diff --git a/.gitignore b/.gitignore
index 15a87be..e6501c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.6.2.tar.xz
+SOURCES/samba-4.7.1.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index ac19222..44641bf 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-57a1a9dce118fa9059f9d3e7a595db3491e265bc SOURCES/samba-4.6.2.tar.xz
+3c58fef85ceff87968b9e79c665e861f5442f0f1 SOURCES/samba-4.7.1.tar.xz
diff --git a/SOURCES/CVE-2017-12150.patch b/SOURCES/CVE-2017-12150.patch
deleted file mode 100644
index 7eb1ef8..0000000
--- a/SOURCES/CVE-2017-12150.patch
+++ /dev/null
@@ -1,381 +0,0 @@ -From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 29 Aug 2017 17:06:21 +0200 -Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed - username into a specified one - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - source3/include/auth_info.h | 1 + - source3/lib/popt_common.c | 6 +----- - source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++ - 3 files changed, 31 insertions(+), 5 deletions(-) - -diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h -index c6f71ad..8212c27 100644 ---- a/source3/include/auth_info.h -+++ b/source3/include/auth_info.h -@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info, - const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info); - void set_cmdline_auth_info_username(struct user_auth_info *auth_info, - const char *username); -+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info); - const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info); - void set_cmdline_auth_info_domain(struct user_auth_info *auth_info, - const char *domain); -diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c -index 9928c70..36b5e92 100644 ---- a/source3/lib/popt_common.c -+++ b/source3/lib/popt_common.c -@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void) - void popt_common_credentials_post(void) - { - struct user_auth_info *auth_info = cmdline_auth_info; -- const char *username = NULL; - - if (get_cmdline_auth_info_use_machine_account(auth_info) && - !set_cmdline_auth_info_machine_account_creds(auth_info)) -@@ -259,10 +258,7 @@ void popt_common_credentials_post(void) - * correctly parsed yet. If we have a username we need to set it again - * to run the string parser for the username correctly. 
- */ -- username = get_cmdline_auth_info_username(auth_info); -- if (username != NULL && username[0] != '\0') { -- set_cmdline_auth_info_username(auth_info, username); -- } -+ reset_cmdline_auth_info_username(auth_info); - } - - static void popt_common_credentials_callback(poptContext con, -diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c -index ad51a4f..80142e2 100644 ---- a/source3/lib/util_cmdline.c -+++ b/source3/lib/util_cmdline.c -@@ -37,6 +37,7 @@ - struct user_auth_info { - struct cli_credentials *creds; - struct loadparm_context *lp_ctx; -+ bool got_username; - bool got_pass; - int signing_state; - bool smb_encrypt; -@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info, - if (!ok) { - exit(EIO); - } -+ auth_info->got_username = true; - } - - const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info) -@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info, - exit(ENOMEM); - } - -+ auth_info->got_username = true; - if (strchr_m(username, '%') != NULL) { - auth_info->got_pass = true; - } - } - -+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info) -+{ -+ const char *username = NULL; -+ const char *new_val = NULL; -+ -+ if (!auth_info->got_username) { -+ return; -+ } -+ -+ username = cli_credentials_get_username(auth_info->creds); -+ if (username == NULL) { -+ return; -+ } -+ if (username[0] == '\0') { -+ return; -+ } -+ -+ cli_credentials_parse_string(auth_info->creds, -+ username, -+ CRED_SPECIFIED); -+ new_val = cli_credentials_get_username(auth_info->creds); -+ if (new_val == NULL) { -+ exit(ENOMEM); -+ } -+} -+ - const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info) - { - const char *domain = NULL; --- -1.9.1 - - -From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 3 Nov 2016 17:16:43 +0100 -Subject: [PATCH 2/7] CVE-2017-12150: s3:lib: - 
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED - -This is an addition to the fixes for CVE-2015-5296. - -It applies to smb2mount -e, smbcacls -e and smbcquotas -e. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - source3/lib/util_cmdline.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c -index 80142e2..90ee67c 100644 ---- a/source3/lib/util_cmdline.c -+++ b/source3/lib/util_cmdline.c -@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info, - - int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info) - { -+ if (auth_info->smb_encrypt) { -+ return SMB_SIGNING_REQUIRED; -+ } - return auth_info->signing_state; - } - --- -1.9.1 - - -From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 9 Dec 2016 09:26:32 +0100 -Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of - SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal' - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/pylibsmb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c -index 59c0998..350c6d4 100644 ---- a/source3/libsmb/pylibsmb.c -+++ b/source3/libsmb/pylibsmb.c -@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args, - - req = cli_full_connection_creds_send( - NULL, self->ev, "myname", host, NULL, 0, share, "?????", -- cli_creds, 0, 0); -+ cli_creds, 0, SMB_SIGNING_DEFAULT); - if (!py_tevent_req_wait_exc(self->ev, req)) { - return -1; - } --- -1.9.1 - - -From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 12 Dec 2016 05:49:46 +0100 -Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED - 
in gpo_connect_server() - -It's important that we use a signed connection to get the GPOs! - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - libgpo/gpo_fetch.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c -index 836bc23..3740d4e 100644 ---- a/libgpo/gpo_fetch.c -+++ b/libgpo/gpo_fetch.c -@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, - ads->auth.password, - CLI_FULL_CONNECTION_USE_KERBEROS | - CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS, -- Undefined); -+ SMB_SIGNING_REQUIRED); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("check_refresh_gpo: " - "failed to connect: %s\n", --- -1.9.1 - - -From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 29 Aug 2017 15:24:14 +0200 -Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials: - cli_credentials_authentication_requested() should check for - NTLM_CCACHE/SIGN/SEAL - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - auth/credentials/credentials.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c -index 06648c7..5e3b5e8 100644 ---- a/auth/credentials/credentials.c -+++ b/auth/credentials/credentials.c -@@ -25,6 +25,7 @@ - #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */ - #include "auth/credentials/credentials.h" - #include "auth/credentials/credentials_internal.h" -+#include "auth/gensec/gensec.h" - #include "libcli/auth/libcli_auth.h" - #include "tevent.h" - #include "param/param.h" -@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre - - _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) - { -+ uint32_t gensec_features = 0; -+ - if (cred->bind_dn) { - return true; - } -@@ -327,6 +330,19 @@ _PUBLIC_ 
bool cli_credentials_authentication_requested(struct cli_credentials *c - return true; - } - -+ gensec_features = cli_credentials_get_gensec_features(cred); -+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) { -+ return true; -+ } -+ -+ if (gensec_features & GENSEC_FEATURE_SIGN) { -+ return true; -+ } -+ -+ if (gensec_features & GENSEC_FEATURE_SEAL) { -+ return true; -+ } -+ - return false; - } - --- -1.9.1 - - -From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 29 Aug 2017 15:35:49 +0200 -Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add - smbXcli_conn_signing_mandatory() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - libcli/smb/smbXcli_base.c | 5 +++++ - libcli/smb/smbXcli_base.h | 1 + - 2 files changed, 6 insertions(+) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index b21d796..239e5eb 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn) - return false; - } - -+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn) -+{ -+ return conn->mandatory_signing; -+} -+ - void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options) - { - set_socket_options(conn->sock_fd, options); -diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h -index e48fc35..2594f07 100644 ---- a/libcli/smb/smbXcli_base.h -+++ b/libcli/smb/smbXcli_base.h -@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn); - - enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn); - bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn); -+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn); - - void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options); - const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn); --- -1.9.1 - - -From 
28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 12 Dec 2016 06:07:56 +0100 -Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if - authentication was not requested - -With forced encryption or required signing we should also don't fallback. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/clidfs.c | 16 ++++------------ - 1 file changed, 4 insertions(+), 12 deletions(-) - -diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c -index 75012b2..fdcd665 100644 ---- a/source3/libsmb/clidfs.c -+++ b/source3/libsmb/clidfs.c -@@ -26,6 +26,7 @@ - #include "trans2.h" - #include "libsmb/nmblib.h" - #include "../libcli/smb/smbXcli_base.h" -+#include "auth/credentials/credentials.h" - - /******************************************************************** - Important point. -@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, - char *servicename; - char *sharename; - char *newserver, *newshare; -- const char *username; -- const char *password; -- const char *domain; - NTSTATUS status; - int flags = 0; - int signing_state = get_cmdline_auth_info_signing_state(auth_info); -@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, - smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS); - } - -- username = get_cmdline_auth_info_username(auth_info); -- password = get_cmdline_auth_info_password(auth_info); -- domain = get_cmdline_auth_info_domain(auth_info); -- if ((domain == NULL) || (domain[0] == '\0')) { -- domain = lp_workgroup(); -- } -- - creds = get_cmdline_auth_info_creds(auth_info); - - status = cli_session_setup_creds(c, creds); - if (!NT_STATUS_IS_OK(status)) { - /* If a password was not supplied then - * try again with a null username. 
*/ -- if (password[0] || !username[0] || -- get_cmdline_auth_info_use_kerberos(auth_info) || -+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) || -+ cli_credentials_authentication_requested(creds) || -+ cli_credentials_is_anonymous(creds) || - !NT_STATUS_IS_OK(status = cli_session_setup_anon(c))) - { - d_printf("session setup failed: %s\n", --- -1.9.1 - diff --git a/SOURCES/CVE-2017-12151.patch b/SOURCES/CVE-2017-12151.patch deleted file mode 100644 index bfd6f80..0000000 --- a/SOURCES/CVE-2017-12151.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Mon, 14 Aug 2017 12:13:18 +0200 -Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add - cli_state_is_encryption_on() helper function - -This allows to check if the current cli_state uses encryption -(either via unix extentions or via SMB3). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/clientgen.c | 13 +++++++++++++ - source3/libsmb/proto.h | 1 + - 2 files changed, 14 insertions(+) - -diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c -index bc5c1b1ce3c..3e8523e5ce8 100644 ---- a/source3/libsmb/clientgen.c -+++ b/source3/libsmb/clientgen.c -@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli) - return cli->smb1.pid; - } - -+bool cli_state_is_encryption_on(struct cli_state *cli) -+{ -+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) { -+ return smb1cli_conn_encryption_on(cli->conn); -+ } -+ -+ if (cli->smb2.tcon == NULL) { -+ return false; -+ } -+ -+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon); -+} -+ - bool cli_state_has_tcon(struct cli_state *cli) - { - uint16_t tid = cli_state_get_tid(cli); -diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h -index 764f3fc1b12..67fa43e4e4a 100644 ---- a/source3/libsmb/proto.h -+++ b/source3/libsmb/proto.h -@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli); - uint16_t cli_state_get_vc_num(struct cli_state *cli); - uint32_t cli_setpid(struct cli_state *cli, uint32_t pid); - uint32_t cli_getpid(struct cli_state *cli); -+bool cli_state_is_encryption_on(struct cli_state *cli); - bool cli_state_has_tcon(struct cli_state *cli); - uint16_t cli_state_get_tid(struct cli_state *cli); - uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid); --- -2.13.5 - - -From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: 
Sat, 17 Dec 2016 10:36:49 +0100 -Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of - cli_state_is_encryption_on() - -This will keep enforced encryption across dfs referrals. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996 - -Signed-off-by: Stefan Metzmacher ---- - source3/libsmb/clidfs.c | 4 ++-- - source3/libsmb/libsmb_context.c | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c -index c477d7c6a46..99818a681e3 100644 ---- a/source3/libsmb/clidfs.c -+++ b/source3/libsmb/clidfs.c -@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, - "IPC$", - dfs_auth_info, - false, -- smb1cli_conn_encryption_on(rootcli->conn), -+ cli_state_is_encryption_on(rootcli), - smbXcli_conn_protocol(rootcli->conn), - 0, - 0x20, -@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx, - dfs_refs[count].share, - dfs_auth_info, - false, -- smb1cli_conn_encryption_on(rootcli->conn), -+ cli_state_is_encryption_on(rootcli), - smbXcli_conn_protocol(rootcli->conn), - 0, - 0x20, -diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c -index ed6ca2b1b9f..b55cf1e2d15 100644 ---- a/source3/libsmb/libsmb_context.c -+++ b/source3/libsmb/libsmb_context.c -@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context, - - for (s = context->internal->servers; s; s = s->next) { - num_servers++; -- if (!smb1cli_conn_encryption_on(s->cli->conn)) { -+ if (!cli_state_is_encryption_on(s->cli)) { - return (void *)false; - } - } --- -2.13.5 - diff --git a/SOURCES/CVE-2017-12163.patch b/SOURCES/CVE-2017-12163.patch deleted file mode 100644 index 1e9f99e..0000000 --- a/SOURCES/CVE-2017-12163.patch +++ /dev/null 
@@ -1,141 +0,0 @@ -From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 8 Sep 2017 10:13:14 -0700 -Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from - writing server memory to file. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020 - -Signed-off-by: Jeremy Allison -Signed-off-by: Stefan Metzmacher ---- - source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 50 insertions(+) - -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c -index 317143f..7b07078 100644 ---- a/source3/smbd/reply.c -+++ b/source3/smbd/reply.c -@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req) - } - - /* Ensure we don't write bytes past the end of this packet. */ -+ /* -+ * This already protects us against CVE-2017-12163. -+ */ - if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) { - reply_nterror(req, NT_STATUS_INVALID_PARAMETER); - error_to_writebrawerr(req); -@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req) - exit_server_cleanly("secondary writebraw failed"); - } - -+ /* -+ * We are not vulnerable to CVE-2017-12163 -+ * here as we are guarenteed to have numtowrite -+ * bytes available - we just read from the client. -+ */ - nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite); - if (nwritten == -1) { - TALLOC_FREE(buf); -@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req) - connection_struct *conn = req->conn; - ssize_t nwritten = -1; - size_t numtowrite; -+ size_t remaining; - off_t startpos; - const char *data; - NTSTATUS status = NT_STATUS_OK; -@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req) - startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); - data = (const char *)req->buf + 3; - -+ /* -+ * Ensure client isn't asking us to write more than -+ * they sent. CVE-2017-12163. 
-+ */ -+ remaining = smbreq_bufrem(req, data); -+ if (numtowrite > remaining) { -+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ END_PROFILE(SMBwriteunlock); -+ return; -+ } -+ - if (!fsp->print_file && numtowrite > 0) { - init_strict_lock_struct(fsp, (uint64_t)req->smbpid, - (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, -@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req) - { - connection_struct *conn = req->conn; - size_t numtowrite; -+ size_t remaining; - ssize_t nwritten = -1; - off_t startpos; - const char *data; -@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req) - startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0); - data = (const char *)req->buf + 3; - -+ /* -+ * Ensure client isn't asking us to write more than -+ * they sent. CVE-2017-12163. -+ */ -+ remaining = smbreq_bufrem(req, data); -+ if (numtowrite > remaining) { -+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER); -+ END_PROFILE(SMBwrite); -+ return; -+ } -+ - if (!fsp->print_file) { - init_strict_lock_struct(fsp, (uint64_t)req->smbpid, - (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK, -@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req) - goto out; - } - } else { -+ /* -+ * This already protects us against CVE-2017-12163. -+ */ - if (smb_doff > smblen || smb_doff + numtowrite < numtowrite || - smb_doff + numtowrite > smblen) { - reply_nterror(req, NT_STATUS_INVALID_PARAMETER); -@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req) - { - connection_struct *conn = req->conn; - size_t numtowrite; -+ size_t remaining; - ssize_t nwritten = -1; - NTSTATUS close_status = NT_STATUS_OK; - off_t startpos; -@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req) - mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4)); - data = (const char *)req->buf + 1; - -+ /* -+ * Ensure client isn't asking us to write more than -+ * they sent. CVE-2017-12163. 
-+ */
-+ remaining = smbreq_bufrem(req, data);
-+ if (numtowrite > remaining) {
-+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
-+ END_PROFILE(SMBwriteclose);
-+ return;
-+ }
-+
- if (fsp->print_file == NULL) {
- init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
- (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
-@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
-
- numtowrite = SVAL(req->buf, 1);
-
-+ /*
-+ * This already protects us against CVE-2017-12163.
-+ */
- if (req->buflen < numtowrite + 3) {
- reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
- END_PROFILE(SMBsplwr);
---
-1.9.1
-
diff --git a/SOURCES/CVE-2017-7494.patch b/SOURCES/CVE-2017-7494.patch
deleted file mode 100644
index 34b4437..0000000
--- a/SOURCES/CVE-2017-7494.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke
-Date: Mon, 8 May 2017 21:40:40 +0200
-Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
- inside
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
-
-Signed-off-by: Volker Lendecke
-Reviewed-by: Jeremy Allison
-Reviewed-by: Stefan Metzmacher
----
- source3/rpc_server/srv_pipe.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 0633b5f..c3f0cd8 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
- {
- NTSTATUS status;
-
-+ if (strchr(pipename, '/')) {
-+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
-+ return false;
-+ }
-+
- if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
- DEBUG(10, ("refusing spoolss access\n"));
- return false;
---
-1.9.1
-
diff --git a/SOURCES/samba-4.6.2.tar.asc b/SOURCES/samba-4.6.2.tar.asc
deleted file mode 100644
index 9d1e563..0000000
--- a/SOURCES/samba-4.6.2.tar.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
-DQw3KuAbWCKIgkHcy1zZr2o=
-=bIg5
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.7-fix_aesni_intel_support.patch b/SOURCES/samba-4.7-fix_aesni_intel_support.patch
new file mode 100644
index 0000000..9e37d86
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_aesni_intel_support.patch
@@ -0,0 +1,72 @@
+From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?=
+Date: Mon, 4 Dec 2017 10:49:19 +0100
+Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z
+ noexecstack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
+
+Signed-off-by: Björn Baumbach
+Reviewed-by: Andreas Schneider
+---
+ third_party/aesni-intel/wscript | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
+index eb92d6626fe..0ccd9eb1e5b 100644
+--- a/third_party/aesni-intel/wscript
++++ b/third_party/aesni-intel/wscript
+@@ -12,6 +12,8 @@ def configure(conf):
+ raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+ else:
+ raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
++ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
++ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+
+ def build(bld):
+ if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
+@@ -20,4 +22,5 @@ def build(bld):
+ bld.SAMBA_LIBRARY('aesni-intel',
+ source='aesni-intel_asm.c',
+ cflags='-Wp,-E,-lang-asm',
++ ldflags='-Wl,-z,noexecstack',
+ private_library=True)
+--
+2.15.0
+
+
+From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 4 Dec 2017 11:00:10 +0100
+Subject: [PATCH 2/2] third_party: Fix a typo in the option name
+
+Signed-off-by: Andreas Schneider
+---
+ third_party/aesni-intel/wscript | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
+index 0ccd9eb1e5b..f0723a52501 100644
+--- a/third_party/aesni-intel/wscript
++++ b/third_party/aesni-intel/wscript
+@@ -9,11 +9,11 @@ def configure(conf):
+ print("Compiling with Intel AES
instructions")
+ conf.DEFINE('HAVE_AESNI_INTEL', 1)
+ else:
+- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
++ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
+ else:
+- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
++ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
+- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
++ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
+
+ def build(bld):
+ if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
+--
+2.15.0
+
diff --git a/SOURCES/samba-4.7-fix_samba_with_systemd.patch b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
new file mode 100644
index 0000000..a12f130
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
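Review bot: The `ldflags='-Wl,-z,noexecstack'` added to `bld.SAMBA_LIBRARY` in the `build()` hunk silences the executable-stack request on the aesni-intel library but treats the symptom, not the cause: the flag is presumably needed because the hand-written assembly in `aesni-intel_asm.c` carries no `.note.GNU-stack` section, so the linker marks the object as needing an executable stack and any process that loads the library — smbd included — can end up with an executable stack or an SELinux execstack denial. A more durable fix that does not depend on the linker honouring `-z noexecstack` is to end the assembly source with `.section .note.GNU-stack,"",%progbits`; the linker flag can stay as belt-and-braces. Since the `configure()` hunk now aborts with `WafError` when the linker rejects the flag instead of silently producing an execstack object, the packager should confirm the shipped library with `readelf -lW <library> | grep GNU_STACK` and expect `RW`, not `RWE`. The "Link th aesni-intel" typo in the subject of patch 1/2 is cosmetic but worth correcting before the patch is carried downstream.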
@@ -0,0 +1,313 @@
+From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
+From: Gary Lockyer
+Date: Mon, 21 Aug 2017 15:12:04 +1200
+Subject: [PATCH 1/4] s4/smbd: set the process group.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Set the process group in the samba daemon, the --no-process-group option
+allows this to be disabled. The no-process-group option needs to be
+disabled in self test.
+
+Signed-off-by: Gary Lockyer
+Reviewed-by: Andrew Bartlett
+Reviewed-by: Ralph Boehme
+
+Autobuild-User(master): Ralph Böhme
+Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
+---
+ selftest/target/Samba4.pm | 2 +-
+ source4/smbd/server.c | 18 +++++++++++++++++-
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 772f982cb9d..6a1856ef642 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -158,7 +158,7 @@ sub check_or_start($$$)
+ close($env_vars->{STDIN_PIPE});
+ open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
++ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ }
+ $env_vars->{SAMBA_PID} = $pid;
+ print "DONE ($pid)\n";
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index a8bad06bed3..ba520e0a8f5 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
+ {
+ bool opt_daemon = false;
+ bool opt_interactive = false;
++ bool opt_no_process_group = false;
+ int opt;
+ poptContext pc;
+ #define
_MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
+@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
+ OPT_DAEMON = 1000,
+ OPT_INTERACTIVE,
+ OPT_PROCESS_MODEL,
+- OPT_SHOW_BUILD
++ OPT_SHOW_BUILD,
++ OPT_NO_PROCESS_GROUP,
+ };
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
+ "till autotermination", "seconds"},
+ {"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
+ "show build info", NULL },
++ {"no-process-group", '\0', POPT_ARG_NONE, NULL,
++ OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
+ POPT_COMMON_SAMBA
+ POPT_COMMON_VERSION
+ { NULL }
+@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
+ case OPT_SHOW_BUILD:
+ show_build();
+ break;
++ case OPT_NO_PROCESS_GROUP:
++ opt_no_process_group = true;
++ break;
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
+ stdin_event_flags = 0;
+ }
+
++#if HAVE_SETPGID
++ /*
++ * If we're interactive we want to set our own process group for
++ * signal management, unless --no-process-group specified.
++ */
++ if (opt_interactive && !opt_no_process_group)
++ setpgid((pid_t)0, (pid_t)0);
++#endif
++
+ /* catch EOF on stdin */
+ #ifdef SIGTTIN
+ signal(SIGTTIN, SIG_IGN);
+--
+2.15.0
+
+
+From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Wed, 15 Nov 2017 10:00:52 +0100
+Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
+---
+ source4/smbd/server.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index ba520e0a8f5..406f79593b9 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
+ {
+ char *path;
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
++ if (mem_ctx == NULL) {
++ exit_daemon("Failed to create memory context",
++ ENOMEM);
++ }
+
+ path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
++ if (path == NULL) {
++ exit_daemon("Failed to cleanup temporary files",
++ EINVAL);
++ }
+
+ recursive_delete(path);
+ talloc_free(mem_ctx);
+--
+2.15.0
+
+
+From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 10 Nov 2017 09:18:18 +0100
+Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
+
+We are passing the no_process_group to become_daemon() that setsid() is
+not called. In case we are double forking, we run in SysV daemon mode,
+setsid() should be called!
+
+See:
+https://www.freedesktop.org/software/systemd/man/daemon.html
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Andrew Bartlett
+
+(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
+---
+ source3/smbd/server.c | 2 +-
+ source4/smbd/server.c | 13 ++++++++++---
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/source3/smbd/server.c b/source3/smbd/server.c
+index 181bcd1e123..252b43190d7 100644
+--- a/source3/smbd/server.c
++++ b/source3/smbd/server.c
+@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
+- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
++ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
+ {"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
+ {"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
+diff --git a/source4/smbd/server.c b/source4/smbd/server.c
+index 406f79593b9..2349d5c7fa0 100644
+--- a/source4/smbd/server.c
++++ b/source4/smbd/server.c
+@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
+ const char *argv[])
+ {
+ bool opt_daemon = false;
++ bool opt_fork = true;
+ bool opt_interactive = false;
+ bool opt_no_process_group = false;
+ int opt;
+@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
+ struct stat st;
+ enum {
+ OPT_DAEMON = 1000,
++ OPT_FOREGROUND,
+ OPT_INTERACTIVE,
+ OPT_PROCESS_MODEL,
+ OPT_SHOW_BUILD,
+@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
+ POPT_AUTOHELP
+ {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
"Become a daemon (default)", NULL }, ++ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND, ++ "Run the daemon in foreground", NULL }, + {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, + "Run interactive (not a daemon)", NULL}, + {"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL, +@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name, + case OPT_DAEMON: + opt_daemon = true; + break; ++ case OPT_FOREGROUND: ++ opt_fork = false; ++ break; + case OPT_INTERACTIVE: + opt_interactive = true; + break; +@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name, + "not allowed together with -D|--daemon\n\n"); + poptPrintUsage(pc, stderr, 0); + return 1; +- } else if (!opt_interactive) { ++ } else if (!opt_interactive && !opt_fork) { + /* default is --daemon */ + opt_daemon = true; + } +@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name, + } + + if (opt_daemon) { +- DEBUG(3,("Becoming a daemon.\n")); +- become_daemon(true, false, false); ++ DBG_NOTICE("Becoming a daemon.\n"); ++ become_daemon(opt_fork, opt_no_process_group, false); + } + + /* Create the memory context to hang everything off. */ +-- +2.15.0 + + +From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 10 Nov 2017 09:32:27 +0100 +Subject: [PATCH 4/4] systemd: Start processes in forground and without a + process group + +We should not double fork in notify mode or systemd think something +during startup will be wrong and send SIGTERM to the process. So +sometimes the daemon will not start up correctly. + +systemd will also handle the process group. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett + +(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77) +--- + packaging/systemd/nmb.service | 2 +- + packaging/systemd/samba.service | 2 +- + packaging/systemd/smb.service | 2 +- + packaging/systemd/winbind.service | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service +index 992c0cd9d2b..71c93d6088b 100644 +--- a/packaging/systemd/nmb.service ++++ b/packaging/systemd/nmb.service +@@ -7,7 +7,7 @@ Type=notify + NotifyAccess=all + PIDFile=/run/nmbd.pid + EnvironmentFile=-/etc/sysconfig/samba +-ExecStart=/usr/sbin/nmbd $NMBDOPTIONS ++ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS + ExecReload=/usr/bin/kill -HUP $MAINPID + LimitCORE=infinity + +diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service +index 824f89c2030..1b64c3b779d 100644 +--- a/packaging/systemd/samba.service ++++ b/packaging/systemd/samba.service +@@ -8,7 +8,7 @@ NotifyAccess=all + PIDFile=/run/samba.pid + LimitNOFILE=16384 + EnvironmentFile=-/etc/sysconfig/samba +-ExecStart=/usr/sbin/samba $SAMBAOPTIONS ++ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS + ExecReload=/usr/bin/kill -HUP $MAINPID + + [Install] +diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service +index 6053a5caaa5..adf6684c7d9 100644 +--- a/packaging/systemd/smb.service ++++ b/packaging/systemd/smb.service +@@ -8,7 +8,7 @@ NotifyAccess=all + PIDFile=/run/smbd.pid + LimitNOFILE=16384 + EnvironmentFile=-/etc/sysconfig/samba +-ExecStart=/usr/sbin/smbd $SMBDOPTIONS ++ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS + ExecReload=/usr/bin/kill -HUP $MAINPID + LimitCORE=infinity + +diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service +index c511488166e..46b3797251d 100644 +--- 
a/packaging/systemd/winbind.service ++++ b/packaging/systemd/winbind.service +@@ -7,7 +7,7 @@ Type=notify + NotifyAccess=all + PIDFile=/run/winbindd.pid + EnvironmentFile=-/etc/sysconfig/samba +-ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS" ++ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS" + ExecReload=/usr/bin/kill -HUP $MAINPID + LimitCORE=infinity + +-- +2.15.0 + diff --git a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch new file mode 100644 index 0000000..cc1aaec --- /dev/null +++ b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch 
@@ -0,0 +1,47 @@
+From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Wed, 29 Nov 2017 09:21:30 -0800
+Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
+ cli_smb2_close_fnum_recv().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
+frees req, then uses the state pointer which was owned by req.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Ralph Böhme
+
+Autobuild-User(master): Jeremy Allison
+Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
+
+(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
+---
+ source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index 5d46d543002..237e6bb2b54 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
+ {
+ struct cli_smb2_close_fnum_state *state = tevent_req_data(
+ req, struct cli_smb2_close_fnum_state);
+- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
+- state->cli->raw_status = status;
++ NTSTATUS status = NT_STATUS_OK;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ state->cli->raw_status = status;
++ }
++ tevent_req_received(req);
+ return status;
+ }
+ 
+--
+2.15.0.531.g2ccb3012c9-goog
+
diff --git a/SOURCES/samba-4.7-fix_smbclient_volume.patch b/SOURCES/samba-4.7-fix_smbclient_volume.patch
new file mode 100644
index 0000000..1f0692a
--- /dev/null
+++ b/SOURCES/samba-4.7-fix_smbclient_volume.patch
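Review bot: The success path no longer records the result in `state->cli->raw_status`: the removed line stored `status` unconditionally, whereas the new code stores it only inside `if (tevent_req_is_nterror(req, &status))`, so after a successful close `raw_status` keeps whatever an earlier call left there. If callers read `raw_status` after a close, the unconditional store can be kept while still reading `state` before the request is freed: `(void)tevent_req_is_nterror(req, &status);` then `state->cli->raw_status = status;` then `tevent_req_received(req);`. Whether any caller relies on `raw_status` being refreshed on success is not visible here, so this should be confirmed rather than assumed. `cli_smb2_close_fnum_recv` is contained entirely in the hunk.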
@@ -0,0 +1,165 @@
+From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Tue, 14 Nov 2017 13:52:03 -0800
+Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
+ calls.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Andreas Schneider
+(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
+---
+ source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
+ source3/libsmb/cli_smb2_fnum.h | 6 +++
+ source3/libsmb/clifsinfo.c | 9 ++++
+ 3 files changed, 112 insertions(+)
+
+diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
+index a478c41f068..89cb1f479d5 100644
+--- a/source3/libsmb/cli_smb2_fnum.c
++++ b/source3/libsmb/cli_smb2_fnum.c
+@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
+ return status;
+ }
+ 
++/***************************************************************
++ Wrapper that allows SMB2 to query file system sizes.
++ Synchronous only.
++***************************************************************/
++
++NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
++ uint64_t *total_allocation_units,
++ uint64_t *caller_allocation_units,
++ uint64_t *actual_allocation_units,
++ uint64_t *sectors_per_allocation_unit,
++ uint64_t *bytes_per_sector)
++{
++ NTSTATUS status;
++ uint16_t fnum = 0xffff;
++ DATA_BLOB outbuf = data_blob_null;
++ struct smb2_hnd *ph = NULL;
++ TALLOC_CTX *frame = talloc_stackframe();
++
++ if (smbXcli_conn_has_async_calls(cli->conn)) {
++ /*
++ * Can't use sync call while an async call is in flight
++ */
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto fail;
++ }
++
++ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++ status = NT_STATUS_INVALID_PARAMETER;
++ goto fail;
++ }
++
++ /* First open the top level directory. */
++ status =
++ cli_smb2_create_fnum(cli, "", 0, /* create_flags */
++ FILE_READ_ATTRIBUTES, /* desired_access */
++ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
++ FILE_SHARE_READ | FILE_SHARE_WRITE |
++ FILE_SHARE_DELETE, /* share_access */
++ FILE_OPEN, /* create_disposition */
++ FILE_DIRECTORY_FILE, /* create_options */
++ &fnum,
++ NULL);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ status = map_fnum_to_smb2_handle(cli, fnum, &ph);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
++ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
++
++ status = smb2cli_query_info(cli->conn,
++ cli->timeout,
++ cli->smb2.session,
++ cli->smb2.tcon,
++ SMB2_GETINFO_FS, /* in_info_type */
++ /* in_file_info_class */
++ SMB_FS_FULL_SIZE_INFORMATION - 1000,
++ 0xFFFF, /* in_max_output_length */
++ NULL, /* in_input_buffer */
++ 0, /* in_additional_info */
++ 0, /* in_flags */
++ ph->fid_persistent,
++ ph->fid_volatile,
++ frame,
++ &outbuf);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto fail;
++ }
++
++ if (outbuf.length < 32) {
++ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
++ goto fail;
++ }
++
++ *total_allocation_units = BIG_UINT(outbuf.data, 0);
++ *caller_allocation_units = BIG_UINT(outbuf.data, 8);
++ *actual_allocation_units = BIG_UINT(outbuf.data, 16);
++ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
++ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
++
++fail:
++
++ if (fnum != 0xffff) {
++ cli_smb2_close_fnum(cli, fnum);
++ }
++
++ cli->raw_status = status;
++
++ TALLOC_FREE(frame);
++ return status;
++}
++
+ /***************************************************************
+ Wrapper that allows SMB2 to query file system attributes.
+ Synchronous only.
+diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
+index 9a709e85d96..c9325b66902 100644
+--- a/source3/libsmb/cli_smb2_fnum.h
++++ b/source3/libsmb/cli_smb2_fnum.h
+@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
+ uint64_t *total,
+ uint64_t *avail);
+ NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
++NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
++ uint64_t *total_allocation_units,
++ uint64_t *caller_allocation_units,
++ uint64_t *actual_allocation_units,
++ uint64_t *sectors_per_allocation_unit,
++ uint64_t *bytes_per_sector);
+ NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
+ uint16_t fnum,
+ uint32_t sec_info,
+diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
+index 119b1216fb2..46236390022 100644
+--- a/source3/libsmb/clifsinfo.c
++++ b/source3/libsmb/clifsinfo.c
+@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
+ uint32_t rdata_count;
+ NTSTATUS status;
+ 
++ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
++ return cli_smb2_get_fs_full_size_info(cli,
++ total_allocation_units,
++ caller_allocation_units,
++ actual_allocation_units,
++ sectors_per_allocation_unit,
++ bytes_per_sector);
++ }
++
+ SSVAL(setup, 0, TRANSACT2_QFSINFO);
+ SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
+ 
+--
+2.15.0.448.gf294e3d99a-goog
+
diff --git a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
new file mode 100644
index 0000000..e9d581c
--- /dev/null
+++ b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
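Review bot: The header comment on `cli_smb2_get_fs_full_size_info` does not state the output contract that the body enforces: all five pointer arguments are dereferenced without a NULL check, they are written only after the `outbuf.length < 32` check passes, and on every failure path they are left untouched while `cli->raw_status` is set to the value returned. Suggested addition to the block comment: ` All output pointers must be non-NULL; they are written only when` / ` NT_STATUS_OK is returned. cli->raw_status mirrors the return value.` The result of `cli_smb2_close_fnum()` in the `fail:` path is discarded, which is reasonable for cleanup but means a failed close of the root handle is invisible to the caller; a one-line comment saying the close is best-effort would make that deliberate. The function is contained entirely in the hunk.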
@@ -0,0 +1,66 @@
+From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Fri, 8 Sep 2017 16:20:34 -0700
+Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
+ STATUS_INVALID_PARAMETER from an echo.
+
+It does this if we send a session ID of zero. The server still replied.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Jeremy Allison
+Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
+
+(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
+---
+ source3/client/client.c | 8 +++++++-
+ source3/libsmb/libsmb_server.c | 11 ++++++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index b4a6c7d0389..9c57375881d 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -5900,7 +5900,13 @@ static void readline_callback(void)
+ /* Ping the server to keep the connection alive using SMBecho. */
+ memset(garbage, 0xf0, sizeof(garbage));
+ status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
+- if (NT_STATUS_IS_OK(status)) {
++ if (NT_STATUS_IS_OK(status) ||
++ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
++ /*
++ * Even if server returns NT_STATUS_INVALID_PARAMETER
++ * it still responded.
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
++ */
+ return;
+ }
+ 
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index b0e5926fa65..2d41f2facf3 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
+ 1,
+ data_blob_const(data, sizeof(data)));
+ if (!NT_STATUS_IS_OK(status)) {
+- return 1;
++ /*
++ * Some NetApp servers return
++ * NT_STATUS_INVALID_PARAMETER.That's OK, they still
++ * replied.
++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
++ */
++ if (!NT_STATUS_EQUAL(status,
++ NT_STATUS_INVALID_PARAMETER)) {
++ return 1;
++ }
+ }
+ server->last_echo_time = now;
+ }
+--
+2.15.0.448.gf294e3d99a-goog
+
diff --git a/SOURCES/samba-4.7-net_ads_keytab_list.patch b/SOURCES/samba-4.7-net_ads_keytab_list.patch
new file mode 100644
index 0000000..f77b271
--- /dev/null
+++ b/SOURCES/samba-4.7-net_ads_keytab_list.patch
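Review bot: The comment added in the `libsmb_server.c` hunk is missing a space after the sentence break: `* NT_STATUS_INVALID_PARAMETER. That's OK, they still`. Both this hunk and the `client.c` one now accept an `NT_STATUS_INVALID_PARAMETER` reply to the echo as proof that the server is alive, which also hides a genuinely rejected echo; the description attributes the reply to a zero session ID, so if the connection's protocol is known at these sites (other hunks in this series gate on `smbXcli_conn_protocol(cli->conn)`), restricting the exemption to that case would leave the SMB1 keep-alive behaviour unchanged — worth confirming against the bug report before widening it for every dialect. Both `readline_callback` and `SMBC_check_server` continue outside their hunks.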
@@ -0,0 +1,84 @@
+From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Thu, 23 Nov 2017 15:55:21 +0000
+Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
+ malformed"
+
+When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
+instead, this function will determine the correct keytab to use.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
+
+Signed-off-by: Noel Power
+Reviewed-by: Andreas Schneider
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
+---
+ source3/libads/kerberos_keytab.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index ff12ec04af6..ffd100c5636 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
+ return ret;
+ }
+ 
+- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
++ if (keytab_name == NULL) {
++ ret = ads_keytab_open(context, &keytab);
++ } else {
++ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
++ }
+ if (ret) {
+ DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret)));
+--
+2.15.0
+
+
+From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Fri, 24 Nov 2017 07:06:27 +0000
+Subject: [PATCH 2/2] testprogs: Test net ads keytab list
+
+Test that correct keytab is picked up.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
+
+Signed-off-by: Noel Power
+Reviewed-by: Andreas Schneider
+Reviewed-by: Ralph Boehme
+(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
+---
+ testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
+index bbd99b676bd..c5dbaf69ba2 100755
+--- a/testprogs/blackbox/test_net_ads.sh
++++ b/testprogs/blackbox/test_net_ads.sh
+@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
+ testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+ 
+ testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
++
++# if there is no keytab, try and create it
++if [ ! -f $dedicated_keytab_file ]; then
++ if [ $(command -v ktutil) >/dev/null ]; then
++ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
++ fi
++fi
++
++if [ -f $dedicated_keytab_file ]; then
++ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
++ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
++fi
++
+ rm -f $dedicated_keytab_file
+ 
+ testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+--
+2.15.0
+
diff --git a/SOURCES/samba-4.7.1.tar.asc b/SOURCES/samba-4.7.1.tar.asc
new file mode 100644
index 0000000..78fce48
--- /dev/null
+++ b/SOURCES/samba-4.7.1.tar.asc
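Review bot: The diagnostic directly below the new branch still names `smb_krb5_kt_open` even when `ads_keytab_open` is the call that failed, which misleads anyone debugging the `keytab_name == NULL` path; one option is `DEBUG(1, ("%s failed (%s)\n", keytab_name == NULL ? "ads_keytab_open" : "smb_krb5_kt_open", error_message(ret)));`, or a separate DEBUG inside each branch. `ads_keytab_list` continues outside the hunk. In the `test_net_ads.sh` hunk, `if [ $(command -v ktutil) >/dev/null ]` tests the expanded path as a string and redirects the output of `[` for no effect; `if command -v ktutil >/dev/null; then` is the intended check. The same script interpolates `$DC_PASSWORD` into the `printf` format string, so a password containing `%` or `\` would be reinterpreted; passing the values as arguments, `printf 'addent -password -p %s@%s -k 1 -e rc4-hmac\n%s\nwkt %s\n' "$DC_USERNAME" "$REALM" "$DC_PASSWORD" "$dedicated_keytab_file" | ktutil`, avoids that.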
@@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq +uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew== +=LZI3 +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch b/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch deleted file mode 100644 index f89ec30..0000000 --- a/SOURCES/samba-v4-6-fix-building-with-new-glibc.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 5 Jan 2017 09:34:36 +0100 -Subject: [PATCH] replace: Include sysmacros.h - -In the GNU C Library, "makedev" is defined by . For -historical compatibility, it is currently defined by as -well, but it is planned to remove this soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686 - -Signed-off-by: Andreas Schneider -Reviewed-by: Volker Lendecke - -(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741) ---- - lib/replace/replace.h | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/replace/replace.h b/lib/replace/replace.h -index c69a069e4b3..1dbeacfff66 100644 ---- a/lib/replace/replace.h -+++ b/lib/replace/replace.h -@@ -171,6 +171,10 @@ - #include - #endif - -+#ifdef HAVE_SYS_SYSMACROS_H -+#include -+#endif -+ - #ifdef HAVE_SETPROCTITLE_H - #include - #endif --- -2.12.0 - diff --git a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch b/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch deleted file mode 100644 index 02db440..0000000 --- a/SOURCES/samba-v4-6-fix-cross-realm-refferals.patch +++ /dev/null 
@@ -1,1731 +0,0 @@ -From 76aae7405595ca76bc0419a97f4a69e0ed528b32 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 29 Dec 2016 14:00:36 +0100 -Subject: [PATCH 01/20] s4:gensec_gssapi: the value - gensec_get_target_principal() should overwrite gensec_get_target_hostname() - -If gensec_get_target_principal() has a value, we no longer have to verify -the gensec_get_target_hostname() value, it can be just an ipadress. - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 48bcca566ebb3a5385b15b0525d7fbdd06361e04) ---- - source4/auth/gensec/gensec_gssapi.c | 24 ++++++++++++++++++------ - 1 file changed, 18 insertions(+), 6 deletions(-) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index a6c4019aa6f..3974c3d42a0 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -307,7 +307,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi - gss_buffer_desc name_token; - gss_OID name_type; - OM_uint32 maj_stat, min_stat; -+ const char *target_principal = NULL; - const char *hostname = gensec_get_target_hostname(gensec_security); -+ const char *service = gensec_get_target_service(gensec_security); -+ const char *realm = cli_credentials_get_realm(creds); -+ -+ target_principal = gensec_get_target_principal(gensec_security); -+ if (target_principal != NULL) { -+ goto do_start; -+ } - - if (!hostname) { - DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n")); -@@ -322,6 +330,8 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi - return NT_STATUS_INVALID_PARAMETER; - } - -+do_start: -+ - nt_status = gensec_gssapi_start(gensec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; -@@ -333,16 +343,18 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi - gensec_gssapi_state->gss_want_flags &= 
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); - } - -- gensec_gssapi_state->target_principal = gensec_get_target_principal(gensec_security); -- if (gensec_gssapi_state->target_principal) { -+ if (target_principal != NULL) { - name_type = GSS_C_NULL_OID; - } else { -- gensec_gssapi_state->target_principal = talloc_asprintf(gensec_gssapi_state, "%s/%s@%s", -- gensec_get_target_service(gensec_security), -- hostname, cli_credentials_get_realm(creds)); -- -+ target_principal = talloc_asprintf(gensec_gssapi_state, -+ "%s/%s@%s", service, hostname, realm); -+ if (target_principal == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } - name_type = GSS_C_NT_USER_NAME; - } -+ gensec_gssapi_state->target_principal = target_principal; -+ - name_token.value = discard_const_p(uint8_t, gensec_gssapi_state->target_principal); - name_token.length = strlen(gensec_gssapi_state->target_principal); - --- -2.12.0 - - -From 12d74cd165db3603ba2f3a58343e9a82fb22ee93 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 29 Dec 2016 15:20:00 +0100 -Subject: [PATCH 02/20] s4:gensec_gssapi: require a realm in - gensec_gssapi_client_start() - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3a870baee8d9dbe5359f04a108814afc27e57d46) ---- - source4/auth/gensec/gensec_gssapi.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index 3974c3d42a0..957cfa4229d 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -330,6 +330,16 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi - return NT_STATUS_INVALID_PARAMETER; - } - -+ if (realm == NULL) { -+ const char *cred_name = cli_credentials_get_unparsed_name(creds, -+ gensec_security); -+ DEBUG(3, ("cli_credentials(%s) without realm, " -+ "cannot use kerberos for this connection %s/%s\n", -+ cred_name, service, hostname)); -+ 
talloc_free(discard_const_p(char, cred_name)); -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ - do_start: - - nt_status = gensec_gssapi_start(gensec_security); --- -2.12.0 - - -From beb9e4379333872ff1e5a3422ba70ccb409e9915 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 6 Mar 2017 09:13:09 +0100 -Subject: [PATCH 03/20] testprogs: Use smbclient by default in - test_kinit_trusts - -This is the tool we use by default and we should test with it. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 9b3ff90dbc5cc1017dfc89831a1081272e6c2356) ---- - testprogs/blackbox/test_kinit_trusts_heimdal.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh -index 073e0e7517e..040bf919203 100755 ---- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh -+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh -@@ -32,7 +32,7 @@ if test -x $samba4bindir/samba4kinit; then - samba4kinit=$samba4bindir/samba4kinit - fi - --smbclient="$samba4bindir/smbclient4" -+smbclient="$samba4bindir/smbclient" - wbinfo="$samba4bindir/wbinfo" - rpcclient="$samba4bindir/rpcclient" - samba_tool="$samba4bindir/samba-tool" --- -2.12.0 - - -From 7feebdec869ed633bea612630ebca8d9b85a3e2e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 6 Mar 2017 09:15:45 +0100 -Subject: [PATCH 04/20] testprogs: Add kinit_trusts tests with smbclient4 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 42bd003f468ab95b6ac97c774e2cd217d06c05ed) ---- - testprogs/blackbox/test_kinit_trusts_heimdal.sh | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh -index 040bf919203..e67f77361a4 100755 
---- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh -+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh -@@ -52,8 +52,16 @@ rm -rf $KRB5CCNAME_PATH - echo $TRUST_PASSWORD > $PREFIX/tmppassfile - testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` - test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` -+rm -rf $KRB5CCNAME_PATH -+ -+# Test with smbclient4 -+smbclient="$samba4bindir/smbclient4" -+testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` -+test_smbclient "Test login with user kerberos ccache (smbclient4)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` -+rm -rf $KRB5CCNAME_PATH - - testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` -+smbclient="$samba4bindir/smbclient" - test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" -k yes || failed=`expr $failed + 1` - - if test x"${TYPE}" = x"forest" ;then --- -2.12.0 - - -From cae7475df03e7d464dc8642a7a02dad388215d1e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 10:40:08 +0100 -Subject: [PATCH 05/20] krb5_wrap: Do not return an empty realm from - smb_krb5_get_realm_from_hostname() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 946f9dd1170be63b91e31ce825ea123f3c07329b) ---- - lib/krb5_wrap/krb5_samba.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 10b42dec53f..9dc7304d566 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ 
b/lib/krb5_wrap/krb5_samba.c -@@ -2691,7 +2691,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - goto out; - } - -- if (realm_list && realm_list[0]) { -+ if (realm_list != NULL && -+ realm_list[0] != NULL && -+ realm_list[0][0] != '\0') { - realm = talloc_strdup(mem_ctx, realm_list[0]); - } - --- -2.12.0 - - -From 1d2b4a00e2a1213df81192e01f2d833ed4a6ec54 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 10:48:52 +0100 -Subject: [PATCH 06/20] krb5_wrap: Try to guess the correct realm from the - service hostname - -If we do not get a realm mapping from the krb5.conf or from the Kerberos -library try to guess it from the service hostname. The guessing of the -realm from the service hostname is already implemented in Heimdal. This -makes the behavior of smb_krb5_get_realm_from_hostname() consistent -with both MIT and Heimdal. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 65228925ab3c4da4ae299f77cae219fc7d37cc68) ---- - lib/krb5_wrap/krb5_samba.c | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 9dc7304d566..f8ef9f1df0f 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2695,6 +2695,19 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - realm_list[0] != NULL && - realm_list[0][0] != '\0') { - realm = talloc_strdup(mem_ctx, realm_list[0]); -+ } else { -+ const char *p = NULL; -+ -+ /* -+ * "dc6.samba2003.example.com" -+ * returns a realm of "SAMBA2003.EXAMPLE.COM" -+ * -+ * "dc6." 
returns realm as NULL -+ */ -+ p = strchr_m(hostname, '.'); -+ if (p != NULL && p[1] != '\0') { -+ realm = talloc_strdup_upper(mem_ctx, p + 1); -+ } - } - - out: --- -2.12.0 - - -From 0e99683587c9047055ca6432fae0a11604710b69 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 11:56:30 +0100 -Subject: [PATCH 07/20] krb5_wrap: pass client_realm to - smb_krb5_get_realm_from_hostname() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit f0c4fcace586197d5c170f6a9dcc175df23e3802) ---- - lib/krb5_wrap/krb5_samba.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index f8ef9f1df0f..36bcc65e22a 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2664,7 +2664,8 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) - ************************************************************************/ - - static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, -- const char *hostname) -+ const char *hostname, -+ const char *client_realm) - { - #if defined(HAVE_KRB5_REALM_TYPE) - /* Heimdal. 
*/ -@@ -2695,6 +2696,9 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - realm_list[0] != NULL && - realm_list[0][0] != '\0') { - realm = talloc_strdup(mem_ctx, realm_list[0]); -+ if (realm == NULL) { -+ goto out; -+ } - } else { - const char *p = NULL; - -@@ -2707,9 +2711,16 @@ static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - p = strchr_m(hostname, '.'); - if (p != NULL && p[1] != '\0') { - realm = talloc_strdup_upper(mem_ctx, p + 1); -+ if (realm == NULL) { -+ goto out; -+ } - } - } - -+ if (realm == NULL) { -+ realm = talloc_strdup(mem_ctx, client_realm); -+ } -+ - out: - - if (ctx) { -@@ -2752,7 +2763,8 @@ char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, - if (host) { - /* DNS name. */ - realm = smb_krb5_get_realm_from_hostname(talloc_tos(), -- remote_name); -+ remote_name, -+ default_realm); - } else { - /* NetBIOS name - use our realm. */ - realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); --- -2.12.0 - - -From 6876b0d12f8aad4448f4a7d770db7ff129df6c50 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 11:56:30 +0100 -Subject: [PATCH 08/20] krb5_wrap: Make smb_krb5_get_realm_from_hostname() - public - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 339a2ecb3f05d0c9e860a5dd59b8bdbc51d4ffa7) ---- - lib/krb5_wrap/krb5_samba.c | 28 +++++++++++++++++++++------- - lib/krb5_wrap/krb5_samba.h | 4 ++++ - 2 files changed, 25 insertions(+), 7 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 36bcc65e22a..2b0ec6bfa0e 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2659,13 +2659,27 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) - return realm; - } - --/************************************************************************ -- 
Routine to get the realm from a given DNS name. --************************************************************************/ -- --static char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, -- const char *hostname, -- const char *client_realm) -+/** -+ * @brief Get the realm from the service hostname. -+ * -+ * This function will look for a domain realm mapping in the [domain_realm] -+ * section of the krb5.conf first and fallback to extract the realm from -+ * the provided service hostname. As a last resort it will return the -+ * provided client_realm. -+ * -+ * @param[in] mem_ctx The talloc context -+ * -+ * @param[in] hostname The service hostname -+ * -+ * @param[in] client_realm If we can not find a mapping, fall back to -+ * this realm. -+ * -+ * @return The realm to use for the service hostname, NULL if a fatal error -+ * occured. -+ */ -+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, -+ const char *hostname, -+ const char *client_realm) - { - #if defined(HAVE_KRB5_REALM_TYPE) - /* Heimdal. 
*/ -diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index 71e81ea26e1..accae449a0e 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -314,6 +314,10 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, - krb5_principal principal, - const char *realm); - -+char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, -+ const char *hostname, -+ const char *client_realm); -+ - char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, - const char *service, - const char *remote_name, --- -2.12.0 - - -From 08a81c315129c3d07637a8a5064b4ef988864efd Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 6 Mar 2017 09:19:13 +0100 -Subject: [PATCH 09/20] s4:gensec-gssapi: Create a helper function to setup - server_principal - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 8f7c4529420316b553c80cd3d19b6996525b029a) ---- - source4/auth/gensec/gensec_gssapi.c | 88 +++++++++++++++++++++++++------------ - source4/auth/gensec/gensec_gssapi.h | 2 +- - 2 files changed, 61 insertions(+), 29 deletions(-) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index 957cfa4229d..ec57d193714 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -83,6 +83,56 @@ static int gensec_gssapi_destructor(struct gensec_gssapi_state *gensec_gssapi_st - return 0; - } - -+static NTSTATUS gensec_gssapi_setup_server_principal(TALLOC_CTX *mem_ctx, -+ const char *target_principal, -+ const char *service, -+ const char *hostname, -+ const char *realm, -+ const gss_OID mech, -+ char **pserver_principal, -+ gss_name_t *pserver_name) -+{ -+ char *server_principal = NULL; -+ gss_buffer_desc name_token; -+ gss_OID name_type; -+ OM_uint32 maj_stat, min_stat = 0; -+ -+ if (target_principal != NULL) { -+ 
server_principal = talloc_strdup(mem_ctx, target_principal); -+ name_type = GSS_C_NULL_OID; -+ } else { -+ server_principal = talloc_asprintf(mem_ctx, -+ "%s/%s@%s", -+ service, hostname, realm); -+ name_type = GSS_C_NT_USER_NAME; -+ } -+ if (server_principal == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ name_token.value = (uint8_t *)server_principal; -+ name_token.length = strlen(server_principal); -+ -+ maj_stat = gss_import_name(&min_stat, -+ &name_token, -+ name_type, -+ pserver_name); -+ if (maj_stat) { -+ DBG_WARNING("GSS Import name of %s failed: %s\n", -+ server_principal, -+ gssapi_error_string(mem_ctx, -+ maj_stat, -+ min_stat, -+ mech)); -+ TALLOC_FREE(server_principal); -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ -+ *pserver_principal = server_principal; -+ -+ return NT_STATUS_OK; -+} -+ - static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) - { - struct gensec_gssapi_state *gensec_gssapi_state; -@@ -304,9 +354,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi - struct gensec_gssapi_state *gensec_gssapi_state; - struct cli_credentials *creds = gensec_get_credentials(gensec_security); - NTSTATUS nt_status; -- gss_buffer_desc name_token; -- gss_OID name_type; -- OM_uint32 maj_stat, min_stat; - const char *target_principal = NULL; - const char *hostname = gensec_get_target_hostname(gensec_security); - const char *service = gensec_get_target_service(gensec_security); -@@ -353,31 +400,16 @@ do_start: - gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); - } - -- if (target_principal != NULL) { -- name_type = GSS_C_NULL_OID; -- } else { -- target_principal = talloc_asprintf(gensec_gssapi_state, -- "%s/%s@%s", service, hostname, realm); -- if (target_principal == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- name_type = GSS_C_NT_USER_NAME; -- } -- gensec_gssapi_state->target_principal = target_principal; -- -- name_token.value = discard_const_p(uint8_t, 
gensec_gssapi_state->target_principal); -- name_token.length = strlen(gensec_gssapi_state->target_principal); -- -- -- maj_stat = gss_import_name (&min_stat, -- &name_token, -- name_type, -- &gensec_gssapi_state->server_name); -- if (maj_stat) { -- DEBUG(2, ("GSS Import name of %s failed: %s\n", -- (char *)name_token.value, -- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); -- return NT_STATUS_INVALID_PARAMETER; -+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, -+ target_principal, -+ service, -+ hostname, -+ realm, -+ gensec_gssapi_state->gss_oid, -+ &gensec_gssapi_state->target_principal, -+ &gensec_gssapi_state->server_name); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; - } - - return NT_STATUS_OK; -diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h -index cf0e3a8d914..d788b5ebc38 100644 ---- a/source4/auth/gensec/gensec_gssapi.h -+++ b/source4/auth/gensec/gensec_gssapi.h -@@ -65,5 +65,5 @@ struct gensec_gssapi_state { - int gss_exchange_count; - size_t sig_size; - -- const char *target_principal; -+ char *target_principal; - }; --- -2.12.0 - - -From 78a76c53e9b0e7caf67a43eeb7929a4fe94fa25e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 12:34:59 +0100 -Subject: [PATCH 10/20] s4:gensec_gssapi: Move setup of service_principal to - update function - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit bf6358bf035e7ad48bd15cc2164afab2a19e7ad6) ---- - source4/auth/gensec/gensec_gssapi.c | 33 ++++++++++++++++++++------------- - 1 file changed, 20 insertions(+), 13 deletions(-) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index ec57d193714..6cb4431e0d9 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ 
b/source4/auth/gensec/gensec_gssapi.c -@@ -400,18 +400,6 @@ do_start: - gensec_gssapi_state->gss_want_flags &= ~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG); - } - -- nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, -- target_principal, -- service, -- hostname, -- realm, -- gensec_gssapi_state->gss_oid, -- &gensec_gssapi_state->target_principal, -- &gensec_gssapi_state->server_name); -- if (!NT_STATUS_IS_OK(nt_status)) { -- return nt_status; -- } -- - return NT_STATUS_OK; - } - -@@ -452,7 +440,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - OM_uint32 min_stat2; - gss_buffer_desc input_token = { 0, NULL }; - gss_buffer_desc output_token = { 0, NULL }; -- -+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); -+ const char *target_principal = gensec_get_target_principal(gensec_security); -+ const char *hostname = gensec_get_target_hostname(gensec_security); -+ const char *service = gensec_get_target_service(gensec_security); -+ const char *client_realm = cli_credentials_get_realm(cli_creds); - gss_OID gss_oid_p = NULL; - OM_uint32 time_req = 0; - OM_uint32 time_rec = 0; -@@ -491,6 +483,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - return NT_STATUS_INTERNAL_ERROR; - } - #endif -+ -+ if (gensec_gssapi_state->server_name == NULL) { -+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, -+ target_principal, -+ service, -+ hostname, -+ client_realm, -+ gensec_gssapi_state->gss_oid, -+ &gensec_gssapi_state->target_principal, -+ &gensec_gssapi_state->server_name); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } -+ } -+ - maj_stat = gss_init_sec_context(&min_stat, - gensec_gssapi_state->client_cred->creds, - &gensec_gssapi_state->gssapi_context, --- -2.12.0 - - -From 7541d4a3c1a665925c8d3aa97963729874c70761 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 11:03:17 +0100 -Subject: [PATCH 11/20] 
s4:gensec_gssapi: Use - smb_krb5_get_realm_from_hostname() - -With credentials for administrator@FOREST1.EXAMPLE.COM -this patch changes the target_principal for -the ldap service of host dc2.forest2.example.com -from - - ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM - -to - - ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM - -Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM -should be used in order to allow the KDC of FOREST1.EXAMPLE.COM -to generate a referral ticket for -krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. - -The problem is that KDCs only return such referral tickets -if there's a forest trust between FOREST1.EXAMPLE.COM -and FOREST2.EXAMPLE.COM. If there's only an external domain -trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM -the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN -when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. - -In the case of an external trust the client can still ask -explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM -and the KDC of FOREST1.EXAMPLE.COM will generate it. - -From there the client can use the -krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM -ticket and ask a KDC of FOREST2.EXAMPLE.COM for a -service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. - -With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior -when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as -target principal. As _krb5_get_cred_kdc_any() first calls -get_cred_kdc_referral() (which always starts with the client realm) -and falls back to get_cred_kdc_capath() (which starts with the given realm). - -MIT krb5 only tries the given realm of the target principal, -if we want to autodetect support for transitive forest trusts, -we'll have to do the fallback ourself. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 3781eb250173981a8890b82d1ff9358f144034cd) ---- - source4/auth/gensec/gensec_gssapi.c | 62 ++++++++++++++++++++++++++++++++++++- - 1 file changed, 61 insertions(+), 1 deletion(-) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index 6cb4431e0d9..57392a04e60 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -445,6 +445,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - const char *hostname = gensec_get_target_hostname(gensec_security); - const char *service = gensec_get_target_service(gensec_security); - const char *client_realm = cli_credentials_get_realm(cli_creds); -+ const char *server_realm = NULL; - gss_OID gss_oid_p = NULL; - OM_uint32 time_req = 0; - OM_uint32 time_rec = 0; -@@ -484,12 +485,71 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - } - #endif - -+ /* -+ * With credentials for -+ * administrator@FOREST1.EXAMPLE.COM this patch changes -+ * the target_principal for the ldap service of host -+ * dc2.forest2.example.com from -+ * -+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM -+ * -+ * to -+ * -+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM -+ * -+ * Typically -+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM -+ * should be used in order to allow the KDC of -+ * FOREST1.EXAMPLE.COM to generate a referral ticket -+ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. -+ * -+ * The problem is that KDCs only return such referral -+ * tickets if there's a forest trust between -+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM. 
If -+ * there's only an external domain trust between -+ * FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC -+ * of FOREST1.EXAMPLE.COM will respond with -+ * S_PRINCIPAL_UNKNOWN when being asked for -+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. -+ * -+ * In the case of an external trust the client can -+ * still ask explicitly for -+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and -+ * the KDC of FOREST1.EXAMPLE.COM will generate it. -+ * -+ * From there the client can use the -+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM -+ * ticket and ask a KDC of FOREST2.EXAMPLE.COM for a -+ * service ticket for -+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. -+ * -+ * With Heimdal we'll get the fallback on -+ * S_PRINCIPAL_UNKNOWN behavior when we pass -+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as -+ * target principal. As _krb5_get_cred_kdc_any() first -+ * calls get_cred_kdc_referral() (which always starts -+ * with the client realm) and falls back to -+ * get_cred_kdc_capath() (which starts with the given -+ * realm). -+ * -+ * MIT krb5 only tries the given realm of the target -+ * principal, if we want to autodetect support for -+ * transitive forest trusts, would have to do the -+ * fallback ourself. 
-+ */ - if (gensec_gssapi_state->server_name == NULL) { -+ server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, -+ hostname, -+ client_realm); -+ if (server_realm == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ - nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, - target_principal, - service, - hostname, -- client_realm, -+ server_realm, - gensec_gssapi_state->gss_oid, - &gensec_gssapi_state->target_principal, - &gensec_gssapi_state->server_name); --- -2.12.0 - - -From 97935a1164d328b466bc305c37869e78d306173a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 8 Mar 2017 13:10:05 +0100 -Subject: [PATCH 12/20] s4:gensec_gssapi: Correctly handle external trusts with - MIT - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 2dd4887648bf006a577e03fc027e881738ca04ab) ---- - source4/auth/gensec/gensec_gssapi.c | 51 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 51 insertions(+) - -diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c -index 57392a04e60..61911aae9d9 100644 ---- a/source4/auth/gensec/gensec_gssapi.c -+++ b/source4/auth/gensec/gensec_gssapi.c -@@ -464,6 +464,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - switch (gensec_security->gensec_role) { - case GENSEC_CLIENT: - { -+ bool fallback = false; - #ifdef SAMBA4_USES_HEIMDAL - struct gsskrb5_send_to_kdc send_to_kdc; - krb5_error_code ret; -@@ -537,6 +538,48 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - * transitive forest trusts, would have to do the - * fallback ourself. 
- */ -+#ifndef SAMBA4_USES_HEIMDAL -+ if (gensec_gssapi_state->server_name == NULL) { -+ nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, -+ target_principal, -+ service, -+ hostname, -+ client_realm, -+ gensec_gssapi_state->gss_oid, -+ &gensec_gssapi_state->target_principal, -+ &gensec_gssapi_state->server_name); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ return nt_status; -+ } -+ -+ maj_stat = gss_init_sec_context(&min_stat, -+ gensec_gssapi_state->client_cred->creds, -+ &gensec_gssapi_state->gssapi_context, -+ gensec_gssapi_state->server_name, -+ gensec_gssapi_state->gss_oid, -+ gensec_gssapi_state->gss_want_flags, -+ time_req, -+ gensec_gssapi_state->input_chan_bindings, -+ &input_token, -+ &gss_oid_p, -+ &output_token, -+ &gensec_gssapi_state->gss_got_flags, /* ret flags */ -+ &time_rec); -+ if (maj_stat != GSS_S_FAILURE) { -+ goto init_sec_context_done; -+ } -+ if (min_stat != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { -+ goto init_sec_context_done; -+ } -+ if (target_principal != NULL) { -+ goto init_sec_context_done; -+ } -+ -+ fallback = true; -+ TALLOC_FREE(gensec_gssapi_state->target_principal); -+ gss_release_name(&min_stat2, &gensec_gssapi_state->server_name); -+ } -+#endif /* !SAMBA4_USES_HEIMDAL */ - if (gensec_gssapi_state->server_name == NULL) { - server_realm = smb_krb5_get_realm_from_hostname(gensec_gssapi_state, - hostname, -@@ -545,6 +588,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - return NT_STATUS_NO_MEMORY; - } - -+ if (fallback && -+ strequal(client_realm, server_realm)) { -+ goto init_sec_context_done; -+ } -+ - nt_status = gensec_gssapi_setup_server_principal(gensec_gssapi_state, - target_principal, - service, -@@ -571,6 +619,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - &output_token, - &gensec_gssapi_state->gss_got_flags, /* ret flags */ - &time_rec); -+ goto init_sec_context_done; -+ /* JUMP! 
*/ -+init_sec_context_done: - if (gss_oid_p) { - gensec_gssapi_state->gss_oid = gss_oid_p; - } --- -2.12.0 - - -From 71a49b84ebb8d45d91d21ebf92d3c7302b24f490 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 9 Mar 2017 07:54:29 +0100 -Subject: [PATCH 13/20] s3:gse: Use smb_krb5_get_realm_from_hostname() - -With credentials for administrator@FOREST1.EXAMPLE.COM -this patch changes the target_principal for -the ldap service of host dc2.forest2.example.com -from - - ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM - -to - - ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM - -Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM -should be used in order to allow the KDC of FOREST1.EXAMPLE.COM -to generate a referral ticket for -krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. - -The problem is that KDCs only return such referral tickets -if there's a forest trust between FOREST1.EXAMPLE.COM -and FOREST2.EXAMPLE.COM. If there's only an external domain -trust between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM -the KDC of FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN -when being asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. - -In the case of an external trust the client can still ask -explicitly for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM -and the KDC of FOREST1.EXAMPLE.COM will generate it. - -From there the client can use the -krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM -ticket and ask a KDC of FOREST2.EXAMPLE.COM for a -service ticket for ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. - -With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior -when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as -target principal. As _krb5_get_cred_kdc_any() first calls -get_cred_kdc_referral() (which always starts with the client realm) -and falls back to get_cred_kdc_capath() (which starts with the given realm). 
- -MIT krb5 only tries the given realm of the target principal, -if we want to autodetect support for transitive forest trusts, -we'll have to do the fallback ourself. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit a3d95ed9037fb8b14a451da02dcadf011485ae34) ---- - source3/librpc/crypto/gse.c | 93 +++++++++++++++++++++++++++++++++------------ - 1 file changed, 68 insertions(+), 25 deletions(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index abf20bc7dfd..57632f6cc8f 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -120,6 +120,54 @@ static int gse_context_destructor(void *ptr) - return 0; - } - -+static NTSTATUS gse_setup_server_principal(TALLOC_CTX *mem_ctx, -+ const char *target_principal, -+ const char *service, -+ const char *hostname, -+ const char *realm, -+ char **pserver_principal, -+ gss_name_t *pserver_name) -+{ -+ char *server_principal = NULL; -+ gss_buffer_desc name_token; -+ gss_OID name_type; -+ OM_uint32 maj_stat, min_stat = 0; -+ -+ if (target_principal != NULL) { -+ server_principal = talloc_strdup(mem_ctx, target_principal); -+ name_type = GSS_C_NULL_OID; -+ } else { -+ server_principal = talloc_asprintf(mem_ctx, -+ "%s/%s@%s", -+ service, -+ hostname, -+ realm); -+ name_type = GSS_C_NT_USER_NAME; -+ } -+ if (server_principal == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ name_token.value = (uint8_t *)server_principal; -+ name_token.length = strlen(server_principal); -+ -+ maj_stat = gss_import_name(&min_stat, -+ &name_token, -+ name_type, -+ pserver_name); -+ if (maj_stat) { -+ DBG_WARNING("GSS Import name of %s failed: %s\n", -+ server_principal, -+ gse_errstr(mem_ctx, maj_stat, min_stat)); -+ TALLOC_FREE(server_principal); -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ -+ *pserver_principal = server_principal; -+ -+ return 
NT_STATUS_OK; -+} -+ - static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, - bool do_sign, bool do_seal, - const char *ccache_name, -@@ -203,11 +251,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - { - struct gse_context *gse_ctx; - OM_uint32 gss_maj, gss_min; -- gss_buffer_desc name_buffer = GSS_C_EMPTY_BUFFER; - #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X - gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; - gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); - #endif -+ char *server_principal = NULL; -+ char *server_realm = NULL; - NTSTATUS status; - - if (!server || !service) { -@@ -223,30 +272,24 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - - /* Guess the realm based on the supplied service, and avoid the GSS libs - doing DNS lookups which may fail. -- -- TODO: Loop with the KDC on some more combinations (local -- realm in particular), possibly falling back to -- GSS_C_NT_HOSTBASED_SERVICE - */ -- name_buffer.value = -- smb_krb5_get_principal_from_service_hostname(gse_ctx, -- service, -- server, -- realm); -- if (!name_buffer.value) { -- status = NT_STATUS_NO_MEMORY; -- goto err_out; -+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, -+ server, -+ realm); -+ if (server_realm == NULL) { -+ return NT_STATUS_NO_MEMORY; - } -- name_buffer.length = strlen((char *)name_buffer.value); -- gss_maj = gss_import_name(&gss_min, &name_buffer, -- GSS_C_NT_USER_NAME, -- &gse_ctx->server_name); -- if (gss_maj) { -- DEBUG(5, ("gss_import_name failed for %s, with [%s]\n", -- (char *)name_buffer.value, -- gse_errstr(gse_ctx, gss_maj, gss_min))); -- status = NT_STATUS_INTERNAL_ERROR; -- goto err_out; -+ -+ status = gse_setup_server_principal(mem_ctx, -+ NULL, -+ service, -+ server, -+ server_realm, -+ &server_principal, -+ &gse_ctx->server_name); -+ TALLOC_FREE(server_realm); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; - } - - /* TODO: get krb5 ticket using username/password, if no valid -@@ -299,11 +342,11 @@ static NTSTATUS 
gse_init_client(TALLOC_CTX *mem_ctx, - #endif - - *_gse_ctx = gse_ctx; -- TALLOC_FREE(name_buffer.value); -+ TALLOC_FREE(server_principal); - return NT_STATUS_OK; - - err_out: -- TALLOC_FREE(name_buffer.value); -+ TALLOC_FREE(server_principal); - TALLOC_FREE(gse_ctx); - return status; - } --- -2.12.0 - - -From 905cdd3ee1fea0bf0e2081da4489934944c55fa9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 9 Mar 2017 09:10:12 +0100 -Subject: [PATCH 14/20] krb5_wrap: Remove obsolete - smb_krb5_get_principal_from_service_hostname() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 804e828d52ec922f3970e847652ab1ee5538b9b0) ---- - lib/krb5_wrap/krb5_samba.c | 111 --------------------------------------------- - lib/krb5_wrap/krb5_samba.h | 5 -- - 2 files changed, 116 deletions(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 2b0ec6bfa0e..0b67ea52a19 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -2604,61 +2604,6 @@ krb5_error_code smb_krb5_principal_set_realm(krb5_context context, - } - - --/************************************************************************ -- Routine to get the default realm from the kerberos credentials cache. -- Caller must free if the return value is not NULL. 
--************************************************************************/ -- --static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) --{ -- char *realm = NULL; -- krb5_context ctx = NULL; -- krb5_ccache cc = NULL; -- krb5_principal princ = NULL; -- -- initialize_krb5_error_table(); -- if (krb5_init_context(&ctx)) { -- return NULL; -- } -- -- DEBUG(5,("kerberos_get_default_realm_from_ccache: " -- "Trying to read krb5 cache: %s\n", -- krb5_cc_default_name(ctx))); -- if (krb5_cc_default(ctx, &cc)) { -- DEBUG(5,("kerberos_get_default_realm_from_ccache: " -- "failed to read default cache\n")); -- goto out; -- } -- if (krb5_cc_get_principal(ctx, cc, &princ)) { -- DEBUG(5,("kerberos_get_default_realm_from_ccache: " -- "failed to get default principal\n")); -- goto out; -- } -- --#if defined(HAVE_KRB5_PRINCIPAL_GET_REALM) -- realm = talloc_strdup(mem_ctx, krb5_principal_get_realm(ctx, princ)); --#elif defined(HAVE_KRB5_PRINC_REALM) -- { -- krb5_data *realm_data = krb5_princ_realm(ctx, princ); -- realm = talloc_strndup(mem_ctx, realm_data->data, realm_data->length); -- } --#endif -- -- out: -- -- if (ctx) { -- if (princ) { -- krb5_free_principal(ctx, princ); -- } -- if (cc) { -- krb5_cc_close(ctx, cc); -- } -- krb5_free_context(ctx); -- } -- -- return realm; --} -- - /** - * @brief Get the realm from the service hostname. - * -@@ -2749,62 +2694,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - } - - /** -- * @brief Get the principal as a string from the service hostname. -- * -- * @param[in] mem_ctx The talloc context -- * -- * @param[in] service The service name -- * -- * @param[in] remote_name The remote name -- * -- * @param[in] default_realm The default_realm if we cannot get it from the -- * hostname or netbios name. -- * -- * @return A talloc'ed principal string or NULL if an error occured. -- * -- * The caller needs to free the principal with talloc_free() if it isn't needed -- * anymore. 
-- */ --char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, -- const char *service, -- const char *remote_name, -- const char *default_realm) --{ -- char *realm = NULL; -- char *host = NULL; -- char *principal; -- host = strchr_m(remote_name, '.'); -- if (host) { -- /* DNS name. */ -- realm = smb_krb5_get_realm_from_hostname(talloc_tos(), -- remote_name, -- default_realm); -- } else { -- /* NetBIOS name - use our realm. */ -- realm = smb_krb5_get_default_realm_from_ccache(talloc_tos()); -- } -- -- if (realm == NULL || *realm == '\0') { -- realm = talloc_strdup(talloc_tos(), default_realm); -- if (!realm) { -- return NULL; -- } -- DEBUG(3,("Cannot get realm from, " -- "desthost %s or default ccache. Using default " -- "smb.conf realm %s\n", -- remote_name, -- realm)); -- } -- -- principal = talloc_asprintf(mem_ctx, -- "%s/%s@%s", -- service, remote_name, -- realm); -- TALLOC_FREE(realm); -- return principal; --} -- --/** - * @brief Get an error string from a Kerberos error code. - * - * @param[in] context The library context. 
-diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h -index accae449a0e..c921538efcb 100644 ---- a/lib/krb5_wrap/krb5_samba.h -+++ b/lib/krb5_wrap/krb5_samba.h -@@ -318,11 +318,6 @@ char *smb_krb5_get_realm_from_hostname(TALLOC_CTX *mem_ctx, - const char *hostname, - const char *client_realm); - --char *smb_krb5_get_principal_from_service_hostname(TALLOC_CTX *mem_ctx, -- const char *service, -- const char *remote_name, -- const char *default_realm); -- - char *smb_get_krb5_error_message(krb5_context context, - krb5_error_code code, - TALLOC_CTX *mem_ctx); --- -2.12.0 - - -From 0ea7203430b580e93816035b8201ddd11346cd4e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 6 Mar 2017 08:16:11 +0100 -Subject: [PATCH 15/20] s3:gse: Pass down the gensec_security pointer - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit e6b1e58874de30d094f9bce474479cfddb39d3fc) ---- - source3/librpc/crypto/gse.c | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index 57632f6cc8f..5a39522a828 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -352,10 +352,13 @@ err_out: - } - - static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, -- struct gse_context *gse_ctx, -+ struct gensec_security *gensec_security, - const DATA_BLOB *token_in, - DATA_BLOB *token_out) - { -+ struct gse_context *gse_ctx = -+ talloc_get_type_abort(gensec_security->private_data, -+ struct gse_context); - OM_uint32 gss_maj, gss_min; - gss_buffer_desc in_data; - gss_buffer_desc out_data; -@@ -542,10 +545,13 @@ done: - } - - static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, -- struct gse_context *gse_ctx, -+ struct gensec_security *gensec_security, - const DATA_BLOB *token_in, - DATA_BLOB *token_out) - 
{ -+ struct gse_context *gse_ctx = -+ talloc_get_type_abort(gensec_security->private_data, -+ struct gse_context); - OM_uint32 gss_maj, gss_min; - gss_buffer_desc in_data; - gss_buffer_desc out_data; -@@ -762,17 +768,16 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security, - const DATA_BLOB in, DATA_BLOB *out) - { - NTSTATUS status; -- struct gse_context *gse_ctx = -- talloc_get_type_abort(gensec_security->private_data, -- struct gse_context); - - switch (gensec_security->gensec_role) { - case GENSEC_CLIENT: -- status = gse_get_client_auth_token(mem_ctx, gse_ctx, -+ status = gse_get_client_auth_token(mem_ctx, -+ gensec_security, - &in, out); - break; - case GENSEC_SERVER: -- status = gse_get_server_auth_token(mem_ctx, gse_ctx, -+ status = gse_get_server_auth_token(mem_ctx, -+ gensec_security, - &in, out); - break; - } --- -2.12.0 - - -From 36b353247939414cd7f91abd27bfc553bd62c06f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 9 Mar 2017 08:05:26 +0100 -Subject: [PATCH 16/20] s3:gse: Move setup of service_principal to update - function - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 3ba1ad1f8c7871070d0ecbe5d49c5c44afe98bbf) ---- - source3/librpc/crypto/gse.c | 97 +++++++++++++++++++++++++++++++++------------ - 1 file changed, 71 insertions(+), 26 deletions(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index 5a39522a828..3580181061e 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -255,8 +255,6 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; - gss_OID oid = discard_const(GSS_KRB5_CRED_NO_CI_FLAGS_X); - #endif -- char *server_principal = NULL; -- char *server_realm = NULL; - NTSTATUS status; - - if (!server || !service) { -@@ -270,28 +268,6 @@ static NTSTATUS 
gse_init_client(TALLOC_CTX *mem_ctx, - return NT_STATUS_NO_MEMORY; - } - -- /* Guess the realm based on the supplied service, and avoid the GSS libs -- doing DNS lookups which may fail. -- */ -- server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, -- server, -- realm); -- if (server_realm == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- -- status = gse_setup_server_principal(mem_ctx, -- NULL, -- service, -- server, -- server_realm, -- &server_principal, -- &gse_ctx->server_name); -- TALLOC_FREE(server_realm); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- - /* TODO: get krb5 ticket using username/password, if no valid - * one already available in ccache */ - -@@ -342,11 +318,9 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - #endif - - *_gse_ctx = gse_ctx; -- TALLOC_FREE(server_principal); - return NT_STATUS_OK; - - err_out: -- TALLOC_FREE(server_principal); - TALLOC_FREE(gse_ctx); - return status; - } -@@ -366,10 +340,81 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - NTSTATUS status; - OM_uint32 time_rec = 0; - struct timeval tv; -+ struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); -+ const char *hostname = gensec_get_target_hostname(gensec_security); -+ const char *service = gensec_get_target_service(gensec_security); -+ const char *client_realm = cli_credentials_get_realm(cli_creds); -+ char *server_principal = NULL; -+ char *server_realm = NULL; - - in_data.value = token_in->data; - in_data.length = token_in->length; - -+ /* -+ * With credentials for administrator@FOREST1.EXAMPLE.COM this patch -+ * changes the target_principal for the ldap service of host -+ * dc2.forest2.example.com from -+ * -+ * ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM -+ * -+ * to -+ * -+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM -+ * -+ * Typically ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM should be -+ * used in order to allow the KDC of FOREST1.EXAMPLE.COM to generate a -+ * referral 
ticket for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM. -+ * -+ * The problem is that KDCs only return such referral tickets if -+ * there's a forest trust between FOREST1.EXAMPLE.COM and -+ * FOREST2.EXAMPLE.COM. If there's only an external domain trust -+ * between FOREST1.EXAMPLE.COM and FOREST2.EXAMPLE.COM the KDC of -+ * FOREST1.EXAMPLE.COM will respond with S_PRINCIPAL_UNKNOWN when being -+ * asked for ldap/dc2.forest2.example.com@FOREST1.EXAMPLE.COM. -+ * -+ * In the case of an external trust the client can still ask explicitly -+ * for krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM and the KDC of -+ * FOREST1.EXAMPLE.COM will generate it. -+ * -+ * From there the client can use the -+ * krbtgt/FOREST2.EXAMPLE.COM@FOREST1.EXAMPLE.COM ticket and ask a KDC -+ * of FOREST2.EXAMPLE.COM for a service ticket for -+ * ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM. -+ * -+ * With Heimdal we'll get the fallback on S_PRINCIPAL_UNKNOWN behavior -+ * when we pass ldap/dc2.forest2.example.com@FOREST2.EXAMPLE.COM as -+ * target principal. As _krb5_get_cred_kdc_any() first calls -+ * get_cred_kdc_referral() (which always starts with the client realm) -+ * and falls back to get_cred_kdc_capath() (which starts with the given -+ * realm). -+ * -+ * MIT krb5 only tries the given realm of the target principal, if we -+ * want to autodetect support for transitive forest trusts, would have -+ * to do the fallback ourself. 
-+ */ -+ if (gse_ctx->server_name == NULL) { -+ server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, -+ hostname, -+ client_realm); -+ if (server_realm == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ status = gse_setup_server_principal(mem_ctx, -+ NULL, -+ service, -+ hostname, -+ server_realm, -+ &server_principal, -+ &gse_ctx->server_name); -+ TALLOC_FREE(server_realm); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ TALLOC_FREE(server_principal); -+ } -+ - gss_maj = gss_init_sec_context(&gss_min, - gse_ctx->creds, - &gse_ctx->gssapi_context, --- -2.12.0 - - -From 5ca321eaa79cdf9de1166f49365051d4d67560f9 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 9 Mar 2017 08:11:07 +0100 -Subject: [PATCH 17/20] s3:gse: Check if we have a target_princpal set we - should use - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit ada31d65d6c5929d2fbddfea5611a5f5fe5a0d74) ---- - source3/librpc/crypto/gse.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index 3580181061e..721fd8c1625 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -341,6 +341,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - OM_uint32 time_rec = 0; - struct timeval tv; - struct cli_credentials *cli_creds = gensec_get_credentials(gensec_security); -+ const char *target_principal = gensec_get_target_principal(gensec_security); - const char *hostname = gensec_get_target_hostname(gensec_security); - const char *service = gensec_get_target_service(gensec_security); - const char *client_realm = cli_credentials_get_realm(cli_creds); -@@ -401,7 +402,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - } - - status = gse_setup_server_principal(mem_ctx, -- NULL, -+ target_principal, - 
service, - hostname, - server_realm, --- -2.12.0 - - -From 8b88c6bf158e5da0cc238472390f3346aa05ef53 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 9 Mar 2017 08:18:27 +0100 -Subject: [PATCH 18/20] s3:gse: Correctly handle external trusts with MIT - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit b8bca7d08fe05758e536767b1146cdcdd8b9fee3) ---- - source3/librpc/crypto/gse.c | 54 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 54 insertions(+) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index 721fd8c1625..3abf774633b 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -347,6 +347,7 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - const char *client_realm = cli_credentials_get_realm(cli_creds); - char *server_principal = NULL; - char *server_realm = NULL; -+ bool fallback = false; - - in_data.value = token_in->data; - in_data.length = token_in->length; -@@ -393,6 +394,50 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - * want to autodetect support for transitive forest trusts, would have - * to do the fallback ourself. 
- */ -+#ifndef SAMBA4_USES_HEIMDAL -+ if (gse_ctx->server_name == NULL) { -+ OM_uint32 gss_min2 = 0; -+ -+ status = gse_setup_server_principal(mem_ctx, -+ target_principal, -+ service, -+ hostname, -+ client_realm, -+ &server_principal, -+ &gse_ctx->server_name); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ gss_maj = gss_init_sec_context(&gss_min, -+ gse_ctx->creds, -+ &gse_ctx->gssapi_context, -+ gse_ctx->server_name, -+ &gse_ctx->gss_mech, -+ gse_ctx->gss_want_flags, -+ 0, -+ GSS_C_NO_CHANNEL_BINDINGS, -+ &in_data, -+ NULL, -+ &out_data, -+ &gse_ctx->gss_got_flags, -+ &time_rec); -+ if (gss_maj != GSS_S_FAILURE) { -+ goto init_sec_context_done; -+ } -+ if (gss_min != (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) { -+ goto init_sec_context_done; -+ } -+ if (target_principal != NULL) { -+ goto init_sec_context_done; -+ } -+ -+ fallback = true; -+ TALLOC_FREE(server_principal); -+ gss_release_name(&gss_min2, &gse_ctx->server_name); -+ } -+#endif /* !SAMBA4_USES_HEIMDAL */ -+ - if (gse_ctx->server_name == NULL) { - server_realm = smb_krb5_get_realm_from_hostname(mem_ctx, - hostname, -@@ -401,6 +446,11 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - return NT_STATUS_NO_MEMORY; - } - -+ if (fallback && -+ strequal(client_realm, server_realm)) { -+ goto init_sec_context_done; -+ } -+ - status = gse_setup_server_principal(mem_ctx, - target_principal, - service, -@@ -425,6 +475,10 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx, - 0, GSS_C_NO_CHANNEL_BINDINGS, - &in_data, NULL, &out_data, - &gse_ctx->gss_got_flags, &time_rec); -+ goto init_sec_context_done; -+ /* JUMP! 
*/ -+init_sec_context_done: -+ - switch (gss_maj) { - case GSS_S_COMPLETE: - /* we are done with it */ --- -2.12.0 - - -From 290de34d42477022d8b5a236b3d0953a178c5e40 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sun, 29 Jan 2017 17:19:14 +0100 -Subject: [PATCH 19/20] HEIMDAL:kdc: make it possible to disable the principal - based referral detection - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 209886e95c3afe1e4e50bacc30b40a543856a7a0) ---- - source4/heimdal/kdc/default_config.c | 1 + - source4/heimdal/kdc/kdc.h | 2 ++ - source4/heimdal/kdc/krb5tgs.c | 4 +++- - 3 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source4/heimdal/kdc/default_config.c b/source4/heimdal/kdc/default_config.c -index 6fbf5fdae15..0129c5d3c54 100644 ---- a/source4/heimdal/kdc/default_config.c -+++ b/source4/heimdal/kdc/default_config.c -@@ -55,6 +55,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) - c->preauth_use_strongest_session_key = FALSE; - c->tgs_use_strongest_session_key = FALSE; - c->use_strongest_server_key = TRUE; -+ c->autodetect_referrals = TRUE; - c->check_ticket_addresses = TRUE; - c->allow_null_ticket_addresses = TRUE; - c->allow_anonymous = FALSE; -diff --git a/source4/heimdal/kdc/kdc.h b/source4/heimdal/kdc/kdc.h -index 9d52fd4c2ec..16263d6919b 100644 ---- a/source4/heimdal/kdc/kdc.h -+++ b/source4/heimdal/kdc/kdc.h -@@ -69,6 +69,8 @@ typedef struct krb5_kdc_configuration { - krb5_boolean allow_anonymous; - enum krb5_kdc_trpolicy trpolicy; - -+ krb5_boolean autodetect_referrals; -+ - krb5_boolean enable_pkinit; - krb5_boolean pkinit_princ_in_cert; - const char *pkinit_kdc_identity; -diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c -index 334a6eb1dc8..a888788bb6f 100644 ---- a/source4/heimdal/kdc/krb5tgs.c -+++ b/source4/heimdal/kdc/krb5tgs.c -@@ -1660,7 +1660,9 @@ server_lookup: - Realm 
req_rlm; - krb5_realm *realms; - -- if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { -+ if (!config->autodetect_referrals) { -+ /* noop */ -+ } else if ((req_rlm = get_krbtgt_realm(&sp->name)) != NULL) { - if(nloop++ < 2) { - new_rlm = find_rpath(context, tgt->crealm, req_rlm); - if(new_rlm) { --- -2.12.0 - - -From b98d399a9b3076443fa12fab5f5e13b8d6e2fe26 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sun, 29 Jan 2017 17:20:09 +0100 -Subject: [PATCH 20/20] s4:kdc: disable principal based autodetected referral - detection - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12554 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit 3314bf52aaef60ef5cc1110587b53064df7c475d) ---- - source4/kdc/kdc-heimdal.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c -index f2927e5cb9f..061296a4f40 100644 ---- a/source4/kdc/kdc-heimdal.c -+++ b/source4/kdc/kdc-heimdal.c -@@ -379,6 +379,8 @@ static void kdc_task_init(struct task_server *task) - kdc_config->tgs_use_strongest_session_key = false; - kdc_config->use_strongest_server_key = true; - -+ kdc_config->autodetect_referrals = false; -+ - /* Register hdb-samba4 hooks for use as a keytab */ - - kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context); --- -2.12.0 - diff --git a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch b/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch deleted file mode 100644 index dbce123..0000000 --- a/SOURCES/samba-v4-6-fix-kerberos-debug-message.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 20 Mar 2017 16:08:20 +0100 -Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme ---- - source3/libsmb/cliconnect.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 029c3d4760e..93f873079db 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - 0 /* no time correction for now */, - NULL); - if (ret != 0) { -- DEBUG(0, ("Kinit for %s to access %s failed: %s\n", -- user_principal, target_hostname, -- error_message(ret))); -+ int dbglvl = DBGLVL_WARNING; -+ -+ if (krb5_state == CRED_MUST_USE_KERBEROS) { -+ dbglvl = DBGLVL_ERR; -+ } -+ -+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n", -+ user_principal, target_hostname, -+ error_message(ret))); - if (krb5_state == CRED_MUST_USE_KERBEROS) { - TALLOC_FREE(frame); - return krb5_to_nt_status(ret); --- -2.12.0 - diff --git a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch b/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch deleted file mode 100644 index 6d96e52..0000000 --- a/SOURCES/samba-v4-6-fix-net-ads-keytab-handling.patch +++ /dev/null 
@@ -1,293 +0,0 @@ -From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 Mar 2017 17:30:37 +0100 -Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters - -The old behaviour is: - - for var in $* - do - echo "$var" - done - -And you get this: - -$ sh test.sh 1 2 '3 4' -1 -2 -3 -4 - -Changing it to: - - for var in "$@" - do - echo "$var" - done - -will correctly expand to: - -$ sh test.sh 1 2 '3 4' -1 -2 -3 4 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144 - -(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71) ---- - testprogs/blackbox/subunit.sh | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh -index 0791d775d27..5c81ce20a11 100755 ---- a/testprogs/blackbox/subunit.sh -+++ b/testprogs/blackbox/subunit.sh -@@ -78,7 +78,7 @@ subunit_skip_test () { - testit () { - name="$1" - shift -- cmdline="$*" -+ cmdline="$@" - subunit_start_test "$name" - output=`$cmdline 2>&1` - status=$? -@@ -93,7 +93,7 @@ testit () { - testit_expect_failure () { - name="$1" - shift -- cmdline="$*" -+ cmdline="$@" - subunit_start_test "$name" - output=`$cmdline 2>&1` - status=$? 
--- -2.12.0 - - -From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 Mar 2017 16:11:39 +0100 -Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4) ---- - lib/krb5_wrap/krb5_samba.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 10b42dec53f..fd8e4a96071 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context, - goto open_keytab; - } - -+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req); -+ - return KRB5_KT_BADNAME; - - open_keytab: --- -2.12.0 - - -From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 Mar 2017 16:24:52 +0100 -Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad) ---- - source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++------- - 1 file changed, 57 insertions(+), 12 deletions(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index 3c73b089bbb..96df10fcf65 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -34,6 +34,57 @@ - - #ifdef HAVE_ADS - -+/* This MAX_NAME_LEN is a constant defined in krb5.h */ -+#ifndef MAX_KEYTAB_NAME_LEN -+#define MAX_KEYTAB_NAME_LEN 1100 -+#endif -+ -+static krb5_error_code ads_keytab_open(krb5_context context, -+ krb5_keytab *keytab) -+{ -+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0}; -+ const char *keytab_name = NULL; -+ krb5_error_code ret = 0; -+ -+ switch (lp_kerberos_method()) { -+ case KERBEROS_VERIFY_SYSTEM_KEYTAB: -+ 
case KERBEROS_VERIFY_SECRETS_AND_KEYTAB: -+ ret = krb5_kt_default_name(context, -+ keytab_str, -+ sizeof(keytab_str) - 2); -+ if (ret != 0) { -+ DBG_WARNING("Failed to get default keytab name"); -+ goto out; -+ } -+ keytab_name = keytab_str; -+ break; -+ case KERBEROS_VERIFY_DEDICATED_KEYTAB: -+ keytab_name = lp_dedicated_keytab_file(); -+ break; -+ default: -+ DBG_ERR("Invalid kerberos method set (%d)\n", -+ lp_kerberos_method()); -+ ret = KRB5_KT_BADNAME; -+ goto out; -+ } -+ -+ if (keytab_name == NULL || keytab_name[0] == '\0') { -+ DBG_ERR("Invalid keytab name\n"); -+ ret = KRB5_KT_BADNAME; -+ goto out; -+ } -+ -+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab); -+ if (ret != 0) { -+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n", -+ error_message(ret)); -+ goto out; -+ } -+ -+out: -+ return ret; -+} -+ - /********************************************************************** - Adds a single service principal, i.e. 'host' to the system keytab - ***********************************************************************/ -@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) - return -1; - } - -- ret = smb_krb5_kt_open(context, NULL, True, &keytab); -- if (ret) { -- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", -- error_message(ret))); -+ ret = ads_keytab_open(context, &keytab); -+ if (ret != 0) { - goto out; - } - -@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads) - return ret; - } - -- ret = smb_krb5_kt_open(context, NULL, True, &keytab); -- if (ret) { -- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", -- error_message(ret))); -+ ret = ads_keytab_open(context, &keytab); -+ if (ret != 0) { - goto out; - } - -@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads) - DEBUG(3, (__location__ ": Searching for keytab entries to preserve " - "and update.\n")); - -- ret = smb_krb5_kt_open(context, NULL, True, &keytab); -- if (ret) { -- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", -- error_message(ret))); -+ ret = 
ads_keytab_open(context, &keytab); -+ if (ret != 0) { - goto done; - } - --- -2.12.0 - - -From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 Mar 2017 17:28:58 +0100 -Subject: [PATCH 4/5] param: Allow to specify kerberos method on the - commandline - -We support --option for our tools but you cannot set an option where the -value of the option includes a space. - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0) ---- - lib/param/param_table.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/lib/param/param_table.c b/lib/param/param_table.c -index 4b5234a7c9e..9a944ef19b3 100644 ---- a/lib/param/param_table.c -+++ b/lib/param/param_table.c -@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = { - static const struct enum_list enum_kerberos_method[] = { - {KERBEROS_VERIFY_SECRETS, "default"}, - {KERBEROS_VERIFY_SECRETS, "secrets only"}, -+ {KERBEROS_VERIFY_SECRETS, "secretsonly"}, - {KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"}, -+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"}, - {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"}, -+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"}, - {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"}, -+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"}, - {-1, NULL} - }; - --- -2.12.0 - - -From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 13 Mar 2017 16:34:05 +0100 -Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab - -This checks that a 'net ads join' can create the keytab and make sure we -will not regress in future. 
- -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3) ---- - testprogs/blackbox/test_net_ads.sh | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index 8e915cdcf1f..99b886f53eb 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + - - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - -+# Test with kerberos method = secrets and keytab -+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab" -+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` -+ -+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` -+ -+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -+rm -f $dedicated_keytab_file -+ - testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` - - testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` --- -2.12.0 - diff --git a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch b/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch deleted file mode 100644 index 4e21154..0000000 --- a/SOURCES/samba-v4-6-fix-spoolss-32bit-driver-upload.patch +++ /dev/null 
@@ -1,245 +0,0 @@ -From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 4 May 2017 17:48:42 +0200 -Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with - COPY_FROM_DIRECTORY - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05) ---- - source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++------------- - 1 file changed, 35 insertions(+), 16 deletions(-) - -diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c -index 394a3e5..49be5d9 100644 ---- a/source3/printing/nt_printing.c -+++ b/source3/printing/nt_printing.c -@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver - static uint32_t get_correct_cversion(struct auth_session_info *session_info, - const char *architecture, - const char *driverpath_in, -+ const char *driver_directory, - WERROR *perr) - { - int cversion = -1; - NTSTATUS nt_status; - struct smb_filename *smb_fname = NULL; -- char *driverpath = NULL; - files_struct *fsp = NULL; - connection_struct *conn = NULL; - char *oldcwd; - char *printdollar = NULL; -+ char *printdollar_path = NULL; -+ char *working_dir = NULL; - int printdollar_snum; - - *perr = WERR_INVALID_PARAMETER; -@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info, - return -1; - } - -+ printdollar_path = lp_path(talloc_tos(), printdollar_snum); -+ if (printdollar_path == NULL) { -+ *perr = WERR_NOT_ENOUGH_MEMORY; -+ return -1; -+ } -+ -+ working_dir = talloc_asprintf(talloc_tos(), -+ "%s/%s", -+ printdollar_path, -+ architecture); -+ /* -+ * If the driver has been uploaded into a temorpary driver -+ * directory, switch to the driver directory. 
-+ */ -+ if (driver_directory != NULL) { -+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s", -+ printdollar_path, -+ architecture, -+ driver_directory); -+ } -+ - nt_status = create_conn_struct_cwd(talloc_tos(), - server_event_context(), - server_messaging_context(), - &conn, - printdollar_snum, -- lp_path(talloc_tos(), printdollar_snum), -+ working_dir, - session_info, &oldcwd); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0,("get_correct_cversion: create_conn_struct " -@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info, - goto error_free_conn; - } - -- /* Open the driver file (Portable Executable format) and determine the -- * deriver the cversion. */ -- driverpath = talloc_asprintf(talloc_tos(), -- "%s/%s", -- architecture, -- driverpath_in); -- if (!driverpath) { -- *perr = WERR_NOT_ENOUGH_MEMORY; -- goto error_exit; -- } -- -- nt_status = driver_unix_convert(conn, driverpath, &smb_fname); -+ /* -+ * We switch to the directory where the driver files are located, -+ * so only work on the file names -+ */ -+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname); - if (!NT_STATUS_IS_OK(nt_status)) { - *perr = ntstatus_to_werror(nt_status); - goto error_exit; -@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx, - * NT2K: cversion=3 - */ - -- *version = get_correct_cversion(session_info, short_architecture, -- *driver_path, &err); -+ *version = get_correct_cversion(session_info, -+ short_architecture, -+ *driver_path, -+ *driver_directory, -+ &err); - if (*version == -1) { - return err; - } --- -2.9.3 - - -From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 5 May 2017 11:11:25 +0200 -Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test - for 64bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from 
commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e) ---- - source4/torture/rpc/spoolss.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c -index 409ba57..c4b7bf1 100644 ---- a/source4/torture/rpc/spoolss.c -+++ b/source4/torture/rpc/spoolss.c -@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx, - } - - static bool test_driver_copy_from_directory(struct torture_context *tctx, -- struct dcerpc_pipe *p) -+ struct dcerpc_pipe *p, -+ const char *architecture) - { - struct torture_driver_context *d; - struct spoolss_StringArray *a; -@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, - d = talloc_zero(tctx, struct torture_driver_context); - torture_assert_not_null(tctx, d, "ENOMEM"); - -- d->local.environment = -- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64); -+ d->local.environment = talloc_strdup(d, architecture); - torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); - - d->local.driver_directory = -@@ -11208,6 +11208,12 @@ done: - return ok; - } - -+static bool test_driver_copy_from_directory_64(struct torture_context *tctx, -+ struct dcerpc_pipe *p) -+{ -+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); -+} -+ - static bool test_del_driver_all_files(struct torture_context *tctx, - struct dcerpc_pipe *p) - { -@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) - torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers); - - torture_rpc_tcase_add_test(tcase, -- "test_driver_copy_from_directory", -- test_driver_copy_from_directory); -+ "test_driver_copy_from_directory_64", -+ test_driver_copy_from_directory_64); - - torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); - --- -2.9.3 - - -From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 
00:00:00 2001 -From: Andreas Schneider -Date: Fri, 5 May 2017 11:12:02 +0200 -Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for - copy_from_directory - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761 - -Signed-off-by: Andreas Schneider -Reviewed-by: Guenther Deschner -(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0) ---- - source4/torture/rpc/spoolss.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c -index c4b7bf1..e17ac6f 100644 ---- a/source4/torture/rpc/spoolss.c -+++ b/source4/torture/rpc/spoolss.c -@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx, - d->local.environment = talloc_strdup(d, architecture); - torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM"); - -- d->local.driver_directory = -- talloc_asprintf(d, "/usr/share/cups/drivers/x64"); -+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) { -+ d->local.driver_directory = -+ talloc_strdup(d, "/usr/share/cups/drivers/x64"); -+ } else { -+ d->local.driver_directory = -+ talloc_strdup(d, "/usr/share/cups/drivers/i386"); -+ } - torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM"); - - d->remote.driver_upload_directory = GUID_string2(d, &guid); -@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx, - return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64); - } - -+static bool test_driver_copy_from_directory_32(struct torture_context *tctx, -+ struct dcerpc_pipe *p) -+{ -+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86); -+} -+ - static bool test_del_driver_all_files(struct torture_context *tctx, - struct dcerpc_pipe *p) - { -@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx) - "test_driver_copy_from_directory_64", - 
test_driver_copy_from_directory_64); - -+ torture_rpc_tcase_add_test(tcase, -+ "test_driver_copy_from_directory_32", -+ test_driver_copy_from_directory_32); -+ - torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files); - - torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files); --- -2.9.3 - diff --git a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch b/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch deleted file mode 100644 index 7441e1d..0000000 --- a/SOURCES/samba-v4-6-fix-vfs-expand-msdfs.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 14 Mar 2017 16:12:20 +0100 -Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file - -The arguments get passed in the wrong order to read_target_host(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 - -Signed-off-by: Andreas Schneider -(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0) ---- - source3/modules/vfs_expand_msdfs.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c -index ffbfa333bad..e42d0098b32 100644 ---- a/source3/modules/vfs_expand_msdfs.c -+++ b/source3/modules/vfs_expand_msdfs.c -@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx, - return NULL; - } - -- targethost = read_target_host( -- ctx, raddr, mapfilename); -+ targethost = read_target_host(ctx, mapfilename, raddr); - if (targethost == NULL) { - DEBUG(1, ("Could not expand target host from file %s\n", - mapfilename)); --- -2.12.0 - -From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 21 Mar 2017 15:32:37 +0100 -Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to - get_referred_path() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687 - -Pair-Programmed-With: Ralph Boehme - -Signed-off-by: Andreas Schneider -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison -(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e) ---- - source3/modules/vfs_default.c | 2 ++ - source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++ - source3/smbd/msdfs.c | 12 +++++++----- - source3/smbd/proto.h | 12 +++++++----- - 4 files changed, 22 insertions(+), 10 deletions(-) - -diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c -index e0b6125f7d8..dcae861103d 100644 ---- a/source3/modules/vfs_default.c -+++ 
b/source3/modules/vfs_default.c -@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle, - - /* The following call can change cwd. */ - status = get_referred_path(r, pathnamep, -+ handle->conn->sconn->remote_address, -+ handle->conn->sconn->local_address, - !handle->conn->sconn->using_smb2, - junction, &consumedcnt, &self_referral); - if (!NT_STATUS_IS_OK(status)) { -diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c -index ab2af53c0ba..0a4d6d31b7c 100644 ---- a/source3/rpc_server/dfs/srv_dfs_nt.c -+++ b/source3/rpc_server/dfs/srv_dfs_nt.c -@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r) - - /* The following call can change the cwd. */ - status = get_referred_path(ctx, r->in.path, -+ p->remote_address, -+ p->local_address, - true, /*allow_broken_path */ - jn, &consumedcnt, &self_ref); - if(!NT_STATUS_IS_OK(status)) { -@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r) - } - - status = get_referred_path(ctx, r->in.dfs_entry_path, -+ p->remote_address, -+ p->local_address, - true, /*allow_broken_path */ - jn, &consumedcnt, &self_ref); - if(!NT_STATUS_IS_OK(status)) { -@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r) - - /* The following call can change the cwd. 
*/ - status = get_referred_path(ctx, r->in.dfs_entry_path, -+ p->remote_address, -+ p->local_address, - true, /*allow_broken_path */ - jn, &consumedcnt, &self_ref); - if(!NT_STATUS_IS_OK(status) || -diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c -index 61538cec832..3cf82d3b430 100644 ---- a/source3/smbd/msdfs.c -+++ b/source3/smbd/msdfs.c -@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx, - **********************************************************************/ - - NTSTATUS get_referred_path(TALLOC_CTX *ctx, -- const char *dfs_path, -- bool allow_broken_path, -- struct junction_map *jucn, -- int *consumedcntp, -- bool *self_referralp) -+ const char *dfs_path, -+ const struct tsocket_address *remote_address, -+ const struct tsocket_address *local_address, -+ bool allow_broken_path, -+ struct junction_map *jucn, -+ int *consumedcntp, -+ bool *self_referralp) - { - struct connection_struct *conn; - char *targetpath = NULL; -diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h -index c1b8201b472..e64457cf9e0 100644 ---- a/source3/smbd/proto.h -+++ b/source3/smbd/proto.h -@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn, - SMB_STRUCT_STAT *sbufp); - struct junction_map; - NTSTATUS get_referred_path(TALLOC_CTX *ctx, -- const char *dfs_path, -- bool allow_broken_path, -- struct junction_map *jucn, -- int *consumedcntp, -- bool *self_referralp); -+ const char *dfs_path, -+ const struct tsocket_address *remote_address, -+ const struct tsocket_address *local_address, -+ bool allow_broken_path, -+ struct junction_map *jucn, -+ int *consumedcntp, -+ bool *self_referralp); - int setup_dfs_referral(connection_struct *orig_conn, - const char *dfs_path, - int max_referral_level, --- -2.13.0 - - -From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 21 Mar 2017 15:45:34 +0100 -Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake - connection - -BUG: 
https://bugzilla.samba.org/show_bug.cgi?id=12687 - -Pair-Programmed-With: Ralph Boehme - -Signed-off-by: Andreas Schneider -Signed-off-by: Ralph Boehme -Reviewed-by: Jeremy Allison - -(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9) ---- - source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c -index 3cf82d3b430..c25fb17cee8 100644 ---- a/source3/smbd/msdfs.c -+++ b/source3/smbd/msdfs.c -@@ -31,6 +31,7 @@ - #include "lib/param/loadparm.h" - #include "libcli/security/security.h" - #include "librpc/gen_ndr/ndr_dfsblobs.h" -+#include "lib/tsocket/tsocket.h" - - /********************************************************************** - Parse a DFS pathname of the form \hostname\service\reqpath -@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx, - return status; - } - -+ /* -+ * TODO -+ * -+ * The remote and local address should be passed down to -+ * create_conn_struct_cwd. -+ */ -+ if (conn->sconn->remote_address == NULL) { -+ conn->sconn->remote_address = -+ tsocket_address_copy(remote_address, conn->sconn); -+ if (conn->sconn->remote_address == NULL) { -+ TALLOC_FREE(pdp); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ if (conn->sconn->local_address == NULL) { -+ conn->sconn->local_address = -+ tsocket_address_copy(local_address, conn->sconn); -+ if (conn->sconn->local_address == NULL) { -+ TALLOC_FREE(pdp); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ - /* If this is a DFS path dfs_lookup should return - * NT_STATUS_PATH_NOT_COVERED. */ - --- -2.13.0 - diff --git a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch b/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch deleted file mode 100644 index 83a4985..0000000 --- a/SOURCES/samba-v4-6-fix_net_ads_changetrustpw.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Aug 2017 18:14:23 +0200 -Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 - -Signed-off-by: Andreas Schneider -Reviewed-by: Richard Sharpe -(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d) ---- - source3/libads/krb5_setpw.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c -index 630c2e46631..bc96ac603b1 100644 ---- a/source3/libads/krb5_setpw.c -+++ b/source3/libads/krb5_setpw.c -@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host, - ret = krb5_set_password(context, - &creds, - discard_const_p(char, newpw), -- princ, -+ NULL, - &result_code, - &result_code_string, - &result_string); --- -2.14.0 - - -From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 9 Aug 2017 12:14:34 +0200 -Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw' - -BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956 - -Signed-off-by: Andreas Schneider -Reviewed-by: Richard Sharpe - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144 - -(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f) ---- - testprogs/blackbox/test_net_ads.sh | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index 99b886f53eb..bbd99b676bd 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed - - testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` - -+testit "changetrustpw" $VALGRIND $net_tool ads 
changetrustpw || failed=`expr $failed + 1` -+ - testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - - # Test with kerberos method = secrets and keytab -@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC - - testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` - -+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` -+ - testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` - rm -f $dedicated_keytab_file - --- -2.14.0 - diff --git a/SOURCES/samba-v4-6-fix_path_substitutions.patch b/SOURCES/samba-v4-6-fix_path_substitutions.patch deleted file mode 100644 index 178c44d..0000000 --- a/SOURCES/samba-v4-6-fix_path_substitutions.patch +++ /dev/null 
@@ -1,194 +0,0 @@ -From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Fri, 17 Mar 2017 13:52:57 +0100 -Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user - information - -This fixes the substitution for 'template homedir'. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 - -Signed-off-by: Volker Lendecke -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Volker Lendecke -Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144 - -(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5) ---- - source3/winbindd/wb_queryuser.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c -index be4d3d3e665..69b4c8dad5a 100644 ---- a/source3/winbindd/wb_queryuser.c -+++ b/source3/winbindd/wb_queryuser.c -@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq) - NTSTATUS status; - const char *domain_name; - -- status = wb_lookupsid_recv(subreq, state, &type, &domain_name, -+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name, - &state->info->primary_group_name); - TALLOC_FREE(subreq); - if (tevent_req_nterror(req, status)) { --- -2.12.0 - - -From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 15 Mar 2017 12:37:08 +0100 -Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660) ---- - selftest/target/Samba3.pm | 19 ++++++++++++++++++- - source3/script/tests/test_substitutions.sh | 9 +++++++-- - 2 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index f5b2c510224..1e053f12297 100755 ---- a/selftest/target/Samba3.pm -+++ 
b/selftest/target/Samba3.pm -@@ -394,16 +394,33 @@ sub setup_admember($$$$) - $substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users"; - push(@dirs, $substitution_path); - -+ # Using '/' as the winbind separator is a bad idea ... -+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN"; -+ push(@dirs, $substitution_path); -+ -+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice"; -+ push(@dirs, $substitution_path); -+ -+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN"; -+ push(@dirs, $substitution_path); -+ -+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users"; -+ push(@dirs, $substitution_path); -+ - my $member_options = " - security = ads - workgroup = $dcvars->{DOMAIN} - realm = $dcvars->{REALM} - netbios aliases = foo bar - --[subDUG] -+[sub_dug] - path = $share_dir/D_%D/U_%U/G_%G - writeable = yes - -+[sub_dug2] -+ path = $share_dir/D_%D/u_%u/g_%g -+ writeable = yes -+ - "; - - my $ret = $self->provision($prefix, -diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh -index 0852ad969f0..1a46f11c85d 100755 ---- a/source3/script/tests/test_substitutions.sh -+++ b/source3/script/tests/test_substitutions.sh -@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient" - . $samba_srcdir/testprogs/blackbox/subunit.sh - . 
$samba_srcdir/testprogs/blackbox/common_test_fns.inc - --SMB_UNC="//$SERVER/subDUG" -+SMB_UNC="//$SERVER/sub_dug" - --test_smbclient "Test login to share with substitution" \ -+test_smbclient "Test login to share with substitution (DUG)" \ -+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) -+ -+SMB_UNC="//$SERVER/sub_dug2" -+ -+test_smbclient "Test login to share with substitution (Dug)" \ - "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1) - - exit $failed --- -2.12.0 - - -From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 17 Mar 2017 10:04:19 +0100 -Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699 - -With this set, the samba3.local.nss test for ad_member will ensure that -we correctly substitute those smb.conf options. - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144 - -(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03) ---- - nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------ - selftest/target/Samba3.pm | 1 + - 2 files changed, 12 insertions(+), 6 deletions(-) - -diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh -index cfe582df068..f9c040e5f43 100755 ---- a/nsswitch/tests/test_wbinfo.sh -+++ b/nsswitch/tests/test_wbinfo.sh -@@ -205,13 +205,18 @@ subunit_start_test "$test_name" - # The full name (GECOS) is based on name (the RDN, in this case CN) - # and displayName in winbindd_ads, and is based only on displayName in - # winbindd_msrpc and winbindd_rpc. Allow both versions. 
--expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" --expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" -+if test "$TARGET" = "ad_member"; then -+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false" -+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false" -+else -+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false" -+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false" -+fi - --if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then -+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then - subunit_pass_test "$test_name" - else -- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" -+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" - failed=`expr $failed + 1` - fi - -@@ -227,10 +232,10 @@ fi - - test_name="confirm output of wbinfo --uid-info against $TARGET" - subunit_start_test "$test_name" --if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then -+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then - subunit_pass_test "$test_name" - else -- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" -+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name" - failed=`expr $failed + 1` - fi - -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index 1e053f12297..cb4970828a5 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -412,6 +412,7 @@ sub 
setup_admember($$$$) - workgroup = $dcvars->{DOMAIN} - realm = $dcvars->{REALM} - netbios aliases = foo bar -+ template homedir = /home/%D/%G/%U - - [sub_dug] - path = $share_dir/D_%D/U_%U/G_%G --- -2.12.0 - diff --git a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch b/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch deleted file mode 100644 index 7b754ae..0000000 --- a/SOURCES/samba-v4-6-fix_smbclient_session_setup_info.patch +++ /dev/null 
@@ -1,339 +0,0 @@ -From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 15 Mar 2017 17:04:30 +0000 -Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of - smb_bytes_pull_str() - -This function needs to get the whole smb buffer in order to get -the alignment for unicode correct. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24) ---- - libcli/smb/smb1cli_session.c | 28 +++++++++++++------------- - libcli/smb/smb_util.h | 3 ++- - libcli/smb/util.c | 47 +++++++++++++++++++++++++++++--------------- - 3 files changed, 47 insertions(+), 31 deletions(-) - -diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c -index 9d92aa6aed4..11614df0ae4 100644 ---- a/libcli/smb/smb1cli_session.c -+++ b/libcli/smb/smb1cli_session.c -@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq) - p = bytes; - - status = smb_bytes_pull_str(state, &state->out_native_os, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } - p += ret; - - status = smb_bytes_pull_str(state, &state->out_native_lm, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } -@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq) - p = bytes; - - status = smb_bytes_pull_str(state, &state->out_native_os, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } - p += ret; - - status = smb_bytes_pull_str(state, &state->out_native_lm, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, 
&ret); - if (tevent_req_nterror(req, status)) { - return; - } - p += ret; - - status = smb_bytes_pull_str(state, &state->out_primary_domain, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } -@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq) - p += out_security_blob_length; - - status = smb_bytes_pull_str(state, &state->out_native_os, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } - p += ret; - - status = smb_bytes_pull_str(state, &state->out_native_lm, -- use_unicode, p, -- bytes+num_bytes-p, &ret); -+ use_unicode, bytes, num_bytes, -+ p, &ret); - if (tevent_req_nterror(req, status)) { - return; - } -diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h -index 7e6f0a4ebc4..2884786339d 100644 ---- a/libcli/smb/smb_util.h -+++ b/libcli/smb/smb_util.h -@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, - const uint8_t *bytes, size_t num_bytes); - NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2, - const uint8_t *buf, size_t buf_len, -- size_t *pbuf_consumed); -+ const uint8_t *position, -+ size_t *_consumed); -diff --git a/libcli/smb/util.c b/libcli/smb/util.c -index ef8c9fafa35..7ef909c6077 100644 ---- a/libcli/smb/util.c -+++ b/libcli/smb/util.c -@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf, - static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, - bool ucs2, bool align_odd, - const uint8_t *buf, size_t buf_len, -- size_t *pbuf_consumed) -+ const uint8_t *position, -+ size_t *p_consumed) - { - size_t pad = 0; -+ size_t offset; - char *str = NULL; - size_t str_len = 0; - bool ok; - - *_str = NULL; -- if (pbuf_consumed != NULL) { -- *pbuf_consumed = 0; -+ if (p_consumed != NULL) { -+ *p_consumed = 0; -+ } -+ -+ if (position < buf) { -+ return 
NT_STATUS_INTERNAL_ERROR; -+ } -+ -+ offset = PTR_DIFF(position, buf); -+ if (offset > buf_len) { -+ return NT_STATUS_BUFFER_TOO_SMALL; - } - - if (ucs2 && -- ((align_odd && (buf_len % 2 == 0)) || -- (!align_odd && (buf_len % 2 == 1)))) { -- if (buf_len < 1) { -- return NT_STATUS_BUFFER_TOO_SMALL; -- } -- pad = 1; -- buf_len -= pad; -- buf += pad; -+ ((align_odd && (offset % 2 == 0)) || -+ (!align_odd && (offset % 2 == 1)))) { -+ pad += 1; -+ offset += 1; -+ } -+ -+ if (offset > buf_len) { -+ return NT_STATUS_BUFFER_TOO_SMALL; - } - -+ buf_len -= offset; -+ buf += offset; -+ - if (ucs2) { - buf_len = utf16_len_n(buf, buf_len); - } else { -@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, - return map_nt_error_from_unix_common(errno); - } - -- if (pbuf_consumed != NULL) { -- *pbuf_consumed = buf_len + pad; -+ if (p_consumed != NULL) { -+ *p_consumed = buf_len + pad; - } - *_str = str; -- return NT_STATUS_OK;; -+ return NT_STATUS_OK; - } - - NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2, - const uint8_t *buf, size_t buf_len, -- size_t *_buf_consumed) -+ const uint8_t *position, -+ size_t *_consumed) - { - return internal_bytes_pull_str(mem_ctx, _str, ucs2, true, -- buf, buf_len, _buf_consumed); -+ buf, buf_len, position, _consumed); - } --- -2.13.1 - - -From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 15 Mar 2017 17:04:44 +0000 -Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper - function - -This function updates cli->server_{os,type,domain} to valid values -after a session setup. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andreas Schneider -(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3) ---- - source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++-------------- - 1 file changed, 52 insertions(+), 22 deletions(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index a2362ceb863..ef03da17eec 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - return NT_STATUS_OK; - } - -+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli, -+ const char *native_os, -+ const char *native_lm, -+ const char *primary_domain) -+{ -+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0') -+ -+ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) { -+ cli->server_os = talloc_strdup(cli, native_os); -+ if (cli->server_os == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) { -+ cli->server_type = talloc_strdup(cli, native_lm); -+ if (cli->server_type == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) { -+ cli->server_domain = talloc_strdup(cli, primary_domain); -+ if (cli->server_domain == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+#undef _VALID_STRING -+ return NT_STATUS_OK; -+} -+ - /******************************************************** - Utility function to ensure we always return at least - a valid char * pointer to an empty string for the -@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) - subreq, struct tevent_req); - struct cli_sesssetup_blob_state *state = tevent_req_data( - req, struct cli_sesssetup_blob_state); -- struct cli_state *cli = state->cli; - NTSTATUS status; - - if (smbXcli_conn_protocol(state->cli->conn) >= 
PROTOCOL_SMB2_02) { -@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) - return; - } - -- if (cli->server_os == NULL) { -- cli->server_os = talloc_move(cli, &state->out_native_os); -- } -- if (cli->server_type == NULL) { -- cli->server_type = talloc_move(cli, &state->out_native_lm); -- } -- - state->status = status; - -+ status = cli_state_update_after_sesssetup(state->cli, -+ state->out_native_os, -+ state->out_native_lm, -+ NULL); -+ if (tevent_req_nterror(req, status)) { -+ return; -+ } -+ - if (state->blob.length != 0) { - /* - * More to send -@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq) - return; - } - -- if (cli->server_os == NULL) { -- cli->server_os = talloc_move(cli, &state->out_native_os); -- } -- if (cli->server_type == NULL) { -- cli->server_type = talloc_move(cli, &state->out_native_lm); -- } -- if (cli->server_domain == NULL) { -- cli->server_domain = talloc_move(cli, &state->out_primary_domain); -+ status = cli_state_update_after_sesssetup(state->cli, -+ state->out_native_os, -+ state->out_native_lm, -+ state->out_primary_domain); -+ if (tevent_req_nterror(req, status)) { -+ return; - } - - ok = smb1cli_conn_activate_signing(cli->conn, -@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) - subreq, struct tevent_req); - struct cli_session_setup_creds_state *state = tevent_req_data( - req, struct cli_session_setup_creds_state); -- struct cli_state *cli = state->cli; - NTSTATUS status; - - status = smb1cli_session_setup_lm21_recv(subreq, state, -@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq) - return; - } - -- if (cli->server_os == NULL) { -- cli->server_os = talloc_move(cli, &state->out_native_os); -- } -- if (cli->server_type == NULL) { -- cli->server_type = talloc_move(cli, &state->out_native_lm); -+ status = cli_state_update_after_sesssetup(state->cli, -+ 
state->out_native_os, -+ state->out_native_lm, -+ NULL); -+ if (tevent_req_nterror(req, status)) { -+ return; - } - - tevent_req_done(req); --- -2.13.1 - diff --git a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch b/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch deleted file mode 100644 index 5c52aa9..0000000 --- a/SOURCES/samba-v4-6-fix_smbclient_username_parsing.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Jun 2017 14:50:33 +0200 -Subject: [PATCH 1/2] s3:popt_common: Reparse the username in - popt_common_credentials_post() - -When we parse the username in the options handling, the smb.conf file -has not been loaded yet. So we are not aware of a 'winbind separator' -set in the config file. - -We need to read and set the username again in the post-processing of the -credentials. - -https://bugzilla.samba.org/show_bug.cgi?id=12849 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b) ---- - source3/lib/popt_common.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c -index 3589a4fbd2b..9928c708e89 100644 ---- a/source3/lib/popt_common.c -+++ b/source3/lib/popt_common.c -@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void) - void popt_common_credentials_post(void) - { - struct user_auth_info *auth_info = cmdline_auth_info; -+ const char *username = NULL; - - if (get_cmdline_auth_info_use_machine_account(auth_info) && - !set_cmdline_auth_info_machine_account_creds(auth_info)) -@@ -248,6 +249,20 @@ void popt_common_credentials_post(void) - } - - set_cmdline_auth_info_getpass(auth_info); -+ -+ /* -+ * When we set the username during the handling of the options passed to -+ * the binary we haven't loaded the config yet. This means that we -+ * didnn't take the 'winbind separator' into account. -+ * -+ * The username might contain the domain name and thus it hasn't been -+ * correctly parsed yet. If we have a username we need to set it again -+ * to run the string parser for the username correctly. 
-+ */ -+ username = get_cmdline_auth_info_username(auth_info); -+ if (username != NULL && username[0] != '\0') { -+ set_cmdline_auth_info_username(auth_info, username); -+ } - } - - static void popt_common_credentials_callback(poptContext con, --- -2.13.1 - - -From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Jun 2017 15:52:23 +0200 -Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144 - -(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af) ---- - source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++ - source3/selftest/tests.py | 1 + - 2 files changed, 63 insertions(+) - create mode 100755 source3/script/tests/test_smbclient_basic.sh - -diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh -new file mode 100755 -index 00000000000..90e579b68e9 ---- /dev/null -+++ b/source3/script/tests/test_smbclient_basic.sh -@@ -0,0 +1,62 @@ -+#!/bin/sh -+ -+# this runs the file serving tests that are expected to pass with samba3 against shares with various options -+ -+if [ $# -lt 5 ]; then -+cat < -+EOF -+exit 1; -+fi -+ -+SERVER="$1" -+SERVER_IP="$2" -+USERNAME="$3" -+PASSWORD="$4" -+smbclient="$5" -+CONFIGURATION="$6" -+shift 6 -+ADDARGS="$@" -+ -+incdir=`dirname $0`/../../../testprogs/blackbox -+. $incdir/subunit.sh -+ -+test_smbclient() { -+ name="$1" -+ cmd="$2" -+ shift -+ shift -+ echo "test: $name" -+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@ -+ status=$? 
-+ if [ x$status = x0 ]; then -+ echo "success: $name" -+ else -+ echo "failure: $name" -+ fi -+ return $status -+} -+ -+# TEST using \ as the separator (default) -+test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` -+# TEST using / as the separator (default) -+test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1` -+ -+# TEST using 'winbind separator = +' -+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1` -+ -+# TEST using 'winbind separator = +' set in a config file -+smbclient_config="$PREFIX/tmpsmbconf" -+cat > $smbclient_config < -Date: Tue, 21 Mar 2017 09:57:30 +0100 -Subject: [PATCH 1/2] s3:libads: Remove obsolete - smb_krb5_get_ntstatus_from_init_creds() - -There is no way we can get a better error code out of this. The original -function called was krb5_get_init_creds_opt_get_error() which has been -deprecated in 2008. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708 - -Signed-off-by: Andreas Schneider -Reviewed-by: Uri Simchoni -(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e) ---- - source3/libads/kerberos.c | 169 ---------------------------------------------- - 1 file changed, 169 deletions(-) - -Index: samba-4.6.2/source3/libads/kerberos.c -=================================================================== ---- samba-4.6.2.orig/source3/libads/kerberos.c -+++ samba-4.6.2/source3/libads/kerberos.c -@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da - return 0; - } - --static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx, -- DATA_BLOB *edata, -- DATA_BLOB *edata_out) --{ -- DATA_BLOB edata_contents; -- ASN1_DATA *data; -- int edata_type; -- -- if (!edata->length) { -- return false; -- } -- -- data = asn1_init(mem_ctx); -- if (data == NULL) { -- return false; -- } -- -- if (!asn1_load(data, *edata)) goto err; -- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err; -- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err; -- if (!asn1_read_Integer(data, &edata_type)) goto err; -- -- if (edata_type != KRB5_PADATA_PW_SALT) { -- DEBUG(0,("edata is not of required type %d but of type %d\n", -- KRB5_PADATA_PW_SALT, edata_type)); -- goto err; -- } -- -- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err; -- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err; -- if (!asn1_end_tag(data)) goto err; -- if (!asn1_end_tag(data)) goto err; -- if (!asn1_end_tag(data)) goto err; -- asn1_free(data); -- -- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length); -- -- data_blob_free(&edata_contents); -- -- return true; -- -- err: -- -- asn1_free(data); -- return false; --} -- -- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error, -- NTSTATUS *nt_status) --{ -- DATA_BLOB edata; -- DATA_BLOB unwrapped_edata; -- TALLOC_CTX *mem_ctx; -- struct KRB5_EDATA_NTSTATUS parsed_edata; -- enum 
ndr_err_code ndr_err; -- --#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR -- edata = data_blob(error->e_data->data, error->e_data->length); --#else -- edata = data_blob(error->e_data.data, error->e_data.length); --#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */ -- --#ifdef DEVELOPER -- dump_data(10, edata.data, edata.length); --#endif /* DEVELOPER */ -- -- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error"); -- if (mem_ctx == NULL) { -- data_blob_free(&edata); -- return False; -- } -- -- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) { -- data_blob_free(&edata); -- TALLOC_FREE(mem_ctx); -- return False; -- } -- -- data_blob_free(&edata); -- -- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, -- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS); -- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -- data_blob_free(&unwrapped_edata); -- TALLOC_FREE(mem_ctx); -- return False; -- } -- -- data_blob_free(&unwrapped_edata); -- -- if (nt_status) { -- *nt_status = parsed_edata.ntstatus; -- } -- -- TALLOC_FREE(mem_ctx); -- -- return True; --} -- --static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx, -- krb5_principal client, -- krb5_get_init_creds_opt *opt, -- NTSTATUS *nt_status) --{ -- krb5_init_creds_context icc; -- krb5_error_code code; --#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR -- /* HEIMDAL */ -- krb5_error error; --#else -- krb5_error *error = NULL; --#endif -- bool ok; -- -- code = krb5_init_creds_init(ctx, -- client, -- NULL, -- NULL, -- 0, -- opt, -- &icc); -- if (code != 0) { -- DBG_WARNING("krb5_init_creds_init failed with: %s\n", -- error_message(code)); -- return false; -- } -- -- code = krb5_init_creds_get_error(ctx, -- icc, -- &error); -- if (code != 0) { -- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n", -- error_message(code)); -- return false; -- } -- krb5_init_creds_free(ctx, icc); -- --#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR -- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, 
nt_status); -- -- krb5_free_error_contents(ctx, &error); --#else -- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status); -- -- krb5_free_error(ctx, error); --#endif -- -- return ok; --} -- - /* - simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL - place in default cache location. -@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch - } - out: - if (ntstatus) { -- -- NTSTATUS status; -- - /* fast path */ - if (code == 0) { - *ntstatus = NT_STATUS_OK; - goto cleanup; - } - -- /* try to get ntstatus code out of krb5_error when we have it -- * inside the krb5_get_init_creds_opt - gd */ -- -- if (opt != NULL) { -- bool ok; -- -- ok = smb_krb5_get_ntstatus_from_init_creds(ctx, -- me, -- opt, -- &status); -- if (ok) { -- *ntstatus = status; -- goto cleanup; -- } -- } -- - /* fall back to self-made-mapping */ - *ntstatus = krb5_to_nt_status(code); - } -Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh -=================================================================== ---- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh -+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh -@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d - - testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1` - -+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` -+ -+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1` -+ - rm -f $KRB5CCNAME_PATH - - exit $failed diff --git a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch b/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch deleted file mode 100644 index f29cddb..0000000 --- a/SOURCES/samba-v4-6-fix_winbind_normalize_names.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 20 Jun 2017 10:27:07 +0200 -Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851 - -Signed-off-by: Andreas Schneider -Reviewed-by: Volker Lendecke ---- - source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++--- - 1 file changed, 31 insertions(+), 3 deletions(-) - -diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c -index 8c764f77b08..b0bf6784ba6 100644 ---- a/source3/winbindd/wb_getpwsid.c -+++ b/source3/winbindd/wb_getpwsid.c -@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) - req, struct wb_getpwsid_state); - struct winbindd_pw *pw = state->pw; - struct wbint_userinfo *info; -+ struct winbindd_domain *domain = NULL; - fstring acct_name, output_username; -+ char *mapped_name = NULL; - char *tmp; - NTSTATUS status; - -@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) - return; - } - -- fill_domain_username(output_username, info->domain_name, -- acct_name, true); -+ domain = find_domain_from_name_noinit(info->domain_name); -+ if (tevent_req_nomem(domain, req)) { -+ return; -+ } -+ -+ /* -+ * TODO: -+ * This function should be called in 'idmap winbind child'. It shouldn't -+ * be a blocking call, but for this we need to add a new function for -+ * winbind.idl. This is a fix which can be backported for now. 
-+ */ -+ status = normalize_name_map(state, -+ domain, -+ acct_name, -+ &mapped_name); -+ if (NT_STATUS_IS_OK(status)) { -+ fill_domain_username(output_username, -+ info->domain_name, -+ mapped_name, true); -+ fstrcpy(acct_name, mapped_name); -+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) { -+ fstrcpy(acct_name, mapped_name); -+ } else { -+ fill_domain_username(output_username, -+ info->domain_name, -+ acct_name, true); -+ } -+ - strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name)); - - strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "", -@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq) - TALLOC_FREE(tmp); - - tmp = talloc_sub_specified( -- state, info->shell, info->acct_name, -+ state, info->shell, acct_name, - info->primary_group_name, info->domain_name, - pw->pw_uid, pw->pw_gid); - if (tevent_req_nomem(tmp, req)) { --- -2.13.1 - diff --git a/SOURCES/samba-v4.6-credentials-fix-realm.patch b/SOURCES/samba-v4.6-credentials-fix-realm.patch deleted file mode 100644 index 8583d5b..0000000 --- a/SOURCES/samba-v4.6-credentials-fix-realm.patch +++ /dev/null @@ -1,54 +0,0 @@ -commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c -Author: Andreas Schneider -Date: Wed Dec 21 22:17:22 2016 +0100 - - auth/credentials: Always set the the realm if we set the principal from the ccache - - This fixes a bug in gensec_gssapi_client_start() where an invalid realm - is used to get a Kerberos ticket. - - 
Signed-off-by: Andreas Schneider - Reviewed-by: Stefan Metzmacher - (cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7) - -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c -index 0e68012..1912c48 100644 ---- a/auth/credentials/credentials_krb5.c -+++ b/auth/credentials/credentials_krb5.c -@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, - enum credentials_obtained obtained, - const char **error_string) - { -- -+ bool ok; -+ char *realm; - krb5_principal princ; - krb5_error_code ret; - char *name; -@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred, - return ret; - } - -- cli_credentials_set_principal(cred, name, obtained); -- -+ ok = cli_credentials_set_principal(cred, name, obtained); -+ if (!ok) { -+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); -+ return ENOMEM; -+ } - free(name); - -+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context, -+ princ); - krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ); -+ if (realm == NULL) { -+ return ENOMEM; -+ } -+ ok = cli_credentials_set_realm(cred, realm, obtained); -+ SAFE_FREE(realm); -+ if (!ok) { -+ return ENOMEM; -+ } - - /* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */ - cred->ccache_obtained = obtained; diff --git a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch b/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch deleted file mode 100644 index 5c66709..0000000 --- a/SOURCES/samba-v4.6-fix_smbpasswd_user_pwd_change.patch +++ /dev/null 
@@ -1,391 +0,0 @@ -From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 18 Aug 2017 16:08:46 +0200 -Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29) ---- - source3/include/proto.h | 3 ++- - source3/libsmb/passchange.c | 5 +++-- - source3/utils/smbpasswd.c | 3 ++- - 3 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/source3/include/proto.h b/source3/include/proto.h -index baa579995a5..9deb27b416b 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain, - - /* The following definitions come from libsmb/passchange.c */ - --NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, -+NTSTATUS remote_password_change(const char *remote_machine, -+ const char *domain, const char *user_name, - const char *old_passwd, const char *new_passwd, - char **err_str); - -diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c -index c89b7ca85d1..48ffba8036f 100644 ---- a/source3/libsmb/passchange.c -+++ b/source3/libsmb/passchange.c -@@ -30,7 +30,8 @@ - Change a password on a remote machine using IPC calls. 
- *************************************************************/ - --NTSTATUS remote_password_change(const char *remote_machine, const char *user_name, -+NTSTATUS remote_password_change(const char *remote_machine, -+ const char *domain, const char *user_name, - const char *old_passwd, const char *new_passwd, - char **err_str) - { -@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam - - creds = cli_session_creds_init(cli, - user_name, -- NULL, /* domain */ -+ domain, - NULL, /* realm */ - old_passwd, - false, /* use_kerberos */ -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 437a5e551bb..4d7a3c739bc 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username, - fprintf(stderr, "Invalid remote operation!\n"); - return NT_STATUS_UNSUCCESSFUL; - } -- ret = remote_password_change(remote_mach, username, -+ ret = remote_password_change(remote_mach, -+ NULL, username, - old_passwd, new_pw, &err_str); - } else { - ret = local_password_change(username, local_flags, new_pw, --- -2.14.1 - - -From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 18 Aug 2017 16:10:06 +0200 -Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950) ---- - source3/include/proto.h | 7 ------- - source3/libsmb/proto.h | 10 ++++++++++ - source3/utils/smbpasswd.c | 1 + - 3 files changed, 11 insertions(+), 7 deletions(-) - -diff --git a/source3/include/proto.h b/source3/include/proto.h -index 9deb27b416b..67e1a9d750e 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain, - fstring srv_name, - 
struct sockaddr_storage *ss_out); - --/* The following definitions come from libsmb/passchange.c */ -- --NTSTATUS remote_password_change(const char *remote_machine, -- const char *domain, const char *user_name, -- const char *old_passwd, const char *new_passwd, -- char **err_str); -- - /* The following definitions come from libsmb/smberr.c */ - - const char *smb_dos_err_name(uint8_t e_class, uint16_t num); -diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h -index a583a8ee159..44f4d04cff5 100644 ---- a/source3/libsmb/proto.h -+++ b/source3/libsmb/proto.h -@@ -31,6 +31,9 @@ - - struct smb_trans_enc_state; - struct cli_credentials; -+struct cli_state; -+struct file_info; -+struct print_job_info; - - /* The following definitions come from libsmb/cliconnect.c */ - -@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname, - TALLOC_CTX *mem_ctx, char **psubstitute_name, - char **pprint_name, uint32_t *pflags); - -+/* The following definitions come from libsmb/passchange.c */ -+ -+NTSTATUS remote_password_change(const char *remote_machine, -+ const char *domain, const char *user_name, -+ const char *old_passwd, const char *new_passwd, -+ char **err_str); -+ - #endif /* _LIBSMB_PROTO_H_ */ -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 4d7a3c739bc..6eb2deb7a3b 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -21,6 +21,7 @@ - #include "secrets.h" - #include "../librpc/gen_ndr/samr.h" - #include "../lib/util/util_pw.h" -+#include "libsmb/proto.h" - #include "passdb.h" - - /* --- -2.14.1 - - -From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 18 Aug 2017 16:13:15 +0200 -Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change() - in smbpasswd - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit 
41a31a71abe144362fc7483fabba39aafa866373) ---- - source3/utils/smbpasswd.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 6eb2deb7a3b..b0e08cc0e58 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get) - Change a password either locally or remotely. - *************************************************************/ - --static NTSTATUS password_change(const char *remote_mach, char *username, -- char *old_passwd, char *new_pw, -+static NTSTATUS password_change(const char *remote_mach, -+ const char *username, -+ const char *old_passwd, const char *new_pw, - int local_flags) - { - NTSTATUS ret; --- -2.14.1 - - -From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 18 Aug 2017 16:14:57 +0200 -Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit b483340639157fe95777672f5723455c48c3c616) ---- - source3/utils/smbpasswd.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index b0e08cc0e58..92712e38f6b 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get) - *************************************************************/ - - static NTSTATUS password_change(const char *remote_mach, -- const char *username, -+ const char *domain, const char *username, - const char *old_passwd, const char *new_pw, - int local_flags) - { -@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach, - return NT_STATUS_UNSUCCESSFUL; - } - ret = remote_password_change(remote_mach, -- NULL, username, -+ 
domain, username, - old_passwd, new_pw, &err_str); - } else { - ret = local_password_change(username, local_flags, new_pw, -@@ -466,7 +466,8 @@ static int process_root(int local_flags) - } - } - -- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, -+ if (!NT_STATUS_IS_OK(password_change(remote_machine, -+ NULL, user_name, - old_passwd, new_passwd, - local_flags))) { - result = 1; -@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags) - exit(1); - } - -- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw, -- new_pw, 0))) { -+ if (!NT_STATUS_IS_OK(password_change(remote_machine, -+ NULL, user_name, -+ old_pw, new_pw, 0))) { - result = 1; - goto done; - } --- -2.14.1 - - -From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 18 Aug 2017 16:17:08 +0200 -Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name - in smbpasswd - -If a local user wants to change his password using smbpasswd and the -machine is a domain member, we need to make sure we authenticate against -our SAM and not ask winbind. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02) ---- - source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++----- - 1 file changed, 27 insertions(+), 5 deletions(-) - -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 92712e38f6b..556e6869da7 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -58,7 +58,7 @@ static void usage(void) - printf(" -c smb.conf file Use the given path to the smb.conf file\n"); - printf(" -D LEVEL debug level\n"); - printf(" -r MACHINE remote machine\n"); -- printf(" -U USER remote username\n"); -+ printf(" -U USER remote username (e.g. 
SAM/user)\n"); - - printf("extra options when run by root or in local mode:\n"); - printf(" -a add user\n"); -@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags) - - user_name[0] = '\0'; - -- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) { -+ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) { - switch(ch) { - case 'L': - if (getuid() != 0) { -@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags) - int result = 0; - char *old_pw = NULL; - char *new_pw = NULL; -+ const char *username = user_name; -+ const char *domain = NULL; -+ char *p = NULL; - - if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) { - /* Extra flags that we can't honor non-root */ -@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags) - } - } - -+ /* Allow domain as part of the username */ -+ if ((p = strchr_m(user_name, '\\')) || -+ (p = strchr_m(user_name, '/')) || -+ (p = strchr_m(user_name, *lp_winbind_separator()))) { -+ *p = '\0'; -+ username = p + 1; -+ domain = user_name; -+ } -+ - /* - * A non-root user is always setting a password - * via a remote machine (even if that machine is -@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags) - - load_interfaces(); /* Delayed from main() */ - -- if (remote_machine == NULL) { -+ if (remote_machine != NULL) { -+ if (!is_ipaddress(remote_machine)) { -+ domain = remote_machine; -+ } -+ } else { - remote_machine = "127.0.0.1"; -+ -+ /* -+ * If we deal with a local user, change the password for the -+ * user in our SAM. 
-+ */ -+ domain = get_global_sam_name(); - } - - if (remote_machine != NULL) { -@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags) - } - - if (!NT_STATUS_IS_OK(password_change(remote_machine, -- NULL, user_name, -+ domain, username, - old_pw, new_pw, 0))) { - result = 1; - goto done; - } - -- printf("Password changed for user %s\n", user_name); -+ printf("Password changed for user %s\n", username); - - done: - SAFE_FREE(old_pw); --- -2.14.1 - - -From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 22 Aug 2017 15:46:07 +0200 -Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975 - -Review with: git show -U20 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlet -(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e) ---- - source3/utils/smbpasswd.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c -index 556e6869da7..fb7ad283995 100644 ---- a/source3/utils/smbpasswd.c -+++ b/source3/utils/smbpasswd.c -@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags) - domain = get_global_sam_name(); - } - -- if (remote_machine != NULL) { -- old_pw = get_pass("Old SMB password:",stdin_passwd_get); -- if (old_pw == NULL) { -- fprintf(stderr, "Unable to get old password.\n"); -- exit(1); -- } -+ old_pw = get_pass("Old SMB password:",stdin_passwd_get); -+ if (old_pw == NULL) { -+ fprintf(stderr, "Unable to get old password.\n"); -+ exit(1); - } - - if (!new_passwd) { --- -2.14.1 - diff --git a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch b/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch deleted file mode 100644 index 74daaa8..0000000 --- a/SOURCES/samba-v4.6-graceful_fsctl_validate_negotiate_info.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Tue, 30 May 2017 16:30:33 +0200 -Subject: [PATCH] libcli:smb2: Gracefully handle not supported for - FSCTL_VALIDATE_NEGOTIATE_INFO - -If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only -server then gracefully handle NT_STATUS_NOT_SUPPORTED too. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808 - -Signed-off-by: Andreas Schneider -Signed-off-by: Guenther Deschner -Pair-Programmed-With: Guenther Deschner -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Volker Lendecke -Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144 - -(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a) ---- - libcli/smb/smbXcli_base.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c -index a7b24f01497..593edf9ce78 100644 ---- a/libcli/smb/smbXcli_base.c -+++ b/libcli/smb/smbXcli_base.c -@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq) - tevent_req_done(req); - return; - } -+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { -+ /* -+ * The response was signed, but not supported -+ * -+ * This might be returned by older Windows versions or by -+ * NetApp SMB server implementations. -+ * -+ * See -+ * -+ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/ -+ * -+ */ -+ tevent_req_done(req); -+ return; -+ } - if (tevent_req_nterror(req, status)) { - return; - } --- -2.13.1.518.g3df882009-goog - diff --git a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch b/SOURCES/samba-v4.6-gss_krb5_import_cred.patch deleted file mode 100644 index 72f2904..0000000 --- a/SOURCES/samba-v4.6-gss_krb5_import_cred.patch +++ /dev/null 
@@ -1,543 +0,0 @@ -From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 3 Mar 2017 17:08:09 +0200 -Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher -(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108) ---- - wscript_configure_system_mitkrb5 | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 -index 06a9821..d3e8ebf 100644 ---- a/wscript_configure_system_mitkrb5 -+++ b/wscript_configure_system_mitkrb5 -@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN(''' - gsskrb5_extract_authz_data_from_sec_context - gss_krb5_export_lucid_sec_context - gss_import_cred gss_export_cred -+ gss_acquire_cred_from - ''', 'gssapi gssapi_krb5') - conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers) - conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5') --- -2.9.3 - - -From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 3 Mar 2017 16:14:57 +0200 -Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper - -Wrap gss_krb5_import_cred() to allow re-implementing it with -gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from() -works fine with GSSAPI interposer (GSS-proxy) while -gss_krb5_import_cred() is not interposed yet. - -The wrapper has additional parameter, krb5_context handle, to facilitate -with credentials cache name discovery. All our callers to -gss_krb5_import_cred() already have krb5 context handy. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d) ---- - lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++ - lib/krb5_wrap/gss_samba.h | 13 +++++ - 2 files changed, 134 insertions(+) - -diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c -index b444633..757ffc5 100644 ---- a/lib/krb5_wrap/gss_samba.c -+++ b/lib/krb5_wrap/gss_samba.c -@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid) - } - #endif /* !HAVE_GSS_OID_EQUAL */ - -+ -+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() -+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly -+ * interposed by GSSPROXY while gss_krb5_import_cred() is not. -+ * -+ * This wrapper requires a proper krb5_context to resolve ccache name. -+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
*/ -+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, -+ krb5_ccache id, krb5_principal keytab_principal, -+ krb5_keytab keytab, gss_cred_id_t *cred) -+{ -+ uint32_t major_status = 0; -+ -+#if HAVE_GSS_ACQUIRE_CRED_FROM -+ uint32_t minor = 0; -+ gss_key_value_element_desc ccache_element = { -+ .key = "ccache", -+ .value = NULL, -+ }; -+ -+ gss_key_value_element_desc keytab_element = { -+ .key = "keytab", -+ .value = NULL, -+ }; -+ -+ gss_key_value_element_desc elements[2]; -+ -+ gss_key_value_set_desc cred_store = { -+ .elements = &ccache_element, -+ .count = 1, -+ }; -+ -+ gss_OID_set mech_set = GSS_C_NO_OID_SET; -+ gss_cred_usage_t cred_usage = GSS_C_INITIATE; -+ gss_name_t name = NULL; -+ gss_buffer_desc pr_name = { -+ .value = NULL, -+ .length = 0, -+ }; -+ -+ if (id != NULL) { -+ major_status = krb5_cc_get_full_name(ctx, -+ id, -+ discard_const(&ccache_element.value)); -+ if (major_status != 0) { -+ return major_status; -+ } -+ } -+ -+ if (keytab != NULL) { -+ keytab_element.value = malloc(4096); -+ if (!keytab_element.value) { -+ return ENOMEM; -+ } -+ major_status = krb5_kt_get_name(ctx, -+ keytab, -+ discard_const(keytab_element.value), 4096); -+ if (major_status != 0) { -+ free(discard_const(keytab_element.value)); -+ return major_status; -+ } -+ cred_usage = GSS_C_ACCEPT; -+ cred_store.elements = &keytab_element; -+ -+ if (keytab_principal != NULL) { -+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value); -+ if (major_status != 0) { -+ free(discard_const(keytab_element.value)); -+ return major_status; -+ } -+ pr_name.length = strlen(pr_name.value); -+ -+ major_status = gss_import_name(minor_status, -+ &pr_name, -+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME), -+ &name); -+ if (major_status != 0) { -+ krb5_free_unparsed_name(ctx, pr_name.value); -+ free(discard_const(keytab_element.value)); -+ return major_status; -+ } -+ } -+ } -+ -+ if (id != NULL && keytab != NULL) { -+ elements[0] = ccache_element; -+ 
elements[1] = keytab_element; -+ -+ cred_store.elements = elements; -+ cred_store.count = 2; -+ cred_usage = GSS_C_BOTH; -+ } -+ -+ major_status = gss_acquire_cred_from(minor_status, -+ name, -+ 0, -+ mech_set, -+ cred_usage, -+ &cred_store, -+ cred, -+ NULL, -+ NULL); -+ -+ if (pr_name.value != NULL) { -+ (void)gss_release_name(&minor, &name); -+ krb5_free_unparsed_name(ctx, pr_name.value); -+ } -+ if (keytab_element.value != NULL) { -+ free(discard_const(keytab_element.value)); -+ } -+ krb5_free_string(ctx, discard_const(ccache_element.value)); -+#else -+ major_status = gss_krb5_import_cred(minor_status, -+ id, -+ keytab_principal, -+ keytab, cred); -+#endif -+ return major_status; -+} -+ -+ - #endif /* HAVE_GSSAPI */ -diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h -index 5319932..89aee34 100644 ---- a/lib/krb5_wrap/gss_samba.h -+++ b/lib/krb5_wrap/gss_samba.h -@@ -25,6 +25,7 @@ - #ifdef HAVE_GSSAPI - - #include "system/gssapi.h" -+#include "krb5_samba.h" - - #if defined(HAVE_GSS_OID_EQUAL) - #define smb_gss_oid_equal gss_oid_equal -@@ -32,5 +33,17 @@ - int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid); - #endif /* HAVE_GSS_OID_EQUAL */ - -+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from() -+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly -+ * interposed by GSS-proxy while gss_krb5_import_cred() is not. -+ * -+ * This wrapper requires a proper krb5_context to resolve the ccache name for -+ * gss_acquire_cred_from(). -+ * -+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. 
*/ -+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, -+ krb5_ccache id, krb5_principal keytab_principal, -+ krb5_keytab keytab, gss_cred_id_t *cred); -+ - #endif /* HAVE_GSSAPI */ - #endif /* _GSS_SAMBA_H */ --- -2.9.3 - - -From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 3 Mar 2017 16:57:13 +0200 -Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher -(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1) ---- - auth/credentials/credentials_krb5.c | 22 +++++++++++++--------- - 1 file changed, 13 insertions(+), 9 deletions(-) - -diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c -index e974df9..0e68012 100644 ---- a/auth/credentials/credentials_krb5.c -+++ b/auth/credentials/credentials_krb5.c -@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, - return ENOMEM; - } - -- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, -- &gcc->creds); -+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, -+ ccache->ccache, NULL, NULL, -+ &gcc->creds); - if ((maj_stat == GSS_S_FAILURE) && - (min_stat == (OM_uint32)KRB5_CC_END || - min_stat == (OM_uint32)KRB5_CC_NOTFOUND || -@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, - return ret; - } - -- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, -- &gcc->creds); -+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context, -+ ccache->ccache, NULL, NULL, -+ &gcc->creds); - - } - -@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, - } else { - ret = EINVAL; - } -- (*error_string) = talloc_asprintf(cred, 
"gss_krb5_import_cred failed: %s", error_message(ret)); -+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret)); - return ret; - } - -@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, - - if (ktc->password_based || obtained < CRED_SPECIFIED) { - /* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */ -- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab, -- &gcc->creds); -+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, -+ NULL, NULL, ktc->keytab, -+ &gcc->creds); - } else { - /* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */ -- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab, -- &gcc->creds); -+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context, -+ NULL, princ, ktc->keytab, -+ &gcc->creds); - } - if (maj_stat) { - if (min_stat) { --- -2.9.3 - - -From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 3 Mar 2017 16:57:50 +0200 -Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9) ---- - source3/libads/sasl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c -index 8570788..30127fa 100644 ---- a/source3/libads/sasl.c -+++ b/source3/libads/sasl.c -@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred) - goto done; - } - -- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred); -+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred); - if (maj != GSS_S_COMPLETE) { - status = ADS_ERROR_GSS(maj, min); - goto done; --- -2.9.3 - 
- -From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 3 Mar 2017 16:58:14 +0200 -Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7) ---- - source3/librpc/crypto/gse.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index abf20bc..f4238f3 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - /* TODO: get krb5 ticket using username/password, if no valid - * one already available in ccache */ - -- gss_maj = gss_krb5_import_cred(&gss_min, -- gse_ctx->ccache, -- NULL, /* keytab_principal */ -- NULL, /* keytab */ -- &gse_ctx->creds); -+ gss_maj = smb_gss_krb5_import_cred(&gss_min, -+ gse_ctx->k5ctx, -+ gse_ctx->ccache, -+ NULL, /* keytab_principal */ -+ NULL, /* keytab */ -+ &gse_ctx->creds); - if (gss_maj) { - char *ccache = NULL; - int kret; -@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, - ccache = NULL; - } - -- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -" -+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -" - "the caller may retry after a kinit.\n", - ccache, gse_errstr(gse_ctx, gss_maj, gss_min))); - SAFE_FREE(ccache); -@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, - } - - /* This creates a GSSAPI cred_id_t with the keytab set */ -- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab, -- &gse_ctx->creds); -+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx, -+ NULL, NULL, gse_ctx->keytab, -+ &gse_ctx->creds); - - if (gss_maj != 0 - && gss_maj != 
(GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { -- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n", -+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", - gse_errstr(gse_ctx, gss_maj, gss_min))); - status = NT_STATUS_INTERNAL_ERROR; - goto done; --- -2.9.3 - - -From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 8 Mar 2017 12:38:49 +0200 -Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred - wrapper - -MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing -credentials from a keytab without specifying actual principal. -This was fixed in MIT krb5 1.9.2 (see commit -71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git -master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5). - -Move fallback code to the smb_gss_krb5_import_cred wrapper. We only -expect this fallback to happen with krb5 GSSAPI mechanism, thus hard -code use of krb5 mech when calling to gss_acquire_cred. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611 - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Alexander Bokovoy -Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144 - -(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32) ---- - lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++--- - source3/librpc/crypto/gse.c | 49 +-------------------------------------------- - 2 files changed, 44 insertions(+), 51 deletions(-) - -diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c -index 757ffc5..9e5ad4a 100644 ---- a/lib/krb5_wrap/gss_samba.c -+++ b/lib/krb5_wrap/gss_samba.c -@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx, - krb5_free_string(ctx, discard_const(ccache_element.value)); - #else - major_status = gss_krb5_import_cred(minor_status, -- id, -- keytab_principal, -- keytab, cred); -+ id, -+ keytab_principal, -+ keytab, cred); -+ -+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { -+ if ((keytab_principal == NULL) && (keytab != NULL)) { -+ /* No principal was specified and MIT krb5 1.9 version failed. 
-+ * We have to fall back to set global acceptor identity */ -+ gss_OID_set_desc mech_set; -+ char *kt_name = NULL; -+ -+ kt_name = malloc(4096); -+ if (!kt_name) { -+ return ENOMEM; -+ } -+ -+ major_status = krb5_kt_get_name(ctx, -+ keytab, -+ kt_name, 4096); -+ if (major_status != 0) { -+ free(kt_name); -+ return major_status; -+ } -+ -+ major_status = gsskrb5_register_acceptor_identity(kt_name); -+ if (major_status) { -+ free(kt_name); -+ return major_status; -+ } -+ -+ /* We are dealing with krb5 GSSAPI mech in this fallback */ -+ mech_set.count = 1; -+ mech_set.elements = gss_mech_krb5; -+ major_status = gss_acquire_cred(minor_status, -+ GSS_C_NO_NAME, -+ GSS_C_INDEFINITE, -+ &mech_set, -+ GSS_C_ACCEPT, -+ cred, -+ NULL, NULL); -+ free(kt_name); -+ } -+ } - #endif - return major_status; - } -diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c -index f4238f3..a111320 100644 ---- a/source3/librpc/crypto/gse.c -+++ b/source3/librpc/crypto/gse.c -@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx, - NULL, NULL, gse_ctx->keytab, - &gse_ctx->creds); - -- if (gss_maj != 0 -- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) { -+ if (gss_maj != 0) { - DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n", - gse_errstr(gse_ctx, gss_maj, gss_min))); - status = NT_STATUS_INTERNAL_ERROR; - goto done; -- -- /* This is the error the MIT krb5 1.9 gives when it -- * implements the function, but we do not specify the -- * principal. However, when we specify the principal -- * as host$@REALM the GSS acceptor fails with 'wrong -- * principal in request'. Work around the issue by -- * falling back to the alternate approach below. */ -- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) -- /* FIXME!!! -- * This call sets the default keytab for the whole server, not -- * just for this context. Need to find a way that does not alter -- * the state of the whole server ... 
*/ -- { -- const char *ktname; -- gss_OID_set_desc mech_set; -- -- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx, -- gse_ctx->keytab, &ktname); -- if (ret) { -- status = NT_STATUS_INTERNAL_ERROR; -- goto done; -- } -- -- ret = gsskrb5_register_acceptor_identity(ktname); -- if (ret) { -- status = NT_STATUS_INTERNAL_ERROR; -- goto done; -- } -- -- mech_set.count = 1; -- mech_set.elements = &gse_ctx->gss_mech; -- -- gss_maj = gss_acquire_cred(&gss_min, -- GSS_C_NO_NAME, -- GSS_C_INDEFINITE, -- &mech_set, -- GSS_C_ACCEPT, -- &gse_ctx->creds, -- NULL, NULL); -- -- if (gss_maj) { -- DEBUG(0, ("gss_acquire_creds failed with [%s]\n", -- gse_errstr(gse_ctx, gss_maj, gss_min))); -- status = NT_STATUS_INTERNAL_ERROR; -- goto done; -- } - } - - status = NT_STATUS_OK; --- -2.9.3 - diff --git a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch b/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch deleted file mode 100644 index 73c72cd..0000000 --- a/SOURCES/samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 10 Mar 2017 16:20:06 +0200 -Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Implement a small Python module that exposes arcfour_crypt_blob() -function widely used in Samba C code. - -When Samba Python bindings are used to call LSA CreateTrustedDomainEx2, -there is a need to encrypt trusted credentials with RC4 cipher. - -Current Samba Python code relies on Python runtime to provide RC4 -cipher. However, in FIPS 140-2 mode system crypto libraries do not -provide access RC4 cipher at all. According to Microsoft dochelp team, -Windows is treating AuthenticationInformation blob encryption as 'plain -text' in terms of FIPS 140-2, thus doing application-level encryption. - -Replace samba.arcfour_encrypt() implementation with a call to -samba.crypto.arcfour_crypt_blob(). - -Signed-off-by: Alexander Bokovoy -Reviewed-by: Simo Sorce -Reviewed-by: Guenther Deschner - -Autobuild-User(master): Günther Deschner -Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144 - -(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c) ---- - lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++ - lib/crypto/wscript_build | 7 ++++ - python/samba/__init__.py | 16 ++------- - 3 files changed, 99 insertions(+), 14 deletions(-) - create mode 100644 lib/crypto/py_crypto.c - -diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c -new file mode 100644 -index 0000000..bf7f9f4 ---- /dev/null -+++ b/lib/crypto/py_crypto.c -@@ -0,0 +1,90 @@ -+/* -+ Unix SMB/CIFS implementation. 
-+ Samba crypto functions -+ -+ Copyright (C) Alexander Bokovoy 2017 -+ -+ This program is free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; either version 3 of the License, or -+ (at your option) any later version. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see . -+*/ -+ -+#include -+#include "includes.h" -+#include "python/py3compat.h" -+#include "lib/crypto/arcfour.h" -+ -+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs) -+{ -+ DATA_BLOB data, key; -+ PyObject *py_data, *py_key, *result; -+ TALLOC_CTX *ctx; -+ -+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key)) -+ return NULL; -+ -+ if (!PyBytes_Check(py_data)) { -+ PyErr_Format(PyExc_TypeError, "bytes expected"); -+ return NULL; -+ } -+ -+ if (!PyBytes_Check(py_key)) { -+ PyErr_Format(PyExc_TypeError, "bytes expected"); -+ return NULL; -+ } -+ -+ ctx = talloc_new(NULL); -+ -+ data.length = PyBytes_Size(py_data); -+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length); -+ if (!data.data) { -+ talloc_free(ctx); -+ return PyErr_NoMemory(); -+ } -+ -+ key.data = (uint8_t *)PyBytes_AsString(py_key); -+ key.length = PyBytes_Size(py_key); -+ -+ arcfour_crypt_blob(data.data, data.length, &key); -+ -+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length); -+ talloc_free(ctx); -+ return result; -+} -+ -+ -+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n" -+ "Encrypt the data with RC4 algorithm using the key"; -+ -+static PyMethodDef py_crypto_methods[] = { -+ { 
"arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc }, -+ { NULL }, -+}; -+ -+static struct PyModuleDef moduledef = { -+ PyModuleDef_HEAD_INIT, -+ .m_name = "crypto", -+ .m_doc = "Crypto functions required for SMB", -+ .m_size = -1, -+ .m_methods = py_crypto_methods, -+}; -+ -+MODULE_INIT_FUNC(crypto) -+{ -+ PyObject *m; -+ -+ m = PyModule_Create(&moduledef); -+ if (m == NULL) -+ return NULL; -+ -+ return m; -+} -diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build -index 7f94532..d1f152e 100644 ---- a/lib/crypto/wscript_build -+++ b/lib/crypto/wscript_build -@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO', - autoproto='test_proto.h', - deps='LIBCRYPTO' - ) -+ -+for env in bld.gen_python_environments(): -+ bld.SAMBA_PYTHON('python_crypto', -+ source='py_crypto.c', -+ deps='LIBCRYPTO', -+ realname='samba/crypto.so' -+ ) -diff --git a/python/samba/__init__.py b/python/samba/__init__.py -index 19d5e38..fa4244a 100644 ---- a/python/samba/__init__.py -+++ b/python/samba/__init__.py -@@ -371,20 +371,8 @@ def string_to_byte_array(string): - return blob - - def arcfour_encrypt(key, data): -- try: -- from Crypto.Cipher import ARC4 -- c = ARC4.new(key) -- return c.encrypt(data) -- except ImportError as e: -- pass -- try: -- from M2Crypto.RC4 import RC4 -- c = RC4(key) -- return c.update(data) -- except ImportError as e: -- pass -- raise Exception("arcfour_encrypt() requires " + -- "python*-crypto or python*-m2crypto or m2crypto") -+ from samba.crypto import arcfour_crypt_blob -+ return arcfour_crypt_blob(data, key) - - import _glue - version = _glue.version --- -2.9.3 - diff --git a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch b/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch deleted file mode 100644 index f2f7cb6..0000000 --- a/SOURCES/samba-v4.7-config-dynamic-rpc-port-range.patch +++ /dev/null 
@@ -1,405 +0,0 @@ -From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 16 Jan 2017 11:43:12 +0100 -Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows - -Since Windows Server 2008 Microsoft uses a different port range for RPC -services. Before it was 1024-65535 and they changed it to 49152-65535. - -We should use the same range as these are the ports the firewall in AD -networks normally allow. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 - -Signed-off-by: Andreas Schneider -Reviewed-by: Stefan Metzmacher -(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3) ---- - source3/rpc_server/rpc_server.c | 4 ++-- - source4/smbd/service_stream.c | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c -index 5effe66d9bb..37fe68fc36d 100644 ---- a/source3/rpc_server/rpc_server.c -+++ b/source3/rpc_server/rpc_server.c -@@ -34,8 +34,8 @@ - #include "rpc_server/srv_pipe_hnd.h" - #include "rpc_server/srv_pipe.h" - --#define SERVER_TCP_LOW_PORT 1024 --#define SERVER_TCP_HIGH_PORT 1300 -+#define SERVER_TCP_LOW_PORT 49152 -+#define SERVER_TCP_HIGH_PORT 65535 - - /* Creates a pipes_struct and initializes it with the information - * sent from the client */ -diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c -index f0a379acf6a..96a303fc6a9 100644 ---- a/source4/smbd/service_stream.c -+++ b/source4/smbd/service_stream.c -@@ -30,8 +30,8 @@ - #include "lib/util/util_net.h" - - /* the range of ports to try for dcerpc over tcp endpoints */ --#define SERVER_TCP_LOW_PORT 1024 --#define SERVER_TCP_HIGH_PORT 1300 -+#define SERVER_TCP_LOW_PORT 49152 -+#define SERVER_TCP_HIGH_PORT 65535 - - /* size of listen() backlog in smbd */ - #define SERVER_LISTEN_BACKLOG 10 --- -2.11.0 - - -From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 16 
Jan 2017 12:05:09 +0100 -Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC - services - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Andreas Schneider -Signed-off-by: Stefan Metzmacher -(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d) ---- - docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++-- - .../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++ - lib/param/loadparm.c | 47 ++++++++++++++++++++++ - lib/param/loadparm.h | 9 ++++- - lib/param/param.h | 3 ++ - python/samba/tests/docs.py | 11 +++-- - source3/include/proto.h | 2 + - source3/param/loadparm.c | 16 ++++++++ - source3/rpc_server/rpc_server.c | 5 +-- - source4/smbd/service_stream.c | 8 ++-- - 10 files changed, 120 insertions(+), 17 deletions(-) - create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml - -diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml -index 8a70835612f..0fd87d69212 100644 ---- a/docs-xml/smbdotconf/protocol/rpcserverport.xml -+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml -@@ -4,11 +4,19 @@ - xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - - Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic. -- This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used. -- The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000. -+ This controls the default port for all protocols, except for NETLOGON. -+ If unset, the first available port from is used, e.g. 49152. -+ The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000. - Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000. 
- -+ This option applies currently only when -+ samba 8 -+ runs as an active directory domain controller. -+ -+ The default value 0 causes Samba to select the first available port from . - --The default value 0 causes Samba to select the first available port after 1024. -+ -+rpc server dynamic port range -+ - 0 - -diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml -new file mode 100644 -index 00000000000..a9c51d2fe41 ---- /dev/null -+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml -@@ -0,0 +1,22 @@ -+ -+ -+ -+ This parameter tells the RPC server which port range it is -+ allowed to use to create a listening socket for LSA, SAM, -+ Netlogon and others without wellknown tcp ports. -+ The first value is the lowest number of the port -+ range and the second the hightest. -+ -+ -+ This applies to RPC servers in all server roles. -+ -+ -+ -+rpc server port -+ -+49152-65535 -+ -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 6aa757f7c6b..3b54ff232aa 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx) - return lp_ctx->sDefault; - } - -+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx) -+{ -+ return lp_ctx->globals->rpc_low_port; -+} -+ -+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) -+{ -+ return lp_ctx->globals->rpc_high_port; -+} -+ - /** - * Convenience routine to grab string parameters into temporary memory - * and run standard_sub_basic on them. 
-@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service * - return true; - } - -+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx, -+ struct loadparm_service *service, -+ const char *pszParmValue, -+ char **ptr) -+{ -+ int low_port = -1, high_port = -1; -+ int rc; -+ -+ if (pszParmValue == NULL || pszParmValue[0] == '\0') { -+ return false; -+ } -+ -+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port); -+ if (rc != 2) { -+ return false; -+ } -+ -+ if (low_port > high_port) { -+ return false; -+ } -+ -+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) { -+ return false; -+ } -+ -+ lp_ctx->globals->rpc_low_port = low_port; -+ lp_ctx->globals->rpc_high_port = high_port; -+ -+ return true; -+} -+ - bool handle_smb2_max_credits(struct loadparm_context *lp_ctx, - struct loadparm_service *service, - const char *pszParmValue, char **ptr) -@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global); - /* This appears odd, but globals in s3 isn't a pointer */ - lp_ctx->globals->ctx = lp_ctx->globals; -+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT; -+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT; - lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service); - lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters()); - -@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - - lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all"); - -+ lpcfg_do_global_parameter(lp_ctx, -+ "rpc server dynamic port range", -+ "49152-65535"); -+ - /* Allow modules to adjust defaults */ - for (defaults_hook = defaults_hooks; defaults_hook; - defaults_hook = defaults_hook->next) { -diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h -index f9fb7d8d804..c63683d6b66 100644 ---- a/lib/param/loadparm.h -+++ b/lib/param/loadparm.h 
-@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX, - #endif /* DEVELOPER */ - }; - -+#define SERVER_TCP_LOW_PORT 49152 -+#define SERVER_TCP_HIGH_PORT 65535 -+ -+#define SERVER_TCP_PORT_MIN 1024 -+#define SERVER_TCP_PORT_MAX 65535 - - - -@@ -272,7 +277,9 @@ enum inheritowner_options { - #define LOADPARM_EXTRA_GLOBALS \ - struct parmlist_entry *param_opt; \ - char *dnsdomain; \ -- char *realm_original; -+ char *realm_original; \ -+ int rpc_low_port; \ -+ int rpc_high_port; - - const char* server_role_str(uint32_t role); - int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master); -diff --git a/lib/param/param.h b/lib/param/param.h -index 66037e2ef1b..e123e67a990 100644 ---- a/lib/param/param.h -+++ b/lib/param/param.h -@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx, - time_t *usr_tkt_lifetime, - time_t *renewal_lifetime); - -+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx); -+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx); -+ - /* The following definitions come from lib/version.c */ - - const char *samba_version_string(void); -diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py -index 22e022583f6..65df573a350 100644 ---- a/python/samba/tests/docs.py -+++ b/python/samba/tests/docs.py -@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase): - 'lprm command', 'lpq command', 'print command', 'template homedir', - 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build', - 'max open files', 'fss: prune stale', 'fss: sequence timeout', -- 'include system krb5 conf']) -+ 'include system krb5 conf', 'rpc server dynamic port range']) - - def setUp(self): - super(SmbDotConfTests, self).setUp() -@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase): - exceptions = ['client lanman auth', - 'client plaintext auth', - 'registry shares', -- 'smb ports']) -+ 'smb ports', -+ 'rpc server dynamic port range']) - self._test_empty(['bin/testparm']) 
- - def test_default_s4(self): - self._test_default(['bin/samba-tool', 'testparm']) - self._set_defaults(['bin/samba-tool', 'testparm']) - self._set_arbitrary(['bin/samba-tool', 'testparm'], -- exceptions = ['smb ports']) -+ exceptions = ['smb ports', -+ 'rpc server dynamic port range']) - self._test_empty(['bin/samba-tool', 'testparm']) - - def _test_default(self, program): -@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase): - - for tuples in self.defaults: - param, default, context, param_type = tuples -+ - if param in self.special_cases: - continue - section = None -@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase): - for tuples in self.defaults: - param, default, context, param_type = tuples - -- if param in ['printing']: -+ if param in ['printing', 'rpc server dynamic port range']: - continue - - section = None -diff --git a/source3/include/proto.h b/source3/include/proto.h -index 642900ed67c..b3d3ca0e5d1 100644 ---- a/source3/include/proto.h -+++ b/source3/include/proto.h -@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void); - int lp_smb2_max_credits(void); - int lp_cups_encrypt(void); - bool lp_widelinks(int ); -+int lp_rpc_low_port(void); -+int lp_rpc_high_port(void); - - int lp_wi_scan_global_parametrics( - const char *regex, size_t max_matches, -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index d8da749ccba..2c8380067f6 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - - Globals.aio_max_threads = 100; - -+ lpcfg_string_set(Globals.ctx, -+ &Globals.rpc_server_dynamic_port_range, -+ "49152-65535"); -+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT; -+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT; -+ - /* Now put back the settings that were set with lp_set_cmdline() */ - apply_lp_set_cmdline(); - } -@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void) - return client_ipc_signing; - } - -+int lp_rpc_low_port(void) 
-+{ -+ return Globals.rpc_low_port; -+} -+ -+int lp_rpc_high_port(void) -+{ -+ return Globals.rpc_high_port; -+} -+ - struct loadparm_global * get_globals(void) - { - return &Globals; -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c -index 37fe68fc36d..f7fb8ef5207 100644 ---- a/source3/rpc_server/rpc_server.c -+++ b/source3/rpc_server/rpc_server.c -@@ -34,9 +34,6 @@ - #include "rpc_server/srv_pipe_hnd.h" - #include "rpc_server/srv_pipe.h" - --#define SERVER_TCP_LOW_PORT 49152 --#define SERVER_TCP_HIGH_PORT 65535 -- - /* Creates a pipes_struct and initializes it with the information - * sent from the client */ - int make_server_pipes_struct(TALLOC_CTX *mem_ctx, -@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port) - if (*port == 0) { - uint16_t i; - -- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) { -+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) { - fd = open_socket_in(SOCK_STREAM, - i, - 0, -diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c -index 96a303fc6a9..deb96d8d69d 100644 ---- a/source4/smbd/service_stream.c -+++ b/source4/smbd/service_stream.c -@@ -29,10 +29,6 @@ - #include "../lib/tsocket/tsocket.h" - #include "lib/util/util_net.h" - --/* the range of ports to try for dcerpc over tcp endpoints */ --#define SERVER_TCP_LOW_PORT 49152 --#define SERVER_TCP_HIGH_PORT 65535 -- - /* size of listen() backlog in smbd */ - #define SERVER_LISTEN_BACKLOG 10 - -@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx, - if (!port) { - status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0); - } else if (*port == 0) { -- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) { -+ for (i = lpcfg_rpc_low_port(lp_ctx); -+ i <= lpcfg_rpc_high_port(lp_ctx); -+ i++) { - socket_address->port = i; - status = socket_listen(stream_socket->sock, socket_address, - SERVER_LISTEN_BACKLOG, 0); --- -2.11.0 - 
diff --git a/SOURCES/smb.conf.vendor b/SOURCES/smb.conf.vendor index 86c0aac..fe3f806 100644 --- a/SOURCES/smb.conf.vendor +++ b/SOURCES/smb.conf.vendor @@ -31,6 +31,7 @@ [print$] comment = Printer Drivers path = /var/lib/samba/drivers - write list = root + write list = @printadmin root + force group = @printadmin create mask = 0664 directory mask = 0775 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 538d62f..09e2455 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,13 +6,13 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 12 +%define main_release 6 -%define samba_version 4.6.2 +%define samba_version 4.7.1 %define talloc_version 2.1.9 -%define tdb_version 1.3.12 -%define tevent_version 0.9.31 -%define ldb_version 1.1.29 +%define tdb_version 1.3.14 +%define tevent_version 0.9.33 +%define ldb_version 1.2.2 # This should be rc1 or nil %define pre_release %nil @@ -36,9 +36,11 @@ %global with_profiling 1 -%global with_vfs_cephfs 1 -%if 0%{?rhel} %global with_vfs_cephfs 0 +%if 0%{?fedora} +%ifarch aarch64 ppc64le s390x x86_64 +%global with_vfs_cephfs 1 +%endif %endif %global with_vfs_glusterfs 1 @@ -50,18 +52,25 @@ %endif %endif -%global libwbc_alternatives_version 0.13 +%global with_intel_aes_accel 0 +%ifarch x86_64 +%global with_intel_aes_accel 1 +%endif + +%global libwbc_alternatives_version 0.14 %global libwbc_alternatives_suffix %nil %if 0%{?__isa_bits} == 64 %global libwbc_alternatives_suffix -64 %endif %global with_mitkrb5 1 +%global with_dc 1 + +%if 0%{?rhel} %global with_dc 0 +%endif %if %{with testsuite} -# The testsuite only works with a full build right now. -%global with_mitkrb5 0 %global with_dc 1 %endif 
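Review bot: `write list = @printadmin root` lets every member of printadmin replace the driver binaries under `/var/lib/samba/drivers` that Windows clients download from [print$] and load into their spooler, so membership in that group is effectively a code-execution grant on those clients and the vendor file should say so next to the share, e.g. `# printadmin members can upload and replace printer drivers served to clients - treat as admin-equivalent`. Also worth a quick connection test that `force group = @printadmin` resolves: the documented `force group` syntax is a bare group name with an optional `+` prefix, and if the group lookup fails I would expect the connection to [print$] to be refused rather than the forced group silently not applying.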
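Review bot: `+%global with_dc 1` makes the AD DC a default build (disabled only under `%if 0%{?rhel}`) while `with_mitkrb5 1` stays, so the DC is now built against the system MIT Kerberos; upstream's 4.7 release notes describe the MIT KDC backend as experimental and not for production use, and nothing in the spec records that. A comment on that line, `# AD DC is built against system MIT krb5 - experimental upstream in 4.7, see WHATSNEW`, plus a matching sentence in README.dc, would warn anyone who enables samba.service. Dropping the testsuite override that used to force `with_mitkrb5 0` is consistent with this choice, but it means the test build no longer exercises the Heimdal path at all, which is worth stating too.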
@@ -95,8 +104,9 @@ Summary: Server and Client software to interoperate with Windows machines License: GPLv3+ and LGPLv3+ URL: http://www.samba.org/ +# This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.gz Source0: samba-%{version}%{pre_release}.tar.xz -Source1: samba-%{version}%{pre_release}.tar.asc +Source1: https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.asc Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg # Red Hat specific replacement-files 
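Review bot: The comment above `Source0` says the tarball is an xz recompression of upstream's .tar.gz but not why that matters: the detached `.tar.asc` now fetched from ftp.samba.org signs the uncompressed tar, which is why %prep pipes `xzcat %{SOURCE0}` into `gpgv2` with the pinned keyring in Source2. Say so in the comment, e.g. `# xz recompression of upstream's .tar.gz; the upstream signature covers the plain tar, so %prep verifies it via xzcat | gpgv2 --keyring`, so nobody later "simplifies" the check into verifying the .xz file and breaks it. It is the keyring, not the https URL, that establishes trust in Source1.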
@@ -109,30 +119,14 @@ Source14: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-v4.6-gss_krb5_import_cred.patch -Patch1: samba-v4.6-credentials-fix-realm.patch -Patch2: samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch -Patch3: samba-v4-6-fix-building-with-new-glibc.patch -Patch4: samba-v4-6-fix-cross-realm-refferals.patch -Patch5: samba-v4-6-fix-kerberos-debug-message.patch -Patch6: samba-v4-6-fix-net-ads-keytab-handling.patch -Patch7: samba-v4-6-fix_winbind_child_crash.patch -Patch8: samba-v4-6-fix_path_substitutions.patch -Patch9: samba-v4-6-fix-spoolss-32bit-driver-upload.patch -Patch10: CVE-2017-7494.patch -Patch11: samba-v4-6-fix-vfs-expand-msdfs.patch -Patch12: samba-v4.7-config-dynamic-rpc-port-range.patch -Patch13: samba-v4-6-fix_smbclient_session_setup_info.patch -Patch14: samba-v4-6-fix_smbclient_username_parsing.patch -Patch15: samba-v4-6-fix_winbind_normalize_names.patch -Patch16: samba-v4-6-fix_net_ads_changetrustpw.patch -Patch17: samba-v4.6-fix_smbpasswd_user_pwd_change.patch -Patch18: samba-v4.6-graceful_fsctl_validate_negotiate_info.patch -Patch19: CVE-2017-12150.patch -Patch20: CVE-2017-12151.patch -Patch21: CVE-2017-12163.patch -Patch22: CVE-2017-14746.patch -Patch23: CVE-2017-15275.patch +Patch0: CVE-2017-14746.patch +Patch1: CVE-2017-15275.patch +Patch2: samba-4.7-fix_smbclient_volume.patch +Patch3: samba-4.7-fix_samba_with_systemd.patch +Patch4: samba-4.7-net_ads_keytab_list.patch +Patch5: samba-4.7-fix_aesni_intel_support.patch +Patch6: samba-4.7-handle_smb_echo_gracefully.patch +Patch7: samba-4.7-fix_smb2_client_read_after_free.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -169,6 +163,7 @@ Obsoletes: samba-swat < %{samba_depver} Provides: samba4-swat = %{samba_depver} Obsoletes: samba4-swat < %{samba_depver} +BuildRequires: avahi-devel BuildRequires: cups-devel BuildRequires: dbus-devel BuildRequires: docbook-style-xsl 
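Review bot: The CVE-2017-12150, -12151 and -12163 patches are dropped while CVE-2017-14746 and CVE-2017-15275 stay as Patch0/Patch1; the three dropped fixes were part of upstream's 4.7.0 security release, so removing them on the 4.7.1 rebase should be right, but the %changelog (outside this chunk) should state that they are now in the base tarball so a later audit of the missing patch files does not read it as a regression. The two kept patch files keep their previous names, so it is not visible here whether they were regenerated against the 4.7.1 tree; a fuzz-free %prep is the thing to check before merging.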
@@ -181,20 +176,25 @@ BuildRequires: libaio-devel BuildRequires: libarchive-devel BuildRequires: libattr-devel BuildRequires: libcap-devel +BuildRequires: libcmocka-devel BuildRequires: libuuid-devel BuildRequires: libxslt BuildRequires: ncurses-devel BuildRequires: openldap-devel BuildRequires: pam-devel -#BuildRequires: perl-generators BuildRequires: perl(Test::More) BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Parse::Yapp) BuildRequires: popt-devel -BuildRequires: python-devel -#BuildRequires: python2-pygpgme -#BuildRequires: python2-subunit -BuildRequires: python-tevent +BuildRequires: python2-devel +BuildRequires: python-dns +# This is required to avoid packaging the in tree +# copy of Samba +BuildRequires: python-iso8601 +%if %{with testsuite} +BuildRequires: python2-pygpgme +BuildRequires: python2-subunit +%endif BuildRequires: quota-devel BuildRequires: readline-devel BuildRequires: sed @@ -209,12 +209,12 @@ BuildRequires: glusterfs-api-devel >= 3.4.0.16 BuildRequires: glusterfs-devel >= 3.4.0.16 %endif %if %{with_vfs_cephfs} -BuildRequires: libcephfs1-devel +BuildRequires: libcephfs-devel %endif %if %{with_dc} BuildRequires: gnutls-devel >= 3.4.7 # Required by samba-tool to run tests -BuildRequires: python-crypto +BuildRequires: python2-crypto %endif # pidl requirements @@ -228,21 +228,21 @@ BuildRequires: pytalloc-devel >= %{libtalloc_version} %endif %if ! %with_internal_tevent -%global libtevent_version 0.9.31 +%global libtevent_version 0.9.33 BuildRequires: libtevent-devel >= %{libtevent_version} BuildRequires: python-tevent >= %{libtevent_version} %endif %if ! %with_internal_ldb -%global libldb_version 1.1.29 +%global libldb_version 1.2.2 BuildRequires: libldb-devel >= %{libldb_version} BuildRequires: pyldb-devel >= %{libldb_version} %endif %if ! %with_internal_tdb -%global libtdb_version 1.3.12 +%global libtdb_version 1.3.14 BuildRequires: libtdb-devel >= %{libtdb_version} BuildRequires: python-tdb >= %{libtdb_version} 
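Review bot: The comment `# This is required to avoid packaging the in tree copy of Samba` above `BuildRequires: python-iso8601` says the opposite of what it means - it is Samba's bundled copy of iso8601 that must not be built and packaged; `# Required so that Samba's in-tree copy of python iso8601 is not built and packaged` reads correctly. `BuildRequires: python2-pygpgme` under `%if %{with testsuite}` here duplicates the one in the existing testsuite block a couple of hunks later (`ldb-tools` … `python2-pygpgme`); harmless, but consolidating both `python2-pygpgme` and `python2-subunit` into that single block avoids two places to keep in sync.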
@@ -250,16 +250,18 @@ BuildRequires: python-tdb >= %{libtdb_version} %if %{with testsuite} BuildRequires: ldb-tools -BuildRequires: libcmocka-devel +BuildRequires: tdb-tools BuildRequires: python2-pygpgme %endif +%if %{with_dc} +BuildRequires: krb5-server >= %{required_mit_krb5} +BuildRequires: bind +%endif + # filter out perl requirements pulled in from examples in the docdir. -%{?filter_setup: -%filter_provides_in %{_docdir} -%filter_requires_in %{_docdir} -%filter_setup -} +%global __requires_exclude_from ^%{_docdir}/.*$ +%global __provides_exclude_from ^%{_docdir}/.*$ ### SAMBA %description @@ -350,11 +352,20 @@ Summary: Samba AD Domain Controller Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} -Requires: %{name}-python = %{samba_depver} Requires: %{name}-winbind = %{samba_depver} %if %{with_dc} -# samba-tool requirements -Requires: python-crypto +# samba-tool requirements, explicitly require python2 right now +Requires: python2 +Requires: python2-%{name} = %{samba_depver} +Requires: python2-crypto + +### Note that samba-dc right now cannot be used with Python 3 +### so we should make sure it does use python2 explicitly +%if 0 +Requires: python3-crypto +Requires: python3-%{name} = %{samba_depver} +%endif +Requires: krb5-server >= %{required_mit_krb5} %endif Provides: samba4-dc = %{samba_depver} 
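Review bot: `Requires: python2-%{name} = %{samba_depver}` on the dc package names a package this spec does not appear to build: the Python subpackage is declared as `%package python` (i.e. `samba-python`, which the new python-test and python-dc subpackages require under exactly that name), so unless a `Provides: python2-%{name}` exists elsewhere in the spec, samba-dc becomes uninstallable. Either restore `Requires: %{name}-python = %{samba_depver}` or add the Provides next to `%package python`. The `%if 0` block carrying the python3 requirements is dead text whose purpose the preceding comment already explains; it can go.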
@@ -376,6 +387,20 @@ Obsoletes: samba4-dc-libs < %{samba_depver} The %{name}-dc-libs package contains the libraries needed by the DC to link against the SMB, RPC and other protocols. +### DC-BIND +%if %with_dc +%package dc-bind-dlz +Summary: Bind DLZ module for Samba AD +Requires: %{name}-common = %{samba_depver} +Requires: %{name}-dc-libs = %{samba_depver} +Requires: %{name}-dc = %{samba_depver} +Requires: bind + +%description dc-bind-dlz +The %{name}-dc-bind-dlz package contains the libraries for bind to manage all +name server related details of Samba AD. +%endif # with_dc + ### DEVEL %package devel Summary: Developer tools for Samba libraries @@ -394,7 +419,6 @@ libraries in the Samba suite. %if %{with_vfs_cephfs} %package vfs-cephfs Summary: Samba VFS module for Ceph distributed storage system -Requires: libcephfs1 Requires: %{name} = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -501,6 +525,7 @@ Requires: python-tevent Requires: python-tdb Requires: pyldb Requires: pytalloc +Requires: python-dns Provides: samba4-python = %{samba_depver} Obsoletes: samba4-python < %{samba_depver} @@ -509,6 +534,24 @@ Obsoletes: samba4-python < %{samba_depver} The %{name}-python package contains the Python libraries needed by programs that use SMB, RPC and other Samba provided protocols in Python programs. +%package python-test +Summary: Samba Python libraries +Requires: samba-python = %{samba_depver} + +%description python-test +The %{name}-python-test package contains the Python libraries used by the test suite of Samba. +If you want to run full set of Samba tests, you need to install this package. + +%if %{with_dc} +%package python-dc +Summary: Samba Python libraries for Samba AD +Requires: samba-python = %{samba_depver} + +%description python-dc +The %{name}-python-dc package contains the Python libraries needed by programs +managing Samba AD. +%endif + ### PIDL %package pidl Summary: Perl IDL compiler 
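Review bot: `Requires: bind` on dc-bind-dlz is a plain install-time dependency, but the package's files section later in this diff ships `%attr(770,root,named) %dir /var/lib/samba/bind-dns`, which needs the `named` group to exist at the moment rpm lays the directory down; with a plain Requires rpm may install this package before bind's scriptlets have created the group, in which case ownership silently falls back to root:root and BIND cannot open the DLZ database. Use `Requires(pre): bind` so the ordering is guaranteed, and consider a comment on the %attr line naming the group's origin.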
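Review bot: `%package python-test` reuses the summary `Samba Python libraries` verbatim from the main Python subpackage, so the two are indistinguishable in `rpm -qi`/`dnf info`; `Summary: Samba Python modules used by the Samba test suite` matches what the description says. In that description, "If you want to run full set of Samba tests" is missing an article: "the full set".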
@@ -724,13 +767,14 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %global _ldb_lib ,!ldb,!pyldb,!pyldb-util %endif -%global _samba4_libraries heimdal,!zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} +%global _samba_libraries !zlib,!popt%{_talloc_lib}%{_tevent_lib}%{_tdb_lib}%{_ldb_lib} -%global _samba4_idmap_modules idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 -%global _samba4_pdb_modules pdb_tdbsam,pdb_ldap,pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 -%global _samba4_auth_modules auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4 +%global _samba_idmap_modules idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2 +%global _samba_pdb_modules pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4 +%global _samba_auth_modules auth_wbc,auth_unix,auth_server,auth_script,auth_samba4 +%global _samba_vfs_modules vfs_dfs_samba4 -%global _samba4_modules %{_samba4_idmap_modules},%{_samba4_pdb_modules},%{_samba4_auth_modules} +%global _samba_modules %{_samba_idmap_modules},%{_samba_pdb_modules},%{_samba_auth_modules},%{_samba_vfs_modules} %global _libsmbclient %nil %global _libwbclient %nil @@ -743,7 +787,7 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %global _libwbclient wbclient, %endif -%global _samba4_private_libraries %{_libsmbclient}%{_libwbclient} +%global _samba_private_libraries %{_libsmbclient}%{_libwbclient} %configure \ --enable-fhs \ 
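Review bot: `_samba_auth_modules` still lists `auth_wbc` and `_samba_pdb_modules` still lists `pdb_wbc_sam` for `--with-shared-modules`, yet the files lists later in this diff drop `%{_libdir}/samba/auth/wbc.so` and `%{_libdir}/samba/pdb/wbc_sam.so`; if 4.7.1 still builds those modules the unpackaged .so files fail the build, and if it no longer does (my recollection is that they became test-only upstream) then naming them here is misleading. Either way, drop them from the two macros or re-add the files, with a one-line comment saying which applies. The `idmap_adex` → `idmap_ldap` swap would likewise benefit from `# idmap_adex removed upstream` if that is the reason.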
@@ -755,14 +799,14 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - --with-statedir=/var/lib/samba \ --with-cachedir=/var/lib/samba \ --disable-rpath-install \ - --with-shared-modules=%{_samba4_modules} \ - --bundled-libraries=%{_samba4_libraries} \ + --with-shared-modules=%{_samba_modules} \ + --bundled-libraries=%{_samba_libraries} \ --with-pam \ --with-pie \ --with-relro \ --without-fam \ %if (! %with_libsmbclient) || (! %with_libwbclient) - --private-libraries=%{_samba4_private_libraries} \ + --private-libraries=%{_samba_private_libraries} \ %endif %if %with_mitkrb5 --with-system-mitkrb5 \ @@ -782,6 +826,9 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} - %if %{with testsuite} --enable-selftest \ %endif +%if %with_intel_aes_accel + --accel-aes=intelaesni \ +%endif --with-systemd make %{?_smp_mflags} @@ -790,6 +837,18 @@ make %{?_smp_mflags} rm -rf %{buildroot} make %{?_smp_mflags} install DESTDIR=%{buildroot} +export PYTHON=%{__python2} +# Workaround: make sure all general Python shebangs are pointing to Python 2 +# otherwise it will not work when default python is different from Python 2. +# Samba tools aren't ready for Python 3 yet. +for i in %{buildroot}%{_bindir} %{buildroot}%{_sbindir} ; do + find $i \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; +done + install -d -m 0755 %{buildroot}/usr/{sbin,bin} install -d -m 0755 %{buildroot}%{_libdir}/security install -d -m 0755 %{buildroot}/var/lib/samba 
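Review bot: `export PYTHON=%{__python2}` is set after `make install` has already run and nothing in the shebang loop below reads it, so as written it is either dead or meant for a later step of %install that is outside this chunk; move it ahead of the install or drop it, and say which in a comment. The loop does its job, but `find … -exec grep -qsm1 … \; -exec sed -i … \;` forks two processes per file and `-s` hides unreadable-file errors; `grep -lZ '^#!.*\bpython' -- "$i"/* | xargs -0 -r sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|'` is the usual one-liner with the same effect.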
@@ -868,7 +927,11 @@ install -m 0644 %{SOURCE200} packaging/README.dc-libs %endif install -d -m 0755 %{buildroot}%{_unitdir} -for i in nmb smb winbind ; do +services="nmb smb winbind" +%if %with_dc +services="$services samba" +%endif +for i in $services ; do cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service done 
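Review bot: The `samba` (AD DC) unit now gets the same `Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba` injected as smb/nmb/winbind, so all four services share one FILE credential cache by path; if the DC and the standalone winbind or smb units are ever active together they will overwrite each other's tickets. That may be intended (the DC spawns its own smbd/winbindd), but a comment on the `services=` line saying so, and noting that `/run/samba` comes from the tmpfiles config applied in `%post common`, would make it deliberate. Minor: `cat … | sed` is a useless use of cat; `sed -e '…' packaging/systemd/$i.service >tmp$i.service` is equivalent.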
@@ -887,12 +950,37 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %if ! %with_dc for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ - %{_mandir}/man8/samba.8 \ - %{_mandir}/man8/samba-tool.8 \ - %{_libdir}/samba/ldb/ildap.so \ - %{_libdir}/samba/ldb/ldbsamba_extensions.so ; do - rm -f %{buildroot}$i + %{_libdir}/samba/libdnsserver-common-samba4.so \ + %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ + %{_mandir}/man8/samba.8 \ + %{_mandir}/man8/samba-tool.8 \ + %{_libdir}/samba/ldb/ildap.so \ + %{_libdir}/samba/ldb/ldbsamba_extensions.so \ + %{python_sitearch}/samba/dcerpc/dnsserver.so \ + %{python_sitearch}/samba/netcmd/fsmo.py* \ + %{python_sitearch}/samba/netcmd/rodc.py* \ + %{python_sitearch}/samba/kcc/__init__.py* \ + %{python_sitearch}/samba/kcc/debug.py* \ + %{python_sitearch}/samba/kcc/graph.py* \ + %{python_sitearch}/samba/kcc/graph_utils.py* \ + %{python_sitearch}/samba/kcc/kcc_utils.py* \ + %{python_sitearch}/samba/kcc/ldif_import_export.py* \ + %{python_sitearch}/samba/provision/__init__.py* \ + %{python_sitearch}/samba/provision/backend.py* \ + %{python_sitearch}/samba/provision/common.py* \ + %{python_sitearch}/samba/provision/kerberos.py* \ + %{python_sitearch}/samba/provision/kerberos_implementation.py* \ + %{python_sitearch}/samba/provision/sambadns.py* \ + %{python_sitearch}/samba/web_server/__init__.py* \ + %{python_sitearch}/samba/dckeytab.so \ + %{python_sitearch}/samba/dnsserver.py* \ + %{python_sitearch}/samba/drs_utils.py* \ + %{python_sitearch}/samba/dsdb.so \ + %{python_sitearch}/samba/dsdb_dns.so \ + %{python_sitearch}/samba/samdb.py* \ + %{python_sitearch}/samba/schema.py* \ + ; do + rm -f %{buildroot}$i done %endif 
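Review bot: The `%if ! %with_dc` cleanup removes DC-only Python files under `%{python_sitearch}`, while the rest of the new %install code (`export PYTHON=%{__python2}`, `find %{buildroot}%{python2_sitearch} …`) addresses the Python 2 tree as `%{python2_sitearch}`; on a distribution where `%{python_sitearch}` expands to the Python 3 directory, every `rm -f` here silently matches nothing and the DC modules stay in a non-DC build. Use `%{python2_sitearch}` consistently, which also makes the python2-only intent of the shebang rewrite explicit. With a list this long, `%exclude` entries in %files would be easier to keep in sync than a removal loop.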
@@ -900,6 +988,10 @@ done # the ldconfig-created links be recorded in the RPM. /sbin/ldconfig -N -n %{buildroot}%{_libdir} +# FIXME +find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete + + %if %{with testsuite} %check TDB_NO_FSYNC=1 make %{?_smp_mflags} test @@ -917,6 +1009,9 @@ TDB_NO_FSYNC=1 make %{?_smp_mflags} test %systemd_postun_with_restart smb.service %systemd_postun_with_restart nmb.service +%pre common +getent group printadmin >/dev/null || groupadd -r printadmin || : + %post common /sbin/ldconfig /usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/samba.conf @@ -949,6 +1044,15 @@ fi %post dc-libs -p /sbin/ldconfig %postun dc-libs -p /sbin/ldconfig + +%post dc +%systemd_post samba.service + +%preun dc +%systemd_preun samba.service + +%postun dc +%systemd_postun_with_restart samba.service %endif %post krb5-printing 
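Review bot: The bare `# FIXME` above `find %{buildroot}%{python2_sitearch} -name "*.pyc" -print -delete` gives no hint what is broken or why the bytecode is deleted; a reader cannot tell whether this works around stale .pyc from the build's own compile step (which brp-python-bytecompile regenerates after %install anyway) or a problem with the `.py*` globs used in the files lists. Replace it with the actual reason and the condition for removing it, e.g. `# FIXME: delete build-generated .pyc so brp-python-bytecompile regenerates them for the packaged python2; drop once the build stops byte-compiling with its own interpreter`, adjusted to whatever the real cause is.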
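Review bot: `%pre common` creates the printadmin group, but the directory that relies on it, `%attr(775,root,printadmin) %dir /var/lib/samba/drivers`, is packaged in the main samba package later in this diff; rpm resolves the group only when it lays the directory down, so unless the main package carries `Requires(pre): %{name}-common = %{samba_depver}` (not visible in this chunk) an install may run before this scriptlet and the directory silently falls back to root:root, leaving [print$] uploads broken. The `Requires(pre): /usr/sbin/groupadd` shown in the patch-list hunk is on the main package, while the only groupadd call is here in common, so it should move (or be duplicated) onto `%package common`. The trailing `|| :` is conventional, but it also means a groupadd failure is never surfaced; an `echo "groupadd printadmin failed" >&2` before it would help debugging.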
@@ -975,17 +1079,27 @@ fi %posttrans -n libwbclient # It has to be posttrans here to make sure all files of a previous version # without alternatives support are removed -%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \ - libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} 10 +%{_sbindir}/update-alternatives \ + --install \ + %{_libdir}/libwbclient.so.%{libwbc_alternatives_version} \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} \ + 10 /sbin/ldconfig %preun -n libwbclient -%{_sbindir}/update-alternatives --remove libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} +%{_sbindir}/update-alternatives \ + --remove \ + libwbclient.so.%{libwbc_alternatives_version}%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so.%{libwbc_alternatives_version} /sbin/ldconfig %posttrans -n libwbclient-devel -%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \ - libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so 10 +%{_sbindir}/update-alternatives \ + --install %{_libdir}/libwbclient.so \ + libwbclient.so%{libwbc_alternatives_suffix} \ + %{_libdir}/samba/wbclient/libwbclient.so \ + 10 %preun -n libwbclient-devel # alternatives checks if the file which should be removed is a link or not, but 
@@ -1066,10 +1180,13 @@ rm -rf %{buildroot} %{_bindir}/eventlogadm %{_sbindir}/nmbd %{_sbindir}/smbd +%if %with_dc +# This is only used by vfs_dfs_samba4 +%{_libdir}/samba/libdfs-server-ad-samba4.so +%endif %dir %{_libdir}/samba/auth %{_libdir}/samba/auth/script.so %{_libdir}/samba/auth/unix.so -%{_libdir}/samba/auth/wbc.so %dir %{_libdir}/samba/vfs %{_libdir}/samba/vfs/acl_tdb.so %{_libdir}/samba/vfs/acl_xattr.so @@ -1083,6 +1200,9 @@ rm -rf %{buildroot} %{_libdir}/samba/vfs/commit.so %{_libdir}/samba/vfs/crossrename.so %{_libdir}/samba/vfs/default_quota.so +%if %with_dc +%{_libdir}/samba/vfs/dfs_samba4.so +%endif %{_libdir}/samba/vfs/dirsort.so %{_libdir}/samba/vfs/expand_msdfs.so %{_libdir}/samba/vfs/extd_audit.so @@ -1170,8 +1290,7 @@ rm -rf %{buildroot} %exclude %{_mandir}/man8/vfs_ceph.8* %endif -%dir /var/lib/samba/drivers -%dir /var/lib/samba/lock +%attr(775,root,printadmin) %dir /var/lib/samba/drivers ### CLIENT %files client @@ -1179,9 +1298,9 @@ rm -rf %{buildroot} %{_bindir}/cifsdd %{_bindir}/dbwrap_tool %{_bindir}/findsmb +%{_bindir}/mvxattr %{_bindir}/nmblookup %{_bindir}/oLschema2ldif -%{_bindir}/mvxattr %{_bindir}/regdiff %{_bindir}/regpatch %{_bindir}/regshell @@ -1282,7 +1401,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libaddns-samba4.so %{_libdir}/samba/libads-samba4.so %{_libdir}/samba/libasn1util-samba4.so -%{_libdir}/samba/libauth-sam-reply-samba4.so %{_libdir}/samba/libauth-samba4.so %{_libdir}/samba/libauthkrb5-samba4.so %{_libdir}/samba/libcli-cldap-samba4.so @@ -1293,9 +1411,9 @@ rm -rf %{buildroot} %{_libdir}/samba/libcli-spoolss-samba4.so %{_libdir}/samba/libcliauth-samba4.so %{_libdir}/samba/libcmdline-credentials-samba4.so +%{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libdbwrap-samba4.so %{_libdir}/samba/libdcerpc-samba-samba4.so -%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so %{_libdir}/samba/libgenrand-samba4.so 
@@ -1399,6 +1517,7 @@ rm -rf %{buildroot} %ghost %dir /var/run/winbindd %dir /var/lib/samba %attr(700,root,root) %dir /var/lib/samba/private +%dir /var/lib/samba/lock %attr(755,root,root) %dir %{_sysconfdir}/samba %config(noreplace) %{_sysconfdir}/samba/smb.conf %{_sysconfdir}/samba/smb.conf.example @@ -1414,6 +1533,9 @@ rm -rf %{buildroot} %defattr(-,root,root) # common libraries %{_libdir}/samba/libpopt-samba3-samba4.so +%if %{with_intel_aes_accel} +%{_libdir}/samba/libaesni-intel-samba4.so +%endif %dir %{_libdir}/samba/ldb @@ -1421,7 +1543,6 @@ rm -rf %{buildroot} %{_libdir}/samba/pdb/ldapsam.so %{_libdir}/samba/pdb/smbpasswd.so %{_libdir}/samba/pdb/tdbsam.so -%{_libdir}/samba/pdb/wbc_sam.so %files common-tools %defattr(-,root,root) @@ -1443,19 +1564,17 @@ rm -rf %{buildroot} %defattr(-,root,root) %if %with_dc +%{_unitdir}/samba.service %{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_kcc %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_spnupdate %{_sbindir}/samba_upgradedns + +%{_libdir}/krb5/plugins/kdb/samba.so + %{_libdir}/samba/auth/samba4.so -%{_libdir}/samba/bind9/dlz_bind9.so -%{_libdir}/samba/bind9/dlz_bind9_10.so -%{_libdir}/samba/libheimntlm-samba4.so.1 -%{_libdir}/samba/libheimntlm-samba4.so.1.0.1 -%{_libdir}/samba/libkdc-samba4.so.2 -%{_libdir}/samba/libkdc-samba4.so.2.0.0 %{_libdir}/samba/libpac-samba4.so %dir %{_libdir}/samba/gensec %{_libdir}/samba/gensec/krb5.so @@ -1465,6 +1584,7 @@ rm -rf %{buildroot} %{_libdir}/samba/ldb/descriptor.so %{_libdir}/samba/ldb/dirsync.so %{_libdir}/samba/ldb/dns_notify.so +%{_libdir}/samba/ldb/dsdb_notification.so %{_libdir}/samba/ldb/extended_dn_in.so %{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_store.so 
@@ -1500,6 +1620,7 @@ rm -rf %{buildroot} %{_libdir}/samba/ldb/subtree_rename.so %{_libdir}/samba/ldb/tombstone_reanimate.so %{_libdir}/samba/ldb/update_keytab.so +%{_libdir}/samba/ldb/vlv.so %{_libdir}/samba/ldb/wins_ldb.so %{_libdir}/samba/vfs/posix_eadb.so %dir /var/lib/samba/sysvol @@ -1514,6 +1635,7 @@ rm -rf %{buildroot} %files dc-libs %defattr(-,root,root) %if %with_dc +%{_libdir}/samba/libdb-glue-samba4.so %{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libservice-samba4.so %dir %{_libdir}/samba/process_model @@ -1534,15 +1656,24 @@ rm -rf %{buildroot} %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libdfs-server-ad-samba4.so %{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so -%{_libdir}/samba/libntvfs-samba4.so -%{_libdir}/samba/bind9/dlz_bind9_9.so +%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %else %doc packaging/README.dc-libs %endif # with_dc +### DC-BIND +%if %with_dc +%files dc-bind-dlz +%attr(770,root,named) %dir /var/lib/samba/bind-dns +%dir %{_libdir}/samba/bind9 +%{_libdir}/samba/bind9/dlz_bind9.so +%{_libdir}/samba/bind9/dlz_bind9_9.so +%{_libdir}/samba/bind9/dlz_bind9_10.so +%{_libdir}/samba/bind9/dlz_bind9_11.so +%endif # with_dc + ### DEVEL %files devel %defattr(-,root,root) @@ -1551,7 +1682,9 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/core/error.h %{_includedir}/samba-4.0/core/hresult.h %{_includedir}/samba-4.0/core/ntstatus.h +%{_includedir}/samba-4.0/core/ntstatus_gen.h %{_includedir}/samba-4.0/core/werror.h +%{_includedir}/samba-4.0/core/werror_gen.h %{_includedir}/samba-4.0/credentials.h %{_includedir}/samba-4.0/dcerpc.h %{_includedir}/samba-4.0/domain_credentials.h 
@@ -1626,6 +1759,7 @@ rm -rf %{buildroot} %{_includedir}/samba-4.0/util/tevent_unix.h %{_includedir}/samba-4.0/util/tevent_werror.h %{_includedir}/samba-4.0/util/time.h +%{_includedir}/samba-4.0/util/tfork.h %{_includedir}/samba-4.0/util_ldb.h %{_libdir}/libdcerpc-binding.so %{_libdir}/libdcerpc-samr.so @@ -1700,6 +1834,7 @@ rm -rf %{buildroot} # libraries needed by the public libraries %{_libdir}/samba/libMESSAGING-samba4.so +%{_libdir}/samba/libMESSAGING-SEND-samba4.so %{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so @@ -1712,31 +1847,6 @@ rm -rf %{buildroot} %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so -%if %with_dc -%{_libdir}/samba/libdb-glue-samba4.so -%{_libdir}/samba/libHDB-SAMBA4-samba4.so -%{_libdir}/samba/libasn1-samba4.so.8 -%{_libdir}/samba/libasn1-samba4.so.8.0.0 -%{_libdir}/samba/libcom_err-samba4.so.0 -%{_libdir}/samba/libcom_err-samba4.so.0.25 -%{_libdir}/samba/libgssapi-samba4.so.2 -%{_libdir}/samba/libgssapi-samba4.so.2.0.0 -%{_libdir}/samba/libhcrypto-samba4.so.5 -%{_libdir}/samba/libhcrypto-samba4.so.5.0.1 -%{_libdir}/samba/libhdb-samba4.so.11 -%{_libdir}/samba/libhdb-samba4.so.11.0.2 -%{_libdir}/samba/libheimbase-samba4.so.1 -%{_libdir}/samba/libheimbase-samba4.so.1.0.0 -%{_libdir}/samba/libhx509-samba4.so.5 -%{_libdir}/samba/libhx509-samba4.so.5.0.0 -%{_libdir}/samba/libkrb5-samba4.so.26 -%{_libdir}/samba/libkrb5-samba4.so.26.0.0 -%{_libdir}/samba/libroken-samba4.so.19 -%{_libdir}/samba/libroken-samba4.so.19.0.1 -%{_libdir}/samba/libwind-samba4.so.0 -%{_libdir}/samba/libwind-samba4.so.0.0.0 -%endif - ### LIBSMBCLIENT %if %with_libsmbclient %files -n libsmbclient 
@@ -1809,7 +1919,256 @@ rm -rf %{buildroot}
 ### PYTHON
 %files python
 %defattr(-,root,root,-)
-%{python_sitearch}/*
+%dir %{python_sitearch}/samba
+%{python_sitearch}/samba/__init__.py*
+%{python_sitearch}/samba/_glue.so
+%{python_sitearch}/samba/_ldb.so
+%{python_sitearch}/samba/auth.so
+%{python_sitearch}/samba/common.py*
+%{python_sitearch}/samba/compat.py*
+%{python_sitearch}/samba/credentials.so
+%{python_sitearch}/samba/crypto.so
+%{python_sitearch}/samba/dbchecker.py*
+%dir %{python_sitearch}/samba/dcerpc
+%{python_sitearch}/samba/dcerpc/__init__.py*
+%{python_sitearch}/samba/dcerpc/atsvc.so
+%{python_sitearch}/samba/dcerpc/auth.so
+%{python_sitearch}/samba/dcerpc/base.so
+%{python_sitearch}/samba/dcerpc/dcerpc.so
+%{python_sitearch}/samba/dcerpc/dfs.so
+%{python_sitearch}/samba/dcerpc/dns.so
+%{python_sitearch}/samba/dcerpc/dnsp.so
+%{python_sitearch}/samba/dcerpc/drsblobs.so
+%{python_sitearch}/samba/dcerpc/drsuapi.so
+%{python_sitearch}/samba/dcerpc/echo.so
+%{python_sitearch}/samba/dcerpc/epmapper.so
+%{python_sitearch}/samba/dcerpc/idmap.so
+%{python_sitearch}/samba/dcerpc/initshutdown.so
+%{python_sitearch}/samba/dcerpc/irpc.so
+%{python_sitearch}/samba/dcerpc/krb5pac.so
+%{python_sitearch}/samba/dcerpc/lsa.so
+%{python_sitearch}/samba/dcerpc/messaging.so
+%{python_sitearch}/samba/dcerpc/mgmt.so
+%{python_sitearch}/samba/dcerpc/misc.so
+%{python_sitearch}/samba/dcerpc/nbt.so
+%{python_sitearch}/samba/dcerpc/netlogon.so
+%{python_sitearch}/samba/dcerpc/ntlmssp.so
+%{python_sitearch}/samba/dcerpc/samr.so
+%{python_sitearch}/samba/dcerpc/security.so
+%{python_sitearch}/samba/dcerpc/server_id.so
+%{python_sitearch}/samba/dcerpc/smb_acl.so
+%{python_sitearch}/samba/dcerpc/srvsvc.so
+%{python_sitearch}/samba/dcerpc/svcctl.so
+%{python_sitearch}/samba/dcerpc/unixinfo.so
+%{python_sitearch}/samba/dcerpc/winbind.so
+%{python_sitearch}/samba/dcerpc/winreg.so
+%{python_sitearch}/samba/dcerpc/wkssvc.so
+%{python_sitearch}/samba/dcerpc/xattr.so
+%{python_sitearch}/samba/descriptor.py*
+%{python_sitearch}/samba/gensec.so
+%{python_sitearch}/samba/getopt.py*
+%{python_sitearch}/samba/hostconfig.py*
+%{python_sitearch}/samba/idmap.py*
+%{python_sitearch}/samba/join.py*
+%{python_sitearch}/samba/messaging.so
+%{python_sitearch}/samba/ms_display_specifiers.py*
+%{python_sitearch}/samba/ms_schema.py*
+%{python_sitearch}/samba/ndr.py*
+%{python_sitearch}/samba/net.so
+%{python_sitearch}/samba/netbios.so
+%dir %{python_sitearch}/samba/netcmd
+%{python_sitearch}/samba/netcmd/__init__.py*
+%{python_sitearch}/samba/netcmd/common.py*
+%{python_sitearch}/samba/netcmd/dbcheck.py*
+%{python_sitearch}/samba/netcmd/delegation.py*
+%{python_sitearch}/samba/netcmd/dns.py*
+%{python_sitearch}/samba/netcmd/domain.py*
+%{python_sitearch}/samba/netcmd/drs.py*
+%{python_sitearch}/samba/netcmd/dsacl.py*
+%{python_sitearch}/samba/netcmd/gpo.py*
+%{python_sitearch}/samba/netcmd/group.py*
+%{python_sitearch}/samba/netcmd/ldapcmp.py*
+%{python_sitearch}/samba/netcmd/main.py*
+%{python_sitearch}/samba/netcmd/nettime.py*
+%{python_sitearch}/samba/netcmd/ntacl.py*
+%{python_sitearch}/samba/netcmd/processes.py*
+%{python_sitearch}/samba/netcmd/sites.py*
+%{python_sitearch}/samba/netcmd/spn.py*
+%{python_sitearch}/samba/netcmd/testparm.py*
+%{python_sitearch}/samba/netcmd/user.py*
+%{python_sitearch}/samba/ntacls.py*
+%{python_sitearch}/samba/ntstatus.so
+%{python_sitearch}/samba/param.so
+%{python_sitearch}/samba/policy.so
+%{python_sitearch}/samba/posix_eadb.so
+%{python_sitearch}/samba/registry.so
+%{python_sitearch}/samba/remove_dc.py*
+%dir %{python_sitearch}/samba/samba3
+%{python_sitearch}/samba/samba3/__init__.py*
+%{python_sitearch}/samba/samba3/libsmb_samba_internal.so
+%{python_sitearch}/samba/samba3/param.so
+%{python_sitearch}/samba/samba3/passdb.so
+%{python_sitearch}/samba/samba3/smbd.so
+%{python_sitearch}/samba/sd_utils.py*
+%{python_sitearch}/samba/security.so
+%{python_sitearch}/samba/sites.py*
+%{python_sitearch}/samba/smb.so
+%{python_sitearch}/samba/subnets.py*
+%dir %{python_sitearch}/samba/subunit
+%{python_sitearch}/samba/subunit/__init__.py*
+%{python_sitearch}/samba/subunit/run.py*
+%{python_sitearch}/samba/tdb_util.py*
+%dir %{python_sitearch}/samba/third_party
+%{python_sitearch}/samba/third_party/__init__.py*
+%{python_sitearch}/samba/upgrade.py*
+%{python_sitearch}/samba/upgradehelpers.py*
+%{python_sitearch}/samba/werror.so
+%{python_sitearch}/samba/xattr.py*
+%{python_sitearch}/samba/xattr_native.so
+%{python_sitearch}/samba/xattr_tdb.so
+
+%if %{with_dc}
+%files python-dc
+%defattr(-,root,root,-)
+%{python_sitearch}/samba/dcerpc/dnsserver.so
+%{python_sitearch}/samba/netcmd/fsmo.py*
+%{python_sitearch}/samba/netcmd/rodc.py*
+
+%dir %{python_sitearch}/samba/kcc
+%{python_sitearch}/samba/kcc/__init__.py*
+%{python_sitearch}/samba/kcc/debug.py*
+%{python_sitearch}/samba/kcc/graph.py*
+%{python_sitearch}/samba/kcc/graph_utils.py*
+%{python_sitearch}/samba/kcc/kcc_utils.py*
+%{python_sitearch}/samba/kcc/ldif_import_export.py*
+
+%dir %{python_sitearch}/samba/provision
+%{python_sitearch}/samba/provision/__init__.py*
+%{python_sitearch}/samba/provision/backend.py*
+%{python_sitearch}/samba/provision/common.py*
+%{python_sitearch}/samba/provision/kerberos.py*
+%{python_sitearch}/samba/provision/kerberos_implementation.py*
+%{python_sitearch}/samba/provision/sambadns.py*
+
+%dir %{python_sitearch}/samba/web_server
+%{python_sitearch}/samba/web_server/__init__.py*
+
+%{python_sitearch}/samba/dckeytab.so
+%{python_sitearch}/samba/dnsserver.py*
+%{python_sitearch}/samba/drs_utils.py*
+%{python_sitearch}/samba/dsdb.so
+%{python_sitearch}/samba/dsdb_dns.so
+%{python_sitearch}/samba/samdb.py*
+%{python_sitearch}/samba/schema.py*
+%endif
+
+%files python-test
+%defattr(-,root,root,-)
+%dir %{python_sitearch}/samba/tests
+%{python_sitearch}/samba/tests/__init__.py*
+%{python_sitearch}/samba/tests/auth.py*
+%{python_sitearch}/samba/tests/auth_log.py*
+%{python_sitearch}/samba/tests/auth_log_base.py*
+%{python_sitearch}/samba/tests/auth_log_ncalrpc.py*
+%{python_sitearch}/samba/tests/auth_log_netlogon.py*
+%{python_sitearch}/samba/tests/auth_log_netlogon_bad_creds.py*
+%{python_sitearch}/samba/tests/auth_log_pass_change.py*
+%{python_sitearch}/samba/tests/auth_log_samlogon.py*
+%dir %{python_sitearch}/samba/tests/blackbox
+%{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/ndrdump.py*
+%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/common.py*
+%{python_sitearch}/samba/tests/core.py*
+%{python_sitearch}/samba/tests/credentials.py*
+%dir %{python_sitearch}/samba/tests/dcerpc
+%{python_sitearch}/samba/tests/dcerpc/__init__.py*
+%{python_sitearch}/samba/tests/dcerpc/array.py*
+%{python_sitearch}/samba/tests/dcerpc/bare.py*
+%{python_sitearch}/samba/tests/dcerpc/dnsserver.py*
+%{python_sitearch}/samba/tests/dcerpc/integer.py*
+%{python_sitearch}/samba/tests/dcerpc/misc.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_protocol.py*
+%{python_sitearch}/samba/tests/dcerpc/raw_testcase.py*
+%{python_sitearch}/samba/tests/dcerpc/registry.py*
+%{python_sitearch}/samba/tests/dcerpc/rpc_talloc.py*
+%{python_sitearch}/samba/tests/dcerpc/rpcecho.py*
+%{python_sitearch}/samba/tests/dcerpc/sam.py*
+%{python_sitearch}/samba/tests/dcerpc/srvsvc.py*
+%{python_sitearch}/samba/tests/dcerpc/string.py*
+%{python_sitearch}/samba/tests/dcerpc/testrpc.py*
+%{python_sitearch}/samba/tests/dcerpc/unix.py*
+%{python_sitearch}/samba/tests/dns.py*
+%{python_sitearch}/samba/tests/dns_base.py*
+%{python_sitearch}/samba/tests/dns_forwarder.py*
+%dir %{python_sitearch}/samba/tests/dns_forwarder_helpers
+%{python_sitearch}/samba/tests/dns_forwarder_helpers/server.py*
+%{python_sitearch}/samba/tests/dns_tkey.py*
+%{python_sitearch}/samba/tests/dns_wildcard.py*
+%{python_sitearch}/samba/tests/docs.py*
+%{python_sitearch}/samba/tests/dsdb.py*
+%{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
+%{python_sitearch}/samba/tests/gensec.py*
+%{python_sitearch}/samba/tests/get_opt.py*
+%{python_sitearch}/samba/tests/glue.py*
+%{python_sitearch}/samba/tests/hostconfig.py*
+%{python_sitearch}/samba/tests/join.py*
+%dir %{python_sitearch}/samba/tests/kcc
+%{python_sitearch}/samba/tests/kcc/__init__.py*
+%{python_sitearch}/samba/tests/kcc/graph.py*
+%{python_sitearch}/samba/tests/kcc/graph_utils.py*
+%{python_sitearch}/samba/tests/kcc/kcc_utils.py*
+%{python_sitearch}/samba/tests/kcc/ldif_import_export.py*
+%{python_sitearch}/samba/tests/libsmb_samba_internal.py*
+%{python_sitearch}/samba/tests/lsa_string.py*
+%{python_sitearch}/samba/tests/messaging.py*
+%{python_sitearch}/samba/tests/net_join.py*
+%{python_sitearch}/samba/tests/net_join_no_spnego.py*
+%{python_sitearch}/samba/tests/netcmd.py*
+%{python_sitearch}/samba/tests/netlogonsvc.py*
+%{python_sitearch}/samba/tests/ntacls.py*
+%{python_sitearch}/samba/tests/ntlmauth.py*
+%{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/param.py*
+%{python_sitearch}/samba/tests/password_hash.py*
+%{python_sitearch}/samba/tests/password_hash_fl2003.py*
+%{python_sitearch}/samba/tests/password_hash_fl2008.py*
+%{python_sitearch}/samba/tests/password_hash_gpgme.py*
+%{python_sitearch}/samba/tests/password_hash_ldap.py*
+%{python_sitearch}/samba/tests/policy.py*
+%{python_sitearch}/samba/tests/posixacl.py*
+%{python_sitearch}/samba/tests/provision.py*
+%{python_sitearch}/samba/tests/py_credentials.py*
+%{python_sitearch}/samba/tests/registry.py*
+%{python_sitearch}/samba/tests/samba3.py*
+%{python_sitearch}/samba/tests/samba3sam.py*
+%dir %{python_sitearch}/samba/tests/samba_tool
+%{python_sitearch}/samba/tests/samba_tool/__init__.py*
+%{python_sitearch}/samba/tests/samba_tool/base.py*
+%{python_sitearch}/samba/tests/samba_tool/dnscmd.py*
+%{python_sitearch}/samba/tests/samba_tool/fsmo.py*
+%{python_sitearch}/samba/tests/samba_tool/gpo.py*
+%{python_sitearch}/samba/tests/samba_tool/group.py*
+%{python_sitearch}/samba/tests/samba_tool/join.py*
+%{python_sitearch}/samba/tests/samba_tool/ntacl.py*
+%{python_sitearch}/samba/tests/samba_tool/processes.py*
+%{python_sitearch}/samba/tests/samba_tool/rodc.py*
+%{python_sitearch}/samba/tests/samba_tool/sites.py*
+%{python_sitearch}/samba/tests/samba_tool/timecmd.py*
+%{python_sitearch}/samba/tests/samba_tool/user.py*
+%{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py*
+%{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py*
+%{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
+%{python_sitearch}/samba/tests/samdb.py*
+%{python_sitearch}/samba/tests/security.py*
+%{python_sitearch}/samba/tests/source.py*
+%{python_sitearch}/samba/tests/strings.py*
+%{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/unicodenames.py*
+%{python_sitearch}/samba/tests/upgrade.py*
+%{python_sitearch}/samba/tests/upgradeprovision.py*
+%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
+%{python_sitearch}/samba/tests/xattr.py*
 ### TEST
 %files test
@@ -1976,7 +2335,6 @@ rm -rf %{buildroot}
 %{_unitdir}/ctdb.service
-
 %files -n ctdb-tests
 %defattr(-,root,root)
 %doc ctdb/tests/README
@@ -1991,6 +2349,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/ctdb_packet_parse
 %{_libexecdir}/ctdb/tests/ctdb_takeover_tests
 %{_libexecdir}/ctdb/tests/db_hash_test
+%{_libexecdir}/ctdb/tests/dummy_client
 %{_libexecdir}/ctdb/tests/fake_ctdbd
 %{_libexecdir}/ctdb/tests/fetch_loop
 %{_libexecdir}/ctdb/tests/fetch_loop_key
@@ -1998,6 +2357,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/fetch_readonly_loop
 %{_libexecdir}/ctdb/tests/fetch_ring
 %{_libexecdir}/ctdb/tests/g_lock_loop
+%{_libexecdir}/ctdb/tests/hash_count_test
 %{_libexecdir}/ctdb/tests/lock_tdb
 %{_libexecdir}/ctdb/tests/message_ring
 %{_libexecdir}/ctdb/tests/pidfile_test
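Review bot: `%if %{with_dc}` guarding the new python-dc section uses the braced macro form, while the dc-libs and dc-bind-dlz sections on this page use `%if %with_dc`; both expand the same macro, but the spec should settle on one form, `%if %with_dc`. The python-dc section also places files under `%{python_sitearch}/samba/dcerpc` and `%{python_sitearch}/samba/netcmd`, whose `%dir` entries and `__init__.py*` are owned by the python subpackage, so python-dc (and python-test, for `%{python_sitearch}/samba`) must require it; the package headers are outside this hunk, so this may already be declared. Replacing `%{python_sitearch}/*` with an explicit list means a module added by a later rebase fails the build as an unpackaged file instead of shipping silently, which is presumably the intent and is worth recording next to the list, e.g. `# explicit list: new modules must be added here deliberately`.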
@@ -2009,6 +2369,7 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/protocol_util_test
 %{_libexecdir}/ctdb/tests/rb_test
 %{_libexecdir}/ctdb/tests/reqid_test
+%{_libexecdir}/ctdb/tests/run_event_test
 %{_libexecdir}/ctdb/tests/run_proc_test
 %{_libexecdir}/ctdb/tests/sock_daemon_test
 %{_libexecdir}/ctdb/tests/sock_io_test
@@ -2047,6 +2408,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/comm_test_001.sh
 %{_datadir}/ctdb/tests/cunit/comm_test_002.sh
 %{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
+%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh
 %{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
 %{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
 %{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
@@ -2056,6 +2418,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
 %{_datadir}/ctdb/tests/cunit/rb_test_001.sh
 %{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
+%{_datadir}/ctdb/tests/cunit/run_event_001.sh
 %{_datadir}/ctdb/tests/cunit/run_proc_001.sh
 %{_datadir}/ctdb/tests/cunit/sock_daemon_test_001.sh
 %{_datadir}/ctdb/tests/cunit/sock_io_test_001.sh
@@ -2126,6 +2489,10 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.016.sh
 %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.017.sh
 %{_datadir}/ctdb/tests/eventscripts/05.system.monitor.018.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
@@ -2154,6 +2521,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.013.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
@@ -2212,19 +2581,14 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.050.sh
-%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.051.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.050.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.051.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.105.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.106.sh
-%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.107.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.110.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.111.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.112.sh
@@ -2242,6 +2606,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.106.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.107.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.108.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.109.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.111.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.112.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.113.sh
@@ -2261,6 +2626,14 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.162.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.001.sh
 %{_datadir}/ctdb/tests/eventscripts/60.nfs.multi.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.releaseip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.startup.002.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.001.sh
+%{_datadir}/ctdb/tests/eventscripts/60.nfs.takeip.002.sh
 %{_datadir}/ctdb/tests/eventscripts/91.lvs.001.sh
 %{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.011.sh
 %{_datadir}/ctdb/tests/eventscripts/91.lvs.ipreallocated.012.sh
@@ -2409,6 +2782,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/18_ctdb_reloadips.sh
 %{_datadir}/ctdb/tests/simple/19_ip_takeover_noop.sh
 %{_datadir}/ctdb/tests/simple/20_delip_iface_gc.sh
+%{_datadir}/ctdb/tests/simple/21_ctdb_attach.sh
 %{_datadir}/ctdb/tests/simple/23_ctdb_moveip.sh
 %{_datadir}/ctdb/tests/simple/24_ctdb_getdbmap.sh
 %{_datadir}/ctdb/tests/simple/25_dumpmemory.sh
@@ -2426,6 +2800,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/53_transaction_loop.sh
 %{_datadir}/ctdb/tests/simple/54_transaction_loop_recovery.sh
 %{_datadir}/ctdb/tests/simple/55_ctdb_ptrans.sh
+%{_datadir}/ctdb/tests/simple/56_replicated_transaction_recovery.sh
 %{_datadir}/ctdb/tests/simple/58_ctdb_restoredb.sh
 %{_datadir}/ctdb/tests/simple/60_recoverd_missing_ip.sh
 %{_datadir}/ctdb/tests/simple/70_recoverpdbbyseqnum.sh
@@ -2482,6 +2857,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/takeover/lcp2.031.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.032.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.033.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.034.sh
 %{_datadir}/ctdb/tests/takeover/nondet.001.sh
 %{_datadir}/ctdb/tests/takeover/nondet.002.sh
 %{_datadir}/ctdb/tests/takeover/nondet.003.sh
@@ -2510,6 +2886,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/takeover_helper/026.sh
 %{_datadir}/ctdb/tests/takeover_helper/027.sh
 %{_datadir}/ctdb/tests/takeover_helper/028.sh
+%{_datadir}/ctdb/tests/takeover_helper/030.sh
+%{_datadir}/ctdb/tests/takeover_helper/031.sh
 %{_datadir}/ctdb/tests/takeover_helper/110.sh
 %{_datadir}/ctdb/tests/takeover_helper/111.sh
 %{_datadir}/ctdb/tests/takeover_helper/120.sh
@@ -2596,9 +2974,15 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.natgw.008.sh
 %{_datadir}/ctdb/tests/tool/ctdb.nodestatus.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.nodestatus.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.003.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.005.sh
+%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.006.sh
 %{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.002.sh
+%{_datadir}/ctdb/tests/tool/ctdb.process-exists.003.sh
 %{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
@@ -2627,10 +3011,12 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.003.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbreadonly.005.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.003.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.004.sh
+%{_datadir}/ctdb/tests/tool/ctdb.setdbsticky.005.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdebug.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdebug.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.setdebug.003.sh
@@ -2654,20 +3040,58 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog -* Fri Nov 17 2017 Andreas Schneider - 4.6.2-12 -- resolves: #1514314 - Fix CVE-2017-14746 and CVE-2017-15275 +* Wed Dec 20 2017 Andreas Schneider - 4.7.1-6 +- resolves: #1476153 - Handle SMB echo responses more gracefully +- resolves: #1523212 - Fix SMB2 client read-after-free issue + +* Mon Dec 04 2017 Andreas Schneider - 4.7.1-5 +- resolves: #1505940 - Fix 'net ads keytab list' +- resolves: #1518732 - Enable AES-NI to make SMB3 encryption and signing + faster + +* Tue Nov 28 2017 Andreas Schneider - 4.7.1-4 +- resolves: #1510872 - Fix systemd startup of samba daemons + +* Thu Nov 23 2017 Andreas Schneider - 4.7.1-3 +- resolves: #1498353 - Fix broken MacOSX client which can't handle file_ids + correctly +- resolves: #1495490 - Fix client rename over SMB2 +- resolves: #1510598 - Fix client volume cmd over SMB2 + +* Fri Nov 17 2017 Andreas Schneider - 4.7.1-2 +- resolves: #1514316 - CVE-2017-14746 CVE-2017-15275 + +* Thu Nov 02 2017 Andreas Schneider - 4.7.1-1 +- related: #1470048 - Update to version 4.7.1 + +* Thu Oct 26 2017 Andreas Schneider - 4.7.0-4 +- resolves: #1506489 - Fix python dependency issues + +* Wed Oct 25 2017 Andreas Schneider - 4.7.0-3 +- related: #1470048 - Fix dependency issues +- resolves: #1486318 - Move /var/lib/samba/lock to common package +- resolves: #1497162 - Fix smbcacls command line password handling + +* Tue Oct 24 2017 Andreas Schneider - 4.7.0-2 +- related: #1470048 - Fix package names + +* Mon Oct 23 2017 Andreas Schneider - 4.7.0-1 +- resolves: #1470048 - Rebase Samba to version 4.7.0 +- resolves: #1335710 - Improve performance of smbd for a lot + of new client connections * Thu Sep 14 2017 Andreas Schneider - 4.6.2-11 -- resolves: #1491213 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163 +- resolves: #1491214 - CVE-2017-12150 CVE-2017-12151 CVE-2017-12163 * Wed Aug 23 2017 Andreas Schneider - 4.6.2-10 -- resolves: #1484423 - Require at least 
krb5 version 1.15.1 -- resolves: #1484713 - Fix password changes for users via smbpasswd -- resolves: #1484723 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO +- resolves: #1480310 - Require at least krb5 version 1.15.1 +- resolves: #1482133 - Fix password changes for users via smbpasswd +- resolves: #1452003 - Be more graceful on FSCTL_VALIDATE_NEGOTIATE_INFO returned errors +- resolves: #1485390 - Do not print kerberos warning when not enforced * Mon Aug 14 2017 Andreas Schneider - 4.6.2-9 -- resolves: #1481188 - Fix 'net ads changetrustpw' +- resolves: #1479897 - Fix 'net ads changetrustpw' * Thu Jun 22 2017 Andreas Schneider - 4.6.2-8 - resolves: #1459936 - Fix regression with "follow symlinks = no"