Rebase on 4.8.3

tags/samba-4.8.3-100.dc
Daniel Berteaud 6 years ago
parent b7dd157cc6
commit a3d2851754
  1. CVE-2017-14746.patch | 63
  2. CVE-2017-15275.patch | 45
  3. CVE-2018-10858.patch | 199
  4. CVE-2018-1139.patch | 753
  5. samba-4.7-fix_aesni_intel_support.patch | 72
  6. samba-4.7-fix_dns_segfault_during_net_ads_join.patch | 30
  7. samba-4.7-fix_samba_with_systemd.patch | 313
  8. samba-4.7-fix_segfault_in_NT1_connection_setup.patch | 105
  9. samba-4.7-fix_segfault_in_keytab_handling.patch | 33
  10. samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch | 130
  11. samba-4.7-fix_smb2_anonymous_connections.patch | 2595
  12. samba-4.7-fix_smb2_client_read_after_free.patch | 47
  13. samba-4.7-fix_smbclient_volume.patch | 165
  14. samba-4.7-handle_smb_echo_gracefully.patch | 66
  15. samba-4.7-net_ads_keytab_list.patch | 84
  16. samba-4.7.1.tar.asc | 6
  17. samba-4.7.1.tar.xz | 1
  18. samba-4.8.3-fix_krb5_plugins.patch | 270
  19. samba-4.8.3-fix_winbind_getpwnam_local_user.patch | 216
  20. samba-4.8.3-smbclient_quiet_argument.patch | 64
  21. samba-4.8.3.tar.asc | 6
  22. samba-4.8.3.tar.xz | BIN
  23. samba.spec | 253

@ -1,63 +0,0 @@
From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 19 Sep 2017 16:11:33 -0700
Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyihan@360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/process.c | 7 ++++---
source3/smbd/reply.c | 5 +++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index b65ae2c1b1c..9b2b0a669a2 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
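Review bot: the smb1srv_tcon_lookup() call still passes req->xconn while the tid now comes from next->tid, and the commit message says to always use the 'next->' variables when setting up the chain. Either take the connection from next as well, or add a one-line comment saying the xconn is shared by both requests, so a later reader does not "fix" it. The blank line added before if (NT_STATUS_IS_OK(status)) is stray and can be dropped.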
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078249b..81acedf0413 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
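Review bot: req->tid = 0 relies on 0 never being a valid tree id, and the new comment does not say so. State that assumption in the comment, or use a named invalid-tid constant if the code base has one, because the process.c hunk in this same patch depends on a later smb1srv_tcon_lookup() with this value failing and leaving next->conn NULL.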
--
2.14.2.920.gcf0c67979c-goog

@ -1,45 +0,0 @@
From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
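Review bot: both new return -1 paths leave before *outbuf = tmp;, so if tmp is the regrown buffer the caller is left holding the pre-grow pointer on these errors; assign *outbuf before the checks, or document why the error paths cannot follow a moved allocation. The checks also sit after the srvstr_push failure block, that is after the string has already been written, so grow_size < result detects an overrun rather than preventing one; the comment should say these are sanity checks on the returned length that guard the memset, not bounds checks on the write.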
--
2.14.2.920.gcf0c67979c-goog

@ -0,0 +1,199 @@
From 8e9016a11c7ebd08e92277962e495945a3ad588f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:07:17 -0700
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_path.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index 01b0a61e483..ed70ab37550 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
}
}
- *dest++ = '\0';
- max_dest_len--;
+ if (max_dest_len == 0) {
+ /* Ensure we return -1 if no null termination. */
+ return -1;
+ }
+
+ *dest++ = '\0';
+ max_dest_len--;
return max_dest_len;
}
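Review bot: if (max_dest_len == 0) only catches an exactly exhausted buffer; the function returns max_dest_len and -1, so the counter is signed and a negative value would fall through to *dest++ = '\0'. Use <= 0 here. Patch 2/2 makes exactly that change, so fold it into this patch to keep 1/2 correct on its own.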
--
2.11.0
From 0a259d3c56b7e436c0b589b175619565e0515fa0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:08:17 -0700
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
source3/libsmb/libsmb_path.c | 2 +-
2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 72441c46736..54c2bcb3c73 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -943,27 +943,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
}
-static void
+static int
smbc_readdir_internal(SMBCCTX * context,
struct smbc_dirent *dest,
struct smbc_dirent *src,
int max_namebuf_len)
{
if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
+ int remaining_len;
/* url-encode the name. get back remaining buffer space */
- max_namebuf_len =
+ remaining_len =
smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ /* -1 means no null termination. */
+ if (remaining_len < 0) {
+ return -1;
+ }
+
/* We now know the name length */
dest->namelen = strlen(dest->name);
+ if (dest->namelen + 1 < 1) {
+ /* Integer wrap. */
+ return -1;
+ }
+
+ if (dest->namelen + 1 >= max_namebuf_len) {
+ /* Out of space for comment. */
+ return -1;
+ }
+
/* Save the pointer to the beginning of the comment */
dest->comment = dest->name + dest->namelen + 1;
+ if (remaining_len < 1) {
+ /* No room for comment null termination. */
+ return -1;
+ }
+
/* Copy the comment */
- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
- dest->comment[max_namebuf_len - 1] = '\0';
+ strlcpy(dest->comment, src->comment, remaining_len);
/* Save other fields */
dest->smbc_type = src->smbc_type;
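Review bot: strlcpy(dest->comment, src->comment, remaining_len) ignores its return value, so an over-long comment is silently truncated while an over-long name makes the function return -1. Pick one policy for both fields and state it in a comment. The function also changes from void to int with no description of the contract; add a comment above it saying 0 on success and -1 when the entry does not fit or is malformed, since both callers now depend on that.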
@@ -973,10 +993,21 @@ smbc_readdir_internal(SMBCCTX * context,
} else {
/* No encoding. Just copy the entry as is. */
+ if (src->dirlen > max_namebuf_len) {
+ return -1;
+ }
memcpy(dest, src, src->dirlen);
+ if (src->namelen + 1 < 1) {
+ /* Integer wrap */
+ return -1;
+ }
+ if (src->namelen + 1 >= max_namebuf_len) {
+ /* Comment off the end. */
+ return -1;
+ }
dest->comment = (char *)(&dest->name + src->namelen + 1);
}
-
+ return 0;
}
/*
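Review bot: in the no-encoding branch src->namelen is bounded against max_namebuf_len but never against src->dirlen, so dest->comment can end up pointing past the src->dirlen bytes that memcpy just copied. Add a check that namelen + 1 lies inside the copied length. The src->dirlen > max_namebuf_len test also compares a whole-entry length with the size of the name buffer; a comment should say why that is the right bound for memcpy(dest, src, src->dirlen).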
@@ -988,6 +1019,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
SMBCFILE *dir)
{
int maxlen;
+ int ret;
struct smbc_dirent *dirp, *dirent;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1037,7 +1069,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
dirp = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirp, dirent, maxlen);
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return NULL;
+ }
dir->dir_next = dir->dir_next->next;
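Review bot: the new error return sits before dir->dir_next = dir->dir_next->next;, so one rejected entry is returned as an error on every later call and the rest of the listing becomes unreachable. If that is intended, say so in a comment; otherwise advance dir_next before returning. Setting errno before TALLOC_FREE(frame) also lets the free path overwrite it; assign errno as the last statement before the return.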
@@ -1095,6 +1132,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
*/
while ((dirlist = dir->dir_next)) {
+ int ret;
struct smbc_dirent *dirent;
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
@@ -1109,8 +1147,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
/* Do urlencoding of next entry, if so selected */
dirent = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirent,
+ ret = smbc_readdir_internal(context, dirent,
dirlist->dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return -1;
+ }
reqd = dirent->dirlen;
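Review bot: this return -1 is inside the while ((dirlist = dir->dir_next)) loop, so entries already packed into the caller's buffer on earlier iterations are thrown away when a later entry is rejected. Decide whether the caller should get the entries gathered so far and hit the error on the next call, or lose the whole batch, and document the choice next to the check.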
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index ed70ab37550..5b53b386a67 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
}
}
- if (max_dest_len == 0) {
+ if (max_dest_len <= 0) {
/* Ensure we return -1 if no null termination. */
return -1;
}
--
2.11.0

@ -0,0 +1,753 @@
From 34a9663509fe12778cca621e765b027e26ed1e34 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 22 Feb 2018 11:54:45 +1300
Subject: [PATCH 1/6] selftest/tests.py: remove always-needed, never-set
with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
---
selftest/tests.py | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/selftest/tests.py b/selftest/tests.py
index 126e1184230..3f5097b680c 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -38,7 +38,6 @@ finally:
f.close()
have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash)
-with_cmocka = ("HAVE_CMOCKA" in config_hash)
with_pam = ("WITH_PAM" in config_hash)
pam_wrapper_so_path=config_hash["LIBPAM_WRAPPER_SO_PATH"]
@@ -168,13 +167,12 @@ if with_pam:
valgrindify(python), pam_wrapper_so_path,
"$DOMAIN", "alice", "Secret007"])
-if with_cmocka:
- plantestsuite("samba.unittests.krb5samba", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
- plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
- plantestsuite("samba.unittests.lib_util_modules", "none",
- [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
+plantestsuite("samba.unittests.krb5samba", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_krb5samba")])
+plantestsuite("samba.unittests.sambafs_srv_pipe", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_sambafs_srv_pipe")])
+plantestsuite("samba.unittests.lib_util_modules", "none",
+ [os.path.join(bindir(), "default/testsuite/unittests/test_lib_util_modules")])
- plantestsuite("samba.unittests.smb1cli_session", "none",
- [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.smb1cli_session", "none",
+ [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
--
2.14.4
From e99322edcf4c39614d596fd1be636fd8dd610abc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 27 Jul 2018 08:44:24 +1200
Subject: [PATCH 2/6] CVE-2018-1139 libcli/auth: Add initial tests for
ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
libcli/auth/tests/ntlm_check.c | 413 +++++++++++++++++++++++++++++++++++++++++
libcli/auth/wscript_build | 13 ++
selftest/knownfail.d/ntlm | 2 +
selftest/tests.py | 2 +
4 files changed, 430 insertions(+)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/tests/ntlm_check.c b/libcli/auth/tests/ntlm_check.c
new file mode 100644
index 00000000000..e87a0a276d4
--- /dev/null
+++ b/libcli/auth/tests/ntlm_check.c
@@ -0,0 +1,413 @@
+/*
+ * Unit tests for the ntlm_check password hash check library.
+ *
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2018
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+/*
+ * Note that the messaging routines (audit_message_send and get_event_server)
+ * are not tested by these unit tests. Currently they are for integration
+ * test support, and as such are exercised by the integration tests.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "includes.h"
+#include "../lib/crypto/crypto.h"
+#include "librpc/gen_ndr/netlogon.h"
+#include "libcli/auth/libcli_auth.h"
+#include "auth/credentials/credentials.h"
+
+struct ntlm_state {
+ const char *username;
+ const char *domain;
+ DATA_BLOB challenge;
+ DATA_BLOB ntlm;
+ DATA_BLOB lm;
+ DATA_BLOB ntlm_key;
+ DATA_BLOB lm_key;
+ const struct samr_Password *nt_hash;
+};
+
+static int test_ntlm_setup_with_options(void **state,
+ int flags, bool upn)
+{
+ NTSTATUS status;
+ DATA_BLOB challenge = {
+ .data = discard_const_p(uint8_t, "I am a teapot"),
+ .length = 8
+ };
+ struct ntlm_state *ntlm_state = talloc(NULL, struct ntlm_state);
+ DATA_BLOB target_info = NTLMv2_generate_names_blob(ntlm_state,
+ NULL,
+ "serverdom");
+ struct cli_credentials *creds = cli_credentials_init(ntlm_state);
+ cli_credentials_set_username(creds,
+ "testuser",
+ CRED_SPECIFIED);
+ cli_credentials_set_domain(creds,
+ "testdom",
+ CRED_SPECIFIED);
+ cli_credentials_set_workstation(creds,
+ "testwksta",
+ CRED_SPECIFIED);
+ cli_credentials_set_password(creds,
+ "testpass",
+ CRED_SPECIFIED);
+
+ if (upn) {
+ cli_credentials_set_principal(creds,
+ "testuser@samba.org",
+ CRED_SPECIFIED);
+ }
+
+ cli_credentials_get_ntlm_username_domain(creds,
+ ntlm_state,
+ &ntlm_state->username,
+ &ntlm_state->domain);
+
+ status = cli_credentials_get_ntlm_response(creds,
+ ntlm_state,
+ &flags,
+ challenge,
+ NULL,
+ target_info,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ &ntlm_state->lm_key,
+ &ntlm_state->ntlm_key);
+ ntlm_state->challenge = challenge;
+
+ ntlm_state->nt_hash = cli_credentials_get_nt_hash(creds,
+ ntlm_state);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return -1;
+ }
+
+ *state = ntlm_state;
+ return 0;
+}
+
+static int test_ntlm_setup(void **state) {
+ return test_ntlm_setup_with_options(state, 0, false);
+}
+
+static int test_ntlm_and_lm_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_LANMAN_AUTH,
+ false);
+}
+
+static int test_ntlm2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLM2,
+ false);
+}
+
+static int test_ntlmv2_setup(void **state) {
+ return test_ntlm_setup_with_options(state,
+ CLI_CRED_NTLMv2_AUTH,
+ false);
+}
+
+static int test_ntlm_teardown(void **state)
+{
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ TALLOC_FREE(ntlm_state);
+ *state = NULL;
+ return 0;
+}
+
+static void test_ntlm_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_allowed_lm_supplied(void **state)
+{
+ return test_ntlm_allowed(state);
+}
+
+static void test_ntlm_disabled(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_DISABLED,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_NTLM_BLOCKED));
+}
+
+static void test_ntlm2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_ON,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ /*
+ * NTLM2 session security (where the real challenge is the
+ * MD5(challenge, client-challenge) (in the first 8 bytes of
+ * the lm) isn't decoded by ntlm_password_check(), it must
+ * first be converted back into normal NTLM by the NTLMSSP
+ * layer
+ */
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlm_mschapv2_only_allowed(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ MSV1_0_ALLOW_MSVCHAPV2,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlm_mschapv2_only_denied(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_MSCHAPv2_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlmv2(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status), NT_STATUS_V(NT_STATUS_OK));
+}
+
+static void test_ntlmv2_only_ntlm(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &ntlm_state->lm,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+static void test_ntlmv2_only_ntlm_and_lanman(void **state)
+{
+ return test_ntlmv2_only_ntlm(state);
+}
+
+static void test_ntlmv2_only_ntlm_once(void **state)
+{
+ DATA_BLOB user_sess_key, lm_sess_key;
+ struct ntlm_state *ntlm_state
+ = talloc_get_type_abort(*state,
+ struct ntlm_state);
+ NTSTATUS status;
+ status = ntlm_password_check(ntlm_state,
+ false,
+ NTLM_AUTH_NTLMV2_ONLY,
+ 0,
+ &ntlm_state->challenge,
+ &data_blob_null,
+ &ntlm_state->ntlm,
+ ntlm_state->username,
+ ntlm_state->username,
+ ntlm_state->domain,
+ NULL,
+ ntlm_state->nt_hash,
+ &user_sess_key,
+ &lm_sess_key);
+
+ assert_int_equal(NT_STATUS_V(status),
+ NT_STATUS_V(NT_STATUS_WRONG_PASSWORD));
+}
+
+int main(int argc, const char **argv)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_allowed_lm_supplied,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_disabled,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm2,
+ test_ntlm2_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_allowed,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlm_mschapv2_only_denied,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_and_lanman,
+ test_ntlm_and_lm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlm_once,
+ test_ntlm_setup,
+ test_ntlm_teardown),
+ cmocka_unit_test_setup_teardown(test_ntlmv2_only_ntlmv2,
+ test_ntlmv2_setup,
+ test_ntlm_teardown)
+ };
+
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
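Review bot: in test_ntlm_setup_with_options() the talloc() result is used without a NULL check and the return -1 path after cli_credentials_get_ntlm_response() leaves ntlm_state allocated; free it before returning so a failing setup does not leak into the next test. All four setup wrappers pass upn as false, so the cli_credentials_set_principal() branch is never exercised; add a UPN case or drop the parameter. The header comment about audit_message_send and get_event_server describes a different test file and should be removed, and the two wrappers that write return test_...(state); from a void function should just call the helper.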
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 475b7d69406..d319d9b879e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -41,3 +41,16 @@ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
bld.SAMBA_SUBSYSTEM('SPNEGO_PARSE',
source='spnego_parse.c',
deps='asn1util')
+
+bld.SAMBA_BINARY(
+ 'test_ntlm_check',
+ source='tests/ntlm_check.c',
+ deps='''
+ NTLM_CHECK
+ CREDENTIALS_NTLM
+ samba-credentials
+ cmocka
+ talloc
+ ''',
+ install=False
+ )
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
new file mode 100644
index 00000000000..c6e6a3739ba
--- /dev/null
+++ b/selftest/knownfail.d/ntlm
@@ -0,0 +1,2 @@
+^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
+^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
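Review bot: the first pattern has no trailing \( while the second does, so it matches any test whose name starts with test_ntlm_mschapv2_only_denied; anchor both entries the same way. The commit message should also say why these two tests are expected to fail at this point in the series, since the file gives no reason.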
diff --git a/selftest/tests.py b/selftest/tests.py
index 3f5097b680c..dc6486c13f8 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -176,3 +176,5 @@ plantestsuite("samba.unittests.lib_util_modules", "none",
plantestsuite("samba.unittests.smb1cli_session", "none",
[os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")])
+plantestsuite("samba.unittests.ntlm_check", "none",
+ [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")])
--
2.14.4
From 7a23af4b344ab3c9e9ba65bba5655f51a485c3b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:36:05 +0100
Subject: [PATCH 3/6] CVE-2018-1139 libcli/auth: fix debug messages in
hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc1d48..1c6499bd210 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
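Review bot: the function name is still hard-coded in the DEBUG string here and at the three other call sites changed in this patch, which is how the ntlm_password_check prefix went stale in the first place. Use __func__ with a %s so the prefix cannot drift again when code is moved.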
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: NT password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
} else if (client_lanman && stored_lanman) {
if (!lanman_auth) {
- DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
+ DEBUG(3,("hash_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
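Review bot: the context line memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) in this hunk, and the matching LANMAN comparison in the next one, are not constant-time comparisons of secret hashes. That is outside the scope of a message-only fix, but since the series touches this function for a CVE, note it for a follow-up that switches both to a constant-time compare.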
@@ -250,7 +250,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_lanman->hash, stored_lanman->hash, sizeof(stored_lanman->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: LANMAN password check failed for user %s\n",
+ DEBUG(3,("hash_password_check: Interactive logon: LANMAN password check failed for user %s\n",
username));
return NT_STATUS_WRONG_PASSWORD;
}
--
2.14.4
From fdb383c02e26305f4f312beae70bc5b8d4997a52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 14 Mar 2018 15:35:01 +0100
Subject: [PATCH 4/6] CVE-2018-1139 s3-utils: use enum ntlm_auth_level in
ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/ntlm_auth.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 3f544902a24..8f77680416f 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1010,7 +1010,7 @@ static NTSTATUS local_pw_check(struct auth4_context *auth4_context,
*pauthoritative = 1;
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true, NTLM_AUTH_ON, 0,
&auth4_context->challenge.data,
&user_info->password.response.lanman,
&user_info->password.response.nt,
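Review bot: replacing true with NTLM_AUTH_ON in local_pw_check(), and again in manage_ntlm_server_1_request() below, hard-codes the most permissive level, so these helpers accept NTLMv1 whatever the server's "ntlm auth" setting is. If that is deliberate, add a comment at both call sites saying why; otherwise pass the configured level through. The two call sites are also formatted differently (one line here, three lines below); use one layout.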
@@ -1719,7 +1719,9 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
nt_lm_owf_gen (opt_password, nt_pw.hash, lm_pw.hash);
nt_status = ntlm_password_check(mem_ctx,
- true, true, 0,
+ true,
+ NTLM_AUTH_ON,
+ 0,
&challenge,
&lm_response,
&nt_response,
--
2.14.4
From 69662890219c8ff58619b47b24d2a7a4bdb08de8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 16 Mar 2018 17:25:12 +0100
Subject: [PATCH 5/6] CVE-2018-1139 selftest: verify whether ntlmv1 can be used
via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/selftest/tests.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 9092c1776c8..034c014e5b8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -187,7 +187,7 @@ for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc", "ad_dc_ntvfs", "s4memb
plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
-for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", ""]:
+for options in ["--option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no", "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", ""]:
for env in ["nt4_member", "ad_member"]:
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s member creds" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$SERVER/$USERNAME', '$PASSWORD', smbclient3, configuration, options])
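Review bot: the new entry in the for options in [...] list, "--option=clientusespnego=no --option=clientntlmv2auth=no -mNT1", has no comment saying it covers NTLMv1 over SMB1 without SPNEGO, which is the CVE-2018-1139 case. Add that comment above the loop and break the list over several lines, since it is now too long to scan. The commit message's "Right now, this test will succeed" should also say whether success here means the server wrongly accepts the login, so the test's intent is clear before patch 6/6 changes the expectation.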
--
2.14.4
From 9511ba41455865104c3c06f834dd44787a3044bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 13 Mar 2018 16:56:20 +0100
Subject: [PATCH 6/6] CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1
when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas@redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
libcli/auth/ntlm_check.c | 2 +-
selftest/knownfail | 3 ++-
selftest/knownfail.d/ntlm | 2 --
3 files changed, 3 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/ntlm
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 1c6499bd210..b68e9c87888 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -572,7 +572,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (ntlm_auth) {
+ if (ntlm_auth == NTLM_AUTH_ON) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
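Review bot: the old if (ntlm_auth) treated every non-zero level of the enum as permission for NTLMv1 in this branch, so any other truthiness test on ntlm_auth is suspect. Say in the commit message that the rest of ntlm_password_check() was audited for the same pattern, or convert the remaining tests to explicit comparisons in this patch. If the skipped branch does not already log, a DEBUG line noting that the NT-hash-in-LM-field check was refused by policy would help when diagnosing rejected SMB1 clients.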
diff --git a/selftest/knownfail b/selftest/knownfail
index ba16fd72290..84776d4f35d 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -303,8 +303,9 @@
^samba4.smb.signing.*disabled.*signing=off.*\(ad_dc\)
# fl2000dc doesn't support AES
^samba4.krb5.kdc.*as-req-aes.*fl2000dc
-# nt4_member and ad_member don't support ntlmv1
+# nt4_member and ad_member don't support ntlmv1 (not even over SMB1)
^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.member.creds.*as.user
+^samba3.blackbox.smbclient_auth.plain.*_member.*option=clientntlmv2auth=no.*mNT1.member.creds.*as.user
#nt-vfs server blocks read with execute access
^samba4.smb2.read.access
#ntvfs server blocks copychunk with execute access on read handle
diff --git a/selftest/knownfail.d/ntlm b/selftest/knownfail.d/ntlm
deleted file mode 100644
index c6e6a3739ba..00000000000
--- a/selftest/knownfail.d/ntlm
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.ntlm_check.test_ntlm_mschapv2_only_denied
-^samba.unittests.ntlm_check.test_ntlmv2_only_ntlm\(
--
2.14.4

@ -1,72 +0,0 @@
From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 4 Dec 2017 10:49:19 +0100
Subject: [PATCH 1/2] third_party: Link the aesni-intel library with -z
noexecstack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 3 +++
1 file changed, 3 insertions(+)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index eb92d6626fe..0ccd9eb1e5b 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -12,6 +12,8 @@ def configure(conf):
raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
else:
raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
+ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
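Review bot: the error string added with the `conf.CHECK_LDFLAGS('-Wl,-z,noexecstack')` test names the option as `--aes-accel=intelaesni`, copying the spelling of the two messages above it, and patch 2/2 then has to rename all three to `--accel-aes`. Introduce the new message with the correct option name here, or put the rename first in the series, so this commit does not add a string that is already known to be wrong. Failing configure when the linker rejects the flag is the right behaviour; a silent fallback would ship the library with an executable stack.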
@@ -20,4 +22,5 @@ def build(bld):
bld.SAMBA_LIBRARY('aesni-intel',
source='aesni-intel_asm.c',
cflags='-Wp,-E,-lang-asm',
+ ldflags='-Wl,-z,noexecstack',
private_library=True)
--
2.15.0
From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Dec 2017 11:00:10 +0100
Subject: [PATCH 2/2] third_party: Fix a typo in the option name
Signed-off-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index 0ccd9eb1e5b..f0723a52501 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -9,11 +9,11 @@ def configure(conf):
print("Compiling with Intel AES instructions")
conf.DEFINE('HAVE_AESNI_INTEL', 1)
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
--
2.15.0

@ -1,30 +0,0 @@
From e3f491fde52c3c7f31b0137125cb0ab1d5721f87 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 May 2018 11:53:18 +0200
Subject: [PATCH] s3:utils: Do not segfault on error in DoDNSUpdate()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13440
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit cdd98aa1e2116fb97e16718d115ee883fe1bc8ba)
---
source3/utils/net_dns.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c
index d972a5d4bad..9ee856c0059 100644
--- a/source3/utils/net_dns.c
+++ b/source3/utils/net_dns.c
@@ -75,6 +75,7 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
if (!ERR_DNS_IS_OK(err)) {
DEBUG(3,("DoDNSUpdate: failed to probe DNS\n"));
+ goto error;
}
if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
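Review bot: the `DEBUG(3, ...)` line just before the new `goto error;` does not print the value of `err`, so the log records only that the probe failed and not why. Include the error in the message now that this branch is a real exit path. The jump itself is needed, since the statement after the block reads `resp->flags` and would otherwise run after a failed probe.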
--
2.16.3

@ -1,313 +0,0 @@
From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Mon, 21 Aug 2017 15:12:04 +1200
Subject: [PATCH 1/4] s4/smbd: set the process group.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Set the process group in the samba daemon, the --no-process-group option
allows this to be disabled. The no-process-group option needs to be
disabled in self test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
---
selftest/target/Samba4.pm | 2 +-
source4/smbd/server.c | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 772f982cb9d..6a1856ef642 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -158,7 +158,7 @@ sub check_or_start($$$)
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
print "DONE ($pid)\n";
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index a8bad06bed3..ba520e0a8f5 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
{
bool opt_daemon = false;
bool opt_interactive = false;
+ bool opt_no_process_group = false;
int opt;
poptContext pc;
#define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
OPT_DAEMON = 1000,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
- OPT_SHOW_BUILD
+ OPT_SHOW_BUILD,
+ OPT_NO_PROCESS_GROUP,
};
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
"till autotermination", "seconds"},
{"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
"show build info", NULL },
+ {"no-process-group", '\0', POPT_ARG_NONE, NULL,
+ OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }
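Review bot: the new `no-process-group` table entry has six initialisers, while the `show-build` entry directly above it ends with an explicit `NULL` for the argument description. Add the trailing `NULL` so the table stays uniform and does not rely on implicit zero-initialisation of the last member.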
@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_SHOW_BUILD:
show_build();
break;
+ case OPT_NO_PROCESS_GROUP:
+ opt_no_process_group = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
stdin_event_flags = 0;
}
+#if HAVE_SETPGID
+ /*
+ * If we're interactive we want to set our own process group for
+ * signal management, unless --no-process-group specified.
+ */
+ if (opt_interactive && !opt_no_process_group)
+ setpgid((pid_t)0, (pid_t)0);
+#endif
+
/* catch EOF on stdin */
#ifdef SIGTTIN
signal(SIGTTIN, SIG_IGN);
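Review bot: the return value of `setpgid((pid_t)0, (pid_t)0)` is discarded, so a failure to create the process group goes unnoticed and signal delivery silently behaves as if --no-process-group had been given. Check the result and log on failure. The one-statement `if` should also get braces, and the guard is written `#if HAVE_SETPGID` while the block right below uses `#ifdef SIGTTIN`; pick one form.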
--
2.15.0
From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 Nov 2017 10:00:52 +0100
Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
---
source4/smbd/server.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index ba520e0a8f5..406f79593b9 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
{
char *path;
TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ exit_daemon("Failed to create memory context",
+ ENOMEM);
+ }
path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
+ if (path == NULL) {
+ exit_daemon("Failed to cleanup temporary files",
+ EINVAL);
+ }
recursive_delete(path);
talloc_free(mem_ctx);
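Review bot: both new `exit_daemon()` calls turn a failure inside `cleanup_tmp_files()` into termination of the whole daemon, and the commit message does not say why exiting is preferred over logging and returning from this `void` helper. The second message, "Failed to cleanup temporary files", is also inaccurate at that point: what failed is `smbd_tmp_path()` returning NULL, before any deletion was attempted. Name the failing step in the message and state the reason for exiting in the commit text.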
--
2.15.0
From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:18:18 +0100
Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
We are passing the no_process_group to become_daemon() so that setsid() is
not called. In case we are double forking, we run in SysV daemon mode,
setsid() should be called!
See:
https://www.freedesktop.org/software/systemd/man/daemon.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
---
source3/smbd/server.c | 2 +-
source4/smbd/server.c | 13 ++++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 181bcd1e123..252b43190d7 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
struct poptOption long_options[] = {
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
+ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
{"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
{"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
{"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 406f79593b9..2349d5c7fa0 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
const char *argv[])
{
bool opt_daemon = false;
+ bool opt_fork = true;
bool opt_interactive = false;
bool opt_no_process_group = false;
int opt;
@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
struct stat st;
enum {
OPT_DAEMON = 1000,
+ OPT_FOREGROUND,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
OPT_SHOW_BUILD,
@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
"Become a daemon (default)", NULL },
+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND,
+ "Run the daemon in foreground", NULL },
{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
"Run interactive (not a daemon)", NULL},
{"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL,
@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_DAEMON:
opt_daemon = true;
break;
+ case OPT_FOREGROUND:
+ opt_fork = false;
+ break;
case OPT_INTERACTIVE:
opt_interactive = true;
break;
@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name,
"not allowed together with -D|--daemon\n\n");
poptPrintUsage(pc, stderr, 0);
return 1;
- } else if (!opt_interactive) {
+ } else if (!opt_interactive && !opt_fork) {
/* default is --daemon */
opt_daemon = true;
}
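Review bot: the new condition `else if (!opt_interactive && !opt_fork)` contradicts the comment under it, `/* default is --daemon */`. `opt_fork` is initialised to `true` and only `OPT_FOREGROUND` sets it to `false`, so with no options on the command line this branch is not taken and `opt_daemon` stays `false`; daemon mode is then selected only by an explicit -D or by --foreground. If the plain default is still meant to be --daemon, the test should not depend on `opt_fork`, for example the previous `else if (!opt_interactive)`.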
@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name,
}
if (opt_daemon) {
- DEBUG(3,("Becoming a daemon.\n"));
- become_daemon(true, false, false);
+ DBG_NOTICE("Becoming a daemon.\n");
+ become_daemon(opt_fork, opt_no_process_group, false);
}
/* Create the memory context to hang everything off. */
--
2.15.0
From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:32:27 +0100
Subject: [PATCH 4/4] systemd: Start processes in foreground and without a
process group
We should not double fork in notify mode or systemd thinks something
during startup will be wrong and sends SIGTERM to the process. So
sometimes the daemon will not start up correctly.
systemd will also handle the process group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77)
---
packaging/systemd/nmb.service | 2 +-
packaging/systemd/samba.service | 2 +-
packaging/systemd/smb.service | 2 +-
packaging/systemd/winbind.service | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
index 992c0cd9d2b..71c93d6088b 100644
--- a/packaging/systemd/nmb.service
+++ b/packaging/systemd/nmb.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/nmbd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
+ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
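Review bot: `PIDFile=/run/nmbd.pid` is left in place although `ExecStart` now runs nmbd with --foreground and the unit is `Type=notify`. Confirm that the daemon still writes that pid file when it does not fork, or drop the `PIDFile=` line; the same question applies to the samba, smb and winbind units changed in this patch.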
diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
index 824f89c2030..1b64c3b779d 100644
--- a/packaging/systemd/samba.service
+++ b/packaging/systemd/samba.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/samba $SAMBAOPTIONS
+ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
[Install]
diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
index 6053a5caaa5..adf6684c7d9 100644
--- a/packaging/systemd/smb.service
+++ b/packaging/systemd/smb.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/smbd $SMBDOPTIONS
+ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
index c511488166e..46b3797251d 100644
--- a/packaging/systemd/winbind.service
+++ b/packaging/systemd/winbind.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
+ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
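Review bot: `"$WINBINDOPTIONS"` stays quoted on the new `ExecStart` line, unlike `$NMBDOPTIONS`, `$SAMBAOPTIONS` and `$SMBDOPTIONS` in the other three units. Now that two fixed options precede it, check how the quoted form is expanded when the variable is unset or holds several options, and either make the four units consistent or note in the commit message why winbind differs.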
--
2.15.0

@ -1,105 +0,0 @@
From 27bd0925c556ff69ce5db306f513eb4e4e7d4c7e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 19 Feb 2018 18:07:50 +0100
Subject: [PATCH] s3:smbd: Do not crash if we fail to init the session table
This should fix the following segfault with SMB1:
#6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
#7 <signal handler called>
#8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
at ../source3/smbd/smbXsrv_session.c:1212
#9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
#10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
#11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
at ../source3/smbd/process.c:1762
#12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
#13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
#14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0
Inspecting the core shows that:
conn->client-session_table is NULL
conn->protocol is PROTOCOL_NONE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878)
---
source3/smbd/negprot.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index d3f4776076f..70249f7b446 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -65,6 +65,8 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
time_t t = time(NULL);
struct smbXsrv_connection *xconn = req->xconn;
uint16_t raw;
+ NTSTATUS status;
+
if (lp_async_smb_echo_handler()) {
raw = 0;
} else {
@@ -88,7 +90,11 @@ static void reply_lanman1(struct smb_request *req, uint16_t choice)
SSVAL(req->outbuf,smb_vwv11, 8);
}
- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
+ return;
+ }
/* Reply, SMBlockread, SMBwritelock supported. */
SCVAL(req->outbuf,smb_flg, FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
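Review bot: the failure path after `smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN1)` goes straight to `reply_nterror(req, status)` without logging, so the reason the tables could not be set up is lost on the server side; add a DEBUG line with the status before replying. The call also sits after `req->outbuf` has already been partly filled in (the `SSVAL(req->outbuf,smb_vwv11, 8)` above it), so initialising the tables before building the reply would keep the error path from discarding work. The same three-line check is repeated in `reply_lanman2()` and `reply_nt1()` and both remarks apply there.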
@@ -115,6 +121,8 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
time_t t = time(NULL);
struct smbXsrv_connection *xconn = req->xconn;
uint16_t raw;
+ NTSTATUS status;
+
if (lp_async_smb_echo_handler()) {
raw = 0;
} else {
@@ -140,7 +148,11 @@ static void reply_lanman2(struct smb_request *req, uint16_t choice)
SSVAL(req->outbuf,smb_vwv11, 8);
}
- smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_LANMAN2);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
+ return;
+ }
/* Reply, SMBlockread, SMBwritelock supported. */
SCVAL(req->outbuf,smb_flg,FLAG_REPLY|FLAG_SUPPORT_LOCKREAD);
@@ -260,6 +272,7 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
struct smbXsrv_connection *xconn = req->xconn;
bool signing_desired = false;
bool signing_required = false;
+ NTSTATUS status;
xconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
@@ -337,7 +350,11 @@ static void reply_nt1(struct smb_request *req, uint16_t choice)
SSVAL(req->outbuf,smb_vwv0,choice);
SCVAL(req->outbuf,smb_vwv1,secword);
- smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
+ status = smbXsrv_connection_init_tables(xconn, PROTOCOL_NT1);
+ if (!NT_STATUS_IS_OK(status)) {
+ reply_nterror(req, status);
+ return;
+ }
SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */
SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */
--
2.16.2

@ -1,33 +0,0 @@
From 8fb23665ddad8f65a6461c310ed5680d104fd9bf Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 17 Apr 2018 08:55:23 +0200
Subject: [PATCH] s3:passdb: Do not return OK if we don't have pinfo set up
This prevents a crash in fill_mem_keytab_from_secrets()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13376
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 99859479fc6e12b2f74ce2dfa83da56d8b8f3d26)
---
source3/passdb/machine_account_secrets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 75f31cb04e2..d36fa268a4b 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1317,7 +1317,7 @@ NTSTATUS secrets_fetch_or_upgrade_domain_info(const char *domain,
last_set_time = secrets_fetch_pass_last_set_time(domain);
if (last_set_time == 0) {
- return NT_STATUS_OK;
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
unix_to_nt_time(&last_set_nt, last_set_time);
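Review bot: the new `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` for `last_set_time == 0` has no comment or log line, and the commit message names only the crash in `fill_mem_keytab_from_secrets()`. Add a short comment that at this point the output info has not been filled in, which is why `NT_STATUS_OK` was wrong, and check that the other callers of `secrets_fetch_or_upgrade_domain_info()` that used to receive `NT_STATUS_OK` here handle the new status.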
--
2.16.3

@ -1,130 +0,0 @@
From 2f6d1b8b5a1643082d93f338b0528b861caeff80 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 11 Apr 2018 10:42:21 +0200
Subject: [PATCH] rpc_server: Init local_server_* in
make_internal_rpc_pipe_socketpair
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13370
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Apr 11 15:19:19 CEST 2018 on sn-devel-144
(cherry picked from commit 212815969f4a706bc8395e2f6dbf225318ff2ad7)
---
source3/rpc_server/rpc_ncacn_np.c | 31 +++++++++++++++++++++++--------
source3/rpc_server/rpc_ncacn_np.h | 18 ++++++++++--------
source3/rpc_server/srv_pipe_hnd.c | 18 ++++++++++--------
3 files changed, 43 insertions(+), 24 deletions(-)
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 0728f54b092..d7e7785248d 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -69,14 +69,16 @@ fail:
return NULL;
}
-NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev_ctx,
- struct messaging_context *msg_ctx,
- const char *pipe_name,
- const struct ndr_syntax_id *syntax,
- const struct tsocket_address *remote_address,
- const struct auth_session_info *session_info,
- struct npa_state **pnpa)
+NTSTATUS make_internal_rpc_pipe_socketpair(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev_ctx,
+ struct messaging_context *msg_ctx,
+ const char *pipe_name,
+ const struct ndr_syntax_id *syntax,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ const struct auth_session_info *session_info,
+ struct npa_state **pnpa)
{
TALLOC_CTX *tmp_ctx = talloc_stackframe();
struct named_pipe_client *npc;
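Review bot: the whole parameter list of `make_internal_rpc_pipe_socketpair()` is re-indented in the same hunk that adds `local_address`, which hides the one functional line among eight whitespace-only ones; the header and the call site in srv_pipe_hnd.c repeat the pattern. Split the reflow into its own commit, or keep the old alignment and add only the new parameter, so the change that matters is visible in the diff and in later blame output.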
@@ -136,6 +138,19 @@ NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
goto out;
}
+ npc->local_server_addr = tsocket_address_copy(local_address, npc);
+ if (npc->local_server_addr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ npc->local_server_name = tsocket_address_inet_addr_string(
+ npc->local_server_addr, npc);
+ if (npc->local_server_name == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
npc->session_info = copy_session_info(npc, session_info);
if (npc->session_info == NULL) {
status = NT_STATUS_NO_MEMORY;
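Review bot: `local_address` is handed to `tsocket_address_copy(local_address, npc)` with no NULL check, and a NULL result is reported as `NT_STATUS_NO_MEMORY`. If any caller can pass NULL, that status mislabels an argument error as an allocation failure; test the parameter at the top of the function and return `NT_STATUS_INVALID_PARAMETER`, or document in the header that it must be non-NULL.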
diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
index 03bbd3f8af9..9ba58644ec0 100644
--- a/source3/rpc_server/rpc_ncacn_np.h
+++ b/source3/rpc_server/rpc_ncacn_np.h
@@ -44,14 +44,16 @@ NTSTATUS make_external_rpc_pipe(TALLOC_CTX *mem_ctx,
const struct auth_session_info *session_info,
struct npa_state **pnpa);
-NTSTATUS make_internal_rpc_pipe_socketpair(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev_ctx,
- struct messaging_context *msg_ctx,
- const char *pipe_name,
- const struct ndr_syntax_id *syntax,
- const struct tsocket_address *remote_address,
- const struct auth_session_info *session_info,
- struct npa_state **pnpa);
+NTSTATUS make_internal_rpc_pipe_socketpair(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev_ctx,
+ struct messaging_context *msg_ctx,
+ const char *pipe_name,
+ const struct ndr_syntax_id *syntax,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
+ const struct auth_session_info *session_info,
+ struct npa_state **pnpa);
struct np_proxy_state {
uint16_t file_type;
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index f9b7855b40f..baa4ce96334 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -106,14 +106,16 @@ NTSTATUS np_open(TALLOC_CTX *mem_ctx, const char *name,
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
- status = make_internal_rpc_pipe_socketpair(handle,
- ev_ctx,
- msg_ctx,
- name,
- &syntax,
- remote_client_address,
- session_info,
- &npa);
+ status = make_internal_rpc_pipe_socketpair(
+ handle,
+ ev_ctx,
+ msg_ctx,
+ name,
+ &syntax,
+ remote_client_address,
+ local_server_address,
+ session_info,
+ &npa);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(handle);
return status;
--
2.11.0

File diff suppressed because it is too large

@ -1,47 +0,0 @@
From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Nov 2017 09:21:30 -0800
Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
---
source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 5d46d543002..237e6bb2b54 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
{
struct cli_smb2_close_fnum_state *state = tevent_req_data(
req, struct cli_smb2_close_fnum_state);
- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
- state->cli->raw_status = status;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ state->cli->raw_status = status;
+ }
+ tevent_req_received(req);
return status;
}
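Review bot: `state->cli->raw_status` is now written only inside `if (tevent_req_is_nterror(req, &status))`, whereas the removed lines assigned it on every call. After a successful close the field keeps whatever an earlier failed operation left there. Assign `state->cli->raw_status = status;` unconditionally after the test and before `tevent_req_received(req)`, which still keeps the access ahead of the point where the state is released.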
--
2.15.0.531.g2ccb3012c9-goog

@ -1,165 +0,0 @@
From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 14 Nov 2017 13:52:03 -0800
Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
---
source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
source3/libsmb/cli_smb2_fnum.h | 6 +++
source3/libsmb/clifsinfo.c | 9 ++++
3 files changed, 112 insertions(+)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index a478c41f068..89cb1f479d5 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
return status;
}
+/***************************************************************
+ Wrapper that allows SMB2 to query file system sizes.
+ Synchronous only.
+***************************************************************/
+
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector)
+{
+ NTSTATUS status;
+ uint16_t fnum = 0xffff;
+ DATA_BLOB outbuf = data_blob_null;
+ struct smb2_hnd *ph = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (smbXcli_conn_has_async_calls(cli->conn)) {
+ /*
+ * Can't use sync call while an async call is in flight
+ */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ /* First open the top level directory. */
+ status =
+ cli_smb2_create_fnum(cli, "", 0, /* create_flags */
+ FILE_READ_ATTRIBUTES, /* desired_access */
+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ FILE_SHARE_READ | FILE_SHARE_WRITE |
+ FILE_SHARE_DELETE, /* share_access */
+ FILE_OPEN, /* create_disposition */
+ FILE_DIRECTORY_FILE, /* create_options */
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = map_fnum_to_smb2_handle(cli, fnum, &ph);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
+ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
+
+ status = smb2cli_query_info(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ SMB2_GETINFO_FS, /* in_info_type */
+ /* in_file_info_class */
+ SMB_FS_FULL_SIZE_INFORMATION - 1000,
+ 0xFFFF, /* in_max_output_length */
+ NULL, /* in_input_buffer */
+ 0, /* in_additional_info */
+ 0, /* in_flags */
+ ph->fid_persistent,
+ ph->fid_volatile,
+ frame,
+ &outbuf);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ if (outbuf.length < 32) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ goto fail;
+ }
+
+ *total_allocation_units = BIG_UINT(outbuf.data, 0);
+ *caller_allocation_units = BIG_UINT(outbuf.data, 8);
+ *actual_allocation_units = BIG_UINT(outbuf.data, 16);
+ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
+ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
+
+fail:
+
+ if (fnum != 0xffff) {
+ cli_smb2_close_fnum(cli, fnum);
+ }
+
+ cli->raw_status = status;
+
+ TALLOC_FREE(frame);
+ return status;
+}
+
/***************************************************************
Wrapper that allows SMB2 to query file system attributes.
Synchronous only.
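Review bot: `SMB_FS_FULL_SIZE_INFORMATION - 1000` is passed as the file info class with only the "level 7" remark in the comment above the call to explain it, so the reader has to infer what the subtraction is for. State the conversion in the comment or use a named constant. Two smaller points in the same function: the `fail:` label is also the exit for the success path, so a neutral name would read better, and the return value of `cli_smb2_close_fnum(cli, fnum)` is ignored there. The `outbuf.length < 32` check before the five reads is correct for the offsets used.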
diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
index 9a709e85d96..c9325b66902 100644
--- a/source3/libsmb/cli_smb2_fnum.h
+++ b/source3/libsmb/cli_smb2_fnum.h
@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
uint64_t *total,
uint64_t *avail);
NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector);
NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
uint16_t fnum,
uint32_t sec_info,
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 119b1216fb2..46236390022 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
uint32_t rdata_count;
NTSTATUS status;
+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
+ return cli_smb2_get_fs_full_size_info(cli,
+ total_allocation_units,
+ caller_allocation_units,
+ actual_allocation_units,
+ sectors_per_allocation_unit,
+ bytes_per_sector);
+ }
+
SSVAL(setup, 0, TRANSACT2_QFSINFO);
SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
--
2.15.0.448.gf294e3d99a-goog

@ -1,66 +0,0 @@
From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 16:20:34 -0700
Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
STATUS_INVALID_PARAMETER from an echo.
It does this if we send a session ID of zero. The server still replied.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
---
source3/client/client.c | 8 +++++++-
source3/libsmb/libsmb_server.c | 11 ++++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index b4a6c7d0389..9c57375881d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -5900,7 +5900,13 @@ static void readline_callback(void)
/* Ping the server to keep the connection alive using SMBecho. */
memset(garbage, 0xf0, sizeof(garbage));
status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
- if (NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ /*
+ * Even if server returns NT_STATUS_INVALID_PARAMETER
+ * it still responded.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
return;
}
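Review bot: accepting `NT_STATUS_INVALID_PARAMETER` as a live reply applies to every server here, while the commit message ties the behaviour to NetApp and to a session ID of zero; the new comment should say that the exception is deliberately unconditional. The same exception is coded a second time in `SMBC_check_server()` in this patch, so a small shared helper that answers "did the echo get a reply" would keep the two call sites from drifting apart.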
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index b0e5926fa65..2d41f2facf3 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
1,
data_blob_const(data, sizeof(data)));
if (!NT_STATUS_IS_OK(status)) {
- return 1;
+ /*
+ * Some NetApp servers return
+ * NT_STATUS_INVALID_PARAMETER.That's OK, they still
+ * replied.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
+ if (!NT_STATUS_EQUAL(status,
+ NT_STATUS_INVALID_PARAMETER)) {
+ return 1;
+ }
}
server->last_echo_time = now;
}
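Review bot: The added comment in SMBC_check_server reads `NT_STATUS_INVALID_PARAMETER.That's OK`, missing the space after the period. The nested negative test is also harder to read than the form used in client.c; folding it into one condition, `if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { return 1; }`, keeps the two call sites symmetrical.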
--
2.15.0.448.gf294e3d99a-goog

@ -1,84 +0,0 @@
From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Thu, 23 Nov 2017 15:55:21 +0000
Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
malformed"
When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
instead, this function will determine the correct keytab to use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
---
source3/libads/kerberos_keytab.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ff12ec04af6..ffd100c5636 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
return ret;
}
- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ if (keytab_name == NULL) {
+ ret = ads_keytab_open(context, &keytab);
+ } else {
+ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ }
if (ret) {
DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
error_message(ret)));
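Review bot: The error path after the new branch in ads_keytab_list still logs `smb_krb5_kt_open failed (%s)` even when keytab_name is NULL and the call that failed was ads_keytab_open. Log the function that actually ran, or use a neutral message such as "failed to open keytab", so the debug output does not point at the wrong call.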
--
2.15.0
From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 24 Nov 2017 07:06:27 +0000
Subject: [PATCH 2/2] testprogs: Test net ads keytab list
Test that correct keytab is picked up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
---
testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index bbd99b676bd..c5dbaf69ba2 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# if there is no keytab, try and create it
+if [ ! -f $dedicated_keytab_file ]; then
+ if [ $(command -v ktutil) >/dev/null ]; then
+ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
+ fi
+fi
+
+if [ -f $dedicated_keytab_file ]; then
+ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
+fi
+
rm -f $dedicated_keytab_file
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
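Review bot: In the keytab-creation block, `$DC_PASSWORD` (and `$DC_USERNAME@$REALM`) are expanded inside the printf format string, so a `%` or a backslash in the password is reinterpreted by printf instead of being passed through literally; keep the format fixed and pass the values as arguments to `%s` placeholders. The guard `[ $(command -v ktutil) >/dev/null ]` redirects the output of `[` rather than of `command -v`; `if command -v ktutil >/dev/null 2>&1; then` says what is meant. `$dedicated_keytab_file` is also unquoted in both `-f` tests and on the `keytab list` command line.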
--
2.15.0

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAln7BUkVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
uE8AoLwq4CwndlLlfxZ771nZUMjKVQrmAKCMHeFPFaVfKPhVWW37nQxQ3EXeew==
=LZI3
-----END PGP SIGNATURE-----

@ -1 +0,0 @@
.git/annex/objects/6z/WQ/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz

@ -0,0 +1,270 @@
From 341da4f38809d0efaa282d5281ee69c62a826f9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:06:39 +0200
Subject: [PATCH 1/4] krb5_plugin: Install plugins to krb5 modules dir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/wscript_build | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 15e93db2f05..576855bb56c 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -105,16 +105,18 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
)
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
- bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
- deps='wbclient krb5 com_err',
- realname='winbind_krb5_locator.so')
+ bld.SAMBA_LIBRARY('winbind_krb5_locator',
+ source='winbind_krb5_locator.c',
+ deps='wbclient krb5 com_err',
+ realname='winbind_krb5_locator.so',
+ install_path='${MODULESDIR}/krb5')
if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_localauth',
source='krb5_plugin/winbind_krb5_localauth.c',
deps='wbclient krb5 com_err',
- realname='winbind-krb5-localauth.so')
+ realname='winbind_krb5_localauth.so',
+ install_path='${MODULESDIR}/krb5')
bld.SAMBA_SUBSYSTEM('WB_REQTRANS',
source='wb_reqtrans.c',
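Review bot: Besides adding install_path, the localauth target's realname changes from `winbind-krb5-localauth.so` to `winbind_krb5_localauth.so`, which the subject line ("Install plugins to krb5 modules dir") does not mention. Both the new directory and the new file name change the path that a krb5.conf `module =` line has to point at, so the commit message should state the rename and the new location for packagers and administrators.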
--
2.17.1
From a1e9527b207b4bb045012cf78649362b42351313 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 14:08:56 +0200
Subject: [PATCH 2/4] krb5_plugin: Move krb5 locator plugin to krb5_plugin
subdir
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c | 0
nsswitch/wscript_build | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename nsswitch/{ => krb5_plugin}/winbind_krb5_locator.c (100%)
diff --git a/nsswitch/winbind_krb5_locator.c b/nsswitch/krb5_plugin/winbind_krb5_locator.c
similarity index 100%
rename from nsswitch/winbind_krb5_locator.c
rename to nsswitch/krb5_plugin/winbind_krb5_locator.c
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 576855bb56c..dd1952b799b 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -106,7 +106,7 @@ if bld.CONFIG_SET('WITH_PAM_MODULES') and bld.CONFIG_SET('HAVE_PAM_START'):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBA_LIBRARY('winbind_krb5_locator',
- source='winbind_krb5_locator.c',
+ source='krb5_plugin/winbind_krb5_locator.c',
deps='wbclient krb5 com_err',
realname='winbind_krb5_locator.so',
install_path='${MODULESDIR}/krb5')
--
2.17.1
From b0fa360161aba9aa092bf4ecf0533a49d621a068 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:14:15 +0200
Subject: [PATCH 3/4] docs: Move winbind_krb5_locator manpage to volume 8
The vfs and idmap manpages are in volume 8 too.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
...inbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} | 6 +++---
docs-xml/wscript_build | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
rename docs-xml/manpages/{winbind_krb5_locator.7.xml => winbind_krb5_locator.8.xml} (96%)
diff --git a/docs-xml/manpages/winbind_krb5_locator.7.xml b/docs-xml/manpages/winbind_krb5_locator.8.xml
similarity index 96%
rename from docs-xml/manpages/winbind_krb5_locator.7.xml
rename to docs-xml/manpages/winbind_krb5_locator.8.xml
index 17e401a9da0..0af0c2cc95f 100644
--- a/docs-xml/manpages/winbind_krb5_locator.7.xml
+++ b/docs-xml/manpages/winbind_krb5_locator.8.xml
@@ -1,12 +1,12 @@
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
-<refentry id="winbind_krb5_locator.7">
+<refentry id="winbind_krb5_locator.8">
<refmeta>
<refentrytitle>winbind_krb5_locator</refentrytitle>
- <manvolnum>7</manvolnum>
+ <manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
- <refmiscinfo class="manual">7</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
<refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 954c62a29bc..2d686eb38b0 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -103,7 +103,7 @@ pam_winbind_manpages = '''
manpages/pam_winbind.conf.5
'''
-krb5_locator_manpages = 'manpages/winbind_krb5_locator.7'
+krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
--
2.17.1
From d16a8b65af5de19c1ccbb95e3542d01f77696be3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Jun 2018 15:06:07 +0200
Subject: [PATCH 4/4] docs: Add manpage for winbind_krb5_localauth.8
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13489
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
---
.../manpages/winbind_krb5_localauth.8.xml | 86 +++++++++++++++++++
docs-xml/wscript_build | 4 +
2 files changed, 90 insertions(+)
create mode 100644 docs-xml/manpages/winbind_krb5_localauth.8.xml
diff --git a/docs-xml/manpages/winbind_krb5_localauth.8.xml b/docs-xml/manpages/winbind_krb5_localauth.8.xml
new file mode 100644
index 00000000000..a382e71ead3
--- /dev/null
+++ b/docs-xml/manpages/winbind_krb5_localauth.8.xml
@@ -0,0 +1,86 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="winbind_krb5_localauth.8">
+
+<refmeta>
+ <refentrytitle>winbind_krb5_localauth</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class="source">Samba</refmiscinfo>
+ <refmiscinfo class="manual">8</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+ <refname>winbind_krb5_localauth</refname>
+ <refpurpose>A plugin for MIT Kerberos for mapping user accounts.</refpurpose>
+</refnamediv>
+
+
+<refsect1>
+ <title>DESCRIPTION</title>
+
+ <para>
+ This plugin is part of the
+ <citerefentry><refentrytitle>samba</refentrytitle>
+ <manvolnum>7</manvolnum></citerefentry> suite.
+ </para>
+
+ <para>
+ <command>winbind_krb5_localauth</command> is a plugin that
+ permits the MIT Kerberos libraries that Kerberos principals can
+ be validated against local user accounts.
+ </para>
+</refsect1>
+<refsect1>
+ <title>PREREQUISITES</title>
+ <para>
+ MIT Kerberos (at least version 1.12) is required.
+ </para>
+
+ <para>
+ The plugin queries the <citerefentry><refentrytitle>winbindd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> daemon which needs to be configured
+ and started separately.
+ </para>
+
+ <para>
+ The following sections needs to be added to the
+ <filename>krb5.conf</filename> file.
+
+ <programlisting>
+[plugins]
+ localauth = {
+ module = winbind:/usr/lib64/samba/krb5/winbind_krb5_localauth.so
+ enable_only = winbind
+ }
+ </programlisting>
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>VERSION</title>
+
+ <para>
+ This man page is part of version &doc.version; of the Samba
+ suite.
+ </para>
+</refsect1>
+
+<refsect1>
+ <title>AUTHOR</title>
+
+ <para>
+ The original Samba software and related utilities were created
+ by Andrew Tridgell. Samba is now developed by the Samba Team as
+ an Open Source project similar to the way the Linux kernel is
+ developed.
+ </para>
+
+ <para>
+ The winbind_krb5_localauth manpage was written by Andreas
+ Schneider.
+ </para>
+</refsect1>
+
+</refentry>
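Review bot: The krb5.conf example in PREREQUISITES hard-codes `/usr/lib64/samba/krb5/winbind_krb5_localauth.so`, while patch 1/4 installs the plugin under `${MODULESDIR}/krb5`; on a build with a different libdir the documented path is wrong, so say that the path depends on the installation or describe it relative to the Samba modules directory. Two wording fixes in the same file: "permits the MIT Kerberos libraries that Kerberos principals can be validated" does not parse (something like "allows the MIT Kerberos libraries to validate Kerberos principals against local user accounts"), and "The following sections needs" should be "The following section needs".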
diff --git a/docs-xml/wscript_build b/docs-xml/wscript_build
index 2d686eb38b0..ec5d28fc62a 100644
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@@ -104,6 +104,7 @@ pam_winbind_manpages = '''
'''
krb5_locator_manpages = 'manpages/winbind_krb5_locator.8'
+krb5_localauth_manpages = 'manpages/winbind_krb5_localauth.8'
def smbdotconf_generate_parameter_list(task):
parameter_all = task.outputs[0].bldpath(task.env)
@@ -162,5 +163,8 @@ if ('XSLTPROC_MANPAGES' in bld.env and bld.env['XSLTPROC_MANPAGES']):
if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
bld.SAMBAMANPAGES(krb5_locator_manpages)
+ if bld.CONFIG_SET('HAVE_KRB5_LOCALAUTH_PLUGIN_H'):
+ bld.SAMBAMANPAGES(krb5_localauth_manpages)
+
if bld.SAMBA3_IS_ENABLED_MODULE('vfs_zfsacl'):
bld.SAMBAMANPAGES('manpages/vfs_zfsacl.8')
--
2.17.1

@ -0,0 +1,216 @@
From 091731ca7cc89c10f698a8d52e0ade1a07bde0d3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:18:52 +0200
Subject: [PATCH 1/2] nsswitch: Add tests to lookup user via getpwnam
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 8e96e9ea46351de34ad5cac9a9a9ece4226b462c)
---
nsswitch/tests/test_wbinfo_user_info.sh | 71 ++++++++++++++++++++++++++++-----
selftest/knownfail.d/upn_handling | 2 +
source3/selftest/tests.py | 4 +-
3 files changed, 66 insertions(+), 11 deletions(-)
diff --git a/nsswitch/tests/test_wbinfo_user_info.sh b/nsswitch/tests/test_wbinfo_user_info.sh
index 2803ac1408b..da30f97be74 100755
--- a/nsswitch/tests/test_wbinfo_user_info.sh
+++ b/nsswitch/tests/test_wbinfo_user_info.sh
@@ -2,19 +2,20 @@
# Blackbox test for wbinfo lookup for account name and upn
# Copyright (c) 2018 Andreas Schneider <asn@samba.org>
-if [ $# -lt 5 ]; then
+if [ $# -lt 6 ]; then
cat <<EOF
-Usage: $(basename $0) DOMAIN REALM USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
+Usage: $(basename $0) DOMAIN REALM OWN_DOMAIN USERNAME1 UPN_NAME1 USERNAME2 UPN_NAME2
EOF
exit 1;
fi
DOMAIN=$1
REALM=$2
-USERNAME1=$3
-UPN_NAME1=$4
-USERNAME2=$5
-UPN_NAME2=$6
+OWN_DOMAIN=$3
+USERNAME1=$4
+UPN_NAME1=$5
+USERNAME2=$6
+UPN_NAME2=$7
shift 6
failed=0
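Review bot: The argument handling at the top of the script is inconsistent after OWN_DOMAIN is added: the usage text lists seven positional arguments and the script reads `$7` into UPN_NAME2, but the guard only requires six (`$# -lt 6`) and the unchanged `shift 6` leaves the seventh argument in the positional list. Shift seven, and either require seven arguments or say in the usage text that UPN_NAME2 is optional.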
@@ -31,9 +32,9 @@ test_user_info()
{
local cmd out ret user domain upn userinfo
- domain="$1"
- user="$2"
- upn="$3"
+ local domain="$1"
+ local user="$2"
+ local upn="$3"
if [ $# -lt 3 ]; then
userinfo="$domain/$user"
@@ -62,6 +63,39 @@ test_user_info()
return 0
}
+test_getpwnam()
+{
+ local cmd out ret
+
+ local lookup_username=$1
+ local expected_return=$2
+ local expected_output=$3
+
+ cmd='getent passwd $lookup_username'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+
+ if [ $ret -ne $expected_return ]; then
+ echo "return code: $ret, expected return code is: $expected_return"
+ echo "$out"
+ return 1
+ fi
+
+ if [ -n "$expected_output" ]; then
+ echo "$out" | grep "$expected_output"
+ ret=$?
+
+ if [ $ret -ne 0 ]; then
+ echo "Unable to find $expected_output in:"
+ echo "$out"
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
testit "name_to_sid.domain.$USERNAME1" $wbinfo_tool --name-to-sid $DOMAIN/$USERNAME1 || failed=$(expr $failed + 1)
testit "name_to_sid.upn.$UPN_NAME1" $wbinfo_tool --name-to-sid $UPN1 || failed=$(expr $failed + 1)
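Review bot: test_getpwnam builds the command as a string and runs it through `eval` twice (`eval echo "$cmd"` and `out=$(eval $cmd)`), so the lookup name is re-parsed by the shell and any whitespace or metacharacter in it changes the command that runs. Calling `out=$(getent passwd "$lookup_username")` directly, and echoing the name separately for the log, does the same job without eval. `grep "$expected_output"` also treats the expected string as a regular expression; `grep -F` matches it literally.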
@@ -80,4 +114,23 @@ UPN3="$UPN_NAME3@${REALM}.upn"
testit "name_to_sid.upn.$UPN_NAME3" $wbinfo_tool --name-to-sid $UPN3 || failed=$(expr $failed + 1)
testit "user_info.upn.$UPN_NAME3" test_user_info $DOMAIN $USERNAME3 $UPN3 || failed=$(expr $failed + 1)
+testit "getpwnam.domain.$DOMAIN.$USERNAME1" test_getpwnam "$DOMAIN/$USERNAME1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+testit "getpwnam.upn.$UPN_NAME1" test_getpwnam "$UPN1" 0 "$DOMAIN/$USERNAME1" || failed=$(expr $failed + 1)
+
+# We should not be able to lookup the user just by the name
+test_ret=0
+test_output="$DOMAIN/$USERNAME1"
+
+if [ "$ENVNAME" = "ad_member" ]; then
+ test_ret=2
+ test_output=""
+fi
+if [ "$ENVNAME" = "fl2008r2dc" ]; then
+ test_ret=0
+ test_output="$OWN_DOMAIN/$USERNAME1"
+fi
+
+testit "getpwnam.local.$USERNAME1" test_getpwnam "$USERNAME1" $test_ret $test_output || failed=$(expr $failed + 1)
+
exit $failed
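Review bot: The comment "We should not be able to lookup the user just by the name" does not match the defaults set right below it: `test_ret=0` with `test_output="$DOMAIN/$USERNAME1"` expects the bare-name lookup to succeed, and only the ad_member case expects failure (return code 2, no output). Reword the comment to say which environment expects which result. In the final testit call `$test_output` should be quoted like the arguments in the two calls above it, and the `test_ret=0` in the fl2008r2dc block repeats the default.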
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index bcbedb4f903..7dc9b71dc5e 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,8 +1,10 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
+^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f43d2b14d3a..a9cb2dad792 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -216,13 +216,13 @@ env = "ad_member:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$DOMAIN', '$REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$DOMAIN', '$REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "fl2008r2dc:local"
plantestsuite("samba3.wbinfo_user_info", env,
[ os.path.join(srcdir(),
"nsswitch/tests/test_wbinfo_user_info.sh"),
- '$TRUST_DOMAIN', '$TRUST_REALM', 'alice', 'alice', 'jane', 'jane.doe' ])
+ '$TRUST_DOMAIN', '$TRUST_REALM', '$DOMAIN', 'alice', 'alice', 'jane', 'jane.doe' ])
env = "ad_member"
t = "WBCLIENT-MULTI-PING"
--
2.13.6
From 495f43f5fa972076de996f9c639657672e378c7d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 2 Jul 2018 16:38:01 +0200
Subject: [PATCH 2/2] s3:winbind: Do not lookup local system accounts in AD
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13503
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Jul 4 23:55:56 CEST 2018 on sn-devel-144
(cherry picked from commit 9f28d30633af721efec02d8816a9fa48f795a01c)
---
selftest/knownfail.d/upn_handling | 2 --
source3/winbindd/winbindd_util.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/selftest/knownfail.d/upn_handling b/selftest/knownfail.d/upn_handling
index 7dc9b71dc5e..bcbedb4f903 100644
--- a/selftest/knownfail.d/upn_handling
+++ b/selftest/knownfail.d/upn_handling
@@ -1,10 +1,8 @@
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.ad_member
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.ad_member
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.ad_member
^samba3\.wbinfo_user_info\.user_info\.domain\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.alice.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.domain\.jane.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.jane\.doe.fl2008r2dc
^samba3\.wbinfo_user_info\.name_to_sid\.upn\.testdenied_upn.fl2008r2dc
^samba3\.wbinfo_user_info\.user_info\.upn\.testdenied_upn.fl2008r2dc
-^samba3\.wbinfo_user_info\.getpwnam\.local\.alice.fl2008r2dc
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index aa633419c9a..7a5fb73cdef 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1605,6 +1605,8 @@ bool parse_domain_user(const char *domuser,
} else if (assume_domain(lp_workgroup())) {
fstrcpy(domain, lp_workgroup());
fstrcpy(namespace, domain);
+ } else {
+ fstrcpy(namespace, lp_netbios_name());
}
}
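Review bot: The new else branch in parse_domain_user sets only `namespace` (to lp_netbios_name()), whereas the assume_domain() branch above it sets both `domain` and `namespace`; nothing in the hunk or in the commit message, which has a subject and no body, says why `domain` is left alone here. A short code comment stating that an unqualified name now stays scoped to the local machine instead of being looked up in AD, and what `domain` holds at this point, would make the intent reviewable.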
--
2.13.6

@ -0,0 +1,64 @@
From a922e4e22c470fbfc7ef1b1ac1645a81f59d1846 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 25 Jun 2018 09:58:56 -0400
Subject: [PATCH 1/2] s3:client: Add --quiet option to smbclient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add quiet command-line argument to allow suppressing the help log
message printed automatically after establishing a smbclient connection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13485
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Björn Baumbach <bb@sernet.de>
(cherry picked from commit 89a8b3ecd47b6d9a33e66f22d2786f0ae3b4cb72)
---
source3/client/client.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index 2c1c76036f7..c836e5a0477 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -52,6 +52,7 @@ static int port = 0;
static char *service;
static char *desthost;
static bool grepable = false;
+static bool quiet = false;
static char *cmdstr = NULL;
const char *cmd_ptr = NULL;
@@ -6059,7 +6060,9 @@ static int process_stdin(void)
{
int rc = 0;
- d_printf("Try \"help\" to get a list of possible commands.\n");
+ if (!quiet) {
+ d_printf("Try \"help\" to get a list of possible commands.\n");
+ }
while (!finished) {
TALLOC_CTX *frame = talloc_stackframe();
@@ -6329,6 +6332,7 @@ int main(int argc,char *argv[])
{ "timeout", 't', POPT_ARG_INT, &io_timeout, 'b', "Changes the per-operation timeout", "SECONDS" },
{ "port", 'p', POPT_ARG_INT, &port, 'p', "Port to connect to", "PORT" },
{ "grepable", 'g', POPT_ARG_NONE, NULL, 'g', "Produce grepable output" },
+ { "quiet", 'q', POPT_ARG_NONE, NULL, 'q', "Suppress help message" },
{ "browse", 'B', POPT_ARG_NONE, NULL, 'B', "Browse SMB servers using DNS" },
POPT_COMMON_SAMBA
POPT_COMMON_CONNECTION
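Review bot: The new `--quiet`/`-q` popt entry is user-visible, but the diffstat for this patch touches only source3/client/client.c, so no smbclient manpage update is part of it; if patch 2/2 (not included here) does not add one, the option needs documenting. The help string "Suppress help message" could also name what is suppressed, the `Try "help" to get a list of possible commands.` banner printed by process_stdin, so it is not read as affecting other help output.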
@@ -6451,6 +6455,9 @@ int main(int argc,char *argv[])
case 'g':
grepable=true;
break;
+ case 'q':
+ quiet=true;
+ break;
case 'e':
smb_encrypt=true;
break;
--
2.17.1

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAlsyUq4VHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
U/4AoLhX0k1+ci295ajuSRq9yyBHIMysAJ49UqQcyMAhTdRz/BmgwC9hgrBldg==
=em2I
-----END PGP SIGNATURE-----

BIN
samba-4.8.3.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -6,13 +6,13 @@
# ctdb is enabled by default, you can disable it with: --without clustering # ctdb is enabled by default, you can disable it with: --without clustering
%bcond_without clustering %bcond_without clustering
%define main_release 9 %define main_release 4
%define samba_version 4.7.1 %define samba_version 4.8.3
%define talloc_version 2.1.9 %define talloc_version 2.1.11
%define tdb_version 1.3.14 %define tdb_version 1.3.15
%define tevent_version 0.9.33 %define tevent_version 0.9.36
%define ldb_version 1.2.2 %define ldb_version 1.3.4
# This should be rc1 or nil # This should be rc1 or nil
%define pre_release %nil %define pre_release %nil
@ -25,6 +25,12 @@
# This is a network daemon, do a hardened build # This is a network daemon, do a hardened build
# Enables PIE and full RELRO protection # Enables PIE and full RELRO protection
%global _hardened_build 1 %global _hardened_build 1
# Samba cannot be linked with -Wl,-z,defs (from hardened build config)
# For exmple the samba-cluster-support library is marked to allow undefined
# symbols in the samba build.
#
# https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
%undefine _strict_symbol_defs_build
%global with_libsmbclient 1 %global with_libsmbclient 1
%global with_libwbclient 1 %global with_libwbclient 1
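Review bot: `%undefine _strict_symbol_defs_build` turns off the `-Wl,-z,defs` check for the whole package, while the comment justifies it with a single library (samba-cluster-support); state in the comment that `%global _hardened_build 1` with PIE and full RELRO stays in effect, so the scope of the relaxation is clear to the next packager. The comment also has a typo: "exmple".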
@ -81,9 +87,11 @@
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} %{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
%global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba"
Name: samba Name: samba
Version: %{samba_version} Version: 4.8.3
Release: 9.101.dc%{?dist} Release: 99.beta1.dc%{?dist}
%if 0%{?rhel} %if 0%{?rhel}
Epoch: 0 Epoch: 0
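Review bot: `Version:` changes from `%{samba_version}` to a literal `4.8.3` although `%define samba_version 4.8.3` is still set at the top of the spec, so the version now lives in two places and the next rebase can update one and miss the other; keep `Version: %{samba_version}`. The `main_release` define is likewise changed (9 to 4) while `Release:` is a hand-written `99.beta1.dc%{?dist}`; confirm the macro is still used somewhere or drop it.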
@ -116,19 +124,11 @@ Source14: samba.pamd
Source200: README.dc Source200: README.dc
Source201: README.downgrade Source201: README.downgrade
Patch0: CVE-2017-14746.patch Patch0: samba-4.8.3-fix_krb5_plugins.patch
Patch1: CVE-2017-15275.patch Patch1: samba-4.8.3-fix_winbind_getpwnam_local_user.patch
Patch2: samba-4.7-fix_smbclient_volume.patch Patch2: samba-4.8.3-smbclient_quiet_argument.patch
Patch3: samba-4.7-fix_samba_with_systemd.patch Patch3: CVE-2018-1139.patch
Patch4: samba-4.7-net_ads_keytab_list.patch Patch4: CVE-2018-10858.patch
Patch5: samba-4.7-fix_aesni_intel_support.patch
Patch6: samba-4.7-handle_smb_echo_gracefully.patch
Patch7: samba-4.7-fix_smb2_client_read_after_free.patch
Patch8: samba-4.7-fix_dns_segfault_during_net_ads_join.patch
Patch9: samba-4.7-fix_segfault_in_NT1_connection_setup.patch
Patch10: samba-4.7-fix_segfault_in_keytab_handling.patch
Patch11: samba-4.7-fix_segfault_in_smbclient_dfsgetinfo.patch
Patch12: samba-4.7-fix_smb2_anonymous_connections.patch
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(post): systemd Requires(post): systemd
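Review bot: The patch list drops CVE-2017-14746.patch and CVE-2017-15275.patch along with the other 4.7 patches, and nothing in the visible spec changes records that 4.8.3 already contains those fixes. Add a %changelog entry, or a comment next to the Patch lines, saying the two CVE fixes are included upstream in 4.8.3, so the removal can be audited later without going back to the sources.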
@ -195,7 +195,7 @@ BuildRequires: python-dns
BuildRequires: python-iso8601 BuildRequires: python-iso8601
%if %{with testsuite} %if %{with testsuite}
BuildRequires: python2-pygpgme BuildRequires: python2-pygpgme
BuildRequires: python2-subunit BuildRequires: python2-markdown
%endif %endif
BuildRequires: quota-devel BuildRequires: quota-devel
BuildRequires: readline-devel BuildRequires: readline-devel
@ -831,7 +831,13 @@ xzcat %{SOURCE0} | gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} -
%if %with_intel_aes_accel %if %with_intel_aes_accel
--accel-aes=intelaesni \ --accel-aes=intelaesni \
%endif %endif
--with-systemd --with-systemd \
--systemd-install-services \
--with-systemddir=/usr/lib/systemd/system \
--systemd-smb-extra=%{_systemd_extra} \
--systemd-nmb-extra=%{_systemd_extra} \
--systemd-winbind-extra=%{_systemd_extra} \
--systemd-samba-extra=%{_systemd_extra}
make %{?_smp_mflags} make %{?_smp_mflags}
@ -860,7 +866,6 @@ install -d -m 0755 %{buildroot}/var/lib/samba/private
install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/scripts
install -d -m 0755 %{buildroot}/var/lib/samba/sysvol install -d -m 0755 %{buildroot}/var/lib/samba/sysvol
install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged
install -d -m 0755 %{buildroot}/var/lib/samba/bind-dns
install -d -m 0755 %{buildroot}/var/log/samba/old install -d -m 0755 %{buildroot}/var/log/samba/old
install -d -m 0755 %{buildroot}/var/spool/samba install -d -m 0755 %{buildroot}/var/spool/samba
install -d -m 0755 %{buildroot}/var/run/samba install -d -m 0755 %{buildroot}/var/run/samba
@ -929,15 +934,6 @@ install -m 0644 %{SOURCE200} packaging/README.dc
install -m 0644 %{SOURCE200} packaging/README.dc-libs install -m 0644 %{SOURCE200} packaging/README.dc-libs
%endif %endif
install -d -m 0755 %{buildroot}%{_unitdir}
services="nmb smb winbind"
%if %with_dc
services="$services samba"
%endif
for i in $services ; do
cat packaging/systemd/$i.service | sed -e 's@\[Service\]@[Service]\nEnvironment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba@g' >tmp$i.service
install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
done
%if %with_clustering_support %if %with_clustering_support
install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir} install -m 0644 ctdb/config/ctdb.service %{buildroot}%{_unitdir}
%endif %endif
@ -952,16 +948,28 @@ install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%if ! %with_dc %if ! %with_dc
for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \ for i in \
%{_libdir}/samba/libdfs-server-ad-samba4.so \
%{_libdir}/samba/libdnsserver-common-samba4.so \ %{_libdir}/samba/libdnsserver-common-samba4.so \
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba-tool.8 \
%{_libdir}/samba/ldb/ildap.so \ %{_libdir}/samba/ldb/ildap.so \
%{_libdir}/samba/ldb/ldbsamba_extensions.so \ %{_libdir}/samba/ldb/ldbsamba_extensions.so \
%{_mandir}/man8/samba.8 \
%{_mandir}/man8/samba-tool.8 \
%{_mandir}/man8/samba_gpoupdate.8 \
%{_sbindir}/samba_gpoupdate \
%{python_sitearch}/samba/colour.py* \
%{python_sitearch}/samba/domain_update.py* \
%{python_sitearch}/samba/forest_update.py* \
%{python_sitearch}/samba/gpclass.py* \
%{python_sitearch}/samba/graph.py* \
%{python_sitearch}/samba/ms_forest_updates_markdown.py* \
%{python_sitearch}/samba/ms_schema_markdown.py* \
%{python_sitearch}/samba/gpo.so \
%{python_sitearch}/samba/dcerpc/dnsserver.so \ %{python_sitearch}/samba/dcerpc/dnsserver.so \
%{python_sitearch}/samba/netcmd/fsmo.py* \ %{python_sitearch}/samba/netcmd/fsmo.py* \
%{python_sitearch}/samba/netcmd/rodc.py* \ %{python_sitearch}/samba/netcmd/rodc.py* \
%{python_sitearch}/samba/netcmd/visualize.py* \
%{python_sitearch}/samba/kcc/__init__.py* \ %{python_sitearch}/samba/kcc/__init__.py* \
%{python_sitearch}/samba/kcc/debug.py* \ %{python_sitearch}/samba/kcc/debug.py* \
%{python_sitearch}/samba/kcc/graph.py* \ %{python_sitearch}/samba/kcc/graph.py* \
@ -982,6 +990,9 @@ for i in %{_libdir}/samba/libdfs-server-ad-samba4.so \
%{python_sitearch}/samba/dsdb_dns.so \ %{python_sitearch}/samba/dsdb_dns.so \
%{python_sitearch}/samba/samdb.py* \ %{python_sitearch}/samba/samdb.py* \
%{python_sitearch}/samba/schema.py* \ %{python_sitearch}/samba/schema.py* \
%{python_sitearch}/samba/tests/krb5_credentials.py* \
%{python_sitearch}/samba/tests/password_quality.py* \
%{_unitdir}/samba.service \
; do ; do
rm -f %{buildroot}$i rm -f %{buildroot}$i
done done
@ -1137,18 +1148,18 @@ fi
%postun winbind-krb5-locator %postun winbind-krb5-locator
if [ "$1" -ge "1" ]; then if [ "$1" -ge "1" ]; then
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/winbind_krb5_locator.so" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "%{_libdir}/samba/krb5/winbind_krb5_locator.so" ]; then
%{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so %{_sbindir}/update-alternatives --set winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
fi fi
fi fi
%post winbind-krb5-locator %post winbind-krb5-locator
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so 10 winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so 10
%preun winbind-krb5-locator %preun winbind-krb5-locator
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/winbind_krb5_locator.so %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
fi fi
%post winbind-modules -p /sbin/ldconfig %post winbind-modules -p /sbin/ldconfig
@ -1194,7 +1205,6 @@ rm -rf %{buildroot}
%{_libdir}/samba/vfs/acl_tdb.so %{_libdir}/samba/vfs/acl_tdb.so
%{_libdir}/samba/vfs/acl_xattr.so %{_libdir}/samba/vfs/acl_xattr.so
%{_libdir}/samba/vfs/aio_fork.so %{_libdir}/samba/vfs/aio_fork.so
%{_libdir}/samba/vfs/aio_linux.so
%{_libdir}/samba/vfs/aio_pthread.so %{_libdir}/samba/vfs/aio_pthread.so
%{_libdir}/samba/vfs/audit.so %{_libdir}/samba/vfs/audit.so
%{_libdir}/samba/vfs/btrfs.so %{_libdir}/samba/vfs/btrfs.so
@ -1230,6 +1240,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/vfs/syncops.so %{_libdir}/samba/vfs/syncops.so
%{_libdir}/samba/vfs/time_audit.so %{_libdir}/samba/vfs/time_audit.so
%{_libdir}/samba/vfs/unityed_media.so %{_libdir}/samba/vfs/unityed_media.so
%{_libdir}/samba/vfs/virusfilter.so
%{_libdir}/samba/vfs/worm.so %{_libdir}/samba/vfs/worm.so
%{_libdir}/samba/vfs/xattr_tdb.so %{_libdir}/samba/vfs/xattr_tdb.so
@ -1246,7 +1257,6 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_acl_tdb.8* %{_mandir}/man8/vfs_acl_tdb.8*
%{_mandir}/man8/vfs_acl_xattr.8* %{_mandir}/man8/vfs_acl_xattr.8*
%{_mandir}/man8/vfs_aio_fork.8* %{_mandir}/man8/vfs_aio_fork.8*
%{_mandir}/man8/vfs_aio_linux.8*
%{_mandir}/man8/vfs_aio_pthread.8* %{_mandir}/man8/vfs_aio_pthread.8*
%{_mandir}/man8/vfs_audit.8* %{_mandir}/man8/vfs_audit.8*
%{_mandir}/man8/vfs_btrfs.8* %{_mandir}/man8/vfs_btrfs.8*
@ -1266,6 +1276,7 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_linux_xfs_sgid.8* %{_mandir}/man8/vfs_linux_xfs_sgid.8*
%{_mandir}/man8/vfs_media_harmony.8* %{_mandir}/man8/vfs_media_harmony.8*
%{_mandir}/man8/vfs_netatalk.8* %{_mandir}/man8/vfs_netatalk.8*
%{_mandir}/man8/vfs_nfs4acl_xattr.8*
%{_mandir}/man8/vfs_offline.8* %{_mandir}/man8/vfs_offline.8*
%{_mandir}/man8/vfs_prealloc.8* %{_mandir}/man8/vfs_prealloc.8*
%{_mandir}/man8/vfs_preopen.8* %{_mandir}/man8/vfs_preopen.8*
@ -1282,6 +1293,7 @@ rm -rf %{buildroot}
%{_mandir}/man8/vfs_time_audit.8* %{_mandir}/man8/vfs_time_audit.8*
%{_mandir}/man8/vfs_tsmsm.8* %{_mandir}/man8/vfs_tsmsm.8*
%{_mandir}/man8/vfs_unityed_media.8* %{_mandir}/man8/vfs_unityed_media.8*
%{_mandir}/man8/vfs_virusfilter.8*
%{_mandir}/man8/vfs_worm.8* %{_mandir}/man8/vfs_worm.8*
%{_mandir}/man8/vfs_xattr_tdb.8* %{_mandir}/man8/vfs_xattr_tdb.8*
@ -1340,6 +1352,8 @@ rm -rf %{buildroot}
%{_mandir}/man5/smbgetrc.5* %{_mandir}/man5/smbgetrc.5*
%{_mandir}/man1/smbtar.1* %{_mandir}/man1/smbtar.1*
%{_mandir}/man1/smbtree.1* %{_mandir}/man1/smbtree.1*
%{_mandir}/man7/traffic_learner.7.*
%{_mandir}/man7/traffic_replay.7.*
%{_mandir}/man8/cifsdd.8.* %{_mandir}/man8/cifsdd.8.*
%{_mandir}/man8/samba-regedit.8* %{_mandir}/man8/samba-regedit.8*
%{_mandir}/man8/smbspool.8* %{_mandir}/man8/smbspool.8*
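Review bot: the two added man7 entries use the glob `.7.*`, which matches only when the page has a further suffix such as a compression extension, while the neighbouring entries (`smbtar.1*`, `smbtree.1*`) use the `.N*` form that matches both compressed and uncompressed pages. Suggest `traffic_learner.7*` and `traffic_replay.7*` for consistency, so the build does not depend on man page compression being enabled.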
@ -1421,7 +1435,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libflag-mapping-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so
%{_libdir}/samba/libgenrand-samba4.so %{_libdir}/samba/libgenrand-samba4.so
%{_libdir}/samba/libgensec-samba4.so %{_libdir}/samba/libgensec-samba4.so
%{_libdir}/samba/libgpo-samba4.so %{_libdir}/samba/libgpext-samba4.so
%{_libdir}/samba/libgse-samba4.so %{_libdir}/samba/libgse-samba4.so
%{_libdir}/samba/libhttp-samba4.so %{_libdir}/samba/libhttp-samba4.so
%{_libdir}/samba/libinterfaces-samba4.so %{_libdir}/samba/libinterfaces-samba4.so
@ -1572,12 +1586,14 @@ rm -rf %{buildroot}
%{_sbindir}/samba %{_sbindir}/samba
%{_sbindir}/samba_kcc %{_sbindir}/samba_kcc
%{_sbindir}/samba_dnsupdate %{_sbindir}/samba_dnsupdate
%{_sbindir}/samba_gpoupdate
%{_sbindir}/samba_spnupdate %{_sbindir}/samba_spnupdate
%{_sbindir}/samba_upgradedns %{_sbindir}/samba_upgradedns
#%{_libdir}/krb5/plugins/kdb/samba.so #%{_libdir}/krb5/plugins/kdb/samba.so
%{_libdir}/samba/auth/samba4.so %{_libdir}/samba/auth/samba4.so
%{_libdir}/samba/libgpo-samba4.so
%{_libdir}/samba/libpac-samba4.so %{_libdir}/samba/libpac-samba4.so
%dir %{_libdir}/samba/gensec %dir %{_libdir}/samba/gensec
%{_libdir}/samba/gensec/krb5.so %{_libdir}/samba/gensec/krb5.so
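Review bot: `%{_libdir}/samba/libgpo-samba4.so` now appears only in this list, next to `samba_kcc` and `samba_gpoupdate`, because the earlier hunk replaced it with `libgpext-samba4.so` in the other library list. If this list sits inside the `with_dc` conditional, a build without DC support would leave the library unpackaged, and any consumer outside the DC package would need a dependency on it. Please confirm that nothing in the non-DC packages links against `libgpo-samba4.so`, and add a short spec comment explaining the move.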
@ -1588,6 +1604,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/dirsync.so %{_libdir}/samba/ldb/dirsync.so
%{_libdir}/samba/ldb/dns_notify.so %{_libdir}/samba/ldb/dns_notify.so
%{_libdir}/samba/ldb/dsdb_notification.so %{_libdir}/samba/ldb/dsdb_notification.so
%{_libdir}/samba/ldb/encrypted_secrets.so
%{_libdir}/samba/ldb/extended_dn_in.so %{_libdir}/samba/ldb/extended_dn_in.so
%{_libdir}/samba/ldb/extended_dn_out.so %{_libdir}/samba/ldb/extended_dn_out.so
%{_libdir}/samba/ldb/extended_dn_store.so %{_libdir}/samba/ldb/extended_dn_store.so
@ -1622,6 +1639,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/ldb/subtree_delete.so %{_libdir}/samba/ldb/subtree_delete.so
%{_libdir}/samba/ldb/subtree_rename.so %{_libdir}/samba/ldb/subtree_rename.so
%{_libdir}/samba/ldb/tombstone_reanimate.so %{_libdir}/samba/ldb/tombstone_reanimate.so
%{_libdir}/samba/ldb/unique_object_sids.so
%{_libdir}/samba/ldb/update_keytab.so %{_libdir}/samba/ldb/update_keytab.so
%{_libdir}/samba/ldb/vlv.so %{_libdir}/samba/ldb/vlv.so
%{_libdir}/samba/ldb/wins_ldb.so %{_libdir}/samba/ldb/wins_ldb.so
@ -1630,6 +1648,7 @@ rm -rf %{buildroot}
%{_datadir}/samba/setup %{_datadir}/samba/setup
%{_mandir}/man8/samba.8* %{_mandir}/man8/samba.8*
%{_mandir}/man8/samba-tool.8* %{_mandir}/man8/samba-tool.8*
%{_mandir}/man8/samba_gpoupdate.8*
%else # with_dc %else # with_dc
%doc packaging/README.dc %doc packaging/README.dc
%endif # with_dc %endif # with_dc
@ -1642,6 +1661,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/libprocess-model-samba4.so %{_libdir}/samba/libprocess-model-samba4.so
%{_libdir}/samba/libservice-samba4.so %{_libdir}/samba/libservice-samba4.so
%dir %{_libdir}/samba/process_model %dir %{_libdir}/samba/process_model
%{_libdir}/samba/process_model/prefork.so
%{_libdir}/samba/process_model/standard.so %{_libdir}/samba/process_model/standard.so
%dir %{_libdir}/samba/service %dir %{_libdir}/samba/service
%{_libdir}/samba/service/cldap.so %{_libdir}/samba/service/cldap.so
@ -1662,20 +1682,6 @@ rm -rf %{buildroot}
%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdnsserver-common-samba4.so
%{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so
%{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so
%{_libdir}/samba/libHDB-SAMBA4-samba4.so
%{_libdir}/samba/libasn1-samba4.so.8*
%{_libdir}/samba/libcom_err-samba4.so.0*
%{_libdir}/samba/libgssapi-samba4.so.2*
%{_libdir}/samba/libhcrypto-samba4.so.5*
%{_libdir}/samba/libhdb-samba4.so.11*
%{_libdir}/samba/libheimbase-samba4.so.1*
%{_libdir}/samba/libheimntlm-samba4.so.1*
%{_libdir}/samba/libhx509-samba4.so.5*
%{_libdir}/samba/libkdc-samba4.so.2*
%{_libdir}/samba/libkrb5-samba4.so.26*
%{_libdir}/samba/libroken-samba4.so.19*
%{_libdir}/samba/libwind-samba4.so.0*
%else %else
%doc packaging/README.dc-libs %doc packaging/README.dc-libs
%endif # with_dc %endif # with_dc
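Review bot: this hunk drops all thirteen bundled Heimdal libraries (`libkdc-samba4.so.2*`, `libhdb-samba4.so.11*`, `libkrb5-samba4.so.26*` and the rest) from the DC library list, while the `krb5/plugins/kdb/samba.so` line in the DC section stays commented out, so the visible DC file lists no longer contain any KDC-related file. For a package whose purpose is a DC build, the spec should say which Kerberos implementation it is built against and where the KDC pieces are packaged. If the build still produces these libraries, the removal will also fail the build on unpackaged files. Suggest a comment above this list, plus a changelog entry, stating the intended Kerberos backend.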
@ -1993,6 +1999,10 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/ndr.py* %{python_sitearch}/samba/ndr.py*
%{python_sitearch}/samba/net.so %{python_sitearch}/samba/net.so
%{python_sitearch}/samba/netbios.so %{python_sitearch}/samba/netbios.so
%dir %{python_sitearch}/samba/emulate
%{python_sitearch}/samba/emulate/__init__.py*
%{python_sitearch}/samba/emulate/traffic.py*
%{python_sitearch}/samba/emulate/traffic_packets.py*
%dir %{python_sitearch}/samba/netcmd %dir %{python_sitearch}/samba/netcmd
%{python_sitearch}/samba/netcmd/__init__.py* %{python_sitearch}/samba/netcmd/__init__.py*
%{python_sitearch}/samba/netcmd/common.py* %{python_sitearch}/samba/netcmd/common.py*
@ -2070,11 +2080,17 @@ rm -rf %{buildroot}
%dir %{python_sitearch}/samba/web_server %dir %{python_sitearch}/samba/web_server
%{python_sitearch}/samba/web_server/__init__.py* %{python_sitearch}/samba/web_server/__init__.py*
%{python_sitearch}/samba/domain_update.py*
%{python_sitearch}/samba/dckeytab.so %{python_sitearch}/samba/dckeytab.so
%{python_sitearch}/samba/dnsserver.py* %{python_sitearch}/samba/dnsserver.py*
%{python_sitearch}/samba/drs_utils.py* %{python_sitearch}/samba/drs_utils.py*
%{python_sitearch}/samba/dsdb.so %{python_sitearch}/samba/dsdb.so
%{python_sitearch}/samba/dsdb_dns.so %{python_sitearch}/samba/dsdb_dns.so
%{python_sitearch}/samba/forest_update.py*
%{python_sitearch}/samba/gpclass.py*
%{python_sitearch}/samba/gpo.so
%{python_sitearch}/samba/ms_forest_updates_markdown.py*
%{python_sitearch}/samba/ms_schema_markdown.py*
%{python_sitearch}/samba/samdb.py* %{python_sitearch}/samba/samdb.py*
%{python_sitearch}/samba/schema.py* %{python_sitearch}/samba/schema.py*
%endif %endif
@ -2093,8 +2109,13 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/auth_log_samlogon.py* %{python_sitearch}/samba/tests/auth_log_samlogon.py*
%dir %{python_sitearch}/samba/tests/blackbox %dir %{python_sitearch}/samba/tests/blackbox
%{python_sitearch}/samba/tests/blackbox/__init__.py* %{python_sitearch}/samba/tests/blackbox/__init__.py*
%{python_sitearch}/samba/tests/blackbox/check_output.py*
%{python_sitearch}/samba/tests/blackbox/ndrdump.py* %{python_sitearch}/samba/tests/blackbox/ndrdump.py*
%{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py* %{python_sitearch}/samba/tests/blackbox/samba_dnsupdate.py*
%{python_sitearch}/samba/tests/blackbox/smbcontrol.py*
%{python_sitearch}/samba/tests/blackbox/traffic_learner.py*
%{python_sitearch}/samba/tests/blackbox/traffic_replay.py*
%{python_sitearch}/samba/tests/blackbox/traffic_summary.py*
%{python_sitearch}/samba/tests/common.py* %{python_sitearch}/samba/tests/common.py*
%{python_sitearch}/samba/tests/core.py* %{python_sitearch}/samba/tests/core.py*
%{python_sitearch}/samba/tests/credentials.py* %{python_sitearch}/samba/tests/credentials.py*
@ -2124,10 +2145,17 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/dns_wildcard.py* %{python_sitearch}/samba/tests/dns_wildcard.py*
%{python_sitearch}/samba/tests/docs.py* %{python_sitearch}/samba/tests/docs.py*
%{python_sitearch}/samba/tests/dsdb.py* %{python_sitearch}/samba/tests/dsdb.py*
%{python_sitearch}/samba/tests/dsdb_lock.py*
%{python_sitearch}/samba/tests/dsdb_schema_attributes.py* %{python_sitearch}/samba/tests/dsdb_schema_attributes.py*
%dir %{python_sitearch}/samba/tests/emulate
%{python_sitearch}/samba/tests/emulate/__init__.py*
%{python_sitearch}/samba/tests/emulate/traffic.py*
%{python_sitearch}/samba/tests/emulate/traffic_packet.py*
%{python_sitearch}/samba/tests/encrypted_secrets.py*
%{python_sitearch}/samba/tests/gensec.py* %{python_sitearch}/samba/tests/gensec.py*
%{python_sitearch}/samba/tests/get_opt.py* %{python_sitearch}/samba/tests/get_opt.py*
%{python_sitearch}/samba/tests/glue.py* %{python_sitearch}/samba/tests/glue.py*
%{python_sitearch}/samba/tests/graph.py*
%{python_sitearch}/samba/tests/hostconfig.py* %{python_sitearch}/samba/tests/hostconfig.py*
%{python_sitearch}/samba/tests/join.py* %{python_sitearch}/samba/tests/join.py*
%dir %{python_sitearch}/samba/tests/kcc %dir %{python_sitearch}/samba/tests/kcc
@ -2144,8 +2172,9 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/netcmd.py* %{python_sitearch}/samba/tests/netcmd.py*
%{python_sitearch}/samba/tests/netlogonsvc.py* %{python_sitearch}/samba/tests/netlogonsvc.py*
%{python_sitearch}/samba/tests/ntacls.py* %{python_sitearch}/samba/tests/ntacls.py*
%{python_sitearch}/samba/tests/ntlmauth.py* %{python_sitearch}/samba/tests/ntlmdisabled.py*
%{python_sitearch}/samba/tests/pam_winbind.py* %{python_sitearch}/samba/tests/pam_winbind.py*
%{python_sitearch}/samba/tests/pam_winbind_warn_pwd_expire.py*
%{python_sitearch}/samba/tests/param.py* %{python_sitearch}/samba/tests/param.py*
%{python_sitearch}/samba/tests/password_hash.py* %{python_sitearch}/samba/tests/password_hash.py*
%{python_sitearch}/samba/tests/password_hash_fl2003.py* %{python_sitearch}/samba/tests/password_hash_fl2003.py*
@ -2166,9 +2195,11 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/samba_tool/fsmo.py* %{python_sitearch}/samba/tests/samba_tool/fsmo.py*
%{python_sitearch}/samba/tests/samba_tool/gpo.py* %{python_sitearch}/samba/tests/samba_tool/gpo.py*
%{python_sitearch}/samba/tests/samba_tool/group.py* %{python_sitearch}/samba/tests/samba_tool/group.py*
%{python_sitearch}/samba/tests/samba_tool/help.py*
%{python_sitearch}/samba/tests/samba_tool/join.py* %{python_sitearch}/samba/tests/samba_tool/join.py*
%{python_sitearch}/samba/tests/samba_tool/ntacl.py* %{python_sitearch}/samba/tests/samba_tool/ntacl.py*
%{python_sitearch}/samba/tests/samba_tool/processes.py* %{python_sitearch}/samba/tests/samba_tool/processes.py*
%{python_sitearch}/samba/tests/samba_tool/provision_password_check.py*
%{python_sitearch}/samba/tests/samba_tool/rodc.py* %{python_sitearch}/samba/tests/samba_tool/rodc.py*
%{python_sitearch}/samba/tests/samba_tool/sites.py* %{python_sitearch}/samba/tests/samba_tool/sites.py*
%{python_sitearch}/samba/tests/samba_tool/timecmd.py* %{python_sitearch}/samba/tests/samba_tool/timecmd.py*
@ -2176,11 +2207,14 @@ rm -rf %{buildroot}
%{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py* %{python_sitearch}/samba/tests/samba_tool/user_check_password_script.py*
%{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py* %{python_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py*
%{python_sitearch}/samba/tests/samba_tool/user_wdigest.py* %{python_sitearch}/samba/tests/samba_tool/user_wdigest.py*
%{python_sitearch}/samba/tests/samba_tool/visualize.py*
%{python_sitearch}/samba/tests/samba_tool/visualize_drs.py*
%{python_sitearch}/samba/tests/samdb.py* %{python_sitearch}/samba/tests/samdb.py*
%{python_sitearch}/samba/tests/security.py* %{python_sitearch}/samba/tests/security.py*
%{python_sitearch}/samba/tests/source.py* %{python_sitearch}/samba/tests/source.py*
%{python_sitearch}/samba/tests/strings.py* %{python_sitearch}/samba/tests/strings.py*
%{python_sitearch}/samba/tests/subunitrun.py* %{python_sitearch}/samba/tests/subunitrun.py*
%{python_sitearch}/samba/tests/tdb_util.py*
%{python_sitearch}/samba/tests/unicodenames.py* %{python_sitearch}/samba/tests/unicodenames.py*
%{python_sitearch}/samba/tests/upgrade.py* %{python_sitearch}/samba/tests/upgrade.py*
%{python_sitearch}/samba/tests/upgradeprovision.py* %{python_sitearch}/samba/tests/upgradeprovision.py*
@ -2237,15 +2271,17 @@ rm -rf %{buildroot}
%defattr(-,root,root) %defattr(-,root,root)
%{_bindir}/ntlm_auth %{_bindir}/ntlm_auth
%{_bindir}/wbinfo %{_bindir}/wbinfo
%{_libdir}/samba/krb5/winbind_krb5_localauth.so
%{_mandir}/man1/ntlm_auth.1.gz %{_mandir}/man1/ntlm_auth.1.gz
%{_mandir}/man1/wbinfo.1* %{_mandir}/man1/wbinfo.1*
%{_mandir}/man8/winbind_krb5_localauth.8*
### WINBIND-KRB5-LOCATOR ### WINBIND-KRB5-LOCATOR
%files winbind-krb5-locator %files winbind-krb5-locator
%defattr(-,root,root) %defattr(-,root,root)
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%{_libdir}/winbind_krb5_locator.so %{_libdir}/samba/krb5/winbind_krb5_locator.so
%{_mandir}/man7/winbind_krb5_locator.7* %{_mandir}/man8/winbind_krb5_locator.8*
### WINBIND-MODULES ### WINBIND-MODULES
%files winbind-modules %files winbind-modules
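Review bot: `winbind_krb5_localauth.so` is added under `%{_libdir}/samba/krb5/` with no counterpart to what the locator plugin gets, which is a `%ghost` link under `%{_libdir}/krb5/plugins/libkrb5/` managed through update-alternatives. As packaged, the localauth module sits outside the krb5 plugin directory, so libkrb5 will only load it if an administrator points krb5.conf at the full path. Either document that step (the new `winbind_krb5_localauth.8` page is a good place to reference from the package description) or state in the spec that the module is intentionally not enabled by default. Separately, the locator man page moves from `man7` to `man8` in the same hunk; worth a changelog line, since scripts or docs referring to section 7 will break.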
@ -2381,7 +2417,11 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/pkt_read_test %{_libexecdir}/ctdb/tests/pkt_read_test
%{_libexecdir}/ctdb/tests/pkt_write_test %{_libexecdir}/ctdb/tests/pkt_write_test
%{_libexecdir}/ctdb/tests/porting_tests %{_libexecdir}/ctdb/tests/porting_tests
%{_libexecdir}/ctdb/tests/protocol_client_test %{_libexecdir}/ctdb/tests/protocol_basic_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_compat_test
%{_libexecdir}/ctdb/tests/protocol_ctdb_test
%{_libexecdir}/ctdb/tests/protocol_event_test
%{_libexecdir}/ctdb/tests/protocol_types_compat_test
%{_libexecdir}/ctdb/tests/protocol_types_test %{_libexecdir}/ctdb/tests/protocol_types_test
%{_libexecdir}/ctdb/tests/protocol_util_test %{_libexecdir}/ctdb/tests/protocol_util_test
%{_libexecdir}/ctdb/tests/rb_test %{_libexecdir}/ctdb/tests/rb_test
@ -2393,6 +2433,8 @@ rm -rf %{buildroot}
%{_libexecdir}/ctdb/tests/srvid_test %{_libexecdir}/ctdb/tests/srvid_test
%{_libexecdir}/ctdb/tests/test_mutex_raw %{_libexecdir}/ctdb/tests/test_mutex_raw
%{_libexecdir}/ctdb/tests/transaction_loop %{_libexecdir}/ctdb/tests/transaction_loop
%{_libexecdir}/ctdb/tests/tunnel_cmd
%{_libexecdir}/ctdb/tests/tunnel_test
%{_libexecdir}/ctdb/tests/update_record %{_libexecdir}/ctdb/tests/update_record
%{_libexecdir}/ctdb/tests/update_record_persistent %{_libexecdir}/ctdb/tests/update_record_persistent
@ -2409,6 +2451,8 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh %{_datadir}/ctdb/tests/complex/33_gratuitous_arp.sh
%{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh %{_datadir}/ctdb/tests/complex/34_nfs_tickle_restart.sh
%{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh %{_datadir}/ctdb/tests/complex/35_cifs_external_tickle.sh
%{_datadir}/ctdb/tests/complex/36_smb_reset_server.sh
%{_datadir}/ctdb/tests/complex/37_nfs_reset_server.sh
%{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh %{_datadir}/ctdb/tests/complex/41_failover_ping_discrete.sh
%{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh %{_datadir}/ctdb/tests/complex/42_failover_ssh_hostname.sh
%{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh %{_datadir}/ctdb/tests/complex/43_failover_nfs_basic.sh
@ -2432,7 +2476,11 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/cunit/porting_tests_001.sh %{_datadir}/ctdb/tests/cunit/porting_tests_001.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_001.sh %{_datadir}/ctdb/tests/cunit/protocol_test_001.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_002.sh %{_datadir}/ctdb/tests/cunit/protocol_test_002.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_003.sh %{_datadir}/ctdb/tests/cunit/protocol_test_012.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_101.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_102.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_111.sh
%{_datadir}/ctdb/tests/cunit/protocol_test_201.sh
%{_datadir}/ctdb/tests/cunit/rb_test_001.sh %{_datadir}/ctdb/tests/cunit/rb_test_001.sh
%{_datadir}/ctdb/tests/cunit/reqid_test_001.sh %{_datadir}/ctdb/tests/cunit/reqid_test_001.sh
%{_datadir}/ctdb/tests/cunit/run_event_001.sh %{_datadir}/ctdb/tests/cunit/run_event_001.sh
@ -2510,6 +2558,10 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh %{_datadir}/ctdb/tests/eventscripts/06.nfs.releaseip.002.sh
%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.001.sh
%{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh %{_datadir}/ctdb/tests/eventscripts/06.nfs.takeip.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.010.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.011.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.012.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.013.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.init.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.init.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.init.021.sh
@ -2536,10 +2588,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.multi.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.010.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.011.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.012.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.releaseip.013.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh %{_datadir}/ctdb/tests/eventscripts/10.interface.takeip.001.sh
@ -2593,13 +2641,28 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.003.sh
%{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh %{_datadir}/ctdb/tests/eventscripts/20.multipathd.monitor.004.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/31.clamd.monitor.003.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh %{_datadir}/ctdb/tests/eventscripts/40.vsftpd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/40.vsftpd.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh %{_datadir}/ctdb/tests/eventscripts/41.httpd.monitor.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/41.httpd.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh %{_datadir}/ctdb/tests/eventscripts/49.winbind.monitor.102.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.shutdown.002.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.001.sh
%{_datadir}/ctdb/tests/eventscripts/49.winbind.startup.002.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.001.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.101.sh
%{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh %{_datadir}/ctdb/tests/eventscripts/50.samba.monitor.103.sh
@ -2735,7 +2798,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo %{_datadir}/ctdb/tests/eventscripts/stubs/wbinfo
%dir %{_datadir}/ctdb/tests/onnode %dir %{_datadir}/ctdb/tests/onnode
%{_datadir}/ctdb/tests/onnode/README
%{_datadir}/ctdb/tests/onnode/0001.sh %{_datadir}/ctdb/tests/onnode/0001.sh
%{_datadir}/ctdb/tests/onnode/0002.sh %{_datadir}/ctdb/tests/onnode/0002.sh
%{_datadir}/ctdb/tests/onnode/0003.sh %{_datadir}/ctdb/tests/onnode/0003.sh
@ -2754,7 +2816,6 @@ rm -rf %{buildroot}
%dir %{_datadir}/ctdb/tests/onnode/stubs %dir %{_datadir}/ctdb/tests/onnode/stubs
%{_datadir}/ctdb/tests/onnode/stubs/ctdb %{_datadir}/ctdb/tests/onnode/stubs/ctdb
%{_datadir}/ctdb/tests/onnode/stubs/onnode-buggy-001
%{_datadir}/ctdb/tests/onnode/stubs/ssh %{_datadir}/ctdb/tests/onnode/stubs/ssh
%dir %{_datadir}/ctdb/tests/scripts %dir %{_datadir}/ctdb/tests/scripts
@ -2829,6 +2890,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh %{_datadir}/ctdb/tests/simple/77_ctdb_db_recovery.sh
%{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh %{_datadir}/ctdb/tests/simple/78_ctdb_large_db_recovery.sh
%{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh %{_datadir}/ctdb/tests/simple/80_ctdb_traverse.sh
%{_datadir}/ctdb/tests/simple/81_tunnel_ring.sh
%{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh %{_datadir}/ctdb/tests/simple/99_daemons_shutdown.sh
%{_datadir}/ctdb/tests/simple/functions %{_datadir}/ctdb/tests/simple/functions
# This is a dangling symlink but needed for testing # This is a dangling symlink but needed for testing
@ -2875,6 +2937,7 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/takeover/lcp2.032.sh %{_datadir}/ctdb/tests/takeover/lcp2.032.sh
%{_datadir}/ctdb/tests/takeover/lcp2.033.sh %{_datadir}/ctdb/tests/takeover/lcp2.033.sh
%{_datadir}/ctdb/tests/takeover/lcp2.034.sh %{_datadir}/ctdb/tests/takeover/lcp2.034.sh
%{_datadir}/ctdb/tests/takeover/lcp2.035.sh
%{_datadir}/ctdb/tests/takeover/nondet.001.sh %{_datadir}/ctdb/tests/takeover/nondet.001.sh
%{_datadir}/ctdb/tests/takeover/nondet.002.sh %{_datadir}/ctdb/tests/takeover/nondet.002.sh
%{_datadir}/ctdb/tests/takeover/nondet.003.sh %{_datadir}/ctdb/tests/takeover/nondet.003.sh
@ -2939,11 +3002,9 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh %{_datadir}/ctdb/tests/tool/ctdb.disable.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh %{_datadir}/ctdb/tests/tool/ctdb.disable.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh %{_datadir}/ctdb/tests/tool/ctdb.disable.004.sh
%{_datadir}/ctdb/tests/tool/ctdb.disablemonitor.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh %{_datadir}/ctdb/tests/tool/ctdb.enable.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh %{_datadir}/ctdb/tests/tool/ctdb.enable.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh %{_datadir}/ctdb/tests/tool/ctdb.enable.003.sh
%{_datadir}/ctdb/tests/tool/ctdb.enablemonitor.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh %{_datadir}/ctdb/tests/tool/ctdb.getcapabilities.003.sh
@ -2953,7 +3014,6 @@ rm -rf %{buildroot}
%{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh %{_datadir}/ctdb/tests/tool/ctdb.getdbseqnum.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh %{_datadir}/ctdb/tests/tool/ctdb.getdbstatus.002.sh
%{_datadir}/ctdb/tests/tool/ctdb.getmonmode.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh %{_datadir}/ctdb/tests/tool/ctdb.getpid.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh %{_datadir}/ctdb/tests/tool/ctdb.getreclock.001.sh
%{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh %{_datadir}/ctdb/tests/tool/ctdb.getreclock.002.sh
@ -3057,20 +3117,49 @@ rm -rf %{buildroot}
%endif # with_clustering_support %endif # with_clustering_support
%changelog %changelog
* Sat Sep 22 2018 Daniel Berteaud <daniel@firewall-services.com> 4.7.1-9.100.dc * Thu Aug 09 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-4
- Rebuild with DC support - resolves: #1614132 - Fix delete-on-close after smb2_find
- resolves: #1614265 - Fix CVE-2018-1139
- resolves: #1614269 - Fix CVE-2018-10858
* Fri Jul 06 2018 Justin Stephenson <jstephen@redhat.com> - 4.8.3-3
- resolves: #1581016 - Add smbclient quiet argument
* Thu Jul 05 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-2
- related: #1538743 - Fix local user account lookup with winbind
* Wed Jun 27 2018 Andreas Schneider <asn@redhat.com> - 4.8.3-1
- related: #1558560 - Rebase to Samba version 4.8.3
- resolves: #1579398 - Add winbind localauth krb5 plugin
* Wed Jun 13 2018 Andreas Schneider <asn@redhat.com> - 4.8.2-2
- resolves: #1540457 - Fixed support for authenticaton on on way trusts
* Mon Jun 11 2018 Andreas Schneider <asn@redhat.com> - 4.8.2-1
- related: #1558560 - Rebase to newer Samba version
* Wed May 30 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-4
- resolves: #1582541 - Fix anonymous auth with SMB2/3
* Tue May 22 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-3
- resolves: #1575205 - Fix segfault when updating DNS with 'net ads join'
- resolves: #1525511 - Fix idmap_rid dependency on trusted domain list
* Wed May 16 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-2
- resolves: #1538743 - Fix UPN handling in winbind
* Wed Jul 04 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-9 * Fri Apr 27 2018 Andreas Schneider <asn@redhat.com> - 4.8.1-1
- related: #1581375 - Remove patch which doesn't fully work - related: #1558560 - Rebase to newer Samba version
- resolves: #1567896 - Fix possible crash if secrets db is emtpy
- resolves: #1570020 - Fix a crash in smbd when dfsgetinfo is called
* Mon May 28 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-8 * Thu Apr 12 2018 Andreas Schneider <asn@redhat.com> - 4.8.0-1
- resolves: #1582541 - Fix anyoumous and guest handling of SMB2/3 - resolves: #1558560 - Rebase to newer Samba version
- resolves: #1558943 - Fix winbind requests getting stuck on a child
- resolves: #1532618 - Fix segfault with NT1 connections in smbd
* Wed May 23 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-7 * Fri Mar 09 2018 Andreas Schneider <asn@redhat.com> - 4.7.1-7
- resolves: #1581369 - Fix segfault updating dns during 'net ads join' - resolves: #1552004 - Fix CVE-2018-1050
- resolves: #1581373 - Fix segfault during NT1 session setup
- resolves: #1581376 - Fix segfault in keytab handling
- resolves: #1581377 - Fix segfault in smbclient dfsgetinfo
* Wed Dec 20 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-6 * Wed Dec 20 2017 Andreas Schneider <asn@redhat.com> - 4.7.1-6
- resolves: #1476153 - Handle SMB echo responses more gracefully - resolves: #1476153 - Handle SMB echo responses more gracefully
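Review bot: the local entry `* Sat Sep 22 2018 Daniel Berteaud ... 4.7.1-9.100.dc - Rebuild with DC support` is deleted at the top of the changelog and nothing replaces it, so the newest entry is now the upstream `4.8.3-4` one and the changelog no longer records that this package is a downstream DC-enabled rebuild. Please add a new top entry for the rebased local release, with the local release suffix, that lists the downstream changes (DC support enabled, file list changes in this commit). The 4.7.1-8 and 4.7.1-9 entries also disappear and the 4.7.1-7 entry changes date and content; if that simply follows the upstream spec history, say so in the commit message.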
