Rebase on upstream 4.7.1

tags/samba-4.7.1-99.beta1
Daniel Berteaud 6 years ago
parent eea9c06eb3
commit 690942f67d
  1. 1
      .gitignore
  2. 381
      CVE-2017-12150.patch
  3. 111
      CVE-2017-12151.patch
  4. 141
      CVE-2017-12163.patch
  5. 34
      CVE-2017-7494.patch
  6. 7
      samba-4.6.2.tar.asc
  7. 1
      samba-4.6.2.tar.gz
  8. 72
      samba-4.7-fix_aesni_intel_support.patch
  9. 313
      samba-4.7-fix_samba_with_systemd.patch
  10. 47
      samba-4.7-fix_smb2_client_read_after_free.patch
  11. 165
      samba-4.7-fix_smbclient_volume.patch
  12. 66
      samba-4.7-handle_smb_echo_gracefully.patch
  13. 84
      samba-4.7-net_ads_keytab_list.patch
  14. 6
      samba-4.7.1.tar.asc
  15. 1
      samba-4.7.1.tar.xz
  16. 37
      samba-v4-6-fix-building-with-new-glibc.patch
  17. 1731
      samba-v4-6-fix-cross-realm-refferals.patch
  18. 39
      samba-v4-6-fix-kerberos-debug-message.patch
  19. 293
      samba-v4-6-fix-net-ads-keytab-handling.patch
  20. 245
      samba-v4-6-fix-spoolss-32bit-driver-upload.patch
  21. 211
      samba-v4-6-fix-vfs-expand-msdfs.patch
  22. 74
      samba-v4-6-fix_net_ads_changetrustpw.patch
  23. 194
      samba-v4-6-fix_path_substitutions.patch
  24. 339
      samba-v4-6-fix_smbclient_session_setup_info.patch
  25. 162
      samba-v4-6-fix_smbclient_username_parsing.patch
  26. 227
      samba-v4-6-fix_winbind_child_crash.patch
  27. 76
      samba-v4-6-fix_winbind_normalize_names.patch
  28. 54
      samba-v4.6-credentials-fix-realm.patch
  29. 391
      samba-v4.6-fix_smbpasswd_user_pwd_change.patch
  30. 53
      samba-v4.6-graceful_fsctl_validate_negotiate_info.patch
  31. 543
      samba-v4.6-gss_krb5_import_cred.patch
  32. 179
      samba-v4.6-lib-crypto-implement-samba.crypto-Python-module-for-.patch
  33. 405
      samba-v4.7-config-dynamic-rpc-port-range.patch
  34. 16
      samba.service
  35. 691
      samba.spec
  36. 3
      smb.conf.vendor

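--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+samba.spec.mod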

@ -1,381 +0,0 @@
From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 17:06:21 +0200
Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
username into a specified one
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/include/auth_info.h | 1 +
source3/lib/popt_common.c | 6 +-----
source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
index c6f71ad..8212c27 100644
--- a/source3/include/auth_info.h
+++ b/source3/include/auth_info.h
@@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
const char *username);
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
const char *domain);
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 9928c70..36b5e92 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
void popt_common_credentials_post(void)
{
struct user_auth_info *auth_info = cmdline_auth_info;
- const char *username = NULL;
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
!set_cmdline_auth_info_machine_account_creds(auth_info))
@@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
* correctly parsed yet. If we have a username we need to set it again
* to run the string parser for the username correctly.
*/
- username = get_cmdline_auth_info_username(auth_info);
- if (username != NULL && username[0] != '\0') {
- set_cmdline_auth_info_username(auth_info, username);
- }
+ reset_cmdline_auth_info_username(auth_info);
}
static void popt_common_credentials_callback(poptContext con,
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index ad51a4f..80142e2 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -37,6 +37,7 @@
struct user_auth_info {
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
+ bool got_username;
bool got_pass;
int signing_state;
bool smb_encrypt;
@@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
if (!ok) {
exit(EIO);
}
+ auth_info->got_username = true;
}
const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
@@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
exit(ENOMEM);
}
+ auth_info->got_username = true;
if (strchr_m(username, '%') != NULL) {
auth_info->got_pass = true;
}
}
+void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
+{
+ const char *username = NULL;
+ const char *new_val = NULL;
+
+ if (!auth_info->got_username) {
+ return;
+ }
+
+ username = cli_credentials_get_username(auth_info->creds);
+ if (username == NULL) {
+ return;
+ }
+ if (username[0] == '\0') {
+ return;
+ }
+
+ cli_credentials_parse_string(auth_info->creds,
+ username,
+ CRED_SPECIFIED);
+ new_val = cli_credentials_get_username(auth_info->creds);
+ if (new_val == NULL) {
+ exit(ENOMEM);
+ }
+}
+
const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
{
const char *domain = NULL;
--
1.9.1
From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 3 Nov 2016 17:16:43 +0100
Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/lib/util_cmdline.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index 80142e2..90ee67c 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return SMB_SIGNING_REQUIRED;
+ }
return auth_info->signing_state;
}
--
1.9.1
From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 9 Dec 2016 09:26:32 +0100
Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/pylibsmb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index 59c0998..350c6d4 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
req = cli_full_connection_creds_send(
NULL, self->ev, "myname", host, NULL, 0, share, "?????",
- cli_creds, 0, 0);
+ cli_creds, 0, SMB_SIGNING_DEFAULT);
if (!py_tevent_req_wait_exc(self->ev, req)) {
return -1;
}
--
1.9.1
From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 05:49:46 +0100
Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libgpo/gpo_fetch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 836bc23..3740d4e 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ SMB_SIGNING_REQUIRED);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--
1.9.1
From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:24:14 +0200
Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
cli_credentials_authentication_requested() should check for
NTLM_CCACHE/SIGN/SEAL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
auth/credentials/credentials.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 06648c7..5e3b5e8 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -25,6 +25,7 @@
#include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_internal.h"
+#include "auth/gensec/gensec.h"
#include "libcli/auth/libcli_auth.h"
#include "tevent.h"
#include "param/param.h"
@@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
_PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
{
+ uint32_t gensec_features = 0;
+
if (cred->bind_dn) {
return true;
}
@@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
return true;
}
+ gensec_features = cli_credentials_get_gensec_features(cred);
+ if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SIGN) {
+ return true;
+ }
+
+ if (gensec_features & GENSEC_FEATURE_SEAL) {
+ return true;
+ }
+
return false;
}
--
1.9.1
From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Aug 2017 15:35:49 +0200
Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
smbXcli_conn_signing_mandatory()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
libcli/smb/smbXcli_base.c | 5 +++++
libcli/smb/smbXcli_base.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index b21d796..239e5eb 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
return false;
}
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
+{
+ return conn->mandatory_signing;
+}
+
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
{
set_socket_options(conn->sock_fd, options);
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index e48fc35..2594f07 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
+bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
--
1.9.1
From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 06:07:56 +0100
Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 75012b2..fdcd665 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -26,6 +26,7 @@
#include "trans2.h"
#include "libsmb/nmblib.h"
#include "../libcli/smb/smbXcli_base.h"
+#include "auth/credentials/credentials.h"
/********************************************************************
Important point.
@@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
char *servicename;
char *sharename;
char *newserver, *newshare;
- const char *username;
- const char *password;
- const char *domain;
NTSTATUS status;
int flags = 0;
int signing_state = get_cmdline_auth_info_signing_state(auth_info);
@@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
}
- username = get_cmdline_auth_info_username(auth_info);
- password = get_cmdline_auth_info_password(auth_info);
- domain = get_cmdline_auth_info_domain(auth_info);
- if ((domain == NULL) || (domain[0] == '\0')) {
- domain = lp_workgroup();
- }
-
creds = get_cmdline_auth_info_creds(auth_info);
status = cli_session_setup_creds(c, creds);
if (!NT_STATUS_IS_OK(status)) {
/* If a password was not supplied then
* try again with a null username. */
- if (password[0] || !username[0] ||
- get_cmdline_auth_info_use_kerberos(auth_info) ||
+ if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
+ cli_credentials_authentication_requested(creds) ||
+ cli_credentials_is_anonymous(creds) ||
!NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
{
d_printf("session setup failed: %s\n",
--
1.9.1

@ -1,111 +0,0 @@
From be03c9118e812f93d50c71294fbf9f12bcf2a7f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 14 Aug 2017 12:13:18 +0200
Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
cli_state_is_encryption_on() helper function
This allows to check if the current cli_state uses encryption
(either via unix extentions or via SMB3).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clientgen.c | 13 +++++++++++++
source3/libsmb/proto.h | 1 +
2 files changed, 14 insertions(+)
diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
index bc5c1b1ce3c..3e8523e5ce8 100644
--- a/source3/libsmb/clientgen.c
+++ b/source3/libsmb/clientgen.c
@@ -339,6 +339,19 @@ uint32_t cli_getpid(struct cli_state *cli)
return cli->smb1.pid;
}
+bool cli_state_is_encryption_on(struct cli_state *cli)
+{
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ return smb1cli_conn_encryption_on(cli->conn);
+ }
+
+ if (cli->smb2.tcon == NULL) {
+ return false;
+ }
+
+ return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
+}
+
bool cli_state_has_tcon(struct cli_state *cli)
{
uint16_t tid = cli_state_get_tid(cli);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index 764f3fc1b12..67fa43e4e4a 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -195,6 +195,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
uint16_t cli_state_get_vc_num(struct cli_state *cli);
uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
uint32_t cli_getpid(struct cli_state *cli);
+bool cli_state_is_encryption_on(struct cli_state *cli);
bool cli_state_has_tcon(struct cli_state *cli);
uint16_t cli_state_get_tid(struct cli_state *cli);
uint16_t cli_state_set_tid(struct cli_state *cli, uint16_t tid);
--
2.13.5
From 16d3c8288ae78a686715c242293691c00ec6d7a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 17 Dec 2016 10:36:49 +0100
Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
cli_state_is_encryption_on()
This will keep enforced encryption across dfs referrals.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/libsmb/clidfs.c | 4 ++--
source3/libsmb/libsmb_context.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index c477d7c6a46..99818a681e3 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -980,7 +980,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
"IPC$",
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
@@ -1038,7 +1038,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
dfs_refs[count].share,
dfs_auth_info,
false,
- smb1cli_conn_encryption_on(rootcli->conn),
+ cli_state_is_encryption_on(rootcli),
smbXcli_conn_protocol(rootcli->conn),
0,
0x20,
diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
index ed6ca2b1b9f..b55cf1e2d15 100644
--- a/source3/libsmb/libsmb_context.c
+++ b/source3/libsmb/libsmb_context.c
@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
for (s = context->internal->servers; s; s = s->next) {
num_servers++;
- if (!smb1cli_conn_encryption_on(s->cli->conn)) {
+ if (!cli_state_is_encryption_on(s->cli)) {
return (void *)false;
}
}
--
2.13.5

@ -1,141 +0,0 @@
From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 317143f..7b07078 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
off_t startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
off_t startpos;
const char *data;
@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
goto out;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
off_t startpos;
@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (fsp->print_file == NULL) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);
--
1.9.1

@ -1,34 +0,0 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 0633b5f..c3f0cd8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -475,6 +475,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
{
NTSTATUS status;
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;
--
1.9.1

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQBY3flHbzORW2Vot+oRAmTlAJ9sFlLebbYX3c7rOh1P9btozLmTPQCghScz
DQw3KuAbWCKIgkHcy1zZr2o=
=bIg5
-----END PGP SIGNATURE-----

@ -1 +0,0 @@
.git/annex/objects/75/91/SHA256E-s21097045--927afcc16e444718985e3952de92d34e7b776b9ca0238179d866da18a6441c35.tar.gz/SHA256E-s21097045--927afcc16e444718985e3952de92d34e7b776b9ca0238179d866da18a6441c35.tar.gz

@ -0,0 +1,72 @@
From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 4 Dec 2017 10:49:19 +0100
Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z
noexecstack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 3 +++
1 file changed, 3 insertions(+)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index eb92d6626fe..0ccd9eb1e5b 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -12,6 +12,8 @@ def configure(conf):
raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
else:
raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
+ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
@@ -20,4 +22,5 @@ def build(bld):
bld.SAMBA_LIBRARY('aesni-intel',
source='aesni-intel_asm.c',
cflags='-Wp,-E,-lang-asm',
+ ldflags='-Wl,-z,noexecstack',
private_library=True)
--
2.15.0
From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Dec 2017 11:00:10 +0100
Subject: [PATCH 2/2] third_party: Fix a typo in the option name
Signed-off-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index 0ccd9eb1e5b..f0723a52501 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -9,11 +9,11 @@ def configure(conf):
print("Compiling with Intel AES instructions")
conf.DEFINE('HAVE_AESNI_INTEL', 1)
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
--
2.15.0
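Review bot: The `ldflags='-Wl,-z,noexecstack'` added to the `bld.SAMBA_LIBRARY('aesni-intel', ...)` call in the second hunk of the first embedded patch fixes the stack marking at link time but leaves no record of why the flag is needed, so a later cleanup could drop it as redundant. Presumably the preprocessed assembly in `aesni-intel_asm.c` emits no `.note.GNU-stack` section, in which case the linker marks the whole shared library's PT_GNU_STACK segment executable unless told otherwise; a short comment above the line, `# aesni-intel_asm.c carries no .note.GNU-stack note; force a non-executable stack`, would capture that. Emitting that note from the assembly source itself would address the root cause and turn the link flag into a belt-and-braces measure. It would also be worth having the package build verify that the installed library's PT_GNU_STACK is not executable, so the regression cannot come back silently.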

@ -0,0 +1,313 @@
From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Mon, 21 Aug 2017 15:12:04 +1200
Subject: [PATCH 1/4] s4/smbd: set the process group.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Set the process group in the samba daemon, the --no-process-group option
allows this to be disabled. The no-process-group option needs to be
disabled in self test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
---
selftest/target/Samba4.pm | 2 +-
source4/smbd/server.c | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 772f982cb9d..6a1856ef642 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -158,7 +158,7 @@ sub check_or_start($$$)
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
print "DONE ($pid)\n";
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index a8bad06bed3..ba520e0a8f5 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
{
bool opt_daemon = false;
bool opt_interactive = false;
+ bool opt_no_process_group = false;
int opt;
poptContext pc;
#define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
OPT_DAEMON = 1000,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
- OPT_SHOW_BUILD
+ OPT_SHOW_BUILD,
+ OPT_NO_PROCESS_GROUP,
};
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
"till autotermination", "seconds"},
{"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
"show build info", NULL },
+ {"no-process-group", '\0', POPT_ARG_NONE, NULL,
+ OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }
@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_SHOW_BUILD:
show_build();
break;
+ case OPT_NO_PROCESS_GROUP:
+ opt_no_process_group = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
stdin_event_flags = 0;
}
+#if HAVE_SETPGID
+ /*
+ * If we're interactive we want to set our own process group for
+ * signal management, unless --no-process-group specified.
+ */
+ if (opt_interactive && !opt_no_process_group)
+ setpgid((pid_t)0, (pid_t)0);
+#endif
+
/* catch EOF on stdin */
#ifdef SIGTTIN
signal(SIGTTIN, SIG_IGN);
--
2.15.0
From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 Nov 2017 10:00:52 +0100
Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
---
source4/smbd/server.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index ba520e0a8f5..406f79593b9 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
{
char *path;
TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ exit_daemon("Failed to create memory context",
+ ENOMEM);
+ }
path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
+ if (path == NULL) {
+ exit_daemon("Failed to cleanup temporary files",
+ EINVAL);
+ }
recursive_delete(path);
talloc_free(mem_ctx);
--
2.15.0
From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:18:18 +0100
Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
We are passing the no_process_group to become_daemon() that setsid() is
not called. In case we are double forking, we run in SysV daemon mode,
setsid() should be called!
See:
https://www.freedesktop.org/software/systemd/man/daemon.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
---
source3/smbd/server.c | 2 +-
source4/smbd/server.c | 13 ++++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 181bcd1e123..252b43190d7 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
struct poptOption long_options[] = {
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
+ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
{"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
{"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
{"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 406f79593b9..2349d5c7fa0 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
const char *argv[])
{
bool opt_daemon = false;
+ bool opt_fork = true;
bool opt_interactive = false;
bool opt_no_process_group = false;
int opt;
@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
struct stat st;
enum {
OPT_DAEMON = 1000,
+ OPT_FOREGROUND,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
OPT_SHOW_BUILD,
@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
"Become a daemon (default)", NULL },
+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND,
+ "Run the daemon in foreground", NULL },
{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
"Run interactive (not a daemon)", NULL},
{"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL,
@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_DAEMON:
opt_daemon = true;
break;
+ case OPT_FOREGROUND:
+ opt_fork = false;
+ break;
case OPT_INTERACTIVE:
opt_interactive = true;
break;
@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name,
"not allowed together with -D|--daemon\n\n");
poptPrintUsage(pc, stderr, 0);
return 1;
- } else if (!opt_interactive) {
+ } else if (!opt_interactive && !opt_fork) {
/* default is --daemon */
opt_daemon = true;
}
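Review bot: The rewritten condition `} else if (!opt_interactive && !opt_fork) {` looks inverted: when neither -i nor -F is given, opt_fork is still at its initial value true, so opt_daemon is never set here and the `if (opt_daemon)` block that calls become_daemon() is skipped, even though the help text on the same hunk set still calls daemon mode the default. With -F, opt_fork is false, opt_daemon becomes true and become_daemon(false, opt_no_process_group, false) runs, which is the only path that matches the commit message. Unless opt_daemon is also set somewhere outside the hunk, keeping the original `} else if (!opt_interactive) {` routes both the default and the --foreground case through become_daemon(), with opt_fork alone deciding whether it forks. binary_smbd_main() starts and ends outside the hunk, so the -D/-F combination (opt_daemon true, opt_fork false) is also worth a comment or an explicit conflict check next to the existing -i/-D one.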
@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name,
}
if (opt_daemon) {
- DEBUG(3,("Becoming a daemon.\n"));
- become_daemon(true, false, false);
+ DBG_NOTICE("Becoming a daemon.\n");
+ become_daemon(opt_fork, opt_no_process_group, false);
}
/* Create the memory context to hang everything off. */
--
2.15.0
From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:32:27 +0100
Subject: [PATCH 4/4] systemd: Start processes in foreground and without a
process group
We should not double fork in notify mode, or systemd thinks something went
wrong during startup and sends SIGTERM to the process, so sometimes the
daemon does not start up correctly.
systemd will also handle the process group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77)
---
packaging/systemd/nmb.service | 2 +-
packaging/systemd/samba.service | 2 +-
packaging/systemd/smb.service | 2 +-
packaging/systemd/winbind.service | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
index 992c0cd9d2b..71c93d6088b 100644
--- a/packaging/systemd/nmb.service
+++ b/packaging/systemd/nmb.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/nmbd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
+ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
index 824f89c2030..1b64c3b779d 100644
--- a/packaging/systemd/samba.service
+++ b/packaging/systemd/samba.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/samba $SAMBAOPTIONS
+ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
[Install]
diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
index 6053a5caaa5..adf6684c7d9 100644
--- a/packaging/systemd/smb.service
+++ b/packaging/systemd/smb.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/smbd $SMBDOPTIONS
+ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
index c511488166e..46b3797251d 100644
--- a/packaging/systemd/winbind.service
+++ b/packaging/systemd/winbind.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
+ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
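Review bot: The winbind unit keeps `"$WINBINDOPTIONS"` in double quotes while the nmb, samba and smb units in the same patch pass their options variable unquoted; in systemd's ExecStart expansion a quoted variable stays one argument, so an empty or unset WINBINDOPTIONS is presumably handed to winbindd as an empty-string argv element and a value holding several options arrives as a single one. I would align it with the siblings, `ExecStart=/usr/sbin/winbindd --foreground --no-process-group $WINBINDOPTIONS`, unless the quoting is deliberate. Since `--no-process-group` means the daemon no longer creates its own process group, it is also worth a one-line comment in each unit that cleanup of the child processes now relies on systemd's cgroup-based KillMode rather than on a process group, so an override to KillMode=process would leave children behind.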
--
2.15.0

@ -0,0 +1,47 @@
From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Nov 2017 09:21:30 -0800
Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
---
source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 5d46d543002..237e6bb2b54 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
{
struct cli_smb2_close_fnum_state *state = tevent_req_data(
req, struct cli_smb2_close_fnum_state);
- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
- state->cli->raw_status = status;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ state->cli->raw_status = status;
+ }
+ tevent_req_received(req);
return status;
}
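Review bot: The fix changes when cli->raw_status is written: the removed code assigned it on every call, while the new `if (tevent_req_is_nterror(req, &status))` only stores it on the error path, so after a successful close raw_status keeps whatever an earlier call left there. If callers inspect raw_status after cli_smb2_close_fnum_recv() that is a silent behaviour change on top of the read-after-free fix; storing it unconditionally before the request is freed keeps the old contract, e.g. `tevent_req_is_nterror(req, &status);` followed by `state->cli->raw_status = status;` and then `tevent_req_received(req);`. If dropping the success-path write is intentional, a one-line comment saying that raw_status is only updated on failure would stop the next reader from "fixing" it.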
--
2.15.0.531.g2ccb3012c9-goog

@ -0,0 +1,165 @@
From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 14 Nov 2017 13:52:03 -0800
Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
---
source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
source3/libsmb/cli_smb2_fnum.h | 6 +++
source3/libsmb/clifsinfo.c | 9 ++++
3 files changed, 112 insertions(+)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index a478c41f068..89cb1f479d5 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
return status;
}
+/***************************************************************
+ Wrapper that allows SMB2 to query file system sizes.
+ Synchronous only.
+***************************************************************/
+
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector)
+{
+ NTSTATUS status;
+ uint16_t fnum = 0xffff;
+ DATA_BLOB outbuf = data_blob_null;
+ struct smb2_hnd *ph = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (smbXcli_conn_has_async_calls(cli->conn)) {
+ /*
+ * Can't use sync call while an async call is in flight
+ */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ /* First open the top level directory. */
+ status =
+ cli_smb2_create_fnum(cli, "", 0, /* create_flags */
+ FILE_READ_ATTRIBUTES, /* desired_access */
+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ FILE_SHARE_READ | FILE_SHARE_WRITE |
+ FILE_SHARE_DELETE, /* share_access */
+ FILE_OPEN, /* create_disposition */
+ FILE_DIRECTORY_FILE, /* create_options */
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = map_fnum_to_smb2_handle(cli, fnum, &ph);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
+ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
+
+ status = smb2cli_query_info(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ SMB2_GETINFO_FS, /* in_info_type */
+ /* in_file_info_class */
+ SMB_FS_FULL_SIZE_INFORMATION - 1000,
+ 0xFFFF, /* in_max_output_length */
+ NULL, /* in_input_buffer */
+ 0, /* in_additional_info */
+ 0, /* in_flags */
+ ph->fid_persistent,
+ ph->fid_volatile,
+ frame,
+ &outbuf);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ if (outbuf.length < 32) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ goto fail;
+ }
+
+ *total_allocation_units = BIG_UINT(outbuf.data, 0);
+ *caller_allocation_units = BIG_UINT(outbuf.data, 8);
+ *actual_allocation_units = BIG_UINT(outbuf.data, 16);
+ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
+ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
+
+fail:
+
+ if (fnum != 0xffff) {
+ cli_smb2_close_fnum(cli, fnum);
+ }
+
+ cli->raw_status = status;
+
+ TALLOC_FREE(frame);
+ return status;
+}
+
/***************************************************************
Wrapper that allows SMB2 to query file system attributes.
Synchronous only.
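Review bot: The five fields copied out of outbuf come straight from the server and are only checked for length (`if (outbuf.length < 32)`), not for plausibility, so a misbehaving or hostile server can hand back zero for sectors_per_allocation_unit or bytes_per_sector; any caller that derives a block size or free space by division from these would then divide by zero (the SMB1 path and smbc_statvfs are outside this hunk, so I cannot confirm they do). A cheap guard before the assignments, `if (IVAL(outbuf.data, 24) == 0 || IVAL(outbuf.data, 28) == 0) { status = NT_STATUS_INVALID_NETWORK_RESPONSE; goto fail; }`, keeps the "untrusted response" handling in one place. The `fnum != 0xffff` sentinel in the fail path assumes cli_smb2_create_fnum() leaves fnum untouched on failure; that holds only if the helper never writes a partial value, which is worth a comment on the `uint16_t fnum = 0xffff;` line.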
diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
index 9a709e85d96..c9325b66902 100644
--- a/source3/libsmb/cli_smb2_fnum.h
+++ b/source3/libsmb/cli_smb2_fnum.h
@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
uint64_t *total,
uint64_t *avail);
NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector);
NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
uint16_t fnum,
uint32_t sec_info,
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 119b1216fb2..46236390022 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
uint32_t rdata_count;
NTSTATUS status;
+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
+ return cli_smb2_get_fs_full_size_info(cli,
+ total_allocation_units,
+ caller_allocation_units,
+ actual_allocation_units,
+ sectors_per_allocation_unit,
+ bytes_per_sector);
+ }
+
SSVAL(setup, 0, TRANSACT2_QFSINFO);
SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
--
2.15.0.448.gf294e3d99a-goog

@ -0,0 +1,66 @@
From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 16:20:34 -0700
Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
STATUS_INVALID_PARAMETER from an echo.
It does this if we send a session ID of zero. The server still replied.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
---
source3/client/client.c | 8 +++++++-
source3/libsmb/libsmb_server.c | 11 ++++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index b4a6c7d0389..9c57375881d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -5900,7 +5900,13 @@ static void readline_callback(void)
/* Ping the server to keep the connection alive using SMBecho. */
memset(garbage, 0xf0, sizeof(garbage));
status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
- if (NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ /*
+ * Even if server returns NT_STATUS_INVALID_PARAMETER
+ * it still responded.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
return;
}
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index b0e5926fa65..2d41f2facf3 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
1,
data_blob_const(data, sizeof(data)));
if (!NT_STATUS_IS_OK(status)) {
- return 1;
+ /*
+ * Some NetApp servers return
+ * NT_STATUS_INVALID_PARAMETER.That's OK, they still
+ * replied.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
+ if (!NT_STATUS_EQUAL(status,
+ NT_STATUS_INVALID_PARAMETER)) {
+ return 1;
+ }
}
server->last_echo_time = now;
}
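Review bot: The NetApp NT_STATUS_INVALID_PARAMETER exception is now duplicated verbatim in client.c and libsmb_server.c, so a third echo-based liveness check would have to copy it again; a small shared helper, e.g. `static bool cli_echo_reply_is_alive(NTSTATUS status)` returning true for NT_STATUS_OK or NT_STATUS_INVALID_PARAMETER, would keep the bug-13007 workaround in one place with one comment. The comment in this hunk also reads `NT_STATUS_INVALID_PARAMETER.That's OK` with the space missing after the period. SMBC_check_server() starts outside the hunk.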
--
2.15.0.448.gf294e3d99a-goog

@ -0,0 +1,84 @@
From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Thu, 23 Nov 2017 15:55:21 +0000
Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
malformed"
When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
instead, this function will determine the correct keytab to use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
---
source3/libads/kerberos_keytab.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ff12ec04af6..ffd100c5636 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
return ret;
}
- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ if (keytab_name == NULL) {
+ ret = ads_keytab_open(context, &keytab);
+ } else {
+ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ }
if (ret) {
DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
error_message(ret)));
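Review bot: The error message after the new branch still says `smb_krb5_kt_open failed` even when ret came from ads_keytab_open(), which will mislead anyone debugging a bad "dedicated keytab file" or "kerberos method" setting. Naming the function that actually failed is a one-line change: `DEBUG(1, ("%s failed (%s)\n", keytab_name == NULL ? "ads_keytab_open" : "smb_krb5_kt_open", error_message(ret)));`. ads_keytab_list() starts and ends outside the hunk, so I cannot see whether ads_keytab_open() already logs its own reason; if it does, the message here could simply say "opening keytab failed".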
--
2.15.0
From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 24 Nov 2017 07:06:27 +0000
Subject: [PATCH 2/2] testprogs: Test net ads keytab list
Test that correct keytab is picked up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
---
testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index bbd99b676bd..c5dbaf69ba2 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# if there is no keytab, try and create it
+if [ ! -f $dedicated_keytab_file ]; then
+ if [ $(command -v ktutil) >/dev/null ]; then
+ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
+ fi
+fi
+
+if [ -f $dedicated_keytab_file ]; then
+ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
+fi
+
rm -f $dedicated_keytab_file
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
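Review bot: The ktutil line feeds `$DC_PASSWORD` through printf's format string, so a password containing `%` or a backslash is mangled before it reaches ktutil and the keytab is silently created with the wrong key; passing the text as arguments to a fixed `'%s\n'` format avoids that: `printf '%s\n' "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac" "$DC_PASSWORD" "wkt $dedicated_keytab_file" | ktutil`. The guard `if [ $(command -v ktutil) >/dev/null ]; then` only works by accident (it tests whether the expansion is non-empty while redirecting test's stdout); `if command -v ktutil >/dev/null 2>&1; then` says what is meant. The `addent`/`wkt` syntax is MIT ktutil's, so a comment noting that the fixture is skipped or fails on a Heimdal build would help whoever hits it next.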
--
2.15.0

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew==
=LZI3
-----END PGP SIGNATURE-----

@ -0,0 +1 @@
.git/annex/objects/6z/WQ/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz

@ -1,37 +0,0 @@
From 69c97f1806f72a61f194acaaba7f2b919cb91227 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 5 Jan 2017 09:34:36 +0100
Subject: [PATCH] replace: Include sysmacros.h
In the GNU C Library, "makedev" is defined by <sys/sysmacros.h>. For
historical compatibility, it is currently defined by <sys/types.h> as
well, but it is planned to remove this soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12686
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 0127bdd33b251a52c6ffc44b6cb3b82b16a80741)
---
lib/replace/replace.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/replace/replace.h b/lib/replace/replace.h
index c69a069e4b3..1dbeacfff66 100644
--- a/lib/replace/replace.h
+++ b/lib/replace/replace.h
@@ -171,6 +171,10 @@
#include <sys/types.h>
#endif
+#ifdef HAVE_SYS_SYSMACROS_H
+#include <sys/sysmacros.h>
+#endif
+
#ifdef HAVE_SETPROCTITLE_H
#include <setproctitle.h>
#endif
--
2.12.0


@ -1,39 +0,0 @@
From dc05cb5cd01b3264109ddee8d1bc095cd585e09e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 20 Mar 2017 16:08:20 +0100
Subject: [PATCH] s3:libsmb: Only print error message if kerberos use is forced
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12704
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/cliconnect.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 029c3d4760e..93f873079db 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -349,9 +349,15 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
0 /* no time correction for now */,
NULL);
if (ret != 0) {
- DEBUG(0, ("Kinit for %s to access %s failed: %s\n",
- user_principal, target_hostname,
- error_message(ret)));
+ int dbglvl = DBGLVL_WARNING;
+
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ dbglvl = DBGLVL_ERR;
+ }
+
+ DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
+ user_principal, target_hostname,
+ error_message(ret)));
if (krb5_state == CRED_MUST_USE_KERBEROS) {
TALLOC_FREE(frame);
return krb5_to_nt_status(ret);
--
2.12.0

@ -1,293 +0,0 @@
From e73223b0edc62a6e89f68fe5f0a3c56cd14322de Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:30:37 +0100
Subject: [PATCH 1/5] testprogs: Correctly expand shell parameters
The old behaviour is:
for var in $*
do
echo "$var"
done
And you get this:
$ sh test.sh 1 2 '3 4'
1
2
3
4
Changing it to:
for var in "$@"
do
echo "$var"
done
will correctly expand to:
$ sh test.sh 1 2 '3 4'
1
2
3 4
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Mar 15 05:26:17 CET 2017 on sn-devel-144
(cherry picked from commit acad0adc2977ca26df44e5b22d8b8e991177af71)
---
testprogs/blackbox/subunit.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/testprogs/blackbox/subunit.sh b/testprogs/blackbox/subunit.sh
index 0791d775d27..5c81ce20a11 100755
--- a/testprogs/blackbox/subunit.sh
+++ b/testprogs/blackbox/subunit.sh
@@ -78,7 +78,7 @@ subunit_skip_test () {
testit () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
@@ -93,7 +93,7 @@ testit () {
testit_expect_failure () {
name="$1"
shift
- cmdline="$*"
+ cmdline="$@"
subunit_start_test "$name"
output=`$cmdline 2>&1`
status=$?
--
2.12.0
From 7a729d0c4ff2e423bd500f6e0acd91f2ba766b68 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:11:39 +0100
Subject: [PATCH 2/5] krb5_wrap: Print a warning for an invalid keytab name
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit a6a527e1e83a979ef035c49a087b5e79599c10a4)
---
lib/krb5_wrap/krb5_samba.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 10b42dec53f..fd8e4a96071 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1187,6 +1187,8 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
goto open_keytab;
}
+ DBG_WARNING("ERROR: Invalid keytab name: %s\n", keytab_name_req);
+
return KRB5_KT_BADNAME;
open_keytab:
--
2.12.0
From 8efd7f6c759a65ab83d7ec679915ea2a0d3752f3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:24:52 +0100
Subject: [PATCH 3/5] s3:libads: Correctly handle the keytab kerberos methods
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit ca2d8f3161c647c425c8c1eaaac1837c2e97faad)
---
source3/libads/kerberos_keytab.c | 69 +++++++++++++++++++++++++++++++++-------
1 file changed, 57 insertions(+), 12 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 3c73b089bbb..96df10fcf65 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -34,6 +34,57 @@
#ifdef HAVE_ADS
+/* This MAX_NAME_LEN is a constant defined in krb5.h */
+#ifndef MAX_KEYTAB_NAME_LEN
+#define MAX_KEYTAB_NAME_LEN 1100
+#endif
+
+static krb5_error_code ads_keytab_open(krb5_context context,
+ krb5_keytab *keytab)
+{
+ char keytab_str[MAX_KEYTAB_NAME_LEN] = {0};
+ const char *keytab_name = NULL;
+ krb5_error_code ret = 0;
+
+ switch (lp_kerberos_method()) {
+ case KERBEROS_VERIFY_SYSTEM_KEYTAB:
+ case KERBEROS_VERIFY_SECRETS_AND_KEYTAB:
+ ret = krb5_kt_default_name(context,
+ keytab_str,
+ sizeof(keytab_str) - 2);
+ if (ret != 0) {
+ DBG_WARNING("Failed to get default keytab name");
+ goto out;
+ }
+ keytab_name = keytab_str;
+ break;
+ case KERBEROS_VERIFY_DEDICATED_KEYTAB:
+ keytab_name = lp_dedicated_keytab_file();
+ break;
+ default:
+ DBG_ERR("Invalid kerberos method set (%d)\n",
+ lp_kerberos_method());
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ if (keytab_name == NULL || keytab_name[0] == '\0') {
+ DBG_ERR("Invalid keytab name\n");
+ ret = KRB5_KT_BADNAME;
+ goto out;
+ }
+
+ ret = smb_krb5_kt_open(context, keytab_name, true, keytab);
+ if (ret != 0) {
+ DBG_WARNING("smb_krb5_kt_open failed (%s)\n",
+ error_message(ret));
+ goto out;
+ }
+
+out:
+ return ret;
+}
+
/**********************************************************************
Adds a single service principal, i.e. 'host' to the system keytab
***********************************************************************/
@@ -75,10 +126,8 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
return -1;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -262,10 +311,8 @@ int ads_keytab_flush(ADS_STRUCT *ads)
return ret;
}
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto out;
}
@@ -447,10 +494,8 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
DEBUG(3, (__location__ ": Searching for keytab entries to preserve "
"and update.\n"));
- ret = smb_krb5_kt_open(context, NULL, True, &keytab);
- if (ret) {
- DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
- error_message(ret)));
+ ret = ads_keytab_open(context, &keytab);
+ if (ret != 0) {
goto done;
}
--
2.12.0
From d755048c0797e1c88382d63ae90e6ca0dceebb71 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 17:28:58 +0100
Subject: [PATCH 4/5] param: Allow to specify kerberos method on the
commandline
We support --option for our tools but you cannot set an option where the
value of the option includes a space.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 12d26899a45ce5d05ac4279fa5915318daa4f2e0)
---
lib/param/param_table.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 4b5234a7c9e..9a944ef19b3 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -202,9 +202,13 @@ static const struct enum_list enum_smbd_profiling_level[] = {
static const struct enum_list enum_kerberos_method[] = {
{KERBEROS_VERIFY_SECRETS, "default"},
{KERBEROS_VERIFY_SECRETS, "secrets only"},
+ {KERBEROS_VERIFY_SECRETS, "secretsonly"},
{KERBEROS_VERIFY_SYSTEM_KEYTAB, "system keytab"},
+ {KERBEROS_VERIFY_SYSTEM_KEYTAB, "systemkeytab"},
{KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicated keytab"},
+ {KERBEROS_VERIFY_DEDICATED_KEYTAB, "dedicatedkeytab"},
{KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secrets and keytab"},
+ {KERBEROS_VERIFY_SECRETS_AND_KEYTAB, "secretsandkeytab"},
{-1, NULL}
};
--
2.12.0
From 1916ab4c51bdde58480259d4b45dbcf9c0c46842 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 13 Mar 2017 16:34:05 +0100
Subject: [PATCH 5/5] testprogs: Test 'net ads join' with a dedicated keytab
This checks that a 'net ads join' can create the keytab and make sure we
will not regress in future.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 00e22fe3f63f986978d946e063e19e615cb00ab3)
---
testprogs/blackbox/test_net_ads.sh | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 8e915cdcf1f..99b886f53eb 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -35,6 +35,15 @@ testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed +
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+# Test with kerberos method = secrets and keytab
+dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
+testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+
+testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+rm -f $dedicated_keytab_file
+
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
testit "join+kerberos" $VALGRIND $net_tool ads join -kU$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
--
2.12.0

@ -1,245 +0,0 @@
From 7afb2ec722fa628a3b214252535a8e31aac16f12 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 May 2017 17:48:42 +0200
Subject: [PATCH 1/3] s3:printing: Change to GUID dir if we deal with
COPY_FROM_DIRECTORY
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5b15c7e8908697b157d2593b7caa9be760594a05)
---
source3/printing/nt_printing.c | 51 +++++++++++++++++++++++++++++-------------
1 file changed, 35 insertions(+), 16 deletions(-)
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 394a3e5..49be5d9 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -666,16 +666,18 @@ Determine the correct cVersion associated with an architecture and driver
static uint32_t get_correct_cversion(struct auth_session_info *session_info,
const char *architecture,
const char *driverpath_in,
+ const char *driver_directory,
WERROR *perr)
{
int cversion = -1;
NTSTATUS nt_status;
struct smb_filename *smb_fname = NULL;
- char *driverpath = NULL;
files_struct *fsp = NULL;
connection_struct *conn = NULL;
char *oldcwd;
char *printdollar = NULL;
+ char *printdollar_path = NULL;
+ char *working_dir = NULL;
int printdollar_snum;
*perr = WERR_INVALID_PARAMETER;
@@ -704,12 +706,33 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
return -1;
}
+ printdollar_path = lp_path(talloc_tos(), printdollar_snum);
+ if (printdollar_path == NULL) {
+ *perr = WERR_NOT_ENOUGH_MEMORY;
+ return -1;
+ }
+
+ working_dir = talloc_asprintf(talloc_tos(),
+ "%s/%s",
+ printdollar_path,
+ architecture);
+ /*
+ * If the driver has been uploaded into a temorpary driver
+ * directory, switch to the driver directory.
+ */
+ if (driver_directory != NULL) {
+ working_dir = talloc_asprintf(talloc_tos(), "%s/%s/%s",
+ printdollar_path,
+ architecture,
+ driver_directory);
+ }
+
nt_status = create_conn_struct_cwd(talloc_tos(),
server_event_context(),
server_messaging_context(),
&conn,
printdollar_snum,
- lp_path(talloc_tos(), printdollar_snum),
+ working_dir,
session_info, &oldcwd);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("get_correct_cversion: create_conn_struct "
@@ -731,18 +754,11 @@ static uint32_t get_correct_cversion(struct auth_session_info *session_info,
goto error_free_conn;
}
- /* Open the driver file (Portable Executable format) and determine the
- * deriver the cversion. */
- driverpath = talloc_asprintf(talloc_tos(),
- "%s/%s",
- architecture,
- driverpath_in);
- if (!driverpath) {
- *perr = WERR_NOT_ENOUGH_MEMORY;
- goto error_exit;
- }
-
- nt_status = driver_unix_convert(conn, driverpath, &smb_fname);
+ /*
+ * We switch to the directory where the driver files are located,
+ * so only work on the file names
+ */
+ nt_status = driver_unix_convert(conn, driverpath_in, &smb_fname);
if (!NT_STATUS_IS_OK(nt_status)) {
*perr = ntstatus_to_werror(nt_status);
goto error_exit;
@@ -956,8 +972,11 @@ static WERROR clean_up_driver_struct_level(TALLOC_CTX *mem_ctx,
* NT2K: cversion=3
*/
- *version = get_correct_cversion(session_info, short_architecture,
- *driver_path, &err);
+ *version = get_correct_cversion(session_info,
+ short_architecture,
+ *driver_path,
+ *driver_directory,
+ &err);
if (*version == -1) {
return err;
}
--
2.9.3
From f0c2a79e1312d2f8231940c12e08b09d65d03648 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:11:25 +0200
Subject: [PATCH 2/3] smbtorture:spoolss: Rename the copy_from_directory test
for 64bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 86798a0fa16b4cc89c35d698bffe0b436fc4eb2e)
---
source4/torture/rpc/spoolss.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index 409ba57..c4b7bf1 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11109,7 +11109,8 @@ static bool test_multiple_drivers(struct torture_context *tctx,
}
static bool test_driver_copy_from_directory(struct torture_context *tctx,
- struct dcerpc_pipe *p)
+ struct dcerpc_pipe *p,
+ const char *architecture)
{
struct torture_driver_context *d;
struct spoolss_StringArray *a;
@@ -11125,8 +11126,7 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d = talloc_zero(tctx, struct torture_driver_context);
torture_assert_not_null(tctx, d, "ENOMEM");
- d->local.environment =
- talloc_asprintf(d, SPOOLSS_ARCHITECTURE_x64);
+ d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
d->local.driver_directory =
@@ -11208,6 +11208,12 @@ done:
return ok;
}
+static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11401,8 +11407,8 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
torture_rpc_tcase_add_test(tcase, "multiple_drivers", test_multiple_drivers);
torture_rpc_tcase_add_test(tcase,
- "test_driver_copy_from_directory",
- test_driver_copy_from_directory);
+ "test_driver_copy_from_directory_64",
+ test_driver_copy_from_directory_64);
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
--
2.9.3
From daca3311db095c96a471f49dcfe291e5e048ed19 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 5 May 2017 11:12:02 +0200
Subject: [PATCH 3/3] smbtorture:spoolss: Add a 32bit test for
copy_from_directory
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12761
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 23009b97bf2f831811c4690141db7355537659d0)
---
source4/torture/rpc/spoolss.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/source4/torture/rpc/spoolss.c b/source4/torture/rpc/spoolss.c
index c4b7bf1..e17ac6f 100644
--- a/source4/torture/rpc/spoolss.c
+++ b/source4/torture/rpc/spoolss.c
@@ -11129,8 +11129,13 @@ static bool test_driver_copy_from_directory(struct torture_context *tctx,
d->local.environment = talloc_strdup(d, architecture);
torture_assert_not_null_goto(tctx, d->local.environment, ok, done, "ENOMEM");
- d->local.driver_directory =
- talloc_asprintf(d, "/usr/share/cups/drivers/x64");
+ if (strequal(architecture, SPOOLSS_ARCHITECTURE_x64)) {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/x64");
+ } else {
+ d->local.driver_directory =
+ talloc_strdup(d, "/usr/share/cups/drivers/i386");
+ }
torture_assert_not_null_goto(tctx, d->local.driver_directory, ok, done, "ENOMEM");
d->remote.driver_upload_directory = GUID_string2(d, &guid);
@@ -11214,6 +11219,12 @@ static bool test_driver_copy_from_directory_64(struct torture_context *tctx,
return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_x64);
}
+static bool test_driver_copy_from_directory_32(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+{
+ return test_driver_copy_from_directory(tctx, p, SPOOLSS_ARCHITECTURE_NT_X86);
+}
+
static bool test_del_driver_all_files(struct torture_context *tctx,
struct dcerpc_pipe *p)
{
@@ -11410,6 +11421,10 @@ struct torture_suite *torture_rpc_spoolss_driver(TALLOC_CTX *mem_ctx)
"test_driver_copy_from_directory_64",
test_driver_copy_from_directory_64);
+ torture_rpc_tcase_add_test(tcase,
+ "test_driver_copy_from_directory_32",
+ test_driver_copy_from_directory_32);
+
torture_rpc_tcase_add_test(tcase, "del_driver_all_files", test_del_driver_all_files);
torture_rpc_tcase_add_test(tcase, "del_driver_unused_files", test_del_driver_unused_files);
--
2.9.3

@ -1,211 +0,0 @@
From be3f182c7bda75d531fa60c6d08a734f0098f2cc Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 14 Mar 2017 16:12:20 +0100
Subject: [PATCH] s3:vfs_expand_msdfs: Do not open the remote address as a file
The arguments get passed in the wrong order to read_target_host().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Signed-off-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1115f152de9ec25bc9e5e499874b4a7c92c888c0)
---
source3/modules/vfs_expand_msdfs.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/source3/modules/vfs_expand_msdfs.c b/source3/modules/vfs_expand_msdfs.c
index ffbfa333bad..e42d0098b32 100644
--- a/source3/modules/vfs_expand_msdfs.c
+++ b/source3/modules/vfs_expand_msdfs.c
@@ -147,8 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
return NULL;
}
- targethost = read_target_host(
- ctx, raddr, mapfilename);
+ targethost = read_target_host(ctx, mapfilename, raddr);
if (targethost == NULL) {
DEBUG(1, ("Could not expand target host from file %s\n",
mapfilename));
--
2.12.0
From cf65cc80e8598beef855678118c7c603d4b5729e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 15:32:37 +0100
Subject: [PATCH 1/2] s3:smbd: Pass down remote and local address to
get_referred_path()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit cbf67123e037207662ec0d4e53c55990e21b157e)
---
source3/modules/vfs_default.c | 2 ++
source3/rpc_server/dfs/srv_dfs_nt.c | 6 ++++++
source3/smbd/msdfs.c | 12 +++++++-----
source3/smbd/proto.h | 12 +++++++-----
4 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index e0b6125f7d8..dcae861103d 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -216,6 +216,8 @@ static NTSTATUS vfswrap_get_dfs_referrals(struct vfs_handle_struct *handle,
/* The following call can change cwd. */
status = get_referred_path(r, pathnamep,
+ handle->conn->sconn->remote_address,
+ handle->conn->sconn->local_address,
!handle->conn->sconn->using_smb2,
junction, &consumedcnt, &self_referral);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/dfs/srv_dfs_nt.c b/source3/rpc_server/dfs/srv_dfs_nt.c
index ab2af53c0ba..0a4d6d31b7c 100644
--- a/source3/rpc_server/dfs/srv_dfs_nt.c
+++ b/source3/rpc_server/dfs/srv_dfs_nt.c
@@ -76,6 +76,8 @@ WERROR _dfs_Add(struct pipes_struct *p, struct dfs_Add *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -146,6 +148,8 @@ WERROR _dfs_Remove(struct pipes_struct *p, struct dfs_Remove *r)
}
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status)) {
@@ -374,6 +378,8 @@ WERROR _dfs_GetInfo(struct pipes_struct *p, struct dfs_GetInfo *r)
/* The following call can change the cwd. */
status = get_referred_path(ctx, r->in.dfs_entry_path,
+ p->remote_address,
+ p->local_address,
true, /*allow_broken_path */
jn, &consumedcnt, &self_ref);
if(!NT_STATUS_IS_OK(status) ||
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 61538cec832..3cf82d3b430 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -953,11 +953,13 @@ static NTSTATUS self_ref(TALLOC_CTX *ctx,
**********************************************************************/
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- const char *dfs_path,
- bool allow_broken_path,
- struct junction_map *jucn,
- int *consumedcntp,
- bool *self_referralp)
+ const char *dfs_path,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ bool allow_broken_path,
+ struct junction_map *jucn,
+ int *consumedcntp,
+ bool *self_referralp)
{
struct connection_struct *conn;
char *targetpath = NULL;
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index c1b8201b472..e64457cf9e0 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
@@ -473,11 +473,13 @@ bool is_msdfs_link(connection_struct *conn,
SMB_STRUCT_STAT *sbufp);
struct junction_map;
NTSTATUS get_referred_path(TALLOC_CTX *ctx,
- const char *dfs_path,
- bool allow_broken_path,
- struct junction_map *jucn,
- int *consumedcntp,
- bool *self_referralp);
+ const char *dfs_path,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ bool allow_broken_path,
+ struct junction_map *jucn,
+ int *consumedcntp,
+ bool *self_referralp);
int setup_dfs_referral(connection_struct *orig_conn,
const char *dfs_path,
int max_referral_level,
--
2.13.0
From 8f748924275fa8cb3951c296ad4ba5ca5989ac41 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 15:45:34 +0100
Subject: [PATCH 2/2] s3:smbd: Set up local and remote address for fake
connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12687
Pair-Programmed-With: Ralph Boehme <slow@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit e530e43d67436881fd039877f956f0ad9b562af9)
---
source3/smbd/msdfs.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 3cf82d3b430..c25fb17cee8 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -31,6 +31,7 @@
#include "lib/param/loadparm.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_dfsblobs.h"
+#include "lib/tsocket/tsocket.h"
/**********************************************************************
Parse a DFS pathname of the form \hostname\service\reqpath
@@ -1071,6 +1072,29 @@ NTSTATUS get_referred_path(TALLOC_CTX *ctx,
return status;
}
+ /*
+ * TODO
+ *
+ * The remote and local address should be passed down to
+ * create_conn_struct_cwd.
+ */
+ if (conn->sconn->remote_address == NULL) {
+ conn->sconn->remote_address =
+ tsocket_address_copy(remote_address, conn->sconn);
+ if (conn->sconn->remote_address == NULL) {
+ TALLOC_FREE(pdp);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ if (conn->sconn->local_address == NULL) {
+ conn->sconn->local_address =
+ tsocket_address_copy(local_address, conn->sconn);
+ if (conn->sconn->local_address == NULL) {
+ TALLOC_FREE(pdp);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
/* If this is a DFS path dfs_lookup should return
* NT_STATUS_PATH_NOT_COVERED. */
--
2.13.0

@ -1,74 +0,0 @@
From 646b3c4b920f4ae4d1289eeb10018cd9d069382a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Aug 2017 18:14:23 +0200
Subject: [PATCH 1/2] s3:libads: Fix changing passwords with Kerberos
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
(cherry picked from commit b81ca4f9dcbb378a95fb3ac31bfd9a1cbe505d7d)
---
source3/libads/krb5_setpw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 630c2e46631..bc96ac603b1 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -251,7 +251,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
ret = krb5_set_password(context,
&creds,
discard_const_p(char, newpw),
- princ,
+ NULL,
&result_code,
&result_code_string,
&result_string);
--
2.14.0
From be45f32ffb1504f36b860195b480b661699de049 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 9 Aug 2017 12:14:34 +0200
Subject: [PATCH 2/2] blackbox: Add test for 'net ads changetrustpw'
BUG: BUG: https://bugzilla.samba.org/show_bug.cgi?id=12956
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Aug 11 22:09:27 CEST 2017 on sn-devel-144
(cherry picked from commit e2c0fd36ba54d984b554248aecffd3e4e7f43e1f)
---
testprogs/blackbox/test_net_ads.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index 99b886f53eb..bbd99b676bd 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -33,6 +33,8 @@ testit "join" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD || failed
testit "testjoin" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "changetrustpw" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
# Test with kerberos method = secrets and keytab
@@ -41,6 +43,8 @@ testit "join (decicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
+testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
+
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
rm -f $dedicated_keytab_file
--
2.14.0

@ -1,194 +0,0 @@
From d80f5dc85d6fb9ebfef807932bef10e6c0c86468 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 17 Mar 2017 13:52:57 +0100
Subject: [PATCH 1/3] s3:winbind: Use the correct talloc context for user
information
This fixes the substitution for 'template homedir'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Sat Mar 18 19:47:40 CET 2017 on sn-devel-144
(cherry picked from commit ece5e67bbc027432aeb3d97205ef093a0acda8d5)
---
source3/winbindd/wb_queryuser.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c
index be4d3d3e665..69b4c8dad5a 100644
--- a/source3/winbindd/wb_queryuser.c
+++ b/source3/winbindd/wb_queryuser.c
@@ -329,7 +329,7 @@ static void wb_queryuser_got_group_name(struct tevent_req *subreq)
NTSTATUS status;
const char *domain_name;
- status = wb_lookupsid_recv(subreq, state, &type, &domain_name,
+ status = wb_lookupsid_recv(subreq, state->info, &type, &domain_name,
&state->info->primary_group_name);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
--
2.12.0
From 80fddd3572702bd45565fcc53e75d098c4fb0cf3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 Mar 2017 12:37:08 +0100
Subject: [PATCH 2/3] s3:tests: Add a subsitution test for %D %u %g
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 2be02fdd1ed1d565e28f50d02ff5216391ac0660)
---
selftest/target/Samba3.pm | 19 ++++++++++++++++++-
source3/script/tests/test_substitutions.sh | 9 +++++++--
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5b2c510224..1e053f12297 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -394,16 +394,33 @@ sub setup_admember($$$$)
$substitution_path = "$share_dir/D_SAMBADOMAIN/U_alice/G_domain users";
push(@dirs, $substitution_path);
+ # Using '/' as the winbind separator is a bad idea ...
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN";
+ push(@dirs, $substitution_path);
+
+ $substitution_path = "$share_dir/D_SAMBADOMAIN/u_SAMBADOMAIN/alice/g_SAMBADOMAIN/domain users";
+ push(@dirs, $substitution_path);
+
my $member_options = "
security = ads
workgroup = $dcvars->{DOMAIN}
realm = $dcvars->{REALM}
netbios aliases = foo bar
-[subDUG]
+[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
writeable = yes
+[sub_dug2]
+ path = $share_dir/D_%D/u_%u/g_%g
+ writeable = yes
+
";
my $ret = $self->provision($prefix,
diff --git a/source3/script/tests/test_substitutions.sh b/source3/script/tests/test_substitutions.sh
index 0852ad969f0..1a46f11c85d 100755
--- a/source3/script/tests/test_substitutions.sh
+++ b/source3/script/tests/test_substitutions.sh
@@ -24,9 +24,14 @@ smbclient="$samba_bindir/smbclient"
. $samba_srcdir/testprogs/blackbox/subunit.sh
. $samba_srcdir/testprogs/blackbox/common_test_fns.inc
-SMB_UNC="//$SERVER/subDUG"
+SMB_UNC="//$SERVER/sub_dug"
-test_smbclient "Test login to share with substitution" \
+test_smbclient "Test login to share with substitution (DUG)" \
+ "ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
+
+SMB_UNC="//$SERVER/sub_dug2"
+
+test_smbclient "Test login to share with substitution (Dug)" \
"ls" "$SMB_UNC" "-U$USERNAME%$PASSWORD" || failed=$(expr $failed + 1)
exit $failed
--
2.12.0
From 3868c86ec0800b08c0ef1bf8328b6c1f3cd9437c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 17 Mar 2017 10:04:19 +0100
Subject: [PATCH 3/3] selftest: Define template homedir for 'ad_member' env
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12699
With this set, the samba3.local.nss test for ad_member will ensure that
we correctly substitute those smb.conf options.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 30 04:26:18 CEST 2017 on sn-devel-144
(cherry picked from commit 5f4979509950547e68af7f64ac263d0e0705ee03)
---
nsswitch/tests/test_wbinfo.sh | 17 +++++++++++------
selftest/target/Samba3.pm | 1 +
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index cfe582df068..f9c040e5f43 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -205,13 +205,18 @@ subunit_start_test "$test_name"
# The full name (GECOS) is based on name (the RDN, in this case CN)
# and displayName in winbindd_ads, and is based only on displayName in
# winbindd_msrpc and winbindd_rpc. Allow both versions.
-expected_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
-expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+if test "$TARGET" = "ad_member"; then
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/Domain Users/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/Domain Users/administrator:/bin/false"
+else
+ expected1_line="$DOMAIN/administrator:*:$admin_uid:$gid:Administrator:/home/$DOMAIN/administrator:/bin/false"
+ expected2_line="$DOMAIN/administrator:*:$admin_uid:$gid::/home/$DOMAIN/administrator:/bin/false"
+fi
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
subunit_pass_test "$test_name"
else
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
failed=`expr $failed + 1`
fi
@@ -227,10 +232,10 @@ fi
test_name="confirm output of wbinfo --uid-info against $TARGET"
subunit_start_test "$test_name"
-if test x$passwd_line = x"$expected_line" -o x$passwd_line = x"$expected2_line"; then
+if test "x$passwd_line" = "x$expected1_line" -o "x$passwd_line" = "x$expected2_line"; then
subunit_pass_test "$test_name"
else
- echo "expected '$expected_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
+ echo "expected '$expected1_line' or '$expected2_line' got '$passwd_line'" | subunit_fail_test "$test_name"
failed=`expr $failed + 1`
fi
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 1e053f12297..cb4970828a5 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -412,6 +412,7 @@ sub setup_admember($$$$)
workgroup = $dcvars->{DOMAIN}
realm = $dcvars->{REALM}
netbios aliases = foo bar
+ template homedir = /home/%D/%G/%U
[sub_dug]
path = $share_dir/D_%D/U_%U/G_%G
--
2.12.0

@ -1,339 +0,0 @@
From a57290580b7fcffea9b76991f2dd49ad480d3b64 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 15 Mar 2017 17:04:30 +0000
Subject: [PATCH 1/2] libcli/smb: Fix alignment problems of
smb_bytes_pull_str()
This function needs to get the whole smb buffer in order to get
the alignment for unicode correct.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12824
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e60e77a8afd095bfdb3d678aa48570ca159d9b24)
---
libcli/smb/smb1cli_session.c | 28 +++++++++++++-------------
libcli/smb/smb_util.h | 3 ++-
libcli/smb/util.c | 47 +++++++++++++++++++++++++++++---------------
3 files changed, 47 insertions(+), 31 deletions(-)
diff --git a/libcli/smb/smb1cli_session.c b/libcli/smb/smb1cli_session.c
index 9d92aa6aed4..11614df0ae4 100644
--- a/libcli/smb/smb1cli_session.c
+++ b/libcli/smb/smb1cli_session.c
@@ -210,16 +210,16 @@ static void smb1cli_session_setup_lm21_done(struct tevent_req *subreq)
p = bytes;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
@@ -493,24 +493,24 @@ static void smb1cli_session_setup_nt1_done(struct tevent_req *subreq)
p = bytes;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_primary_domain,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
@@ -754,16 +754,16 @@ static void smb1cli_session_setup_ext_done(struct tevent_req *subreq)
p += out_security_blob_length;
status = smb_bytes_pull_str(state, &state->out_native_os,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
p += ret;
status = smb_bytes_pull_str(state, &state->out_native_lm,
- use_unicode, p,
- bytes+num_bytes-p, &ret);
+ use_unicode, bytes, num_bytes,
+ p, &ret);
if (tevent_req_nterror(req, status)) {
return;
}
diff --git a/libcli/smb/smb_util.h b/libcli/smb/smb_util.h
index 7e6f0a4ebc4..2884786339d 100644
--- a/libcli/smb/smb_util.h
+++ b/libcli/smb/smb_util.h
@@ -38,4 +38,5 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
const uint8_t *bytes, size_t num_bytes);
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
const uint8_t *buf, size_t buf_len,
- size_t *pbuf_consumed);
+ const uint8_t *position,
+ size_t *_consumed);
diff --git a/libcli/smb/util.c b/libcli/smb/util.c
index ef8c9fafa35..7ef909c6077 100644
--- a/libcli/smb/util.c
+++ b/libcli/smb/util.c
@@ -319,29 +319,43 @@ uint8_t *trans2_bytes_push_bytes(uint8_t *buf,
static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
bool ucs2, bool align_odd,
const uint8_t *buf, size_t buf_len,
- size_t *pbuf_consumed)
+ const uint8_t *position,
+ size_t *p_consumed)
{
size_t pad = 0;
+ size_t offset;
char *str = NULL;
size_t str_len = 0;
bool ok;
*_str = NULL;
- if (pbuf_consumed != NULL) {
- *pbuf_consumed = 0;
+ if (p_consumed != NULL) {
+ *p_consumed = 0;
+ }
+
+ if (position < buf) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ offset = PTR_DIFF(position, buf);
+ if (offset > buf_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
if (ucs2 &&
- ((align_odd && (buf_len % 2 == 0)) ||
- (!align_odd && (buf_len % 2 == 1)))) {
- if (buf_len < 1) {
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
- pad = 1;
- buf_len -= pad;
- buf += pad;
+ ((align_odd && (offset % 2 == 0)) ||
+ (!align_odd && (offset % 2 == 1)))) {
+ pad += 1;
+ offset += 1;
+ }
+
+ if (offset > buf_len) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
}
+ buf_len -= offset;
+ buf += offset;
+
if (ucs2) {
buf_len = utf16_len_n(buf, buf_len);
} else {
@@ -361,17 +375,18 @@ static NTSTATUS internal_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str,
return map_nt_error_from_unix_common(errno);
}
- if (pbuf_consumed != NULL) {
- *pbuf_consumed = buf_len + pad;
+ if (p_consumed != NULL) {
+ *p_consumed = buf_len + pad;
}
*_str = str;
- return NT_STATUS_OK;;
+ return NT_STATUS_OK;
}
NTSTATUS smb_bytes_pull_str(TALLOC_CTX *mem_ctx, char **_str, bool ucs2,
const uint8_t *buf, size_t buf_len,
- size_t *_buf_consumed)
+ const uint8_t *position,
+ size_t *_consumed)
{
return internal_bytes_pull_str(mem_ctx, _str, ucs2, true,
- buf, buf_len, _buf_consumed);
+ buf, buf_len, position, _consumed);
}
--
2.13.1
From 460941fe916d787057437412eef64c0ffdd1f65d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 15 Mar 2017 17:04:44 +0000
Subject: [PATCH 2/2] s3:libsmb: add cli_state_update_after_sesssetup() helper
function
This function updates cli->server_{os,type,domain} to valid values
after a session setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12779
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e0069bd2a4820eca17c59d91bd1853f2f053a7a3)
---
source3/libsmb/cliconnect.c | 74 +++++++++++++++++++++++++++++++--------------
1 file changed, 52 insertions(+), 22 deletions(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index a2362ceb863..ef03da17eec 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -372,6 +372,38 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+static NTSTATUS cli_state_update_after_sesssetup(struct cli_state *cli,
+ const char *native_os,
+ const char *native_lm,
+ const char *primary_domain)
+{
+#define _VALID_STR(p) ((p) != NULL && (p)[0] != '\0')
+
+ if (!_VALID_STR(cli->server_os) && _VALID_STR(native_os)) {
+ cli->server_os = talloc_strdup(cli, native_os);
+ if (cli->server_os == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (!_VALID_STR(cli->server_type) && _VALID_STR(native_lm)) {
+ cli->server_type = talloc_strdup(cli, native_lm);
+ if (cli->server_type == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (!_VALID_STR(cli->server_domain) && _VALID_STR(primary_domain)) {
+ cli->server_domain = talloc_strdup(cli, primary_domain);
+ if (cli->server_domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+#undef _VALID_STRING
+ return NT_STATUS_OK;
+}
+
/********************************************************
Utility function to ensure we always return at least
a valid char * pointer to an empty string for the
@@ -762,7 +794,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
subreq, struct tevent_req);
struct cli_sesssetup_blob_state *state = tevent_req_data(
req, struct cli_sesssetup_blob_state);
- struct cli_state *cli = state->cli;
NTSTATUS status;
if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
@@ -784,15 +815,16 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
- }
-
state->status = status;
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ NULL);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
if (state->blob.length != 0) {
/*
* More to send
@@ -1667,14 +1699,12 @@ static void cli_session_setup_creds_done_nt1(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
- }
- if (cli->server_domain == NULL) {
- cli->server_domain = talloc_move(cli, &state->out_primary_domain);
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ state->out_primary_domain);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
ok = smb1cli_conn_activate_signing(cli->conn,
@@ -1707,7 +1737,6 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
subreq, struct tevent_req);
struct cli_session_setup_creds_state *state = tevent_req_data(
req, struct cli_session_setup_creds_state);
- struct cli_state *cli = state->cli;
NTSTATUS status;
status = smb1cli_session_setup_lm21_recv(subreq, state,
@@ -1720,11 +1749,12 @@ static void cli_session_setup_creds_done_lm21(struct tevent_req *subreq)
return;
}
- if (cli->server_os == NULL) {
- cli->server_os = talloc_move(cli, &state->out_native_os);
- }
- if (cli->server_type == NULL) {
- cli->server_type = talloc_move(cli, &state->out_native_lm);
+ status = cli_state_update_after_sesssetup(state->cli,
+ state->out_native_os,
+ state->out_native_lm,
+ NULL);
+ if (tevent_req_nterror(req, status)) {
+ return;
}
tevent_req_done(req);
--
2.13.1

@ -1,162 +0,0 @@
From 7417ea49cc998d07e0208736269b40f8ac3f2c48 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Jun 2017 14:50:33 +0200
Subject: [PATCH 1/2] s3:popt_common: Reparse the username in
popt_common_credentials_post()
When we parse the username in the options handling, the smb.conf file
has not been loaded yet. So we are not aware of a 'winbind separator'
set in the config file.
We need to read and set the username again in the post-processing of the
credentials.
https://bugzilla.samba.org/show_bug.cgi?id=12849
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0caf40ec0196de0de016fda0d4aff0734d498d2b)
---
source3/lib/popt_common.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
index 3589a4fbd2b..9928c708e89 100644
--- a/source3/lib/popt_common.c
+++ b/source3/lib/popt_common.c
@@ -238,6 +238,7 @@ void popt_common_credentials_set_delay_post(void)
void popt_common_credentials_post(void)
{
struct user_auth_info *auth_info = cmdline_auth_info;
+ const char *username = NULL;
if (get_cmdline_auth_info_use_machine_account(auth_info) &&
!set_cmdline_auth_info_machine_account_creds(auth_info))
@@ -248,6 +249,20 @@ void popt_common_credentials_post(void)
}
set_cmdline_auth_info_getpass(auth_info);
+
+ /*
+ * When we set the username during the handling of the options passed to
+ * the binary we haven't loaded the config yet. This means that we
+ * didnn't take the 'winbind separator' into account.
+ *
+ * The username might contain the domain name and thus it hasn't been
+ * correctly parsed yet. If we have a username we need to set it again
+ * to run the string parser for the username correctly.
+ */
+ username = get_cmdline_auth_info_username(auth_info);
+ if (username != NULL && username[0] != '\0') {
+ set_cmdline_auth_info_username(auth_info, username);
+ }
}
static void popt_common_credentials_callback(poptContext con,
--
2.13.1
From 5143e70481e5b47f37a2eb16a8b74bf74d8ec639 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Jun 2017 15:52:23 +0200
Subject: [PATCH 2/2] s3:tests: Add test for smbclient -UDOMAIN+username
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12849
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 20 14:48:33 CEST 2017 on sn-devel-144
(cherry picked from commit e60aeb6f56a26019788442247361ed516bf965af)
---
source3/script/tests/test_smbclient_basic.sh | 62 ++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
2 files changed, 63 insertions(+)
create mode 100755 source3/script/tests/test_smbclient_basic.sh
diff --git a/source3/script/tests/test_smbclient_basic.sh b/source3/script/tests/test_smbclient_basic.sh
new file mode 100755
index 00000000000..90e579b68e9
--- /dev/null
+++ b/source3/script/tests/test_smbclient_basic.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# this runs the file serving tests that are expected to pass with samba3 against shares with various options
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_smbclient_basic.sh SERVER SERVER_IP DOMAIN USERNAME PASSWORD SMBCLIENT <smbclient arguments>
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+SERVER_IP="$2"
+USERNAME="$3"
+PASSWORD="$4"
+smbclient="$5"
+CONFIGURATION="$6"
+shift 6
+ADDARGS="$@"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+test_smbclient() {
+ name="$1"
+ cmd="$2"
+ shift
+ shift
+ echo "test: $name"
+ $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" $@
+ status=$?
+ if [ x$status = x0 ]; then
+ echo "success: $name"
+ else
+ echo "failure: $name"
+ fi
+ return $status
+}
+
+# TEST using \ as the separator (default)
+test_smbclient "smbclient as $DOMAIN\\$USERNAME" 'ls' -U$DOMAIN\\$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
+# TEST using / as the separator (default)
+test_smbclient "smbclient as $DOMAIN/$USERNAME" 'ls' -U$DOMAIN/$USERNAME%$PASSWORD $CONFIGURATION || failed=`expr $failed + 1`
+
+# TEST using 'winbind separator = +'
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD $CONFIGURATION --option=winbindseparator=+ || failed=`expr $failed + 1`
+
+# TEST using 'winbind separator = +' set in a config file
+smbclient_config="$PREFIX/tmpsmbconf"
+cat > $smbclient_config <<EOF
+[global]
+ include = $(echo $CONFIGURATION | cut -d= -f2)
+ winbind separator = +
+EOF
+
+SAVE_CONFIGURATION="$CONFIGURATION"
+CONFIGURATION="--configfile=$smbclient_config"
+test_smbclient "smbclient as $DOMAIN+$USERNAME" 'ls' -U$DOMAIN+$USERNAME%$PASSWORD || failed=`expr $failed + 1`
+CONFIGURATION="$SAVE_CONFIGURATION"
+rm -rf $smbclient_config
+
+exit $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index dfe7866b283..d3cb071b903 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -152,6 +152,7 @@ plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3s
plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+plantestsuite("samba3.blackbox.smbclient_basic", "ad_member", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
for options in ["", "--option=clientntlmv2auth=no", "--option=clientusespnego=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --max-protocol=LANMAN2", "--option=clientntlmv2auth=no --option=clientlanmanauth=yes --option=clientmaxprotocol=NT1"]:
env = "nt4_dc"
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
--
2.13.1

@ -1,227 +0,0 @@
From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 09:57:30 +0100
Subject: [PATCH 1/2] s3:libads: Remove obsolete
smb_krb5_get_ntstatus_from_init_creds()
There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
---
source3/libads/kerberos.c | 169 ----------------------------------------------
1 file changed, 169 deletions(-)
Index: samba-4.6.2/source3/libads/kerberos.c
===================================================================
--- samba-4.6.2.orig/source3/libads/kerberos.c
+++ samba-4.6.2/source3/libads/kerberos.c
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *da
return 0;
}
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
- DATA_BLOB *edata,
- DATA_BLOB *edata_out)
-{
- DATA_BLOB edata_contents;
- ASN1_DATA *data;
- int edata_type;
-
- if (!edata->length) {
- return false;
- }
-
- data = asn1_init(mem_ctx);
- if (data == NULL) {
- return false;
- }
-
- if (!asn1_load(data, *edata)) goto err;
- if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
- if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
- if (!asn1_read_Integer(data, &edata_type)) goto err;
-
- if (edata_type != KRB5_PADATA_PW_SALT) {
- DEBUG(0,("edata is not of required type %d but of type %d\n",
- KRB5_PADATA_PW_SALT, edata_type));
- goto err;
- }
-
- if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
- if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- if (!asn1_end_tag(data)) goto err;
- asn1_free(data);
-
- *edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
- data_blob_free(&edata_contents);
-
- return true;
-
- err:
-
- asn1_free(data);
- return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
- NTSTATUS *nt_status)
-{
- DATA_BLOB edata;
- DATA_BLOB unwrapped_edata;
- TALLOC_CTX *mem_ctx;
- struct KRB5_EDATA_NTSTATUS parsed_edata;
- enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- edata = data_blob(error->e_data->data, error->e_data->length);
-#else
- edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
- dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
- mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
- if (mem_ctx == NULL) {
- data_blob_free(&edata);
- return False;
- }
-
- if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
- data_blob_free(&edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&edata);
-
- ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx,
- &parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- data_blob_free(&unwrapped_edata);
- TALLOC_FREE(mem_ctx);
- return False;
- }
-
- data_blob_free(&unwrapped_edata);
-
- if (nt_status) {
- *nt_status = parsed_edata.ntstatus;
- }
-
- TALLOC_FREE(mem_ctx);
-
- return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
- krb5_principal client,
- krb5_get_init_creds_opt *opt,
- NTSTATUS *nt_status)
-{
- krb5_init_creds_context icc;
- krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- /* HEIMDAL */
- krb5_error error;
-#else
- krb5_error *error = NULL;
-#endif
- bool ok;
-
- code = krb5_init_creds_init(ctx,
- client,
- NULL,
- NULL,
- 0,
- opt,
- &icc);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_init failed with: %s\n",
- error_message(code));
- return false;
- }
-
- code = krb5_init_creds_get_error(ctx,
- icc,
- &error);
- if (code != 0) {
- DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
- error_message(code));
- return false;
- }
- krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
- ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
- krb5_free_error_contents(ctx, &error);
-#else
- ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
- krb5_free_error(ctx, error);
-#endif
-
- return ok;
-}
-
/*
simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const ch
}
out:
if (ntstatus) {
-
- NTSTATUS status;
-
/* fast path */
if (code == 0) {
*ntstatus = NT_STATUS_OK;
goto cleanup;
}
- /* try to get ntstatus code out of krb5_error when we have it
- * inside the krb5_get_init_creds_opt - gd */
-
- if (opt != NULL) {
- bool ok;
-
- ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
- me,
- opt,
- &status);
- if (ok) {
- *ntstatus = status;
- goto cleanup;
- }
- }
-
/* fall back to self-made-mapping */
*ntstatus = krb5_to_nt_status(code);
}
Index: samba-4.6.2/nsswitch/tests/test_wbinfo.sh
===================================================================
--- samba-4.6.2.orig/nsswitch/tests/test_wbinfo.sh
+++ samba-4.6.2/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with d
testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
rm -f $KRB5CCNAME_PATH
exit $failed

@ -1,76 +0,0 @@
From 0eb6274aacc95601cb9a94922a8176935f336f92 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 20 Jun 2017 10:27:07 +0200
Subject: [PATCH] s3:winbind: Fix 'winbind normalize names' in wb_getpwsid()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12851
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/winbindd/wb_getpwsid.c | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
index 8c764f77b08..b0bf6784ba6 100644
--- a/source3/winbindd/wb_getpwsid.c
+++ b/source3/winbindd/wb_getpwsid.c
@@ -63,7 +63,9 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
req, struct wb_getpwsid_state);
struct winbindd_pw *pw = state->pw;
struct wbint_userinfo *info;
+ struct winbindd_domain *domain = NULL;
fstring acct_name, output_username;
+ char *mapped_name = NULL;
char *tmp;
NTSTATUS status;
@@ -83,8 +85,34 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
return;
}
- fill_domain_username(output_username, info->domain_name,
- acct_name, true);
+ domain = find_domain_from_name_noinit(info->domain_name);
+ if (tevent_req_nomem(domain, req)) {
+ return;
+ }
+
+ /*
+ * TODO:
+ * This function should be called in 'idmap winbind child'. It shouldn't
+ * be a blocking call, but for this we need to add a new function for
+ * winbind.idl. This is a fix which can be backported for now.
+ */
+ status = normalize_name_map(state,
+ domain,
+ acct_name,
+ &mapped_name);
+ if (NT_STATUS_IS_OK(status)) {
+ fill_domain_username(output_username,
+ info->domain_name,
+ mapped_name, true);
+ fstrcpy(acct_name, mapped_name);
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(acct_name, mapped_name);
+ } else {
+ fill_domain_username(output_username,
+ info->domain_name,
+ acct_name, true);
+ }
+
strlcpy(pw->pw_name, output_username, sizeof(pw->pw_name));
strlcpy(pw->pw_gecos, info->full_name ? info->full_name : "",
@@ -101,7 +129,7 @@ static void wb_getpwsid_queryuser_done(struct tevent_req *subreq)
TALLOC_FREE(tmp);
tmp = talloc_sub_specified(
- state, info->shell, info->acct_name,
+ state, info->shell, acct_name,
info->primary_group_name, info->domain_name,
pw->pw_uid, pw->pw_gid);
if (tevent_req_nomem(tmp, req)) {
--
2.13.1

@ -1,54 +0,0 @@
commit 4dc389c6ae95b7bd34e762b5362c8a79fbda7c7c
Author: Andreas Schneider <asn@samba.org>
Date: Wed Dec 21 22:17:22 2016 +0100
auth/credentials: Always set the the realm if we set the principal from the ccache
This fixes a bug in gensec_gssapi_client_start() where an invalid realm
is used to get a Kerberos ticket.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 30c07065300281e3a67197fe39ed928346480ff7)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 0e68012..1912c48 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -107,7 +107,8 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
enum credentials_obtained obtained,
const char **error_string)
{
-
+ bool ok;
+ char *realm;
krb5_principal princ;
krb5_error_code ret;
char *name;
@@ -134,11 +135,24 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
return ret;
}
- cli_credentials_set_principal(cred, name, obtained);
-
+ ok = cli_credentials_set_principal(cred, name, obtained);
+ if (!ok) {
+ krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ return ENOMEM;
+ }
free(name);
+ realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
+ princ);
krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
+ if (realm == NULL) {
+ return ENOMEM;
+ }
+ ok = cli_credentials_set_realm(cred, realm, obtained);
+ SAFE_FREE(realm);
+ if (!ok) {
+ return ENOMEM;
+ }
/* set the ccache_obtained here, as it just got set to UNINITIALISED by the calls above */
cred->ccache_obtained = obtained;

@ -1,391 +0,0 @@
From f7046a874ce3ab5d9b4024442daf03e79f25956b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:08:46 +0200
Subject: [PATCH 1/6] s3:libsmb: Pass domain to remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 7a554ee7dcefdff599ebc6fbf4e128b33ffccf29)
---
source3/include/proto.h | 3 ++-
source3/libsmb/passchange.c | 5 +++--
source3/utils/smbpasswd.c | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index baa579995a5..9deb27b416b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -834,7 +834,8 @@ bool get_dc_name(const char *domain,
/* The following definitions come from libsmb/passchange.c */
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str);
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index c89b7ca85d1..48ffba8036f 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -30,7 +30,8 @@
Change a password on a remote machine using IPC calls.
*************************************************************/
-NTSTATUS remote_password_change(const char *remote_machine, const char *user_name,
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
const char *old_passwd, const char *new_passwd,
char **err_str)
{
@@ -55,7 +56,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
creds = cli_session_creds_init(cli,
user_name,
- NULL, /* domain */
+ domain,
NULL, /* realm */
old_passwd,
false, /* use_kerberos */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 437a5e551bb..4d7a3c739bc 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -258,7 +258,8 @@ static NTSTATUS password_change(const char *remote_mach, char *username,
fprintf(stderr, "Invalid remote operation!\n");
return NT_STATUS_UNSUCCESSFUL;
}
- ret = remote_password_change(remote_mach, username,
+ ret = remote_password_change(remote_mach,
+ NULL, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
--
2.14.1
From f215f7c53032689dbdaac96a3a16fa7d3fe3d3c5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:10:06 +0200
Subject: [PATCH 2/6] s3:libsmb: Move prototye of remote_password_change()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit c773844e7529b83b2633671c7bcf1e7b84ad7950)
---
source3/include/proto.h | 7 -------
source3/libsmb/proto.h | 10 ++++++++++
source3/utils/smbpasswd.c | 1 +
3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 9deb27b416b..67e1a9d750e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -832,13 +832,6 @@ bool get_dc_name(const char *domain,
fstring srv_name,
struct sockaddr_storage *ss_out);
-/* The following definitions come from libsmb/passchange.c */
-
-NTSTATUS remote_password_change(const char *remote_machine,
- const char *domain, const char *user_name,
- const char *old_passwd, const char *new_passwd,
- char **err_str);
-
/* The following definitions come from libsmb/smberr.c */
const char *smb_dos_err_name(uint8_t e_class, uint16_t num);
diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
index a583a8ee159..44f4d04cff5 100644
--- a/source3/libsmb/proto.h
+++ b/source3/libsmb/proto.h
@@ -31,6 +31,9 @@
struct smb_trans_enc_state;
struct cli_credentials;
+struct cli_state;
+struct file_info;
+struct print_job_info;
/* The following definitions come from libsmb/cliconnect.c */
@@ -964,4 +967,11 @@ NTSTATUS cli_readlink(struct cli_state *cli, const char *fname,
TALLOC_CTX *mem_ctx, char **psubstitute_name,
char **pprint_name, uint32_t *pflags);
+/* The following definitions come from libsmb/passchange.c */
+
+NTSTATUS remote_password_change(const char *remote_machine,
+ const char *domain, const char *user_name,
+ const char *old_passwd, const char *new_passwd,
+ char **err_str);
+
#endif /* _LIBSMB_PROTO_H_ */
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 4d7a3c739bc..6eb2deb7a3b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -21,6 +21,7 @@
#include "secrets.h"
#include "../librpc/gen_ndr/samr.h"
#include "../lib/util/util_pw.h"
+#include "libsmb/proto.h"
#include "passdb.h"
/*
--
2.14.1
From 7e6e01b965c838494203c964fa5ac55b355bd58a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:13:15 +0200
Subject: [PATCH 3/6] s3:utils: Make strings const passed to password_change()
in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 41a31a71abe144362fc7483fabba39aafa866373)
---
source3/utils/smbpasswd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 6eb2deb7a3b..b0e08cc0e58 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -243,8 +243,9 @@ static char *prompt_for_new_password(bool stdin_get)
Change a password either locally or remotely.
*************************************************************/
-static NTSTATUS password_change(const char *remote_mach, char *username,
- char *old_passwd, char *new_pw,
+static NTSTATUS password_change(const char *remote_mach,
+ const char *username,
+ const char *old_passwd, const char *new_pw,
int local_flags)
{
NTSTATUS ret;
--
2.14.1
From bec5dc7c8b1bca092fa4ea87016bbfdb2750896c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:14:57 +0200
Subject: [PATCH 4/6] s3:utils: Pass domain to password_change() in smbpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit b483340639157fe95777672f5723455c48c3c616)
---
source3/utils/smbpasswd.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index b0e08cc0e58..92712e38f6b 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -244,7 +244,7 @@ static char *prompt_for_new_password(bool stdin_get)
*************************************************************/
static NTSTATUS password_change(const char *remote_mach,
- const char *username,
+ const char *domain, const char *username,
const char *old_passwd, const char *new_pw,
int local_flags)
{
@@ -261,7 +261,7 @@ static NTSTATUS password_change(const char *remote_mach,
return NT_STATUS_UNSUCCESSFUL;
}
ret = remote_password_change(remote_mach,
- NULL, username,
+ domain, username,
old_passwd, new_pw, &err_str);
} else {
ret = local_password_change(username, local_flags, new_pw,
@@ -466,7 +466,8 @@ static int process_root(int local_flags)
}
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name,
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
old_passwd, new_passwd,
local_flags))) {
result = 1;
@@ -566,8 +567,9 @@ static int process_nonroot(int local_flags)
exit(1);
}
- if (!NT_STATUS_IS_OK(password_change(remote_machine, user_name, old_pw,
- new_pw, 0))) {
+ if (!NT_STATUS_IS_OK(password_change(remote_machine,
+ NULL, user_name,
+ old_pw, new_pw, 0))) {
result = 1;
goto done;
}
--
2.14.1
From 72dd200ce430b23a887ddfa73c2b618bf387c583 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 18 Aug 2017 16:17:08 +0200
Subject: [PATCH 5/6] s3:utils: Make sure we authenticate against our SAM name
in smbpasswd
If a local user wants to change his password using smbpasswd and the
machine is a domain member, we need to make sure we authenticate against
our SAM and not ask winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit dc129a968afdac8be70f9756bd18a7bf1f4c3b02)
---
source3/utils/smbpasswd.c | 32 +++++++++++++++++++++++++++-----
1 file changed, 27 insertions(+), 5 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 92712e38f6b..556e6869da7 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -58,7 +58,7 @@ static void usage(void)
printf(" -c smb.conf file Use the given path to the smb.conf file\n");
printf(" -D LEVEL debug level\n");
printf(" -r MACHINE remote machine\n");
- printf(" -U USER remote username\n");
+ printf(" -U USER remote username (e.g. SAM/user)\n");
printf("extra options when run by root or in local mode:\n");
printf(" -a add user\n");
@@ -95,7 +95,7 @@ static int process_options(int argc, char **argv, int local_flags)
user_name[0] = '\0';
- while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LW")) != EOF) {
+ while ((ch = getopt(argc, argv, "c:axdehminjr:sw:R:D:U:LWS:")) != EOF) {
switch(ch) {
case 'L':
if (getuid() != 0) {
@@ -519,6 +519,9 @@ static int process_nonroot(int local_flags)
int result = 0;
char *old_pw = NULL;
char *new_pw = NULL;
+ const char *username = user_name;
+ const char *domain = NULL;
+ char *p = NULL;
if (local_flags & ~(LOCAL_AM_ROOT | LOCAL_SET_PASSWORD)) {
/* Extra flags that we can't honor non-root */
@@ -536,6 +539,15 @@ static int process_nonroot(int local_flags)
}
}
+ /* Allow domain as part of the username */
+ if ((p = strchr_m(user_name, '\\')) ||
+ (p = strchr_m(user_name, '/')) ||
+ (p = strchr_m(user_name, *lp_winbind_separator()))) {
+ *p = '\0';
+ username = p + 1;
+ domain = user_name;
+ }
+
/*
* A non-root user is always setting a password
* via a remote machine (even if that machine is
@@ -544,8 +556,18 @@ static int process_nonroot(int local_flags)
load_interfaces(); /* Delayed from main() */
- if (remote_machine == NULL) {
+ if (remote_machine != NULL) {
+ if (!is_ipaddress(remote_machine)) {
+ domain = remote_machine;
+ }
+ } else {
remote_machine = "127.0.0.1";
+
+ /*
+ * If we deal with a local user, change the password for the
+ * user in our SAM.
+ */
+ domain = get_global_sam_name();
}
if (remote_machine != NULL) {
@@ -568,13 +590,13 @@ static int process_nonroot(int local_flags)
}
if (!NT_STATUS_IS_OK(password_change(remote_machine,
- NULL, user_name,
+ domain, username,
old_pw, new_pw, 0))) {
result = 1;
goto done;
}
- printf("Password changed for user %s\n", user_name);
+ printf("Password changed for user %s\n", username);
done:
SAFE_FREE(old_pw);
--
2.14.1
From 7d8aae447a411eb4903850c30366a18d1714f7c0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 22 Aug 2017 15:46:07 +0200
Subject: [PATCH 6/6] s3:utils: Remove pointless if-clause for remote_machine
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12975
Review with: git show -U20
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
(cherry picked from commit 4a4bfcb539b4489f397b2bc9369215b7e03e620e)
---
source3/utils/smbpasswd.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/source3/utils/smbpasswd.c b/source3/utils/smbpasswd.c
index 556e6869da7..fb7ad283995 100644
--- a/source3/utils/smbpasswd.c
+++ b/source3/utils/smbpasswd.c
@@ -570,12 +570,10 @@ static int process_nonroot(int local_flags)
domain = get_global_sam_name();
}
- if (remote_machine != NULL) {
- old_pw = get_pass("Old SMB password:",stdin_passwd_get);
- if (old_pw == NULL) {
- fprintf(stderr, "Unable to get old password.\n");
- exit(1);
- }
+ old_pw = get_pass("Old SMB password:",stdin_passwd_get);
+ if (old_pw == NULL) {
+ fprintf(stderr, "Unable to get old password.\n");
+ exit(1);
}
if (!new_passwd) {
--
2.14.1

@ -1,53 +0,0 @@
From fbef6bd05629e3f5939317bd073a2281fcc3b636 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 30 May 2017 16:30:33 +0200
Subject: [PATCH] libcli:smb2: Gracefully handle not supported for
FSCTL_VALIDATE_NEGOTIATE_INFO
If FSCTL_VALIDATE_NEGOTIATE_INFO is not implemented, e.g. in a SMB2 only
server then gracefully handle NT_STATUS_NOT_SUPPORTED too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12808
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Jun 15 17:32:45 CEST 2017 on sn-devel-144
(cherry picked from commit a4d9438ecf92614a0915b9cf61f905ea8170043a)
---
libcli/smb/smbXcli_base.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index a7b24f01497..593edf9ce78 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5321,6 +5321,21 @@ static void smb2cli_validate_negotiate_info_done(struct tevent_req *subreq)
tevent_req_done(req);
return;
}
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ /*
+ * The response was signed, but not supported
+ *
+ * This might be returned by older Windows versions or by
+ * NetApp SMB server implementations.
+ *
+ * See
+ *
+ * https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/
+ *
+ */
+ tevent_req_done(req);
+ return;
+ }
if (tevent_req_nterror(req, status)) {
return;
}
--
2.13.1.518.g3df882009-goog

@ -1,543 +0,0 @@
From 334a4870cbbfefcd09c10f432a320ceaac29a14a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 17:08:09 +0200
Subject: [PATCH 1/6] gssapi: check for gss_acquire_cred_from
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d630a364f9d74443e482934f76cd7107c331e108)
---
wscript_configure_system_mitkrb5 | 1 +
1 file changed, 1 insertion(+)
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index 06a9821..d3e8ebf 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -92,6 +92,7 @@ conf.CHECK_FUNCS_IN('''
gsskrb5_extract_authz_data_from_sec_context
gss_krb5_export_lucid_sec_context
gss_import_cred gss_export_cred
+ gss_acquire_cred_from
''', 'gssapi gssapi_krb5')
conf.CHECK_VARIABLE('GSS_KRB5_CRED_NO_CI_FLAGS_X', headers=possible_gssapi_headers)
conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
--
2.9.3
From 4b4a95436a56ee91e6bef8e905656c387ce2f62c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:14:57 +0200
Subject: [PATCH 2/6] lib/krb5_wrap: add smb_gss_krb5_import_cred wrapper
Wrap gss_krb5_import_cred() to allow re-implementing it with
gss_acquire_cred_from() for newer MIT versions. gss_acquire_cred_from()
works fine with GSSAPI interposer (GSS-proxy) while
gss_krb5_import_cred() is not interposed yet.
The wrapper has additional parameter, krb5_context handle, to facilitate
with credentials cache name discovery. All our callers to
gss_krb5_import_cred() already have krb5 context handy.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0e6e8dd2600c699a7a02e3d11fed21b5bc49858d)
---
lib/krb5_wrap/gss_samba.c | 121 ++++++++++++++++++++++++++++++++++++++++++++++
lib/krb5_wrap/gss_samba.h | 13 +++++
2 files changed, 134 insertions(+)
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index b444633..757ffc5 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -48,4 +48,125 @@ int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid)
}
#endif /* !HAVE_GSS_OID_EQUAL */
+
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSSPROXY while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve ccache name.
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
+ krb5_ccache id, krb5_principal keytab_principal,
+ krb5_keytab keytab, gss_cred_id_t *cred)
+{
+ uint32_t major_status = 0;
+
+#if HAVE_GSS_ACQUIRE_CRED_FROM
+ uint32_t minor = 0;
+ gss_key_value_element_desc ccache_element = {
+ .key = "ccache",
+ .value = NULL,
+ };
+
+ gss_key_value_element_desc keytab_element = {
+ .key = "keytab",
+ .value = NULL,
+ };
+
+ gss_key_value_element_desc elements[2];
+
+ gss_key_value_set_desc cred_store = {
+ .elements = &ccache_element,
+ .count = 1,
+ };
+
+ gss_OID_set mech_set = GSS_C_NO_OID_SET;
+ gss_cred_usage_t cred_usage = GSS_C_INITIATE;
+ gss_name_t name = NULL;
+ gss_buffer_desc pr_name = {
+ .value = NULL,
+ .length = 0,
+ };
+
+ if (id != NULL) {
+ major_status = krb5_cc_get_full_name(ctx,
+ id,
+ discard_const(&ccache_element.value));
+ if (major_status != 0) {
+ return major_status;
+ }
+ }
+
+ if (keytab != NULL) {
+ keytab_element.value = malloc(4096);
+ if (!keytab_element.value) {
+ return ENOMEM;
+ }
+ major_status = krb5_kt_get_name(ctx,
+ keytab,
+ discard_const(keytab_element.value), 4096);
+ if (major_status != 0) {
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ cred_usage = GSS_C_ACCEPT;
+ cred_store.elements = &keytab_element;
+
+ if (keytab_principal != NULL) {
+ major_status = krb5_unparse_name(ctx, keytab_principal, (char**)&pr_name.value);
+ if (major_status != 0) {
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ pr_name.length = strlen(pr_name.value);
+
+ major_status = gss_import_name(minor_status,
+ &pr_name,
+ discard_const(GSS_KRB5_NT_PRINCIPAL_NAME),
+ &name);
+ if (major_status != 0) {
+ krb5_free_unparsed_name(ctx, pr_name.value);
+ free(discard_const(keytab_element.value));
+ return major_status;
+ }
+ }
+ }
+
+ if (id != NULL && keytab != NULL) {
+ elements[0] = ccache_element;
+ elements[1] = keytab_element;
+
+ cred_store.elements = elements;
+ cred_store.count = 2;
+ cred_usage = GSS_C_BOTH;
+ }
+
+ major_status = gss_acquire_cred_from(minor_status,
+ name,
+ 0,
+ mech_set,
+ cred_usage,
+ &cred_store,
+ cred,
+ NULL,
+ NULL);
+
+ if (pr_name.value != NULL) {
+ (void)gss_release_name(&minor, &name);
+ krb5_free_unparsed_name(ctx, pr_name.value);
+ }
+ if (keytab_element.value != NULL) {
+ free(discard_const(keytab_element.value));
+ }
+ krb5_free_string(ctx, discard_const(ccache_element.value));
+#else
+ major_status = gss_krb5_import_cred(minor_status,
+ id,
+ keytab_principal,
+ keytab, cred);
+#endif
+ return major_status;
+}
+
+
#endif /* HAVE_GSSAPI */
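Review bot: The error paths in the gss_acquire_cred_from() branch of smb_gss_krb5_import_cred() both leak and mis-report: once krb5_cc_get_full_name() has filled ccache_element.value, every later early return (the malloc failure, krb5_kt_get_name(), krb5_unparse_name(), gss_import_name()) returns without krb5_free_string() on it, and those returns hand a krb5_error_code or ENOMEM back as the GSS major status without touching *minor_status, so a caller testing `maj_stat == GSS_S_FAILURE` with a KRB5_* minor code cannot recognise them. A single cleanup label that releases name, pr_name, keytab_element and ccache_element on every path, with krb5 failures mapped to `*minor_status = ret; major_status = GSS_S_FAILURE;`, fixes both. The 4096-byte keytab-name buffer could also be a stack array, since krb5_kt_get_name() is given its size.
```c
uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
				  krb5_ccache id, krb5_principal keytab_principal,
				  krb5_keytab keytab, gss_cred_id_t *cred)
{
	uint32_t major_status = GSS_S_FAILURE;

#if HAVE_GSS_ACQUIRE_CRED_FROM
	krb5_error_code ret;
	/* … unchanged: element, cred_store, mech_set, cred_usage, name, pr_name declarations … */

	if (id != NULL) {
		ret = krb5_cc_get_full_name(ctx, id,
					    discard_const(&ccache_element.value));
		if (ret != 0) {
			*minor_status = ret;
			goto out;		/* major_status is GSS_S_FAILURE */
		}
	}

	if (keytab != NULL) {
		keytab_element.value = malloc(4096);
		if (keytab_element.value == NULL) {
			*minor_status = ENOMEM;
			goto out;
		}
		ret = krb5_kt_get_name(ctx, keytab,
				       discard_const(keytab_element.value), 4096);
		if (ret != 0) {
			*minor_status = ret;
			goto out;
		}
		/* … unchanged: cred_usage/element selection and principal import,
		 * each failure setting *minor_status and jumping to out … */
	}

	/* … unchanged: GSS_C_BOTH setup and the gss_acquire_cred_from() call … */

out:
	if (name != GSS_C_NO_NAME) {
		(void)gss_release_name(&minor, &name);
	}
	if (pr_name.value != NULL) {
		krb5_free_unparsed_name(ctx, pr_name.value);
	}
	free(discard_const(keytab_element.value));
	krb5_free_string(ctx, discard_const(ccache_element.value));
#else
	/* … unchanged: gss_krb5_import_cred() path … */
#endif
	return major_status;
}
```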
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h
index 5319932..89aee34 100644
--- a/lib/krb5_wrap/gss_samba.h
+++ b/lib/krb5_wrap/gss_samba.h
@@ -25,6 +25,7 @@
#ifdef HAVE_GSSAPI
#include "system/gssapi.h"
+#include "krb5_samba.h"
#if defined(HAVE_GSS_OID_EQUAL)
#define smb_gss_oid_equal gss_oid_equal
@@ -32,5 +33,17 @@
int smb_gss_oid_equal(const gss_OID first_oid, const gss_OID second_oid);
#endif /* HAVE_GSS_OID_EQUAL */
+/* wrapper around gss_krb5_import_cred() that prefers to use gss_acquire_cred_from()
+ * if this GSSAPI extension is available. gss_acquire_cred_from() is properly
+ * interposed by GSS-proxy while gss_krb5_import_cred() is not.
+ *
+ * This wrapper requires a proper krb5_context to resolve the ccache name for
+ * gss_acquire_cred_from().
+ *
+ * All gss_krb5_import_cred() callers in Samba already have krb5_context available. */
+uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx,
+ krb5_ccache id, krb5_principal keytab_principal,
+ krb5_keytab keytab, gss_cred_id_t *cred);
+
#endif /* HAVE_GSSAPI */
#endif /* _GSS_SAMBA_H */
--
2.9.3
From f06fafce32a27acf4028ab573297c64189b62e30 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:57:13 +0200
Subject: [PATCH 3/6] credentials_krb5: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ca8fd793930173b4e625d3f286739de214155bc1)
---
auth/credentials/credentials_krb5.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e974df9..0e68012 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -579,8 +579,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ENOMEM;
}
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+ ccache->ccache, NULL, NULL,
+ &gcc->creds);
if ((maj_stat == GSS_S_FAILURE) &&
(min_stat == (OM_uint32)KRB5_CC_END ||
min_stat == (OM_uint32)KRB5_CC_NOTFOUND ||
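Review bot: The retry-after-kinit detection following the new call still tests `maj_stat == GSS_S_FAILURE` together with the KRB5_CC_* minor codes that gss_krb5_import_cred() reports; whether smb_gss_krb5_import_cred() preserves that mapping on its gss_acquire_cred_from() path is not visible here, and a failure in its krb5_cc_get_full_name() step comes back as a raw krb5 code in maj_stat, which this condition will never match. A comment such as `/* assumes the wrapper reports a missing/empty ccache as GSS_S_FAILURE with a KRB5_CC_* minor, as gss_krb5_import_cred() does */` records the dependency until the wrapper guarantees it. cli_credentials_get_client_gss_creds() starts before this hunk and continues after it.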
@@ -597,8 +598,9 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
- maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, ccache->smb_krb5_context->krb5_context,
+ ccache->ccache, NULL, NULL,
+ &gcc->creds);
}
@@ -609,7 +611,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
} else {
ret = EINVAL;
}
- (*error_string) = talloc_asprintf(cred, "gss_krb5_import_cred failed: %s", error_message(ret));
+ (*error_string) = talloc_asprintf(cred, "smb_gss_krb5_import_cred failed: %s", error_message(ret));
return ret;
}
@@ -1076,12 +1078,14 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred,
if (ktc->password_based || obtained < CRED_SPECIFIED) {
/* This creates a GSSAPI cred_id_t for match-by-key with only the keytab set */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, NULL, ktc->keytab,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+ NULL, NULL, ktc->keytab,
+ &gcc->creds);
} else {
/* This creates a GSSAPI cred_id_t with the principal and keytab set, matching by name */
- maj_stat = gss_krb5_import_cred(&min_stat, NULL, princ, ktc->keytab,
- &gcc->creds);
+ maj_stat = smb_gss_krb5_import_cred(&min_stat, smb_krb5_context->krb5_context,
+ NULL, princ, ktc->keytab,
+ &gcc->creds);
}
if (maj_stat) {
if (min_stat) {
--
2.9.3
From 5305bffd4c72a85cc6c3148222ef7e346cbe3d87 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:57:50 +0200
Subject: [PATCH 4/6] libads: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 520167992bd2477bc11920d2dc9ec87f2cb339c9)
---
source3/libads/sasl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 8570788..30127fa 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -372,7 +372,7 @@ static ADS_STATUS ads_init_gssapi_cred(ADS_STRUCT *ads, gss_cred_id_t *cred)
goto done;
}
- maj = gss_krb5_import_cred(&min, kccache, NULL, NULL, cred);
+ maj = smb_gss_krb5_import_cred(&min, kctx, kccache, NULL, NULL, cred);
if (maj != GSS_S_COMPLETE) {
status = ADS_ERROR_GSS(maj, min);
goto done;
--
2.9.3
From 1dbc68f9bee19a9c26825cc5be7d81951dcac710 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 3 Mar 2017 16:58:14 +0200
Subject: [PATCH 5/6] s3-gse: convert to use smb_gss_krb5_import_cred
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3d733d5791a6d82edda13ac39790bd8ba893f3d7)
---
source3/librpc/crypto/gse.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index abf20bc..f4238f3 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -252,11 +252,12 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
- gss_maj = gss_krb5_import_cred(&gss_min,
- gse_ctx->ccache,
- NULL, /* keytab_principal */
- NULL, /* keytab */
- &gse_ctx->creds);
+ gss_maj = smb_gss_krb5_import_cred(&gss_min,
+ gse_ctx->k5ctx,
+ gse_ctx->ccache,
+ NULL, /* keytab_principal */
+ NULL, /* keytab */
+ &gse_ctx->creds);
if (gss_maj) {
char *ccache = NULL;
int kret;
@@ -268,7 +269,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
ccache = NULL;
}
- DEBUG(5, ("gss_krb5_import_cred ccache[%s] failed with [%s] -"
+ DEBUG(5, ("smb_gss_krb5_import_cred ccache[%s] failed with [%s] -"
"the caller may retry after a kinit.\n",
ccache, gse_errstr(gse_ctx, gss_maj, gss_min)));
SAFE_FREE(ccache);
@@ -430,12 +431,13 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
}
/* This creates a GSSAPI cred_id_t with the keytab set */
- gss_maj = gss_krb5_import_cred(&gss_min, NULL, NULL, gse_ctx->keytab,
- &gse_ctx->creds);
+ gss_maj = smb_gss_krb5_import_cred(&gss_min, gse_ctx->k5ctx,
+ NULL, NULL, gse_ctx->keytab,
+ &gse_ctx->creds);
if (gss_maj != 0
&& gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
- DEBUG(0, ("gss_krb5_import_cred failed with [%s]\n",
+ DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
--
2.9.3
From 3c9390d26cf12e483d98f005b43da7b10348753d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 8 Mar 2017 12:38:49 +0200
Subject: [PATCH 6/6] s3-gse: move krb5 fallback to smb_gss_krb5_import_cred
wrapper
MIT krb5 1.9 version of gss_krb5_import_cred() may fail when importing
credentials from a keytab without specifying actual principal.
This was fixed in MIT krb5 1.9.2 (see commit
71c3be093db577aa52f6b9a9a3a9f442ca0d8f20 in MIT krb5-1.9 branch, git
master's version is bd18687a705a8a6cdcb7c140764d1a7c6a3381b5).
Move the fallback code into the smb_gss_krb5_import_cred wrapper. We only
expect this fallback to happen with the krb5 GSSAPI mechanism, so the krb5
mech is hard-coded when calling gss_acquire_cred().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12611
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Wed Mar 8 22:00:24 CET 2017 on sn-devel-144
(cherry picked from commit 57286d57732d49fdb8b8e21f584787cdbc917c32)
---
lib/krb5_wrap/gss_samba.c | 46 +++++++++++++++++++++++++++++++++++++++---
source3/librpc/crypto/gse.c | 49 +--------------------------------------------
2 files changed, 44 insertions(+), 51 deletions(-)
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index 757ffc5..9e5ad4a 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -161,9 +161,49 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
krb5_free_string(ctx, discard_const(ccache_element.value));
#else
major_status = gss_krb5_import_cred(minor_status,
- id,
- keytab_principal,
- keytab, cred);
+ id,
+ keytab_principal,
+ keytab, cred);
+
+ if (major_status == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+ if ((keytab_principal == NULL) && (keytab != NULL)) {
+ /* No principal was specified and MIT krb5 1.9 version failed.
+ * We have to fall back to set global acceptor identity */
+ gss_OID_set_desc mech_set;
+ char *kt_name = NULL;
+
+ kt_name = malloc(4096);
+ if (!kt_name) {
+ return ENOMEM;
+ }
+
+ major_status = krb5_kt_get_name(ctx,
+ keytab,
+ kt_name, 4096);
+ if (major_status != 0) {
+ free(kt_name);
+ return major_status;
+ }
+
+ major_status = gsskrb5_register_acceptor_identity(kt_name);
+ if (major_status) {
+ free(kt_name);
+ return major_status;
+ }
+
+ /* We are dealing with krb5 GSSAPI mech in this fallback */
+ mech_set.count = 1;
+ mech_set.elements = gss_mech_krb5;
+ major_status = gss_acquire_cred(minor_status,
+ GSS_C_NO_NAME,
+ GSS_C_INDEFINITE,
+ &mech_set,
+ GSS_C_ACCEPT,
+ cred,
+ NULL, NULL);
+ free(kt_name);
+ }
+ }
#endif
return major_status;
}
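Review bot: The fallback's gsskrb5_register_acceptor_identity(kt_name) changes the default acceptor keytab for the whole process, not just for the credential being built, and the FIXME that documented exactly that in gse.c is deleted by this same patch without being carried over. A comment above the call such as `/* NOTE: this registers kt_name as the process-wide default acceptor keytab; every other acceptor in this process will pick it up. */` keeps the caveat where the code now lives. The two early returns on the malloc and krb5_kt_get_name() failures also hand ENOMEM or a krb5_error_code back as the GSS major status without setting *minor_status, unlike the gss_acquire_cred() result a few lines later; `*minor_status = ret; return GSS_S_FAILURE;` would keep the function's contract uniform.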
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index f4238f3..a111320 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -435,58 +435,11 @@ static NTSTATUS gse_init_server(TALLOC_CTX *mem_ctx,
NULL, NULL, gse_ctx->keytab,
&gse_ctx->creds);
- if (gss_maj != 0
- && gss_maj != (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME)) {
+ if (gss_maj != 0) {
DEBUG(0, ("smb_gss_krb5_import_cred failed with [%s]\n",
gse_errstr(gse_ctx, gss_maj, gss_min)));
status = NT_STATUS_INTERNAL_ERROR;
goto done;
-
- /* This is the error the MIT krb5 1.9 gives when it
- * implements the function, but we do not specify the
- * principal. However, when we specify the principal
- * as host$@REALM the GSS acceptor fails with 'wrong
- * principal in request'. Work around the issue by
- * falling back to the alternate approach below. */
- } else if (gss_maj == (GSS_S_CALL_BAD_STRUCTURE|GSS_S_BAD_NAME))
- /* FIXME!!!
- * This call sets the default keytab for the whole server, not
- * just for this context. Need to find a way that does not alter
- * the state of the whole server ... */
- {
- const char *ktname;
- gss_OID_set_desc mech_set;
-
- ret = smb_krb5_kt_get_name(gse_ctx, gse_ctx->k5ctx,
- gse_ctx->keytab, &ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- ret = gsskrb5_register_acceptor_identity(ktname);
- if (ret) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
- mech_set.count = 1;
- mech_set.elements = &gse_ctx->gss_mech;
-
- gss_maj = gss_acquire_cred(&gss_min,
- GSS_C_NO_NAME,
- GSS_C_INDEFINITE,
- &mech_set,
- GSS_C_ACCEPT,
- &gse_ctx->creds,
- NULL, NULL);
-
- if (gss_maj) {
- DEBUG(0, ("gss_acquire_creds failed with [%s]\n",
- gse_errstr(gse_ctx, gss_maj, gss_min)));
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
}
status = NT_STATUS_OK;
--
2.9.3

@ -1,179 +0,0 @@
From 8a696458dac335071d98f39dfd1380192fbe7733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Fri, 10 Mar 2017 16:20:06 +0200
Subject: [PATCH] lib/crypto: implement samba.crypto Python module for RC4
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Implement a small Python module that exposes arcfour_crypt_blob()
function widely used in Samba C code.
When Samba Python bindings are used to call LSA CreateTrustedDomainEx2,
there is a need to encrypt trusted credentials with RC4 cipher.
Current Samba Python code relies on the Python runtime to provide the RC4
cipher. However, in FIPS 140-2 mode the system crypto libraries do not
provide access to the RC4 cipher at all. According to Microsoft's dochelp team,
Windows treats the AuthenticationInformation blob encryption as 'plain
text' in terms of FIPS 140-2, i.e. as application-level encryption.
Replace samba.arcfour_encrypt() implementation with a call to
samba.crypto.arcfour_crypt_blob().
Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Wed Mar 15 01:30:24 CET 2017 on sn-devel-144
(cherry picked from commit bbeef554f2c15e739f6095fcb57d9ef6646b411c)
---
lib/crypto/py_crypto.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++
lib/crypto/wscript_build | 7 ++++
python/samba/__init__.py | 16 ++-------
3 files changed, 99 insertions(+), 14 deletions(-)
create mode 100644 lib/crypto/py_crypto.c
diff --git a/lib/crypto/py_crypto.c b/lib/crypto/py_crypto.c
new file mode 100644
index 0000000..bf7f9f4
--- /dev/null
+++ b/lib/crypto/py_crypto.c
@@ -0,0 +1,90 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba crypto functions
+
+ Copyright (C) Alexander Bokovoy <ab@samba.org> 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "includes.h"
+#include "python/py3compat.h"
+#include "lib/crypto/arcfour.h"
+
+static PyObject *py_crypto_arcfour_crypt_blob(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+ DATA_BLOB data, key;
+ PyObject *py_data, *py_key, *result;
+ TALLOC_CTX *ctx;
+
+ if (!PyArg_ParseTuple(args, "OO", &py_data, &py_key))
+ return NULL;
+
+ if (!PyBytes_Check(py_data)) {
+ PyErr_Format(PyExc_TypeError, "bytes expected");
+ return NULL;
+ }
+
+ if (!PyBytes_Check(py_key)) {
+ PyErr_Format(PyExc_TypeError, "bytes expected");
+ return NULL;
+ }
+
+ ctx = talloc_new(NULL);
+
+ data.length = PyBytes_Size(py_data);
+ data.data = talloc_memdup(ctx, PyBytes_AsString(py_data), data.length);
+ if (!data.data) {
+ talloc_free(ctx);
+ return PyErr_NoMemory();
+ }
+
+ key.data = (uint8_t *)PyBytes_AsString(py_key);
+ key.length = PyBytes_Size(py_key);
+
+ arcfour_crypt_blob(data.data, data.length, &key);
+
+ result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
+ talloc_free(ctx);
+ return result;
+}
+
+
+static const char py_crypto_arcfour_crypt_blob_doc[] = "arcfour_crypt_blob(data, key)\n"
+ "Encrypt the data with RC4 algorithm using the key";
+
+static PyMethodDef py_crypto_methods[] = {
+ { "arcfour_crypt_blob", (PyCFunction)py_crypto_arcfour_crypt_blob, METH_VARARGS, py_crypto_arcfour_crypt_blob_doc },
+ { NULL },
+};
+
+static struct PyModuleDef moduledef = {
+ PyModuleDef_HEAD_INIT,
+ .m_name = "crypto",
+ .m_doc = "Crypto functions required for SMB",
+ .m_size = -1,
+ .m_methods = py_crypto_methods,
+};
+
+MODULE_INIT_FUNC(crypto)
+{
+ PyObject *m;
+
+ m = PyModule_Create(&moduledef);
+ if (m == NULL)
+ return NULL;
+
+ return m;
+}
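Review bot: py_crypto_arcfour_crypt_blob() accepts an empty key and never checks the talloc_new() result: a zero-length key reaches arcfour_crypt_blob(), and if arcfour_init() reduces its index modulo key->length as Samba's implementation does that is a division by zero from Python-supplied input, while a NULL ctx turns the talloc_memdup() copy into an orphan that talloc_free(NULL) does not release. Both are cheap to reject up front, and since the commit message says this module exists to encrypt trust credentials, the data copy deserves a wipe before talloc_free() rather than leaving plaintext on the heap (talloc_free() is not a free() the compiler recognises, so a plain memset is unlikely to be elided, but a project secure-wipe helper is preferable if one exists). The docstring should also say that this is the legacy RC4 stream cipher kept only for protocol-mandated blob encryption such as LSA CreateTrustedDomainEx2, that it must not be used for new designs, and that the operation is symmetric, so the same call decrypts.
```c
	if (PyBytes_Size(py_key) == 0) {
		PyErr_SetString(PyExc_ValueError, "key must not be empty");
		return NULL;
	}

	ctx = talloc_new(NULL);
	if (ctx == NULL) {
		return PyErr_NoMemory();
	}

	/* … unchanged: copy data, set up key, arcfour_crypt_blob() … */

	result = PyBytes_FromStringAndSize((const char*) data.data, data.length);
	memset(data.data, 0, data.length);	/* do not leave plaintext/ciphertext on the heap */
	talloc_free(ctx);
	return result;
```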
diff --git a/lib/crypto/wscript_build b/lib/crypto/wscript_build
index 7f94532..d1f152e 100644
--- a/lib/crypto/wscript_build
+++ b/lib/crypto/wscript_build
@@ -25,3 +25,10 @@ bld.SAMBA_SUBSYSTEM('TORTURE_LIBCRYPTO',
autoproto='test_proto.h',
deps='LIBCRYPTO'
)
+
+for env in bld.gen_python_environments():
+ bld.SAMBA_PYTHON('python_crypto',
+ source='py_crypto.c',
+ deps='LIBCRYPTO',
+ realname='samba/crypto.so'
+ )
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 19d5e38..fa4244a 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -371,20 +371,8 @@ def string_to_byte_array(string):
return blob
def arcfour_encrypt(key, data):
- try:
- from Crypto.Cipher import ARC4
- c = ARC4.new(key)
- return c.encrypt(data)
- except ImportError as e:
- pass
- try:
- from M2Crypto.RC4 import RC4
- c = RC4(key)
- return c.update(data)
- except ImportError as e:
- pass
- raise Exception("arcfour_encrypt() requires " +
- "python*-crypto or python*-m2crypto or m2crypto")
+ from samba.crypto import arcfour_crypt_blob
+ return arcfour_crypt_blob(data, key)
import _glue
version = _glue.version
--
2.9.3

@ -1,405 +0,0 @@
From 1f192fad31923af2bec692ded84e46add5bde76b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Jan 2017 11:43:12 +0100
Subject: [PATCH 1/2] rpc_server: Use the RPC TCPIP ports of Windows
Since Windows Server 2008 Microsoft uses a different port range for RPC
services. Before it was 1024-65535 and they changed it to 49152-65535.
We should use the same range as these are the ports the firewall in AD
networks normally allow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 35dfa5c6e2bf60f8f1efda5eb7026cabe8bf5ba3)
---
source3/rpc_server/rpc_server.c | 4 ++--
source4/smbd/service_stream.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 5effe66d9bb..37fe68fc36d 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,8 +34,8 @@
#include "rpc_server/srv_pipe_hnd.h"
#include "rpc_server/srv_pipe.h"
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index f0a379acf6a..96a303fc6a9 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -30,8 +30,8 @@
#include "lib/util/util_net.h"
/* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 1024
-#define SERVER_TCP_HIGH_PORT 1300
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
/* size of listen() backlog in smbd */
#define SERVER_LISTEN_BACKLOG 10
--
2.11.0
From a48a358caa69d42191f285c1b28ba52b00d4e230 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Jan 2017 12:05:09 +0100
Subject: [PATCH 2/2] rpc_server: Allow to configure the port range for RPC
services
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12521
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 9d60ad53b809281a5a6f6ad82a0daea99c989f2d)
---
docs-xml/smbdotconf/protocol/rpcserverport.xml | 14 +++++--
.../smbdotconf/rpc/rpcserverdynamicportrange.xml | 22 ++++++++++
lib/param/loadparm.c | 47 ++++++++++++++++++++++
lib/param/loadparm.h | 9 ++++-
lib/param/param.h | 3 ++
python/samba/tests/docs.py | 11 +++--
source3/include/proto.h | 2 +
source3/param/loadparm.c | 16 ++++++++
source3/rpc_server/rpc_server.c | 5 +--
source4/smbd/service_stream.c | 8 ++--
10 files changed, 120 insertions(+), 17 deletions(-)
create mode 100644 docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
diff --git a/docs-xml/smbdotconf/protocol/rpcserverport.xml b/docs-xml/smbdotconf/protocol/rpcserverport.xml
index 8a70835612f..0fd87d69212 100644
--- a/docs-xml/smbdotconf/protocol/rpcserverport.xml
+++ b/docs-xml/smbdotconf/protocol/rpcserverport.xml
@@ -4,11 +4,19 @@
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>Specifies which port the server should listen on for DCE/RPC over TCP/IP traffic.</para>
- <para>This controls default port for all protocols, except for NETLOGON. If unset, the first available port after 1024 is used.</para>
- <para>The NETLOGON server will use the next available port, eg 1025. To change this port use (eg) rpc server port:netlogon = 4000.</para>
+ <para>This controls the default port for all protocols, except for NETLOGON.</para>
+ <para>If unset, the first available port from <smbconfoption name="rpc server dynamic port range"/> is used, e.g. 49152.</para>
+ <para>The NETLOGON server will use the next available port, e.g. 49153. To change this port use (eg) rpc server port:netlogon = 4000.</para>
<para>Furthermore, all RPC servers can have the port they use specified independenty, with (for example) rpc server port:drsuapi = 5000.</para>
+ <para>This option applies currently only when
+ <citerefentry><refentrytitle>samba</refentrytitle> <manvolnum>8</manvolnum></citerefentry>
+ runs as an active directory domain controller.</para>
+
+ <para>The default value 0 causes Samba to select the first available port from <smbconfoption name="rpc server dynamic port range"/>.</para>
</description>
-<para>The default value 0 causes Samba to select the first available port after 1024.</para>
+
+<related>rpc server dynamic port range</related>
+
<value type="default">0</value>
</samba:parameter>
diff --git a/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
new file mode 100644
index 00000000000..a9c51d2fe41
--- /dev/null
+++ b/docs-xml/smbdotconf/rpc/rpcserverdynamicportrange.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="rpc server dynamic port range"
+ context="G"
+ type="string"
+ handler="handle_rpc_server_dynamic_port_range"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter tells the RPC server which port range it is
+ allowed to use to create a listening socket for LSA, SAM,
+ Netlogon and others without wellknown tcp ports.
+ The first value is the lowest number of the port
+ range and the second the hightest.
+ </para>
+ <para>
+ This applies to RPC servers in all server roles.
+ </para>
+</description>
+
+<related>rpc server port</related>
+
+<value type="default">49152-65535</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6aa757f7c6b..3b54ff232aa 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -83,6 +83,16 @@ struct loadparm_service *lpcfg_default_service(struct loadparm_context *lp_ctx)
return lp_ctx->sDefault;
}
+int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_low_port;
+}
+
+int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
+{
+ return lp_ctx->globals->rpc_high_port;
+}
+
/**
* Convenience routine to grab string parameters into temporary memory
* and run standard_sub_basic on them.
@@ -1435,6 +1445,37 @@ bool handle_smb_ports(struct loadparm_context *lp_ctx, struct loadparm_service *
return true;
}
+bool handle_rpc_server_dynamic_port_range(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue,
+ char **ptr)
+{
+ int low_port = -1, high_port = -1;
+ int rc;
+
+ if (pszParmValue == NULL || pszParmValue[0] == '\0') {
+ return false;
+ }
+
+ rc = sscanf(pszParmValue, "%d - %d", &low_port, &high_port);
+ if (rc != 2) {
+ return false;
+ }
+
+ if (low_port > high_port) {
+ return false;
+ }
+
+ if (low_port < SERVER_TCP_PORT_MIN|| high_port > SERVER_TCP_PORT_MAX) {
+ return false;
+ }
+
+ lp_ctx->globals->rpc_low_port = low_port;
+ lp_ctx->globals->rpc_high_port = high_port;
+
+ return true;
+}
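Review bot: handle_rpc_server_dynamic_port_range() validates the range but never stores pszParmValue through `ptr`, so the parsed value lives only in rpc_low_port/rpc_high_port and the parameter's own string slot keeps whatever it held before; other handlers with this signature in the file appear to assign the string as well, but that is outside this hunk, so it should be confirmed against e.g. handle_smb_ports() and fixed the same way if so. The `"%d - %d"` sscanf also accepts trailing junk such as `49152-65535foo`, which silently passes validation; a `%n` check that the whole string was consumed (`if (rc != 2 || pszParmValue[consumed] != '\0') return false;`) makes rejection of malformed values explicit. Minor: `SERVER_TCP_PORT_MIN||` is missing the space before the operator.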
+
bool handle_smb2_max_credits(struct loadparm_context *lp_ctx,
struct loadparm_service *service,
const char *pszParmValue, char **ptr)
@@ -2498,6 +2539,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lp_ctx->globals = talloc_zero(lp_ctx, struct loadparm_global);
/* This appears odd, but globals in s3 isn't a pointer */
lp_ctx->globals->ctx = lp_ctx->globals;
+ lp_ctx->globals->rpc_low_port = SERVER_TCP_LOW_PORT;
+ lp_ctx->globals->rpc_high_port = SERVER_TCP_HIGH_PORT;
lp_ctx->sDefault = talloc_zero(lp_ctx, struct loadparm_service);
lp_ctx->flags = talloc_zero_array(lp_ctx, unsigned int, num_parameters());
@@ -2902,6 +2945,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+ lpcfg_do_global_parameter(lp_ctx,
+ "rpc server dynamic port range",
+ "49152-65535");
+
/* Allow modules to adjust defaults */
for (defaults_hook = defaults_hooks; defaults_hook;
defaults_hook = defaults_hook->next) {
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index f9fb7d8d804..c63683d6b66 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -194,6 +194,11 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
#endif /* DEVELOPER */
};
+#define SERVER_TCP_LOW_PORT 49152
+#define SERVER_TCP_HIGH_PORT 65535
+
+#define SERVER_TCP_PORT_MIN 1024
+#define SERVER_TCP_PORT_MAX 65535
@@ -272,7 +277,9 @@ enum inheritowner_options {
#define LOADPARM_EXTRA_GLOBALS \
struct parmlist_entry *param_opt; \
char *dnsdomain; \
- char *realm_original;
+ char *realm_original; \
+ int rpc_low_port; \
+ int rpc_high_port;
const char* server_role_str(uint32_t role);
int lp_find_server_role(int server_role, int security, int domain_logons, int domain_master);
diff --git a/lib/param/param.h b/lib/param/param.h
index 66037e2ef1b..e123e67a990 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -313,6 +313,9 @@ void lpcfg_default_kdc_policy(struct loadparm_context *lp_ctx,
time_t *usr_tkt_lifetime,
time_t *renewal_lifetime);
+int lpcfg_rpc_port_low(struct loadparm_context *lp_ctx);
+int lpcfg_rpc_port_high(struct loadparm_context *lp_ctx);
+
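Review bot: The prototypes added here do not match the definitions: lib/param/loadparm.c in this same patch defines `lpcfg_rpc_low_port()` and `lpcfg_rpc_high_port()` and source4/smbd/service_stream.c calls them by those names, while param.h declares `lpcfg_rpc_port_low()` and `lpcfg_rpc_port_high()`, which nothing defines. The build presumably succeeds because generated prototypes cover the real names, but these two lines are dead declarations that will mislead anyone reading the header; they should read `int lpcfg_rpc_low_port(struct loadparm_context *lp_ctx);` and `int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx);`.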
/* The following definitions come from lib/version.c */
const char *samba_version_string(void);
diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py
index 22e022583f6..65df573a350 100644
--- a/python/samba/tests/docs.py
+++ b/python/samba/tests/docs.py
@@ -108,7 +108,7 @@ class SmbDotConfTests(TestCase):
'lprm command', 'lpq command', 'print command', 'template homedir',
'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build',
'max open files', 'fss: prune stale', 'fss: sequence timeout',
- 'include system krb5 conf'])
+ 'include system krb5 conf', 'rpc server dynamic port range'])
def setUp(self):
super(SmbDotConfTests, self).setUp()
@@ -162,14 +162,16 @@ class SmbDotConfTests(TestCase):
exceptions = ['client lanman auth',
'client plaintext auth',
'registry shares',
- 'smb ports'])
+ 'smb ports',
+ 'rpc server dynamic port range'])
self._test_empty(['bin/testparm'])
def test_default_s4(self):
self._test_default(['bin/samba-tool', 'testparm'])
self._set_defaults(['bin/samba-tool', 'testparm'])
self._set_arbitrary(['bin/samba-tool', 'testparm'],
- exceptions = ['smb ports'])
+ exceptions = ['smb ports',
+ 'rpc server dynamic port range'])
self._test_empty(['bin/samba-tool', 'testparm'])
def _test_default(self, program):
@@ -178,6 +180,7 @@ class SmbDotConfTests(TestCase):
for tuples in self.defaults:
param, default, context, param_type = tuples
+
if param in self.special_cases:
continue
section = None
@@ -206,7 +209,7 @@ class SmbDotConfTests(TestCase):
for tuples in self.defaults:
param, default, context, param_type = tuples
- if param in ['printing']:
+ if param in ['printing', 'rpc server dynamic port range']:
continue
section = None
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 642900ed67c..b3d3ca0e5d1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -889,6 +889,8 @@ int lp_client_ipc_signing(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );
+int lp_rpc_low_port(void);
+int lp_rpc_high_port(void);
int lp_wi_scan_global_parametrics(
const char *regex, size_t max_matches,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d8da749ccba..2c8380067f6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -933,6 +933,12 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.aio_max_threads = 100;
+ lpcfg_string_set(Globals.ctx,
+ &Globals.rpc_server_dynamic_port_range,
+ "49152-65535");
+ Globals.rpc_low_port = SERVER_TCP_LOW_PORT;
+ Globals.rpc_high_port = SERVER_TCP_HIGH_PORT;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
@@ -4552,6 +4558,16 @@ int lp_client_ipc_signing(void)
return client_ipc_signing;
}
+int lp_rpc_low_port(void)
+{
+ return Globals.rpc_low_port;
+}
+
+int lp_rpc_high_port(void)
+{
+ return Globals.rpc_high_port;
+}
+
struct loadparm_global * get_globals(void)
{
return &Globals;
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 37fe68fc36d..f7fb8ef5207 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -34,9 +34,6 @@
#include "rpc_server/srv_pipe_hnd.h"
#include "rpc_server/srv_pipe.h"
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
@@ -608,7 +605,7 @@ int create_tcpip_socket(const struct sockaddr_storage *ifss, uint16_t *port)
if (*port == 0) {
uint16_t i;
- for (i = SERVER_TCP_LOW_PORT; i <= SERVER_TCP_HIGH_PORT; i++) {
+ for (i = lp_rpc_low_port(); i <= lp_rpc_high_port(); i++) {
fd = open_socket_in(SOCK_STREAM,
i,
0,
diff --git a/source4/smbd/service_stream.c b/source4/smbd/service_stream.c
index 96a303fc6a9..deb96d8d69d 100644
--- a/source4/smbd/service_stream.c
+++ b/source4/smbd/service_stream.c
@@ -29,10 +29,6 @@
#include "../lib/tsocket/tsocket.h"
#include "lib/util/util_net.h"
-/* the range of ports to try for dcerpc over tcp endpoints */
-#define SERVER_TCP_LOW_PORT 49152
-#define SERVER_TCP_HIGH_PORT 65535
-
/* size of listen() backlog in smbd */
#define SERVER_LISTEN_BACKLOG 10
@@ -331,7 +327,9 @@ NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
if (!port) {
status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
} else if (*port == 0) {
- for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
+ for (i = lpcfg_rpc_low_port(lp_ctx);
+ i <= lpcfg_rpc_high_port(lp_ctx);
+ i++) {
socket_address->port = i;
status = socket_listen(stream_socket->sock, socket_address,
SERVER_LISTEN_BACKLOG, 0);
--
2.11.0

@ -1,16 +0,0 @@
[Unit]
Description=Samba AD Daemon
After=syslog.target network.target
[Service]
Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
Type=notify
NotifyAccess=all
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
ExecStart=/usr/sbin/samba --interactive $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target


@ -31,6 +31,7 @@
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
