Browse Source

samba package update

Signed-off-by: fpdpbuilder_pel7x64builder0 <fpdpbuilder@powerel.org>
master
fpdpbuilder_pel7x64builder0 6 years ago
commit
56015c2d68
  1. 199
      SOURCES/CVE-2018-10858.patch
  2. 753
      SOURCES/CVE-2018-1139.patch
  3. 20
      SOURCES/README.dc
  4. 29
      SOURCES/README.downgrade
  5. BIN
      SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
  6. 38
      SOURCES/pam_winbind.conf
  7. 270
      SOURCES/samba-4.8.3-fix_krb5_plugins.patch
  8. 216
      SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch
  9. 64
      SOURCES/samba-4.8.3-smbclient_quiet_argument.patch
  10. 7
      SOURCES/samba.log
  11. 6
      SOURCES/samba.pamd
  12. 313
      SOURCES/smb.conf.example
  13. 37
      SOURCES/smb.conf.vendor
  14. 5295
      SPECS/samba.spec

199
SOURCES/CVE-2018-10858.patch

@ -0,0 +1,199 @@
From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:07:17 -0700
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_path.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index 01b0a61e483..ed70ab37550 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
}
}
- *dest++ = '\0';
- max_dest_len--;
+ if (max_dest_len == 0) {
+ /* Ensure we return -1 if no null termination. */
+ return -1;
+ }
+
+ *dest++ = '\0';
+ max_dest_len--;
return max_dest_len;
}
--
2.11.0


From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:08:17 -0700
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
from malicious servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
source3/libsmb/libsmb_path.c | 2 +-
2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 72441c46736..54c2bcb3c73 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
}
-static void
+static int
smbc_readdir_internal(SMBCCTX * context,
struct smbc_dirent *dest,
struct smbc_dirent *src,
int max_namebuf_len)
{
if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
+ int remaining_len;
/* url-encode the name. get back remaining buffer space */
- max_namebuf_len =
+ remaining_len =
smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ /* -1 means no null termination. */
+ if (remaining_len < 0) {
+ return -1;
+ }
+
/* We now know the name length */
dest->namelen = strlen(dest->name);
+ if (dest->namelen + 1 < 1) {
+ /* Integer wrap. */
+ return -1;
+ }
+
+ if (dest->namelen + 1 >= max_namebuf_len) {
+ /* Out of space for comment. */
+ return -1;
+ }
+
/* Save the pointer to the beginning of the comment */
dest->comment = dest->name + dest->namelen + 1;
+ if (remaining_len < 1) {
+ /* No room for comment null termination. */
+ return -1;
+ }
+
/* Copy the comment */
- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
- dest->comment[max_namebuf_len - 1] = '\0';
+ strlcpy(dest->comment, src->comment, remaining_len);
/* Save other fields */
dest->smbc_type = src->smbc_type;
@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
} else {
/* No encoding. Just copy the entry as is. */
+ if (src->dirlen > max_namebuf_len) {
+ return -1;
+ }
memcpy(dest, src, src->dirlen);
+ if (src->namelen + 1 < 1) {
+ /* Integer wrap */
+ return -1;
+ }
+ if (src->namelen + 1 >= max_namebuf_len) {
+ /* Comment off the end. */
+ return -1;
+ }
dest->comment = (char *)(&dest->name + src->namelen + 1);
}
-
+ return 0;
}
/*
@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
SMBCFILE *dir)
{
int maxlen;
+ int ret;
struct smbc_dirent *dirp, *dirent;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
dirp = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirp, dirent, maxlen);
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return NULL;
+ }
dir->dir_next = dir->dir_next->next;
@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
*/
while ((dirlist = dir->dir_next)) {
+ int ret;
struct smbc_dirent *dirent;
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
/* Do urlencoding of next entry, if so selected */
dirent = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirent,
+ ret = smbc_readdir_internal(context, dirent,
dirlist->dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return -1;
+ }
reqd = dirent->dirlen;
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index ed70ab37550..5b53b386a67 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
}
}
- if (max_dest_len == 0) {
+ if (max_dest_len <= 0) {
/* Ensure we return -1 if no null termination. */
return -1;
}
--
2.11.0

753
SOURCES/CVE-2018-1139.patch

@ -0,0 +1,753 @@
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 22 Feb 2018 11:54:45 +1300
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
with_cmocka flag

We have cmocka in third_party, so we are never without it.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
---
selftest/tests.py | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/selftest/tests.py b/selftest/tests.py
index 126e1184230..3f5097b680c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -38,7 +38,6 @@ finally:
f.close()
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
@@ -168,13 +167,12 @@ if with_pam:
valgrindify(python), pam_wrapper_so_path,
"$DOMAIN", "alice", "Secret007"])
-if with_cmocka:
- plantestsuite("samba.unittests.krb5samba", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
- plantestsuite("samba.unittests.lib_util_modules", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
--
2.14.4


From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Jul 2018 08:44:24 +1200
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
ntlm_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
libcli/auth/wscript_build | 13 ++
selftest/knownfail.d/ntlm | 2 +
selftest/tests.py | 2 +
4 files changed, 430 insertions(+)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 selftest/knownfail.d/ntlm

diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 00000000000..e87a0a276d4
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests. Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+ const char *username;
+ const char *domain;
+ DATA_BLOB challenge;
+ DATA_BLOB ntlm;
+ DATA_BLOB lm;
+ DATA_BLOB ntlm_key;
+ DATA_BLOB lm_key;
+ const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+ int flags, bool upn)
+{
+ NTSTATUS status;
+ DATA_BLOB challenge = {
+ .data = discard_const_p(uint8_t, "I am a teapot"),
+ .length = 8
+ };
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+ NULL,
+ "serverdom");
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+ cli_credentials_set_username(creds,
+ "testuser",
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(creds,
+ "testdom",
+ CRED_SPECIFIED);
+ cli_credentials_set_workstation(creds,
+ "testwksta",
+ CRED_SPECIFIED);
+ cli_credentials_set_password(creds,
+ "testpass",
+ CRED_SPECIFIED);
+
+ if (upn) {
+ cli_credentials_set_principal(creds,
+ "testuser@samba.org",
+ CRED_SPECIFIED);
+ }
+
+ cli_credentials_get_ntlm_username_domain(creds,
+ ntlm_state,
+ &ntlm_state->username,
+ &ntlm_state->domain);
+
+ status = cli_credentials_get_ntlm_response(creds,
+ ntlm_state,
+ &flags,
+ challenge,
+ NULL,
+ target_info,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ &ntlm_state->lm_key,
+ &ntlm_state->ntlm_key);
+ ntlm_state->challenge = challenge;
+
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+ ntlm_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+
+ *state = ntlm_state;
+ return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+ return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_LANMAN_AUTH,
+ false);
+}
+
+static int test_ntlm2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLM2,
+ false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLMv2_AUTH,
+ false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ TALLOC_FREE(ntlm_state);
+ *state = NULL;
+ return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+ return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_DISABLED,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ /*
+ * NTLM2 session security (where the real challenge is the
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
+ * the lm) isn't decoded by ntlm_password_check(), it must
+ * first be converted back into normal NTLM by the NTLMSSP
+ * layer
+ */
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ MSV1_0_ALLOW_MSVCHAPV2,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
+{
+ return test_ntlmv2_only_ntlm(state);
+}
+
+static void test_ntlmv2_only_ntlm_once(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &data_blob_null,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm2,
+ test_ntlm2_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
+ test_ntlmv2_setup,
+ test_ntlm_teardown)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 475b7d69406..d319d9b879e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
source='spnego_parse.c',
deps='asn1util')
+
+bld.SAMBA_BINARY(
+ 'test_ntlm_check',
+ source='tests/ntlm_check.c',
+ deps='''
+ NTLM_CHECK
+ CREDENTIALS_NTLM
+ samba-credentials
+ cmocka
+ talloc
+ ''',
+ install=False
+ )
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
new file mode 100644
index 00000000000..c6e6a3739ba
--- /dev/null
+++ b/selftest/knownfail.d/ntlm
@@ -0,0 +1,2 @@
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
diff --git a/selftest/tests.py b/selftest/tests.py
index 3f5097b680c..dc6486c13f8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
--
2.14.4


From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:36:05 +0100
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
hash_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc1d48..1c6499bd210 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
--
2.14.4


From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:35:01 +0100
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
ntlm_password_check().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/ntlm_auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..8f77680416f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
*pauthoritative = 1;
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true, NTLM_AUTH_ON, 0,
&auth4_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true,
+ NTLM_AUTH_ON,
+ 0,
&challenge,
&lm_response,
&nt_response,
--
2.14.4


From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 16 Mar 2018 17:25:12 +0100
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
via SMB1 when it is disabled.

Right now, this test will succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/selftest/tests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9092c1776c8..034c014e5b8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
for env in ["nt4_member", "ad_member"]:
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
--
2.14.4


From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 13 Mar 2018 16:56:20 +0100
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
when it is disabled via "ntlm auth".

This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 2 +-
selftest/knownfail | 3 ++-
selftest/knownfail.d/ntlm | 2 --
3 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/ntlm

diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
diff --git a/selftest/knownfail b/selftest/knownfail
index ba16fd72290..84776d4f35d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -303,8 +303,9 @@
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
# fl2000dc doesn't support AES
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
--
2.14.4

20
SOURCES/README.dc

@ -0,0 +1,20 @@
MIT Kerberos 5 Support
=======================

Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
choice. The Samba build in Fedora is using MIT Kerberos implementation in order
to allow system-wide interoperability between both desktop and server
applications running on the same machine.

At the moment the Samba Active Directory Domain Controller implementation is
not available with MIT Kereberos. FreeIPA and Samba Team members are currently
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
distribution integration of Samba AD DC features.

We have just finished migrating the file server and all client utilities to MIT
Kerberos. The result of this work is available in samba-* packages in Fedora.
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
KDC will be ready.

In case of further questions do not hesitate to send your inquiries to
samba-owner@fedoraproject.org

29
SOURCES/README.downgrade

@ -0,0 +1,29 @@
Downgrading Samba
=================

Short version: data-preserving downgrades between Samba versions are not supported

Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.

Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.

Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.

Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb

In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

BIN
SOURCES/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg

Binary file not shown.

38
SOURCES/pam_winbind.conf

@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
;mkhomedir = no

270
SOURCES/samba-4.8.3-fix_krb5_plugins.patch

@ -0,0 +1,270 @@
From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:06:39 +0200
Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/wscript_build | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 15e93db2f05..576855bb56c 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
)
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
- deps='wbclient krb5 com_err',
- realname='winbind_krb5_locator.so')
+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
+ source='winbind_krb5_locator.c',
+ deps='wbclient krb5 com_err',
+ realname='winbind_krb5_locator.so',
+ install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_localauth',
source='krb5_plugin/winbind_krb5_localauth.c',
deps='wbclient krb5 com_err',
- realname='winbind-krb5-localauth.so')
+ realname='winbind_krb5_localauth.so',
+ install_path='${MODULESDIR}/krb5')
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
source='wb_reqtrans.c',
--
2.17.1


From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:08:56 +0200
Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
subdir

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
nsswitch/wscript_build | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)

diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
similarity index 100%
rename from nsswitch/winbind_krb5_locator.c
rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 576855bb56c..dd1952b799b 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
+ source='krb5_plugin/winbind_krb5_locator.c',
deps='wbclient krb5 com_err',
realname='winbind_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
--
2.17.1


From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:14:15 +0200
Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8

The vfs and idmap manpages are in volume 8 too.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
docs-xml/wscript_build | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)

diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
similarity index 96%
rename from docs-xml/manpages/winbind_krb5_locator.7.xml
rename to docs-xml/manpages/winbind_krb5_locator.8.xml
index 17e401a9da0..0af0c2cc95f 100644
--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
@@ -1,12 +1,12 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="winbind_krb5_locator.7">
+<refentry id="winbind_krb5_locator.8">
<refmeta>
<refentrytitle>winbind_krb5_locator</refentrytitle>
- <manvolnum>7</manvolnum>
+ <manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">7</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 954c62a29bc..2d686eb38b0 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
manpages/pam_winbind.conf.5
'''
-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
--
2.17.1


From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:06:07 +0200
Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
docs-xml/wscript_build | 4 +
2 files changed, 90 insertions(+)
create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml

diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
new file mode 100644
index 00000000000..a382e71ead3
--- /dev/null
+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="winbind_krb5_localauth.8">
+
+<refmeta>
+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbind_krb5_localauth</refname>
+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
+</refnamediv>
+
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This plugin is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.
+ </para>
+
+ <para>
+ <command>winbind_krb5_localauth</command> is a plugin that
+ permits the MIT Kerberos libraries that Kerberos principals can
+ be validated against local user accounts.
+ </para>
+</refsect1>
+<refsect1>
+ <title>PREREQUISITES</title>
+ <para>
+ MIT Kerberos (at least version 1.12) is required.
+ </para>
+
+ <para>
+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
+ and started separately.
+ </para>
+
+ <para>
+ The following sections needs to be added to the
+ <filename>krb5.conf</filename> file.
+
+ <programlisting>
+[plugins]
+ localauth = {
+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
+ enable_only = winbind
+ }
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>
+ This man page is part of version &doc.version; of the Samba
+ suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created
+ by Andrew Tridgell. Samba is now developed by the Samba Team as
+ an Open Source project similar to the way the Linux kernel is
+ developed.
+ </para>
+
+ <para>
+ The winbind_krb5_localauth manpage was written by Andreas
+ Schneider.
+ </para>
+</refsect1>
+
+</refentry>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 2d686eb38b0..ec5d28fc62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
'''
krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBAMANPAGES(krb5_locator_manpages)
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
+
if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
--
2.17.1

216
SOURCES/samba-4.8.3-fix_winbind_getpwnam_local_user.patch

@ -0,0 +1,216 @@
From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:18:52 +0200
Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
---
nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
selftest/knownfail.d/upn_handling | 2 +
source3/selftest/tests.py | 4 +-
3 files changed, 66 insertions(+), 11 deletions(-)

diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
index 2803ac1408b..da30f97be74 100755
--- a/nsswitch/tests/test_wbinfo_user_info.sh
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -2,19 +2,20 @@
# Blackbox test for wbinfo lookup for account name and upn
# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
cat <<EOF
-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
EOF
exit 1;
fi
DOMAIN=$1
REALM=$2
-USERNAME1=$3
-UPN_NAME1=$4
-USERNAME2=$5
-UPN_NAME2=$6
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
shift 6
failed=0
@@ -31,9 +32,9 @@ test_user_info()
{
local cmd out ret user domain upn userinfo
- domain="$1"
- user="$2"
- upn="$3"
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
if [ $# -lt 3 ]; then
userinfo="$domain/$user"
@@ -62,6 +63,39 @@ test_user_info()
return 0
}
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+# We should not be able to lookup the user just by the name
+test_ret=0
+test_output="$DOMAIN/$USERNAME1"
+
+if [ "$ENVNAME" = "ad_member" ]; then
+ test_ret=2
+ test_output=""
+fi
+if [ "$ENVNAME" = "fl2008r2dc" ]; then
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+fi
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
exit $failed
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index bcbedb4f903..7dc9b71dc5e 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,8 +1,10 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f43d2b14d3a..a9cb2dad792 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -216,13 +216,13 @@ env = "ad_member:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "ad_member"
t = "WBCLIENT-MULTI-PING"
--
2.13.6


From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:38:01 +0200
Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144

(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
---
selftest/knownfail.d/upn_handling | 2 --
source3/winbindd/winbindd_util.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 7dc9b71dc5e..bcbedb4f903 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,10 +1,8 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index aa633419c9a..7a5fb73cdef 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
} else if (assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(namespace, lp_netbios_name());
}
}
--
2.13.6

64
SOURCES/samba-4.8.3-smbclient_quiet_argument.patch

@ -0,0 +1,64 @@
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 25 Jun 2018 09:58:56 -0400
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add quiet command-line argument to allow suppressing the help log
message printed automatically after establishing a smbclient connection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485

Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
---
source3/client/client.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/source3/client/client.c b/source3/client/client.c
index 2c1c76036f7..c836e5a0477 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -52,6 +52,7 @@ static int port = 0;
static char *service;
static char *desthost;
static bool grepable = false;
+static bool quiet = false;
static char *cmdstr = NULL;
const char *cmd_ptr = NULL;

@@ -6059,7 +6060,9 @@ static int process_stdin(void)
{
int rc = 0;

- d_printf("Try \"help\" to get a list of possible commands.\n");
+ if (!quiet) {
+ d_printf("Try \"help\" to get a list of possible commands.\n");
+ }

while (!finished) {
TALLOC_CTX *frame = talloc_stackframe();
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
POPT_COMMON_SAMBA
POPT_COMMON_CONNECTION
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
case 'g':
grepable=true;
break;
+ case 'q':
+ quiet=true;
+ break;
case 'e':
smb_encrypt=true;
break;
--
2.17.1

7
SOURCES/samba.log

@ -0,0 +1,7 @@
/var/log/samba/* {
notifempty
olddir /var/log/samba/old
missingok
sharedscripts
copytruncate
}

6
SOURCES/samba.pamd

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth

313
SOURCES/smb.conf.example

@ -0,0 +1,313 @@
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#

security = user
passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.

; security = domain
; passdb backend = tdbsam
; realm = MY_REALM

; password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam

; domain master = yes
; domain logons = yes

# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =

# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:

; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes

#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.

; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes

; dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#

load printers = yes
cups options = raw

; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups

# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.

; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff

37
SOURCES/smb.conf.vendor

@ -0,0 +1,37 @@
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
workgroup = SAMBA
security = user

passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

5295
SPECS/samba.spec

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save