Update to Samba 4.16.0rc1
This commit is contained in:
parent
c1f9bec1db
commit
c8ac21e6f1
2
.gitignore
vendored
2
.gitignore
vendored
@ -277,3 +277,5 @@ samba-3.6.0pre1.tar.gz
|
||||
/samba-4.15.3.tar.asc
|
||||
/samba-4.15.4.tar.xz
|
||||
/samba-4.15.4.tar.asc
|
||||
/samba-4.16.0rc1.tar.xz
|
||||
/samba-4.16.0rc1.tar.asc
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 939aed0498269df3c1e012f3b68c314b583f25bd Mon Sep 17 00:00:00 2001
|
||||
From: Martin Schwenke <martin@meltin.net>
|
||||
Date: Tue, 27 Apr 2021 15:46:14 +1000
|
||||
Subject: [PATCH] utils: Use Python 3
|
||||
|
||||
Due to the number of flake8 and pylint warnings it is unclear if the
|
||||
source has Python 3 incompatibilities. These will be cleaned up in
|
||||
subsequent commits.
|
||||
|
||||
Signed-off-by: "L.P.H. van Belle" <belle@bazuin.nl>
|
||||
Reviewed-by: Martin Schwenke <martin@meltin.net>
|
||||
Reviewed-by: David Disseldorp <ddiss@samba.org>
|
||||
Reviewed-by: Jose A. Rivera <jarrpa@samba.org>
|
||||
---
|
||||
ctdb/utils/etcd/ctdb_etcd_lock | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ctdb/utils/etcd/ctdb_etcd_lock b/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
index 000c6bb7208..7f5194eff0a 100755
|
||||
--- a/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
+++ b/ctdb/utils/etcd/ctdb_etcd_lock
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python
|
||||
+#!/usr/bin/env python3
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,64 +0,0 @@
|
||||
From e556b4067e0c4036e20fc26523e3b4d6d5c6be42 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Thu, 7 Oct 2021 15:55:37 +0200
|
||||
Subject: [PATCH] waf: Fix resolv_wrapper with glibc 2.34
|
||||
|
||||
With glibc 2.34 we are not able to talk to the DNS server via socket_wrapper
|
||||
anymore. The res_* symbols have been moved from libresolv to libc. We are not
|
||||
able to intercept any traffic inside of libc.
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
|
||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
selftest/wscript | 2 +-
|
||||
third_party/resolv_wrapper/wscript | 13 +++++++++++++
|
||||
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/selftest/wscript b/selftest/wscript
|
||||
index a6be06c2ae9..85d9338489a 100644
|
||||
--- a/selftest/wscript
|
||||
+++ b/selftest/wscript
|
||||
@@ -252,7 +252,7 @@ def cmd_testonly(opt):
|
||||
if os.environ.get('USE_NAMESPACES') is None:
|
||||
env.OPTIONS += " --socket_wrapper_so_path=" + CONFIG_GET(opt, 'LIBSOCKET_WRAPPER_SO_PATH')
|
||||
|
||||
- if Utils.unversioned_sys_platform() in ('netbsd', 'openbsd', 'sunos'):
|
||||
+ if not CONFIG_SET(opt, 'HAVE_RESOLV_CONF_SUPPORT'):
|
||||
env.OPTIONS += " --use-dns-faking"
|
||||
|
||||
if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'):
|
||||
diff --git a/third_party/resolv_wrapper/wscript b/third_party/resolv_wrapper/wscript
|
||||
index a7f18389b0f..7e369bd90b5 100644
|
||||
--- a/third_party/resolv_wrapper/wscript
|
||||
+++ b/third_party/resolv_wrapper/wscript
|
||||
@@ -1,6 +1,7 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
import os
|
||||
+from waflib import Logs
|
||||
|
||||
VERSION="1.1.7"
|
||||
|
||||
@@ -49,6 +50,18 @@ def configure(conf):
|
||||
if conf.CONFIG_SET('HAVE_RES_NCLOSE'):
|
||||
conf.DEFINE('HAVE_RES_NCLOSE_IN_LIBRESOLV', 1)
|
||||
|
||||
+ # If we find res_nquery in libc, we can't do resolv.conf redirect
|
||||
+ conf.CHECK_FUNCS('res_nquery __res_nquery')
|
||||
+ if (conf.CONFIG_SET('HAVE_RES_NQUERY')
|
||||
+ or conf.CONFIG_SET('HAVE___RES_NQUERY')):
|
||||
+ Logs.warn("Detection for resolv_wrapper: "
|
||||
+ "Only dns faking will be available")
|
||||
+ else:
|
||||
+ if conf.CHECK_FUNCS('res_nquery', lib='resolv'):
|
||||
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
|
||||
+ if conf.CHECK_FUNCS('__res_nquery', lib='resolv'):
|
||||
+ conf.DEFINE('HAVE_RESOLV_CONF_SUPPORT', 1)
|
||||
+
|
||||
conf.CHECK_FUNCS_IN('res_init __res_init', 'resolv', checklibc=True)
|
||||
conf.CHECK_FUNCS_IN('res_ninit __res_ninit', 'resolv', checklibc=True)
|
||||
conf.CHECK_FUNCS_IN('res_close __res_close', 'resolv', checklibc=True)
|
||||
--
|
||||
2.33.1
|
||||
|
145
samba-s4u.patch
145
samba-s4u.patch
@ -1,7 +1,7 @@
|
||||
From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001
|
||||
From 17eb98d3f8ebd0fe48e218bb03a3c0165b9b6e95 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:25:03 +0300
|
||||
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
|
||||
Subject: [PATCH 1/4] mit-kdc: add basic loacl realm S4U support
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
3 files changed, 71 insertions(+), 106 deletions(-)
|
||||
|
||||
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
index f35210669c2..b1c7c5dcc5e 100644
|
||||
index 793fe366c35..22534c09974 100644
|
||||
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
@@ -200,13 +200,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
krb5_keyblock *krbtgt_key,
|
||||
krb5_timestamp authtime,
|
||||
krb5_authdata **tgt_auth_data,
|
||||
@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
@@ -238,41 +242,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = krb5_pac_parse(context,
|
||||
authdata[0]->contents,
|
||||
authdata[0]->length,
|
||||
@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
@@ -280,17 +286,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = mit_samba_reget_pac(mit_ctx,
|
||||
context,
|
||||
flags,
|
||||
@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
|
||||
return code;
|
||||
}
|
||||
@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -319,6 +330,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krb5_authdata **pac_auth_data = NULL;
|
||||
krb5_authdata **authdata = NULL;
|
||||
krb5_boolean is_as_req;
|
||||
@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
krb5_error_code code;
|
||||
krb5_pac pac = NULL;
|
||||
krb5_data pac_data;
|
||||
@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -330,11 +342,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
|
||||
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
||||
|
||||
@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
||||
|
||||
/*
|
||||
@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -395,6 +402,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
ks_client_princ = client->princ;
|
||||
}
|
||||
|
||||
@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
if (client_entry == NULL) {
|
||||
client_entry = client;
|
||||
}
|
||||
@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -469,7 +486,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
|
||||
code = ks_verify_pac(context,
|
||||
flags,
|
||||
@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
client_entry,
|
||||
server,
|
||||
krbtgt,
|
||||
@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -515,7 +532,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
is_as_req ? "AS-REQ" : "TGS-REQ",
|
||||
client_name);
|
||||
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
||||
@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
if (code != 0) {
|
||||
DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
||||
goto done;
|
||||
@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
@@ -541,12 +558,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
KRB5_AUTHDATA_IF_RELEVANT,
|
||||
authdata,
|
||||
signed_auth_data);
|
||||
@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
done:
|
||||
if (client_entry != NULL && client_entry != client) {
|
||||
ks_free_principal(context, client_entry);
|
||||
@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
@@ -572,32 +583,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
* server; -> delegating service
|
||||
* proxy; -> target principal
|
||||
*/
|
||||
@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644
|
||||
|
||||
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index 4239332f0d9..acc3cba6254 100644
|
||||
index 27b15828468..994dfed312b 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
@@ -682,7 +681,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
context,
|
||||
*pac,
|
||||
server->princ,
|
||||
@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644
|
||||
deleg_blob);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("Update delegation info failed: %s\n",
|
||||
@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
@@ -1004,41 +1003,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
}
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644
|
||||
|
||||
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
|
||||
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
|
||||
index 636c77ec97c..9cb00c9610e 100644
|
||||
index 4431e82a1b2..9370ab533af 100644
|
||||
--- a/source4/kdc/mit_samba.h
|
||||
+++ b/source4/kdc/mit_samba.h
|
||||
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
DATA_BLOB *e_data);
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
@ -336,10 +336,10 @@ index 636c77ec97c..9cb00c9610e 100644
|
||||
2.33.1
|
||||
|
||||
|
||||
From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001
|
||||
From f4fc23103f47b712baf3b4b0ebcb42d0f3f3fd42 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:35:30 +0300
|
||||
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
|
||||
Subject: [PATCH 2/4] krb5-mit: enable S4U client support for MIT build
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
3 files changed, 185 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index fff5b4e2a22..791b417d5ba 100644
|
||||
index 61d651b4d5f..462acec90b6 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
@@ -2699,6 +2699,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -546,7 +546,7 @@ index fff5b4e2a22..791b417d5ba 100644
|
||||
|
||||
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
|
||||
index eab67f6d969..b5385c69a33 100644
|
||||
index a66b7465530..c8573f52bd9 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.h
|
||||
+++ b/lib/krb5_wrap/krb5_samba.h
|
||||
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
|
||||
@ -614,63 +614,20 @@ index 544d9d853cc..c14d8c72d8c 100644
|
||||
2.33.1
|
||||
|
||||
|
||||
From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001
|
||||
From 48d73d552f2fbbdb07bd9aff4d0294883b70417f Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Sat, 19 Sep 2020 14:16:20 +0200
|
||||
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
|
||||
Subject: [PATCH 3/4] wip: for canonicalization with new MIT kdc code
|
||||
|
||||
---
|
||||
source4/heimdal/lib/hdb/hdb.h | 1 +
|
||||
source4/kdc/db-glue.c | 8 ++++++--
|
||||
source4/kdc/mit_samba.c | 3 +++
|
||||
source4/kdc/sdb.h | 1 +
|
||||
4 files changed, 11 insertions(+), 2 deletions(-)
|
||||
source4/kdc/mit_samba.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
|
||||
index 5ef9d9565f3..dafaffc6c2d 100644
|
||||
--- a/source4/heimdal/lib/hdb/hdb.h
|
||||
+++ b/source4/heimdal/lib/hdb/hdb.h
|
||||
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
|
||||
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
|
||||
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
/* hdb_capability_flags */
|
||||
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
|
||||
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
||||
index aff74f2ee71..d16b4c3329a 100644
|
||||
--- a/source4/kdc/db-glue.c
|
||||
+++ b/source4/kdc/db-glue.c
|
||||
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
|
||||
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
krb5_clear_error_message(context);
|
||||
goto out;
|
||||
}
|
||||
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
|
||||
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
|
||||
/*
|
||||
* SDB_F_CANON maps from the canonicalize flag in the
|
||||
* packet, and has a different meaning between AS-REQ
|
||||
* and TGS-REQ. We only change the principal in the AS-REQ case
|
||||
+ *
|
||||
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
|
||||
+ * the canonical name in all lookups, and takes care to canonicalize
|
||||
+ * only when appropriate.
|
||||
*/
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index acc3cba6254..f0b9df8b613 100644
|
||||
index 994dfed312b..9d039e5601b 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
|
||||
sflags |= SDB_F_CANON;
|
||||
}
|
||||
@ -680,18 +637,34 @@ index acc3cba6254..f0b9df8b613 100644
|
||||
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
|
||||
KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
||||
/*
|
||||
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
|
||||
index c929acccce6..a9115ec23d7 100644
|
||||
--- a/source4/kdc/sdb.h
|
||||
+++ b/source4/kdc/sdb.h
|
||||
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
|
||||
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
|
||||
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
void sdb_free_entry(struct sdb_entry_ex *e);
|
||||
void free_sdb_entry(struct sdb_entry *s);
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From f5f54026d151f6d899e8ff52d8829a2f9cf57f25 Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schneider <asn@samba.org>
|
||||
Date: Tue, 21 Dec 2021 12:17:11 +0100
|
||||
Subject: [PATCH 4/4] s4:kdc: Also cannoicalize krbtgt principals when
|
||||
enforcing canonicalization
|
||||
|
||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source4/kdc/db-glue.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
||||
index 8d17038cfe6..77c0c0e4746 100644
|
||||
--- a/source4/kdc/db-glue.c
|
||||
+++ b/source4/kdc/db-glue.c
|
||||
@@ -946,7 +946,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
|
||||
p->is_krbtgt = true;
|
||||
|
||||
- if (flags & (SDB_F_CANON)) {
|
||||
+ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
|
||||
/*
|
||||
* When requested to do so, ensure that the
|
||||
* both realm values in the principal are set
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
66
samba.spec
66
samba.spec
@ -134,13 +134,13 @@
|
||||
|
||||
%global baserelease 0
|
||||
|
||||
%global samba_version 4.15.4
|
||||
%global samba_version 4.16.0
|
||||
%global talloc_version 2.3.3
|
||||
%global tdb_version 1.4.4
|
||||
%global tdb_version 1.4.6
|
||||
%global tevent_version 0.11.0
|
||||
%global ldb_version 2.4.1
|
||||
%global ldb_version 2.5.0
|
||||
# This should be rc1 or nil
|
||||
%global pre_release %nil
|
||||
%global pre_release rc1
|
||||
|
||||
%global samba_release %{baserelease}
|
||||
%if "x%{?pre_release}" != "x"
|
||||
@ -202,8 +202,6 @@ Source14: samba.pamd
|
||||
Source201: README.downgrade
|
||||
|
||||
Patch0: samba-s4u.patch
|
||||
Patch1: samba-ctdb-etcd-reclock.patch
|
||||
Patch2: samba-glibc-dns.patch
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
Requires(post): systemd
|
||||
@ -1614,11 +1612,21 @@ fi
|
||||
%{_libdir}/samba/vfs/nfs4acl_xattr.so
|
||||
%endif
|
||||
|
||||
%dir %{_libexecdir}/samba
|
||||
%{_libexecdir}/samba/samba-bgqd
|
||||
%{_libexecdir}/samba/samba-dcerpcd
|
||||
%{_libexecdir}/samba/rpcd_classic
|
||||
%{_libexecdir}/samba/rpcd_epmapper
|
||||
%{_libexecdir}/samba/rpcd_fsrvp
|
||||
%{_libexecdir}/samba/rpcd_lsad
|
||||
%{_libexecdir}/samba/rpcd_mdssvc
|
||||
%{_libexecdir}/samba/rpcd_rpcecho
|
||||
%{_libexecdir}/samba/rpcd_spoolss
|
||||
%{_libexecdir}/samba/rpcd_winreg
|
||||
|
||||
%dir %{_datadir}/samba
|
||||
%dir %{_datadir}/samba/mdssvc
|
||||
%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
|
||||
#%%dir %%{_datadir}/samba/mdssvc
|
||||
#%%{_datadir}/samba/mdssvc/elasticsearch_mappings.json
|
||||
|
||||
%{_unitdir}/nmb.service
|
||||
%{_unitdir}/smb.service
|
||||
@ -1628,6 +1636,7 @@ fi
|
||||
%{_mandir}/man1/smbstatus.1*
|
||||
%{_mandir}/man8/eventlogadm.8*
|
||||
%{_mandir}/man8/samba-bgqd.8*
|
||||
%{_mandir}/man8/samba-dcerpcd.8*
|
||||
%{_mandir}/man8/smbd.8*
|
||||
%{_mandir}/man8/nmbd.8*
|
||||
%{_mandir}/man8/vfs_acl_tdb.8*
|
||||
@ -1642,6 +1651,7 @@ fi
|
||||
%{_mandir}/man8/vfs_crossrename.8*
|
||||
%{_mandir}/man8/vfs_default_quota.8*
|
||||
%{_mandir}/man8/vfs_dirsort.8*
|
||||
%{_mandir}/man8/vfs_expand_msdfs.8*
|
||||
%{_mandir}/man8/vfs_extd_audit.8*
|
||||
%{_mandir}/man8/vfs_fake_perms.8*
|
||||
%{_mandir}/man8/vfs_fileid.8*
|
||||
@ -1852,7 +1862,7 @@ fi
|
||||
|
||||
%if %{without libwbclient}
|
||||
%{_libdir}/samba/libwbclient.so.*
|
||||
%{_libdir}/samba/libwinbind-client-samba4.so
|
||||
#%%{_libdir}/samba/libwinbind-client-samba4.so
|
||||
#endif without libwbclient
|
||||
%endif
|
||||
|
||||
@ -2232,6 +2242,9 @@ fi
|
||||
%{_libdir}/samba/libshares-samba4.so
|
||||
%{_libdir}/samba/libsmbpasswdparser-samba4.so
|
||||
%{_libdir}/samba/libxattr-tdb-samba4.so
|
||||
%{_libdir}/samba/libREG-FULL-samba4.so
|
||||
%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
|
||||
%{_libdir}/samba/libRPC-WORKER-samba4.so
|
||||
|
||||
### LIBSMBCLIENT
|
||||
%if %{with libsmbclient}
|
||||
@ -2251,7 +2264,7 @@ fi
|
||||
%if %{with libwbclient}
|
||||
%files -n libwbclient
|
||||
%{_libdir}/samba/wbclient/libwbclient.so.*
|
||||
%{_libdir}/samba/libwinbind-client-samba4.so
|
||||
#%%{_libdir}/samba/libwinbind-client-samba4.so
|
||||
|
||||
### LIBWBCLIENT-DEVEL
|
||||
%files -n libwbclient-devel
|
||||
@ -2322,7 +2335,11 @@ fi
|
||||
%{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/getopt.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_cert_auto_enroll_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_chromium_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_firefox_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_firewalld_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc
|
||||
@ -2438,7 +2455,11 @@ fi
|
||||
%{python3_sitearch}/samba/emulate/__init__.py
|
||||
%{python3_sitearch}/samba/emulate/traffic.py
|
||||
%{python3_sitearch}/samba/emulate/traffic_packets.py
|
||||
%{python3_sitearch}/samba/gp_cert_auto_enroll_ext.py
|
||||
%{python3_sitearch}/samba/gp_chromium_ext.py
|
||||
%{python3_sitearch}/samba/gp_ext_loader.py
|
||||
%{python3_sitearch}/samba/gp_firefox_ext.py
|
||||
%{python3_sitearch}/samba/gp_firewalld_ext.py
|
||||
%{python3_sitearch}/samba/gp_msgs_ext.py
|
||||
%{python3_sitearch}/samba/gp_smb_conf_ext.py
|
||||
%{python3_sitearch}/samba/gp_sudoers_ext.py
|
||||
@ -2755,6 +2776,7 @@ fi
|
||||
%{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/source.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/source_chars.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/strings.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/subunitrun.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/tdb_util.*.pyc
|
||||
@ -2924,14 +2946,15 @@ fi
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
|
||||
@ -2949,25 +2972,26 @@ fi
|
||||
%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/raw_testcase.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rodc_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/salt_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/simple_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/spn_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_ccache.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_ccache.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_ldap.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_rpc.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_smb.py
|
||||
%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/salt_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/spn_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5_credentials.py
|
||||
%{python3_sitearch}/samba/tests/ldap_raw.py
|
||||
%{python3_sitearch}/samba/tests/ldap_referrals.py
|
||||
%{python3_sitearch}/samba/tests/ldap_spn.py
|
||||
%{python3_sitearch}/samba/tests/ldap_referrals.py
|
||||
%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
|
||||
%{python3_sitearch}/samba/tests/libsmb.py
|
||||
%{python3_sitearch}/samba/tests/loadparm.py
|
||||
@ -3031,6 +3055,7 @@ fi
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_lmdb_size.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/join_member.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/ntacl.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/ou.*.pyc
|
||||
%{python3_sitearch}/samba/tests/samba_tool/__pycache__/passwordsettings.*.pyc
|
||||
@ -3067,6 +3092,7 @@ fi
|
||||
%{python3_sitearch}/samba/tests/samba_tool/help.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/join.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/join_lmdb_size.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/join_member.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/ntacl.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/ou.py
|
||||
%{python3_sitearch}/samba/tests/samba_tool/passwordsettings.py
|
||||
@ -3098,6 +3124,7 @@ fi
|
||||
%{python3_sitearch}/samba/tests/smbd_base.py
|
||||
%{python3_sitearch}/samba/tests/smbd_fuzztest.py
|
||||
%{python3_sitearch}/samba/tests/source.py
|
||||
%{python3_sitearch}/samba/tests/source_chars.py
|
||||
%{python3_sitearch}/samba/tests/strings.py
|
||||
%{python3_sitearch}/samba/tests/subunitrun.py
|
||||
%{python3_sitearch}/samba/tests/tdb_util.py
|
||||
@ -3119,7 +3146,6 @@ fi
|
||||
%{_mandir}/man1/masktest.1*
|
||||
%{_mandir}/man1/ndrdump.1*
|
||||
%{_mandir}/man1/smbtorture.1*
|
||||
%{_mandir}/man1/vfstest.1*
|
||||
|
||||
%if %{with testsuite}
|
||||
# files to ignore in testsuite mode
|
||||
@ -4103,6 +4129,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Jan 25 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.16.0rc1
|
||||
- Update to Samba 4.16.0rc1
|
||||
- resolves: #2042518
|
||||
|
||||
* Thu Jan 20 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.4-0
|
||||
- Update to Samba 4.15.4
|
||||
- resolves: #2009673, #2039034 - Security fixes for CVE-2021-20316
|
||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (samba-4.15.4.tar.xz) = 19aa7edc55d545c42ba9c2d2bb987df63a825c5a1a6fa2a350d6bca41f04fde6f63b643f6e38d32f4d4067c24420e1ca62ef28dc285c70105ca78487e80ee2dc
|
||||
SHA512 (samba-4.15.4.tar.asc) = 6878efc500f423e7061966954163ef3503e4ab43a527b370a3e26e6992bc9b6a3161e296800b6cd78d5e0d99ac7f1db249d52c2475d035973e2121bc67df6fab
|
||||
SHA512 (samba-4.16.0rc1.tar.asc) = 07aebb0d76834a1a56021d3a9004d6eefae8fb1426aabaca89c9df3572cbcb09dfc0c649c5e28e1844ce53dfd1e94cc828915df26e63268ce883045e4f3c3548
|
||||
SHA512 (samba-4.16.0rc1.tar.xz) = dd7711c998e6d33056d913af64ef33957badf09fb59ba21921f81676b96a939bbf491bfb1362d2625ba30d08526abc6c889376b4e1e439e266bd9b2e9864bcbc
|
||||
|
Loading…
Reference in New Issue
Block a user