Update to Samba 4.0.0rc5.

2012-11-13 12:59:39 +01:00 · 2012-11-13 12:59:39 +01:00 · b9c801614f
parent 3eabd5bb16
commit b9c801614f
6 changed files with 106 additions and 201 deletions
--- a/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
+++ b/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
@ -1,64 +0,0 @@
-commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe
-Author:     Günther Deschner <gd@samba.org>
-AuthorDate: Mon Dec 19 10:52:58 2011 +0100
-Commit:     Günther Deschner <gd@samba.org>
-CommitDate: Tue Oct 2 16:22:31 2012 +0200
-
-    s3-kerberos: add aes enctypes to generated krb5.conf.
-    
-    Guenther
---
- source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
- 1 file changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index fd39394..3183e26 100644
--- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- 	int fd;
- 	char *realm_upper = NULL;
- 	bool result = false;
-+	char *aes_enctypes = NULL;
- 
- 	if (!lp_create_krb5_conf()) {
- 		return false;
-@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- 		goto done;
- 	}
- 
-	/* FIXME: add aes here - gd */
-+	aes_enctypes = talloc_strdup(fname, "");
-+	if (aes_enctypes == NULL) {
-+		goto done;
-+	}
-+
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
-+	if (aes_enctypes == NULL) {
-+		goto done;
-+	}
-+#endif
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
-+	if (aes_enctypes == NULL) {
-+		goto done;
-+	}
-+#endif
-+
- 	file_contents = talloc_asprintf(fname,
- 					"[libdefaults]\n\tdefault_realm = %s\n"
-					"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-					"\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-					"\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
-+					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-+					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-+					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
- 					"[realms]\n\t%s = {\n"
- 					"\t%s\t}\n",
-					realm_upper, realm_upper, kdc_ip_string);
-+					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
-+					realm_upper, kdc_ip_string);
- 
- 	if (!file_contents) {
- 		goto done;
--- a/samba-4.0.0rc4-request_aes_krb_keys.patch
+++ b/samba-4.0.0rc4-request_aes_krb_keys.patch
@ -1,65 +0,0 @@
-commit eae33e96fcaa456830862325b91579faf2a96213
-Author:     Günther Deschner <gd@samba.org>
-AuthorDate: Thu Dec 15 18:12:41 2011 +0100
-Commit:     Günther Deschner <gd@samba.org>
-CommitDate: Tue Oct 2 16:22:31 2012 +0200
-
-    s3-krb5: use and request AES keys in kerberos operations.
-    
-    Guenther
---
- lib/krb5_wrap/krb5_samba.c       | 6 ++++++
- source3/libads/kerberos.c        | 1 +
- source3/libads/kerberos_keytab.c | 8 +++++++-
- 3 files changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 1a5a710..8037337 100644
--- a/lib/krb5_wrap/krb5_samba.c
-+++ b/lib/krb5_wrap/krb5_samba.c
-@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
- 		ENCTYPE_ARCFOUR_HMAC,
- 		ENCTYPE_DES_CBC_MD5,
- 		ENCTYPE_DES_CBC_CRC,
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+#endif
- 		ENCTYPE_NULL};
- 
- 	initialize_krb5_error_table();
-diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
-index 1093d12..fd39394 100644
--- a/source3/libads/kerberos.c
-+++ b/source3/libads/kerberos.c
-@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
- 		goto done;
- 	}
- 
-+	/* FIXME: add aes here - gd */
- 	file_contents = talloc_asprintf(fname,
- 					"[libdefaults]\n\tdefault_realm = %s\n"
- 					"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
-index eb2603b..b7df50d 100644
--- a/source3/libads/kerberos_keytab.c
-+++ b/source3/libads/kerberos_keytab.c
-@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
- 	krb5_keytab keytab = NULL;
- 	krb5_data password;
- 	krb5_kvno kvno;
-        krb5_enctype enctypes[4] = {
-+        krb5_enctype enctypes[6] = {
- 		ENCTYPE_DES_CBC_CRC,
- 		ENCTYPE_DES_CBC_MD5,
-+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-+		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+#endif
-+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-+		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+#endif
- 		ENCTYPE_ARCFOUR_HMAC,
- 		0
- 	};
--- a/samba-4.0.0rc5-fix_winbind_offline_logon.patch
+++ b/samba-4.0.0rc5-fix_winbind_offline_logon.patch
@ -1,40 +0,0 @@
-From 6c148a1532f9b29b1ec6283a971caeb7de4ff24e Mon Sep 17 00:00:00 2001
-From: Michael Adam <obnox@samba.org>
-Date: Thu, 1 Nov 2012 14:41:56 +0100
-Subject: [PATCH] s3:winbindd:cache: fix offline logons with cached
- credentials (bug #9321)
-
-The removal of consumption of the time field from the centry
-as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a
-had the side effect of changing the offset for reading the following
-nt password hash, so the read password hash was wrong.
-
-This patch re-installs the consumption of the time,
-thereby fixing the bug without changing the disk format of the cache.
-
-Signed-off-by: Michael Adam <obnox@samba.org>
---
- source3/winbindd/winbindd_cache.c |    7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
-index 2c9dd4a..c79d3b6 100644
--- a/source3/winbindd/winbindd_cache.c
-+++ b/source3/winbindd/winbindd_cache.c
-@@ -1329,6 +1329,13 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
- 		return NT_STATUS_OBJECT_NAME_NOT_FOUND;
- 	}
- 
-+	/*
-+	 * We don't use the time element at this moment,
-+	 * but we have to consume it, so that we don't
-+	 * neet to change the disk format of the cache.
-+	 */
-+	(void)centry_time(centry);
-+
- 	/* In the salted case this isn't actually the nt_hash itself,
- 	   but the MD5 of the salt + nt_hash. Let the caller
- 	   sort this out. It can tell as we only return the cached_salt
-- 
-1.7.9.5
-
--- a/samba-4.0.0rc6-LogonSamLogon_failover.patch
+++ b/samba-4.0.0rc6-LogonSamLogon_failover.patch
@ -0,0 +1,95 @@
+commit 3b01dd5f59841b11e9906b8c23345946e0d0ea8c
+Author:     Andreas Schneider <asn@samba.org>
+AuthorDate: Fri Nov 9 15:33:09 2012 +0100
+Commit:     Stefan Metzmacher <metze@samba.org>
+CommitDate: Mon Nov 12 18:57:18 2012 +0100
+
+    s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
+    
+    Samba continues to query a broken DC while the DC did not finish to
+    rebuild Sysvol (after a Windows crash, for example). It causes end users
+    to received strange codes while trying to authenticate, even if there is
+    a secondary DC available.
+    
+    Signed-off-by: Andreas Schneider <asn@samba.org>
+    Reviewed-by: Stefan Metzmacher <metze@samba.org>
+    
+    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+    Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
+---
+ source3/winbindd/winbindd_pam.c | 52 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 39 insertions(+), 13 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 5b6b77b..b23d421 100644
+--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
+@@ -1175,6 +1175,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ 					    struct netr_SamInfo3 **info3)
+ {
+ 	int attempts = 0;
+	int netr_attempts = 0;
+ 	bool retry = false;
+ 	NTSTATUS result;
+ 
+@@ -1189,22 +1190,47 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ 		result = cm_connect_netlogon(domain, &netlogon_pipe);
+ 
+ 		if (!NT_STATUS_IS_OK(result)) {
+-			DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n",
+-				  nt_errstr(result)));
+-			if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
+-				if (attempts > 0) {
+-					DEBUG(3, ("This is the second problem for this "
+-						"particular call, forcing the close of "
+-						"this connection\n"));
+-					invalidate_cm_connection(&domain->conn);
+-				} else {
+-					DEBUG(3, ("First call to cm_connect_netlogon "
+-						"has timed out, retrying\n"));
+-					continue;
+-				}
+			DEBUG(3,("Could not open handle to NETLOGON pipe "
+				 "(error: %s, attempts: %d)\n",
+				  nt_errstr(result), netr_attempts));
+
+			/* After the first retry always close the connection */
+			if (netr_attempts > 0) {
+				DEBUG(3, ("This is again a problem for this "
+					  "particular call, forcing the close "
+					  "of this connection\n"));
+				invalidate_cm_connection(&domain->conn);
+			}
+
+			/* After the second retry failover to the next DC */
+			if (netr_attempts > 1) {
+				/*
+				 * If the netlogon server is not reachable then
+				 * it is possible that the DC is rebuilding
+				 * sysvol and shutdown netlogon for that time.
+				 * We should failover to the next dc.
+				 */
+				DEBUG(3, ("This is the third problem for this "
+					  "particular call, adding DC to the "
+					  "negative cache list\n"));
+				add_failed_connection_entry(domain->name,
+							    domain->dcname,
+							    result);
+				saf_delete(domain->name);
+			}
+
+			/* Only allow 3 retries */
+			if (netr_attempts < 3) {
+				DEBUG(3, ("The connection to netlogon "
+					  "failed, retrying\n"));
+				netr_attempts++;
+				retry = true;
+				continue;
+ 			}
+ 			return result;
+ 		}
+		netr_attempts = 0;
+
+ 		auth = netlogon_pipe->auth;
+ 		if (netlogon_pipe->dc) {
+ 			neg_flags = netlogon_pipe->dc->negotiate_flags;
--- a/samba.spec
+++ b/samba.spec
@ -1,4 +1,4 @@
-%define main_release 165
+%define main_release 166

 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@ -6,7 +6,7 @@
 %define tdb_version 1.2.10
 %define tevent_version 0.9.17
 %define ldb_version 1.1.12
-%define pre_release rc4
+%define pre_release rc5

 %define samba_release %{main_release}%{?dist}.%{pre_release}

@ -57,14 +57,11 @@ Source2: samba.xinetd
 Source3: swat.desktop
 Source4: smb.conf.default
 Source5: pam_winbind.conf
-Source7: winbind.networkmanager

 Source200: README.dc
 Source201: README.downgrade

-Patch0: samba-4.0.0rc4-request_aes_krb_keys.patch
-Patch1: samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
-Patch2: samba-4.0.0rc5-fix_winbind_offline_logon.patch
+Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch

 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

@ -407,9 +404,7 @@ the local kerberos library to use the same KDC as samba and winbind use
 %prep
 %setup -q -n samba-%{version}%{pre_release}

-%patch0 -p1 -b .request_aes_krb_keys
-%patch1 -p1 -b .add_aes_enctypes_to_krb5_conf
-%patch2 -p1 -b .winbind_offline_logon
+%patch0 -p1 -b .samlogon_failover

 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@ -554,9 +549,10 @@ for i in nmb smb winbind ; do
    install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service
 done

-# FIXME use packaging/NetworkManager/30-winbind
+# NetworkManager online/offline script
 install -d -m 0755 %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/
-install -m 0755 %{SOURCE7} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind
+install -m 0755 packaging/NetworkManager/30-winbind-systemd \
+            %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind

 # winbind krb5 locator
 install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5
@ -772,7 +768,6 @@ rm -rf %{buildroot}
 %{_bindir}/profiles
 %{_bindir}/smbcontrol
 %{_bindir}/testparm
-%{_libdir}/samba/libgpo.so
 %{_datadir}/samba/codepages
 %config(noreplace) %{_sysconfdir}/logrotate.d/samba
 %attr(0700,root,root) %dir /var/log/samba
@ -1069,6 +1064,7 @@ rm -rf %{buildroot}
 %{_libdir}/samba/liberrors.so
 %{_libdir}/samba/libevents.so
 %{_libdir}/samba/libflag_mapping.so
+%{_libdir}/samba/libgpo.so
 %{_libdir}/samba/libgse.so
 %{_libdir}/samba/libinterfaces.so
 %{_libdir}/samba/libkrb5samba.so
@ -1302,6 +1298,9 @@ rm -rf %{buildroot}
 %{_mandir}/man7/winbind_krb5_locator.7*

 %changelog
+* Tue Nov 13 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-166.rc5
+- Update to Samba 4.0.0rc5.
+
 * Mon Nov 05 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-165.rc4
 - Fix library dependencies of libnetapi.

--- a/winbind.networkmanager
+++ b/winbind.networkmanager
@ -1,20 +0,0 @@
-#!/bin/sh
-
-winbind_is_active=$(/bin/systemctl is-active winbind.service)
-test "${winbind_is_active}" = "active" || exit 0
-
-winbind_offline_logon=$(testparm -s --parameter-name "winbind offline logon" 2>/dev/null)
-test "${winbind_offline_logon}" = "Yes" || exit 0
-
-case "$2" in
-	up|vpn-up)
-		nmb_is_active=$(/bin/systemctl is-active nmb.service)
-		if test "${nmb_is_active}" = "active"; then
-			/bin/systemctl try-restart nmb.service || :
-		fi
-		/usr/bin/smbcontrol winbind online || :
-	;;
-	down)
-		/usr/bin/smbcontrol winbind offline
-	;;
-esac