[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 102ad9ee6a0 librpc: match gensec_gssapi and call
gsskrb5_set_dns_canonicalize() for Heimdal
via cd5a5f590ff build: Add missing dependency on addns
from b948aeac539 hdb: Initialise HDB structure
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit 102ad9ee6a037e2aa6296d0dfbf17f3e4175a581
Author: Andrew Bartlett
Date: Tue Sep 26 15:10:12 2017 +1300
librpc: match gensec_gssapi and call gsskrb5_set_dns_canonicalize() for
Heimdal
This is needed to ensure Heimdal does not attempt to use nss to
canonicalize the name.
Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Thu Dec 9 07:42:38 UTC 2021 on sn-devel-184
commit cd5a5f590ff21587a45405977ab6bef9ff3c2db6
Author: Andrew Bartlett
Date: Tue Dec 7 16:04:08 2021 +1300
build: Add missing dependency on addns
This becomes noticed when we upgrade Heimdal as we do not find
the correct gssapi headers any more.
Signed-off-by: Andrew Bartlett
Reviewed-by: Andreas Schneider
---
Summary of changes:
source3/librpc/crypto/gse.c | 42 --
source3/utils/wscript_build | 3 ++-
2 files changed, 38 insertions(+), 7 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 1cf111bd974..c50a8a036df 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -31,6 +31,7 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/credentials/credentials.h"
#include "../librpc/gen_ndr/dcerpc.h"
+#include "param/param.h"
#if defined(HAVE_KRB5)
@@ -248,7 +249,7 @@ err_out:
return status;
}
-static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
+static NTSTATUS gse_init_client(struct gensec_security *gensec_security,
bool do_sign, bool do_seal,
const char *ccache_name,
const char *server,
@@ -271,13 +272,42 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = gse_context_init(mem_ctx, do_sign, do_seal,
+ status = gse_context_init(gensec_security, do_sign, do_seal,
ccache_name, add_gss_c_flags,
_ctx);
if (!NT_STATUS_IS_OK(status)) {
return NT_STATUS_NO_MEMORY;
}
+#ifdef SAMBA4_USES_HEIMDAL
+ {
+ int ret;
+ bool set_dns_canon = gensec_setting_bool(
+ gensec_security->settings,
+ "krb5", "set_dns_canonicalize",
+ false);
+ const char *server_realm = lpcfg_realm(
+ gensec_security->settings->lp_ctx);
+ if (server_realm != NULL) {
+ ret = gsskrb5_set_default_realm(server_realm);
+ if (ret) {
+ DBG_ERR("gsskrb5_set_default_realm failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+
+ /*
+* don't do DNS lookups of any kind, it might/will
+* fail for a netbios name
+*/
+ ret = gsskrb5_set_dns_canonicalize(set_dns_canon);
+ if (ret != GSS_S_COMPLETE) {
+ DBG_ERR("gsskrb5_set_dns_canonicalize failed\n");
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ }
+#endif
+
/* TODO: get krb5 ticket using username/password, if no valid
* one already available in ccache */
@@ -1151,13 +1181,13 @@ static bool gensec_gse_have_feature(struct
gensec_security *gensec_security,
return false;
}
- status = gssapi_get_session_key(talloc_tos(),
+ status = gssapi_get_session_key(talloc_tos(),
gse_ctx->gssapi_context, NULL,
);
- /*
+ /*
* We should do a proper sig on the mechListMic unless
* we know we have to be backwards compatible with
-* earlier windows versions.
-*
+* earlier windows versions.
+*
* Negotiating a non-krb5
* mech for example should be regarded as having
* NEW_SPNEGO
diff --git a/source3/utils/wscript_build b/source3/utils/wscript_build
index 48ce876db27..a89a4db8b59 100644
--- a/source3/utils/wscript_build
+++
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via b948aeac539 hdb: Initialise HDB structure
from 221569a14c8 tests/krb5: Allow PADATA-ENCRYPTED-CHALLENGE to be
missing for skew errors
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit b948aeac5398693e0c8c70cbff531965ed7ecd23
Author: Joseph Sutton
Date: Wed Dec 8 16:42:32 2021 +1300
hdb: Initialise HDB structure
Additional fields may be added to this structure without us explicitly
initialising them. This could cause Heimdal to crash upon reading
garbage data, so we should zero-initialise the structure.
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Dec 9 02:47:27 UTC 2021 on sn-devel-184
---
Summary of changes:
source4/kdc/hdb-samba4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index f0939193ad7..92bc5ff28a6 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -530,7 +530,7 @@ NTSTATUS hdb_samba4_create_kdc(struct
samba_kdc_base_context *base_ctx,
return NT_STATUS_ERROR_DS_INCOMPATIBLE_VERSION;
}
- *db = talloc(base_ctx, HDB);
+ *db = talloc_zero(base_ctx, HDB);
if (!*db) {
krb5_set_error_message(context, ENOMEM, "malloc: out of
memory");
return NT_STATUS_NO_MEMORY;
--
Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated
via dd679ce7f44 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching
for the local replicated object
via 1e27b820dff CVE-2020-25717: s3-auth: fix MIT Realm regression
from 105c6a15eff CVE-2020-25717: s3:auth: Fallback to a SID/UID based
mapping if the named based lookup fails
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test
- Log -
commit dd679ce7f4450765274b085bbee97d1fa8e0f2a0
Author: Andrew Bartlett
Date: Fri Nov 12 12:44:44 2021 +1300
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local
replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)
Autobuild-User(v4-13-test): Stefan Metzmacher
Autobuild-Date(v4-13-test): Wed Dec 8 16:49:25 UTC 2021 on sn-devel-184
commit 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4
Author: Ralph Boehme
Date: Fri Nov 26 10:57:17 2021 +0100
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
As a quick solution it might be possible to use the username map script
based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're
not
sure this behaves identical, but it might work in the standalone server
case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Ralph Boehme
Signed-off-by: Stefan Metzmacher
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
---
Summary of changes:
source3/auth/user_krb5.c| 9 +
source4/dsdb/samdb/ldb_modules/operational.c| 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
3 files changed, 22 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+ bool may_retry = false;
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+ may_retry = true;
}
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
pw = smb_getpwnam(mem_ctx, fuser, , true);
+ if (may_retry && pw == NULL && !*is_mapped) {
+ fuser = talloc_strdup(mem_ctx, user);
+ if (!fuser) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pw = smb_getpwnam(mem_ctx, fuser, , true);
+ }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c
b/source4/dsdb/samdb/ldb_modules/operational.c
index 5eaebf98141..4e60feaf14f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1399,7 +1399,7 @@ static const struct op_attributes_replace search_sub[] = {
{ "tokenGroups", "primaryGroupID", objectSid_attr,
construct_token_groups },
{ "tokenGroupsNoGCAcceptable", "primaryGroupID", objectSid_attr,
construct_token_groups_no_gc},
{ "tokenGroupsGlobalAndUniversal", "primaryGroupID", objectSid_attr,
construct_global_universal_token_groups },
- { "parentGUID", NULL, NULL, construct_parent_guid },
+ { "parentGUID", "objectGUID", NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", objectCategory_attr,
construct_msds_isrodc },
{ "msDS-KeyVersionNumber", "replPropertyMetaData", NULL,
construct_msds_keyversionnumber },
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 58c04da5f53..870185ee1d3 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 0dccc6d Add Samba 4.15.3 via 870ebc5 NEWS[4.15.3]: Samba 4.15.3 Available for Download from 795517f updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14922 https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 0dccc6d1e2a761dcdc09961f0e9d79f07b8c71fb Author: Jule Anger Date: Wed Dec 8 15:40:31 2021 +0100 Add Samba 4.15.3 Signed-off-by: Jule Anger commit 870ebc5fab4f1a3c226a50b0caea150f95d6e099 Author: Jule Anger Date: Wed Dec 8 15:38:11 2021 +0100 NEWS[4.15.3]: Samba 4.15.3 Available for Download Signed-off-by: Jule Anger --- Summary of changes: history/header_history.html | 1 + history/samba-4.15.3.html| 119 +++ posted_news/20211208-143903.4.15.3.body.html | 13 +++ posted_news/20211208-143903.4.15.3.headline.html | 3 + 4 files changed, 136 insertions(+) create mode 100644 history/samba-4.15.3.html create mode 100644 posted_news/20211208-143903.4.15.3.body.html create mode 100644 posted_news/20211208-143903.4.15.3.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 7dbe7f8..25c3521 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ Release Notes + samba-4.15.3 samba-4.15.2 samba-4.15.1 samba-4.15.0 diff --git a/history/samba-4.15.3.html b/history/samba-4.15.3.html new file mode 100644 index 000..493015a --- /dev/null +++ b/history/samba-4.15.3.html @@ -0,0 +1,119 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.15.3 - Release Notes + + +Samba 4.15.3 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.15.3.tar.gz;>Samba 4.15.3 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.15.3.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.15.2-4.15.3.diffs.gz;>Patch (gzipped) against Samba 4.15.2 +https://download.samba.org/pub/samba/patches/samba-4.15.2-4.15.3.diffs.asc;>Signature + + + + == + Release Notes for Samba 4.15.3 + December 08, 2021 + == + + +This is the latest stable release of the Samba 4.15 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.15.2: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.15.2 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredspacespaceNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.15.2 + + +o Jeremy Allison j...@samba.org + * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0. + * BUG 14879: A directory containing dangling symlinks cannot be deleted by + SMB2 alone when they are the only entry in the directory. + * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used + uninitialized in rmdir_internals(). + +o Andrew Bartlett abart...@samba.org + * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredspacespaceNurk) become + un-deletable. + +o Ralph Boehme s...@samba.org + * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk. + * BUG 14882: smbXsrv_client_global record validation leads to crash if + existing record points at non-existing process. + * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call. + * BUG 14897: Samba process doesnt log to logfile. + * BUG 14907: set_ea_dos_attribute() fallback calling + get_file_handle_for_metadata() triggers locking.tdb assert. + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + * BUG 14923: Segmentation fault when joining the domain. + +o Alexander Bokovoy a...@samba.org + * BUG 14903: Suppo
[SCM] Samba Shared Repository - branch v4-15-stable updated
The branch, v4-15-stable has been updated via 0c85a0adaa5 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release. via ccddc464bd0 WHATSNEW: Add release notes for Samba 4.15.3. via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0 via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c via fea324d9cc4 testprogs: Add rpcclient schannel tests via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression via 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO via c22480e2640 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO should work on noperm share via f57b3e1 smb2_server: don't let SMB2_OP_IOCTL force FILE_CLOSED for invalid file ids via 2306c9e7d18 s4:torture/smb2: FSCTL_QUERY_NETWORK_INTERFACE_INFO gives INVALID_PARAMETER with invalid file ids via a68e2904eae smb2_ioctl: return BUFFER_TOO_SMALL in smbd_smb2_request_ioctl_done() via 2c4c3867933 s4:torture/smb2: test FSCTL_QUERY_NETWORK_INTERFACE_INFO with BUFFER_TOO_SMALL via 9e182796362 smb2_server: skip tcon check and chdir_current_service() for FSCTL_VALIDATE_NEGOTIATE_INFO via 2209a095dda smb2_server: decouple IOCTL check from signing/encryption states via 4c8c39a7b55 smb2_server: make sure in_ctl_code = IVAL(body, 0x04); reads valid bytes via 685250e6298 s4:torture/smb2: add smb2.ioctl.bug14788.VALIDATE_NEGOTIATE via eba52e21acb libcli/smb: split out smb2cli_raw_tcon* from smb2cli_tcon* via dc59b392111 s3:winbind: Fix possible NULL pointer dereference via 9aa03f402b7 CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts via 9f4c89d0d3f CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it via 1142f18ff1d CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details via 4f1dbaf60b8 CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing via 6b5cb85c2cc CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero via 12702424935 CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration via 5d39c5b54b9 CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts via bf9fdf5b455 cmdline: Make -P work in clustered mode via f1c064e792a cmdline: Add a callback to set the machine account details via 575e620ad6c lib: Add required includes to source3/include/secrets.h via 3309ab5fa02 selftest: Add reproducer for bug 14908 via 4d68d797f18 s3:modules:recycle - fix crash in recycle_unlink_internal via 9bcba58e4d4 CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails via 5d5e5a1f355 CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs via ae21fe9c01b CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss via 3f009a620a3 CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts via ebe18e23ba6 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials via 38ddd41e9c6 CVE-2020-25727: idmap_nss: verify that the name of the sid belongs to the configured domain via ad6af1bb831 s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable. via 728c9b83564 s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds. via 89903ed1e32 s3: smbd: dirfsp is being used uninitialized inside rmdir_internals(). via 6aae2575b38 smbd: get rid of get_file_handle_for_metadata() via c357c1b2024 lib/cmdline: setup default file logging for servers via 47c00820819 lib/cmdline: remember config_type in
[SCM] Samba Shared Repository - annotated tag samba-4.15.3 created
The annotated tag, samba-4.15.3 has been created at 579069ee4ec96d45215e791062624a3e3e3a80bd (tag) tagging 0c85a0adaa57df2541ec2d395d1f7cf936bc2e43 (commit) replaces samba-4.15.2 tagged by Jule Anger on Wed Dec 8 15:37:57 2021 +0100 - Log - samba: tag release samba-4.15.3 -BEGIN PGP SIGNATURE- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0UACgkQqplEL7aA tiCWrhAAumxyIGrnervT06lZzt1LnJYSSYnowgwqfXazwyHH8/BIoS7vkl6mr8qS Yv2XmmV1647vBe9jhfJtmAFdLuxj3mjcbElMhHBR6AVIwUkPN4Ij4M9SebHg4dyf 297ygHJfdMff30uT6dMk7F7TjouRXydVI8syIB69d74hHsz5sRRu/irHJZ3wKHjy RZP0nRgOeGUa4Ua9vHF2qF+nl/8azjvpWa7j2m22AUC8mgpHkYvnqjeuydJykTw9 pEUBdEdtLsTCypC6ONoKKUz0nq+340WnA5fg5DIh5ObTooceYXE/9lYXK8x29ezh h3ba/PjbCd8FcVbfrA1mnScH1xkFKuzwsBYFoz3VIKwkX1GeOCHTviROWxiTf5b+ 6OhiAPByi7VEwmpl6Wj7ZM20cvCk98aFrW4M/IrXhNvi2HQfXzCbxt6HS5qmuU+S xzUxClY3HhGLdM7ZXSnYVZ43t0ESL7gvbBcx0064zG7yvjEg1pXWBRnzOsJqHyoj ZYVoCHu6iDhKb/9DwX9WpKKfh04ee3F9o7Rjofv7fFzz6zIXEMTWpgImHvEClcrs YbYoVttgAb3biF8BqkfTwRpt5nmYv6trpOvD4A1jIK3DaOhA8cZm7v8B8ppPbLyy MjB5RBAypR5soMI1aXX+jyF6JQB770QZQWC2yiruxuYkhXAZVGI= =369D -END PGP SIGNATURE- Alexander Bokovoy (1): IPA DC: add missing checks Andreas Schneider (11): testprogs: Use new cmdline option for kerberos lib:cmdline: Fix -k option which doesn't expect anything auth:creds: Guess the username first via getpwuid(my_id) s3:winbind: Fix possible NULL pointer dereference testprogs: Add rpcclient schannel tests s3:rpc_client: Remove trailing white spaces from cli_pipe.c s3:rpcclient: Remove trailing white spaces in rpcclient.c s3:libnet: Remove tailing whitespaces in libnet_join.c s3:libsmb: Remove trailing white spaces from passchange.c s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() libcli:auth: Allow to connect to netlogon server offering only AES Andrew Bartlett (6): CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails CVE-2021-3670 ldb: Confirm the request has not yet timed out in ldb filter processing CVE-2021-3670 ldap_server: Remove duplicate print of LDAP search details CVE-2021-3670 dsdb/anr: Do a copy of the potentially anr query before starting to modify it CVE-2021-3670 ldap_server: Clearly log LDAP queries and timeouts dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object Andrew Walker (1): s3:modules:recycle - fix crash in recycle_unlink_internal Günther Deschner (5): s3-winexe: Fix winexe core dump (use-after-free) s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() Jeremy Allison (12): s3: smbd: Add two tests showing recursive directory delete of a directory containing veto file and msdfs links over SMB2. s3: smbd: Fix recursive directory delete of a directory containing veto file and msdfs links. s3: smbd: Add two tests showing the ability to delete a directory containing a dangling symlink over SMB2 depends on "delete veto files" setting. s3: VFS: streams_depot. Allow unlinkat to cope with dangling symlinks. s3: VFS: xattr_tdb. Allow unlinkat to cope with dangling symlinks. s3: smbd: Fix rmdir_internals() to do an early return if lp_delete_veto_files() is not set. s3: smbd: Fix logic in rmdir_internals() to cope with dangling symlinks. s3: smbd: Fix logic in can_delete_directory_fsp() to cope with dangling symlinks. s3: docs-xml: Clarify the "delete veto files" paramter. s3: smbd: dirfsp is being used uninitialized inside rmdir_internals(). s3: smbtorture3: Add test for setting delete on close on a directory, then creating a file within to see if delete succeeds. s3: smbd: Ensure in the directory scanning loops inside rmdir_internals() we don't overwrite the 'ret' variable. Joseph Sutton (7): CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts CVE-2020-25717: selftest: turn ad_member_no_nss_wb into ad_member_idmap_nss CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs CVE-2021-3670 tests/krb5/test_ldap.py: Add test for LDAP timeouts CVE-2021-3670 ldap_server: Set timeout on requests based on MaxQueryDuration CVE-2021-3670 ldap_server: Ensure value of MaxQueryDuration is greater than zero Jule Anger (2): WHATSNEW: Add release notes for Samba 4.15.3. VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release. Martin
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated
via 3d35397e103 smbd: s3-dsgetdcname: handle num_ips == 0
via ce1186e06ed dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching
for the local replicated object
via b0d67dc3d42 CVE-2020-25717: s3-auth: fix MIT Realm regression
from aef700ad3c8 s3: docs-xml: Clarify the "delete veto files" paramter.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test
- Log -
commit 3d35397e10348317ab2adbaf033c5becf59fcc33
Author: Ralph Boehme
Date: Fri Nov 26 11:59:45 2021 +0100
smbd: s3-dsgetdcname: handle num_ips == 0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Ralph Boehme
Signed-off-by: Stefan Metzmacher
Reviewed-by: Guenther Deschner
Reviewed-by: Jeremy Allison
Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184
(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)
Autobuild-User(v4-14-test): Stefan Metzmacher
Autobuild-Date(v4-14-test): Wed Dec 8 14:36:05 UTC 2021 on sn-devel-184
commit ce1186e06ed2581a29af794eb66405a4efe26b71
Author: Andrew Bartlett
Date: Fri Nov 12 12:44:44 2021 +1300
dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local
replicated object
This may allow further processing when the DN normalisation has changed
which changes the indexing, such as seen after fixes for bug 14656.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14656
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14902
Signed-off-by: Andrew Bartlett
Reviewed-by: Stefan Metzmacher
(cherry picked from commit f621317e3b25a8925ab6e448068264488a0a47c7)
commit b0d67dc3d42b81e5e35da26a333c4fcd67baab1f
Author: Ralph Boehme
Date: Fri Nov 26 10:57:17 2021 +0100
CVE-2020-25717: s3-auth: fix MIT Realm regression
This looks like a regression introduced by the recent security fixes. This
commit should hopefully fixes it.
As a quick solution it might be possible to use the username map script
based on
the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're
not
sure this behaves identical, but it might work in the standalone server
case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922
Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Ralph Boehme
Signed-off-by: Stefan Metzmacher
(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b)
---
Summary of changes:
source3/auth/user_krb5.c| 9 +
source3/libsmb/dsgetdcname.c| 4
source4/dsdb/samdb/ldb_modules/operational.c| 2 +-
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 -
4 files changed, 26 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index b8f37cbeee0..169bf563368 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char *fuser = NULL;
char *unixuser = NULL;
struct passwd *pw = NULL;
+ bool may_retry = false;
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
domain = realm;
} else {
domain = lp_workgroup();
+ may_retry = true;
}
fuser = talloc_asprintf(mem_ctx,
@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
*mapped_to_guest = false;
pw = smb_getpwnam(mem_ctx, fuser, , true);
+ if (may_retry && pw == NULL && !*is_mapped) {
+ fuser = talloc_strdup(mem_ctx, user);
+ if (!fuser) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ pw = smb_getpwnam(mem_ctx, fuser, , true);
+ }
if (pw) {
if (!unixuser) {
return NT_STATUS_NO_MEMORY;
diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
index ae90e07de77..c313259bcb1 100644
--- a/source3/libsmb/dsgetdcname.c
+++ b/source3/libsmb/dsgetdcname.c
@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
for (i = 0; i < numdcs; i++) {
size_t j;
+ if (dcs[i].num_ips == 0) {
+ continue;
+ }
+
dclist[ret_count].hostname =
talloc_move(dclist, [i].hostname);
diff --git
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 96cd0ab567e VERSION: Bump version up to Samba 4.15.4... via 0c85a0adaa5 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release. via ccddc464bd0 WHATSNEW: Add release notes for Samba 4.15.3. from 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0 https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 96cd0ab567e5cf5ff8cc41daf9dc7c567b3a88bb Author: Jule Anger Date: Wed Dec 8 15:33:39 2021 +0100 VERSION: Bump version up to Samba 4.15.4... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger commit 0c85a0adaa57df2541ec2d395d1f7cf936bc2e43 Author: Jule Anger Date: Wed Dec 8 15:32:49 2021 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.15.3 release. Signed-off-by: Jule Anger commit ccddc464bd0a2149db318ec6ad73b308fe133b17 Author: Jule Anger Date: Wed Dec 8 15:32:09 2021 +0100 WHATSNEW: Add release notes for Samba 4.15.3. Signed-off-by: Jule Anger --- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 122 ++- 2 files changed, 121 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 4b02d074ee7..0c19e2b24c4 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=15 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6632cf1c294..05eb72be9e0 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,122 @@ + == + Release Notes for Samba 4.15.3 + December 08, 2021 + == + + +This is the latest stable release of the Samba 4.15 release series. + +Important Notes +=== + +There have been a few regressions in the security release 4.15.2: + +o CVE-2020-25717: A user on the domain can become root on domain members. + https://www.samba.org/samba/security/CVE-2020-25717.html + PLEASE [RE-]READ! + The instructions have been updated and some workarounds + initially adviced for 4.15.2 are no longer required and + should be reverted in most cases. + +o BUG-14902: User with multiple spaces (eg FredNurk) become + un-deletable. While this release should fix this bug, it is + adviced to have a look at the bug report for more detailed + information, see https://bugzilla.samba.org/show_bug.cgi?id=14902. + +Changes since 4.15.2 + + +o Jeremy Allison + * BUG 14878: Recursive directory delete with veto files is broken in 4.15.0. + * BUG 14879: A directory containing dangling symlinks cannot be deleted by + SMB2 alone when they are the only entry in the directory. + * BUG 14892: SIGSEGV in rmdir_internals/synthetic_pathref - dirfsp is used + uninitialized in rmdir_internals(). + +o Andrew Bartlett + * BUG 14694: MaxQueryDuration not honoured in Samba AD DC LDAP. + * BUG 14901: The CVE-2020-25717 username map [script] advice has undesired + side effects for the local nt token. + * BUG 14902: User with multiple spaces (eg FredNurk) become + un-deletable. + +o Ralph Boehme + * BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk. + * BUG 14882: smbXsrv_client_global record validation leads to crash if + existing record points at non-existing process. + * BUG 14890: Crash in vfs_fruit asking for fsp_get_io_fd() for an XATTR call. + * BUG 14897: Samba process doesn't log to logfile. + * BUG 14907: set_ea_dos_attribute() fallback calling + get_file_handle_for_metadata() triggers locking.tdb assert. + * BUG 14922: Kerberos authentication on standalone server in MIT realm + broken. + * BUG 14923: Segmentation fault when joining the domain. + +o Alexander Bokovoy + * BUG 14903: Support for ROLE_IPA_DC is incomplete. + +o Günther Deschner + * BUG 14767: rpcclient cannot connect to ncacn_ip_tcp services anymore + * BUG 14893: winexe crashes since 4.15.0 after popt parsing. + +o Volker Lendecke + * BUG 14908: net ads status -P broken in a clustered environment. + +o Stefan Metzmacher + * BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before + smbd_smb2_ioctl_send. + * BUG 14882: smbXsrv_client_global record validation leads to crash if + existing record points at non-existing process. + * BUG 14899: winbindd doesn't start when "allow trusted domains" is off. + * BUG 14901: The
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 795517f updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14922 from 62c6ffe mark changes with red https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 795517fcb04117b9146647670b7c3707db428e65 Author: Stefan Metzmacher Date: Wed Dec 8 15:11:54 2021 +0100 updates regarding https://bugzilla.samba.org/show_bug.cgi?id=14922 --- Summary of changes: security/CVE-2020-25717.html | 5 + 1 file changed, 5 insertions(+) Changeset truncated at 500 lines: diff --git a/security/CVE-2020-25717.html b/security/CVE-2020-25717.html index 1321426..5afd59f 100644 --- a/security/CVE-2020-25717.html +++ b/security/CVE-2020-25717.html @@ -115,6 +115,11 @@ provided by nss_file, nss_ldap or something similar. as before with the patches from bug 14901. But note the 'min domain uid' setting may still be required. +[Added 2021-12-08] + There was also a regression for standalone setups, which + accept authentication from an MIT Kerberos Realm. + Fixes are available at https://bugzilla.samba.org/show_bug.cgi?id=14922 + Beyond Samba -- Samba Website Repository
[SCM] Samba Shared Repository - branch v4-15-test updated
The branch, v4-15-test has been updated via 5e846fcf74e smbd: s3-dsgetdcname: handle num_ips == 0 via 18c76813587 libcli:auth: Allow to connect to netlogon server offering only AES via b1f0aa5c22f s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() via aca47d48f51 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() via 16d886511f1 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() via 2b9882a4c2f s3:libsmb: Remove trailing white spaces from passchange.c via 460cf672e65 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() via 1b5b96d5a24 s3:libnet: Remove tailing whitespaces in libnet_join.c via 0801cae3df8 s3:rpcclient: Remove trailing white spaces in rpcclient.c via ea845570516 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open() via e72d611c78d s3:rpc_client: Remove trailing white spaces from cli_pipe.c via fea324d9cc4 testprogs: Add rpcclient schannel tests via cd9783148b8 dsdb: Use DSDB_SEARCH_SHOW_EXTENDED_DN when searching for the local replicated object via 5db0cb09e94 CVE-2020-25717: s3-auth: fix MIT Realm regression from 6f7e39b0611 smb2_server: skip tcon check and chdir_current_service() for FSCTL_QUERY_NETWORK_INTERFACE_INFO https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test - Log - commit 5e846fcf74edb883e8aa7756ee51ef8bfbfb6026 Author: Ralph Boehme Date: Fri Nov 26 11:59:45 2021 +0100 smbd: s3-dsgetdcname: handle num_ips == 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Ralph Boehme Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner Reviewed-by: Jeremy Allison Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Dec 3 12:54:04 UTC 2021 on sn-devel-184 (cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44) Autobuild-User(v4-15-test): Stefan Metzmacher Autobuild-Date(v4-15-test): Wed Dec 8 10:46:08 UTC 2021 on sn-devel-184 commit 18c7681358775b079d95cc44c4146b715ffb54cd Author: Andreas Schneider Date: Thu Nov 18 13:46:26 2021 +0100 libcli:auth: Allow to connect to netlogon server offering only AES BUG: https://bugzilla.samba.org/show_bug.cgi?id=14912 Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Dec 2 14:49:35 UTC 2021 on sn-devel-184 (cherry picked from commit d1ea9c5aaba42447f25a15935a9bf5bbd20f7d93) commit b1f0aa5c22fdf65114540d4bb15ac6980f194abf Author: Günther Deschner Date: Thu Nov 18 11:52:18 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_schannel_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 6bf3a39b11832ad2feb655e29da84f8b5aac298e) commit aca47d48f516b43ef20f44f85d50993ca25eb3fa Author: Andreas Schneider Date: Thu Nov 18 11:47:26 2021 +0100 s3:rpc_client: Add remote name and socket to cli_rpc_pipe_open_bind_schannel() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther Deschner Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit 62aa769667464451cda672fc073e52a8e52ae4c1) commit 16d886511f158a56fb0ebb71df91fea127bed606 Author: Günther Deschner Date: Thu Nov 18 11:43:08 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_with_creds() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Andreas Schneider Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher (cherry picked from commit c7ead1292852da371ff53fcdbd7ebd4bc1c08fbd) commit 2b9882a4c2fb94653982d3d4ab9a53d84d658226 Author: Andreas Schneider Date: Wed Nov 24 13:21:28 2021 +0100 s3:libsmb: Remove trailing white spaces from passchange.c Signed-off-by: Andreas Schneider Reviewed-by: Stefan Metzmacher (cherry picked from commit be1520d2058a9430cf370f6fefd07bbddf3fbfe0) commit 460cf672e65432d79512ceca2212572c470865f3 Author: Günther Deschner Date: Thu Nov 18 11:31:00 2021 +0100 s3:rpc_client: Pass remote name and socket to cli_rpc_pipe_open_noauth_transport() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14767 Pair-Programmed-With: Andreas Schneider Signed-off-by: Guenther
