Compare commits
10 Commits
2d446a3116
...
c9961d895d
Author | SHA1 | Date |
---|---|---|
Kalev Lember | c9961d895d | |
Andreas Schneider | bf99358854 | |
Günther Deschner | 714a18ed41 | |
Günther Deschner | a739d7195b | |
Andreas Schneider | 5a778122c6 | |
Pavel Filipenský | 6da3682bce | |
Andreas Schneider | a6e266bad8 | |
Andreas Schneider | 2a727e7521 | |
Günther Deschner | 798ea95f57 | |
Andreas Schneider | e8c2a9fd87 |
|
@ -321,3 +321,9 @@ samba-3.6.0pre1.tar.gz
|
||||||
/samba-4.18.0rc1.tar.asc
|
/samba-4.18.0rc1.tar.asc
|
||||||
/samba-4.18.0rc2.tar.xz
|
/samba-4.18.0rc2.tar.xz
|
||||||
/samba-4.18.0rc2.tar.asc
|
/samba-4.18.0rc2.tar.asc
|
||||||
|
/samba-4.18.0rc3.tar.xz
|
||||||
|
/samba-4.18.0rc3.tar.asc
|
||||||
|
/samba-4.18.0rc4.tar.xz
|
||||||
|
/samba-4.18.0rc4.tar.asc
|
||||||
|
/samba-4.18.0.tar.xz
|
||||||
|
/samba-4.18.0.tar.asc
|
||||||
|
|
|
@ -1,540 +0,0 @@
|
||||||
From a3e3d05f35d6082ea48450060b39084e3d0e4056 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 10 Oct 2022 15:15:20 +0200
|
|
||||||
Subject: [PATCH 1/5] s3:librpc: Improve GSE error message
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source3/librpc/crypto/gse.c | 21 +++++++++++++++++++--
|
|
||||||
1 file changed, 19 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
|
|
||||||
index c50a8a036df..c2cac7abf82 100644
|
|
||||||
--- a/source3/librpc/crypto/gse.c
|
|
||||||
+++ b/source3/librpc/crypto/gse.c
|
|
||||||
@@ -546,11 +546,28 @@ init_sec_context_done:
|
|
||||||
goto done;
|
|
||||||
case GSS_S_FAILURE:
|
|
||||||
switch (gss_min) {
|
|
||||||
- case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
|
|
||||||
- DBG_NOTICE("Server principal not found\n");
|
|
||||||
+ case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: {
|
|
||||||
+ gss_buffer_desc name_token = {
|
|
||||||
+ .length = 0,
|
|
||||||
+ };
|
|
||||||
+
|
|
||||||
+ gss_maj = gss_display_name(&gss_min,
|
|
||||||
+ gse_ctx->server_name,
|
|
||||||
+ &name_token,
|
|
||||||
+ NULL);
|
|
||||||
+ if (gss_maj == GSS_S_COMPLETE) {
|
|
||||||
+ DBG_NOTICE("Server principal %.*s not found\n",
|
|
||||||
+ (int)name_token.length,
|
|
||||||
+ (char *)name_token.value);
|
|
||||||
+ gss_release_buffer(&gss_maj, &name_token);
|
|
||||||
+ } else {
|
|
||||||
+ DBG_NOTICE("Server principal not found\n");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Make SPNEGO ignore us, we can't go any further here */
|
|
||||||
status = NT_STATUS_INVALID_PARAMETER;
|
|
||||||
goto done;
|
|
||||||
+ }
|
|
||||||
case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
|
|
||||||
DBG_NOTICE("Ticket expired\n");
|
|
||||||
/* Make SPNEGO ignore us, we can't go any further here */
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From d2e2e9acd717e45806f1b19378e09f39c8fe3da8 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Fri, 7 Oct 2022 14:35:15 +0200
|
|
||||||
Subject: [PATCH 2/5] s3:rpcclient: Pass salt down to
|
|
||||||
init_samr_CryptPasswordAES()
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source3/rpc_client/init_samr.c | 15 ++++-----------
|
|
||||||
source3/rpc_client/init_samr.h | 1 +
|
|
||||||
source3/rpcclient/cmd_samr.c | 8 ++++++++
|
|
||||||
source4/libnet/libnet_passwd.c | 13 +++++++------
|
|
||||||
source4/torture/rpc/samr.c | 27 +++++++++++++++++++++++++++
|
|
||||||
5 files changed, 47 insertions(+), 17 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/rpc_client/init_samr.c b/source3/rpc_client/init_samr.c
|
|
||||||
index 68f42b602b3..52fa2f90d6e 100644
|
|
||||||
--- a/source3/rpc_client/init_samr.c
|
|
||||||
+++ b/source3/rpc_client/init_samr.c
|
|
||||||
@@ -79,6 +79,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
|
|
||||||
|
|
||||||
NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *password,
|
|
||||||
+ DATA_BLOB *salt,
|
|
||||||
DATA_BLOB *session_key,
|
|
||||||
struct samr_EncryptedPasswordAES *ppwd_buf)
|
|
||||||
{
|
|
||||||
@@ -87,12 +88,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
.data = pw_data,
|
|
||||||
.length = sizeof(pw_data),
|
|
||||||
};
|
|
||||||
- size_t iv_size = gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_256_CBC);
|
|
||||||
- uint8_t iv_data[iv_size];
|
|
||||||
- DATA_BLOB iv = {
|
|
||||||
- .data = iv_data,
|
|
||||||
- .length = iv_size,
|
|
||||||
- };
|
|
||||||
DATA_BLOB ciphertext = data_blob_null;
|
|
||||||
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
|
|
||||||
bool ok;
|
|
||||||
@@ -101,8 +96,6 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
return NT_STATUS_INVALID_PARAMETER;
|
|
||||||
}
|
|
||||||
|
|
||||||
- generate_nonce_buffer(iv.data, iv.length);
|
|
||||||
-
|
|
||||||
ok = encode_pwd_buffer514_from_str(pw_data, password, STR_UNICODE);
|
|
||||||
if (!ok) {
|
|
||||||
return NT_STATUS_INTERNAL_ERROR;
|
|
||||||
@@ -114,7 +107,7 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
session_key,
|
|
||||||
&samr_aes256_enc_key_salt,
|
|
||||||
&samr_aes256_mac_key_salt,
|
|
||||||
- &iv,
|
|
||||||
+ salt,
|
|
||||||
&ciphertext,
|
|
||||||
ppwd_buf->auth_data);
|
|
||||||
BURN_DATA(pw_data);
|
|
||||||
@@ -126,8 +119,8 @@ NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
ppwd_buf->cipher = ciphertext.data;
|
|
||||||
ppwd_buf->PBKDF2Iterations = 0;
|
|
||||||
|
|
||||||
- SMB_ASSERT(iv.length == sizeof(ppwd_buf->salt));
|
|
||||||
- memcpy(ppwd_buf->salt, iv.data, iv.length);
|
|
||||||
+ SMB_ASSERT(salt->length == sizeof(ppwd_buf->salt));
|
|
||||||
+ memcpy(ppwd_buf->salt, salt->data, salt->length);
|
|
||||||
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
diff --git a/source3/rpc_client/init_samr.h b/source3/rpc_client/init_samr.h
|
|
||||||
index 940534e7168..71b4c0e573d 100644
|
|
||||||
--- a/source3/rpc_client/init_samr.h
|
|
||||||
+++ b/source3/rpc_client/init_samr.h
|
|
||||||
@@ -47,6 +47,7 @@ NTSTATUS init_samr_CryptPassword(const char *pwd,
|
|
||||||
*/
|
|
||||||
NTSTATUS init_samr_CryptPasswordAES(TALLOC_CTX *mem_ctx,
|
|
||||||
const char *password,
|
|
||||||
+ DATA_BLOB *salt,
|
|
||||||
DATA_BLOB *session_key,
|
|
||||||
struct samr_EncryptedPasswordAES *ppwd_buf);
|
|
||||||
|
|
||||||
diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
|
|
||||||
index 9ccd2f78a8d..8106ca90cf2 100644
|
|
||||||
--- a/source3/rpcclient/cmd_samr.c
|
|
||||||
+++ b/source3/rpcclient/cmd_samr.c
|
|
||||||
@@ -3172,6 +3172,11 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
uint8_t nt_hash[16];
|
|
||||||
uint8_t lm_hash[16];
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
uint8_t password_expired = 0;
|
|
||||||
struct dcerpc_binding_handle *b = cli->binding_handle;
|
|
||||||
TALLOC_CTX *frame = NULL;
|
|
||||||
@@ -3198,6 +3203,8 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
switch(level) {
|
|
||||||
case 18:
|
|
||||||
case 21:
|
|
||||||
@@ -3220,6 +3227,7 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
|
|
||||||
case 31:
|
|
||||||
status = init_samr_CryptPasswordAES(frame,
|
|
||||||
param,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&pwd_buf_aes);
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
|
|
||||||
index 4f662110e55..a1672104824 100644
|
|
||||||
--- a/source4/libnet/libnet_passwd.c
|
|
||||||
+++ b/source4/libnet/libnet_passwd.c
|
|
||||||
@@ -57,13 +57,13 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
struct samr_EncryptedPasswordAES pwd_buf = {
|
|
||||||
.cipher_len = 0
|
|
||||||
};
|
|
||||||
- DATA_BLOB iv = {
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
.data = pwd_buf.salt,
|
|
||||||
.length = sizeof(pwd_buf.salt),
|
|
||||||
};
|
|
||||||
- gnutls_datum_t iv_datum = {
|
|
||||||
- .data = iv.data,
|
|
||||||
- .size = iv.length,
|
|
||||||
+ gnutls_datum_t salt_datum = {
|
|
||||||
+ .data = pwd_buf.salt,
|
|
||||||
+ .size = sizeof(pwd_buf.salt),
|
|
||||||
};
|
|
||||||
uint64_t pbkdf2_iterations = generate_random_u64_range(5000, 1000000);
|
|
||||||
NTSTATUS status;
|
|
||||||
@@ -71,11 +71,11 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
E_md4hash(old_password, old_nt_key_data);
|
|
||||||
|
|
||||||
- generate_nonce_buffer(iv.data, iv.length);
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
|
|
||||||
rc = gnutls_pbkdf2(GNUTLS_MAC_SHA512,
|
|
||||||
&old_nt_key,
|
|
||||||
- &iv_datum,
|
|
||||||
+ &salt_datum,
|
|
||||||
pbkdf2_iterations,
|
|
||||||
cek.data,
|
|
||||||
cek.length);
|
|
||||||
@@ -86,6 +86,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(mem_ctx,
|
|
||||||
new_password,
|
|
||||||
+ &salt,
|
|
||||||
&cek,
|
|
||||||
&pwd_buf);
|
|
||||||
data_blob_clear(&cek);
|
|
||||||
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
|
|
||||||
index de354659067..0b1880efa18 100644
|
|
||||||
--- a/source4/torture/rpc/samr.c
|
|
||||||
+++ b/source4/torture/rpc/samr.c
|
|
||||||
@@ -783,6 +783,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
struct samr_SetUserInfo s;
|
|
||||||
union samr_UserInfo u;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass = NULL;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -818,8 +823,11 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -852,6 +860,7 @@ static bool test_SetUserPass_32(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -896,6 +905,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
union samr_UserInfo u;
|
|
||||||
bool ret = true;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -931,8 +945,11 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -959,6 +976,7 @@ static bool test_SetUserPass_31(struct dcerpc_pipe *p, struct torture_context *t
|
|
||||||
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
torture_assert_ntstatus_ok(tctx,
|
|
||||||
@@ -1381,6 +1399,11 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
union samr_UserInfo u;
|
|
||||||
bool ret = true;
|
|
||||||
DATA_BLOB session_key;
|
|
||||||
+ uint8_t salt_data[16];
|
|
||||||
+ DATA_BLOB salt = {
|
|
||||||
+ .data = salt_data,
|
|
||||||
+ .length = sizeof(salt_data),
|
|
||||||
+ };
|
|
||||||
char *newpass;
|
|
||||||
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
||||||
struct samr_GetUserPwInfo pwp;
|
|
||||||
@@ -1490,6 +1513,8 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ generate_nonce_buffer(salt.data, salt.length);
|
|
||||||
+
|
|
||||||
switch (level) {
|
|
||||||
case 18:
|
|
||||||
{
|
|
||||||
@@ -1561,6 +1586,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
case 31:
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info31.password);
|
|
||||||
|
|
||||||
@@ -1568,6 +1594,7 @@ static bool test_SetUserPass_level_ex(struct dcerpc_pipe *p,
|
|
||||||
case 32:
|
|
||||||
status = init_samr_CryptPasswordAES(tctx,
|
|
||||||
newpass,
|
|
||||||
+ &salt,
|
|
||||||
&session_key,
|
|
||||||
&u.info32.password);
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From 1d630363c9b2497266e418aad89c55d5b51a63ad Mon Sep 17 00:00:00 2001
|
|
||||||
From: Andreas Schneider <asn@samba.org>
|
|
||||||
Date: Mon, 17 Oct 2022 09:02:28 +0200
|
|
||||||
Subject: [PATCH 3/5] s4:libnet: If we successfully changed the password we are
|
|
||||||
done
|
|
||||||
|
|
||||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15206
|
|
||||||
|
|
||||||
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
||||||
Reviewed-by: Noel Power <noel.power@suse.com>
|
|
||||||
---
|
|
||||||
source4/libnet/libnet_passwd.c | 32 ++++++++++++++++++--------------
|
|
||||||
1 file changed, 18 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
|
|
||||||
index a1672104824..b17614bcd97 100644
|
|
||||||
--- a/source4/libnet/libnet_passwd.c
|
|
||||||
+++ b/source4/libnet/libnet_passwd.c
|
|
||||||
@@ -101,7 +101,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
r.in.password = &pwd_buf;
|
|
||||||
|
|
||||||
status = dcerpc_samr_ChangePasswordUser4_r(h, mem_ctx, &r);
|
|
||||||
- if (NT_STATUS_IS_OK(status)) {
|
|
||||||
+ if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
if (!NT_STATUS_IS_OK(r.out.result)) {
|
|
||||||
@@ -112,6 +112,7 @@ static NTSTATUS libnet_ChangePassword_samr_aes(TALLOC_CTX *mem_ctx,
|
|
||||||
account->string,
|
|
||||||
nt_errstr(status));
|
|
||||||
status = r.out.result;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
done:
|
|
||||||
@@ -424,20 +425,23 @@ static NTSTATUS libnet_ChangePassword_samr(struct libnet_context *ctx, TALLOC_CT
|
|
||||||
r->samr.in.oldpassword,
|
|
||||||
r->samr.in.newpassword,
|
|
||||||
&(r->samr.out.error_string));
|
|
||||||
- if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
- if (NT_STATUS_EQUAL(status,
|
|
||||||
- NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
|
|
||||||
- NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
|
|
||||||
- NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
||||||
- /*
|
|
||||||
- * Don't fallback to RC4 based SAMR if weak crypto is not
|
|
||||||
- * allowed.
|
|
||||||
- */
|
|
||||||
- if (lpcfg_weak_crypto(ctx->lp_ctx) ==
|
|
||||||
- SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
||||||
- goto disconnect;
|
|
||||||
- }
|
|
||||||
+ if (NT_STATUS_IS_OK(status)) {
|
|
||||||
+ goto disconnect;
|
|
||||||
+ } else if (NT_STATUS_EQUAL(status,
|
|
||||||
+ NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE) ||
|
|
||||||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
|
|
||||||
+ NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
|
|
||||||
+ /*
|
|
||||||
+ * Don't fallback to RC4 based SAMR if weak crypto is not
|
|
||||||
+ * allowed.
|
|
||||||
+ */
|
|
||||||
+ if (lpcfg_weak_crypto(ctx->lp_ctx) ==
|
|
||||||
+ SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
||||||
+ goto disconnect;
|
|
||||||
}
|
|
||||||
+ } else {
|
|
||||||
+ /* libnet_ChangePassword_samr_aes is implemented and failed */
|
|
||||||
+ goto disconnect;
|
|
||||||
}
|
|
||||||
|
|
||||||
status = libnet_ChangePassword_samr_rc4(
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From 9a4a169ab34641afb87e7f81708c9a72b321879e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Noel Power <noel.power@suse.com>
|
|
||||||
Date: Fri, 21 Oct 2022 17:40:36 +0100
|
|
||||||
Subject: [PATCH 4/5] s4/rpc_server/sambr: don't mutate the return of
|
|
||||||
samdb_set_password_aes
|
|
||||||
|
|
||||||
prior to this commit return of samdb_set_password_aes was set to
|
|
||||||
NT_STATUS_WRONG_PASSWORD on failure. Useful status that should be
|
|
||||||
returned such as NT_STATUS_PASSWORD_RESTRICTION are swallowed here
|
|
||||||
otherwise (and in this case can be partially responsible for failures
|
|
||||||
in test samba.tests.auth_log_pass_change (with later gnutls)
|
|
||||||
|
|
||||||
Signed-off-by: Noel Power <noel.power@suse.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source4/rpc_server/samr/samr_password.c | 1 -
|
|
||||||
1 file changed, 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
|
|
||||||
index 4691f9a47a9..b581be6361c 100644
|
|
||||||
--- a/source4/rpc_server/samr/samr_password.c
|
|
||||||
+++ b/source4/rpc_server/samr/samr_password.c
|
|
||||||
@@ -250,7 +250,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser4(struct dcesrv_call_state *dce_call,
|
|
||||||
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
ldb_transaction_cancel(sam_ctx);
|
|
||||||
- status = NT_STATUS_WRONG_PASSWORD;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
||||||
|
|
||||||
From b8b36ecba0f22dbc203c12627ebd629c2437c635 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Noel Power <noel.power@suse.com>
|
|
||||||
Date: Fri, 21 Oct 2022 17:14:44 +0100
|
|
||||||
Subject: [PATCH 5/5] python/samba/tests: fix samba.tests.auth_log_pass_change
|
|
||||||
for later gnutls
|
|
||||||
|
|
||||||
later gnutls that support GNUTLS_PBKDF2 currently fail,
|
|
||||||
we need to conditionally switch test data to reflect use of
|
|
||||||
'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4'
|
|
||||||
depending on whether GNUTLS_PBKDF2 is supported or not
|
|
||||||
|
|
||||||
Signed-off-by: Noel Power <noel.power@suse.com>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
python/samba/tests/auth_log_pass_change.py | 20 ++++++++++++++++----
|
|
||||||
source4/selftest/tests.py | 9 ++++++---
|
|
||||||
2 files changed, 22 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
|
|
||||||
index 972af2158dd..1ca46c586b3 100644
|
|
||||||
--- a/python/samba/tests/auth_log_pass_change.py
|
|
||||||
+++ b/python/samba/tests/auth_log_pass_change.py
|
|
||||||
@@ -72,6 +72,18 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
|
|
||||||
# discard any auth log messages for the password setup
|
|
||||||
self.discardMessages()
|
|
||||||
+ gnutls_pbkdf2_support = samba.tests.env_get_var_value(
|
|
||||||
+ 'GNUTLS_PBKDF2_SUPPORT',
|
|
||||||
+ allow_missing=True)
|
|
||||||
+ if gnutls_pbkdf2_support is None:
|
|
||||||
+ gnutls_pbkdf2_support = '0'
|
|
||||||
+ self.gnutls_pbkdf2_support = bool(int(gnutls_pbkdf2_support))
|
|
||||||
+
|
|
||||||
+ def _authDescription(self):
|
|
||||||
+ if self.gnutls_pbkdf2_support:
|
|
||||||
+ return "samr_ChangePasswordUser4"
|
|
||||||
+ else:
|
|
||||||
+ return "samr_ChangePasswordUser3"
|
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
super(AuthLogPassChangeTests, self).tearDown()
|
|
||||||
@@ -83,7 +95,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_SUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -109,7 +121,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -141,7 +153,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
@@ -174,7 +186,7 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
|
|
||||||
(msg["Authentication"]["serviceDescription"] ==
|
|
||||||
"SAMR Password Change") and
|
|
||||||
(msg["Authentication"]["authDescription"] ==
|
|
||||||
- "samr_ChangePasswordUser3") and
|
|
||||||
+ self._authDescription()) and
|
|
||||||
(msg["Authentication"]["eventId"] ==
|
|
||||||
EVT_ID_UNSUCCESSFUL_LOGON) and
|
|
||||||
(msg["Authentication"]["logonType"] ==
|
|
||||||
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
||||||
index a803d4704ea..c92105586a7 100755
|
|
||||||
--- a/source4/selftest/tests.py
|
|
||||||
+++ b/source4/selftest/tests.py
|
|
||||||
@@ -1094,9 +1094,11 @@ if have_heimdal_support:
|
|
||||||
environ={'CLIENT_IP': '10.53.57.11',
|
|
||||||
'SOCKET_WRAPPER_DEFAULT_IFACE': 11})
|
|
||||||
planoldpythontestsuite("ad_dc_smb1", "samba.tests.auth_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
planoldpythontestsuite("ad_dc_ntvfs", "samba.tests.auth_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
|
|
||||||
# these tests use a NCA local RPC connection, so always run on the
|
|
||||||
# :local testenv, and so don't need to fake a client connection
|
|
||||||
@@ -1113,7 +1115,8 @@ if have_heimdal_support:
|
|
||||||
"samba.tests.auth_log_winbind",
|
|
||||||
extra_args=['-U"$DC_USERNAME%$DC_PASSWORD"'])
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_pass_change",
|
|
||||||
- extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
+ extra_args=['-U"$USERNAME%$PASSWORD"'],
|
|
||||||
+ environ={'GNUTLS_PBKDF2_SUPPORT': gnutls_pbkdf2_support})
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.audit_log_dsdb",
|
|
||||||
extra_args=['-U"$USERNAME%$PASSWORD"'])
|
|
||||||
planoldpythontestsuite("ad_dc", "samba.tests.group_audit",
|
|
||||||
--
|
|
||||||
2.37.3
|
|
||||||
|
|
37
samba.spec
37
samba.spec
|
@ -135,9 +135,9 @@
|
||||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||||
|
|
||||||
%global samba_version 4.18.0
|
%global samba_version 4.18.0
|
||||||
%global baserelease 4
|
%global baserelease 10
|
||||||
# This should be rc1 or %%nil
|
# This should be rc1 or %%nil
|
||||||
%global pre_release rc2
|
%global pre_release %nil
|
||||||
|
|
||||||
%global samba_release %{baserelease}
|
%global samba_release %{baserelease}
|
||||||
%if "x%{?pre_release}" != "x"
|
%if "x%{?pre_release}" != "x"
|
||||||
|
@ -170,8 +170,8 @@
|
||||||
|
|
||||||
%global talloc_version 2.4.0
|
%global talloc_version 2.4.0
|
||||||
%global tdb_version 1.4.8
|
%global tdb_version 1.4.8
|
||||||
%global tevent_version 0.14.0
|
%global tevent_version 0.14.1
|
||||||
%global ldb_version 2.7.0
|
%global ldb_version 2.7.1
|
||||||
|
|
||||||
%global required_mit_krb5 1.20.1
|
%global required_mit_krb5 1.20.1
|
||||||
|
|
||||||
|
@ -210,7 +210,7 @@ Epoch: 0
|
||||||
%global samba_depver %{epoch}:%{version}-%{release}
|
%global samba_depver %{epoch}:%{version}-%{release}
|
||||||
|
|
||||||
Summary: Server and Client software to interoperate with Windows machines
|
Summary: Server and Client software to interoperate with Windows machines
|
||||||
License: GPLv3+ and LGPLv3+
|
License: GPL-3.0-or-later AND LGPL-3.0-or-later
|
||||||
URL: https://www.samba.org
|
URL: https://www.samba.org
|
||||||
|
|
||||||
# This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
|
# This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
|
||||||
|
@ -270,6 +270,7 @@ Provides: bundled(libreplace)
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
|
BuildRequires: glibc-gconv-extra
|
||||||
BuildRequires: avahi-devel
|
BuildRequires: avahi-devel
|
||||||
BuildRequires: bison
|
BuildRequires: bison
|
||||||
BuildRequires: cups-devel
|
BuildRequires: cups-devel
|
||||||
|
@ -448,6 +449,8 @@ Requires: %{name}-common-libs = %{samba_depver}
|
||||||
Requires: libwbclient = %{samba_depver}
|
Requires: libwbclient = %{samba_depver}
|
||||||
%endif
|
%endif
|
||||||
Requires: krb5-libs >= %{required_mit_krb5}
|
Requires: krb5-libs >= %{required_mit_krb5}
|
||||||
|
# This is needed for charset conversion
|
||||||
|
Requires: glibc-gconv-extra
|
||||||
|
|
||||||
%description client-libs
|
%description client-libs
|
||||||
The samba-client-libs package contains internal libraries needed by the
|
The samba-client-libs package contains internal libraries needed by the
|
||||||
|
@ -537,6 +540,7 @@ Requires: python3-%{name}-dc = %{samba_depver}
|
||||||
# samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision
|
# samba-tool needs mdb_copy and tdbackup for domain backup or upgrade provision
|
||||||
Requires: lmdb
|
Requires: lmdb
|
||||||
Requires: tdb-tools
|
Requires: tdb-tools
|
||||||
|
Requires: python3-gpg
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%description tools
|
%description tools
|
||||||
|
@ -565,6 +569,7 @@ Requires: %{name} = %{samba_depver}
|
||||||
Requires: %{name}-client-libs = %{samba_depver}
|
Requires: %{name}-client-libs = %{samba_depver}
|
||||||
Requires: %{name}-common-libs = %{samba_depver}
|
Requires: %{name}-common-libs = %{samba_depver}
|
||||||
Requires: %{name}-common-tools = %{samba_depver}
|
Requires: %{name}-common-tools = %{samba_depver}
|
||||||
|
Requires: %{name}-tools = %{samba_depver}
|
||||||
Requires: %{name}-libs = %{samba_depver}
|
Requires: %{name}-libs = %{samba_depver}
|
||||||
Requires: %{name}-dc-provision = %{samba_depver}
|
Requires: %{name}-dc-provision = %{samba_depver}
|
||||||
Requires: %{name}-dc-libs = %{samba_depver}
|
Requires: %{name}-dc-libs = %{samba_depver}
|
||||||
|
@ -1074,7 +1079,7 @@ necessary to communicate to the Winbind Daemon
|
||||||
%if %{with winexe}
|
%if %{with winexe}
|
||||||
%package winexe
|
%package winexe
|
||||||
Summary: Samba Winexe Windows Binary
|
Summary: Samba Winexe Windows Binary
|
||||||
License: GPLv3
|
License: GPL-3.0-only
|
||||||
Requires: %{name}-client-libs = %{samba_depver}
|
Requires: %{name}-client-libs = %{samba_depver}
|
||||||
Requires: %{name}-common-libs = %{samba_depver}
|
Requires: %{name}-common-libs = %{samba_depver}
|
||||||
|
|
||||||
|
@ -1950,6 +1955,7 @@ fi
|
||||||
%{_libdir}/samba/libsmbd-base-samba4.so
|
%{_libdir}/samba/libsmbd-base-samba4.so
|
||||||
%{_libdir}/samba/libsmbd-shim-samba4.so
|
%{_libdir}/samba/libsmbd-shim-samba4.so
|
||||||
%{_libdir}/samba/libsmbldaphelper-samba4.so
|
%{_libdir}/samba/libsmbldaphelper-samba4.so
|
||||||
|
%{_libdir}/samba/libstable-sort-samba4.so
|
||||||
%{_libdir}/samba/libsys-rw-samba4.so
|
%{_libdir}/samba/libsys-rw-samba4.so
|
||||||
%{_libdir}/samba/libsocket-blocking-samba4.so
|
%{_libdir}/samba/libsocket-blocking-samba4.so
|
||||||
%{_libdir}/samba/libtalloc-report-printf-samba4.so
|
%{_libdir}/samba/libtalloc-report-printf-samba4.so
|
||||||
|
@ -2375,7 +2381,6 @@ fi
|
||||||
%{_libdir}/samba/libdnsserver-common-samba4.so
|
%{_libdir}/samba/libdnsserver-common-samba4.so
|
||||||
%{_libdir}/samba/libshares-samba4.so
|
%{_libdir}/samba/libshares-samba4.so
|
||||||
%{_libdir}/samba/libsmbpasswdparser-samba4.so
|
%{_libdir}/samba/libsmbpasswdparser-samba4.so
|
||||||
%{_libdir}/samba/libstable-sort-samba4.so
|
|
||||||
%{_libdir}/samba/libxattr-tdb-samba4.so
|
%{_libdir}/samba/libxattr-tdb-samba4.so
|
||||||
%{_libdir}/samba/libREG-FULL-samba4.so
|
%{_libdir}/samba/libREG-FULL-samba4.so
|
||||||
%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
|
%{_libdir}/samba/libRPC-SERVER-LOOP-samba4.so
|
||||||
|
@ -4332,6 +4337,24 @@ fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 17 2023 Kalev Lember <klember@redhat.com> - 4.18.0-10
|
||||||
|
- Move libstable-sort-samba4.so to samba-client-libs subpackage
|
||||||
|
|
||||||
|
* Wed Mar 08 2023 Guenther Deschner <gdeschner@redhat.com> - 4.18.0-9
|
||||||
|
- resolves: #2176469 - Update to version 4.18.0
|
||||||
|
|
||||||
|
* Wed Mar 01 2023 Guenther Deschner <gdeschner@redhat.com> - 4.18.0rc4-8
|
||||||
|
- resolves: #2174415 - Update to version 4.18.0rc4
|
||||||
|
|
||||||
|
* Tue Feb 28 2023 Andreas Schneider <asn@redhat.com> - 4.18.0-0.7.rc3
|
||||||
|
- resolves: #2173619 - Add missing Requires for glibc-gconv-extra
|
||||||
|
|
||||||
|
* Thu Feb 23 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.0-0.6.rc3
|
||||||
|
- SPDX migration
|
||||||
|
|
||||||
|
* Wed Feb 15 2023 Guenther Deschner <gdeschner@redhat.com> - 4.18.0rc3-6
|
||||||
|
- resolves: #2166416 - Update to version 4.18.0rc3
|
||||||
|
|
||||||
* Tue Feb 14 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.0rc2-4
|
* Tue Feb 14 2023 Pavel Filipenský <pfilipen@redhat.com> - 4.18.0rc2-4
|
||||||
- resolves: rhbz#2166124 - Create package samba-tools, move there samba-tool binary
|
- resolves: rhbz#2166124 - Create package samba-tools, move there samba-tool binary
|
||||||
|
|
||||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
||||||
SHA512 (samba-4.18.0rc2.tar.xz) = 1467ee97c5861e7306d2bf96c0c600404212d9b241cc28e5fb649f8297bdb3bb86a774cb78ccfc82a70f7b715eff7eb0de9dc3563ba0300c6a069d9609fbdef4
|
SHA512 (samba-4.18.0.tar.xz) = bb4947335bd1fc501c29a62b413a9c3a1bbaf162d6965a4b2eeb65bf74363c300234b5c73d09e826e596989cd8afdee41b2470647bfdf8f7c42b998e7d367a64
|
||||||
SHA512 (samba-4.18.0rc2.tar.asc) = 557eec6485669b172b16fd5032750d8cfa8058d1615316d7e539924d561d7d7e7d0990bcf62f96d0ec467c8fc5e59c0bb8ea1a963396055b6af8659e166073cd
|
SHA512 (samba-4.18.0.tar.asc) = 1a478fd0e863e6b6874b703e04f449872b4d581e4c32c853ee4111bc94d1addcf3047331a288e8115a20d9ea22d8e04aade918e8623bd3d08d5122baf4ef0f3d
|
||||||
|
|
Loading…
Reference in New Issue