From 7d1a6123332d18260a4a20bc4944c1aecda400cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
Date: Thu, 22 Aug 2013 18:03:00 +0200
Subject: [PATCH] resolves: #996160 - Fix winbind with trusted domains.
Guenther
---
 samba-4.1.0rc3-winbind-ads.patch | 292 +++++++++++++++++++++++++++++++
 samba.spec | 7 +-
 2 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 samba-4.1.0rc3-winbind-ads.patch
diff --git a/samba-4.1.0rc3-winbind-ads.patch b/samba-4.1.0rc3-winbind-ads.patch
new file mode 100644
index 0000000..bef971e
--- /dev/null
+++ b/samba-4.1.0rc3-winbind-ads.patch
@@ -0,0 +1,292 @@
+From 48ccd15ba80c35a3f3595c8dddcf063efa6d3444 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Thu, 22 Aug 2013 15:39:08 +0200
+Subject: [PATCH 1/6] s3-winbindd: remove pointless variable assigment, see the
+ strdup below.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/winbindd_ads.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 1e45ad9..5e6bb92 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -101,7 +101,6 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
+ 
+ ads->auth.renewable = renewable;
+ ads->auth.password = password;
+- ads->auth.realm = realm;
+ 
+ ads->auth.realm = SMB_STRDUP(realm);
+ if (!strupper_m(ads->auth.realm)) {
+-- 
+1.8.3.1
+
+
+From 21099d6a30904e0d7aa076d9e494c61b6c70e658 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Fri, 23 Aug 2013 12:33:53 +0200
+Subject: [PATCH 2/6] s3-winbindd: Fix memory leak in ads_cached_connection().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/winbindd_ads.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 5e6bb92..924bc83 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -220,7 +220,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ domain->name, NULL,
+ password, realm,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+-
++ SAFE_FREE(realm);
+ 
+ if (!ADS_ERR_OK(status)) {
+ /* if we get ECONNREFUSED then it might be a NT4
+-- 
+1.8.3.1
+
+
+From a2e83d0b0b2fbb6c46a762d19bbf7d4dc3111778 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Thu, 22 Aug 2013 16:36:27 +0200
+Subject: [PATCH 3/6] s3-winbindd: Fix winbind on DC crash with trusted AD
+ domains.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/winbindd_ads.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 924bc83..d6eb4b4 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -193,7 +193,7 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ NULL ) ) {
+ return NULL;
+ }
+- realm = NULL;
++ realm = SMB_STRDUP(domain->alt_name);
+ }
+ else {
+ struct winbindd_domain *our_domain = domain;
+-- 
+1.8.3.1
+
+
+From f1db526d94c2dc7f94f535feabab3e1a3e5bb815 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Wed, 28 Aug 2013 15:00:06 +0200
+Subject: [PATCH 4/6] s3-winbindd: use find_domain_from_name() instead of
+ find_domain_from_name_no_init().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Otherwise there is a good chance the domain has not been connected and we don't
+know the realm name yet.
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/winbindd_ads.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index d6eb4b4..7aa936b 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -151,12 +151,12 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
+ DEBUG(10, ("ldap_server from saf cache: '%s'\n",
+ ldap_server ? ldap_server : ""));
+ 
+- wb_dom = find_domain_from_name_noinit(dom_name);
++ wb_dom = find_domain_from_name(dom_name);
+ if (wb_dom == NULL) {
+ DEBUG(10, ("could not find domain '%s'\n", dom_name));
+ realm = NULL;
+ } else {
+- DEBUG(10, ("find_domain_from_name_noinit found realm '%s' for "
++ DEBUG(10, ("find_domain_from_name found realm '%s' for "
+ " domain '%s'\n", wb_dom->alt_name, dom_name));
+ realm = wb_dom->alt_name;
+ }
+-- 
+1.8.3.1
+
+
+From 42f8df74231d085000e24809bb03e868c1e9bd30 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Fri, 23 Aug 2013 14:56:17 +0200
+Subject: [PATCH 5/6] s3-winbindd: make sure also the idmap code can deal with
+ trusted domains.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/winbindd_ads.c | 40 +++++++++++++++++++++++++++++++--------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 7aa936b..fc44158 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -136,6 +136,7 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
+ {
+ char *ldap_server, *realm, *password;
+ struct winbindd_domain *wb_dom;
++ ADS_STATUS status;
+ 
+ ads_cached_connection_reuse(adsp);
+ if (*adsp != NULL) {
+@@ -154,19 +155,40 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
+ wb_dom = find_domain_from_name(dom_name);
+ if (wb_dom == NULL) {
+ DEBUG(10, ("could not find domain '%s'\n", dom_name));
+- realm = NULL;
+- } else {
+- DEBUG(10, ("find_domain_from_name found realm '%s' for "
++ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
++ }
++
++ DEBUG(10, ("find_domain_from_name found realm '%s' for "
+ " domain '%s'\n", wb_dom->alt_name, dom_name));
+- realm = wb_dom->alt_name;
++
++ if (!get_trust_pw_clear(dom_name, &password, NULL, NULL)) {
++ return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);
+ }
+ 
+- /* the machine acct password might have change - fetch it every time */
+- password = secrets_fetch_machine_password(lp_workgroup(), NULL, NULL);
+- realm = SMB_STRDUP(lp_realm());
++ if (IS_DC) {
++ realm = SMB_STRDUP(wb_dom->alt_name);
++ } else {
++ struct winbindd_domain *our_domain = wb_dom;
+ 
+- return ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
+- password, realm, 0);
++ /* always give preference to the alt_name in our
++ primary domain if possible */
++
++ if (!wb_dom->primary) {
++ our_domain = find_our_domain();
++ }
++
++ if (our_domain->alt_name != NULL) {
++ realm = SMB_STRDUP(our_domain->alt_name);
++ } else {
++ realm = SMB_STRDUP(lp_realm());
++ }
++ }
++
++ status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
++ password, realm, 0);
++ SAFE_FREE(realm);
++
++ return status;
+ }
+ 
+ /*
+-- 
+1.8.3.1
+
+
+From aeb6a0f932174f9259a04f95701bb8360d777cb5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?=
+Date: Wed, 28 Aug 2013 14:53:08 +0200
+Subject: [PATCH 6/6] s3-winbindd: use get_trust_pw_clear() wrapper for AD
+ connection code.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This avoids calling secrets functions directly.
+
+Guenther
+
+Signed-off-by: Günther Deschner
+---
+ source3/winbindd/idmap_ad.c | 1 -
+ source3/winbindd/winbindd_ads.c | 11 ++++-------
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
+index 1ed6570..8b63801 100644
+--- a/source3/winbindd/idmap_ad.c
++++ b/source3/winbindd/idmap_ad.c
+@@ -31,7 +31,6 @@
+ #include "ads.h"
+ #include "libads/ldap_schema.h"
+ #include "nss_info.h"
+-#include "secrets.h"
+ #include "idmap.h"
+ #include "../libcli/ldap/ldap_ndr.h"
+ #include "../libcli/security/security.h"
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index fc44158..c33b1bc 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -27,7 +27,6 @@
+ #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+ #include "../libds/common/flags.h"
+ #include "ads.h"
+-#include "secrets.h"
+ #include "../libcli/ldap/ldap_ndr.h"
+ #include "../libcli/security/security.h"
+ #include "../libds/common/flag_mapping.h"
+@@ -209,20 +208,18 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain)
+ 
+ /* the machine acct password might have change - fetch it every time */
+ 
++ if (!get_trust_pw_clear(domain->name, &password, NULL, NULL)) {
++ return NULL;
++ }
++
+ if ( IS_DC ) {
+ 
+- if ( !pdb_get_trusteddom_pw( domain->name, &password, NULL,
+- NULL ) ) {
+- return NULL;
+- }
+ realm = SMB_STRDUP(domain->alt_name);
+ }
+ else {
+ struct winbindd_domain *our_domain = domain;
+ 
+ 
+- password = secrets_fetch_machine_password(lp_workgroup(), NULL,
+- NULL);
+ /* always give preference to the alt_name in our
+ primary domain if possible */
+ 
+-- 
+1.8.3.1
+
diff --git a/samba.spec b/samba.spec
index f99a6b2..1bd564f 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,7 +1,7 @@
 # Set --with testsuite or %bcond_without to run the Samba torture testsuite.
 %bcond_with testsuite
-%define main_release 4
+%define main_release 5
 %define samba_version 4.1.0
 %define talloc_version 2.0.8
@@ -76,6 +76,7 @@ Source200: README.dc
 Source201: README.downgrade
 Patch0: samba-4.1.0rc3-fix_winbind_nbtname_segfault.patch
+Patch1: samba-4.1.0rc3-winbind-ads.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -435,6 +436,7 @@ the local kerberos library to use the same KDC as samba and winbind use
 %setup -q -n samba-%{version}%{pre_release}
 %patch0 -p1 -b .samba-4.1.0rc3-fix_winbind_nbtname_segfault.patch
+%patch1 -p1 -b .samba-4.1.0rc3-winbind_ads.patch
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1463,6 +1465,9 @@ rm -rf %{buildroot}
 %{_mandir}/man7/winbind_krb5_locator.7*
 %changelog
+* Thu Aug 22 2013 - Guenther Deschner - 2:4.1.0-0.5
+- resolves: #996160 - Fix winbind with trusted domains.
+
 * Wed Aug 14 2013 - Andreas Schneider 2:4.1.0-0.4
 - resolves: #996160 - Fix winbind nbt name lookup segfault.
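Review bot: The two early returns added to ads_idmap_cached_connection() in the 5/6 patch, `return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);` after the failed domain lookup and `return ADS_ERROR_NT(NT_STATUS_CANT_ACCESS_DOMAIN_INFO);` after get_trust_pw_clear(), leave `ldap_server` behind, whereas the success path hands it to ads_cached_connection_connect(); if the SAF-cache lookup a few lines above the hunk returns an allocated string, as the `char *ldap_server` declaration and the "ldap_server from saf cache" DEBUG line suggest, both returns leak it and want a `SAFE_FREE(ldap_server);` first. The function's opening, including that lookup, lies outside the hunk, so this needs confirming against the full file. A smaller point in the same hunk: the `IS_DC` branch does `realm = SMB_STRDUP(wb_dom->alt_name);` with no NULL fallback while the member branch falls back to `lp_realm()`; if alt_name can be unset for a trusted domain here, the DC branch deserves the same guard. Since the 1/6 hunk shows the connect helper storing `password` directly into `ads->auth.password` but copying `realm` with SMB_STRDUP, a comment on the new get_trust_pw_clear() call such as `/* clear-text trust/machine secret; ownership appears to pass to ads->auth.password, realm is copied and freed here */` would make the differing lifetimes of the two strings explicit for the next reader.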