diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch
index 2923d4a..e0ebc3c 100644
--- a/SOURCES/samba-4.10-redhat.patch
+++ b/SOURCES/samba-4.10-redhat.patch
@@ -1,7 +1,7 @@
From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Tue, 7 Jan 2020 19:25:53 +0200
-Subject: [PATCH 001/142] s3-rpcserver: fix security level check for
+Subject: [PATCH 001/146] s3-rpcserver: fix security level check for
DsRGetForestTrustInformation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644
}
--
-2.39.0
+2.41.0
From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 16:50:45 +0200
-Subject: [PATCH 002/142] Add a test to check dNSHostName with netbios aliases
+Subject: [PATCH 002/146] Add a test to check dNSHostName with netbios aliases
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755
# Test createcomputer option of 'net ads join'
#
--
-2.39.0
+2.41.0
From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:52:46 +0200
-Subject: [PATCH 003/142] Fix accidental overwrite of dnsHostName by the last
+Subject: [PATCH 003/146] Fix accidental overwrite of dnsHostName by the last
netbios alias
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644
status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
goto done;
--
-2.39.0
+2.41.0
From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 24 Oct 2019 19:04:51 +0300
-Subject: [PATCH 004/142] Refactor ads_keytab_add_entry() to make it iterable
+Subject: [PATCH 004/146] Refactor ads_keytab_add_entry() to make it iterable
so we can more easily add msDS-AdditionalDnsHostName entries.
@@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644
out:
SAFE_FREE(salt_princ_s);
--
-2.39.0
+2.41.0
From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 17:55:12 +0200
-Subject: [PATCH 005/142] Add a test for msDS-AdditionalDnsHostName entries in
+Subject: [PATCH 005/146] Add a test for msDS-AdditionalDnsHostName entries in
keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
--
-2.39.0
+2.41.0
From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:36:28 +0200
-Subject: [PATCH 006/142] Add msDS-AdditionalDnsHostName entries to the keytab
+Subject: [PATCH 006/146] Add msDS-AdditionalDnsHostName entries to the keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644
{
LDAPMessage *res = NULL;
--
-2.39.0
+2.41.0
From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 27 May 2020 15:54:12 +0200
-Subject: [PATCH 007/142] Add net-ads-join dnshostname=fqdn option
+Subject: [PATCH 007/146] Add net-ads-join dnshostname=fqdn option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396
@@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755
exit $failed
--
-2.39.0
+2.41.0
From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:04:57 +0200
-Subject: [PATCH 008/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 008/146] CVE-2020-1472(ZeroLogon): libcli/auth: add
netlogon_creds_random_challenge()
It's good to have just a single isolated function that will generate
@@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644
void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass);
--
-2.39.0
+2.41.0
From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:07:30 +0200
-Subject: [PATCH 009/142] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
+Subject: [PATCH 009/146] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
netlogon_creds_random_challenge()
This will avoid getting flakey tests once our server starts to
@@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644
torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r),
"ServerReqChallenge");
--
-2.39.0
+2.41.0
From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:08:38 +0200
-Subject: [PATCH 010/142] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
+Subject: [PATCH 010/146] CVE-2020-1472(ZeroLogon): libcli/auth: make use of
netlogon_creds_random_challenge() in netlogon_creds_cli.c
This will avoid getting rejected by the server if we generate
@@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
state->binding_handle,
--
-2.39.0
+2.41.0
From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 011/142] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon:
+Subject: [PATCH 011/146] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon:
make use of netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.
@@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644
*r->out.return_credentials = pipe_state->server_challenge;
--
-2.39.0
+2.41.0
From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:10:53 +0200
-Subject: [PATCH 012/142] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon:
+Subject: [PATCH 012/146] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon:
make use of netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.
@@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644
*r->out.return_credentials = pipe_state->server_challenge;
--
-2.39.0
+2.41.0
From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:15:26 +0200
-Subject: [PATCH 013/142] CVE-2020-1472(ZeroLogon): libcli/auth: add
+Subject: [PATCH 013/146] CVE-2020-1472(ZeroLogon): libcli/auth: add
netlogon_creds_is_random_challenge() to avoid weak values
This is the check Windows is using, so we won't generate challenges,
@@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644
void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key);
--
-2.39.0
+2.41.0
From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 16:17:29 +0200
-Subject: [PATCH 014/142] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
+Subject: [PATCH 014/146] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
client challenges in netlogon_creds_server_init()
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
@@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644
)
--
-2.39.0
+2.41.0
From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 19:20:25 +0200
-Subject: [PATCH 015/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 015/146] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
protect netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644
ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs,
--
-2.39.0
+2.41.0
From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 16 Sep 2020 12:53:50 -0700
-Subject: [PATCH 016/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 016/146] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
protect netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644
p->session_info,
p->msg_ctx,
--
-2.39.0
+2.41.0
From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 10:18:45 +0200
-Subject: [PATCH 017/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 017/146] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
refactor dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
@@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644
/*
--
-2.39.0
+2.41.0
From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 16 Sep 2020 10:56:53 +0200
-Subject: [PATCH 018/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
+Subject: [PATCH 018/146] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
@@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644
*creds_out = creds;
return NT_STATUS_OK;
--
-2.39.0
+2.41.0
From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Sep 2020 13:37:26 +0200
-Subject: [PATCH 019/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
+Subject: [PATCH 019/146] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
warnings about unsecure configurations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644
return NT_STATUS_OK;
}
--
-2.39.0
+2.41.0
From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 17 Sep 2020 14:57:22 +0200
-Subject: [PATCH 020/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 020/146] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
refactor dcesrv_netr_creds_server_step_check()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644
--
-2.39.0
+2.41.0
From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 17 Sep 2020 14:23:16 +0200
-Subject: [PATCH 021/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
+Subject: [PATCH 021/146] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
support "server require schannel:WORKSTATION$ = no"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644
*creds_out = creds;
return NT_STATUS_OK;
--
-2.39.0
+2.41.0
From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 17 Sep 2020 14:42:52 +0200
-Subject: [PATCH 022/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
+Subject: [PATCH 022/146] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
warnings about unsecure configurations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644
return NT_STATUS_OK;
}
--
-2.39.0
+2.41.0
From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Sep 2020 17:27:54 +0200
-Subject: [PATCH 023/142] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
+Subject: [PATCH 023/146] CVE-2020-1472(ZeroLogon): docs-xml: document 'server
require schannel:COMPUTERACCOUNT'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
@@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644
+
</samba:parameter>
--
-2.39.0
+2.41.0
From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Fri, 18 Sep 2020 12:39:54 +1200
-Subject: [PATCH 024/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
+Subject: [PATCH 024/146] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
machine acct pwd
Ensure that an empty machine account password can't be set by
@@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644
/* now try a random password */
password = generate_random_password(tctx, 8, 255);
--
-2.39.0
+2.41.0
From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Fri, 18 Sep 2020 15:57:34 +1200
-Subject: [PATCH 025/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
+Subject: [PATCH 025/146] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
bytes in client challenge
Ensure that client challenges with the first 5 bytes identical are
@@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644
}
--
-2.39.0
+2.41.0
From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 10 Jul 2020 15:09:33 -0700
-Subject: [PATCH 026/142] s4: torture: Add smb2.notify.handle-permissions test.
+Subject: [PATCH 026/146] s4: torture: Add smb2.notify.handle-permissions test.
Add knownfail entry.
@@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644
suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
--
-2.39.0
+2.41.0
From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 7 Jul 2020 18:25:23 -0700
-Subject: [PATCH 027/142] s3: smbd: Ensure change notifies can't get set unless
+Subject: [PATCH 027/146] s3: smbd: Ensure change notifies can't get set unless
the directory handle is open for SEC_DIR_LIST.
Remove knownfail entry.
@@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644
DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
"fname = %s\n", fsp->fsp_name->base_name));
--
-2.39.0
+2.41.0
From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Thu, 9 Jul 2020 21:49:25 +0200
-Subject: [PATCH 028/142] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
+Subject: [PATCH 028/146] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
A lookupsids request without extra_data will lead to "state->domain==NULL",
which makes winbindd_lookupsids_recv trying to dereference it.
@@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644
}
if (request->extra_data.data[request->extra_len-1] != '\0') {
--
-2.39.0
+2.41.0
From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Thu, 9 Jul 2020 21:48:57 +0200
-Subject: [PATCH 029/142] CVE-2020-14323 torture4: Add a simple test for
+Subject: [PATCH 029/146] CVE-2020-14323 torture4: Add a simple test for
invalid lookup_sids winbind call
We can't add this test before the fix, add it to knownfail and have the fix
@@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644
suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");
--
-2.39.0
+2.41.0
From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001
From: Laurent Menase <laurent.menase@hpe.com>
Date: Wed, 20 May 2020 12:31:53 +0200
-Subject: [PATCH 030/142] winbind: Fix a memleak
+Subject: [PATCH 030/146] winbind: Fix a memleak
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388
Signed-off-by: Laurent Menase <laurent.menase@hpe.com>
@@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644
}
--
-2.39.0
+2.41.0
From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 17 Aug 2020 13:39:58 +0200
-Subject: [PATCH 031/142] s3:tests: Add test for 'valid users = DOMAIN\%U'
+Subject: [PATCH 031/146] s3:tests: Add test for 'valid users = DOMAIN\%U'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467
@@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755
+
exit $failed
--
-2.39.0
+2.41.0
From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 17 Aug 2020 14:12:48 +0200
-Subject: [PATCH 032/142] s3:smbd: Fix %U substitutions if it contains a domain
+Subject: [PATCH 032/146] s3:smbd: Fix %U substitutions if it contains a domain
name
'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer
@@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644
if (sharename != NULL) {
name = talloc_string_sub(mem_ctx, name, "%S", sharename);
--
-2.39.0
+2.41.0
From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 9 Jul 2020 11:48:26 +0200
-Subject: [PATCH 033/142] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 033/146] docs: Fix documentation for require_membership_of of
pam_winbind
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644
<para>
--
-2.39.0
+2.41.0
From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 17 Jul 2020 12:14:16 +0200
-Subject: [PATCH 034/142] docs: Fix documentation for require_membership_of of
+Subject: [PATCH 034/146] docs: Fix documentation for require_membership_of of
pam_winbind.conf
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358
@@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644
<para>This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login).</para>
</listitem>
--
-2.39.0
+2.41.0
From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 21:05:07 +0300
-Subject: [PATCH 035/142] Fix a typo in recent net man page changes
+Subject: [PATCH 035/146] Fix a typo in recent net man page changes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
@@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644
</para>
--
-2.39.0
+2.41.0
From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 16 Jun 2020 22:01:49 +0300
-Subject: [PATCH 036/142] selftest: add tests for binary
+Subject: [PATCH 036/146] selftest: add tests for binary
msDS-AdditionalDnsHostName
Like the short names added implicitly by Windows DC.
@@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755
rm -f $dedicated_keytab_file
--
-2.39.0
+2.41.0
From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 11 Jun 2020 16:51:27 +0300
-Subject: [PATCH 037/142] Properly handle msDS-AdditionalDnsHostName returned
+Subject: [PATCH 037/146] Properly handle msDS-AdditionalDnsHostName returned
from Windows DC
Windows DC adds short names for each specified msDS-AdditionalDnsHostName
@@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644
DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n",
machine_name));
--
-2.39.0
+2.41.0
From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 20 Jun 2020 17:17:33 +0200
-Subject: [PATCH 038/142] Fix usage of ldap_get_values_len for
+Subject: [PATCH 038/146] Fix usage of ldap_get_values_len for
msDS-AdditionalDnsHostName
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406
@@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644
return NULL;
}
--
-2.39.0
+2.41.0
From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 15 Dec 2020 15:17:04 +0100
-Subject: [PATCH 039/142] HACK:s3:winbind: Rely on the domain child for online
+Subject: [PATCH 039/146] HACK:s3:winbind: Rely on the domain child for online
check
---
@@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644
/* Handle online/offline messages. */
--
-2.39.0
+2.41.0
From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Sep 2020 16:00:52 +0200
-Subject: [PATCH 040/142] s3:smbd: Use fsp al the talloc memory context
+Subject: [PATCH 040/146] s3:smbd: Use fsp al the talloc memory context
Somehow the lck pointer gets freed before we call TALLOC_FREE().
@@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644
&mtimespec);
--
-2.39.0
+2.41.0
From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 3 Feb 2021 12:58:31 +0100
-Subject: [PATCH 041/142] Revert "s3:smbd: Use fsp al the talloc memory
+Subject: [PATCH 041/146] Revert "s3:smbd: Use fsp al the talloc memory
context"
This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49.
@@ -3494,13 +3494,13 @@ index 9a24e331ab1..de557f53a20 100644
&mtimespec);
--
-2.39.0
+2.41.0
From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 22 Jul 2020 22:42:09 -0700
-Subject: [PATCH 042/142] nsswitch/nsstest.c: Avoid nss function conflicts with
+Subject: [PATCH 042/146] nsswitch/nsstest.c: Avoid nss function conflicts with
glibc nss.h
glibc 2.32 will define these varibles [1] which results in conflicts
@@ -3597,13 +3597,13 @@ index 6d92806cffc..46f96795f39 100644
static void nss_test_errors(void)
--
-2.39.0
+2.41.0
From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 3 Feb 2021 10:30:08 +0100
-Subject: [PATCH 043/142] lib:util: Add basic memcache unit test
+Subject: [PATCH 043/146] lib:util: Add basic memcache unit test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
@@ -3773,13 +3773,13 @@ index e7639c4da27..e3f7d9acb4a 100644
[os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
plantestsuite("samba.unittests.test_registry_regfio", "none",
--
-2.39.0
+2.41.0
From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 3 Feb 2021 10:37:12 +0100
-Subject: [PATCH 044/142] lib:util: Add cache oversize test for memcache
+Subject: [PATCH 044/146] lib:util: Add cache oversize test for memcache
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625
@@ -3857,13 +3857,13 @@ index 00000000000..0a74ace3003
@@ -0,0 +1 @@
+^samba.unittests.memcache.torture_memcache_add_oversize
--
-2.39.0
+2.41.0
From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 2 Feb 2021 18:10:38 +0100
-Subject: [PATCH 045/142] lib:util: Avoid free'ing our own pointer
+Subject: [PATCH 045/146] lib:util: Avoid free'ing our own pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@@ -3933,13 +3933,13 @@ index 0a74ace3003..00000000000
@@ -1 +0,0 @@
-^samba.unittests.memcache.torture_memcache_add_oversize
--
-2.39.0
+2.41.0
From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 5 Nov 2020 15:48:08 -0800
-Subject: [PATCH 046/142] s3: spoolss: Make parameters in call to
+Subject: [PATCH 046/146] s3: spoolss: Make parameters in call to
user_ok_token() match all other uses.
We already have p->session_info->unix_info->unix_name, we don't
@@ -3973,13 +3973,13 @@ index f32b465afb6..c0f1803c2fa 100644
!W_ERROR_IS_OK(print_access_check(p->session_info,
p->msg_ctx,
--
-2.39.0
+2.41.0
From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 11 Nov 2020 13:42:06 +0100
-Subject: [PATCH 047/142] s3:smbd: Fix possible null pointer dereference in
+Subject: [PATCH 047/146] s3:smbd: Fix possible null pointer dereference in
token_contains_name()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572
@@ -4009,13 +4009,13 @@ index 0705e197975..64276c79fbe 100644
/* Check if username starts with domain name */
if (domain_len > 0) {
--
-2.39.0
+2.41.0
From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Sat, 20 Feb 2021 15:50:12 +0100
-Subject: [PATCH 048/142] passdb: Simplify sids_to_unixids()
+Subject: [PATCH 048/146] passdb: Simplify sids_to_unixids()
Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.
@@ -4239,13 +4239,13 @@ index 1bb15ccb8b4..186ba17fda6 100644
}
break;
--
-2.39.0
+2.41.0
From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2016 09:12:59 +0100
-Subject: [PATCH 049/142] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
+Subject: [PATCH 049/146] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to
non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos
@@ -4301,13 +4301,13 @@ index 6ee4929e8d7..a0a1f4baa56 100644
} else {
struct tevent_req *subreq = NULL;
--
-2.39.0
+2.41.0
From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 27 Oct 2016 10:40:28 +0200
-Subject: [PATCH 050/142] CVE-2016-2124: s3:libsmb: don't fallback to non
+Subject: [PATCH 050/146] CVE-2016-2124: s3:libsmb: don't fallback to non
spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
@@ -4339,13 +4339,13 @@ index 9bba2665663..9a69d4b7217 100644
/*
* SessionSetupAndX was introduced by LANMAN 1.0. So we skip
--
-2.39.0
+2.41.0
From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Sat, 18 Jan 2020 08:06:45 +0100
-Subject: [PATCH 051/142] s3/auth: use set_current_user_info() in
+Subject: [PATCH 051/146] s3/auth: use set_current_user_info() in
auth3_generate_session_info_pac()
This delays reloading config slightly, but I don't see how could affect
@@ -4395,13 +4395,13 @@ index 167d4e00367..0e9c423efef 100644
ntuser, ntdomain, rhost));
--
-2.39.0
+2.41.0
From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 4 Nov 2021 11:51:08 +0100
-Subject: [PATCH 052/142] selftest: Fix ktest usermap file
+Subject: [PATCH 052/146] selftest: Fix ktest usermap file
The user was not mapped:
@@ -4430,13 +4430,13 @@ index 9e4da0e6a08..2eb5003112e 100755
close(USERMAP);
--
-2.39.0
+2.41.0
From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 5 Oct 2021 16:42:00 +0200
-Subject: [PATCH 053/142] selftest/Samba3: replace (winbindd => "yes",
+Subject: [PATCH 053/146] selftest/Samba3: replace (winbindd => "yes",
skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
@@ -4490,13 +4490,13 @@ index 2eb5003112e..bbbefea44b7 100755
do {
if ($ret != 0) {
--
-2.39.0
+2.41.0
From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 22 Oct 2021 16:20:36 +0200
-Subject: [PATCH 054/142] CVE-2020-25719 CVE-2020-25717: selftest: remove
+Subject: [PATCH 054/146] CVE-2020-25719 CVE-2020-25717: selftest: remove
"gensec:require_pac" settings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -4535,13 +4535,13 @@ index a7a6c4c9587..0f644661176 100755
log level = $ctx->{server_loglevel}
lanman auth = Yes
--
-2.39.0
+2.41.0
From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 4 Oct 2021 17:29:34 +0200
-Subject: [PATCH 055/142] CVE-2020-25717: s3:winbindd: make sure we default to
+Subject: [PATCH 055/146] CVE-2020-25717: s3:winbindd: make sure we default to
r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
@@ -4709,13 +4709,13 @@ index 3245c70bb8e..315eb366a52 100644
fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result));
--
-2.39.0
+2.41.0
From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 4 Oct 2021 17:29:34 +0200
-Subject: [PATCH 056/142] CVE-2020-25717: s4:auth/ntlm: make sure
+Subject: [PATCH 056/146] CVE-2020-25717: s4:auth/ntlm: make sure
auth_check_password() defaults to r->out.authoritative = true
We need to make sure that temporary failures don't trigger a fallback
@@ -4745,13 +4745,13 @@ index 3a3fa7eaa59..f754bd5cd44 100644
ev,
auth_ctx,
--
-2.39.0
+2.41.0
From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 057/142] CVE-2020-25717: s4:torture: start with authoritative
+Subject: [PATCH 057/146] CVE-2020-25717: s4:torture: start with authoritative
= 1
This is not strictly needed, but makes it easier to audit
@@ -4801,13 +4801,13 @@ index c237c82bbe7..72d0bf28fdd 100644
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
int i;
--
-2.39.0
+2.41.0
From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 058/142] CVE-2020-25717: s4:smb_server: start with
+Subject: [PATCH 058/146] CVE-2020-25717: s4:smb_server: start with
authoritative = 1
This is not strictly needed, but makes it easier to audit
@@ -4843,13 +4843,13 @@ index 13f13934412..5e817eecd4b 100644
NTSTATUS status;
--
-2.39.0
+2.41.0
From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 059/142] CVE-2020-25717: s4:auth_simple: start with
+Subject: [PATCH 059/146] CVE-2020-25717: s4:auth_simple: start with
authoritative = 1
This is not strictly needed, but makes it easier to audit
@@ -4876,13 +4876,13 @@ index fcd9050979d..da8f094a838 100644
NTSTATUS nt_status;
--
-2.39.0
+2.41.0
From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 060/142] CVE-2020-25717: s3:ntlm_auth: start with
+Subject: [PATCH 060/146] CVE-2020-25717: s3:ntlm_auth: start with
authoritative = 1
This is not strictly needed, but makes it easier to audit
@@ -4968,13 +4968,13 @@ index 41591a8de33..fc0fc19bacb 100644
uchar lm_key[16];
static const uchar zeros[8] = { 0, };
--
-2.39.0
+2.41.0
From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 061/142] CVE-2020-25717: s3:torture: start with authoritative
+Subject: [PATCH 061/146] CVE-2020-25717: s3:torture: start with authoritative
= 1
This is not strictly needed, but makes it easier to audit
@@ -5005,13 +5005,13 @@ index 64bc45e6a7c..48190e78bf8 100644
SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
local_nt_response);
--
-2.39.0
+2.41.0
From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 062/142] CVE-2020-25717: s3:rpcclient: start with
+Subject: [PATCH 062/146] CVE-2020-25717: s3:rpcclient: start with
authoritative = 1
This is not strictly needed, but makes it easier to audit
@@ -5038,13 +5038,13 @@ index 631740562c6..30fa1ed7816 100644
uint16_t validation_level;
union netr_Validation *validation = NULL;
--
-2.39.0
+2.41.0
From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 063/142] CVE-2020-25717: s3:auth: start with authoritative = 1
+Subject: [PATCH 063/146] CVE-2020-25717: s3:auth: start with authoritative = 1
This is not strictly needed, but makes it easier to audit
that we don't miss important places.
@@ -5088,13 +5088,13 @@ index a71c75631d7..bf7ccb4348c 100644
nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
if (!NT_STATUS_IS_OK(nt_status)) {
--
-2.39.0
+2.41.0
From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 26 Oct 2021 17:42:41 +0200
-Subject: [PATCH 064/142] CVE-2020-25717: auth/ntlmssp: start with
+Subject: [PATCH 064/146] CVE-2020-25717: auth/ntlmssp: start with
authoritative = 1
This is not strictly needed, but makes it easier to audit
@@ -5121,13 +5121,13 @@ index 140e89daeb1..eebada670be 100644
status = auth_context->check_ntlm_password_recv(subreq,
--
-2.39.0
+2.41.0
From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 28 Sep 2021 10:43:40 +0200
-Subject: [PATCH 065/142] CVE-2020-25717: loadparm: Add new parameter "min
+Subject: [PATCH 065/146] CVE-2020-25717: loadparm: Add new parameter "min
domain uid"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -5220,13 +5220,13 @@ index 0db44e92d19..57d1d909099 100644
apply_lp_set_cmdline();
}
--
-2.39.0
+2.41.0
From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 19:57:18 +0200
-Subject: [PATCH 066/142] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 066/146] CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() forward the low level errors
Mapping everything to ACCESS_DENIED makes it hard to debug problems,
@@ -5254,13 +5254,13 @@ index 4ef2270cb34..26a38f92b30 100644
}
--
-2.39.0
+2.41.0
From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 28 Sep 2021 10:45:11 +0200
-Subject: [PATCH 067/142] CVE-2020-25717: s3:auth: Check minimum domain uid
+Subject: [PATCH 067/146] CVE-2020-25717: s3:auth: Check minimum domain uid
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
@@ -5301,13 +5301,13 @@ index 8ff20c33759..8801d3f0f0b 100644
result = make_server_info(tmp_ctx);
--
-2.39.0
+2.41.0
From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 17:40:30 +0200
-Subject: [PATCH 068/142] CVE-2020-25717: s3:auth: we should not try to
+Subject: [PATCH 068/146] CVE-2020-25717: s3:auth: we should not try to
autocreate the guest account
We should avoid autocreation of users as much as possible.
@@ -5334,13 +5334,13 @@ index 8998f9c8f8a..074e8c7eb71 100644
/* extra sanity check that the guest account is valid */
--
-2.39.0
+2.41.0
From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 18:08:20 +0200
-Subject: [PATCH 069/142] CVE-2020-25717: s3:auth: no longer let
+Subject: [PATCH 069/146] CVE-2020-25717: s3:auth: no longer let
check_account() autocreate local users
So far we autocreated local user accounts based on just the
@@ -5373,13 +5373,13 @@ index 8801d3f0f0b..6ee500493e6 100644
DEBUG(3, ("Failed to find authenticated user %s via "
"getpwnam(), denying access.\n", dom_user));
--
-2.39.0
+2.41.0
From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 8 Oct 2021 12:33:16 +0200
-Subject: [PATCH 070/142] CVE-2020-25717: s3:auth: remove fallbacks in
+Subject: [PATCH 070/146] CVE-2020-25717: s3:auth: remove fallbacks in
smb_getpwnam()
So far we tried getpwnam("DOMAIN\account") first and
@@ -5517,13 +5517,13 @@ index 6ee500493e6..161e05c2106 100644
/* Create local user if requested but only if winbindd
--
-2.39.0
+2.41.0
From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 4 Oct 2021 18:03:55 +0200
-Subject: [PATCH 071/142] CVE-2020-25717: s3:auth: don't let create_local_token
+Subject: [PATCH 071/146] CVE-2020-25717: s3:auth: don't let create_local_token
depend on !winbind_ping()
We always require a running winbindd on a domain member, so
@@ -5562,13 +5562,13 @@ index 161e05c2106..c0e5cfd7fa8 100644
status = create_token_from_username(session_info,
server_info->unix_name,
--
-2.39.0
+2.41.0
From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 11 Nov 2020 18:50:45 +0200
-Subject: [PATCH 072/142] CVE-2020-25717: Add FreeIPA domain controller role
+Subject: [PATCH 072/146] CVE-2020-25717: Add FreeIPA domain controller role
As we want to reduce use of 'classic domain controller' role but FreeIPA
relies on it internally, add a separate role to mark FreeIPA domain
@@ -5975,13 +5975,13 @@ index 51fed4da62b..1f09b721408 100644
return NT_STATUS_INTERNAL_ERROR;
case ROLE_DOMAIN_MEMBER:
--
-2.39.0
+2.41.0
From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 5 Oct 2021 18:11:57 +0200
-Subject: [PATCH 073/142] CVE-2020-25717: auth/gensec: always require a PAC in
+Subject: [PATCH 073/146] CVE-2020-25717: auth/gensec: always require a PAC in
domain mode (DC or member)
AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set
@@ -6045,13 +6045,13 @@ index e185acc0c20..694661b53b5 100644
DBG_NOTICE("Unable to find PAC for %s, resorting to local "
"user lookup\n", principal_string);
--
-2.39.0
+2.41.0
From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 11 Oct 2021 23:17:19 +0200
-Subject: [PATCH 074/142] CVE-2020-25717: s4:auth: remove unused
+Subject: [PATCH 074/146] CVE-2020-25717: s4:auth: remove unused
auth_generate_session_info_principal()
We'll require a PAC at the main gensec layer already.
@@ -6189,13 +6189,13 @@ index fb88cb87f66..a8c7d8b4b85 100644
_PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
--
-2.39.0
+2.41.0
From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 21 Sep 2021 12:27:28 +0200
-Subject: [PATCH 075/142] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
+Subject: [PATCH 075/146] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in
ntlm_auth_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
@@ -6263,13 +6263,13 @@ index 3f70732a837..fefdd32bf11 100644
DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
}
--
-2.39.0
+2.41.0
From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 21 Sep 2021 12:44:01 +0200
-Subject: [PATCH 076/142] CVE-2020-25717: s3:ntlm_auth: let
+Subject: [PATCH 076/146] CVE-2020-25717: s3:ntlm_auth: let
ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO
only
@@ -6405,13 +6405,13 @@ index fefdd32bf11..ff2fd30a9ae 100644
if (!unixuser) {
status = NT_STATUS_NO_MEMORY;
--
-2.39.0
+2.41.0
From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 4 Oct 2021 19:42:20 +0200
-Subject: [PATCH 077/142] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 077/146] CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() delegate everything to
make_server_info_wbcAuthUserInfo()
@@ -6726,13 +6726,13 @@ index 26a38f92b30..3099e8f9057 100644
status = NT_STATUS_OK;
--
-2.39.0
+2.41.0
From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 5 Oct 2021 17:14:01 +0200
-Subject: [PATCH 078/142] CVE-2020-25717: selftest: configure 'ktest' env with
+Subject: [PATCH 078/146] CVE-2020-25717: selftest: configure 'ktest' env with
winbindd and idmap_autorid
The 'ktest' environment was/is designed to test kerberos in an active
@@ -6777,13 +6777,13 @@ index bbbefea44b7..7034127ef0b 100755
}
return $ret;
--
-2.39.0
+2.41.0
From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 5 Oct 2021 18:12:49 +0200
-Subject: [PATCH 079/142] CVE-2020-25717: s3:auth: let
+Subject: [PATCH 079/146] CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode, that we only support MIT realms
@@ -6862,13 +6862,13 @@ index 3099e8f9057..23f746c078e 100644
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
--
-2.39.0
+2.41.0
From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 17:59:59 +0200
-Subject: [PATCH 080/142] CVE-2020-25717: s3:auth: simplify
+Subject: [PATCH 080/146] CVE-2020-25717: s3:auth: simplify
get_user_from_kerberos_info() by removing the unused logon_info argument
This code is only every called in standalone mode on a MIT realm,
@@ -7012,13 +7012,13 @@ index 074e8c7eb71..7b69ca6c222 100644
bool *mapped_to_guest,
char **ntuser,
--
-2.39.0
+2.41.0
From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 18:03:04 +0200
-Subject: [PATCH 081/142] CVE-2020-25717: s3:auth: simplify
+Subject: [PATCH 081/146] CVE-2020-25717: s3:auth: simplify
make_session_info_krb5() by removing unused arguments
This is only ever be called in standalone mode with an MIT realm,
@@ -7115,13 +7115,13 @@ index 7b69ca6c222..b8f37cbeee0 100644
{
return NT_STATUS_NOT_IMPLEMENTED;
--
-2.39.0
+2.41.0
From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 1 Sep 2021 15:39:19 +1200
-Subject: [PATCH 082/142] krb5pac.idl: Add ticket checksum PAC buffer type
+Subject: [PATCH 082/146] krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
@@ -7155,13 +7155,13 @@ index f27e7243ee4..711b7f94b6c 100644
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
-2.39.0
+2.41.0
From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 1 Sep 2021 15:40:59 +1200
-Subject: [PATCH 083/142] security.idl: Add well-known SIDs for FAST
+Subject: [PATCH 083/146] security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
@@ -7187,13 +7187,13 @@ index 5930f448955..e6065a35691 100644
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
*/
--
-2.39.0
+2.41.0
From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 29 Sep 2021 16:15:26 +1300
-Subject: [PATCH 084/142] krb5pac.idl: Add missing buffer type values
+Subject: [PATCH 084/146] krb5pac.idl: Add missing buffer type values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
@@ -7219,13 +7219,13 @@ index 711b7f94b6c..141894ec5f1 100644
} PAC_TYPE;
--
-2.39.0
+2.41.0
From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 26 Oct 2021 20:33:38 +1300
-Subject: [PATCH 085/142] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO
+Subject: [PATCH 085/146] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO
PAC buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
@@ -7276,13 +7276,13 @@ index 141894ec5f1..4bfec2de5e6 100644
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
-2.39.0
+2.41.0
From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 26 Oct 2021 20:33:49 +1300
-Subject: [PATCH 086/142] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
+Subject: [PATCH 086/146] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC
buffer type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
@@ -7327,13 +7327,13 @@ index 4bfec2de5e6..f750359a069 100644
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
--
-2.39.0
+2.41.0
From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 27 Sep 2021 11:20:19 +1300
-Subject: [PATCH 087/142] CVE-2020-25721 krb5pac: Add new buffers for
+Subject: [PATCH 087/146] CVE-2020-25721 krb5pac: Add new buffers for
samAccountName and objectSID
These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set.
@@ -7414,13 +7414,13 @@ index a9ae2c4a789..57b28df9e52 100644
NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size));
NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type));
--
-2.39.0
+2.41.0
From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 12 Nov 2021 19:06:01 +0200
-Subject: [PATCH 088/142] IPA DC: add missing checks
+Subject: [PATCH 088/146] IPA DC: add missing checks
When introducing FreeIPA support, two places were forgotten:
@@ -7466,13 +7466,13 @@ index 57bfc596005..3f77856457e 100644
sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
if (!sid) {
--
-2.39.0
+2.41.0
From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 12 Nov 2021 15:27:58 +0100
-Subject: [PATCH 089/142] CVE-2020-25717: idmap_nss: verify that the name of
+Subject: [PATCH 089/146] CVE-2020-25717: idmap_nss: verify that the name of
the sid belongs to the configured domain
We already check the sid belongs to the domain, but checking the name
@@ -7558,13 +7558,13 @@ index 3fe98cbc729..243b67ccafd 100644
}
return NT_STATUS_OK;
--
-2.39.0
+2.41.0
From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 12 Nov 2021 20:53:30 +1300
-Subject: [PATCH 090/142] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non
+Subject: [PATCH 090/146] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non
existent uid' to make room for new accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
@@ -7591,13 +7591,13 @@ index 46f96795f39..8ce7493d1b6 100644
total_errors++;
printf("ERROR Non existent uid gave error %d\n", last_error);
--
-2.39.0
+2.41.0
From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 12 Nov 2021 16:10:31 +1300
-Subject: [PATCH 091/142] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
+Subject: [PATCH 091/146] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
mapping if the named based lookup fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
@@ -7707,13 +7707,13 @@ index c0e5cfd7fa8..b463059f259 100644
&pwd,
&username_was_mapped);
--
-2.39.0
+2.41.0
From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 26 Nov 2021 10:57:17 +0100
-Subject: [PATCH 092/142] CVE-2020-25717: s3-auth: fix MIT Realm regression
+Subject: [PATCH 092/146] CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
@@ -7770,13 +7770,13 @@ index b8f37cbeee0..169bf563368 100644
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
--
-2.39.0
+2.41.0
From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 13 Jan 2022 16:48:01 +0100
-Subject: [PATCH 093/142] CVE-2021-44142: libadouble: add defines for icon
+Subject: [PATCH 093/146] CVE-2021-44142: libadouble: add defines for icon
lengths
From https://www.ietf.org/rfc/rfc1740.txt
@@ -7802,13 +7802,13 @@ index afad70ce180..3a35620bfe4 100644
#define ADEDLEN_PRIVDEV 8
#define ADEDLEN_PRIVINO 8
--
-2.39.0
+2.41.0
From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Sat, 20 Nov 2021 16:36:42 +0100
-Subject: [PATCH 094/142] CVE-2021-44142: smbd: add Netatalk xattr used by
+Subject: [PATCH 094/146] CVE-2021-44142: smbd: add Netatalk xattr used by
vfs_fruit to the list of private Samba xattrs
This is an internal xattr that should not be user visible.
@@ -7851,13 +7851,13 @@ index f8d987bbe63..406087c0419 100644
};
--
-2.39.0
+2.41.0
From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Fri, 26 Nov 2021 07:19:32 +0100
-Subject: [PATCH 095/142] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+Subject: [PATCH 095/146] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
which is used for parsing ._ AppleDouble sidecar files, and the buffer
@@ -7921,13 +7921,13 @@ index 3a35620bfe4..76139e51047 100644
}
--
-2.39.0
+2.41.0
From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 25 Nov 2021 15:04:03 +0100
-Subject: [PATCH 096/142] CVE-2021-44142: libadouble: add basic cmocka tests
+Subject: [PATCH 096/146] CVE-2021-44142: libadouble: add basic cmocka tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
@@ -8377,13 +8377,13 @@ index 26e251f442a..5230ae32934 100644
source='smbd/server.c smbd/smbd_cleanupd.c',
deps='''
--
-2.39.0
+2.41.0
From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 13 Jan 2022 17:03:02 +0100
-Subject: [PATCH 097/142] CVE-2021-44142: libadouble: harden parsing code
+Subject: [PATCH 097/146] CVE-2021-44142: libadouble: harden parsing code
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
@@ -8545,13 +8545,13 @@ index 76139e51047..17e97d15bdb 100644
}
--
-2.39.0
+2.41.0
From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Fri, 5 Mar 2021 15:48:29 -0700
-Subject: [PATCH 098/142] winbind: Only use unixid2sid mapping when module
+Subject: [PATCH 098/146] winbind: Only use unixid2sid mapping when module
reports ID_MAPPED
Only consider a mapping to be valid when the idmap module reports
@@ -8585,13 +8585,13 @@ index 0842241e02e..94331163006 100644
TALLOC_FREE(maps);
--
-2.39.0
+2.41.0
From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Fri, 5 Mar 2021 16:01:13 -0700
-Subject: [PATCH 099/142] idmap_rfc2307: Do not return SID from unixids_to_sids
+Subject: [PATCH 099/146] idmap_rfc2307: Do not return SID from unixids_to_sids
on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
@@ -8654,13 +8654,13 @@ index 94331163006..34375b3858f 100644
}
--
-2.39.0
+2.41.0
From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Fri, 5 Mar 2021 16:07:54 -0700
-Subject: [PATCH 100/142] idmap_nss: Do not return SID from unixids_to_sids on
+Subject: [PATCH 100/146] idmap_nss: Do not return SID from unixids_to_sids on
type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
@@ -8722,13 +8722,13 @@ index 243b67ccafd..e4bf1923786 100644
}
break;
--
-2.39.0
+2.41.0
From 4ef3d95fb680cf278e68b6794459ff7bce1489aa Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 23 Nov 2021 15:48:57 +0100
-Subject: [PATCH 101/142] s3:winbind: Fix possible NULL pointer dereference
+Subject: [PATCH 101/146] s3:winbind: Fix possible NULL pointer dereference
BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888
@@ -8758,13 +8758,13 @@ index 04e79e70f6b..d1bd81b2372 100644
TALLOC_FREE(tmp_user);
return NULL;
--
-2.39.0
+2.41.0
From 95c9485bb600e965f24712534850d1a7fd325c44 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Dec 2022 16:00:36 +0100
-Subject: [PATCH 102/142] CVE-2022-38023 docs-xml: improve wording for several
+Subject: [PATCH 102/146] CVE-2022-38023 docs-xml: improve wording for several
options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -8833,13 +8833,13 @@ index 4db62bfb02d..b17620ec8f1 100644
<value type="default">yes</value>
--
-2.39.0
+2.41.0
From d6ab8377e55e4bda76c86de9bba1ddee30361481 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Dec 2022 16:05:26 +0100
-Subject: [PATCH 103/142] CVE-2022-38023 docs-xml: improve wording for several
+Subject: [PATCH 103/146] CVE-2022-38023 docs-xml: improve wording for several
options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -8922,13 +8922,13 @@ index b17620ec8f1..9c1c1d7af14 100644
<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
</description>
--
-2.39.0
+2.41.0
From 976080e72039b68ab66b757f1c3cb258eaca23df Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:46:59 +0100
-Subject: [PATCH 104/142] CVE-2022-38023 libcli/auth: pass lp_ctx to
+Subject: [PATCH 104/146] CVE-2022-38023 libcli/auth: pass lp_ctx to
netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -8998,13 +8998,13 @@ index 137ac8393e7..95a650f4654 100644
fprintf(stderr,
"netlogon_creds_cli_set_global_db failed: %s\n",
--
-2.39.0
+2.41.0
From dfe17c3453980d53445a2cc6221cb8728fc9e3cf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:47:33 +0100
-Subject: [PATCH 105/142] CVE-2022-38023 libcli/auth: add/use
+Subject: [PATCH 105/146] CVE-2022-38023 libcli/auth: add/use
netlogon_creds_cli_warn_options()
This warns the admin about insecure options
@@ -9128,13 +9128,13 @@ index 2ce5de9d305..e4e0232e92f 100644
struct messaging_context *msg_ctx,
const char *client_account,
--
-2.39.0
+2.41.0
From 75c44fdccf18bfa34530f05937e8e3305b2c927e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 16:16:05 +0100
-Subject: [PATCH 106/142] CVE-2022-38023 s3:net: add and use
+Subject: [PATCH 106/146] CVE-2022-38023 s3:net: add and use
net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
@@ -9376,13 +9376,13 @@ index a84b4f5500e..94a8dc9defe 100644
{
switch(num_type) {
--
-2.39.0
+2.41.0
From 9d7eba489e7f798dd3115439da1bc92a87059ce1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:59:36 +0100
-Subject: [PATCH 107/142] CVE-2022-38023 s3:winbindd: also allow per domain
+Subject: [PATCH 107/146] CVE-2022-38023 s3:winbindd: also allow per domain
"winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
@@ -9478,13 +9478,13 @@ index 502331f7260..1a8017cf4cc 100644
}
--
-2.39.0
+2.41.0
From b310b2672f80a717188675b6c762d184436a190c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:22:23 +0100
-Subject: [PATCH 108/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
+Subject: [PATCH 108/146] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
@@ -9568,13 +9568,13 @@ index 98e05d13d59..fbc987e119a 100644
Globals.read_raw = true;
Globals.write_raw = true;
--
-2.39.0
+2.41.0
From b62fb90dd434c99131086f27cb74cf2c109fb9d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 10:56:29 +0100
-Subject: [PATCH 109/142] CVE-2022-38023 s4:rpc_server/netlogon: 'server
+Subject: [PATCH 109/146] CVE-2022-38023 s4:rpc_server/netlogon: 'server
schannel != yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
@@ -9641,13 +9641,13 @@ index 7668a9eb923..e7f8cd5c075 100644
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) WITH schannel from "
--
-2.39.0
+2.41.0
From dbddee016499bddab42870226eda0b19facca936 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2022 14:03:50 +0100
-Subject: [PATCH 110/142] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
+Subject: [PATCH 110/146] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
@@ -9696,13 +9696,13 @@ index e7f8cd5c075..bd3a36e60cc 100644
"server require schannel",
creds->account_name);
--
-2.39.0
+2.41.0
From da1c4d9055c0b7fcb5e6952e3e63c7089b2b0432 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2022 14:03:50 +0100
-Subject: [PATCH 111/142] CVE-2022-38023 s4:rpc_server/netlogon: add
+Subject: [PATCH 111/146] CVE-2022-38023 s4:rpc_server/netlogon: add
talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
@@ -9808,13 +9808,13 @@ index bd3a36e60cc..b842fa6a556 100644
}
--
-2.39.0
+2.41.0
From 01d4d64eaca505da9c542f2149c0bd362ad180d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:37:03 +0100
-Subject: [PATCH 112/142] CVE-2022-38023 s4:rpc_server/netlogon: re-order
+Subject: [PATCH 112/146] CVE-2022-38023 s4:rpc_server/netlogon: re-order
checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
@@ -9891,13 +9891,13 @@ index b842fa6a556..9b3a933abca 100644
DBG_INFO("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) without schannel from "
--
-2.39.0
+2.41.0
From 90531a4cb89b0d390261de1920f17a8ea7a9cbcb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:37:03 +0100
-Subject: [PATCH 113/142] CVE-2022-38023 s4:rpc_server/netlogon: improve
+Subject: [PATCH 113/146] CVE-2022-38023 s4:rpc_server/netlogon: improve
CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
@@ -10106,13 +10106,13 @@ index 9b3a933abca..8084061aabc 100644
*creds_out = creds;
--
-2.39.0
+2.41.0
From 2ea49737a5cac8ead895da30d40f18019103b285 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:26:01 +0100
-Subject: [PATCH 114/142] CVE-2022-38023 selftest:Samba4: avoid global 'server
+Subject: [PATCH 114/146] CVE-2022-38023 selftest:Samba4: avoid global 'server
schannel = auto'
Instead of using the generic deprecated option use the specific
@@ -10185,13 +10185,13 @@ index 0f644661176..8dad74cae43 100755
dsdb password event notification = true
dsdb group change notification = true
--
-2.39.0
+2.41.0
From a9ad04a6a886c4f17120fcf585bba7b979752d3c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 28 Nov 2022 15:02:13 +0100
-Subject: [PATCH 115/142] CVE-2022-38023 s4:torture: use
+Subject: [PATCH 115/146] CVE-2022-38023 s4:torture: use
NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
@@ -10367,13 +10367,13 @@ index 9cd479c9baf..6fc4ed326d2 100644
r.in.logon = &logon;
r.out.return_authenticator = &return_authenticator;
--
-2.39.0
+2.41.0
From 6088b76def86b8f56511707c69b6cdd016722715 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 09:54:17 +0100
-Subject: [PATCH 116/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
+Subject: [PATCH 116/146] CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
@@ -10533,13 +10533,13 @@ index 8084061aabc..6a00fe4efcf 100644
case SEC_CHAN_WKSTA:
case SEC_CHAN_DNS_DOMAIN:
--
-2.39.0
+2.41.0
From 3e43111a1417414b545fcc46a72e701cf6e71c59 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:26:18 +0100
-Subject: [PATCH 117/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
+Subject: [PATCH 117/146] CVE-2022-38023 docs-xml/smbdotconf: change 'reject
md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
@@ -10630,13 +10630,13 @@ index fbc987e119a..1cf468b1009 100644
Globals.write_raw = true;
Globals.null_passwords = false;
--
-2.39.0
+2.41.0
From 886878d18d22eb4a2f3b63663e0ffe284ed9788b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 10:31:08 +0100
-Subject: [PATCH 118/142] CVE-2022-38023 s4:rpc_server/netlogon: defer
+Subject: [PATCH 118/146] CVE-2022-38023 s4:rpc_server/netlogon: defer
downgrade check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
@@ -10817,13 +10817,13 @@ index 6a00fe4efcf..1c180343252 100644
if (user_account_control & UF_ACCOUNTDISABLE) {
--
-2.39.0
+2.41.0
From ed628f5bf355801023c1bb2ac4aabd06c5c878a6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:13:36 +0100
-Subject: [PATCH 119/142] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
+Subject: [PATCH 119/146] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4
crypto:COMPUTERACCOUNT = yes'
@@ -11019,13 +11019,13 @@ index 1c180343252..b605daea794 100644
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
--
-2.39.0
+2.41.0
From b15c69701d065504588671187a5cec9eea9dcf57 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:31:14 +0100
-Subject: [PATCH 120/142] CVE-2022-38023 docs-xml/smbdotconf: document "allow
+Subject: [PATCH 120/146] CVE-2022-38023 docs-xml/smbdotconf: document "allow
nt4 crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -11138,13 +11138,13 @@ index 06afcef73b1..bbd03a42db7 100644
+
+</samba:parameter>
--
-2.39.0
+2.41.0
From bbc9f54fdc1ebbfc0c27b61aff43a63a16aed9d9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 14:02:11 +0100
-Subject: [PATCH 121/142] CVE-2022-38023 docs-xml/smbdotconf: document "server
+Subject: [PATCH 121/146] CVE-2022-38023 docs-xml/smbdotconf: document "server
reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -11314,13 +11314,13 @@ index edcbe02e99a..fe7701d9277 100644
+
+</samba:parameter>
--
-2.39.0
+2.41.0
From 88311bae73bfdd2863ee94f421ef89266bff97f0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:13:36 +0100
-Subject: [PATCH 122/142] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
+Subject: [PATCH 122/146] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
@@ -11507,13 +11507,13 @@ index b605daea794..b93ff08abcd 100644
}
--
-2.39.0
+2.41.0
From 73230d08dd1ec2390e52b24f0398d328a55e5866 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:57:20 +0100
-Subject: [PATCH 123/142] CVE-2022-38023 selftest:Samba4: avoid global 'allow
+Subject: [PATCH 123/146] CVE-2022-38023 selftest:Samba4: avoid global 'allow
nt4 crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
@@ -11641,13 +11641,13 @@ index 7e3d7c9de8e..aafb9ee14ca 100755
server require schannel:schannel1\$ = no
server require schannel:schannel2\$ = no
--
-2.39.0
+2.41.0
From 2efdacb36c42985595284db6db90953feecc6e1a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 16:57:24 +0100
-Subject: [PATCH 124/142] CVE-2022-38023 s4:rpc_server/netlogon: split out
+Subject: [PATCH 124/146] CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
@@ -11810,13 +11810,13 @@ index b93ff08abcd..94adb74165f 100644
Change the machine account password for the currently connected
client. Supplies only the NT#.
--
-2.39.0
+2.41.0
From b95d07ebad63544c585a43590bdeaf5247cbaf46 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 17:15:36 +0100
-Subject: [PATCH 125/142] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
+Subject: [PATCH 125/146] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
@@ -11894,13 +11894,13 @@ index 94adb74165f..f4413d7a03b 100644
if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
--
-2.39.0
+2.41.0
From 5e5019dbdf9b49e07bd5f88bafa7275d5d076166 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 16:53:35 +0100
-Subject: [PATCH 126/142] CVE-2022-38023 docs-xml/smbdotconf: add "server
+Subject: [PATCH 126/146] CVE-2022-38023 docs-xml/smbdotconf: add "server
schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -12150,13 +12150,13 @@ index 1cf468b1009..8dab202fc17 100644
Globals.read_raw = true;
Globals.write_raw = true;
--
-2.39.0
+2.41.0
From 83be39efadc4c4fad4a873e23016e1c5a8d65380 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Dec 2022 14:31:26 +0100
-Subject: [PATCH 127/142] CVE-2022-38023 s4:rpc_server/netlogon: add a per
+Subject: [PATCH 127/146] CVE-2022-38023 s4:rpc_server/netlogon: add a per
connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
@@ -12454,13 +12454,13 @@ index f4413d7a03b..474d0806e6b 100644
}
--
-2.39.0
+2.41.0
From ef51add9def64d75f17b394924c238fffc81168f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 14:05:30 +0100
-Subject: [PATCH 128/142] CVE-2022-38023 s4:rpc_server/netlogon: implement
+Subject: [PATCH 128/146] CVE-2022-38023 s4:rpc_server/netlogon: implement
"server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
@@ -12892,13 +12892,13 @@ index 474d0806e6b..343cd53473c 100644
D_INFO("CVE-2020-1472(ZeroLogon): Option "
"'server require schannel:%s = no' "
--
-2.39.0
+2.41.0
From fe38dc0186d3505db4c105f78dc46c2270c43240 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 15:13:47 +0100
-Subject: [PATCH 129/142] CVE-2022-38023 testparm: warn about server/client
+Subject: [PATCH 129/146] CVE-2022-38023 testparm: warn about server/client
schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -12944,13 +12944,13 @@ index c673ef71a92..aa990b729d7 100644
}
--
-2.39.0
+2.41.0
From c870a61377d0245a3fd25f5d5c8663d965fe469a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 13:36:17 +0100
-Subject: [PATCH 130/142] CVE-2022-38023 testparm: warn about unsecure schannel
+Subject: [PATCH 130/146] CVE-2022-38023 testparm: warn about unsecure schannel
related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
@@ -13043,13 +13043,13 @@ index aa990b729d7..f9253d323aa 100644
return ret;
}
--
-2.39.0
+2.41.0
From 938168a5f7c3225562ed772bf8a9bbecc0badb62 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Sep 2022 16:31:05 +0200
-Subject: [PATCH 131/142] s3:auth: Flush the GETPWSID in memory cache for NTLM
+Subject: [PATCH 131/146] s3:auth: Flush the GETPWSID in memory cache for NTLM
auth
Example valgrind output:
@@ -13132,13 +13132,13 @@ index 53b6da53dc1..4276c3060ed 100644
data_blob_free(&user_sess_key);
data_blob_free(&lm_sess_key);
--
-2.39.0
+2.41.0
From 296612a8c1dda253e1f2c0618f1f8330e2e23b34 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 16:46:15 +0100
-Subject: [PATCH 132/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
+Subject: [PATCH 132/146] CVE-2022-38023 selftest:Samba3: avoid global 'server
schannel = auto'
Instead of using the generic deprecated option use the specific
@@ -13190,13 +13190,13 @@ index 7034127ef0b..0c14f02be11 100755
check parent directory delete on close = yes
";
--
-2.39.0
+2.41.0
From 1a90fc7cbc4054f9815ffaca710b5bdba0dffd6f Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 11:33:12 +0100
-Subject: [PATCH 133/142] CVE-2022-38023 s3:rpc_server/netlogon: add
+Subject: [PATCH 133/146] CVE-2022-38023 s3:rpc_server/netlogon: add
talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
@@ -13322,13 +13322,13 @@ index 7f6704adbda..f9b674d0052 100644
}
--
-2.39.0
+2.41.0
From d3e503e670501186fcce9702b72cda3b03afc0cf Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 21 Dec 2022 18:17:57 +0100
-Subject: [PATCH 134/142] CVE-2022-38023 s3:rpc_server/netlogon: re-order
+Subject: [PATCH 134/146] CVE-2022-38023 s3:rpc_server/netlogon: re-order
checking in netr_creds_server_step_check()
This will simplify the following changes.
@@ -13401,13 +13401,13 @@ index f9b674d0052..b42794eea8d 100644
DBG_INFO("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) without schannel from "
--
-2.39.0
+2.41.0
From 44de3ae0d4b6f1a728124429dfc748c538714a05 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 11:35:57 +0100
-Subject: [PATCH 135/142] CVE-2022-38023 s3:rpc_server/netlogon: improve
+Subject: [PATCH 135/146] CVE-2022-38023 s3:rpc_server/netlogon: improve
CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
@@ -13629,13 +13629,13 @@ index b42794eea8d..1d261c9a639 100644
*creds_out = creds;
--
-2.39.0
+2.41.0
From 7e0bfe3db2b4d274b3bf2e5f011ae8207ce6f4ab Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 21 Dec 2022 18:37:05 +0100
-Subject: [PATCH 136/142] CVE-2022-38023 selftest:Samba3: avoid global 'server
+Subject: [PATCH 136/146] CVE-2022-38023 selftest:Samba3: avoid global 'server
schannel = auto'
Instead of using the generic deprecated option use the specific
@@ -13703,13 +13703,13 @@ index 0c14f02be11..e8a4c3bbbb6 100755
$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
--
-2.39.0
+2.41.0
From 340bdcc92d979eb67d67e2a2d8056f939a011f37 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 11:42:51 +0100
-Subject: [PATCH 137/142] CVE-2022-38023 s3:rpc_server/netlogon: split out
+Subject: [PATCH 137/146] CVE-2022-38023 s3:rpc_server/netlogon: split out
netr_check_schannel() function
This will allow us to reuse the function in other places.
@@ -13888,13 +13888,13 @@ index 1d261c9a639..eb364eaf29a 100644
/*************************************************************************
*************************************************************************/
--
-2.39.0
+2.41.0
From 8b52bfc3bb274d7d1607b505c18b4ccafe25cad7 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 09:29:04 +0100
-Subject: [PATCH 138/142] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
+Subject: [PATCH 138/146] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
@@ -13968,13 +13968,13 @@ index eb364eaf29a..ca343d3e28a 100644
if (lp_ctx == NULL) {
DEBUG(0, ("loadparm_init_s3 failed\n"));
--
-2.39.0
+2.41.0
From 43dca97088ce82a5e346887b8078f346e8249929 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 4 Jan 2023 17:23:41 +0100
-Subject: [PATCH 139/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
+Subject: [PATCH 139/146] CVE-2022-38023 s3:rpc_server/netlogon: Rename
variable
This will simplify the following changes.
@@ -14060,13 +14060,13 @@ index ca343d3e28a..5500a421334 100644
"'server require schannel:%s = no' "
"still needed for '%s'!\n",
--
-2.39.0
+2.41.0
From 4ae0a15ed4ebde7b1725f9ada406c179de238267 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 4 Jan 2023 17:39:20 +0100
-Subject: [PATCH 140/142] CVE-2022-38023 s3:rpc_server/netlogon: Return error
+Subject: [PATCH 140/146] CVE-2022-38023 s3:rpc_server/netlogon: Return error
on invalid auth level
Signed-off-by: Samuel Cabrero <scabrero@suse.de>
@@ -14121,13 +14121,13 @@ index 5500a421334..fb5a05b75c8 100644
* We don't use lp_parm_bool(), as we
* need the explicit_opt pointer in order to
--
-2.39.0
+2.41.0
From f59b49f3c23a9a7879a6975aa77e9cf2560a68be Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 4 Jan 2023 17:42:37 +0100
-Subject: [PATCH 141/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename
+Subject: [PATCH 141/146] CVE-2022-38023 s3:rpc_server/netlogon: Rename
variable
This will simplify the following changes.
@@ -14168,13 +14168,13 @@ index fb5a05b75c8..fd128a70c8b 100644
status = NT_STATUS_OK;
--
-2.39.0
+2.41.0
From 6b038af7f70f0331d85dac00647cfe8dedefec28 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Wed, 4 Jan 2023 17:50:04 +0100
-Subject: [PATCH 142/142] CVE-2022-38023 s3:rpc_server/netlogon: implement
+Subject: [PATCH 142/146] CVE-2022-38023 s3:rpc_server/netlogon: implement
"server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
@@ -14546,5 +14546,362 @@ index fd128a70c8b..38772586d81 100644
static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
--
-2.39.0
+2.41.0
+
+
+From 91f9dac1f8431b3670efd403643cdbbc93b3738a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 17:20:32 +0200
+Subject: [PATCH 143/146] netlogon.idl: add support for
+ netr_LogonGetCapabilities response level 2
+
+We don't have any documentation about this yet, but tests against
+a Windows Server 2022 patched with KB5028166 revealed that
+the response for query_level=2 is exactly the same as
+for querey_level=1.
+
+Until we know the reason for query_level=2 we won't
+use it as client nor support it in the server, but
+we want ndrdump to work.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
+---
+ librpc/idl/netlogon.idl | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
+index 22f86b92076..c7945d023c4 100644
+--- a/librpc/idl/netlogon.idl
++++ b/librpc/idl/netlogon.idl
+@@ -1195,6 +1195,7 @@ interface netlogon
+ /* Function 0x15 */
+ typedef [switch_type(uint32)] union {
+ [case(1)] netr_NegotiateFlags server_capabilities;
++ [case(2)] netr_NegotiateFlags server_capabilities;
+ } netr_Capabilities;
+
+ NTSTATUS netr_LogonGetCapabilities(
+--
+2.41.0
+
+
+From 016cb0817938e8dbb7be126d263f83d590b7045c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 17:25:05 +0200
+Subject: [PATCH 144/146] s4:torture/rpc: let rpc.schannel also check
+ netr_LogonGetCapabilities with different levels
+
+The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
+for unsupported query_levels, we allow it to work with servers
+with or without support for query_level=2.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)
+---
+ .../knownfail.d/netr_LogonGetCapabilities | 3 +
+ source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++-
+ 2 files changed, 79 insertions(+), 1 deletion(-)
+ create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+new file mode 100644
+index 00000000000..30aadf3bb9d
+--- /dev/null
++++ b/selftest/knownfail.d/netr_LogonGetCapabilities
+@@ -0,0 +1,3 @@
++^samba3.rpc.schannel.*\.schannel\(nt4_dc
++^samba3.rpc.schannel.*\.schannel\(ad_dc
++^samba4.rpc.schannel.*\.schannel\(ad_dc
+diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
+index 1fceeae88cc..49ad1e6760f 100644
+--- a/source4/torture/rpc/netlogon.c
++++ b/source4/torture/rpc/netlogon.c
+@@ -1469,8 +1469,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
+ r.out.capabilities = &capabilities;
+ r.out.return_authenticator = &return_auth;
+
+- torture_comment(tctx, "Testing LogonGetCapabilities\n");
++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
+
++ r.in.query_level = 0;
++ ZERO_STRUCT(return_auth);
++
++ /*
++ * we need to operate on a temporary copy of creds
++ * because dcerpc_netr_LogonGetCapabilities with
++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
++ * without looking a the authenticator.
++ */
++ tmp_creds = *creds;
++ netlogon_creds_client_authenticator(&tmp_creds, &auth);
++
++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
++ "LogonGetCapabilities query_level=0 failed");
++
++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
++
++ r.in.query_level = 3;
++ ZERO_STRUCT(return_auth);
++
++ /*
++ * we need to operate on a temporary copy of creds
++ * because dcerpc_netr_LogonGetCapabilities with
++ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
++ * without looking a the authenticator.
++ */
++ tmp_creds = *creds;
++ netlogon_creds_client_authenticator(&tmp_creds, &auth);
++
++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
++ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
++ "LogonGetCapabilities query_level=0 failed");
++
++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
++
++ r.in.query_level = 1;
+ ZERO_STRUCT(return_auth);
+
+ /*
+@@ -1490,6 +1529,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
+
+ *creds = tmp_creds;
+
++ torture_assert(tctx, netlogon_creds_client_check(creds,
++ &r.out.return_authenticator->cred),
++ "Credential chaining failed");
++
++ torture_assert_int_equal(tctx, creds->negotiate_flags,
++ capabilities.server_capabilities,
++ "negotiate flags");
++
++ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
++
++ r.in.query_level = 2;
++ ZERO_STRUCT(return_auth);
++
++ /*
++ * we need to operate on a temporary copy of creds
++ * because dcerpc_netr_LogonGetCapabilities with
++ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
++ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
++ * without looking a the authenticator.
++ */
++ tmp_creds = *creds;
++ netlogon_creds_client_authenticator(&tmp_creds, &auth);
++
++ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
++ /*
++ * an server without KB5028166 returns
++ * DCERPC_NCA_S_FAULT_INVALID_TAG =>
++ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
++ */
++ return true;
++ }
++ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
++
++ *creds = tmp_creds;
++
+ torture_assert(tctx, netlogon_creds_client_check(creds,
+ &r.out.return_authenticator->cred),
+ "Credential chaining failed");
+--
+2.41.0
+
+
+From 68811d0faa78c8610c5249d3422fa41d461f5bcf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 16:11:48 +0200
+Subject: [PATCH 145/146] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG
+ for invalid netr_LogonGetCapabilities levels
+
+This is important as Windows clients with KB5028166 seem to
+call netr_LogonGetCapabilities with query_level=2 after
+a call with query_level=1.
+
+An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
+for query_level values other than 1.
+While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
+later fails to marshall the response, which results
+in DCERPC_FAULT_BAD_STUB_DATA instead.
+
+Because we don't have any documentation for level 2 yet,
+we just try to behave like an unpatched server and
+generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
+DCERPC_FAULT_BAD_STUB_DATA.
+Which allows patched Windows clients to keep working
+against a Samba DC.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
+---
+ .../knownfail.d/netr_LogonGetCapabilities | 2 --
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+index 30aadf3bb9d..99c7ac711ed 100644
+--- a/selftest/knownfail.d/netr_LogonGetCapabilities
++++ b/selftest/knownfail.d/netr_LogonGetCapabilities
+@@ -1,3 +1 @@
+ ^samba3.rpc.schannel.*\.schannel\(nt4_dc
+-^samba3.rpc.schannel.*\.schannel\(ad_dc
+-^samba4.rpc.schannel.*\.schannel\(ad_dc
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 343cd53473c..72c6dc3d74e 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2910,6 +2910,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS status;
+
++ switch (r->in.query_level) {
++ case 1:
++ break;
++ case 2:
++ /*
++ * Until we know the details behind KB5028166
++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
++ * like an unpatched Windows Server.
++ */
++ FALL_THROUGH;
++ default:
++ /*
++ * There would not be a way to marshall the
++ * the response. Which would mean our final
++ * ndr_push would fail an we would return
++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
++ *
++ * But it's important to match a Windows server
++ * especially before KB5028166, see also our bug #15418
++ * Otherwise Windows client would stop talking to us.
++ */
++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
++ }
++
+ status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+@@ -2921,10 +2945,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+- if (r->in.query_level != 1) {
+- return NT_STATUS_NOT_SUPPORTED;
+- }
+-
+ r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ return NT_STATUS_OK;
+--
+2.41.0
+
+
+From 517a2ee8570a31283491fca09a8f11a7826a7ed2 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jul 2023 16:11:48 +0200
+Subject: [PATCH 146/146] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG
+ for invalid netr_LogonGetCapabilities levels
+
+This is important as Windows clients with KB5028166 seem to
+call netr_LogonGetCapabilities with query_level=2 after
+a call with query_level=1.
+
+An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
+for query_level values other than 1.
+While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
+later fails to marshall the response, which results
+in DCERPC_FAULT_BAD_STUB_DATA instead.
+
+Because we don't have any documentation for level 2 yet,
+we just try to behave like an unpatched server and
+generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
+DCERPC_FAULT_BAD_STUB_DATA.
+Which allows patched Windows clients to keep working
+against a Samba DC.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
+
+(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
+---
+ .../knownfail.d/netr_LogonGetCapabilities | 1 -
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++---
+ 2 files changed, 25 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
+
+diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
+deleted file mode 100644
+index 99c7ac711ed..00000000000
+--- a/selftest/knownfail.d/netr_LogonGetCapabilities
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.rpc.schannel.*\.schannel\(nt4_dc
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 38772586d81..bf75a9f1adc 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2672,6 +2672,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS status;
+
++ switch (r->in.query_level) {
++ case 1:
++ break;
++ case 2:
++ /*
++ * Until we know the details behind KB5028166
++ * just return DCERPC_NCA_S_FAULT_INVALID_TAG
++ * like an unpatched Windows Server.
++ */
++ FALL_THROUGH;
++ default:
++ /*
++ * There would not be a way to marshall the
++ * the response. Which would mean our final
++ * ndr_push would fail an we would return
++ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
++ *
++ * But it's important to match a Windows server
++ * especially before KB5028166, see also our bug #15418
++ * Otherwise Windows client would stop talking to us.
++ */
++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
++ return NT_STATUS_NOT_SUPPORTED;
++ }
++
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+@@ -2683,10 +2708,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ return status;
+ }
+
+- if (r->in.query_level != 1) {
+- return NT_STATUS_NOT_SUPPORTED;
+- }
+-
+ r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ return NT_STATUS_OK;
+--
+2.41.0
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 2da3891..8ede3ab 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
# ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering
-%define main_release 24
+%define main_release 25
%define samba_version 4.10.16
%define talloc_version 2.1.16
@@ -3305,6 +3305,9 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
+* Tue Jul 25 2023 Andreas Schneider <asn@redhat.com> - 4.10.16-25
+- resolves: #2222250 - Fix netlogon capabilities level 2
+
* Fri Jan 20 2023 Andreas Schneider <asn@redhat.com> - 4.10.16-24
- related: #2154364 - Add additional patches for CVE-2022-38023