diff --git a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch new file mode 100644 index 0000000..83a4985 --- /dev/null +++ b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch @@ -0,0 +1,74 @@ +From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Aug 2017 18:14:23 +0200 +Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 + +Signed-off-by: Andreas Schneider +Reviewed-by: Richard Sharpe +(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d) +--- + source3/libads/krb5_setpw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c +index 630c2e46631..bc96ac603b1 100644 +--- a/source3/libads/krb5_setpw.c ++++ b/source3/libads/krb5_setpw.c +@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, + ret = krb5_set_password(context, + &creds, + discard_const_p(char, newpw), +- princ, ++ NULL, + &result_code, + &result_code_string, + &result_string); +-- +2.14.0 + + +From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Aug 2017 12:14:34 +0200 +Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw' + +BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 + +Signed-off-by: Andreas Schneider +Reviewed-by: Richard Sharpe + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144 + +(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f) +--- + testprogs/blackbox/test_net_ads.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 99b886f53eb..bbd99b676bd 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed + + testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + ++testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` ++ + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + + # Test with kerberos method = secrets and keytab +@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC + + testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + ++testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` ++ + testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + rm -f $dedicated_keytab_file + +-- +2.14.0 + diff --git a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch new file mode 100644 index 0000000..5c66709 --- /dev/null +++ b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch @@ -0,0 +1,391 @@ +From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:08:46 +0200 +Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29) +--- + source3/include/proto.h | 3 ++- + source3/libsmb/passchange.c | 5 +++-- + source3/utils/smbpasswd.c | 3 ++- + 3 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index baa579995a5..9deb27b416b 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain, + + /* The following definitions come from libsmb/passchange.c */ + +-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, + const char *old_passwd, const char *new_passwd, + char **err_str); + +diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c +index c89b7ca85d1..48ffba8036f 100644 +--- a/source3/libsmb/passchange.c ++++ b/source3/libsmb/passchange.c +@@ -30,7 +30,8 @@ + Change a password on a remote machine using IPC calls. + *************************************************************/ + +-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, + const char *old_passwd, const char *new_passwd, + char **err_str) + { +@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam + + creds = cli_session_creds_init(cli, + user_name, +- NULL, /* domain */ ++ domain, + NULL, /* realm */ + old_passwd, + false, /* use_kerberos */ +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 437a5e551bb..4d7a3c739bc 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username, + fprintf(stderr, "Invalid remote operation!\n"); + return NT_STATUS_UNSUCCESSFUL; + } +- ret = remote_password_change(remote_mach, username, ++ ret = remote_password_change(remote_mach, ++ NULL, username, + old_passwd, new_pw, &err_str); + } else { + ret = local_password_change(username, local_flags, new_pw, +-- +2.14.1 + + +From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:10:06 +0200 +Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950) +--- + source3/include/proto.h | 7 ------- + source3/libsmb/proto.h | 10 ++++++++++ + source3/utils/smbpasswd.c | 1 + + 3 files changed, 11 insertions(+), 7 deletions(-) + +diff --git a/source3/include/proto.h b/source3/include/proto.h +index 9deb27b416b..67e1a9d750e 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain, + fstring srv_name, + struct sockaddr_storage *ss_out); + +-/* The following definitions come from libsmb/passchange.c */ +- +-NTSTATUS remote_password_change(const char *remote_machine, +- const char *domain, const char *user_name, +- const char *old_passwd, const char *new_passwd, +- char **err_str); +- + /* The following definitions come from libsmb/smberr.c */ + + const char *smb_dos_err_name(uint8_t e_class, uint16_t num); +diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h +index a583a8ee159..44f4d04cff5 100644 +--- a/source3/libsmb/proto.h ++++ b/source3/libsmb/proto.h +@@ -31,6 +31,9 @@ + + struct smb_trans_enc_state; + struct cli_credentials; ++struct cli_state; ++struct file_info; ++struct print_job_info; + + /* The following definitions come from libsmb/cliconnect.c */ + +@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname, + TALLOC_CTX *mem_ctx, char **psubstitute_name, + char **pprint_name, uint32_t *pflags); + ++/* The following definitions come from libsmb/passchange.c */ ++ ++NTSTATUS remote_password_change(const char *remote_machine, ++ const char *domain, const char *user_name, ++ const char *old_passwd, const char *new_passwd, ++ char **err_str); ++ + #endif /* _LIBSMB_PROTO_H_ */ +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 4d7a3c739bc..6eb2deb7a3b 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -21,6 +21,7 @@ + #include "secrets.h" + #include "../librpc/gen_ndr/samr.h" + #include "../lib/util/util_pw.h" ++#include "libsmb/proto.h" + #include "passdb.h" + + /* +-- +2.14.1 + + +From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:13:15 +0200 +Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change() + in smbpasswd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373) +--- + source3/utils/smbpasswd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 6eb2deb7a3b..b0e08cc0e58 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get) + Change a password either locally or remotely. + *************************************************************/ + +-static NTSTATUS password_change(const char *remote_mach, char *username, +- char *old_passwd, char *new_pw, ++static NTSTATUS password_change(const char *remote_mach, ++ const char *username, ++ const char *old_passwd, const char *new_pw, + int local_flags) + { + NTSTATUS ret; +-- +2.14.1 + + +From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:14:57 +0200 +Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit b483340639157fe95777672f5723455c48c3c616) +--- + source3/utils/smbpasswd.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index b0e08cc0e58..92712e38f6b 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get) + *************************************************************/ + + static NTSTATUS password_change(const char *remote_mach, +- const char *username, ++ const char *domain, const char *username, + const char *old_passwd, const char *new_pw, + int local_flags) + { +@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach, + return NT_STATUS_UNSUCCESSFUL; + } + ret = remote_password_change(remote_mach, +- NULL, username, ++ domain, username, + old_passwd, new_pw, &err_str); + } else { + ret = local_password_change(username, local_flags, new_pw, +@@ -466,7 +466,8 @@ static int process_root(int local_flags) + } + } + +- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, ++ if (!NT_STATUS_IS_OK(password_change(remote_machine, ++ NULL, user_name, + old_passwd, new_passwd, + local_flags))) { + result = 1; +@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags) + exit(1); + } + +- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw, +- new_pw, 0))) { ++ if (!NT_STATUS_IS_OK(password_change(remote_machine, ++ NULL, user_name, ++ old_pw, new_pw, 0))) { + result = 1; + goto done; + } +-- +2.14.1 + + +From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 18 Aug 2017 16:17:08 +0200 +Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name + in smbpasswd + +If a local user wants to change his password using smbpasswd and the +machine is a domain member, we need to make sure we authenticate against +our SAM and not ask winbind. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02) +--- + source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 92712e38f6b..556e6869da7 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -58,7 +58,7 @@ static void usage(void) + printf(" -c smb.conf file Use the given path to the smb.conf file\n"); + printf(" -D LEVEL debug level\n"); + printf(" -r MACHINE remote machine\n"); +- printf(" -U USER remote username\n"); ++ printf(" -U USER remote username (e.g. SAM/user)\n"); + + printf("extra options when run by root or in local mode:\n"); + printf(" -a add user\n"); +@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags) + + user_name[0] = '\0'; + +- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { ++ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) { + switch(ch) { + case 'L': + if (getuid() != 0) { +@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags) + int result = 0; + char *old_pw = NULL; + char *new_pw = NULL; ++ const char *username = user_name; ++ const char *domain = NULL; ++ char *p = NULL; + + if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) { + /* Extra flags that we can't honor non-root */ +@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags) + } + } + ++ /* Allow domain as part of the username */ ++ if ((p = strchr_m(user_name, '\\')) || ++ (p = strchr_m(user_name, '/')) || ++ (p = strchr_m(user_name, *lp_winbind_separator()))) { ++ *p = '\0'; ++ username = p + 1; ++ domain = user_name; ++ } ++ + /* + * A non-root user is always setting a password + * via a remote machine (even if that machine is +@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags) + + load_interfaces(); /* Delayed from main() */ + +- if (remote_machine == NULL) { ++ if (remote_machine != NULL) { ++ if (!is_ipaddress(remote_machine)) { ++ domain = remote_machine; ++ } ++ } else { + remote_machine = "127.0.0.1"; ++ ++ /* ++ * If we deal with a local user, change the password for the ++ * user in our SAM. ++ */ ++ domain = get_global_sam_name(); + } + + if (remote_machine != NULL) { +@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags) + } + + if (!NT_STATUS_IS_OK(password_change(remote_machine, +- NULL, user_name, ++ domain, username, + old_pw, new_pw, 0))) { + result = 1; + goto done; + } + +- printf("Password changed for user %s\n", user_name); ++ printf("Password changed for user %s\n", username); + + done: + SAFE_FREE(old_pw); +-- +2.14.1 + + +From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 22 Aug 2017 15:46:07 +0200 +Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 + +Review with: git show -U20 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e) +--- + source3/utils/smbpasswd.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 556e6869da7..fb7ad283995 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags) + domain = get_global_sam_name(); + } + +- if (remote_machine != NULL) { +- old_pw = get_pass("Old SMB password:",stdin_passwd_get); +- if (old_pw == NULL) { +- fprintf(stderr, "Unable to get old password.\n"); +- exit(1); +- } ++ old_pw = get_pass("Old SMB password:",stdin_passwd_get); ++ if (old_pw == NULL) { ++ fprintf(stderr, "Unable to get old password.\n"); ++ exit(1); + } + + if (!new_passwd) { +-- +2.14.1 + diff --git a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch new file mode 100644 index 0000000..74daaa8 --- /dev/null +++ b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch @@ -0,0 +1,53 @@ +From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 30 May 2017 16:30:33 +0200 +Subject: [PATCH] libcli:smb2: Gracefully handle not supported for + FSCTL_VALIDATE_NEGOTIATE_INFO + +If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only +server then gracefully handle NT_STATUS_NOT_SUPPORTED too. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808 + +Signed-off-by: Andreas Schneider +Signed-off-by: Guenther Deschner +Pair-Programmed-With: Guenther Deschner +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144 + +(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a) +--- + libcli/smb/smbXcli_base.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c +index a7b24f01497..593edf9ce78 100644 +--- a/libcli/smb/smbXcli_base.c ++++ b/libcli/smb/smbXcli_base.c +@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) + tevent_req_done(req); + return; + } ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ /* ++ * The response was signed, but not supported ++ * ++ * This might be returned by older Windows versions or by ++ * NetApp SMB server implementations. ++ * ++ * See ++ * ++ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/ ++ * ++ */ ++ tevent_req_done(req); ++ return; ++ } + if (tevent_req_nterror(req, status)) { + return; + } +-- +2.13.1.518.g3df882009-goog + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index fe73e2e..e167c3a 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 8 +%define main_release 10 %define samba_version 4.6.2 %define talloc_version 2.1.9 @@ -65,10 +65,7 @@ %global with_dc 1 %endif -%global required_mit_krb5 1.10 -%if %{with_dc} %global required_mit_krb5 1.15.1 -%endif %global with_clustering_support 0 @@ -128,6 +125,9 @@ Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch Patch14: samba-v4-6-fix_smbclient_username_parsing.patch Patch15: samba-v4-6-fix_winbind_normalize_names.patch +Patch16: samba-v4-6-fix_net_ads_changetrustpw.patch +Patch17: samba-v4.6-fix_smbpasswd_user_pwd_change.patch +Patch18: samba-v4.6-graceful_fsctl_validate_negotiate_info.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -291,6 +291,7 @@ Requires: %{name}-common = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} %endif +Requires: krb5-libs >= %{required_mit_krb5} %description client-libs The samba-client-libs package contains internal libraries needed by the @@ -430,7 +431,6 @@ the Kerberos credentials cache of the user issuing the print job. ### LIBS %package libs Summary: Samba libraries -Requires: krb5-libs >= 1.14 Requires: %{name}-client-libs = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} @@ -2649,6 +2649,15 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Wed Aug 23 2017 Andreas Schneider - 4.6.2-10 +- resolves: #1484423 - Require at least krb5 version 1.15.1 +- resolves: #1484713 - Fix password changes for users via smbpasswd +- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO + returned errors + +* Mon Aug 14 2017 Andreas Schneider - 4.6.2-9 +- resolves: #1481188 - Fix 'net ads changetrustpw' + * Thu Jun 22 2017 Andreas Schneider - 4.6.2-8 - resolves: #1459936 - Fix regression with "follow symlinks = no"