From a79780284253c609ffd85f1a8b9174745a91b6a5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 11 May 2015 20:29:59 +0300
Subject: [PATCH] Samba 4.2 broke FreeIPA trusts to AD

Fixes #1219834
---
 ...-if-credentials-have-principal-set-t.patch | 35 +++++++++++++++++++
 samba.spec | 7 +++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch

diff --git a/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch b/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
new file mode 100644
index 0000000..f6ae63a
--- /dev/null
+++ b/samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch
@@ -0,0 +1,35 @@
+From 97d7bc19bb463cfbb9d45b69cec1e668eb15b4a1 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 7 May 2015 14:12:03 +0000
+Subject: [PATCH] auth/credentials: if credentials have principal set, they are
+ not anonymous anymore
+
+When dealing with Kerberos, we cannot consider credentials anonymous
+if credentials were obtained properly.
+
+Signed-off: Alexander Bokovoy
+---
+ auth/credentials/credentials.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 78b5955..b1ccc5a 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -921,6 +921,13 @@ _PUBLIC_ bool cli_credentials_is_anonymous(struct cli_credentials *cred)
+ cred->machine_account_pending_lp_ctx);
+ }
+
++ if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
++ /* if principal is set, it's not anonymous */
++ if (cred->principal && cred->principal_obtained >= cred->username_obtained) {
++ return false;
++ }
++ }
++
+ username = cli_credentials_get_username(cred);
+
+ /* Yes, it is deliberate that we die if we have a NULL pointer
+--
+2.4.0
+
diff --git a/samba.spec b/samba.spec
index f003093..f2e0cf9 100644
--- a/samba.spec
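Review bot: The added check in cli_credentials_is_anonymous() returns false for any non-NULL `cred->principal`, so an empty principal string would also be reported as non-anonymous; the inner condition would be tighter as `if (cred->principal != NULL && cred->principal[0] != '\0' && cred->principal_obtained >= cred->username_obtained) {`. The `>=` lets the principal win a tie, so if credentials that once carried a principal are later made anonymous at the same obtained level without the principal being cleared (the setter is not visible here), this function would presumably still answer "not anonymous"; since callers use the result to choose between an anonymous and an authenticated bind, the comment should say why the tie goes to the principal, e.g. `/* a principal obtained at least as authoritatively as the username means a Kerberos identity is in use */`. The field is also read directly rather than through an accessor, which may skip a callback-supplied principal. The function starts before and continues past this hunk, so the interaction with the username check that follows cannot be confirmed from here.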
+++ b/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 7 +%define main_release 8 %define samba_version 4.2.1 %define talloc_version 2.1.2 @@ -95,6 +95,7 @@ Source0: samba-%{version}%{pre_release}.tar.xz Patch0: samba-4.2.2-fix_debug_macro.patch Patch1: samba-4.2.2-lib-util-fix-detection-of-systemd-libraries.patch Patch2: samba-4.2-fix-rpc-helper.patch +Patch3: samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch # Red Hat specific replacement-files Source1: samba.log @@ -643,6 +644,7 @@ and use CTDB instead. %patch0 -p1 -b .samba-4.2.2-fix_debug_macro.patch %patch1 -p1 -b .samba-4.2.2-lib-util-fix-detection-of-systemd-libraries.patch %patch2 -p1 -b .samba-4.2-fix-rpc-helper.patch +%patch3 -p1 -b .samba-4.2-auth-credentials-if-credentials-have-principal-set-t.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util @@ -1931,6 +1933,9 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Mon May 11 2015 Alexander Bokovoy - 4.2.1-8 +- Fixes: #1219832: Samba 4.2 broke FreeIPA trusts to AD + * Thu Apr 30 2015 Alexander Bokovoy - 4.2.1-7 - Fix LSASD daemon - resolves: #1217346 - FreeIPA trusts to AD broken due to Samba 4.2 failure to run LSARPC pipe externally