Fix winbind trusted domain regression

related: #2021716

Guenther
Günther Deschner 2021-11-11 14:45:45 +01:00
parent 85d7de80b2
commit 598cab6469
2 changed files with 47 additions and 1 deletions

@ -0,0 +1,41 @@
From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Nov 2021 20:50:20 +0100
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).
We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
source3/winbindd/winbindd_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 42ddbfd2f44..9d54e462c42 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
- if (!is_allowed_domain(domain_name)) {
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
--
2.33.1
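Review bot: The new condition in add_trusted_domain() skips is_allowed_domain() for every secure_channel_type other than SEC_CHAN_NULL, so enforcement of "allow trusted domains = no" now depends on each caller passing SEC_CHAN_NULL for domains without an explicit trust, and nothing at the check itself says so. The reasoning exists only in the commit message; a short comment above the `if` stating that explicit trusts and local domains such as BUILTIN (SEC_CHAN_LOCAL) are deliberately exempt would keep a later cleanup from reintroducing the regression. The diffstat shows one file changed, so no test accompanies the fix; a regression test covering the "allow trusted domains = no" case would be worth asking for.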

@ -8,7 +8,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%define main_release 0
%define main_release 1
%define samba_version 4.13.14
%define talloc_version 2.3.1
@ -136,6 +136,7 @@ Patch1: samba-s4u.patch
#
# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.13-redhat.patch
Patch2: samba-4.13-redhat.patch
Patch3: samba-4.13-fix-winbind-no-trusted-domain.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
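Review bot: Patch3 is added without any comment, while Patch2 directly above documents how it is generated; a one-line comment above Patch3 naming the upstream bug (https://bugzilla.samba.org/show_bug.cgi?id=14899) and the cherry-picked commit would tell whoever does the next rebase when the patch can be dropped. No %patch line appears in this diff, so confirm that %prep applies numbered patches automatically; otherwise the fix is shipped in the source package but never applied.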
@ -3674,6 +3675,10 @@ fi
%endif
%changelog
* Thu Nov 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-1
- Fix winbind trusted domain regression
- related: #2021716
* Tue Nov 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-0
- Update to Samba 4.13.14
- resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124
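Review bot: The new changelog entry says only "Fix winbind trusted domain regression" and does not name the affected setting; mentioning "allow trusted domains = no" and upstream bug 14899 would let administrators who hit the regression after the 4.13.14-0 update identify the fix from the package changelog.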