commit
36f327d1e2
34 changed files with 11231 additions and 0 deletions
@ -0,0 +1,381 @@ |
||||
From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Tue, 29 Aug 2017 17:06:21 +0200
|
||||
Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
|
||||
username into a specified one
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/include/auth_info.h | 1 +
|
||||
source3/lib/popt_common.c | 6 +-----
|
||||
source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
|
||||
3 files changed, 31 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
|
||||
index c6f71ad..8212c27 100644
|
||||
--- a/source3/include/auth_info.h
|
||||
+++ b/source3/include/auth_info.h
|
||||
@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
|
||||
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
|
||||
void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
|
||||
const char *username);
|
||||
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
|
||||
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
|
||||
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
|
||||
const char *domain);
|
||||
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
|
||||
index 9928c70..36b5e92 100644
|
||||
--- a/source3/lib/popt_common.c
|
||||
+++ b/source3/lib/popt_common.c
|
||||
@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
|
||||
void popt_common_credentials_post(void)
|
||||
{
|
||||
struct user_auth_info *auth_info = cmdline_auth_info;
|
||||
- const char *username = NULL;
|
||||
|
||||
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
|
||||
!set_cmdline_auth_info_machine_account_creds(auth_info))
|
||||
@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
|
||||
* correctly parsed yet. If we have a username we need to set it again
|
||||
* to run the string parser for the username correctly.
|
||||
*/
|
||||
- username = get_cmdline_auth_info_username(auth_info);
|
||||
- if (username != NULL && username[0] != '\0') {
|
||||
- set_cmdline_auth_info_username(auth_info, username);
|
||||
- }
|
||||
+ reset_cmdline_auth_info_username(auth_info);
|
||||
}
|
||||
|
||||
static void popt_common_credentials_callback(poptContext con,
|
||||
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
||||
index ad51a4f..80142e2 100644
|
||||
--- a/source3/lib/util_cmdline.c
|
||||
+++ b/source3/lib/util_cmdline.c
|
||||
@@ -37,6 +37,7 @@
|
||||
struct user_auth_info {
|
||||
struct cli_credentials *creds;
|
||||
struct loadparm_context *lp_ctx;
|
||||
+ bool got_username;
|
||||
bool got_pass;
|
||||
int signing_state;
|
||||
bool smb_encrypt;
|
||||
@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
|
||||
if (!ok) {
|
||||
exit(EIO);
|
||||
}
|
||||
+ auth_info->got_username = true;
|
||||
}
|
||||
|
||||
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
|
||||
@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
|
||||
exit(ENOMEM);
|
||||
}
|
||||
|
||||
+ auth_info->got_username = true;
|
||||
if (strchr_m(username, '%') != NULL) {
|
||||
auth_info->got_pass = true;
|
||||
}
|
||||
}
|
||||
|
||||
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
|
||||
+{
|
||||
+ const char *username = NULL;
|
||||
+ const char *new_val = NULL;
|
||||
+
|
||||
+ if (!auth_info->got_username) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ username = cli_credentials_get_username(auth_info->creds);
|
||||
+ if (username == NULL) {
|
||||
+ return;
|
||||
+ }
|
||||
+ if (username[0] == '\0') {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ cli_credentials_parse_string(auth_info->creds,
|
||||
+ username,
|
||||
+ CRED_SPECIFIED);
|
||||
+ new_val = cli_credentials_get_username(auth_info->creds);
|
||||
+ if (new_val == NULL) {
|
||||
+ exit(ENOMEM);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
|
||||
{
|
||||
const char *domain = NULL;
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Thu, 3 Nov 2016 17:16:43 +0100
|
||||
Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
|
||||
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
|
||||
|
||||
This is an addition to the fixes for CVE-2015-5296.
|
||||
|
||||
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/lib/util_cmdline.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
|
||||
index 80142e2..90ee67c 100644
|
||||
--- a/source3/lib/util_cmdline.c
|
||||
+++ b/source3/lib/util_cmdline.c
|
||||
@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
|
||||
|
||||
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
|
||||
{
|
||||
+ if (auth_info->smb_encrypt) {
|
||||
+ return SMB_SIGNING_REQUIRED;
|
||||
+ }
|
||||
return auth_info->signing_state;
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Fri, 9 Dec 2016 09:26:32 +0100
|
||||
Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
|
||||
SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/libsmb/pylibsmb.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
|
||||
index 59c0998..350c6d4 100644
|
||||
--- a/source3/libsmb/pylibsmb.c
|
||||
+++ b/source3/libsmb/pylibsmb.c
|
||||
@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
|
||||
|
||||
req = cli_full_connection_creds_send(
|
||||
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
|
||||
- cli_creds, 0, 0);
|
||||
+ cli_creds, 0, SMB_SIGNING_DEFAULT);
|
||||
if (!py_tevent_req_wait_exc(self->ev, req)) {
|
||||
return -1;
|
||||
}
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Mon, 12 Dec 2016 05:49:46 +0100
|
||||
Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
|
||||
in gpo_connect_server()
|
||||
|
||||
It's important that we use a signed connection to get the GPOs!
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
libgpo/gpo_fetch.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
|
||||
index 836bc23..3740d4e 100644
|
||||
--- a/libgpo/gpo_fetch.c
|
||||
+++ b/libgpo/gpo_fetch.c
|
||||
@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
|
||||
ads->auth.password,
|
||||
CLI_FULL_CONNECTION_USE_KERBEROS |
|
||||
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
|
||||
- Undefined);
|
||||
+ SMB_SIGNING_REQUIRED);
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
DEBUG(10,("check_refresh_gpo: "
|
||||
"failed to connect: %s\n",
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Tue, 29 Aug 2017 15:24:14 +0200
|
||||
Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
|
||||
cli_credentials_authentication_requested() should check for
|
||||
NTLM_CCACHE/SIGN/SEAL
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
auth/credentials/credentials.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
||||
index 06648c7..5e3b5e8 100644
|
||||
--- a/auth/credentials/credentials.c
|
||||
+++ b/auth/credentials/credentials.c
|
||||
@@ -25,6 +25,7 @@
|
||||
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "auth/credentials/credentials_internal.h"
|
||||
+#include "auth/gensec/gensec.h"
|
||||
#include "libcli/auth/libcli_auth.h"
|
||||
#include "tevent.h"
|
||||
#include "param/param.h"
|
||||
@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
|
||||
|
||||
_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
|
||||
{
|
||||
+ uint32_t gensec_features = 0;
|
||||
+
|
||||
if (cred->bind_dn) {
|
||||
return true;
|
||||
}
|
||||
@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
|
||||
return true;
|
||||
}
|
||||
|
||||
+ gensec_features = cli_credentials_get_gensec_features(cred);
|
||||
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ if (gensec_features & GENSEC_FEATURE_SIGN) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ if (gensec_features & GENSEC_FEATURE_SEAL) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
return false;
|
||||
}
|
||||
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Tue, 29 Aug 2017 15:35:49 +0200
|
||||
Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
|
||||
smbXcli_conn_signing_mandatory()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
libcli/smb/smbXcli_base.c | 5 +++++
|
||||
libcli/smb/smbXcli_base.h | 1 +
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
|
||||
index b21d796..239e5eb 100644
|
||||
--- a/libcli/smb/smbXcli_base.c
|
||||
+++ b/libcli/smb/smbXcli_base.c
|
||||
@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
|
||||
return false;
|
||||
}
|
||||
|
||||
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
|
||||
+{
|
||||
+ return conn->mandatory_signing;
|
||||
+}
|
||||
+
|
||||
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
|
||||
{
|
||||
set_socket_options(conn->sock_fd, options);
|
||||
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
|
||||
index e48fc35..2594f07 100644
|
||||
--- a/libcli/smb/smbXcli_base.h
|
||||
+++ b/libcli/smb/smbXcli_base.h
|
||||
@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
|
||||
|
||||
enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
|
||||
bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
|
||||
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
|
||||
|
||||
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
|
||||
const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
|
||||
--
|
||||
1.9.1
|
||||
|
||||
|
||||
From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Mon, 12 Dec 2016 06:07:56 +0100
|
||||
Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
|
||||
authentication was not requested
|
||||
|
||||
With forced encryption or required signing we should also don't fallback.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/libsmb/clidfs.c | 16 ++++------------
|
||||
1 file changed, 4 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
||||
index 75012b2..fdcd665 100644
|
||||
--- a/source3/libsmb/clidfs.c
|
||||
+++ b/source3/libsmb/clidfs.c
|
||||
@@ -26,6 +26,7 @@
|
||||
#include "trans2.h"
|
||||
#include "libsmb/nmblib.h"
|
||||
#include "../libcli/smb/smbXcli_base.h"
|
||||
+#include "auth/credentials/credentials.h"
|
||||
|
||||
/********************************************************************
|
||||
Important point.
|
||||
@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
||||
char *servicename;
|
||||
char *sharename;
|
||||
char *newserver, *newshare;
|
||||
- const char *username;
|
||||
- const char *password;
|
||||
- const char *domain;
|
||||
NTSTATUS status;
|
||||
int flags = 0;
|
||||
int signing_state = get_cmdline_auth_info_signing_state(auth_info);
|
||||
@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
||||
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
|
||||
}
|
||||
|
||||
- username = get_cmdline_auth_info_username(auth_info);
|
||||
- password = get_cmdline_auth_info_password(auth_info);
|
||||
- domain = get_cmdline_auth_info_domain(auth_info);
|
||||
- if ((domain == NULL) || (domain[0] == '\0')) {
|
||||
- domain = lp_workgroup();
|
||||
- }
|
||||
-
|
||||
creds = get_cmdline_auth_info_creds(auth_info);
|
||||
|
||||
status = cli_session_setup_creds(c, creds);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
/* If a password was not supplied then
|
||||
* try again with a null username. */
|
||||
- if (password[0] || !username[0] ||
|
||||
- get_cmdline_auth_info_use_kerberos(auth_info) ||
|
||||
+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
|
||||
+ cli_credentials_authentication_requested(creds) ||
|
||||
+ cli_credentials_is_anonymous(creds) ||
|
||||
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
|
||||
{
|
||||
d_printf("session setup failed: %s\n",
|
||||
--
|
||||
1.9.1
|
||||
|
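Review bot: The comment `/* If a password was not supplied then try again with a null username. */` above the rewritten condition in do_connect (source3/libsmb/clidfs.c, hunk `@@ -225,21 +223,15 @@`) is now stale: the new side no longer reads `password` or `username` at all, and instead skips the anonymous retry when `force_encrypt` is set, when `smbXcli_conn_signing_mandatory(c->conn)` is true, when `cli_credentials_authentication_requested(creds)` is true, or when the credentials are already anonymous. Suggest replacing it with `/* Retry anonymously only if no authentication was requested and neither encryption nor signing is mandatory. */`. The same hunk drops the `domain`/`lp_workgroup()` fallback; if that default is now supplied by the credentials object (not visible here), a one-line note saying so would spare the next reader a search. do_connect starts and ends outside the hunk.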
@ -0,0 +1,111 @@ |
||||
From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Mon, 14 Aug 2017 12:13:18 +0200
|
||||
Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
|
||||
cli_state_is_encryption_on() helper function
|
||||
|
||||
This allows to check if the current cli_state uses encryption
|
||||
(either via unix extentions or via SMB3).
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/libsmb/clientgen.c | 13 +++++++++++++
|
||||
source3/libsmb/proto.h | 1 +
|
||||
2 files changed, 14 insertions(+)
|
||||
|
||||
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
|
||||
index bc5c1b1ce3c..3e8523e5ce8 100644
|
||||
--- a/source3/libsmb/clientgen.c
|
||||
+++ b/source3/libsmb/clientgen.c
|
||||
@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
|
||||
return cli->smb1.pid;
|
||||
}
|
||||
|
||||
+bool cli_state_is_encryption_on(struct cli_state *cli)
|
||||
+{
|
||||
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
|
||||
+ return smb1cli_conn_encryption_on(cli->conn);
|
||||
+ }
|
||||
+
|
||||
+ if (cli->smb2.tcon == NULL) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
|
||||
+}
|
||||
+
|
||||
bool cli_state_has_tcon(struct cli_state *cli)
|
||||
{
|
||||
uint16_t tid = cli_state_get_tid(cli);
|
||||
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
||||
index 764f3fc1b12..67fa43e4e4a 100644
|
||||
--- a/source3/libsmb/proto.h
|
||||
+++ b/source3/libsmb/proto.h
|
||||
@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
|
||||
uint16_t cli_state_get_vc_num(struct cli_state *cli);
|
||||
uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
|
||||
uint32_t cli_getpid(struct cli_state *cli);
|
||||
+bool cli_state_is_encryption_on(struct cli_state *cli);
|
||||
bool cli_state_has_tcon(struct cli_state *cli);
|
||||
uint16_t cli_state_get_tid(struct cli_state *cli);
|
||||
uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
|
||||
--
|
||||
2.13.5
|
||||
|
||||
|
||||
From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Sat, 17 Dec 2016 10:36:49 +0100
|
||||
Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
|
||||
cli_state_is_encryption_on()
|
||||
|
||||
This will keep enforced encryption across dfs referrals.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/libsmb/clidfs.c | 4 ++--
|
||||
source3/libsmb/libsmb_context.c | 2 +-
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
||||
index c477d7c6a46..99818a681e3 100644
|
||||
--- a/source3/libsmb/clidfs.c
|
||||
+++ b/source3/libsmb/clidfs.c
|
||||
@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
||||
"IPC$",
|
||||
dfs_auth_info,
|
||||
false,
|
||||
- smb1cli_conn_encryption_on(rootcli->conn),
|
||||
+ cli_state_is_encryption_on(rootcli),
|
||||
smbXcli_conn_protocol(rootcli->conn),
|
||||
0,
|
||||
0x20,
|
||||
@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
|
||||
dfs_refs[count].share,
|
||||
dfs_auth_info,
|
||||
false,
|
||||
- smb1cli_conn_encryption_on(rootcli->conn),
|
||||
+ cli_state_is_encryption_on(rootcli),
|
||||
smbXcli_conn_protocol(rootcli->conn),
|
||||
0,
|
||||
0x20,
|
||||
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
|
||||
index ed6ca2b1b9f..b55cf1e2d15 100644
|
||||
--- a/source3/libsmb/libsmb_context.c
|
||||
+++ b/source3/libsmb/libsmb_context.c
|
||||
@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
|
||||
|
||||
for (s = context->internal->servers; s; s = s->next) {
|
||||
num_servers++;
|
||||
- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
|
||||
+ if (!cli_state_is_encryption_on(s->cli)) {
|
||||
return (void *)false;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.13.5
|
||||
|
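Review bot: The new `cli_state_is_encryption_on()` in source3/libsmb/clientgen.c has no header comment, and its SMB2+ branch returns `false` whenever `cli->smb2.tcon == NULL`, which the two `cli_resolve_path()` call sites in the second patch will read as "encryption off" for a connection that simply has no tree connect yet. Suggest a comment above the definition: `/* True if this connection is encrypted: SMB1 unix-extension encryption, or SMB3 tree-connect encryption. Before an SMB2/3 tree connect exists this returns false. */`. Whether any caller can reach it before a tcon exists is not visible here and is worth confirming, since the value is passed on as the force_encrypt argument.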
@ -0,0 +1,141 @@ |
||||
From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Allison <jra@samba.org>
|
||||
Date: Fri, 8 Sep 2017 10:13:14 -0700
|
||||
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
|
||||
writing server memory to file.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
|
||||
|
||||
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 50 insertions(+)
|
||||
|
||||
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
|
||||
index 317143f..7b07078 100644
|
||||
--- a/source3/smbd/reply.c
|
||||
+++ b/source3/smbd/reply.c
|
||||
@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
|
||||
}
|
||||
|
||||
/* Ensure we don't write bytes past the end of this packet. */
|
||||
+ /*
|
||||
+ * This already protects us against CVE-2017-12163.
|
||||
+ */
|
||||
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
error_to_writebrawerr(req);
|
||||
@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
|
||||
exit_server_cleanly("secondary writebraw failed");
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * We are not vulnerable to CVE-2017-12163
|
||||
+ * here as we are guarenteed to have numtowrite
|
||||
+ * bytes available - we just read from the client.
|
||||
+ */
|
||||
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
|
||||
if (nwritten == -1) {
|
||||
TALLOC_FREE(buf);
|
||||
@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
|
||||
connection_struct *conn = req->conn;
|
||||
ssize_t nwritten = -1;
|
||||
size_t numtowrite;
|
||||
+ size_t remaining;
|
||||
off_t startpos;
|
||||
const char *data;
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
|
||||
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
|
||||
data = (const char *)req->buf + 3;
|
||||
|
||||
+ /*
|
||||
+ * Ensure client isn't asking us to write more than
|
||||
+ * they sent. CVE-2017-12163.
|
||||
+ */
|
||||
+ remaining = smbreq_bufrem(req, data);
|
||||
+ if (numtowrite > remaining) {
|
||||
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
+ END_PROFILE(SMBwriteunlock);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (!fsp->print_file && numtowrite > 0) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
|
||||
{
|
||||
connection_struct *conn = req->conn;
|
||||
size_t numtowrite;
|
||||
+ size_t remaining;
|
||||
ssize_t nwritten = -1;
|
||||
off_t startpos;
|
||||
const char *data;
|
||||
@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
|
||||
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
|
||||
data = (const char *)req->buf + 3;
|
||||
|
||||
+ /*
|
||||
+ * Ensure client isn't asking us to write more than
|
||||
+ * they sent. CVE-2017-12163.
|
||||
+ */
|
||||
+ remaining = smbreq_bufrem(req, data);
|
||||
+ if (numtowrite > remaining) {
|
||||
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
+ END_PROFILE(SMBwrite);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (!fsp->print_file) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
|
||||
goto out;
|
||||
}
|
||||
} else {
|
||||
+ /*
|
||||
+ * This already protects us against CVE-2017-12163.
|
||||
+ */
|
||||
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
|
||||
smb_doff + numtowrite > smblen) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
|
||||
{
|
||||
connection_struct *conn = req->conn;
|
||||
size_t numtowrite;
|
||||
+ size_t remaining;
|
||||
ssize_t nwritten = -1;
|
||||
NTSTATUS close_status = NT_STATUS_OK;
|
||||
off_t startpos;
|
||||
@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
|
||||
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
|
||||
data = (const char *)req->buf + 1;
|
||||
|
||||
+ /*
|
||||
+ * Ensure client isn't asking us to write more than
|
||||
+ * they sent. CVE-2017-12163.
|
||||
+ */
|
||||
+ remaining = smbreq_bufrem(req, data);
|
||||
+ if (numtowrite > remaining) {
|
||||
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
+ END_PROFILE(SMBwriteclose);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (fsp->print_file == NULL) {
|
||||
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
|
||||
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
|
||||
@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
|
||||
|
||||
numtowrite = SVAL(req->buf, 1);
|
||||
|
||||
+ /*
|
||||
+ * This already protects us against CVE-2017-12163.
|
||||
+ */
|
||||
if (req->buflen < numtowrite + 3) {
|
||||
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
|
||||
END_PROFILE(SMBsplwr);
|
||||
--
|
||||
1.9.1
|
||||
|
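Review bot: The same guard (`remaining = smbreq_bufrem(req, data); if (numtowrite > remaining) { reply_nterror(...); END_PROFILE(...); return; }`) is pasted into reply_writeunlock, reply_write and reply_writeclose in source3/smbd/reply.c with only the END_PROFILE tag differing, so a small static helper would keep the three sites from drifting while END_PROFILE stays at the call site. Each check also relies on `data = req->buf + 3` (or `+ 1`) having been validated against `req->buflen` earlier in the function, which is outside these hunks; confirm that `smbreq_bufrem()` tolerates `data` at or past the end of the buffer. Minor: the new comment in the second reply_writebraw hunk spells "guaranteed" as "guarenteed". All three enclosing functions start and end outside the hunks.
```c
/* True when numtowrite bytes starting at data lie inside req's buffer. */
static bool write_len_fits(const struct smb_request *req,
			   const char *data, size_t numtowrite)
{
	return numtowrite <= smbreq_bufrem(req, data);
}

/* … unchanged: reply_writeunlock up to the data assignment … */
	if (!write_len_fits(req, data, numtowrite)) {
		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
		END_PROFILE(SMBwriteunlock);
		return;
	}
```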
@ -0,0 +1,63 @@ |
||||
From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Allison <jra@samba.org>
|
||||
Date: Tue, 19 Sep 2017 16:11:33 -0700
|
||||
Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When setting up the chain, always use 'next->' variables
|
||||
not the 'req->' one.
|
||||
|
||||
Bug discovered by 连一汉 <lianyihan@360.cn>
|
||||
|
||||
CVE-2017-14746
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
|
||||
|
||||
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||
---
|
||||
source3/smbd/process.c | 7 ++++---
|
||||
source3/smbd/reply.c | 5 +++++
|
||||
2 files changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
|
||||
index b65ae2c1b1c..9b2b0a669a2 100644
|
||||
--- a/source3/smbd/process.c
|
||||
+++ b/source3/smbd/process.c
|
||||
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
|
||||
|
||||
next->vuid = SVAL(req->outbuf, smb_uid);
|
||||
next->tid = SVAL(req->outbuf, smb_tid);
|
||||
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
|
||||
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
|
||||
now, &tcon);
|
||||
+
|
||||
if (NT_STATUS_IS_OK(status)) {
|
||||
- req->conn = tcon->compat;
|
||||
+ next->conn = tcon->compat;
|
||||
} else {
|
||||
- req->conn = NULL;
|
||||
+ next->conn = NULL;
|
||||
}
|
||||
next->chain_fsp = req->chain_fsp;
|
||||
next->inbuf = req->inbuf;
|
||||
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
|
||||
index 7b07078249b..81acedf0413 100644
|
||||
--- a/source3/smbd/reply.c
|
||||
+++ b/source3/smbd/reply.c
|
||||
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
|
||||
}
|
||||
|
||||
TALLOC_FREE(tcon);
|
||||
+ /*
|
||||
+ * This tree id is gone. Make sure we can't re-use it
|
||||
+ * by accident.
|
||||
+ */
|
||||
+ req->tid = 0;
|
||||
}
|
||||
|
||||
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
|
||||
--
|
||||
2.14.2.920.gcf0c67979c-goog
|
||||
|
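Review bot: In smb_request_done (source3/smbd/process.c) the lookup now keys on `next->tid` and assigns `next->conn`, but nothing at the site records why `req->tid` and `req->conn` must not be used; only the commit message does. Suggest a comment above the lookup: `/* Key on the tid from our own reply, not req->tid: the request just completed may have disconnected its tree (see reply_tcon_and_X), so req->conn is not trustworthy for the chained request. */`. The reply.c hunk resets `req->tid = 0` after `TALLOC_FREE(tcon)`; whether `req->conn` needs the same treatment depends on code above that hunk and is worth a look. smb_request_done starts and ends outside the hunk; the extra blank line added after the lookup is a style nit.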
@ -0,0 +1,45 @@ |
||||
From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
|
||||
From: Jeremy Allison <jra@samba.org>
|
||||
Date: Wed, 20 Sep 2017 11:04:50 -0700
|
||||
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
|
||||
talloc buffer is grown.
|
||||
|
||||
Ensure we zero out unused grown area.
|
||||
|
||||
CVE-2017-15275
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
|
||||
|
||||
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||
---
|
||||
source3/smbd/srvstr.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
|
||||
index 56dceba8c6c..c2d70b32c32 100644
|
||||
--- a/source3/smbd/srvstr.c
|
||||
+++ b/source3/smbd/srvstr.c
|
||||
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
|
||||
DEBUG(0, ("srvstr_push failed\n"));
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * Ensure we clear out the extra data we have
|
||||
+ * grown the buffer by, but not written to.
|
||||
+ */
|
||||
+ if (buf_size + result < buf_size) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (grow_size < result) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ memset(tmp + buf_size + result, '\0', grow_size - result);
|
||||
+
|
||||
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
|
||||
|
||||
*outbuf = tmp;
|
||||
--
|
||||
2.14.2.920.gcf0c67979c-goog
|
||||
|
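Review bot: The two new `return -1` paths in message_push_string (source3/smbd/srvstr.c) exit after the buffer has been grown into `tmp` but before the `*outbuf = tmp` assignment at the end of the hunk, matching the existing `srvstr_push failed` branch; if `tmp` was obtained by reallocating `*outbuf` (code above the hunk), all three paths leave the caller with the pre-realloc pointer, so confirm that is intended. Both new conditions should be impossible if `srvstr_push` honoured the size it was given, so a `DEBUG(0, ("message_push_string: result exceeds grow_size\n"));` before the return, as the existing failure branch does, would make a violation visible rather than silent. message_push_string starts outside the hunk.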
@ -0,0 +1,34 @@ |
||||
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
|
||||
From: Volker Lendecke <vl@samba.org>
|
||||
Date: Mon, 8 May 2017 21:40:40 +0200
|
||||
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
|
||||
inside
|
||||
|
||||
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
|
||||
|
||||
Signed-off-by: Volker Lendecke <vl@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
---
|
||||
source3/rpc_server/srv_pipe.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
|
||||
index 0633b5f..c3f0cd8 100644
|
||||
--- a/source3/rpc_server/srv_pipe.c
|
||||
+++ b/source3/rpc_server/srv_pipe.c
|
||||
@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
|
||||
{
|
||||
NTSTATUS status;
|
||||
|
||||
+ if (strchr(pipename, '/')) {
|
||||
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
|
||||
DEBUG(10, ("refusing spoolss access\n"));
|
||||
return false;
|
||||
--
|
||||
1.9.1
|
||||
|
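Review bot: The new guard in is_known_pipename (source3/rpc_server/srv_pipe.c) carries no comment saying why a '/' is rejected, so a later reader has only the commit subject to go on. Suggest `/* Reject pipe names containing a path separator; see CVE-2017-7494 / bug 12780. */` above the `strchr` call. For consistency with the `strchr_m(...) != NULL` tests elsewhere in this series, write the condition as `if (strchr(pipename, '/') != NULL) {`. Whether `pipename` can arrive as NULL is decided by callers outside the hunk; `strchr` on NULL is undefined behaviour.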
@ -0,0 +1,20 @@ |
||||
MIT Kerberos 5 Support |
||||
======================= |
||||
|
||||
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of |
||||
choice. The Samba build in Fedora is using MIT Kerberos implementation in order |
||||
to allow system-wide interoperability between both desktop and server |
||||
applications running on the same machine. |
||||
|
||||
At the moment the Samba Active Directory Domain Controller implementation is |
||||
not available with MIT Kereberos. FreeIPA and Samba Team members are currently |
||||
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux |
||||
distribution integration of Samba AD DC features. |
||||
|
||||
We have just finished migrating the file server and all client utilities to MIT |
||||
Kerberos. The result of this work is available in samba-* packages in Fedora. |
||||
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos |
||||
KDC will be ready. |
||||
|
||||
In case of further questions do not hesitate to send your inquiries to |
||||
samba-owner@fedoraproject.org |
@ -0,0 +1,29 @@ |
||||
Downgrading Samba |
||||
================= |
||||
|
||||
Short version: data-preserving downgrades between Samba versions are not supported |
||||
|
||||
Long version: |
||||
With Samba development there are cases when on-disk database format evolves. |
||||
In general, Samba Team attempts to maintain forward compatibility and |
||||
automatically upgrade databases during runtime when requires. |
||||
However, when downgrade is required Samba will not perform downgrade to |
||||
existing databases. It may be impossible if new features that caused database |
||||
upgrade are in use. Thus, one needs to consider a downgrade procedure before |
||||
actually downgrading Samba setup. |
||||
|
||||
Please always perform back up prior both upgrading and downgrading across major |
||||
version changes. Restoring database files is easiest and simplest way to get to |
||||
previously working setup. |
||||
|
||||
Easiest way to downgrade is to remove all created databases and start from scratch. |
||||
This means losing all authentication and domain relationship data, as well as |
||||
user databases (in case of tdb storage), printers, registry settings, and winbindd |
||||
caches. |
||||
|
||||
Remove databases in following locations: |
||||
/var/lib/samba/*.tdb |
||||
/var/lib/samba/private/*.tdb |
||||
|
||||
In particular, registry settings are known to prevent running downgraded versions |
||||
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4. |
@ -0,0 +1,38 @@ |
||||
# |
||||
# pam_winbind configuration file |
||||
# |
||||
# /etc/security/pam_winbind.conf |
||||
# |
||||
|
||||
[global] |
||||
|
||||
# turn on debugging |
||||
;debug = no |
||||
|
||||
# turn on extended PAM state debugging |
||||
;debug_state = no |
||||
|
||||
# request a cached login if possible |
||||
# (needs "winbind offline logon = yes" in smb.conf) |
||||
;cached_login = no |
||||
|
||||
# authenticate using kerberos |
||||
;krb5_auth = no |
||||
|
||||
# when using kerberos, request a "FILE" krb5 credential cache type |
||||
# (leave empty to just do krb5 authentication but not have a ticket |
||||
# afterwards) |
||||
;krb5_ccache_type = |
||||
|
||||
# make successful authentication dependend on membership of one SID |
||||
# (can also take a name) |
||||
;require_membership_of = |
||||
|
||||
# password expiry warning period in days |
||||
;warn_pwd_expire = 14 |
||||
|
||||
# omit pam conversations |
||||
;silent = no |
||||
|
||||
# create homedirectory on the fly |
||||
;mkhomedir = no |
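Review bot: The comment above `require_membership_of` has a typo: `dependend` should read `dependent`. Every key in this file is commented out with `;`, so the file documents settings rather than applying any; a short header such as `# All options below are shown commented out; uncomment a line to override the default` would make that intent explicit to whoever edits it next. The values shown are presumably the module's built-in defaults, which cannot be confirmed from this file alone.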
@ -0,0 +1,7 @@ |
||||
-----BEGIN PGP SIGNATURE----- |
||||
Version: GnuPG v1 |
||||
|
||||
iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz |
||||
DQw3KuAbWCKIgkHcy1zZr2o= |
||||
=bIg5 |
||||
-----END PGP SIGNATURE----- |
@ -0,0 +1,37 @@ |
||||
From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 5 Jan 2017 09:34:36 +0100
|
||||
Subject: [PATCH] replace: Include sysmacros.h
|
||||
|
||||
In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
|
||||
historical compatibility, it is currently defined by <sys/types.h> as
|
||||
well, but it is planned to remove this soon.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Volker Lendecke <vl@samba.org>
|
||||
|
||||
(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
|
||||
---
|
||||
lib/replace/replace.h | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
|
||||
index c69a069e4b3..1dbeacfff66 100644
|
||||
--- a/lib/replace/replace.h
|
||||
+++ b/lib/replace/replace.h
|
||||
@@ -171,6 +171,10 @@
|
||||
#include <sys/types.h>
|
||||
#endif
|
||||
|
||||
+#ifdef HAVE_SYS_SYSMACROS_H
|
||||
+#include <sys/sysmacros.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef HAVE_SETPROCTITLE_H
|
||||
#include <setproctitle.h>
|
||||
#endif
|
||||
--
|
||||
2.12.0
|
||||
|
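Review bot: The new `#ifdef HAVE_SYS_SYSMACROS_H` block is only live if the build defines that macro, and the diffstat touches lib/replace/replace.h alone; the configure check for `sys/sysmacros.h` in lib/replace/wscript is presumably already present in this tree, but that is worth confirming, since without it the include is dead and the `makedev` problem the commit describes remains. A one-line comment above the block would also spare the next reader a trip to the commit log, e.g. `/* glibc: makedev() lives in <sys/sysmacros.h>; its <sys/types.h> fallback is being removed */`.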
@ -0,0 +1,39 @@ |
||||
From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 20 Mar 2017 16:08:20 +0100
|
||||
Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||
---
|
||||
source3/libsmb/cliconnect.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
||||
index 029c3d4760e..93f873079db 100644
|
||||
--- a/source3/libsmb/cliconnect.c
|
||||
+++ b/source3/libsmb/cliconnect.c
|
||||
@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
||||
0 /* no time correction for now */,
|
||||
NULL);
|
||||
if (ret != 0) {
|
||||
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
|
||||
- user_principal, target_hostname,
|
||||
- error_message(ret)));
|
||||
+ int dbglvl = DBGLVL_WARNING;
|
||||
+
|
||||
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
||||
+ dbglvl = DBGLVL_ERR;
|
||||
+ }
|
||||
+
|
||||
+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
|
||||
+ user_principal, target_hostname,
|
||||
+ error_message(ret)));
|
||||
if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
||||
TALLOC_FREE(frame);
|
||||
return krb5_to_nt_status(ret);
|
||||
--
|
||||
2.12.0
|
||||
|
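Review bot: `krb5_state == CRED_MUST_USE_KERBEROS` is now evaluated twice back to back, once to choose `dbglvl` and again for the existing early return; folding the `DEBUG` call into that existing `if`, with an `else` branch for the warning, would make the two outcomes read as a single decision. The operational consequence also deserves a word: when Kerberos is not mandatory, a kinit failure is now only a warning and (presumably, below the hunk) the session proceeds with a non-Kerberos mechanism, which is a silent authentication downgrade that anyone able to make the KDC unreachable can provoke, so the warning text should say so, e.g. `"Kinit for %s to access %s failed: %s, falling back to non-Kerberos authentication\n"`. cli_session_creds_prepare_krb5 continues outside the hunk.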
@ -0,0 +1,293 @@ |
||||
From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 13 Mar 2017 17:30:37 +0100
|
||||
Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
|
||||
|
||||
The old behaviour is:
|
||||
|
||||
for var in $*
|
||||
do
|
||||
echo "$var"
|
||||
done
|
||||
|
||||
And you get this:
|
||||
|
||||
$ sh test.sh 1 2 '3 4'
|
||||
1
|
||||
2
|
||||
3
|
||||
4
|
||||
|
||||
Changing it to:
|
||||
|
||||
for var in "$@"
|
||||
do
|
||||
echo "$var"
|
||||
done
|
||||
|
||||
will correctly expand to:
|
||||
|
||||
$ sh test.sh 1 2 '3 4'
|
||||
1
|
||||
2
|
||||
3 4
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
|
||||
---
|
||||
testprogs/blackbox/subunit.sh | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
|
||||
index 0791d775d27..5c81ce20a11 100755
|
||||
--- a/testprogs/blackbox/subunit.sh
|
||||
+++ b/testprogs/blackbox/subunit.sh
|
||||
@@ -78,7 +78,7 @@ subunit_skip_test () {
|
||||
testit () {
|
||||
name="$1"
|
||||
shift
|
||||
- cmdline="$*"
|
||||
+ cmdline="$@"
|
||||
subunit_start_test "$name"
|
||||
output=`$cmdline 2>&1`
|
||||
status=$?
|
||||
@@ -93,7 +93,7 @@ testit () {
|
||||
testit_expect_failure () {
|
||||
name="$1"
|
||||
shift
|
||||
- cmdline="$*"
|
||||
+ cmdline="$@"
|
||||
subunit_start_test "$name"
|
||||
output=`$cmdline 2>&1`
|
||||
status=$?
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 13 Mar 2017 16:11:39 +0100
|
||||
Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
|
||||
---
|
||||
lib/krb5_wrap/krb5_samba.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index 10b42dec53f..fd8e4a96071 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
|
||||
goto open_keytab;
|
||||
}
|
||||
|
||||
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
|
||||
+
|
||||
return KRB5_KT_BADNAME;
|
||||
|
||||
open_keytab:
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 13 Mar 2017 16:24:52 +0100
|
||||
Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
|
||||
---
|
||||
source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
|
||||
1 file changed, 57 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
||||
index 3c73b089bbb..96df10fcf65 100644
|
||||
--- a/source3/libads/kerberos_keytab.c
|
||||
+++ b/source3/libads/kerberos_keytab.c
|
||||
@@ -34,6 +34,57 @@
|
||||
|
||||
#ifdef HAVE_ADS
|
||||
|
||||
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
|
||||
+#ifndef MAX_KEYTAB_NAME_LEN
|
||||
+#define MAX_KEYTAB_NAME_LEN 1100
|
||||
+#endif
|
||||
+
|
||||
+static krb5_error_code ads_keytab_open(krb5_context context,
|
||||
+ krb5_keytab *keytab)
|
||||
+{
|
||||
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
|
||||
+ const char *keytab_name = NULL;
|
||||
+ krb5_error_code ret = 0;
|
||||
+
|
||||
+ switch (lp_kerberos_method()) {
|
||||
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
|
||||
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
|
||||
+ ret = krb5_kt_default_name(context,
|
||||
+ keytab_str,
|
||||
+ sizeof(keytab_str) - 2);
|
||||
+ if (ret != 0) {
|
||||
+ DBG_WARNING("Failed to get default keytab name");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ keytab_name = keytab_str;
|
||||
+ break;
|
||||
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
|
||||
+ keytab_name = lp_dedicated_keytab_file();
|
||||
+ break;
|
||||
+ default:
|
||||
+ DBG_ERR("Invalid kerberos method set (%d)\n",
|
||||
+ lp_kerberos_method());
|
||||
+ ret = KRB5_KT_BADNAME;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
|
||||
+ DBG_ERR("Invalid keytab name\n");
|
||||
+ ret = KRB5_KT_BADNAME;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
|
||||
+ if (ret != 0) {
|
||||
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
|
||||
+ error_message(ret));
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+out:
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/**********************************************************************
|
||||
Adds a single service principal, i.e. 'host' to the system keytab
|
||||
***********************************************************************/
|
||||
@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
|
||||
- if (ret) {
|
||||
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
|
||||
- error_message(ret)));
|
||||
+ ret = ads_keytab_open(context, &keytab);
|
||||
+ if (ret != 0) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
|
||||
return ret;
|
||||
}
|
||||
|
||||
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
|
||||
- if (ret) {
|
||||
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
|
||||
- error_message(ret)));
|
||||
+ ret = ads_keytab_open(context, &keytab);
|
||||
+ if (ret != 0) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
|
||||
DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
|
||||
"and update.\n"));
|
||||
|
||||
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
|
||||
- if (ret) {
|
||||
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
|
||||
- error_message(ret)));
|
||||
+ ret = ads_keytab_open(context, &keytab);
|
||||
+ if (ret != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 13 Mar 2017 17:28:58 +0100
|
||||
Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
|
||||
commandline
|
||||
|
||||
We support --option for our tools but you cannot set an option where the
|
||||
value of the option includes a space.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
|
||||
---
|
||||
lib/param/param_table.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
|
||||
index 4b5234a7c9e..9a944ef19b3 100644
|
||||
--- a/lib/param/param_table.c
|
||||
+++ b/lib/param/param_table.c
|
||||
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
|
||||
static const struct enum_list enum_kerberos_method[] = {
|
||||
{KERBEROS_VERIFY_SECRETS, "default"},
|
||||
{KERBEROS_VERIFY_SECRETS, "secrets only"},
|
||||
+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
|
||||
{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
|
||||
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
|
||||
{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
|
||||
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
|
||||
{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
|
||||
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 13 Mar 2017 16:34:05 +0100
|
||||
Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
|
||||
|
||||
This checks that a 'net ads join' can create the keytab and make sure we
|
||||
will not regress in future.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
|
||||
---
|
||||
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
||||
index 8e915cdcf1f..99b886f53eb 100755
|
||||
--- a/testprogs/blackbox/test_net_ads.sh
|
||||
+++ b/testprogs/blackbox/test_net_ads.sh
|
||||
@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
|
||||
|
||||
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
|
||||
+# Test with kerberos method = secrets and keytab
|
||||
+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
|
||||
+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
|
||||
+
|
||||
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
|
||||
+
|
||||
+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
+rm -f $dedicated_keytab_file
|
||||
+
|
||||
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
|
||||
|
||||
testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
--
|
||||
2.12.0
|
||||
|
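Review bot: In `ads_keytab_open` (patch 3/5) the `default:` branch also catches `KERBEROS_VERIFY_SECRETS`, which is the documented default `kerberos method = secrets only`, and reports it as `Invalid kerberos method set`; if any caller can reach this function with that setting, a configuration in which no keytab is in use is misdiagnosed as a bad enum value. An explicit `case KERBEROS_VERIFY_SECRETS:` with its own message would keep `default:` for genuinely out-of-range values. Separately, `DBG_WARNING("Failed to get default keytab name");` lacks the trailing `\n` every other message in the hunk has, so it runs into the following log line. Whether "secrets only" can actually reach this function is not visible in the hunk; the callers are shown only in part.
```c
	switch (lp_kerberos_method()) {
	/* … unchanged: SYSTEM_KEYTAB, SECRETS_AND_KEYTAB and DEDICATED_KEYTAB cases … */
	case KERBEROS_VERIFY_SECRETS:
		/* No keytab is in use with "secrets only"; not a misconfiguration. */
		DBG_WARNING("kerberos method = secrets only, no keytab to open\n");
		ret = KRB5_KT_BADNAME;
		goto out;
	default:
	/* … unchanged: DBG_ERR for out-of-range values … */
	}
```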
@ -0,0 +1,245 @@ |
||||
From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 4 May 2017 17:48:42 +0200
|
||||
Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
|
||||
COPY_FROM_DIRECTORY
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
|
||||
---
|
||||
source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 35 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
|
||||
index 394a3e5..49be5d9 100644
|
||||
--- a/source3/printing/nt_printing.c
|
||||
+++ b/source3/printing/nt_printing.c
|
||||
@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
|
||||
static uint32_t get_correct_cversion(struct auth_session_info *session_info,
|
||||
const char *architecture,
|
||||
const char *driverpath_in,
|
||||
+ const char *driver_directory,
|
||||
WERROR *perr)
|
||||
{
|
||||
int cversion = -1;
|
||||
NTSTATUS nt_status;
|
||||
struct smb_filename *smb_fname = NULL;
|
||||
- char *driverpath = NULL;
|
||||
files_struct *fsp = NULL;
|
||||
connection_struct *conn = NULL;
|
||||
char *oldcwd;
|
||||
char *printdollar = NULL;
|
||||
+ char *printdollar_path = NULL;
|
||||
+ char *working_dir = NULL;
|
||||
int printdollar_snum;
|
||||
|
||||
*perr = WERR_INVALID_PARAMETER;
|
||||
@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
|
||||
+ if (printdollar_path == NULL) {
|
||||
+ *perr = WERR_NOT_ENOUGH_MEMORY;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ working_dir = talloc_asprintf(talloc_tos(),
|
||||
+ "%s/%s",
|
||||
+ printdollar_path,
|
||||
+ architecture);
|
||||
+ /*
|
||||
+ * If the driver has been uploaded into a temorpary driver
|
||||
+ * directory, switch to the driver directory.
|
||||
+ */
|
||||
+ if (driver_directory != NULL) {
|
||||
+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
|
||||
+ printdollar_path,
|
||||
+ architecture,
|
||||
+ driver_directory);
|
||||
+ }
|
||||
+
|
||||
nt_status = create_conn_struct_cwd(talloc_tos(),
|
||||
server_event_context(),
|
||||
server_messaging_context(),
|
||||
&conn,
|
||||
printdollar_snum,
|
||||
- lp_path(talloc_tos(), printdollar_snum),
|
||||
+ working_dir,
|
||||
session_info, &oldcwd);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0,("get_correct_cversion: create_conn_struct "
|
||||
@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
|
||||
goto error_free_conn;
|
||||
}
|
||||
|
||||
- /* Open the driver file (Portable Executable format) and determine the
|
||||
- * deriver the cversion. */
|
||||
- driverpath = talloc_asprintf(talloc_tos(),
|
||||
- "%s/%s",
|
||||
- architecture,
|
||||
- driverpath_in);
|
||||
- if (!driverpath) {
|
||||
- *perr = WERR_NOT_ENOUGH_MEMORY;
|
||||
- goto error_exit;
|
||||
- }
|
||||
-
|
||||
- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
|
||||
+ /*
|
||||
+ * We switch to the directory where the driver files are located,
|
||||
+ * so only work on the file names
|
||||
+ */
|
||||
+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
*perr = ntstatus_to_werror(nt_status);
|
||||
goto error_exit;
|
||||
@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
|
||||
* NT2K: cversion=3
|
||||
*/
|
||||
|
||||
- *version = get_correct_cversion(session_info, short_architecture,
|
||||
- *driver_path, &err);
|
||||
+ *version = get_correct_cversion(session_info,
|
||||
+ short_architecture,
|
||||
+ *driver_path,
|
||||
+ *driver_directory,
|
||||
+ &err);
|
||||
if (*version == -1) {
|
||||
return err;
|
||||
}
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 5 May 2017 11:11:25 +0200
|
||||
Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
|
||||
for 64bit
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
|
||||
---
|
||||
source4/torture/rpc/spoolss.c | 16 +++++++++++-----
|
||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
|
||||
index 409ba57..c4b7bf1 100644
|
||||
--- a/source4/torture/rpc/spoolss.c
|
||||
+++ b/source4/torture/rpc/spoolss.c
|
||||
@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
|
||||
}
|
||||
|
||||
static bool test_driver_copy_from_directory(struct torture_context *tctx,
|
||||
- struct dcerpc_pipe *p)
|
||||
+ struct dcerpc_pipe *p,
|
||||
+ const char *architecture)
|
||||
{
|
||||
struct torture_driver_context *d;
|
||||
struct spoolss_StringArray *a;
|
||||
@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
|
||||
d = talloc_zero(tctx, struct torture_driver_context);
|
||||
torture_assert_not_null(tctx, d, "ENOMEM");
|
||||
|
||||
- d->local.environment =
|
||||
- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
|
||||
+ d->local.environment = talloc_strdup(d, architecture);
|
||||
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
|
||||
|
||||
d->local.driver_directory =
|
||||
@@ -11208,6 +11208,12 @@ done:
|
||||
return ok;
|
||||
}
|
||||
|
||||
+static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
|
||||
+ struct dcerpc_pipe *p)
|
||||
+{
|
||||
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
|
||||
+}
|
||||
+
|
||||
static bool test_del_driver_all_files(struct torture_context *tctx,
|
||||
struct dcerpc_pipe *p)
|
||||
{
|
||||
@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
|
||||
torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
|
||||
|
||||
torture_rpc_tcase_add_test(tcase,
|
||||
- "test_driver_copy_from_directory",
|
||||
- test_driver_copy_from_directory);
|
||||
+ "test_driver_copy_from_directory_64",
|
||||
+ test_driver_copy_from_directory_64);
|
||||
|
||||
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
|
||||
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 5 May 2017 11:12:02 +0200
|
||||
Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
|
||||
copy_from_directory
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
|
||||
---
|
||||
source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
|
||||
1 file changed, 17 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
|
||||
index c4b7bf1..e17ac6f 100644
|
||||
--- a/source4/torture/rpc/spoolss.c
|
||||
+++ b/source4/torture/rpc/spoolss.c
|
||||
@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
|
||||
d->local.environment = talloc_strdup(d, architecture);
|
||||
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
|
||||
|
||||
- d->local.driver_directory =
|
||||
- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
|
||||
+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
|
||||
+ d->local.driver_directory =
|
||||
+ talloc_strdup(d, "/usr/share/cups/drivers/x64");
|
||||
+ } else {
|
||||
+ d->local.driver_directory =
|
||||
+ talloc_strdup(d, "/usr/share/cups/drivers/i386");
|
||||
+ }
|
||||
torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
|
||||
|
||||
d->remote.driver_upload_directory = GUID_string2(d, &guid);
|
||||
@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
|
||||
return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
|
||||
}
|
||||
|
||||
+static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
|
||||
+ struct dcerpc_pipe *p)
|
||||
+{
|
||||
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
|
||||
+}
|
||||
+
|
||||
static bool test_del_driver_all_files(struct torture_context *tctx,
|
||||
struct dcerpc_pipe *p)
|
||||
{
|
||||
@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
|
||||
"test_driver_copy_from_directory_64",
|
||||
test_driver_copy_from_directory_64);
|
||||
|
||||
+ torture_rpc_tcase_add_test(tcase,
|
||||
+ "test_driver_copy_from_directory_32",
|
||||
+ test_driver_copy_from_directory_32);
|
||||
+
|
||||
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
|
||||
|
||||
torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
|
||||
--
|
||||
2.9.3
|
||||
|
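Review bot: Neither `talloc_asprintf` that builds `working_dir` in get_correct_cversion is checked for NULL, although `printdollar_path` two lines earlier is; on allocation failure a NULL `working_dir` is passed straight into `create_conn_struct_cwd`. The first allocation is also thrown away whenever `driver_directory` is set, so building the path once in an if/else followed by a single NULL check is both safer and shorter. `working_dir` now embeds `driver_directory` and `architecture`, which, judging by the caller in clean_up_driver_struct_level, originate from the client's driver-upload request; the hunk does not show where values containing `..` or path separators are rejected, so a comment naming the validating function, or a check here, would document that trust boundary. The comment typo `temorpary` should read `temporary`; get_correct_cversion begins and ends outside this hunk.
```c
	if (driver_directory != NULL) {
		/* Driver was uploaded into a temporary directory below the architecture dir. */
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
					      printdollar_path,
					      architecture,
					      driver_directory);
	} else {
		working_dir = talloc_asprintf(talloc_tos(), "%s/%s",
					      printdollar_path,
					      architecture);
	}
	if (working_dir == NULL) {
		*perr = WERR_NOT_ENOUGH_MEMORY;
		return -1;
	}
	/* … unchanged: create_conn_struct_cwd(..., working_dir, ...) … */
```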
@ -0,0 +1,211 @@ |
||||
From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 14 Mar 2017 16:12:20 +0100
|
||||
Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
|
||||
|
||||
The arguments get passed in the wrong order to read_target_host().
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
|
||||
---
|
||||
source3/modules/vfs_expand_msdfs.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
|
||||
index ffbfa333bad..e42d0098b32 100644
|
||||
--- a/source3/modules/vfs_expand_msdfs.c
|
||||
+++ b/source3/modules/vfs_expand_msdfs.c
|
||||
@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- targethost = read_target_host(
|
||||
- ctx, raddr, mapfilename);
|
||||
+ targethost = read_target_host(ctx, mapfilename, raddr);
|
||||
if (targethost == NULL) {
|
||||
DEBUG(1, ("Could not expand target host from file %s\n",
|
||||
mapfilename));
|
||||
--
|
||||
2.12.0
|
||||
|
||||
From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 21 Mar 2017 15:32:37 +0100
|
||||
Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
|
||||
get_referred_path()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
|
||||
|
||||
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
|
||||
---
|
||||
source3/modules/vfs_default.c | 2 ++
|
||||
source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
|
||||
source3/smbd/msdfs.c | 12 +++++++-----
|
||||
source3/smbd/proto.h | 12 +++++++-----
|
||||
4 files changed, 22 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
|
||||
index e0b6125f7d8..dcae861103d 100644
|
||||
--- a/source3/modules/vfs_default.c
|
||||
+++ b/source3/modules/vfs_default.c
|
||||
@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
|
||||
|
||||
/* The following call can change cwd. */
|
||||
status = get_referred_path(r, pathnamep,
|
||||
+ handle->conn->sconn->remote_address,
|
||||
+ handle->conn->sconn->local_address,
|
||||
!handle->conn->sconn->using_smb2,
|
||||
junction, &consumedcnt, &self_referral);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
|
||||
index ab2af53c0ba..0a4d6d31b7c 100644
|
||||
--- a/source3/rpc_server/dfs/srv_dfs_nt.c
|
||||
+++ b/source3/rpc_server/dfs/srv_dfs_nt.c
|
||||
@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
|
||||
|
||||
/* The following call can change the cwd. */
|
||||
status = get_referred_path(ctx, r->in.path,
|
||||
+ p->remote_address,
|
||||
+ p->local_address,
|
||||
true, /*allow_broken_path */
|
||||
jn, &consumedcnt, &self_ref);
|
||||
if(!NT_STATUS_IS_OK(status)) {
|
||||
@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
|
||||
}
|
||||
|
||||
status = get_referred_path(ctx, r->in.dfs_entry_path,
|
||||
+ p->remote_address,
|
||||
+ p->local_address,
|
||||
true, /*allow_broken_path */
|
||||
jn, &consumedcnt, &self_ref);
|
||||
if(!NT_STATUS_IS_OK(status)) {
|
||||
@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
|
||||
|
||||
/* The following call can change the cwd. */
|
||||
status = get_referred_path(ctx, r->in.dfs_entry_path,
|
||||
+ p->remote_address,
|
||||
+ p->local_address,
|
||||
true, /*allow_broken_path */
|
||||
jn, &consumedcnt, &self_ref);
|
||||
if(!NT_STATUS_IS_OK(status) ||
|
||||
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
|
||||
index 61538cec832..3cf82d3b430 100644
|
||||
--- a/source3/smbd/msdfs.c
|
||||
+++ b/source3/smbd/msdfs.c
|
||||
@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
|
||||
**********************************************************************/
|
||||
|
||||
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
|
||||
- const char *dfs_path,
|
||||
- bool allow_broken_path,
|
||||
- struct junction_map *jucn,
|
||||
- int *consumedcntp,
|
||||
- bool *self_referralp)
|
||||
+ const char *dfs_path,
|
||||
+ const struct tsocket_address *remote_address,
|
||||
+ const struct tsocket_address *local_address,
|
||||
+ bool allow_broken_path,
|
||||
+ struct junction_map *jucn,
|
||||
+ int *consumedcntp,
|
||||
+ bool *self_referralp)
|
||||
{
|
||||
struct connection_struct *conn;
|
||||
char *targetpath = NULL;
|
||||
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
|
||||
index c1b8201b472..e64457cf9e0 100644
|
||||
--- a/source3/smbd/proto.h
|
||||
+++ b/source3/smbd/proto.h
|
||||
@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
|
||||
SMB_STRUCT_STAT *sbufp);
|
||||
struct junction_map;
|
||||
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
|
||||
- const char *dfs_path,
|
||||
- bool allow_broken_path,
|
||||
- struct junction_map *jucn,
|
||||
- int *consumedcntp,
|
||||
- bool *self_referralp);
|
||||
+ const char *dfs_path,
|
||||
+ const struct tsocket_address *remote_address,
|
||||
+ const struct tsocket_address *local_address,
|
||||
+ bool allow_broken_path,
|
||||
+ struct junction_map *jucn,
|
||||
+ int *consumedcntp,
|
||||
+ bool *self_referralp);
|
||||
int setup_dfs_referral(connection_struct *orig_conn,
|
||||
const char *dfs_path,
|
||||
int max_referral_level,
|
||||
--
|
||||
2.13.0
|
||||
|
||||
|
||||
From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 21 Mar 2017 15:45:34 +0100
|
||||
Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
|
||||
connection
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
|
||||
|
||||
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Signed-off-by: Ralph Boehme <slow@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
|
||||
---
|
||||
source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
|
||||
index 3cf82d3b430..c25fb17cee8 100644
|
||||
--- a/source3/smbd/msdfs.c
|
||||
+++ b/source3/smbd/msdfs.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include "lib/param/loadparm.h"
|
||||
#include "libcli/security/security.h"
|
||||
#include "librpc/gen_ndr/ndr_dfsblobs.h"
|
||||
+#include "lib/tsocket/tsocket.h"
|
||||
|
||||
/**********************************************************************
|
||||
Parse a DFS pathname of the form \hostname\service\reqpath
|
||||
@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
|
||||
return status;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * TODO
|
||||
+ *
|
||||
+ * The remote and local address should be passed down to
|
||||
+ * create_conn_struct_cwd.
|
||||
+ */
|
||||
+ if (conn->sconn->remote_address == NULL) {
|
||||
+ conn->sconn->remote_address =
|
||||
+ tsocket_address_copy(remote_address, conn->sconn);
|
||||
+ if (conn->sconn->remote_address == NULL) {
|
||||
+ TALLOC_FREE(pdp);
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+ if (conn->sconn->local_address == NULL) {
|
||||
+ conn->sconn->local_address =
|
||||
+ tsocket_address_copy(local_address, conn->sconn);
|
||||
+ if (conn->sconn->local_address == NULL) {
|
||||
+ TALLOC_FREE(pdp);
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
/* If this is a DFS path dfs_lookup should return
|
||||
* NT_STATUS_PATH_NOT_COVERED. */
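Review bot: The two new blocks hand `remote_address` and `local_address` straight to tsocket_address_copy() without a NULL check, and the earlier part of get_referred_path() is not visible here, so whether a NULL argument is rejected before this point cannot be confirmed from the hunk; if callers may pass NULL, either guard the copy, `if (remote_address != NULL && conn->sconn->remote_address == NULL)`, or return `NT_STATUS_INVALID_PARAMETER` explicitly. The two blocks are identical apart from the field name and could share a small static helper. On the NO_MEMORY paths only `pdp` is freed; whether the `conn` created earlier in this function needs its own cleanup is not visible in the hunk, and the body of get_referred_path() starts and ends outside it.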
|
||||
|
||||
--
|
||||
2.13.0
|
||||
|
@ -0,0 +1,74 @@ |
||||
From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed, 9 Aug 2017 18:14:23 +0200
|
||||
Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
|
||||
(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
|
||||
---
|
||||
source3/libads/krb5_setpw.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
|
||||
index 630c2e46631..bc96ac603b1 100644
|
||||
--- a/source3/libads/krb5_setpw.c
|
||||
+++ b/source3/libads/krb5_setpw.c
|
||||
@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
|
||||
ret = krb5_set_password(context,
|
||||
&creds,
|
||||
discard_const_p(char, newpw),
|
||||
- princ,
|
||||
+ NULL,
|
||||
&result_code,
|
||||
&result_code_string,
|
||||
&result_string);
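Review bot: Passing `NULL` as the change_password_for argument is what makes krb5_set_password() change the password of the principal the credentials belong to, but nothing in the hunk records that; a comment on the changed line such as `NULL, /* change the password of the principal in creds */` would keep the next reader from "fixing" it back to `princ`. If `princ` has no remaining use in ads_krb5_chg_password() after this change it becomes a dead local and should be dropped; the rest of the function lies outside the hunk.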
|
||||
--
|
||||
2.14.0
|
||||
|
||||
|
||||
From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed, 9 Aug 2017 12:14:34 +0200
|
||||
Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
|
||||
|
||||
BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
|
||||
---
|
||||
testprogs/blackbox/test_net_ads.sh | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
|
||||
index 99b886f53eb..bbd99b676bd 100755
|
||||
--- a/testprogs/blackbox/test_net_ads.sh
|
||||
+++ b/testprogs/blackbox/test_net_ads.sh
|
||||
@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
|
||||
|
||||
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
|
||||
|
||||
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
|
||||
+
|
||||
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
|
||||
# Test with kerberos method = secrets and keytab
|
||||
@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
|
||||
|
||||
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
|
||||
|
||||
+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
|
||||
+
|
||||
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
|
||||
rm -f $dedicated_keytab_file
|
||||
|
||||
--
|
||||
2.14.0
|
||||
|
@ -0,0 +1,194 @@ |
||||
From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
|
||||
From: Volker Lendecke <vl@samba.org>
|
||||
Date: Fri, 17 Mar 2017 13:52:57 +0100
|
||||
Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
|
||||
information
|
||||
|
||||
This fixes the substitution for 'template homedir'.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
|
||||
|
||||
Signed-off-by: Volker Lendecke <vl@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
|
||||
Autobuild-User(master): Volker Lendecke <vl@samba.org>
|
||||
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
|
||||
---
|
||||
source3/winbindd/wb_queryuser.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
|
||||
index be4d3d3e665..69b4c8dad5a 100644
|
||||
--- a/source3/winbindd/wb_queryuser.c
|
||||
+++ b/source3/winbindd/wb_queryuser.c
|
||||
@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
|
||||
NTSTATUS status;
|
||||
const char *domain_name;
|
||||
|
||||
- status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
|
||||
+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
|
||||
&state->info->primary_group_name);
|
||||
TALLOC_FREE(subreq);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed, 15 Mar 2017 12:37:08 +0100
|
||||
Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
|
||||
---
|
||||
selftest/target/Samba3.pm | 19 ++++++++++++++++++-
|
||||
source3/script/tests/test_substitutions.sh | 9 +++++++--
|
||||
2 files changed, 25 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index f5b2c510224..1e053f12297 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -394,16 +394,33 @@ sub setup_admember($$$$)
|
||||
$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
|
||||
push(@dirs, $substitution_path);
|
||||
|
||||
+ # Using '/' as the winbind separator is a bad idea ...
|
||||
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
|
||||
+ push(@dirs, $substitution_path);
|
||||
+
|
||||
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
|
||||
+ push(@dirs, $substitution_path);
|
||||
+
|
||||
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
|
||||
+ push(@dirs, $substitution_path);
|
||||
+
|
||||
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
|
||||
+ push(@dirs, $substitution_path);
|
||||
+
|
||||
my $member_options = "
|
||||
security = ads
|
||||
workgroup = $dcvars->{DOMAIN}
|
||||
realm = $dcvars->{REALM}
|
||||
netbios aliases = foo bar
|
||||
|
||||
-[subDUG]
|
||||
+[sub_dug]
|
||||
path = $share_dir/D_%D/U_%U/G_%G
|
||||
writeable = yes
|
||||
|
||||
+[sub_dug2]
|
||||
+ path = $share_dir/D_%D/u_%u/g_%g
|
||||
+ writeable = yes
|
||||
+
|
||||
";
|
||||
|
||||
my $ret = $self->provision($prefix,
|
||||
diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
|
||||
index 0852ad969f0..1a46f11c85d 100755
|
||||
--- a/source3/script/tests/test_substitutions.sh
|
||||
+++ b/source3/script/tests/test_substitutions.sh
|
||||
@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
|
||||
. $samba_srcdir/testprogs/blackbox/subunit.sh
|
||||
. $samba_srcdir/testprogs/blackbox/common_test_fns.inc
|
||||
|
||||
-SMB_UNC="//$SERVER/subDUG"
|
||||
+SMB_UNC="//$SERVER/sub_dug"
|
||||
|
||||
-test_smbclient "Test login to share with substitution" \
|
||||
+test_smbclient "Test login to share with substitution (DUG)" \
|
||||
+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
|
||||
+
|
||||
+SMB_UNC="//$SERVER/sub_dug2"
|
||||
+
|
||||
+test_smbclient "Test login to share with substitution (Dug)" \
|
||||
"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
|
||||
|
||||
exit $failed
|
||||
--
|
||||
2.12.0
|
||||
|
||||
|
||||
From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 17 Mar 2017 10:04:19 +0100
|
||||
Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
|
||||
|
||||
With this set, the samba3.local.nss test for ad_member will ensure that
|
||||
we correctly substitute those smb.conf options.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
||||
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
|
||||
---
|
||||
nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
|
||||
selftest/target/Samba3.pm | 1 +
|
||||
2 files changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
|
||||
index cfe582df068..f9c040e5f43 100755
|
||||
--- a/nsswitch/tests/test_wbinfo.sh
|
||||
+++ b/nsswitch/tests/test_wbinfo.sh
|
||||
@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
|
||||
# The full name (GECOS) is based on name (the RDN, in this case CN)
|
||||
# and displayName in winbindd_ads, and is based only on displayName in
|
||||
# winbindd_msrpc and winbindd_rpc. Allow both versions.
|
||||
-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
|
||||
-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
|
||||
+if test "$TARGET" = "ad_member"; then
|
||||
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
|
||||
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
|
||||
+else
|
||||
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
|
||||
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
|
||||
+fi
|
||||
|
||||
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
|
||||
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
|
||||
subunit_pass_test "$test_name"
|
||||
else
|
||||
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
|
||||
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
|
||||
failed=`expr $failed + 1`
|
||||
fi
|
||||
|
||||
@@ -227,10 +232,10 @@ fi
|
||||
|
||||
test_name="confirm output of wbinfo --uid-info against $TARGET"
|
||||
subunit_start_test "$test_name"
|
||||
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
|
||||
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
|
||||
subunit_pass_test "$test_name"
|
||||
else
|
||||
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
|
||||
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
|
||||
failed=`expr $failed + 1`
|
||||
fi
|
||||
|
||||
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||
index 1e053f12297..cb4970828a5 100755
|
||||
--- a/selftest/target/Samba3.pm
|
||||
+++ b/selftest/target/Samba3.pm
|
||||
@@ -412,6 +412,7 @@ sub setup_admember($$$$)
|
||||
workgroup = $dcvars->{DOMAIN}
|
||||
realm = $dcvars->{REALM}
|
||||
netbios aliases = foo bar
|
||||
+ template homedir = /home/%D/%G/%U
|
||||
|
||||
[sub_dug]
|
||||
path = $share_dir/D_%D/U_%U/G_%G
|
||||
--
|
||||
2.12.0
|
||||
|
@ -0,0 +1,339 @@ |
||||
From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Wed, 15 Mar 2017 17:04:30 +0000
|
||||
Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
|
||||
smb_bytes_pull_str()
|
||||
|
||||
This function needs to get the whole smb buffer in order to get
|
||||
the alignment for unicode correct.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
|
||||
---
|
||||
libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
|
||||
libcli/smb/smb_util.h | 3 ++-
|
||||
libcli/smb/util.c | 47 +++++++++++++++++++++++++++++---------------
|
||||
3 files changed, 47 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
|
||||
index 9d92aa6aed4..11614df0ae4 100644
|
||||
--- a/libcli/smb/smb1cli_session.c
|
||||
+++ b/libcli/smb/smb1cli_session.c
|
||||
@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
|
||||
p = bytes;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_os,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
p += ret;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_lm,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
|
||||
p = bytes;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_os,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
p += ret;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_lm,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
p += ret;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_primary_domain,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
|
||||
p += out_security_blob_length;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_os,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
p += ret;
|
||||
|
||||
status = smb_bytes_pull_str(state, &state->out_native_lm,
|
||||
- use_unicode, p,
|
||||
- bytes+num_bytes-p, &ret);
|
||||
+ use_unicode, bytes, num_bytes,
|
||||
+ p, &ret);
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
|
||||
index 7e6f0a4ebc4..2884786339d 100644
|
||||
--- a/libcli/smb/smb_util.h
|
||||
+++ b/libcli/smb/smb_util.h
|
||||
@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
|
||||
const uint8_t *bytes, size_t num_bytes);
|
||||
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
|
||||
const uint8_t *buf, size_t buf_len,
|
||||
- size_t *pbuf_consumed);
|
||||
+ const uint8_t *position,
|
||||
+ size_t *_consumed);
|
||||
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
|
||||
index ef8c9fafa35..7ef909c6077 100644
|
||||
--- a/libcli/smb/util.c
|
||||
+++ b/libcli/smb/util.c
|
||||
@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
|
||||
static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
|
||||
bool ucs2, bool align_odd,
|
||||
const uint8_t *buf, size_t buf_len,
|
||||
- size_t *pbuf_consumed)
|
||||
+ const uint8_t *position,
|
||||
+ size_t *p_consumed)
|
||||
{
|
||||
size_t pad = 0;
|
||||
+ size_t offset;
|
||||
char *str = NULL;
|
||||
size_t str_len = 0;
|
||||
bool ok;
|
||||
|
||||
*_str = NULL;
|
||||
- if (pbuf_consumed != NULL) {
|
||||
- *pbuf_consumed = 0;
|
||||
+ if (p_consumed != NULL) {
|
||||
+ *p_consumed = 0;
|
||||
+ }
|
||||
+
|
||||
+ if (position < buf) {
|
||||
+ return NT_STATUS_INTERNAL_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ offset = PTR_DIFF(position, buf);
|
||||
+ if (offset > buf_len) {
|
||||
+ return NT_STATUS_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
if (ucs2 &&
|
||||
- ((align_odd && (buf_len % 2 == 0)) ||
|
||||
- (!align_odd && (buf_len % 2 == 1)))) {
|
||||
- if (buf_len < 1) {
|
||||
- return NT_STATUS_BUFFER_TOO_SMALL;
|
||||
- }
|
||||
- pad = 1;
|
||||
- buf_len -= pad;
|
||||
- buf += pad;
|
||||
+ ((align_odd && (offset % 2 == 0)) ||
|
||||
+ (!align_odd && (offset % 2 == 1)))) {
|
||||
+ pad += 1;
|
||||
+ offset += 1;
|
||||
+ }
|
||||
+
|
||||
+ if (offset > buf_len) {
|
||||
+ return NT_STATUS_BUFFER_TOO_SMALL;
|
||||
}
|
||||
|
||||
+ buf_len -= offset;
|
||||
+ buf += offset;
|
||||
+
|
||||
if (ucs2) {
|
||||
buf_len = utf16_len_n(buf, buf_len);
|
||||
} else {
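Review bot: The contract of the new `position` parameter — it must point into `[buf, buf + buf_len]`, and the value stored through `p_consumed` counts from `position` (pad plus string bytes), not from `buf` — is documented neither here nor on the smb_util.h prototype further up the page; a short comment on the prototype would make the caller pattern `p += ret` in smb1cli_session.c self-explanatory. The `position < buf` comparison is only meaningful when both pointers address the same buffer, which that comment should state as a precondition. The two `offset > buf_len` checks deliberately allow `offset == buf_len`, leaving a zero-length tail that the decoding below has to tolerate; that decoding continues past the hunk.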
|
||||
@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
|
||||
return map_nt_error_from_unix_common(errno);
|
||||
}
|
||||
|
||||
- if (pbuf_consumed != NULL) {
|
||||
- *pbuf_consumed = buf_len + pad;
|
||||
+ if (p_consumed != NULL) {
|
||||
+ *p_consumed = buf_len + pad;
|
||||
}
|
||||
*_str = str;
|
||||
- return NT_STATUS_OK;;
|
||||
+ return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
|
||||
const uint8_t *buf, size_t buf_len,
|
||||
- size_t *_buf_consumed)
|
||||
+ const uint8_t *position,
|
||||
+ size_t *_consumed)
|
||||
{
|
||||
return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
|
||||
- buf, buf_len, _buf_consumed);
|
||||
+ buf, buf_len, position, _consumed);
|
||||
}
|
||||
--
|
||||
2.13.1
|
||||
|
||||
|
||||
From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Wed, 15 Mar 2017 17:04:44 +0000
|
||||
Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
|
||||
function
|
||||
|
||||
This function updates cli->server_{os,type,domain} to valid values
|
||||
after a session setup.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
|
||||
---
|
||||
source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
|
||||
1 file changed, 52 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
||||
index a2362ceb863..ef03da17eec 100644
|
||||
--- a/source3/libsmb/cliconnect.c
|
||||
+++ b/source3/libsmb/cliconnect.c
|
||||
@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
|
||||
+ const char *native_os,
|
||||
+ const char *native_lm,
|
||||
+ const char *primary_domain)
|
||||
+{
|
||||
+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
|
||||
+
|
||||
+ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
|
||||
+ cli->server_os = talloc_strdup(cli, native_os);
|
||||
+ if (cli->server_os == NULL) {
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
|
||||
+ cli->server_type = talloc_strdup(cli, native_lm);
|
||||
+ if (cli->server_type == NULL) {
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
|
||||
+ cli->server_domain = talloc_strdup(cli, primary_domain);
|
||||
+ if (cli->server_domain == NULL) {
|
||||
+ return NT_STATUS_NO_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+#undef _VALID_STRING
|
||||
+ return NT_STATUS_OK;
|
||||
+}
|
||||
+
|
||||
/********************************************************
|
||||
Utility function to ensure we always return at least
|
||||
a valid char * pointer to an empty string for the
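Review bot: The macro is defined as `_VALID_STR` but undefined as `_VALID_STRING`, so the `#undef` is a no-op and `_VALID_STR` stays defined for the rest of cliconnect.c; change it to `#undef _VALID_STR`. The name also begins with an underscore followed by an uppercase letter, which is reserved for the implementation, so a `static bool valid_str(const char *p)` helper would avoid both problems. The callers further down the page now keep `state->out_*` alive under `state` while the previous code moved them to `cli`; that looks intended since the helper strdup's them, but a one-line comment saying the helper never overwrites an already-set non-empty value would document the "first answer wins" behaviour.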
|
||||
@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
|
||||
subreq, struct tevent_req);
|
||||
struct cli_sesssetup_blob_state *state = tevent_req_data(
|
||||
req, struct cli_sesssetup_blob_state);
|
||||
- struct cli_state *cli = state->cli;
|
||||
NTSTATUS status;
|
||||
|
||||
if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
|
||||
@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (cli->server_os == NULL) {
|
||||
- cli->server_os = talloc_move(cli, &state->out_native_os);
|
||||
- }
|
||||
- if (cli->server_type == NULL) {
|
||||
- cli->server_type = talloc_move(cli, &state->out_native_lm);
|
||||
- }
|
||||
-
|
||||
state->status = status;
|
||||
|
||||
+ status = cli_state_update_after_sesssetup(state->cli,
|
||||
+ state->out_native_os,
|
||||
+ state->out_native_lm,
|
||||
+ NULL);
|
||||
+ if (tevent_req_nterror(req, status)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (state->blob.length != 0) {
|
||||
/*
|
||||
* More to send
|
||||
@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (cli->server_os == NULL) {
|
||||
- cli->server_os = talloc_move(cli, &state->out_native_os);
|
||||
- }
|
||||
- if (cli->server_type == NULL) {
|
||||
- cli->server_type = talloc_move(cli, &state->out_native_lm);
|
||||
- }
|
||||
- if (cli->server_domain == NULL) {
|
||||
- cli->server_domain = talloc_move(cli, &state->out_primary_domain);
|
||||
+ status = cli_state_update_after_sesssetup(state->cli,
|
||||
+ state->out_native_os,
|
||||
+ state->out_native_lm,
|
||||
+ state->out_primary_domain);
|
||||
+ if (tevent_req_nterror(req, status)) {
|
||||
+ return;
|
||||
}
|
||||
|
||||
ok = smb1cli_conn_activate_signing(cli->conn,
|
||||
@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
|
||||
subreq, struct tevent_req);
|
||||
struct cli_session_setup_creds_state *state = tevent_req_data(
|
||||
req, struct cli_session_setup_creds_state);
|
||||
- struct cli_state *cli = state->cli;
|
||||
NTSTATUS status;
|
||||
|
||||
status = smb1cli_session_setup_lm21_recv(subreq, state,
|
||||
@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (cli->server_os == NULL) {
|
||||
- cli->server_os = talloc_move(cli, &state->out_native_os);
|
||||
- }
|
||||
- if (cli->server_type == NULL) {
|
||||
- cli->server_type = talloc_move(cli, &state->out_native_lm);
|
||||
+ status = cli_state_update_after_sesssetup(state->cli,
|
||||
+ state->out_native_os,
|
||||
+ state->out_native_lm,
|
||||
+ NULL);
|
||||
+ if (tevent_req_nterror(req, status)) {
|
||||
+ return;
|
||||
}
|
||||
|
||||
tevent_req_done(req);
|
||||
--
|
||||
2.13.1
|
||||
|
@ -0,0 +1,162 @@ |
||||
From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 19 Jun 2017 14:50:33 +0200
|
||||
Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
|
||||
popt_common_credentials_post()
|
||||
|
||||
When we parse the username in the options handling, the smb.conf file
|
||||
has not been loaded yet. So we are not aware of a 'winbind separator'
|
||||
set in the config file.
|
||||
|
||||
We need to read and set the username again in the post-processing of the
|
||||
credentials.
|
||||
|
||||
https://bugzilla.samba.org/show_bug.cgi?id=12849
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
|
||||
---
|
||||
source3/lib/popt_common.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
|
||||
index 3589a4fbd2b..9928c708e89 100644
|
||||
--- a/source3/lib/popt_common.c
|
||||
+++ b/source3/lib/popt_common.c
|
||||
@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
|
||||
void popt_common_credentials_post(void)
|
||||
{
|
||||
struct user_auth_info *auth_info = cmdline_auth_info;
|
||||
+ const char *username = NULL;
|
||||
|
||||
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
|
||||
!set_cmdline_auth_info_machine_account_creds(auth_info))
|
||||
@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
|
||||
}
|
||||
|
||||
set_cmdline_auth_info_getpass(auth_info);
|
||||
+
|
||||
+ /*
|
||||
+ * When we set the username during the handling of the options passed to
|
||||
+ * the binary we haven't loaded the config yet. This means that we
|
||||
+ * didnn't take the 'winbind separator' into account.
|
||||
+ *
|
||||
+ * The username might contain the domain name and thus it hasn't been
|
||||
+ * correctly parsed yet. If we have a username we need to set it again
|
||||
+ * to run the string parser for the username correctly.
|
||||
+ */
|
||||
+ username = get_cmdline_auth_info_username(auth_info);
|
||||
+ if (username != NULL && username[0] != '\0') {
|
||||
+ set_cmdline_auth_info_username(auth_info, username);
|
||||
+ }
|
||||
}
|
||||
|
||||
static void popt_common_credentials_callback(poptContext con,
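Review bot: set_cmdline_auth_info_username() is fed whatever get_cmdline_auth_info_username() returns, so if that getter can yield a default or guessed username rather than one given with -U, this post-processing step promotes a guessed name into an explicitly specified one, which later credential handling may treat differently; if so, the re-parse should be limited to a username that was actually supplied on the command line, or go through a dedicated reset helper. The new comment also has a typo, `didnn't`. popt_common_credentials_post() continues outside the hunk.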
|
||||
--
|
||||
2.13.1
|
||||
|
||||
|
||||
From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 19 Jun 2017 15:52:23 +0200
|
||||
Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
|
||||
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||
Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
|
||||
---
|
||||
source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
|
||||
source3/selftest/tests.py | 1 +
|
||||
2 files changed, 63 insertions(+)
|
||||
create mode 100755 source3/script/tests/test_smbclient_basic.sh
|
||||
|
||||
diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
|
||||
new file mode 100755
|
||||
index 00000000000..90e579b68e9
|
||||
--- /dev/null
|
||||
+++ b/source3/script/tests/test_smbclient_basic.sh
|
||||
@@ -0,0 +1,62 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# this runs the file serving tests that are expected to pass with samba3 against shares with various options
|
||||
+
|
||||
+if [ $# -lt 5 ]; then
|
||||
+cat <<EOF
|
||||
+Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
|
||||
+EOF
|
||||
+exit 1;
|
||||
+fi
|
||||
+
|
||||
+SERVER="$1"
|
||||
+SERVER_IP="$2"
|
||||
+USERNAME="$3"
|
||||
+PASSWORD="$4"
|
||||
+smbclient="$5"
|
||||
+CONFIGURATION="$6"
|
||||
+shift 6
|
||||
+ADDARGS="$@"
|
||||
+
|
||||
+incdir=`dirname $0`/../../../testprogs/blackbox
|
||||
+. $incdir/subunit.sh
|
||||
+
|
||||
+test_smbclient() {
|
||||
+ name="$1"
|
||||
+ cmd="$2"
|
||||
+ shift
|
||||
+ shift
|
||||
+ echo "test: $name"
|
||||
+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
|
||||
+ status=$?
|
||||
+ if [ x$status = x0 ]; then
|
||||
+ echo "success: $name"
|
||||
+ else
|
||||
+ echo "failure: $name"
|
||||
+ fi
|
||||
+ return $status
|
||||
+}
|
||||
+
|
||||
+# TEST using \ as the separator (default)
|
||||
+test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
|
||||
+# TEST using / as the separator (default)
|
||||
+test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
|
||||
+
|
||||
+# TEST using 'winbind separator = +'
|
||||
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
|
||||
+
|
||||
+# TEST using 'winbind separator = +' set in a config file
|
||||
+smbclient_config="$PREFIX/tmpsmbconf"
|
||||
+cat > $smbclient_config <<EOF
|
||||
+[global]
|
||||
+ include = $(echo $CONFIGURATION | cut -d= -f2)
|
||||
+ winbind separator = +
|
||||
+EOF
|
||||
+
|
||||
+SAVE_CONFIGURATION="$CONFIGURATION"
|
||||
+CONFIGURATION="--configfile=$smbclient_config"
|
||||
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
|
||||
+CONFIGURATION="$SAVE_CONFIGURATION"
|
||||
+rm -rf $smbclient_config
|
||||
+
|
||||
+exit $failed
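Review bot: `$DOMAIN` is used in every test_smbclient invocation but never assigned in the script: the usage text lists DOMAIN as the third argument, yet `$3` is mapped to USERNAME and `$4` to PASSWORD, and the tests.py line further down passes only SERVER, SERVER_IP, DC_USERNAME and DC_PASSWORD, so the `-U$DOMAIN\\$USERNAME` arguments depend on DOMAIN leaking in from the environment. Either add `DOMAIN="$3"` and renumber the following assignments (passing `'$DOMAIN'` from tests.py), or drop DOMAIN from the usage text and document the environment dependency. The guard `[ $# -lt 5 ]` also disagrees with the `shift 6` that follows. `failed` is not initialised before the first `expr $failed + 1` unless subunit.sh does that, and `rm -rf` on a single config file should be `rm -f`.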
|
||||
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
||||
index dfe7866b283..d3cb071b903 100755
|
||||
--- a/source3/selftest/tests.py
|
||||
+++ b/source3/selftest/tests.py
|
||||
@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
|
||||
plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
|
||||
plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
|
||||
|
||||
+plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
|
||||
for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
|
||||
env = "nt4_dc"
|
||||
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
|
||||
--
|
||||
2.13.1
|
||||
|
@ -0,0 +1,227 @@ |
||||
From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 21 Mar 2017 09:57:30 +0100
|
||||
Subject: [PATCH 1/2] s3:libads: Remove obsolete
|
||||
smb_krb5_get_ntstatus_from_init_creds()
|
||||
|
||||
There is no way we can get a better error code out of this. The original
|
||||
function called was krb5_get_init_creds_opt_get_error() which has been
|
||||
deprecated in 2008.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Uri Simchoni <uri@samba.org>
|
||||
(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
|
||||
---
|
||||
source3/libads/kerberos.c | 169 ----------------------------------------------
|
||||
1 file changed, 169 deletions(-)
|
||||
|
||||
Index: samba-4.6.2/source3/libads/kerberos.c
|
||||
===================================================================
|
||||
--- samba-4.6.2.orig/source3/libads/kerberos.c
|
||||
+++ samba-4.6.2/source3/libads/kerberos.c
|
||||
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
|
||||
- DATA_BLOB *edata,
|
||||
- DATA_BLOB *edata_out)
|
||||
-{
|
||||
- DATA_BLOB edata_contents;
|
||||
- ASN1_DATA *data;
|
||||
- int edata_type;
|
||||
-
|
||||
- if (!edata->length) {
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
- data = asn1_init(mem_ctx);
|
||||
- if (data == NULL) {
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
- if (!asn1_load(data, *edata)) goto err;
|
||||
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
|
||||
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
|
||||
- if (!asn1_read_Integer(data, &edata_type)) goto err;
|
||||
-
|
||||
- if (edata_type != KRB5_PADATA_PW_SALT) {
|
||||
- DEBUG(0,("edata is not of required type %d but of type %d\n",
|
||||
- KRB5_PADATA_PW_SALT, edata_type));
|
||||
- goto err;
|
||||
- }
|
||||
-
|
||||
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
|
||||
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
|
||||
- if (!asn1_end_tag(data)) goto err;
|
||||
- if (!asn1_end_tag(data)) goto err;
|
||||
- if (!asn1_end_tag(data)) goto err;
|
||||
- asn1_free(data);
|
||||
-
|
||||
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
|
||||
-
|
||||
- data_blob_free(&edata_contents);
|
||||
-
|
||||
- return true;
|
||||
-
|
||||
- err:
|
||||
-
|
||||
- asn1_free(data);
|
||||
- return false;
|
||||
-}
|
||||
-
|
||||
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
|
||||
- NTSTATUS *nt_status)
|
||||
-{
|
||||
- DATA_BLOB edata;
|
||||
- DATA_BLOB unwrapped_edata;
|
||||
- TALLOC_CTX *mem_ctx;
|
||||
- struct KRB5_EDATA_NTSTATUS parsed_edata;
|
||||
- enum ndr_err_code ndr_err;
|
||||
-
|
||||
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
|
||||
- edata = data_blob(error->e_data->data, error->e_data->length);
|
||||
-#else
|
||||
- edata = data_blob(error->e_data.data, error->e_data.length);
|
||||
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
|
||||
-
|
||||
-#ifdef DEVELOPER
|
||||
- dump_data(10, edata.data, edata.length);
|
||||
-#endif /* DEVELOPER */
|
||||
-
|
||||
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
|
||||
- if (mem_ctx == NULL) {
|
||||
- data_blob_free(&edata);
|
||||
- return False;
|
||||
- }
|
||||
-
|
||||
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
|
||||
- data_blob_free(&edata);
|
||||
- TALLOC_FREE(mem_ctx);
|
||||
- return False;
|
||||
- }
|
||||
-
|
||||
- data_blob_free(&edata);
|
||||
-
|
||||
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
|
||||
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
|
||||
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
- data_blob_free(&unwrapped_edata);
|
||||
- TALLOC_FREE(mem_ctx);
|
||||
- return False;
|
||||
- }
|
||||
-
|
||||
- data_blob_free(&unwrapped_edata);
|
||||
-
|
||||
- if (nt_status) {
|
||||
- *nt_status = parsed_edata.ntstatus;
|
||||
- }
|
||||
-
|
||||
- TALLOC_FREE(mem_ctx);
|
||||
-
|
||||
- return True;
|
||||
-}
|
||||
-
|
||||
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
|
||||
- krb5_principal client,
|
||||
- krb5_get_init_creds_opt *opt,
|
||||
- NTSTATUS *nt_status)
|
||||
-{
|
||||
- krb5_init_creds_context icc;
|
||||
- krb5_error_code code;
|
||||
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
|
||||
- /* HEIMDAL */
|
||||
- krb5_error error;
|
||||
-#else
|
||||
- krb5_error *error = NULL;
|
||||
-#endif
|
||||
- bool ok;
|
||||
-
|
||||
- code = krb5_init_creds_init(ctx,
|
||||
- client,
|
||||
- NULL,
|
||||
- NULL,
|
||||
- 0,
|
||||
- opt,
|
||||
- &icc);
|
||||
- if (code != 0) {
|
||||
- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
|
||||
- error_message(code));
|
||||
- return false;
|
||||
- }
|
||||
-
|
||||
- code = krb5_init_creds_get_error(ctx,
|
||||
- icc,
|
||||
- &error);
|
||||
- if (code != 0) {
|
||||
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
|
||||
- error_message(code));
|
||||
- return false;
|
||||
- }
|
||||
- krb5_init_creds_free(ctx, icc);
|
||||
-
|
||||
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
|
||||
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
|
||||
-
|
||||
- krb5_free_error_contents(ctx, &error);
|
||||
-#else
|
||||
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
|
||||
-
|
||||
- krb5_free_error(ctx, error);
|
||||
-#endif
|
||||
-
|
||||
- return ok;
|
||||
-}
|
||||
-
|
||||
/*
|
||||
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
|
||||
place in default cache location.
|
||||
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
|
||||
}
|
||||
out:
|
||||
if (ntstatus) {
|
||||
-
|
||||
- NTSTATUS status;
|
||||
-
|
||||
/* fast path */
|
||||
if (code == 0) {
|
||||
*ntstatus = NT_STATUS_OK;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
- /* try to get ntstatus code out of krb5_error when we have it
|
||||
- * inside the krb5_get_init_creds_opt - gd */
|
||||
-
|
||||
- if (opt != NULL) {
|
||||
- bool ok;
|
||||
-
|
||||
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
|
||||
- me,
|
||||
- opt,
|
||||
- &status);
|
||||
- if (ok) {
|
||||
- *ntstatus = status;
|
||||
- goto cleanup;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
/* fall back to self-made-mapping */
|
||||
*ntstatus = krb5_to_nt_status(code);
|
||||
}
|
||||
Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
|
||||
===================================================================
|
||||
--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
|
||||
+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
|
||||
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
|
||||
|
||||
testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
|
||||
|
||||
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
|
||||
+
|
||||
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
|
||||
+
|
||||
rm -f $KRB5CCNAME_PATH
|
||||
|
||||
exit $failed
|
@ -0,0 +1,76 @@ |
||||
From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 20 Jun 2017 10:27:07 +0200
|
||||
Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Volker Lendecke <vl@samba.org>
|
||||
---
|
||||
source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
|
||||
1 file changed, 31 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
|
||||
index 8c764f77b08..b0bf6784ba6 100644
|
||||
--- a/source3/winbindd/wb_getpwsid.c
|
||||
+++ b/source3/winbindd/wb_getpwsid.c
|
||||
@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
|
||||
req, struct wb_getpwsid_state);
|
||||
struct winbindd_pw *pw = state->pw;
|
||||
struct wbint_userinfo *info;
|
||||
+ struct winbindd_domain *domain = NULL;
|
||||
fstring acct_name, output_username;
|
||||
+ char *mapped_name = NULL;
|
||||
char *tmp;
|
||||
NTSTATUS status;
|
||||
|
||||
@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
|
||||
return;
|
||||
}
|
||||
|
||||
- fill_domain_username(output_username, info->domain_name,
|
||||
- acct_name, true);
|
||||
+ domain = find_domain_from_name_noinit(info->domain_name);
|
||||
+ if (tevent_req_nomem(domain, req)) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * TODO:
|
||||
+ * This function should be called in 'idmap winbind child'. It shouldn't
|
||||
+ * be a blocking call, but for this we need to add a new function for
|
||||
+ * winbind.idl. This is a fix which can be backported for now.
|
||||
+ */
|
||||
+ status = normalize_name_map(state,
|
||||
+ domain,
|
||||
+ acct_name,
|
||||
+ &mapped_name);
|
||||
+ if (NT_STATUS_IS_OK(status)) {
|
||||
+ fill_domain_username(output_username,
|
||||
+ info->domain_name,
|
||||
+ mapped_name, true);
|
||||
+ fstrcpy(acct_name, mapped_name);
|
||||
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
|
||||
+ fstrcpy(acct_name, mapped_name);
|
||||
+ } else {
|
||||
+ fill_domain_username(output_username,
|
||||
+ info->domain_name,
|
||||
+ acct_name, true);
|
||||
+ }
|
||||
+
|
||||
strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
|
||||
|
||||
strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
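Review bot: In the NT_STATUS_FILE_RENAMED branch only acct_name is updated, so output_username is never filled before `strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));` two lines below; unless it was populated earlier in wb_getpwsid_queryuser_done (the function starts before this hunk), pw_name is copied from an uninitialized fstring on that path. Adding `fill_domain_username(output_username, info->domain_name, mapped_name, true);` to that branch, or keeping a single fill_domain_username() call after the if/else that always runs on the final acct_name, closes it. A second, smaller point: `tevent_req_nomem(domain, req)` turns a failed find_domain_from_name_noinit() lookup into NT_STATUS_NO_MEMORY, which misreports an unknown domain name as an allocation failure and also fails a request that the removed code completed with the unmapped name; either report it as `tevent_req_nterror(req, NT_STATUS_NO_SUCH_DOMAIN)` or fall through to the unmapped fill_domain_username() path when domain is NULL.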
|
||||
@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
|
||||
TALLOC_FREE(tmp);
|
||||
|
||||
tmp = talloc_sub_specified(
|
||||
- state, info->shell, info->acct_name,
|
||||
+ state, info->shell, acct_name,
|
||||
info->primary_group_name, info->domain_name,
|
||||
pw->pw_uid, pw->pw_gid);
|
||||
if (tevent_req_nomem(tmp, req)) {
|
||||
--
|
||||
2.13.1
|
||||
|
@ -0,0 +1,54 @@ |
||||
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
|
||||
Author: Andreas Schneider <asn@samba.org>
|
||||
Date: Wed Dec 21 22:17:22 2016 +0100
|
||||
|
||||
auth/credentials: Always set the the realm if we set the principal from the ccache
|
||||
|
||||
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
|
||||
is used to get a Kerberos ticket.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
|
||||
|
||||
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
|
||||
index 0e68012..1912c48 100644
|
||||
--- a/auth/credentials/credentials_krb5.c
|
||||
+++ b/auth/credentials/credentials_krb5.c
|
||||
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
|
||||
enum credentials_obtained obtained,
|
||||
const char **error_string)
|
||||
{
|
||||
-
|
||||
+ bool ok;
|
||||
+ char *realm;
|
||||
krb5_principal princ;
|
||||
krb5_error_code ret;
|
||||
char *name;
|
||||
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- cli_credentials_set_principal(cred, name, obtained);
|
||||
-
|
||||
+ ok = cli_credentials_set_principal(cred, name, obtained);
|
||||
+ if (!ok) {
|
||||
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
free(name);
|
||||
|
||||
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
|
||||
+ princ);
|
||||
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
|
||||
+ if (realm == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ ok = cli_credentials_set_realm(cred, realm, obtained);
|
||||
+ SAFE_FREE(realm);
|
||||
+ if (!ok) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
|
||||
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
|
||||
cred->ccache_obtained = obtained;
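Review bot: The new `if (!ok)` return after cli_credentials_set_principal() leaks `name`: the `free(name);` that follows it is skipped on that path, while every other exit in this hunk releases what it holds. Adding `free(name);` before `return ENOMEM;` in that block keeps the error path leak-free. cli_credentials_set_from_ccache continues past the end of the hunk.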
|
@ -0,0 +1,391 @@ |
||||
From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 18 Aug 2017 16:08:46 +0200
|
||||
Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
|
||||
---
|
||||
source3/include/proto.h | 3 ++-
|
||||
source3/libsmb/passchange.c | 5 +++--
|
||||
source3/utils/smbpasswd.c | 3 ++-
|
||||
3 files changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
||||
index baa579995a5..9deb27b416b 100644
|
||||
--- a/source3/include/proto.h
|
||||
+++ b/source3/include/proto.h
|
||||
@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
|
||||
|
||||
/* The following definitions come from libsmb/passchange.c */
|
||||
|
||||
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
|
||||
+NTSTATUS remote_password_change(const char *remote_machine,
|
||||
+ const char *domain, const char *user_name,
|
||||
const char *old_passwd, const char *new_passwd,
|
||||
char **err_str);
|
||||
|
||||
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
|
||||
index c89b7ca85d1..48ffba8036f 100644
|
||||
--- a/source3/libsmb/passchange.c
|
||||
+++ b/source3/libsmb/passchange.c
|
||||
@@ -30,7 +30,8 @@
|
||||
Change a password on a remote machine using IPC calls.
|
||||
*************************************************************/
|
||||
|
||||
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
|
||||
+NTSTATUS remote_password_change(const char *remote_machine,
|
||||
+ const char *domain, const char *user_name,
|
||||
const char *old_passwd, const char *new_passwd,
|
||||
char **err_str)
|
||||
{
|
||||
@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
|
||||
|
||||
creds = cli_session_creds_init(cli,
|
||||
user_name,
|
||||
- NULL, /* domain */
|
||||
+ domain,
|
||||
NULL, /* realm */
|
||||
old_passwd,
|
||||
false, /* use_kerberos */
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index 437a5e551bb..4d7a3c739bc 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
|
||||
fprintf(stderr, "Invalid remote operation!\n");
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
- ret = remote_password_change(remote_mach, username,
|
||||
+ ret = remote_password_change(remote_mach,
|
||||
+ NULL, username,
|
||||
old_passwd, new_pw, &err_str);
|
||||
} else {
|
||||
ret = local_password_change(username, local_flags, new_pw,
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
||||
From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 18 Aug 2017 16:10:06 +0200
|
||||
Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
|
||||
---
|
||||
source3/include/proto.h | 7 -------
|
||||
source3/libsmb/proto.h | 10 ++++++++++
|
||||
source3/utils/smbpasswd.c | 1 +
|
||||
3 files changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
||||
index 9deb27b416b..67e1a9d750e 100644
|
||||
--- a/source3/include/proto.h
|
||||
+++ b/source3/include/proto.h
|
||||
@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
|
||||
fstring srv_name,
|
||||
struct sockaddr_storage *ss_out);
|
||||
|
||||
-/* The following definitions come from libsmb/passchange.c */
|
||||
-
|
||||
-NTSTATUS remote_password_change(const char *remote_machine,
|
||||
- const char *domain, const char *user_name,
|
||||
- const char *old_passwd, const char *new_passwd,
|
||||
- char **err_str);
|
||||
-
|
||||
/* The following definitions come from libsmb/smberr.c */
|
||||
|
||||
const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
|
||||
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
|
||||
index a583a8ee159..44f4d04cff5 100644
|
||||
--- a/source3/libsmb/proto.h
|
||||
+++ b/source3/libsmb/proto.h
|
||||
@@ -31,6 +31,9 @@
|
||||
|
||||
struct smb_trans_enc_state;
|
||||
struct cli_credentials;
|
||||
+struct cli_state;
|
||||
+struct file_info;
|
||||
+struct print_job_info;
|
||||
|
||||
/* The following definitions come from libsmb/cliconnect.c */
|
||||
|
||||
@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
|
||||
TALLOC_CTX *mem_ctx, char **psubstitute_name,
|
||||
char **pprint_name, uint32_t *pflags);
|
||||
|
||||
+/* The following definitions come from libsmb/passchange.c */
|
||||
+
|
||||
+NTSTATUS remote_password_change(const char *remote_machine,
|
||||
+ const char *domain, const char *user_name,
|
||||
+ const char *old_passwd, const char *new_passwd,
|
||||
+ char **err_str);
|
||||
+
|
||||
#endif /* _LIBSMB_PROTO_H_ */
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index 4d7a3c739bc..6eb2deb7a3b 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -21,6 +21,7 @@
|
||||
#include "secrets.h"
|
||||
#include "../librpc/gen_ndr/samr.h"
|
||||
#include "../lib/util/util_pw.h"
|
||||
+#include "libsmb/proto.h"
|
||||
#include "passdb.h"
|
||||
|
||||
/*
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
||||
From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 18 Aug 2017 16:13:15 +0200
|
||||
Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
|
||||
in smbpasswd
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
|
||||
---
|
||||
source3/utils/smbpasswd.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index 6eb2deb7a3b..b0e08cc0e58 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
|
||||
Change a password either locally or remotely.
|
||||
*************************************************************/
|
||||
|
||||
-static NTSTATUS password_change(const char *remote_mach, char *username,
|
||||
- char *old_passwd, char *new_pw,
|
||||
+static NTSTATUS password_change(const char *remote_mach,
|
||||
+ const char *username,
|
||||
+ const char *old_passwd, const char *new_pw,
|
||||
int local_flags)
|
||||
{
|
||||
NTSTATUS ret;
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
||||
From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 18 Aug 2017 16:14:57 +0200
|
||||
Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
|
||||
---
|
||||
source3/utils/smbpasswd.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index b0e08cc0e58..92712e38f6b 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
|
||||
*************************************************************/
|
||||
|
||||
static NTSTATUS password_change(const char *remote_mach,
|
||||
- const char *username,
|
||||
+ const char *domain, const char *username,
|
||||
const char *old_passwd, const char *new_pw,
|
||||
int local_flags)
|
||||
{
|
||||
@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
ret = remote_password_change(remote_mach,
|
||||
- NULL, username,
|
||||
+ domain, username,
|
||||
old_passwd, new_pw, &err_str);
|
||||
} else {
|
||||
ret = local_password_change(username, local_flags, new_pw,
|
||||
@@ -466,7 +466,8 @@ static int process_root(int local_flags)
|
||||
}
|
||||
}
|
||||
|
||||
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
|
||||
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
|
||||
+ NULL, user_name,
|
||||
old_passwd, new_passwd,
|
||||
local_flags))) {
|
||||
result = 1;
|
||||
@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
|
||||
- new_pw, 0))) {
|
||||
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
|
||||
+ NULL, user_name,
|
||||
+ old_pw, new_pw, 0))) {
|
||||
result = 1;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
||||
From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Fri, 18 Aug 2017 16:17:08 +0200
|
||||
Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
|
||||
in smbpasswd
|
||||
|
||||
If a local user wants to change his password using smbpasswd and the
|
||||
machine is a domain member, we need to make sure we authenticate against
|
||||
our SAM and not ask winbind.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
|
||||
---
|
||||
source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
|
||||
1 file changed, 27 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index 92712e38f6b..556e6869da7 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -58,7 +58,7 @@ static void usage(void)
|
||||
printf(" -c smb.conf file Use the given path to the smb.conf file\n");
|
||||
printf(" -D LEVEL debug level\n");
|
||||
printf(" -r MACHINE remote machine\n");
|
||||
- printf(" -U USER remote username\n");
|
||||
+ printf(" -U USER remote username (e.g. SAM/user)\n");
|
||||
|
||||
printf("extra options when run by root or in local mode:\n");
|
||||
printf(" -a add user\n");
|
||||
@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
|
||||
|
||||
user_name[0] = '\0';
|
||||
|
||||
- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
|
||||
+ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
|
||||
switch(ch) {
|
||||
case 'L':
|
||||
if (getuid() != 0) {
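Review bot: `S:` is appended to the getopt string, but no `case 'S'` appears anywhere in this patch and usage() (the hunk above) gains no line for it; if the switch, which continues past this hunk, does not already handle it, `-S arg` is accepted silently and its argument dropped. Either add the handler plus a usage line, or drop `S:` from the option string so an unknown option still reports an error.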
|
||||
@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
|
||||
int result = 0;
|
||||
char *old_pw = NULL;
|
||||
char *new_pw = NULL;
|
||||
+ const char *username = user_name;
|
||||
+ const char *domain = NULL;
|
||||
+ char *p = NULL;
|
||||
|
||||
if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
|
||||
/* Extra flags that we can't honor non-root */
|
||||
@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
|
||||
}
|
||||
}
|
||||
|
||||
+ /* Allow domain as part of the username */
|
||||
+ if ((p = strchr_m(user_name, '\\')) ||
|
||||
+ (p = strchr_m(user_name, '/')) ||
|
||||
+ (p = strchr_m(user_name, *lp_winbind_separator()))) {
|
||||
+ *p = '\0';
|
||||
+ username = p + 1;
|
||||
+ domain = user_name;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* A non-root user is always setting a password
|
||||
* via a remote machine (even if that machine is
|
||||
@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
|
||||
|
||||
load_interfaces(); /* Delayed from main() */
|
||||
|
||||
- if (remote_machine == NULL) {
|
||||
+ if (remote_machine != NULL) {
|
||||
+ if (!is_ipaddress(remote_machine)) {
|
||||
+ domain = remote_machine;
|
||||
+ }
|
||||
+ } else {
|
||||
remote_machine = "127.0.0.1";
|
||||
+
|
||||
+ /*
|
||||
+ * If we deal with a local user, change the password for the
|
||||
+ * user in our SAM.
|
||||
+ */
|
||||
+ domain = get_global_sam_name();
|
||||
}
|
||||
|
||||
if (remote_machine != NULL) {
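Review bot: When `-r` names a host that is not an IP address, `domain = remote_machine;` unconditionally overwrites a domain the user supplied as part of `-U DOMAIN/user` in the preceding hunk, so the explicit domain silently loses to the hostname. If the intent is only to provide a default, `if (domain == NULL && !is_ipaddress(remote_machine))` preserves the explicit one; if the hostname is meant to win, a comment stating that precedence would save the next reader the question, especially since the usage text updated earlier in this patch advertises the `SAM/user` form.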
|
||||
@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(password_change(remote_machine,
|
||||
- NULL, user_name,
|
||||
+ domain, username,
|
||||
old_pw, new_pw, 0))) {
|
||||
result = 1;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- printf("Password changed for user %s\n", user_name);
|
||||
+ printf("Password changed for user %s\n", username);
|
||||
|
||||
done:
|
||||
SAFE_FREE(old_pw);
|
||||
--
|
||||
2.14.1
|
||||
|
||||
|
||||
From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 22 Aug 2017 15:46:07 +0200
|
||||
Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
|
||||
|
||||
Review with: git show -U20
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
|
||||
(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
|
||||
---
|
||||
source3/utils/smbpasswd.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
|
||||
index 556e6869da7..fb7ad283995 100644
|
||||
--- a/source3/utils/smbpasswd.c
|
||||
+++ b/source3/utils/smbpasswd.c
|
||||
@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
|
||||
domain = get_global_sam_name();
|
||||
}
|
||||
|
||||
- if (remote_machine != NULL) {
|
||||
- old_pw = get_pass("Old SMB password:",stdin_passwd_get);
|
||||
- if (old_pw == NULL) {
|
||||
- fprintf(stderr, "Unable to get old password.\n");
|
||||
- exit(1);
|
||||
- }
|
||||
+ old_pw = get_pass("Old SMB password:",stdin_passwd_get);
|
||||
+ if (old_pw == NULL) {
|
||||
+ fprintf(stderr, "Unable to get old password.\n");
|
||||
+ exit(1);
|
||||
}
|
||||
|
||||
if (!new_passwd) {
|
||||
--
|
||||
2.14.1
|
||||
|
@ -0,0 +1,53 @@ |
||||
From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 30 May 2017 16:30:33 +0200
|
||||
Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
|
||||
FSCTL_VALIDATE_NEGOTIATE_INFO
|
||||
|
||||
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
|
||||
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
|
||||
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||
|
||||
Autobuild-User(master): Volker Lendecke <vl@samba.org>
|
||||
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
|
||||
---
|
||||
libcli/smb/smbXcli_base.c | 15 +++++++++++++++
|
||||
1 file changed, 15 insertions(+)
|
||||
|
||||
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
|
||||
index a7b24f01497..593edf9ce78 100644
|
||||
--- a/libcli/smb/smbXcli_base.c
|
||||
+++ b/libcli/smb/smbXcli_base.c
|
||||
@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
|
||||
tevent_req_done(req);
|
||||
return;
|
||||
}
|
||||
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
||||
+ /*
|
||||
+ * The response was signed, but not supported
|
||||
+ *
|
||||
+ * This might be returned by older Windows versions or by
|
||||
+ * NetApp SMB server implementations.
|
||||
+ *
|
||||
+ * See
|
||||
+ *
|
||||
+ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
|
||||
+ *
|
||||
+ */
|
||||
+ tevent_req_done(req);
|
||||
+ return;
|
||||
+ }
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
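Review bot: The new branch accepts NT_STATUS_NOT_SUPPORTED as a successful validate-negotiate, which relaxes the downgrade check this FSCTL exists for; the comment states the response was signed, but the signature verification that makes this safe is not in this hunk, so a comment naming where it is enforced (presumably the smb2cli receive path, before this callback runs) would let a reader confirm the precondition. Because a genuine lack of the FSCTL and a failed dialect validation now both end in tevent_req_done(), a log line such as `DBG_NOTICE("FSCTL_VALIDATE_NEGOTIATE_INFO not supported by server, skipping dialect validation\n");` before the return gives operators a record of which servers take this path. smb2cli_validate_negotiate_info_done starts before this hunk.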
|
||||
--
|
||||
2.13.1.518.g3df882009-goog
|
||||
|
@ -0,0 +1,543 @@ |
||||
From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 3 Mar 2017 17:08:09 +0200
|
||||
Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
|
||||
---
|
||||
wscript_configure_system_mitkrb5 | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
|
||||
index 06a9821..d3e8ebf 100644
|
||||
--- a/wscript_configure_system_mitkrb5
|
||||
+++ b/wscript_configure_system_mitkrb5
|
||||
@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
|
||||
gsskrb5_extract_authz_data_from_sec_context
|
||||
gss_krb5_export_lucid_sec_context
|
||||
gss_import_cred gss_export_cred
|
||||
+ gss_acquire_cred_from
|
||||
''', 'gssapi gssapi_krb5')
|
||||
conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
|
||||
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 3 Mar 2017 16:14:57 +0200
|
||||
Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
|
||||
|
||||
Wrap gss_krb5_import_cred() to allow re-implementing it with
|
||||
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
|
||||
works fine with GSSAPI interposer (GSS-proxy) while
|
||||
gss_krb5_import_cred() is not interposed yet.
|
||||
|
||||
The wrapper has additional parameter, krb5_context handle, to facilitate
|
||||
with credentials cache name discovery. All our callers to
|
||||
gss_krb5_import_cred() already have krb5 context handy.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
|
||||
---
|
||||
lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/krb5_wrap/gss_samba.h | 13 +++++
|
||||
2 files changed, 134 insertions(+)
|
||||
|
||||
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
|
||||
index b444633..757ffc5 100644
|
||||
--- a/lib/krb5_wrap/gss_samba.c
|
||||
+++ b/lib/krb5_wrap/gss_samba.c
|
||||
@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
|
||||
}
|
||||
#endif /* !HAVE_GSS_OID_EQUAL */
|
||||
|
||||
+
|
||||
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
|
||||
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
|
||||
+ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
|
||||
+ *
|
||||
+ * This wrapper requires a proper krb5_context to resolve ccache name.
|
||||
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
|
||||
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
|
||||
+ krb5_ccache id, krb5_principal keytab_principal,
|
||||
+ krb5_keytab keytab, gss_cred_id_t *cred)
|
||||
+{
|
||||
+ uint32_t major_status = 0;
|
||||
+
|
||||
+#if HAVE_GSS_ACQUIRE_CRED_FROM
|
||||
+ uint32_t minor = 0;
|
||||
+ gss_key_value_element_desc ccache_element = {
|
||||
+ .key = "ccache",
|
||||
+ .value = NULL,
|
||||
+ };
|
||||
+
|
||||
+ gss_key_value_element_desc keytab_element = {
|
||||
+ .key = "keytab",
|
||||
+ .value = NULL,
|
||||
+ };
|
||||
+
|
||||
+ gss_key_value_element_desc elements[2];
|
||||
+
|
||||
+ gss_key_value_set_desc cred_store = {
|
||||
+ .elements = &ccache_element,
|
||||
+ .count = 1,
|
||||
+ };
|
||||
+
|
||||
+ gss_OID_set mech_set = GSS_C_NO_OID_SET;
|
||||
+ gss_cred_usage_t cred_usage = GSS_C_INITIATE;
|
||||
+ gss_name_t name = NULL;
|
||||
+ gss_buffer_desc pr_name = {
|
||||
+ .value = NULL,
|
||||
+ .length = 0,
|
||||
+ };
|
||||
+
|
||||
+ if (id != NULL) {
|
||||
+ major_status = krb5_cc_get_full_name(ctx,
|
||||
+ id,
|
||||
+ discard_const(&ccache_element.value));
|
||||
+ if (major_status != 0) {
|
||||
+ return major_status;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (keytab != NULL) {
|
||||
+ keytab_element.value = malloc(4096);
|
||||
+ if (!keytab_element.value) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+ major_status = krb5_kt_get_name(ctx,
|
||||
+ keytab,
|
||||
+ discard_const(keytab_element.value), 4096);
|
||||
+ if (major_status != 0) {
|
||||
+ free(discard_const(keytab_element.value));
|
||||
+ return major_status;
|
||||
+ }
|
||||
+ cred_usage = GSS_C_ACCEPT;
|
||||
+ cred_store.elements = &keytab_element;
|
||||
+
|
||||
+ if (keytab_principal != NULL) {
|
||||
+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
|
||||
+ if (major_status != 0) {
|
||||
+ free(discard_const(keytab_element.value));
|
||||
+ return major_status;
|
||||
+ }
|
||||
+ pr_name.length = strlen(pr_name.value);
|
||||
+
|
||||
+ major_status = gss_import_name(minor_status,
|
||||
+ &pr_name,
|
||||
+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
|
||||
+ &name);
|
||||
+ if (major_status != 0) {
|
||||
+ krb5_free_unparsed_name(ctx, pr_name.value);
|
||||
+ free(discard_const(keytab_element.value));
|
||||
+ return major_status;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (id != NULL && keytab != NULL) {
|
||||
+ elements[0] = ccache_element;
|
||||
+ elements[1] = keytab_element;
|
||||
+
|
||||
+ cred_store.elements = elements;
|
||||
+ cred_store.count = 2;
|
||||
+ cred_usage = GSS_C_BOTH;
|
||||
+ }
|
||||
+
|
||||
+ major_status = gss_acquire_cred_from(minor_status,
|
||||
+ name,
|
||||
+ 0,
|
||||
+ mech_set,
|
||||
+ cred_usage,
|
||||
+ &cred_store,
|
||||
+ cred,
|
||||
+ NULL,
|
||||
+ NULL);
|
||||
+
|
||||
+ if (pr_name.value != NULL) {
|
||||
+ (void)gss_release_name(&minor, &name);
|
||||
+ krb5_free_unparsed_name(ctx, pr_name.value);
|
||||
+ }
|
||||
+ if (keytab_element.value != NULL) {
|
||||
+ free(discard_const(keytab_element.value));
|
||||
+ }
|
||||
+ krb5_free_string(ctx, discard_const(ccache_element.value));
|
||||
+#else
|
||||
+ major_status = gss_krb5_import_cred(minor_status,
|
||||
+ id,
|
||||
+ keytab_principal,
|
||||
+ keytab, cred);
|
||||
+#endif
|
||||
+ return major_status;
|
||||
+}
|
||||
+
|
||||
+
|
||||
#endif /* HAVE_GSSAPI */
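Review bot: On the HAVE_GSS_ACQUIRE_CRED_FROM path the function returns krb5 and errno values where callers expect a GSS major status: `krb5_cc_get_full_name()`, `krb5_kt_get_name()` and `krb5_unparse_name()` yield a krb5_error_code that is stored in `major_status` and returned as-is, the `malloc` failure returns `ENOMEM`, and none of these paths write `*minor_status`, yet every caller converted later in this series (credentials_krb5.c, libads/sasl.c, librpc/crypto/gse.c) compares the result with GSS_S_* constants and then reads `min_stat`. The same early returns leak `ccache_element.value` whenever `id` was resolved and a later keytab or principal step fails, because only the keytab buffer is freed on those paths. Routing every failure through one cleanup label, with the krb5 code placed in `*minor_status` and `GSS_S_FAILURE` returned, fixes both; the sketch below shows the first failure path and the shared tail, the other failure paths follow the same shape. The `#else` branch is unaffected.
```c
	if (id != NULL) {
		krb5_error_code ret = krb5_cc_get_full_name(ctx, id,
				discard_const(&ccache_element.value));
		if (ret != 0) {
			*minor_status = ret;
			major_status = GSS_S_FAILURE;
			goto done;
		}
	}
	/* … unchanged: keytab / principal setup, each failure now sets *minor_status and does `goto done` … */
	/* … unchanged: gss_acquire_cred_from() call … */
done:
	if (name != GSS_C_NO_NAME) {
		(void)gss_release_name(&minor, &name);
	}
	if (pr_name.value != NULL) {
		krb5_free_unparsed_name(ctx, pr_name.value);
	}
	free(discard_const(keytab_element.value));
	krb5_free_string(ctx, discard_const(ccache_element.value));
```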
|
||||
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
|
||||
index 5319932..89aee34 100644
|
||||
--- a/lib/krb5_wrap/gss_samba.h
|
||||
+++ b/lib/krb5_wrap/gss_samba.h
|
||||
@@ -25,6 +25,7 @@
|
||||
#ifdef HAVE_GSSAPI
|
||||
|
||||
#include "system/gssapi.h"
|
||||
+#include "krb5_samba.h"
|
||||
|
||||
#if defined(HAVE_GSS_OID_EQUAL)
|
||||
#define smb_gss_oid_equal gss_oid_equal
|
||||
@@ -32,5 +33,17 @@
|
||||
int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
|
||||
#endif /* HAVE_GSS_OID_EQUAL */
|
||||
|
||||
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
|
||||
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
|
||||
+ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
|
||||
+ *
|
||||
+ * This wrapper requires a proper krb5_context to resolve the ccache name for
|
||||
+ * gss_acquire_cred_from().
|
||||
+ *
|
||||
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
|
||||
+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
|
||||
+ krb5_ccache id, krb5_principal keytab_principal,
|
||||
+ krb5_keytab keytab, gss_cred_id_t *cred);
|
||||
+
|
||||
#endif /* HAVE_GSSAPI */
|
||||
#endif /* _GSS_SAMBA_H */
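Review bot: The prototype types `minor_status` as `OM_uint32 *` while the definition added to gss_samba.c in the same patch uses `uint32_t *`; the two are the same typedef in the GSSAPI headers Samba builds against as far as I know, but prototype and definition should spell it identically so that a real mismatch would be a compile error rather than a coincidence. The comment should also state which status domain the return value is in and whether `*minor_status` is always written, since the implementation mixes GSS, krb5 and errno results; once the implementation guarantees it, something like `Returns a GSS major status; on failure *minor_status holds the mechanism-specific code.` would tell callers what they may compare against.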
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 3 Mar 2017 16:57:13 +0200
|
||||
Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
|
||||
---
|
||||
auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
|
||||
1 file changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
|
||||
index e974df9..0e68012 100644
|
||||
--- a/auth/credentials/credentials_krb5.c
|
||||
+++ b/auth/credentials/credentials_krb5.c
|
||||
@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
|
||||
- &gcc->creds);
|
||||
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
|
||||
+ ccache->ccache, NULL, NULL,
|
||||
+ &gcc->creds);
|
||||
if ((maj_stat == GSS_S_FAILURE) &&
|
||||
(min_stat == (OM_uint32)KRB5_CC_END ||
|
||||
min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
|
||||
@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
|
||||
- &gcc->creds);
|
||||
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
|
||||
+ ccache->ccache, NULL, NULL,
|
||||
+ &gcc->creds);
|
||||
|
||||
}
|
||||
|
||||
@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
|
||||
} else {
|
||||
ret = EINVAL;
|
||||
}
|
||||
- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
|
||||
+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
|
||||
|
||||
if (ktc->password_based || obtained < CRED_SPECIFIED) {
|
||||
/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
|
||||
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
|
||||
- &gcc->creds);
|
||||
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
|
||||
+ NULL, NULL, ktc->keytab,
|
||||
+ &gcc->creds);
|
||||
} else {
|
||||
/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
|
||||
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
|
||||
- &gcc->creds);
|
||||
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
|
||||
+ NULL, princ, ktc->keytab,
|
||||
+ &gcc->creds);
|
||||
}
|
||||
if (maj_stat) {
|
||||
if (min_stat) {
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 3 Mar 2017 16:57:50 +0200
|
||||
Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
|
||||
---
|
||||
source3/libads/sasl.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
|
||||
index 8570788..30127fa 100644
|
||||
--- a/source3/libads/sasl.c
|
||||
+++ b/source3/libads/sasl.c
|
||||
@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
|
||||
goto done;
|
||||
}
|
||||
|
||||
- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
|
||||
+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
|
||||
if (maj != GSS_S_COMPLETE) {
|
||||
status = ADS_ERROR_GSS(maj, min);
|
||||
goto done;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 3 Mar 2017 16:58:14 +0200
|
||||
Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
|
||||
---
|
||||
source3/librpc/crypto/gse.c | 20 +++++++++++---------
|
||||
1 file changed, 11 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
|
||||
index abf20bc..f4238f3 100644
|
||||
--- a/source3/librpc/crypto/gse.c
|
||||
+++ b/source3/librpc/crypto/gse.c
|
||||
@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
|
||||
/* TODO: get krb5 ticket using username/password, if no valid
|
||||
* one already available in ccache */
|
||||
|
||||
- gss_maj = gss_krb5_import_cred(&gss_min,
|
||||
- gse_ctx->ccache,
|
||||
- NULL, /* keytab_principal */
|
||||
- NULL, /* keytab */
|
||||
- &gse_ctx->creds);
|
||||
+ gss_maj = smb_gss_krb5_import_cred(&gss_min,
|
||||
+ gse_ctx->k5ctx,
|
||||
+ gse_ctx->ccache,
|
||||
+ NULL, /* keytab_principal */
|
||||
+ NULL, /* keytab */
|
||||
+ &gse_ctx->creds);
|
||||
if (gss_maj) {
|
||||
char *ccache = NULL;
|
||||
int kret;
|
||||
@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
|
||||
ccache = NULL;
|
||||
}
|
||||
|
||||
- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
|
||||
+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
|
||||
"the caller may retry after a kinit.\n",
|
||||
ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
|
||||
SAFE_FREE(ccache);
|
||||
@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/* This creates a GSSAPI cred_id_t with the keytab set */
|
||||
- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
|
||||
- &gse_ctx->creds);
|
||||
+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
|
||||
+ NULL, NULL, gse_ctx->keytab,
|
||||
+ &gse_ctx->creds);
|
||||
|
||||
if (gss_maj != 0
|
||||
&& gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
|
||||
- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
|
||||
+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
|
||||
gse_errstr(gse_ctx, gss_maj, gss_min)));
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
goto done;
|
||||
--
|
||||
2.9.3
|
||||
|
||||
|
||||
From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 8 Mar 2017 12:38:49 +0200
|
||||
Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
|
||||
wrapper
|
||||
|
||||
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
|
||||
credentials from a keytab without specifying actual principal.
|
||||
This was fixed in MIT krb5 1.9.2 (see commit
|
||||
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
|
||||
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
|
||||
|
||||
Move fallback code to the smb_gss_krb5_import_cred wrapper. We only
|
||||
expect this fallback to happen with krb5 GSSAPI mechanism, thus hard
|
||||
code the use of the krb5 mech when calling gss_acquire_cred.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
|
||||
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
|
||||
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
|
||||
---
|
||||
lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
|
||||
source3/librpc/crypto/gse.c | 49 +--------------------------------------------
|
||||
2 files changed, 44 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
|
||||
index 757ffc5..9e5ad4a 100644
|
||||
--- a/lib/krb5_wrap/gss_samba.c
|
||||
+++ b/lib/krb5_wrap/gss_samba.c
|
||||
@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
|
||||
krb5_free_string(ctx, discard_const(ccache_element.value));
|
||||
#else
|
||||
major_status = gss_krb5_import_cred(minor_status,
|
||||
- id,
|
||||
- keytab_principal,
|
||||
- keytab, cred);
|
||||
+ id,
|
||||
+ keytab_principal,
|
||||
+ keytab, cred);
|
||||
+
|
||||
+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
|
||||
+ if ((keytab_principal == NULL) && (keytab != NULL)) {
|
||||
+ /* No principal was specified and MIT krb5 1.9 version failed.
|
||||
+ * We have to fall back to set global acceptor identity */
|
||||
+ gss_OID_set_desc mech_set;
|
||||
+ char *kt_name = NULL;
|
||||
+
|
||||
+ kt_name = malloc(4096);
|
||||
+ if (!kt_name) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ major_status = krb5_kt_get_name(ctx,
|
||||
+ keytab,
|
||||
+ kt_name, 4096);
|
||||
+ if (major_status != 0) {
|
||||
+ free(kt_name);
|
||||
+ return major_status;
|
||||
+ }
|
||||
+
|
||||
+ major_status = gsskrb5_register_acceptor_identity(kt_name);
|
||||
+ if (major_status) {
|
||||
+ free(kt_name);
|
||||
+ return major_status;
|
||||
+ }
|
||||
+
|
||||
+ /* We are dealing with krb5 GSSAPI mech in this fallback */
|
||||
+ mech_set.count = 1;
|
||||
+ mech_set.elements = gss_mech_krb5;
|
||||
+ major_status = gss_acquire_cred(minor_status,
|
||||
+ GSS_C_NO_NAME,
|
||||
+ GSS_C_INDEFINITE,
|
||||
+ &mech_set,
|
||||
+ GSS_C_ACCEPT,
|
||||
+ cred,
|
||||
+ NULL, NULL);
|
||||
+ free(kt_name);
|
||||
+ }
|
||||
+ }
|
||||
#endif
|
||||
return major_status;
|
||||
}
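Review bot: `gsskrb5_register_acceptor_identity(kt_name)` changes the default acceptor keytab for the whole process, and the FIXME that documented this in gse.c (removed by the same commit) is not carried over, so a library wrapper now alters process-global state without saying so; keep a comment above the call, e.g. `/* NOTE: this sets the default acceptor keytab process-wide, not just for this credential. */`. The fallback also repeats the status-domain problem of the base implementation: `return ENOMEM` and the code from `krb5_kt_get_name()` go back to callers that compare the result against GSS_S_* values and then read `*minor_status`, which is never written on these paths; put the krb5 code in `*minor_status` and return `GSS_S_FAILURE` instead. The 4096-byte keytab-name buffer is a second copy of the magic number already used earlier in this function; one named constant would keep the two in step. smb_gss_krb5_import_cred starts outside the hunk.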
|
||||
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
|
||||
index f4238f3..a111320 100644
|
||||
--- a/source3/librpc/crypto/gse.c
|
||||
+++ b/source3/librpc/crypto/gse.c
|
||||
@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
|
||||
NULL, NULL, gse_ctx->keytab,
|
||||
&gse_ctx->creds);
|
||||
|
||||
- if (gss_maj != 0
|
||||
- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
|
||||
+ if (gss_maj != 0) {
|
||||
DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
|
||||
gse_errstr(gse_ctx, gss_maj, gss_min)));
|
||||
status = NT_STATUS_INTERNAL_ERROR;
|
||||
goto done;
|
||||
-
|
||||
- /* This is the error the MIT krb5 1.9 gives when it
|
||||
- * implements the function, but we do not specify the
|
||||
- * principal. However, when we specify the principal
|
||||
- * as host$@REALM the GSS acceptor fails with 'wrong
|
||||
- * principal in request'. Work around the issue by
|
||||
- * falling back to the alternate approach below. */
|
||||
- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
|
||||
- /* FIXME!!!
|
||||
- * This call sets the default keytab for the whole server, not
|
||||
- * just for this context. Need to find a way that does not alter
|
||||
- * the state of the whole server ... */
|
||||
- {
|
||||
- const char *ktname;
|
||||
- gss_OID_set_desc mech_set;
|
||||
-
|
||||
- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
|
||||
- gse_ctx->keytab, &ktname);
|
||||
- if (ret) {
|
||||
- status = NT_STATUS_INTERNAL_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = gsskrb5_register_acceptor_identity(ktname);
|
||||
- if (ret) {
|
||||
- status = NT_STATUS_INTERNAL_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- mech_set.count = 1;
|
||||
- mech_set.elements = &gse_ctx->gss_mech;
|
||||
-
|
||||
- gss_maj = gss_acquire_cred(&gss_min,
|
||||
- GSS_C_NO_NAME,
|
||||
- GSS_C_INDEFINITE,
|
||||
- &mech_set,
|
||||
- GSS_C_ACCEPT,
|
||||
- &gse_ctx->creds,
|
||||
- NULL, NULL);
|
||||
-
|
||||
- if (gss_maj) {
|
||||
- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
|
||||
- gse_errstr(gse_ctx, gss_maj, gss_min)));
|
||||
- status = NT_STATUS_INTERNAL_ERROR;
|
||||
- goto done;
|
||||
- }
|
||||
}
|
||||
|
||||
status = NT_STATUS_OK;
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,179 @@ |
||||
From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 10 Mar 2017 16:20:06 +0200
|
||||
Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Implement a small Python module that exposes arcfour_crypt_blob()
|
||||
function widely used in Samba C code.
|
||||
|
||||
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
|
||||
there is a need to encrypt trusted credentials with RC4 cipher.
|
||||
|
||||
Current Samba Python code relies on Python runtime to provide RC4
|
||||
cipher. However, in FIPS 140-2 mode system crypto libraries do not
|
||||
provide access to the RC4 cipher at all. According to the Microsoft dochelp team,
|
||||
Windows is treating AuthenticationInformation blob encryption as 'plain
|
||||
text' in terms of FIPS 140-2, thus doing application-level encryption.
|
||||
|
||||
Replace samba.arcfour_encrypt() implementation with a call to
|
||||
samba.crypto.arcfour_crypt_blob().
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Simo Sorce <idra@samba.org>
|
||||
Reviewed-by: Guenther Deschner <gd@samba.org>
|
||||
|
||||
Autobuild-User(master): Günther Deschner <gd@samba.org>
|
||||
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
|
||||
|
||||
(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
|
||||
---
|
||||
lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/crypto/wscript_build | 7 ++++
|
||||
python/samba/__init__.py | 16 ++-------
|
||||
3 files changed, 99 insertions(+), 14 deletions(-)
|
||||
create mode 100644 lib/crypto/py_crypto.c
|
||||
|
||||
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
|
||||
new file mode 100644
|
||||
index 0000000..bf7f9f4
|
||||
--- /dev/null
|
||||
+++ b/lib/crypto/py_crypto.c
|
||||
@@ -0,0 +1,90 @@
|
||||
+/*
|
||||
+ Unix SMB/CIFS implementation.
|
||||
+ Samba crypto functions
|
||||
+
|
||||
+ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
|
||||
+
|
||||
+ This program is free software; you can redistribute it and/or modify
|
||||
+ it under the terms of the GNU General Public License as published by
|
||||
+ the Free Software Foundation; either version 3 of the License, or
|
||||
+ (at your option) any later version.
|
||||
+
|
||||
+ This program is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ GNU General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU General Public License
|
||||
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
+*/
|
||||
+
|
||||
+#include <Python.h>
|
||||
+#include "includes.h"
|
||||
+#include "python/py3compat.h"
|
||||
+#include "lib/crypto/arcfour.h"
|
||||
+
|
||||
+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
|
||||
+{
|
||||
+ DATA_BLOB data, key;
|
||||
+ PyObject *py_data, *py_key, *result;
|
||||
+ TALLOC_CTX *ctx;
|
||||
+
|
||||
+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
|
||||
+ return NULL;
|
||||
+
|
||||
+ if (!PyBytes_Check(py_data)) {
|
||||
+ PyErr_Format(PyExc_TypeError, "bytes expected");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ if (!PyBytes_Check(py_key)) {
|
||||
+ PyErr_Format(PyExc_TypeError, "bytes expected");
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ ctx = talloc_new(NULL);
|
||||
+
|
||||
+ data.length = PyBytes_Size(py_data);
|
||||
+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
|
||||
+ if (!data.data) {
|
||||
+ talloc_free(ctx);
|
||||
+ return PyErr_NoMemory();
|
||||
+ }
|
||||
+
|
||||
+ key.data = (uint8_t *)PyBytes_AsString(py_key);
|
||||
+ key.length = PyBytes_Size(py_key);
|
||||
+
|
||||
+ arcfour_crypt_blob(data.data, data.length, &key);
|
||||
+
|
||||
+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
|
||||
+ talloc_free(ctx);
|
||||
+ return result;
|
||||
+}
|
||||
+
|
||||
+
|
||||
+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
|
||||
+ "Encrypt the data with RC4 algorithm using the key";
|
||||
+
|
||||
+static PyMethodDef py_crypto_methods[] = {
|
||||
+ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
|
||||
+ { NULL },
|
||||
+};
|
||||
+
|
||||
+static struct PyModuleDef moduledef = {
|
||||
+ PyModuleDef_HEAD_INIT,
|
||||
+ .m_name = "crypto",
|
||||
+ .m_doc = "Crypto functions required for SMB",
|
||||
+ .m_size = -1,
|
||||
+ .m_methods = py_crypto_methods,
|
||||
+};
|
||||
+
|
||||
+MODULE_INIT_FUNC(crypto)
|
||||
+{
|
||||
+ PyObject *m;
|
||||
+
|
||||
+ m = PyModule_Create(&moduledef);
|
||||
+ if (m == NULL)
|
||||
+ return NULL;
|
||||
+
|
||||
+ return m;
|
||||
+}
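Review bot: `key.length` reaches `arcfour_crypt_blob()` without an empty-key check; if `arcfour_init()` indexes the key modulo its length, as RC4 key scheduling normally does, an empty bytes object from Python becomes a division by zero in C instead of a Python exception, so reject it up front with `if (PyBytes_Size(py_key) == 0) { PyErr_SetString(PyExc_ValueError, "key must not be empty"); return NULL; }` (arcfour.h is not in this hunk, so confirm against it). `talloc_new(NULL)` is also used unchecked: `talloc_memdup()` on a NULL context still allocates, but `talloc_free(NULL)` is then a no-op and the copied data leaks on that path; a `if (ctx == NULL) { return PyErr_NoMemory(); }` after the allocation closes it. `py_crypto_arcfour_crypt_blob_doc` should say what this is — a raw RC4 pass with no integrity protection, identical for encryption and decryption, provided for the protocol blobs that mandate it — so Python callers do not mistake it for general-purpose encryption.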
|
||||
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
|
||||
index 7f94532..d1f152e 100644
|
||||
--- a/lib/crypto/wscript_build
|
||||
+++ b/lib/crypto/wscript_build
|
||||
@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
|
||||
autoproto='test_proto.h',
|
||||
deps='LIBCRYPTO'
|
||||
)
|
||||
+
|
||||
+for env in bld.gen_python_environments():
|
||||
+ bld.SAMBA_PYTHON('python_crypto',
|
||||
+ source='py_crypto.c',
|
||||
+ deps='LIBCRYPTO',
|
||||
+ realname='samba/crypto.so'
|
||||
+ )
|
||||
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
|
||||
index 19d5e38..fa4244a 100644
|
||||
--- a/python/samba/__init__.py
|
||||
+++ b/python/samba/__init__.py
|
||||
@@ -371,20 +371,8 @@ def string_to_byte_array(string):
|
||||
return blob
|
||||
|
||||
def arcfour_encrypt(key, data):
|
||||
- try:
|
||||
- from Crypto.Cipher import ARC4
|
||||
- c = ARC4.new(key)
|
||||
- return c.encrypt(data)
|
||||
- except ImportError as e:
|
||||
- pass
|
||||
- try:
|
||||
- from M2Crypto.RC4 import RC4
|
||||
- c = RC4(key)
|
||||
- return c.update(data)
|
||||
- except ImportError as e:
|
||||
- pass
|
||||
- raise Exception("arcfour_encrypt() requires " +
|
||||
- "python*-crypto or python*-m2crypto or m2crypto")
|
||||
+ from samba.crypto import arcfour_crypt_blob
|
||||
+ return arcfour_crypt_blob(data, key)
|
||||
|
||||
import _glue
|
||||
version = _glue.version
|
||||
--
|
||||
2.9.3
|
||||
|
@ -0,0 +1,405 @@ |
||||
From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 16 Jan 2017 11:43:12 +0100
|
||||
Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
|
||||
|
||||
Since Windows Server 2008 Microsoft uses a different port range for RPC
|
||||
services. Before it was 1024-65535 and they changed it to 49152-65535.
|
||||
|
||||
We should use the same range as these are the ports the firewall in AD
|
||||
networks normally allow.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
|
||||
---
|
||||
source3/rpc_server/rpc_server.c | 4 ++--
|
||||
source4/smbd/service_stream.c | 4 ++--
|
||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
|
||||
index 5effe66d9bb..37fe68fc36d 100644
|
||||
--- a/source3/rpc_server/rpc_server.c
|
||||
+++ b/source3/rpc_server/rpc_server.c
|
||||
@@ -34,8 +34,8 @@
|
||||
#include "rpc_server/srv_pipe_hnd.h"
|
||||
#include "rpc_server/srv_pipe.h"
|
||||
|
||||
-#define SERVER_TCP_LOW_PORT 1024
|
||||
-#define SERVER_TCP_HIGH_PORT 1300
|
||||
+#define SERVER_TCP_LOW_PORT 49152
|
||||
+#define SERVER_TCP_HIGH_PORT 65535
|
||||
|
||||
/* Creates a pipes_struct and initializes it with the information
|
||||
* sent from the client */
|
||||
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
|
||||
index f0a379acf6a..96a303fc6a9 100644
|
||||
--- a/source4/smbd/service_stream.c
|
||||
+++ b/source4/smbd/service_stream.c
|
||||
@@ -30,8 +30,8 @@
|
||||
#include "lib/util/util_net.h"
|
||||
|
||||
/* the range of ports to try for dcerpc over tcp endpoints */
|
||||
-#define SERVER_TCP_LOW_PORT 1024
|
||||
-#define SERVER_TCP_HIGH_PORT 1300
|
||||
+#define SERVER_TCP_LOW_PORT 49152
|
||||
+#define SERVER_TCP_HIGH_PORT 65535
|
||||
|
||||
/* size of listen() backlog in smbd */
|
||||
#define SERVER_LISTEN_BACKLOG 10
|
||||
--
|
||||
2.11.0
|
||||
|
||||
|
||||
From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Mon, 16 Jan 2017 12:05:09 +0100
|
||||
Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
|
||||
services
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
|
||||
|
||||
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
|
||||
---
|
||||
docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++--
|
||||
.../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++
|
||||
lib/param/loadparm.c | 47 ++++++++++++++++++++++
|
||||
lib/param/loadparm.h | 9 ++++-
|
||||
lib/param/param.h | 3 ++
|
||||
python/samba/tests/docs.py | 11 +++--
|
||||
source3/include/proto.h | 2 +
|
||||
source3/param/loadparm.c | 16 ++++++++
|
||||
source3/rpc_server/rpc_server.c | 5 +--
|
||||
source4/smbd/service_stream.c | 8 ++--
|
||||
10 files changed, 120 insertions(+), 17 deletions(-)
|
||||
create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
|
||||
|
||||
diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
|
||||
index 8a70835612f..0fd87d69212 100644
|
||||
--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
|
||||
+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
|
||||
@@ -4,11 +4,19 @@
|
||||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
||||
<description>
|
||||
<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
|
||||
- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
|
||||
- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
|
||||
+ <para>This controls the default port for all protocols, except for NETLOGON.</para>
|
||||
+ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
|
||||
+ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
|
||||
<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
|
||||
|
||||
+ <para>This option applies currently only when
|
||||
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
|
||||
+ runs as an active directory domain controller.</para>
|
||||
+
|
||||
+ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
|
||||
</description>
|
||||
-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
|
||||
+
|
||||
+<related>rpc server dynamic port range</related>
|
||||
+
|
||||
<value type="default">0</value>
|
||||
</samba:parameter>
|
||||
diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
|
||||
new file mode 100644
|
||||
index 00000000000..a9c51d2fe41
|
||||
--- /dev/null
|
||||
+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
|
||||
@@ -0,0 +1,22 @@
|
||||
+<samba:parameter name="rpc server dynamic port range"
|
||||
+ context="G"
|
||||
+ type="string"
|
||||
+ handler="handle_rpc_server_dynamic_port_range"
|
||||
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
||||
+<description>
|
||||
+ <para>
|
||||
+ This parameter tells the RPC server which port range it is
|
||||
+ allowed to use to create a listening socket for LSA, SAM,
|
||||
+ Netlogon and others without wellknown tcp ports.
|
||||
+ The first value is the lowest number of the port
|
||||
+ range and the second the hightest.
|
||||
+ </para>
|
||||
+ <para>
|
||||
+ This applies to RPC servers in all server roles.
|
||||
+ </para>
|
||||
+</description>
|
||||
+
|
||||
+<related>rpc server port</related>
|
||||
+
|
||||
+<value type="default">49152-65535</value>
|
||||
+</samba:parameter>
|
||||
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
||||
index 6aa757f7c6b..3b54ff232aa 100644
|
||||
--- a/lib/param/loadparm.c
|
||||
+++ b/lib/param/loadparm.c
|
||||
@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
|
||||
return lp_ctx->sDefault;
|
||||
}
|
||||
|
||||
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
|
||||
+{
|
||||
+ return lp_ctx->globals->rpc_low_port;
|
||||
+}
|
||||
+
|
||||
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
|
||||
+{
|
||||
+ return lp_ctx->globals->rpc_high_port;
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* Convenience routine to grab string parameters into temporary memory
|
||||
* and run standard_sub_basic on them.
|
||||
@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
|
||||
return true;
|
||||
}
|
||||
|
||||
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
|
||||
+ struct loadparm_service *service,
|
||||
+ const char *pszParmValue,
|
||||
+ char **ptr)
|
||||
+{
|
||||
+ int low_port = -1, high_port = -1;
|
||||
+ int rc;
|
||||
+
|
||||
+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
|
||||
+ if (rc != 2) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ if (low_port > high_port) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ lp_ctx->globals->rpc_low_port = low_port;
|
||||
+ lp_ctx->globals->rpc_high_port = high_port;
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
|
||||
struct loadparm_service *service,
|
||||
const char *pszParmValue, char **ptr)
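Review bot: The `sscanf(pszParmValue, "%d - %d", ...)` parse in handle_rpc_server_dynamic_port_range accepts trailing text after the second number (`49152-65535 junk` still yields rc == 2), and a value that does not fit an `int` is undefined behaviour for `%d` under the C standard, so the later SERVER_TCP_PORT_MIN/MAX comparison cannot be relied on to reject it. A minimal tightening is to require the whole string to be consumed: `int consumed = 0;` / `rc = sscanf(pszParmValue, "%d - %d%n", &low_port, &high_port, &consumed);` / `if (rc != 2 || pszParmValue[consumed] != '\0') { return false; }`; parsing with `strtol` and checking `errno == ERANGE` would close the overflow case as well. Style: `low_port < SERVER_TCP_PORT_MIN||` is missing the space before `||`.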
|
||||
@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||
lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
|
||||
/* This appears odd, but globals in s3 isn't a pointer */
|
||||
lp_ctx->globals->ctx = lp_ctx->globals;
|
||||
+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
|
||||
+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
|
||||
lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
|
||||
lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
|
||||
|
||||
@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||
|
||||
lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
|
||||
|
||||
+ lpcfg_do_global_parameter(lp_ctx,
|
||||
+ "rpc server dynamic port range",
|
||||
+ "49152-65535");
|
||||
+
|
||||
/* Allow modules to adjust defaults */
|
||||
for (defaults_hook = defaults_hooks; defaults_hook;
|
||||
defaults_hook = defaults_hook->next) {
|
||||
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
|
||||
index f9fb7d8d804..c63683d6b66 100644
|
||||
--- a/lib/param/loadparm.h
|
||||
+++ b/lib/param/loadparm.h
|
||||
@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
|
||||
#endif /* DEVELOPER */
|
||||
};
|
||||
|
||||
+#define SERVER_TCP_LOW_PORT 49152
|
||||
+#define SERVER_TCP_HIGH_PORT 65535
|
||||
+
|
||||
+#define SERVER_TCP_PORT_MIN 1024
|
||||
+#define SERVER_TCP_PORT_MAX 65535
|
||||
|
||||
|
||||
|
||||
@@ -272,7 +277,9 @@ enum inheritowner_options {
|
||||
#define LOADPARM_EXTRA_GLOBALS \
|
||||
struct parmlist_entry *param_opt; \
|
||||
char *dnsdomain; \
|
||||
- char *realm_original;
|
||||
+ char *realm_original; \
|
||||
+ int rpc_low_port; \
|
||||
+ int rpc_high_port;
|
||||
|
||||
const char* server_role_str(uint32_t role);
|
||||
int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
|
||||
diff --git a/lib/param/param.h b/lib/param/param.h
|
||||
index 66037e2ef1b..e123e67a990 100644
|
||||
--- a/lib/param/param.h
|
||||
+++ b/lib/param/param.h
|
||||
@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
|
||||
time_t *usr_tkt_lifetime,
|
||||
time_t *renewal_lifetime);
|
||||
|
||||
+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
|
||||
+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
|
||||
+
|
||||
/* The following definitions come from lib/version.c */
|
||||
|
||||
const char *samba_version_string(void);
|
||||
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
|
||||
index 22e022583f6..65df573a350 100644
|
||||
--- a/python/samba/tests/docs.py
|
||||
+++ b/python/samba/tests/docs.py
|
||||
@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
|
||||
'lprm command', 'lpq command', 'print command', 'template homedir',
|
||||
'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
|
||||
'max open files', 'fss: prune stale', 'fss: sequence timeout',
|
||||
- 'include system krb5 conf'])
|
||||
+ 'include system krb5 conf', 'rpc server dynamic port range'])
|
||||
|
||||
def setUp(self):
|
||||
super(SmbDotConfTests, self).setUp()
|
||||
@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
|
||||
exceptions = ['client lanman auth',
|
||||
'client plaintext auth',
|
||||
'registry shares',
|
||||
- 'smb ports'])
|
||||
+ 'smb ports',
|
||||
+ 'rpc server dynamic port range'])
|
||||
self._test_empty(['bin/testparm'])
|
||||
|
||||
def test_default_s4(self):
|
||||
self._test_default(['bin/samba-tool', 'testparm'])
|
||||
self._set_defaults(['bin/samba-tool', 'testparm'])
|
||||
self._set_arbitrary(['bin/samba-tool', 'testparm'],
|
||||
- exceptions = ['smb ports'])
|
||||
+ exceptions = ['smb ports',
|
||||
+ 'rpc server dynamic port range'])
|
||||
self._test_empty(['bin/samba-tool', 'testparm'])
|
||||
|
||||
def _test_default(self, program):
|
||||
@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
|
||||
|
||||
for tuples in self.defaults:
|
||||
param, default, context, param_type = tuples
|
||||
+
|
||||
if param in self.special_cases:
|
||||
continue
|
||||
section = None
|
||||
@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
|
||||
for tuples in self.defaults:
|
||||
param, default, context, param_type = tuples
|
||||
|
||||
- if param in ['printing']:
|
||||
+ if param in ['printing', 'rpc server dynamic port range']:
|
||||
continue
|
||||
|
||||
section = None
|
||||
diff --git a/source3/include/proto.h b/source3/include/proto.h
|
||||
index 642900ed67c..b3d3ca0e5d1 100644
|
||||
--- a/source3/include/proto.h
|
||||
+++ b/source3/include/proto.h
|
||||
@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
|
||||
int lp_smb2_max_credits(void);
|
||||
int lp_cups_encrypt(void);
|
||||
bool lp_widelinks(int );
|
||||
+int lp_rpc_low_port(void);
|
||||
+int lp_rpc_high_port(void);
|
||||
|
||||
int lp_wi_scan_global_parametrics(
|
||||
const char *regex, size_t max_matches,
|
||||
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
||||
index d8da749ccba..2c8380067f6 100644
|
||||
--- a/source3/param/loadparm.c
|
||||
+++ b/source3/param/loadparm.c
|
||||
@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
||||
|
||||
Globals.aio_max_threads = 100;
|
||||
|
||||
+ lpcfg_string_set(Globals.ctx,
|
||||
+ &Globals.rpc_server_dynamic_port_range,
|
||||
+ "49152-65535");
|
||||
+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
|
||||
+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
|
||||
+
|
||||
/* Now put back the settings that were set with lp_set_cmdline() */
|
||||
apply_lp_set_cmdline();
|
||||
}
|
||||
@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
|
||||
return client_ipc_signing;
|
||||
}
|
||||
|
||||
+int lp_rpc_low_port(void)
|
||||
+{
|
||||
+ return Globals.rpc_low_port;
|
||||
+}
|
||||
+
|
||||
+int lp_rpc_high_port(void)
|
||||
+{
|
||||
+ return Globals.rpc_high_port;
|
||||
+}
|
||||
+
|
||||
struct loadparm_global * get_globals(void)
|
||||
{
|
||||
return &Globals;
|
||||
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
|
||||
index 37fe68fc36d..f7fb8ef5207 100644
|
||||
--- a/source3/rpc_server/rpc_server.c
|
||||
+++ b/source3/rpc_server/rpc_server.c
|
||||
@@ -34,9 +34,6 @@
|
||||
#include "rpc_server/srv_pipe_hnd.h"
|
||||
#include "rpc_server/srv_pipe.h"
|
||||
|
||||
-#define SERVER_TCP_LOW_PORT 49152
|
||||
-#define SERVER_TCP_HIGH_PORT 65535
|
||||
-
|
||||
/* Creates a pipes_struct and initializes it with the information
|
||||
* sent from the client */
|
||||
int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
|
||||
@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
|
||||
if (*port == 0) {
|
||||
uint16_t i;
|
||||
|
||||
- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
|
||||
+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
|
||||
fd = open_socket_in(SOCK_STREAM,
|
||||
i,
|
||||
0,
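Review bot: `i` is a `uint16_t` (context line above the loop), so with the default high port of 65535 the condition `i <= lp_rpc_high_port()` can never become false by incrementing: if no port in the range can be bound, `i++` wraps to 0 and the next attempt presumably asks open_socket_in for port 0, i.e. an ephemeral port outside the administrator-configured range. This was latent with the old macro too, but now that the range is configurable and meant to be firewall-friendly the loop bound should be wider than 16 bits, e.g. `int i;` with the port passed down as `(uint16_t)i`, or an explicit break when `i == lp_rpc_high_port()` fails. The source4/smbd/service_stream.c hunk below has the same loop shape; the type of its `i` is not visible in this diff. create_tcpip_socket continues outside the hunk.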
|
||||
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
|
||||
index 96a303fc6a9..deb96d8d69d 100644
|
||||
--- a/source4/smbd/service_stream.c
|
||||
+++ b/source4/smbd/service_stream.c
|
||||
@@ -29,10 +29,6 @@
|
||||
#include "../lib/tsocket/tsocket.h"
|
||||
#include "lib/util/util_net.h"
|
||||
|
||||
-/* the range of ports to try for dcerpc over tcp endpoints */
|
||||
-#define SERVER_TCP_LOW_PORT 49152
|
||||
-#define SERVER_TCP_HIGH_PORT 65535
|
||||
-
|
||||
/* size of listen() backlog in smbd */
|
||||
#define SERVER_LISTEN_BACKLOG 10
|
||||
|
||||
@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
|
||||
if (!port) {
|
||||
status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
|
||||
} else if (*port == 0) {
|
||||
- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
|
||||
+ for (i = lpcfg_rpc_low_port(lp_ctx);
|
||||
+ i <= lpcfg_rpc_high_port(lp_ctx);
|
||||
+ i++) {
|
||||
socket_address->port = i;
|
||||
status = socket_listen(stream_socket->sock, socket_address,
|
||||
SERVER_LISTEN_BACKLOG, 0);
|
||||
--
|
||||
2.11.0
|
||||
|
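--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,7 @@
+/var/log/samba/* {
+notifempty
+olddir /var/log/samba/old
+missingok
+sharedscripts
+copytruncate
+}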
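--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth required pam_nologin.so
+auth include password-auth
+account include password-auth
+session include password-auth
+password include password-auth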
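--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,313 @@
+# This is the main Samba configuration file. For detailed information about the
+# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
+# number of configurable options, most of which are not shown in this example.
+#
+# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
+# and using Samba:
+# https://wiki.samba.org/index.php/User_Documentation
+#
+# In this file, lines starting with a semicolon (;) or a hash (#) are
+# comments and are ignored. This file uses hashes to denote commentary and
+# semicolons for parts of the file you may wish to configure.
+#
+# NOTE: Run the "testparm" command after modifying this file to check for basic
+# syntax errors.
+#
+#---------------
+# Security-Enhanced Linux (SELinux) Notes:
+#
+# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
+# useradd and groupadd family of binaries. Run the following command as the
+# root user to turn this Boolean on:
+# setsebool -P samba_domain_controller on
+#
+# Turn the samba_enable_home_dirs Boolean on if you want to share home
+# directories via Samba. Run the following command as the root user to turn this
+# Boolean on:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory, such as a new top-level directory, label it
+# with samba_share_t so that SELinux allows Samba to read and write to it. Do
+# not label system directories, such as /etc/ and /home/, with samba_share_t, as
+# such directories should already have an SELinux label.
+#
+# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
+# label for a given directory.
+#
+# Set SELinux labels only on files and directories you have created. Use the
+# chcon command to temporarily change a label:
+# chcon -t samba_share_t /path/to/directory
+#
+# Changes made via chcon are lost when the file system is relabeled or commands
+# such as restorecon are run.
+#
+# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
+# directories. To share such directories and only allow read-only permissions:
+# setsebool -P samba_export_all_ro on
+# To share such directories and allow read and write permissions:
+# setsebool -P samba_export_all_rw on
+#
+# To run scripts (preexec/root prexec/print command/...), copy them to the
+# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
+# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
+# their existing SELinux labels, which may be labels that SELinux does not allow
+# smbd to run. Copying the scripts will result in the correct SELinux labels.
+# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
+# apply the correct SELinux labels to these files.
+#
+#--------------
+#
+#======================= Global Settings =====================================
+
+[global]
+
+# ----------------------- Network-Related Options -------------------------
+#
+# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
+#
+# server string = the equivalent of the Windows NT Description field.
+#
+# netbios name = used to specify a server name that is not tied to the hostname,
+# maximum is 15 characters.
+#
+# interfaces = used to configure Samba to listen on multiple network interfaces.
+# If you have multiple interfaces, you can use the "interfaces =" option to
+# configure which of those interfaces Samba listens on. Never omit the localhost
+# interface (lo).
+#
+# hosts allow = the hosts allowed to connect. This option can also be used on a
+# per-share basis.
+#
+# hosts deny = the hosts not allowed to connect. This option can also be used on
+# a per-share basis.
+#
+workgroup = MYGROUP
+server string = Samba Server Version %v
+
+; netbios name = MYSERVER
+
+; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
+; hosts allow = 127. 192.168.12. 192.168.13.
+
+# --------------------------- Logging Options -----------------------------
+#
+# log file = specify where log files are written to and how they are split.
+#
+# max log size = specify the maximum size log files are allowed to reach. Log
+# files are rotated when they reach the size specified with "max log size".
+#
+
+# log files split per-machine:
+log file = /var/log/samba/log.%m
+# maximum size of 50KB per log file, then rotate:
+max log size = 50
+
+# ----------------------- Standalone Server Options ------------------------
+#
+# security = the mode Samba runs in. This can be set to user, share
+# (deprecated), or server (deprecated).
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+
+security = user
+passdb backend = tdbsam
+
+
+# ----------------------- Domain Members Options ------------------------
+#
+# security = must be set to domain or ads.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# realm = only use the realm option when the "security = ads" option is set.
+# The realm option specifies the Active Directory realm the host is a part of.
+#
+# password server = only use this option when the "security = server"
+# option is set, or if you cannot use DNS to locate a Domain Controller. The
+# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
+#
+# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
+#
+# Use "password server = *" to automatically locate Domain Controllers.
+
+; security = domain
+; passdb backend = tdbsam
+; realm = MY_REALM
+
+; password server = <NT-Server-Name>
+
+# ----------------------- Domain Controller Options ------------------------
+#
+# security = must be set to user for domain controllers.
+#
+# passdb backend = the backend used to store user information in. New
+# installations should use either tdbsam or ldapsam. No additional configuration
+# is required for tdbsam. The "smbpasswd" utility is available for backwards
+# compatibility.
+#
+# domain master = specifies Samba to be the Domain Master Browser, allowing
+# Samba to collate browse lists between subnets. Do not use the "domain master"
+# option if you already have a Windows NT domain controller performing this task.
+#
+# domain logons = allows Samba to provide a network logon service for Windows
+# workstations.
+#
+# logon script = specifies a script to run at login time on the client. These
+# scripts must be provided in a share named NETLOGON.
+#
+# logon path = specifies (with a UNC path) where user profiles are stored.
+#
+#
+; security = user
+; passdb backend = tdbsam
+
+; domain master = yes
+; domain logons = yes
+
+# the following login script name is determined by the machine name
+# (%m):
+; logon script = %m.bat
+# the following login script name is determined by the UNIX user used:
+; logon script = %u.bat
+; logon path = \\%L\Profiles\%u
+# use an empty path to disable profile support:
+; logon path =
+
+# various scripts can be used on a domain controller or a stand-alone
+# machine to add or delete corresponding UNIX accounts:
+
+; add user script = /usr/sbin/useradd "%u" -n -g users
+; add group script = /usr/sbin/groupadd "%g"
+; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+; delete user script = /usr/sbin/userdel "%u"
+; delete user from group script = /usr/sbin/userdel "%u" "%g"
+; delete group script = /usr/sbin/groupdel "%g"
+
+
+# ----------------------- Browser Control Options ----------------------------
+#
+# local master = when set to no, Samba does not become the master browser on
+# your network. When set to yes, normal election rules apply.
+#
+# os level = determines the precedence the server has in master browser
+# elections. The default value should be reasonable.
+#
+# preferred master = when set to yes, Samba forces a local browser election at
+# start up (and gives itself a slightly higher chance of winning the election).
+#
+; local master = no
+; os level = 33
+; preferred master = yes
+
+#----------------------------- Name Resolution -------------------------------
+#
+# This section details the support for the Windows Internet Name Service (WINS).
+#
+# Note: Samba can be either a WINS server or a WINS client, but not both.
+#
+# wins support = when set to yes, the NMBD component of Samba enables its WINS
+# server.
+#
+# wins server = tells the NMBD component of Samba to be a WINS client.
+#
+# wins proxy = when set to yes, Samba answers name resolution queries on behalf
+# of a non WINS capable client. For this to work, there must be at least one
+# WINS server on the network. The default is no.
+#
+# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
+# nslookups.
+
+; wins support = yes
+; wins server = w.x.y.z
+; wins proxy = yes
+
+; dns proxy = yes
+
+# --------------------------- Printing Options -----------------------------
+#
+# The options in this section allow you to configure a non-default printing
+# system.
+#
+# load printers = when set you yes, the list of printers is automatically
+# loaded, rather than setting them up individually.
+#
+# cups options = allows you to pass options to the CUPS library. Setting this
+# option to raw, for example, allows you to use drivers on your Windows clients.
+#
+# printcap name = used to specify an alternative printcap file.
+#
+
+load printers = yes
+cups options = raw
+
+; printcap name = /etc/printcap
+# obtain a list of printers automatically on UNIX System V systems:
+; printcap name = lpstat
+; printing = cups
+
+# --------------------------- File System Options ---------------------------
+#
+# The options in this section can be un-commented if the file system supports
+# extended attributes, and those attributes are enabled (usually via the
+# "user_xattr" mount option). These options allow the administrator to specify
+# that DOS attributes are stored in extended attributes and also make sure that
+# Samba does not change the permission bits.
+#
+# Note: These options can be used on a per-share basis. Setting them globally
+# (in the [global] section) makes them the default for all shares.
+
+; map archive = no
+; map hidden = no
+; map read only = no
+; map system = no
+; store dos attributes = yes
+
+
+#============================ Share Definitions ==============================
+
+[homes]
+comment = Home Directories
+browseable = no
+writable = yes
+; valid users = %S
+; valid users = MYDOMAIN\%S
+
+[printers]
+comment = All Printers
+path = /var/spool/samba
+browseable = no
+guest ok = no
+writable = no
+printable = yes
+
+# Un-comment the following and create the netlogon directory for Domain Logons:
+; [netlogon]
+; comment = Network Logon Service
+; path = /var/lib/samba/netlogon
+; guest ok = yes
+; writable = no
+; share modes = no
+
+# Un-comment the following to provide a specific roaming profile share.
+# The default is to use the user's home directory:
+; [Profiles]
+; path = /var/lib/samba/profiles
+; browseable = no
+; guest ok = yes
+
+# A publicly accessible directory that is read only, except for users in the
+# "staff" group (which have write permissions):
+; [public]
+; comment = Public Stuff
+; path = /home/samba
+; public = yes
+; writable = no
+; printable = no
+; write list = +staff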
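Review bot: The commented `[Profiles]` template near the end of this file sets `; guest ok = yes` on a roaming-profile share, so an administrator who uncomments it as-is exposes every user's profile data to unauthenticated clients, unlike the `[homes]` template above which keeps access per-user. Profile contents are per-user and should stay behind authentication; the template line should read `; guest ok = no`, leaving the `[netlogon]` read-only guest example as the only guest share.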
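--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,36 @@
+# See smb.conf.example for a more detailed config file or
+# read the smb.conf manpage.
+# Run 'testparm' to verify the config is correct after
+# you modified it.
+
+[global]
+workgroup = SAMBA
+security = user
+
+passdb backend = tdbsam
+
+printing = cups
+printcap name = cups
+load printers = yes
+cups options = raw
+
+[homes]
+comment = Home Directories
+valid users = %S, %D%w%S
+browseable = No
+read only = No
+inherit acls = Yes
+
+[printers]
+comment = All Printers
+path = /var/tmp
+printable = Yes
+create mask = 0600
+browseable = No
+
+[print$]
+comment = Printer Drivers
+path = /var/lib/samba/drivers
+write list = root
+create mask = 0664
+directory mask = 0775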
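Review bot: `[printers]` spools into `path = /var/tmp`, a world-writable directory shared with every local process, while the smb.conf.example shipped in this same commit points the same share at a dedicated `/var/spool/samba`. Spool files landing in a shared tmp directory are readable by other local users and exposed to name-collision games in a way a dedicated, sticky-bit spool directory is not; `create mask = 0600` protects the file contents but not the directory listing. Consider aligning the two files on `path = /var/spool/samba`, unless `/var/tmp` is deliberately chosen here for packaging reasons not visible in this diff.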