Initial import

tags/samba-4.6.2-13.fws.beta0
Daniel Berteaud 6 years ago
commit 36f327d1e2
  1. 381
      CVE-2017-12150.patch
  2. 111
      CVE-2017-12151.patch
  3. 141
      CVE-2017-12163.patch
  4. 63
      CVE-2017-14746.patch
  5. 45
      CVE-2017-15275.patch
  6. 34
      CVE-2017-7494.patch
  7. 20
      README.dc
  8. 29
      README.downgrade
  9. BIN
      gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
  10. 38
      pam_winbind.conf
  11. 7
      samba-4.6.2.tar.asc
  12. 37
      samba-v4-6-fix-building-with-new-glibc.patch
  13. 1731
      samba-v4-6-fix-cross-realm-refferals.patch
  14. 39
      samba-v4-6-fix-kerberos-debug-message.patch
  15. 293
      samba-v4-6-fix-net-ads-keytab-handling.patch
  16. 245
      samba-v4-6-fix-spoolss-32bit-driver-upload.patch
  17. 211
      samba-v4-6-fix-vfs-expand-msdfs.patch
  18. 74
      samba-v4-6-fix_net_ads_changetrustpw.patch
  19. 194
      samba-v4-6-fix_path_substitutions.patch
  20. 339
      samba-v4-6-fix_smbclient_session_setup_info.patch
  21. 162
      samba-v4-6-fix_smbclient_username_parsing.patch
  22. 227
      samba-v4-6-fix_winbind_child_crash.patch
  23. 76
      samba-v4-6-fix_winbind_normalize_names.patch
  24. 54
      samba-v4.6-credentials-fix-realm.patch
  25. 391
      samba-v4.6-fix_smbpasswd_user_pwd_change.patch
  26. 53
      samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
  27. 543
      samba-v4.6-gss_krb5_import_cred.patch
  28. 179
      samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
  29. 405
      samba-v4.7-config-dynamic-rpc-port-range.patch
  30. 7
      samba.log
  31. 6
      samba.pamd
  32. 4747
      samba.spec
  33. 313
      smb.conf.example
  34. 36
      smb.conf.vendor

@ -0,0 +1,381 @@
From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 17:06:21 +0200
Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
username into a specified one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/include/auth_info.h | 1 +
source3/lib/popt_common.c | 6 +-----
source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
index c6f71ad..8212c27 100644
--- a/source3/include/auth_info.h
+++ b/source3/include/auth_info.h
@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
const char *username);
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
const char *domain);
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 9928c70..36b5e92 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
void popt_common_credentials_post(void)
{
struct user_auth_info *auth_info = cmdline_auth_info;
- const char *username = NULL;
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
!set_cmdline_auth_info_machine_account_creds(auth_info))
@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
* correctly parsed yet. If we have a username we need to set it again
* to run the string parser for the username correctly.
*/
- username = get_cmdline_auth_info_username(auth_info);
- if (username != NULL && username[0] != '\0') {
- set_cmdline_auth_info_username(auth_info, username);
- }
+ reset_cmdline_auth_info_username(auth_info);
}
static void popt_common_credentials_callback(poptContext con,
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index ad51a4f..80142e2 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -37,6 +37,7 @@
struct user_auth_info {
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
+ bool got_username;
bool got_pass;
int signing_state;
bool smb_encrypt;
@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
if (!ok) {
exit(EIO);
}
+ auth_info->got_username = true;
}
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
exit(ENOMEM);
}
+ auth_info->got_username = true;
if (strchr_m(username, '%') != NULL) {
auth_info->got_pass = true;
}
}
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
+{
+ const char *username = NULL;
+ const char *new_val = NULL;
+
+ if (!auth_info->got_username) {
+ return;
+ }
+
+ username = cli_credentials_get_username(auth_info->creds);
+ if (username == NULL) {
+ return;
+ }
+ if (username[0] == '\0') {
+ return;
+ }
+
+ cli_credentials_parse_string(auth_info->creds,
+ username,
+ CRED_SPECIFIED);
+ new_val = cli_credentials_get_username(auth_info->creds);
+ if (new_val == NULL) {
+ exit(ENOMEM);
+ }
+}
+
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
{
const char *domain = NULL;
--
1.9.1
From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 3 Nov 2016 17:16:43 +0100
Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/lib/util_cmdline.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 80142e2..90ee67c 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return SMB_SIGNING_REQUIRED;
+ }
return auth_info->signing_state;
}
--
1.9.1
From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 9 Dec 2016 09:26:32 +0100
Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/pylibsmb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index 59c0998..350c6d4 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
req = cli_full_connection_creds_send(
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
- cli_creds, 0, 0);
+ cli_creds, 0, SMB_SIGNING_DEFAULT);
if (!py_tevent_req_wait_exc(self->ev, req)) {
return -1;
}
--
1.9.1
From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 05:49:46 +0100
Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libgpo/gpo_fetch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 836bc23..3740d4e 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ SMB_SIGNING_REQUIRED);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--
1.9.1
From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:24:14 +0200
Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
cli_credentials_authentication_requested() should check for
NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
auth/credentials/credentials.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 06648c7..5e3b5e8 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -25,6 +25,7 @@
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"
+#include "auth/gensec/gensec.h"
#include "libcli/auth/libcli_auth.h"
#include "tevent.h"
#include "param/param.h"
@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
{
+ uint32_t gensec_features = 0;
+
if (cred->bind_dn) {
return true;
}
@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
+ gensec_features = cli_credentials_get_gensec_features(cred);
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SIGN) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SEAL) {
+ return true;
+ }
+
return false;
}
--
1.9.1
From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:35:49 +0200
Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
smbXcli_conn_signing_mandatory()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libcli/smb/smbXcli_base.c | 5 +++++
libcli/smb/smbXcli_base.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b21d796..239e5eb 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
return false;
}
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
+{
+ return conn->mandatory_signing;
+}
+
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
{
set_socket_options(conn->sock_fd, options);
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index e48fc35..2594f07 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
--
1.9.1
From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 06:07:56 +0100
Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 75012b2..fdcd665 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -26,6 +26,7 @@
#include "trans2.h"
#include "libsmb/nmblib.h"
#include "../libcli/smb/smbXcli_base.h"
+#include "auth/credentials/credentials.h"
/********************************************************************
Important point.
@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
char *servicename;
char *sharename;
char *newserver, *newshare;
- const char *username;
- const char *password;
- const char *domain;
NTSTATUS status;
int flags = 0;
int signing_state = get_cmdline_auth_info_signing_state(auth_info);
@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
}
- username = get_cmdline_auth_info_username(auth_info);
- password = get_cmdline_auth_info_password(auth_info);
- domain = get_cmdline_auth_info_domain(auth_info);
- if ((domain == NULL) || (domain[0] == '\0')) {
- domain = lp_workgroup();
- }
-
creds = get_cmdline_auth_info_creds(auth_info);
status = cli_session_setup_creds(c, creds);
if (!NT_STATUS_IS_OK(status)) {
/* If a password was not supplied then
* try again with a null username. */
- if (password[0] || !username[0] ||
- get_cmdline_auth_info_use_kerberos(auth_info) ||
+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
+ cli_credentials_authentication_requested(creds) ||
+ cli_credentials_is_anonymous(creds) ||
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
{
d_printf("session setup failed: %s\n",
--
1.9.1

@ -0,0 +1,111 @@
From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 14 Aug 2017 12:13:18 +0200
Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
cli_state_is_encryption_on() helper function
This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clientgen.c | 13 +++++++++++++
source3/libsmb/proto.h | 1 +
2 files changed, 14 insertions(+)
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index bc5c1b1ce3c..3e8523e5ce8 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
return cli->smb1.pid;
}
+bool cli_state_is_encryption_on(struct cli_state *cli)
+{
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ return smb1cli_conn_encryption_on(cli->conn);
+ }
+
+ if (cli->smb2.tcon == NULL) {
+ return false;
+ }
+
+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
+}
+
bool cli_state_has_tcon(struct cli_state *cli)
{
uint16_t tid = cli_state_get_tid(cli);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 764f3fc1b12..67fa43e4e4a 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
uint16_t cli_state_get_vc_num(struct cli_state *cli);
uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
uint32_t cli_getpid(struct cli_state *cli);
+bool cli_state_is_encryption_on(struct cli_state *cli);
bool cli_state_has_tcon(struct cli_state *cli);
uint16_t cli_state_get_tid(struct cli_state *cli);
uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
--
2.13.5
From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 17 Dec 2016 10:36:49 +0100
Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
cli_state_is_encryption_on()
This will keep enforced encryption across dfs referrals.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 4 ++--
source3/libsmb/libsmb_context.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index c477d7c6a46..99818a681e3 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
"IPC$",
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
dfs_refs[count].share,
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index ed6ca2b1b9f..b55cf1e2d15 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
for (s = context->internal->servers; s; s = s->next) {
num_servers++;
- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
+ if (!cli_state_is_encryption_on(s->cli)) {
return (void *)false;
}
}
--
2.13.5

@ -0,0 +1,141 @@
From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 317143f..7b07078 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
off_t startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
off_t startpos;
const char *data;
@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
goto out;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
off_t startpos;
@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (fsp->print_file == NULL) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);
--
1.9.1

@ -0,0 +1,63 @@
From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 19 Sep 2017 16:11:33 -0700
Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyihan@360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/process.c | 7 ++++---
source3/smbd/reply.c | 5 +++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index b65ae2c1b1c..9b2b0a669a2 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078249b..81acedf0413 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
--
2.14.2.920.gcf0c67979c-goog

@ -0,0 +1,45 @@
From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
2.14.2.920.gcf0c67979c-goog

@ -0,0 +1,34 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 0633b5f..c3f0cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
{
NTSTATUS status;
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;
--
1.9.1

@ -0,0 +1,20 @@
MIT Kerberos 5 Support
=======================
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
choice. The Samba build in Fedora is using MIT Kerberos implementation in order
to allow system-wide interoperability between both desktop and server
applications running on the same machine.
At the moment the Samba Active Directory Domain Controller implementation is
not available with MIT Kereberos. FreeIPA and Samba Team members are currently
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
distribution integration of Samba AD DC features.
We have just finished migrating the file server and all client utilities to MIT
Kerberos. The result of this work is available in samba-* packages in Fedora.
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
KDC will be ready.
In case of further questions do not hesitate to send your inquiries to
samba-owner@fedoraproject.org

@ -0,0 +1,29 @@
Downgrading Samba
=================
Short version: data-preserving downgrades between Samba versions are not supported
Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.
Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.
Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.
Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb
In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
DQw3KuAbWCKIgkHcy1zZr2o=
=bIg5
-----END PGP SIGNATURE-----

@ -0,0 +1,37 @@
From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 5 Jan 2017 09:34:36 +0100
Subject: [PATCH] replace: Include sysmacros.h
In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
historical compatibility, it is currently defined by <sys/types.h> as
well, but it is planned to remove this soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
---
lib/replace/replace.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index c69a069e4b3..1dbeacfff66 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -171,6 +171,10 @@
#include <sys/types.h>
#endif
+#ifdef HAVE_SYS_SYSMACROS_H
+#include <sys/sysmacros.h>
+#endif
+
#ifdef HAVE_SETPROCTITLE_H
#include <setproctitle.h>
#endif
--
2.12.0

File diff suppressed because it is too large Load Diff

@ -0,0 +1,39 @@
From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 20 Mar 2017 16:08:20 +0100
Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/cliconnect.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 029c3d4760e..93f873079db 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
0 /* no time correction for now */,
NULL);
if (ret != 0) {
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
- user_principal, target_hostname,
- error_message(ret)));
+ int dbglvl = DBGLVL_WARNING;
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ dbglvl = DBGLVL_ERR;
+ }
+
+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
+ user_principal, target_hostname,
+ error_message(ret)));
if (krb5_state == CRED_MUST_USE_KERBEROS) {
TALLOC_FREE(frame);
return krb5_to_nt_status(ret);
--
2.12.0

@ -0,0 +1,293 @@
From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:30:37 +0100
Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
The old behaviour is:
for var in $*
do
echo "$var"
done
And you get this:
$ sh test.sh 1 2 '3 4'
1
2
3
4
Changing it to:
for var in "$@"
do
echo "$var"
done
will correctly expand to:
$ sh test.sh 1 2 '3 4'
1
2
3 4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
---
testprogs/blackbox/subunit.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
index 0791d775d27..5c81ce20a11 100755
--- a/testprogs/blackbox/subunit.sh
+++ b/testprogs/blackbox/subunit.sh
@@ -78,7 +78,7 @@ subunit_skip_test () {
testit () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
@@ -93,7 +93,7 @@ testit () {
testit_expect_failure () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
--
2.12.0
From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:11:39 +0100
Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
---
lib/krb5_wrap/krb5_samba.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 10b42dec53f..fd8e4a96071 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
goto open_keytab;
}
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
return KRB5_KT_BADNAME;
open_keytab:
--
2.12.0
From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:24:52 +0100
Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
---
source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
1 file changed, 57 insertions(+), 12 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 3c73b089bbb..96df10fcf65 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,6 +34,57 @@
#ifdef HAVE_ADS
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
+static krb5_error_code ads_keytab_open(krb5_context context,
+ krb5_keytab *keytab)
+{
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
+ const char *keytab_name = NULL;
+ krb5_error_code ret = 0;
+
+ switch (lp_kerberos_method()) {
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
+ ret = krb5_kt_default_name(context,
+ keytab_str,
+ sizeof(keytab_str) - 2);
+ if (ret != 0) {
+ DBG_WARNING("Failed to get default keytab name");
+ goto out;
+ }
+ keytab_name = keytab_str;
+ break;
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
+ keytab_name = lp_dedicated_keytab_file();
+ break;
+ default:
+ DBG_ERR("Invalid kerberos method set (%d)\n",
+ lp_kerberos_method());
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
+ DBG_ERR("Invalid keytab name\n");
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
+ if (ret != 0) {
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
/**********************************************************************
Adds a single service principal, i.e. 'host' to the system keytab
***********************************************************************/
@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
return -1;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
return ret;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
"and update.\n"));
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto done;
}
--
2.12.0
From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:28:58 +0100
Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
---
lib/param/param_table.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4b5234a7c9e..9a944ef19b3 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
static const struct enum_list enum_kerberos_method[] = {
{KERBEROS_VERIFY_SECRETS, "default"},
{KERBEROS_VERIFY_SECRETS, "secrets only"},
+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
{-1, NULL}
};
--
2.12.0
From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:34:05 +0100
Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and make sure we
will not regress in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
---
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 8e915cdcf1f..99b886f53eb 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+# Test with kerberos method = secrets and keytab
+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+rm -f $dedicated_keytab_file
+
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
--
2.12.0

@ -0,0 +1,245 @@
From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 May 2017 17:48:42 +0200
Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
COPY_FROM_DIRECTORY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
---
source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 16 deletions(-)
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 394a3e5..49be5d9 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
static uint32_t get_correct_cversion(struct auth_session_info *session_info,
const char *architecture,
const char *driverpath_in,
+ const char *driver_directory,
WERROR *perr)
{
int cversion = -1;
NTSTATUS nt_status;
struct smb_filename *smb_fname = NULL;
- char *driverpath = NULL;
files_struct *fsp = NULL;
connection_struct *conn = NULL;
char *oldcwd;
char *printdollar = NULL;
+ char *printdollar_path = NULL;
+ char *working_dir = NULL;
int printdollar_snum;
*perr = WERR_INVALID_PARAMETER;
@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
return -1;
}
+ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
+ if (printdollar_path == NULL) {
+ *perr = WERR_NOT_ENOUGH_MEMORY;
+ return -1;
+ }
+
+ working_dir = talloc_asprintf(talloc_tos(),
+ "%s/%s",
+ printdollar_path,
+ architecture);
+ /*
+ * If the driver has been uploaded into a temorpary driver
+ * directory, switch to the driver directory.
+ */
+ if (driver_directory != NULL) {
+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
+ printdollar_path,
+ architecture,
+ driver_directory);
+ }
+
nt_status = create_conn_struct_cwd(talloc_tos(),
server_event_context(),
server_messaging_context(),
&conn,
printdollar_snum,
- lp_path(talloc_tos(), printdollar_snum),
+ working_dir,
session_info, &oldcwd);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("get_correct_cversion: create_conn_struct "
@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
goto error_free_conn;
}
- /* Open the driver file (Portable Executable format) and determine the
- * deriver the cversion. */
- driverpath = talloc_asprintf(talloc_tos(),
- "%s/%s",
- architecture,
- driverpath_in);
- if (!driverpath) {
- *perr = WERR_NOT_ENOUGH_MEMORY;
- goto error_exit;
- }
-
- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
+ /*
+ * We switch to the directory where the driver files are located,
+ * so only work on the file names
+ */
+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
if (!NT_STATUS_IS_OK(nt_status)) {
*perr = ntstatus_to_werror(nt_status);
goto error_exit;
@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
* NT2K: cversion=3
*/
- *version = get_correct_cversion(session_info, short_architecture,
- *driver_path, &err);
+ *version = get_correct_cversion(session_info,
+ short_architecture,
+ *driver_path,
+ *driver_directory,
+ &err);
if (*version == -1) {
return err;
}
--
2.9.3
From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:11:25 +0200
Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
for 64bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
---
source4/torture/rpc/spoolss.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 409ba57..c4b7bf1 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
}
static bool test_driver_copy_from_directory(struct torture_context *tctx,
- struct dcerpc_pipe *p)
+ struct dcerpc_pipe *p,
+ const char *architecture)
{
struct torture_driver_context *d;
struct spoolss_StringArray *a;
@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d = talloc_zero(tctx, struct torture_driver_context);
torture_assert_not_null(tctx, d, "ENOMEM");
- d->local.environment =
- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
+ d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
d->local.driver_directory =
@@ -11208,6 +11208,12 @@ done:
return ok;
}
+static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
torture_rpc_tcase_add_test(tcase,
- "test_driver_copy_from_directory",
- test_driver_copy_from_directory);
+ "test_driver_copy_from_directory_64",
+ test_driver_copy_from_directory_64);
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
--
2.9.3
From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:12:02 +0200
Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
copy_from_directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
---
source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index c4b7bf1..e17ac6f 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
- d->local.driver_directory =
- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/x64");
+ } else {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/i386");
+ }
torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
d->remote.driver_upload_directory = GUID_string2(d, &guid);
@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
}
+static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
"test_driver_copy_from_directory_64",
test_driver_copy_from_directory_64);
+ torture_rpc_tcase_add_test(tcase,
+ "test_driver_copy_from_directory_32",
+ test_driver_copy_from_directory_32);
+
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
--
2.9.3

@ -0,0 +1,211 @@
From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 14 Mar 2017 16:12:20 +0100
Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
---
source3/modules/vfs_expand_msdfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
index ffbfa333bad..e42d0098b32 100644
--- a/source3/modules/vfs_expand_msdfs.c
+++ b/source3/modules/vfs_expand_msdfs.c
@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
return NULL;
}
- targethost = read_target_host(
- ctx, raddr, mapfilename);
+ targethost = read_target_host(ctx, mapfilename, raddr);
if (targethost == NULL) {
DEBUG(1, ("Could not expand target host from file %s\n",
mapfilename));
--
2.12.0
From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 15:32:37 +0100
Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
get_referred_path()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
---
source3/modules/vfs_default.c | 2 ++
source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
source3/smbd/msdfs.c | 12 +++++++-----
source3/smbd/proto.h | 12 +++++++-----
4 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index e0b6125f7d8..dcae861103d 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
/* The following call can change cwd. */
status = get_referred_path(r, pathnamep,
+ handle->conn->sconn->remote_address,
+ handle->conn->sconn->local_address,
!handle->conn->sconn->using_smb2,
junction, &consumedcnt, &self_referral);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
index ab2af53c0ba..0a4d6d31b7c 100644
--- a/source3/rpc_server/dfs/srv_dfs_nt.c
+++ b/source3/rpc_server/dfs/srv_dfs_nt.c
@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
}
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status) ||
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 61538cec832..3cf82d3b430 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
**********************************************************************/
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- const char *dfs_path,
- bool allow_broken_path,
- struct junction_map *jucn,
- int *consumedcntp,
- bool *self_referralp)
+ const char *dfs_path,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ bool allow_broken_path,
+ struct junction_map *jucn,
+ int *consumedcntp,
+ bool *self_referralp)
{
struct connection_struct *conn;
char *targetpath = NULL;
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index c1b8201b472..e64457cf9e0 100644
--- a/source3/smbd/proto.h