parent
58a4cc823d
commit
4e2cf31532
28 changed files with 4824 additions and 1756 deletions
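--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,199 +0,0 @@
-From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 15 Jun 2018 15:07:17 -0700
-Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
-buffer.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
-
-CVE-2018-10858: Insufficient input validation on client directory
-listing in libsmbclient.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
-source3/libsmb/libsmb_path.c | 9 +++++++--
-1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
-index 01b0a61e483..ed70ab37550 100644
---- a/source3/libsmb/libsmb_path.c
-+++ b/source3/libsmb/libsmb_path.c
-@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
-}
-}
-
-- *dest++ = '\0';
-- max_dest_len--;
-+ if (max_dest_len == 0) {
-+ /* Ensure we return -1 if no null termination. */
-+ return -1;
-+ }
-+
-+ *dest++ = '\0';
-+ max_dest_len--;
-
-return max_dest_len;
-}
---
-2.11.0
-
-
-From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Fri, 15 Jun 2018 15:08:17 -0700
-Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
-from malicious servers.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
-
-CVE-2018-10858: Insufficient input validation on client directory
-listing in libsmbclient.
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ralph Boehme <slow@samba.org>
----
-source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
-source3/libsmb/libsmb_path.c | 2 +-
-2 files changed, 51 insertions(+), 8 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
-index 72441c46736..54c2bcb3c73 100644
---- a/source3/libsmb/libsmb_dir.c
-+++ b/source3/libsmb/libsmb_dir.c
-@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
-
-}
-
--static void
-+static int
-smbc_readdir_internal(SMBCCTX * context,
-struct smbc_dirent *dest,
-struct smbc_dirent *src,
-int max_namebuf_len)
-{
-if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
-+ int remaining_len;
-
-/* url-encode the name. get back remaining buffer space */
-- max_namebuf_len =
-+ remaining_len =
-smbc_urlencode(dest->name, src->name, max_namebuf_len);
-
-+ /* -1 means no null termination. */
-+ if (remaining_len < 0) {
-+ return -1;
-+ }
-+
-/* We now know the name length */
-dest->namelen = strlen(dest->name);
-
-+ if (dest->namelen + 1 < 1) {
-+ /* Integer wrap. */
-+ return -1;
-+ }
-+
-+ if (dest->namelen + 1 >= max_namebuf_len) {
-+ /* Out of space for comment. */
-+ return -1;
-+ }
-+
-/* Save the pointer to the beginning of the comment */
-dest->comment = dest->name + dest->namelen + 1;
-
-+ if (remaining_len < 1) {
-+ /* No room for comment null termination. */
-+ return -1;
-+ }
-+
-/* Copy the comment */
-- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
-- dest->comment[max_namebuf_len - 1] = '\0';
-+ strlcpy(dest->comment, src->comment, remaining_len);
-
-/* Save other fields */
-dest->smbc_type = src->smbc_type;
-@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
-} else {
-
-/* No encoding. Just copy the entry as is. */
-+ if (src->dirlen > max_namebuf_len) {
-+ return -1;
-+ }
-memcpy(dest, src, src->dirlen);
-+ if (src->namelen + 1 < 1) {
-+ /* Integer wrap */
-+ return -1;
-+ }
-+ if (src->namelen + 1 >= max_namebuf_len) {
-+ /* Comment off the end. */
-+ return -1;
-+ }
-dest->comment = (char *)(&dest->name + src->namelen + 1);
-}
--
-+ return 0;
-}
-
-/*
-@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
-SMBCFILE *dir)
-{
-int maxlen;
-+ int ret;
-struct smbc_dirent *dirp, *dirent;
-TALLOC_CTX *frame = talloc_stackframe();
-
-@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
-dirp = &context->internal->dirent;
-maxlen = sizeof(context->internal->_dirent_name);
-
-- smbc_readdir_internal(context, dirp, dirent, maxlen);
-+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
-+ if (ret == -1) {
-+ errno = EINVAL;
-+ TALLOC_FREE(frame);
-+ return NULL;
-+ }
-
-dir->dir_next = dir->dir_next->next;
-
-@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
-*/
-
-while ((dirlist = dir->dir_next)) {
-+ int ret;
-struct smbc_dirent *dirent;
-struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
-
-@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
-/* Do urlencoding of next entry, if so selected */
-dirent = &context->internal->dirent;
-maxlen = sizeof(context->internal->_dirent_name);
-- smbc_readdir_internal(context, dirent,
-+ ret = smbc_readdir_internal(context, dirent,
-dirlist->dirent, maxlen);
-+ if (ret == -1) {
-+ errno = EINVAL;
-+ TALLOC_FREE(frame);
-+ return -1;
-+ }
-
-reqd = dirent->dirlen;
-
-diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
-index ed70ab37550..5b53b386a67 100644
---- a/source3/libsmb/libsmb_path.c
-+++ b/source3/libsmb/libsmb_path.c
-@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
-}
-}
-
-- if (max_dest_len == 0) {
-+ if (max_dest_len <= 0) {
-/* Ensure we return -1 if no null termination. */
-return -1;
-}
---
-2.11.0
-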
@ -1,753 +0,0 @@ |
|||||||
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
||||||
Date: Thu, 22 Feb 2018 11:54:45 +1300
|
|
||||||
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
|
|
||||||
with_cmocka flag
|
|
||||||
|
|
||||||
We have cmocka in third_party, so we are never without it.
|
|
||||||
|
|
||||||
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
||||||
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
|
|
||||||
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
|
|
||||||
by Andrew Bartlett)
|
|
||||||
---
|
|
||||||
selftest/tests.py | 18 ++++++++----------
|
|
||||||
1 file changed, 8 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
||||||
index 126e1184230..3f5097b680c 100644
|
|
||||||
--- a/selftest/tests.py
|
|
||||||
+++ b/selftest/tests.py
|
|
||||||
@@ -38,7 +38,6 @@ finally:
|
|
||||||
f.close()
|
|
||||||
|
|
||||||
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
|
|
||||||
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
|
|
||||||
with_pam = ("WITH_PAM" in config_hash)
|
|
||||||
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
|
|
||||||
|
|
||||||
@@ -168,13 +167,12 @@ if with_pam:
|
|
||||||
valgrindify(python), pam_wrapper_so_path,
|
|
||||||
"$DOMAIN", "alice", "Secret007"])
|
|
||||||
|
|
||||||
-if with_cmocka:
|
|
||||||
- plantestsuite("samba.unittests.krb5samba", "none",
|
|
||||||
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
|
|
||||||
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
|
|
||||||
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
|
|
||||||
- plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
||||||
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
|
|
||||||
+plantestsuite("samba.unittests.krb5samba", "none",
|
|
||||||
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
|
|
||||||
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
|
|
||||||
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
|
|
||||||
+plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
||||||
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
|
|
||||||
|
|
||||||
- plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
||||||
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
||||||
+plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
||||||
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
||||||
|
|
||||||
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
Date: Fri, 27 Jul 2018 08:44:24 +1200
|
|
||||||
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
|
|
||||||
ntlm_password_check()
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
||||||
|
|
||||||
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
||||||
---
|
|
||||||
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
libcli/auth/wscript_build | 13 ++
|
|
||||||
selftest/knownfail.d/ntlm | 2 +
|
|
||||||
selftest/tests.py | 2 +
|
|
||||||
4 files changed, 430 insertions(+)
|
|
||||||
create mode 100644 libcli/auth/tests/ntlm_check.c
|
|
||||||
create mode 100644 selftest/knownfail.d/ntlm
|
|
||||||
|
|
||||||
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..e87a0a276d4
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/libcli/auth/tests/ntlm_check.c
|
|
||||||
@@ -0,0 +1,413 @@
|
|
||||||
+/*
|
|
||||||
+ * Unit tests for the ntlm_check password hash check library.
|
|
||||||
+ *
|
|
||||||
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
|
|
||||||
+ *
|
|
||||||
+ * This program is free software; you can redistribute it and/or modify
|
|
||||||
+ * it under the terms of the GNU General Public License as published by
|
|
||||||
+ * the Free Software Foundation; either version 3 of the License, or
|
|
||||||
+ * (at your option) any later version.
|
|
||||||
+ *
|
|
||||||
+ * This program is distributed in the hope that it will be useful,
|
|
||||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+ * GNU General Public License for more details.
|
|
||||||
+ *
|
|
||||||
+ * You should have received a copy of the GNU General Public License
|
|
||||||
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+ *
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * from cmocka.c:
|
|
||||||
+ * These headers or their equivalents should be included prior to
|
|
||||||
+ * including
|
|
||||||
+ * this header file.
|
|
||||||
+ *
|
|
||||||
+ * #include <stdarg.h>
|
|
||||||
+ * #include <stddef.h>
|
|
||||||
+ * #include <setjmp.h>
|
|
||||||
+ *
|
|
||||||
+ * This allows test applications to use custom definitions of C standard
|
|
||||||
+ * library functions and types.
|
|
||||||
+ *
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Note that the messaging routines (audit_message_send and get_event_server)
|
|
||||||
+ * are not tested by these unit tests. Currently they are for integration
|
|
||||||
+ * test support, and as such are exercised by the integration tests.
|
|
||||||
+ */
|
|
||||||
+#include <stdarg.h>
|
|
||||||
+#include <stddef.h>
|
|
||||||
+#include <setjmp.h>
|
|
||||||
+#include <cmocka.h>
|
|
||||||
+
|
|
||||||
+#include "includes.h"
|
|
||||||
+#include "../lib/crypto/crypto.h"
|
|
||||||
+#include "librpc/gen_ndr/netlogon.h"
|
|
||||||
+#include "libcli/auth/libcli_auth.h"
|
|
||||||
+#include "auth/credentials/credentials.h"
|
|
||||||
+
|
|
||||||
+struct ntlm_state {
|
|
||||||
+ const char *username;
|
|
||||||
+ const char *domain;
|
|
||||||
+ DATA_BLOB challenge;
|
|
||||||
+ DATA_BLOB ntlm;
|
|
||||||
+ DATA_BLOB lm;
|
|
||||||
+ DATA_BLOB ntlm_key;
|
|
||||||
+ DATA_BLOB lm_key;
|
|
||||||
+ const struct samr_Password *nt_hash;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static int test_ntlm_setup_with_options(void **state,
|
|
||||||
+ int flags, bool upn)
|
|
||||||
+{
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ DATA_BLOB challenge = {
|
|
||||||
+ .data = discard_const_p(uint8_t, "I am a teapot"),
|
|
||||||
+ .length = 8
|
|
||||||
+ };
|
|
||||||
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
|
|
||||||
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
|
|
||||||
+ NULL,
|
|
||||||
+ "serverdom");
|
|
||||||
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
|
|
||||||
+ cli_credentials_set_username(creds,
|
|
||||||
+ "testuser",
|
|
||||||
+ CRED_SPECIFIED);
|
|
||||||
+ cli_credentials_set_domain(creds,
|
|
||||||
+ "testdom",
|
|
||||||
+ CRED_SPECIFIED);
|
|
||||||
+ cli_credentials_set_workstation(creds,
|
|
||||||
+ "testwksta",
|
|
||||||
+ CRED_SPECIFIED);
|
|
||||||
+ cli_credentials_set_password(creds,
|
|
||||||
+ "testpass",
|
|
||||||
+ CRED_SPECIFIED);
|
|
||||||
+
|
|
||||||
+ if (upn) {
|
|
||||||
+ cli_credentials_set_principal(creds,
|
|
||||||
+ "testuser@samba.org",
|
|
||||||
+ CRED_SPECIFIED);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cli_credentials_get_ntlm_username_domain(creds,
|
|
||||||
+ ntlm_state,
|
|
||||||
+ &ntlm_state->username,
|
|
||||||
+ &ntlm_state->domain);
|
|
||||||
+
|
|
||||||
+ status = cli_credentials_get_ntlm_response(creds,
|
|
||||||
+ ntlm_state,
|
|
||||||
+ &flags,
|
|
||||||
+ challenge,
|
|
||||||
+ NULL,
|
|
||||||
+ target_info,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ &ntlm_state->lm_key,
|
|
||||||
+ &ntlm_state->ntlm_key);
|
|
||||||
+ ntlm_state->challenge = challenge;
|
|
||||||
+
|
|
||||||
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
|
|
||||||
+ ntlm_state);
|
|
||||||
+
|
|
||||||
+ if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *state = ntlm_state;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_ntlm_setup(void **state) {
|
|
||||||
+ return test_ntlm_setup_with_options(state, 0, false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_ntlm_and_lm_setup(void **state) {
|
|
||||||
+ return test_ntlm_setup_with_options(state,
|
|
||||||
+ CLI_CRED_LANMAN_AUTH,
|
|
||||||
+ false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_ntlm2_setup(void **state) {
|
|
||||||
+ return test_ntlm_setup_with_options(state,
|
|
||||||
+ CLI_CRED_NTLM2,
|
|
||||||
+ false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_ntlmv2_setup(void **state) {
|
|
||||||
+ return test_ntlm_setup_with_options(state,
|
|
||||||
+ CLI_CRED_NTLMv2_AUTH,
|
|
||||||
+ false);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static int test_ntlm_teardown(void **state)
|
|
||||||
+{
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ TALLOC_FREE(ntlm_state);
|
|
||||||
+ *state = NULL;
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm_allowed(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_ON,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm_allowed_lm_supplied(void **state)
|
|
||||||
+{
|
|
||||||
+ return test_ntlm_allowed(state);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm_disabled(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_DISABLED,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm2(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_ON,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ /*
|
|
||||||
+ * NTLM2 session security (where the real challenge is the
|
|
||||||
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
|
|
||||||
+ * the lm) isn't decoded by ntlm_password_check(), it must
|
|
||||||
+ * first be converted back into normal NTLM by the NTLMSSP
|
|
||||||
+ * layer
|
|
||||||
+ */
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status),
|
|
||||||
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm_mschapv2_only_allowed(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
|
|
||||||
+ MSV1_0_ALLOW_MSVCHAPV2,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlm_mschapv2_only_denied(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status),
|
|
||||||
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlmv2_only_ntlmv2(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlmv2_only_ntlm(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &ntlm_state->lm,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status),
|
|
||||||
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
|
|
||||||
+{
|
|
||||||
+ return test_ntlmv2_only_ntlm(state);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static void test_ntlmv2_only_ntlm_once(void **state)
|
|
||||||
+{
|
|
||||||
+ DATA_BLOB user_sess_key, lm_sess_key;
|
|
||||||
+ struct ntlm_state *ntlm_state
|
|
||||||
+ = talloc_get_type_abort(*state,
|
|
||||||
+ struct ntlm_state);
|
|
||||||
+ NTSTATUS status;
|
|
||||||
+ status = ntlm_password_check(ntlm_state,
|
|
||||||
+ false,
|
|
||||||
+ NTLM_AUTH_NTLMV2_ONLY,
|
|
||||||
+ 0,
|
|
||||||
+ &ntlm_state->challenge,
|
|
||||||
+ &data_blob_null,
|
|
||||||
+ &ntlm_state->ntlm,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->username,
|
|
||||||
+ ntlm_state->domain,
|
|
||||||
+ NULL,
|
|
||||||
+ ntlm_state->nt_hash,
|
|
||||||
+ &user_sess_key,
|
|
||||||
+ &lm_sess_key);
|
|
||||||
+
|
|
||||||
+ assert_int_equal(NT_STATUS_V(status),
|
|
||||||
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+int main(int argc, const char **argv)
|
|
||||||
+{
|
|
||||||
+ const struct CMUnitTest tests[] = {
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
|
|
||||||
+ test_ntlm_and_lm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm2,
|
|
||||||
+ test_ntlm2_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
|
|
||||||
+ test_ntlm_and_lm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
|
|
||||||
+ test_ntlm_setup,
|
|
||||||
+ test_ntlm_teardown),
|
|
||||||
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
|
|
||||||
+ test_ntlmv2_setup,
|
|
||||||
+ test_ntlm_teardown)
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
||||||
+ return cmocka_run_group_tests(tests, NULL, NULL);
|
|
||||||
+}
|
|
||||||
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
|
|
||||||
index 475b7d69406..d319d9b879e 100644
|
|
||||||
--- a/libcli/auth/wscript_build
|
|
||||||
+++ b/libcli/auth/wscript_build
|
|
||||||
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
|
|
||||||
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
|
|
||||||
source='spnego_parse.c',
|
|
||||||
deps='asn1util')
|
|
||||||
+
|
|
||||||
+bld.SAMBA_BINARY(
|
|
||||||
+ 'test_ntlm_check',
|
|
||||||
+ source='tests/ntlm_check.c',
|
|
||||||
+ deps='''
|
|
||||||
+ NTLM_CHECK
|
|
||||||
+ CREDENTIALS_NTLM
|
|
||||||
+ samba-credentials
|
|
||||||
+ cmocka
|
|
||||||
+ talloc
|
|
||||||
+ ''',
|
|
||||||
+ install=False
|
|
||||||
+ )
|
|
||||||
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..c6e6a3739ba
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/selftest/knownfail.d/ntlm
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
|
|
||||||
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
|
|
||||||
diff --git a/selftest/tests.py b/selftest/tests.py
|
|
||||||
index 3f5097b680c..dc6486c13f8 100644
|
|
||||||
--- a/selftest/tests.py
|
|
||||||
+++ b/selftest/tests.py
|
|
||||||
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
|
|
||||||
|
|
||||||
plantestsuite("samba.unittests.smb1cli_session", "none",
|
|
||||||
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
|
|
||||||
+plantestsuite("samba.unittests.ntlm_check", "none",
|
|
||||||
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
||||||
|
|
||||||
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
||||||
Date: Wed, 14 Mar 2018 15:36:05 +0100
|
|
||||||
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
|
|
||||||
hash_password_check()
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
||||||
|
|
||||||
CVE-2018-1139: Weak authentication protocol allowed.
|
|
||||||
|
|
||||||
Guenther
|
|
||||||
|
|
||||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
libcli/auth/ntlm_check.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
|
|
||||||
index 3b02adc1d48..1c6499bd210 100644
|
|
||||||
--- a/libcli/auth/ntlm_check.c
|
|
||||||
+++ b/libcli/auth/ntlm_check.c
|
|
||||||
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
||||||
const struct samr_Password *stored_nt)
|
|
||||||
{
|
|
||||||
if (stored_nt == NULL) {
|
|
||||||
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
|
|
||||||
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
|
|
||||||
username));
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
||||||
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
} else {
|
|
||||||
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
|
|
||||||
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
|
|
||||||
username));
|
|
||||||
return NT_STATUS_WRONG_PASSWORD;
|
|
||||||
}
|
|
||||||
|
|
||||||
} else if (client_lanman && stored_lanman) {
|
|
||||||
if (!lanman_auth) {
|
|
||||||
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
|
|
||||||
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
|
|
||||||
username));
|
|
||||||
return NT_STATUS_WRONG_PASSWORD;
|
|
||||||
}
|
|
||||||
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
|
|
||||||
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
} else {
|
|
||||||
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
|
|
||||||
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
|
|
||||||
username));
|
|
||||||
return NT_STATUS_WRONG_PASSWORD;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
||||||
|
|
||||||
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
||||||
Date: Wed, 14 Mar 2018 15:35:01 +0100
|
|
||||||
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
|
|
||||||
ntlm_password_check().
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
||||||
|
|
||||||
CVE-2018-1139: Weak authentication protocol allowed.
|
|
||||||
|
|
||||||
Guenther
|
|
||||||
|
|
||||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source3/utils/ntlm_auth.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
|
|
||||||
index 3f544902a24..8f77680416f 100644
|
|
||||||
--- a/source3/utils/ntlm_auth.c
|
|
||||||
+++ b/source3/utils/ntlm_auth.c
|
|
||||||
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
|
|
||||||
*pauthoritative = 1;
|
|
||||||
|
|
||||||
nt_status = ntlm_password_check(mem_ctx,
|
|
||||||
- true, true, 0,
|
|
||||||
+ true, NTLM_AUTH_ON, 0,
|
|
||||||
&auth4_context->challenge.data,
|
|
||||||
&user_info->password.response.lanman,
|
|
||||||
&user_info->password.response.nt,
|
|
||||||
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
|
|
||||||
|
|
||||||
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
|
|
||||||
nt_status = ntlm_password_check(mem_ctx,
|
|
||||||
- true, true, 0,
|
|
||||||
+ true,
|
|
||||||
+ NTLM_AUTH_ON,
|
|
||||||
+ 0,
|
|
||||||
&challenge,
|
|
||||||
&lm_response,
|
|
||||||
&nt_response,
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
||||||
|
|
||||||
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
||||||
Date: Fri, 16 Mar 2018 17:25:12 +0100
|
|
||||||
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
|
|
||||||
via SMB1 when it is disabled.
|
|
||||||
|
|
||||||
Right now, this test will succeed.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
||||||
|
|
||||||
CVE-2018-1139: Weak authentication protocol allowed.
|
|
||||||
|
|
||||||
Guenther
|
|
||||||
|
|
||||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source3/selftest/tests.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
|
||||||
index 9092c1776c8..034c014e5b8 100755
|
|
||||||
--- a/source3/selftest/tests.py
|
|
||||||
+++ b/source3/selftest/tests.py
|
|
||||||
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
|
|
||||||
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
|
|
||||||
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
|
|
||||||
|
|
||||||
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
|
|
||||||
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
|
|
||||||
for env in ["nt4_member", "ad_member"]:
|
|
||||||
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
|
|
||||||
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
||||||
|
|
||||||
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
|
||||||
Date: Tue, 13 Mar 2018 16:56:20 +0100
|
|
||||||
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
|
|
||||||
when it is disabled via "ntlm auth".
|
|
||||||
|
|
||||||
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
|
|
||||||
|
|
||||||
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
|
|
||||||
|
|
||||||
In order to demonstrate simply run:
|
|
||||||
|
|
||||||
smbclient //server/share -U user%password -mNT1 -c quit \
|
|
||||||
--option="client ntlmv2 auth"=no \
|
|
||||||
--option="client use spnego"=no
|
|
||||||
|
|
||||||
against a server that uses "ntlm auth = ntlmv2-only" (our default
|
|
||||||
setting).
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
|
|
||||||
|
|
||||||
CVE-2018-1139: Weak authentication protocol allowed.
|
|
||||||
|
|
||||||
Guenther
|
|
||||||
|
|
||||||
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|
|
||||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
libcli/auth/ntlm_check.c | 2 +-
|
|
||||||
selftest/knownfail | 3 ++-
|
|
||||||
selftest/knownfail.d/ntlm | 2 --
|
|
||||||
3 files changed, 3 insertions(+), 4 deletions(-)
|
|
||||||
delete mode 100644 selftest/knownfail.d/ntlm
|
|
||||||
|
|
||||||
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
|
|
||||||
index 1c6499bd210..b68e9c87888 100644
|
|
||||||
--- a/libcli/auth/ntlm_check.c
|
|
||||||
+++ b/libcli/auth/ntlm_check.c
|
|
||||||
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
|
|
||||||
- I think this is related to Win9X pass-though authentication
|
|
||||||
*/
|
|
||||||
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
|
|
||||||
- if (ntlm_auth) {
|
|
||||||
+ if (ntlm_auth == NTLM_AUTH_ON) {
|
|
||||||
if (smb_pwd_check_ntlmv1(mem_ctx,
|
|
||||||
lm_response,
|
|
||||||
stored_nt->hash, challenge,
|
|
||||||
diff --git a/selftest/knownfail b/selftest/knownfail
|
|
||||||
index ba16fd72290..84776d4f35d 100644
|
|
||||||
--- a/selftest/knownfail
|
|
||||||
+++ b/selftest/knownfail
|
|
||||||
@@ -303,8 +303,9 @@
|
|
||||||
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
|
|
||||||
# fl2000dc doesn't support AES
|
|
||||||
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
|
|
||||||
-# nt4_member and ad_member don't support ntlmv1
|
|
||||||
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
|
|
||||||
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
|
|
||||||
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
|
|
||||||
#nt-vfs server blocks read with execute access
|
|
||||||
^samba4.smb2.read.access
|
|
||||||
#ntvfs server blocks copychunk with execute access on read handle
|
|
||||||
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
|
|
||||||
deleted file mode 100644
|
|
||||||
index c6e6a3739ba..00000000000
|
|
||||||
--- a/selftest/knownfail.d/ntlm
|
|
||||||
+++ /dev/null
|
|
||||||
@@ -1,2 +0,0 @@
|
|
||||||
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
|
|
||||||
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
|
|
||||||
--
|
|
||||||
2.14.4
|
|
||||||
|
|
@ -0,0 +1,38 @@ |
|||||||
|
From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Thu, 17 Jan 2019 13:58:14 +0100
|
||||||
|
Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
|
||||||
|
|
||||||
|
To get correct values, we need to cast 'timeout' to 'long int' first in
|
||||||
|
order to do calculation in that integer space! Calculations are don in
|
||||||
|
the space of the lvalue!
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Volker Lendecke <vl@samba.org>
|
||||||
|
---
|
||||||
|
source3/lib/gencache.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
|
||||||
|
index ab12fc1c531..9f4e1cfcaa3 100644
|
||||||
|
--- a/source3/lib/gencache.c
|
||||||
|
+++ b/source3/lib/gencache.c
|
||||||
|
@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
|
||||||
|
dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
|
||||||
|
dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
|
||||||
|
|
||||||
|
- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
|
||||||
|
- "[%s] (%d seconds %s)\n", keystr,
|
||||||
|
+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
|
||||||
|
+ "[%s] (%ld seconds %s)\n", keystr,
|
||||||
|
timestring(talloc_tos(), timeout),
|
||||||
|
- (int)(timeout - time(NULL)),
|
||||||
|
- timeout > time(NULL) ? "ahead" : "in the past"));
|
||||||
|
+ ((long int)timeout) - time(NULL),
|
||||||
|
+ timeout > time(NULL) ? "ahead" : "in the past");
|
||||||
|
|
||||||
|
ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
|
||||||
|
dbufs, 2, 0);
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
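Review bot: The `%ld` argument in the new `DBG_DEBUG` call, `((long int)timeout) - time(NULL)`, takes its type from `long int` minus `time_t`. Where `time_t` is wider than `long` (presumably 32-bit builds with a 64-bit `time_t`), the argument no longer matches the format and the call is undefined behaviour. Casting the difference rather than one operand pins the argument type: `(long int)(timeout - time(NULL)),`. `time(NULL)` is also read twice in this call, so the printed seconds and the "ahead"/"in the past" label can disagree across a second boundary; reading it once with `time_t now = time(NULL);` before the call avoids that. The body of gencache_set_data_blob starts and ends outside the hunk, so the declaration of `timeout` is not visible here.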
@ -1,270 +0,0 @@ |
|||||||
From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Wed, 27 Jun 2018 14:06:39 +0200
|
|
||||||
Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
---
|
|
||||||
nsswitch/wscript_build | 12 +++++++-----
|
|
||||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
|
|
||||||
index 15e93db2f05..576855bb56c 100644
|
|
||||||
--- a/nsswitch/wscript_build
|
|
||||||
+++ b/nsswitch/wscript_build
|
|
||||||
@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
|
|
||||||
)
|
|
||||||
|
|
||||||
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
|
|
||||||
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
|
|
||||||
- source='winbind_krb5_locator.c',
|
|
||||||
- deps='wbclient krb5 com_err',
|
|
||||||
- realname='winbind_krb5_locator.so')
|
|
||||||
+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
|
|
||||||
+ source='winbind_krb5_locator.c',
|
|
||||||
+ deps='wbclient krb5 com_err',
|
|
||||||
+ realname='winbind_krb5_locator.so',
|
|
||||||
+ install_path='${MODULESDIR}/krb5')
|
|
||||||
|
|
||||||
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
|
|
||||||
bld.SAMBA_LIBRARY('winbind_krb5_localauth',
|
|
||||||
source='krb5_plugin/winbind_krb5_localauth.c',
|
|
||||||
deps='wbclient krb5 com_err',
|
|
||||||
- realname='winbind-krb5-localauth.so')
|
|
||||||
+ realname='winbind_krb5_localauth.so',
|
|
||||||
+ install_path='${MODULESDIR}/krb5')
|
|
||||||
|
|
||||||
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
|
|
||||||
source='wb_reqtrans.c',
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
||||||
|
|
||||||
From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Wed, 27 Jun 2018 14:08:56 +0200
|
|
||||||
Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
|
|
||||||
subdir
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
---
|
|
||||||
nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
|
|
||||||
nsswitch/wscript_build | 2 +-
|
|
||||||
2 files changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
|
|
||||||
|
|
||||||
diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
|
|
||||||
similarity index 100%
|
|
||||||
rename from nsswitch/winbind_krb5_locator.c
|
|
||||||
rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
|
|
||||||
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
|
|
||||||
index 576855bb56c..dd1952b799b 100644
|
|
||||||
--- a/nsswitch/wscript_build
|
|
||||||
+++ b/nsswitch/wscript_build
|
|
||||||
@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
|
|
||||||
|
|
||||||
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
|
|
||||||
bld.SAMBA_LIBRARY('winbind_krb5_locator',
|
|
||||||
- source='winbind_krb5_locator.c',
|
|
||||||
+ source='krb5_plugin/winbind_krb5_locator.c',
|
|
||||||
deps='wbclient krb5 com_err',
|
|
||||||
realname='winbind_krb5_locator.so',
|
|
||||||
install_path='${MODULESDIR}/krb5')
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
||||||
|
|
||||||
From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Wed, 27 Jun 2018 15:14:15 +0200
|
|
||||||
Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
|
|
||||||
|
|
||||||
The vfs and idmap manpages are in volume 8 too.
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
---
|
|
||||||
...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
|
|
||||||
docs-xml/wscript_build | 2 +-
|
|
||||||
2 files changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
|
|
||||||
|
|
||||||
diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
|
|
||||||
similarity index 96%
|
|
||||||
rename from docs-xml/manpages/winbind_krb5_locator.7.xml
|
|
||||||
rename to docs-xml/manpages/winbind_krb5_locator.8.xml
|
|
||||||
index 17e401a9da0..0af0c2cc95f 100644
|
|
||||||
--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
|
|
||||||
+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
|
|
||||||
@@ -1,12 +1,12 @@
|
|
||||||
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
||||||
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
||||||
-<refentry id="winbind_krb5_locator.7">
|
|
||||||
+<refentry id="winbind_krb5_locator.8">
|
|
||||||
|
|
||||||
<refmeta>
|
|
||||||
<refentrytitle>winbind_krb5_locator</refentrytitle>
|
|
||||||
- <manvolnum>7</manvolnum>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
<refmiscinfo class="source">Samba</refmiscinfo>
|
|
||||||
- <refmiscinfo class="manual">7</refmiscinfo>
|
|
||||||
+ <refmiscinfo class="manual">8</refmiscinfo>
|
|
||||||
<refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
||||||
</refmeta>
|
|
||||||
|
|
||||||
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
|
|
||||||
index 954c62a29bc..2d686eb38b0 100644
|
|
||||||
--- a/docs-xml/wscript_build
|
|
||||||
+++ b/docs-xml/wscript_build
|
|
||||||
@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
|
|
||||||
manpages/pam_winbind.conf.5
|
|
||||||
'''
|
|
||||||
|
|
||||||
-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
|
|
||||||
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
|
|
||||||
|
|
||||||
def smbdotconf_generate_parameter_list(task):
|
|
||||||
parameter_all = task.outputs[0].bldpath(task.env)
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
||||||
|
|
||||||
From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Wed, 27 Jun 2018 15:06:07 +0200
|
|
||||||
Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
---
|
|
||||||
.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
|
|
||||||
docs-xml/wscript_build | 4 +
|
|
||||||
2 files changed, 90 insertions(+)
|
|
||||||
create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
|
|
||||||
|
|
||||||
diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000000..a382e71ead3
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
|
|
||||||
@@ -0,0 +1,86 @@
|
|
||||||
+<?xml version="1.0" encoding="iso-8859-1"?>
|
|
||||||
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
||||||
+<refentry id="winbind_krb5_localauth.8">
|
|
||||||
+
|
|
||||||
+<refmeta>
|
|
||||||
+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum>
|
|
||||||
+ <refmiscinfo class="source">Samba</refmiscinfo>
|
|
||||||
+ <refmiscinfo class="manual">8</refmiscinfo>
|
|
||||||
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
|
|
||||||
+</refmeta>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+<refnamediv>
|
|
||||||
+ <refname>winbind_krb5_localauth</refname>
|
|
||||||
+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
|
|
||||||
+</refnamediv>
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+<refsect1>
|
|
||||||
+ <title>DESCRIPTION</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ This plugin is part of the
|
|
||||||
+ <citerefentry><refentrytitle>samba</refentrytitle>
|
|
||||||
+ <manvolnum>7</manvolnum></citerefentry> suite.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ <command>winbind_krb5_localauth</command> is a plugin that
|
|
||||||
+ permits the MIT Kerberos libraries that Kerberos principals can
|
|
||||||
+ be validated against local user accounts.
|
|
||||||
+ </para>
|
|
||||||
+</refsect1>
|
|
||||||
+<refsect1>
|
|
||||||
+ <title>PREREQUISITES</title>
|
|
||||||
+ <para>
|
|
||||||
+ MIT Kerberos (at least version 1.12) is required.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
|
|
||||||
+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
|
|
||||||
+ and started separately.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The following sections needs to be added to the
|
|
||||||
+ <filename>krb5.conf</filename> file.
|
|
||||||
+
|
|
||||||
+ <programlisting>
|
|
||||||
+[plugins]
|
|
||||||
+ localauth = {
|
|
||||||
+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
|
|
||||||
+ enable_only = winbind
|
|
||||||
+ }
|
|
||||||
+ </programlisting>
|
|
||||||
+ </para>
|
|
||||||
+</refsect1>
|
|
||||||
+
|
|
||||||
+<refsect1>
|
|
||||||
+ <title>VERSION</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ This man page is part of version &doc.version; of the Samba
|
|
||||||
+ suite.
|
|
||||||
+ </para>
|
|
||||||
+</refsect1>
|
|
||||||
+
|
|
||||||
+<refsect1>
|
|
||||||
+ <title>AUTHOR</title>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The original Samba software and related utilities were created
|
|
||||||
+ by Andrew Tridgell. Samba is now developed by the Samba Team as
|
|
||||||
+ an Open Source project similar to the way the Linux kernel is
|
|
||||||
+ developed.
|
|
||||||
+ </para>
|
|
||||||
+
|
|
||||||
+ <para>
|
|
||||||
+ The winbind_krb5_localauth manpage was written by Andreas
|
|
||||||
+ Schneider.
|
|
||||||
+ </para>
|
|
||||||
+</refsect1>
|
|
||||||
+
|
|
||||||
+</refentry>
|
|
||||||
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
|
|
||||||
index 2d686eb38b0..ec5d28fc62a 100644
|
|
||||||
--- a/docs-xml/wscript_build
|
|
||||||
+++ b/docs-xml/wscript_build
|
|
||||||
@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
|
|
||||||
'''
|
|
||||||
|
|
||||||
krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
|
|
||||||
+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
|
|
||||||
|
|
||||||
def smbdotconf_generate_parameter_list(task):
|
|
||||||
parameter_all = task.outputs[0].bldpath(task.env)
|
|
||||||
@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
|
|
||||||
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
|
|
||||||
bld.SAMBAMANPAGES(krb5_locator_manpages)
|
|
||||||
|
|
||||||
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
|
|
||||||
+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
|
|
||||||
+
|
|
||||||
if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
|
|
||||||
bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
|
|
||||||
--
|
|
||||||
2.17.1
|
|
||||||
|
|
@ -1,216 +0,0 @@ |
|||||||
From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 2 Jul 2018 16:18:52 +0200
|
|
||||||
Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
||||||
(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
|
|
||||||
---
|
|
||||||
nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
|
|
||||||
selftest/knownfail.d/upn_handling | 2 +
|
|
||||||
source3/selftest/tests.py | 4 +-
|
|
||||||
3 files changed, 66 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
|
|
||||||
index 2803ac1408b..da30f97be74 100755
|
|
||||||
--- a/nsswitch/tests/test_wbinfo_user_info.sh
|
|
||||||
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
|
|
||||||
@@ -2,19 +2,20 @@
|
|
||||||
# Blackbox test for wbinfo lookup for account name and upn
|
|
||||||
# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
|
|
||||||
|
|
||||||
-if [ $# -lt 5 ]; then
|
|
||||||
+if [ $# -lt 6 ]; then
|
|
||||||
cat <<EOF
|
|
||||||
-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
|
|
||||||
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
|
|
||||||
EOF
|
|
||||||
exit 1;
|
|
||||||
fi
|
|
||||||
|
|
||||||
DOMAIN=$1
|
|
||||||
REALM=$2
|
|
||||||
-USERNAME1=$3
|
|
||||||
-UPN_NAME1=$4
|
|
||||||
-USERNAME2=$5
|
|
||||||
-UPN_NAME2=$6
|
|
||||||
+OWN_DOMAIN=$3
|
|
||||||
+USERNAME1=$4
|
|
||||||
+UPN_NAME1=$5
|
|
||||||
+USERNAME2=$6
|
|
||||||
+UPN_NAME2=$7
|
|
||||||
shift 6
|
|
||||||
|
|
||||||
failed=0
|
|
||||||
@@ -31,9 +32,9 @@ test_user_info()
|
|
||||||
{
|
|
||||||
local cmd out ret user domain upn userinfo
|
|
||||||
|
|
||||||
- domain="$1"
|
|
||||||
- user="$2"
|
|
||||||
- upn="$3"
|
|
||||||
+ local domain="$1"
|
|
||||||
+ local user="$2"
|
|
||||||
+ local upn="$3"
|
|
||||||
|
|
||||||
if [ $# -lt 3 ]; then
|
|
||||||
userinfo="$domain/$user"
|
|
||||||
@@ -62,6 +63,39 @@ test_user_info()
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
+test_getpwnam()
|
|
||||||
+{
|
|
||||||
+ local cmd out ret
|
|
||||||
+
|
|
||||||
+ local lookup_username=$1
|
|
||||||
+ local expected_return=$2
|
|
||||||
+ local expected_output=$3
|
|
||||||
+
|
|
||||||
+ cmd='getent passwd $lookup_username'
|
|
||||||
+ eval echo "$cmd"
|
|
||||||
+ out=$(eval $cmd)
|
|
||||||
+ ret=$?
|
|
||||||
+
|
|
||||||
+ if [ $ret -ne $expected_return ]; then
|
|
||||||
+ echo "return code: $ret, expected return code is: $expected_return"
|
|
||||||
+ echo "$out"
|
|
||||||
+ return 1
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -n "$expected_output" ]; then
|
|
||||||
+ echo "$out" | grep "$expected_output"
|
|
||||||
+ ret=$?
|
|
||||||
+
|
|
||||||
+ if [ $ret -ne 0 ]; then
|
|
||||||
+ echo "Unable to find $expected_output in:"
|
|
||||||
+ echo "$out"
|
|
||||||
+ return 1
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ return 0
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
|
|
||||||
testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
|
|
||||||
|
|
||||||
@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
|
|
||||||
testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
|
|
||||||
testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
|
|
||||||
|
|
||||||
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
|
|
||||||
+
|
|
||||||
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
|
|
||||||
+
|
|
||||||
+# We should not be able to lookup the user just by the name
|
|
||||||
+test_ret=0
|
|
||||||
+test_output="$DOMAIN/$USERNAME1"
|
|
||||||
+
|
|
||||||
+if [ "$ENVNAME" = "ad_member" ]; then
|
|
||||||
+ test_ret=2
|
|
||||||
+ test_output=""
|
|
||||||
+fi
|
|
||||||
+if [ "$ENVNAME" = "fl2008r2dc" ]; then
|
|
||||||
+ test_ret=0
|
|
||||||
+ test_output="$OWN_DOMAIN/$USERNAME1"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
|
|
||||||
+
|
|
||||||
exit $failed
|
|
||||||
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
|
|
||||||
index bcbedb4f903..7dc9b71dc5e 100644
|
|
||||||
--- a/selftest/knownfail.d/upn_handling
|
|
||||||
+++ b/selftest/knownfail.d/upn_handling
|
|
||||||
@@ -1,8 +1,10 @@
|
|
||||||
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
|
|
||||||
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
|
|
||||||
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
|
|
||||||
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
|
||||||
index f43d2b14d3a..a9cb2dad792 100755
|
|
||||||
--- a/source3/selftest/tests.py
|
|
||||||
+++ b/source3/selftest/tests.py
|
|
||||||
@@ -216,13 +216,13 @@ env = "ad_member:local"
|
|
||||||
plantestsuite("samba3.wbinfo_user_info", env,
|
|
||||||
[ os.path.join(srcdir(),
|
|
||||||
"nsswitch/tests/test_wbinfo_user_info.sh"),
|
|
||||||
- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
|
|
||||||
+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
|
|
||||||
|
|
||||||
env = "fl2008r2dc:local"
|
|
||||||
plantestsuite("samba3.wbinfo_user_info", env,
|
|
||||||
[ os.path.join(srcdir(),
|
|
||||||
"nsswitch/tests/test_wbinfo_user_info.sh"),
|
|
||||||
- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
|
|
||||||
+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
|
|
||||||
|
|
||||||
env = "ad_member"
|
|
||||||
t = "WBCLIENT-MULTI-PING"
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
||||||
|
|
||||||
From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 2 Jul 2018 16:38:01 +0200
|
|
||||||
Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
||||||
|
|
||||||
Autobuild-User(master): Ralph Böhme <slow@samba.org>
|
|
||||||
Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
|
|
||||||
|
|
||||||
(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
|
|
||||||
---
|
|
||||||
selftest/knownfail.d/upn_handling | 2 --
|
|
||||||
source3/winbindd/winbindd_util.c | 2 ++
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
|
|
||||||
index 7dc9b71dc5e..bcbedb4f903 100644
|
|
||||||
--- a/selftest/knownfail.d/upn_handling
|
|
||||||
+++ b/selftest/knownfail.d/upn_handling
|
|
||||||
@@ -1,10 +1,8 @@
|
|
||||||
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
|
|
||||||
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
|
|
||||||
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
|
|
||||||
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
|
|
||||||
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
|
|
||||||
index aa633419c9a..7a5fb73cdef 100644
|
|
||||||
--- a/source3/winbindd/winbindd_util.c
|
|
||||||
+++ b/source3/winbindd/winbindd_util.c
|
|
||||||
@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
|
|
||||||
} else if (assume_domain(lp_workgroup())) {
|
|
||||||
fstrcpy(domain, lp_workgroup());
|
|
||||||
fstrcpy(namespace, domain);
|
|
||||||
+ } else {
|
|
||||||
+ fstrcpy(namespace, lp_netbios_name());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.13.6
|
|
||||||
|
|
@ -1,64 +0,0 @@ |
|||||||
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Date: Mon, 25 Jun 2018 09:58:56 -0400
|
|
||||||
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Add quiet command-line argument to allow suppressing the help log
|
|
||||||
message printed automatically after establishing a smbclient connection
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
|
|
||||||
|
|
||||||
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Björn Baumbach <bb@sernet.de>
|
|
||||||
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
|
|
||||||
---
|
|
||||||
source3/client/client.c | 9 ++++++++-
|
|
||||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/source3/client/client.c b/source3/client/client.c
|
|
||||||
index 2c1c76036f7..c836e5a0477 100644
|
|
||||||
--- a/source3/client/client.c
|
|
||||||
+++ b/source3/client/client.c
|
|
||||||
@@ -52,6 +52,7 @@ static int port = 0;
|
|
||||||
static char *service;
|
|
||||||
static char *desthost;
|
|
||||||
static bool grepable = false;
|
|
||||||
+static bool quiet = false;
|
|
||||||
static char *cmdstr = NULL;
|
|
||||||
const char *cmd_ptr = NULL;
|
|
||||||
|
|
||||||
@@ -6059,7 +6060,9 @@ static int process_stdin(void)
|
|
||||||
{
|
|
||||||
int rc = 0;
|
|
||||||
|
|
||||||
- d_printf("Try \"help\" to get a list of possible commands.\n");
|
|
||||||
+ if (!quiet) {
|
|
||||||
+ d_printf("Try \"help\" to get a list of possible commands.\n");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
while (!finished) {
|
|
||||||
TALLOC_CTX *frame = talloc_stackframe();
|
|
||||||
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
|
|
||||||
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
|
|
||||||
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
|
|
||||||
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
|
|
||||||
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
|
|
||||||
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
|
|
||||||
POPT_COMMON_SAMBA
|
|
||||||
POPT_COMMON_CONNECTION
|
|
||||||
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
|
|
||||||
case 'g':
|
|
||||||
grepable=true;
|
|
||||||
break;
|
|
||||||
+ case 'q':
|
|
||||||
+ quiet=true;
|
|
||||||
+ break;
|
|
||||||
case 'e':
|
|
||||||
smb_encrypt=true;
|
|
||||||
break;
|
|
||||||
--
|
|
||||||
2.17.1
|
|
@ -1,6 +0,0 @@ |
|||||||
-----BEGIN PGP SIGNATURE----- |
|
||||||
|
|
||||||
iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq |
|
||||||
U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg== |
|
||||||
=em2I |
|
||||||
-----END PGP SIGNATURE----- |
|
Binary file not shown.
@ -0,0 +1,151 @@ |
|||||||
|
From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Allison <jra@samba.org>
|
||||||
|
Date: Thu, 21 Mar 2019 14:51:30 -0700
|
||||||
|
Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
|
||||||
|
SaveKey/RestoreKey.
|
||||||
|
|
||||||
|
They were not using VFS backend calls and could only work
|
||||||
|
locally, and were unsafe against symlink races and other
|
||||||
|
security issues.
|
||||||
|
|
||||||
|
If the incoming handle is valid, return WERR_BAD_PATHNAME.
|
||||||
|
|
||||||
|
[MS-RRP] states "The format of the file name is implementation-specific"
|
||||||
|
so ensure we don't allow this.
|
||||||
|
|
||||||
|
As reported by Michael Hanselmann.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
---
|
||||||
|
source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
|
||||||
|
1 file changed, 4 insertions(+), 88 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
|
||||||
|
index d9ee8d0602d..816c6bb2a12 100644
|
||||||
|
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
|
||||||
|
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
|
||||||
|
@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
|
||||||
|
}
|
||||||
|
|
||||||
|
/*******************************************************************
|
||||||
|
- ********************************************************************/
|
||||||
|
-
|
||||||
|
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
|
||||||
|
-{
|
||||||
|
- char *p = NULL;
|
||||||
|
- int num_services = lp_numservices();
|
||||||
|
- int snum = -1;
|
||||||
|
- const char *share_path = NULL;
|
||||||
|
- char *fname = *pp_fname;
|
||||||
|
-
|
||||||
|
- /* convert to a unix path, stripping the C:\ along the way */
|
||||||
|
-
|
||||||
|
- if (!(p = valid_share_pathname(ctx, fname))) {
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* has to exist within a valid file share */
|
||||||
|
-
|
||||||
|
- for (snum=0; snum<num_services; snum++) {
|
||||||
|
- if (!lp_snum_ok(snum) || lp_printable(snum)) {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- share_path = lp_path(talloc_tos(), snum);
|
||||||
|
-
|
||||||
|
- /* make sure we have a path (e.g. [homes] ) */
|
||||||
|
- if (strlen(share_path) == 0) {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (strncmp(share_path, p, strlen(share_path)) == 0) {
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- *pp_fname = p;
|
||||||
|
- return (snum < num_services) ? snum : -1;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-/*******************************************************************
|
||||||
|
_winreg_RestoreKey
|
||||||
|
********************************************************************/
|
||||||
|
|
||||||
|
@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
|
||||||
|
struct winreg_RestoreKey *r)
|
||||||
|
{
|
||||||
|
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
|
||||||
|
- char *fname = NULL;
|
||||||
|
- int snum = -1;
|
||||||
|
|
||||||
|
- if ( !regkey )
|
||||||
|
+ if ( !regkey ) {
|
||||||
|
return WERR_INVALID_HANDLE;
|
||||||
|
-
|
||||||
|
- if ( !r->in.filename || !r->in.filename->name )
|
||||||
|
- return WERR_INVALID_PARAMETER;
|
||||||
|
-
|
||||||
|
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
|
||||||
|
- if (!fname) {
|
||||||
|
- return WERR_NOT_ENOUGH_MEMORY;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
|
||||||
|
- "\"%s\"\n", regkey->key->name, fname));
|
||||||
|
-
|
||||||
|
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
|
||||||
|
- return WERR_BAD_PATHNAME;
|
||||||
|
-
|
||||||
|
- /* user must posses SeRestorePrivilege for this this proceed */
|
||||||
|
-
|
||||||
|
- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
|
||||||
|
- return WERR_ACCESS_DENIED;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
|
||||||
|
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
|
||||||
|
-
|
||||||
|
- return reg_restorekey(regkey, fname);
|
||||||
|
+ return WERR_BAD_PATHNAME;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*******************************************************************
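Review bot: Both stubs now fail for every valid handle, but nothing in the code says this is deliberate; the reason (no VFS backend calls, symlink races, CVE-2019-3880) lives only in the commit message. A one-line comment above the final `return WERR_BAD_PATHNAME;` in `_winreg_RestoreKey`, and the same in `_winreg_SaveKey` in the next hunk, would keep a later change from reintroducing the file-based path: `/* Deliberately unimplemented, see CVE-2019-3880: the old code bypassed the VFS and was unsafe against symlink races. */`.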
|
||||||
|
@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
|
||||||
|
struct winreg_SaveKey *r)
|
||||||
|
{
|
||||||
|
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
|
||||||
|
- char *fname = NULL;
|
||||||
|
- int snum = -1;
|
||||||
|
|
||||||
|
- if ( !regkey )
|
||||||
|
+ if ( !regkey ) {
|
||||||
|
return WERR_INVALID_HANDLE;
|
||||||
|
-
|
||||||
|
- if ( !r->in.filename || !r->in.filename->name )
|
||||||
|
- return WERR_INVALID_PARAMETER;
|
||||||
|
-
|
||||||
|
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
|
||||||
|
- if (!fname) {
|
||||||
|
- return WERR_NOT_ENOUGH_MEMORY;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
|
||||||
|
- regkey->key->name, fname));
|
||||||
|
-
|
||||||
|
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
|
||||||
|
- return WERR_BAD_PATHNAME;
|
||||||
|
-
|
||||||
|
- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
|
||||||
|
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
|
||||||
|
-
|
||||||
|
- return reg_savekey(regkey, fname);
|
||||||
|
+ return WERR_BAD_PATHNAME;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*******************************************************************
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
@ -0,0 +1,280 @@ |
|||||||
|
From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Tue, 4 Sep 2018 15:48:03 +0200
|
||||||
|
Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
|
||||||
|
---
|
||||||
|
source3/include/libsmbclient.h | 19 ++-
|
||||||
|
source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
|
||||||
|
source3/libsmb/libsmb_setget.c | 18 +++
|
||||||
|
source3/libsmb/wscript | 2 +-
|
||||||
|
4 files changed, 222 insertions(+), 2 deletions(-)
|
||||||
|
create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
|
||||||
|
|
||||||
|
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
|
||||||
|
index ca5c7f87f71..5e4a1715402 100644
|
||||||
|
--- a/source3/include/libsmbclient.h
|
||||||
|
+++ b/source3/include/libsmbclient.h
|
||||||
|
@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
|
||||||
|
void
|
||||||
|
smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
|
||||||
|
|
||||||
|
-
|
||||||
|
+/**
|
||||||
|
+ * @brief Set the 'client min protocol' and the 'client max protocol'.
|
||||||
|
+ *
|
||||||
|
+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
|
||||||
|
+ * protocol' set in the smb.conf file!
|
||||||
|
+ *
|
||||||
|
+ * @param[in] c The smbc context to use.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
|
||||||
|
+ * untouched.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
|
||||||
|
+ * untouched.
|
||||||
|
+ *
|
||||||
|
+ * @returns true for success, false otherwise
|
||||||
|
+ */
|
||||||
|
+smbc_bool
|
||||||
|
+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
|
||||||
|
|
||||||
|
/*************************************
|
||||||
|
* Getters and setters for FUNCTIONS *
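Review bot: The doc comment for `smbc_setOptionProtocols` describes `c` as "The smbc context to use", yet the implementation added to libsmb_setget.c in this same patch never reads `c` and only calls `lp_set_cmdline()`, so the setting looks process-wide rather than per-context. I would say so in the comment, for example `* NOTE: the values are applied to the global configuration, not only to context c.`, and name the accepted protocol strings or point to the matching smb.conf parameters. "overrrides" in the IMPORTANT line is a typo for "overrides".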
|
||||||
|
diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..b4245979c24
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
|
||||||
|
@@ -0,0 +1,185 @@
|
||||||
|
+smbc_chmod: int (const char *, mode_t)
|
||||||
|
+smbc_close: int (int)
|
||||||
|
+smbc_closedir: int (int)
|
||||||
|
+smbc_creat: int (const char *, mode_t)
|
||||||
|
+smbc_fgetxattr: int (int, const char *, const void *, size_t)
|
||||||
|
+smbc_flistxattr: int (int, char *, size_t)
|
||||||
|
+smbc_free_context: int (SMBCCTX *, int)
|
||||||
|
+smbc_fremovexattr: int (int, const char *)
|
||||||
|
+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
|
||||||
|
+smbc_fstat: int (int, struct stat *)
|
||||||
|
+smbc_fstatvfs: int (int, struct statvfs *)
|
||||||
|
+smbc_ftruncate: int (int, off_t)
|
||||||
|
+smbc_getDebug: int (SMBCCTX *)
|
||||||
|
+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
|
||||||
|
+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
|
||||||
|
+smbc_getNetbiosName: const char *(SMBCCTX *)
|
||||||
|
+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
|
||||||
|
+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
|
||||||
|
+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
|
||||||
|
+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
|
||||||
|
+smbc_getOptionUserData: void *(SMBCCTX *)
|
||||||
|
+smbc_getPort: uint16_t (SMBCCTX *)
|
||||||
|
+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
|
||||||
|
+smbc_getTimeout: int (SMBCCTX *)
|
||||||
|
+smbc_getUser: const char *(SMBCCTX *)
|
||||||
|
+smbc_getWorkgroup: const char *(SMBCCTX *)
|
||||||
|
+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
|
||||||
|
+smbc_getxattr: int (const char *, const char *, const void *, size_t)
|
||||||
|
+smbc_init: int (smbc_get_auth_data_fn, int)
|
||||||
|
+smbc_init_context: SMBCCTX *(SMBCCTX *)
|
||||||
|
+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
|
||||||
|
+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
|
||||||
|
+smbc_listxattr: int (const char *, char *, size_t)
|
||||||
|
+smbc_llistxattr: int (const char *, char *, size_t)
|
||||||
|
+smbc_lremovexattr: int (const char *, const char *)
|
||||||
|
+smbc_lseek: off_t (int, off_t, int)
|
||||||
|
+smbc_lseekdir: int (int, off_t)
|
||||||
|
+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
|
||||||
|
+smbc_mkdir: int (const char *, mode_t)
|
||||||
|
+smbc_new_context: SMBCCTX *(void)
|
||||||
|
+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
|
||||||
|
+smbc_open: int (const char *, int, mode_t)
|
||||||
|
+smbc_open_print_job: int (const char *)
|
||||||
|
+smbc_opendir: int (const char *)
|
||||||
|
+smbc_option_get: void *(SMBCCTX *, char *)
|
||||||
|
+smbc_option_set: void (SMBCCTX *, char *, ...)
|
||||||
|
+smbc_print_file: int (const char *, const char *)
|
||||||
|
+smbc_read: ssize_t (int, void *, size_t)
|
||||||
|
+smbc_readdir: struct smbc_dirent *(unsigned int)
|
||||||
|
+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
|
||||||
|
+smbc_removexattr: int (const char *, const char *)
|
||||||
|
+smbc_rename: int (const char *, const char *)
|
||||||
|
+smbc_rmdir: int (const char *)
|
||||||
|
+smbc_setConfiguration: int (SMBCCTX *, const char *)
|
||||||
|
+smbc_setDebug: void (SMBCCTX *, int)
|
||||||
|
+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
|
||||||
|
+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
|
||||||
|
+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
|
||||||
|
+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
|
||||||
|
+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
|
||||||
|
+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
|
||||||
|
+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
|
||||||
|
+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
|
||||||
|
+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
|
||||||
|
+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
|
||||||
|
+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
|
||||||
|
+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
|
||||||
|
+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
|
||||||
|
+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
|
||||||
|
+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
|
||||||
|
+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
|
||||||
|
+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
|
||||||
|
+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
|
||||||
|
+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
|
||||||
|
+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
|
||||||
|
+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
|
||||||
|
+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
|
||||||
|
+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
|
||||||
|
+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
|
||||||
|
+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
|
||||||
|
+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
|
||||||
|
+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
|
||||||
|
+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
|
||||||
|
+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
|
||||||
|
+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
|
||||||
|
+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
|
||||||
|
+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
|
||||||
|
+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
|
||||||
|
+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
|
||||||
|
+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
|
||||||
|
+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
|
||||||
|
+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
|
||||||
|
+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
|
||||||
|
+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
|
||||||
|
+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
|
||||||
|
+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
|
||||||
|
+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
|
||||||
|
+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
|
||||||
|
+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
|
||||||
|
+smbc_setNetbiosName: void (SMBCCTX *, const char *)
|
||||||
|
+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
|
||||||
|
+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
|
||||||
|
+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
|
||||||
|
+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
|
||||||
|
+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
|
||||||
|
+smbc_setOptionUserData: void (SMBCCTX *, void *)
|
||||||
|
+smbc_setPort: void (SMBCCTX *, uint16_t)
|
||||||
|
+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
|
||||||
|
+smbc_setTimeout: void (SMBCCTX *, int)
|
||||||
|
+smbc_setUser: void (SMBCCTX *, const char *)
|
||||||
|
+smbc_setWorkgroup: void (SMBCCTX *, const char *)
|
||||||
|
+smbc_set_context: SMBCCTX *(SMBCCTX *)
|
||||||
|
+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
|
||||||
|
+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
|
||||||
|
+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
|
||||||
|
+smbc_stat: int (const char *, struct stat *)
|
||||||
|
+smbc_statvfs: int (char *, struct statvfs *)
|
||||||
|
+smbc_telldir: off_t (int)
|
||||||
|
+smbc_unlink: int (const char *)
|
||||||
|
+smbc_unlink_print_job: int (const char *, int)
|
||||||
|
+smbc_urldecode: int (char *, char *, size_t)
|
||||||
|
+smbc_urlencode: int (char *, char *, int)
|
||||||
|
+smbc_utime: int (const char *, struct utimbuf *)
|
||||||
|
+smbc_utimes: int (const char *, struct timeval *)
|
||||||
|
+smbc_version: const char *(void)
|
||||||
|
+smbc_write: ssize_t (int, const void *, size_t)
|
||||||
|
diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
|
||||||
|
index 60b822a395c..b1c4ff3b557 100644
|
||||||
|
--- a/source3/libsmb/libsmb_setget.c
|
||||||
|
+++ b/source3/libsmb/libsmb_setget.c
|
||||||
|
@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+smbc_bool
|
||||||
|
+smbc_setOptionProtocols(SMBCCTX *c,
|
||||||
|
+ const char *min_proto,
|
||||||
|
+ const char *max_proto)
|
||||||
|
+{
|
||||||
|
+ bool ok = true;
|
||||||
|
+
|
||||||
|
+ if (min_proto != NULL) {
|
||||||
|
+ ok = lp_set_cmdline("client min protocol", min_proto);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (max_proto != NULL) {
|
||||||
|
+ ok &= lp_set_cmdline("client min protocol", max_proto);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ok;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/** Get the function for obtaining authentication data */
|
||||||
|
smbc_get_auth_data_fn
|
||||||
|
smbc_getFunctionAuthData(SMBCCTX *c)
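Review bot: The `max_proto` branch passes `"client min protocol"` to `lp_set_cmdline()`, so the maximum is never set and a minimum supplied in the same call is overwritten by the `max_proto` value. A caller that uses this function to pin a protocol floor or to cap the dialect therefore ends up with a range it did not ask for, while the function can still return true. The line should read `ok &= lp_set_cmdline("client max protocol", max_proto);`. A test that sets both values and reads them back would catch this.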
|
||||||
|
diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
|
||||||
|
index 5482aea7d9c..298afc3c0e3 100644
|
||||||
|
--- a/source3/libsmb/wscript
|
||||||
|
+++ b/source3/libsmb/wscript
|
||||||
|
@@ -27,5 +27,5 @@ def build(bld):
|
||||||
|
public_headers='../include/libsmbclient.h',
|
||||||
|
abi_directory='ABI',
|
||||||
|
abi_match='smbc_*',
|
||||||
|
- vnum='0.4.0',
|
||||||
|
+ vnum='0.5.0',
|
||||||
|
pc_files='smbclient.pc')
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
@ -0,0 +1,252 @@ |
|||||||
|
From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Thu, 3 Jan 2019 12:07:01 -0500
|
||||||
|
Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
|
||||||
|
|
||||||
|
If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
|
||||||
|
for a port 139 connection in the low level socket connection code.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Noel Power <nopower@suse.com>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
|
||||||
|
---
|
||||||
|
source3/libsmb/smbsock_connect.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
|
||||||
|
index 9f915e1bb42..bb3cb07646c 100644
|
||||||
|
--- a/source3/libsmb/smbsock_connect.c
|
||||||
|
+++ b/source3/libsmb/smbsock_connect.c
|
||||||
|
@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
|
||||||
|
tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
|
||||||
|
|
||||||
|
if (port == NBT_SMB_PORT) {
|
||||||
|
+ if (lp_disable_netbios()) {
|
||||||
|
+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
|
||||||
|
+ return tevent_req_post(req, ev);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
state->req_139 = nb_connect_send(state, state->ev, state->addr,
|
||||||
|
state->called_name,
|
||||||
|
state->called_type,
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Mon, 17 Dec 2018 14:40:33 -0500
|
||||||
|
Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
|
||||||
|
|
||||||
|
With a preceding patch, cli_connect_nb() will return
|
||||||
|
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
|
||||||
|
|
||||||
|
Print an informative error message to indicate Netbios is disabled
|
||||||
|
if this occurs.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Noel Power <nopower@suse.com>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
|
||||||
|
---
|
||||||
|
source3/libsmb/clidfs.c | 10 +++++++---
|
||||||
|
source3/libsmb/libsmb_server.c | 4 ++++
|
||||||
|
2 files changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
|
||||||
|
index 0dfb8b33606..4342a3b1d1b 100644
|
||||||
|
--- a/source3/libsmb/clidfs.c
|
||||||
|
+++ b/source3/libsmb/clidfs.c
|
||||||
|
@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
|
||||||
|
flags, &c);
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
- d_printf("Connection to %s failed (Error %s)\n",
|
||||||
|
- server,
|
||||||
|
- nt_errstr(status));
|
||||||
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
||||||
|
+ DBG_ERR("NetBIOS support disabled, unable to connect");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ DBG_WARNING("Connection to %s failed (Error %s)\n",
|
||||||
|
+ server,
|
||||||
|
+ nt_errstr(status));
|
||||||
|
return status;
|
||||||
|
}
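Review bot: The new `DBG_ERR("NetBIOS support disabled, unable to connect")` has no trailing newline, unlike the same message added to net_rpc.c later in this series, so it presumably runs into the `DBG_WARNING` line that follows; the identical call in the libsmb_server.c hunk below has the same problem. Both should be `DBG_ERR("NetBIOS support disabled, unable to connect\n");`. Separately, replacing `d_printf` with `DBG_WARNING` makes the "Connection to %s failed" message depend on the debug level, which is worth confirming as intended for interactive callers of `do_connect`, whose body extends beyond this hunk.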
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
|
||||||
|
index 67dfcf72327..0067df48cac 100644
|
||||||
|
--- a/source3/libsmb/libsmb_server.c
|
||||||
|
+++ b/source3/libsmb/libsmb_server.c
|
||||||
|
@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
||||||
|
+ DBG_ERR("NetBIOS support disabled, unable to connect");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
errno = map_errno_from_nt_status(status);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Mon, 17 Dec 2018 14:57:59 -0500
|
||||||
|
Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
|
||||||
|
|
||||||
|
With a preceding patch, cli_connect_nb() will return
|
||||||
|
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
|
||||||
|
|
||||||
|
Print an informative error message to indicate Netbios is disabled
|
||||||
|
if this occurs.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Noel Power <nopower@suse.com>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
|
||||||
|
---
|
||||||
|
source3/libsmb/passchange.c | 16 ++++++++++++----
|
||||||
|
1 file changed, 12 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
|
||||||
|
index 48ffba8036f..f60e3079975 100644
|
||||||
|
--- a/source3/libsmb/passchange.c
|
||||||
|
+++ b/source3/libsmb/passchange.c
|
||||||
|
@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
|
||||||
|
result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
|
||||||
|
SMB_SIGNING_IPC_DEFAULT, 0, &cli);
|
||||||
|
if (!NT_STATUS_IS_OK(result)) {
|
||||||
|
- if (asprintf(err_str, "Unable to connect to SMB server on "
|
||||||
|
- "machine %s. Error was : %s.\n",
|
||||||
|
- remote_machine, nt_errstr(result))==-1) {
|
||||||
|
- *err_str = NULL;
|
||||||
|
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
|
||||||
|
+ if (asprintf(err_str, "Unable to connect to SMB server on "
|
||||||
|
+ "machine %s. NetBIOS support disabled\n",
|
||||||
|
+ remote_machine) == -1) {
|
||||||
|
+ *err_str = NULL;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ if (asprintf(err_str, "Unable to connect to SMB server on "
|
||||||
|
+ "machine %s. Error was : %s.\n",
|
||||||
|
+ remote_machine, nt_errstr(result))==-1) {
|
||||||
|
+ *err_str = NULL;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Mon, 17 Dec 2018 15:17:24 -0500
|
||||||
|
Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
|
||||||
|
|
||||||
|
With a preceding patch, cli_connect_nb() will return
|
||||||
|
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
|
||||||
|
|
||||||
|
Print an informative error message to indicate Netbios is disabled
|
||||||
|
if this occurs.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Noel Power <nopower@suse.com>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
|
||||||
|
---
|
||||||
|
source3/utils/net_rpc.c | 3 +++
|
||||||
|
source3/utils/net_time.c | 9 +++++++--
|
||||||
|
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
|
||||||
|
index 67fff2f4d1b..91ad90f9594 100644
|
||||||
|
--- a/source3/utils/net_rpc.c
|
||||||
|
+++ b/source3/utils/net_rpc.c
|
||||||
|
@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
|
||||||
|
lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
|
||||||
|
0, &cli);
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
||||||
|
+ DBG_ERR("NetBIOS support disabled, unable to connect\n");
|
||||||
|
+ }
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
|
||||||
|
diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
|
||||||
|
index 0091fc86333..5e6cf2ea15d 100644
|
||||||
|
--- a/source3/utils/net_time.c
|
||||||
|
+++ b/source3/utils/net_time.c
|
||||||
|
@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
|
||||||
|
status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
|
||||||
|
SMB_SIGNING_DEFAULT, 0, &cli);
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
|
||||||
|
- host, nt_errstr(status));
|
||||||
|
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
|
||||||
|
+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
|
||||||
|
+ " Error %s\n", host, nt_errstr(status));
|
||||||
|
+ } else {
|
||||||
|
+ fprintf(stderr, "Can't contact server %s. Error %s\n",
|
||||||
|
+ host, nt_errstr(status));
|
||||||
|
+ }
|
||||||
|
goto done;
|
||||||
|
}
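Review bot: Both replacement `fprintf` calls drop the `_()` gettext wrapper that the removed line had, so this message is no longer translated for localized installs. Keep the wrapper on the generic branch, `fprintf(stderr, _("Can't contact server %s. Error %s\n"),`, and wrap the new NetBIOS string in `_()` as well. The net_rpc.c hunk in this patch reports the same condition only through `DBG_ERR`, so the two tools surface a disabled NetBIOS differently. cli_servertime starts and ends outside the hunk.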
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
|
|
||||||
|
From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Mon, 14 Jan 2019 10:36:47 -0500
|
||||||
|
Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
|
||||||
|
smbsock_connect_send
|
||||||
|
|
||||||
|
If disable_netbios is set, return before the tevent timer is triggered
|
||||||
|
to prevent outgoing netbios connections.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
|
||||||
|
---
|
||||||
|
source3/libsmb/smbsock_connect.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
|
||||||
|
index bb3cb07646c..be52b9a4f79 100644
|
||||||
|
--- a/source3/libsmb/smbsock_connect.c
|
||||||
|
+++ b/source3/libsmb/smbsock_connect.c
|
||||||
|
@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
|
||||||
|
tevent_req_set_callback(state->req_445, smbsock_connect_connected,
|
||||||
|
req);
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * Check for disable_netbios
|
||||||
|
+ */
|
||||||
|
+ if (lp_disable_netbios()) {
|
||||||
|
+ return req;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* After 5 msecs, fire the 139 (NBT) request
|
||||||
|
*/
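Review bot: The added comment `Check for disable_netbios` restates the condition rather than saying why the function returns here. A why-comment would serve the next reader better, for example `/* NetBIOS disabled: never arm the port 139 (NBT) fallback, the 445 request is the only attempt. */`. This hunk only covers the fallback path; whether a caller that explicitly asks for port 139 is refused is decided earlier in smbsock_connect_send, outside the hunk. That is worth confirming so the option blocks every outgoing NBT session.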
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,37 @@ |
|||||||
|
From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Fri, 22 Mar 2019 14:39:11 +0100
|
||||||
|
Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
|
||||||
|
|
||||||
|
We default to SMB3 now.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
|
||||||
|
---
|
||||||
|
docs-xml/manpages/smbclient.1.xml | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
|
||||||
|
index e71a21a95e3..e25f7d3517b 100644
|
||||||
|
--- a/docs-xml/manpages/smbclient.1.xml
|
||||||
|
+++ b/docs-xml/manpages/smbclient.1.xml
|
||||||
|
@@ -261,9 +261,9 @@
|
||||||
|
<listitem><para>This allows the user to select the
|
||||||
|
highest SMB protocol level that smbclient will use to
|
||||||
|
connect to the server. By default this is set to
|
||||||
|
- NT1, which is the highest available SMB1 protocol.
|
||||||
|
- To connect using SMB2 or SMB3 protocol, use the
|
||||||
|
- strings SMB2 or SMB3 respectively. Note that to connect
|
||||||
|
+ highest available SMB3 protocol version.
|
||||||
|
+ To connect using SMB2 or SMB1 protocol, use the
|
||||||
|
+ strings SMB2 or NT1 respectively. Note that to connect
|
||||||
|
to a Windows 2012 server with encrypted transport selecting
|
||||||
|
a max-protocol of SMB3 is required.
|
||||||
|
</para></listitem>
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
@ -0,0 +1,40 @@ |
|||||||
|
From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Wed, 7 Nov 2018 14:32:29 +0100
|
||||||
|
Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
|
||||||
|
|
||||||
|
This fixes a segfault in pyglue:
|
||||||
|
|
||||||
|
==10142== Process terminating with default action of signal 11 (SIGSEGV)
|
||||||
|
==10142== Bad permissions for mapped region at address 0x6F00A20
|
||||||
|
==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
|
||||||
|
---
|
||||||
|
lib/util/debug.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/util/debug.c b/lib/util/debug.c
|
||||||
|
index d41e0f99c77..847ec1f0a0c 100644
|
||||||
|
--- a/lib/util/debug.c
|
||||||
|
+++ b/lib/util/debug.c
|
||||||
|
@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
|
||||||
|
* This is to allow reading of DEBUGLEVEL_CLASS before the debug
|
||||||
|
* system has been initialized.
|
||||||
|
*/
|
||||||
|
-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
|
||||||
|
+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
|
||||||
|
|
||||||
|
static size_t debug_num_classes = 0;
|
||||||
|
-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
|
||||||
|
+int *DEBUGLEVEL_CLASS = debug_class_list_initial;
|
||||||
|
|
||||||
|
|
||||||
|
/* -------------------------------------------------------------------------- **
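Review bot: The comment retained above `debug_class_list_initial` still says the array exists to allow reading DEBUGLEVEL_CLASS before initialization, but this change is needed because the array is apparently also written through that pointer. The trace in the commit message shows py_set_debug_level faulting on the read-only mapping. Extend the comment with something like `* It must stay writable: levels can be set through DEBUGLEVEL_CLASS before debug init.` so the `const` is not reintroduced later. The comment begins outside the hunk.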
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
@ -0,0 +1,87 @@ |
|||||||
|
From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jeremy Allison <jra@samba.org>
|
||||||
|
Date: Fri, 18 Jan 2019 14:24:30 -0800
|
||||||
|
Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
|
||||||
|
existing share connection.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
smbd could crash if "force group" is added to a
|
||||||
|
share definition whilst an existing connection
|
||||||
|
to that share exists. In that case, don't change
|
||||||
|
the existing credentials for force group, only
|
||||||
|
do so for new connections.
|
||||||
|
|
||||||
|
Remove knownfail from regression test.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
|
||||||
|
|
||||||
|
Signed-off-by: Jeremy Allison <jra@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
|
||||||
|
Autobuild-User(master): Ralph Böhme <slow@samba.org>
|
||||||
|
Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
|
||||||
|
|
||||||
|
(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
|
||||||
|
---
|
||||||
|
source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
|
||||||
|
2 files changed, 33 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
|
||||||
|
index 9d5321cf4cc..ced2d450f8e 100644
|
||||||
|
--- a/source3/smbd/uid.c
|
||||||
|
+++ b/source3/smbd/uid.c
|
||||||
|
@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
|
||||||
|
int snum;
|
||||||
|
gid_t gid;
|
||||||
|
uid_t uid;
|
||||||
|
+ const char *force_group_name;
|
||||||
|
char group_c;
|
||||||
|
int num_groups = 0;
|
||||||
|
gid_t *group_list = NULL;
|
||||||
|
@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
|
||||||
|
* See if we should force group for this service. If so this overrides
|
||||||
|
* any group set in the force user code.
|
||||||
|
*/
|
||||||
|
- if((group_c = *lp_force_group(talloc_tos(), snum))) {
|
||||||
|
+ force_group_name = lp_force_group(talloc_tos(), snum);
|
||||||
|
+ group_c = *force_group_name;
|
||||||
|
|
||||||
|
- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
|
||||||
|
+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
|
||||||
|
+ /*
|
||||||
|
+ * This can happen if "force group" is added to a
|
||||||
|
+ * share definition whilst an existing connection
|
||||||
|
+ * to that share exists. In that case, don't change
|
||||||
|
+ * the existing credentials for force group, only
|
||||||
|
+ * do so for new connections.
|
||||||
|
+ *
|
||||||
|
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
|
||||||
|
+ */
|
||||||
|
+ DBG_INFO("Not forcing group %s on existing connection to "
|
||||||
|
+ "share %s for SMB user %s (unix user %s)\n",
|
||||||
|
+ force_group_name,
|
||||||
|
+ lp_const_servicename(snum),
|
||||||
|
+ session_info->unix_info->sanitized_username,
|
||||||
|
+ session_info->unix_info->unix_name);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
|
||||||
|
+ /*
|
||||||
|
+ * Only force group for connections where
|
||||||
|
+ * conn->force_group_gid has already been set
|
||||||
|
+ * to the correct value (i.e. the connection
|
||||||
|
+ * happened after the 'force group' definition
|
||||||
|
+ * was added to the share definition. Connections
|
||||||
|
+ * that were made before force group was added
|
||||||
|
+ * should stay with their existing credentials.
|
||||||
|
+ *
|
||||||
|
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
|
||||||
|
+ */
|
||||||
|
|
||||||
|
if (group_c == '+') {
|
||||||
|
int i;
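Review bot: The skipped-force-group case is reported with `DBG_INFO`, which is not visible at low log levels. An administrator who adds 'force group' to tighten access gets no indication that already-connected sessions keep their previous group until they reconnect. Consider `DBG_WARNING(` for that message, since the configured restriction is silently not applied to those sessions. The two `if` conditions are exact complements on `conn->force_group_gid`, so a single `if (group_c != '\0')` with an inner `if`/`else` would read more directly. `*force_group_name` is dereferenced unchecked, as the removed line did, and change_to_user_internal continues outside the hunk.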
|
||||||
|
--
|
||||||
|
2.20.1.495.gaa96b0ce6b-goog
|
||||||
|
|
@ -0,0 +1,544 @@ |
|||||||
|
From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Fri, 29 Mar 2019 11:34:53 +0100
|
||||||
|
Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
|
||||||
|
|
||||||
|
Currently we just get an error but don't know what exactly we tried to
|
||||||
|
do in 'net ads join -d10'.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
|
||||||
|
---
|
||||||
|
source3/libads/ldap.c | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
||||||
|
index 13846695bd4..110f74a2dbb 100644
|
||||||
|
--- a/source3/libads/ldap.c
|
||||||
|
+++ b/source3/libads/ldap.c
|
||||||
|
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
|
||||||
|
if (ret != 0) {
|
||||||
|
char *ld_error = NULL;
|
||||||
|
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
|
||||||
|
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
|
||||||
|
- ldap_err2string(ret), ld_error));
|
||||||
|
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
|
||||||
|
+ ret,
|
||||||
|
+ ldap_err2string(ret),
|
||||||
|
+ ld_error);
|
||||||
|
SAFE_FREE(ld_error);
|
||||||
|
}
|
||||||
|
}
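Review bot: `ld_error` is handed to `%s` without checking that `ldap_get_option()` filled it in; it stays NULL when the call fails or the library holds no diagnostic text. The message moved from debug level 10 to `DBG_ERR`, so this now runs on every failed LDAP operation rather than only in verbose debugging. Log `ld_error != NULL ? ld_error : ""` instead. The text originates from the directory server, so it should be treated as untrusted content in the log.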
|
||||||
|
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
|
||||||
|
(char) 1};
|
||||||
|
LDAPControl *controls[2];
|
||||||
|
|
||||||
|
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
|
||||||
|
+
|
||||||
|
controls[0] = &PermitModify;
|
||||||
|
controls[1] = NULL;
|
||||||
|
|
||||||
|
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
|
||||||
|
char *utf8_dn = NULL;
|
||||||
|
size_t converted_size;
|
||||||
|
|
||||||
|
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
|
||||||
|
+
|
||||||
|
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
|
||||||
|
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
|
||||||
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
||||||
|
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
|
||||||
|
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
|
||||||
|
+
|
||||||
|
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
|
||||||
|
ads_print_error(ret, ads->ldap.ld);
|
||||||
|
TALLOC_FREE(utf8_dn);
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Wed, 27 Mar 2019 16:45:39 +0100
|
||||||
|
Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
|
||||||
|
---
|
||||||
|
source3/libsmb/cliconnect.c | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
||||||
|
index 837299d9220..9a3d3c769f9 100644
|
||||||
|
--- a/source3/libsmb/cliconnect.c
|
||||||
|
+++ b/source3/libsmb/cliconnect.c
|
||||||
|
@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DBG_INFO("Doing kinit for %s to access %s\n",
|
||||||
|
+ user_principal, target_hostname);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TODO: This should be done within the gensec layer
|
||||||
|
@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
|
||||||
|
*/
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
|
||||||
|
+ "Kerberos\n",
|
||||||
|
+ user_principal,
|
||||||
|
+ target_hostname);
|
||||||
|
+
|
||||||
|
TALLOC_FREE(frame);
|
||||||
|
return NT_STATUS_OK;
|
||||||
|
}
|
||||||
|
@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
|
||||||
|
return tevent_req_post(req, ev);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
|
||||||
|
+ target_hostname,
|
||||||
|
+ cli_credentials_get_principal(creds, talloc_tos()));
|
||||||
|
+
|
||||||
|
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
|
||||||
|
target_service, target_hostname);
|
||||||
|
if (tevent_req_nomem(subreq, req)) {
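Review bot: `cli_credentials_get_principal(creds, talloc_tos())` is passed straight to `%s` in the new `DBG_INFO`. If it returns NULL (allocation failure, or credentials without a principal, which cannot be judged from this hunk), the format call receives a NULL string. Fetch it into a local first and log `principal != NULL ? principal : "<unknown>"`. In the last hunk of this patch, `"Connect to %s as %s using NTLM\n"` receives `domain` as its first argument, so the line names a domain where it reads like a host; `"Authenticating as %s\\%s using NTLM\n"` would match the arguments better.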
|
||||||
|
@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
|
||||||
|
return tevent_req_post(req, ev);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
|
||||||
|
+
|
||||||
|
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
|
||||||
|
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
|
||||||
|
uint8_t *bytes = NULL;
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guenther Deschner <gd@samba.org>
|
||||||
|
Date: Mon, 1 Apr 2019 17:46:39 +0200
|
||||||
|
Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
|
||||||
|
|
||||||
|
A newline is missing but also use DBG_INFO macro and cleanup spelling.
|
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
|
||||||
|
---
|
||||||
|
source3/libnet/libnet_join.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index 27fc5135442..ddc00f7ad7c 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
|
||||||
|
return WERR_NERR_DEFAULTJOINREQUIRED;
|
||||||
|
}
|
||||||
|
|
||||||
|
- DEBUG(5, ("failed to precreate account in ou %s: %s",
|
||||||
|
- r->in.account_ou, ads_errstr(ads_status)));
|
||||||
|
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
|
||||||
|
+ r->in.account_ou, ads_errstr(ads_status));
|
||||||
|
}
|
||||||
|
rpc_join:
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guenther Deschner <gd@samba.org>
|
||||||
|
Date: Wed, 27 Mar 2019 17:51:04 +0100
|
||||||
|
Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
|
||||||
|
|
||||||
|
This got lost somehow during refactoring. This is still viable
|
||||||
|
information when trying to figure out what is going wrong when
|
||||||
|
authenticating a user over NTLMSSP.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
|
||||||
|
---
|
||||||
|
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 32 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
|
||||||
|
index ab406a2c5be..8e49dcee5ea 100644
|
||||||
|
--- a/auth/ntlmssp/ntlmssp_client.c
|
||||||
|
+++ b/auth/ntlmssp/ntlmssp_client.c
|
||||||
|
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (DEBUGLEVEL >= 10) {
|
||||||
|
+ struct CHALLENGE_MESSAGE *challenge =
|
||||||
|
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
|
||||||
|
+ if (challenge != NULL) {
|
||||||
|
+ NTSTATUS status;
|
||||||
|
+ challenge->NegotiateFlags = chal_flags;
|
||||||
|
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
|
||||||
|
+ &in, challenge, challenge);
|
||||||
|
+ if (NT_STATUS_IS_OK(status)) {
|
||||||
|
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
|
||||||
|
+ challenge);
|
||||||
|
+ }
|
||||||
|
+ TALLOC_FREE(challenge);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
|
||||||
|
ntlmssp_state->server.is_standalone = true;
|
||||||
|
} else {
|
||||||
|
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
|
||||||
|
return nt_status;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (DEBUGLEVEL >= 10) {
|
||||||
|
+ struct AUTHENTICATE_MESSAGE *authenticate =
|
||||||
|
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
|
||||||
|
+ if (authenticate != NULL) {
|
||||||
|
+ NTSTATUS status;
|
||||||
|
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
|
||||||
|
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
|
||||||
|
+ out, authenticate, authenticate);
|
||||||
|
+ if (NT_STATUS_IS_OK(status)) {
|
||||||
|
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
|
||||||
|
+ authenticate);
|
||||||
|
+ }
|
||||||
|
+ TALLOC_FREE(authenticate);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* We always include the MIC, even without:
|
||||||
|
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
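Review bot: The restored `NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE, authenticate)` writes the whole message to the log at level 10. As far as I know that structure carries the LM/NT challenge responses and the encrypted session key along with user and domain names. Together with the challenge printed by the first hunk, that is enough material for offline password guessing by anyone who can read the log. Add a comment at both blocks stating this, for example `/* Level 10 only: dumps authentication responses, treat the resulting log as sensitive. */`. The temporary is parented to `ntlmssp_state` and freed a few lines later; a short-lived talloc frame would express that lifetime more clearly. Both hunks sit in the middle of functions that continue outside them.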
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 1 Apr 2019 15:59:10 +0200
|
||||||
|
Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
|
||||||
|
when using NTLM
|
||||||
|
|
||||||
|
If we want to authenticate using -Wadmin@otherdomain the DC should
|
||||||
|
take care of the authentication with the right DC for us.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
|
||||||
|
---
|
||||||
|
auth/credentials/credentials.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
||||||
|
index 4663185c979..7ef58d0752c 100644
|
||||||
|
--- a/auth/credentials/credentials.c
|
||||||
|
+++ b/auth/credentials/credentials.c
|
||||||
|
@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
|
||||||
|
const char **username,
|
||||||
|
const char **domain)
|
||||||
|
{
|
||||||
|
- if (cred->principal_obtained > cred->username_obtained) {
|
||||||
|
+ if (cred->principal_obtained >= cred->username_obtained) {
|
||||||
|
*domain = talloc_strdup(mem_ctx, "");
|
||||||
|
*username = cli_credentials_get_principal(cred, mem_ctx);
|
||||||
|
} else {
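Review bot: With `>=` the principal branch is now also taken when `principal_obtained` and `username_obtained` are equal, which presumably includes credentials where neither was ever set. In that case the caller gets an empty domain and whatever `cli_credentials_get_principal()` returns, possibly NULL, and neither that nor the `talloc_strdup` result is checked. A short comment would help, for example `/* Ties go to the principal: NTLM then sends user@realm with an empty domain. */`, together with a check that anonymous or uninitialised credentials still take the intended path. The rest of the function is outside the hunk.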
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 1 Apr 2019 16:39:45 +0200
|
||||||
|
Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
|
||||||
|
|
||||||
|
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
|
||||||
|
---
|
||||||
|
source3/libnet/libnet_join.c | 8 +++++---
|
||||||
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index ddc00f7ad7c..e052306523d 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* The domain parameter is only used as modifier
|
||||||
|
- * to krb5.conf file name. .JOIN is is not a valid
|
||||||
|
+ * to krb5.conf file name. _JOIN_ is is not a valid
|
||||||
|
* NetBIOS name so it cannot clash with another domain
|
||||||
|
* -- Uri.
|
||||||
|
*/
|
||||||
|
- create_local_private_krb5_conf_for_domain(
|
||||||
|
- pre_connect_realm, ".JOIN", sitename, &ss);
|
||||||
|
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
|
||||||
|
+ "_JOIN_",
|
||||||
|
+ sitename,
|
||||||
|
+ &ss);
|
||||||
|
}
|
||||||
|
|
||||||
|
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
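Review bot: The updated comment claims `_JOIN_` is not a valid NetBIOS name, but that reasoning was written for `.JOIN`, which is invalid because of its leading period. To my knowledge underscores are permitted in NetBIOS names, so the no-clash guarantee should be re-verified or the comment reworded, for example `* _JOIN_ is reserved here and is not expected to be used as a real domain name`. The duplicated word in `is is not a valid` is also carried over onto the new line. libnet_DomainJoin continues outside the hunk.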
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 1 Apr 2019 16:47:26 +0200
|
||||||
|
Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
|
||||||
|
configured
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
|
||||||
|
---
|
||||||
|
source3/libads/kerberos.c | 12 ++++++++++--
|
||||||
|
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
|
||||||
|
index e623f2456a8..360cdd741da 100644
|
||||||
|
--- a/source3/libads/kerberos.c
|
||||||
|
+++ b/source3/libads/kerberos.c
|
||||||
|
@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+ /*
|
||||||
|
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
|
||||||
|
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
|
||||||
|
+ *
|
||||||
|
+ * net ads join -Uadmin@otherdomain
|
||||||
|
+ */
|
||||||
|
file_contents =
|
||||||
|
talloc_asprintf(fname,
|
||||||
|
- "[libdefaults]\n\tdefault_realm = %s\n"
|
||||||
|
+ "[libdefaults]\n"
|
||||||
|
+ "\tdefault_realm = %s\n"
|
||||||
|
"%s"
|
||||||
|
- "\tdns_lookup_realm = false\n\n"
|
||||||
|
+ "\tdns_lookup_realm = false\n"
|
||||||
|
+ "\tdns_lookup_kdc = true\n\n"
|
||||||
|
"[realms]\n\t%s = {\n"
|
||||||
|
"%s\t}\n"
|
||||||
|
"%s\n",
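Review bot: Writing `dns_lookup_kdc = true` into the generated krb5.conf makes KDC discovery for realms not listed under `[realms]` depend on DNS SRV answers. The new comment should state that trust assumption, because a spoofed or poisoned answer could steer the join's Kerberos requests to another host. The current wording, `KDCs which are not configured via DNS SRV records`, can also be read as the opposite of what is meant. Suggest `* Enable 'dns_lookup_kdc' so that KDCs of realms not configured below are located through DNS SRV records; this relies on trustworthy DNS.` The format string and its arguments continue outside the hunk.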
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Guenther Deschner <gd@samba.org>
|
||||||
|
Date: Mon, 1 Apr 2019 17:40:03 +0200
|
||||||
|
Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
|
||||||
|
accounts
|
||||||
|
|
||||||
|
This avoids numerous LDAP constraint violation errors when we try to
|
||||||
|
re-precreate an already existing machine account.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
|
||||||
|
---
|
||||||
|
source3/libads/ldap.c | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
|
||||||
|
index 110f74a2dbb..e191ea792a8 100644
|
||||||
|
--- a/source3/libads/ldap.c
|
||||||
|
+++ b/source3/libads/ldap.c
|
||||||
|
@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
|
||||||
|
+ ads_msgfree(ads, res);
|
||||||
|
+ if (ADS_ERR_OK(ret)) {
|
||||||
|
+ DBG_DEBUG("Host account for %s already exists.\n",
|
||||||
|
+ machine_escaped);
|
||||||
|
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
|
||||||
|
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
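Review bot: Only the success case of `ads_find_machine_acct()` is handled, so any other failure, such as a lost connection or a server error rather than a plain "not found", falls through to the add attempt. Distinguishing "no such object" from other errors and taking `goto done` on the latter would avoid that. The lookup is also given `machine_escaped`, which from its use in `new_dn` looks like an RDN-escaped value; if the callee builds a search filter from it, the escaping rules differ, so please confirm `machine_name` is not the intended argument. `ads_msgfree(ads, res)` runs unconditionally, which relies on `res` being initialised to NULL in the declarations outside the hunk.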
|
||||||
|
|
||||||
|
@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
|
||||||
|
|
||||||
|
done:
|
||||||
|
SAFE_FREE(machine_escaped);
|
||||||
|
- ads_msgfree(ads, res);
|
||||||
|
talloc_destroy(ctx);
|
||||||
|
|
||||||
|
return ret;
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||||
|
Date: Tue, 2 Apr 2019 13:14:06 +0200
|
||||||
|
Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
|
||||||
|
layer
|
||||||
|
|
||||||
|
Otherwise we could lose the information that a non-default domain name
|
||||||
|
has been used for admin creds.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Guenther
|
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
|
||||||
|
---
|
||||||
|
source3/libnet/libnet_join.c | 12 ++++++++++++
|
||||||
|
1 file changed, 12 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index e052306523d..fc7429e6a23 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
|
||||||
|
password = r->in.machine_password;
|
||||||
|
ccname = "MEMORY:libnet_join_machine_creds";
|
||||||
|
} else {
|
||||||
|
+ char *p = NULL;
|
||||||
|
+
|
||||||
|
username = r->in.admin_account;
|
||||||
|
+
|
||||||
|
+ p = strchr(r->in.admin_account, '@');
|
||||||
|
+ if (p == NULL) {
|
||||||
|
+ username = talloc_asprintf(mem_ctx, "%s@%s",
|
||||||
|
+ r->in.admin_account,
|
||||||
|
+ r->in.admin_domain);
|
||||||
|
+ }
|
||||||
|
+ if (username == NULL) {
|
||||||
|
+ return ADS_ERROR(LDAP_NO_MEMORY);
|
||||||
|
+ }
|
||||||
|
password = r->in.admin_password;
|
||||||
|
|
||||||
|
/*
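Review bot: `r->in.admin_domain` is formatted with `%s` without a NULL check, so if a caller leaves it unset the resulting principal is malformed (for example `user@(null)` with glibc) and is then used for authentication. Whether it can be NULL is not visible in this hunk. A guard such as `if (p == NULL && r->in.admin_domain != NULL) {` keeps the plain account name in that case. `strchr(r->in.admin_account, '@')` likewise assumes `admin_account` is non-NULL. The `username == NULL` check only matters after the `talloc_asprintf`, so it would read better inside that branch.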
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||||
|
Date: Tue, 2 Apr 2019 13:16:11 +0200
|
||||||
|
Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
|
||||||
|
connect fails
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Guenther
|
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
|
||||||
|
---
|
||||||
|
source3/libnet/libnet_join.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index fc7429e6a23..6d3fc1fe01f 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
|
||||||
|
|
||||||
|
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
|
||||||
|
if (!ADS_ERR_OK(ads_status)) {
|
||||||
|
+ libnet_join_set_error_string(mem_ctx, r,
|
||||||
|
+ "failed to connect to AD: %s",
|
||||||
|
+ ads_errstr(ads_status));
|
||||||
|
return WERR_NERR_DEFAULTJOINREQUIRED;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
||||||
|
|
||||||
|
From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||||
|
Date: Tue, 2 Apr 2019 13:16:55 +0200
|
||||||
|
Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
|
||||||
|
libnet_join
|
||||||
|
|
||||||
|
When a non-DNS and non-default admin domain is provided during the join
|
||||||
|
sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
|
||||||
|
(e.g. when the winbind krb5 locator is not installed). In that case lets
|
||||||
|
fallback to NTLMSSP, like we do in winbind.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
|
||||||
|
|
||||||
|
Guenther
|
||||||
|
|
||||||
|
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
|
||||||
|
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
|
||||||
|
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
|
||||||
|
|
||||||
|
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
|
||||||
|
---
|
||||||
|
source3/libnet/libnet_join.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index 6d3fc1fe01f..b876d7ea89f 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
|
||||||
|
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
|
||||||
|
+
|
||||||
|
if (user_name) {
|
||||||
|
SAFE_FREE(my_ads->auth.user_name);
|
||||||
|
my_ads->auth.user_name = SMB_STRDUP(user_name);
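Review bot: The added `my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` is set unconditionally for every caller of libnet_connect_ads(), so the join path can presumably fall back to NTLMSSP whenever Kerberos fails, not only in the short-domain-name case the commit message describes. That silently enables a weaker authentication mechanism, and the line has no comment explaining why. I would add `/* Allow NTLMSSP fallback when kinit with user@SHORTDOMAINNAME fails, as winbind does (bug 13861) */` above it. Consider also logging when the fallback is actually taken, so an operator can see that a join did not use Kerberos. The function starts and continues outside the hunk, so whether a later step narrows the flag cannot be checked from here.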
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
@ -0,0 +1,56 @@ |
|||||||
|
From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Mon, 17 Dec 2018 11:26:11 -0500
|
||||||
|
Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
|
||||||
|
|
||||||
|
This affects net rpc getsid and net rpc changetrustpw commands.
|
||||||
|
This avoids an anonymous IPC connection being made when -k is used,
|
||||||
|
this only affects net rpc getsid and net rpc changetrustpw commands.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Noel Power <npower@samba.org>
|
||||||
|
---
|
||||||
|
source3/utils/net_rpc.c | 10 ++++++++--
|
||||||
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
|
||||||
|
index b99a036fca1..67fff2f4d1b 100644
|
||||||
|
--- a/source3/utils/net_rpc.c
|
||||||
|
+++ b/source3/utils/net_rpc.c
|
||||||
|
@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
|
||||||
|
|
||||||
|
int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
|
||||||
|
{
|
||||||
|
+ int conn_flags = NET_FLAGS_PDC;
|
||||||
|
+
|
||||||
|
+ if (!c->opt_user_specified && !c->opt_kerberos) {
|
||||||
|
+ conn_flags |= NET_FLAGS_ANONYMOUS;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (c->display_usage) {
|
||||||
|
d_printf( "%s\n"
|
||||||
|
"net rpc changetrustpw\n"
|
||||||
|
@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
|
||||||
|
}
|
||||||
|
|
||||||
|
return run_rpc_command(c, NULL, &ndr_table_netlogon,
|
||||||
|
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
|
||||||
|
+ conn_flags,
|
||||||
|
rpc_changetrustpw_internals,
|
||||||
|
argc, argv);
|
||||||
|
}
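Review bot: The condition that decides whether `NET_FLAGS_ANONYMOUS` is added is now written twice, once for net_rpc_changetrustpw() (declared in the previous hunk and passed as `conn_flags` here) and once in the net_rpc_getsid() hunk below, with no comment saying why Kerberos excludes it. Getting this wrong means an anonymous IPC connection instead of an authenticated one, so a small static helper that returns the connection flags would keep the two commands from drifting apart. At minimum I would add `/* Only connect anonymously when neither -U nor -k was given */` above each `if (!c->opt_user_specified && !c->opt_kerberos)`.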
|
||||||
|
@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
|
||||||
|
{
|
||||||
|
int conn_flags = NET_FLAGS_PDC;
|
||||||
|
|
||||||
|
- if (!c->opt_user_specified) {
|
||||||
|
+ if (!c->opt_user_specified && !c->opt_kerberos) {
|
||||||
|
conn_flags |= NET_FLAGS_ANONYMOUS;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -0,0 +1,39 @@ |
|||||||
|
From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 29 Oct 2018 19:45:58 +0100
|
||||||
|
Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
|
||||||
|
|
||||||
|
See https://retrace.fedoraproject.org/faf/reports/1577174/
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
|
||||||
|
(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
|
||||||
|
---
|
||||||
|
source3/winbindd/winbindd.c | 8 +++++++-
|
||||||
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
|
||||||
|
index 254d93b344d..a8ffc31778c 100644
|
||||||
|
--- a/source3/winbindd/winbindd.c
|
||||||
|
+++ b/source3/winbindd/winbindd.c
|
||||||
|
@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
|
||||||
|
}
|
||||||
|
- initialize_password_db(true, server_event_context());
|
||||||
|
+
|
||||||
|
+ ok = initialize_password_db(true, server_event_context());
|
||||||
|
+ if (!ok) {
|
||||||
|
+ exit_daemon("Failed to initialize passdb backend! "
|
||||||
|
+ "Check the 'passdb backend' variable in your "
|
||||||
|
+ "smb.conf file.", EINVAL);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Do not initialize the parent-child-pipe before becoming
|
||||||
|
--
|
||||||
|
2.19.1
|
||||||
|
|
@ -0,0 +1,402 @@ |
|||||||
|
From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Thu, 15 Nov 2018 16:06:49 +0100
|
||||||
|
Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Böhme <slow@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
|
||||||
|
---
|
||||||
|
selftest/target/Samba3.pm | 10 +++++++++-
|
||||||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||||
|
index 438cb3409bb..373f8152ca3 100755
|
||||||
|
--- a/selftest/target/Samba3.pm
|
||||||
|
+++ b/selftest/target/Samba3.pm
|
||||||
|
@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
|
||||||
|
my ($gid_force_user);
|
||||||
|
my ($uid_user1);
|
||||||
|
my ($uid_user2);
|
||||||
|
+ my ($uid_gooduser);
|
||||||
|
+ my ($uid_eviluser);
|
||||||
|
|
||||||
|
- if ($unix_uid < 0xffff - 10) {
|
||||||
|
+ if ($unix_uid < 0xffff - 12) {
|
||||||
|
$max_uid = 0xffff;
|
||||||
|
} else {
|
||||||
|
$max_uid = $unix_uid;
|
||||||
|
@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
|
||||||
|
$uid_smbget = $max_uid - 8;
|
||||||
|
$uid_user1 = $max_uid - 9;
|
||||||
|
$uid_user2 = $max_uid - 10;
|
||||||
|
+ $uid_gooduser = $max_uid - 11;
|
||||||
|
+ $uid_eviluser = $max_uid - 12;
|
||||||
|
|
||||||
|
if ($unix_gids[0] < 0xffff - 8) {
|
||||||
|
$max_gid = 0xffff;
|
||||||
|
@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
|
||||||
|
smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
|
||||||
|
user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
|
||||||
|
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
|
||||||
|
+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
|
||||||
|
+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
|
||||||
|
";
|
||||||
|
if ($unix_uid != 0) {
|
||||||
|
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
|
||||||
|
@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
|
||||||
|
createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
|
||||||
|
createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
|
||||||
|
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
|
||||||
|
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
|
||||||
|
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
|
||||||
|
|
||||||
|
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
|
||||||
|
print DNS_UPDATE_LIST "A $server. $server_ip\n";
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Fri, 16 Nov 2018 15:40:59 +0100
|
||||||
|
Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
|
||||||
|
share
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This adds a test for CVE-2009-2813.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Böhme <slow@samba.org>
|
||||||
|
(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
|
||||||
|
---
|
||||||
|
selftest/target/Samba3.pm | 4 ++
|
||||||
|
source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
|
||||||
|
source3/selftest/tests.py | 1 +
|
||||||
|
3 files changed, 104 insertions(+)
|
||||||
|
create mode 100755 source3/script/tests/test_homes.sh
|
||||||
|
|
||||||
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||||
|
index 373f8152ca3..2031003210c 100755
|
||||||
|
--- a/selftest/target/Samba3.pm
|
||||||
|
+++ b/selftest/target/Samba3.pm
|
||||||
|
@@ -921,6 +921,10 @@ sub setup_fileserver
|
||||||
|
comment = inherit only unix owner
|
||||||
|
inherit owner = unix only
|
||||||
|
acl_xattr:ignore system acls = yes
|
||||||
|
+[homes]
|
||||||
|
+ comment = Home directories
|
||||||
|
+ browseable = No
|
||||||
|
+ read only = No
|
||||||
|
";
|
||||||
|
|
||||||
|
my $vars = $self->provision($path, "WORKGROUP",
|
||||||
|
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000000..06de0a0c301
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/source3/script/tests/test_homes.sh
|
||||||
|
@@ -0,0 +1,99 @@
|
||||||
|
+#!/bin/sh
|
||||||
|
+
|
||||||
|
+# Copyright (c) Andreas Schneider <asn@samba.org>
|
||||||
|
+# License: GPLv3
|
||||||
|
+
|
||||||
|
+if [ $# -lt 7 ]; then
|
||||||
|
+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
|
||||||
|
+ exit 1
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+SERVER="${1}"
|
||||||
|
+USERNAME="${2}"
|
||||||
|
+PASSWORD="${3}"
|
||||||
|
+LOCAL_PATH="${4}"
|
||||||
|
+PREFIX="${5}"
|
||||||
|
+SMBCLIENT="${6}"
|
||||||
|
+CONFIGURATION="${7}"
|
||||||
|
+shift 7
|
||||||
|
+
|
||||||
|
+incdir=`dirname $0`/../../../testprogs/blackbox
|
||||||
|
+. $incdir/subunit.sh
|
||||||
|
+
|
||||||
|
+failed=0
|
||||||
|
+
|
||||||
|
+test_gooduser_home()
|
||||||
|
+{
|
||||||
|
+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
|
||||||
|
+ cat > $tmpfile <<EOF
|
||||||
|
+ls
|
||||||
|
+quit
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+ USERNAME=gooduser
|
||||||
|
+
|
||||||
|
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
|
||||||
|
+ eval echo "$cmd"
|
||||||
|
+ out=$(eval $cmd)
|
||||||
|
+ ret=$?
|
||||||
|
+ rm -f $tmpfile
|
||||||
|
+
|
||||||
|
+ if [ $ret -ne 0 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo "failed to connect error $ret"
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ echo "$out" | grep 'Try "help" to get a list of possible commands.'
|
||||||
|
+ ret=$?
|
||||||
|
+ if [ $ret -ne 0 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo 'failed - should get: Try "help" to get a list of possible commands.'
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+test_eviluser_home()
|
||||||
|
+{
|
||||||
|
+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
|
||||||
|
+ cat > $tmpfile <<EOF
|
||||||
|
+ls
|
||||||
|
+quit
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+ USERNAME=eviluser
|
||||||
|
+
|
||||||
|
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
|
||||||
|
+ eval echo "$cmd"
|
||||||
|
+ out=$(eval $cmd)
|
||||||
|
+ ret=$?
|
||||||
|
+ rm -f $tmpfile
|
||||||
|
+
|
||||||
|
+ if [ $ret -ne 1 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo "The server should reject connecting ret=$ret"
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
|
||||||
|
+ ret=$?
|
||||||
|
+ if [ $ret -ne 0 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+testit "test gooduser home" \
|
||||||
|
+ test_gooduser_home || \
|
||||||
|
+ failed=`expr $failed + 1`
|
||||||
|
+
|
||||||
|
+testit "test eviluser home reject" \
|
||||||
|
+ test_eviluser_home || \
|
||||||
|
+ failed=`expr $failed + 1`
|
||||||
|
+
|
||||||
|
+testok $0 $failed
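Review bot: Inside test_gooduser_home and test_eviluser_home the `"$@"` in `cmd` expands to the function's own arguments, not to the script arguments left after `shift 7`. Both functions are handed to `testit` by name only, so any extra options passed to the script are presumably dropped (testit lives in subunit.sh, which is not shown). Capturing them once after the shift with `ADDARGS="$*"` and using `$ADDARGS` in `cmd` would make that explicit; the same applies to test_slashuser_home added in patch 4/4. Separately, `eval echo "$cmd"` writes the expanded `-U$USERNAME%$PASSWORD` into the test output. `$tmpfile` is also unquoted in `cat > $tmpfile` and `rm -f $tmpfile`, and quoting it costs nothing if `$PREFIX` ever contains a space.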
|
||||||
|
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
|
||||||
|
index 09cd5159a0d..4aef7a4d596 100755
|
||||||
|
--- a/source3/selftest/tests.py
|
||||||
|
+++ b/source3/selftest/tests.py
|
||||||
|
@@ -290,6 +290,7 @@ for env in ["fileserver"]:
|
||||||
|
plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
|
||||||
|
plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
|
||||||
|
plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
|
||||||
|
+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
|
||||||
|
|
||||||
|
#
|
||||||
|
# tar command tests
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Thu, 22 Nov 2018 18:23:24 +0100
|
||||||
|
Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
|
||||||
|
dir
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
If "/" (root) is returned as the home directory, prevent exporting it.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Böhme <slow@samba.org>
|
||||||
|
(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
|
||||||
|
---
|
||||||
|
source3/param/service.c | 6 +++++-
|
||||||
|
source3/smbd/password.c | 7 +++++++
|
||||||
|
2 files changed, 12 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/param/service.c b/source3/param/service.c
|
||||||
|
index b21be6093d4..22f46f08894 100644
|
||||||
|
--- a/source3/param/service.c
|
||||||
|
+++ b/source3/param/service.c
|
||||||
|
@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
|
||||||
|
DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
|
||||||
|
phome_dir?phome_dir:"(NULL)"));
|
||||||
|
|
||||||
|
- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
|
||||||
|
+ if (!strequal(phome_dir, "/")) {
|
||||||
|
+ iService = add_home_service(*p_service_out,
|
||||||
|
+ *p_service_out, /* username */
|
||||||
|
+ phome_dir);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If we still don't have a service, attempt to add it as a printer. */
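Review bot: The new guard `if (!strequal(phome_dir, "/"))` rejects only the literal string `/`, so a home directory spelled `//` or `/.` would still reach add_home_service() even though it names the same directory. The check added to register_homes_share() in source3/smbd/password.c has the same limitation. Whether the passwd backend can return such a value is not visible here, but since the intent is to never export the filesystem root, comparing a normalised path (repeated slashes and `.` components collapsed) would be more robust than a string match. The DEBUG line just above treats `phome_dir` as possibly NULL, so it is also worth confirming that strequal() accepts a NULL first argument. A short comment such as `/* Never export the filesystem root as a home share */` would record the reason; find_service() starts and continues outside the hunk.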
|
||||||
|
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
|
||||||
|
index f472bda2c70..0576d2563eb 100644
|
||||||
|
--- a/source3/smbd/password.c
|
||||||
|
+++ b/source3/smbd/password.c
|
||||||
|
@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (strequal(pwd->pw_dir, "/")) {
|
||||||
|
+ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
|
||||||
|
+ username);
|
||||||
|
+ TALLOC_FREE(pwd);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
DEBUG(3, ("Adding homes service for user '%s' using home directory: "
|
||||||
|
"'%s'\n", username, pwd->pw_dir));
|
||||||
|
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 3 Dec 2018 11:05:46 +0100
|
||||||
|
Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
|
||||||
|
as home dir
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Ralph Böhme <slow@samba.org>
|
||||||
|
Reviewed-by: Jeremy Allison <jra@samba.org>
|
||||||
|
|
||||||
|
Autobuild-User(master): Jeremy Allison <jra@samba.org>
|
||||||
|
Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
|
||||||
|
|
||||||
|
(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
|
||||||
|
---
|
||||||
|
selftest/target/Samba3.pm | 6 ++++-
|
||||||
|
source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 42 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
|
||||||
|
index 2031003210c..583396b3818 100755
|
||||||
|
--- a/selftest/target/Samba3.pm
|
||||||
|
+++ b/selftest/target/Samba3.pm
|
||||||
|
@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
|
||||||
|
my ($uid_user2);
|
||||||
|
my ($uid_gooduser);
|
||||||
|
my ($uid_eviluser);
|
||||||
|
+ my ($uid_slashuser);
|
||||||
|
|
||||||
|
- if ($unix_uid < 0xffff - 12) {
|
||||||
|
+ if ($unix_uid < 0xffff - 13) {
|
||||||
|
$max_uid = 0xffff;
|
||||||
|
} else {
|
||||||
|
$max_uid = $unix_uid;
|
||||||
|
@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
|
||||||
|
$uid_user2 = $max_uid - 10;
|
||||||
|
$uid_gooduser = $max_uid - 11;
|
||||||
|
$uid_eviluser = $max_uid - 12;
|
||||||
|
+ $uid_slashuser = $max_uid - 13;
|
||||||
|
|
||||||
|
if ($unix_gids[0] < 0xffff - 8) {
|
||||||
|
$max_gid = 0xffff;
|
||||||
|
@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
|
||||||
|
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
|
||||||
|
gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
|
||||||
|
eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
|
||||||
|
+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
|
||||||
|
";
|
||||||
|
if ($unix_uid != 0) {
|
||||||
|
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
|
||||||
|
@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
|
||||||
|
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
|
||||||
|
createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
|
||||||
|
createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
|
||||||
|
+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
|
||||||
|
|
||||||
|
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
|
||||||
|
print DNS_UPDATE_LIST "A $server. $server_ip\n";
|
||||||
|
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
|
||||||
|
index 06de0a0c301..90e84550dbc 100755
|
||||||
|
--- a/source3/script/tests/test_homes.sh
|
||||||
|
+++ b/source3/script/tests/test_homes.sh
|
||||||
|
@@ -88,6 +88,39 @@ EOF
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
+test_slashuser_home()
|
||||||
|
+{
|
||||||
|
+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
|
||||||
|
+ cat > $tmpfile <<EOF
|
||||||
|
+ls
|
||||||
|
+quit
|
||||||
|
+EOF
|
||||||
|
+
|
||||||
|
+ USERNAME=slashuser
|
||||||
|
+
|
||||||
|
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
|
||||||
|
+ eval echo "$cmd"
|
||||||
|
+ out=$(eval $cmd)
|
||||||
|
+ ret=$?
|
||||||
|
+ rm -f $tmpfile
|
||||||
|
+
|
||||||
|
+ if [ $ret -ne 1 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo "The server should reject connecting ret=$ret"
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
|
||||||
|
+ ret=$?
|
||||||
|
+ if [ $ret -ne 0 ] ; then
|
||||||
|
+ echo "$out"
|
||||||
|
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
|
||||||
|
+ return 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
testit "test gooduser home" \
|
||||||
|
test_gooduser_home || \
|
||||||
|
failed=`expr $failed + 1`
|
||||||
|
@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
|
||||||
|
test_eviluser_home || \
|
||||||
|
failed=`expr $failed + 1`
|
||||||
|
|
||||||
|
+testit "test slashuser home reject" \
|
||||||
|
+ test_slashuser_home || \
|
||||||
|
+ failed=`expr $failed + 1`
|
||||||
|
+
|
||||||
|
testok $0 $failed
|
||||||
|
--
|
||||||
|
2.19.2
|
@ -0,0 +1,119 @@ |
|||||||
|
From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Date: Wed, 27 Jun 2018 11:32:31 -0400
|
||||||
|
Subject: [PATCH] s3:libads: Add net ads leave keep-account option
|
||||||
|
|
||||||
|
Add the ability to leave the domain with --keep-account argument to avoid
|
||||||
|
removal of the host machine account.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
|
||||||
|
|
||||||
|
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||||
|
(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
|
||||||
|
---
|
||||||
|
docs-xml/manpages/net.8.xml | 9 ++++++++-
|
||||||
|
source3/libnet/libnet_join.c | 2 ++
|
||||||
|
source3/utils/net.c | 3 ++-
|
||||||
|
source3/utils/net.h | 1 +
|
||||||
|
source3/utils/net_ads.c | 9 +++++++--
|
||||||
|
5 files changed, 20 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
|
||||||
|
index 3154ee5ff85..d2bcd24c502 100644
|
||||||
|
--- a/docs-xml/manpages/net.8.xml
|
||||||
|
+++ b/docs-xml/manpages/net.8.xml
|
||||||
|
@@ -377,6 +377,13 @@
|
||||||
|
</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
+ <varlistentry>
|
||||||
|
+ <term>--keep-account</term>
|
||||||
|
+ <listitem><para>Prevent the machine account removal as
|
||||||
|
+ part of "net ads leave".
|
||||||
|
+ </para></listitem>
|
||||||
|
+ </varlistentry>
|
||||||
|
+
|
||||||
|
&stdarg.encrypt;
|
||||||
|
&popt.common.samba.client;
|
||||||
|
|
||||||
|
@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
|
||||||
|
</refsect2>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
-<title>ADS LEAVE</title>
|
||||||
|
+<title>ADS LEAVE [--keep-account]</title>
|
||||||
|
|
||||||
|
<para>Make the remote host leave the domain it is part of. </para>
|
||||||
|
|
||||||
|
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
|
||||||
|
index a9405e8d288..27fc5135442 100644
|
||||||
|
--- a/source3/libnet/libnet_join.c
|
||||||
|
+++ b/source3/libnet/libnet_join.c
|
||||||
|
@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
|
||||||
|
return ntstatus_to_werror(status);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
|
||||||
|
+ r->in.domain_name);
|
||||||
|
r->out.disabled_machine_account = true;
|
||||||
|
}
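Review bot: The result of `talloc_strdup(mem_ctx, r->in.domain_name)` is stored in `r->out.dns_domain_name` without a NULL check, so an allocation failure silently becomes a missing domain name for whatever reads the field later. I would add `if (r->out.dns_domain_name == NULL) { return WERR_NOT_ENOUGH_MEMORY; }` directly after the assignment. The field is named for a DNS domain name but is filled from `r->in.domain_name`, so a comment saying which form callers should expect would help. libnet_DomainUnjoin() is only partly visible in this hunk.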
|
||||||
|
|
||||||
|
diff --git a/source3/utils/net.c b/source3/utils/net.c
|
||||||
|
index 759d8cd442b..b3bd4b67118 100644
|
||||||
|
--- a/source3/utils/net.c
|
||||||
|
+++ b/source3/utils/net.c
|
||||||
|
@@ -970,8 +970,9 @@ static struct functable net_func[] = {
|
||||||
|
{"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
|
||||||
|
/* Options for 'net registry import' */
|
||||||
|
{"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
|
||||||
|
- /* Options for 'net ads join' */
|
||||||
|
+ /* Options for 'net ads join or leave' */
|
||||||
|
{"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
|
||||||
|
+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
|
||||||
|
POPT_COMMON_SAMBA
|
||||||
|
{ 0, 0, 0, 0}
|
||||||
|
};
|
||||||
|
diff --git a/source3/utils/net.h b/source3/utils/net.h
|
||||||
|
index d6dfeb6208f..5e70fd3aafa 100644
|
||||||
|
--- a/source3/utils/net.h
|
||||||
|
+++ b/source3/utils/net.h
|
||||||
|
@@ -85,6 +85,7 @@ struct net_context {
|
||||||
|
int opt_wipe;
|
||||||
|
const char *opt_precheck;
|
||||||
|
int opt_no_dns_updates;
|
||||||
|
+ int opt_keep_account;
|
||||||
|
|
||||||
|
int opt_have_ip;
|
||||||
|
struct sockaddr_storage opt_dest_ip;
|
||||||
|
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
||||||
|
index ffa67d8f525..afe47dad839 100644
|
||||||
|
--- a/source3/utils/net_ads.c
|
||||||
|
+++ b/source3/utils/net_ads.c
|
||||||
|
@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
|
||||||
|
|
||||||
|
if (c->display_usage) {
|
||||||
|
d_printf( "%s\n"
|
||||||
|
- "net ads leave\n"
|
||||||
|
+ "net ads leave [--keep-account]\n"
|
||||||
|
" %s\n",
|
||||||
|
_("Usage:"),
|
||||||
|
_("Leave an AD domain"));
|
||||||
|
@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
|
||||||
|
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
|
||||||
|
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
|
||||||
|
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
|
||||||
|
- r->in.delete_machine_account = true;
|
||||||
|
+ if (c->opt_keep_account) {
|
||||||
|
+ r->in.delete_machine_account = false;
|
||||||
|
+ } else {
|
||||||
|
+ r->in.delete_machine_account = true;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
r->in.msg_ctx = c->msg_ctx;
|
||||||
|
|
||||||
|
werr = libnet_Unjoin(ctx, r);
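Review bot: With `--keep-account` only `r->in.delete_machine_account` changes; `r->in.unjoin_flags` still includes `WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE`, which the comment just above says really means "disable". The account is therefore presumably still disabled on leave. The man page text "Prevent the machine account removal" and the usage string could say that the account is kept but disabled, so administrators do not assume it remains usable. The if/else can also be written as `r->in.delete_machine_account = !c->opt_keep_account;`. net_ads_leave() starts and continues outside the hunk.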
|
||||||
|
--
|
||||||
|
2.17.1
|
||||||
|
|
@ -0,0 +1,179 @@ |
|||||||
|
From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 12 Nov 2018 10:09:23 +0100
|
||||||
|
Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
|
||||||
|
|
||||||
|
This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
|
||||||
|
|
||||||
|
Found by cppcheck.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
|
||||||
|
---
|
||||||
|
source3/rpcclient/cmd_netlogon.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
|
||||||
|
index 8d62ef7e095..631740562c6 100644
|
||||||
|
--- a/source3/rpcclient/cmd_netlogon.c
|
||||||
|
+++ b/source3/rpcclient/cmd_netlogon.c
|
||||||
|
@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
|
||||||
|
WERROR werr = WERR_OK;
|
||||||
|
uint32_t flags = DS_RETURN_DNS_NAME;
|
||||||
|
const char *server_name = cli->desthost;
|
||||||
|
- const char *domain_name;
|
||||||
|
+ const char *domain_name = NULL;
|
||||||
|
struct GUID domain_guid = GUID_zero();
|
||||||
|
struct GUID site_guid = GUID_zero();
|
||||||
|
struct netr_DsRGetDCNameInfo *info = NULL;
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 12 Nov 2018 10:13:51 +0100
|
||||||
|
Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
|
||||||
|
|
||||||
|
Found by cppcheck.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
|
||||||
|
---
|
||||||
|
librpc/ndr/ndr_backupkey.c | 4 +++-
|
||||||
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
|
||||||
|
index 827bc694230..adb6e393287 100644
|
||||||
|
--- a/librpc/ndr/ndr_backupkey.c
|
||||||
|
+++ b/librpc/ndr/ndr_backupkey.c
|
||||||
|
@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
|
||||||
|
ndr->flags |= LIBNDR_PRINT_SET_VALUES;
|
||||||
|
}
|
||||||
|
if (flags & NDR_IN) {
|
||||||
|
- union bkrp_data_in_blob inblob;
|
||||||
|
+ union bkrp_data_in_blob inblob = {
|
||||||
|
+ .empty._empty_ = '\0',
|
||||||
|
+ };
|
||||||
|
DATA_BLOB blob;
|
||||||
|
uint32_t level;
|
||||||
|
enum ndr_err_code ndr_err;
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 12 Nov 2018 10:16:06 +0100
|
||||||
|
Subject: [PATCH 3/5] libgpo: Make sure status is intialized
|
||||||
|
|
||||||
|
Found by cppcheck.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
|
||||||
|
---
|
||||||
|
libgpo/gpo_ldap.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
|
||||||
|
index fec00053b49..f087203f28a 100644
|
||||||
|
--- a/libgpo/gpo_ldap.c
|
||||||
|
+++ b/libgpo/gpo_ldap.c
|
||||||
|
@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
|
||||||
|
const char *guid_name,
|
||||||
|
struct GROUP_POLICY_OBJECT *gpo)
|
||||||
|
{
|
||||||
|
- ADS_STATUS status;
|
||||||
|
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
|
||||||
|
LDAPMessage *res = NULL;
|
||||||
|
char *dn;
|
||||||
|
const char *filter;
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 12 Nov 2018 10:17:37 +0100
|
||||||
|
Subject: [PATCH 4/5] lib:util Always initialize start and space
|
||||||
|
|
||||||
|
Found by cppcheck.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
|
||||||
|
---
|
||||||
|
lib/util/talloc_report.c | 7 ++-----
|
||||||
|
1 file changed, 2 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
|
||||||
|
index 63213a014b6..bed0fd91e43 100644
|
||||||
|
--- a/lib/util/talloc_report.c
|
||||||
|
+++ b/lib/util/talloc_report.c
|
||||||
|
@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
|
||||||
|
const char *fmt, va_list ap)
|
||||||
|
{
|
||||||
|
ssize_t str_len = *pstr_len;
|
||||||
|
- size_t buflen, needed, space;
|
||||||
|
- char *start, *tmpbuf;
|
||||||
|
+ size_t buflen, needed, space = 0;
|
||||||
|
+ char *start = NULL, *tmpbuf = NULL;
|
||||||
|
va_list ap2;
|
||||||
|
int printlen;
|
||||||
|
|
||||||
|
@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
|
||||||
|
if (buflen > str_len) {
|
||||||
|
start = buf + str_len;
|
||||||
|
space = buflen - str_len;
|
||||||
|
- } else {
|
||||||
|
- start = NULL;
|
||||||
|
- space = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
va_copy(ap2, ap);
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
||||||
|
|
||||||
|
From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 12 Nov 2018 10:21:15 +0100
|
||||||
|
Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
|
||||||
|
|
||||||
|
Found by cppcheck.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
|
||||||
|
---
|
||||||
|
ctdb/common/logging.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
|
||||||
|
index dc8c4f75058..55e5d541735 100644
|
||||||
|
--- a/ctdb/common/logging.c
|
||||||
|
+++ b/ctdb/common/logging.c
|
||||||
|
@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
|
||||||
|
- for (i=0; ARRAY_SIZE(log_string_map); i++) {
|
||||||
|
+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
|
||||||
|
if (log_string_map[i].log_level == log_level) {
|
||||||
|
return log_string_map[i].log_string;
|
||||||
|
}
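Review bot: The corrected condition `i < ARRAY_SIZE(log_string_map)` compares the signed `int i` declared at the top of debug_level_to_string with what is presumably a sizeof-based `size_t` bound, a mixed-sign comparison that `-Wsign-compare` reports. Declaring the index as `size_t i;` keeps index and bound the same type. The function continues past the end of the hunk, so the value returned when no entry matches is not visible here; it is worth confirming, because that path only becomes reachable now that the loop can terminate.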
|
||||||
|
--
|
||||||
|
2.19.2
|
@ -0,0 +1,117 @@ |
|||||||
|
From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 3 Sep 2018 10:35:08 +0200
|
||||||
|
Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
|
||||||
|
|
||||||
|
The -fstack-protector* flags are compiler only flags, don't pass them to
|
||||||
|
the linker.
|
||||||
|
|
||||||
|
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
|
||||||
|
---
|
||||||
|
buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
|
||||||
|
1 file changed, 19 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
index c4391d0c4dc..bfd6f9710db 100644
|
||||||
|
--- a/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
+++ b/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
|
||||||
|
return
|
||||||
|
|
||||||
|
# we need to build real code that can't be optimized away to test
|
||||||
|
- if conf.check(fragment='''
|
||||||
|
- #include <stdio.h>
|
||||||
|
-
|
||||||
|
- int main(void)
|
||||||
|
- {
|
||||||
|
- char t[100000];
|
||||||
|
- while (fgets(t, sizeof(t), stdin));
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
- ''',
|
||||||
|
- execute=0,
|
||||||
|
- ccflags='-fstack-protector',
|
||||||
|
- ldflags='-fstack-protector',
|
||||||
|
- mandatory=False,
|
||||||
|
- msg='Checking if toolchain accepts -fstack-protector'):
|
||||||
|
- conf.ADD_CFLAGS('-fstack-protector')
|
||||||
|
- conf.ADD_LDFLAGS('-fstack-protector')
|
||||||
|
+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
|
||||||
|
+ for stack_protect_flag in stack_protect_list:
|
||||||
|
+ flag_supported = conf.check(fragment='''
|
||||||
|
+ #include <stdio.h>
|
||||||
|
+
|
||||||
|
+ int main(void)
|
||||||
|
+ {
|
||||||
|
+ char t[100000];
|
||||||
|
+ while (fgets(t, sizeof(t), stdin));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ ''',
|
||||||
|
+ execute=0,
|
||||||
|
+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
|
||||||
|
+ mandatory=False,
|
||||||
|
+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
|
||||||
|
+ if flag_supported:
|
||||||
|
+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
|
||||||
|
+ break
|
||||||
|
|
||||||
|
if Options.options.debug:
|
||||||
|
conf.ADD_CFLAGS('-g', testflags=True)
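Review bot: The probe `ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag]` tests two independent hardening features in one compile, so a toolchain that rejects the fortify define under `-Werror` fails both loop iterations and the build ends up with neither protection, silently because of `mandatory=False`. glibc, for example, emits a preprocessor warning when `_FORTIFY_SOURCE` is set without optimisation, and `-Werror` would turn that into a probe failure if the check runs without `-O` (whether it does depends on the configured CFLAGS, which the hunk does not show). Probing the stack protector alone with `ccflags=['-Werror', stack_protect_flag]` and adding `-Wp,-D_FORTIFY_SOURCE=2` through its own check would keep the two independent. A short comment above the loop saying that the list is ordered strongest first and the first accepted flag wins would document the `break`. SAMBA_CONFIG_H starts and ends outside the hunk.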
|
||||||
|
--
|
||||||
|
2.18.0
|
||||||
|
|
||||||
|
|
||||||
|
From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Schneider <asn@samba.org>
|
||||||
|
Date: Mon, 3 Sep 2018 10:49:52 +0200
|
||||||
|
Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
|
||||||
|
|
||||||
|
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
|
||||||
|
|
||||||
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||||
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
|
||||||
|
---
|
||||||
|
buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
|
||||||
|
1 file changed, 17 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
index bfd6f9710db..f2b3ec8db8d 100644
|
||||||
|
--- a/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
+++ b/buildtools/wafsamba/samba_autoconf.py
|
||||||
|
@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
|
||||||
|
conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
|
||||||
|
break
|
||||||
|
|
||||||
|
+ flag_supported = conf.check(fragment='''
|
||||||
|
+ #include <stdio.h>
|
||||||
|
+
|
||||||
|
+ int main(void)
|
||||||
|
+ {
|
||||||
|
+ char t[100000];
|
||||||
|
+ while (fgets(t, sizeof(t), stdin));
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ ''',
|
||||||
|
+ execute=0,
|
||||||
|
+ ccflags=[ '-Werror', '-fstack-clash-protection'],
|
||||||
|
+ mandatory=False,
|
||||||
|
+ msg='Checking if compiler accepts -fstack-clash-protection')
|
||||||
|
+ if flag_supported:
|
||||||
|
+ conf.ADD_CFLAGS('-fstack-clash-protection')
|
||||||
|
+
|
||||||
|
if Options.options.debug:
|
||||||
|
conf.ADD_CFLAGS('-g', testflags=True)
|
||||||
|
|
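Review bot: The test program passed to `conf.check` for `-fstack-clash-protection` is a verbatim copy of the fragment that the stack-protector probe in this same function already uses (the one added in patch 1/2), so the two copies can drift apart. Hoisting it into one local, for example `stack_probe_fragment = '''…'''`, and passing `fragment=stack_probe_fragment` to both checks would avoid that. A one-line comment such as `# -Werror: reject compilers that only warn about a flag they ignore` would record why `-Werror` is in `ccflags`, which is presumably the intent. The surrounding SAMBA_CONFIG_H body lies outside the hunk.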
||||||
|
--
|
||||||
|
2.18.0
|
||||||
|
|
@ -0,0 +1,6 @@ |
|||||||
|
-----BEGIN PGP SIGNATURE----- |
||||||
|
|
||||||
|
iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq |
||||||
|
Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg== |
||||||
|
=2NTz |
||||||
|
-----END PGP SIGNATURE----- |
Binary file not shown.