Compare commits
44 Commits
Author | SHA1 | Date |
---|---|---|
Günther Deschner | d2806fa77c | |
Günther Deschner | 598cab6469 | |
Günther Deschner | 85d7de80b2 | |
Günther Deschner | afe3fcb7fd | |
Günther Deschner | 42f8f093c9 | |
Günther Deschner | 2998d67919 | |
Günther Deschner | 62ad5fa922 | |
Günther Deschner | 0bbffd4f99 | |
Günther Deschner | 4ccc117a9d | |
Alexander Bokovoy | 4ff027fceb | |
Günther Deschner | 7529559608 | |
Günther Deschner | 9031c9ac48 | |
Günther Deschner | 49bc60d14a | |
Günther Deschner | ede8ff5ae9 | |
Günther Deschner | 457752eadc | |
Günther Deschner | 74b988a0b9 | |
Günther Deschner | fe07656b85 | |
Günther Deschner | e2885c339a | |
Alexander Bokovoy | 0db49376b0 | |
Alexander Bokovoy | 9962ff5e45 | |
Alexander Bokovoy | ab926fdf1e | |
Alexander Bokovoy | 4e36f6e2eb | |
Andreas Schneider | 4416117f2a | |
Günther Deschner | 8e9460d4b5 | |
Günther Deschner | 7935db43f9 | |
Günther Deschner | 9fb579caaa | |
Günther Deschner | 72564d3e4e | |
Alexander Bokovoy | 54b7288a22 | |
Alexander Bokovoy | 3037ed05f4 | |
Isaac Boukris | 8954603ac9 | |
Günther Deschner | b62fe79160 | |
Günther Deschner | c0da1c5303 | |
Günther Deschner | 0a5021c37e | |
Günther Deschner | 2804f931d0 | |
Günther Deschner | a2f88f217f | |
Neal Gompa | 41ab0cd76d | |
Günther Deschner | 692491a456 | |
Günther Deschner | a31354402a | |
Anoop C S | 57015c72af | |
Günther Deschner | 3f3c9ecde9 | |
Andreas Schneider | 67ed8f8f78 | |
Fedora Release Engineering | 0e393ad6d6 | |
Andreas Schneider | a000c31c78 | |
Tom Stellard | 2659a5f9b5 |
|
@ -211,3 +211,43 @@ samba-3.6.0pre1.tar.gz
|
|||
/samba-4.12.5.tar.asc
|
||||
/samba-4.13.0rc1.tar.xz
|
||||
/samba-4.13.0rc1.tar.asc
|
||||
/samba-4.13.0rc2.tar.xz
|
||||
/samba-4.13.0rc2.tar.asc
|
||||
/samba-4.13.0rc3.tar.xz
|
||||
/samba-4.13.0rc3.tar.asc
|
||||
/samba-4.13.0rc4.tar.xz
|
||||
/samba-4.13.0rc4.tar.asc
|
||||
/samba-4.13.0rc5.tar.xz
|
||||
/samba-4.13.0rc5.tar.asc
|
||||
/samba-4.13.0rc6.tar.xz
|
||||
/samba-4.13.0rc6.tar.asc
|
||||
/samba-4.13.0.tar.xz
|
||||
/samba-4.13.0.tar.asc
|
||||
/samba-4.13.1.tar.xz
|
||||
/samba-4.13.1.tar.asc
|
||||
/samba-4.13.2.tar.xz
|
||||
/samba-4.13.2.tar.asc
|
||||
/samba-4.13.3.tar.xz
|
||||
/samba-4.13.3.tar.asc
|
||||
/samba-4.13.4.tar.xz
|
||||
/samba-4.13.4.tar.asc
|
||||
/samba-4.13.5.tar.xz
|
||||
/samba-4.13.5.tar.asc
|
||||
/samba-4.13.6.tar.xz
|
||||
/samba-4.13.6.tar.asc
|
||||
/samba-4.13.7.tar.xz
|
||||
/samba-4.13.7.tar.asc
|
||||
/samba-4.13.8.tar.xz
|
||||
/samba-4.13.8.tar.asc
|
||||
/samba-4.13.9.tar.xz
|
||||
/samba-4.13.9.tar.asc
|
||||
/samba-4.13.10.tar.xz
|
||||
/samba-4.13.10.tar.asc
|
||||
/samba-4.13.11.tar.xz
|
||||
/samba-4.13.11.tar.asc
|
||||
/samba-4.13.12.tar.xz
|
||||
/samba-4.13.12.tar.asc
|
||||
/samba-4.13.13.tar.xz
|
||||
/samba-4.13.13.tar.asc
|
||||
/samba-4.13.14.tar.xz
|
||||
/samba-4.13.14.tar.asc
|
||||
|
|
Binary file not shown.
|
@ -0,0 +1,41 @@
|
|||
From 2edaf32b4204b9fe363c441c25b6989fe76911a4 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Metzmacher <metze@samba.org>
|
||||
Date: Tue, 9 Nov 2021 20:50:20 +0100
|
||||
Subject: [PATCH] s3:winbindd: fix "allow trusted domains = no" regression
|
||||
|
||||
add_trusted_domain() should only reject domains
|
||||
based on is_allowed_domain(), which now also
|
||||
checks "allow trusted domains = no", if we don't
|
||||
have an explicit trust to the domain (SEC_CHAN_NULL).
|
||||
|
||||
We use at least SEC_CHAN_LOCAL for local domains like
|
||||
BUILTIN.
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14899
|
||||
|
||||
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
||||
|
||||
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
|
||||
Autobuild-Date(master): Wed Nov 10 11:21:31 UTC 2021 on sn-devel-184
|
||||
|
||||
(cherry picked from commit a7f6c60cb037b4bc9eee276236539b8282213935)
|
||||
---
|
||||
source3/winbindd/winbindd_util.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
|
||||
index 42ddbfd2f44..9d54e462c42 100644
|
||||
--- a/source3/winbindd/winbindd_util.c
|
||||
+++ b/source3/winbindd/winbindd_util.c
|
||||
@@ -134,7 +134,7 @@ static NTSTATUS add_trusted_domain(const char *domain_name,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
- if (!is_allowed_domain(domain_name)) {
|
||||
+ if (secure_channel_type == SEC_CHAN_NULL && !is_allowed_domain(domain_name)) {
|
||||
return NT_STATUS_NO_SUCH_DOMAIN;
|
||||
}
|
||||
|
||||
--
|
||||
2.33.1
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
From 3fc4d1d3998f3956a84c855cb60a9dcb335e1f59 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Fri, 12 Nov 2021 19:06:01 +0200
|
||||
Subject: [PATCH] IPA DC: add missing checks
|
||||
|
||||
When introducing FreeIPA support, two places were forgotten:
|
||||
|
||||
- schannel gensec module needs to be aware of IPA DC
|
||||
- _lsa_QueryInfoPolicy should treat IPA DC as PDC
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14903
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
auth/gensec/schannel.c | 1 +
|
||||
source3/rpc_server/lsa/srv_lsa_nt.c | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
|
||||
index 0cdae141ead..6ebbe8f3179 100644
|
||||
--- a/auth/gensec/schannel.c
|
||||
+++ b/auth/gensec/schannel.c
|
||||
@@ -1080,6 +1080,7 @@ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
|
||||
case ROLE_DOMAIN_BDC:
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
+ case ROLE_IPA_DC:
|
||||
return NT_STATUS_OK;
|
||||
default:
|
||||
return NT_STATUS_NOT_IMPLEMENTED;
|
||||
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
|
||||
index 8d71b5252ab..ea92a22cbc9 100644
|
||||
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
|
||||
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
|
||||
@@ -683,6 +683,7 @@ NTSTATUS _lsa_QueryInfoPolicy(struct pipes_struct *p,
|
||||
switch (lp_server_role()) {
|
||||
case ROLE_DOMAIN_PDC:
|
||||
case ROLE_DOMAIN_BDC:
|
||||
+ case ROLE_IPA_DC:
|
||||
name = get_global_sam_name();
|
||||
sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid());
|
||||
if (!sid) {
|
||||
--
|
||||
2.33.1
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,210 @@
|
|||
From 81d6949acdad70ecfb130d3286eeab1b3a51937f Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Wed, 7 Oct 2020 19:25:24 +0300
|
||||
Subject: [PATCH 1/2] cli_credentials_parse_string: fix parsing of principals
|
||||
|
||||
When parsing a principal-like name, user name was left with full
|
||||
principal instead of taking only the left part before '@' sign.
|
||||
|
||||
>>> from samba import credentials
|
||||
>>> t = credentials.Credentials()
|
||||
>>> t.parse_string('admin@realm.test', credentials.SPECIFIED)
|
||||
>>> t.get_username()
|
||||
'admin@realm.test'
|
||||
|
||||
The issue is that cli_credentials_set_username() does a talloc_strdup()
|
||||
of the argument, so we need to change order of assignment to allow
|
||||
talloc_strdup() to copy the right part of the string.
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
auth/credentials/credentials.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
|
||||
index 77c35dd104b..06ac79058f9 100644
|
||||
--- a/auth/credentials/credentials.c
|
||||
+++ b/auth/credentials/credentials.c
|
||||
@@ -840,11 +840,10 @@ _PUBLIC_ void cli_credentials_parse_string(struct cli_credentials *credentials,
|
||||
* in order to undo the effect of
|
||||
* cli_credentials_guess().
|
||||
*/
|
||||
- cli_credentials_set_username(credentials, uname, obtained);
|
||||
- cli_credentials_set_domain(credentials, "", obtained);
|
||||
-
|
||||
cli_credentials_set_principal(credentials, uname, obtained);
|
||||
*p = 0;
|
||||
+ cli_credentials_set_username(credentials, uname, obtained);
|
||||
+ cli_credentials_set_domain(credentials, "", obtained);
|
||||
cli_credentials_set_realm(credentials, p+1, obtained);
|
||||
return;
|
||||
} else if ((p = strchr_m(uname,'\\'))
|
||||
--
|
||||
2.28.0
|
||||
|
||||
|
||||
From fa38bebb993011428612d51819530218d8358f5e Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <ab@samba.org>
|
||||
Date: Mon, 13 Jan 2020 16:04:20 +0200
|
||||
Subject: [PATCH 2/2] lookup_name: allow lookup for own realm
|
||||
|
||||
When using security tab in Windows Explorer, a lookup over a trusted
|
||||
forest might come as realm\name instead of NetBIOS domain name:
|
||||
|
||||
--------------------------------------------------------------------
|
||||
[2020/01/13 11:12:39.859134, 1, pid=33253, effective(1732401004, 1732401004), real(1732401004, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
|
||||
lsa_LookupNames3: struct lsa_LookupNames3
|
||||
in: struct lsa_LookupNames3
|
||||
handle : *
|
||||
handle: struct policy_handle
|
||||
handle_type : 0x00000000 (0)
|
||||
uuid : 0000000e-0000-0000-1c5e-a750e5810000
|
||||
num_names : 0x00000001 (1)
|
||||
names: ARRAY(1)
|
||||
names: struct lsa_String
|
||||
length : 0x001e (30)
|
||||
size : 0x0020 (32)
|
||||
string : *
|
||||
string : 'ipa.test\admins'
|
||||
sids : *
|
||||
sids: struct lsa_TransSidArray3
|
||||
count : 0x00000000 (0)
|
||||
sids : NULL
|
||||
level : LSA_LOOKUP_NAMES_UPLEVEL_TRUSTS_ONLY2 (6)
|
||||
count : *
|
||||
count : 0x00000000 (0)
|
||||
lookup_options : LSA_LOOKUP_OPTION_SEARCH_ISOLATED_NAMES (0)
|
||||
client_revision : LSA_CLIENT_REVISION_2 (2)
|
||||
--------------------------------------------------------------------
|
||||
|
||||
Allow this lookup using realm to be done against primary domain.
|
||||
|
||||
Refactor user name parsing code to reuse cli_credentials_* API to be
|
||||
consistent with other places. cli_credentials_parse_string() handles
|
||||
both domain and realm-based user name variants.
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||||
---
|
||||
source3/passdb/lookup_sid.c | 75 ++++++++++++++++++++++++++-----------
|
||||
1 file changed, 53 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
|
||||
index 82c47b3145b..39d599fed27 100644
|
||||
--- a/source3/passdb/lookup_sid.c
|
||||
+++ b/source3/passdb/lookup_sid.c
|
||||
@@ -29,6 +29,7 @@
|
||||
#include "../libcli/security/security.h"
|
||||
#include "lib/winbind_util.h"
|
||||
#include "../librpc/gen_ndr/idmap.h"
|
||||
+#include "auth/credentials/credentials.h"
|
||||
|
||||
static bool lookup_unix_user_name(const char *name, struct dom_sid *sid)
|
||||
{
|
||||
@@ -78,52 +79,82 @@ bool lookup_name(TALLOC_CTX *mem_ctx,
|
||||
const char **ret_domain, const char **ret_name,
|
||||
struct dom_sid *ret_sid, enum lsa_SidType *ret_type)
|
||||
{
|
||||
- char *p;
|
||||
const char *tmp;
|
||||
const char *domain = NULL;
|
||||
const char *name = NULL;
|
||||
+ const char *realm = NULL;
|
||||
uint32_t rid;
|
||||
struct dom_sid sid;
|
||||
enum lsa_SidType type;
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
+ struct cli_credentials *creds = NULL;
|
||||
|
||||
if (tmp_ctx == NULL) {
|
||||
DEBUG(0, ("talloc_new failed\n"));
|
||||
return false;
|
||||
}
|
||||
|
||||
- p = strchr_m(full_name, '\\');
|
||||
-
|
||||
- if (p != NULL) {
|
||||
- domain = talloc_strndup(tmp_ctx, full_name,
|
||||
- PTR_DIFF(p, full_name));
|
||||
- name = talloc_strdup(tmp_ctx, p+1);
|
||||
- } else {
|
||||
- domain = talloc_strdup(tmp_ctx, "");
|
||||
- name = talloc_strdup(tmp_ctx, full_name);
|
||||
+ creds = cli_credentials_init(tmp_ctx);
|
||||
+ if (creds == NULL) {
|
||||
+ DEBUG(0, ("cli_credentials_init failed\n"));
|
||||
+ return false;
|
||||
}
|
||||
|
||||
- if ((domain == NULL) || (name == NULL)) {
|
||||
- DEBUG(0, ("talloc failed\n"));
|
||||
- TALLOC_FREE(tmp_ctx);
|
||||
+ cli_credentials_parse_string(creds, full_name, CRED_SPECIFIED);
|
||||
+ name = cli_credentials_get_username(creds);
|
||||
+ domain = cli_credentials_get_domain(creds);
|
||||
+ realm = cli_credentials_get_realm(creds);
|
||||
+
|
||||
+ /* At this point we have:
|
||||
+ * - name -- normal name or empty string
|
||||
+ * - domain -- either NULL or domain name
|
||||
+ * - realm -- either NULL or realm name
|
||||
+ *
|
||||
+ * domain and realm are exclusive to each other
|
||||
+ * the code below in lookup_name assumes domain
|
||||
+ * to be at least empty string, not NULL
|
||||
+ */
|
||||
+
|
||||
+ if ((name == NULL) || (name[0] == '\0')) {
|
||||
+ DEBUG(0, ("lookup_name with empty name, exit\n"));
|
||||
return false;
|
||||
}
|
||||
|
||||
+ if ((domain == NULL) && (realm == NULL)) {
|
||||
+ domain = talloc_strdup(creds, "");
|
||||
+ }
|
||||
+
|
||||
DEBUG(10,("lookup_name: %s => domain=[%s], name=[%s]\n",
|
||||
full_name, domain, name));
|
||||
DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
|
||||
|
||||
- if (((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) &&
|
||||
- strequal(domain, get_global_sam_name()))
|
||||
- {
|
||||
+ /* Windows clients may send a LookupNames request with both NetBIOS
|
||||
+ * domain name- and realm-qualified user names. Thus, we need to check
|
||||
+ * both against both of the SAM domain name and realm, if set. Since
|
||||
+ * domain name and realm in the request are exclusive, test the one
|
||||
+ * that is specified. cli_credentials_parse_string() will either set
|
||||
+ * realm or wouldn't so we can use it to detect if realm was specified.
|
||||
+ */
|
||||
+ if ((flags & LOOKUP_NAME_DOMAIN) || (flags == 0)) {
|
||||
+ const char *domain_name = realm ? realm : domain;
|
||||
+ bool check_global_sam = false;
|
||||
+
|
||||
+ if (domain_name[0] != '\0') {
|
||||
+ check_global_sam = strequal(domain_name, get_global_sam_name());
|
||||
+ if (!check_global_sam && lp_realm() != NULL) {
|
||||
+ check_global_sam = strequal(domain_name, lp_realm());
|
||||
+ }
|
||||
+ }
|
||||
|
||||
- /* It's our own domain, lookup the name in passdb */
|
||||
- if (lookup_global_sam_name(name, flags, &rid, &type)) {
|
||||
- sid_compose(&sid, get_global_sam_sid(), rid);
|
||||
- goto ok;
|
||||
+ if (check_global_sam) {
|
||||
+ /* It's our own domain, lookup the name in passdb */
|
||||
+ if (lookup_global_sam_name(name, flags, &rid, &type)) {
|
||||
+ sid_compose(&sid, get_global_sam_sid(), rid);
|
||||
+ goto ok;
|
||||
+ }
|
||||
+ TALLOC_FREE(tmp_ctx);
|
||||
+ return false;
|
||||
}
|
||||
- TALLOC_FREE(tmp_ctx);
|
||||
- return false;
|
||||
}
|
||||
|
||||
if ((flags & LOOKUP_NAME_BUILTIN) &&
|
||||
--
|
||||
2.28.0
|
||||
|
Binary file not shown.
|
@ -0,0 +1,697 @@
|
|||
From e649f9aedfa8a0d5caa241743bb4191927430879 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:25:03 +0300
|
||||
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
source4/kdc/mit-kdb/kdb_samba_policies.c | 124 +++++++++++------------
|
||||
source4/kdc/mit_samba.c | 47 ++-------
|
||||
source4/kdc/mit_samba.h | 6 +-
|
||||
3 files changed, 71 insertions(+), 106 deletions(-)
|
||||
|
||||
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
index 7bc9a7b3347..fc20bfed2f4 100644
|
||||
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
|
||||
@@ -192,13 +192,17 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
krb5_keyblock *krbtgt_key,
|
||||
krb5_timestamp authtime,
|
||||
krb5_authdata **tgt_auth_data,
|
||||
- krb5_pac *pac)
|
||||
+ krb5_pac *out_pac)
|
||||
{
|
||||
struct mit_samba_context *mit_ctx;
|
||||
krb5_authdata **authdata = NULL;
|
||||
- krb5_pac ipac = NULL;
|
||||
- DATA_BLOB logon_data = { NULL, 0 };
|
||||
+ krb5_keyblock *header_server_key = NULL;
|
||||
+ krb5_key_data *impersonator_kd = NULL;
|
||||
+ krb5_keyblock impersonator_key = {0};
|
||||
krb5_error_code code;
|
||||
+ krb5_pac pac;
|
||||
+
|
||||
+ *out_pac = NULL;
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
@@ -230,41 +234,43 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = krb5_pac_parse(context,
|
||||
authdata[0]->contents,
|
||||
authdata[0]->length,
|
||||
- &ipac);
|
||||
+ &pac);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- /* TODO: verify this is correct
|
||||
- *
|
||||
- * In the constrained delegation case, the PAC is from a service
|
||||
- * ticket rather than a TGT; we must verify the server and KDC
|
||||
- * signatures to assert that the server did not forge the PAC.
|
||||
+ /*
|
||||
+ * For constrained delegation in MIT version < 1.18 we aren't provided
|
||||
+ * with the 2nd ticket server key to verify the PAC.
|
||||
+ * We can workaround that by fetching the key from the client db entry,
|
||||
+ * which is the impersonator account in that version.
|
||||
+ * TODO: use the provided entry in the new 1.18 version.
|
||||
*/
|
||||
if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
|
||||
- code = krb5_pac_verify(context,
|
||||
- ipac,
|
||||
- authtime,
|
||||
- client_princ,
|
||||
- server_key,
|
||||
- krbtgt_key);
|
||||
+ /* The impersonator must be local. */
|
||||
+ if (client == NULL) {
|
||||
+ code = KRB5KDC_ERR_BADOPTION;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ /* Fetch and decrypt 2nd ticket server's current key. */
|
||||
+ code = krb5_dbe_find_enctype(context, client, -1, -1, 0,
|
||||
+ &impersonator_kd);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ code = krb5_dbe_decrypt_key_data(context, NULL,
|
||||
+ impersonator_kd,
|
||||
+ &impersonator_key, NULL);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ header_server_key = &impersonator_key;
|
||||
} else {
|
||||
- code = krb5_pac_verify(context,
|
||||
- ipac,
|
||||
- authtime,
|
||||
- client_princ,
|
||||
- krbtgt_key,
|
||||
- NULL);
|
||||
- }
|
||||
- if (code != 0) {
|
||||
- goto done;
|
||||
+ header_server_key = krbtgt_key;
|
||||
}
|
||||
|
||||
- /* check and update PAC */
|
||||
- code = krb5_pac_parse(context,
|
||||
- authdata[0]->contents,
|
||||
- authdata[0]->length,
|
||||
- pac);
|
||||
+ code = krb5_pac_verify(context, pac, authtime, client_princ,
|
||||
+ header_server_key, NULL);
|
||||
if (code != 0) {
|
||||
goto done;
|
||||
}
|
||||
@@ -272,17 +278,22 @@ static krb5_error_code ks_verify_pac(krb5_context context,
|
||||
code = mit_samba_reget_pac(mit_ctx,
|
||||
context,
|
||||
flags,
|
||||
- client_princ,
|
||||
client,
|
||||
server,
|
||||
krbtgt,
|
||||
krbtgt_key,
|
||||
- pac);
|
||||
+ &pac);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ *out_pac = pac;
|
||||
+ pac = NULL;
|
||||
|
||||
done:
|
||||
+ krb5_free_keyblock_contents(context, &impersonator_key);
|
||||
krb5_free_authdata(context, authdata);
|
||||
- krb5_pac_free(context, ipac);
|
||||
- free(logon_data.data);
|
||||
+ krb5_pac_free(context, pac);
|
||||
|
||||
return code;
|
||||
}
|
||||
@@ -328,6 +339,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krb5_authdata **pac_auth_data = NULL;
|
||||
krb5_authdata **authdata = NULL;
|
||||
krb5_boolean is_as_req;
|
||||
+ krb5_const_principal pac_client;
|
||||
krb5_error_code code;
|
||||
krb5_pac pac = NULL;
|
||||
krb5_data pac_data;
|
||||
@@ -341,11 +353,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
|
||||
#endif
|
||||
|
||||
- /* FIXME: We don't support S4U yet */
|
||||
- if (flags & KRB5_KDB_FLAGS_S4U) {
|
||||
- return KRB5_KDB_DBTYPE_NOSUP;
|
||||
- }
|
||||
-
|
||||
is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
|
||||
|
||||
/*
|
||||
@@ -406,6 +413,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
ks_client_princ = client->princ;
|
||||
}
|
||||
|
||||
+ /* In protocol transition, we are currently not provided with the tgt
|
||||
+ * client name to verify the PAC, we could probably skip the name
|
||||
+ * verification and just verify the signatures, but since we don't
|
||||
+ * support cross-realm nor aliases, we can just use server->princ */
|
||||
+ if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
|
||||
+ pac_client = server->princ;
|
||||
+ } else {
|
||||
+ pac_client = ks_client_princ;
|
||||
+ }
|
||||
+
|
||||
if (client_entry == NULL) {
|
||||
client_entry = client;
|
||||
}
|
||||
@@ -470,7 +487,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
|
||||
code = ks_verify_pac(context,
|
||||
flags,
|
||||
- ks_client_princ,
|
||||
+ pac_client,
|
||||
client_entry,
|
||||
server,
|
||||
krbtgt,
|
||||
@@ -510,7 +527,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
is_as_req ? "AS-REQ" : "TGS-REQ",
|
||||
client_name);
|
||||
code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
|
||||
- server_key, krbtgt_key, &pac_data);
|
||||
+ server_key, krbtgt_key, &pac_data);
|
||||
if (code != 0) {
|
||||
DBG_ERR("krb5_pac_sign failed: %d\n", code);
|
||||
goto done;
|
||||
@@ -536,12 +553,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
|
||||
KRB5_AUTHDATA_IF_RELEVANT,
|
||||
authdata,
|
||||
signed_auth_data);
|
||||
- if (code != 0) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- code = 0;
|
||||
-
|
||||
done:
|
||||
if (client_entry != NULL && client_entry != client) {
|
||||
ks_free_principal(context, client_entry);
|
||||
@@ -567,32 +578,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context,
|
||||
* server; -> delegating service
|
||||
* proxy; -> target principal
|
||||
*/
|
||||
- krb5_db_entry *delegating_service = discard_const_p(krb5_db_entry, server);
|
||||
-
|
||||
- char *target_name = NULL;
|
||||
- bool is_enterprise;
|
||||
- krb5_error_code code;
|
||||
|
||||
mit_ctx = ks_get_context(context);
|
||||
if (mit_ctx == NULL) {
|
||||
return KRB5_KDB_DBNOTINITED;
|
||||
}
|
||||
|
||||
- code = krb5_unparse_name(context, proxy, &target_name);
|
||||
- if (code) {
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- is_enterprise = (proxy->type == KRB5_NT_ENTERPRISE_PRINCIPAL);
|
||||
-
|
||||
- code = mit_samba_check_s4u2proxy(mit_ctx,
|
||||
- delegating_service,
|
||||
- target_name,
|
||||
- is_enterprise);
|
||||
-
|
||||
-done:
|
||||
- free(target_name);
|
||||
- return code;
|
||||
+ return mit_samba_check_s4u2proxy(mit_ctx, server, proxy);
|
||||
}
|
||||
|
||||
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index e015c5a52db..2a48d731501 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -475,7 +475,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
- krb5_const_principal client_principal,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -639,7 +638,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
context,
|
||||
*pac,
|
||||
server->princ,
|
||||
- discard_const(client_principal),
|
||||
+ client->princ,
|
||||
deleg_blob);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("Update delegation info failed: %s\n",
|
||||
@@ -961,41 +960,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
}
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
- krb5_db_entry *kentry,
|
||||
- const char *target_name,
|
||||
- bool is_nt_enterprise_name)
|
||||
+ const krb5_db_entry *server,
|
||||
+ krb5_const_principal target_principal)
|
||||
{
|
||||
-#if 1
|
||||
- /*
|
||||
- * This is disabled because mit_samba_update_pac_data() does not handle
|
||||
- * S4U_DELEGATION_INFO
|
||||
- */
|
||||
-
|
||||
- return KRB5KDC_ERR_BADOPTION;
|
||||
-#else
|
||||
- krb5_principal target_principal;
|
||||
- int flags = 0;
|
||||
- int ret;
|
||||
-
|
||||
- if (is_nt_enterprise_name) {
|
||||
- flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
|
||||
- }
|
||||
-
|
||||
- ret = krb5_parse_name_flags(ctx->context, target_name,
|
||||
- flags, &target_principal);
|
||||
- if (ret) {
|
||||
- return ret;
|
||||
- }
|
||||
-
|
||||
- ret = samba_kdc_check_s4u2proxy(ctx->context,
|
||||
- ctx->db_ctx,
|
||||
- skdc_entry,
|
||||
- target_principal);
|
||||
-
|
||||
- krb5_free_principal(ctx->context, target_principal);
|
||||
-
|
||||
- return ret;
|
||||
-#endif
|
||||
+ struct samba_kdc_entry *server_skdc_entry =
|
||||
+ talloc_get_type_abort(server->e_data,
|
||||
+ struct samba_kdc_entry);
|
||||
+
|
||||
+ return samba_kdc_check_s4u2proxy(ctx->context,
|
||||
+ ctx->db_ctx,
|
||||
+ server_skdc_entry,
|
||||
+ target_principal);
|
||||
}
|
||||
|
||||
static krb5_error_code mit_samba_change_pwd_error(krb5_context context,
|
||||
diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h
|
||||
index 636c77ec97c..9cb00c9610e 100644
|
||||
--- a/source4/kdc/mit_samba.h
|
||||
+++ b/source4/kdc/mit_samba.h
|
||||
@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
|
||||
krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
|
||||
krb5_context context,
|
||||
int flags,
|
||||
- krb5_const_principal client_principal,
|
||||
krb5_db_entry *client,
|
||||
krb5_db_entry *server,
|
||||
krb5_db_entry *krbtgt,
|
||||
@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
|
||||
DATA_BLOB *e_data);
|
||||
|
||||
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
|
||||
- krb5_db_entry *kentry,
|
||||
- const char *target_name,
|
||||
- bool is_nt_enterprise_name);
|
||||
+ const krb5_db_entry *server,
|
||||
+ krb5_const_principal target_principal);
|
||||
|
||||
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
|
||||
char *pwd,
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 9eca7b08a3987d6320d6584e146005bbc01720f6 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Fri, 27 Sep 2019 18:35:30 +0300
|
||||
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
|
||||
|
||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
||||
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
|
||||
---
|
||||
lib/krb5_wrap/krb5_samba.c | 185 ++++++++++++++++++++++++++
|
||||
lib/krb5_wrap/krb5_samba.h | 2 -
|
||||
source4/auth/kerberos/kerberos_util.c | 11 --
|
||||
3 files changed, 185 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
|
||||
index fff5b4e2a22..791b417d5ba 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.c
|
||||
+++ b/lib/krb5_wrap/krb5_samba.c
|
||||
@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+#else /* MIT */
|
||||
+
|
||||
+static bool princ_compare_no_dollar(krb5_context ctx,
|
||||
+ krb5_principal a,
|
||||
+ krb5_principal b)
|
||||
+{
|
||||
+ bool cmp;
|
||||
+ krb5_principal mod = NULL;
|
||||
+
|
||||
+ if (a->length == 1 && b->length == 1 &&
|
||||
+ a->data[0].length != 0 && b->data[0].length != 0 &&
|
||||
+ a->data[0].data[a->data[0].length -1] !=
|
||||
+ b->data[0].data[b->data[0].length -1]) {
|
||||
+ if (a->data[0].data[a->data[0].length -1] == '$') {
|
||||
+ mod = a;
|
||||
+ mod->data[0].length--;
|
||||
+ } else if (b->data[0].data[b->data[0].length -1] == '$') {
|
||||
+ mod = b;
|
||||
+ mod->data[0].length--;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ cmp = krb5_principal_compare_flags(ctx, a, b,
|
||||
+ KRB5_PRINCIPAL_COMPARE_CASEFOLD);
|
||||
+
|
||||
+ if (mod != NULL) {
|
||||
+ mod->data[0].length++;
|
||||
+ }
|
||||
+
|
||||
+ return cmp;
|
||||
+}
|
||||
+
|
||||
+krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
+ krb5_ccache store_cc,
|
||||
+ krb5_principal init_principal,
|
||||
+ const char *init_password,
|
||||
+ krb5_principal impersonate_principal,
|
||||
+ const char *self_service,
|
||||
+ const char *target_service,
|
||||
+ krb5_get_init_creds_opt *krb_options,
|
||||
+ time_t *expire_time,
|
||||
+ time_t *kdc_time)
|
||||
+{
|
||||
+ krb5_error_code code;
|
||||
+ krb5_principal self_princ = NULL;
|
||||
+ krb5_principal target_princ = NULL;
|
||||
+ krb5_creds *store_creds;
|
||||
+ krb5_creds *s4u2self_creds = NULL;
|
||||
+ krb5_creds *s4u2proxy_creds = NULL;
|
||||
+ krb5_creds init_creds = {0};
|
||||
+ krb5_creds mcreds = {0};
|
||||
+ krb5_flags options = KRB5_GC_NO_STORE;
|
||||
+ krb5_ccache tmp_cc;
|
||||
+ bool s4u2proxy;
|
||||
+
|
||||
+ code = krb5_cc_new_unique(ctx, "MEMORY", NULL, &tmp_cc);
|
||||
+ if (code != 0) {
|
||||
+ return code;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_get_init_creds_password(ctx, &init_creds,
|
||||
+ init_principal,
|
||||
+ init_password,
|
||||
+ NULL, NULL,
|
||||
+ 0,
|
||||
+ NULL,
|
||||
+ krb_options);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_initialize(ctx, tmp_cc, init_creds.client);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_store_cred(ctx, tmp_cc, &init_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Check if we also need S4U2Proxy or if S4U2Self is
|
||||
+ * enough in order to get a ticket for the target.
|
||||
+ */
|
||||
+ if (target_service == NULL) {
|
||||
+ s4u2proxy = false;
|
||||
+ } else if (strcmp(target_service, self_service) == 0) {
|
||||
+ s4u2proxy = false;
|
||||
+ } else {
|
||||
+ s4u2proxy = true;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_parse_name(ctx, self_service, &self_princ);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* MIT lacks aliases support in S4U, for S4U2Self we require the tgt
|
||||
+ * client and the request server to be the same principal name. */
|
||||
+ if (!princ_compare_no_dollar(ctx, init_creds.client, self_princ)) {
|
||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ mcreds.client = impersonate_principal;
|
||||
+ mcreds.server = init_creds.client;
|
||||
+
|
||||
+ code = krb5_get_credentials_for_user(ctx, options, tmp_cc, &mcreds,
|
||||
+ NULL, &s4u2self_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (s4u2proxy) {
|
||||
+ code = krb5_parse_name(ctx, target_service, &target_princ);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ mcreds.client = init_creds.client;
|
||||
+ mcreds.server = target_princ;
|
||||
+ mcreds.second_ticket = s4u2self_creds->ticket;
|
||||
+
|
||||
+ code = krb5_get_credentials(ctx, options |
|
||||
+ KRB5_GC_CONSTRAINED_DELEGATION,
|
||||
+ tmp_cc, &mcreds, &s4u2proxy_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Check KDC support of S4U2Proxy extension */
|
||||
+ if (!krb5_principal_compare(ctx, s4u2self_creds->client,
|
||||
+ s4u2proxy_creds->client)) {
|
||||
+ code = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ store_creds = s4u2proxy_creds;
|
||||
+ } else {
|
||||
+ store_creds = s4u2self_creds;;
|
||||
+
|
||||
+ /* We need to save the ticket with the requested server name
|
||||
+ * or the caller won't be able to find it in cache. */
|
||||
+ if (!krb5_principal_compare(ctx, self_princ,
|
||||
+ store_creds->server)) {
|
||||
+ krb5_free_principal(ctx, store_creds->server);
|
||||
+ store_creds->server = NULL;
|
||||
+ code = krb5_copy_principal(ctx, self_princ,
|
||||
+ &store_creds->server);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_initialize(ctx, store_cc, store_creds->client);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ code = krb5_cc_store_cred(ctx, store_cc, store_creds);
|
||||
+ if (code != 0) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (expire_time) {
|
||||
+ *expire_time = (time_t) store_creds->times.endtime;
|
||||
+ }
|
||||
+
|
||||
+ if (kdc_time) {
|
||||
+ *kdc_time = (time_t) store_creds->times.starttime;
|
||||
+ }
|
||||
+
|
||||
+done:
|
||||
+ krb5_cc_destroy(ctx, tmp_cc);
|
||||
+ krb5_free_cred_contents(ctx, &init_creds);
|
||||
+ krb5_free_creds(ctx, s4u2self_creds);
|
||||
+ krb5_free_creds(ctx, s4u2proxy_creds);
|
||||
+ krb5_free_principal(ctx, self_princ);
|
||||
+ krb5_free_principal(ctx, target_princ);
|
||||
+
|
||||
+ return code;
|
||||
+}
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_KRB5_MAKE_PRINCIPAL) && defined(HAVE_KRB5_BUILD_PRINCIPAL_ALLOC_VA)
|
||||
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
|
||||
index 56a2a975278..5af9c6d73c1 100644
|
||||
--- a/lib/krb5_wrap/krb5_samba.h
|
||||
+++ b/lib/krb5_wrap/krb5_samba.h
|
||||
@@ -252,7 +252,6 @@ krb5_error_code smb_krb5_kinit_password_ccache(krb5_context ctx,
|
||||
krb5_get_init_creds_opt *krb_options,
|
||||
time_t *expire_time,
|
||||
time_t *kdc_time);
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
krb5_ccache store_cc,
|
||||
krb5_principal init_principal,
|
||||
@@ -263,7 +262,6 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
|
||||
krb5_get_init_creds_opt *krb_options,
|
||||
time_t *expire_time,
|
||||
time_t *kdc_time);
|
||||
-#endif
|
||||
|
||||
#if defined(HAVE_KRB5_MAKE_PRINCIPAL)
|
||||
#define smb_krb5_make_principal krb5_make_principal
|
||||
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
|
||||
index 544d9d853cc..c14d8c72d8c 100644
|
||||
--- a/source4/auth/kerberos/kerberos_util.c
|
||||
+++ b/source4/auth/kerberos/kerberos_util.c
|
||||
@@ -234,9 +234,7 @@ done:
|
||||
{
|
||||
krb5_error_code ret;
|
||||
const char *password;
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
const char *self_service;
|
||||
-#endif
|
||||
const char *target_service;
|
||||
time_t kdc_time = 0;
|
||||
krb5_principal princ;
|
||||
@@ -268,9 +266,7 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
self_service = cli_credentials_get_self_service(credentials);
|
||||
-#endif
|
||||
target_service = cli_credentials_get_target_service(credentials);
|
||||
|
||||
password = cli_credentials_get_password(credentials);
|
||||
@@ -331,7 +327,6 @@ done:
|
||||
#endif
|
||||
if (password) {
|
||||
if (impersonate_principal) {
|
||||
-#ifdef SAMBA4_USES_HEIMDAL
|
||||
ret = smb_krb5_kinit_s4u2_ccache(smb_krb5_context->krb5_context,
|
||||
ccache,
|
||||
princ,
|
||||
@@ -342,12 +337,6 @@ done:
|
||||
krb_options,
|
||||
NULL,
|
||||
&kdc_time);
|
||||
-#else
|
||||
- talloc_free(mem_ctx);
|
||||
- (*error_string) = "INTERNAL error: s4u2 ops "
|
||||
- "are not supported with MIT build yet";
|
||||
- return EINVAL;
|
||||
-#endif
|
||||
} else {
|
||||
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
|
||||
ccache,
|
||||
--
|
||||
2.33.1
|
||||
|
||||
|
||||
From 80289eca2bb614aacd0df86bcf7ad7027c080671 Mon Sep 17 00:00:00 2001
|
||||
From: Isaac Boukris <iboukris@gmail.com>
|
||||
Date: Sat, 19 Sep 2020 14:16:20 +0200
|
||||
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
|
||||
|
||||
---
|
||||
source4/heimdal/lib/hdb/hdb.h | 1 +
|
||||
source4/kdc/db-glue.c | 8 ++++++--
|
||||
source4/kdc/mit_samba.c | 3 +++
|
||||
source4/kdc/sdb.h | 1 +
|
||||
4 files changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h
|
||||
index 5ef9d9565f3..dafaffc6c2d 100644
|
||||
--- a/source4/heimdal/lib/hdb/hdb.h
|
||||
+++ b/source4/heimdal/lib/hdb/hdb.h
|
||||
@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
|
||||
#define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */
|
||||
#define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
/* hdb_capability_flags */
|
||||
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
|
||||
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
||||
index aff74f2ee71..d16b4c3329a 100644
|
||||
--- a/source4/kdc/db-glue.c
|
||||
+++ b/source4/kdc/db-glue.c
|
||||
@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) {
|
||||
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ?
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
krb5_clear_error_message(context);
|
||||
goto out;
|
||||
}
|
||||
- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) {
|
||||
+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){
|
||||
/*
|
||||
* SDB_F_CANON maps from the canonicalize flag in the
|
||||
* packet, and has a different meaning between AS-REQ
|
||||
* and TGS-REQ. We only change the principal in the AS-REQ case
|
||||
+ *
|
||||
+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants
|
||||
+ * the canonical name in all lookups, and takes care to canonicalize
|
||||
+ * only when appropriate.
|
||||
*/
|
||||
ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL);
|
||||
if (ret) {
|
||||
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
|
||||
index 2a48d731501..a8d3e7ed493 100644
|
||||
--- a/source4/kdc/mit_samba.c
|
||||
+++ b/source4/kdc/mit_samba.c
|
||||
@@ -198,6 +198,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
|
||||
if (kflags & KRB5_KDB_FLAG_CANONICALIZE) {
|
||||
sflags |= SDB_F_CANON;
|
||||
}
|
||||
+#if KRB5_KDB_API_VERSION >= 10
|
||||
+ sflags |= SDB_F_FORCE_CANON;
|
||||
+#endif
|
||||
if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY |
|
||||
KRB5_KDB_FLAG_INCLUDE_PAC)) {
|
||||
/*
|
||||
diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h
|
||||
index c929acccce6..a9115ec23d7 100644
|
||||
--- a/source4/kdc/sdb.h
|
||||
+++ b/source4/kdc/sdb.h
|
||||
@@ -116,6 +116,7 @@ struct sdb_entry_ex {
|
||||
#define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */
|
||||
#define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */
|
||||
#define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */
|
||||
+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */
|
||||
|
||||
void sdb_free_entry(struct sdb_entry_ex *e);
|
||||
void free_sdb_entry(struct sdb_entry *s);
|
||||
--
|
||||
2.33.1
|
||||
|
262
samba.spec
262
samba.spec
|
@ -8,15 +8,15 @@
|
|||
|
||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||
|
||||
%define main_release 1
|
||||
%define main_release 2
|
||||
|
||||
%define samba_version 4.13.0
|
||||
%define samba_version 4.13.14
|
||||
%define talloc_version 2.3.1
|
||||
%define tdb_version 1.4.3
|
||||
%define tevent_version 0.10.2
|
||||
%define ldb_version 2.2.0
|
||||
%define ldb_version 2.2.3
|
||||
# This should be rc1 or nil
|
||||
%define pre_release rc1
|
||||
%define pre_release %nil
|
||||
|
||||
%if "x%{?pre_release}" != "x"
|
||||
%define samba_release 0.%{main_release}.%{pre_release}%{?dist}
|
||||
|
@ -83,10 +83,8 @@
|
|||
%global with_clustering_support 1
|
||||
%endif
|
||||
|
||||
%global with_winexe 1
|
||||
%if 0%{?rhel}
|
||||
%global with_winexe 0
|
||||
%endif
|
||||
# Enable winexe by default
|
||||
%bcond_without winexe
|
||||
|
||||
%global with_vfs_io_uring 0
|
||||
# We need liburing >= 0.4 which is not available in RHEL yet
|
||||
|
@ -122,7 +120,7 @@ URL: https://www.samba.org
|
|||
# This is a xz recompressed file of https://ftp.samba.org/pub/samba/samba-%%{version}%%{pre_release}.tar.gz
|
||||
Source0: https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.gz#/samba-%{version}%{pre_release}.tar.xz
|
||||
Source1: https://ftp.samba.org/pub/samba/samba-%{version}%{pre_release}.tar.asc
|
||||
Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg
|
||||
Source2: samba-pubkey_AA99442FB680B620.gpg
|
||||
|
||||
# Red Hat specific replacement-files
|
||||
Source10: samba.logrotate
|
||||
|
@ -132,6 +130,14 @@ Source13: pam_winbind.conf
|
|||
Source14: samba.pamd
|
||||
|
||||
Source201: README.downgrade
|
||||
Patch1: samba-s4u.patch
|
||||
# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-13-redhat
|
||||
# This will give us CI and makes it easy to generate patchsets.
|
||||
#
|
||||
# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.13-redhat.patch
|
||||
Patch2: samba-4.13-redhat.patch
|
||||
Patch3: samba-4.13-fix-winbind-no-trusted-domain.patch
|
||||
Patch4: samba-4.13-ipa-dc-schannel.patch
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
Requires(post): systemd
|
||||
|
@ -194,7 +200,7 @@ BuildRequires: libtirpc-devel
|
|||
BuildRequires: libuuid-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: lmdb
|
||||
%if %{with_winexe}
|
||||
%if %{with winexe}
|
||||
BuildRequires: mingw32-gcc
|
||||
BuildRequires: mingw64-gcc
|
||||
%endif
|
||||
|
@ -391,7 +397,6 @@ Requires: ldb-tools
|
|||
# See bug 1507420
|
||||
%samba_requires_eq libldb
|
||||
|
||||
Requires: python3-crypto
|
||||
Requires: python3-%{name} = %{samba_depver}
|
||||
Requires: python3-%{name}-dc = %{samba_depver}
|
||||
Requires: krb5-server >= %{required_mit_krb5}
|
||||
|
@ -587,6 +592,13 @@ Requires: libwbclient = %{samba_depver}
|
|||
The python3-%{name} package contains the Python 3 libraries needed by programs
|
||||
that use SMB, RPC and other Samba provided protocols in Python 3 programs.
|
||||
|
||||
%package -n python3-%{name}-devel
|
||||
Summary: Samba python devel files
|
||||
Requires: python3-%{name} = %{samba_depver}
|
||||
|
||||
%description -n python3-%{name}-devel
|
||||
The python3-%{name}-devel package contains the Python 3 defel files.
|
||||
|
||||
%package -n python3-samba-test
|
||||
Summary: Samba Python libraries
|
||||
Requires: python3-%{name} = %{samba_depver}
|
||||
|
@ -754,7 +766,7 @@ The samba-winbind-modules package provides the NSS library and a PAM module
|
|||
necessary to communicate to the Winbind Daemon
|
||||
|
||||
### WINEXE
|
||||
%if %{with_winexe}
|
||||
%if %{with winexe}
|
||||
%package winexe
|
||||
Summary: Samba Winexe Windows Binary
|
||||
License: GPLv3
|
||||
|
@ -909,16 +921,16 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold"
|
|||
--systemd-winbind-extra=%{_systemd_extra} \
|
||||
--systemd-samba-extra=%{_systemd_extra}
|
||||
|
||||
make %{?_smp_mflags}
|
||||
%make_build
|
||||
|
||||
pushd pidl
|
||||
%__perl Makefile.PL PREFIX=%{_prefix}
|
||||
|
||||
make %{?_smp_mflags}
|
||||
%make_build
|
||||
popd
|
||||
|
||||
%install
|
||||
make %{?_smp_mflags} install DESTDIR=%{buildroot}
|
||||
%make_install
|
||||
|
||||
install -d -m 0755 %{buildroot}/usr/{sbin,bin}
|
||||
install -d -m 0755 %{buildroot}%{_libdir}/security
|
||||
|
@ -1083,16 +1095,6 @@ rm -f %{buildroot}%{_mandir}/man8/vfs_ceph_snapshots.8*
|
|||
# the ldconfig-created links be recorded in the RPM.
|
||||
/sbin/ldconfig -N -n %{buildroot}%{_libdir}
|
||||
|
||||
%if ! %with_dc
|
||||
for f in samba/libsamba-net-samba4.so \
|
||||
samba/libsamba-python-samba4.so \
|
||||
libsamba-policy.so* \
|
||||
pkgconfig/samba-policy.pc ; do
|
||||
rm -f %{buildroot}%{_libdir}/$f
|
||||
done
|
||||
#endif ! with_dc
|
||||
%endif
|
||||
|
||||
pushd pidl
|
||||
make DESTDIR=%{buildroot} install_vendor
|
||||
|
||||
|
@ -1105,7 +1107,7 @@ popd
|
|||
|
||||
%if %{with testsuite}
|
||||
%check
|
||||
TDB_NO_FSYNC=1 make %{?_smp_mflags} test FAIL_IMMEDIATELY=1
|
||||
TDB_NO_FSYNC=1 %make_build test FAIL_IMMEDIATELY=1
|
||||
#endif with testsuite
|
||||
%endif
|
||||
|
||||
|
@ -1493,6 +1495,7 @@ fi
|
|||
%{_libdir}/samba/libcommon-auth-samba4.so
|
||||
%{_libdir}/samba/libctdb-event-client-samba4.so
|
||||
%{_libdir}/samba/libdbwrap-samba4.so
|
||||
%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so
|
||||
%{_libdir}/samba/libdcerpc-samba-samba4.so
|
||||
%{_libdir}/samba/libevents-samba4.so
|
||||
%{_libdir}/samba/libflag-mapping-samba4.so
|
||||
|
@ -1537,7 +1540,6 @@ fi
|
|||
%{_libdir}/samba/libsmb-transport-samba4.so
|
||||
%{_libdir}/samba/libsmbclient-raw-samba4.so
|
||||
%{_libdir}/samba/libsmbd-base-samba4.so
|
||||
%{_libdir}/samba/libsmbd-conn-samba4.so
|
||||
%{_libdir}/samba/libsmbd-shim-samba4.so
|
||||
%{_libdir}/samba/libsmbldaphelper-samba4.so
|
||||
%{_libdir}/samba/libsys-rw-samba4.so
|
||||
|
@ -1732,6 +1734,8 @@ fi
|
|||
%{_libdir}/samba/bind9/dlz_bind9_10.so
|
||||
%{_libdir}/samba/bind9/dlz_bind9_11.so
|
||||
%{_libdir}/samba/bind9/dlz_bind9_12.so
|
||||
%{_libdir}/samba/bind9/dlz_bind9_14.so
|
||||
%{_libdir}/samba/bind9/dlz_bind9_16.so
|
||||
#endif with_dc
|
||||
%endif
|
||||
|
||||
|
@ -1985,6 +1989,7 @@ fi
|
|||
%{python3_sitearch}/samba/__pycache__/compat.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/descriptor.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/getopt.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/gpclass.*.pyc
|
||||
|
@ -2005,6 +2010,7 @@ fi
|
|||
%{python3_sitearch}/samba/__pycache__/sites.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/subnets.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/upgrade.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc
|
||||
%{python3_sitearch}/samba/__pycache__/xattr.*.pyc
|
||||
|
@ -2036,6 +2042,7 @@ fi
|
|||
%{python3_sitearch}/samba/dcerpc/idmap.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/initshutdown.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/irpc.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/krb5pac.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/lsa.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/messaging.*.so
|
||||
|
@ -2062,6 +2069,7 @@ fi
|
|||
%{python3_sitearch}/samba/dcerpc/wkssvc.*.so
|
||||
%{python3_sitearch}/samba/dcerpc/xattr.*.so
|
||||
%{python3_sitearch}/samba/descriptor.py
|
||||
%{python3_sitearch}/samba/dnsresolver.py
|
||||
%{python3_sitearch}/samba/drs_utils.py
|
||||
%{python3_sitearch}/samba/gensec.*.so
|
||||
%{python3_sitearch}/samba/getopt.py
|
||||
|
@ -2194,25 +2202,20 @@ fi
|
|||
%{python3_sitearch}/samba/third_party/__init__.py
|
||||
%dir %{python3_sitearch}/samba/third_party/__pycache__
|
||||
%{python3_sitearch}/samba/third_party/__pycache__/__init__.*.pyc
|
||||
%{python3_sitearch}/samba/trust_utils.py
|
||||
%{python3_sitearch}/samba/upgrade.py
|
||||
%{python3_sitearch}/samba/upgradehelpers.py
|
||||
%{python3_sitearch}/samba/werror.*.so
|
||||
%{python3_sitearch}/samba/xattr.py
|
||||
%{python3_sitearch}/samba/xattr_native.*.so
|
||||
%{python3_sitearch}/samba/xattr_tdb.*.so
|
||||
# FIXME:
|
||||
# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so
|
||||
# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so.0
|
||||
# /usr/lib64/libsamba-policy.cpython-36m-x86-64-linux-gnu.so.0.0.1
|
||||
%{_libdir}/libsamba-policy.*.so*
|
||||
# FIXME:
|
||||
# /usr/lib64/pkgconfig/samba-policy.cpython-36m-x86_64-linux-gnu.pc
|
||||
%{_libdir}/libsamba-policy.cpython*.so.*
|
||||
%{_libdir}/samba/libsamba-net.cpython*.so
|
||||
%{_libdir}/samba/libsamba-python.cpython*.so
|
||||
|
||||
%files -n python3-%{name}-devel
|
||||
%{_libdir}/libsamba-policy.cpython*.so
|
||||
%{_libdir}/pkgconfig/samba-policy.*.pc
|
||||
# FIXME:
|
||||
# /usr/lib64/samba/libsamba-net.cpython-36m-x86-64-linux-gnu-samba4.so
|
||||
# /usr/lib64/samba/libsamba-python.cpython-36m-x86-64-linux-gnu-samba4.so
|
||||
%{_libdir}/samba/libsamba-net.*-samba4.so
|
||||
%{_libdir}/samba/libsamba-python.*-samba4.so
|
||||
|
||||
%if %{with_dc}
|
||||
%files -n python3-%{name}-dc
|
||||
|
@ -2305,6 +2308,7 @@ fi
|
|||
%{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc
|
||||
|
@ -2323,6 +2327,8 @@ fi
|
|||
%{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc
|
||||
%{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc
|
||||
|
@ -2434,8 +2440,11 @@ fi
|
|||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/createtrustrelax.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc
|
||||
|
@ -2444,14 +2453,18 @@ fi
|
|||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpc_talloc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpcecho.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/sam.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/samr_change_password.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/srvsvc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/string_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/testrpc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/__pycache__/unix.*.pyc
|
||||
%{python3_sitearch}/samba/tests/dcerpc/array.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/bare.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/binding.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/dnsserver.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/integer.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/lsa.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/mdssvc.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/misc.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py
|
||||
|
@ -2460,6 +2473,7 @@ fi
|
|||
%{python3_sitearch}/samba/tests/dcerpc/rpc_talloc.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/rpcecho.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/sam.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/samr_change_password.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/srvsvc.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/string_tests.py
|
||||
%{python3_sitearch}/samba/tests/dcerpc/testrpc.py
|
||||
|
@ -2476,6 +2490,7 @@ fi
|
|||
%{python3_sitearch}/samba/tests/dns_tkey.py
|
||||
%{python3_sitearch}/samba/tests/dns_wildcard.py
|
||||
%{python3_sitearch}/samba/tests/dsdb.py
|
||||
%{python3_sitearch}/samba/tests/dsdb_api.py
|
||||
%{python3_sitearch}/samba/tests/dsdb_lock.py
|
||||
%{python3_sitearch}/samba/tests/dsdb_schema_attributes.py
|
||||
%{python3_sitearch}/samba/tests/docs.py
|
||||
|
@ -2513,21 +2528,60 @@ fi
|
|||
%{python3_sitearch}/samba/tests/kcc/ldif_import_export.py
|
||||
%dir %{python3_sitearch}/samba/tests/krb5
|
||||
%dir %{python3_sitearch}/samba/tests/krb5/__pycache__
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc
|
||||
%{python3_sitearch}/samba/tests/krb5/alias_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/as_req_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/compatability_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/fast_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/kcrypto.py
|
||||
%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
|
||||
%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/raw_testcase.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py
|
||||
%{python3_sitearch}/samba/tests/krb5/simple_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/rodc_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/s4u_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/salt_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/simple_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/spn_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_ccache.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_ldap.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_rpc.py
|
||||
%{python3_sitearch}/samba/tests/krb5/test_smb.py
|
||||
%{python3_sitearch}/samba/tests/krb5/xrealm_tests.py
|
||||
%{python3_sitearch}/samba/tests/krb5_credentials.py
|
||||
%{python3_sitearch}/samba/tests/ldap_raw.py
|
||||
%{python3_sitearch}/samba/tests/ldap_referrals.py
|
||||
%{python3_sitearch}/samba/tests/ldap_spn.py
|
||||
%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py
|
||||
%{python3_sitearch}/samba/tests/libsmb.py
|
||||
%{python3_sitearch}/samba/tests/loadparm.py
|
||||
%{python3_sitearch}/samba/tests/lsa_string.py
|
||||
|
@ -2712,6 +2766,7 @@ fi
|
|||
### WINBIND-KRB5-LOCATOR
|
||||
%files winbind-krb5-locator
|
||||
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
%dir %{_libdir}/samba/krb5
|
||||
%{_libdir}/samba/krb5/winbind_krb5_locator.so
|
||||
%{_mandir}/man8/winbind_krb5_locator.8*
|
||||
|
||||
|
@ -3342,6 +3397,7 @@ fi
|
|||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof
|
||||
%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill
|
||||
|
@ -3612,13 +3668,135 @@ fi
|
|||
#endif with_clustering_support
|
||||
%endif
|
||||
|
||||
%if %{with_winexe}
|
||||
%if %{with winexe}
|
||||
### WINEXE
|
||||
%files winexe
|
||||
%{_bindir}/winexe
|
||||
%{_mandir}/man1/winexe.1.gz
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Sat Nov 13 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-2
|
||||
- Fix IPA DC schannel support
|
||||
|
||||
* Thu Nov 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-1
|
||||
- Fix winbind trusted domain regression
|
||||
- related: #2021716
|
||||
|
||||
* Tue Nov 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.14-0
|
||||
- Update to Samba 4.13.14
|
||||
- resolves: #2019660, #2021711 - Security fixes for CVE-2016-2124
|
||||
- resolves: #2019672, #2021716 - Security fixes for CVE-2020-25717
|
||||
- resolves: #2019726, #2021718 - Security fixes for CVE-2020-25718
|
||||
- resolves: #2019732, #2021719 - Security fixes for CVE-2020-25719
|
||||
- resolves: #2021728, #2021729 - Security fixes for CVE-2020-25721
|
||||
- resolves: #2019764, #2021721 - Security fixes for CVE-2020-25722
|
||||
- resolves: #2021726, #2021727 - Security fixes for CVE-2021-3738
|
||||
- resolves: #2019666, #2021715 - Security fixes for CVE-2021-23192
|
||||
|
||||
* Fri Oct 29 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.13-0
|
||||
- Update to Samba 4.13.13
|
||||
|
||||
* Wed Sep 22 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.12-0
|
||||
- Update to Samba 4.13.12
|
||||
|
||||
* Tue Sep 07 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.11-0
|
||||
- Update to Samba 4.13.11
|
||||
|
||||
* Wed Jul 14 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.10-0
|
||||
- Update to Samba 4.13.10
|
||||
|
||||
* Tue May 11 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.9-0
|
||||
- Update to Samba 4.13.9
|
||||
|
||||
* Thu Apr 29 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.8-0
|
||||
- Update to Samba 4.13.8
|
||||
- resolves: #1949442, #1955027 - Security fixes for CVE-2021-20254
|
||||
|
||||
* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.7-1
|
||||
- Fix memory leaks in RPC server
|
||||
- resolves: #1946950
|
||||
|
||||
* Thu Mar 25 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.7-0
|
||||
- Update to Samba 4.13.7
|
||||
- related: #1941400, #1942496 - Security fixes for CVE-2020-27840
|
||||
- related: #1941402, #1942497 - Security fixes for CVE-2021-20277
|
||||
|
||||
* Wed Mar 24 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.6-0
|
||||
- Update to Samba 4.13.6
|
||||
- resolves: #1941400, #1942496 - Security fixes for CVE-2020-27840
|
||||
- resolves: #1941402, #1942497 - Security fixes for CVE-2021-20277
|
||||
|
||||
* Tue Mar 09 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.5-0
|
||||
- Update to Samba 4.13.5
|
||||
|
||||
* Tue Jan 26 2021 Guenther Deschner <gdeschner@redhat.com> - 4.13.4-0
|
||||
- Update to Samba 4.13.4
|
||||
|
||||
* Tue Dec 15 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.3-0
|
||||
- Update to Samba 4.13.3
|
||||
|
||||
* Wed Nov 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.2-2
|
||||
- rhbz#1892745, rhbz#1900232: smbclient mget crashes (upstream bug 14517)
|
||||
- Merge RHEL 8.4 patches:
|
||||
- FIPS-related enhancements
|
||||
- FreeIPA Global Catalog patches
|
||||
|
||||
* Tue Nov 03 2020 Andreas Schneider <asn@redhat.com> - 4.13.2-1
|
||||
- Create a python3-samba-devel package to avoid unnessary dependencies
|
||||
|
||||
* Tue Nov 03 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.2-0
|
||||
- Update to Samba 4.13.2
|
||||
|
||||
* Thu Oct 29 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.1-0
|
||||
- Update to Samba 4.13.1
|
||||
- resolves: #1892631, #1892634 - Security fixes for CVE-2020-14318
|
||||
- resolves: #1891685, #1892628 - Security fixes for CVE-2020-14323
|
||||
- resolves: #1892636, #1892640 - Security fixes for CVE-2020-14383
|
||||
|
||||
* Sun Oct 25 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-13
|
||||
- Report 'samba' daemon status back to systemd
|
||||
- Support dnspython 2.0.0 or later in samba_dnsupdate
|
||||
|
||||
* Thu Oct 22 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.13.0-12
|
||||
- Add preliminary support for S4U operations in Samba AD DC
|
||||
resolves: #1836630 - Samba DC: Remote Desktop cannot access files
|
||||
- Fix lookup_unix_user_name to allow lookup of realm-qualified users and groups
|
||||
required for upcoming FreeIPA Global Catalog support
|
||||
|
||||
* Tue Sep 22 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0-11
|
||||
- Update to Samba 4.13.0
|
||||
|
||||
* Fri Sep 18 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc6-10
|
||||
- Update to Samba 4.13.0rc6
|
||||
- resolves: #1879822, #1880703 - Security fixes for CVE-2020-1472
|
||||
|
||||
* Wed Sep 16 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc5-9
|
||||
- Update to Samba 4.13.0rc5
|
||||
|
||||
* Mon Sep 07 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc4-8
|
||||
- Update to Samba 4.13.0rc4
|
||||
|
||||
* Fri Aug 28 2020 Neal Gompa <ngompa13@gmail.com> - 4.13.0rc3-6
|
||||
- Enable winexe by default everywhere
|
||||
|
||||
* Fri Aug 28 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc3-5
|
||||
- Update to Samba 4.13.0rc3
|
||||
|
||||
* Fri Aug 14 2020 Guenther Deschner <gdeschner@redhat.com> - 4.13.0rc2-4
|
||||
- Update to Samba 4.13.0rc2
|
||||
|
||||
* Wed Aug 12 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-3
|
||||
- resolves: #1865831 - Add missing /usr/lib64/samba/krb5 directory
|
||||
- resolves: #1866989 - Remove obsolete python3-crypto dependency
|
||||
|
||||
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.13.0-0.2.rc1.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 2:4.13.0-0.2.rc1
|
||||
- Use make macros
|
||||
https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
|
||||
|
||||
* Tue Jul 14 2020 Andreas Schneider <asn@redhat.com> - 4.13.0rc1-1
|
||||
- Move mdssvc data files to correct package
|
||||
|
||||
|
|
|
@ -2,6 +2,10 @@
|
|||
# read the smb.conf manpage.
|
||||
# Run 'testparm' to verify the config is correct after
|
||||
# you modified it.
|
||||
#
|
||||
# Note:
|
||||
# SMB1 is disabled by default. This means clients without support for SMB2 or
|
||||
# SMB3 are no longer able to connect to smbd (by default).
|
||||
|
||||
[global]
|
||||
workgroup = SAMBA
|
||||
|
|
4
sources
4
sources
|
@ -1,2 +1,2 @@
|
|||
SHA512 (samba-4.13.0rc1.tar.xz) = 3e6d431998907ad8c81f488ddf78dcef5fd6a4cdf8ca684e5ad0ce9bf7217d82fcca7501155446c83d804f939bea7012f1d37c1f738d8ec7bc769a9148a6592a
|
||||
SHA512 (samba-4.13.0rc1.tar.asc) = 6dfe9467fd7fd28db91ae15fa3314a7707cfeb88c8ecd2af532d57614bec311119546a2fd4ced71063df9b7d6879a62f9ba512ae05d494323e0362a5492d33fa
|
||||
SHA512 (samba-4.13.14.tar.xz) = 9df1de1ef80010e83ac36239d4af7958fe4f44a0cad4c68cdde71d63d502372767dfe4e01f4743e3ab1d23fe3b65ac7571c14ef9614a3b6feba53c2295a7f28e
|
||||
SHA512 (samba-4.13.14.tar.asc) = 525f0d8087076e39db3205d878a2aba8242ef79927bca253963b2df7f181439dc825efd5ed457103a06251f2870fda68811ed1395a6cb7a995630e8f193153e7
|
||||
|
|
Loading…
Reference in New Issue