diff --git a/.gitignore b/.gitignore
index e6501c9..d0d9bc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.7.1.tar.xz
+SOURCES/samba-4.8.3.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 44641bf..c121f9a 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-3c58fef85ceff87968b9e79c665e861f5442f0f1 SOURCES/samba-4.7.1.tar.xz
+ee51f44b1b61cb189f0145b477300d4d58b1dff6 SOURCES/samba-4.8.3.tar.xz
diff --git a/SOURCES/CVE-2017-14746.patch b/SOURCES/CVE-2017-14746.patch
deleted file mode 100644
index d33d24d..0000000
--- a/SOURCES/CVE-2017-14746.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 19 Sep 2017 16:11:33 -0700
-Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When setting up the chain, always use 'next->' variables
-not the 'req->' one.
-
-Bug discovered by 连一汉 <lianyihan@360.cn>
-
-CVE-2017-14746
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/process.c | 7 ++++---
- source3/smbd/reply.c   | 5 +++++
- 2 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/source3/smbd/process.c b/source3/smbd/process.c
-index b65ae2c1b1c..9b2b0a669a2 100644
---- a/source3/smbd/process.c
-+++ b/source3/smbd/process.c
-@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
- 
- 		next->vuid = SVAL(req->outbuf, smb_uid);
- 		next->tid  = SVAL(req->outbuf, smb_tid);
--		status = smb1srv_tcon_lookup(req->xconn, req->tid,
-+		status = smb1srv_tcon_lookup(req->xconn, next->tid,
- 					     now, &tcon);
-+
- 		if (NT_STATUS_IS_OK(status)) {
--			req->conn = tcon->compat;
-+			next->conn = tcon->compat;
- 		} else {
--			req->conn = NULL;
-+			next->conn = NULL;
- 		}
- 		next->chain_fsp = req->chain_fsp;
- 		next->inbuf = req->inbuf;
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 7b07078249b..81acedf0413 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
- 		}
- 
- 		TALLOC_FREE(tcon);
-+		/*
-+		 * This tree id is gone. Make sure we can't re-use it
-+		 * by accident.
-+		 */
-+		req->tid = 0;
- 	}
- 
- 	if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
--- 
-2.14.2.920.gcf0c67979c-goog
-
diff --git a/SOURCES/CVE-2017-15275.patch b/SOURCES/CVE-2017-15275.patch
deleted file mode 100644
index f0510f9..0000000
--- a/SOURCES/CVE-2017-15275.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 20 Sep 2017 11:04:50 -0700
-Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
- talloc buffer is grown.
-
-Ensure we zero out unused grown area.
-
-CVE-2017-15275
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/srvstr.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
-index 56dceba8c6c..c2d70b32c32 100644
---- a/source3/smbd/srvstr.c
-+++ b/source3/smbd/srvstr.c
-@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
- 		DEBUG(0, ("srvstr_push failed\n"));
- 		return -1;
- 	}
-+
-+	/*
-+	 * Ensure we clear out the extra data we have
-+	 * grown the buffer by, but not written to.
-+	 */
-+	if (buf_size + result < buf_size) {
-+		return -1;
-+	}
-+	if (grow_size < result) {
-+		return -1;
-+	}
-+
-+	memset(tmp + buf_size + result, '\0', grow_size - result);
-+
- 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
- 
- 	*outbuf = tmp;
--- 
-2.14.2.920.gcf0c67979c-goog
-
diff --git a/SOURCES/CVE-2018-10858.patch b/SOURCES/CVE-2018-10858.patch
new file mode 100644
index 0000000..03d7718
--- /dev/null
+++ b/SOURCES/CVE-2018-10858.patch
@@ -0,0 +1,199 @@
+From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 15 Jun 2018 15:07:17 -0700
+Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
+ buffer.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
+
+CVE-2018-10858: Insufficient input validation on client directory
+		listing in libsmbclient.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/libsmb_path.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
+index 01b0a61e483..ed70ab37550 100644
+--- a/source3/libsmb/libsmb_path.c
++++ b/source3/libsmb/libsmb_path.c
+@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
+                 }
+         }
+ 
+-        *dest++ = '\0';
+-        max_dest_len--;
++	if (max_dest_len == 0) {
++		/* Ensure we return -1 if no null termination. */
++		return -1;
++	}
++
++	*dest++ = '\0';
++	max_dest_len--;
+ 
+         return max_dest_len;
+ }
+-- 
+2.11.0
+
+
+From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 15 Jun 2018 15:08:17 -0700
+Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
+ from malicious servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
+
+CVE-2018-10858: Insufficient input validation on client directory
+                listing in libsmbclient.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ source3/libsmb/libsmb_dir.c  | 57 ++++++++++++++++++++++++++++++++++++++------
+ source3/libsmb/libsmb_path.c |  2 +-
+ 2 files changed, 51 insertions(+), 8 deletions(-)
+
+diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
+index 72441c46736..54c2bcb3c73 100644
+--- a/source3/libsmb/libsmb_dir.c
++++ b/source3/libsmb/libsmb_dir.c
+@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
+ 
+ }
+ 
+-static void
++static int
+ smbc_readdir_internal(SMBCCTX * context,
+                       struct smbc_dirent *dest,
+                       struct smbc_dirent *src,
+                       int max_namebuf_len)
+ {
+         if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
++		int remaining_len;
+ 
+                 /* url-encode the name.  get back remaining buffer space */
+-                max_namebuf_len =
++                remaining_len =
+                         smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ 
++		/* -1 means no null termination. */
++		if (remaining_len < 0) {
++			return -1;
++		}
++
+                 /* We now know the name length */
+                 dest->namelen = strlen(dest->name);
+ 
++		if (dest->namelen + 1 < 1) {
++			/* Integer wrap. */
++			return -1;
++		}
++
++		if (dest->namelen + 1 >= max_namebuf_len) {
++			/* Out of space for comment. */
++			return -1;
++		}
++
+                 /* Save the pointer to the beginning of the comment */
+                 dest->comment = dest->name + dest->namelen + 1;
+ 
++		if (remaining_len < 1) {
++			/* No room for comment null termination. */
++			return -1;
++		}
++
+                 /* Copy the comment */
+-                strncpy(dest->comment, src->comment, max_namebuf_len - 1);
+-                dest->comment[max_namebuf_len - 1] = '\0';
++                strlcpy(dest->comment, src->comment, remaining_len);
+ 
+                 /* Save other fields */
+                 dest->smbc_type = src->smbc_type;
+@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
+         } else {
+ 
+                 /* No encoding.  Just copy the entry as is. */
++		if (src->dirlen > max_namebuf_len) {
++			return -1;
++		}
+                 memcpy(dest, src, src->dirlen);
++		if (src->namelen + 1 < 1) {
++			/* Integer wrap */
++			return -1;
++		}
++		if (src->namelen + 1 >= max_namebuf_len) {
++			/* Comment off the end. */
++			return -1;
++		}
+                 dest->comment = (char *)(&dest->name + src->namelen + 1);
+         }
+-
++	return 0;
+ }
+ 
+ /*
+@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
+                  SMBCFILE *dir)
+ {
+         int maxlen;
++	int ret;
+ 	struct smbc_dirent *dirp, *dirent;
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 
+@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
+         dirp = &context->internal->dirent;
+         maxlen = sizeof(context->internal->_dirent_name);
+ 
+-        smbc_readdir_internal(context, dirp, dirent, maxlen);
++        ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
++	if (ret == -1) {
++		errno = EINVAL;
++		TALLOC_FREE(frame);
++                return NULL;
++	}
+ 
+         dir->dir_next = dir->dir_next->next;
+ 
+@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
+ 	 */
+ 
+ 	while ((dirlist = dir->dir_next)) {
++		int ret;
+ 		struct smbc_dirent *dirent;
+ 		struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
+ 
+@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
+                 /* Do urlencoding of next entry, if so selected */
+                 dirent = &context->internal->dirent;
+                 maxlen = sizeof(context->internal->_dirent_name);
+-                smbc_readdir_internal(context, dirent,
++		ret = smbc_readdir_internal(context, dirent,
+                                       dirlist->dirent, maxlen);
++		if (ret == -1) {
++			errno = EINVAL;
++			TALLOC_FREE(frame);
++			return -1;
++		}
+ 
+                 reqd = dirent->dirlen;
+ 
+diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
+index ed70ab37550..5b53b386a67 100644
+--- a/source3/libsmb/libsmb_path.c
++++ b/source3/libsmb/libsmb_path.c
+@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
+                 }
+         }
+ 
+-	if (max_dest_len == 0) {
++	if (max_dest_len <= 0) {
+ 		/* Ensure we return -1 if no null termination. */
+ 		return -1;
+ 	}
+-- 
+2.11.0
+
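Review bot: In PATCH 2/2, the non-encoding branch of smbc_readdir_internal() bounds `src->namelen + 1` against `max_namebuf_len` but never against `src->dirlen`, which is the number of bytes the preceding memcpy() actually copied. If those two fields can ever disagree (how `src` is populated is outside this hunk), `dest->comment` would point at whatever was already in the destination buffer rather than at this entry's comment. A check tying the two together before the pointer is set would close that gap, for example `if (offsetof(struct smbc_dirent, name) + src->namelen + 1 >= src->dirlen) return -1;`. Separately, SMBC_readdir_ctx() now returns NULL with EINVAL before `dir->dir_next` is advanced, so a caller that retries appears to get the same rejected entry again; a short comment at that return documenting this would help.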
diff --git a/SOURCES/CVE-2018-1139.patch b/SOURCES/CVE-2018-1139.patch
new file mode 100644
index 0000000..77774ec
--- /dev/null
+++ b/SOURCES/CVE-2018-1139.patch
@@ -0,0 +1,753 @@
+From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Thu, 22 Feb 2018 11:54:45 +1300
+Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
+ with_cmocka flag
+
+We have cmocka in third_party, so we are never without it.
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
+by Andrew Bartlett)
+---
+ selftest/tests.py | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 126e1184230..3f5097b680c 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -38,7 +38,6 @@ finally:
+     f.close()
+ 
+ have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
+-with_cmocka = ("HAVE_CMOCKA" in config_hash)
+ with_pam = ("WITH_PAM" in config_hash)
+ pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
+ 
+@@ -168,13 +167,12 @@ if with_pam:
+                    valgrindify(python), pam_wrapper_so_path,
+                    "$DOMAIN", "alice", "Secret007"])
+ 
+-if with_cmocka:
+-    plantestsuite("samba.unittests.krb5samba", "none",
+-                  [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+-    plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+-                  [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+-    plantestsuite("samba.unittests.lib_util_modules", "none",
+-                  [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
++plantestsuite("samba.unittests.krb5samba", "none",
++              [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
++plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
++              [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
++plantestsuite("samba.unittests.lib_util_modules", "none",
++              [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+ 
+-    plantestsuite("samba.unittests.smb1cli_session", "none",
+-                  [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
++plantestsuite("samba.unittests.smb1cli_session", "none",
++              [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+-- 
+2.14.4
+
+
+From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 27 Jul 2018 08:44:24 +1200
+Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
+ ntlm_password_check()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
+ libcli/auth/wscript_build      |  13 ++
+ selftest/knownfail.d/ntlm      |   2 +
+ selftest/tests.py              |   2 +
+ 4 files changed, 430 insertions(+)
+ create mode 100644 libcli/auth/tests/ntlm_check.c
+ create mode 100644 selftest/knownfail.d/ntlm
+
+diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
+new file mode 100644
+index 00000000000..e87a0a276d4
+--- /dev/null
++++ b/libcli/auth/tests/ntlm_check.c
+@@ -0,0 +1,413 @@
++/*
++ * Unit tests for the ntlm_check password hash check library.
++ *
++ *  Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ */
++
++/*
++ * from cmocka.c:
++ * These headers or their equivalents should be included prior to
++ * including
++ * this header file.
++ *
++ * #include <stdarg.h>
++ * #include <stddef.h>
++ * #include <setjmp.h>
++ *
++ * This allows test applications to use custom definitions of C standard
++ * library functions and types.
++ *
++ */
++
++/*
++ * Note that the messaging routines (audit_message_send and get_event_server)
++ * are not tested by these unit tests.  Currently they are for integration
++ * test support, and as such are exercised by the integration tests.
++ */
++#include <stdarg.h>
++#include <stddef.h>
++#include <setjmp.h>
++#include <cmocka.h>
++
++#include "includes.h"
++#include "../lib/crypto/crypto.h"
++#include "librpc/gen_ndr/netlogon.h"
++#include "libcli/auth/libcli_auth.h"
++#include "auth/credentials/credentials.h"
++
++struct ntlm_state {
++	const char *username;
++	const char *domain;
++	DATA_BLOB challenge;
++	DATA_BLOB ntlm;
++	DATA_BLOB lm;
++	DATA_BLOB ntlm_key;
++	DATA_BLOB lm_key;
++	const struct samr_Password *nt_hash;
++};
++
++static int test_ntlm_setup_with_options(void **state,
++					int flags, bool upn)
++{
++	NTSTATUS status;
++	DATA_BLOB challenge = {
++		.data = discard_const_p(uint8_t, "I am a teapot"),
++		.length = 8
++	};
++	struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
++	DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
++							   NULL,
++							   "serverdom");
++	struct cli_credentials *creds = cli_credentials_init(ntlm_state);
++	cli_credentials_set_username(creds,
++				     "testuser",
++				     CRED_SPECIFIED);
++	cli_credentials_set_domain(creds,
++				   "testdom",
++				   CRED_SPECIFIED);
++	cli_credentials_set_workstation(creds,
++					"testwksta",
++					CRED_SPECIFIED);
++	cli_credentials_set_password(creds,
++				     "testpass",
++				     CRED_SPECIFIED);
++
++	if (upn) {
++		cli_credentials_set_principal(creds,
++					      "testuser@samba.org",
++					      CRED_SPECIFIED);
++	}
++
++	cli_credentials_get_ntlm_username_domain(creds,
++						 ntlm_state,
++						 &ntlm_state->username,
++						 &ntlm_state->domain);
++
++	status = cli_credentials_get_ntlm_response(creds,
++						   ntlm_state,
++						   &flags,
++						   challenge,
++						   NULL,
++						   target_info,
++						   &ntlm_state->lm,
++						   &ntlm_state->ntlm,
++						   &ntlm_state->lm_key,
++						   &ntlm_state->ntlm_key);
++	ntlm_state->challenge = challenge;
++
++	ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
++							  ntlm_state);
++
++	if (!NT_STATUS_IS_OK(status)) {
++		return -1;
++	}
++
++	*state = ntlm_state;
++	return 0;
++}
++
++static int test_ntlm_setup(void **state) {
++	return test_ntlm_setup_with_options(state, 0, false);
++}
++
++static int test_ntlm_and_lm_setup(void **state) {
++	return test_ntlm_setup_with_options(state,
++					    CLI_CRED_LANMAN_AUTH,
++					    false);
++}
++
++static int test_ntlm2_setup(void **state) {
++	return test_ntlm_setup_with_options(state,
++					    CLI_CRED_NTLM2,
++					    false);
++}
++
++static int test_ntlmv2_setup(void **state) {
++	return test_ntlm_setup_with_options(state,
++					    CLI_CRED_NTLMv2_AUTH,
++					    false);
++}
++
++static int test_ntlm_teardown(void **state)
++{
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	TALLOC_FREE(ntlm_state);
++	*state = NULL;
++	return 0;
++}
++
++static void test_ntlm_allowed(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_ON,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
++}
++
++static void test_ntlm_allowed_lm_supplied(void **state)
++{
++	return test_ntlm_allowed(state);
++}
++
++static void test_ntlm_disabled(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_DISABLED,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
++}
++
++static void test_ntlm2(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_ON,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	/*
++	 * NTLM2 session security (where the real challenge is the
++	 * MD5(challenge, client-challenge) (in the first 8 bytes of
++	 * the lm) isn't decoded by ntlm_password_check(), it must
++	 * first be converted back into normal NTLM by the NTLMSSP
++	 * layer
++	 */
++	assert_int_equal(NT_STATUS_V(status),
++			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
++}
++
++static void test_ntlm_mschapv2_only_allowed(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
++				     MSV1_0_ALLOW_MSVCHAPV2,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
++}
++
++static void test_ntlm_mschapv2_only_denied(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status),
++			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
++}
++
++static void test_ntlmv2_only_ntlmv2(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_NTLMV2_ONLY,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
++}
++
++static void test_ntlmv2_only_ntlm(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_NTLMV2_ONLY,
++				     0,
++				     &ntlm_state->challenge,
++				     &ntlm_state->lm,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status),
++			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
++}
++
++static void test_ntlmv2_only_ntlm_and_lanman(void **state)
++{
++	return test_ntlmv2_only_ntlm(state);
++}
++
++static void test_ntlmv2_only_ntlm_once(void **state)
++{
++	DATA_BLOB user_sess_key, lm_sess_key;
++	struct ntlm_state *ntlm_state
++		= talloc_get_type_abort(*state,
++					struct ntlm_state);
++	NTSTATUS status;
++	status = ntlm_password_check(ntlm_state,
++				     false,
++				     NTLM_AUTH_NTLMV2_ONLY,
++				     0,
++				     &ntlm_state->challenge,
++				     &data_blob_null,
++				     &ntlm_state->ntlm,
++				     ntlm_state->username,
++				     ntlm_state->username,
++				     ntlm_state->domain,
++				     NULL,
++				     ntlm_state->nt_hash,
++				     &user_sess_key,
++				     &lm_sess_key);
++
++	assert_int_equal(NT_STATUS_V(status),
++			 NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
++}
++
++int main(int argc, const char **argv)
++{
++	const struct CMUnitTest tests[] = {
++		cmocka_unit_test_setup_teardown(test_ntlm_allowed,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
++						test_ntlm_and_lm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlm_disabled,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlm2,
++						test_ntlm2_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
++						test_ntlm_and_lm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
++						test_ntlm_setup,
++						test_ntlm_teardown),
++		cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
++						test_ntlmv2_setup,
++						test_ntlm_teardown)
++	};
++
++	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++	return cmocka_run_group_tests(tests, NULL, NULL);
++}
+diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
+index 475b7d69406..d319d9b879e 100644
+--- a/libcli/auth/wscript_build
++++ b/libcli/auth/wscript_build
+@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
+ bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
+                     source='spnego_parse.c',
+                     deps='asn1util')
++
++bld.SAMBA_BINARY(
++        'test_ntlm_check',
++        source='tests/ntlm_check.c',
++        deps='''
++             NTLM_CHECK
++             CREDENTIALS_NTLM
++             samba-credentials
++             cmocka
++             talloc
++        ''',
++        install=False
++    )
+diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
+new file mode 100644
+index 00000000000..c6e6a3739ba
+--- /dev/null
++++ b/selftest/knownfail.d/ntlm
+@@ -0,0 +1,2 @@
++^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
++^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
+diff --git a/selftest/tests.py b/selftest/tests.py
+index 3f5097b680c..dc6486c13f8 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
+ 
+ plantestsuite("samba.unittests.smb1cli_session", "none",
+               [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
++plantestsuite("samba.unittests.ntlm_check", "none",
++              [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
+-- 
+2.14.4
+
+
+From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 14 Mar 2018 15:36:05 +0100
+Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
+ hash_password_check()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
+
+CVE-2018-1139: Weak authentication protocol allowed.
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ libcli/auth/ntlm_check.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
+index 3b02adc1d48..1c6499bd210 100644
+--- a/libcli/auth/ntlm_check.c
++++ b/libcli/auth/ntlm_check.c
+@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
+ 			     const struct samr_Password *stored_nt)
+ {
+ 	if (stored_nt == NULL) {
+-		DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", 
++		DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
+ 			 username));
+ 	}
+ 
+@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
+ 		if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
+ 			return NT_STATUS_OK;
+ 		} else {
+-			DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
++			DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
+ 				 username));
+ 			return NT_STATUS_WRONG_PASSWORD;
+ 		}
+ 
+ 	} else if (client_lanman && stored_lanman) {
+ 		if (!lanman_auth) {
+-			DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
++			DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ 				 username));
+ 			return NT_STATUS_WRONG_PASSWORD;
+ 		}
+@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
+ 		if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
+ 			return NT_STATUS_OK;
+ 		} else {
+-			DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
++			DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ 				 username));
+ 			return NT_STATUS_WRONG_PASSWORD;
+ 		}
+-- 
+2.14.4
+
+
+From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 14 Mar 2018 15:35:01 +0100
+Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
+ ntlm_password_check().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
+
+CVE-2018-1139: Weak authentication protocol allowed.
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/utils/ntlm_auth.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 3f544902a24..8f77680416f 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
+ 	*pauthoritative = 1;
+ 
+ 	nt_status = ntlm_password_check(mem_ctx,
+-					true, true, 0,
++					true, NTLM_AUTH_ON, 0,
+ 					&auth4_context->challenge.data,
+ 					&user_info->password.response.lanman,
+ 					&user_info->password.response.nt,
+@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
+ 
+ 				nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
+ 				nt_status = ntlm_password_check(mem_ctx,
+-								true, true, 0,
++								true,
++								NTLM_AUTH_ON,
++								0,
+ 								&challenge,
+ 								&lm_response,
+ 								&nt_response,
+-- 
+2.14.4
+
+
+From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 16 Mar 2018 17:25:12 +0100
+Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
+ via SMB1 when it is disabled.
+
+Right now, this test will succeed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
+
+CVE-2018-1139: Weak authentication protocol allowed.
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/selftest/tests.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 9092c1776c8..034c014e5b8 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
+     plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
+     plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
+ 
+-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
++for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
+     for env in ["nt4_member", "ad_member"]:
+         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
+         plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
+-- 
+2.14.4
+
+
+From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 13 Mar 2018 16:56:20 +0100
+Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
+ when it is disabled via "ntlm auth".
+
+This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
+
+Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
+
+In order to demonstrate simply run:
+
+smbclient //server/share -U user%password -mNT1 -c quit \
+--option="client ntlmv2 auth"=no \
+--option="client use spnego"=no
+
+against a server that uses "ntlm auth = ntlmv2-only" (our default
+setting).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
+
+CVE-2018-1139: Weak authentication protocol allowed.
+
+Guenther
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ libcli/auth/ntlm_check.c  | 2 +-
+ selftest/knownfail        | 3 ++-
+ selftest/knownfail.d/ntlm | 2 --
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/ntlm
+
+diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
+index 1c6499bd210..b68e9c87888 100644
+--- a/libcli/auth/ntlm_check.c
++++ b/libcli/auth/ntlm_check.c
+@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
+ 	   - I think this is related to Win9X pass-though authentication
+ 	*/
+ 	DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
+-	if (ntlm_auth) {
++	if (ntlm_auth == NTLM_AUTH_ON) {
+ 		if (smb_pwd_check_ntlmv1(mem_ctx, 
+ 					 lm_response, 
+ 					 stored_nt->hash, challenge,
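Review bot: The corrected test `if (ntlm_auth == NTLM_AUTH_ON) {` has no comment saying why only this one level may take the "NT MD4 password in LM field" fallback, although this is the condition the commit message describes as a regression. Because `ntlm_auth` is compared against an enumerator, a plain truthiness test would presumably also pass for restrictive levels such as the `ntlmv2-only` default named in the commit message, and nothing in the code warns the next editor against simplifying it back. I would add `/* NTLMv1 response in the LM field: allowed only for NTLM_AUTH_ON, never for ntlmv2-only */` directly above the `if`. ntlm_password_check starts and ends outside this hunk, so any other tests of `ntlm_auth` in the function could not be checked from here.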
+diff --git a/selftest/knownfail b/selftest/knownfail
+index ba16fd72290..84776d4f35d 100644
+--- a/selftest/knownfail
++++ b/selftest/knownfail
+@@ -303,8 +303,9 @@
+ ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
+ # fl2000dc doesn't support AES
+ ^samba4.krb5.kdc.*as-req-aes.*fl2000dc
+-# nt4_member and ad_member don't support ntlmv1
++# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
+ ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
++^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
+ #nt-vfs server blocks read with execute access
+ ^samba4.smb2.read.access
+ #ntvfs server blocks copychunk with execute access on read handle
+diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
+deleted file mode 100644
+index c6e6a3739ba..00000000000
+--- a/selftest/knownfail.d/ntlm
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
+-- 
+2.14.4
+
diff --git a/SOURCES/samba-4.7-fix_aesni_intel_support.patch b/SOURCES/samba-4.7-fix_aesni_intel_support.patch
deleted file mode 100644
index 9e37d86..0000000
--- a/SOURCES/samba-4.7-fix_aesni_intel_support.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
-Date: Mon, 4 Dec 2017 10:49:19 +0100
-Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z
- noexecstack
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
-
-Signed-off-by: Björn Baumbach <bb@sernet.de>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- third_party/aesni-intel/wscript | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
-index eb92d6626fe..0ccd9eb1e5b 100644
---- a/third_party/aesni-intel/wscript
-+++ b/third_party/aesni-intel/wscript
-@@ -12,6 +12,8 @@ def configure(conf):
-                 raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
-         else:
-             raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
-+        if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
-+            raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
- 
- def build(bld):
-     if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
-@@ -20,4 +22,5 @@ def build(bld):
-     bld.SAMBA_LIBRARY('aesni-intel',
-         source='aesni-intel_asm.c',
-         cflags='-Wp,-E,-lang-asm',
-+        ldflags='-Wl,-z,noexecstack',
-         private_library=True)
--- 
-2.15.0
-
-
-From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 4 Dec 2017 11:00:10 +0100
-Subject: [PATCH 2/2] third_party: Fix a typo in the option name
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- third_party/aesni-intel/wscript | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
-index 0ccd9eb1e5b..f0723a52501 100644
---- a/third_party/aesni-intel/wscript
-+++ b/third_party/aesni-intel/wscript
-@@ -9,11 +9,11 @@ def configure(conf):
-                 print("Compiling with Intel AES instructions")
-                 conf.DEFINE('HAVE_AESNI_INTEL', 1)
-             else:
--                raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
-+                raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
-         else:
--            raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
-+            raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
-         if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
--            raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
-+            raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
- 
- def build(bld):
-     if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
--- 
-2.15.0
-
diff --git a/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch b/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch
deleted file mode 100644
index 6a4fa39..0000000
--- a/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e3f491fde52c3c7f31b0137125cb0ab1d5721f87 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 17 May 2018 11:53:18 +0200
-Subject: [PATCH] s3:utils: Do not segfault on error in DoDNSUpdate()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13440
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-
-(cherry picked from commit cdd98aa1e2116fb97e16718d115ee883fe1bc8ba)
----
- source3/utils/net_dns.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c
-index d972a5d4bad..9ee856c0059 100644
---- a/source3/utils/net_dns.c
-+++ b/source3/utils/net_dns.c
-@@ -75,6 +75,7 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
- 
- 		if (!ERR_DNS_IS_OK(err)) {
- 			DEBUG(3,("DoDNSUpdate: failed to probe DNS\n"));
-+			goto error;
- 		}
- 
- 		if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
--- 
-2.16.3
-
diff --git a/SOURCES/samba-4.7-fix_samba_with_systemd.patch b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
deleted file mode 100644
index a12f130..0000000
--- a/SOURCES/samba-4.7-fix_samba_with_systemd.patch
+++ /dev/null
@@ -1,313 +0,0 @@
-From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
-From: Gary Lockyer <gary@catalyst.net.nz>
-Date: Mon, 21 Aug 2017 15:12:04 +1200
-Subject: [PATCH 1/4] s4/smbd: set the process group.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Set the process group in the samba daemon, the --no-process-group option
-allows this to be disabled.  The no-process-group option needs to be
-disabled in self test.
-
-Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
----
- selftest/target/Samba4.pm |  2 +-
- source4/smbd/server.c     | 18 +++++++++++++++++-
- 2 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
-index 772f982cb9d..6a1856ef642 100755
---- a/selftest/target/Samba4.pm
-+++ b/selftest/target/Samba4.pm
-@@ -158,7 +158,7 @@ sub check_or_start($$$)
- 		close($env_vars->{STDIN_PIPE});
- 		open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
- 
--		exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
-+		exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
- 	}
- 	$env_vars->{SAMBA_PID} = $pid;
- 	print "DONE ($pid)\n";
-diff --git a/source4/smbd/server.c b/source4/smbd/server.c
-index a8bad06bed3..ba520e0a8f5 100644
---- a/source4/smbd/server.c
-+++ b/source4/smbd/server.c
-@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
- {
- 	bool opt_daemon = false;
- 	bool opt_interactive = false;
-+	bool opt_no_process_group = false;
- 	int opt;
- 	poptContext pc;
- #define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
-@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
- 		OPT_DAEMON = 1000,
- 		OPT_INTERACTIVE,
- 		OPT_PROCESS_MODEL,
--		OPT_SHOW_BUILD
-+		OPT_SHOW_BUILD,
-+		OPT_NO_PROCESS_GROUP,
- 	};
- 	struct poptOption long_options[] = {
- 		POPT_AUTOHELP
-@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
- 			"till autotermination", "seconds"},
- 		{"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
- 			"show build info", NULL },
-+		{"no-process-group", '\0', POPT_ARG_NONE, NULL,
-+		  OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
- 		POPT_COMMON_SAMBA
- 		POPT_COMMON_VERSION
- 		{ NULL }
-@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
- 		case OPT_SHOW_BUILD:
- 			show_build();
- 			break;
-+		case OPT_NO_PROCESS_GROUP:
-+			opt_no_process_group = true;
-+			break;
- 		default:
- 			fprintf(stderr, "\nInvalid option %s: %s\n\n",
- 				  poptBadOption(pc, 0), poptStrerror(opt));
-@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
- 		stdin_event_flags = 0;
- 	}
- 
-+#if HAVE_SETPGID
-+	/*
-+	 * If we're interactive we want to set our own process group for
-+	 * signal management, unless --no-process-group specified.
-+	 */
-+	if (opt_interactive && !opt_no_process_group)
-+		setpgid((pid_t)0, (pid_t)0);
-+#endif
-+
- 	/* catch EOF on stdin */
- #ifdef SIGTTIN
- 	signal(SIGTTIN, SIG_IGN);
--- 
-2.15.0
-
-
-From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 15 Nov 2017 10:00:52 +0100
-Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
----
- source4/smbd/server.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source4/smbd/server.c b/source4/smbd/server.c
-index ba520e0a8f5..406f79593b9 100644
---- a/source4/smbd/server.c
-+++ b/source4/smbd/server.c
-@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
- {
- 	char *path;
- 	TALLOC_CTX *mem_ctx = talloc_new(NULL);
-+	if (mem_ctx == NULL) {
-+		exit_daemon("Failed to create memory context",
-+			    ENOMEM);
-+	}
- 
- 	path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
-+	if (path == NULL) {
-+		exit_daemon("Failed to cleanup temporary files",
-+			    EINVAL);
-+	}
- 
- 	recursive_delete(path);
- 	talloc_free(mem_ctx);
--- 
-2.15.0
-
-
-From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 10 Nov 2017 09:18:18 +0100
-Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
-
-We are passing the no_process_group to become_daemon() that setsid() is
-not called. In case we are double forking, we run in SysV daemon mode,
-setsid() should be called!
-
-See:
-https://www.freedesktop.org/software/systemd/man/daemon.html
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
----
- source3/smbd/server.c |  2 +-
- source4/smbd/server.c | 13 ++++++++++---
- 2 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/source3/smbd/server.c b/source3/smbd/server.c
-index 181bcd1e123..252b43190d7 100644
---- a/source3/smbd/server.c
-+++ b/source3/smbd/server.c
-@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
- 	struct poptOption long_options[] = {
- 	POPT_AUTOHELP
- 	{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
--	{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
-+	{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
- 	{"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
- 	{"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
- 	{"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
-diff --git a/source4/smbd/server.c b/source4/smbd/server.c
-index 406f79593b9..2349d5c7fa0 100644
---- a/source4/smbd/server.c
-+++ b/source4/smbd/server.c
-@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
- 				const char *argv[])
- {
- 	bool opt_daemon = false;
-+	bool opt_fork = true;
- 	bool opt_interactive = false;
- 	bool opt_no_process_group = false;
- 	int opt;
-@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
- 	struct stat st;
- 	enum {
- 		OPT_DAEMON = 1000,
-+		OPT_FOREGROUND,
- 		OPT_INTERACTIVE,
- 		OPT_PROCESS_MODEL,
- 		OPT_SHOW_BUILD,
-@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
- 		POPT_AUTOHELP
- 		{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
- 		 "Become a daemon (default)", NULL },
-+		{"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND,
-+		 "Run the daemon in foreground", NULL },
- 		{"interactive",	'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
- 		 "Run interactive (not a daemon)", NULL},
- 		{"model", 'M', POPT_ARG_STRING,	NULL, OPT_PROCESS_MODEL,
-@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name,
- 		case OPT_DAEMON:
- 			opt_daemon = true;
- 			break;
-+		case OPT_FOREGROUND:
-+			opt_fork = false;
-+			break;
- 		case OPT_INTERACTIVE:
- 			opt_interactive = true;
- 			break;
-@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name,
- 			"not allowed together with -D|--daemon\n\n");
- 		poptPrintUsage(pc, stderr, 0);
- 		return 1;
--	} else if (!opt_interactive) {
-+	} else if (!opt_interactive && !opt_fork) {
- 		/* default is --daemon */
- 		opt_daemon = true;
- 	}
-@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name,
- 	}
- 
- 	if (opt_daemon) {
--		DEBUG(3,("Becoming a daemon.\n"));
--		become_daemon(true, false, false);
-+		DBG_NOTICE("Becoming a daemon.\n");
-+		become_daemon(opt_fork, opt_no_process_group, false);
- 	}
- 
- 	/* Create the memory context to hang everything off. */
--- 
-2.15.0
-
-
-From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 10 Nov 2017 09:32:27 +0100
-Subject: [PATCH 4/4] systemd: Start processes in forground and without a
- process group
-
-We should not double fork in notify mode or systemd think something
-during startup will be wrong and send SIGTERM to the process. So
-sometimes the daemon will not start up correctly.
-
-systemd will also handle the process group.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77)
----
- packaging/systemd/nmb.service     | 2 +-
- packaging/systemd/samba.service   | 2 +-
- packaging/systemd/smb.service     | 2 +-
- packaging/systemd/winbind.service | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
-index 992c0cd9d2b..71c93d6088b 100644
---- a/packaging/systemd/nmb.service
-+++ b/packaging/systemd/nmb.service
-@@ -7,7 +7,7 @@ Type=notify
- NotifyAccess=all
- PIDFile=/run/nmbd.pid
- EnvironmentFile=-/etc/sysconfig/samba
--ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
-+ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS
- ExecReload=/usr/bin/kill -HUP $MAINPID
- LimitCORE=infinity
- 
-diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
-index 824f89c2030..1b64c3b779d 100644
---- a/packaging/systemd/samba.service
-+++ b/packaging/systemd/samba.service
-@@ -8,7 +8,7 @@ NotifyAccess=all
- PIDFile=/run/samba.pid
- LimitNOFILE=16384
- EnvironmentFile=-/etc/sysconfig/samba
--ExecStart=/usr/sbin/samba $SAMBAOPTIONS
-+ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
- ExecReload=/usr/bin/kill -HUP $MAINPID
- 
- [Install]
-diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
-index 6053a5caaa5..adf6684c7d9 100644
---- a/packaging/systemd/smb.service
-+++ b/packaging/systemd/smb.service
-@@ -8,7 +8,7 @@ NotifyAccess=all
- PIDFile=/run/smbd.pid
- LimitNOFILE=16384
- EnvironmentFile=-/etc/sysconfig/samba
--ExecStart=/usr/sbin/smbd $SMBDOPTIONS
-+ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
- ExecReload=/usr/bin/kill -HUP $MAINPID
- LimitCORE=infinity
- 
-diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
-index c511488166e..46b3797251d 100644
---- a/packaging/systemd/winbind.service
-+++ b/packaging/systemd/winbind.service
-@@ -7,7 +7,7 @@ Type=notify
- NotifyAccess=all
- PIDFile=/run/winbindd.pid
- EnvironmentFile=-/etc/sysconfig/samba
--ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
-+ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
- ExecReload=/usr/bin/kill -HUP $MAINPID
- LimitCORE=infinity
- 
--- 
-2.15.0
-
diff --git a/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch b/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch
deleted file mode 100644
index 4df811e..0000000
--- a/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-From 27bd0925c556ff69ce5db306f513eb4e4e7d4c7e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 19 Feb 2018 18:07:50 +0100
-Subject: [PATCH] s3:smbd: Do not crash if we fail to init the session table
-
-This should the following segfault with SMB1:
-
-  #6  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
-  #7  <signal handler called>
-  #8  smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
-      at ../source3/smbd/smbXsrv_session.c:1212
-  #9  0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
-  #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
-  #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
-      at ../source3/smbd/process.c:1762
-  #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
-      deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
-  #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
-  #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0
-
-Inspection the core shows that:
-  conn->client-session_table is NULL
-  conn->protocol is PROTOCOL_NONE
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878)
----
- source3/smbd/negprot.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
-index d3f4776076f..70249f7b446 100644
---- a/source3/smbd/negprot.c
-+++ b/source3/smbd/negprot.c
-@@ -65,6 +65,8 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
- 	time_t t = time(NULL);
- 	struct smbXsrv_connection *xconn = req->xconn;
- 	uint16_t raw;
-+	NTSTATUS status;
-+
- 	if (lp_async_smb_echo_handler()) {
- 		raw = 0;
- 	} else {
-@@ -88,7 +90,11 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
- 		SSVAL(req->outbuf,smb_vwv11, 8);
- 	}
- 
--	smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
-+	status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		reply_nterror(req, status);
-+		return;
-+	}
- 
- 	/* Reply, SMBlockread, SMBwritelock supported. */
- 	SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
-@@ -115,6 +121,8 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
- 	time_t t = time(NULL);
- 	struct smbXsrv_connection *xconn = req->xconn;
- 	uint16_t raw;
-+	NTSTATUS status;
-+
- 	if (lp_async_smb_echo_handler()) {
- 		raw = 0;
- 	} else {
-@@ -140,7 +148,11 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
- 		SSVAL(req->outbuf,smb_vwv11, 8);
- 	}
- 
--	smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
-+	status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		reply_nterror(req, status);
-+		return;
-+	}
- 
- 	/* Reply, SMBlockread, SMBwritelock supported. */
- 	SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
-@@ -260,6 +272,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
- 	struct smbXsrv_connection *xconn = req->xconn;
- 	bool signing_desired = false;
- 	bool signing_required = false;
-+	NTSTATUS status;
- 
- 	xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
- 
-@@ -337,7 +350,11 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
- 	SSVAL(req->outbuf,smb_vwv0,choice);
- 	SCVAL(req->outbuf,smb_vwv1,secword);
- 
--	smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
-+	status = smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		reply_nterror(req, status);
-+		return;
-+	}
- 
- 	SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */
- 	SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */
--- 
-2.16.2
-
diff --git a/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch b/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch
deleted file mode 100644
index ba778fc..0000000
--- a/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 8fb23665ddad8f65a6461c310ed5680d104fd9bf Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 17 Apr 2018 08:55:23 +0200
-Subject: [PATCH] s3:passdb: Do not return OK if we don't have pinfo set up
-
-This prevents a crash in fill_mem_keytab_from_secrets()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13376
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-(cherry picked from commit 99859479fc6e12b2f74ce2dfa83da56d8b8f3d26)
----
- source3/passdb/machine_account_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
-index 75f31cb04e2..d36fa268a4b 100644
---- a/source3/passdb/machine_account_secrets.c
-+++ b/source3/passdb/machine_account_secrets.c
-@@ -1317,7 +1317,7 @@ NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
- 
- 	last_set_time = secrets_fetch_pass_last_set_time(domain);
- 	if (last_set_time == 0) {
--		return NT_STATUS_OK;
-+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- 	}
- 	unix_to_nt_time(&last_set_nt, last_set_time);
- 
--- 
-2.16.3
-
diff --git a/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch b/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
deleted file mode 100644
index 4360ef5..0000000
--- a/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 2f6d1b8b5a1643082d93f338b0528b861caeff80 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Wed, 11 Apr 2018 10:42:21 +0200
-Subject: [PATCH] rpc_server: Init local_server_* in
- make_internal_rpc_pipe_socketpair
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=13370
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-
-Autobuild-User(master): Volker Lendecke <vl@samba.org>
-Autobuild-Date(master): Wed Apr 11 15:19:19 CEST 2018 on sn-devel-144
-
-(cherry picked from commit 212815969f4a706bc8395e2f6dbf225318ff2ad7)
----
- source3/rpc_server/rpc_ncacn_np.c | 31 +++++++++++++++++++++++--------
- source3/rpc_server/rpc_ncacn_np.h | 18 ++++++++++--------
- source3/rpc_server/srv_pipe_hnd.c | 18 ++++++++++--------
- 3 files changed, 43 insertions(+), 24 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
-index 0728f54b092..d7e7785248d 100644
---- a/source3/rpc_server/rpc_ncacn_np.c
-+++ b/source3/rpc_server/rpc_ncacn_np.c
-@@ -69,14 +69,16 @@ fail:
- 	return NULL;
- }
- 
--NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
--					   struct tevent_context *ev_ctx,
--					   struct messaging_context *msg_ctx,
--					   const char *pipe_name,
--					   const struct ndr_syntax_id *syntax,
--					   const struct tsocket_address *remote_address,
--					   const struct auth_session_info *session_info,
--					   struct npa_state **pnpa)
-+NTSTATUS make_internal_rpc_pipe_socketpair(
-+	TALLOC_CTX *mem_ctx,
-+	struct tevent_context *ev_ctx,
-+	struct messaging_context *msg_ctx,
-+	const char *pipe_name,
-+	const struct ndr_syntax_id *syntax,
-+	const struct tsocket_address *remote_address,
-+	const struct tsocket_address *local_address,
-+	const struct auth_session_info *session_info,
-+	struct npa_state **pnpa)
- {
- 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
- 	struct named_pipe_client *npc;
-@@ -136,6 +138,19 @@ NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
- 		goto out;
- 	}
- 
-+	npc->local_server_addr = tsocket_address_copy(local_address, npc);
-+	if (npc->local_server_addr == NULL) {
-+		status = NT_STATUS_NO_MEMORY;
-+		goto out;
-+	}
-+
-+	npc->local_server_name = tsocket_address_inet_addr_string(
-+		npc->local_server_addr, npc);
-+	if (npc->local_server_name == NULL) {
-+		status = NT_STATUS_NO_MEMORY;
-+		goto out;
-+	}
-+
- 	npc->session_info = copy_session_info(npc, session_info);
- 	if (npc->session_info == NULL) {
- 		status = NT_STATUS_NO_MEMORY;
-diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
-index 03bbd3f8af9..9ba58644ec0 100644
---- a/source3/rpc_server/rpc_ncacn_np.h
-+++ b/source3/rpc_server/rpc_ncacn_np.h
-@@ -44,14 +44,16 @@ NTSTATUS make_external_rpc_pipe(TALLOC_CTX *mem_ctx,
- 				const struct auth_session_info *session_info,
- 				struct npa_state **pnpa);
- 
--NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
--					   struct tevent_context *ev_ctx,
--					   struct messaging_context *msg_ctx,
--					   const char *pipe_name,
--					   const struct ndr_syntax_id *syntax,
--					   const struct tsocket_address *remote_address,
--					   const struct auth_session_info *session_info,
--					   struct npa_state **pnpa);
-+NTSTATUS make_internal_rpc_pipe_socketpair(
-+	TALLOC_CTX *mem_ctx,
-+	struct tevent_context *ev_ctx,
-+	struct messaging_context *msg_ctx,
-+	const char *pipe_name,
-+	const struct ndr_syntax_id *syntax,
-+	const struct tsocket_address *remote_address,
-+	const struct tsocket_address *local_address,
-+	const struct auth_session_info *session_info,
-+	struct npa_state **pnpa);
- 
- struct np_proxy_state {
- 	uint16_t file_type;
-diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
-index f9b7855b40f..baa4ce96334 100644
---- a/source3/rpc_server/srv_pipe_hnd.c
-+++ b/source3/rpc_server/srv_pipe_hnd.c
-@@ -106,14 +106,16 @@ NTSTATUS np_open(TALLOC_CTX *mem_ctx, const char *name,
- 			return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- 		}
- 
--		status = make_internal_rpc_pipe_socketpair(handle,
--							   ev_ctx,
--							   msg_ctx,
--							   name,
--							   &syntax,
--							   remote_client_address,
--							   session_info,
--							   &npa);
-+		status = make_internal_rpc_pipe_socketpair(
-+			handle,
-+			ev_ctx,
-+			msg_ctx,
-+			name,
-+			&syntax,
-+			remote_client_address,
-+			local_server_address,
-+			session_info,
-+			&npa);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			talloc_free(handle);
- 			return status;
--- 
-2.11.0
-
diff --git a/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch b/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch
deleted file mode 100644
index c41796a..0000000
--- a/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch
+++ /dev/null
@@ -1,2595 +0,0 @@
-From 5604f16d805a73dd35a69c162966d081a1ebdb84 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 15 Mar 2018 17:40:07 +0100
-Subject: [PATCH 01/21] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST
- bit for anonymous
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f)
-(cherry picked from commit 23d1850c1c632984052ac923ab365501dd1c0195)
----
- source3/torture/proto.h     |  1 +
- source3/torture/test_smb2.c | 42 +++++++++++++++++++++++++++++++++++++
- source3/torture/torture.c   |  1 +
- 3 files changed, 44 insertions(+)
-
-diff --git a/source3/torture/proto.h b/source3/torture/proto.h
-index 4c3e5401ce0..6f12ff7c2b9 100644
---- a/source3/torture/proto.h
-+++ b/source3/torture/proto.h
-@@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy);
- bool run_nttrans_fsctl(int dummy);
- bool run_smb2_basic(int dummy);
- bool run_smb2_negprot(int dummy);
-+bool run_smb2_anonymous(int dummy);
- bool run_smb2_session_reconnect(int dummy);
- bool run_smb2_tcon_dependence(int dummy);
- bool run_smb2_multi_channel(int dummy);
-diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
-index 297c3abca9f..897d034f6a9 100644
---- a/source3/torture/test_smb2.c
-+++ b/source3/torture/test_smb2.c
-@@ -24,6 +24,7 @@
- #include "../libcli/smb/smbXcli_base.h"
- #include "libcli/security/security.h"
- #include "libsmb/proto.h"
-+#include "auth/credentials/credentials.h"
- #include "auth/gensec/gensec.h"
- #include "auth_generic.h"
- #include "../librpc/ndr/libndr.h"
-@@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy)
- 	return true;
- }
- 
-+bool run_smb2_anonymous(int dummy)
-+{
-+	struct cli_state *cli = NULL;
-+	NTSTATUS status;
-+	struct cli_credentials *anon_creds = NULL;
-+	bool guest = false;
-+
-+	printf("Starting SMB2-ANONYMOUS\n");
-+
-+	if (!torture_init_connection(&cli)) {
-+		return false;
-+	}
-+
-+	status = smbXcli_negprot(cli->conn, cli->timeout,
-+				 PROTOCOL_SMB2_02, PROTOCOL_LATEST);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		printf("smbXcli_negprot returned %s\n", nt_errstr(status));
-+		return false;
-+	}
-+
-+	anon_creds = cli_credentials_init_anon(talloc_tos());
-+	if (anon_creds == NULL) {
-+		printf("cli_credentials_init_anon failed\n");
-+		return false;
-+	}
-+
-+	status = cli_session_setup_creds(cli, anon_creds);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		printf("cli_session_setup returned %s\n", nt_errstr(status));
-+		return false;
-+	}
-+
-+	guest = smbXcli_session_is_guest(cli->smb2.session);
-+	if (guest) {
-+		printf("anonymous session should not have guest authentication\n");
-+		return false;
-+	}
-+
-+	return true;
-+}
-+
- bool run_smb2_session_reconnect(int dummy)
- {
- 	struct cli_state *cli1;
-diff --git a/source3/torture/torture.c b/source3/torture/torture.c
-index 31e2bcc3497..e3834432ccb 100644
---- a/source3/torture/torture.c
-+++ b/source3/torture/torture.c
-@@ -11644,6 +11644,7 @@ static struct {
- 	{ "NOTIFY-ONLINE", run_notify_online },
- 	{ "SMB2-BASIC", run_smb2_basic },
- 	{ "SMB2-NEGPROT", run_smb2_negprot },
-+	{ "SMB2-ANONYMOUS", run_smb2_anonymous },
- 	{ "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect },
- 	{ "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence },
- 	{ "SMB2-MULTI-CHANNEL", run_smb2_multi_channel },
--- 
-2.17.0
-
-
-From 6dfd59a8a8862b0954f8bd87b3816062f00fea0f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 15 Mar 2018 18:04:21 +0100
-Subject: [PATCH 02/21] s3:selftest: run SMB2-ANONYMOUS
-
-This fails against a non AD DC smbd.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2)
-(cherry picked from commit e39a5bd12e1704926c9d8141d8ef75a093670892)
----
- selftest/knownfail.d/anonymous-guest | 1 +
- source3/selftest/tests.py            | 1 +
- 2 files changed, 2 insertions(+)
- create mode 100644 selftest/knownfail.d/anonymous-guest
-
-diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest
-new file mode 100644
-index 00000000000..a134cece3d5
---- /dev/null
-+++ b/selftest/knownfail.d/anonymous-guest
-@@ -0,0 +1 @@
-+^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index 56b94c436ce..c0522b3ed6f 100755
---- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -75,6 +75,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7"
-         "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST",
-         "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT",
-         "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE",
-+        "SMB2-ANONYMOUS",
-         "CLEANUP1",
-         "CLEANUP2",
-         "CLEANUP4",
--- 
-2.17.0
-
-
-From 40b619182e63df1cbc8e47c79a0ac0f83debce69 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 14 Mar 2018 11:44:49 +0100
-Subject: [PATCH 03/21] libcli/security: only announce a session as GUEST if
- 'Builtin\Guests' is there without 'Authenticated User'
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3)
-(cherry picked from commit ff7a8e416b53e073a6d16fb122cdeba8b53c6e53)
----
- libcli/security/session.c | 18 +++++++++++-------
- 1 file changed, 11 insertions(+), 7 deletions(-)
-
-diff --git a/libcli/security/session.c b/libcli/security/session.c
-index 0fbb87d584e..f17e884c847 100644
---- a/libcli/security/session.c
-+++ b/libcli/security/session.c
-@@ -26,6 +26,9 @@
- enum security_user_level security_session_user_level(struct auth_session_info *session_info,
- 						     const struct dom_sid *domain_sid)
- {
-+	bool authenticated = false;
-+	bool guest = false;
-+
- 	if (!session_info) {
- 		return SECURITY_ANONYMOUS;
- 	}
-@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
- 		return SECURITY_ANONYMOUS;
- 	}
- 
--	if (security_token_has_builtin_guests(session_info->security_token)) {
--		return SECURITY_GUEST;
-+	authenticated = security_token_has_nt_authenticated_users(session_info->security_token);
-+	guest = security_token_has_builtin_guests(session_info->security_token);
-+	if (!authenticated) {
-+		if (guest) {
-+			return SECURITY_GUEST;
-+		}
-+		return SECURITY_ANONYMOUS;
- 	}
- 
- 	if (security_token_has_builtin_administrators(session_info->security_token)) {
-@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
- 		return SECURITY_DOMAIN_CONTROLLER;
- 	}
- 
--	if (security_token_has_nt_authenticated_users(session_info->security_token)) {
--		return SECURITY_USER;
--	}
--
--	return SECURITY_ANONYMOUS;
-+	return SECURITY_USER;
- }
--- 
-2.17.0
-
-
-From b2e7990934503c86c17751a8c4f7d5f40b32aed7 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 1 Mar 2018 18:05:28 +0100
-Subject: [PATCH 04/21] s3:auth: remove unused auth_serversupplied_info->system
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9)
-(cherry picked from commit b991dca37a425cc252752e5a306df80077814aaf)
----
- source3/auth/auth_util.c | 1 -
- source3/include/auth.h   | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 1021f2a6fef..4ae9dad2dd6 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -1045,7 +1045,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
- 	SMB_ASSERT(src->unix_info);
- 
- 	dst->guest = true;
--	dst->system = false;
- 
- 	/* This element must be provided to convert back to an
- 	 * auth_serversupplied_info.  This needs to be from the
-diff --git a/source3/include/auth.h b/source3/include/auth.h
-index b7223c15036..d3055373964 100644
---- a/source3/include/auth.h
-+++ b/source3/include/auth.h
-@@ -30,7 +30,6 @@ struct extra_auth_info {
- 
- struct auth_serversupplied_info {
- 	bool guest;
--	bool system;
- 
- 	struct security_unix_token utok;
- 
--- 
-2.17.0
-
-
-From 092a1ddebdcd399676820edafb33afe535522ee4 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Mar 2018 16:37:58 +0100
-Subject: [PATCH 05/21] s3:auth: add the "Unix Groups" sid for the primary gid
-
-The primary gid might not be in the gid array.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405)
-(cherry picked from commit 1258f287420642698c456f6bb17bf4547a921964)
----
- source3/auth/auth_util.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 4ae9dad2dd6..2aa40388d14 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -660,7 +660,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- 	 */
- 
- 	uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
-+	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
-+				&session_info->security_token->sids,
-+				&session_info->security_token->num_sids);
- 
-+	gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid);
- 	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
- 				&session_info->security_token->sids,
- 				&session_info->security_token->num_sids);
--- 
-2.17.0
-
-
-From c7b23189a548a0d684e04ef78e0fa7c3e3456316 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 17:14:34 +0100
-Subject: [PATCH 06/21] s3:auth: move add_local_groups() out of
- finalize_local_nt_token()
-
-finalize_local_nt_token() will be used in another place,
-were we don't want to add local groups in a following commit.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8)
-(cherry picked from commit 85097b155447257d9c4a66cd43ac432a27b52529)
----
- source3/auth/token_util.c | 22 +++++++++++++++-------
- 1 file changed, 15 insertions(+), 7 deletions(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index 03c4b646007..e5a12db1ba3 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,
- 	return NT_STATUS_OK;
- }
- 
-+static NTSTATUS add_local_groups(struct security_token *result,
-+				 bool is_guest);
- static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 					bool is_guest);
- 
-@@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
- 		}
- 	}
- 
-+	status = add_local_groups(usrtok, is_guest);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(3, ("Failed to add local groups\n"));
-+		TALLOC_FREE(usrtok);
-+		return status;
-+	}
-+
- 	status = finalize_local_nt_token(usrtok, is_guest);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(3, ("Failed to finalize nt token\n"));
-@@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- 		}
- 	}
- 
-+	status = add_local_groups(result, is_guest);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		TALLOC_FREE(result);
-+		return NULL;
-+	}
-+
- 	status = finalize_local_nt_token(result, is_guest);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		TALLOC_FREE(result);
-@@ -502,13 +517,6 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 	NTSTATUS status;
- 	struct acct_info *info;
- 
--	/* Add any local groups. */
--
--	status = add_local_groups(result, is_guest);
--	if (!NT_STATUS_IS_OK(status)) {
--		return status;
--	}
--
- 	/* Add in BUILTIN sids */
- 
- 	status = add_sid_to_array(result, &global_sid_World,
--- 
-2.17.0
-
-
-From b914f0e37eb05eb656d37cb317f1b3d556325edd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 13 Mar 2018 21:35:48 +0100
-Subject: [PATCH 07/21] s3:passdb: handle dom_sid=NULL in
- create_builtin_{users,administrators}()
-
-We should not crash if we're called with NULL.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102)
-(cherry picked from commit c1f61c0816441be2061b3fd23db04dc60dcc64f7)
----
- source3/passdb/pdb_util.c | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c
-index bf7b2b8abd1..309eb893f8a 100644
---- a/source3/passdb/pdb_util.c
-+++ b/source3/passdb/pdb_util.c
-@@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid)
- 	}
- 
- 	/* add domain users */
--	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
--		&& sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))
-+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&
-+	    (dom_sid != NULL) &&
-+	    sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS))
- 	{
- 		status = add_sid_to_builtin(&global_sid_Builtin_Users,
- 					    &dom_users);
-@@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid)
- 	}
- 
- 	/* add domain admins */
--	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER))
--		&& sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))
-+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) &&
-+	    (dom_sid != NULL) &&
-+	    sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS))
- 	{
- 		status = add_sid_to_builtin(&global_sid_Builtin_Administrators,
- 					    &dom_admins);
--- 
-2.17.0
-
-
-From db7aa26880d37b0966cbf99100457ba31d3a0e9b Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 13 Mar 2018 21:38:27 +0100
-Subject: [PATCH 08/21] s3:auth: only call secrets_fetch_domain_sid() once in
- finalize_local_nt_token()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)
-(cherry picked from commit e0e4aa1ac539d2811bd801e9e3b8f69d7e306f3b)
----
- source3/auth/token_util.c | 35 +++++++++++++++++++----------------
- 1 file changed, 19 insertions(+), 16 deletions(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index e5a12db1ba3..f3d24cdac2f 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,
- 	if ( IS_DC ) {
- 		sid_copy( &domadm, get_global_sam_sid() );
- 	} else {
-+		if (dom_sid == NULL) {
-+			return NT_STATUS_INVALID_PARAMETER_MIX;
-+		}
- 		sid_copy(&domadm, dom_sid);
- 	}
- 	sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
-@@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result,
- static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 					bool is_guest)
- {
--	struct dom_sid dom_sid;
-+	struct dom_sid _dom_sid = { 0, };
-+	struct dom_sid *domain_sid = NULL;
- 	NTSTATUS status;
- 	struct acct_info *info;
-+	bool ok;
- 
- 	/* Add in BUILTIN sids */
- 
-@@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		}
- 	}
- 
-+	become_root();
-+	ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
-+	if (ok) {
-+		domain_sid = &_dom_sid;
-+	} else {
-+		DEBUG(3, ("Failed to fetch domain sid for %s\n",
-+			  lp_workgroup()));
-+	}
-+	unbecome_root();
-+
- 	info = talloc_zero(talloc_tos(), struct acct_info);
- 	if (info == NULL) {
- 		DEBUG(0, ("talloc failed!\n"));
-@@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 	if (!NT_STATUS_IS_OK(status)) {
- 
- 		become_root();
--		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
--			status = NT_STATUS_OK;
--			DEBUG(3, ("Failed to fetch domain sid for %s\n",
--				  lp_workgroup()));
--		} else {
--			status = create_builtin_administrators(&dom_sid);
--		}
-+		status = create_builtin_administrators(domain_sid);
- 		unbecome_root();
- 
- 		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
- 			/* Add BUILTIN\Administrators directly to token. */
--			status = add_builtin_administrators(result, &dom_sid);
-+			status = add_builtin_administrators(result, domain_sid);
- 			if ( !NT_STATUS_IS_OK(status) ) {
- 				DEBUG(3, ("Failed to check for local "
- 					  "Administrators membership (%s)\n",
-@@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 	if (!NT_STATUS_IS_OK(status)) {
- 
- 		become_root();
--		if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
--			status = NT_STATUS_OK;
--			DEBUG(3, ("Failed to fetch domain sid for %s\n",
--				  lp_workgroup()));
--		} else {
--			status = create_builtin_users(&dom_sid);
--		}
-+		status = create_builtin_users(domain_sid);
- 		unbecome_root();
- 
- 		if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&
--- 
-2.17.0
-
-
-From 9c86a3d2a0783fae2ec2883907ec877f9edd1dac Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 23:26:28 +0100
-Subject: [PATCH 09/21] s3:auth: add add_builtin_guests() handling to
- finalize_local_nt_token()
-
-We should add Builtin_Guests depending on the current token
-not based on 'is_guest'. Even authenticated users can be member
-a guest related group and therefore get Builtin_Guests.
-
-Sadly we still need to use 'is_guest' within create_local_nt_token()
-as we only have S-1-22-* SIDs there and still need to
-add Builtin_Guests.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7)
-(cherry picked from commit 7687d26f8bb6aa57672c70f95bee3f67b9957107)
----
- source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++---
- 1 file changed, 114 insertions(+), 8 deletions(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index f3d24cdac2f..30f2f8d346b 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,
- 	return NT_STATUS_OK;
- }
- 
-+static NTSTATUS add_builtin_guests(struct security_token *token,
-+				   const struct dom_sid *dom_sid)
-+{
-+	struct dom_sid tmp_sid;
-+	NTSTATUS status;
-+
-+	/*
-+	 * First check the local GUEST account.
-+	 */
-+	sid_copy(&tmp_sid, get_global_sam_sid());
-+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST);
-+
-+	if (nt_token_check_sid(&tmp_sid, token)) {
-+		status = add_sid_to_array_unique(token,
-+					&global_sid_Builtin_Guests,
-+					&token->sids, &token->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			return status;
-+		}
-+
-+		return NT_STATUS_OK;
-+	}
-+
-+	/*
-+	 * First check the local GUESTS group.
-+	 */
-+	sid_copy(&tmp_sid, get_global_sam_sid());
-+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
-+
-+	if (nt_token_check_sid(&tmp_sid, token)) {
-+		status = add_sid_to_array_unique(token,
-+					&global_sid_Builtin_Guests,
-+					&token->sids, &token->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			return status;
-+		}
-+
-+		return NT_STATUS_OK;
-+	}
-+
-+	if (lp_server_role() != ROLE_DOMAIN_MEMBER) {
-+		return NT_STATUS_OK;
-+	}
-+
-+	if (dom_sid == NULL) {
-+		return NT_STATUS_INVALID_PARAMETER_MIX;
-+	}
-+
-+	/*
-+	 * First check the domain GUESTS group.
-+	 */
-+	sid_copy(&tmp_sid, dom_sid);
-+	sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS);
-+
-+	if (nt_token_check_sid(&tmp_sid, token)) {
-+		status = add_sid_to_array_unique(token,
-+					&global_sid_Builtin_Guests,
-+					&token->sids, &token->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			return status;
-+		}
-+
-+		return NT_STATUS_OK;
-+	}
-+
-+	return NT_STATUS_OK;
-+}
-+
- static NTSTATUS add_local_groups(struct security_token *result,
- 				 bool is_guest);
- static NTSTATUS finalize_local_nt_token(struct security_token *result,
-@@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- 		return NULL;
- 	}
- 
-+	if (is_guest) {
-+		/*
-+		 * It's ugly, but for now it's
-+		 * needed to add Builtin_Guests
-+		 * here, the "local" token only
-+		 * consist of S-1-22-* SIDs
-+		 * and finalize_local_nt_token()
-+		 * doesn't have the chance to
-+		 * to detect it need to
-+		 * add Builtin_Guests via
-+		 * add_builtin_guests().
-+		 */
-+		status = add_sid_to_array_unique(result,
-+						 &global_sid_Builtin_Guests,
-+						 &result->sids,
-+						 &result->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			DEBUG(3, ("Failed to add SID to nt token\n"));
-+			TALLOC_FREE(result);
-+			return NULL;
-+		}
-+	}
-+
- 	return result;
- }
- 
-@@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		return status;
- 	}
- 
--	if (is_guest) {
--		status = add_sid_to_array(result, &global_sid_Builtin_Guests,
--					  &result->sids,
--					  &result->num_sids);
--		if (!NT_STATUS_IS_OK(status)) {
--			return status;
--		}
--	} else {
-+	if (!is_guest) {
- 		status = add_sid_to_array(result,
- 					  &global_sid_Authenticated_Users,
- 					  &result->sids,
-@@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		}
- 	}
- 
-+	/*
-+	 * Add BUILTIN\Guests directly to token.
-+	 * But only if the token already indicates
-+	 * real guest access by:
-+	 * - local GUEST account
-+	 * - local GUESTS group
-+	 * - domain GUESTS group
-+	 *
-+	 * Even if a user was authenticated, it
-+	 * can be member of a guest related group.
-+	 */
-+	status = add_builtin_guests(result, domain_sid);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(3, ("Failed to check for local "
-+			  "Guests membership (%s)\n",
-+			  nt_errstr(status)));
-+		/*
-+		 * This is a hard error.
-+		 */
-+		return status;
-+	}
-+
- 	TALLOC_FREE(info);
- 
- 	/* Deal with local groups */
--- 
-2.17.0
-
-
-From 02ec86b90cc7c293d3086d59a0d349a967375665 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 23:36:03 +0100
-Subject: [PATCH 10/21] s3:auth: don't try to expand system or anonymous tokens
- in finalize_local_nt_token()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6)
-(cherry picked from commit ecee9453a6ef611763d11e88e2ecf212f065a86c)
----
- source3/auth/token_util.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index 30f2f8d346b..6ebfa54126b 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 	struct acct_info *info;
- 	bool ok;
- 
-+	result->privilege_mask = 0;
-+	result->rights_mask = 0;
-+
-+	if (result->num_sids == 0) {
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
- 	/* Add in BUILTIN sids */
- 
- 	status = add_sid_to_array(result, &global_sid_World,
-@@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		return status;
- 	}
- 
-+	/*
-+	 * Don't expand nested groups of system, anonymous etc
-+	 *
-+	 * Note that they still get SID_WORLD and SID_NETWORK
-+	 * for now in order let existing tests pass.
-+	 *
-+	 * But SYSTEM doesn't get AUTHENTICATED_USERS
-+	 * and ANONYMOUS doesn't get BUILTIN GUESTS anymore.
-+	 */
-+	if (security_token_is_anonymous(result)) {
-+		return NT_STATUS_OK;
-+	}
-+	if (security_token_is_system(result)) {
-+		result->privilege_mask = ~0;
-+		return NT_STATUS_OK;
-+	}
-+
- 	if (!is_guest) {
- 		status = add_sid_to_array(result,
- 					  &global_sid_Authenticated_Users,
--- 
-2.17.0
-
-
-From e243c00682b4e3b82f5cdddf7079d6dadb5f2e68 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 23:40:10 +0100
-Subject: [PATCH 11/21] s3:auth: pass AUTH_SESSION_INFO_* flags to
- finalize_local_nt_token()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b)
-(cherry picked from commit 627a86bf2d516e256701f50473d0cdfd15d7eecc)
----
- source3/auth/token_util.c | 58 ++++++++++++++++++++++++++-------------
- 1 file changed, 39 insertions(+), 19 deletions(-)
-
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index 6ebfa54126b..acb916ab55c 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token,
- static NTSTATUS add_local_groups(struct security_token *result,
- 				 bool is_guest);
- static NTSTATUS finalize_local_nt_token(struct security_token *result,
--					bool is_guest);
-+					uint32_t session_info_flags);
- 
- NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
- 				      const struct extra_auth_info *extra,
-@@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
- 					  struct security_token **ntok)
- {
- 	struct security_token *usrtok = NULL;
-+	uint32_t session_info_flags = 0;
- 	NTSTATUS status;
- 	int i;
- 
-@@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
- 		return status;
- 	}
- 
--	status = finalize_local_nt_token(usrtok, is_guest);
-+	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-+	if (!is_guest) {
-+		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-+	}
-+
-+	status = finalize_local_nt_token(usrtok, session_info_flags);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		DEBUG(3, ("Failed to finalize nt token\n"));
- 		TALLOC_FREE(usrtok);
-@@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- 	struct security_token *result = NULL;
- 	int i;
- 	NTSTATUS status;
-+	uint32_t session_info_flags = 0;
- 
- 	DEBUG(10, ("Create local NT token for %s\n",
- 		   sid_string_dbg(user_sid)));
-@@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- 		return NULL;
- 	}
- 
--	status = finalize_local_nt_token(result, is_guest);
-+	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-+	if (!is_guest) {
-+		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-+	}
-+
-+	status = finalize_local_nt_token(result, session_info_flags);
- 	if (!NT_STATUS_IS_OK(status)) {
- 		TALLOC_FREE(result);
- 		return NULL;
-@@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result,
- }
- 
- static NTSTATUS finalize_local_nt_token(struct security_token *result,
--					bool is_guest)
-+					uint32_t session_info_flags)
- {
- 	struct dom_sid _dom_sid = { 0, };
- 	struct dom_sid *domain_sid = NULL;
-@@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		return NT_STATUS_INVALID_TOKEN;
- 	}
- 
--	/* Add in BUILTIN sids */
--
--	status = add_sid_to_array(result, &global_sid_World,
--				  &result->sids, &result->num_sids);
--	if (!NT_STATUS_IS_OK(status)) {
--		return status;
--	}
--	status = add_sid_to_array(result, &global_sid_Network,
--				  &result->sids, &result->num_sids);
--	if (!NT_STATUS_IS_OK(status)) {
--		return status;
-+	if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
-+		status = add_sid_to_array(result, &global_sid_World,
-+					  &result->sids, &result->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			return status;
-+		}
-+		status = add_sid_to_array(result, &global_sid_Network,
-+					  &result->sids, &result->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			return status;
-+		}
- 	}
- 
- 	/*
-@@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		return NT_STATUS_OK;
- 	}
- 
--	if (!is_guest) {
-+	if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
- 		status = add_sid_to_array(result,
- 					  &global_sid_Authenticated_Users,
- 					  &result->sids,
-@@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		}
- 	}
- 
-+	/* Add in BUILTIN sids */
-+
- 	become_root();
- 	ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
- 	if (ok) {
-@@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
- 		unbecome_root();
- 	}
- 
--	/* Add privileges based on current user sids */
- 
--	get_privileges_for_sids(&result->privilege_mask, result->sids,
--				result->num_sids);
-+	if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
-+		if (security_token_has_builtin_administrators(result)) {
-+			result->privilege_mask = ~0;
-+		}
-+	} else {
-+		/* Add privileges based on current user sids */
-+		get_privileges_for_sids(&result->privilege_mask, result->sids,
-+					result->num_sids);
-+	}
- 
- 	return NT_STATUS_OK;
- }
--- 
-2.17.0
-
-
-From d97bfd5d7ecc48f6781161397928d9094d95dae1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 23:45:30 +0100
-Subject: [PATCH 12/21] s3:auth: remove static from finalize_local_nt_token()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870)
-(cherry picked from commit 8b5253e5d4c79265a9c35955f83407a0c11a76d1)
----
- source3/auth/proto.h      | 2 ++
- source3/auth/token_util.c | 6 ++----
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 3942815e467..d3403f1a929 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -359,6 +359,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
- 					    bool is_guest,
- 					    int num_groupsids,
- 					    const struct dom_sid *groupsids);
-+NTSTATUS finalize_local_nt_token(struct security_token *result,
-+				 uint32_t session_info_flags);
- NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
- 				      const struct extra_auth_info *extra,
- 				      struct dom_sid *sid);
-diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
-index acb916ab55c..f015f8d2cd5 100644
---- a/source3/auth/token_util.c
-+++ b/source3/auth/token_util.c
-@@ -281,8 +281,6 @@ static NTSTATUS add_builtin_guests(struct security_token *token,
- 
- static NTSTATUS add_local_groups(struct security_token *result,
- 				 bool is_guest);
--static NTSTATUS finalize_local_nt_token(struct security_token *result,
--					uint32_t session_info_flags);
- 
- NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
- 				      const struct extra_auth_info *extra,
-@@ -616,8 +614,8 @@ static NTSTATUS add_local_groups(struct security_token *result,
- 	return NT_STATUS_OK;
- }
- 
--static NTSTATUS finalize_local_nt_token(struct security_token *result,
--					uint32_t session_info_flags)
-+NTSTATUS finalize_local_nt_token(struct security_token *result,
-+				 uint32_t session_info_flags)
- {
- 	struct dom_sid _dom_sid = { 0, };
- 	struct dom_sid *domain_sid = NULL;
--- 
-2.17.0
-
-
-From 424de089a89f226854e159c1ce0bab3dc2eb8eaf Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 6 Mar 2018 16:38:10 +0100
-Subject: [PATCH 13/21] auth: add auth_user_info_copy() function
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb)
-(cherry picked from commit 104de61756e6b098985c3a599a3ccf62cbbe7299)
----
- auth/auth_sam_reply.c | 35 +++++++++++++++++++++++++++++++++++
- auth/auth_sam_reply.h |  3 +++
- 2 files changed, 38 insertions(+)
-
-diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
-index 15d17b0745e..bd695151dc0 100644
---- a/auth/auth_sam_reply.c
-+++ b/auth/auth_sam_reply.c
-@@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
- 	return NT_STATUS_OK;
- }
- 
-+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
-+					   const struct auth_user_info *src)
-+{
-+	struct auth_user_info *dst = NULL;
-+
-+	dst = talloc_zero(mem_ctx, struct auth_user_info);
-+	if (dst == NULL) {
-+		return NULL;
-+	}
-+
-+	*dst = *src;
-+#define _COPY_STRING(_mem, _str) do { \
-+	if ((_str) != NULL) { \
-+		(_str) = talloc_strdup((_mem), (_str)); \
-+		if ((_str) == NULL) { \
-+			TALLOC_FREE(dst); \
-+			return NULL; \
-+		} \
-+	} \
-+} while(0)
-+	_COPY_STRING(dst, dst->account_name);
-+	_COPY_STRING(dst, dst->user_principal_name);
-+	_COPY_STRING(dst, dst->domain_name);
-+	_COPY_STRING(dst, dst->dns_domain_name);
-+	_COPY_STRING(dst, dst->full_name);
-+	_COPY_STRING(dst, dst->logon_script);
-+	_COPY_STRING(dst, dst->profile_path);
-+	_COPY_STRING(dst, dst->home_directory);
-+	_COPY_STRING(dst, dst->home_drive);
-+	_COPY_STRING(dst, dst->logon_server);
-+#undef _COPY_STRING
-+
-+	return dst;
-+}
-+
- /**
-  * Make a user_info_dc struct from the info3 returned by a domain logon
-  */
-diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
-index 4aa3096c889..e4b26e961d7 100644
---- a/auth/auth_sam_reply.h
-+++ b/auth/auth_sam_reply.h
-@@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
- 				    bool authenticated,
- 				    struct auth_user_info **_user_info);
- 
-+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
-+					   const struct auth_user_info *src);
-+
- NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
- 					   const struct auth_user_info_dc *user_info_dc,
- 					   struct netr_SamInfo6 **_sam6);
--- 
-2.17.0
-
-
-From 417e52e67a662903ee0585371bcb9507fe6f8d87 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Mar 2018 00:21:13 +0100
-Subject: [PATCH 14/21] s3:auth: add auth3_user_info_dc_add_hints() and
- auth3_session_info_create()
-
-These functions make it possible to construct a full auth_session_info
-from the information available from an auth_user_info_dc structure.
-
-This has all the logic from create_local_token() that is used
-to transform a auth_serversupplied_info to a full auth_session_info.
-
-In order to workarround the restriction that auth_user_info_dc
-doesn't contain hints for the unix token/name, we use
-the special S-1-5-88 (Unix_NFS) sids:
-
- - S-1-5-88-1-Y gives the uid=Y
- - S-1-5-88-2-Y gives the gid=Y
- - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*
-
-The currently implemented flags are:
-
-- AUTH3_UNIX_HINT_QUALIFIED_NAME
-  unix_name = DOMAIN+ACCOUNT
-
-- AUTH3_UNIX_HINT_ISLOLATED_NAME
-  unix_name = ACCOUNT
-
-- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
-  Don't translate the nt token SIDS into uid/gids
-  using sid mapping.
-
-- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
-  Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
-
-- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
-  The unix token won't get expanded gid values
-  from getgroups_unix_user()
-
-By using the hints it is possible to keep the current logic
-where an authentication backend provides uid/gid values and
-the unix name.
-
-Note the S-1-5-88-* SIDS never appear in the final security_token.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3)
-(cherry picked from commit b8c518d57fc32f8daffb0d4798dc8f5de17c0150)
----
- source3/auth/auth_util.c | 552 +++++++++++++++++++++++++++++++++++++++
- source3/auth/proto.h     |  32 +++
- 2 files changed, 584 insertions(+)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 2aa40388d14..9d6e8020d77 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -692,6 +692,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- 	return NT_STATUS_OK;
- }
- 
-+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
-+				      uid_t uid,
-+				      gid_t gid,
-+				      uint32_t flags)
-+{
-+	uint32_t orig_num_sids = user_info_dc->num_sids;
-+	struct dom_sid tmp_sid = { 0, };
-+	NTSTATUS status;
-+
-+	/*
-+	 * We add S-5-88-1-X in order to pass the uid
-+	 * for the unix token.
-+	 */
-+	sid_compose(&tmp_sid,
-+		    &global_sid_Unix_NFS_Users,
-+		    (uint32_t)uid);
-+	status = add_sid_to_array_unique(user_info_dc->sids,
-+					 &tmp_sid,
-+					 &user_info_dc->sids,
-+					 &user_info_dc->num_sids);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
-+			  nt_errstr(status)));
-+		goto fail;
-+	}
-+
-+	/*
-+	 * We add S-5-88-2-X in order to pass the gid
-+	 * for the unix token.
-+	 */
-+	sid_compose(&tmp_sid,
-+		    &global_sid_Unix_NFS_Groups,
-+		    (uint32_t)gid);
-+	status = add_sid_to_array_unique(user_info_dc->sids,
-+					 &tmp_sid,
-+					 &user_info_dc->sids,
-+					 &user_info_dc->num_sids);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
-+			  nt_errstr(status)));
-+		goto fail;
-+	}
-+
-+	/*
-+	 * We add S-5-88-3-X in order to pass some flags
-+	 * (AUTH3_UNIX_HINT_*) to auth3_create_session_info().
-+	 */
-+	sid_compose(&tmp_sid,
-+		    &global_sid_Unix_NFS_Mode,
-+		    flags);
-+	status = add_sid_to_array_unique(user_info_dc->sids,
-+					 &tmp_sid,
-+					 &user_info_dc->sids,
-+					 &user_info_dc->num_sids);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
-+			  nt_errstr(status)));
-+		goto fail;
-+	}
-+
-+	return NT_STATUS_OK;
-+
-+fail:
-+	user_info_dc->num_sids = orig_num_sids;
-+	return status;
-+}
-+
-+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx,
-+				   const struct auth_user_info_dc *user_info_dc,
-+				   const char *original_user_name,
-+				   uint32_t session_info_flags,
-+				   struct auth_session_info **session_info_out)
-+{
-+	TALLOC_CTX *frame = talloc_stackframe();
-+	struct auth_session_info *session_info = NULL;
-+	uid_t hint_uid = -1;
-+	bool found_hint_uid = false;
-+	uid_t hint_gid = -1;
-+	bool found_hint_gid = false;
-+	uint32_t hint_flags = 0;
-+	bool found_hint_flags = false;
-+	bool need_getpwuid = false;
-+	struct unixid *ids = NULL;
-+	uint32_t num_gids = 0;
-+	gid_t *gids = NULL;
-+	struct dom_sid tmp_sid = { 0, };
-+	fstring tmp = { 0, };
-+	NTSTATUS status;
-+	size_t i;
-+	bool ok;
-+
-+	*session_info_out = NULL;
-+
-+	if (user_info_dc->num_sids == 0) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
-+	if (user_info_dc->info == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
-+	if (user_info_dc->info->account_name == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
-+	session_info = talloc_zero(mem_ctx, struct auth_session_info);
-+	if (session_info == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+	/* keep this under frame for easier cleanup */
-+	talloc_reparent(mem_ctx, frame, session_info);
-+
-+	session_info->info = auth_user_info_copy(session_info,
-+						 user_info_dc->info);
-+	if (session_info->info == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	session_info->security_token = talloc_zero(session_info,
-+						   struct security_token);
-+	if (session_info->security_token == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	/*
-+	 * Avoid a lot of reallocations and allocate what we'll
-+	 * use in most cases.
-+	 */
-+	session_info->security_token->sids = talloc_zero_array(
-+						session_info->security_token,
-+						struct dom_sid,
-+						user_info_dc->num_sids);
-+	if (session_info->security_token->sids == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) {
-+		struct security_token *nt_token = session_info->security_token;
-+		int cmp;
-+
-+		/*
-+		 * S-1-5-88-X-Y sids are only used to give hints
-+		 * to the unix token construction.
-+		 *
-+		 * S-1-5-88-1-Y gives the uid=Y
-+		 * S-1-5-88-2-Y gives the gid=Y
-+		 * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_*
-+		 */
-+		cmp = dom_sid_compare_domain(&global_sid_Unix_NFS,
-+					     &user_info_dc->sids[i]);
-+		if (cmp == 0) {
-+			bool match;
-+			uint32_t hint = 0;
-+
-+			match = sid_peek_rid(&user_info_dc->sids[i], &hint);
-+			if (!match) {
-+				continue;
-+			}
-+
-+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Users,
-+						  &user_info_dc->sids[i]);
-+			if (match) {
-+				if (found_hint_uid) {
-+					TALLOC_FREE(frame);
-+					return NT_STATUS_INVALID_TOKEN;
-+				}
-+				found_hint_uid = true;
-+				hint_uid = (uid_t)hint;
-+				continue;
-+			}
-+
-+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups,
-+						  &user_info_dc->sids[i]);
-+			if (match) {
-+				if (found_hint_gid) {
-+					TALLOC_FREE(frame);
-+					return NT_STATUS_INVALID_TOKEN;
-+				}
-+				found_hint_gid = true;
-+				hint_gid = (gid_t)hint;
-+				continue;
-+			}
-+
-+			match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode,
-+						  &user_info_dc->sids[i]);
-+			if (match) {
-+				if (found_hint_flags) {
-+					TALLOC_FREE(frame);
-+					return NT_STATUS_INVALID_TOKEN;
-+				}
-+				found_hint_flags = true;
-+				hint_flags = hint;
-+				continue;
-+			}
-+
-+			continue;
-+		}
-+
-+		status = add_sid_to_array_unique(nt_token->sids,
-+						 &user_info_dc->sids[i],
-+						 &nt_token->sids,
-+						 &nt_token->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			TALLOC_FREE(frame);
-+			return status;
-+		}
-+	}
-+
-+	/*
-+	 * We need at least one usable SID
-+	 */
-+	if (session_info->security_token->num_sids == 0) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
-+	/*
-+	 * We need all tree hints: uid, gid, flags
-+	 * or none of them.
-+	 */
-+	if (found_hint_uid || found_hint_gid || found_hint_flags) {
-+		if (!found_hint_uid) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_INVALID_TOKEN;
-+		}
-+
-+		if (!found_hint_gid) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_INVALID_TOKEN;
-+		}
-+
-+		if (!found_hint_flags) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_INVALID_TOKEN;
-+		}
-+	}
-+
-+	if (session_info->info->authenticated) {
-+		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-+	}
-+
-+	status = finalize_local_nt_token(session_info->security_token,
-+					 session_info_flags);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		TALLOC_FREE(frame);
-+		return status;
-+	}
-+
-+	/*
-+	 * unless set otherwise, the session key is the user session
-+	 * key from the auth subsystem
-+	 */
-+	if (user_info_dc->user_session_key.length != 0) {
-+		session_info->session_key = data_blob_dup_talloc(session_info,
-+						user_info_dc->user_session_key);
-+		if (session_info->session_key.data == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	}
-+
-+	if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) {
-+		goto done;
-+	}
-+
-+	session_info->unix_token = talloc_zero(session_info, struct security_unix_token);
-+	if (session_info->unix_token == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+	session_info->unix_token->uid = -1;
-+	session_info->unix_token->gid = -1;
-+
-+	session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix);
-+	if (session_info->unix_info == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	/* Convert the SIDs to uid/gids. */
-+
-+	ids = talloc_zero_array(frame, struct unixid,
-+				session_info->security_token->num_sids);
-+	if (ids == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	if (!(hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS)) {
-+		ok = sids_to_unixids(session_info->security_token->sids,
-+				     session_info->security_token->num_sids,
-+				     ids);
-+		if (!ok) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	}
-+
-+	if (found_hint_uid) {
-+		session_info->unix_token->uid = hint_uid;
-+	} else if (ids[0].type == ID_TYPE_UID) {
-+		/*
-+		 * The primary SID resolves to a UID only.
-+		 */
-+		session_info->unix_token->uid = ids[0].id;
-+	} else if (ids[0].type == ID_TYPE_BOTH) {
-+		/*
-+		 * The primary SID resolves to a UID and GID,
-+		 * use it as uid and add it as first element
-+		 * to the groups array.
-+		 */
-+		session_info->unix_token->uid = ids[0].id;
-+
-+		ok = add_gid_to_array_unique(session_info->unix_token,
-+					     session_info->unix_token->uid,
-+					     &session_info->unix_token->groups,
-+					     &session_info->unix_token->ngroups);
-+		if (!ok) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	} else {
-+		/*
-+		 * It we can't get a uid, we can't imporsonate
-+		 * the user.
-+		 */
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_INVALID_TOKEN;
-+	}
-+
-+	if (found_hint_gid) {
-+		session_info->unix_token->gid = hint_gid;
-+	} else {
-+		need_getpwuid = true;
-+	}
-+
-+	if (hint_flags & AUTH3_UNIX_HINT_QUALIFIED_NAME) {
-+		session_info->unix_info->unix_name =
-+			talloc_asprintf(session_info->unix_info,
-+					"%s%c%s",
-+					session_info->info->domain_name,
-+					*lp_winbind_separator(),
-+					session_info->info->account_name);
-+		if (session_info->unix_info->unix_name == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	} else if (hint_flags & AUTH3_UNIX_HINT_ISLOLATED_NAME) {
-+		session_info->unix_info->unix_name =
-+			talloc_strdup(session_info->unix_info,
-+				      session_info->info->account_name);
-+		if (session_info->unix_info->unix_name == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	} else {
-+		need_getpwuid = true;
-+	}
-+
-+	if (need_getpwuid) {
-+		struct passwd *pwd = NULL;
-+
-+		/*
-+		 * Ask the system for the primary gid
-+		 * and the real unix name.
-+		 */
-+		pwd = getpwuid_alloc(frame, session_info->unix_token->uid);
-+		if (pwd == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_INVALID_TOKEN;
-+		}
-+		if (!found_hint_gid) {
-+			session_info->unix_token->gid = pwd->pw_gid;
-+		}
-+
-+		session_info->unix_info->unix_name =
-+			talloc_strdup(session_info->unix_info, pwd->pw_name);
-+		if (session_info->unix_info->unix_name == NULL) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+
-+		TALLOC_FREE(pwd);
-+	}
-+
-+	ok = add_gid_to_array_unique(session_info->unix_token,
-+				     session_info->unix_token->gid,
-+				     &session_info->unix_token->groups,
-+				     &session_info->unix_token->ngroups);
-+	if (!ok) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	/* This is a potentially untrusted username for use in %U */
-+	alpha_strcpy(tmp, original_user_name, ". _-$", sizeof(tmp));
-+	session_info->unix_info->sanitized_username =
-+				talloc_strdup(session_info->unix_info, tmp);
-+	if (session_info->unix_info->sanitized_username == NULL) {
-+		TALLOC_FREE(frame);
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	for (i=0; i < session_info->security_token->num_sids; i++) {
-+
-+		if (ids[i].type != ID_TYPE_GID &&
-+		    ids[i].type != ID_TYPE_BOTH) {
-+			struct security_token *nt_token =
-+				session_info->security_token;
-+
-+			DEBUG(10, ("Could not convert SID %s to gid, "
-+				   "ignoring it\n",
-+				   sid_string_dbg(&nt_token->sids[i])));
-+			continue;
-+		}
-+
-+		ok = add_gid_to_array_unique(session_info->unix_token,
-+					     ids[i].id,
-+					     &session_info->unix_token->groups,
-+					     &session_info->unix_token->ngroups);
-+		if (!ok) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	}
-+	TALLOC_FREE(ids);
-+
-+	/*
-+	 * Now we must get any groups this user has been
-+	 * added to in /etc/group and merge them in.
-+	 * This has to be done in every code path
-+	 * that creates an NT token, as remote users
-+	 * may have been added to the local /etc/group
-+	 * database. Tokens created merely from the
-+	 * info3 structs (via the DC or via the krb5 PAC)
-+	 * won't have these local groups. Note the
-+	 * groups added here will only be UNIX groups
-+	 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
-+	 * turns off winbindd before calling getgroups().
-+	 *
-+	 * NB. This is duplicating work already
-+	 * done in the 'unix_user:' case of
-+	 * create_token_from_sid() but won't
-+	 * do anything other than be inefficient
-+	 * in that case.
-+	 */
-+	if (!(hint_flags & AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS)) {
-+		ok = getgroups_unix_user(frame,
-+					 session_info->unix_info->unix_name,
-+					 session_info->unix_token->gid,
-+					 &gids, &num_gids);
-+		if (!ok) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_INVALID_TOKEN;
-+		}
-+	}
-+
-+	for (i=0; i < num_gids; i++) {
-+
-+		ok = add_gid_to_array_unique(session_info->unix_token,
-+					     gids[i],
-+					     &session_info->unix_token->groups,
-+					     &session_info->unix_token->ngroups);
-+		if (!ok) {
-+			TALLOC_FREE(frame);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+	}
-+	TALLOC_FREE(gids);
-+
-+	if (hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS) {
-+		/*
-+		 * We should not translate the unix token uid/gids
-+		 * to S-1-22-X-Y SIDs.
-+		 */
-+		goto done;
-+	}
-+
-+	/*
-+	 * Add the "Unix Group" SID for each gid to catch mapped groups
-+	 * and their Unix equivalent.  This is to solve the backwards
-+	 * compatibility problem of 'valid users = +ntadmin' where
-+	 * ntadmin has been paired with "Domain Admins" in the group
-+	 * mapping table.  Otherwise smb.conf would need to be changed
-+	 * to 'valid user = "Domain Admins"'.  --jerry
-+	 *
-+	 * For consistency we also add the "Unix User" SID,
-+	 * so that the complete unix token is represented within
-+	 * the nt token.
-+	 */
-+
-+	uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid);
-+	status = add_sid_to_array_unique(session_info->security_token, &tmp_sid,
-+					 &session_info->security_token->sids,
-+					 &session_info->security_token->num_sids);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		TALLOC_FREE(frame);
-+		return status;
-+	}
-+
-+	gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid);
-+	status = add_sid_to_array_unique(session_info->security_token, &tmp_sid,
-+					 &session_info->security_token->sids,
-+					 &session_info->security_token->num_sids);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		TALLOC_FREE(frame);
-+		return status;
-+	}
-+
-+	for (i=0; i < session_info->unix_token->ngroups; i++ ) {
-+		struct security_token *nt_token = session_info->security_token;
-+
-+		gid_to_unix_groups_sid(session_info->unix_token->groups[i],
-+				       &tmp_sid);
-+		status = add_sid_to_array_unique(nt_token->sids,
-+						 &tmp_sid,
-+						 &nt_token->sids,
-+						 &nt_token->num_sids);
-+		if (!NT_STATUS_IS_OK(status)) {
-+			TALLOC_FREE(frame);
-+			return status;
-+		}
-+	}
-+
-+done:
-+	security_token_debug(DBGC_AUTH, 10, session_info->security_token);
-+	if (session_info->unix_token != NULL) {
-+		debug_unix_user_token(DBGC_AUTH, 10,
-+				      session_info->unix_token->uid,
-+				      session_info->unix_token->gid,
-+				      session_info->unix_token->ngroups,
-+				      session_info->unix_token->groups);
-+	}
-+
-+	status = log_nt_token(session_info->security_token);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		TALLOC_FREE(frame);
-+		return status;
-+	}
-+
-+	*session_info_out = talloc_move(mem_ctx, &session_info);
-+	TALLOC_FREE(frame);
-+	return NT_STATUS_OK;
-+}
-+
- /***************************************************************************
-  Make (and fill) a server_info struct from a 'struct passwd' by conversion
-  to a struct samu
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index d3403f1a929..84e20093218 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -225,6 +225,38 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- 			    DATA_BLOB *session_key,
- 			    const char *smb_name,
- 			    struct auth_session_info **session_info_out);
-+
-+/*
-+ * The unix name should be constructed as DOMAIN+ACCOUNT,
-+ * while '+' will be the "winbind separator" character.
-+ */
-+#define AUTH3_UNIX_HINT_QUALIFIED_NAME             0x00000001
-+/*
-+ * The unix name will be just ACCOUNT
-+ */
-+#define AUTH3_UNIX_HINT_ISLOLATED_NAME             0x00000002
-+/*
-+ * Don't translate the nt token SIDS into uid/gids
-+ */
-+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS   0x00000004
-+/*
-+ * Don't translate the unix token uid/gids to S-1-22-X-Y SIDS
-+ */
-+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS     0x00000008
-+/*
-+ * The unix token won't get expanded gid values
-+ * from getgroups_unix_user()
-+ */
-+#define AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS    0x00000010
-+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
-+				      uid_t uid,
-+				      gid_t gid,
-+				      uint32_t flags);
-+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx,
-+				   const struct auth_user_info_dc *user_info_dc,
-+				   const char *original_user_name,
-+				   uint32_t session_info_flags,
-+				   struct auth_session_info **session_info_out);
- NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
- 				    bool is_guest,
- 				    uid_t *uid, gid_t *gid,
--- 
-2.17.0
-
-
-From 92c6d4d81f801cced97adce4e5a054d226876607 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 7 Mar 2018 00:51:51 +0100
-Subject: [PATCH 15/21] s3:auth: base make_new_session_info_system() on
- auth_system_user_info_dc() and auth3_create_session_info()
-
-The changes in the resulting token look like this:
-
-           unix_token               : *
-               unix_token: struct security_unix_token
-                   uid                      : 0x0000000000000000 (0)
-                   gid                      : 0x0000000000000000 (0)
--                  ngroups                  : 0x00000000 (0)
--                  groups: ARRAY(0)
-+                  ngroups                  : 0x00000001 (1)
-+                  groups: ARRAY(1)
-+                      groups                   : 0x0000000000000000 (0)
-
-...
-
-                   domain_name              : *
-                       domain_name              : 'NT AUTHORITY'
-                   dns_domain_name          : NULL
--                  full_name                : NULL
--                  logon_script             : NULL
--                  profile_path             : NULL
--                  home_directory           : NULL
--                  home_drive               : NULL
--                  logon_server             : NULL
-+                  full_name                : *
-+                      full_name                : 'System'
-+                  logon_script             : *
-+                      logon_script             : ''
-+                  profile_path             : *
-+                      profile_path             : ''
-+                  home_directory           : *
-+                      home_directory           : ''
-+                  home_drive               : *
-+                      home_drive               : ''
-+                  logon_server             : *
-+                      logon_server             : 'SLOWSERVER'
-                   last_logon               : NTTIME(0)
-                   last_logoff              : NTTIME(0)
-                   acct_expiry              : NTTIME(0)
-                   last_password_change     : NTTIME(0)
-                   allow_password_change    : NTTIME(0)
-                   force_password_change    : NTTIME(0)
-                   logon_count              : 0x0000 (0)
-                   bad_password_count       : 0x0000 (0)
--                  acct_flags               : 0x00000000 (0)
-+                  acct_flags               : 0x00000010 (16)
-                   authenticated            : 0x01 (1)
-           unix_info                : *
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4)
-(cherry picked from commit 19026525a2b649f282bb11d55ae1eb5807fc4a3a)
----
- source3/auth/auth_util.c | 123 ++++++++++++++-------------------------
- 1 file changed, 43 insertions(+), 80 deletions(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 9d6e8020d77..7fc3da22317 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -36,6 +36,7 @@
- #include "../librpc/gen_ndr/idmap.h"
- #include "lib/param/loadparm.h"
- #include "../lib/tsocket/tsocket.h"
-+#include "source4/auth/auth.h"
- 
- #undef DBGC_CLASS
- #define DBGC_CLASS DBGC_AUTH
-@@ -1295,31 +1296,6 @@ done:
- 	return status;
- }
- 
--static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
--				 struct netr_SamInfo3 *info3)
--{
--	NTSTATUS status;
--
--	/* Set account name */
--	init_lsa_String(&info3->base.account_name, "SYSTEM");
--
--	/* Set domain name */
--	init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY");
--
--
--	status = dom_sid_split_rid(mem_ctx, &global_sid_System,
--				   &info3->base.domain_sid,
--				   &info3->base.rid);
--	if (!NT_STATUS_IS_OK(status)) {
--		return status;
--	}
--
--	/* Primary gid is the same */
--	info3->base.primary_gid = info3->base.rid;
--
--	return NT_STATUS_OK;
--}
--
- static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
- 				struct netr_SamInfo3 *info3)
- {
-@@ -1448,80 +1424,67 @@ done:
- static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
- 					    struct auth_session_info **session_info)
- {
-+	TALLOC_CTX *frame = talloc_stackframe();
-+	struct auth_user_info_dc *user_info_dc = NULL;
-+	uid_t uid = -1;
-+	gid_t gid = -1;
-+	uint32_t hint_flags = 0;
-+	uint32_t session_info_flags = 0;
- 	NTSTATUS status;
--	struct auth_serversupplied_info *server_info;
--	TALLOC_CTX *tmp_ctx;
--
--	tmp_ctx = talloc_stackframe();
--	if (tmp_ctx == NULL) {
--		return NT_STATUS_NO_MEMORY;
--	}
--
--	server_info = make_server_info(tmp_ctx);
--	if (!server_info) {
--		status = NT_STATUS_NO_MEMORY;
--		DEBUG(0, ("failed making server_info\n"));
--		goto done;
--	}
- 
--	server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3);
--	if (!server_info->info3) {
--		status = NT_STATUS_NO_MEMORY;
--		DEBUG(0, ("talloc failed setting info3\n"));
--		goto done;
--	}
--
--	status = get_system_info3(server_info, server_info->info3);
-+	status = auth_system_user_info_dc(frame, lp_netbios_name(),
-+					  &user_info_dc);
- 	if (!NT_STATUS_IS_OK(status)) {
--		DEBUG(0, ("Failed creating system info3 with %s\n",
-+		DEBUG(0, ("auth_system_user_info_dc failed: %s\n",
- 			  nt_errstr(status)));
- 		goto done;
- 	}
- 
--	server_info->utok.uid = sec_initial_uid();
--	server_info->utok.gid = sec_initial_gid();
--	server_info->unix_name = talloc_asprintf(server_info,
--						 "NT AUTHORITY%cSYSTEM",
--						 *lp_winbind_separator());
--
--	if (!server_info->unix_name) {
--		status = NT_STATUS_NO_MEMORY;
--		DEBUG(0, ("talloc_asprintf failed setting unix_name\n"));
--		goto done;
--	}
-+	/*
-+	 * Just get the initial uid/gid
-+	 * and don't expand the unix groups.
-+	 */
-+	uid = sec_initial_uid();
-+	gid = sec_initial_gid();
-+	hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS;
- 
--	server_info->security_token = talloc_zero(server_info, struct security_token);
--	if (!server_info->security_token) {
--		status = NT_STATUS_NO_MEMORY;
--		DEBUG(0, ("talloc failed setting security token\n"));
--		goto done;
--	}
-+	/*
-+	 * Also avoid sid mapping to gids,
-+	 * as well as adding the unix_token uid/gids as
-+	 * S-1-22-X-Y SIDs to the nt token.
-+	 */
-+	hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS;
-+	hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS;
- 
--	status = add_sid_to_array_unique(server_info->security_token->sids,
--					 &global_sid_System,
--					 &server_info->security_token->sids,
--					 &server_info->security_token->num_sids);
-+	/*
-+	 * The unix name will be "NT AUTHORITY+SYSTEM",
-+	 * where '+' is the "winbind separator" character.
-+	 */
-+	hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME;
-+	status = auth3_user_info_dc_add_hints(user_info_dc,
-+					      uid,
-+					      gid,
-+					      hint_flags);
- 	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n",
-+			  nt_errstr(status)));
- 		goto done;
- 	}
- 
--	/* SYSTEM has all privilages */
--	server_info->security_token->privilege_mask = ~0;
--
--	/* Now turn the server_info into a session_info with the full token etc */
--	status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info);
--	talloc_free(server_info);
--
-+	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-+	session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
-+	status = auth3_session_info_create(mem_ctx, user_info_dc,
-+					   user_info_dc->info->account_name,
-+					   session_info_flags,
-+					   session_info);
- 	if (!NT_STATUS_IS_OK(status)) {
--		DEBUG(0, ("create_local_token failed: %s\n",
-+		DEBUG(0, ("auth3_session_info_create failed: %s\n",
- 			  nt_errstr(status)));
- 		goto done;
- 	}
- 
--	talloc_steal(mem_ctx, *session_info);
--
- done:
--	TALLOC_FREE(tmp_ctx);
-+	TALLOC_FREE(frame);
- 	return status;
- }
- 
--- 
-2.17.0
-
-
-From c8e19cd979f18eba054b51664d2206493ed8d5e2 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Mar 2018 17:07:11 +0100
-Subject: [PATCH 16/21] s3:auth: pass the whole auth_session_info from
- copy_session_info_serverinfo_guest() to create_local_token()
-
-We only need to adjust sanitized_username in order to keep the same behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906)
-(cherry picked from commit c3fdc6157377e71cf354fae5b59b823a4ebaa0eb)
----
- source3/auth/auth_util.c | 51 +++++++++++++++++-----------------------
- source3/include/auth.h   |  5 ++--
- 2 files changed, 23 insertions(+), 33 deletions(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index 7fc3da22317..a151ac13724 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -500,6 +500,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- 		return NT_STATUS_LOGON_FAILURE;
- 	}
- 
-+	if (server_info->cached_session_info != NULL) {
-+		session_info = copy_session_info(mem_ctx,
-+				server_info->cached_session_info);
-+		if (session_info == NULL) {
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+
-+		/* This is a potentially untrusted username for use in %U */
-+		alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp));
-+		session_info->unix_info->sanitized_username =
-+				talloc_strdup(session_info->unix_info, tmp);
-+		if (session_info->unix_info->sanitized_username == NULL) {
-+			TALLOC_FREE(session_info);
-+			return NT_STATUS_NO_MEMORY;
-+		}
-+
-+		*session_info_out = session_info;
-+		return NT_STATUS_OK;
-+	}
-+
- 	session_info = talloc_zero(mem_ctx, struct auth_session_info);
- 	if (!session_info) {
- 		return NT_STATUS_NO_MEMORY;
-@@ -554,30 +574,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
- 		return status;
- 	}
- 
--	if (server_info->security_token) {
--		/* Just copy the token, it has already been finalised
--		 * (nasty hack to support a cached guest/system session_info
--		 */
--
--		session_info->security_token = dup_nt_token(session_info, server_info->security_token);
--		if (!session_info->security_token) {
--			TALLOC_FREE(session_info);
--			return NT_STATUS_NO_MEMORY;
--		}
--
--		session_info->unix_token->ngroups = server_info->utok.ngroups;
--		if (server_info->utok.ngroups != 0) {
--			session_info->unix_token->groups = (gid_t *)talloc_memdup(
--				session_info->unix_token, server_info->utok.groups,
--				sizeof(gid_t)*session_info->unix_token->ngroups);
--		} else {
--			session_info->unix_token->groups = NULL;
--		}
--
--		*session_info_out = session_info;
--		return NT_STATUS_OK;
--	}
--
- 	/*
- 	 * If winbind is not around, we can not make much use of the SIDs the
- 	 * domain controller provided us with. Likewise if the user name was
-@@ -1586,12 +1582,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
- 	 * to take the wrong path */
- 	SMB_ASSERT(src->security_token);
- 
--	dst->security_token = dup_nt_token(dst, src->security_token);
--	if (!dst->security_token) {
--		TALLOC_FREE(dst);
--		return NULL;
--	}
--
- 	dst->session_key = data_blob_talloc( dst, src->session_key.data,
- 						src->session_key.length);
- 
-@@ -1612,6 +1602,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
- 		return NULL;
- 	}
- 
-+	dst->cached_session_info = src;
- 	return dst;
- }
- 
-diff --git a/source3/include/auth.h b/source3/include/auth.h
-index d3055373964..31a1f201835 100644
---- a/source3/include/auth.h
-+++ b/source3/include/auth.h
-@@ -34,15 +34,14 @@ struct auth_serversupplied_info {
- 	struct security_unix_token utok;
- 
- 	/*
--	 * NT group information taken from the info3 structure
-+	 * A complete auth_session_info
- 	 *
- 	 * This is not normally filled in, during the typical
- 	 * authentication process.  If filled in, it has already been
- 	 * finalised by a nasty hack to support a cached guest/system
- 	 * session_info
- 	 */
--
--	struct security_token *security_token;
-+	const struct auth_session_info *cached_session_info;
- 
- 	/* These are the intermediate session keys, as provided by a
- 	 * NETLOGON server and used by NTLMSSP to negotiate key
--- 
-2.17.0
-
-
-From 86475067dbe32ea21081d67115035a62b9802e1c Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Mar 2018 14:39:44 +0100
-Subject: [PATCH 17/21] s3:auth: add make_{server,session}_info_anonymous()
-
-It's important to have them separated from make_{server,session}_info_guest(),
-because there's a fundamental difference between anonymous (the client requested
-no authentication) and guest (the server lies about the authentication failure).
-
-The following is the difference between guest and anonymous token:
-
-             security_token: struct security_token
--                num_sids                 : 0x0000000a (10)
--                sids: ARRAY(10)
--                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-501
--                    sids                     : S-1-5-21-3793881525-3372187982-3724979742-514
--                    sids                     : S-1-22-2-65534
--                    sids                     : S-1-22-2-65533
-+                num_sids                 : 0x00000009 (9)
-+                sids: ARRAY(9)
-+                    sids                     : S-1-5-7
-                     sids                     : S-1-1-0
-                     sids                     : S-1-5-2
--                    sids                     : S-1-5-32-546
-                     sids                     : S-1-22-1-65533
-+                    sids                     : S-1-22-2-65534
-+                    sids                     : S-1-22-2-100004
-                     sids                     : S-1-22-2-100002
-                     sids                     : S-1-22-2-100003
-+                    sids                     : S-1-22-2-65533
-                 privilege_mask           : 0x0000000000000000 (0)
-
-...
-
-         unix_token               : *
-             unix_token: struct security_unix_token
-                 uid                      : 0x000000000000fffd (65533)
-                 gid                      : 0x000000000000fffe (65534)
--                ngroups                  : 0x00000004 (4)
--                groups: ARRAY(4)
-+                ngroups                  : 0x00000005 (5)
-+                groups: ARRAY(5)
-                     groups                   : 0x000000000000fffe (65534)
--                    groups                   : 0x000000000000fffd (65533)
-+                    groups                   : 0x00000000000186a4 (100004)
-                     groups                   : 0x00000000000186a2 (100002)
-                     groups                   : 0x00000000000186a3 (100003)
-+                    groups                   : 0x000000000000fffd (65533)
-
-             info: struct auth_user_info
-                 account_name             : *
--                    account_name             : 'nobody'
-+                    account_name             : 'ANONYMOUS LOGON'
-                 user_principal_name      : NULL
-                 user_principal_constructed: 0x00 (0)
-                 domain_name              : *
--                    domain_name              : 'SAMBA-TEST'
-+                    domain_name              : 'NT AUTHORITY'
-                 dns_domain_name          : NULL
--                full_name                : NULL
--                logon_script             : NULL
--                profile_path             : NULL
--                home_directory           : NULL
--                home_drive               : NULL
--                logon_server             : NULL
-+                full_name                : *
-+                    full_name                : 'Anonymous Logon'
-+                logon_script             : *
-+                    logon_script             : ''
-+                profile_path             : *
-+                    profile_path             : ''
-+                home_directory           : *
-+                    home_directory           : ''
-+                home_drive               : *
-+                    home_drive               : ''
-+                logon_server             : *
-+                    logon_server             : 'LOCALNT4DC2'
-                 last_logon               : NTTIME(0)
-                 last_logoff              : NTTIME(0)
-                 acct_expiry              : NTTIME(0)
-                 last_password_change     : NTTIME(0)
-                 allow_password_change    : NTTIME(0)
-                 force_password_change    : NTTIME(0)
-                 logon_count              : 0x0000 (0)
-                 bad_password_count       : 0x0000 (0)
--                acct_flags               : 0x00000000 (0)
-+                acct_flags               : 0x00000010 (16)
-                 authenticated            : 0x00 (0)
-             security_token: struct security_token
-                 num_sids                 : 0x00000006 (6)
-                 sids: ARRAY(6)
-+                    sids                     : S-1-5-7
-+                    sids                     : S-1-1-0
-+                    sids                     : S-1-5-2
-                     sids                     : S-1-22-1-65533
-                     sids                     : S-1-22-2-65534
-                     sids                     : S-1-22-2-65533
--                    sids                     : S-1-1-0
--                    sids                     : S-1-5-2
--                    sids                     : S-1-5-32-546
-                 privilege_mask           : 0x0000000000000000 (0)
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-(similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d)
-
-(cherry picked from commit 8f69498ab6fa85dc3d23a1453224a654a9bedead)
----
- source3/auth/auth_util.c | 143 ++++++++++++++++++++++++++++++++++++++-
- source3/auth/proto.h     |   4 ++
- 2 files changed, 146 insertions(+), 1 deletion(-)
-
-diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
-index a151ac13724..a1dde2cc7be 100644
---- a/source3/auth/auth_util.c
-+++ b/source3/auth/auth_util.c
-@@ -1484,6 +1484,87 @@ done:
- 	return status;
- }
- 
-+static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx,
-+					struct auth_session_info **session_info)
-+{
-+	TALLOC_CTX *frame = talloc_stackframe();
-+	const char *guest_account = lp_guest_account();
-+	struct auth_user_info_dc *user_info_dc = NULL;
-+	struct passwd *pwd = NULL;
-+	uint32_t hint_flags = 0;
-+	uint32_t session_info_flags = 0;
-+	NTSTATUS status;
-+
-+	/*
-+	 * We use the guest account for the unix token
-+	 * while we use a true anonymous nt token.
-+	 *
-+	 * It's very important to have a separate
-+	 * nt token for anonymous.
-+	 */
-+
-+	pwd = Get_Pwnam_alloc(frame, guest_account);
-+	if (pwd == NULL) {
-+		DBG_ERR("Unable to locate guest account [%s]!\n",
-+			guest_account);
-+		status = NT_STATUS_NO_SUCH_USER;
-+		goto done;
-+	}
-+
-+	status = auth_anonymous_user_info_dc(frame, lp_netbios_name(),
-+					     &user_info_dc);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n",
-+			  nt_errstr(status)));
-+		goto done;
-+	}
-+
-+	/*
-+	 * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME
-+	 * nor AUTH3_UNIX_HINT_ISOLATED_NAME here
-+	 * as we want the unix name be found by getpwuid_alloc().
-+	 */
-+
-+	status = auth3_user_info_dc_add_hints(user_info_dc,
-+					      pwd->pw_uid,
-+					      pwd->pw_gid,
-+					      hint_flags);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n",
-+			  nt_errstr(status)));
-+		goto done;
-+	}
-+
-+	/*
-+	 * In future we may want to remove
-+	 * AUTH_SESSION_INFO_DEFAULT_GROUPS.
-+	 *
-+	 * Similar to Windows with EveryoneIncludesAnonymous
-+	 * and RestrictAnonymous.
-+	 *
-+	 * We may introduce AUTH_SESSION_INFO_ANON_WORLD...
-+	 *
-+	 * But for this is required to keep the existing tests
-+	 * working.
-+	 */
-+	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-+	session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-+	session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
-+	status = auth3_session_info_create(mem_ctx, user_info_dc,
-+					   "",
-+					   session_info_flags,
-+					   session_info);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		DEBUG(0, ("auth3_session_info_create failed: %s\n",
-+			  nt_errstr(status)));
-+		goto done;
-+	}
-+
-+done:
-+	TALLOC_FREE(frame);
-+	return status;
-+}
-+
- /****************************************************************************
-   Fake a auth_session_info just from a username (as a
-   session_info structure, with create_local_token() already called on
-@@ -1661,15 +1742,30 @@ bool session_info_set_session_key(struct auth_session_info *info,
- }
- 
- static struct auth_session_info *guest_info = NULL;
-+static struct auth_session_info *anonymous_info = NULL;
- 
- static struct auth_serversupplied_info *guest_server_info = NULL;
- 
- bool init_guest_info(void)
- {
-+	NTSTATUS status;
-+
- 	if (guest_info != NULL)
- 		return true;
- 
--	return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info));
-+	status = make_new_session_info_guest(&guest_info,
-+					     &guest_server_info);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		return false;
-+	}
-+
-+	status = make_new_session_info_anonymous(NULL,
-+						 &anonymous_info);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		return false;
-+	}
-+
-+	return true;
- }
- 
- NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
-@@ -1690,6 +1786,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
- 	return (*session_info != NULL) ? NT_STATUS_OK : NT_STATUS_NO_MEMORY;
- }
- 
-+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx,
-+				    struct auth_serversupplied_info **server_info)
-+{
-+	if (anonymous_info == NULL) {
-+		return NT_STATUS_UNSUCCESSFUL;
-+	}
-+
-+	/*
-+	 * This is trickier than it would appear to need to be because
-+	 * we are trying to avoid certain costly operations when the
-+	 * structure is converted to a 'auth_session_info' again in
-+	 * create_local_token()
-+	 *
-+	 * We use a guest server_info, but with the anonymous session info,
-+	 * which means create_local_token() will return a copy
-+	 * of the anonymous token.
-+	 *
-+	 * The server info is just used as legacy in order to
-+	 * keep existing code working. Maybe some debug messages
-+	 * will still refer to guest instead of anonymous.
-+	 */
-+	*server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info,
-+							  guest_server_info);
-+	if (*server_info == NULL) {
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	return NT_STATUS_OK;
-+}
-+
-+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx,
-+				     struct auth_session_info **session_info)
-+{
-+	if (anonymous_info == NULL) {
-+		return NT_STATUS_UNSUCCESSFUL;
-+	}
-+
-+	*session_info = copy_session_info(mem_ctx, anonymous_info);
-+	if (*session_info == NULL) {
-+		return NT_STATUS_NO_MEMORY;
-+	}
-+
-+	return NT_STATUS_OK;
-+}
-+
- static struct auth_session_info *system_info = NULL;
- 
- NTSTATUS init_system_session_info(void)
-diff --git a/source3/auth/proto.h b/source3/auth/proto.h
-index 84e20093218..0ce34742ab6 100644
---- a/source3/auth/proto.h
-+++ b/source3/auth/proto.h
-@@ -284,6 +284,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx,
- 				struct auth_serversupplied_info **server_info);
- NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx,
- 				struct auth_session_info **server_info);
-+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx,
-+				    struct auth_serversupplied_info **server_info);
-+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx,
-+				     struct auth_session_info **psession_info);
- NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx,
- 				 struct auth_session_info **session_info);
- const struct auth_session_info *get_session_info_system(void);
--- 
-2.17.0
-
-
-From 001dcfa09cbe00feaed7be6355e63cd44d4d7cfd Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Mar 2018 14:40:19 +0100
-Subject: [PATCH 18/21] s3:rpc_server: make use of
- make_session_info_anonymous()
-
-For unauthenticated connections we should default to a
-session info with an anonymous nt token.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c)
-(cherry picked from commit 47b13364bed551fb9480ff8ac500d6251fae7b72)
----
- source3/rpc_server/rpc_server.c | 9 +++------
- 1 file changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
-index e15cd205cdc..4f196dec76e 100644
---- a/source3/rpc_server/rpc_server.c
-+++ b/source3/rpc_server/rpc_server.c
-@@ -1104,14 +1104,11 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
- 	}
- 
- 	if (ncacn_conn->session_info == NULL) {
--		/*
--		 * TODO: use auth_anonymous_session_info() here?
--		 */
--		status = make_session_info_guest(ncacn_conn,
--						 &ncacn_conn->session_info);
-+		status = make_session_info_anonymous(ncacn_conn,
-+						     &ncacn_conn->session_info);
- 		if (!NT_STATUS_IS_OK(status)) {
- 			DEBUG(2, ("Failed to create "
--				  "make_session_info_guest - %s\n",
-+				  "make_session_info_anonymous - %s\n",
- 				  nt_errstr(status)));
- 			talloc_free(ncacn_conn);
- 			return;
--- 
-2.17.0
-
-
-From 825ec4ad86285315a5ff3285c33ca7c876dc18a8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Fri, 2 Mar 2018 14:40:19 +0100
-Subject: [PATCH 19/21] s3:auth: make use of
- make_{server,session}_info_anonymous()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It's important to have them separated from make_{server,session}_info_guest(),
-because there's a fundamental difference between anonymous (the client requested
-no authentication) and guest (the server lies about the authentication failure).
-
-When it's really an anonymous connection, we should reflect that in the
-resulting session info.
-
-This should fix a problem where Windows 10 tries to join
-a Samba hosted NT4 domain and has SMB2/3 enabled.
-
-We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST
-for true anonymous connections.
-
-The commit message from a few commit before shows the resulting
-auth_session_info change.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Ralph Böhme <slow@samba.org>
-Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144
-
-(cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b)
-(cherry picked from commit 6c1dde631da2f5b41682210eca40f9d363168696)
----
- selftest/knownfail.d/anonymous-guest | 1 -
- source3/auth/auth_builtin.c          | 2 +-
- source3/auth/auth_ntlmssp.c          | 5 +----
- 3 files changed, 2 insertions(+), 6 deletions(-)
- delete mode 100644 selftest/knownfail.d/anonymous-guest
-
-diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest
-deleted file mode 100644
-index a134cece3d5..00000000000
---- a/selftest/knownfail.d/anonymous-guest
-+++ /dev/null
-@@ -1 +0,0 @@
--^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture
-diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
-index 0fa95d9f16d..a2d95a77330 100644
---- a/source3/auth/auth_builtin.c
-+++ b/source3/auth/auth_builtin.c
-@@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
- 		break;
- 	}
- 
--	return make_server_info_guest(NULL, server_info);
-+	return make_server_info_anonymous(NULL, server_info);
- }
- 
- /* Guest modules initialisation */
-diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
-index fd629fd9a03..2e345e17571 100644
---- a/source3/auth/auth_ntlmssp.c
-+++ b/source3/auth/auth_ntlmssp.c
-@@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
- 
- 		cmp = dom_sid_compare(sid, &global_sid_Anonymous);
- 		if (cmp == 0) {
--			/*
--			 * TODO: use auth_anonymous_session_info() here?
--			 */
--			return make_session_info_guest(mem_ctx, session_info);
-+			return make_session_info_anonymous(mem_ctx, session_info);
- 		}
- 
- 		return NT_STATUS_INTERNAL_ERROR;
--- 
-2.17.0
-
-
-From 48646ffe1c60854d832c80f42c1236e43d5b1fb9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 9 Jan 2018 08:55:48 +0100
-Subject: [PATCH 20/21] s3:libsmb: allow -U"\\administrator" to work
-
-cli_credentials_get_principal() returns NULL in that case.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87)
-(cherry picked from commit 4c087a0e9e8ffd797e810f7dc21d630fd6833eed)
----
- source3/libsmb/cliconnect.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index 70bcead445e..d819e4c62f2 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- 
- 	auth_requested = cli_credentials_authentication_requested(creds);
- 	if (auth_requested) {
-+		errno = 0;
- 		user_principal = cli_credentials_get_principal(creds, frame);
--		if (user_principal == NULL) {
-+		if (errno != 0) {
- 			TALLOC_FREE(frame);
- 			return NT_STATUS_NO_MEMORY;
- 		}
-@@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
- 		try_kerberos = true;
- 	}
- 
-+	if (user_principal == NULL) {
-+		try_kerberos = false;
-+	}
-+
- 	if (target_hostname == NULL) {
- 		try_kerberos = false;
- 	} else if (is_ipaddress(target_hostname)) {
--- 
-2.17.0
-
-
-From 38c3a25e80d7dfdef3edf330117a43a1acded21d Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 9 Jan 2018 08:57:05 +0100
-Subject: [PATCH 21/21] s3:cliconnect.c: remove useless ';'
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-(cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3)
-(cherry picked from commit 04cc8936c3f90bf3bbb05bce25c55212c8f0823b)
----
- source3/libsmb/cliconnect.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
-index d819e4c62f2..8c815659c80 100644
---- a/source3/libsmb/cliconnect.c
-+++ b/source3/libsmb/cliconnect.c
-@@ -1289,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send(
- 
- 	status = cli_session_creds_prepare_krb5(cli, creds);
- 	if (tevent_req_nterror(req, status)) {
--		return tevent_req_post(req, ev);;
-+		return tevent_req_post(req, ev);
- 	}
- 
- 	subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
--- 
-2.17.0
-
diff --git a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch
deleted file mode 100644
index cc1aaec..0000000
--- a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 29 Nov 2017 09:21:30 -0800
-Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
- cli_smb2_close_fnum_recv().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
-frees req, then uses the state pointer which was owned by req.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Böhme <slow@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
-
-(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
----
- source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
-index 5d46d543002..237e6bb2b54 100644
---- a/source3/libsmb/cli_smb2_fnum.c
-+++ b/source3/libsmb/cli_smb2_fnum.c
-@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
- {
- 	struct cli_smb2_close_fnum_state *state = tevent_req_data(
- 		req, struct cli_smb2_close_fnum_state);
--	NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
--	state->cli->raw_status = status;
-+	NTSTATUS status = NT_STATUS_OK;
-+
-+	if (tevent_req_is_nterror(req, &status)) {
-+		state->cli->raw_status = status;
-+	}
-+	tevent_req_received(req);
- 	return status;
- }
- 
--- 
-2.15.0.531.g2ccb3012c9-goog
-
diff --git a/SOURCES/samba-4.7-fix_smbclient_volume.patch b/SOURCES/samba-4.7-fix_smbclient_volume.patch
deleted file mode 100644
index 1f0692a..0000000
--- a/SOURCES/samba-4.7-fix_smbclient_volume.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 14 Nov 2017 13:52:03 -0800
-Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
- calls.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
----
- source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
- source3/libsmb/cli_smb2_fnum.h |  6 +++
- source3/libsmb/clifsinfo.c     |  9 ++++
- 3 files changed, 112 insertions(+)
-
-diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
-index a478c41f068..89cb1f479d5 100644
---- a/source3/libsmb/cli_smb2_fnum.c
-+++ b/source3/libsmb/cli_smb2_fnum.c
-@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
- 	return status;
- }
- 
-+/***************************************************************
-+ Wrapper that allows SMB2 to query file system sizes.
-+ Synchronous only.
-+***************************************************************/
-+
-+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
-+				uint64_t *total_allocation_units,
-+				uint64_t *caller_allocation_units,
-+				uint64_t *actual_allocation_units,
-+				uint64_t *sectors_per_allocation_unit,
-+				uint64_t *bytes_per_sector)
-+{
-+	NTSTATUS status;
-+	uint16_t fnum = 0xffff;
-+	DATA_BLOB outbuf = data_blob_null;
-+	struct smb2_hnd *ph = NULL;
-+	TALLOC_CTX *frame = talloc_stackframe();
-+
-+	if (smbXcli_conn_has_async_calls(cli->conn)) {
-+		/*
-+		 * Can't use sync call while an async call is in flight
-+		 */
-+		status = NT_STATUS_INVALID_PARAMETER;
-+		goto fail;
-+	}
-+
-+	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
-+		status = NT_STATUS_INVALID_PARAMETER;
-+		goto fail;
-+	}
-+
-+	/* First open the top level directory. */
-+	status =
-+	    cli_smb2_create_fnum(cli, "", 0,		   /* create_flags */
-+				 FILE_READ_ATTRIBUTES,     /* desired_access */
-+				 FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
-+				 FILE_SHARE_READ | FILE_SHARE_WRITE |
-+				     FILE_SHARE_DELETE, /* share_access */
-+				 FILE_OPEN,		/* create_disposition */
-+				 FILE_DIRECTORY_FILE,   /* create_options */
-+				 &fnum,
-+				 NULL);
-+
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto fail;
-+	}
-+
-+	status = map_fnum_to_smb2_handle(cli, fnum, &ph);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto fail;
-+	}
-+
-+	/* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
-+	   level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
-+
-+	status = smb2cli_query_info(cli->conn,
-+				cli->timeout,
-+				cli->smb2.session,
-+				cli->smb2.tcon,
-+				SMB2_GETINFO_FS, /* in_info_type */
-+				/* in_file_info_class */
-+				SMB_FS_FULL_SIZE_INFORMATION - 1000,
-+				0xFFFF, /* in_max_output_length */
-+				NULL, /* in_input_buffer */
-+				0, /* in_additional_info */
-+				0, /* in_flags */
-+				ph->fid_persistent,
-+				ph->fid_volatile,
-+				frame,
-+				&outbuf);
-+	if (!NT_STATUS_IS_OK(status)) {
-+		goto fail;
-+	}
-+
-+	if (outbuf.length < 32) {
-+		status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+		goto fail;
-+	}
-+
-+	*total_allocation_units = BIG_UINT(outbuf.data, 0);
-+	*caller_allocation_units = BIG_UINT(outbuf.data, 8);
-+	*actual_allocation_units = BIG_UINT(outbuf.data, 16);
-+	*sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
-+	*bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
-+
-+fail:
-+
-+	if (fnum != 0xffff) {
-+		cli_smb2_close_fnum(cli, fnum);
-+	}
-+
-+	cli->raw_status = status;
-+
-+	TALLOC_FREE(frame);
-+	return status;
-+}
-+
- /***************************************************************
-  Wrapper that allows SMB2 to query file system attributes.
-  Synchronous only.
-diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
-index 9a709e85d96..c9325b66902 100644
---- a/source3/libsmb/cli_smb2_fnum.h
-+++ b/source3/libsmb/cli_smb2_fnum.h
-@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
- 			uint64_t *total,
- 			uint64_t *avail);
- NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
-+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
-+			uint64_t *total_allocation_units,
-+			uint64_t *caller_allocation_units,
-+			uint64_t *actual_allocation_units,
-+			uint64_t *sectors_per_allocation_unit,
-+			uint64_t *bytes_per_sector);
- NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
- 			uint16_t fnum,
- 			uint32_t sec_info,
-diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
-index 119b1216fb2..46236390022 100644
---- a/source3/libsmb/clifsinfo.c
-+++ b/source3/libsmb/clifsinfo.c
-@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
- 	uint32_t rdata_count;
- 	NTSTATUS status;
- 
-+	if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
-+		return cli_smb2_get_fs_full_size_info(cli,
-+						total_allocation_units,
-+						caller_allocation_units,
-+						actual_allocation_units,
-+						sectors_per_allocation_unit,
-+						bytes_per_sector);
-+	}
-+
- 	SSVAL(setup, 0, TRANSACT2_QFSINFO);
- 	SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
- 
--- 
-2.15.0.448.gf294e3d99a-goog
-
diff --git a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
deleted file mode 100644
index e9d581c..0000000
--- a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 8 Sep 2017 16:20:34 -0700
-Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
- STATUS_INVALID_PARAMETER from an echo.
-
-It does this if we send a session ID of zero. The server still replied.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
-
-(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
----
- source3/client/client.c        |  8 +++++++-
- source3/libsmb/libsmb_server.c | 11 ++++++++++-
- 2 files changed, 17 insertions(+), 2 deletions(-)
-
-diff --git a/source3/client/client.c b/source3/client/client.c
-index b4a6c7d0389..9c57375881d 100644
---- a/source3/client/client.c
-+++ b/source3/client/client.c
-@@ -5900,7 +5900,13 @@ static void readline_callback(void)
- 	/* Ping the server to keep the connection alive using SMBecho. */
- 	memset(garbage, 0xf0, sizeof(garbage));
- 	status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
--	if (NT_STATUS_IS_OK(status)) {
-+	if (NT_STATUS_IS_OK(status) ||
-+			NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
-+		/*
-+		 * Even if server returns NT_STATUS_INVALID_PARAMETER
-+		 * it still responded.
-+		 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
-+		 */
- 		return;
- 	}
- 
-diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
-index b0e5926fa65..2d41f2facf3 100644
---- a/source3/libsmb/libsmb_server.c
-+++ b/source3/libsmb/libsmb_server.c
-@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
- 					1,
- 					data_blob_const(data, sizeof(data)));
- 		if (!NT_STATUS_IS_OK(status)) {
--			return 1;
-+			/*
-+			 * Some NetApp servers return
-+			 * NT_STATUS_INVALID_PARAMETER.That's OK, they still
-+			 * replied.
-+			 * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
-+			 */
-+			if (!NT_STATUS_EQUAL(status,
-+					NT_STATUS_INVALID_PARAMETER)) {
-+				return 1;
-+			}
- 		}
- 		server->last_echo_time = now;
- 	}
--- 
-2.15.0.448.gf294e3d99a-goog
-
diff --git a/SOURCES/samba-4.7-net_ads_keytab_list.patch b/SOURCES/samba-4.7-net_ads_keytab_list.patch
deleted file mode 100644
index f77b271..0000000
--- a/SOURCES/samba-4.7-net_ads_keytab_list.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Thu, 23 Nov 2017 15:55:21 +0000
-Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
- malformed"
-
-When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
-instead, this function will determine the correct keytab to use.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
----
- source3/libads/kerberos_keytab.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
-index ff12ec04af6..ffd100c5636 100644
---- a/source3/libads/kerberos_keytab.c
-+++ b/source3/libads/kerberos_keytab.c
-@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
- 		return ret;
- 	}
- 
--	ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
-+	if (keytab_name == NULL) {
-+		ret = ads_keytab_open(context, &keytab);
-+	} else {
-+		ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
-+	}
- 	if (ret) {
- 		DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- 			  error_message(ret)));
--- 
-2.15.0
-
-
-From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Fri, 24 Nov 2017 07:06:27 +0000
-Subject: [PATCH 2/2] testprogs: Test net ads keytab list
-
-Test that correct keytab is picked up.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
-(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
----
- testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
-index bbd99b676bd..c5dbaf69ba2 100755
---- a/testprogs/blackbox/test_net_ads.sh
-+++ b/testprogs/blackbox/test_net_ads.sh
-@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
- testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
- 
- testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
-+
-+# if there is no keytab, try and create it
-+if [ ! -f $dedicated_keytab_file ]; then
-+  if [ $(command -v ktutil) >/dev/null ]; then
-+    printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
-+  fi
-+fi
-+
-+if [  -f $dedicated_keytab_file ]; then
-+  testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
-+  testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
-+fi
-+
- rm -f $dedicated_keytab_file
- 
- testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
--- 
-2.15.0
-
diff --git a/SOURCES/samba-4.7.1.tar.asc b/SOURCES/samba-4.7.1.tar.asc
deleted file mode 100644
index 78fce48..0000000
--- a/SOURCES/samba-4.7.1.tar.asc
+++ /dev/null
@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
-uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew==
-=LZI3
------END PGP SIGNATURE-----
diff --git a/SOURCES/samba-4.8.3-fix_krb5_plugins.patch b/SOURCES/samba-4.8.3-fix_krb5_plugins.patch
new file mode 100644
index 0000000..86aeadb
--- /dev/null
+++ b/SOURCES/samba-4.8.3-fix_krb5_plugins.patch
@@ -0,0 +1,270 @@
+From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 14:06:39 +0200
+Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ nsswitch/wscript_build | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 15e93db2f05..576855bb56c 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
+ 		)
+ 
+ if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+-	bld.SAMBA_LIBRARY('winbind_krb5_locator',
+-		source='winbind_krb5_locator.c',
+-		deps='wbclient krb5 com_err',
+-		realname='winbind_krb5_locator.so')
++    bld.SAMBA_LIBRARY('winbind_krb5_locator',
++                      source='winbind_krb5_locator.c',
++                      deps='wbclient krb5 com_err',
++                      realname='winbind_krb5_locator.so',
++                      install_path='${MODULESDIR}/krb5')
+ 
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+     bld.SAMBA_LIBRARY('winbind_krb5_localauth',
+                       source='krb5_plugin/winbind_krb5_localauth.c',
+                       deps='wbclient krb5 com_err',
+-                      realname='winbind-krb5-localauth.so')
++                      realname='winbind_krb5_localauth.so',
++                      install_path='${MODULESDIR}/krb5')
+ 
+ bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
+ 	source='wb_reqtrans.c',
+-- 
+2.17.1
+
+
+From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 14:08:56 +0200
+Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
+ subdir
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
+ nsswitch/wscript_build                            | 2 +-
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+ rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
+
+diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
+similarity index 100%
+rename from nsswitch/winbind_krb5_locator.c
+rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 576855bb56c..dd1952b799b 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
+ 
+ if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+     bld.SAMBA_LIBRARY('winbind_krb5_locator',
+-                      source='winbind_krb5_locator.c',
++                      source='krb5_plugin/winbind_krb5_locator.c',
+                       deps='wbclient krb5 com_err',
+                       realname='winbind_krb5_locator.so',
+                       install_path='${MODULESDIR}/krb5')
+-- 
+2.17.1
+
+
+From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 15:14:15 +0200
+Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
+
+The vfs and idmap manpages are in volume 8 too.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ ...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
+ docs-xml/wscript_build                                      | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+ rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
+
+diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
+similarity index 96%
+rename from docs-xml/manpages/winbind_krb5_locator.7.xml
+rename to docs-xml/manpages/winbind_krb5_locator.8.xml
+index 17e401a9da0..0af0c2cc95f 100644
+--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
++++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
+@@ -1,12 +1,12 @@
+ <?xml version="1.0" encoding="iso-8859-1"?>
+ <!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+-<refentry id="winbind_krb5_locator.7">
++<refentry id="winbind_krb5_locator.8">
+ 
+ <refmeta>
+ 	<refentrytitle>winbind_krb5_locator</refentrytitle>
+-	<manvolnum>7</manvolnum>
++	<manvolnum>8</manvolnum>
+ 	<refmiscinfo class="source">Samba</refmiscinfo>
+-	<refmiscinfo class="manual">7</refmiscinfo>
++	<refmiscinfo class="manual">8</refmiscinfo>
+ 	<refmiscinfo class="version">&doc.version;</refmiscinfo>
+ </refmeta>
+ 
+diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
+index 954c62a29bc..2d686eb38b0 100644
+--- a/docs-xml/wscript_build
++++ b/docs-xml/wscript_build
+@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
+                        manpages/pam_winbind.conf.5
+                        '''
+ 
+-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
++krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+ 
+ def smbdotconf_generate_parameter_list(task):
+     parameter_all = task.outputs[0].bldpath(task.env)
+-- 
+2.17.1
+
+
+From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 27 Jun 2018 15:06:07 +0200
+Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+---
+ .../manpages/winbind_krb5_localauth.8.xml     | 86 +++++++++++++++++++
+ docs-xml/wscript_build                        |  4 +
+ 2 files changed, 90 insertions(+)
+ create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
+
+diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
+new file mode 100644
+index 00000000000..a382e71ead3
+--- /dev/null
++++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
+@@ -0,0 +1,86 @@
++<?xml version="1.0" encoding="iso-8859-1"?>
++<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
++<refentry id="winbind_krb5_localauth.8">
++
++<refmeta>
++	<refentrytitle>winbind_krb5_localauth</refentrytitle>
++	<manvolnum>8</manvolnum>
++	<refmiscinfo class="source">Samba</refmiscinfo>
++	<refmiscinfo class="manual">8</refmiscinfo>
++	<refmiscinfo class="version">&doc.version;</refmiscinfo>
++</refmeta>
++
++
++<refnamediv>
++	<refname>winbind_krb5_localauth</refname>
++	<refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
++</refnamediv>
++
++
++<refsect1>
++	<title>DESCRIPTION</title>
++
++	<para>
++		This plugin is part of the
++		<citerefentry><refentrytitle>samba</refentrytitle>
++		<manvolnum>7</manvolnum></citerefentry> suite.
++	</para>
++
++	<para>
++		<command>winbind_krb5_localauth</command> is a plugin that
++		permits the MIT Kerberos libraries that Kerberos principals can
++		be validated against local user accounts.
++	</para>
++</refsect1>
++<refsect1>
++	<title>PREREQUISITES</title>
++	<para>
++		MIT Kerberos (at least version 1.12) is required.
++	</para>
++
++	<para>
++		The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
++		<manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
++		and started separately.
++	</para>
++
++	<para>
++		The following sections needs to be added to the
++		<filename>krb5.conf</filename> file.
++
++		<programlisting>
++[plugins]
++	localauth = {
++		module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
++		enable_only = winbind
++	}
++		</programlisting>
++	</para>
++</refsect1>
++
++<refsect1>
++	<title>VERSION</title>
++
++	<para>
++		This man page is part of version &doc.version; of the Samba
++		suite.
++	</para>
++</refsect1>
++
++<refsect1>
++	<title>AUTHOR</title>
++
++	<para>
++		The original Samba software and related utilities were created
++		by Andrew Tridgell. Samba is now developed by the Samba Team as
++		an Open Source project similar to the way the Linux kernel is
++		developed.
++	</para>
++
++	<para>
++		The winbind_krb5_localauth manpage was written by Andreas
++		Schneider.
++	</para>
++</refsect1>
++
++</refentry>
+diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
+index 2d686eb38b0..ec5d28fc62a 100644
+--- a/docs-xml/wscript_build
++++ b/docs-xml/wscript_build
+@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
+                        '''
+ 
+ krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
++krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
+ 
+ def smbdotconf_generate_parameter_list(task):
+     parameter_all = task.outputs[0].bldpath(task.env)
+@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
+     if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
+         bld.SAMBAMANPAGES(krb5_locator_manpages)
+ 
++    if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
++        bld.SAMBAMANPAGES(krb5_localauth_manpages)
++
+     if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
+         bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
+-- 
+2.17.1
+
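Review bot: The `krb5.conf` example in the new `winbind_krb5_localauth.8.xml` hard-codes `module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so`, while patch 1/4 installs the plugin to `${MODULESDIR}/krb5`. On a build whose modules directory is not under `/usr/lib64`, the documented line names a file that does not exist. A sentence after the listing saying that the path depends on the build's modules directory would avoid that. In the DESCRIPTION paragraph, "permits the MIT Kerberos libraries that Kerberos principals can be validated" does not parse; `is a plugin that allows the MIT Kerberos libraries to validate Kerberos principals against local user accounts.` reads as intended. Also "The following sections needs" should be `The following section needs`.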
diff --git a/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch b/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch
new file mode 100644
index 0000000..f3b9d89
--- /dev/null
+++ b/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch
@@ -0,0 +1,216 @@
+From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 2 Jul 2018 16:18:52 +0200
+Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
+---
+ nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
+ selftest/knownfail.d/upn_handling       |  2 +
+ source3/selftest/tests.py               |  4 +-
+ 3 files changed, 66 insertions(+), 11 deletions(-)
+
+diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
+index 2803ac1408b..da30f97be74 100755
+--- a/nsswitch/tests/test_wbinfo_user_info.sh
++++ b/nsswitch/tests/test_wbinfo_user_info.sh
+@@ -2,19 +2,20 @@
+ # Blackbox test for wbinfo lookup for account name and upn
+ # Copyright (c) 2018 Andreas Schneider <asn@samba.org>
+ 
+-if [ $# -lt 5 ]; then
++if [ $# -lt 6 ]; then
+ cat <<EOF
+-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
++Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+ EOF
+ exit 1;
+ fi
+ 
+ DOMAIN=$1
+ REALM=$2
+-USERNAME1=$3
+-UPN_NAME1=$4
+-USERNAME2=$5
+-UPN_NAME2=$6
++OWN_DOMAIN=$3
++USERNAME1=$4
++UPN_NAME1=$5
++USERNAME2=$6
++UPN_NAME2=$7
+ shift 6
+ 
+ failed=0
+@@ -31,9 +32,9 @@ test_user_info()
+ {
+ 	local cmd out ret user domain upn userinfo
+ 
+-	domain="$1"
+-	user="$2"
+-	upn="$3"
++	local domain="$1"
++	local user="$2"
++	local upn="$3"
+ 
+ 	if [ $# -lt 3 ]; then
+ 		userinfo="$domain/$user"
+@@ -62,6 +63,39 @@ test_user_info()
+ 	return 0
+ }
+ 
++test_getpwnam()
++{
++	local cmd out ret
++
++	local lookup_username=$1
++	local expected_return=$2
++	local expected_output=$3
++
++	cmd='getent passwd $lookup_username'
++	eval echo "$cmd"
++	out=$(eval $cmd)
++	ret=$?
++
++	if [ $ret -ne $expected_return ]; then
++		echo "return code: $ret, expected return code is: $expected_return"
++		echo "$out"
++		return 1
++	fi
++
++	if [ -n "$expected_output" ]; then
++		echo "$out" | grep "$expected_output"
++		ret=$?
++
++		if [ $ret -ne 0 ]; then
++			echo "Unable to find $expected_output in:"
++			echo "$out"
++			return 1
++		fi
++	fi
++
++	return 0
++}
++
+ testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
+ testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
+ 
+@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
+ testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
+ testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+ 
++testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
++
++testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
++
++# We should not be able to lookup the user just by the name
++test_ret=0
++test_output="$DOMAIN/$USERNAME1"
++
++if [ "$ENVNAME" = "ad_member" ]; then
++	test_ret=2
++	test_output=""
++fi
++if [ "$ENVNAME" = "fl2008r2dc" ]; then
++	test_ret=0
++	test_output="$OWN_DOMAIN/$USERNAME1"
++fi
++
++testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
++
+ exit $failed
+diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
+index bcbedb4f903..7dc9b71dc5e 100644
+--- a/selftest/knownfail.d/upn_handling
++++ b/selftest/knownfail.d/upn_handling
+@@ -1,8 +1,10 @@
+ ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
++^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
+ ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
++^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index f43d2b14d3a..a9cb2dad792 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -216,13 +216,13 @@ env = "ad_member:local"
+ plantestsuite("samba3.wbinfo_user_info", env,
+               [ os.path.join(srcdir(),
+                             "nsswitch/tests/test_wbinfo_user_info.sh"),
+-                '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
++                '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
+ 
+ env = "fl2008r2dc:local"
+ plantestsuite("samba3.wbinfo_user_info", env,
+               [ os.path.join(srcdir(),
+                             "nsswitch/tests/test_wbinfo_user_info.sh"),
+-                '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
++                '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
+ 
+ env = "ad_member"
+ t = "WBCLIENT-MULTI-PING"
+-- 
+2.13.6
+
+
+From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 2 Jul 2018 16:38:01 +0200
+Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Wed Jul  4 23:55:56 CEST 2018 on sn-devel-144
+
+(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
+---
+ selftest/knownfail.d/upn_handling | 2 --
+ source3/winbindd/winbindd_util.c  | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
+index 7dc9b71dc5e..bcbedb4f903 100644
+--- a/selftest/knownfail.d/upn_handling
++++ b/selftest/knownfail.d/upn_handling
+@@ -1,10 +1,8 @@
+ ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
+ ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
+ ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
+diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
+index aa633419c9a..7a5fb73cdef 100644
+--- a/source3/winbindd/winbindd_util.c
++++ b/source3/winbindd/winbindd_util.c
+@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
+ 		} else if (assume_domain(lp_workgroup())) {
+ 			fstrcpy(domain, lp_workgroup());
+ 			fstrcpy(namespace, domain);
++		} else {
++			fstrcpy(namespace, lp_netbios_name());
+ 		}
+ 	}
+ 
+-- 
+2.13.6
+
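Review bot: In the `parse_domain_user` hunk of patch 2/2, the new `else` branch fills `namespace` from `lp_netbios_name()` but assigns nothing to `domain`, unlike the `assume_domain` branch just above it, which sets both. The function starts and ends outside the hunk, so it is not visible whether `domain` is cleared earlier; if it is not, callers would read whatever the buffer held for an unqualified name. If an empty domain is the intended result, writing `domain[0] = '\0';` in that branch would make it self-contained. Separately, `test_getpwnam` in patch 1/2 builds the command in a string and runs it through `eval`, which expands the user name a second time; `out=$(getent passwd "$lookup_username")` runs the lookup without that.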
diff --git a/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch b/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch
new file mode 100644
index 0000000..6ee5623
--- /dev/null
+++ b/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch
@@ -0,0 +1,64 @@
+From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Mon, 25 Jun 2018 09:58:56 -0400
+Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add quiet command-line argument to allow suppressing the help log
+message printed automatically after establishing a smbclient connection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
+
+Signed-off-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Björn Baumbach <bb@sernet.de>
+(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
+---
+ source3/client/client.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index 2c1c76036f7..c836e5a0477 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -52,6 +52,7 @@ static int port = 0;
+ static char *service;
+ static char *desthost;
+ static bool grepable = false;
++static bool quiet = false;
+ static char *cmdstr = NULL;
+ const char *cmd_ptr = NULL;
+
+@@ -6059,7 +6060,9 @@ static int process_stdin(void)
+ {
+	int rc = 0;
+
+-	d_printf("Try \"help\" to get a list of possible commands.\n");
++	if (!quiet) {
++		d_printf("Try \"help\" to get a list of possible commands.\n");
++	}
+
+	while (!finished) {
+		TALLOC_CTX *frame = talloc_stackframe();
+@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
+		{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
+		{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
+		{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
++		{ "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
+                 { "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
+		POPT_COMMON_SAMBA
+		POPT_COMMON_CONNECTION
+@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
+		case 'g':
+			grepable=true;
+			break;
++		case 'q':
++			quiet=true;
++			break;
+		case 'e':
+			smb_encrypt=true;
+			break;
+--
+2.17.1
diff --git a/SOURCES/samba-4.8.3.tar.asc b/SOURCES/samba-4.8.3.tar.asc
new file mode 100644
index 0000000..149c42f
--- /dev/null
+++ b/SOURCES/samba-4.8.3.tar.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
+U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
+=em2I
+-----END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index a620d2a..f2eac30 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,13 +6,13 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 9
+%define main_release 4
 
-%define samba_version 4.7.1
-%define talloc_version 2.1.9
-%define tdb_version 1.3.14
-%define tevent_version 0.9.33
-%define ldb_version 1.2.2
+%define samba_version 4.8.3
+%define talloc_version 2.1.11
+%define tdb_version 1.3.15
+%define tevent_version 0.9.36
+%define ldb_version 1.3.4
 # This should be rc1 or nil
 %define pre_release %nil
 
@@ -25,6 +25,12 @@
 # This is a network daemon, do a hardened build
 # Enables PIE and full RELRO protection
 %global _hardened_build 1
+# Samba cannot be linked with -Wl,-z,defs (from hardened build config)
+# For exmple the samba-cluster-support library is marked to allow undefined
+# symbols in the samba build.
+#
+# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
+%undefine _strict_symbol_defs_build
 
 %global with_libsmbclient 1
 %global with_libwbclient 1
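Review bot: The comment added above `%undefine _strict_symbol_defs_build` has a typo, `exmple`; the line should read `# For example the samba-cluster-support library is marked to allow undefined`. Because the `%undefine` sits directly under `%global _hardened_build 1`, it may also be worth one more comment line saying that `_hardened_build` stays enabled and only the `-Wl,-z,defs` link check is dropped. That would stop a reader taking it for a removal of the PIE/RELRO hardening described two lines earlier.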
@@ -84,6 +90,8 @@
 
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
 
+%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
+
 Name:           samba
 Version:        %{samba_version}
 Release:        %{samba_release}
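Review bot: `_systemd_extra` is defined without a comment, although it points the smb, nmb, winbind and samba units at one fixed Kerberos credential cache file. A line above the `%global` would say what it is for, such as `# Extra [Service] setting handed to configure via --systemd-*-extra: shared Kerberos ccache for the Samba daemons`. Since the cache path `/run/samba/krb5cc_samba` is predictable, it is worth confirming that `/run/samba` is created root-owned and not writable by other users; that is not visible in this hunk.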
@@ -119,19 +127,11 @@ Source14: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 
-Patch0:   CVE-2017-14746.patch
-Patch1:   CVE-2017-15275.patch
-Patch2:   samba-4.7-fix_smbclient_volume.patch
-Patch3:   samba-4.7-fix_samba_with_systemd.patch
-Patch4:   samba-4.7-net_ads_keytab_list.patch
-Patch5:   samba-4.7-fix_aesni_intel_support.patch
-Patch6:   samba-4.7-handle_smb_echo_gracefully.patch
-Patch7:   samba-4.7-fix_smb2_client_read_after_free.patch
-Patch8:   samba-4.7-fix_dns_segfault_during_net_ads_join.patch
-Patch9:   samba-4.7-fix_segfault_in_NT1_connection_setup.patch
-Patch10:  samba-4.7-fix_segfault_in_keytab_handling.patch
-Patch11:  samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
-Patch12:  samba-4.7-fix_smb2_anonymous_connections.patch
+Patch0:        samba-4.8.3-fix_krb5_plugins.patch
+Patch1:        samba-4.8.3-fix_winbind_getpwnam_local_user.patch
+Patch2:        samba-4.8.3-smbclient_quiet_argument.patch
+Patch3:        CVE-2018-1139.patch
+Patch4:        CVE-2018-10858.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -198,7 +198,7 @@ BuildRequires: python-dns
 BuildRequires: python-iso8601
 %if %{with testsuite}
 BuildRequires: python2-pygpgme
-BuildRequires: python2-subunit
+BuildRequires: python2-markdown
 %endif
 BuildRequires: quota-devel
 BuildRequires: readline-devel
@@ -834,7 +834,13 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %if %with_intel_aes_accel
         --accel-aes=intelaesni \
 %endif
-        --with-systemd
+        --with-systemd \
+        --systemd-install-services \
+        --with-systemddir=/usr/lib/systemd/system \
+        --systemd-smb-extra=%{_systemd_extra} \
+        --systemd-nmb-extra=%{_systemd_extra} \
+        --systemd-winbind-extra=%{_systemd_extra} \
+        --systemd-samba-extra=%{_systemd_extra}
 
 make %{?_smp_mflags}
 
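Review bot: `--with-systemddir=/usr/lib/systemd/system` hard-codes the unit directory, while the rest of the spec refers to it as `%{_unitdir}` (the `ctdb.service` install and the `%{_unitdir}/samba.service` removal in later hunks). If the two ever differ, the units written by `--systemd-install-services` and the paths the spec packages or deletes would diverge. `--with-systemddir=%{_unitdir} \` keeps them tied together. The configure invocation starts outside this hunk.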
@@ -931,15 +937,6 @@ install -m 0644 %{SOURCE200} packaging/README.dc
 install -m 0644 %{SOURCE200} packaging/README.dc-libs
 %endif
 
-install -d -m 0755 %{buildroot}%{_unitdir}
-services="nmb smb winbind"
-%if %with_dc
-services="$services samba"
-%endif
-for i in $services ; do
-    cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
-    install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
-done
 %if %with_clustering_support
 install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
 %endif
@@ -954,16 +951,28 @@ install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 
 %if ! %with_dc
-for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
+for i in \
+    %{_libdir}/samba/libdfs-server-ad-samba4.so \
     %{_libdir}/samba/libdnsserver-common-samba4.so \
     %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
-    %{_mandir}/man8/samba.8 \
-    %{_mandir}/man8/samba-tool.8 \
     %{_libdir}/samba/ldb/ildap.so \
     %{_libdir}/samba/ldb/ldbsamba_extensions.so \
+    %{_mandir}/man8/samba.8 \
+    %{_mandir}/man8/samba-tool.8 \
+    %{_mandir}/man8/samba_gpoupdate.8 \
+    %{_sbindir}/samba_gpoupdate \
+    %{python_sitearch}/samba/colour.py* \
+    %{python_sitearch}/samba/domain_update.py* \
+    %{python_sitearch}/samba/forest_update.py* \
+    %{python_sitearch}/samba/gpclass.py* \
+    %{python_sitearch}/samba/graph.py* \
+    %{python_sitearch}/samba/ms_forest_updates_markdown.py* \
+    %{python_sitearch}/samba/ms_schema_markdown.py* \
+    %{python_sitearch}/samba/gpo.so \
     %{python_sitearch}/samba/dcerpc/dnsserver.so \
     %{python_sitearch}/samba/netcmd/fsmo.py* \
     %{python_sitearch}/samba/netcmd/rodc.py* \
+    %{python_sitearch}/samba/netcmd/visualize.py* \
     %{python_sitearch}/samba/kcc/__init__.py* \
     %{python_sitearch}/samba/kcc/debug.py* \
     %{python_sitearch}/samba/kcc/graph.py* \
@@ -984,6 +993,9 @@ for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
     %{python_sitearch}/samba/dsdb_dns.so \
     %{python_sitearch}/samba/samdb.py* \
     %{python_sitearch}/samba/schema.py* \
+    %{python_sitearch}/samba/tests/krb5_credentials.py* \
+    %{python_sitearch}/samba/tests/password_quality.py* \
+    %{_unitdir}/samba.service \
     ; do
     rm -f %{buildroot}$i
 done
@@ -1139,18 +1151,18 @@ fi
 
 %postun winbind-krb5-locator
 if [ "$1" -ge "1" ]; then
-        if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then
-                %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+        if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/samba/krb5/winbind_krb5_locator.so" ]; then
+                %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
         fi
 fi
 
 %post winbind-krb5-locator
 %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
-                                winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10
+                                winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so 10
 
 %preun winbind-krb5-locator
 if [ $1 -eq 0 ]; then
-        %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+        %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
 fi
 
 %post winbind-modules -p /sbin/ldconfig
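Review bot: The three scriptlets now register, select and remove only the new path `%{_libdir}/samba/krb5/winbind_krb5_locator.so`; nothing in this hunk removes the alternative that an already-installed package registered under the old `%{_libdir}/winbind_krb5_locator.so`. On upgrade that stale entry may remain in the `winbind_krb5_locator.so` group pointing at a file that no longer exists, which would leave the krb5 locator plugin symlink dangling if it stays selected. Consider dropping it in `%post` before the `--install`, e.g. `%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 2>/dev/null || :`. This is inferred from the scriptlets shown; a `%pre` or trigger elsewhere in the spec may already handle it.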
@@ -1196,7 +1208,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/acl_tdb.so
 %{_libdir}/samba/vfs/acl_xattr.so
 %{_libdir}/samba/vfs/aio_fork.so
-%{_libdir}/samba/vfs/aio_linux.so
 %{_libdir}/samba/vfs/aio_pthread.so
 %{_libdir}/samba/vfs/audit.so
 %{_libdir}/samba/vfs/btrfs.so
@@ -1232,6 +1243,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/syncops.so
 %{_libdir}/samba/vfs/time_audit.so
 %{_libdir}/samba/vfs/unityed_media.so
+%{_libdir}/samba/vfs/virusfilter.so
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
 
@@ -1248,7 +1260,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_acl_tdb.8*
 %{_mandir}/man8/vfs_acl_xattr.8*
 %{_mandir}/man8/vfs_aio_fork.8*
-%{_mandir}/man8/vfs_aio_linux.8*
 %{_mandir}/man8/vfs_aio_pthread.8*
 %{_mandir}/man8/vfs_audit.8*
 %{_mandir}/man8/vfs_btrfs.8*
@@ -1268,6 +1279,7 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_linux_xfs_sgid.8*
 %{_mandir}/man8/vfs_media_harmony.8*
 %{_mandir}/man8/vfs_netatalk.8*
+%{_mandir}/man8/vfs_nfs4acl_xattr.8*
 %{_mandir}/man8/vfs_offline.8*
 %{_mandir}/man8/vfs_prealloc.8*
 %{_mandir}/man8/vfs_preopen.8*
@@ -1284,6 +1296,7 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_time_audit.8*
 %{_mandir}/man8/vfs_tsmsm.8*
 %{_mandir}/man8/vfs_unityed_media.8*
+%{_mandir}/man8/vfs_virusfilter.8*
 %{_mandir}/man8/vfs_worm.8*
 %{_mandir}/man8/vfs_xattr_tdb.8*
 
@@ -1342,6 +1355,8 @@ rm -rf %{buildroot}
 %{_mandir}/man5/smbgetrc.5*
 %{_mandir}/man1/smbtar.1*
 %{_mandir}/man1/smbtree.1*
+%{_mandir}/man7/traffic_learner.7.*
+%{_mandir}/man7/traffic_replay.7.*
 %{_mandir}/man8/cifsdd.8.*
 %{_mandir}/man8/samba-regedit.8*
 %{_mandir}/man8/smbspool.8*
@@ -1423,7 +1438,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libflag-mapping-samba4.so
 %{_libdir}/samba/libgenrand-samba4.so
 %{_libdir}/samba/libgensec-samba4.so
-%{_libdir}/samba/libgpo-samba4.so
+%{_libdir}/samba/libgpext-samba4.so
 %{_libdir}/samba/libgse-samba4.so
 %{_libdir}/samba/libhttp-samba4.so
 %{_libdir}/samba/libinterfaces-samba4.so
@@ -1574,12 +1589,14 @@ rm -rf %{buildroot}
 %{_sbindir}/samba
 %{_sbindir}/samba_kcc
 %{_sbindir}/samba_dnsupdate
+%{_sbindir}/samba_gpoupdate
 %{_sbindir}/samba_spnupdate
 %{_sbindir}/samba_upgradedns
 
 %{_libdir}/krb5/plugins/kdb/samba.so
 
 %{_libdir}/samba/auth/samba4.so
+%{_libdir}/samba/libgpo-samba4.so
 %{_libdir}/samba/libpac-samba4.so
 %dir %{_libdir}/samba/gensec
 %{_libdir}/samba/gensec/krb5.so
@@ -1590,6 +1607,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/ldb/dirsync.so
 %{_libdir}/samba/ldb/dns_notify.so
 %{_libdir}/samba/ldb/dsdb_notification.so
+%{_libdir}/samba/ldb/encrypted_secrets.so
 %{_libdir}/samba/ldb/extended_dn_in.so
 %{_libdir}/samba/ldb/extended_dn_out.so
 %{_libdir}/samba/ldb/extended_dn_store.so
@@ -1624,6 +1642,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/ldb/subtree_delete.so
 %{_libdir}/samba/ldb/subtree_rename.so
 %{_libdir}/samba/ldb/tombstone_reanimate.so
+%{_libdir}/samba/ldb/unique_object_sids.so
 %{_libdir}/samba/ldb/update_keytab.so
 %{_libdir}/samba/ldb/vlv.so
 %{_libdir}/samba/ldb/wins_ldb.so
@@ -1632,6 +1651,7 @@ rm -rf %{buildroot}
 %{_datadir}/samba/setup
 %{_mandir}/man8/samba.8*
 %{_mandir}/man8/samba-tool.8*
+%{_mandir}/man8/samba_gpoupdate.8*
 %else # with_dc
 %doc packaging/README.dc
 %endif # with_dc
@@ -1644,6 +1664,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libprocess-model-samba4.so
 %{_libdir}/samba/libservice-samba4.so
 %dir %{_libdir}/samba/process_model
+%{_libdir}/samba/process_model/prefork.so
 %{_libdir}/samba/process_model/standard.so
 %dir %{_libdir}/samba/service
 %{_libdir}/samba/service/cldap.so
@@ -1981,6 +2002,10 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/ndr.py*
 %{python_sitearch}/samba/net.so
 %{python_sitearch}/samba/netbios.so
+%dir %{python_sitearch}/samba/emulate
+%{python_sitearch}/samba/emulate/__init__.py*
+%{python_sitearch}/samba/emulate/traffic.py*
+%{python_sitearch}/samba/emulate/traffic_packets.py*
 %dir %{python_sitearch}/samba/netcmd
 %{python_sitearch}/samba/netcmd/__init__.py*
 %{python_sitearch}/samba/netcmd/common.py*
@@ -2058,11 +2083,17 @@ rm -rf %{buildroot}
 %dir %{python_sitearch}/samba/web_server
 %{python_sitearch}/samba/web_server/__init__.py*
 
+%{python_sitearch}/samba/domain_update.py*
 %{python_sitearch}/samba/dckeytab.so
 %{python_sitearch}/samba/dnsserver.py*
 %{python_sitearch}/samba/drs_utils.py*
 %{python_sitearch}/samba/dsdb.so
 %{python_sitearch}/samba/dsdb_dns.so
+%{python_sitearch}/samba/forest_update.py*
+%{python_sitearch}/samba/gpclass.py*
+%{python_sitearch}/samba/gpo.so
+%{python_sitearch}/samba/ms_forest_updates_markdown.py*
+%{python_sitearch}/samba/ms_schema_markdown.py*
 %{python_sitearch}/samba/samdb.py*
 %{python_sitearch}/samba/schema.py*
 %endif
@@ -2081,8 +2112,13 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/auth_log_samlogon.py*
 %dir %{python_sitearch}/samba/tests/blackbox
 %{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/check_output.py*
 %{python_sitearch}/samba/tests/blackbox/ndrdump.py*
 %{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
 %{python_sitearch}/samba/tests/common.py*
 %{python_sitearch}/samba/tests/core.py*
 %{python_sitearch}/samba/tests/credentials.py*
@@ -2112,10 +2148,17 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/dns_wildcard.py*
 %{python_sitearch}/samba/tests/docs.py*
 %{python_sitearch}/samba/tests/dsdb.py*
+%{python_sitearch}/samba/tests/dsdb_lock.py*
 %{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
+%dir %{python_sitearch}/samba/tests/emulate
+%{python_sitearch}/samba/tests/emulate/__init__.py*
+%{python_sitearch}/samba/tests/emulate/traffic.py*
+%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+%{python_sitearch}/samba/tests/encrypted_secrets.py*
 %{python_sitearch}/samba/tests/gensec.py*
 %{python_sitearch}/samba/tests/get_opt.py*
 %{python_sitearch}/samba/tests/glue.py*
+%{python_sitearch}/samba/tests/graph.py*
 %{python_sitearch}/samba/tests/hostconfig.py*
 %{python_sitearch}/samba/tests/join.py*
 %dir %{python_sitearch}/samba/tests/kcc
@@ -2132,8 +2175,9 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/netcmd.py*
 %{python_sitearch}/samba/tests/netlogonsvc.py*
 %{python_sitearch}/samba/tests/ntacls.py*
-%{python_sitearch}/samba/tests/ntlmauth.py*
+%{python_sitearch}/samba/tests/ntlmdisabled.py*
 %{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
 %{python_sitearch}/samba/tests/param.py*
 %{python_sitearch}/samba/tests/password_hash.py*
 %{python_sitearch}/samba/tests/password_hash_fl2003.py*
@@ -2154,9 +2198,11 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/fsmo.py*
 %{python_sitearch}/samba/tests/samba_tool/gpo.py*
 %{python_sitearch}/samba/tests/samba_tool/group.py*
+%{python_sitearch}/samba/tests/samba_tool/help.py*
 %{python_sitearch}/samba/tests/samba_tool/join.py*
 %{python_sitearch}/samba/tests/samba_tool/ntacl.py*
 %{python_sitearch}/samba/tests/samba_tool/processes.py*
+%{python_sitearch}/samba/tests/samba_tool/provision_password_check.py*
 %{python_sitearch}/samba/tests/samba_tool/rodc.py*
 %{python_sitearch}/samba/tests/samba_tool/sites.py*
 %{python_sitearch}/samba/tests/samba_tool/timecmd.py*
@@ -2164,11 +2210,14 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py*
 %{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py*
 %{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
+%{python_sitearch}/samba/tests/samba_tool/visualize.py*
+%{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
 %{python_sitearch}/samba/tests/samdb.py*
 %{python_sitearch}/samba/tests/security.py*
 %{python_sitearch}/samba/tests/source.py*
 %{python_sitearch}/samba/tests/strings.py*
 %{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/tdb_util.py*
 %{python_sitearch}/samba/tests/unicodenames.py*
 %{python_sitearch}/samba/tests/upgrade.py*
 %{python_sitearch}/samba/tests/upgradeprovision.py*
@@ -2225,15 +2274,17 @@ rm -rf %{buildroot}
 %defattr(-,root,root)
 %{_bindir}/ntlm_auth
 %{_bindir}/wbinfo
+%{_libdir}/samba/krb5/winbind_krb5_localauth.so
 %{_mandir}/man1/ntlm_auth.1.gz
 %{_mandir}/man1/wbinfo.1*
+%{_mandir}/man8/winbind_krb5_localauth.8*
 
 ### WINBIND-KRB5-LOCATOR
 %files winbind-krb5-locator
 %defattr(-,root,root)
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-%{_libdir}/winbind_krb5_locator.so
-%{_mandir}/man7/winbind_krb5_locator.7*
+%{_libdir}/samba/krb5/winbind_krb5_locator.so
+%{_mandir}/man8/winbind_krb5_locator.8*
 
 ### WINBIND-MODULES
 %files winbind-modules
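Review bot: The new `%{_libdir}/samba/krb5/winbind_krb5_localauth.so` entry in the winbind-clients list has no comment on how the plugin is activated. Unlike the locator plugin below it, no link into `%{_libdir}/krb5/plugins/` is created in the visible scriptlets. As far as this hunk shows, the module therefore stays inert until an administrator enables it in the `[plugins]` `localauth` section of krb5.conf. Because a localauth module decides which local account a Kerberos principal maps to, that opt-in is worth stating next to the entry, for example `# not enabled by default; configure via [plugins] localauth in krb5.conf, see winbind_krb5_localauth(8)`.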
@@ -2369,7 +2420,11 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/pkt_read_test
 %{_libexecdir}/ctdb/tests/pkt_write_test
 %{_libexecdir}/ctdb/tests/porting_tests
-%{_libexecdir}/ctdb/tests/protocol_client_test
+%{_libexecdir}/ctdb/tests/protocol_basic_test
+%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test
+%{_libexecdir}/ctdb/tests/protocol_ctdb_test
+%{_libexecdir}/ctdb/tests/protocol_event_test
+%{_libexecdir}/ctdb/tests/protocol_types_compat_test
 %{_libexecdir}/ctdb/tests/protocol_types_test
 %{_libexecdir}/ctdb/tests/protocol_util_test
 %{_libexecdir}/ctdb/tests/rb_test
@@ -2381,6 +2436,8 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/srvid_test
 %{_libexecdir}/ctdb/tests/test_mutex_raw
 %{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/tunnel_cmd
+%{_libexecdir}/ctdb/tests/tunnel_test
 %{_libexecdir}/ctdb/tests/update_record
 %{_libexecdir}/ctdb/tests/update_record_persistent
 
@@ -2397,6 +2454,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
 %{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
 %{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
+%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
+%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
 %{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
 %{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
 %{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
@@ -2420,7 +2479,11 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
 %{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
 %{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_102.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
 %{_datadir}/ctdb/tests/cunit/rb_test_001.sh
 %{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
 %{_datadir}/ctdb/tests/cunit/run_event_001.sh
@@ -2498,6 +2561,10 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.013.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
@@ -2524,10 +2591,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.012.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.013.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
@@ -2581,13 +2644,28 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
 %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
@@ -2723,7 +2801,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
 
 %dir %{_datadir}/ctdb/tests/onnode
-%{_datadir}/ctdb/tests/onnode/README
 %{_datadir}/ctdb/tests/onnode/0001.sh
 %{_datadir}/ctdb/tests/onnode/0002.sh
 %{_datadir}/ctdb/tests/onnode/0003.sh
@@ -2742,7 +2819,6 @@ rm -rf %{buildroot}
 
 %dir %{_datadir}/ctdb/tests/onnode/stubs
 %{_datadir}/ctdb/tests/onnode/stubs/ctdb
-%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
 %{_datadir}/ctdb/tests/onnode/stubs/ssh
 
 %dir %{_datadir}/ctdb/tests/scripts
@@ -2817,6 +2893,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
 %{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
 %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
+%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
 %{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
 %{_datadir}/ctdb/tests/simple/functions
 # This is a dangling symlink but needed for testing
@@ -2863,6 +2940,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/takeover/lcp2.032.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.033.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.034.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.035.sh
 %{_datadir}/ctdb/tests/takeover/nondet.001.sh
 %{_datadir}/ctdb/tests/takeover/nondet.002.sh
 %{_datadir}/ctdb/tests/takeover/nondet.003.sh
@@ -2927,11 +3005,9 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
 %{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
@@ -2941,7 +3017,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
@@ -3045,17 +3120,49 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
-* Wed Jul 04 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-9
-- related: #1581375 - Remove patch which doesn't fully work
+* Thu Aug 09 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-4
+- resolves: #1614132 - Fix delete-on-close after smb2_find
+- resolves: #1614265 - Fix CVE-2018-1139
+- resolves: #1614269 - Fix CVE-2018-10858
+
+* Fri Jul 06 2018 Justin Stephenson <jstephen@redhat.com> - 4.8.3-3
+- resolves: #1581016 - Add smbclient quiet argument
+
+* Thu Jul 05 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-2
+- related: #1538743 - Fix local user account lookup with winbind
+
+* Wed Jun 27 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-1
+- related: #1558560 - Rebase to Samba version 4.8.3
+- resolves: #1579398 - Add winbind localauth krb5 plugin
+
+* Wed Jun 13 2018 Andreas Schneider <asn@redhat.com> - 4.8.2-2
+- resolves: #1540457 - Fixed support for authenticaton on on way trusts
+
+* Mon Jun 11 2018 Andreas Schneider <asn@redhat.com> - 4.8.2-1
+- related: #1558560 - Rebase to newer Samba version
+
+* Wed May 30 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-4
+- resolves: #1582541 - Fix anonymous auth with SMB2/3
+
+* Tue May 22 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-3
+- resolves: #1575205 - Fix segfault when updating DNS with 'net ads join'
+- resolves: #1525511 - Fix idmap_rid dependency on trusted domain list
+
+* Wed May 16 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-2
+- resolves: #1538743 - Fix UPN handling in winbind
+
+* Fri Apr 27 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-1
+- related: #1558560 - Rebase to newer Samba version
+- resolves: #1567896 - Fix possible crash if secrets db is emtpy
+- resolves: #1570020 - Fix a crash in smbd when dfsgetinfo is called
 
-* Mon May 28 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-8
-- resolves: #1582541 - Fix anyoumous and guest handling of SMB2/3
+* Thu Apr 12 2018 Andreas Schneider <asn@redhat.com> - 4.8.0-1
+- resolves: #1558560 - Rebase to newer Samba version
+- resolves: #1558943 - Fix winbind requests getting stuck on a child
+- resolves: #1532618 - Fix segfault with NT1 connections in smbd
 
-* Wed May 23 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-7
-- resolves: #1581369 - Fix segfault updating dns during 'net ads join'
-- resolves: #1581373 - Fix segfault during NT1 session setup
-- resolves: #1581376 - Fix segfault in keytab handling
-- resolves: #1581377 - Fix segfault in smbclient dfsgetinfo
+* Fri Mar 09 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-7
+- resolves: #1552004 - Fix CVE-2018-1050
 
 * Wed Dec 20 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-6
 - resolves: #1476153 - Handle SMB echo responses more gracefully