From 9220df7904cd20c1c1c56c5f65d0c0cf3fd1867f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 12 Aug 2013 10:30:14 +0200 Subject: [PATCH] Update to Samba 4.1.0rc2. related: #985609 --- .gitignore | 1 + samba-4.0.6_add_passdb_upn_enum.patch | 406 ------------------ samba-4.0.8-fix_winbind_ccache_cleanup.patch | 44 -- ...4.1.0rc1-add_support_for_cc_type_dir.patch | 217 ---------- samba-4.1.0rc1-fix_regedit_name.patch | 36 -- samba.spec | 21 +- sources | 2 +- 7 files changed, 12 insertions(+), 715 deletions(-) delete mode 100644 samba-4.0.6_add_passdb_upn_enum.patch delete mode 100644 samba-4.0.8-fix_winbind_ccache_cleanup.patch delete mode 100644 samba-4.1.0rc1-add_support_for_cc_type_dir.patch delete mode 100644 samba-4.1.0rc1-fix_regedit_name.patch diff --git a/.gitignore b/.gitignore index 1f65a9a..e8cb0a6 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ samba-3.6.0pre1.tar.gz /samba-4.0.6.tar.bz2 /samba-4.0.7.tar.xz /samba-4.1.0rc1.tar.xz +/samba-4.1.0rc2.tar.xz diff --git a/samba-4.0.6_add_passdb_upn_enum.patch b/samba-4.0.6_add_passdb_upn_enum.patch deleted file mode 100644 index e124f62..0000000 --- a/samba-4.0.6_add_passdb_upn_enum.patch +++ /dev/null 
@@ -1,406 +0,0 @@ -From bc7060261e5ad4db03d49414f8d3910ae231b79f Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 3 Apr 2013 15:52:06 +0300 -Subject: [PATCH 1/4] wafsamba: fix samba_abi for default catch-all case - -Only filter out the symbol when positive match was not found and there is -negative match. - -ABI signature file generator worked incorrectly for cases when mixture of -positive and negative matches were provided. This resulted in generating empty -signature file for libpdb since there was no catch-all positive match anymore. - -Commit 9ba44cc610426fb558b49aa9680b5bdf55c29082 removed explicit '*' positive -match and corresponding vscript generator adds '*' by default if global match -list is empty, so this commit introduces feature parity into signature -generator. - -Reviewed-by: Andreas Schneider ---- - buildtools/wafsamba/samba_abi.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py -index 488dab8..76acd00 100644 ---- a/buildtools/wafsamba/samba_abi.py -+++ b/buildtools/wafsamba/samba_abi.py -@@ -50,13 +50,15 @@ def parse_sigs(sigs, abi_match): - sa = s.split(':') - if abi_match: - matched = False -+ negative = False - for p in abi_match: - if p[0] == '!' and fnmatch.fnmatch(sa[0], p[1:]): -+ negative = True - break - elif fnmatch.fnmatch(sa[0], p): - matched = True - break -- if not matched: -+ if (not matched) and negative: - continue - Logs.debug("%s -> %s" % (sa[1], normalise_signature(sa[1]))) - ret[sa[0]] = normalise_signature(sa[1]) --- -1.8.1.4 - -From ff9cbe37219a41ceb0c624a995f12692f6634760 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 3 Apr 2013 16:01:34 +0300 -Subject: [PATCH 2/4] s3-waf: filter out ldapsam internal init functions - -pdb_ldapsam_init* functions (init and init_common) are used in -pdb_ipa.c and pdb_nds.c which are always linked together with -pdb_ldap.c where pdb_ldapsam_init* functions reside. 
- -Tested with both ldapsam integrated (into libpdb) and as -a separate module. - -Reviewed-by: Andreas Schneider ---- - source3/wscript_build | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/wscript_build b/source3/wscript_build -index 02040bf..fd20b81 100755 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -716,6 +716,7 @@ ldapsam_pdb_match = ['!priv2ld', '!smbldap_search_domain_info', - '!get_attr_list'] - private_pdb_match.append('!pdb_nds_*') - private_pdb_match.append('!pdb_init_ldapsam') -+private_pdb_match.append('!pdb_ldapsam_init*') - private_pdb_match = private_pdb_match + ldapsam_pdb_match - - private_pdb_match = private_pdb_match + map(lambda x: '!pdb_%s_init' % x, static_pdb_match) --- -1.8.1.4 - -From 67e4a28c0b14259f0f25a292f91924f82c84bae1 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 3 Apr 2013 16:37:00 +0300 -Subject: [PATCH 3/4] PASSDB: add support to set and enumerate UPN suffixes - associated with our forest - -Samba PDC may manage a forest containing DNS domains in addition to the primary one. -Information about them is advertised via netr_DsRGetForestTrustInformation when -trusted_domain_name is NULL, according to MS-NRPC and MS-LSAD, and -via netr_GetForestTrustInformation. - -This changeset only expands PASSDB API; how suffixes are maintained is left -to specific PDB modules. Set function is added so that suffixes could be -managed through 'net' and other Samba utilities, if possible. 
- -One possible implementation is available for ipasam module in FreeIPA: -http://git.fedorahosted.org/cgit/freeipa.git/commit/?id=cc56723151c9ebf58d891e85617319d861af14a4 - -Reviewed-by: Andreas Schneider ---- - source3/include/passdb.h | 18 +++++++++++++++++- - source3/passdb/ABI/pdb-0.sigs | 2 ++ - source3/passdb/pdb_interface.c | 36 ++++++++++++++++++++++++++++++++++++ - 3 files changed, 55 insertions(+), 1 deletion(-) - -diff --git a/source3/include/passdb.h b/source3/include/passdb.h -index 908631d..5e5a7bf 100644 ---- a/source3/include/passdb.h -+++ b/source3/include/passdb.h -@@ -412,9 +412,10 @@ enum pdb_policy_type { - * Changed to 18, pdb_rid_algorithm -> pdb_capabilities - * Changed to 19, removed uid_to_rid - * Changed to 20, pdb_secret calls -+ * Changed to 21, set/enum_upn_suffixes. AB. - */ - --#define PASSDB_INTERFACE_VERSION 20 -+#define PASSDB_INTERFACE_VERSION 21 - - struct pdb_methods - { -@@ -614,6 +615,15 @@ struct pdb_methods - NTSTATUS (*delete_secret)(struct pdb_methods *methods, - const char *secret_name); - -+ NTSTATUS (*enum_upn_suffixes)(struct pdb_methods *methods, -+ TALLOC_CTX *mem_ctx, -+ uint32_t *num_suffixes, -+ char ***suffixes); -+ -+ NTSTATUS (*set_upn_suffixes)(struct pdb_methods *methods, -+ uint32_t num_suffixes, -+ const char **suffixes); -+ - void *private_data; /* Private data of some kind */ - - void (*free_private_data)(void **); -@@ -911,6 +921,12 @@ NTSTATUS pdb_delete_secret(const char *secret_name); - bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid, - struct unixid *id); - -+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx, -+ uint32_t *num_suffixes, -+ char ***suffixes); -+ -+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes, -+ const char **suffixes); - - /* The following definitions come from passdb/pdb_util.c */ - -diff --git a/source3/passdb/ABI/pdb-0.sigs b/source3/passdb/ABI/pdb-0.sigs -index 4108b9a..51810ef 100644 ---- a/source3/passdb/ABI/pdb-0.sigs -+++ 
b/source3/passdb/ABI/pdb-0.sigs -@@ -112,6 +112,7 @@ pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t - pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *) - pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***) - pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) -+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***) - pdb_find_backend_entry: struct pdb_init_function_entry *(const char *) - pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *) - pdb_get_acct_ctrl: uint32_t (const struct samu *) -@@ -230,6 +231,7 @@ pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain - pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *) - pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *) - pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state) -+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **) - pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) - pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) - pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state) -diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c -index 775f8a3..36dde6f 100644 ---- a/source3/passdb/pdb_interface.c -+++ b/source3/passdb/pdb_interface.c -@@ -2340,6 +2340,39 @@ static struct pdb_domain_info *pdb_default_get_domain_info( - return NULL; - } - -+/***************************************************************** -+ UPN suffixes -+ *****************************************************************/ -+static NTSTATUS pdb_default_enum_upn_suffixes(struct pdb_methods *pdb, -+ TALLOC_CTX *mem_ctx, -+ uint32_t *num_suffixes, -+ char ***suffixes) -+{ -+ return NT_STATUS_NOT_IMPLEMENTED; -+} -+ -+static NTSTATUS 
pdb_default_set_upn_suffixes(struct pdb_methods *pdb, -+ uint32_t num_suffixes, -+ const char **suffixes) -+{ -+ return NT_STATUS_NOT_IMPLEMENTED; -+} -+ -+NTSTATUS pdb_enum_upn_suffixes(TALLOC_CTX *mem_ctx, -+ uint32_t *num_suffixes, -+ char ***suffixes) -+{ -+ struct pdb_methods *pdb = pdb_get_methods(); -+ return pdb->enum_upn_suffixes(pdb, mem_ctx, num_suffixes, suffixes); -+} -+ -+NTSTATUS pdb_set_upn_suffixes(uint32_t num_suffixes, -+ const char **suffixes) -+{ -+ struct pdb_methods *pdb = pdb_get_methods(); -+ return pdb->set_upn_suffixes(pdb, num_suffixes, suffixes); -+} -+ - /******************************************************************* - secret methods - *******************************************************************/ -@@ -2487,5 +2520,8 @@ NTSTATUS make_pdb_method( struct pdb_methods **methods ) - (*methods)->set_secret = pdb_default_set_secret; - (*methods)->delete_secret = pdb_default_delete_secret; - -+ (*methods)->enum_upn_suffixes = pdb_default_enum_upn_suffixes; -+ (*methods)->set_upn_suffixes = pdb_default_set_upn_suffixes; -+ - return NT_STATUS_OK; - } --- -1.8.1.4 - -From 801d299067c1ad8e9e63e0c675a4d1284de2f85c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 3 Apr 2013 16:52:45 +0300 -Subject: [PATCH 4/4] s3-netlogon: enumerate UPN suffixes from PASSDB when - available - -Optionally append list of UPN suffixes if PDB module returns non-empty one. - -Refactor fill_forest_trust_array() in source3 to allow reuse of the code between -_netr_DsRGetForestTrustInformation() and _netr_GetForestTrustInformation() - -Implement a special case of _netr_DsRGetForestTrustInformation in smbd -when trusted_domain_name is NULL (covered by test_DsrEnumerateDomainTrusts() -in rpc.netlogon torture tests, see comment in source4/torture/rpc/netlogon.c). 
- -Reviewed-by: Andreas Schneider - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Tue Apr 9 22:19:34 CEST 2013 on sn-devel-104 ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 106 ++++++++++++++++++++++++---- - 1 file changed, 94 insertions(+), 12 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 9b50655..c45f33f 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -2309,22 +2309,16 @@ NTSTATUS _netr_ServerTrustPasswordsGet(struct pipes_struct *p, - /**************************************************************** - ****************************************************************/ - --WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, -- struct netr_DsRGetForestTrustInformation *r) --{ -- p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; -- return WERR_NOT_SUPPORTED; --} -- --/**************************************************************** --****************************************************************/ -- - static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx, - struct lsa_ForestTrustInformation *info) - { - struct lsa_ForestTrustRecord *e; - struct pdb_domain_info *dom_info; - struct lsa_ForestTrustDomainInfo *domain_info; -+ char **upn_suffixes = NULL; -+ uint32_t num_suffixes = 0; -+ uint32_t i = 0; -+ NTSTATUS status; - - dom_info = pdb_get_domain_info(mem_ctx); - if (dom_info == NULL) { -@@ -2332,7 +2326,15 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx, - } - - info->count = 2; -- info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, 2); -+ -+ become_root(); -+ status = pdb_enum_upn_suffixes(info, &num_suffixes, &upn_suffixes); -+ unbecome_root(); -+ if (NT_STATUS_IS_OK(status) && (num_suffixes > 0)) { -+ info->count += num_suffixes; -+ } -+ -+ info->entries = talloc_array(info, struct lsa_ForestTrustRecord *, info->count); - if (info->entries == 
NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -2350,6 +2352,21 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx, - - info->entries[0] = e; - -+ if (num_suffixes > 0) { -+ for (i = 0; i < num_suffixes ; i++) { -+ e = talloc(info, struct lsa_ForestTrustRecord); -+ if (e == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ e->flags = 0; -+ e->type = LSA_FOREST_TRUST_TOP_LEVEL_NAME; -+ e->time = 0; /* so far always 0 in traces. */ -+ e->forest_trust_data.top_level_name.string = upn_suffixes[i]; -+ info->entries[1 + i] = e; -+ } -+ } -+ - e = talloc(info, struct lsa_ForestTrustRecord); - if (e == NULL) { - return NT_STATUS_NO_MEMORY; -@@ -2368,12 +2385,76 @@ static NTSTATUS fill_forest_trust_array(TALLOC_CTX *mem_ctx, - domain_info->netbios_domain_name.string = talloc_steal(info, - dom_info->name); - -- info->entries[1] = e; -+ info->entries[info->count - 1] = e; - - return NT_STATUS_OK; - } - - /**************************************************************** -+****************************************************************/ -+ -+WERROR _netr_DsRGetForestTrustInformation(struct pipes_struct *p, -+ struct netr_DsRGetForestTrustInformation *r) -+{ -+ NTSTATUS status; -+ struct lsa_ForestTrustInformation *info, **info_ptr; -+ -+ if (!(p->pipe_bound && (p->auth.auth_type != DCERPC_AUTH_TYPE_NONE) -+ && (p->auth.auth_level != DCERPC_AUTH_LEVEL_NONE))) { -+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED; -+ return WERR_ACCESS_DENIED; -+ } -+ -+ if (r->in.flags & (~DS_GFTI_UPDATE_TDO)) { -+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; -+ return WERR_INVALID_FLAGS; -+ } -+ -+ if ((r->in.flags & DS_GFTI_UPDATE_TDO) && (lp_server_role() != ROLE_DOMAIN_PDC)) { -+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; -+ return WERR_NERR_NOTPRIMARY; -+ } -+ -+ if ((r->in.trusted_domain_name == NULL) && (r->in.flags & DS_GFTI_UPDATE_TDO)) { -+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; -+ return WERR_INVALID_PARAMETER; -+ } -+ -+ /* retrieve forest trust information and stop 
further processing */ -+ if (r->in.trusted_domain_name == NULL) { -+ info_ptr = talloc(p->mem_ctx, struct lsa_ForestTrustInformation *); -+ if (info_ptr == NULL) { -+ p->fault_state = DCERPC_FAULT_CANT_PERFORM; -+ return WERR_NOMEM; -+ } -+ info = talloc_zero(info_ptr, struct lsa_ForestTrustInformation); -+ if (info == NULL) { -+ p->fault_state = DCERPC_FAULT_CANT_PERFORM; -+ return WERR_NOMEM; -+ } -+ -+ /* Fill forest trust information and expand UPN suffixes list */ -+ status = fill_forest_trust_array(p->mem_ctx, info); -+ if (!NT_STATUS_IS_OK(status)) { -+ p->fault_state = DCERPC_FAULT_CANT_PERFORM; -+ return WERR_NOMEM; -+ } -+ -+ *info_ptr = info; -+ r->out.forest_trust_info = info_ptr; -+ -+ return WERR_OK; -+ -+ } -+ -+ /* TODO: implement remaining parts of DsrGetForestTrustInformation (opnum 43) -+ * when trusted_domain_name is not NULL */ -+ -+ p->fault_state = DCERPC_FAULT_OP_RNG_ERROR; -+ return WERR_NOT_SUPPORTED; -+} -+ -+/**************************************************************** - _netr_GetForestTrustInformation - ****************************************************************/ - -@@ -2417,6 +2498,7 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, - return NT_STATUS_NO_MEMORY; - } - -+ /* Fill forest trust information, do expand UPN suffixes list */ - status = fill_forest_trust_array(p->mem_ctx, info); - if (!NT_STATUS_IS_OK(status)) { - return status; --- -1.8.1.4 - diff --git a/samba-4.0.8-fix_winbind_ccache_cleanup.patch b/samba-4.0.8-fix_winbind_ccache_cleanup.patch deleted file mode 100644 index 68d5444..0000000 --- a/samba-4.0.8-fix_winbind_ccache_cleanup.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 91300255f4b93dad920af2399a6cd64720d47e4f Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Thu, 11 Jul 2013 13:44:53 +0200 -Subject: [PATCH] s3-winbind: Do not delete an existing valid credential cache. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994 - -Thanks to David Woodhouse . - -Reviewed-by: Günther Deschner - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104 - -(cherry picked from commit 0529b59fbe3f96509893fc4e93a75d6928b5a532) ---- - source3/winbindd/winbindd_pam.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index b23d421..99794e6 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -677,6 +677,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - return NT_STATUS_OK; - - failed: -+ /* -+ * Do not delete an existing valid credential cache, if the user -+ * e.g. enters a wrong password -+ */ -+ if ((strequal(krb5_cc_type, "FILE") || strequal(krb5_cc_type, "WRFILE")) -+ && user_ccache_file != NULL) { -+ return result; -+ } - - /* we could have created a new credential cache with a valid tgt in it - * but we werent able to get or verify the service ticket for this --- -1.8.3.1 - diff --git a/samba-4.1.0rc1-add_support_for_cc_type_dir.patch b/samba-4.1.0rc1-add_support_for_cc_type_dir.patch deleted file mode 100644 index 219757c..0000000 --- a/samba-4.1.0rc1-add_support_for_cc_type_dir.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -From bfbf322626965100a72eeaed31573a36a61b33d1 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 18 Jul 2013 19:04:29 +0200 -Subject: [PATCH 1/3] wbinfo: allow to define a custom krb5ccname for - kerberized pam auth. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner -Reviewed-by: Jeremy Allison - -(cherry picked from commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95) ---- - nsswitch/wbinfo.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c -index 1d1557d..cfb430b 100644 ---- a/nsswitch/wbinfo.c -+++ b/nsswitch/wbinfo.c -@@ -2083,6 +2083,7 @@ int main(int argc, char **argv, char **envp) - bool use_lanman = false; - char *logoff_user = getenv("USER"); - int logoff_uid = geteuid(); -+ const char *opt_krb5ccname = "FILE"; - - struct poptOption long_options[] = { - POPT_AUTOHELP -@@ -2164,6 +2165,7 @@ int main(int argc, char **argv, char **envp) - { "krb5auth", 'K', POPT_ARG_STRING, &string_arg, 'K', "authenticate user using Kerberos", "user%password" }, - /* destroys wbinfo --help output */ - /* "user%password,DOM\\user%password,user@EXAMPLE.COM,EXAMPLE.COM\\user%password" }, */ -+ { "krb5ccname", 0, POPT_ARG_STRING, &opt_krb5ccname, '0', "authenticate user using Kerberos and specific credential cache type", "krb5ccname" }, - #endif - { "separator", 0, POPT_ARG_NONE, 0, OPT_SEPARATOR, "Get the active winbind separator", NULL }, - { "verbose", 0, POPT_ARG_NONE, 0, OPT_VERBOSE, "Print additional information per command", NULL }, -@@ -2533,13 +2535,13 @@ int main(int argc, char **argv, char **envp) - WBFLAG_PAM_INFO3_TEXT | - WBFLAG_PAM_CONTACT_TRUSTDOM; - -- if (!wbinfo_auth_krb5(string_arg, "FILE", -+ if (!wbinfo_auth_krb5(string_arg, opt_krb5ccname, - flags)) { - d_fprintf(stderr, - "Could not authenticate user " - "[%s] with Kerberos " - "(ccache: %s)\n", string_arg, -- 
"FILE"); -+ opt_krb5ccname); - goto done; - } - break; --- -1.8.3.1 - - -From b9c191e3cde6aa5d726f3bea46d853441bf7daf0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 18 Jul 2013 19:05:51 +0200 -Subject: [PATCH 2/3] s3-winbindd: support the DIR pragma for raw kerberos user - pam authentication. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It is currently only available in MIT. In addition, allow to define custom -filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the -%u pattern. - -Guenther - -Signed-off-by: Günther Deschner -Pair-Programmed-With: Andreas Schneider -Reviewed-by: Jeremy Allison - -(cherry picked from commit 7ad3a367d52b1f123c318946d654e95639202130) ---- - source3/winbindd/winbindd_pam.c | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index aed4741..7b67154 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -492,6 +492,29 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx, - gen_cc = talloc_asprintf( - mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid); - } -+ if (strequal(type, "DIR")) { -+ gen_cc = talloc_asprintf( -+ mem_ctx, "DIR:/run/user/%d/krb5cc", uid); -+ } -+ -+ if (strnequal(type, "FILE:/", 6) || -+ strnequal(type, "WRFILE:/", 8) || -+ strnequal(type, "DIR:/", 5)) { -+ -+ /* we allow only one "%u" substitution */ -+ -+ char *p; -+ -+ p = strchr(type, '%'); -+ if (p != NULL) { -+ -+ p++; -+ -+ if (p != NULL && *p == 'u' && strchr(p, '%') == NULL) { -+ gen_cc = talloc_asprintf(mem_ctx, type, uid); -+ } -+ } -+ } - } - - *user_ccache_file = gen_cc; --- -1.8.3.1 - - -From c488253925831a3683446e93bd79d9593c4f9295 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 18 Jul 2013 19:09:14 +0200 -Subject: [PATCH 3/3] pam_winbind: update documentation for "DIR" krb5ccname - pragma. 
-MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104 - -(cherry picked from commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb) ---- - docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++++++++++++++++++++++++-------- - examples/pam_winbind/pam_winbind.conf | 3 ++- - 2 files changed, 31 insertions(+), 11 deletions(-) - -diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml -index 7098ff4..be7f684 100644 ---- a/docs-xml/manpages/pam_winbind.conf.5.xml -+++ b/docs-xml/manpages/pam_winbind.conf.5.xml -@@ -106,16 +106,35 @@ - krb5_ccache_type = [type] - - -- When pam_winbind is configured to try kerberos authentication -- by enabling the krb5_auth option, it can -- store the retrieved Ticket Granting Ticket (TGT) in a -- credential cache. The type of credential cache can be set with -- this option. Currently the only supported value is: -- FILE. In that case a credential cache in -- the form of /tmp/krb5cc_UID will be created, where UID is -- replaced with the numeric user id. Leave empty to just do -- kerberos authentication without having a ticket cache after the -- logon has succeeded. This setting is empty by default. -+ When pam_winbind is configured to try kerberos authentication by -+ enabling the krb5_auth option, it can -+ store the retrieved Ticket Granting Ticket (TGT) in a credential -+ cache. The type of credential cache can be controlled with this -+ option. The supported values are: FILE -+ and DIR (when the DIR type is supported -+ by the system's Kerberos library). In case of FILE a credential -+ cache in the form of /tmp/krb5cc_UID will be created - in case -+ of DIR it will be located under the /run/user/UID/krb5cc -+ directory. UID is replaced with the numeric user id. 
-+ -+ It is also possible to define custom filepaths and use the "%u" -+ pattern in order to substitue the numeric user id. -+ Examples: -+ -+ -+ -+ krb5_ccache_type = DIR:/run/user/%u/krb5cc -+ This will create a credential cache file in the specified directory. -+ -+ -+ krb5_ccache_type = FILE:/tmp/krb5cc_%u -+ This will create a credential cache file. -+ -+ -+ -+ Leave empty to just do kerberos authentication without -+ having a ticket cache after the logon has succeeded. -+ This setting is empty by default. - - - -diff --git a/examples/pam_winbind/pam_winbind.conf b/examples/pam_winbind/pam_winbind.conf -index dd0b112..87bc388 100644 ---- a/examples/pam_winbind/pam_winbind.conf -+++ b/examples/pam_winbind/pam_winbind.conf -@@ -3,6 +3,7 @@ - # - # /etc/security/pam_winbind.conf - # -+# For more details see man pam_winbind.conf(5) - - [global] - -@@ -19,7 +20,7 @@ - # authenticate using kerberos - ;krb5_auth = no - --# when using kerberos, request a "FILE" krb5 credential cache type -+# when using kerberos, request a "FILE" or "DIR" krb5 credential cache type - # (leave empty to just do krb5 authentication but not have a ticket - # afterwards) - ;krb5_ccache_type = --- -1.8.3.1 diff --git a/samba-4.1.0rc1-fix_regedit_name.patch b/samba-4.1.0rc1-fix_regedit_name.patch deleted file mode 100644 index 851e491..0000000 --- a/samba-4.1.0rc1-fix_regedit_name.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From f0ff2d8ee925921c70f2b9149316f123402ab81b Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 19 Jul 2013 16:08:39 +0200 -Subject: [PATCH] s3-waf: Rename regedit to samba-regedit. - -This is needed cause wine already provides a binary with the name -regedit. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=10040 - -Signed-off-by: Andreas Schneider -Reviewed-by: Kai Blin - -Autobuild-User(master): Andreas Schneider -Autobuild-Date(master): Mon Jul 22 14:12:38 CEST 2013 on sn-devel-104 - -(cherry picked from commit b5051111d2fd3a9ae3b3aa028ccf013a98c20b38) ---- - source3/wscript_build | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/wscript_build b/source3/wscript_build -index 19c6d08..a8bdaf0 100755 ---- a/source3/wscript_build -+++ b/source3/wscript_build -@@ -1615,7 +1615,7 @@ bld.SAMBA3_PYTHON('pylibsmb', - realname='samba/samba3/libsmb_samba_internal.so' - ) - --bld.SAMBA3_BINARY('regedit', -+bld.SAMBA3_BINARY('samba-regedit', - source="""utils/regedit.c utils/regedit_samba3.c - utils/regedit_wrap.c utils/regedit_treeview.c - utils/regedit_valuelist.c utils/regedit_dialog.c --- -1.8.3.1 diff --git a/samba.spec b/samba.spec index 481c92c..a09e699 100644 --- a/samba.spec +++ b/samba.spec @@ -1,7 +1,7 @@ # Set --with testsuite or %bcond_without to run the Samba torture testsuite. %bcond_with testsuite -%define main_release 2 +%define main_release 3 %define samba_version 4.1.0 %define talloc_version 2.0.8 @@ -10,7 +10,7 @@ %define tevent_version 0.9.18 %define ldb_version 1.1.16 # This should be rc1 or nil -%define pre_release rc1 +%define pre_release rc2 %if "x%{?pre_release}" != "x" %define samba_release 0.%{main_release}.%{pre_release}%{?dist} @@ -44,7 +44,7 @@ Name: samba Version: %{samba_version} -Release: %{samba_release}.1 +Release: %{samba_release} %if 0%{?rhel} Epoch: 0 
@@ -75,10 +75,6 @@ Source6: samba.pamd Source200: README.dc Source201: README.downgrade -Patch0: samba-4.0.8-fix_winbind_ccache_cleanup.patch -Patch1: samba-4.1.0rc1-fix_regedit_name.patch -Patch2: samba-4.1.0rc1-add_support_for_cc_type_dir.patch - BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires(pre): /usr/sbin/groupadd @@ -435,9 +431,6 @@ the local kerberos library to use the same KDC as samba and winbind use %prep %setup -q -n samba-%{version}%{pre_release} -%patch0 -p1 -b .samba-4.0.8-fix_winbind_ccache_cleanup.patch -%patch1 -p1 -b .samba-4.1.0rc1-fix_regedit_name.patch -%patch2 -p1 -b .samba-4.1.0rc1-add_support_for_cc_type_dir.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util @@ -708,7 +701,10 @@ rm -rf %{buildroot} %{_bindir}/eventlogadm %{_sbindir}/nmbd %{_sbindir}/smbd -%{_libdir}/samba/auth +%dir %{_libdir}/samba/auth +%{_libdir}/samba/auth/script.so +%{_libdir}/samba/auth/unix.so +%{_libdir}/samba/auth/wbc.so %dir %{_libdir}/samba/vfs %{_libdir}/samba/vfs/acl_tdb.so %{_libdir}/samba/vfs/acl_xattr.so @@ -1463,6 +1459,9 @@ rm -rf %{buildroot} %{_mandir}/man7/winbind_krb5_locator.7* %changelog +* Mon Aug 12 2013 - Andreas Schneider - 2:4.1.0-0.3 +- related: #985609 - Update to Samba 4.1.0rc2. + * Sat Aug 03 2013 Petr Pisar - 2:4.1.0-0.2.rc1.1 - Perl 5.18 rebuild diff --git a/sources b/sources index b4791a1..e6b1d20 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -0ce7a9ca50e4cca0c6d5da4a4e0e03c1 samba-4.1.0rc1.tar.xz +ee14addf3363d93ce8c62dcc5d6dc94b samba-4.1.0rc2.tar.xz
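Review bot: Removing `Patch0`–`Patch2` in this hunk (and the matching `%patch0`–`%patch2` lines in the `%prep` hunk at -435,9) is not explained anywhere; the commit message and the new changelog entry say only "Update to Samba 4.1.0rc2". Two of the three patches change winbind's Kerberos credential-cache handling, and `samba-4.0.8-fix_winbind_ccache_cleanup.patch` is the fix for bugzilla.samba.org bug 9994, so a reader needs to know the rc2 tarball already carries them. The deleted patch files have "cherry picked from commit" trailers, which suggests the changes are upstream, but whether they are in the rc2 tree is not visible here. After checking that, I would add a changelog line such as `- Drop winbind ccache, cc_type DIR and regedit rename patches, now part of the upstream tarball`.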
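Review bot: The `%files` hunk at -708,7 replaces ownership of the whole `%{_libdir}/samba/auth` directory with `%dir` plus three named modules (`script.so`, `unix.so`, `wbc.so`), and nothing in the spec or changelog records why. Any other auth module that rc2 installs under that directory is no longer shipped by this subpackage, and the visible hunks do not show whether another `%files` section picks it up. Since this decides which authentication backends land in which package, it deserves its own changelog line, for example `- List the smbd auth modules explicitly in %files`. The `%files` section itself starts and ends outside the hunk.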