diff --git a/.gitignore b/.gitignore index 9b3845c..41cd890 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.15.3.tar.xz +SOURCES/samba-4.15.5.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index 3011278..b1ff8f6 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -e778708ce1f39566d91d74dce8e9940b324d1ef1 SOURCES/samba-4.15.3.tar.xz +f7e367a546d6523d21be3602b3f2a22a76016844 SOURCES/samba-4.15.5.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/samba-4.15.3.tar.asc b/SOURCES/samba-4.15.3.tar.asc deleted file mode 100644 index dbc01c2..0000000 --- a/SOURCES/samba-4.15.3.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0kACgkQqplEL7aA -tiCzMg/+IzBD53oeYFSSt6V9o1ZhD/7bL425n/7Ea2iLaHkOEQWN3AgKV7h1rdSb -tS/Ys3xUf9LB1ZVkXbu17oWj5pG8aWcp6Ky80uXHycZ5X0/fcHegSU5SIyUfLs0F -d3BXvFWkPIy8H9a55wFTpJte2ofRoFqWUG4MAlOq83ummnmrz0W5j6QcufVIRjWq -hGMbg8Vjk+UEtKNO7fl8iSQ0ZRyXCkBR3biDBtMbvtoluaVkixxwwSPqgDoNXgju -ox2EbVfHLSHc+7Tb30uKQq/mf3uhf6ASIrajNVrXotK1fgpCCKnMLb9qRHEftttY -DwYKQvsrHCw9vYg/xyO2NOBr82mxjE6NBLsV1Kp8pdc4vInmAqOCsQpOuZ0SgO6u -sZk4c5AkfH7pZtHeNtlefiGe8/7ApU6UC6kkXT3mnLBtWKMBte9/NR6ZgCLle7tV -aAx6Io9j/rAeueRRgIK98bzxXSufjtFyNmM+Qr7IXnFHtJNM919ib4pr5DzpGwAc -+FMG0LfmU0XiUXcbw/IZ3AOD2DBwZC58ZezO3alUS8eRqNTP13v3Uhg9F78+eyah -Wbohx05Y4MA1ywtMd8z/dZn97nw3bw+z6fLNC//1Sq1qo1fXipaoSQW1LK9IHeVO -cV7cvd2c16p7NN3Op+34QY7Nc7b1uhtTV3v3tiEQYR/uQx+tyz8= -=fu6B ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.15.5.tar.asc b/SOURCES/samba-4.15.5.tar.asc new file mode 100644 index 0000000..4e31e62 --- /dev/null +++ b/SOURCES/samba-4.15.5.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmH3yN4ACgkQqplEL7aA +tiBh5Q/+Pz0ROFJ5gGKdpjH0ZS7ES38wutEgnIyy0y25VHxes+ByByUSpd4WHKMX +KYSmpQlvQBqSUhD5Jg5GxFT5iVsRiVMcHxc0QVAbdqLuypyoztTE0nGj4RrkWa/9 +j7kPtdojQ3Z6rZ1W6bPzzgb6JRLdvTnoc/IKi/ICXaN50bb8qNGarE35JDbKWcIt +b72pKe8Z3ainkxNM2/ozFgZeTDSpVZG0b9z8fulsMZ47HDY4pXYWaTG4Q0avrzdY +0o/p17FFO8YLpSBIIsbHCjIVLz5diZYwuT/23zYAzFZGNIIVYyQlrorBB4krIB6v +/2q1kescibqc0FMcbWEtSp+QnLqKCCV9JAWgTkyJaUNBZkRQKTF1KwA1/tDtbEoj ++rM8m/luKl0HlwbcQTRk5m3fWTIbZNAKyVoLmv9Aj38wsoEqKyvhjB2xqiTxVwu9 +g2/z7lGTx/qzou0TMbVwCjX1yahR1qmKD0GlffvIPRNPtCOfUlYvX36yM8v8yP/y +5Pv7SdJ2G3GNkWpzWSSteWDzPvI5IY3PXX+AINuknNgjT54+SiaTY1uKEHj8aYMJ +f1YkvKhBiBL87+CGZkOEaIDAKsZUAwmfVo8ebID7Ebmtd/VfLYHR8BEeMOU70cxB +OlAsSQcQm9Nwv51h/AB3n4oK1RykD2FMaH8XNmY0pw+Nd7mKoBo= +=oc6g +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-disable-ntlmssp.patch b/SOURCES/samba-disable-ntlmssp.patch new file mode 100644 index 0000000..d80e85b --- /dev/null +++ b/SOURCES/samba-disable-ntlmssp.patch @@ -0,0 +1,764 @@ +From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 10 Dec 2021 16:08:04 +0100 +Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527) +--- + source3/utils/net_ads.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 6ab4a0096b1..8f993f9ba4c 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain, + char *cp; + const char *realm = NULL; + bool tried_closest_dc = false; ++ enum credentials_use_kerberos krb5_state = ++ CRED_USE_KERBEROS_DISABLED; + + /* lp_realm() should be handled by a command line param, + However, the join requires that realm be set in smb.conf +@@ -650,10 +652,28 @@ retry: + ads->auth.password = smb_xstrdup(c->opt_password); + } + +- ads->auth.flags |= auth_flags; + SAFE_FREE(ads->auth.user_name); + ads->auth.user_name = smb_xstrdup(c->opt_user_name); + ++ ads->auth.flags |= auth_flags; ++ ++ /* The ADS code will handle FIPS mode */ ++ krb5_state = cli_credentials_get_kerberos_state(c->creds); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } ++ + /* + * If the username is of the form "name@realm", + * extract the realm and convert to upper case. +-- +2.33.1 + + +From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 8 Dec 2021 16:05:17 +0100 +Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 60fa2bf80cb..b91e2d15bcf 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -1,18 +1,18 @@ +-/* ++/* + Unix SMB/CIFS implementation. + ads sasl code + Copyright (C) Andrew Tridgell 2001 +- ++ + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. +- ++ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. +- ++ + You should have received a copy of the GNU General Public License + along with this program. If not, see . + */ +@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = { + .disconnect = ads_sasl_gensec_disconnect + }; + +-/* ++/* + perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can + we fit on one socket??) + */ +@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, + + #endif /* HAVE_KRB5 */ + +-/* ++/* + this performs a SASL/SPNEGO bind + */ + static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) +@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + file_save("sasl_spnego.dat", blob.data, blob.length); + #endif + +- /* the server sent us the first part of the SPNEGO exchange in the negprot ++ /* the server sent us the first part of the SPNEGO exchange in the negprot + reply */ + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) || + OIDs[0] == NULL) { +@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + #ifdef HAVE_KRB5 + if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && +- got_kerberos_mechanism) ++ got_kerberos_mechanism) + { + mech = "KRB5"; + +@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + "calling kinit\n", ads_errstr(status))); + } + +- status = ADS_ERROR_KRB5(ads_kinit_password(ads)); ++ status = ADS_ERROR_KRB5(ads_kinit_password(ads)); + + if (ADS_ERR_OK(status)) { + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + } + + /* only fallback to NTLMSSP if allowed */ +- if (ADS_ERR_OK(status) || ++ if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { + goto done; + } +@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + #endif + + /* lets do NTLMSSP ... this has the big advantage that we don't need +- to sync clocks, and we don't rely on special versions of the krb5 ++ to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", +-- +2.33.1 + + +From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 9 Dec 2021 13:43:08 +0100 +Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329) +--- + source3/libads/sasl.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index b91e2d15bcf..992f7022a69 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + + DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " + "for %s/%s with user[%s] realm[%s]: %s, " +- "fallback to NTLMSSP\n", ++ "try to fallback to NTLMSSP\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + to sync clocks, and we don't rely on special versions of the krb5 + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; ++ ++ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { ++ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" ++ " disallowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", + CRED_USE_KERBEROS_DISABLED, + p.service, p.hostname, +-- +2.33.1 + + +From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 7 Jan 2022 10:31:19 +0100 +Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738) +--- + source3/libads/sasl.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index 992f7022a69..ea98aa47ecd 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + p.service, p.hostname, + blob); + if (!ADS_ERR_OK(status)) { +- DEBUG(0,("kinit succeeded but " +- "ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s\n", ++ DBG_ERR("kinit succeeded but " ++ "SPNEGO bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s\n", + p.service, p.hostname, + ads->auth.user_name, + ads->auth.realm, +- ads_errstr(status))); ++ ads_errstr(status)); + } + } + +@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + goto done; + } + +- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " +- "for %s/%s with user[%s] realm[%s]: %s, " +- "try to fallback to NTLMSSP\n", +- p.service, p.hostname, +- ads->auth.user_name, +- ads->auth.realm, +- ads_errstr(status))); ++ DBG_WARNING("SASL bind with Kerberos failed " ++ "for %s/%s - user[%s], realm[%s]: %s, " ++ "try to fallback to NTLMSSP\n", ++ p.service, p.hostname, ++ ads->auth.user_name, ++ ads->auth.realm, ++ ads_errstr(status)); + } + #endif + +-- +2.33.1 + + +From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 11:13:06 +0100 +Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds + without kerberos) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc) +--- + source3/libads/sasl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c +index ea98aa47ecd..1bcfe0490a8 100644 +--- a/source3/libads/sasl.c ++++ b/source3/libads/sasl.c +@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) + library for HMAC_MD4 encryption */ + mech = "NTLMSSP"; + ++ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { ++ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n"); ++ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ goto done; ++ } ++ + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" + " disallowed.\n"); +-- +2.33.1 + + +From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 3 Jan 2022 15:33:46 +0100 +Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6) +--- + .../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++ + 1 file changed, 41 insertions(+) + create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh + +diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +new file mode 100755 +index 00000000000..2822ab29d14 +--- /dev/null ++++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh +@@ -0,0 +1,41 @@ ++#!/bin/sh ++# Blackbox tests for diabing NTLMSSP for ldap clinet connections ++# Copyright (c) 2022 Pavel Filipenský ++ ++if [ $# -lt 2 ]; then ++cat <&1 || failed=`expr $failed + 1` ++ ++# We should be allowed to use NTLM for connecting ++testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++GNUTLS_FORCE_FIPS_MODE=1 ++export GNUTLS_FORCE_FIPS_MODE ++ ++# Checks that testparm reports: Weak crypto is disallowed ++testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1` ++ ++# We should not be allowed to use NTLM for connecting ++testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1` ++ ++unset GNUTLS_FORCE_FIPS_MODE ++ ++exit $failed +-- +2.33.1 + + +From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 4 Jan 2022 12:00:20 +0100 +Subject: [PATCH 07/10] s4:selftest: plan test suite + samba4.blackbox.test_weak_disable_ntlmssp_ldap +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95) +--- + source4/selftest/tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index 1e4b2ae6dd3..3a6a716f061 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo + + if have_gnutls_fips_mode_support: + plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"]) ++ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD']) + + for env in ["ad_dc_fips", "ad_member_fips"]: + plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration]) +-- +2.33.1 + + +From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:47:38 +0100 +Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5) +--- + source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 19 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index 948c903f165..e415df347e6 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("query_user_list: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * According to Section 5.1(4) of RFC 2251 if a value of a type is it's + * default value, it MUST be absent. In case of extensible matching the + * "dnattr" boolean defaults to FALSE and so it must be only be present +- * when set to TRUE. ++ * when set to TRUE. + * + * When it is set to FALSE and the OpenLDAP lib (correctly) encodes a + * filter using bitwise matching rule then the buggy AD fails to decode +@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + * + * Thanks to Ralf Haferkamp for input and testing - Guenther */ + +- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", ++ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))", + ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED, +- ADS_LDAP_MATCHING_RULE_BIT_AND, ++ ADS_LDAP_MATCHING_RULE_BIT_AND, + enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP); + + if (filter == NULL) { +@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain, + DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries))); + + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain, + struct wb_acct_info **info) + { + /* +- * This is a stub function only as we returned the domain ++ * This is a stub function only as we returned the domain + * local groups in enum_dom_groups() if the domain->native field + * was true. This is a simple performance optimization when + * using LDAP. + * +- * if we ever need to enumerate domain local groups separately, ++ * if we ever need to enumerate domain local groups separately, + * then this optimization in enum_dom_groups() will need + * to be split out + */ +@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain, + tokenGroups are not available. */ + static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + TALLOC_CTX *mem_ctx, +- const char *user_dn, ++ const char *user_dn, + struct dom_sid *primary_group, + uint32_t *p_num_groups, struct dom_sid **user_sids) + { +@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + if ( !winbindd_can_contact_domain( domain ) ) { + DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n", +- domain->name)); ++ domain->name)); + return NT_STATUS_OK; + } + +@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain, + + DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn)); + done: +- if (res) ++ if (res) + ads_msgfree(ads, res); + + return status; +@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + if (count != 1) { + status = NT_STATUS_UNSUCCESSFUL; + DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: " +- "invalid number of results (count=%d)\n", ++ "invalid number of results (count=%d)\n", + dom_sid_str_buf(sid, &buf), + count)); + goto done; + } + + if (!msg) { +- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", ++ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n", + dom_sid_str_buf(sid, &buf))); + status = NT_STATUS_UNSUCCESSFUL; + goto done; +@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + } + + if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) { +- DEBUG(1,("%s: No primary group for sid=%s !?\n", ++ DEBUG(1,("%s: No primary group for sid=%s !?\n", + domain->name, + dom_sid_str_buf(sid, &buf))); + goto done; +@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + + count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids); + +- /* there must always be at least one group in the token, ++ /* there must always be at least one group in the token, + unless we are talking to a buggy Win2k server */ + + /* actually this only happens when the machine account has no read +@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, + /* lookup what groups this user is a member of by DN search on + * "member" */ + +- status = lookup_usergroups_member(domain, mem_ctx, user_dn, ++ status = lookup_usergroups_member(domain, mem_ctx, user_dn, + &primary_group, + &num_groups, user_sids); + *p_num_groups = num_groups; +@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could " + "not map any SIDs at all.\n")); + /* Don't handle this as an error here. +- * There is nothing left to do with respect to the ++ * There is nothing left to do with respect to the + * overall result... */ + } + else if (!NT_STATUS_IS_OK(status)) { +@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain, + NETR_TRUST_FLAG_IN_FOREST; + } else { + flags = NETR_TRUST_FLAG_IN_FOREST; +- } ++ } + + result = cm_connect_netlogon(domain, &cli); + + if (!NT_STATUS_IS_OK(result)) { + DEBUG(5, ("trusted_domains: Could not open a connection to %s " +- "for PIPE_NETLOGON (%s)\n", ++ "for PIPE_NETLOGON (%s)\n", + domain->name, nt_errstr(result))); + return NT_STATUS_UNSUCCESSFUL; + } +-- +2.33.1 + + +From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 18 Jan 2022 19:44:54 +0100 +Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher +(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96) +--- + source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index e415df347e6..6f01ef6e334 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -34,6 +34,7 @@ + #include "../libds/common/flag_mapping.h" + #include "libsmb/samlogon_cache.h" + #include "passdb.h" ++#include "auth/credentials/credentials.h" + + #ifdef HAVE_ADS + +@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ADS_STATUS status; + struct sockaddr_storage dc_ss; + fstring dc_name; ++ enum credentials_use_kerberos krb5_state; + + if (auth_realm == NULL) { + return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); +@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp, + ads->auth.renewable = renewable; + ads->auth.password = password; + +- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + ads->auth.realm = SMB_STRDUP(auth_realm); + if (!strupper_m(ads->auth.realm)) { +-- +2.33.1 + + +From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Fri, 21 Jan 2022 12:01:33 +0100 +Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS + mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 + +Pair-Programmed-With: Andreas Schneider + +Signed-off-by: Pavel Filipenský +Signed-off-by: Andreas Schneider +Reviewed-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184 + +(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9) +--- + source3/libnet/libnet_join.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 02705f1c70c..4c67e9af5c4 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + ADS_STATUS status; + ADS_STRUCT *my_ads = NULL; + char *cp; ++ enum credentials_use_kerberos krb5_state; + + my_ads = ads_init(dns_domain_name, + netbios_domain_name, +@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + +- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ /* In FIPS mode, client use kerberos is forced to required. */ ++ krb5_state = lp_client_use_kerberos(); ++ switch (krb5_state) { ++ case CRED_USE_KERBEROS_REQUIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DESIRED: ++ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ case CRED_USE_KERBEROS_DISABLED: ++ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ break; ++ } + + if (user_name) { + SAFE_FREE(my_ads->auth.user_name); +-- +2.33.1 + diff --git a/SOURCES/samba-disable-systemd-notifications.patch b/SOURCES/samba-disable-systemd-notifications.patch new file mode 100644 index 0000000..9e57630 --- /dev/null +++ b/SOURCES/samba-disable-systemd-notifications.patch @@ -0,0 +1,36 @@ +From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001 +From: "FeRD (Frank Dana)" +Date: Mon, 24 Jan 2022 22:14:31 -0500 +Subject: [PATCH] printing/bgqd: Disable systemd notifications + +samba-bgqd daemon is started by existing Samba daemons. When running +under systemd, those daemons control systemd notifications and +samba-bgqd messages need to be silenced. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947 + +Signed-off-by: FeRD (Frank Dana) +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5) +--- + source3/printing/samba-bgqd.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c +index f21327fc622..59ed0cc40db 100644 +--- a/source3/printing/samba-bgqd.c ++++ b/source3/printing/samba-bgqd.c +@@ -252,6 +252,9 @@ int main(int argc, const char *argv[]) + + log_stdout = (debug_get_log_type() == DEBUG_STDOUT); + ++ /* main process will notify systemd */ ++ daemon_sd_notifications(false); ++ + if (!cmdline_daemon_cfg->fork) { + daemon_status(progname, "Starting process ... "); + } else { +-- +2.34.1 + diff --git a/SOURCES/samba-password-change-prompt.patch b/SOURCES/samba-password-change-prompt.patch new file mode 100644 index 0000000..5dee86c --- /dev/null +++ b/SOURCES/samba-password-change-prompt.patch @@ -0,0 +1,100 @@ +From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Wed, 17 Nov 2021 09:56:09 +0100 +Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to + off). + +This change disables the prompt for the change of an expired password by +default (using the PAM_RADIO_TYPE mechanism if present). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Alexander Bokovoy +Reviewed-by: Andreas Schneider +(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) +--- + docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ + nsswitch/pam_winbind.c | 12 ++++++++++-- + nsswitch/pam_winbind.h | 1 + + 3 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml +index 0bc288f91a1..bae9298fc32 100644 +--- a/docs-xml/manpages/pam_winbind.conf.5.xml ++++ b/docs-xml/manpages/pam_winbind.conf.5.xml +@@ -194,6 +194,13 @@ + + + ++ ++ pwd_change_prompt = yes|no ++ ++ Generate prompt for changing an expired password. Defaults to "no". ++ ++ ++ + + + +diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c +index 720a4b90d85..06098dd07d8 100644 +--- a/nsswitch/pam_winbind.c ++++ b/nsswitch/pam_winbind.c +@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, + ctrl |= WINBIND_MKHOMEDIR; + } + ++ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; ++ } ++ + config_from_pam: + /* step through arguments */ + for (i=argc,v=argv; i-- > 0; ++v) { +@@ -522,6 +526,8 @@ config_from_pam: + else if (!strncasecmp(*v, "warn_pwd_expire", + strlen("warn_pwd_expire"))) + ctrl |= WINBIND_WARN_PWD_EXPIRE; ++ else if (!strcasecmp(*v, "pwd_change_prompt")) ++ ctrl |= WINBIND_PWD_CHANGE_PROMPT; + else if (type != PAM_WINBIND_CLEANUP) { + __pam_log(pamh, ctrl, LOG_ERR, + "pam_parse: unknown option: %s", *v); +@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, + * successfully sent the warning message. + * Give the user a chance to change pwd. + */ +- if (ret == PAM_SUCCESS) { ++ if (ret == PAM_SUCCESS && ++ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { + if (change_pwd) { + retval = _pam_winbind_change_pwd(ctx); + if (retval) { +diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h +index c6786d65a4d..2f4a25729bd 100644 +--- a/nsswitch/pam_winbind.h ++++ b/nsswitch/pam_winbind.h +@@ -157,6 +157,7 @@ do { \ + #define WINBIND_WARN_PWD_EXPIRE 0x00002000 + #define WINBIND_MKHOMEDIR 0x00004000 + #define WINBIND_TRY_AUTHTOK_ARG 0x00008000 ++#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 + + #if defined(HAVE_GETTEXT) && !defined(__LCLINT__) + #define _(string) dgettext(MODULE_NAME, string) +-- +2.35.1 + diff --git a/SOURCES/samba-printing-win7.patch b/SOURCES/samba-printing-win7.patch new file mode 100644 index 0000000..d1a6b6a --- /dev/null +++ b/SOURCES/samba-printing-win7.patch @@ -0,0 +1,229 @@ +From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Sat, 22 Jan 2022 01:08:26 +0100 +Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls + +This is important for the source3/rpc_server code as it might +be called embedded in smbd and may not run as root with access +to our private tdb/ldb files. + +Note this is only really needed for 4.15 and older, as +we no longer run the rpc_server embedded in smbd, +but we better be consistent for now. + +This should be able to fix the problem the printing no longer works +on Windows 7 with 2021-10 monthly rollup patch (KB5006743). + +Windows uses NTLMSSP with privacy at the DCERPC layer on top +of NCACN_NP (smb). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andreas Schneider +(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9) +--- + librpc/rpc/dcesrv_auth.c | 5 +++++ + librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++ + librpc/rpc/dcesrv_core.h | 2 ++ + source3/rpc_server/rpc_config.c | 2 ++ + source4/rpc_server/service_rpc.c | 10 ++++++++++ + 5 files changed, 37 insertions(+) + +diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c +index fec8df513a83..99d8e0162160 100644 +--- a/librpc/rpc/dcesrv_auth.c ++++ b/librpc/rpc/dcesrv_auth.c +@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call) + auth->auth_level = call->in_auth_info.auth_level; + auth->auth_context_id = call->in_auth_info.auth_context_id; + ++ cb->auth.become_root(); + status = cb->auth.gensec_prepare( + auth, + call, + &auth->gensec_security, + cb->auth.private_data); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to call samba_server_gensec_start %s\n", + nt_errstr(status))); +@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) + NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + { + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + const char *pdu = ""; + + switch (call->pkt.ptype) { +@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status) + return status; + } + ++ cb->auth.become_root(); + status = gensec_session_info(auth->gensec_security, + auth, + &auth->session_info); ++ cb->auth.unbecome_root(); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to establish session_info: %s\n", + nt_errstr(status))); +diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c +index d16159b0b6cd..ea91fc689b4a 100644 +--- a/librpc/rpc/dcesrv_core.c ++++ b/librpc/rpc/dcesrv_core.c +@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + struct dcerpc_binding *ep_2nd_description = NULL; + const char *endpoint = NULL; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct dcerpc_ack_ctx *ack_features = NULL; + struct tevent_req *subreq = NULL; +@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + { + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct tevent_req *subreq = NULL; + NTSTATUS status; + +@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call) + return NT_STATUS_OK; + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq) + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + struct ncacn_packet *pkt = &call->ack_pkt; + uint32_t extra_flags = 0; + struct dcesrv_auth *auth = call->auth_state; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + struct dcerpc_ack_ctx *ack_ctx_list = NULL; + struct tevent_req *subreq = NULL; + size_t i; +@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) + return dcesrv_auth_reply(call); + } + ++ cb->auth.become_root(); + subreq = gensec_update_send(call, call->event_ctx, + auth->gensec_security, + call->in_auth_info.credentials); ++ cb->auth.unbecome_root(); + if (subreq == NULL) { + return NT_STATUS_NO_MEMORY; + } +@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq) + tevent_req_callback_data(subreq, + struct dcesrv_call_state); + struct dcesrv_connection *conn = call->conn; ++ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks; + NTSTATUS status; + ++ cb->auth.become_root(); + status = gensec_update_recv(subreq, call, + &call->out_auth_info->credentials); ++ cb->auth.unbecome_root(); + TALLOC_FREE(subreq); + + status = dcesrv_auth_complete(call, status); +diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h +index d8d5f9030959..0538442e0ce6 100644 +--- a/librpc/rpc/dcesrv_core.h ++++ b/librpc/rpc/dcesrv_core.h +@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks { + struct gensec_security **out, + void *private_data); + void *private_data; ++ void (*become_root)(void); ++ void (*unbecome_root)(void); + } auth; + struct { + NTSTATUS (*find)( +diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c +index 2f1a01da1c0b..289c4f398409 100644 +--- a/source3/rpc_server/rpc_config.c ++++ b/source3/rpc_server/rpc_config.c +@@ -31,6 +31,8 @@ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = dcesrv_log_successful_authz, + .auth.gensec_prepare = dcesrv_auth_gensec_prepare, ++ .auth.become_root = become_root, ++ .auth.unbecome_root = unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c +index d8c6746d7815..ebb50f8a7ef3 100644 +--- a/source4/rpc_server/service_rpc.c ++++ b/source4/rpc_server/service_rpc.c +@@ -40,9 +40,19 @@ + #include "../libcli/named_pipe_auth/npa_tstream.h" + #include "samba/process_model.h" + ++static void skip_become_root(void) ++{ ++} ++ ++static void skip_unbecome_root(void) ++{ ++} ++ + static struct dcesrv_context_callbacks srv_callbacks = { + .log.successful_authz = log_successful_dcesrv_authz_event, + .auth.gensec_prepare = dcesrv_gensec_prepare, ++ .auth.become_root = skip_become_root, ++ .auth.unbecome_root = skip_unbecome_root, + .assoc_group.find = dcesrv_assoc_group_find, + }; + +-- +2.25.1 + diff --git a/SOURCES/samba-virus_scanner.patch b/SOURCES/samba-virus_scanner.patch new file mode 100644 index 0000000..6e243da --- /dev/null +++ b/SOURCES/samba-virus_scanner.patch @@ -0,0 +1,597 @@ +From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 9 Feb 2022 16:33:10 +0100 +Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd + +We have the env variable SERVER_LOG_LEVEL which allows you to change +the log level on the command line. If we force -d0 this will not work. + +make test TESTS="samba" SERVER_LOG_LEVEL=10 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b) +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index b901fd2677a..64a9a791a61 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -2153,7 +2153,7 @@ sub make_bin_cmd + { + my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_; + +- my @optargs = ("-d0"); ++ my @optargs = (); + if (defined($options)) { + @optargs = split(/ /, $options); + } +-- +2.34.1 + + +From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 12:07:03 +0100 +Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses + filename matching +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1) +--- + source3/modules/vfs_virusfilter.c | 12 +++++ + source3/modules/vfs_virusfilter_common.h | 4 ++ + source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++ + source3/modules/wscript_build | 1 + + 4 files changed, 75 insertions(+) + create mode 100644 source3/modules/vfs_virusfilter_dummy.c + +diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c +index 9fafe4e5d41..e6cbee7cd45 100644 +--- a/source3/modules/vfs_virusfilter.c ++++ b/source3/modules/vfs_virusfilter.c +@@ -35,12 +35,14 @@ + + enum virusfilter_scanner_enum { + VIRUSFILTER_SCANNER_CLAMAV, ++ VIRUSFILTER_SCANNER_DUMMY, + VIRUSFILTER_SCANNER_FSAV, + VIRUSFILTER_SCANNER_SOPHOS + }; + + static const struct enum_list scanner_list[] = { + { VIRUSFILTER_SCANNER_CLAMAV, "clamav" }, ++ { VIRUSFILTER_SCANNER_DUMMY, "dummy" }, + { VIRUSFILTER_SCANNER_FSAV, "fsav" }, + { VIRUSFILTER_SCANNER_SOPHOS, "sophos" }, + { -1, NULL } +@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect( + int snum = SNUM(handle->conn); + struct virusfilter_config *config = NULL; + const char *exclude_files = NULL; ++ const char *infected_files = NULL; + const char *temp_quarantine_dir_mode = NULL; + const char *infected_file_command = NULL; + const char *scan_error_command = NULL; +@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect( + set_namearray(&config->exclude_files, exclude_files); + } + ++ infected_files = lp_parm_const_string( ++ snum, "virusfilter", "infected files", NULL); ++ if (infected_files != NULL) { ++ set_namearray(&config->infected_files, infected_files); ++ } ++ + config->cache_entry_limit = lp_parm_int( + snum, "virusfilter", "cache entry limit", 100); + +@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect( + case VIRUSFILTER_SCANNER_CLAMAV: + ret = virusfilter_clamav_init(config); + break; ++ case VIRUSFILTER_SCANNER_DUMMY: ++ ret = virusfilter_dummy_init(config); ++ break; + default: + DBG_ERR("Unhandled scanner %d\n", backend); + return -1; +diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h +index f71b0b949a7..463a9d74e9c 100644 +--- a/source3/modules/vfs_virusfilter_common.h ++++ b/source3/modules/vfs_virusfilter_common.h +@@ -83,6 +83,9 @@ struct virusfilter_config { + /* Exclude files */ + name_compare_entry *exclude_files; + ++ /* Infected files */ ++ name_compare_entry *infected_files; ++ + /* Scan result cache */ + struct virusfilter_cache *cache; + int cache_entry_limit; +@@ -149,5 +152,6 @@ struct virusfilter_backend { + int virusfilter_sophos_init(struct virusfilter_config *config); + int virusfilter_fsav_init(struct virusfilter_config *config); + int virusfilter_clamav_init(struct virusfilter_config *config); ++int virusfilter_dummy_init(struct virusfilter_config *config); + + #endif /* _VIRUSFILTER_COMMON_H */ +diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c +new file mode 100644 +index 00000000000..03405cd6629 +--- /dev/null ++++ b/source3/modules/vfs_virusfilter_dummy.c +@@ -0,0 +1,58 @@ ++/* ++ Samba-VirusFilter VFS modules ++ Dummy scanner with infected files support. ++ Copyright (C) 2022 Pavel Filipenský ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "modules/vfs_virusfilter_utils.h" ++ ++static virusfilter_result virusfilter_dummy_scan( ++ struct vfs_handle_struct *handle, ++ struct virusfilter_config *config, ++ const struct files_struct *fsp, ++ char **reportp) ++{ ++ bool ok; ++ ++ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp)); ++ ok = is_in_path(fsp->fsp_name->base_name, ++ config->infected_files, ++ false); ++ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN; ++} ++ ++static struct virusfilter_backend_fns virusfilter_backend_dummy = { ++ .connect = NULL, ++ .disconnect = NULL, ++ .scan_init = NULL, ++ .scan = virusfilter_dummy_scan, ++ .scan_end = NULL, ++}; ++ ++int virusfilter_dummy_init(struct virusfilter_config *config) ++{ ++ struct virusfilter_backend *backend = NULL; ++ ++ backend = talloc_zero(config, struct virusfilter_backend); ++ if (backend == NULL) { ++ return -1; ++ } ++ ++ backend->fns = &virusfilter_backend_dummy; ++ backend->name = "dummy"; ++ config->backend = backend; ++ return 0; ++} +diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build +index 40df4539392..ff318c3fa06 100644 +--- a/source3/modules/wscript_build ++++ b/source3/modules/wscript_build +@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter', + vfs_virusfilter_sophos.c + vfs_virusfilter_fsav.c + vfs_virusfilter_clamav.c ++ vfs_virusfilter_dummy.c + ''', + deps='samba-util VFS_VIRUSFILTER_UTILS', + init_function='', +-- +2.34.1 + + +From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 22:35:29 +0100 +Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and + 'virusfilter:infected files' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969) +--- + docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml +index 329a35af68a..88f91d73a42 100644 +--- a/docs-xml/manpages/vfs_virusfilter.8.xml ++++ b/docs-xml/manpages/vfs_virusfilter.8.xml +@@ -48,6 +48,10 @@ + scanner + clamav, the ClamAV + scanner ++ dummy, dummy scanner used in ++ tests. Checks against the infected files ++ parameter and flags any name that matches as infected. ++ + + + +@@ -264,6 +268,14 @@ + + + ++ ++ virusfilter:infected files = empty ++ ++ Files that virusfilter dummy flags as infected. ++ If this option is not set, the default is empty. ++ ++ ++ + + virusfilter:block access on error = false + +-- +2.34.1 + + +From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 15:34:56 +0100 +Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a) +--- + selftest/target/Samba3.pm | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 64a9a791a61..7584a0e7ba9 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -188,7 +188,7 @@ sub getlog_env_app($$$) + close(LOG); + + return "" if $out eq $title; +- ++ + return $out; + } + +@@ -2426,7 +2426,7 @@ sub provision($$) + my $nmbdsockdir="$prefix_abs/nmbd"; + unlink($nmbdsockdir); + +- ## ++ ## + ## create the test directory layout + ## + die ("prefix_abs = ''") if $prefix_abs eq ""; +@@ -3290,7 +3290,7 @@ sub provision($$) + unless (open(PASSWD, ">$nss_wrapper_passwd")) { + warn("Unable to open $nss_wrapper_passwd"); + return undef; +- } ++ } + print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false + $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false + pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false +-- +2.34.1 + + +From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 8 Feb 2022 15:35:48 +0100 +Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský + +Pair-Programmed-With: Andreas Schneider +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider +(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544) +--- + selftest/knownfail.d/virus_scanner | 2 + + selftest/target/Samba3.pm | 12 ++ + source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++ + source3/selftest/tests.py | 9 ++ + 4 files changed, 147 insertions(+) + create mode 100644 selftest/knownfail.d/virus_scanner + create mode 100755 source3/script/tests/test_virus_scanner.sh + +diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner +new file mode 100644 +index 00000000000..6df3fd20627 +--- /dev/null ++++ b/selftest/knownfail.d/virus_scanner +@@ -0,0 +1,2 @@ ++^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') ++^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 7584a0e7ba9..c1d0c60d96a 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1688,6 +1688,9 @@ sub setup_fileserver + my $veto_sharedir="$share_dir/veto"; + push(@dirs,$veto_sharedir); + ++ my $virusfilter_sharedir="$share_dir/virusfilter"; ++ push(@dirs,$virusfilter_sharedir); ++ + my $ip4 = Samba::get_ipv4_addr("FILESERVER"); + my $fileserver_options = " + kernel change notify = yes +@@ -1813,6 +1816,15 @@ sub setup_fileserver + path = $veto_sharedir + delete veto files = yes + ++[virusfilter] ++ path = $virusfilter_sharedir ++ vfs objects = acl_xattr virusfilter ++ virusfilter:scanner = dummy ++ virusfilter:min file size = 0 ++ virusfilter:infected files = *infected* ++ virusfilter:infected file action = rename ++ virusfilter:scan on close = yes ++ + [homes] + comment = Home directories + browseable = No +diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh +new file mode 100755 +index 00000000000..2234ea6ca89 +--- /dev/null ++++ b/source3/script/tests/test_virus_scanner.sh +@@ -0,0 +1,124 @@ ++#!/bin/sh ++# Copyright (c) 2022 Pavel Filipenský ++# shellcheck disable=1091 ++ ++if [ $# -lt 4 ]; then ++cat <fsp_flags.modified ++ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/infected.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}" ++ ++ # check that virusfilter:rename prefix/suffix was added ++ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then ++ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing." ++ return 1 ++ fi ++ ++ # check that file was not uploaded ++ if [ -f "${sharedir}/infected.upload.txt" ]; then ++ echo "ERROR: {sharedir}/${smbfile} should not exist." ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++check_healthy_read() ++{ ++ rm -rf "${sharedir:?}"/* ++ ++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/healthy.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt" ++ ++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then ++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED" ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++check_healthy_write() ++{ ++ rm -rf "${sharedir:?}"/* ++ ++ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then ++ echo "ERROR: Cannot create ${sharedir}/healthy.txt" ++ return 1 ++ fi ++ ++ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt" ++ ++ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then ++ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED" ++ return 1 ++ fi ++ ++ return 0 ++} ++ ++testit "check_infected_read" check_infected_read || failed=$((failed + 1)) ++testit "check_infected_write" check_infected_write || failed=$((failed + 1)) ++testit "check_healthy_read" check_healthy_read || failed=$((failed + 1)) ++testit "check_healthy_write" check_healthy_write || failed=$((failed + 1)) ++ ++testok "$0" "$failed" +diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py +index 701be011f70..6b146c76381 100755 +--- a/source3/selftest/tests.py ++++ b/source3/selftest/tests.py +@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local", + '$SERVER_IP', + "tmp"]) + ++env = 'fileserver' ++plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env), ++ [os.path.join(samba3srcdir, ++ "script/tests/test_virus_scanner.sh"), ++ '$SERVER_IP', ++ "virusfilter", ++ '$LOCAL_PATH', ++ smbclient3]) ++ + for env in ['fileserver', 'simpleserver']: + plantestsuite("samba3.blackbox.smbclient.encryption", env, + [os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"), +-- +2.34.1 + + +From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 7 Feb 2022 23:06:10 +0100 +Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971 + +Signed-off-by: Pavel Filipenský + +Pair-Programmed-With: Andreas Schneider +Reviewed-by: Jeremy Allison +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184 + +(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c) +--- + selftest/knownfail.d/virus_scanner | 2 -- + source3/modules/vfs_virusfilter.c | 6 +++--- + 2 files changed, 3 insertions(+), 5 deletions(-) + delete mode 100644 selftest/knownfail.d/virus_scanner + +diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner +deleted file mode 100644 +index 6df3fd20627..00000000000 +--- a/selftest/knownfail.d/virus_scanner ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter') +-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter') +diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c +index e6cbee7cd45..d1554967ad1 100644 +--- a/source3/modules/vfs_virusfilter.c ++++ b/source3/modules/vfs_virusfilter.c +@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle, + */ + goto virusfilter_vfs_open_next; + } +- ret = S_ISREG(smb_fname->st.st_ex_mode); ++ ret = S_ISREG(sbuf.st_ex_mode); + if (ret == 0) { + DBG_INFO("Not scanned: Directory or special file: %s/%s\n", + cwd_fname, fname); + goto virusfilter_vfs_open_next; + } + if (config->max_file_size > 0 && +- smb_fname->st.st_ex_size > config->max_file_size) ++ sbuf.st_ex_size > config->max_file_size) + { + DBG_INFO("Not scanned: file size > max file size: %s/%s\n", + cwd_fname, fname); + goto virusfilter_vfs_open_next; + } + if (config->min_file_size > 0 && +- smb_fname->st.st_ex_size < config->min_file_size) ++ sbuf.st_ex_size < config->min_file_size) + { + DBG_INFO("Not scanned: file size < min file size: %s/%s\n", + cwd_fname, fname); +-- +2.34.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 0db9947..8d088f3 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -132,9 +132,9 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 1 +%global baserelease 101 -%global samba_version 4.15.3 +%global samba_version 4.15.5 %global talloc_version 2.3.3 %global tdb_version 1.4.4 %global tevent_version 0.11.0 @@ -204,6 +204,11 @@ Source201: README.downgrade Patch0: samba-s4u.patch Patch1: samba-ctdb-etcd-reclock.patch Patch2: samba-glibc-dns.patch +Patch3: samba-printing-win7.patch +Patch4: samba-disable-systemd-notifications.patch +Patch5: samba-disable-ntlmssp.patch +Patch6: samba-password-change-prompt.patch +Patch7: samba-virus_scanner.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -325,7 +330,7 @@ BuildRequires: python3-etcd # Add python3-iso8601 to avoid that the # version in Samba is being packaged BuildRequires: python3-iso8601 -BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1 >= 0.4.8 BuildRequires: bind BuildRequires: krb5-server >= %{required_mit_krb5} @@ -4102,6 +4107,26 @@ fi %endif %changelog +* Mon Feb 14 2022 Pavel Filipenský - 4.15.5-101 +- resolves: #2050111 - [RFE] Change change password change prompt phrasing +- resolves: #2054110 - virusfilter_vfs_openat: Not scanned: Directory or special file + +* Wed Feb 02 2022 Pavel Filipenský - 4.15.5-100 +- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release +- resolves: #2046129 - Fix CVE-2021-44141 +- resolves: #2046154 - Fix CVE-2021-44142 +- resolves: #2044405 - Fix printing no longer works on Windows 7 +- resolves: #2049485 - Fix systemd notifications +- resolves: #2049604 - Disable NTLMSSP for ldap client connections + +* Mon Jan 24 2022 Pavel Filipenský - 4.15.4-100 +- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release +- resolves: #2039154 - Fix CVE-2021-20316 +- resolves: #2044238 - Failed to authenticate users after upgrade samba package to release samba-4.14.5-7x +- resolves: #2044239 - [smb] Segmentation fault when joining the domain +- resolves: #2044241 - filename_convert_internal: open_pathref_fsp [xxx] failed: NT_STATUS_ACCESS_DENIED +- resolves: #2044255 - Fix CVE-2021-43566 + * Wed Dec 15 2021 Pavel Filipenský - 4.15.3-1 - related: rhbz#2013578 - Rebase to Samba 4.15.3 - resolves: rhbz#2028026 - Fix possible null pointer dereference in winbind