From f0333fc6d6d35e2d240714bd05afc916e133e143 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 11 Nov 2021 14:45:45 +0100 Subject: [PATCH] Fix winbind trusted domain regression related: #2021716 Guenther --- ...a-4.15-fix-winbind-no-trusted-domain.patch | 41 +++++++++++++++++++ samba.spec | 7 +++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 samba-4.15-fix-winbind-no-trusted-domain.patch diff --git a/samba-4.15-fix-winbind-no-trusted-domain.patch b/samba-4.15-fix-winbind-no-trusted-domain.patch new file mode 100644 index 0000000..4924872 --- /dev/null +++ b/samba-4.15-fix-winbind-no-trusted-domain.patch 
@@ -0,0 +1,41 @@ +From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 9 Nov 2021 20:50:20 +0100 +Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression + +add_trusted_domain() should only reject domains +based on is_allowed_domain(), which now also +checks "allow trusted domains = no", if we don't +have an explicit trust to the domain (SEC_CHAN_NULL). + +We use at least SEC_CHAN_LOCAL for local domains like +BUILTIN. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899 + +Signed-off-by: Stefan Metzmacher + +Autobuild-User(master): Stefan Metzmacher +Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184 + +(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935) +--- + source3/winbindd/winbindd_util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c +index 42ddbfd2f44..9d54e462c42 100644 +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name, + return NT_STATUS_INVALID_PARAMETER; + } + +- if (!is_allowed_domain(domain_name)) { ++ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) { + return NT_STATUS_NO_SUCH_DOMAIN; + } + +-- +2.33.1 + diff --git a/samba.spec b/samba.spec index 4817ea7..dd53d8c 100644 --- a/samba.spec +++ b/samba.spec @@ -129,7 +129,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 0 +%global baserelease 1 %global samba_version 4.15.2 %global talloc_version 2.3.3 
@@ -201,6 +201,7 @@ Source201: README.downgrade Patch0: samba-s4u.patch Patch1: samba-ctdb-etcd-reclock.patch Patch2: samba-4.15.1-winexe.patch +Patch3: samba-4.15-fix-winbind-no-trusted-domain.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -4092,6 +4093,10 @@ fi %endif %changelog +* Thu Nov 11 2021 Guenther Deschner - 4.15.2-1 +- Fix winbind trusted domain regression +- related: #2021716 + * Tue Nov 09 2021 Guenther Deschner - 4.15.2-0 - Update to Samba 4.15.2 - resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124
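Review bot: In the source3/winbindd/winbindd_util.c hunk, the new guard `if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {` skips is_allowed_domain() for every secure channel type other than SEC_CHAN_NULL, and the reason is recorded only in the commit message. Add a short comment above the condition stating that domains with an explicit trust, and local domains such as BUILTIN that are added with at least SEC_CHAN_LOCAL, are intentionally exempt. Please also confirm that every caller passing a non-NULL type really represents an explicit trust, since enforcement of "allow trusted domains = no" now depends on that argument. The condition line is long and would read better wrapped after `&&`. The diffstat lists one file changed with 1 insertion and 1 deletion, so no regression test accompanies the fix; a test that runs with "allow trusted domains = no" and covers both BUILTIN and a domain without a trust would keep this from regressing again.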
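Review bot: The `Patch3: samba-4.15-fix-winbind-no-trusted-domain.patch` line in samba.spec has no comment tying it to its upstream origin. A comment above it with the upstream bug URL (https://bugzilla.samba.org/show_bug.cgi?id=14899) and the cherry-picked commit a7f6c60cb037b4bc9eee276236539b8282213935 would make it obvious when the patch can be dropped on the next rebase. The visible hunks do not include the %prep section, so please check that Patch3 is actually applied there and not only declared.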