From b9c801614f3b719fd82c440eafd059e923feb9fb Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 13 Nov 2012 12:59:39 +0100 Subject: [PATCH] Update to Samba 4.0.0rc5. --- ...0.0rc4-add_aes_enctypes_to_krb5_conf.patch | 64 ------------- samba-4.0.0rc4-request_aes_krb_keys.patch | 65 ------------- ...a-4.0.0rc5-fix_winbind_offline_logon.patch | 40 -------- samba-4.0.0rc6-LogonSamLogon_failover.patch | 95 +++++++++++++++++++ samba.spec | 23 +++-- winbind.networkmanager | 20 ---- 6 files changed, 106 insertions(+), 201 deletions(-) delete mode 100644 samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch delete mode 100644 samba-4.0.0rc4-request_aes_krb_keys.patch delete mode 100644 samba-4.0.0rc5-fix_winbind_offline_logon.patch create mode 100644 samba-4.0.0rc6-LogonSamLogon_failover.patch delete mode 100755 winbind.networkmanager diff --git a/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch b/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch deleted file mode 100644 index f34cef2..0000000 --- a/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe -Author: Günther Deschner -AuthorDate: Mon Dec 19 10:52:58 2011 +0100 -Commit: Günther Deschner -CommitDate: Tue Oct 2 16:22:31 2012 +0200 - - s3-kerberos: add aes enctypes to generated krb5.conf. - - Guenther ---- - source3/libads/kerberos.c | 29 ++++++++++++++++++++++++----- - 1 file changed, 24 insertions(+), 5 deletions(-) - -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index fd39394..3183e26 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - int fd; - char *realm_upper = NULL; - bool result = false; -+ char *aes_enctypes = NULL; - - if (!lp_create_krb5_conf()) { - return false; -@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - goto done; - } - -- /* FIXME: add aes here - gd */ -+ aes_enctypes = talloc_strdup(fname, ""); -+ if (aes_enctypes == NULL) { -+ goto done; -+ } -+ -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 "); -+ if (aes_enctypes == NULL) { -+ goto done; -+ } -+#endif -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96"); -+ if (aes_enctypes == NULL) { -+ goto done; -+ } -+#endif -+ - file_contents = talloc_asprintf(fname, - "[libdefaults]\n\tdefault_realm = %s\n" -- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" -- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" -- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" -+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" -+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" -+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" - "[realms]\n\t%s = {\n" - "\t%s\t}\n", -- realm_upper, realm_upper, kdc_ip_string); -+ 
realm_upper, aes_enctypes, aes_enctypes, aes_enctypes, -+ realm_upper, kdc_ip_string); - - if (!file_contents) { - goto done; diff --git a/samba-4.0.0rc4-request_aes_krb_keys.patch b/samba-4.0.0rc4-request_aes_krb_keys.patch deleted file mode 100644 index 31391f8..0000000 --- a/samba-4.0.0rc4-request_aes_krb_keys.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -commit eae33e96fcaa456830862325b91579faf2a96213 -Author: Günther Deschner -AuthorDate: Thu Dec 15 18:12:41 2011 +0100 -Commit: Günther Deschner -CommitDate: Tue Oct 2 16:22:31 2012 +0200 - - s3-krb5: use and request AES keys in kerberos operations. - - Guenther ---- - lib/krb5_wrap/krb5_samba.c | 6 ++++++ - source3/libads/kerberos.c | 1 + - source3/libads/kerberos_keytab.c | 8 +++++++- - 3 files changed, 14 insertions(+), 1 deletion(-) - -diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index 1a5a710..8037337 100644 ---- a/lib/krb5_wrap/krb5_samba.c -+++ b/lib/krb5_wrap/krb5_samba.c -@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, - ENCTYPE_ARCFOUR_HMAC, - ENCTYPE_DES_CBC_MD5, - ENCTYPE_DES_CBC_CRC, -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+#endif -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+#endif - ENCTYPE_NULL}; - - initialize_krb5_error_table(); -diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c -index 1093d12..fd39394 100644 ---- a/source3/libads/kerberos.c -+++ b/source3/libads/kerberos.c -@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, - goto done; - } - -+ /* FIXME: add aes here - gd */ - file_contents = talloc_asprintf(fname, - "[libdefaults]\n\tdefault_realm = %s\n" - "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" -diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c -index eb2603b..b7df50d 100644 ---- a/source3/libads/kerberos_keytab.c -+++ b/source3/libads/kerberos_keytab.c -@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) - krb5_keytab keytab = NULL; - krb5_data password; - krb5_kvno kvno; -- krb5_enctype enctypes[4] = { -+ krb5_enctype enctypes[6] = { - ENCTYPE_DES_CBC_CRC, - ENCTYPE_DES_CBC_MD5, -+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, 
-+#endif -+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+#endif - ENCTYPE_ARCFOUR_HMAC, - 0 - }; diff --git a/samba-4.0.0rc5-fix_winbind_offline_logon.patch b/samba-4.0.0rc5-fix_winbind_offline_logon.patch deleted file mode 100644 index abc5eb1..0000000 --- a/samba-4.0.0rc5-fix_winbind_offline_logon.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6c148a1532f9b29b1ec6283a971caeb7de4ff24e Mon Sep 17 00:00:00 2001 -From: Michael Adam -Date: Thu, 1 Nov 2012 14:41:56 +0100 -Subject: [PATCH] s3:winbindd:cache: fix offline logons with cached - credentials (bug #9321) - -The removal of consumption of the time field from the centry -as "removal of unused variable" in 21528da9cd12a4f5c3792a482a5d18fe946a6f7a -had the side effect of changing the offset for reading the following -nt password hash, so the read password hash was wrong. - -This patch re-installs the consumption of the time, -thereby fixing the bug without changing the disk format of the cache. - -Signed-off-by: Michael Adam ---- - source3/winbindd/winbindd_cache.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c -index 2c9dd4a..c79d3b6 100644 ---- a/source3/winbindd/winbindd_cache.c -+++ b/source3/winbindd/winbindd_cache.c -@@ -1329,6 +1329,13 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain, - return NT_STATUS_OBJECT_NAME_NOT_FOUND; - } - -+ /* -+ * We don't use the time element at this moment, -+ * but we have to consume it, so that we don't -+ * neet to change the disk format of the cache. -+ */ -+ (void)centry_time(centry); -+ - /* In the salted case this isn't actually the nt_hash itself, - but the MD5 of the salt + nt_hash. Let the caller - sort this out. It can tell as we only return the cached_salt --- -1.7.9.5 - diff --git a/samba-4.0.0rc6-LogonSamLogon_failover.patch b/samba-4.0.0rc6-LogonSamLogon_failover.patch new file mode 100644 index 0000000..e4aa594 --- /dev/null 
+++ b/samba-4.0.0rc6-LogonSamLogon_failover.patch @@ -0,0 +1,95 @@ +commit 3b01dd5f59841b11e9906b8c23345946e0d0ea8c +Author: Andreas Schneider +AuthorDate: Fri Nov 9 15:33:09 2012 +0100 +Commit: Stefan Metzmacher +CommitDate: Mon Nov 12 18:57:18 2012 +0100 + + s3:winbind: BUG 9386: Failover if netlogon pipe is not available. + + Samba continues to query a broken DC while the DC did not finish to + rebuild Sysvol (after a Windows crash, for example). It causes end users + to received strange codes while trying to authenticate, even if there is + a secondary DC available. + + 
Signed-off-by: Andreas Schneider + Reviewed-by: Stefan Metzmacher + + Autobuild-User(master): Stefan Metzmacher + Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104 +--- + source3/winbindd/winbindd_pam.c | 52 ++++++++++++++++++++++++++++++----------- + 1 file changed, 39 insertions(+), 13 deletions(-) + +diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c +index 5b6b77b..b23d421 100644 +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -1175,6 +1175,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, + struct netr_SamInfo3 **info3) + { + int attempts = 0; ++ int netr_attempts = 0; + bool retry = false; + NTSTATUS result; + +@@ -1189,22 +1190,47 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain, + result = cm_connect_netlogon(domain, &netlogon_pipe); + + if (!NT_STATUS_IS_OK(result)) { +- DEBUG(3,("could not open handle to NETLOGON pipe (error: %s)\n", +- nt_errstr(result))); +- if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) { +- if (attempts > 0) { +- DEBUG(3, ("This is the second problem for this " +- "particular call, forcing the close of " +- "this connection\n")); +- invalidate_cm_connection(&domain->conn); +- } else { +- DEBUG(3, ("First call to cm_connect_netlogon " +- "has timed out, retrying\n")); +- continue; +- } ++ DEBUG(3,("Could not open handle to NETLOGON pipe " ++ "(error: %s, attempts: %d)\n", ++ nt_errstr(result), netr_attempts)); ++ ++ /* After the first retry always close the connection */ ++ if (netr_attempts > 0) { ++ DEBUG(3, ("This is again a problem for this " ++ "particular call, forcing the close " ++ "of this connection\n")); ++ invalidate_cm_connection(&domain->conn); ++ } ++ ++ /* After the second retry failover to the next DC */ ++ if (netr_attempts > 1) { ++ /* ++ * If the netlogon server is not reachable then ++ * it is possible that the DC is rebuilding ++ * sysvol and shutdown netlogon for that 
time. ++ * We should failover to the next dc. ++ */ ++ DEBUG(3, ("This is the third problem for this " ++ "particular call, adding DC to the " ++ "negative cache list\n")); ++ add_failed_connection_entry(domain->name, ++ domain->dcname, ++ result); ++ saf_delete(domain->name); ++ } ++ ++ /* Only allow 3 retries */ ++ if (netr_attempts < 3) { ++ DEBUG(3, ("The connection to netlogon " ++ "failed, retrying\n")); ++ netr_attempts++; ++ retry = true; ++ continue; + } + return result; + } ++ netr_attempts = 0; ++ + auth = netlogon_pipe->auth; + if (netlogon_pipe->dc) { + neg_flags = netlogon_pipe->dc->negotiate_flags; diff --git a/samba.spec b/samba.spec index e9e6ef3..9afc3fd 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 165 +%define main_release 166 %define samba_version 4.0.0 %define talloc_version 2.0.7 @@ -6,7 +6,7 @@ %define tdb_version 1.2.10 %define tevent_version 0.9.17 %define ldb_version 1.1.12 -%define pre_release rc4 +%define pre_release rc5 %define samba_release %{main_release}%{?dist}.%{pre_release} @@ -57,14 +57,11 @@ Source2: samba.xinetd Source3: swat.desktop Source4: smb.conf.default Source5: pam_winbind.conf -Source7: winbind.networkmanager Source200: README.dc Source201: README.downgrade -Patch0: samba-4.0.0rc4-request_aes_krb_keys.patch -Patch1: samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch -Patch2: samba-4.0.0rc5-fix_winbind_offline_logon.patch +Patch0: samba-4.0.0rc6-LogonSamLogon_failover.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -407,9 +404,7 @@ the local kerberos library to use the same KDC as samba and winbind use %prep %setup -q -n samba-%{version}%{pre_release} -%patch0 -p1 -b .request_aes_krb_keys -%patch1 -p1 -b .add_aes_enctypes_to_krb5_conf -%patch2 -p1 -b .winbind_offline_logon +%patch0 -p1 -b .samlogon_failover %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util 
@@ -554,9 +549,10 @@ for i in nmb smb winbind ; do install -m 0644 tmp$i.service %{buildroot}%{_unitdir}/$i.service done -# FIXME use packaging/NetworkManager/30-winbind +# NetworkManager online/offline script install -d -m 0755 %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/ -install -m 0755 %{SOURCE7} %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind +install -m 0755 packaging/NetworkManager/30-winbind-systemd \ + %{buildroot}%{_sysconfdir}/NetworkManager/dispatcher.d/30-winbind # winbind krb5 locator install -d -m 0755 %{buildroot}%{_libdir}/krb5/plugins/libkrb5 @@ -772,7 +768,6 @@ rm -rf %{buildroot} %{_bindir}/profiles %{_bindir}/smbcontrol %{_bindir}/testparm -%{_libdir}/samba/libgpo.so %{_datadir}/samba/codepages %config(noreplace) %{_sysconfdir}/logrotate.d/samba %attr(0700,root,root) %dir /var/log/samba @@ -1069,6 +1064,7 @@ rm -rf %{buildroot} %{_libdir}/samba/liberrors.so %{_libdir}/samba/libevents.so %{_libdir}/samba/libflag_mapping.so +%{_libdir}/samba/libgpo.so %{_libdir}/samba/libgse.so %{_libdir}/samba/libinterfaces.so %{_libdir}/samba/libkrb5samba.so @@ -1302,6 +1298,9 @@ rm -rf %{buildroot} %{_mandir}/man7/winbind_krb5_locator.7* %changelog +* Tue Nov 13 2012 - Andreas Schneider - 2:4.0.0-166.rc5 +- Update to Samba 4.0.0rc5. + * Mon Nov 05 2012 - Andreas Schneider - 2:4.0.0-165.rc4 - Fix library dependencies of libnetapi. diff --git a/winbind.networkmanager b/winbind.networkmanager deleted file mode 100755 index af0edf9..0000000 --- a/winbind.networkmanager +++ /dev/null 
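Review bot: The %changelog entry in the last hunk records only `Update to Samba 4.0.0rc5.`, but this revision also drops the three rc4/rc5 patches (presumably contained in the rc5 tarball), adds the LogonSamLogon failover backport, replaces the packaged winbind.networkmanager dispatcher with packaging/NetworkManager/30-winbind-systemd from the source tree, and moves %{_libdir}/samba/libgpo.so to a different %files list. A downstream reader tracking behaviour changes should see those in the changelog, e.g. `- Use the upstream NetworkManager dispatcher script 30-winbind-systemd.` and `- Add backport for DC failover when the NETLOGON pipe is unavailable (BUG 9386).` The deleted dispatcher script only acted when `winbind offline logon` was enabled (it checked testparm before calling smbcontrol); whether the upstream script keeps that gate is not visible here and is worth confirming before the swap.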
@@ -1,20 +0,0 @@ -#!/bin/sh - -winbind_is_active=$(/bin/systemctl is-active winbind.service) -test "${winbind_is_active}" = "active" || exit 0 - -winbind_offline_logon=$(testparm -s --parameter-name "winbind offline logon" 2>/dev/null) -test "${winbind_offline_logon}" = "Yes" || exit 0 - -case "$2" in - up|vpn-up) - nmb_is_active=$(/bin/systemctl is-active nmb.service) - if test "${nmb_is_active}" = "active"; then - /bin/systemctl try-restart nmb.service || : - fi - /usr/bin/smbcontrol winbind online || : - ;; - down) - /usr/bin/smbcontrol winbind offline - ;; -esac