diff --git a/CVE-2018-10858.patch b/CVE-2018-10858.patch deleted file mode 100644 index 03d7718..0000000 --- a/CVE-2018-10858.patch +++ /dev/null @@ -1,199 +0,0 @@ -From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 15 Jun 2018 15:07:17 -0700 -Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in - buffer. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 - -CVE-2018-10858: Insufficient input validation on client directory - listing in libsmbclient. - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme ---- - source3/libsmb/libsmb_path.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c -index 01b0a61e483..ed70ab37550 100644 ---- a/source3/libsmb/libsmb_path.c -+++ b/source3/libsmb/libsmb_path.c -@@ -173,8 +173,13 @@ smbc_urlencode(char *dest, - } - } - -- *dest++ = '\0'; -- max_dest_len--; -+ if (max_dest_len == 0) { -+ /* Ensure we return -1 if no null termination. */ -+ return -1; -+ } -+ -+ *dest++ = '\0'; -+ max_dest_len--; - - return max_dest_len; - } --- -2.11.0 - - -From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 15 Jun 2018 15:08:17 -0700 -Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns - from malicious servers. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 - -CVE-2018-10858: Insufficient input validation on client directory - listing in libsmbclient. - -Signed-off-by: Jeremy Allison -Reviewed-by: Ralph Boehme ---- - source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------ - source3/libsmb/libsmb_path.c | 2 +- - 2 files changed, 51 insertions(+), 8 deletions(-) - -diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c -index 72441c46736..54c2bcb3c73 100644 ---- a/source3/libsmb/libsmb_dir.c -+++ b/source3/libsmb/libsmb_dir.c -@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context, - - } - --static void -+static int - smbc_readdir_internal(SMBCCTX * context, - struct smbc_dirent *dest, - struct smbc_dirent *src, - int max_namebuf_len) - { - if (smbc_getOptionUrlEncodeReaddirEntries(context)) { -+ int remaining_len; - - /* url-encode the name. get back remaining buffer space */ -- max_namebuf_len = -+ remaining_len = - smbc_urlencode(dest->name, src->name, max_namebuf_len); - -+ /* -1 means no null termination. */ -+ if (remaining_len < 0) { -+ return -1; -+ } -+ - /* We now know the name length */ - dest->namelen = strlen(dest->name); - -+ if (dest->namelen + 1 < 1) { -+ /* Integer wrap. */ -+ return -1; -+ } -+ -+ if (dest->namelen + 1 >= max_namebuf_len) { -+ /* Out of space for comment. */ -+ return -1; -+ } -+ - /* Save the pointer to the beginning of the comment */ - dest->comment = dest->name + dest->namelen + 1; - -+ if (remaining_len < 1) { -+ /* No room for comment null termination. */ -+ return -1; -+ } -+ - /* Copy the comment */ -- strncpy(dest->comment, src->comment, max_namebuf_len - 1); -- dest->comment[max_namebuf_len - 1] = '\0'; -+ strlcpy(dest->comment, src->comment, remaining_len); - - /* Save other fields */ - dest->smbc_type = src->smbc_type; -@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context, - } else { - - /* No encoding. Just copy the entry as is. */ -+ if (src->dirlen > max_namebuf_len) { -+ return -1; -+ } - memcpy(dest, src, src->dirlen); -+ if (src->namelen + 1 < 1) { -+ /* Integer wrap */ -+ return -1; -+ } -+ if (src->namelen + 1 >= max_namebuf_len) { -+ /* Comment off the end. */ -+ return -1; -+ } - dest->comment = (char *)(&dest->name + src->namelen + 1); - } -- -+ return 0; - } - - /* -@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context, - SMBCFILE *dir) - { - int maxlen; -+ int ret; - struct smbc_dirent *dirp, *dirent; - TALLOC_CTX *frame = talloc_stackframe(); - -@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context, - dirp = &context->internal->dirent; - maxlen = sizeof(context->internal->_dirent_name); - -- smbc_readdir_internal(context, dirp, dirent, maxlen); -+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen); -+ if (ret == -1) { -+ errno = EINVAL; -+ TALLOC_FREE(frame); -+ return NULL; -+ } - - dir->dir_next = dir->dir_next->next; - -@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context, - */ - - while ((dirlist = dir->dir_next)) { -+ int ret; - struct smbc_dirent *dirent; - struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir; - -@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context, - /* Do urlencoding of next entry, if so selected */ - dirent = &context->internal->dirent; - maxlen = sizeof(context->internal->_dirent_name); -- smbc_readdir_internal(context, dirent, -+ ret = smbc_readdir_internal(context, dirent, - dirlist->dirent, maxlen); -+ if (ret == -1) { -+ errno = EINVAL; -+ TALLOC_FREE(frame); -+ return -1; -+ } - - reqd = dirent->dirlen; - -diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c -index ed70ab37550..5b53b386a67 100644 ---- a/source3/libsmb/libsmb_path.c -+++ b/source3/libsmb/libsmb_path.c -@@ -173,7 +173,7 @@ smbc_urlencode(char *dest, - } - } - -- if (max_dest_len == 0) { -+ if (max_dest_len <= 0) { - /* Ensure we return -1 if no null termination. */ - return -1; - } --- -2.11.0 - diff --git a/CVE-2018-1139.patch b/CVE-2018-1139.patch deleted file mode 100644 index 77774ec..0000000 --- a/CVE-2018-1139.patch +++ /dev/null @@ -1,753 +0,0 @@ -From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Thu, 22 Feb 2018 11:54:45 +1300 -Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set - with_cmocka flag - -We have cmocka in third_party, so we are never without it. - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett - -(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6 -by Andrew Bartlett) ---- - selftest/tests.py | 18 ++++++++---------- - 1 file changed, 8 insertions(+), 10 deletions(-) - -diff --git a/selftest/tests.py b/selftest/tests.py -index 126e1184230..3f5097b680c 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -38,7 +38,6 @@ finally: - f.close() - - have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) --with_cmocka = ("HAVE_CMOCKA" in config_hash) - with_pam = ("WITH_PAM" in config_hash) - pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"] - -@@ -168,13 +167,12 @@ if with_pam: - valgrindify(python), pam_wrapper_so_path, - "$DOMAIN", "alice", "Secret007"]) - --if with_cmocka: -- plantestsuite("samba.unittests.krb5samba", "none", -- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) -- plantestsuite("samba.unittests.sambafs_srv_pipe", "none", -- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) -- plantestsuite("samba.unittests.lib_util_modules", "none", -- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) -+plantestsuite("samba.unittests.krb5samba", "none", -+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")]) -+plantestsuite("samba.unittests.sambafs_srv_pipe", "none", -+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")]) -+plantestsuite("samba.unittests.lib_util_modules", "none", -+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")]) - -- plantestsuite("samba.unittests.smb1cli_session", "none", -- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) -+plantestsuite("samba.unittests.smb1cli_session", "none", -+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) --- -2.14.4 - - -From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Fri, 27 Jul 2018 08:44:24 +1200 -Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for - ntlm_password_check() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 - -Signed-off-by: Andrew Bartlett ---- - libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++ - libcli/auth/wscript_build | 13 ++ - selftest/knownfail.d/ntlm | 2 + - selftest/tests.py | 2 + - 4 files changed, 430 insertions(+) - create mode 100644 libcli/auth/tests/ntlm_check.c - create mode 100644 selftest/knownfail.d/ntlm - -diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c -new file mode 100644 -index 00000000000..e87a0a276d4 ---- /dev/null -+++ b/libcli/auth/tests/ntlm_check.c -@@ -0,0 +1,413 @@ -+/* -+ * Unit tests for the ntlm_check password hash check library. -+ * -+ * Copyright (C) Andrew Bartlett 2018 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ * -+ */ -+ -+/* -+ * from cmocka.c: -+ * These headers or their equivalents should be included prior to -+ * including -+ * this header file. -+ * -+ * #include -+ * #include -+ * #include -+ * -+ * This allows test applications to use custom definitions of C standard -+ * library functions and types. -+ * -+ */ -+ -+/* -+ * Note that the messaging routines (audit_message_send and get_event_server) -+ * are not tested by these unit tests. Currently they are for integration -+ * test support, and as such are exercised by the integration tests. -+ */ -+#include -+#include -+#include -+#include -+ -+#include "includes.h" -+#include "../lib/crypto/crypto.h" -+#include "librpc/gen_ndr/netlogon.h" -+#include "libcli/auth/libcli_auth.h" -+#include "auth/credentials/credentials.h" -+ -+struct ntlm_state { -+ const char *username; -+ const char *domain; -+ DATA_BLOB challenge; -+ DATA_BLOB ntlm; -+ DATA_BLOB lm; -+ DATA_BLOB ntlm_key; -+ DATA_BLOB lm_key; -+ const struct samr_Password *nt_hash; -+}; -+ -+static int test_ntlm_setup_with_options(void **state, -+ int flags, bool upn) -+{ -+ NTSTATUS status; -+ DATA_BLOB challenge = { -+ .data = discard_const_p(uint8_t, "I am a teapot"), -+ .length = 8 -+ }; -+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state); -+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state, -+ NULL, -+ "serverdom"); -+ struct cli_credentials *creds = cli_credentials_init(ntlm_state); -+ cli_credentials_set_username(creds, -+ "testuser", -+ CRED_SPECIFIED); -+ cli_credentials_set_domain(creds, -+ "testdom", -+ CRED_SPECIFIED); -+ cli_credentials_set_workstation(creds, -+ "testwksta", -+ CRED_SPECIFIED); -+ cli_credentials_set_password(creds, -+ "testpass", -+ CRED_SPECIFIED); -+ -+ if (upn) { -+ cli_credentials_set_principal(creds, -+ "testuser@samba.org", -+ CRED_SPECIFIED); -+ } -+ -+ cli_credentials_get_ntlm_username_domain(creds, -+ ntlm_state, -+ &ntlm_state->username, -+ &ntlm_state->domain); -+ -+ status = cli_credentials_get_ntlm_response(creds, -+ ntlm_state, -+ &flags, -+ challenge, -+ NULL, -+ target_info, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ &ntlm_state->lm_key, -+ &ntlm_state->ntlm_key); -+ ntlm_state->challenge = challenge; -+ -+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds, -+ ntlm_state); -+ -+ if (!NT_STATUS_IS_OK(status)) { -+ return -1; -+ } -+ -+ *state = ntlm_state; -+ return 0; -+} -+ -+static int test_ntlm_setup(void **state) { -+ return test_ntlm_setup_with_options(state, 0, false); -+} -+ -+static int test_ntlm_and_lm_setup(void **state) { -+ return test_ntlm_setup_with_options(state, -+ CLI_CRED_LANMAN_AUTH, -+ false); -+} -+ -+static int test_ntlm2_setup(void **state) { -+ return test_ntlm_setup_with_options(state, -+ CLI_CRED_NTLM2, -+ false); -+} -+ -+static int test_ntlmv2_setup(void **state) { -+ return test_ntlm_setup_with_options(state, -+ CLI_CRED_NTLMv2_AUTH, -+ false); -+} -+ -+static int test_ntlm_teardown(void **state) -+{ -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ TALLOC_FREE(ntlm_state); -+ *state = NULL; -+ return 0; -+} -+ -+static void test_ntlm_allowed(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_ON, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); -+} -+ -+static void test_ntlm_allowed_lm_supplied(void **state) -+{ -+ return test_ntlm_allowed(state); -+} -+ -+static void test_ntlm_disabled(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_DISABLED, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED)); -+} -+ -+static void test_ntlm2(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_ON, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ /* -+ * NTLM2 session security (where the real challenge is the -+ * MD5(challenge, client-challenge) (in the first 8 bytes of -+ * the lm) isn't decoded by ntlm_password_check(), it must -+ * first be converted back into normal NTLM by the NTLMSSP -+ * layer -+ */ -+ assert_int_equal(NT_STATUS_V(status), -+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); -+} -+ -+static void test_ntlm_mschapv2_only_allowed(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, -+ MSV1_0_ALLOW_MSVCHAPV2, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); -+} -+ -+static void test_ntlm_mschapv2_only_denied(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), -+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); -+} -+ -+static void test_ntlmv2_only_ntlmv2(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_NTLMV2_ONLY, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK)); -+} -+ -+static void test_ntlmv2_only_ntlm(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_NTLMV2_ONLY, -+ 0, -+ &ntlm_state->challenge, -+ &ntlm_state->lm, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), -+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); -+} -+ -+static void test_ntlmv2_only_ntlm_and_lanman(void **state) -+{ -+ return test_ntlmv2_only_ntlm(state); -+} -+ -+static void test_ntlmv2_only_ntlm_once(void **state) -+{ -+ DATA_BLOB user_sess_key, lm_sess_key; -+ struct ntlm_state *ntlm_state -+ = talloc_get_type_abort(*state, -+ struct ntlm_state); -+ NTSTATUS status; -+ status = ntlm_password_check(ntlm_state, -+ false, -+ NTLM_AUTH_NTLMV2_ONLY, -+ 0, -+ &ntlm_state->challenge, -+ &data_blob_null, -+ &ntlm_state->ntlm, -+ ntlm_state->username, -+ ntlm_state->username, -+ ntlm_state->domain, -+ NULL, -+ ntlm_state->nt_hash, -+ &user_sess_key, -+ &lm_sess_key); -+ -+ assert_int_equal(NT_STATUS_V(status), -+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD)); -+} -+ -+int main(int argc, const char **argv) -+{ -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test_setup_teardown(test_ntlm_allowed, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied, -+ test_ntlm_and_lm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlm_disabled, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlm2, -+ test_ntlm2_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman, -+ test_ntlm_and_lm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once, -+ test_ntlm_setup, -+ test_ntlm_teardown), -+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2, -+ test_ntlmv2_setup, -+ test_ntlm_teardown) -+ }; -+ -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ return cmocka_run_group_tests(tests, NULL, NULL); -+} -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 475b7d69406..d319d9b879e 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS', - bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE', - source='spnego_parse.c', - deps='asn1util') -+ -+bld.SAMBA_BINARY( -+ 'test_ntlm_check', -+ source='tests/ntlm_check.c', -+ deps=''' -+ NTLM_CHECK -+ CREDENTIALS_NTLM -+ samba-credentials -+ cmocka -+ talloc -+ ''', -+ install=False -+ ) -diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm -new file mode 100644 -index 00000000000..c6e6a3739ba ---- /dev/null -+++ b/selftest/knownfail.d/ntlm -@@ -0,0 +1,2 @@ -+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied -+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( -diff --git a/selftest/tests.py b/selftest/tests.py -index 3f5097b680c..dc6486c13f8 100644 ---- a/selftest/tests.py -+++ b/selftest/tests.py -@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none", - - plantestsuite("samba.unittests.smb1cli_session", "none", - [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) -+plantestsuite("samba.unittests.ntlm_check", "none", -+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) --- -2.14.4 - - -From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 14 Mar 2018 15:36:05 +0100 -Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in - hash_password_check() - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 - -CVE-2018-1139: Weak authentication protocol allowed. - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - libcli/auth/ntlm_check.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c -index 3b02adc1d48..1c6499bd210 100644 ---- a/libcli/auth/ntlm_check.c -+++ b/libcli/auth/ntlm_check.c -@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, - const struct samr_Password *stored_nt) - { - if (stored_nt == NULL) { -- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n", -+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n", - username)); - } - -@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, - if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) { - return NT_STATUS_OK; - } else { -- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n", -+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } - - } else if (client_lanman && stored_lanman) { - if (!lanman_auth) { -- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", -+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } -@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, - if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) { - return NT_STATUS_OK; - } else { -- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n", -+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n", - username)); - return NT_STATUS_WRONG_PASSWORD; - } --- -2.14.4 - - -From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Wed, 14 Mar 2018 15:35:01 +0100 -Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in - ntlm_password_check(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 - -CVE-2018-1139: Weak authentication protocol allowed. - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - source3/utils/ntlm_auth.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c -index 3f544902a24..8f77680416f 100644 ---- a/source3/utils/ntlm_auth.c -+++ b/source3/utils/ntlm_auth.c -@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context, - *pauthoritative = 1; - - nt_status = ntlm_password_check(mem_ctx, -- true, true, 0, -+ true, NTLM_AUTH_ON, 0, - &auth4_context->challenge.data, - &user_info->password.response.lanman, - &user_info->password.response.nt, -@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod - - nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash); - nt_status = ntlm_password_check(mem_ctx, -- true, true, 0, -+ true, -+ NTLM_AUTH_ON, -+ 0, - &challenge, - &lm_response, - &nt_response, --- -2.14.4 - - -From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Fri, 16 Mar 2018 17:25:12 +0100 -Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used - via SMB1 when it is disabled. - -Right now, this test will succeed. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 - -CVE-2018-1139: Weak authentication protocol allowed. - -Guenther - -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - source3/selftest/tests.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 9092c1776c8..034c014e5b8 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb - plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) - plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) - --for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]: -+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]: - for env in ["nt4_member", "ad_member"]: - plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) - plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options]) --- -2.14.4 - - -From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Tue, 13 Mar 2018 16:56:20 +0100 -Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 - when it is disabled via "ntlm auth". - -This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. - -Found by Vivek Das (Red Hat QE). - -In order to demonstrate simply run: - -smbclient //server/share -U user%password -mNT1 -c quit \ ---option="client ntlmv2 auth"=no \ ---option="client use spnego"=no - -against a server that uses "ntlm auth = ntlmv2-only" (our default -setting). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 - -CVE-2018-1139: Weak authentication protocol allowed. - -Guenther - -Pair-Programmed-With: Stefan Metzmacher -Signed-off-by: Guenther Deschner -Reviewed-by: Andreas Schneider ---- - libcli/auth/ntlm_check.c | 2 +- - selftest/knownfail | 3 ++- - selftest/knownfail.d/ntlm | 2 -- - 3 files changed, 3 insertions(+), 4 deletions(-) - delete mode 100644 selftest/knownfail.d/ntlm - -diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c -index 1c6499bd210..b68e9c87888 100644 ---- a/libcli/auth/ntlm_check.c -+++ b/libcli/auth/ntlm_check.c -@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - - I think this is related to Win9X pass-though authentication - */ - DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n")); -- if (ntlm_auth) { -+ if (ntlm_auth == NTLM_AUTH_ON) { - if (smb_pwd_check_ntlmv1(mem_ctx, - lm_response, - stored_nt->hash, challenge, -diff --git a/selftest/knownfail b/selftest/knownfail -index ba16fd72290..84776d4f35d 100644 ---- a/selftest/knownfail -+++ b/selftest/knownfail -@@ -303,8 +303,9 @@ - ^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\) - # fl2000dc doesn't support AES - ^samba4.krb5.kdc.*as-req-aes.*fl2000dc --# nt4_member and ad_member don't support ntlmv1 -+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1) - ^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user -+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user - #nt-vfs server blocks read with execute access - ^samba4.smb2.read.access - #ntvfs server blocks copychunk with execute access on read handle -diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm -deleted file mode 100644 -index c6e6a3739ba..00000000000 ---- a/selftest/knownfail.d/ntlm -+++ /dev/null -@@ -1,2 +0,0 @@ --^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied --^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\( --- -2.14.4 - diff --git a/samba-4.10-fix_gencache_debug_message.patch b/samba-4.10-fix_gencache_debug_message.patch new file mode 100644 index 0000000..2440c97 --- /dev/null +++ b/samba-4.10-fix_gencache_debug_message.patch @@ -0,0 +1,38 @@ +From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 17 Jan 2019 13:58:14 +0100 +Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries. + +To get correct values, we need to cast 'timeout' to 'long int' first in +order to do calculation in that integer space! Calculations are don in +the space of the lvalue! + +Signed-off-by: Andreas Schneider +Reviewed-by: Volker Lendecke +--- + source3/lib/gencache.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c +index ab12fc1c531..9f4e1cfcaa3 100644 +--- a/source3/lib/gencache.c ++++ b/source3/lib/gencache.c +@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob, + dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len }; + dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length }; + +- DEBUG(10, ("Adding cache entry with key=[%s] and timeout=" +- "[%s] (%d seconds %s)\n", keystr, ++ DBG_DEBUG("Adding cache entry with key=[%s] and timeout=" ++ "[%s] (%ld seconds %s)\n", keystr, + timestring(talloc_tos(), timeout), +- (int)(timeout - time(NULL)), +- timeout > time(NULL) ? "ahead" : "in the past")); ++ ((long int)timeout) - time(NULL), ++ timeout > time(NULL) ? "ahead" : "in the past"); + + ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr), + dbufs, 2, 0); +-- +2.20.1 + diff --git a/samba-4.8.3-fix_krb5_plugins.patch b/samba-4.8.3-fix_krb5_plugins.patch deleted file mode 100644 index 86aeadb..0000000 --- a/samba-4.8.3-fix_krb5_plugins.patch +++ /dev/null @@ -1,270 +0,0 @@ -From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Jun 2018 14:06:39 +0200 -Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - nsswitch/wscript_build | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build -index 15e93db2f05..576855bb56c 100644 ---- a/nsswitch/wscript_build -+++ b/nsswitch/wscript_build -@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'): - ) - - if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): -- bld.SAMBA_LIBRARY('winbind_krb5_locator', -- source='winbind_krb5_locator.c', -- deps='wbclient krb5 com_err', -- realname='winbind_krb5_locator.so') -+ bld.SAMBA_LIBRARY('winbind_krb5_locator', -+ source='winbind_krb5_locator.c', -+ deps='wbclient krb5 com_err', -+ realname='winbind_krb5_locator.so', -+ install_path='${MODULESDIR}/krb5') - - if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'): - bld.SAMBA_LIBRARY('winbind_krb5_localauth', - source='krb5_plugin/winbind_krb5_localauth.c', - deps='wbclient krb5 com_err', -- realname='winbind-krb5-localauth.so') -+ realname='winbind_krb5_localauth.so', -+ install_path='${MODULESDIR}/krb5') - - bld.SAMBA_SUBSYSTEM('WB_REQTRANS', - source='wb_reqtrans.c', --- -2.17.1 - - -From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Jun 2018 14:08:56 +0200 -Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin - subdir - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0 - nsswitch/wscript_build | 2 +- - 2 files changed, 1 insertion(+), 1 deletion(-) - rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%) - -diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c -similarity index 100% -rename from nsswitch/winbind_krb5_locator.c -rename to nsswitch/krb5_plugin/winbind_krb5_locator.c -diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build -index 576855bb56c..dd1952b799b 100644 ---- a/nsswitch/wscript_build -+++ b/nsswitch/wscript_build -@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'): - - if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): - bld.SAMBA_LIBRARY('winbind_krb5_locator', -- source='winbind_krb5_locator.c', -+ source='krb5_plugin/winbind_krb5_locator.c', - deps='wbclient krb5 com_err', - realname='winbind_krb5_locator.so', - install_path='${MODULESDIR}/krb5') --- -2.17.1 - - -From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Jun 2018 15:14:15 +0200 -Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8 - -The vfs and idmap manpages are in volume 8 too. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - ...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++--- - docs-xml/wscript_build | 2 +- - 2 files changed, 4 insertions(+), 4 deletions(-) - rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%) - -diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml -similarity index 96% -rename from docs-xml/manpages/winbind_krb5_locator.7.xml -rename to docs-xml/manpages/winbind_krb5_locator.8.xml -index 17e401a9da0..0af0c2cc95f 100644 ---- a/docs-xml/manpages/winbind_krb5_locator.7.xml -+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml -@@ -1,12 +1,12 @@ - - -- -+ - - - winbind_krb5_locator -- 7 -+ 8 - Samba -- 7 -+ 8 - &doc.version; - - -diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build -index 954c62a29bc..2d686eb38b0 100644 ---- a/docs-xml/wscript_build -+++ b/docs-xml/wscript_build -@@ -103,7 +103,7 @@ pam_winbind_manpages = ''' - manpages/pam_winbind.conf.5 - ''' - --krb5_locator_manpages = 'manpages/winbind_krb5_locator.7' -+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8' - - def smbdotconf_generate_parameter_list(task): - parameter_all = task.outputs[0].bldpath(task.env) --- -2.17.1 - - -From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Wed, 27 Jun 2018 15:06:07 +0200 -Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489 - -Signed-off-by: Andreas Schneider -Reviewed-by: Alexander Bokovoy ---- - .../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++ - docs-xml/wscript_build | 4 + - 2 files changed, 90 insertions(+) - create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml - -diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml -new file mode 100644 -index 00000000000..a382e71ead3 ---- /dev/null -+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml -@@ -0,0 +1,86 @@ -+ -+ -+ -+ -+ -+ winbind_krb5_localauth -+ 8 -+ Samba -+ 8 -+ &doc.version; -+ -+ -+ -+ -+ winbind_krb5_localauth -+ A plugin for MIT Kerberos for mapping user accounts. -+ -+ -+ -+ -+ DESCRIPTION -+ -+ -+ This plugin is part of the -+ samba -+ 7 suite. -+ -+ -+ -+ winbind_krb5_localauth is a plugin that -+ permits the MIT Kerberos libraries that Kerberos principals can -+ be validated against local user accounts. -+ -+ -+ -+ PREREQUISITES -+ -+ MIT Kerberos (at least version 1.12) is required. -+ -+ -+ -+ The plugin queries the winbindd -+ 8 daemon which needs to be configured -+ and started separately. -+ -+ -+ -+ The following sections needs to be added to the -+ krb5.conf file. -+ -+ -+[plugins] -+ localauth = { -+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so -+ enable_only = winbind -+ } -+ -+ -+ -+ -+ -+ VERSION -+ -+ -+ This man page is part of version &doc.version; of the Samba -+ suite. -+ -+ -+ -+ -+ AUTHOR -+ -+ -+ The original Samba software and related utilities were created -+ by Andrew Tridgell. Samba is now developed by the Samba Team as -+ an Open Source project similar to the way the Linux kernel is -+ developed. -+ -+ -+ -+ The winbind_krb5_localauth manpage was written by Andreas -+ Schneider. -+ -+ -+ -+ -diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build -index 2d686eb38b0..ec5d28fc62a 100644 ---- a/docs-xml/wscript_build -+++ b/docs-xml/wscript_build -@@ -104,6 +104,7 @@ pam_winbind_manpages = ''' - ''' - - krb5_locator_manpages = 'manpages/winbind_krb5_locator.8' -+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8' - - def smbdotconf_generate_parameter_list(task): - parameter_all = task.outputs[0].bldpath(task.env) -@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']): - if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'): - bld.SAMBAMANPAGES(krb5_locator_manpages) - -+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'): -+ bld.SAMBAMANPAGES(krb5_localauth_manpages) -+ - if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'): - bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8') --- -2.17.1 - diff --git a/samba-4.8.3-fix_winbind_getpwnam_local_user.patch b/samba-4.8.3-fix_winbind_getpwnam_local_user.patch deleted file mode 100644 index f3b9d89..0000000 --- a/samba-4.8.3-fix_winbind_getpwnam_local_user.patch +++ /dev/null @@ -1,216 +0,0 @@ -From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Mon, 2 Jul 2018 16:18:52 +0200 -Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme -(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c) ---- - nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++----- - selftest/knownfail.d/upn_handling | 2 + - source3/selftest/tests.py | 4 +- - 3 files changed, 66 insertions(+), 11 deletions(-) - -diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh -index 2803ac1408b..da30f97be74 100755 ---- a/nsswitch/tests/test_wbinfo_user_info.sh -+++ b/nsswitch/tests/test_wbinfo_user_info.sh -@@ -2,19 +2,20 @@ - # Blackbox test for wbinfo lookup for account name and upn - # Copyright (c) 2018 Andreas Schneider - --if [ $# -lt 5 ]; then -+if [ $# -lt 6 ]; then - cat < -Date: Mon, 2 Jul 2018 16:38:01 +0200 -Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503 - -Signed-off-by: Andreas Schneider -Reviewed-by: Ralph Boehme - -Autobuild-User(master): Ralph Böhme -Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144 - -(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c) ---- - selftest/knownfail.d/upn_handling | 2 -- - source3/winbindd/winbindd_util.c | 2 ++ - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling -index 7dc9b71dc5e..bcbedb4f903 100644 ---- a/selftest/knownfail.d/upn_handling -+++ b/selftest/knownfail.d/upn_handling -@@ -1,10 +1,8 @@ - ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member - ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member --^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member - ^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc - ^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc - ^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc - ^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc - ^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc - ^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc --^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc -diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c -index aa633419c9a..7a5fb73cdef 100644 ---- a/source3/winbindd/winbindd_util.c -+++ b/source3/winbindd/winbindd_util.c -@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser, - } else if (assume_domain(lp_workgroup())) { - fstrcpy(domain, lp_workgroup()); - fstrcpy(namespace, domain); -+ } else { -+ fstrcpy(namespace, lp_netbios_name()); - } - } - --- -2.13.6 - diff --git a/samba-4.8.3-smbclient_quiet_argument.patch b/samba-4.8.3-smbclient_quiet_argument.patch deleted file mode 100644 index 6ee5623..0000000 --- a/samba-4.8.3-smbclient_quiet_argument.patch +++ /dev/null @@ -1,64 +0,0 @@ -From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001 -From: Justin Stephenson -Date: Mon, 25 Jun 2018 09:58:56 -0400 -Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add quiet command-line argument to allow suppressing the help log -message printed automatically after establishing a smbclient connection - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485 - -Signed-off-by: Justin Stephenson -Reviewed-by: Andreas Schneider -Reviewed-by: Björn Baumbach -(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72) ---- - source3/client/client.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/source3/client/client.c b/source3/client/client.c -index 2c1c76036f7..c836e5a0477 100644 ---- a/source3/client/client.c -+++ b/source3/client/client.c -@@ -52,6 +52,7 @@ static int port = 0; - static char *service; - static char *desthost; - static bool grepable = false; -+static bool quiet = false; - static char *cmdstr = NULL; - const char *cmd_ptr = NULL; - -@@ -6059,7 +6060,9 @@ static int process_stdin(void) - { - int rc = 0; - -- d_printf("Try \"help\" to get a list of possible commands.\n"); -+ if (!quiet) { -+ d_printf("Try \"help\" to get a list of possible commands.\n"); -+ } - - while (!finished) { - TALLOC_CTX *frame = talloc_stackframe(); -@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[]) - { "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" }, - { "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" }, - { "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" }, -+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" }, - { "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" }, - POPT_COMMON_SAMBA - POPT_COMMON_CONNECTION -@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[]) - case 'g': - grepable=true; - break; -+ case 'q': -+ quiet=true; -+ break; - case 'e': - smb_encrypt=true; - break; --- -2.17.1 diff --git a/samba-4.8.3.tar.asc b/samba-4.8.3.tar.asc deleted file mode 100644 index 149c42f..0000000 --- a/samba-4.8.3.tar.asc +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq -U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg== -=em2I ------END PGP SIGNATURE----- diff --git a/samba-4.8.3.tar.xz b/samba-4.8.3.tar.xz deleted file mode 100644 index d811ca0..0000000 --- a/samba-4.8.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b73a8bce7881bfaa1b1fd2aaf502fb21f313555b92330437a4acc440dd7a3d55 -size 11467348 diff --git a/samba-4.9-CVE-2019-3880.patch b/samba-4.9-CVE-2019-3880.patch new file mode 100644 index 0000000..eded5d9 --- /dev/null +++ b/samba-4.9-CVE-2019-3880.patch @@ -0,0 +1,151 @@ +From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 21 Mar 2019 14:51:30 -0700 +Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of + SaveKey/RestoreKey. + +The were not using VFS backend calls and could only work +locally, and were unsafe against symlink races and other +security issues. + +If the incoming handle is valid, return WERR_BAD_PATHNAME. + +[MS-RRP] states "The format of the file name is implementation-specific" +so ensure we don't allow this. + +As reported by Michael Hanselmann. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851 + +Signed-off-by: Jeremy Allison +Reviewed-by: Andrew Bartlett +--- + source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++----------------------------- + 1 file changed, 4 insertions(+), 88 deletions(-) + +diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c +index d9ee8d0602d..816c6bb2a12 100644 +--- a/source3/rpc_server/winreg/srv_winreg_nt.c ++++ b/source3/rpc_server/winreg/srv_winreg_nt.c +@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p, + } + + /******************************************************************* +- ********************************************************************/ +- +-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) +-{ +- char *p = NULL; +- int num_services = lp_numservices(); +- int snum = -1; +- const char *share_path = NULL; +- char *fname = *pp_fname; +- +- /* convert to a unix path, stripping the C:\ along the way */ +- +- if (!(p = valid_share_pathname(ctx, fname))) { +- return -1; +- } +- +- /* has to exist within a valid file share */ +- +- for (snum=0; snumin.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from " +- "\"%s\"\n", regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1) +- return WERR_BAD_PATHNAME; +- +- /* user must posses SeRestorePrivilege for this this proceed */ +- +- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) { +- return WERR_ACCESS_DENIED; +- } +- +- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_restorekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p, + struct winreg_SaveKey *r) + { + struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n", +- regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 ) +- return WERR_BAD_PATHNAME; +- +- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_savekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +-- +2.11.0 + diff --git a/samba-4.9-add_smbc_setOptionProtocols.patch b/samba-4.9-add_smbc_setOptionProtocols.patch new file mode 100644 index 0000000..08c88a1 --- /dev/null +++ b/samba-4.9-add_smbc_setOptionProtocols.patch @@ -0,0 +1,280 @@ +From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 4 Sep 2018 15:48:03 +0200 +Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6) +--- + source3/include/libsmbclient.h | 19 ++- + source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++ + source3/libsmb/libsmb_setget.c | 18 +++ + source3/libsmb/wscript | 2 +- + 4 files changed, 222 insertions(+), 2 deletions(-) + create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs + +diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h +index ca5c7f87f71..5e4a1715402 100644 +--- a/source3/include/libsmbclient.h ++++ b/source3/include/libsmbclient.h +@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c); + void + smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b); + +- ++/** ++ * @brief Set the 'client min protocol' and the 'client max protocol'. ++ * ++ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max ++ * protocol' set in the smb.conf file! ++ * ++ * @param[in] c The smbc context to use. ++ * ++ * @param[in] min_proto The minimal protocol to use or NULL for leaving it ++ * untouched. ++ * ++ * @param[in] max_proto The maximum protocol to use or NULL for leaving it ++ * untouched. ++ * ++ * @returns true for success, false otherwise ++ */ ++smbc_bool ++smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto); + + /************************************* + * Getters and setters for FUNCTIONS * +diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs +new file mode 100644 +index 00000000000..b4245979c24 +--- /dev/null ++++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs +@@ -0,0 +1,185 @@ ++smbc_chmod: int (const char *, mode_t) ++smbc_close: int (int) ++smbc_closedir: int (int) ++smbc_creat: int (const char *, mode_t) ++smbc_fgetxattr: int (int, const char *, const void *, size_t) ++smbc_flistxattr: int (int, char *, size_t) ++smbc_free_context: int (SMBCCTX *, int) ++smbc_fremovexattr: int (int, const char *) ++smbc_fsetxattr: int (int, const char *, const void *, size_t, int) ++smbc_fstat: int (int, struct stat *) ++smbc_fstatvfs: int (int, struct statvfs *) ++smbc_ftruncate: int (int, off_t) ++smbc_getDebug: int (SMBCCTX *) ++smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *) ++smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *) ++smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *) ++smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *) ++smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *) ++smbc_getFunctionClose: smbc_close_fn (SMBCCTX *) ++smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *) ++smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *) ++smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *) ++smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *) ++smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *) ++smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *) ++smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *) ++smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *) ++smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *) ++smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *) ++smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *) ++smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *) ++smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *) ++smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *) ++smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *) ++smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *) ++smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *) ++smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *) ++smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *) ++smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *) ++smbc_getFunctionRead: smbc_read_fn (SMBCCTX *) ++smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *) ++smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *) ++smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *) ++smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *) ++smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *) ++smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *) ++smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *) ++smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *) ++smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *) ++smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *) ++smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *) ++smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *) ++smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *) ++smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *) ++smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *) ++smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *) ++smbc_getNetbiosName: const char *(SMBCCTX *) ++smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *) ++smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *) ++smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *) ++smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *) ++smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *) ++smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *) ++smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *) ++smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *) ++smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *) ++smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *) ++smbc_getOptionUseCCache: smbc_bool (SMBCCTX *) ++smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *) ++smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *) ++smbc_getOptionUserData: void *(SMBCCTX *) ++smbc_getPort: uint16_t (SMBCCTX *) ++smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *) ++smbc_getTimeout: int (SMBCCTX *) ++smbc_getUser: const char *(SMBCCTX *) ++smbc_getWorkgroup: const char *(SMBCCTX *) ++smbc_getdents: int (unsigned int, struct smbc_dirent *, int) ++smbc_getxattr: int (const char *, const char *, const void *, size_t) ++smbc_init: int (smbc_get_auth_data_fn, int) ++smbc_init_context: SMBCCTX *(SMBCCTX *) ++smbc_lgetxattr: int (const char *, const char *, const void *, size_t) ++smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn) ++smbc_listxattr: int (const char *, char *, size_t) ++smbc_llistxattr: int (const char *, char *, size_t) ++smbc_lremovexattr: int (const char *, const char *) ++smbc_lseek: off_t (int, off_t, int) ++smbc_lseekdir: int (int, off_t) ++smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int) ++smbc_mkdir: int (const char *, mode_t) ++smbc_new_context: SMBCCTX *(void) ++smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *) ++smbc_open: int (const char *, int, mode_t) ++smbc_open_print_job: int (const char *) ++smbc_opendir: int (const char *) ++smbc_option_get: void *(SMBCCTX *, char *) ++smbc_option_set: void (SMBCCTX *, char *, ...) ++smbc_print_file: int (const char *, const char *) ++smbc_read: ssize_t (int, void *, size_t) ++smbc_readdir: struct smbc_dirent *(unsigned int) ++smbc_readdirplus: const struct libsmb_file_info *(unsigned int) ++smbc_removexattr: int (const char *, const char *) ++smbc_rename: int (const char *, const char *) ++smbc_rmdir: int (const char *) ++smbc_setConfiguration: int (SMBCCTX *, const char *) ++smbc_setDebug: void (SMBCCTX *, int) ++smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn) ++smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn) ++smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn) ++smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn) ++smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn) ++smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn) ++smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn) ++smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn) ++smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn) ++smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn) ++smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn) ++smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn) ++smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn) ++smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn) ++smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn) ++smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn) ++smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn) ++smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn) ++smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn) ++smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn) ++smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn) ++smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn) ++smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn) ++smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn) ++smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn) ++smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn) ++smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn) ++smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn) ++smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn) ++smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn) ++smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn) ++smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn) ++smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn) ++smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn) ++smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn) ++smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn) ++smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn) ++smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn) ++smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn) ++smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn) ++smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn) ++smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn) ++smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn) ++smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn) ++smbc_setNetbiosName: void (SMBCCTX *, const char *) ++smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int) ++smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool) ++smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool) ++smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool) ++smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool) ++smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool) ++smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool) ++smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode) ++smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *) ++smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level) ++smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool) ++smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool) ++smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool) ++smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool) ++smbc_setOptionUserData: void (SMBCCTX *, void *) ++smbc_setPort: void (SMBCCTX *, uint16_t) ++smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *) ++smbc_setTimeout: void (SMBCCTX *, int) ++smbc_setUser: void (SMBCCTX *, const char *) ++smbc_setWorkgroup: void (SMBCCTX *, const char *) ++smbc_set_context: SMBCCTX *(SMBCCTX *) ++smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *) ++smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *) ++smbc_setxattr: int (const char *, const char *, const void *, size_t, int) ++smbc_stat: int (const char *, struct stat *) ++smbc_statvfs: int (char *, struct statvfs *) ++smbc_telldir: off_t (int) ++smbc_unlink: int (const char *) ++smbc_unlink_print_job: int (const char *, int) ++smbc_urldecode: int (char *, char *, size_t) ++smbc_urlencode: int (char *, char *, int) ++smbc_utime: int (const char *, struct utimbuf *) ++smbc_utimes: int (const char *, struct timeval *) ++smbc_version: const char *(void) ++smbc_write: ssize_t (int, const void *, size_t) +diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c +index 60b822a395c..b1c4ff3b557 100644 +--- a/source3/libsmb/libsmb_setget.c ++++ b/source3/libsmb/libsmb_setget.c +@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b) + } + } + ++smbc_bool ++smbc_setOptionProtocols(SMBCCTX *c, ++ const char *min_proto, ++ const char *max_proto) ++{ ++ bool ok = true; ++ ++ if (min_proto != NULL) { ++ ok = lp_set_cmdline("client min protocol", min_proto); ++ } ++ ++ if (max_proto != NULL) { ++ ok &= lp_set_cmdline("client min protocol", max_proto); ++ } ++ ++ return ok; ++} ++ + /** Get the function for obtaining authentication data */ + smbc_get_auth_data_fn + smbc_getFunctionAuthData(SMBCCTX *c) +diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript +index 5482aea7d9c..298afc3c0e3 100644 +--- a/source3/libsmb/wscript ++++ b/source3/libsmb/wscript +@@ -27,5 +27,5 @@ def build(bld): + public_headers='../include/libsmbclient.h', + abi_directory='ABI', + abi_match='smbc_*', +- vnum='0.4.0', ++ vnum='0.5.0', + pc_files='smbclient.pc') +-- +2.19.2 + diff --git a/samba-4.9-disable_netbios.patch b/samba-4.9-disable_netbios.patch new file mode 100644 index 0000000..4191502 --- /dev/null +++ b/samba-4.9-disable_netbios.patch @@ -0,0 +1,252 @@ +From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Thu, 3 Jan 2019 12:07:01 -0500 +Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect + +If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED +for a port 139 connection in the low level socket connection code. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 + +Signed-off-by: Justin Stephenson +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9) +--- + source3/libsmb/smbsock_connect.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c +index 9f915e1bb42..bb3cb07646c 100644 +--- a/source3/libsmb/smbsock_connect.c ++++ b/source3/libsmb/smbsock_connect.c +@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, + tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup); + + if (port == NBT_SMB_PORT) { ++ if (lp_disable_netbios()) { ++ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED); ++ return tevent_req_post(req, ev); ++ } ++ + state->req_139 = nb_connect_send(state, state->ev, state->addr, + state->called_name, + state->called_type, +-- +2.20.1 + + +From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Mon, 17 Dec 2018 14:40:33 -0500 +Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios + +With a preceding patch, cli_connect_nb() will return +NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. + +Print an informative error message to indicate Netbios is disabled +if this occurs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 + +Signed-off-by: Justin Stephenson +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b) +--- + source3/libsmb/clidfs.c | 10 +++++++--- + source3/libsmb/libsmb_server.c | 4 ++++ + 2 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c +index 0dfb8b33606..4342a3b1d1b 100644 +--- a/source3/libsmb/clidfs.c ++++ b/source3/libsmb/clidfs.c +@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx, + flags, &c); + + if (!NT_STATUS_IS_OK(status)) { +- d_printf("Connection to %s failed (Error %s)\n", +- server, +- nt_errstr(status)); ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ DBG_ERR("NetBIOS support disabled, unable to connect"); ++ } ++ ++ DBG_WARNING("Connection to %s failed (Error %s)\n", ++ server, ++ nt_errstr(status)); + return status; + } + +diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c +index 67dfcf72327..0067df48cac 100644 +--- a/source3/libsmb/libsmb_server.c ++++ b/source3/libsmb/libsmb_server.c +@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx, + } + + if (!NT_STATUS_IS_OK(status)) { ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ DBG_ERR("NetBIOS support disabled, unable to connect"); ++ } ++ + errno = map_errno_from_nt_status(status); + return NULL; + } +-- +2.20.1 + + +From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Mon, 17 Dec 2018 14:57:59 -0500 +Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios + +With a preceding patch, cli_connect_nb() will return +NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. + +Print an informative error message to indicate Netbios is disabled +if this occurs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 + +Signed-off-by: Justin Stephenson +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098) +--- + source3/libsmb/passchange.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c +index 48ffba8036f..f60e3079975 100644 +--- a/source3/libsmb/passchange.c ++++ b/source3/libsmb/passchange.c +@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine, + result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL, + SMB_SIGNING_IPC_DEFAULT, 0, &cli); + if (!NT_STATUS_IS_OK(result)) { +- if (asprintf(err_str, "Unable to connect to SMB server on " +- "machine %s. Error was : %s.\n", +- remote_machine, nt_errstr(result))==-1) { +- *err_str = NULL; ++ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) { ++ if (asprintf(err_str, "Unable to connect to SMB server on " ++ "machine %s. NetBIOS support disabled\n", ++ remote_machine) == -1) { ++ *err_str = NULL; ++ } ++ } else { ++ if (asprintf(err_str, "Unable to connect to SMB server on " ++ "machine %s. Error was : %s.\n", ++ remote_machine, nt_errstr(result))==-1) { ++ *err_str = NULL; ++ } + } + return result; + } +-- +2.20.1 + + +From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Mon, 17 Dec 2018 15:17:24 -0500 +Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios + +With a preceding patch, cli_connect_nb() will return +NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf. + +Print an informative error message to indicate Netbios is disabled +if this occurs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 + +Signed-off-by: Justin Stephenson +Reviewed-by: Noel Power +Reviewed-by: Jeremy Allison +(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397) +--- + source3/utils/net_rpc.c | 3 +++ + source3/utils/net_time.c | 9 +++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index 67fff2f4d1b..91ad90f9594 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags) + lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT, + 0, &cli); + if (!NT_STATUS_IS_OK(status)) { ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ DBG_ERR("NetBIOS support disabled, unable to connect\n"); ++ } + return false; + } + status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE, +diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c +index 0091fc86333..5e6cf2ea15d 100644 +--- a/source3/utils/net_time.c ++++ b/source3/utils/net_time.c +@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host, + status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(), + SMB_SIGNING_DEFAULT, 0, &cli); + if (!NT_STATUS_IS_OK(status)) { +- fprintf(stderr, _("Can't contact server %s. Error %s\n"), +- host, nt_errstr(status)); ++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) { ++ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled," ++ " Error %s\n", host, nt_errstr(status)); ++ } else { ++ fprintf(stderr, "Can't contact server %s. Error %s\n", ++ host, nt_errstr(status)); ++ } + goto done; + } + +-- +2.20.1 + + +From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Mon, 14 Jan 2019 10:36:47 -0500 +Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in + smbsock_connect_send + +If disable_netbios is set, return before the tevent timer is triggered +to prevent outgoing netbios connections. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727 + +Signed-off-by: Justin Stephenson +Reviewed-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8) +--- + source3/libsmb/smbsock_connect.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c +index bb3cb07646c..be52b9a4f79 100644 +--- a/source3/libsmb/smbsock_connect.c ++++ b/source3/libsmb/smbsock_connect.c +@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx, + tevent_req_set_callback(state->req_445, smbsock_connect_connected, + req); + ++ /* ++ * Check for disable_netbios ++ */ ++ if (lp_disable_netbios()) { ++ return req; ++ } ++ + /* + * After 5 msecs, fire the 139 (NBT) request + */ +-- +2.20.1 + diff --git a/samba-4.9-doc_smbclient_max_protocol.patch b/samba-4.9-doc_smbclient_max_protocol.patch new file mode 100644 index 0000000..748a515 --- /dev/null +++ b/samba-4.9-doc_smbclient_max_protocol.patch @@ -0,0 +1,37 @@ +From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 22 Mar 2019 14:39:11 +0100 +Subject: [PATCH] docs: Update smbclient manpage for --max-protocol + +We default to SMB3 now. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857 + +Signed-off-by: Andreas Schneider +Reviewed-by: Alexander Bokovoy +Reviewed-by: Ralph Boehme +(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9) +--- + docs-xml/manpages/smbclient.1.xml | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml +index e71a21a95e3..e25f7d3517b 100644 +--- a/docs-xml/manpages/smbclient.1.xml ++++ b/docs-xml/manpages/smbclient.1.xml +@@ -261,9 +261,9 @@ + This allows the user to select the + highest SMB protocol level that smbclient will use to + connect to the server. By default this is set to +- NT1, which is the highest available SMB1 protocol. +- To connect using SMB2 or SMB3 protocol, use the +- strings SMB2 or SMB3 respectively. Note that to connect ++ highest available SMB3 protocol version. ++ To connect using SMB2 or SMB1 protocol, use the ++ strings SMB2 or NT1 respectively. Note that to connect + to a Windows 2012 server with encrypted transport selecting + a max-protocol of SMB3 is required. + +-- +2.21.0 + diff --git a/samba-4.8-fix_cups_smbspool_backend.part2.patch b/samba-4.9-fix_cups_printing.patch similarity index 97% rename from samba-4.8-fix_cups_smbspool_backend.part2.patch rename to samba-4.9-fix_cups_printing.patch index f682db0..80da965 100644 --- a/samba-4.8-fix_cups_smbspool_backend.part2.patch +++ b/samba-4.9-fix_cups_printing.patch @@ -1,4 +1,4 @@ -From ab9266a2907fe523937d8576f6de7313d577c2e8 Mon Sep 17 00:00:00 2001 +From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 13 May 2019 16:55:49 +0200 Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups @@ -66,7 +66,7 @@ index 5c4da33238b..e6684fc0d0c 100644 2.21.0 -From d3ab97ba608b0c3000e733e3e56dd7da7bae617a Mon Sep 17 00:00:00 2001 +From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 16 May 2019 13:41:02 +0200 Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate @@ -82,7 +82,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 11 insertions(+) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ecaaf3c3f22..98959bb677b 100644 +index c404b3a3f69..78c13b9ebdb 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) { @@ -114,7 +114,7 @@ index ecaaf3c3f22..98959bb677b 100644 2.21.0 -From b8588870940e282aa2d5f9d553771fcba91681c7 Mon Sep 17 00:00:00 2001 +From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 16 May 2019 14:25:00 +0200 Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME @@ -151,7 +151,7 @@ index e6684fc0d0c..2cdcd372ec6 100644 2.21.0 -From 30feae8f20fb60999727cc4a6777b2823db46a64 Mon Sep 17 00:00:00 2001 +From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 16 May 2019 17:10:57 +0200 Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid @@ -190,7 +190,7 @@ index 2cdcd372ec6..3266b90ec1a 100644 2.21.0 -From 98b782f300a899ad39fe17fa62ccbe4932e8cd29 Mon Sep 17 00:00:00 2001 +From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 16 May 2019 17:40:43 +0200 Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is @@ -329,10 +329,10 @@ index 3266b90ec1a..bff1df417e8 100644 /* * Make sure we do not have LD_PRELOAD or other security relevant diff --git a/source3/wscript_build b/source3/wscript_build -index 15c93e46bc3..694acbfa754 100644 +index bbcfc72a714..a601ab4e9b1 100644 --- a/source3/wscript_build +++ b/source3/wscript_build -@@ -1120,6 +1120,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', +@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper', deps=''' DYNCONFIG cups @@ -344,7 +344,7 @@ index 15c93e46bc3..694acbfa754 100644 2.21.0 -From 0ffe2ecb356780264b157a03157875758431102f Mon Sep 17 00:00:00 2001 +From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 13 May 2019 16:48:31 +0200 Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open @@ -359,7 +359,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 98959bb677b..43f0cbc04e1 100644 +index 78c13b9ebdb..805ad88b88d 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */ @@ -377,7 +377,7 @@ index 98959bb677b..43f0cbc04e1 100644 2.21.0 -From 9d662cda9def334de3a27cab7d77ab6c9deb3f16 Mon Sep 17 00:00:00 2001 +From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 13 May 2019 18:54:02 +0200 Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos @@ -396,7 +396,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 51 insertions(+), 39 deletions(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 43f0cbc04e1..f8e6a76ba11 100644 +index 805ad88b88d..d336cd08209 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */ @@ -572,7 +572,7 @@ index 43f0cbc04e1..f8e6a76ba11 100644 2.21.0 -From 56f58726a1f3b98e64e9f6b27c275cc0044e2a9f Mon Sep 17 00:00:00 2001 +From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 16 May 2019 18:24:32 +0200 Subject: [PATCH 8/9] s3:smbspool: Add debug messages to @@ -588,7 +588,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 7 insertions(+) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index f8e6a76ba11..ed5837daa0d 100644 +index d336cd08209..221c50af196 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) { @@ -621,7 +621,7 @@ index f8e6a76ba11..ed5837daa0d 100644 2.21.0 -From cec536a0437b28e207cb69c318cb5769575d1761 Mon Sep 17 00:00:00 2001 +From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 14 May 2019 11:35:46 +0200 Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes @@ -638,7 +638,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 145 insertions(+), 105 deletions(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index ed5837daa0d..1c09ca0826d 100644 +index 221c50af196..5ab286cd3e9 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -60,12 +60,27 @@ diff --git a/samba-4.9-fix_debug_segfault.patch b/samba-4.9-fix_debug_segfault.patch new file mode 100644 index 0000000..edbbd33 --- /dev/null +++ b/samba-4.9-fix_debug_segfault.patch @@ -0,0 +1,40 @@ +From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 7 Nov 2018 14:32:29 +0100 +Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation + +This fixes a segfault in pyglue: + +==10142== Process terminating with default action of signal 11 (SIGSEGV) +==10142== Bad permissions for mapped region at address 0x6F00A20 +==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165) + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison +(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0) +--- + lib/util/debug.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/util/debug.c b/lib/util/debug.c +index d41e0f99c77..847ec1f0a0c 100644 +--- a/lib/util/debug.c ++++ b/lib/util/debug.c +@@ -557,10 +557,10 @@ static const char *default_classname_table[] = { + * This is to allow reading of DEBUGLEVEL_CLASS before the debug + * system has been initialized. + */ +-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)]; ++static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)]; + + static size_t debug_num_classes = 0; +-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial); ++int *DEBUGLEVEL_CLASS = debug_class_list_initial; + + + /* -------------------------------------------------------------------------- ** +-- +2.19.1 + diff --git a/samba-4.9-fix_force_group_panic.patch b/samba-4.9-fix_force_group_panic.patch new file mode 100644 index 0000000..e228ccf --- /dev/null +++ b/samba-4.9-fix_force_group_panic.patch @@ -0,0 +1,87 @@ +From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 18 Jan 2019 14:24:30 -0800 +Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an + existing share connection. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +smbd could crash if "force group" is added to a +share definition whilst an existing connection +to that share exists. In that case, don't change +the existing credentials for force group, only +do so for new connections. + +Remove knownfail from regression test. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 + +Signed-off-by: Jeremy Allison +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144 + +(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a) +--- + source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++-- + 2 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c +index 9d5321cf4cc..ced2d450f8e 100644 +--- a/source3/smbd/uid.c ++++ b/source3/smbd/uid.c +@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn, + int snum; + gid_t gid; + uid_t uid; ++ const char *force_group_name; + char group_c; + int num_groups = 0; + gid_t *group_list = NULL; +@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn, + * See if we should force group for this service. If so this overrides + * any group set in the force user code. + */ +- if((group_c = *lp_force_group(talloc_tos(), snum))) { ++ force_group_name = lp_force_group(talloc_tos(), snum); ++ group_c = *force_group_name; + +- SMB_ASSERT(conn->force_group_gid != (gid_t)-1); ++ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) { ++ /* ++ * This can happen if "force group" is added to a ++ * share definition whilst an existing connection ++ * to that share exists. In that case, don't change ++ * the existing credentials for force group, only ++ * do so for new connections. ++ * ++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 ++ */ ++ DBG_INFO("Not forcing group %s on existing connection to " ++ "share %s for SMB user %s (unix user %s)\n", ++ force_group_name, ++ lp_const_servicename(snum), ++ session_info->unix_info->sanitized_username, ++ session_info->unix_info->unix_name); ++ } ++ ++ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) { ++ /* ++ * Only force group for connections where ++ * conn->force_group_gid has already been set ++ * to the correct value (i.e. the connection ++ * happened after the 'force group' definition ++ * was added to the share definition. Connections ++ * that were made before force group was added ++ * should stay with their existing credentials. ++ * ++ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690 ++ */ + + if (group_c == '+') { + int i; +-- +2.20.1.495.gaa96b0ce6b-goog + diff --git a/samba-4.9-fix_net_ads_join_admin_otherdomain.patch b/samba-4.9-fix_net_ads_join_admin_otherdomain.patch new file mode 100644 index 0000000..8cd6b4e --- /dev/null +++ b/samba-4.9-fix_net_ads_join_admin_otherdomain.patch @@ -0,0 +1,544 @@ +From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 29 Mar 2019 11:34:53 +0100 +Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails + +Currently we just get an error but don't know what exactly we tried to +do in 'net ads join -d10'. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5) +--- + source3/libads/ldap.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 13846695bd4..110f74a2dbb 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld) + if (ret != 0) { + char *ld_error = NULL; + ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error); +- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret, +- ldap_err2string(ret), ld_error)); ++ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n", ++ ret, ++ ldap_err2string(ret), ++ ld_error); + SAFE_FREE(ld_error); + } + } +@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) + (char) 1}; + LDAPControl *controls[2]; + ++ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn); ++ + controls[0] = &PermitModify; + controls[1] = NULL; + +@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods) + char *utf8_dn = NULL; + size_t converted_size; + ++ DBG_INFO("AD LDAP: Adding %s\n", new_dn); ++ + if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) { + DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!")); + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); +@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn) + return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + } + ++ DBG_INFO("AD LDAP: Deleting %s\n", del_dn); ++ + ret = ldap_delete_s(ads->ldap.ld, utf8_dn); + ads_print_error(ret, ads->ldap.ld); + TALLOC_FREE(utf8_dn); +-- +2.21.0 + + +From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Wed, 27 Mar 2019 16:45:39 +0100 +Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8) +--- + source3/libsmb/cliconnect.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c +index 837299d9220..9a3d3c769f9 100644 +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, + return NT_STATUS_OK; + } + ++ DBG_INFO("Doing kinit for %s to access %s\n", ++ user_principal, target_hostname); + + /* + * TODO: This should be done within the gensec layer +@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, + */ + } + ++ DBG_DEBUG("Successfully authenticated as %s to access %s using " ++ "Kerberos\n", ++ user_principal, ++ target_hostname); ++ + TALLOC_FREE(frame); + return NT_STATUS_OK; + } +@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send( + return tevent_req_post(req, ev); + } + ++ DBG_INFO("Connect to %s as %s using SPNEGO\n", ++ target_hostname, ++ cli_credentials_get_principal(creds, talloc_tos())); ++ + subreq = cli_session_setup_gensec_send(state, ev, cli, creds, + target_service, target_hostname); + if (tevent_req_nomem(subreq, req)) { +@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + ++ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username); ++ + if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { + bool use_unicode = smbXcli_conn_use_unicode(cli->conn); + uint8_t *bytes = NULL; +-- +2.21.0 + + +From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001 +From: Guenther Deschner +Date: Mon, 1 Apr 2019 17:46:39 +0200 +Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin() + +A newline is missing but also use DBG_INFO macro and cleanup spelling. + +Signed-off-by: Guenther Deschner +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662) +--- + source3/libnet/libnet_join.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 27fc5135442..ddc00f7ad7c 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + return WERR_NERR_DEFAULTJOINREQUIRED; + } + +- DEBUG(5, ("failed to precreate account in ou %s: %s", +- r->in.account_ou, ads_errstr(ads_status))); ++ DBG_INFO("Failed to pre-create account in OU %s: %s\n", ++ r->in.account_ou, ads_errstr(ads_status)); + } + rpc_join: + +-- +2.21.0 + + +From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001 +From: Guenther Deschner +Date: Wed, 27 Mar 2019 17:51:04 +0100 +Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output + +This got lost somehow during refactoring. This is still viable +information when trying to figure out what is going wrong when +authenticating a user over NTLMSSP. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Signed-off-by: Guenther Deschner +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7) +--- + auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c +index ab406a2c5be..8e49dcee5ea 100644 +--- a/auth/ntlmssp/ntlmssp_client.c ++++ b/auth/ntlmssp/ntlmssp_client.c +@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, + } + } + ++ if (DEBUGLEVEL >= 10) { ++ struct CHALLENGE_MESSAGE *challenge = ++ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE); ++ if (challenge != NULL) { ++ NTSTATUS status; ++ challenge->NegotiateFlags = chal_flags; ++ status = ntlmssp_pull_CHALLENGE_MESSAGE( ++ &in, challenge, challenge); ++ if (NT_STATUS_IS_OK(status)) { ++ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE, ++ challenge); ++ } ++ TALLOC_FREE(challenge); ++ } ++ } ++ + if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) { + ntlmssp_state->server.is_standalone = true; + } else { +@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, + return nt_status; + } + ++ if (DEBUGLEVEL >= 10) { ++ struct AUTHENTICATE_MESSAGE *authenticate = ++ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE); ++ if (authenticate != NULL) { ++ NTSTATUS status; ++ authenticate->NegotiateFlags = ntlmssp_state->neg_flags; ++ status = ntlmssp_pull_AUTHENTICATE_MESSAGE( ++ out, authenticate, authenticate); ++ if (NT_STATUS_IS_OK(status)) { ++ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, ++ authenticate); ++ } ++ TALLOC_FREE(authenticate); ++ } ++ } ++ + /* + * We always include the MIC, even without: + * av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; +-- +2.21.0 + + +From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 1 Apr 2019 15:59:10 +0200 +Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username + when using NTLM + +If we want to authenticate using -Wadmin@otherdomain the DC should do +take care of the authentication with the right DC for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3) +--- + auth/credentials/credentials.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c +index 4663185c979..7ef58d0752c 100644 +--- a/auth/credentials/credentials.c ++++ b/auth/credentials/credentials.c +@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c + const char **username, + const char **domain) + { +- if (cred->principal_obtained > cred->username_obtained) { ++ if (cred->principal_obtained >= cred->username_obtained) { + *domain = talloc_strdup(mem_ctx, ""); + *username = cli_credentials_get_principal(cred, mem_ctx); + } else { +-- +2.21.0 + + +From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 1 Apr 2019 16:39:45 +0200 +Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf + +Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753) +--- + source3/libnet/libnet_join.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index ddc00f7ad7c..e052306523d 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + } + + /* The domain parameter is only used as modifier +- * to krb5.conf file name. .JOIN is is not a valid ++ * to krb5.conf file name. _JOIN_ is is not a valid + * NetBIOS name so it cannot clash with another domain + * -- Uri. + */ +- create_local_private_krb5_conf_for_domain( +- pre_connect_realm, ".JOIN", sitename, &ss); ++ create_local_private_krb5_conf_for_domain(pre_connect_realm, ++ "_JOIN_", ++ sitename, ++ &ss); + } + + status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli); +-- +2.21.0 + + +From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 1 Apr 2019 16:47:26 +0200 +Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not + configured + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Pair-Programmed-With: Guenther Deschner +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6) +--- + source3/libads/kerberos.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index e623f2456a8..360cdd741da 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + } + #endif + ++ /* ++ * We are setting 'dns_lookup_kdc' to true, because we want to lookup ++ * KDCs which are not configured via DNS SRV records, eg. if we do: ++ * ++ * net ads join -Uadmin@otherdomain ++ */ + file_contents = + talloc_asprintf(fname, +- "[libdefaults]\n\tdefault_realm = %s\n" ++ "[libdefaults]\n" ++ "\tdefault_realm = %s\n" + "%s" +- "\tdns_lookup_realm = false\n\n" ++ "\tdns_lookup_realm = false\n" ++ "\tdns_lookup_kdc = true\n\n" + "[realms]\n\t%s = {\n" + "%s\t}\n" + "%s\n", +-- +2.21.0 + + +From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001 +From: Guenther Deschner +Date: Mon, 1 Apr 2019 17:40:03 +0200 +Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing + accounts + +This avoids numerous LDAP constraint violation errors when we try to +re-precreate an already existing machine account. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Pair-Programmed-With: Andreas Schneider +Signed-off-by: Guenther Deschner +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Boehme +Reviewed-by: Andrew Bartlett +(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68) +--- + source3/libads/ldap.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c +index 110f74a2dbb..e191ea792a8 100644 +--- a/source3/libads/ldap.c ++++ b/source3/libads/ldap.c +@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + goto done; + } + ++ ret = ads_find_machine_acct(ads, &res, machine_escaped); ++ ads_msgfree(ads, res); ++ if (ADS_ERR_OK(ret)) { ++ DBG_DEBUG("Host account for %s already exists.\n", ++ machine_escaped); ++ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS); ++ goto done; ++ } ++ + new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit); + samAccountName = talloc_asprintf(ctx, "%s$", machine_name); + +@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads, + + done: + SAFE_FREE(machine_escaped); +- ads_msgfree(ads, res); + talloc_destroy(ctx); + + return ret; +-- +2.21.0 + + +From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Apr 2019 13:14:06 +0200 +Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads + layer + +Otherwise we could loose the information that a non-default domain name +has been used for admin creds. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d) +--- + source3/libnet/libnet_join.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index e052306523d..fc7429e6a23 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx, + password = r->in.machine_password; + ccname = "MEMORY:libnet_join_machine_creds"; + } else { ++ char *p = NULL; ++ + username = r->in.admin_account; ++ ++ p = strchr(r->in.admin_account, '@'); ++ if (p == NULL) { ++ username = talloc_asprintf(mem_ctx, "%s@%s", ++ r->in.admin_account, ++ r->in.admin_domain); ++ } ++ if (username == NULL) { ++ return ADS_ERROR(LDAP_NO_MEMORY); ++ } + password = r->in.admin_password; + + /* +-- +2.21.0 + + +From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Apr 2019 13:16:11 +0200 +Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD + connect fails + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider +(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26) +--- + source3/libnet/libnet_join.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index fc7429e6a23..6d3fc1fe01f 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx, + + ads_status = libnet_join_connect_ads_user(mem_ctx, r); + if (!ADS_ERR_OK(ads_status)) { ++ libnet_join_set_error_string(mem_ctx, r, ++ "failed to connect to AD: %s", ++ ads_errstr(ads_status)); + return WERR_NERR_DEFAULTJOINREQUIRED; + } + +-- +2.21.0 + + +From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?G=C3=BCnther=20Deschner?= +Date: Tue, 2 Apr 2019 13:16:55 +0200 +Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in + libnet_join + +When a non-DNS and non-default admin domain is provided during the join +sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME' +(e.g. when the winbind krb5 locator is not installed). In that case lets +fallback to NTLMSSP, like we do in winbind. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861 + +Guenther + +Signed-off-by: Guenther Deschner +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144 + +(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5) +--- + source3/libnet/libnet_join.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index 6d3fc1fe01f..b876d7ea89f 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, + return ADS_ERROR_LDAP(LDAP_NO_MEMORY); + } + ++ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; ++ + if (user_name) { + SAFE_FREE(my_ads->auth.user_name); + my_ads->auth.user_name = SMB_STRDUP(user_name); +-- +2.21.0 + diff --git a/samba-4.9-fix_net_ads_krb5.patch b/samba-4.9-fix_net_ads_krb5.patch new file mode 100644 index 0000000..a8aedde --- /dev/null +++ b/samba-4.9-fix_net_ads_krb5.patch @@ -0,0 +1,56 @@ +From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001 +From: Justin Stephenson +Date: Mon, 17 Dec 2018 11:26:11 -0500 +Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k + +This affects net rpc getsid and net rpc changetrustpw commands. +This avoids an anonymous IPC connection being made when -k is used, +this only affects net rpc getsid and net rpc changetrustpw commands. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726 + +Signed-off-by: Justin Stephenson +Reviewed-by: Andreas Schneider +Reviewed-by: Noel Power +--- + source3/utils/net_rpc.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index b99a036fca1..67fff2f4d1b 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c, + + int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv) + { ++ int conn_flags = NET_FLAGS_PDC; ++ ++ if (!c->opt_user_specified && !c->opt_kerberos) { ++ conn_flags |= NET_FLAGS_ANONYMOUS; ++ } ++ + if (c->display_usage) { + d_printf( "%s\n" + "net rpc changetrustpw\n" +@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv) + } + + return run_rpc_command(c, NULL, &ndr_table_netlogon, +- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC, ++ conn_flags, + rpc_changetrustpw_internals, + argc, argv); + } +@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv) + { + int conn_flags = NET_FLAGS_PDC; + +- if (!c->opt_user_specified) { ++ if (!c->opt_user_specified && !c->opt_kerberos) { + conn_flags |= NET_FLAGS_ANONYMOUS; + } + +-- +2.20.1 + diff --git a/samba-4.8-fix_smbspool_as_cups_backend.patch b/samba-4.9-fix_smbspool_as_cups_backend.patch similarity index 87% rename from samba-4.8-fix_smbspool_as_cups_backend.patch rename to samba-4.9-fix_smbspool_as_cups_backend.patch index 581cc98..013eebc 100644 --- a/samba-4.8-fix_smbspool_as_cups_backend.patch +++ b/samba-4.9-fix_smbspool_as_cups_backend.patch @@ -1,4 +1,4 @@ -From c4c36c2ecc0ed1254e02f046ce08b4937fe26ee6 Mon Sep 17 00:00:00 2001 +From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 12 Mar 2019 10:15:05 +0100 Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh @@ -32,7 +32,7 @@ index d95ed064634..f28c0909334 100755 2.20.1 -From 72f86fe6f41bbe7891fe81811b3234b6662de8da Mon Sep 17 00:00:00 2001 +From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 12 Mar 2019 09:40:58 +0100 Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to @@ -115,7 +115,7 @@ index dee3b4c54be..5c4da33238b 100644 2.20.1 -From 47771d9ceff2771b5fda430e1836237d85300407 Mon Sep 17 00:00:00 2001 +From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 4 Jan 2019 09:21:24 +0100 Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set @@ -131,11 +131,11 @@ Reviewed-by: Bryan Mason Signed-off-by: Guenther Deschner (cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845) --- - source3/client/smbspool.c | 42 ++++++++++++++++++++++----------------- - 1 file changed, 24 insertions(+), 18 deletions(-) + source3/client/smbspool.c | 32 ++++++++++++++++++++------------ + 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index d6e944d547c..e94d5b33324 100644 +index 389e4ea553f..3dbf6be014b 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -60,7 +60,7 @@ @@ -156,25 +156,7 @@ index d6e944d547c..e94d5b33324 100644 /* * 'main()' - Main entry for SMB backend. */ -@@ -94,7 +96,7 @@ main(int argc, /* I - Number of command-line arguments */ - FILE *fp; /* File to print */ - int status = 1; /* Status of LPD job */ - struct cli_state *cli; /* SMB interface */ -- char null_str[1]; -+ char empty_str[] = ""; - int tries = 0; - bool need_auth = true; - const char *dev_uri; -@@ -106,8 +108,6 @@ main(int argc, /* I - Number of command-line arguments */ - int cmp; - int len; - -- null_str[0] = '\0'; -- - if (argc == 1) { - /* - * NEW! In CUPS 1.1 the backends are run with no arguments -@@ -187,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */ +@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */ } } @@ -186,25 +168,7 @@ index d6e944d547c..e94d5b33324 100644 cmp = strncmp(dev_uri, "smb://", 6); if (cmp != 0) { fprintf(stderr, -@@ -220,21 +225,25 @@ main(int argc, /* I - Number of command-line arguments */ - *tmp2++ = '\0'; - password = uri_unescape_alloc(tmp2); - } else { -- password = null_str; -+ password = empty_str; - } - username = uri_unescape_alloc(tmp); - } else { - if ((username = getenv("AUTH_USERNAME")) == NULL) { -- username = null_str; -+ username = empty_str; - } - - if ((password = getenv("AUTH_PASSWORD")) == NULL) { -- password = null_str; -+ password = empty_str; - } - +@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */ server = uri + 6; } @@ -215,7 +179,7 @@ index d6e944d547c..e94d5b33324 100644 tmp = server; if ((sep = strchr_m(tmp, '/')) == NULL) { -@@ -354,8 +363,7 @@ done: +@@ -352,8 +363,7 @@ done: static int get_exit_code(struct cli_state * cli, @@ -225,7 +189,7 @@ index d6e944d547c..e94d5b33324 100644 { int i; -@@ -382,10 +390,7 @@ get_exit_code(struct cli_state * cli, +@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli, } if (cli) { @@ -237,7 +201,7 @@ index d6e944d547c..e94d5b33324 100644 } /* -@@ -454,6 +459,7 @@ smb_complete_connection(const char *myname, +@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname, } if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) { @@ -245,7 +209,7 @@ index d6e944d547c..e94d5b33324 100644 use_kerberos = true; } -@@ -476,7 +482,7 @@ smb_complete_connection(const char *myname, +@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname, if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status)); @@ -254,7 +218,7 @@ index d6e944d547c..e94d5b33324 100644 *need_auth = true; } -@@ -490,7 +496,7 @@ smb_complete_connection(const char *myname, +@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname, fprintf(stderr, "ERROR: Tree connect failed (%s)\n", nt_errstr(nt_status)); @@ -263,7 +227,7 @@ index d6e944d547c..e94d5b33324 100644 *need_auth = true; } -@@ -679,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ +@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr, "ERROR: %s opening remote spool %s\n", nt_errstr(nt_status), title); @@ -272,7 +236,7 @@ index d6e944d547c..e94d5b33324 100644 } /* -@@ -697,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ +@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer, tbytes, nbytes, NULL); if (!NT_STATUS_IS_OK(status)) { @@ -281,7 +245,7 @@ index d6e944d547c..e94d5b33324 100644 fprintf(stderr, "ERROR: Error writing spool: %s\n", nt_errstr(status)); fprintf(stderr, "DEBUG: Returning status %d...\n", -@@ -713,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ +@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */ if (!NT_STATUS_IS_OK(nt_status)) { fprintf(stderr, "ERROR: %s closing remote spool %s\n", nt_errstr(nt_status), title); @@ -294,7 +258,7 @@ index d6e944d547c..e94d5b33324 100644 2.20.1 -From 6e83c1c9c02889bf9b7d42366ae25cd7b8738810 Mon Sep 17 00:00:00 2001 +From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 12 Mar 2019 10:09:14 +0100 Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title @@ -312,7 +276,7 @@ Signed-off-by: Guenther Deschner 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index e94d5b33324..4d78db7f77c 100644 +index 3dbf6be014b..94c7ea368a2 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *, @@ -358,7 +322,7 @@ index e94d5b33324..4d78db7f77c 100644 2.20.1 -From 5a17e86e0dde91b52afd4a192fd5a635a83b412d Mon Sep 17 00:00:00 2001 +From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 12 Mar 2019 11:40:30 +0100 Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling @@ -377,7 +341,7 @@ Signed-off-by: Guenther Deschner 1 file changed, 96 insertions(+), 24 deletions(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 4d78db7f77c..8be1009c0a8 100644 +index 94c7ea368a2..97d00bdd011 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */ diff --git a/samba-4.8-fix_cups_smbspool_backend.part1.patch b/samba-4.9-fix_smbspool_krb5_auth.patch similarity index 90% rename from samba-4.8-fix_cups_smbspool_backend.part1.patch rename to samba-4.9-fix_smbspool_krb5_auth.patch index 61fd9bd..b04c8cc 100644 --- a/samba-4.8-fix_cups_smbspool_backend.part1.patch +++ b/samba-4.9-fix_smbspool_krb5_auth.patch @@ -1,4 +1,4 @@ -From 56fb8aec557bb5b7264df2713b85b282e1c81f84 Mon Sep 17 00:00:00 2001 +From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 May 2019 16:18:51 +0200 Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos @@ -16,7 +16,7 @@ Reviewed-by: Guenther Deschner 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c -index 8be1009c0a8..ecaaf3c3f22 100644 +index 97d00bdd011..c404b3a3f69 100644 --- a/source3/client/smbspool.c +++ b/source3/client/smbspool.c @@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */ diff --git a/samba-4.9-fix_testparm_crash.patch b/samba-4.9-fix_testparm_crash.patch new file mode 100644 index 0000000..74a8a52 --- /dev/null +++ b/samba-4.9-fix_testparm_crash.patch @@ -0,0 +1,2126 @@ +From 425bed0731a02b2e310b8835e9b75bff73582d99 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Mon, 9 Jul 2018 17:11:57 +0200 +Subject: [PATCH 01/22] s3:lib/server_contexts: make server_event_ctx and + server_msg_ctx static + +server_event_ctx and server_msg_ctx static shouldn't be accessible from +outside this compilation unit. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Ralph Boehme +Reviewed-by: Christof Schmitt +(cherry picked from commit d920a725ee19215190bbccaefd5b426bedc98860) +--- + source3/lib/server_contexts.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/lib/server_contexts.c b/source3/lib/server_contexts.c +index 50072e680b6..b21cf0a4c81 100644 +--- a/source3/lib/server_contexts.c ++++ b/source3/lib/server_contexts.c +@@ -21,7 +21,7 @@ + #include "includes.h" + #include "messages.h" + +-struct tevent_context *server_event_ctx = NULL; ++static struct tevent_context *server_event_ctx = NULL; + + struct tevent_context *server_event_context(void) + { +@@ -44,7 +44,7 @@ void server_event_context_free(void) + TALLOC_FREE(server_event_ctx); + } + +-struct messaging_context *server_msg_ctx = NULL; ++static struct messaging_context *server_msg_ctx = NULL; + + struct messaging_context *server_messaging_context(void) + { +-- +2.13.6 + + +From 1e8feaa20bfba475d6e2cbe69b5e1447586a7411 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 13 Aug 2018 15:07:20 -0700 +Subject: [PATCH 02/22] s3/lib:popt_common: Move setup_logging to common + callback + +The flag is set in the common callback, so be consistent + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit dff1028e8ba4c70e726283c12531853681034014) +--- + source3/lib/popt_common.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c +index cc93a756c3b..454884fbb5c 100644 +--- a/source3/lib/popt_common.c ++++ b/source3/lib/popt_common.c +@@ -93,6 +93,10 @@ static void popt_common_callback(poptContext con, + } + } + ++ if (override_logfile) { ++ setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE ); ++ } ++ + /* Further 'every Samba program must do this' hooks here. */ + return; + } +@@ -288,10 +292,6 @@ static void popt_common_credentials_callback(poptContext con, + if (reason == POPT_CALLBACK_REASON_POST) { + bool ok; + +- if (override_logfile) { +- setup_logging(lp_logfile(talloc_tos()), DEBUG_FILE ); +- } +- + ok = lp_load_client(get_dyn_CONFIGFILE()); + if (!ok) { + const char *pname = poptGetInvocationName(con); +-- +2.13.6 + + +From a1954bee751b35c3888be7c3c36ce59bb857e3f3 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 13 Aug 2018 15:39:08 -0700 +Subject: [PATCH 03/22] s3:lib: Move popt_common_credentials to separate file + +This is only used by command line utilities and has additional +dependencies. Move to a separate file to contain the dependencies to the +command line tools. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit b7464fd89bc22b71c82bbaa424bcbfcf947db651) +--- + source3/client/client.c | 2 +- + source3/include/popt_common.h | 10 -- + source3/include/popt_common_cmdline.h | 47 +++++++ + source3/lib/popt_common.c | 208 ----------------------------- + source3/lib/popt_common_cmdline.c | 241 ++++++++++++++++++++++++++++++++++ + source3/rpcclient/cmd_spoolss.c | 2 +- + source3/rpcclient/rpcclient.c | 2 +- + source3/rpcclient/wscript_build | 2 +- + source3/utils/net.c | 2 +- + source3/utils/regedit.c | 2 +- + source3/utils/smbcacls.c | 2 +- + source3/utils/smbcquotas.c | 2 +- + source3/utils/smbget.c | 2 +- + source3/utils/smbtree.c | 2 +- + source3/utils/wscript_build | 14 +- + source3/wscript_build | 9 +- + 16 files changed, 313 insertions(+), 236 deletions(-) + create mode 100644 source3/include/popt_common_cmdline.h + create mode 100644 source3/lib/popt_common_cmdline.c + +diff --git a/source3/client/client.c b/source3/client/client.c +index 25ba01d6216..2f193459d5d 100644 +--- a/source3/client/client.c ++++ b/source3/client/client.c +@@ -23,7 +23,7 @@ + + #include "includes.h" + #include "system/filesys.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "rpc_client/cli_pipe.h" + #include "client/client_proto.h" + #include "client/clitar_proto.h" +diff --git a/source3/include/popt_common.h b/source3/include/popt_common.h +index a8c778473e9..e001a5369b7 100644 +--- a/source3/include/popt_common.h ++++ b/source3/include/popt_common.h +@@ -21,7 +21,6 @@ + #define _POPT_COMMON_H + + #include +-#include "auth_info.h" + + /* Common popt structures */ + extern struct poptOption popt_common_samba[]; +@@ -41,19 +40,10 @@ extern const struct poptOption popt_common_dynconfig[]; + #define POPT_COMMON_CONNECTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_connection, 0, "Connection options:", NULL }, + #define POPT_COMMON_VERSION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_version, 0, "Common samba options:", NULL }, + #define POPT_COMMON_CONFIGFILE { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_configfile, 0, "Common samba config:", NULL }, +-#define POPT_COMMON_CREDENTIALS { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_credentials, 0, "Authentication options:", NULL }, + #define POPT_COMMON_DYNCONFIG { NULL, 0, POPT_ARG_INCLUDE_TABLE, \ + discard_const_p(poptOption, popt_common_dynconfig), 0, \ + "Build-time configuration overrides:", NULL }, + #define POPT_COMMON_DEBUGLEVEL { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_debuglevel, 0, "Common samba debugging:", NULL }, + #define POPT_COMMON_OPTION { NULL, 0, POPT_ARG_INCLUDE_TABLE, popt_common_option, 0, "Common samba commandline config:", NULL }, + +-struct user_auth_info *popt_get_cmdline_auth_info(void); +-void popt_free_cmdline_auth_info(void); +- +-void popt_common_credentials_set_ignore_missing_conf(void); +-void popt_common_credentials_set_delay_post(void); +-void popt_common_credentials_post(void); +-void popt_burn_cmdline_password(int argc, char *argv[]); +- + #endif /* _POPT_COMMON_H */ +diff --git a/source3/include/popt_common_cmdline.h b/source3/include/popt_common_cmdline.h +new file mode 100644 +index 00000000000..21130cff071 +--- /dev/null ++++ b/source3/include/popt_common_cmdline.h +@@ -0,0 +1,47 @@ ++/* ++ Unix SMB/CIFS implementation. ++ Common popt arguments ++ Copyright (C) Jelmer Vernooij 2003 ++ Copyright (C) Christof Schmitt 2018 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++ ++#ifndef _POPT_COMMON_CREDENTIALS_H ++#define _POPT_COMMON_CREDENTIALS_H ++ ++#include "popt_common.h" ++ ++extern struct poptOption popt_common_credentials[]; ++#define POPT_COMMON_CREDENTIALS \ ++ { \ ++ NULL, \ ++ 0, \ ++ POPT_ARG_INCLUDE_TABLE, \ ++ popt_common_credentials, \ ++ 0, \ ++ "Authentication options:", \ ++ NULL \ ++ }, ++ ++struct user_auth_info *popt_get_cmdline_auth_info(void); ++void popt_free_cmdline_auth_info(void); ++ ++void popt_common_credentials_set_ignore_missing_conf(void); ++void popt_common_credentials_set_delay_post(void); ++void popt_common_credentials_post(void); ++void popt_burn_cmdline_password(int argc, char *argv[]); ++ ++#endif +diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c +index 454884fbb5c..11db080c82d 100644 +--- a/source3/lib/popt_common.c ++++ b/source3/lib/popt_common.c +@@ -213,211 +213,3 @@ struct poptOption popt_common_option[] = { + { "option", 0, POPT_ARG_STRING, NULL, OPT_OPTION, "Set smb.conf option from command line", "name=value" }, + POPT_TABLEEND + }; +- +-/* Handle command line options: +- * -U,--user +- * -A,--authentication-file +- * -k,--use-kerberos +- * -N,--no-pass +- * -S,--signing +- * -P --machine-pass +- * -e --encrypt +- * -C --use-ccache +- */ +- +-static struct user_auth_info *cmdline_auth_info; +- +-struct user_auth_info *popt_get_cmdline_auth_info(void) +-{ +- return cmdline_auth_info; +-} +-void popt_free_cmdline_auth_info(void) +-{ +- TALLOC_FREE(cmdline_auth_info); +-} +- +-static bool popt_common_credentials_ignore_missing_conf; +-static bool popt_common_credentials_delay_post; +- +-void popt_common_credentials_set_ignore_missing_conf(void) +-{ +- popt_common_credentials_delay_post = true; +-} +- +-void popt_common_credentials_set_delay_post(void) +-{ +- popt_common_credentials_delay_post = true; +-} +- +-void popt_common_credentials_post(void) +-{ +- if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) && +- !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info)) +- { +- fprintf(stderr, +- "Failed to use machine account credentials\n"); +- exit(1); +- } +- +- set_cmdline_auth_info_getpass(cmdline_auth_info); +- +- /* +- * When we set the username during the handling of the options passed to +- * the binary we haven't loaded the config yet. This means that we +- * didnn't take the 'winbind separator' into account. +- * +- * The username might contain the domain name and thus it hasn't been +- * correctly parsed yet. If we have a username we need to set it again +- * to run the string parser for the username correctly. +- */ +- reset_cmdline_auth_info_username(cmdline_auth_info); +-} +- +-static void popt_common_credentials_callback(poptContext con, +- enum poptCallbackReason reason, +- const struct poptOption *opt, +- const char *arg, const void *data) +-{ +- if (reason == POPT_CALLBACK_REASON_PRE) { +- struct user_auth_info *auth_info = +- user_auth_info_init(NULL); +- if (auth_info == NULL) { +- fprintf(stderr, "user_auth_info_init() failed\n"); +- exit(1); +- } +- cmdline_auth_info = auth_info; +- return; +- } +- +- if (reason == POPT_CALLBACK_REASON_POST) { +- bool ok; +- +- ok = lp_load_client(get_dyn_CONFIGFILE()); +- if (!ok) { +- const char *pname = poptGetInvocationName(con); +- +- fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n", +- pname, get_dyn_CONFIGFILE()); +- if (!popt_common_credentials_ignore_missing_conf) { +- exit(1); +- } +- } +- +- load_interfaces(); +- +- set_cmdline_auth_info_guess(cmdline_auth_info); +- +- if (popt_common_credentials_delay_post) { +- return; +- } +- +- popt_common_credentials_post(); +- return; +- } +- +- switch(opt->val) { +- case 'U': +- set_cmdline_auth_info_username(cmdline_auth_info, arg); +- break; +- +- case 'A': +- set_cmdline_auth_info_from_file(cmdline_auth_info, arg); +- break; +- +- case 'k': +-#ifndef HAVE_KRB5 +- d_printf("No kerberos support compiled in\n"); +- exit(1); +-#else +- set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info); +-#endif +- break; +- +- case 'S': +- if (!set_cmdline_auth_info_signing_state(cmdline_auth_info, +- arg)) { +- fprintf(stderr, "Unknown signing option %s\n", arg ); +- exit(1); +- } +- break; +- case 'P': +- set_cmdline_auth_info_use_machine_account(cmdline_auth_info); +- break; +- case 'N': +- set_cmdline_auth_info_password(cmdline_auth_info, ""); +- break; +- case 'e': +- set_cmdline_auth_info_smb_encrypt(cmdline_auth_info); +- break; +- case 'C': +- set_cmdline_auth_info_use_ccache(cmdline_auth_info, true); +- break; +- case 'H': +- set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true); +- break; +- } +-} +- +-/** +- * @brief Burn the commandline password. +- * +- * This function removes the password from the command line so we +- * don't leak the password e.g. in 'ps aux'. +- * +- * It should be called after processing the options and you should pass down +- * argv from main(). +- * +- * @param[in] argc The number of arguments. +- * +- * @param[in] argv[] The argument array we will find the array. +- */ +-void popt_burn_cmdline_password(int argc, char *argv[]) +-{ +- bool found = false; +- char *p = NULL; +- int i, ulen = 0; +- +- for (i = 0; i < argc; i++) { +- p = argv[i]; +- if (strncmp(p, "-U", 2) == 0) { +- ulen = 2; +- found = true; +- } else if (strncmp(p, "--user", 6) == 0) { +- ulen = 6; +- found = true; +- } +- +- if (found) { +- if (p == NULL) { +- return; +- } +- +- if (strlen(p) == ulen) { +- continue; +- } +- +- p = strchr_m(p, '%'); +- if (p != NULL) { +- memset(p, '\0', strlen(p)); +- } +- found = false; +- } +- } +-} +- +-struct poptOption popt_common_credentials[] = { +- { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, +- (void *)popt_common_credentials_callback, 0, NULL }, +- { "user", 'U', POPT_ARG_STRING, NULL, 'U', "Set the network username", "USERNAME" }, +- { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', "Don't ask for a password" }, +- { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', "Use kerberos (active directory) authentication" }, +- { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', "Get the credentials from a file", "FILE" }, +- { "signing", 'S', POPT_ARG_STRING, NULL, 'S', "Set the client signing state", "on|off|required" }, +- {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', "Use stored machine account password" }, +- {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', "Encrypt SMB transport" }, +- {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C', +- "Use the winbind ccache for authentication" }, +- {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H', +- "The supplied password is the NT hash" }, +- POPT_TABLEEND +-}; +diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c +new file mode 100644 +index 00000000000..57f77e0868a +--- /dev/null ++++ b/source3/lib/popt_common_cmdline.c +@@ -0,0 +1,241 @@ ++/* ++ Unix SMB/CIFS implementation. ++ Common popt routines only used by cmdline utils ++ ++ Copyright (C) Tim Potter 2001,2002 ++ Copyright (C) Jelmer Vernooij 2002,2003 ++ Copyright (C) James Peach 2006 ++ Copyright (C) Christof Schmitt 2018 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++/* Handle command line options: ++ * -U,--user ++ * -A,--authentication-file ++ * -k,--use-kerberos ++ * -N,--no-pass ++ * -S,--signing ++ * -P --machine-pass ++ * -e --encrypt ++ * -C --use-ccache ++ */ ++ ++#include "popt_common_cmdline.h" ++#include "includes.h" ++#include "auth_info.h" ++ ++static struct user_auth_info *cmdline_auth_info; ++ ++struct user_auth_info *popt_get_cmdline_auth_info(void) ++{ ++ return cmdline_auth_info; ++} ++void popt_free_cmdline_auth_info(void) ++{ ++ TALLOC_FREE(cmdline_auth_info); ++} ++ ++static bool popt_common_credentials_ignore_missing_conf; ++static bool popt_common_credentials_delay_post; ++ ++void popt_common_credentials_set_ignore_missing_conf(void) ++{ ++ popt_common_credentials_delay_post = true; ++} ++ ++void popt_common_credentials_set_delay_post(void) ++{ ++ popt_common_credentials_delay_post = true; ++} ++ ++void popt_common_credentials_post(void) ++{ ++ if (get_cmdline_auth_info_use_machine_account(cmdline_auth_info) && ++ !set_cmdline_auth_info_machine_account_creds(cmdline_auth_info)) ++ { ++ fprintf(stderr, ++ "Failed to use machine account credentials\n"); ++ exit(1); ++ } ++ ++ set_cmdline_auth_info_getpass(cmdline_auth_info); ++ ++ /* ++ * When we set the username during the handling of the options passed to ++ * the binary we haven't loaded the config yet. This means that we ++ * didn't take the 'winbind separator' into account. ++ * ++ * The username might contain the domain name and thus it hasn't been ++ * correctly parsed yet. If we have a username we need to set it again ++ * to run the string parser for the username correctly. ++ */ ++ reset_cmdline_auth_info_username(cmdline_auth_info); ++} ++ ++static void popt_common_credentials_callback(poptContext con, ++ enum poptCallbackReason reason, ++ const struct poptOption *opt, ++ const char *arg, const void *data) ++{ ++ if (reason == POPT_CALLBACK_REASON_PRE) { ++ struct user_auth_info *auth_info = ++ user_auth_info_init(NULL); ++ if (auth_info == NULL) { ++ fprintf(stderr, "user_auth_info_init() failed\n"); ++ exit(1); ++ } ++ cmdline_auth_info = auth_info; ++ return; ++ } ++ ++ if (reason == POPT_CALLBACK_REASON_POST) { ++ bool ok; ++ ++ ok = lp_load_client(get_dyn_CONFIGFILE()); ++ if (!ok) { ++ const char *pname = poptGetInvocationName(con); ++ ++ fprintf(stderr, "%s: Can't load %s - run testparm to debug it\n", ++ pname, get_dyn_CONFIGFILE()); ++ if (!popt_common_credentials_ignore_missing_conf) { ++ exit(1); ++ } ++ } ++ ++ load_interfaces(); ++ ++ set_cmdline_auth_info_guess(cmdline_auth_info); ++ ++ if (popt_common_credentials_delay_post) { ++ return; ++ } ++ ++ popt_common_credentials_post(); ++ return; ++ } ++ ++ switch(opt->val) { ++ case 'U': ++ set_cmdline_auth_info_username(cmdline_auth_info, arg); ++ break; ++ ++ case 'A': ++ set_cmdline_auth_info_from_file(cmdline_auth_info, arg); ++ break; ++ ++ case 'k': ++#ifndef HAVE_KRB5 ++ d_printf("No kerberos support compiled in\n"); ++ exit(1); ++#else ++ set_cmdline_auth_info_use_krb5_ticket(cmdline_auth_info); ++#endif ++ break; ++ ++ case 'S': ++ if (!set_cmdline_auth_info_signing_state(cmdline_auth_info, ++ arg)) { ++ fprintf(stderr, "Unknown signing option %s\n", arg ); ++ exit(1); ++ } ++ break; ++ case 'P': ++ set_cmdline_auth_info_use_machine_account(cmdline_auth_info); ++ break; ++ case 'N': ++ set_cmdline_auth_info_password(cmdline_auth_info, ""); ++ break; ++ case 'e': ++ set_cmdline_auth_info_smb_encrypt(cmdline_auth_info); ++ break; ++ case 'C': ++ set_cmdline_auth_info_use_ccache(cmdline_auth_info, true); ++ break; ++ case 'H': ++ set_cmdline_auth_info_use_pw_nt_hash(cmdline_auth_info, true); ++ break; ++ } ++} ++ ++/** ++ * @brief Burn the commandline password. ++ * ++ * This function removes the password from the command line so we ++ * don't leak the password e.g. in 'ps aux'. ++ * ++ * It should be called after processing the options and you should pass down ++ * argv from main(). ++ * ++ * @param[in] argc The number of arguments. ++ * ++ * @param[in] argv[] The argument array we will find the array. ++ */ ++void popt_burn_cmdline_password(int argc, char *argv[]) ++{ ++ bool found = false; ++ char *p = NULL; ++ int i, ulen = 0; ++ ++ for (i = 0; i < argc; i++) { ++ p = argv[i]; ++ if (strncmp(p, "-U", 2) == 0) { ++ ulen = 2; ++ found = true; ++ } else if (strncmp(p, "--user", 6) == 0) { ++ ulen = 6; ++ found = true; ++ } ++ ++ if (found) { ++ if (p == NULL) { ++ return; ++ } ++ ++ if (strlen(p) == ulen) { ++ continue; ++ } ++ ++ p = strchr_m(p, '%'); ++ if (p != NULL) { ++ memset(p, '\0', strlen(p)); ++ } ++ found = false; ++ } ++ } ++} ++ ++struct poptOption popt_common_credentials[] = { ++ { NULL, 0, POPT_ARG_CALLBACK|POPT_CBFLAG_PRE|POPT_CBFLAG_POST, ++ (void *)popt_common_credentials_callback, 0, NULL }, ++ { "user", 'U', POPT_ARG_STRING, NULL, 'U', ++ "Set the network username", "USERNAME" }, ++ { "no-pass", 'N', POPT_ARG_NONE, NULL, 'N', ++ "Don't ask for a password" }, ++ { "kerberos", 'k', POPT_ARG_NONE, NULL, 'k', ++ "Use kerberos (active directory) authentication" }, ++ { "authentication-file", 'A', POPT_ARG_STRING, NULL, 'A', ++ "Get the credentials from a file", "FILE" }, ++ { "signing", 'S', POPT_ARG_STRING, NULL, 'S', ++ "Set the client signing state", "on|off|required" }, ++ {"machine-pass", 'P', POPT_ARG_NONE, NULL, 'P', ++ "Use stored machine account password" }, ++ {"encrypt", 'e', POPT_ARG_NONE, NULL, 'e', ++ "Encrypt SMB transport" }, ++ {"use-ccache", 'C', POPT_ARG_NONE, NULL, 'C', ++ "Use the winbind ccache for authentication" }, ++ {"pw-nt-hash", '\0', POPT_ARG_NONE, NULL, 'H', ++ "The supplied password is the NT hash" }, ++ POPT_TABLEEND ++}; +diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c +index 1d24476e9a5..8d330afdeb0 100644 +--- a/source3/rpcclient/cmd_spoolss.c ++++ b/source3/rpcclient/cmd_spoolss.c +@@ -33,7 +33,7 @@ + #include "../libcli/security/security_descriptor.h" + #include "../libcli/registry/util_reg.h" + #include "libsmb/libsmb.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + + #define RPCCLIENT_PRINTERNAME(_printername, _cli, _arg) \ + { \ +diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c +index b4e25e6e479..f7e196226cf 100644 +--- a/source3/rpcclient/rpcclient.c ++++ b/source3/rpcclient/rpcclient.c +@@ -21,7 +21,7 @@ + + #include "includes.h" + #include "../libcli/auth/netlogon_creds_cli.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "rpcclient.h" + #include "../libcli/auth/libcli_auth.h" + #include "../librpc/gen_ndr/ndr_lsa_c.h" +diff --git a/source3/rpcclient/wscript_build b/source3/rpcclient/wscript_build +index c24a5670db9..11a64f3248a 100644 +--- a/source3/rpcclient/wscript_build ++++ b/source3/rpcclient/wscript_build +@@ -25,7 +25,7 @@ bld.SAMBA3_BINARY('rpcclient', + ''', + deps=''' + talloc +- popt_samba3 ++ popt_samba3_cmdline + pdb + libsmb + smbconf +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 44daa6088ca..76b8677bf78 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -41,7 +41,7 @@ + /*****************************************************/ + + #include "includes.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "utils/net.h" + #include "secrets.h" + #include "lib/netapi/netapi.h" +diff --git a/source3/utils/regedit.c b/source3/utils/regedit.c +index 27bd6f8f2c2..20115ae1624 100644 +--- a/source3/utils/regedit.c ++++ b/source3/utils/regedit.c +@@ -18,7 +18,7 @@ + */ + + #include "includes.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "lib/util/data_blob.h" + #include "lib/registry/registry.h" + #include "regedit.h" +diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c +index 0a5eeb31d0b..33eb78c41ec 100644 +--- a/source3/utils/smbcacls.c ++++ b/source3/utils/smbcacls.c +@@ -22,7 +22,7 @@ + */ + + #include "includes.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "rpc_client/cli_pipe.h" + #include "../librpc/gen_ndr/ndr_lsa.h" + #include "rpc_client/cli_lsarpc.h" +diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c +index 798b8b6f177..a4b1b8111a5 100644 +--- a/source3/utils/smbcquotas.c ++++ b/source3/utils/smbcquotas.c +@@ -22,7 +22,7 @@ + */ + + #include "includes.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "rpc_client/cli_pipe.h" + #include "../librpc/gen_ndr/ndr_lsa.h" + #include "rpc_client/cli_lsarpc.h" +diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c +index e1be42917fb..37462fa131f 100644 +--- a/source3/utils/smbget.c ++++ b/source3/utils/smbget.c +@@ -18,7 +18,7 @@ + + #include "includes.h" + #include "system/filesys.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "libsmbclient.h" + + static int columns = 0; +diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c +index 3b539ef1045..fb0f165a18d 100644 +--- a/source3/utils/smbtree.c ++++ b/source3/utils/smbtree.c +@@ -20,7 +20,7 @@ + */ + + #include "includes.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "rpc_client/cli_pipe.h" + #include "../librpc/gen_ndr/ndr_srvsvc_c.h" + #include "libsmb/libsmb.h" +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 93e6abaac0d..67bb87e7a74 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -27,7 +27,7 @@ bld.SAMBA3_BINARY('smbtree', + smbconf + libsmb + msrpc3 +- popt_samba3 ++ popt_samba3_cmdline + RPC_NDR_SRVSVC''') + + bld.SAMBA3_BINARY('smbpasswd', +@@ -52,7 +52,7 @@ bld.SAMBA3_BINARY('smbget', + source='smbget.c', + deps=''' + talloc +- popt_samba3 ++ popt_samba3_cmdline + smbclient''') + + bld.SAMBA3_BINARY('nmblookup', +@@ -67,7 +67,7 @@ bld.SAMBA3_BINARY('smbcacls', + source='smbcacls.c ../lib/util_sd.c', + deps=''' + talloc +- popt_samba3 ++ popt_samba3_cmdline + msrpc3 + libcli_lsa3 + krb5samba''') +@@ -76,7 +76,7 @@ bld.SAMBA3_BINARY('smbcquotas', + source='smbcquotas.c', + deps=''' + talloc +- popt_samba3 ++ popt_samba3_cmdline + libsmb + msrpc3 + libcli_lsa3''') +@@ -150,7 +150,9 @@ bld.SAMBA3_BINARY('samba-regedit', + regedit_wrap.c regedit_treeview.c + regedit_valuelist.c regedit_dialog.c + regedit_hexedit.c regedit_list.c""", +- deps='ncurses menu panel form registry smbconf popt_samba3', ++ deps=''' ++ ncurses menu panel form registry smbconf popt_samba3_cmdline ++ ''', + enabled=bld.env.build_regedit) + + bld.SAMBA3_BINARY('testparm', +@@ -217,7 +219,7 @@ bld.SAMBA3_BINARY('net', + netapi + addns + samba_intl +- popt_samba3 ++ popt_samba3_cmdline + pdb + libsmb + smbconf +diff --git a/source3/wscript_build b/source3/wscript_build +index c7c69a9bee1..5ecf23d531d 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -268,7 +268,12 @@ bld.SAMBA3_SUBSYSTEM('REG_FULL', + + bld.SAMBA3_LIBRARY('popt_samba3', + source='lib/popt_common.c', +- deps='popt samba-util util_cmdline', ++ deps='popt samba-util smbconf', ++ private_library=True) ++ ++bld.SAMBA3_LIBRARY('popt_samba3_cmdline', ++ source='lib/popt_common_cmdline.c', ++ deps='popt_samba3 util_cmdline', + private_library=True) + + bld.SAMBA3_LIBRARY('util_cmdline', +@@ -1094,7 +1099,7 @@ bld.SAMBA3_BINARY('client/smbclient', + ''', + deps=''' + talloc +- popt_samba3 ++ popt_samba3_cmdline + smbconf + ndr-standard + SMBREADLINE +-- +2.13.6 + + +From a98b2df2121c129326c64e35ba63e780aeb44a19 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 14:44:28 -0700 +Subject: [PATCH 04/22] s3:lib: Introduce cmdline context wrapper + +Command line tools need acccess to the same messaging context provided +by server_messaging_context, as common code for db_open uses that +context. We want to have additional checking for command line tools +without having that code part of the servers. Introduce a wrapper +library to use for command line tools with the additional checks, that +then acquires the server_messaging_context. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 8c3b62e6231e62feafacf2a7ee4c9d41cd27a4a1) +--- + source3/lib/cmdline_contexts.c | 70 ++++++++++++++++++++++++++++++++++++++++++ + source3/lib/cmdline_contexts.h | 27 ++++++++++++++++ + source3/wscript_build | 5 +++ + 3 files changed, 102 insertions(+) + create mode 100644 source3/lib/cmdline_contexts.c + create mode 100644 source3/lib/cmdline_contexts.h + +diff --git a/source3/lib/cmdline_contexts.c b/source3/lib/cmdline_contexts.c +new file mode 100644 +index 00000000000..5713f7f7956 +--- /dev/null ++++ b/source3/lib/cmdline_contexts.c +@@ -0,0 +1,70 @@ ++/* ++ Unix SMB/CIFS implementation. ++ cmdline context wrapper. ++ ++ Copyright (C) Christof Schmitt 2018 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#include "cmdline_contexts.h" ++#include "includes.h" ++#include "messages.h" ++ ++struct messaging_context *cmdline_messaging_context(const char *config_file) ++{ ++ struct messaging_context *msg_ctx = NULL; ++ ++ /* ++ * Ensure that a config is loaded, in case the underlying ++ * messaging_init needs to create directories or sockets. ++ */ ++ if (!lp_loaded()) { ++ if (!lp_load_initial_only(config_file)) { ++ return NULL; ++ } ++ } ++ ++ /* ++ * Clustered Samba can only work as root due to required ++ * access to the registry and ctdb, which in turn requires ++ * messaging access as root. ++ */ ++ if (lp_clustering() && geteuid() != 0) { ++ fprintf(stderr, "Cluster mode requires running as root.\n"); ++ exit(1); ++ } ++ ++ msg_ctx = server_messaging_context(); ++ if (msg_ctx == NULL) { ++ if (geteuid() == 0) { ++ fprintf(stderr, ++ "Unable to initialize messaging context!\n"); ++ exit(1); ++ } else { ++ /* ++ * Non-cluster, non-root: Log error, but leave ++ * it up to the caller how to proceed. ++ */ ++ DBG_NOTICE("Unable to initialize messaging context.\n"); ++ } ++ } ++ ++ return msg_ctx; ++} ++ ++void cmdline_messaging_context_free(void) ++{ ++ server_messaging_context_free(); ++} +diff --git a/source3/lib/cmdline_contexts.h b/source3/lib/cmdline_contexts.h +new file mode 100644 +index 00000000000..21f81f0f1cd +--- /dev/null ++++ b/source3/lib/cmdline_contexts.h +@@ -0,0 +1,27 @@ ++/* ++ Unix SMB/CIFS implementation. ++ cmdline context wrapper. ++ ++ Copyright (C) Christof Schmitt 2018 ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; either version 3 of the License, or ++ (at your option) any later version. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++*/ ++ ++#ifndef _LIB_CMDLINE_CONTEXTS_H ++#define _LIB_CMDLINE_CONTEXTS_H ++ ++struct messaging_context *cmdline_messaging_context(const char *config_file); ++void cmdline_messaging_context_free(void); ++ ++#endif +diff --git a/source3/wscript_build b/source3/wscript_build +index 5ecf23d531d..6fb09f7fbeb 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -281,6 +281,11 @@ bld.SAMBA3_LIBRARY('util_cmdline', + deps='secrets3', + private_library=True) + ++bld.SAMBA3_LIBRARY('cmdline_contexts', ++ source='lib/cmdline_contexts.c', ++ deps='samba3core', ++ private_library=True) ++ + bld.SAMBA3_SUBSYSTEM('KRBCLIENT', + source='libads/kerberos.c libads/ads_status.c', + public_deps='krb5samba asn1util k5crypto gssapi LIBTSOCKET CLDAP LIBNMB') +-- +2.13.6 + + +From d5d7a587f7476835bc48aae0dda5e064c2fd573c Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 10 Jul 2018 08:11:31 +0200 +Subject: [PATCH 05/22] s3:loadparm: reinit_globals in + lp_load_with_registry_shares() + +This was set to false in 0e0d77519c27038b30fec92d542198e97be767d9 based +on the assumption that callers would have no need to call +lp_load_initial_only() with a later call to lp_load_something(). + +This is not quite correct, since for accessing registry config on a +cluster with include=registry, we need messaging up and running which +*itself* requires loadparm to be initialized to get the statedir, +lockdir asf. directories. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Ralph Boehme +Reviewed-by: Christof Schmitt +(cherry picked from commit 3aca3f24d4bdacc11278388934b0b411d518d7b0) +--- + source3/param/loadparm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 291ba57e0bb..322934c55f0 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -4120,7 +4120,7 @@ bool lp_load_with_registry_shares(const char *pszFname) + false, /* global_only */ + true, /* save_defaults */ + false, /* add_ipc */ +- false, /* reinit_globals */ ++ true, /* reinit_globals */ + true, /* allow_include_registry */ + true); /* load_all_shares*/ + } +-- +2.13.6 + + +From 88291681f03bb928d31e89717d2a19292f433024 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 10 Jul 2018 10:38:10 +0200 +Subject: [PATCH 06/22] selftest: pass configfile to pdbedit + +This is needed otherwise pdbedit fails to initialize messaging in +autobuild. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Ralph Boehme +Reviewed-by: Christof Schmitt +(cherry picked from commit 10e1a6ebb3d95b8a1584a9b90c2584536aa9c96d) +--- + testprogs/blackbox/test_pdbtest.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/testprogs/blackbox/test_pdbtest.sh b/testprogs/blackbox/test_pdbtest.sh +index 2ffded9af4e..02615094451 100755 +--- a/testprogs/blackbox/test_pdbtest.sh ++++ b/testprogs/blackbox/test_pdbtest.sh +@@ -44,12 +44,12 @@ send ${NEWUSERPASS}\n + send ${NEWUSERPASS}\n + EOF + +-testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` ++testit "create user with pdbedit" $texpect ./tmpsmbpasswdscript $VALGRIND $pdbedit -s $SMB_CONF -a $USER --account-desc="pdbedit-test-user" $@ || failed=`expr $failed + 1` + USERPASS=$NEWUSERPASS + + test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@ || failed=`expr $failed + 1` + +-testit "modify user" $VALGRIND $pdbedit --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` ++testit "modify user" $VALGRIND $pdbedit -s $SMB_CONF --modify $USER --drive="D:" $@ || failed=`expr $failed + 1` + + test_smbclient "Test login with user (ntlm)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS $@|| failed=`expr $failed + 1` + +@@ -87,11 +87,11 @@ test_smbclient "Test login with no expiry (ntlm)" 'ls' "$unc" -k no -U$USER%$NEW + NEWUSERPASS=testPaSS@03% + NEWUSERHASH=062519096c45739c1938800f80906731 + +-testit "Set user password with password hash" $VALGRIND $pdbedit -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1` ++testit "Set user password with password hash" $VALGRIND $pdbedit -s $SMB_CONF -u $USER --set-nt-hash $NEWUSERHASH $@ || failed=`expr $failed + 1` + + test_smbclient "Test login with new password (from hash)" 'ls' "$unc" -k no -U$USER%$NEWUSERPASS || failed=`expr $failed + 1` + +-testit "del user" $VALGRIND $pdbedit -x $USER $@ || failed=`expr $failed + 1` ++testit "del user" $VALGRIND $pdbedit -s $SMB_CONF -x $USER $@ || failed=`expr $failed + 1` + + rm ./tmpsmbpasswdscript + +-- +2.13.6 + + +From 31a50b15bfbe2c97ca19313e2536332979bfcef2 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 10 Jul 2018 15:26:40 +0200 +Subject: [PATCH 07/22] s3:popt_common: use cmdline_messaging_context() in + popt_common_credentials_callback() + +This adds a call to cmdline_messaging_context() to the popt +popt_common_credentials_callback() hook and ensures that any client tool +that uses POPT_COMMON_CREDENTIALS gets an implicit messaging context, +ensuring it doesn't crash in the subsequent lp_load_client() with +include=registry in a cluster. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Ralph Boehme +Reviewed-by: Christof Schmitt +(cherry picked from commit 2c63ce94ef3a55ab0aa1aae4f6fee88e29ac2efe) +--- + source3/lib/popt_common_cmdline.c | 8 ++++++++ + source3/wscript_build | 2 +- + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/source3/lib/popt_common_cmdline.c b/source3/lib/popt_common_cmdline.c +index 57f77e0868a..d1ba90dd43e 100644 +--- a/source3/lib/popt_common_cmdline.c ++++ b/source3/lib/popt_common_cmdline.c +@@ -35,6 +35,7 @@ + #include "popt_common_cmdline.h" + #include "includes.h" + #include "auth_info.h" ++#include "cmdline_contexts.h" + + static struct user_auth_info *cmdline_auth_info; + +@@ -101,8 +102,15 @@ static void popt_common_credentials_callback(poptContext con, + } + + if (reason == POPT_CALLBACK_REASON_POST) { ++ struct messaging_context *msg_ctx = NULL; + bool ok; + ++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ if (msg_ctx == NULL) { ++ fprintf(stderr, "Unable to initialize " ++ "messaging context\n"); ++ } ++ + ok = lp_load_client(get_dyn_CONFIGFILE()); + if (!ok) { + const char *pname = poptGetInvocationName(con); +diff --git a/source3/wscript_build b/source3/wscript_build +index 6fb09f7fbeb..250b7f1ff52 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -273,7 +273,7 @@ bld.SAMBA3_LIBRARY('popt_samba3', + + bld.SAMBA3_LIBRARY('popt_samba3_cmdline', + source='lib/popt_common_cmdline.c', +- deps='popt_samba3 util_cmdline', ++ deps='popt_samba3 util_cmdline cmdline_contexts', + private_library=True) + + bld.SAMBA3_LIBRARY('util_cmdline', +-- +2.13.6 + + +From db6cce7786809a96f81c575a3cbbbf87bdec3047 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Tue, 21 Aug 2018 14:58:01 -0700 +Subject: [PATCH 08/22] test:doc: Skip 'clustering=yes' + +As testparm will error out when running clustering=yes as non-root, skip +this step to avoid a test failure. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(backported from commit 3ecb9ed7b079fc1bf74c311cf5f1684086b36883) +--- + python/samba/tests/docs.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py +index 0f029ae02d2..620383caebd 100644 +--- a/python/samba/tests/docs.py ++++ b/python/samba/tests/docs.py +@@ -163,7 +163,8 @@ import xml.etree.ElementTree as ET + 'registry shares', + 'smb ports', + 'rpc server dynamic port range', +- 'name resolve order']) ++ 'name resolve order', ++ 'clustering']) + self._test_empty(['bin/testparm']) + + def test_default_s4(self): +-- +2.13.6 + + +From 7608714a4a0796c8ef747c0cbce160fc3d0fa325 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 15:38:33 -0700 +Subject: [PATCH 09/22] s3:smbpasswd: Use cmdline_messaging_context + +smbpasswd does not use POPT_CREDENTIALS. Call cmdline_messaging_context +to initialize a messaging_context with proper error checking before +calling lp_load_global. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 29fd2c2e5ad3c2d44f3629c6b7b4139772fe350c) +--- + source3/utils/smbpasswd.c | 17 +++-------------- + source3/utils/wscript_build | 4 +++- + 2 files changed, 6 insertions(+), 15 deletions(-) + +diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c +index 04f34aa9b69..8e2b9d7f80f 100644 +--- a/source3/utils/smbpasswd.c ++++ b/source3/utils/smbpasswd.c +@@ -23,6 +23,7 @@ + #include "../lib/util/util_pw.h" + #include "libsmb/proto.h" + #include "passdb.h" ++#include "cmdline_contexts.h" + + /* + * Next two lines needed for SunOS and don't +@@ -196,6 +197,8 @@ static int process_options(int argc, char **argv, int local_flags) + usage(); + } + ++ cmdline_messaging_context(configfile); ++ + if (!lp_load_global(configfile)) { + fprintf(stderr, "Can't load %s - run testparm to debug it\n", + configfile); +@@ -614,7 +617,6 @@ static int process_nonroot(int local_flags) + int main(int argc, char **argv) + { + TALLOC_CTX *frame = talloc_stackframe(); +- struct messaging_context *msg_ctx = NULL; + int local_flags = 0; + int ret; + +@@ -632,19 +634,6 @@ int main(int argc, char **argv) + + setup_logging("smbpasswd", DEBUG_STDERR); + +- msg_ctx = server_messaging_context(); +- if (msg_ctx == NULL) { +- if (geteuid() != 0) { +- DBG_NOTICE("Unable to initialize messaging context. " +- "Must be root to do that.\n"); +- } else { +- fprintf(stderr, +- "smbpasswd is not able to initialize the " +- "messaging context!\n"); +- return 1; +- } +- } +- + /* + * Set the machine NETBIOS name if not already + * set from the config file. +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 67bb87e7a74..06a986cada4 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -37,7 +37,9 @@ bld.SAMBA3_BINARY('smbpasswd', + smbconf + pdb + PASSWD_UTIL +- PASSCHANGE''') ++ PASSCHANGE ++ cmdline_contexts ++ ''') + + bld.SAMBA3_BINARY('pdbedit', + source='pdbedit.c', +-- +2.13.6 + + +From 305cf6a251e395c895f04b2590125dec430a08e6 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 15:46:27 -0700 +Subject: [PATCH 10/22] s3:smbstatus: Use cmdline_messaging_context + +Use cmdline_messaging_context to initialize a messaging context instead +of open coding the same steps. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit d7fa3815a83a50fd9e3d78cac0d5ef3eb79235e5) +--- + source3/utils/status.c | 25 +++---------------------- + source3/wscript_build | 1 + + 2 files changed, 4 insertions(+), 22 deletions(-) + +diff --git a/source3/utils/status.c b/source3/utils/status.c +index d04efedee3f..1d68219a5ac 100644 +--- a/source3/utils/status.c ++++ b/source3/utils/status.c +@@ -48,6 +48,7 @@ + #include "serverid.h" + #include "status_profile.h" + #include "smbd/notifyd/notifyd.h" ++#include "cmdline_contexts.h" + + #define SMB_MAXPIDS 2048 + static uid_t Ucrit_uid = 0; /* added by OH */ +@@ -528,7 +529,6 @@ int main(int argc, const char *argv[]) + }; + TALLOC_CTX *frame = talloc_stackframe(); + int ret = 0; +- struct tevent_context *ev; + struct messaging_context *msg_ctx = NULL; + char *db_path; + bool ok; +@@ -607,28 +607,9 @@ int main(int argc, const char *argv[]) + d_printf("using configfile = %s\n", get_dyn_CONFIGFILE()); + } + +- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) { +- fprintf(stderr, "Can't load %s - run testparm to debug it\n", +- get_dyn_CONFIGFILE()); +- ret = -1; +- goto done; +- } +- +- +- /* +- * This implicitly initializes the global ctdbd connection, +- * usable by the db_open() calls further down. +- */ +- ev = samba_tevent_context_init(NULL); +- if (ev == NULL) { +- fprintf(stderr, "samba_tevent_context_init failed\n"); +- ret = -1; +- goto done; +- } +- +- msg_ctx = messaging_init(NULL, ev); ++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); + if (msg_ctx == NULL) { +- fprintf(stderr, "messaging_init failed\n"); ++ fprintf(stderr, "Could not initialize messaging, not root?\n"); + ret = -1; + goto done; + } +diff --git a/source3/wscript_build b/source3/wscript_build +index 250b7f1ff52..36cfd5dada7 100644 +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -1157,6 +1157,7 @@ bld.SAMBA3_BINARY('smbstatus', + talloc + smbconf + popt_samba3 ++ cmdline_contexts + smbd_base + LOCKING + PROFILE +-- +2.13.6 + + +From 27e80482d1d37aaacbca7ca6eff6000c78349da7 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 15:54:11 -0700 +Subject: [PATCH 11/22] rpcclient: Use cmdline_messaging_context + +Use cmdline_messaging_context with its error checking instead of open +coding the same steps. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit dd3ae2ffdc66be4707471bfccf27ef446b5599cb) +--- + source3/rpcclient/rpcclient.c | 28 ++-------------------------- + 1 file changed, 2 insertions(+), 26 deletions(-) + +diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c +index f7e196226cf..9f95f1a7a8c 100644 +--- a/source3/rpcclient/rpcclient.c ++++ b/source3/rpcclient/rpcclient.c +@@ -35,6 +35,7 @@ + #include "auth/gensec/gensec.h" + #include "../libcli/smb/smbXcli_base.h" + #include "messages.h" ++#include "cmdline_contexts.h" + + enum pipe_auth_type_spnego { + PIPE_AUTH_TYPE_SPNEGO_NONE = 0, +@@ -950,7 +951,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, + const char *binding_string = NULL; + const char *host; + int signing_state = SMB_SIGNING_IPC_DEFAULT; +- struct tevent_context *ev_ctx = NULL; + + /* make sure the vars that get altered (4th field) are in + a fixed location or certain compilers complain */ +@@ -1016,30 +1016,7 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, + poptFreeContext(pc); + popt_burn_cmdline_password(argc, argv); + +- ev_ctx = samba_tevent_context_init(frame); +- if (ev_ctx == NULL) { +- fprintf(stderr, "Could not init event context\n"); +- result = 1; +- goto done; +- } +- +- nt_status = messaging_init_client(ev_ctx, +- ev_ctx, +- &rpcclient_msg_ctx); +- if (geteuid() != 0 && +- NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) { +- /* +- * Normal to fail to initialize messaging context +- * if we're not root as we don't have ability to +- * read lock directory. +- */ +- DBG_NOTICE("Unable to initialize messaging context. " +- "Must be root to do that.\n"); +- } else if (!NT_STATUS_IS_OK(nt_status)) { +- fprintf(stderr, "Could not init messaging context\n"); +- result = 1; +- goto done; +- } ++ rpcclient_msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); + + if (!init_names()) { + result = 1; +@@ -1258,7 +1235,6 @@ static NTSTATUS process_cmd(struct user_auth_info *auth_info, + popt_free_cmdline_auth_info(); + netlogon_creds_cli_close_global_db(); + TALLOC_FREE(rpcclient_msg_ctx); +- TALLOC_FREE(ev_ctx); + TALLOC_FREE(frame); + return result; + } +-- +2.13.6 + + +From eaa0cb2c039c9c8ef838f259efcaffc59033bbbf Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:01:00 -0700 +Subject: [PATCH 12/22] s3:net: Use cmdline_messaging_context + +Use cmdline_messaging_context with its error checking instead of open +coding the same steps. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit f2b659e4f518ccb06f221dd028f99883ca1a1847) +--- + source3/utils/net.c | 29 ++--------------------------- + 1 file changed, 2 insertions(+), 27 deletions(-) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 76b8677bf78..759d8cd442b 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -48,6 +48,7 @@ + #include "../libcli/security/security.h" + #include "passdb.h" + #include "messages.h" ++#include "cmdline_contexts.h" + + #ifdef WITH_FAKE_KASERVER + #include "utils/net_afs.h" +@@ -915,9 +916,7 @@ static struct functable net_func[] = { + const char **argv_const = discard_const_p(const char *, argv); + poptContext pc; + TALLOC_CTX *frame = talloc_stackframe(); +- struct tevent_context *ev; + struct net_context *c = talloc_zero(frame, struct net_context); +- NTSTATUS status; + + struct poptOption long_options[] = { + {"help", 'h', POPT_ARG_NONE, 0, 'h'}, +@@ -1031,31 +1030,7 @@ static struct functable net_func[] = { + } + } + +- if (!lp_load_initial_only(get_dyn_CONFIGFILE())) { +- d_fprintf(stderr, "Can't load %s - run testparm to debug it\n", +- get_dyn_CONFIGFILE()); +- exit(1); +- } +- +- ev = samba_tevent_context_init(c); +- if (ev == NULL) { +- d_fprintf(stderr, "samba_tevent_context_init failed\n"); +- exit(1); +- } +- status = messaging_init_client(c, ev, &c->msg_ctx); +- if (geteuid() != 0 && +- NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { +- /* +- * Normal to fail to initialize messaging context +- * if we're not root as we don't have ability to +- * read lock directory. +- */ +- DBG_NOTICE("Unable to initialize messaging context. " +- "Must be root to do that.\n"); +- } else if (!NT_STATUS_IS_OK(status)) { +- d_fprintf(stderr, "Failed to init messaging context\n"); +- exit(1); +- } ++ c->msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); + + if (!lp_load_global(get_dyn_CONFIGFILE())) { + d_fprintf(stderr, "Can't load %s - run testparm to debug it\n", +-- +2.13.6 + + +From 8cb95d9ad621db6adf627b439745691c8ff09d66 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 10 Jul 2018 16:29:46 +0200 +Subject: [PATCH 13/22] s3:messaging: remove unused messaging_init_client() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Ralph Boehme +Reviewed-by: Christof Schmitt +(cherry picked from commit f56496b11469f0e9af9ba81cefb796ca1febabb1) +--- + source3/include/messages.h | 3 --- + source3/lib/messages.c | 9 --------- + 2 files changed, 12 deletions(-) + +diff --git a/source3/include/messages.h b/source3/include/messages.h +index 29c394af317..f7b40664b0b 100644 +--- a/source3/include/messages.h ++++ b/source3/include/messages.h +@@ -46,9 +46,6 @@ struct messaging_rec; + + struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev); +-NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx, +- struct tevent_context *ev, +- struct messaging_context **pmsg_ctx); + + struct server_id messaging_server_id(const struct messaging_context *msg_ctx); + struct tevent_context *messaging_tevent_context( +diff --git a/source3/lib/messages.c b/source3/lib/messages.c +index dab53f1c48e..90fffa2c872 100644 +--- a/source3/lib/messages.c ++++ b/source3/lib/messages.c +@@ -635,15 +635,6 @@ struct messaging_context *messaging_init(TALLOC_CTX *mem_ctx, + return ctx; + } + +-NTSTATUS messaging_init_client(TALLOC_CTX *mem_ctx, +- struct tevent_context *ev, +- struct messaging_context **pmsg_ctx) +-{ +- return messaging_init_internal(mem_ctx, +- ev, +- pmsg_ctx); +-} +- + struct server_id messaging_server_id(const struct messaging_context *msg_ctx) + { + return msg_ctx->id; +-- +2.13.6 + + +From 37ad220effcfea97929483e84477fae2e48d0be8 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:08:21 -0700 +Subject: [PATCH 14/22] s3:pdbedit: Use cmdline_messaging_context + +Initialize the messaging context through cmdline_messaging_context to +allow access to config in clustered Samba. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 4661537c201acebee991d219d151cb481f56265c) +--- + source3/utils/pdbedit.c | 3 +++ + source3/utils/wscript_build | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c +index 5c947e2fbde..a2394880c65 100644 +--- a/source3/utils/pdbedit.c ++++ b/source3/utils/pdbedit.c +@@ -25,6 +25,7 @@ + #include "../librpc/gen_ndr/samr.h" + #include "../libcli/security/security.h" + #include "passdb.h" ++#include "cmdline_contexts.h" + + #define BIT_BACKEND 0x00000004 + #define BIT_VERBOSE 0x00000008 +@@ -1121,6 +1122,8 @@ int main(int argc, const char **argv) + if (user_name == NULL) + user_name = poptGetArg(pc); + ++ cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ + if (!lp_load_global(get_dyn_CONFIGFILE())) { + fprintf(stderr, "Can't load %s - run testparm to debug it\n", get_dyn_CONFIGFILE()); + exit(1); +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 06a986cada4..570c4506bee 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -47,6 +47,7 @@ bld.SAMBA3_BINARY('pdbedit', + talloc + smbconf + popt_samba3 ++ cmdline_contexts + pdb + PASSWD_UTIL''') + +-- +2.13.6 + + +From 375f013eaeb9d4c2592f68cd10374f61e2d12533 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:11:11 -0700 +Subject: [PATCH 15/22] s3:testparm: Use cmdline_messaging_context + +Call cmdline_messaging_context to initialize a messaging config before +accessing clustered Samba config. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit ea7a4ff7ae5ef2b22fb7ef5640d6b946c064cfc3) +--- + source3/utils/testparm.c | 3 +++ + source3/utils/wscript_build | 4 +++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index 8113eea0020..88dfc42d492 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -35,6 +35,7 @@ + #include "system/filesys.h" + #include "popt_common.h" + #include "lib/param/loadparm.h" ++#include "cmdline_contexts.h" + + #include + +@@ -698,6 +699,8 @@ static void do_per_share_checks(int s) + goto done; + } + ++ cmdline_messaging_context(config_file); ++ + fprintf(stderr,"Load smb config files from %s\n",config_file); + + if (!lp_load_with_registry_shares(config_file)) { +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 570c4506bee..ffa0762d828 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -163,7 +163,9 @@ bld.SAMBA3_BINARY('testparm', + deps=''' + talloc + smbconf +- popt_samba3''') ++ popt_samba3 ++ cmdline_contexts ++ ''') + + bld.SAMBA3_BINARY('net', + source='''net.c +-- +2.13.6 + + +From 96d91b1d4c60552b1ed7058a4d9ed2b06a929c57 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:15:02 -0700 +Subject: [PATCH 16/22] s3:sharesec: Use cmdline_messaging_context + +Call cmdline_messasging_context to initialize messaging context before +accessing clustered Samba config. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit cab8f27bbc927e48c52bac6350325e8ec38092b2) +--- + source3/utils/sharesec.c | 2 ++ + source3/utils/wscript_build | 4 +++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c +index d9f81587f0e..375ae582ae5 100644 +--- a/source3/utils/sharesec.c ++++ b/source3/utils/sharesec.c +@@ -28,6 +28,7 @@ struct cli_state; + #include "../libcli/security/security.h" + #include "passdb/machine_sid.h" + #include "util_sd.h" ++#include "cmdline_contexts.h" + + static TALLOC_CTX *ctx; + +@@ -420,6 +421,7 @@ int main(int argc, const char *argv[]) + + setlinebuf(stdout); + ++ cmdline_messaging_context(get_dyn_CONFIGFILE()); + lp_load_with_registry_shares(get_dyn_CONFIGFILE()); + + /* check for initializing secrets.tdb first */ +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index ffa0762d828..7e586dc268d 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -98,7 +98,9 @@ bld.SAMBA3_BINARY('sharesec', + talloc + msrpc3 + libcli_lsa3 +- popt_samba3''') ++ popt_samba3 ++ cmdline_contexts ++ ''') + + bld.SAMBA3_BINARY('log2pcap', + source='log2pcaphex.c', +-- +2.13.6 + + +From 389d7e32dc9f02b037ab9c2d0db1095f88f64145 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:18:20 -0700 +Subject: [PATCH 17/22] s3: ntlm_auth: Use cmdline_messaging_context + +Call cmdline_messaging_context to initialize the messaging context +before accessing clustered Samba config. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 9ed617474f588ceb42c8929ee8a51071a408c219) +--- + source3/utils/ntlm_auth.c | 3 +++ + source3/utils/wscript_build | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 7d27712980b..b8014ec1034 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -47,6 +47,7 @@ + #include "nsswitch/libwbclient/wbclient.h" + #include "lib/param/loadparm.h" + #include "lib/util/base64.h" ++#include "cmdline_contexts.h" + + #if HAVE_KRB5 + #include "auth/kerberos/pac_utils.h" +@@ -2380,6 +2381,8 @@ enum { + + poptFreeContext(pc); + ++ cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ + if (!lp_load_global(get_dyn_CONFIGFILE())) { + d_fprintf(stderr, "ntlm_auth: error opening config file %s. Error was %s\n", + get_dyn_CONFIGFILE(), strerror(errno)); +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 7e586dc268d..92404a61c2d 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -128,6 +128,7 @@ bld.SAMBA3_BINARY('ntlm_auth', + tiniparser + libsmb + popt_samba3 ++ cmdline_contexts + gse gensec''') + + bld.SAMBA3_BINARY('dbwrap_tool', +-- +2.13.6 + + +From 6a08003f378ddc270597465509cf4b34837d8dc8 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Mon, 20 Aug 2018 16:21:51 -0700 +Subject: [PATCH 18/22] s3:eventlogadm: Use cmdline_messaging_context + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 095123df945270bc51635a19125a7abdfcd4ab80) +--- + source3/utils/eventlogadm.c | 4 ++++ + source3/utils/wscript_build | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c +index 5ef091a9ae3..db874dfae8a 100644 +--- a/source3/utils/eventlogadm.c ++++ b/source3/utils/eventlogadm.c +@@ -30,6 +30,7 @@ + #include "registry/reg_util_token.h" + #include "registry/reg_backend_db.h" + #include "../libcli/registry/util_reg.h" ++#include "cmdline_contexts.h" + + extern int optind; + extern char *optarg; +@@ -472,6 +473,9 @@ int main( int argc, char *argv[] ) + exit( 1 ); + } + ++ cmdline_messaging_context(configfile == NULL ? ++ get_dyn_CONFIGFILE() : configfile); ++ + if ( configfile == NULL ) { + lp_load_global(get_dyn_CONFIGFILE()); + } else if (!lp_load_global(configfile)) { +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 92404a61c2d..eabebcf3d52 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -89,6 +89,7 @@ bld.SAMBA3_BINARY('eventlogadm', + deps=''' + talloc + smbconf ++ cmdline_contexts + LIBEVENTLOG''', + install_path='${SBINDIR}') + +-- +2.13.6 + + +From 6f32f75ad43b4e49de5af794beb134252267b768 Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Tue, 21 Aug 2018 12:34:34 -0700 +Subject: [PATCH 19/22] s3:dbwrap_tool: Use cmdline_messaging_context + +Initialize the messaging context through cmdline_messaging_context to +allow access to config in clustered Samba. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 7eeff96b826711b5a8d44ab24603dafcc0343d84) +--- + source3/utils/dbwrap_tool.c | 3 +++ + source3/utils/wscript_build | 4 +++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c +index 94aacd8ba26..b182e9cbfab 100644 +--- a/source3/utils/dbwrap_tool.c ++++ b/source3/utils/dbwrap_tool.c +@@ -28,6 +28,7 @@ + #include "dbwrap/dbwrap_watch.h" + #include "messages.h" + #include "util_tdb.h" ++#include "cmdline_contexts.h" + + enum dbwrap_op { OP_FETCH, OP_STORE, OP_DELETE, OP_ERASE, OP_LISTKEYS, + OP_EXISTS }; +@@ -428,6 +429,8 @@ int main(int argc, const char **argv) + while (extra_argv[extra_argc]) extra_argc++; + } + ++ cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ + lp_load_global(get_dyn_CONFIGFILE()); + + if ((extra_argc < 2) || (extra_argc > 5)) { +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index eabebcf3d52..11bd2015c3a 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -136,7 +136,9 @@ bld.SAMBA3_BINARY('dbwrap_tool', + source='dbwrap_tool.c', + deps=''' + talloc +- popt_samba3''') ++ popt_samba3 ++ cmdline_contexts ++ ''') + + bld.SAMBA3_BINARY('dbwrap_torture', + source='dbwrap_torture.c', +-- +2.13.6 + + +From f23f129047edd4b6fd6163a7795e48be3e59b49c Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Tue, 21 Aug 2018 12:35:11 -0700 +Subject: [PATCH 20/22] s3:smbcontrol: Use cmdline_messaging_context + +Initialize the messaging context through cmdline_messaging_context to +allow access to config in clustered Samba. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit de040eafbd7d729316d757c14c44df163a4b36ad) +--- + source3/utils/smbcontrol.c | 19 +++++++++++-------- + source3/utils/wscript_build | 1 + + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/source3/utils/smbcontrol.c b/source3/utils/smbcontrol.c +index bd89b9ebf0a..ecf27801f8a 100644 +--- a/source3/utils/smbcontrol.c ++++ b/source3/utils/smbcontrol.c +@@ -35,6 +35,7 @@ + #include "util_tdb.h" + #include "../lib/util/pidfile.h" + #include "serverid.h" ++#include "cmdline_contexts.h" + + #if HAVE_LIBUNWIND_H + #include +@@ -1609,21 +1610,23 @@ int main(int argc, const char **argv) + if (argc <= 1) + usage(pc); + ++ msg_ctx = cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ if (msg_ctx == NULL) { ++ fprintf(stderr, ++ "Could not init messaging context, not root?\n"); ++ TALLOC_FREE(frame); ++ exit(1); ++ } ++ ++ evt_ctx = server_event_context(); ++ + lp_load_global(get_dyn_CONFIGFILE()); + + /* Need to invert sense of return code -- samba + * routines mostly return True==1 for success, but + * shell needs 0. */ + +- if (!(evt_ctx = samba_tevent_context_init(NULL)) || +- !(msg_ctx = messaging_init(NULL, evt_ctx))) { +- fprintf(stderr, "could not init messaging context\n"); +- TALLOC_FREE(frame); +- exit(1); +- } +- + ret = !do_command(evt_ctx, msg_ctx, argc, argv); +- TALLOC_FREE(msg_ctx); + TALLOC_FREE(frame); + return ret; + } +diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build +index 11bd2015c3a..6793c6d5c8a 100644 +--- a/source3/utils/wscript_build ++++ b/source3/utils/wscript_build +@@ -18,6 +18,7 @@ bld.SAMBA3_BINARY('smbcontrol', + talloc + smbconf + popt_samba3 ++ cmdline_contexts + PRINTBASE''') + + bld.SAMBA3_BINARY('smbtree', +-- +2.13.6 + + +From 4f57a7b28cc1b705f34444f795724e3d3a06d99c Mon Sep 17 00:00:00 2001 +From: Christof Schmitt +Date: Tue, 21 Aug 2018 16:11:02 -0700 +Subject: [PATCH 21/22] s3:smbget: Use cmdline_messaging_context + +Initialize the messaging context through cmdline_messaging_context to +allow access to config in clustered Samba. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Christof Schmitt +Reviewed-by: Ralph Boehme +(cherry picked from commit 20ed13923ed3c55e1b293e5440028d29384e9d3a) +--- + source3/utils/smbget.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c +index 37462fa131f..4653c6894e0 100644 +--- a/source3/utils/smbget.c ++++ b/source3/utils/smbget.c +@@ -20,6 +20,7 @@ + #include "system/filesys.h" + #include "popt_common_cmdline.h" + #include "libsmbclient.h" ++#include "cmdline_contexts.h" + + static int columns = 0; + +@@ -879,6 +880,8 @@ int main(int argc, char **argv) + + popt_burn_cmdline_password(argc, argv); + ++ cmdline_messaging_context(get_dyn_CONFIGFILE()); ++ + if (smbc_init(get_auth_data, opt.debuglevel) < 0) { + fprintf(stderr, "Unable to initialize libsmbclient\n"); + return 1; +-- +2.13.6 + + +From 8fb42e4a751af55e6e56cd4e64029228f1cc36c3 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Fri, 7 Sep 2018 07:27:46 +0200 +Subject: [PATCH 22/22] examples: Fix the smb2mount build + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13465 + +Signed-off-by: Volker Lendecke +Reviewed-by: Ralph Boehme +(cherry picked from commit 94852e3544bf2cace3ddba8b9c89d986d77fdab5) +--- + examples/fuse/smb2mount.c | 2 +- + examples/fuse/wscript_build | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/examples/fuse/smb2mount.c b/examples/fuse/smb2mount.c +index 816b0b597ad..ec4be809f6d 100644 +--- a/examples/fuse/smb2mount.c ++++ b/examples/fuse/smb2mount.c +@@ -20,7 +20,7 @@ + + #include "source3/include/includes.h" + #include "popt.h" +-#include "popt_common.h" ++#include "popt_common_cmdline.h" + #include "client.h" + #include "libsmb/proto.h" + #include "clifuse.h" +diff --git a/examples/fuse/wscript_build b/examples/fuse/wscript_build +index 9ec5fc0a0f2..31341e4357d 100644 +--- a/examples/fuse/wscript_build ++++ b/examples/fuse/wscript_build +@@ -3,5 +3,5 @@ + if bld.env.HAVE_FUSE: + bld.SAMBA_BINARY('smb2mount', + source='smb2mount.c clifuse.c', +- deps='smbconf popt_samba3 libsmb fuse', ++ deps='smbconf popt_samba3_cmdline libsmb fuse', + install=False) +-- +2.13.6 + diff --git a/samba-4.9-fix_winbind_passdb_segfault.patch b/samba-4.9-fix_winbind_passdb_segfault.patch new file mode 100644 index 0000000..3d678a2 --- /dev/null +++ b/samba-4.9-fix_winbind_passdb_segfault.patch @@ -0,0 +1,39 @@ +From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 29 Oct 2018 19:45:58 +0100 +Subject: [PATCH] s3:winbind: Check return code of initialize_password_db() + +See https://retrace.fedoraproject.org/faf/reports/1577174/ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac) +--- + source3/winbindd/winbindd.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c +index 254d93b344d..a8ffc31778c 100644 +--- a/source3/winbindd/winbindd.c ++++ b/source3/winbindd/winbindd.c +@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv) + if (!NT_STATUS_IS_OK(status)) { + exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status)); + } +- initialize_password_db(true, server_event_context()); ++ ++ ok = initialize_password_db(true, server_event_context()); ++ if (!ok) { ++ exit_daemon("Failed to initialize passdb backend! " ++ "Check the 'passdb backend' variable in your " ++ "smb.conf file.", EINVAL); ++ } + + /* + * Do not initialize the parent-child-pipe before becoming +-- +2.19.1 + diff --git a/samba-4.9-harden_homes_share.patch b/samba-4.9-harden_homes_share.patch new file mode 100644 index 0000000..60ca5c6 --- /dev/null +++ b/samba-4.9-harden_homes_share.patch @@ -0,0 +1,402 @@ +From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Thu, 15 Nov 2018 16:06:49 +0100 +Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Böhme +Reviewed-by: Jeremy Allison +(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0) +--- + selftest/target/Samba3.pm | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 438cb3409bb..373f8152ca3 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$) + my ($gid_force_user); + my ($uid_user1); + my ($uid_user2); ++ my ($uid_gooduser); ++ my ($uid_eviluser); + +- if ($unix_uid < 0xffff - 10) { ++ if ($unix_uid < 0xffff - 12) { + $max_uid = 0xffff; + } else { + $max_uid = $unix_uid; +@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$) + $uid_smbget = $max_uid - 8; + $uid_user1 = $max_uid - 9; + $uid_user2 = $max_uid - 10; ++ $uid_gooduser = $max_uid - 11; ++ $uid_eviluser = $max_uid - 12; + + if ($unix_gids[0] < 0xffff - 8) { + $max_gid = 0xffff; +@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f + smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false + user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false + user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false ++gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false ++eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false + "; + if ($unix_uid != 0) { + print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false +@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user: + createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user"); + createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1"); + createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); ++ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); ++ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); + + open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); + print DNS_UPDATE_LIST "A $server. $server_ip\n"; +-- +2.19.2 + + +From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Fri, 16 Nov 2018 15:40:59 +0100 +Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes' + share +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This adds a test for CVE-2009-2813. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Böhme +(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6) +--- + selftest/target/Samba3.pm | 4 ++ + source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++ + source3/selftest/tests.py | 1 + + 3 files changed, 104 insertions(+) + create mode 100755 source3/script/tests/test_homes.sh + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 373f8152ca3..2031003210c 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -921,6 +921,10 @@ sub setup_fileserver + comment = inherit only unix owner + inherit owner = unix only + acl_xattr:ignore system acls = yes ++[homes] ++ comment = Home directories ++ browseable = No ++ read only = No + "; + + my $vars = $self->provision($path, "WORKGROUP", +diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh +new file mode 100755 +index 00000000000..06de0a0c301 +--- /dev/null ++++ b/source3/script/tests/test_homes.sh +@@ -0,0 +1,99 @@ ++#!/bin/sh ++ ++# Copyright (c) Andreas Schneider ++# License: GPLv3 ++ ++if [ $# -lt 7 ]; then ++ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION" ++ exit 1 ++fi ++ ++SERVER="${1}" ++USERNAME="${2}" ++PASSWORD="${3}" ++LOCAL_PATH="${4}" ++PREFIX="${5}" ++SMBCLIENT="${6}" ++CONFIGURATION="${7}" ++shift 7 ++ ++incdir=`dirname $0`/../../../testprogs/blackbox ++. $incdir/subunit.sh ++ ++failed=0 ++ ++test_gooduser_home() ++{ ++ tmpfile=$PREFIX/smbclient_homes_gooduser_commands ++ cat > $tmpfile < $tmpfile < +Date: Thu, 22 Nov 2018 18:23:24 +0100 +Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home + dir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If "/" (root) is returned as the home directory, prevent exporting it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Böhme +(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af) +--- + source3/param/service.c | 6 +++++- + source3/smbd/password.c | 7 +++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/source3/param/service.c b/source3/param/service.c +index b21be6093d4..22f46f08894 100644 +--- a/source3/param/service.c ++++ b/source3/param/service.c +@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out) + DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out, + phome_dir?phome_dir:"(NULL)")); + +- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir); ++ if (!strequal(phome_dir, "/")) { ++ iService = add_home_service(*p_service_out, ++ *p_service_out, /* username */ ++ phome_dir); ++ } + } + + /* If we still don't have a service, attempt to add it as a printer. */ +diff --git a/source3/smbd/password.c b/source3/smbd/password.c +index f472bda2c70..0576d2563eb 100644 +--- a/source3/smbd/password.c ++++ b/source3/smbd/password.c +@@ -129,6 +129,13 @@ int register_homes_share(const char *username) + return -1; + } + ++ if (strequal(pwd->pw_dir, "/")) { ++ DBG_NOTICE("Invalid home directory defined for user '%s'\n", ++ username); ++ TALLOC_FREE(pwd); ++ return -1; ++ } ++ + DEBUG(3, ("Adding homes service for user '%s' using home directory: " + "'%s'\n", username, pwd->pw_dir)); + +-- +2.19.2 + + +From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 3 Dec 2018 11:05:46 +0100 +Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed + as home dir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699 + +Signed-off-by: Andreas Schneider +Reviewed-by: Ralph Böhme +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144 + +(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87) +--- + selftest/target/Samba3.pm | 6 ++++- + source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++ + 2 files changed, 42 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 2031003210c..583396b3818 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$) + my ($uid_user2); + my ($uid_gooduser); + my ($uid_eviluser); ++ my ($uid_slashuser); + +- if ($unix_uid < 0xffff - 12) { ++ if ($unix_uid < 0xffff - 13) { + $max_uid = 0xffff; + } else { + $max_uid = $unix_uid; +@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$) + $uid_user2 = $max_uid - 10; + $uid_gooduser = $max_uid - 11; + $uid_eviluser = $max_uid - 12; ++ $uid_slashuser = $max_uid - 13; + + if ($unix_gids[0] < 0xffff - 8) { + $max_gid = 0xffff; +@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false + user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false + gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false + eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false ++slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false + "; + if ($unix_uid != 0) { + print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false +@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user: + createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2"); + createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser"); + createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser"); ++ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser"); + + open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list"); + print DNS_UPDATE_LIST "A $server. $server_ip\n"; +diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh +index 06de0a0c301..90e84550dbc 100755 +--- a/source3/script/tests/test_homes.sh ++++ b/source3/script/tests/test_homes.sh +@@ -88,6 +88,39 @@ EOF + return 0 + } + ++test_slashuser_home() ++{ ++ tmpfile=$PREFIX/smbclient_homes_slashuser_commands ++ cat > $tmpfile < +Date: Wed, 27 Jun 2018 11:32:31 -0400 +Subject: [PATCH] s3:libads: Add net ads leave keep-account option + +Add the ability to leave the domain with --keep-account argument to avoid +removal of the host machine account. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498 + +Signed-off-by: Justin Stephenson +Reviewed-by: Andrew Bartlett +Reviewed-by: Alexander Bokovoy +(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694) +--- + docs-xml/manpages/net.8.xml | 9 ++++++++- + source3/libnet/libnet_join.c | 2 ++ + source3/utils/net.c | 3 ++- + source3/utils/net.h | 1 + + source3/utils/net_ads.c | 9 +++++++-- + 5 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml +index 3154ee5ff85..d2bcd24c502 100644 +--- a/docs-xml/manpages/net.8.xml ++++ b/docs-xml/manpages/net.8.xml +@@ -377,6 +377,13 @@ + + + ++ ++ --keep-account ++ Prevent the machine account removal as ++ part of "net ads leave". ++ ++ ++ + &stdarg.encrypt; + &popt.common.samba.client; + +@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller. + + + +-ADS LEAVE ++ADS LEAVE [--keep-account] + + Make the remote host leave the domain it is part of. + +diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c +index a9405e8d288..27fc5135442 100644 +--- a/source3/libnet/libnet_join.c ++++ b/source3/libnet/libnet_join.c +@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx, + return ntstatus_to_werror(status); + } + ++ r->out.dns_domain_name = talloc_strdup(mem_ctx, ++ r->in.domain_name); + r->out.disabled_machine_account = true; + } + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 759d8cd442b..b3bd4b67118 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -970,8 +970,9 @@ static struct functable net_func[] = { + {"wipe", 0, POPT_ARG_NONE, &c->opt_wipe}, + /* Options for 'net registry import' */ + {"precheck", 0, POPT_ARG_STRING, &c->opt_precheck}, +- /* Options for 'net ads join' */ ++ /* Options for 'net ads join or leave' */ + {"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates}, ++ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account}, + POPT_COMMON_SAMBA + { 0, 0, 0, 0} + }; +diff --git a/source3/utils/net.h b/source3/utils/net.h +index d6dfeb6208f..5e70fd3aafa 100644 +--- a/source3/utils/net.h ++++ b/source3/utils/net.h +@@ -85,6 +85,7 @@ struct net_context { + int opt_wipe; + const char *opt_precheck; + int opt_no_dns_updates; ++ int opt_keep_account; + + int opt_have_ip; + struct sockaddr_storage opt_dest_ip; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index ffa67d8f525..afe47dad839 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) + + if (c->display_usage) { + d_printf( "%s\n" +- "net ads leave\n" ++ "net ads leave [--keep-account]\n" + " %s\n", + _("Usage:"), + _("Leave an AD domain")); +@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv) + WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */ + r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE | + WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE; +- r->in.delete_machine_account = true; ++ if (c->opt_keep_account) { ++ r->in.delete_machine_account = false; ++ } else { ++ r->in.delete_machine_account = true; ++ } ++ + r->in.msg_ctx = c->msg_ctx; + + werr = libnet_Unjoin(ctx, r); +-- +2.17.1 + diff --git a/samba-4.9-static_analysis_fixes.patch b/samba-4.9-static_analysis_fixes.patch new file mode 100644 index 0000000..06b10cf --- /dev/null +++ b/samba-4.9-static_analysis_fixes.patch @@ -0,0 +1,179 @@ +From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Nov 2018 10:09:23 +0100 +Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name + +This could be passed uninitialized to dcerpc_netr_DsRGetDCName() + +Found by cppcheck. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d) +--- + source3/rpcclient/cmd_netlogon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c +index 8d62ef7e095..631740562c6 100644 +--- a/source3/rpcclient/cmd_netlogon.c ++++ b/source3/rpcclient/cmd_netlogon.c +@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli, + WERROR werr = WERR_OK; + uint32_t flags = DS_RETURN_DNS_NAME; + const char *server_name = cli->desthost; +- const char *domain_name; ++ const char *domain_name = NULL; + struct GUID domain_guid = GUID_zero(); + struct GUID site_guid = GUID_zero(); + struct netr_DsRGetDCNameInfo *info = NULL; +-- +2.19.2 + + +From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Nov 2018 10:13:51 +0100 +Subject: [PATCH 2/5] librpc:ndr: Initialize inblob + +Found by cppcheck. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83) +--- + librpc/ndr/ndr_backupkey.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c +index 827bc694230..adb6e393287 100644 +--- a/librpc/ndr/ndr_backupkey.c ++++ b/librpc/ndr/ndr_backupkey.c +@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name, + ndr->flags |= LIBNDR_PRINT_SET_VALUES; + } + if (flags & NDR_IN) { +- union bkrp_data_in_blob inblob; ++ union bkrp_data_in_blob inblob = { ++ .empty._empty_ = '\0', ++ }; + DATA_BLOB blob; + uint32_t level; + enum ndr_err_code ndr_err; +-- +2.19.2 + + +From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Nov 2018 10:16:06 +0100 +Subject: [PATCH 3/5] libgpo: Make sure status is intialized + +Found by cppcheck. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7) +--- + libgpo/gpo_ldap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c +index fec00053b49..f087203f28a 100644 +--- a/libgpo/gpo_ldap.c ++++ b/libgpo/gpo_ldap.c +@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, + const char *guid_name, + struct GROUP_POLICY_OBJECT *gpo) + { +- ADS_STATUS status; ++ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT); + LDAPMessage *res = NULL; + char *dn; + const char *filter; +-- +2.19.2 + + +From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Nov 2018 10:17:37 +0100 +Subject: [PATCH 4/5] lib:util Always initialize start and space + +Found by cppcheck. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45) +--- + lib/util/talloc_report.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c +index 63213a014b6..bed0fd91e43 100644 +--- a/lib/util/talloc_report.c ++++ b/lib/util/talloc_report.c +@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len, + const char *fmt, va_list ap) + { + ssize_t str_len = *pstr_len; +- size_t buflen, needed, space; +- char *start, *tmpbuf; ++ size_t buflen, needed, space = 0; ++ char *start = NULL, *tmpbuf = NULL; + va_list ap2; + int printlen; + +@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len, + if (buflen > str_len) { + start = buf + str_len; + space = buflen - str_len; +- } else { +- start = NULL; +- space = 0; + } + + va_copy(ap2, ap); +-- +2.19.2 + + +From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Nov 2018 10:21:15 +0100 +Subject: [PATCH 5/5] ctdb: Fix an out of bound array access + +Found by cppcheck. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9) +--- + ctdb/common/logging.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c +index dc8c4f75058..55e5d541735 100644 +--- a/ctdb/common/logging.c ++++ b/ctdb/common/logging.c +@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level) + { + int i; + +- for (i=0; ARRAY_SIZE(log_string_map); i++) { ++ for (i=0; i < ARRAY_SIZE(log_string_map); i++) { + if (log_string_map[i].log_level == log_level) { + return log_string_map[i].log_string; + } +-- +2.19.2 diff --git a/samba-4.9.0rc5-stack-protector.patch b/samba-4.9.0rc5-stack-protector.patch new file mode 100644 index 0000000..51bc83a --- /dev/null +++ b/samba-4.9.0rc5-stack-protector.patch @@ -0,0 +1,117 @@ +From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 3 Sep 2018 10:35:08 +0200 +Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support + +The -fstack-protector* flags are compiler only flags, don't pass them to +the linker. + +https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371) +--- + buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py +index c4391d0c4dc..bfd6f9710db 100644 +--- a/buildtools/wafsamba/samba_autoconf.py ++++ b/buildtools/wafsamba/samba_autoconf.py +@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None): + return + + # we need to build real code that can't be optimized away to test +- if conf.check(fragment=''' +- #include +- +- int main(void) +- { +- char t[100000]; +- while (fgets(t, sizeof(t), stdin)); +- return 0; +- } +- ''', +- execute=0, +- ccflags='-fstack-protector', +- ldflags='-fstack-protector', +- mandatory=False, +- msg='Checking if toolchain accepts -fstack-protector'): +- conf.ADD_CFLAGS('-fstack-protector') +- conf.ADD_LDFLAGS('-fstack-protector') ++ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector'] ++ for stack_protect_flag in stack_protect_list: ++ flag_supported = conf.check(fragment=''' ++ #include ++ ++ int main(void) ++ { ++ char t[100000]; ++ while (fgets(t, sizeof(t), stdin)); ++ return 0; ++ } ++ ''', ++ execute=0, ++ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag], ++ mandatory=False, ++ msg='Checking if compiler accepts %s' % (stack_protect_flag)) ++ if flag_supported: ++ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag)) ++ break + + if Options.options.debug: + conf.ADD_CFLAGS('-g', testflags=True) +-- +2.18.0 + + +From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 3 Sep 2018 10:49:52 +0200 +Subject: [PATCH 2/2] waf: Add -fstack-clash-protection + +https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/ + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601 + +Signed-off-by: Andreas Schneider +Reviewed-by: Andrew Bartlett +(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0) +--- + buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py +index bfd6f9710db..f2b3ec8db8d 100644 +--- a/buildtools/wafsamba/samba_autoconf.py ++++ b/buildtools/wafsamba/samba_autoconf.py +@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None): + conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag)) + break + ++ flag_supported = conf.check(fragment=''' ++ #include ++ ++ int main(void) ++ { ++ char t[100000]; ++ while (fgets(t, sizeof(t), stdin)); ++ return 0; ++ } ++ ''', ++ execute=0, ++ ccflags=[ '-Werror', '-fstack-clash-protection'], ++ mandatory=False, ++ msg='Checking if compiler accepts -fstack-clash-protection') ++ if flag_supported: ++ conf.ADD_CFLAGS('-fstack-clash-protection') ++ + if Options.options.debug: + conf.ADD_CFLAGS('-g', testflags=True) + +-- +2.18.0 + diff --git a/samba-4.9.1.tar.asc b/samba-4.9.1.tar.asc new file mode 100644 index 0000000..3a95975 --- /dev/null +++ b/samba-4.9.1.tar.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq +Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg== +=2NTz +-----END PGP SIGNATURE----- diff --git a/samba-4.9.1.tar.xz b/samba-4.9.1.tar.xz new file mode 100644 index 0000000..fbca2f3 --- /dev/null +++ b/samba-4.9.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:8afd17ca6f157cbd5b3028fc5740bb17f42e4ddf71006aa64e857fabdd1ca749 +size 11700448 diff --git a/samba.spec b/samba.spec index e9f845f..3de2ec8 100644 --- a/samba.spec +++ b/samba.spec @@ -8,11 +8,11 @@ %define main_release 6 -%define samba_version 4.8.3 -%define talloc_version 2.1.11 -%define tdb_version 1.3.15 -%define tevent_version 0.9.36 -%define ldb_version 1.3.4 +%define samba_version 4.9.1 +%define talloc_version 2.1.14 +%define tdb_version 1.3.16 +%define tevent_version 0.9.37 +%define ldb_version 1.4.2 # This should be rc1 or nil %define pre_release %nil @@ -90,8 +90,8 @@ %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" Name: samba -Version: 4.8.3 -Release: 106.1.dc%{?dist} +Version: 4.9.1 +Release: 100.dc%{?dist} %if 0%{?rhel} Epoch: 0 @@ -124,14 +124,24 @@ Source14: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.8.3-fix_krb5_plugins.patch -Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch -Patch2: samba-4.8.3-smbclient_quiet_argument.patch -Patch3: CVE-2018-1139.patch -Patch4: CVE-2018-10858.patch -Patch5: samba-4.8-fix_smbspool_as_cups_backend.patch -Patch6: samba-4.8-fix_cups_smbspool_backend.part1.patch -Patch7: samba-4.8-fix_cups_smbspool_backend.part2.patch +Patch0: samba-4.9.0rc5-stack-protector.patch +Patch1: samba-4.9-harden_homes_share.patch +Patch2: samba-4.9-static_analysis_fixes.patch +Patch3: samba-4.9-fix_debug_segfault.patch +Patch4: samba-4.9-fix_winbind_passdb_segfault.patch +Patch5: samba-4.9-fix_testparm_crash.patch +Patch6: samba-4.9-disable_netbios.patch +Patch7: samba-4.9-net_ads_leave_keep_account.patch +Patch8: samba-4.9-fix_force_group_panic.patch +Patch9: samba-4.10-fix_gencache_debug_message.patch +Patch10: samba-4.9-fix_net_ads_krb5.patch +Patch11: samba-4.9-add_smbc_setOptionProtocols.patch +Patch12: samba-4.9-fix_smbspool_as_cups_backend.patch +Patch13: samba-4.9-doc_smbclient_max_protocol.patch +Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch +Patch15: samba-4.9-CVE-2019-3880.patch +Patch16: samba-4.9-fix_smbspool_krb5_auth.patch +Patch17: samba-4.9-fix_cups_printing.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -175,6 +185,7 @@ BuildRequires: docbook-style-xsl BuildRequires: e2fsprogs-devel BuildRequires: gawk BuildRequires: gnupg2 +BuildRequires: jansson-devel BuildRequires: krb5-devel >= %{required_mit_krb5} BuildRequires: libacl-devel BuildRequires: libaio-devel @@ -187,6 +198,7 @@ BuildRequires: libxslt BuildRequires: ncurses-devel BuildRequires: openldap-devel BuildRequires: pam-devel +BuildRequires: perl-interpreter BuildRequires: perl(Test::More) BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(Parse::Yapp) @@ -209,9 +221,6 @@ BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) -# Enable JSON logging -BuildRequires: jansson-devel - %if %{with_vfs_glusterfs} BuildRequires: glusterfs-api-devel >= 3.4.0.16 BuildRequires: glusterfs-devel >= 3.4.0.16 @@ -563,6 +572,7 @@ managing Samba AD. ### PIDL %package pidl Summary: Perl IDL compiler +Requires: perl-interpreter Requires: perl(Parse::Yapp) Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) BuildArch: noarch @@ -700,7 +710,6 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB) Requires: %{name}-client-libs = %{samba_depver} Requires: coreutils -Requires: fileutils # for ps and killall Requires: psmisc Requires: sed @@ -874,8 +883,8 @@ install -d -m 0755 %{buildroot}/var/lib/samba/sysvol install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/var/spool/samba -install -d -m 0755 %{buildroot}/var/run/samba -install -d -m 0755 %{buildroot}/var/run/winbindd +install -d -m 0755 %{buildroot}/run/samba +install -d -m 0755 %{buildroot}/run/winbindd install -d -m 0755 %{buildroot}/%{_libdir}/samba install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig @@ -915,22 +924,21 @@ install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/sch install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint install -d -m 0755 %{buildroot}%{_tmpfilesdir} -install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf -# create /run/samba too. -echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf +# Create /run/samba too. +echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf %if %with_clustering_support -echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf +echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf %endif install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba %if %with_clustering_support cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb < 4.8.3-106.1.dc -- Enable JSON logging support -- Enable DC support - -* Tue May 28 2019 Andreas Schneider - 4.8.3-6 -- resolves: #1713637 - Fix smbspool with krb5 as CUPS backend - -* Wed Mar 20 2019 Andreas Schneider - 4.8.3-5 -- resolves: #1690517 - Fix smbspool as CUPS backend +* Fri May 24 2019 Andreas Schneider - 4.9.1-6 +- related: #1703204 - Fix printing with smbspool as CUPS backend + +* Fri May 10 2019 Andreas Schneider - 4.9.1-5 +- resolves: #1703204 - Fix smbspool krb5 authentication + +* Thu Mar 28 2019 Andreas Schneider - 4.9.1-4 +- resolves: #1690222 - Fix --max-protocol documentation of smbclient +- resolves: #1518353 - Fix 'net ads join -Uadmin@forestdomain' +- resolves: #1696524 - Fix CVE-2019-3880 + +* Thu Mar 14 2019 Andreas Schneider - 4.9.1-3 +- resolves: #1479451 - Fix 'net' command auth with Kerberos +- resolves: #1686158 - Fix printing with CUPS +- resolves: #1662408 - Fix username/password printing with CUPS + +* Mon Feb 11 2019 Andreas Schneider - 4.9.1-2 +- resolves: #1674403 - Fix panic when setting 'force group' on a share with + an active connections +- resolves: #1670720 - Fix installation of samba-python +- resolves: #1669476 - Fix user lookup via UPN + +* Fri Jan 18 2019 Andreas Schneider - 4.9.1-1 +- resolves: #1649434 - Update to version 4.9.1 +- resolves: #1648852 - Fix out of bound array access in ctdb +- resolves: #1647960 - Fix segfault in the debug system with hardended build +- resolves: #1644328 - Fix segfault if wrong 'passdb backend' is configured +- resolves: #1650452 - Add smbc_setOptionProtocols() +- resolves: #1659513 - Fix testparm/pdbedit crash +- resolves: #1529301 - Added new 'net ads spn' command +- resolves: #1595277 - Fix manpage for 'net ads lookup' +- resolves: #1600274 - Fix vfs_audit log which does not show full path names +- resolves: #1623140 - Fix handling the 'disable netbios' option +- resolves: #1624227 - Connect to spoolss with the correct version information +- resolves: #1659533 - Fix new file and folder creation with vfs_glusterfs +- resolves: #1579401 - Implement 'net ads leave --keep-account' +- resolves: #1624227 - Fix spoolss client operations against newer Windows + versions +- resolves: #1656405 - Fix looking up local system accounts * Thu Aug 09 2018 Andreas Schneider - 4.8.3-4 - resolves: #1614132 - Fix delete-on-close after smb2_find