diff --git a/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch b/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
new file mode 100644
index 0000000..90ec59d
--- /dev/null
+++ b/SOURCES/0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch
@@ -0,0 +1,84 @@ +From 2a7249a43c82d720191e29510db5633f3a92a08c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 7 Jan 2020 19:25:53 +0200 +Subject: [PATCH 209/209] s3-rpcserver: fix security level check for + DsRGetForestTrustInformation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Harmonize _netr_DsRGetForestTrustInformation with source4/ logic which +didn't change since DCE RPC channel refactoring. + +With the current code we return RPC faul as can be seen in the logs: + +2019/12/11 17:12:55.463081, 1, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_parse] ../librpc/ndr/ndr.c:471(ndr_print_function_debug) + netr_DsRGetForestTrustInformation: struct netr_DsRGetForestTrustInformation + in: struct netr_DsRGetForestTrustInformation + server_name : * + server_name : '\\some-dc.example.com' + trusted_domain_name : NULL + flags : 0x00000000 (0) +[2019/12/11 17:12:55.463122, 4, pid=20939, effective(1284200000, 1284200000), real(1284200000, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1561(api_rpcTNP) + api_rpcTNP: fault(5) return. 
+ +This is due to this check in processing a request: + if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) + && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return WERR_ACCESS_DENIED; + } + +and since we get AuthZ response, + + Successful AuthZ: [netlogon,ncacn_np] user [EXAMPLE]\[admin] [S-1-5-21-1234567-890123456-500] at [Wed, 11 Dec 2019 17:12:55.461164 UTC] + Remote host [ipv4:Y.Y.Y.Y:59017] local host [ipv4:X.X.X.X:445] +[2019/12/11 17:12:55.461584, 4, pid=20939, effective(0, 0), real(0, 0)] ../lib/audit_logging/audit_logging.c:141(audit_log_json) + JSON Authorization: {"timestamp": "2019-12-11T17:12:55.461491+0000", + "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, + "localAddress": "ipv4:X.X.X.X:445", "remoteAddress": "ipv4:Y.Y.Y.Y:59017", + "serviceDescription": "netlogon", "authType": "ncacn_np", + "domain": "EXAMPLE", "account": "admin", "sid": "S-1-5-21-1234567-890123456-500", + "sessionId": "c5a2386f-f2cc-4241-9a9e-d104cf5859d5", "logonServer": "SOME-DC", + "transportProtection": "SMB", "accountFlags": "0x00000010"}} + +this means we are actually getting anonymous DCE/RPC access to netlogon +on top of authenticated SMB connection. In such case we have exactly +auth_type set to DCERPC_AUTH_TYPE_NONE and auth_level set to +DCERPC_AUTH_LEVEL_NONE in the pipe->auth. Thus, returning an error. + +Update the code to follow the same security level check as in s4 variant +of the call. 
+ +Signed-off-by: Alexander Bokovoy +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Mon Jan 13 15:05:28 UTC 2020 on sn-devel-184 + +(cherry picked from commit c6d880a115095c336b8b74f45854a99abb1bbb87) +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 3dd8ecf5ca8..3fb62d3f82e 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -2454,10 +2454,10 @@ WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, + { + NTSTATUS status; + struct lsa_ForestTrustInformation *info, **info_ptr; ++ enum security_user_level security_level; + +- if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) +- && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { +- p->fault_state = DCERPC_FAULT_ACCESS_DENIED; ++ security_level = security_session_user_level(p->session_info, NULL); ++ if (security_level < SECURITY_USER) { + return WERR_ACCESS_DENIED; + } + +-- +2.24.1 + diff --git a/SOURCES/CVE-2019-14907-4.11.patch b/SOURCES/CVE-2019-14907-4.11.patch new file mode 100644 index 0000000..1465ec8 --- /dev/null +++ b/SOURCES/CVE-2019-14907-4.11.patch 
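Review bot: The replacement check in _netr_DsRGetForestTrustInformation drops the `p->fault_state = DCERPC_FAULT_ACCESS_DENIED;` assignment, so an insufficiently privileged caller now receives WERR_ACCESS_DENIED in the response body instead of the DCE/RPC fault(5) the old code raised; if that is intended because it matches the source4 variant, the commit message should say so explicitly. The new gate also no longer requires `p->pipe_bound` or any DCE/RPC-level authentication and relies entirely on the SMB session user, which deserves a comment above the check such as `/* Caller must be an authenticated (non-anonymous) session user; DCE/RPC-level auth is not required, matching the source4 implementation. */`. Whether guest-mapped sessions are classified below SECURITY_USER is decided inside security_session_user_level() and cannot be confirmed from this hunk. The function body continues outside the hunk.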
@@ -0,0 +1,100 @@ +From 588b74189958630b39cb393c47495d39dead83a1 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 29 Nov 2019 20:58:47 +1300 +Subject: [PATCH] CVE-2019-14907 lib/util: Do not print the failed to convert + string into the logs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The string may be in another charset, or may be sensitive and +certainly may not be terminated. It is not safe to just print. + +Found by Robert Święcki using a fuzzer he wrote for smbd. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208 +Signed-off-by: Andrew Bartlett +--- + lib/util/charset/convert_string.c | 38 ++++++++++++++++--------------- + 1 file changed, 20 insertions(+), 18 deletions(-) + +diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c +index d274e305a0c..b725b53cb5a 100644 +--- a/lib/util/charset/convert_string.c ++++ b/lib/util/charset/convert_string.c +@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic, + switch(errno) { + case EINVAL: + reason="Incomplete multibyte sequence"; +- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", +- reason, (const char *)src)); ++ DBG_NOTICE("Conversion error: %s\n", ++ reason); + break; + case E2BIG: + { + reason="No more room"; + if (from == CH_UNIX) { +- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n", +- charset_name(ic, from), charset_name(ic, to), +- (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason)); ++ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", ++ charset_name(ic, from), charset_name(ic, to), ++ (unsigned int)srclen, (unsigned int)destlen, reason); + } else { +- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n", +- charset_name(ic, from), charset_name(ic, to), +- (unsigned int)srclen, (unsigned int)destlen, reason)); ++ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u 
destlen=%u error: %s\n", ++ charset_name(ic, from), charset_name(ic, to), ++ (unsigned int)srclen, (unsigned int)destlen, reason); + } + break; + } + case EILSEQ: + reason="Illegal multibyte sequence"; +- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n", +- reason, (const char *)src)); ++ DBG_NOTICE("convert_string_internal: Conversion error: %s\n", ++ reason); + break; + default: +- DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n", +- reason, (const char *)src)); ++ DBG_ERR("convert_string_internal: Conversion error: %s\n", ++ reason); + break; + } + /* smb_panic(reason); */ +@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic, + switch(errno) { + case EINVAL: + reason="Incomplete multibyte sequence"; +- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); ++ DBG_NOTICE("Conversion error: %s\n", ++ reason); + break; + case E2BIG: + reason = "output buffer is too small"; +- DBG_NOTICE("convert_string_talloc: " +- "Conversion error: %s(%s)\n", +- reason, inbuf); ++ DBG_NOTICE("Conversion error: %s\n", ++ reason); + break; + case EILSEQ: + reason="Illegal multibyte sequence"; +- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf)); ++ DBG_NOTICE("Conversion error: %s\n", ++ reason); + break; + default: +- DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf)); ++ DBG_ERR("Conversion error: %s\n", ++ reason); + break; + } + /* smb_panic(reason); */ +-- +2.17.1 + diff --git a/SOURCES/krb5_no_des_411.patch b/SOURCES/krb5_no_des_411.patch new file mode 100644 index 0000000..0fd1286 --- /dev/null +++ b/SOURCES/krb5_no_des_411.patch 
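Review bot: In the E2BIG case of convert_string_handle the two arms of `if (from == CH_UNIX)` now make the identical DBG_NOTICE call, because the only difference between them was the `(const char *)src` argument this fix removes; the condition and the duplicated branch can be dropped, leaving one `reason="No more room";` followed by a single DBG_NOTICE and `break;`. The surviving `"convert_string_internal: "` prefixes in the EILSEQ and default cases are also stale, since the DBG_NOTICE/DBG_ERR macros already prepend the calling function's name and that function is convert_string_handle, so the form already used in the EINVAL case, `DBG_NOTICE("Conversion error: %s\n", reason);`, would be consistent. Both convert_string_handle and convert_string_talloc_handle start and end outside the hunk.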
@@ -0,0 +1,613 @@ +From d8c48f3773d72a5e36bb46a1c09ba11fc64ae38d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 6 Nov 2019 09:17:52 +0100 +Subject: [PATCH 01/10] selftest/remote_pac: remove + test_PACVerify_workstation_des + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source4/torture/rpc/remote_pac.c | 37 -------------------------------- + 1 file changed, 37 deletions(-) + +diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c +index 7a5cda74b74..f12060e3c8f 100644 +--- a/source4/torture/rpc/remote_pac.c ++++ b/source4/torture/rpc/remote_pac.c +@@ -38,7 +38,6 @@ + + #define TEST_MACHINE_NAME_BDC "torturepacbdc" + #define TEST_MACHINE_NAME_WKSTA "torturepacwksta" +-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes" + #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc" + #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk" + +@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx, + NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES); + } + +-static bool test_PACVerify_workstation_des(struct torture_context *tctx, +- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx) +-{ +- struct samr_SetUserInfo r; +- union samr_UserInfo user_info; +- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx); +- struct smb_krb5_context *smb_krb5_context; +- krb5_error_code ret; +- +- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(), +- tctx->lp_ctx, &smb_krb5_context); +- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed"); +- +- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) { +- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes"); +- } +- +- /* Mark this workstation with DES-only */ +- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST; 
+- r.in.user_handle = torture_join_samr_user_policy(join_ctx); +- r.in.level = 16; +- r.in.info = &user_info; +- +- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r), +- "failed to set DES info account flags"); +- torture_assert_ntstatus_ok(tctx, r.out.result, +- "failed to set DES into account flags"); +- +- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA, +- TEST_MACHINE_NAME_WKSTA_DES, +- NETLOGON_NEG_AUTH2_ADS_FLAGS); +-} +- + #ifdef SAMBA4_USES_HEIMDAL + static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx, + uint16_t validation_level, +@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx) + &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA); + torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes); + +- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des", +- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES); +- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des); + #ifdef SAMBA4_USES_HEIMDAL + tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour", + &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC); +-- +2.24.1 + + +From c19bef15eba2f8436d3ffafae5e640c6581fdb81 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 31 Oct 2019 19:41:46 +0100 +Subject: [PATCH 02/10] selftest: exclude msDS-SupportedEncryptionType in + ldapcmp + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Pair-Programmed-With: Alexander Bokovoy + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + testprogs/blackbox/dbcheck-oldrelease.sh | 2 +- + testprogs/blackbox/functionalprep.sh | 2 +- + testprogs/blackbox/upgradeprovision-oldrelease.sh | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh +index 3d0ee2c165a..41c55178d4e 
100755 +--- a/testprogs/blackbox/dbcheck-oldrelease.sh ++++ b/testprogs/blackbox/dbcheck-oldrelease.sh +@@ -388,7 +388,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE = x"release-4-0-0" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh +index 80e82252d45..1d37611ef7a 100755 +--- a/testprogs/blackbox/functionalprep.sh ++++ b/testprogs/blackbox/functionalprep.sh +@@ -61,7 +61,7 @@ provision_2012r2() { + ldapcmp_ignore() { + # At some point we will need to ignore, but right now, it should be perfect + IGNORE_ATTRS=$1 +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn ++ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes + } + + ldapcmp() { +diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh +index 76276168011..208baa54a02 100755 +--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh ++++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh +@@ -106,7 +106,7 @@ referenceprovision() { + + ldapcmp() { + if [ x$RELEASE != x"alpha13" ]; then +- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName ++ $PYTHON $BINDIR/samba-tool ldapcmp 
tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes + fi + } + +-- +2.24.1 + + +From afb8e18c42122841111b6077bb26bd5dd95e5c55 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 24 Oct 2019 12:20:05 +0300 +Subject: [PATCH 03/10] kerberos: remove single DES enctypes from ENC_ALL_TYPES + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source4/auth/kerberos/kerberos.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h +index 2ff9e3868af..1dd63acc838 100644 +--- a/source4/auth/kerberos/kerberos.h ++++ b/source4/auth/kerberos/kerberos.h +@@ -50,7 +50,7 @@ struct keytab_container { + #define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01") + #define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01") + +-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \ ++#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \ + ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256) + + #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES +-- +2.24.1 + + +From 4747d04bd8c9d694b613cdec92640312208aee9d Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 24 Oct 2019 18:53:34 +0300 +Subject: [PATCH 04/10] kdc/db-glue: do not fetch single DES keys from db + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source4/kdc/db-glue.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c +index f62a633c6c7..023ae7b580d 100644 +--- a/source4/kdc/db-glue.c ++++ b/source4/kdc/db-glue.c +@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, + + /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer 
enc types */ + if (userAccountControl & UF_USE_DES_KEY_ONLY) { +- supported_enctypes = ENC_CRC32|ENC_RSA_MD5; ++ supported_enctypes = 0; + } else { + /* Otherwise, add in the default enc types */ +- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; ++ supported_enctypes |= ENC_RC4_HMAC_MD5; + } + + /* Is this the krbtgt or a RODC krbtgt */ +-- +2.24.1 + + +From 5c460fe678eb5db9f0f2eed67a6be8c07ca8d53c Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 24 Oct 2019 18:32:37 +0300 +Subject: [PATCH 05/10] password_hash: do not generate single DES keys + +Per RFC-6649 single DES enctypes should not be used. + +MIT has retired single DES encryption types, see: +https://web.mit.edu/kerberos/krb5-1.12/doc/admin/advanced/retiring-des.html + +As a workaround, store random keys instead, making the usage of signle DES +encryption types virtually impossible. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + .../dsdb/samdb/ldb_modules/password_hash.c | 49 +++---------------- + 1 file changed, 7 insertions(+), 42 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c +index 006e35c46d5..ffd48da616e 100644 +--- a/source4/dsdb/samdb/ldb_modules/password_hash.c ++++ b/source4/dsdb/samdb/ldb_modules/password_hash.c +@@ -783,56 +783,21 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io) + } + + /* +- * create ENCTYPE_DES_CBC_MD5 key out of +- * the salt and the cleartext password ++ * As per RFC-6649 single DES encryption types are no longer considered ++ * secure to be used in Kerberos, we store random keys instead of the ++ * ENCTYPE_DES_CBC_MD5 and ENCTYPE_DES_CBC_CRC keys. 
+ */ +- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, +- NULL, +- &salt, +- &cleartext_data, +- ENCTYPE_DES_CBC_MD5, +- &key); +- if (krb5_ret) { +- ldb_asprintf_errstring(ldb, +- "setup_kerberos_keys: " +- "generation of a des-cbc-md5 key failed: %s", +- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, +- krb5_ret, io->ac)); +- return LDB_ERR_OPERATIONS_ERROR; +- } +- io->g.des_md5 = data_blob_talloc(io->ac, +- KRB5_KEY_DATA(&key), +- KRB5_KEY_LENGTH(&key)); +- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8); + if (!io->g.des_md5.data) { + return ldb_oom(ldb); + } ++ generate_secret_buffer(io->g.des_md5.data, 8); + +- /* +- * create ENCTYPE_DES_CBC_CRC key out of +- * the salt and the cleartext password +- */ +- krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context, +- NULL, +- &salt, +- &cleartext_data, +- ENCTYPE_DES_CBC_CRC, +- &key); +- if (krb5_ret) { +- ldb_asprintf_errstring(ldb, +- "setup_kerberos_keys: " +- "generation of a des-cbc-crc key failed: %s", +- smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, +- krb5_ret, io->ac)); +- return LDB_ERR_OPERATIONS_ERROR; +- } +- io->g.des_crc = data_blob_talloc(io->ac, +- KRB5_KEY_DATA(&key), +- KRB5_KEY_LENGTH(&key)); +- krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key); ++ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8); + if (!io->g.des_crc.data) { + return ldb_oom(ldb); + } ++ generate_secret_buffer(io->g.des_crc.data, 8); + + return LDB_SUCCESS; + } +-- +2.24.1 + + +From 000abe4e405ce5fa4eae6235335bfca2a8152e3c Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Thu, 24 Oct 2019 19:04:51 +0300 +Subject: [PATCH 06/10] kerberos_keytab: do not add single DES keys to keytab + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source3/libads/kerberos_keytab.c | 2 
-- + testprogs/blackbox/test_export_keytab_heimdal.sh | 16 ++++++++-------- + 2 files changed, 8 insertions(+), 10 deletions(-) + +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index 97d5535041c..7d193e1a600 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads) + krb5_data password; + krb5_kvno kvno; + krb5_enctype enctypes[6] = { +- ENCTYPE_DES_CBC_CRC, +- ENCTYPE_DES_CBC_MD5, + #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + ENCTYPE_AES128_CTS_HMAC_SHA1_96, + #endif +diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh +index cfa245fd4de..6a2595cd684 100755 +--- a/testprogs/blackbox/test_export_keytab_heimdal.sh ++++ b/testprogs/blackbox/test_export_keytab_heimdal.sh +@@ -43,7 +43,7 @@ test_keytab() { + + echo "test: $testname" + +- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour") ++ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour") + status=$? 
+ if [ x$status != x0 ]; then + echo "failure: $testname" +@@ -64,22 +64,22 @@ unc="//$SERVER/tmp" + testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1` + + testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5 ++test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3 + + testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1` +-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5 ++test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3 + + testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for 
user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5 ++test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3 + + testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1` +-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5 ++test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3 + + KRB5CCNAME="$PREFIX/tmpuserccache" + export KRB5CCNAME +-- +2.24.1 + + +From 4e96a263c2c038bc4c835b78161623cc4d050c61 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Mon, 16 Sep 2019 15:17:08 +0300 +Subject: [PATCH 07/10] machine_account_secrets: do not generate single DES + keys + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source3/passdb/machine_account_secrets.c | 36 ------------------------ + 1 file changed, 36 deletions(-) + +diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c +index dfc21f295a1..efba80f1474 100644 +--- a/source3/passdb/machine_account_secrets.c ++++ b/source3/passdb/machine_account_secrets.c +@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + krb5_keyblock key; + DATA_BLOB aes_256_b = data_blob_null; + DATA_BLOB aes_128_b = data_blob_null; +- DATA_BLOB des_md5_b = data_blob_null; + bool ok; + #endif /* HAVE_ADS */ + DATA_BLOB arc4_b = 
data_blob_null; +@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor + return ENOMEM; + } + +- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx, +- NULL, +- &salt, +- &cleartext_utf8, +- ENCTYPE_DES_CBC_MD5, +- &key); +- if (krb5_ret != 0) { +- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n", +- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys)); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return krb5_ret; +- } +- des_md5_b = data_blob_talloc(keys, +- KRB5_KEY_DATA(&key), +- KRB5_KEY_LENGTH(&key)); +- krb5_free_keyblock_contents(krb5_ctx, &key); +- if (des_md5_b.data == NULL) { +- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n"); +- krb5_free_context(krb5_ctx); +- TALLOC_FREE(keys); +- TALLOC_FREE(salt_data); +- return ENOMEM; +- } +- + krb5_free_context(krb5_ctx); + no_kerberos: + +@@ -1227,15 +1200,6 @@ no_kerberos: + keys[idx].value = arc4_b; + idx += 1; + +-#ifdef HAVE_ADS +- if (des_md5_b.length != 0) { +- keys[idx].keytype = ENCTYPE_DES_CBC_MD5; +- keys[idx].iteration_count = 4096; +- keys[idx].value = des_md5_b; +- idx += 1; +- } +-#endif /* HAVE_ADS */ +- + p->salt_data = salt_data; + p->default_iteration_count = 4096; + p->num_keys = idx; +-- +2.24.1 + + +From 79fce8cfb906ca8b5bfa5f1954bf81ff950c3d23 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 12 Nov 2019 12:00:34 +0100 +Subject: [PATCH 08/10] selftest: mitm-s4u2self: use zlib for CRC32_checksum + calc + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source4/torture/krb5/kdc-canon-heimdal.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c +index ee3045181dc..7dec67bc49b 100644 +--- a/source4/torture/krb5/kdc-canon-heimdal.c ++++ b/source4/torture/krb5/kdc-canon-heimdal.c +@@ -33,6 
+33,7 @@ + #include "auth/auth_sam_reply.h" + #include "auth/gensec/gensec.h" + #include "param/param.h" ++#include "zlib.h" + + #define TEST_CANONICALIZE 0x0000001 + #define TEST_ENTERPRISE 0x0000002 +@@ -214,6 +215,17 @@ static bool test_accept_ticket(struct torture_context *tctx, + return true; + } + ++static void ++zCRC32_checksum(const void *data, ++ size_t len, ++ Checksum *C) ++{ ++ uint32_t *crc = C->checksum.data; ++ *crc = ~(crc32(0xffffffff, data, len)); ++ C->checksum.length = 4; ++ C->cksumtype = 1; ++} ++ + krb5_error_code + _krb5_s4u2self_to_checksumdata(krb5_context context, + const PA_S4U2Self *self, +@@ -252,11 +264,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, + torture_assert_int_equal(test_context->tctx, + _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), + 0, "_krb5_s4u2self_to_checksumdata() failed"); +- torture_assert_int_equal(test_context->tctx, +- krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, +- CKSUMTYPE_CRC32, cksum_data.data, +- cksum_data.length, &mod_self.cksum), +- 0, "krb5_create_checksum() failed"); ++ zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum); + + ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, + &mod_self, &used, ret); +@@ -270,7 +278,6 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, + + free_PA_S4U2Self(&self); + krb5_data_free(&cksum_data); +- free_Checksum(&mod_self.cksum); + + return true; + } +-- +2.24.1 + + +From 1a658936884a9a18616fcb1d13b8f9b6be587322 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 16 Nov 2019 22:46:19 +0100 +Subject: [PATCH 09/10] selftest: allow any kdc error in mitm-s4u2self test + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + source4/torture/krb5/kdc-canon-heimdal.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff 
--git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c +index 7dec67bc49b..5315afa9252 100644 +--- a/source4/torture/krb5/kdc-canon-heimdal.c ++++ b/source4/torture/krb5/kdc-canon-heimdal.c +@@ -737,13 +737,12 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex + error.pvno, 5, + "Got wrong error.pvno"); + expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; +- if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { +- expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; ++ if (!test_context->test_data->mitm_s4u2self) { ++ torture_assert_int_equal(test_context->tctx, ++ error.error_code, ++ expected_error, ++ "Got wrong error.error_code"); + } +- torture_assert_int_equal(test_context->tctx, +- error.error_code, +- expected_error, +- "Got wrong error.error_code"); + } else { + torture_assert_int_equal(test_context->tctx, + decode_TGS_REP(recv_buf->data, recv_buf->length, +@@ -2090,8 +2089,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * + || test_data->upn == false)) { + + if (test_data->mitm_s4u2self) { +- torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, +- assertion_message); ++ torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message); + /* Done testing mitm-s4u2self */ + return true; + } +-- +2.24.1 + + +From 80ebb75804312a848df4cf5ab883291eaf816130 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Sat, 16 Nov 2019 23:03:34 +0100 +Subject: [PATCH 10/10] heimdal: do not compile weak crypto + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14202 + +Signed-off-by: Isaac Boukris +Reviewed-by: Andrew Bartlett +--- + selftest/target/Samba.pm | 1 - + source4/heimdal_build/roken.h | 3 --- + 2 files changed, 4 deletions(-) + +diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm +index c30f6fe33ce..3f5ac64c8c2 100644 +--- a/selftest/target/Samba.pm ++++ 
b/selftest/target/Samba.pm +@@ -261,7 +261,6 @@ sub mk_krb5_conf($$) + dns_lookup_kdc = true + ticket_lifetime = 24h + forwardable = yes +- allow_weak_crypto = yes + + # We are running on the same machine, do not correct + # system clock differences +diff --git a/source4/heimdal_build/roken.h b/source4/heimdal_build/roken.h +index 9752c04a741..559021c0a0e 100644 +--- a/source4/heimdal_build/roken.h ++++ b/source4/heimdal_build/roken.h +@@ -6,9 +6,6 @@ + + #include "config.h" + +-/* Support 'weak' keys for now, it can't be worse than NTLM and we don't want to hard-code the behaviour at this point */ +-#define HEIM_WEAK_CRYPTO 1 +- + /* path to sysconf - should we force this to samba LIBDIR ? */ + #define SYSCONFDIR "/etc" + +-- +2.24.1 + diff --git a/SOURCES/samba-4.10-fix-netbios-join.patch b/SOURCES/samba-4.10-fix-netbios-join.patch new file mode 100644 index 0000000..9dd2eec --- /dev/null +++ b/SOURCES/samba-4.10-fix-netbios-join.patch 
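Review bot: In patch 08/10, `zCRC32_checksum()` in kdc-canon-heimdal.c writes four bytes through `C->checksum.data` without allocating that buffer or checking `C->checksum.length`; the krb5_create_checksum() call it replaces allocated the checksum (which is why `free_Checksum(&mod_self.cksum)` is removed further down), so the helper now depends on `mod_self.cksum` already holding a buffer of at least four bytes, which this hunk does not show and which presumably originates from the decoded client request. A guard such as `if (C->checksum.data == NULL || C->checksum.length < 4) { return; }` with the caller asserting the result, or allocating the four-byte buffer inside the helper, would make that assumption explicit. `C->cksumtype = 1;` hardcodes the numeric value that the removed line referred to as CKSUMTYPE_CRC32; the named constant should be used. Storing the result through a `uint32_t *` gives host byte order, whereas RFC 3961 specifies the CRC32 checksum in little-endian order, so on a big-endian host the test would send a different value, though patch 09/10 makes the test accept any KDC error so the outcome likely does not change. The enclosing change_for_user_principal() starts and ends outside the hunk.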
@@ -0,0 +1,723 @@ +From 05f7e9a72a1769af9d41b1ca40fe6a14b3f069d1 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 30 Aug 2019 00:22:15 +0300 +Subject: [PATCH 1/6] libnet_join: build dnsHostName from netbios name and + lp_dnsdomain() + +This make the join process much more reliable, and avoids "Constraint +violation" error when the fqdn returned from getaddrinfo has already +got assigned an SPN. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 31 +++++++++++------------------- + testprogs/blackbox/test_net_ads.sh | 7 +++++-- + 2 files changed, 16 insertions(+), 22 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 7943bef2cf6..818b3039cb9 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -533,29 +533,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + +- if (!name_to_fqdn(my_fqdn, r->in.machine_name) +- || (strchr(my_fqdn, '.') == NULL)) { +- fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, +- r->out.dns_domain_name); +- } ++ fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); + + if (!strlower_m(my_fqdn)) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + +- if (!strequal(my_fqdn, r->in.machine_name)) { +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); +- if (!spn) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ if (spn == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (!ok) { ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + } + +@@ -591,12 +585,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* + * Add HOST/netbiosname.domainname + */ +- if (r->out.dns_domain_name == NULL) { +- continue; +- } + fstr_sprintf(my_fqdn, "%s.%s", + *netbios_aliases, +- r->out.dns_domain_name); ++ lp_dnsdomain()); + + spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); + if (spn == NULL) { +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index cc8345c4624..ef6f99ddea4 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -81,7 +81,7 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai + netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1') + uc_netbios=$(echo $netbios | tr '[:lower:]' '[:upper:]') + lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]') +-fqdns="$netbios.$lc_realm" ++fqdn="$netbios.$lc_realm" + + krb_princ="primary/instance@$REALM" + testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` +@@ -99,7 +99,7 @@ testit "test (dedicated keytab) at least one krb5 principal created from $machin + service="nfs" + testit "test (dedicated keytab) add a $service service to keytab" $VALGRIND $net_tool ads keytab add $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` + +-search_str="$service/$fqdns@$REALM" ++search_str="$service/$fqdn@$REALM" + found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l` + testit "test (dedicated keytab) at least one (long 
form) krb5 principal created from service added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1` + +@@ -206,6 +206,9 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed + + testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + ++testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` ++testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ + ##Goodbye... + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.21.0 + + +From 4cbad1eb46896bbd74c5b19dbb0a8937ffde90c2 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 20:00:34 +0300 +Subject: [PATCH 2/6] libnet_join_set_machine_spn: improve style and make a bit + room for indentation + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 95 ++++++++++++++++++------------------ + 1 file changed, 47 insertions(+), 48 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 818b3039cb9..67ab50c68a8 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -517,7 +517,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ + + spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); +- if (!spn) { ++ if (spn == NULL) { + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + if (!strupper_m(spn)) { +@@ -553,60 +553,59 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + +- netbios_aliases = lp_netbios_aliases(); +- if (netbios_aliases != NULL) { +- for (; *netbios_aliases != NULL; netbios_aliases++) { +- /* +- * Add HOST/NETBIOSNAME +- */ +- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); +- if (spn == NULL) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } +- if (!strupper_m(spn)) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ for (netbios_aliases = lp_netbios_aliases(); ++ netbios_aliases != NULL && *netbios_aliases != NULL; ++ netbios_aliases++) { ++ /* ++ * Add HOST/NETBIOSNAME ++ */ ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); ++ if (spn == NULL) { ++ TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ if (!strupper_m(spn)) { ++ TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- TALLOC_FREE(spn); +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (ok) { ++ TALLOC_FREE(spn); ++ continue; ++ } ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); ++ if (!ok) { + TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ TALLOC_FREE(spn); + +- /* +- * Add HOST/netbiosname.domainname +- */ +- fstr_sprintf(my_fqdn, "%s.%s", +- *netbios_aliases, +- lp_dnsdomain()); ++ /* ++ * Add HOST/netbiosname.domainname ++ */ ++ fstr_sprintf(my_fqdn, "%s.%s", ++ *netbios_aliases, ++ lp_dnsdomain()); + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); +- if (spn == NULL) { +- return 
ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ if (spn == NULL) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- TALLOC_FREE(spn); +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- } ++ ok = ads_element_in_array(spn_array, num_spns, spn); ++ if (ok) { ++ TALLOC_FREE(spn); ++ continue; ++ } ++ ok = add_string_to_array(spn_array, spn, ++ &spn_array, &num_spns); ++ if (!ok) { + TALLOC_FREE(spn); ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } ++ TALLOC_FREE(spn); + } + + /* make sure to NULL terminate the array */ +-- +2.21.0 + + +From b8e1264ececf38681ca9a519a51e8336044673f0 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 21:29:47 +0300 +Subject: [PATCH 3/6] libnet_join_set_machine_spn: simplify memory handling + +and avoid a possible memory leak when passing null to +add_string_to_array() as mem_ctx. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 74 ++++++++++++++++++++---------------- + 1 file changed, 42 insertions(+), 32 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 67ab50c68a8..43035370526 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -490,6 +490,7 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, + static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + struct libnet_JoinCtx *r) + { ++ TALLOC_CTX *frame = talloc_stackframe(); + ADS_STATUS status; + ADS_MODLIST mods; + fstring my_fqdn; +@@ -506,7 +507,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + return status; + } + +- status = libnet_join_get_machine_spns(mem_ctx, ++ status = libnet_join_get_machine_spns(frame, + r, + discard_const_p(char **, &spn_array), + &num_spns); +@@ -516,40 +517,46 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + + /* Windows only creates HOST/shortname & HOST/fqdn. 
*/ + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name); ++ spn = talloc_asprintf(frame, "HOST/%s", r->in.machine_name); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + if (!strupper_m(spn)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, ++ ok = add_string_to_array(frame, spn, + &spn_array, &num_spns); + if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + } + + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); + + if (!strlower_m(my_fqdn)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (!ok) { +- ok = add_string_to_array(spn_array, spn, ++ ok = add_string_to_array(frame, spn, + &spn_array, &num_spns); + if (!ok) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + } + +@@ -559,28 +566,26 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + /* + * Add HOST/NETBIOSNAME + */ +- spn = talloc_asprintf(mem_ctx, "HOST/%s", *netbios_aliases); ++ spn = talloc_asprintf(frame, "HOST/%s", *netbios_aliases); + if (spn == NULL) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + if (!strupper_m(spn)) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = 
ads_element_in_array(spn_array, num_spns, spn); + if (ok) { +- TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } +- TALLOC_FREE(spn); + + /* + * Add HOST/netbiosname.domainname +@@ -589,51 +594,56 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + *netbios_aliases, + lp_dnsdomain()); + +- spn = talloc_asprintf(mem_ctx, "HOST/%s", my_fqdn); ++ spn = talloc_asprintf(frame, "HOST/%s", my_fqdn); + if (spn == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + ok = ads_element_in_array(spn_array, num_spns, spn); + if (ok) { +- TALLOC_FREE(spn); + continue; + } + ok = add_string_to_array(spn_array, spn, + &spn_array, &num_spns); + if (!ok) { +- TALLOC_FREE(spn); +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } +- TALLOC_FREE(spn); + } + + /* make sure to NULL terminate the array */ +- spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1); ++ spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + spn_array[num_spns] = NULL; + + mods = ads_init_mods(mem_ctx); + if (!mods) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + /* fields of primary importance */ + + status = ads_mod_str(mem_ctx, &mods, "dNSHostName", my_fqdn); + if (!ADS_ERR_OK(status)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + + status = ads_mod_strlist(mem_ctx, &mods, "servicePrincipalName", + spn_array); + if (!ADS_ERR_OK(status)) { +- return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; + } + +- return ads_gen_mod(r->in.ads, 
r->out.dn, mods); ++ status = ads_gen_mod(r->in.ads, r->out.dn, mods); ++ ++done: ++ TALLOC_FREE(frame); ++ return status; + } + + /**************************************************************** +-- +2.21.0 + + +From 3e65f72b141a7ee256ae581e5f48f1d930aed76a Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Wed, 18 Sep 2019 23:15:57 +0300 +Subject: [PATCH 4/6] libnet_join_set_machine_spn: simplify adding uniq spn to + array + +and do not skip adding a fully qualified spn to netbios-aliases +in case a short spn already existed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + source3/libnet/libnet_join.c | 56 +++++++++++++++--------------------- + 1 file changed, 23 insertions(+), 33 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 43035370526..a1d8a25bbc2 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -483,6 +483,19 @@ static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx, + return status; + } + ++static ADS_STATUS add_uniq_spn(TALLOC_CTX *mem_ctx, const char *spn, ++ const char ***array, size_t *num) ++{ ++ bool ok = ads_element_in_array(*array, *num, spn); ++ if (!ok) { ++ ok = add_string_to_array(mem_ctx, spn, array, num); ++ if (!ok) { ++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ } ++ } ++ return ADS_SUCCESS; ++} ++ + /**************************************************************** + Set a machines dNSHostName and servicePrincipalName attributes + ****************************************************************/ +@@ -497,7 +510,6 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + const char **spn_array = NULL; + size_t num_spns = 0; + char *spn = NULL; +- bool ok; + const char **netbios_aliases = NULL; + + /* Find our DN */ +@@ -527,14 +539,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = 
ads_element_in_array(spn_array, num_spns, spn); +- if (!ok) { +- ok = add_string_to_array(frame, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- goto done; +- } ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; + } + + fstr_sprintf(my_fqdn, "%s.%s", r->in.machine_name, lp_dnsdomain()); +@@ -550,14 +557,9 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (!ok) { +- ok = add_string_to_array(frame, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); +- goto done; +- } ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; + } + + for (netbios_aliases = lp_netbios_aliases(); +@@ -576,14 +578,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { + goto done; + } + +@@ -600,14 +596,8 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + +- ok = ads_element_in_array(spn_array, num_spns, spn); +- if (ok) { +- continue; +- } +- ok = add_string_to_array(spn_array, spn, +- &spn_array, &num_spns); +- if (!ok) { +- status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { + goto done; + } + } +-- +2.21.0 + + +From db7560ff0fb861552406bb4c422cff55c82f58bf Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 17 Sep 2019 21:38:07 +0300 +Subject: [PATCH 5/6] docs-xml: add "additional dns hostnames" smb.conf option + +BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy +--- + docs-xml/smbdotconf/base/additionaldnshostnames.xml | 11 +++++++++++ + 1 file changed, 11 insertions(+) + create mode 100644 docs-xml/smbdotconf/base/additionaldnshostnames.xml + +diff --git a/docs-xml/smbdotconf/base/additionaldnshostnames.xml b/docs-xml/smbdotconf/base/additionaldnshostnames.xml +new file mode 100644 +index 00000000000..ddc04ee9f81 +--- /dev/null ++++ b/docs-xml/smbdotconf/base/additionaldnshostnames.xml +@@ -0,0 +1,11 @@ ++ ++ ++ A list of additional DNS names by which this host can be identified ++ ++ ++empty string (no additional dns names) ++ host2.example.com host3.other.com ++ +-- +2.21.0 + + +From 2669cecc51f8f7d6675b4dac9b345b3c5a7fc879 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Fri, 13 Sep 2019 10:56:10 +0300 +Subject: [PATCH 6/6] libnet_join: add SPNs for additional-dns-hostnames + entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +and set msDS-AdditionalDnsHostName to the specified list. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14116 + +Signed-off-by: Isaac Boukris +Reviewed-by: Ralph Boehme +Reviewed-by: Alexander Bokovoy + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Fri Oct 25 10:43:08 UTC 2019 on sn-devel-184 +--- + source3/libnet/libnet_join.c | 27 +++++++++++++++++++++++++++ + testprogs/blackbox/test_net_ads.sh | 10 +++++++++- + 2 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a1d8a25bbc2..eb8e0ea17f7 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -511,6 +511,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + size_t num_spns = 0; + char *spn = NULL; + const char **netbios_aliases = NULL; ++ const char **addl_hostnames = NULL; + + /* Find our DN */ + +@@ -602,6 +603,22 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + } + } + ++ for (addl_hostnames = lp_additional_dns_hostnames(); ++ addl_hostnames != NULL && *addl_hostnames != NULL; ++ addl_hostnames++) { ++ ++ spn = talloc_asprintf(frame, "HOST/%s", *addl_hostnames); ++ if (spn == NULL) { ++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); ++ goto done; ++ } ++ ++ status = add_uniq_spn(frame, spn, &spn_array, &num_spns); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ } ++ + /* make sure to NULL terminate the array */ + spn_array = talloc_realloc(frame, spn_array, const char *, num_spns + 1); + if (spn_array == NULL) { +@@ -629,6 +646,16 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx, + goto done; + } + ++ addl_hostnames = lp_additional_dns_hostnames(); ++ if (addl_hostnames != NULL && *addl_hostnames != NULL) { ++ status = ads_mod_strlist(mem_ctx, &mods, ++ "msDS-AdditionalDnsHostName", ++ addl_hostnames); ++ if (!ADS_ERR_OK(status)) { ++ goto done; ++ } ++ } ++ + status = ads_gen_mod(r->in.ads, r->out.dn, mods); + + done: +diff --git a/testprogs/blackbox/test_net_ads.sh 
b/testprogs/blackbox/test_net_ads.sh +index ef6f99ddea4..8bcff006b8e 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -202,13 +202,21 @@ base_dn="DC=addom,DC=samba,DC=example,DC=com" + computers_dn="CN=Computers,$base_dn" + testit "ldb check for existence of machine account" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM -s base -b "cn=$HOSTNAME,$computers_dn" || failed=`expr $failed + 1` + +-testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++dns_alias1="${netbios}_alias1.other.${lc_realm}" ++dns_alias2="${netbios}_alias2.other2.${lc_realm}" ++testit "join" $VALGRIND $net_tool --option=additionaldnshostnames=$dns_alias1,$dns_alias2 ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + + testit "testjoin" $VALGRIND $net_tool ads testjoin || failed=`expr $failed + 1` + + testit_grep "check dNSHostName" $fqdn $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ dNSHostName || failed=`expr $failed + 1` + testit_grep "check SPN" ${uc_netbios}.${lc_realm} $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` + ++testit_grep "dns alias SPN" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++testit_grep "dns alias SPN" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ servicePrincipalName || failed=`expr $failed + 1` ++ ++testit_grep "dns alias addl" $dns_alias1 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` ++testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1` ++ + ##Goodbye... + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + +-- +2.21.0 + 
diff --git a/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch b/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
new file mode 100644
index 0000000..b8afd92
--- /dev/null
+++ b/SOURCES/samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch
@@ -0,0 +1,172 @@ +From f38cf794fe16e5b160db1a3f4f17d5e5c7601d5c Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 17 Oct 2019 11:39:02 -0700 +Subject: [PATCH 1/2] s3: libsmb: Ensure SMB1 cli_qpathinfo2() doesn't return + an inode number. + +The info level it uses doesn't return that, previously we +were using the field that is returned as the EA size as +the inode number (which is usually zero, so the code in +libsmbclient would then synthesize an inode number from +a hash of the pathname, which is all it can do for SMB1). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161 + +Signed-off-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit d495074ee27a5f528d5156a69800ee58d799b1eb) +--- + source3/libsmb/clirap.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c +index e80dfc92a77..b4b40ebdab4 100644 +--- a/source3/libsmb/clirap.c ++++ b/source3/libsmb/clirap.c +@@ -855,7 +855,15 @@ NTSTATUS cli_qpathinfo2_recv(struct tevent_req *req, + *size = IVAL2_TO_SMB_BIG_UINT(state->data,48); + } + if (ino) { +- *ino = IVAL(state->data, 64); ++ /* ++ * SMB1 qpathinfo2 uses SMB_QUERY_FILE_ALL_INFO ++ * which doesn't return an inode number (fileid). ++ * We can't change this to one of the FILE_ID ++ * info levels as only Win2003 and above support ++ * these [MS-SMB: 2.2.2.3.1] and the SMB1 code ++ * needs to support older servers. ++ */ ++ *ino = 0; + } + return NT_STATUS_OK; + } +-- +2.23.0.866.gb869b98d4c-goog + + +From 9c1abe9348c83a2ecd63563f2b47ddf22fd814be Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 17 Oct 2019 12:41:08 -0700 +Subject: [PATCH 2/2] s3: torture: Ensure SMB1 cli_qpathinfo2() doesn't return + an inode number. 
+ +Piggyback on existing tests, ensure we don't regress on: + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14161 + +Signed-off-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 8e55a8562951924e4b1aad5a6d67fc8b309590c1) +--- + source3/torture/torture.c | 49 +++++++++++++++++++++++++++++++++++++-- + 1 file changed, 47 insertions(+), 2 deletions(-) + +diff --git a/source3/torture/torture.c b/source3/torture/torture.c +index 66dc0cf4d1c..a795e61125f 100644 +--- a/source3/torture/torture.c ++++ b/source3/torture/torture.c +@@ -4211,6 +4211,7 @@ static bool run_trans2test(int dummy) + bool correct = True; + NTSTATUS status; + uint32_t fs_attr; ++ uint64_t ino; + + printf("starting trans2 test\n"); + +@@ -4218,6 +4219,14 @@ static bool run_trans2test(int dummy) + return False; + } + ++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { ++ /* Ensure ino is zero, SMB2 gets a real one. */ ++ ino = 0; ++ } else { ++ /* Ensure ino is -1, SMB1 never gets a real one. */ ++ ino = (uint64_t)-1; ++ } ++ + status = cli_get_fs_attr_info(cli, &fs_attr); + if (!NT_STATUS_IS_OK(status)) { + printf("ERROR: cli_get_fs_attr_info returned %s\n", +@@ -4289,7 +4298,7 @@ static bool run_trans2test(int dummy) + O_RDWR | O_CREAT | O_TRUNC, DENY_NONE, &fnum); + cli_close(cli, fnum); + status = cli_qpathinfo2(cli, fname, &c_time_ts, &a_time_ts, &w_time_ts, +- &m_time_ts, &size, NULL, NULL); ++ &m_time_ts, &size, NULL, &ino); + if (!NT_STATUS_IS_OK(status)) { + printf("ERROR: qpathinfo2 failed (%s)\n", nt_errstr(status)); + correct = False; +@@ -4299,6 +4308,19 @@ static bool run_trans2test(int dummy) + printf("This system appears to set a initial 0 write time\n"); + correct = False; + } ++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { ++ /* SMB2 should always return an inode. */ ++ if (ino == 0) { ++ printf("SMB2 bad inode (0)\n"); ++ correct = false; ++ } ++ } else { ++ /* SMB1 must always return zero here. 
*/ ++ if (ino != 0) { ++ printf("SMB1 bad inode (!0)\n"); ++ correct = false; ++ } ++ } + } + + cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); +@@ -11593,11 +11615,20 @@ static bool run_dir_createtime(int dummy) + struct timespec create_time1; + uint16_t fnum; + bool ret = false; ++ uint64_t ino; + + if (!torture_open_connection(&cli, 0)) { + return false; + } + ++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { ++ /* Ensure ino is zero, SMB2 gets a real one. */ ++ ino = 0; ++ } else { ++ /* Ensure ino is -1, SMB1 never gets a real one. */ ++ ino = (uint64_t)-1; ++ } ++ + cli_unlink(cli, fname, FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN); + cli_rmdir(cli, dname); + +@@ -11608,13 +11639,27 @@ static bool run_dir_createtime(int dummy) + } + + status = cli_qpathinfo2(cli, dname, &create_time, NULL, NULL, NULL, +- NULL, NULL, NULL); ++ NULL, NULL, &ino); + if (!NT_STATUS_IS_OK(status)) { + printf("cli_qpathinfo2 returned %s\n", + nt_errstr(status)); + goto out; + } + ++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { ++ /* SMB2 should always return an inode. */ ++ if (ino == 0) { ++ printf("SMB2 bad inode (0)\n"); ++ goto out; ++ } ++ } else { ++ /* SMB1 must always return zero here. */ ++ if (ino != 0) { ++ printf("SMB1 bad inode (!0)\n"); ++ goto out; ++ } ++ } ++ + /* Sleep 3 seconds, then create a file. */ + sleep(3); + +-- +2.23.0.866.gb869b98d4c-goog + diff --git a/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch b/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch new file mode 100644 index 0000000..d079d31 --- /dev/null +++ b/SOURCES/samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch 
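Review bot: The new failure branches in run_trans2test use `correct = false;` while the function declares `bool correct = True;` and the existing failure path two lines above uses `correct = False;`; within one function the new code should follow the local spelling, `correct = False;`, or the whole function should be converted in a separate change. The SMB1/SMB2 sentinel setup (`ino = 0;` versus `ino = (uint64_t)-1;`) and the post-call `ino == 0` / `ino != 0` check are now copied verbatim into both run_trans2test and run_dir_createtime, so a small static helper taking the connection and the returned ino would remove the duplication. A one-line comment at the `cli_qpathinfo2(..., &ino)` calls saying that SMB1 is expected to report 0 because SMB_QUERY_FILE_ALL_INFO carries no file id would tie the tests back to the cli_qpathinfo2_recv change. Both torture functions continue outside the hunks.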
@@ -0,0 +1,33 @@
+From 7de67a994e84c2fadccb48c2448f2cba529a57fd Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 31 Jul 2019 10:42:24 +0200
+Subject: [PATCH] smbd: Fix the build with clang
+
+clang correctly complains that "close_fsp" is used uninitialized if
+"get_posix_fsp" fails and we end up in "goto out;".
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14251
+
+Signed-off-by: Volker Lendecke
+Reviewed-by: Jeremy Allison
+(cherry picked from commit a8a1ca3f83dce6d725392989cbc97271cbf52f4a)
+---
+ source3/smbd/trans2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index b0616f15ade..8164c8fd213 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -4848,7 +4848,7 @@ static NTSTATUS smb_query_posix_acl(connection_struct *conn,
+ unsigned int size_needed = 0;
+ NTSTATUS status;
+ bool ok;
+- bool close_fsp;
++ bool close_fsp = false;
+ 
+ /*
+ * Ensure we always operate on a file descriptor, not just
+--
+2.24.1
+
diff --git a/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch b/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
new file mode 100644
index 0000000..ff175fe
--- /dev/null
+++ b/SOURCES/samba-4.11.7-fix_smbclient_debug_spam.patch
@@ -0,0 +1,48 @@ +From c50d91d16292a13d29b1125c0aa85c7a7963de5f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 27 Jan 2020 14:58:10 +0100 +Subject: [PATCH] lib:util: Log mkdir error on correct debug levels +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +For smbd we want an error and for smbclient we only want it in NOTICE +debug level. +The default log level of smbclient is log level 1 so we need notice to +not spam the user. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14253 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Mon Jan 27 15:55:24 UTC 2020 on sn-devel-184 + +(cherry picked from commit 0ad6a243b259d284064c0c5abcc7d430d55be7e1) +--- + lib/util/util.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/lib/util/util.c b/lib/util/util.c +index 3bdeded5c1b..0d9ffe5cb7b 100644 +--- a/lib/util/util.c ++++ b/lib/util/util.c +@@ -353,9 +353,12 @@ _PUBLIC_ bool directory_create_or_exist(const char *dname, + old_umask = umask(0); + ret = mkdir(dname, dir_perms); + if (ret == -1 && errno != EEXIST) { +- DBG_WARNING("mkdir failed on directory %s: %s\n", ++ int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE; ++ ++ DBG_PREFIX(dbg_level, ++ ("mkdir failed on directory %s: %s\n", + dname, +- strerror(errno)); ++ strerror(errno))); + umask(old_umask); + return false; + } +-- +2.25.0 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index ad1bc72..51f3b9c 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 7 +%define main_release 13 %define samba_version 4.11.2 %define talloc_version 2.2.0 
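Review bot: `int dbg_level = geteuid() == 0 ? DBGLVL_ERR : DBGLVL_NOTICE;` selects the level by effective uid, whereas the commit message describes wanting ERR for smbd and NOTICE for smbclient; smbclient run as root will therefore log at ERR and an unprivileged smbd (for example under selftest) at NOTICE, so the condition deserves a comment stating that "running as root" is the actual proxy being used. The errno left by the failed mkdir() is only consumed by `strerror(errno)` after geteuid() has run; geteuid() is documented never to fail, but the robust form is `int saved_errno = errno;` as the first statement of the branch and `strerror(saved_errno)` in the DBG_PREFIX call. directory_create_or_exist continues outside the hunk.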
@@ -325,8 +325,15 @@ Patch0205: 0205-param-Do-not-use-weak-crypto-for-kerberos-if-disallo.patch Patch0206: 0206-param-Do-not-use-weak-crypto-in-ldap-server-if-disal.patch Patch0207: 0207-libcli-auth-If-weak-crypto-is-disallowed-reject-md5-.patch Patch0208: 0208-s3-librpc-Only-use-RC4-if-our-systems-supports-it.patch +Patch0209: 0209-s3-rpcserver-fix-security-level-check-for-DsRGetFore.patch Patch1000: samba-4.11.3-only_link_libnsl_libsocket_if_needed.patch +Patch1001: CVE-2019-14907-4.11.patch +Patch1002: krb5_no_des_411.patch +Patch1003: samba-4.11.7-fix_smbclient_debug_spam.patch +Patch1004: samba-4.11.3-fix_smb1_cli_qpathinfo_2_3.patch +Patch1005: samba-4.11.7-fix_segfault_in_smbd_do_qfilepathinfo.patch +Patch1006: samba-4.10-fix-netbios-join.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -422,9 +429,6 @@ BuildRequires: libcephfs-devel # Add python3-iso8601 to avoid that the # version in Samba is being packaged BuildRequires: python3-iso8601 -BuildRequires: python3-subunit-test -# Required by samba-tool to run tests -BuildRequires: python3-crypto BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} @@ -1272,7 +1276,7 @@ popd %if %{with testsuite} %check -TDB_NO_FSYNC=1 make %{?_smp_mflags} test +TDB_NO_FSYNC=1 make %{?_smp_mflags} test FAIL_IMMEDIATELY=1 #endif with testsuite %endif @@ -1358,10 +1362,12 @@ fi %{?ldconfig} %preun -n libwbclient -%{_sbindir}/update-alternatives \ - --remove \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ - %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +if [ $1 -eq 0 ]; then + %{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +fi /sbin/ldconfig %posttrans -n libwbclient-devel 
@@ -1377,10 +1383,16 @@ fi
 # When downgrading to a version where alternatives is not used and
 # libwbclient.so is a link and not a file it will be removed. The following
 # check removes the alternatives files manually if that is the case.
-if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
- /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
-else
- %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+if [ $1 -eq 0 ]; then
+ if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.%{libwbc_alternatives_version}" ]; then
+ /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} \
+ /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+ else
+ %{_sbindir}/update-alternatives \
+ --remove \
+ libwbclient.so%{libwbc_alternatives_suffix} \
+ %{_libdir}/samba/wbclient/libwbclient.so
+ fi
 fi
 #endif with_libwbclient
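Review bot: The comment kept above the new `if [ $1 -eq 0 ]` still says this cleanup handles downgrading, but in an rpm `%preun` `$1` is 1 for upgrades and downgrades alike and 0 only on erase, so the `readlink` check and the manual `/bin/rm` of the `/etc/alternatives` and `/var/lib/alternatives` files it describes no longer run in the downgrade case at all; if that case still matters, the readlink/rm branch should stay outside the `$1` guard and only the `update-alternatives --remove` be guarded, otherwise reword the comment to `# On erase only: if libwbclient.so is no longer the alternatives link, drop the stale alternatives files by hand`. Separately, `==` inside `[ ]` is a bash extension; `=` behaves identically here and is the portable form. The scriptlet header (`%preun`/`%postun -n …`) is above the hunk, so the exact `$1` semantics are inferred from the `$1 -eq 0` idiom used.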
@@ -3713,6 +3725,28 @@ fi
 %endif
 %changelog
+* Thu Feb 13 2020 Isaac Boukris - 4.11.2-13
+- resolves: #1802182 - Fix join using netbios name
+
+* Wed Jan 29 2020 Andreas Schneider - 4.11.2-12
+- related: #1781232 - Improve debug output of smbclient
+- resolves: #1794461 - Do not return bogus inode numbers in
+ cli_qpathinfo2()/cli_qpathinfo3() for SMB1
+- resolves: #1794442 - Fix segfault in smbd_do_qfilepathinfo()
+
+* Thu Jan 23 2020 Isaac Boukris - 4.11.2-11
+- resolves: #1778130 - Remove usage of DES encryption types in krb5
+
+* Fri Jan 17 2020 Alexander Bokovoy - 4.11.2-10
+- resolves: #1790353 - Fix access check in DsRGetForestTrustInformation
+- resolves: #1791209 - Fix CVE-2019-14907
+
+* Fri Jan 10 2020 Andreas Schneider - 4.11.2-9
+- resolves: #1785134 - Fix libwbclient manual alternative settings
+
+* Fri Jan 10 2020 Andreas Schneider - 4.11.2-8
+- resolves: #1781232 - Fix smbclient debug message
+
 * Thu Dec 12 2019 Andreas Schneider - 4.11.2-7
 - related: #1637861 - Fix trust creation if weak crypto is disallowed
