Initial import

tags/samba-4.6.2-13.fws.beta0
Daniel Berteaud 7 years ago
commit 36f327d1e2
  1. 381
      CVE-2017-12150.patch
  2. 111
      CVE-2017-12151.patch
  3. 141
      CVE-2017-12163.patch
  4. 63
      CVE-2017-14746.patch
  5. 45
      CVE-2017-15275.patch
  6. 34
      CVE-2017-7494.patch
  7. 20
      README.dc
  8. 29
      README.downgrade
  9. BIN
      gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
  10. 38
      pam_winbind.conf
  11. 7
      samba-4.6.2.tar.asc
  12. 37
      samba-v4-6-fix-building-with-new-glibc.patch
  13. 1731
      samba-v4-6-fix-cross-realm-refferals.patch
  14. 39
      samba-v4-6-fix-kerberos-debug-message.patch
  15. 293
      samba-v4-6-fix-net-ads-keytab-handling.patch
  16. 245
      samba-v4-6-fix-spoolss-32bit-driver-upload.patch
  17. 211
      samba-v4-6-fix-vfs-expand-msdfs.patch
  18. 74
      samba-v4-6-fix_net_ads_changetrustpw.patch
  19. 194
      samba-v4-6-fix_path_substitutions.patch
  20. 339
      samba-v4-6-fix_smbclient_session_setup_info.patch
  21. 162
      samba-v4-6-fix_smbclient_username_parsing.patch
  22. 227
      samba-v4-6-fix_winbind_child_crash.patch
  23. 76
      samba-v4-6-fix_winbind_normalize_names.patch
  24. 54
      samba-v4.6-credentials-fix-realm.patch
  25. 391
      samba-v4.6-fix_smbpasswd_user_pwd_change.patch
  26. 53
      samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
  27. 543
      samba-v4.6-gss_krb5_import_cred.patch
  28. 179
      samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
  29. 405
      samba-v4.7-config-dynamic-rpc-port-range.patch
  30. 7
      samba.log
  31. 6
      samba.pamd
  32. 4747
      samba.spec
  33. 313
      smb.conf.example
  34. 36
      smb.conf.vendor

@ -0,0 +1,381 @@
From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 17:06:21 +0200
Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
username into a specified one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/include/auth_info.h | 1 +
source3/lib/popt_common.c | 6 +-----
source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
index c6f71ad..8212c27 100644
--- a/source3/include/auth_info.h
+++ b/source3/include/auth_info.h
@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
const char *username);
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
const char *domain);
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 9928c70..36b5e92 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
void popt_common_credentials_post(void)
{
struct user_auth_info *auth_info = cmdline_auth_info;
- const char *username = NULL;
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
!set_cmdline_auth_info_machine_account_creds(auth_info))
@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
* correctly parsed yet. If we have a username we need to set it again
* to run the string parser for the username correctly.
*/
- username = get_cmdline_auth_info_username(auth_info);
- if (username != NULL && username[0] != '\0') {
- set_cmdline_auth_info_username(auth_info, username);
- }
+ reset_cmdline_auth_info_username(auth_info);
}
static void popt_common_credentials_callback(poptContext con,
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index ad51a4f..80142e2 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -37,6 +37,7 @@
struct user_auth_info {
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
+ bool got_username;
bool got_pass;
int signing_state;
bool smb_encrypt;
@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
if (!ok) {
exit(EIO);
}
+ auth_info->got_username = true;
}
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
exit(ENOMEM);
}
+ auth_info->got_username = true;
if (strchr_m(username, '%') != NULL) {
auth_info->got_pass = true;
}
}
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
+{
+ const char *username = NULL;
+ const char *new_val = NULL;
+
+ if (!auth_info->got_username) {
+ return;
+ }
+
+ username = cli_credentials_get_username(auth_info->creds);
+ if (username == NULL) {
+ return;
+ }
+ if (username[0] == '\0') {
+ return;
+ }
+
+ cli_credentials_parse_string(auth_info->creds,
+ username,
+ CRED_SPECIFIED);
+ new_val = cli_credentials_get_username(auth_info->creds);
+ if (new_val == NULL) {
+ exit(ENOMEM);
+ }
+}
+
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
{
const char *domain = NULL;
--
1.9.1
From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 3 Nov 2016 17:16:43 +0100
Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/lib/util_cmdline.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 80142e2..90ee67c 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return SMB_SIGNING_REQUIRED;
+ }
return auth_info->signing_state;
}
--
1.9.1
From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 9 Dec 2016 09:26:32 +0100
Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/pylibsmb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index 59c0998..350c6d4 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
req = cli_full_connection_creds_send(
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
- cli_creds, 0, 0);
+ cli_creds, 0, SMB_SIGNING_DEFAULT);
if (!py_tevent_req_wait_exc(self->ev, req)) {
return -1;
}
--
1.9.1
From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 05:49:46 +0100
Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libgpo/gpo_fetch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 836bc23..3740d4e 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ SMB_SIGNING_REQUIRED);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--
1.9.1
From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:24:14 +0200
Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
cli_credentials_authentication_requested() should check for
NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
auth/credentials/credentials.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 06648c7..5e3b5e8 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -25,6 +25,7 @@
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"
+#include "auth/gensec/gensec.h"
#include "libcli/auth/libcli_auth.h"
#include "tevent.h"
#include "param/param.h"
@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
{
+ uint32_t gensec_features = 0;
+
if (cred->bind_dn) {
return true;
}
@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
+ gensec_features = cli_credentials_get_gensec_features(cred);
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SIGN) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SEAL) {
+ return true;
+ }
+
return false;
}
--
1.9.1
From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:35:49 +0200
Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
smbXcli_conn_signing_mandatory()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libcli/smb/smbXcli_base.c | 5 +++++
libcli/smb/smbXcli_base.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b21d796..239e5eb 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
return false;
}
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
+{
+ return conn->mandatory_signing;
+}
+
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
{
set_socket_options(conn->sock_fd, options);
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index e48fc35..2594f07 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
--
1.9.1
From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 06:07:56 +0100
Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 75012b2..fdcd665 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -26,6 +26,7 @@
#include "trans2.h"
#include "libsmb/nmblib.h"
#include "../libcli/smb/smbXcli_base.h"
+#include "auth/credentials/credentials.h"
/********************************************************************
Important point.
@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
char *servicename;
char *sharename;
char *newserver, *newshare;
- const char *username;
- const char *password;
- const char *domain;
NTSTATUS status;
int flags = 0;
int signing_state = get_cmdline_auth_info_signing_state(auth_info);
@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
}
- username = get_cmdline_auth_info_username(auth_info);
- password = get_cmdline_auth_info_password(auth_info);
- domain = get_cmdline_auth_info_domain(auth_info);
- if ((domain == NULL) || (domain[0] == '\0')) {
- domain = lp_workgroup();
- }
-
creds = get_cmdline_auth_info_creds(auth_info);
status = cli_session_setup_creds(c, creds);
if (!NT_STATUS_IS_OK(status)) {
/* If a password was not supplied then
* try again with a null username. */
- if (password[0] || !username[0] ||
- get_cmdline_auth_info_use_kerberos(auth_info) ||
+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
+ cli_credentials_authentication_requested(creds) ||
+ cli_credentials_is_anonymous(creds) ||
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
{
d_printf("session setup failed: %s\n",
--
1.9.1
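Review bot: The comment kept at the fallback in do_connect (clidfs.c, patch 7/7) is now stale: it still says `If a password was not supplied then try again with a null username`, but the rewritten condition no longer looks at the password or username at all — it falls back to cli_session_setup_anon() only when neither forced encryption, mandatory signing, explicitly requested authentication nor an already-anonymous credential is in play. Replace it with `/* Only fall back to an anonymous session when the user asked for no authentication, signing or encryption; otherwise fail closed. */` so the next reader does not reintroduce a password-based test. reset_cmdline_auth_info_username() in util_cmdline.c (patch 1/7) would likewise benefit from a header comment stating that it re-runs the credential string parser with CRED_SPECIFIED only for a username the user actually supplied (got_username), which is the whole point of the fix. do_connect starts before and continues after its hunks.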

@ -0,0 +1,111 @@
From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 14 Aug 2017 12:13:18 +0200
Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
cli_state_is_encryption_on() helper function
This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clientgen.c | 13 +++++++++++++
source3/libsmb/proto.h | 1 +
2 files changed, 14 insertions(+)
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index bc5c1b1ce3c..3e8523e5ce8 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
return cli->smb1.pid;
}
+bool cli_state_is_encryption_on(struct cli_state *cli)
+{
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ return smb1cli_conn_encryption_on(cli->conn);
+ }
+
+ if (cli->smb2.tcon == NULL) {
+ return false;
+ }
+
+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
+}
+
bool cli_state_has_tcon(struct cli_state *cli)
{
uint16_t tid = cli_state_get_tid(cli);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 764f3fc1b12..67fa43e4e4a 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
uint16_t cli_state_get_vc_num(struct cli_state *cli);
uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
uint32_t cli_getpid(struct cli_state *cli);
+bool cli_state_is_encryption_on(struct cli_state *cli);
bool cli_state_has_tcon(struct cli_state *cli);
uint16_t cli_state_get_tid(struct cli_state *cli);
uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
--
2.13.5
From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 17 Dec 2016 10:36:49 +0100
Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
cli_state_is_encryption_on()
This will keep enforced encryption across dfs referrals.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 4 ++--
source3/libsmb/libsmb_context.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index c477d7c6a46..99818a681e3 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
"IPC$",
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
dfs_refs[count].share,
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index ed6ca2b1b9f..b55cf1e2d15 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
for (s = context->internal->servers; s; s = s->next) {
num_servers++;
- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
+ if (!cli_state_is_encryption_on(s->cli)) {
return (void *)false;
}
}
--
2.13.5
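Review bot: cli_state_is_encryption_on() (clientgen.c) has no header comment, and its SMB2+ branch returns false whenever cli->smb2.tcon is NULL, so a caller that asks before a tree connect exists is told "not encrypted" rather than "unknown". Both callers in this change pass a rootcli that presumably already has a tcon, but the contract should be written down above the definition: `/* True if the connection is encrypted: SMB1 unix-extension encryption, or (SMB2+) encryption on the current tree connect. Returns false before a tree connect exists. */`. The hunks in cli_resolve_path and smbc_option_get only swap the callee and need nothing further.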

@ -0,0 +1,141 @@
From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 317143f..7b07078 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
off_t startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
off_t startpos;
const char *data;
@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
goto out;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
off_t startpos;
@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (fsp->print_file == NULL) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);
--
1.9.1
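Review bot: The three new guards (reply_writeunlock, reply_write, reply_writeclose) compute `remaining = smbreq_bufrem(req, data)` with `data = req->buf + 3` (or `+ 1`) and only then compare numtowrite against it; if req->buflen is smaller than that offset, data already points past the request buffer and the check is only sound if smbreq_bufrem() clamps to 0 rather than subtracting a pointer difference larger than buflen — presumably it does, but that helper is not in this patch and should be confirmed. A short comment at the first guard, `/* smbreq_bufrem() yields 0 when data is past the end of req->buf */`, would record that assumption once verified. The same block is pasted three times with only the END_PROFILE label differing; a small static helper returning bool would keep the three copies from diverging. The reply_writebraw comment spells `guarenteed`. All touched functions continue outside their hunks.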

@ -0,0 +1,63 @@
From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 19 Sep 2017 16:11:33 -0700
Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyihan@360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/process.c | 7 ++++---
source3/smbd/reply.c | 5 +++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index b65ae2c1b1c..9b2b0a669a2 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078249b..81acedf0413 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
--
2.14.2.920.gcf0c67979c-goog
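Review bot: reply_tcon_and_X clears req->tid after TALLOC_FREE(tcon) but the hunk does not touch req->conn; since the process.c hunk shows conn being taken from tcon->compat, a req->conn that still refers to the freed tcon would be just as dangerous as the stale tid — confirm it is reset before this point (outside the hunk). The new comment says what is done but not why; `/* This tree id is gone. Clear it so a chained request cannot look up the freed tcon through req->tid. */` ties it to the smb_request_done fix. The blank line added after the smb1srv_tcon_lookup() call in process.c is stray. Both functions continue outside their hunks.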

@ -0,0 +1,45 @@
From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
2.14.2.920.gcf0c67979c-goog
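Review bot: The two new early returns in message_push_string leave *outbuf untouched after talloc_realloc() has already produced tmp, so if the reallocation moved the buffer the caller keeps a pointer to freed memory — the pre-existing `srvstr_push failed` return just above has the same shape, so this may be accepted behaviour, but how callers treat -1 is worth confirming. `grow_size < result` can only be true if srvstr_push() already wrote past the space it was given, so that return is a last-resort guard rather than a prevention; saying so in the comment, `/* result > grow_size means srvstr_push overran its limit; bail rather than memset with a wrapped length */`, keeps the next reader from relaxing it. message_push_string begins before the hunk.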

@ -0,0 +1,34 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 0633b5f..c3f0cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
{
NTSTATUS status;
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;
--
1.9.1
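Review bot: The refusal in is_known_pipename is logged at DEBUG level 1, which is above Samba's default log level of 0, so the rejection of a pipe name containing `/` — the one signal an operator would want when this fix is actually exercised — is silent unless logging is raised; either use level 0 (DBGLVL_ERR) for this line or document that detection requires `log level = 1`. The comment should also say why a slash is fatal here, hedged because the downstream use of pipename is outside this hunk: `/* A '/' in the pipe name is never legitimate and must not reach any path-based lookup below. */`. is_known_pipename continues past the hunk.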

@ -0,0 +1,20 @@
MIT Kerberos 5 Support
=======================
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
choice. The Samba build in Fedora is using MIT Kerberos implementation in order
to allow system-wide interoperability between both desktop and server
applications running on the same machine.
At the moment the Samba Active Directory Domain Controller implementation is
not available with MIT Kereberos. FreeIPA and Samba Team members are currently
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
distribution integration of Samba AD DC features.
We have just finished migrating the file server and all client utilities to MIT
Kerberos. The result of this work is available in samba-* packages in Fedora.
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
KDC will be ready.
In case of further questions do not hesitate to send your inquiries to
samba-owner@fedoraproject.org

@ -0,0 +1,29 @@
Downgrading Samba
=================
Short version: data-preserving downgrades between Samba versions are not supported
Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.
Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.
Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.
Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb
In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
DQw3KuAbWCKIgkHcy1zZr2o=
=bIg5
-----END PGP SIGNATURE-----

@ -0,0 +1,37 @@
From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 5 Jan 2017 09:34:36 +0100
Subject: [PATCH] replace: Include sysmacros.h
In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
historical compatibility, it is currently defined by <sys/types.h> as
well, but it is planned to remove this soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
---
lib/replace/replace.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index c69a069e4b3..1dbeacfff66 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -171,6 +171,10 @@
#include <sys/types.h>
#endif
+#ifdef HAVE_SYS_SYSMACROS_H
+#include <sys/sysmacros.h>
+#endif
+
#ifdef HAVE_SETPROCTITLE_H
#include <setproctitle.h>
#endif
--
2.12.0


@ -0,0 +1,39 @@
From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 20 Mar 2017 16:08:20 +0100
Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/cliconnect.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 029c3d4760e..93f873079db 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
0 /* no time correction for now */,
NULL);
if (ret != 0) {
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
- user_principal, target_hostname,
- error_message(ret)));
+ int dbglvl = DBGLVL_WARNING;
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ dbglvl = DBGLVL_ERR;
+ }
+
+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
+ user_principal, target_hostname,
+ error_message(ret)));
if (krb5_state == CRED_MUST_USE_KERBEROS) {
TALLOC_FREE(frame);
return krb5_to_nt_status(ret);
--
2.12.0
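Review bot: In cli_session_creds_prepare_krb5 the new level selection tests `krb5_state == CRED_MUST_USE_KERBEROS` and the unchanged line three statements later tests it again; the five-line block can be a single expression, `int dbglvl = (krb5_state == CRED_MUST_USE_KERBEROS) ? DBGLVL_ERR : DBGLVL_WARNING;`, or the DEBUG can move into the existing branch with a plain DEBUG(DBGLVL_WARNING, …) on the other path. The function continues outside the hunk.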

@ -0,0 +1,293 @@
From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:30:37 +0100
Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
The old behaviour is:
for var in $*
do
echo "$var"
done
And you get this:
$ sh test.sh 1 2 '3 4'
1
2
3
4
Changing it to:
for var in "$@"
do
echo "$var"
done
will correctly expand to:
$ sh test.sh 1 2 '3 4'
1
2
3 4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
---
testprogs/blackbox/subunit.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
index 0791d775d27..5c81ce20a11 100755
--- a/testprogs/blackbox/subunit.sh
+++ b/testprogs/blackbox/subunit.sh
@@ -78,7 +78,7 @@ subunit_skip_test () {
testit () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
@@ -93,7 +93,7 @@ testit () {
testit_expect_failure () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
--
2.12.0
From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:11:39 +0100
Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
---
lib/krb5_wrap/krb5_samba.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 10b42dec53f..fd8e4a96071 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
goto open_keytab;
}
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
return KRB5_KT_BADNAME;
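Review bot: The added message is prefixed with "ERROR:" but is emitted at warning level on a path that returns KRB5_KT_BADNAME, so the prefix and the level disagree; either `DBG_ERR("Invalid keytab name: %s\n", keytab_name_req);` or keep DBG_WARNING and drop the prefix. If keytab_name_req can be NULL on this path (the function begins outside the hunk, so the earlier checks are not visible here), passing it to `%s` is undefined behaviour and needs a guard or a `"(null)"` fallback.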
open_keytab:
--
2.12.0
From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:24:52 +0100
Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
---
source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
1 file changed, 57 insertions(+), 12 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 3c73b089bbb..96df10fcf65 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,6 +34,57 @@
#ifdef HAVE_ADS
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
+static krb5_error_code ads_keytab_open(krb5_context context,
+ krb5_keytab *keytab)
+{
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
+ const char *keytab_name = NULL;
+ krb5_error_code ret = 0;
+
+ switch (lp_kerberos_method()) {
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
+ ret = krb5_kt_default_name(context,
+ keytab_str,
+ sizeof(keytab_str) - 2);
+ if (ret != 0) {
+ DBG_WARNING("Failed to get default keytab name");
+ goto out;
+ }
+ keytab_name = keytab_str;
+ break;
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
+ keytab_name = lp_dedicated_keytab_file();
+ break;
+ default:
+ DBG_ERR("Invalid kerberos method set (%d)\n",
+ lp_kerberos_method());
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
+ DBG_ERR("Invalid keytab name\n");
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
+ if (ret != 0) {
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
/**********************************************************************
Adds a single service principal, i.e. 'host' to the system keytab
***********************************************************************/
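Review bot: The DBG_WARNING after krb5_kt_default_name fails lacks the trailing newline every other message in ads_keytab_open has and drops the krb5 error text; `DBG_WARNING("Failed to get default keytab name (%s)\n", error_message(ret));` matches the smb_krb5_kt_open failure branch below it. The `sizeof(keytab_str) - 2` passed as the buffer length is unexplained; either a comment stating why two bytes are held back, or plain `sizeof(keytab_str)` if there is no reason, would help the next reader. The comment above the fallback define names MAX_NAME_LEN, which is not the macro being defined; it presumably refers to krb5.h's MAX_KEYTAB_NAME_LEN and should say so.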
@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
return -1;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
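Review bot: The replaced call changes behaviour for the default configuration: smb_krb5_kt_open(context, NULL, ...) opened the default keytab for any setting, while ads_keytab_open's default branch logs at error level and returns KRB5_KT_BADNAME for KERBEROS_VERIFY_SECRETS. If ads_keytab_add_entry can be reached with 'kerberos method = secrets only' (its callers are outside this hunk), a previously successful open is now a logged error, so it is worth confirming that every caller is gated on the method. The hunks in ads_keytab_flush and ads_keytab_create_default carry the same consideration. ads_keytab_add_entry begins and ends outside the hunk.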
@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
return ret;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
"and update.\n"));
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto done;
}
--
2.12.0
From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:28:58 +0100
Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
---
lib/param/param_table.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4b5234a7c9e..9a944ef19b3 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
static const struct enum_list enum_kerberos_method[] = {
{KERBEROS_VERIFY_SECRETS, "default"},
{KERBEROS_VERIFY_SECRETS, "secrets only"},
+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
{-1, NULL}
};
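Review bot: The four new space-less spellings become accepted values of 'kerberos method', but nothing in the hunk records that or points to documentation; the smb.conf parameter description for kerberos method should list them as aliases, otherwise a reader of the manual cannot know that `--option=kerberosmethod=dedicatedkeytab` is valid. A one-line comment above the new rows, `/* aliases without spaces so the value can be passed via --option */`, would also explain why the table has duplicate entries.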
--
2.12.0
From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:34:05 +0100
Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and make sure we
will not regress in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
---
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 8e915cdcf1f..99b886f53eb 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+# Test with kerberos method = secrets and keytab
+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+rm -f $dedicated_keytab_file
+
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
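Review bot: The new test name `"join (decicated keytab)"` is misspelled and will appear that way in subunit output; it should be `"join (dedicated keytab)"`. The comment `# Test with kerberos method = secrets and keytab` does not match the options actually passed (`kerberosmethod=dedicatedkeytab`), so it should read `# Test with kerberos method = dedicated keytab`. `rm -f $dedicated_keytab_file` should quote the variable, `rm -f "$dedicated_keytab_file"`, in case PREFIX_ABS contains whitespace.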
--
2.12.0

@ -0,0 +1,245 @@
From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 May 2017 17:48:42 +0200
Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
COPY_FROM_DIRECTORY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
---
source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 16 deletions(-)
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 394a3e5..49be5d9 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
static uint32_t get_correct_cversion(struct auth_session_info *session_info,
const char *architecture,
const char *driverpath_in,
+ const char *driver_directory,
WERROR *perr)
{
int cversion = -1;
NTSTATUS nt_status;
struct smb_filename *smb_fname = NULL;
- char *driverpath = NULL;
files_struct *fsp = NULL;
connection_struct *conn = NULL;
char *oldcwd;
char *printdollar = NULL;
+ char *printdollar_path = NULL;
+ char *working_dir = NULL;
int printdollar_snum;
*perr = WERR_INVALID_PARAMETER;
@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
return -1;
}
+ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
+ if (printdollar_path == NULL) {
+ *perr = WERR_NOT_ENOUGH_MEMORY;
+ return -1;
+ }
+
+ working_dir = talloc_asprintf(talloc_tos(),
+ "%s/%s",
+ printdollar_path,
+ architecture);
+ /*
+ * If the driver has been uploaded into a temorpary driver
+ * directory, switch to the driver directory.
+ */
+ if (driver_directory != NULL) {
+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
+ printdollar_path,
+ architecture,
+ driver_directory);
+ }
+
nt_status = create_conn_struct_cwd(talloc_tos(),
server_event_context(),
server_messaging_context(),
&conn,
printdollar_snum,
- lp_path(talloc_tos(), printdollar_snum),
+ working_dir,
session_info, &oldcwd);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("get_correct_cversion: create_conn_struct "
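Review bot: working_dir is passed to create_conn_struct_cwd without a NULL check, although the removed driverpath code checked its talloc_asprintf result and set WERR_NOT_ENOUGH_MEMORY; the new code also allocates the two-component path unconditionally and then overwrites it when driver_directory is set. An if/else with a single NULL check after it, shown below, restores the check and avoids the dead allocation. Separately, driver_directory is joined into a filesystem path under print$ here; if it is client-supplied, the place where it is validated (for example as a bare GUID string without path separators) is not visible in this hunk and is worth confirming. The comment typo "temorpary" should read "temporary". get_correct_cversion continues past the hunk.
```c
	/*
	 * If the driver has been uploaded into a temporary driver
	 * directory, switch to the driver directory.
	 */
	if (driver_directory != NULL) {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
					      printdollar_path,
					      architecture,
					      driver_directory);
	} else {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s",
					      printdollar_path,
					      architecture);
	}
	if (working_dir == NULL) {
		*perr = WERR_NOT_ENOUGH_MEMORY;
		return -1;
	}
	/* … unchanged: create_conn_struct_cwd call … */
```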
@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
goto error_free_conn;
}
- /* Open the driver file (Portable Executable format) and determine the
- * deriver the cversion. */
- driverpath = talloc_asprintf(talloc_tos(),
- "%s/%s",
- architecture,
- driverpath_in);
- if (!driverpath) {
- *perr = WERR_NOT_ENOUGH_MEMORY;
- goto error_exit;
- }
-
- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
+ /*
+ * We switch to the directory where the driver files are located,
+ * so only work on the file names
+ */
+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
if (!NT_STATUS_IS_OK(nt_status)) {
*perr = ntstatus_to_werror(nt_status);
goto error_exit;
@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
* NT2K: cversion=3
*/
- *version = get_correct_cversion(session_info, short_architecture,
- *driver_path, &err);
+ *version = get_correct_cversion(session_info,
+ short_architecture,
+ *driver_path,
+ *driver_directory,
+ &err);
if (*version == -1) {
return err;
}
--
2.9.3
From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:11:25 +0200
Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
for 64bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
---
source4/torture/rpc/spoolss.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 409ba57..c4b7bf1 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
}
static bool test_driver_copy_from_directory(struct torture_context *tctx,
- struct dcerpc_pipe *p)
+ struct dcerpc_pipe *p,
+ const char *architecture)
{
struct torture_driver_context *d;
struct spoolss_StringArray *a;
@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d = talloc_zero(tctx, struct torture_driver_context);
torture_assert_not_null(tctx, d, "ENOMEM");
- d->local.environment =
- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
+ d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
d->local.driver_directory =
@@ -11208,6 +11208,12 @@ done:
return ok;
}
+static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
torture_rpc_tcase_add_test(tcase,
- "test_driver_copy_from_directory",
- test_driver_copy_from_directory);
+ "test_driver_copy_from_directory_64",
+ test_driver_copy_from_directory_64);
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
--
2.9.3
From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:12:02 +0200
Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
copy_from_directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
---
source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index c4b7bf1..e17ac6f 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
- d->local.driver_directory =
- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/x64");
+ } else {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/i386");
+ }
torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
d->remote.driver_upload_directory = GUID_string2(d, &guid);
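Review bot: The else branch maps every architecture other than x64 to the i386 driver directory, which is correct for the two wrappers that exist now but silently wrong for any further SPOOLSS_ARCHITECTURE_* value. Making the second case explicit, `} else if (strequal(architecture, SPOOLSS_ARCHITECTURE_NT_X86)) {`, with a final else that fails the test via torture_fail, would catch that at the point of failure. test_driver_copy_from_directory begins and ends outside the hunk.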
@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
}
+static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
"test_driver_copy_from_directory_64",
test_driver_copy_from_directory_64);
+ torture_rpc_tcase_add_test(tcase,
+ "test_driver_copy_from_directory_32",
+ test_driver_copy_from_directory_32);
+
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
--
2.9.3

@ -0,0 +1,211 @@
From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 14 Mar 2017 16:12:20 +0100
Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
---
source3/modules/vfs_expand_msdfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
index ffbfa333bad..e42d0098b32 100644
--- a/source3/modules/vfs_expand_msdfs.c
+++ b/source3/modules/vfs_expand_msdfs.c
@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
return NULL;
}
- targethost = read_target_host(
- ctx, raddr, mapfilename);
+ targethost = read_target_host(ctx, mapfilename, raddr);
if (targethost == NULL) {
DEBUG(1, ("Could not expand target host from file %s\n",
mapfilename));
--
2.12.0
From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 15:32:37 +0100
Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
get_referred_path()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
---
source3/modules/vfs_default.c | 2 ++
source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
source3/smbd/msdfs.c | 12 +++++++-----
source3/smbd/proto.h | 12 +++++++-----
4 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index e0b6125f7d8..dcae861103d 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
/* The following call can change cwd. */
status = get_referred_path(r, pathnamep,
+ handle->conn->sconn->remote_address,
+ handle->conn->sconn->local_address,
!handle->conn->sconn->using_smb2,
junction, &consumedcnt, &self_referral);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
index ab2af53c0ba..0a4d6d31b7c 100644
--- a/source3/rpc_server/dfs/srv_dfs_nt.c
+++ b/source3/rpc_server/dfs/srv_dfs_nt.c
@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
}
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status) ||
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 61538cec832..3cf82d3b430 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
**********************************************************************/
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- const char *dfs_path,
- bool allow_broken_path,
- struct junction_map *jucn,
- int *consumedcntp,
- bool *self_referralp)
+ const char *dfs_path,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ bool allow_broken_path,
+ struct junction_map *jucn,
+ int *consumedcntp,
+ bool *self_referralp)
{
struct connection_struct *conn;
char *targetpath = NULL;
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index c1b8201b472..e64457cf9e0 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
SMB_STRUCT_STAT *sbufp);
struct junction_map;
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- const char *dfs_path,
- bool allow_broken_path,
- struct junction_map *jucn,
- int *consumedcntp,
- bool *self_referralp);
+ const char *dfs_path,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ bool allow_broken_path,
+ struct junction_map *jucn,
+ int *consumedcntp,
+ bool *self_referralp);
int setup_dfs_referral(connection_struct *orig_conn,
const char *dfs_path,
int max_referral_level,
--
2.13.0
From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 15:45:34 +0100
Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
---
source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 3cf82d3b430..c25fb17cee8 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -31,6 +31,7 @@
#include "lib/param/loadparm.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_dfsblobs.h"
+#include "lib/tsocket/tsocket.h"
/**********************************************************************
Parse a DFS pathname of the form \hostname\service\reqpath
@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
return status;
}
+ /*
+ * TODO
+ *
+ * The remote and local address should be passed down to
+ * create_conn_struct_cwd.
+ */
+ if (conn->sconn->remote_address == NULL) {
+ conn->sconn->remote_address =
+ tsocket_address_copy(remote_address, conn->sconn);
+ if (conn->sconn->remote_address == NULL) {
+ TALLOC_FREE(pdp);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ if (conn->sconn->local_address == NULL) {
+ conn->sconn->local_address =
+ tsocket_address_copy(local_address, conn->sconn);
+ if (conn->sconn->local_address == NULL) {
+ TALLOC_FREE(pdp);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
/* If this is a DFS path dfs_lookup should return
* NT_STATUS_PATH_NOT_COVERED. */
--
2.13.0

@ -0,0 +1,74 @@
From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Aug 2017 18:14:23 +0200
Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
---
source3/libads/krb5_setpw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 630c2e46631..bc96ac603b1 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
ret = krb5_set_password(context,
&creds,
discard_const_p(char, newpw),
- princ,
+ NULL,
&result_code,
&result_code_string,
&result_string);
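Review bot: Passing NULL instead of princ changes which principal's password the request targets without a comment saying so; `NULL, /* change the password of the principal in creds */` would make the intent visible at the call. If princ is no longer referenced anywhere else in ads_krb5_chg_password (the function begins and ends outside the hunk), the variable and any parse/free calls for it should be removed to avoid an unused-variable warning. This is a one-line fix for a behavioural bug, so the commit message's bug reference is the only record of why; the comment carries that into the code.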
--
2.14.0
From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Aug 2017 12:14:34 +0200
Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
---
testprogs/blackbox/test_net_ads.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 99b886f53eb..bbd99b676bd 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
# Test with kerberos method = secrets and keytab
@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
rm -f $dedicated_keytab_file
--
2.14.0

@ -0,0 +1,194 @@
From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 17 Mar 2017 13:52:57 +0100
Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
information
This fixes the substitution for 'template homedir'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
---
source3/winbindd/wb_queryuser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index be4d3d3e665..69b4c8dad5a 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
NTSTATUS status;
const char *domain_name;
- status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
&state->info->primary_group_name);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
--
2.12.0
From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 Mar 2017 12:37:08 +0100
Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
---
selftest/target/Samba3.pm | 19 ++++++++++++++++++-
source3/script/tests/test_substitutions.sh | 9 +++++++--
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5b2c510224..1e053f12297 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -394,16 +394,33 @@ sub setup_admember($$$$)
$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
push(@dirs, $substitution_path);
+ # Using '/' as the winbind separator is a bad idea ...
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
+ push(@dirs, $substitution_path);
+
my $member_options = "
security = ads
workgroup = $dcvars->{DOMAIN}
realm = $dcvars->{REALM}
netbios aliases = foo bar
-[subDUG]
+[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
writeable = yes
+[sub_dug2]
+ path = $share_dir/D_%D/u_%u/g_%g
+ writeable = yes
+
";
my $ret = $self->provision($prefix,
diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
index 0852ad969f0..1a46f11c85d 100755
--- a/source3/script/tests/test_substitutions.sh
+++ b/source3/script/tests/test_substitutions.sh
@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
. $samba_srcdir/testprogs/blackbox/subunit.sh
. $samba_srcdir/testprogs/blackbox/common_test_fns.inc
-SMB_UNC="//$SERVER/subDUG"
+SMB_UNC="//$SERVER/sub_dug"
-test_smbclient "Test login to share with substitution" \
+test_smbclient "Test login to share with substitution (DUG)" \
+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
+SMB_UNC="//$SERVER/sub_dug2"
+
+test_smbclient "Test login to share with substitution (Dug)" \
"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
exit $failed
--
2.12.0
From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 17 Mar 2017 10:04:19 +0100
Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
---
nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
selftest/target/Samba3.pm | 1 +
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index cfe582df068..f9c040e5f43 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
# The full name (GECOS) is based on name (the RDN, in this case CN)
# and displayName in winbindd_ads, and is based only on displayName in
# winbindd_msrpc and winbindd_rpc. Allow both versions.
-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+if test "$TARGET" = "ad_member"; then
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
+else
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+fi
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
subunit_pass_test "$test_name"
else
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
failed=`expr $failed + 1`
fi
@@ -227,10 +232,10 @@ fi
test_name="confirm output of wbinfo --uid-info against $TARGET"
subunit_start_test "$test_name"
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
subunit_pass_test "$test_name"
else
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
failed=`expr $failed + 1`
fi
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1e053f12297..cb4970828a5 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -412,6 +412,7 @@ sub setup_admember($$$$)
workgroup = $dcvars->{DOMAIN}
realm = $dcvars->{REALM}
netbios aliases = foo bar
+ template homedir = /home/%D/%G/%U
[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
--
2.12.0

@ -0,0 +1,339 @@
From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 15 Mar 2017 17:04:30 +0000
Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
smb_bytes_pull_str()
This function needs to get the whole smb buffer in order to get
the alignment for unicode correct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
---
libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
libcli/smb/smb_util.h | 3 ++-
libcli/smb/util.c | 47 +++++++++++++++++++++++++++++---------------
3 files changed, 47 insertions(+), 31 deletions(-)
diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
index 9d92aa6aed4..11614df0ae4 100644
--- a/libcli/smb/smb1cli_session.c
+++ b/libcli/smb/smb1cli_session.c
@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
p = bytes;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
p = bytes;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_primary_domain,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
p += out_security_blob_length;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
index 7e6f0a4ebc4..2884786339d 100644
--- a/libcli/smb/smb_util.h
+++ b/libcli/smb/smb_util.h
@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
const uint8_t *bytes, size_t num_bytes);
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
const uint8_t *buf, size_t buf_len,
- size_t *pbuf_consumed);
+ const uint8_t *position,
+ size_t *_consumed);
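Review bot: The new `position` parameter is undocumented on the prototype, and its contract is not recoverable from the types alone: `buf`/`buf_len` must now describe the whole SMB bytes buffer, `position` must point inside it (no earlier than `buf`, no later than `buf + buf_len`), and `_consumed` counts the alignment pad plus the string bytes from `position` onward. A short Doxygen comment above the declaration stating that, and naming the NT_STATUS_INTERNAL_ERROR (position before buf) and NT_STATUS_BUFFER_TOO_SMALL (position or pad past buf_len) results the implementation returns, would let callers outside libcli/smb use it correctly without reading util.c.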
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
index ef8c9fafa35..7ef909c6077 100644
--- a/libcli/smb/util.c
+++ b/libcli/smb/util.c
@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
bool ucs2, bool align_odd,
const uint8_t *buf, size_t buf_len,
- size_t *pbuf_consumed)
+ const uint8_t *position,
+ size_t *p_consumed)
{
size_t pad = 0;
+ size_t offset;
char *str = NULL;
size_t str_len = 0;
bool ok;
*_str = NULL;
- if (pbuf_consumed != NULL) {
- *pbuf_consumed = 0;
+ if (p_consumed != NULL) {
+ *p_consumed = 0;
+ }
+
+ if (position < buf) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ offset = PTR_DIFF(position, buf);
+ if (offset > buf_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
if (ucs2 &&
- ((align_odd && (buf_len % 2 == 0)) ||
- (!align_odd && (buf_len % 2 == 1)))) {
- if (buf_len < 1) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
- pad = 1;
- buf_len -= pad;
- buf += pad;
+ ((align_odd && (offset % 2 == 0)) ||
+ (!align_odd && (offset % 2 == 1)))) {
+ pad += 1;
+ offset += 1;
+ }
+
+ if (offset > buf_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
+ buf_len -= offset;
+ buf += offset;
+
if (ucs2) {
buf_len = utf16_len_n(buf, buf_len);
} else {
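Review bot: The parity test in `if (ucs2 && ((align_odd && (offset % 2 == 0)) || ...` now uses the offset of `position` within the whole SMB buffer instead of the remaining length, which is the actual fix, but nothing in the code says why; a comment such as `/* UCS-2 strings are aligned relative to the start of the SMB buffer, so the pad depends on position's offset within buf, not on the remaining length */` would stop a later cleanup from reverting it. The `position < buf` comparison and `PTR_DIFF()` are only meaningful when `position` is derived from `buf`; the callers in this series pass `p` computed from `bytes`, so that precondition holds here but is enforced only by convention and deserves a line in the function header. The rest of internal_bytes_pull_str continues beyond this hunk.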
@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
return map_nt_error_from_unix_common(errno);
}
- if (pbuf_consumed != NULL) {
- *pbuf_consumed = buf_len + pad;
+ if (p_consumed != NULL) {
+ *p_consumed = buf_len + pad;
}
*_str = str;
- return NT_STATUS_OK;;
+ return NT_STATUS_OK;
}
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
const uint8_t *buf, size_t buf_len,
- size_t *_buf_consumed)
+ const uint8_t *position,
+ size_t *_consumed)
{
return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
- buf, buf_len, _buf_consumed);
+ buf, buf_len, position, _consumed);
}
--
2.13.1
From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 15 Mar 2017 17:04:44 +0000
Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
function
This function updates cli->server_{os,type,domain} to valid values
after a session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
---
source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 22 deletions(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index a2362ceb863..ef03da17eec 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
+ const char *native_os,
+ const char *native_lm,
+ const char *primary_domain)
+{
+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
+
+ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
+ cli->server_os = talloc_strdup(cli, native_os);
+ if (cli->server_os == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
+ cli->server_type = talloc_strdup(cli, native_lm);
+ if (cli->server_type == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
+ cli->server_domain = talloc_strdup(cli, primary_domain);
+ if (cli->server_domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+#undef _VALID_STRING
+ return NT_STATUS_OK;
+}
+
/********************************************************
Utility function to ensure we always return at least
a valid char * pointer to an empty string for the
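Review bot: `#undef _VALID_STRING` at the end of cli_state_update_after_sesssetup() does not match the macro defined as `_VALID_STR` at the top of the function, so the helper macro stays defined for the remainder of cliconnect.c; it should read `#undef _VALID_STR`. Identifiers beginning with an underscore followed by an uppercase letter are also reserved for the implementation in C, so a plain `VALID_STR` (or a `static inline bool` helper) avoids both problems. The helper's rule, namely that a field already holding a non-empty string is never overwritten and an empty server-supplied string is ignored, differs from the unconditional talloc_move it replaces and deserves a one-line comment above the function.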
@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
subreq, struct tevent_req);
struct cli_sesssetup_blob_state *state = tevent_req_data(
req, struct cli_sesssetup_blob_state);
- struct cli_state *cli = state->cli;
NTSTATUS status;
if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
- }
-
state->status = status;
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ NULL);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
if (state->blob.length != 0) {
/*
* More to send
@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
- }
- if (cli->server_domain == NULL) {
- cli->server_domain = talloc_move(cli, &state->out_primary_domain);
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ state->out_primary_domain);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
ok = smb1cli_conn_activate_signing(cli->conn,
@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
subreq, struct tevent_req);
struct cli_session_setup_creds_state *state = tevent_req_data(
req, struct cli_session_setup_creds_state);
- struct cli_state *cli = state->cli;
NTSTATUS status;
status = smb1cli_session_setup_lm21_recv(subreq, state,
@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ NULL);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
tevent_req_done(req);
--
2.13.1

@ -0,0 +1,162 @@
From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Jun 2017 14:50:33 +0200
Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
popt_common_credentials_post()
When we parse the username in the options handling, the smb.conf file
has not been loaded yet. So we are not aware of a 'winbind separator'
set in the config file.
We need to read and set the username again in the post-processing of the
credentials.
https://bugzilla.samba.org/show_bug.cgi?id=12849
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
---
source3/lib/popt_common.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 3589a4fbd2b..9928c708e89 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
void popt_common_credentials_post(void)
{
struct user_auth_info *auth_info = cmdline_auth_info;
+ const char *username = NULL;
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
!set_cmdline_auth_info_machine_account_creds(auth_info))
@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
}
set_cmdline_auth_info_getpass(auth_info);
+
+ /*
+ * When we set the username during the handling of the options passed to
+ * the binary we haven't loaded the config yet. This means that we
+ * didnn't take the 'winbind separator' into account.
+ *
+ * The username might contain the domain name and thus it hasn't been
+ * correctly parsed yet. If we have a username we need to set it again
+ * to run the string parser for the username correctly.
+ */
+ username = get_cmdline_auth_info_username(auth_info);
+ if (username != NULL && username[0] != '\0') {
+ set_cmdline_auth_info_username(auth_info, username);
+ }
}
static void popt_common_credentials_callback(poptContext con,
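Review bot: `username` is a pointer returned by get_cmdline_auth_info_username() on the same auth_info that is then handed straight back to set_cmdline_auth_info_username(); if the setter releases or rewrites the stored string before it has finished parsing its argument, the argument is dangling while being read. That cannot be confirmed from this hunk, so either verify the setter copies its input before touching its own state or pass a copy, e.g. `username = talloc_strdup(talloc_tos(), get_cmdline_auth_info_username(auth_info));` and free it after the call. The comment in the hunk has a typo, `didnn't`.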
--
2.13.1
From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Jun 2017 15:52:23 +0200
Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
---
source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
2 files changed, 63 insertions(+)
create mode 100755 source3/script/tests/test_smbclient_basic.sh
diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
new file mode 100755
index 00000000000..90e579b68e9
--- /dev/null
+++ b/source3/script/tests/test_smbclient_basic.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# this runs the file serving tests that are expected to pass with samba3 against shares with various options
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+smbclient="$5"
+CONFIGURATION="$6"
+shift 6
+ADDARGS="$@"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+test_smbclient() {
+ name="$1"
+ cmd="$2"
+ shift
+ shift
+ echo "test: $name"
+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+# TEST using \ as the separator (default)
+test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
+# TEST using / as the separator (default)
+test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
+
+# TEST using 'winbind separator = +'
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
+
+# TEST using 'winbind separator = +' set in a config file
+smbclient_config="$PREFIX/tmpsmbconf"
+cat > $smbclient_config <<EOF
+[global]
+ include = $(echo $CONFIGURATION | cut -d= -f2)
+ winbind separator = +
+EOF
+
+SAVE_CONFIGURATION="$CONFIGURATION"
+CONFIGURATION="--configfile=$smbclient_config"
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
+CONFIGURATION="$SAVE_CONFIGURATION"
+rm -rf $smbclient_config
+
+exit $failed
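Review bot: The usage text in test_smbclient_basic.sh lists DOMAIN as the third argument, but the script assigns `USERNAME="$3"`, `PASSWORD="$4"`, `smbclient="$5"`, `CONFIGURATION="$6"` and never sets DOMAIN from its arguments, while the guard `if [ $# -lt 5 ]` accepts one argument fewer than `shift 6` needs. The tests.py hunk below passes six arguments and no domain, so `$DOMAIN` (and `$PREFIX`, used for the temporary config path) is taken from the environment; the usage line should match, e.g. `Usage: test_smbclient_basic.sh SERVER SERVER_IP USERNAME PASSWORD SMBCLIENT CONFIGURATION <smbclient arguments>` with `if [ $# -lt 6 ]; then`. `rm -rf $smbclient_config` on a single regular file can be `rm -f`.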
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index dfe7866b283..d3cb071b903 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
env = "nt4_dc"
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
--
2.13.1

@ -0,0 +1,227 @@
From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 09:57:30 +0100
Subject: [PATCH 1/2] s3:libads: Remove obsolete
smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
---
source3/libads/kerberos.c | 169 ----------------------------------------------
1 file changed, 169 deletions(-)
Index: samba-4.6.2/source3/libads/kerberos.c
===================================================================
--- samba-4.6.2.orig/source3/libads/kerberos.c
+++ samba-4.6.2/source3/libads/kerberos.c
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
return 0;
}
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
- DATA_BLOB *edata,
- DATA_BLOB *edata_out)
-{
- DATA_BLOB edata_contents;
- ASN1_DATA *data;
- int edata_type;
-
- if (!edata->length) {
- return false;
- }
-
- data = asn1_init(mem_ctx);
- if (data == NULL) {
- return false;
- }
-
- if (!asn1_load(data, *edata)) goto err;
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
- if (!asn1_read_Integer(data, &edata_type)) goto err;
-
- if (edata_type != KRB5_PADATA_PW_SALT) {
- DEBUG(0,("edata is not of required type %d but of type %d\n",
- KRB5_PADATA_PW_SALT, edata_type));
- goto err;
- }
-
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- asn1_free(data);
-
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
- data_blob_free(&edata_contents);
-
- return true;
-
- err:
-
- asn1_free(data);
- return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
- NTSTATUS *nt_status)
-{
- DATA_BLOB edata;
- DATA_BLOB unwrapped_edata;
- TALLOC_CTX *mem_ctx;
- struct KRB5_EDATA_NTSTATUS parsed_edata;
- enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- edata = data_blob(error->e_data->data, error->e_data->length);
-#else
- edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
- dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
- if (mem_ctx == NULL) {
- data_blob_free(&edata);
- return False;
- }
-
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
- data_blob_free(&edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&edata);
-
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- data_blob_free(&unwrapped_edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&unwrapped_edata);
-
- if (nt_status) {
- *nt_status = parsed_edata.ntstatus;
- }
-
- TALLOC_FREE(mem_ctx);
-
- return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
- krb5_principal client,
- krb5_get_init_creds_opt *opt,
- NTSTATUS *nt_status)
-{
- krb5_init_creds_context icc;
- krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- /* HEIMDAL */
- krb5_error error;
-#else
- krb5_error *error = NULL;
-#endif
- bool ok;
-
- code = krb5_init_creds_init(ctx,
- client,
- NULL,
- NULL,
- 0,
- opt,
- &icc);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
- error_message(code));
- return false;
- }
-
- code = krb5_init_creds_get_error(ctx,
- icc,
- &error);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
- error_message(code));
- return false;
- }
- krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
- krb5_free_error_contents(ctx, &error);
-#else
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
- krb5_free_error(ctx, error);
-#endif
-
- return ok;
-}
-
/*
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
}
out:
if (ntstatus) {
-
- NTSTATUS status;
-
/* fast path */
if (code == 0) {
*ntstatus = NT_STATUS_OK;
goto cleanup;
}
- /* try to get ntstatus code out of krb5_error when we have it
- * inside the krb5_get_init_creds_opt - gd */
-
- if (opt != NULL) {
- bool ok;
-
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
- me,
- opt,
- &status);
- if (ok) {
- *ntstatus = status;
- goto cleanup;
- }
- }
-
/* fall back to self-made-mapping */
*ntstatus = krb5_to_nt_status(code);
}
Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
===================================================================
--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
rm -f $KRB5CCNAME_PATH
exit $failed

@ -0,0 +1,76 @@
From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 20 Jun 2017 10:27:07 +0200
Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
index 8c764f77b08..b0bf6784ba6 100644
--- a/source3/winbindd/wb_getpwsid.c
+++ b/source3/winbindd/wb_getpwsid.c
@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
req, struct wb_getpwsid_state);
struct winbindd_pw *pw = state->pw;
struct wbint_userinfo *info;
+ struct winbindd_domain *domain = NULL;
fstring acct_name, output_username;
+ char *mapped_name = NULL;
char *tmp;
NTSTATUS status;
@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
return;
}
- fill_domain_username(output_username, info->domain_name,
- acct_name, true);
+ domain = find_domain_from_name_noinit(info->domain_name);
+ if (tevent_req_nomem(domain, req)) {
+ return;
+ }
+
+ /*
+ * TODO:
+ * This function should be called in 'idmap winbind child'. It shouldn't
+ * be a blocking call, but for this we need to add a new function for
+ * winbind.idl. This is a fix which can be backported for now.
+ */
+ status = normalize_name_map(state,
+ domain,
+ acct_name,
+ &mapped_name);
+ if (NT_STATUS_IS_OK(status)) {
+ fill_domain_username(output_username,
+ info->domain_name,
+ mapped_name, true);
+ fstrcpy(acct_name, mapped_name);
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(acct_name, mapped_name);
+ } else {
+ fill_domain_username(output_username,
+ info->domain_name,
+ acct_name, true);
+ }
+
strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
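Review bot: In the `NT_STATUS_FILE_RENAMED` branch only `acct_name` is updated and `output_username` is never written, yet `strlcpy(pw->pw_name, output_username, ...)` follows immediately; unless something before this hunk already filled that fstring, pw_name is copied from uninitialised stack memory for alias-mapped users. If such names are meant to be returned without the domain prefix, add `fstrcpy(output_username, mapped_name);` to that branch, otherwise route it through fill_domain_username() like the other two branches. `tevent_req_nomem(domain, req)` also reports an unknown domain as NT_STATUS_NO_MEMORY, which misleads anyone reading the winbindd log; a lookup failure deserves its own status such as NT_STATUS_NO_SUCH_DOMAIN. The function begins and ends outside this hunk.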
@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
TALLOC_FREE(tmp);
tmp = talloc_sub_specified(
- state, info->shell, info->acct_name,
+ state, info->shell, acct_name,
info->primary_group_name, info->domain_name,
pw->pw_uid, pw->pw_gid);
if (tevent_req_nomem(tmp, req)) {
--
2.13.1

@ -0,0 +1,54 @@
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
Author: Andreas Schneider <asn@samba.org>
Date: Wed Dec 21 22:17:22 2016 +0100
auth/credentials: Always set the the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0e68012..1912c48 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained,
const char **error_string)
{
-
+ bool ok;
+ char *realm;
krb5_principal princ;
krb5_error_code ret;
char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return ret;
}
- cli_credentials_set_principal(cred, name, obtained);
-
+ ok = cli_credentials_set_principal(cred, name, obtained);
+ if (!ok) {
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ return ENOMEM;
+ }
free(name);
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+ princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ if (realm == NULL) {
+ return ENOMEM;
+ }
+ ok = cli_credentials_set_realm(cred, realm, obtained);
+ SAFE_FREE(realm);
+ if (!ok) {
+ return ENOMEM;
+ }
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
cred->ccache_obtained = obtained;
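Review bot: The new failure path after `cli_credentials_set_principal()` frees `princ` but not `name`, which the success path releases with `free(name)` two lines later, so the unparsed principal string leaks whenever set_principal fails. Add `free(name);` before the `return ENOMEM;` in that block. A short comment above the realm block explaining why the realm is always re-derived from the ccache principal (the gensec_gssapi_client_start() case from the commit message) would also help the next reader, since the earlier code deliberately left it alone.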

@ -0,0 +1,391 @@
From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:08:46 +0200
Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
---
source3/include/proto.h | 3 ++-
source3/libsmb/passchange.c | 5 +++--
source3/utils/smbpasswd.c | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index baa579995a5..9deb27b416b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
/* The following definitions come from libsmb/passchange.c */
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str);
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index c89b7ca85d1..48ffba8036f 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -30,7 +30,8 @@
Change a password on a remote machine using IPC calls.
*************************************************************/
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str)
{
@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
creds = cli_session_creds_init(cli,
user_name,
- NULL, /* domain */
+ domain,
NULL, /* realm */
old_passwd,
false, /* use_kerberos */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 437a5e551bb..4d7a3c739bc 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
fprintf(stderr, "Invalid remote operation!\n");
return NT_STATUS_UNSUCCESSFUL;
}
- ret = remote_password_change(remote_mach, username,
+ ret = remote_password_change(remote_mach,
+ NULL, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
--
2.14.1
From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:10:06 +0200
Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
---
source3/include/proto.h | 7 -------
source3/libsmb/proto.h | 10 ++++++++++
source3/utils/smbpasswd.c | 1 +
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 9deb27b416b..67e1a9d750e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
fstring srv_name,
struct sockaddr_storage *ss_out);
-/* The following definitions come from libsmb/passchange.c */
-
-NTSTATUS remote_password_change(const char *remote_machine,
- const char *domain, const char *user_name,
- const char *old_passwd, const char *new_passwd,
- char **err_str);
-
/* The following definitions come from libsmb/smberr.c */
const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index a583a8ee159..44f4d04cff5 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -31,6 +31,9 @@
struct smb_trans_enc_state;
struct cli_credentials;
+struct cli_state;
+struct file_info;
+struct print_job_info;
/* The following definitions come from libsmb/cliconnect.c */
@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
TALLOC_CTX *mem_ctx, char **psubstitute_name,
char **pprint_name, uint32_t *pflags);
+/* The following definitions come from libsmb/passchange.c */
+
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
+ const char *old_passwd, const char *new_passwd,
+ char **err_str);
+
#endif /* _LIBSMB_PROTO_H_ */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 4d7a3c739bc..6eb2deb7a3b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -21,6 +21,7 @@
#include "secrets.h"
#include "../librpc/gen_ndr/samr.h"
#include "../lib/util/util_pw.h"
+#include "libsmb/proto.h"
#include "passdb.h"
/*
--
2.14.1
From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:13:15 +0200
Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
---
source3/utils/smbpasswd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 6eb2deb7a3b..b0e08cc0e58 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
Change a password either locally or remotely.
*************************************************************/
-static NTSTATUS password_change(const char *remote_mach, char *username,
- char *old_passwd, char *new_pw,
+static NTSTATUS password_change(const char *remote_mach,
+ const char *username,
+ const char *old_passwd, const char *new_pw,
int local_flags)
{
NTSTATUS ret;
--
2.14.1
From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:14:57 +0200
Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
---
source3/utils/smbpasswd.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index b0e08cc0e58..92712e38f6b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
*************************************************************/
static NTSTATUS password_change(const char *remote_mach,
- const char *username,
+ const char *domain, const char *username,
const char *old_passwd, const char *new_pw,
int local_flags)
{
@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
return NT_STATUS_UNSUCCESSFUL;
}
ret = remote_password_change(remote_mach,
- NULL, username,
+ domain, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
@@ -466,7 +466,8 @@ static int process_root(int local_flags)
}
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
old_passwd, new_passwd,
local_flags))) {
result = 1;
@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
exit(1);
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
- new_pw, 0))) {
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
+ old_pw, new_pw, 0))) {
result = 1;
goto done;
}
--
2.14.1
From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:17:08 +0200
Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
in smbpasswd
If a local user wants to change his password using smbpasswd and the
machine is a domain member, we need to make sure we authenticate against
our SAM and not ask winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
---
source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 92712e38f6b..556e6869da7 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -58,7 +58,7 @@ static void usage(void)
printf(" -c smb.conf file Use the given path to the smb.conf file\n");
printf(" -D LEVEL debug level\n");
printf(" -r MACHINE remote machine\n");
- printf(" -U USER remote username\n");
+ printf(" -U USER remote username (e.g. SAM/user)\n");
printf("extra options when run by root or in local mode:\n");
printf(" -a add user\n");
@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
user_name[0] = '\0';
- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
+ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
switch(ch) {
case 'L':
if (getuid() != 0) {
@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
int result = 0;
char *old_pw = NULL;
char *new_pw = NULL;
+ const char *username = user_name;
+ const char *domain = NULL;
+ char *p = NULL;
if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
/* Extra flags that we can't honor non-root */
@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
}
}
+ /* Allow domain as part of the username */
+ if ((p = strchr_m(user_name, '\\')) ||
+ (p = strchr_m(user_name, '/')) ||
+ (p = strchr_m(user_name, *lp_winbind_separator()))) {
+ *p = '\0';
+ username = p + 1;
+ domain = user_name;
+ }
+
/*
* A non-root user is always setting a password
* via a remote machine (even if that machine is
@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
load_interfaces(); /* Delayed from main() */
- if (remote_machine == NULL) {
+ if (remote_machine != NULL) {
+ if (!is_ipaddress(remote_machine)) {
+ domain = remote_machine;
+ }
+ } else {
remote_machine = "127.0.0.1";
+
+ /*
+ * If we deal with a local user, change the password for the
+ * user in our SAM.
+ */
+ domain = get_global_sam_name();
}
if (remote_machine != NULL) {
@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
}
if (!NT_STATUS_IS_OK(password_change(remote_machine,
- NULL, user_name,
+ domain, username,
old_pw, new_pw, 0))) {
result = 1;
goto done;
}
- printf("Password changed for user %s\n", user_name);
+ printf("Password changed for user %s\n", username);
done:
SAFE_FREE(old_pw);
--
2.14.1
From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 22 Aug 2017 15:46:07 +0200
Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Review with: git show -U20
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
---
source3/utils/smbpasswd.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 556e6869da7..fb7ad283995 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
domain = get_global_sam_name();
}
- if (remote_machine != NULL) {
- old_pw = get_pass("Old SMB password:",stdin_passwd_get);
- if (old_pw == NULL) {
- fprintf(stderr, "Unable to get old password.\n");
- exit(1);
- }
+ old_pw = get_pass("Old SMB password:",stdin_passwd_get);
+ if (old_pw == NULL) {
+ fprintf(stderr, "Unable to get old password.\n");
+ exit(1);
}
if (!new_passwd) {
--
2.14.1

@ -0,0 +1,53 @@
From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 30 May 2017 16:30:33 +0200
Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
FSCTL_VALIDATE_NEGOTIATE_INFO
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
---
libcli/smb/smbXcli_base.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a7b24f01497..593edf9ce78 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
tevent_req_done(req);
return;
}
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ /*
+ * The response was signed, but not supported
+ *
+ * This might be returned by older Windows versions or by
+ * NetApp SMB server implementations.
+ *
+ * See
+ *
+ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
+ *
+ */
+ tevent_req_done(req);
+ return;
+ }
if (tevent_req_nterror(req, status)) {
return;
}
--
2.13.1.518.g3df882009-goog
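Review bot: Treating NT_STATUS_NOT_SUPPORTED as success in smb2cli_validate_negotiate_info_done makes the dialect-downgrade check a no-op for any server that answers that way, so it is only safe because the response was presumably already verified as signed earlier in the function; that check is outside this hunk and the new comment merely asserts it. The comment should name the signing check it depends on, and the silent acceptance deserves a log line so a negotiation that was never validated is visible, e.g. `DEBUG(5, ("FSCTL_VALIDATE_NEGOTIATE_INFO not supported by server, response signed, skipping validation\n"));` placed before `tevent_req_done(req);`. The enclosing function starts outside the hunk.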

@ -0,0 +1,543 @@
From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 17:08:09 +0200
Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
---
wscript_configure_system_mitkrb5 | 1 +
1 file changed, 1 insertion(+)
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 06a9821..d3e8ebf 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
gsskrb5_extract_authz_data_from_sec_context
gss_krb5_export_lucid_sec_context
gss_import_cred gss_export_cred
+ gss_acquire_cred_from
''', 'gssapi gssapi_krb5')
conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
--
2.9.3
From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:14:57 +0200
Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
Wrap gss_krb5_import_cred() to allow re-implementing it with
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
works fine with GSSAPI interposer (GSS-proxy) while
gss_krb5_import_cred() is not interposed yet.
The wrapper has additional parameter, krb5_context handle, to facilitate
with credentials cache name discovery. All our callers to
gss_krb5_import_cred() already have krb5 context handy.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
---
lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
lib/krb5_wrap/gss_samba.h | 13 +++++
2 files changed, 134 insertions(+)
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index b444633..757ffc5 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
}
#endif /* !HAVE_GSS_OID_EQUAL */
+
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve ccache name.
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+ krb5_ccache id, krb5_principal keytab_principal,
+ krb5_keytab keytab, gss_cred_id_t *cred)
+{
+ uint32_t major_status = 0;
+
+#if HAVE_GSS_ACQUIRE_CRED_FROM
+ uint32_t minor = 0;
+ gss_key_value_element_desc ccache_element = {
+ .key = "ccache",
+ .value = NULL,
+ };
+
+ gss_key_value_element_desc keytab_element = {
+ .key = "keytab",
+ .value = NULL,
+ };
+
+ gss_key_value_element_desc elements[2];
+
+ gss_key_value_set_desc cred_store = {
+ .elements = &ccache_element,
+ .count = 1,
+ };
+
+ gss_OID_set mech_set = GSS_C_NO_OID_SET;
+ gss_cred_usage_t cred_usage = GSS_C_INITIATE;
+ gss_name_t name = NULL;
+ gss_buffer_desc pr_name = {
+ .value = NULL,
+ .length = 0,
+ };
+
+ if (id != NULL) {
+ major_status = krb5_cc_get_full_name(ctx,
+ id,
+ discard_const(&ccache_element.value));
+ if (major_status != 0) {
+ return major_status;
+ }
+ }
+
+ if (keytab != NULL) {
+ keytab_element.value = malloc(4096);
+ if (!keytab_element.value) {
+ return ENOMEM;
+ }
+ major_status = krb5_kt_get_name(ctx,
+ keytab,
+ discard_const(keytab_element.value), 4096);
+ if (major_status != 0) {
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ cred_usage = GSS_C_ACCEPT;
+ cred_store.elements = &keytab_element;
+
+ if (keytab_principal != NULL) {
+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
+ if (major_status != 0) {
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ pr_name.length = strlen(pr_name.value);
+
+ major_status = gss_import_name(minor_status,
+ &pr_name,
+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
+ &name);
+ if (major_status != 0) {
+ krb5_free_unparsed_name(ctx, pr_name.value);
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ }
+ }
+
+ if (id != NULL && keytab != NULL) {
+ elements[0] = ccache_element;
+ elements[1] = keytab_element;
+
+ cred_store.elements = elements;
+ cred_store.count = 2;
+ cred_usage = GSS_C_BOTH;
+ }
+
+ major_status = gss_acquire_cred_from(minor_status,
+ name,
+ 0,
+ mech_set,
+ cred_usage,
+ &cred_store,
+ cred,
+ NULL,
+ NULL);
+
+ if (pr_name.value != NULL) {
+ (void)gss_release_name(&minor, &name);
+ krb5_free_unparsed_name(ctx, pr_name.value);
+ }
+ if (keytab_element.value != NULL) {
+ free(discard_const(keytab_element.value));
+ }
+ krb5_free_string(ctx, discard_const(ccache_element.value));
+#else
+ major_status = gss_krb5_import_cred(minor_status,
+ id,
+ keytab_principal,
+ keytab, cred);
+#endif
+ return major_status;
+}
+
+
#endif /* HAVE_GSSAPI */
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
index 5319932..89aee34 100644
--- a/lib/krb5_wrap/gss_samba.h
+++ b/lib/krb5_wrap/gss_samba.h
@@ -25,6 +25,7 @@
#ifdef HAVE_GSSAPI
#include "system/gssapi.h"
+#include "krb5_samba.h"
#if defined(HAVE_GSS_OID_EQUAL)
#define smb_gss_oid_equal gss_oid_equal
@@ -32,5 +33,17 @@
int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
#endif /* HAVE_GSS_OID_EQUAL */
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve the ccache name for
+ * gss_acquire_cred_from().
+ *
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
+ krb5_ccache id, krb5_principal keytab_principal,
+ krb5_keytab keytab, gss_cred_id_t *cred);
+
#endif /* HAVE_GSSAPI */
#endif /* _GSS_SAMBA_H */
--
2.9.3
From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:57:13 +0200
Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
---
auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e974df9..0e68012 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+ ccache->ccache, NULL, NULL,
+ &gcc->creds);
if ((maj_stat == GSS_S_FAILURE) &&
(min_stat == (OM_uint32)KRB5_CC_END ||
min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+ ccache->ccache, NULL, NULL,
+ &gcc->creds);
}
@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
} else {
ret = EINVAL;
}
- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
return ret;
}
@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
if (ktc->password_based || obtained < CRED_SPECIFIED) {
/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+ NULL, NULL, ktc->keytab,
+ &gcc->creds);
} else {
/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+ NULL, princ, ktc->keytab,
+ &gcc->creds);
}
if (maj_stat) {
if (min_stat) {
--
2.9.3
From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:57:50 +0200
Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
---
source3/libads/sasl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 8570788..30127fa 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
goto done;
}
- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
if (maj != GSS_S_COMPLETE) {
status = ADS_ERROR_GSS(maj, min);
goto done;
--
2.9.3
From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:58:14 +0200
Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
---
source3/librpc/crypto/gse.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index abf20bc..f4238f3 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
- gss_maj = gss_krb5_import_cred(&gss_min,
- gse_ctx->ccache,
- NULL, /* keytab_principal */
- NULL, /* keytab */
- &gse_ctx->creds);
+ gss_maj = smb_gss_krb5_import_cred(&gss_min,
+ gse_ctx->k5ctx,
+ gse_ctx->ccache,
+ NULL, /* keytab_principal */
+ NULL, /* keytab */
+ &gse_ctx->creds);
if (gss_maj) {
char *ccache = NULL;
int kret;
@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
ccache = NULL;
}
- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
"the caller may retry after a kinit.\n",
ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
SAFE_FREE(ccache);
@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
}
/* This creates a GSSAPI cred_id_t with the keytab set */
- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
- &gse_ctx->creds);
+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
+ NULL, NULL, gse_ctx->keytab,
+ &gse_ctx->creds);
if (gss_maj != 0
&& gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
--
2.9.3
From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 8 Mar 2017 12:38:49 +0200
Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
code use of krb5 mech when calling to gss_acquire_cred.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
---
lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
source3/librpc/crypto/gse.c | 49 +--------------------------------------------
2 files changed, 44 insertions(+), 51 deletions(-)
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index 757ffc5..9e5ad4a 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
krb5_free_string(ctx, discard_const(ccache_element.value));
#else
major_status = gss_krb5_import_cred(minor_status,
- id,
- keytab_principal,
- keytab, cred);
+ id,
+ keytab_principal,
+ keytab, cred);
+
+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+ if ((keytab_principal == NULL) && (keytab != NULL)) {
+ /* No principal was specified and MIT krb5 1.9 version failed.
+ * We have to fall back to set global acceptor identity */
+ gss_OID_set_desc mech_set;
+ char *kt_name = NULL;
+
+ kt_name = malloc(4096);
+ if (!kt_name) {
+ return ENOMEM;
+ }
+
+ major_status = krb5_kt_get_name(ctx,
+ keytab,
+ kt_name, 4096);
+ if (major_status != 0) {
+ free(kt_name);
+ return major_status;
+ }
+
+ major_status = gsskrb5_register_acceptor_identity(kt_name);
+ if (major_status) {
+ free(kt_name);
+ return major_status;
+ }
+
+ /* We are dealing with krb5 GSSAPI mech in this fallback */
+ mech_set.count = 1;
+ mech_set.elements = gss_mech_krb5;
+ major_status = gss_acquire_cred(minor_status,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &mech_set,
+ GSS_C_ACCEPT,
+ cred,
+ NULL, NULL);
+ free(kt_name);
+ }
+ }
#endif
return major_status;
}
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index f4238f3..a111320 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
NULL, NULL, gse_ctx->keytab,
&gse_ctx->creds);
- if (gss_maj != 0
- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+ if (gss_maj != 0) {
DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
-
- /* This is the error the MIT krb5 1.9 gives when it
- * implements the function, but we do not specify the
- * principal. However, when we specify the principal
- * as host$@REALM the GSS acceptor fails with 'wrong
- * principal in request'. Work around the issue by
- * falling back to the alternate approach below. */
- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
- /* FIXME!!!
- * This call sets the default keytab for the whole server, not
- * just for this context. Need to find a way that does not alter
- * the state of the whole server ... */
- {
- const char *ktname;
- gss_OID_set_desc mech_set;
-
- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
- gse_ctx->keytab, &ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- ret = gsskrb5_register_acceptor_identity(ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mech_set,
- GSS_C_ACCEPT,
- &gse_ctx->creds,
- NULL, NULL);
-
- if (gss_maj) {
- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
}
status = NT_STATUS_OK;
--
2.9.3
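Review bot: In smb_gss_krb5_import_cred (first hunk of lib/krb5_wrap/gss_samba.c) every early return inside the `keytab != NULL` branch — the ENOMEM return, the krb5_kt_get_name failure, and both failures under `keytab_principal != NULL` — leaves `ccache_element.value` from krb5_cc_get_full_name unreleased, so a caller passing both a ccache and a keytab leaks that string on each of those paths. One cleanup label reached from every error path fixes that and also removes the repeated free() of `keytab_element.value`; the rewritten error paths are below. The function also passes raw krb5/errno codes (ENOMEM, krb5_kt_get_name results) back through a value its callers treat as a GSS major status, which gse_errstr() at the gse.c call sites will then misdescribe, so that contract deserves a line in the function comment. Likewise the fallback added in the last gss_samba.c hunk calls gsskrb5_register_acceptor_identity(), whose process-wide effect the removed gse.c FIXME documented and the wrapper no longer mentions; that caveat should move into the wrapper, e.g. `/* NOTE: gsskrb5_register_acceptor_identity() changes the default acceptor keytab for the whole process, not just this credential. */`.
```c
	/* … unchanged: element/cred_store setup and krb5_cc_get_full_name() … */
	if (keytab != NULL) {
		keytab_element.value = malloc(4096);
		if (!keytab_element.value) {
			major_status = ENOMEM;
			goto done;
		}
		major_status = krb5_kt_get_name(ctx,
						keytab,
						discard_const(keytab_element.value), 4096);
		if (major_status != 0) {
			goto done;
		}
		/* … unchanged: cred_usage / cred_store for the keytab … */
		if (keytab_principal != NULL) {
			major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
			if (major_status != 0) {
				goto done;
			}
			/* … unchanged: pr_name.length and gss_import_name() … */
			if (major_status != 0) {
				goto done;
			}
		}
	}
	/* … unchanged: elements[] merge and gss_acquire_cred_from() … */
done:
	if (name != NULL) {
		(void)gss_release_name(&minor, &name);
	}
	if (pr_name.value != NULL) {
		krb5_free_unparsed_name(ctx, pr_name.value);
	}
	free(discard_const(keytab_element.value));
	krb5_free_string(ctx, discard_const(ccache_element.value));
```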

@ -0,0 +1,179 @@
From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 10 Mar 2017 16:20:06 +0200
Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.
Current Samba Python code relies on Python runtime to provide RC4
cipher. However, in FIPS 140-2 mode system crypto libraries do not
provide access RC4 cipher at all. According to Microsoft dochelp team,
Windows is treating AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, thus doing application-level encryption.
Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
---
lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
lib/crypto/wscript_build | 7 ++++
python/samba/__init__.py | 16 ++-------
3 files changed, 99 insertions(+), 14 deletions(-)
create mode 100644 lib/crypto/py_crypto.c
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
new file mode 100644
index 0000000..bf7f9f4
--- /dev/null
+++ b/lib/crypto/py_crypto.c
@@ -0,0 +1,90 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba crypto functions
+
+ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "includes.h"
+#include "python/py3compat.h"
+#include "lib/crypto/arcfour.h"
+
+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+ DATA_BLOB data, key;
+ PyObject *py_data, *py_key, *result;
+ TALLOC_CTX *ctx;
+
+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
+ return NULL;
+
+ if (!PyBytes_Check(py_data)) {
+ PyErr_Format(PyExc_TypeError, "bytes expected");
+ return NULL;
+ }
+
+ if (!PyBytes_Check(py_key)) {
+ PyErr_Format(PyExc_TypeError, "bytes expected");
+ return NULL;
+ }
+
+ ctx = talloc_new(NULL);
+
+ data.length = PyBytes_Size(py_data);
+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
+ if (!data.data) {
+ talloc_free(ctx);
+ return PyErr_NoMemory();
+ }
+
+ key.data = (uint8_t *)PyBytes_AsString(py_key);
+ key.length = PyBytes_Size(py_key);
+
+ arcfour_crypt_blob(data.data, data.length, &key);
+
+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
+ talloc_free(ctx);
+ return result;
+}
+
+
+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
+ "Encrypt the data with RC4 algorithm using the key";
+
+static PyMethodDef py_crypto_methods[] = {
+ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
+ { NULL },
+};
+
+static struct PyModuleDef moduledef = {
+ PyModuleDef_HEAD_INIT,
+ .m_name = "crypto",
+ .m_doc = "Crypto functions required for SMB",
+ .m_size = -1,
+ .m_methods = py_crypto_methods,
+};
+
+MODULE_INIT_FUNC(crypto)
+{
+ PyObject *m;
+
+ m = PyModule_Create(&moduledef);
+ if (m == NULL)
+ return NULL;
+
+ return m;
+}
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 7f94532..d1f152e 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
autoproto='test_proto.h',
deps='LIBCRYPTO'
)
+
+for env in bld.gen_python_environments():
+ bld.SAMBA_PYTHON('python_crypto',
+ source='py_crypto.c',
+ deps='LIBCRYPTO',
+ realname='samba/crypto.so'
+ )
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 19d5e38..fa4244a 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -371,20 +371,8 @@ def string_to_byte_array(string):
return blob
def arcfour_encrypt(key, data):
- try:
- from Crypto.Cipher import ARC4
- c = ARC4.new(key)
- return c.encrypt(data)
- except ImportError as e:
- pass
- try:
- from M2Crypto.RC4 import RC4
- c = RC4(key)
- return c.update(data)
- except ImportError as e:
- pass
- raise Exception("arcfour_encrypt() requires " +
- "python*-crypto or python*-m2crypto or m2crypto")
+ from samba.crypto import arcfour_crypt_blob
+ return arcfour_crypt_blob(data, key)
import _glue
version = _glue.version
--
2.9.3
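Review bot: `ctx = talloc_new(NULL);` in py_crypto_arcfour_crypt_blob is never checked, so on allocation failure the following talloc_memdup becomes a top-level allocation that the closing `talloc_free(ctx)` (a no-op on NULL) never releases; add `if (ctx == NULL) { return PyErr_NoMemory(); }` directly after it. Given the commit message says this module protects trusted-domain credentials, a zero-length key should be rejected before the cipher sees it — `if (key.length == 0) { PyErr_SetString(PyExc_ValueError, "key must not be empty"); return NULL; }` after `key.length` is set — since how arcfour_init treats an empty key is not visible here. The docstring in `py_crypto_arcfour_crypt_blob_doc` says "Encrypt", but RC4 is symmetric and the same call decrypts; `"Encrypt or decrypt the data with the RC4 stream cipher using the key (the operation is symmetric)"` describes the contract more accurately for Python callers.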

@ -0,0 +1,405 @@
From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Jan 2017 11:43:12 +0100
Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
Since Windows Server 2008 Microsoft uses a different port range for RPC
services. Before it was 1024-65535 and they changed it to 49152-65535.
We should use the same range as these are the ports the firewall in AD
networks normally allow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
---
source3/rpc_server/rpc_server.c | 4 ++--
source4/smbd/service_stream.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 5effe66d9bb..37fe68fc36d 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,8 +34,8 @@
#include "rpc_server/srv_pipe_hnd.h"
#include "rpc_server/srv_pipe.h"
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index f0a379acf6a..96a303fc6a9 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -30,8 +30,8 @@
#include "lib/util/util_net.h"
/* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
/* size of listen() backlog in smbd */
#define SERVER_LISTEN_BACKLOG 10
--
2.11.0
From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Jan 2017 12:05:09 +0100
Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
services
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
---
docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++--
.../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++
lib/param/loadparm.c | 47 ++++++++++++++++++++++
lib/param/loadparm.h | 9 ++++-
lib/param/param.h | 3 ++
python/samba/tests/docs.py | 11 +++--
source3/include/proto.h | 2 +
source3/param/loadparm.c | 16 ++++++++
source3/rpc_server/rpc_server.c | 5 +--
source4/smbd/service_stream.c | 8 ++--
10 files changed, 120 insertions(+), 17 deletions(-)
create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
index 8a70835612f..0fd87d69212 100644
--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
@@ -4,11 +4,19 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ <para>This controls the default port for all protocols, except for NETLOGON.</para>
+ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
+ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
+ <para>This option applies currently only when
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ runs as an active directory domain controller.</para>
+
+ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
</description>
-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
+
+<related>rpc server dynamic port range</related>
+
<value type="default">0</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
new file mode 100644
index 00000000000..a9c51d2fe41
--- /dev/null
+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="rpc server dynamic port range"
+ context="G"
+ type="string"
+ handler="handle_rpc_server_dynamic_port_range"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter tells the RPC server which port range it is
+ allowed to use to create a listening socket for LSA, SAM,
+ Netlogon and others without wellknown tcp ports.
+ The first value is the lowest number of the port
+ range and the second the hightest.
+ </para>
+ <para>
+ This applies to RPC servers in all server roles.
+ </para>
+</description>
+
+<related>rpc server port</related>
+
+<value type="default">49152-65535</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6aa757f7c6b..3b54ff232aa 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
return lp_ctx->sDefault;
}
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_low_port;
+}
+
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_high_port;
+}
+
/**
* Convenience routine to grab string parameters into temporary memory
* and run standard_sub_basic on them.
@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
return true;
}
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue,
+ char **ptr)
+{
+ int low_port = -1, high_port = -1;
+ int rc;
+
+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
+ return false;
+ }
+
+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
+ if (rc != 2) {
+ return false;
+ }
+
+ if (low_port > high_port) {
+ return false;
+ }
+
+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
+ return false;
+ }
+
+ lp_ctx->globals->rpc_low_port = low_port;
+ lp_ctx->globals->rpc_high_port = high_port;
+
+ return true;
+}
+
bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
struct loadparm_service *service,
const char *pszParmValue, char **ptr)
@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
/* This appears odd, but globals in s3 isn't a pointer */
lp_ctx->globals->ctx = lp_ctx->globals;
+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+ lpcfg_do_global_parameter(lp_ctx,
+ "rpc server dynamic port range",
+ "49152-65535");
+
/* Allow modules to adjust defaults */
for (defaults_hook = defaults_hooks; defaults_hook;
defaults_hook = defaults_hook->next) {
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index f9fb7d8d804..c63683d6b66 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
#endif /* DEVELOPER */
};
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
+
+#define SERVER_TCP_PORT_MIN 1024
+#define SERVER_TCP_PORT_MAX 65535
@@ -272,7 +277,9 @@ enum inheritowner_options {
#define LOADPARM_EXTRA_GLOBALS \
struct parmlist_entry *param_opt; \
char *dnsdomain; \
- char *realm_original;
+ char *realm_original; \
+ int rpc_low_port; \
+ int rpc_high_port;
const char* server_role_str(uint32_t role);
int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
diff --git a/lib/param/param.h b/lib/param/param.h
index 66037e2ef1b..e123e67a990 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
time_t *usr_tkt_lifetime,
time_t *renewal_lifetime);
+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
+
/* The following definitions come from lib/version.c */
const char *samba_version_string(void);
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 22e022583f6..65df573a350 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
'lprm command', 'lpq command', 'print command', 'template homedir',
'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
'max open files', 'fss: prune stale', 'fss: sequence timeout',
- 'include system krb5 conf'])
+ 'include system krb5 conf', 'rpc server dynamic port range'])
def setUp(self):
super(SmbDotConfTests, self).setUp()
@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
exceptions = ['client lanman auth',
'client plaintext auth',
'registry shares',
- 'smb ports'])
+ 'smb ports',
+ 'rpc server dynamic port range'])
self._test_empty(['bin/testparm'])
def test_default_s4(self):
self._test_default(['bin/samba-tool', 'testparm'])
self._set_defaults(['bin/samba-tool', 'testparm'])
self._set_arbitrary(['bin/samba-tool', 'testparm'],
- exceptions = ['smb ports'])
+ exceptions = ['smb ports',
+ 'rpc server dynamic port range'])
self._test_empty(['bin/samba-tool', 'testparm'])
def _test_default(self, program):
@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
for tuples in self.defaults:
param, default, context, param_type = tuples
+
if param in self.special_cases:
continue
section = None
@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
for tuples in self.defaults:
param, default, context, param_type = tuples
- if param in ['printing']:
+ if param in ['printing', 'rpc server dynamic port range']:
continue
section = None
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 642900ed67c..b3d3ca0e5d1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );
+int lp_rpc_low_port(void);
+int lp_rpc_high_port(void);
int lp_wi_scan_global_parametrics(
const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d8da749ccba..2c8380067f6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.aio_max_threads = 100;
+ lpcfg_string_set(Globals.ctx,
+ &Globals.rpc_server_dynamic_port_range,
+ "49152-65535");
+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
return client_ipc_signing;
}
+int lp_rpc_low_port(void)
+{
+ return Globals.rpc_low_port;
+}
+
+int lp_rpc_high_port(void)
+{
+ return Globals.rpc_high_port;
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 37fe68fc36d..f7fb8ef5207 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,9 +34,6 @@
#include "rpc_server/srv_pipe_hnd.h"
#include "rpc_server/srv_pipe.h"
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
if (*port == 0) {
uint16_t i;
- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
fd = open_socket_in(SOCK_STREAM,
i,
0,
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index 96a303fc6a9..deb96d8d69d 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -29,10 +29,6 @@
#include "../lib/tsocket/tsocket.h"
#include "lib/util/util_net.h"
-/* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
/* size of listen() backlog in smbd */
#define SERVER_LISTEN_BACKLOG 10
@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
if (!port) {
status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
} else if (*port == 0) {
- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
+ for (i = lpcfg_rpc_low_port(lp_ctx);
+ i <= lpcfg_rpc_high_port(lp_ctx);
+ i++) {
socket_address->port = i;
status = socket_listen(stream_socket->sock, socket_address,
SERVER_LISTEN_BACKLOG, 0);
--
2.11.0
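Review bot: The prototypes added to lib/param/param.h declare `lpcfg_rpc_port_low` and `lpcfg_rpc_port_high`, but lib/param/loadparm.c defines `lpcfg_rpc_low_port`/`lpcfg_rpc_high_port` and source4/smbd/service_stream.c calls those names, so the two new declarations match nothing and the callers build against an implicit or otherwise-declared function; the header should read `int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx);`. In source3/rpc_server/rpc_server.c the port probe keeps `uint16_t i` while the upper bound is now 65535 by default, so `i <= lp_rpc_high_port()` can never become false and `i++` wraps to 0 after the last port; if the loop body (outside the hunk) only exits on a successful bind, an exhausted range turns into an endless scan of ports below the configured low bound, which declaring `i` as `int` and casting it to `uint16_t` at the open_socket_in() call would avoid. handle_rpc_server_dynamic_port_range() in lib/param/loadparm.c accepts trailing junk after the second number (`sscanf` with `"%d - %d"` stops matching there) and relies on `%d` conversion that is undefined for out-of-range digits, so parsing with strtol() and checking the end pointer would make the smb.conf value strictly validated rather than best-effort.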

@ -0,0 +1,7 @@
/var/log/samba/* {
notifempty
olddir /var/log/samba/old
missingok
sharedscripts
copytruncate
}

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth


@ -0,0 +1,313 @@
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes
cups options = raw
; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff
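Review bot: The `[homes]` share ships `writable = yes` with both `valid users` lines left commented out, whereas smb.conf.vendor in the same import sets `valid users = %S, %D%w%S`; per smb.conf(5) that setting is what restricts each home share to its own user, so the example would be safer and consistent with the vendor file if `valid users = %S` were active rather than listed as an optional suggestion. Two comment typos in the same file: `# load printers = when set you yes, the list of printers is automatically` should read `when set to yes`, and `# The Samba Wiki contains a lot of step-by-step guides installing, configuring,` should read `guides on installing, configuring,`.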

@ -0,0 +1,36 @@
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775