Compare commits

No commits in common. 'synced/git-annex' and 'master' have entirely different histories.

  1. 1
      .gitattributes
  2. 1
      .gitignore
  3. 3
      .tito/packages/.readme
  4. 1
      .tito/packages/samba
  5. 1
      .tito/releasers.conf
  6. 6
      .tito/tito.props
  7. 20
      README.dc
  8. 29
      README.downgrade
  9. 1
      aa6/1f3/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz.log
  10. 2
      c51/926/SHA256E-s21097045--927afcc16e444718985e3952de92d34e7b776b9ca0238179d866da18a6441c35.tar.gz.log
  11. 1
      c51/926/SHA256E-s21097045--927afcc16e444718985e3952de92d34e7b776b9ca0238179d866da18a6441c35.tar.gz.log.web
  12. BIN
      gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
  13. 38
      pam_winbind.conf
  14. 38
      samba-4.10-fix_gencache_debug_message.patch
  15. 151
      samba-4.9-CVE-2019-3880.patch
  16. 280
      samba-4.9-add_smbc_setOptionProtocols.patch
  17. 252
      samba-4.9-disable_netbios.patch
  18. 37
      samba-4.9-doc_smbclient_max_protocol.patch
  19. 1094
      samba-4.9-fix_cups_printing.patch
  20. 40
      samba-4.9-fix_debug_segfault.patch
  21. 87
      samba-4.9-fix_force_group_panic.patch
  22. 544
      samba-4.9-fix_net_ads_join_admin_otherdomain.patch
  23. 56
      samba-4.9-fix_net_ads_krb5.patch
  24. 521
      samba-4.9-fix_smbspool_as_cups_backend.patch
  25. 33
      samba-4.9-fix_smbspool_krb5_auth.patch
  26. 2126
      samba-4.9-fix_testparm_crash.patch
  27. 39
      samba-4.9-fix_winbind_passdb_segfault.patch
  28. 402
      samba-4.9-harden_homes_share.patch
  29. 119
      samba-4.9-net_ads_leave_keep_account.patch
  30. 179
      samba-4.9-static_analysis_fixes.patch
  31. 117
      samba-4.9.0rc5-stack-protector.patch
  32. 6
      samba-4.9.1.tar.asc
  33. BIN
      samba-4.9.1.tar.xz
  34. 7
      samba.log
  35. 6
      samba.pamd
  36. 5521
      samba.spec
  37. 313
      smb.conf.example
  38. 37
      smb.conf.vendor
  39. 1
      uuid.log

1
.gitattributes vendored

@ -0,0 +1 @@
*.tar.xz filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored

@ -0,0 +1 @@
samba.spec.mod

@ -0,0 +1,3 @@
the .tito/packages directory contains metadata files
named after their packages. Each file has the latest tagged
version and the project's relative directory.

@ -0,0 +1 @@
4.9.1-106.dc ./

@ -0,0 +1 @@
../../tito_libs/releasers.conf

@ -0,0 +1,6 @@
[buildconfig]
builder = fws.builder.GitLfsBuilder
tagger = tito.tagger.ReleaseTagger
changelog_do_not_remove_cherrypick = 0
changelog_format = %s (%ae)
lib_dir = ../tito_libs

@ -0,0 +1,20 @@
MIT Kerberos 5 Support
=======================
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of
choice. The Samba build in Fedora is using MIT Kerberos implementation in order
to allow system-wide interoperability between both desktop and server
applications running on the same machine.
At the moment the Samba Active Directory Domain Controller implementation is
not available with MIT Kereberos. FreeIPA and Samba Team members are currently
working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux
distribution integration of Samba AD DC features.
We have just finished migrating the file server and all client utilities to MIT
Kerberos. The result of this work is available in samba-* packages in Fedora.
We'll provide Samba AD DC functionality as soon as its support of MIT Kerberos
KDC will be ready.
In case of further questions do not hesitate to send your inquiries to
samba-owner@fedoraproject.org

@ -0,0 +1,29 @@
Downgrading Samba
=================
Short version: data-preserving downgrades between Samba versions are not supported
Long version:
With Samba development there are cases when on-disk database format evolves.
In general, Samba Team attempts to maintain forward compatibility and
automatically upgrade databases during runtime when requires.
However, when downgrade is required Samba will not perform downgrade to
existing databases. It may be impossible if new features that caused database
upgrade are in use. Thus, one needs to consider a downgrade procedure before
actually downgrading Samba setup.
Please always perform back up prior both upgrading and downgrading across major
version changes. Restoring database files is easiest and simplest way to get to
previously working setup.
Easiest way to downgrade is to remove all created databases and start from scratch.
This means losing all authentication and domain relationship data, as well as
user databases (in case of tdb storage), printers, registry settings, and winbindd
caches.
Remove databases in following locations:
/var/lib/samba/*.tdb
/var/lib/samba/private/*.tdb
In particular, registry settings are known to prevent running downgraded versions
(Samba 4 to Samba 3) as registry format has changed between Samba 3 and Samba 4.

@ -1,2 +0,0 @@
1521556542.293351514s 1 00000000-0000-0000-0000-000000000001
1521556542.295925385s 1 e2299539-99e7-4f60-9098-872d514dc801

@ -1 +0,0 @@
1521556542.292001502s 1 https://download.samba.org/pub/samba/stable/samba-4.6.2.tar.gz

@ -0,0 +1,38 @@
#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#
[global]
# turn on debugging
;debug = no
# turn on extended PAM state debugging
;debug_state = no
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
;cached_login = no
# authenticate using kerberos
;krb5_auth = no
# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
;krb5_ccache_type =
# make successful authentication dependend on membership of one SID
# (can also take a name)
;require_membership_of =
# password expiry warning period in days
;warn_pwd_expire = 14
# omit pam conversations
;silent = no
# create homedirectory on the fly
;mkhomedir = no

@ -0,0 +1,38 @@
From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 13:58:14 +0100
Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/lib/gencache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index ab12fc1c531..9f4e1cfcaa3 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
- "[%s] (%d seconds %s)\n", keystr,
+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
+ "[%s] (%ld seconds %s)\n", keystr,
timestring(talloc_tos(), timeout),
- (int)(timeout - time(NULL)),
- timeout > time(NULL) ? "ahead" : "in the past"));
+ ((long int)timeout) - time(NULL),
+ timeout > time(NULL) ? "ahead" : "in the past");
ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
dbufs, 2, 0);
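Review bot: In the new `%ld` argument, `((long int)timeout) - time(NULL)` casts only the left operand, so the expression takes the wider of `long int` and the type of `time(NULL)`; where `time_t` is wider than `long` the argument no longer matches `%ld`. Cast both operands, `(long int)timeout - (long int)time(NULL)`, so the subtraction is done in `long int` as the commit message intends. The message also calls `time(NULL)` twice, so the printed seconds and the "ahead"/"in the past" label can disagree across a second boundary; reading the clock once into a local keeps them consistent.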
--
2.20.1

@ -0,0 +1,151 @@
From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 21 Mar 2019 14:51:30 -0700
Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
The were not using VFS backend calls and could only work
locally, and were unsafe against symlink races and other
security issues.
If the incoming handle is valid, return WERR_BAD_PATHNAME.
[MS-RRP] states "The format of the file name is implementation-specific"
so ensure we don't allow this.
As reported by Michael Hanselmann.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
1 file changed, 4 insertions(+), 88 deletions(-)
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index d9ee8d0602d..816c6bb2a12 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
}
/*******************************************************************
- ********************************************************************/
-
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
-{
- char *p = NULL;
- int num_services = lp_numservices();
- int snum = -1;
- const char *share_path = NULL;
- char *fname = *pp_fname;
-
- /* convert to a unix path, stripping the C:\ along the way */
-
- if (!(p = valid_share_pathname(ctx, fname))) {
- return -1;
- }
-
- /* has to exist within a valid file share */
-
- for (snum=0; snum<num_services; snum++) {
- if (!lp_snum_ok(snum) || lp_printable(snum)) {
- continue;
- }
-
- share_path = lp_path(talloc_tos(), snum);
-
- /* make sure we have a path (e.g. [homes] ) */
- if (strlen(share_path) == 0) {
- continue;
- }
-
- if (strncmp(share_path, p, strlen(share_path)) == 0) {
- break;
- }
- }
-
- *pp_fname = p;
- return (snum < num_services) ? snum : -1;
-}
-
-/*******************************************************************
_winreg_RestoreKey
********************************************************************/
@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
struct winreg_RestoreKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
- "\"%s\"\n", regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
- return WERR_BAD_PATHNAME;
-
- /* user must posses SeRestorePrivilege for this this proceed */
-
- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
- return WERR_ACCESS_DENIED;
- }
-
- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_restorekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
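Review bot: The stubbed `_winreg_RestoreKey` returns `WERR_BAD_PATHNAME` for every valid handle with no comment in the code and no log line, so a later reader sees an unexplained hard-coded error and an operator gets no trace of a client calling it. Add a short comment above `return WERR_BAD_PATHNAME;` saying the implementation was removed for CVE-2019-3880 and why, and consider a debug message naming the call. A request with a NULL `r->in.filename` used to get `WERR_INVALID_PARAMETER` and now gets `WERR_BAD_PATHNAME`; if that change is intended it belongs in the commit message.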
@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
struct winreg_SaveKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
- regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
- return WERR_BAD_PATHNAME;
-
- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_savekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
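Review bot: With `return reg_savekey(regkey, fname);` removed here and `return reg_restorekey(regkey, fname);` removed in the previous hunk, check whether either function has a caller left; if not, drop them in the same series so the file-handling code the commit message calls unsafe does not stay in the tree. `_winreg_SaveKey` is now identical to `_winreg_RestoreKey` apart from the request type, so it needs the same explanatory comment above `return WERR_BAD_PATHNAME;`.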
--
2.11.0

@ -0,0 +1,280 @@
From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 4 Sep 2018 15:48:03 +0200
Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
---
source3/include/libsmbclient.h | 19 ++-
source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
source3/libsmb/libsmb_setget.c | 18 +++
source3/libsmb/wscript | 2 +-
4 files changed, 222 insertions(+), 2 deletions(-)
create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index ca5c7f87f71..5e4a1715402 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
void
smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
-
+/**
+ * @brief Set the 'client min protocol' and the 'client max protocol'.
+ *
+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
+ * protocol' set in the smb.conf file!
+ *
+ * @param[in] c The smbc context to use.
+ *
+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @returns true for success, false otherwise
+ */
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
/*************************************
* Getters and setters for FUNCTIONS *
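Review bot: The doc comment for `smbc_setOptionProtocols` has a typo, `overrrides`, and does not say which strings `min_proto` and `max_proto` accept or what happens when the minimum is higher than the maximum. It also documents `c` as "The smbc context to use", while the implementation added in libsmb_setget.c never reads `c` and sets the values through `lp_set_cmdline()`; if the setting applies beyond the one context, say so here so callers do not assume per-context scope.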
diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
new file mode 100644
index 00000000000..b4245979c24
--- /dev/null
+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
@@ -0,0 +1,185 @@
+smbc_chmod: int (const char *, mode_t)
+smbc_close: int (int)
+smbc_closedir: int (int)
+smbc_creat: int (const char *, mode_t)
+smbc_fgetxattr: int (int, const char *, const void *, size_t)
+smbc_flistxattr: int (int, char *, size_t)
+smbc_free_context: int (SMBCCTX *, int)
+smbc_fremovexattr: int (int, const char *)
+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
+smbc_fstat: int (int, struct stat *)
+smbc_fstatvfs: int (int, struct statvfs *)
+smbc_ftruncate: int (int, off_t)
+smbc_getDebug: int (SMBCCTX *)
+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
+smbc_getNetbiosName: const char *(SMBCCTX *)
+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
+smbc_getOptionUserData: void *(SMBCCTX *)
+smbc_getPort: uint16_t (SMBCCTX *)
+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
+smbc_getTimeout: int (SMBCCTX *)
+smbc_getUser: const char *(SMBCCTX *)
+smbc_getWorkgroup: const char *(SMBCCTX *)
+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
+smbc_getxattr: int (const char *, const char *, const void *, size_t)
+smbc_init: int (smbc_get_auth_data_fn, int)
+smbc_init_context: SMBCCTX *(SMBCCTX *)
+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
+smbc_listxattr: int (const char *, char *, size_t)
+smbc_llistxattr: int (const char *, char *, size_t)
+smbc_lremovexattr: int (const char *, const char *)
+smbc_lseek: off_t (int, off_t, int)
+smbc_lseekdir: int (int, off_t)
+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_mkdir: int (const char *, mode_t)
+smbc_new_context: SMBCCTX *(void)
+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
+smbc_open: int (const char *, int, mode_t)
+smbc_open_print_job: int (const char *)
+smbc_opendir: int (const char *)
+smbc_option_get: void *(SMBCCTX *, char *)
+smbc_option_set: void (SMBCCTX *, char *, ...)
+smbc_print_file: int (const char *, const char *)
+smbc_read: ssize_t (int, void *, size_t)
+smbc_readdir: struct smbc_dirent *(unsigned int)
+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
+smbc_removexattr: int (const char *, const char *)
+smbc_rename: int (const char *, const char *)
+smbc_rmdir: int (const char *)
+smbc_setConfiguration: int (SMBCCTX *, const char *)
+smbc_setDebug: void (SMBCCTX *, int)
+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
+smbc_setNetbiosName: void (SMBCCTX *, const char *)
+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUserData: void (SMBCCTX *, void *)
+smbc_setPort: void (SMBCCTX *, uint16_t)
+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
+smbc_setTimeout: void (SMBCCTX *, int)
+smbc_setUser: void (SMBCCTX *, const char *)
+smbc_setWorkgroup: void (SMBCCTX *, const char *)
+smbc_set_context: SMBCCTX *(SMBCCTX *)
+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_stat: int (const char *, struct stat *)
+smbc_statvfs: int (char *, struct statvfs *)
+smbc_telldir: off_t (int)
+smbc_unlink: int (const char *)
+smbc_unlink_print_job: int (const char *, int)
+smbc_urldecode: int (char *, char *, size_t)
+smbc_urlencode: int (char *, char *, int)
+smbc_utime: int (const char *, struct utimbuf *)
+smbc_utimes: int (const char *, struct timeval *)
+smbc_version: const char *(void)
+smbc_write: ssize_t (int, const void *, size_t)
diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
index 60b822a395c..b1c4ff3b557 100644
--- a/source3/libsmb/libsmb_setget.c
+++ b/source3/libsmb/libsmb_setget.c
@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
}
}
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c,
+ const char *min_proto,
+ const char *max_proto)
+{
+ bool ok = true;
+
+ if (min_proto != NULL) {
+ ok = lp_set_cmdline("client min protocol", min_proto);
+ }
+
+ if (max_proto != NULL) {
+ ok &= lp_set_cmdline("client min protocol", max_proto);
+ }
+
+ return ok;
+}
+
/** Get the function for obtaining authentication data */
smbc_get_auth_data_fn
smbc_getFunctionAuthData(SMBCCTX *c)
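Review bot: The `max_proto` branch passes the wrong parameter name: `ok &= lp_set_cmdline("client min protocol", max_proto);` writes the maximum into 'client min protocol', so 'client max protocol' is never set and a caller passing both values ends up with the minimum overwritten by the intended maximum. It should read `lp_set_cmdline("client max protocol", max_proto)`. A caller relying on this function to bound the negotiated dialect range gets a different range than requested with `ok` still true, so a test that sets both values and reads them back is worth adding. The parameter `c` is unused; either use it or note in the header that it is ignored.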
diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
index 5482aea7d9c..298afc3c0e3 100644
--- a/source3/libsmb/wscript
+++ b/source3/libsmb/wscript
@@ -27,5 +27,5 @@ def build(bld):
public_headers='../include/libsmbclient.h',
abi_directory='ABI',
abi_match='smbc_*',
- vnum='0.4.0',
+ vnum='0.5.0',
pc_files='smbclient.pc')
--
2.19.2

@ -0,0 +1,252 @@
From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 3 Jan 2019 12:07:01 -0500
Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
for a port 139 connection in the low level socket connection code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
---
source3/libsmb/smbsock_connect.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index 9f915e1bb42..bb3cb07646c 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
if (port == NBT_SMB_PORT) {
+ if (lp_disable_netbios()) {
+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
+ return tevent_req_post(req, ev);
+ }
+
state->req_139 = nb_connect_send(state, state->ev, state->addr,
state->called_name,
state->called_type,
--
2.20.1
From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:40:33 -0500
Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
---
source3/libsmb/clidfs.c | 10 +++++++---
source3/libsmb/libsmb_server.c | 4 ++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 0dfb8b33606..4342a3b1d1b 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
flags, &c);
if (!NT_STATUS_IS_OK(status)) {
- d_printf("Connection to %s failed (Error %s)\n",
- server,
- nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
+ DBG_WARNING("Connection to %s failed (Error %s)\n",
+ server,
+ nt_errstr(status));
return status;
}
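Review bot: `DBG_ERR("NetBIOS support disabled, unable to connect");` has no trailing `\n`, unlike the `DBG_WARNING` that follows it and the same message in net_rpc.c later in this series, so the two messages run together in the log. The hunk also replaces `d_printf` with `DBG_WARNING`, which moves "Connection to %s failed" from normal program output to the debug log; a user running at a low debug level may no longer see why the connection failed. If that is intended, say so in the commit message; otherwise keep the `d_printf`.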
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 67dfcf72327..0067df48cac 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
}
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
errno = map_errno_from_nt_status(status);
return NULL;
}
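Review bot: The added `DBG_ERR("NetBIOS support disabled, unable to connect");` is again missing its trailing `\n`. The check also treats every `NT_STATUS_NOT_SUPPORTED` as "NetBIOS support disabled"; if the connect path can return that status for any other reason the message will mislead, so test `lp_disable_netbios()` as well before printing it.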
--
2.20.1
From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:57:59 -0500
Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
---
source3/libsmb/passchange.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 48ffba8036f..f60e3079975 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
SMB_SIGNING_IPC_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(result)) {
- if (asprintf(err_str, "Unable to connect to SMB server on "
- "machine %s. Error was : %s.\n",
- remote_machine, nt_errstr(result))==-1) {
- *err_str = NULL;
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. NetBIOS support disabled\n",
+ remote_machine) == -1) {
+ *err_str = NULL;
+ }
+ } else {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. Error was : %s.\n",
+ remote_machine, nt_errstr(result))==-1) {
+ *err_str = NULL;
+ }
}
return result;
}
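Review bot: The two branches duplicate the `asprintf` call and its `*err_str = NULL` fallback and differ only in the text after the machine name. Choosing the reason string first and calling `asprintf` once would keep the error handling in one place. The NetBIOS message also ends without the full stop the other message has, and it drops `nt_errstr(result)`, so the status is no longer visible in that case.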
--
2.20.1
From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 15:17:24 -0500
Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
---
source3/utils/net_rpc.c | 3 +++
source3/utils/net_time.c | 9 +++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 67fff2f4d1b..91ad90f9594 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
0, &cli);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect\n");
+ }
return false;
}
status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
index 0091fc86333..5e6cf2ea15d 100644
--- a/source3/utils/net_time.c
+++ b/source3/utils/net_time.c
@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
SMB_SIGNING_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(status)) {
- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
- host, nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
+ " Error %s\n", host, nt_errstr(status));
+ } else {
+ fprintf(stderr, "Can't contact server %s. Error %s\n",
+ host, nt_errstr(status));
+ }
goto done;
}
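Review bot: both new fprintf() format strings in cli_servertime() drop the _() gettext wrapper that the removed line had, so these messages are no longer translatable. Keep _("...") around each format string. The two branches differ only by the "NetBIOS support disabled," fragment, so a single fprintf() followed by an extra hint line in the NT_STATUS_NOT_SUPPORTED case would avoid duplicating the string.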
--
2.20.1
From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 14 Jan 2019 10:36:47 -0500
Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
smbsock_connect_send
If disable_netbios is set, return before the tevent timer is triggered
to prevent outgoing netbios connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
---
source3/libsmb/smbsock_connect.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index bb3cb07646c..be52b9a4f79 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(state->req_445, smbsock_connect_connected,
req);
+ /*
+ * Check for disable_netbios
+ */
+ if (lp_disable_netbios()) {
+ return req;
+ }
+
/*
* After 5 msecs, fire the 139 (NBT) request
*/
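Review bot: the comment added above the lp_disable_netbios() check only restates the condition. Say why the function returns at this point: the 445 request is already set up and the 139 (NBT) timer armed just below must not fire. Please also confirm in the commit message that the earlier part of smbsock_connect_send(), which this hunk does not show, cannot start a 139 connection when 'disable netbios' is set.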
--
2.20.1

@ -0,0 +1,37 @@
From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Mar 2019 14:39:11 +0100
Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
We default to SMB3 now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
---
docs-xml/manpages/smbclient.1.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
index e71a21a95e3..e25f7d3517b 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -261,9 +261,9 @@
<listitem><para>This allows the user to select the
highest SMB protocol level that smbclient will use to
connect to the server. By default this is set to
- NT1, which is the highest available SMB1 protocol.
- To connect using SMB2 or SMB3 protocol, use the
- strings SMB2 or SMB3 respectively. Note that to connect
+ highest available SMB3 protocol version.
+ To connect using SMB2 or SMB1 protocol, use the
+ strings SMB2 or NT1 respectively. Note that to connect
to a Windows 2012 server with encrypted transport selecting
a max-protocol of SMB3 is required.
</para></listitem>
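Review bot: the replacement text reads "By default this is set to highest available SMB3 protocol version", which is missing the article ("the highest available ..."). With SMB3 now the default, the unchanged closing sentence about Windows 2012 encrypted transport requiring a max-protocol of SMB3 describes the default rather than something the user has to select; consider rewording it as a warning about lowering the value.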
--
2.21.0

File diff suppressed because it is too large

@ -0,0 +1,40 @@
From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Nov 2018 14:32:29 +0100
Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initialization
This fixes a segfault in pyglue:
==10142== Process terminating with default action of signal 11 (SIGSEGV)
==10142== Bad permissions for mapped region at address 0x6F00A20
==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
---
lib/util/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/util/debug.c b/lib/util/debug.c
index d41e0f99c77..847ec1f0a0c 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
* This is to allow reading of DEBUGLEVEL_CLASS before the debug
* system has been initialized.
*/
-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
static size_t debug_num_classes = 0;
-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
+int *DEBUGLEVEL_CLASS = debug_class_list_initial;
/* -------------------------------------------------------------------------- **
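Review bot: with const removed from debug_class_list_initial, the comment above it still talks only about reading DEBUGLEVEL_CLASS before the debug system has been initialized. The trace in the commit message (bad permissions at py_set_debug_level) points to a store through this pointer, so the comment should say that early writes are allowed as well and what happens to values written here once the real class list is set up.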
--
2.19.1

@ -0,0 +1,87 @@
From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 18 Jan 2019 14:24:30 -0800
Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
existing share connection.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
smbd could crash if "force group" is added to a
share definition whilst an existing connection
to that share exists. In that case, don't change
the existing credentials for force group, only
do so for new connections.
Remove knownfail from regression test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
---
source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 9d5321cf4cc..ced2d450f8e 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
int snum;
gid_t gid;
uid_t uid;
+ const char *force_group_name;
char group_c;
int num_groups = 0;
gid_t *group_list = NULL;
@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
* See if we should force group for this service. If so this overrides
* any group set in the force user code.
*/
- if((group_c = *lp_force_group(talloc_tos(), snum))) {
+ force_group_name = lp_force_group(talloc_tos(), snum);
+ group_c = *force_group_name;
- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
+ /*
+ * This can happen if "force group" is added to a
+ * share definition whilst an existing connection
+ * to that share exists. In that case, don't change
+ * the existing credentials for force group, only
+ * do so for new connections.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
+ DBG_INFO("Not forcing group %s on existing connection to "
+ "share %s for SMB user %s (unix user %s)\n",
+ force_group_name,
+ lp_const_servicename(snum),
+ session_info->unix_info->sanitized_username,
+ session_info->unix_info->unix_name);
+ }
+
+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
+ /*
+ * Only force group for connections where
+ * conn->force_group_gid has already been set
+ * to the correct value (i.e. the connection
+ * happened after the 'force group' definition
+ * was added to the share definition. Connections
+ * that were made before force group was added
+ * should stay with their existing credentials.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
if (group_c == '+') {
int i;
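Review bot: the skip message in the first new block is DBG_INFO, yet it reports that a configured "force group" is not being applied to a live connection, which decides the group the share is accessed with. A level that appears in default logs would let an administrator see that existing sessions have to reconnect before the setting takes effect. The two new conditions test group_c != '\0' against complementary values of conn->force_group_gid, so the second if can be the else branch of the first. The diffstat says 2 files changed and the message mentions removing a knownfail entry, but only source3/smbd/uid.c appears in this patch.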
--
2.20.1.495.gaa96b0ce6b-goog

@ -0,0 +1,544 @@
From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 29 Mar 2019 11:34:53 +0100
Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
---
source3/libads/ldap.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 13846695bd4..110f74a2dbb 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
if (ret != 0) {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
- ldap_err2string(ret), ld_error));
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
SAFE_FREE(ld_error);
}
}
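Review bot: ld_error is initialised to NULL and passed straight to the %s in the new DBG_ERR() call in ads_print_error(); the return value of ldap_get_option() is not checked, so a NULL pointer reaches the formatter whenever no error string is available. Before this change that path ran only at debug level 10, now it runs on every LDAP failure. Print a fixed placeholder when ld_error is NULL.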
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
--
2.21.0
From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Mar 2019 16:45:39 +0100
Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
---
source3/libsmb/cliconnect.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 837299d9220..9a3d3c769f9 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+ DBG_INFO("Doing kinit for %s to access %s\n",
+ user_principal, target_hostname);
/*
* TODO: This should be done within the gensec layer
@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
*/
}
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
+ "Kerberos\n",
+ user_principal,
+ target_hostname);
+
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
+ target_hostname,
+ cli_credentials_get_principal(creds, talloc_tos()));
+
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
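Review bot: in cli_session_setup_spnego_send() the DBG_INFO() argument cli_credentials_get_principal(creds, talloc_tos()) is passed to %s without a NULL check, and the string it allocates stays on talloc_tos() until that frame is released. Fetch the principal into a local variable, log a placeholder if it is NULL, and TALLOC_FREE() it after the message.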
@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
+
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
uint8_t *bytes = NULL;
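Review bot: the new message in cli_session_setup_creds_send() reads "Connect to %s as %s using NTLM" but fills the first %s with domain, while the SPNEGO message added in the previous hunk puts target_hostname in the same position. Anyone correlating the two log lines will read the domain as a server name. Either log the host here too or word the message so it is clear the first value is the domain.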
--
2.21.0
From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:46:39 +0200
Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
A newline is missing but also use DBG_INFO macro and clean up spelling.
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
---
source3/libnet/libnet_join.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442..ddc00f7ad7c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
return WERR_NERR_DEFAULTJOINREQUIRED;
}
- DEBUG(5, ("failed to precreate account in ou %s: %s",
- r->in.account_ou, ads_errstr(ads_status)));
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
}
rpc_join:
--
2.21.0
From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Wed, 27 Mar 2019 17:51:04 +0100
Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
---
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index ab406a2c5be..8e49dcee5ea 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
}
+ if (DEBUGLEVEL >= 10) {
+ struct CHALLENGE_MESSAGE *challenge =
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
+ if (challenge != NULL) {
+ NTSTATUS status;
+ challenge->NegotiateFlags = chal_flags;
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
+ &in, challenge, challenge);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
+ challenge);
+ }
+ TALLOC_FREE(challenge);
+ }
+ }
+
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
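Review bot: when ntlmssp_pull_CHALLENGE_MESSAGE() fails inside the new DEBUGLEVEL >= 10 block, the dump is skipped without any message, so the person reading the log cannot tell whether the block ran. Add a one-line debug message with nt_errstr(status) in that case. The gate compares DEBUGLEVEL directly; CHECK_DEBUGLVL(10) would match how the rest of the debug macros decide whether to emit.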
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return nt_status;
}
+ if (DEBUGLEVEL >= 10) {
+ struct AUTHENTICATE_MESSAGE *authenticate =
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
+ if (authenticate != NULL) {
+ NTSTATUS status;
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
+ out, authenticate, authenticate);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
+ authenticate);
+ }
+ TALLOC_FREE(authenticate);
+ }
+ }
+
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
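Review bot: this block prints the complete AUTHENTICATE_MESSAGE, which carries the client's LM/NT challenge responses and the encrypted session key, into the log whenever DEBUGLEVEL >= 10. That serves the troubleshooting case in the commit message, but it is credential-derived material. Add a comment here saying so, and note in the documentation for high debug levels that such logs need restricted permissions and redaction before they are attached to bug reports.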
--
2.21.0
From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 15:59:10 +0200
Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
when using NTLM
If we want to authenticate using -Wadmin@otherdomain the DC should
take care of the authentication with the right DC for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
---
auth/credentials/credentials.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4663185c979..7ef58d0752c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
const char **username,
const char **domain)
{
- if (cred->principal_obtained > cred->username_obtained) {
+ if (cred->principal_obtained >= cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
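Review bot: changing > to >= in cli_credentials_get_ntlm_username_domain() alters the tie case for every caller of this public function, not only the join path: when principal and username were obtained at the same level, it now returns an empty domain and the principal as the username. The function has no comment explaining the tie-break. Add one that names the admin@otherdomain case from the commit message, and add a test for the equal-level case so the behaviour is pinned.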
--
2.21.0
From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:39:45 +0200
Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
---
source3/libnet/libnet_join.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index ddc00f7ad7c..e052306523d 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
/* The domain parameter is only used as modifier
- * to krb5.conf file name. .JOIN is is not a valid
+ * to krb5.conf file name. _JOIN_ is is not a valid
* NetBIOS name so it cannot clash with another domain
* -- Uri.
*/
- create_local_private_krb5_conf_for_domain(
- pre_connect_realm, ".JOIN", sitename, &ss);
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
+ "_JOIN_",
+ sitename,
+ &ss);
}
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
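Review bot: the comment line touched here still reads "_JOIN_ is is not a valid NetBIOS name" with the doubled "is", and the claim was written for ".JOIN". Please confirm it still holds for "_JOIN_" and state in the comment which property makes the name invalid, since the no-clash argument depends on it. The subject calls the new name more secure, but neither the message nor the comment says what was wrong with krb5.conf..JOIN; one sentence on that would help the next reader.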
--
2.21.0
From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:47:26 +0200
Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
---
source3/libads/kerberos.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e623f2456a8..360cdd741da 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
}
#endif
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin@otherdomain
+ */
file_contents =
talloc_asprintf(fname,
- "[libdefaults]\n\tdefault_realm = %s\n"
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
"%s"
- "\tdns_lookup_realm = false\n\n"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"%s\n",
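Review bot: the new comment says "KDCs which are not configured via DNS SRV records", which reads as if the KDCs lack SRV records; the intent appears to be that KDCs not listed in the generated file are looked up through DNS SRV records. Please reword it. Because "dns_lookup_kdc = true" is written into the format string unconditionally, every krb5.conf produced by create_local_private_krb5_conf_for_domain() now lets DNS answers select the KDC, not only the one used during 'net ads join', while dns_lookup_realm stays false. The commit message should say that this wider effect is intended.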
--
2.21.0
From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:40:03 +0200
Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
---
source3/libads/ldap.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 110f74a2dbb..e191ea792a8 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
goto done;
}
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ ads_msgfree(ads, res);
+ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ goto done;
+ }
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
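Review bot: the new early exit in ads_create_machine_acct() acts only on ADS_ERR_OK from ads_find_machine_acct(); every other result, including a search that failed for a reason other than the account being absent, falls through to the add. Distinguish the not-found case from real errors and return the latter. ads_msgfree(ads, res) is called before ret is examined, so res has to be initialised to NULL at its declaration, which this hunk does not show.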
@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
--
2.21.0
From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:14:06 +0200
Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
layer
Otherwise we could lose the information that a non-default domain name
has been used for admin creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
---
source3/libnet/libnet_join.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index e052306523d..fc7429e6a23 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
password = r->in.machine_password;
ccname = "MEMORY:libnet_join_machine_creds";
} else {
+ char *p = NULL;
+
username = r->in.admin_account;
+
+ p = strchr(r->in.admin_account, '@');
+ if (p == NULL) {
+ username = talloc_asprintf(mem_ctx, "%s@%s",
+ r->in.admin_account,
+ r->in.admin_domain);
+ }
+ if (username == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
password = r->in.admin_password;
/*
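Review bot: in the new else branch of libnet_join_connect_ads(), r->in.admin_domain is passed to talloc_asprintf() with "%s@%s" without a NULL or empty check, so an account name without '@' combined with a missing admin domain produces a malformed principal or hands NULL to %s. Guard that case and keep the bare account name. The username == NULL test sits outside the if (p == NULL) block; moving it inside makes it clear that it checks the allocation.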
--
2.21.0
From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:11 +0200
Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
connect fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
---
source3/libnet/libnet_join.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index fc7429e6a23..6d3fc1fe01f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to connect to AD: %s",
+ ads_errstr(ads_status));
return WERR_NERR_DEFAULTJOINREQUIRED;
}
--
2.21.0
From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:55 +0200
Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
libnet_join
When a non-DNS and non-default admin domain is provided during the join
sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case let's
fall back to NTLMSSP, like we do in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
---
source3/libnet/libnet_join.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 6d3fc1fe01f..b876d7ea89f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
my_ads->auth.user_name = SMB_STRDUP(user_name);
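Review bot: ADS_AUTH_ALLOW_NTLMSSP is OR-ed into my_ads->auth.flags on every call to libnet_connect_ads(), while the commit message motivates the fallback only for a non-DNS, non-default admin domain where kinit fails. As written, the fallback is permitted for all joins and this hunk adds no log message when it is taken. Restrict the flag to the case described, or at least log the fallback, so sites that expect Kerberos-only joins can detect it.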
--
2.21.0

@ -0,0 +1,56 @@
From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 11:26:11 -0500
Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
This affects net rpc getsid and net rpc changetrustpw commands.
This avoids an anonymous IPC connection being made when -k is used,
this only affects net rpc getsid and net rpc changetrustpw commands.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
---
source3/utils/net_rpc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index b99a036fca1..67fff2f4d1b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
{
+ int conn_flags = NET_FLAGS_PDC;
+
+ if (!c->opt_user_specified && !c->opt_kerberos) {
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
if (c->display_usage) {
d_printf( "%s\n"
"net rpc changetrustpw\n"
@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
}
return run_rpc_command(c, NULL, &ndr_table_netlogon,
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
+ conn_flags,
rpc_changetrustpw_internals,
argc, argv);
}
@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
{
int conn_flags = NET_FLAGS_PDC;
- if (!c->opt_user_specified) {
+ if (!c->opt_user_specified && !c->opt_kerberos) {
conn_flags |= NET_FLAGS_ANONYMOUS;
}
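Review bot: the condition !c->opt_user_specified && !c->opt_kerberos is now written out in both net_rpc_changetrustpw() and net_rpc_getsid(); a small static helper that returns the connection flags would keep the two commands from drifting apart. In net_rpc_changetrustpw() the flags are computed before the display_usage early return, which is harmless but could move below it. The patch carries no test showing that no anonymous IPC connection is made when -k is given.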
--
2.20.1

@ -0,0 +1,521 @@
From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:15:05 +0100
Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
---
source3/script/tests/test_smbspool.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
index d95ed064634..f28c0909334 100755
--- a/source3/script/tests/test_smbspool.sh
+++ b/source3/script/tests/test_smbspool.sh
@@ -99,8 +99,8 @@ test_vlp_verify()
fi
jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
- echo "failed to get jobid"
+ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
+ echo "Invalid jobid: $jobid"
echo "$out"
return 1
fi
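Review bot: the new condition in test_vlp_verify() is not a valid test expression: in [ $jobid -lt 100 || [ $jobid -gt 2000 ] the first bracket has no closing ] before the ||. It should read [ -z "$jobid" ] || [ "$jobid" -lt 100 ] || [ "$jobid" -gt 2000 ], with $jobid quoted so that a multi-word awk result does not break the comparison. The lower bound also changes from 1000 to 100 without a word in the commit message.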
--
2.20.1
From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 09:40:58 +0100
Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
smbspool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
---
source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
index dee3b4c54be..5c4da33238b 100644
--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
struct passwd *pwd;
char gen_cc[PATH_MAX] = {0};
struct stat sb;
- char *env;
+ char *env = NULL;
+ char auth_info_required[256] = {0};
+ char device_uri[4096] = {0};
uid_t uid = (uid_t)-1;
gid_t gid = (gid_t)-1;
unsigned long tmp;
int cmp;
int rc;
+ env = getenv("DEVICE_URI");
+ if (env != NULL && strlen(env) > 2) {
+ snprintf(device_uri, sizeof(device_uri), "%s", env);
+ }
+
/* Check if AuthInfoRequired is set to negotiate */
env = getenv("AUTH_INFO_REQUIRED");
/* If not set, then just call smbspool. */
- if (env == NULL) {
+ if (env == NULL || env[0] == 0) {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
"execute smbspool");
goto smbspool;
} else {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+ snprintf(auth_info_required,
+ sizeof(auth_info_required),
+ "%s",
+ env);
+
cmp = strcmp(env, "username,password");
if (cmp == 0) {
CUPS_SMB_DEBUG("Authenticate using username/password - "
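Review bot: DEVICE_URI is copied with snprintf() into device_uri[4096] and AUTH_INFO_REQUIRED into auth_info_required[256]; a longer value is truncated silently and later exported to smbspool as if it were intact. Compare the snprintf() return value with the buffer size and stop, or at least log through CUPS_SMB_DEBUG, on truncation. The strlen(env) > 2 test uses an unexplained constant; add a comment on what minimum it encodes.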
@@ -223,12 +235,18 @@ create_env:
#else
{
extern char **environ;
- environ = calloc(1, sizeof(*environ));
+ environ = calloc(3, sizeof(*environ));
}
#endif
CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
setenv("KRB5CCNAME", gen_cc, 1);
+ if (device_uri[0] != '\0') {
+ setenv("DEVICE_URI", device_uri, 1);
+ }
+ if (auth_info_required[0] != '\0') {
+ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
+ }
smbspool:
snprintf(smbspool_cmd,
--
2.20.1
From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 Jan 2019 09:21:24 +0100
Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
by cups
This should not switch to username,password if cups has been configured
to use negotiate (Kerberos authentication).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
---
source3/client/smbspool.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 389e4ea553f..3dbf6be014b 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -60,7 +60,7 @@
* Local functions...
*/
-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
+static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
static void list_devices(void);
static struct cli_state *smb_complete_connection(const char *, const char *,
int, const char *, const char *, const char *, const char *, int, bool *need_auth);
@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *);
static bool smb_encrypt;
#endif
+static const char *auth_info_required;
+
/*
* 'main()' - Main entry for SMB backend.
*/
@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
}
}
+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ if (auth_info_required == NULL) {
+ auth_info_required = "none";
+ }
+
cmp = strncmp(dev_uri, "smb://", 6);
if (cmp != 0) {
fprintf(stderr,
@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */
server = uri + 6;
}
+ if (password != empty_str) {
+ auth_info_required = "username,password";
+ }
+
tmp = server;
if ((sep = strchr_m(tmp, '/')) == NULL) {
@@ -352,8 +363,7 @@ done:
static int
get_exit_code(struct cli_state * cli,
- NTSTATUS nt_status,
- bool use_kerberos)
+ NTSTATUS nt_status)
{
int i;
@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
}
if (cli) {
- if (use_kerberos)
- fputs("ATTR: auth-info-required=negotiate\n", stderr);
- else
- fputs("ATTR: auth-info-required=username,password\n", stderr);
+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
}
/*
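Review bot: the "ATTR: auth-info-required=%s" line in get_exit_code() now prints auth_info_required, which main() takes verbatim from getenv("AUTH_INFO_REQUIRED") in an earlier hunk. CUPS reads these stderr lines, so an unexpected value, or one containing a newline, is passed through as a printer attribute. Accept only the values this file itself uses ("none", "negotiate", "username,password") and fall back to "none" for anything else.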
@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
}
if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+ auth_info_required = "negotiate";
use_kerberos = true;
}
@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+ if (get_exit_code(cli, nt_status) == 2) {
*need_auth = true;
}
@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
nt_errstr(nt_status));
- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+ if (get_exit_code(cli, nt_status) == 2) {
*need_auth = true;
}
@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s opening remote spool %s\n",
nt_errstr(nt_status), title);
- return get_exit_code(cli, nt_status, false);
+ return get_exit_code(cli, nt_status);
}
/*
@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
tbytes, nbytes, NULL);
if (!NT_STATUS_IS_OK(status)) {
- int ret = get_exit_code(cli, status, false);
+ int ret = get_exit_code(cli, status);
fprintf(stderr, "ERROR: Error writing spool: %s\n",
nt_errstr(status));
fprintf(stderr, "DEBUG: Returning status %d...\n",
@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s closing remote spool %s\n",
nt_errstr(nt_status), title);
- return get_exit_code(cli, nt_status, false);
+ return get_exit_code(cli, nt_status);
} else {
return (0);
}
--
2.20.1
From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:09:14 +0100
Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
We can't be sure we can write to the input buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
---
source3/client/smbspool.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 3dbf6be014b..94c7ea368a2 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
int, const char *, const char *, const char *, const char *, int, bool *need_auth);
static struct cli_state *smb_connect(const char *, const char *, int, const
char *, const char *, const char *, const char *, bool *need_auth);
-static int smb_print(struct cli_state *, char *, FILE *);
+static int smb_print(struct cli_state *, const char *, FILE *);
static char *uri_unescape_alloc(const char *);
#if 0
static bool smb_encrypt;
@@ -655,7 +655,7 @@ kerberos_auth:
static int /* O - 0 = success, non-0 = failure */
smb_print(struct cli_state * cli, /* I - SMB connection */
- char *title, /* I - Title/job name */
+ const char *print_title, /* I - Title/job name */
FILE * fp)
{ /* I - File to print */
uint16_t fnum; /* File number */
@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
tbytes; /* Total bytes read */
char buffer[8192], /* Buffer for copy */
*ptr; /* Pointer into title */
+ char title[1024] = {0};
+ int len;
NTSTATUS nt_status;
/*
- * Sanitize the title...
- */
+ * Sanitize the title...
+ */
+ len = snprintf(title, sizeof(title), "%s", print_title);
+ if (len != strlen(print_title)) {
+ return 2;
+ }
for (ptr = title; *ptr; ptr++) {
if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
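Review bot: The truncation check in smb_print() cannot fire. snprintf() with "%s" returns the length the output would have had, which always equals strlen(print_title), so `len != strlen(print_title)` only catches a negative return, and a title longer than 1023 bytes is silently cut. Test `len < 0 || (size_t)len >= sizeof(title)` instead, which also removes the int versus size_t comparison. The failure path returns 2 without printing an ERROR line, and 2 is the value the callers of get_exit_code() treat as "authentication needed"; a distinct code and a message would make the failure diagnosable.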
--
2.20.1
From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 11:40:30 +0100
Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
If we are executed as a CUPS backend, argv[0] is set to the device uri.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
---
source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
1 file changed, 96 insertions(+), 24 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 94c7ea368a2..97d00bdd011 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */
char empty_str[] = "";
int tries = 0;
bool need_auth = true;
- const char *dev_uri;
+ const char *dev_uri = NULL;
+ const char *env = NULL;
const char *config_file = NULL;
TALLOC_CTX *frame = talloc_stackframe();
- bool device_uri_cmdline = false;
+ const char *print_user = NULL;
+ const char *print_title = NULL;
const char *print_file = NULL;
const char *print_copies = NULL;
int cmp;
@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */
}
/*
- * If we have 6 arguments find out if we have the device_uri from the
- * command line or the print data
+ * Find out if we have the device_uri in the command line.
+ *
+ * If we are started as a CUPS backend argv[0] is normally the
+ * device_uri!
*/
- if (argc == 7) {
- cmp = strncmp(argv[1], "smb://", 6);
- if (cmp == 0) {
- device_uri_cmdline = true;
+ if (argc == 8) {
+ /*
+ * smbspool <uri> <job> <user> <title> <copies> <options> <file>
+ * 0 1 2 3 4 5 6 7
+ */
+
+ dev_uri = argv[1];
+
+ print_user = argv[3];
+ print_title = argv[4];
+ print_copies = argv[5];
+ print_file = argv[7];
+ } else if (argc == 7) {
+ int cmp1;
+ int cmp2;
+
+ /*
+ * <uri> <job> <user> <title> <copies> <options> <file>
+ * smbspool <uri> <job> <user> <title> <copies> <options>
+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
+ */
+ cmp1 = strncmp(argv[0], "smb://", 6);
+ cmp2 = strncmp(argv[1], "smb://", 6);
+
+ if (cmp1 == 0) {
+ /*
+ * <uri> <job> <user> <title> <copies> <options> <file>
+ * 0 1 2 3 4 5 6
+ */
+ dev_uri = argv[0];
+
+ print_user = argv[2];
+ print_title = argv[3];
+ print_copies = argv[4];
+ print_file = argv[6];
+ } else if (cmp2 == 0) {
+ /*
+ * smbspool <uri> <job> <user> <title> <copies> <options>
+ * 0 1 2 3 4 5 6
+ */
+ dev_uri = argv[1];
+
+ print_user = argv[3];
+ print_title = argv[4];
+ print_copies = argv[5];
+ print_file = NULL;
} else {
+ /*
+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
+ * 0 1 2 3 4 5 6
+ */
+ print_user = argv[2];
+ print_title = argv[3];
print_copies = argv[4];
print_file = argv[6];
}
- } else if (argc == 8) {
- device_uri_cmdline = true;
- print_copies = argv[5];
- print_file = argv[7];
+ } else if (argc == 6) {
+ /*
+ * <uri> <job> <user> <title> <copies> <options>
+ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
+ * 0 1 2 3 4 5
+ */
+ cmp = strncmp(argv[0], "smb://", 6);
+ if (cmp == 0) {
+ dev_uri = argv[0];
+ }
+
+ print_user = argv[2];
+ print_title = argv[3];
+ print_copies = argv[4];
}
if (print_file != NULL) {
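Review bot: print_user and print_title are initialized to NULL and only assigned in the argc == 6, 7 and 8 branches of main(), yet they are later passed to smb_connect() and smb_print(), and smb_print() calls strlen() on the title. The hunk does not show the argument-count check, so confirm it rejects every other count, or add an explicit NULL check after this block. The layout comments are helpful; it would also be worth stating that the 7-argument case is disambiguated purely by whether argv[0] or argv[1] begins with "smb://".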
@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */
/*
* Find the URI ...
*/
- if (device_uri_cmdline) {
- dev_uri = argv[1];
- } else {
- dev_uri = getenv("DEVICE_URI");
- if (dev_uri == NULL || strlen(dev_uri) == 0) {
- dev_uri = "";
+ if (dev_uri == NULL) {
+ env = getenv("DEVICE_URI");
+ if (env != NULL && env[0] != '\0') {
+ dev_uri = env;
}
}
- auth_info_required = getenv("AUTH_INFO_REQUIRED");
- if (auth_info_required == NULL) {
- auth_info_required = "none";
+ if (dev_uri == NULL) {
+ fprintf(stderr,
+ "ERROR: No valid device URI has been specified\n");
+ goto done;
}
cmp = strncmp(dev_uri, "smb://", 6);
@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */
goto done;
}
+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ if (auth_info_required == NULL) {
+ auth_info_required = "none";
+ }
+
/*
* Extract the destination from the URI...
*/
@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */
load_interfaces();
do {
- cli = smb_connect(workgroup, server, port, printer,
- username, password, argv[3], &need_auth);
+ cli = smb_connect(workgroup,
+ server,
+ port,
+ printer,
+ username,
+ password,
+ print_user,
+ &need_auth);
if (cli == NULL) {
if (need_auth) {
exit(2);
@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */
*/
for (i = 0; i < copies; i++) {
- status = smb_print(cli, argv[4] /* title */ , fp);
+ status = smb_print(cli, print_title, fp);
if (status != 0) {
break;
}
--
2.20.1

@ -0,0 +1,33 @@
From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 9 May 2019 16:18:51 +0200
Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
credentials
This is a regression which has been introduced with Samba 4.8.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
---
source3/client/smbspool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 97d00bdd011..c404b3a3f69 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
* behavior with 3.0.14a
*/
- if (username != NULL && username[0] != '\0') {
+ if (username == NULL || username[0] == '\0') {
if (kerberos_ccache_is_valid()) {
goto kerberos_auth;
}
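Review bot: The inverted condition in smb_connect() arrives with no test, although the commit message describes a regression that has been present since Samba 4.8. A case that runs smbspool with an empty username and a valid credential cache would keep the condition from being flipped again. The comment above the check should also state the rule it now implements: the ccache is tried only when no username was supplied.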
--
2.21.0

File diff suppressed because it is too large.

@ -0,0 +1,39 @@
From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Oct 2018 19:45:58 +0100
Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
See https://retrace.fedoraproject.org/faf/reports/1577174/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
---
source3/winbindd/winbindd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 254d93b344d..a8ffc31778c 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
if (!NT_STATUS_IS_OK(status)) {
exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
}
- initialize_password_db(true, server_event_context());
+
+ ok = initialize_password_db(true, server_event_context());
+ if (!ok) {
+ exit_daemon("Failed to initialize passdb backend! "
+ "Check the 'passdb backend' variable in your "
+ "smb.conf file.", EINVAL);
+ }
/*
* Do not initialize the parent-child-pipe before becoming
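Review bot: `ok` is assigned in main() but no declaration appears in this hunk, and the seven insertions in the diffstat are all accounted for by the lines shown, so the patch depends on a `bool ok` that already exists earlier in main(). Confirm that holds on the 4.9 branch this is cherry-picked onto.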
--
2.19.1

@ -0,0 +1,402 @@
From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 15 Nov 2018 16:06:49 +0100
Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
---
selftest/target/Samba3.pm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 438cb3409bb..373f8152ca3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
my ($gid_force_user);
my ($uid_user1);
my ($uid_user2);
+ my ($uid_gooduser);
+ my ($uid_eviluser);
- if ($unix_uid < 0xffff - 10) {
+ if ($unix_uid < 0xffff - 12) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
$uid_smbget = $max_uid - 8;
$uid_user1 = $max_uid - 9;
$uid_user2 = $max_uid - 10;
+ $uid_gooduser = $max_uid - 11;
+ $uid_eviluser = $max_uid - 12;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
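Review bot: The eviluser passwd entry has an empty home-directory field while gooduser uses $prefix_abs, and nothing in the patch says the difference is deliberate. Add a comment next to the $uid_eviluser assignment explaining that the empty home directory is the condition under test, so a later cleanup does not "fix" it.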
@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
--
2.19.2
From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 16 Nov 2018 15:40:59 +0100
Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
share
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a test for CVE-2009-2813.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
---
selftest/target/Samba3.pm | 4 ++
source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
3 files changed, 104 insertions(+)
create mode 100755 source3/script/tests/test_homes.sh
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 373f8152ca3..2031003210c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -921,6 +921,10 @@ sub setup_fileserver
comment = inherit only unix owner
inherit owner = unix only
acl_xattr:ignore system acls = yes
+[homes]
+ comment = Home directories
+ browseable = No
+ read only = No
";
my $vars = $self->provision($path, "WORKGROUP",
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
new file mode 100755
index 00000000000..06de0a0c301
--- /dev/null
+++ b/source3/script/tests/test_homes.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Copyright (c) Andreas Schneider <asn@samba.org>
+# License: GPLv3
+
+if [ $# -lt 7 ]; then
+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
+ exit 1
+fi
+
+SERVER="${1}"
+USERNAME="${2}"
+PASSWORD="${3}"
+LOCAL_PATH="${4}"
+PREFIX="${5}"
+SMBCLIENT="${6}"
+CONFIGURATION="${7}"
+shift 7
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+test_gooduser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=gooduser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo "failed to connect error $ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'Try "help" to get a list of possible commands.'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: Try "help" to get a list of possible commands.'
+ return 1
+ fi
+
+ return 0
+}
+
+test_eviluser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=eviluser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
+testit "test gooduser home" \
+ test_gooduser_home || \
+ failed=`expr $failed + 1`
+
+testit "test eviluser home reject" \
+ test_eviluser_home || \
+ failed=`expr $failed + 1`
+
+testok $0 $failed
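Review bot: In test_gooduser_home and test_eviluser_home, `eval echo "$cmd"` writes the fully expanded command, including `-U$USERNAME%$PASSWORD`, into the test output, and `out=$(eval $cmd)` re-parses the unquoted SERVER, PASSWORD and CONFIGURATION values as shell text. Quote the expansions inside cmd or invoke $SMBCLIENT directly without eval, and mask the password in the echoed line. Each function also overwrites the script-wide USERNAME, and the two bodies differ only in the user name and the expected result, so one helper taking those as arguments would do.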
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 09cd5159a0d..4aef7a4d596 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -290,6 +290,7 @@ for env in ["fileserver"]:
plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
#
# tar command tests
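Review bot: The '$USERNAME' and '$LOCAL_PATH' arguments passed to test_homes.sh here are never used by the script as added: each test function overwrites USERNAME with a fixed name, and LOCAL_PATH is assigned but not read. Drop them from the plantestsuite call and from the script's usage line, or use them.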
--
2.19.2
From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Nov 2018 18:23:24 +0100
Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If "/" (root) is returned as the home directory, prevent exporting it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
---
source3/param/service.c | 6 +++++-
source3/smbd/password.c | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/source3/param/service.c b/source3/param/service.c
index b21be6093d4..22f46f08894 100644
--- a/source3/param/service.c
+++ b/source3/param/service.c
@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
phome_dir?phome_dir:"(NULL)"));
- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
+ if (!strequal(phome_dir, "/")) {
+ iService = add_home_service(*p_service_out,
+ *p_service_out, /* username */
+ phome_dir);
+ }
}
/* If we still don't have a service, attempt to add it as a printer. */
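Review bot: The new `!strequal(phome_dir, "/")` test in find_service() matches only the literal string "/", so a home directory written as "//" or "/." still reaches add_home_service() and exports the root. Normalize the path before comparing. The service is also skipped silently here, while the matching check added to register_homes_share() logs a DBG_NOTICE; a shared helper would keep the two call sites consistent in both the test and the logging.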
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index f472bda2c70..0576d2563eb 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
return -1;
}
+ if (strequal(pwd->pw_dir, "/")) {
+ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
+ username);
+ TALLOC_FREE(pwd);
+ return -1;
+ }
+
DEBUG(3, ("Adding homes service for user '%s' using home directory: "
"'%s'\n", username, pwd->pw_dir));
--
2.19.2
From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Dec 2018 11:05:46 +0100
Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
as home dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
---
selftest/target/Samba3.pm | 6 ++++-
source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2031003210c..583396b3818 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
my ($uid_user2);
my ($uid_gooduser);
my ($uid_eviluser);
+ my ($uid_slashuser);
- if ($unix_uid < 0xffff - 12) {
+ if ($unix_uid < 0xffff - 13) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
$uid_user2 = $max_uid - 10;
$uid_gooduser = $max_uid - 11;
$uid_eviluser = $max_uid - 12;
+ $uid_slashuser = $max_uid - 13;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
index 06de0a0c301..90e84550dbc 100755
--- a/source3/script/tests/test_homes.sh
+++ b/source3/script/tests/test_homes.sh
@@ -88,6 +88,39 @@ EOF
return 0
}
+test_slashuser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=slashuser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
testit "test gooduser home" \
test_gooduser_home || \
failed=`expr $failed + 1`
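Review bot: test_slashuser_home is a line-for-line copy of test_eviluser_home apart from the user name and the temporary file name. Replace both with one function that takes the user name as its argument, so the rejection check (exit status 1 plus NT_STATUS_BAD_NETWORK_NAME) lives in one place.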
@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
test_eviluser_home || \
failed=`expr $failed + 1`
+testit "test slashuser home reject" \
+ test_slashuser_home || \
+ failed=`expr $failed + 1`
+
testok $0 $failed
--
2.19.2

@ -0,0 +1,119 @@
From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 27 Jun 2018 11:32:31 -0400
Subject: [PATCH] s3:libads: Add net ads leave keep-account option
Add the ability to leave the domain with --keep-account argument to avoid
removal of the host machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
---
docs-xml/manpages/net.8.xml | 9 ++++++++-
source3/libnet/libnet_join.c | 2 ++
source3/utils/net.c | 3 ++-
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 9 +++++++--
5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3154ee5ff85..d2bcd24c502 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -377,6 +377,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>--keep-account</term>
+ <listitem><para>Prevent the machine account removal as
+ part of "net ads leave".
+ </para></listitem>
+ </varlistentry>
+
&stdarg.encrypt;
&popt.common.samba.client;
@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
</refsect2>
<refsect2>
-<title>ADS LEAVE</title>
+<title>ADS LEAVE [--keep-account]</title>
<para>Make the remote host leave the domain it is part of. </para>
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a9405e8d288..27fc5135442 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
return ntstatus_to_werror(status);
}
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
+ r->in.domain_name);
r->out.disabled_machine_account = true;
}
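Review bot: The result of talloc_strdup() assigned to r->out.dns_domain_name in libnet_DomainUnjoin() is not checked. Return an out-of-memory error when it is NULL, as callers that read dns_domain_name after a successful unjoin would otherwise see a NULL pointer alongside a success status.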
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 759d8cd442b..b3bd4b67118 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -970,8 +970,9 @@ static struct functable net_func[] = {
{"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
/* Options for 'net registry import' */
{"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
- /* Options for 'net ads join' */
+ /* Options for 'net ads join or leave' */
{"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
POPT_COMMON_SAMBA
{ 0, 0, 0, 0}
};
diff --git a/source3/utils/net.h b/source3/utils/net.h
index d6dfeb6208f..5e70fd3aafa 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -85,6 +85,7 @@ struct net_context {
int opt_wipe;
const char *opt_precheck;
int opt_no_dns_updates;
+ int opt_keep_account;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ffa67d8f525..afe47dad839 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
if (c->display_usage) {
d_printf( "%s\n"
- "net ads leave\n"
+ "net ads leave [--keep-account]\n"
" %s\n",
_("Usage:"),
_("Leave an AD domain"));
@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
- r->in.delete_machine_account = true;
+ if (c->opt_keep_account) {
+ r->in.delete_machine_account = false;
+ } else {
+ r->in.delete_machine_account = true;
+ }
+
r->in.msg_ctx = c->msg_ctx;
werr = libnet_Unjoin(ctx, r);
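Review bot: With --keep-account, r->in.unjoin_flags in net_ads_leave() still includes WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE, which the comment directly above says really means "disable", so the flags still request that the account be disabled even though it is not deleted. The man page text added in this patch only says removal is prevented; it should state what happens to the account's enabled state. The if/else can also be written as `r->in.delete_machine_account = !c->opt_keep_account;`.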
--
2.17.1

@ -0,0 +1,179 @@
From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:09:23 +0100
Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
---
source3/rpcclient/cmd_netlogon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 8d62ef7e095..631740562c6 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
WERROR werr = WERR_OK;
uint32_t flags = DS_RETURN_DNS_NAME;
const char *server_name = cli->desthost;
- const char *domain_name;
+ const char *domain_name = NULL;
struct GUID domain_guid = GUID_zero();
struct GUID site_guid = GUID_zero();
struct netr_DsRGetDCNameInfo *info = NULL;
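Review bot: Initializing domain_name to NULL in cmd_netlogon_dsr_getdcname() silences the cppcheck warning, but the call the commit message names, dcerpc_netr_DsRGetDCName(), now receives NULL instead of an indeterminate pointer when no domain is given on the command line. Confirm NULL is an accepted value for that parameter, or reject the missing argument before the call.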
--
2.19.2
From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:13:51 +0100
Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
---
librpc/ndr/ndr_backupkey.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
index 827bc694230..adb6e393287 100644
--- a/librpc/ndr/ndr_backupkey.c
+++ b/librpc/ndr/ndr_backupkey.c
@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
ndr->flags |= LIBNDR_PRINT_SET_VALUES;
}
if (flags & NDR_IN) {
- union bkrp_data_in_blob inblob;
+ union bkrp_data_in_blob inblob = {
+ .empty._empty_ = '\0',
+ };
DATA_BLOB blob;
uint32_t level;
enum ndr_err_code ndr_err;
--
2.19.2
From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:16:06 +0100
Subject: [PATCH 3/5] libgpo: Make sure status is initialized
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
---
libgpo/gpo_ldap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index fec00053b49..f087203f28a 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
const char *guid_name,
struct GROUP_POLICY_OBJECT *gpo)
{
- ADS_STATUS status;
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
LDAPMessage *res = NULL;
char *dn;
const char *filter;
--
2.19.2
From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:17:37 +0100
Subject: [PATCH 4/5] lib:util Always initialize start and space
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
---
lib/util/talloc_report.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
index 63213a014b6..bed0fd91e43 100644
--- a/lib/util/talloc_report.c
+++ b/lib/util/talloc_report.c
@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
const char *fmt, va_list ap)
{
ssize_t str_len = *pstr_len;
- size_t buflen, needed, space;
- char *start, *tmpbuf;
+ size_t buflen, needed, space = 0;
+ char *start = NULL, *tmpbuf = NULL;
va_list ap2;
int printlen;
@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
if (buflen > str_len) {
start = buf + str_len;
space = buflen - str_len;
- } else {
- start = NULL;
- space = 0;
}
va_copy(ap2, ap);
--
2.19.2
From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:21:15 +0100
Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
---
ctdb/common/logging.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index dc8c4f75058..55e5d541735 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
{
int i;
- for (i=0; ARRAY_SIZE(log_string_map); i++) {
+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
if (log_string_map[i].log_level == log_level) {
return log_string_map[i].log_string;
}
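Review bot: the corrected loop condition compares the int i with ARRAY_SIZE(log_string_map); if that macro is the usual sizeof-based one, the comparison mixes signed and unsigned operands. Declaring i as size_t would avoid the implicit conversion. The commit message could also state that the old condition was a constant, so the loop walked past the end of the table whenever log_level was not found.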
--
2.19.2

@ -0,0 +1,117 @@
From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:35:08 +0200
Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
The -fstack-protector* flags are compiler only flags, don't pass them to
the linker.
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
---
buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index c4391d0c4dc..bfd6f9710db 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
return
# we need to build real code that can't be optimized away to test
- if conf.check(fragment='''
- #include <stdio.h>
-
- int main(void)
- {
- char t[100000];
- while (fgets(t, sizeof(t), stdin));
- return 0;
- }
- ''',
- execute=0,
- ccflags='-fstack-protector',
- ldflags='-fstack-protector',
- mandatory=False,
- msg='Checking if toolchain accepts -fstack-protector'):
- conf.ADD_CFLAGS('-fstack-protector')
- conf.ADD_LDFLAGS('-fstack-protector')
+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
+ for stack_protect_flag in stack_protect_list:
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
+ mandatory=False,
+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
+ if flag_supported:
+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
+ break
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
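Review bot: the probe's ccflags now combine -Werror, -Wp,-D_FORTIFY_SOURCE=2 and the stack-protector flag, so any warning caused by the fortify define fails the check for both candidates and the build ends up with no stack protector at all, without any message beyond the failed check. Probe _FORTIFY_SOURCE separately, or test only stack_protect_flag here. Adding the define is also not mentioned in the commit message, whose subject spells the flag -fstack-protect-strong instead of -fstack-protector-strong.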
--
2.18.0
From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:49:52 +0200
Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
---
buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index bfd6f9710db..f2b3ec8db8d 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
break
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-fstack-clash-protection'],
+ mandatory=False,
+ msg='Checking if compiler accepts -fstack-clash-protection')
+ if flag_supported:
+ conf.ADD_CFLAGS('-fstack-clash-protection')
+
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
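Review bot: the added conf.check call carries a second copy of the C test fragment already used in the stack-protector loop just above it. Holding the fragment in one local variable and passing it to both conf.check calls would keep the two probes from drifting apart. The commit message gives only a URL; one sentence on what -fstack-clash-protection guards against would help later readers.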
--
2.18.0

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iFwEABECABwFAluomosVHHNhbWJhLWJ1Z3NAc2FtYmEub3JnAAoJEG8zkVtlaLfq
Ef0AoLUiZNu1bqD0YjbzI8KCisfwPF/2AKDGrFuyL4ds6Ege/OiUbg7krCXrOg==
=2NTz
-----END PGP SIGNATURE-----

BIN
samba-4.9.1.tar.xz (Stored with Git LFS)

Binary file not shown.

@ -0,0 +1,7 @@
/var/log/samba/* {
notifempty
olddir /var/log/samba/old
missingok
sharedscripts
copytruncate
}
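Review bot: sharedscripts has no effect in this block because there is no prerotate or postrotate script for it to apply to; either drop it or add the script it was meant for. The block also sets no rotate count or frequency, so retention depends entirely on the global logrotate defaults, which is worth stating in a comment.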

@ -0,0 +1,6 @@
#%PAM-1.0
auth required pam_nologin.so
auth include password-auth
account include password-auth
session include password-auth
password include password-auth

File diff suppressed because it is too large

@ -0,0 +1,313 @@
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Samba Wiki contains a lot of step-by-step guides installing, configuring,
# and using Samba:
# https://wiki.samba.org/index.php/User_Documentation
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# NOTE: Run the "testparm" command after modifying this file to check for basic
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow a Samba PDC to use the
# useradd and groupadd family of binaries. Run the following command as the
# root user to turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================
[global]
# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname,
# maximum is 15 characters.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
workgroup = MYGROUP
server string = Samba Server Version %v
; netbios name = MYSERVER
; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
; hosts allow = 127. 192.168.12. 192.168.13.
# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".
#
# log files split per-machine:
log file = /var/log/samba/log.%m
# maximum size of 50KB per log file, then rotate:
max log size = 50
# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
security = user
passdb backend = tdbsam
# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.
; security = domain
; passdb backend = tdbsam
; realm = MY_REALM
; password server = <NT-Server-Name>
# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
; security = user
; passdb backend = tdbsam
; domain master = yes
; domain logons = yes
# the following login script name is determined by the machine name
# (%m):
; logon script = %m.bat
# the following login script name is determined by the UNIX user used:
; logon script = %u.bat
; logon path = \\%L\Profiles\%u
# use an empty path to disable profile support:
; logon path =
# various scripts can be used on a domain controller or a stand-alone
# machine to add or delete corresponding UNIX accounts:
; add user script = /usr/sbin/useradd "%u" -n -g users
; add group script = /usr/sbin/groupadd "%g"
; add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
; delete user script = /usr/sbin/userdel "%u"
; delete user from group script = /usr/sbin/userdel "%u" "%g"
; delete group script = /usr/sbin/groupdel "%g"
# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
; local master = no
; os level = 33
; preferred master = yes
#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#
load printers = yes
cups options = raw
; printcap name = /etc/printcap
# obtain a list of printers automatically on UNIX System V systems:
; printcap name = lpstat
; printing = cups
# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons:
; [netlogon]
; comment = Network Logon Service
; path = /var/lib/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roaming profile share.
# The default is to use the user's home directory:
; [Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):
; [public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = +staff
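Review bot: the commented "delete user from group script" line calls /usr/sbin/userdel "%u" "%g", and userdel is the account-removal tool, not a group-membership one; a command such as gpasswd -d "%u" "%g" fits what the option name describes. The [Profiles] example also sets guest ok = yes on the roaming-profile share, which should be no in a template people copy, and the load printers comment has the typo "when set you yes".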

@ -0,0 +1,37 @@
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
printing = cups
printcap name = cups
load printers = yes
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @printadmin root
force group = @printadmin
create mask = 0664
directory mask = 0775
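Review bot: [printers] sets path = /var/tmp, a directory shared with everything else on the host, while smb.conf.example in this same change uses /var/spool/samba. Pointing the vendor default at a dedicated spool directory would keep print jobs out of a world-writable location; create mask = 0600 limits who can read the spool files but not where they land.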

@ -1 +0,0 @@
e2299539-99e7-4f60-9098-872d514dc801 dani@germaine.lapiole.org:~/big/e-smith/files/users/dani/src/samba timestamp=1521556525.952488263s