diff --git a/.gitignore b/.gitignore
index e6501c9..d0d9bc1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-SOURCES/samba-4.7.1.tar.xz
+SOURCES/samba-4.8.3.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index 44641bf..c121f9a 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1,2 +1,2 @@
 6bf33724c18b74427453f0e3fc0180f84ff60818 SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
-3c58fef85ceff87968b9e79c665e861f5442f0f1 SOURCES/samba-4.7.1.tar.xz
+ee51f44b1b61cb189f0145b477300d4d58b1dff6 SOURCES/samba-4.8.3.tar.xz
diff --git a/SOURCES/CVE-2017-14746.patch b/SOURCES/CVE-2017-14746.patch
deleted file mode 100644
index d33d24d..0000000
--- a/SOURCES/CVE-2017-14746.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 19 Sep 2017 16:11:33 -0700 -Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When setting up the chain, always use 'next->' variables -not the 'req->' one. - -Bug discovered by 连一汉 - -CVE-2017-14746 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 - -Signed-off-by: Jeremy Allison ---- - source3/smbd/process.c | 7 ++++--- - source3/smbd/reply.c | 5 +++++ - 2 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/source3/smbd/process.c b/source3/smbd/process.c -index b65ae2c1b1c..9b2b0a669a2 100644 ---- a/source3/smbd/process.c -+++ b/source3/smbd/process.c -@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req) - - next->vuid = SVAL(req->outbuf, smb_uid); - next->tid = SVAL(req->outbuf, smb_tid); -- status = smb1srv_tcon_lookup(req->xconn, req->tid, -+ status = smb1srv_tcon_lookup(req->xconn, next->tid, - now, &tcon); -+ - if (NT_STATUS_IS_OK(status)) { -- req->conn = tcon->compat; -+ next->conn = tcon->compat; - } else { -- req->conn = NULL; -+ next->conn = NULL; - } - next->chain_fsp = req->chain_fsp; - next->inbuf = req->inbuf; -diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c -index 7b07078249b..81acedf0413 100644 ---- a/source3/smbd/reply.c -+++ b/source3/smbd/reply.c -@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req) - } - - TALLOC_FREE(tcon); -+ /* -+ * This tree id is gone. Make sure we can't re-use it -+ * by accident. -+ */ -+ req->tid = 0; - } - - if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) { --- -2.14.2.920.gcf0c67979c-goog - diff --git a/SOURCES/CVE-2017-15275.patch b/SOURCES/CVE-2017-15275.patch deleted file mode 100644 index f0510f9..0000000 --- a/SOURCES/CVE-2017-15275.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 20 Sep 2017 11:04:50 -0700 -Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when - talloc buffer is grown. - -Ensure we zero out unused grown area. - -CVE-2017-15275 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 - -Signed-off-by: Jeremy Allison ---- - source3/smbd/srvstr.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c -index 56dceba8c6c..c2d70b32c32 100644 ---- a/source3/smbd/srvstr.c -+++ b/source3/smbd/srvstr.c -@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags) - DEBUG(0, ("srvstr_push failed\n")); - return -1; - } -+ -+ /* -+ * Ensure we clear out the extra data we have -+ * grown the buffer by, but not written to. -+ */ -+ if (buf_size + result < buf_size) { -+ return -1; -+ } -+ if (grow_size < result) { -+ return -1; -+ } -+ -+ memset(tmp + buf_size + result, '\0', grow_size - result); -+ - set_message_bcc((char *)tmp, smb_buflen(tmp) + result); - - *outbuf = tmp; --- -2.14.2.920.gcf0c67979c-goog - diff --git a/SOURCES/CVE-2018-10858.patch b/SOURCES/CVE-2018-10858.patch new file mode 100644 index 0000000..03d7718 --- /dev/null +++ b/SOURCES/CVE-2018-10858.patch 
@@ -0,0 +1,199 @@ +From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 15 Jun 2018 15:07:17 -0700 +Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in + buffer. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 + +CVE-2018-10858: Insufficient input validation on client directory + listing in libsmbclient. + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +--- + source3/libsmb/libsmb_path.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c +index 01b0a61e483..ed70ab37550 100644 +--- a/source3/libsmb/libsmb_path.c ++++ b/source3/libsmb/libsmb_path.c +@@ -173,8 +173,13 @@ smbc_urlencode(char *dest, + } + } + +- *dest++ = '\0'; +- max_dest_len--; ++ if (max_dest_len == 0) { ++ /* Ensure we return -1 if no null termination. */ ++ return -1; ++ } ++ ++ *dest++ = '\0'; ++ max_dest_len--; + + return max_dest_len; + } +-- +2.11.0 + + +From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 15 Jun 2018 15:08:17 -0700 +Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns + from malicious servers. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 + +CVE-2018-10858: Insufficient input validation on client directory + listing in libsmbclient. 
+ +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme +--- + source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------ + source3/libsmb/libsmb_path.c | 2 +- + 2 files changed, 51 insertions(+), 8 deletions(-) + +diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c +index 72441c46736..54c2bcb3c73 100644 +--- a/source3/libsmb/libsmb_dir.c ++++ b/source3/libsmb/libsmb_dir.c +@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context, + + } + +-static void ++static int + smbc_readdir_internal(SMBCCTX * context, + struct smbc_dirent *dest, + struct smbc_dirent *src, + int max_namebuf_len) + { + if (smbc_getOptionUrlEncodeReaddirEntries(context)) { ++ int remaining_len; + + /* url-encode the name. get back remaining buffer space */ +- max_namebuf_len = ++ remaining_len = + smbc_urlencode(dest->name, src->name, max_namebuf_len); + ++ /* -1 means no null termination. */ ++ if (remaining_len < 0) { ++ return -1; ++ } ++ + /* We now know the name length */ + dest->namelen = strlen(dest->name); + ++ if (dest->namelen + 1 < 1) { ++ /* Integer wrap. */ ++ return -1; ++ } ++ ++ if (dest->namelen + 1 >= max_namebuf_len) { ++ /* Out of space for comment. */ ++ return -1; ++ } ++ + /* Save the pointer to the beginning of the comment */ + dest->comment = dest->name + dest->namelen + 1; + ++ if (remaining_len < 1) { ++ /* No room for comment null termination. */ ++ return -1; ++ } ++ + /* Copy the comment */ +- strncpy(dest->comment, src->comment, max_namebuf_len - 1); +- dest->comment[max_namebuf_len - 1] = '\0'; ++ strlcpy(dest->comment, src->comment, remaining_len); + + /* Save other fields */ + dest->smbc_type = src->smbc_type; +@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context, + } else { + + /* No encoding. Just copy the entry as is. 
*/ ++ if (src->dirlen > max_namebuf_len) { ++ return -1; ++ } + memcpy(dest, src, src->dirlen); ++ if (src->namelen + 1 < 1) { ++ /* Integer wrap */ ++ return -1; ++ } ++ if (src->namelen + 1 >= max_namebuf_len) { ++ /* Comment off the end. */ ++ return -1; ++ } + dest->comment = (char *)(&dest->name + src->namelen + 1); + } +- ++ return 0; + } + + /* +@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context, + SMBCFILE *dir) + { + int maxlen; ++ int ret; + struct smbc_dirent *dirp, *dirent; + TALLOC_CTX *frame = talloc_stackframe(); + +@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context, + dirp = &context->internal->dirent; + maxlen = sizeof(context->internal->_dirent_name); + +- smbc_readdir_internal(context, dirp, dirent, maxlen); ++ ret = smbc_readdir_internal(context, dirp, dirent, maxlen); ++ if (ret == -1) { ++ errno = EINVAL; ++ TALLOC_FREE(frame); ++ return NULL; ++ } + + dir->dir_next = dir->dir_next->next; + +@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context, + */ + + while ((dirlist = dir->dir_next)) { ++ int ret; + struct smbc_dirent *dirent; + struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir; + +@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context, + /* Do urlencoding of next entry, if so selected */ + dirent = &context->internal->dirent; + maxlen = sizeof(context->internal->_dirent_name); +- smbc_readdir_internal(context, dirent, ++ ret = smbc_readdir_internal(context, dirent, + dirlist->dirent, maxlen); ++ if (ret == -1) { ++ errno = EINVAL; ++ TALLOC_FREE(frame); ++ return -1; ++ } + + reqd = dirent->dirlen; + +diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c +index ed70ab37550..5b53b386a67 100644 +--- a/source3/libsmb/libsmb_path.c ++++ b/source3/libsmb/libsmb_path.c +@@ -173,7 +173,7 @@ smbc_urlencode(char *dest, + } + } + +- if (max_dest_len == 0) { ++ if (max_dest_len <= 0) { + /* Ensure we return -1 if no null termination. */ + return -1; + } +-- +2.11.0 + 
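Review bot: In the no-encoding branch of smbc_readdir_internal the comment pointer is bounded only against the buffer size (`src->namelen + 1 >= max_namebuf_len`), not against the `src->dirlen` bytes the preceding memcpy actually copied, so a server-supplied namelen that is smaller than the buffer but larger than the entry leaves `dest->comment` pointing at whatever an earlier entry left in the reused `context->internal->dirent` buffer rather than at this entry's comment. Also rejecting `src->namelen + 1 >= src->dirlen - offsetof(struct smbc_dirent, name)` (assuming dirlen counts the header, the struct is not visible here) would keep the comment inside the copied data. Separately, `&dest->name + src->namelen + 1` advances in units of `sizeof(dest->name)`, which is one byte only if `name` is declared as a one-element array; `dest->name + src->namelen + 1` says what is meant and matches the encoding branch. Both SMBC_readdir_ctx and SMBC_getdents_ctx now return an error without advancing `dir->dir_next`, so a retrying caller hits the same rejected entry again; if failing the whole listing is the intent, a one-line comment at the `errno = EINVAL;` sites saying so would help.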
diff --git a/SOURCES/CVE-2018-1139.patch b/SOURCES/CVE-2018-1139.patch
new file mode 100644
index 0000000..77774ec
--- /dev/null
+++ b/SOURCES/CVE-2018-1139.patch
@@ -0,0 +1,753 @@ +From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Thu, 22 Feb 2018 11:54:45 +1300 +Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set + with_cmocka flag + +We have cmocka in third_party, so we are never without it. + +Signed-off-by: Douglas Bagnall +Reviewed-by: Andrew Bartlett + +(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6 +by Andrew Bartlett) +--- + selftest/tests.py | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/selftest/tests.py b/selftest/tests.py +index 126e1184230..3f5097b680c 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -38,7 +38,6 @@ finally: + f.close() + + have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) +-with_cmocka = ("HAVE_CMOCKA" in config_hash) + with_pam = ("WITH_PAM" in config_hash) + pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"] + +@@ -168,13 +167,12 @@ if with_pam: + valgrindify(python), pam_wrapper_so_path, + "$DOMAIN", "alice", "Secret007"]) + +-if with_cmocka: +- plantestsuite("samba.unittests.krb5samba", "none", +- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) +- plantestsuite("samba.unittests.sambafs_srv_pipe", "none", +- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) +- plantestsuite("samba.unittests.lib_util_modules", "none", +- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) ++plantestsuite("samba.unittests.krb5samba", "none", ++ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) ++plantestsuite("samba.unittests.sambafs_srv_pipe", "none", ++ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) ++plantestsuite("samba.unittests.lib_util_modules", "none", ++ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) + +- plantestsuite("samba.unittests.smb1cli_session", "none", +- 
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) ++plantestsuite("samba.unittests.smb1cli_session", "none", ++ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) +-- +2.14.4 + + +From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 27 Jul 2018 08:44:24 +1200 +Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for + ntlm_password_check() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 + +Signed-off-by: Andrew Bartlett +--- + libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++ + libcli/auth/wscript_build | 13 ++ + selftest/knownfail.d/ntlm | 2 + + selftest/tests.py | 2 + + 4 files changed, 430 insertions(+) + create mode 100644 libcli/auth/tests/ntlm_check.c + create mode 100644 selftest/knownfail.d/ntlm + +diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c +new file mode 100644 +index 00000000000..e87a0a276d4 +--- /dev/null ++++ b/libcli/auth/tests/ntlm_check.c +@@ -0,0 +1,413 @@ ++/* ++ * Unit tests for the ntlm_check password hash check library. ++ * ++ * Copyright (C) Andrew Bartlett 2018 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . ++ * ++ */ ++ ++/* ++ * from cmocka.c: ++ * These headers or their equivalents should be included prior to ++ * including ++ * this header file. 
++ * ++ * #include ++ * #include ++ * #include ++ * ++ * This allows test applications to use custom definitions of C standard ++ * library functions and types. ++ * ++ */ ++ ++/* ++ * Note that the messaging routines (audit_message_send and get_event_server) ++ * are not tested by these unit tests. Currently they are for integration ++ * test support, and as such are exercised by the integration tests. ++ */ ++#include ++#include ++#include ++#include ++ ++#include "includes.h" ++#include "../lib/crypto/crypto.h" ++#include "librpc/gen_ndr/netlogon.h" ++#include "libcli/auth/libcli_auth.h" ++#include "auth/credentials/credentials.h" ++ ++struct ntlm_state { ++ const char *username; ++ const char *domain; ++ DATA_BLOB challenge; ++ DATA_BLOB ntlm; ++ DATA_BLOB lm; ++ DATA_BLOB ntlm_key; ++ DATA_BLOB lm_key; ++ const struct samr_Password *nt_hash; ++}; ++ ++static int test_ntlm_setup_with_options(void **state, ++ int flags, bool upn) ++{ ++ NTSTATUS status; ++ DATA_BLOB challenge = { ++ .data = discard_const_p(uint8_t, "I am a teapot"), ++ .length = 8 ++ }; ++ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state); ++ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state, ++ NULL, ++ "serverdom"); ++ struct cli_credentials *creds = cli_credentials_init(ntlm_state); ++ cli_credentials_set_username(creds, ++ "testuser", ++ CRED_SPECIFIED); ++ cli_credentials_set_domain(creds, ++ "testdom", ++ CRED_SPECIFIED); ++ cli_credentials_set_workstation(creds, ++ "testwksta", ++ CRED_SPECIFIED); ++ cli_credentials_set_password(creds, ++ "testpass", ++ CRED_SPECIFIED); ++ ++ if (upn) { ++ cli_credentials_set_principal(creds, ++ "testuser@samba.org", ++ CRED_SPECIFIED); ++ } ++ ++ cli_credentials_get_ntlm_username_domain(creds, ++ ntlm_state, ++ &ntlm_state->username, ++ &ntlm_state->domain); ++ ++ status = cli_credentials_get_ntlm_response(creds, ++ ntlm_state, ++ &flags, ++ challenge, ++ NULL, ++ target_info, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ 
&ntlm_state->lm_key, ++ &ntlm_state->ntlm_key); ++ ntlm_state->challenge = challenge; ++ ++ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds, ++ ntlm_state); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ return -1; ++ } ++ ++ *state = ntlm_state; ++ return 0; ++} ++ ++static int test_ntlm_setup(void **state) { ++ return test_ntlm_setup_with_options(state, 0, false); ++} ++ ++static int test_ntlm_and_lm_setup(void **state) { ++ return test_ntlm_setup_with_options(state, ++ CLI_CRED_LANMAN_AUTH, ++ false); ++} ++ ++static int test_ntlm2_setup(void **state) { ++ return test_ntlm_setup_with_options(state, ++ CLI_CRED_NTLM2, ++ false); ++} ++ ++static int test_ntlmv2_setup(void **state) { ++ return test_ntlm_setup_with_options(state, ++ CLI_CRED_NTLMv2_AUTH, ++ false); ++} ++ ++static int test_ntlm_teardown(void **state) ++{ ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ TALLOC_FREE(ntlm_state); ++ *state = NULL; ++ return 0; ++} ++ ++static void test_ntlm_allowed(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_ON, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); ++} ++ ++static void test_ntlm_allowed_lm_supplied(void **state) ++{ ++ return test_ntlm_allowed(state); ++} ++ ++static void test_ntlm_disabled(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_DISABLED, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, 
++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED)); ++} ++ ++static void test_ntlm2(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_ON, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ /* ++ * NTLM2 session security (where the real challenge is the ++ * MD5(challenge, client-challenge) (in the first 8 bytes of ++ * the lm) isn't decoded by ntlm_password_check(), it must ++ * first be converted back into normal NTLM by the NTLMSSP ++ * layer ++ */ ++ assert_int_equal(NT_STATUS_V(status), ++ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); ++} ++ ++static void test_ntlm_mschapv2_only_allowed(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, ++ MSV1_0_ALLOW_MSVCHAPV2, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); ++} ++ ++static void test_ntlm_mschapv2_only_denied(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ 
NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), ++ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); ++} ++ ++static void test_ntlmv2_only_ntlmv2(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_NTLMV2_ONLY, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); ++} ++ ++static void test_ntlmv2_only_ntlm(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_NTLMV2_ONLY, ++ 0, ++ &ntlm_state->challenge, ++ &ntlm_state->lm, ++ &ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), ++ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); ++} ++ ++static void test_ntlmv2_only_ntlm_and_lanman(void **state) ++{ ++ return test_ntlmv2_only_ntlm(state); ++} ++ ++static void test_ntlmv2_only_ntlm_once(void **state) ++{ ++ DATA_BLOB user_sess_key, lm_sess_key; ++ struct ntlm_state *ntlm_state ++ = talloc_get_type_abort(*state, ++ struct ntlm_state); ++ NTSTATUS status; ++ status = ntlm_password_check(ntlm_state, ++ false, ++ NTLM_AUTH_NTLMV2_ONLY, ++ 0, ++ &ntlm_state->challenge, ++ &data_blob_null, ++ 
&ntlm_state->ntlm, ++ ntlm_state->username, ++ ntlm_state->username, ++ ntlm_state->domain, ++ NULL, ++ ntlm_state->nt_hash, ++ &user_sess_key, ++ &lm_sess_key); ++ ++ assert_int_equal(NT_STATUS_V(status), ++ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); ++} ++ ++int main(int argc, const char **argv) ++{ ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test_setup_teardown(test_ntlm_allowed, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied, ++ test_ntlm_and_lm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlm_disabled, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlm2, ++ test_ntlm2_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman, ++ test_ntlm_and_lm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once, ++ test_ntlm_setup, ++ test_ntlm_teardown), ++ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2, ++ test_ntlmv2_setup, ++ test_ntlm_teardown) ++ }; ++ ++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); ++ return cmocka_run_group_tests(tests, NULL, NULL); ++} +diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build +index 475b7d69406..d319d9b879e 100644 +--- a/libcli/auth/wscript_build ++++ b/libcli/auth/wscript_build +@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS', + bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE', + source='spnego_parse.c', + deps='asn1util') ++ ++bld.SAMBA_BINARY( ++ 'test_ntlm_check', ++ source='tests/ntlm_check.c', ++ deps=''' ++ NTLM_CHECK ++ CREDENTIALS_NTLM ++ samba-credentials ++ cmocka ++ talloc ++ ''', 
++ install=False ++ ) +diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm +new file mode 100644 +index 00000000000..c6e6a3739ba +--- /dev/null ++++ b/selftest/knownfail.d/ntlm +@@ -0,0 +1,2 @@ ++^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied ++^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( +diff --git a/selftest/tests.py b/selftest/tests.py +index 3f5097b680c..dc6486c13f8 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none", + + plantestsuite("samba.unittests.smb1cli_session", "none", + [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) ++plantestsuite("samba.unittests.ntlm_check", "none", ++ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) +-- +2.14.4 + + +From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 14 Mar 2018 15:36:05 +0100 +Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in + hash_password_check() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 + +CVE-2018-1139: Weak authentication protocol allowed. 
+ +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + libcli/auth/ntlm_check.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c +index 3b02adc1d48..1c6499bd210 100644 +--- a/libcli/auth/ntlm_check.c ++++ b/libcli/auth/ntlm_check.c +@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, + const struct samr_Password *stored_nt) + { + if (stored_nt == NULL) { +- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", ++ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n", + username)); + } + +@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, + if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) { + return NT_STATUS_OK; + } else { +- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", ++ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } + + } else if (client_lanman && stored_lanman) { + if (!lanman_auth) { +- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", ++ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } +@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, + if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) { + return NT_STATUS_OK; + } else { +- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n", ++ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n", + username)); + return NT_STATUS_WRONG_PASSWORD; + } +-- +2.14.4 + + +From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 
2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 14 Mar 2018 15:35:01 +0100 +Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in + ntlm_password_check(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 + +CVE-2018-1139: Weak authentication protocol allowed. + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/utils/ntlm_auth.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 3f544902a24..8f77680416f 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context, + *pauthoritative = 1; + + nt_status = ntlm_password_check(mem_ctx, +- true, true, 0, ++ true, NTLM_AUTH_ON, 0, + &auth4_context->challenge.data, + &user_info->password.response.lanman, + &user_info->password.response.nt, +@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod + + nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); + nt_status = ntlm_password_check(mem_ctx, +- true, true, 0, ++ true, ++ NTLM_AUTH_ON, ++ 0, + &challenge, + &lm_response, + &nt_response, +-- +2.14.4 + + +From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Fri, 16 Mar 2018 17:25:12 +0100 +Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used + via SMB1 when it is disabled. + +Right now, this test will succeed. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 + +CVE-2018-1139: Weak authentication protocol allowed. 
+ +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + source3/selftest/tests.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py +index 9092c1776c8..034c014e5b8 100755 +--- a/source3/selftest/tests.py ++++ b/source3/selftest/tests.py +@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb + plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) + plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) + +-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]: ++for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]: + for env in ["nt4_member", "ad_member"]: + plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) + plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options]) +-- +2.14.4 + + +From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 13 Mar 2018 16:56:20 +0100 +Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 + when it is 
disabled via "ntlm auth". + +This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. + +Found by Vivek Das (Red Hat QE). + +In order to demonstrate simply run: + +smbclient //server/share -U user%password -mNT1 -c quit \ +--option="client ntlmv2 auth"=no \ +--option="client use spnego"=no + +against a server that uses "ntlm auth = ntlmv2-only" (our default +setting). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 + +CVE-2018-1139: Weak authentication protocol allowed. + +Guenther + +Pair-Programmed-With: Stefan Metzmacher +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +--- + libcli/auth/ntlm_check.c | 2 +- + selftest/knownfail | 3 ++- + selftest/knownfail.d/ntlm | 2 -- + 3 files changed, 3 insertions(+), 4 deletions(-) + delete mode 100644 selftest/knownfail.d/ntlm + +diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c +index 1c6499bd210..b68e9c87888 100644 +--- a/libcli/auth/ntlm_check.c ++++ b/libcli/auth/ntlm_check.c +@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, + - I think this is related to Win9X pass-though authentication + */ + DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n")); +- if (ntlm_auth) { ++ if (ntlm_auth == NTLM_AUTH_ON) { + if (smb_pwd_check_ntlmv1(mem_ctx, + lm_response, + stored_nt->hash, challenge, +diff --git a/selftest/knownfail b/selftest/knownfail +index ba16fd72290..84776d4f35d 100644 +--- a/selftest/knownfail ++++ b/selftest/knownfail +@@ -303,8 +303,9 @@ + ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\) + # fl2000dc doesn't support AES + ^samba4.krb5.kdc.*as-req-aes.*fl2000dc +-# nt4_member and ad_member don't support ntlmv1 ++# nt4_member and ad_member don't support ntlmv1 (not even over SMB1) + ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user ++^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user + #nt-vfs server 
blocks read with execute access + ^samba4.smb2.read.access + #ntvfs server blocks copychunk with execute access on read handle +diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm +deleted file mode 100644 +index c6e6a3739ba..00000000000 +--- a/selftest/knownfail.d/ntlm ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied +-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( +-- +2.14.4 + diff --git a/SOURCES/samba-4.7-fix_aesni_intel_support.patch b/SOURCES/samba-4.7-fix_aesni_intel_support.patch deleted file mode 100644 index 9e37d86..0000000 --- a/SOURCES/samba-4.7-fix_aesni_intel_support.patch +++ /dev/null 
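Review bot: The fix in ntlm_password_check replaces a single truthiness test with `if (ntlm_auth == NTLM_AUTH_ON)`, and patch 4 illustrates the hazard that let it go unnoticed: `true` was being passed where `enum ntlm_auth_level` is expected and C accepts that silently, which is presumably also why `if (ntlm_auth)` kept compiling after the parameter became an enum and treated the non-zero `NTLM_AUTH_NTLMV2_ONLY` as "NTLMv1 allowed". Any other `if (ntlm_auth)` or `!ntlm_auth` in the rest of ntlm_password_check (the function body lies outside this hunk) would carry the same defect; a comment at the changed line such as `/* ntlm_auth is an enum, never a bool: only NTLM_AUTH_ON permits an NTLMv1 response here */` would stop the pattern from coming back. In the new test file, test_ntlm_setup_with_options returns -1 when `cli_credentials_get_ntlm_response` fails without freeing `ntlm_state`, and neither the `talloc` nor the `cli_credentials_init` result is NULL-checked; `TALLOC_FREE(ntlm_state);` before that `return -1;` and a NULL check after `talloc` would keep a setup failure from leaking or dereferencing NULL.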
@@ -1,72 +0,0 @@ -From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= -Date: Mon, 4 Dec 2017 10:49:19 +0100 -Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z - noexecstack -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174 - -Signed-off-by: Björn Baumbach -Reviewed-by: Andreas Schneider ---- - third_party/aesni-intel/wscript | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript -index eb92d6626fe..0ccd9eb1e5b 100644 ---- a/third_party/aesni-intel/wscript -+++ b/third_party/aesni-intel/wscript -@@ -12,6 +12,8 @@ def configure(conf): - raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU') - else: - raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm') -+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'): -+ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack') - - def build(bld): - if not bld.CONFIG_SET('HAVE_AESNI_INTEL'): -@@ -20,4 +22,5 @@ def build(bld): - bld.SAMBA_LIBRARY('aesni-intel', - source='aesni-intel_asm.c', - cflags='-Wp,-E,-lang-asm', -+ ldflags='-Wl,-z,noexecstack', - private_library=True) --- -2.15.0 - - -From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 4 Dec 2017 11:00:10 +0100 -Subject: [PATCH 2/2] third_party: Fix a typo in the option name - -Signed-off-by: Andreas Schneider ---- - third_party/aesni-intel/wscript | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript -index 0ccd9eb1e5b..f0723a52501 100644 ---- a/third_party/aesni-intel/wscript -+++ b/third_party/aesni-intel/wscript -@@ -9,11 +9,11 @@ def configure(conf): - print("Compiling with Intel AES 
instructions") - conf.DEFINE('HAVE_AESNI_INTEL', 1) - else: -- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU') -+ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU') - else: -- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm') -+ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm') - if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'): -- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack') -+ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack') - - def build(bld): - if not bld.CONFIG_SET('HAVE_AESNI_INTEL'): --- -2.15.0 - diff --git a/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch b/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch deleted file mode 100644 index 6a4fa39..0000000 --- a/SOURCES/samba-4.7-fix_dns_segfault_during_net_ads_join.patch +++ /dev/null @@ -1,30 +0,0 @@ -From e3f491fde52c3c7f31b0137125cb0ab1d5721f87 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 17 May 2018 11:53:18 +0200 -Subject: [PATCH] s3:utils: Do not segfault on error in DoDNSUpdate() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13440 - -Signed-off-by: Andreas Schneider -Reviewed-by: Volker Lendecke - -(cherry picked from commit cdd98aa1e2116fb97e16718d115ee883fe1bc8ba) ---- - source3/utils/net_dns.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c -index d972a5d4bad..9ee856c0059 100644 ---- a/source3/utils/net_dns.c -+++ b/source3/utils/net_dns.c -@@ -75,6 +75,7 @@ DNS_ERROR DoDNSUpdate(char *pszServerName, - - if (!ERR_DNS_IS_OK(err)) { - DEBUG(3,("DoDNSUpdate: failed to probe DNS\n")); -+ goto error; - } - - if ((dns_response_code(resp->flags) == DNS_NO_ERROR) && --- -2.16.3 - 
diff --git a/SOURCES/samba-4.7-fix_samba_with_systemd.patch b/SOURCES/samba-4.7-fix_samba_with_systemd.patch
deleted file mode 100644
index a12f130..0000000
--- a/SOURCES/samba-4.7-fix_samba_with_systemd.patch
+++ /dev/null
@@ -1,313 +0,0 @@ -From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Mon, 21 Aug 2017 15:12:04 +1200 -Subject: [PATCH 1/4] s4/smbd: set the process group. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Set the process group in the samba daemon, the --no-process-group option -allows this to be disabled. The no-process-group option needs to be -disabled in self test. - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144 ---- - selftest/target/Samba4.pm | 2 +- - source4/smbd/server.c | 18 +++++++++++++++++- - 2 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index 772f982cb9d..6a1856ef642 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -158,7 +158,7 @@ sub check_or_start($$$) - close($env_vars->{STDIN_PIPE}); - open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!"; - -- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!"); -+ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!"); - } - $env_vars->{SAMBA_PID} = $pid; - print "DONE ($pid)\n"; -diff --git a/source4/smbd/server.c b/source4/smbd/server.c -index a8bad06bed3..ba520e0a8f5 100644 ---- a/source4/smbd/server.c -+++ b/source4/smbd/server.c -@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name, - { - bool opt_daemon = false; - bool opt_interactive = false; -+ bool opt_no_process_group = false; - int opt; - poptContext pc; - #define 
_MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *); -@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name, - OPT_DAEMON = 1000, - OPT_INTERACTIVE, - OPT_PROCESS_MODEL, -- OPT_SHOW_BUILD -+ OPT_SHOW_BUILD, -+ OPT_NO_PROCESS_GROUP, - }; - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name, - "till autotermination", "seconds"}, - {"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD, - "show build info", NULL }, -+ {"no-process-group", '\0', POPT_ARG_NONE, NULL, -+ OPT_NO_PROCESS_GROUP, "Don't create a new process group" }, - POPT_COMMON_SAMBA - POPT_COMMON_VERSION - { NULL } -@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name, - case OPT_SHOW_BUILD: - show_build(); - break; -+ case OPT_NO_PROCESS_GROUP: -+ opt_no_process_group = true; -+ break; - default: - fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); -@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name, - stdin_event_flags = 0; - } - -+#if HAVE_SETPGID -+ /* -+ * If we're interactive we want to set our own process group for -+ * signal management, unless --no-process-group specified. 
-+ */ -+ if (opt_interactive && !opt_no_process_group) -+ setpgid((pid_t)0, (pid_t)0); -+#endif -+ - /* catch EOF on stdin */ - #ifdef SIGTTIN - signal(SIGTTIN, SIG_IGN); --- -2.15.0 - - -From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 15 Nov 2017 10:00:52 +0100 -Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett -(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209) ---- - source4/smbd/server.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source4/smbd/server.c b/source4/smbd/server.c -index ba520e0a8f5..406f79593b9 100644 ---- a/source4/smbd/server.c -+++ b/source4/smbd/server.c -@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx) - { - char *path; - TALLOC_CTX *mem_ctx = talloc_new(NULL); -+ if (mem_ctx == NULL) { -+ exit_daemon("Failed to create memory context", -+ ENOMEM); -+ } - - path = smbd_tmp_path(mem_ctx, lp_ctx, NULL); -+ if (path == NULL) { -+ exit_daemon("Failed to cleanup temporary files", -+ EINVAL); -+ } - - recursive_delete(path); - talloc_free(mem_ctx); --- -2.15.0 - - -From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 10 Nov 2017 09:18:18 +0100 -Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground - -We are passing the no_process_group to become_daemon() that setsid() is -not called. In case we are double forking, we run in SysV daemon mode, -setsid() should be called! 
- -See: -https://www.freedesktop.org/software/systemd/man/daemon.html - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909) ---- - source3/smbd/server.c | 2 +- - source4/smbd/server.c | 13 ++++++++++--- - 2 files changed, 11 insertions(+), 4 deletions(-) - -diff --git a/source3/smbd/server.c b/source3/smbd/server.c -index 181bcd1e123..252b43190d7 100644 ---- a/source3/smbd/server.c -+++ b/source3/smbd/server.c -@@ -1592,7 +1592,7 @@ extern void build_options(bool screen); - struct poptOption long_options[] = { - POPT_AUTOHELP - {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" }, -- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"}, -+ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"}, - {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" }, - {"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" }, - {"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" }, -diff --git a/source4/smbd/server.c b/source4/smbd/server.c -index 406f79593b9..2349d5c7fa0 100644 ---- a/source4/smbd/server.c -+++ b/source4/smbd/server.c -@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name, - const char *argv[]) - { - bool opt_daemon = false; -+ bool opt_fork = true; - bool opt_interactive = false; - bool opt_no_process_group = false; - int opt; -@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name, - struct stat st; - enum { - OPT_DAEMON = 1000, -+ OPT_FOREGROUND, - OPT_INTERACTIVE, - OPT_PROCESS_MODEL, - OPT_SHOW_BUILD, -@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name, - POPT_AUTOHELP - {"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, - 
"Become a daemon (default)", NULL }, -+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND, -+ "Run the daemon in foreground", NULL }, - {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, - "Run interactive (not a daemon)", NULL}, - {"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL, -@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name, - case OPT_DAEMON: - opt_daemon = true; - break; -+ case OPT_FOREGROUND: -+ opt_fork = false; -+ break; - case OPT_INTERACTIVE: - opt_interactive = true; - break; -@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name, - "not allowed together with -D|--daemon\n\n"); - poptPrintUsage(pc, stderr, 0); - return 1; -- } else if (!opt_interactive) { -+ } else if (!opt_interactive && !opt_fork) { - /* default is --daemon */ - opt_daemon = true; - } -@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name, - } - - if (opt_daemon) { -- DEBUG(3,("Becoming a daemon.\n")); -- become_daemon(true, false, false); -+ DBG_NOTICE("Becoming a daemon.\n"); -+ become_daemon(opt_fork, opt_no_process_group, false); - } - - /* Create the memory context to hang everything off. */ --- -2.15.0 - - -From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 10 Nov 2017 09:32:27 +0100 -Subject: [PATCH 4/4] systemd: Start processes in forground and without a - process group - -We should not double fork in notify mode or systemd think something -during startup will be wrong and send SIGTERM to the process. So -sometimes the daemon will not start up correctly. - -systemd will also handle the process group. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129 - -Signed-off-by: Andreas Schneider -Reviewed-by: Andrew Bartlett - -(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77) ---- - packaging/systemd/nmb.service | 2 +- - packaging/systemd/samba.service | 2 +- - packaging/systemd/smb.service | 2 +- - packaging/systemd/winbind.service | 2 +- - 4 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service -index 992c0cd9d2b..71c93d6088b 100644 ---- a/packaging/systemd/nmb.service -+++ b/packaging/systemd/nmb.service -@@ -7,7 +7,7 @@ Type=notify - NotifyAccess=all - PIDFile=/run/nmbd.pid - EnvironmentFile=-/etc/sysconfig/samba --ExecStart=/usr/sbin/nmbd $NMBDOPTIONS -+ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS - ExecReload=/usr/bin/kill -HUP $MAINPID - LimitCORE=infinity - -diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service -index 824f89c2030..1b64c3b779d 100644 ---- a/packaging/systemd/samba.service -+++ b/packaging/systemd/samba.service -@@ -8,7 +8,7 @@ NotifyAccess=all - PIDFile=/run/samba.pid - LimitNOFILE=16384 - EnvironmentFile=-/etc/sysconfig/samba --ExecStart=/usr/sbin/samba $SAMBAOPTIONS -+ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS - ExecReload=/usr/bin/kill -HUP $MAINPID - - [Install] -diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service -index 6053a5caaa5..adf6684c7d9 100644 ---- a/packaging/systemd/smb.service -+++ b/packaging/systemd/smb.service -@@ -8,7 +8,7 @@ NotifyAccess=all - PIDFile=/run/smbd.pid - LimitNOFILE=16384 - EnvironmentFile=-/etc/sysconfig/samba --ExecStart=/usr/sbin/smbd $SMBDOPTIONS -+ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS - ExecReload=/usr/bin/kill -HUP $MAINPID - LimitCORE=infinity - -diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service -index c511488166e..46b3797251d 100644 ---- 
a/packaging/systemd/winbind.service -+++ b/packaging/systemd/winbind.service -@@ -7,7 +7,7 @@ Type=notify - NotifyAccess=all - PIDFile=/run/winbindd.pid - EnvironmentFile=-/etc/sysconfig/samba --ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS" -+ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS" - ExecReload=/usr/bin/kill -HUP $MAINPID - LimitCORE=infinity - --- -2.15.0 - diff --git a/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch b/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch deleted file mode 100644 index 4df811e..0000000 --- a/SOURCES/samba-4.7-fix_segfault_in_NT1_connection_setup.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 27bd0925c556ff69ce5db306f513eb4e4e7d4c7e Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 19 Feb 2018 18:07:50 +0100 -Subject: [PATCH] s3:smbd: Do not crash if we fail to init the session table - -This should the following segfault with SMB1: - - #6 sig_fault (sig=) at ../lib/util/fault.c:94 - #7 - #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) - at ../source3/smbd/smbXsrv_session.c:1212 - #9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 - #10 0x00007f7618ae17b0 in switch_message (type=, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 - #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) - at ../source3/smbd/process.c:1762 - #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=, nread=140, unread_bytes=0, seqnum=0, encrypted=, - deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 - #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 - #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 - -Inspection the core shows that: - conn->client-session_table is NULL - conn->protocol is PROTOCOL_NONE - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 - -Signed-off-by: Andreas Schneider -Reviewed-by: Jeremy Allison -(cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878) ---- - source3/smbd/negprot.c | 23 ++++++++++++++++++++--- - 1 file changed, 20 insertions(+), 3 deletions(-) - -diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c -index d3f4776076f..70249f7b446 100644 ---- a/source3/smbd/negprot.c -+++ b/source3/smbd/negprot.c -@@ -65,6 +65,8 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice) - time_t t = 
time(NULL); - struct smbXsrv_connection *xconn = req->xconn; - uint16_t raw; -+ NTSTATUS status; -+ - if (lp_async_smb_echo_handler()) { - raw = 0; - } else { -@@ -88,7 +90,11 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice) - SSVAL(req->outbuf,smb_vwv11, 8); - } - -- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1); -+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1); -+ if (!NT_STATUS_IS_OK(status)) { -+ reply_nterror(req, status); -+ return; -+ } - - /* Reply, SMBlockread, SMBwritelock supported. */ - SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); -@@ -115,6 +121,8 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice) - time_t t = time(NULL); - struct smbXsrv_connection *xconn = req->xconn; - uint16_t raw; -+ NTSTATUS status; -+ - if (lp_async_smb_echo_handler()) { - raw = 0; - } else { -@@ -140,7 +148,11 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice) - SSVAL(req->outbuf,smb_vwv11, 8); - } - -- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2); -+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2); -+ if (!NT_STATUS_IS_OK(status)) { -+ reply_nterror(req, status); -+ return; -+ } - - /* Reply, SMBlockread, SMBwritelock supported. 
*/ - SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD); -@@ -260,6 +272,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) - struct smbXsrv_connection *xconn = req->xconn; - bool signing_desired = false; - bool signing_required = false; -+ NTSTATUS status; - - xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords(); - -@@ -337,7 +350,11 @@ static void reply_nt1(struct smb_request *req, uint16_t choice) - SSVAL(req->outbuf,smb_vwv0,choice); - SCVAL(req->outbuf,smb_vwv1,secword); - -- smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1); -+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1); -+ if (!NT_STATUS_IS_OK(status)) { -+ reply_nterror(req, status); -+ return; -+ } - - SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */ - SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */ --- -2.16.2 - diff --git a/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch b/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch deleted file mode 100644 index ba778fc..0000000 --- a/SOURCES/samba-4.7-fix_segfault_in_keytab_handling.patch +++ /dev/null 
@@ -1,33 +0,0 @@
-From 8fb23665ddad8f65a6461c310ed5680d104fd9bf Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Tue, 17 Apr 2018 08:55:23 +0200
-Subject: [PATCH] s3:passdb: Do not return OK if we don't have pinfo set up
-
-This prevents a crash in fill_mem_keytab_from_secrets()
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13376
-
-Signed-off-by: Andreas Schneider
-Reviewed-by: Stefan Metzmacher
-
-(cherry picked from commit 99859479fc6e12b2f74ce2dfa83da56d8b8f3d26)
----
- source3/passdb/machine_account_secrets.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
-index 75f31cb04e2..d36fa268a4b 100644
---- a/source3/passdb/machine_account_secrets.c
-+++ b/source3/passdb/machine_account_secrets.c
-@@ -1317,7 +1317,7 @@ NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
- 
- last_set_time = secrets_fetch_pass_last_set_time(domain);
- if (last_set_time == 0) {
-- return NT_STATUS_OK;
-+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- }
- unix_to_nt_time(&last_set_nt, last_set_time);
- 
--- 
-2.16.3
-
diff --git a/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch b/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
deleted file mode 100644
index 4360ef5..0000000
--- a/SOURCES/samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
+++ /dev/null
@@ -1,130 +0,0 @@ -From 2f6d1b8b5a1643082d93f338b0528b861caeff80 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Wed, 11 Apr 2018 10:42:21 +0200 -Subject: [PATCH] rpc_server: Init local_server_* in - make_internal_rpc_pipe_socketpair - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=13370 -Signed-off-by: Volker Lendecke -Reviewed-by: Stefan Metzmacher - -Autobuild-User(master): Volker Lendecke -Autobuild-Date(master): Wed Apr 11 15:19:19 CEST 2018 on sn-devel-144 - -(cherry picked from commit 212815969f4a706bc8395e2f6dbf225318ff2ad7) ---- - source3/rpc_server/rpc_ncacn_np.c | 31 +++++++++++++++++++++++-------- - source3/rpc_server/rpc_ncacn_np.h | 18 ++++++++++-------- - source3/rpc_server/srv_pipe_hnd.c | 18 ++++++++++-------- - 3 files changed, 43 insertions(+), 24 deletions(-) - -diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c -index 0728f54b092..d7e7785248d 100644 ---- a/source3/rpc_server/rpc_ncacn_np.c -+++ b/source3/rpc_server/rpc_ncacn_np.c -@@ -69,14 +69,16 @@ fail: - return NULL; - } - --NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev_ctx, -- struct messaging_context *msg_ctx, -- const char *pipe_name, -- const struct ndr_syntax_id *syntax, -- const struct tsocket_address *remote_address, -- const struct auth_session_info *session_info, -- struct npa_state **pnpa) -+NTSTATUS make_internal_rpc_pipe_socketpair( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev_ctx, -+ struct messaging_context *msg_ctx, -+ const char *pipe_name, -+ const struct ndr_syntax_id *syntax, -+ const struct tsocket_address *remote_address, -+ const struct tsocket_address *local_address, -+ const struct auth_session_info *session_info, -+ struct npa_state **pnpa) - { - TALLOC_CTX *tmp_ctx = talloc_stackframe(); - struct named_pipe_client *npc; -@@ -136,6 +138,19 @@ NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx, - goto out; - } - -+ npc->local_server_addr = 
tsocket_address_copy(local_address, npc); -+ if (npc->local_server_addr == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ -+ npc->local_server_name = tsocket_address_inet_addr_string( -+ npc->local_server_addr, npc); -+ if (npc->local_server_name == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto out; -+ } -+ - npc->session_info = copy_session_info(npc, session_info); - if (npc->session_info == NULL) { - status = NT_STATUS_NO_MEMORY; -diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h -index 03bbd3f8af9..9ba58644ec0 100644 ---- a/source3/rpc_server/rpc_ncacn_np.h -+++ b/source3/rpc_server/rpc_ncacn_np.h -@@ -44,14 +44,16 @@ NTSTATUS make_external_rpc_pipe(TALLOC_CTX *mem_ctx, - const struct auth_session_info *session_info, - struct npa_state **pnpa); - --NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx, -- struct tevent_context *ev_ctx, -- struct messaging_context *msg_ctx, -- const char *pipe_name, -- const struct ndr_syntax_id *syntax, -- const struct tsocket_address *remote_address, -- const struct auth_session_info *session_info, -- struct npa_state **pnpa); -+NTSTATUS make_internal_rpc_pipe_socketpair( -+ TALLOC_CTX *mem_ctx, -+ struct tevent_context *ev_ctx, -+ struct messaging_context *msg_ctx, -+ const char *pipe_name, -+ const struct ndr_syntax_id *syntax, -+ const struct tsocket_address *remote_address, -+ const struct tsocket_address *local_address, -+ const struct auth_session_info *session_info, -+ struct npa_state **pnpa); - - struct np_proxy_state { - uint16_t file_type; -diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c -index f9b7855b40f..baa4ce96334 100644 ---- a/source3/rpc_server/srv_pipe_hnd.c -+++ b/source3/rpc_server/srv_pipe_hnd.c -@@ -106,14 +106,16 @@ NTSTATUS np_open(TALLOC_CTX *mem_ctx, const char *name, - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - -- status = make_internal_rpc_pipe_socketpair(handle, -- ev_ctx, -- msg_ctx, -- name, -- 
&syntax, -- remote_client_address, -- session_info, -- &npa); -+ status = make_internal_rpc_pipe_socketpair( -+ handle, -+ ev_ctx, -+ msg_ctx, -+ name, -+ &syntax, -+ remote_client_address, -+ local_server_address, -+ session_info, -+ &npa); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(handle); - return status; --- -2.11.0 - diff --git a/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch b/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch deleted file mode 100644 index c41796a..0000000 --- a/SOURCES/samba-4.7-fix_smb2_anonymous_connections.patch +++ /dev/null 
@@ -1,2595 +0,0 @@ -From 5604f16d805a73dd35a69c162966d081a1ebdb84 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 15 Mar 2018 17:40:07 +0100 -Subject: [PATCH 01/21] s3:torture: add SMB2-ANONYMOUS which asserts no GUEST - bit for anonymous - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 82d8aa3b9cb15512d29a97b5a7e55ea1a052734f) -(cherry picked from commit 23d1850c1c632984052ac923ab365501dd1c0195) ---- - source3/torture/proto.h | 1 + - source3/torture/test_smb2.c | 42 +++++++++++++++++++++++++++++++++++++ - source3/torture/torture.c | 1 + - 3 files changed, 44 insertions(+) - -diff --git a/source3/torture/proto.h b/source3/torture/proto.h -index 4c3e5401ce0..6f12ff7c2b9 100644 ---- a/source3/torture/proto.h -+++ b/source3/torture/proto.h -@@ -95,6 +95,7 @@ bool run_nttrans_create(int dummy); - bool run_nttrans_fsctl(int dummy); - bool run_smb2_basic(int dummy); - bool run_smb2_negprot(int dummy); -+bool run_smb2_anonymous(int dummy); - bool run_smb2_session_reconnect(int dummy); - bool run_smb2_tcon_dependence(int dummy); - bool run_smb2_multi_channel(int dummy); -diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c -index 297c3abca9f..897d034f6a9 100644 ---- a/source3/torture/test_smb2.c -+++ b/source3/torture/test_smb2.c -@@ -24,6 +24,7 @@ - #include "../libcli/smb/smbXcli_base.h" - #include "libcli/security/security.h" - #include "libsmb/proto.h" -+#include "auth/credentials/credentials.h" - #include "auth/gensec/gensec.h" - #include "auth_generic.h" - #include "../librpc/ndr/libndr.h" -@@ -274,6 +275,47 @@ bool run_smb2_negprot(int dummy) - return true; - } - -+bool run_smb2_anonymous(int dummy) -+{ -+ struct cli_state *cli = NULL; -+ NTSTATUS status; -+ struct cli_credentials *anon_creds = NULL; -+ bool guest = false; -+ -+ printf("Starting SMB2-ANONYMOUS\n"); -+ -+ if (!torture_init_connection(&cli)) { -+ return false; -+ } -+ -+ 
status = smbXcli_negprot(cli->conn, cli->timeout, -+ PROTOCOL_SMB2_02, PROTOCOL_LATEST); -+ if (!NT_STATUS_IS_OK(status)) { -+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); -+ return false; -+ } -+ -+ anon_creds = cli_credentials_init_anon(talloc_tos()); -+ if (anon_creds == NULL) { -+ printf("cli_credentials_init_anon failed\n"); -+ return false; -+ } -+ -+ status = cli_session_setup_creds(cli, anon_creds); -+ if (!NT_STATUS_IS_OK(status)) { -+ printf("cli_session_setup returned %s\n", nt_errstr(status)); -+ return false; -+ } -+ -+ guest = smbXcli_session_is_guest(cli->smb2.session); -+ if (guest) { -+ printf("anonymous session should not have guest authentication\n"); -+ return false; -+ } -+ -+ return true; -+} -+ - bool run_smb2_session_reconnect(int dummy) - { - struct cli_state *cli1; -diff --git a/source3/torture/torture.c b/source3/torture/torture.c -index 31e2bcc3497..e3834432ccb 100644 ---- a/source3/torture/torture.c -+++ b/source3/torture/torture.c -@@ -11644,6 +11644,7 @@ static struct { - { "NOTIFY-ONLINE", run_notify_online }, - { "SMB2-BASIC", run_smb2_basic }, - { "SMB2-NEGPROT", run_smb2_negprot }, -+ { "SMB2-ANONYMOUS", run_smb2_anonymous }, - { "SMB2-SESSION-RECONNECT", run_smb2_session_reconnect }, - { "SMB2-TCON-DEPENDENCE", run_smb2_tcon_dependence }, - { "SMB2-MULTI-CHANNEL", run_smb2_multi_channel }, --- -2.17.0 - - -From 6dfd59a8a8862b0954f8bd87b3816062f00fea0f Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 15 Mar 2018 18:04:21 +0100 -Subject: [PATCH 02/21] s3:selftest: run SMB2-ANONYMOUS - -This fails against a non AD DC smbd. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit bf707a1eba39e996bb19457b63ddb658cc4183c2) -(cherry picked from commit e39a5bd12e1704926c9d8141d8ef75a093670892) ---- - selftest/knownfail.d/anonymous-guest | 1 + - source3/selftest/tests.py | 1 + - 2 files changed, 2 insertions(+) - create mode 100644 selftest/knownfail.d/anonymous-guest - -diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest -new file mode 100644 -index 00000000000..a134cece3d5 ---- /dev/null -+++ b/selftest/knownfail.d/anonymous-guest -@@ -0,0 +1 @@ -+^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 56b94c436ce..c0522b3ed6f 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -75,6 +75,7 @@ tests = ["FDPASS", "LOCK1", "LOCK2", "LOCK3", "LOCK4", "LOCK5", "LOCK6", "LOCK7" - "GETADDRINFO", "UID-REGRESSION-TEST", "SHORTNAME-TEST", - "CASE-INSENSITIVE-CREATE", "SMB2-BASIC", "NTTRANS-FSCTL", "SMB2-NEGPROT", - "SMB2-SESSION-REAUTH", "SMB2-SESSION-RECONNECT", "SMB2-FTRUNCATE", -+ "SMB2-ANONYMOUS", - "CLEANUP1", - "CLEANUP2", - "CLEANUP4", --- -2.17.0 - - -From 40b619182e63df1cbc8e47c79a0ac0f83debce69 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Wed, 14 Mar 2018 11:44:49 +0100 -Subject: [PATCH 03/21] libcli/security: only announce a session as GUEST if - 'Builtin\Guests' is there without 'Authenticated User' - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3) -(cherry picked from commit ff7a8e416b53e073a6d16fb122cdeba8b53c6e53) ---- - libcli/security/session.c | 18 +++++++++++------- - 1 file changed, 11 insertions(+), 7 deletions(-) - -diff --git a/libcli/security/session.c b/libcli/security/session.c -index 
0fbb87d584e..f17e884c847 100644 ---- a/libcli/security/session.c -+++ b/libcli/security/session.c -@@ -26,6 +26,9 @@ - enum security_user_level security_session_user_level(struct auth_session_info *session_info, - const struct dom_sid *domain_sid) - { -+ bool authenticated = false; -+ bool guest = false; -+ - if (!session_info) { - return SECURITY_ANONYMOUS; - } -@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s - return SECURITY_ANONYMOUS; - } - -- if (security_token_has_builtin_guests(session_info->security_token)) { -- return SECURITY_GUEST; -+ authenticated = security_token_has_nt_authenticated_users(session_info->security_token); -+ guest = security_token_has_builtin_guests(session_info->security_token); -+ if (!authenticated) { -+ if (guest) { -+ return SECURITY_GUEST; -+ } -+ return SECURITY_ANONYMOUS; - } - - if (security_token_has_builtin_administrators(session_info->security_token)) { -@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s - return SECURITY_DOMAIN_CONTROLLER; - } - -- if (security_token_has_nt_authenticated_users(session_info->security_token)) { -- return SECURITY_USER; -- } -- -- return SECURITY_ANONYMOUS; -+ return SECURITY_USER; - } --- -2.17.0 - - -From b2e7990934503c86c17751a8c4f7d5f40b32aed7 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 1 Mar 2018 18:05:28 +0100 -Subject: [PATCH 04/21] s3:auth: remove unused auth_serversupplied_info->system - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 28ad1306b880a44824ee956a19656ac29581a1b9) -(cherry picked from commit b991dca37a425cc252752e5a306df80077814aaf) ---- - source3/auth/auth_util.c | 1 - - source3/include/auth.h | 1 - - 2 files changed, 2 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 1021f2a6fef..4ae9dad2dd6 100644 ---- 
a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1045,7 +1045,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO - SMB_ASSERT(src->unix_info); - - dst->guest = true; -- dst->system = false; - - /* This element must be provided to convert back to an - * auth_serversupplied_info. This needs to be from the -diff --git a/source3/include/auth.h b/source3/include/auth.h -index b7223c15036..d3055373964 100644 ---- a/source3/include/auth.h -+++ b/source3/include/auth.h -@@ -30,7 +30,6 @@ struct extra_auth_info { - - struct auth_serversupplied_info { - bool guest; -- bool system; - - struct security_unix_token utok; - --- -2.17.0 - - -From 092a1ddebdcd399676820edafb33afe535522ee4 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Mar 2018 16:37:58 +0100 -Subject: [PATCH 05/21] s3:auth: add the "Unix Groups" sid for the primary gid - -The primary gid might not be in the gid array. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit f3ca3e71cc35876df47e31ec9c3643308add2405) -(cherry picked from commit 1258f287420642698c456f6bb17bf4547a921964) ---- - source3/auth/auth_util.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 4ae9dad2dd6..2aa40388d14 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -660,7 +660,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - */ - - uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); -+ add_sid_to_array_unique(session_info->security_token, &tmp_sid, -+ &session_info->security_token->sids, -+ &session_info->security_token->num_sids); - -+ gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); - add_sid_to_array_unique(session_info->security_token, &tmp_sid, - &session_info->security_token->sids, - &session_info->security_token->num_sids); --- -2.17.0 - - -From 
c7b23189a548a0d684e04ef78e0fa7c3e3456316 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 17:14:34 +0100 -Subject: [PATCH 06/21] s3:auth: move add_local_groups() out of - finalize_local_nt_token() - -finalize_local_nt_token() will be used in another place, -were we don't want to add local groups in a following commit. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit df3d278853ec097df27c221369dfb3ed0297d6c8) -(cherry picked from commit 85097b155447257d9c4a66cd43ac432a27b52529) ---- - source3/auth/token_util.c | 22 +++++++++++++++------- - 1 file changed, 15 insertions(+), 7 deletions(-) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index 03c4b646007..e5a12db1ba3 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -208,6 +208,8 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, - return NT_STATUS_OK; - } - -+static NTSTATUS add_local_groups(struct security_token *result, -+ bool is_guest); - static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest); - -@@ -323,6 +325,13 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, - } - } - -+ status = add_local_groups(usrtok, is_guest); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(3, ("Failed to add local groups\n")); -+ TALLOC_FREE(usrtok); -+ return status; -+ } -+ - status = finalize_local_nt_token(usrtok, is_guest); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("Failed to finalize nt token\n")); -@@ -392,6 +401,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - } - } - -+ status = add_local_groups(result, is_guest); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(result); -+ return NULL; -+ } -+ - status = finalize_local_nt_token(result, is_guest); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); -@@ -502,13 +517,6 @@ static NTSTATUS 
finalize_local_nt_token(struct security_token *result, - NTSTATUS status; - struct acct_info *info; - -- /* Add any local groups. */ -- -- status = add_local_groups(result, is_guest); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- - /* Add in BUILTIN sids */ - - status = add_sid_to_array(result, &global_sid_World, --- -2.17.0 - - -From b914f0e37eb05eb656d37cb317f1b3d556325edd Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 13 Mar 2018 21:35:48 +0100 -Subject: [PATCH 07/21] s3:passdb: handle dom_sid=NULL in - create_builtin_{users,administrators}() - -We should not crash if we're called with NULL. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit efdc617c76d9043286e33b961f45ad4564232102) -(cherry picked from commit c1f61c0816441be2061b3fd23db04dc60dcc64f7) ---- - source3/passdb/pdb_util.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/source3/passdb/pdb_util.c b/source3/passdb/pdb_util.c -index bf7b2b8abd1..309eb893f8a 100644 ---- a/source3/passdb/pdb_util.c -+++ b/source3/passdb/pdb_util.c -@@ -130,8 +130,9 @@ NTSTATUS create_builtin_users(const struct dom_sid *dom_sid) - } - - /* add domain users */ -- if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) -- && sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) -+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && -+ (dom_sid != NULL) && -+ sid_compose(&dom_users, dom_sid, DOMAIN_RID_USERS)) - { - status = add_sid_to_builtin(&global_sid_Builtin_Users, - &dom_users); -@@ -159,8 +160,9 @@ NTSTATUS create_builtin_administrators(const struct dom_sid *dom_sid) - } - - /* add domain admins */ -- if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) -- && sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) -+ if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) && -+ (dom_sid != NULL) && -+ sid_compose(&dom_admins, dom_sid, DOMAIN_RID_ADMINS)) - 
{ - status = add_sid_to_builtin(&global_sid_Builtin_Administrators, - &dom_admins); --- -2.17.0 - - -From db7aa26880d37b0966cbf99100457ba31d3a0e9b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 13 Mar 2018 21:38:27 +0100 -Subject: [PATCH 08/21] s3:auth: only call secrets_fetch_domain_sid() once in - finalize_local_nt_token() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308) -(cherry picked from commit e0e4aa1ac539d2811bd801e9e3b8f69d7e306f3b) ---- - source3/auth/token_util.c | 35 +++++++++++++++++++---------------- - 1 file changed, 19 insertions(+), 16 deletions(-) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index e5a12db1ba3..f3d24cdac2f 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, - if ( IS_DC ) { - sid_copy( &domadm, get_global_sam_sid() ); - } else { -+ if (dom_sid == NULL) { -+ return NT_STATUS_INVALID_PARAMETER_MIX; -+ } - sid_copy(&domadm, dom_sid); - } - sid_append_rid( &domadm, DOMAIN_RID_ADMINS ); -@@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result, - static NTSTATUS finalize_local_nt_token(struct security_token *result, - bool is_guest) - { -- struct dom_sid dom_sid; -+ struct dom_sid _dom_sid = { 0, }; -+ struct dom_sid *domain_sid = NULL; - NTSTATUS status; - struct acct_info *info; -+ bool ok; - - /* Add in BUILTIN sids */ - -@@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - } - } - -+ become_root(); -+ ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); -+ if (ok) { -+ domain_sid = &_dom_sid; -+ } else { -+ DEBUG(3, ("Failed to fetch domain sid for %s\n", -+ lp_workgroup())); -+ } -+ unbecome_root(); -+ - info = talloc_zero(talloc_tos(), struct acct_info); - if (info == 
NULL) { - DEBUG(0, ("talloc failed!\n")); -@@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - if (!NT_STATUS_IS_OK(status)) { - - become_root(); -- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { -- status = NT_STATUS_OK; -- DEBUG(3, ("Failed to fetch domain sid for %s\n", -- lp_workgroup())); -- } else { -- status = create_builtin_administrators(&dom_sid); -- } -+ status = create_builtin_administrators(domain_sid); - unbecome_root(); - - if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) { - /* Add BUILTIN\Administrators directly to token. */ -- status = add_builtin_administrators(result, &dom_sid); -+ status = add_builtin_administrators(result, domain_sid); - if ( !NT_STATUS_IS_OK(status) ) { - DEBUG(3, ("Failed to check for local " - "Administrators membership (%s)\n", -@@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - if (!NT_STATUS_IS_OK(status)) { - - become_root(); -- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) { -- status = NT_STATUS_OK; -- DEBUG(3, ("Failed to fetch domain sid for %s\n", -- lp_workgroup())); -- } else { -- status = create_builtin_users(&dom_sid); -- } -+ status = create_builtin_users(domain_sid); - unbecome_root(); - - if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) && --- -2.17.0 - - -From 9c86a3d2a0783fae2ec2883907ec877f9edd1dac Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 23:26:28 +0100 -Subject: [PATCH 09/21] s3:auth: add add_builtin_guests() handling to - finalize_local_nt_token() - -We should add Builtin_Guests depending on the current token -not based on 'is_guest'. Even authenticated users can be member -a guest related group and therefore get Builtin_Guests. - -Sadly we still need to use 'is_guest' within create_local_nt_token() -as we only have S-1-22-* SIDs there and still need to -add Builtin_Guests. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit e8dc55d2b969b670322a913799d1af459a1000e7) -(cherry picked from commit 7687d26f8bb6aa57672c70f95bee3f67b9957107) ---- - source3/auth/token_util.c | 122 +++++++++++++++++++++++++++++++++++--- - 1 file changed, 114 insertions(+), 8 deletions(-) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index f3d24cdac2f..30f2f8d346b 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -211,6 +211,74 @@ static NTSTATUS add_builtin_administrators(struct security_token *token, - return NT_STATUS_OK; - } - -+static NTSTATUS add_builtin_guests(struct security_token *token, -+ const struct dom_sid *dom_sid) -+{ -+ struct dom_sid tmp_sid; -+ NTSTATUS status; -+ -+ /* -+ * First check the local GUEST account. -+ */ -+ sid_copy(&tmp_sid, get_global_sam_sid()); -+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUEST); -+ -+ if (nt_token_check_sid(&tmp_sid, token)) { -+ status = add_sid_to_array_unique(token, -+ &global_sid_Builtin_Guests, -+ &token->sids, &token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ return NT_STATUS_OK; -+ } -+ -+ /* -+ * First check the local GUESTS group. -+ */ -+ sid_copy(&tmp_sid, get_global_sam_sid()); -+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); -+ -+ if (nt_token_check_sid(&tmp_sid, token)) { -+ status = add_sid_to_array_unique(token, -+ &global_sid_Builtin_Guests, -+ &token->sids, &token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ return NT_STATUS_OK; -+ } -+ -+ if (lp_server_role() != ROLE_DOMAIN_MEMBER) { -+ return NT_STATUS_OK; -+ } -+ -+ if (dom_sid == NULL) { -+ return NT_STATUS_INVALID_PARAMETER_MIX; -+ } -+ -+ /* -+ * First check the domain GUESTS group. 
-+ */ -+ sid_copy(&tmp_sid, dom_sid); -+ sid_append_rid(&tmp_sid, DOMAIN_RID_GUESTS); -+ -+ if (nt_token_check_sid(&tmp_sid, token)) { -+ status = add_sid_to_array_unique(token, -+ &global_sid_Builtin_Guests, -+ &token->sids, &token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } -+ -+ return NT_STATUS_OK; -+ } -+ -+ return NT_STATUS_OK; -+} -+ - static NTSTATUS add_local_groups(struct security_token *result, - bool is_guest); - static NTSTATUS finalize_local_nt_token(struct security_token *result, -@@ -416,6 +484,29 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - return NULL; - } - -+ if (is_guest) { -+ /* -+ * It's ugly, but for now it's -+ * needed to add Builtin_Guests -+ * here, the "local" token only -+ * consist of S-1-22-* SIDs -+ * and finalize_local_nt_token() -+ * doesn't have the chance to -+ * to detect it need to -+ * add Builtin_Guests via -+ * add_builtin_guests(). -+ */ -+ status = add_sid_to_array_unique(result, -+ &global_sid_Builtin_Guests, -+ &result->sids, -+ &result->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(3, ("Failed to add SID to nt token\n")); -+ TALLOC_FREE(result); -+ return NULL; -+ } -+ } -+ - return result; - } - -@@ -535,14 +626,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - return status; - } - -- if (is_guest) { -- status = add_sid_to_array(result, &global_sid_Builtin_Guests, -- &result->sids, -- &result->num_sids); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- } else { -+ if (!is_guest) { - status = add_sid_to_array(result, - &global_sid_Authenticated_Users, - &result->sids, -@@ -613,6 +697,28 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - } - } - -+ /* -+ * Add BUILTIN\Guests directly to token. 
-+ * But only if the token already indicates -+ * real guest access by: -+ * - local GUEST account -+ * - local GUESTS group -+ * - domain GUESTS group -+ * -+ * Even if a user was authenticated, it -+ * can be member of a guest related group. -+ */ -+ status = add_builtin_guests(result, domain_sid); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(3, ("Failed to check for local " -+ "Guests membership (%s)\n", -+ nt_errstr(status))); -+ /* -+ * This is a hard error. -+ */ -+ return status; -+ } -+ - TALLOC_FREE(info); - - /* Deal with local groups */ --- -2.17.0 - - -From 02ec86b90cc7c293d3086d59a0d349a967375665 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 23:36:03 +0100 -Subject: [PATCH 10/21] s3:auth: don't try to expand system or anonymous tokens - in finalize_local_nt_token() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 4f81ef9353ad76390aa910c8c17456fec21916c6) -(cherry picked from commit ecee9453a6ef611763d11e88e2ecf212f065a86c) ---- - source3/auth/token_util.c | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index 30f2f8d346b..6ebfa54126b 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -613,6 +613,13 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - struct acct_info *info; - bool ok; - -+ result->privilege_mask = 0; -+ result->rights_mask = 0; -+ -+ if (result->num_sids == 0) { -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ - /* Add in BUILTIN sids */ - - status = add_sid_to_array(result, &global_sid_World, -@@ -626,6 +633,23 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - return status; - } - -+ /* -+ * Don't expand nested groups of system, anonymous etc -+ * -+ * Note that they still get SID_WORLD and SID_NETWORK -+ * for now in order let existing tests pass. 
-+ * -+ * But SYSTEM doesn't get AUTHENTICATED_USERS -+ * and ANONYMOUS doesn't get BUILTIN GUESTS anymore. -+ */ -+ if (security_token_is_anonymous(result)) { -+ return NT_STATUS_OK; -+ } -+ if (security_token_is_system(result)) { -+ result->privilege_mask = ~0; -+ return NT_STATUS_OK; -+ } -+ - if (!is_guest) { - status = add_sid_to_array(result, - &global_sid_Authenticated_Users, --- -2.17.0 - - -From e243c00682b4e3b82f5cdddf7079d6dadb5f2e68 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 23:40:10 +0100 -Subject: [PATCH 11/21] s3:auth: pass AUTH_SESSION_INFO_* flags to - finalize_local_nt_token() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit d3aae5ba65c7ed0d5e9f8389101cf1c8c1f0a25b) -(cherry picked from commit 627a86bf2d516e256701f50473d0cdfd15d7eecc) ---- - source3/auth/token_util.c | 58 ++++++++++++++++++++++++++------------- - 1 file changed, 39 insertions(+), 19 deletions(-) - -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index 6ebfa54126b..acb916ab55c 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token, - static NTSTATUS add_local_groups(struct security_token *result, - bool is_guest); - static NTSTATUS finalize_local_nt_token(struct security_token *result, -- bool is_guest); -+ uint32_t session_info_flags); - - NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, - const struct extra_auth_info *extra, -@@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, - struct security_token **ntok) - { - struct security_token *usrtok = NULL; -+ uint32_t session_info_flags = 0; - NTSTATUS status; - int i; - -@@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx, - return status; - } - -- status = finalize_local_nt_token(usrtok, is_guest); -+ 
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; -+ if (!is_guest) { -+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; -+ } -+ -+ status = finalize_local_nt_token(usrtok, session_info_flags); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3, ("Failed to finalize nt token\n")); - TALLOC_FREE(usrtok); -@@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - struct security_token *result = NULL; - int i; - NTSTATUS status; -+ uint32_t session_info_flags = 0; - - DEBUG(10, ("Create local NT token for %s\n", - sid_string_dbg(user_sid))); -@@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - return NULL; - } - -- status = finalize_local_nt_token(result, is_guest); -+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; -+ if (!is_guest) { -+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; -+ } -+ -+ status = finalize_local_nt_token(result, session_info_flags); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(result); - return NULL; -@@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result, - } - - static NTSTATUS finalize_local_nt_token(struct security_token *result, -- bool is_guest) -+ uint32_t session_info_flags) - { - struct dom_sid _dom_sid = { 0, }; - struct dom_sid *domain_sid = NULL; -@@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - return NT_STATUS_INVALID_TOKEN; - } - -- /* Add in BUILTIN sids */ -- -- status = add_sid_to_array(result, &global_sid_World, -- &result->sids, &result->num_sids); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- status = add_sid_to_array(result, &global_sid_Network, -- &result->sids, &result->num_sids); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { -+ status = add_sid_to_array(result, &global_sid_World, -+ &result->sids, &result->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ 
} -+ status = add_sid_to_array(result, &global_sid_Network, -+ &result->sids, &result->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ return status; -+ } - } - - /* -@@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - return NT_STATUS_OK; - } - -- if (!is_guest) { -+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - status = add_sid_to_array(result, - &global_sid_Authenticated_Users, - &result->sids, -@@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - } - } - -+ /* Add in BUILTIN sids */ -+ - become_root(); - ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid); - if (ok) { -@@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result, - unbecome_root(); - } - -- /* Add privileges based on current user sids */ - -- get_privileges_for_sids(&result->privilege_mask, result->sids, -- result->num_sids); -+ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { -+ if (security_token_has_builtin_administrators(result)) { -+ result->privilege_mask = ~0; -+ } -+ } else { -+ /* Add privileges based on current user sids */ -+ get_privileges_for_sids(&result->privilege_mask, result->sids, -+ result->num_sids); -+ } - - return NT_STATUS_OK; - } --- -2.17.0 - - -From d97bfd5d7ecc48f6781161397928d9094d95dae1 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 23:45:30 +0100 -Subject: [PATCH 12/21] s3:auth: remove static from finalize_local_nt_token() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 7f47f9e1f220d2dd547cf77bbc292357a2173870) -(cherry picked from commit 8b5253e5d4c79265a9c35955f83407a0c11a76d1) ---- - source3/auth/proto.h | 2 ++ - source3/auth/token_util.c | 6 ++---- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/source3/auth/proto.h b/source3/auth/proto.h -index 3942815e467..d3403f1a929 
100644 ---- a/source3/auth/proto.h -+++ b/source3/auth/proto.h -@@ -359,6 +359,8 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx, - bool is_guest, - int num_groupsids, - const struct dom_sid *groupsids); -+NTSTATUS finalize_local_nt_token(struct security_token *result, -+ uint32_t session_info_flags); - NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, - const struct extra_auth_info *extra, - struct dom_sid *sid); -diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c -index acb916ab55c..f015f8d2cd5 100644 ---- a/source3/auth/token_util.c -+++ b/source3/auth/token_util.c -@@ -281,8 +281,6 @@ static NTSTATUS add_builtin_guests(struct security_token *token, - - static NTSTATUS add_local_groups(struct security_token *result, - bool is_guest); --static NTSTATUS finalize_local_nt_token(struct security_token *result, -- uint32_t session_info_flags); - - NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3, - const struct extra_auth_info *extra, -@@ -616,8 +614,8 @@ static NTSTATUS add_local_groups(struct security_token *result, - return NT_STATUS_OK; - } - --static NTSTATUS finalize_local_nt_token(struct security_token *result, -- uint32_t session_info_flags) -+NTSTATUS finalize_local_nt_token(struct security_token *result, -+ uint32_t session_info_flags) - { - struct dom_sid _dom_sid = { 0, }; - struct dom_sid *domain_sid = NULL; --- -2.17.0 - - -From 424de089a89f226854e159c1ce0bab3dc2eb8eaf Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 6 Mar 2018 16:38:10 +0100 -Subject: [PATCH 13/21] auth: add auth_user_info_copy() function - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 6ff891195855403bc485725aef8d43d4e3cabacb) -(cherry picked from commit 104de61756e6b098985c3a599a3ccf62cbbe7299) ---- - auth/auth_sam_reply.c | 35 +++++++++++++++++++++++++++++++++++ - auth/auth_sam_reply.h | 3 +++ 
- 2 files changed, 38 insertions(+) - -diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c -index 15d17b0745e..bd695151dc0 100644 ---- a/auth/auth_sam_reply.c -+++ b/auth/auth_sam_reply.c -@@ -333,6 +333,41 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, - return NT_STATUS_OK; - } - -+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, -+ const struct auth_user_info *src) -+{ -+ struct auth_user_info *dst = NULL; -+ -+ dst = talloc_zero(mem_ctx, struct auth_user_info); -+ if (dst == NULL) { -+ return NULL; -+ } -+ -+ *dst = *src; -+#define _COPY_STRING(_mem, _str) do { \ -+ if ((_str) != NULL) { \ -+ (_str) = talloc_strdup((_mem), (_str)); \ -+ if ((_str) == NULL) { \ -+ TALLOC_FREE(dst); \ -+ return NULL; \ -+ } \ -+ } \ -+} while(0) -+ _COPY_STRING(dst, dst->account_name); -+ _COPY_STRING(dst, dst->user_principal_name); -+ _COPY_STRING(dst, dst->domain_name); -+ _COPY_STRING(dst, dst->dns_domain_name); -+ _COPY_STRING(dst, dst->full_name); -+ _COPY_STRING(dst, dst->logon_script); -+ _COPY_STRING(dst, dst->profile_path); -+ _COPY_STRING(dst, dst->home_directory); -+ _COPY_STRING(dst, dst->home_drive); -+ _COPY_STRING(dst, dst->logon_server); -+#undef _COPY_STRING -+ -+ return dst; -+} -+ - /** - * Make a user_info_dc struct from the info3 returned by a domain logon - */ -diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h -index 4aa3096c889..e4b26e961d7 100644 ---- a/auth/auth_sam_reply.h -+++ b/auth/auth_sam_reply.h -@@ -38,6 +38,9 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, - bool authenticated, - struct auth_user_info **_user_info); - -+struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx, -+ const struct auth_user_info *src); -+ - NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, - const struct auth_user_info_dc *user_info_dc, - struct netr_SamInfo6 **_sam6); --- -2.17.0 - - -From 417e52e67a662903ee0585371bcb9507fe6f8d87 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 
7 Mar 2018 00:21:13 +0100 -Subject: [PATCH 14/21] s3:auth: add auth3_user_info_dc_add_hints() and - auth3_session_info_create() - -These functions make it possible to construct a full auth_session_info -from the information available from an auth_user_info_dc structure. - -This has all the logic from create_local_token() that is used -to transform a auth_serversupplied_info to a full auth_session_info. - -In order to workarround the restriction that auth_user_info_dc -doesn't contain hints for the unix token/name, we use -the special S-1-5-88 (Unix_NFS) sids: - - - S-1-5-88-1-Y gives the uid=Y - - S-1-5-88-2-Y gives the gid=Y - - S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_* - -The currently implemented flags are: - -- AUTH3_UNIX_HINT_QUALIFIED_NAME - unix_name = DOMAIN+ACCOUNT - -- AUTH3_UNIX_HINT_ISLOLATED_NAME - unix_name = ACCOUNT - -- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS - Don't translate the nt token SIDS into uid/gids - using sid mapping. - -- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS - Don't translate the unix token uid/gids to S-1-22-X-Y SIDS - -- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS - The unix token won't get expanded gid values - from getgroups_unix_user() - -By using the hints it is possible to keep the current logic -where an authentication backend provides uid/gid values and -the unix name. - -Note the S-1-5-88-* SIDS never appear in the final security_token. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit af4bc135e486e17164da0ea918281fbf689892c3) -(cherry picked from commit b8c518d57fc32f8daffb0d4798dc8f5de17c0150) ---- - source3/auth/auth_util.c | 552 +++++++++++++++++++++++++++++++++++++++ - source3/auth/proto.h | 32 +++ - 2 files changed, 584 insertions(+) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 2aa40388d14..9d6e8020d77 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -692,6 +692,558 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - return NT_STATUS_OK; - } - -+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, -+ uid_t uid, -+ gid_t gid, -+ uint32_t flags) -+{ -+ uint32_t orig_num_sids = user_info_dc->num_sids; -+ struct dom_sid tmp_sid = { 0, }; -+ NTSTATUS status; -+ -+ /* -+ * We add S-5-88-1-X in order to pass the uid -+ * for the unix token. -+ */ -+ sid_compose(&tmp_sid, -+ &global_sid_Unix_NFS_Users, -+ (uint32_t)uid); -+ status = add_sid_to_array_unique(user_info_dc->sids, -+ &tmp_sid, -+ &user_info_dc->sids, -+ &user_info_dc->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", -+ nt_errstr(status))); -+ goto fail; -+ } -+ -+ /* -+ * We add S-5-88-2-X in order to pass the gid -+ * for the unix token. -+ */ -+ sid_compose(&tmp_sid, -+ &global_sid_Unix_NFS_Groups, -+ (uint32_t)gid); -+ status = add_sid_to_array_unique(user_info_dc->sids, -+ &tmp_sid, -+ &user_info_dc->sids, -+ &user_info_dc->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", -+ nt_errstr(status))); -+ goto fail; -+ } -+ -+ /* -+ * We add S-5-88-3-X in order to pass some flags -+ * (AUTH3_UNIX_HINT_*) to auth3_create_session_info(). 
-+ */ -+ sid_compose(&tmp_sid, -+ &global_sid_Unix_NFS_Mode, -+ flags); -+ status = add_sid_to_array_unique(user_info_dc->sids, -+ &tmp_sid, -+ &user_info_dc->sids, -+ &user_info_dc->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("add_sid_to_array_unique failed: %s\n", -+ nt_errstr(status))); -+ goto fail; -+ } -+ -+ return NT_STATUS_OK; -+ -+fail: -+ user_info_dc->num_sids = orig_num_sids; -+ return status; -+} -+ -+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, -+ const struct auth_user_info_dc *user_info_dc, -+ const char *original_user_name, -+ uint32_t session_info_flags, -+ struct auth_session_info **session_info_out) -+{ -+ TALLOC_CTX *frame = talloc_stackframe(); -+ struct auth_session_info *session_info = NULL; -+ uid_t hint_uid = -1; -+ bool found_hint_uid = false; -+ uid_t hint_gid = -1; -+ bool found_hint_gid = false; -+ uint32_t hint_flags = 0; -+ bool found_hint_flags = false; -+ bool need_getpwuid = false; -+ struct unixid *ids = NULL; -+ uint32_t num_gids = 0; -+ gid_t *gids = NULL; -+ struct dom_sid tmp_sid = { 0, }; -+ fstring tmp = { 0, }; -+ NTSTATUS status; -+ size_t i; -+ bool ok; -+ -+ *session_info_out = NULL; -+ -+ if (user_info_dc->num_sids == 0) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ if (user_info_dc->info == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ if (user_info_dc->info->account_name == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ session_info = talloc_zero(mem_ctx, struct auth_session_info); -+ if (session_info == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ /* keep this under frame for easier cleanup */ -+ talloc_reparent(mem_ctx, frame, session_info); -+ -+ session_info->info = auth_user_info_copy(session_info, -+ user_info_dc->info); -+ if (session_info->info == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ session_info->security_token = talloc_zero(session_info, 
-+ struct security_token); -+ if (session_info->security_token == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ /* -+ * Avoid a lot of reallocations and allocate what we'll -+ * use in most cases. -+ */ -+ session_info->security_token->sids = talloc_zero_array( -+ session_info->security_token, -+ struct dom_sid, -+ user_info_dc->num_sids); -+ if (session_info->security_token->sids == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ for (i = PRIMARY_USER_SID_INDEX; i < user_info_dc->num_sids; i++) { -+ struct security_token *nt_token = session_info->security_token; -+ int cmp; -+ -+ /* -+ * S-1-5-88-X-Y sids are only used to give hints -+ * to the unix token construction. -+ * -+ * S-1-5-88-1-Y gives the uid=Y -+ * S-1-5-88-2-Y gives the gid=Y -+ * S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_* -+ */ -+ cmp = dom_sid_compare_domain(&global_sid_Unix_NFS, -+ &user_info_dc->sids[i]); -+ if (cmp == 0) { -+ bool match; -+ uint32_t hint = 0; -+ -+ match = sid_peek_rid(&user_info_dc->sids[i], &hint); -+ if (!match) { -+ continue; -+ } -+ -+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Users, -+ &user_info_dc->sids[i]); -+ if (match) { -+ if (found_hint_uid) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ found_hint_uid = true; -+ hint_uid = (uid_t)hint; -+ continue; -+ } -+ -+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups, -+ &user_info_dc->sids[i]); -+ if (match) { -+ if (found_hint_gid) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ found_hint_gid = true; -+ hint_gid = (gid_t)hint; -+ continue; -+ } -+ -+ match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode, -+ &user_info_dc->sids[i]); -+ if (match) { -+ if (found_hint_flags) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ found_hint_flags = true; -+ hint_flags = hint; -+ continue; -+ } -+ -+ continue; -+ } -+ -+ status = add_sid_to_array_unique(nt_token->sids, -+ &user_info_dc->sids[i], -+ 
&nt_token->sids, -+ &nt_token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ } -+ -+ /* -+ * We need at least one usable SID -+ */ -+ if (session_info->security_token->num_sids == 0) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ /* -+ * We need all tree hints: uid, gid, flags -+ * or none of them. -+ */ -+ if (found_hint_uid || found_hint_gid || found_hint_flags) { -+ if (!found_hint_uid) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ if (!found_hint_gid) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ if (!found_hint_flags) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ } -+ -+ if (session_info->info->authenticated) { -+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; -+ } -+ -+ status = finalize_local_nt_token(session_info->security_token, -+ session_info_flags); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ -+ /* -+ * unless set otherwise, the session key is the user session -+ * key from the auth subsystem -+ */ -+ if (user_info_dc->user_session_key.length != 0) { -+ session_info->session_key = data_blob_dup_talloc(session_info, -+ user_info_dc->user_session_key); -+ if (session_info->session_key.data == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ if (!(session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)) { -+ goto done; -+ } -+ -+ session_info->unix_token = talloc_zero(session_info, struct security_unix_token); -+ if (session_info->unix_token == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ session_info->unix_token->uid = -1; -+ session_info->unix_token->gid = -1; -+ -+ session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); -+ if (session_info->unix_info == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ /* Convert the SIDs to uid/gids. 
*/ -+ -+ ids = talloc_zero_array(frame, struct unixid, -+ session_info->security_token->num_sids); -+ if (ids == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ if (!(hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS)) { -+ ok = sids_to_unixids(session_info->security_token->sids, -+ session_info->security_token->num_sids, -+ ids); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ -+ if (found_hint_uid) { -+ session_info->unix_token->uid = hint_uid; -+ } else if (ids[0].type == ID_TYPE_UID) { -+ /* -+ * The primary SID resolves to a UID only. -+ */ -+ session_info->unix_token->uid = ids[0].id; -+ } else if (ids[0].type == ID_TYPE_BOTH) { -+ /* -+ * The primary SID resolves to a UID and GID, -+ * use it as uid and add it as first element -+ * to the groups array. -+ */ -+ session_info->unix_token->uid = ids[0].id; -+ -+ ok = add_gid_to_array_unique(session_info->unix_token, -+ session_info->unix_token->uid, -+ &session_info->unix_token->groups, -+ &session_info->unix_token->ngroups); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } else { -+ /* -+ * It we can't get a uid, we can't imporsonate -+ * the user. 
-+ */ -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ -+ if (found_hint_gid) { -+ session_info->unix_token->gid = hint_gid; -+ } else { -+ need_getpwuid = true; -+ } -+ -+ if (hint_flags & AUTH3_UNIX_HINT_QUALIFIED_NAME) { -+ session_info->unix_info->unix_name = -+ talloc_asprintf(session_info->unix_info, -+ "%s%c%s", -+ session_info->info->domain_name, -+ *lp_winbind_separator(), -+ session_info->info->account_name); -+ if (session_info->unix_info->unix_name == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } else if (hint_flags & AUTH3_UNIX_HINT_ISLOLATED_NAME) { -+ session_info->unix_info->unix_name = -+ talloc_strdup(session_info->unix_info, -+ session_info->info->account_name); -+ if (session_info->unix_info->unix_name == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } else { -+ need_getpwuid = true; -+ } -+ -+ if (need_getpwuid) { -+ struct passwd *pwd = NULL; -+ -+ /* -+ * Ask the system for the primary gid -+ * and the real unix name. -+ */ -+ pwd = getpwuid_alloc(frame, session_info->unix_token->uid); -+ if (pwd == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ if (!found_hint_gid) { -+ session_info->unix_token->gid = pwd->pw_gid; -+ } -+ -+ session_info->unix_info->unix_name = -+ talloc_strdup(session_info->unix_info, pwd->pw_name); -+ if (session_info->unix_info->unix_name == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ TALLOC_FREE(pwd); -+ } -+ -+ ok = add_gid_to_array_unique(session_info->unix_token, -+ session_info->unix_token->gid, -+ &session_info->unix_token->groups, -+ &session_info->unix_token->ngroups); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ /* This is a potentially untrusted username for use in %U */ -+ alpha_strcpy(tmp, original_user_name, ". 
_-$", sizeof(tmp)); -+ session_info->unix_info->sanitized_username = -+ talloc_strdup(session_info->unix_info, tmp); -+ if (session_info->unix_info->sanitized_username == NULL) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ for (i=0; i < session_info->security_token->num_sids; i++) { -+ -+ if (ids[i].type != ID_TYPE_GID && -+ ids[i].type != ID_TYPE_BOTH) { -+ struct security_token *nt_token = -+ session_info->security_token; -+ -+ DEBUG(10, ("Could not convert SID %s to gid, " -+ "ignoring it\n", -+ sid_string_dbg(&nt_token->sids[i]))); -+ continue; -+ } -+ -+ ok = add_gid_to_array_unique(session_info->unix_token, -+ ids[i].id, -+ &session_info->unix_token->groups, -+ &session_info->unix_token->ngroups); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ TALLOC_FREE(ids); -+ -+ /* -+ * Now we must get any groups this user has been -+ * added to in /etc/group and merge them in. -+ * This has to be done in every code path -+ * that creates an NT token, as remote users -+ * may have been added to the local /etc/group -+ * database. Tokens created merely from the -+ * info3 structs (via the DC or via the krb5 PAC) -+ * won't have these local groups. Note the -+ * groups added here will only be UNIX groups -+ * (S-1-22-2-XXXX groups) as getgroups_unix_user() -+ * turns off winbindd before calling getgroups(). -+ * -+ * NB. This is duplicating work already -+ * done in the 'unix_user:' case of -+ * create_token_from_sid() but won't -+ * do anything other than be inefficient -+ * in that case. 
-+ */ -+ if (!(hint_flags & AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS)) { -+ ok = getgroups_unix_user(frame, -+ session_info->unix_info->unix_name, -+ session_info->unix_token->gid, -+ &gids, &num_gids); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_INVALID_TOKEN; -+ } -+ } -+ -+ for (i=0; i < num_gids; i++) { -+ -+ ok = add_gid_to_array_unique(session_info->unix_token, -+ gids[i], -+ &session_info->unix_token->groups, -+ &session_info->unix_token->ngroups); -+ if (!ok) { -+ TALLOC_FREE(frame); -+ return NT_STATUS_NO_MEMORY; -+ } -+ } -+ TALLOC_FREE(gids); -+ -+ if (hint_flags & AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS) { -+ /* -+ * We should not translate the unix token uid/gids -+ * to S-1-22-X-Y SIDs. -+ */ -+ goto done; -+ } -+ -+ /* -+ * Add the "Unix Group" SID for each gid to catch mapped groups -+ * and their Unix equivalent. This is to solve the backwards -+ * compatibility problem of 'valid users = +ntadmin' where -+ * ntadmin has been paired with "Domain Admins" in the group -+ * mapping table. Otherwise smb.conf would need to be changed -+ * to 'valid user = "Domain Admins"'. --jerry -+ * -+ * For consistency we also add the "Unix User" SID, -+ * so that the complete unix token is represented within -+ * the nt token. 
-+ */ -+ -+ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); -+ status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, -+ &session_info->security_token->sids, -+ &session_info->security_token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ -+ gid_to_unix_groups_sid(session_info->unix_token->gid, &tmp_sid); -+ status = add_sid_to_array_unique(session_info->security_token, &tmp_sid, -+ &session_info->security_token->sids, -+ &session_info->security_token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ -+ for (i=0; i < session_info->unix_token->ngroups; i++ ) { -+ struct security_token *nt_token = session_info->security_token; -+ -+ gid_to_unix_groups_sid(session_info->unix_token->groups[i], -+ &tmp_sid); -+ status = add_sid_to_array_unique(nt_token->sids, -+ &tmp_sid, -+ &nt_token->sids, -+ &nt_token->num_sids); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ } -+ -+done: -+ security_token_debug(DBGC_AUTH, 10, session_info->security_token); -+ if (session_info->unix_token != NULL) { -+ debug_unix_user_token(DBGC_AUTH, 10, -+ session_info->unix_token->uid, -+ session_info->unix_token->gid, -+ session_info->unix_token->ngroups, -+ session_info->unix_token->groups); -+ } -+ -+ status = log_nt_token(session_info->security_token); -+ if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(frame); -+ return status; -+ } -+ -+ *session_info_out = talloc_move(mem_ctx, &session_info); -+ TALLOC_FREE(frame); -+ return NT_STATUS_OK; -+} -+ - /*************************************************************************** - Make (and fill) a server_info struct from a 'struct passwd' by conversion - to a struct samu -diff --git a/source3/auth/proto.h b/source3/auth/proto.h -index d3403f1a929..84e20093218 100644 ---- a/source3/auth/proto.h -+++ b/source3/auth/proto.h -@@ -225,6 +225,38 @@ NTSTATUS create_local_token(TALLOC_CTX 
*mem_ctx, - DATA_BLOB *session_key, - const char *smb_name, - struct auth_session_info **session_info_out); -+ -+/* -+ * The unix name should be constructed as DOMAIN+ACCOUNT, -+ * while '+' will be the "winbind separator" character. -+ */ -+#define AUTH3_UNIX_HINT_QUALIFIED_NAME 0x00000001 -+/* -+ * The unix name will be just ACCOUNT -+ */ -+#define AUTH3_UNIX_HINT_ISLOLATED_NAME 0x00000002 -+/* -+ * Don't translate the nt token SIDS into uid/gids -+ */ -+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS 0x00000004 -+/* -+ * Don't translate the unix token uid/gids to S-1-22-X-Y SIDS -+ */ -+#define AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS 0x00000008 -+/* -+ * The unix token won't get expanded gid values -+ * from getgroups_unix_user() -+ */ -+#define AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS 0x00000010 -+NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc, -+ uid_t uid, -+ gid_t gid, -+ uint32_t flags); -+NTSTATUS auth3_session_info_create(TALLOC_CTX *mem_ctx, -+ const struct auth_user_info_dc *user_info_dc, -+ const char *original_user_name, -+ uint32_t session_info_flags, -+ struct auth_session_info **session_info_out); - NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username, - bool is_guest, - uid_t *uid, gid_t *gid, --- -2.17.0 - - -From 92c6d4d81f801cced97adce4e5a054d226876607 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 7 Mar 2018 00:51:51 +0100 -Subject: [PATCH 15/21] s3:auth: base make_new_session_info_system() on - auth_system_user_info_dc() and auth3_create_session_info() - -The changes in the resulting token look like this: - - unix_token : * - unix_token: struct security_unix_token - uid : 0x0000000000000000 (0) - gid : 0x0000000000000000 (0) -- ngroups : 0x00000000 (0) -- groups: ARRAY(0) -+ ngroups : 0x00000001 (1) -+ groups: ARRAY(1) -+ groups : 0x0000000000000000 (0) - -... 
- - domain_name : * - domain_name : 'NT AUTHORITY' - dns_domain_name : NULL -- full_name : NULL -- logon_script : NULL -- profile_path : NULL -- home_directory : NULL -- home_drive : NULL -- logon_server : NULL -+ full_name : * -+ full_name : 'System' -+ logon_script : * -+ logon_script : '' -+ profile_path : * -+ profile_path : '' -+ home_directory : * -+ home_directory : '' -+ home_drive : * -+ home_drive : '' -+ logon_server : * -+ logon_server : 'SLOWSERVER' - last_logon : NTTIME(0) - last_logoff : NTTIME(0) - acct_expiry : NTTIME(0) - last_password_change : NTTIME(0) - allow_password_change : NTTIME(0) - force_password_change : NTTIME(0) - logon_count : 0x0000 (0) - bad_password_count : 0x0000 (0) -- acct_flags : 0x00000000 (0) -+ acct_flags : 0x00000010 (16) - authenticated : 0x01 (1) - unix_info : * - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(similar to commit e8402ec0486ced6ac2adb640c61a9e5abc77d4e4) -(cherry picked from commit 19026525a2b649f282bb11d55ae1eb5807fc4a3a) ---- - source3/auth/auth_util.c | 123 ++++++++++++++------------------------- - 1 file changed, 43 insertions(+), 80 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 9d6e8020d77..7fc3da22317 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -36,6 +36,7 @@ - #include "../librpc/gen_ndr/idmap.h" - #include "lib/param/loadparm.h" - #include "../lib/tsocket/tsocket.h" -+#include "source4/auth/auth.h" - - #undef DBGC_CLASS - #define DBGC_CLASS DBGC_AUTH -@@ -1295,31 +1296,6 @@ done: - return status; - } - --static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx, -- struct netr_SamInfo3 *info3) --{ -- NTSTATUS status; -- -- /* Set account name */ -- init_lsa_String(&info3->base.account_name, "SYSTEM"); -- -- /* Set domain name */ -- init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY"); -- -- -- status = dom_sid_split_rid(mem_ctx, &global_sid_System, 
-- &info3->base.domain_sid, -- &info3->base.rid); -- if (!NT_STATUS_IS_OK(status)) { -- return status; -- } -- -- /* Primary gid is the same */ -- info3->base.primary_gid = info3->base.rid; -- -- return NT_STATUS_OK; --} -- - static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx, - struct netr_SamInfo3 *info3) - { -@@ -1448,80 +1424,67 @@ done: - static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx, - struct auth_session_info **session_info) - { -+ TALLOC_CTX *frame = talloc_stackframe(); -+ struct auth_user_info_dc *user_info_dc = NULL; -+ uid_t uid = -1; -+ gid_t gid = -1; -+ uint32_t hint_flags = 0; -+ uint32_t session_info_flags = 0; - NTSTATUS status; -- struct auth_serversupplied_info *server_info; -- TALLOC_CTX *tmp_ctx; -- -- tmp_ctx = talloc_stackframe(); -- if (tmp_ctx == NULL) { -- return NT_STATUS_NO_MEMORY; -- } -- -- server_info = make_server_info(tmp_ctx); -- if (!server_info) { -- status = NT_STATUS_NO_MEMORY; -- DEBUG(0, ("failed making server_info\n")); -- goto done; -- } - -- server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3); -- if (!server_info->info3) { -- status = NT_STATUS_NO_MEMORY; -- DEBUG(0, ("talloc failed setting info3\n")); -- goto done; -- } -- -- status = get_system_info3(server_info, server_info->info3); -+ status = auth_system_user_info_dc(frame, lp_netbios_name(), -+ &user_info_dc); - if (!NT_STATUS_IS_OK(status)) { -- DEBUG(0, ("Failed creating system info3 with %s\n", -+ DEBUG(0, ("auth_system_user_info_dc failed: %s\n", - nt_errstr(status))); - goto done; - } - -- server_info->utok.uid = sec_initial_uid(); -- server_info->utok.gid = sec_initial_gid(); -- server_info->unix_name = talloc_asprintf(server_info, -- "NT AUTHORITY%cSYSTEM", -- *lp_winbind_separator()); -- -- if (!server_info->unix_name) { -- status = NT_STATUS_NO_MEMORY; -- DEBUG(0, ("talloc_asprintf failed setting unix_name\n")); -- goto done; -- } -+ /* -+ * Just get the initial uid/gid -+ * and don't expand the unix groups. 
-+ */ -+ uid = sec_initial_uid(); -+ gid = sec_initial_gid(); -+ hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS; - -- server_info->security_token = talloc_zero(server_info, struct security_token); -- if (!server_info->security_token) { -- status = NT_STATUS_NO_MEMORY; -- DEBUG(0, ("talloc failed setting security token\n")); -- goto done; -- } -+ /* -+ * Also avoid sid mapping to gids, -+ * as well as adding the unix_token uid/gids as -+ * S-1-22-X-Y SIDs to the nt token. -+ */ -+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS; -+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS; - -- status = add_sid_to_array_unique(server_info->security_token->sids, -- &global_sid_System, -- &server_info->security_token->sids, -- &server_info->security_token->num_sids); -+ /* -+ * The unix name will be "NT AUTHORITY+SYSTEM", -+ * where '+' is the "winbind separator" character. -+ */ -+ hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME; -+ status = auth3_user_info_dc_add_hints(user_info_dc, -+ uid, -+ gid, -+ hint_flags); - if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", -+ nt_errstr(status))); - goto done; - } - -- /* SYSTEM has all privilages */ -- server_info->security_token->privilege_mask = ~0; -- -- /* Now turn the server_info into a session_info with the full token etc */ -- status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info); -- talloc_free(server_info); -- -+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; -+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; -+ status = auth3_session_info_create(mem_ctx, user_info_dc, -+ user_info_dc->info->account_name, -+ session_info_flags, -+ session_info); - if (!NT_STATUS_IS_OK(status)) { -- DEBUG(0, ("create_local_token failed: %s\n", -+ DEBUG(0, ("auth3_session_info_create failed: %s\n", - nt_errstr(status))); - goto done; - } - -- talloc_steal(mem_ctx, *session_info); -- - done: -- TALLOC_FREE(tmp_ctx); -+ TALLOC_FREE(frame); - return 
status; - } - --- -2.17.0 - - -From c8e19cd979f18eba054b51664d2206493ed8d5e2 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Mar 2018 17:07:11 +0100 -Subject: [PATCH 16/21] s3:auth: pass the whole auth_session_info from - copy_session_info_serverinfo_guest() to create_local_token() - -We only need to adjust sanitized_username in order to keep the same behaviour. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit a2a289d0446fedb4ea40834b5b5b190fdca30906) -(cherry picked from commit c3fdc6157377e71cf354fae5b59b823a4ebaa0eb) ---- - source3/auth/auth_util.c | 51 +++++++++++++++++----------------------- - source3/include/auth.h | 5 ++-- - 2 files changed, 23 insertions(+), 33 deletions(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index 7fc3da22317..a151ac13724 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -500,6 +500,26 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - return NT_STATUS_LOGON_FAILURE; - } - -+ if (server_info->cached_session_info != NULL) { -+ session_info = copy_session_info(mem_ctx, -+ server_info->cached_session_info); -+ if (session_info == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ /* This is a potentially untrusted username for use in %U */ -+ alpha_strcpy(tmp, smb_username, ". 
_-$", sizeof(tmp)); -+ session_info->unix_info->sanitized_username = -+ talloc_strdup(session_info->unix_info, tmp); -+ if (session_info->unix_info->sanitized_username == NULL) { -+ TALLOC_FREE(session_info); -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ *session_info_out = session_info; -+ return NT_STATUS_OK; -+ } -+ - session_info = talloc_zero(mem_ctx, struct auth_session_info); - if (!session_info) { - return NT_STATUS_NO_MEMORY; -@@ -554,30 +574,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, - return status; - } - -- if (server_info->security_token) { -- /* Just copy the token, it has already been finalised -- * (nasty hack to support a cached guest/system session_info -- */ -- -- session_info->security_token = dup_nt_token(session_info, server_info->security_token); -- if (!session_info->security_token) { -- TALLOC_FREE(session_info); -- return NT_STATUS_NO_MEMORY; -- } -- -- session_info->unix_token->ngroups = server_info->utok.ngroups; -- if (server_info->utok.ngroups != 0) { -- session_info->unix_token->groups = (gid_t *)talloc_memdup( -- session_info->unix_token, server_info->utok.groups, -- sizeof(gid_t)*session_info->unix_token->ngroups); -- } else { -- session_info->unix_token->groups = NULL; -- } -- -- *session_info_out = session_info; -- return NT_STATUS_OK; -- } -- - /* - * If winbind is not around, we can not make much use of the SIDs the - * domain controller provided us with. 
Likewise if the user name was -@@ -1586,12 +1582,6 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO - * to take the wrong path */ - SMB_ASSERT(src->security_token); - -- dst->security_token = dup_nt_token(dst, src->security_token); -- if (!dst->security_token) { -- TALLOC_FREE(dst); -- return NULL; -- } -- - dst->session_key = data_blob_talloc( dst, src->session_key.data, - src->session_key.length); - -@@ -1612,6 +1602,7 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO - return NULL; - } - -+ dst->cached_session_info = src; - return dst; - } - -diff --git a/source3/include/auth.h b/source3/include/auth.h -index d3055373964..31a1f201835 100644 ---- a/source3/include/auth.h -+++ b/source3/include/auth.h -@@ -34,15 +34,14 @@ struct auth_serversupplied_info { - struct security_unix_token utok; - - /* -- * NT group information taken from the info3 structure -+ * A complete auth_session_info - * - * This is not normally filled in, during the typical - * authentication process. If filled in, it has already been - * finalised by a nasty hack to support a cached guest/system - * session_info - */ -- -- struct security_token *security_token; -+ const struct auth_session_info *cached_session_info; - - /* These are the intermediate session keys, as provided by a - * NETLOGON server and used by NTLMSSP to negotiate key --- -2.17.0 - - -From 86475067dbe32ea21081d67115035a62b9802e1c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Mar 2018 14:39:44 +0100 -Subject: [PATCH 17/21] s3:auth: add make_{server,session}_info_anonymous() - -It's important to have them separated from make_{server,session}_info_guest(), -because there's a fundamental difference between anonymous (the client requested -no authentication) and guest (the server lies about the authentication failure). 
- -The following is the difference between guest and anonymous token: - - security_token: struct security_token -- num_sids : 0x0000000a (10) -- sids: ARRAY(10) -- sids : S-1-5-21-3793881525-3372187982-3724979742-501 -- sids : S-1-5-21-3793881525-3372187982-3724979742-514 -- sids : S-1-22-2-65534 -- sids : S-1-22-2-65533 -+ num_sids : 0x00000009 (9) -+ sids: ARRAY(9) -+ sids : S-1-5-7 - sids : S-1-1-0 - sids : S-1-5-2 -- sids : S-1-5-32-546 - sids : S-1-22-1-65533 -+ sids : S-1-22-2-65534 -+ sids : S-1-22-2-100004 - sids : S-1-22-2-100002 - sids : S-1-22-2-100003 -+ sids : S-1-22-2-65533 - privilege_mask : 0x0000000000000000 (0) - -... - - unix_token : * - unix_token: struct security_unix_token - uid : 0x000000000000fffd (65533) - gid : 0x000000000000fffe (65534) -- ngroups : 0x00000004 (4) -- groups: ARRAY(4) -+ ngroups : 0x00000005 (5) -+ groups: ARRAY(5) - groups : 0x000000000000fffe (65534) -- groups : 0x000000000000fffd (65533) -+ groups : 0x00000000000186a4 (100004) - groups : 0x00000000000186a2 (100002) - groups : 0x00000000000186a3 (100003) -+ groups : 0x000000000000fffd (65533) - - info: struct auth_user_info - account_name : * -- account_name : 'nobody' -+ account_name : 'ANONYMOUS LOGON' - user_principal_name : NULL - user_principal_constructed: 0x00 (0) - domain_name : * -- domain_name : 'SAMBA-TEST' -+ domain_name : 'NT AUTHORITY' - dns_domain_name : NULL -- full_name : NULL -- logon_script : NULL -- profile_path : NULL -- home_directory : NULL -- home_drive : NULL -- logon_server : NULL -+ full_name : * -+ full_name : 'Anonymous Logon' -+ logon_script : * -+ logon_script : '' -+ profile_path : * -+ profile_path : '' -+ home_directory : * -+ home_directory : '' -+ home_drive : * -+ home_drive : '' -+ logon_server : * -+ logon_server : 'LOCALNT4DC2' - last_logon : NTTIME(0) - last_logoff : NTTIME(0) - acct_expiry : NTTIME(0) - last_password_change : NTTIME(0) - allow_password_change : NTTIME(0) - force_password_change : NTTIME(0) - logon_count : 0x0000 
(0) - bad_password_count : 0x0000 (0) -- acct_flags : 0x00000000 (0) -+ acct_flags : 0x00000010 (16) - authenticated : 0x00 (0) - security_token: struct security_token - num_sids : 0x00000006 (6) - sids: ARRAY(6) -+ sids : S-1-5-7 -+ sids : S-1-1-0 -+ sids : S-1-5-2 - sids : S-1-22-1-65533 - sids : S-1-22-2-65534 - sids : S-1-22-2-65533 -- sids : S-1-1-0 -- sids : S-1-5-2 -- sids : S-1-5-32-546 - privilege_mask : 0x0000000000000000 (0) - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme - -(similar to commit 6afb6b67a198c88ab8fa3fee931729c43605716d) - -(cherry picked from commit 8f69498ab6fa85dc3d23a1453224a654a9bedead) ---- - source3/auth/auth_util.c | 143 ++++++++++++++++++++++++++++++++++++++- - source3/auth/proto.h | 4 ++ - 2 files changed, 146 insertions(+), 1 deletion(-) - -diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c -index a151ac13724..a1dde2cc7be 100644 ---- a/source3/auth/auth_util.c -+++ b/source3/auth/auth_util.c -@@ -1484,6 +1484,87 @@ done: - return status; - } - -+static NTSTATUS make_new_session_info_anonymous(TALLOC_CTX *mem_ctx, -+ struct auth_session_info **session_info) -+{ -+ TALLOC_CTX *frame = talloc_stackframe(); -+ const char *guest_account = lp_guest_account(); -+ struct auth_user_info_dc *user_info_dc = NULL; -+ struct passwd *pwd = NULL; -+ uint32_t hint_flags = 0; -+ uint32_t session_info_flags = 0; -+ NTSTATUS status; -+ -+ /* -+ * We use the guest account for the unix token -+ * while we use a true anonymous nt token. -+ * -+ * It's very important to have a separate -+ * nt token for anonymous. 
-+ */ -+ -+ pwd = Get_Pwnam_alloc(frame, guest_account); -+ if (pwd == NULL) { -+ DBG_ERR("Unable to locate guest account [%s]!\n", -+ guest_account); -+ status = NT_STATUS_NO_SUCH_USER; -+ goto done; -+ } -+ -+ status = auth_anonymous_user_info_dc(frame, lp_netbios_name(), -+ &user_info_dc); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("auth_anonymous_user_info_dc failed: %s\n", -+ nt_errstr(status))); -+ goto done; -+ } -+ -+ /* -+ * Note we don't pass AUTH3_UNIX_HINT_QUALIFIED_NAME -+ * nor AUTH3_UNIX_HINT_ISOLATED_NAME here -+ * as we want the unix name be found by getpwuid_alloc(). -+ */ -+ -+ status = auth3_user_info_dc_add_hints(user_info_dc, -+ pwd->pw_uid, -+ pwd->pw_gid, -+ hint_flags); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n", -+ nt_errstr(status))); -+ goto done; -+ } -+ -+ /* -+ * In future we may want to remove -+ * AUTH_SESSION_INFO_DEFAULT_GROUPS. -+ * -+ * Similar to Windows with EveryoneIncludesAnonymous -+ * and RestrictAnonymous. -+ * -+ * We may introduce AUTH_SESSION_INFO_ANON_WORLD... -+ * -+ * But for this is required to keep the existing tests -+ * working. 
-+ */ -+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; -+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; -+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; -+ status = auth3_session_info_create(mem_ctx, user_info_dc, -+ "", -+ session_info_flags, -+ session_info); -+ if (!NT_STATUS_IS_OK(status)) { -+ DEBUG(0, ("auth3_session_info_create failed: %s\n", -+ nt_errstr(status))); -+ goto done; -+ } -+ -+done: -+ TALLOC_FREE(frame); -+ return status; -+} -+ - /**************************************************************************** - Fake a auth_session_info just from a username (as a - session_info structure, with create_local_token() already called on -@@ -1661,15 +1742,30 @@ bool session_info_set_session_key(struct auth_session_info *info, - } - - static struct auth_session_info *guest_info = NULL; -+static struct auth_session_info *anonymous_info = NULL; - - static struct auth_serversupplied_info *guest_server_info = NULL; - - bool init_guest_info(void) - { -+ NTSTATUS status; -+ - if (guest_info != NULL) - return true; - -- return NT_STATUS_IS_OK(make_new_session_info_guest(&guest_info, &guest_server_info)); -+ status = make_new_session_info_guest(&guest_info, -+ &guest_server_info); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } -+ -+ status = make_new_session_info_anonymous(NULL, -+ &anonymous_info); -+ if (!NT_STATUS_IS_OK(status)) { -+ return false; -+ } -+ -+ return true; - } - - NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, -@@ -1690,6 +1786,51 @@ NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, - return (*session_info != NULL) ? 
NT_STATUS_OK : NT_STATUS_NO_MEMORY; - } - -+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, -+ struct auth_serversupplied_info **server_info) -+{ -+ if (anonymous_info == NULL) { -+ return NT_STATUS_UNSUCCESSFUL; -+ } -+ -+ /* -+ * This is trickier than it would appear to need to be because -+ * we are trying to avoid certain costly operations when the -+ * structure is converted to a 'auth_session_info' again in -+ * create_local_token() -+ * -+ * We use a guest server_info, but with the anonymous session info, -+ * which means create_local_token() will return a copy -+ * of the anonymous token. -+ * -+ * The server info is just used as legacy in order to -+ * keep existing code working. Maybe some debug messages -+ * will still refer to guest instead of anonymous. -+ */ -+ *server_info = copy_session_info_serverinfo_guest(mem_ctx, anonymous_info, -+ guest_server_info); -+ if (*server_info == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ return NT_STATUS_OK; -+} -+ -+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, -+ struct auth_session_info **session_info) -+{ -+ if (anonymous_info == NULL) { -+ return NT_STATUS_UNSUCCESSFUL; -+ } -+ -+ *session_info = copy_session_info(mem_ctx, anonymous_info); -+ if (*session_info == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ return NT_STATUS_OK; -+} -+ - static struct auth_session_info *system_info = NULL; - - NTSTATUS init_system_session_info(void) -diff --git a/source3/auth/proto.h b/source3/auth/proto.h -index 84e20093218..0ce34742ab6 100644 ---- a/source3/auth/proto.h -+++ b/source3/auth/proto.h -@@ -284,6 +284,10 @@ NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info **server_info); - NTSTATUS make_session_info_guest(TALLOC_CTX *mem_ctx, - struct auth_session_info **server_info); -+NTSTATUS make_server_info_anonymous(TALLOC_CTX *mem_ctx, -+ struct auth_serversupplied_info **server_info); -+NTSTATUS make_session_info_anonymous(TALLOC_CTX *mem_ctx, -+ struct 
auth_session_info **psession_info); - NTSTATUS make_session_info_system(TALLOC_CTX *mem_ctx, - struct auth_session_info **session_info); - const struct auth_session_info *get_session_info_system(void); --- -2.17.0 - - -From 001dcfa09cbe00feaed7be6355e63cd44d4d7cfd Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Mar 2018 14:40:19 +0100 -Subject: [PATCH 18/21] s3:rpc_server: make use of - make_session_info_anonymous() - -For unauthenticated connections we should default to a -session info with an anonymous nt token. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -(cherry picked from commit 0ee9a550944034718ea188b277cca4b6fc5fbc5c) -(cherry picked from commit 47b13364bed551fb9480ff8ac500d6251fae7b72) ---- - source3/rpc_server/rpc_server.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c -index e15cd205cdc..4f196dec76e 100644 ---- a/source3/rpc_server/rpc_server.c -+++ b/source3/rpc_server/rpc_server.c -@@ -1104,14 +1104,11 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx, - } - - if (ncacn_conn->session_info == NULL) { -- /* -- * TODO: use auth_anonymous_session_info() here? 
-- */ -- status = make_session_info_guest(ncacn_conn, -- &ncacn_conn->session_info); -+ status = make_session_info_anonymous(ncacn_conn, -+ &ncacn_conn->session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to create " -- "make_session_info_guest - %s\n", -+ "make_session_info_anonymous - %s\n", - nt_errstr(status))); - talloc_free(ncacn_conn); - return; --- -2.17.0 - - -From 825ec4ad86285315a5ff3285c33ca7c876dc18a8 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 2 Mar 2018 14:40:19 +0100 -Subject: [PATCH 19/21] s3:auth: make use of - make_{server,session}_info_anonymous() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's important to have them separated from make_{server,session}_info_guest(), -because there's a fundamental difference between anonymous (the client requested -no authentication) and guest (the server lies about the authentication failure). - -When it's really an anonymous connection, we should reflect that in the -resulting session info. - -This should fix a problem where Windows 10 tries to join -a Samba hosted NT4 domain and has SMB2/3 enabled. - -We no longer return SMB_SETUP_GUEST or SMB2_SESSION_FLAG_IS_GUEST -for true anonymous connections. - -The commit message from a few commit before shows the resulting -auth_session_info change. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Fri Mar 16 03:03:31 CET 2018 on sn-devel-144 - -(cherry picked from commit 1957bf11f127fc08c6622999cadc7dd580ac7d3b) -(cherry picked from commit 6c1dde631da2f5b41682210eca40f9d363168696) ---- - selftest/knownfail.d/anonymous-guest | 1 - - source3/auth/auth_builtin.c | 2 +- - source3/auth/auth_ntlmssp.c | 5 +---- - 3 files changed, 2 insertions(+), 6 deletions(-) - delete mode 100644 selftest/knownfail.d/anonymous-guest - -diff --git a/selftest/knownfail.d/anonymous-guest b/selftest/knownfail.d/anonymous-guest -deleted file mode 100644 -index a134cece3d5..00000000000 ---- a/selftest/knownfail.d/anonymous-guest -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.smbtorture_s3.*nt4_dc.*.SMB2-ANONYMOUS.smbtorture -diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c -index 0fa95d9f16d..a2d95a77330 100644 ---- a/source3/auth/auth_builtin.c -+++ b/source3/auth/auth_builtin.c -@@ -81,7 +81,7 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, - break; - } - -- return make_server_info_guest(NULL, server_info); -+ return make_server_info_anonymous(NULL, server_info); - } - - /* Guest modules initialisation */ -diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c -index fd629fd9a03..2e345e17571 100644 ---- a/source3/auth/auth_ntlmssp.c -+++ b/source3/auth/auth_ntlmssp.c -@@ -65,10 +65,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, - - cmp = dom_sid_compare(sid, &global_sid_Anonymous); - if (cmp == 0) { -- /* -- * TODO: use auth_anonymous_session_info() here? 
-- */ -- return make_session_info_guest(mem_ctx, session_info); -+ return make_session_info_anonymous(mem_ctx, session_info); - } - - return NT_STATUS_INTERNAL_ERROR; --- -2.17.0 - - -From 48646ffe1c60854d832c80f42c1236e43d5b1fb9 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 9 Jan 2018 08:55:48 +0100 -Subject: [PATCH 20/21] s3:libsmb: allow -U"\\administrator" to work - -cli_credentials_get_principal() returns NULL in that case. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87) -(cherry picked from commit 4c087a0e9e8ffd797e810f7dc21d630fd6833eed) ---- - source3/libsmb/cliconnect.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index 70bcead445e..d819e4c62f2 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -283,8 +283,9 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - - auth_requested = cli_credentials_authentication_requested(creds); - if (auth_requested) { -+ errno = 0; - user_principal = cli_credentials_get_principal(creds, frame); -- if (user_principal == NULL) { -+ if (errno != 0) { - TALLOC_FREE(frame); - return NT_STATUS_NO_MEMORY; - } -@@ -299,6 +300,10 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, - try_kerberos = true; - } - -+ if (user_principal == NULL) { -+ try_kerberos = false; -+ } -+ - if (target_hostname == NULL) { - try_kerberos = false; - } else if (is_ipaddress(target_hostname)) { --- -2.17.0 - - -From 38c3a25e80d7dfdef3edf330117a43a1acded21d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Tue, 9 Jan 2018 08:57:05 +0100 -Subject: [PATCH 21/21] s3:cliconnect.c: remove useless ';' - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett -(cherry picked from 
commit e039e9b0d2a16b21ace019b028e5c8244486b8a3) -(cherry picked from commit 04cc8936c3f90bf3bbb05bce25c55212c8f0823b) ---- - source3/libsmb/cliconnect.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c -index d819e4c62f2..8c815659c80 100644 ---- a/source3/libsmb/cliconnect.c -+++ b/source3/libsmb/cliconnect.c -@@ -1289,7 +1289,7 @@ static struct tevent_req *cli_session_setup_spnego_send( - - status = cli_session_creds_prepare_krb5(cli, creds); - if (tevent_req_nterror(req, status)) { -- return tevent_req_post(req, ev);; -+ return tevent_req_post(req, ev); - } - - subreq = cli_session_setup_gensec_send(state, ev, cli, creds, --- -2.17.0 - diff --git a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch b/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch deleted file mode 100644 index cc1aaec..0000000 --- a/SOURCES/samba-4.7-fix_smb2_client_read_after_free.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 29 Nov 2017 09:21:30 -0800 -Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in - cli_smb2_close_fnum_recv(). -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which -frees req, then uses the state pointer which was owned by req. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171 - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Böhme - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144 - -(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787) ---- - source3/libsmb/cli_smb2_fnum.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c -index 5d46d543002..237e6bb2b54 100644 ---- a/source3/libsmb/cli_smb2_fnum.c -+++ b/source3/libsmb/cli_smb2_fnum.c -@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req) - { - struct cli_smb2_close_fnum_state *state = tevent_req_data( - req, struct cli_smb2_close_fnum_state); -- NTSTATUS status = tevent_req_simple_recv_ntstatus(req); -- state->cli->raw_status = status; -+ NTSTATUS status = NT_STATUS_OK; -+ -+ if (tevent_req_is_nterror(req, &status)) { -+ state->cli->raw_status = status; -+ } -+ tevent_req_received(req); - return status; - } - --- -2.15.0.531.g2ccb3012c9-goog - diff --git a/SOURCES/samba-4.7-fix_smbclient_volume.patch b/SOURCES/samba-4.7-fix_smbclient_volume.patch deleted file mode 100644 index 1f0692a..0000000 --- a/SOURCES/samba-4.7-fix_smbclient_volume.patch +++ /dev/null 
@@ -1,165 +0,0 @@ -From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 14 Nov 2017 13:52:03 -0800 -Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2 - calls. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andreas Schneider -(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea) ---- - source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++ - source3/libsmb/cli_smb2_fnum.h | 6 +++ - source3/libsmb/clifsinfo.c | 9 ++++ - 3 files changed, 112 insertions(+) - -diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c -index a478c41f068..89cb1f479d5 100644 ---- a/source3/libsmb/cli_smb2_fnum.c -+++ b/source3/libsmb/cli_smb2_fnum.c -@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path, - return status; - } - -+/*************************************************************** -+ Wrapper that allows SMB2 to query file system sizes. -+ Synchronous only. -+***************************************************************/ -+ -+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli, -+ uint64_t *total_allocation_units, -+ uint64_t *caller_allocation_units, -+ uint64_t *actual_allocation_units, -+ uint64_t *sectors_per_allocation_unit, -+ uint64_t *bytes_per_sector) -+{ -+ NTSTATUS status; -+ uint16_t fnum = 0xffff; -+ DATA_BLOB outbuf = data_blob_null; -+ struct smb2_hnd *ph = NULL; -+ TALLOC_CTX *frame = talloc_stackframe(); -+ -+ if (smbXcli_conn_has_async_calls(cli->conn)) { -+ /* -+ * Can't use sync call while an async call is in flight -+ */ -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto fail; -+ } -+ -+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) { -+ status = NT_STATUS_INVALID_PARAMETER; -+ goto fail; -+ } -+ -+ /* First open the top level directory. 
*/ -+ status = -+ cli_smb2_create_fnum(cli, "", 0, /* create_flags */ -+ FILE_READ_ATTRIBUTES, /* desired_access */ -+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */ -+ FILE_SHARE_READ | FILE_SHARE_WRITE | -+ FILE_SHARE_DELETE, /* share_access */ -+ FILE_OPEN, /* create_disposition */ -+ FILE_DIRECTORY_FILE, /* create_options */ -+ &fnum, -+ NULL); -+ -+ if (!NT_STATUS_IS_OK(status)) { -+ goto fail; -+ } -+ -+ status = map_fnum_to_smb2_handle(cli, fnum, &ph); -+ if (!NT_STATUS_IS_OK(status)) { -+ goto fail; -+ } -+ -+ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2), -+ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */ -+ -+ status = smb2cli_query_info(cli->conn, -+ cli->timeout, -+ cli->smb2.session, -+ cli->smb2.tcon, -+ SMB2_GETINFO_FS, /* in_info_type */ -+ /* in_file_info_class */ -+ SMB_FS_FULL_SIZE_INFORMATION - 1000, -+ 0xFFFF, /* in_max_output_length */ -+ NULL, /* in_input_buffer */ -+ 0, /* in_additional_info */ -+ 0, /* in_flags */ -+ ph->fid_persistent, -+ ph->fid_volatile, -+ frame, -+ &outbuf); -+ if (!NT_STATUS_IS_OK(status)) { -+ goto fail; -+ } -+ -+ if (outbuf.length < 32) { -+ status = NT_STATUS_INVALID_NETWORK_RESPONSE; -+ goto fail; -+ } -+ -+ *total_allocation_units = BIG_UINT(outbuf.data, 0); -+ *caller_allocation_units = BIG_UINT(outbuf.data, 8); -+ *actual_allocation_units = BIG_UINT(outbuf.data, 16); -+ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24); -+ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28); -+ -+fail: -+ -+ if (fnum != 0xffff) { -+ cli_smb2_close_fnum(cli, fnum); -+ } -+ -+ cli->raw_status = status; -+ -+ TALLOC_FREE(frame); -+ return status; -+} -+ - /*************************************************************** - Wrapper that allows SMB2 to query file system attributes. - Synchronous only. 
-diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h -index 9a709e85d96..c9325b66902 100644 ---- a/source3/libsmb/cli_smb2_fnum.h -+++ b/source3/libsmb/cli_smb2_fnum.h -@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, - uint64_t *total, - uint64_t *avail); - NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr); -+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli, -+ uint64_t *total_allocation_units, -+ uint64_t *caller_allocation_units, -+ uint64_t *actual_allocation_units, -+ uint64_t *sectors_per_allocation_unit, -+ uint64_t *bytes_per_sector); - NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli, - uint16_t fnum, - uint32_t sec_info, -diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c -index 119b1216fb2..46236390022 100644 ---- a/source3/libsmb/clifsinfo.c -+++ b/source3/libsmb/clifsinfo.c -@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli, - uint32_t rdata_count; - NTSTATUS status; - -+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) { -+ return cli_smb2_get_fs_full_size_info(cli, -+ total_allocation_units, -+ caller_allocation_units, -+ actual_allocation_units, -+ sectors_per_allocation_unit, -+ bytes_per_sector); -+ } -+ - SSVAL(setup, 0, TRANSACT2_QFSINFO); - SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION); - --- -2.15.0.448.gf294e3d99a-goog - diff --git a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch b/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch deleted file mode 100644 index e9d581c..0000000 --- a/SOURCES/samba-4.7-handle_smb_echo_gracefully.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 8 Sep 2017 16:20:34 -0700 -Subject: [PATCH] libsmbclient: Allow server (NetApp) to return - STATUS_INVALID_PARAMETER from an echo. - -It does this if we send a session ID of zero. The server still replied. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007 - -Signed-off-by: Jeremy Allison -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144 - -(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142) ---- - source3/client/client.c | 8 +++++++- - source3/libsmb/libsmb_server.c | 11 ++++++++++- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/source3/client/client.c b/source3/client/client.c -index b4a6c7d0389..9c57375881d 100644 ---- a/source3/client/client.c -+++ b/source3/client/client.c -@@ -5900,7 +5900,13 @@ static void readline_callback(void) - /* Ping the server to keep the connection alive using SMBecho. */ - memset(garbage, 0xf0, sizeof(garbage)); - status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage))); -- if (NT_STATUS_IS_OK(status)) { -+ if (NT_STATUS_IS_OK(status) || -+ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { -+ /* -+ * Even if server returns NT_STATUS_INVALID_PARAMETER -+ * it still responded. -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007 -+ */ - return; - } - -diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c -index b0e5926fa65..2d41f2facf3 100644 ---- a/source3/libsmb/libsmb_server.c -+++ b/source3/libsmb/libsmb_server.c -@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context, - 1, - data_blob_const(data, sizeof(data))); - if (!NT_STATUS_IS_OK(status)) { -- return 1; -+ /* -+ * Some NetApp servers return -+ * NT_STATUS_INVALID_PARAMETER.That's OK, they still -+ * replied. 
-+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007 -+ */ -+ if (!NT_STATUS_EQUAL(status, -+ NT_STATUS_INVALID_PARAMETER)) { -+ return 1; -+ } - } - server->last_echo_time = now; - } --- -2.15.0.448.gf294e3d99a-goog - diff --git a/SOURCES/samba-4.7-net_ads_keytab_list.patch b/SOURCES/samba-4.7-net_ads_keytab_list.patch deleted file mode 100644 index f77b271..0000000 --- a/SOURCES/samba-4.7-net_ads_keytab_list.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Thu, 23 Nov 2017 15:55:21 +0000 -Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name - malformed" - -When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open -instead, this function will determine the correct keytab to use. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166 - -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463) ---- - source3/libads/kerberos_keytab.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index ff12ec04af6..ffd100c5636 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name) - return ret; - } - -- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab); -+ if (keytab_name == NULL) { -+ ret = ads_keytab_open(context, &keytab); -+ } else { -+ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab); -+ } - if (ret) { - DEBUG(1, ("smb_krb5_kt_open failed (%s)\n", - error_message(ret))); --- -2.15.0 - - -From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001 -From: Noel Power -Date: Fri, 24 Nov 2017 07:06:27 +0000 -Subject: [PATCH 2/2] testprogs: Test net ads keytab list - -Test that correct keytab is picked up. 
- -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166 - -Signed-off-by: Noel Power -Reviewed-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2) ---- - testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh -index bbd99b676bd..c5dbaf69ba2 100755 ---- a/testprogs/blackbox/test_net_ads.sh -+++ b/testprogs/blackbox/test_net_ads.sh -@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai - testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1` - - testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -+ -+# if there is no keytab, try and create it -+if [ ! -f $dedicated_keytab_file ]; then -+ if [ $(command -v ktutil) >/dev/null ]; then -+ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil -+ fi -+fi -+ -+if [ -f $dedicated_keytab_file ]; then -+ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1` -+ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1` -+fi -+ - rm -f $dedicated_keytab_file - - testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1` --- -2.15.0 - diff --git a/SOURCES/samba-4.7.1.tar.asc b/SOURCES/samba-4.7.1.tar.asc deleted file mode 100644 index 78fce48..0000000 --- a/SOURCES/samba-4.7.1.tar.asc +++ /dev/null 
@@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq -uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew== -=LZI3 ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.8.3-fix_krb5_plugins.patch b/SOURCES/samba-4.8.3-fix_krb5_plugins.patch new file mode 100644 index 0000000..86aeadb --- /dev/null +++ b/SOURCES/samba-4.8.3-fix_krb5_plugins.patch 
@@ -0,0 +1,270 @@ +From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Jun 2018 14:06:39 +0200 +Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + nsswitch/wscript_build | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build +index 15e93db2f05..576855bb56c 100644 +--- a/nsswitch/wscript_build ++++ b/nsswitch/wscript_build +@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'): + ) + + if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): +- bld.SAMBA_LIBRARY('winbind_krb5_locator', +- source='winbind_krb5_locator.c', +- deps='wbclient krb5 com_err', +- realname='winbind_krb5_locator.so') ++ bld.SAMBA_LIBRARY('winbind_krb5_locator', ++ source='winbind_krb5_locator.c', ++ deps='wbclient krb5 com_err', ++ realname='winbind_krb5_locator.so', ++ install_path='${MODULESDIR}/krb5') + + if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'): + bld.SAMBA_LIBRARY('winbind_krb5_localauth', + source='krb5_plugin/winbind_krb5_localauth.c', + deps='wbclient krb5 com_err', +- realname='winbind-krb5-localauth.so') ++ realname='winbind_krb5_localauth.so', ++ install_path='${MODULESDIR}/krb5') + + bld.SAMBA_SUBSYSTEM('WB_REQTRANS', + source='wb_reqtrans.c', +-- +2.17.1 + + +From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Jun 2018 14:08:56 +0200 +Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin + subdir + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0 + nsswitch/wscript_build | 2 +- + 2 files changed, 1 insertion(+), 1 deletion(-) + rename nsswitch/{ 
=> krb5_plugin}/winbind_krb5_locator.c (100%) + +diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c +similarity index 100% +rename from nsswitch/winbind_krb5_locator.c +rename to nsswitch/krb5_plugin/winbind_krb5_locator.c +diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build +index 576855bb56c..dd1952b799b 100644 +--- a/nsswitch/wscript_build ++++ b/nsswitch/wscript_build +@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'): + + if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): + bld.SAMBA_LIBRARY('winbind_krb5_locator', +- source='winbind_krb5_locator.c', ++ source='krb5_plugin/winbind_krb5_locator.c', + deps='wbclient krb5 com_err', + realname='winbind_krb5_locator.so', + install_path='${MODULESDIR}/krb5') +-- +2.17.1 + + +From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Jun 2018 15:14:15 +0200 +Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8 + +The vfs and idmap manpages are in volume 8 too. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + ...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++--- + docs-xml/wscript_build | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%) + +diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml +similarity index 96% +rename from docs-xml/manpages/winbind_krb5_locator.7.xml +rename to docs-xml/manpages/winbind_krb5_locator.8.xml +index 17e401a9da0..0af0c2cc95f 100644 +--- a/docs-xml/manpages/winbind_krb5_locator.7.xml ++++ b/docs-xml/manpages/winbind_krb5_locator.8.xml +@@ -1,12 +1,12 @@ + + +- ++ + + + winbind_krb5_locator +- 7 ++ 8 + Samba +- 7 ++ 8 + &doc.version; + + +diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build +index 954c62a29bc..2d686eb38b0 100644 +--- a/docs-xml/wscript_build ++++ b/docs-xml/wscript_build +@@ -103,7 +103,7 @@ pam_winbind_manpages = ''' + manpages/pam_winbind.conf.5 + ''' + +-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7' ++krb5_locator_manpages = 'manpages/winbind_krb5_locator.8' + + def smbdotconf_generate_parameter_list(task): + parameter_all = task.outputs[0].bldpath(task.env) +-- +2.17.1 + + +From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Jun 2018 15:06:07 +0200 +Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +--- + .../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++ + docs-xml/wscript_build | 4 + + 2 files changed, 90 insertions(+) + create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml + +diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml 
b/docs-xml/manpages/winbind_krb5_localauth.8.xml +new file mode 100644 +index 00000000000..a382e71ead3 +--- /dev/null ++++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml +@@ -0,0 +1,86 @@ ++ ++ ++ ++ ++ ++ winbind_krb5_localauth ++ 8 ++ Samba ++ 8 ++ &doc.version; ++ ++ ++ ++ ++ winbind_krb5_localauth ++ A plugin for MIT Kerberos for mapping user accounts. ++ ++ ++ ++ ++ DESCRIPTION ++ ++ ++ This plugin is part of the ++ samba ++ 7 suite. ++ ++ ++ ++ winbind_krb5_localauth is a plugin that ++ permits the MIT Kerberos libraries that Kerberos principals can ++ be validated against local user accounts. ++ ++ ++ ++ PREREQUISITES ++ ++ MIT Kerberos (at least version 1.12) is required. ++ ++ ++ ++ The plugin queries the winbindd ++ 8 daemon which needs to be configured ++ and started separately. ++ ++ ++ ++ The following sections needs to be added to the ++ krb5.conf file. ++ ++ ++[plugins] ++ localauth = { ++ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so ++ enable_only = winbind ++ } ++ ++ ++ ++ ++ ++ VERSION ++ ++ ++ This man page is part of version &doc.version; of the Samba ++ suite. ++ ++ ++ ++ ++ AUTHOR ++ ++ ++ The original Samba software and related utilities were created ++ by Andrew Tridgell. Samba is now developed by the Samba Team as ++ an Open Source project similar to the way the Linux kernel is ++ developed. ++ ++ ++ ++ The winbind_krb5_localauth manpage was written by Andreas ++ Schneider. 
++ ++ ++ ++ +diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build +index 2d686eb38b0..ec5d28fc62a 100644 +--- a/docs-xml/wscript_build ++++ b/docs-xml/wscript_build +@@ -104,6 +104,7 @@ pam_winbind_manpages = ''' + ''' + + krb5_locator_manpages = 'manpages/winbind_krb5_locator.8' ++krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8' + + def smbdotconf_generate_parameter_list(task): + parameter_all = task.outputs[0].bldpath(task.env) +@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']): + if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): + bld.SAMBAMANPAGES(krb5_locator_manpages) + ++ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'): ++ bld.SAMBAMANPAGES(krb5_localauth_manpages) ++ + if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'): + bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8') +-- +2.17.1 + diff --git a/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch b/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch new file mode 100644 index 0000000..f3b9d89 --- /dev/null +++ b/SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch 
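Review bot: The localauth plugin is renamed from `winbind-krb5-localauth.so` to `winbind_krb5_localauth.so` and both plugins move to `${MODULESDIR}/krb5`, so an existing krb5.conf `[plugins]` entry that names the old path no longer resolves; the spec changelog or commit message should call that out as a configuration-visible change. The new manpage example hardcodes `module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so`, which is only right on lib64 layouts — describe it as the `${MODULESDIR}/krb5` install directory and note that the path varies by platform. The manpage should also state that `enable_only = winbind` switches off MIT's built-in localauth modules, so winbindd alone decides which principals may log in to a local account; that is the security-relevant consequence of the suggested configuration and is currently unstated. The DESCRIPTION sentence `permits the MIT Kerberos libraries that Kerberos principals can be validated against local user accounts` is ungrammatical; suggest `allows the MIT Kerberos libraries to validate Kerberos principals against local user accounts`.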
@@ -0,0 +1,216 @@ +From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 2 Jul 2018 16:18:52 +0200 +Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c) +--- + nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++----- + selftest/knownfail.d/upn_handling | 2 + + source3/selftest/tests.py | 4 +- + 3 files changed, 66 insertions(+), 11 deletions(-) + +diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh +index 2803ac1408b..da30f97be74 100755 +--- a/nsswitch/tests/test_wbinfo_user_info.sh ++++ b/nsswitch/tests/test_wbinfo_user_info.sh +@@ -2,19 +2,20 @@ + # Blackbox test for wbinfo lookup for account name and upn + # Copyright (c) 2018 Andreas Schneider + +-if [ $# -lt 5 ]; then ++if [ $# -lt 6 ]; then + cat < +Date: Mon, 2 Jul 2018 16:38:01 +0200 +Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144 + +(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c) +--- + selftest/knownfail.d/upn_handling | 2 -- + source3/winbindd/winbindd_util.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling +index 7dc9b71dc5e..bcbedb4f903 100644 +--- a/selftest/knownfail.d/upn_handling ++++ b/selftest/knownfail.d/upn_handling +@@ -1,10 +1,8 @@ + ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member + 
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member +-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member + ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc + ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc + ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc + ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc + ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc + ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc +-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index aa633419c9a..7a5fb73cdef 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser, + } else if (assume_domain(lp_workgroup())) { + fstrcpy(domain, lp_workgroup()); + fstrcpy(namespace, domain); ++ } else { ++ fstrcpy(namespace, lp_netbios_name()); + } + } + +-- +2.13.6 + diff --git a/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch b/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch new file mode 100644 index 0000000..6ee5623 --- /dev/null +++ b/SOURCES/samba-4.8.3-smbclient_quiet_argument.patch 
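Review bot: The new `else` branch in `parse_domain_user` sets `namespace` to `lp_netbios_name()` without saying why; the intent (an unqualified name stays in the local machine's namespace so local system accounts are no longer looked up in AD, per the subject and bug 13503) lives only in the commit message, so add a comment above it, e.g. `/* Unqualified name: keep it in the local namespace so local accounts are not looked up in AD (bug 13503). */`. `fstrcpy` truncates silently, which is presumably acceptable here only because NetBIOS names are short; a word on that in the same comment would spare the next reader the check. `parse_domain_user` starts and ends outside the hunk, so what `domain` holds on this path is not visible here. The first patch of the series is cut on this page after `cat <` in test_wbinfo_user_info.sh, so the tests it adds cannot be reviewed from this view.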
@@ -0,0 +1,64 @@
+From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson
+Date: Mon, 25 Jun 2018 09:58:56 -0400
+Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add quiet command-line argument to allow suppressing the help log
+message printed automatically after establishing a smbclient connection
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
+
+Signed-off-by: Justin Stephenson
+Reviewed-by: Andreas Schneider
+Reviewed-by: Björn Baumbach
+(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
+---
+ source3/client/client.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index 2c1c76036f7..c836e5a0477 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -52,6 +52,7 @@ static int port = 0;
+ static char *service;
+ static char *desthost;
+ static bool grepable = false;
++static bool quiet = false;
+ static char *cmdstr = NULL;
+ const char *cmd_ptr = NULL;
+
+@@ -6059,7 +6060,9 @@ static int process_stdin(void)
+ {
+ int rc = 0;
+
+- d_printf("Try \"help\" to get a list of possible commands.\n");
++ if (!quiet) {
++ d_printf("Try \"help\" to get a list of possible commands.\n");
++ }
+
+ while (!finished) {
+ TALLOC_CTX *frame = talloc_stackframe();
+@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
+ { "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
+ { "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
+ { "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
++ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
+ { "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
+ POPT_COMMON_SAMBA
+ POPT_COMMON_CONNECTION
+@@ -6451,6 +6455,9 @@ int main(int argc,char 
*argv[])
+ case 'g':
+ grepable=true;
+ break;
++ case 'q':
++ quiet=true;
++ break;
+ case 'e':
+ smb_encrypt=true;
+ break;
+--
+2.17.1
diff --git a/SOURCES/samba-4.8.3.tar.asc b/SOURCES/samba-4.8.3.tar.asc
new file mode 100644
index 0000000..149c42f
--- /dev/null
+++ b/SOURCES/samba-4.8.3.tar.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
+U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
+=em2I
+-----END PGP SIGNATURE-----
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index a620d2a..f2eac30 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,13 +6,13 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
-%define main_release 9
+%define main_release 4
-%define samba_version 4.7.1
-%define talloc_version 2.1.9
-%define tdb_version 1.3.14
-%define tevent_version 0.9.33
-%define ldb_version 1.2.2
+%define samba_version 4.8.3
+%define talloc_version 2.1.11
+%define tdb_version 1.3.15
+%define tevent_version 0.9.36
+%define ldb_version 1.3.4
 # This should be rc1 or nil
 %define pre_release %nil
@@ -25,6 +25,12 @@
 # This is a network daemon, do a hardened build
 # Enables PIE and full RELRO protection
 %global _hardened_build 1
+# Samba cannot be linked with -Wl,-z,defs (from hardened build config)
+# For exmple the samba-cluster-support library is marked to allow undefined
+# symbols in the samba build.
+#
+# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
+%undefine _strict_symbol_defs_build
 %global with_libsmbclient 1
 %global with_libwbclient 1
@@ -84,6 +90,8 @@
 %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
+
 Name: samba
 Version: %{samba_version}
 Release: %{samba_release}
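Review bot: `static bool quiet = false;` is added beside `grepable` without a comment, and its only reader, the `if (!quiet)` gate in process_stdin, sits several thousand lines away, so a reader of the declaration cannot tell what the flag silences. A one-line comment at the declaration, `/* -q/--quiet: suppress the "Try \"help\"" hint that process_stdin() prints */`, documents the contract. The popt help string `"Suppress help message"` could likewise say which message, but as this is a cherry-picked upstream commit that wording is better adjusted upstream than in the packaging copy. The option table and the `case` block are both inside main, which starts and ends outside the hunk.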
@@ -119,19 +127,11 @@ Source14: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
-Patch0: CVE-2017-14746.patch
-Patch1: CVE-2017-15275.patch
-Patch2: samba-4.7-fix_smbclient_volume.patch
-Patch3: samba-4.7-fix_samba_with_systemd.patch
-Patch4: samba-4.7-net_ads_keytab_list.patch
-Patch5: samba-4.7-fix_aesni_intel_support.patch
-Patch6: samba-4.7-handle_smb_echo_gracefully.patch
-Patch7: samba-4.7-fix_smb2_client_read_after_free.patch
-Patch8: samba-4.7-fix_dns_segfault_during_net_ads_join.patch
-Patch9: samba-4.7-fix_segfault_in_NT1_connection_setup.patch
-Patch10: samba-4.7-fix_segfault_in_keytab_handling.patch
-Patch11: samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
-Patch12: samba-4.7-fix_smb2_anonymous_connections.patch
+Patch0: samba-4.8.3-fix_krb5_plugins.patch
+Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch
+Patch2: samba-4.8.3-smbclient_quiet_argument.patch
+Patch3: CVE-2018-1139.patch
+Patch4: CVE-2018-10858.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -198,7 +198,7 @@ BuildRequires: python-dns
 BuildRequires: python-iso8601
 %if %{with testsuite}
 BuildRequires: python2-pygpgme
-BuildRequires: python2-subunit
+BuildRequires: python2-markdown
 %endif
 BuildRequires: quota-devel
 BuildRequires: readline-devel
@@ -834,7 +834,13 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
 %if %with_intel_aes_accel
 --accel-aes=intelaesni \
 %endif
- --with-systemd
+ --with-systemd \
+ --systemd-install-services \
+ --with-systemddir=/usr/lib/systemd/system \
+ --systemd-smb-extra=%{_systemd_extra} \
+ --systemd-nmb-extra=%{_systemd_extra} \
+ --systemd-winbind-extra=%{_systemd_extra} \
+ --systemd-samba-extra=%{_systemd_extra}
 make %{?_smp_mflags}
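Review bot: `--with-systemddir=/usr/lib/systemd/system` hard-codes the unit directory that the rest of the spec addresses as `%{_unitdir}` (the ctdb.service install and the `%{_unitdir}/samba.service` removal in the later %install hunks), so the configure-time install location and the `%files`/`rm -f` paths can silently diverge if the macro ever differs from the literal. `--with-systemddir=%{_unitdir} \` keeps a single source of truth. The configure invocation this line belongs to starts outside the hunk.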
@@ -931,15 +937,6 @@ install -m 0644 %{SOURCE200} packaging/README.dc
 install -m 0644 %{SOURCE200} packaging/README.dc-libs
 %endif
-install -d -m 0755 %{buildroot}%{_unitdir}
-services="nmb smb winbind"
-%if %with_dc
-services="$services samba"
-%endif
-for i in $services ; do
- cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
- install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
-done
 %if %with_clustering_support
 install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
 %endif
@@ -954,16 +951,28 @@ install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %if ! %with_dc
-for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
+for i in \
+ %{_libdir}/samba/libdfs-server-ad-samba4.so \
 %{_libdir}/samba/libdnsserver-common-samba4.so \
 %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
- %{_mandir}/man8/samba.8 \
- %{_mandir}/man8/samba-tool.8 \
 %{_libdir}/samba/ldb/ildap.so \
 %{_libdir}/samba/ldb/ldbsamba_extensions.so \
+ %{_mandir}/man8/samba.8 \
+ %{_mandir}/man8/samba-tool.8 \
+ %{_mandir}/man8/samba_gpoupdate.8 \
+ %{_sbindir}/samba_gpoupdate \
+ %{python_sitearch}/samba/colour.py* \
+ %{python_sitearch}/samba/domain_update.py* \
+ %{python_sitearch}/samba/forest_update.py* \
+ %{python_sitearch}/samba/gpclass.py* \
+ %{python_sitearch}/samba/graph.py* \
+ %{python_sitearch}/samba/ms_forest_updates_markdown.py* \
+ %{python_sitearch}/samba/ms_schema_markdown.py* \
+ %{python_sitearch}/samba/gpo.so \
 %{python_sitearch}/samba/dcerpc/dnsserver.so \
 %{python_sitearch}/samba/netcmd/fsmo.py* \
 %{python_sitearch}/samba/netcmd/rodc.py* \
+ %{python_sitearch}/samba/netcmd/visualize.py* \
 %{python_sitearch}/samba/kcc/__init__.py* \
 %{python_sitearch}/samba/kcc/debug.py* \
 %{python_sitearch}/samba/kcc/graph.py* \
@@ -984,6 +993,9 @@ for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
 %{python_sitearch}/samba/dsdb_dns.so \
 %{python_sitearch}/samba/samdb.py* \
 %{python_sitearch}/samba/schema.py* \
+ %{python_sitearch}/samba/tests/krb5_credentials.py* \
+ %{python_sitearch}/samba/tests/password_quality.py* \
+ %{_unitdir}/samba.service \
 ; do
 rm -f %{buildroot}$i
 done
@@ -1139,18 +1151,18 @@ fi
 %postun winbind-krb5-locator
 if [ "$1" -ge "1" ]; then
- if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then
- %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/samba/krb5/winbind_krb5_locator.so" ]; then
+ %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
 fi
 fi
 %post winbind-krb5-locator
 %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
- winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10
+ winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so 10
 %preun winbind-krb5-locator
 if [ $1 -eq 0 ]; then
- %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
 fi
 %post winbind-modules -p /sbin/ldconfig
@@ -1196,7 +1208,6 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/acl_tdb.so
 %{_libdir}/samba/vfs/acl_xattr.so
 %{_libdir}/samba/vfs/aio_fork.so
-%{_libdir}/samba/vfs/aio_linux.so
 %{_libdir}/samba/vfs/aio_pthread.so
 %{_libdir}/samba/vfs/audit.so
 %{_libdir}/samba/vfs/btrfs.so
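Review bot: The `winbind_krb5_locator.so` alternatives group keeps the old 4.7 path `%{_libdir}/winbind_krb5_locator.so` registered across an upgrade: `%preun` only runs `--remove` on erase (`$1 -eq 0`), and the rewritten `%post` only `--install`s the new `%{_libdir}/samba/krb5/` path, so the stale entry outlives the file it points to (inferred from the scriptlets shown; worth confirming on an upgraded host). Adding `%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so || :` at the top of `%post winbind-krb5-locator`, before the `--install` line, retires it. The `%postun` comparison uses the bashism `==` inside `[ ]`; that predates this change, but `=` is the portable spelling and the line is being rewritten anyway.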
@@ -1232,6 +1243,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/vfs/syncops.so
 %{_libdir}/samba/vfs/time_audit.so
 %{_libdir}/samba/vfs/unityed_media.so
+%{_libdir}/samba/vfs/virusfilter.so
 %{_libdir}/samba/vfs/worm.so
 %{_libdir}/samba/vfs/xattr_tdb.so
@@ -1248,7 +1260,6 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_acl_tdb.8*
 %{_mandir}/man8/vfs_acl_xattr.8*
 %{_mandir}/man8/vfs_aio_fork.8*
-%{_mandir}/man8/vfs_aio_linux.8*
 %{_mandir}/man8/vfs_aio_pthread.8*
 %{_mandir}/man8/vfs_audit.8*
 %{_mandir}/man8/vfs_btrfs.8*
@@ -1268,6 +1279,7 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_linux_xfs_sgid.8*
 %{_mandir}/man8/vfs_media_harmony.8*
 %{_mandir}/man8/vfs_netatalk.8*
+%{_mandir}/man8/vfs_nfs4acl_xattr.8*
 %{_mandir}/man8/vfs_offline.8*
 %{_mandir}/man8/vfs_prealloc.8*
 %{_mandir}/man8/vfs_preopen.8*
@@ -1284,6 +1296,7 @@ rm -rf %{buildroot}
 %{_mandir}/man8/vfs_time_audit.8*
 %{_mandir}/man8/vfs_tsmsm.8*
 %{_mandir}/man8/vfs_unityed_media.8*
+%{_mandir}/man8/vfs_virusfilter.8*
 %{_mandir}/man8/vfs_worm.8*
 %{_mandir}/man8/vfs_xattr_tdb.8*
@@ -1342,6 +1355,8 @@ rm -rf %{buildroot}
 %{_mandir}/man5/smbgetrc.5*
 %{_mandir}/man1/smbtar.1*
 %{_mandir}/man1/smbtree.1*
+%{_mandir}/man7/traffic_learner.7.*
+%{_mandir}/man7/traffic_replay.7.*
 %{_mandir}/man8/cifsdd.8.*
 %{_mandir}/man8/samba-regedit.8*
 %{_mandir}/man8/smbspool.8*
@@ -1423,7 +1438,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libflag-mapping-samba4.so
 %{_libdir}/samba/libgenrand-samba4.so
 %{_libdir}/samba/libgensec-samba4.so
-%{_libdir}/samba/libgpo-samba4.so
+%{_libdir}/samba/libgpext-samba4.so
 %{_libdir}/samba/libgse-samba4.so
 %{_libdir}/samba/libhttp-samba4.so
 %{_libdir}/samba/libinterfaces-samba4.so
@@ -1574,12 +1589,14 @@ rm -rf %{buildroot}
 %{_sbindir}/samba
 %{_sbindir}/samba_kcc
 %{_sbindir}/samba_dnsupdate
+%{_sbindir}/samba_gpoupdate
 %{_sbindir}/samba_spnupdate
 %{_sbindir}/samba_upgradedns
 %{_libdir}/krb5/plugins/kdb/samba.so
 %{_libdir}/samba/auth/samba4.so
+%{_libdir}/samba/libgpo-samba4.so
 %{_libdir}/samba/libpac-samba4.so
 %dir %{_libdir}/samba/gensec
 %{_libdir}/samba/gensec/krb5.so
@@ -1590,6 +1607,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/ldb/dirsync.so
 %{_libdir}/samba/ldb/dns_notify.so
 %{_libdir}/samba/ldb/dsdb_notification.so
+%{_libdir}/samba/ldb/encrypted_secrets.so
 %{_libdir}/samba/ldb/extended_dn_in.so
 %{_libdir}/samba/ldb/extended_dn_out.so
 %{_libdir}/samba/ldb/extended_dn_store.so
@@ -1624,6 +1642,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/ldb/subtree_delete.so
 %{_libdir}/samba/ldb/subtree_rename.so
 %{_libdir}/samba/ldb/tombstone_reanimate.so
+%{_libdir}/samba/ldb/unique_object_sids.so
 %{_libdir}/samba/ldb/update_keytab.so
 %{_libdir}/samba/ldb/vlv.so
 %{_libdir}/samba/ldb/wins_ldb.so
@@ -1632,6 +1651,7 @@ rm -rf %{buildroot}
 %{_datadir}/samba/setup
 %{_mandir}/man8/samba.8*
 %{_mandir}/man8/samba-tool.8*
+%{_mandir}/man8/samba_gpoupdate.8*
 %else # with_dc
 %doc packaging/README.dc
 %endif # with_dc
@@ -1644,6 +1664,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/libprocess-model-samba4.so
 %{_libdir}/samba/libservice-samba4.so
 %dir %{_libdir}/samba/process_model
+%{_libdir}/samba/process_model/prefork.so
 %{_libdir}/samba/process_model/standard.so
 %dir %{_libdir}/samba/service
 %{_libdir}/samba/service/cldap.so
@@ -1981,6 +2002,10 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/ndr.py*
 %{python_sitearch}/samba/net.so
 %{python_sitearch}/samba/netbios.so
+%dir %{python_sitearch}/samba/emulate
+%{python_sitearch}/samba/emulate/__init__.py*
+%{python_sitearch}/samba/emulate/traffic.py*
+%{python_sitearch}/samba/emulate/traffic_packets.py*
 %dir %{python_sitearch}/samba/netcmd
 %{python_sitearch}/samba/netcmd/__init__.py*
 %{python_sitearch}/samba/netcmd/common.py*
@@ -2058,11 +2083,17 @@ rm -rf %{buildroot}
 %dir %{python_sitearch}/samba/web_server
 %{python_sitearch}/samba/web_server/__init__.py*
+%{python_sitearch}/samba/domain_update.py*
 %{python_sitearch}/samba/dckeytab.so
 %{python_sitearch}/samba/dnsserver.py*
 %{python_sitearch}/samba/drs_utils.py*
 %{python_sitearch}/samba/dsdb.so
 %{python_sitearch}/samba/dsdb_dns.so
+%{python_sitearch}/samba/forest_update.py*
+%{python_sitearch}/samba/gpclass.py*
+%{python_sitearch}/samba/gpo.so
+%{python_sitearch}/samba/ms_forest_updates_markdown.py*
+%{python_sitearch}/samba/ms_schema_markdown.py*
 %{python_sitearch}/samba/samdb.py*
 %{python_sitearch}/samba/schema.py*
 %endif
@@ -2081,8 +2112,13 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/auth_log_samlogon.py*
 %dir %{python_sitearch}/samba/tests/blackbox
 %{python_sitearch}/samba/tests/blackbox/__init__.py*
+%{python_sitearch}/samba/tests/blackbox/check_output.py*
 %{python_sitearch}/samba/tests/blackbox/ndrdump.py*
 %{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
+%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
+%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
 %{python_sitearch}/samba/tests/common.py*
 %{python_sitearch}/samba/tests/core.py*
 %{python_sitearch}/samba/tests/credentials.py*
@@ -2112,10 +2148,17 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/dns_wildcard.py*
 %{python_sitearch}/samba/tests/docs.py*
 %{python_sitearch}/samba/tests/dsdb.py*
+%{python_sitearch}/samba/tests/dsdb_lock.py*
 %{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
+%dir %{python_sitearch}/samba/tests/emulate
+%{python_sitearch}/samba/tests/emulate/__init__.py*
+%{python_sitearch}/samba/tests/emulate/traffic.py*
+%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
+%{python_sitearch}/samba/tests/encrypted_secrets.py*
 %{python_sitearch}/samba/tests/gensec.py*
 %{python_sitearch}/samba/tests/get_opt.py*
 %{python_sitearch}/samba/tests/glue.py*
+%{python_sitearch}/samba/tests/graph.py*
 %{python_sitearch}/samba/tests/hostconfig.py*
 %{python_sitearch}/samba/tests/join.py*
 %dir %{python_sitearch}/samba/tests/kcc
@@ -2132,8 +2175,9 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/netcmd.py*
 %{python_sitearch}/samba/tests/netlogonsvc.py*
 %{python_sitearch}/samba/tests/ntacls.py*
-%{python_sitearch}/samba/tests/ntlmauth.py*
+%{python_sitearch}/samba/tests/ntlmdisabled.py*
 %{python_sitearch}/samba/tests/pam_winbind.py*
+%{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
 %{python_sitearch}/samba/tests/param.py*
 %{python_sitearch}/samba/tests/password_hash.py*
 %{python_sitearch}/samba/tests/password_hash_fl2003.py*
@@ -2154,9 +2198,11 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/fsmo.py*
 %{python_sitearch}/samba/tests/samba_tool/gpo.py*
 %{python_sitearch}/samba/tests/samba_tool/group.py*
+%{python_sitearch}/samba/tests/samba_tool/help.py*
 %{python_sitearch}/samba/tests/samba_tool/join.py*
 %{python_sitearch}/samba/tests/samba_tool/ntacl.py*
 %{python_sitearch}/samba/tests/samba_tool/processes.py*
+%{python_sitearch}/samba/tests/samba_tool/provision_password_check.py*
 %{python_sitearch}/samba/tests/samba_tool/rodc.py*
 %{python_sitearch}/samba/tests/samba_tool/sites.py*
 %{python_sitearch}/samba/tests/samba_tool/timecmd.py*
@@ -2164,11 +2210,14 @@ rm -rf %{buildroot}
 %{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py*
 %{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py*
 %{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
+%{python_sitearch}/samba/tests/samba_tool/visualize.py*
+%{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
 %{python_sitearch}/samba/tests/samdb.py*
 %{python_sitearch}/samba/tests/security.py*
 %{python_sitearch}/samba/tests/source.py*
 %{python_sitearch}/samba/tests/strings.py*
 %{python_sitearch}/samba/tests/subunitrun.py*
+%{python_sitearch}/samba/tests/tdb_util.py*
 %{python_sitearch}/samba/tests/unicodenames.py*
 %{python_sitearch}/samba/tests/upgrade.py*
 %{python_sitearch}/samba/tests/upgradeprovision.py*
@@ -2225,15 +2274,17 @@ rm -rf %{buildroot}
 %defattr(-,root,root)
 %{_bindir}/ntlm_auth
 %{_bindir}/wbinfo
+%{_libdir}/samba/krb5/winbind_krb5_localauth.so
 %{_mandir}/man1/ntlm_auth.1.gz
 %{_mandir}/man1/wbinfo.1*
+%{_mandir}/man8/winbind_krb5_localauth.8*
 ### WINBIND-KRB5-LOCATOR
 %files winbind-krb5-locator
 %defattr(-,root,root)
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-%{_libdir}/winbind_krb5_locator.so
-%{_mandir}/man7/winbind_krb5_locator.7*
+%{_libdir}/samba/krb5/winbind_krb5_locator.so
+%{_mandir}/man8/winbind_krb5_locator.8*
 ### WINBIND-MODULES
 %files winbind-modules
@@ -2369,7 +2420,11 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/pkt_read_test
 %{_libexecdir}/ctdb/tests/pkt_write_test
 %{_libexecdir}/ctdb/tests/porting_tests
-%{_libexecdir}/ctdb/tests/protocol_client_test
+%{_libexecdir}/ctdb/tests/protocol_basic_test
+%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test
+%{_libexecdir}/ctdb/tests/protocol_ctdb_test
+%{_libexecdir}/ctdb/tests/protocol_event_test
+%{_libexecdir}/ctdb/tests/protocol_types_compat_test
 %{_libexecdir}/ctdb/tests/protocol_types_test
 %{_libexecdir}/ctdb/tests/protocol_util_test
 %{_libexecdir}/ctdb/tests/rb_test
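Review bot: `%{_libdir}/samba/krb5/winbind_krb5_localauth.so` and `%{_libdir}/samba/krb5/winbind_krb5_locator.so` are listed in two different subpackages, but neither list carries `%dir %{_libdir}/samba/krb5`, so the new directory is unowned unless some other `%files` section claims it (not visible in this hunk). Adding `%dir %{_libdir}/samba/krb5` to the section holding ntlm_auth/wbinfo (its `%files` header is outside the hunk) and making winbind-krb5-locator depend on that package, or listing the `%dir` in both, keeps `rpm -qf` and package removal clean. The two entries also moved the locator from `%{_libdir}` to `%{_libdir}/samba/krb5/`, which interacts with the alternatives scriptlets in the earlier `%post`/`%preun` hunk.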
@@ -2381,6 +2436,8 @@ rm -rf %{buildroot}
 %{_libexecdir}/ctdb/tests/srvid_test
 %{_libexecdir}/ctdb/tests/test_mutex_raw
 %{_libexecdir}/ctdb/tests/transaction_loop
+%{_libexecdir}/ctdb/tests/tunnel_cmd
+%{_libexecdir}/ctdb/tests/tunnel_test
 %{_libexecdir}/ctdb/tests/update_record
 %{_libexecdir}/ctdb/tests/update_record_persistent
@@ -2397,6 +2454,8 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
 %{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
 %{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
+%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
+%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
 %{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
 %{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
 %{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
@@ -2420,7 +2479,11 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
 %{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
 %{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
-%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_102.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
+%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
 %{_datadir}/ctdb/tests/cunit/rb_test_001.sh
 %{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
 %{_datadir}/ctdb/tests/cunit/run_event_001.sh
@@ -2498,6 +2561,10 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
 %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.010.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.011.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.012.sh
+%{_datadir}/ctdb/tests/eventscripts/10.interface.013.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
@@ -2524,10 +2591,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.012.sh
-%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.013.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
@@ -2581,13 +2644,28 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
 %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.001.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
 %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.001.sh
+%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
 %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
@@ -2723,7 +2801,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
 %dir %{_datadir}/ctdb/tests/onnode
-%{_datadir}/ctdb/tests/onnode/README
 %{_datadir}/ctdb/tests/onnode/0001.sh
 %{_datadir}/ctdb/tests/onnode/0002.sh
 %{_datadir}/ctdb/tests/onnode/0003.sh
@@ -2742,7 +2819,6 @@ rm -rf %{buildroot}
 %dir %{_datadir}/ctdb/tests/onnode/stubs
 %{_datadir}/ctdb/tests/onnode/stubs/ctdb
-%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
 %{_datadir}/ctdb/tests/onnode/stubs/ssh
 %dir %{_datadir}/ctdb/tests/scripts
@@ -2817,6 +2893,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
 %{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
 %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
+%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
 %{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
 %{_datadir}/ctdb/tests/simple/functions
 # This is a dangling symlink but needed for testing
@@ -2863,6 +2940,7 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/takeover/lcp2.032.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.033.sh
 %{_datadir}/ctdb/tests/takeover/lcp2.034.sh
+%{_datadir}/ctdb/tests/takeover/lcp2.035.sh
 %{_datadir}/ctdb/tests/takeover/nondet.001.sh
 %{_datadir}/ctdb/tests/takeover/nondet.002.sh
 %{_datadir}/ctdb/tests/takeover/nondet.003.sh
@@ -2927,11 +3005,9 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
 %{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
-%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
-%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
@@ -2941,7 +3017,6 @@ rm -rf %{buildroot}
 %{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
-%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
 %{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
@@ -3045,17 +3120,49 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
-* Wed Jul 04 2018 Andreas Schneider - 4.7.1-9
-- related: #1581375 - Remove patch which doesn't fully work
+* Thu Aug 09 2018 Andreas Schneider - 4.8.3-4
+- resolves: #1614132 - Fix delete-on-close after smb2_find
+- resolves: #1614265 - Fix CVE-2018-1139
+- resolves: #1614269 - Fix CVE-2018-10858
+
+* Fri Jul 06 2018 Justin Stephenson - 4.8.3-3
+- resolves: #1581016 - Add smbclient quiet argument
+
+* Thu Jul 05 2018 Andreas Schneider - 4.8.3-2
+- related: #1538743 - Fix local user account lookup with winbind
+
+* Wed Jun 27 2018 Andreas Schneider - 4.8.3-1
+- related: #1558560 - Rebase to Samba version 4.8.3
+- resolves: #1579398 - Add winbind localauth krb5 plugin
+
+* Wed Jun 13 2018 Andreas Schneider - 4.8.2-2
+- resolves: #1540457 - Fixed support for authenticaton on on way trusts
+
+* Mon Jun 11 2018 Andreas Schneider - 4.8.2-1
+- related: #1558560 - Rebase to newer Samba version
+
+* Wed May 30 2018 Andreas Schneider - 4.8.1-4
+- resolves: #1582541 - Fix anonymous auth with SMB2/3
+
+* Tue May 22 2018 Andreas Schneider - 4.8.1-3
+- resolves: #1575205 - Fix segfault when updating DNS with 'net ads join'
+- resolves: #1525511 - Fix idmap_rid dependency on trusted domain list
+
+* Wed May 16 2018 Andreas Schneider - 4.8.1-2
+- resolves: #1538743 - Fix UPN handling in winbind
+
+* Fri Apr 27 2018 Andreas Schneider - 4.8.1-1
+- related: #1558560 - Rebase to newer Samba version
+- resolves: #1567896 - Fix possible crash if secrets db is emtpy
+- resolves: #1570020 - Fix a crash in smbd when dfsgetinfo is called
-* Mon May 28 2018 Andreas Schneider - 4.7.1-8
-- resolves: #1582541 - Fix anyoumous and guest handling of SMB2/3
+* Thu Apr 12 2018 Andreas Schneider - 4.8.0-1
+- resolves: #1558560 - Rebase to newer Samba version
+- resolves: #1558943 - Fix winbind requests getting stuck on a child
+- resolves: #1532618 - Fix segfault with NT1 connections in smbd
-* Wed May 23 2018 
Andreas Schneider - 4.7.1-7
-- resolves: #1581369 - Fix segfault updating dns during 'net ads join'
-- resolves: #1581373 - Fix segfault during NT1 session setup
-- resolves: #1581376 - Fix segfault in keytab handling
-- resolves: #1581377 - Fix segfault in smbclient dfsgetinfo
+* Fri Mar 09 2018 Andreas Schneider - 4.7.1-7
+- resolves: #1552004 - Fix CVE-2018-1050
 * Wed Dec 20 2017 Andreas Schneider - 4.7.1-6
 - resolves: #1476153 - Handle SMB echo responses more gracefully