rpms
/
samba
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge RHEL 8.4 patches 

These patches are part of the https://gitlab.com/samba-redhat/samba/-/tree/v4-13-redhat

 [PATCH 001/105] libcli:smb2: Do not leak ptext on error
 [PATCH 002/105] libcli:smb2: Use talloc NULL context if we don't have
 [PATCH 003/105] auth:creds: Introduce CRED_SMB_CONF
 [PATCH 004/105] param: Add 'server smb encrypt' parameter
 [PATCH 005/105] param: Create and use enum_smb_encryption_vals
 [PATCH 006/105] s3:smbd: Use 'enum smb_encryption_setting' values
 [PATCH 007/105] docs-xml: Add 'client smb encrypt'
 [PATCH 008/105] lib:param: Add lpcfg_parse_enum_vals()
 [PATCH 009/105] libcli:smb: Add smb_signing_setting_translate()
 [PATCH 010/105] libcli:smb: Add smb_encryption_setting_translate()
 [PATCH 011/105] s3:lib: Use smb_signing_setting_translate for cmdline
 [PATCH 012/105] auth:creds: Remove unused credentials autoproto
 [PATCH 013/105] auth:creds: Add
 [PATCH 014/105] auth:creds: Add python bindings for
 [PATCH 015/105] auth:creds: Add
 [PATCH 016/105] auth:creds: Add python bindings for
 [PATCH 017/105] auth:creds: Add
 [PATCH 018/105] auth:creds: Add python bindings for
 [PATCH 019/105] auth:creds: Add python bindings for
 [PATCH 020/105] auth:creds: Bump library version
 [PATCH 021/105] s3:lib: Use cli_credential_(get|set)_smb_signing()
 [PATCH 022/105] s3:lib: Set smb encryption also via cli creds API
 [PATCH 023/105] python: Remove unused sign argument from
 [PATCH 024/105] python: Set smb signing via the creds API
 [PATCH 025/105] s3:libsmb: Introduce CLI_FULL_CONNECTION_IPC
 [PATCH 026/105] s3:pylibsmb: Add ipc=True support for
 [PATCH 027/105] python:tests: Mark libsmb connection as an IPC
 [PATCH 028/105] python:tests: Set smb ipc signing via the creds API
 [PATCH 029/105] s3:libsmb: Use 'enum smb_signing_setting' in
 [PATCH 030/105] s3:client: Turn off smb signing for message op
 [PATCH 031/105] s3:libsmb: Remove signing_state from
 [PATCH 032/105] s3:libsmb: Remove signing_state from
 [PATCH 033/105] s3:libsmb: Add encryption support to
 [PATCH 034/105] python: Add a test for SMB encryption
 [PATCH 035/105] s3:net: Use cli_credentials_set_smb_encryption()
 [PATCH 036/105] s3:libsmb: Use cli_credentials_set_smb_encryption()
 [PATCH 037/105] s3:client: Remove unused smb encryption code
 [PATCH 038/105] s3:utils: Remove obsolete force encryption from
 [PATCH 039/105] s3:utils: Remove obsolete force encryption from
 [PATCH 040/105] s3:utils: Remove obsolete force encryption from
 [PATCH 041/105] s3:rpcclient: Remove obsolete force encryption from
 [PATCH 042/105] examples: Remove obsolete force encryption from
 [PATCH 043/105] s3:libsmb: Make cli_cm_force_encryption_creds()
 [PATCH 044/105] s4:libcli: Return NTSTATUS errors for
 [PATCH 045/105] s4:libcli: Return if encryption is requested for SMB1
 [PATCH 046/105] s3:libcli: Split out smb2_connect_tcon_start()
 [PATCH 047/105] s4:libcli: Add smb2_connect_enc_start()
 [PATCH 048/105] s4:libcli: Require signing for SMB encryption
 [PATCH 049/105] python:tests: Add test for SMB encrypted DCERPC
 [PATCH 050/105] auth:gensec: Add gensec_security_sasl_names()
 [PATCH 051/105] s4:ldap_server: Use samba_server_gensec_start() in
 [PATCH 052/105] auth:gensec: Make gensec_use_kerberos_mechs() a
 [PATCH 053/105] auth:gensec: Pass use_kerberos and keep_schannel to
 [PATCH 054/105] auth:gensec: If Kerberos is required, keep schannel
 [PATCH 055/105] auth:creds: Add cli_credentials_init_server()
 [PATCH 056/105] s4:rpc_server: Use cli_credentials_init_server()
 [PATCH 057/105] s4:smb_server: Use cli_credentials_init_server() for
 [PATCH 058/105] selftest: Rename 'smb encrypt' to 'server smb
 [PATCH 059/105] selftest: Move enc_desired to provision to have it in
 [PATCH 060/105] s3:tests: Add smbclient tests for 'client smb
 [PATCH 061/105] s3:client: Remove global smb_encrypt
 [PATCH 062/105] s3:libsmb: Remove force_encrypt from cli_cm_open()
 [PATCH 063/105] s3:libsmb: Remove force_encrypt from cli_cm_connect()
 [PATCH 064/105] s3:libsmb: Remove force_encrypt from clidfs
 [PATCH 065/105] s3:libsmb: Remove force_encrypt from
 [PATCH 066/105] s3:libsmb: Pass cli_credentials to clidfs
 [PATCH 067/105] s3:libsmb: Pass cli_credentials to cli_cm_connect()
 [PATCH 068/105] s3:libsmb: Pass cli_credentials to cli_cm_open()
 [PATCH 069/105] s3:libsmb: Pass cli_credentials to
 [PATCH 070/105] s3:client: Remove global max_protocol
 [PATCH 071/105] s3:libsmb: Remove max_protocol from cli_cm_open()
 [PATCH 072/105] s3:libcmb: Remove max_protocol from cli_cm_connect()
 [PATCH 073/105] s3:libsmb: Remove max_protocol from clidfs
 [PATCH 074/105] s3:include: Move loadparm prototypes to own header
 [PATCH 075/105] s3:lib: Move interface prototypes to own header file
 [PATCH 076/105] idl: Add SID_SAMBA_SMB3
 [PATCH 077/105] s3:smbd: Add SMB3 connection information to session
 [PATCH 078/105] librpc: Add dcerpc helper
 [PATCH 079/105] s3:smbd: Use defines to set 'srv_smb_encrypt'
 [PATCH 080/105] s3:rpc_server: Allow to use RC4 for setting passwords
 [PATCH 081/105] s4:rpc_server: Allow to use RC4 for setting passwords
 [PATCH 082/105] lib:crypto: Add py binding for set_relax/strict fips
 [PATCH 083/105] s4:param: Add 'weak crypto' getter to pyparam
 [PATCH 084/105] python:tests: Add SAMR password change tests for fips
 [PATCH 085/105] python:tests: Add SAMR password change tests for fips
 [PATCH 086/105] auth:creds: Rename CRED_USE_KERBEROS values
 [PATCH 087/105] auth:creds:tests: Migrate test to a cmocka unit test
 [PATCH 088/105] s3-vfs_glusterfs: always disable write-behind
 [PATCH 089/105] Add smb2cli_session_get_encryption_cipher()
 [PATCH 090/105] Add dcerpc_transport_encrypted()
 [PATCH 091/105] Add py binding for dcerpc_transport_encrypted
 [PATCH 092/105] selftest: add a test for py dce transport_encrypted
 [PATCH 093/105] Add CreateTrustedDomainRelax wrapper for fips mode
 [PATCH 094/105] Use the new CreateTrustedDomainRelax()
 [PATCH 095/105] selftest: add a test for the CreateTrustedDomainRelax
 [PATCH 096/105] Remove source4/scripting/devel/createtrust script
 [PATCH 097/105] s3:rpc_server: Use gnutls_cipher_decrypt() in
 [PATCH 098/105] s4:rpc_server: Use gnutls_cipher_decrypt() in
 [PATCH 099/105] s3:rpc_server: Allow to use RC4 for creating trusts
 [PATCH 100/105] s4:rpc_server: Allow to use RC4 for creating trusts
 [PATCH 101/105] sefltest: Enable the dcerpc.createtrustrelax test
 [PATCH 102/105] s3: spoolss: Make parameters in call to
 [PATCH 103/105] s3:smbd: Fix possible null pointer dereference in
 [PATCH 104/105] lookup_name: allow lookup names prefixed with DNS
 [PATCH 105/105] auth_sam: use pdb_get_domain_info to look up DNS
This commit is contained in:
Alexander Bokovoy 2020-11-25 12:49:39 +02:00
parent 13eed773b0
commit 1d03aa069e
3 changed files with 12617 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12614
samba-4.13-redhat.patch Normal file
View File

File diff suppressed because it is too large Load Diff

210
samba-gc-lookup_unix_user_name-allow-lookup-for-own-realm.patch
View File

@ -1,210 +0,0 @@
From 81d6949acdad70ecfb130d3286eeab1b3a51937f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Wed, 7 Oct 2020 19:25:24 +0300
Subject: [PATCH 1/2] cli_credentials_parse_string: fix parsing of principals
When parsing a principal-like name, user name was left with full
principal instead of taking only the left part before '@' sign.
>>> from samba import credentials
>>> t = credentials.Credentials()
>>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
>>> t.get_username()
'admin@realm.test'
The issue is that cli_credentials_set_username() does a talloc_strdup()
of the argument, so we need to change order of assignment to allow
talloc_strdup() to copy the right part of the string.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
auth/credentials/credentials.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 77c35dd104b..06ac79058f9 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -840,11 +840,10 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
* in order to undo the effect of
* cli_credentials_guess().
*/
- cli_credentials_set_username(credentials, uname, obtained);
- cli_credentials_set_domain(credentials, "", obtained);
-
cli_credentials_set_principal(credentials, uname, obtained);
*p = 0;
+ cli_credentials_set_username(credentials, uname, obtained);
+ cli_credentials_set_domain(credentials, "", obtained);
cli_credentials_set_realm(credentials, p+1, obtained);
return;
} else if ((p = strchr_m(uname,'\\'))
--
2.28.0
From fa38bebb993011428612d51819530218d8358f5e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab@samba.org>
Date: Mon, 13 Jan 2020 16:04:20 +0200
Subject: [PATCH 2/2] lookup_name: allow lookup for own realm
When using security tab in Windows Explorer, a lookup over a trusted
forest might come as realm\name instead of NetBIOS domain name:
--------------------------------------------------------------------
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
lsa_LookupNames3: struct lsa_LookupNames3
in: struct lsa_LookupNames3
handle : *
handle: struct policy_handle
handle_type : 0x00000000 (0)
uuid : 0000000e-0000-0000-1c5e-a750e5810000
num_names : 0x00000001 (1)
names: ARRAY(1)
names: struct lsa_String
length : 0x001e (30)
size : 0x0020 (32)
string : *
string : 'ipa.test\admins'
sids : *
sids: struct lsa_TransSidArray3
count : 0x00000000 (0)
sids : NULL
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
count : *
count : 0x00000000 (0)
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
client_revision : LSA_CLIENT_REVISION_2 (2)
--------------------------------------------------------------------
Allow this lookup using realm to be done against primary domain.
Refactor user name parsing code to reuse cli_credentials_* API to be
consistent with other places. cli_credentials_parse_string() handles
both domain and realm-based user name variants.
Signed-off-by: Alexander Bokovoy <ab@samba.org>
---
source3/passdb/lookup_sid.c | 75 ++++++++++++++++++++++++++-----------
1 file changed, 53 insertions(+), 22 deletions(-)
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 82c47b3145b..39d599fed27 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -29,6 +29,7 @@
#include "../libcli/security/security.h"
#include "lib/winbind_util.h"
#include "../librpc/gen_ndr/idmap.h"
+#include "auth/credentials/credentials.h"
static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
{
@@ -78,52 +79,82 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
const char **ret_domain, const char **ret_name,
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
{
- char *p;
const char *tmp;
const char *domain = NULL;
const char *name = NULL;
+ const char *realm = NULL;
uint32_t rid;
struct dom_sid sid;
enum lsa_SidType type;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct cli_credentials *creds = NULL;
if (tmp_ctx == NULL) {
DEBUG(0, ("talloc_new failed\n"));
return false;
}
- p = strchr_m(full_name, '\\');
-
- if (p != NULL) {
- domain = talloc_strndup(tmp_ctx, full_name,
- PTR_DIFF(p, full_name));
- name = talloc_strdup(tmp_ctx, p+1);
- } else {
- domain = talloc_strdup(tmp_ctx, "");
- name = talloc_strdup(tmp_ctx, full_name);
+ creds = cli_credentials_init(tmp_ctx);
+ if (creds == NULL) {
+ DEBUG(0, ("cli_credentials_init failed\n"));
+ return false;
}
- if ((domain == NULL) || (name == NULL)) {
- DEBUG(0, ("talloc failed\n"));
- TALLOC_FREE(tmp_ctx);
+ cli_credentials_parse_string(creds, full_name, CRED_SPECIFIED);
+ name = cli_credentials_get_username(creds);
+ domain = cli_credentials_get_domain(creds);
+ realm = cli_credentials_get_realm(creds);
+
+ /* At this point we have:
+ * - name -- normal name or empty string
+ * - domain -- either NULL or domain name
+ * - realm -- either NULL or realm name
+ *
+ * domain and realm are exclusive to each other
+ * the code below in lookup_name assumes domain
+ * to be at least empty string, not NULL
+ */
+
+ if ((name == NULL) || (name[0] == '\0')) {
+ DEBUG(0, ("lookup_name with empty name, exit\n"));
return false;
}
+ if ((domain == NULL) && (realm == NULL)) {
+ domain = talloc_strdup(creds, "");
+ }
+
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
full_name, domain, name));
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
- strequal(domain, get_global_sam_name()))
- {
+ /* Windows clients may send a LookupNames request with both NetBIOS
+ * domain name- and realm-qualified user names. Thus, we need to check
+ * both against both of the SAM domain name and realm, if set. Since
+ * domain name and realm in the request are exclusive, test the one
+ * that is specified. cli_credentials_parse_string() will either set
+ * realm or wouldn't so we can use it to detect if realm was specified.
+ */
+ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
+ const char *domain_name = realm ? realm : domain;
+ bool check_global_sam = false;
+
+ if (domain_name[0] != '\0') {
+ check_global_sam = strequal(domain_name, get_global_sam_name());
+ if (!check_global_sam && lp_realm() != NULL) {
+ check_global_sam = strequal(domain_name, lp_realm());
+ }
+ }
- /* It's our own domain, lookup the name in passdb */
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
- sid_compose(&sid, get_global_sam_sid(), rid);
- goto ok;
+ if (check_global_sam) {
+ /* It's our own domain, lookup the name in passdb */
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
+ sid_compose(&sid, get_global_sam_sid(), rid);
+ goto ok;
+ }
+ TALLOC_FREE(tmp_ctx);
+ return false;
}
- TALLOC_FREE(tmp_ctx);
- return false;
}
if ((flags & LOOKUP_NAME_BUILTIN) &&
--
2.28.0

3
samba.spec
View File

@ -3789,6 +3789,9 @@ fi
%changelog
* Wed Nov 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.2-2
- rhbz#1892745, rhbz#1900232: smbclient mget crashes (upstream bug 14517)
- Merge RHEL 8.4 patches:
- FIPS-related enhancements
- FreeIPA Global Catalog patches
* Tue Nov 03 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-1
- Create a python3-samba-devel package to avoid unnessary dependencies