Browse Source

initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>
master
Toshaan Bharvani 3 years ago
commit
f3f3db32fd
  1. 29
      SOURCES/README.downgrade
  2. 38
      SOURCES/pam_winbind.conf
  3. 231
      SOURCES/samba-4-15-fix-autorid.patch
  4. 477
      SOURCES/samba-4-15-fix-create-local-krb5-conf.patch
  5. 411
      SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch
  6. 30
      SOURCES/samba-ctdb-etcd-reclock.patch
  7. 764
      SOURCES/samba-disable-ntlmssp.patch
  8. 36
      SOURCES/samba-disable-systemd-notifications.patch
  9. 64
      SOURCES/samba-glibc-dns.patch
  10. 100
      SOURCES/samba-password-change-prompt.patch
  11. 229
      SOURCES/samba-printing-win7.patch
  12. BIN
      SOURCES/samba-pubkey_AA99442FB680B620.gpg
  13. 697
      SOURCES/samba-s4u.patch
  14. 597
      SOURCES/samba-virus_scanner.patch
  15. 10
      SOURCES/samba.logrotate
  16. 6
      SOURCES/samba.pamd
  17. 313
      SOURCES/smb.conf.example
  18. 41
      SOURCES/smb.conf.vendor
  19. 6764
      SPECS/samba.spec

29
SOURCES/README.downgrade

@ -0,0 +1,29 @@ @@ -0,0 +1,29 @@
Downgrading Samba
=================

Short version: data-preserving downgrades between Samba versions are not supported

Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.

Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.

Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.

Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb

In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

38
SOURCES/pam_winbind.conf

@ -0,0 +1,38 @@ @@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
;debug = no

# turn on extended PAM state debugging
;debug_state = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no

# authenticate using kerberos
;krb5_auth = no

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =

# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =

# password expiry warning period in days
;warn_pwd_expire = 14

# omit pam conversations
;silent = no

# create homedirectory on the fly
;mkhomedir = no

231
SOURCES/samba-4-15-fix-autorid.patch

@ -0,0 +1,231 @@ @@ -0,0 +1,231 @@
From 89f7b7790dd7f3a300718de2d811104dc0637bbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:06:30 +0100
Subject: [PATCH 1/3] s3:winbindd: Add a sanity check for the range

What we want to avoid:

$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid

$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)

$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000

$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)

$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid

If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fe84ae5547313e482ea0eba8ddca5b38a033dc8f)
---
source3/winbindd/idmap_autorid.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index ad53b5810ee..c7d56a37684 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -856,9 +856,10 @@ static NTSTATUS idmap_autorid_initialize(struct idmap_domain *dom)
config->maxranges = (dom->high_id - dom->low_id + 1) /
config->rangesize;
- if (config->maxranges == 0) {
- DEBUG(1, ("Allowed uid range is smaller than rangesize. "
- "Increase uid range or decrease rangesize.\n"));
+ if (config->maxranges < 2) {
+ DBG_WARNING("Allowed idmap range is not a least double the "
+ "size of the rangesize. Please increase idmap "
+ "range.\n");
status = NT_STATUS_INVALID_PARAMETER;
goto error;
}
--
2.35.1


From 70a0069038948a22b1e7dfd8917a3487206ec770 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:07:50 +0100
Subject: [PATCH 2/3] s3:utils: Add a testparm check for idmap autorid

What we want to avoid:

$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid

$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)

$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000

$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)

$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid

If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit db6d4da3411a910e7ce45fe1fecfabf2864eb9f4)
---
source3/utils/testparm.c | 51 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)

diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 98bcc219b1e..58ba46bc15f 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -128,6 +128,21 @@ static bool lp_scan_idmap_found_domain(const char *string,
return false; /* Keep scanning */
}
+static int idmap_config_int(const char *domname, const char *option, int def)
+{
+ int len = snprintf(NULL, 0, "idmap config %s", domname);
+
+ if (len == -1) {
+ return def;
+ }
+ {
+ char config_option[len+1];
+ snprintf(config_option, sizeof(config_option),
+ "idmap config %s", domname);
+ return lp_parm_int(-1, config_option, option, def);
+ }
+}
+
static bool do_idmap_check(void)
{
struct idmap_domains *d;
@@ -157,6 +172,42 @@ static bool do_idmap_check(void)
rc);
}
+ /* Check autorid backend */
+ if (strequal(lp_idmap_default_backend(), "autorid")) {
+ struct idmap_config *c = NULL;
+ bool found = false;
+
+ for (i = 0; i < d->count; i++) {
+ c = &d->c[i];
+
+ if (strequal(c->backend, "autorid")) {
+ found = true;
+ break;
+ }
+ }
+
+ if (found) {
+ uint32_t rangesize =
+ idmap_config_int("*", "rangesize", 100000);
+ uint32_t maxranges =
+ (c->high - c->low + 1) / rangesize;
+
+ if (maxranges < 2) {
+ fprintf(stderr,
+ "ERROR: The idmap autorid range "
+ "[%u-%u] needs to be at least twice as "
+ "big as the rangesize [%u]!"
+ "\n\n",
+ c->low,
+ c->high,
+ rangesize);
+ ok = false;
+ goto done;
+ }
+ }
+ }
+
+ /* Check for overlapping idmap ranges */
for (i = 0; i < d->count; i++) {
struct idmap_config *c = &d->c[i];
uint32_t j;
--
2.35.1


From 9cc90a306bc31ca9fb0b82556ae28c173b77724e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 1 Feb 2022 10:05:19 +0100
Subject: [PATCH 3/3] docs-xml: Fix idmap_autorid documentation

What we want to avoid:

$ ./bin/testparm -s | grep "idmap config"
idmap config * : rangesize = 10000
idmap config * : range = 10000-19999
idmap config * : backend = autorid

$ ./bin/wbinfo --name-to-sid BUILTIN/Administrators
S-1-5-32-544 SID_ALIAS (4)

$ ./bin/wbinfo --sid-to-gid S-1-5-32-544
10000

$ ./bin/wbinfo --name-to-sid ADDOMAIN/alice
S-1-5-21-4058748110-895691256-3682847423-1107 SID_USER (1)

$ ./bin/wbinfo --sid-to-gid S-1-5-21-984165912-589366285-3903095728-1107
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-984165912-589366285-3903095728-1107 to gid

If only one range is configured we are either not able to map users/groups
from our primary *and* the BUILTIN domain. We need at least two ranges to also
cover the BUILTIN domain!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14967

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7e5afd8f1f7e5cfab1a8ef7f4293ac465b7cd8de)
---
docs-xml/manpages/idmap_autorid.8.xml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
index 6c4da1cad8a..980718f0bd4 100644
--- a/docs-xml/manpages/idmap_autorid.8.xml
+++ b/docs-xml/manpages/idmap_autorid.8.xml
@@ -48,7 +48,13 @@
and the corresponding map is discarded. It is
intended as a way to avoid accidental UID/GID
overlaps between local and remotely defined
- IDs.
+ IDs. Note that the range should be a multiple
+ of the rangesize and needs to be at least twice
+ as large in order to have sufficient id range
+ space for the mandatory BUILTIN domain.
+ With a default rangesize of 100000 the range
+ needs to span at least 200000.
+ This would be: range = 100000 - 299999.
</para></listitem>
</varlistentry>
--
2.35.1

477
SOURCES/samba-4-15-fix-create-local-krb5-conf.patch

@ -0,0 +1,477 @@ @@ -0,0 +1,477 @@
From 73368f962136398d79c22e7df6fe4f6d7ce3932f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 16:53:02 +0100
Subject: [PATCH 1/9] testprogs: Add test that local krb5.conf has been created

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
testprogs/blackbox/test_net_ads.sh | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 76b394b10a9..cfafb945b62 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -51,6 +51,12 @@ fi
testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+workgroup=$(awk '/workgroup =/ { print $NR }' "${BASEDIR}/${WORKDIR}/client.conf")
+testit "local krb5.conf created" \
+ test -r \
+ "${BASEDIR}/${WORKDIR}/lockdir/smb_krb5/krb5.conf.${workgroup}" ||
+ failed=$((failed + 1))
+
testit "testjoin" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
netbios=$(grep "netbios name" $BASEDIR/$WORKDIR/client.conf | cut -f2 -d= | awk '{$1=$1};1')
--
2.35.1


From d50e4298d6d713128cc3a7687cb7d5c8f4c213e4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:03:40 +0100
Subject: [PATCH 2/9] s3:libads: Remove trailing spaces in kerberos.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 75beeef4a44..60fe03fd5d7 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
kerberos utility library
Copyright (C) Andrew Tridgell 2001
@@ -37,11 +37,11 @@
#define LIBADS_CCACHE_NAME "MEMORY:libads"
/*
- we use a prompter to avoid a crash bug in the kerberos libs when
+ we use a prompter to avoid a crash bug in the kerberos libs when
dealing with empty passwords
this prompter is just a string copy ...
*/
-static krb5_error_code
+static krb5_error_code
kerb_prompter(krb5_context ctx, void *data,
const char *name,
const char *banner,
@@ -192,7 +192,7 @@ int kerberos_kinit_password_ext(const char *given_principal,
krb5_get_init_creds_opt_set_address_list(opt, addr->addrs);
}
- if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
+ if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, discard_const_p(char,password),
kerb_prompter, discard_const_p(char, password),
0, NULL, opt))) {
goto out;
@@ -299,7 +299,7 @@ int ads_kdestroy(const char *cc_name)
}
if ((code = krb5_cc_destroy (ctx, cc))) {
- DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
+ DEBUG(3, ("ads_kdestroy: krb5_cc_destroy failed: %s\n",
error_message(code)));
}
@@ -348,10 +348,10 @@ int kerberos_kinit_password(const char *principal,
int time_offset,
const char *cache_name)
{
- return kerberos_kinit_password_ext(principal,
- password,
- time_offset,
- 0,
+ return kerberos_kinit_password_ext(principal,
+ password,
+ time_offset,
+ 0,
0,
cache_name,
False,
--
2.35.1


From 85f140daa2779dec38255a997ec77540365959ca Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:04:34 +0100
Subject: [PATCH 3/9] s3:libads: Leave early on error in get_kdc_ip_string()

This avoids useless allocations.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 60fe03fd5d7..1bf149ef09b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -434,9 +434,14 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
bool ok;
- char *kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n", "",
- print_canonical_sockaddr_with_port(mem_ctx, pss));
+ char *kdc_str = NULL;
+ SMB_ASSERT(pss != NULL);
+
+ kdc_str = talloc_asprintf(mem_ctx,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(mem_ctx,
+ pss));
if (kdc_str == NULL) {
TALLOC_FREE(frame);
return NULL;
@@ -516,15 +521,15 @@ static char *get_kdc_ip_string(char *mem_ctx,
}
}
- dc_addrs2 = talloc_zero_array(talloc_tos(),
- struct tsocket_address *,
- num_dcs);
-
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
TALLOC_FREE(kdc_str);
goto out;
}
+
+ dc_addrs2 = talloc_zero_array(talloc_tos(),
+ struct tsocket_address *,
+ num_dcs);
if (dc_addrs2 == NULL) {
TALLOC_FREE(kdc_str);
goto out;
--
2.35.1


From 010cb49995f00b6bb5058b8b1a69e684c0bb1050 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:10:47 +0100
Subject: [PATCH 4/9] s3:libads: Improve debug messages for get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1bf149ef09b..6a46d72a156 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -590,7 +590,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
result = kdc_str;
out:
- DBG_DEBUG("Returning\n%s\n", kdc_str);
+ if (result != NULL) {
+ DBG_DEBUG("Returning\n%s\n", kdc_str);
+ } else {
+ DBG_NOTICE("Failed to get KDC ip address\n");
+ }
TALLOC_FREE(ip_sa_site);
TALLOC_FREE(ip_sa_nonsite);
--
2.35.1


From c0640d8ea59ef57a1d61151f790431bcf7fddeba Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:48:23 +0100
Subject: [PATCH 5/9] s3:libads: Use talloc_asprintf_append() in
get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 6a46d72a156..d1c410ffa4b 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -578,10 +578,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
}
/* Append to the string - inefficient but not done often. */
- new_kdc_str = talloc_asprintf(mem_ctx, "%s\t\tkdc = %s\n",
- kdc_str,
- print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
- TALLOC_FREE(kdc_str);
+ new_kdc_str = talloc_asprintf_append(
+ kdc_str,
+ "\t\tkdc = %s\n",
+ print_canonical_sockaddr_with_port(
+ mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto out;
}
--
2.35.1


From b8e73356ff44f0717ed413a4e8af51f043434a7f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:56:58 +0100
Subject: [PATCH 6/9] s3:libads: Allocate all memory on the talloc stackframe

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d1c410ffa4b..aadc65a3edc 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -438,7 +438,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
SMB_ASSERT(pss != NULL);
- kdc_str = talloc_asprintf(mem_ctx,
+ kdc_str = talloc_asprintf(frame,
"\t\tkdc = %s\n",
print_canonical_sockaddr_with_port(mem_ctx,
pss));
@@ -459,7 +459,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
*/
if (sitename) {
- status = get_kdc_list(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
sitename,
&ip_sa_site,
@@ -477,7 +477,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
/* Get all KDC's. */
- status = get_kdc_list(talloc_tos(),
+ status = get_kdc_list(frame,
realm,
NULL,
&ip_sa_nonsite,
@@ -589,7 +589,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
kdc_str = new_kdc_str;
}
- result = kdc_str;
+ result = talloc_move(mem_ctx, &kdc_str);
out:
if (result != NULL) {
DBG_DEBUG("Returning\n%s\n", kdc_str);
@@ -597,8 +597,6 @@ out:
DBG_NOTICE("Failed to get KDC ip address\n");
}
- TALLOC_FREE(ip_sa_site);
- TALLOC_FREE(ip_sa_nonsite);
TALLOC_FREE(frame);
return result;
}
--
2.35.1


From e2ea1de6128195af937474b41a57756013c8249e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 12:57:18 +0100
Subject: [PATCH 7/9] s3:libads: Remove obsolete free's of kdc_str

This is allocated on the stackframe now!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index aadc65a3edc..2087dc1e6f9 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -443,13 +443,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
print_canonical_sockaddr_with_port(mem_ctx,
pss));
if (kdc_str == NULL) {
- TALLOC_FREE(frame);
- return NULL;
+ goto out;
}
ok = sockaddr_storage_to_samba_sockaddr(&sa, pss);
if (!ok) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -467,7 +465,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("get_kdc_list fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site %s search\n",
@@ -485,7 +482,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DBG_ERR("get_kdc_list (site-less) fail %s\n",
nt_errstr(status));
- TALLOC_FREE(kdc_str);
goto out;
}
DBG_DEBUG("got %zu addresses from site-less search\n", count_nonsite);
@@ -493,7 +489,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (count_site + count_nonsite < count_site) {
/* Wrap check. */
DBG_ERR("get_kdc_list_talloc (site-less) fail wrap error\n");
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -501,7 +496,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
dc_addrs = talloc_array(talloc_tos(), struct sockaddr_storage,
count_site + count_nonsite);
if (dc_addrs == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -523,7 +517,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -531,7 +524,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct tsocket_address *,
num_dcs);
if (dc_addrs2 == NULL) {
- TALLOC_FREE(kdc_str);
goto out;
}
@@ -548,7 +540,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
status = map_nt_error_from_unix(errno);
DEBUG(2,("Failed to create tsocket_address for %s - %s\n",
addr, nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
}
@@ -566,7 +557,6 @@ static char *get_kdc_ip_string(char *mem_ctx,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("get_kdc_ip_string: cldap_multi_netlogon failed: "
"%s\n", nt_errstr(status)));
- TALLOC_FREE(kdc_str);
goto out;
}
--
2.35.1


From 8242cb20ed3149acb83a140c140bdbb90de58b65 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 13:02:05 +0100
Subject: [PATCH 8/9] s3:libads: Check print_canonical_sockaddr_with_port() for
NULL in get_kdc_ip_string()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 2087dc1e6f9..20dceeefb22 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -435,13 +435,18 @@ static char *get_kdc_ip_string(char *mem_ctx,
NTSTATUS status;
bool ok;
char *kdc_str = NULL;
+ char *canon_sockaddr = NULL;
SMB_ASSERT(pss != NULL);
+ canon_sockaddr = print_canonical_sockaddr_with_port(frame, pss);
+ if (canon_sockaddr == NULL) {
+ goto out;
+ }
+
kdc_str = talloc_asprintf(frame,
"\t\tkdc = %s\n",
- print_canonical_sockaddr_with_port(mem_ctx,
- pss));
+ canon_sockaddr);
if (kdc_str == NULL) {
goto out;
}
--
2.35.1


From fbd0843fdd257bc0e4ebef53c7afa29f171e86e5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 15 Mar 2022 13:10:06 +0100
Subject: [PATCH 9/9] s3:libads: Fix creating local krb5.conf

We create an KDC ip string entry directly at the beginning, use it if we
don't have any additional DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15016

Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 20dceeefb22..3fd86e87064 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -522,6 +522,11 @@ static char *get_kdc_ip_string(char *mem_ctx,
DBG_DEBUG("%zu additional KDCs to test\n", num_dcs);
if (num_dcs == 0) {
+ /*
+ * We do not have additional KDCs, but we have the one passed
+ * in via `pss`. So just use that one and leave.
+ */
+ result = talloc_move(mem_ctx, &kdc_str);
goto out;
}
--
2.35.1

411
SOURCES/samba-4-15-fix-winbind-refresh-tickets.patch

@ -0,0 +1,411 @@ @@ -0,0 +1,411 @@
From a32bef9d1193e2bc253b7af8f4d0adb6476937f5 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 12:59:44 +0100
Subject: [PATCH 1/6] s3:libads: Fix memory leak in kerberos_return_pac() error
path

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3dbcd20de98cd28683a9c248368e5082b6388111)
---
source3/libads/authdata.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd21d895fc2..c048510d480 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -61,7 +61,10 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
- DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
+ DATA_BLOB tkt = data_blob_null;
+ DATA_BLOB tkt_wrapped = data_blob_null;
+ DATA_BLOB ap_rep = data_blob_null;
+ DATA_BLOB sesskey1 = data_blob_null;
const char *auth_princ = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
@@ -81,7 +84,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(sesskey1);
if (!name || !pass) {
- return NT_STATUS_INVALID_PARAMETER;
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
}
if (cache_name) {
@@ -131,7 +135,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
if (expire_time && renew_till_time &&
(*expire_time == 0) && (*renew_till_time == 0)) {
- return NT_STATUS_INVALID_LOGON_TYPE;
+ status = NT_STATUS_INVALID_LOGON_TYPE;
+ goto out;
}
ret = ads_krb5_cli_get_ticket(mem_ctx,
--
2.35.1


From d5a800beb60ee0b9310fa073c2e06a7dcbe65d5e Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:00:05 +0100
Subject: [PATCH 2/6] lib:krb5_wrap: Improve debug message and use newer debug
macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ed14513be055cc56eb39785323df2c538a813865)
---
lib/krb5_wrap/krb5_samba.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..42d4b950f80 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1079,7 +1079,7 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
goto done;
}
- DEBUG(10,("smb_krb5_renew_ticket: using %s as ccache\n", ccache_string));
+ DBG_DEBUG("Using %s as ccache for '%s'\n", ccache_string, client_string);
/* FIXME: we should not fall back to defaults */
ret = krb5_cc_resolve(context, discard_const_p(char, ccache_string), &ccache);
--
2.35.1


From 79d08465f66df67b69fdafed8eec48290acf24b9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 14:28:28 +0100
Subject: [PATCH 3/6] lib:krb5_wrap: Fix wrong debug message and use newer
debug macro

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1b5b4107a5081f15ba215f3025056d509fcfcf2a)
---
lib/krb5_wrap/krb5_samba.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 42d4b950f80..76c2dcd2126 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1101,7 +1101,10 @@ krb5_error_code smb_krb5_renew_ticket(const char *ccache_string,
ret = krb5_get_renewed_creds(context, &creds, client, ccache, discard_const_p(char, service_string));
if (ret) {
- DEBUG(10,("smb_krb5_renew_ticket: krb5_get_kdc_cred failed: %s\n", error_message(ret)));
+ DBG_DEBUG("krb5_get_renewed_creds using ccache '%s' "
+ "for client '%s' and service '%s' failed: %s\n",
+ ccache_string, client_string, service_string,
+ error_message(ret));
goto done;
}
--
2.35.1


From 00418e5b78fa4361c0386c13374154d310426f77 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:08:56 +0100
Subject: [PATCH 4/6] s3:libads: Return canonical principal and realm from
kerberos_return_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
---
source3/libads/authdata.c | 22 +++++++++++++++++++++-
source3/libads/kerberos_proto.h | 2 ++
source3/utils/net_ads.c | 2 ++
source3/winbindd/winbindd_pam.c | 2 ++
4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index c048510d480..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
goto out;
}
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
+ }
+
if (cache_name) {
cc = cache_name;
}
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
request_pac,
add_netbios_addr,
renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
&status);
if (ret) {
DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8f993f9ba4c..c41fb0afe9c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
2592000, /* one month */
impersonate_princ_s,
local_service,
+ NULL,
+ NULL,
pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7606bfb4ecd..025a5cbc111 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
+ NULL,
+ NULL,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
--
2.35.1


From d754753ab8edf6dde241d91442fe6afba8993de5 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 13:19:02 +0100
Subject: [PATCH 5/6] s3:winbind: Store canonical principal and realm in ccache
entry

They will be used later to refresh the tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0f4f330773d272b4d28ff3ba5a41bdd4ba569c8b)
---
source3/winbindd/winbindd.h | 2 ++
source3/winbindd/winbindd_cred_cache.c | 16 +++++++++++++++-
source3/winbindd/winbindd_pam.c | 14 ++++++++++----
source3/winbindd/winbindd_proto.h | 4 +++-
4 files changed, 30 insertions(+), 6 deletions(-)

diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index a6b2238cec1..dac4a1fa927 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -344,6 +344,8 @@ struct WINBINDD_CCACHE_ENTRY {
const char *service;
const char *username;
const char *realm;
+ const char *canon_principal;
+ const char *canon_realm;
struct WINBINDD_MEMORY_CREDS *cred_ptr;
int ref_count;
uid_t uid;
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index c3077e21989..88847b1ab97 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -501,7 +501,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request)
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
struct timeval t;
@@ -617,6 +619,18 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
goto no_mem;
}
}
+ if (canon_principal != NULL) {
+ entry->canon_principal = talloc_strdup(entry, canon_principal);
+ if (entry->canon_principal == NULL) {
+ goto no_mem;
+ }
+ }
+ if (canon_realm != NULL) {
+ entry->canon_realm = talloc_strdup(entry, canon_realm);
+ if (entry->canon_realm == NULL) {
+ goto no_mem;
+ }
+ }
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 025a5cbc111..a24cef78440 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -687,6 +687,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
const char *local_service;
uint32_t i;
struct netr_SamInfo6 *info6_copy = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
bool ok;
*info6 = NULL;
@@ -789,8 +791,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
- NULL,
- NULL,
+ &canon_principal,
+ &canon_realm,
&pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
@@ -856,7 +858,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time(NULL),
ticket_lifetime,
renewal_until,
- false);
+ false,
+ canon_principal,
+ canon_realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
@@ -1233,7 +1237,9 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
time(NULL),
time(NULL) + lp_winbind_cache_time(),
time(NULL) + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- true);
+ true,
+ principal_s,
+ realm);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: failed "
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index c0d653a6d77..16c23f3de40 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -236,7 +236,9 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
time_t create_time,
time_t ticket_end,
time_t renew_until,
- bool postponed_request);
+ bool postponed_request,
+ const char *canon_principal,
+ const char *canon_realm);
NTSTATUS remove_ccache(const char *username);
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username);
NTSTATUS winbindd_add_memory_creds(const char *username,
--
2.35.1


From 82452eb54758de50700776fb92b7e7af892fdaea Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Tue, 22 Feb 2022 14:28:44 +0100
Subject: [PATCH 6/6] s3:winbind: Use the canonical principal name to renew the
credentials

The principal name stored in the winbindd ccache entry might be an
enterprise principal name if enterprise principals are enabled. Use
the canonical name to renew the credentials.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8246ccc23d064147412bb3475e6431a9fffc0d27)
---
source3/winbindd/winbindd_cred_cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 88847b1ab97..6c65db6a73f 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -209,7 +209,7 @@ rekinit:
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
- entry->principal_name,
+ entry->canon_principal,
entry->service,
&new_start);
#if defined(DEBUG_KRB5_TKT_RENEWAL)
--
2.35.1

30
SOURCES/samba-ctdb-etcd-reclock.patch

@ -0,0 +1,30 @@ @@ -0,0 +1,30 @@
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
From: Martin Schwenke <martin@meltin.net>
Date: Tue, 27 Apr 2021 15:46:14 +1000
Subject: [PATCH] utils: Use Python 3

Due to the number of flake8 and pylint warnings it is unclear if the
source has Python 3 incompatibilities. These will be cleaned up in
subsequent commits.

Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
---
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
index 000c6bb7208..7f5194eff0a 100755
--- a/ctdb/utils/etcd/ctdb_etcd_lock
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/env python3
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
--
2.31.1

764
SOURCES/samba-disable-ntlmssp.patch

@ -0,0 +1,764 @@ @@ -0,0 +1,764 @@
From 1d5dc35b3c5d793f75cd6572bdda2a1ab0df99cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 10 Dec 2021 16:08:04 +0100
Subject: [PATCH 01/10] s3:utils: set ads->auth.flags using krb5_state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit afcdb090769f6f0f66428cd29f88b0283c6bd527)
---
source3/utils/net_ads.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 6ab4a0096b1..8f993f9ba4c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -607,6 +607,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
char *cp;
const char *realm = NULL;
bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;
/* lp_realm() should be handled by a command line param,
However, the join requires that realm be set in smb.conf
@@ -650,10 +652,28 @@ retry:
ads->auth.password = smb_xstrdup(c->opt_password);
}
- ads->auth.flags |= auth_flags;
SAFE_FREE(ads->auth.user_name);
ads->auth.user_name = smb_xstrdup(c->opt_user_name);
+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
/*
* If the username is of the form "name@realm",
* extract the realm and convert to upper case.
--
2.33.1


From 8f5c1246fdf03ae4d4abba50ef41e2a5cded61d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Wed, 8 Dec 2021 16:05:17 +0100
Subject: [PATCH 02/10] s3:libads: Remove trailing spaces from sasl.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 60fa2bf80cb..b91e2d15bcf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -1,18 +1,18 @@
-/*
+/*
Unix SMB/CIFS implementation.
ads sasl code
Copyright (C) Andrew Tridgell 2001
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -117,7 +117,7 @@ static const struct ads_saslwrap_ops ads_sasl_gensec_ops = {
.disconnect = ads_sasl_gensec_disconnect
};
-/*
+/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
@@ -496,7 +496,7 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
#endif /* HAVE_KRB5 */
-/*
+/*
this performs a SASL/SPNEGO bind
*/
static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
@@ -529,7 +529,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
file_save("sasl_spnego.dat", blob.data, blob.length);
#endif
- /* the server sent us the first part of the SPNEGO exchange in the negprot
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL) ||
OIDs[0] == NULL) {
@@ -557,7 +557,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism)
+ got_kerberos_mechanism)
{
mech = "KRB5";
@@ -578,7 +578,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
"calling kinit\n", ads_errstr(status)));
}
- status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ status = ADS_ERROR_KRB5(ads_kinit_password(ads));
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
@@ -597,7 +597,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
}
/* only fallback to NTLMSSP if allowed */
- if (ADS_ERR_OK(status) ||
+ if (ADS_ERR_OK(status) ||
!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
goto done;
}
@@ -613,7 +613,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
- to sync clocks, and we don't rely on special versions of the krb5
+ to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
--
2.33.1


From 2885c2186fd2d1d8e2fc5f90e58f54b0c72a72df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Thu, 9 Dec 2021 13:43:08 +0100
Subject: [PATCH 03/10] s3:libads: Disable NTLMSSP for FIPS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7785eb9b78066f6f7ee2541cf72d80fcf7411329)
---
source3/libads/sasl.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b91e2d15bcf..992f7022a69 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
"for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
+ "try to fallback to NTLMSSP\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
--
2.33.1


From 636281a0b09f20e4c91f649a950a8c9ca53d1e3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 7 Jan 2022 10:31:19 +0100
Subject: [PATCH 04/10] s3:libads: Improve debug messages for SASL bind
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5f6251abf2f468b3744a96376b0e1c3bc317c738)
---
source3/libads/sasl.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 992f7022a69..ea98aa47ecd 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -586,13 +586,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
- DEBUG(0,("kinit succeeded but "
- "ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s\n",
+ DBG_ERR("kinit succeeded but "
+ "SPNEGO bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
- ads_errstr(status)));
+ ads_errstr(status));
}
}
@@ -602,13 +602,13 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
goto done;
}
- DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
- "for %s/%s with user[%s] realm[%s]: %s, "
- "try to fallback to NTLMSSP\n",
- p.service, p.hostname,
- ads->auth.user_name,
- ads->auth.realm,
- ads_errstr(status)));
+ DBG_WARNING("SASL bind with Kerberos failed "
+ "for %s/%s - user[%s], realm[%s]: %s, "
+ "try to fallback to NTLMSSP\n",
+ p.service, p.hostname,
+ ads->auth.user_name,
+ ads->auth.realm,
+ ads_errstr(status));
}
#endif
--
2.33.1


From db4df8c4ebc9a10d14174878c3303c5f7a9e3d2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 11:13:06 +0100
Subject: [PATCH 05/10] s3:libads: Disable NTLMSSP if not allowed (for builds
without kerberos)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 17ea2ccdabbe935ef571e1227908d51b755707bc)
---
source3/libads/sasl.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index ea98aa47ecd..1bcfe0490a8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
+ if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+ DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
" disallowed.\n");
--
2.33.1


From 86e4b3649f001e162328b1b89ea2d068056514e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 3 Jan 2022 15:33:46 +0100
Subject: [PATCH 06/10] tests: Add test for disabling NTLMSSP for ldap client
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit eb0fa26dce77829995505f542af02e32df088cd6)
---
.../test_weak_disable_ntlmssp_ldap.sh | 41 +++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100755 testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh

diff --git a/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
new file mode 100755
index 00000000000..2822ab29d14
--- /dev/null
+++ b/testprogs/blackbox/test_weak_disable_ntlmssp_ldap.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+# Blackbox tests for diabing NTLMSSP for ldap clinet connections
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: $0 USERNAME PASSWORD
+EOF
+exit 1;
+fi
+
+USERNAME=$1
+PASSWORD=$2
+shift 2
+
+failed=0
+. `dirname $0`/subunit.sh
+
+samba_testparm="$BINDIR/testparm"
+samba_net="$BINDIR/net"
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is allowed
+testit_grep "testparm" "Weak crypto is allowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should be allowed to use NTLM for connecting
+testit "net_ads_search.ntlm" $samba_net ads search --use-kerberos=off '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+GNUTLS_FORCE_FIPS_MODE=1
+export GNUTLS_FORCE_FIPS_MODE
+
+# Checks that testparm reports: Weak crypto is disallowed
+testit_grep "testparm" "Weak crypto is disallowed" $samba_testparm --suppress-prompt $SMB_CONF_PATH 2>&1 || failed=`expr $failed + 1`
+
+# We should not be allowed to use NTLM for connecting
+testit_expect_failure_grep "net_ads_search.ntlm" "We can't fallback to NTLMSSP, weak crypto is disallowed." $samba_net ads search --use-kerberos=off -d10 '(objectCategory=group)' sAMAccountName -U${USERNAME}%${PASSWORD} || failed=`expr $failed + 1`
+
+unset GNUTLS_FORCE_FIPS_MODE
+
+exit $failed
--
2.33.1


From bd39e9418da9dee81d5872037aa5834deba2b40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 4 Jan 2022 12:00:20 +0100
Subject: [PATCH 07/10] s4:selftest: plan test suite
samba4.blackbox.test_weak_disable_ntlmssp_ldap
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9624e60e8c32de695661ae8f0fb5f8f9d836ab95)
---
source4/selftest/tests.py | 1 +
1 file changed, 1 insertion(+)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1e4b2ae6dd3..3a6a716f061 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -636,6 +636,7 @@ plantestsuite("samba4.blackbox.samba-tool_ntacl(ad_member:local)", "ad_member:lo
if have_gnutls_fips_mode_support:
plantestsuite("samba4.blackbox.weak_crypto.client", "ad_dc", [os.path.join(bbdir, "test_weak_crypto.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc"])
+ plantestsuite("samba4.blackbox.test_weak_disable_ntlmssp_ldap", "ad_member:local", [os.path.join(bbdir, "test_weak_disable_ntlmssp_ldap.sh"),'$DC_USERNAME', '$DC_PASSWORD'])
for env in ["ad_dc_fips", "ad_member_fips"]:
plantestsuite("samba4.blackbox.weak_crypto.server", env, [os.path.join(bbdir, "test_weak_crypto_server.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_fips", configuration])
--
2.33.1


From bde5c51a9eef39a165dad7aadf23ecaa5921f520 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:47:38 +0100
Subject: [PATCH 08/10] s3:winbindd: Remove trailing spaces from winbindd_ads.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fcf225a356abb06d1205f66eb79f707c85803cb5)
---
source3/winbindd/winbindd_ads.c | 38 ++++++++++++++++-----------------
1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 948c903f165..e415df347e6 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -326,7 +326,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("query_user_list: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -432,7 +432,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("enum_dom_groups: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -447,7 +447,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
* According to Section 5.1(4) of RFC 2251 if a value of a type is it's
* default value, it MUST be absent. In case of extensible matching the
* "dnattr" boolean defaults to FALSE and so it must be only be present
- * when set to TRUE.
+ * when set to TRUE.
*
* When it is set to FALSE and the OpenLDAP lib (correctly) encodes a
* filter using bitwise matching rule then the buggy AD fails to decode
@@ -458,9 +458,9 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
*
* Thanks to Ralf Haferkamp for input and testing - Guenther */
- filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
+ filter = talloc_asprintf(mem_ctx, "(&(objectCategory=group)(&(groupType:dn:%s:=%d)(!(groupType:dn:%s:=%d))))",
ADS_LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_SECURITY_ENABLED,
- ADS_LDAP_MATCHING_RULE_BIT_AND,
+ ADS_LDAP_MATCHING_RULE_BIT_AND,
enum_dom_local_groups ? GROUP_TYPE_BUILTIN_LOCAL_GROUP : GROUP_TYPE_RESOURCE_GROUP);
if (filter == NULL) {
@@ -529,7 +529,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
DEBUG(3,("ads enum_dom_groups gave %d entries\n", (*num_entries)));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -542,12 +542,12 @@ static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
struct wb_acct_info **info)
{
/*
- * This is a stub function only as we returned the domain
+ * This is a stub function only as we returned the domain
* local groups in enum_dom_groups() if the domain->native field
* was true. This is a simple performance optimization when
* using LDAP.
*
- * if we ever need to enumerate domain local groups separately,
+ * if we ever need to enumerate domain local groups separately,
* then this optimization in enum_dom_groups() will need
* to be split out
*/
@@ -601,7 +601,7 @@ static NTSTATUS rids_to_names(struct winbindd_domain *domain,
tokenGroups are not available. */
static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
TALLOC_CTX *mem_ctx,
- const char *user_dn,
+ const char *user_dn,
struct dom_sid *primary_group,
uint32_t *p_num_groups, struct dom_sid **user_sids)
{
@@ -620,7 +620,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
if ( !winbindd_can_contact_domain( domain ) ) {
DEBUG(10,("lookup_usergroups_members: No incoming trust for domain %s\n",
- domain->name));
+ domain->name));
return NT_STATUS_OK;
}
@@ -702,7 +702,7 @@ static NTSTATUS lookup_usergroups_member(struct winbindd_domain *domain,
DEBUG(3,("ads lookup_usergroups (member) succeeded for dn=%s\n", user_dn));
done:
- if (res)
+ if (res)
ads_msgfree(ads, res);
return status;
@@ -883,14 +883,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
if (count != 1) {
status = NT_STATUS_UNSUCCESSFUL;
DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: "
- "invalid number of results (count=%d)\n",
+ "invalid number of results (count=%d)\n",
dom_sid_str_buf(sid, &buf),
count));
goto done;
}
if (!msg) {
- DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
+ DEBUG(1,("lookup_usergroups(sid=%s) ads_search tokenGroups: NULL msg\n",
dom_sid_str_buf(sid, &buf)));
status = NT_STATUS_UNSUCCESSFUL;
goto done;
@@ -903,7 +903,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
}
if (!ads_pull_uint32(ads, msg, "primaryGroupID", &primary_group_rid)) {
- DEBUG(1,("%s: No primary group for sid=%s !?\n",
+ DEBUG(1,("%s: No primary group for sid=%s !?\n",
domain->name,
dom_sid_str_buf(sid, &buf)));
goto done;
@@ -913,7 +913,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
count = ads_pull_sids(ads, mem_ctx, msg, "tokenGroups", &sids);
- /* there must always be at least one group in the token,
+ /* there must always be at least one group in the token,
unless we are talking to a buggy Win2k server */
/* actually this only happens when the machine account has no read
@@ -937,7 +937,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
/* lookup what groups this user is a member of by DN search on
* "member" */
- status = lookup_usergroups_member(domain, mem_ctx, user_dn,
+ status = lookup_usergroups_member(domain, mem_ctx, user_dn,
&primary_group,
&num_groups, user_sids);
*p_num_groups = num_groups;
@@ -1302,7 +1302,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
DEBUG(10, ("lookup_groupmem: lsa_lookup_sids could "
"not map any SIDs at all.\n"));
/* Don't handle this as an error here.
- * There is nothing left to do with respect to the
+ * There is nothing left to do with respect to the
* overall result... */
}
else if (!NT_STATUS_IS_OK(status)) {
@@ -1367,13 +1367,13 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
NETR_TRUST_FLAG_IN_FOREST;
} else {
flags = NETR_TRUST_FLAG_IN_FOREST;
- }
+ }
result = cm_connect_netlogon(domain, &cli);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(5, ("trusted_domains: Could not open a connection to %s "
- "for PIPE_NETLOGON (%s)\n",
+ "for PIPE_NETLOGON (%s)\n",
domain->name, nt_errstr(result)));
return NT_STATUS_UNSUCCESSFUL;
}
--
2.33.1


From db840cc208542a52a8e8a226b452c4df921fe9e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 18 Jan 2022 19:44:54 +0100
Subject: [PATCH 09/10] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f03abaec2abbd22b9dc83ce4a103b1b3a2912d96)
---
source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
#include "../libds/common/flag_mapping.h"
#include "libsmb/samlogon_cache.h"
#include "passdb.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_ADS
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ADS_STATUS status;
struct sockaddr_storage dc_ss;
fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
if (auth_realm == NULL) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
ads->auth.renewable = renewable;
ads->auth.password = password;
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
ads->auth.realm = SMB_STRDUP(auth_realm);
if (!strupper_m(ads->auth.realm)) {
--
2.33.1


From ead4f4c0a908f22ee2edf7510033345700e2efd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Fri, 21 Jan 2022 12:01:33 +0100
Subject: [PATCH 10/10] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS
mode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184

(cherry picked from commit fa5413b63c8f4a20ab5b803f5cc523e0658eefc9)
---
source3/libnet/libnet_join.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 02705f1c70c..4c67e9af5c4 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
ADS_STATUS status;
ADS_STRUCT *my_ads = NULL;
char *cp;
+ enum credentials_use_kerberos krb5_state;
my_ads = ads_init(dns_domain_name,
netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
--
2.33.1

36
SOURCES/samba-disable-systemd-notifications.patch

@ -0,0 +1,36 @@ @@ -0,0 +1,36 @@
From 752de46cc57215b14b55f2c68334178454d7444f Mon Sep 17 00:00:00 2001
From: "FeRD (Frank Dana)" <ferdnyc@gmail.com>
Date: Mon, 24 Jan 2022 22:14:31 -0500
Subject: [PATCH] printing/bgqd: Disable systemd notifications

samba-bgqd daemon is started by existing Samba daemons. When running
under systemd, those daemons control systemd notifications and
samba-bgqd messages need to be silenced.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14947

Signed-off-by: FeRD (Frank Dana) <ferdnyc@gmail.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 36c861e25b1d9c5ce44bfcb46247e7e4747930c5)
---
source3/printing/samba-bgqd.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index f21327fc622..59ed0cc40db 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -252,6 +252,9 @@ int main(int argc, const char *argv[])
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
+ /* main process will notify systemd */
+ daemon_sd_notifications(false);
+
if (!cmdline_daemon_cfg->fork) {
daemon_status(progname, "Starting process ... ");
} else {
--
2.34.1

64
SOURCES/samba-glibc-dns.patch

@ -0,0 +1,64 @@ @@ -0,0 +1,64 @@
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 7 Oct 2021 15:55:37 +0200
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34

With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
anymore. The res_* symbols have been moved from libresolv to libc. We are not
able to intercept any traffic inside of libc.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
selftest/wscript | 2 +-
third_party/resolv_wrapper/wscript | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/selftest/wscript b/selftest/wscript
index a6be06c2ae9..85d9338489a 100644
--- a/selftest/wscript
+++ b/selftest/wscript
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
if os.environ.get('USE_NAMESPACES') is None:
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
env.OPTIONS += " --use-dns-faking"
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
index a7f18389b0f..7e369bd90b5 100644
--- a/third_party/resolv_wrapper/wscript
+++ b/third_party/resolv_wrapper/wscript
@@ -1,6 +1,7 @@
#!/usr/bin/env python
import os
+from waflib import Logs
VERSION="1.1.7"
@@ -49,6 +50,18 @@ def configure(conf):
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
+ Logs.warn("Detection for resolv_wrapper: "
+ "Only dns faking will be available")
+ else:
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
+
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
--
2.33.1

100
SOURCES/samba-password-change-prompt.patch

@ -0,0 +1,100 @@ @@ -0,0 +1,100 @@
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 17 Nov 2021 09:56:09 +0100
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
off).

This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
---
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
nsswitch/pam_winbind.c | 12 ++++++++++--
nsswitch/pam_winbind.h | 1 +
3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 0bc288f91a1..bae9298fc32 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -194,6 +194,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>pwd_change_prompt = yes|no</term>
+ <listitem><para>
+ Generate prompt for changing an expired password. Defaults to "no".
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
</para>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 720a4b90d85..06098dd07d8 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
ctrl |= WINBIND_MKHOMEDIR;
}
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ }
+
config_from_pam:
/* step through arguments */
for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
else if (!strncasecmp(*v, "warn_pwd_expire",
strlen("warn_pwd_expire")))
ctrl |= WINBIND_WARN_PWD_EXPIRE;
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
else if (type != PAM_WINBIND_CLEANUP) {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index c6786d65a4d..2f4a25729bd 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do { \
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
#define WINBIND_MKHOMEDIR 0x00004000
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
#define _(string) dgettext(MODULE_NAME, string)
--
2.35.1

229
SOURCES/samba-printing-win7.patch

@ -0,0 +1,229 @@ @@ -0,0 +1,229 @@
From 10f485b3a27e10906aa6ee40833fca8bf81b5511 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 22 Jan 2022 01:08:26 +0100
Subject: [PATCH] dcesrv_core: wrap gensec_*() calls in [un]become_root() calls

This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.

Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.

This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).

Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0651fa474cd68b18d8eb9bdc7c4ba5b847ba9ad9)
---
librpc/rpc/dcesrv_auth.c | 5 +++++
librpc/rpc/dcesrv_core.c | 18 ++++++++++++++++++
librpc/rpc/dcesrv_core.h | 2 ++
source3/rpc_server/rpc_config.c | 2 ++
source4/rpc_server/service_rpc.c | 10 ++++++++++
5 files changed, 37 insertions(+)

diff --git a/librpc/rpc/dcesrv_auth.c b/librpc/rpc/dcesrv_auth.c
index fec8df513a83..99d8e0162160 100644
--- a/librpc/rpc/dcesrv_auth.c
+++ b/librpc/rpc/dcesrv_auth.c
@@ -130,11 +130,13 @@ static bool dcesrv_auth_prepare_gensec(struct dcesrv_call_state *call)
auth->auth_level = call->in_auth_info.auth_level;
auth->auth_context_id = call->in_auth_info.auth_context_id;
+ cb->auth.become_root();
status = cb->auth.gensec_prepare(
auth,
call,
&auth->gensec_security,
cb->auth.private_data);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to call samba_server_gensec_start %s\n",
nt_errstr(status)));
@@ -329,6 +331,7 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
{
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
const char *pdu = "<unknown>";
switch (call->pkt.ptype) {
@@ -359,9 +362,11 @@ NTSTATUS dcesrv_auth_complete(struct dcesrv_call_state *call, NTSTATUS status)
return status;
}
+ cb->auth.become_root();
status = gensec_session_info(auth->gensec_security,
auth,
&auth->session_info);
+ cb->auth.unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n",
nt_errstr(status)));
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index d16159b0b6cd..ea91fc689b4a 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -938,6 +938,7 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
struct dcerpc_binding *ep_2nd_description = NULL;
const char *endpoint = NULL;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct dcerpc_ack_ctx *ack_features = NULL;
struct tevent_req *subreq = NULL;
@@ -1143,9 +1144,11 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1160,10 +1163,13 @@ static void dcesrv_bind_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1221,6 +1227,7 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct tevent_req *subreq = NULL;
NTSTATUS status;
@@ -1265,9 +1272,11 @@ static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
return NT_STATUS_OK;
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1283,10 +1292,13 @@ static void dcesrv_auth3_done(struct tevent_req *subreq)
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
@@ -1555,6 +1567,7 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
struct ncacn_packet *pkt = &call->ack_pkt;
uint32_t extra_flags = 0;
struct dcesrv_auth *auth = call->auth_state;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
struct dcerpc_ack_ctx *ack_ctx_list = NULL;
struct tevent_req *subreq = NULL;
size_t i;
@@ -1666,9 +1679,11 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
return dcesrv_auth_reply(call);
}
+ cb->auth.become_root();
subreq = gensec_update_send(call, call->event_ctx,
auth->gensec_security,
call->in_auth_info.credentials);
+ cb->auth.unbecome_root();
if (subreq == NULL) {
return NT_STATUS_NO_MEMORY;
}
@@ -1683,10 +1698,13 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
tevent_req_callback_data(subreq,
struct dcesrv_call_state);
struct dcesrv_connection *conn = call->conn;
+ struct dcesrv_context_callbacks *cb = call->conn->dce_ctx->callbacks;
NTSTATUS status;
+ cb->auth.become_root();
status = gensec_update_recv(subreq, call,
&call->out_auth_info->credentials);
+ cb->auth.unbecome_root();
TALLOC_FREE(subreq);
status = dcesrv_auth_complete(call, status);
diff --git a/librpc/rpc/dcesrv_core.h b/librpc/rpc/dcesrv_core.h
index d8d5f9030959..0538442e0ce6 100644
--- a/librpc/rpc/dcesrv_core.h
+++ b/librpc/rpc/dcesrv_core.h
@@ -392,6 +392,8 @@ struct dcesrv_context_callbacks {
struct gensec_security **out,
void *private_data);
void *private_data;
+ void (*become_root)(void);
+ void (*unbecome_root)(void);
} auth;
struct {
NTSTATUS (*find)(
diff --git a/source3/rpc_server/rpc_config.c b/source3/rpc_server/rpc_config.c
index 2f1a01da1c0b..289c4f398409 100644
--- a/source3/rpc_server/rpc_config.c
+++ b/source3/rpc_server/rpc_config.c
@@ -31,6 +31,8 @@
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = dcesrv_log_successful_authz,
.auth.gensec_prepare = dcesrv_auth_gensec_prepare,
+ .auth.become_root = become_root,
+ .auth.unbecome_root = unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
diff --git a/source4/rpc_server/service_rpc.c b/source4/rpc_server/service_rpc.c
index d8c6746d7815..ebb50f8a7ef3 100644
--- a/source4/rpc_server/service_rpc.c
+++ b/source4/rpc_server/service_rpc.c
@@ -40,9 +40,19 @@
#include "../libcli/named_pipe_auth/npa_tstream.h"
#include "samba/process_model.h"
+static void skip_become_root(void)
+{
+}
+
+static void skip_unbecome_root(void)
+{
+}
+
static struct dcesrv_context_callbacks srv_callbacks = {
.log.successful_authz = log_successful_dcesrv_authz_event,
.auth.gensec_prepare = dcesrv_gensec_prepare,
+ .auth.become_root = skip_become_root,
+ .auth.unbecome_root = skip_unbecome_root,
.assoc_group.find = dcesrv_assoc_group_find,
};
--
2.25.1

BIN
SOURCES/samba-pubkey_AA99442FB680B620.gpg

Binary file not shown.

697
SOURCES/samba-s4u.patch

@ -0,0 +1,697 @@ @@ -0,0 +1,697 @@
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
source4/kdc/mit_samba.c | 47 ++-------
source4/kdc/mit_samba.h | 6 +-
3 files changed, 71 insertions(+), 106 deletions(-)

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index f35210669c2..b1c7c5dcc5e 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
krb5_keyblock *krbtgt_key,
krb5_timestamp authtime,
krb5_authdata **tgt_auth_data,
- krb5_pac *pac)
+ krb5_pac *out_pac)
{
struct mit_samba_context *mit_ctx;
krb5_authdata **authdata = NULL;
- krb5_pac ipac = NULL;
- DATA_BLOB logon_data = { NULL, 0 };
+ krb5_keyblock *header_server_key = NULL;
+ krb5_key_data *impersonator_kd = NULL;
+ krb5_keyblock impersonator_key = {0};
krb5_error_code code;
+ krb5_pac pac;
+
+ *out_pac = NULL;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = krb5_pac_parse(context,
authdata[0]->contents,
authdata[0]->length,
- &ipac);
+ &pac);
if (code != 0) {
goto done;
}
- /* TODO: verify this is correct
- *
- * In the constrained delegation case, the PAC is from a service
- * ticket rather than a TGT; we must verify the server and KDC
- * signatures to assert that the server did not forge the PAC.
+ /*
+ * For constrained delegation in MIT version < 1.18 we aren't provided
+ * with the 2nd ticket server key to verify the PAC.
+ * We can workaround that by fetching the key from the client db entry,
+ * which is the impersonator account in that version.
+ * TODO: use the provided entry in the new 1.18 version.
*/
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- server_key,
- krbtgt_key);
+ /* The impersonator must be local. */
+ if (client == NULL) {
+ code = KRB5KDC_ERR_BADOPTION;
+ goto done;
+ }
+ /* Fetch and decrypt 2nd ticket server's current key. */
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
+ &impersonator_kd);
+ if (code != 0) {
+ goto done;
+ }
+ code = krb5_dbe_decrypt_key_data(context, NULL,
+ impersonator_kd,
+ &impersonator_key, NULL);
+ if (code != 0) {
+ goto done;
+ }
+ header_server_key = &impersonator_key;
} else {
- code = krb5_pac_verify(context,
- ipac,
- authtime,
- client_princ,
- krbtgt_key,
- NULL);
- }
- if (code != 0) {
- goto done;
+ header_server_key = krbtgt_key;
}
- /* check and update PAC */
- code = krb5_pac_parse(context,
- authdata[0]->contents,
- authdata[0]->length,
- pac);
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
+ header_server_key, NULL);
if (code != 0) {
goto done;
}
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
code = mit_samba_reget_pac(mit_ctx,
context,
flags,
- client_princ,
client,
server,
krbtgt,
krbtgt_key,
- pac);
+ &pac);
+ if (code != 0) {
+ goto done;
+ }
+
+ *out_pac = pac;
+ pac = NULL;
done:
+ krb5_free_keyblock_contents(context, &impersonator_key);
krb5_free_authdata(context, authdata);
- krb5_pac_free(context, ipac);
- free(logon_data.data);
+ krb5_pac_free(context, pac);
return code;
}
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krb5_authdata **pac_auth_data = NULL;
krb5_authdata **authdata = NULL;
krb5_boolean is_as_req;
+ krb5_const_principal pac_client;
krb5_error_code code;
krb5_pac pac = NULL;
krb5_data pac_data;
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
- /* FIXME: We don't support S4U yet */
- if (flags & KRB5_KDB_FLAGS_S4U) {
- return KRB5_KDB_DBTYPE_NOSUP;
- }
-
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
/*
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
ks_client_princ = client->princ;
}
+ /* In protocol transition, we are currently not provided with the tgt
+ * client name to verify the PAC, we could probably skip the name
+ * verification and just verify the signatures, but since we don't
+ * support cross-realm nor aliases, we can just use server->princ */
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+ pac_client = server->princ;
+ } else {
+ pac_client = ks_client_princ;
+ }
+
if (client_entry == NULL) {
client_entry = client;
}
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
code = ks_verify_pac(context,
flags,
- ks_client_princ,
+ pac_client,
client_entry,
server,
krbtgt,
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
is_as_req ? "AS-REQ" : "TGS-REQ",
client_name);
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
- server_key, krbtgt_key, &pac_data);
+ server_key, krbtgt_key, &pac_data);
if (code != 0) {
DBG_ERR("krb5_pac_sign failed: %d\n", code);
goto done;
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
KRB5_AUTHDATA_IF_RELEVANT,
authdata,
signed_auth_data);
- if (code != 0) {
- goto done;
- }
-
- code = 0;
-
done:
if (client_entry != NULL && client_entry != client) {
ks_free_principal(context, client_entry);
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
* server; -> delegating service
* proxy; -> target principal
*/
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
-
- char *target_name = NULL;
- bool is_enterprise;
- krb5_error_code code;
mit_ctx = ks_get_context(context);
if (mit_ctx == NULL) {
return KRB5_KDB_DBNOTINITED;
}
- code = krb5_unparse_name(context, proxy, &target_name);
- if (code) {
- goto done;
- }
-
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
-
- code = mit_samba_check_s4u2proxy(mit_ctx,
- delegating_service,
- target_name,
- is_enterprise);
-
-done:
- free(target_name);
- return code;
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
}
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 4239332f0d9..acc3cba6254 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
- discard_const(client_principal),
+ client->princ,
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name)
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal)
{
-#if 1
- /*
- * This is disabled because mit_samba_update_pac_data() does not handle
- * S4U_DELEGATION_INFO
- */
-
- return KRB5KDC_ERR_BADOPTION;
-#else
- krb5_principal target_principal;
- int flags = 0;
- int ret;
-
- if (is_nt_enterprise_name) {
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
- }
-
- ret = krb5_parse_name_flags(ctx->context, target_name,
- flags, &target_principal);
- if (ret) {
- return ret;
- }
-
- ret = samba_kdc_check_s4u2proxy(ctx->context,
- ctx->db_ctx,
- skdc_entry,
- target_principal);
-
- krb5_free_principal(ctx->context, target_principal);
-
- return ret;
-#endif
+ struct samba_kdc_entry *server_skdc_entry =
+ talloc_get_type_abort(server->e_data,
+ struct samba_kdc_entry);
+
+ return samba_kdc_check_s4u2proxy(ctx->context,
+ ctx->db_ctx,
+ server_skdc_entry,
+ target_principal);
}
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
index 636c77ec97c..9cb00c9610e 100644
--- a/source4/kdc/mit_samba.h
+++ b/source4/kdc/mit_samba.h
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
krb5_context context,
int flags,
- krb5_const_principal client_principal,
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
DATA_BLOB *e_data);
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
- krb5_db_entry *kentry,
- const char *target_name,
- bool is_nt_enterprise_name);
+ const krb5_db_entry *server,
+ krb5_const_principal target_principal);
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.33.1


From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
---
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
lib/krb5_wrap/krb5_samba.h | 2 -
source4/auth/kerberos/kerberos_util.c | 11 --
3 files changed, 185 insertions(+), 13 deletions(-)

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index fff5b4e2a22..791b417d5ba 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
+
+#else /* MIT */
+
+static bool princ_compare_no_dollar(krb5_context ctx,
+ krb5_principal a,
+ krb5_principal b)
+{
+ bool cmp;
+ krb5_principal mod = NULL;
+
+ if (a->length == 1 && b->length == 1 &&
+ a->data[0].length != 0 && b->data[0].length != 0 &&
+ a->data[0].data[a->data[0].length -1] !=
+ b->data[0].data[b->data[0].length -1]) {
+ if (a->data[0].data[a->data[0].length -1] == '$') {
+ mod = a;
+ mod->data[0].length--;
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
+ mod = b;
+ mod->data[0].length--;
+ }
+ }
+
+ cmp = krb5_principal_compare_flags(ctx, a, b,
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
+
+ if (mod != NULL) {
+ mod->data[0].length++;
+ }
+
+ return cmp;
+}
+
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+ krb5_ccache store_cc,
+ krb5_principal init_principal,
+ const char *init_password,
+ krb5_principal impersonate_principal,
+ const char *self_service,
+ const char *target_service,
+ krb5_get_init_creds_opt *krb_options,
+ time_t *expire_time,
+ time_t *kdc_time)
+{
+ krb5_error_code code;
+ krb5_principal self_princ = NULL;
+ krb5_principal target_princ = NULL;
+ krb5_creds *store_creds;
+ krb5_creds *s4u2self_creds = NULL;
+ krb5_creds *s4u2proxy_creds = NULL;
+ krb5_creds init_creds = {0};
+ krb5_creds mcreds = {0};
+ krb5_flags options = KRB5_GC_NO_STORE;
+ krb5_ccache tmp_cc;
+ bool s4u2proxy;
+
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
+ if (code != 0) {
+ return code;
+ }
+
+ code = krb5_get_init_creds_password(ctx, &init_creds,
+ init_principal,
+ init_password,
+ NULL, NULL,
+ 0,
+ NULL,
+ krb_options);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /*
+ * Check if we also need S4U2Proxy or if S4U2Self is
+ * enough in order to get a ticket for the target.
+ */
+ if (target_service == NULL) {
+ s4u2proxy = false;
+ } else if (strcmp(target_service, self_service) == 0) {
+ s4u2proxy = false;
+ } else {
+ s4u2proxy = true;
+ }
+
+ code = krb5_parse_name(ctx, self_service, &self_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
+ * client and the request server to be the same principal name. */
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ mcreds.client = impersonate_principal;
+ mcreds.server = init_creds.client;
+
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
+ NULL, &s4u2self_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (s4u2proxy) {
+ code = krb5_parse_name(ctx, target_service, &target_princ);
+ if (code != 0) {
+ goto done;
+ }
+
+ mcreds.client = init_creds.client;
+ mcreds.server = target_princ;
+ mcreds.second_ticket = s4u2self_creds->ticket;
+
+ code = krb5_get_credentials(ctx, options |
+ KRB5_GC_CONSTRAINED_DELEGATION,
+ tmp_cc, &mcreds, &s4u2proxy_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ /* Check KDC support of S4U2Proxy extension */
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
+ s4u2proxy_creds->client)) {
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ goto done;
+ }
+
+ store_creds = s4u2proxy_creds;
+ } else {
+ store_creds = s4u2self_creds;;
+
+ /* We need to save the ticket with the requested server name
+ * or the caller won't be able to find it in cache. */
+ if (!krb5_principal_compare(ctx, self_princ,
+ store_creds->server)) {
+ krb5_free_principal(ctx, store_creds->server);
+ store_creds->server = NULL;
+ code = krb5_copy_principal(ctx, self_princ,
+ &store_creds->server);
+ if (code != 0) {
+ goto done;
+ }
+ }
+ }
+
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
+ if (code != 0) {
+ goto done;
+ }
+
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
+ if (code != 0) {
+ goto done;
+ }
+
+ if (expire_time) {
+ *expire_time = (time_t) store_creds->times.endtime;
+ }
+
+ if (kdc_time) {
+ *kdc_time = (time_t) store_creds->times.starttime;
+ }
+
+done:
+ krb5_cc_destroy(ctx, tmp_cc);
+ krb5_free_cred_contents(ctx, &init_creds);
+ krb5_free_creds(ctx, s4u2self_creds);
+ krb5_free_creds(ctx, s4u2proxy_creds);
+ krb5_free_principal(ctx, self_princ);
+ krb5_free_principal(ctx, target_princ);
+
+ return code;
+}
#endif
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index eab67f6d969..b5385c69a33 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#ifdef SAMBA4_USES_HEIMDAL
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_ccache store_cc,
krb5_principal init_principal,
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
krb5_get_init_creds_opt *krb_options,
time_t *expire_time,
time_t *kdc_time);
-#endif
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
#define smb_krb5_make_principal krb5_make_principal
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 544d9d853cc..c14d8c72d8c 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -234,9 +234,7 @@ done:
{
krb5_error_code ret;
const char *password;
-#ifdef SAMBA4_USES_HEIMDAL
const char *self_service;
-#endif
const char *target_service;
time_t kdc_time = 0;
krb5_principal princ;
@@ -268,9 +266,7 @@ done:
return ret;
}
-#ifdef SAMBA4_USES_HEIMDAL
self_service = cli_credentials_get_self_service(credentials);
-#endif
target_service = cli_credentials_get_target_service(credentials);
password = cli_credentials_get_password(credentials);
@@ -331,7 +327,6 @@ done:
#endif
if (password) {
if (impersonate_principal) {
-#ifdef SAMBA4_USES_HEIMDAL
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
ccache,
princ,
@@ -342,12 +337,6 @@ done:
krb_options,
NULL,
&kdc_time);
-#else
- talloc_free(mem_ctx);
- (*error_string) = "INTERNAL error: s4u2 ops "
- "are not supported with MIT build yet";
- return EINVAL;
-#endif
} else {
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.33.1


From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code

---
source4/heimdal/lib/hdb/hdb.h | 1 +
source4/kdc/db-glue.c | 8 ++++++--
source4/kdc/mit_samba.c | 3 +++
source4/kdc/sdb.h | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
index 5ef9d9565f3..dafaffc6c2d 100644
--- a/source4/heimdal/lib/hdb/hdb.h
+++ b/source4/heimdal/lib/hdb/hdb.h
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index aff74f2ee71..d16b4c3329a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
krb5_clear_error_message(context);
goto out;
}
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
/*
* SDB_F_CANON maps from the canonicalize flag in the
* packet, and has a different meaning between AS-REQ
* and TGS-REQ. We only change the principal in the AS-REQ case
+ *
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
+ * the canonical name in all lookups, and takes care to canonicalize
+ * only when appropriate.
*/
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
if (ret) {
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index acc3cba6254..f0b9df8b613 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
sflags |= SDB_F_CANON;
}
+#if KRB5_KDB_API_VERSION >= 10
+ sflags |= SDB_F_FORCE_CANON;
+#endif
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
index c929acccce6..a9115ec23d7 100644
--- a/source4/kdc/sdb.h
+++ b/source4/kdc/sdb.h
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
void sdb_free_entry(struct sdb_entry_ex *e);
void free_sdb_entry(struct sdb_entry *s);
--
2.33.1

597
SOURCES/samba-virus_scanner.patch

@ -0,0 +1,597 @@ @@ -0,0 +1,597 @@
From 1b14752bebbdecbb7c89c7fe03853bdf4dff6f64 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Feb 2022 16:33:10 +0100
Subject: [PATCH 1/6] selftest: Do not force -d0 for smbd/nmbd/winbindd

We have the env variable SERVER_LOG_LEVEL which allows you to change
the log level on the command line. If we force -d0 this will not work.

make test TESTS="samba" SERVER_LOG_LEVEL=10

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 9693f7ea7383c6a51ab58b7c8255b30206f18a3b)
---
selftest/target/Samba3.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index b901fd2677a..64a9a791a61 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2153,7 +2153,7 @@ sub make_bin_cmd
{
my ($self, $binary, $env_vars, $options, $valgrind, $dont_log_stdout) = @_;
- my @optargs = ("-d0");
+ my @optargs = ();
if (defined($options)) {
@optargs = split(/ /, $options);
}
--
2.34.1


From 22c2899dfc787736c19857997291c151886b7ac0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 12:07:03 +0100
Subject: [PATCH 2/6] s3:modules: Implement dummy virus scanner that uses
filename matching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9f34babec7c6aca3d91f226705d3b3996792e5f1)
---
source3/modules/vfs_virusfilter.c | 12 +++++
source3/modules/vfs_virusfilter_common.h | 4 ++
source3/modules/vfs_virusfilter_dummy.c | 58 ++++++++++++++++++++++++
source3/modules/wscript_build | 1 +
4 files changed, 75 insertions(+)
create mode 100644 source3/modules/vfs_virusfilter_dummy.c

diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index 9fafe4e5d41..e6cbee7cd45 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -35,12 +35,14 @@
enum virusfilter_scanner_enum {
VIRUSFILTER_SCANNER_CLAMAV,
+ VIRUSFILTER_SCANNER_DUMMY,
VIRUSFILTER_SCANNER_FSAV,
VIRUSFILTER_SCANNER_SOPHOS
};
static const struct enum_list scanner_list[] = {
{ VIRUSFILTER_SCANNER_CLAMAV, "clamav" },
+ { VIRUSFILTER_SCANNER_DUMMY, "dummy" },
{ VIRUSFILTER_SCANNER_FSAV, "fsav" },
{ VIRUSFILTER_SCANNER_SOPHOS, "sophos" },
{ -1, NULL }
@@ -199,6 +201,7 @@ static int virusfilter_vfs_connect(
int snum = SNUM(handle->conn);
struct virusfilter_config *config = NULL;
const char *exclude_files = NULL;
+ const char *infected_files = NULL;
const char *temp_quarantine_dir_mode = NULL;
const char *infected_file_command = NULL;
const char *scan_error_command = NULL;
@@ -255,6 +258,12 @@ static int virusfilter_vfs_connect(
set_namearray(&config->exclude_files, exclude_files);
}
+ infected_files = lp_parm_const_string(
+ snum, "virusfilter", "infected files", NULL);
+ if (infected_files != NULL) {
+ set_namearray(&config->infected_files, infected_files);
+ }
+
config->cache_entry_limit = lp_parm_int(
snum, "virusfilter", "cache entry limit", 100);
@@ -537,6 +546,9 @@ static int virusfilter_vfs_connect(
case VIRUSFILTER_SCANNER_CLAMAV:
ret = virusfilter_clamav_init(config);
break;
+ case VIRUSFILTER_SCANNER_DUMMY:
+ ret = virusfilter_dummy_init(config);
+ break;
default:
DBG_ERR("Unhandled scanner %d\n", backend);
return -1;
diff --git a/source3/modules/vfs_virusfilter_common.h b/source3/modules/vfs_virusfilter_common.h
index f71b0b949a7..463a9d74e9c 100644
--- a/source3/modules/vfs_virusfilter_common.h
+++ b/source3/modules/vfs_virusfilter_common.h
@@ -83,6 +83,9 @@ struct virusfilter_config {
/* Exclude files */
name_compare_entry *exclude_files;
+ /* Infected files */
+ name_compare_entry *infected_files;
+
/* Scan result cache */
struct virusfilter_cache *cache;
int cache_entry_limit;
@@ -149,5 +152,6 @@ struct virusfilter_backend {
int virusfilter_sophos_init(struct virusfilter_config *config);
int virusfilter_fsav_init(struct virusfilter_config *config);
int virusfilter_clamav_init(struct virusfilter_config *config);
+int virusfilter_dummy_init(struct virusfilter_config *config);
#endif /* _VIRUSFILTER_COMMON_H */
diff --git a/source3/modules/vfs_virusfilter_dummy.c b/source3/modules/vfs_virusfilter_dummy.c
new file mode 100644
index 00000000000..03405cd6629
--- /dev/null
+++ b/source3/modules/vfs_virusfilter_dummy.c
@@ -0,0 +1,58 @@
+/*
+ Samba-VirusFilter VFS modules
+ Dummy scanner with infected files support.
+ Copyright (C) 2022 Pavel Filipenský <pfilipen@redhat.com>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "modules/vfs_virusfilter_utils.h"
+
+static virusfilter_result virusfilter_dummy_scan(
+ struct vfs_handle_struct *handle,
+ struct virusfilter_config *config,
+ const struct files_struct *fsp,
+ char **reportp)
+{
+ bool ok;
+
+ DBG_INFO("Scanning file: %s\n", fsp_str_dbg(fsp));
+ ok = is_in_path(fsp->fsp_name->base_name,
+ config->infected_files,
+ false);
+ return ok ? VIRUSFILTER_RESULT_INFECTED : VIRUSFILTER_RESULT_CLEAN;
+}
+
+static struct virusfilter_backend_fns virusfilter_backend_dummy = {
+ .connect = NULL,
+ .disconnect = NULL,
+ .scan_init = NULL,
+ .scan = virusfilter_dummy_scan,
+ .scan_end = NULL,
+};
+
+int virusfilter_dummy_init(struct virusfilter_config *config)
+{
+ struct virusfilter_backend *backend = NULL;
+
+ backend = talloc_zero(config, struct virusfilter_backend);
+ if (backend == NULL) {
+ return -1;
+ }
+
+ backend->fns = &virusfilter_backend_dummy;
+ backend->name = "dummy";
+ config->backend = backend;
+ return 0;
+}
diff --git a/source3/modules/wscript_build b/source3/modules/wscript_build
index 40df4539392..ff318c3fa06 100644
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@@ -591,6 +591,7 @@ bld.SAMBA3_MODULE('vfs_virusfilter',
vfs_virusfilter_sophos.c
vfs_virusfilter_fsav.c
vfs_virusfilter_clamav.c
+ vfs_virusfilter_dummy.c
''',
deps='samba-util VFS_VIRUSFILTER_UTILS',
init_function='',
--
2.34.1


From a813dc2adec352a85ec526ac9a3ec67139b730d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 22:35:29 +0100
Subject: [PATCH 3/6] docs-xml:manpages: Document 'dummy' virusfilter and
'virusfilter:infected files'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2fd518e5cc63221c162c9b3f8526b9b7c9e34969)
---
docs-xml/manpages/vfs_virusfilter.8.xml | 12 ++++++++++++
1 file changed, 12 insertions(+)

diff --git a/docs-xml/manpages/vfs_virusfilter.8.xml b/docs-xml/manpages/vfs_virusfilter.8.xml
index 329a35af68a..88f91d73a42 100644
--- a/docs-xml/manpages/vfs_virusfilter.8.xml
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@@ -48,6 +48,10 @@
scanner</para></listitem>
<listitem><para><emphasis>clamav</emphasis>, the ClamAV
scanner</para></listitem>
+ <listitem><para><emphasis>dummy</emphasis>, dummy scanner used in
+ tests. Checks against the <emphasis>infected files</emphasis>
+ parameter and flags any name that matches as infected.
+ </para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
@@ -264,6 +268,14 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>virusfilter:infected files = empty</term>
+ <listitem>
+ <para>Files that virusfilter <emphasis>dummy</emphasis> flags as infected.</para>
+ <para>If this option is not set, the default is empty.</para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>virusfilter:block access on error = false</term>
<listitem>
--
2.34.1


From b67c6fe07a506627439c6ffd07e687befbc122ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:34:56 +0100
Subject: [PATCH 4/6] selftest: Fix trailing whitespace in Samba3.pm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 547b4c595a8513a4be99177edbaa39ce43840f7a)
---
selftest/target/Samba3.pm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 64a9a791a61..7584a0e7ba9 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -188,7 +188,7 @@ sub getlog_env_app($$$)
close(LOG);
return "" if $out eq $title;
-
+
return $out;
}
@@ -2426,7 +2426,7 @@ sub provision($$)
my $nmbdsockdir="$prefix_abs/nmbd";
unlink($nmbdsockdir);
- ##
+ ##
## create the test directory layout
##
die ("prefix_abs = ''") if $prefix_abs eq "";
@@ -3290,7 +3290,7 @@ sub provision($$)
unless (open(PASSWD, ">$nss_wrapper_passwd")) {
warn("Unable to open $nss_wrapper_passwd");
return undef;
- }
+ }
print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
$unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
--
2.34.1


From b558d8f8be4459fa9e588486984c4cadf65ede12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Tue, 8 Feb 2022 15:35:48 +0100
Subject: [PATCH 5/6] s3:selftest: Add test for virus scanner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a25c714c34d3e00e0f3c29d2acfa98cf9cdbc544)
---
selftest/knownfail.d/virus_scanner | 2 +
selftest/target/Samba3.pm | 12 ++
source3/script/tests/test_virus_scanner.sh | 124 +++++++++++++++++++++
source3/selftest/tests.py | 9 ++
4 files changed, 147 insertions(+)
create mode 100644 selftest/knownfail.d/virus_scanner
create mode 100755 source3/script/tests/test_virus_scanner.sh

diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
new file mode 100644
index 00000000000..6df3fd20627
--- /dev/null
+++ b/selftest/knownfail.d/virus_scanner
@@ -0,0 +1,2 @@
+^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
+^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7584a0e7ba9..c1d0c60d96a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1688,6 +1688,9 @@ sub setup_fileserver
my $veto_sharedir="$share_dir/veto";
push(@dirs,$veto_sharedir);
+ my $virusfilter_sharedir="$share_dir/virusfilter";
+ push(@dirs,$virusfilter_sharedir);
+
my $ip4 = Samba::get_ipv4_addr("FILESERVER");
my $fileserver_options = "
kernel change notify = yes
@@ -1813,6 +1816,15 @@ sub setup_fileserver
path = $veto_sharedir
delete veto files = yes
+[virusfilter]
+ path = $virusfilter_sharedir
+ vfs objects = acl_xattr virusfilter
+ virusfilter:scanner = dummy
+ virusfilter:min file size = 0
+ virusfilter:infected files = *infected*
+ virusfilter:infected file action = rename
+ virusfilter:scan on close = yes
+
[homes]
comment = Home directories
browseable = No
diff --git a/source3/script/tests/test_virus_scanner.sh b/source3/script/tests/test_virus_scanner.sh
new file mode 100755
index 00000000000..2234ea6ca89
--- /dev/null
+++ b/source3/script/tests/test_virus_scanner.sh
@@ -0,0 +1,124 @@
+#!/bin/sh
+# Copyright (c) 2022 Pavel Filipenský <pfilipen@redhat.com>
+# shellcheck disable=1091
+
+if [ $# -lt 4 ]; then
+cat <<EOF
+Usage: $0 SERVER_IP SHARE LOCAL_PATH SMBCLIENT
+EOF
+exit 1;
+fi
+
+SERVER_IP=${1}
+SHARE=${2}
+LOCAL_PATH=${3}
+SMBCLIENT=${4}
+
+SMBCLIENT="${VALGRIND} ${SMBCLIENT}"
+
+failed=0
+sharedir="${LOCAL_PATH}/${SHARE}"
+
+incdir="$(dirname "$0")/../../../testprogs/blackbox"
+. "${incdir}/subunit.sh"
+
+check_infected_read()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! touch "${sharedir}/infected.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get infected.txt ${sharedir}/infected.download.txt"
+
+ # check that virusfilter:rename prefix/suffix was added
+ if [ ! -f "${sharedir}/virusfilter.infected.txt.infected" ]; then
+ echo "ERROR: ${sharedir}/virusfilter.infected.txt.infected is missing."
+ return 1
+ fi
+
+ # check that file was not downloaded
+ if [ -f "${sharedir}/infected.download.txt" ]; then
+ echo "ERROR: {sharedir}/infected.download.txt should not exist."
+ return 1
+ fi
+
+ return 0
+}
+
+check_infected_write()
+{
+ rm -rf "${sharedir:?}"/*
+ smbfile=infected.upload.txt
+ smbfilerenamed="virusfilter.${smbfile}.infected"
+
+ # non empty file is needed
+ # vsf_virusfilter performs a scan only if fsp->fsp_flags.modified
+ if ! echo "Hello Virus!" > "${sharedir}/infected.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/infected.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} "//${SERVER_IP}/${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/infected.txt ${smbfile}"
+
+ # check that virusfilter:rename prefix/suffix was added
+ if [ ! -f "${sharedir}/${smbfilerenamed}" ]; then
+ echo "ERROR: ${sharedir}/${smbfilerenamed} is missing."
+ return 1
+ fi
+
+ # check that file was not uploaded
+ if [ -f "${sharedir}/infected.upload.txt" ]; then
+ echo "ERROR: {sharedir}/${smbfile} should not exist."
+ return 1
+ fi
+
+ return 0
+}
+
+check_healthy_read()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "get healthy.txt ${sharedir}/healthy.download.txt"
+
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.download.txt"; then
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.download.txt FAILED"
+ return 1
+ fi
+
+ return 0
+}
+
+check_healthy_write()
+{
+ rm -rf "${sharedir:?}"/*
+
+ if ! echo "Hello Samba!" > "${sharedir}/healthy.txt"; then
+ echo "ERROR: Cannot create ${sharedir}/healthy.txt"
+ return 1
+ fi
+
+ ${SMBCLIENT} //"${SERVER_IP}"/"${SHARE}" -U"${USER}"%"${PASSWORD}" -c "put ${sharedir}/healthy.txt healthy.upload.txt"
+
+ if ! cmp "${sharedir}/healthy.txt" "${sharedir}/healthy.upload.txt"; then
+ echo "ERROR: cmp ${sharedir}/healthy.txt ${sharedir}/healthy.upload.txt FAILED"
+ return 1
+ fi
+
+ return 0
+}
+
+testit "check_infected_read" check_infected_read || failed=$((failed + 1))
+testit "check_infected_write" check_infected_write || failed=$((failed + 1))
+testit "check_healthy_read" check_healthy_read || failed=$((failed + 1))
+testit "check_healthy_write" check_healthy_write || failed=$((failed + 1))
+
+testok "$0" "$failed"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 701be011f70..6b146c76381 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -1240,6 +1240,15 @@ plantestsuite("samba3.blackbox.smbXsrv_client_dead_rec", "fileserver:local",
'$SERVER_IP',
"tmp"])
+env = 'fileserver'
+plantestsuite("samba3.blackbox.virus_scanner", "%s:local" % (env),
+ [os.path.join(samba3srcdir,
+ "script/tests/test_virus_scanner.sh"),
+ '$SERVER_IP',
+ "virusfilter",
+ '$LOCAL_PATH',
+ smbclient3])
+
for env in ['fileserver', 'simpleserver']:
plantestsuite("samba3.blackbox.smbclient.encryption", env,
[os.path.join(samba3srcdir, "script/tests/test_smbclient_encryption.sh"),
--
2.34.1


From 275139352e854c7b01a53014b16673c8c7254fa9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipen@redhat.com>
Date: Mon, 7 Feb 2022 23:06:10 +0100
Subject: [PATCH 6/6] s3:modules: Fix virusfilter_vfs_openat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14971

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Feb 10 22:09:06 UTC 2022 on sn-devel-184

(cherry picked from commit 3f1c958f6fa9d2991185f4e281a377a295d09f9c)
---
selftest/knownfail.d/virus_scanner | 2 --
source3/modules/vfs_virusfilter.c | 6 +++---
2 files changed, 3 insertions(+), 5 deletions(-)
delete mode 100644 selftest/knownfail.d/virus_scanner

diff --git a/selftest/knownfail.d/virus_scanner b/selftest/knownfail.d/virus_scanner
deleted file mode 100644
index 6df3fd20627..00000000000
--- a/selftest/knownfail.d/virus_scanner
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba3.blackbox.virus_scanner.check_infected_read # test download infected file ('vfs objects = virusfilter')
-^samba3.blackbox.virus_scanner.check_infected_write # test upload infected file ('vfs objects = virusfilter')
diff --git a/source3/modules/vfs_virusfilter.c b/source3/modules/vfs_virusfilter.c
index e6cbee7cd45..d1554967ad1 100644
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
@@ -1309,21 +1309,21 @@ static int virusfilter_vfs_openat(struct vfs_handle_struct *handle,
*/
goto virusfilter_vfs_open_next;
}
- ret = S_ISREG(smb_fname->st.st_ex_mode);
+ ret = S_ISREG(sbuf.st_ex_mode);
if (ret == 0) {
DBG_INFO("Not scanned: Directory or special file: %s/%s\n",
cwd_fname, fname);
goto virusfilter_vfs_open_next;
}
if (config->max_file_size > 0 &&
- smb_fname->st.st_ex_size > config->max_file_size)
+ sbuf.st_ex_size > config->max_file_size)
{
DBG_INFO("Not scanned: file size > max file size: %s/%s\n",
cwd_fname, fname);
goto virusfilter_vfs_open_next;
}
if (config->min_file_size > 0 &&
- smb_fname->st.st_ex_size < config->min_file_size)
+ sbuf.st_ex_size < config->min_file_size)
{
DBG_INFO("Not scanned: file size < min file size: %s/%s\n",
cwd_fname, fname);
--
2.34.1

10
SOURCES/samba.logrotate

@ -0,0 +1,10 @@ @@ -0,0 +1,10 @@
/var/log/samba/log.* {
compress
dateext
maxage 365
rotate 99
notifempty
olddir /var/log/samba/old
missingok
copytruncate
}

6
SOURCES/samba.pamd

@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth

313
SOURCES/smb.conf.example

@ -0,0 +1,313 @@ @@ -0,0 +1,313 @@
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v

; netbios name = MYSERVER

; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.

# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#

# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#

security = user
passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.

; security = domain
; passdb backend = tdbsam
; realm = MY_REALM

; password server = <NT-Server-Name>

# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam

; domain master = yes
; domain logons = yes

# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =

# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:

; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"


# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes

#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.

; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes

; dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#

load printers = yes
cups options = raw

; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups

# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.

; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes


#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/tmp
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff

41
SOURCES/smb.conf.vendor

@ -0,0 +1,41 @@ @@ -0,0 +1,41 @@
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
#
# Note:
# SMB1 is disabled by default. This means clients without support for SMB2 or
# SMB3 are no longer able to connect to smbd (by default).

[global]
workgroup = SAMBA
security = user

passdb backend = tdbsam

printing = cups
printcap name = cups
load printers = yes
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775

6764
SPECS/samba.spec

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save