Fix winbind trusted domain regression

related: #2021716

Guenther
Günther Deschner 2021-11-11 14:45:45 +01:00
parent 56ca6af06a
commit f0333fc6d6
2 changed files with 47 additions and 1 deletions

@ -0,0 +1,41 @@
From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 9 Nov 2021 20:50:20 +0100
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
add_trusted_domain() should only reject domains
based on is_allowed_domain(), which now also
checks "allow trusted domains = no", if we don't
have an explicit trust to the domain (SEC_CHAN_NULL).
We use at least SEC_CHAN_LOCAL for local domains like
BUILTIN.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
---
source3/winbindd/winbindd_util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 42ddbfd2f44..9d54e462c42 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
return NT_STATUS_INVALID_PARAMETER;
}
- if (!is_allowed_domain(domain_name)) {
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
--
2.33.1
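Review bot: The new condition in add_trusted_domain() skips is_allowed_domain() for every secure_channel_type other than SEC_CHAN_NULL, so enforcement of "allow trusted domains = no" now depends on each caller passing SEC_CHAN_NULL whenever no explicit trust exists, and nothing in the code says so. Add a short comment above the check that carries the commit message's reasoning (local domains such as BUILTIN use at least SEC_CHAN_LOCAL). Since the diffstat shows only winbindd_util.c changed, consider a regression test that confirms a domain without an explicit trust is still rejected with NT_STATUS_NO_SUCH_DOMAIN.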

@ -129,7 +129,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global baserelease 0
%global baserelease 1
%global samba_version 4.15.2
%global talloc_version 2.3.3
@ -201,6 +201,7 @@ Source201: README.downgrade
Patch0: samba-s4u.patch
Patch1: samba-ctdb-etcd-reclock.patch
Patch2: samba-4.15.1-winexe.patch
Patch3: samba-4.15-fix-winbind-no-trusted-domain.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
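Review bot: The Patch3 line has no comment tying it to its upstream origin. Add a comment above it with the upstream bug (https://bugzilla.samba.org/show_bug.cgi?id=14899) and the cherry-picked commit a7f6c60cb037b4bc9eee276236539b8282213935 from the patch header, so the patch can be identified and dropped once a later Samba release includes the fix.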
@ -4092,6 +4093,10 @@ fi
%endif
%changelog
* Thu Nov 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.15.2-1
- Fix winbind trusted domain regression
- related: #2021716
* Tue Nov 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.15.2-0
- Update to Samba 4.15.2
- resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124