - /* - * The following is used to implement -@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi - - spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, - "spnego", "simulate_w2k", false); -+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings, -+ "spnego", -+ "client_no_optimistic", -+ false); - - gensec_security->private_data = spnego_state; - return NT_STATUS_OK; -@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req) - * blob and NT_STATUS_OK. - */ - state->sub.status = NT_STATUS_OK; -+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START && -+ spnego_state->no_optimistic) { -+ /* -+ * Skip optimistic token per conf. 
-+ */ -+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; - } else { - /* - * MORE_PROCESSING_REQUIRED => --- -2.21.0 - - -From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 16:39:43 +0300 -Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher ---- - selftest/knownfail.d/spnego_no_optimistic | 1 + - source4/selftest/tests.py | 4 ++++ - 2 files changed, 5 insertions(+) - create mode 100644 selftest/knownfail.d/spnego_no_optimistic - -diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic -new file mode 100644 -index 00000000000..54f51446be0 ---- /dev/null -+++ b/selftest/knownfail.d/spnego_no_optimistic -@@ -0,0 +1 @@ -+^samba4.smb.spnego.*.no_optimistic -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 34ebe10cd79..d73d426ee3c 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha - plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon") - plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon") - -+# Test SPNEGO without issuing an optimistic token -+opt='--option=spnego:client_no_optimistic=yes' -+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic") -+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, 
'-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic") - - wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""] - --- -2.21.0 - - -From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Wed, 4 Sep 2019 17:04:12 +0300 -Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106 - -Signed-off-by: Isaac Boukris -Reviewed-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184 ---- - auth/gensec/spnego.c | 13 +++++++++++++ - selftest/knownfail.d/spnego_no_optimistic | 1 - - 4 files changed, 13 insertions(+), 4 deletions(-) - delete mode 100644 selftest/knownfail.d/spnego_no_optimistic - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index 97472c26837..ddbe03c5d6b 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step( - spnego_state->mic_requested = true; - } - -+ if (sub_in.length == 0) { -+ spnego_state->no_optimistic = true; -+ } -+ - /* - * Note that 'cur_sec' is temporary memory, but - * cur_sec->oid points to a const string in the -@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req) - * Skip optimistic token per conf. - */ - state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ } else if (spnego_state->state_position == SPNEGO_SERVER_START && -+ state->sub.in.length == 0 && spnego_state->no_optimistic) { -+ /* -+ * If we didn't like the mechanism for which the client sent us -+ * an optimistic token, or if he didn't send any, don't call -+ * the sub mechanism just yet. 
-+ */ -+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED; -+ spnego_state->no_optimistic = false; - } else { - /* - * MORE_PROCESSING_REQUIRED => -diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic -deleted file mode 100644 -index 54f51446be0..00000000000 ---- a/selftest/knownfail.d/spnego_no_optimistic -+++ /dev/null -@@ -1 +0,0 @@ --^samba4.smb.spnego.*.no_optimistic --- -2.21.0 - diff --git a/SOURCES/samba-4.10-net_ads_join_createcomputer.patch b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch new file mode 100644 index 0000000..c196b55 --- /dev/null +++ b/SOURCES/samba-4.10-net_ads_join_createcomputer.patch 
@@ -0,0 +1,48 @@ +From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001 +From: Evgeny Sinelnikov +Date: Wed, 31 Jul 2019 23:17:20 +0400 +Subject: [PATCH] s3:ldap: Fix join with don't exists machine account +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add check for requested replies of existing machine object during join +machine to domain. This solves regression fail during join with error: +"None of the information to be translated has been translated." + +https://bugzilla.samba.org/show_bug.cgi?id=14007 + +Reviewed-by: Guenther Deschner +Reviewed-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184 +--- + source3/libads/ldap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 4f3d43b02b1..2110390b65f 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + } + + ret = ads_find_machine_acct(ads, &res, machine_escaped); +- ads_msgfree(ads, res); +- if (ADS_ERR_OK(ret)) { ++ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { + DBG_DEBUG("Host account for %s already exists.\n", + machine_escaped); + ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); ++ ads_msgfree(ads, res); + goto done; + } ++ ads_msgfree(ads, res); + + new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); +-- +2.21.0 + diff --git a/SOURCES/samba-4.10.4.tar.asc b/SOURCES/samba-4.10.4.tar.asc new file mode 100644 index 0000000..29f805c --- /dev/null +++ b/SOURCES/samba-4.10.4.tar.asc 
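Review bot: `ads_count_replies(ads, res) == 1` treats every other count, including more than one match, the same as "not found", so the code falls through to creating a new account; whether that is intended or should also stop (e.g. `ads_count_replies(ads, res) >= 1`, or a distinct error for an ambiguous result) deserves a comment, since the commit message only discusses the zero-reply regression. The moved `ads_msgfree(ads, res)` now also runs after a failed `ads_find_machine_acct()`, so `res` must be NULL-initialised or set on every return path of that call, which the hunk does not show. `ads_create_machine_acct()` continues outside the hunk.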
@@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- + +iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXOUjjhUcc2FtYmEtYnVn +c0BzYW1iYS5vcmcACgkQbzORW2Vot+oeXQCgkgjBBjMDA7WRd7pl8akT65XmGaAA +n3v79/BJYEuD3vw98M5nW4GBN6C9 +=/Xfk +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch new file mode 100644 index 0000000..61635f8 --- /dev/null +++ b/SOURCES/samba-4.10.6-fix_idmap_tdb2.patch 
@@ -0,0 +1,124 @@
+From 41794e74876f3cba648b18b3f4bdedac9717061e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Thu, 23 May 2019 13:33:21 -0700
+Subject: [PATCH] s3: winbind: Fix crash when invoking winbind idmap scripts.
+
+Previously the private context was caching a pointer to
+a string returned from lp_XXX(). This string can change
+on config file reload. Ensure the string is talloc_strup'ed
+onto the owning context instead.
+
+Reported by Heinrich Mislik
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13956
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Ralph Boehme
+(cherry picked from commit a1f95ba5db6fc017fad35377fbf76c048f2dd8ab)
+---
+ source3/winbindd/idmap_script.c | 20 ++++++++++++++++----
+ source3/winbindd/idmap_tdb2.c | 22 +++++++++++++++++-----
+ 2 files changed, 33 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/idmap_script.c b/source3/winbindd/idmap_script.c
+index 7ad6b806fb8..f382f896b35 100644
+--- a/source3/winbindd/idmap_script.c
++++ b/source3/winbindd/idmap_script.c
+@@ -615,6 +615,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ NTSTATUS ret;
+ struct idmap_script_context *ctx;
+ const char * idmap_script = NULL;
++ const char *ctx_script = NULL;
+
+ DEBUG(10, ("%s called ...\n", __func__));
+
+@@ -625,7 +626,7 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ goto failed;
+ }
+
+- ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ /* Do we even need to handle this? */
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+@@ -634,13 +635,24 @@ static NTSTATUS idmap_script_db_init(struct idmap_domain *dom)
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+- if (strequal(dom->name, "*") && ctx->script == NULL) {
++ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+- ctx->script = idmap_script;
++ ctx_script = idmap_script;
+ }
+
+- if (ctx->script) {
++ if (ctx_script) {
+ DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++ /*
++ * We must ensure this memory is owned by ctx.
++ * The ctx_script const pointer is a pointer into
++ * the config file data and may become invalid
++ * on config file reload. BUG: 13956
++ */
++ ctx->script = talloc_strdup(ctx, ctx_script);
++ if (ctx->script == NULL) {
++ ret = NT_STATUS_NO_MEMORY;
++ goto failed;
++ }
+ }
+
+ dom->private_data = ctx;
+diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
+index b784546bb33..eceab9c0784 100644
+--- a/source3/winbindd/idmap_tdb2.c
++++ b/source3/winbindd/idmap_tdb2.c
+@@ -522,6 +522,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ struct idmap_tdb_common_context *commonctx;
+ struct idmap_tdb2_context *ctx;
+ const char * idmap_script = NULL;
++ const char *ctx_script = NULL;
+
+ commonctx = talloc_zero(dom, struct idmap_tdb_common_context);
+ if(!commonctx) {
+@@ -543,7 +544,7 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ goto failed;
+ }
+
+- ctx->script = idmap_config_const_string(dom->name, "script", NULL);
++ ctx_script = idmap_config_const_string(dom->name, "script", NULL);
+
+ idmap_script = lp_parm_const_string(-1, "idmap", "script", NULL);
+ if (idmap_script != NULL) {
+@@ -551,13 +552,24 @@ static NTSTATUS idmap_tdb2_db_init(struct idmap_domain *dom)
+ " Please use 'idmap config * : script' instead!\n"));
+ }
+
+- if (strequal(dom->name, "*") && ctx->script == NULL) {
++ if (strequal(dom->name, "*") && ctx_script == NULL) {
+ /* fall back to idmap:script for backwards compatibility */
+- ctx->script = idmap_script;
++ ctx_script = idmap_script;
+ }
+
+- if (ctx->script) {
+- DEBUG(1, ("using idmap script '%s'\n", ctx->script));
++ if (ctx_script) {
++ DEBUG(1, ("using idmap script '%s'\n", ctx_script));
++ /*
++ * We must ensure this memory is owned by ctx.
++ * The ctx_script const pointer is a pointer into
++ * the config file data and may become invalid
++ * on config file reload. BUG: 13956
++ */
++ ctx->script = talloc_strdup(ctx, ctx_script);
++ if (ctx->script == NULL) {
++ ret = NT_STATUS_NO_MEMORY;
++ goto failed;
++ }
+ }
+
+ commonctx->max_id = dom->high_id;
+--
+2.22.0.rc1.257.g3120a18244-goog
+
diff --git a/SOURCES/samba-4.9-CVE-2019-3880.patch b/SOURCES/samba-4.9-CVE-2019-3880.patch
deleted file mode 100644
index eded5d9..0000000
--- a/SOURCES/samba-4.9-CVE-2019-3880.patch
+++ /dev/null
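Review bot: In the idmap_script.c part of this patch the unchanged context line `DEBUG(1, ("using idmap script '%s'\n", ctx->script));` now executes before `ctx->script = talloc_strdup(ctx, ctx_script);`, so it logs the field that has not been assigned yet — NULL if ctx was zero-allocated (its allocation is outside the shown context), an uninitialised pointer otherwise — rather than the configured script path. The idmap_tdb2.c part of the same patch already switched that message to the local, and the idmap_script.c hunk should match it: `DEBUG(1, ("using idmap script '%s'\n", ctx_script));`. It is only a level-1 debug line, but passing NULL to `%s` is undefined behaviour on a libc that does not special-case it, so a winbindd start with "idmap config * : script" set could fault in logging instead of after it. Both idmap_script_db_init and idmap_tdb2_db_init begin and end outside their inner hunks.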
@@ -1,151 +0,0 @@ -From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 21 Mar 2019 14:51:30 -0700 -Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of - SaveKey/RestoreKey. - -The were not using VFS backend calls and could only work -locally, and were unsafe against symlink races and other -security issues. - -If the incoming handle is valid, return WERR_BAD_PATHNAME. - -[MS-RRP] states "The format of the file name is implementation-specific" -so ensure we don't allow this. - -As reported by Michael Hanselmann. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andrew Bartlett ---- - source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++----------------------------- - 1 file changed, 4 insertions(+), 88 deletions(-) - -diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c -index d9ee8d0602d..816c6bb2a12 100644 ---- a/source3/rpc_server/winreg/srv_winreg_nt.c -+++ b/source3/rpc_server/winreg/srv_winreg_nt.c -@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p, - } - - /******************************************************************* -- ********************************************************************/ -- --static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) --{ -- char *p = NULL; -- int num_services = lp_numservices(); -- int snum = -1; -- const char *share_path = NULL; -- char *fname = *pp_fname; -- -- /* convert to a unix path, stripping the C:\ along the way */ -- -- if (!(p = valid_share_pathname(ctx, fname))) { -- return -1; -- } -- -- /* has to exist within a valid file share */ -- -- for (snum=0; snumin.handle ); -- char *fname = NULL; -- int snum = -1; - -- if ( !regkey ) -+ if ( !regkey ) { - return WERR_INVALID_HANDLE; -- -- if ( !r->in.filename || !r->in.filename->name ) -- return WERR_INVALID_PARAMETER; -- -- fname = 
talloc_strdup(p->mem_ctx, r->in.filename->name); -- if (!fname) { -- return WERR_NOT_ENOUGH_MEMORY; - } -- -- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from " -- "\"%s\"\n", regkey->key->name, fname)); -- -- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1) -- return WERR_BAD_PATHNAME; -- -- /* user must posses SeRestorePrivilege for this this proceed */ -- -- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) { -- return WERR_ACCESS_DENIED; -- } -- -- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", -- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); -- -- return reg_restorekey(regkey, fname); -+ return WERR_BAD_PATHNAME; - } - - /******************************************************************* -@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p, - struct winreg_SaveKey *r) - { - struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); -- char *fname = NULL; -- int snum = -1; - -- if ( !regkey ) -+ if ( !regkey ) { - return WERR_INVALID_HANDLE; -- -- if ( !r->in.filename || !r->in.filename->name ) -- return WERR_INVALID_PARAMETER; -- -- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); -- if (!fname) { -- return WERR_NOT_ENOUGH_MEMORY; - } -- -- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n", -- regkey->key->name, fname)); -- -- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 ) -- return WERR_BAD_PATHNAME; -- -- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", -- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); -- -- return reg_savekey(regkey, fname); -+ return WERR_BAD_PATHNAME; - } - - /******************************************************************* --- -2.11.0 - diff --git a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch b/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch deleted file mode 100644 index 08c88a1..0000000 
--- a/SOURCES/samba-4.9-add_smbc_setOptionProtocols.patch
+++ /dev/null
@@ -1,280 +0,0 @@ -From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 4 Sep 2018 15:48:03 +0200 -Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6) ---- - source3/include/libsmbclient.h | 19 ++- - source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++ - source3/libsmb/libsmb_setget.c | 18 +++ - source3/libsmb/wscript | 2 +- - 4 files changed, 222 insertions(+), 2 deletions(-) - create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs - -diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h -index ca5c7f87f71..5e4a1715402 100644 ---- a/source3/include/libsmbclient.h -+++ b/source3/include/libsmbclient.h -@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c); - void - smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b); - -- -+/** -+ * @brief Set the 'client min protocol' and the 'client max protocol'. -+ * -+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max -+ * protocol' set in the smb.conf file! -+ * -+ * @param[in] c The smbc context to use. -+ * -+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it -+ * untouched. -+ * -+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it -+ * untouched. 
-+ * -+ * @returns true for success, false otherwise -+ */ -+smbc_bool -+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto); - - /************************************* - * Getters and setters for FUNCTIONS * -diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs -new file mode 100644 -index 00000000000..b4245979c24 ---- /dev/null -+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs -@@ -0,0 +1,185 @@ -+smbc_chmod: int (const char *, mode_t) -+smbc_close: int (int) -+smbc_closedir: int (int) -+smbc_creat: int (const char *, mode_t) -+smbc_fgetxattr: int (int, const char *, const void *, size_t) -+smbc_flistxattr: int (int, char *, size_t) -+smbc_free_context: int (SMBCCTX *, int) -+smbc_fremovexattr: int (int, const char *) -+smbc_fsetxattr: int (int, const char *, const void *, size_t, int) -+smbc_fstat: int (int, struct stat *) -+smbc_fstatvfs: int (int, struct statvfs *) -+smbc_ftruncate: int (int, off_t) -+smbc_getDebug: int (SMBCCTX *) -+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *) -+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *) -+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *) -+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *) -+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *) -+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *) -+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *) -+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *) -+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *) -+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *) -+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *) -+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *) -+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *) -+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *) -+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *) -+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *) 
-+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *) -+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *) -+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *) -+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *) -+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *) -+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *) -+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *) -+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *) -+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *) -+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *) -+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *) -+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *) -+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *) -+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *) -+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *) -+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *) -+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *) -+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *) -+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *) -+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *) -+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *) -+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *) -+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *) -+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *) -+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *) -+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *) -+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *) -+smbc_getNetbiosName: const char *(SMBCCTX *) -+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *) -+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *) -+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *) -+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *) -+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *) -+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *) -+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *) 
-+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *) -+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *) -+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *) -+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *) -+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *) -+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *) -+smbc_getOptionUserData: void *(SMBCCTX *) -+smbc_getPort: uint16_t (SMBCCTX *) -+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *) -+smbc_getTimeout: int (SMBCCTX *) -+smbc_getUser: const char *(SMBCCTX *) -+smbc_getWorkgroup: const char *(SMBCCTX *) -+smbc_getdents: int (unsigned int, struct smbc_dirent *, int) -+smbc_getxattr: int (const char *, const char *, const void *, size_t) -+smbc_init: int (smbc_get_auth_data_fn, int) -+smbc_init_context: SMBCCTX *(SMBCCTX *) -+smbc_lgetxattr: int (const char *, const char *, const void *, size_t) -+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn) -+smbc_listxattr: int (const char *, char *, size_t) -+smbc_llistxattr: int (const char *, char *, size_t) -+smbc_lremovexattr: int (const char *, const char *) -+smbc_lseek: off_t (int, off_t, int) -+smbc_lseekdir: int (int, off_t) -+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int) -+smbc_mkdir: int (const char *, mode_t) -+smbc_new_context: SMBCCTX *(void) -+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *) -+smbc_open: int (const char *, int, mode_t) -+smbc_open_print_job: int (const char *) -+smbc_opendir: int (const char *) -+smbc_option_get: void *(SMBCCTX *, char *) -+smbc_option_set: void (SMBCCTX *, char *, ...) 
-+smbc_print_file: int (const char *, const char *) -+smbc_read: ssize_t (int, void *, size_t) -+smbc_readdir: struct smbc_dirent *(unsigned int) -+smbc_readdirplus: const struct libsmb_file_info *(unsigned int) -+smbc_removexattr: int (const char *, const char *) -+smbc_rename: int (const char *, const char *) -+smbc_rmdir: int (const char *) -+smbc_setConfiguration: int (SMBCCTX *, const char *) -+smbc_setDebug: void (SMBCCTX *, int) -+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn) -+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn) -+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn) -+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn) -+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn) -+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn) -+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn) -+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn) -+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn) -+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn) -+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn) -+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn) -+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn) -+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn) -+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn) -+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn) -+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn) -+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn) -+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn) -+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn) -+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn) -+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn) -+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn) -+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn) 
-+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn) -+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn) -+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn) -+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn) -+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn) -+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn) -+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn) -+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn) -+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn) -+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn) -+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn) -+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn) -+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn) -+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn) -+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn) -+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn) -+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn) -+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn) -+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn) -+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn) -+smbc_setNetbiosName: void (SMBCCTX *, const char *) -+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int) -+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool) -+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool) -+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool) -+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool) -+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool) -+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool) -+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode) -+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *) -+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, 
smbc_smb_encrypt_level) -+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool) -+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool) -+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool) -+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool) -+smbc_setOptionUserData: void (SMBCCTX *, void *) -+smbc_setPort: void (SMBCCTX *, uint16_t) -+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *) -+smbc_setTimeout: void (SMBCCTX *, int) -+smbc_setUser: void (SMBCCTX *, const char *) -+smbc_setWorkgroup: void (SMBCCTX *, const char *) -+smbc_set_context: SMBCCTX *(SMBCCTX *) -+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *) -+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *) -+smbc_setxattr: int (const char *, const char *, const void *, size_t, int) -+smbc_stat: int (const char *, struct stat *) -+smbc_statvfs: int (char *, struct statvfs *) -+smbc_telldir: off_t (int) -+smbc_unlink: int (const char *) -+smbc_unlink_print_job: int (const char *, int) -+smbc_urldecode: int (char *, char *, size_t) -+smbc_urlencode: int (char *, char *, int) -+smbc_utime: int (const char *, struct utimbuf *) -+smbc_utimes: int (const char *, struct timeval *) -+smbc_version: const char *(void) -+smbc_write: ssize_t (int, const void *, size_t) -diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c -index 60b822a395c..b1c4ff3b557 100644 ---- a/source3/libsmb/libsmb_setget.c -+++ b/source3/libsmb/libsmb_setget.c -@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b) - } - } - -+smbc_bool -+smbc_setOptionProtocols(SMBCCTX *c, -+ const char *min_proto, -+ const char *max_proto) -+{ -+ bool ok = true; -+ -+ if (min_proto != NULL) { -+ ok = lp_set_cmdline("client min protocol", min_proto); -+ } -+ -+ if (max_proto != NULL) { -+ ok &= lp_set_cmdline("client min protocol", max_proto); -+ } -+ -+ return ok; -+} -+ - /** Get the function 
for obtaining authentication data */ - smbc_get_auth_data_fn - smbc_getFunctionAuthData(SMBCCTX *c) -diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript -index 5482aea7d9c..298afc3c0e3 100644 ---- a/source3/libsmb/wscript -+++ b/source3/libsmb/wscript -@@ -27,5 +27,5 @@ def build(bld): - public_headers='../include/libsmbclient.h', - abi_directory='ABI', - abi_match='smbc_*', -- vnum='0.4.0', -+ vnum='0.5.0', - pc_files='smbclient.pc') --- -2.19.2 - diff --git a/SOURCES/samba-4.9-disable_netbios.patch b/SOURCES/samba-4.9-disable_netbios.patch deleted file mode 100644 index 4191502..0000000 --- a/SOURCES/samba-4.9-disable_netbios.patch +++ /dev/null 
@@ -1,252 +0,0 @@ -From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Thu, 3 Jan 2019 12:07:01 -0500 -Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect - -If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED -for a port 139 connection in the low level socket connection code. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 - -Signed-off-by: Justin Stephenson -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9) ---- - source3/libsmb/smbsock_connect.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c -index 9f915e1bb42..bb3cb07646c 100644 ---- a/source3/libsmb/smbsock_connect.c -+++ b/source3/libsmb/smbsock_connect.c -@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, - tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup); - - if (port == NBT_SMB_PORT) { -+ if (lp_disable_netbios()) { -+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED); -+ return tevent_req_post(req, ev); -+ } -+ - state->req_139 = nb_connect_send(state, state->ev, state->addr, - state->called_name, - state->called_type, --- -2.20.1 - - -From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 17 Dec 2018 14:40:33 -0500 -Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios - -With a preceding patch, cli_connect_nb() will return -NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. - -Print an informative error message to indicate Netbios is disabled -if this occurs. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 - -Signed-off-by: Justin Stephenson -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b) ---- - source3/libsmb/clidfs.c | 10 +++++++--- - source3/libsmb/libsmb_server.c | 4 ++++ - 2 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c -index 0dfb8b33606..4342a3b1d1b 100644 ---- a/source3/libsmb/clidfs.c -+++ b/source3/libsmb/clidfs.c -@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, - flags, &c); - - if (!NT_STATUS_IS_OK(status)) { -- d_printf("Connection to %s failed (Error %s)\n", -- server, -- nt_errstr(status)); -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { -+ DBG_ERR("NetBIOS support disabled, unable to connect"); -+ } -+ -+ DBG_WARNING("Connection to %s failed (Error %s)\n", -+ server, -+ nt_errstr(status)); - return status; - } - -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c -index 67dfcf72327..0067df48cac 100644 ---- a/source3/libsmb/libsmb_server.c -+++ b/source3/libsmb/libsmb_server.c -@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx, - } - - if (!NT_STATUS_IS_OK(status)) { -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { -+ DBG_ERR("NetBIOS support disabled, unable to connect"); -+ } -+ - errno = map_errno_from_nt_status(status); - return NULL; - } --- -2.20.1 - - -From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 17 Dec 2018 14:57:59 -0500 -Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios - -With a preceding patch, cli_connect_nb() will return -NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. - -Print an informative error message to indicate Netbios is disabled -if this occurs. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 - -Signed-off-by: Justin Stephenson -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098) ---- - source3/libsmb/passchange.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c -index 48ffba8036f..f60e3079975 100644 ---- a/source3/libsmb/passchange.c -+++ b/source3/libsmb/passchange.c -@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine, - result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL, - SMB_SIGNING_IPC_DEFAULT, 0, &cli); - if (!NT_STATUS_IS_OK(result)) { -- if (asprintf(err_str, "Unable to connect to SMB server on " -- "machine %s. Error was : %s.\n", -- remote_machine, nt_errstr(result))==-1) { -- *err_str = NULL; -+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) { -+ if (asprintf(err_str, "Unable to connect to SMB server on " -+ "machine %s. NetBIOS support disabled\n", -+ remote_machine) == -1) { -+ *err_str = NULL; -+ } -+ } else { -+ if (asprintf(err_str, "Unable to connect to SMB server on " -+ "machine %s. Error was : %s.\n", -+ remote_machine, nt_errstr(result))==-1) { -+ *err_str = NULL; -+ } - } - return result; - } --- -2.20.1 - - -From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 17 Dec 2018 15:17:24 -0500 -Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios - -With a preceding patch, cli_connect_nb() will return -NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. - -Print an informative error message to indicate Netbios is disabled -if this occurs. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 - -Signed-off-by: Justin Stephenson -Reviewed-by: Noel Power -Reviewed-by: Jeremy Allison -(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397) ---- - source3/utils/net_rpc.c | 3 +++ - source3/utils/net_time.c | 9 +++++++-- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c -index 67fff2f4d1b..91ad90f9594 100644 ---- a/source3/utils/net_rpc.c -+++ b/source3/utils/net_rpc.c -@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags) - lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT, - 0, &cli); - if (!NT_STATUS_IS_OK(status)) { -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { -+ DBG_ERR("NetBIOS support disabled, unable to connect\n"); -+ } - return false; - } - status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE, -diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c -index 0091fc86333..5e6cf2ea15d 100644 ---- a/source3/utils/net_time.c -+++ b/source3/utils/net_time.c -@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host, - status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(), - SMB_SIGNING_DEFAULT, 0, &cli); - if (!NT_STATUS_IS_OK(status)) { -- fprintf(stderr, _("Can't contact server %s. Error %s\n"), -- host, nt_errstr(status)); -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { -+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled," -+ " Error %s\n", host, nt_errstr(status)); -+ } else { -+ fprintf(stderr, "Can't contact server %s. 
Error %s\n", -+ host, nt_errstr(status)); -+ } - goto done; - } - --- -2.20.1 - - -From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 14 Jan 2019 10:36:47 -0500 -Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in - smbsock_connect_send - -If disable_netbios is set, return before the tevent timer is triggered -to prevent outgoing netbios connections. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 - -Signed-off-by: Justin Stephenson -Reviewed-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8) ---- - source3/libsmb/smbsock_connect.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c -index bb3cb07646c..be52b9a4f79 100644 ---- a/source3/libsmb/smbsock_connect.c -+++ b/source3/libsmb/smbsock_connect.c -@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, - tevent_req_set_callback(state->req_445, smbsock_connect_connected, - req); - -+ /* -+ * Check for disable_netbios -+ */ -+ if (lp_disable_netbios()) { -+ return req; -+ } -+ - /* - * After 5 msecs, fire the 139 (NBT) request - */ --- -2.20.1 - diff --git a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch b/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch deleted file mode 100644 index 748a515..0000000 --- a/SOURCES/samba-4.9-doc_smbclient_max_protocol.patch +++ /dev/null 
@@ -1,37 +0,0 @@
-From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Fri, 22 Mar 2019 14:39:11 +0100
-Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
-
-We default to SMB3 now.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Alexander Bokovoy
-Reviewed-by: Ralph Boehme
-(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
----
- docs-xml/manpages/smbclient.1.xml | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index e71a21a95e3..e25f7d3517b 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -261,9 +261,9 @@
- This allows the user to select the
- highest SMB protocol level that smbclient will use to
- connect to the server. By default this is set to
-- NT1, which is the highest available SMB1 protocol.
-- To connect using SMB2 or SMB3 protocol, use the
-- strings SMB2 or SMB3 respectively. Note that to connect
-+ highest available SMB3 protocol version.
-+ To connect using SMB2 or SMB1 protocol, use the
-+ strings SMB2 or NT1 respectively. Note that to connect
- to a Windows 2012 server with encrypted transport selecting
- a max-protocol of SMB3 is required.
-
---
-2.21.0
-
diff --git a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch b/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
deleted file mode 100644
index 18aad34..0000000
--- a/SOURCES/samba-4.9-fix_builtin_groups_creation.patch
+++ /dev/null
@@ -1,52 +0,0 @@ -From 1e8931dfc24a2576a3b1fe9115c4ccbfefbbd298 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 19 Dec 2018 09:38:33 +0100 -Subject: [PATCH] s3:auth: ignore create_builtin_guests() failing without a - valid idmap configuration - -This happens on standalone servers, where winbindd is automatically -started by init scripts if it's installed. But it's not really -used and may not have a valid idmap configuration ( -"idmap config * : range" has no default!) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Alexander Bokovoy -(cherry picked from commit 865538fabaea33741f5fa542dbc3f2e08308c2c1) ---- - source3/auth/token_util.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index f5b0e6944335..ee38d6c9645b 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -745,7 +745,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result, - status = create_builtin_guests(domain_sid); - unbecome_root(); - -- if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { -+ /* -+ * NT_STATUS_PROTOCOL_UNREACHABLE: -+ * => winbindd is not running. -+ * -+ * NT_STATUS_ACCESS_DENIED: -+ * => no idmap config at all -+ * and wbint_AllocateGid()/winbind_allocate_gid() -+ * failed. -+ * -+ * NT_STATUS_NO_SUCH_GROUP: -+ * => no idmap config at all and -+ * "tdbsam:map builtin = no" means -+ * wbint_Sids2UnixIDs() fails. -+ */ -+ if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) || -+ NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) || -+ NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) { - /* - * Add BUILTIN\Guests directly to token. - * But only if the token already indicates --- -2.17.1 - diff --git a/SOURCES/samba-4.9-fix_cups_printing.patch b/SOURCES/samba-4.9-fix_cups_printing.patch deleted file mode 100644 index 80da965..0000000 
--- a/SOURCES/samba-4.9-fix_cups_printing.patch +++ /dev/null 
@@ -1,1094 +0,0 @@ -From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:55:49 +0200 -Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups - -This is required to access files in /var/spool/cups which have been -temporarily created in there by CUPS. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6086efb6808089c431e7307fa239924bfda1185b) ---- - source3/client/smbspool_krb5_wrapper.c | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 5c4da33238b..e6684fc0d0c 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -82,6 +82,7 @@ int main(int argc, char *argv[]) - { - char smbspool_cmd[PATH_MAX] = {0}; - struct passwd *pwd; -+ struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; - struct stat sb; - char *env = NULL; -@@ -89,6 +90,7 @@ int main(int argc, char *argv[]) - char device_uri[4096] = {0}; - uid_t uid = (uid_t)-1; - gid_t gid = (gid_t)-1; -+ gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; - int cmp; - int rc; -@@ -176,6 +178,26 @@ int main(int argc, char *argv[]) - return CUPS_BACKEND_FAILED; - } - -+ /* -+ * We need the primary group of the 'lp' user. This is needed to access -+ * temporary files in /var/spool/cups/. 
-+ */ -+ g = getgrnam("lp"); -+ if (g == NULL) { -+ CUPS_SMB_ERROR("Failed to find user 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ -+ CUPS_SMB_DEBUG("Adding group 'lp' (%u)", g->gr_gid); -+ groups[0] = g->gr_gid; -+ rc = setgroups(sizeof(groups), groups); -+ if (rc != 0) { -+ CUPS_SMB_ERROR("Failed to set groups for 'lp' - %s", -+ strerror(errno)); -+ return CUPS_BACKEND_FAILED; -+ } -+ - CUPS_SMB_DEBUG("Switching to gid=%d", gid); - rc = setgid(gid); - if (rc != 0) { --- -2.21.0 - - -From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 13:41:02 +0200 -Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate - with - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 42492d547661cb7a98c237b32d42ee93de35aba5) ---- - source3/client/smbspool.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index c404b3a3f69..78c13b9ebdb 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) { - return false; - } else { - krb5_principal default_princ = NULL; -+ char *princ_name = NULL; - - code = krb5_cc_get_principal(ctx, - ccache, -@@ -621,6 +622,16 @@ static bool kerberos_ccache_is_valid(void) { - krb5_free_context(ctx); - return false; - } -+ -+ code = krb5_unparse_name(ctx, -+ default_princ, -+ &princ_name); -+ if (code == 0) { -+ fprintf(stderr, -+ "DEBUG: Try to authenticate as %s\n", -+ princ_name); -+ krb5_free_unparsed_name(ctx, princ_name); -+ } - krb5_free_principal(ctx, default_princ); - } - krb5_cc_close(ctx, ccache); --- -2.21.0 - - -From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 14:25:00 +0200 -Subject: [PATCH 3/9] s3:smbspool: Add 
debug for finding KRB5CCNAME - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3632bfef25e471075886eb7aecddd4cc260db8ba) ---- - source3/client/smbspool_krb5_wrapper.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index e6684fc0d0c..2cdcd372ec6 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -219,10 +219,14 @@ int main(int argc, char *argv[]) - env = getenv("KRB5CCNAME"); - if (env != NULL && env[0] != 0) { - snprintf(gen_cc, sizeof(gen_cc), "%s", env); -+ CUPS_SMB_DEBUG("User already set KRB5CCNAME [%s] as ccache", -+ gen_cc); - - goto create_env; - } - -+ CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -+ - snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); - - rc = lstat(gen_cc, &sb); --- -2.21.0 - - -From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:10:57 +0200 -Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit be596ce3d2455bd49a8ebd311d8c764c37852858) ---- - source3/client/smbspool_krb5_wrapper.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 2cdcd372ec6..3266b90ec1a 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -227,13 +227,13 @@ int main(int argc, char *argv[]) - - CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); - -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); - - rc = lstat(gen_cc, 
&sb); - if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%d", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); - } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%d/krb5cc", uid); -+ snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); - - rc = lstat(gen_cc, &sb); - if (rc == 0 && S_ISDIR(sb.st_mode)) { --- -2.21.0 - - -From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 17:40:43 +0200 -Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is - not set - -This could also support the new KCM credential cache storage. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 6bbdf69e406916107400e2cabdbc831e2a2bbee3) ---- - source3/client/smbspool_krb5_wrapper.c | 79 ++++++++++++++++++-------- - source3/wscript_build | 1 + - 2 files changed, 55 insertions(+), 25 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index 3266b90ec1a..bff1df417e8 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -21,6 +21,7 @@ - - #include "includes.h" - #include "system/filesys.h" -+#include "system/kerberos.h" - #include "system/passwd.h" - - #include -@@ -68,6 +69,50 @@ static void cups_smb_debug(enum cups_smb_dbglvl_e lvl, const char *format, ...) 
- buffer); - } - -+static bool kerberos_get_default_ccache(char *ccache_buf, size_t len) -+{ -+ krb5_context ctx; -+ const char *ccache_name = NULL; -+ char *full_ccache_name = NULL; -+ krb5_ccache ccache = NULL; -+ krb5_error_code code; -+ -+ code = krb5_init_context(&ctx); -+ if (code != 0) { -+ return false; -+ } -+ -+ ccache_name = krb5_cc_default_name(ctx); -+ if (ccache_name == NULL) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_resolve(ctx, ccache_name, &ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ code = krb5_cc_get_full_name(ctx, ccache, &full_ccache_name); -+ krb5_cc_close(ctx, ccache); -+ if (code != 0) { -+ krb5_free_context(ctx); -+ return false; -+ } -+ -+ snprintf(ccache_buf, len, "%s", full_ccache_name); -+ -+#ifdef SAMBA4_USES_HEIMDAL -+ free(full_ccache_name); -+#else -+ krb5_free_string(ctx, full_ccache_name); -+#endif -+ krb5_free_context(ctx); -+ -+ return true; -+} -+ - /* - * This is a helper binary to execute smbspool. 
- * -@@ -84,7 +129,6 @@ int main(int argc, char *argv[]) - struct passwd *pwd; - struct group *g = NULL; - char gen_cc[PATH_MAX] = {0}; -- struct stat sb; - char *env = NULL; - char auth_info_required[256] = {0}; - char device_uri[4096] = {0}; -@@ -92,6 +136,7 @@ int main(int argc, char *argv[]) - gid_t gid = (gid_t)-1; - gid_t groups[1] = { (gid_t)-1 }; - unsigned long tmp; -+ bool ok; - int cmp; - int rc; - -@@ -225,32 +270,16 @@ int main(int argc, char *argv[]) - goto create_env; - } - -- CUPS_SMB_DEBUG("Trying to guess KRB5CCNAME (FILE, DIR, KEYRING)"); -- -- snprintf(gen_cc, sizeof(gen_cc), "/tmp/krb5cc_%u", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0) { -- snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -- } else { -- snprintf(gen_cc, sizeof(gen_cc), "/run/user/%u/krb5cc", uid); -- -- rc = lstat(gen_cc, &sb); -- if (rc == 0 && S_ISDIR(sb.st_mode)) { -- snprintf(gen_cc, -- sizeof(gen_cc), -- "DIR:/run/user/%d/krb5cc", -- uid); -- } else { --#if defined(__linux__) -- snprintf(gen_cc, -- sizeof(gen_cc), -- "KEYRING:persistent:%d", -- uid); --#endif -- } -+ ok = kerberos_get_default_ccache(gen_cc, sizeof(gen_cc)); -+ if (ok) { -+ CUPS_SMB_DEBUG("Use default KRB5CCNAME [%s]", -+ gen_cc); -+ goto create_env; - } - -+ /* Fallback to a FILE ccache */ -+ snprintf(gen_cc, sizeof(gen_cc), "FILE:/tmp/krb5cc_%u", uid); -+ - create_env: - /* - * Make sure we do not have LD_PRELOAD or other security relevant -diff --git a/source3/wscript_build b/source3/wscript_build -index bbcfc72a714..a601ab4e9b1 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', - deps=''' - DYNCONFIG - cups -+ krb5 - ''', - install_path='${LIBEXECDIR}/samba', - enabled=bld.CONFIG_SET('HAVE_CUPS')) --- -2.21.0 - - -From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 16:48:31 +0200 -Subject: [PATCH 6/9] s3:smbspool: Print the filename we 
failed to open - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 281274572bcc3125fe6026a01ef7bf7ef584a0dd) ---- - source3/client/smbspool.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 78c13b9ebdb..805ad88b88d 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */ - - fp = fopen(print_file, "rb"); - if (fp == NULL) { -- perror("ERROR: Unable to open print file"); -+ fprintf(stderr, -+ "ERROR: Unable to open print file: %s", -+ print_file); - goto done; - } - --- -2.21.0 - - -From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 May 2019 18:54:02 +0200 -Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos - -If username and password is given, then fallback to NTLM. However try -kinit first. Also we correctly handle NULL passwords in the meantime and -this makes it easier to deal with issues. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 3d719a1f85db8e423dc3a4116a2228961d5ac48d) ---- - source3/client/smbspool.c | 90 ++++++++++++++++++++++----------------- - 1 file changed, 51 insertions(+), 39 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 805ad88b88d..d336cd08209 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */ - int port; /* Port number */ - char uri[1024], /* URI */ - *sep, /* Pointer to separator */ -- *tmp, *tmp2, /* Temp pointers to do escaping */ -- *password; /* Password */ -+ *tmp, *tmp2; /* Temp pointers to do escaping */ -+ const char *password = NULL; /* Password */ - char *username, /* Username */ - *server, /* Server name */ - *printer;/* Printer name */ -@@ -292,8 +292,6 @@ main(int argc, /* I - Number of command-line arguments */ - if ((tmp2 = strchr_m(tmp, ':')) != NULL) { - *tmp2++ = '\0'; - password = uri_unescape_alloc(tmp2); -- } else { -- password = empty_str; - } - username = uri_unescape_alloc(tmp); - } else { -@@ -301,14 +299,15 @@ main(int argc, /* I - Number of command-line arguments */ - username = empty_str; - } - -- if ((password = getenv("AUTH_PASSWORD")) == NULL) { -- password = empty_str; -+ env = getenv("AUTH_PASSWORD"); -+ if (env != NULL && strlen(env) > 0) { -+ password = env; - } - - server = uri + 6; - } - -- if (password != empty_str) { -+ if (password != NULL) { - auth_info_required = "username,password"; - } - -@@ -513,6 +512,7 @@ smb_complete_connection(const char *myname, - NTSTATUS nt_status; - struct cli_credentials *creds = NULL; - bool use_kerberos = false; -+ bool fallback_after_kerberos = false; - - /* Start the SMB connection */ - *need_auth = false; -@@ -523,27 +523,21 @@ smb_complete_connection(const char *myname, - return NULL; - } - -- /* -- * We pretty 
much guarantee password must be valid or a pointer to a -- * 0 char. -- */ -- if (!password) { -- *need_auth = true; -- return NULL; -- } -- - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -- auth_info_required = "negotiate"; - use_kerberos = true; - } - -+ if (flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) { -+ fallback_after_kerberos = true; -+ } -+ - creds = cli_session_creds_init(cli, - username, - workgroup, - NULL, /* realm */ - password, - use_kerberos, -- false, /* fallback_after_kerberos */ -+ fallback_after_kerberos, - false, /* use_ccache */ - false); /* password_is_nt_hash */ - if (creds == NULL) { -@@ -659,6 +653,10 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - struct cli_state *cli; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; -+ int flags = CLI_FULL_CONNECTION_USE_KERBEROS; -+ bool use_kerberos = false; -+ const char *user = username; -+ int cmp; - - /* - * Get the names and addresses of the client and server... -@@ -668,42 +666,56 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - return NULL; - } - -- /* -- * See if we have a username first. 
This is for backwards compatible -- * behavior with 3.0.14a -- */ - -- if (username == NULL || username[0] == '\0') { -- if (kerberos_ccache_is_valid()) { -- goto kerberos_auth; -+ cmp = strcmp(auth_info_required, "negotiate"); -+ if (cmp == 0) { -+ if (!kerberos_ccache_is_valid()) { -+ return NULL; - } -+ user = jobusername; -+ -+ use_kerberos = true; -+ fprintf(stderr, -+ "DEBUG: Try to connect using Kerberos ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "username,password"); -+ if (cmp == 0) { -+ if (username == NULL || username[0] == '\0') { -+ return NULL; -+ } -+ -+ /* Fallback to NTLM */ -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ -+ fprintf(stderr, -+ "DEBUG: Try to connect using username/password ...\n"); -+ } -+ -+ cmp = strcmp(auth_info_required, "none"); -+ if (cmp == 0) { -+ fprintf(stderr, -+ "DEBUG: This backend doesn't support none auth ...\n"); -+ return NULL; - } - - cli = smb_complete_connection(myname, - server, - port, -- username, -+ user, - password, - workgroup, - share, -- 0, -+ flags, - need_auth); - if (cli != NULL) { -- fputs("DEBUG: Connected with username/password...\n", stderr); -+ fprintf(stderr, "DEBUG: SMB connection established.\n"); - return (cli); - } - --kerberos_auth: -- /* -- * Try to use the user kerberos credentials (if any) to authenticate -- */ -- cli = smb_complete_connection(myname, server, port, jobusername, "", -- workgroup, share, -- CLI_FULL_CONNECTION_USE_KERBEROS, need_auth); -- -- if (cli) { -- fputs("DEBUG: Connected using Kerberos...\n", stderr); -- return (cli); -+ if (!use_kerberos) { -+ fprintf(stderr, "ERROR: SMB connection failed!\n"); -+ return NULL; - } - - /* give a chance for a passwordless NTLMSSP session setup */ --- -2.21.0 - - -From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 16 May 2019 18:24:32 +0200 -Subject: [PATCH 8/9] s3:smbspool: Add debug messages to - kerberos_ccache_is_valid() - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 93acd880801524c5e621df7b5bf5ad650f93cec3) ---- - source3/client/smbspool.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index d336cd08209..221c50af196 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) { - - ccache_name = krb5_cc_default_name(ctx); - if (ccache_name == NULL) { -+ DBG_ERR("Failed to get default ccache name\n"); -+ krb5_free_context(ctx); - return false; - } - - code = krb5_cc_resolve(ctx, ccache_name, &ccache); - if (code != 0) { -+ DBG_ERR("Failed to resolve ccache name: %s\n", -+ ccache_name); - krb5_free_context(ctx); - return false; - } else { -@@ -614,6 +618,9 @@ static bool kerberos_ccache_is_valid(void) { - ccache, - &default_princ); - if (code != 0) { -+ DBG_ERR("Failed to get default principal from " -+ "ccache: %s\n", -+ ccache_name); - krb5_cc_close(ctx, ccache); - krb5_free_context(ctx); - return false; --- -2.21.0 - - -From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 14 May 2019 11:35:46 +0200 -Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes - -This allows us to simplify some code and return better errors. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit d9af3dc02e98a3eb22441dfbdeddbaca0af078ea) ---- - source3/client/smbspool.c | 250 ++++++++++++++++++++++---------------- - 1 file changed, 145 insertions(+), 105 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 221c50af196..5ab286cd3e9 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -60,12 +60,27 @@ - * Local functions... 
- */ - --static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); -+static int get_exit_code(NTSTATUS nt_status); - static void list_devices(void); --static struct cli_state *smb_complete_connection(const char *, const char *, -- int, const char *, const char *, const char *, const char *, int, bool *need_auth); --static struct cli_state *smb_connect(const char *, const char *, int, const -- char *, const char *, const char *, const char *, bool *need_auth); -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, -+ const char *server, -+ int port, -+ const char *username, -+ const char *password, -+ const char *workgroup, -+ const char *share, -+ int flags); -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, -+ const char *server, -+ const int port, -+ const char *share, -+ const char *username, -+ const char *password, -+ const char *jobusername); - static int smb_print(struct cli_state *, const char *, FILE *); - static char *uri_unescape_alloc(const char *); - #if 0 -@@ -89,16 +104,15 @@ main(int argc, /* I - Number of command-line arguments */ - *sep, /* Pointer to separator */ - *tmp, *tmp2; /* Temp pointers to do escaping */ - const char *password = NULL; /* Password */ -- char *username, /* Username */ -- *server, /* Server name */ -+ const char *username = NULL; /* Username */ -+ char *server, /* Server name */ - *printer;/* Printer name */ - const char *workgroup; /* Workgroup */ - FILE *fp; /* File to print */ - int status = 1; /* Status of LPD job */ -- struct cli_state *cli; /* SMB interface */ -- char empty_str[] = ""; -+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; -+ struct cli_state *cli = NULL; /* SMB interface */ - int tries = 0; -- bool need_auth = true; - const char *dev_uri = NULL; - const char *env = NULL; - const char *config_file = NULL; -@@ -295,8 +309,9 @@ main(int argc, /* I - Number of command-line arguments */ - } - username = 
uri_unescape_alloc(tmp); - } else { -- if ((username = getenv("AUTH_USERNAME")) == NULL) { -- username = empty_str; -+ env = getenv("AUTH_USERNAME"); -+ if (env != NULL && strlen(env) > 0) { -+ username = env; - } - - env = getenv("AUTH_PASSWORD"); -@@ -368,27 +383,39 @@ main(int argc, /* I - Number of command-line arguments */ - load_interfaces(); - - do { -- cli = smb_connect(workgroup, -- server, -- port, -- printer, -- username, -- password, -- print_user, -- &need_auth); -- if (cli == NULL) { -- if (need_auth) { -- exit(2); -+ nt_status = smb_connect(&cli, -+ workgroup, -+ server, -+ port, -+ printer, -+ username, -+ password, -+ print_user); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ status = get_exit_code(nt_status); -+ if (status == 2) { -+ fprintf(stderr, -+ "DEBUG: Unable to connect to CIFS " -+ "host: %s", -+ nt_errstr(nt_status)); -+ goto done; - } else if (getenv("CLASS") == NULL) { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, will retry in 60 seconds...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. Will retry in 60 " -+ "seconds...\n", -+ nt_errstr(nt_status)); - sleep(60); - tries++; - } else { -- fprintf(stderr, "ERROR: Unable to connect to CIFS host, trying next printer...\n"); -+ fprintf(stderr, -+ "ERROR: Unable to connect to CIFS " -+ "host: %s. 
Trying next printer...\n", -+ nt_errstr(nt_status)); - goto done; - } - } -- } while ((cli == NULL) && (tries < MAX_RETRY_CONNECT)); -+ } while (!NT_STATUS_IS_OK(nt_status) && (tries < MAX_RETRY_CONNECT)); - - if (cli == NULL) { - fprintf(stderr, "ERROR: Unable to connect to CIFS host after (tried %d times)\n", tries); -@@ -435,10 +462,9 @@ done: - */ - - static int --get_exit_code(struct cli_state * cli, -- NTSTATUS nt_status) -+get_exit_code(NTSTATUS nt_status) - { -- int i; -+ size_t i; - - /* List of NTSTATUS errors that are considered - * authentication errors -@@ -454,17 +480,16 @@ get_exit_code(struct cli_state * cli, - }; - - -- fprintf(stderr, "DEBUG: get_exit_code(cli=%p, nt_status=%s [%x])\n", -- cli, nt_errstr(nt_status), NT_STATUS_V(nt_status)); -+ fprintf(stderr, -+ "DEBUG: get_exit_code(nt_status=%s [%x])\n", -+ nt_errstr(nt_status), NT_STATUS_V(nt_status)); - - for (i = 0; i < ARRAY_SIZE(auth_errors); i++) { - if (!NT_STATUS_EQUAL(nt_status, auth_errors[i])) { - continue; - } - -- if (cli) { -- fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); -- } -+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); - - /* - * 2 = authentication required... 
-@@ -497,16 +522,16 @@ list_devices(void) - } - - --static struct cli_state * --smb_complete_connection(const char *myname, -+static NTSTATUS -+smb_complete_connection(struct cli_state **output_cli, -+ const char *myname, - const char *server, - int port, - const char *username, - const char *password, - const char *workgroup, - const char *share, -- int flags, -- bool *need_auth) -+ int flags) - { - struct cli_state *cli; /* New connection */ - NTSTATUS nt_status; -@@ -515,12 +540,11 @@ smb_complete_connection(const char *myname, - bool fallback_after_kerberos = false; - - /* Start the SMB connection */ -- *need_auth = false; - nt_status = cli_start_connection(&cli, myname, server, NULL, port, - SMB_SIGNING_DEFAULT, flags); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Connection failed: %s\n", nt_errstr(nt_status)); -- return NULL; -+ return nt_status; - } - - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -@@ -543,20 +567,16 @@ smb_complete_connection(const char *myname, - if (creds == NULL) { - fprintf(stderr, "ERROR: cli_session_creds_init failed\n"); - cli_shutdown(cli); -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - nt_status = cli_session_setup_creds(cli, creds); - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - - nt_status = cli_tree_connect_creds(cli, share, "?????", creds); -@@ -564,13 +584,9 @@ smb_complete_connection(const char *myname, - fprintf(stderr, "ERROR: Tree connect failed (%s)\n", - nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status) == 2) { -- *need_auth = true; -- } -- - cli_shutdown(cli); - -- return NULL; -+ return nt_status; - } - #if 0 - /* Need to work out how to specify this on the URL. 
*/ -@@ -583,7 +599,8 @@ smb_complete_connection(const char *myname, - } - #endif - -- return cli; -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - static bool kerberos_ccache_is_valid(void) { -@@ -647,49 +664,48 @@ static bool kerberos_ccache_is_valid(void) { - * 'smb_connect()' - Return a connection to a server. - */ - --static struct cli_state * /* O - SMB connection */ --smb_connect(const char *workgroup, /* I - Workgroup */ -+static NTSTATUS -+smb_connect(struct cli_state **output_cli, -+ const char *workgroup, /* I - Workgroup */ - const char *server, /* I - Server */ - const int port, /* I - Port */ - const char *share, /* I - Printer */ - const char *username, /* I - Username */ - const char *password, /* I - Password */ -- const char *jobusername, /* I - User who issued the print job */ -- bool *need_auth) --{ /* O - Need authentication? */ -- struct cli_state *cli; /* New connection */ -+ const char *jobusername) /* I - User who issued the print job */ -+{ -+ struct cli_state *cli = NULL; /* New connection */ - char *myname = NULL; /* Client name */ - struct passwd *pwd; - int flags = CLI_FULL_CONNECTION_USE_KERBEROS; - bool use_kerberos = false; - const char *user = username; -- int cmp; -+ NTSTATUS nt_status; - - /* - * Get the names and addresses of the client and server... 
- */ - myname = get_myname(talloc_tos()); - if (!myname) { -- return NULL; -+ return NT_STATUS_NO_MEMORY; - } - - -- cmp = strcmp(auth_info_required, "negotiate"); -- if (cmp == 0) { -+ if (strcmp(auth_info_required, "negotiate") == 0) { - if (!kerberos_ccache_is_valid()) { -- return NULL; -+ fprintf(stderr, -+ "ERROR: No valid Kerberos credential cache " -+ "found!\n"); -+ return NT_STATUS_LOGON_FAILURE; - } - user = jobusername; - - use_kerberos = true; - fprintf(stderr, - "DEBUG: Try to connect using Kerberos ...\n"); -- } -- -- cmp = strcmp(auth_info_required, "username,password"); -- if (cmp == 0) { -- if (username == NULL || username[0] == '\0') { -- return NULL; -+ } else if (strcmp(auth_info_required, "username,password") == 0) { -+ if (username == NULL) { -+ return NT_STATUS_INVALID_ACCOUNT_NAME; - } - - /* Fallback to NTLM */ -@@ -697,59 +713,83 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - - fprintf(stderr, - "DEBUG: Try to connect using username/password ...\n"); -- } -+ } else { -+ if (username != NULL) { -+ flags |= CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS; -+ } else if (kerberos_ccache_is_valid()) { -+ auth_info_required = "negotiate"; - -- cmp = strcmp(auth_info_required, "none"); -- if (cmp == 0) { -- fprintf(stderr, -- "DEBUG: This backend doesn't support none auth ...\n"); -- return NULL; -+ user = jobusername; -+ use_kerberos = true; -+ } else { -+ fprintf(stderr, -+ "DEBUG: This backend requires credentials!\n"); -+ return NT_STATUS_ACCESS_DENIED; -+ } - } - -- cli = smb_complete_connection(myname, -- server, -- port, -- user, -- password, -- workgroup, -- share, -- flags, -- need_auth); -- if (cli != NULL) { -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ user, -+ password, -+ workgroup, -+ share, -+ flags); -+ if (NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "DEBUG: SMB connection established.\n"); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - if (!use_kerberos) { 
- fprintf(stderr, "ERROR: SMB connection failed!\n"); -- return NULL; -+ return nt_status; - } - - /* give a chance for a passwordless NTLMSSP session setup */ - pwd = getpwuid(geteuid()); - if (pwd == NULL) { -- return NULL; -- } -- -- cli = smb_complete_connection(myname, server, port, pwd->pw_name, "", -- workgroup, share, 0, need_auth); -- -- if (cli) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ pwd->pw_name, -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { - fputs("DEBUG: Connected with NTLMSSP...\n", stderr); -- return (cli); -+ -+ *output_cli = cli; -+ return NT_STATUS_OK; - } - - /* - * last try. Use anonymous authentication - */ - -- cli = smb_complete_connection(myname, server, port, "", "", -- workgroup, share, 0, need_auth); -- /* -- * Return the new connection... -- */ -- -- return (cli); -+ nt_status = smb_complete_connection(&cli, -+ myname, -+ server, -+ port, -+ "", -+ "", -+ workgroup, -+ share, -+ 0); -+ if (NT_STATUS_IS_OK(nt_status)) { -+ *output_cli = cli; -+ return NT_STATUS_OK; -+ } -+ -+ return nt_status; - } - - -@@ -795,7 +835,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: %s opening remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } - - /* -@@ -813,7 +853,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, - tbytes, nbytes, NULL); - if (!NT_STATUS_IS_OK(status)) { -- int ret = get_exit_code(cli, status); -+ int ret = get_exit_code(status); - fprintf(stderr, "ERROR: Error writing spool: %s\n", - nt_errstr(status)); - fprintf(stderr, "DEBUG: Returning status %d...\n", -@@ -829,7 +869,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: 
%s closing remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status); -+ return get_exit_code(nt_status); - } else { - return (0); - } --- -2.21.0 - diff --git a/SOURCES/samba-4.9-fix_debug_segfault.patch b/SOURCES/samba-4.9-fix_debug_segfault.patch deleted file mode 100644 index edbbd33..0000000 --- a/SOURCES/samba-4.9-fix_debug_segfault.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 7 Nov 2018 14:32:29 +0100 -Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation - -This fixes a segfault in pyglue: - -==10142== Process terminating with default action of signal 11 (SIGSEGV) -==10142== Bad permissions for mapped region at address 0x6F00A20 -==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0) ---- - lib/util/debug.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/util/debug.c b/lib/util/debug.c -index d41e0f99c77..847ec1f0a0c 100644 ---- a/lib/util/debug.c -+++ b/lib/util/debug.c -@@ -557,10 +557,10 @@ static const char *default_classname_table[] = { - * This is to allow reading of DEBUGLEVEL_CLASS before the debug - * system has been initialized. - */ --static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)]; -+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)]; - - static size_t debug_num_classes = 0; --int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial); -+int *DEBUGLEVEL_CLASS = debug_class_list_initial; - - - /* -------------------------------------------------------------------------- ** --- -2.19.1 - 
diff --git a/SOURCES/samba-4.9-fix_force_group_panic.patch b/SOURCES/samba-4.9-fix_force_group_panic.patch deleted file mode 100644 index e228ccf..0000000 --- a/SOURCES/samba-4.9-fix_force_group_panic.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 18 Jan 2019 14:24:30 -0800 -Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an - existing share connection. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -smbd could crash if "force group" is added to a -share definition whilst an existing connection -to that share exists. In that case, don't change -the existing credentials for force group, only -do so for new connections. - -Remove knownfail from regression test. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144 - -(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a) ---- - source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++-- - 2 files changed, 33 insertions(+), 4 deletions(-) - -diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c -index 9d5321cf4cc..ced2d450f8e 100644 ---- a/source3/smbd/uid.c -+++ b/source3/smbd/uid.c -@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn, - int snum; - gid_t gid; - uid_t uid; -+ const char *force_group_name; - char group_c; - int num_groups = 0; - gid_t *group_list = NULL; -@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn, - * See if we should force group for this service. If so this overrides - * any group set in the force user code. 
- */ -- if((group_c = *lp_force_group(talloc_tos(), snum))) { -+ force_group_name = lp_force_group(talloc_tos(), snum); -+ group_c = *force_group_name; - -- SMB_ASSERT(conn->force_group_gid != (gid_t)-1); -+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) { -+ /* -+ * This can happen if "force group" is added to a -+ * share definition whilst an existing connection -+ * to that share exists. In that case, don't change -+ * the existing credentials for force group, only -+ * do so for new connections. -+ * -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 -+ */ -+ DBG_INFO("Not forcing group %s on existing connection to " -+ "share %s for SMB user %s (unix user %s)\n", -+ force_group_name, -+ lp_const_servicename(snum), -+ session_info->unix_info->sanitized_username, -+ session_info->unix_info->unix_name); -+ } -+ -+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) { -+ /* -+ * Only force group for connections where -+ * conn->force_group_gid has already been set -+ * to the correct value (i.e. the connection -+ * happened after the 'force group' definition -+ * was added to the share definition. Connections -+ * that were made before force group was added -+ * should stay with their existing credentials. -+ * -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 -+ */ - - if (group_c == '+') { - int i; --- -2.20.1.495.gaa96b0ce6b-goog - diff --git a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch b/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch deleted file mode 100644 index 8cd6b4e..0000000 --- a/SOURCES/samba-4.9-fix_net_ads_join_admin_otherdomain.patch +++ /dev/null 
@@ -1,544 +0,0 @@ -From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 29 Mar 2019 11:34:53 +0100 -Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails - -Currently we just get an error but don't know what exactly we tried to -do in 'net ads join -d10'. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5) ---- - source3/libads/ldap.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 13846695bd4..110f74a2dbb 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld) - if (ret != 0) { - char *ld_error = NULL; - ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); -- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, -- ldap_err2string(ret), ld_error)); -+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n", -+ ret, -+ ldap_err2string(ret), -+ ld_error); - SAFE_FREE(ld_error); - } - } -@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) - (char) 1}; - LDAPControl *controls[2]; - -+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn); -+ - controls[0] = &PermitModify; - controls[1] = NULL; - -@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) - char *utf8_dn = NULL; - size_t converted_size; - -+ DBG_INFO("AD LDAP: Adding %s\n", new_dn); -+ - if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) { - DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!")); - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); -@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - -+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn); -+ - ret = 
ldap_delete_s(ads->ldap.ld, utf8_dn); - ads_print_error(ret, ads->ldap.ld); - TALLOC_FREE(utf8_dn); --- -2.21.0 - - -From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Mar 2019 16:45:39 +0100 -Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8) ---- - source3/libsmb/cliconnect.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 837299d9220..9a3d3c769f9 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - return NT_STATUS_OK; - } - -+ DBG_INFO("Doing kinit for %s to access %s\n", -+ user_principal, target_hostname); - - /* - * TODO: This should be done within the gensec layer -@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - */ - } - -+ DBG_DEBUG("Successfully authenticated as %s to access %s using " -+ "Kerberos\n", -+ user_principal, -+ target_hostname); -+ - TALLOC_FREE(frame); - return NT_STATUS_OK; - } -@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send( - return tevent_req_post(req, ev); - } - -+ DBG_INFO("Connect to %s as %s using SPNEGO\n", -+ target_hostname, -+ cli_credentials_get_principal(creds, talloc_tos())); -+ - subreq = cli_session_setup_gensec_send(state, ev, cli, creds, - target_service, target_hostname); - if (tevent_req_nomem(subreq, req)) { -@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, - return tevent_req_post(req, ev); - } - -+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username); -+ - if ((sec_mode & 
NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { - bool use_unicode = smbXcli_conn_use_unicode(cli->conn); - uint8_t *bytes = NULL; --- -2.21.0 - - -From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001 -From: Guenther Deschner -Date: Mon, 1 Apr 2019 17:46:39 +0200 -Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin() - -A newline is missing but also use DBG_INFO macro and cleanup spelling. - -Signed-off-by: Guenther Deschner -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662) ---- - source3/libnet/libnet_join.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 27fc5135442..ddc00f7ad7c 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - return WERR_NERR_DEFAULTJOINREQUIRED; - } - -- DEBUG(5, ("failed to precreate account in ou %s: %s", -- r->in.account_ou, ads_errstr(ads_status))); -+ DBG_INFO("Failed to pre-create account in OU %s: %s\n", -+ r->in.account_ou, ads_errstr(ads_status)); - } - rpc_join: - --- -2.21.0 - - -From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001 -From: Guenther Deschner -Date: Wed, 27 Mar 2019 17:51:04 +0100 -Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output - -This got lost somehow during refactoring. This is still viable -information when trying to figure out what is going wrong when -authenticating a user over NTLMSSP. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Signed-off-by: Guenther Deschner -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7) ---- - auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++ - 1 file changed, 32 insertions(+) - -diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c -index ab406a2c5be..8e49dcee5ea 100644 ---- a/auth/ntlmssp/ntlmssp_client.c -+++ b/auth/ntlmssp/ntlmssp_client.c -@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, - } - } - -+ if (DEBUGLEVEL >= 10) { -+ struct CHALLENGE_MESSAGE *challenge = -+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE); -+ if (challenge != NULL) { -+ NTSTATUS status; -+ challenge->NegotiateFlags = chal_flags; -+ status = ntlmssp_pull_CHALLENGE_MESSAGE( -+ &in, challenge, challenge); -+ if (NT_STATUS_IS_OK(status)) { -+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, -+ challenge); -+ } -+ TALLOC_FREE(challenge); -+ } -+ } -+ - if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) { - ntlmssp_state->server.is_standalone = true; - } else { -@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, - return nt_status; - } - -+ if (DEBUGLEVEL >= 10) { -+ struct AUTHENTICATE_MESSAGE *authenticate = -+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE); -+ if (authenticate != NULL) { -+ NTSTATUS status; -+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags; -+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE( -+ out, authenticate, authenticate); -+ if (NT_STATUS_IS_OK(status)) { -+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, -+ authenticate); -+ } -+ TALLOC_FREE(authenticate); -+ } -+ } -+ - /* - * We always include the MIC, even without: - * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; --- -2.21.0 - - -From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 1 Apr 
2019 15:59:10 +0200 -Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username - when using NTLM - -If we want to authenticate using -Wadmin@otherdomain the DC should do -take care of the authentication with the right DC for us. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Pair-Programmed-With: Guenther Deschner -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3) ---- - auth/credentials/credentials.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index 4663185c979..7ef58d0752c 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c - const char **username, - const char **domain) - { -- if (cred->principal_obtained > cred->username_obtained) { -+ if (cred->principal_obtained >= cred->username_obtained) { - *domain = talloc_strdup(mem_ctx, ""); - *username = cli_credentials_get_principal(cred, mem_ctx); - } else { --- -2.21.0 - - -From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 1 Apr 2019 16:39:45 +0200 -Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf - -Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753) ---- - source3/libnet/libnet_join.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index ddc00f7ad7c..e052306523d 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - } - - /* The domain parameter is only used as modifier -- * to krb5.conf file name. .JOIN is is not a valid -+ * to krb5.conf file name. _JOIN_ is is not a valid - * NetBIOS name so it cannot clash with another domain - * -- Uri. - */ -- create_local_private_krb5_conf_for_domain( -- pre_connect_realm, ".JOIN", sitename, &ss); -+ create_local_private_krb5_conf_for_domain(pre_connect_realm, -+ "_JOIN_", -+ sitename, -+ &ss); - } - - status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli); --- -2.21.0 - - -From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 1 Apr 2019 16:47:26 +0200 -Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not - configured - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Pair-Programmed-With: Guenther Deschner -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6) ---- - source3/libads/kerberos.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index e623f2456a8..360cdd741da 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - } - #endif - -+ /* 
-+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup -+ * KDCs which are not configured via DNS SRV records, eg. if we do: -+ * -+ * net ads join -Uadmin@otherdomain -+ */ - file_contents = - talloc_asprintf(fname, -- "[libdefaults]\n\tdefault_realm = %s\n" -+ "[libdefaults]\n" -+ "\tdefault_realm = %s\n" - "%s" -- "\tdns_lookup_realm = false\n\n" -+ "\tdns_lookup_realm = false\n" -+ "\tdns_lookup_kdc = true\n\n" - "[realms]\n\t%s = {\n" - "%s\t}\n" - "%s\n", --- -2.21.0 - - -From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001 -From: Guenther Deschner -Date: Mon, 1 Apr 2019 17:40:03 +0200 -Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing - accounts - -This avoids numerous LDAP constraint violation errors when we try to -re-precreate an already existing machine account. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Pair-Programmed-With: Andreas Schneider -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -Reviewed-by: Andrew Bartlett -(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68) ---- - source3/libads/ldap.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 110f74a2dbb..e191ea792a8 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - goto done; - } - -+ ret = ads_find_machine_acct(ads, &res, machine_escaped); -+ ads_msgfree(ads, res); -+ if (ADS_ERR_OK(ret)) { -+ DBG_DEBUG("Host account for %s already exists.\n", -+ machine_escaped); -+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); -+ goto done; -+ } -+ - new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); - samAccountName = talloc_asprintf(ctx, "%s$", machine_name); - -@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - - done: - SAFE_FREE(machine_escaped); -- 
ads_msgfree(ads, res); - talloc_destroy(ctx); - - return ret; --- -2.21.0 - - -From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Apr 2019 13:14:06 +0200 -Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads - layer - -Otherwise we could loose the information that a non-default domain name -has been used for admin creds. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider -(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d) ---- - source3/libnet/libnet_join.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index e052306523d..fc7429e6a23 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, - password = r->in.machine_password; - ccname = "MEMORY:libnet_join_machine_creds"; - } else { -+ char *p = NULL; -+ - username = r->in.admin_account; -+ -+ p = strchr(r->in.admin_account, '@'); -+ if (p == NULL) { -+ username = talloc_asprintf(mem_ctx, "%s@%s", -+ r->in.admin_account, -+ r->in.admin_domain); -+ } -+ if (username == NULL) { -+ return ADS_ERROR(LDAP_NO_MEMORY); -+ } - password = r->in.admin_password; - - /* --- -2.21.0 - - -From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Apr 2019 13:16:11 +0200 -Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD - connect fails - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider -(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26) ---- - source3/libnet/libnet_join.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git 
a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index fc7429e6a23..6d3fc1fe01f 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - - ads_status = libnet_join_connect_ads_user(mem_ctx, r); - if (!ADS_ERR_OK(ads_status)) { -+ libnet_join_set_error_string(mem_ctx, r, -+ "failed to connect to AD: %s", -+ ads_errstr(ads_status)); - return WERR_NERR_DEFAULTJOINREQUIRED; - } - --- -2.21.0 - - -From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 2 Apr 2019 13:16:55 +0200 -Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in - libnet_join - -When a non-DNS and non-default admin domain is provided during the join -sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME' -(e.g. when the winbind krb5 locator is not installed). In that case lets -fallback to NTLMSSP, like we do in winbind. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144 - -(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5) ---- - source3/libnet/libnet_join.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index 6d3fc1fe01f..b876d7ea89f 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, - return ADS_ERROR_LDAP(LDAP_NO_MEMORY); - } - -+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; -+ - if (user_name) { - SAFE_FREE(my_ads->auth.user_name); - my_ads->auth.user_name = SMB_STRDUP(user_name); --- -2.21.0 - 
diff --git a/SOURCES/samba-4.9-fix_net_ads_krb5.patch b/SOURCES/samba-4.9-fix_net_ads_krb5.patch deleted file mode 100644 index a8aedde..0000000 --- a/SOURCES/samba-4.9-fix_net_ads_krb5.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 17 Dec 2018 11:26:11 -0500 -Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k - -This affects net rpc getsid and net rpc changetrustpw commands. -This avoids an anonymous IPC connection being made when -k is used, -this only affects net rpc getsid and net rpc changetrustpw commands. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726 - -Signed-off-by: Justin Stephenson -Reviewed-by: Andreas Schneider -Reviewed-by: Noel Power ---- - source3/utils/net_rpc.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c -index b99a036fca1..67fff2f4d1b 100644 ---- a/source3/utils/net_rpc.c -+++ b/source3/utils/net_rpc.c -@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c, - - int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv) - { -+ int conn_flags = NET_FLAGS_PDC; -+ -+ if (!c->opt_user_specified && !c->opt_kerberos) { -+ conn_flags |= NET_FLAGS_ANONYMOUS; -+ } -+ - if (c->display_usage) { - d_printf( "%s\n" - "net rpc changetrustpw\n" -@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv) - } - - return run_rpc_command(c, NULL, &ndr_table_netlogon, -- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC, -+ conn_flags, - rpc_changetrustpw_internals, - argc, argv); - } -@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv) - { - int conn_flags = NET_FLAGS_PDC; - -- if (!c->opt_user_specified) { -+ if (!c->opt_user_specified && !c->opt_kerberos) { - conn_flags |= NET_FLAGS_ANONYMOUS; - } - --- -2.20.1 - 
diff --git a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch b/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
deleted file mode 100644
index 013eebc..0000000
--- a/SOURCES/samba-4.9-fix_smbspool_as_cups_backend.patch
+++ /dev/null
@@ -1,521 +0,0 @@ -From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 12 Mar 2019 10:15:05 +0100 -Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 - -Signed-off-by: Andreas Schneider -Reviewed-by: Bryan Mason -Signed-off-by: Guenther Deschner -(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a) ---- - source3/script/tests/test_smbspool.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh -index d95ed064634..f28c0909334 100755 ---- a/source3/script/tests/test_smbspool.sh -+++ b/source3/script/tests/test_smbspool.sh -@@ -99,8 +99,8 @@ test_vlp_verify() - fi - - jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };') -- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then -- echo "failed to get jobid" -+ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then -+ echo "Invalid jobid: $jobid" - echo "$out" - return 1 - fi --- -2.20.1 - - -From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 12 Mar 2019 09:40:58 +0100 -Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to - smbspool - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 - -Signed-off-by: Andreas Schneider -Reviewed-by: Bryan Mason -Signed-off-by: Guenther Deschner -(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a) ---- - source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++--- - 1 file changed, 21 insertions(+), 3 deletions(-) - -diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c -index dee3b4c54be..5c4da33238b 100644 ---- a/source3/client/smbspool_krb5_wrapper.c -+++ b/source3/client/smbspool_krb5_wrapper.c -@@ -84,24 +84,36 @@ int main(int argc, char *argv[]) - struct passwd *pwd; - char 
gen_cc[PATH_MAX] = {0}; - struct stat sb; -- char *env; -+ char *env = NULL; -+ char auth_info_required[256] = {0}; -+ char device_uri[4096] = {0}; - uid_t uid = (uid_t)-1; - gid_t gid = (gid_t)-1; - unsigned long tmp; - int cmp; - int rc; - -+ env = getenv("DEVICE_URI"); -+ if (env != NULL && strlen(env) > 2) { -+ snprintf(device_uri, sizeof(device_uri), "%s", env); -+ } -+ - /* Check if AuthInfoRequired is set to negotiate */ - env = getenv("AUTH_INFO_REQUIRED"); - - /* If not set, then just call smbspool. */ -- if (env == NULL) { -+ if (env == NULL || env[0] == 0) { - CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - " - "execute smbspool"); - goto smbspool; - } else { - CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env); - -+ snprintf(auth_info_required, -+ sizeof(auth_info_required), -+ "%s", -+ env); -+ - cmp = strcmp(env, "username,password"); - if (cmp == 0) { - CUPS_SMB_DEBUG("Authenticate using username/password - " -@@ -223,12 +235,18 @@ create_env: - #else - { - extern char **environ; -- environ = calloc(1, sizeof(*environ)); -+ environ = calloc(3, sizeof(*environ)); - } - #endif - - CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc); - setenv("KRB5CCNAME", gen_cc, 1); -+ if (device_uri[0] != '\0') { -+ setenv("DEVICE_URI", device_uri, 1); -+ } -+ if (auth_info_required[0] != '\0') { -+ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1); -+ } - - smbspool: - snprintf(smbspool_cmd, --- -2.20.1 - - -From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 4 Jan 2019 09:21:24 +0100 -Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set - by cups - -This should not switch to username,password if cups has been configured -to use negotiate (Kerberos authentication). 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 - -Signed-off-by: Andreas Schneider -Reviewed-by: Bryan Mason -Signed-off-by: Guenther Deschner -(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845) ---- - source3/client/smbspool.c | 32 ++++++++++++++++++++------------ - 1 file changed, 20 insertions(+), 12 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 389e4ea553f..3dbf6be014b 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -60,7 +60,7 @@ - * Local functions... - */ - --static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos); -+static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status); - static void list_devices(void); - static struct cli_state *smb_complete_connection(const char *, const char *, - int, const char *, const char *, const char *, const char *, int, bool *need_auth); -@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *); - static bool smb_encrypt; - #endif - -+static const char *auth_info_required; -+ - /* - * 'main()' - Main entry for SMB backend. 
- */ -@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */ - } - } - -+ auth_info_required = getenv("AUTH_INFO_REQUIRED"); -+ if (auth_info_required == NULL) { -+ auth_info_required = "none"; -+ } -+ - cmp = strncmp(dev_uri, "smb://", 6); - if (cmp != 0) { - fprintf(stderr, -@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */ - server = uri + 6; - } - -+ if (password != empty_str) { -+ auth_info_required = "username,password"; -+ } -+ - tmp = server; - - if ((sep = strchr_m(tmp, '/')) == NULL) { -@@ -352,8 +363,7 @@ done: - - static int - get_exit_code(struct cli_state * cli, -- NTSTATUS nt_status, -- bool use_kerberos) -+ NTSTATUS nt_status) - { - int i; - -@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli, - } - - if (cli) { -- if (use_kerberos) -- fputs("ATTR: auth-info-required=negotiate\n", stderr); -- else -- fputs("ATTR: auth-info-required=username,password\n", stderr); -+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required); - } - - /* -@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname, - } - - if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { -+ auth_info_required = "negotiate"; - use_kerberos = true; - } - -@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname, - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status, use_kerberos) == 2) { -+ if (get_exit_code(cli, nt_status) == 2) { - *need_auth = true; - } - -@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname, - fprintf(stderr, "ERROR: Tree connect failed (%s)\n", - nt_errstr(nt_status)); - -- if (get_exit_code(cli, nt_status, use_kerberos) == 2) { -+ if (get_exit_code(cli, nt_status) == 2) { - *need_auth = true; - } - -@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: %s opening remote spool %s\n", - 
nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status, false); -+ return get_exit_code(cli, nt_status); - } - - /* -@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, - tbytes, nbytes, NULL); - if (!NT_STATUS_IS_OK(status)) { -- int ret = get_exit_code(cli, status, false); -+ int ret = get_exit_code(cli, status); - fprintf(stderr, "ERROR: Error writing spool: %s\n", - nt_errstr(status)); - fprintf(stderr, "DEBUG: Returning status %d...\n", -@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - if (!NT_STATUS_IS_OK(nt_status)) { - fprintf(stderr, "ERROR: %s closing remote spool %s\n", - nt_errstr(nt_status), title); -- return get_exit_code(cli, nt_status, false); -+ return get_exit_code(cli, nt_status); - } else { - return (0); - } --- -2.20.1 - - -From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 12 Mar 2019 10:09:14 +0100 -Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title - -We can't be sure we can write to the input buffer. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 - -Signed-off-by: Andreas Schneider -Reviewed-by: Bryan Mason -Signed-off-by: Guenther Deschner -(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282) ---- - source3/client/smbspool.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 3dbf6be014b..94c7ea368a2 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *, - int, const char *, const char *, const char *, const char *, int, bool *need_auth); - static struct cli_state *smb_connect(const char *, const char *, int, const - char *, const char *, const char *, const char *, bool *need_auth); --static int smb_print(struct cli_state *, char *, FILE *); -+static int smb_print(struct cli_state *, const char *, FILE *); - static char *uri_unescape_alloc(const char *); - #if 0 - static bool smb_encrypt; -@@ -655,7 +655,7 @@ kerberos_auth: - - static int /* O - 0 = success, non-0 = failure */ - smb_print(struct cli_state * cli, /* I - SMB connection */ -- char *title, /* I - Title/job name */ -+ const char *print_title, /* I - Title/job name */ - FILE * fp) - { /* I - File to print */ - uint16_t fnum; /* File number */ -@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ - tbytes; /* Total bytes read */ - char buffer[8192], /* Buffer for copy */ - *ptr; /* Pointer into title */ -+ char title[1024] = {0}; -+ int len; - NTSTATUS nt_status; - - - /* -- * Sanitize the title... -- */ -+ * Sanitize the title... 
-+ */ -+ len = snprintf(title, sizeof(title), "%s", print_title); -+ if (len != strlen(print_title)) { -+ return 2; -+ } - - for (ptr = title; *ptr; ptr++) { - if (!isalnum((int) *ptr) && !isspace((int) *ptr)) { --- -2.20.1 - - -From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 12 Mar 2019 11:40:30 +0100 -Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling - -If we are executed as a CUPS backend, argv[0] is set to the device uri. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832 - -Signed-off-by: Andreas Schneider -Reviewed-by: Bryan Mason -Signed-off-by: Guenther Deschner - -(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a) ---- - source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++-------- - 1 file changed, 96 insertions(+), 24 deletions(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 94c7ea368a2..97d00bdd011 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */ - char empty_str[] = ""; - int tries = 0; - bool need_auth = true; -- const char *dev_uri; -+ const char *dev_uri = NULL; -+ const char *env = NULL; - const char *config_file = NULL; - TALLOC_CTX *frame = talloc_stackframe(); -- bool device_uri_cmdline = false; -+ const char *print_user = NULL; -+ const char *print_title = NULL; - const char *print_file = NULL; - const char *print_copies = NULL; - int cmp; -@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */ - } - - /* -- * If we have 6 arguments find out if we have the device_uri from the -- * command line or the print data -+ * Find out if we have the device_uri in the command line. -+ * -+ * If we are started as a CUPS backend argv[0] is normally the -+ * device_uri! 
- */ -- if (argc == 7) { -- cmp = strncmp(argv[1], "smb://", 6); -- if (cmp == 0) { -- device_uri_cmdline = true; -+ if (argc == 8) { -+ /* -+ * smbspool <copies> <options> <file> -+ * 0 1 2 3 4 5 6 7 -+ */ -+ -+ dev_uri = argv[1]; -+ -+ print_user = argv[3]; -+ print_title = argv[4]; -+ print_copies = argv[5]; -+ print_file = argv[7]; -+ } else if (argc == 7) { -+ int cmp1; -+ int cmp2; -+ -+ /* -+ * <uri> <job> <user> <title> <copies> <options> <file> -+ * smbspool <uri> <job> <user> <title> <copies> <options> -+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI -+ */ -+ cmp1 = strncmp(argv[0], "smb://", 6); -+ cmp2 = strncmp(argv[1], "smb://", 6); -+ -+ if (cmp1 == 0) { -+ /* -+ * <uri> <job> <user> <title> <copies> <options> <file> -+ * 0 1 2 3 4 5 6 -+ */ -+ dev_uri = argv[0]; -+ -+ print_user = argv[2]; -+ print_title = argv[3]; -+ print_copies = argv[4]; -+ print_file = argv[6]; -+ } else if (cmp2 == 0) { -+ /* -+ * smbspool <uri> <job> <user> <title> <copies> <options> -+ * 0 1 2 3 4 5 6 -+ */ -+ dev_uri = argv[1]; -+ -+ print_user = argv[3]; -+ print_title = argv[4]; -+ print_copies = argv[5]; -+ print_file = NULL; - } else { -+ /* -+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI -+ * 0 1 2 3 4 5 6 -+ */ -+ print_user = argv[2]; -+ print_title = argv[3]; - print_copies = argv[4]; - print_file = argv[6]; - } -- } else if (argc == 8) { -- device_uri_cmdline = true; -- print_copies = argv[5]; -- print_file = argv[7]; -+ } else if (argc == 6) { -+ /* -+ * <uri> <job> <user> <title> <copies> <options> -+ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI -+ * 0 1 2 3 4 5 -+ */ -+ cmp = strncmp(argv[0], "smb://", 6); -+ if (cmp == 0) { -+ dev_uri = argv[0]; -+ } -+ -+ print_user = argv[2]; -+ print_title = argv[3]; -+ print_copies = argv[4]; - } - - if (print_file != NULL) { -@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */ - /* - * Find the URI ... 
- */ -- if (device_uri_cmdline) { -- dev_uri = argv[1]; -- } else { -- dev_uri = getenv("DEVICE_URI"); -- if (dev_uri == NULL || strlen(dev_uri) == 0) { -- dev_uri = ""; -+ if (dev_uri == NULL) { -+ env = getenv("DEVICE_URI"); -+ if (env != NULL && env[0] != '\0') { -+ dev_uri = env; - } - } - -- auth_info_required = getenv("AUTH_INFO_REQUIRED"); -- if (auth_info_required == NULL) { -- auth_info_required = "none"; -+ if (dev_uri == NULL) { -+ fprintf(stderr, -+ "ERROR: No valid device URI has been specified\n"); -+ goto done; - } - - cmp = strncmp(dev_uri, "smb://", 6); -@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */ - goto done; - } - -+ auth_info_required = getenv("AUTH_INFO_REQUIRED"); -+ if (auth_info_required == NULL) { -+ auth_info_required = "none"; -+ } -+ - /* - * Extract the destination from the URI... - */ -@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */ - load_interfaces(); - - do { -- cli = smb_connect(workgroup, server, port, printer, -- username, password, argv[3], &need_auth); -+ cli = smb_connect(workgroup, -+ server, -+ port, -+ printer, -+ username, -+ password, -+ print_user, -+ &need_auth); - if (cli == NULL) { - if (need_auth) { - exit(2); -@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */ - */ - - for (i = 0; i < copies; i++) { -- status = smb_print(cli, argv[4] /* title */ , fp); -+ status = smb_print(cli, print_title, fp); - if (status != 0) { - break; - } --- -2.20.1 - diff --git a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch b/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch deleted file mode 100644 index b04c8cc..0000000 --- a/SOURCES/samba-4.9-fix_smbspool_krb5_auth.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Thu, 9 May 2019 16:18:51 +0200 -Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos - credentials - -This is a regression which has been introduced with Samba 4.8. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Guenther Deschner <gd@samba.org> -(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a) ---- - source3/client/smbspool.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 97d00bdd011..c404b3a3f69 100644 ---- a/source3/client/smbspool.c -+++ b/source3/client/smbspool.c -@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */ - * behavior with 3.0.14a - */ - -- if (username != NULL && username[0] != '\0') { -+ if (username == NULL || username[0] == '\0') { - if (kerberos_ccache_is_valid()) { - goto kerberos_auth; - } --- -2.21.0 - diff --git a/SOURCES/samba-4.9-fix_testparm_crash.patch b/SOURCES/samba-4.9-fix_testparm_crash.patch deleted file mode 100644 index 74a8a52..0000000 --- a/SOURCES/samba-4.9-fix_testparm_crash.patch +++ /dev/null 
@@ -1,2126 +0,0 @@ -From 425bed0731a02b2e310b8835e9b75bff73582d99 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <slow@samba.org> -Date: Mon, 9 Jul 2018 17:11:57 +0200 -Subject: [PATCH 01/22] s3:lib/server_contexts: make server_event_ctx and - server_msg_ctx static - -server_event_ctx and server_msg_ctx static shouldn't be accessible from -outside this compilation unit. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Ralph Boehme <slow@samba.org> -Reviewed-by: Christof Schmitt <cs@samba.org> -(cherry picked from commit d920a725ee19215190bbccaefd5b426bedc98860) ---- - source3/lib/server_contexts.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/source3/lib/server_contexts.c b/source3/lib/server_contexts.c -index 50072e680b6..b21cf0a4c81 100644 ---- a/source3/lib/server_contexts.c -+++ b/source3/lib/server_contexts.c -@@ -21,7 +21,7 @@ - #include "includes.h" - #include "messages.h" - --struct tevent_context *server_event_ctx = NULL; -+static struct tevent_context *server_event_ctx = NULL; - - struct tevent_context *server_event_context(void) - { -@@ -44,7 +44,7 @@ void server_event_context_free(void) - TALLOC_FREE(server_event_ctx); - } - --struct messaging_context *server_msg_ctx = NULL; -+static struct messaging_context *server_msg_ctx = NULL; - - struct messaging_context *server_messaging_context(void) - { --- -2.13.6 - - -From 1e8feaa20bfba475d6e2cbe69b5e1447586a7411 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 13 Aug 2018 15:07:20 -0700 -Subject: [PATCH 02/22] s3/lib:popt_common: Move setup_logging to common - callback - -The flag is set in the common callback, so be consistent - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit dff1028e8ba4c70e726283c12531853681034014) ---- - source3/lib/popt_common.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 
deletions(-) - -diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c -index cc93a756c3b..454884fbb5c 100644 ---- a/source3/lib/popt_common.c -+++ b/source3/lib/popt_common.c -@@ -93,6 +93,10 @@ static void popt_common_callback(poptContext con, - } - } - -+ if (override_logfile) { -+ setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE ); -+ } -+ - /* Further 'every Samba program must do this' hooks here. */ - return; - } -@@ -288,10 +292,6 @@ static void popt_common_credentials_callback(poptContext con, - if (reason == POPT_CALLBACK_REASON_POST) { - bool ok; - -- if (override_logfile) { -- setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE ); -- } -- - ok = lp_load_client(get_dyn_CONFIGFILE()); - if (!ok) { - const char *pname = poptGetInvocationName(con); --- -2.13.6 - - -From a1954bee751b35c3888be7c3c36ce59bb857e3f3 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 13 Aug 2018 15:39:08 -0700 -Subject: [PATCH 03/22] s3:lib: Move popt_common_credentials to separate file - -This is only used by command line utilities and has additional -dependencies. Move to a separate file to contain the dependencies to the -command line tools. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit b7464fd89bc22b71c82bbaa424bcbfcf947db651) ---- - source3/client/client.c | 2 +- - source3/include/popt_common.h | 10 -- - source3/include/popt_common_cmdline.h | 47 +++++++ - source3/lib/popt_common.c | 208 ----------------------------- - source3/lib/popt_common_cmdline.c | 241 ++++++++++++++++++++++++++++++++++ - source3/rpcclient/cmd_spoolss.c | 2 +- - source3/rpcclient/rpcclient.c | 2 +- - source3/rpcclient/wscript_build | 2 +- - source3/utils/net.c | 2 +- - source3/utils/regedit.c | 2 +- - source3/utils/smbcacls.c | 2 +- - source3/utils/smbcquotas.c | 2 +- - source3/utils/smbget.c | 2 +- - source3/utils/smbtree.c | 2 +- - source3/utils/wscript_build | 14 +- - source3/wscript_build | 9 +- - 16 files changed, 313 insertions(+), 236 deletions(-) - create mode 100644 source3/include/popt_common_cmdline.h - create mode 100644 source3/lib/popt_common_cmdline.c - -diff --git a/source3/client/client.c b/source3/client/client.c -index 25ba01d6216..2f193459d5d 100644 ---- a/source3/client/client.c -+++ b/source3/client/client.c -@@ -23,7 +23,7 @@ - - #include "includes.h" - #include "system/filesys.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "rpc_client/cli_pipe.h" - #include "client/client_proto.h" - #include "client/clitar_proto.h" -diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h -index a8c778473e9..e001a5369b7 100644 ---- a/source3/include/popt_common.h -+++ b/source3/include/popt_common.h -@@ -21,7 +21,6 @@ - #define _POPT_COMMON_H - - #include <popt.h> --#include "auth_info.h" - - /* Common popt structures */ - extern struct poptOption popt_common_samba[]; -@@ -41,19 +40,10 @@ extern const struct poptOption popt_common_dynconfig[]; - #define POPT_COMMON_CONNECTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_connection, 0, 
"Connection options:", NULL }, - #define POPT_COMMON_VERSION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version, 0, "Common samba options:", NULL }, - #define POPT_COMMON_CONFIGFILE { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile, 0, "Common samba config:", NULL }, --#define POPT_COMMON_CREDENTIALS { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_credentials, 0, "Authentication options:", NULL }, - #define POPT_COMMON_DYNCONFIG { NULL, 0, POPT_ARG_INCLUDE_TABLE, \ - discard_const_p(poptOption, popt_common_dynconfig), 0, \ - "Build-time configuration overrides:", NULL }, - #define POPT_COMMON_DEBUGLEVEL { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debuglevel, 0, "Common samba debugging:", NULL }, - #define POPT_COMMON_OPTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_option, 0, "Common samba commandline config:", NULL }, - --struct user_auth_info *popt_get_cmdline_auth_info(void); --void popt_free_cmdline_auth_info(void); -- --void popt_common_credentials_set_ignore_missing_conf(void); --void popt_common_credentials_set_delay_post(void); --void popt_common_credentials_post(void); --void popt_burn_cmdline_password(int argc, char *argv[]); -- - #endif /* _POPT_COMMON_H */ -diff --git a/source3/include/popt_common_cmdline.h b/source3/include/popt_common_cmdline.h -new file mode 100644 -index 00000000000..21130cff071 ---- /dev/null -+++ b/source3/include/popt_common_cmdline.h -@@ -0,0 +1,47 @@ -+/* -+ Unix SMB/CIFS implementation. -+ Common popt arguments -+ Copyright (C) Jelmer Vernooij 2003 -+ Copyright (C) Christof Schmitt 2018 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. 
-+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see <http://www.gnu.org/licenses/>. -+*/ -+ -+ -+#ifndef _POPT_COMMON_CREDENTIALS_H -+#define _POPT_COMMON_CREDENTIALS_H -+ -+#include "popt_common.h" -+ -+extern struct poptOption popt_common_credentials[]; -+#define POPT_COMMON_CREDENTIALS \ -+ { \ -+ NULL, \ -+ 0, \ -+ POPT_ARG_INCLUDE_TABLE, \ -+ popt_common_credentials, \ -+ 0, \ -+ "Authentication options:", \ -+ NULL \ -+ }, -+ -+struct user_auth_info *popt_get_cmdline_auth_info(void); -+void popt_free_cmdline_auth_info(void); -+ -+void popt_common_credentials_set_ignore_missing_conf(void); -+void popt_common_credentials_set_delay_post(void); -+void popt_common_credentials_post(void); -+void popt_burn_cmdline_password(int argc, char *argv[]); -+ -+#endif -diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c -index 454884fbb5c..11db080c82d 100644 ---- a/source3/lib/popt_common.c -+++ b/source3/lib/popt_common.c -@@ -213,211 +213,3 @@ struct poptOption popt_common_option[] = { - { "option", 0, POPT_ARG_STRING, NULL, OPT_OPTION, "Set smb.conf option from command line", "name=value" }, - POPT_TABLEEND - }; -- --/* Handle command line options: -- * -U,--user -- * -A,--authentication-file -- * -k,--use-kerberos -- * -N,--no-pass -- * -S,--signing -- * -P --machine-pass -- * -e --encrypt -- * -C --use-ccache -- */ -- --static struct user_auth_info *cmdline_auth_info; -- --struct user_auth_info *popt_get_cmdline_auth_info(void) --{ -- return cmdline_auth_info; --} --void popt_free_cmdline_auth_info(void) --{ -- TALLOC_FREE(cmdline_auth_info); --} -- --static bool popt_common_credentials_ignore_missing_conf; --static bool 
popt_common_credentials_delay_post; -- --void popt_common_credentials_set_ignore_missing_conf(void) --{ -- popt_common_credentials_delay_post = true; --} -- --void popt_common_credentials_set_delay_post(void) --{ -- popt_common_credentials_delay_post = true; --} -- --void popt_common_credentials_post(void) --{ -- if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) && -- !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info)) -- { -- fprintf(stderr, -- "Failed to use machine account credentials\n"); -- exit(1); -- } -- -- set_cmdline_auth_info_getpass(cmdline_auth_info); -- -- /* -- * When we set the username during the handling of the options passed to -- * the binary we haven't loaded the config yet. This means that we -- * didnn't take the 'winbind separator' into account. -- * -- * The username might contain the domain name and thus it hasn't been -- * correctly parsed yet. If we have a username we need to set it again -- * to run the string parser for the username correctly. 
-- */ -- reset_cmdline_auth_info_username(cmdline_auth_info); --} -- --static void popt_common_credentials_callback(poptContext con, -- enum poptCallbackReason reason, -- const struct poptOption *opt, -- const char *arg, const void *data) --{ -- if (reason == POPT_CALLBACK_REASON_PRE) { -- struct user_auth_info *auth_info = -- user_auth_info_init(NULL); -- if (auth_info == NULL) { -- fprintf(stderr, "user_auth_info_init() failed\n"); -- exit(1); -- } -- cmdline_auth_info = auth_info; -- return; -- } -- -- if (reason == POPT_CALLBACK_REASON_POST) { -- bool ok; -- -- ok = lp_load_client(get_dyn_CONFIGFILE()); -- if (!ok) { -- const char *pname = poptGetInvocationName(con); -- -- fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n", -- pname, get_dyn_CONFIGFILE()); -- if (!popt_common_credentials_ignore_missing_conf) { -- exit(1); -- } -- } -- -- load_interfaces(); -- -- set_cmdline_auth_info_guess(cmdline_auth_info); -- -- if (popt_common_credentials_delay_post) { -- return; -- } -- -- popt_common_credentials_post(); -- return; -- } -- -- switch(opt->val) { -- case 'U': -- set_cmdline_auth_info_username(cmdline_auth_info, arg); -- break; -- -- case 'A': -- set_cmdline_auth_info_from_file(cmdline_auth_info, arg); -- break; -- -- case 'k': --#ifndef HAVE_KRB5 -- d_printf("No kerberos support compiled in\n"); -- exit(1); --#else -- set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info); --#endif -- break; -- -- case 'S': -- if (!set_cmdline_auth_info_signing_state(cmdline_auth_info, -- arg)) { -- fprintf(stderr, "Unknown signing option %s\n", arg ); -- exit(1); -- } -- break; -- case 'P': -- set_cmdline_auth_info_use_machine_account(cmdline_auth_info); -- break; -- case 'N': -- set_cmdline_auth_info_password(cmdline_auth_info, ""); -- break; -- case 'e': -- set_cmdline_auth_info_smb_encrypt(cmdline_auth_info); -- break; -- case 'C': -- set_cmdline_auth_info_use_ccache(cmdline_auth_info, true); -- break; -- case 'H': -- 
set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true); -- break; -- } --} -- --/** -- * @brief Burn the commandline password. -- * -- * This function removes the password from the command line so we -- * don't leak the password e.g. in 'ps aux'. -- * -- * It should be called after processing the options and you should pass down -- * argv from main(). -- * -- * @param[in] argc The number of arguments. -- * -- * @param[in] argv[] The argument array we will find the array. -- */ --void popt_burn_cmdline_password(int argc, char *argv[]) --{ -- bool found = false; -- char *p = NULL; -- int i, ulen = 0; -- -- for (i = 0; i < argc; i++) { -- p = argv[i]; -- if (strncmp(p, "-U", 2) == 0) { -- ulen = 2; -- found = true; -- } else if (strncmp(p, "--user", 6) == 0) { -- ulen = 6; -- found = true; -- } -- -- if (found) { -- if (p == NULL) { -- return; -- } -- -- if (strlen(p) == ulen) { -- continue; -- } -- -- p = strchr_m(p, '%'); -- if (p != NULL) { -- memset(p, '\0', strlen(p)); -- } -- found = false; -- } -- } --} -- --struct poptOption popt_common_credentials[] = { -- { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, -- (void *)popt_common_credentials_callback, 0, NULL }, -- { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" }, -- { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" }, -- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" }, -- { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, -- { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, -- {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" }, -- {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport" }, -- {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C', -- "Use the winbind ccache for authentication" }, -- {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H', -- "The 
supplied password is the NT hash" }, -- POPT_TABLEEND --}; -diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c -new file mode 100644 -index 00000000000..57f77e0868a ---- /dev/null -+++ b/source3/lib/popt_common_cmdline.c -@@ -0,0 +1,241 @@ -+/* -+ Unix SMB/CIFS implementation. -+ Common popt routines only used by cmdline utils -+ -+ Copyright (C) Tim Potter 2001,2002 -+ Copyright (C) Jelmer Vernooij 2002,2003 -+ Copyright (C) James Peach 2006 -+ Copyright (C) Christof Schmitt 2018 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see <http://www.gnu.org/licenses/>. 
-+*/ -+ -+/* Handle command line options: -+ * -U,--user -+ * -A,--authentication-file -+ * -k,--use-kerberos -+ * -N,--no-pass -+ * -S,--signing -+ * -P --machine-pass -+ * -e --encrypt -+ * -C --use-ccache -+ */ -+ -+#include "popt_common_cmdline.h" -+#include "includes.h" -+#include "auth_info.h" -+ -+static struct user_auth_info *cmdline_auth_info; -+ -+struct user_auth_info *popt_get_cmdline_auth_info(void) -+{ -+ return cmdline_auth_info; -+} -+void popt_free_cmdline_auth_info(void) -+{ -+ TALLOC_FREE(cmdline_auth_info); -+} -+ -+static bool popt_common_credentials_ignore_missing_conf; -+static bool popt_common_credentials_delay_post; -+ -+void popt_common_credentials_set_ignore_missing_conf(void) -+{ -+ popt_common_credentials_delay_post = true; -+} -+ -+void popt_common_credentials_set_delay_post(void) -+{ -+ popt_common_credentials_delay_post = true; -+} -+ -+void popt_common_credentials_post(void) -+{ -+ if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) && -+ !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info)) -+ { -+ fprintf(stderr, -+ "Failed to use machine account credentials\n"); -+ exit(1); -+ } -+ -+ set_cmdline_auth_info_getpass(cmdline_auth_info); -+ -+ /* -+ * When we set the username during the handling of the options passed to -+ * the binary we haven't loaded the config yet. This means that we -+ * didn't take the 'winbind separator' into account. -+ * -+ * The username might contain the domain name and thus it hasn't been -+ * correctly parsed yet. If we have a username we need to set it again -+ * to run the string parser for the username correctly. 
-+ */ -+ reset_cmdline_auth_info_username(cmdline_auth_info); -+} -+ -+static void popt_common_credentials_callback(poptContext con, -+ enum poptCallbackReason reason, -+ const struct poptOption *opt, -+ const char *arg, const void *data) -+{ -+ if (reason == POPT_CALLBACK_REASON_PRE) { -+ struct user_auth_info *auth_info = -+ user_auth_info_init(NULL); -+ if (auth_info == NULL) { -+ fprintf(stderr, "user_auth_info_init() failed\n"); -+ exit(1); -+ } -+ cmdline_auth_info = auth_info; -+ return; -+ } -+ -+ if (reason == POPT_CALLBACK_REASON_POST) { -+ bool ok; -+ -+ ok = lp_load_client(get_dyn_CONFIGFILE()); -+ if (!ok) { -+ const char *pname = poptGetInvocationName(con); -+ -+ fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n", -+ pname, get_dyn_CONFIGFILE()); -+ if (!popt_common_credentials_ignore_missing_conf) { -+ exit(1); -+ } -+ } -+ -+ load_interfaces(); -+ -+ set_cmdline_auth_info_guess(cmdline_auth_info); -+ -+ if (popt_common_credentials_delay_post) { -+ return; -+ } -+ -+ popt_common_credentials_post(); -+ return; -+ } -+ -+ switch(opt->val) { -+ case 'U': -+ set_cmdline_auth_info_username(cmdline_auth_info, arg); -+ break; -+ -+ case 'A': -+ set_cmdline_auth_info_from_file(cmdline_auth_info, arg); -+ break; -+ -+ case 'k': -+#ifndef HAVE_KRB5 -+ d_printf("No kerberos support compiled in\n"); -+ exit(1); -+#else -+ set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info); -+#endif -+ break; -+ -+ case 'S': -+ if (!set_cmdline_auth_info_signing_state(cmdline_auth_info, -+ arg)) { -+ fprintf(stderr, "Unknown signing option %s\n", arg ); -+ exit(1); -+ } -+ break; -+ case 'P': -+ set_cmdline_auth_info_use_machine_account(cmdline_auth_info); -+ break; -+ case 'N': -+ set_cmdline_auth_info_password(cmdline_auth_info, ""); -+ break; -+ case 'e': -+ set_cmdline_auth_info_smb_encrypt(cmdline_auth_info); -+ break; -+ case 'C': -+ set_cmdline_auth_info_use_ccache(cmdline_auth_info, true); -+ break; -+ case 'H': -+ 
set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true); -+ break; -+ } -+} -+ -+/** -+ * @brief Burn the commandline password. -+ * -+ * This function removes the password from the command line so we -+ * don't leak the password e.g. in 'ps aux'. -+ * -+ * It should be called after processing the options and you should pass down -+ * argv from main(). -+ * -+ * @param[in] argc The number of arguments. -+ * -+ * @param[in] argv[] The argument array we will find the array. -+ */ -+void popt_burn_cmdline_password(int argc, char *argv[]) -+{ -+ bool found = false; -+ char *p = NULL; -+ int i, ulen = 0; -+ -+ for (i = 0; i < argc; i++) { -+ p = argv[i]; -+ if (strncmp(p, "-U", 2) == 0) { -+ ulen = 2; -+ found = true; -+ } else if (strncmp(p, "--user", 6) == 0) { -+ ulen = 6; -+ found = true; -+ } -+ -+ if (found) { -+ if (p == NULL) { -+ return; -+ } -+ -+ if (strlen(p) == ulen) { -+ continue; -+ } -+ -+ p = strchr_m(p, '%'); -+ if (p != NULL) { -+ memset(p, '\0', strlen(p)); -+ } -+ found = false; -+ } -+ } -+} -+ -+struct poptOption popt_common_credentials[] = { -+ { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, -+ (void *)popt_common_credentials_callback, 0, NULL }, -+ { "user", 'U', POPT_ARG_STRING, NULL, 'U', -+ "Set the network username", "USERNAME" }, -+ { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', -+ "Don't ask for a password" }, -+ { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', -+ "Use kerberos (active directory) authentication" }, -+ { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', -+ "Get the credentials from a file", "FILE" }, -+ { "signing", 'S', POPT_ARG_STRING, NULL, 'S', -+ "Set the client signing state", "on|off|required" }, -+ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', -+ "Use stored machine account password" }, -+ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', -+ "Encrypt SMB transport" }, -+ {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C', -+ "Use the winbind ccache for authentication" }, -+ {"pw-nt-hash", '\0', 
POPT_ARG_NONE, NULL, 'H', -+ "The supplied password is the NT hash" }, -+ POPT_TABLEEND -+}; -diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c -index 1d24476e9a5..8d330afdeb0 100644 ---- a/source3/rpcclient/cmd_spoolss.c -+++ b/source3/rpcclient/cmd_spoolss.c -@@ -33,7 +33,7 @@ - #include "../libcli/security/security_descriptor.h" - #include "../libcli/registry/util_reg.h" - #include "libsmb/libsmb.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - - #define RPCCLIENT_PRINTERNAME(_printername, _cli, _arg) \ - { \ -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c -index b4e25e6e479..f7e196226cf 100644 ---- a/source3/rpcclient/rpcclient.c -+++ b/source3/rpcclient/rpcclient.c -@@ -21,7 +21,7 @@ - - #include "includes.h" - #include "../libcli/auth/netlogon_creds_cli.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "rpcclient.h" - #include "../libcli/auth/libcli_auth.h" - #include "../librpc/gen_ndr/ndr_lsa_c.h" -diff --git a/source3/rpcclient/wscript_build b/source3/rpcclient/wscript_build -index c24a5670db9..11a64f3248a 100644 ---- a/source3/rpcclient/wscript_build -+++ b/source3/rpcclient/wscript_build -@@ -25,7 +25,7 @@ bld.SAMBA3_BINARY('rpcclient', - ''', - deps=''' - talloc -- popt_samba3 -+ popt_samba3_cmdline - pdb - libsmb - smbconf -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 44daa6088ca..76b8677bf78 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -41,7 +41,7 @@ - /*****************************************************/ - - #include "includes.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "utils/net.h" - #include "secrets.h" - #include "lib/netapi/netapi.h" -diff --git a/source3/utils/regedit.c b/source3/utils/regedit.c -index 27bd6f8f2c2..20115ae1624 100644 ---- a/source3/utils/regedit.c -+++ b/source3/utils/regedit.c -@@ -18,7 +18,7 @@ - */ - - #include "includes.h" --#include "popt_common.h" 
-+#include "popt_common_cmdline.h" - #include "lib/util/data_blob.h" - #include "lib/registry/registry.h" - #include "regedit.h" -diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c -index 0a5eeb31d0b..33eb78c41ec 100644 ---- a/source3/utils/smbcacls.c -+++ b/source3/utils/smbcacls.c -@@ -22,7 +22,7 @@ - */ - - #include "includes.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "rpc_client/cli_pipe.h" - #include "../librpc/gen_ndr/ndr_lsa.h" - #include "rpc_client/cli_lsarpc.h" -diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c -index 798b8b6f177..a4b1b8111a5 100644 ---- a/source3/utils/smbcquotas.c -+++ b/source3/utils/smbcquotas.c -@@ -22,7 +22,7 @@ - */ - - #include "includes.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "rpc_client/cli_pipe.h" - #include "../librpc/gen_ndr/ndr_lsa.h" - #include "rpc_client/cli_lsarpc.h" -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index e1be42917fb..37462fa131f 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -18,7 +18,7 @@ - - #include "includes.h" - #include "system/filesys.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "libsmbclient.h" - - static int columns = 0; -diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c -index 3b539ef1045..fb0f165a18d 100644 ---- a/source3/utils/smbtree.c -+++ b/source3/utils/smbtree.c -@@ -20,7 +20,7 @@ - */ - - #include "includes.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "rpc_client/cli_pipe.h" - #include "../librpc/gen_ndr/ndr_srvsvc_c.h" - #include "libsmb/libsmb.h" -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 93e6abaac0d..67bb87e7a74 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -27,7 +27,7 @@ bld.SAMBA3_BINARY('smbtree', - smbconf - libsmb - msrpc3 -- popt_samba3 -+ popt_samba3_cmdline - RPC_NDR_SRVSVC''') - - 
bld.SAMBA3_BINARY('smbpasswd', -@@ -52,7 +52,7 @@ bld.SAMBA3_BINARY('smbget', - source='smbget.c', - deps=''' - talloc -- popt_samba3 -+ popt_samba3_cmdline - smbclient''') - - bld.SAMBA3_BINARY('nmblookup', -@@ -67,7 +67,7 @@ bld.SAMBA3_BINARY('smbcacls', - source='smbcacls.c ../lib/util_sd.c', - deps=''' - talloc -- popt_samba3 -+ popt_samba3_cmdline - msrpc3 - libcli_lsa3 - krb5samba''') -@@ -76,7 +76,7 @@ bld.SAMBA3_BINARY('smbcquotas', - source='smbcquotas.c', - deps=''' - talloc -- popt_samba3 -+ popt_samba3_cmdline - libsmb - msrpc3 - libcli_lsa3''') -@@ -150,7 +150,9 @@ bld.SAMBA3_BINARY('samba-regedit', - regedit_wrap.c regedit_treeview.c - regedit_valuelist.c regedit_dialog.c - regedit_hexedit.c regedit_list.c""", -- deps='ncurses menu panel form registry smbconf popt_samba3', -+ deps=''' -+ ncurses menu panel form registry smbconf popt_samba3_cmdline -+ ''', - enabled=bld.env.build_regedit) - - bld.SAMBA3_BINARY('testparm', -@@ -217,7 +219,7 @@ bld.SAMBA3_BINARY('net', - netapi - addns - samba_intl -- popt_samba3 -+ popt_samba3_cmdline - pdb - libsmb - smbconf -diff --git a/source3/wscript_build b/source3/wscript_build -index c7c69a9bee1..5ecf23d531d 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -268,7 +268,12 @@ bld.SAMBA3_SUBSYSTEM('REG_FULL', - - bld.SAMBA3_LIBRARY('popt_samba3', - source='lib/popt_common.c', -- deps='popt samba-util util_cmdline', -+ deps='popt samba-util smbconf', -+ private_library=True) -+ -+bld.SAMBA3_LIBRARY('popt_samba3_cmdline', -+ source='lib/popt_common_cmdline.c', -+ deps='popt_samba3 util_cmdline', - private_library=True) - - bld.SAMBA3_LIBRARY('util_cmdline', -@@ -1094,7 +1099,7 @@ bld.SAMBA3_BINARY('client/smbclient', - ''', - deps=''' - talloc -- popt_samba3 -+ popt_samba3_cmdline - smbconf - ndr-standard - SMBREADLINE --- -2.13.6 - - -From a98b2df2121c129326c64e35ba63e780aeb44a19 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 14:44:28 -0700 -Subject: 
[PATCH 04/22] s3:lib: Introduce cmdline context wrapper - -Command line tools need acccess to the same messaging context provided -by server_messaging_context, as common code for db_open uses that -context. We want to have additional checking for command line tools -without having that code part of the servers. Introduce a wrapper -library to use for command line tools with the additional checks, that -then acquires the server_messaging_context. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 8c3b62e6231e62feafacf2a7ee4c9d41cd27a4a1) ---- - source3/lib/cmdline_contexts.c | 70 ++++++++++++++++++++++++++++++++++++++++++ - source3/lib/cmdline_contexts.h | 27 ++++++++++++++++ - source3/wscript_build | 5 +++ - 3 files changed, 102 insertions(+) - create mode 100644 source3/lib/cmdline_contexts.c - create mode 100644 source3/lib/cmdline_contexts.h - -diff --git a/source3/lib/cmdline_contexts.c b/source3/lib/cmdline_contexts.c -new file mode 100644 -index 00000000000..5713f7f7956 ---- /dev/null -+++ b/source3/lib/cmdline_contexts.c -@@ -0,0 +1,70 @@ -+/* -+ Unix SMB/CIFS implementation. -+ cmdline context wrapper. -+ -+ Copyright (C) Christof Schmitt <cs@samba.org> 2018 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see <http://www.gnu.org/licenses/>. 
-+*/
-+
-+#include "cmdline_contexts.h"
-+#include "includes.h"
-+#include "messages.h"
-+
-+struct messaging_context *cmdline_messaging_context(const char *config_file)
-+{
-+ struct messaging_context *msg_ctx = NULL;
-+
-+ /*
-+ * Ensure that a config is loaded, in case the underlying
-+ * messaging_init needs to create directories or sockets.
-+ */
-+ if (!lp_loaded()) {
-+ if (!lp_load_initial_only(config_file)) {
-+ return NULL;
-+ }
-+ }
-+
-+ /*
-+ * Clustered Samba can only work as root due to required
-+ * access to the registry and ctdb, which in turn requires
-+ * messaging access as root.
-+ */
-+ if (lp_clustering() && geteuid() != 0) {
-+ fprintf(stderr, "Cluster mode requires running as root.\n");
-+ exit(1);
-+ }
-+
-+ msg_ctx = server_messaging_context();
-+ if (msg_ctx == NULL) {
-+ if (geteuid() == 0) {
-+ fprintf(stderr,
-+ "Unable to initialize messaging context!\n");
-+ exit(1);
-+ } else {
-+ /*
-+ * Non-cluster, non-root: Log error, but leave
-+ * it up to the caller how to proceed.
-+ */
-+ DBG_NOTICE("Unable to initialize messaging context.\n");
-+ }
-+ }
-+
-+ return msg_ctx;
-+}
-+
-+void cmdline_messaging_context_free(void)
-+{
-+ server_messaging_context_free();
-+}
-diff --git a/source3/lib/cmdline_contexts.h b/source3/lib/cmdline_contexts.h
-new file mode 100644
-index 00000000000..21f81f0f1cd
---- /dev/null
-+++ b/source3/lib/cmdline_contexts.h
-@@ -0,0 +1,27 @@
-+/*
-+ Unix SMB/CIFS implementation.
-+ cmdline context wrapper.
-+
-+ Copyright (C) Christof Schmitt <cs@samba.org> 2018
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 3 of the License, or
-+ (at your option) any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see <http://www.gnu.org/licenses/>. -+*/ -+ -+#ifndef _LIB_CMDLINE_CONTEXTS_H -+#define _LIB_CMDLINE_CONTEXTS_H -+ -+struct messaging_context *cmdline_messaging_context(const char *config_file); -+void cmdline_messaging_context_free(void); -+ -+#endif -diff --git a/source3/wscript_build b/source3/wscript_build -index 5ecf23d531d..6fb09f7fbeb 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -281,6 +281,11 @@ bld.SAMBA3_LIBRARY('util_cmdline', - deps='secrets3', - private_library=True) - -+bld.SAMBA3_LIBRARY('cmdline_contexts', -+ source='lib/cmdline_contexts.c', -+ deps='samba3core', -+ private_library=True) -+ - bld.SAMBA3_SUBSYSTEM('KRBCLIENT', - source='libads/kerberos.c libads/ads_status.c', - public_deps='krb5samba asn1util k5crypto gssapi LIBTSOCKET CLDAP LIBNMB') --- -2.13.6 - - -From d5d7a587f7476835bc48aae0dda5e064c2fd573c Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <slow@samba.org> -Date: Tue, 10 Jul 2018 08:11:31 +0200 -Subject: [PATCH 05/22] s3:loadparm: reinit_globals in - lp_load_with_registry_shares() - -This was set to false in 0e0d77519c27038b30fec92d542198e97be767d9 based -on the assumption that callers would have no need to call -lp_load_initial_only() with a later call to lp_load_something(). - -This is not quite correct, since for accessing registry config on a -cluster with include=registry, we need messaging up and running which -*itself* requires loadparm to be initialized to get the statedir, -lockdir asf. directories. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Ralph Boehme <slow@samba.org> -Reviewed-by: Christof Schmitt <cs@samba.org> -(cherry picked from commit 3aca3f24d4bdacc11278388934b0b411d518d7b0) ---- - source3/param/loadparm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 291ba57e0bb..322934c55f0 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -4120,7 +4120,7 @@ bool lp_load_with_registry_shares(const char *pszFname) - false, /* global_only */ - true, /* save_defaults */ - false, /* add_ipc */ -- false, /* reinit_globals */ -+ true, /* reinit_globals */ - true, /* allow_include_registry */ - true); /* load_all_shares*/ - } --- -2.13.6 - - -From 88291681f03bb928d31e89717d2a19292f433024 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <slow@samba.org> -Date: Tue, 10 Jul 2018 10:38:10 +0200 -Subject: [PATCH 06/22] selftest: pass configfile to pdbedit - -This is needed otherwise pdbedit fails to initialize messaging in -autobuild. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Ralph Boehme <slow@samba.org> -Reviewed-by: Christof Schmitt <cs@samba.org> -(cherry picked from commit 10e1a6ebb3d95b8a1584a9b90c2584536aa9c96d) ---- - testprogs/blackbox/test_pdbtest.sh | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh -index 2ffded9af4e..02615094451 100755 ---- a/testprogs/blackbox/test_pdbtest.sh -+++ b/testprogs/blackbox/test_pdbtest.sh -@@ -44,12 +44,12 @@ send ${NEWUSERPASS}\n - send ${NEWUSERPASS}\n - EOF - --testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` -+testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -s $SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` - USERPASS=$NEWUSERPASS - - test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1` - --testit "modify user" $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` -+testit "modify user" $VALGRIND $pdbedit -s $SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` - - test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` - -@@ -87,11 +87,11 @@ test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -k no -U$USER%$NEW - NEWUSERPASS=testPaSS@03% - NEWUSERHASH=062519096c45739c1938800f80906731 - --testit "Set user password with password hash" $VALGRIND $pdbedit -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1` -+testit "Set user password with password hash" $VALGRIND $pdbedit -s $SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1` - - test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS || 
failed=`expr $failed + 1` - --testit "del user" $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1` -+testit "del user" $VALGRIND $pdbedit -s $SMB_CONF -x $USER $@ || failed=`expr $failed + 1` - - rm ./tmpsmbpasswdscript - --- -2.13.6 - - -From 31a50b15bfbe2c97ca19313e2536332979bfcef2 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <slow@samba.org> -Date: Tue, 10 Jul 2018 15:26:40 +0200 -Subject: [PATCH 07/22] s3:popt_common: use cmdline_messaging_context() in - popt_common_credentials_callback() - -This adds a call to cmdline_messaging_context() to the popt -popt_common_credentials_callback() hook and ensures that any client tool -that uses POPT_COMMON_CREDENTIALS gets an implicit messaging context, -ensuring it doesn't crash in the subsequent lp_load_client() with -include=registry in a cluster. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Ralph Boehme <slow@samba.org> -Reviewed-by: Christof Schmitt <cs@samba.org> -(cherry picked from commit 2c63ce94ef3a55ab0aa1aae4f6fee88e29ac2efe) ---- - source3/lib/popt_common_cmdline.c | 8 ++++++++ - source3/wscript_build | 2 +- - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c -index 57f77e0868a..d1ba90dd43e 100644 ---- a/source3/lib/popt_common_cmdline.c -+++ b/source3/lib/popt_common_cmdline.c -@@ -35,6 +35,7 @@ - #include "popt_common_cmdline.h" - #include "includes.h" - #include "auth_info.h" -+#include "cmdline_contexts.h" - - static struct user_auth_info *cmdline_auth_info; - -@@ -101,8 +102,15 @@ static void popt_common_credentials_callback(poptContext con, - } - - if (reason == POPT_CALLBACK_REASON_POST) { -+ struct messaging_context *msg_ctx = NULL; - bool ok; - -+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ if (msg_ctx == NULL) { -+ fprintf(stderr, "Unable to initialize " -+ "messaging context\n"); -+ } -+ - ok = lp_load_client(get_dyn_CONFIGFILE()); - if (!ok) { - const char 
*pname = poptGetInvocationName(con); -diff --git a/source3/wscript_build b/source3/wscript_build -index 6fb09f7fbeb..250b7f1ff52 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -273,7 +273,7 @@ bld.SAMBA3_LIBRARY('popt_samba3', - - bld.SAMBA3_LIBRARY('popt_samba3_cmdline', - source='lib/popt_common_cmdline.c', -- deps='popt_samba3 util_cmdline', -+ deps='popt_samba3 util_cmdline cmdline_contexts', - private_library=True) - - bld.SAMBA3_LIBRARY('util_cmdline', --- -2.13.6 - - -From db6cce7786809a96f81c575a3cbbbf87bdec3047 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Tue, 21 Aug 2018 14:58:01 -0700 -Subject: [PATCH 08/22] test:doc: Skip 'clustering=yes' - -As testparm will error out when running clustering=yes as non-root, skip -this step to avoid a test failure. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883) ---- - python/samba/tests/docs.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py -index 0f029ae02d2..620383caebd 100644 ---- a/python/samba/tests/docs.py -+++ b/python/samba/tests/docs.py -@@ -163,7 +163,8 @@ import xml.etree.ElementTree as ET - 'registry shares', - 'smb ports', - 'rpc server dynamic port range', -- 'name resolve order']) -+ 'name resolve order', -+ 'clustering']) - self._test_empty(['bin/testparm']) - - def test_default_s4(self): --- -2.13.6 - - -From 7608714a4a0796c8ef747c0cbce160fc3d0fa325 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 15:38:33 -0700 -Subject: [PATCH 09/22] s3:smbpasswd: Use cmdline_messaging_context - -smbpasswd does not use POPT_CREDENTIALS. Call cmdline_messaging_context -to initialize a messaging_context with proper error checking before -calling lp_load_global. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 29fd2c2e5ad3c2d44f3629c6b7b4139772fe350c) ---- - source3/utils/smbpasswd.c | 17 +++-------------- - source3/utils/wscript_build | 4 +++- - 2 files changed, 6 insertions(+), 15 deletions(-) - -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 04f34aa9b69..8e2b9d7f80f 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -23,6 +23,7 @@ - #include "../lib/util/util_pw.h" - #include "libsmb/proto.h" - #include "passdb.h" -+#include "cmdline_contexts.h" - - /* - * Next two lines needed for SunOS and don't -@@ -196,6 +197,8 @@ static int process_options(int argc, char **argv, int local_flags) - usage(); - } - -+ cmdline_messaging_context(configfile); -+ - if (!lp_load_global(configfile)) { - fprintf(stderr, "Can't load %s - run testparm to debug it\n", - configfile); -@@ -614,7 +617,6 @@ static int process_nonroot(int local_flags) - int main(int argc, char **argv) - { - TALLOC_CTX *frame = talloc_stackframe(); -- struct messaging_context *msg_ctx = NULL; - int local_flags = 0; - int ret; - -@@ -632,19 +634,6 @@ int main(int argc, char **argv) - - setup_logging("smbpasswd", DEBUG_STDERR); - -- msg_ctx = server_messaging_context(); -- if (msg_ctx == NULL) { -- if (geteuid() != 0) { -- DBG_NOTICE("Unable to initialize messaging context. " -- "Must be root to do that.\n"); -- } else { -- fprintf(stderr, -- "smbpasswd is not able to initialize the " -- "messaging context!\n"); -- return 1; -- } -- } -- - /* - * Set the machine NETBIOS name if not already - * set from the config file. 
-diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 67bb87e7a74..06a986cada4 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -37,7 +37,9 @@ bld.SAMBA3_BINARY('smbpasswd', - smbconf - pdb - PASSWD_UTIL -- PASSCHANGE''') -+ PASSCHANGE -+ cmdline_contexts -+ ''') - - bld.SAMBA3_BINARY('pdbedit', - source='pdbedit.c', --- -2.13.6 - - -From 305cf6a251e395c895f04b2590125dec430a08e6 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 15:46:27 -0700 -Subject: [PATCH 10/22] s3:smbstatus: Use cmdline_messaging_context - -Use cmdline_messaging_context to initialize a messaging context instead -of open coding the same steps. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit d7fa3815a83a50fd9e3d78cac0d5ef3eb79235e5) ---- - source3/utils/status.c | 25 +++---------------------- - source3/wscript_build | 1 + - 2 files changed, 4 insertions(+), 22 deletions(-) - -diff --git a/source3/utils/status.c b/source3/utils/status.c -index d04efedee3f..1d68219a5ac 100644 ---- a/source3/utils/status.c -+++ b/source3/utils/status.c -@@ -48,6 +48,7 @@ - #include "serverid.h" - #include "status_profile.h" - #include "smbd/notifyd/notifyd.h" -+#include "cmdline_contexts.h" - - #define SMB_MAXPIDS 2048 - static uid_t Ucrit_uid = 0; /* added by OH */ -@@ -528,7 +529,6 @@ int main(int argc, const char *argv[]) - }; - TALLOC_CTX *frame = talloc_stackframe(); - int ret = 0; -- struct tevent_context *ev; - struct messaging_context *msg_ctx = NULL; - char *db_path; - bool ok; -@@ -607,28 +607,9 @@ int main(int argc, const char *argv[]) - d_printf("using configfile = %s\n", get_dyn_CONFIGFILE()); - } - -- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) { -- fprintf(stderr, "Can't load %s - run testparm to debug it\n", -- get_dyn_CONFIGFILE()); -- ret = -1; -- goto done; -- } -- -- 
-- /* -- * This implicitly initializes the global ctdbd connection, -- * usable by the db_open() calls further down. -- */ -- ev = samba_tevent_context_init(NULL); -- if (ev == NULL) { -- fprintf(stderr, "samba_tevent_context_init failed\n"); -- ret = -1; -- goto done; -- } -- -- msg_ctx = messaging_init(NULL, ev); -+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); - if (msg_ctx == NULL) { -- fprintf(stderr, "messaging_init failed\n"); -+ fprintf(stderr, "Could not initialize messaging, not root?\n"); - ret = -1; - goto done; - } -diff --git a/source3/wscript_build b/source3/wscript_build -index 250b7f1ff52..36cfd5dada7 100644 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1157,6 +1157,7 @@ bld.SAMBA3_BINARY('smbstatus', - talloc - smbconf - popt_samba3 -+ cmdline_contexts - smbd_base - LOCKING - PROFILE --- -2.13.6 - - -From 27e80482d1d37aaacbca7ca6eff6000c78349da7 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 15:54:11 -0700 -Subject: [PATCH 11/22] rpcclient: Use cmdline_messaging_context - -Use cmdline_messaging_context with its error checking instead of open -coding the same steps. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit dd3ae2ffdc66be4707471bfccf27ef446b5599cb) ---- - source3/rpcclient/rpcclient.c | 28 ++-------------------------- - 1 file changed, 2 insertions(+), 26 deletions(-) - -diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c -index f7e196226cf..9f95f1a7a8c 100644 ---- a/source3/rpcclient/rpcclient.c -+++ b/source3/rpcclient/rpcclient.c -@@ -35,6 +35,7 @@ - #include "auth/gensec/gensec.h" - #include "../libcli/smb/smbXcli_base.h" - #include "messages.h" -+#include "cmdline_contexts.h" - - enum pipe_auth_type_spnego { - PIPE_AUTH_TYPE_SPNEGO_NONE = 0, -@@ -950,7 +951,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, - const char *binding_string = NULL; - const char *host; - int signing_state = SMB_SIGNING_IPC_DEFAULT; -- struct tevent_context *ev_ctx = NULL; - - /* make sure the vars that get altered (4th field) are in - a fixed location or certain compilers complain */ -@@ -1016,30 +1016,7 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, - poptFreeContext(pc); - popt_burn_cmdline_password(argc, argv); - -- ev_ctx = samba_tevent_context_init(frame); -- if (ev_ctx == NULL) { -- fprintf(stderr, "Could not init event context\n"); -- result = 1; -- goto done; -- } -- -- nt_status = messaging_init_client(ev_ctx, -- ev_ctx, -- &rpcclient_msg_ctx); -- if (geteuid() != 0 && -- NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { -- /* -- * Normal to fail to initialize messaging context -- * if we're not root as we don't have ability to -- * read lock directory. -- */ -- DBG_NOTICE("Unable to initialize messaging context. 
" -- "Must be root to do that.\n"); -- } else if (!NT_STATUS_IS_OK(nt_status)) { -- fprintf(stderr, "Could not init messaging context\n"); -- result = 1; -- goto done; -- } -+ rpcclient_msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); - - if (!init_names()) { - result = 1; -@@ -1258,7 +1235,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, - popt_free_cmdline_auth_info(); - netlogon_creds_cli_close_global_db(); - TALLOC_FREE(rpcclient_msg_ctx); -- TALLOC_FREE(ev_ctx); - TALLOC_FREE(frame); - return result; - } --- -2.13.6 - - -From eaa0cb2c039c9c8ef838f259efcaffc59033bbbf Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:01:00 -0700 -Subject: [PATCH 12/22] s3:net: Use cmdline_messaging_context - -Use cmdline_messaging_context with its error checking instead of open -coding the same steps. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit f2b659e4f518ccb06f221dd028f99883ca1a1847) ---- - source3/utils/net.c | 29 ++--------------------------- - 1 file changed, 2 insertions(+), 27 deletions(-) - -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 76b8677bf78..759d8cd442b 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -48,6 +48,7 @@ - #include "../libcli/security/security.h" - #include "passdb.h" - #include "messages.h" -+#include "cmdline_contexts.h" - - #ifdef WITH_FAKE_KASERVER - #include "utils/net_afs.h" -@@ -915,9 +916,7 @@ static struct functable net_func[] = { - const char **argv_const = discard_const_p(const char *, argv); - poptContext pc; - TALLOC_CTX *frame = talloc_stackframe(); -- struct tevent_context *ev; - struct net_context *c = talloc_zero(frame, struct net_context); -- NTSTATUS status; - - struct poptOption long_options[] = { - {"help", 'h', POPT_ARG_NONE, 0, 'h'}, -@@ -1031,31 +1030,7 @@ static struct functable net_func[] = { - 
} - } - -- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) { -- d_fprintf(stderr, "Can't load %s - run testparm to debug it\n", -- get_dyn_CONFIGFILE()); -- exit(1); -- } -- -- ev = samba_tevent_context_init(c); -- if (ev == NULL) { -- d_fprintf(stderr, "samba_tevent_context_init failed\n"); -- exit(1); -- } -- status = messaging_init_client(c, ev, &c->msg_ctx); -- if (geteuid() != 0 && -- NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { -- /* -- * Normal to fail to initialize messaging context -- * if we're not root as we don't have ability to -- * read lock directory. -- */ -- DBG_NOTICE("Unable to initialize messaging context. " -- "Must be root to do that.\n"); -- } else if (!NT_STATUS_IS_OK(status)) { -- d_fprintf(stderr, "Failed to init messaging context\n"); -- exit(1); -- } -+ c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); - - if (!lp_load_global(get_dyn_CONFIGFILE())) { - d_fprintf(stderr, "Can't load %s - run testparm to debug it\n", --- -2.13.6 - - -From 8cb95d9ad621db6adf627b439745691c8ff09d66 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme <slow@samba.org> -Date: Tue, 10 Jul 2018 16:29:46 +0200 -Subject: [PATCH 13/22] s3:messaging: remove unused messaging_init_client() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Ralph Boehme <slow@samba.org> -Reviewed-by: Christof Schmitt <cs@samba.org> -(cherry picked from commit f56496b11469f0e9af9ba81cefb796ca1febabb1) ---- - source3/include/messages.h | 3 --- - source3/lib/messages.c | 9 --------- - 2 files changed, 12 deletions(-) - -diff --git a/source3/include/messages.h b/source3/include/messages.h -index 29c394af317..f7b40664b0b 100644 ---- a/source3/include/messages.h -+++ b/source3/include/messages.h -@@ -46,9 +46,6 @@ struct messaging_rec; - - struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, - struct tevent_context *ev); --NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev, -- struct messaging_context **pmsg_ctx); - - 
struct server_id messaging_server_id(const struct messaging_context *msg_ctx); - struct tevent_context *messaging_tevent_context( -diff --git a/source3/lib/messages.c b/source3/lib/messages.c -index dab53f1c48e..90fffa2c872 100644 ---- a/source3/lib/messages.c -+++ b/source3/lib/messages.c -@@ -635,15 +635,6 @@ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, - return ctx; - } - --NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev, -- struct messaging_context **pmsg_ctx) --{ -- return messaging_init_internal(mem_ctx, -- ev, -- pmsg_ctx); --} -- - struct server_id messaging_server_id(const struct messaging_context *msg_ctx) - { - return msg_ctx->id; --- -2.13.6 - - -From 37ad220effcfea97929483e84477fae2e48d0be8 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:08:21 -0700 -Subject: [PATCH 14/22] s3:pdbedit: Use cmdline_messaging_context - -Initialize the messaging context through cmdline_messaging_context to -allow access to config in clustered Samba. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 4661537c201acebee991d219d151cb481f56265c) ---- - source3/utils/pdbedit.c | 3 +++ - source3/utils/wscript_build | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c -index 5c947e2fbde..a2394880c65 100644 ---- a/source3/utils/pdbedit.c -+++ b/source3/utils/pdbedit.c -@@ -25,6 +25,7 @@ - #include "../librpc/gen_ndr/samr.h" - #include "../libcli/security/security.h" - #include "passdb.h" -+#include "cmdline_contexts.h" - - #define BIT_BACKEND 0x00000004 - #define BIT_VERBOSE 0x00000008 -@@ -1121,6 +1122,8 @@ int main(int argc, const char **argv) - if (user_name == NULL) - user_name = poptGetArg(pc); - -+ cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ - if (!lp_load_global(get_dyn_CONFIGFILE())) { - fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE()); - exit(1); -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 06a986cada4..570c4506bee 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -47,6 +47,7 @@ bld.SAMBA3_BINARY('pdbedit', - talloc - smbconf - popt_samba3 -+ cmdline_contexts - pdb - PASSWD_UTIL''') - --- -2.13.6 - - -From 375f013eaeb9d4c2592f68cd10374f61e2d12533 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:11:11 -0700 -Subject: [PATCH 15/22] s3:testparm: Use cmdline_messaging_context - -Call cmdline_messaging_context to initialize a messaging config before -accessing clustered Samba config. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit ea7a4ff7ae5ef2b22fb7ef5640d6b946c064cfc3) ---- - source3/utils/testparm.c | 3 +++ - source3/utils/wscript_build | 4 +++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c -index 8113eea0020..88dfc42d492 100644 ---- a/source3/utils/testparm.c -+++ b/source3/utils/testparm.c -@@ -35,6 +35,7 @@ - #include "system/filesys.h" - #include "popt_common.h" - #include "lib/param/loadparm.h" -+#include "cmdline_contexts.h" - - #include <regex.h> - -@@ -698,6 +699,8 @@ static void do_per_share_checks(int s) - goto done; - } - -+ cmdline_messaging_context(config_file); -+ - fprintf(stderr,"Load smb config files from %s\n",config_file); - - if (!lp_load_with_registry_shares(config_file)) { -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 570c4506bee..ffa0762d828 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -163,7 +163,9 @@ bld.SAMBA3_BINARY('testparm', - deps=''' - talloc - smbconf -- popt_samba3''') -+ popt_samba3 -+ cmdline_contexts -+ ''') - - bld.SAMBA3_BINARY('net', - source='''net.c --- -2.13.6 - - -From 96d91b1d4c60552b1ed7058a4d9ed2b06a929c57 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:15:02 -0700 -Subject: [PATCH 16/22] s3:sharesec: Use cmdline_messaging_context - -Call cmdline_messasging_context to initialize messaging context before -accessing clustered Samba config. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit cab8f27bbc927e48c52bac6350325e8ec38092b2) ---- - source3/utils/sharesec.c | 2 ++ - source3/utils/wscript_build | 4 +++- - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c -index d9f81587f0e..375ae582ae5 100644 ---- a/source3/utils/sharesec.c -+++ b/source3/utils/sharesec.c -@@ -28,6 +28,7 @@ struct cli_state; - #include "../libcli/security/security.h" - #include "passdb/machine_sid.h" - #include "util_sd.h" -+#include "cmdline_contexts.h" - - static TALLOC_CTX *ctx; - -@@ -420,6 +421,7 @@ int main(int argc, const char *argv[]) - - setlinebuf(stdout); - -+ cmdline_messaging_context(get_dyn_CONFIGFILE()); - lp_load_with_registry_shares(get_dyn_CONFIGFILE()); - - /* check for initializing secrets.tdb first */ -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index ffa0762d828..7e586dc268d 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -98,7 +98,9 @@ bld.SAMBA3_BINARY('sharesec', - talloc - msrpc3 - libcli_lsa3 -- popt_samba3''') -+ popt_samba3 -+ cmdline_contexts -+ ''') - - bld.SAMBA3_BINARY('log2pcap', - source='log2pcaphex.c', --- -2.13.6 - - -From 389d7e32dc9f02b037ab9c2d0db1095f88f64145 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:18:20 -0700 -Subject: [PATCH 17/22] s3: ntlm_auth: Use cmdline_messaging_context - -Call cmdline_messaging_context to initialize the messaging context -before accessing clustered Samba config. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 9ed617474f588ceb42c8929ee8a51071a408c219) ---- - source3/utils/ntlm_auth.c | 3 +++ - source3/utils/wscript_build | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 7d27712980b..b8014ec1034 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -47,6 +47,7 @@ - #include "nsswitch/libwbclient/wbclient.h" - #include "lib/param/loadparm.h" - #include "lib/util/base64.h" -+#include "cmdline_contexts.h" - - #if HAVE_KRB5 - #include "auth/kerberos/pac_utils.h" -@@ -2380,6 +2381,8 @@ enum { - - poptFreeContext(pc); - -+ cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ - if (!lp_load_global(get_dyn_CONFIGFILE())) { - d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n", - get_dyn_CONFIGFILE(), strerror(errno)); -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 7e586dc268d..92404a61c2d 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -128,6 +128,7 @@ bld.SAMBA3_BINARY('ntlm_auth', - tiniparser - libsmb - popt_samba3 -+ cmdline_contexts - gse gensec''') - - bld.SAMBA3_BINARY('dbwrap_tool', --- -2.13.6 - - -From 6a08003f378ddc270597465509cf4b34837d8dc8 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Mon, 20 Aug 2018 16:21:51 -0700 -Subject: [PATCH 18/22] s3:eventlogadm: Use cmdline_messaging_context - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 095123df945270bc51635a19125a7abdfcd4ab80) ---- - source3/utils/eventlogadm.c | 4 ++++ - source3/utils/wscript_build | 1 + - 2 files changed, 5 insertions(+) - -diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c 
-index 5ef091a9ae3..db874dfae8a 100644 ---- a/source3/utils/eventlogadm.c -+++ b/source3/utils/eventlogadm.c -@@ -30,6 +30,7 @@ - #include "registry/reg_util_token.h" - #include "registry/reg_backend_db.h" - #include "../libcli/registry/util_reg.h" -+#include "cmdline_contexts.h" - - extern int optind; - extern char *optarg; -@@ -472,6 +473,9 @@ int main( int argc, char *argv[] ) - exit( 1 ); - } - -+ cmdline_messaging_context(configfile == NULL ? -+ get_dyn_CONFIGFILE() : configfile); -+ - if ( configfile == NULL ) { - lp_load_global(get_dyn_CONFIGFILE()); - } else if (!lp_load_global(configfile)) { -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 92404a61c2d..eabebcf3d52 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -89,6 +89,7 @@ bld.SAMBA3_BINARY('eventlogadm', - deps=''' - talloc - smbconf -+ cmdline_contexts - LIBEVENTLOG''', - install_path='${SBINDIR}') - --- -2.13.6 - - -From 6f32f75ad43b4e49de5af794beb134252267b768 Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Tue, 21 Aug 2018 12:34:34 -0700 -Subject: [PATCH 19/22] s3:dbwrap_tool: Use cmdline_messaging_context - -Initialize the messaging context through cmdline_messaging_context to -allow access to config in clustered Samba. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 7eeff96b826711b5a8d44ab24603dafcc0343d84) ---- - source3/utils/dbwrap_tool.c | 3 +++ - source3/utils/wscript_build | 4 +++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c -index 94aacd8ba26..b182e9cbfab 100644 ---- a/source3/utils/dbwrap_tool.c -+++ b/source3/utils/dbwrap_tool.c -@@ -28,6 +28,7 @@ - #include "dbwrap/dbwrap_watch.h" - #include "messages.h" - #include "util_tdb.h" -+#include "cmdline_contexts.h" - - enum dbwrap_op { OP_FETCH, OP_STORE, OP_DELETE, OP_ERASE, OP_LISTKEYS, - OP_EXISTS }; -@@ -428,6 +429,8 @@ int main(int argc, const char **argv) - while (extra_argv[extra_argc]) extra_argc++; - } - -+ cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ - lp_load_global(get_dyn_CONFIGFILE()); - - if ((extra_argc < 2) || (extra_argc > 5)) { -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index eabebcf3d52..11bd2015c3a 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -136,7 +136,9 @@ bld.SAMBA3_BINARY('dbwrap_tool', - source='dbwrap_tool.c', - deps=''' - talloc -- popt_samba3''') -+ popt_samba3 -+ cmdline_contexts -+ ''') - - bld.SAMBA3_BINARY('dbwrap_torture', - source='dbwrap_torture.c', --- -2.13.6 - - -From f23f129047edd4b6fd6163a7795e48be3e59b49c Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Tue, 21 Aug 2018 12:35:11 -0700 -Subject: [PATCH 20/22] s3:smbcontrol: Use cmdline_messaging_context - -Initialize the messaging context through cmdline_messaging_context to -allow access to config in clustered Samba. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit de040eafbd7d729316d757c14c44df163a4b36ad) ---- - source3/utils/smbcontrol.c | 19 +++++++++++-------- - source3/utils/wscript_build | 1 + - 2 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c -index bd89b9ebf0a..ecf27801f8a 100644 ---- a/source3/utils/smbcontrol.c -+++ b/source3/utils/smbcontrol.c -@@ -35,6 +35,7 @@ - #include "util_tdb.h" - #include "../lib/util/pidfile.h" - #include "serverid.h" -+#include "cmdline_contexts.h" - - #if HAVE_LIBUNWIND_H - #include <libunwind.h> -@@ -1609,21 +1610,23 @@ int main(int argc, const char **argv) - if (argc <= 1) - usage(pc); - -+ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ if (msg_ctx == NULL) { -+ fprintf(stderr, -+ "Could not init messaging context, not root?\n"); -+ TALLOC_FREE(frame); -+ exit(1); -+ } -+ -+ evt_ctx = server_event_context(); -+ - lp_load_global(get_dyn_CONFIGFILE()); - - /* Need to invert sense of return code -- samba - * routines mostly return True==1 for success, but - * shell needs 0. 
*/ - -- if (!(evt_ctx = samba_tevent_context_init(NULL)) || -- !(msg_ctx = messaging_init(NULL, evt_ctx))) { -- fprintf(stderr, "could not init messaging context\n"); -- TALLOC_FREE(frame); -- exit(1); -- } -- - ret = !do_command(evt_ctx, msg_ctx, argc, argv); -- TALLOC_FREE(msg_ctx); - TALLOC_FREE(frame); - return ret; - } -diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build -index 11bd2015c3a..6793c6d5c8a 100644 ---- a/source3/utils/wscript_build -+++ b/source3/utils/wscript_build -@@ -18,6 +18,7 @@ bld.SAMBA3_BINARY('smbcontrol', - talloc - smbconf - popt_samba3 -+ cmdline_contexts - PRINTBASE''') - - bld.SAMBA3_BINARY('smbtree', --- -2.13.6 - - -From 4f57a7b28cc1b705f34444f795724e3d3a06d99c Mon Sep 17 00:00:00 2001 -From: Christof Schmitt <cs@samba.org> -Date: Tue, 21 Aug 2018 16:11:02 -0700 -Subject: [PATCH 21/22] s3:smbget: Use cmdline_messaging_context - -Initialize the messaging context through cmdline_messaging_context to -allow access to config in clustered Samba. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Christof Schmitt <cs@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 20ed13923ed3c55e1b293e5440028d29384e9d3a) ---- - source3/utils/smbget.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index 37462fa131f..4653c6894e0 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -20,6 +20,7 @@ - #include "system/filesys.h" - #include "popt_common_cmdline.h" - #include "libsmbclient.h" -+#include "cmdline_contexts.h" - - static int columns = 0; - -@@ -879,6 +880,8 @@ int main(int argc, char **argv) - - popt_burn_cmdline_password(argc, argv); - -+ cmdline_messaging_context(get_dyn_CONFIGFILE()); -+ - if (smbc_init(get_auth_data, opt.debuglevel) < 0) { - fprintf(stderr, "Unable to initialize libsmbclient\n"); - return 1; --- -2.13.6 - - -From 8fb42e4a751af55e6e56cd4e64029228f1cc36c3 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke <vl@samba.org> -Date: Fri, 7 Sep 2018 07:27:46 +0200 -Subject: [PATCH 22/22] examples: Fix the smb2mount build - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 - -Signed-off-by: Volker Lendecke <vl@samba.org> -Reviewed-by: Ralph Boehme <slow@samba.org> -(cherry picked from commit 94852e3544bf2cace3ddba8b9c89d986d77fdab5) ---- - examples/fuse/smb2mount.c | 2 +- - examples/fuse/wscript_build | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c -index 816b0b597ad..ec4be809f6d 100644 ---- a/examples/fuse/smb2mount.c -+++ b/examples/fuse/smb2mount.c -@@ -20,7 +20,7 @@ - - #include "source3/include/includes.h" - #include "popt.h" --#include "popt_common.h" -+#include "popt_common_cmdline.h" - #include "client.h" - #include "libsmb/proto.h" - #include "clifuse.h" -diff --git a/examples/fuse/wscript_build b/examples/fuse/wscript_build -index 9ec5fc0a0f2..31341e4357d 100644 ---- 
a/examples/fuse/wscript_build -+++ b/examples/fuse/wscript_build -@@ -3,5 +3,5 @@ - if bld.env.HAVE_FUSE: - bld.SAMBA_BINARY('smb2mount', - source='smb2mount.c clifuse.c', -- deps='smbconf popt_samba3 libsmb fuse', -+ deps='smbconf popt_samba3_cmdline libsmb fuse', - install=False) --- -2.13.6 - diff --git a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch b/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch deleted file mode 100644 index 3d678a2..0000000 --- a/SOURCES/samba-4.9-fix_winbind_passdb_segfault.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Mon, 29 Oct 2018 19:45:58 +0100 -Subject: [PATCH] s3:winbind: Check return code of initialize_password_db() - -See https://retrace.fedoraproject.org/faf/reports/1577174/ - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Jeremy Allison <jra@samba.org> - -(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac) ---- - source3/winbindd/winbindd.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c -index 254d93b344d..a8ffc31778c 100644 ---- a/source3/winbindd/winbindd.c -+++ b/source3/winbindd/winbindd.c -@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv) - if (!NT_STATUS_IS_OK(status)) { - exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status)); - } -- initialize_password_db(true, server_event_context()); -+ -+ ok = initialize_password_db(true, server_event_context()); -+ if (!ok) { -+ exit_daemon("Failed to initialize passdb backend! " -+ "Check the 'passdb backend' variable in your " -+ "smb.conf file.", EINVAL); -+ } - - /* - * Do not initialize the parent-child-pipe before becoming --- -2.19.1 - 
diff --git a/SOURCES/samba-4.9-harden_homes_share.patch b/SOURCES/samba-4.9-harden_homes_share.patch deleted file mode 100644 index 60ca5c6..0000000 --- a/SOURCES/samba-4.9-harden_homes_share.patch +++ /dev/null 
@@ -1,402 +0,0 @@ -From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Thu, 15 Nov 2018 16:06:49 +0100 -Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Ralph Böhme <slow@samba.org> -Reviewed-by: Jeremy Allison <jra@samba.org> -(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0) ---- - selftest/target/Samba3.pm | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 438cb3409bb..373f8152ca3 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$) - my ($gid_force_user); - my ($uid_user1); - my ($uid_user2); -+ my ($uid_gooduser); -+ my ($uid_eviluser); - -- if ($unix_uid < 0xffff - 10) { -+ if ($unix_uid < 0xffff - 12) { - $max_uid = 0xffff; - } else { - $max_uid = $unix_uid; -@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$) - $uid_smbget = $max_uid - 8; - $uid_user1 = $max_uid - 9; - $uid_user2 = $max_uid - 10; -+ $uid_gooduser = $max_uid - 11; -+ $uid_eviluser = $max_uid - 12; - - if ($unix_gids[0] < 0xffff - 8) { - $max_gid = 0xffff; -@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f - smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false - user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false - user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false -+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false -+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false - "; - if ($unix_uid != 0) { - print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false -@@ 
-2324,6 +2330,8 @@ force_user:x:$gid_force_user: - createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user"); - createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1"); - createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); -+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); -+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); - - open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); - print DNS_UPDATE_LIST "A $server. $server_ip\n"; --- -2.19.2 - - -From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Fri, 16 Nov 2018 15:40:59 +0100 -Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes' - share -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This adds a test for CVE-2009-2813. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Ralph Böhme <slow@samba.org> -(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6) ---- - selftest/target/Samba3.pm | 4 ++ - source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++ - source3/selftest/tests.py | 1 + - 3 files changed, 104 insertions(+) - create mode 100755 source3/script/tests/test_homes.sh - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 373f8152ca3..2031003210c 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -921,6 +921,10 @@ sub setup_fileserver - comment = inherit only unix owner - inherit owner = unix only - acl_xattr:ignore system acls = yes -+[homes] -+ comment = Home directories -+ browseable = No -+ read only = No - "; - - my $vars = $self->provision($path, "WORKGROUP", -diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh -new file mode 100755 -index 00000000000..06de0a0c301 ---- /dev/null -+++ b/source3/script/tests/test_homes.sh -@@ -0,0 +1,99 @@ -+#!/bin/sh -+ -+# Copyright (c) Andreas Schneider <asn@samba.org> -+# License: GPLv3 -+ -+if [ $# -lt 7 ]; then -+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION" -+ exit 1 -+fi -+ -+SERVER="${1}" -+USERNAME="${2}" -+PASSWORD="${3}" -+LOCAL_PATH="${4}" -+PREFIX="${5}" -+SMBCLIENT="${6}" -+CONFIGURATION="${7}" -+shift 7 -+ -+incdir=`dirname $0`/../../../testprogs/blackbox -+. $incdir/subunit.sh -+ -+failed=0 -+ -+test_gooduser_home() -+{ -+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands -+ cat > $tmpfile <<EOF -+ls -+quit -+EOF -+ -+ USERNAME=gooduser -+ -+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' -+ eval echo "$cmd" -+ out=$(eval $cmd) -+ ret=$? 
-+ rm -f $tmpfile -+ -+ if [ $ret -ne 0 ] ; then -+ echo "$out" -+ echo "failed to connect error $ret" -+ return 1 -+ fi -+ -+ echo "$out" | grep 'Try "help" to get a list of possible commands.' -+ ret=$? -+ if [ $ret -ne 0 ] ; then -+ echo "$out" -+ echo 'failed - should get: Try "help" to get a list of possible commands.' -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+test_eviluser_home() -+{ -+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands -+ cat > $tmpfile <<EOF -+ls -+quit -+EOF -+ -+ USERNAME=eviluser -+ -+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' -+ eval echo "$cmd" -+ out=$(eval $cmd) -+ ret=$? -+ rm -f $tmpfile -+ -+ if [ $ret -ne 1 ] ; then -+ echo "$out" -+ echo "The server should reject connecting ret=$ret" -+ return 1 -+ fi -+ -+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME' -+ ret=$? -+ if [ $ret -ne 0 ] ; then -+ echo "$out" -+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.' -+ return 1 -+ fi -+ -+ return 0 -+} -+ -+testit "test gooduser home" \ -+ test_gooduser_home || \ -+ failed=`expr $failed + 1` -+ -+testit "test eviluser home reject" \ -+ test_eviluser_home || \ -+ failed=`expr $failed + 1` -+ -+testok $0 $failed -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 09cd5159a0d..4aef7a4d596 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -290,6 +290,7 @@ for env in ["fileserver"]: - plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1']) - plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3']) - plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', 
'$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp']) -+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration]) - - # - # tar command tests --- -2.19.2 - - -From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Thu, 22 Nov 2018 18:23:24 +0100 -Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home - dir -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If "/" (root) is returned as the home directory, prevent exporting it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Ralph Böhme <slow@samba.org> -(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af) ---- - source3/param/service.c | 6 +++++- - source3/smbd/password.c | 7 +++++++ - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/source3/param/service.c b/source3/param/service.c -index b21be6093d4..22f46f08894 100644 ---- a/source3/param/service.c -+++ b/source3/param/service.c -@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out) - DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out, - phome_dir?phome_dir:"(NULL)")); - -- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir); -+ if (!strequal(phome_dir, "/")) { -+ iService = add_home_service(*p_service_out, -+ *p_service_out, /* username */ -+ phome_dir); -+ } - } - - /* If we still don't have a service, attempt to add it as a printer. 
*/ -diff --git a/source3/smbd/password.c b/source3/smbd/password.c -index f472bda2c70..0576d2563eb 100644 ---- a/source3/smbd/password.c -+++ b/source3/smbd/password.c -@@ -129,6 +129,13 @@ int register_homes_share(const char *username) - return -1; - } - -+ if (strequal(pwd->pw_dir, "/")) { -+ DBG_NOTICE("Invalid home directory defined for user '%s'\n", -+ username); -+ TALLOC_FREE(pwd); -+ return -1; -+ } -+ - DEBUG(3, ("Adding homes service for user '%s' using home directory: " - "'%s'\n", username, pwd->pw_dir)); - --- -2.19.2 - - -From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider <asn@samba.org> -Date: Mon, 3 Dec 2018 11:05:46 +0100 -Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed - as home dir -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 - -Signed-off-by: Andreas Schneider <asn@samba.org> -Reviewed-by: Ralph Böhme <slow@samba.org> -Reviewed-by: Jeremy Allison <jra@samba.org> - -Autobuild-User(master): Jeremy Allison <jra@samba.org> -Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144 - -(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87) ---- - selftest/target/Samba3.pm | 6 ++++- - source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++ - 2 files changed, 42 insertions(+), 1 deletion(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 2031003210c..583396b3818 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$) - my ($uid_user2); - my ($uid_gooduser); - my ($uid_eviluser); -+ my ($uid_slashuser); - -- if ($unix_uid < 0xffff - 12) { -+ if ($unix_uid < 0xffff - 13) { - $max_uid = 0xffff; - } else { - $max_uid = $unix_uid; -@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$) - $uid_user2 = $max_uid - 10; - $uid_gooduser = $max_uid - 11; - 
$uid_eviluser = $max_uid - 12; -+ $uid_slashuser = $max_uid - 13; - - if ($unix_gids[0] < 0xffff - 8) { - $max_gid = 0xffff; -@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false - user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false - gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false - eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false -+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false - "; - if ($unix_uid != 0) { - print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false -@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user: - createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); - createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); - createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); -+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); - - open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); - print DNS_UPDATE_LIST "A $server. $server_ip\n"; -diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh -index 06de0a0c301..90e84550dbc 100755 ---- a/source3/script/tests/test_homes.sh -+++ b/source3/script/tests/test_homes.sh -@@ -88,6 +88,39 @@ EOF - return 0 - } - -+test_slashuser_home() -+{ -+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands -+ cat > $tmpfile <<EOF -+ls -+quit -+EOF -+ -+ USERNAME=slashuser -+ -+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1' -+ eval echo "$cmd" -+ out=$(eval $cmd) -+ ret=$? 
-+ rm -f $tmpfile -+ -+ if [ $ret -ne 1 ] ; then -+ echo "$out" -+ echo "The server should reject connecting ret=$ret" -+ return 1 -+ fi -+ -+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME' -+ ret=$? -+ if [ $ret -ne 0 ] ; then -+ echo "$out" -+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.' -+ return 1 -+ fi -+ -+ return 0 -+} -+ - testit "test gooduser home" \ - test_gooduser_home || \ - failed=`expr $failed + 1` -@@ -96,4 +129,8 @@ testit "test eviluser home reject" \ - test_eviluser_home || \ - failed=`expr $failed + 1` - -+testit "test slashuser home reject" \ -+ test_slashuser_home || \ -+ failed=`expr $failed + 1` -+ - testok $0 $failed --- -2.19.2 diff --git a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch b/SOURCES/samba-4.9-net_ads_join_createcomputer.patch deleted file mode 100644 index c196b55..0000000 --- a/SOURCES/samba-4.9-net_ads_join_createcomputer.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From ad4ef1657e9b2a088a3bfadcce196cfcceead1dc Mon Sep 17 00:00:00 2001 -From: Evgeny Sinelnikov <sin@altlinux.org> -Date: Wed, 31 Jul 2019 23:17:20 +0400 -Subject: [PATCH] s3:ldap: Fix join with don't exists machine account -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add check for requested replies of existing machine object during join -machine to domain. This solves regression fail during join with error: -"None of the information to be translated has been translated." - -https://bugzilla.samba.org/show_bug.cgi?id=14007 - -Reviewed-by: Guenther Deschner <gd@samba.org> -Reviewed-by: Alexander Bokovoy <ab@samba.org> -Reviewed-by: Stefan Metzmacher <metze@samba.org> - -Autobuild-User(master): Günther Deschner <gd@samba.org> -Autobuild-Date(master): Wed Sep 4 17:02:37 UTC 2019 on sn-devel-184 ---- - source3/libads/ldap.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c -index 4f3d43b02b1..2110390b65f 100644 ---- a/source3/libads/ldap.c -+++ b/source3/libads/ldap.c -@@ -2121,13 +2121,14 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, - } - - ret = ads_find_machine_acct(ads, &res, machine_escaped); -- ads_msgfree(ads, res); -- if (ADS_ERR_OK(ret)) { -+ if (ADS_ERR_OK(ret) && ads_count_replies(ads, res) == 1) { - DBG_DEBUG("Host account for %s already exists.\n", - machine_escaped); - ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); -+ ads_msgfree(ads, res); - goto done; - } -+ ads_msgfree(ads, res); - - new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); - samAccountName = talloc_asprintf(ctx, "%s$", machine_name); --- -2.21.0 - diff --git a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch b/SOURCES/samba-4.9-net_ads_leave_keep_account.patch deleted file mode 100644 index 4590081..0000000 --- a/SOURCES/samba-4.9-net_ads_leave_keep_account.patch +++ /dev/null 
@@ -1,119 +0,0 @@ -From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson <jstephen@redhat.com> -Date: Wed, 27 Jun 2018 11:32:31 -0400 -Subject: [PATCH] s3:libads: Add net ads leave keep-account option - -Add the ability to leave the domain with --keep-account argument to avoid -removal of the host machine account. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498 - -Signed-off-by: Justin Stephenson <jstephen@redhat.com> -Reviewed-by: Andrew Bartlett <abartlet@samba.org> -Reviewed-by: Alexander Bokovoy <ab@samba.org> -(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694) ---- - docs-xml/manpages/net.8.xml | 9 ++++++++- - source3/libnet/libnet_join.c | 2 ++ - source3/utils/net.c | 3 ++- - source3/utils/net.h | 1 + - source3/utils/net_ads.c | 9 +++++++-- - 5 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml -index 3154ee5ff85..d2bcd24c502 100644 ---- a/docs-xml/manpages/net.8.xml -+++ b/docs-xml/manpages/net.8.xml -@@ -377,6 +377,13 @@ - </para></listitem> - </varlistentry> - -+ <varlistentry> -+ <term>--keep-account</term> -+ <listitem><para>Prevent the machine account removal as -+ part of "net ads leave". -+ </para></listitem> -+ </varlistentry> -+ - &stdarg.encrypt; - &popt.common.samba.client; - -@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller. - </refsect2> - - <refsect2> --<title>ADS LEAVE -+ADS LEAVE [--keep-account] - - Make the remote host leave the domain it is part of. 
- -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a9405e8d288..27fc5135442 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, - return ntstatus_to_werror(status); - } - -+ r->out.dns_domain_name = talloc_strdup(mem_ctx, -+ r->in.domain_name); - r->out.disabled_machine_account = true; - } - -diff --git a/source3/utils/net.c b/source3/utils/net.c -index 759d8cd442b..b3bd4b67118 100644 ---- a/source3/utils/net.c -+++ b/source3/utils/net.c -@@ -970,8 +970,9 @@ static struct functable net_func[] = { - {"wipe", 0, POPT_ARG_NONE, &c->opt_wipe}, - /* Options for 'net registry import' */ - {"precheck", 0, POPT_ARG_STRING, &c->opt_precheck}, -- /* Options for 'net ads join' */ -+ /* Options for 'net ads join or leave' */ - {"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates}, -+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account}, - POPT_COMMON_SAMBA - { 0, 0, 0, 0} - }; -diff --git a/source3/utils/net.h b/source3/utils/net.h -index d6dfeb6208f..5e70fd3aafa 100644 ---- a/source3/utils/net.h -+++ b/source3/utils/net.h -@@ -85,6 +85,7 @@ struct net_context { - int opt_wipe; - const char *opt_precheck; - int opt_no_dns_updates; -+ int opt_keep_account; - - int opt_have_ip; - struct sockaddr_storage opt_dest_ip; -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index ffa67d8f525..afe47dad839 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) - - if (c->display_usage) { - d_printf( "%s\n" -- "net ads leave\n" -+ "net ads leave [--keep-account]\n" - " %s\n", - _("Usage:"), - _("Leave an AD domain")); -@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) - WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */ - r->in.unjoin_flags = 
WKSSVC_JOIN_FLAGS_JOIN_TYPE | - WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE; -- r->in.delete_machine_account = true; -+ if (c->opt_keep_account) { -+ r->in.delete_machine_account = false; -+ } else { -+ r->in.delete_machine_account = true; -+ } -+ - r->in.msg_ctx = c->msg_ctx; - - werr = libnet_Unjoin(ctx, r); --- -2.17.1 - diff --git a/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch new file mode 100644 index 0000000..5bf463b --- /dev/null +++ b/SOURCES/samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch 
@@ -0,0 +1,75 @@ +From 54db478fccac0ac3b0cc63f5eacfeae23bc26d4a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 7 Jan 2020 19:25:53 +0200 +Subject: [PATCH 1/2] s3-rpcserver: fix security level check for + DsRGetForestTrustInformation + +Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which +didn't change since DCE RPC channel refactoring. + +With the current code we return RPC faul as can be seen in the logs: + +2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug) + netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation + in: struct netr_DsRGetForestTrustInformation + server_name : * + server_name : '\\some-dc.example.com' + trusted_domain_name : NULL + flags : 0x00000000 (0) +[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP) + api_rpcTNP: fault(5) return. 
+ +This is due to this check in processing a request: + if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) + && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return WERR_ACCESS_DENIED; + } + +and since we get AuthZ response, + + Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC] + Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445] +[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json) + JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000", + "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, + "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017", + "serviceDescription": "netlogon", "authType": "ncacn_np", + "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500", + "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC", + "transportProtection": "SMB", "accountFlags": "0x00000010"}} + +this means we are actually getting anonymous DCE/RPC access to netlogon +on top of authenticated SMB connection. In such case we have exactly +auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to +DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error. + +Update the code to follow the same security level check as in s4 variant +of the call. 
+ +Signed-off-by: Alexander Bokovoy +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index cbbf9feedc7..52b17c10e61 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2451,10 +2451,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, + { + NTSTATUS status; + struct lsa_ForestTrustInformation *info, **info_ptr; ++ enum security_user_level security_level; + +- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) +- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { +- p->fault_state = DCERPC_FAULT_ACCESS_DENIED; ++ security_level = security_session_user_level(p->session_info, NULL); ++ if (security_level < SECURITY_USER) { + return WERR_ACCESS_DENIED; + } + +-- +2.24.1 + diff --git a/SOURCES/samba-4.9-static_analysis_fixes.patch b/SOURCES/samba-4.9-static_analysis_fixes.patch deleted file mode 100644 index 06b10cf..0000000 --- a/SOURCES/samba-4.9-static_analysis_fixes.patch +++ /dev/null 
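Review bot: The new guard `if (security_level < SECURITY_USER)` returns WERR_ACCESS_DENIED without the `p->fault_state = DCERPC_FAULT_ACCESS_DENIED;` assignment the removed branch set, so a rejected caller now receives an access-denied result in the reply rather than the DCE/RPC fault(5) the commit message quotes from the logs; that is presumably the intended alignment with source4, but it is a wire-visible change that deserves a comment above the check such as `/* Same check as the s4 server: reject with a WERR result, not a DCE/RPC fault. */`. The authorization basis also moves from the DCE/RPC bind (auth_type/auth_level) to the session user's level, which, as the message says, accepts an unauthenticated RPC bind on top of an authenticated SMB session, so a one-line note on why the transport identity is sufficient here would help the next reader. The header labels this as [PATCH 1/2] while only one patch is carried in the file, so whether 2/2 is required is not visible here. `_netr_DsRGetForestTrustInformation` continues outside the hunk.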
@@ -1,179 +0,0 @@
-From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 12 Nov 2018 10:09:23 +0100
-Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
-
-This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
----
- source3/rpcclient/cmd_netlogon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
-index 8d62ef7e095..631740562c6 100644
---- a/source3/rpcclient/cmd_netlogon.c
-+++ b/source3/rpcclient/cmd_netlogon.c
-@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
- WERROR werr = WERR_OK;
- uint32_t flags = DS_RETURN_DNS_NAME;
- const char *server_name = cli->desthost;
-- const char *domain_name;
-+ const char *domain_name = NULL;
- struct GUID domain_guid = GUID_zero();
- struct GUID site_guid = GUID_zero();
- struct netr_DsRGetDCNameInfo *info = NULL;
---
-2.19.2
-
-
-From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 12 Nov 2018 10:13:51 +0100
-Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
----
- librpc/ndr/ndr_backupkey.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
-index 827bc694230..adb6e393287 100644
---- a/librpc/ndr/ndr_backupkey.c
-+++ b/librpc/ndr/ndr_backupkey.c
-@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
- ndr->flags |= LIBNDR_PRINT_SET_VALUES;
- }
- if (flags & NDR_IN) {
-- union bkrp_data_in_blob inblob;
-+ union bkrp_data_in_blob inblob = {
-+ .empty._empty_ = '\0',
-+ };
- DATA_BLOB blob;
- uint32_t level;
- enum ndr_err_code ndr_err;
---
-2.19.2
-
-
-From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 12 Nov 2018 10:16:06 +0100
-Subject: [PATCH 3/5] libgpo: Make sure status is intialized
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
----
- libgpo/gpo_ldap.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
-index fec00053b49..f087203f28a 100644
---- a/libgpo/gpo_ldap.c
-+++ b/libgpo/gpo_ldap.c
-@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
- const char *guid_name,
- struct GROUP_POLICY_OBJECT *gpo)
- {
-- ADS_STATUS status;
-+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
- LDAPMessage *res = NULL;
- char *dn;
- const char *filter;
---
-2.19.2
-
-
-From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 12 Nov 2018 10:17:37 +0100
-Subject: [PATCH 4/5] lib:util Always initialize start and space
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
----
- lib/util/talloc_report.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
-index 63213a014b6..bed0fd91e43 100644
---- a/lib/util/talloc_report.c
-+++ b/lib/util/talloc_report.c
-@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
- const char *fmt, va_list ap)
- {
- ssize_t str_len = *pstr_len;
-- size_t buflen, needed, space;
-- char *start, *tmpbuf;
-+ size_t buflen, needed, space = 0;
-+ char *start = NULL, *tmpbuf = NULL;
- va_list ap2;
- int printlen;
-
-@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
- if (buflen > str_len) {
- start = buf + str_len;
- space = buflen - str_len;
-- } else {
-- start = NULL;
-- space = 0;
- }
-
- va_copy(ap2, ap);
---
-2.19.2
-
-
-From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 12 Nov 2018 10:21:15 +0100
-Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
-
-Found by cppcheck.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
----
- ctdb/common/logging.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
-index dc8c4f75058..55e5d541735 100644
---- a/ctdb/common/logging.c
-+++ b/ctdb/common/logging.c
-@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
- {
- int i;
-
-- for (i=0; ARRAY_SIZE(log_string_map); i++) {
-+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
- if (log_string_map[i].log_level == log_level) {
- return log_string_map[i].log_string;
- }
---
-2.19.2
diff --git a/SOURCES/samba-4.9.0rc5-stack-protector.patch b/SOURCES/samba-4.9.0rc5-stack-protector.patch
deleted file mode 100644
index 51bc83a..0000000
--- a/SOURCES/samba-4.9.0rc5-stack-protector.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 3 Sep 2018 10:35:08 +0200
-Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
-
-The -fstack-protector* flags are compiler only flags, don't pass them to
-the linker.
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
----
- buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index c4391d0c4dc..bfd6f9710db 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
- return
-
- # we need to build real code that can't be optimized away to test
-- if conf.check(fragment='''
-- #include
--
-- int main(void)
-- {
-- char t[100000];
-- while (fgets(t, sizeof(t), stdin));
-- return 0;
-- }
-- ''',
-- execute=0,
-- ccflags='-fstack-protector',
-- ldflags='-fstack-protector',
-- mandatory=False,
-- msg='Checking if toolchain accepts -fstack-protector'):
-- conf.ADD_CFLAGS('-fstack-protector')
-- conf.ADD_LDFLAGS('-fstack-protector')
-+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
-+ for stack_protect_flag in stack_protect_list:
-+ flag_supported = conf.check(fragment='''
-+ #include
-+
-+ int main(void)
-+ {
-+ char t[100000];
-+ while (fgets(t, sizeof(t), stdin));
-+ return 0;
-+ }
-+ ''',
-+ execute=0,
-+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
-+ mandatory=False,
-+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
-+ if flag_supported:
-+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' %
(stack_protect_flag))
-+ break
-
- if Options.options.debug:
- conf.ADD_CFLAGS('-g', testflags=True)
---
-2.18.0
-
-
-From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Mon, 3 Sep 2018 10:49:52 +0200
-Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
-
-https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Andrew Bartlett
-(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
----
- buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
-index bfd6f9710db..f2b3ec8db8d 100644
---- a/buildtools/wafsamba/samba_autoconf.py
-+++ b/buildtools/wafsamba/samba_autoconf.py
-@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
- conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
- break
-
-+ flag_supported = conf.check(fragment='''
-+ #include
-+
-+ int main(void)
-+ {
-+ char t[100000];
-+ while (fgets(t, sizeof(t), stdin));
-+ return 0;
-+ }
-+ ''',
-+ execute=0,
-+ ccflags=[ '-Werror', '-fstack-clash-protection'],
-+ mandatory=False,
-+ msg='Checking if compiler accepts -fstack-clash-protection')
-+ if flag_supported:
-+ conf.ADD_CFLAGS('-fstack-clash-protection')
-+
- if Options.options.debug:
- conf.ADD_CFLAGS('-g', testflags=True)
-
---
-2.18.0
-
diff --git a/SOURCES/samba-4.9.1.tar.asc b/SOURCES/samba-4.9.1.tar.asc
deleted file mode 100644
index 3a95975..0000000
--- a/SOURCES/samba-4.9.1.tar.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
-Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
-=2NTz
------END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 0543006..90d65b7 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -8,11 +8,11 @@
 %define main_release 10
-%define samba_version 4.9.1
-%define talloc_version 2.1.14
-%define tdb_version 1.3.16
-%define tevent_version 0.9.37
-%define ldb_version 1.4.2
+%define samba_version 4.10.4
+%define talloc_version 2.1.16
+%define tdb_version 1.3.18
+%define tevent_version 0.9.39
+%define ldb_version 1.5.4
 # This should be rc1 or nil
 %define pre_release %nil
@@ -63,7 +63,7 @@
 %global with_intel_aes_accel 1
 %endif
-%global libwbc_alternatives_version 0.14
+%global libwbc_alternatives_version 0.15
 %global libwbc_alternatives_suffix %nil
 %if 0%{?__isa_bits} == 64
 %global libwbc_alternatives_suffix -64
@@ -127,29 +127,17 @@ Source14: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
-Patch0: samba-4.9.0rc5-stack-protector.patch
-Patch1: samba-4.9-harden_homes_share.patch
-Patch2: samba-4.9-static_analysis_fixes.patch
-Patch3: samba-4.9-fix_debug_segfault.patch
-Patch4: samba-4.9-fix_winbind_passdb_segfault.patch
-Patch5: samba-4.9-fix_testparm_crash.patch
-Patch6: samba-4.9-disable_netbios.patch
-Patch7: samba-4.9-net_ads_leave_keep_account.patch
-Patch8: samba-4.9-fix_force_group_panic.patch
-Patch9: samba-4.10-fix_gencache_debug_message.patch
-Patch10: samba-4.9-fix_net_ads_krb5.patch
-Patch11: samba-4.9-add_smbc_setOptionProtocols.patch
-Patch12: samba-4.9-fix_smbspool_as_cups_backend.patch
-Patch13: samba-4.9-doc_smbclient_max_protocol.patch
-Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
-Patch15: samba-4.9-CVE-2019-3880.patch
-Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
-Patch17: samba-4.9-fix_cups_printing.patch
-Patch18: samba-4.9-net_ads_join_createcomputer.patch
-Patch19: samba-4.10-fix_smbspool_username_passwd.patch
-Patch20: samba-4.9-fix_builtin_groups_creation.patch
-Patch21: samba-4.10-fix_winbind_trustdom_enum.patch
-Patch22: samba-4.10-fix_spnego_downgrade.patch
+Patch0: samba-4.10-fix_smbspool.patch
+Patch1: samba-4.10.6-fix_idmap_tdb2.patch
+Patch2: samba-4.10-net_ads_join_createcomputer.patch
+Patch3: CVE-2019-10197-v4-10-metze03.patches.txt
+Patch4: samba-4.10-fix_smbspool_username_password.patch
+Patch5: samba-4.10-fix_winbind_trustdom_enum.patch
+Patch6: samba-4.10-fix-spnego-downgrade.patch
+Patch7: samba-4.10-fix_net_ads_join_hardened_env.patch
+Patch8: samba-4.10-fix-netbios-join.patch
+Patch9: CVE-2019-10218-4.11.patch
+Patch10: samba-4.9-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
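Review bot: The rebuilt patch list mixes naming conventions in a way that hides what each file targets: `Patch3` points at `CVE-2019-10197-v4-10-metze03.patches.txt` (a `.txt` where every other entry is a `.patch`), `Patch9` at `CVE-2019-10218-4.11.patch`, whose suffix suggests it was produced against the 4.11 branch, and `Patch10` at a `samba-4.9-` prefixed file although the package is now 4.10.4. Renaming them to the `samba-4.10-<topic>.patch` form the other entries use would make the series self-describing and keep the two CVE fixes easy to find in a later rebase. Please also confirm that Patch9 is the 4.10 backport of the CVE-2019-10218 fix; the `%prep` section that applies the series is outside this hunk, so the review cannot see whether it applies cleanly.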
@@ -223,6 +211,8 @@ BuildRequires: python2-markdown
 BuildRequires: quota-devel
 BuildRequires: readline-devel
 BuildRequires: sed
+BuildRequires: libtasn1-devel
+BuildRequires: libtasn1-tools
 BuildRequires: xfsprogs-devel
 BuildRequires: xz
 BuildRequires: zlib-devel >= 1.2.3
@@ -240,6 +230,8 @@ BuildRequires: libcephfs-devel
 BuildRequires: gnutls-devel >= 3.4.7
 # Required by samba-tool to run tests
 BuildRequires: python2-crypto
+%else
+BuildRequires: gnutls-devel >= 3.2.0
 %endif
 # pidl requirements
@@ -814,6 +806,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %global _samba_private_libraries %{_libsmbclient}%{_libwbclient}
+export PYTHON=/usr/bin/python2
 %configure \
 --enable-fhs \
 --with-piddir=/run \
@@ -865,7 +858,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 make %{?_smp_mflags}
 %install
-rm -rf %{buildroot}
+PYTHON=/usr/bin/python2 \
 make %{?_smp_mflags} install DESTDIR=%{buildroot}
 export PYTHON=%{__python2}
@@ -1061,7 +1054,7 @@ find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete
 %if %{with testsuite}
 %check
-TDB_NO_FSYNC=1 make %{?_smp_mflags} test
+PYTHON=/usr/bin/python2 TDB_NO_FSYNC=1 make %{?_smp_mflags} test
 %endif
 %post
@@ -1239,7 +1232,7 @@ rm -rf %{buildroot}
 %files
 %defattr(-,root,root,-)
 %license COPYING
-%doc README WHATSNEW.txt
+%doc README.md WHATSNEW.txt
 %doc examples/autofs examples/LDAP examples/misc
 %doc examples/printer-accounting examples/printing
 %doc packaging/README.downgrade
@@ -1276,6 +1269,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/fileid.so
 %{_libdir}/samba/vfs/fruit.so
 %{_libdir}/samba/vfs/full_audit.so
+%{_libdir}/samba/vfs/glusterfs_fuse.so
 %{_libdir}/samba/vfs/linux_xfs_sgid.so
 %{_libdir}/samba/vfs/media_harmony.so
 %{_libdir}/samba/vfs/netatalk.so
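Review bot: The three new `PYTHON=/usr/bin/python2` settings (before `%configure` in the hunk at 806, in the `%install` hunk at 858 and in the `%check` hunk at 1054) hard-code the interpreter path while the spec already resolves it through a macro, as the retained `export PYTHON=%{__python2}` line in the `%install` hunk shows. Writing `export PYTHON=%{__python2}` in each of the three sections would keep configure, install and test on the same interpreter and follow a macro change automatically; each section runs in its own shell, so one export before `%configure` would not cover the other two. As a smaller point of style, the two `libtasn1` BuildRequires in the hunk at 211 are inserted between `sed` and `xfsprogs-devel`, breaking the alphabetical order of that list; they belong earlier, ahead of `python2-markdown`.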
@@ -1313,7 +1307,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_aio_pthread.8*
 %{_mandir}/man8/vfs_audit.8*
 %{_mandir}/man8/vfs_btrfs.8*
-%{_mandir}/man8/vfs_cacheprime.8*
 %{_mandir}/man8/vfs_cap.8*
 %{_mandir}/man8/vfs_catia.8*
 %{_mandir}/man8/vfs_commit.8*
@@ -1325,13 +1318,11 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_fileid.8*
 %{_mandir}/man8/vfs_fruit.8*
 %{_mandir}/man8/vfs_full_audit.8*
-%{_mandir}/man8/vfs_gpfs.8*
+%{_mandir}/man8/vfs_glusterfs_fuse.8*
 %{_mandir}/man8/vfs_linux_xfs_sgid.8*
 %{_mandir}/man8/vfs_media_harmony.8*
 %{_mandir}/man8/vfs_netatalk.8*
-%{_mandir}/man8/vfs_nfs4acl_xattr.8*
 %{_mandir}/man8/vfs_offline.8*
-%{_mandir}/man8/vfs_prealloc.8*
 %{_mandir}/man8/vfs_preopen.8*
 %{_mandir}/man8/vfs_readahead.8*
 %{_mandir}/man8/vfs_readonly.8*
@@ -1344,7 +1335,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_streams_xattr.8*
 %{_mandir}/man8/vfs_syncops.8*
 %{_mandir}/man8/vfs_time_audit.8*
-%{_mandir}/man8/vfs_tsmsm.8*
 %{_mandir}/man8/vfs_unityed_media.8*
 %{_mandir}/man8/vfs_virusfilter.8*
 %{_mandir}/man8/vfs_worm.8*
@@ -1354,10 +1344,6 @@ rm -rf %{buildroot}
 %exclude %{_mandir}/man8/vfs_glusterfs.8*
 %endif
-%if ! %{with_vfs_cephfs}
-%exclude %{_mandir}/man8/vfs_ceph.8*
-%endif
-
 %attr(775,root,printadmin) %dir /var/lib/samba/drivers
 ### CLIENT
@@ -1430,8 +1416,11 @@ rm -rf %{buildroot}
 %{_bindir}/ldbrename
 %{_bindir}/ldbsearch
 %{_libdir}/samba/libldb-cmdline-samba4.so
+%{_libdir}/samba/libldb-key-value-samba4.so
+%{_libdir}/samba/libldb-tdb-err-map-samba4.so
+%{_libdir}/samba/libldb-tdb-int-samba4.so
 %{_libdir}/samba/ldb/asq.so
-%{_libdir}/samba/ldb/paged_results.so
+%{_libdir}/samba/ldb/ldb.so
 %{_libdir}/samba/ldb/paged_searches.so
 %{_libdir}/samba/ldb/rdn_name.so
 %{_libdir}/samba/ldb/sample.so
@@ -1481,6 +1470,8 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libcli-smb-common-samba4.so
 %{_libdir}/samba/libcli-spoolss-samba4.so
 %{_libdir}/samba/libcliauth-samba4.so
+%{_libdir}/samba/libclidns-samba4.so
+%{_libdir}/samba/libcmdline-contexts-samba4.so
 %{_libdir}/samba/libcmdline-credentials-samba4.so
 %{_libdir}/samba/libcommon-auth-samba4.so
 %{_libdir}/samba/libctdb-event-client-samba4.so
@@ -1827,16 +1818,14 @@ rm -rf %{buildroot}
 %{_includedir}/samba-4.0/util/byteorder.h
 %{_includedir}/samba-4.0/util/data_blob.h
 %{_includedir}/samba-4.0/util/debug.h
+%{_includedir}/samba-4.0/util/discard.h
 %{_includedir}/samba-4.0/util/fault.h
 %{_includedir}/samba-4.0/util/genrand.h
 %{_includedir}/samba-4.0/util/idtree.h
 %{_includedir}/samba-4.0/util/idtree_random.h
-%{_includedir}/samba-4.0/util/memory.h
-%{_includedir}/samba-4.0/util/safe_string.h
 %{_includedir}/samba-4.0/util/signal.h
 %{_includedir}/samba-4.0/util/string_wrappers.h
 %{_includedir}/samba-4.0/util/substitute.h
-%{_includedir}/samba-4.0/util/talloc_stack.h
 %{_includedir}/samba-4.0/util/tevent_ntstatus.h
 %{_includedir}/samba-4.0/util/tevent_unix.h
 %{_includedir}/samba-4.0/util/tevent_werror.h
@@ -2015,9 +2004,11 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/descriptor.py*
 %{python_sitearch}/samba/gensec.so
 %{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/gp_ext_loader.py*
 %{python_sitearch}/samba/hostconfig.py*
 %{python_sitearch}/samba/idmap.py*
 %{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/logger.py*
 %{python_sitearch}/samba/messaging.so
 %{python_sitearch}/samba/ms_display_specifiers.py*
 %{python_sitearch}/samba/ms_schema.py*
@@ -2036,8 +2027,10 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/sites.py*
 %{python_sitearch}/samba/smb.so
 %{python_sitearch}/samba/subnets.py*
+
 %{python_sitearch}/samba/upgrade.py*
 %{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/uptodateness.py*
 %{python_sitearch}/samba/werror.so
 %{python_sitearch}/samba/xattr.py*
 %{python_sitearch}/samba/xattr_native.so
@@ -2056,6 +2049,7 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/dcerpc/drsuapi.so
 %{python_sitearch}/samba/dcerpc/echo.so
 %{python_sitearch}/samba/dcerpc/epmapper.so
+%{python_sitearch}/samba/dcerpc/preg.so
 %{python_sitearch}/samba/dcerpc/idmap.so
 %{python_sitearch}/samba/dcerpc/initshutdown.so
 %{python_sitearch}/samba/dcerpc/irpc.so
@@ -2071,11 +2065,15 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/dcerpc/security.so
 %{python_sitearch}/samba/dcerpc/server_id.so
 %{python_sitearch}/samba/dcerpc/smb_acl.so
+%{python_sitearch}/samba/dcerpc/spoolss.so
 %{python_sitearch}/samba/dcerpc/srvsvc.so
 %{python_sitearch}/samba/dcerpc/svcctl.so
 %{python_sitearch}/samba/dcerpc/unixinfo.so
 %{python_sitearch}/samba/dcerpc/winbind.so
+%{python_sitearch}/samba/dcerpc/windows_event_ids.so
 %{python_sitearch}/samba/dcerpc/winreg.so
+%{python_sitearch}/samba/dcerpc/winspool.so
+%{python_sitearch}/samba/dcerpc/witness.so
 %{python_sitearch}/samba/dcerpc/wkssvc.so
 %{python_sitearch}/samba/dcerpc/xattr.so
@@ -2084,6 +2082,14 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/emulate/traffic.py*
 %{python_sitearch}/samba/emulate/traffic_packets.py*
+%dir %{python_sitearch}/samba/gp_parse
+%{python_sitearch}/samba/gp_parse/__init__.py*
+%{python_sitearch}/samba/gp_parse/gp_aas.py*
+%{python_sitearch}/samba/gp_parse/gp_csv.py*
+%{python_sitearch}/samba/gp_parse/gp_inf.py*
+%{python_sitearch}/samba/gp_parse/gp_ini.py*
+%{python_sitearch}/samba/gp_parse/gp_pol.py*
+
 %dir %{python_sitearch}/samba/netcmd
 %{python_sitearch}/samba/netcmd/__init__.py*
 %{python_sitearch}/samba/netcmd/common.py*
@@ -2178,64 +2184,28 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py*
 %{python_sitearch}/samba/tests/auth_log_pass_change.py*
 %{python_sitearch}/samba/tests/auth_log_samlogon.py*
-%dir %{python_sitearch}/samba/tests/blackbox
-%{python_sitearch}/samba/tests/blackbox/__init__.py*
-%{python_sitearch}/samba/tests/blackbox/check_output.py*
-%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
-%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
-%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
-%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+%{python_sitearch}/samba/tests/complex_expressions.py*
 %{python_sitearch}/samba/tests/common.py*
 %{python_sitearch}/samba/tests/core.py*
 %{python_sitearch}/samba/tests/credentials.py*
-%dir %{python_sitearch}/samba/tests/dcerpc
-%{python_sitearch}/samba/tests/dcerpc/__init__.py*
-%{python_sitearch}/samba/tests/dcerpc/array.py*
-%{python_sitearch}/samba/tests/dcerpc/bare.py*
-%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
-%{python_sitearch}/samba/tests/dcerpc/integer.py*
-%{python_sitearch}/samba/tests/dcerpc/misc.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
-%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
-%{python_sitearch}/samba/tests/dcerpc/registry.py*
-%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
-%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
-%{python_sitearch}/samba/tests/dcerpc/sam.py*
-%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
-%{python_sitearch}/samba/tests/dcerpc/string.py*
-%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
-%{python_sitearch}/samba/tests/dcerpc/unix.py*
 %{python_sitearch}/samba/tests/dns.py*
 %{python_sitearch}/samba/tests/dns_base.py*
 %{python_sitearch}/samba/tests/dns_forwarder.py*
-%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
-%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
 %{python_sitearch}/samba/tests/dns_tkey.py*
 %{python_sitearch}/samba/tests/dns_wildcard.py*
 %{python_sitearch}/samba/tests/docs.py*
 %{python_sitearch}/samba/tests/dsdb.py*
 %{python_sitearch}/samba/tests/dsdb_lock.py*
 %{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
-%dir %{python_sitearch}/samba/tests/emulate
-%{python_sitearch}/samba/tests/emulate/__init__.py*
-%{python_sitearch}/samba/tests/emulate/traffic.py*
-%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+%{python_sitearch}/samba/tests/domain_backup_offline.py*
 %{python_sitearch}/samba/tests/encrypted_secrets.py*
 %{python_sitearch}/samba/tests/gensec.py*
 %{python_sitearch}/samba/tests/get_opt.py*
 %{python_sitearch}/samba/tests/glue.py*
 %{python_sitearch}/samba/tests/graph.py*
 %{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/libsmb.py*
 %{python_sitearch}/samba/tests/join.py*
-%dir %{python_sitearch}/samba/tests/kcc
-%{python_sitearch}/samba/tests/kcc/__init__.py*
-%{python_sitearch}/samba/tests/kcc/graph.py*
-%{python_sitearch}/samba/tests/kcc/graph_utils.py*
-%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
-%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
-%{python_sitearch}/samba/tests/libsmb_samba_internal.py*
 %{python_sitearch}/samba/tests/lsa_string.py*
 %{python_sitearch}/samba/tests/messaging.py*
 %{python_sitearch}/samba/tests/net_join.py*
@@ -2243,8 +2213,12 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/netcmd.py*
 %{python_sitearch}/samba/tests/netlogonsvc.py*
 %{python_sitearch}/samba/tests/ntacls.py*
+%{python_sitearch}/samba/tests/ntlm_auth.py*
+%{python_sitearch}/samba/tests/ntlm_auth_base.py*
+%{python_sitearch}/samba/tests/ntlm_auth_krb5.py*
 %{python_sitearch}/samba/tests/ntlmdisabled.py*
 %{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/pam_winbind_chauthtok.py*
 %{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
 %{python_sitearch}/samba/tests/param.py*
 %{python_sitearch}/samba/tests/password_hash.py*
@@ -2254,10 +2228,71 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/password_hash_ldap.py*
 %{python_sitearch}/samba/tests/policy.py*
 %{python_sitearch}/samba/tests/posixacl.py*
+%{python_sitearch}/samba/tests/prefork_restart.py*
+%{python_sitearch}/samba/tests/process_limits.py*
 %{python_sitearch}/samba/tests/provision.py*
 %{python_sitearch}/samba/tests/py_credentials.py*
 %{python_sitearch}/samba/tests/registry.py*
 %{python_sitearch}/samba/tests/samba3sam.py*
+%{python_sitearch}/samba/tests/samdb.py*
+%{python_sitearch}/samba/tests/smbd_base.py*
+%{python_sitearch}/samba/tests/security.py*
+%{python_sitearch}/samba/tests/source.py*
+%{python_sitearch}/samba/tests/strings.py*
+%{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/tdb_util.py*
+%{python_sitearch}/samba/tests/upgrade.py*
+%{python_sitearch}/samba/tests/upgradeprovision.py*
+%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
+%{python_sitearch}/samba/tests/xattr.py*
+
+%dir %{python_sitearch}/samba/tests/blackbox
+%{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/bug13653.py*
+%{python_sitearch}/samba/tests/blackbox/check_output.py*
+%{python_sitearch}/samba/tests/blackbox/netads_json.py*
+%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
+%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol_process.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
+
+%dir %{python_sitearch}/samba/tests/dcerpc
+%{python_sitearch}/samba/tests/dcerpc/__init__.py*
+%{python_sitearch}/samba/tests/dcerpc/array.py*
+%{python_sitearch}/samba/tests/dcerpc/bare.py*
+%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
+%{python_sitearch}/samba/tests/dcerpc/integer.py*
+%{python_sitearch}/samba/tests/dcerpc/misc.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
+%{python_sitearch}/samba/tests/dcerpc/registry.py*
+%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
+%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
+%{python_sitearch}/samba/tests/dcerpc/sam.py*
+%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
+%{python_sitearch}/samba/tests/dcerpc/string_tests.py*
+%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
+%{python_sitearch}/samba/tests/dcerpc/unix.py*
+
+%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/dns_hub.py*
+
+%dir %{python_sitearch}/samba/tests/emulate
+%{python_sitearch}/samba/tests/emulate/__init__.py*
+%{python_sitearch}/samba/tests/emulate/traffic.py*
+%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+
+%dir %{python_sitearch}/samba/tests/kcc
+%{python_sitearch}/samba/tests/kcc/__init__.py*
+%{python_sitearch}/samba/tests/kcc/graph.py*
+%{python_sitearch}/samba/tests/kcc/graph_utils.py*
+%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
+%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
+
 %dir %{python_sitearch}/samba/tests/samba_tool
 %{python_sitearch}/samba/tests/samba_tool/__init__.py*
 %{python_sitearch}/samba/tests/samba_tool/base.py*
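Review bot: `%{python_sitearch}/samba/tests/unicodenames.py*` is removed by the companion hunk at 2279 together with its siblings `samdb.py*` through `xattr.py*`, but it is the only one of that group not re-added in this hunk's relocated block between `tdb_util.py*` and `upgrade.py*`. If 4.10.4 still installs that module, rpmbuild will normally stop on an unpackaged file; if the test was dropped upstream, the omission is intentional but invisible to the next rebase. Either confirm the file is gone in 4.10.4 or add `%{python_sitearch}/samba/tests/unicodenames.py*` after `%{python_sitearch}/samba/tests/tdb_util.py*`.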
@@ -2279,17 +2314,6 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
 %{python_sitearch}/samba/tests/samba_tool/visualize.py*
 %{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
-%{python_sitearch}/samba/tests/samdb.py*
-%{python_sitearch}/samba/tests/security.py*
-%{python_sitearch}/samba/tests/source.py*
-%{python_sitearch}/samba/tests/strings.py*
-%{python_sitearch}/samba/tests/subunitrun.py*
-%{python_sitearch}/samba/tests/tdb_util.py*
-%{python_sitearch}/samba/tests/unicodenames.py*
-%{python_sitearch}/samba/tests/upgrade.py*
-%{python_sitearch}/samba/tests/upgradeprovision.py*
-%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
-%{python_sitearch}/samba/tests/xattr.py*
 ### TEST
 %files test
@@ -2321,6 +2345,7 @@ rm -rf %{buildroot}
 %else
 %{_libdir}/samba/libdsdb-module-samba4.so
 %endif
+%{_libdir}/samba/libcmocka-samba4.so
 ### WINBIND
 %files winbind
@@ -2403,6 +2428,7 @@ rm -rf %{buildroot}
 %{_sbindir}/ctdbd
 %{_sbindir}/ctdbd_wrapper
 %{_bindir}/ctdb
+%{_bindir}/ctdb_local_daemons
 %{_bindir}/ping_pong
 %{_bindir}/ltdbtool
 %{_bindir}/ctdb_diagnostics
@@ -2478,6 +2504,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/conf_test
 %{_libexecdir}/ctdb/tests/ctdb_packet_parse
 %{_libexecdir}/ctdb/tests/ctdb_takeover_tests
+%{_libexecdir}/ctdb/tests/ctdb_io_test
 %{_libexecdir}/ctdb/tests/db_hash_test
 %{_libexecdir}/ctdb/tests/dummy_client
 %{_libexecdir}/ctdb/tests/errcode
@@ -2512,6 +2539,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/sock_daemon_test
 %{_libexecdir}/ctdb/tests/sock_io_test
 %{_libexecdir}/ctdb/tests/srvid_test
+%{_libexecdir}/ctdb/tests/system_socket_test
 %{_libexecdir}/ctdb/tests/test_mutex_raw
 %{_libexecdir}/ctdb/tests/transaction_loop
 %{_libexecdir}/ctdb/tests/tunnel_cmd
@@ -2523,7 +2551,6 @@ rm -rf %{buildroot}
 %dir %{_datadir}/ctdb/tests/complex
 %{_datadir}/ctdb/tests/complex/README
-%{_datadir}/ctdb/tests/complex/00_ctdb_init.sh
 %{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
 %{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
 %{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
@@ -2556,6 +2583,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/config_test_005.sh
 %{_datadir}/ctdb/tests/cunit/config_test_006.sh
 %{_datadir}/ctdb/tests/cunit/config_test_007.sh
+%{_datadir}/ctdb/tests/cunit/ctdb_io_test_001.sh
 %{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
 %{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
 %{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
@@ -2579,7 +2607,11 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
 %{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
 %{_datadir}/ctdb/tests/cunit/srvid_test_001.sh
-
+%{_datadir}/ctdb/tests/cunit/system_socket_test_001.sh
+%dir %{_datadir}/ctdb/tests/etc-ctdb
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events
+%dir %{_datadir}/ctdb/tests/etc-ctdb/events/legacy
+%{_datadir}/ctdb/tests/etc-ctdb/events/legacy/00.test.script
 %dir %{_datadir}/ctdb/tests/eventd
 %{_datadir}/ctdb/tests/eventd/README
 %dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
@@ -2921,6 +2953,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/onnode/0004.sh
 %{_datadir}/ctdb/tests/onnode/0005.sh
 %{_datadir}/ctdb/tests/onnode/0006.sh
+%{_datadir}/ctdb/tests/onnode/0010.sh
+%{_datadir}/ctdb/tests/onnode/0011.sh
 %{_datadir}/ctdb/tests/onnode/0070.sh
 %{_datadir}/ctdb/tests/onnode/0071.sh
 %{_datadir}/ctdb/tests/onnode/0072.sh
@@ -2957,12 +2991,9 @@ rm -rf %{buildroot}
 %dir %{_datadir}/ctdb/tests/simple
 %{_datadir}/ctdb/tests/simple/README
-%{_datadir}/ctdb/tests/simple/00_ctdb_init.sh
 %{_datadir}/ctdb/tests/simple/00_ctdb_onnode.sh
-%{_datadir}/ctdb/tests/simple/01_ctdb_version.sh
-%{_datadir}/ctdb/tests/simple/02_ctdb_listvars.sh
-%{_datadir}/ctdb/tests/simple/03_ctdb_getvar.sh
-%{_datadir}/ctdb/tests/simple/04_ctdb_setvar.sh
+%{_datadir}/ctdb/tests/simple/01_ctdb_reclock_command.sh
+%{_datadir}/ctdb/tests/simple/02_ctdb_tunables.sh
 %{_datadir}/ctdb/tests/simple/05_ctdb_listnodes.sh
 %{_datadir}/ctdb/tests/simple/06_ctdb_getpid.sh
 %{_datadir}/ctdb/tests/simple/07_ctdb_process_exists.sh
@@ -2985,11 +3016,9 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/26_ctdb_config_check_error_on_unreachable_ctdb.sh
 %{_datadir}/ctdb/tests/simple/27_ctdb_detach.sh
 %{_datadir}/ctdb/tests/simple/28_zero_eventscripts.sh
-%{_datadir}/ctdb/tests/simple/31_ctdb_disable.sh
-%{_datadir}/ctdb/tests/simple/32_ctdb_enable.sh
+%{_datadir}/ctdb/tests/simple/32_ctdb_disable_enable.sh
 %{_datadir}/ctdb/tests/simple/35_ctdb_getreclock.sh
-%{_datadir}/ctdb/tests/simple/41_ctdb_stop.sh
-%{_datadir}/ctdb/tests/simple/42_ctdb_continue.sh
+%{_datadir}/ctdb/tests/simple/42_ctdb_stop_continue.sh
 %{_datadir}/ctdb/tests/simple/43_stop_recmaster_yield.sh
 %{_datadir}/ctdb/tests/simple/51_message_ring.sh
 %{_datadir}/ctdb/tests/simple/52_fetch_ring.sh
@@ -2999,6 +3028,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
 %{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
 %{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
+%{_datadir}/ctdb/tests/simple/69_recovery_resurrect_deleted.sh
 %{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
 %{_datadir}/ctdb/tests/simple/71_ctdb_wipedb.sh
 %{_datadir}/ctdb/tests/simple/72_update_record_persistent.sh
@@ -3011,17 +3041,10 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
 %{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
 %{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
-%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
-
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events
-%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy
-%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script
 %dir %{_datadir}/ctdb/tests/simple/scripts
 %{_datadir}/ctdb/tests/simple/scripts/local.bash
 %{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
-%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh
 %dir %{_datadir}/ctdb/tests/takeover
 %{_datadir}/ctdb/tests/takeover/README
@@ -3245,20 +3268,42 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog -* Mon Oct 21 2019 Isaac Boukris - 4.9.1.10 -- resolves: #1763650 - Fix spnego downgrade +* Wed Jan 08 2020 Alexander Bokovoy - 4.10.4-10 +- resolves: #1786324 - fix security level check for DsRGetForestTrustInformation + +* Thu Oct 31 2019 Isaac Boukris - 4.10.4-9 +- resolves: #1764468 - Fix CVE-2019-10218 + +* Wed Oct 30 2019 Isaac Boukris - 4.10.4-8 +- resolves: #1656541 - Fix join using netbios name + +* Mon Oct 14 2019 Isaac Boukris - 4.10.4-7 +- resolves: #1657428 - Fix spnego downgrade +- resolves: #1663064 - Fix net ads join in hardened environments -* Tue Oct 08 2019 Andreas Schneider - 4.9.1-9 -- resolves: #1759445 - Fix trusted domain enumeration in windind caused +* Fri Oct 04 2019 Andreas Schneider - 4.10.4-6 +- resolves: #1753254 - Fix trusted domain enumeration in windind caused a Active Directory update -* Tue Sep 24 2019 Andreas Schneider - 4.9.1-8 -- resolves: #1754838 - Fix username/password auth with smbspool -- resolves: #1754835 - Fix builtin groups creation. 
+* Thu Sep 19 2019 Andreas Schneider - 4.10.4-5 +- resolves: #1751335 - Fix username/passwd auth with smbspool + +* Mon Sep 16 2019 Andreas Schneider - 4.10.4-4 +- resolves: #1740986 - Fix issues creating BUILTIN\Guests + +* Thu Sep 05 2019 Guenther Deschner - 4.10.4-3 +- resolves: #1746240 - Security fix for CVE-2019-10197 + +* Wed Sep 04 2019 Guenther Deschner - 4.10.4-2 +- resolves: #1740000 - Fix 'net ads join createcomputer=' +* Wed Aug 14 2019 Andreas Schneider - 4.10.4-1 +- resolves: #1497809 - Add --resolve-uids for 'smbstatus -L' +- resolves: #1714947 - Fix idmap_tdb2 scripts -* Fri Sep 06 2019 Guenther Deschner - 4.9.1-7 -- resolves: #1749300 - Fix 'net ads join createcomputer=' +* Wed Aug 14 2019 Andreas Schneider - 4.10.4-0 +- resolves: #1724991 - Update to version 4.10.4 +- resolves: #1595277 - Update manpage for 'net ads lookup' * Fri May 24 2019 Andreas Schneider - 4.9.1-6 - related: #1703204 - Fix printing with smbspool as CUPS backend
