Rebase on 4.9.1 from el 7.7

With DC support
tags/samba-4.9.1-100.dc.beta0
Daniel Berteaud 5 years ago
parent 58a4cc823d
commit 4e2cf31532
  1. 199
      CVE-2018-10858.patch
  2. 753
      CVE-2018-1139.patch
  3. 38
      samba-4.10-fix_gencache_debug_message.patch
  4. 270
      samba-4.8.3-fix_krb5_plugins.patch
  5. 216
      samba-4.8.3-fix_winbind_getpwnam_local_user.patch
  6. 64
      samba-4.8.3-smbclient_quiet_argument.patch
  7. 6
      samba-4.8.3.tar.asc
  8. BIN
      samba-4.8.3.tar.xz
  9. 151
      samba-4.9-CVE-2019-3880.patch
  10. 280
      samba-4.9-add_smbc_setOptionProtocols.patch
  11. 252
      samba-4.9-disable_netbios.patch
  12. 37
      samba-4.9-doc_smbclient_max_protocol.patch
  13. 32
      samba-4.9-fix_cups_printing.patch
  14. 40
      samba-4.9-fix_debug_segfault.patch
  15. 87
      samba-4.9-fix_force_group_panic.patch
  16. 544
      samba-4.9-fix_net_ads_join_admin_otherdomain.patch
  17. 56
      samba-4.9-fix_net_ads_krb5.patch
  18. 76
      samba-4.9-fix_smbspool_as_cups_backend.patch
  19. 4
      samba-4.9-fix_smbspool_krb5_auth.patch
  20. 2126
      samba-4.9-fix_testparm_crash.patch
  21. 39
      samba-4.9-fix_winbind_passdb_segfault.patch
  22. 402
      samba-4.9-harden_homes_share.patch
  23. 119
      samba-4.9-net_ads_leave_keep_account.patch
  24. 179
      samba-4.9-static_analysis_fixes.patch
  25. 117
      samba-4.9.0rc5-stack-protector.patch
  26. 6
      samba-4.9.1.tar.asc
  27. BIN
      samba-4.9.1.tar.xz
  28. 481
      samba.spec

@ -1,199 +0,0 @@
From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:07:17 -0700
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_path.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index 01b0a61e483..ed70ab37550 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
}
}
- *dest++ = '\0';
- max_dest_len--;
+ if (max_dest_len == 0) {
+ /* Ensure we return -1 if no null termination. */
+ return -1;
+ }
+
+ *dest++ = '\0';
+ max_dest_len--;
return max_dest_len;
}
--
2.11.0
From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:08:17 -0700
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
source3/libsmb/libsmb_path.c | 2 +-
2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 72441c46736..54c2bcb3c73 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
}
-static void
+static int
smbc_readdir_internal(SMBCCTX * context,
struct smbc_dirent *dest,
struct smbc_dirent *src,
int max_namebuf_len)
{
if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
+ int remaining_len;
/* url-encode the name. get back remaining buffer space */
- max_namebuf_len =
+ remaining_len =
smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ /* -1 means no null termination. */
+ if (remaining_len < 0) {
+ return -1;
+ }
+
/* We now know the name length */
dest->namelen = strlen(dest->name);
+ if (dest->namelen + 1 < 1) {
+ /* Integer wrap. */
+ return -1;
+ }
+
+ if (dest->namelen + 1 >= max_namebuf_len) {
+ /* Out of space for comment. */
+ return -1;
+ }
+
/* Save the pointer to the beginning of the comment */
dest->comment = dest->name + dest->namelen + 1;
+ if (remaining_len < 1) {
+ /* No room for comment null termination. */
+ return -1;
+ }
+
/* Copy the comment */
- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
- dest->comment[max_namebuf_len - 1] = '\0';
+ strlcpy(dest->comment, src->comment, remaining_len);
/* Save other fields */
dest->smbc_type = src->smbc_type;
@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
} else {
/* No encoding. Just copy the entry as is. */
+ if (src->dirlen > max_namebuf_len) {
+ return -1;
+ }
memcpy(dest, src, src->dirlen);
+ if (src->namelen + 1 < 1) {
+ /* Integer wrap */
+ return -1;
+ }
+ if (src->namelen + 1 >= max_namebuf_len) {
+ /* Comment off the end. */
+ return -1;
+ }
dest->comment = (char *)(&dest->name + src->namelen + 1);
}
-
+ return 0;
}
/*
@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
SMBCFILE *dir)
{
int maxlen;
+ int ret;
struct smbc_dirent *dirp, *dirent;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
dirp = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirp, dirent, maxlen);
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return NULL;
+ }
dir->dir_next = dir->dir_next->next;
@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
*/
while ((dirlist = dir->dir_next)) {
+ int ret;
struct smbc_dirent *dirent;
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
/* Do urlencoding of next entry, if so selected */
dirent = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirent,
+ ret = smbc_readdir_internal(context, dirent,
dirlist->dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return -1;
+ }
reqd = dirent->dirlen;
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index ed70ab37550..5b53b386a67 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
}
}
- if (max_dest_len == 0) {
+ if (max_dest_len <= 0) {
/* Ensure we return -1 if no null termination. */
return -1;
}
--
2.11.0

@ -1,753 +0,0 @@
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 22 Feb 2018 11:54:45 +1300
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
---
selftest/tests.py | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/selftest/tests.py b/selftest/tests.py
index 126e1184230..3f5097b680c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -38,7 +38,6 @@ finally:
f.close()
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
@@ -168,13 +167,12 @@ if with_pam:
valgrindify(python), pam_wrapper_so_path,
"$DOMAIN", "alice", "Secret007"])
-if with_cmocka:
- plantestsuite("samba.unittests.krb5samba", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
- plantestsuite("samba.unittests.lib_util_modules", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
--
2.14.4
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Jul 2018 08:44:24 +1200
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
libcli/auth/wscript_build | 13 ++
selftest/knownfail.d/ntlm | 2 +
selftest/tests.py | 2 +
4 files changed, 430 insertions(+)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 00000000000..e87a0a276d4
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests. Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+ const char *username;
+ const char *domain;
+ DATA_BLOB challenge;
+ DATA_BLOB ntlm;
+ DATA_BLOB lm;
+ DATA_BLOB ntlm_key;
+ DATA_BLOB lm_key;
+ const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+ int flags, bool upn)
+{
+ NTSTATUS status;
+ DATA_BLOB challenge = {
+ .data = discard_const_p(uint8_t, "I am a teapot"),
+ .length = 8
+ };
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+ NULL,
+ "serverdom");
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+ cli_credentials_set_username(creds,
+ "testuser",
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(creds,
+ "testdom",
+ CRED_SPECIFIED);
+ cli_credentials_set_workstation(creds,
+ "testwksta",
+ CRED_SPECIFIED);
+ cli_credentials_set_password(creds,
+ "testpass",
+ CRED_SPECIFIED);
+
+ if (upn) {
+ cli_credentials_set_principal(creds,
+ "testuser@samba.org",
+ CRED_SPECIFIED);
+ }
+
+ cli_credentials_get_ntlm_username_domain(creds,
+ ntlm_state,
+ &ntlm_state->username,
+ &ntlm_state->domain);
+
+ status = cli_credentials_get_ntlm_response(creds,
+ ntlm_state,
+ &flags,
+ challenge,
+ NULL,
+ target_info,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ &ntlm_state->lm_key,
+ &ntlm_state->ntlm_key);
+ ntlm_state->challenge = challenge;
+
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+ ntlm_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+
+ *state = ntlm_state;
+ return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+ return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_LANMAN_AUTH,
+ false);
+}
+
+static int test_ntlm2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLM2,
+ false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLMv2_AUTH,
+ false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ TALLOC_FREE(ntlm_state);
+ *state = NULL;
+ return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+ return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_DISABLED,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ /*
+ * NTLM2 session security (where the real challenge is the
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
+ * the lm) isn't decoded by ntlm_password_check(), it must
+ * first be converted back into normal NTLM by the NTLMSSP
+ * layer
+ */
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ MSV1_0_ALLOW_MSVCHAPV2,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
+{
+ return test_ntlmv2_only_ntlm(state);
+}
+
+static void test_ntlmv2_only_ntlm_once(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &data_blob_null,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm2,
+ test_ntlm2_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
+ test_ntlmv2_setup,
+ test_ntlm_teardown)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 475b7d69406..d319d9b879e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
source='spnego_parse.c',
deps='asn1util')
+
+bld.SAMBA_BINARY(
+ 'test_ntlm_check',
+ source='tests/ntlm_check.c',
+ deps='''
+ NTLM_CHECK
+ CREDENTIALS_NTLM
+ samba-credentials
+ cmocka
+ talloc
+ ''',
+ install=False
+ )
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
new file mode 100644
index 00000000000..c6e6a3739ba
--- /dev/null
+++ b/selftest/knownfail.d/ntlm
@@ -0,0 +1,2 @@
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
diff --git a/selftest/tests.py b/selftest/tests.py
index 3f5097b680c..dc6486c13f8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
--
2.14.4
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:36:05 +0100
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc1d48..1c6499bd210 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
--
2.14.4
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:35:01 +0100
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/ntlm_auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..8f77680416f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
*pauthoritative = 1;
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true, NTLM_AUTH_ON, 0,
&auth4_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true,
+ NTLM_AUTH_ON,
+ 0,
&challenge,
&lm_response,
&nt_response,
--
2.14.4
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 16 Mar 2018 17:25:12 +0100
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/selftest/tests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9092c1776c8..034c014e5b8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
for env in ["nt4_member", "ad_member"]:
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
--
2.14.4
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 13 Mar 2018 16:56:20 +0100
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 2 +-
selftest/knownfail | 3 ++-
selftest/knownfail.d/ntlm | 2 --
3 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
diff --git a/selftest/knownfail b/selftest/knownfail
index ba16fd72290..84776d4f35d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -303,8 +303,9 @@
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
# fl2000dc doesn't support AES
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
--
2.14.4

@ -0,0 +1,38 @@
From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 13:58:14 +0100
Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/lib/gencache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index ab12fc1c531..9f4e1cfcaa3 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
- "[%s] (%d seconds %s)\n", keystr,
+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
+ "[%s] (%ld seconds %s)\n", keystr,
timestring(talloc_tos(), timeout),
- (int)(timeout - time(NULL)),
- timeout > time(NULL) ? "ahead" : "in the past"));
+ ((long int)timeout) - time(NULL),
+ timeout > time(NULL) ? "ahead" : "in the past");
ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
dbufs, 2, 0);
--
2.20.1

@ -1,270 +0,0 @@
From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:06:39 +0200
Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/wscript_build | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 15e93db2f05..576855bb56c 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
)
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
- deps='wbclient krb5 com_err',
- realname='winbind_krb5_locator.so')
+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
+ source='winbind_krb5_locator.c',
+ deps='wbclient krb5 com_err',
+ realname='winbind_krb5_locator.so',
+ install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_localauth',
source='krb5_plugin/winbind_krb5_localauth.c',
deps='wbclient krb5 com_err',
- realname='winbind-krb5-localauth.so')
+ realname='winbind_krb5_localauth.so',
+ install_path='${MODULESDIR}/krb5')
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
source='wb_reqtrans.c',
--
2.17.1
From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:08:56 +0200
Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
subdir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
nsswitch/wscript_build | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
similarity index 100%
rename from nsswitch/winbind_krb5_locator.c
rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 576855bb56c..dd1952b799b 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
+ source='krb5_plugin/winbind_krb5_locator.c',
deps='wbclient krb5 com_err',
realname='winbind_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
--
2.17.1
From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:14:15 +0200
Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
The vfs and idmap manpages are in volume 8 too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
docs-xml/wscript_build | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
similarity index 96%
rename from docs-xml/manpages/winbind_krb5_locator.7.xml
rename to docs-xml/manpages/winbind_krb5_locator.8.xml
index 17e401a9da0..0af0c2cc95f 100644
--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
@@ -1,12 +1,12 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="winbind_krb5_locator.7">
+<refentry id="winbind_krb5_locator.8">
<refmeta>
<refentrytitle>winbind_krb5_locator</refentrytitle>
- <manvolnum>7</manvolnum>
+ <manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">7</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 954c62a29bc..2d686eb38b0 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
manpages/pam_winbind.conf.5
'''
-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
--
2.17.1
From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:06:07 +0200
Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
docs-xml/wscript_build | 4 +
2 files changed, 90 insertions(+)
create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
new file mode 100644
index 00000000000..a382e71ead3
--- /dev/null
+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="winbind_krb5_localauth.8">
+
+<refmeta>
+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbind_krb5_localauth</refname>
+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
+</refnamediv>
+
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This plugin is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.
+ </para>
+
+ <para>
+ <command>winbind_krb5_localauth</command> is a plugin that
+ permits the MIT Kerberos libraries that Kerberos principals can
+ be validated against local user accounts.
+ </para>
+</refsect1>
+<refsect1>
+ <title>PREREQUISITES</title>
+ <para>
+ MIT Kerberos (at least version 1.12) is required.
+ </para>
+
+ <para>
+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
+ and started separately.
+ </para>
+
+ <para>
+ The following sections needs to be added to the
+ <filename>krb5.conf</filename> file.
+
+ <programlisting>
+[plugins]
+ localauth = {
+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
+ enable_only = winbind
+ }
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>
+ This man page is part of version &doc.version; of the Samba
+ suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created
+ by Andrew Tridgell. Samba is now developed by the Samba Team as
+ an Open Source project similar to the way the Linux kernel is
+ developed.
+ </para>
+
+ <para>
+ The winbind_krb5_localauth manpage was written by Andreas
+ Schneider.
+ </para>
+</refsect1>
+
+</refentry>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 2d686eb38b0..ec5d28fc62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
'''
krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBAMANPAGES(krb5_locator_manpages)
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
+
if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
--
2.17.1

@ -1,216 +0,0 @@
From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:18:52 +0200
Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
---
nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
selftest/knownfail.d/upn_handling | 2 +
source3/selftest/tests.py | 4 +-
3 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
index 2803ac1408b..da30f97be74 100755
--- a/nsswitch/tests/test_wbinfo_user_info.sh
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -2,19 +2,20 @@
# Blackbox test for wbinfo lookup for account name and upn
# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
cat <<EOF
-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
EOF
exit 1;
fi
DOMAIN=$1
REALM=$2
-USERNAME1=$3
-UPN_NAME1=$4
-USERNAME2=$5
-UPN_NAME2=$6
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
shift 6
failed=0
@@ -31,9 +32,9 @@ test_user_info()
{
local cmd out ret user domain upn userinfo
- domain="$1"
- user="$2"
- upn="$3"
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
if [ $# -lt 3 ]; then
userinfo="$domain/$user"
@@ -62,6 +63,39 @@ test_user_info()
return 0
}
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+# We should not be able to lookup the user just by the name
+test_ret=0
+test_output="$DOMAIN/$USERNAME1"
+
+if [ "$ENVNAME" = "ad_member" ]; then
+ test_ret=2
+ test_output=""
+fi
+if [ "$ENVNAME" = "fl2008r2dc" ]; then
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+fi
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
exit $failed
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index bcbedb4f903..7dc9b71dc5e 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,8 +1,10 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f43d2b14d3a..a9cb2dad792 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -216,13 +216,13 @@ env = "ad_member:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "ad_member"
t = "WBCLIENT-MULTI-PING"
--
2.13.6
From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:38:01 +0200
Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
---
selftest/knownfail.d/upn_handling | 2 --
source3/winbindd/winbindd_util.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 7dc9b71dc5e..bcbedb4f903 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,10 +1,8 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index aa633419c9a..7a5fb73cdef 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
} else if (assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(namespace, lp_netbios_name());
}
}
--
2.13.6

@ -1,64 +0,0 @@
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 25 Jun 2018 09:58:56 -0400
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add quiet command-line argument to allow suppressing the help log
message printed automatically after establishing a smbclient connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
---
source3/client/client.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index 2c1c76036f7..c836e5a0477 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -52,6 +52,7 @@ static int port = 0;
static char *service;
static char *desthost;
static bool grepable = false;
+static bool quiet = false;
static char *cmdstr = NULL;
const char *cmd_ptr = NULL;
@@ -6059,7 +6060,9 @@ static int process_stdin(void)
{
int rc = 0;
- d_printf("Try \"help\" to get a list of possible commands.\n");
+ if (!quiet) {
+ d_printf("Try \"help\" to get a list of possible commands.\n");
+ }
while (!finished) {
TALLOC_CTX *frame = talloc_stackframe();
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
POPT_COMMON_SAMBA
POPT_COMMON_CONNECTION
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
case 'g':
grepable=true;
break;
+ case 'q':
+ quiet=true;
+ break;
case 'e':
smb_encrypt=true;
break;
--
2.17.1

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
=em2I
-----END PGP SIGNATURE-----

BIN
samba-4.8.3.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -0,0 +1,151 @@
From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 21 Mar 2019 14:51:30 -0700
Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
The were not using VFS backend calls and could only work
locally, and were unsafe against symlink races and other
security issues.
If the incoming handle is valid, return WERR_BAD_PATHNAME.
[MS-RRP] states "The format of the file name is implementation-specific"
so ensure we don't allow this.
As reported by Michael Hanselmann.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
1 file changed, 4 insertions(+), 88 deletions(-)
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index d9ee8d0602d..816c6bb2a12 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
}
/*******************************************************************
- ********************************************************************/
-
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
-{
- char *p = NULL;
- int num_services = lp_numservices();
- int snum = -1;
- const char *share_path = NULL;
- char *fname = *pp_fname;
-
- /* convert to a unix path, stripping the C:\ along the way */
-
- if (!(p = valid_share_pathname(ctx, fname))) {
- return -1;
- }
-
- /* has to exist within a valid file share */
-
- for (snum=0; snum<num_services; snum++) {
- if (!lp_snum_ok(snum) || lp_printable(snum)) {
- continue;
- }
-
- share_path = lp_path(talloc_tos(), snum);
-
- /* make sure we have a path (e.g. [homes] ) */
- if (strlen(share_path) == 0) {
- continue;
- }
-
- if (strncmp(share_path, p, strlen(share_path)) == 0) {
- break;
- }
- }
-
- *pp_fname = p;
- return (snum < num_services) ? snum : -1;
-}
-
-/*******************************************************************
_winreg_RestoreKey
********************************************************************/
@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
struct winreg_RestoreKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
- "\"%s\"\n", regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
- return WERR_BAD_PATHNAME;
-
- /* user must posses SeRestorePrivilege for this this proceed */
-
- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
- return WERR_ACCESS_DENIED;
- }
-
- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_restorekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
struct winreg_SaveKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
- regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
- return WERR_BAD_PATHNAME;
-
- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_savekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
--
2.11.0

@ -0,0 +1,280 @@
From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 4 Sep 2018 15:48:03 +0200
Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
---
source3/include/libsmbclient.h | 19 ++-
source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
source3/libsmb/libsmb_setget.c | 18 +++
source3/libsmb/wscript | 2 +-
4 files changed, 222 insertions(+), 2 deletions(-)
create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index ca5c7f87f71..5e4a1715402 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
void
smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
-
+/**
+ * @brief Set the 'client min protocol' and the 'client max protocol'.
+ *
+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
+ * protocol' set in the smb.conf file!
+ *
+ * @param[in] c The smbc context to use.
+ *
+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @returns true for success, false otherwise
+ */
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
/*************************************
* Getters and setters for FUNCTIONS *
diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
new file mode 100644
index 00000000000..b4245979c24
--- /dev/null
+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
@@ -0,0 +1,185 @@
+smbc_chmod: int (const char *, mode_t)
+smbc_close: int (int)
+smbc_closedir: int (int)
+smbc_creat: int (const char *, mode_t)
+smbc_fgetxattr: int (int, const char *, const void *, size_t)
+smbc_flistxattr: int (int, char *, size_t)
+smbc_free_context: int (SMBCCTX *, int)
+smbc_fremovexattr: int (int, const char *)
+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
+smbc_fstat: int (int, struct stat *)
+smbc_fstatvfs: int (int, struct statvfs *)
+smbc_ftruncate: int (int, off_t)
+smbc_getDebug: int (SMBCCTX *)
+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
+smbc_getNetbiosName: const char *(SMBCCTX *)
+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
+smbc_getOptionUserData: void *(SMBCCTX *)
+smbc_getPort: uint16_t (SMBCCTX *)
+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
+smbc_getTimeout: int (SMBCCTX *)
+smbc_getUser: const char *(SMBCCTX *)
+smbc_getWorkgroup: const char *(SMBCCTX *)
+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
+smbc_getxattr: int (const char *, const char *, const void *, size_t)
+smbc_init: int (smbc_get_auth_data_fn, int)
+smbc_init_context: SMBCCTX *(SMBCCTX *)
+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
+smbc_listxattr: int (const char *, char *, size_t)
+smbc_llistxattr: int (const char *, char *, size_t)
+smbc_lremovexattr: int (const char *, const char *)
+smbc_lseek: off_t (int, off_t, int)
+smbc_lseekdir: int (int, off_t)
+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_mkdir: int (const char *, mode_t)
+smbc_new_context: SMBCCTX *(void)
+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
+smbc_open: int (const char *, int, mode_t)
+smbc_open_print_job: int (const char *)
+smbc_opendir: int (const char *)
+smbc_option_get: void *(SMBCCTX *, char *)
+smbc_option_set: void (SMBCCTX *, char *, ...)
+smbc_print_file: int (const char *, const char *)
+smbc_read: ssize_t (int, void *, size_t)
+smbc_readdir: struct smbc_dirent *(unsigned int)
+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
+smbc_removexattr: int (const char *, const char *)
+smbc_rename: int (const char *, const char *)
+smbc_rmdir: int (const char *)
+smbc_setConfiguration: int (SMBCCTX *, const char *)
+smbc_setDebug: void (SMBCCTX *, int)
+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
+smbc_setNetbiosName: void (SMBCCTX *, const char *)
+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUserData: void (SMBCCTX *, void *)
+smbc_setPort: void (SMBCCTX *, uint16_t)
+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
+smbc_setTimeout: void (SMBCCTX *, int)
+smbc_setUser: void (SMBCCTX *, const char *)
+smbc_setWorkgroup: void (SMBCCTX *, const char *)
+smbc_set_context: SMBCCTX *(SMBCCTX *)
+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_stat: int (const char *, struct stat *)
+smbc_statvfs: int (char *, struct statvfs *)
+smbc_telldir: off_t (int)
+smbc_unlink: int (const char *)
+smbc_unlink_print_job: int (const char *, int)
+smbc_urldecode: int (char *, char *, size_t)
+smbc_urlencode: int (char *, char *, int)
+smbc_utime: int (const char *, struct utimbuf *)
+smbc_utimes: int (const char *, struct timeval *)
+smbc_version: const char *(void)
+smbc_write: ssize_t (int, const void *, size_t)
diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
index 60b822a395c..b1c4ff3b557 100644
--- a/source3/libsmb/libsmb_setget.c
+++ b/source3/libsmb/libsmb_setget.c
@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
}
}
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c,
+ const char *min_proto,
+ const char *max_proto)
+{
+ bool ok = true;
+
+ if (min_proto != NULL) {
+ ok = lp_set_cmdline("client min protocol", min_proto);
+ }
+
+ if (max_proto != NULL) {
+ ok &= lp_set_cmdline("client min protocol", max_proto);
+ }
+
+ return ok;
+}
+
/** Get the function for obtaining authentication data */
smbc_get_auth_data_fn
smbc_getFunctionAuthData(SMBCCTX *c)
diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
index 5482aea7d9c..298afc3c0e3 100644
--- a/source3/libsmb/wscript
+++ b/source3/libsmb/wscript
@@ -27,5 +27,5 @@ def build(bld):
public_headers='../include/libsmbclient.h',
abi_directory='ABI',
abi_match='smbc_*',
- vnum='0.4.0',
+ vnum='0.5.0',
pc_files='smbclient.pc')
--
2.19.2

@ -0,0 +1,252 @@
From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 3 Jan 2019 12:07:01 -0500
Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
for a port 139 connection in the low level socket connection code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
---
source3/libsmb/smbsock_connect.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index 9f915e1bb42..bb3cb07646c 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
if (port == NBT_SMB_PORT) {
+ if (lp_disable_netbios()) {
+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
+ return tevent_req_post(req, ev);
+ }
+
state->req_139 = nb_connect_send(state, state->ev, state->addr,
state->called_name,
state->called_type,
--
2.20.1
From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:40:33 -0500
Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
---
source3/libsmb/clidfs.c | 10 +++++++---
source3/libsmb/libsmb_server.c | 4 ++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 0dfb8b33606..4342a3b1d1b 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
flags, &c);
if (!NT_STATUS_IS_OK(status)) {
- d_printf("Connection to %s failed (Error %s)\n",
- server,
- nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
+ DBG_WARNING("Connection to %s failed (Error %s)\n",
+ server,
+ nt_errstr(status));
return status;
}
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 67dfcf72327..0067df48cac 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
}
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
errno = map_errno_from_nt_status(status);
return NULL;
}
--
2.20.1
From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:57:59 -0500
Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
---
source3/libsmb/passchange.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 48ffba8036f..f60e3079975 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
SMB_SIGNING_IPC_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(result)) {
- if (asprintf(err_str, "Unable to connect to SMB server on "
- "machine %s. Error was : %s.\n",
- remote_machine, nt_errstr(result))==-1) {
- *err_str = NULL;
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. NetBIOS support disabled\n",
+ remote_machine) == -1) {
+ *err_str = NULL;
+ }
+ } else {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. Error was : %s.\n",
+ remote_machine, nt_errstr(result))==-1) {
+ *err_str = NULL;
+ }
}
return result;
}
--
2.20.1
From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 15:17:24 -0500
Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
---
source3/utils/net_rpc.c | 3 +++
source3/utils/net_time.c | 9 +++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 67fff2f4d1b..91ad90f9594 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
0, &cli);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect\n");
+ }
return false;
}
status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
index 0091fc86333..5e6cf2ea15d 100644
--- a/source3/utils/net_time.c
+++ b/source3/utils/net_time.c
@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
SMB_SIGNING_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(status)) {
- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
- host, nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
+ " Error %s\n", host, nt_errstr(status));
+ } else {
+ fprintf(stderr, "Can't contact server %s. Error %s\n",
+ host, nt_errstr(status));
+ }
goto done;
}
--
2.20.1
From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 14 Jan 2019 10:36:47 -0500
Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
smbsock_connect_send
If disable_netbios is set, return before the tevent timer is triggered
to prevent outgoing netbios connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
---
source3/libsmb/smbsock_connect.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index bb3cb07646c..be52b9a4f79 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(state->req_445, smbsock_connect_connected,
req);
+ /*
+ * Check for disable_netbios
+ */
+ if (lp_disable_netbios()) {
+ return req;
+ }
+
/*
* After 5 msecs, fire the 139 (NBT) request
*/
--
2.20.1

@ -0,0 +1,37 @@
From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Mar 2019 14:39:11 +0100
Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
We default to SMB3 now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
---
docs-xml/manpages/smbclient.1.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
index e71a21a95e3..e25f7d3517b 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -261,9 +261,9 @@
<listitem><para>This allows the user to select the
highest SMB protocol level that smbclient will use to
connect to the server. By default this is set to
- NT1, which is the highest available SMB1 protocol.
- To connect using SMB2 or SMB3 protocol, use the
- strings SMB2 or SMB3 respectively. Note that to connect
+ highest available SMB3 protocol version.
+ To connect using SMB2 or SMB1 protocol, use the
+ strings SMB2 or NT1 respectively. Note that to connect
to a Windows 2012 server with encrypted transport selecting
a max-protocol of SMB3 is required.
</para></listitem>
--
2.21.0

@ -1,4 +1,4 @@
From ab9266a2907fe523937d8576f6de7313d577c2e8 Mon Sep 17 00:00:00 2001
From 1f64c74fec614bde510411b339e731f53b4707dd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 May 2019 16:55:49 +0200
Subject: [PATCH 1/9] s3:smbspool: Add the 'lp' group to the users groups
@ -66,7 +66,7 @@ index 5c4da33238b..e6684fc0d0c 100644
2.21.0
From d3ab97ba608b0c3000e733e3e56dd7da7bae617a Mon Sep 17 00:00:00 2001
From e634ee57d57cf4e5e2c8922f27576d402c6f06af Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 16 May 2019 13:41:02 +0200
Subject: [PATCH 2/9] s3:smbspool: Print the principal we use to authenticate
@ -82,7 +82,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 11 insertions(+)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index ecaaf3c3f22..98959bb677b 100644
index c404b3a3f69..78c13b9ebdb 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -612,6 +612,7 @@ static bool kerberos_ccache_is_valid(void) {
@ -114,7 +114,7 @@ index ecaaf3c3f22..98959bb677b 100644
2.21.0
From b8588870940e282aa2d5f9d553771fcba91681c7 Mon Sep 17 00:00:00 2001
From 997a9c4e9eed11d5c9e1635db3fe402c3c686989 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 16 May 2019 14:25:00 +0200
Subject: [PATCH 3/9] s3:smbspool: Add debug for finding KRB5CCNAME
@ -151,7 +151,7 @@ index e6684fc0d0c..2cdcd372ec6 100644
2.21.0
From 30feae8f20fb60999727cc4a6777b2823db46a64 Mon Sep 17 00:00:00 2001
From 793b16c22b0732a48de9bc927aab012bab87e8e4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 16 May 2019 17:10:57 +0200
Subject: [PATCH 4/9] s3:smbspool: Use %u format specifier to print uid
@ -190,7 +190,7 @@ index 2cdcd372ec6..3266b90ec1a 100644
2.21.0
From 98b782f300a899ad39fe17fa62ccbe4932e8cd29 Mon Sep 17 00:00:00 2001
From a2eb883469617688bef4f5c5dbbb1fc916299923 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 16 May 2019 17:40:43 +0200
Subject: [PATCH 5/9] s3:smbspool: Fallback to default ccache if KRB5CCNAME is
@ -329,10 +329,10 @@ index 3266b90ec1a..bff1df417e8 100644
/*
* Make sure we do not have LD_PRELOAD or other security relevant
diff --git a/source3/wscript_build b/source3/wscript_build
index 15c93e46bc3..694acbfa754 100644
index bbcfc72a714..a601ab4e9b1 100644
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1120,6 +1120,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
@@ -1137,6 +1137,7 @@ bld.SAMBA3_BINARY('smbspool_krb5_wrapper',
deps='''
DYNCONFIG
cups
@ -344,7 +344,7 @@ index 15c93e46bc3..694acbfa754 100644
2.21.0
From 0ffe2ecb356780264b157a03157875758431102f Mon Sep 17 00:00:00 2001
From ec526ef97fc6edf0342dea9ee82ecc14433cc063 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 May 2019 16:48:31 +0200
Subject: [PATCH 6/9] s3:smbspool: Print the filename we failed to open
@ -359,7 +359,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 98959bb677b..43f0cbc04e1 100644
index 78c13b9ebdb..805ad88b88d 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -223,7 +223,9 @@ main(int argc, /* I - Number of command-line arguments */
@ -377,7 +377,7 @@ index 98959bb677b..43f0cbc04e1 100644
2.21.0
From 9d662cda9def334de3a27cab7d77ab6c9deb3f16 Mon Sep 17 00:00:00 2001
From cd9e3a2a7666dfe545a8d0e9a68def6aa536641b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 May 2019 18:54:02 +0200
Subject: [PATCH 7/9] s3:smbspool: Always try to authenticate using Kerberos
@ -396,7 +396,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 51 insertions(+), 39 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 43f0cbc04e1..f8e6a76ba11 100644
index 805ad88b88d..d336cd08209 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -87,8 +87,8 @@ main(int argc, /* I - Number of command-line arguments */
@ -572,7 +572,7 @@ index 43f0cbc04e1..f8e6a76ba11 100644
2.21.0
From 56f58726a1f3b98e64e9f6b27c275cc0044e2a9f Mon Sep 17 00:00:00 2001
From f470477d71214b00a4b33f6934d7dbef3b3fce1d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 16 May 2019 18:24:32 +0200
Subject: [PATCH 8/9] s3:smbspool: Add debug messages to
@ -588,7 +588,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 7 insertions(+)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index f8e6a76ba11..ed5837daa0d 100644
index d336cd08209..221c50af196 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -599,11 +599,15 @@ static bool kerberos_ccache_is_valid(void) {
@ -621,7 +621,7 @@ index f8e6a76ba11..ed5837daa0d 100644
2.21.0
From cec536a0437b28e207cb69c318cb5769575d1761 Mon Sep 17 00:00:00 2001
From 27511ca2bbb05134681714475c634473b5125503 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 14 May 2019 11:35:46 +0200
Subject: [PATCH 9/9] s3:smbspool: Use NTSTATUS return codes
@ -638,7 +638,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 145 insertions(+), 105 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index ed5837daa0d..1c09ca0826d 100644
index 221c50af196..5ab286cd3e9 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -60,12 +60,27 @@

@ -0,0 +1,40 @@
From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Nov 2018 14:32:29 +0100
Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
This fixes a segfault in pyglue:
==10142== Process terminating with default action of signal 11 (SIGSEGV)
==10142== Bad permissions for mapped region at address 0x6F00A20
==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
---
lib/util/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/util/debug.c b/lib/util/debug.c
index d41e0f99c77..847ec1f0a0c 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
* This is to allow reading of DEBUGLEVEL_CLASS before the debug
* system has been initialized.
*/
-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
static size_t debug_num_classes = 0;
-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
+int *DEBUGLEVEL_CLASS = debug_class_list_initial;
/* -------------------------------------------------------------------------- **
--
2.19.1

@ -0,0 +1,87 @@
From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 18 Jan 2019 14:24:30 -0800
Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
existing share connection.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
smbd could crash if "force group" is added to a
share definition whilst an existing connection
to that share exists. In that case, don't change
the existing credentials for force group, only
do so for new connections.
Remove knownfail from regression test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
---
source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 9d5321cf4cc..ced2d450f8e 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
int snum;
gid_t gid;
uid_t uid;
+ const char *force_group_name;
char group_c;
int num_groups = 0;
gid_t *group_list = NULL;
@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
* See if we should force group for this service. If so this overrides
* any group set in the force user code.
*/
- if((group_c = *lp_force_group(talloc_tos(), snum))) {
+ force_group_name = lp_force_group(talloc_tos(), snum);
+ group_c = *force_group_name;
- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
+ /*
+ * This can happen if "force group" is added to a
+ * share definition whilst an existing connection
+ * to that share exists. In that case, don't change
+ * the existing credentials for force group, only
+ * do so for new connections.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
+ DBG_INFO("Not forcing group %s on existing connection to "
+ "share %s for SMB user %s (unix user %s)\n",
+ force_group_name,
+ lp_const_servicename(snum),
+ session_info->unix_info->sanitized_username,
+ session_info->unix_info->unix_name);
+ }
+
+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
+ /*
+ * Only force group for connections where
+ * conn->force_group_gid has already been set
+ * to the correct value (i.e. the connection
+ * happened after the 'force group' definition
+ * was added to the share definition. Connections
+ * that were made before force group was added
+ * should stay with their existing credentials.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
if (group_c == '+') {
int i;
--
2.20.1.495.gaa96b0ce6b-goog

@ -0,0 +1,544 @@
From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 29 Mar 2019 11:34:53 +0100
Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
---
source3/libads/ldap.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 13846695bd4..110f74a2dbb 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
if (ret != 0) {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
- ldap_err2string(ret), ld_error));
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
SAFE_FREE(ld_error);
}
}
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
--
2.21.0
From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Mar 2019 16:45:39 +0100
Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
---
source3/libsmb/cliconnect.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 837299d9220..9a3d3c769f9 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+ DBG_INFO("Doing kinit for %s to access %s\n",
+ user_principal, target_hostname);
/*
* TODO: This should be done within the gensec layer
@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
*/
}
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
+ "Kerberos\n",
+ user_principal,
+ target_hostname);
+
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
+ target_hostname,
+ cli_credentials_get_principal(creds, talloc_tos()));
+
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
+
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
uint8_t *bytes = NULL;
--
2.21.0
From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:46:39 +0200
Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
A newline is missing but also use DBG_INFO macro and cleanup spelling.
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
---
source3/libnet/libnet_join.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442..ddc00f7ad7c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
return WERR_NERR_DEFAULTJOINREQUIRED;
}
- DEBUG(5, ("failed to precreate account in ou %s: %s",
- r->in.account_ou, ads_errstr(ads_status)));
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
}
rpc_join:
--
2.21.0
From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Wed, 27 Mar 2019 17:51:04 +0100
Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
---
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index ab406a2c5be..8e49dcee5ea 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
}
+ if (DEBUGLEVEL >= 10) {
+ struct CHALLENGE_MESSAGE *challenge =
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
+ if (challenge != NULL) {
+ NTSTATUS status;
+ challenge->NegotiateFlags = chal_flags;
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
+ &in, challenge, challenge);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
+ challenge);
+ }
+ TALLOC_FREE(challenge);
+ }
+ }
+
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return nt_status;
}
+ if (DEBUGLEVEL >= 10) {
+ struct AUTHENTICATE_MESSAGE *authenticate =
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
+ if (authenticate != NULL) {
+ NTSTATUS status;
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
+ out, authenticate, authenticate);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
+ authenticate);
+ }
+ TALLOC_FREE(authenticate);
+ }
+ }
+
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
--
2.21.0
From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 15:59:10 +0200
Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
when using NTLM
If we want to authenticate using -Wadmin@otherdomain the DC should do
take care of the authentication with the right DC for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
---
auth/credentials/credentials.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4663185c979..7ef58d0752c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
const char **username,
const char **domain)
{
- if (cred->principal_obtained > cred->username_obtained) {
+ if (cred->principal_obtained >= cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
--
2.21.0
From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:39:45 +0200
Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
---
source3/libnet/libnet_join.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index ddc00f7ad7c..e052306523d 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
/* The domain parameter is only used as modifier
- * to krb5.conf file name. .JOIN is is not a valid
+ * to krb5.conf file name. _JOIN_ is is not a valid
* NetBIOS name so it cannot clash with another domain
* -- Uri.
*/
- create_local_private_krb5_conf_for_domain(
- pre_connect_realm, ".JOIN", sitename, &ss);
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
+ "_JOIN_",
+ sitename,
+ &ss);
}
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
--
2.21.0
From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:47:26 +0200
Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
---
source3/libads/kerberos.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e623f2456a8..360cdd741da 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
}
#endif
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin@otherdomain
+ */
file_contents =
talloc_asprintf(fname,
- "[libdefaults]\n\tdefault_realm = %s\n"
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
"%s"
- "\tdns_lookup_realm = false\n\n"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"%s\n",
--
2.21.0
From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:40:03 +0200
Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
---
source3/libads/ldap.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 110f74a2dbb..e191ea792a8 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
goto done;
}
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ ads_msgfree(ads, res);
+ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ goto done;
+ }
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
--
2.21.0
From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:14:06 +0200
Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
layer
Otherwise we could loose the information that a non-default domain name
has been used for admin creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
---
source3/libnet/libnet_join.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index e052306523d..fc7429e6a23 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
password = r->in.machine_password;
ccname = "MEMORY:libnet_join_machine_creds";
} else {
+ char *p = NULL;
+
username = r->in.admin_account;
+
+ p = strchr(r->in.admin_account, '@');
+ if (p == NULL) {
+ username = talloc_asprintf(mem_ctx, "%s@%s",
+ r->in.admin_account,
+ r->in.admin_domain);
+ }
+ if (username == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
password = r->in.admin_password;
/*
--
2.21.0
From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:11 +0200
Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
connect fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
---
source3/libnet/libnet_join.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index fc7429e6a23..6d3fc1fe01f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to connect to AD: %s",
+ ads_errstr(ads_status));
return WERR_NERR_DEFAULTJOINREQUIRED;
}
--
2.21.0
From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:55 +0200
Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
libnet_join
When a non-DNS and non-default admin domain is provided during the join
sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case lets
fallback to NTLMSSP, like we do in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
---
source3/libnet/libnet_join.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 6d3fc1fe01f..b876d7ea89f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
my_ads->auth.user_name = SMB_STRDUP(user_name);
--
2.21.0

@ -0,0 +1,56 @@
From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 11:26:11 -0500
Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
This affects net rpc getsid and net rpc changetrustpw commands.
This avoids an anonymous IPC connection being made when -k is used,
this only affects net rpc getsid and net rpc changetrustpw commands.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
---
source3/utils/net_rpc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index b99a036fca1..67fff2f4d1b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
{
+ int conn_flags = NET_FLAGS_PDC;
+
+ if (!c->opt_user_specified && !c->opt_kerberos) {
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
if (c->display_usage) {
d_printf( "%s\n"
"net rpc changetrustpw\n"
@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
}
return run_rpc_command(c, NULL, &ndr_table_netlogon,
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
+ conn_flags,
rpc_changetrustpw_internals,
argc, argv);
}
@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
{
int conn_flags = NET_FLAGS_PDC;
- if (!c->opt_user_specified) {
+ if (!c->opt_user_specified && !c->opt_kerberos) {
conn_flags |= NET_FLAGS_ANONYMOUS;
}
--
2.20.1

@ -1,4 +1,4 @@
From c4c36c2ecc0ed1254e02f046ce08b4937fe26ee6 Mon Sep 17 00:00:00 2001
From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:15:05 +0100
Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
@ -32,7 +32,7 @@ index d95ed064634..f28c0909334 100755
2.20.1
From 72f86fe6f41bbe7891fe81811b3234b6662de8da Mon Sep 17 00:00:00 2001
From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 09:40:58 +0100
Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
@ -115,7 +115,7 @@ index dee3b4c54be..5c4da33238b 100644
2.20.1
From 47771d9ceff2771b5fda430e1836237d85300407 Mon Sep 17 00:00:00 2001
From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 Jan 2019 09:21:24 +0100
Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
@ -131,11 +131,11 @@ Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
---
source3/client/smbspool.c | 42 ++++++++++++++++++++++-----------------
1 file changed, 24 insertions(+), 18 deletions(-)
source3/client/smbspool.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index d6e944d547c..e94d5b33324 100644
index 389e4ea553f..3dbf6be014b 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -60,7 +60,7 @@
@ -156,25 +156,7 @@ index d6e944d547c..e94d5b33324 100644
/*
* 'main()' - Main entry for SMB backend.
*/
@@ -94,7 +96,7 @@ main(int argc, /* I - Number of command-line arguments */
FILE *fp; /* File to print */
int status = 1; /* Status of LPD job */
struct cli_state *cli; /* SMB interface */
- char null_str[1];
+ char empty_str[] = "";
int tries = 0;
bool need_auth = true;
const char *dev_uri;
@@ -106,8 +108,6 @@ main(int argc, /* I - Number of command-line arguments */
int cmp;
int len;
- null_str[0] = '\0';
-
if (argc == 1) {
/*
* NEW! In CUPS 1.1 the backends are run with no arguments
@@ -187,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
}
}
@ -186,25 +168,7 @@ index d6e944d547c..e94d5b33324 100644
cmp = strncmp(dev_uri, "smb://", 6);
if (cmp != 0) {
fprintf(stderr,
@@ -220,21 +225,25 @@ main(int argc, /* I - Number of command-line arguments */
*tmp2++ = '\0';
password = uri_unescape_alloc(tmp2);
} else {
- password = null_str;
+ password = empty_str;
}
username = uri_unescape_alloc(tmp);
} else {
if ((username = getenv("AUTH_USERNAME")) == NULL) {
- username = null_str;
+ username = empty_str;
}
if ((password = getenv("AUTH_PASSWORD")) == NULL) {
- password = null_str;
+ password = empty_str;
}
@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */
server = uri + 6;
}
@ -215,7 +179,7 @@ index d6e944d547c..e94d5b33324 100644
tmp = server;
if ((sep = strchr_m(tmp, '/')) == NULL) {
@@ -354,8 +363,7 @@ done:
@@ -352,8 +363,7 @@ done:
static int
get_exit_code(struct cli_state * cli,
@ -225,7 +189,7 @@ index d6e944d547c..e94d5b33324 100644
{
int i;
@@ -382,10 +390,7 @@ get_exit_code(struct cli_state * cli,
@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
}
if (cli) {
@ -237,7 +201,7 @@ index d6e944d547c..e94d5b33324 100644
}
/*
@@ -454,6 +459,7 @@ smb_complete_connection(const char *myname,
@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
}
if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
@ -245,7 +209,7 @@ index d6e944d547c..e94d5b33324 100644
use_kerberos = true;
}
@@ -476,7 +482,7 @@ smb_complete_connection(const char *myname,
@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
@ -254,7 +218,7 @@ index d6e944d547c..e94d5b33324 100644
*need_auth = true;
}
@@ -490,7 +496,7 @@ smb_complete_connection(const char *myname,
@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
nt_errstr(nt_status));
@ -263,7 +227,7 @@ index d6e944d547c..e94d5b33324 100644
*need_auth = true;
}
@@ -679,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s opening remote spool %s\n",
nt_errstr(nt_status), title);
@ -272,7 +236,7 @@ index d6e944d547c..e94d5b33324 100644
}
/*
@@ -697,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
tbytes, nbytes, NULL);
if (!NT_STATUS_IS_OK(status)) {
@ -281,7 +245,7 @@ index d6e944d547c..e94d5b33324 100644
fprintf(stderr, "ERROR: Error writing spool: %s\n",
nt_errstr(status));
fprintf(stderr, "DEBUG: Returning status %d...\n",
@@ -713,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s closing remote spool %s\n",
nt_errstr(nt_status), title);
@ -294,7 +258,7 @@ index d6e944d547c..e94d5b33324 100644
2.20.1
From 6e83c1c9c02889bf9b7d42366ae25cd7b8738810 Mon Sep 17 00:00:00 2001
From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:09:14 +0100
Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
@ -312,7 +276,7 @@ Signed-off-by: Guenther Deschner <gd@samba.org>
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index e94d5b33324..4d78db7f77c 100644
index 3dbf6be014b..94c7ea368a2 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
@ -358,7 +322,7 @@ index e94d5b33324..4d78db7f77c 100644
2.20.1
From 5a17e86e0dde91b52afd4a192fd5a635a83b412d Mon Sep 17 00:00:00 2001
From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 11:40:30 +0100
Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
@ -377,7 +341,7 @@ Signed-off-by: Guenther Deschner <gd@samba.org>
1 file changed, 96 insertions(+), 24 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 4d78db7f77c..8be1009c0a8 100644
index 94c7ea368a2..97d00bdd011 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */

@ -1,4 +1,4 @@
From 56fb8aec557bb5b7264df2713b85b282e1c81f84 Mon Sep 17 00:00:00 2001
From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 9 May 2019 16:18:51 +0200
Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
@ -16,7 +16,7 @@ Reviewed-by: Guenther Deschner <gd@samba.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 8be1009c0a8..ecaaf3c3f22 100644
index 97d00bdd011..c404b3a3f69 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */

File diff suppressed because it is too large Load Diff

@ -0,0 +1,39 @@
From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Oct 2018 19:45:58 +0100
Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
See https://retrace.fedoraproject.org/faf/reports/1577174/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
---
source3/winbindd/winbindd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 254d93b344d..a8ffc31778c 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
if (!NT_STATUS_IS_OK(status)) {
exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
}
- initialize_password_db(true, server_event_context());
+
+ ok = initialize_password_db(true, server_event_context());
+ if (!ok) {
+ exit_daemon("Failed to initialize passdb backend! "
+ "Check the 'passdb backend' variable in your "
+ "smb.conf file.", EINVAL);
+ }
/*
* Do not initialize the parent-child-pipe before becoming
--
2.19.1

@ -0,0 +1,402 @@
From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 15 Nov 2018 16:06:49 +0100
Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
---
selftest/target/Samba3.pm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 438cb3409bb..373f8152ca3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
my ($gid_force_user);
my ($uid_user1);
my ($uid_user2);
+ my ($uid_gooduser);
+ my ($uid_eviluser);
- if ($unix_uid < 0xffff - 10) {
+ if ($unix_uid < 0xffff - 12) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
$uid_smbget = $max_uid - 8;
$uid_user1 = $max_uid - 9;
$uid_user2 = $max_uid - 10;
+ $uid_gooduser = $max_uid - 11;
+ $uid_eviluser = $max_uid - 12;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
--
2.19.2
From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 16 Nov 2018 15:40:59 +0100
Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
share
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a test for CVE-2009-2813.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
---
selftest/target/Samba3.pm | 4 ++
source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
3 files changed, 104 insertions(+)
create mode 100755 source3/script/tests/test_homes.sh
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 373f8152ca3..2031003210c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -921,6 +921,10 @@ sub setup_fileserver
comment = inherit only unix owner
inherit owner = unix only
acl_xattr:ignore system acls = yes
+[homes]
+ comment = Home directories
+ browseable = No
+ read only = No
";
my $vars = $self->provision($path, "WORKGROUP",
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
new file mode 100755
index 00000000000..06de0a0c301
--- /dev/null
+++ b/source3/script/tests/test_homes.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Copyright (c) Andreas Schneider <asn@samba.org>
+# License: GPLv3
+
+if [ $# -lt 7 ]; then
+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
+ exit 1
+fi
+
+SERVER="${1}"
+USERNAME="${2}"
+PASSWORD="${3}"
+LOCAL_PATH="${4}"
+PREFIX="${5}"
+SMBCLIENT="${6}"
+CONFIGURATION="${7}"
+shift 7
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+test_gooduser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=gooduser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo "failed to connect error $ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'Try "help" to get a list of possible commands.'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: Try "help" to get a list of possible commands.'
+ return 1
+ fi
+
+ return 0
+}
+
+test_eviluser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=eviluser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
+testit "test gooduser home" \
+ test_gooduser_home || \
+ failed=`expr $failed + 1`
+
+testit "test eviluser home reject" \
+ test_eviluser_home || \
+ failed=`expr $failed + 1`
+
+testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 09cd5159a0d..4aef7a4d596 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -290,6 +290,7 @@ for env in ["fileserver"]:
plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
#
# tar command tests
--
2.19.2
From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Nov 2018 18:23:24 +0100
Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If "/" (root) is returned as the home directory, prevent exporting it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
---
source3/param/service.c | 6 +++++-
source3/smbd/password.c | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/source3/param/service.c b/source3/param/service.c
index b21be6093d4..22f46f08894 100644
--- a/source3/param/service.c
+++ b/source3/param/service.c
@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
phome_dir?phome_dir:"(NULL)"));
- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
+ if (!strequal(phome_dir, "/")) {
+ iService = add_home_service(*p_service_out,
+ *p_service_out, /* username */
+ phome_dir);
+ }
}
/* If we still don't have a service, attempt to add it as a printer. */
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index f472bda2c70..0576d2563eb 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
return -1;
}
+ if (strequal(pwd->pw_dir, "/")) {
+ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
+ username);
+ TALLOC_FREE(pwd);
+ return -1;
+ }
+
DEBUG(3, ("Adding homes service for user '%s' using home directory: "
"'%s'\n", username, pwd->pw_dir));
--
2.19.2
From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Dec 2018 11:05:46 +0100
Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
as home dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
---
selftest/target/Samba3.pm | 6 ++++-
source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2031003210c..583396b3818 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
my ($uid_user2);
my ($uid_gooduser);
my ($uid_eviluser);
+ my ($uid_slashuser);
- if ($unix_uid < 0xffff - 12) {
+ if ($unix_uid < 0xffff - 13) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
$uid_user2 = $max_uid - 10;
$uid_gooduser = $max_uid - 11;
$uid_eviluser = $max_uid - 12;
+ $uid_slashuser = $max_uid - 13;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
index 06de0a0c301..90e84550dbc 100755
--- a/source3/script/tests/test_homes.sh
+++ b/source3/script/tests/test_homes.sh
@@ -88,6 +88,39 @@ EOF
return 0
}
+test_slashuser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=slashuser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
testit "test gooduser home" \
test_gooduser_home || \
failed=`expr $failed + 1`
@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
test_eviluser_home || \
failed=`expr $failed + 1`
+testit "test slashuser home reject" \
+ test_slashuser_home || \
+ failed=`expr $failed + 1`
+
testok $0 $failed
--
2.19.2

@ -0,0 +1,119 @@
From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 27 Jun 2018 11:32:31 -0400
Subject: [PATCH] s3:libads: Add net ads leave keep-account option
Add the ability to leave the domain with --keep-account argument to avoid
removal of the host machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
---
docs-xml/manpages/net.8.xml | 9 ++++++++-
source3/libnet/libnet_join.c | 2 ++
source3/utils/net.c | 3 ++-
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 9 +++++++--
5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3154ee5ff85..d2bcd24c502 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -377,6 +377,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>--keep-account</term>
+ <listitem><para>Prevent the machine account removal as
+ part of "net ads leave".
+ </para></listitem>
+ </varlistentry>
+
&stdarg.encrypt;
&popt.common.samba.client;
@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
</refsect2>
<refsect2>
-<title>ADS LEAVE</title>
+<title>ADS LEAVE [--keep-account]</title>
<para>Make the remote host leave the domain it is part of. </para>
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a9405e8d288..27fc5135442 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
return ntstatus_to_werror(status);
}
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
+ r->in.domain_name);
r->out.disabled_machine_account = true;
}
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 759d8cd442b..b3bd4b67118 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -970,8 +970,9 @@ static struct functable net_func[] = {
{"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
/* Options for 'net registry import' */
{"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
- /* Options for 'net ads join' */
+ /* Options for 'net ads join or leave' */
{"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
POPT_COMMON_SAMBA
{ 0, 0, 0, 0}
};
diff --git a/source3/utils/net.h b/source3/utils/net.h
index d6dfeb6208f..5e70fd3aafa 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -85,6 +85,7 @@ struct net_context {
int opt_wipe;
const char *opt_precheck;
int opt_no_dns_updates;
+ int opt_keep_account;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ffa67d8f525..afe47dad839 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
if (c->display_usage) {
d_printf( "%s\n"
- "net ads leave\n"
+ "net ads leave [--keep-account]\n"
" %s\n",
_("Usage:"),
_("Leave an AD domain"));
@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
- r->in.delete_machine_account = true;
+ if (c->opt_keep_account) {
+ r->in.delete_machine_account = false;
+ } else {
+ r->in.delete_machine_account = true;
+ }
+
r->in.msg_ctx = c->msg_ctx;
werr = libnet_Unjoin(ctx, r);
--
2.17.1

@ -0,0 +1,179 @@
From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:09:23 +0100
Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
---
source3/rpcclient/cmd_netlogon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 8d62ef7e095..631740562c6 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
WERROR werr = WERR_OK;
uint32_t flags = DS_RETURN_DNS_NAME;
const char *server_name = cli->desthost;
- const char *domain_name;
+ const char *domain_name = NULL;
struct GUID domain_guid = GUID_zero();
struct GUID site_guid = GUID_zero();
struct netr_DsRGetDCNameInfo *info = NULL;
--
2.19.2
From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:13:51 +0100
Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
---
librpc/ndr/ndr_backupkey.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
index 827bc694230..adb6e393287 100644
--- a/librpc/ndr/ndr_backupkey.c
+++ b/librpc/ndr/ndr_backupkey.c
@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
ndr->flags |= LIBNDR_PRINT_SET_VALUES;
}
if (flags & NDR_IN) {
- union bkrp_data_in_blob inblob;
+ union bkrp_data_in_blob inblob = {
+ .empty._empty_ = '\0',
+ };
DATA_BLOB blob;
uint32_t level;
enum ndr_err_code ndr_err;
--
2.19.2
From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:16:06 +0100
Subject: [PATCH 3/5] libgpo: Make sure status is intialized
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
---
libgpo/gpo_ldap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index fec00053b49..f087203f28a 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
const char *guid_name,
struct GROUP_POLICY_OBJECT *gpo)
{
- ADS_STATUS status;
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
LDAPMessage *res = NULL;
char *dn;
const char *filter;
--
2.19.2
From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:17:37 +0100
Subject: [PATCH 4/5] lib:util Always initialize start and space
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
---
lib/util/talloc_report.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
index 63213a014b6..bed0fd91e43 100644
--- a/lib/util/talloc_report.c
+++ b/lib/util/talloc_report.c
@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
const char *fmt, va_list ap)
{
ssize_t str_len = *pstr_len;
- size_t buflen, needed, space;
- char *start, *tmpbuf;
+ size_t buflen, needed, space = 0;
+ char *start = NULL, *tmpbuf = NULL;
va_list ap2;
int printlen;
@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
if (buflen > str_len) {
start = buf + str_len;
space = buflen - str_len;
- } else {
- start = NULL;
- space = 0;
}
va_copy(ap2, ap);
--
2.19.2
From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:21:15 +0100
Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
---
ctdb/common/logging.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index dc8c4f75058..55e5d541735 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
{
int i;
- for (i=0; ARRAY_SIZE(log_string_map); i++) {
+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
if (log_string_map[i].log_level == log_level) {
return log_string_map[i].log_string;
}
--
2.19.2

@ -0,0 +1,117 @@
From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:35:08 +0200
Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
The -fstack-protector* flags are compiler only flags, don't pass them to
the linker.
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
---
buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index c4391d0c4dc..bfd6f9710db 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
return
# we need to build real code that can't be optimized away to test
- if conf.check(fragment='''
- #include <stdio.h>
-
- int main(void)
- {
- char t[100000];
- while (fgets(t, sizeof(t), stdin));
- return 0;
- }
- ''',
- execute=0,
- ccflags='-fstack-protector',
- ldflags='-fstack-protector',
- mandatory=False,
- msg='Checking if toolchain accepts -fstack-protector'):
- conf.ADD_CFLAGS('-fstack-protector')
- conf.ADD_LDFLAGS('-fstack-protector')
+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
+ for stack_protect_flag in stack_protect_list:
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
+ mandatory=False,
+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
+ if flag_supported:
+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
+ break
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
--
2.18.0
From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:49:52 +0200
Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
---
buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index bfd6f9710db..f2b3ec8db8d 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
break
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-fstack-clash-protection'],
+ mandatory=False,
+ msg='Checking if compiler accepts -fstack-clash-protection')
+ if flag_supported:
+ conf.ADD_CFLAGS('-fstack-clash-protection')
+
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
--
2.18.0

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
=2NTz
-----END PGP SIGNATURE-----

BIN
samba-4.9.1.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -8,11 +8,11 @@
%define main_release 6
%define samba_version 4.8.3
%define talloc_version 2.1.11
%define tdb_version 1.3.15
%define tevent_version 0.9.36
%define ldb_version 1.3.4
%define samba_version 4.9.1
%define talloc_version 2.1.14
%define tdb_version 1.3.16
%define tevent_version 0.9.37
%define ldb_version 1.4.2
# This should be rc1 or nil
%define pre_release %nil
@ -90,8 +90,8 @@
%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
Name: samba
Version: 4.8.3
Release: 106.1.dc%{?dist}
Version: 4.9.1
Release: 100.dc%{?dist}
%if 0%{?rhel}
Epoch: 0
@ -124,14 +124,24 @@ Source14: samba.pamd
Source200: README.dc
Source201: README.downgrade
Patch0: samba-4.8.3-fix_krb5_plugins.patch
Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch
Patch2: samba-4.8.3-smbclient_quiet_argument.patch
Patch3: CVE-2018-1139.patch
Patch4: CVE-2018-10858.patch
Patch5: samba-4.8-fix_smbspool_as_cups_backend.patch
Patch6: samba-4.8-fix_cups_smbspool_backend.part1.patch
Patch7: samba-4.8-fix_cups_smbspool_backend.part2.patch
Patch0: samba-4.9.0rc5-stack-protector.patch
Patch1: samba-4.9-harden_homes_share.patch
Patch2: samba-4.9-static_analysis_fixes.patch
Patch3: samba-4.9-fix_debug_segfault.patch
Patch4: samba-4.9-fix_winbind_passdb_segfault.patch
Patch5: samba-4.9-fix_testparm_crash.patch
Patch6: samba-4.9-disable_netbios.patch
Patch7: samba-4.9-net_ads_leave_keep_account.patch
Patch8: samba-4.9-fix_force_group_panic.patch
Patch9: samba-4.10-fix_gencache_debug_message.patch
Patch10: samba-4.9-fix_net_ads_krb5.patch
Patch11: samba-4.9-add_smbc_setOptionProtocols.patch
Patch12: samba-4.9-fix_smbspool_as_cups_backend.patch
Patch13: samba-4.9-doc_smbclient_max_protocol.patch
Patch14: samba-4.9-fix_net_ads_join_admin_otherdomain.patch
Patch15: samba-4.9-CVE-2019-3880.patch
Patch16: samba-4.9-fix_smbspool_krb5_auth.patch
Patch17: samba-4.9-fix_cups_printing.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -175,6 +185,7 @@ BuildRequires: docbook-style-xsl
BuildRequires: e2fsprogs-devel
BuildRequires: gawk
BuildRequires: gnupg2
BuildRequires: jansson-devel
BuildRequires: krb5-devel >= %{required_mit_krb5}
BuildRequires: libacl-devel
BuildRequires: libaio-devel
@ -187,6 +198,7 @@ BuildRequires: libxslt
BuildRequires: ncurses-devel
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: perl-interpreter
BuildRequires: perl(Test::More)
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Parse::Yapp)
@ -209,9 +221,6 @@ BuildRequires: zlib-devel >= 1.2.3
BuildRequires: pkgconfig(libsystemd)
# Enable JSON logging
BuildRequires: jansson-devel
%if %{with_vfs_glusterfs}
BuildRequires: glusterfs-api-devel >= 3.4.0.16
BuildRequires: glusterfs-devel >= 3.4.0.16
@ -563,6 +572,7 @@ managing Samba AD.
### PIDL
%package pidl
Summary: Perl IDL compiler
Requires: perl-interpreter
Requires: perl(Parse::Yapp)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
BuildArch: noarch
@ -700,7 +710,6 @@ Summary: A Clustered Database based on Samba's Trivial Database (TDB)
Requires: %{name}-client-libs = %{samba_depver}
Requires: coreutils
Requires: fileutils
# for ps and killall
Requires: psmisc
Requires: sed
@ -874,8 +883,8 @@ install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged
install -d -m 0755 %{buildroot}/var/log/samba/old
install -d -m 0755 %{buildroot}/var/spool/samba
install -d -m 0755 %{buildroot}/var/run/samba
install -d -m 0755 %{buildroot}/var/run/winbindd
install -d -m 0755 %{buildroot}/run/samba
install -d -m 0755 %{buildroot}/run/winbindd
install -d -m 0755 %{buildroot}/%{_libdir}/samba
install -d -m 0755 %{buildroot}/%{_libdir}/samba/ldb
install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig
@ -915,22 +924,21 @@ install -m644 examples/LDAP/samba.schema %{buildroot}%{_sysconfdir}/openldap/sch
install -m 0744 packaging/printing/smbprint %{buildroot}%{_bindir}/smbprint
install -d -m 0755 %{buildroot}%{_tmpfilesdir}
install -m644 packaging/systemd/samba.conf.tmp %{buildroot}%{_tmpfilesdir}/samba.conf
# create /run/samba too.
echo "d /run/samba 755 root root" >> %{buildroot}%{_tmpfilesdir}/samba.conf
# Create /run/samba too.
echo "d /run/samba 755 root root" > %{buildroot}%{_tmpfilesdir}/samba.conf
%if %with_clustering_support
echo "d /run/ctdb 755 root root" >> %{buildroot}%{_tmpfilesdir}/ctdb.conf
echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf
%endif
install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig
install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba
%if %with_clustering_support
cat > %{buildroot}%{_sysconfdir}/sysconfig/ctdb <<EOF
# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdbd.conf
# CTDB configuration is now in %{_sysconfdir}/ctdb/ctdb.conf
EOF
install -d -m 0755 %{buildroot}%{_sysconfdir}/ctdb
install -m 0644 ctdb/config/ctdbd.conf %{buildroot}%{_sysconfdir}/ctdb/ctdbd.conf
install -m 0644 ctdb/config/ctdb.conf %{buildroot}%{_sysconfdir}/ctdb/ctdb.conf
%endif
install -m 0644 %{SOURCE201} packaging/README.downgrade
@ -962,8 +970,10 @@ for i in \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba-tool.8 \
%{_mandir}/man8/samba_gpoupdate.8 \
%{_sbindir}/samba_gpoupdate \
%{_mandir}/man8/samba-gpupdate.8 \
%{_sbindir}/samba-gpupdate \
%{_libdir}/libsamba-policy.so \
%{_libdir}/pkgconfig/samba-policy.pc \
%{python_sitearch}/samba/colour.py* \
%{python_sitearch}/samba/domain_update.py* \
%{python_sitearch}/samba/forest_update.py* \
@ -998,6 +1008,35 @@ for i in \
%{python_sitearch}/samba/schema.py* \
%{python_sitearch}/samba/tests/krb5_credentials.py* \
%{python_sitearch}/samba/tests/password_quality.py* \
%{python_sitearch}/samba/gp_sec_ext.py* \
%{python_sitearch}/samba/mdb_util.py* \
%{python_sitearch}/samba/tests/audit_log_base.py* \
%{python_sitearch}/samba/tests/audit_log_dsdb.py* \
%{python_sitearch}/samba/tests/audit_log_pass_change.py* \
%{python_sitearch}/samba/tests/dckeytab.py* \
%{python_sitearch}/samba/tests/dns_invalid.py* \
%{python_sitearch}/samba/tests/domain_backup.py* \
%{python_sitearch}/samba/tests/getdcname.py* \
%{python_sitearch}/samba/tests/gpo.py* \
%{python_sitearch}/samba/tests/group_audit.py* \
%{python_sitearch}/samba/tests/loadparm.py* \
%{python_sitearch}/samba/tests/netbios.py* \
%{python_sitearch}/samba/tests/ntacls_backup.py* \
%{python_sitearch}/samba/tests/password_test.py* \
%{python_sitearch}/samba/tests/pso.py* \
%{python_sitearch}/samba/tests/s3idmapdb.py* \
%{python_sitearch}/samba/tests/s3param.py* \
%{python_sitearch}/samba/tests/s3passdb.py* \
%{python_sitearch}/samba/tests/s3registry.py* \
%{python_sitearch}/samba/tests/s3windb.py* \
%{python_sitearch}/samba/tests/samba_tool/computer.py* \
%{python_sitearch}/samba/tests/samba_tool/demote.py* \
%{python_sitearch}/samba/tests/samba_tool/forest.py* \
%{python_sitearch}/samba/tests/samba_tool/ou.py* \
%{python_sitearch}/samba/tests/samba_tool/passwordsettings.py* \
%{python_sitearch}/samba/tests/samba_tool/schema.py* \
%{python_sitearch}/samba/tests/samdb_api.py* \
%{python_sitearch}/samba/tests/smb.py* \
%{_unitdir}/samba.service \
; do
rm -f %{buildroot}$i
@ -1197,7 +1236,7 @@ rm -rf %{buildroot}
%doc examples/printer-accounting examples/printing
%doc packaging/README.downgrade
%{_bindir}/smbstatus
%{_bindir}/eventlogadm
%{_sbindir}/eventlogadm
%{_sbindir}/nmbd
%{_sbindir}/smbd
%if %with_dc
@ -1421,6 +1460,7 @@ rm -rf %{buildroot}
%dir %{_libdir}/samba
%{_libdir}/samba/libCHARSET3-samba4.so
%{_libdir}/samba/libMESSAGING-SEND-samba4.so
%{_libdir}/samba/libaddns-samba4.so
%{_libdir}/samba/libads-samba4.so
%{_libdir}/samba/libasn1util-samba4.so
@ -1435,6 +1475,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libcliauth-samba4.so
%{_libdir}/samba/libcmdline-credentials-samba4.so
%{_libdir}/samba/libcommon-auth-samba4.so
%{_libdir}/samba/libctdb-event-client-samba4.so
%{_libdir}/samba/libdbwrap-samba4.so
%{_libdir}/samba/libdcerpc-samba-samba4.so
%{_libdir}/samba/libevents-samba4.so
@ -1561,8 +1602,8 @@ rm -rf %{buildroot}
%config(noreplace) %{_sysconfdir}/logrotate.d/samba
%attr(0700,root,root) %dir /var/log/samba
%attr(0700,root,root) %dir /var/log/samba/old
%ghost %dir /var/run/samba
%ghost %dir /var/run/winbindd
%ghost %dir /run/samba
%ghost %dir /run/winbindd
%dir /var/lib/samba
%attr(700,root,root) %dir /var/lib/samba/private
%dir /var/lib/samba/lock
@ -1580,6 +1621,8 @@ rm -rf %{buildroot}
%files common-libs
%defattr(-,root,root)
# common libraries
%{_libdir}/samba/libcmdline-contexts-samba4.so
%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so
%{_libdir}/samba/libpopt-samba3-samba4.so
%if %{with_intel_aes_accel}
%{_libdir}/samba/libaesni-intel-samba4.so
@ -1617,20 +1660,20 @@ rm -rf %{buildroot}
%{_sbindir}/samba
%{_sbindir}/samba_kcc
%{_sbindir}/samba_dnsupdate
%{_sbindir}/samba_gpoupdate
%{_sbindir}/samba_gpupdate
%{_sbindir}/samba_spnupdate
%{_sbindir}/samba_upgradedns
#%{_libdir}/krb5/plugins/kdb/samba.so
%{_libdir}/samba/auth/samba4.so
#%{_libdir}/samba/libgpo-samba4.so
%{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so
%{_libdir}/samba/ldb/acl.so
%{_libdir}/samba/ldb/aclread.so
%{_libdir}/samba/ldb/anr.so
%{_libdir}/samba/ldb/audit_log.so
%{_libdir}/samba/ldb/descriptor.so
%{_libdir}/samba/ldb/dirsync.so
%{_libdir}/samba/ldb/dns_notify.so
@ -1639,6 +1682,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/extended_dn_in.so
%{_libdir}/samba/ldb/extended_dn_out.so
%{_libdir}/samba/ldb/extended_dn_store.so
%{_libdir}/samba/ldb/group_audit_log.so
%{_libdir}/samba/ldb/ildap.so
%{_libdir}/samba/ldb/instancetype.so
%{_libdir}/samba/ldb/lazy_commit.so
@ -1679,7 +1723,7 @@ rm -rf %{buildroot}
%{_datadir}/samba/setup
%{_mandir}/man8/samba.8*
%{_mandir}/man8/samba-tool.8*
%{_mandir}/man8/samba_gpoupdate.8*
%{_mandir}/man8/samba_gpupdate.8*
%else # with_dc
%doc packaging/README.dc
%endif # with_dc
@ -1713,6 +1757,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libdsdb-module-samba4.so
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
%{_libdir}/samba/libscavenge-dns-records-samba4.so
%else
%doc packaging/README.dc-libs
%endif # with_dc
@ -1826,7 +1871,6 @@ rm -rf %{buildroot}
%{_libdir}/libsamba-credentials.so
%{_libdir}/libsamba-errors.so
%{_libdir}/libsamba-hostconfig.so
%{_libdir}/libsamba-policy.so
%{_libdir}/libsamba-util.so
%{_libdir}/libsamdb.so
%{_libdir}/libsmbconf.so
@ -1840,7 +1884,6 @@ rm -rf %{buildroot}
%{_libdir}/pkgconfig/netapi.pc
%{_libdir}/pkgconfig/samba-credentials.pc
%{_libdir}/pkgconfig/samba-hostconfig.pc
%{_libdir}/pkgconfig/samba-policy.pc
%{_libdir}/pkgconfig/samba-util.pc
%{_libdir}/pkgconfig/samdb.pc
%{_libdir}/libsamba-passdb.so
@ -1850,6 +1893,9 @@ rm -rf %{buildroot}
%{_includedir}/samba-4.0/dcerpc_server.h
%{_libdir}/libdcerpc-server.so
%{_libdir}/pkgconfig/dcerpc_server.pc
%{_libdir}/libsamba-policy.so
%{_libdir}/pkgconfig/samba-policy.pc
%endif
%if ! %with_libsmbclient
@ -1884,11 +1930,9 @@ rm -rf %{buildroot}
%files libs
%defattr(-,root,root)
%{_libdir}/libdcerpc-samr.so.*
%{_libdir}/libsamba-policy.so.*
# libraries needed by the public libraries
%{_libdir}/samba/libMESSAGING-samba4.so
%{_libdir}/samba/libMESSAGING-SEND-samba4.so
%{_libdir}/samba/libLIBWBCLIENT-OLD-samba4.so
%{_libdir}/samba/libauth4-samba4.so
%{_libdir}/samba/libauth-unix-token-samba4.so
@ -1973,6 +2017,8 @@ rm -rf %{buildroot}
### PYTHON
%files python
%defattr(-,root,root,-)
%{_libdir}/libsamba-policy.so.*
%dir %{python_sitearch}/samba
%{python_sitearch}/samba/__init__.py*
%{python_sitearch}/samba/_glue.so
@ -1983,6 +2029,37 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/credentials.so
%{python_sitearch}/samba/crypto.so
%{python_sitearch}/samba/dbchecker.py*
%{python_sitearch}/samba/descriptor.py*
%{python_sitearch}/samba/gensec.so
%{python_sitearch}/samba/getopt.py*
%{python_sitearch}/samba/hostconfig.py*
%{python_sitearch}/samba/idmap.py*
%{python_sitearch}/samba/join.py*
%{python_sitearch}/samba/messaging.so
%{python_sitearch}/samba/ms_display_specifiers.py*
%{python_sitearch}/samba/ms_schema.py*
%{python_sitearch}/samba/ndr.py*
%{python_sitearch}/samba/net.so
%{python_sitearch}/samba/netbios.so
%{python_sitearch}/samba/ntacls.py*
%{python_sitearch}/samba/ntstatus.so
%{python_sitearch}/samba/param.so
%{python_sitearch}/samba/policy.so
%{python_sitearch}/samba/posix_eadb.so
%{python_sitearch}/samba/registry.so
%{python_sitearch}/samba/remove_dc.py*
%{python_sitearch}/samba/sd_utils.py*
%{python_sitearch}/samba/security.so
%{python_sitearch}/samba/sites.py*
%{python_sitearch}/samba/smb.so
%{python_sitearch}/samba/subnets.py*
%{python_sitearch}/samba/upgrade.py*
%{python_sitearch}/samba/upgradehelpers.py*
%{python_sitearch}/samba/werror.so
%{python_sitearch}/samba/xattr.py*
%{python_sitearch}/samba/xattr_native.so
%{python_sitearch}/samba/xattr_tdb.so
%dir %{python_sitearch}/samba/dcerpc
%{python_sitearch}/samba/dcerpc/__init__.py*
%{python_sitearch}/samba/dcerpc/atsvc.so
@ -2018,82 +2095,73 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/dcerpc/winreg.so
%{python_sitearch}/samba/dcerpc/wkssvc.so
%{python_sitearch}/samba/dcerpc/xattr.so
%{python_sitearch}/samba/descriptor.py*
%{python_sitearch}/samba/gensec.so
%{python_sitearch}/samba/getopt.py*
%{python_sitearch}/samba/hostconfig.py*
%{python_sitearch}/samba/idmap.py*
%{python_sitearch}/samba/join.py*
%{python_sitearch}/samba/messaging.so
%{python_sitearch}/samba/ms_display_specifiers.py*
%{python_sitearch}/samba/ms_schema.py*
%{python_sitearch}/samba/ndr.py*
%{python_sitearch}/samba/colour.py*
%{python_sitearch}/samba/graph.py*
%{python_sitearch}/samba/net.so
%{python_sitearch}/samba/netbios.so
%dir %{python_sitearch}/samba/emulate
%{python_sitearch}/samba/emulate/__init__.py*
%{python_sitearch}/samba/emulate/traffic.py*
%{python_sitearch}/samba/emulate/traffic_packets.py*
%dir %{python_sitearch}/samba/netcmd
%{python_sitearch}/samba/netcmd/__init__.py*
%{python_sitearch}/samba/netcmd/common.py*
%{python_sitearch}/samba/netcmd/computer.py*
%{python_sitearch}/samba/netcmd/dbcheck.py*
%{python_sitearch}/samba/netcmd/delegation.py*
%{python_sitearch}/samba/netcmd/dns.py*
%{python_sitearch}/samba/netcmd/domain.py*
%{python_sitearch}/samba/netcmd/domain_backup.py*
%{python_sitearch}/samba/netcmd/drs.py*
%{python_sitearch}/samba/netcmd/dsacl.py*
%{python_sitearch}/samba/netcmd/forest.py*
%{python_sitearch}/samba/netcmd/gpo.py*
%{python_sitearch}/samba/netcmd/group.py*
%{python_sitearch}/samba/netcmd/ldapcmp.py*
%{python_sitearch}/samba/netcmd/main.py*
%{python_sitearch}/samba/netcmd/nettime.py*
%{python_sitearch}/samba/netcmd/ntacl.py*
%{python_sitearch}/samba/netcmd/ou.py*
%{python_sitearch}/samba/netcmd/processes.py*
%{python_sitearch}/samba/netcmd/pso.py*
%{python_sitearch}/samba/netcmd/schema.py*
%{python_sitearch}/samba/netcmd/sites.py*
%{python_sitearch}/samba/netcmd/spn.py*
%{python_sitearch}/samba/netcmd/testparm.py*
%{python_sitearch}/samba/netcmd/user.py*
%{python_sitearch}/samba/ntacls.py*
%{python_sitearch}/samba/ntstatus.so
%{python_sitearch}/samba/param.so
%{python_sitearch}/samba/policy.so
%{python_sitearch}/samba/posix_eadb.so
%{python_sitearch}/samba/registry.so
%{python_sitearch}/samba/remove_dc.py*
%dir %{python_sitearch}/samba/samba3
%{python_sitearch}/samba/samba3/__init__.py*
%{python_sitearch}/samba/samba3/libsmb_samba_internal.so
%{python_sitearch}/samba/samba3/param.so
%{python_sitearch}/samba/samba3/passdb.so
%{python_sitearch}/samba/samba3/smbd.so
%{python_sitearch}/samba/sd_utils.py*
%{python_sitearch}/samba/security.so
%{python_sitearch}/samba/sites.py*
%{python_sitearch}/samba/smb.so
%{python_sitearch}/samba/subnets.py*
%dir %{python_sitearch}/samba/subunit
%{python_sitearch}/samba/subunit/__init__.py*
%{python_sitearch}/samba/subunit/run.py*
%{python_sitearch}/samba/tdb_util.py*
%dir %{python_sitearch}/samba/third_party
%{python_sitearch}/samba/third_party/__init__.py*
%{python_sitearch}/samba/upgrade.py*
%{python_sitearch}/samba/upgradehelpers.py*
%{python_sitearch}/samba/werror.so
%{python_sitearch}/samba/xattr.py*
%{python_sitearch}/samba/xattr_native.so
%{python_sitearch}/samba/xattr_tdb.so
%if %{with_dc}
%files python-dc
%defattr(-,root,root,-)
%{python_sitearch}/samba/domain_update.py*
%{python_sitearch}/samba/dckeytab.so
%{python_sitearch}/samba/dsdb.so
%{python_sitearch}/samba/dsdb_dns.so
%{python_sitearch}/samba/dnsserver.py*
%{python_sitearch}/samba/forest_update.py*
%{python_sitearch}/samba/gpclass.py*
%{python_sitearch}/samba/gpo.so
%{python_sitearch}/samba/gp_sec_ext.py*
%{python_sitearch}/samba/mdb_util.py*
%{python_sitearch}/samba/ms_forest_updates_markdown.py*
%{python_sitearch}/samba/ms_schema_markdown.py*
%{python_sitearch}/samba/samdb.py*
%{python_sitearch}/samba/schema.py*
%{python_sitearch}/samba/dcerpc/dnsserver.so
%{python_sitearch}/samba/netcmd/fsmo.py*
%{python_sitearch}/samba/netcmd/rodc.py*
%{python_sitearch}/samba/netcmd/visualize.py*
%dir %{python_sitearch}/samba/kcc
%{python_sitearch}/samba/kcc/__init__.py*
@ -2113,20 +2181,6 @@ rm -rf %{buildroot}
%dir %{python_sitearch}/samba/web_server
%{python_sitearch}/samba/web_server/__init__.py*
%{python_sitearch}/samba/domain_update.py*
%{python_sitearch}/samba/dckeytab.so
%{python_sitearch}/samba/dnsserver.py*
%{python_sitearch}/samba/drs_utils.py*
%{python_sitearch}/samba/dsdb.so
%{python_sitearch}/samba/dsdb_dns.so
%{python_sitearch}/samba/forest_update.py*
%{python_sitearch}/samba/gpclass.py*
%{python_sitearch}/samba/gpo.so
%{python_sitearch}/samba/ms_forest_updates_markdown.py*
%{python_sitearch}/samba/ms_schema_markdown.py*
%{python_sitearch}/samba/samdb.py*
%{python_sitearch}/samba/schema.py*
%endif
%files python-test
@ -2220,7 +2274,6 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/provision.py*
%{python_sitearch}/samba/tests/py_credentials.py*
%{python_sitearch}/samba/tests/registry.py*
%{python_sitearch}/samba/tests/samba3.py*
%{python_sitearch}/samba/tests/samba3sam.py*
%dir %{python_sitearch}/samba/tests/samba_tool
%{python_sitearch}/samba/tests/samba_tool/__init__.py*
@ -2254,8 +2307,6 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/upgradeprovision.py*
%{python_sitearch}/samba/tests/upgradeprovisionneeddc.py*
%{python_sitearch}/samba/tests/xattr.py*
%{python_sitearch}/samba/tests/krb5_credentials.py*
%{python_sitearch}/samba/tests/password_quality.py*
### TEST
%files test
@ -2333,15 +2384,15 @@ rm -rf %{buildroot}
%files -n ctdb
%defattr(-,root,root)
%doc ctdb/README
%doc ctdb/doc/examples
# Obsolete
%config(noreplace, missingok) %{_sysconfdir}/sysconfig/ctdb
%dir %{_sysconfdir}/ctdb
%config(noreplace) %{_sysconfdir}/ctdb/ctdbd.conf
%config(noreplace) %{_sysconfdir}/ctdb/ctdb.conf
%config(noreplace) %{_sysconfdir}/ctdb/notify.sh
%config(noreplace) %{_sysconfdir}/ctdb/debug-hung-script.sh
%config(noreplace) %{_sysconfdir}/ctdb/ctdb-crash-cleanup.sh
%config(noreplace) %{_sysconfdir}/ctdb/gcore_trace.sh
%config(noreplace) %{_sysconfdir}/ctdb/debug_locks.sh
%{_sysconfdir}/ctdb/functions
@ -2351,29 +2402,9 @@ rm -rf %{buildroot}
# CTDB scripts, no config files
# script with executable bit means activated
%dir %{_sysconfdir}/ctdb/events.d
%{_sysconfdir}/ctdb/events.d/00.ctdb
%{_sysconfdir}/ctdb/events.d/01.reclock
%{_sysconfdir}/ctdb/events.d/05.system
%{_sysconfdir}/ctdb/events.d/06.nfs
%{_sysconfdir}/ctdb/events.d/10.external
%{_sysconfdir}/ctdb/events.d/10.interface
%{_sysconfdir}/ctdb/events.d/11.natgw
%{_sysconfdir}/ctdb/events.d/11.routing
%{_sysconfdir}/ctdb/events.d/13.per_ip_routing
%{_sysconfdir}/ctdb/events.d/20.multipathd
%{_sysconfdir}/ctdb/events.d/31.clamd
%{_sysconfdir}/ctdb/events.d/40.vsftpd
%{_sysconfdir}/ctdb/events.d/41.httpd
%{_sysconfdir}/ctdb/events.d/49.winbind
%{_sysconfdir}/ctdb/events.d/50.samba
%{_sysconfdir}/ctdb/events.d/60.nfs
%{_sysconfdir}/ctdb/events.d/70.iscsi
%{_sysconfdir}/ctdb/events.d/91.lvs
%{_sysconfdir}/ctdb/events.d/99.timeout
%{_sysconfdir}/ctdb/events.d/README
%dir %{_sysconfdir}/ctdb/notify.d
%{_sysconfdir}/ctdb/notify.d/README
%dir %{_sysconfdir}/ctdb/events
%dir %{_sysconfdir}/ctdb/events/notification
%{_sysconfdir}/ctdb/events/notification/README
# CTDB scripts, no config files
# script with executable bit means activated
@ -2395,13 +2426,15 @@ rm -rf %{buildroot}
%{_bindir}/onnode
%dir %{_libexecdir}/ctdb
%{_libexecdir}/ctdb/ctdb_event
%{_libexecdir}/ctdb/ctdb_eventd
%{_libexecdir}/ctdb/ctdb-config
%{_libexecdir}/ctdb/ctdb-event
%{_libexecdir}/ctdb/ctdb-eventd
%{_libexecdir}/ctdb/ctdb_killtcp
%{_libexecdir}/ctdb/ctdb_lock_helper
%{_libexecdir}/ctdb/ctdb_lvs
%{_libexecdir}/ctdb/ctdb_mutex_fcntl_helper
%{_libexecdir}/ctdb/ctdb_natgw
%{_libexecdir}/ctdb/ctdb-path
%{_libexecdir}/ctdb/ctdb_recovery_helper
%{_libexecdir}/ctdb/ctdb_takeover_helper
%{_libexecdir}/ctdb/smnotify
@ -2415,7 +2448,9 @@ rm -rf %{buildroot}
%{_mandir}/man1/ltdbtool.1.gz
%{_mandir}/man1/ping_pong.1.gz
%{_mandir}/man1/ctdbd_wrapper.1.gz
%{_mandir}/man5/ctdbd.conf.5.gz
%{_mandir}/man5/ctdb.conf.5.gz
%{_mandir}/man5/ctdb-script.options.5.gz
%{_mandir}/man5/ctdb.sysconfig.5.gz
%{_mandir}/man7/ctdb.7.gz
%{_mandir}/man7/ctdb-tunables.7.gz
%{_mandir}/man7/ctdb-statistics.7.gz
@ -2424,6 +2459,27 @@ rm -rf %{buildroot}
%{_unitdir}/ctdb.service
%dir %{_datadir}/ctdb
%dir %{_datadir}/ctdb/events
%dir %{_datadir}/ctdb/events/legacy/
%{_datadir}/ctdb/events/legacy/00.ctdb.script
%{_datadir}/ctdb/events/legacy/01.reclock.script
%{_datadir}/ctdb/events/legacy/05.system.script
%{_datadir}/ctdb/events/legacy/06.nfs.script
%{_datadir}/ctdb/events/legacy/10.interface.script
%{_datadir}/ctdb/events/legacy/11.natgw.script
%{_datadir}/ctdb/events/legacy/11.routing.script
%{_datadir}/ctdb/events/legacy/13.per_ip_routing.script
%{_datadir}/ctdb/events/legacy/20.multipathd.script
%{_datadir}/ctdb/events/legacy/31.clamd.script
%{_datadir}/ctdb/events/legacy/40.vsftpd.script
%{_datadir}/ctdb/events/legacy/41.httpd.script
%{_datadir}/ctdb/events/legacy/49.winbind.script
%{_datadir}/ctdb/events/legacy/50.samba.script
%{_datadir}/ctdb/events/legacy/60.nfs.script
%{_datadir}/ctdb/events/legacy/70.iscsi.script
%{_datadir}/ctdb/events/legacy/91.lvs.script
%files -n ctdb-tests
%defattr(-,root,root)
%doc ctdb/tests/README
@ -2432,13 +2488,18 @@ rm -rf %{buildroot}
%dir %{_libexecdir}/ctdb
%dir %{_libexecdir}/ctdb/tests
%{_libexecdir}/ctdb/tests/cmdline_test
%{_libexecdir}/ctdb/tests/comm_client_test
%{_libexecdir}/ctdb/tests/comm_server_test
%{_libexecdir}/ctdb/tests/comm_test
%{_libexecdir}/ctdb/tests/conf_test
%{_libexecdir}/ctdb/tests/ctdb_packet_parse
%{_libexecdir}/ctdb/tests/ctdb_takeover_tests
%{_libexecdir}/ctdb/tests/db_hash_test
%{_libexecdir}/ctdb/tests/dummy_client
%{_libexecdir}/ctdb/tests/errcode
%{_libexecdir}/ctdb/tests/event_protocol_test
%{_libexecdir}/ctdb/tests/event_script_test
%{_libexecdir}/ctdb/tests/fake_ctdbd
%{_libexecdir}/ctdb/tests/fetch_loop
%{_libexecdir}/ctdb/tests/fetch_loop_key
@ -2447,6 +2508,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/fetch_ring
%{_libexecdir}/ctdb/tests/g_lock_loop
%{_libexecdir}/ctdb/tests/hash_count_test
%{_libexecdir}/ctdb/tests/line_test
%{_libexecdir}/ctdb/tests/lock_tdb
%{_libexecdir}/ctdb/tests/message_ring
%{_libexecdir}/ctdb/tests/pidfile_test
@ -2456,7 +2518,6 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/protocol_basic_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_test
%{_libexecdir}/ctdb/tests/protocol_event_test
%{_libexecdir}/ctdb/tests/protocol_types_compat_test
%{_libexecdir}/ctdb/tests/protocol_types_test
%{_libexecdir}/ctdb/tests/protocol_util_test
@ -2464,6 +2525,7 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/reqid_test
%{_libexecdir}/ctdb/tests/run_event_test
%{_libexecdir}/ctdb/tests/run_proc_test
%{_libexecdir}/ctdb/tests/sigcode
%{_libexecdir}/ctdb/tests/sock_daemon_test
%{_libexecdir}/ctdb/tests/sock_io_test
%{_libexecdir}/ctdb/tests/srvid_test
@ -2474,11 +2536,11 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/update_record
%{_libexecdir}/ctdb/tests/update_record_persistent
%dir %{_datadir}/ctdb
%dir %{_datadir}/ctdb/tests
%dir %{_datadir}/ctdb/tests/complex
%{_datadir}/ctdb/tests/complex/README
%{_datadir}/ctdb/tests/complex/00_ctdb_init.sh
%{_datadir}/ctdb/tests/complex/11_ctdb_delip_removes_ip.sh
%{_datadir}/ctdb/tests/complex/18_ctdb_reloadips.sh
%{_datadir}/ctdb/tests/complex/30_nfs_tickle_killtcp.sh
@ -2486,7 +2548,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/complex/32_cifs_tickle.sh
%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
@ -2496,16 +2557,28 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/complex/45_failover_nfs_kill.sh
%{_datadir}/ctdb/tests/complex/60_rogueip_releaseip.sh
%{_datadir}/ctdb/tests/complex/61_rogueip_takeip.sh
%{_datadir}/ctdb/tests/complex/90_debug_hung_script.sh
%dir %{_datadir}/ctdb/tests/complex/scripts
%{_datadir}/ctdb/tests/complex/scripts/local.bash
%dir %{_datadir}/ctdb/tests/cunit
%{_datadir}/ctdb/tests/cunit/cmdline_test_001.sh
%{_datadir}/ctdb/tests/cunit/comm_test_001.sh
%{_datadir}/ctdb/tests/cunit/comm_test_002.sh
%{_datadir}/ctdb/tests/cunit/conf_test_001.sh
%{_datadir}/ctdb/tests/cunit/config_test_001.sh
%{_datadir}/ctdb/tests/cunit/config_test_002.sh
%{_datadir}/ctdb/tests/cunit/config_test_003.sh
%{_datadir}/ctdb/tests/cunit/config_test_004.sh
%{_datadir}/ctdb/tests/cunit/config_test_005.sh
%{_datadir}/ctdb/tests/cunit/config_test_006.sh
%{_datadir}/ctdb/tests/cunit/config_test_007.sh
%{_datadir}/ctdb/tests/cunit/db_hash_test_001.sh
%{_datadir}/ctdb/tests/cunit/event_protocol_test_001.sh
%{_datadir}/ctdb/tests/cunit/event_script_test_001.sh
%{_datadir}/ctdb/tests/cunit/hash_count_test_001.sh
%{_datadir}/ctdb/tests/cunit/line_test_001.sh
%{_datadir}/ctdb/tests/cunit/path_tests_001.sh
%{_datadir}/ctdb/tests/cunit/pidfile_test_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_read_001.sh
%{_datadir}/ctdb/tests/cunit/pkt_write_001.sh
@ -2514,7 +2587,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_102.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
%{_datadir}/ctdb/tests/cunit/rb_test_001.sh
@ -2527,6 +2599,36 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/eventd
%{_datadir}/ctdb/tests/eventd/README
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb
%{_datadir}/ctdb/tests/eventd/etc-ctdb/ctdb.conf
%{_datadir}/ctdb/tests/eventd/etc-ctdb/debug-script.sh
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/README
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/data/03.notalink.script
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/empty/README
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/01.test.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/02.test.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/multi/03.test.script
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/01.disabled.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/02.enabled.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/README.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/events/random/a.script
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/01.dummy.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/data/02.disabled.script
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/empty/README
%dir %{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/01.disabled.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/02.enabled.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/a.script
%{_datadir}/ctdb/tests/eventd/etc-ctdb/share/events/random/README.script
%{_datadir}/ctdb/tests/eventd/eventd_001.sh
%{_datadir}/ctdb/tests/eventd/eventd_002.sh
%{_datadir}/ctdb/tests/eventd/eventd_003.sh
@ -2534,6 +2636,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventd/eventd_005.sh
%{_datadir}/ctdb/tests/eventd/eventd_006.sh
%{_datadir}/ctdb/tests/eventd/eventd_007.sh
%{_datadir}/ctdb/tests/eventd/eventd_008.sh
%{_datadir}/ctdb/tests/eventd/eventd_009.sh
%{_datadir}/ctdb/tests/eventd/eventd_011.sh
%{_datadir}/ctdb/tests/eventd/eventd_012.sh
%{_datadir}/ctdb/tests/eventd/eventd_013.sh
@ -2548,13 +2652,12 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventd/eventd_041.sh
%{_datadir}/ctdb/tests/eventd/eventd_042.sh
%{_datadir}/ctdb/tests/eventd/eventd_043.sh
%{_datadir}/ctdb/tests/eventd/eventd_044.sh
%{_datadir}/ctdb/tests/eventd/eventd_051.sh
%{_datadir}/ctdb/tests/eventd/eventd_052.sh
%dir %{_datadir}/ctdb/tests/eventd/scripts
%{_datadir}/ctdb/tests/eventd/scripts/local.sh
%dir %{_datadir}/ctdb/tests/events.d
%{_datadir}/ctdb/tests/events.d/00.test
%dir %{_datadir}/ctdb/tests/eventscripts
%{_datadir}/ctdb/tests/eventscripts/README
%{_datadir}/ctdb/tests/eventscripts/00.ctdb.init.001.sh
@ -2609,8 +2712,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.004.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.005.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.006.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.007.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.008.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.009.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.010.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.monitor.011.sh
@ -2677,29 +2778,18 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.104.sh
@ -2713,7 +2803,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.shutdown.011.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.startup.011.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.102.sh
%{_datadir}/ctdb/tests/eventscripts/60.nfs.monitor.103.sh
@ -2771,13 +2860,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/statd-callout.007.sh
%dir %{_datadir}/ctdb/tests/eventscripts/etc-ctdb
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/events.d
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/functions
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-checks.d
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/nfs-linux-kernel-callout
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/public_addresses
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/rc.local
%{_datadir}/ctdb/tests/eventscripts/etc-ctdb/statd-callout
%dir %{_datadir}/ctdb/tests/eventscripts/etc
%dir %{_datadir}/ctdb/tests/eventscripts/etc/init.d
@ -2788,14 +2872,30 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/etc/samba/smb.conf
%dir %{_datadir}/ctdb/tests/eventscripts/etc/sysconfig
%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/ctdb
%{_datadir}/ctdb/tests/eventscripts/etc/sysconfig/nfs
%dir %{_datadir}/ctdb/tests/eventscripts/scripts
%{_datadir}/ctdb/tests/eventscripts/scripts/local.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/00.ctdb.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/01.reclock.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/05.system.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/06.nfs.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/10.interface.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/11.natgw.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/13.per_ip_routing.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/20.multipathd.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/31.clamd.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/40.vsftpd.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/41.httpd.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/49.winbind.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/50.samba.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/60.nfs.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/91.lvs.sh
%{_datadir}/ctdb/tests/eventscripts/scripts/statd-callout.sh
%dir %{_datadir}/ctdb/tests/eventscripts/stubs
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb-config
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_killtcp
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_lvs
%{_datadir}/ctdb/tests/eventscripts/stubs/ctdb_natgw
@ -2812,8 +2912,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/stubs/killall
%{_datadir}/ctdb/tests/eventscripts/stubs/multipath
%{_datadir}/ctdb/tests/eventscripts/stubs/net
%{_datadir}/ctdb/tests/eventscripts/stubs/netstat
%{_datadir}/ctdb/tests/eventscripts/stubs/nmap
%{_datadir}/ctdb/tests/eventscripts/stubs/pidof
%{_datadir}/ctdb/tests/eventscripts/stubs/pkill
%{_datadir}/ctdb/tests/eventscripts/stubs/ps
@ -2844,8 +2942,9 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/onnode/0071.sh
%{_datadir}/ctdb/tests/onnode/0072.sh
%{_datadir}/ctdb/tests/onnode/0075.sh
%{_datadir}/ctdb/tests/onnode/functions
%{_datadir}/ctdb/tests/onnode/nodes
%dir %{_datadir}/ctdb/tests/onnode/etc-ctdb
%{_datadir}/ctdb/tests/onnode/etc-ctdb/nodes
%dir %{_datadir}/ctdb/tests/onnode/scripts
%{_datadir}/ctdb/tests/onnode/scripts/local.sh
@ -2925,16 +3024,21 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/76_ctdb_pdb_recovery.sh
%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
%{_datadir}/ctdb/tests/simple/79_volatile_db_traverse.sh
%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
%{_datadir}/ctdb/tests/simple/90_debug_hung_script.sh
%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
%{_datadir}/ctdb/tests/simple/functions
# This is a dangling symlink but needed for testing
%{_datadir}/ctdb/tests/simple/nodes
%dir %{_datadir}/ctdb/tests/simple/etc-ctdb
%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events
%dir %{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy
%{_datadir}/ctdb/tests/simple/etc-ctdb/events/legacy/00.test.script
%dir %{_datadir}/ctdb/tests/simple/scripts
%{_datadir}/ctdb/tests/simple/scripts/local.bash
%{_datadir}/ctdb/tests/simple/scripts/local_daemons.bash
%{_datadir}/ctdb/tests/simple/scripts/ssh_local_daemons.sh
%dir %{_datadir}/ctdb/tests/takeover
%{_datadir}/ctdb/tests/takeover/README
@ -2957,14 +3061,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover/lcp2.014.sh
%{_datadir}/ctdb/tests/takeover/lcp2.015.sh
%{_datadir}/ctdb/tests/takeover/lcp2.016.sh
%{_datadir}/ctdb/tests/takeover/lcp2.017.sh
%{_datadir}/ctdb/tests/takeover/lcp2.018.sh
%{_datadir}/ctdb/tests/takeover/lcp2.019.sh
%{_datadir}/ctdb/tests/takeover/lcp2.022.sh
%{_datadir}/ctdb/tests/takeover/lcp2.023.sh
%{_datadir}/ctdb/tests/takeover/lcp2.024.sh
%{_datadir}/ctdb/tests/takeover/lcp2.025.sh
%{_datadir}/ctdb/tests/takeover/lcp2.026.sh
%{_datadir}/ctdb/tests/takeover/lcp2.027.sh
%{_datadir}/ctdb/tests/takeover/lcp2.028.sh
%{_datadir}/ctdb/tests/takeover/lcp2.029.sh
@ -2988,12 +3086,10 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover_helper/012.sh
%{_datadir}/ctdb/tests/takeover_helper/013.sh
%{_datadir}/ctdb/tests/takeover_helper/014.sh
%{_datadir}/ctdb/tests/takeover_helper/015.sh
%{_datadir}/ctdb/tests/takeover_helper/016.sh
%{_datadir}/ctdb/tests/takeover_helper/017.sh
%{_datadir}/ctdb/tests/takeover_helper/018.sh
%{_datadir}/ctdb/tests/takeover_helper/019.sh
%{_datadir}/ctdb/tests/takeover_helper/020.sh
%{_datadir}/ctdb/tests/takeover_helper/021.sh
%{_datadir}/ctdb/tests/takeover_helper/022.sh
%{_datadir}/ctdb/tests/takeover_helper/023.sh
@ -3028,12 +3124,20 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/tool
%{_datadir}/ctdb/tests/tool/README
%{_datadir}/ctdb/tests/tool/ctdb.attach.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.attach.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.attach.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.ban.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.catdb.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.catdb.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.cattdb.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.cattdb.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.continue.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.deletekey.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
@ -3091,11 +3195,15 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.004.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.005.sh
%{_datadir}/ctdb/tests/tool/ctdb.nodestatus.006.sh
%{_datadir}/ctdb/tests/tool/ctdb.pdelete.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.ping.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.pnn.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.process-exists.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.pstore.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.ptrans.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.readkey.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.recmaster.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.recover.001.sh
@ -3146,6 +3254,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.unban.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.unban.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.uptime.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.writekey.001.sh
%dir %{_datadir}/ctdb/tests/tool/scripts
%{_datadir}/ctdb/tests/tool/scripts/local.sh
@ -3153,15 +3262,45 @@ rm -rf %{buildroot}
%endif # with_clustering_support
%changelog
* Fri Aug 02 2019 Daniel Berteaud <daniel@firewall-services.com> 4.8.3-106.1.dc
- Enable JSON logging support
- Enable DC support
* Tue May 28 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-6
- resolves: #1713637 - Fix smbspool with krb5 as CUPS backend
* Wed Mar 20 2019 Andreas Schneider <asn@redhat.com> - 4.8.3-5
- resolves: #1690517 - Fix smbspool as CUPS backend
* Fri May 24 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-6
- related: #1703204 - Fix printing with smbspool as CUPS backend
* Fri May 10 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-5
- resolves: #1703204 - Fix smbspool krb5 authentication
* Thu Mar 28 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-4
- resolves: #1690222 - Fix --max-protocol documentation of smbclient
- resolves: #1518353 - Fix 'net ads join -Uadmin@forestdomain'
- resolves: #1696524 - Fix CVE-2019-3880
* Thu Mar 14 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-3
- resolves: #1479451 - Fix 'net' command auth with Kerberos
- resolves: #1686158 - Fix printing with CUPS
- resolves: #1662408 - Fix username/password printing with CUPS
* Mon Feb 11 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-2
- resolves: #1674403 - Fix panic when setting 'force group' on a share with
an active connections
- resolves: #1670720 - Fix installation of samba-python
- resolves: #1669476 - Fix user lookup via UPN
* Fri Jan 18 2019 Andreas Schneider <asn@redhat.com> - 4.9.1-1
- resolves: #1649434 - Update to version 4.9.1
- resolves: #1648852 - Fix out of bound array access in ctdb
- resolves: #1647960 - Fix segfault in the debug system with hardended build
- resolves: #1644328 - Fix segfault if wrong 'passdb backend' is configured
- resolves: #1650452 - Add smbc_setOptionProtocols()
- resolves: #1659513 - Fix testparm/pdbedit crash
- resolves: #1529301 - Added new 'net ads spn' command
- resolves: #1595277 - Fix manpage for 'net ads lookup'
- resolves: #1600274 - Fix vfs_audit log which does not show full path names
- resolves: #1623140 - Fix handling the 'disable netbios' option
- resolves: #1624227 - Connect to spoolss with the correct version information
- resolves: #1659533 - Fix new file and folder creation with vfs_glusterfs
- resolves: #1579401 - Implement 'net ads leave --keep-account'
- resolves: #1624227 - Fix spoolss client operations against newer Windows
versions
- resolves: #1656405 - Fix looking up local system accounts
* Thu Aug 09 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-4
- resolves: #1614132 - Fix delete-on-close after smb2_find

Loading…
Cancel
Save