diff --git a/.gitignore b/.gitignore
index 6547baf..15a87be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/samba-4.4.4.tar.xz
+SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+SOURCES/samba-4.6.2.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 7f1ab09..ac19222 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1 +1,2 @@
-f0b397800ce12a06021480f10846362ba2663f25 SOURCES/samba-4.4.4.tar.xz
+6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
+57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
diff --git a/SOURCES/CVE-2016-2119-v4-4.patch b/SOURCES/CVE-2016-2119-v4-4.patch
deleted file mode 100644
index 55da381..0000000
--- a/SOURCES/CVE-2016-2119-v4-4.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 3f8b6a3c56ec188d662767027703999faf14e71f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Wed, 20 Apr 2016 11:26:57 +0200
-Subject: [PATCH 1/3] CVE-2016-2019: libcli/smb: don't allow guest sessions if
- we require signing
-
-Note real anonymous sessions (with "" as username) don't hit this
-as we don't even call smb2cli_session_set_session_key() in that case.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher
----
- libcli/smb/smbXcli_base.c | 19 +++++++++++++++++--
- 1 file changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
-index 4332374..691b8ff 100644
---- a/libcli/smb/smbXcli_base.c
-+++ b/libcli/smb/smbXcli_base.c
-@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
- return false;
- }
-
-+ if (session->conn->mandatory_signing) {
-+ return false;
-+ }
-+
- if (session->conn->protocol >= PROTOCOL_SMB2_02) {
- if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
- return true;
-@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
- const struct iovec *recv_iov)
- {
- struct smbXcli_conn *conn = session->conn;
-- uint16_t no_sign_flags;
-+ uint16_t no_sign_flags = 0;
- uint8_t session_key[16];
- bool check_signature = true;
- uint32_t hdr_flags;
-@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
- return NT_STATUS_INVALID_PARAMETER_MIX;
- }
-
-- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
-+ if (!conn->mandatory_signing) {
-+ /*
-+ * only allow guest sessions without
-+ * mandatory signing.
-+ *
-+ * If we try an authentication with username != ""
-+ * and the server let us in without verifying the
-+ * password we don't have a negotiated session key
-+ * for signing.
-+ */
-+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
-+ }
-
- if (session->smb2->session_flags & no_sign_flags) {
- session->smb2->should_sign = false;
---
-1.9.1
-
-
-From 11db8ea97ddb3cf9fde48dbe5df14a71ebc308db Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Thu, 28 Apr 2016 02:36:35 +0200
-Subject: [PATCH 2/3] CVE-2016-2019: s3:libsmb: add comment regarding
- smbXcli_session_is_guest() with mandatory signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher
----
- source3/libsmb/cliconnect.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index ea92c8f..ebba8f2 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
- * have a negotiated session key.
- *
- * So just pretend we are completely done.
-+ *
-+ * Note that smbXcli_session_is_guest()
-+ * always returns false if we require signing.
- */
- state->blob_in = data_blob_null;
- state->local_ready = true;
---
-1.9.1
-
-
-From 28ed026b9486fb248daf713655ea307c478d2832 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Thu, 28 Apr 2016 02:24:52 +0200
-Subject: [PATCH 3/3] CVE-2016-2019: s3:selftest: add regression tests for
- guest logins and mandatory signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
-
-Signed-off-by: Stefan Metzmacher
----
- source3/script/tests/test_smbclient_ntlm.sh | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
-index b8fc564..33a927f 100755
---- a/source3/script/tests/test_smbclient_ntlm.sh
-+++ b/source3/script/tests/test_smbclient_ntlm.sh
-@@ -37,4 +37,8 @@ else
-
- testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
- testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
-+
-+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
-+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
-+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
- fi
---
-1.9.1
-
diff --git a/SOURCES/CVE-2016-2125-v4-4.patch b/SOURCES/CVE-2016-2125-v4-4.patch
deleted file mode 100644
index 20a98a8..0000000
--- a/SOURCES/CVE-2016-2125-v4-4.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From f775874f1c9e388d51fe04cb9df849c66bc6e8b6 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Wed, 23 Nov 2016 11:41:10 +0100
-Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
- in nsupdate-gss
-
-This is just an example script that's not directly used by samba,
-but we should avoid sending delegated credentials to dns servers.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher
-Reviewed-by: Alexander Bokovoy
-Reviewed-by: Simo Sorce
----
- source4/scripting/bin/nsupdate-gss | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
-index dec5916..509220d 100755
---- a/source4/scripting/bin/nsupdate-gss
-+++ b/source4/scripting/bin/nsupdate-gss
-@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
- my $flags =
- GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
-- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
-+ GSS_C_INTEG_FLAG;
-
-
- $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
---
-1.9.1
-
-
-From 1bee1eb5d75191e142c503cf9c5dc36df2453307 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Wed, 23 Nov 2016 11:42:59 +0100
-Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
-
-We should only use GSS_C_DELEG_POLICY_FLAG in order to let
-the KDC decide if we should send delegated credentials to
-a remote server.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher
-Reviewed-by: Alexander Bokovoy
-Reviewed-by: Simo Sorce
----
- source3/librpc/crypto/gse.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
-index 963c98a..c4c4bbc 100644
---- a/source3/librpc/crypto/gse.c
-+++ b/source3/librpc/crypto/gse.c
-@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
- memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
-
- gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-- GSS_C_DELEG_FLAG |
- GSS_C_DELEG_POLICY_FLAG |
- GSS_C_REPLAY_FLAG |
- GSS_C_SEQUENCE_FLAG;
---
-1.9.1
-
-
-From 2c9d1648745ddc9facaf5b9cc84ea7f1117d7710 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Wed, 23 Nov 2016 11:44:22 +0100
-Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use
- GSS_C_DELEG_FLAG by default
-
-This disabled the usage of GSS_C_DELEG_FLAG by default, as
-GSS_C_DELEG_POLICY_FLAG is still used by default we let the
-KDC decide if we should send delegated credentials to a remote server.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
-
-Signed-off-by: Stefan Metzmacher
-Reviewed-by: Alexander Bokovoy
-Reviewed-by: Simo Sorce
----
- source4/auth/gensec/gensec_gssapi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
-index e0b2bf2..e2994f6 100644
---- a/source4/auth/gensec/gensec_gssapi.c
-+++ b/source4/auth/gensec/gensec_gssapi.c
-@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
- gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
- }
-- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
-+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
- gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
- }
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
---
-1.9.1
-
diff --git a/SOURCES/CVE-2016-2126-v4-4.patch b/SOURCES/CVE-2016-2126-v4-4.patch
deleted file mode 100644
index fd854ba..0000000
--- a/SOURCES/CVE-2016-2126-v4-4.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 77631ca7c747796bf3d4dc347afb3f0cb5e4be78 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Tue, 22 Nov 2016 17:08:46 +0100
-Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
- in check_pac_checksum()
-
-aes based checksums can only be checked with the
-corresponding aes based keytype.
-
-Otherwise we may trigger an undefined code path
-deep in the kerberos libraries, which can leed to
-segmentation faults.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
-
-Signed-off-by: Stefan Metzmacher
----
- auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
-index 32d9d7f..7b6efdc 100644
---- a/auth/kerberos/kerberos_pac.c
-+++ b/auth/kerberos/kerberos_pac.c
-@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
- krb5_boolean checksum_valid = false;
- krb5_data input;
-
-+ switch (sig->type) {
-+ case CKSUMTYPE_HMAC_MD5:
-+ /* ignores the key type */
-+ break;
-+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
-+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
-+ return EINVAL;
-+ }
-+ /* ok */
-+ break;
-+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
-+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
-+ return EINVAL;
-+ }
-+ /* ok */
-+ break;
-+ default:
-+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
-+ (int)sig->type));
-+ return EINVAL;
-+ }
-+
- #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
- cksum.cksumtype = (krb5_cksumtype)sig->type;
- cksum.checksum.length = sig->signature.length;
---
-1.9.1
-
-From b6da00dee93b832e271040d80d4f6b6165b51f08 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher
-Date: Tue, 19 Jul 2016 16:31:01 +0200
-Subject: [PATCH] krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
-while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.
-
-Signed-off-by: Stefan Metzmacher
-Reviewed-by: Günther Deschner
-(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6)
----
- lib/krb5_wrap/krb5_samba.h | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
-index cef9144..20ef6a3 100644
---- a/lib/krb5_wrap/krb5_samba.h
-+++ b/lib/krb5_wrap/krb5_samba.h
-@@ -74,6 +74,17 @@
- #define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
- #endif
-
-+/*
-+ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
-+ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
-+ */
-+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
-+#endif
-+#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
-+#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
-+#endif
-+
- typedef struct {
- #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
- krb5_address **addrs;
---
-1.9.1
-
diff --git a/SOURCES/CVE-2017-2619-v4-4.patch b/SOURCES/CVE-2017-2619-v4-4.patch
deleted file mode 100644
index 9d07941..0000000
--- a/SOURCES/CVE-2017-2619-v4-4.patch
+++ /dev/null
@@ -1,986 +0,0 @@ -From 72e7e7b7d378e7ba3afe18ea41802aac5366b094 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sun, 19 Mar 2017 15:58:17 +0100 -Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after - dptr_CloseDir() - -dptr_CloseDir() will close and invalidate the fsp's file descriptor, we -have to reopen it. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Ralph Boehme -Reviewed-by: Uri Simchoni ---- - source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c -index 4b6ca1b..1703310 100644 ---- a/source3/smbd/smb2_query_directory.c -+++ b/source3/smbd/smb2_query_directory.c -@@ -24,6 +24,7 @@ - #include "../libcli/smb/smb_common.h" - #include "trans2.h" - #include "../lib/util/tevent_ntstatus.h" -+#include "system/filesys.h" - - static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, -@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx, - } - - if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) { -+ int flags; -+ - dptr_CloseDir(fsp); -+ -+ /* -+ * dptr_CloseDir() will close and invalidate the fsp's file -+ * descriptor, we have to reopen it. 
-+ */ -+ -+ flags = O_RDONLY; -+#ifdef O_DIRECTORY -+ flags |= O_DIRECTORY; -+#endif -+ status = fd_open(conn, fsp, flags, 0); -+ if (tevent_req_nterror(req, status)) { -+ return tevent_req_post(req, ev); -+ } - } - - if (!smbreq->posix_pathnames) { --- -2.9.3 - - -From f9a9e7ed2f11c8eb9f8f9f40ec054e9735614e91 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Sun, 19 Mar 2017 18:52:10 +0100 -Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with - SMB2_CONTINUE_FLAG_REOPEN flag - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Ralph Boehme -Reviewed-by: Uri Simchoni ---- - source4/torture/smb2/dir.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c -index 98844b4..db8e456 100644 ---- a/source4/torture/smb2/dir.c -+++ b/source4/torture/smb2/dir.c -@@ -674,7 +674,7 @@ bool fill_result(void *private_data, - return true; - } - --enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART}; -+enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN}; - - static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, - TALLOC_CTX *tctx, -@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree, - - /* The search should start from the beginning everytime */ - f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART; -+ if (cont_type == CONT_REOPEN) { -+ f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN; -+ } - - do { - status = smb2_find_level(tree, tree, &f, &count, &d); -@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx, - {"SMB2_FIND_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_SINGLE}, - {"SMB2_FIND_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_INDEX}, - {"SMB2_FIND_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, 
CONT_RESTART}, -+ {"SMB2_FIND_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO, CONT_REOPEN}, - {"SMB2_FIND_DIRECTORY_INFO", "SINGLE", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_SINGLE}, - {"SMB2_FIND_DIRECTORY_INFO", "INDEX", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_INDEX}, - {"SMB2_FIND_DIRECTORY_INFO", "RESTART", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_RESTART}, -+ {"SMB2_FIND_DIRECTORY_INFO", "REOPEN", SMB2_FIND_DIRECTORY_INFO, RAW_SEARCH_DATA_DIRECTORY_INFO, CONT_REOPEN}, - {"SMB2_FIND_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_SINGLE}, - {"SMB2_FIND_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_INDEX}, - {"SMB2_FIND_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_RESTART}, -+ {"SMB2_FIND_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_FULL_DIRECTORY_INFO, CONT_REOPEN}, - {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE}, - {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX}, - {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART}, -+ {"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN}, - {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE}, - {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX}, -- {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", 
SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART} -+ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}, -+ {"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN}, - }; - - smb2_deltree(tree, DNAME); --- -2.9.3 - - -From d329035b5bda87ab95a33b8d4af1936079db6fd1 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 11:55:56 -0800 -Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for - OpenDir in preparation for making robust. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 15 ++++++++++++++- - 1 file changed, 14 insertions(+), 1 deletion(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index 3805915..cbd32e3 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1588,7 +1588,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp) - Open a directory. - ********************************************************************/ - --struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, -+static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, -+ connection_struct *conn, - const char *name, - const char *mask, - uint32_t attr) -@@ -1628,6 +1629,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, - return NULL; - } - -+struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, -+ const char *name, -+ const char *mask, -+ uint32_t attr) -+{ -+ return OpenDir_internal(mem_ctx, -+ conn, -+ name, -+ mask, -+ attr); -+} -+ - /******************************************************************* - Open a directory from an fsp. 
- ********************************************************************/ --- -2.9.3 - - -From 484dda03a69f5c687b6ec6db1332bcc51e72e0c2 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 16:25:26 -0800 -Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early - return if SMB_VFS_OPENDIR failed. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index cbd32e3..ea4b301 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1601,20 +1601,12 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, - return NULL; - } - -- dirp->conn = conn; -- dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); -- - dirp->dir_path = talloc_strdup(dirp, name); - if (!dirp->dir_path) { - errno = ENOMEM; - goto fail; - } - -- if (sconn && !sconn->using_smb2) { -- sconn->searches.dirhandles_open++; -- } -- talloc_set_destructor(dirp, smb_Dir_destructor); -- - dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); - if (!dirp->dir) { - DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path, -@@ -1622,6 +1614,14 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, - goto fail; - } - -+ dirp->conn = conn; -+ dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn)); -+ -+ if (sconn && !sconn->using_smb2) { -+ sconn->searches.dirhandles_open++; -+ } -+ talloc_set_destructor(dirp, smb_Dir_destructor); -+ - return dirp; - - fail: --- -2.9.3 - - -From 84d4bbde7c1682e4c8daf680f930a14e3444f659 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 16:35:00 -0800 -Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use - open_dir_safely(). Use from OpenDir(). - -Hardens OpenDir against TOC/TOU races. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++------- - 1 file changed, 61 insertions(+), 9 deletions(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index ea4b301..39a6e67 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1601,15 +1601,9 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, - return NULL; - } - -- dirp->dir_path = talloc_strdup(dirp, name); -- if (!dirp->dir_path) { -- errno = ENOMEM; -- goto fail; -- } -- -- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); -+ dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr); - if (!dirp->dir) { -- DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path, -+ DEBUG(5,("OpenDir: Can't open %s. %s\n", name, - strerror(errno) )); - goto fail; - } -@@ -1629,12 +1623,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx, - return NULL; - } - -+/**************************************************************************** -+ Open a directory handle by pathname, ensuring it's under the share path. -+****************************************************************************/ -+ -+static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx, -+ connection_struct *conn, -+ const char *name, -+ const char *wcard, -+ uint32_t attr) -+{ -+ struct smb_Dir *dir_hnd = NULL; -+ char *saved_dir = vfs_GetWd(ctx, conn); -+ NTSTATUS status; -+ -+ if (saved_dir == NULL) { -+ return NULL; -+ } -+ -+ if (vfs_ChDir(conn, name) == -1) { -+ goto out; -+ } -+ -+ /* -+ * Now the directory is pinned, use -+ * REALPATH to ensure we can access it. -+ */ -+ status = check_name(conn, "."); -+ if (!NT_STATUS_IS_OK(status)) { -+ goto out; -+ } -+ -+ dir_hnd = OpenDir_internal(ctx, -+ conn, -+ ".", -+ wcard, -+ attr); -+ -+ if (dir_hnd == NULL) { -+ goto out; -+ } -+ -+ /* -+ * OpenDir_internal only gets "." as the dir name. 
-+ * Store the real dir name here. -+ */ -+ -+ dir_hnd->dir_path = talloc_strdup(dir_hnd, name); -+ if (!dir_hnd->dir_path) { -+ errno = ENOMEM; -+ } -+ -+ out: -+ -+ vfs_ChDir(conn, saved_dir); -+ TALLOC_FREE(saved_dir); -+ return dir_hnd; -+} -+ - struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn, - const char *name, - const char *mask, - uint32_t attr) - { -- return OpenDir_internal(mem_ctx, -+ return open_dir_safely(mem_ctx, - conn, - name, - mask, --- -2.9.3 - - -From 8aece1e0d15bf059daf70259142e8ad35a7658ed Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 12:13:20 -0800 -Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early - returns. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 34 +++++++++++++++++++++------------- - 1 file changed, 21 insertions(+), 13 deletions(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index 39a6e67..ea4f1ab 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - struct smbd_server_connection *sconn = conn->sconn; - - if (!dirp) { -- return NULL; -+ goto fail; -+ } -+ -+ if (!fsp->is_directory) { -+ errno = EBADF; -+ goto fail; -+ } -+ -+ if (fsp->fh->fd == -1) { -+ errno = EBADF; -+ goto fail; - } - - dirp->conn = conn; -@@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - } - talloc_set_destructor(dirp, smb_Dir_destructor); - -- if (fsp->is_directory && fsp->fh->fd != -1) { -- dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); -- if (dirp->dir != NULL) { -- dirp->fsp = fsp; -- } else { -- DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " -- "NULL (%s)\n", -- dirp->dir_path, -- strerror(errno))); -- if (errno != ENOSYS) { -- return NULL; -- } -+ dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); -+ if 
(dirp->dir != NULL) { -+ dirp->fsp = fsp; -+ } else { -+ DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned " -+ "NULL (%s)\n", -+ dirp->dir_path, -+ strerror(errno))); -+ if (errno != ENOSYS) { -+ return NULL; - } - } - --- -2.9.3 - - -From 16fa5af1a491c410d4579434b7e9f6e388ea319b Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 12:15:59 -0800 -Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory - leak on error. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index ea4f1ab..b8034be 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1742,7 +1742,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - dirp->dir_path, - strerror(errno))); - if (errno != ENOSYS) { -- return NULL; -+ goto fail; - } - } - --- -2.9.3 - - -From 2c1830915b0b59646503ee4d043fd9176090627f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 12:32:07 -0800 -Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting - and destructor setup to just before retuning success. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index b8034be..6b62f14 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1728,11 +1728,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - goto fail; - } - -- if (sconn && !sconn->using_smb2) { -- sconn->searches.dirhandles_open++; -- } -- talloc_set_destructor(dirp, smb_Dir_destructor); -- - dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr); - if (dirp->dir != NULL) { - dirp->fsp = fsp; -@@ -1757,6 +1752,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - goto fail; - } - -+ if (sconn && !sconn->using_smb2) { -+ sconn->searches.dirhandles_open++; -+ } -+ talloc_set_destructor(dirp, smb_Dir_destructor); -+ - return dirp; - - fail: --- -2.9.3 - - -From 72bf8c2c2b2c4aff1ac4da52aa087c060ea5eef1 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Mon, 19 Dec 2016 12:35:32 -0800 -Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to - open_dir_safely if FDOPENDIR not supported on system. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/dir.c | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c -index 6b62f14..3432788 100644 ---- a/source3/smbd/dir.c -+++ b/source3/smbd/dir.c -@@ -1742,14 +1742,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn, - } - - if (dirp->dir == NULL) { -- /* FDOPENDIR didn't work. Use OPENDIR instead. */ -- dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr); -- } -- -- if (!dirp->dir) { -- DEBUG(5,("OpenDir_fsp: Can't open %s. 
%s\n", dirp->dir_path, -- strerror(errno) )); -- goto fail; -+ /* FDOPENDIR is not supported. Use OPENDIR instead. */ -+ TALLOC_FREE(dirp); -+ return open_dir_safely(mem_ctx, -+ conn, -+ fsp->fsp_name->base_name, -+ mask, -+ attr); - } - - if (sconn && !sconn->using_smb2) { --- -2.9.3 - - -From 015e488ce39e097944acdad7a88a801386d9935b Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 15 Dec 2016 12:52:13 -0800 -Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We - insist on O_NOFOLLOW existing. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/open.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 1c67684..a014b5e 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -363,8 +363,7 @@ NTSTATUS fd_open(struct connection_struct *conn, - struct smb_filename *smb_fname = fsp->fsp_name; - NTSTATUS status = NT_STATUS_OK; - --#ifdef O_NOFOLLOW -- /* -+ /* - * Never follow symlinks on a POSIX client. The - * client should be doing this. 
- */ -@@ -372,12 +371,10 @@ NTSTATUS fd_open(struct connection_struct *conn, - if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) { - flags |= O_NOFOLLOW; - } --#endif - - fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); - if (fsp->fh->fd == -1) { - int posix_errno = errno; --#ifdef O_NOFOLLOW - #if defined(ENOTSUP) && defined(OSF1) - /* handle special Tru64 errno */ - if (errno == ENOTSUP) { -@@ -394,7 +391,6 @@ NTSTATUS fd_open(struct connection_struct *conn, - if (errno == EMLINK) { - posix_errno = ELOOP; - } --#endif /* O_NOFOLLOW */ - status = map_nt_error_from_unix(posix_errno); - if (errno == EMFILE) { - static time_t last_warned = 0L; --- -2.9.3 - - -From b7199aaa0a4d10dd6b3d2a040e345a209ec0c42f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 15 Dec 2016 12:56:08 -0800 -Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of - symlink errno's into a utility function. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/open.c | 43 ++++++++++++++++++++++++++----------------- - 1 file changed, 26 insertions(+), 17 deletions(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index a014b5e..b4b77cd 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -352,6 +352,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn, - } - - /**************************************************************************** -+ Handle differing symlink errno's -+****************************************************************************/ -+ -+static int link_errno_convert(int err) -+{ -+#if defined(ENOTSUP) && defined(OSF1) -+ /* handle special Tru64 errno */ -+ if (err == ENOTSUP) { -+ err = ELOOP; -+ } -+#endif /* ENOTSUP */ -+#ifdef EFTYPE -+ /* fix broken NetBSD errno */ -+ if (err == EFTYPE) { -+ err = ELOOP; -+ } -+#endif /* EFTYPE */ -+ /* fix broken FreeBSD errno */ -+ if (err 
== EMLINK) { -+ err = ELOOP; -+ } -+ return err; -+} -+ -+/**************************************************************************** - fd support routines - attempt to do a dos_open. - ****************************************************************************/ - -@@ -374,23 +399,7 @@ NTSTATUS fd_open(struct connection_struct *conn, - - fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); - if (fsp->fh->fd == -1) { -- int posix_errno = errno; --#if defined(ENOTSUP) && defined(OSF1) -- /* handle special Tru64 errno */ -- if (errno == ENOTSUP) { -- posix_errno = ELOOP; -- } --#endif /* ENOTSUP */ --#ifdef EFTYPE -- /* fix broken NetBSD errno */ -- if (errno == EFTYPE) { -- posix_errno = ELOOP; -- } --#endif /* EFTYPE */ -- /* fix broken FreeBSD errno */ -- if (errno == EMLINK) { -- posix_errno = ELOOP; -- } -+ int posix_errno = link_errno_convert(errno); - status = map_nt_error_from_unix(posix_errno); - if (errno == EMFILE) { - static time_t last_warned = 0L; --- -2.9.3 - - -From eda8d6ed343b32efb7055778b13252842b8c4f61 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 15 Dec 2016 13:04:46 -0800 -Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to - prevent symlink open races. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/open.c | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 237 insertions(+) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index b4b77cd..aa5df2c 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -376,6 +376,243 @@ static int link_errno_convert(int err) - return err; - } - -+static int non_widelink_open(struct connection_struct *conn, -+ const char *conn_rootdir, -+ files_struct *fsp, -+ struct smb_filename *smb_fname, -+ int flags, -+ mode_t mode, -+ unsigned int link_depth); -+ -+/**************************************************************************** -+ Follow a symlink in userspace. -+****************************************************************************/ -+ -+static int process_symlink_open(struct connection_struct *conn, -+ const char *conn_rootdir, -+ files_struct *fsp, -+ struct smb_filename *smb_fname, -+ int flags, -+ mode_t mode, -+ unsigned int link_depth) -+{ -+ int fd = -1; -+ char *link_target = NULL; -+ int link_len = -1; -+ char *oldwd = NULL; -+ size_t rootdir_len = 0; -+ char *resolved_name = NULL; -+ bool matched = false; -+ int saved_errno = 0; -+ -+ /* -+ * Ensure we don't get stuck in a symlink loop. -+ */ -+ link_depth++; -+ if (link_depth >= 20) { -+ errno = ELOOP; -+ goto out; -+ } -+ -+ /* Allocate space for the link target. */ -+ link_target = talloc_array(talloc_tos(), char, PATH_MAX); -+ if (link_target == NULL) { -+ errno = ENOMEM; -+ goto out; -+ } -+ -+ /* Read the link target. */ -+ link_len = SMB_VFS_READLINK(conn, -+ smb_fname->base_name, -+ link_target, -+ PATH_MAX - 1); -+ if (link_len == -1) { -+ goto out; -+ } -+ -+ /* Ensure it's at least null terminated. */ -+ link_target[link_len] = '\0'; -+ -+ /* Convert to an absolute path. 
*/ -+ resolved_name = SMB_VFS_REALPATH(conn, link_target); -+ if (resolved_name == NULL) { -+ goto out; -+ } -+ -+ /* -+ * We know conn_rootdir starts with '/' and -+ * does not end in '/'. FIXME ! Should we -+ * smb_assert this ? -+ */ -+ rootdir_len = strlen(conn_rootdir); -+ -+ matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0); -+ if (!matched) { -+ errno = EACCES; -+ goto out; -+ } -+ -+ /* -+ * Turn into a path relative to the share root. -+ */ -+ if (resolved_name[rootdir_len] == '\0') { -+ /* Link to the root of the share. */ -+ smb_fname->base_name = talloc_strdup(talloc_tos(), "."); -+ if (smb_fname->base_name == NULL) { -+ errno = ENOMEM; -+ goto out; -+ } -+ } else if (resolved_name[rootdir_len] == '/') { -+ smb_fname->base_name = &resolved_name[rootdir_len+1]; -+ } else { -+ errno = EACCES; -+ goto out; -+ } -+ -+ oldwd = vfs_GetWd(talloc_tos(), conn); -+ if (oldwd == NULL) { -+ goto out; -+ } -+ -+ /* Ensure we operate from the root of the share. */ -+ if (vfs_ChDir(conn, conn_rootdir) == -1) { -+ goto out; -+ } -+ -+ /* And do it all again.. */ -+ fd = non_widelink_open(conn, -+ conn_rootdir, -+ fsp, -+ smb_fname, -+ flags, -+ mode, -+ link_depth); -+ if (fd == -1) { -+ saved_errno = errno; -+ } -+ -+ out: -+ -+ SAFE_FREE(resolved_name); -+ TALLOC_FREE(link_target); -+ if (oldwd != NULL) { -+ int ret = vfs_ChDir(conn, oldwd); -+ if (ret == -1) { -+ smb_panic("unable to get back to old directory\n"); -+ } -+ TALLOC_FREE(oldwd); -+ } -+ if (saved_errno != 0) { -+ errno = saved_errno; -+ } -+ return fd; -+} -+ -+/**************************************************************************** -+ Non-widelink open. 
-+****************************************************************************/ -+ -+static int non_widelink_open(struct connection_struct *conn, -+ const char *conn_rootdir, -+ files_struct *fsp, -+ struct smb_filename *smb_fname, -+ int flags, -+ mode_t mode, -+ unsigned int link_depth) -+{ -+ NTSTATUS status; -+ int fd = -1; -+ struct smb_filename *smb_fname_rel = NULL; -+ int saved_errno = 0; -+ char *oldwd = NULL; -+ char *parent_dir = NULL; -+ const char *final_component = NULL; -+ -+ if (!parent_dirname(talloc_tos(), -+ smb_fname->base_name, -+ &parent_dir, -+ &final_component)) { -+ goto out; -+ } -+ -+ oldwd = vfs_GetWd(talloc_tos(), conn); -+ if (oldwd == NULL) { -+ goto out; -+ } -+ -+ /* Pin parent directory in place. */ -+ if (vfs_ChDir(conn, parent_dir) == -1) { -+ goto out; -+ } -+ -+ /* Ensure the relative path is below the share. */ -+ status = check_reduced_name(conn, final_component); -+ if (!NT_STATUS_IS_OK(status)) { -+ saved_errno = map_errno_from_nt_status(status); -+ goto out; -+ } -+ -+ smb_fname_rel = synthetic_smb_fname(talloc_tos(), -+ final_component, -+ smb_fname->stream_name, -+ &smb_fname->st); -+ -+ flags |= O_NOFOLLOW; -+ -+ { -+ struct smb_filename *tmp_name = fsp->fsp_name; -+ fsp->fsp_name = smb_fname_rel; -+ fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode); -+ fsp->fsp_name = tmp_name; -+ } -+ -+ if (fd == -1) { -+ saved_errno = link_errno_convert(errno); -+ if (saved_errno == ELOOP) { -+ if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) { -+ /* Never follow symlinks on posix open. */ -+ goto out; -+ } -+ if (!lp_follow_symlinks(SNUM(conn))) { -+ /* Explicitly no symlinks. */ -+ goto out; -+ } -+ /* -+ * We have a symlink. Follow in userspace -+ * to ensure it's under the share definition. 
-+ */ -+ fd = process_symlink_open(conn, -+ conn_rootdir, -+ fsp, -+ smb_fname_rel, -+ flags, -+ mode, -+ link_depth); -+ if (fd == -1) { -+ saved_errno = -+ link_errno_convert(errno); -+ } -+ } -+ } -+ -+ out: -+ -+ TALLOC_FREE(parent_dir); -+ TALLOC_FREE(smb_fname_rel); -+ -+ if (oldwd != NULL) { -+ int ret = vfs_ChDir(conn, oldwd); -+ if (ret == -1) { -+ smb_panic("unable to get back to old directory\n"); -+ } -+ TALLOC_FREE(oldwd); -+ } -+ if (saved_errno != 0) { -+ errno = saved_errno; -+ } -+ return fd; -+} -+ - /**************************************************************************** - fd support routines - attempt to do a dos_open. - ****************************************************************************/ --- -2.9.3 - - -From 81094d0c7519936b08d22efc22ba78e5bab24cd1 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Thu, 15 Dec 2016 13:06:31 -0800 -Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new - non_widelink_open() function. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496 - -Signed-off-by: Jeremy Allison -Reviewed-by: Uri Simchoni ---- - source3/smbd/open.c | 23 ++++++++++++++++++++++- - 1 file changed, 22 insertions(+), 1 deletion(-) - -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index aa5df2c..0b66487 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -634,7 +634,28 @@ NTSTATUS fd_open(struct connection_struct *conn, - flags |= O_NOFOLLOW; - } - -- fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); -+ /* Ensure path is below share definition. */ -+ if (!lp_widelinks(SNUM(conn))) { -+ const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn, -+ smb_fname->base_name); -+ if (conn_rootdir == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ /* -+ * Only follow symlinks within a share -+ * definition. 
-+ */ -+ fsp->fh->fd = non_widelink_open(conn, -+ conn_rootdir, -+ fsp, -+ smb_fname, -+ flags, -+ mode, -+ 0); -+ } else { -+ fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode); -+ } -+ - if (fsp->fh->fd == -1) { - int posix_errno = link_errno_convert(errno); - status = map_nt_error_from_unix(posix_errno); --- -2.9.3 - diff --git a/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch b/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch deleted file mode 100644 index ebd1cdf..0000000 --- a/SOURCES/samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -From a24fa6abf4f8a937554d292448a765677f9dec53 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 31 May 2016 18:47:34 +0200 -Subject: [PATCH] s3:libnet: accept empty realm for AD domains when only - security=domain is set. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Initial patch from Matt Rogers @ RedHat. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 - -Guenther - -Pair-Programmed-With: Andreas Schneider -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Wed Jun 15 20:28:31 CEST 2016 on sn-devel-144 - -(cherry picked from commit 234a470f198f8f09f46aaeaf58f966faccedef18) ---- - source3/libnet/libnet_join.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a28864d..b5a5ae2 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2367,9 +2367,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, - W_ERROR_HAVE_NO_MEMORY(wrong_conf); - } - -+ /* -+ * We should generate the warning for the special case when -+ * domain is AD, "security = domain" and the realm parameter is -+ * not set. 
-+ */ -+ if (lp_security() == SEC_DOMAIN && -+ r->out.domain_is_ad && -+ !valid_realm) { -+ libnet_join_set_error_string(mem_ctx, r, -+ "Warning: when joining AD domains with security=domain, " -+ "\"realm\" should be defined in the configuration (%s) " -+ "and configuration modification was not requested", -+ wrong_conf); -+ return WERR_OK; -+ } -+ - libnet_join_set_error_string(mem_ctx, r, - "Invalid configuration (%s) and configuration modification " - "was not requested", wrong_conf); -+ - return WERR_CAN_NOT_COMPLETE; - } - --- -2.9.0 - -From 872207a7dcbb6272e6a4e8bf2fd366128a63e087 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 15 Jun 2016 16:04:29 +0200 -Subject: [PATCH 1/2] s3-libnet: Print error string even on successfuly - completion of libnetjoin. - -Sometimes useful information should be printed to the users. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 - -Guenther - -Signed-off-by: Guenther Deschner -(cherry picked from commit 632faa87610b3afca3f8d3e9f3f46ee6b87f362a) ---- - source3/utils/net_ads.c | 5 +++++ - source3/utils/net_rpc.c | 10 ++++++++++ - 2 files changed, 15 insertions(+) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 90af09e..c61aa0d 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -1596,6 +1596,11 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) - r->out.netbios_domain_name); - } - -+ /* print out informative error string in case there is one */ -+ if (r->out.error_string != NULL) { -+ d_printf("%s\n", r->out.error_string); -+ } -+ - /* - * We try doing the dns update (if it was compiled in - * and if it was not disabled on the command line). 
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c -index 93caf04..1e3e286 100644 ---- a/source3/utils/net_rpc.c -+++ b/source3/utils/net_rpc.c -@@ -428,6 +428,11 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) - r->out.netbios_domain_name); - } - -+ /* print out informative error string in case there is one */ -+ if (r->out.error_string != NULL) { -+ d_printf("%s\n", r->out.error_string); -+ } -+ - TALLOC_FREE(mem_ctx); - - return 0; -@@ -607,6 +612,11 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a - r->out.netbios_domain_name); - } - -+ /* print out informative error string in case there is one */ -+ if (r->out.error_string != NULL) { -+ d_printf("%s\n", r->out.error_string); -+ } -+ - TALLOC_FREE(mem_ctx); - - return 0; --- -2.5.5 - - -From 3f5af70f63f2ca141da8bd28ae131079b7f93f55 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Wed, 15 Jun 2016 23:03:32 +0200 -Subject: [PATCH 2/2] libnet: ignore realm setting for domain security joins to - AD domains if 'winbind rpc only = true' - -Inspired by initial patch from Matt Rogers @ RedHat. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11977 - -Signed-off-by: Michael Adam -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Michael Adam -Autobuild-Date(master): Wed Jun 22 05:05:47 CEST 2016 on sn-devel-144 - -(cherry picked from commit e29d8f108cd090706dc3f54282f5c33ec30df899) ---- - source3/libnet/libnet_join.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index c007183..bab58f3 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2303,6 +2303,7 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, - bool valid_security = false; - bool valid_workgroup = false; - bool valid_realm = false; -+ bool ignored_realm = false; - - /* check if configuration is already set correctly */ - -@@ -2322,11 +2323,26 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx, - valid_realm = strequal(lp_realm(), r->out.dns_domain_name); - switch (lp_security()) { - case SEC_DOMAIN: -+ if (!valid_realm && lp_winbind_rpc_only()) { -+ valid_realm = true; -+ ignored_realm = true; -+ } - case SEC_ADS: - valid_security = true; - } - - if (valid_workgroup && valid_realm && valid_security) { -+ if (ignored_realm && !r->in.modify_config) -+ { -+ libnet_join_set_error_string(mem_ctx, r, -+ "Warning: ignoring realm when " -+ "joining AD domain with " -+ "'security=domain' and " -+ "'winbind rpc only = yes'. " -+ "(realm set to '%s', " -+ "should be '%s').", lp_realm(), -+ r->out.dns_domain_name); -+ } - /* nothing to be done */ - return WERR_OK; - } --- -2.5.5 - diff --git a/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch b/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch deleted file mode 100644 index 68d48a1..0000000 --- a/SOURCES/samba-4.4.5-fix_resolving_trusted_domain_users.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 9845aff09ac6b136ee363f7fb869bfd3a8f9b8c1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 10 Jun 2016 16:51:18 +0200 -Subject: [PATCH] s3-winbind: Fix schannel connections against trusted domain - DCs - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11830 - -Pair-Programmed-With: Andreas Schneider -Signed-off-by: Guenther Deschner -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy -(cherry picked from commit d2379caa77fe02264323d69fee1bcad33f1bfeee) ---- - source3/winbindd/winbindd_cm.c | 16 +++++++++++++++- - 1 file changed, 15 insertions(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c -index 45e3fad..f1f98db 100644 ---- a/source3/winbindd/winbindd_cm.c -+++ b/source3/winbindd/winbindd_cm.c -@@ -903,6 +903,7 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, - struct cli_credentials *creds; - NTSTATUS status; - bool force_machine_account = false; -+ bool ok; - - /* If we are a DC and this is not our own domain */ - -@@ -947,7 +948,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain, - CRED_DONT_USE_KERBEROS); - } - -- if (creds_domain != domain) { -+ /* -+ * When we contact our own domain and get a list of the trusted domain -+ * we have the information if we are able to contact the DC with -+ * with our machine account password. 
-+ */ -+ ok = winbindd_can_contact_domain(domain); -+ if (!ok) { - /* - * We can only use schannel against a direct trust - */ -@@ -3284,6 +3291,8 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, - - sec_chan_type = cli_credentials_get_secure_channel_type(creds); - if (sec_chan_type == SEC_CHAN_NULL) { -+ DBG_WARNING("get_secure_channel_type gave SEC_CHAN_NULL for %s\n", -+ domain->name); - return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; - } - -@@ -3323,6 +3332,11 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain, - conn->netlogon_flags = netlogon_creds->negotiate_flags; - TALLOC_FREE(netlogon_creds); - -+ /* -+ * FIXME: Document in which case we are not able to contact -+ * a DC without schannel. Which information do we try to get -+ * from this DC? -+ */ - if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) { - if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { - result = NT_STATUS_DOWNGRADE_DETECTED; --- -2.8.4 - diff --git a/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch b/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch deleted file mode 100644 index 6c50408..0000000 --- a/SOURCES/samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From a3978285d05eb0bd9b52b0d1c2908388005b32e1 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 14 Jun 2016 22:37:31 +0300 -Subject: [PATCH] libnet_join: use sitename if it was set by pre-join detection - -When domain member is joined to AD, we need to use the same DC to -authenticate against after the join because the machine account might -not be replicated yet to other domain controllers, including off-site. - -Bug https://bugzilla.samba.org/show_bug.cgi?id=11769 dealt with -detection of the site pre-join. However, we rewrite private local -krb5.conf afterwards without taking the discovered site name into -account. - -Fix this by reusing the site discovered pre-join. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11975 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Jun 15 15:25:44 CEST 2016 on sn-devel-144 - -(cherry picked from commit 4c408f6de5c32a41fbb44971419118e5425d13e7) ---- - source3/libnet/libnet_join.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c -index a28864d..c007183 100644 ---- a/source3/libnet/libnet_join.c -+++ b/source3/libnet/libnet_join.c -@@ -2500,7 +2500,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, - - create_local_private_krb5_conf_for_domain( - r->out.dns_domain_name, r->out.netbios_domain_name, -- NULL, smbXcli_conn_remote_sockaddr(cli->conn)); -+ sitename, smbXcli_conn_remote_sockaddr(cli->conn)); - - if (r->out.domain_is_ad && - !(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) { --- -2.9.0 - diff --git a/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch b/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch deleted file mode 100644 index e71bc79..0000000 --- a/SOURCES/samba-4.4.5-fix_winbind_cached_creds_memleak.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From f8d4a51b02abd2f7bb4c5a874d8d83f4dedc7a6a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 29 Jun 2016 13:38:19 +0200 -Subject: [PATCH] s3-winbind: Fix memory leak with each cached credential login - -When we allow offline logon and have a lot of logins, windbind will leak -4k of memory which each log in. On systems with heavy load this can grow -quickly and the OOM killer will kill Winbind. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11999 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Jun 29 19:03:53 CEST 2016 on sn-devel-144 - -(cherry picked from commit 826f61960ec74deedc9d556a3b8fe04d9178dcd8) ---- - source3/winbindd/winbindd_cache.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c -index cf3ed71..5dd9f4f 100644 ---- a/source3/winbindd/winbindd_cache.c -+++ b/source3/winbindd/winbindd_cache.c -@@ -3471,7 +3471,7 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const - struct winbind_cache *cache = get_cache(domain); - NTSTATUS status; - int ret; -- struct cred_list *cred, *oldest = NULL; -+ struct cred_list *cred, *next, *oldest = NULL; - - if (!cache->tdb) { - return NT_STATUS_INTERNAL_DB_ERROR; -@@ -3540,7 +3540,11 @@ NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const - status = NT_STATUS_UNSUCCESSFUL; - } - done: -- SAFE_FREE(wcache_cred_list); -+ for (cred = wcache_cred_list; cred; cred = next) { -+ next = cred->next; -+ DLIST_REMOVE(wcache_cred_list, cred); -+ SAFE_FREE(cred); -+ } - SAFE_FREE(oldest); - - return status; --- -2.9.0 - diff --git a/SOURCES/samba-4.4.6-fix_nss_wins.patch b/SOURCES/samba-4.4.6-fix_nss_wins.patch deleted file mode 100644 index ac848bc..0000000 --- a/SOURCES/samba-4.4.6-fix_nss_wins.patch +++ /dev/null 
@@ -1,314 +0,0 @@ -From 119825e3df9b65ea24f28a7faf39b54861d62f0c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Sep 2016 16:21:31 +0200 -Subject: [PATCH] waf: Explicitly link libreplace against libnss_wins.so - -If we do not specify replace as a depencency here, it will not link to -libreplace using an rpath. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12277 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Jim McDonough - -(cherry picked from commit d8a5565ae647352d11d622bd4e73ff4568678a7c) ---- - nsswitch/wscript_build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build -index f286896..ab8f8ea 100644 ---- a/nsswitch/wscript_build -+++ b/nsswitch/wscript_build -@@ -42,7 +42,7 @@ if (Utils.unversioned_sys_platform() == 'linux' or (host_os.rfind('gnu') > -1)): - bld.SAMBA3_LIBRARY('nss_wins', - keep_underscore=True, - source='wins.c', -- deps='''wbclient''', -+ deps='wbclient replace', - public_headers=[], - public_headers_install=False, - pc_files=[], --- -2.10.0 - -From 33bc85d9060340e4ce3d2edecb3fb76dd85a5195 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Sep 2016 16:17:11 +0200 -Subject: [PATCH 1/2] nsswitch: Add missing arguments to wins gethostbyname* - -The errno pointer argument is missing. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -Reviewed-by: Jim McDonough -(cherry picked from commit 124ae4e861f048fe015bff32ace4abff4d3e6c62) ---- - nsswitch/wins.c | 51 +++++++++++++++++++++++++++++++++++++++++---------- - 1 file changed, 41 insertions(+), 10 deletions(-) - -diff --git a/nsswitch/wins.c b/nsswitch/wins.c -index fc65c03..be84f2e 100644 ---- a/nsswitch/wins.c -+++ b/nsswitch/wins.c -@@ -39,10 +39,19 @@ static pthread_mutex_t wins_nss_mutex = PTHREAD_MUTEX_INITIALIZER; - #define INADDRSZ 4 - #endif - --NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, -- char *buffer, size_t buflen, int *h_errnop); --NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he, -- char *buffer, size_t buflen, int *h_errnop); -+NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname, -+ struct hostent *he, -+ char *buffer, -+ size_t buflen, -+ int *errnop, -+ int *h_errnop); -+NSS_STATUS _nss_wins_gethostbyname2_r(const char *name, -+ int af, -+ struct hostent *he, -+ char *buffer, -+ size_t buflen, -+ int *errnop, -+ int *h_errnop); - - static char *lookup_byname_backend(const char *name) - { -@@ -225,8 +234,12 @@ gethostbyname() - we ignore any domain portion of the name and only - handle names that are at most 15 characters long - **************************************************************************/ - NSS_STATUS --_nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, -- char *buffer, size_t buflen, int *h_errnop) -+_nss_wins_gethostbyname_r(const char *hostname, -+ struct hostent *he, -+ char *buffer, -+ size_t buflen, -+ int *errnop, -+ int *h_errnop) - { - NSS_STATUS nss_status = NSS_STATUS_SUCCESS; - char *ip; -@@ -247,6 +260,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - - ip = lookup_byname_backend(name); - if (ip == NULL) { -+ *errnop = EINVAL; - nss_status = NSS_STATUS_NOTFOUND; - 
goto out; - } -@@ -254,6 +268,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - rc = inet_pton(AF_INET, ip, &in); - wbcFreeMemory(ip); - if (rc == 0) { -+ *errnop = errno; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -263,6 +278,7 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - namelen = strlen(name) + 1; - - if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -275,18 +291,21 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - i = sizeof(char*) - i; - - if (get_static(&buffer, &buflen, i) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } - - if ((he->h_addr_list = (char **)get_static( - &buffer, &buflen, 2 * sizeof(char *))) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } - - if ((he->h_addr_list[0] = get_static(&buffer, &buflen, - INADDRSZ)) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -306,12 +325,14 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - i = sizeof(char*) - i; - - if (get_static(&buffer, &buflen, i) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } - - if ((he->h_aliases = (char **)get_static( - &buffer, &buflen, sizeof(char *))) == NULL) { -+ *errnop = EAGAIN; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -330,17 +351,27 @@ _nss_wins_gethostbyname_r(const char *hostname, struct hostent *he, - - - NSS_STATUS --_nss_wins_gethostbyname2_r(const char *name, int af, struct hostent *he, -- char *buffer, size_t buflen, int *h_errnop) -+_nss_wins_gethostbyname2_r(const char *name, -+ int af, -+ struct hostent *he, -+ char *buffer, -+ size_t buflen, -+ int *errnop, -+ int *h_errnop) - { - NSS_STATUS nss_status; - - if(af!=AF_INET) { -+ *errnop = EAFNOSUPPORT; - *h_errnop = NO_DATA; - nss_status = 
NSS_STATUS_UNAVAIL; - } else { -- nss_status = _nss_wins_gethostbyname_r( -- name, he, buffer, buflen, h_errnop); -+ nss_status = _nss_wins_gethostbyname_r(name, -+ he, -+ buffer, -+ buflen, -+ errnop, -+ h_errnop); - } - return nss_status; - } --- -2.10.0 - - -From b8d9c7b69509555f40335a0dd7b93ef032354b0d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 20 Sep 2016 13:26:52 +0200 -Subject: [PATCH 2/2] nsswitch: Also set h_errnop for nss_wins functions - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jim McDonough - -(cherry picked from commit 382345126c56e26d3dbc319f1c7c1dae3c4fafc9) ---- - nsswitch/wins.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/nsswitch/wins.c b/nsswitch/wins.c -index be84f2e..dccb6dd 100644 ---- a/nsswitch/wins.c -+++ b/nsswitch/wins.c -@@ -261,6 +261,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - ip = lookup_byname_backend(name); - if (ip == NULL) { - *errnop = EINVAL; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_NOTFOUND; - goto out; - } -@@ -269,6 +270,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - wbcFreeMemory(ip); - if (rc == 0) { - *errnop = errno; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -279,6 +281,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - - if ((he->h_name = get_static(&buffer, &buflen, namelen)) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -292,6 +295,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - - if (get_static(&buffer, &buflen, i) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -299,6 +303,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - if ((he->h_addr_list = (char **)get_static( - &buffer, &buflen, 2 * sizeof(char *))) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = 
NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -306,6 +311,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - if ((he->h_addr_list[0] = get_static(&buffer, &buflen, - INADDRSZ)) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -326,6 +332,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - - if (get_static(&buffer, &buflen, i) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } -@@ -333,12 +340,14 @@ _nss_wins_gethostbyname_r(const char *hostname, - if ((he->h_aliases = (char **)get_static( - &buffer, &buflen, sizeof(char *))) == NULL) { - *errnop = EAGAIN; -+ *h_errnop = NETDB_INTERNAL; - nss_status = NSS_STATUS_TRYAGAIN; - goto out; - } - - he->h_aliases[0] = NULL; - -+ *h_errnop = NETDB_SUCCESS; - nss_status = NSS_STATUS_SUCCESS; - - out: --- -2.10.0 - -From c91544eb234af9a13ab08f2b1e31d2915965985b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Sun, 13 Nov 2016 17:40:21 +0100 -Subject: [PATCH] nss_wins: Fix errno values for HOST_NOT_FOUND - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12269 - -Signed-off-by: Andreas Schneider ---- - nsswitch/wins.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/nsswitch/wins.c b/nsswitch/wins.c -index dccb6dd..19d3c5b 100644 ---- a/nsswitch/wins.c -+++ b/nsswitch/wins.c -@@ -260,8 +260,7 @@ _nss_wins_gethostbyname_r(const char *hostname, - - ip = lookup_byname_backend(name); - if (ip == NULL) { -- *errnop = EINVAL; -- *h_errnop = NETDB_INTERNAL; -+ *h_errnop = HOST_NOT_FOUND; - nss_status = NSS_STATUS_NOTFOUND; - goto out; - } --- -2.10.2 - diff --git a/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch b/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch deleted file mode 100644 index 488e8d6..0000000 --- a/SOURCES/samba-4.4.6-fix_smbclient_against_apple_and_azure.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 2a9e5a9a226a4628546dbaaea59ff78fe32a2352 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 1 Sep 2016 08:08:23 +0200 -Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB - servers - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Christian Ambach - -Autobuild-User(master): Christian Ambach -Autobuild-Date(master): Fri Sep 2 18:10:44 CEST 2016 on sn-devel-144 - -(cherry picked from commit 9b45ba5cd53bd513eb777590815a0b8408af64e2) ---- - auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 68 insertions(+), 1 deletion(-) - -diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c -index ef30ab7..5f5047a 100644 ---- a/auth/gensec/spnego.c -+++ b/auth/gensec/spnego.c -@@ -55,9 +55,11 @@ struct spnego_state { - - DATA_BLOB mech_types; - size_t num_targs; -+ bool downgraded; - bool mic_requested; - bool needs_mic_sign; - bool needs_mic_check; -+ bool may_skip_mic_check; - bool done_mic_check; - - bool simulate_w2k; -@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ - * Indicate the downgrade and request a - * mic. 
- */ -+ spnego_state->downgraded = true; - spnego_state->mic_requested = true; - break; - } -@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", - gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid), - gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech))); -- -+ spnego_state->downgraded = true; - spnego_state->no_response_expected = false; - talloc_free(spnego_state->sub_sec_security); - nt_status = gensec_subcontext_start(spnego_state, -@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - return NT_STATUS_INVALID_PARAMETER; - } - -+ if (spnego.negTokenTarg.mechListMIC.length == 0 -+ && spnego_state->may_skip_mic_check) { -+ /* -+ * In this case we don't require -+ * a mechListMIC from the server. -+ * -+ * This works around bugs in the Azure -+ * and Apple spnego implementations. -+ * -+ * See -+ * https://bugzilla.samba.org/show_bug.cgi?id=11994 -+ */ -+ spnego_state->needs_mic_check = false; -+ nt_status = NT_STATUS_OK; -+ goto client_response; -+ } -+ - nt_status = gensec_check_packet(spnego_state->sub_sec_security, - spnego_state->mech_types.data, - spnego_state->mech_types.length, -@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA - */ - new_spnego = false; - } -+ - break; - - case SPNEGO_ACCEPT_INCOMPLETE: -+ if (spnego.negTokenTarg.mechListMIC.length > 0) { -+ new_spnego = true; -+ break; -+ } -+ -+ if (spnego_state->downgraded) { -+ /* -+ * A downgrade should be protected if -+ * supported -+ */ -+ break; -+ } -+ -+ /* -+ * The caller may just asked for -+ * GENSEC_FEATURE_SESSION_KEY, this -+ * is only reflected in the want_features. -+ * -+ * As it will imply -+ * gensec_have_features(GENSEC_FEATURE_SIGN) -+ * to return true. 
-+ */ -+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { -+ break; -+ } -+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { -+ break; -+ } -+ /* -+ * Here we're sure our preferred mech was -+ * selected by the server and our caller doesn't -+ * need GENSEC_FEATURE_SIGN nor -+ * GENSEC_FEATURE_SEAL support. -+ * -+ * In this case we don't require -+ * a mechListMIC from the server. -+ * -+ * This works around bugs in the Azure -+ * and Apple spnego implementations. -+ * -+ * See -+ * https://bugzilla.samba.org/show_bug.cgi?id=11994 -+ */ -+ spnego_state->may_skip_mic_check = true; -+ break; -+ - case SPNEGO_REQUEST_MIC: - if (spnego.negTokenTarg.mechListMIC.length > 0) { - new_spnego = true; --- -2.8.0.rc3.226.g39d4020 - diff --git a/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch b/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch deleted file mode 100644 index c75593a..0000000 --- a/SOURCES/samba-4.4.7-fix-ctdb-test-install-dir.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From eb09689c3c1eeae14eeb08352c5342d89b7bf96d Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 3 Aug 2016 13:23:31 +0200 -Subject: [PATCH] ctdb-waf: Move ctdb tests to libexec directory - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12104 - -Signed-off-by: Andreas Schneider -Reviewed-by: Martin Schwenke - -(cherry picked from commit f9c85d04e9edb3af9479e9c83d5b1ec77b9c2ee2) ---- - ctdb/wscript | 20 ++++++++++---------- - 1 file changed, 10 insertions(+), 10 deletions(-) - -diff --git a/ctdb/wscript b/ctdb/wscript -index 5739269..a6d1e68 100755 ---- a/ctdb/wscript -+++ b/ctdb/wscript -@@ -208,7 +208,7 @@ def configure(conf): - - conf.env.CTDB_TEST_DATADIR = os.path.join(conf.env.EXEC_PREFIX, - 'share/ctdb-tests') -- conf.env.CTDB_TEST_LIBDIR = os.path.join(conf.env.LIBDIR, 'ctdb-tests') -+ conf.env.CTDB_TEST_LIBEXECDIR = os.path.join(conf.env.LIBEXECDIR, 'ctdb/tests') - - # Allow unified compilation and separate compilation of utilities - # to find includes -@@ -637,12 +637,12 @@ def build(bld): - bld.SAMBA_BINARY(target, - source=src, - deps='talloc tevent tdb tevent-unix-util', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - bld.SAMBA_BINARY('reqid_test', - source='tests/src/reqid_test.c', - deps='samba-util', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - # Test binaries - ctdb_tests = [ -@@ -671,7 +671,7 @@ def build(bld): - source=src, - includes='include', - deps='ctdb-client ctdb-common ctdb-util', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - bld.SAMBA_BINARY('ctdb_takeover_tests', - source='tests/src/ctdb_takeover_tests.c', -@@ -680,21 +680,21 @@ def build(bld): - ctdb-protocol''' + - ib_deps, - includes='include', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - bld.SAMBA_BINARY('ctdb_functest', - source='tests/src/ctdb_functest.c', - deps='''replace tdb tevent talloc 
popt ctdb-system - samba-util tdb-wrap''', - includes='include', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - bld.SAMBA_BINARY('ctdb_stubtest', - source='tests/src/ctdb_test.c', - deps='''replace tdb tevent talloc popt ctdb-system - samba-util tdb-wrap''', - includes='include', -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - if bld.env.HAVE_INFINIBAND: - bld.SAMBA_BINARY('ibwrapper_test', -@@ -702,7 +702,7 @@ def build(bld): - includes='include', - deps='replace talloc ctdb-client ctdb-common' + - ib_deps, -- install_path='${CTDB_TEST_LIBDIR}') -+ install_path='${CTDB_TEST_LIBEXECDIR}') - - test_subdirs = [ - 'complex', -@@ -734,7 +734,7 @@ def build(bld): - destname=os.path.join('scripts', t)) - - sed_expr = 's@^TEST_SCRIPTS_DIR=.*@&\\nexport TEST_BIN_DIR=\"%s\"@' % ( -- bld.env.CTDB_TEST_LIBDIR) -+ bld.env.CTDB_TEST_LIBEXECDIR) - bld.SAMBA_GENERATOR('ctdb-test-wrap', - source='tests/scripts/test_wrap', - target='test_wrap', -@@ -743,7 +743,7 @@ def build(bld): - destname='test_wrap', chmod=0755) - - sed_expr1 = 's@^test_dir=.*@test_dir=%s\\nexport TEST_BIN_DIR=\"%s\"@' % ( -- bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBDIR) -+ bld.env.CTDB_TEST_DATADIR, bld.env.CTDB_TEST_LIBEXECDIR) - sed_expr2 = 's@^\(export CTDB_TESTS_ARE_INSTALLED\)=false@\\1=true@' - bld.SAMBA_GENERATOR('ctdb-test-runner', - source='tests/run_tests.sh', --- -2.9.2 - diff --git a/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch b/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch deleted file mode 100644 index 44c16a1..0000000 --- a/SOURCES/samba-4.4.7-fix_ads_krb5_ccname_handling.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From d29b108d879b4de27d235a1692e090c0993582df Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 6 Jul 2016 12:48:11 +0200 -Subject: [PATCH 1/2] libads: ensure the right ccache is used during gssapi - bind - -When doing gssapi sasl bind: -1. Try working without kinit only if a password is not - provided -2. When using kinit, ensure the KRB5CCNAME env var is set - to a private memory ccache, so that the bind is on behalf - of the requested user. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Uri Simchoni -(cherry picked from commit 2672968851966e5c01e4fc4d906b45b5c047e655) ---- - source3/libads/sasl.c | 23 ++++++++++++++++------- - 1 file changed, 16 insertions(+), 7 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index d76d872..6c054cd 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -26,6 +26,7 @@ - #include "smb_krb5.h" - #include "system/gssapi.h" - #include "lib/param/loadparm.h" -+#include "krb5_env.h" - - #ifdef HAVE_LDAP - -@@ -1015,21 +1016,29 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) - { - ADS_STATUS status; - struct ads_service_principal p; -+ const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; - - status = ads_generate_service_principal(ads, &p); - if (!ADS_ERR_OK(status)) { - return status; - } - -- status = ads_sasl_gssapi_do_bind(ads, p.name); -- if (ADS_ERR_OK(status)) { -- ads_free_service_principal(&p); -- return status; -- } -+ if (ads->auth.password == NULL || -+ ads->auth.password[0] == '\0') { -+ status = ads_sasl_gssapi_do_bind(ads, p.name); -+ if (ADS_ERR_OK(status)) { -+ ads_free_service_principal(&p); -+ return status; -+ } - -- DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " -- "calling kinit\n", ads_errstr(status))); -+ DEBUG(10,("ads_sasl_gssapi_do_bind failed with: %s, " -+ "calling kinit\n", ads_errstr(status))); -+ } - -+ if (ads->auth.ccache_name != NULL) { -+ 
ccache_name = ads->auth.ccache_name; -+ } -+ setenv(KRB5_ENV_CCNAME, ccache_name, 1); - status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { --- -2.5.5 - - -From 416ba773c332288e948871d8f649c0310a94f906 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 6 Jul 2016 12:44:11 +0200 -Subject: [PATCH 2/2] libads: ensure the right ccache is used during spnego - bind - -When doing spnego sasl bind: -1. Try working without kinit only if a password is not - provided -2. When using kinit, ensure the KRB5CCNAME env var is set - to a private memory ccache, so that the bind is on behalf - of the requested user. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12007 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Uri Simchoni - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Tue Jul 12 03:23:33 CEST 2016 on sn-devel-144 - -(cherry picked from commit a1743de74f09d5bf695f077f5127d02352a014e2) ---- - source3/libads/sasl.c | 29 ++++++++++++++++++++--------- - 1 file changed, 20 insertions(+), 9 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 6c054cd..85a2eb0 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -749,18 +749,29 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && - got_kerberos_mechanism) - { -- status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", -- CRED_MUST_USE_KERBEROS, -- p.service, p.hostname, -- blob); -- if (ADS_ERR_OK(status)) { -- ads_free_service_principal(&p); -- goto done; -+ const char *ccache_name = "MEMORY:ads_sasl_spnego_bind"; -+ if (ads->auth.ccache_name != NULL) { -+ ccache_name = ads->auth.ccache_name; - } - -- DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, " -- "calling kinit\n", ads_errstr(status))); -+ if (ads->auth.password == NULL || -+ ads->auth.password[0] == '\0') -+ { -+ -+ status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", -+ 
CRED_MUST_USE_KERBEROS, -+ p.service, p.hostname, -+ blob); -+ if (ADS_ERR_OK(status)) { -+ ads_free_service_principal(&p); -+ goto done; -+ } -+ -+ DEBUG(10,("ads_sasl_spnego_gensec_bind(KRB5) failed with: %s, " -+ "calling kinit\n", ads_errstr(status))); -+ } - -+ setenv(KRB5_ENV_CCNAME, ccache_name, 1); - status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { --- -2.5.5 - diff --git a/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch b/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch deleted file mode 100644 index 0941e07..0000000 --- a/SOURCES/samba-4.4.7-fix_group_substituion_with_ad.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 6dfc274ce5ae036a95ac2d7f6f9182c7f5a5b50f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Sep 2016 13:59:54 +0200 -Subject: [PATCH] s3-lib: Fix %G substitution in AD member environment - -If we are a domain member we should look up the user with the domain -name specified else it will only work if we have -'winbind use default domain' set. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 619ca5f63c47ff8b021692aaa756dcb0d883b8dd) ---- - source3/lib/substitute.c | 24 ++++++++++++++++++------ - 1 file changed, 18 insertions(+), 6 deletions(-) - -diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c -index 4e2ce9b..1f98327 100644 ---- a/source3/lib/substitute.c -+++ b/source3/lib/substitute.c -@@ -499,15 +499,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, - break; - case 'G' : { - struct passwd *pass; -+ bool is_domain_name = false; -+ const char *sep = lp_winbind_separator(); - - if (domain_name != NULL && domain_name[0] != '\0' && -- !strequal(domain_name, my_sam_name())) -- { -+ (lp_security() == SEC_ADS || -+ lp_security() == SEC_DOMAIN)) { - r = talloc_asprintf(tmp_ctx, - "%s%c%s", - domain_name, -- *lp_winbind_separator(), -+ *sep, - smb_name); -+ is_domain_name = true; - } else { - r = talloc_strdup(tmp_ctx, smb_name); - } -@@ -517,9 +520,18 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, - - pass = Get_Pwnam_alloc(tmp_ctx, r); - if (pass != NULL) { -- a_string = realloc_string_sub( -- a_string, "%G", -- gidtoname(pass->pw_gid)); -+ char *group_name; -+ -+ group_name = gidtoname(pass->pw_gid); -+ if (is_domain_name) { -+ p = strchr_m(group_name, *sep); -+ if (p != NULL) { -+ group_name = p + 1; -+ } -+ } -+ a_string = realloc_string_sub(a_string, -+ "%G", -+ group_name); - } - TALLOC_FREE(pass); - break; --- -2.10.1 - -From d851e487422808b6d3ba2738daa1c697e569bd27 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke 
-Date: Wed, 12 Oct 2016 12:35:12 +0200 -Subject: [PATCH] lib: Fix CID 1373623 Dereference after null check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We should not overload "p", this is used in the outer loop - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12276 -Signed-off-by: Volker Lendecke -Reviewed-by: Ralph Böhme -Reviewed-by: Jeremy Allison -(cherry picked from commit 6ec81ca3c196f3c4659a4e1c473759b393708d12) ---- - source3/lib/substitute.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c -index 1f98327..f56e2c4 100644 ---- a/source3/lib/substitute.c -+++ b/source3/lib/substitute.c -@@ -524,9 +524,10 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, - - group_name = gidtoname(pass->pw_gid); - if (is_domain_name) { -- p = strchr_m(group_name, *sep); -- if (p != NULL) { -- group_name = p + 1; -+ char *group_sep; -+ group_sep = strchr_m(group_name, *sep); -+ if (group_sep != NULL) { -+ group_name = group_sep + 1; - } - } - a_string = realloc_string_sub(a_string, --- -2.10.1 - diff --git a/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch b/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch deleted file mode 100644 index 34ca572..0000000 --- a/SOURCES/samba-4.4.7-fix_idmap_range_checks.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 70bab87ab37d30521a65056fd6f6a3f4f8bf6716 Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Mon, 15 Aug 2016 23:07:33 +0200 -Subject: [PATCH 1/2] idmap: don't generally forbid id==0 from - idmap_unix_id_is_in_range() - -If the range allows it, then id==0 should not be forbidden. -This seems to have been taken in from idmap_ldap when the -function was originally created. - -See 634cd2e0451d4388c3e3f78239495cf595368b15 . -The other backends don't seem to have had that -extra check for id == 0. - -The reasoning for this change is that the range check should -apply to all cases. If the range includes the 0, then it -should be possible to get it as result. In particular, -this way, the function becomes applicable also to the -passdb backend case, e.g. in a samba4-ad-dc setup where -the Admin gets uid == 0. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 - -Signed-off-by: Michael Adam -Reviewed-by: Volker Lendecke -Reviewed-by: Andreas Schneider -(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d) ---- - source3/winbindd/idmap_util.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c -index f90565f..b6f7b52 100644 ---- a/source3/winbindd/idmap_util.c -+++ b/source3/winbindd/idmap_util.c -@@ -160,11 +160,6 @@ backend: - */ - bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom) - { -- if (id == 0) { -- /* 0 is not an allowed unix id for id mapping */ -- return false; -- } -- - if ((dom->low_id && (id < dom->low_id)) || - (dom->high_id && (id > dom->high_id))) - { --- -2.7.4 - - -From 739167276bc26dfc62acdd96cc9cadb5f88dd02b Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Tue, 9 Aug 2016 18:25:12 +0200 -Subject: [PATCH 2/2] idmap: centrally check that unix IDs returned by the - idmap backends are in range - -Note: in the long run, it might be good to move this kind of -exit check (before handing the result back to the client) -to the 
parent winbindd code. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 - -Signed-off-by: Michael Adam - -(Backported from master commit b2bf61307cffd8ff7b6fb9852c107ab763653119.) ---- - source3/winbindd/winbindd_dual_srv.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c -index cdd9bbd..630d28a 100644 ---- a/source3/winbindd/winbindd_dual_srv.c -+++ b/source3/winbindd/winbindd_dual_srv.c -@@ -203,6 +203,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, - for (j=0; jin.ids->ids[id_idx[j]]; - -+ if (!idmap_unix_id_is_in_range(ids[j].xid.id, dom)) { -+ ids[j].status = ID_UNMAPPED; -+ } -+ - if (ids[j].status != ID_MAPPED) { - id->xid.id = UINT32_MAX; - id->xid.type = ID_TYPE_NOT_SPECIFIED; --- -2.7.4 - diff --git a/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch b/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch deleted file mode 100644 index 2fc8f57..0000000 --- a/SOURCES/samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From b863a62ef2c1e71f3cdf4c74994369baa45dbce7 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Wed, 3 Aug 2016 15:00:45 +0200 -Subject: [PATCH] async_req: make async_connect_send() "reentrant" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Allow callers to pass in socket fds that where already passed to an -earlier call of async_connect_send(). Callers expect this behaviour and -it was working until 05d4dbda8357712cb81008e0d611fdb0e7239587 broke it. - -The proper fix would be to change callers to close the fd and start from -scratch with a fresh socket. - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=12105 - -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Thu Aug 4 05:03:21 CEST 2016 on sn-devel-144 - -(cherry picked from commit 9c6a4ea2788808bdcc7bfea798d838ea56c3b5ec) ---- - lib/async_req/async_sock.c | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c -index c14acf3..3af1748 100644 ---- a/lib/async_req/async_sock.c -+++ b/lib/async_req/async_sock.c -@@ -128,11 +128,21 @@ struct tevent_req *async_connect_send( - } - - /* -- * The only errno indicating that the connect is still in -- * flight is EINPROGRESS, everything else is an error -+ * The only errno indicating that an initial connect is still -+ * in flight is EINPROGRESS. -+ * -+ * We get EALREADY when someone calls us a second time for a -+ * given fd and the connect is still in flight (and returned -+ * EINPROGRESS the first time). -+ * -+ * This allows callers like open_socket_out_send() to reuse -+ * fds and call us with an fd for which the connect is still -+ * in flight. The proper thing to do for callers would be -+ * closing the fd and starting from scratch with a fresh -+ * socket. 
- */ - -- if (errno != EINPROGRESS) { -+ if (errno != EINPROGRESS && errno != EALREADY) { - tevent_req_error(req, errno); - return tevent_req_post(req, ev); - } --- -2.7.4 - diff --git a/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch b/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch deleted file mode 100644 index ecde81b..0000000 --- a/SOURCES/samba-4.4.7-fix_smget_auth_callback.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 8fec0f145a06d900bbcfc8959749cc78ab6be8ed Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 25 Aug 2016 14:24:08 +0200 -Subject: [PATCH] s3-util: Fix asking for username and password in smbget. - -If the user specified the username in the URI with with: - - smb://DOMAIN;user:secret@server/share - -the tool should not prompt for the username nor the password. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12175 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -(cherry picked from commit f5401ff3146aabc5fb2dac25e4856c6c3756c8f7) ---- - source3/utils/smbget.c | 26 ++++++++++++-------------- - 1 file changed, 12 insertions(+), 14 deletions(-) - -diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c -index 4909fa2..74ca7f8 100644 ---- a/source3/utils/smbget.c -+++ b/source3/utils/smbget.c -@@ -105,7 +105,6 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen, - static char *savedwg; - static char *savedun; - static char *savedpw; -- char tmp[128]; - - if (hasasked) { - strncpy(wg, savedwg, wglen - 1); -@@ -115,23 +114,22 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen, - } - hasasked = true; - -- if (!opt.nonprompt && !opt.username_specified) { -- printf("Username for %s at %s [guest] ", shr, srv); -- if (fgets(tmp, sizeof(tmp), stdin) == NULL) { -- return; -- } -- if ((strlen(tmp) > 0) && (tmp[strlen(tmp) - 1] == '\n')) { -- tmp[strlen(tmp) - 1] = '\0'; -- } -- strncpy(un, tmp, unlen - 1); -- } else if (opt.username != NULL) { -+ /* -+ * If no user has been specified un is initialized with the current -+ * username of the user who started smbget. 
-+ */ -+ if (opt.username_specified) { - strncpy(un, opt.username, unlen - 1); - } - -- if (!opt.nonprompt && !opt.password_specified) { -+ if (!opt.nonprompt && !opt.password_specified && pw[0] == '\0') { - char *prompt; -- if (asprintf(&prompt, "Password for %s at %s: ", shr, srv) == -- -1) { -+ int rc; -+ -+ rc = asprintf(&prompt, -+ "Password for [%s] connecting to //%s/%s: ", -+ un, shr, srv); -+ if (rc == -1) { - return; - } - (void)samba_getpass(prompt, pw, pwlen, false, false); --- -2.9.3 - diff --git a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch deleted file mode 100644 index 0802eb5..0000000 --- a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From 66668deb267d63f17c70aaea6f720a7c440bb71c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 10 Oct 2016 15:53:26 +0200 -Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -Reviewed-by: Uri Simchoni -(cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113) ---- - source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++------------- - 1 file changed, 35 insertions(+), 17 deletions(-) - -diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c -index e4b90c1..dc79b87 100644 ---- a/source4/heimdal/lib/krb5/mcache.c -+++ b/source4/heimdal/lib/krb5/mcache.c -@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id) - return 0; - } - -+static void KRB5_CALLCONV -+mcc_destroy_internal(krb5_context context, -+ krb5_mcache *m) -+{ -+ struct link *l; -+ -+ if (m->primary_principal != NULL) { -+ krb5_free_principal (context, m->primary_principal); -+ m->primary_principal = NULL; -+ } -+ m->dead = 1; -+ -+ l = m->creds; -+ while (l != NULL) { -+ struct link *old; -+ -+ krb5_free_cred_contents (context, &l->cred); -+ old = l; -+ l = l->next; -+ free (old); -+ } -+ -+ m->creds = NULL; -+ return; -+} -+ - static krb5_error_code KRB5_CALLCONV - mcc_initialize(krb5_context context, - krb5_ccache id, - krb5_principal primary_principal) - { - krb5_mcache *m = MCACHE(id); -+ /* -+ * It's important to destroy any existing -+ * creds here, that matches the baheviour -+ * of all other backends and also the -+ * MEMORY: backend in MIT. 
-+ */ -+ mcc_destroy_internal(context, m); - m->dead = 0; -+ m->kdc_offset = 0; - m->mtime = time(NULL); - return krb5_copy_principal (context, - primary_principal, -@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context, - krb5_ccache id) - { - krb5_mcache **n, *m = MCACHE(id); -- struct link *l; - - if (m->refcnt == 0) - krb5_abortx(context, "mcc_destroy: refcnt already 0"); -@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context, - } - } - HEIMDAL_MUTEX_unlock(&mcc_mutex); -- if (m->primary_principal != NULL) { -- krb5_free_principal (context, m->primary_principal); -- m->primary_principal = NULL; -- } -- m->dead = 1; -- -- l = m->creds; -- while (l != NULL) { -- struct link *old; -- -- krb5_free_cred_contents (context, &l->cred); -- old = l; -- l = l->next; -- free (old); -- } -- m->creds = NULL; -+ mcc_destroy_internal(context, m); - } - return 0; - } --- -1.9.1 - - -From 5484f6cb0d812d11234347f592dff1a15ef5ef50 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 10 Oct 2016 17:07:12 +0200 -Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor - set "KRB5CCNAME" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -Reviewed-by: Uri Simchoni -(cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd) ---- - source3/libads/sasl.c | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 85a2eb0..4e4486f 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) - { - ADS_STATUS status; - struct ads_service_principal p; -- const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind"; - - status = ads_generate_service_principal(ads, &p); - if (!ADS_ERR_OK(status)) { -@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads) - "calling kinit\n", ads_errstr(status))); - } - -- if (ads->auth.ccache_name != NULL) { -- ccache_name = ads->auth.ccache_name; -- } -- setenv(KRB5_ENV_CCNAME, ccache_name, 1); - status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { --- -1.9.1 - - -From 012e763219f42071ced497fcc0ecd387789efd4f Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 10 Oct 2016 17:07:12 +0200 -Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set - "KRB5CCNAME" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Günther Deschner -Reviewed-by: Uri Simchoni - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144 - -(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca) ---- - source3/libads/sasl.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 4e4486f..39c60c3 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && - got_kerberos_mechanism) - { -- const char *ccache_name = "MEMORY:ads_sasl_spnego_bind"; -- if (ads->auth.ccache_name != NULL) { -- ccache_name = ads->auth.ccache_name; -- } -- - if (ads->auth.password == NULL || - ads->auth.password[0] == '\0') - { -@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) - "calling kinit\n", ads_errstr(status))); - } - -- setenv(KRB5_ENV_CCNAME, ccache_name, 1); - status = ADS_ERROR_KRB5(ads_kinit_password(ads)); - - if (ADS_ERR_OK(status)) { --- -1.9.1 - diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc new file mode 100644 index 0000000..9d1e563 --- /dev/null +++ b/SOURCES/samba-4.6.2.tar.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz +DQw3KuAbWCKIgkHcy1zZr2o= +=bIg5 +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch new file mode 100644 index 0000000..f89ec30 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch 
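Review bot: The detached signature `samba-4.6.2.tar.asc` is added without anything in this hunk tying it to a verification step, and a `.asc` in SOURCES only gives supply-chain assurance when the build verifies it against a pinned key (in an RPM spec, the `%{gpgverify}` macro with `--keyring`, `--signature` and `--data` in `%prep`); if that spec change lives elsewhere in this commit, check that it exists and that the pinned key matches the key id embedded in this signature, which decodes from the first packet bytes to 6F33915B6568B7EA. Those same bytes suggest a v3 DSA signature over SHA-1, which current GnuPG and rpm signature policies increasingly warn about or reject, so the verification tool's hash policy is worth confirming before the build depends on it. The file name also implies it signs the uncompressed `samba-4.6.2.tar`, so verification has to decompress the `.xz` tarball first rather than check the compressed file.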
@@ -0,0 +1,37 @@
+From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Thu, 5 Jan 2017 09:34:36 +0100
+Subject: [PATCH] replace: Include sysmacros.h
+
+In the GNU C Library, "makedev" is defined by . For
+historical compatibility, it is currently defined by as
+well, but it is planned to remove this soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Volker Lendecke
+
+(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
+---
+ lib/replace/replace.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/lib/replace/replace.h b/lib/replace/replace.h
+index c69a069e4b3..1dbeacfff66 100644
+--- a/lib/replace/replace.h
++++ b/lib/replace/replace.h
+@@ -171,6 +171,10 @@
+ #include
+ #endif
+ 
++#ifdef HAVE_SYS_SYSMACROS_H
++#include
++#endif
++
+ #ifdef HAVE_SETPROCTITLE_H
+ #include
+ #endif
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
new file mode 100644
index 0000000..02db440
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch
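Review bot: The new include in `lib/replace/replace.h` is guarded by `HAVE_SYS_SYSMACROS_H`, but nothing in this patch adds a configure probe that defines it, so if lib/replace's wscript does not already check for `sys/sysmacros.h` the include is silently skipped and the makedev build failure this patch exists to fix remains. Confirm that the replace configure checks probe for that header (the upstream commit may rely on a pre-existing check) before treating the build as fixed. The header operands of the `#include` lines are not visible in this rendering, so this note goes by the commit description.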
@@ -0,0 +1,1731 @@ +From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 29 Dec 2016 14:00:36 +0100 +Subject: [PATCH 01/20] s4:gensec_gssapi: the value + gensec_get_target_principal() should overwrite gensec_get_target_hostname() + +If gensec_get_target_principal() has a value, we no longer have to verify +the gensec_get_target_hostname() value, it can be just an ipadress. + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04) +--- + source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------ + 1 file changed, 18 insertions(+), 6 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index a6c4019aa6f..3974c3d42a0 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + gss_buffer_desc name_token; + gss_OID name_type; + OM_uint32 maj_stat, min_stat; ++ const char *target_principal = NULL; + const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *realm = cli_credentials_get_realm(creds); ++ ++ target_principal = gensec_get_target_principal(gensec_security); ++ if (target_principal != NULL) { ++ goto do_start; ++ } + + if (!hostname) { + DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n")); +@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + return NT_STATUS_INVALID_PARAMETER; + } + ++do_start: ++ + nt_status = gensec_gssapi_start(gensec_security); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; +@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + gensec_gssapi_state->gss_want_flags &= 
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security); +- if (gensec_gssapi_state->target_principal) { ++ if (target_principal != NULL) { + name_type = GSS_C_NULL_OID; + } else { +- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s", +- gensec_get_target_service(gensec_security), +- hostname, cli_credentials_get_realm(creds)); +- ++ target_principal = talloc_asprintf(gensec_gssapi_state, ++ "%s/%s@%s", service, hostname, realm); ++ if (target_principal == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } + name_type = GSS_C_NT_USER_NAME; + } ++ gensec_gssapi_state->target_principal = target_principal; ++ + name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal); + name_token.length = strlen(gensec_gssapi_state->target_principal); + +-- +2.12.0 + + +From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 29 Dec 2016 15:20:00 +0100 +Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in + gensec_gssapi_client_start() + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46) +--- + source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 3974c3d42a0..957cfa4229d 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + return NT_STATUS_INVALID_PARAMETER; + } + ++ if (realm == NULL) { ++ const char *cred_name = cli_credentials_get_unparsed_name(creds, ++ gensec_security); ++ DEBUG(3, ("cli_credentials(%s) without realm, " ++ "cannot use kerberos for this connection %s/%s\n", ++ cred_name, service, hostname)); ++ 
talloc_free(discard_const_p(char, cred_name)); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ + do_start: + + nt_status = gensec_gssapi_start(gensec_security); +-- +2.12.0 + + +From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:13:09 +0100 +Subject: [PATCH 03/20] testprogs: Use smbclient by default in + test_kinit_trusts + +This is the tool we use by default and we should test with it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356) +--- + testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +index 073e0e7517e..040bf919203 100755 +--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh ++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then + samba4kinit=$samba4bindir/samba4kinit + fi + +-smbclient="$samba4bindir/smbclient4" ++smbclient="$samba4bindir/smbclient" + wbinfo="$samba4bindir/wbinfo" + rpcclient="$samba4bindir/rpcclient" + samba_tool="$samba4bindir/samba-tool" +-- +2.12.0 + + +From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:15:45 +0100 +Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed) +--- + testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +index 040bf919203..e67f77361a4 100755 
+--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh ++++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh +@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH + echo $TRUST_PASSWORD > $PREFIX/tmppassfile + testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` ++rm -rf $KRB5CCNAME_PATH ++ ++# Test with smbclient4 ++smbclient="$samba4bindir/smbclient4" ++testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` ++test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` ++rm -rf $KRB5CCNAME_PATH + + testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` ++smbclient="$samba4bindir/smbclient" + test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` + + if test x"${TYPE}" = x"forest" ;then +-- +2.12.0 + + +From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 10:40:08 +0100 +Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from + smb_krb5_get_realm_from_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b) +--- + lib/krb5_wrap/krb5_samba.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 10b42dec53f..9dc7304d566 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ 
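Review bot: The added `testit "kinit with password"` line reuses the exact name of the existing test a few lines above it, so a failure of the smbclient4 variant is indistinguishable from the original in the results; name it like its sibling test_smbclient call, e.g. `testit "kinit with password (smbclient4)" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1``. Everything else in the block follows the script's existing conventions.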
b/lib/krb5_wrap/krb5_samba.c +@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + goto out; + } + +- if (realm_list && realm_list[0]) { ++ if (realm_list != NULL && ++ realm_list[0] != NULL && ++ realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); + } + +-- +2.12.0 + + +From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 10:48:52 +0100 +Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the + service hostname + +If we do not get a realm mapping from the krb5.conf or from the Kerberos +library try to guess it from the service hostname. The guessing of the +realm from the service hostname is already implemented in Heimdal. This +makes the behavior of smb_krb5_get_realm_from_hostname() consistent +with both MIT and Heimdal. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68) +--- + lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 9dc7304d566..f8ef9f1df0f 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + realm_list[0] != NULL && + realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); ++ } else { ++ const char *p = NULL; ++ ++ /* ++ * "dc6.samba2003.example.com" ++ * returns a realm of "SAMBA2003.EXAMPLE.COM" ++ * ++ * "dc6." 
returns realm as NULL ++ */ ++ p = strchr_m(hostname, '.'); ++ if (p != NULL && p[1] != '\0') { ++ realm = talloc_strdup_upper(mem_ctx, p + 1); ++ } + } + + out: +-- +2.12.0 + + +From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:56:30 +0100 +Subject: [PATCH 07/20] krb5_wrap: pass client_realm to + smb_krb5_get_realm_from_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802) +--- + lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index f8ef9f1df0f..36bcc65e22a 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) + ************************************************************************/ + + static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, +- const char *hostname) ++ const char *hostname, ++ const char *client_realm) + { + #if defined(HAVE_KRB5_REALM_TYPE) + /* Heimdal. 
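Review bot: The hostname-to-realm fallback copies everything after the first '.' verbatim, so a fully-qualified name with a trailing dot (`dc6.samba2003.example.com.`) yields the realm `SAMBA2003.EXAMPLE.COM.`, which no KDC will recognise; strip a trailing '.' before the `talloc_strdup_upper` copy, or state in the comment that callers must not pass such names. The same heuristic turns a two-label name such as `host.local` into the realm `LOCAL`; if that is the intended best-effort behaviour it belongs in the comment block too, e.g. `* "host.local" returns a realm of "LOCAL" (best-effort guess)`. Whether any caller actually passes trailing-dot names I cannot tell from the hunk.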
*/ +@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + realm_list[0] != NULL && + realm_list[0][0] != '\0') { + realm = talloc_strdup(mem_ctx, realm_list[0]); ++ if (realm == NULL) { ++ goto out; ++ } + } else { + const char *p = NULL; + +@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + p = strchr_m(hostname, '.'); + if (p != NULL && p[1] != '\0') { + realm = talloc_strdup_upper(mem_ctx, p + 1); ++ if (realm == NULL) { ++ goto out; ++ } + } + } + ++ if (realm == NULL) { ++ realm = talloc_strdup(mem_ctx, client_realm); ++ } ++ + out: + + if (ctx) { +@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, + if (host) { + /* DNS name. */ + realm = smb_krb5_get_realm_from_hostname(talloc_tos(), +- remote_name); ++ remote_name, ++ default_realm); + } else { + /* NetBIOS name - use our realm. */ + realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); +-- +2.12.0 + + +From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:56:30 +0100 +Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname() + public + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7) +--- + lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++------- + lib/krb5_wrap/krb5_samba.h | 4 ++++ + 2 files changed, 25 insertions(+), 7 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 36bcc65e22a..2b0ec6bfa0e 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) + return realm; + } + +-/************************************************************************ +- 
Routine to get the realm from a given DNS name. +-************************************************************************/ +- +-static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, +- const char *hostname, +- const char *client_realm) ++/** ++ * @brief Get the realm from the service hostname. ++ * ++ * This function will look for a domain realm mapping in the [domain_realm] ++ * section of the krb5.conf first and fallback to extract the realm from ++ * the provided service hostname. As a last resort it will return the ++ * provided client_realm. ++ * ++ * @param[in] mem_ctx The talloc context ++ * ++ * @param[in] hostname The service hostname ++ * ++ * @param[in] client_realm If we can not find a mapping, fall back to ++ * this realm. ++ * ++ * @return The realm to use for the service hostname, NULL if a fatal error ++ * occured. ++ */ ++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, ++ const char *hostname, ++ const char *client_realm) + { + #if defined(HAVE_KRB5_REALM_TYPE) + /* Heimdal. 
*/ +diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index 71e81ea26e1..accae449a0e 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, + krb5_principal principal, + const char *realm); + ++char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, ++ const char *hostname, ++ const char *client_realm); ++ + char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, + const char *service, + const char *remote_name, +-- +2.12.0 + + +From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 09:19:13 +0100 +Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup + server_principal + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a) +--- + source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------ + source4/auth/gensec/gensec_gssapi.h | 2 +- + 2 files changed, 61 insertions(+), 29 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 957cfa4229d..ec57d193714 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st + return 0; + } + ++static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx, ++ const char *target_principal, ++ const char *service, ++ const char *hostname, ++ const char *realm, ++ const gss_OID mech, ++ char **pserver_principal, ++ gss_name_t *pserver_name) ++{ ++ char *server_principal = NULL; ++ gss_buffer_desc name_token; ++ gss_OID name_type; ++ OM_uint32 maj_stat, min_stat = 0; ++ ++ if (target_principal != NULL) { ++ 
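Review bot: The `@return` line of the new doc comment says NULL means a fatal error, but after the fallback added in patch 07/20 (`realm = talloc_strdup(mem_ctx, client_realm);`) the function also returns NULL when no mapping was found and client_realm itself is NULL, and the callers added in later patches turn every NULL into NT_STATUS_NO_MEMORY. Say so, e.g. `* @return The realm to use for the service hostname; NULL on allocation failure or when no mapping exists and client_realm is NULL.`, and fix the spelling of "occured" while touching the line.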
server_principal = talloc_strdup(mem_ctx, target_principal); ++ name_type = GSS_C_NULL_OID; ++ } else { ++ server_principal = talloc_asprintf(mem_ctx, ++ "%s/%s@%s", ++ service, hostname, realm); ++ name_type = GSS_C_NT_USER_NAME; ++ } ++ if (server_principal == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ name_token.value = (uint8_t *)server_principal; ++ name_token.length = strlen(server_principal); ++ ++ maj_stat = gss_import_name(&min_stat, ++ &name_token, ++ name_type, ++ pserver_name); ++ if (maj_stat) { ++ DBG_WARNING("GSS Import name of %s failed: %s\n", ++ server_principal, ++ gssapi_error_string(mem_ctx, ++ maj_stat, ++ min_stat, ++ mech)); ++ TALLOC_FREE(server_principal); ++ return NT_STATUS_INVALID_PARAMETER; ++ } ++ ++ *pserver_principal = server_principal; ++ ++ return NT_STATUS_OK; ++} ++ + static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) + { + struct gensec_gssapi_state *gensec_gssapi_state; +@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi + struct gensec_gssapi_state *gensec_gssapi_state; + struct cli_credentials *creds = gensec_get_credentials(gensec_security); + NTSTATUS nt_status; +- gss_buffer_desc name_token; +- gss_OID name_type; +- OM_uint32 maj_stat, min_stat; + const char *target_principal = NULL; + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); +@@ -353,31 +400,16 @@ do_start: + gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- if (target_principal != NULL) { +- name_type = GSS_C_NULL_OID; +- } else { +- target_principal = talloc_asprintf(gensec_gssapi_state, +- "%s/%s@%s", service, hostname, realm); +- if (target_principal == NULL) { +- return NT_STATUS_NO_MEMORY; +- } +- name_type = GSS_C_NT_USER_NAME; +- } +- gensec_gssapi_state->target_principal = target_principal; +- +- name_token.value = discard_const_p(uint8_t, 
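Review bot: gensec_gssapi_setup_server_principal has no contract comment although it hands two resources back to the caller: on success `*pserver_principal` is a string talloc'd on mem_ctx and `*pserver_name` is an imported GSS name the caller must eventually `gss_release_name`; on failure `*pserver_principal` is left untouched while `*pserver_name` holds whatever gss_import_name left there. A short header comment stating this, and that `service`, `hostname` and `realm` are ignored when `target_principal` is non-NULL, would keep the call sites added in later patches from guessing. On the failure path the message from `gssapi_error_string(mem_ctx, ...)` is presumably talloc'd on mem_ctx, which at the call sites is the long-lived gensec_gssapi_state, so each failed import leaves that string allocated until the state is freed; a temporary context (or `talloc_tos()`, if this file uses the talloc stack) for the message would avoid that. Patch 13/20 adds the same body again as gse_setup_server_principal in source3, so any change here should be mirrored there.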
gensec_gssapi_state->target_principal); +- name_token.length = strlen(gensec_gssapi_state->target_principal); +- +- +- maj_stat = gss_import_name (&min_stat, +- &name_token, +- name_type, +- &gensec_gssapi_state->server_name); +- if (maj_stat) { +- DEBUG(2, ("GSS Import name of %s failed: %s\n", +- (char *)name_token.value, +- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); +- return NT_STATUS_INVALID_PARAMETER; ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; + } + + return NT_STATUS_OK; +diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h +index cf0e3a8d914..d788b5ebc38 100644 +--- a/source4/auth/gensec/gensec_gssapi.h ++++ b/source4/auth/gensec/gensec_gssapi.h +@@ -65,5 +65,5 @@ struct gensec_gssapi_state { + int gss_exchange_count; + size_t sig_size; + +- const char *target_principal; ++ char *target_principal; + }; +-- +2.12.0 + + +From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 12:34:59 +0100 +Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to + update function + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6) +--- + source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++------------- + 1 file changed, 20 insertions(+), 13 deletions(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index ec57d193714..6cb4431e0d9 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ 
b/source4/auth/gensec/gensec_gssapi.c +@@ -400,18 +400,6 @@ do_start: + gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); + } + +- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, +- target_principal, +- service, +- hostname, +- realm, +- gensec_gssapi_state->gss_oid, +- &gensec_gssapi_state->target_principal, +- &gensec_gssapi_state->server_name); +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- + return NT_STATUS_OK; + } + +@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + OM_uint32 min_stat2; + gss_buffer_desc input_token = { 0, NULL }; + gss_buffer_desc output_token = { 0, NULL }; +- ++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *target_principal = gensec_get_target_principal(gensec_security); ++ const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *client_realm = cli_credentials_get_realm(cli_creds); + gss_OID gss_oid_p = NULL; + OM_uint32 time_req = 0; + OM_uint32 time_rec = 0; +@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + return NT_STATUS_INTERNAL_ERROR; + } + #endif ++ ++ if (gensec_gssapi_state->server_name == NULL) { ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ client_realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ } ++ + maj_stat = gss_init_sec_context(&min_stat, + gensec_gssapi_state->client_cred->creds, + &gensec_gssapi_state->gssapi_context, +-- +2.12.0 + + +From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 11:03:17 +0100 +Subject: [PATCH 11/20] 
s4:gensec_gssapi: Use + smb_krb5_get_realm_from_hostname() + +With credentials for administrator@FOREST1.EXAMPLE.COM +this patch changes the target_principal for +the ldap service of host dc2.forest2.example.com +from + + ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM + +to + + ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM + +Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM +should be used in order to allow the KDC of FOREST1.EXAMPLE.COM +to generate a referral ticket for +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. + +The problem is that KDCs only return such referral tickets +if there's a forest trust between FOREST1.EXAMPLE.COM +and FOREST2.EXAMPLE.COM. If there's only an external domain +trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM +the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN +when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. + +In the case of an external trust the client can still ask +explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +and the KDC of FOREST1.EXAMPLE.COM will generate it. + +From there the client can use the +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +ticket and ask a KDC of FOREST2.EXAMPLE.COM for a +service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. + +With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior +when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as +target principal. As _krb5_get_cred_kdc_any() first calls +get_cred_kdc_referral() (which always starts with the client realm) +and falls back to get_cred_kdc_capath() (which starts with the given realm). + +MIT krb5 only tries the given realm of the target principal, +if we want to autodetect support for transitive forest trusts, +we'll have to do the fallback ourself. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd) +--- + source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 61 insertions(+), 1 deletion(-) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 6cb4431e0d9..57392a04e60 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *client_realm = cli_credentials_get_realm(cli_creds); ++ const char *server_realm = NULL; + gss_OID gss_oid_p = NULL; + OM_uint32 time_req = 0; + OM_uint32 time_rec = 0; +@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + } + #endif + ++ /* ++ * With credentials for ++ * administrator@FOREST1.EXAMPLE.COM this patch changes ++ * the target_principal for the ldap service of host ++ * dc2.forest2.example.com from ++ * ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * ++ * to ++ * ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM ++ * ++ * Typically ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * should be used in order to allow the KDC of ++ * FOREST1.EXAMPLE.COM to generate a referral ticket ++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. ++ * ++ * The problem is that KDCs only return such referral ++ * tickets if there's a forest trust between ++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. 
If ++ * there's only an external domain trust between ++ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC ++ * of FOREST1.EXAMPLE.COM will respond with ++ * S_PRINCIPAL_UNKNOWN when being asked for ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. ++ * ++ * In the case of an external trust the client can ++ * still ask explicitly for ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and ++ * the KDC of FOREST1.EXAMPLE.COM will generate it. ++ * ++ * From there the client can use the ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ++ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a ++ * service ticket for ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. ++ * ++ * With Heimdal we'll get the fallback on ++ * S_PRINCIPAL_UNKNOWN behavior when we pass ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as ++ * target principal. As _krb5_get_cred_kdc_any() first ++ * calls get_cred_kdc_referral() (which always starts ++ * with the client realm) and falls back to ++ * get_cred_kdc_capath() (which starts with the given ++ * realm). ++ * ++ * MIT krb5 only tries the given realm of the target ++ * principal, if we want to autodetect support for ++ * transitive forest trusts, would have to do the ++ * fallback ourself. 
++ */ + if (gensec_gssapi_state->server_name == NULL) { ++ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, ++ hostname, ++ client_realm); ++ if (server_realm == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ + nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, + target_principal, + service, + hostname, +- client_realm, ++ server_realm, + gensec_gssapi_state->gss_oid, + &gensec_gssapi_state->target_principal, + &gensec_gssapi_state->server_name); +-- +2.12.0 + + +From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 8 Mar 2017 13:10:05 +0100 +Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with + MIT + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab) +--- + source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + +diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c +index 57392a04e60..61911aae9d9 100644 +--- a/source4/auth/gensec/gensec_gssapi.c ++++ b/source4/auth/gensec/gensec_gssapi.c +@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: + { ++ bool fallback = false; + #ifdef SAMBA4_USES_HEIMDAL + struct gsskrb5_send_to_kdc send_to_kdc; + krb5_error_code ret; +@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + * transitive forest trusts, would have to do the + * fallback ourself. 
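Review bot: The realm lookup added here hands `hostname` to smb_krb5_get_realm_from_hostname() before anything checks it, and in the target_principal path hostname may be NULL: gensec_gssapi_client_start (patch 01/20) jumps to `do_start` past its `if (!hostname)` check whenever gensec_get_target_principal() is set, and the fallback inside smb_krb5_get_realm_from_hostname() (patch 06/20) calls `strchr_m(hostname, '.')` on that value; the library realm lookup that precedes it is outside the hunk, so I cannot say whether it rejects NULL first. Since gensec_gssapi_setup_server_principal ignores service, hostname and realm when target_principal is non-NULL, the lookup is only needed in the other case: wrap it and its NULL check in `if (target_principal == NULL) { ... }` and pass the possibly-NULL server_realm through. The same path also bypasses the `realm == NULL` check that patch 02/20 placed before `do_start:`, and with a NULL client_realm the final `talloc_strdup(mem_ctx, client_realm)` fallback from patch 07/20 returns NULL, which this code reports as NT_STATUS_NO_MEMORY rather than as a configuration problem. After patch 12/20 the MIT branch jumps past this block when target_principal is set, so the remaining exposure is the Heimdal build.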
+ */ ++#ifndef SAMBA4_USES_HEIMDAL ++ if (gensec_gssapi_state->server_name == NULL) { ++ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, ++ target_principal, ++ service, ++ hostname, ++ client_realm, ++ gensec_gssapi_state->gss_oid, ++ &gensec_gssapi_state->target_principal, ++ &gensec_gssapi_state->server_name); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ ++ maj_stat = gss_init_sec_context(&min_stat, ++ gensec_gssapi_state->client_cred->creds, ++ &gensec_gssapi_state->gssapi_context, ++ gensec_gssapi_state->server_name, ++ gensec_gssapi_state->gss_oid, ++ gensec_gssapi_state->gss_want_flags, ++ time_req, ++ gensec_gssapi_state->input_chan_bindings, ++ &input_token, ++ &gss_oid_p, ++ &output_token, ++ &gensec_gssapi_state->gss_got_flags, /* ret flags */ ++ &time_rec); ++ if (maj_stat != GSS_S_FAILURE) { ++ goto init_sec_context_done; ++ } ++ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { ++ goto init_sec_context_done; ++ } ++ if (target_principal != NULL) { ++ goto init_sec_context_done; ++ } ++ ++ fallback = true; ++ TALLOC_FREE(gensec_gssapi_state->target_principal); ++ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name); ++ } ++#endif /* !SAMBA4_USES_HEIMDAL */ + if (gensec_gssapi_state->server_name == NULL) { + server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, + hostname, +@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + return NT_STATUS_NO_MEMORY; + } + ++ if (fallback && ++ strequal(client_realm, server_realm)) { ++ goto init_sec_context_done; ++ } ++ + nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, + target_principal, + service, +@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, + &output_token, + &gensec_gssapi_state->gss_got_flags, /* ret flags */ + &time_rec); ++ goto init_sec_context_done; ++ /* JUMP! 
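Review bot: The MIT fallback retries `gss_init_sec_context` without clearing what the first attempt may have left behind: `output_token`, `gss_oid_p` and `gensec_gssapi_state->gssapi_context` are passed to the second call as-is, while only `target_principal` and `server_name` are released. A first-call failure is expected to leave the context at GSS_C_NO_CONTEXT and the token empty, but the code should not rely on that silently; add `gss_release_buffer(&min_stat2, &output_token);` next to the `gss_release_name` call and, if a non-empty context is ever observed here, `gss_delete_sec_context` it before the retry. The fallback also keys on `min_stat` being the raw `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN` code, which holds for MIT's krb5 mechanism and is correctly confined to the `#ifndef SAMBA4_USES_HEIMDAL` block; a one-line comment saying why that comparison is valid here would help the next reader. The enclosing `switch` in gensec_gssapi_update starts outside the hunk.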
*/ ++init_sec_context_done: + if (gss_oid_p) { + gensec_gssapi_state->gss_oid = gss_oid_p; + } +-- +2.12.0 + + +From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 07:54:29 +0100 +Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname() + +With credentials for administrator@FOREST1.EXAMPLE.COM +this patch changes the target_principal for +the ldap service of host dc2.forest2.example.com +from + + ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM + +to + + ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM + +Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM +should be used in order to allow the KDC of FOREST1.EXAMPLE.COM +to generate a referral ticket for +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. + +The problem is that KDCs only return such referral tickets +if there's a forest trust between FOREST1.EXAMPLE.COM +and FOREST2.EXAMPLE.COM. If there's only an external domain +trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM +the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN +when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. + +In the case of an external trust the client can still ask +explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +and the KDC of FOREST1.EXAMPLE.COM will generate it. + +From there the client can use the +krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM +ticket and ask a KDC of FOREST2.EXAMPLE.COM for a +service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. + +With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior +when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as +target principal. As _krb5_get_cred_kdc_any() first calls +get_cred_kdc_referral() (which always starts with the client realm) +and falls back to get_cred_kdc_capath() (which starts with the given realm). 
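Review bot: The `goto init_sec_context_done; /* JUMP! */` immediately precedes the `init_sec_context_done:` label it targets, so it is a no-op jump that only confuses the reader; drop the goto and its comment and keep the label. The label remains referenced by the `strequal` guard in the previous hunk and by the `#ifndef SAMBA4_USES_HEIMDAL` block, so nothing else needs to change.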
+
+MIT krb5 only tries the given realm of the target principal,
+if we want to autodetect support for transitive forest trusts,
+we'll have to do the fallback ourself.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554
+
+Pair-Programmed-With: Stefan Metzmacher
+
+Signed-off-by: Andreas Schneider
+Signed-off-by: Stefan Metzmacher
+(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34)
+---
+ source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 68 insertions(+), 25 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index abf20bc7dfd..57632f6cc8f 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr)
+ return 0;
+ }
+
++static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx,
++ const char *target_principal,
++ const char *service,
++ const char *hostname,
++ const char *realm,
++ char **pserver_principal,
++ gss_name_t *pserver_name)
++{
++ char *server_principal = NULL;
++ gss_buffer_desc name_token;
++ gss_OID name_type;
++ OM_uint32 maj_stat, min_stat = 0;
++
++ if (target_principal != NULL) {
++ server_principal = talloc_strdup(mem_ctx, target_principal);
++ name_type = GSS_C_NULL_OID;
++ } else {
++ server_principal = talloc_asprintf(mem_ctx,
++ "%s/%s@%s",
++ service,
++ hostname,
++ realm);
++ name_type = GSS_C_NT_USER_NAME;
++ }
++ if (server_principal == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ name_token.value = (uint8_t *)server_principal;
++ name_token.length = strlen(server_principal);
++
++ maj_stat = gss_import_name(&min_stat,
++ &name_token,
++ name_type,
++ pserver_name);
++ if (maj_stat) {
++ DBG_WARNING("GSS Import name of %s failed: %s\n",
++ server_principal,
++ gse_errstr(mem_ctx, maj_stat, min_stat));
++ TALLOC_FREE(server_principal);
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ *pserver_principal = server_principal;
++
++ return
NT_STATUS_OK;
++}
++
+ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ bool do_sign, bool do_seal,
+ const char *ccache_name,
+@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+ {
+ struct gse_context *gse_ctx;
+ OM_uint32 gss_maj, gss_min;
+- gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER;
+ #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X);
+ #endif
++ char *server_principal = NULL;
++ char *server_realm = NULL;
+ NTSTATUS status;
+
+ if (!server || !service) {
+@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+
+ /* Guess the realm based on the supplied service, and avoid the GSS libs
+ doing DNS lookups which may fail.
+-
+ TODO: Loop with the KDC on some more combinations (local
+ realm in particular), possibly falling back to
+ GSS_C_NT_HOSTBASED_SERVICE
+ */
+- name_buffer.value =
+- smb_krb5_get_principal_from_service_hostname(gse_ctx,
+- service,
+- server,
+- realm);
+- if (!name_buffer.value) {
+- status = NT_STATUS_NO_MEMORY;
+- goto err_out;
++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
++ server,
++ realm);
++ if (server_realm == NULL) {
++ return NT_STATUS_NO_MEMORY;
+ }
+- name_buffer.length = strlen((char *)name_buffer.value);
+- gss_maj = gss_import_name(&gss_min, &name_buffer,
+- GSS_C_NT_USER_NAME,
+- &gse_ctx->server_name);
+- if (gss_maj) {
+- DEBUG(5, ("gss_import_name failed for %s, with [%s]\n",
+- (char *)name_buffer.value,
+- gse_errstr(gse_ctx, gss_maj, gss_min)));
+- status = NT_STATUS_INTERNAL_ERROR;
+- goto err_out;
++
++ status = gse_setup_server_principal(mem_ctx,
++ NULL,
++ service,
++ server,
++ server_realm,
++ &server_principal,
++ &gse_ctx->server_name);
++ TALLOC_FREE(server_realm);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+
+ /* TODO: get krb5 ticket using username/password, if no valid
+@@ -299,11 +342,11 @@ static NTSTATUS
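Review bot: gse_setup_server_principal (hunk -120) has no header comment, and its contract is not obvious from the signature: `*pserver_principal` is talloc'd on mem_ctx and assigned only on success (on gss_import_name failure the string is freed here and the out-pointer is left untouched), `*pserver_name` is a GSS name the caller has to release with gss_release_name(), and a caller-supplied target_principal is imported as-is under GSS_C_NULL_OID whereas the service/hostname/realm form is imported as GSS_C_NT_USER_NAME. A short block comment above the definition stating those points would save the next reader tracing the callers. The warning on import failure also prints the full principal string, which is fine for diagnostics but worth knowing when these logs are shipped off-host.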
gse_init_client(TALLOC_CTX *mem_ctx, + #endif + + *_gse_ctx = gse_ctx; +- TALLOC_FREE(name_buffer.value); ++ TALLOC_FREE(server_principal); + return NT_STATUS_OK; + + err_out: +- TALLOC_FREE(name_buffer.value); ++ TALLOC_FREE(server_principal); + TALLOC_FREE(gse_ctx); + return status; + } +-- +2.12.0 + + +From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 09:10:12 +0100 +Subject: [PATCH 14/20] krb5_wrap: Remove obsolete + smb_krb5_get_principal_from_service_hostname() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0) +--- + lib/krb5_wrap/krb5_samba.c | 111 --------------------------------------------- + lib/krb5_wrap/krb5_samba.h | 5 -- + 2 files changed, 116 deletions(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 2b0ec6bfa0e..0b67ea52a19 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, + } + + +-/************************************************************************ +- Routine to get the default realm from the kerberos credentials cache. +- Caller must free if the return value is not NULL. 
+-************************************************************************/ +- +-static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) +-{ +- char *realm = NULL; +- krb5_context ctx = NULL; +- krb5_ccache cc = NULL; +- krb5_principal princ = NULL; +- +- initialize_krb5_error_table(); +- if (krb5_init_context(&ctx)) { +- return NULL; +- } +- +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "Trying to read krb5 cache: %s\n", +- krb5_cc_default_name(ctx))); +- if (krb5_cc_default(ctx, &cc)) { +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "failed to read default cache\n")); +- goto out; +- } +- if (krb5_cc_get_principal(ctx, cc, &princ)) { +- DEBUG(5,("kerberos_get_default_realm_from_ccache: " +- "failed to get default principal\n")); +- goto out; +- } +- +-#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM) +- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ)); +-#elif defined(HAVE_KRB5_PRINC_REALM) +- { +- krb5_data *realm_data = krb5_princ_realm(ctx, princ); +- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length); +- } +-#endif +- +- out: +- +- if (ctx) { +- if (princ) { +- krb5_free_principal(ctx, princ); +- } +- if (cc) { +- krb5_cc_close(ctx, cc); +- } +- krb5_free_context(ctx); +- } +- +- return realm; +-} +- + /** + * @brief Get the realm from the service hostname. + * +@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + } + + /** +- * @brief Get the principal as a string from the service hostname. +- * +- * @param[in] mem_ctx The talloc context +- * +- * @param[in] service The service name +- * +- * @param[in] remote_name The remote name +- * +- * @param[in] default_realm The default_realm if we cannot get it from the +- * hostname or netbios name. +- * +- * @return A talloc'ed principal string or NULL if an error occured. +- * +- * The caller needs to free the principal with talloc_free() if it isn't needed +- * anymore. 
+- */ +-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, +- const char *service, +- const char *remote_name, +- const char *default_realm) +-{ +- char *realm = NULL; +- char *host = NULL; +- char *principal; +- host = strchr_m(remote_name, '.'); +- if (host) { +- /* DNS name. */ +- realm = smb_krb5_get_realm_from_hostname(talloc_tos(), +- remote_name, +- default_realm); +- } else { +- /* NetBIOS name - use our realm. */ +- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); +- } +- +- if (realm == NULL || *realm == '\0') { +- realm = talloc_strdup(talloc_tos(), default_realm); +- if (!realm) { +- return NULL; +- } +- DEBUG(3,("Cannot get realm from, " +- "desthost %s or default ccache. Using default " +- "smb.conf realm %s\n", +- remote_name, +- realm)); +- } +- +- principal = talloc_asprintf(mem_ctx, +- "%s/%s@%s", +- service, remote_name, +- realm); +- TALLOC_FREE(realm); +- return principal; +-} +- +-/** + * @brief Get an error string from a Kerberos error code. + * + * @param[in] context The library context. 
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h +index accae449a0e..c921538efcb 100644 +--- a/lib/krb5_wrap/krb5_samba.h ++++ b/lib/krb5_wrap/krb5_samba.h +@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, + const char *hostname, + const char *client_realm); + +-char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, +- const char *service, +- const char *remote_name, +- const char *default_realm); +- + char *smb_get_krb5_error_message(krb5_context context, + krb5_error_code code, + TALLOC_CTX *mem_ctx); +-- +2.12.0 + + +From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 6 Mar 2017 08:16:11 +0100 +Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc) +--- + source3/librpc/crypto/gse.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 57632f6cc8f..5a39522a828 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -352,10 +352,13 @@ err_out: + } + + static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, +- struct gse_context *gse_ctx, ++ struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) + { ++ struct gse_context *gse_ctx = ++ talloc_get_type_abort(gensec_security->private_data, ++ struct gse_context); + OM_uint32 gss_maj, gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; +@@ -542,10 +545,13 @@ done: + } + + static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, +- struct gse_context *gse_ctx, ++ struct gensec_security *gensec_security, + const DATA_BLOB *token_in, + DATA_BLOB *token_out) + 
{ ++ struct gse_context *gse_ctx = ++ talloc_get_type_abort(gensec_security->private_data, ++ struct gse_context); + OM_uint32 gss_maj, gss_min; + gss_buffer_desc in_data; + gss_buffer_desc out_data; +@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security, + const DATA_BLOB in, DATA_BLOB *out) + { + NTSTATUS status; +- struct gse_context *gse_ctx = +- talloc_get_type_abort(gensec_security->private_data, +- struct gse_context); + + switch (gensec_security->gensec_role) { + case GENSEC_CLIENT: +- status = gse_get_client_auth_token(mem_ctx, gse_ctx, ++ status = gse_get_client_auth_token(mem_ctx, ++ gensec_security, + &in, out); + break; + case GENSEC_SERVER: +- status = gse_get_server_auth_token(mem_ctx, gse_ctx, ++ status = gse_get_server_auth_token(mem_ctx, ++ gensec_security, + &in, out); + break; + } +-- +2.12.0 + + +From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:05:26 +0100 +Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update + function + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf) +--- + source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------ + 1 file changed, 71 insertions(+), 26 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 5a39522a828..3580181061e 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); + #endif +- char *server_principal = NULL; +- char *server_realm = NULL; + NTSTATUS status; + + if (!server || !service) { +@@ -270,28 +268,6 @@ static NTSTATUS 
gse_init_client(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- /* Guess the realm based on the supplied service, and avoid the GSS libs +- doing DNS lookups which may fail. +- */ +- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, +- server, +- realm); +- if (server_realm == NULL) { +- return NT_STATUS_NO_MEMORY; +- } +- +- status = gse_setup_server_principal(mem_ctx, +- NULL, +- service, +- server, +- server_realm, +- &server_principal, +- &gse_ctx->server_name); +- TALLOC_FREE(server_realm); +- if (!NT_STATUS_IS_OK(status)) { +- return status; +- } +- + /* TODO: get krb5 ticket using username/password, if no valid + * one already available in ccache */ + +@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + #endif + + *_gse_ctx = gse_ctx; +- TALLOC_FREE(server_principal); + return NT_STATUS_OK; + + err_out: +- TALLOC_FREE(server_principal); + TALLOC_FREE(gse_ctx); + return status; + } +@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + NTSTATUS status; + OM_uint32 time_rec = 0; + struct timeval tv; ++ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *hostname = gensec_get_target_hostname(gensec_security); ++ const char *service = gensec_get_target_service(gensec_security); ++ const char *client_realm = cli_credentials_get_realm(cli_creds); ++ char *server_principal = NULL; ++ char *server_realm = NULL; + + in_data.value = token_in->data; + in_data.length = token_in->length; + ++ /* ++ * With credentials for administrator@FOREST1.EXAMPLE.COM this patch ++ * changes the target_principal for the ldap service of host ++ * dc2.forest2.example.com from ++ * ++ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM ++ * ++ * to ++ * ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM ++ * ++ * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be ++ * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a ++ * referral 
ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. ++ * ++ * The problem is that KDCs only return such referral tickets if ++ * there's a forest trust between FOREST1.EXAMPLE.COM and ++ * FOREST2.EXAMPLE.COM. If there's only an external domain trust ++ * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of ++ * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being ++ * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. ++ * ++ * In the case of an external trust the client can still ask explicitly ++ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of ++ * FOREST1.EXAMPLE.COM will generate it. ++ * ++ * From there the client can use the ++ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC ++ * of FOREST2.EXAMPLE.COM for a service ticket for ++ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. ++ * ++ * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior ++ * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as ++ * target principal. As _krb5_get_cred_kdc_any() first calls ++ * get_cred_kdc_referral() (which always starts with the client realm) ++ * and falls back to get_cred_kdc_capath() (which starts with the given ++ * realm). ++ * ++ * MIT krb5 only tries the given realm of the target principal, if we ++ * want to autodetect support for transitive forest trusts, would have ++ * to do the fallback ourself. 
++ */ ++ if (gse_ctx->server_name == NULL) { ++ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, ++ hostname, ++ client_realm); ++ if (server_realm == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ status = gse_setup_server_principal(mem_ctx, ++ NULL, ++ service, ++ hostname, ++ server_realm, ++ &server_principal, ++ &gse_ctx->server_name); ++ TALLOC_FREE(server_realm); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ TALLOC_FREE(server_principal); ++ } ++ + gss_maj = gss_init_sec_context(&gss_min, + gse_ctx->creds, + &gse_ctx->gssapi_context, +-- +2.12.0 + + +From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:11:07 +0100 +Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we + should use + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74) +--- + source3/librpc/crypto/gse.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 3580181061e..721fd8c1625 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + OM_uint32 time_rec = 0; + struct timeval tv; + struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); ++ const char *target_principal = gensec_get_target_principal(gensec_security); + const char *hostname = gensec_get_target_hostname(gensec_security); + const char *service = gensec_get_target_service(gensec_security); + const char *client_realm = cli_credentials_get_realm(cli_creds); +@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + } + + status = gse_setup_server_principal(mem_ctx, +- NULL, ++ target_principal, + 
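Review bot: The long comment inserted above the server_name setup in hunk -366 is written in commit-message voice — `* With credentials for administrator@FOREST1.EXAMPLE.COM this patch changes the target_principal ...` — which stops making sense once the patch is merged history. Rephrase the opening to describe what the code does, e.g. `* With credentials for administrator@FOREST1.EXAMPLE.COM the target principal for the ldap service of host dc2.forest2.example.com is built as ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM, not ...@FOREST1.EXAMPLE.COM.`, and keep the rest of the explanation as is. gse_get_client_auth_token begins outside the hunk.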
service, + hostname, + server_realm, +-- +2.12.0 + + +From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 9 Mar 2017 08:18:27 +0100 +Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3) +--- + source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index 721fd8c1625..3abf774633b 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + const char *client_realm = cli_credentials_get_realm(cli_creds); + char *server_principal = NULL; + char *server_realm = NULL; ++ bool fallback = false; + + in_data.value = token_in->data; + in_data.length = token_in->length; +@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, + * want to autodetect support for transitive forest trusts, would have + * to do the fallback ourself. 
+ */
++#ifndef SAMBA4_USES_HEIMDAL
++ if (gse_ctx->server_name == NULL) {
++ OM_uint32 gss_min2 = 0;
++
++ status = gse_setup_server_principal(mem_ctx,
++ target_principal,
++ service,
++ hostname,
++ client_realm,
++ &server_principal,
++ &gse_ctx->server_name);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ gss_maj = gss_init_sec_context(&gss_min,
++ gse_ctx->creds,
++ &gse_ctx->gssapi_context,
++ gse_ctx->server_name,
++ &gse_ctx->gss_mech,
++ gse_ctx->gss_want_flags,
++ 0,
++ GSS_C_NO_CHANNEL_BINDINGS,
++ &in_data,
++ NULL,
++ &out_data,
++ &gse_ctx->gss_got_flags,
++ &time_rec);
++ if (gss_maj != GSS_S_FAILURE) {
++ goto init_sec_context_done;
++ }
++ if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) {
++ goto init_sec_context_done;
++ }
++ if (target_principal != NULL) {
++ goto init_sec_context_done;
++ }
++
++ fallback = true;
++ TALLOC_FREE(server_principal);
++ gss_release_name(&gss_min2, &gse_ctx->server_name);
++ }
++#endif /* !SAMBA4_USES_HEIMDAL */
++
+ if (gse_ctx->server_name == NULL) {
+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx,
+ hostname,
+@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
++ if (fallback &&
++ strequal(client_realm, server_realm)) {
++ goto init_sec_context_done;
++ }
++
+ status = gse_setup_server_principal(mem_ctx,
+ target_principal,
+ service,
+@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
+ 0, GSS_C_NO_CHANNEL_BINDINGS,
+ &in_data, NULL, &out_data,
+ &gse_ctx->gss_got_flags, &time_rec);
++ goto init_sec_context_done;
++ /* JUMP!
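Review bot: In hunk -393 `&gse_ctx->gssapi_context` is handed to gss_init_sec_context() a second time when the fallback is taken, and nothing checks that the failed first call left the handle at GSS_C_NO_CONTEXT; if the mechanism keeps a partially built context on GSS_S_FAILURE, the retry is interpreted as a continuation of the old exchange rather than a fresh initial call. I would either assert the handle is GSS_C_NO_CONTEXT before retrying or call gss_delete_sec_context() on it, and release any error token the first call may have left in `out_data` before it is overwritten. The context comment just above this block still says MIT "would have to do the fallback ourself", which this block now does, so that sentence should be updated in the same change. gse_get_client_auth_token begins outside the hunk.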
*/ ++init_sec_context_done: ++ + switch (gss_maj) { + case GSS_S_COMPLETE: + /* we are done with it */ +-- +2.12.0 + + +From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sun, 29 Jan 2017 17:19:14 +0100 +Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal + based referral detection + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0) +--- + source4/heimdal/kdc/default_config.c | 1 + + source4/heimdal/kdc/kdc.h | 2 ++ + source4/heimdal/kdc/krb5tgs.c | 4 +++- + 3 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c +index 6fbf5fdae15..0129c5d3c54 100644 +--- a/source4/heimdal/kdc/default_config.c ++++ b/source4/heimdal/kdc/default_config.c +@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) + c->preauth_use_strongest_session_key = FALSE; + c->tgs_use_strongest_session_key = FALSE; + c->use_strongest_server_key = TRUE; ++ c->autodetect_referrals = TRUE; + c->check_ticket_addresses = TRUE; + c->allow_null_ticket_addresses = TRUE; + c->allow_anonymous = FALSE; +diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h +index 9d52fd4c2ec..16263d6919b 100644 +--- a/source4/heimdal/kdc/kdc.h ++++ b/source4/heimdal/kdc/kdc.h +@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration { + krb5_boolean allow_anonymous; + enum krb5_kdc_trpolicy trpolicy; + ++ krb5_boolean autodetect_referrals; ++ + krb5_boolean enable_pkinit; + krb5_boolean pkinit_princ_in_cert; + const char *pkinit_kdc_identity; +diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c +index 334a6eb1dc8..a888788bb6f 100644 +--- a/source4/heimdal/kdc/krb5tgs.c ++++ b/source4/heimdal/kdc/krb5tgs.c +@@ -1660,7 +1660,9 @@ server_lookup: + Realm 
req_rlm; + krb5_realm *realms; + +- if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { ++ if (!config->autodetect_referrals) { ++ /* noop */ ++ } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { + if(nloop++ < 2) { + new_rlm = find_rpath(context, tgt->crealm, req_rlm); + if(new_rlm) { +-- +2.12.0 + + +From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sun, 29 Jan 2017 17:20:09 +0100 +Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral + detection + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d) +--- + source4/kdc/kdc-heimdal.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c +index f2927e5cb9f..061296a4f40 100644 +--- a/source4/kdc/kdc-heimdal.c ++++ b/source4/kdc/kdc-heimdal.c +@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task) + kdc_config->tgs_use_strongest_session_key = false; + kdc_config->use_strongest_server_key = true; + ++ kdc_config->autodetect_referrals = false; ++ + /* Register hdb-samba4 hooks for use as a keytab */ + + kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context); +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch new file mode 100644 index 0000000..dbce123 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch 
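Review bot: `/* noop */` in the krb5tgs.c hunk says what the empty branch does but not why it exists; as far as I can tell it is there so that the whole else-if chain after it is skipped when referral detection is off, and a comment stating that — `/* referral autodetection disabled: leave the requested server principal untouched */` — would keep the next reader from "simplifying" it into a `&&` and changing the chain's behaviour. I cannot see the rest of the chain, so confirm that skipping all of it is the intent. The new `autodetect_referrals` field added in kdc.h has no comment either; a one-liner saying it gates the krbtgt-based referral detection in the TGS path would help.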
@@ -0,0 +1,39 @@
+From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 20 Mar 2017 16:08:20 +0100
+Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Ralph Boehme
+---
+ source3/libsmb/cliconnect.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 029c3d4760e..93f873079db 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
+ 0 /* no time correction for now */,
+ NULL);
+ if (ret != 0) {
+- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
+- user_principal, target_hostname,
+- error_message(ret)));
++ int dbglvl = DBGLVL_WARNING;
++
++ if (krb5_state == CRED_MUST_USE_KERBEROS) {
++ dbglvl = DBGLVL_ERR;
++ }
++
++ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
++ user_principal, target_hostname,
++ error_message(ret)));
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ TALLOC_FREE(frame);
+ return krb5_to_nt_status(ret);
+--
+2.12.0
+
diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
new file mode 100644
index 0000000..6d96e52
--- /dev/null
+++ b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch
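Review bot: `krb5_state == CRED_MUST_USE_KERBEROS` is now evaluated twice in a row — once to pick `dbglvl` and again directly after the DEBUG to decide whether to return — so the two decisions can drift apart in a later edit; `bool must_use_krb5 = (krb5_state == CRED_MUST_USE_KERBEROS);` above, `int dbglvl = must_use_krb5 ? DBGLVL_ERR : DBGLVL_WARNING;`, and `if (must_use_krb5) {` for the return keeps them tied together. When Kerberos is not mandatory the connection presumably continues with another mechanism, and the warning text does not say so; appending something like ", continuing without Kerberos" to the non-mandatory variant would make the downgrade visible in logs. cli_session_creds_prepare_krb5 begins and ends outside the hunk.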
@@ -0,0 +1,293 @@ +From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 17:30:37 +0100 +Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters + +The old behaviour is: + + for var in $* + do + echo "$var" + done + +And you get this: + +$ sh test.sh 1 2 '3 4' +1 +2 +3 +4 + +Changing it to: + + for var in "$@" + do + echo "$var" + done + +will correctly expand to: + +$ sh test.sh 1 2 '3 4' +1 +2 +3 4 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144 + +(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71) +--- + testprogs/blackbox/subunit.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh +index 0791d775d27..5c81ce20a11 100755 +--- a/testprogs/blackbox/subunit.sh ++++ b/testprogs/blackbox/subunit.sh +@@ -78,7 +78,7 @@ subunit_skip_test () { + testit () { + name="$1" + shift +- cmdline="$*" ++ cmdline="$@" + subunit_start_test "$name" + output=`$cmdline 2>&1` + status=$? +@@ -93,7 +93,7 @@ testit () { + testit_expect_failure () { + name="$1" + shift +- cmdline="$*" ++ cmdline="$@" + subunit_start_test "$name" + output=`$cmdline 2>&1` + status=$? 
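Review bot: `cmdline="$@"` in hunk -78 does not preserve argument boundaries: inside a scalar assignment bash and dash join the positional parameters with a space, and the later unquoted `output=\`$cmdline 2>&1\`` re-splits on IFS, so `'3 4'` still reaches the command as two words, contrary to what the commit message shows. If the boundaries matter, run the positional parameters directly, e.g. `output=\`"$@" 2>&1\``, and do the same in testit_expect_failure (hunk -93). As written, the series only works because the values passed later (`kerberosmethod=dedicatedkeytab`) contain no spaces.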
+--
+2.12.0
+
+
+From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 13 Mar 2017 16:11:39 +0100
+Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Andrew Bartlet
+(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
+---
+ lib/krb5_wrap/krb5_samba.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 10b42dec53f..fd8e4a96071 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
+ goto open_keytab;
+ }
+
++ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
++
+ return KRB5_KT_BADNAME;
+
+ open_keytab:
+--
+2.12.0
+
+
+From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 13 Mar 2017 16:24:52 +0100
+Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Andrew Bartlet
+(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
+---
+ source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 57 insertions(+), 12 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 3c73b089bbb..96df10fcf65 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -34,6 +34,57 @@
+
+ #ifdef HAVE_ADS
+
++/* This MAX_NAME_LEN is a constant defined in krb5.h */
++#ifndef MAX_KEYTAB_NAME_LEN
++#define MAX_KEYTAB_NAME_LEN 1100
++#endif
++
++static krb5_error_code ads_keytab_open(krb5_context context,
++ krb5_keytab *keytab)
++{
++ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
++ const char *keytab_name = NULL;
++ krb5_error_code ret = 0;
++
++ switch (lp_kerberos_method()) {
++ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
++
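Review bot: The new message in hunk -1187 is logged at DBG_WARNING but its text starts with `ERROR:`, which contradicts both the level and the patch subject; `DBG_WARNING("Invalid keytab name: %s\n", keytab_name_req);` is enough. If keytab_name_req can be NULL on this path — callers elsewhere in this series used to pass NULL to smb_krb5_kt_open to mean "the default keytab" — then `%s` with a NULL argument is undefined behaviour, so confirm the NULL case has already been diverted to open_keytab before this point. smb_krb5_kt_open begins outside the hunk.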
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
++ ret = krb5_kt_default_name(context,
++ keytab_str,
++ sizeof(keytab_str) - 2);
++ if (ret != 0) {
++ DBG_WARNING("Failed to get default keytab name");
++ goto out;
++ }
++ keytab_name = keytab_str;
++ break;
++ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
++ keytab_name = lp_dedicated_keytab_file();
++ break;
++ default:
++ DBG_ERR("Invalid kerberos method set (%d)\n",
++ lp_kerberos_method());
++ ret = KRB5_KT_BADNAME;
++ goto out;
++ }
++
++ if (keytab_name == NULL || keytab_name[0] == '\0') {
++ DBG_ERR("Invalid keytab name\n");
++ ret = KRB5_KT_BADNAME;
++ goto out;
++ }
++
++ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
++ if (ret != 0) {
++ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
++ error_message(ret));
++ goto out;
++ }
++
++out:
++ return ret;
++}
++
+ /**********************************************************************
+ Adds a single service principal, i.e. 'host' to the system keytab
+ ***********************************************************************/
+@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+ return -1;
+ }
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret = ads_keytab_open(context, &keytab);
++ if (ret != 0) {
+ goto out;
+ }
+
+@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
+ return ret;
+ }
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret = ads_keytab_open(context, &keytab);
++ if (ret != 0) {
+ goto out;
+ }
+
+@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
+ "and update.\n"));
+
+- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
+- if (ret) {
+- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+- error_message(ret)));
++ ret =
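Review bot: In ads_keytab_open (hunk -34) the comment above the fallback define names `MAX_NAME_LEN` while the macro it guards is `MAX_KEYTAB_NAME_LEN`, and the `- 2` passed to krb5_kt_default_name is unexplained although the zero-initialised buffer already guarantees termination with one reserved byte; `/* MAX_KEYTAB_NAME_LEN is normally provided by krb5.h */` plus a one-line reason for the `- 2` would settle both. `DBG_WARNING("Failed to get default keytab name")` is also missing the trailing `\n` every other message in the function has. Note that KERBEROS_VERIFY_SECRETS — the "default"/"secrets only" setting — now falls into `default:` and fails with KRB5_KT_BADNAME plus an ERR-level "Invalid kerberos method set", whereas the replaced smb_krb5_kt_open(context, NULL, True, ...) opened the default keytab regardless; if any caller of ads_keytab_add_entry, ads_keytab_flush or ads_keytab_create_default can run under that setting, the message will be misleading, so confirm the callers are gated on a keytab method.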
ads_keytab_open(context, &keytab); ++ if (ret != 0) { + goto done; + } + +-- +2.12.0 + + +From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 17:28:58 +0100 +Subject: [PATCH 4/5] param: Allow to specify kerberos method on the + commandline + +We support --option for our tools but you cannot set an option where the +value of the option includes a space. + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0) +--- + lib/param/param_table.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/param/param_table.c b/lib/param/param_table.c +index 4b5234a7c9e..9a944ef19b3 100644 +--- a/lib/param/param_table.c ++++ b/lib/param/param_table.c +@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = { + static const struct enum_list enum_kerberos_method[] = { + {KERBEROS_VERIFY_SECRETS, "default"}, + {KERBEROS_VERIFY_SECRETS, "secrets only"}, ++ {KERBEROS_VERIFY_SECRETS, "secretsonly"}, + {KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"}, ++ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"}, + {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"}, ++ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"}, + {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"}, ++ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"}, + {-1, NULL} + }; + +-- +2.12.0 + + +From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 13 Mar 2017 16:34:05 +0100 +Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab + +This checks that a 'net ads join' can create the keytab and make sure we +will not regress in future. 
+ +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlet +(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3) +--- + testprogs/blackbox/test_net_ads.sh | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh +index 8e915cdcf1f..99b886f53eb 100755 +--- a/testprogs/blackbox/test_net_ads.sh ++++ b/testprogs/blackbox/test_net_ads.sh +@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + + + testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` + ++# Test with kerberos method = secrets and keytab ++dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" ++testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` ++ ++testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` ++ ++testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` ++rm -f $dedicated_keytab_file ++ + testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` + + testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch new file mode 100644 index 0000000..4e21154 --- /dev/null +++ b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch 
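Review bot: The new test name `"join (decicated keytab)"` is misspelled — the two sibling tests say `dedicated` — which makes the three related results hard to find together in subunit output. `rm -f $dedicated_keytab_file` expands the path unquoted; `$PREFIX_ABS` is supplied by the harness, so `rm -f "$dedicated_keytab_file"` keeps the cleanup correct if that path ever contains spaces. The keytab written here holds the machine account keys, so the cleanup line is the right thing to have — just keep it quoted.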
@@ -0,0 +1,245 @@ +From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 4 May 2017 17:48:42 +0200 +Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with + COPY_FROM_DIRECTORY + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05) +--- + source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++------------- + 1 file changed, 35 insertions(+), 16 deletions(-) + +diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c +index 394a3e5..49be5d9 100644 +--- a/source3/printing/nt_printing.c ++++ b/source3/printing/nt_printing.c +@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver + static uint32_t get_correct_cversion(struct auth_session_info *session_info, + const char *architecture, + const char *driverpath_in, ++ const char *driver_directory, + WERROR *perr) + { + int cversion = -1; + NTSTATUS nt_status; + struct smb_filename *smb_fname = NULL; +- char *driverpath = NULL; + files_struct *fsp = NULL; + connection_struct *conn = NULL; + char *oldcwd; + char *printdollar = NULL; ++ char *printdollar_path = NULL; ++ char *working_dir = NULL; + int printdollar_snum; + + *perr = WERR_INVALID_PARAMETER; +@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info, + return -1; + } + ++ printdollar_path = lp_path(talloc_tos(), printdollar_snum); ++ if (printdollar_path == NULL) { ++ *perr = WERR_NOT_ENOUGH_MEMORY; ++ return -1; ++ } ++ ++ working_dir = talloc_asprintf(talloc_tos(), ++ "%s/%s", ++ printdollar_path, ++ architecture); ++ /* ++ * If the driver has been uploaded into a temorpary driver ++ * directory, switch to the driver directory. 
++ */ ++ if (driver_directory != NULL) { ++ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s", ++ printdollar_path, ++ architecture, ++ driver_directory); ++ } ++ + nt_status = create_conn_struct_cwd(talloc_tos(), + server_event_context(), + server_messaging_context(), + &conn, + printdollar_snum, +- lp_path(talloc_tos(), printdollar_snum), ++ working_dir, + session_info, &oldcwd); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("get_correct_cversion: create_conn_struct " +@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info, + goto error_free_conn; + } + +- /* Open the driver file (Portable Executable format) and determine the +- * deriver the cversion. */ +- driverpath = talloc_asprintf(talloc_tos(), +- "%s/%s", +- architecture, +- driverpath_in); +- if (!driverpath) { +- *perr = WERR_NOT_ENOUGH_MEMORY; +- goto error_exit; +- } +- +- nt_status = driver_unix_convert(conn, driverpath, &smb_fname); ++ /* ++ * We switch to the directory where the driver files are located, ++ * so only work on the file names ++ */ ++ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname); + if (!NT_STATUS_IS_OK(nt_status)) { + *perr = ntstatus_to_werror(nt_status); + goto error_exit; +@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx, + * NT2K: cversion=3 + */ + +- *version = get_correct_cversion(session_info, short_architecture, +- *driver_path, &err); ++ *version = get_correct_cversion(session_info, ++ short_architecture, ++ *driver_path, ++ *driver_directory, ++ &err); + if (*version == -1) { + return err; + } +-- +2.9.3 + + +From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 5 May 2017 11:11:25 +0200 +Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test + for 64bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from 
commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e) +--- + source4/torture/rpc/spoolss.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c +index 409ba57..c4b7bf1 100644 +--- a/source4/torture/rpc/spoolss.c ++++ b/source4/torture/rpc/spoolss.c +@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx, + } + + static bool test_driver_copy_from_directory(struct torture_context *tctx, +- struct dcerpc_pipe *p) ++ struct dcerpc_pipe *p, ++ const char *architecture) + { + struct torture_driver_context *d; + struct spoolss_StringArray *a; +@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, + d = talloc_zero(tctx, struct torture_driver_context); + torture_assert_not_null(tctx, d, "ENOMEM"); + +- d->local.environment = +- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64); ++ d->local.environment = talloc_strdup(d, architecture); + torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); + + d->local.driver_directory = +@@ -11208,6 +11208,12 @@ done: + return ok; + } + ++static bool test_driver_copy_from_directory_64(struct torture_context *tctx, ++ struct dcerpc_pipe *p) ++{ ++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); ++} ++ + static bool test_del_driver_all_files(struct torture_context *tctx, + struct dcerpc_pipe *p) + { +@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) + torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers); + + torture_rpc_tcase_add_test(tcase, +- "test_driver_copy_from_directory", +- test_driver_copy_from_directory); ++ "test_driver_copy_from_directory_64", ++ test_driver_copy_from_directory_64); + + torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); + +-- +2.9.3 + + +From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 
00:00:00 2001 +From: Andreas Schneider +Date: Fri, 5 May 2017 11:12:02 +0200 +Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for + copy_from_directory + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 + +Signed-off-by: Andreas Schneider +Reviewed-by: Guenther Deschner +(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0) +--- + source4/torture/rpc/spoolss.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c +index c4b7bf1..e17ac6f 100644 +--- a/source4/torture/rpc/spoolss.c ++++ b/source4/torture/rpc/spoolss.c +@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, + d->local.environment = talloc_strdup(d, architecture); + torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); + +- d->local.driver_directory = +- talloc_asprintf(d, "/usr/share/cups/drivers/x64"); ++ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) { ++ d->local.driver_directory = ++ talloc_strdup(d, "/usr/share/cups/drivers/x64"); ++ } else { ++ d->local.driver_directory = ++ talloc_strdup(d, "/usr/share/cups/drivers/i386"); ++ } + torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM"); + + d->remote.driver_upload_directory = GUID_string2(d, &guid); +@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx, + return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); + } + ++static bool test_driver_copy_from_directory_32(struct torture_context *tctx, ++ struct dcerpc_pipe *p) ++{ ++ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86); ++} ++ + static bool test_del_driver_all_files(struct torture_context *tctx, + struct dcerpc_pipe *p) + { +@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) + "test_driver_copy_from_directory_64", + 
test_driver_copy_from_directory_64); + ++ torture_rpc_tcase_add_test(tcase, ++ "test_driver_copy_from_directory_32", ++ test_driver_copy_from_directory_32); ++ + torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); + + torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files); +-- +2.9.3 + diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch new file mode 100644 index 0000000..7441e1d --- /dev/null +++ b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch 
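Review bot: In get_correct_cversion() neither talloc_asprintf() result assigned to working_dir is checked for NULL, so an allocation failure reaches create_conn_struct_cwd() as a NULL path instead of the WERR_NOT_ENOUGH_MEMORY that the printdollar_path check immediately above returns; the first string is also built unconditionally and then overwritten when driver_directory is set. Building only the string that is needed and checking it once fixes both, as below. The hunk does not show where driver_directory is validated: it is joined into the directory the fake connection changes into, and the torture patch in the same file suggests it is a client-chosen upload directory name, so confirm the caller rejects path separators and `..` components before it gets here, and state that precondition in a one-line comment at the parameter. Comment typo: `temorpary` → `temporary`. get_correct_cversion() begins before and continues after the lines shown.
```c
	/*
	 * If the driver has been uploaded into a temporary driver
	 * directory, switch to that directory instead of the plain
	 * architecture directory.
	 */
	if (driver_directory != NULL) {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
					      printdollar_path,
					      architecture,
					      driver_directory);
	} else {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s",
					      printdollar_path,
					      architecture);
	}
	if (working_dir == NULL) {
		*perr = WERR_NOT_ENOUGH_MEMORY;
		return -1;
	}
	/* … unchanged: create_conn_struct_cwd() call … */
```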
@@ -0,0 +1,211 @@ +From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 14 Mar 2017 16:12:20 +0100 +Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file + +The arguments get passed in the wrong order to read_target_host(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 + +Signed-off-by: Andreas Schneider +(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0) +--- + source3/modules/vfs_expand_msdfs.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c +index ffbfa333bad..e42d0098b32 100644 +--- a/source3/modules/vfs_expand_msdfs.c ++++ b/source3/modules/vfs_expand_msdfs.c +@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx, + return NULL; + } + +- targethost = read_target_host( +- ctx, raddr, mapfilename); ++ targethost = read_target_host(ctx, mapfilename, raddr); + if (targethost == NULL) { + DEBUG(1, ("Could not expand target host from file %s\n", + mapfilename)); +-- +2.12.0 + +From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 21 Mar 2017 15:32:37 +0100 +Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to + get_referred_path() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 + +Pair-Programmed-With: Ralph Boehme + +Signed-off-by: Andreas Schneider +Signed-off-by: Ralph Boehme +Reviewed-by: Jeremy Allison +(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e) +--- + source3/modules/vfs_default.c | 2 ++ + source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++ + source3/smbd/msdfs.c | 12 +++++++----- + source3/smbd/proto.h | 12 +++++++----- + 4 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c +index e0b6125f7d8..dcae861103d 100644 +--- a/source3/modules/vfs_default.c ++++ 
b/source3/modules/vfs_default.c +@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle, + + /* The following call can change cwd. */ + status = get_referred_path(r, pathnamep, ++ handle->conn->sconn->remote_address, ++ handle->conn->sconn->local_address, + !handle->conn->sconn->using_smb2, + junction, &consumedcnt, &self_referral); + if (!NT_STATUS_IS_OK(status)) { +diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c +index ab2af53c0ba..0a4d6d31b7c 100644 +--- a/source3/rpc_server/dfs/srv_dfs_nt.c ++++ b/source3/rpc_server/dfs/srv_dfs_nt.c +@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r) + + /* The following call can change the cwd. */ + status = get_referred_path(ctx, r->in.path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status)) { +@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r) + } + + status = get_referred_path(ctx, r->in.dfs_entry_path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status)) { +@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r) + + /* The following call can change the cwd. 
*/ + status = get_referred_path(ctx, r->in.dfs_entry_path, ++ p->remote_address, ++ p->local_address, + true, /*allow_broken_path */ + jn, &consumedcnt, &self_ref); + if(!NT_STATUS_IS_OK(status) || +diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c +index 61538cec832..3cf82d3b430 100644 +--- a/source3/smbd/msdfs.c ++++ b/source3/smbd/msdfs.c +@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx, + **********************************************************************/ + + NTSTATUS get_referred_path(TALLOC_CTX *ctx, +- const char *dfs_path, +- bool allow_broken_path, +- struct junction_map *jucn, +- int *consumedcntp, +- bool *self_referralp) ++ const char *dfs_path, ++ const struct tsocket_address *remote_address, ++ const struct tsocket_address *local_address, ++ bool allow_broken_path, ++ struct junction_map *jucn, ++ int *consumedcntp, ++ bool *self_referralp) + { + struct connection_struct *conn; + char *targetpath = NULL; +diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h +index c1b8201b472..e64457cf9e0 100644 +--- a/source3/smbd/proto.h ++++ b/source3/smbd/proto.h +@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn, + SMB_STRUCT_STAT *sbufp); + struct junction_map; + NTSTATUS get_referred_path(TALLOC_CTX *ctx, +- const char *dfs_path, +- bool allow_broken_path, +- struct junction_map *jucn, +- int *consumedcntp, +- bool *self_referralp); ++ const char *dfs_path, ++ const struct tsocket_address *remote_address, ++ const struct tsocket_address *local_address, ++ bool allow_broken_path, ++ struct junction_map *jucn, ++ int *consumedcntp, ++ bool *self_referralp); + int setup_dfs_referral(connection_struct *orig_conn, + const char *dfs_path, + int max_referral_level, +-- +2.13.0 + + +From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 21 Mar 2017 15:45:34 +0100 +Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake + connection + +BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=12687 + +Pair-Programmed-With: Ralph Boehme + +Signed-off-by: Andreas Schneider +Signed-off-by: Ralph Boehme +Reviewed-by: Jeremy Allison + +(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9) +--- + source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c +index 3cf82d3b430..c25fb17cee8 100644 +--- a/source3/smbd/msdfs.c ++++ b/source3/smbd/msdfs.c +@@ -31,6 +31,7 @@ + #include "lib/param/loadparm.h" + #include "libcli/security/security.h" + #include "librpc/gen_ndr/ndr_dfsblobs.h" ++#include "lib/tsocket/tsocket.h" + + /********************************************************************** + Parse a DFS pathname of the form \hostname\service\reqpath +@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx, + return status; + } + ++ /* ++ * TODO ++ * ++ * The remote and local address should be passed down to ++ * create_conn_struct_cwd. ++ */ ++ if (conn->sconn->remote_address == NULL) { ++ conn->sconn->remote_address = ++ tsocket_address_copy(remote_address, conn->sconn); ++ if (conn->sconn->remote_address == NULL) { ++ TALLOC_FREE(pdp); ++ return NT_STATUS_NO_MEMORY; ++ } ++ } ++ if (conn->sconn->local_address == NULL) { ++ conn->sconn->local_address = ++ tsocket_address_copy(local_address, conn->sconn); ++ if (conn->sconn->local_address == NULL) { ++ TALLOC_FREE(pdp); ++ return NT_STATUS_NO_MEMORY; ++ } ++ } ++ + /* If this is a DFS path dfs_lookup should return + * NT_STATUS_PATH_NOT_COVERED. */ + +-- +2.13.0 + diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch new file mode 100644 index 0000000..178c44d --- /dev/null +++ b/SOURCES/samba-v4-6-fix_path_substitutions.patch 
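Review bot: The new block in get_referred_path() hands remote_address and local_address straight to tsocket_address_copy() without checking them, and none of the four call sites in the other hunks show that `p->remote_address`, `p->local_address` or the `sconn` fields are guaranteed non-NULL; if one is NULL the fake connection ends up with the same missing address this series is trying to fix, reported as NT_STATUS_NO_MEMORY or not at all depending on what tsocket_address_copy() does with NULL, which is not visible here. Either document the non-NULL precondition on the two new parameters or check them explicitly, e.g. `if (remote_address == NULL || local_address == NULL) { TALLOC_FREE(pdp); return NT_STATUS_INVALID_PARAMETER; }` before the copies. The error paths mirror the `return status` just above, but since the TODO says the addresses belong in create_conn_struct_cwd() that call has presumably already run by this point, so confirm that returning here without the later cleanup does not leave the cwd changed or conn unreleased. The proto.h declaration gains two parameters with no comment; a line such as `/* remote_address/local_address are copied onto the fake connection so VFS modules (e.g. vfs_expand_msdfs) see the client endpoints */` would record why they exist. get_referred_path() begins before and continues after the lines shown.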
@@ -0,0 +1,194 @@ +From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Fri, 17 Mar 2017 13:52:57 +0100 +Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user + information + +This fixes the substitution for 'template homedir'. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +Signed-off-by: Volker Lendecke +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Volker Lendecke +Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144 + +(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5) +--- + source3/winbindd/wb_queryuser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c +index be4d3d3e665..69b4c8dad5a 100644 +--- a/source3/winbindd/wb_queryuser.c ++++ b/source3/winbindd/wb_queryuser.c +@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq) + NTSTATUS status; + const char *domain_name; + +- status = wb_lookupsid_recv(subreq, state, &type, &domain_name, ++ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name, + &state->info->primary_group_name); + TALLOC_FREE(subreq); + if (tevent_req_nterror(req, status)) { +-- +2.12.0 + + +From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 15 Mar 2017 12:37:08 +0100 +Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660) +--- + selftest/target/Samba3.pm | 19 ++++++++++++++++++- + source3/script/tests/test_substitutions.sh | 9 +++++++-- + 2 files changed, 25 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index f5b2c510224..1e053f12297 100755 +--- a/selftest/target/Samba3.pm ++++ 
b/selftest/target/Samba3.pm +@@ -394,16 +394,33 @@ sub setup_admember($$$$) + $substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users"; + push(@dirs, $substitution_path); + ++ # Using '/' as the winbind separator is a bad idea ... ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN"; ++ push(@dirs, $substitution_path); ++ ++ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users"; ++ push(@dirs, $substitution_path); ++ + my $member_options = " + security = ads + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + netbios aliases = foo bar + +-[subDUG] ++[sub_dug] + path = $share_dir/D_%D/U_%U/G_%G + writeable = yes + ++[sub_dug2] ++ path = $share_dir/D_%D/u_%u/g_%g ++ writeable = yes ++ + "; + + my $ret = $self->provision($prefix, +diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh +index 0852ad969f0..1a46f11c85d 100755 +--- a/source3/script/tests/test_substitutions.sh ++++ b/source3/script/tests/test_substitutions.sh +@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient" + . $samba_srcdir/testprogs/blackbox/subunit.sh + . 
$samba_srcdir/testprogs/blackbox/common_test_fns.inc + +-SMB_UNC="//$SERVER/subDUG" ++SMB_UNC="//$SERVER/sub_dug" + +-test_smbclient "Test login to share with substitution" \ ++test_smbclient "Test login to share with substitution (DUG)" \ ++ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) ++ ++SMB_UNC="//$SERVER/sub_dug2" ++ ++test_smbclient "Test login to share with substitution (Dug)" \ + "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) + + exit $failed +-- +2.12.0 + + +From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 17 Mar 2017 10:04:19 +0100 +Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 + +With this set, the samba3.local.nss test for ad_member will ensure that +we correctly substitute those smb.conf options. + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144 + +(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03) +--- + nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------ + selftest/target/Samba3.pm | 1 + + 2 files changed, 12 insertions(+), 6 deletions(-) + +diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh +index cfe582df068..f9c040e5f43 100755 +--- a/nsswitch/tests/test_wbinfo.sh ++++ b/nsswitch/tests/test_wbinfo.sh +@@ -205,13 +205,18 @@ subunit_start_test "$test_name" + # The full name (GECOS) is based on name (the RDN, in this case CN) + # and displayName in winbindd_ads, and is based only on displayName in + # winbindd_msrpc and winbindd_rpc. Allow both versions. 
+-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" +-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" ++if test "$TARGET" = "ad_member"; then ++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false" ++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false" ++else ++ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" ++ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" ++fi + +-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then ++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" + else +- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" ++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=`expr $failed + 1` + fi + +@@ -227,10 +232,10 @@ fi + + test_name="confirm output of wbinfo --uid-info against $TARGET" + subunit_start_test "$test_name" +-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then ++if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then + subunit_pass_test "$test_name" + else +- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" ++ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" + failed=`expr $failed + 1` + fi + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 1e053f12297..cb4970828a5 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -412,6 +412,7 @@ sub 
setup_admember($$$$) + workgroup = $dcvars->{DOMAIN} + realm = $dcvars->{REALM} + netbios aliases = foo bar ++ template homedir = /home/%D/%G/%U + + [sub_dug] + path = $share_dir/D_%D/U_%U/G_%G +-- +2.12.0 + diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch new file mode 100644 index 0000000..7b754ae --- /dev/null +++ b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch 
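Review bot: The one-token change of the talloc parent from `state` to `state->info` in wb_queryuser_got_group_name() carries the whole fix, but nothing in the code records why, so a later cleanup that "normalises" the context back to `state` would silently reintroduce the broken 'template homedir' substitution. Add a short comment on the wb_lookupsid_recv() call stating the reason, presumably that `info` and the strings it owns outlive `state` once the result is handed to the caller (confirm against wb_queryuser_recv, which is not in the hunk), with a pointer to bug 12699. wb_queryuser_got_group_name() begins before and continues after the lines shown.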
@@ -0,0 +1,339 @@ +From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 15 Mar 2017 17:04:30 +0000 +Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of + smb_bytes_pull_str() + +This function needs to get the whole smb buffer in order to get +the alignment for unicode correct. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24) +--- + libcli/smb/smb1cli_session.c | 28 +++++++++++++------------- + libcli/smb/smb_util.h | 3 ++- + libcli/smb/util.c | 47 +++++++++++++++++++++++++++++--------------- + 3 files changed, 47 insertions(+), 31 deletions(-) + +diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c +index 9d92aa6aed4..11614df0ae4 100644 +--- a/libcli/smb/smb1cli_session.c ++++ b/libcli/smb/smb1cli_session.c +@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq) + p = bytes; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq) + p = bytes; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, 
&ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_primary_domain, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq) + p += out_security_blob_length; + + status = smb_bytes_pull_str(state, &state->out_native_os, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } + p += ret; + + status = smb_bytes_pull_str(state, &state->out_native_lm, +- use_unicode, p, +- bytes+num_bytes-p, &ret); ++ use_unicode, bytes, num_bytes, ++ p, &ret); + if (tevent_req_nterror(req, status)) { + return; + } +diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h +index 7e6f0a4ebc4..2884786339d 100644 +--- a/libcli/smb/smb_util.h ++++ b/libcli/smb/smb_util.h +@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, + const uint8_t *bytes, size_t num_bytes); + NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2, + const uint8_t *buf, size_t buf_len, +- size_t *pbuf_consumed); ++ const uint8_t *position, ++ size_t *_consumed); +diff --git a/libcli/smb/util.c b/libcli/smb/util.c +index ef8c9fafa35..7ef909c6077 100644 +--- a/libcli/smb/util.c ++++ b/libcli/smb/util.c +@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, + static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, + bool ucs2, bool align_odd, + const uint8_t *buf, size_t buf_len, +- size_t *pbuf_consumed) ++ const uint8_t *position, ++ size_t *p_consumed) + { + size_t pad = 0; ++ size_t offset; + char *str = NULL; + size_t str_len = 0; + bool ok; + + *_str = NULL; +- if (pbuf_consumed != NULL) { +- *pbuf_consumed = 0; ++ if (p_consumed != NULL) { ++ *p_consumed = 0; ++ } ++ ++ if (position < buf) { ++ return 
NT_STATUS_INTERNAL_ERROR; ++ } ++ ++ offset = PTR_DIFF(position, buf); ++ if (offset > buf_len) { ++ return NT_STATUS_BUFFER_TOO_SMALL; + } + + if (ucs2 && +- ((align_odd && (buf_len % 2 == 0)) || +- (!align_odd && (buf_len % 2 == 1)))) { +- if (buf_len < 1) { +- return NT_STATUS_BUFFER_TOO_SMALL; +- } +- pad = 1; +- buf_len -= pad; +- buf += pad; ++ ((align_odd && (offset % 2 == 0)) || ++ (!align_odd && (offset % 2 == 1)))) { ++ pad += 1; ++ offset += 1; ++ } ++ ++ if (offset > buf_len) { ++ return NT_STATUS_BUFFER_TOO_SMALL; + } + ++ buf_len -= offset; ++ buf += offset; ++ + if (ucs2) { + buf_len = utf16_len_n(buf, buf_len); + } else { +@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, + return map_nt_error_from_unix_common(errno); + } + +- if (pbuf_consumed != NULL) { +- *pbuf_consumed = buf_len + pad; ++ if (p_consumed != NULL) { ++ *p_consumed = buf_len + pad; + } + *_str = str; +- return NT_STATUS_OK;; ++ return NT_STATUS_OK; + } + + NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2, + const uint8_t *buf, size_t buf_len, +- size_t *_buf_consumed) ++ const uint8_t *position, ++ size_t *_consumed) + { + return internal_bytes_pull_str(mem_ctx, _str, ucs2, true, +- buf, buf_len, _buf_consumed); ++ buf, buf_len, position, _consumed); + } +-- +2.13.1 + + +From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 15 Mar 2017 17:04:44 +0000 +Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper + function + +This function updates cli->server_{os,type,domain} to valid values +after a session setup. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3) +--- + source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++-------------- + 1 file changed, 52 insertions(+), 22 deletions(-) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index a2362ceb863..ef03da17eec 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, + return NT_STATUS_OK; + } + ++static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli, ++ const char *native_os, ++ const char *native_lm, ++ const char *primary_domain) ++{ ++#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0') ++ ++ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) { ++ cli->server_os = talloc_strdup(cli, native_os); ++ if (cli->server_os == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } ++ ++ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) { ++ cli->server_type = talloc_strdup(cli, native_lm); ++ if (cli->server_type == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } ++ ++ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) { ++ cli->server_domain = talloc_strdup(cli, primary_domain); ++ if (cli->server_domain == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ } ++ ++#undef _VALID_STRING ++ return NT_STATUS_OK; ++} ++ + /******************************************************** + Utility function to ensure we always return at least + a valid char * pointer to an empty string for the +@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) + subreq, struct tevent_req); + struct cli_sesssetup_blob_state *state = tevent_req_data( + req, struct cli_sesssetup_blob_state); +- struct cli_state *cli = state->cli; + NTSTATUS status; + + if (smbXcli_conn_protocol(state->cli->conn) >= 
PROTOCOL_SMB2_02) { +@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); +- } +- + state->status = status; + ++ status = cli_state_update_after_sesssetup(state->cli, ++ state->out_native_os, ++ state->out_native_lm, ++ NULL); ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ + if (state->blob.length != 0) { + /* + * More to send +@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); +- } +- if (cli->server_domain == NULL) { +- cli->server_domain = talloc_move(cli, &state->out_primary_domain); ++ status = cli_state_update_after_sesssetup(state->cli, ++ state->out_native_os, ++ state->out_native_lm, ++ state->out_primary_domain); ++ if (tevent_req_nterror(req, status)) { ++ return; + } + + ok = smb1cli_conn_activate_signing(cli->conn, +@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) + subreq, struct tevent_req); + struct cli_session_setup_creds_state *state = tevent_req_data( + req, struct cli_session_setup_creds_state); +- struct cli_state *cli = state->cli; + NTSTATUS status; + + status = smb1cli_session_setup_lm21_recv(subreq, state, +@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) + return; + } + +- if (cli->server_os == NULL) { +- cli->server_os = talloc_move(cli, &state->out_native_os); +- } +- if (cli->server_type == NULL) { +- cli->server_type = talloc_move(cli, &state->out_native_lm); ++ status = cli_state_update_after_sesssetup(state->cli, ++ 
state->out_native_os, ++ state->out_native_lm, ++ NULL); ++ if (tevent_req_nterror(req, status)) { ++ return; + } + + tevent_req_done(req); +-- +2.13.1 + diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch new file mode 100644 index 0000000..5c52aa9 --- /dev/null +++ b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch 
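Review bot: In cli_state_update_after_sesssetup() the trailing `#undef _VALID_STRING` does not match the macro defined at the top of the function, `_VALID_STR`, so the helper stays defined for the rest of cliconnect.c instead of being scoped to this function as intended; change it to `#undef _VALID_STR`. The name is also in the implementation-reserved identifier space (leading underscore followed by an uppercase letter), so renaming both the define and the undef to something like `VALID_STR` would be cleaner. A one-line comment above the function saying that it only fills server_os, server_type and server_domain when they are still empty and the server supplied a non-empty value, which is exactly what the three guarded talloc_strdup() calls do, would save readers of the three call sites from re-deriving that.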
@@ -0,0 +1,162 @@ +From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 19 Jun 2017 14:50:33 +0200 +Subject: [PATCH 1/2] s3:popt_common: Reparse the username in + popt_common_credentials_post() + +When we parse the username in the options handling, the smb.conf file +has not been loaded yet. So we are not aware of a 'winbind separator' +set in the config file. + +We need to read and set the username again in the post-processing of the +credentials. + +https://bugzilla.samba.org/show_bug.cgi?id=12849 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b) +--- + source3/lib/popt_common.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c +index 3589a4fbd2b..9928c708e89 100644 +--- a/source3/lib/popt_common.c ++++ b/source3/lib/popt_common.c +@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void) + void popt_common_credentials_post(void) + { + struct user_auth_info *auth_info = cmdline_auth_info; ++ const char *username = NULL; + + if (get_cmdline_auth_info_use_machine_account(auth_info) && + !set_cmdline_auth_info_machine_account_creds(auth_info)) +@@ -248,6 +249,20 @@ void popt_common_credentials_post(void) + } + + set_cmdline_auth_info_getpass(auth_info); ++ ++ /* ++ * When we set the username during the handling of the options passed to ++ * the binary we haven't loaded the config yet. This means that we ++ * didnn't take the 'winbind separator' into account. ++ * ++ * The username might contain the domain name and thus it hasn't been ++ * correctly parsed yet. If we have a username we need to set it again ++ * to run the string parser for the username correctly. 
++ */ ++ username = get_cmdline_auth_info_username(auth_info); ++ if (username != NULL && username[0] != '\0') { ++ set_cmdline_auth_info_username(auth_info, username); ++ } + } + + static void popt_common_credentials_callback(poptContext con, +-- +2.13.1 + + +From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 19 Jun 2017 15:52:23 +0200 +Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144 + +(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af) +--- + source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++ + source3/selftest/tests.py | 1 + + 2 files changed, 63 insertions(+) + create mode 100755 source3/script/tests/test_smbclient_basic.sh + +diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh +new file mode 100755 +index 00000000000..90e579b68e9 +--- /dev/null ++++ b/source3/script/tests/test_smbclient_basic.sh +@@ -0,0 +1,62 @@ ++#!/bin/sh ++ ++# this runs the file serving tests that are expected to pass with samba3 against shares with various options ++ ++if [ $# -lt 5 ]; then ++cat < ++EOF ++exit 1; ++fi ++ ++SERVER="$1" ++SERVER_IP="$2" ++USERNAME="$3" ++PASSWORD="$4" ++smbclient="$5" ++CONFIGURATION="$6" ++shift 6 ++ADDARGS="$@" ++ ++incdir=`dirname $0`/../../../testprogs/blackbox ++. $incdir/subunit.sh ++ ++test_smbclient() { ++ name="$1" ++ cmd="$2" ++ shift ++ shift ++ echo "test: $name" ++ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@ ++ status=$? 
++ if [ x$status = x0 ]; then ++ echo "success: $name" ++ else ++ echo "failure: $name" ++ fi ++ return $status ++} ++ ++# TEST using \ as the separator (default) ++test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` ++# TEST using / as the separator (default) ++test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` ++ ++# TEST using 'winbind separator = +' ++test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1` ++ ++# TEST using 'winbind separator = +' set in a config file ++smbclient_config="$PREFIX/tmpsmbconf" ++cat > $smbclient_config < +Date: Tue, 21 Mar 2017 09:57:30 +0100 +Subject: [PATCH 1/2] s3:libads: Remove obsolete + smb_krb5_get_ntstatus_from_init_creds() + +There is no way we can get a better error code out of this. The original +function called was krb5_get_init_creds_opt_get_error() which has been +deprecated in 2008. 
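Review bot: In popt_common_credentials_post() the `username` handed to set_cmdline_auth_info_username() is the pointer returned by get_cmdline_auth_info_username(auth_info) on the same auth_info, so if the setter releases the stored string before duplicating its argument (its body is outside this hunk) the copy reads freed memory. Taking a private copy first, e.g. `char *tmp = talloc_strdup(talloc_tos(), username);` and passing `tmp`, removes the aliasing whatever the setter does internally. The new block comment also carries a typo, `didnn't`, which could be fixed while touching it.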
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 + +Signed-off-by: Andreas Schneider +Reviewed-by: Uri Simchoni +(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e) +--- + source3/libads/kerberos.c | 169 ---------------------------------------------- + 1 file changed, 169 deletions(-) + +Index: samba-4.6.2/source3/libads/kerberos.c +=================================================================== +--- samba-4.6.2.orig/source3/libads/kerberos.c ++++ samba-4.6.2/source3/libads/kerberos.c +@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da + return 0; + } + +-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, +- DATA_BLOB *edata, +- DATA_BLOB *edata_out) +-{ +- DATA_BLOB edata_contents; +- ASN1_DATA *data; +- int edata_type; +- +- if (!edata->length) { +- return false; +- } +- +- data = asn1_init(mem_ctx); +- if (data == NULL) { +- return false; +- } +- +- if (!asn1_load(data, *edata)) goto err; +- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; +- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; +- if (!asn1_read_Integer(data, &edata_type)) goto err; +- +- if (edata_type != KRB5_PADATA_PW_SALT) { +- DEBUG(0,("edata is not of required type %d but of type %d\n", +- KRB5_PADATA_PW_SALT, edata_type)); +- goto err; +- } +- +- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; +- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err; +- if (!asn1_end_tag(data)) goto err; +- if (!asn1_end_tag(data)) goto err; +- if (!asn1_end_tag(data)) goto err; +- asn1_free(data); +- +- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); +- +- data_blob_free(&edata_contents); +- +- return true; +- +- err: +- +- asn1_free(data); +- return false; +-} +- +- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error, +- NTSTATUS *nt_status) +-{ +- DATA_BLOB edata; +- DATA_BLOB unwrapped_edata; +- TALLOC_CTX *mem_ctx; +- struct KRB5_EDATA_NTSTATUS parsed_edata; +- enum 
ndr_err_code ndr_err; +- +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- edata = data_blob(error->e_data->data, error->e_data->length); +-#else +- edata = data_blob(error->e_data.data, error->e_data.length); +-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */ +- +-#ifdef DEVELOPER +- dump_data(10, edata.data, edata.length); +-#endif /* DEVELOPER */ +- +- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error"); +- if (mem_ctx == NULL) { +- data_blob_free(&edata); +- return False; +- } +- +- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) { +- data_blob_free(&edata); +- TALLOC_FREE(mem_ctx); +- return False; +- } +- +- data_blob_free(&edata); +- +- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, +- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS); +- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { +- data_blob_free(&unwrapped_edata); +- TALLOC_FREE(mem_ctx); +- return False; +- } +- +- data_blob_free(&unwrapped_edata); +- +- if (nt_status) { +- *nt_status = parsed_edata.ntstatus; +- } +- +- TALLOC_FREE(mem_ctx); +- +- return True; +-} +- +-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx, +- krb5_principal client, +- krb5_get_init_creds_opt *opt, +- NTSTATUS *nt_status) +-{ +- krb5_init_creds_context icc; +- krb5_error_code code; +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- /* HEIMDAL */ +- krb5_error error; +-#else +- krb5_error *error = NULL; +-#endif +- bool ok; +- +- code = krb5_init_creds_init(ctx, +- client, +- NULL, +- NULL, +- 0, +- opt, +- &icc); +- if (code != 0) { +- DBG_WARNING("krb5_init_creds_init failed with: %s\n", +- error_message(code)); +- return false; +- } +- +- code = krb5_init_creds_get_error(ctx, +- icc, +- &error); +- if (code != 0) { +- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n", +- error_message(code)); +- return false; +- } +- krb5_init_creds_free(ctx, icc); +- +-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR +- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, 
nt_status); +- +- krb5_free_error_contents(ctx, &error); +-#else +- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status); +- +- krb5_free_error(ctx, error); +-#endif +- +- return ok; +-} +- + /* + simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL + place in default cache location. +@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch + } + out: + if (ntstatus) { +- +- NTSTATUS status; +- + /* fast path */ + if (code == 0) { + *ntstatus = NT_STATUS_OK; + goto cleanup; + } + +- /* try to get ntstatus code out of krb5_error when we have it +- * inside the krb5_get_init_creds_opt - gd */ +- +- if (opt != NULL) { +- bool ok; +- +- ok = smb_krb5_get_ntstatus_from_init_creds(ctx, +- me, +- opt, +- &status); +- if (ok) { +- *ntstatus = status; +- goto cleanup; +- } +- } +- + /* fall back to self-made-mapping */ + *ntstatus = krb5_to_nt_status(code); + } +Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh +=================================================================== +--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh ++++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh +@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d + + testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` + ++testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` ++ ++testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` ++ + rm -f $KRB5CCNAME_PATH + + exit $failed diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch new file mode 100644 index 0000000..f29cddb --- /dev/null +++ b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch 
@@ -0,0 +1,76 @@ +From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 20 Jun 2017 10:27:07 +0200 +Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851 + +Signed-off-by: Andreas Schneider +Reviewed-by: Volker Lendecke +--- + source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++--- + 1 file changed, 31 insertions(+), 3 deletions(-) + +diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c +index 8c764f77b08..b0bf6784ba6 100644 +--- a/source3/winbindd/wb_getpwsid.c ++++ b/source3/winbindd/wb_getpwsid.c +@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + req, struct wb_getpwsid_state); + struct winbindd_pw *pw = state->pw; + struct wbint_userinfo *info; ++ struct winbindd_domain *domain = NULL; + fstring acct_name, output_username; ++ char *mapped_name = NULL; + char *tmp; + NTSTATUS status; + +@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + return; + } + +- fill_domain_username(output_username, info->domain_name, +- acct_name, true); ++ domain = find_domain_from_name_noinit(info->domain_name); ++ if (tevent_req_nomem(domain, req)) { ++ return; ++ } ++ ++ /* ++ * TODO: ++ * This function should be called in 'idmap winbind child'. It shouldn't ++ * be a blocking call, but for this we need to add a new function for ++ * winbind.idl. This is a fix which can be backported for now. 
++ */ ++ status = normalize_name_map(state, ++ domain, ++ acct_name, ++ &mapped_name); ++ if (NT_STATUS_IS_OK(status)) { ++ fill_domain_username(output_username, ++ info->domain_name, ++ mapped_name, true); ++ fstrcpy(acct_name, mapped_name); ++ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { ++ fstrcpy(acct_name, mapped_name); ++ } else { ++ fill_domain_username(output_username, ++ info->domain_name, ++ acct_name, true); ++ } ++ + strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name)); + + strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "", +@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) + TALLOC_FREE(tmp); + + tmp = talloc_sub_specified( +- state, info->shell, info->acct_name, ++ state, info->shell, acct_name, + info->primary_group_name, info->domain_name, + pw->pw_uid, pw->pw_gid); + if (tevent_req_nomem(tmp, req)) { +-- +2.13.1 + diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch new file mode 100644 index 0000000..8583d5b --- /dev/null +++ b/SOURCES/samba-v4.6-credentials-fix-realm.patch @@ -0,0 +1,54 @@ +commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c +Author: Andreas Schneider +Date: Wed Dec 21 22:17:22 2016 +0100 + + auth/credentials: Always set the the realm if we set the principal from the ccache + + This fixes a bug in gensec_gssapi_client_start() where an invalid realm + is used to get a Kerberos ticket. + + 
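Review bot: In wb_getpwsid_queryuser_done() the NT_STATUS_FILE_RENAMED branch copies mapped_name into acct_name but never writes output_username, so the later `strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name))` copies an uninitialised fstring unless some line between the two hunks fills it. That branch should build the output name like the other two, e.g. `fill_domain_username(output_username, info->domain_name, mapped_name, true);` ahead of the fstrcpy. Separately, a NULL from find_domain_from_name_noinit() is a lookup miss rather than an allocation failure, yet tevent_req_nomem() reports it as NT_STATUS_NO_MEMORY; `tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN); return;` would describe the condition accurately. The function begins before the first hunk.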
Signed-off-by: Andreas Schneider + Reviewed-by: Stefan Metzmacher + (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7) + +diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c +index 0e68012..1912c48 100644 +--- a/auth/credentials/credentials_krb5.c ++++ b/auth/credentials/credentials_krb5.c +@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + enum credentials_obtained obtained, + const char **error_string) + { +- ++ bool ok; ++ char *realm; + krb5_principal princ; + krb5_error_code ret; + char *name; +@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, + return ret; + } + +- cli_credentials_set_principal(cred, name, obtained); +- ++ ok = cli_credentials_set_principal(cred, name, obtained); ++ if (!ok) { ++ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ return ENOMEM; ++ } + free(name); + ++ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context, ++ princ); + krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); ++ if (realm == NULL) { ++ return ENOMEM; ++ } ++ ok = cli_credentials_set_realm(cred, realm, obtained); ++ SAFE_FREE(realm); ++ if (!ok) { ++ return ENOMEM; ++ } + + /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ + cred->ccache_obtained = obtained; diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch new file mode 100644 index 0000000..72f2904 --- /dev/null +++ b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch 
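Review bot: In cli_credentials_set_from_ccache() the new `if (!ok)` branch after cli_credentials_set_principal() frees princ and returns ENOMEM, but `name` (presumably allocated by the unparse call above the hunk, since the success path calls free(name)) is not released on that path, so the failure leaks it; add `free(name);` before that return. Both new error returns also report ENOMEM for any false from the setters, which is reasonable only if those setters fail solely on allocation — worth a one-line comment stating that assumption. The enclosing function continues outside the hunk.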
@@ -0,0 +1,543 @@ +From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 17:08:09 +0200 +Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108) +--- + wscript_configure_system_mitkrb5 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 +index 06a9821..d3e8ebf 100644 +--- a/wscript_configure_system_mitkrb5 ++++ b/wscript_configure_system_mitkrb5 +@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN(''' + gsskrb5_extract_authz_data_from_sec_context + gss_krb5_export_lucid_sec_context + gss_import_cred gss_export_cred ++ gss_acquire_cred_from + ''', 'gssapi gssapi_krb5') + conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers) + conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') +-- +2.9.3 + + +From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:14:57 +0200 +Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper + +Wrap gss_krb5_import_cred() to allow re-implementing it with +gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from() +works fine with GSSAPI interposer (GSS-proxy) while +gss_krb5_import_cred() is not interposed yet. + +The wrapper has additional parameter, krb5_context handle, to facilitate +with credentials cache name discovery. All our callers to +gss_krb5_import_cred() already have krb5 context handy. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d) +--- + lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++ + lib/krb5_wrap/gss_samba.h | 13 +++++ + 2 files changed, 134 insertions(+) + +diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c +index b444633..757ffc5 100644 +--- a/lib/krb5_wrap/gss_samba.c ++++ b/lib/krb5_wrap/gss_samba.c +@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid) + } + #endif /* !HAVE_GSS_OID_EQUAL */ + ++ ++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() ++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly ++ * interposed by GSSPROXY while gss_krb5_import_cred() is not. ++ * ++ * This wrapper requires a proper krb5_context to resolve ccache name. ++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
*/ ++uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, ++ krb5_ccache id, krb5_principal keytab_principal, ++ krb5_keytab keytab, gss_cred_id_t *cred) ++{ ++ uint32_t major_status = 0; ++ ++#if HAVE_GSS_ACQUIRE_CRED_FROM ++ uint32_t minor = 0; ++ gss_key_value_element_desc ccache_element = { ++ .key = "ccache", ++ .value = NULL, ++ }; ++ ++ gss_key_value_element_desc keytab_element = { ++ .key = "keytab", ++ .value = NULL, ++ }; ++ ++ gss_key_value_element_desc elements[2]; ++ ++ gss_key_value_set_desc cred_store = { ++ .elements = &ccache_element, ++ .count = 1, ++ }; ++ ++ gss_OID_set mech_set = GSS_C_NO_OID_SET; ++ gss_cred_usage_t cred_usage = GSS_C_INITIATE; ++ gss_name_t name = NULL; ++ gss_buffer_desc pr_name = { ++ .value = NULL, ++ .length = 0, ++ }; ++ ++ if (id != NULL) { ++ major_status = krb5_cc_get_full_name(ctx, ++ id, ++ discard_const(&ccache_element.value)); ++ if (major_status != 0) { ++ return major_status; ++ } ++ } ++ ++ if (keytab != NULL) { ++ keytab_element.value = malloc(4096); ++ if (!keytab_element.value) { ++ return ENOMEM; ++ } ++ major_status = krb5_kt_get_name(ctx, ++ keytab, ++ discard_const(keytab_element.value), 4096); ++ if (major_status != 0) { ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ cred_usage = GSS_C_ACCEPT; ++ cred_store.elements = &keytab_element; ++ ++ if (keytab_principal != NULL) { ++ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value); ++ if (major_status != 0) { ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ pr_name.length = strlen(pr_name.value); ++ ++ major_status = gss_import_name(minor_status, ++ &pr_name, ++ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME), ++ &name); ++ if (major_status != 0) { ++ krb5_free_unparsed_name(ctx, pr_name.value); ++ free(discard_const(keytab_element.value)); ++ return major_status; ++ } ++ } ++ } ++ ++ if (id != NULL && keytab != NULL) { ++ elements[0] = ccache_element; ++ 
elements[1] = keytab_element; ++ ++ cred_store.elements = elements; ++ cred_store.count = 2; ++ cred_usage = GSS_C_BOTH; ++ } ++ ++ major_status = gss_acquire_cred_from(minor_status, ++ name, ++ 0, ++ mech_set, ++ cred_usage, ++ &cred_store, ++ cred, ++ NULL, ++ NULL); ++ ++ if (pr_name.value != NULL) { ++ (void)gss_release_name(&minor, &name); ++ krb5_free_unparsed_name(ctx, pr_name.value); ++ } ++ if (keytab_element.value != NULL) { ++ free(discard_const(keytab_element.value)); ++ } ++ krb5_free_string(ctx, discard_const(ccache_element.value)); ++#else ++ major_status = gss_krb5_import_cred(minor_status, ++ id, ++ keytab_principal, ++ keytab, cred); ++#endif ++ return major_status; ++} ++ ++ + #endif /* HAVE_GSSAPI */ +diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h +index 5319932..89aee34 100644 +--- a/lib/krb5_wrap/gss_samba.h ++++ b/lib/krb5_wrap/gss_samba.h +@@ -25,6 +25,7 @@ + #ifdef HAVE_GSSAPI + + #include "system/gssapi.h" ++#include "krb5_samba.h" + + #if defined(HAVE_GSS_OID_EQUAL) + #define smb_gss_oid_equal gss_oid_equal +@@ -32,5 +33,17 @@ + int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid); + #endif /* HAVE_GSS_OID_EQUAL */ + ++/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() ++ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly ++ * interposed by GSS-proxy while gss_krb5_import_cred() is not. ++ * ++ * This wrapper requires a proper krb5_context to resolve the ccache name for ++ * gss_acquire_cred_from(). ++ * ++ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
*/ ++uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, ++ krb5_ccache id, krb5_principal keytab_principal, ++ krb5_keytab keytab, gss_cred_id_t *cred); ++ + #endif /* HAVE_GSSAPI */ + #endif /* _GSS_SAMBA_H */ +-- +2.9.3 + + +From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:57:13 +0200 +Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1) +--- + auth/credentials/credentials_krb5.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c +index e974df9..0e68012 100644 +--- a/auth/credentials/credentials_krb5.c ++++ b/auth/credentials/credentials_krb5.c +@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + return ENOMEM; + } + +- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, ++ ccache->ccache, NULL, NULL, ++ &gcc->creds); + if ((maj_stat == GSS_S_FAILURE) && + (min_stat == (OM_uint32)KRB5_CC_END || + min_stat == (OM_uint32)KRB5_CC_NOTFOUND || +@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + return ret; + } + +- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, ++ ccache->ccache, NULL, NULL, ++ &gcc->creds); + + } + +@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + } else { + ret = EINVAL; + } +- (*error_string) = talloc_asprintf(cred, 
"gss_krb5_import_cred failed: %s", error_message(ret)); ++ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret)); + return ret; + } + +@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + + if (ktc->password_based || obtained < CRED_SPECIFIED) { + /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ +- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, ++ NULL, NULL, ktc->keytab, ++ &gcc->creds); + } else { + /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ +- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, +- &gcc->creds); ++ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, ++ NULL, princ, ktc->keytab, ++ &gcc->creds); + } + if (maj_stat) { + if (min_stat) { +-- +2.9.3 + + +From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:57:50 +0200 +Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9) +--- + source3/libads/sasl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 8570788..30127fa 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred) + goto done; + } + +- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred); ++ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred); + if (maj != GSS_S_COMPLETE) { + status = ADS_ERROR_GSS(maj, min); + goto done; +-- +2.9.3 + 
+ +From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 3 Mar 2017 16:58:14 +0200 +Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7) +--- + source3/librpc/crypto/gse.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index abf20bc..f4238f3 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + /* TODO: get krb5 ticket using username/password, if no valid + * one already available in ccache */ + +- gss_maj = gss_krb5_import_cred(&gss_min, +- gse_ctx->ccache, +- NULL, /* keytab_principal */ +- NULL, /* keytab */ +- &gse_ctx->creds); ++ gss_maj = smb_gss_krb5_import_cred(&gss_min, ++ gse_ctx->k5ctx, ++ gse_ctx->ccache, ++ NULL, /* keytab_principal */ ++ NULL, /* keytab */ ++ &gse_ctx->creds); + if (gss_maj) { + char *ccache = NULL; + int kret; +@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, + ccache = NULL; + } + +- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" ++ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -" + "the caller may retry after a kinit.\n", + ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); + SAFE_FREE(ccache); +@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, + } + + /* This creates a GSSAPI cred_id_t with the keytab set */ +- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, +- &gse_ctx->creds); ++ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx, ++ NULL, NULL, gse_ctx->keytab, ++ &gse_ctx->creds); + + if (gss_maj != 0 + && gss_maj != 
(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { +- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", ++ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; +-- +2.9.3 + + +From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 8 Mar 2017 12:38:49 +0200 +Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred + wrapper + +MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing +credentials from a keytab without specifying actual principal. +This was fixed in MIT krb5 1.9.2 (see commit +71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git +master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5). + +Move fallback code to the smb_gss_krb5_import_cred wrapper. We only +expect this fallback to happen with krb5 GSSAPI mechanism, thus hard +code use of krb5 mech when calling to gss_acquire_cred. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Alexander Bokovoy +Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144 + +(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32) +--- + lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++--- + source3/librpc/crypto/gse.c | 49 +-------------------------------------------- + 2 files changed, 44 insertions(+), 51 deletions(-) + +diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c +index 757ffc5..9e5ad4a 100644 +--- a/lib/krb5_wrap/gss_samba.c ++++ b/lib/krb5_wrap/gss_samba.c +@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, + krb5_free_string(ctx, discard_const(ccache_element.value)); + #else + major_status = gss_krb5_import_cred(minor_status, +- id, +- keytab_principal, +- keytab, cred); ++ id, ++ keytab_principal, ++ keytab, cred); ++ ++ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { ++ if ((keytab_principal == NULL) && (keytab != NULL)) { ++ /* No principal was specified and MIT krb5 1.9 version failed. 
++ * We have to fall back to set global acceptor identity */ ++ gss_OID_set_desc mech_set; ++ char *kt_name = NULL; ++ ++ kt_name = malloc(4096); ++ if (!kt_name) { ++ return ENOMEM; ++ } ++ ++ major_status = krb5_kt_get_name(ctx, ++ keytab, ++ kt_name, 4096); ++ if (major_status != 0) { ++ free(kt_name); ++ return major_status; ++ } ++ ++ major_status = gsskrb5_register_acceptor_identity(kt_name); ++ if (major_status) { ++ free(kt_name); ++ return major_status; ++ } ++ ++ /* We are dealing with krb5 GSSAPI mech in this fallback */ ++ mech_set.count = 1; ++ mech_set.elements = gss_mech_krb5; ++ major_status = gss_acquire_cred(minor_status, ++ GSS_C_NO_NAME, ++ GSS_C_INDEFINITE, ++ &mech_set, ++ GSS_C_ACCEPT, ++ cred, ++ NULL, NULL); ++ free(kt_name); ++ } ++ } + #endif + return major_status; + } +diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c +index f4238f3..a111320 100644 +--- a/source3/librpc/crypto/gse.c ++++ b/source3/librpc/crypto/gse.c +@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, + NULL, NULL, gse_ctx->keytab, + &gse_ctx->creds); + +- if (gss_maj != 0 +- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { ++ if (gss_maj != 0) { + DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", + gse_errstr(gse_ctx, gss_maj, gss_min))); + status = NT_STATUS_INTERNAL_ERROR; + goto done; +- +- /* This is the error the MIT krb5 1.9 gives when it +- * implements the function, but we do not specify the +- * principal. However, when we specify the principal +- * as host$@REALM the GSS acceptor fails with 'wrong +- * principal in request'. Work around the issue by +- * falling back to the alternate approach below. */ +- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) +- /* FIXME!!! +- * This call sets the default keytab for the whole server, not +- * just for this context. Need to find a way that does not alter +- * the state of the whole server ... 
*/ +- { +- const char *ktname; +- gss_OID_set_desc mech_set; +- +- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx, +- gse_ctx->keytab, &ktname); +- if (ret) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- +- ret = gsskrb5_register_acceptor_identity(ktname); +- if (ret) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- +- mech_set.count = 1; +- mech_set.elements = &gse_ctx->gss_mech; +- +- gss_maj = gss_acquire_cred(&gss_min, +- GSS_C_NO_NAME, +- GSS_C_INDEFINITE, +- &mech_set, +- GSS_C_ACCEPT, +- &gse_ctx->creds, +- NULL, NULL); +- +- if (gss_maj) { +- DEBUG(0, ("gss_acquire_creds failed with [%s]\n", +- gse_errstr(gse_ctx, gss_maj, gss_min))); +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } + } + + status = NT_STATUS_OK; +-- +2.9.3 + diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch new file mode 100644 index 0000000..73c72cd --- /dev/null +++ b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch 
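Review bot: In smb_gss_krb5_import_cred() the gss_acquire_cred_from path releases the ccache name only at the end of the function, so every early return after the `id != NULL` block — the malloc failure, the krb5_kt_get_name failure, the krb5_unparse_name failure and the gss_import_name failure — leaks the string obtained from krb5_cc_get_full_name(). A single cleanup label inside the `#if HAVE_GSS_ACQUIRE_CRED_FROM` block that releases ccache_element.value, keytab_element.value, pr_name.value and name, reached by every error path, fixes this and removes the repeated free calls. The function also passes raw krb5 error codes and ENOMEM through its uint32_t return, which callers such as gse_init_server() compare against GSS major-status values, so a krb5 failure surfaces as an unrelated GSS status; returning GSS_S_FAILURE with the krb5 code stored in *minor_status matches what the callers expect. Patch 6 moved the gsskrb5_register_acceptor_identity() fallback into this wrapper but dropped the gse.c FIXME noting that the call changes process-wide acceptor state; that caveat should be carried over as a comment on the fallback.
```c
	/* … unchanged: element, cred_store and name initialisation … */

	if (id != NULL) {
		major_status = krb5_cc_get_full_name(ctx, id,
						     discard_const(&ccache_element.value));
		if (major_status != 0) {
			goto done;
		}
	}

	if (keytab != NULL) {
		keytab_element.value = malloc(4096);
		if (keytab_element.value == NULL) {
			major_status = ENOMEM;
			goto done;
		}
		/* … unchanged: krb5_kt_get_name and principal import, each failure now `goto done` … */
	}

	/* … unchanged: combined element list and gss_acquire_cred_from() call … */

done:
	if (name != NULL) {
		(void)gss_release_name(&minor, &name);
	}
	if (pr_name.value != NULL) {
		krb5_free_unparsed_name(ctx, pr_name.value);
	}
	free(discard_const(keytab_element.value));
	krb5_free_string(ctx, discard_const(ccache_element.value));
```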
@@ -0,0 +1,179 @@ +From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 10 Mar 2017 16:20:06 +0200 +Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Implement a small Python module that exposes arcfour_crypt_blob() +function widely used in Samba C code. + +When Samba Python bindings are used to call LSA CreateTrustedDomainEx2, +there is a need to encrypt trusted credentials with RC4 cipher. + +Current Samba Python code relies on Python runtime to provide RC4 +cipher. However, in FIPS 140-2 mode system crypto libraries do not +provide access RC4 cipher at all. According to Microsoft dochelp team, +Windows is treating AuthenticationInformation blob encryption as 'plain +text' in terms of FIPS 140-2, thus doing application-level encryption. + +Replace samba.arcfour_encrypt() implementation with a call to +samba.crypto.arcfour_crypt_blob(). + +Signed-off-by: Alexander Bokovoy +Reviewed-by: Simo Sorce +Reviewed-by: Guenther Deschner + +Autobuild-User(master): Günther Deschner +Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144 + +(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c) +--- + lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ + lib/crypto/wscript_build | 7 ++++ + python/samba/__init__.py | 16 ++------- + 3 files changed, 99 insertions(+), 14 deletions(-) + create mode 100644 lib/crypto/py_crypto.c + +diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c +new file mode 100644 +index 0000000..bf7f9f4 +--- /dev/null ++++ b/lib/crypto/py_crypto.c +@@ -0,0 +1,90 @@ ++/* ++ Unix SMB/CIFS implementation. 
++ Samba crypto functions ++ ++ Copyright (C) Alexander Bokovoy 2017 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include ++#include "includes.h" ++#include "python/py3compat.h" ++#include "lib/crypto/arcfour.h" ++ ++static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs) ++{ ++ DATA_BLOB data, key; ++ PyObject *py_data, *py_key, *result; ++ TALLOC_CTX *ctx; ++ ++ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) ++ return NULL; ++ ++ if (!PyBytes_Check(py_data)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ if (!PyBytes_Check(py_key)) { ++ PyErr_Format(PyExc_TypeError, "bytes expected"); ++ return NULL; ++ } ++ ++ ctx = talloc_new(NULL); ++ ++ data.length = PyBytes_Size(py_data); ++ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length); ++ if (!data.data) { ++ talloc_free(ctx); ++ return PyErr_NoMemory(); ++ } ++ ++ key.data = (uint8_t *)PyBytes_AsString(py_key); ++ key.length = PyBytes_Size(py_key); ++ ++ arcfour_crypt_blob(data.data, data.length, &key); ++ ++ result = PyBytes_FromStringAndSize((const char*) data.data, data.length); ++ talloc_free(ctx); ++ return result; ++} ++ ++ ++static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n" ++ "Encrypt the data with RC4 algorithm using the key"; ++ ++static PyMethodDef py_crypto_methods[] = { ++ { 
"arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc }, ++ { NULL }, ++}; ++ ++static struct PyModuleDef moduledef = { ++ PyModuleDef_HEAD_INIT, ++ .m_name = "crypto", ++ .m_doc = "Crypto functions required for SMB", ++ .m_size = -1, ++ .m_methods = py_crypto_methods, ++}; ++ ++MODULE_INIT_FUNC(crypto) ++{ ++ PyObject *m; ++ ++ m = PyModule_Create(&moduledef); ++ if (m == NULL) ++ return NULL; ++ ++ return m; ++} +diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build +index 7f94532..d1f152e 100644 +--- a/lib/crypto/wscript_build ++++ b/lib/crypto/wscript_build +@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', + autoproto='test_proto.h', + deps='LIBCRYPTO' + ) ++ ++for env in bld.gen_python_environments(): ++ bld.SAMBA_PYTHON('python_crypto', ++ source='py_crypto.c', ++ deps='LIBCRYPTO', ++ realname='samba/crypto.so' ++ ) +diff --git a/python/samba/__init__.py b/python/samba/__init__.py +index 19d5e38..fa4244a 100644 +--- a/python/samba/__init__.py ++++ b/python/samba/__init__.py +@@ -371,20 +371,8 @@ def string_to_byte_array(string): + return blob + + def arcfour_encrypt(key, data): +- try: +- from Crypto.Cipher import ARC4 +- c = ARC4.new(key) +- return c.encrypt(data) +- except ImportError as e: +- pass +- try: +- from M2Crypto.RC4 import RC4 +- c = RC4(key) +- return c.update(data) +- except ImportError as e: +- pass +- raise Exception("arcfour_encrypt() requires " + +- "python*-crypto or python*-m2crypto or m2crypto") ++ from samba.crypto import arcfour_crypt_blob ++ return arcfour_crypt_blob(data, key) + + import _glue + version = _glue.version +-- +2.9.3 + diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch new file mode 100644 index 0000000..f2f7cb6 --- /dev/null +++ b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch 
@@ -0,0 +1,405 @@ +From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 16 Jan 2017 11:43:12 +0100 +Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows + +Since Windows Server 2008 Microsoft uses a different port range for RPC +services. Before it was 1024-65535 and they changed it to 49152-65535. + +We should use the same range as these are the ports the firewall in AD +networks normally allow. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 + +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3) +--- + source3/rpc_server/rpc_server.c | 4 ++-- + source4/smbd/service_stream.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c +index 5effe66d9bb..37fe68fc36d 100644 +--- a/source3/rpc_server/rpc_server.c ++++ b/source3/rpc_server/rpc_server.c +@@ -34,8 +34,8 @@ + #include "rpc_server/srv_pipe_hnd.h" + #include "rpc_server/srv_pipe.h" + +-#define SERVER_TCP_LOW_PORT 1024 +-#define SERVER_TCP_HIGH_PORT 1300 ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 + + /* Creates a pipes_struct and initializes it with the information + * sent from the client */ +diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c +index f0a379acf6a..96a303fc6a9 100644 +--- a/source4/smbd/service_stream.c ++++ b/source4/smbd/service_stream.c +@@ -30,8 +30,8 @@ + #include "lib/util/util_net.h" + + /* the range of ports to try for dcerpc over tcp endpoints */ +-#define SERVER_TCP_LOW_PORT 1024 +-#define SERVER_TCP_HIGH_PORT 1300 ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 + + /* size of listen() backlog in smbd */ + #define SERVER_LISTEN_BACKLOG 10 +-- +2.11.0 + + +From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 16 
Jan 2017 12:05:09 +0100 +Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC + services + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andreas Schneider +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d) +--- + docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++-- + .../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++ + lib/param/loadparm.c | 47 ++++++++++++++++++++++ + lib/param/loadparm.h | 9 ++++- + lib/param/param.h | 3 ++ + python/samba/tests/docs.py | 11 +++-- + source3/include/proto.h | 2 + + source3/param/loadparm.c | 16 ++++++++ + source3/rpc_server/rpc_server.c | 5 +-- + source4/smbd/service_stream.c | 8 ++-- + 10 files changed, 120 insertions(+), 17 deletions(-) + create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml + +diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml +index 8a70835612f..0fd87d69212 100644 +--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml ++++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml +@@ -4,11 +4,19 @@ + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> + + Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic. +- This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used. +- The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000. ++ This controls the default port for all protocols, except for NETLOGON. ++ If unset, the first available port from is used, e.g. 49152. ++ The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000. + Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000. 
+ ++ This option applies currently only when ++ samba 8 ++ runs as an active directory domain controller. ++ ++ The default value 0 causes Samba to select the first available port from . + +-The default value 0 causes Samba to select the first available port after 1024. ++ ++rpc server dynamic port range ++ + 0 + +diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml +new file mode 100644 +index 00000000000..a9c51d2fe41 +--- /dev/null ++++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml +@@ -0,0 +1,22 @@ ++ ++ ++ ++ This parameter tells the RPC server which port range it is ++ allowed to use to create a listening socket for LSA, SAM, ++ Netlogon and others without wellknown tcp ports. ++ The first value is the lowest number of the port ++ range and the second the hightest. ++ ++ ++ This applies to RPC servers in all server roles. ++ ++ ++ ++rpc server port ++ ++49152-65535 ++ +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 6aa757f7c6b..3b54ff232aa 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx) + return lp_ctx->sDefault; + } + ++int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx) ++{ ++ return lp_ctx->globals->rpc_low_port; ++} ++ ++int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) ++{ ++ return lp_ctx->globals->rpc_high_port; ++} ++ + /** + * Convenience routine to grab string parameters into temporary memory + * and run standard_sub_basic on them. 
+@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service * + return true; + } + ++bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx, ++ struct loadparm_service *service, ++ const char *pszParmValue, ++ char **ptr) ++{ ++ int low_port = -1, high_port = -1; ++ int rc; ++ ++ if (pszParmValue == NULL || pszParmValue[0] == '\0') { ++ return false; ++ } ++ ++ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port); ++ if (rc != 2) { ++ return false; ++ } ++ ++ if (low_port > high_port) { ++ return false; ++ } ++ ++ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) { ++ return false; ++ } ++ ++ lp_ctx->globals->rpc_low_port = low_port; ++ lp_ctx->globals->rpc_high_port = high_port; ++ ++ return true; ++} ++ + bool handle_smb2_max_credits(struct loadparm_context *lp_ctx, + struct loadparm_service *service, + const char *pszParmValue, char **ptr) +@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global); + /* This appears odd, but globals in s3 isn't a pointer */ + lp_ctx->globals->ctx = lp_ctx->globals; ++ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT; ++ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT; + lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service); + lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters()); + +@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + + lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all"); + ++ lpcfg_do_global_parameter(lp_ctx, ++ "rpc server dynamic port range", ++ "49152-65535"); ++ + /* Allow modules to adjust defaults */ + for (defaults_hook = defaults_hooks; defaults_hook; + defaults_hook = defaults_hook->next) { +diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h +index f9fb7d8d804..c63683d6b66 100644 +--- a/lib/param/loadparm.h ++++ b/lib/param/loadparm.h 
+@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, + #endif /* DEVELOPER */ + }; + ++#define SERVER_TCP_LOW_PORT 49152 ++#define SERVER_TCP_HIGH_PORT 65535 ++ ++#define SERVER_TCP_PORT_MIN 1024 ++#define SERVER_TCP_PORT_MAX 65535 + + + +@@ -272,7 +277,9 @@ enum inheritowner_options { + #define LOADPARM_EXTRA_GLOBALS \ + struct parmlist_entry *param_opt; \ + char *dnsdomain; \ +- char *realm_original; ++ char *realm_original; \ ++ int rpc_low_port; \ ++ int rpc_high_port; + + const char* server_role_str(uint32_t role); + int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master); +diff --git a/lib/param/param.h b/lib/param/param.h +index 66037e2ef1b..e123e67a990 100644 +--- a/lib/param/param.h ++++ b/lib/param/param.h +@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx, + time_t *usr_tkt_lifetime, + time_t *renewal_lifetime); + ++int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx); ++int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx); ++ + /* The following definitions come from lib/version.c */ + + const char *samba_version_string(void); +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 22e022583f6..65df573a350 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase): + 'lprm command', 'lpq command', 'print command', 'template homedir', + 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build', + 'max open files', 'fss: prune stale', 'fss: sequence timeout', +- 'include system krb5 conf']) ++ 'include system krb5 conf', 'rpc server dynamic port range']) + + def setUp(self): + super(SmbDotConfTests, self).setUp() +@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase): + exceptions = ['client lanman auth', + 'client plaintext auth', + 'registry shares', +- 'smb ports']) ++ 'smb ports', ++ 'rpc server dynamic port range']) + self._test_empty(['bin/testparm']) 
+ + def test_default_s4(self): + self._test_default(['bin/samba-tool', 'testparm']) + self._set_defaults(['bin/samba-tool', 'testparm']) + self._set_arbitrary(['bin/samba-tool', 'testparm'], +- exceptions = ['smb ports']) ++ exceptions = ['smb ports', ++ 'rpc server dynamic port range']) + self._test_empty(['bin/samba-tool', 'testparm']) + + def _test_default(self, program): +@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase): + + for tuples in self.defaults: + param, default, context, param_type = tuples ++ + if param in self.special_cases: + continue + section = None +@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase): + for tuples in self.defaults: + param, default, context, param_type = tuples + +- if param in ['printing']: ++ if param in ['printing', 'rpc server dynamic port range']: + continue + + section = None +diff --git a/source3/include/proto.h b/source3/include/proto.h +index 642900ed67c..b3d3ca0e5d1 100644 +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void); + int lp_smb2_max_credits(void); + int lp_cups_encrypt(void); + bool lp_widelinks(int ); ++int lp_rpc_low_port(void); ++int lp_rpc_high_port(void); + + int lp_wi_scan_global_parametrics( + const char *regex, size_t max_matches, +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index d8da749ccba..2c8380067f6 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.aio_max_threads = 100; + ++ lpcfg_string_set(Globals.ctx, ++ &Globals.rpc_server_dynamic_port_range, ++ "49152-65535"); ++ Globals.rpc_low_port = SERVER_TCP_LOW_PORT; ++ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT; ++ + /* Now put back the settings that were set with lp_set_cmdline() */ + apply_lp_set_cmdline(); + } +@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void) + return client_ipc_signing; + } + ++int lp_rpc_low_port(void) 
++{ ++ return Globals.rpc_low_port; ++} ++ ++int lp_rpc_high_port(void) ++{ ++ return Globals.rpc_high_port; ++} ++ + struct loadparm_global * get_globals(void) + { + return &Globals; +diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c +index 37fe68fc36d..f7fb8ef5207 100644 +--- a/source3/rpc_server/rpc_server.c ++++ b/source3/rpc_server/rpc_server.c +@@ -34,9 +34,6 @@ + #include "rpc_server/srv_pipe_hnd.h" + #include "rpc_server/srv_pipe.h" + +-#define SERVER_TCP_LOW_PORT 49152 +-#define SERVER_TCP_HIGH_PORT 65535 +- + /* Creates a pipes_struct and initializes it with the information + * sent from the client */ + int make_server_pipes_struct(TALLOC_CTX *mem_ctx, +@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port) + if (*port == 0) { + uint16_t i; + +- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) { ++ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) { + fd = open_socket_in(SOCK_STREAM, + i, + 0, +diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c +index 96a303fc6a9..deb96d8d69d 100644 +--- a/source4/smbd/service_stream.c ++++ b/source4/smbd/service_stream.c +@@ -29,10 +29,6 @@ + #include "../lib/tsocket/tsocket.h" + #include "lib/util/util_net.h" + +-/* the range of ports to try for dcerpc over tcp endpoints */ +-#define SERVER_TCP_LOW_PORT 49152 +-#define SERVER_TCP_HIGH_PORT 65535 +- + /* size of listen() backlog in smbd */ + #define SERVER_LISTEN_BACKLOG 10 + +@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx, + if (!port) { + status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0); + } else if (*port == 0) { +- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) { ++ for (i = lpcfg_rpc_low_port(lp_ctx); ++ i <= lpcfg_rpc_high_port(lp_ctx); ++ i++) { + socket_address->port = i; + status = socket_listen(stream_socket->sock, socket_address, + SERVER_LISTEN_BACKLOG, 0); +-- +2.11.0 + 
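Review bot: The declarations added to lib/param/param.h, `int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);`, do not match the functions defined in lib/param/loadparm.c and called from source4/smbd/service_stream.c, which are lpcfg_rpc_low_port and lpcfg_rpc_high_port; the header lines should be renamed to those two names, otherwise they declare functions that do not exist and the callers presumably get the real prototypes from a generated proto header. A second thing to check in the source3/rpc_server/rpc_server.c part: create_tcpip_socket iterates with `uint16_t i` up to lp_rpc_high_port(), which is now 65535 by default, so after the last iteration `i++` wraps to 0 and `i <= 65535` is always true; unless the loop body (cut off by the hunk) breaks out on a failure path, a range in which no port can be bound would spin forever, and a wider loop variable or an explicit `if (i == high) break;` before the increment avoids that. The same loop shape appears in stream_setup_socket, where the type of i is not visible. handle_rpc_server_dynamic_port_range is complete in the hunk; both port loops continue outside it.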
diff --git a/SOURCES/samba.xinetd b/SOURCES/samba.xinetd deleted file mode 100644 index 8b62348..0000000 --- a/SOURCES/samba.xinetd +++ /dev/null @@ -1,15 +0,0 @@ -# default: off -# description: SWAT is the Samba Web Admin Tool. Use swat \ -# to configure your Samba server. To use SWAT, \ -# connect to port 901 with your favorite web browser. -service swat -{ - port = 901 - socket_type = stream - wait = no - only_from = 127.0.0.1 - user = root - server = /usr/sbin/swat - log_on_failure += USERID - disable = yes -} diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 153d214..fe73e2e 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,13 +6,13 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 14 +%define main_release 8 -%define samba_version 4.4.4 -%define talloc_version 2.1.6 -%define tdb_version 1.3.8 -%define tevent_version 0.9.28 -%define ldb_version 1.1.26 +%define samba_version 4.6.2 +%define talloc_version 2.1.9 +%define tdb_version 1.3.12 +%define tevent_version 0.9.31 +%define ldb_version 1.1.29 # This should be rc1 or nil %define pre_release %nil @@ -50,7 +50,7 @@ %endif %endif -%global libwbc_alternatives_version 0.12 +%global libwbc_alternatives_version 0.13 %global libwbc_alternatives_suffix %nil %if 0%{?__isa_bits} == 64 %global libwbc_alternatives_suffix -64 @@ -65,6 +65,11 @@ %global with_dc 1 %endif +%global required_mit_krb5 1.10 +%if %{with_dc} +%global required_mit_krb5 1.15.1 +%endif + %global with_clustering_support 0 %if %{with clustering} 
@@ -91,42 +96,38 @@ Epoch: 2 Summary: Server and Client software to interoperate with Windows machines License: GPLv3+ and LGPLv3+ -Group: System Environment/Daemons URL: http://www.samba.org/ Source0: samba-%{version}%{pre_release}.tar.xz +Source1: samba-%{version}%{pre_release}.tar.asc +Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg # Red Hat specific replacement-files -Source1: samba.log -Source2: samba.xinetd -Source3: smb.conf.vendor -Source4: smb.conf.example -Source5: pam_winbind.conf -Source6: samba.pamd +Source10: samba.log +Source11: smb.conf.vendor +Source12: smb.conf.example +Source13: pam_winbind.conf +Source14: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.4.5-fix_resolving_trusted_domain_users.patch -Patch1: samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch -Patch2: samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch -Patch3: samba-4.4.5-fix_winbind_cached_creds_memleak.patch -Patch4: CVE-2016-2119-v4-4.patch -Patch5: samba-4.4.7-fix-ctdb-test-install-dir.patch -Patch6: samba-4.4.7-fix_ads_krb5_ccname_handling.patch -Patch7: samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch -Patch8: samba-4.4.7-fix_idmap_range_checks.patch -Patch9: samba-4.4.7-fix_smget_auth_callback.patch -Patch10: samba-4.4.6-fix_nss_wins.patch -Patch11: samba-4.4.7-fix_group_substituion_with_ad.patch -Patch12: samba-4.4.6-fix_smbclient_against_apple_and_azure.patch -Patch13: samba-4.4.x-fix_libads_krb5_memcache.patch -Patch14: CVE-2016-2125-v4-4.patch -Patch15: CVE-2016-2126-v4-4.patch -Patch16: CVE-2017-2619-v4-4.patch -Patch17: CVE-2017-7494.patch - -BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) +Patch0: samba-v4.6-gss_krb5_import_cred.patch +Patch1: samba-v4.6-credentials-fix-realm.patch +Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch +Patch3: samba-v4-6-fix-building-with-new-glibc.patch +Patch4: 
samba-v4-6-fix-cross-realm-refferals.patch +Patch5: samba-v4-6-fix-kerberos-debug-message.patch +Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch +Patch7: samba-v4-6-fix_winbind_child_crash.patch +Patch8: samba-v4-6-fix_path_substitutions.patch +Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch +Patch10: CVE-2017-7494.patch +Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch +Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch +Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch +Patch14: samba-v4-6-fix_smbclient_username_parsing.patch +Patch15: samba-v4-6-fix_winbind_normalize_names.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -134,6 +135,7 @@ Requires(preun): systemd Requires(postun): systemd Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} @@ -167,7 +169,8 @@ BuildRequires: dbus-devel BuildRequires: docbook-style-xsl BuildRequires: e2fsprogs-devel BuildRequires: gawk -BuildRequires: krb5-devel >= 1.14 +BuildRequires: gnupg2 +BuildRequires: krb5-devel >= %{required_mit_krb5} BuildRequires: libacl-devel BuildRequires: libaio-devel BuildRequires: libarchive-devel @@ -178,16 +181,20 @@ BuildRequires: libxslt BuildRequires: ncurses-devel BuildRequires: openldap-devel BuildRequires: pam-devel +#BuildRequires: perl-generators +BuildRequires: perl(Test::More) BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Parse::Yapp) BuildRequires: popt-devel -BuildRequires: python BuildRequires: python-devel +#BuildRequires: python2-pygpgme +#BuildRequires: python2-subunit BuildRequires: python-tevent BuildRequires: quota-devel BuildRequires: readline-devel BuildRequires: sed BuildRequires: xfsprogs-devel +BuildRequires: xz BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) 
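Review bot: The build-time floor becomes `BuildRequires: krb5-devel >= %{required_mit_krb5}` in the hunk at -167, but the unchanged `Requires: krb5-libs >= 1.14` in the libs subpackage (hunk at -430) still hardcodes the old number, so a DC build compiled against 1.15.1 can be installed next to an older krb5-libs, and a non-DC build demands a newer runtime than it was built for. Using the same macro on both sides, `Requires: krb5-libs >= %{required_mit_krb5}`, keeps the two in step.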
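Review bot: `#BuildRequires: perl-generators`, `#BuildRequires: python2-pygpgme` and `#BuildRequires: python2-subunit` are added in the hunk at -178 as commented-out lines with no reason given, and python2-pygpgme is in any case pulled in under `%if %{with testsuite}` in the hunk at -240, so the commented copy is redundant. Either drop the three lines or give each a one-line reason comment, so the next reader does not have to guess whether they are pending or obsolete.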
@@ -199,40 +206,38 @@ BuildRequires: glusterfs-devel >= 3.4.0.16 %if %{with_vfs_cephfs} BuildRequires: libcephfs1-devel %endif - -# Allow build with testsuite which uses heimdal -#%if %{with_dc} -#BuildRequires: gnutls-devel >= 3.4.7 -# Required by samba-tool -#BuildRequires: python-crypto -#%endif +%if %{with_dc} +BuildRequires: gnutls-devel >= 3.4.7 +# Required by samba-tool to run tests +BuildRequires: python-crypto +%endif # pidl requirements BuildRequires: perl(Parse::Yapp) %if ! %with_internal_talloc -%global libtalloc_version 2.1.6 +%global libtalloc_version 2.1.9 BuildRequires: libtalloc-devel >= %{libtalloc_version} BuildRequires: pytalloc-devel >= %{libtalloc_version} %endif %if ! %with_internal_tevent -%global libtevent_version 0.9.28 +%global libtevent_version 0.9.31 BuildRequires: libtevent-devel >= %{libtevent_version} BuildRequires: python-tevent >= %{libtevent_version} %endif %if ! %with_internal_ldb -%global libldb_version 1.1.26 +%global libldb_version 1.1.29 BuildRequires: libldb-devel >= %{libldb_version} BuildRequires: pyldb-devel >= %{libldb_version} %endif %if ! %with_internal_tdb -%global libtdb_version 1.3.8 +%global libtdb_version 1.3.12 BuildRequires: libtdb-devel >= %{libtdb_version} BuildRequires: python-tdb >= %{libtdb_version} @@ -240,6 +245,8 @@ BuildRequires: python-tdb >= %{libtdb_version} %if %{with testsuite} BuildRequires: ldb-tools +BuildRequires: libcmocka-devel +BuildRequires: python2-pygpgme %endif # filter out perl requirements pulled in from examples in the docdir. @@ -257,8 +264,8 @@ Unix. ### CLIENT %package client Summary: Samba client programs -Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %if %with_libsmbclient 
@@ -279,8 +286,8 @@ of SMB/CIFS shares and printing to SMB/CIFS printers. ### CLIENT-LIBS %package client-libs Summary: Samba client libraries -Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} %endif @@ -292,7 +299,6 @@ SMB/CIFS clients. ### COMMON %package common Summary: Files used by both Samba servers and clients -Group: Applications/System BuildArch: noarch Requires(post): systemd @@ -307,8 +313,8 @@ packages of Samba. ### COMMON-LIBS %package common-libs Summary: Libraries used by both Samba servers and clients -Group: Applications/System Requires(pre): samba-common = %{samba_depver} +Requires: samba-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %if %with_libwbclient Requires: libwbclient = %{samba_depver} @@ -321,7 +327,6 @@ SMB/CIFS clients. ### COMMON-TOOLS %package common-tools Summary: Tools for Samba servers and clients -Group: Applications/System Requires: samba-common-libs = %{samba_depver} Requires: samba-client-libs = %{samba_depver} Requires: samba-libs = %{samba_depver} @@ -336,7 +341,6 @@ SMB/CIFS clients. ### DC %package dc Summary: Samba AD Domain Controller -Group: Applications/System Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} @@ -356,7 +360,6 @@ The samba-dc package provides AD Domain Controller functionality ### DC-LIBS %package dc-libs Summary: Samba AD Domain Controller Libraries -Group: Applications/System Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -370,7 +373,6 @@ link against the SMB, RPC and other protocols. ### DEVEL %package devel Summary: Developer tools for Samba libraries -Group: Development/Libraries Requires: %{name}-libs = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} 
@@ -386,7 +388,6 @@ libraries in the Samba suite. %if %{with_vfs_cephfs} %package vfs-cephfs Summary: Samba VFS module for Ceph distributed storage system -Group: Applications/System Requires: libcephfs1 Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -399,7 +400,6 @@ Samba VFS module for Ceph distributed storage system integration. %if %{with_vfs_glusterfs} %package vfs-glusterfs Summary: Samba VFS module for GlusterFS -Group: Applications/System Requires: glusterfs-api >= 3.4.0.16 Requires: glusterfs >= 3.4.0.16 Requires: %{name} = %{samba_depver} @@ -416,8 +416,8 @@ Samba VFS module for GlusterFS integration. ### KRB5-PRINTING %package krb5-printing Summary: Samba CUPS backend for printing with Kerberos -Group: Applications/System Requires(pre): %{name}-client +Requires: %{name}-client Requires(post): %{_sbindir}/update-alternatives Requires(postun): %{_sbindir}/update-alternatives @@ -430,7 +430,6 @@ the Kerberos credentials cache of the user issuing the print job. ### LIBS %package libs Summary: Samba libraries -Group: Applications/System Requires: krb5-libs >= 1.14 Requires: %{name}-client-libs = %{samba_depver} %if %with_libwbclient @@ -448,8 +447,8 @@ against the SMB, RPC and other protocols provided by the Samba suite. %if %with_libsmbclient %package -n libsmbclient Summary: The SMB client library -Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} %description -n libsmbclient @@ -457,7 +456,6 @@ The libsmbclient contains the SMB client library from the Samba suite. %package -n libsmbclient-devel Summary: Developer tools for the SMB client library -Group: Development/Libraries Requires: libsmbclient = %{samba_depver} %description -n libsmbclient-devel 
@@ -470,7 +468,6 @@ suite. %if %with_libwbclient %package -n libwbclient Summary: The winbind client library -Group: Applications/System Requires: %{name}-client-libs = %{samba_depver} %description -n libwbclient @@ -479,7 +476,6 @@ suite. %package -n libwbclient-devel Summary: Developer tools for the winbind library -Group: Development/Libraries Requires: libwbclient = %{samba_depver} Provides: samba-winbind-devel = %{samba_depver} @@ -493,7 +489,6 @@ library. ### PYTHON %package python Summary: Samba Python libraries -Group: Applications/System Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -512,7 +507,6 @@ that use SMB, RPC and other Samba provided protocols in Python programs. ### PIDL %package pidl Summary: Perl IDL compiler -Group: Development/Tools Requires: perl(Parse::Yapp) Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) BuildArch: noarch @@ -527,7 +521,6 @@ and Wireshark to parse IDL and similar protocols ### TEST %package test Summary: Testing tools for Samba servers and clients -Group: Applications/System Requires: %{name} = %{samba_depver} Requires: %{name}-common = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} @@ -556,7 +549,6 @@ packages of Samba. ### TEST-LIBS %package test-libs Summary: Libraries need by the testing tools for Samba servers and clients -Group: Applications/System Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -569,8 +561,8 @@ Obsoletes: %{name}-test-devel < %{samba_depver} ### WINBIND %package winbind Summary: Samba winbind -Group: Applications/System Requires(pre): %{name}-common = %{samba_depver} +Requires: %{name}-common = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-common-tools = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} 
@@ -588,7 +580,6 @@ Windows user and group accounts on Linux.
 ### WINBIND-CLIENTS
 %package winbind-clients
 Summary: Samba winbind clients
-Group: Applications/System
 Requires: %{name}-common = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
@@ -608,7 +599,6 @@ tool.
 ### WINBIND-KRB5-LOCATOR
 %package winbind-krb5-locator
 Summary: Samba winbind krb5 locator
-Group: Applications/System
 %if %with_libwbclient
 Requires: libwbclient = %{samba_depver}
 Requires: %{name}-winbind = %{samba_depver}
@@ -635,7 +625,6 @@ the local kerberos library to use the same KDC as samba and winbind use
 ### WINBIND-MODULES
 %package winbind-modules
 Summary: Samba winbind modules
-Group: Applications/System
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
 %if %with_libwbclient
@@ -651,7 +640,6 @@ necessary to communicate to the Winbind Daemon
 %if %with_clustering_support
 %package -n ctdb
 Summary: A Clustered Database based on Samba's Trivial Database (TDB)
-Group: System Environment/Daemons
 Requires: %{name}-client-libs = %{samba_depver}
 
 
@@ -686,7 +674,6 @@ and use CTDB instead.
 ### CTDB-TEST
 %package -n ctdb-tests
 Summary: CTDB clustered database test suite
-Group: Development/Tools
 Requires: samba-client-libs = %{samba_depver}
 
 
@@ -707,26 +694,8 @@ and use CTDB instead.
 
 
 %prep
-%setup -q -n samba-%{version}%{pre_release}
-
-%patch0 -p1 -b .samba-4.4.5-fix_resolving_trusted_domain_users.patch
-%patch1 -p1 -b .samba-4.4.5-fix_site_aware_net_ads_join_with_krb5.patch
-%patch2 -p1 -b .samba-4.4.5-accept_empty_realm_for_ad_domains_with_security_domain.patch
-%patch3 -p1 -b .samba-4.4.5-fix_winbind_cached_creds_memleak.patch
-%patch4 -p1 -b .CVE-2016-2119-v4-4.patch
-%patch5 -p1 -b .samba-4.4.7-fix-ctdb-test-install-dir.patch
-%patch6 -p1 -b .samba-4.4.7-fix_ads_krb5_ccname_handling.patch
-%patch7 -p1 -b .samba-4.4.7-fix_smbclient_cpu_usage_with_unreachable_ip.patch
-%patch8 -p1 -b .samba-4.4.7-fix_idmap_range_checks.patch
-%patch9 -p1 -b .samba-4.4.7-fix_smget_auth_callback.patch
-%patch10 -p1 -b .samba-4.4.6-fix_nss_wins.patch
-%patch11 -p1 -b .samba-4.4.7-fix_group_substituion_with_ad.patch
-%patch12 -p1 -b .samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
-%patch13 -p1 -b .samba-4.4.x-fix_libads_krb5_memcache.patch
-%patch14 -p1 -b .CVE-2016-2125-v4-4.patch
-%patch15 -p1 -b .CVE-2016-2126-v4-4.patch
-%patch16 -p1 -b .CVE-2017-2619-v4-4.patch
-%patch17 -p1 -b .CVE-2017-7494.patch
+xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
+%autosetup -n samba-%{version}%{pre_release} -p1
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
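Review bot: The new signature check `xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -` carries no comment saying what it verifies or that it must stay ahead of `%autosetup`, which is the ordering that makes a tampered tarball fail the build instead of being unpacked and patched. A comment such as `# Verify the detached upstream signature (SOURCE1) against the bundled keyring (SOURCE2) before unpacking; a gpgv2 failure aborts the build` would make that contract explicit for the next maintainer. Because rpmbuild runs %prep with `sh -e`, a non-zero exit from gpgv2 already aborts the build, and an xzcat failure still surfaces as a bad signature over the truncated stream, so no `pipefail` is needed here. The step does assume gpgv2 is present in the build root; no `BuildRequires: gnupg2` is visible in this chunk, so confirm one is declared elsewhere in the spec.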
@@ -848,16 +817,16 @@ touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb
 
 # Install other stuff
 install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
-install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba
+install -m 0644 %{SOURCE10} %{buildroot}%{_sysconfdir}/logrotate.d/samba
 
-install -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/samba/smb.conf
-install -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
+install -m 0644 %{SOURCE11} %{buildroot}%{_sysconfdir}/samba/smb.conf
+install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/samba/smb.conf.example
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/security
-install -m 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
+install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/security/pam_winbind.conf
 
 install -d -m 0755 %{buildroot}%{_sysconfdir}/pam.d
-install -m 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pam.d/samba
+install -m 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/pam.d/samba
 
 echo 127.0.0.1 localhost > %{buildroot}%{_sysconfdir}/samba/lmhosts
 
@@ -878,7 +847,12 @@ echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %with_clustering_support -install -m 0644 ctdb/config/ctdb.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/ctdb +cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb < - 4.4.4-14 -- resolves: #1450784 - Security fix for CVE-2017-7494 - -* Wed Apr 05 2017 Andreas Schneider - 4.4.4-13 -- resolves: #1437816 - Fix krb5 memory cache in libads sasl code -- resolves: #1437741 - Fix CVE-2016-2125, CVE-2016-2126 and CVE-2017-2619 - -* Tue Nov 15 2016 Andreas Schneider - 4.4.4-12 -- related: #1393051 - Fix return code if ip not defined in gethostbyname +* Thu Jun 22 2017 Andreas Schneider - 4.6.2-8 +- resolves: #1459936 - Fix regression with "follow symlinks = no" + +* Tue Jun 20 2017 Andreas Schneider - 4.6.2-7 +- resolves: #1461336 - Fix smbclient username parsing +- resolves: #1460937 - Fix username normalization with winbind + +* Tue Jun 13 2017 Andreas Schneider - 4.6.2-6 +- resolves: #1459179 - Fix smbclient session setup printing + +* Wed Jun 07 2017 Andreas Schneider - 4.6.2-5 +- related: #1277999 - Add missing patchset + +* Wed May 31 2017 Andreas Schneider - 4.6.2-4 +- resolves: #1431986 - Fix expand_msdfs VFS module + +* Thu May 18 2017 Guenther Deschner - 4.6.2-3 +- resolves: #1450785 - Security fix for CVE-2017-7494 + +* Tue May 09 2017 Andreas Schneider - 4.6.2-2 +- resolves: #1448544 - Fix spoolss 32bit driver upload + +* Mon Apr 03 2017 Andreas Schneider - 4.6.2-1 +- resolves: #1435734 - Fix refreshing winbind tickets + +* Fri Mar 31 2017 Guenther Deschner - 4.6.2-0 +- Update to Samba 4.6.2 +- related: #1430260 - Security fix for CVE-2017-2619 + +* Thu Mar 23 2017 Guenther Deschner - 4.6.1-0 +- Update to Samba 4.6.1 +- resolves: #1430260 - Security fix for CVE-2017-2619 + +* Tue Mar 21 2017 Andreas Schneider - 4.6.0-5 +- 
related: #1391954 - Fix kerberos cross-realm referrals +- resolves: #1430755 - Fix 'net ads' keytab handling + +* Wed Mar 15 2017 Alexander Bokovoy - 4.6.0-4 +- Export internal arcfour_crypt_blob in Python as samba.arcfour_encrypt +- related: #1391954 - Update to Samba 4.6.0 + +* Fri Mar 10 2017 Alexander Bokovoy - 4.6.0-3 +- Ensure we set realm when updating ccache in auth/credentials +- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support + +* Fri Mar 10 2017 Alexander Bokovoy - 4.6.0-2 +- resolves: #1430759 - use GSSAPI gss_acquire_cred_from call for gssproxy support + +* Tue Mar 07 2017 Andreas Schneider - 4.6.0-1 +- related: #1391954 - Update to Samba 4.6.0 +- resolves: #1401505 - Improved idmap_hash documentation +- resolves: #1218926 - Samba ignores default_keytab_name in krb5.conf +- resolves: #1389786 - Add 'net ads dns unregister' + +* Thu Mar 02 2017 Andreas Schneider - 4.6.0-0.1.rc4 +- related: #1391954 - Update to Samba 4.6.0rc4 +- resolves: #1420130 - samba_krb5_wrapper does not list devices when called with + no arguments +- resolves: #1277999 - Change RPC port range to Windows defaults + +* Wed Feb 15 2017 Andreas Schneider - 4.6.0-0.1.rc3 +- resolves: #1391954 - Update to Samba 4.6.0rc3 +- resolves: #1271082 - Wrong groups listed when id command is called before login +- resolves: #1327810 - Use 'printcap cache time' for the house keeping interval +- resolves: #1356932 - Improve documentation for 'ldap ssl' in smb.conf manpage +- resolves: #1365111 - Fix printer removal if "List in Directory" checkbox is + unticked and printer is not listed in AD +- resolves: #1368439 - Fix ntlm_auth wrong password issues +- resolves: #1397871 - Include the system krb5.conf in winbinds generated conf +- resolves: #1397891 - Fix marsalling of spoolss SetPrinter info level 2 +- resolves: #1397895 - Add missing support APD_COPY_FROM_DIRECTORY in + AddPrinterDriver +- resolves: #1403242 - Samba can not access trusted domains through 
transitive + trusts +- resolves: #1403975 - Fix trusted domain logins +- resolves: #1411978 - Include the system krb5.conf in winbinds generated conf +- resolves: #1416746 - Fix division by zero error in ctdb 05.system event script + +* Tue Nov 15 2016 Andreas Schneider - 4.4.4-11 +- related: #1377729 - Fix return code if ip not defined in gethostbyname * Wed Nov 09 2016 Andreas Schneider - 4.4.4-11 -- related: #1393048 - Add missing patch to patchset +- related: #1377307 - Add missing patch to patchset * Tue Nov 08 2016 Andreas Schneider - 4.4.4-10 -- resolves: #1393050 - Fix linking nss_wins with libreplace -- resolves: #1393051 - Fix nss_wins function definitions for gethostbyname* -- resolves: #1393048 - Fix %G substitution in AD case -- resolves: #1393052 - Fix regression of smbclient unable to connect to +- resolves: #1377690 - Fix linking nss_wins with libreplace +- resolves: #1377729 - Fix nss_wins function definitions for gethostbyname* +- resolves: #1377307 - Fix %G substitution in AD case +- resolves: #1377751 - Fix regression of smbclient unable to connect to Apple and Azure * Wed Aug 31 2016 Andreas Schneider - 4.4.4-9