From b8c2d679e66bde153229d7be9fd2cb4619302770 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Thu, 13 Jun 2024 03:37:18 +0300 Subject: [PATCH] import samba-4.19.4-105.el9_4 --- .gitignore | 2 +- .samba.metadata | 2 +- SOURCES/CVE-2023-3961-pipename-4.18.6.patch | 296 --- SOURCES/CVE-2023-4091-truncate-4.18.patch | 240 --- .../CVE-2023-42669-remove-rpcecho-4.18.patch | 124 -- ...18-fix-nss-winbind-memory-corruption.patch | 614 ------- SOURCES/samba-4.18.6.tar.asc | 16 - SOURCES/samba-4.19-redhat.patch | 1632 +++++++++++++++++ SOURCES/samba-4.19.4.tar.asc | 16 + SOURCES/samba-winbind-systemd-sysusers.conf | 2 + SPECS/samba.spec | 259 ++- 11 files changed, 1860 insertions(+), 1343 deletions(-) delete mode 100644 SOURCES/CVE-2023-3961-pipename-4.18.6.patch delete mode 100644 SOURCES/CVE-2023-4091-truncate-4.18.patch delete mode 100644 SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch delete mode 100644 SOURCES/samba-4.18-fix-nss-winbind-memory-corruption.patch delete mode 100644 SOURCES/samba-4.18.6.tar.asc create mode 100644 SOURCES/samba-4.19-redhat.patch create mode 100644 SOURCES/samba-4.19.4.tar.asc create mode 100644 SOURCES/samba-winbind-systemd-sysusers.conf diff --git a/.gitignore b/.gitignore index c1e928f..775a82a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/samba-4.18.6.tar.xz +SOURCES/samba-4.19.4.tar.xz SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/.samba.metadata b/.samba.metadata index c0a00fe..8a5c50b 100644 --- a/.samba.metadata +++ b/.samba.metadata @@ -1,2 +1,2 @@ -12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz +6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg diff --git a/SOURCES/CVE-2023-3961-pipename-4.18.6.patch b/SOURCES/CVE-2023-3961-pipename-4.18.6.patch deleted file mode 100644 index 7aa0e97..0000000 --- a/SOURCES/CVE-2023-3961-pipename-4.18.6.patch +++ /dev/null @@ -1,296 +0,0 @@ -From c87e6b4ec57120cf1d14e82fd2bfc162ce65f663 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 25 Jul 2023 17:41:04 -0700 -Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that - could exit socket_dir. - -For now, SMB_ASSERT() to exit the server. We will remove -this once the test code is in place. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 - -Signed-off-by: Jeremy Allison ---- - source3/rpc_client/local_np.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c -index 0b323404f06..95228d5d801 100644 ---- a/source3/rpc_client/local_np.c -+++ b/source3/rpc_client/local_np.c -@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( - return tevent_req_post(req, ev); - } - -+ /* -+ * Ensure we cannot process a path that exits -+ * the socket_dir. -+ */ -+ if (ISDOTDOT(lower_case_pipename) || -+ (strchr(lower_case_pipename, '/')!=NULL)) -+ { -+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", -+ lower_case_pipename); -+ /* -+ * For now, panic the server until we have -+ * the test code in place. -+ */ -+ SMB_ASSERT(false); -+ tevent_req_error(req, ENOENT); -+ return tevent_req_post(req, ev); -+ } -+ - state->socketpath = talloc_asprintf( - state, "%s/np/%s", socket_dir, lower_case_pipename); - if (tevent_req_nomem(state->socketpath, req)) { --- -2.41.0 - - -From 1571d37b9cfb4df7333639b5ddfbe7e321959f4e Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 25 Jul 2023 17:49:21 -0700 -Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME - to show we allow bad pipenames with unix separators through to the UNIX - domain socket code. - -The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, -as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. - -Add the knownfail. - -BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 - -Signed-off-by: Jeremy Allison ---- - selftest/knownfail.d/badpipename | 1 + - source3/selftest/tests.py | 14 ++++ - source3/torture/proto.h | 1 + - source3/torture/test_smb2.c | 107 +++++++++++++++++++++++++++++++ - source3/torture/torture.c | 4 ++ - 5 files changed, 127 insertions(+) - create mode 100644 selftest/knownfail.d/badpipename - -diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename -new file mode 100644 -index 00000000000..e69715f863d ---- /dev/null -+++ b/selftest/knownfail.d/badpipename -@@ -0,0 +1 @@ -+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 178f550b5b7..139f98637cb 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -296,6 +296,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH", - smbtorture3, - "-mSMB2"]) - -+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 -+# Prevent bad pipenames. -+# -+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME", -+ "fileserver", -+ [os.path.join(samba3srcdir, -+ "script/tests/test_smbtorture_s3.sh"), -+ 'SMB2-INVALID-PIPENAME', -+ '//$SERVER_IP/tmp', -+ '$USERNAME', -+ '$PASSWORD', -+ smbtorture3, -+ "-mSMB2"]) -+ - # - # SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share - # This is an empty non-DFS share with no links, used merely to test -diff --git a/source3/torture/proto.h b/source3/torture/proto.h -index 5e6d914c3da..ecd7fa2ef2d 100644 ---- a/source3/torture/proto.h -+++ b/source3/torture/proto.h -@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy); - bool run_smb2_non_dfs_share(int dummy); - bool run_smb2_dfs_share_non_dfs_path(int dummy); - bool run_smb2_dfs_filename_leading_backslash(int dummy); -+bool run_smb2_invalid_pipename(int dummy); - bool run_smb1_dfs_paths(int dummy); - bool run_smb1_dfs_search_paths(int dummy); - bool run_smb1_dfs_operations(int dummy); -diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c -index dc249643aa6..337181ae893 100644 ---- a/source3/torture/test_smb2.c -+++ b/source3/torture/test_smb2.c -@@ -5136,3 +5136,110 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy) - (void)smb2_dfs_delete(cli, dfs_filename_slash); - return retval; - } -+ -+bool run_smb2_invalid_pipename(int dummy) -+{ -+ struct cli_state *cli = NULL; -+ NTSTATUS status; -+ uint64_t fid_persistent = 0; -+ uint64_t fid_volatile = 0; -+ const char *unknown_pipe = "badpipe"; -+ const char *invalid_pipe = "../../../../../../../../../badpipe"; -+ -+ printf("Starting SMB2-INVALID-PIPENAME\n"); -+ -+ if (!torture_init_connection(&cli)) { -+ return false; -+ } -+ -+ status = smbXcli_negprot(cli->conn, -+ cli->timeout, -+ PROTOCOL_SMB2_02, -+ PROTOCOL_SMB3_11); -+ if (!NT_STATUS_IS_OK(status)) { -+ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); -+ return false; -+ } -+ -+ status = cli_session_setup_creds(cli, torture_creds); -+ if (!NT_STATUS_IS_OK(status)) { -+ printf("cli_session_setup returned %s\n", nt_errstr(status)); -+ return false; -+ } -+ -+ status = cli_tree_connect(cli, "IPC$", "?????", NULL); -+ if (!NT_STATUS_IS_OK(status)) { -+ printf("cli_tree_connect returned %s\n", nt_errstr(status)); -+ return false; -+ } -+ -+ /* Try and connect to an unknown pipename. */ -+ status = smb2cli_create(cli->conn, -+ cli->timeout, -+ cli->smb2.session, -+ cli->smb2.tcon, -+ unknown_pipe, -+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ -+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ -+ SEC_STD_SYNCHRONIZE| -+ SEC_FILE_READ_DATA| -+ SEC_FILE_WRITE_DATA| -+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ -+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ -+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ -+ FILE_CREATE, /* create_disposition, */ -+ 0, /* create_options, */ -+ NULL, /* smb2_create_blobs *blobs */ -+ &fid_persistent, -+ &fid_volatile, -+ NULL, /* struct smb_create_returns * */ -+ talloc_tos(), /* mem_ctx. */ -+ NULL, /* struct smb2_create_blobs * */ -+ NULL); /* struct symlink_reparse_struct */ -+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */ -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { -+ printf("%s:%d smb2cli_create on name %s returned %s\n", -+ __FILE__, -+ __LINE__, -+ unknown_pipe, -+ nt_errstr(status)); -+ return false; -+ } -+ -+ /* Try and connect to an invalid pipename containing unix separators. */ -+ status = smb2cli_create(cli->conn, -+ cli->timeout, -+ cli->smb2.session, -+ cli->smb2.tcon, -+ invalid_pipe, -+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ -+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ -+ SEC_STD_SYNCHRONIZE| -+ SEC_FILE_READ_DATA| -+ SEC_FILE_WRITE_DATA| -+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ -+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ -+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ -+ FILE_CREATE, /* create_disposition, */ -+ 0, /* create_options, */ -+ NULL, /* smb2_create_blobs *blobs */ -+ &fid_persistent, -+ &fid_volatile, -+ NULL, /* struct smb_create_returns * */ -+ talloc_tos(), /* mem_ctx. */ -+ NULL, /* struct smb2_create_blobs * */ -+ NULL); /* struct symlink_reparse_struct */ -+ /* -+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND -+ * (tested against Windows 2022). -+ */ -+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { -+ printf("%s:%d smb2cli_create on name %s returned %s\n", -+ __FILE__, -+ __LINE__, -+ invalid_pipe, -+ nt_errstr(status)); -+ return false; -+ } -+ return true; -+} -diff --git a/source3/torture/torture.c b/source3/torture/torture.c -index 63fe4ac6f7f..99eab0b2768 100644 ---- a/source3/torture/torture.c -+++ b/source3/torture/torture.c -@@ -15727,6 +15727,10 @@ static struct { - .name = "SMB2-DFS-FILENAME-LEADING-BACKSLASH", - .fn = run_smb2_dfs_filename_leading_backslash, - }, -+ { -+ .name = "SMB2-INVALID-PIPENAME", -+ .fn = run_smb2_invalid_pipename, -+ }, - { - .name = "SMB1-TRUNCATED-SESSSETUP", - .fn = run_smb1_truncated_sesssetup, --- -2.41.0 - - -From fbd7c2a5912e21a2b514624ed886a77e2f4c65fd Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 25 Jul 2023 17:54:41 -0700 -Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that - crashes on bad pipenames. - -We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). - -Remove knowfail. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 - -Signed-off-by: Jeremy Allison ---- - selftest/knownfail.d/badpipename | 1 - - source3/rpc_client/local_np.c | 5 ----- - 2 files changed, 6 deletions(-) - delete mode 100644 selftest/knownfail.d/badpipename - -diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename -deleted file mode 100644 -index e69715f863d..00000000000 ---- a/selftest/knownfail.d/badpipename -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) -diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c -index 95228d5d801..791ded99a47 100644 ---- a/source3/rpc_client/local_np.c -+++ b/source3/rpc_client/local_np.c -@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send( - { - DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", - lower_case_pipename); -- /* -- * For now, panic the server until we have -- * the test code in place. -- */ -- SMB_ASSERT(false); - tevent_req_error(req, ENOENT); - return tevent_req_post(req, ev); - } --- -2.41.0 - diff --git a/SOURCES/CVE-2023-4091-truncate-4.18.patch b/SOURCES/CVE-2023-4091-truncate-4.18.patch deleted file mode 100644 index 8b4b2cc..0000000 --- a/SOURCES/CVE-2023-4091-truncate-4.18.patch +++ /dev/null @@ -1,240 +0,0 @@ -From a4a3868fda277ddf0f174b77a859c33e4c339538 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 1 Aug 2023 12:30:00 +0200 -Subject: [PATCH 1/2] CVE-2023-4091: smbtorture: test overwrite dispositions on - read-only file - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 - -Signed-off-by: Ralph Boehme ---- - selftest/knownfail.d/samba3.smb2.acls | 1 + - source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++ - 2 files changed, 144 insertions(+) - create mode 100644 selftest/knownfail.d/samba3.smb2.acls - -diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls -new file mode 100644 -index 000000000000..18df260c0e50 ---- /dev/null -+++ b/selftest/knownfail.d/samba3.smb2.acls -@@ -0,0 +1 @@ -+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE -diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c -index a27d4e079e67..5a892d004ea8 100644 ---- a/source4/torture/smb2/acls.c -+++ b/source4/torture/smb2/acls.c -@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx, - return ret; - } - -+static bool test_overwrite_read_only_file(struct torture_context *tctx, -+ struct smb2_tree *tree) -+{ -+ NTSTATUS status; -+ struct smb2_create c; -+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt"; -+ struct smb2_handle handle = {{0}}; -+ union smb_fileinfo q; -+ union smb_setfileinfo set; -+ struct security_descriptor *sd = NULL, *sd_orig = NULL; -+ const char *owner_sid = NULL; -+ int i; -+ bool ret = true; -+ -+ struct tcase { -+ int disposition; -+ const char *disposition_string; -+ NTSTATUS expected_status; -+ } tcases[] = { -+#define TCASE(d, s) { \ -+ .disposition = d, \ -+ .disposition_string = #d, \ -+ .expected_status = s, \ -+ } -+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK), -+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED), -+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED), -+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED), -+ }; -+#undef TCASE -+ -+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR); -+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok"); -+ -+ c = (struct smb2_create) { -+ .in.desired_access = SEC_STD_READ_CONTROL | -+ SEC_STD_WRITE_DAC | -+ SEC_STD_WRITE_OWNER, -+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, -+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ | -+ NTCREATEX_SHARE_ACCESS_WRITE, -+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, -+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, -+ .in.fname = fname, -+ }; -+ -+ status = smb2_create(tree, tctx, &c); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "smb2_create failed\n"); -+ handle = c.out.file.handle; -+ -+ torture_comment(tctx, "get the original sd\n"); -+ -+ ZERO_STRUCT(q); -+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; -+ q.query_secdesc.in.file.handle = handle; -+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; -+ -+ status = smb2_getinfo_file(tree, tctx, &q); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "smb2_getinfo_file failed\n"); -+ sd_orig = q.query_secdesc.out.sd; -+ -+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); -+ -+ sd = security_descriptor_dacl_create(tctx, -+ 0, NULL, NULL, -+ owner_sid, -+ SEC_ACE_TYPE_ACCESS_ALLOWED, -+ SEC_FILE_READ_DATA, -+ 0, -+ NULL); -+ -+ ZERO_STRUCT(set); -+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; -+ set.set_secdesc.in.file.handle = handle; -+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; -+ set.set_secdesc.in.sd = sd; -+ -+ status = smb2_setinfo_file(tree, &set); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "smb2_setinfo_file failed\n"); -+ -+ smb2_util_close(tree, handle); -+ ZERO_STRUCT(handle); -+ -+ for (i = 0; i < ARRAY_SIZE(tcases); i++) { -+ torture_comment(tctx, "Verify open with %s dispostion\n", -+ tcases[i].disposition_string); -+ -+ c = (struct smb2_create) { -+ .in.create_disposition = tcases[i].disposition, -+ .in.desired_access = SEC_FILE_READ_DATA, -+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, -+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, -+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, -+ .in.fname = fname, -+ }; -+ -+ status = smb2_create(tree, tctx, &c); -+ smb2_util_close(tree, c.out.file.handle); -+ torture_assert_ntstatus_equal_goto( -+ tctx, status, tcases[i].expected_status, ret, done, -+ "smb2_create failed\n"); -+ }; -+ -+ torture_comment(tctx, "put back original sd\n"); -+ -+ c = (struct smb2_create) { -+ .in.desired_access = SEC_STD_WRITE_DAC, -+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, -+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, -+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, -+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, -+ .in.fname = fname, -+ }; -+ -+ status = smb2_create(tree, tctx, &c); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "smb2_create failed\n"); -+ handle = c.out.file.handle; -+ -+ ZERO_STRUCT(set); -+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; -+ set.set_secdesc.in.file.handle = handle; -+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; -+ set.set_secdesc.in.sd = sd_orig; -+ -+ status = smb2_setinfo_file(tree, &set); -+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, -+ "smb2_setinfo_file failed\n"); -+ -+ smb2_util_close(tree, handle); -+ ZERO_STRUCT(handle); -+ -+done: -+ smb2_util_close(tree, handle); -+ smb2_util_unlink(tree, fname); -+ smb2_deltree(tree, BASEDIR); -+ return ret; -+} -+ - /* - basic testing of SMB2 ACLs - */ -@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) - test_deny1); - torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", - test_mxac_not_granted); -+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file); - - suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); - --- -2.41.0 - - -From 5b5e2b1714e4a242b1cea44deff1f380620872c9 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 1 Aug 2023 13:04:36 +0200 -Subject: [PATCH 2/2] CVE-2023-4091: smbd: use open_access_mask for access - check in open_file() - -If the client requested FILE_OVERWRITE[_IF], we're implicitly adding -FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the -access check we're using access_mask which doesn't contain the additional -right, which means we can end up truncating a file for which the user has -only read-only access via an SD. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 - -Signed-off-by: Ralph Boehme ---- - selftest/knownfail.d/samba3.smb2.acls | 1 - - source3/smbd/open.c | 4 ++-- - 2 files changed, 2 insertions(+), 3 deletions(-) - delete mode 100644 selftest/knownfail.d/samba3.smb2.acls - -diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls -deleted file mode 100644 -index 18df260c0e50..000000000000 ---- a/selftest/knownfail.d/samba3.smb2.acls -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE -diff --git a/source3/smbd/open.c b/source3/smbd/open.c -index 94f50becb247..0c9ddfe7c948 100644 ---- a/source3/smbd/open.c -+++ b/source3/smbd/open.c -@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req, - dirfsp, - fsp, - false, -- access_mask); -+ open_access_mask); - - if (!NT_STATUS_IS_OK(status)) { - DBG_DEBUG("smbd_check_access_rights_fsp" -@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req, - status = smbd_check_access_rights_fsp(dirfsp, - fsp, - false, -- access_mask); -+ open_access_mask); - - if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && - posix_open && --- -2.41.0 - diff --git a/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch b/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch deleted file mode 100644 index 7f8b80c..0000000 --- a/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch +++ /dev/null @@ -1,124 +0,0 @@ -From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 12 Sep 2023 18:59:44 +1200 -Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by - default - -The rpcecho server is useful in development and testing, but should never -have been allowed into production, as it includes the facility to -do a blocking sleep() in the single-threaded rpc worker. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 - -Signed-off-by: Andrew Bartlett ---- - docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- - lib/param/loadparm.c | 2 +- - selftest/target/Samba4.pm | 2 +- - source3/param/loadparm.c | 2 +- - source4/rpc_server/wscript_build | 3 ++- - 5 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml -index 8a217cc7f11..c6642b795fd 100644 ---- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml -+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml -@@ -6,6 +6,6 @@ - Specifies which DCE/RPC endpoint servers should be run. - - --epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver -+epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver - rpcecho - -diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c -index 16cb0d47f31..83b05260e09 100644 ---- a/lib/param/loadparm.c -+++ b/lib/param/loadparm.c -@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) - lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); - lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); - -- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); -+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); - lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); - lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); - /* the winbind method for domain controllers is for both RODC -diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm -index d15156a538b..5687d2a8587 100755 ---- a/selftest/target/Samba4.pm -+++ b/selftest/target/Samba4.pm -@@ -783,7 +783,7 @@ sub provision_raw_step1($$) - wins support = yes - server role = $ctx->{server_role} - server services = +echo $services -- dcerpc endpoint servers = +winreg +srvsvc -+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho - notify:inotify = false - ldb:nosync = true - ldap server require strong auth = yes -diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c -index 12718ced9e7..e33751a27e3 100644 ---- a/source3/param/loadparm.c -+++ b/source3/param/loadparm.c -@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) - - Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); - -- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); -+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); - - Globals.tls_enabled = true; - Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; -diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build -index 0e44a3c2bae..31ec4f60c9a 100644 ---- a/source4/rpc_server/wscript_build -+++ b/source4/rpc_server/wscript_build -@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', - source='echo/rpc_echo.c', - subsystem='dcerpc_server', - init_function='dcerpc_server_rpcecho_init', -- deps='ndr-standard events' -+ deps='ndr-standard events', -+ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') - ) - - --- -2.25.1 - - -From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001 -From: Andrew Bartlett -Date: Tue, 12 Sep 2023 19:01:03 +1200 -Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for - consistency with the AD DC - -The rpcecho server in source3 does have samba the sleep() feature that -the s4 version has, but the task architecture is different, so there -is not the same impact. Hoever equally this is not something that -should be enabled on production builds of Samba, so restrict to -selftest builds. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 - -Signed-off-by: Andrew Bartlett ---- - source3/rpc_server/wscript_build | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build -index 341df41a321..5ed81283395 100644 ---- a/source3/rpc_server/wscript_build -+++ b/source3/rpc_server/wscript_build -@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho', - RPC_WORKER - RPC_RPCECHO - ''', -+ for_selftest=True, - install_path='${SAMBA_LIBEXECDIR}') - - bld.SAMBA3_BINARY('rpcd_classic', --- -2.25.1 - diff --git a/SOURCES/samba-4.18-fix-nss-winbind-memory-corruption.patch b/SOURCES/samba-4.18-fix-nss-winbind-memory-corruption.patch deleted file mode 100644 index d39c454..0000000 --- a/SOURCES/samba-4.18-fix-nss-winbind-memory-corruption.patch +++ /dev/null @@ -1,614 +0,0 @@ -From ced40c5a805dcfb06d5f3d68aa45a0aaa44bfdca Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Sep 2023 13:57:26 +0200 -Subject: [PATCH 1/5] nsswitch: add test for pthread_key_delete missuse (bug - 15464) - -This is based on https://bugzilla.samba.org/attachment.cgi?id=18081 -written by Krzysztof Piotr Oledzki - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison -(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76) ---- - nsswitch/b15464-testcase.c | 77 +++++++++++++++++++++++++++ - nsswitch/wscript_build | 5 ++ - selftest/knownfail.d/b15464_testcase | 1 + - source3/selftest/tests.py | 6 +++ - testprogs/blackbox/b15464-testcase.sh | 21 ++++++++ - 5 files changed, 110 insertions(+) - create mode 100644 nsswitch/b15464-testcase.c - create mode 100644 selftest/knownfail.d/b15464_testcase - create mode 100755 testprogs/blackbox/b15464-testcase.sh - -diff --git a/nsswitch/b15464-testcase.c b/nsswitch/b15464-testcase.c -new file mode 100644 -index 000000000000..decb474a81ee ---- /dev/null -+++ b/nsswitch/b15464-testcase.c -@@ -0,0 +1,77 @@ -+#include "replace.h" -+#include "system/wait.h" -+#include "system/threads.h" -+#include -+ -+int main(int argc, const char *argv[]) -+{ -+ pid_t pid; -+ int wstatus; -+ pthread_key_t k1; -+ pthread_key_t k2; -+ pthread_key_t k3; -+ char *val = NULL; -+ const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2"); -+ void *nss_winbind_handle = NULL; -+ union { -+ int (*fn)(void); -+ void *symbol; -+ } nss_winbind_endpwent = { .symbol = NULL, }; -+ -+ /* -+ * load and invoke something simple like -+ * _nss_winbind_endpwent in order to -+ * get the libnss_winbind internal going -+ */ -+ nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW); -+ printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n", -+ getpid(), nss_winbind, nss_winbind_handle); -+ assert(nss_winbind_handle != NULL); -+ -+ nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle, -+ "_nss_winbind_endpwent"); -+ printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n", -+ getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol); -+ assert(nss_winbind_endpwent.symbol != NULL); -+ (void)nss_winbind_endpwent.fn(); -+ -+ val = malloc(1); -+ assert(val != NULL); -+ -+ pthread_key_create(&k1, NULL); -+ pthread_setspecific(k1, val); -+ printf("%d: k1=%d\n", getpid(), k1); -+ -+ pid = fork(); -+ if (pid) { -+ free(val); -+ wait(&wstatus); -+ return WEXITSTATUS(wstatus); -+ } -+ -+ pthread_key_create(&k2, NULL); -+ pthread_setspecific(k2, val); -+ -+ printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2); -+ -+ pid = fork(); -+ -+ if (pid) { -+ free(val); -+ wait(&wstatus); -+ return WEXITSTATUS(wstatus); -+ } -+ -+ pthread_key_create(&k3, NULL); -+ pthread_setspecific(k3, val); -+ -+ printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3); -+ -+ if (k1 == k2 || k2 == k3) { -+ printf("%d: FAIL inconsistent keys\n", getpid()); -+ return 1; -+ } -+ -+ printf("%d: OK consistent keys\n", getpid()); -+ return 0; -+} -diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build -index 3247b6c2b7c3..4e62bb4c9461 100644 ---- a/nsswitch/wscript_build -+++ b/nsswitch/wscript_build -@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'): - deps='wbclient pthread', - for_selftest=True - ) -+ bld.SAMBA_BINARY('b15464-testcase', -+ source='b15464-testcase.c', -+ deps='replace pthread dl', -+ for_selftest=True -+ ) - - # The nss_wrapper code relies strictly on the linux implementation and - # name, so compile but do not install a copy under this name. -diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase -new file mode 100644 -index 000000000000..94dd7db7c2a5 ---- /dev/null -+++ b/selftest/knownfail.d/b15464_testcase -@@ -0,0 +1 @@ -+^b15464_testcase.run.b15464-testcase -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index 0c834ed48b5e..ea17ead3eda7 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -67,6 +67,8 @@ except KeyError: - samba4bindir = bindir() - config_h = os.path.join(samba4bindir, "default/include/config.h") - -+bbdir = os.path.join(srcdir(), "testprogs/blackbox") -+ - # check available features - config_hash = dict() - f = open(config_h, 'r') -@@ -936,6 +938,10 @@ if with_pthreadpool: - [os.path.join(samba3srcdir, - "script/tests/test_libwbclient_threads.sh"), - "$DOMAIN", "$DC_USERNAME"]) -+ plantestsuite("b15464_testcase", "none", -+ [os.path.join(bbdir, "b15464-testcase.sh"), -+ binpath("b15464-testcase"), -+ binpath("plugins/libnss_winbind.so.2")]) - - plantestsuite("samba3.test_nfs4_acl", "none", - [os.path.join(bindir(), "test_nfs4_acls"), -diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh -new file mode 100755 -index 000000000000..b0c88260d4cc ---- /dev/null -+++ b/testprogs/blackbox/b15464-testcase.sh -@@ -0,0 +1,21 @@ -+#!/bin/sh -+# Blackbox wrapper for bug 15464 -+# Copyright (C) 2023 Stefan Metzmacher -+ -+if [ $# -lt 2 ]; then -+ cat < -Date: Thu, 7 Sep 2023 16:02:32 +0200 -Subject: [PATCH 2/5] nsswitch/wb_common.c: fix build without HAVE_PTHREAD - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison -(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f) ---- - nsswitch/wb_common.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c -index d569e761ebe4..c382a44c1209 100644 ---- a/nsswitch/wb_common.c -+++ b/nsswitch/wb_common.c -@@ -104,7 +104,6 @@ static void wb_thread_ctx_initialize(void) - wb_thread_ctx_destructor); - assert(ret == 0); - } --#endif - - static struct winbindd_context *get_wb_thread_ctx(void) - { -@@ -139,6 +138,7 @@ static struct winbindd_context *get_wb_thread_ctx(void) - } - return ctx; - } -+#endif /* HAVE_PTHREAD */ - - static struct winbindd_context *get_wb_global_ctx(void) - { --- -2.34.1 - - -From d1f43cd4cc6aeb2ac9fcaee9aa512012ca92ecb3 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Sep 2023 09:53:42 +0200 -Subject: [PATCH 3/5] nsswitch/wb_common.c: winbind_destructor can always use - get_wb_global_ctx() - -The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all -required magic. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison -(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8) ---- - nsswitch/wb_common.c | 6 +----- - 1 file changed, 1 insertion(+), 5 deletions(-) - -diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c -index c382a44c1209..d56e48d9bdb8 100644 ---- a/nsswitch/wb_common.c -+++ b/nsswitch/wb_common.c -@@ -246,14 +246,10 @@ static void winbind_destructor(void) - return; - } - --#ifdef HAVE_PTHREAD_H -- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key); -+ ctx = get_wb_global_ctx(); - if (ctx == NULL) { - return; - } --#else -- ctx = get_wb_global_ctx(); --#endif - - winbind_close_sock(ctx); - } --- -2.34.1 - - -From 6e29ea5b9efe5cf166cc9d633c1dc4eb8f192736 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 8 Sep 2023 09:56:47 +0200 -Subject: [PATCH 4/5] nsswitch/wb_common.c: don't operate on a stale - wb_global_ctx.key - -If nss_winbind is loaded into a process that uses fork multiple times -without any further calls into nss_winbind, wb_atfork_child handler -was using a wb_global_ctx.key that was no longer registered in the -pthread library, so we operated on a slot that was potentially -reused by other libraries or the main application. Which is likely -to cause memory corruption. - -So we better don't call pthread_key_delete() in wb_atfork_child(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 - -Reported-by: Krzysztof Piotr Oledzki -Tested-by: Krzysztof Piotr Oledzki -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison -(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9) ---- - nsswitch/wb_common.c | 5 ----- - selftest/knownfail.d/b15464_testcase | 1 - - 2 files changed, 6 deletions(-) - delete mode 100644 selftest/knownfail.d/b15464_testcase - -diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c -index d56e48d9bdb8..38f9f334016b 100644 ---- a/nsswitch/wb_common.c -+++ b/nsswitch/wb_common.c -@@ -76,11 +76,6 @@ static void wb_atfork_child(void) - - winbind_close_sock(ctx); - free(ctx); -- -- ret = pthread_key_delete(wb_global_ctx.key); -- assert(ret == 0); -- -- wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT; - } - - static void wb_thread_ctx_destructor(void *p) -diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase -deleted file mode 100644 -index 94dd7db7c2a5..000000000000 ---- a/selftest/knownfail.d/b15464_testcase -+++ /dev/null -@@ -1 +0,0 @@ --^b15464_testcase.run.b15464-testcase --- -2.34.1 - - -From 61ca2c66e0a3c837f2c542b8d9321a8d8cd03382 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 7 Sep 2023 15:59:59 +0200 -Subject: [PATCH 5/5] nsswitch/wb_common.c: fix socket fd and memory leaks of - global state - -When we are called in wb_atfork_child() or winbind_destructor(), -wb_thread_ctx_destructor() is not called for the global state -of the current nor any other thread, which means we would -leak the related memory and socket fds. - -Now we maintain a global list protected by a global mutex. -We traverse the list and close all socket fds, which are no -longer used (winbind_destructor) or no longer valid in the -current process (wb_atfork_child), in addition we 'autofree' -the ones, which are only visible internally as global (per thread) -context. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464 - -Tested-by: Krzysztof Piotr Oledzki -Signed-off-by: Stefan Metzmacher -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224 - -(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5) ---- - nsswitch/wb_common.c | 143 ++++++++++++++++++++++++++++++++++--------- - 1 file changed, 113 insertions(+), 30 deletions(-) - -diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c -index 38f9f334016b..b7f84435a4ee 100644 ---- a/nsswitch/wb_common.c -+++ b/nsswitch/wb_common.c -@@ -26,6 +26,7 @@ - #include "replace.h" - #include "system/select.h" - #include "winbind_client.h" -+#include "lib/util/dlinklist.h" - #include - - #ifdef HAVE_PTHREAD_H -@@ -37,67 +38,112 @@ static __thread char client_name[32]; - /* Global context */ - - struct winbindd_context { -+ struct winbindd_context *prev, *next; - int winbindd_fd; /* winbind file descriptor */ - bool is_privileged; /* using the privileged socket? */ - pid_t our_pid; /* calling process pid */ -+ bool autofree; /* this is a thread global context */ - }; - - static struct wb_global_ctx { -- bool initialized; - #ifdef HAVE_PTHREAD - pthread_once_t control; - pthread_key_t key; -+ bool key_initialized; -+#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP -+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP - #else -- bool dummy; -+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER - #endif -+#define WB_GLOBAL_LIST_LOCK do { \ -+ int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \ -+ assert(__pret == 0); \ -+} while(0) -+#define WB_GLOBAL_LIST_UNLOCK do { \ -+ int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \ -+ assert(__pret == 0); \ -+} while(0) -+ pthread_mutex_t list_mutex; -+#else /* => not HAVE_PTHREAD */ -+#define WB_GLOBAL_LIST_LOCK do { } while(0) -+#define WB_GLOBAL_LIST_UNLOCK do { } while(0) -+#endif /* not HAVE_PTHREAD */ -+ struct winbindd_context *list; - } wb_global_ctx = { - #ifdef HAVE_PTHREAD - .control = PTHREAD_ONCE_INIT, -+ .list_mutex = WB_GLOBAL_MUTEX_INITIALIZER, - #endif -+ .list = NULL, - }; - - static void winbind_close_sock(struct winbindd_context *ctx); -+static void winbind_ctx_free_locked(struct winbindd_context *ctx); -+static void winbind_cleanup_list(void); - - #ifdef HAVE_PTHREAD - static void wb_thread_ctx_initialize(void); - -+static void wb_atfork_prepare(void) -+{ -+ WB_GLOBAL_LIST_LOCK; -+} -+ -+static void wb_atfork_parent(void) -+{ -+ WB_GLOBAL_LIST_UNLOCK; -+} -+ - static void wb_atfork_child(void) - { -- struct winbindd_context *ctx = NULL; -- int ret; -+ wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER; - -- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key); -- if (ctx == NULL) { -- return; -- } -+ if (wb_global_ctx.key_initialized) { -+ int ret; - -- ret = pthread_setspecific(wb_global_ctx.key, NULL); -- assert(ret == 0); -+ /* -+ * After a fork the child still believes -+ * it is the same thread as in the parent. -+ * So pthread_getspecific() would return the -+ * value of the thread that called fork(). -+ * -+ * But we don't want that behavior, so -+ * we just clear the reference and let -+ * winbind_cleanup_list() below 'autofree' -+ * the parent threads global context. -+ */ -+ ret = pthread_setspecific(wb_global_ctx.key, NULL); -+ assert(ret == 0); -+ } - -- winbind_close_sock(ctx); -- free(ctx); -+ /* -+ * But we need to close/cleanup the global state -+ * of the parents threads. -+ */ -+ winbind_cleanup_list(); - } - - static void wb_thread_ctx_destructor(void *p) - { - struct winbindd_context *ctx = (struct winbindd_context *)p; - -- winbind_close_sock(ctx); -- free(ctx); -+ winbindd_ctx_free(ctx); - } - - static void wb_thread_ctx_initialize(void) - { - int ret; - -- ret = pthread_atfork(NULL, -- NULL, -+ ret = pthread_atfork(wb_atfork_prepare, -+ wb_atfork_parent, - wb_atfork_child); - assert(ret == 0); - - ret = pthread_key_create(&wb_global_ctx.key, - wb_thread_ctx_destructor); - assert(ret == 0); -+ -+ wb_global_ctx.key_initialized = true; - } - - static struct winbindd_context *get_wb_thread_ctx(void) -@@ -123,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void) - *ctx = (struct winbindd_context) { - .winbindd_fd = -1, - .is_privileged = false, -- .our_pid = 0 -+ .our_pid = 0, -+ .autofree = true, - }; - -+ WB_GLOBAL_LIST_LOCK; -+ DLIST_ADD_END(wb_global_ctx.list, ctx); -+ WB_GLOBAL_LIST_UNLOCK; -+ - ret = pthread_setspecific(wb_global_ctx.key, ctx); - if (ret != 0) { - free(ctx); -@@ -142,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void) - static struct winbindd_context _ctx = { - .winbindd_fd = -1, - .is_privileged = false, -- .our_pid = 0 -+ .our_pid = 0, -+ .autofree = false, - }; - #endif - -@@ -150,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void) - ctx = get_wb_thread_ctx(); - #else - ctx = &_ctx; -+ if (ctx->prev == NULL && ctx->next == NULL) { -+ DLIST_ADD_END(wb_global_ctx.list, ctx); -+ } - #endif - -- wb_global_ctx.initialized = true; - return ctx; - } - -@@ -226,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx) - } - } - -+static void winbind_ctx_free_locked(struct winbindd_context *ctx) -+{ -+ winbind_close_sock(ctx); -+ DLIST_REMOVE(wb_global_ctx.list, ctx); -+ free(ctx); -+} -+ -+static void winbind_cleanup_list(void) -+{ -+ struct winbindd_context *ctx = NULL, *next = NULL; -+ -+ WB_GLOBAL_LIST_LOCK; -+ for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) { -+ next = ctx->next; -+ -+ if (ctx->autofree) { -+ winbind_ctx_free_locked(ctx); -+ } else { -+ winbind_close_sock(ctx); -+ } -+ } -+ WB_GLOBAL_LIST_UNLOCK; -+} -+ - /* Destructor for global context to ensure fd is closed */ - - #ifdef HAVE_DESTRUCTOR_ATTRIBUTE -@@ -235,18 +313,18 @@ __attribute__((destructor)) - #endif - static void winbind_destructor(void) - { -- struct winbindd_context *ctx; -- -- if (!wb_global_ctx.initialized) { -- return; -+#ifdef HAVE_PTHREAD -+ if (wb_global_ctx.key_initialized) { -+ int ret; -+ ret = pthread_key_delete(wb_global_ctx.key); -+ assert(ret == 0); -+ wb_global_ctx.key_initialized = false; - } - -- ctx = get_wb_global_ctx(); -- if (ctx == NULL) { -- return; -- } -+ wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT; -+#endif /* HAVE_PTHREAD */ - -- winbind_close_sock(ctx); -+ winbind_cleanup_list(); - } - - #define CONNECT_TIMEOUT 30 -@@ -928,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void) - - ctx->winbindd_fd = -1; - -+ WB_GLOBAL_LIST_LOCK; -+ DLIST_ADD_END(wb_global_ctx.list, ctx); -+ WB_GLOBAL_LIST_UNLOCK; -+ - return ctx; - } - - void winbindd_ctx_free(struct winbindd_context *ctx) - { -- winbind_close_sock(ctx); -- free(ctx); -+ WB_GLOBAL_LIST_LOCK; -+ winbind_ctx_free_locked(ctx); -+ WB_GLOBAL_LIST_UNLOCK; - } --- -2.34.1 - diff --git a/SOURCES/samba-4.18.6.tar.asc b/SOURCES/samba-4.18.6.tar.asc deleted file mode 100644 index 7a910c3..0000000 --- a/SOURCES/samba-4.18.6.tar.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA -tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn -LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ -YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU -lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r -qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd -DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE -bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB -61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs -b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG -XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE -JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM= -=GnJM ------END PGP SIGNATURE----- diff --git a/SOURCES/samba-4.19-redhat.patch b/SOURCES/samba-4.19-redhat.patch new file mode 100644 index 0000000..7ec74d1 --- /dev/null +++ b/SOURCES/samba-4.19-redhat.patch @@ -0,0 +1,1632 @@ +From 3c29fc78029e1274f931e171c9e04c19ad0182c1 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Thu, 17 Aug 2023 01:05:54 +0300 +Subject: [PATCH 01/25] gp: Support more global trust directories + +In addition to the SUSE global trust directory, add support for RHEL and +Debian-based distributions (including Ubuntu). + +To determine the correct directory to use, we iterate over the variants +and stop at the first which is a directory. + +In case none is found, fallback to the first option which will produce a +warning as it did previously. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit a1b285e485c0b5a8747499bdbbb9f3f4fc025b2f) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 312c8ddf467..1b90ab46e90 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -45,10 +45,12 @@ cert_wrap = b""" + -----BEGIN CERTIFICATE----- + %s + -----END CERTIFICATE-----""" +-global_trust_dir = '/etc/pki/trust/anchors' + endpoint_re = '(https|HTTPS)://(?P[a-zA-Z0-9.-]+)/ADPolicyProvider' + \ + '_CEP_(?P[a-zA-Z]+)/service.svc/CEP' + ++global_trust_dirs = ['/etc/pki/trust/anchors', # SUSE ++ '/etc/pki/ca-trust/source/anchors', # RHEL/Fedora ++ '/usr/local/share/ca-certificates'] # Debian/Ubuntu + + def octet_string_to_objectGUID(data): + """Convert an octet string to an objectGUID.""" +@@ -249,12 +251,20 @@ def getca(ca, url, trust_dir): + return root_certs + + ++def find_global_trust_dir(): ++ """Return the global trust dir using known paths from various Linux distros.""" ++ for trust_dir in global_trust_dirs: ++ if os.path.isdir(trust_dir): ++ return trust_dir ++ return global_trust_dirs[0] ++ + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + """Install the root certificate chain.""" + data = dict({'files': [], 'templates': []}, **ca) + url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] + root_certs = getca(ca, url, trust_dir) + data['files'].extend(root_certs) ++ global_trust_dir = find_global_trust_dir() + for src in root_certs: + # Symlink the certs to global trust dir + dst = os.path.join(global_trust_dir, os.path.basename(src)) +-- +2.41.0 + + +From 063606e8ec83a58972df47eb561ab267f8937ba4 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Thu, 17 Aug 2023 01:09:28 +0300 +Subject: [PATCH 02/25] gp: Support update-ca-trust helper + +This is used on RHEL/Fedora instead of update-ca-certificates. They +behave similarly so it's enough to change the command name. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit fa80d1d86439749c44e60cf9075e84dc9ed3c268) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 1b90ab46e90..cefdafa21b2 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -258,6 +258,10 @@ def find_global_trust_dir(): + return trust_dir + return global_trust_dirs[0] + ++def update_ca_command(): ++ """Return the command to update the CA trust store.""" ++ return which('update-ca-certificates') or which('update-ca-trust') ++ + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + """Install the root certificate chain.""" + data = dict({'files': [], 'templates': []}, **ca) +@@ -283,7 +287,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + # already exists. Ignore the FileExistsError. Preserve the + # existing symlink in the unapply data. + data['files'].append(dst) +- update = which('update-ca-certificates') ++ update = update_ca_command() + if update is not None: + Popen([update]).wait() + # Setup Certificate Auto Enrollment +-- +2.41.0 + + +From 3b548bf280ca59ef12a7af10a9131813067a850a Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Fri, 11 Aug 2023 18:46:42 +0300 +Subject: [PATCH 03/25] gp: Change root cert extension suffix + +On Ubuntu, certificates must end in '.crt' in order to be considered by +the `update-ca-certificates` helper. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit bce3a89204545dcab5fb39a712590f6e166f997b) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index cefdafa21b2..c562722906b 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -241,7 +241,8 @@ def getca(ca, url, trust_dir): + certs = load_der_pkcs7_certificates(r.content) + for i in range(0, len(certs)): + cert = certs[i].public_bytes(Encoding.PEM) +- dest = '%s.%d' % (root_cert, i) ++ filename, extension = root_cert.rsplit('.', 1) ++ dest = '%s.%d.%s' % (filename, i, extension) + with open(dest, 'wb') as w: + w.write(cert) + root_certs.append(dest) +-- +2.41.0 + + +From 7592ed5032836dc43f657f66607a0a4661edcdb4 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Fri, 18 Aug 2023 17:06:43 +0300 +Subject: [PATCH 04/25] gp: Test with binary content for certificate data + +This fails all GPO-related tests that call `gpupdate --rsop`. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit 1ef722cf66f9ec99f52939f1cfca031c5fe1ad70) +--- + python/samba/tests/gpo.py | 8 ++++---- + selftest/knownfail.d/gpo | 13 +++++++++++++ + 2 files changed, 17 insertions(+), 4 deletions(-) + create mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py +index e4b75cc62a4..963f873f755 100644 +--- a/python/samba/tests/gpo.py ++++ b/python/samba/tests/gpo.py +@@ -6783,14 +6783,14 @@ class GPOTests(tests.TestCase): + ldb.add({'dn': certa_dn, + 'objectClass': 'certificationAuthority', + 'authorityRevocationList': ['XXX'], +- 'cACertificate': 'XXX', ++ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', + 'certificateRevocationList': ['XXX'], + }) + # Write the dummy pKIEnrollmentService + enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) + ldb.add({'dn': enroll_dn, + 'objectClass': 'pKIEnrollmentService', +- 'cACertificate': 'XXXX', ++ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', + 'certificateTemplates': ['Machine'], + 'dNSHostName': hostname, + }) +@@ -7201,14 +7201,14 @@ class GPOTests(tests.TestCase): + ldb.add({'dn': certa_dn, + 'objectClass': 'certificationAuthority', + 'authorityRevocationList': ['XXX'], +- 'cACertificate': 'XXX', ++ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', + 'certificateRevocationList': ['XXX'], + }) + # Write the dummy pKIEnrollmentService + enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) + ldb.add({'dn': enroll_dn, + 'objectClass': 'pKIEnrollmentService', +- 'cACertificate': 'XXXX', ++ 'cACertificate': b'0\x82\x03u0\x82\x02]\xa0\x03\x02\x01\x02\x02\x10I', + 'certificateTemplates': ['Machine'], + 'dNSHostName': hostname, + }) +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +new file mode 100644 +index 00000000000..0aad59607c2 +--- /dev/null ++++ b/selftest/knownfail.d/gpo +@@ -0,0 +1,13 @@ ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From 7f7b235bda9e85c5ea330e52e734d1113a884571 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Wed, 16 Aug 2023 12:20:11 +0300 +Subject: [PATCH 05/25] gp: Convert CA certificates to base64 + +I don't know whether this applies universally, but in our case the +contents of `es['cACertificate'][0]` are binary, so cleanly converting +to a string fails with the following: + +'utf-8' codec can't decode byte 0x82 in position 1: invalid start byte + +We found a fix to be encoding the certificate to base64 when +constructing the CA list. + +Section 4.4.5.2 of MS-CAESO also suggests that the content of +`cACertificate` is binary (OCTET string). + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit 157335ee93eb866f9b6a47486a5668d6e76aced5) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 5 ++--- + selftest/knownfail.d/gpo | 13 ------------- + 2 files changed, 2 insertions(+), 16 deletions(-) + delete mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index c562722906b..c8b5368c16a 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -158,7 +158,7 @@ def fetch_certification_authorities(ldb): + for es in res: + data = { 'name': get_string(es['cn'][0]), + 'hostname': get_string(es['dNSHostName'][0]), +- 'cACertificate': get_string(es['cACertificate'][0]) ++ 'cACertificate': get_string(base64.b64encode(es['cACertificate'][0])) + } + result.append(data) + return result +@@ -176,8 +176,7 @@ def fetch_template_attrs(ldb, name, attrs=None): + return {'msPKI-Minimal-Key-Size': ['2048']} + + def format_root_cert(cert): +- cert = base64.b64encode(cert.encode()) +- return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert, 0, re.DOTALL) ++ return cert_wrap % re.sub(b"(.{64})", b"\\1\n", cert.encode(), 0, re.DOTALL) + + def find_cepces_submit(): + certmonger_dirs = [os.environ.get("PATH"), '/usr/lib/certmonger', +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +deleted file mode 100644 +index 0aad59607c2..00000000000 +--- a/selftest/knownfail.d/gpo ++++ /dev/null +@@ -1,13 +0,0 @@ +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_centrify_crontab_ext +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_user_scripts_ext +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_rsop +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_access +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_files +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_issue +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_motd +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_openssh +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_startup_scripts +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_sudoers +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_vgp_symlink +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From 49cc74015a603e80048a38fe635cd1ac28938ee4 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Fri, 18 Aug 2023 17:16:23 +0300 +Subject: [PATCH 06/25] gp: Test adding new cert templates enforces changes + +Ensure that cepces-submit reporting additional templates and re-applying +will enforce the updated policy. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit 2d6943a864405f324c467e8c3464c31ac08457b0) +--- + python/samba/tests/bin/cepces-submit | 3 +- + python/samba/tests/gpo.py | 48 ++++++++++++++++++++++++++++ + selftest/knownfail.d/gpo | 2 ++ + 3 files changed, 52 insertions(+), 1 deletion(-) + create mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit +index 668682a9f58..de63164692b 100755 +--- a/python/samba/tests/bin/cepces-submit ++++ b/python/samba/tests/bin/cepces-submit +@@ -14,4 +14,5 @@ if __name__ == "__main__": + assert opts.auth == 'Kerberos' + if 'CERTMONGER_OPERATION' in os.environ and \ + os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES': +- print('Machine') # Report a Machine template ++ templates = os.environ.get('CEPCES_SUBMIT_SUPPORTED_TEMPLATES', 'Machine').split(',') ++ print('\n'.join(templates)) # Report the requested templates +diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py +index 963f873f755..e75c411bde7 100644 +--- a/python/samba/tests/gpo.py ++++ b/python/samba/tests/gpo.py +@@ -6812,6 +6812,23 @@ class GPOTests(tests.TestCase): + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + ++ # Subsequent apply should react to new certificate templates ++ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' ++ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') ++ ext.process_group_policy([], gpos, dname, dname) ++ self.assertTrue(os.path.exists(ca_crt), ++ 'Root CA certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine key was not generated') ++ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca_cn) ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation certificate was not requested') ++ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca_cn) ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation key was not generated') ++ + # Verify RSOP does not fail + ext.rsop([g for g in gpos if g.name == guid][0]) + +@@ -6829,11 +6846,17 @@ class GPOTests(tests.TestCase): + 'Machine certificate was not removed') + self.assertFalse(os.path.exists(machine_crt), + 'Machine key was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation certificate was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation key was not removed') + out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() + self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') + out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() + self.assertNotIn(b'Machine', out, + 'Machine certificate not removed') ++ self.assertNotIn(b'Workstation', out, ++ 'Workstation certificate not removed') + + # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate + ldb.delete(certa_dn) +@@ -7233,6 +7256,25 @@ class GPOTests(tests.TestCase): + self.assertTrue(os.path.exists(machine_crt), + 'Machine key was not generated') + ++ # Subsequent apply should react to new certificate templates ++ os.environ['CEPCES_SUBMIT_SUPPORTED_TEMPLATES'] = 'Machine,Workstation' ++ self.addCleanup(os.environ.pop, 'CEPCES_SUBMIT_SUPPORTED_TEMPLATES') ++ ext.process_group_policy([], gpos, dname, dname) ++ for ca in ca_list: ++ self.assertTrue(os.path.exists(ca_crt), ++ 'Root CA certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine key was not generated') ++ ++ workstation_crt = os.path.join(dname, '%s.Workstation.crt' % ca) ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation certificate was not requested') ++ workstation_key = os.path.join(dname, '%s.Workstation.key' % ca) ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation key was not generated') ++ + # Verify RSOP does not fail + ext.rsop([g for g in gpos if g.name == guid][0]) + +@@ -7250,12 +7292,18 @@ class GPOTests(tests.TestCase): + 'Machine certificate was not removed') + self.assertFalse(os.path.exists(machine_crt), + 'Machine key was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation certificate was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation key was not removed') + out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() + for ca in ca_list: + self.assertNotIn(get_bytes(ca), out, 'CA was not removed') + out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() + self.assertNotIn(b'Machine', out, + 'Machine certificate not removed') ++ self.assertNotIn(b'Workstation', out, ++ 'Workstation certificate not removed') + + # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate + ldb.delete(certa_dn) +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +new file mode 100644 +index 00000000000..4edc1dce730 +--- /dev/null ++++ b/selftest/knownfail.d/gpo +@@ -0,0 +1,2 @@ ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From 4c0906bd79f030e591701234bc54bc749a42d686 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Wed, 16 Aug 2023 12:37:17 +0300 +Subject: [PATCH 07/25] gp: Template changes should invalidate cache + +If certificate templates are added or removed, the autoenroll extension +should react to this and reapply the policy. Previously this wasn't +taken into account. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit 2a6ae997f2464b12b72b5314fa80d9784fb0f6c1) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 15 ++++++++++----- + selftest/knownfail.d/gpo | 2 -- + 2 files changed, 10 insertions(+), 7 deletions(-) + delete mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index c8b5368c16a..8233713e8ad 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -262,6 +262,11 @@ def update_ca_command(): + """Return the command to update the CA trust store.""" + return which('update-ca-certificates') or which('update-ca-trust') + ++def changed(new_data, old_data): ++ """Return True if any key present in both dicts has changed.""" ++ return any((new_data[k] != old_data[k] if k in old_data else False) \ ++ for k in new_data.keys()) ++ + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + """Install the root certificate chain.""" + data = dict({'files': [], 'templates': []}, **ca) +@@ -351,12 +356,12 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): + # If the policy has changed, unapply, then apply new policy + old_val = self.cache_get_attribute_value(guid, attribute) + old_data = json.loads(old_val) if old_val is not None else {} +- if all([(ca[k] == old_data[k] if k in old_data else False) \ +- for k in ca.keys()]) or \ +- self.cache_get_apply_state() == GPOSTATE.ENFORCE: ++ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] ++ new_data = { 'templates': templates, **ca } ++ if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: + self.unapply(guid, attribute, old_val) +- # If policy is already applied, skip application +- if old_val is not None and \ ++ # If policy is already applied and unchanged, skip application ++ if old_val is not None and not changed(new_data, old_data) and \ + self.cache_get_apply_state() != GPOSTATE.ENFORCE: + return + +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +deleted file mode 100644 +index 4edc1dce730..00000000000 +--- a/selftest/knownfail.d/gpo ++++ /dev/null +@@ -1,2 +0,0 @@ +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_advanced_gp_cert_auto_enroll_ext +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From e61f30dc2518d5a1c239f090baea4a309307f3f8 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Fri, 18 Aug 2023 17:26:59 +0300 +Subject: [PATCH 08/25] gp: Test disabled enrollment unapplies policy + +For this we need to stage a Registry.pol file with certificate +autoenrollment enabled, but with checkboxes unticked. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder +(cherry picked from commit ee814f7707a8ddef2657212cd6d31799501b7bb3) +--- + python/samba/tests/gpo.py | 54 +++++++++++++++++++++++++++++++++++++++ + selftest/knownfail.d/gpo | 1 + + 2 files changed, 55 insertions(+) + create mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py +index e75c411bde7..580f3568de8 100644 +--- a/python/samba/tests/gpo.py ++++ b/python/samba/tests/gpo.py +@@ -281,6 +281,28 @@ b""" + + """ + ++auto_enroll_unchecked_reg_pol = \ ++b""" ++ ++ ++ ++ Software\Policies\Microsoft\Cryptography\AutoEnrollment ++ AEPolicy ++ 0 ++ ++ ++ Software\Policies\Microsoft\Cryptography\AutoEnrollment ++ OfflineExpirationPercent ++ 10 ++ ++ ++ Software\Policies\Microsoft\Cryptography\AutoEnrollment ++ OfflineExpirationStoreNames ++ MY ++ ++ ++""" ++ + advanced_enroll_reg_pol = \ + b""" + +@@ -6836,6 +6858,38 @@ class GPOTests(tests.TestCase): + ret = rsop(self.lp) + self.assertEqual(ret, 0, 'gpupdate --rsop failed!') + ++ # Remove policy by staging pol file with auto-enroll unchecked ++ parser.load_xml(etree.fromstring(auto_enroll_unchecked_reg_pol.strip())) ++ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) ++ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) ++ ext.process_group_policy([], gpos, dname, dname) ++ self.assertFalse(os.path.exists(ca_crt), ++ 'Root CA certificate was not removed') ++ self.assertFalse(os.path.exists(machine_crt), ++ 'Machine certificate was not removed') ++ self.assertFalse(os.path.exists(machine_crt), ++ 'Machine key was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation certificate was not removed') ++ self.assertFalse(os.path.exists(workstation_crt), ++ 'Workstation key was not removed') ++ ++ # Reapply policy by staging the enabled pol file ++ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) ++ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) ++ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) ++ ext.process_group_policy([], gpos, dname, dname) ++ self.assertTrue(os.path.exists(ca_crt), ++ 'Root CA certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine certificate was not requested') ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine key was not generated') ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation certificate was not requested') ++ self.assertTrue(os.path.exists(workstation_crt), ++ 'Workstation key was not generated') ++ + # Remove policy + gp_db = store.get_gplog(machine_creds.get_username()) + del_gpos = get_deleted_gpos_list(gp_db, []) +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +new file mode 100644 +index 00000000000..83bc9f0ac1f +--- /dev/null ++++ b/selftest/knownfail.d/gpo +@@ -0,0 +1 @@ ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From 7757b9b48546d71e19798d1260da97780caa99c3 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Wed, 16 Aug 2023 12:33:59 +0300 +Subject: [PATCH 09/25] gp: Send list of keys instead of dict to remove + +`cache_get_all_attribute_values` returns a dict whereas we need to pass +a list of keys to `remove`. These will be interpolated in the gpdb search. + +Signed-off-by: Gabriel Nagy +Reviewed-by: Joseph Sutton +Reviewed-by: David Mulder + +Autobuild-User(master): Andrew Bartlett +Autobuild-Date(master): Mon Aug 28 03:01:22 UTC 2023 on atb-devel-224 + +(cherry picked from commit 7dc181757c76b881ceaf1915ebb0bfbcf5aca83a) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 2 +- + selftest/knownfail.d/gpo | 1 - + 2 files changed, 1 insertion(+), 2 deletions(-) + delete mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 8233713e8ad..64c35782ae8 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -415,7 +415,7 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): + # remove any existing policy + ca_attrs = \ + self.cache_get_all_attribute_values(gpo.name) +- self.clean(gpo.name, remove=ca_attrs) ++ self.clean(gpo.name, remove=list(ca_attrs.keys())) + + def __read_cep_data(self, guid, ldb, end_point_information, + trust_dir, private_dir): +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +deleted file mode 100644 +index 83bc9f0ac1f..00000000000 +--- a/selftest/knownfail.d/gpo ++++ /dev/null +@@ -1 +0,0 @@ +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext +-- +2.41.0 + + +From 4e9b2e6409c5764ec0e66cc6c90b08e70f702e7c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Tue, 9 Jan 2024 08:50:01 +0100 +Subject: [PATCH 10/25] python:gp: Print a nice message if cepces-submit can't + be found + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15552 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +(cherry picked from commit 8eb42425a8eb1b30ca0e94dfc01d8175ae5cde4b) + +Autobuild-User(v4-19-test): Jule Anger +Autobuild-Date(v4-19-test): Mon Jan 15 11:11:31 UTC 2024 on atb-devel-224 +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 24 ++++++++++++---------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 64c35782ae8..08d1a7348cd 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -185,17 +185,19 @@ def find_cepces_submit(): + + def get_supported_templates(server): + cepces_submit = find_cepces_submit() +- if os.path.exists(cepces_submit): +- env = os.environ +- env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' +- p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], +- env=env, stdout=PIPE, stderr=PIPE) +- out, err = p.communicate() +- if p.returncode != 0: +- data = { 'Error': err.decode() } +- log.error('Failed to fetch the list of supported templates.', data) +- return out.strip().split() +- return [] ++ if not cepces_submit or not os.path.exists(cepces_submit): ++ log.error('Failed to find cepces-submit') ++ return [] ++ ++ env = os.environ ++ env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES' ++ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'], ++ env=env, stdout=PIPE, stderr=PIPE) ++ out, err = p.communicate() ++ if p.returncode != 0: ++ data = {'Error': err.decode()} ++ log.error('Failed to fetch the list of supported templates.', data) ++ return out.strip().split() + + + def getca(ca, url, trust_dir): +-- +2.41.0 + + +From fb3aefff51c02cf8ba3f8dfeb7d3f971e8d4902a Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Mon, 8 Jan 2024 18:05:08 +0200 +Subject: [PATCH 11/25] gpo: Test certificate policy without NDES + +As of 8231eaf856b, the NDES feature is no longer required on Windows, as +cert auto-enroll can use the certificate from the LDAP request. + +However, 157335ee93e changed the implementation to convert the LDAP +certificate to base64 due to it failing to cleanly convert to a string. + +Because of insufficient test coverage I missed handling the part where +NDES is disabled or not reachable and the LDAP certificate was imported. +The call to load_der_x509_certificate now fails with an error because it +expects binary data, yet it receives a base64 encoded string. + +This adds a test to confirm the issue. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 + +Signed-off-by: Gabriel Nagy +Reviewed-by: David Mulder +Reviewed-by: Andreas Schneider +(cherry picked from commit 0d1ff69936f18ea729fc11fbbb1569a833302572) +--- + python/samba/tests/gpo.py | 126 ++++++++++++++++++++++++++++++++++++-- + selftest/knownfail.d/gpo | 1 + + 2 files changed, 121 insertions(+), 6 deletions(-) + create mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py +index 580f3568de8..a78af17dba4 100644 +--- a/python/samba/tests/gpo.py ++++ b/python/samba/tests/gpo.py +@@ -102,17 +102,21 @@ def dummy_certificate(): + + # Dummy requests structure for Certificate Auto Enrollment + class dummy_requests(object): +- @staticmethod +- def get(url=None, params=None): ++ class exceptions(object): ++ ConnectionError = Exception ++ ++ def __init__(self, want_exception=False): ++ self.want_exception = want_exception ++ ++ def get(self, url=None, params=None): ++ if self.want_exception: ++ raise self.exceptions.ConnectionError ++ + dummy = requests.Response() + dummy._content = dummy_certificate() + dummy.headers = {'Content-Type': 'application/x-x509-ca-cert'} + return dummy + +- class exceptions(object): +- ConnectionError = Exception +-cae.requests = dummy_requests +- + realm = os.environ.get('REALM') + policies = realm + '/POLICIES' + realm = realm.lower() +@@ -6764,6 +6768,114 @@ class GPOTests(tests.TestCase): + # Unstage the Registry.pol file + unstage_file(reg_pol) + ++ def test_gp_cert_auto_enroll_ext_without_ndes(self): ++ local_path = self.lp.cache_path('gpo_cache') ++ guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' ++ reg_pol = os.path.join(local_path, policies, guid, ++ 'MACHINE/REGISTRY.POL') ++ cache_dir = self.lp.get('cache directory') ++ store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) ++ ++ machine_creds = Credentials() ++ machine_creds.guess(self.lp) ++ machine_creds.set_machine_account() ++ ++ # Initialize the group policy extension ++ cae.requests = dummy_requests(want_exception=True) ++ ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, ++ machine_creds.get_username(), store) ++ ++ gpos = get_gpo_list(self.server, machine_creds, self.lp, ++ machine_creds.get_username()) ++ ++ # Stage the Registry.pol file with test data ++ parser = GPPolParser() ++ parser.load_xml(etree.fromstring(auto_enroll_reg_pol.strip())) ++ ret = stage_file(reg_pol, ndr_pack(parser.pol_file)) ++ self.assertTrue(ret, 'Could not create the target %s' % reg_pol) ++ ++ # Write the dummy CA entry, Enrollment Services, and Templates Entries ++ admin_creds = Credentials() ++ admin_creds.set_username(os.environ.get('DC_USERNAME')) ++ admin_creds.set_password(os.environ.get('DC_PASSWORD')) ++ admin_creds.set_realm(os.environ.get('REALM')) ++ hostname = get_dc_hostname(machine_creds, self.lp) ++ url = 'ldap://%s' % hostname ++ ldb = Ldb(url=url, session_info=system_session(), ++ lp=self.lp, credentials=admin_creds) ++ # Write the dummy CA ++ confdn = 'CN=Public Key Services,CN=Services,CN=Configuration,%s' % base_dn ++ ca_cn = '%s-CA' % hostname.replace('.', '-') ++ certa_dn = 'CN=%s,CN=Certification Authorities,%s' % (ca_cn, confdn) ++ ldb.add({'dn': certa_dn, ++ 'objectClass': 'certificationAuthority', ++ 'authorityRevocationList': ['XXX'], ++ 'cACertificate': dummy_certificate(), ++ 'certificateRevocationList': ['XXX'], ++ }) ++ # Write the dummy pKIEnrollmentService ++ enroll_dn = 'CN=%s,CN=Enrollment Services,%s' % (ca_cn, confdn) ++ ldb.add({'dn': enroll_dn, ++ 'objectClass': 'pKIEnrollmentService', ++ 'cACertificate': dummy_certificate(), ++ 'certificateTemplates': ['Machine'], ++ 'dNSHostName': hostname, ++ }) ++ # Write the dummy pKICertificateTemplate ++ template_dn = 'CN=Machine,CN=Certificate Templates,%s' % confdn ++ ldb.add({'dn': template_dn, ++ 'objectClass': 'pKICertificateTemplate', ++ }) ++ ++ with TemporaryDirectory() as dname: ++ try: ++ ext.process_group_policy([], gpos, dname, dname) ++ except Exception as e: ++ self.fail(str(e)) ++ ++ ca_crt = os.path.join(dname, '%s.crt' % ca_cn) ++ self.assertTrue(os.path.exists(ca_crt), ++ 'Root CA certificate was not requested') ++ machine_crt = os.path.join(dname, '%s.Machine.crt' % ca_cn) ++ self.assertTrue(os.path.exists(machine_crt), ++ 'Machine certificate was not requested') ++ machine_key = os.path.join(dname, '%s.Machine.key' % ca_cn) ++ self.assertTrue(os.path.exists(machine_key), ++ 'Machine key was not generated') ++ ++ # Verify RSOP does not fail ++ ext.rsop([g for g in gpos if g.name == guid][0]) ++ ++ # Check that a call to gpupdate --rsop also succeeds ++ ret = rsop(self.lp) ++ self.assertEqual(ret, 0, 'gpupdate --rsop failed!') ++ ++ # Remove policy ++ gp_db = store.get_gplog(machine_creds.get_username()) ++ del_gpos = get_deleted_gpos_list(gp_db, []) ++ ext.process_group_policy(del_gpos, [], dname) ++ self.assertFalse(os.path.exists(ca_crt), ++ 'Root CA certificate was not removed') ++ self.assertFalse(os.path.exists(machine_crt), ++ 'Machine certificate was not removed') ++ self.assertFalse(os.path.exists(machine_key), ++ 'Machine key was not removed') ++ out, _ = Popen(['getcert', 'list-cas'], stdout=PIPE).communicate() ++ self.assertNotIn(get_bytes(ca_cn), out, 'CA was not removed') ++ out, _ = Popen(['getcert', 'list'], stdout=PIPE).communicate() ++ self.assertNotIn(b'Machine', out, ++ 'Machine certificate not removed') ++ self.assertNotIn(b'Workstation', out, ++ 'Workstation certificate not removed') ++ ++ # Remove the dummy CA, pKIEnrollmentService, and pKICertificateTemplate ++ ldb.delete(certa_dn) ++ ldb.delete(enroll_dn) ++ ldb.delete(template_dn) ++ ++ # Unstage the Registry.pol file ++ unstage_file(reg_pol) ++ + def test_gp_cert_auto_enroll_ext(self): + local_path = self.lp.cache_path('gpo_cache') + guid = '{31B2F340-016D-11D2-945F-00C04FB984F9}' +@@ -6777,6 +6889,7 @@ class GPOTests(tests.TestCase): + machine_creds.set_machine_account() + + # Initialize the group policy extension ++ cae.requests = dummy_requests() + ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, + machine_creds.get_username(), store) + +@@ -7241,6 +7354,7 @@ class GPOTests(tests.TestCase): + machine_creds.set_machine_account() + + # Initialize the group policy extension ++ cae.requests = dummy_requests() + ext = cae.gp_cert_auto_enroll_ext(self.lp, machine_creds, + machine_creds.get_username(), store) + +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +new file mode 100644 +index 00000000000..f1e590bc7d8 +--- /dev/null ++++ b/selftest/knownfail.d/gpo +@@ -0,0 +1 @@ ++^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes +-- +2.41.0 + + +From 1a9af36177c7491687c75df151474bb10285f00e Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Thu, 18 Jan 2024 20:23:24 +0200 +Subject: [PATCH 12/25] gpo: Decode base64 root cert before importing + +The reasoning behind this is described in the previous commit message, +but essentially this should either be wrapped in certificate blocks and +imported as PEM, or converted back to binary and imported as DER. + +I've opted for the latter since it's how it used to work before it +regressed in 157335ee93e. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15557 + +Signed-off-by: Gabriel Nagy +Reviewed-by: David Mulder +Reviewed-by: Andreas Schneider +(cherry picked from commit 3f3ddfa699a33c2c8a59f7fb9ee044bb2a6e0e06) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 5 +++-- + selftest/knownfail.d/gpo | 1 - + 2 files changed, 3 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/gpo + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 08d1a7348cd..cd5e54f1110 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -217,10 +217,11 @@ def getca(ca, url, trust_dir): + ' installed or not configured.') + if 'cACertificate' in ca: + log.warn('Installing the server certificate only.') ++ der_certificate = base64.b64decode(ca['cACertificate']) + try: +- cert = load_der_x509_certificate(ca['cACertificate']) ++ cert = load_der_x509_certificate(der_certificate) + except TypeError: +- cert = load_der_x509_certificate(ca['cACertificate'], ++ cert = load_der_x509_certificate(der_certificate, + default_backend()) + cert_data = cert.public_bytes(Encoding.PEM) + with open(root_cert, 'wb') as w: +diff --git a/selftest/knownfail.d/gpo b/selftest/knownfail.d/gpo +deleted file mode 100644 +index f1e590bc7d8..00000000000 +--- a/selftest/knownfail.d/gpo ++++ /dev/null +@@ -1 +0,0 @@ +-^samba.tests.gpo.samba.tests.gpo.GPOTests.test_gp_cert_auto_enroll_ext_without_ndes +-- +2.41.0 + + +From f5fc88f9ae255f4dc135580f0fa4a02f5addc390 Mon Sep 17 00:00:00 2001 +From: Gabriel Nagy +Date: Fri, 19 Jan 2024 11:36:19 +0200 +Subject: [PATCH 13/25] gpo: Do not get templates list on first run + +This is a visual fix and has no impact on functionality apart from +cleaner log messages. + +The point of this is to get the list of supported templates in order to +compute a diff between the current applied templates and the updated +list, so we are able to unapply and reapply the policy in case there are +differences. + +However this code path is executed on first applies as well, at which +point the root CA is not yet set up. This causes the +`get_supported_templates` call to fail, which is not a hard failure but +still pollutes the logs. In this case it's safe to avoid executing the +command as the policy will be applied regardless. + +Signed-off-by: Gabriel Nagy +Reviewed-by: David Mulder +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Mon Jan 22 16:48:57 UTC 2024 on atb-devel-224 + +(cherry picked from commit 8579340fc540633c13c017d896034904a8dbd55c) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index cd5e54f1110..559c903e1a2 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -359,7 +359,8 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): + # If the policy has changed, unapply, then apply new policy + old_val = self.cache_get_attribute_value(guid, attribute) + old_data = json.loads(old_val) if old_val is not None else {} +- templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] ++ templates = ['%s.%s' % (ca['name'], t.decode()) for t in get_supported_templates(ca['hostname'])] \ ++ if old_val is not None else [] + new_data = { 'templates': templates, **ca } + if changed(new_data, old_data) or self.cache_get_apply_state() == GPOSTATE.ENFORCE: + self.unapply(guid, attribute, old_val) +-- +2.41.0 + + +From e8a6219181f2af87813b53fd09684650c1aa6f90 Mon Sep 17 00:00:00 2001 +From: David Mulder +Date: Fri, 5 Jan 2024 08:47:07 -0700 +Subject: [PATCH 14/25] gp: Skip site GP list if no site is found + +[MS-GPOL] 3.2.5.1.4 Site Search says if the site +search returns ERROR_NO_SITENAME, the GP site +search should be skipped. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15548 + +Signed-off-by: David Mulder +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Jan 23 11:20:35 UTC 2024 on atb-devel-224 + +(cherry picked from commit f05b61b4991e7f51bd184d76a79f8b50114a0ff3) +--- + python/samba/gp/gpclass.py | 30 ++++++++++++++++++------------ + 1 file changed, 18 insertions(+), 12 deletions(-) + +diff --git a/python/samba/gp/gpclass.py b/python/samba/gp/gpclass.py +index 617ef79350c..babd8f90748 100644 +--- a/python/samba/gp/gpclass.py ++++ b/python/samba/gp/gpclass.py +@@ -866,19 +866,25 @@ def get_gpo_list(dc_hostname, creds, lp, username): + + # (S)ite + if gpo_list_machine: +- site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) +- + try: +- log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) +- gp_link = get_gpo_link(samdb, site_dn) +- except ldb.LdbError as e: +- (enum, estr) = e.args +- log.debug(estr) +- else: +- add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, +- site_dn, gp_link, +- gpo.GP_LINK_SITE, +- add_only_forced_gpos, token) ++ site_dn = site_dn_for_machine(samdb, dc_hostname, lp, creds, username) ++ ++ try: ++ log.debug("get_gpo_list: query SITE: [%s] for GPOs" % site_dn) ++ gp_link = get_gpo_link(samdb, site_dn) ++ except ldb.LdbError as e: ++ (enum, estr) = e.args ++ log.debug(estr) ++ else: ++ add_gplink_to_gpo_list(samdb, gpo_list, forced_gpo_list, ++ site_dn, gp_link, ++ gpo.GP_LINK_SITE, ++ add_only_forced_gpos, token) ++ except ldb.LdbError: ++ # [MS-GPOL] 3.2.5.1.4 Site Search: If the method returns ++ # ERROR_NO_SITENAME, the remainder of this message MUST be skipped ++ # and the protocol sequence MUST continue at GPO Search ++ pass + + # (L)ocal + gpo_list.insert(0, gpo.GROUP_POLICY_OBJECT("Local Policy", +-- +2.41.0 + + +From d0d1a890d6f2466691fa4ee663232ee0bd1c3776 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 14:14:30 +0100 +Subject: [PATCH 15/25] python:gp: Avoid path check for cepces-submit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +find_cepces_submit() uses which(), which returns None if not found. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský +(cherry picked from commit 6a9630eff624643fd725219775784e68d967d04c) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 559c903e1a2..7325d5132cf 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -185,7 +185,7 @@ def find_cepces_submit(): + + def get_supported_templates(server): + cepces_submit = find_cepces_submit() +- if not cepces_submit or not os.path.exists(cepces_submit): ++ if not cepces_submit: + log.error('Failed to find cepces-submit') + return [] + +@@ -301,7 +301,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + # Setup Certificate Auto Enrollment + getcert = which('getcert') + cepces_submit = find_cepces_submit() +- if getcert is not None and os.path.exists(cepces_submit): ++ if getcert is not None and cepces_submit is not None: + p = Popen([getcert, 'add-ca', '-c', ca['name'], '-e', + '%s --server=%s --auth=%s' % (cepces_submit, + ca['hostname'], auth)], +-- +2.41.0 + + +From 7f6c9a4945635c6eb8ada2255bd0febbf0f4e540 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 14:07:47 +0100 +Subject: [PATCH 16/25] python:gp: Improve logging for certificate enrollment +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský +(cherry picked from commit 6d5507e05050690cd4c56f3f97f5fb7de0338b87) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 7325d5132cf..a25a9678587 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -274,6 +274,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + """Install the root certificate chain.""" + data = dict({'files': [], 'templates': []}, **ca) + url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] ++ ++ log.info("Try to get root or server certificates") ++ + root_certs = getca(ca, url, trust_dir) + data['files'].extend(root_certs) + global_trust_dir = find_global_trust_dir() +@@ -283,6 +286,7 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + try: + os.symlink(src, dst) + data['files'].append(dst) ++ log.info("Created symlink: %s -> %s" % (src, dst)) + except PermissionError: + log.warn('Failed to symlink root certificate to the' + ' admin trust anchors') +@@ -295,9 +299,14 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + # already exists. Ignore the FileExistsError. Preserve the + # existing symlink in the unapply data. + data['files'].append(dst) ++ + update = update_ca_command() ++ log.info("Running %s" % (update)) + if update is not None: +- Popen([update]).wait() ++ ret = Popen([update]).wait() ++ if ret != 0: ++ log.error('Failed to run %s' % (update)) ++ + # Setup Certificate Auto Enrollment + getcert = which('getcert') + cepces_submit = find_cepces_submit() +-- +2.41.0 + + +From 5321d5b5bd24d7659743576f2e12a7dc0a93a828 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 15:04:36 +0100 +Subject: [PATCH 17/25] python:gp: Do not print an error, if CA already exists +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will get an exit status for duplicate in future: +https://www.pagure.io/certmonger/issue/269 +We can't really fix that right now, as older version of certmonger +don't support the `-v` option. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský +(cherry picked from commit 728757cd1ff0465967fcbda100254c9312e87c93) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index a25a9678587..0b23cd688db 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -318,8 +318,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + out, err = p.communicate() + log.debug(out.decode()) + if p.returncode != 0: +- data = { 'Error': err.decode(), 'CA': ca['name'] } +- log.error('Failed to add Certificate Authority', data) ++ if p.returncode == 2: ++ log.info('The CA [%s] already exists' % ca['name']) ++ else: ++ data = {'Error': err.decode(), 'CA': ca['name']} ++ log.error('Failed to add Certificate Authority', data) ++ + supported_templates = get_supported_templates(ca['hostname']) + for template in supported_templates: + attrs = fetch_template_attrs(ldb, template) +-- +2.41.0 + + +From 6a7a8a4090b8cdb8e71f4ad590260ceeda253ce2 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 15:05:02 +0100 +Subject: [PATCH 18/25] python:gp: Do not print an error if template already + exists +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We will get an exit status for duplicate in future: +https://www.pagure.io/certmonger/issue/269 +We can't really fix that right now, as older version of certmonger +don't support the `-v` option. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský +(cherry picked from commit 98dc44286ea102ef7701ccdea26bbde32b523a7e) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 0b23cd688db..db681cb6f69 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -338,8 +338,12 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + out, err = p.communicate() + log.debug(out.decode()) + if p.returncode != 0: +- data = { 'Error': err.decode(), 'Certificate': nickname } +- log.error('Failed to request certificate', data) ++ if p.returncode == 2: ++ log.info('The template [%s] already exists' % (nickname)) ++ else: ++ data = {'Error': err.decode(), 'Certificate': nickname} ++ log.error('Failed to request certificate', data) ++ + data['files'].extend([keyfile, certfile]) + data['templates'].append(nickname) + if update is not None: +-- +2.41.0 + + +From 43dc3d5d833bc1db885eb45402decd3225a7c946 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 15:05:24 +0100 +Subject: [PATCH 19/25] python:gp: Log an error if update fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský +(cherry picked from commit 367756b85a9ac8daaac2326392bcd1373feed3b7) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index db681cb6f69..c8ad2039dc6 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -347,7 +347,9 @@ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + data['files'].extend([keyfile, certfile]) + data['templates'].append(nickname) + if update is not None: +- Popen([update]).wait() ++ ret = Popen([update]).wait() ++ if ret != 0: ++ log.error('Failed to run %s' % (update)) + else: + log.warn('certmonger and cepces must be installed for ' + + 'certificate auto enrollment to work') +-- +2.41.0 + + +From d8276d6a098d10f405b8f24c4dfb82af4496607c Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 22 Jan 2024 15:46:24 +0100 +Subject: [PATCH 20/25] python:gp: Improve working of log messages to avoid + confusion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We should not use the word "Failed". We are totally fine if we can't +connect to NDES in the meantime. This logs: + +Try to get root or server certificates. +Unable to install root certificates (requires NDES). +Installing the server certificate only. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15559 + +Signed-off-by: Andreas Schneider +Reviewed-by: David Mulder +Reviewed-by: Pavel Filipenský + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Mon Jan 29 10:37:29 UTC 2024 on atb-devel-224 + +(cherry picked from commit 1f823424418e814d9dc0785658e2a7d92643dab2) +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index c8ad2039dc6..2b7f7d22c2b 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -209,12 +209,10 @@ def getca(ca, url, trust_dir): + r = requests.get(url=url, params={'operation': 'GetCACert', + 'message': 'CAIdentifier'}) + except requests.exceptions.ConnectionError: +- log.warn('Failed to establish a new connection') ++ log.warn('Could not connect to Network Device Enrollment Service.') + r = None + if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html': +- log.warn('Failed to fetch the root certificate chain.') +- log.warn('The Network Device Enrollment Service is either not' + +- ' installed or not configured.') ++ log.warn('Unable to fetch root certificates (requires NDES).') + if 'cACertificate' in ca: + log.warn('Installing the server certificate only.') + der_certificate = base64.b64decode(ca['cACertificate']) +-- +2.41.0 + + +From 585357bf0d8889747a2769c2451ee34766087d95 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 29 Jan 2024 17:46:30 +0100 +Subject: [PATCH 21/25] python:gp: Fix logging with gp + +This allows enable INFO level logging with: `samba-gpupdate -d3` + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15558 + +Signed-off-by: Andreas Schneider +Reviewed-by: Joseph Sutton +Reviewed-by: Andrew Bartlett + +Autobuild-User(master): Andreas Schneider +Autobuild-Date(master): Tue Jan 30 07:18:05 UTC 2024 on atb-devel-224 + +(cherry picked from commit 145194071b10c4c1857f28fe79c57fd63ffab889) +--- + python/samba/gp/util/logging.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/python/samba/gp/util/logging.py b/python/samba/gp/util/logging.py +index a74a8707d50..c3de32825db 100644 +--- a/python/samba/gp/util/logging.py ++++ b/python/samba/gp/util/logging.py +@@ -24,9 +24,10 @@ import gettext + import random + import sys + +-logger = logging.getLogger() ++logger = logging.getLogger("gp") ++ ++ + def logger_init(name, log_level): +- logger = logging.getLogger(name) + logger.addHandler(logging.StreamHandler(sys.stdout)) + logger.setLevel(logging.CRITICAL) + if log_level == 1: +-- +2.41.0 + + +From c188f44cf1037f751763db853ab3758d564c0bcd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Wed, 13 Mar 2024 13:55:41 +0100 +Subject: [PATCH 22/25] docs-xml: Add parameter all_groupmem to idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit a485d9de2f2d6a9815dcac6addb988a8987e111c) +--- + docs-xml/manpages/idmap_ad.8.xml | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml +index b364bbfa231..de6d36afe95 100644 +--- a/docs-xml/manpages/idmap_ad.8.xml ++++ b/docs-xml/manpages/idmap_ad.8.xml +@@ -100,6 +100,16 @@ + + + ++ all_groupmem = yes/no ++ ++ If set to yes winbind will retrieve all ++ group members for getgrnam(3), getgrgid(3) and getgrent(3) calls, ++ including those with missing uidNumber. ++ ++ Default: no ++ ++ ++ + deny ous + This parameter is a list of OUs from + which objects will not be mapped via the ad idmap +-- +2.41.0 + + +From 270121c01a04e81704c33e1ce72fe3679dc55911 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Tue, 12 Mar 2024 13:20:24 +0100 +Subject: [PATCH 23/25] s3:winbindd: Improve performance of lookup_groupmem() + in idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The LDAP query of lookup_groupmem() returns all group members from AD +even those with missing uidNumber. Such group members are useless in +UNIX environment for idmap_ad backend since there is no uid mapping. + +'test_user' is member of group "Domanin Users" with 200K members, +only 20K members have set uidNumber. + +Without this fix: + +$ time id test_user + +real 1m5.946s +user 0m0.019s +sys 0m0.012s + +With this fix: + +$ time id test_user + +real 0m3.544s +user 0m0.004s +sys 0m0.007s + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 5d475d26a3d545f04791a04e85a06b8b192e3fcf) +--- + source3/winbindd/winbindd_ads.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c +index d7a665abbc6..e625aa6473f 100644 +--- a/source3/winbindd/winbindd_ads.c ++++ b/source3/winbindd/winbindd_ads.c +@@ -1037,7 +1037,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain, + } + + static NTSTATUS add_primary_group_members( +- ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, ++ ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname, + char ***all_members, size_t *num_all_members) + { + char *filter; +@@ -1049,10 +1049,13 @@ static NTSTATUS add_primary_group_members( + char **members; + size_t num_members; + ads_control args; ++ bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false); + + filter = talloc_asprintf( +- mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))", +- (unsigned)rid); ++ mem_ctx, ++ "(&(objectCategory=user)(primaryGroupID=%u)%s)", ++ (unsigned)rid, ++ all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))"); + if (filter == NULL) { + goto done; + } +@@ -1204,7 +1207,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain, + + DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members)); + +- status = add_primary_group_members(ads, mem_ctx, rid, ++ status = add_primary_group_members(ads, mem_ctx, rid, domain->name, + &members, &num_members); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("%s: add_primary_group_members failed: %s\n", +-- +2.41.0 + + +From 4f9f3c9b8d5d229c0c1da17af3a457b1b49ae353 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Mon, 25 Mar 2024 22:38:18 +0100 +Subject: [PATCH 24/25] selftest: Add "winbind expand groups = 1" to + setup_ad_member_idmap_ad +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider +(cherry picked from commit 2dab3a331b5511b4f2253f2b3b4513db7e52ea9a) +--- + selftest/target/Samba3.pm | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 44ac4a5901a..606c65f8ab1 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1412,6 +1412,7 @@ sub setup_ad_member_idmap_ad + idmap config $dcvars->{TRUST_DOMAIN} : backend = ad + idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999 + gensec_gssapi:requested_life_time = 5 ++ winbind expand groups = 1 + "; + + my $ret = $self->provision( +-- +2.41.0 + + +From 569d942a39154bcf1267339bbb79253ac8c89416 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= +Date: Thu, 14 Mar 2024 15:24:21 +0100 +Subject: [PATCH 25/25] tests: Add a test for "all_groups=no" to + test_idmap_ad.sh +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15605 + +Signed-off-by: Pavel Filipenský +Reviewed-by: Andreas Schneider + +Autobuild-User(master): Pavel Filipensky +Autobuild-Date(master): Tue Apr 2 13:25:39 UTC 2024 on atb-devel-224 + +(cherry picked from commit f8b72aa1f72881989990fabc9f4888968bb81967) +--- + nsswitch/tests/test_idmap_ad.sh | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh +index 7ae112ada71..1d4bd395ba9 100755 +--- a/nsswitch/tests/test_idmap_ad.sh ++++ b/nsswitch/tests/test_idmap_ad.sh +@@ -94,6 +94,14 @@ gidNumber: 2000001 + unixHomeDirectory: /home/forbidden + loginShell: /bin/tcsh + gecos: User in forbidden OU ++ ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: add ++objectClass: user ++samaccountName: no_posix_id ++unixHomeDirectory: /home/no_posix_id ++loginShell: /bin/sh ++gecos: User without uidNumber and gidNumber + EOF + + # +@@ -171,6 +179,17 @@ then + failed=$(($failed + 1)) + fi + ++# ++# Test 6: Make sure that with the default "all_groups=no" ++# the group "domain users" will not show user "no_posix_id" ++# but will show "SAMBA2008R2/administrator" ++# ++ ++dom_users="$DOMAIN/domain users" # Extra step to make sure that all is one word ++out="$($wbinfo --group-info "$dom_users")" ++testit_grep_count "no_posix_id1" "no_posix_id" 0 echo "$out" || failed=$(expr $failed + 1) ++testit_grep "no_posix_id2" "SAMBA2008R2/administrator" echo "$out" || failed=$(expr $failed + 1) ++ + # + # Trusted domain test 1: Test uid of Administrator, should be 2500000 + # +@@ -241,6 +260,9 @@ gidNumber: 2000002 + dn: cn=forbidden,ou=sub,$BASE_DN + changetype: delete + ++dn: CN=no_posix_id,CN=Users,$BASE_DN ++changetype: delete ++ + dn: ou=sub,$BASE_DN + changetype: delete + EOF +-- +2.41.0 + diff --git a/SOURCES/samba-4.19.4.tar.asc b/SOURCES/samba-4.19.4.tar.asc new file mode 100644 index 0000000..c4690ac --- /dev/null +++ b/SOURCES/samba-4.19.4.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA +tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub +Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ +2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq +XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln +iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x +svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar +JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8 +ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ +vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo ++NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++ +1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY= +=kOPP +-----END PGP SIGNATURE----- diff --git a/SOURCES/samba-winbind-systemd-sysusers.conf b/SOURCES/samba-winbind-systemd-sysusers.conf new file mode 100644 index 0000000..7ccc216 --- /dev/null +++ b/SOURCES/samba-winbind-systemd-sysusers.conf @@ -0,0 +1,2 @@ +#Type Name ID +g wbpriv 88 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index c6812f5..1304730 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -121,9 +121,12 @@ #endif fedora || rhel >= 8 %endif -# Build the ctdb-pcp-pmda package by default on Fedora +# Build the ctdb-pcp-pmda package by default on Fedora, except for i686 where +# pcp is no longer supported %if 0%{?fedora} +%ifnarch i686 %bcond_without pcp_pmda +%endif %else %bcond_with pcp_pmda %endif @@ -135,10 +138,16 @@ %bcond_with etcd_mutex %endif +%if 0%{?fedora} || 0%{?rhel} >= 9 +%bcond_with gpupdate +%else +%bcond_with gpupdate +%endif + %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global samba_version 4.18.6 -%global baserelease 102 +%global samba_version 4.19.4 +%global baserelease 105 # This should be rc1 or %%nil %global pre_release %nil @@ -171,10 +180,10 @@ %global libsmbclient_so_version 0 %global libwbclient_so_version 0 -%global talloc_version 2.4.0 -%global tdb_version 1.4.8 -%global tevent_version 0.14.1 -%global ldb_version 2.7.2 +%global talloc_version 2.4.1 +%global tdb_version 1.4.9 +%global tevent_version 0.15.0 +%global ldb_version 2.8.0 %global required_mit_krb5 1.20.1 @@ -188,12 +197,6 @@ # https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md %undefine _strict_symbol_defs_build -%global libwbc_alternatives_version 0.16 -%global libwbc_alternatives_suffix %nil -%if 0%{?__isa_bits} == 64 -%global libwbc_alternatives_suffix -64 -%endif - %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" # Make a copy of this variable to prevent repeated evaluation of the @@ -230,16 +233,16 @@ Source14: samba.pamd Source15: usershares.conf.vendor Source16: samba-systemd-sysusers.conf Source17: samba-usershares-systemd-sysusers.conf +Source18: samba-winbind-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore -Patch0: CVE-2023-3961-pipename-4.18.6.patch -Patch1: CVE-2023-4091-truncate-4.18.patch -Patch2: CVE-2023-42669-remove-rpcecho-4.18.patch -Patch3: samba-4.18-fix-nss-winbind-memory-corruption.patch - -Requires(pre): /usr/sbin/groupadd +# Backport bug fixes to https://gitlab.com/samba-redhat/samba/-/tree/v4-19-redhat +# This will give us CI and makes it easy to generate patchsets. +# +# Generate the patchset using: git format-patch -l1 --stdout -N > samba-4.19-redhat.patch +Patch0: samba-4.19-redhat.patch Requires(pre): %{name}-common = %{samba_depver} Requires: %{name}-common = %{samba_depver} @@ -335,9 +338,11 @@ BuildRequires: zlib-devel >= 1.2.3 BuildRequires: pkgconfig(libsystemd) +%ifnarch i686 %if 0%{?fedora} >= 37 BuildRequires: mold %endif +%endif %if %{with vfs_glusterfs} BuildRequires: glusterfs-api-devel >= 3.4.0.16 @@ -362,6 +367,10 @@ BuildRequires: librados-devel BuildRequires: python3-etcd %endif +%if %{with gpupdate} +BuildRequires: cepces-certmonger +%endif + # pidl requirements BuildRequires: perl(ExtUtils::MakeMaker) BuildRequires: perl(FindBin) @@ -726,19 +735,21 @@ Samba VFS module for GlusterFS integration. %endif ### GPUPDATE -%if %{with dc} +%if %{with gpupdate} %package gpupdate Summary: Samba GPO support for clients -Requires: cepces +Requires: cepces-certmonger Requires: certmonger Requires: %{name}-ldb-ldap-modules = %{samba_depver} Requires: python3-%{name} = %{samba_depver} +# samba-tool needs python3-samba-dc also on non-dc build +Requires: python3-%{name}-dc = %{samba_depver} %description gpupdate This package provides the samba-gpupdate tool to apply Group Policy Objects (GPO) on Samba clients. -# /with dc +#endif with gpupdate %endif ### KRB5-PRINTING @@ -903,6 +914,8 @@ Summary: Samba Python libraries for Samba AD Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-dc-libs = %{samba_depver} Requires: python3-%{name} = %{samba_depver} +# for ms_forest_updates_markdown.py and ms_schema_markdown.py +Requires: python3-markdown %description -n python3-samba-dc The python3-%{name}-dc package contains the Python libraries needed by programs @@ -1264,8 +1277,17 @@ rm -f lib/crypto/{aes,rijndael}*.c # TODO: resolve underlinked python modules export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" -# Use the gold linker -export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" +# Use the mold linker if possible +export python_LDFLAGS="$(echo %{__global_ldflags} | sed -e 's/-Wl,-z,defs//g')" + +%ifnarch i686 +%if 0%{?fedora} >= 37 +export LDFLAGS="%{__global_ldflags} -fuse-ld=mold" +export python_LDFLAGS="$(echo ${LDFLAGS} | sed -e 's/-Wl,-z,defs//g')" +#endif fedora >= 37 +%endif +#endif narch i686 +%endif # Add support for mock ccache plugin %if %{with ccache} @@ -1395,6 +1417,7 @@ echo "d /run/ctdb 755 root root" > %{buildroot}%{_tmpfilesdir}/ctdb.conf install -d -m 0755 %{buildroot}%{_sysusersdir} install -m 0644 %{SOURCE16} %{buildroot}%{_sysusersdir}/samba.conf install -m 0644 %{SOURCE17} %{buildroot}%{_sysusersdir}/samba-usershares.conf +install -m 0644 %{SOURCE18} %{buildroot}%{_sysusersdir}/samba-winbind.conf install -d -m 0755 %{buildroot}%{_sysconfdir}/sysconfig install -m 0644 packaging/systemd/samba.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/samba @@ -1422,14 +1445,17 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so for i in \ %{_mandir}/man8/samba.8 \ %{_mandir}/man8/samba_downgrade_db.8 \ - %{_mandir}/man8/samba-gpupdate.8 \ %{_unitdir}/samba.service \ - %{_sbindir}/samba-gpupdate \ ; do rm -f %{buildroot}$i done %endif +%if %{without gpupdate} +rm -f %{buildroot}%{_sbindir}/samba-gpupdate +rm -f %{buildroot}%{_mandir}/man8/samba-gpupdate.8* +%endif + %if %{without vfs_glusterfs} rm -f %{buildroot}%{_mandir}/man8/vfs_glusterfs.8* %endif @@ -1506,11 +1532,8 @@ export WINBINDD_DONT_LOG_STDOUT=1 %systemd_postun_with_restart nmb.service %pre common -%if 0%{?fedora} || 0%{?rhel} > 8 +# This creates the group 'printadmin' %sysusers_create_compat %{SOURCE16} -%else -getent group printadmin >/dev/null || groupadd -r printadmin || : -%endif %post common %{?ldconfig} @@ -1580,14 +1603,12 @@ fi %ldconfig_scriptlets test %pre usershares -%if 0%{?fedora} || 0%{?rhel} > 8 +# This creates the group 'usershares' %sysusers_create_compat %{SOURCE17} -%else -getent group usershares >/dev/null || groupadd -r usershares || : -%endif %pre winbind -/usr/sbin/groupadd -g 88 wbpriv >/dev/null 2>&1 || : +# This creates the group 'wbpriv' +%sysusers_create_compat %{SOURCE18} %post winbind %systemd_post winbind.service @@ -1798,7 +1819,6 @@ fi %{_mandir}/man1/smbclient.1* %{_mandir}/man1/smbcquotas.1* %{_mandir}/man1/smbget.1* -%{_mandir}/man5/smbgetrc.5* %{_mandir}/man1/smbtar.1* %{_mandir}/man1/smbtree.1* %{_mandir}/man7/traffic_learner.7.* @@ -2005,10 +2025,12 @@ fi %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles +%{_bindir}/samba-log-parser %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm %{_mandir}/man1/profiles.1* +%{_mandir}/man1/samba-log-parser.1* %{_mandir}/man1/smbcontrol.1* %{_mandir}/man1/testparm.1* %{_mandir}/man8/net.8* @@ -2029,6 +2051,9 @@ fi %{_libexecdir}/samba/rpcd_fsrvp %{_libexecdir}/samba/rpcd_lsad %{_libexecdir}/samba/rpcd_mdssvc +%if %{with testsuite} +%{_libexecdir}/samba/rpcd_rpcecho +%endif %{_libexecdir}/samba/rpcd_spoolss %{_libexecdir}/samba/rpcd_winreg %{_mandir}/man8/samba-dcerpcd.8* @@ -2151,6 +2176,8 @@ fi %endif %{_libdir}/libdcerpc-server.so.* +%{_libdir}/samba/libad-claims-samba4.so +%{_libdir}/samba/libauthn-policy-util-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so @@ -2319,10 +2346,11 @@ fi %endif ### GPUPDATE -%if %{with dc} +%if %{with gpupdate} %files gpupdate %{_mandir}/man8/samba-gpupdate.8* %{_sbindir}/samba-gpupdate +#endif with gpupdate %endif ### KRB5-PRINTING @@ -2446,6 +2474,7 @@ fi %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc %{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc +%{python3_sitearch}/samba/__pycache__/functional_level.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc @@ -2457,6 +2486,7 @@ fi %{python3_sitearch}/samba/__pycache__/ms_schema.*.pyc %{python3_sitearch}/samba/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/__pycache__/ntacls.*.pyc +%{python3_sitearch}/samba/__pycache__/policies.*.pyc %{python3_sitearch}/samba/__pycache__/safe_tarfile.*.pyc %{python3_sitearch}/samba/__pycache__/sd_utils.*.pyc %{python3_sitearch}/samba/__pycache__/sites.*.pyc @@ -2526,6 +2556,7 @@ fi %{python3_sitearch}/samba/drs_utils.py %{python3_sitearch}/samba/dsdb.*.so %{python3_sitearch}/samba/dsdb_dns.*.so +%{python3_sitearch}/samba/functional_level.py %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/graph.py @@ -2548,6 +2579,8 @@ fi %{python3_sitearch}/samba/emulate/traffic_packets.py %dir %{python3_sitearch}/samba/gp %dir %{python3_sitearch}/samba/gp/__pycache__ +%{python3_sitearch}/samba/gp/__init__.py +%{python3_sitearch}/samba/gp/__pycache__/__init__.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_crontab_ext.*.pyc %{python3_sitearch}/samba/gp/__pycache__/gp_centrify_sudoers_ext.*.pyc @@ -2626,12 +2659,12 @@ fi %{python3_sitearch}/samba/netcmd/__pycache__/dbcheck.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/delegation.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/dns.*.pyc -%{python3_sitearch}/samba/netcmd/__pycache__/domain.*.pyc -%{python3_sitearch}/samba/netcmd/__pycache__/domain_backup.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/drs.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/dsacl.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/encoders.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/forest.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/fsmo.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/gpcommon.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/gpo.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/group.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/ldapcmp.*.pyc @@ -2647,19 +2680,102 @@ fi %{python3_sitearch}/samba/netcmd/__pycache__/spn.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/testparm.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/user.*.pyc +%{python3_sitearch}/samba/netcmd/__pycache__/validators.*.pyc %{python3_sitearch}/samba/netcmd/__pycache__/visualize.*.pyc %{python3_sitearch}/samba/netcmd/common.py %{python3_sitearch}/samba/netcmd/computer.py %{python3_sitearch}/samba/netcmd/contact.py %{python3_sitearch}/samba/netcmd/dbcheck.py %{python3_sitearch}/samba/netcmd/delegation.py +%dir %{python3_sitearch}/samba/netcmd/domain +%{python3_sitearch}/samba/netcmd/domain/__init__.py +%dir %{python3_sitearch}/samba/netcmd/domain/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/backup.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/classicupgrade.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/common.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/dcpromo.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/demote.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/functional_prep.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/info.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/join.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/keytab.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/leave.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/level.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/passwordsettings.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/provision.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/samba3upgrade.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/schemaupgrade.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/tombstones.*.pyc +%{python3_sitearch}/samba/netcmd/domain/__pycache__/trust.*.pyc +%dir %{python3_sitearch}/samba/netcmd/domain/auth +%{python3_sitearch}/samba/netcmd/domain/auth/__init__.py +%dir %{python3_sitearch}/samba/netcmd/domain/auth/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/policy.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/silo.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/__pycache__/silo_member.*.pyc +%{python3_sitearch}/samba/netcmd/domain/auth/policy.py +%{python3_sitearch}/samba/netcmd/domain/auth/silo.py +%{python3_sitearch}/samba/netcmd/domain/auth/silo_member.py +%{python3_sitearch}/samba/netcmd/domain/backup.py +%dir %{python3_sitearch}/samba/netcmd/domain/claim +%{python3_sitearch}/samba/netcmd/domain/claim/__init__.py +%dir %{python3_sitearch}/samba/netcmd/domain/claim/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/claim/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/claim/__pycache__/claim_type.*.pyc +%{python3_sitearch}/samba/netcmd/domain/claim/__pycache__/value_type.*.pyc +%{python3_sitearch}/samba/netcmd/domain/claim/claim_type.py +%{python3_sitearch}/samba/netcmd/domain/claim/value_type.py +%{python3_sitearch}/samba/netcmd/domain/classicupgrade.py +%{python3_sitearch}/samba/netcmd/domain/common.py +%{python3_sitearch}/samba/netcmd/domain/dcpromo.py +%{python3_sitearch}/samba/netcmd/domain/demote.py +%{python3_sitearch}/samba/netcmd/domain/functional_prep.py +%{python3_sitearch}/samba/netcmd/domain/info.py +%{python3_sitearch}/samba/netcmd/domain/join.py +%{python3_sitearch}/samba/netcmd/domain/keytab.py +%{python3_sitearch}/samba/netcmd/domain/leave.py +%{python3_sitearch}/samba/netcmd/domain/level.py +%dir %{python3_sitearch}/samba/netcmd/domain/models +%{python3_sitearch}/samba/netcmd/domain/models/__init__.py +%dir %{python3_sitearch}/samba/netcmd/domain/models/__pycache__ +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/auth_policy.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/auth_silo.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/claim_type.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/exceptions.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/fields.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/model.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/schema.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/site.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/subnet.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/user.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/__pycache__/value_type.*.pyc +%{python3_sitearch}/samba/netcmd/domain/models/auth_policy.py +%{python3_sitearch}/samba/netcmd/domain/models/auth_silo.py +%{python3_sitearch}/samba/netcmd/domain/models/claim_type.py +%{python3_sitearch}/samba/netcmd/domain/models/exceptions.py +%{python3_sitearch}/samba/netcmd/domain/models/fields.py +%{python3_sitearch}/samba/netcmd/domain/models/model.py +%{python3_sitearch}/samba/netcmd/domain/models/schema.py +%{python3_sitearch}/samba/netcmd/domain/models/site.py +%{python3_sitearch}/samba/netcmd/domain/models/subnet.py +%{python3_sitearch}/samba/netcmd/domain/models/user.py +%{python3_sitearch}/samba/netcmd/domain/models/value_type.py +%{python3_sitearch}/samba/netcmd/domain/passwordsettings.py +%{python3_sitearch}/samba/netcmd/domain/provision.py +%{python3_sitearch}/samba/netcmd/domain/samba3upgrade.py +%{python3_sitearch}/samba/netcmd/domain/schemaupgrade.py +%{python3_sitearch}/samba/netcmd/domain/tombstones.py +%{python3_sitearch}/samba/netcmd/domain/trust.py %{python3_sitearch}/samba/netcmd/dns.py -%{python3_sitearch}/samba/netcmd/domain.py -%{python3_sitearch}/samba/netcmd/domain_backup.py %{python3_sitearch}/samba/netcmd/drs.py %{python3_sitearch}/samba/netcmd/dsacl.py +%{python3_sitearch}/samba/netcmd/encoders.py %{python3_sitearch}/samba/netcmd/forest.py %{python3_sitearch}/samba/netcmd/fsmo.py +%{python3_sitearch}/samba/netcmd/gpcommon.py %{python3_sitearch}/samba/netcmd/gpo.py %{python3_sitearch}/samba/netcmd/group.py %{python3_sitearch}/samba/netcmd/ldapcmp.py @@ -2675,9 +2791,11 @@ fi %{python3_sitearch}/samba/netcmd/spn.py %{python3_sitearch}/samba/netcmd/testparm.py %{python3_sitearch}/samba/netcmd/user.py +%{python3_sitearch}/samba/netcmd/validators.py %{python3_sitearch}/samba/netcmd/visualize.py %{python3_sitearch}/samba/ntacls.py %{python3_sitearch}/samba/param.*.so +%{python3_sitearch}/samba/policies.py %{python3_sitearch}/samba/policy.*.so %{python3_sitearch}/samba/registry.*.so %{python3_sitearch}/samba/reparse_symlink.*.so @@ -2854,6 +2972,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_whoami.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc %{python3_sitearch}/samba/tests/__pycache__/logfiles.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc @@ -2901,6 +3020,7 @@ fi %{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/safe_tarfile.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/samba_startup_fl_change.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc @@ -3083,8 +3203,11 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/authn_policy_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/claims_in_pac.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/claims_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/device_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/group_tests.*.pyc @@ -3097,6 +3220,7 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/nt_hash_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/pkinit_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/protected_users_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc @@ -3116,8 +3240,11 @@ fi %{python3_sitearch}/samba/tests/krb5/alias_tests.py %{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py %{python3_sitearch}/samba/tests/krb5/as_req_tests.py +%{python3_sitearch}/samba/tests/krb5/authn_policy_tests.py +%{python3_sitearch}/samba/tests/krb5/claims_in_pac.py %{python3_sitearch}/samba/tests/krb5/claims_tests.py %{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/device_tests.py %{python3_sitearch}/samba/tests/krb5/etype_tests.py %{python3_sitearch}/samba/tests/krb5/fast_tests.py %{python3_sitearch}/samba/tests/krb5/group_tests.py @@ -3130,6 +3257,7 @@ fi %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py %{python3_sitearch}/samba/tests/krb5/nt_hash_tests.py %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py +%{python3_sitearch}/samba/tests/krb5/pkinit_tests.py %{python3_sitearch}/samba/tests/krb5/protected_users_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py @@ -3151,6 +3279,7 @@ fi %{python3_sitearch}/samba/tests/ldap_spn.py %{python3_sitearch}/samba/tests/ldap_referrals.py %{python3_sitearch}/samba/tests/ldap_upn_sam_account.py +%{python3_sitearch}/samba/tests/ldap_whoami.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/libsmb-basic.py %{python3_sitearch}/samba/tests/loadparm.py @@ -3198,6 +3327,7 @@ fi %{python3_sitearch}/samba/tests/s3_net_join.py %{python3_sitearch}/samba/tests/safe_tarfile.py %{python3_sitearch}/samba/tests/samba3sam.py +%{python3_sitearch}/samba/tests/samba_startup_fl_change.py %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool %{python3_sitearch}/samba/tests/samba_tool/__init__.py @@ -3208,6 +3338,11 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/contact.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/demote.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/dnscmd.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_base.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_policy.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_auth_silo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_claim.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/domain_models.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/drs_clone_dc_data_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/dsacl.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc @@ -3245,6 +3380,11 @@ fi %{python3_sitearch}/samba/tests/samba_tool/contact.py %{python3_sitearch}/samba/tests/samba_tool/demote.py %{python3_sitearch}/samba/tests/samba_tool/dnscmd.py +%{python3_sitearch}/samba/tests/samba_tool/domain_auth_base.py +%{python3_sitearch}/samba/tests/samba_tool/domain_auth_policy.py +%{python3_sitearch}/samba/tests/samba_tool/domain_auth_silo.py +%{python3_sitearch}/samba/tests/samba_tool/domain_claim.py +%{python3_sitearch}/samba/tests/samba_tool/domain_models.py %{python3_sitearch}/samba/tests/samba_tool/drs_clone_dc_data_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/dsacl.py %{python3_sitearch}/samba/tests/samba_tool/forest.py @@ -3344,6 +3484,7 @@ fi %{_libdir}/samba/libnss-info-samba4.so %{_libdir}/samba/libidmap-samba4.so %{_sbindir}/winbindd +%{_sysusersdir}/samba-winbind.conf %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged %{_unitdir}/winbind.service %{_prefix}/lib/NetworkManager @@ -4332,16 +4473,32 @@ fi %endif %changelog -* Tue Jan 23 2024 Andreas Schneider - 4.18.6-102 -- resolves: RHEL-21072 - Fix libnss_winbind memory corruption - -* Mon Oct 09 2023 Pavel Filipenský - 4.18.6-101 -- resolves: RHEL-11937 - Fix CVE-2023-3961 - smbd must check the pipename -- resolves: RHEL-11937 - Fix CVE-2023-4091 - SMB clients can truncate files -- resolves: RHEL-11937 - Fix CVE-2023-42669 - Remove rpcecho server +* Wed Apr 24 2024 Pavel Filipenský - 4.19.4-105 +- resolves: RHEL-33783 - Add option to request only POSIX groups from AD in idmap_ad + +* Mon Feb 19 2024 Andreas Schneider - 4.19.4-104 +- related: RHEL-2109 - Disable support for certificate auto enrollment + +* Tue Jan 30 2024 Andreas Schneider - 4.19.4-102 +- resolves: RHEL-22157 - Don't require NDES for samba-gpupdate +- resolves: RHEL-20897 - Fix site name fetching for samba-gpupdate + +* Wed Jan 10 2024 Andreas Schneider - 4.19.4-100 +- related: RHEL-16476 - Update to version 4.19.4 +- resolves: RHEL-2109 - Add support for certificate auto enrollment +- resolves: RHEL-20761 - Add missing requirements for samba-gpupdate +- resolves: RHEL-19566 - Fix smbget interactive authentication +- resolves: RHEL-21001 - Fix samba-gpupdate paths for RHEL + +* Mon Dec 04 2023 Andreas Schneider - 4.19.3-100 +- resolves: RHEL-16476 - Update to version 4.19.3 +- resolves: RHEL-11362 - Fix security issues: + CVE-2023-4091 CVE-2023-42669 +- resolves: RHEL-18030 - Logging Format Enhancement +- resolves: RHEL-1960 - Fix smbget issues with DFS shares +- resolves: RHEL-2118 - Fix force user/group issues with 'allow trusted domains = yes' +- resolves: RHEL-16875 - Fix memory corruption in libnss_winbind +- resolves: RHEL-19243 - Fix smbget password interactive authentication * Thu Aug 17 2023 Andreas Schneider - 4.18.6-100 - related: rhbz#2190415 - Update to version 4.18.6