Compare commits

33 Commits

Author SHA1 Message Date
Daniel Berteaud 3754826b45 Automatic commit of package [samba] minor release [4.9.1-106.dc]. 5 years ago
Daniel Berteaud ae71481e78 Automatic commit of package [samba] minor release [4.9.1-100.dc.beta4]. 5 years ago
Daniel Berteaud 91d65eadf9 Some more files missing in python-tests 5 years ago
Daniel Berteaud 9a497398a9 Automatic commit of package [samba] minor release [4.9.1-100.dc.beta3]. 5 years ago
Daniel Berteaud 592fee89d7 Include missing python files when built with dc 5 years ago
Daniel Berteaud 26ccb20581 Automatic commit of package [samba] minor release [4.9.1-100.dc.beta2]. 5 years ago
Daniel Berteaud 25318d536f samba_gpupdate is not built 5 years ago
Daniel Berteaud 634a9034e8 Automatic commit of package [samba] minor release [4.9.1-100.dc.beta1]. 5 years ago
Daniel Berteaud 1a3b9aab72 DC support needs gpgme 5 years ago
Daniel Berteaud a296282399 Automatic commit of package [samba] minor release [4.9.1-100.dc.beta0]. 5 years ago
Daniel Berteaud 4e2cf31532 Rebase on 4.9.1 from el 7.7 5 years ago
Daniel Berteaud 58a4cc823d Automatic commit of package [samba] minor release [4.8.3-106.1.dc]. 6 years ago
Daniel Berteaud af484ce6df Automatic commit of package [samba] minor release [4.8.3-105.2.beta0]. 6 years ago
Daniel Berteaud 9b5afea116 Fix date in changelog 6 years ago
Daniel Berteaud 91af4edcf1 Fixes in spec file 6 years ago
Daniel Berteaud d182168261 Automatic commit of package [samba] minor release [4.8.3-105.1.dc.beta1]. 6 years ago
Daniel Berteaud e1ee10b9a4 Automatic commit of package [samba] minor release [4.8.3-105.1.dc]. 6 years ago
Daniel Berteaud ad30453459 Rebase on 4.8.3-6 6 years ago
Daniel Berteaud c5fc5a4d90 Automatic commit of package [samba] minor release [4.8.3-106.dc]. 6 years ago
Daniel Berteaud 057b39d713 Automatic commit of package [samba] minor release [4.8.3-105.dc.beta1]. 6 years ago
Daniel Berteaud 57f9f00226 Automatic commit of package [samba] minor release [4.8.3-101.dc]. 6 years ago
Daniel Berteaud 71072a6b1a Automatic commit of package [samba] minor release [4.8.3-101.dc.beta0]. 6 years ago
Daniel Berteaud 7d70f10cf4 Enable JSON logging support 6 years ago
Daniel Berteaud 6e51999e0c Automatic commit of package [samba] minor release [4.8.3-100.dc]. 6 years ago
Daniel Berteaud e4c6aee1db Don't include libs which are not built, and include those which are 6 years ago
Daniel Berteaud a3d2851754 Rebase on 4.8.3 6 years ago
Daniel Berteaud b7dd157cc6 Switch to GitLfsBuilder 6 years ago
Daniel Berteaud 478a50617f Automatic commit of package [samba] minor release [4.7.1-9.101.dc]. 6 years ago
Daniel Berteaud c7709b773d Remove python2-samba Requires as it's not built 6 years ago
Daniel Berteaud c0d756f257 Automatic commit of package [samba] minor release [4.7.1-9.100.dc]. 6 years ago
Daniel Berteaud 39022edfdb Create needed bind-dns dir 6 years ago
Daniel Berteaud a668c9883c Automatic commit of package [samba] minor release [4.7.1-9.99.dc.beta1]. 6 years ago
Daniel Berteaud 1ea2856acd Rebase on 4.7.1-9 6 years ago
  1. .gitattributes (1)
  2. .tito/packages/samba (2)
  3. .tito/tito.props (2)
  4. CVE-2017-14746.patch (63)
  5. CVE-2017-15275.patch (45)
  6. samba-4.10-fix_gencache_debug_message.patch (38)
  7. samba-4.7-fix_aesni_intel_support.patch (72)
  8. samba-4.7-fix_samba_with_systemd.patch (313)
  9. samba-4.7-fix_smb2_client_read_after_free.patch (47)
  10. samba-4.7-fix_smbclient_volume.patch (165)
  11. samba-4.7-handle_smb_echo_gracefully.patch (66)
  12. samba-4.7-net_ads_keytab_list.patch (84)
  13. samba-4.7.1.tar.asc (6)
  14. samba-4.7.1.tar.xz (1)
  15. samba-4.9-CVE-2019-3880.patch (151)
  16. samba-4.9-add_smbc_setOptionProtocols.patch (280)
  17. samba-4.9-disable_netbios.patch (252)
  18. samba-4.9-doc_smbclient_max_protocol.patch (37)
  19. samba-4.9-fix_cups_printing.patch (1094)
  20. samba-4.9-fix_debug_segfault.patch (40)
  21. samba-4.9-fix_force_group_panic.patch (87)
  22. samba-4.9-fix_net_ads_join_admin_otherdomain.patch (544)
  23. samba-4.9-fix_net_ads_krb5.patch (56)
  24. samba-4.9-fix_smbspool_as_cups_backend.patch (521)
  25. samba-4.9-fix_smbspool_krb5_auth.patch (33)
  26. samba-4.9-fix_testparm_crash.patch (2126)
  27. samba-4.9-fix_winbind_passdb_segfault.patch (39)
  28. samba-4.9-harden_homes_share.patch (402)
  29. samba-4.9-net_ads_leave_keep_account.patch (119)
  30. samba-4.9-static_analysis_fixes.patch (179)
  31. samba-4.9.0rc5-stack-protector.patch (117)
  32. samba-4.9.1.tar.asc (6)
  33. samba-4.9.1.tar.xz (BIN)
  34. samba.spec (730)

1
.gitattributes vendored

@ -0,0 +1 @@
*.tar.xz filter=lfs diff=lfs merge=lfs -text

@ -1 +1 @@
4.7.1-100 ./
4.9.1-106.dc ./

@ -1,5 +1,5 @@
[buildconfig]
builder = tito.builder.GitAnnexBuilder
builder = fws.builder.GitLfsBuilder
tagger = tito.tagger.ReleaseTagger
changelog_do_not_remove_cherrypick = 0
changelog_format = %s (%ae)

@ -1,63 +0,0 @@
From 5b2d738fb3e5d40590261702a8e7564a5b0e46d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 19 Sep 2017 16:11:33 -0700
Subject: [PATCH] s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyihan@360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/process.c | 7 ++++---
source3/smbd/reply.c | 5 +++++
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index b65ae2c1b1c..9b2b0a669a2 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
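Review bot: In smb_request_done(), when smb1srv_tcon_lookup() fails for next->tid the else branch leaves next->conn = NULL, and nothing visible here stops the chained request from being dispatched; confirm that every handler reached through next checks conn before dereferencing it, or fail the chain at this point. The added empty line after the lookup call is unrelated whitespace and can be dropped from a security fix.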
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078249b..81acedf0413 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
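Review bot: The reset req->tid = 0 after TALLOC_FREE(tcon) in reply_tcon_and_X() assumes 0 is never a valid tree id, and the comment does not say so. The companion change in process.c reads next->tid from SVAL(req->outbuf, smb_tid) rather than from req->tid, so the comment should name which later lookup this reset is meant to protect.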
--
2.14.2.920.gcf0c67979c-goog

@ -1,45 +0,0 @@
From 6dd87a82a733184df3a6f09e020f6a3c2b365ca2 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
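Review bot: The two new return -1 paths in message_push_string() (buf_size + result < buf_size and grow_size < result) exit silently and before *outbuf = tmp, unlike the srvstr_push failure just above, which logs at DEBUG(0). Add a debug message to both, and check whether tmp may already be a reallocated buffer at that point (the allocation is not visible in this hunk), in which case the caller would be left holding a stale *outbuf. The wrap-around test also only works if buf_size and result are unsigned, which is worth a one-line comment.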
--
2.14.2.920.gcf0c67979c-goog

@ -0,0 +1,38 @@
From cbea69c909bfe4aed541d1b4ffc2f859642f4000 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 17 Jan 2019 13:58:14 +0100
Subject: [PATCH] s3:lib: Fix the debug message for adding cache entries.
To get correct values, we need to cast 'timeout' to 'long int' first in
order to do calculation in that integer space! Calculations are don in
the space of the lvalue!
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/lib/gencache.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/lib/gencache.c b/source3/lib/gencache.c
index ab12fc1c531..9f4e1cfcaa3 100644
--- a/source3/lib/gencache.c
+++ b/source3/lib/gencache.c
@@ -294,11 +294,11 @@ bool gencache_set_data_blob(const char *keystr, DATA_BLOB blob,
dbufs[0] = (TDB_DATA) { .dptr = (uint8_t *)hdr, .dsize = hdr_len };
dbufs[1] = (TDB_DATA) { .dptr = blob.data, .dsize = blob.length };
- DEBUG(10, ("Adding cache entry with key=[%s] and timeout="
- "[%s] (%d seconds %s)\n", keystr,
+ DBG_DEBUG("Adding cache entry with key=[%s] and timeout="
+ "[%s] (%ld seconds %s)\n", keystr,
timestring(talloc_tos(), timeout),
- (int)(timeout - time(NULL)),
- timeout > time(NULL) ? "ahead" : "in the past"));
+ ((long int)timeout) - time(NULL),
+ timeout > time(NULL) ? "ahead" : "in the past");
ret = tdb_storev(cache_notrans->tdb, string_term_tdb_data(keystr),
dbufs, 2, 0);
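Review bot: In gencache_set_data_blob() the %ld argument is ((long int)timeout) - time(NULL), whose type is still decided by time_t: where time_t is wider than long the difference is not a long and no longer matches the format. Cast the result instead, as in (long int)(timeout - time(NULL)), or print through intmax_t with %jd. The switch from DEBUG(10, ...) to DBG_DEBUG is not mentioned in the commit message.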
--
2.20.1

@ -1,72 +0,0 @@
From db7947e144d10c15468991cad50315b70f2609d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= <bb@sernet.de>
Date: Mon, 4 Dec 2017 10:49:19 +0100
Subject: [PATCH 1/2] third_party: Link th aesni-intel library with -z
noexecstack
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13174
Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 3 +++
1 file changed, 3 insertions(+)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index eb92d6626fe..0ccd9eb1e5b 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -12,6 +12,8 @@ def configure(conf):
raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
else:
raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
+ raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
@@ -20,4 +22,5 @@ def build(bld):
bld.SAMBA_LIBRARY('aesni-intel',
source='aesni-intel_asm.c',
cflags='-Wp,-E,-lang-asm',
+ ldflags='-Wl,-z,noexecstack',
private_library=True)
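Review bot: The ldflags='-Wl,-z,noexecstack' line in build() has no comment saying why this one library needs the flag. A short comment pointing at the bug referenced in the commit message (bugzilla 13174) would keep it from being dropped in a later cleanup of the wscript.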
--
2.15.0
From ded56e00f81614e128301d75e38e4b692a712cc4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 4 Dec 2017 11:00:10 +0100
Subject: [PATCH 2/2] third_party: Fix a typo in the option name
Signed-off-by: Andreas Schneider <asn@samba.org>
---
third_party/aesni-intel/wscript | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/third_party/aesni-intel/wscript b/third_party/aesni-intel/wscript
index 0ccd9eb1e5b..f0723a52501 100644
--- a/third_party/aesni-intel/wscript
+++ b/third_party/aesni-intel/wscript
@@ -9,11 +9,11 @@ def configure(conf):
print("Compiling with Intel AES instructions")
conf.DEFINE('HAVE_AESNI_INTEL', 1)
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and non x86_64 CPU')
+ raise Utils.WafError('--accel-aes=intelaesni selected and non x86_64 CPU')
else:
- raise Utils.WafError('--aes-accel=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
+ raise Utils.WafError('--accel-aes=intelaesni selected and compiler rejects -Wp,-E,-lang-asm')
if not conf.CHECK_LDFLAGS('-Wl,-z,noexecstack'):
- raise Utils.WafError('--aes-accel=intelaesni selected and linker rejects -z noexecstack')
+ raise Utils.WafError('--accel-aes=intelaesni selected and linker rejects -z noexecstack')
def build(bld):
if not bld.CONFIG_SET('HAVE_AESNI_INTEL'):
--
2.15.0

@ -1,313 +0,0 @@
From e696afd2d810fef403c6e5d35a44cc0f22128310 Mon Sep 17 00:00:00 2001
From: Gary Lockyer <gary@catalyst.net.nz>
Date: Mon, 21 Aug 2017 15:12:04 +1200
Subject: [PATCH 1/4] s4/smbd: set the process group.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Set the process group in the samba daemon, the --no-process-group option
allows this to be disabled. The no-process-group option needs to be
disabled in self test.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Sep 18 04:39:50 CEST 2017 on sn-devel-144
---
selftest/target/Samba4.pm | 2 +-
source4/smbd/server.c | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 772f982cb9d..6a1856ef642 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -158,7 +158,7 @@ sub check_or_start($$$)
close($env_vars->{STDIN_PIPE});
open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
- exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+ exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--no-process-group", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
}
$env_vars->{SAMBA_PID} = $pid;
print "DONE ($pid)\n";
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index a8bad06bed3..ba520e0a8f5 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -341,6 +341,7 @@ static int binary_smbd_main(const char *binary_name,
{
bool opt_daemon = false;
bool opt_interactive = false;
+ bool opt_no_process_group = false;
int opt;
poptContext pc;
#define _MODULE_PROTO(init) extern NTSTATUS init(TALLOC_CTX *);
@@ -356,7 +357,8 @@ static int binary_smbd_main(const char *binary_name,
OPT_DAEMON = 1000,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
- OPT_SHOW_BUILD
+ OPT_SHOW_BUILD,
+ OPT_NO_PROCESS_GROUP,
};
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -371,6 +373,8 @@ static int binary_smbd_main(const char *binary_name,
"till autotermination", "seconds"},
{"show-build", 'b', POPT_ARG_NONE, NULL, OPT_SHOW_BUILD,
"show build info", NULL },
+ {"no-process-group", '\0', POPT_ARG_NONE, NULL,
+ OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
POPT_COMMON_SAMBA
POPT_COMMON_VERSION
{ NULL }
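Review bot: The new no-process-group entry in long_options[] has six initialisers, while the show-build entry directly above ends with an explicit NULL for the seventh field. The missing member is zero-initialised, so this works, but add the trailing NULL to match the rest of the table.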
@@ -393,6 +397,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_SHOW_BUILD:
show_build();
break;
+ case OPT_NO_PROCESS_GROUP:
+ opt_no_process_group = true;
+ break;
default:
fprintf(stderr, "\nInvalid option %s: %s\n\n",
poptBadOption(pc, 0), poptStrerror(opt));
@@ -508,6 +515,15 @@ static int binary_smbd_main(const char *binary_name,
stdin_event_flags = 0;
}
+#if HAVE_SETPGID
+ /*
+ * If we're interactive we want to set our own process group for
+ * signal management, unless --no-process-group specified.
+ */
+ if (opt_interactive && !opt_no_process_group)
+ setpgid((pid_t)0, (pid_t)0);
+#endif
+
/* catch EOF on stdin */
#ifdef SIGTTIN
signal(SIGTTIN, SIG_IGN);
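Review bot: The return value of setpgid((pid_t)0, (pid_t)0) in binary_smbd_main() is ignored, so a failure to create the process group goes unnoticed; log it at least. The if also has no braces around its single statement, and the block is guarded with #if HAVE_SETPGID while the signal code right below uses #ifdef.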
--
2.15.0
From 1e3f38e58d52c7424831855c8db63c391e0b4b75 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 Nov 2017 10:00:52 +0100
Subject: [PATCH 2/4] s4:samba: Do not segfault if we run into issues
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bfafabfb942668328401a3c89fc55b50dc56c209)
---
source4/smbd/server.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index ba520e0a8f5..406f79593b9 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -100,8 +100,16 @@ static void cleanup_tmp_files(struct loadparm_context *lp_ctx)
{
char *path;
TALLOC_CTX *mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ exit_daemon("Failed to create memory context",
+ ENOMEM);
+ }
path = smbd_tmp_path(mem_ctx, lp_ctx, NULL);
+ if (path == NULL) {
+ exit_daemon("Failed to cleanup temporary files",
+ EINVAL);
+ }
recursive_delete(path);
talloc_free(mem_ctx);
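Review bot: In cleanup_tmp_files(), a NULL from smbd_tmp_path() now ends the daemon through exit_daemon(..., EINVAL) with the message "Failed to cleanup temporary files". That turns a housekeeping step into a fatal error, and the message does not say that building the path is what failed; consider a message naming smbd_tmp_path, and ENOMEM if allocation is the only way it returns NULL.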
--
2.15.0
From b7d08eda158ba540dc7ca8755a6a8fdf34e52501 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:18:18 +0100
Subject: [PATCH 3/4] s4:samba: Allow samba daemon to run in foreground
We are passing the no_process_group to become_daemon() that setsid() is
not called. In case we are double forking, we run in SysV daemon mode,
setsid() should be called!
See:
https://www.freedesktop.org/software/systemd/man/daemon.html
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8736013dc42c5755b75bbb2e843a290bcd545909)
---
source3/smbd/server.c | 2 +-
source4/smbd/server.c | 13 ++++++++++---
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 181bcd1e123..252b43190d7 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1592,7 +1592,7 @@ extern void build_options(bool screen);
struct poptOption long_options[] = {
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON, "Become a daemon (default)" },
- {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon)"},
+ {"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE, "Run interactive (not a daemon) and log to stdout"},
{"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FORK, "Run daemon in foreground (for daemontools, etc.)" },
{"no-process-group", '\0', POPT_ARG_NONE, NULL, OPT_NO_PROCESS_GROUP, "Don't create a new process group" },
{"log-stdout", 'S', POPT_ARG_NONE, NULL, OPT_LOG_STDOUT, "Log to stdout" },
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 406f79593b9..2349d5c7fa0 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -348,6 +348,7 @@ static int binary_smbd_main(const char *binary_name,
const char *argv[])
{
bool opt_daemon = false;
+ bool opt_fork = true;
bool opt_interactive = false;
bool opt_no_process_group = false;
int opt;
@@ -363,6 +364,7 @@ static int binary_smbd_main(const char *binary_name,
struct stat st;
enum {
OPT_DAEMON = 1000,
+ OPT_FOREGROUND,
OPT_INTERACTIVE,
OPT_PROCESS_MODEL,
OPT_SHOW_BUILD,
@@ -372,6 +374,8 @@ static int binary_smbd_main(const char *binary_name,
POPT_AUTOHELP
{"daemon", 'D', POPT_ARG_NONE, NULL, OPT_DAEMON,
"Become a daemon (default)", NULL },
+ {"foreground", 'F', POPT_ARG_NONE, NULL, OPT_FOREGROUND,
+ "Run the daemon in foreground", NULL },
{"interactive", 'i', POPT_ARG_NONE, NULL, OPT_INTERACTIVE,
"Run interactive (not a daemon)", NULL},
{"model", 'M', POPT_ARG_STRING, NULL, OPT_PROCESS_MODEL,
@@ -396,6 +400,9 @@ static int binary_smbd_main(const char *binary_name,
case OPT_DAEMON:
opt_daemon = true;
break;
+ case OPT_FOREGROUND:
+ opt_fork = false;
+ break;
case OPT_INTERACTIVE:
opt_interactive = true;
break;
@@ -422,7 +429,7 @@ static int binary_smbd_main(const char *binary_name,
"not allowed together with -D|--daemon\n\n");
poptPrintUsage(pc, stderr, 0);
return 1;
- } else if (!opt_interactive) {
+ } else if (!opt_interactive && !opt_fork) {
/* default is --daemon */
opt_daemon = true;
}
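Review bot: The new condition else if (!opt_interactive && !opt_fork) does not match its comment "default is --daemon". opt_fork is initialised to true and only OPT_FOREGROUND clears it, so with no options on the command line this branch is skipped and opt_daemon stays false, while -F alone sets it. If daemon mode is meant to remain the default, the test wants to be independent of opt_fork, or the comment needs to describe the new behaviour.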
@@ -458,8 +465,8 @@ static int binary_smbd_main(const char *binary_name,
}
if (opt_daemon) {
- DEBUG(3,("Becoming a daemon.\n"));
- become_daemon(true, false, false);
+ DBG_NOTICE("Becoming a daemon.\n");
+ become_daemon(opt_fork, opt_no_process_group, false);
}
/* Create the memory context to hang everything off. */
--
2.15.0
From 90588e8d08dcf38d97249eb39d87c5eb36f1fcd3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 10 Nov 2017 09:32:27 +0100
Subject: [PATCH 4/4] systemd: Start processes in forground and without a
process group
We should not double fork in notify mode or systemd think something
during startup will be wrong and send SIGTERM to the process. So
sometimes the daemon will not start up correctly.
systemd will also handle the process group.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13129
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8b6f58194da7e849cdb9d20712dff49b17a93a77)
---
packaging/systemd/nmb.service | 2 +-
packaging/systemd/samba.service | 2 +-
packaging/systemd/smb.service | 2 +-
packaging/systemd/winbind.service | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
index 992c0cd9d2b..71c93d6088b 100644
--- a/packaging/systemd/nmb.service
+++ b/packaging/systemd/nmb.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/nmbd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
+ExecStart=/usr/sbin/nmbd --foreground --no-process-group $NMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
index 824f89c2030..1b64c3b779d 100644
--- a/packaging/systemd/samba.service
+++ b/packaging/systemd/samba.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/samba $SAMBAOPTIONS
+ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
[Install]
diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
index 6053a5caaa5..adf6684c7d9 100644
--- a/packaging/systemd/smb.service
+++ b/packaging/systemd/smb.service
@@ -8,7 +8,7 @@ NotifyAccess=all
PIDFile=/run/smbd.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/smbd $SMBDOPTIONS
+ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
index c511488166e..46b3797251d 100644
--- a/packaging/systemd/winbind.service
+++ b/packaging/systemd/winbind.service
@@ -7,7 +7,7 @@ Type=notify
NotifyAccess=all
PIDFile=/run/winbindd.pid
EnvironmentFile=-/etc/sysconfig/samba
-ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
+ExecStart=/usr/sbin/winbindd --foreground --no-process-group "$WINBINDOPTIONS"
ExecReload=/usr/bin/kill -HUP $MAINPID
LimitCORE=infinity
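Review bot: winbind.service passes its options as a quoted "$WINBINDOPTIONS", while nmb.service, samba.service and smb.service in the same patch pass $NMBDOPTIONS, $SAMBAOPTIONS and $SMBDOPTIONS unquoted. Now that fixed flags precede the variable, make the four ExecStart lines consistent or note why winbind differs. All four units also keep PIDFile= although the daemons are now started with --foreground; check that it is still wanted.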
--
2.15.0

@ -1,47 +0,0 @@
From a751c29e4ff3fbdf573252b791775fd805cd7759 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 29 Nov 2017 09:21:30 -0800
Subject: [PATCH] s3: libsmb: Fix valgrind read-after-free error in
cli_smb2_close_fnum_recv().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
cli_smb2_close_fnum_recv() uses tevent_req_simple_recv_ntstatus(req), which
frees req, then uses the state pointer which was owned by req.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13171
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 30 05:47:12 CET 2017 on sn-devel-144
(cherry picked from commit 5c8032b6b8ce4439b3ef8f43a62a419f081eb787)
---
source3/libsmb/cli_smb2_fnum.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index 5d46d543002..237e6bb2b54 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -449,8 +449,12 @@ NTSTATUS cli_smb2_close_fnum_recv(struct tevent_req *req)
{
struct cli_smb2_close_fnum_state *state = tevent_req_data(
req, struct cli_smb2_close_fnum_state);
- NTSTATUS status = tevent_req_simple_recv_ntstatus(req);
- state->cli->raw_status = status;
+ NTSTATUS status = NT_STATUS_OK;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ state->cli->raw_status = status;
+ }
+ tevent_req_received(req);
return status;
}
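Review bot: In cli_smb2_close_fnum_recv(), state->cli->raw_status is now written only when tevent_req_is_nterror() reports an error. The removed code stored the status unconditionally, so on success raw_status keeps whatever an earlier call left there. Set it to NT_STATUS_OK on the success path as well, before tevent_req_received(req).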
--
2.15.0.531.g2ccb3012c9-goog

@ -1,165 +0,0 @@
From b428a334105a28f55b784d284e865b3c42f1f96d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 14 Nov 2017 13:52:03 -0800
Subject: [PATCH] s3: libsmb: smbc_statvfs is missing the supporting SMB2
calls.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13138
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit eefc7a27155b70d027b1193187dd435267d863ea)
---
source3/libsmb/cli_smb2_fnum.c | 97 ++++++++++++++++++++++++++++++++++++++++++
source3/libsmb/cli_smb2_fnum.h | 6 +++
source3/libsmb/clifsinfo.c | 9 ++++
3 files changed, 112 insertions(+)
diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
index a478c41f068..89cb1f479d5 100644
--- a/source3/libsmb/cli_smb2_fnum.c
+++ b/source3/libsmb/cli_smb2_fnum.c
@@ -1992,6 +1992,103 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli, const char *path,
return status;
}
+/***************************************************************
+ Wrapper that allows SMB2 to query file system sizes.
+ Synchronous only.
+***************************************************************/
+
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector)
+{
+ NTSTATUS status;
+ uint16_t fnum = 0xffff;
+ DATA_BLOB outbuf = data_blob_null;
+ struct smb2_hnd *ph = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (smbXcli_conn_has_async_calls(cli->conn)) {
+ /*
+ * Can't use sync call while an async call is in flight
+ */
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto fail;
+ }
+
+ /* First open the top level directory. */
+ status =
+ cli_smb2_create_fnum(cli, "", 0, /* create_flags */
+ FILE_READ_ATTRIBUTES, /* desired_access */
+ FILE_ATTRIBUTE_DIRECTORY, /* file attributes */
+ FILE_SHARE_READ | FILE_SHARE_WRITE |
+ FILE_SHARE_DELETE, /* share_access */
+ FILE_OPEN, /* create_disposition */
+ FILE_DIRECTORY_FILE, /* create_options */
+ &fnum,
+ NULL);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ status = map_fnum_to_smb2_handle(cli, fnum, &ph);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ /* getinfo on the returned handle with info_type SMB2_GETINFO_FS (2),
+ level 7 (SMB_FS_FULL_SIZE_INFORMATION). */
+
+ status = smb2cli_query_info(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ SMB2_GETINFO_FS, /* in_info_type */
+ /* in_file_info_class */
+ SMB_FS_FULL_SIZE_INFORMATION - 1000,
+ 0xFFFF, /* in_max_output_length */
+ NULL, /* in_input_buffer */
+ 0, /* in_additional_info */
+ 0, /* in_flags */
+ ph->fid_persistent,
+ ph->fid_volatile,
+ frame,
+ &outbuf);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ if (outbuf.length < 32) {
+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ goto fail;
+ }
+
+ *total_allocation_units = BIG_UINT(outbuf.data, 0);
+ *caller_allocation_units = BIG_UINT(outbuf.data, 8);
+ *actual_allocation_units = BIG_UINT(outbuf.data, 16);
+ *sectors_per_allocation_unit = (uint64_t)IVAL(outbuf.data, 24);
+ *bytes_per_sector = (uint64_t)IVAL(outbuf.data, 28);
+
+fail:
+
+ if (fnum != 0xffff) {
+ cli_smb2_close_fnum(cli, fnum);
+ }
+
+ cli->raw_status = status;
+
+ TALLOC_FREE(frame);
+ return status;
+}
+
/***************************************************************
Wrapper that allows SMB2 to query file system attributes.
Synchronous only.
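Review bot: The info class passed to smb2cli_query_info() is written as SMB_FS_FULL_SIZE_INFORMATION - 1000, while the comment above it says level 7; the bare 1000 needs a named constant or a comment explaining the offset. The five output pointers are dereferenced without a NULL check, and the result of cli_smb2_close_fnum() on the fail path is discarded, which is fine for cleanup but should be deliberate.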
diff --git a/source3/libsmb/cli_smb2_fnum.h b/source3/libsmb/cli_smb2_fnum.h
index 9a709e85d96..c9325b66902 100644
--- a/source3/libsmb/cli_smb2_fnum.h
+++ b/source3/libsmb/cli_smb2_fnum.h
@@ -136,6 +136,12 @@ NTSTATUS cli_smb2_dskattr(struct cli_state *cli,
uint64_t *total,
uint64_t *avail);
NTSTATUS cli_smb2_get_fs_attr_info(struct cli_state *cli, uint32_t *fs_attr);
+NTSTATUS cli_smb2_get_fs_full_size_info(struct cli_state *cli,
+ uint64_t *total_allocation_units,
+ uint64_t *caller_allocation_units,
+ uint64_t *actual_allocation_units,
+ uint64_t *sectors_per_allocation_unit,
+ uint64_t *bytes_per_sector);
NTSTATUS cli_smb2_query_security_descriptor(struct cli_state *cli,
uint16_t fnum,
uint32_t sec_info,
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 119b1216fb2..46236390022 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -439,6 +439,15 @@ NTSTATUS cli_get_fs_full_size_info(struct cli_state *cli,
uint32_t rdata_count;
NTSTATUS status;
+ if (smbXcli_conn_protocol(cli->conn) >= PROTOCOL_SMB2_02) {
+ return cli_smb2_get_fs_full_size_info(cli,
+ total_allocation_units,
+ caller_allocation_units,
+ actual_allocation_units,
+ sectors_per_allocation_unit,
+ bytes_per_sector);
+ }
+
SSVAL(setup, 0, TRANSACT2_QFSINFO);
SSVAL(param, 0, SMB_FS_FULL_SIZE_INFORMATION);
--
2.15.0.448.gf294e3d99a-goog

@ -1,66 +0,0 @@
From 79381295b788a8196ccbf2ff378268286d7782d5 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 16:20:34 -0700
Subject: [PATCH] libsmbclient: Allow server (NetApp) to return
STATUS_INVALID_PARAMETER from an echo.
It does this if we send a session ID of zero. The server still replied.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Nov 11 08:44:37 CET 2017 on sn-devel-144
(cherry picked from commit a0f6ea8dec1ab3d19bc93da12a9b0a1c0ccf6142)
---
source3/client/client.c | 8 +++++++-
source3/libsmb/libsmb_server.c | 11 ++++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/source3/client/client.c b/source3/client/client.c
index b4a6c7d0389..9c57375881d 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -5900,7 +5900,13 @@ static void readline_callback(void)
/* Ping the server to keep the connection alive using SMBecho. */
memset(garbage, 0xf0, sizeof(garbage));
status = cli_echo(cli, 1, data_blob_const(garbage, sizeof(garbage)));
- if (NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_IS_OK(status) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ /*
+ * Even if server returns NT_STATUS_INVALID_PARAMETER
+ * it still responded.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
return;
}
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index b0e5926fa65..2d41f2facf3 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -61,7 +61,16 @@ SMBC_check_server(SMBCCTX * context,
1,
data_blob_const(data, sizeof(data)));
if (!NT_STATUS_IS_OK(status)) {
- return 1;
+ /*
+ * Some NetApp servers return
+ * NT_STATUS_INVALID_PARAMETER.That's OK, they still
+ * replied.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13007
+ */
+ if (!NT_STATUS_EQUAL(status,
+ NT_STATUS_INVALID_PARAMETER)) {
+ return 1;
+ }
}
server->last_echo_time = now;
}
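Review bot: In SMBC_check_server() the NT_STATUS_INVALID_PARAMETER exception is nested inside if (!NT_STATUS_IS_OK(status)), whereas the same exception in client.c is a single combined condition; use one form in both places. The comment is missing a space in "NT_STATUS_INVALID_PARAMETER.That's". Since the check is on the status code alone, the comment should say this reply is accepted from every server, not only NetApp.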
--
2.15.0.448.gf294e3d99a-goog

@ -1,84 +0,0 @@
From b1f54d6b0a24a91ac3ef8b99b22ff68c2d0ca13d Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Thu, 23 Nov 2017 15:55:21 +0000
Subject: [PATCH 1/2] s3:libads: net ads keytab list fails with "Key table name
malformed"
When keytab_name is NULL don't call smb_krb5_kt_open use ads_keytab_open
instead, this function will determine the correct keytab to use.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3048ae318fc8b4d1b7663826972306372430a463)
---
source3/libads/kerberos_keytab.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index ff12ec04af6..ffd100c5636 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -639,7 +639,11 @@ int ads_keytab_list(const char *keytab_name)
return ret;
}
- ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ if (keytab_name == NULL) {
+ ret = ads_keytab_open(context, &keytab);
+ } else {
+ ret = smb_krb5_kt_open(context, keytab_name, False, &keytab);
+ }
if (ret) {
DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
error_message(ret)));
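Review bot: The failure message after the new branch in ads_keytab_list() still reads "smb_krb5_kt_open failed" even when keytab_name was NULL and ads_keytab_open() was the call that failed. Either log which function was used or make the message neutral (for example "failed to open keytab"), otherwise the log points at the wrong code path for exactly the case this patch fixes.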
--
2.15.0
From 6e067b990a8cbb0589d3a83e699aa766a6fee939 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Fri, 24 Nov 2017 07:06:27 +0000
Subject: [PATCH 2/2] testprogs: Test net ads keytab list
Test that correct keytab is picked up.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13166
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4be05c835e9d8b8f13856d592aaf42b40ce397c2)
---
testprogs/blackbox/test_net_ads.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/testprogs/blackbox/test_net_ads.sh b/testprogs/blackbox/test_net_ads.sh
index bbd99b676bd..c5dbaf69ba2 100755
--- a/testprogs/blackbox/test_net_ads.sh
+++ b/testprogs/blackbox/test_net_ads.sh
@@ -46,6 +46,19 @@ testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -kP || fai
testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+# if there is no keytab, try and create it
+if [ ! -f $dedicated_keytab_file ]; then
+ if [ $(command -v ktutil) >/dev/null ]; then
+ printf "addent -password -p $DC_USERNAME@$REALM -k 1 -e rc4-hmac\n$DC_PASSWORD\nwkt $dedicated_keytab_file\n" | ktutil
+ fi
+fi
+
+if [ -f $dedicated_keytab_file ]; then
+ testit "keytab list (dedicated keytab)" $VALGRIND $net_tool ads keytab list --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+ testit "keytab list keytab specified on cmdline" $VALGRIND $net_tool ads keytab list $dedicated_keytab_file || failed=`expr $failed + 1`
+fi
+
rm -f $dedicated_keytab_file
testit_expect_failure "testjoin(not joined)" $VALGRIND $net_tool ads testjoin -kP || failed=`expr $failed + 1`
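Review bot: In the ktutil probe, the redirect in [ $(command -v ktutil) >/dev/null ] applies to the [ command, not to command -v, and the substitution is unquoted; "if command -v ktutil >/dev/null 2>&1; then" says what is meant. The printf call also places $DC_USERNAME, $REALM, $DC_PASSWORD and $dedicated_keytab_file inside the format string, so a % or backslash in the password is interpreted by printf; pass them as arguments to a fixed format instead. Note too that when ktutil is absent and no keytab exists, both new "keytab list" tests are skipped silently, so the regression for bug 13166 would go unnoticed on such hosts.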
--
2.15.0


@ -1 +0,0 @@
.git/annex/objects/6z/WQ/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz/SHA256E-s11099904--6a23ddd7b6ef3f86ca4a1b55776be1f1be596663bb917c0302aea118ac11d7de.tar.xz

@ -0,0 +1,151 @@
From a803d2524b8c06e2c360db0c686a212ac49f7321 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 21 Mar 2019 14:51:30 -0700
Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
SaveKey/RestoreKey.
They were not using VFS backend calls and could only work
locally, and were unsafe against symlink races and other
security issues.
If the incoming handle is valid, return WERR_BAD_PATHNAME.
[MS-RRP] states "The format of the file name is implementation-specific"
so ensure we don't allow this.
As reported by Michael Hanselmann.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
1 file changed, 4 insertions(+), 88 deletions(-)
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index d9ee8d0602d..816c6bb2a12 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
}
/*******************************************************************
- ********************************************************************/
-
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
-{
- char *p = NULL;
- int num_services = lp_numservices();
- int snum = -1;
- const char *share_path = NULL;
- char *fname = *pp_fname;
-
- /* convert to a unix path, stripping the C:\ along the way */
-
- if (!(p = valid_share_pathname(ctx, fname))) {
- return -1;
- }
-
- /* has to exist within a valid file share */
-
- for (snum=0; snum<num_services; snum++) {
- if (!lp_snum_ok(snum) || lp_printable(snum)) {
- continue;
- }
-
- share_path = lp_path(talloc_tos(), snum);
-
- /* make sure we have a path (e.g. [homes] ) */
- if (strlen(share_path) == 0) {
- continue;
- }
-
- if (strncmp(share_path, p, strlen(share_path)) == 0) {
- break;
- }
- }
-
- *pp_fname = p;
- return (snum < num_services) ? snum : -1;
-}
-
-/*******************************************************************
_winreg_RestoreKey
********************************************************************/
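Review bot: With validate_reg_filename() gone, this file no longer calls valid_share_pathname(), reg_restorekey() or reg_savekey() (the two later hunks drop the last callers). Please check whether those functions have any remaining users and remove them in the same series if not, so that the file-based save/restore code the commit message calls unsafe is not left in the tree for someone to wire up again. For the record, the removed check matched the share path with strncmp() as a plain prefix, with no path-separator boundary and no symlink resolution, which is consistent with the rationale given.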
@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
struct winreg_RestoreKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
- "\"%s\"\n", regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
- return WERR_BAD_PATHNAME;
-
- /* user must posses SeRestorePrivilege for this this proceed */
-
- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
- return WERR_ACCESS_DENIED;
- }
-
- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_restorekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
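Review bot: _winreg_RestoreKey() now returns WERR_BAD_PATHNAME for every valid handle, but nothing in the function says why. Add a short comment at the return that cites the bug (13851) and the [MS-RRP] wording from the commit message, so the stub is not mistaken for unfinished code. The SEC_PRIV_RESTORE check is also gone, which is fine for a stub, but it means privileged and unprivileged callers now get the same error; state that this is intended.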
@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
struct winreg_SaveKey *r)
{
struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
- char *fname = NULL;
- int snum = -1;
- if ( !regkey )
+ if ( !regkey ) {
return WERR_INVALID_HANDLE;
-
- if ( !r->in.filename || !r->in.filename->name )
- return WERR_INVALID_PARAMETER;
-
- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
- if (!fname) {
- return WERR_NOT_ENOUGH_MEMORY;
}
-
- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
- regkey->key->name, fname));
-
- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
- return WERR_BAD_PATHNAME;
-
- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
- return reg_savekey(regkey, fname);
+ return WERR_BAD_PATHNAME;
}
/*******************************************************************
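Review bot: _winreg_SaveKey() loses both DEBUG lines along with the implementation, so a client that still issues SaveKey now fails with WERR_BAD_PATHNAME and leaves nothing in the server log. Consider keeping one low-level DEBUG line that records the key name and the fact that the call is refused, which helps administrators identify backup tools that depended on the old behaviour. As in _winreg_RestoreKey(), a comment at the return explaining the deliberate refusal would help.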
--
2.11.0

@ -0,0 +1,280 @@
From 5192b35d5e8644f000277c2f075b2ae90c514cbd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 4 Sep 2018 15:48:03 +0200
Subject: [PATCH] s3:libsmbclient: Add function to set protocol levels
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 0dae4e2f5c65167fdb2405e232436921a0bb17e6)
---
source3/include/libsmbclient.h | 19 ++-
source3/libsmb/ABI/smbclient-0.5.0.sigs | 185 ++++++++++++++++++++++++
source3/libsmb/libsmb_setget.c | 18 +++
source3/libsmb/wscript | 2 +-
4 files changed, 222 insertions(+), 2 deletions(-)
create mode 100644 source3/libsmb/ABI/smbclient-0.5.0.sigs
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index ca5c7f87f71..5e4a1715402 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -831,7 +831,24 @@ smbc_getOptionUseNTHash(SMBCCTX *c);
void
smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b);
-
+/**
+ * @brief Set the 'client min protocol' and the 'client max protocol'.
+ *
+ * IMPORTANT: This overrrides the values 'client min protocol' and 'client max
+ * protocol' set in the smb.conf file!
+ *
+ * @param[in] c The smbc context to use.
+ *
+ * @param[in] min_proto The minimal protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @param[in] max_proto The maximum protocol to use or NULL for leaving it
+ * untouched.
+ *
+ * @returns true for success, false otherwise
+ */
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c, const char *min_proto, const char *max_proto);
/*************************************
* Getters and setters for FUNCTIONS *
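Review bot: The doc comment for smbc_setOptionProtocols() does not say which strings are accepted for min_proto and max_proto, or what happens on an unknown value beyond "false otherwise"; point to the smb.conf 'client min protocol' and 'client max protocol' values. It should also say that the setting is process-wide: the implementation in libsmb_setget.c calls lp_set_cmdline() and never uses c, so every context in the process is affected, which callers of a per-context setter will not expect. "overrrides" is misspelled.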
diff --git a/source3/libsmb/ABI/smbclient-0.5.0.sigs b/source3/libsmb/ABI/smbclient-0.5.0.sigs
new file mode 100644
index 00000000000..b4245979c24
--- /dev/null
+++ b/source3/libsmb/ABI/smbclient-0.5.0.sigs
@@ -0,0 +1,185 @@
+smbc_chmod: int (const char *, mode_t)
+smbc_close: int (int)
+smbc_closedir: int (int)
+smbc_creat: int (const char *, mode_t)
+smbc_fgetxattr: int (int, const char *, const void *, size_t)
+smbc_flistxattr: int (int, char *, size_t)
+smbc_free_context: int (SMBCCTX *, int)
+smbc_fremovexattr: int (int, const char *)
+smbc_fsetxattr: int (int, const char *, const void *, size_t, int)
+smbc_fstat: int (int, struct stat *)
+smbc_fstatvfs: int (int, struct statvfs *)
+smbc_ftruncate: int (int, off_t)
+smbc_getDebug: int (SMBCCTX *)
+smbc_getFunctionAddCachedServer: smbc_add_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionAuthData: smbc_get_auth_data_fn (SMBCCTX *)
+smbc_getFunctionAuthDataWithContext: smbc_get_auth_data_with_context_fn (SMBCCTX *)
+smbc_getFunctionCheckServer: smbc_check_server_fn (SMBCCTX *)
+smbc_getFunctionChmod: smbc_chmod_fn (SMBCCTX *)
+smbc_getFunctionClose: smbc_close_fn (SMBCCTX *)
+smbc_getFunctionClosedir: smbc_closedir_fn (SMBCCTX *)
+smbc_getFunctionCreat: smbc_creat_fn (SMBCCTX *)
+smbc_getFunctionFstat: smbc_fstat_fn (SMBCCTX *)
+smbc_getFunctionFstatVFS: smbc_fstatvfs_fn (SMBCCTX *)
+smbc_getFunctionFstatdir: smbc_fstatdir_fn (SMBCCTX *)
+smbc_getFunctionFtruncate: smbc_ftruncate_fn (SMBCCTX *)
+smbc_getFunctionGetCachedServer: smbc_get_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionGetdents: smbc_getdents_fn (SMBCCTX *)
+smbc_getFunctionGetxattr: smbc_getxattr_fn (SMBCCTX *)
+smbc_getFunctionListPrintJobs: smbc_list_print_jobs_fn (SMBCCTX *)
+smbc_getFunctionListxattr: smbc_listxattr_fn (SMBCCTX *)
+smbc_getFunctionLseek: smbc_lseek_fn (SMBCCTX *)
+smbc_getFunctionLseekdir: smbc_lseekdir_fn (SMBCCTX *)
+smbc_getFunctionMkdir: smbc_mkdir_fn (SMBCCTX *)
+smbc_getFunctionNotify: smbc_notify_fn (SMBCCTX *)
+smbc_getFunctionOpen: smbc_open_fn (SMBCCTX *)
+smbc_getFunctionOpenPrintJob: smbc_open_print_job_fn (SMBCCTX *)
+smbc_getFunctionOpendir: smbc_opendir_fn (SMBCCTX *)
+smbc_getFunctionPrintFile: smbc_print_file_fn (SMBCCTX *)
+smbc_getFunctionPurgeCachedServers: smbc_purge_cached_fn (SMBCCTX *)
+smbc_getFunctionRead: smbc_read_fn (SMBCCTX *)
+smbc_getFunctionReaddir: smbc_readdir_fn (SMBCCTX *)
+smbc_getFunctionReaddirPlus: smbc_readdirplus_fn (SMBCCTX *)
+smbc_getFunctionRemoveCachedServer: smbc_remove_cached_srv_fn (SMBCCTX *)
+smbc_getFunctionRemoveUnusedServer: smbc_remove_unused_server_fn (SMBCCTX *)
+smbc_getFunctionRemovexattr: smbc_removexattr_fn (SMBCCTX *)
+smbc_getFunctionRename: smbc_rename_fn (SMBCCTX *)
+smbc_getFunctionRmdir: smbc_rmdir_fn (SMBCCTX *)
+smbc_getFunctionSetxattr: smbc_setxattr_fn (SMBCCTX *)
+smbc_getFunctionSplice: smbc_splice_fn (SMBCCTX *)
+smbc_getFunctionStat: smbc_stat_fn (SMBCCTX *)
+smbc_getFunctionStatVFS: smbc_statvfs_fn (SMBCCTX *)
+smbc_getFunctionTelldir: smbc_telldir_fn (SMBCCTX *)
+smbc_getFunctionUnlink: smbc_unlink_fn (SMBCCTX *)
+smbc_getFunctionUnlinkPrintJob: smbc_unlink_print_job_fn (SMBCCTX *)
+smbc_getFunctionUtimes: smbc_utimes_fn (SMBCCTX *)
+smbc_getFunctionWrite: smbc_write_fn (SMBCCTX *)
+smbc_getNetbiosName: const char *(SMBCCTX *)
+smbc_getOptionBrowseMaxLmbCount: int (SMBCCTX *)
+smbc_getOptionCaseSensitive: smbc_bool (SMBCCTX *)
+smbc_getOptionDebugToStderr: smbc_bool (SMBCCTX *)
+smbc_getOptionFallbackAfterKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionFullTimeNames: smbc_bool (SMBCCTX *)
+smbc_getOptionNoAutoAnonymousLogin: smbc_bool (SMBCCTX *)
+smbc_getOptionOneSharePerServer: smbc_bool (SMBCCTX *)
+smbc_getOptionOpenShareMode: smbc_share_mode (SMBCCTX *)
+smbc_getOptionSmbEncryptionLevel: smbc_smb_encrypt_level (SMBCCTX *)
+smbc_getOptionUrlEncodeReaddirEntries: smbc_bool (SMBCCTX *)
+smbc_getOptionUseCCache: smbc_bool (SMBCCTX *)
+smbc_getOptionUseKerberos: smbc_bool (SMBCCTX *)
+smbc_getOptionUseNTHash: smbc_bool (SMBCCTX *)
+smbc_getOptionUserData: void *(SMBCCTX *)
+smbc_getPort: uint16_t (SMBCCTX *)
+smbc_getServerCacheData: struct smbc_server_cache *(SMBCCTX *)
+smbc_getTimeout: int (SMBCCTX *)
+smbc_getUser: const char *(SMBCCTX *)
+smbc_getWorkgroup: const char *(SMBCCTX *)
+smbc_getdents: int (unsigned int, struct smbc_dirent *, int)
+smbc_getxattr: int (const char *, const char *, const void *, size_t)
+smbc_init: int (smbc_get_auth_data_fn, int)
+smbc_init_context: SMBCCTX *(SMBCCTX *)
+smbc_lgetxattr: int (const char *, const char *, const void *, size_t)
+smbc_list_print_jobs: int (const char *, smbc_list_print_job_fn)
+smbc_listxattr: int (const char *, char *, size_t)
+smbc_llistxattr: int (const char *, char *, size_t)
+smbc_lremovexattr: int (const char *, const char *)
+smbc_lseek: off_t (int, off_t, int)
+smbc_lseekdir: int (int, off_t)
+smbc_lsetxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_mkdir: int (const char *, mode_t)
+smbc_new_context: SMBCCTX *(void)
+smbc_notify: int (int, smbc_bool, uint32_t, unsigned int, smbc_notify_callback_fn, void *)
+smbc_open: int (const char *, int, mode_t)
+smbc_open_print_job: int (const char *)
+smbc_opendir: int (const char *)
+smbc_option_get: void *(SMBCCTX *, char *)
+smbc_option_set: void (SMBCCTX *, char *, ...)
+smbc_print_file: int (const char *, const char *)
+smbc_read: ssize_t (int, void *, size_t)
+smbc_readdir: struct smbc_dirent *(unsigned int)
+smbc_readdirplus: const struct libsmb_file_info *(unsigned int)
+smbc_removexattr: int (const char *, const char *)
+smbc_rename: int (const char *, const char *)
+smbc_rmdir: int (const char *)
+smbc_setConfiguration: int (SMBCCTX *, const char *)
+smbc_setDebug: void (SMBCCTX *, int)
+smbc_setFunctionAddCachedServer: void (SMBCCTX *, smbc_add_cached_srv_fn)
+smbc_setFunctionAuthData: void (SMBCCTX *, smbc_get_auth_data_fn)
+smbc_setFunctionAuthDataWithContext: void (SMBCCTX *, smbc_get_auth_data_with_context_fn)
+smbc_setFunctionCheckServer: void (SMBCCTX *, smbc_check_server_fn)
+smbc_setFunctionChmod: void (SMBCCTX *, smbc_chmod_fn)
+smbc_setFunctionClose: void (SMBCCTX *, smbc_close_fn)
+smbc_setFunctionClosedir: void (SMBCCTX *, smbc_closedir_fn)
+smbc_setFunctionCreat: void (SMBCCTX *, smbc_creat_fn)
+smbc_setFunctionFstat: void (SMBCCTX *, smbc_fstat_fn)
+smbc_setFunctionFstatVFS: void (SMBCCTX *, smbc_fstatvfs_fn)
+smbc_setFunctionFstatdir: void (SMBCCTX *, smbc_fstatdir_fn)
+smbc_setFunctionFtruncate: void (SMBCCTX *, smbc_ftruncate_fn)
+smbc_setFunctionGetCachedServer: void (SMBCCTX *, smbc_get_cached_srv_fn)
+smbc_setFunctionGetdents: void (SMBCCTX *, smbc_getdents_fn)
+smbc_setFunctionGetxattr: void (SMBCCTX *, smbc_getxattr_fn)
+smbc_setFunctionListPrintJobs: void (SMBCCTX *, smbc_list_print_jobs_fn)
+smbc_setFunctionListxattr: void (SMBCCTX *, smbc_listxattr_fn)
+smbc_setFunctionLseek: void (SMBCCTX *, smbc_lseek_fn)
+smbc_setFunctionLseekdir: void (SMBCCTX *, smbc_lseekdir_fn)
+smbc_setFunctionMkdir: void (SMBCCTX *, smbc_mkdir_fn)
+smbc_setFunctionNotify: void (SMBCCTX *, smbc_notify_fn)
+smbc_setFunctionOpen: void (SMBCCTX *, smbc_open_fn)
+smbc_setFunctionOpenPrintJob: void (SMBCCTX *, smbc_open_print_job_fn)
+smbc_setFunctionOpendir: void (SMBCCTX *, smbc_opendir_fn)
+smbc_setFunctionPrintFile: void (SMBCCTX *, smbc_print_file_fn)
+smbc_setFunctionPurgeCachedServers: void (SMBCCTX *, smbc_purge_cached_fn)
+smbc_setFunctionRead: void (SMBCCTX *, smbc_read_fn)
+smbc_setFunctionReaddir: void (SMBCCTX *, smbc_readdir_fn)
+smbc_setFunctionReaddirPlus: void (SMBCCTX *, smbc_readdirplus_fn)
+smbc_setFunctionRemoveCachedServer: void (SMBCCTX *, smbc_remove_cached_srv_fn)
+smbc_setFunctionRemoveUnusedServer: void (SMBCCTX *, smbc_remove_unused_server_fn)
+smbc_setFunctionRemovexattr: void (SMBCCTX *, smbc_removexattr_fn)
+smbc_setFunctionRename: void (SMBCCTX *, smbc_rename_fn)
+smbc_setFunctionRmdir: void (SMBCCTX *, smbc_rmdir_fn)
+smbc_setFunctionSetxattr: void (SMBCCTX *, smbc_setxattr_fn)
+smbc_setFunctionSplice: void (SMBCCTX *, smbc_splice_fn)
+smbc_setFunctionStat: void (SMBCCTX *, smbc_stat_fn)
+smbc_setFunctionStatVFS: void (SMBCCTX *, smbc_statvfs_fn)
+smbc_setFunctionTelldir: void (SMBCCTX *, smbc_telldir_fn)
+smbc_setFunctionUnlink: void (SMBCCTX *, smbc_unlink_fn)
+smbc_setFunctionUnlinkPrintJob: void (SMBCCTX *, smbc_unlink_print_job_fn)
+smbc_setFunctionUtimes: void (SMBCCTX *, smbc_utimes_fn)
+smbc_setFunctionWrite: void (SMBCCTX *, smbc_write_fn)
+smbc_setLogCallback: void (SMBCCTX *, void *, smbc_debug_callback_fn)
+smbc_setNetbiosName: void (SMBCCTX *, const char *)
+smbc_setOptionBrowseMaxLmbCount: void (SMBCCTX *, int)
+smbc_setOptionCaseSensitive: void (SMBCCTX *, smbc_bool)
+smbc_setOptionDebugToStderr: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFallbackAfterKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionFullTimeNames: void (SMBCCTX *, smbc_bool)
+smbc_setOptionNoAutoAnonymousLogin: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOneSharePerServer: void (SMBCCTX *, smbc_bool)
+smbc_setOptionOpenShareMode: void (SMBCCTX *, smbc_share_mode)
+smbc_setOptionProtocols: smbc_bool (SMBCCTX *, const char *, const char *)
+smbc_setOptionSmbEncryptionLevel: void (SMBCCTX *, smbc_smb_encrypt_level)
+smbc_setOptionUrlEncodeReaddirEntries: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseCCache: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseKerberos: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUseNTHash: void (SMBCCTX *, smbc_bool)
+smbc_setOptionUserData: void (SMBCCTX *, void *)
+smbc_setPort: void (SMBCCTX *, uint16_t)
+smbc_setServerCacheData: void (SMBCCTX *, struct smbc_server_cache *)
+smbc_setTimeout: void (SMBCCTX *, int)
+smbc_setUser: void (SMBCCTX *, const char *)
+smbc_setWorkgroup: void (SMBCCTX *, const char *)
+smbc_set_context: SMBCCTX *(SMBCCTX *)
+smbc_set_credentials: void (const char *, const char *, const char *, smbc_bool, const char *)
+smbc_set_credentials_with_fallback: void (SMBCCTX *, const char *, const char *, const char *)
+smbc_setxattr: int (const char *, const char *, const void *, size_t, int)
+smbc_stat: int (const char *, struct stat *)
+smbc_statvfs: int (char *, struct statvfs *)
+smbc_telldir: off_t (int)
+smbc_unlink: int (const char *)
+smbc_unlink_print_job: int (const char *, int)
+smbc_urldecode: int (char *, char *, size_t)
+smbc_urlencode: int (char *, char *, int)
+smbc_utime: int (const char *, struct utimbuf *)
+smbc_utimes: int (const char *, struct timeval *)
+smbc_version: const char *(void)
+smbc_write: ssize_t (int, const void *, size_t)
diff --git a/source3/libsmb/libsmb_setget.c b/source3/libsmb/libsmb_setget.c
index 60b822a395c..b1c4ff3b557 100644
--- a/source3/libsmb/libsmb_setget.c
+++ b/source3/libsmb/libsmb_setget.c
@@ -526,6 +526,24 @@ smbc_setOptionUseNTHash(SMBCCTX *c, smbc_bool b)
}
}
+smbc_bool
+smbc_setOptionProtocols(SMBCCTX *c,
+ const char *min_proto,
+ const char *max_proto)
+{
+ bool ok = true;
+
+ if (min_proto != NULL) {
+ ok = lp_set_cmdline("client min protocol", min_proto);
+ }
+
+ if (max_proto != NULL) {
+ ok &= lp_set_cmdline("client min protocol", max_proto);
+ }
+
+ return ok;
+}
+
/** Get the function for obtaining authentication data */
smbc_get_auth_data_fn
smbc_getFunctionAuthData(SMBCCTX *c)
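Review bot: In smbc_setOptionProtocols() the max_proto branch calls lp_set_cmdline("client min protocol", max_proto), so the maximum is never set and the minimum is overwritten with the value meant for the maximum. The key should be "client max protocol". As written, a caller that passes ("SMB2", "SMB3") to require at least SMB2 ends up with a minimum of SMB3 and an unchanged maximum, and a caller that passes only a max_proto to cap the dialect instead raises or lowers the floor. The parameter c is unused; either mark it so or document that the setting is global.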
diff --git a/source3/libsmb/wscript b/source3/libsmb/wscript
index 5482aea7d9c..298afc3c0e3 100644
--- a/source3/libsmb/wscript
+++ b/source3/libsmb/wscript
@@ -27,5 +27,5 @@ def build(bld):
public_headers='../include/libsmbclient.h',
abi_directory='ABI',
abi_match='smbc_*',
- vnum='0.4.0',
+ vnum='0.5.0',
pc_files='smbclient.pc')
--
2.19.2

@ -0,0 +1,252 @@
From 14d3e54fa87dc204223eba2c7e18b6e1bf0e4564 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 3 Jan 2019 12:07:01 -0500
Subject: [PATCH 1/5] s3:libsmb: Check disable_netbios in socket connect
If the disable_netbios option is set then return NT_STATUS_NOT_SUPPORTED
for a port 139 connection in the low level socket connection code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 78f51a1d3c53248159c1e7643364b62e52457bb9)
---
source3/libsmb/smbsock_connect.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index 9f915e1bb42..bb3cb07646c 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -376,6 +376,11 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_cleanup_fn(req, smbsock_connect_cleanup);
if (port == NBT_SMB_PORT) {
+ if (lp_disable_netbios()) {
+ tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
+ return tevent_req_post(req, ev);
+ }
+
state->req_139 = nb_connect_send(state, state->ev, state->addr,
state->called_name,
state->called_type,
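Review bot: The early return for port 139 in smbsock_connect_send() reports NT_STATUS_NOT_SUPPORTED, which is a generic status, and the following patches in this series make callers print "NetBIOS support disabled" whenever they see it. Any other source of NT_STATUS_NOT_SUPPORTED on the connect path would then be mislabelled. Logging at this point, where the cause is known for certain, would be more reliable than inferring it in each caller; at minimum add a comment here noting that callers key on this status.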
--
2.20.1
From 94491362b882e49757f8ecd8e133149457e2f2e5 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:40:33 -0500
Subject: [PATCH 2/5] s3:libsmb: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 499f051c9d527a14f9712365f8403a1ee0662c5b)
---
source3/libsmb/clidfs.c | 10 +++++++---
source3/libsmb/libsmb_server.c | 4 ++++
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 0dfb8b33606..4342a3b1d1b 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -196,9 +196,13 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
flags, &c);
if (!NT_STATUS_IS_OK(status)) {
- d_printf("Connection to %s failed (Error %s)\n",
- server,
- nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
+ DBG_WARNING("Connection to %s failed (Error %s)\n",
+ server,
+ nt_errstr(status));
return status;
}
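Review bot: In do_connect() the user-visible d_printf("Connection to %s failed ...") is replaced by DBG_WARNING, so at the default debug level smbclient users may no longer see why the connection failed. If the intent is only to add the NetBIOS hint, keep the d_printf and add the hint next to it. The new DBG_ERR string also lacks a trailing "\n", unlike the same message in net_rpc.c.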
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 67dfcf72327..0067df48cac 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -489,6 +489,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
}
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect");
+ }
+
errno = map_errno_from_nt_status(status);
return NULL;
}
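Review bot: The DBG_ERR string added in SMBC_server_internal() has no trailing "\n", while the identical message added to net_rpc.c in patch 4/5 does. Please make the three copies of this message consistent, ideally by defining it once.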
--
2.20.1
From a0e7b2e45efe680971ded1b66ea919f3fa4a9ad4 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 14:57:59 -0500
Subject: [PATCH 3/5] s3:smbpasswd: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ecbb2f78cec6d9e6f5180c8ba274a1da2152f098)
---
source3/libsmb/passchange.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 48ffba8036f..f60e3079975 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -46,10 +46,18 @@ NTSTATUS remote_password_change(const char *remote_machine,
result = cli_connect_nb(remote_machine, NULL, 0, 0x20, NULL,
SMB_SIGNING_IPC_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(result)) {
- if (asprintf(err_str, "Unable to connect to SMB server on "
- "machine %s. Error was : %s.\n",
- remote_machine, nt_errstr(result))==-1) {
- *err_str = NULL;
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. NetBIOS support disabled\n",
+ remote_machine) == -1) {
+ *err_str = NULL;
+ }
+ } else {
+ if (asprintf(err_str, "Unable to connect to SMB server on "
+ "machine %s. Error was : %s.\n",
+ remote_machine, nt_errstr(result))==-1) {
+ *err_str = NULL;
+ }
}
return result;
}
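Review bot: The two asprintf() branches in remote_password_change() duplicate the whole call and its error handling to vary one clause of the message. Choosing the reason string first (nt_errstr(result) or a fixed "NetBIOS support disabled") and calling asprintf() once would halve the code and keep the wording aligned; as written, the NetBIOS variant drops the final full stop that the other variant has.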
--
2.20.1
From 5f5420b85b0467c0cb3237c82bd4c151bbb0133b Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 15:17:24 -0500
Subject: [PATCH 4/5] s3:utils:net: Print debug message about Netbios
With a preceding patch, cli_connect_nb() will return
NT_STATUS_NOT_SUPPORTED when 'disable netbios' is set in smb.conf.
Print an informative error message to indicate Netbios is disabled
if this occurs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Noel Power <nopower@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 08867de2efde05e4730b41a335d13f775e44e397)
---
source3/utils/net_rpc.c | 3 +++
source3/utils/net_time.c | 9 +++++++--
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 67fff2f4d1b..91ad90f9594 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7431,6 +7431,9 @@ bool net_rpc_check(struct net_context *c, unsigned flags)
lp_netbios_name(), SMB_SIGNING_IPC_DEFAULT,
0, &cli);
if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ DBG_ERR("NetBIOS support disabled, unable to connect\n");
+ }
return false;
}
status = smbXcli_negprot(cli->conn, cli->timeout, PROTOCOL_CORE,
diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
index 0091fc86333..5e6cf2ea15d 100644
--- a/source3/utils/net_time.c
+++ b/source3/utils/net_time.c
@@ -37,8 +37,13 @@ static time_t cli_servertime(const char *host,
status = cli_connect_nb(host, dest_ss, 0, 0x20, lp_netbios_name(),
SMB_SIGNING_DEFAULT, 0, &cli);
if (!NT_STATUS_IS_OK(status)) {
- fprintf(stderr, _("Can't contact server %s. Error %s\n"),
- host, nt_errstr(status));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED)) {
+ fprintf(stderr, "Can't contact server %s. NetBIOS support disabled,"
+ " Error %s\n", host, nt_errstr(status));
+ } else {
+ fprintf(stderr, "Can't contact server %s. Error %s\n",
+ host, nt_errstr(status));
+ }
goto done;
}
--
2.20.1
From c948bd0660c1ddba0205ccdbd156baefa1c27971 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 14 Jan 2019 10:36:47 -0500
Subject: [PATCH 5/5] s3:libsmb: Honor disable_netbios option in
smbsock_connect_send
If disable_netbios is set, return before the tevent timer is triggered
to prevent outgoing netbios connections.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13727
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c324f84a2fa25e29d2f7879fbcd35ce0e76a78f8)
---
source3/libsmb/smbsock_connect.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/libsmb/smbsock_connect.c b/source3/libsmb/smbsock_connect.c
index bb3cb07646c..be52b9a4f79 100644
--- a/source3/libsmb/smbsock_connect.c
+++ b/source3/libsmb/smbsock_connect.c
@@ -415,6 +415,13 @@ struct tevent_req *smbsock_connect_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(state->req_445, smbsock_connect_connected,
req);
+ /*
+ * Check for disable_netbios
+ */
+ if (lp_disable_netbios()) {
+ return req;
+ }
+
/*
* After 5 msecs, fire the 139 (NBT) request
*/
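Review bot: The comment "Check for disable_netbios" above the early return restates the condition without saying what is being skipped. Say that returning here leaves only the port 445 attempt outstanding and deliberately does not schedule the delayed port 139 (NBT) fallback that follows, since that is the behaviour the commit message promises.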
--
2.20.1

@ -0,0 +1,37 @@
From fac7c0a0357fc0c9fc472a0ee022a8db7571f054 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 22 Mar 2019 14:39:11 +0100
Subject: [PATCH] docs: Update smbclient manpage for --max-protocol
We default to SMB3 now.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13857
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63084375e3c536f22f65e7b7796d114fa8c804c9)
---
docs-xml/manpages/smbclient.1.xml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
index e71a21a95e3..e25f7d3517b 100644
--- a/docs-xml/manpages/smbclient.1.xml
+++ b/docs-xml/manpages/smbclient.1.xml
@@ -261,9 +261,9 @@
<listitem><para>This allows the user to select the
highest SMB protocol level that smbclient will use to
connect to the server. By default this is set to
- NT1, which is the highest available SMB1 protocol.
- To connect using SMB2 or SMB3 protocol, use the
- strings SMB2 or SMB3 respectively. Note that to connect
+ highest available SMB3 protocol version.
+ To connect using SMB2 or SMB1 protocol, use the
+ strings SMB2 or NT1 respectively. Note that to connect
to a Windows 2012 server with encrypted transport selecting
a max-protocol of SMB3 is required.
</para></listitem>
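Review bot: The new sentence reads "set to highest available SMB3 protocol version" and needs an article ("the highest available"). With SMB3 now the default, the retained note that connecting to a Windows 2012 server with encrypted transport requires "selecting a max-protocol of SMB3" reads as if the user must still pass the option; reword it to say that a max-protocol below SMB3 prevents encrypted transport.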
--
2.21.0

@ -0,0 +1,40 @@
From 99c354431703a4408f0208e3f2b06a9da81937f2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 7 Nov 2018 14:32:29 +0100
Subject: [PATCH] lib:util: Fix DEBUGCLASS pointer initializiation
This fixes a segfault in pyglue:
==10142== Process terminating with default action of signal 11 (SIGSEGV)
==10142== Bad permissions for mapped region at address 0x6F00A20
==10142== at 0x6F1074B: py_set_debug_level (pyglue.c:165)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13679
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 71ef09c1afdbf967b829cb66b33c3a5cb1c18ba0)
---
lib/util/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/util/debug.c b/lib/util/debug.c
index d41e0f99c77..847ec1f0a0c 100644
--- a/lib/util/debug.c
+++ b/lib/util/debug.c
@@ -557,10 +557,10 @@ static const char *default_classname_table[] = {
* This is to allow reading of DEBUGLEVEL_CLASS before the debug
* system has been initialized.
*/
-static const int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
+static int debug_class_list_initial[ARRAY_SIZE(default_classname_table)];
static size_t debug_num_classes = 0;
-int *DEBUGLEVEL_CLASS = discard_const_p(int, debug_class_list_initial);
+int *DEBUGLEVEL_CLASS = debug_class_list_initial;
/* -------------------------------------------------------------------------- **
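Review bot: The comment kept above debug_class_list_initial says the array exists "to allow reading of DEBUGLEVEL_CLASS before the debug system has been initialized", but the crash in the commit message is a write through that pointer (py_set_debug_level). Now that the array is non-const, update the comment to say that it may be written before initialization as well, and state what happens to such early writes once the debug system allocates its real class list.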
--
2.19.1

@ -0,0 +1,87 @@
From fdc98f74d016bcfd9673f4bc011ba7ede59bdf48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 18 Jan 2019 14:24:30 -0800
Subject: [PATCH 2/2] smbd: uid: Don't crash if 'force group' is added to an
existing share connection.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
smbd could crash if "force group" is added to a
share definition whilst an existing connection
to that share exists. In that case, don't change
the existing credentials for force group, only
do so for new connections.
Remove knownfail from regression test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Jan 25 16:31:27 CET 2019 on sn-devel-144
(cherry picked from commit e37f9956c1f2416408bad048a4618f6366086b6a)
---
source3/smbd/uid.c | 35 +++++++++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 9d5321cf4cc..ced2d450f8e 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -296,6 +296,7 @@ static bool change_to_user_internal(connection_struct *conn,
int snum;
gid_t gid;
uid_t uid;
+ const char *force_group_name;
char group_c;
int num_groups = 0;
gid_t *group_list = NULL;
@@ -335,9 +336,39 @@ static bool change_to_user_internal(connection_struct *conn,
* See if we should force group for this service. If so this overrides
* any group set in the force user code.
*/
- if((group_c = *lp_force_group(talloc_tos(), snum))) {
+ force_group_name = lp_force_group(talloc_tos(), snum);
+ group_c = *force_group_name;
- SMB_ASSERT(conn->force_group_gid != (gid_t)-1);
+ if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {
+ /*
+ * This can happen if "force group" is added to a
+ * share definition whilst an existing connection
+ * to that share exists. In that case, don't change
+ * the existing credentials for force group, only
+ * do so for new connections.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
+ DBG_INFO("Not forcing group %s on existing connection to "
+ "share %s for SMB user %s (unix user %s)\n",
+ force_group_name,
+ lp_const_servicename(snum),
+ session_info->unix_info->sanitized_username,
+ session_info->unix_info->unix_name);
+ }
+
+ if((group_c != '\0') && (conn->force_group_gid != (gid_t)-1)) {
+ /*
+ * Only force group for connections where
+ * conn->force_group_gid has already been set
+ * to the correct value (i.e. the connection
+ * happened after the 'force group' definition
+ * was added to the share definition. Connections
+ * that were made before force group was added
+ * should stay with their existing credentials.
+ *
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13690
+ */
if (group_c == '+') {
int i;
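Review bot: in the first new `if`, the only trace that an existing connection is running without the configured force group is a DBG_INFO message, and it is printed each time change_to_user_internal() runs for that connection. An administrator may add "force group" to tighten access, so consider logging once per connection at a more visible level and documenting that existing connections must be closed before the setting applies to them. The two conditions are exact complements on `conn->force_group_gid`, so an if/else would read more clearly, and `force_group_name` is dereferenced without a NULL check. The diffstat reports 2 files changed while only source3/smbd/uid.c appears in this patch.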
--
2.20.1.495.gaa96b0ce6b-goog

@ -0,0 +1,544 @@
From 996850e7c3bae8fa2f3fcb3f2e3a811c1e6c162f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 29 Mar 2019 11:34:53 +0100
Subject: [PATCH 01/11] s3:libads: Print more information when LDAP fails
Currently we just get an error but don't know what exactly we tried to
do in 'net ads join -d10'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 40669e3739eb5cde135c371e2c8134d3f11a16a5)
---
source3/libads/ldap.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 13846695bd4..110f74a2dbb 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1521,8 +1521,10 @@ static void ads_print_error(int ret, LDAP *ld)
if (ret != 0) {
char *ld_error = NULL;
ldap_get_option(ld, LDAP_OPT_ERROR_STRING, &ld_error);
- DEBUG(10,("AD LDAP failure %d (%s):\n%s\n", ret,
- ldap_err2string(ret), ld_error));
+ DBG_ERR("AD LDAP ERROR: %d (%s): %s\n",
+ ret,
+ ldap_err2string(ret),
+ ld_error);
SAFE_FREE(ld_error);
}
}
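Review bot: in ads_print_error(), `ld_error` is still passed to `%s` without checking that ldap_get_option() filled it in; it starts as NULL and the call's return value is ignored. With the message moved from DEBUG(10, ...) to DBG_ERR it is now printed at the default log level, so check the return value or substitute a fixed string when `ld_error` is NULL. The server-supplied error text is also written to the log verbatim, which is worth noting for anyone who parses these logs.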
@@ -1549,6 +1551,8 @@ ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods)
(char) 1};
LDAPControl *controls[2];
+ DBG_INFO("AD LDAP: Modifying %s\n", mod_dn);
+
controls[0] = &PermitModify;
controls[1] = NULL;
@@ -1580,6 +1584,8 @@ ADS_STATUS ads_gen_add(ADS_STRUCT *ads, const char *new_dn, ADS_MODLIST mods)
char *utf8_dn = NULL;
size_t converted_size;
+ DBG_INFO("AD LDAP: Adding %s\n", new_dn);
+
if (!push_utf8_talloc(talloc_tos(), &utf8_dn, new_dn, &converted_size)) {
DEBUG(1, ("ads_gen_add: push_utf8_talloc failed!"));
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
@@ -1612,6 +1618,8 @@ ADS_STATUS ads_del_dn(ADS_STRUCT *ads, char *del_dn)
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
+ DBG_INFO("AD LDAP: Deleting %s\n", del_dn);
+
ret = ldap_delete_s(ads->ldap.ld, utf8_dn);
ads_print_error(ret, ads->ldap.ld);
TALLOC_FREE(utf8_dn);
--
2.21.0
From 5fe5419bd6617fb33c7aafce20e1eeb3edd2f35f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 27 Mar 2019 16:45:39 +0100
Subject: [PATCH 02/11] s3:libsmb: Add some useful debug output to cliconnect
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 011a47f04dabe22095a30d284662d8ca50463ee8)
---
source3/libsmb/cliconnect.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 837299d9220..9a3d3c769f9 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -345,6 +345,8 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
return NT_STATUS_OK;
}
+ DBG_INFO("Doing kinit for %s to access %s\n",
+ user_principal, target_hostname);
/*
* TODO: This should be done within the gensec layer
@@ -374,6 +376,11 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli,
*/
}
+ DBG_DEBUG("Successfully authenticated as %s to access %s using "
+ "Kerberos\n",
+ user_principal,
+ target_hostname);
+
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -1293,6 +1300,10 @@ static struct tevent_req *cli_session_setup_spnego_send(
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using SPNEGO\n",
+ target_hostname,
+ cli_credentials_get_principal(creds, talloc_tos()));
+
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
target_service, target_hostname);
if (tevent_req_nomem(subreq, req)) {
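Review bot: the last argument of the new DBG_INFO, `cli_credentials_get_principal(creds, talloc_tos())`, is used unchecked; if it returns NULL the message formats a NULL `%s`, and the string is allocated on talloc_tos() purely for logging. Fetch the principal into a local variable, fall back to a placeholder when it is NULL, and free it after the call.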
@@ -1496,6 +1507,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ DBG_INFO("Connect to %s as %s using NTLM\n", domain, username);
+
if ((sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
bool use_unicode = smbXcli_conn_use_unicode(cli->conn);
uint8_t *bytes = NULL;
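Review bot: "Connect to %s as %s using NTLM" is filled with `domain` and `username`, so the first `%s` is not the server being connected to, unlike the SPNEGO message added in the same file, which prints `target_hostname`. Reword it so it says the client is authenticating as domain and user, or log the actual target, so that the two messages can be read the same way.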
--
2.21.0
From 0ad85d0c8d5f1c0a8a2fc9bed2e685e3421195bc Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:46:39 +0200
Subject: [PATCH 03/11] s3:libnet: Fix debug message in libnet_DomainJoin()
A newline is missing but also use DBG_INFO macro and cleanup spelling.
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3a33c360071bb7cada58f1f71ccd8949fda70662)
---
source3/libnet/libnet_join.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442..ddc00f7ad7c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2664,8 +2664,8 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
return WERR_NERR_DEFAULTJOINREQUIRED;
}
- DEBUG(5, ("failed to precreate account in ou %s: %s",
- r->in.account_ou, ads_errstr(ads_status)));
+ DBG_INFO("Failed to pre-create account in OU %s: %s\n",
+ r->in.account_ou, ads_errstr(ads_status));
}
rpc_join:
--
2.21.0
From d6802828cc9a0dbdd667966faea7cc331479179b Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Wed, 27 Mar 2019 17:51:04 +0100
Subject: [PATCH 04/11] auth:ntlmssp: Add back CRAP ndr debug output
This got lost somehow during refactoring. This is still viable
information when trying to figure out what is going wrong when
authenticating a user over NTLMSSP.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9e92654899db3c951bee0203415a15737402e7b7)
---
auth/ntlmssp/ntlmssp_client.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index ab406a2c5be..8e49dcee5ea 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -342,6 +342,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
}
+ if (DEBUGLEVEL >= 10) {
+ struct CHALLENGE_MESSAGE *challenge =
+ talloc(ntlmssp_state, struct CHALLENGE_MESSAGE);
+ if (challenge != NULL) {
+ NTSTATUS status;
+ challenge->NegotiateFlags = chal_flags;
+ status = ntlmssp_pull_CHALLENGE_MESSAGE(
+ &in, challenge, challenge);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(CHALLENGE_MESSAGE,
+ challenge);
+ }
+ TALLOC_FREE(challenge);
+ }
+ }
+
if (chal_flags & NTLMSSP_TARGET_TYPE_SERVER) {
ntlmssp_state->server.is_standalone = true;
} else {
@@ -702,6 +718,22 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
return nt_status;
}
+ if (DEBUGLEVEL >= 10) {
+ struct AUTHENTICATE_MESSAGE *authenticate =
+ talloc(ntlmssp_state, struct AUTHENTICATE_MESSAGE);
+ if (authenticate != NULL) {
+ NTSTATUS status;
+ authenticate->NegotiateFlags = ntlmssp_state->neg_flags;
+ status = ntlmssp_pull_AUTHENTICATE_MESSAGE(
+ out, authenticate, authenticate);
+ if (NT_STATUS_IS_OK(status)) {
+ NDR_PRINT_DEBUG(AUTHENTICATE_MESSAGE,
+ authenticate);
+ }
+ TALLOC_FREE(authenticate);
+ }
+ }
+
/*
* We always include the MIC, even without:
* av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
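Review bot: at `DEBUGLEVEL >= 10` this block prints the full AUTHENTICATE_MESSAGE through NDR_PRINT_DEBUG, which puts the client's challenge responses and session key field into the log; together with the CHALLENGE_MESSAGE dump added earlier in the same function, a level 10 log then holds a complete NTLMSSP exchange. Say so in the commit message or in a comment so that such logs are handled as credential material. A failed ntlmssp_pull_AUTHENTICATE_MESSAGE() or talloc() is skipped silently, and the block repeats the challenge one almost line for line, so a small helper would remove the duplication.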
--
2.21.0
From 9a4a76ad58a96903129d1aef0c5ac05a9beeda4b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 15:59:10 +0200
Subject: [PATCH 05/11] auth:creds: Prefer the principal over DOMAIN/username
when using NTLM
If we want to authenticate using -Wadmin@otherdomain the DC should
take care of the authentication with the right DC for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5c7f0a6902cfdd698e5f4159d37537bb4c9c1cc3)
---
auth/credentials/credentials.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4663185c979..7ef58d0752c 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1115,7 +1115,7 @@ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *c
const char **username,
const char **domain)
{
- if (cred->principal_obtained > cred->username_obtained) {
+ if (cred->principal_obtained >= cred->username_obtained) {
*domain = talloc_strdup(mem_ctx, "");
*username = cli_credentials_get_principal(cred, mem_ctx);
} else {
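Review bot: changing `>` to `>=` also changes the tie case: whenever `principal_obtained` equals `username_obtained`, every caller of cli_credentials_get_ntlm_username_domain() now gets an empty domain and the principal as user name, not only the join case from the commit message. `*username` is assigned straight from cli_credentials_get_principal() with no NULL check, and `*domain` from talloc_strdup() likewise. Add a test that covers equal obtained levels and handle the NULL returns.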
--
2.21.0
From 40267b96b2d596bf92139bbc794337fa828e63d5 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:39:45 +0200
Subject: [PATCH 06/11] s3:libnet: Use more secure name for the JOIN krb5.conf
Currently we create krb5.conf..JOIN, use krb5.conf._JOIN_ instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b7f0c64514a28cfb5d2cdee683c18943b97ea753)
---
source3/libnet/libnet_join.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index ddc00f7ad7c..e052306523d 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2598,12 +2598,14 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
}
/* The domain parameter is only used as modifier
- * to krb5.conf file name. .JOIN is is not a valid
+ * to krb5.conf file name. _JOIN_ is is not a valid
* NetBIOS name so it cannot clash with another domain
* -- Uri.
*/
- create_local_private_krb5_conf_for_domain(
- pre_connect_realm, ".JOIN", sitename, &ss);
+ create_local_private_krb5_conf_for_domain(pre_connect_realm,
+ "_JOIN_",
+ sitename,
+ &ss);
}
status = libnet_join_lookup_dc_rpc(mem_ctx, r, &cli);
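Review bot: the updated comment keeps the doubled "is is" and carries over the justification written for ".JOIN" ("not a valid NetBIOS name so it cannot clash with another domain") without showing that it holds for "_JOIN_". Please confirm that claim for the new string, and have the commit message say what makes the new name more secure. The return value of create_local_private_krb5_conf_for_domain() is still discarded, so a failure to write the file goes unnoticed at this call site.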
--
2.21.0
From cdc7199588e89eec42f30d0ea00f406911739763 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 1 Apr 2019 16:47:26 +0200
Subject: [PATCH 07/11] s3:libads: Make sure we can lookup KDCs which are not
configured
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Guenther Deschner <gd@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c016afc832543514ebf7ecda1fbe6b272ea533d6)
---
source3/libads/kerberos.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e623f2456a8..360cdd741da 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -673,11 +673,19 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
}
#endif
+ /*
+ * We are setting 'dns_lookup_kdc' to true, because we want to lookup
+ * KDCs which are not configured via DNS SRV records, eg. if we do:
+ *
+ * net ads join -Uadmin@otherdomain
+ */
file_contents =
talloc_asprintf(fname,
- "[libdefaults]\n\tdefault_realm = %s\n"
+ "[libdefaults]\n"
+ "\tdefault_realm = %s\n"
"%s"
- "\tdns_lookup_realm = false\n\n"
+ "\tdns_lookup_realm = false\n"
+ "\tdns_lookup_kdc = true\n\n"
"[realms]\n\t%s = {\n"
"%s\t}\n"
"%s\n",
--
2.21.0
From 85d85aa3f79ab0a4c3f3f3aad94d7ed545992a45 Mon Sep 17 00:00:00 2001
From: Guenther Deschner <gd@samba.org>
Date: Mon, 1 Apr 2019 17:40:03 +0200
Subject: [PATCH 08/11] s3:ldap: Leave add machine code early for pre-existing
accounts
This avoids numerous LDAP constraint violation errors when we try to
re-precreate an already existing machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2044ca0e20bd3180720a82506b3af041d14b5c68)
---
source3/libads/ldap.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 110f74a2dbb..e191ea792a8 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -2120,6 +2120,15 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
goto done;
}
+ ret = ads_find_machine_acct(ads, &res, machine_escaped);
+ ads_msgfree(ads, res);
+ if (ADS_ERR_OK(ret)) {
+ DBG_DEBUG("Host account for %s already exists.\n",
+ machine_escaped);
+ ret = ADS_ERROR_LDAP(LDAP_ALREADY_EXISTS);
+ goto done;
+ }
+
new_dn = talloc_asprintf(ctx, "cn=%s,%s", machine_escaped, org_unit);
samAccountName = talloc_asprintf(ctx, "%s$", machine_name);
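Review bot: `ads_msgfree(ads, res)` runs before `ret` is examined, which is only safe if `res` starts out NULL, and any failure from ads_find_machine_acct(), not only "not found", falls through to account creation. Check for the specific not-found status and return other errors to the caller. `res` is also left pointing at freed memory; with the free at `done:` removed in the next hunk, set it to NULL here so that a later change cannot reuse it by accident.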
@@ -2155,7 +2164,6 @@ ADS_STATUS ads_create_machine_acct(ADS_STRUCT *ads,
done:
SAFE_FREE(machine_escaped);
- ads_msgfree(ads, res);
talloc_destroy(ctx);
return ret;
--
2.21.0
From ff8c3e197107621f9398515120a33239940a507b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:14:06 +0200
Subject: [PATCH 09/11] s3-libnet_join: always pass down admin domain to ads
layer
Otherwise we could lose the information that a non-default domain name
has been used for admin creds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ea29aa27cbac4253ee1701fed99a3e0811f7475d)
---
source3/libnet/libnet_join.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index e052306523d..fc7429e6a23 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -205,7 +205,19 @@ static ADS_STATUS libnet_join_connect_ads(TALLOC_CTX *mem_ctx,
password = r->in.machine_password;
ccname = "MEMORY:libnet_join_machine_creds";
} else {
+ char *p = NULL;
+
username = r->in.admin_account;
+
+ p = strchr(r->in.admin_account, '@');
+ if (p == NULL) {
+ username = talloc_asprintf(mem_ctx, "%s@%s",
+ r->in.admin_account,
+ r->in.admin_domain);
+ }
+ if (username == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
password = r->in.admin_password;
/*
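Review bot: when `admin_account` contains no '@', `r->in.admin_domain` is formatted into "%s@%s" without checking that it is set, so a NULL or empty admin domain yields a malformed principal. Guard on `r->in.admin_domain` before building the string, and move the `username == NULL` check inside the `if (p == NULL)` branch, since that is the only place an allocation can fail.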
--
2.21.0
From a3939fb583bb21abb34ec4179ffeb65e9a621279 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:11 +0200
Subject: [PATCH 10/11] s3-libnet_join: setup libnet join error string when AD
connect fails
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 68121f46c74df9cef7a377040d01ba75cdcf5a26)
---
source3/libnet/libnet_join.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index fc7429e6a23..6d3fc1fe01f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2655,6 +2655,9 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
ads_status = libnet_join_connect_ads_user(mem_ctx, r);
if (!ADS_ERR_OK(ads_status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to connect to AD: %s",
+ ads_errstr(ads_status));
return WERR_NERR_DEFAULTJOINREQUIRED;
}
--
2.21.0
From d91788b9f257a3e87d9ad460bc4a3e8b8f1d49c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 2 Apr 2019 13:16:55 +0200
Subject: [PATCH 11/11] s3-libnet_join: allow fallback to NTLMSSP auth in
libnet_join
When a non-DNS and non-default admin domain is provided during the join
sometimes we might not be able to kinit with 'user@SHORTDOMAINNAME'
(e.g. when the winbind krb5 locator is not installed). In that case let's
fall back to NTLMSSP, like we do in winbind.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13861
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 3 18:57:31 UTC 2019 on sn-devel-144
(cherry picked from commit 377d27359ccdb8f2680fda36ca388f44456590e5)
---
source3/libnet/libnet_join.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 6d3fc1fe01f..b876d7ea89f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -145,6 +145,8 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
if (user_name) {
SAFE_FREE(my_ads->auth.user_name);
my_ads->auth.user_name = SMB_STRDUP(user_name);
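Review bot: `ADS_AUTH_ALLOW_NTLMSSP` is set unconditionally for every caller of libnet_connect_ads(), while the commit message describes a fallback for the case where kinit with 'user@SHORTDOMAINNAME' fails. As written, any connection made through this function is permitted to fall back from Kerberos to NTLMSSP. Consider setting the flag only when the admin domain is not a DNS name, or making it configurable, and log when the fallback is taken so that sites which restrict NTLM can see it.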
--
2.21.0

@ -0,0 +1,56 @@
From 01b912069337c8dd2eab6be006813dc7fbc2f882 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Mon, 17 Dec 2018 11:26:11 -0500
Subject: [PATCH] s3: net: Do not set NET_FLAGS_ANONYMOUS with -k
This affects net rpc getsid and net rpc changetrustpw commands.
This avoids an anonymous IPC connection being made when -k is used,
this only affects net rpc getsid and net rpc changetrustpw commands.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13726
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
---
source3/utils/net_rpc.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index b99a036fca1..67fff2f4d1b 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -316,6 +316,12 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
{
+ int conn_flags = NET_FLAGS_PDC;
+
+ if (!c->opt_user_specified && !c->opt_kerberos) {
+ conn_flags |= NET_FLAGS_ANONYMOUS;
+ }
+
if (c->display_usage) {
d_printf( "%s\n"
"net rpc changetrustpw\n"
@@ -326,7 +332,7 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
}
return run_rpc_command(c, NULL, &ndr_table_netlogon,
- NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
+ conn_flags,
rpc_changetrustpw_internals,
argc, argv);
}
@@ -863,7 +869,7 @@ int net_rpc_getsid(struct net_context *c, int argc, const char **argv)
{
int conn_flags = NET_FLAGS_PDC;
- if (!c->opt_user_specified) {
+ if (!c->opt_user_specified && !c->opt_kerberos) {
conn_flags |= NET_FLAGS_ANONYMOUS;
}
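Review bot: the condition `!c->opt_user_specified && !c->opt_kerberos` now appears in both net_rpc_changetrustpw() and net_rpc_getsid(); a small helper returning the connection flags would keep the two in step. The commit message states twice that only these two commands are affected, and the patch adds no test showing that -k no longer produces an anonymous connection.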
--
2.20.1

@ -0,0 +1,521 @@
From 7c0a36d527800cd9d148c64b24371c76ac73db63 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:15:05 +0100
Subject: [PATCH 1/5] s3:script: Fix jobid check in test_smbspool.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fad5e4eaeb9202c1b63c42ea09254c17c473e33a)
---
source3/script/tests/test_smbspool.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/script/tests/test_smbspool.sh b/source3/script/tests/test_smbspool.sh
index d95ed064634..f28c0909334 100755
--- a/source3/script/tests/test_smbspool.sh
+++ b/source3/script/tests/test_smbspool.sh
@@ -99,8 +99,8 @@ test_vlp_verify()
fi
jobid=$(echo "$out" | awk '/[0-9]+/ { print $1 };')
- if [ $jobid -lt 1000 || $jobid -gt 2000 ]; then
- echo "failed to get jobid"
+ if [ -z "$jobid" ] || [ $jobid -lt 100 || [ $jobid -gt 2000 ]; then
+ echo "Invalid jobid: $jobid"
echo "$out"
return 1
fi
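Review bot: in the new condition, `[ $jobid -lt 100` is missing its closing `]` before `||`, so `[` reports an error instead of comparing and the lower bound is never enforced. It should read `[ -z "$jobid" ] || [ "$jobid" -lt 100 ] || [ "$jobid" -gt 2000 ]`, with `$jobid` quoted so that a multi-line awk result does not break the test. The lower bound also changes from 1000 to 100 without an explanation in the commit message.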
--
2.20.1
From 3cce23b5b863abf2c2352f5a066dc005d9728b18 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 09:40:58 +0100
Subject: [PATCH 2/5] s3:client: Pass DEVICE_URI and AUTH_INFO_REQUIRED env to
smbspool
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 43160184d254a57f87bb2adeba47f48d8539533a)
---
source3/client/smbspool_krb5_wrapper.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/source3/client/smbspool_krb5_wrapper.c b/source3/client/smbspool_krb5_wrapper.c
index dee3b4c54be..5c4da33238b 100644
--- a/source3/client/smbspool_krb5_wrapper.c
+++ b/source3/client/smbspool_krb5_wrapper.c
@@ -84,24 +84,36 @@ int main(int argc, char *argv[])
struct passwd *pwd;
char gen_cc[PATH_MAX] = {0};
struct stat sb;
- char *env;
+ char *env = NULL;
+ char auth_info_required[256] = {0};
+ char device_uri[4096] = {0};
uid_t uid = (uid_t)-1;
gid_t gid = (gid_t)-1;
unsigned long tmp;
int cmp;
int rc;
+ env = getenv("DEVICE_URI");
+ if (env != NULL && strlen(env) > 2) {
+ snprintf(device_uri, sizeof(device_uri), "%s", env);
+ }
+
/* Check if AuthInfoRequired is set to negotiate */
env = getenv("AUTH_INFO_REQUIRED");
/* If not set, then just call smbspool. */
- if (env == NULL) {
+ if (env == NULL || env[0] == 0) {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED is not set - "
"execute smbspool");
goto smbspool;
} else {
CUPS_SMB_DEBUG("AUTH_INFO_REQUIRED=%s", env);
+ snprintf(auth_info_required,
+ sizeof(auth_info_required),
+ "%s",
+ env);
+
cmp = strcmp(env, "username,password");
if (cmp == 0) {
CUPS_SMB_DEBUG("Authenticate using username/password - "
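Review bot: both copies use snprintf() and ignore its return value, so a DEVICE_URI longer than 4095 bytes or an AUTH_INFO_REQUIRED longer than 255 bytes is truncated silently and the truncated value is what gets passed on to smbspool. Check the return value and fail when it is not smaller than the buffer size. The `strlen(env) > 2` test for DEVICE_URI is unexplained; a comment or a check for the expected scheme would be clearer.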
@@ -223,12 +235,18 @@ create_env:
#else
{
extern char **environ;
- environ = calloc(1, sizeof(*environ));
+ environ = calloc(3, sizeof(*environ));
}
#endif
CUPS_SMB_DEBUG("Setting KRB5CCNAME to '%s'", gen_cc);
setenv("KRB5CCNAME", gen_cc, 1);
+ if (device_uri[0] != '\0') {
+ setenv("DEVICE_URI", device_uri, 1);
+ }
+ if (auth_info_required[0] != '\0') {
+ setenv("AUTH_INFO_REQUIRED", auth_info_required, 1);
+ }
smbspool:
snprintf(smbspool_cmd,
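Review bot: `calloc(3, sizeof(*environ))` is not checked for NULL before the setenv() calls, and a three-slot array has room for two entries plus the terminator while up to three variables are set (KRB5CCNAME, DEVICE_URI, AUTH_INFO_REQUIRED). Size it as 4 or add a comment that setenv() is relied on to grow the array, and check the setenv() return values, since a missing KRB5CCNAME or AUTH_INFO_REQUIRED changes how smbspool authenticates.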
--
2.20.1
From 0c03a0baf57ef4503e98b9e2ddd5695e6c8dd3fd Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 4 Jan 2019 09:21:24 +0100
Subject: [PATCH 3/5] s3:client: Evaluate the AUTH_INFO_REQUIRED variable set
by cups
This should not switch to username,password if cups has been configured
to use negotiate (Kerberos authentication).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5274b09fbaa5e45cc58f3301818d4e9f6a402845)
---
source3/client/smbspool.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 389e4ea553f..3dbf6be014b 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -60,7 +60,7 @@
* Local functions...
*/
-static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status, bool use_kerberos);
+static int get_exit_code(struct cli_state * cli, NTSTATUS nt_status);
static void list_devices(void);
static struct cli_state *smb_complete_connection(const char *, const char *,
int, const char *, const char *, const char *, const char *, int, bool *need_auth);
@@ -72,6 +72,8 @@ static char *uri_unescape_alloc(const char *);
static bool smb_encrypt;
#endif
+static const char *auth_info_required;
+
/*
* 'main()' - Main entry for SMB backend.
*/
@@ -185,6 +187,11 @@ main(int argc, /* I - Number of command-line arguments */
}
}
+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ if (auth_info_required == NULL) {
+ auth_info_required = "none";
+ }
+
cmp = strncmp(dev_uri, "smb://", 6);
if (cmp != 0) {
fprintf(stderr,
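Review bot: only a NULL AUTH_INFO_REQUIRED is mapped to "none"; an empty string is kept as is, whereas the wrapper patch in this series treats `env[0] == 0` as unset. Handle the empty value the same way here.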
@@ -233,6 +240,10 @@ main(int argc, /* I - Number of command-line arguments */
server = uri + 6;
}
+ if (password != empty_str) {
+ auth_info_required = "username,password";
+ }
+
tmp = server;
if ((sep = strchr_m(tmp, '/')) == NULL) {
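Review bot: `auth_info_required` is overwritten with "username,password" whenever the URI carries a password, even if AUTH_INFO_REQUIRED was "negotiate", which is the situation the commit message says should not switch. Either skip the override when the environment asked for negotiate or explain in a comment why an embedded password takes precedence.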
@@ -352,8 +363,7 @@ done:
static int
get_exit_code(struct cli_state * cli,
- NTSTATUS nt_status,
- bool use_kerberos)
+ NTSTATUS nt_status)
{
int i;
@@ -380,10 +390,7 @@ get_exit_code(struct cli_state * cli,
}
if (cli) {
- if (use_kerberos)
- fputs("ATTR: auth-info-required=negotiate\n", stderr);
- else
- fputs("ATTR: auth-info-required=username,password\n", stderr);
+ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
}
/*
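Review bot: `auth_info_required` can come straight from the AUTH_INFO_REQUIRED environment variable and is written into the `ATTR: auth-info-required=%s` line without validation. Accept only the values this code itself uses ("none", "username,password", "negotiate") and fall back to "none" otherwise, so that an unexpected value or an embedded newline cannot alter the attribute lines sent to CUPS on stderr.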
@@ -452,6 +459,7 @@ smb_complete_connection(const char *myname,
}
if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
+ auth_info_required = "negotiate";
use_kerberos = true;
}
@@ -474,7 +482,7 @@ smb_complete_connection(const char *myname,
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: Session setup failed: %s\n", nt_errstr(nt_status));
- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+ if (get_exit_code(cli, nt_status) == 2) {
*need_auth = true;
}
@@ -488,7 +496,7 @@ smb_complete_connection(const char *myname,
fprintf(stderr, "ERROR: Tree connect failed (%s)\n",
nt_errstr(nt_status));
- if (get_exit_code(cli, nt_status, use_kerberos) == 2) {
+ if (get_exit_code(cli, nt_status) == 2) {
*need_auth = true;
}
@@ -677,7 +685,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s opening remote spool %s\n",
nt_errstr(nt_status), title);
- return get_exit_code(cli, nt_status, false);
+ return get_exit_code(cli, nt_status);
}
/*
@@ -695,7 +703,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
status = cli_writeall(cli, fnum, 0, (uint8_t *)buffer,
tbytes, nbytes, NULL);
if (!NT_STATUS_IS_OK(status)) {
- int ret = get_exit_code(cli, status, false);
+ int ret = get_exit_code(cli, status);
fprintf(stderr, "ERROR: Error writing spool: %s\n",
nt_errstr(status));
fprintf(stderr, "DEBUG: Returning status %d...\n",
@@ -711,7 +719,7 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
if (!NT_STATUS_IS_OK(nt_status)) {
fprintf(stderr, "ERROR: %s closing remote spool %s\n",
nt_errstr(nt_status), title);
- return get_exit_code(cli, nt_status, false);
+ return get_exit_code(cli, nt_status);
} else {
return (0);
}
--
2.20.1
From 59c5b1c6bad46ac523504120833080836cdc19a1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 10:09:14 +0100
Subject: [PATCH 4/5] s3:client: Make sure we work on a copy of the title
We can't be sure we can write to the input buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 129ae27946318a075e99c9e6d1bacf8963f72282)
---
source3/client/smbspool.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 3dbf6be014b..94c7ea368a2 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -66,7 +66,7 @@ static struct cli_state *smb_complete_connection(const char *, const char *,
int, const char *, const char *, const char *, const char *, int, bool *need_auth);
static struct cli_state *smb_connect(const char *, const char *, int, const
char *, const char *, const char *, const char *, bool *need_auth);
-static int smb_print(struct cli_state *, char *, FILE *);
+static int smb_print(struct cli_state *, const char *, FILE *);
static char *uri_unescape_alloc(const char *);
#if 0
static bool smb_encrypt;
@@ -655,7 +655,7 @@ kerberos_auth:
static int /* O - 0 = success, non-0 = failure */
smb_print(struct cli_state * cli, /* I - SMB connection */
- char *title, /* I - Title/job name */
+ const char *print_title, /* I - Title/job name */
FILE * fp)
{ /* I - File to print */
uint16_t fnum; /* File number */
@@ -663,12 +663,18 @@ smb_print(struct cli_state * cli, /* I - SMB connection */
tbytes; /* Total bytes read */
char buffer[8192], /* Buffer for copy */
*ptr; /* Pointer into title */
+ char title[1024] = {0};
+ int len;
NTSTATUS nt_status;
/*
- * Sanitize the title...
- */
+ * Sanitize the title...
+ */
+ len = snprintf(title, sizeof(title), "%s", print_title);
+ if (len != strlen(print_title)) {
+ return 2;
+ }
for (ptr = title; *ptr; ptr++) {
if (!isalnum((int) *ptr) && !isspace((int) *ptr)) {
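Review bot: the truncation check `len != strlen(print_title)` cannot fire: snprintf() returns the length the full string would have had, which for a "%s" format is strlen(print_title) whether or not it fit into `title[1024]`. Compare against the buffer instead, returning the error when `len` is negative or not smaller than `sizeof(title)`, which also removes the signed/unsigned comparison. A comment on why 2 is the right return value here would help.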
--
2.20.1
From 912e8b22b3b35c17bce35d10d543cc1505a15c46 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 12 Mar 2019 11:40:30 +0100
Subject: [PATCH 5/5] s3:client: Fix smbspool device uri handling
If we are executed as a CUPS backend, argv[0] is set to the device uri.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13832
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Bryan Mason <bmason@redhat.com>
Signed-off-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 69d7a496d3bf52eaa10e81132bb61430863fdd8a)
---
source3/client/smbspool.c | 120 ++++++++++++++++++++++++++++++--------
1 file changed, 96 insertions(+), 24 deletions(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 94c7ea368a2..97d00bdd011 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -99,10 +99,12 @@ main(int argc, /* I - Number of command-line arguments */
char empty_str[] = "";
int tries = 0;
bool need_auth = true;
- const char *dev_uri;
+ const char *dev_uri = NULL;
+ const char *env = NULL;
const char *config_file = NULL;
TALLOC_CTX *frame = talloc_stackframe();
- bool device_uri_cmdline = false;
+ const char *print_user = NULL;
+ const char *print_title = NULL;
const char *print_file = NULL;
const char *print_copies = NULL;
int cmp;
@@ -139,21 +141,81 @@ main(int argc, /* I - Number of command-line arguments */
}
/*
- * If we have 6 arguments find out if we have the device_uri from the
- * command line or the print data
+ * Find out if we have the device_uri in the command line.
+ *
+ * If we are started as a CUPS backend argv[0] is normally the
+ * device_uri!
*/
- if (argc == 7) {
- cmp = strncmp(argv[1], "smb://", 6);
- if (cmp == 0) {
- device_uri_cmdline = true;
+ if (argc == 8) {
+ /*
+ * smbspool <uri> <job> <user> <title> <copies> <options> <file>
+ * 0 1 2 3 4 5 6 7
+ */
+
+ dev_uri = argv[1];
+
+ print_user = argv[3];
+ print_title = argv[4];
+ print_copies = argv[5];
+ print_file = argv[7];
+ } else if (argc == 7) {
+ int cmp1;
+ int cmp2;
+
+ /*
+ * <uri> <job> <user> <title> <copies> <options> <file>
+ * smbspool <uri> <job> <user> <title> <copies> <options>
+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
+ */
+ cmp1 = strncmp(argv[0], "smb://", 6);
+ cmp2 = strncmp(argv[1], "smb://", 6);
+
+ if (cmp1 == 0) {
+ /*
+ * <uri> <job> <user> <title> <copies> <options> <file>
+ * 0 1 2 3 4 5 6
+ */
+ dev_uri = argv[0];
+
+ print_user = argv[2];
+ print_title = argv[3];
+ print_copies = argv[4];
+ print_file = argv[6];
+ } else if (cmp2 == 0) {
+ /*
+ * smbspool <uri> <job> <user> <title> <copies> <options>
+ * 0 1 2 3 4 5 6
+ */
+ dev_uri = argv[1];
+
+ print_user = argv[3];
+ print_title = argv[4];
+ print_copies = argv[5];
+ print_file = NULL;
} else {
+ /*
+ * smbspool <job> <user> <title> <copies> <options> <file> | DEVICE_URI
+ * 0 1 2 3 4 5 6
+ */
+ print_user = argv[2];
+ print_title = argv[3];
print_copies = argv[4];
print_file = argv[6];
}
- } else if (argc == 8) {
- device_uri_cmdline = true;
- print_copies = argv[5];
- print_file = argv[7];
+ } else if (argc == 6) {
+ /*
+ * <uri> <job> <user> <title> <copies> <options>
+ * smbspool <job> <user> <title> <copies> <options> | DEVICE_URI
+ * 0 1 2 3 4 5
+ */
+ cmp = strncmp(argv[0], "smb://", 6);
+ if (cmp == 0) {
+ dev_uri = argv[0];
+ }
+
+ print_user = argv[2];
+ print_title = argv[3];
+ print_copies = argv[4];
}
if (print_file != NULL) {
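Review bot: `print_user` and `print_title` are initialised to NULL and only assigned inside the `argc == 6`, `7` and `8` branches, so unless an argc check outside this hunk rejects every other count, they reach `smb_connect()` and `smb_print()` as NULL, and `smb_print()` now formats `print_title` with `%s`. The same user/title/copies/file assignments are also repeated in five branches with different index offsets; deciding once where the job id sits (0 or 1 past the URI) and indexing relative to that would make an off-by-one much harder to introduce.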
@@ -178,18 +240,17 @@ main(int argc, /* I - Number of command-line arguments */
/*
* Find the URI ...
*/
- if (device_uri_cmdline) {
- dev_uri = argv[1];
- } else {
- dev_uri = getenv("DEVICE_URI");
- if (dev_uri == NULL || strlen(dev_uri) == 0) {
- dev_uri = "";
+ if (dev_uri == NULL) {
+ env = getenv("DEVICE_URI");
+ if (env != NULL && env[0] != '\0') {
+ dev_uri = env;
}
}
- auth_info_required = getenv("AUTH_INFO_REQUIRED");
- if (auth_info_required == NULL) {
- auth_info_required = "none";
+ if (dev_uri == NULL) {
+ fprintf(stderr,
+ "ERROR: No valid device URI has been specified\n");
+ goto done;
}
cmp = strncmp(dev_uri, "smb://", 6);
@@ -205,6 +266,11 @@ main(int argc, /* I - Number of command-line arguments */
goto done;
}
+ auth_info_required = getenv("AUTH_INFO_REQUIRED");
+ if (auth_info_required == NULL) {
+ auth_info_required = "none";
+ }
+
/*
* Extract the destination from the URI...
*/
@@ -301,8 +367,14 @@ main(int argc, /* I - Number of command-line arguments */
load_interfaces();
do {
- cli = smb_connect(workgroup, server, port, printer,
- username, password, argv[3], &need_auth);
+ cli = smb_connect(workgroup,
+ server,
+ port,
+ printer,
+ username,
+ password,
+ print_user,
+ &need_auth);
if (cli == NULL) {
if (need_auth) {
exit(2);
@@ -338,7 +410,7 @@ main(int argc, /* I - Number of command-line arguments */
*/
for (i = 0; i < copies; i++) {
- status = smb_print(cli, argv[4] /* title */ , fp);
+ status = smb_print(cli, print_title, fp);
if (status != 0) {
break;
}
--
2.20.1

@ -0,0 +1,33 @@
From be97b5934ca163259676be27d5c254da30080fbe Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 9 May 2019 16:18:51 +0200
Subject: [PATCH] s3:smbspool: Fix regression printing with Kerberos
credentials
This is a regression which has been introduced with Samba 4.8.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13939
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit fd4b1f4f16aee3e3c9a2cb449655edfed171963a)
---
source3/client/smbspool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/client/smbspool.c b/source3/client/smbspool.c
index 97d00bdd011..c404b3a3f69 100644
--- a/source3/client/smbspool.c
+++ b/source3/client/smbspool.c
@@ -660,7 +660,7 @@ smb_connect(const char *workgroup, /* I - Workgroup */
* behavior with 3.0.14a
*/
- if (username != NULL && username[0] != '\0') {
+ if (username == NULL || username[0] == '\0') {
if (kerberos_ccache_is_valid()) {
goto kerberos_auth;
}
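Review bot: with the condition now `username == NULL || username[0] == '\0'`, a valid ccache is used only when no username was given, but the comment above it still only refers to behaviour with 3.0.14a. State in that comment what is expected when a username is supplied alongside a valid ccache. The diffstat shows no test with this change; since this branch has already regressed once through a flipped operator, a test for the no-username Kerberos path belongs with it.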
--
2.21.0

File diff suppressed because it is too large

@ -0,0 +1,39 @@
From 38e6908f259b2bdbdba38a856b9d67585453af9a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 29 Oct 2018 19:45:58 +0100
Subject: [PATCH] s3:winbind: Check return code of initialize_password_db()
See https://retrace.fedoraproject.org/faf/reports/1577174/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13668
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ba17cae4cab686b8d018c39d16706e621f9f93ac)
---
source3/winbindd/winbindd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 254d93b344d..a8ffc31778c 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -1845,7 +1845,13 @@ int main(int argc, const char **argv)
if (!NT_STATUS_IS_OK(status)) {
exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
}
- initialize_password_db(true, server_event_context());
+
+ ok = initialize_password_db(true, server_event_context());
+ if (!ok) {
+ exit_daemon("Failed to initialize passdb backend! "
+ "Check the 'passdb backend' variable in your "
+ "smb.conf file.", EINVAL);
+ }
/*
* Do not initialize the parent-child-pipe before becoming
--
2.19.1

@ -0,0 +1,402 @@
From b67bc28be3e0ab40e14f698951c9ba057ea8321d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 15 Nov 2018 16:06:49 +0100
Subject: [PATCH 1/4] selftest: Add gooduser and eviluser to Samba3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 3b38dddff2c1d1b51aed96368b358f349682bea0)
---
selftest/target/Samba3.pm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 438cb3409bb..373f8152ca3 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1610,8 +1610,10 @@ sub provision($$$$$$$$$)
my ($gid_force_user);
my ($uid_user1);
my ($uid_user2);
+ my ($uid_gooduser);
+ my ($uid_eviluser);
- if ($unix_uid < 0xffff - 10) {
+ if ($unix_uid < 0xffff - 12) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
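Review bot: the bound in `if ($unix_uid < 0xffff - 12)` is a hand-maintained copy of the largest `$max_uid - N` offset assigned in the next hunk, and it has to be bumped every time a test user is added. Derive it from a single count of reserved uids so the two cannot drift apart.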
@@ -1627,6 +1629,8 @@ sub provision($$$$$$$$$)
$uid_smbget = $max_uid - 8;
$uid_user1 = $max_uid - 9;
$uid_user2 = $max_uid - 10;
+ $uid_gooduser = $max_uid - 11;
+ $uid_eviluser = $max_uid - 12;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2248,6 +2252,8 @@ force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/f
smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
+gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
+eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
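Review bot: the `eviluser` entry has an empty home-directory field (`gecos::/bin/false`) where every neighbouring entry uses `$prefix_abs`. That is presumably the whole purpose of this user, but neither the file nor the commit message says so. Add a comment next to the `$uid_eviluser` assignment, or a line in the commit message, explaining that the empty home directory is deliberate and what it exercises.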
@@ -2324,6 +2330,8 @@ force_user:x:$gid_force_user:
createuser($self, "smbget_user", $password, $conffile, \%createuser_env) || die("Unable to create smbget_user");
createuser($self, "user1", $password, $conffile, \%createuser_env) || die("Unable to create user1");
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
+ createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
+ createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
--
2.19.2
From ca57b6e4f02c725a3f47b8dde01d4b70dce42784 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 16 Nov 2018 15:40:59 +0100
Subject: [PATCH 2/4] s3:tests: Test for users connecting to their 'homes'
share
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This adds a test for CVE-2009-2813.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit cc471448df91c43fe38e2fcdf9b3874636ca51a6)
---
selftest/target/Samba3.pm | 4 ++
source3/script/tests/test_homes.sh | 99 ++++++++++++++++++++++++++++++
source3/selftest/tests.py | 1 +
3 files changed, 104 insertions(+)
create mode 100755 source3/script/tests/test_homes.sh
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 373f8152ca3..2031003210c 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -921,6 +921,10 @@ sub setup_fileserver
comment = inherit only unix owner
inherit owner = unix only
acl_xattr:ignore system acls = yes
+[homes]
+ comment = Home directories
+ browseable = No
+ read only = No
";
my $vars = $self->provision($path, "WORKGROUP",
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
new file mode 100755
index 00000000000..06de0a0c301
--- /dev/null
+++ b/source3/script/tests/test_homes.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+
+# Copyright (c) Andreas Schneider <asn@samba.org>
+# License: GPLv3
+
+if [ $# -lt 7 ]; then
+ echo "Usage: test_homes.sh SERVER USERNAME PASSWORD LOCAL_PATH PREFIX SMBCLIENT CONFIGURATION"
+ exit 1
+fi
+
+SERVER="${1}"
+USERNAME="${2}"
+PASSWORD="${3}"
+LOCAL_PATH="${4}"
+PREFIX="${5}"
+SMBCLIENT="${6}"
+CONFIGURATION="${7}"
+shift 7
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+test_gooduser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_gooduser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=gooduser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo "failed to connect error $ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'Try "help" to get a list of possible commands.'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: Try "help" to get a list of possible commands.'
+ return 1
+ fi
+
+ return 0
+}
+
+test_eviluser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_eviluser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=eviluser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
+testit "test gooduser home" \
+ test_gooduser_home || \
+ failed=`expr $failed + 1`
+
+testit "test eviluser home reject" \
+ test_eviluser_home || \
+ failed=`expr $failed + 1`
+
+testok $0 $failed
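Review bot: inside `test_gooduser_home` and `test_eviluser_home`, `"$@"` expands to the function's own arguments, and both `testit` calls name the function with none, so whatever is left after `shift 7` never reaches `$SMBCLIENT`. Save the remaining arguments in a variable before the functions are defined and use that in `cmd`. Also, `LOCAL_PATH` is assigned and never used, and the command file is written to a fixed name under `$PREFIX` with `$tmpfile` unquoted throughout; quote it, or create it with `mktemp`.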
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 09cd5159a0d..4aef7a4d596 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -290,6 +290,7 @@ for env in ["fileserver"]:
plantestsuite("samba3.blackbox.large_acl.NT1", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'NT1'])
plantestsuite("samba3.blackbox.large_acl.SMB3", env, [os.path.join(samba3srcdir, "script/tests/test_large_acl.sh"), '$SERVER', '$USERNAME', '$PASSWORD', smbclient3, smbcacls, '-m', 'SMB3'])
plantestsuite("samba3.blackbox.give_owner", env, [os.path.join(samba3srcdir, "script/tests/test_give_owner.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$PREFIX', smbclient3, smbcacls, net, 'tmp'])
+ plantestsuite("samba3.blackbox.homes", env, [os.path.join(samba3srcdir, "script/tests/test_homes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$LOCAL_PATH', '$PREFIX', smbclient3, configuration])
#
# tar command tests
--
2.19.2
From 274e960fde8e680a487fd7f3af57c824f9a5151b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 22 Nov 2018 18:23:24 +0100
Subject: [PATCH 3/4] s3:smbd: Make sure we do not export "/" (root) as home
dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If "/" (root) is returned as the home directory, prevent exporting it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
(cherry picked from commit 99695528f7453023446956d5f8f0656574e243af)
---
source3/param/service.c | 6 +++++-
source3/smbd/password.c | 7 +++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/source3/param/service.c b/source3/param/service.c
index b21be6093d4..22f46f08894 100644
--- a/source3/param/service.c
+++ b/source3/param/service.c
@@ -149,7 +149,11 @@ int find_service(TALLOC_CTX *ctx, const char *service_in, char **p_service_out)
DEBUG(3,("checking for home directory %s gave %s\n",*p_service_out,
phome_dir?phome_dir:"(NULL)"));
- iService = add_home_service(*p_service_out,*p_service_out /* 'username' */, phome_dir);
+ if (!strequal(phome_dir, "/")) {
+ iService = add_home_service(*p_service_out,
+ *p_service_out, /* username */
+ phome_dir);
+ }
}
/* If we still don't have a service, attempt to add it as a printer. */
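Review bot: `phome_dir` can be NULL at this point, as the `phome_dir?phome_dir:"(NULL)"` in the DEBUG just above shows, and it is now handed to `strequal()` before anything else looks at it. Confirm `strequal()` accepts NULL or guard for it explicitly, and say in a short comment why "/" is refused, since the reason is only in the commit message.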
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index f472bda2c70..0576d2563eb 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -129,6 +129,13 @@ int register_homes_share(const char *username)
return -1;
}
+ if (strequal(pwd->pw_dir, "/")) {
+ DBG_NOTICE("Invalid home directory defined for user '%s'\n",
+ username);
+ TALLOC_FREE(pwd);
+ return -1;
+ }
+
DEBUG(3, ("Adding homes service for user '%s' using home directory: "
"'%s'\n", username, pwd->pw_dir));
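Review bot: the test `strequal(pwd->pw_dir, "/")` is a literal string match, so other spellings of the root directory in `pw_dir`, such as `//` or `/.`, are not caught by it. Normalise the path before comparing. The same comparison is added to `find_service()` in this patch; put it in one helper so both call sites stay in step.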
--
2.19.2
From e26c6aa97e57432d2f2fee2eba870ba76c9b8d41 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Dec 2018 11:05:46 +0100
Subject: [PATCH 4/4] s3:tests: Add test for checking that root is not allowed
as home dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13699
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Böhme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Dec 5 05:22:43 CET 2018 on sn-devel-144
(cherry picked from commit a92f0ccce606be12e851a4100fbb44b069c5fe87)
---
selftest/target/Samba3.pm | 6 ++++-
source3/script/tests/test_homes.sh | 37 ++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 2031003210c..583396b3818 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1616,8 +1616,9 @@ sub provision($$$$$$$$$)
my ($uid_user2);
my ($uid_gooduser);
my ($uid_eviluser);
+ my ($uid_slashuser);
- if ($unix_uid < 0xffff - 12) {
+ if ($unix_uid < 0xffff - 13) {
$max_uid = 0xffff;
} else {
$max_uid = $unix_uid;
@@ -1635,6 +1636,7 @@ sub provision($$$$$$$$$)
$uid_user2 = $max_uid - 10;
$uid_gooduser = $max_uid - 11;
$uid_eviluser = $max_uid - 12;
+ $uid_slashuser = $max_uid - 13;
if ($unix_gids[0] < 0xffff - 8) {
$max_gid = 0xffff;
@@ -2258,6 +2260,7 @@ user1:x:$uid_user1:$gid_nogroup:user1 gecos:$prefix_abs:/bin/false
user2:x:$uid_user2:$gid_nogroup:user2 gecos:$prefix_abs:/bin/false
gooduser:x:$uid_gooduser:$gid_domusers:gooduser gecos:$prefix_abs:/bin/false
eviluser:x:$uid_eviluser:$gid_domusers:eviluser gecos::/bin/false
+slashuser:x:$uid_slashuser:$gid_domusers:slashuser gecos:/:/bin/false
";
if ($unix_uid != 0) {
print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
@@ -2336,6 +2339,7 @@ force_user:x:$gid_force_user:
createuser($self, "user2", $password, $conffile, \%createuser_env) || die("Unable to create user2");
createuser($self, "gooduser", $password, $conffile, \%createuser_env) || die("Unable to create gooduser");
createuser($self, "eviluser", $password, $conffile, \%createuser_env) || die("Unable to create eviluser");
+ createuser($self, "slashuser", $password, $conffile, \%createuser_env) || die("Unable to create slashuser");
open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
print DNS_UPDATE_LIST "A $server. $server_ip\n";
diff --git a/source3/script/tests/test_homes.sh b/source3/script/tests/test_homes.sh
index 06de0a0c301..90e84550dbc 100755
--- a/source3/script/tests/test_homes.sh
+++ b/source3/script/tests/test_homes.sh
@@ -88,6 +88,39 @@ EOF
return 0
}
+test_slashuser_home()
+{
+ tmpfile=$PREFIX/smbclient_homes_slashuser_commands
+ cat > $tmpfile <<EOF
+ls
+quit
+EOF
+
+ USERNAME=slashuser
+
+ cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT "$@" -U$USERNAME%$PASSWORD //$SERVER/$USERNAME $CONFIGURATION < $tmpfile 2>&1'
+ eval echo "$cmd"
+ out=$(eval $cmd)
+ ret=$?
+ rm -f $tmpfile
+
+ if [ $ret -ne 1 ] ; then
+ echo "$out"
+ echo "The server should reject connecting ret=$ret"
+ return 1
+ fi
+
+ echo "$out" | grep 'NT_STATUS_BAD_NETWORK_NAME'
+ ret=$?
+ if [ $ret -ne 0 ] ; then
+ echo "$out"
+ echo 'failed - should get: NT_STATUS_BAD_NETWORK_NAME.'
+ return 1
+ fi
+
+ return 0
+}
+
testit "test gooduser home" \
test_gooduser_home || \
failed=`expr $failed + 1`
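Review bot: `test_slashuser_home` is a line-for-line copy of `test_eviluser_home` with only the user name and temp-file name changed. Replace the two with one helper that takes the user name, so the next rejected-home case is one `testit` line rather than another 30-line function.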
@@ -96,4 +129,8 @@ testit "test eviluser home reject" \
test_eviluser_home || \
failed=`expr $failed + 1`
+testit "test slashuser home reject" \
+ test_slashuser_home || \
+ failed=`expr $failed + 1`
+
testok $0 $failed
--
2.19.2

@ -0,0 +1,119 @@
From 1038892f651cbc1a924cd7e74b393eb356dd5266 Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 27 Jun 2018 11:32:31 -0400
Subject: [PATCH] s3:libads: Add net ads leave keep-account option
Add the ability to leave the domain with --keep-account argument to avoid
removal of the host machine account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13498
Signed-off-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit d881f0c8a0ce2fc7cabf1966c5724e72c70d6694)
---
docs-xml/manpages/net.8.xml | 9 ++++++++-
source3/libnet/libnet_join.c | 2 ++
source3/utils/net.c | 3 ++-
source3/utils/net.h | 1 +
source3/utils/net_ads.c | 9 +++++++--
5 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 3154ee5ff85..d2bcd24c502 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -377,6 +377,13 @@
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>--keep-account</term>
+ <listitem><para>Prevent the machine account removal as
+ part of "net ads leave".
+ </para></listitem>
+ </varlistentry>
+
&stdarg.encrypt;
&popt.common.samba.client;
@@ -1276,7 +1283,7 @@ against an NT4 Domain Controller.
</refsect2>
<refsect2>
-<title>ADS LEAVE</title>
+<title>ADS LEAVE [--keep-account]</title>
<para>Make the remote host leave the domain it is part of. </para>
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a9405e8d288..27fc5135442 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2868,6 +2868,8 @@ static WERROR libnet_DomainUnjoin(TALLOC_CTX *mem_ctx,
return ntstatus_to_werror(status);
}
+ r->out.dns_domain_name = talloc_strdup(mem_ctx,
+ r->in.domain_name);
r->out.disabled_machine_account = true;
}
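Review bot: the result of `talloc_strdup()` assigned to `r->out.dns_domain_name` is not checked. On allocation failure the unjoin reports success with a NULL domain name; return an out-of-memory error here instead, as the status check just above does for its own failure.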
diff --git a/source3/utils/net.c b/source3/utils/net.c
index 759d8cd442b..b3bd4b67118 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -970,8 +970,9 @@ static struct functable net_func[] = {
{"wipe", 0, POPT_ARG_NONE, &c->opt_wipe},
/* Options for 'net registry import' */
{"precheck", 0, POPT_ARG_STRING, &c->opt_precheck},
- /* Options for 'net ads join' */
+ /* Options for 'net ads join or leave' */
{"no-dns-updates", 0, POPT_ARG_NONE, &c->opt_no_dns_updates},
+ {"keep-account", 0, POPT_ARG_NONE, &c->opt_keep_account},
POPT_COMMON_SAMBA
{ 0, 0, 0, 0}
};
diff --git a/source3/utils/net.h b/source3/utils/net.h
index d6dfeb6208f..5e70fd3aafa 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -85,6 +85,7 @@ struct net_context {
int opt_wipe;
const char *opt_precheck;
int opt_no_dns_updates;
+ int opt_keep_account;
int opt_have_ip;
struct sockaddr_storage opt_dest_ip;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ffa67d8f525..afe47dad839 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -964,7 +964,7 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
if (c->display_usage) {
d_printf( "%s\n"
- "net ads leave\n"
+ "net ads leave [--keep-account]\n"
" %s\n",
_("Usage:"),
_("Leave an AD domain"));
@@ -1009,7 +1009,12 @@ static int net_ads_leave(struct net_context *c, int argc, const char **argv)
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE really means "disable */
r->in.unjoin_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE;
- r->in.delete_machine_account = true;
+ if (c->opt_keep_account) {
+ r->in.delete_machine_account = false;
+ } else {
+ r->in.delete_machine_account = true;
+ }
+
r->in.msg_ctx = c->msg_ctx;
werr = libnet_Unjoin(ctx, r);
--
2.17.1

@ -0,0 +1,179 @@
From 0bd36d040129f511762b89555d98851a9dcaf3f6 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:09:23 +0100
Subject: [PATCH 1/5] s3:rpcclient: Initialize domain_name
This could be passed uninitialized to dcerpc_netr_DsRGetDCName()
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 56ac8944eb58f234422b4bd4dd9a64b8e51e874d)
---
source3/rpcclient/cmd_netlogon.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 8d62ef7e095..631740562c6 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -216,7 +216,7 @@ static WERROR cmd_netlogon_dsr_getdcname(struct rpc_pipe_client *cli,
WERROR werr = WERR_OK;
uint32_t flags = DS_RETURN_DNS_NAME;
const char *server_name = cli->desthost;
- const char *domain_name;
+ const char *domain_name = NULL;
struct GUID domain_guid = GUID_zero();
struct GUID site_guid = GUID_zero();
struct netr_DsRGetDCNameInfo *info = NULL;
--
2.19.2
From f14942265b08710d4e9bf6b17219f65b5ea79e01 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:13:51 +0100
Subject: [PATCH 2/5] librpc:ndr: Initialize inblob
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9c37ed26f0a814f77c934ae190f48d0a1e673f83)
---
librpc/ndr/ndr_backupkey.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/librpc/ndr/ndr_backupkey.c b/librpc/ndr/ndr_backupkey.c
index 827bc694230..adb6e393287 100644
--- a/librpc/ndr/ndr_backupkey.c
+++ b/librpc/ndr/ndr_backupkey.c
@@ -58,7 +58,9 @@ _PUBLIC_ void ndr_print_bkrp_BackupKey(struct ndr_print *ndr, const char *name,
ndr->flags |= LIBNDR_PRINT_SET_VALUES;
}
if (flags & NDR_IN) {
- union bkrp_data_in_blob inblob;
+ union bkrp_data_in_blob inblob = {
+ .empty._empty_ = '\0',
+ };
DATA_BLOB blob;
uint32_t level;
enum ndr_err_code ndr_err;
--
2.19.2
From 865ad3bb69c487589f24c755b2082fe51e5a261a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:16:06 +0100
Subject: [PATCH 3/5] libgpo: Make sure status is intialized
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 159f753732cdc1e4491f93617779861fb9d73bc7)
---
libgpo/gpo_ldap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index fec00053b49..f087203f28a 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -474,7 +474,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
const char *guid_name,
struct GROUP_POLICY_OBJECT *gpo)
{
- ADS_STATUS status;
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
LDAPMessage *res = NULL;
char *dn;
const char *filter;
--
2.19.2
From b40b21c5b2f6ed6e4e123cb55d9279f88b3e5c3b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:17:37 +0100
Subject: [PATCH 4/5] lib:util Always initialize start and space
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 050d1e7d53c068efac109ec4ff7a686d152e6a45)
---
lib/util/talloc_report.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/util/talloc_report.c b/lib/util/talloc_report.c
index 63213a014b6..bed0fd91e43 100644
--- a/lib/util/talloc_report.c
+++ b/lib/util/talloc_report.c
@@ -33,8 +33,8 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
const char *fmt, va_list ap)
{
ssize_t str_len = *pstr_len;
- size_t buflen, needed, space;
- char *start, *tmpbuf;
+ size_t buflen, needed, space = 0;
+ char *start = NULL, *tmpbuf = NULL;
va_list ap2;
int printlen;
@@ -52,9 +52,6 @@ static char *talloc_vasprintf_append_largebuf(char *buf, ssize_t *pstr_len,
if (buflen > str_len) {
start = buf + str_len;
space = buflen - str_len;
- } else {
- start = NULL;
- space = 0;
}
va_copy(ap2, ap);
--
2.19.2
From 01c2b8c1920744b9b46e3b2010f0487f23aa865b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 12 Nov 2018 10:21:15 +0100
Subject: [PATCH 5/5] ctdb: Fix an out of bound array access
Found by cppcheck.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 008b9652cacdfd99e68db9d88f4e0c33eefa87e9)
---
ctdb/common/logging.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ctdb/common/logging.c b/ctdb/common/logging.c
index dc8c4f75058..55e5d541735 100644
--- a/ctdb/common/logging.c
+++ b/ctdb/common/logging.c
@@ -85,7 +85,7 @@ const char *debug_level_to_string(int log_level)
{
int i;
- for (i=0; ARRAY_SIZE(log_string_map); i++) {
+ for (i=0; i < ARRAY_SIZE(log_string_map); i++) {
if (log_string_map[i].log_level == log_level) {
return log_string_map[i].log_string;
}
--
2.19.2

@ -0,0 +1,117 @@
From e2dd47233f467e2ab80564968be4af6da6505161 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:35:08 +0200
Subject: [PATCH 1/2] waf: Check for -fstack-protect-strong support
The -fstack-protector* flags are compiler only flags, don't pass them to
the linker.
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38e97f8b52e85bdfcf2d74a4fb3c848fa46ba371)
---
buildtools/wafsamba/samba_autoconf.py | 36 ++++++++++++++-------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index c4391d0c4dc..bfd6f9710db 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -674,23 +674,25 @@ def SAMBA_CONFIG_H(conf, path=None):
return
# we need to build real code that can't be optimized away to test
- if conf.check(fragment='''
- #include <stdio.h>
-
- int main(void)
- {
- char t[100000];
- while (fgets(t, sizeof(t), stdin));
- return 0;
- }
- ''',
- execute=0,
- ccflags='-fstack-protector',
- ldflags='-fstack-protector',
- mandatory=False,
- msg='Checking if toolchain accepts -fstack-protector'):
- conf.ADD_CFLAGS('-fstack-protector')
- conf.ADD_LDFLAGS('-fstack-protector')
+ stack_protect_list = ['-fstack-protector-strong', '-fstack-protector']
+ for stack_protect_flag in stack_protect_list:
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-Wp,-D_FORTIFY_SOURCE=2', stack_protect_flag],
+ mandatory=False,
+ msg='Checking if compiler accepts %s' % (stack_protect_flag))
+ if flag_supported:
+ conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
+ break
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
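Review bot: the probe's `ccflags` bundle `-Wp,-D_FORTIFY_SOURCE=2` with the stack-protector flag under `-Werror`, and `ADD_CFLAGS` then adds the two together, so a toolchain that rejects or warns on either one ends up with neither. glibc warns when `_FORTIFY_SOURCE` is set without optimisation, and no `-O` flag appears in the probe, so `-Werror` can fail the check for a reason unrelated to stack protection. Probe the two hardening options separately. The subject line also says `-fstack-protect-strong` while the flag tested is `-fstack-protector-strong`.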
--
2.18.0
From 09f3acb3497efb9ebb8a0d7d199726a8c318e4f8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 3 Sep 2018 10:49:52 +0200
Subject: [PATCH 2/2] waf: Add -fstack-clash-protection
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13601
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fc4df251c88365142515a81bea1120b2b84cc4a0)
---
buildtools/wafsamba/samba_autoconf.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index bfd6f9710db..f2b3ec8db8d 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -694,6 +694,23 @@ def SAMBA_CONFIG_H(conf, path=None):
conf.ADD_CFLAGS('-Wp,-D_FORTIFY_SOURCE=2 %s' % (stack_protect_flag))
break
+ flag_supported = conf.check(fragment='''
+ #include <stdio.h>
+
+ int main(void)
+ {
+ char t[100000];
+ while (fgets(t, sizeof(t), stdin));
+ return 0;
+ }
+ ''',
+ execute=0,
+ ccflags=[ '-Werror', '-fstack-clash-protection'],
+ mandatory=False,
+ msg='Checking if compiler accepts -fstack-clash-protection')
+ if flag_supported:
+ conf.ADD_CFLAGS('-fstack-clash-protection')
+
if Options.options.debug:
conf.ADD_CFLAGS('-g', testflags=True)
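Review bot: the C fragment in this `conf.check()` call is a verbatim second copy of the one used by the stack-protector probe just above it. Hold the fragment in one variable and pass it to both checks, so a later change to the test program cannot be applied to one probe and missed in the other.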
--
2.18.0

@ -0,0 +1,6 @@

BIN
samba-4.9.1.tar.xz (Stored with Git LFS)

Binary file not shown.

File diff suppressed because it is too large