samba: Update to latest stable

The previous version of Samba had many critical security updates that
would have required significant backporting effort. Update to the latest
stable release instead.

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Joe MacDonald 2016-04-18 17:00:53 -04:00
parent 5aa6f3727f
commit 825cf152cc
32 changed files with 81 additions and 35585 deletions


@ -1,60 +0,0 @@
From 1b32c7d7f148bcf2598799b21dfa3ba1ed824d32 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Mon, 18 May 2015 21:12:06 +0300
Subject: [PATCH 1/7] waf: sanitize and fix added cross answer
When configuring samba for cross-compilation using the cross-answers
method, the function add_answer receives the standard output and exit code
of a configuration test and updates the cross-answers file accordingly.
This patch sanitizes the standard output to conform to the cross-answers
file format - one line of output. It also adds a missing newline.
(Note - at this point add_answer is only ever called with empty output
but this change is significant for the reminder of this patchset)
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/samba_cross.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
index 3838e34..fc1d78e 100644
--- a/buildtools/wafsamba/samba_cross.py
+++ b/buildtools/wafsamba/samba_cross.py
@@ -19,6 +19,16 @@ def add_answer(ca_file, msg, answer):
except:
Logs.error("Unable to open cross-answers file %s" % ca_file)
sys.exit(1)
+ (retcode, retstring) = answer
+ # if retstring is more than one line then we probably
+ # don't care about its actual content (the tests should
+ # yield one-line output in order to comply with the cross-answer
+ # format)
+ retstring = retstring.strip()
+ if len(retstring.split('\n')) > 1:
+ retstring = ''
+ answer = (retcode, retstring)
+
if answer == ANSWER_OK:
f.write('%s: OK\n' % msg)
elif answer == ANSWER_UNKNOWN:
@@ -26,8 +36,7 @@ def add_answer(ca_file, msg, answer):
elif answer == ANSWER_FAIL:
f.write('%s: FAIL\n' % msg)
else:
- (retcode, retstring) = answer
- f.write('%s: (%d, "%s")' % (msg, retcode, retstring))
+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
f.close()
--
1.9.1


@ -1,112 +0,0 @@
From add52538b9a0ccf66ca87c7a691bf59901765849 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Mon, 18 May 2015 21:15:19 +0300
Subject: [PATCH 2/7] Adds a new mode to samba cross-compiling.
When both --cross-answers and --cross-execute are set, this means:
- Use cross-answers
- If answer is unknown, then instead of adding UNKNOWN to the cross-answers
file and failing configure, the new mode runs cross-execute to determine the
answer and adds that to the cross-answers file.
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/samba_cross.py | 46 ++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
index fc1d78e..3f1ef12 100644
--- a/buildtools/wafsamba/samba_cross.py
+++ b/buildtools/wafsamba/samba_cross.py
@@ -45,7 +45,6 @@ def cross_answer(ca_file, msg):
try:
f = open(ca_file, 'r')
except:
- add_answer(ca_file, msg, ANSWER_UNKNOWN)
return ANSWER_UNKNOWN
for line in f:
line = line.strip()
@@ -78,7 +77,6 @@ def cross_answer(ca_file, msg):
else:
raise Utils.WafError("Bad answer format '%s' in %s" % (line, ca_file))
f.close()
- add_answer(ca_file, msg, ANSWER_UNKNOWN)
return ANSWER_UNKNOWN
@@ -86,24 +84,47 @@ class cross_Popen(Utils.pproc.Popen):
'''cross-compilation wrapper for Popen'''
def __init__(*k, **kw):
(obj, args) = k
-
- if '--cross-execute' in args:
- # when --cross-execute is set, then change the arguments
- # to use the cross emulator
- i = args.index('--cross-execute')
- newargs = args[i+1].split()
- newargs.extend(args[0:i])
- args = newargs
- elif '--cross-answers' in args:
+ use_answers = False
+ ans = ANSWER_UNKNOWN
+
+ # Three possibilities:
+ # 1. Only cross-answers - try the cross-answers file, and if
+ # there's no corresponding answer, add to the file and mark
+ # the configure process as unfinished.
+ # 2. Only cross-execute - get the answer from cross-execute
+ # 3. Both - try the cross-answers file, and if there is no
+ # corresponding answer - use cross-execute to get an answer,
+ # and add that answer to the file.
+ if '--cross-answers' in args:
# when --cross-answers is set, then change the arguments
# to use the cross answers if available
+ use_answers = True
i = args.index('--cross-answers')
ca_file = args[i+1]
msg = args[i+2]
ans = cross_answer(ca_file, msg)
+
+ if '--cross-execute' in args and ans == ANSWER_UNKNOWN:
+ # when --cross-execute is set, then change the arguments
+ # to use the cross emulator
+ i = args.index('--cross-execute')
+ newargs = args[i+1].split()
+ newargs.extend(args[0:i])
+ if use_answers:
+ p = real_Popen(newargs,
+ stdout=Utils.pproc.PIPE,
+ stderr=Utils.pproc.PIPE)
+ ce_out, ce_err = p.communicate()
+ ans = (p.returncode, ce_out)
+ add_answer(ca_file, msg, ans)
+ else:
+ args = newargs
+
+ if use_answers:
if ans == ANSWER_UNKNOWN:
global cross_answers_incomplete
cross_answers_incomplete = True
+ add_answer(ca_file, msg, ans)
(retcode, retstring) = ans
args = ['/bin/sh', '-c', "echo -n '%s'; exit %d" % (retstring, retcode)]
real_Popen.__init__(*(obj, args), **kw)
@@ -124,7 +145,8 @@ def SAMBA_CROSS_ARGS(conf, msg=None):
if conf.env.CROSS_EXECUTE:
ret.extend(['--cross-execute', conf.env.CROSS_EXECUTE])
- elif conf.env.CROSS_ANSWERS:
+
+ if conf.env.CROSS_ANSWERS:
if msg is None:
raise Utils.WafError("Cannot have NULL msg in cross-answers")
ret.extend(['--cross-answers', os.path.join(Options.launch_dir, conf.env.CROSS_ANSWERS), msg])
--
1.9.1


@ -1,66 +0,0 @@
From f7052d633396005563e44509428503f42c9faa97 Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Thu, 12 Nov 2015 01:00:11 -0500
Subject: [PATCH 3/7] waf: improve readability of cross-answers generated by cross-execute
When generating a result for cross-answers from the (retcode, retstring) tuple:
- (0, "output") indicated as "output"
- 1 is interpreted as generic fail code, instead of 255, because most
if not all tests fail with 1 as exit code rather than 255
- For failing test, use NO instead of FAIL, because that's not
necessarily a failure (it could mean that something is NOT
broken)
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/samba_cross.py | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
index 3f1ef12..d1e7006 100644
--- a/buildtools/wafsamba/samba_cross.py
+++ b/buildtools/wafsamba/samba_cross.py
@@ -6,7 +6,7 @@ from Configure import conf
real_Popen = None
ANSWER_UNKNOWN = (254, "")
-ANSWER_FAIL = (255, "")
+ANSWER_NO = (1, "")
ANSWER_OK = (0, "")
cross_answers_incomplete = False
@@ -33,10 +33,13 @@ def add_answer(ca_file, msg, answer):
f.write('%s: OK\n' % msg)
elif answer == ANSWER_UNKNOWN:
f.write('%s: UNKNOWN\n' % msg)
- elif answer == ANSWER_FAIL:
- f.write('%s: FAIL\n' % msg)
+ elif answer == ANSWER_NO:
+ f.write('%s: NO\n' % msg)
else:
- f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
+ if retcode == 0:
+ f.write('%s: "%s"\n' % (msg, retstring))
+ else:
+ f.write('%s: (%d, "%s")\n' % (msg, retcode, retstring))
f.close()
@@ -64,7 +67,7 @@ def cross_answer(ca_file, msg):
return ANSWER_UNKNOWN
elif ans == "FAIL" or ans == "NO":
f.close()
- return ANSWER_FAIL
+ return ANSWER_NO
elif ans[0] == '"':
return (0, ans.strip('"'))
elif ans[0] == "'":
--
1.9.1


@ -1,72 +0,0 @@
From 8ffb1892b5c42d8d29124d274aa4b5f1726d7e9f Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Mon, 21 Apr 2014 10:18:16 -0300
Subject: [PATCH 4/7] build: make wafsamba CHECK_SIZEOF cross-compile friendly
Use the same trick as commit 0d9bb86293c9d39298786df095c73a6251b08b7e
We do the same array trick iteratively starting from 1 (byte) by powers
of 2 up to 32.
The new 'critical' option is used to make the invocation die or not
according to each test.
The default is True since normally it's expected to find a proper
result and should error out if not.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/samba_autoconf.py | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index fe110bd..59953d9 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -304,23 +304,27 @@ def CHECK_FUNCS(conf, list, link=True, lib=None, headers=None):
@conf
-def CHECK_SIZEOF(conf, vars, headers=None, define=None):
+def CHECK_SIZEOF(conf, vars, headers=None, define=None, critical=True):
'''check the size of a type'''
- ret = True
for v in TO_LIST(vars):
v_define = define
+ ret = False
if v_define is None:
v_define = 'SIZEOF_%s' % v.upper().replace(' ', '_')
- if not CHECK_CODE(conf,
- 'printf("%%u", (unsigned)sizeof(%s))' % v,
- define=v_define,
- execute=True,
- define_ret=True,
- quote=False,
- headers=headers,
- local_include=False,
- msg="Checking size of %s" % v):
- ret = False
+ for size in list((1, 2, 4, 8, 16, 32)):
+ if CHECK_CODE(conf,
+ 'static int test_array[1 - 2 * !(((long int)(sizeof(%s))) <= %d)];' % (v, size),
+ define=v_define,
+ quote=False,
+ headers=headers,
+ local_include=False,
+ msg="Checking if size of %s == %d" % (v, size)):
+ conf.DEFINE(v_define, size)
+ ret = True
+ break
+ if not ret and critical:
+ Logs.error("Couldn't determine size of '%s'" % v)
+ sys.exit(1)
return ret
@conf
--
1.9.1


@ -1,169 +0,0 @@
From 81379b6b14ea725c72953be2170b382403ed8728 Mon Sep 17 00:00:00 2001
From: Gustavo Zacarias <gustavo@zacarias.com.ar>
Date: Mon, 21 Apr 2014 10:18:15 -0300
Subject: [PATCH 5/7] build: unify and fix endian tests
Unify the endian tests out of lib/ccan/wscript into wafsamba since
they're almost cross-compile friendly.
While at it fix them to be so by moving the preprocessor directives out
of main scope since that will fail.
And keep the WORDS_BIGENDIAN, HAVE_LITTLE_ENDIAN and HAVE_BIG_ENDIAN
defines separate because of different codebases.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/wscript | 65 ++++++++++++++++++++++++++++++++++++++++++---
lib/ccan/wscript | 55 --------------------------------------
2 files changed, 62 insertions(+), 58 deletions(-)
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 7984227..1a2cfe6 100755
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -390,9 +390,68 @@ def configure(conf):
else:
conf.define('SHLIBEXT', "so", quote=True)
- conf.CHECK_CODE('long one = 1; return ((char *)(&one))[0]',
- execute=True,
- define='WORDS_BIGENDIAN')
+ # First try a header check for cross-compile friendlyness
+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
+ #define B __BYTE_ORDER
+ #elif defined(BYTE_ORDER)
+ #define B BYTE_ORDER
+ #endif
+
+ #ifdef __LITTLE_ENDIAN
+ #define LITTLE __LITTLE_ENDIAN
+ #elif defined(LITTLE_ENDIAN)
+ #define LITTLE LITTLE_ENDIAN
+ #endif
+
+ #if !defined(LITTLE) || !defined(B) || LITTLE != B
+ #error Not little endian.
+ #endif
+ int main(void) { return 0; }""",
+ addmain=False,
+ headers="endian.h sys/endian.h",
+ define="HAVE_LITTLE_ENDIAN")
+ conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
+ #define B __BYTE_ORDER
+ #elif defined(BYTE_ORDER)
+ #define B BYTE_ORDER
+ #endif
+
+ #ifdef __BIG_ENDIAN
+ #define BIG __BIG_ENDIAN
+ #elif defined(BIG_ENDIAN)
+ #define BIG BIG_ENDIAN
+ #endif
+
+ #if !defined(BIG) || !defined(B) || BIG != B
+ #error Not big endian.
+ #endif
+ int main(void) { return 0; }""",
+ addmain=False,
+ headers="endian.h sys/endian.h",
+ define="HAVE_BIG_ENDIAN")
+
+ if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
+ # That didn't work! Do runtime test.
+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
+ u.i = 0x01020304;
+ return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
+ addmain=True, execute=True,
+ define='HAVE_LITTLE_ENDIAN',
+ msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
+ conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
+ u.i = 0x01020304;
+ return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
+ addmain=True, execute=True,
+ define='HAVE_BIG_ENDIAN',
+ msg="Checking for HAVE_BIG_ENDIAN - runtime")
+
+ # Extra sanity check.
+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
+ Logs.error("Failed endian determination. The PDP-11 is back?")
+ sys.exit(1)
+ else:
+ if conf.CONFIG_SET("HAVE_BIG_ENDIAN"):
+ conf.DEFINE('WORDS_BIGENDIAN', 1)
# check if signal() takes a void function
if conf.CHECK_CODE('return *(signal (0, 0)) (0) == 1',
diff --git a/lib/ccan/wscript b/lib/ccan/wscript
index a0b5406..5b3a910 100644
--- a/lib/ccan/wscript
+++ b/lib/ccan/wscript
@@ -25,61 +25,6 @@ def configure(conf):
conf.CHECK_CODE('int __attribute__((used)) func(int x) { return x; }',
addmain=False, link=False, cflags=conf.env['WERROR_CFLAGS'],
define='HAVE_ATTRIBUTE_USED')
- # We try to use headers for a compile-time test.
- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
- #define B __BYTE_ORDER
- #elif defined(BYTE_ORDER)
- #define B BYTE_ORDER
- #endif
-
- #ifdef __LITTLE_ENDIAN
- #define LITTLE __LITTLE_ENDIAN
- #elif defined(LITTLE_ENDIAN)
- #define LITTLE LITTLE_ENDIAN
- #endif
-
- #if !defined(LITTLE) || !defined(B) || LITTLE != B
- #error Not little endian.
- #endif""",
- headers="endian.h sys/endian.h",
- define="HAVE_LITTLE_ENDIAN")
- conf.CHECK_CODE(code = """#ifdef __BYTE_ORDER
- #define B __BYTE_ORDER
- #elif defined(BYTE_ORDER)
- #define B BYTE_ORDER
- #endif
-
- #ifdef __BIG_ENDIAN
- #define BIG __BIG_ENDIAN
- #elif defined(BIG_ENDIAN)
- #define BIG BIG_ENDIAN
- #endif
-
- #if !defined(BIG) || !defined(B) || BIG != B
- #error Not big endian.
- #endif""",
- headers="endian.h sys/endian.h",
- define="HAVE_BIG_ENDIAN")
-
- if not conf.CONFIG_SET("HAVE_BIG_ENDIAN") and not conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
- # That didn't work! Do runtime test.
- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
- u.i = 0x01020304;
- return u.c[0] == 0x04 && u.c[1] == 0x03 && u.c[2] == 0x02 && u.c[3] == 0x01 ? 0 : 1;""",
- addmain=True, execute=True,
- define='HAVE_LITTLE_ENDIAN',
- msg="Checking for HAVE_LITTLE_ENDIAN - runtime")
- conf.CHECK_CODE("""union { int i; char c[sizeof(int)]; } u;
- u.i = 0x01020304;
- return u.c[0] == 0x01 && u.c[1] == 0x02 && u.c[2] == 0x03 && u.c[3] == 0x04 ? 0 : 1;""",
- addmain=True, execute=True,
- define='HAVE_BIG_ENDIAN',
- msg="Checking for HAVE_BIG_ENDIAN - runtime")
-
- # Extra sanity check.
- if conf.CONFIG_SET("HAVE_BIG_ENDIAN") == conf.CONFIG_SET("HAVE_LITTLE_ENDIAN"):
- Logs.error("Failed endian determination. The PDP-11 is back?")
- sys.exit(1)
conf.CHECK_CODE('return __builtin_choose_expr(1, 0, "garbage");',
link=True,
--
1.9.1


@ -1,36 +0,0 @@
From 649c731526dc1473bd1804d2903d7559e63616da Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni@gmail.com>
Date: Mon, 4 May 2015 09:12:45 +0300
Subject: [PATCH 7/7] waf: Fix parsing of cross-answers file in case answer includes a colon
The answer provided in the cross-answers file may include a colon,
as in:
Checking uname version type: "#57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014"
Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Upstream-Status: Backport
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
buildtools/wafsamba/samba_cross.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildtools/wafsamba/samba_cross.py b/buildtools/wafsamba/samba_cross.py
index d1e7006..7961212 100644
--- a/buildtools/wafsamba/samba_cross.py
+++ b/buildtools/wafsamba/samba_cross.py
@@ -54,7 +54,7 @@ def cross_answer(ca_file, msg):
if line == '' or line[0] == '#':
continue
if line.find(':') != -1:
- a = line.split(':')
+ a = line.split(':', 1)
thismsg = a[0].strip()
if thismsg != msg:
continue
--
1.9.1


@ -1,266 +0,0 @@
From 168627e1877317db86471a4b0360dccd9f469aaa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 13 Jan 2014 15:59:26 +0100
Subject: [PATCH 1/2] s3-kerberos: remove print_kdc_line() completely.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Just calling print_canonical_sockaddr() is sufficient, as it already deals with
ipv6 as well. The port handling, which was only done for IPv6 (not IPv4), is
removed as well. It was pointless because it always derived the port number from
the provided address which was either a SMB (usually port 445) or LDAP
connection. No KDC will ever run on port 389 or 445 on a Windows/Samba DC.
Finally, the kerberos libraries that we support and build with, can deal with
ipv6 addresses in krb5.conf, so we no longer put the (unnecessary) burden of
resolving the DC name on the kerberos library anymore.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 73 ++++-------------------------------------------
1 file changed, 5 insertions(+), 68 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b026e09..ea14350 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -592,70 +592,6 @@ int kerberos_kinit_password(const char *principal,
/************************************************************************
************************************************************************/
-static char *print_kdc_line(char *mem_ctx,
- const char *prev_line,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
-{
- char addr[INET6_ADDRSTRLEN];
- uint16_t port = get_sockaddr_port(pss);
-
- if (pss->ss_family == AF_INET) {
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line,
- print_canonical_sockaddr(mem_ctx, pss));
- }
-
- /*
- * IPv6 starts here
- */
-
- DEBUG(10, ("print_kdc_line: IPv6 case for kdc_name: %s, port: %d\n",
- kdc_name, port));
-
- if (port != 0 && port != DEFAULT_KRB5_PORT) {
- /* Currently for IPv6 we can't specify a non-default
- krb5 port with an address, as this requires a ':'.
- Resolve to a name. */
- char hostname[MAX_DNS_NAME_LENGTH];
- int ret = sys_getnameinfo((const struct sockaddr *)pss,
- sizeof(*pss),
- hostname, sizeof(hostname),
- NULL, 0,
- NI_NAMEREQD);
- if (ret) {
- DEBUG(0,("print_kdc_line: can't resolve name "
- "for kdc with non-default port %s. "
- "Error %s\n.",
- print_canonical_sockaddr(mem_ctx, pss),
- gai_strerror(ret)));
- return NULL;
- }
- /* Success, use host:port */
- return talloc_asprintf(mem_ctx,
- "%s\tkdc = %s:%u\n",
- prev_line,
- hostname,
- (unsigned int)port);
- }
-
- /* no krb5 lib currently supports "kdc = ipv6 address"
- * at all, so just fill in just the kdc_name if we have
- * it and let the krb5 lib figure out the appropriate
- * ipv6 address - gd */
-
- if (kdc_name) {
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line, kdc_name);
- }
-
- return talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
- prev_line,
- print_sockaddr(addr,
- sizeof(addr),
- pss));
-}
-
/************************************************************************
Create a string list of available kdc's, possibly searching by sitename.
Does DNS queries.
@@ -698,7 +634,8 @@ static char *get_kdc_ip_string(char *mem_ctx,
char *result = NULL;
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
- char *kdc_str = print_kdc_line(mem_ctx, "", pss, kdc_name);
+ char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
+ print_canonical_sockaddr(mem_ctx, pss));
if (kdc_str == NULL) {
TALLOC_FREE(frame);
@@ -788,9 +725,9 @@ static char *get_kdc_ip_string(char *mem_ctx,
}
/* Append to the string - inefficient but not done often. */
- new_kdc_str = print_kdc_line(mem_ctx, kdc_str,
- &dc_addrs[i],
- kdc_name);
+ new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
+ kdc_str,
+ print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto fail;
}
--
1.8.5.3
From 3edb3d4084548960f03356cf4c44a6892e6efb84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 7 Mar 2014 14:47:31 +0100
Subject: [PATCH 2/2] s3-kerberos: remove unused kdc_name from
create_local_private_krb5_conf_for_domain().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/kerberos.c | 10 ++++------
source3/libads/kerberos_proto.h | 3 +--
source3/libnet/libnet_join.c | 3 +--
source3/libsmb/namequery_dc.c | 6 ++----
source3/winbindd/winbindd_cm.c | 6 ++----
5 files changed, 10 insertions(+), 18 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index ea14350..649e568 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -618,8 +618,7 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
static char *get_kdc_ip_string(char *mem_ctx,
const char *realm,
const char *sitename,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
+ const struct sockaddr_storage *pss)
{
TALLOC_CTX *frame = talloc_stackframe();
int i;
@@ -756,8 +755,7 @@ fail:
bool create_local_private_krb5_conf_for_domain(const char *realm,
const char *domain,
const char *sitename,
- const struct sockaddr_storage *pss,
- const char *kdc_name)
+ const struct sockaddr_storage *pss)
{
char *dname;
char *tmpname = NULL;
@@ -782,7 +780,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
return false;
}
- if (domain == NULL || pss == NULL || kdc_name == NULL) {
+ if (domain == NULL || pss == NULL) {
return false;
}
@@ -815,7 +813,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
goto done;
}
- kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss, kdc_name);
+ kdc_ip_string = get_kdc_ip_string(dname, realm, sitename, pss);
if (!kdc_ip_string) {
goto done;
}
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index f7470d2..2559634 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -62,8 +62,7 @@ int kerberos_kinit_password(const char *principal,
bool create_local_private_krb5_conf_for_domain(const char *realm,
const char *domain,
const char *sitename,
- const struct sockaddr_storage *pss,
- const char *kdc_name);
+ const struct sockaddr_storage *pss);
/* The following definitions come from libads/authdata.c */
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index a87eb38..68884cd 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2152,8 +2152,7 @@ static WERROR libnet_DomainJoin(TALLOC_CTX *mem_ctx,
create_local_private_krb5_conf_for_domain(
r->out.dns_domain_name, r->out.netbios_domain_name,
- NULL, smbXcli_conn_remote_sockaddr(cli->conn),
- smbXcli_conn_remote_name(cli->conn));
+ NULL, smbXcli_conn_remote_sockaddr(cli->conn));
if (r->out.domain_is_ad && r->in.account_ou &&
!(r->in.join_flags & WKSSVC_JOIN_FLAGS_JOIN_UNSECURE)) {
diff --git a/source3/libsmb/namequery_dc.c b/source3/libsmb/namequery_dc.c
index 3cfae79..eb34741 100644
--- a/source3/libsmb/namequery_dc.c
+++ b/source3/libsmb/namequery_dc.c
@@ -112,14 +112,12 @@ static bool ads_dc_name(const char *domain,
create_local_private_krb5_conf_for_domain(realm,
domain,
sitename,
- &ads->ldap.ss,
- ads->config.ldap_server_name);
+ &ads->ldap.ss);
} else {
create_local_private_krb5_conf_for_domain(realm,
domain,
NULL,
- &ads->ldap.ss,
- ads->config.ldap_server_name);
+ &ads->ldap.ss);
}
}
#endif
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 669a43e..be13a57 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1233,8 +1233,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
sitename,
- pss,
- *name);
+ pss);
SAFE_FREE(sitename);
} else {
@@ -1242,8 +1241,7 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx,
create_local_private_krb5_conf_for_domain(domain->alt_name,
domain->name,
NULL,
- pss,
- *name);
+ pss);
}
winbindd_set_locator_kdc_envs(domain);
--
1.8.5.3


@ -1,962 +0,0 @@
From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 Jan 2014 14:29:03 +0100
Subject: [PATCH 1/8] s3-libads: pass down local_service to
kerberos_return_pac().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/authdata.c | 6 +-----
source3/libads/kerberos_proto.h | 1 +
source3/utils/net_ads.c | 8 ++++++++
source3/winbindd/winbindd_pam.c | 9 +++++++++
4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 801e551..dd80dc2 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
+ const char *local_service,
struct PAC_LOGON_INFO **_logon_info)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
const char *auth_princ = NULL;
- const char *local_service = NULL;
const char *cc = "MEMORY:kerberos_return_pac";
struct auth_session_info *session_info;
struct gensec_security *gensec_server_context;
@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
}
NT_STATUS_HAVE_NO_MEMORY(auth_princ);
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
- lp_netbios_name(), lp_realm());
- NT_STATUS_HAVE_NO_MEMORY(local_service);
-
ret = kerberos_kinit_password_ext(auth_princ,
pass,
time_offset,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 2559634..1151d66 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
+ const char *local_service,
struct PAC_LOGON_INFO **logon_info);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 89eebf3..5a073b1 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
NTSTATUS status;
int ret = -1;
const char *impersonate_princ_s = NULL;
+ const char *local_service = NULL;
if (c->display_usage) {
d_printf( "%s\n"
@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
impersonate_princ_s = argv[0];
}
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ goto out;
+ }
+
c->opt_password = net_prompt_pass(c, c->opt_user_name);
status = kerberos_return_pac(mem_ctx,
@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
true,
2592000, /* one month */
impersonate_princ_s,
+ local_service,
&info);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3f3ec70..61e2cef 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time_t time_offset = 0;
const char *user_ccache_file;
struct PAC_LOGON_INFO *logon_info = NULL;
+ const char *local_service;
*info3 = NULL;
@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
/* if this is a user ccache, we need to act as the user to let the krb5
* library handle the chown, etc. */
@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
true,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
+ local_service,
&logon_info);
if (user_ccache_file != NULL) {
gain_root_privilege();
--
1.8.5.3
From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 3 Mar 2014 12:14:51 +0100
Subject: [PATCH 2/8] auth/kerberos: fix a typo.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
auth/kerberos/kerberos_pac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 81f7f21..8f55c8f 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
}
/**
-* @brief Decode a blob containing a NDR envoded PAC structure
+* @brief Decode a blob containing a NDR encoded PAC structure
*
* @param mem_ctx - The memory context
* @param pac_data_blob - The data blob containing the NDR encoded data
--
1.8.5.3
From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 10 Mar 2014 15:11:18 +0100
Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used
in "net ads kerberos pac".
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/net_ads.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 5a073b1..ac6346f 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
int ret = -1;
const char *impersonate_princ_s = NULL;
const char *local_service = NULL;
+ int i;
if (c->display_usage) {
d_printf( "%s\n"
@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
return 0;
}
+ for (i=0; i<argc; i++) {
+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
+ impersonate_princ_s = get_string_param(argv[i]);
+ if (impersonate_princ_s == NULL) {
+ return -1;
+ }
+ }
+ }
+
mem_ctx = talloc_init("net_ads_kerberos_pac");
if (!mem_ctx) {
goto out;
}
- if (argc > 0) {
- impersonate_princ_s = argv[0];
- }
-
local_service = talloc_asprintf(mem_ctx, "%s$@%s",
lp_netbios_name(), lp_realm());
if (local_service == NULL) {
--
1.8.5.3
From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 11 Mar 2014 16:34:36 +0100
Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads
kerberos pac".
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/net_ads.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ac6346f..c53c8c6 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
return -1;
}
}
+ if (strnequal(argv[i], "local_service", strlen("local_service"))) {
+ local_service = get_string_param(argv[i]);
+ if (local_service == NULL) {
+ return -1;
+ }
+ }
}
mem_ctx = talloc_init("net_ads_kerberos_pac");
@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
goto out;
}
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
- lp_netbios_name(), lp_realm());
if (local_service == NULL) {
- goto out;
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ goto out;
+ }
}
c->opt_password = net_prompt_pass(c, c->opt_user_name);
--
1.8.5.3
From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 21 Feb 2014 18:56:04 +0100
Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/authdata.c | 28 +++++++++++++++++-----------
source3/libads/kerberos_proto.h | 4 ++--
source3/utils/net_ads.c | 17 ++++++++++++++++-
source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-
4 files changed, 56 insertions(+), 15 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd80dc2..53e40ef 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
struct auth_session_info **session_info)
{
TALLOC_CTX *tmp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
tmp_ctx = talloc_new(mem_ctx);
@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
}
if (pac_blob) {
- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
- NULL, NULL, 0, &logon_info);
+ status = kerberos_decode_pac(tmp_ctx,
+ *pac_blob,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &pac_data);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
+ talloc_set_name_const(pac_data, "struct PAC_DATA");
- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
*session_info = talloc_zero(mem_ctx, struct auth_session_info);
if (!*session_info) {
status = NT_STATUS_NO_MEMORY;
@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
- struct PAC_LOGON_INFO **_logon_info)
+ struct PAC_DATA **_pac_data)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
size_t idx = 0;
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
goto out;
}
- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
- struct PAC_LOGON_INFO);
- if (logon_info == NULL) {
+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+ struct PAC_DATA);
+ if (pac_data == NULL) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
- *_logon_info = talloc_move(mem_ctx, &logon_info);
+ *_pac_data = talloc_move(mem_ctx, &pac_data);
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 1151d66..b2f7486 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,7 +32,7 @@
#include "system/kerberos.h"
-struct PAC_LOGON_INFO;
+struct PAC_DATA;
#include "libads/ads_status.h"
@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
- struct PAC_LOGON_INFO **logon_info);
+ struct PAC_DATA **pac_data);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c53c8c6..19da6da 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
{
struct PAC_LOGON_INFO *info = NULL;
+ struct PAC_DATA *pac_data = NULL;
TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
int ret = -1;
@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
2592000, /* one month */
impersonate_princ_s,
local_service,
- &info);
+ &pac_data);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
nt_errstr(status));
goto out;
}
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ info = pac_data->buffers[i].info->logon_info.info;
+ if (!info) {
+ goto out;
+ }
+
+ break;
+ }
+
if (info) {
const char *s;
s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 61e2cef..a8daae51 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
time_t time_offset = 0;
const char *user_ccache_file;
struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
const char *local_service;
+ int i;
*info3 = NULL;
@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
- &logon_info);
+ &pac_data);
if (user_ccache_file != NULL) {
gain_root_privilege();
}
@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
goto failed;
}
+ if (pac_data == NULL) {
+ goto failed;
+ }
+
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ logon_info = pac_data->buffers[i].info->logon_info.info;
+ if (!logon_info) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ break;
+ }
+
*info3 = &logon_info->info3;
DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
--
1.8.5.3
From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 11 Mar 2014 18:07:11 +0100
Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC
container.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/libads/authdata.c | 29 +++++++++++++++++++++--------
source3/libads/kerberos_proto.h | 7 ++++++-
source3/utils/net_ads.c | 5 ++++-
source3/winbindd/winbindd_pam.c | 8 +++++++-
4 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 53e40ef..276408d 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
{
TALLOC_CTX *tmp_ctx;
struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
tmp_ctx = talloc_new(mem_ctx);
@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
}
}
- talloc_set_name_const(pac_data, "struct PAC_DATA");
+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
+
+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+ pac_blob->data,
+ pac_blob->length);
+
+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
*session_info = talloc_zero(mem_ctx, struct auth_session_info);
if (!*session_info) {
status = NT_STATUS_NO_MEMORY;
@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
- struct PAC_DATA **_pac_data)
+ struct PAC_DATA_CTR **_pac_data_ctr)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
size_t idx = 0;
struct auth4_context *auth_context;
struct loadparm_context *lp_ctx;
- struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
goto out;
}
- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
- struct PAC_DATA);
- if (pac_data == NULL) {
+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+ struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
- *_pac_data = talloc_move(mem_ctx, &pac_data);
+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
out:
talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index b2f7486..3d0ad4b 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -34,6 +34,11 @@
struct PAC_DATA;
+struct PAC_DATA_CTR {
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data;
+};
+
#include "libads/ads_status.h"
/* The following definitions come from libads/kerberos.c */
@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_t renewable_time,
const char *impersonate_princ_s,
const char *local_service,
- struct PAC_DATA **pac_data);
+ struct PAC_DATA_CTR **pac_data_ctr);
/* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 19da6da..19c28b1 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
{
struct PAC_LOGON_INFO *info = NULL;
struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
int ret = -1;
@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
2592000, /* one month */
impersonate_princ_s,
local_service,
- &pac_data);
+ &pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
nt_errstr(status));
goto out;
}
+ pac_data = pac_data_ctr->pac_data;
+
for (i=0; i < pac_data->num_buffers; i++) {
if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a8daae51..b41291e 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
const char *user_ccache_file;
struct PAC_LOGON_INFO *logon_info = NULL;
struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
const char *local_service;
int i;
@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL,
local_service,
- &pac_data);
+ &pac_data_ctr);
if (user_ccache_file != NULL) {
gain_root_privilege();
}
@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
goto failed;
}
+ if (pac_data_ctr == NULL) {
+ goto failed;
+ }
+
+ pac_data = pac_data_ctr->pac_data;
if (pac_data == NULL) {
goto failed;
}
--
1.8.5.3
From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 11 Mar 2014 18:14:39 +0100
Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"
command.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow
dumping of individial pac buffer types. Ommitting type= or using type=0 will
dump the whole PAC structure on stdout.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------
1 file changed, 77 insertions(+), 38 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 19c28b1..f54cf23 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
return ret;
}
-static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,
+ struct PAC_DATA_CTR **pac_data_ctr)
{
- struct PAC_LOGON_INFO *info = NULL;
- struct PAC_DATA *pac_data = NULL;
- struct PAC_DATA_CTR *pac_data_ctr = NULL;
- TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
int ret = -1;
const char *impersonate_princ_s = NULL;
const char *local_service = NULL;
int i;
- if (c->display_usage) {
- d_printf( "%s\n"
- "net ads kerberos pac [impersonation_principal]\n"
- " %s\n",
- _("Usage:"),
- _("Dump the Kerberos PAC"));
- return 0;
- }
-
for (i=0; i<argc; i++) {
if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {
impersonate_princ_s = get_string_param(argv[i]);
@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
}
}
- mem_ctx = talloc_init("net_ads_kerberos_pac");
- if (!mem_ctx) {
- goto out;
- }
-
if (local_service == NULL) {
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ local_service = talloc_asprintf(c, "%s$@%s",
lp_netbios_name(), lp_realm());
if (local_service == NULL) {
goto out;
@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
c->opt_password = net_prompt_pass(c, c->opt_user_name);
- status = kerberos_return_pac(mem_ctx,
+ status = kerberos_return_pac(c,
c->opt_user_name,
c->opt_password,
0,
@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
2592000, /* one month */
impersonate_princ_s,
local_service,
- &pac_data_ctr);
+ pac_data_ctr);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
nt_errstr(status));
goto out;
}
- pac_data = pac_data_ctr->pac_data;
+ ret = 0;
+ out:
+ return ret;
+}
- for (i=0; i < pac_data->num_buffers; i++) {
+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv)
+{
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ int i;
+ int ret = -1;
+ enum PAC_TYPE type = 0;
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
+ if (c->display_usage) {
+ d_printf( "%s\n"
+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n"
+ " %s\n",
+ _("Usage:"),
+ _("Dump the Kerberos PAC"));
+ return -1;
+ }
+
+ for (i=0; i<argc; i++) {
+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) {
+ type = get_int_param(argv[i]);
}
+ }
- info = pac_data->buffers[i].info->logon_info.info;
- if (!info) {
- goto out;
+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
+ if (ret) {
+ return ret;
+ }
+
+ if (type == 0) {
+
+ char *s = NULL;
+
+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA,
+ pac_data_ctr->pac_data);
+ if (s != NULL) {
+ d_printf(_("The Pac: %s\n"), s);
+ talloc_free(s);
}
- break;
+ return 0;
}
- if (info) {
- const char *s;
- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
- d_printf(_("The Pac: %s\n"), s);
+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) {
+
+ char *s = NULL;
+
+ if (pac_data_ctr->pac_data->buffers[i].type != type) {
+ continue;
+ }
+
+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type,
+ pac_data_ctr->pac_data->buffers[i].info);
+ if (s != NULL) {
+ d_printf(_("The Pac: %s\n"), s);
+ talloc_free(s);
+ }
+ break;
}
- ret = 0;
- out:
- TALLOC_FREE(mem_ctx);
- return ret;
+ return 0;
+}
+
+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
+{
+ struct functable func[] = {
+ {
+ "dump",
+ net_ads_kerberos_pac_dump,
+ NET_TRANSPORT_ADS,
+ N_("Dump Kerberos PAC"),
+ N_("net ads kerberos pac dump\n"
+ " Dump a Kerberos PAC to stdout")
+ },
+
+ {NULL, NULL, 0, NULL, NULL}
+ };
+
+ return net_run_function(c, argc, argv, "net ads kerberos pac", func);
}
static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv)
--
1.8.5.3
From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 11 Mar 2014 18:16:40 +0100
Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use "filename=string" to define a file where to save the unencrypted PAC to.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index f54cf23..8b8e719 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char
return 0;
}
+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv)
+{
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *filename = NULL;
+ int ret = -1;
+ int i;
+
+ if (c->display_usage) {
+ d_printf( "%s\n"
+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n"
+ " %s\n",
+ _("Usage:"),
+ _("Save the Kerberos PAC"));
+ return -1;
+ }
+
+ for (i=0; i<argc; i++) {
+ if (strnequal(argv[i], "filename", strlen("filename"))) {
+ filename = get_string_param(argv[i]);
+ if (filename == NULL) {
+ return -1;
+ }
+ }
+ }
+
+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr);
+ if (ret) {
+ return ret;
+ }
+
+ if (filename == NULL) {
+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n"));
+ return -1;
+ }
+
+ /* save the raw format */
+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) {
+ d_printf(_("failed to save PAC in %s\n"), filename);
+ return -1;
+ }
+
+ return 0;
+}
+
static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
{
struct functable func[] = {
@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
N_("net ads kerberos pac dump\n"
" Dump a Kerberos PAC to stdout")
},
+ {
+ "save",
+ net_ads_kerberos_pac_save,
+ NET_TRANSPORT_ADS,
+ N_("Save Kerberos PAC"),
+ N_("net ads kerberos pac save\n"
+ " Save a Kerberos PAC in a file")
+ },
{NULL, NULL, 0, NULL, NULL}
};
--
1.8.5.3


@ -1,211 +0,0 @@
From 942dedb71437cd89932a7f39ca73d65c09aa59be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 2 Apr 2014 19:37:34 +0200
Subject: [PATCH] s3-kerberos: make ipv6 support for generated krb5 config
files more robust.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Older MIT Kerberos libraries will add any secondary ipv6 address as
ipv4 address, defining the (default) krb5 port 88 circumvents that.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
---
source3/libads/kerberos.c | 29 +++++++++++++++++++++++++++--
1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 649e568..f3c23ea 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -615,6 +615,31 @@ static void add_sockaddr_unique(struct sockaddr_storage *addrs, int *num_addrs,
*num_addrs += 1;
}
+/* print_canonical_sockaddr prints an ipv6 addr in the form of
+* [ipv6.addr]. This string, when put in a generated krb5.conf file is not
+* always properly dealt with by some older krb5 libraries. Adding the hard-coded
+* portnumber workarounds the issue. - gd */
+
+static char *print_canonical_sockaddr_with_port(TALLOC_CTX *mem_ctx,
+ const struct sockaddr_storage *pss)
+{
+ char *str = NULL;
+
+ str = print_canonical_sockaddr(mem_ctx, pss);
+ if (str == NULL) {
+ return NULL;
+ }
+
+ if (pss->ss_family != AF_INET6) {
+ return str;
+ }
+
+#if defined(HAVE_IPV6)
+ str = talloc_asprintf_append(str, ":88");
+#endif
+ return str;
+}
+
static char *get_kdc_ip_string(char *mem_ctx,
const char *realm,
const char *sitename,
@@ -634,7 +659,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
struct netlogon_samlogon_response **responses = NULL;
NTSTATUS status;
char *kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n", "",
- print_canonical_sockaddr(mem_ctx, pss));
+ print_canonical_sockaddr_with_port(mem_ctx, pss));
if (kdc_str == NULL) {
TALLOC_FREE(frame);
@@ -726,7 +751,7 @@ static char *get_kdc_ip_string(char *mem_ctx,
/* Append to the string - inefficient but not done often. */
new_kdc_str = talloc_asprintf(mem_ctx, "%s\tkdc = %s\n",
kdc_str,
- print_canonical_sockaddr(mem_ctx, &dc_addrs[i]));
+ print_canonical_sockaddr_with_port(mem_ctx, &dc_addrs[i]));
if (new_kdc_str == NULL) {
goto fail;
}
--
1.9.0
From 60db71015f84dd242be889576d85ccd5c6a1f73b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 16 Apr 2014 16:07:14 +0200
Subject: [PATCH] s3-libads: allow ads_try_connect() to re-use a resolved ip
address.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pass down a struct sockaddr_storage to ads_try_connect.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Apr 17 19:56:16 CEST 2014 on sn-devel-104
---
source3/libads/ldap.c | 44 ++++++++++++++++++++++++++------------------
1 file changed, 26 insertions(+), 18 deletions(-)
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index d9bb8e2..8fed8fd 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -228,33 +228,27 @@ bool ads_closest_dc(ADS_STRUCT *ads)
try a connection to a given ldap server, returning True and setting the servers IP
in the ads struct if successful
*/
-static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
+static bool ads_try_connect(ADS_STRUCT *ads, bool gc,
+ struct sockaddr_storage *ss)
{
struct NETLOGON_SAM_LOGON_RESPONSE_EX cldap_reply;
TALLOC_CTX *frame = talloc_stackframe();
bool ret = false;
- struct sockaddr_storage ss;
char addr[INET6_ADDRSTRLEN];
- if (!server || !*server) {
+ if (ss == NULL) {
TALLOC_FREE(frame);
return False;
}
- if (!resolve_name(server, &ss, 0x20, true)) {
- DEBUG(5,("ads_try_connect: unable to resolve name %s\n",
- server ));
- TALLOC_FREE(frame);
- return false;
- }
- print_sockaddr(addr, sizeof(addr), &ss);
+ print_sockaddr(addr, sizeof(addr), ss);
DEBUG(5,("ads_try_connect: sending CLDAP request to %s (realm: %s)\n",
addr, ads->server.realm));
ZERO_STRUCT( cldap_reply );
- if ( !ads_cldap_netlogon_5(frame, &ss, ads->server.realm, &cldap_reply ) ) {
+ if ( !ads_cldap_netlogon_5(frame, ss, ads->server.realm, &cldap_reply ) ) {
DEBUG(3,("ads_try_connect: CLDAP request %s failed.\n", addr));
ret = false;
goto out;
@@ -298,7 +292,7 @@ static bool ads_try_connect(ADS_STRUCT *ads, const char *server, bool gc)
ads->server.workgroup = SMB_STRDUP(cldap_reply.domain_name);
ads->ldap.port = gc ? LDAP_GC_PORT : LDAP_PORT;
- ads->ldap.ss = ss;
+ ads->ldap.ss = *ss;
/* Store our site name. */
sitename_store( cldap_reply.domain_name, cldap_reply.client_site);
@@ -330,6 +324,7 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
bool use_own_domain = False;
char *sitename;
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ bool ok = false;
/* if the realm and workgroup are both empty, assume they are ours */
@@ -384,12 +379,14 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
DEBUG(6,("ads_find_dc: (ldap) looking for %s '%s'\n",
(got_realm ? "realm" : "domain"), realm));
- if (get_dc_name(domain, realm, srv_name, &ip_out)) {
+ ok = get_dc_name(domain, realm, srv_name, &ip_out);
+ if (ok) {
/*
* we call ads_try_connect() to fill in the
* ads->config details
*/
- if (ads_try_connect(ads, srv_name, false)) {
+ ok = ads_try_connect(ads, false, &ip_out);
+ if (ok) {
return NT_STATUS_OK;
}
}
@@ -445,7 +442,8 @@ static NTSTATUS ads_find_dc(ADS_STRUCT *ads)
}
}
- if ( ads_try_connect(ads, server, false) ) {
+ ok = ads_try_connect(ads, false, &ip_list[i].ss);
+ if (ok) {
SAFE_FREE(ip_list);
SAFE_FREE(sitename);
return NT_STATUS_OK;
@@ -630,9 +628,19 @@ ADS_STATUS ads_connect(ADS_STRUCT *ads)
TALLOC_FREE(s);
}
- if (ads->server.ldap_server)
- {
- if (ads_try_connect(ads, ads->server.ldap_server, ads->server.gc)) {
+ if (ads->server.ldap_server) {
+ bool ok = false;
+ struct sockaddr_storage ss;
+
+ ok = resolve_name(ads->server.ldap_server, &ss, 0x20, true);
+ if (!ok) {
+ DEBUG(5,("ads_connect: unable to resolve name %s\n",
+ ads->server.ldap_server));
+ status = ADS_ERROR_NT(NT_STATUS_NOT_FOUND);
+ goto out;
+ }
+ ok = ads_try_connect(ads, ads->server.gc, &ss);
+ if (ok) {
goto got_connection;
}
--
1.9.0


@ -1,97 +0,0 @@
From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Sep 2014 18:02:30 +0200
Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
---
lib/util/become_daemon.c | 11 +++++++++++
lib/util/samba_util.h | 6 ++++++
2 files changed, 17 insertions(+)
diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
index 35c8b32..688bedd 100644
--- a/lib/util/become_daemon.c
+++ b/lib/util/become_daemon.c
@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
#endif
DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
}
+
+_PUBLIC_ void daemon_status(const char *name, const char *msg)
+{
+ if (name == NULL) {
+ name = "Samba";
+ }
+#ifdef HAVE_SYSTEMD
+ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
+#endif
+ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
+}
diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
index e3fe6a6..f4216d8 100644
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
**/
_PUBLIC_ void daemon_ready(const char *daemon);
+/*
+ * Report the daemon status. For example if it is not ready to serve connections
+ * and is waiting for some event to happen.
+ */
+_PUBLIC_ void daemon_status(const char *name, const char *msg);
+
/**
* @brief Get a password from the console.
*
--
2.1.0
From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 16 Sep 2014 18:03:51 +0200
Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
This tells the Administrator what's going on and we should log that IPv6
is not supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
---
source3/nmbd/nmbd_subnetdb.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
index 311a240..6c483af 100644
--- a/source3/nmbd/nmbd_subnetdb.c
+++ b/source3/nmbd/nmbd_subnetdb.c
@@ -247,8 +247,11 @@ bool create_subnets(void)
/* Only count IPv4, non-loopback interfaces. */
if (iface_count_v4_nl() == 0) {
- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
+ daemon_status("nmbd",
+ "No local IPv4 non-loopback interfaces "
+ "available, waiting for interface ...");
+ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
+ "Internet Protocol Version 6 (IPv6).\n"));
}
/* We only count IPv4, non-loopback interfaces here. */
--
2.1.0


@ -1,42 +0,0 @@
From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 19 Sep 2014 13:33:10 +0200
Subject: [PATCH] nsswitch: Skip groups we were not able to map.
If we have configured the idmap_ad backend it is possible that the user
is in a group without a gid set. This will result in (uid_t)-1 as the
gid. We return this invalid gid to NSS which is wrong.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
Signed-off-by: Andreas Schneider <asn@samba.org>
---
nsswitch/winbind_nss_linux.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
index 8d66a74..70ede3e 100644
--- a/nsswitch/winbind_nss_linux.c
+++ b/nsswitch/winbind_nss_linux.c
@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
continue;
}
+ /* Skip groups without a mapping */
+ if (gid_list[i] == (uid_t)-1) {
+ continue;
+ }
+
/* Filled buffer ? If so, resize. */
if (*start == *size) {
--
2.1.0


@ -1,44 +0,0 @@
From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Fri, 22 Aug 2014 09:15:59 -0700
Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
When authenticating users in a trusted domain, the idmap_ad module
always connects to a local DC instead of one in the trusted domain.
Fix this by passing the correct realm to connect to.
Also Comment parameters passed to ads_cached_connection_connect
Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
---
source3/winbindd/winbindd_ads.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 4c26389..e47613e 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
}
}
- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
- password, realm, 0);
+ status = ads_cached_connection_connect(
+ adsp, /* Returns ads struct. */
+ wb_dom->alt_name, /* realm to connect to. */
+ dom_name, /* 'workgroup' name for ads_init */
+ ldap_server, /* DNS name to connect to. */
+ password, /* password for auth realm. */
+ realm, /* realm used for krb5 ticket. */
+ 0); /* renewable ticket time. */
+
SAFE_FREE(realm);
return status;
--
1.7.1


@ -1,35 +0,0 @@
From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 17 Sep 2014 15:17:50 +0200
Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
on NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
Signed-off-by: Andreas Schneider <asn@samba.org>
---
libcli/smb/smb1cli_echo.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
index 4fb7c60..10dff2d 100644
--- a/libcli/smb/smb1cli_echo.c
+++ b/libcli/smb/smb1cli_echo.c
@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
NULL, /* pbytes_offset */
NULL, /* pinbuf */
expected, ARRAY_SIZE(expected));
- TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
return;
--
2.1.0


@ -1,180 +0,0 @@
From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 23 Sep 2014 14:09:41 +0200
Subject: [PATCH] s3-libads: Improve service principle guessing.
If the name passed to the net command with the -S options is the long
hostname of the domaincontroller and not the 15 char NetBIOS name we
should construct a FQDN with the realm to get a Kerberos ticket.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
---
source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
1 file changed, 66 insertions(+), 58 deletions(-)
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 33f4e24..1450ff1 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
char **returned_principal)
{
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
char *princ = NULL;
+ TALLOC_CTX *frame;
+ char *server = NULL;
+ char *realm = NULL;
+ int rc;
- if (ads->server.realm && ads->server.ldap_server) {
- char *server, *server_realm;
-
- server = SMB_STRDUP(ads->server.ldap_server);
- server_realm = SMB_STRDUP(ads->server.realm);
-
- if (!server || !server_realm) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
+ frame = talloc_stackframe();
+ if (frame == NULL) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
- if (!strlower_m(server)) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ if (ads->server.realm && ads->server.ldap_server) {
+ server = strlower_talloc(frame, ads->server.ldap_server);
+ if (server == NULL) {
+ goto out;
}
- if (!strupper_m(server_realm)) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ realm = strupper_talloc(frame, ads->server.realm);
+ if (realm == NULL) {
+ goto out;
}
- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
+ /*
+ * If we got a name which is bigger than a NetBIOS name,
+ * but isn't a FQDN, create one.
+ */
+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
+ char *dnsdomain;
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
+ dnsdomain = strlower_talloc(frame, ads->server.realm);
+ if (dnsdomain == NULL) {
+ goto out;
+ }
- if (!princ) {
- return ADS_ERROR(LDAP_NO_MEMORY);
+ server = talloc_asprintf(frame,
+ "%s.%s",
+ server, dnsdomain);
+ if (server == NULL) {
+ goto out;
+ }
}
} else if (ads->config.realm && ads->config.ldap_server_name) {
- char *server, *server_realm;
-
- server = SMB_STRDUP(ads->config.ldap_server_name);
- server_realm = SMB_STRDUP(ads->config.realm);
-
- if (!server || !server_realm) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ server = strlower_talloc(frame, ads->config.ldap_server_name);
+ if (server == NULL) {
+ goto out;
}
- if (!strlower_m(server)) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
+ realm = strupper_talloc(frame, ads->config.realm);
+ if (realm == NULL) {
+ goto out;
}
- if (!strupper_m(server_realm)) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
+ /*
+ * If we got a name which is bigger than a NetBIOS name,
+ * but isn't a FQDN, create one.
+ */
+ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
+ char *dnsdomain;
- SAFE_FREE(server);
- SAFE_FREE(server_realm);
+ dnsdomain = strlower_talloc(frame, ads->server.realm);
+ if (dnsdomain == NULL) {
+ goto out;
+ }
- if (!princ) {
- return ADS_ERROR(LDAP_NO_MEMORY);
+ server = talloc_asprintf(frame,
+ "%s.%s",
+ server, dnsdomain);
+ if (server == NULL) {
+ goto out;
+ }
}
}
- if (!princ) {
- return ADS_ERROR(LDAP_PARAM_ERROR);
+ if (server == NULL || realm == NULL) {
+ goto out;
+ }
+
+ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
+ if (rc == -1 || princ == NULL) {
+ status = ADS_ERROR(LDAP_PARAM_ERROR);
+ goto out;
}
*returned_principal = princ;
- return ADS_SUCCESS;
+ status = ADS_SUCCESS;
+out:
+ TALLOC_FREE(frame);
+ return status;
}
static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
--
2.1.0


@ -1,329 +0,0 @@
From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Sep 2014 09:22:03 +0200
Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
computer account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
---
source3/libads/ads_proto.h | 6 +++++
source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 66 insertions(+)
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 17a84d1..6a22807 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
const char *name, const char **vals);
uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns);
ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
const char *my_fqdn, const char *spn);
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index fb99132..51a0883 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
}
/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
+ *
+ * @param[in] ads The ADS context to use.
+ *
+ * @param[in] machine_name The NetBIOS name of the computer, which is used to
+ * identify the computer account.
+ *
+ * @param[in] spn_array A pointer to store the array for SPNs.
+ *
+ * @param[in] num_spns The number of principals stored in the array.
+ *
+ * @return 0 on success, or a ADS error if a failure occured.
+ */
+ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+ char ***spn_array,
+ size_t *num_spns)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ char *dn;
+ int count;
+
+ status = ads_find_machine_acct(ads,
+ &res,
+ machine_name);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
+ machine_name));
+ return status;
+ }
+
+ count = ads_count_replies(ads, res);
+ if (count != 1) {
+ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ goto done;
+ }
+
+ dn = ads_get_dn(ads, mem_ctx, res);
+ if (dn == NULL) {
+ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ goto done;
+ }
+
+ *spn_array = ads_pull_strings(ads,
+ mem_ctx,
+ res,
+ "servicePrincipalName",
+ num_spns);
+
+done:
+ ads_msgfree(ads, res);
+
+ return status;
+}
+
+/**
* This adds a service principal name to an existing computer account
* (found by hostname) in AD.
* @param ads An initialized ADS_STRUCT
--
2.1.0
From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Sep 2014 09:23:58 +0200
Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
---
source3/libads/ads_proto.h | 2 ++
source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
index 6a22807..1e34247 100644
--- a/source3/libads/ads_proto.h
+++ b/source3/libads/ads_proto.h
@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
+
ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
ADS_STRUCT *ads,
const char *machine_name,
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index 51a0883..8d104c2 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
}
/**
+ * @brief Search for an element in a string array.
+ *
+ * @param[in] el_array The string array to search.
+ *
+ * @param[in] num_el The number of elements in the string array.
+ *
+ * @param[in] el The string to search.
+ *
+ * @return True if found, false if not.
+ */
+bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
+{
+ size_t i;
+
+ if (el_array == NULL || num_el == 0 || el == NULL) {
+ return false;
+ }
+
+ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
+ int cmp;
+
+ cmp = strcasecmp_m(el_array[i], el);
+ if (cmp == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/**
* @brief This gets the service principal names of an existing computer account.
*
* @param[in] mem_ctx The memory context to use to allocate the spn array.
--
2.1.0
From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 26 Sep 2014 03:09:08 +0200
Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
---
source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 1418385..3611cc7 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
return status;
}
+static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r,
+ char ***spn_array,
+ size_t *num_spns)
+{
+ ADS_STATUS status;
+
+ if (r->in.machine_name == NULL) {
+ return ADS_ERROR_SYSTEM(EINVAL);
+ }
+
+ status = ads_get_service_principal_names(mem_ctx,
+ r->in.ads,
+ r->in.machine_name,
+ spn_array,
+ num_spns);
+
+ return status;
+}
+
/****************************************************************
Set a machines dNSHostName and servicePrincipalName attributes
****************************************************************/
--
2.1.0
From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 26 Sep 2014 03:35:43 +0200
Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
---
source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 3611cc7..aa7b5cb 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
ADS_STATUS status;
ADS_MODLIST mods;
fstring my_fqdn;
- const char *spn_array[3] = {NULL, NULL, NULL};
+ const char **spn_array = NULL;
+ size_t num_spns = 0;
char *spn = NULL;
+ bool ok;
/* Find our DN */
@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
return status;
}
+ status = libnet_join_get_machine_spns(mem_ctx,
+ r,
+ discard_const_p(char **, &spn_array),
+ &num_spns);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
+ }
+
/* Windows only creates HOST/shortname & HOST/fqdn. */
spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
if (!strupper_m(spn)) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- spn_array[0] = spn;
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+ ok = add_string_to_array(spn_array, spn,
+ &spn_array, (int *)&num_spns);
+ if (!ok) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ }
if (!name_to_fqdn(my_fqdn, r->in.machine_name)
|| (strchr(my_fqdn, '.') == NULL)) {
@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
if (!spn) {
return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
- spn_array[1] = spn;
+
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+ ok = add_string_to_array(spn_array, spn,
+ &spn_array, (int *)&num_spns);
+ if (!ok) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+ }
+ }
+
+ /* make sure to NULL terminate the array */
+ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
+ if (spn_array == NULL) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
}
+ spn_array[num_spns] = NULL;
mods = ads_init_mods(mem_ctx);
if (!mods) {
--
2.1.0


@ -1,159 +0,0 @@
From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 24 Sep 2014 10:51:33 +0200
Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
This adds all SPNs defined in the DC for the computer account to the
keytab using 'net ads keytab create -P'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
---
source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
1 file changed, 52 insertions(+), 22 deletions(-)
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 83df088..d13625b 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
krb5_kt_cursor cursor;
krb5_keytab_entry kt_entry;
krb5_kvno kvno;
- int i, found = 0;
+ size_t found = 0;
char *sam_account_name, *upn;
char **oldEntries = NULL, *princ_s[26];
- TALLOC_CTX *tmpctx = NULL;
+ TALLOC_CTX *frame;
char *machine_name;
+ char **spn_array;
+ size_t num_spns;
+ size_t i;
+ ADS_STATUS status;
- /* these are the main ones we need */
- ret = ads_keytab_add_entry(ads, "host");
- if (ret != 0) {
- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
- "adding 'host' principal.\n"));
- return ret;
+ frame = talloc_stackframe();
+ if (frame == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ status = ads_get_service_principal_names(frame,
+ ads,
+ lp_netbios_name(),
+ &spn_array,
+ &num_spns);
+ if (!ADS_ERR_OK(status)) {
+ ret = -1;
+ goto done;
}
+ for (i = 0; i < num_spns; i++) {
+ char *srv_princ;
+ char *p;
+
+ srv_princ = strlower_talloc(frame, spn_array[i]);
+ if (srv_princ == NULL) {
+ ret = -1;
+ goto done;
+ }
+
+ p = strchr_m(srv_princ, '/');
+ if (p == NULL) {
+ continue;
+ }
+ p[0] = '\0';
+
+ /* Add the SPNs found on the DC */
+ ret = ads_keytab_add_entry(ads, srv_princ);
+ if (ret != 0) {
+ DEBUG(1, ("ads_keytab_add_entry failed while "
+ "adding '%s' principal.\n",
+ spn_array[i]));
+ goto done;
+ }
+ }
#if 0 /* don't create the CIFS/... keytab entries since no one except smbd
really needs them and we will fall back to verifying against
@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
if (ret) {
DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
error_message(ret)));
- return ret;
- }
-
- tmpctx = talloc_init(__location__);
- if (!tmpctx) {
- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
- ret = -1;
goto done;
}
- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
+ machine_name = talloc_strdup(frame, lp_netbios_name());
if (!machine_name) {
ret = -1;
goto done;
}
/* now add the userPrincipalName and sAMAccountName entries */
- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
+ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
if (!sam_account_name) {
DEBUG(0, (__location__ ": unable to determine machine "
"account's name in AD!\n"));
@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
}
/* remember that not every machine account will have a upn */
- upn = ads_get_upn(ads, tmpctx, machine_name);
+ upn = ads_get_upn(ads, frame, machine_name);
if (upn) {
ret = ads_keytab_add_entry(ads, upn);
if (ret != 0) {
@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
/* Now loop through the keytab and update any other existing entries */
kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
- if (kvno == -1) {
+ if (kvno == (krb5_kvno)-1) {
DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
"determine the system's kvno.\n"));
goto done;
@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
* have a race condition where someone else could add entries after
* we've counted them. Re-open asap to minimise the race. JRA.
*/
- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
+ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
if (!found) {
goto done;
}
- oldEntries = talloc_array(tmpctx, char *, found);
+ oldEntries = talloc_array(frame, char *, found);
if (!oldEntries) {
DEBUG(1, (__location__ ": Failed to allocate space to store "
"the old keytab entries (talloc failed?).\n"));
@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
done:
TALLOC_FREE(oldEntries);
- TALLOC_FREE(tmpctx);
+ TALLOC_FREE(frame);
{
krb5_keytab_entry zero_kt_entry;
--
2.1.0


@ -1,988 +0,0 @@
From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 24 Sep 2014 22:16:20 +0200
Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 308 insertions(+)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8b8e719..5f18bf4 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
return net_run_function(c, argc, argv, "net ads kerberos", func);
}
+static int net_ads_enctype_lookup_account(struct net_context *c,
+ ADS_STRUCT *ads,
+ const char *account,
+ LDAPMessage **res,
+ const char **enctype_str)
+{
+ const char *filter;
+ const char *attrs[] = {
+ "msDS-SupportedEncryptionTypes",
+ NULL
+ };
+ int count;
+ int ret = -1;
+ ADS_STATUS status;
+
+ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
+ account);
+ if (filter == NULL) {
+ goto done;
+ }
+
+ status = ads_search(ads, res, filter, attrs);
+ if (!ADS_ERR_OK(status)) {
+ d_printf(_("no account found with filter: %s\n"), filter);
+ goto done;
+ }
+
+ count = ads_count_replies(ads, *res);
+ switch (count) {
+ case 1:
+ break;
+ case 0:
+ d_printf(_("no account found with filter: %s\n"), filter);
+ goto done;
+ default:
+ d_printf(_("multiple accounts found with filter: %s\n"), filter);
+ goto done;
+ }
+
+ if (enctype_str) {
+ *enctype_str = ads_pull_string(ads, c, *res,
+ "msDS-SupportedEncryptionTypes");
+ if (*enctype_str == NULL) {
+ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
+ goto done;
+ }
+ }
+
+ ret = 0;
+ done:
+ return ret;
+}
+
+static void net_ads_enctype_dump_enctypes(const char *username,
+ const char *enctype_str)
+{
+ int enctypes;
+
+ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
+
+ enctypes = atoi(enctype_str);
+
+ printf("[%s] 0x%08x DES-CBC-CRC\n",
+ enctypes & ENC_CRC32 ? "X" : " ",
+ ENC_CRC32);
+ printf("[%s] 0x%08x DES-CBC-MD5\n",
+ enctypes & ENC_RSA_MD5 ? "X" : " ",
+ ENC_RSA_MD5);
+ printf("[%s] 0x%08x RC4-HMAC\n",
+ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
+ ENC_RC4_HMAC_MD5);
+ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
+ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
+ ENC_HMAC_SHA1_96_AES128);
+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
+ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
+ ENC_HMAC_SHA1_96_AES256);
+}
+
+static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
+{
+ int ret = -1;
+ ADS_STATUS status;
+ ADS_STRUCT *ads = NULL;
+ LDAPMessage *res = NULL;
+ const char *str = NULL;
+
+ if (c->display_usage || (argc < 1)) {
+ d_printf( "%s\n"
+ "net ads enctypes list\n"
+ " %s\n",
+ _("Usage:"),
+ _("List supported enctypes"));
+ return 0;
+ }
+
+ status = ads_startup(c, false, &ads);
+ if (!ADS_ERR_OK(status)) {
+ printf("startup failed\n");
+ return ret;
+ }
+
+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
+ if (ret) {
+ goto done;
+ }
+
+ net_ads_enctype_dump_enctypes(argv[0], str);
+
+ ret = 0;
+ done:
+ ads_msgfree(ads, res);
+ ads_destroy(&ads);
+
+ return ret;
+}
+
+static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
+{
+ int ret = -1;
+ ADS_STATUS status;
+ ADS_STRUCT *ads;
+ LDAPMessage *res = NULL;
+ const char *etype_list_str;
+ const char *dn;
+ ADS_MODLIST mods;
+ uint32_t etype_list;
+ const char *str;
+
+ if (c->display_usage || argc < 1) {
+ d_printf( "%s\n"
+ "net ads enctypes set <sAMAccountName> [enctypes]\n"
+ " %s\n",
+ _("Usage:"),
+ _("Set supported enctypes"));
+ return 0;
+ }
+
+ status = ads_startup(c, false, &ads);
+ if (!ADS_ERR_OK(status)) {
+ printf("startup failed\n");
+ return ret;
+ }
+
+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
+ if (ret) {
+ goto done;
+ }
+
+ dn = ads_get_dn(ads, c, res);
+ if (dn == NULL) {
+ goto done;
+ }
+
+ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ etype_list |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ etype_list |= ENC_HMAC_SHA1_96_AES256;
+#endif
+
+ if (argv[1] != NULL) {
+ sscanf(argv[1], "%i", &etype_list);
+ }
+
+ etype_list_str = talloc_asprintf(c, "%d", etype_list);
+ if (!etype_list_str) {
+ goto done;
+ }
+
+ mods = ads_init_mods(c);
+ if (!mods) {
+ goto done;
+ }
+
+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
+ etype_list_str);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ status = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(status)) {
+ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
+ ads_errstr(status));
+ goto done;
+ }
+
+ ads_msgfree(ads, res);
+
+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
+ if (ret) {
+ goto done;
+ }
+
+ net_ads_enctype_dump_enctypes(argv[0], str);
+
+ ret = 0;
+ done:
+ ads_msgfree(ads, res);
+ ads_destroy(&ads);
+
+ return ret;
+}
+
+static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
+{
+ int ret = -1;
+ ADS_STATUS status;
+ ADS_STRUCT *ads;
+ LDAPMessage *res = NULL;
+ const char *dn;
+ ADS_MODLIST mods;
+
+ if (c->display_usage || argc < 1) {
+ d_printf( "%s\n"
+ "net ads enctypes delete <sAMAccountName>\n"
+ " %s\n",
+ _("Usage:"),
+ _("Delete supported enctypes"));
+ return 0;
+ }
+
+ status = ads_startup(c, false, &ads);
+ if (!ADS_ERR_OK(status)) {
+ printf("startup failed\n");
+ return ret;
+ }
+
+ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
+ if (ret) {
+ goto done;
+ }
+
+ dn = ads_get_dn(ads, c, res);
+ if (dn == NULL) {
+ goto done;
+ }
+
+ mods = ads_init_mods(c);
+ if (!mods) {
+ goto done;
+ }
+
+ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+
+ status = ads_gen_mod(ads, dn, mods);
+ if (!ADS_ERR_OK(status)) {
+ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
+ ads_errstr(status));
+ goto done;
+ }
+
+ ret = 0;
+
+ done:
+ ads_msgfree(ads, res);
+ ads_destroy(&ads);
+ return ret;
+}
+
+static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
+{
+ struct functable func[] = {
+ {
+ "list",
+ net_ads_enctypes_list,
+ NET_TRANSPORT_ADS,
+ N_("List the supported encryption types"),
+ N_("net ads enctypes list\n"
+ " List the supported encryption types")
+ },
+ {
+ "set",
+ net_ads_enctypes_set,
+ NET_TRANSPORT_ADS,
+ N_("Set the supported encryption types"),
+ N_("net ads enctypes set\n"
+ " Set the supported encryption types")
+ },
+ {
+ "delete",
+ net_ads_enctypes_delete,
+ NET_TRANSPORT_ADS,
+ N_("Delete the supported encryption types"),
+ N_("net ads enctypes delete\n"
+ " Delete the supported encryption types")
+ },
+
+ {NULL, NULL, 0, NULL, NULL}
+ };
+
+ return net_run_function(c, argc, argv, "net ads enctypes", func);
+}
+
+
int net_ads(struct net_context *c, int argc, const char **argv)
{
struct functable func[] = {
@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
N_("net ads kerberos\n"
" Manage kerberos keytab")
},
+ {
+ "enctypes",
+ net_ads_enctypes,
+ NET_TRANSPORT_ADS,
+ N_("List/modify supported encryption types"),
+ N_("net ads enctypes\n"
+ " List/modify enctypes")
+ },
{NULL, NULL, 0, NULL, NULL}
};
--
1.9.3
From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 24 Sep 2014 23:36:19 +0200
Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index f39b420..9e982e3 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1339,6 +1339,59 @@ to show in the result.
</refsect2>
<refsect2>
+ <title>ADS ENCTYPES</title>
+
+<para>
+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
+</para>
+
+<para>
+ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
+</para>
+
+<para>0x00000001 DES-CBC-CRC</para>
+<para>0x00000002 DES-CBC-MD5</para>
+<para>0x00000004 RC4-HMAC</para>
+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES LIST <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
+
+<para>
+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
+</para>
+
+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES SET <replaceable>&lt;ACCOUNTNAME&gt;</replaceable> <replaceable>[enctypes]</replaceable></title>
+
+<para>
+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES DELETE <replaceable>&lt;ACCOUNTNAME&gt;</replaceable></title>
+
+<para>
+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+
+<refsect2>
<title>SAM CREATEBUILTINGROUP &lt;NAME&gt;</title>
<para>
--
1.9.3
From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 23 Nov 2012 12:34:27 +0100
Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
AD >= 2008.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 381a59c..e70e11a 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
/****************************************************************
****************************************************************/
+static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+{
+ ADS_STATUS status;
+ ADS_MODLIST mods;
+ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ const char *etype_list_str;
+
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ etype_list |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ etype_list |= ENC_HMAC_SHA1_96_AES256;
+#endif
+
+ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
+ if (!etype_list_str) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ /* Find our DN */
+
+ status = libnet_join_find_machine_acct(mem_ctx, r);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ /* now do the mods */
+
+ mods = ads_init_mods(mem_ctx);
+ if (!mods) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
+ etype_list_str);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ return ads_gen_mod(r->in.ads, r->out.dn, mods);
+}
+
+/****************************************************************
+****************************************************************/
+
static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
struct libnet_JoinCtx *r)
{
ADS_STATUS status;
+ uint32_t func_level = 0;
if (!r->in.ads) {
status = libnet_join_connect_ads(mem_ctx, r);
@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
return status;
}
+ status = ads_domain_func_level(r->in.ads, &func_level);
+ if (!ADS_ERR_OK(status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to query domain controller functional level: %s",
+ ads_errstr(status));
+ return status;
+ }
+
+ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
+ status = libnet_join_set_etypes(mem_ctx, r);
+ if (!ADS_ERR_OK(status)) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "failed to set machine kerberos encryption types: %s",
+ ads_errstr(status));
+ return status;
+ }
+ }
+
if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
}
--
1.9.3
From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 26 Sep 2014 21:06:38 +0200
Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
hostname is lowercase.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Found at MS interop event while working on AES kerberos key support.
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source4/auth/kerberos/srv_keytab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
index d81e27d..3baba14 100644
--- a/source4/auth/kerberos/srv_keytab.c
+++ b/source4/auth/kerberos/srv_keytab.c
@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
return ENOMEM;
}
- machine_username = talloc_strdup(tmp_ctx, samAccountName);
+ machine_username = strlower_talloc(tmp_ctx, samAccountName);
if (!machine_username) {
*error_string = "Cannot duplicate samAccountName";
talloc_free(tmp_ctx);
--
1.9.3
From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 22:49:29 -0700
Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
arguments of copy_netr_SamInfo3() and make_server_info_info3()
Both functions only read from the struct netr_SamInfo3 * argument.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
Conflicts:
source3/auth/proto.h
source3/auth/server_info.c
---
source3/auth/auth_util.c | 2 +-
source3/auth/proto.h | 4 ++--
source3/auth/server_info.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ceaa706..afa78ec 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
- struct netr_SamInfo3 *info3)
+ const struct netr_SamInfo3 *info3)
{
static const char zeros[16] = {0, };
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 76661fc..6ec206e 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
const char *domain,
struct auth_serversupplied_info **server_info,
- struct netr_SamInfo3 *info3);
+ const struct netr_SamInfo3 *info3);
struct wbcAuthUserInfo;
NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
const char *sent_nt_username,
@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
const struct passwd *pwd,
struct netr_SamInfo3 **pinfo3);
struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *orig);
+ const struct netr_SamInfo3 *orig);
struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
const struct wbcAuthUserInfo *info);
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index d2b7d6e..066b9a8 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
} } while(0)
struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *orig)
+ const struct netr_SamInfo3 *orig)
{
struct netr_SamInfo3 *info3;
unsigned int i;
--
1.9.3
From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 22:54:45 -0700
Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
make_server_info_info3() only reads from the info3 pointer.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source3/auth/auth_generic.c | 2 +-
source3/auth/proto.h | 2 +-
source3/auth/user_krb5.c | 8 ++++----
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index a2ba4e3..2880bc9 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
status = make_session_info_krb5(mem_ctx,
ntuser, ntdomain, username, pw,
- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 6ec206e..75d1097 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntdomain,
char *username,
struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info);
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 974a8aa..0a538b4 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntdomain,
char *username,
struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
return status;
}
- } else if (logon_info) {
+ } else if (info3) {
/* pass the unmapped username here since map_username()
will be called again in make_server_info_info3() */
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
&server_info,
- &logon_info->info3);
+ info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
nt_errstr(status)));
@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntdomain,
char *username,
struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_session_info **session_info)
--
1.9.3
From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 23:11:58 -0700
Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
create a new info3 and merge resource group SIDs into it.
Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source3/auth/proto.h | 3 ++
source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 75d1097..cc51698 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
struct netr_SamInfo3 *sam3);
NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 **pp_info3);
NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
struct samu *samu,
const char *login_server,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 066b9a8..dc84794 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
return NT_STATUS_OK;
}
+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 *info3)
+{
+ uint32_t i = 0;
+
+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * If there are any resource groups (SID Compression) add
+ * them to the extra sids portion of the info3 in the PAC.
+ *
+ * This makes the info3 look like it would if we got the info
+ * from the DC rather than the PAC.
+ */
+
+ /*
+ * Construct a SID for each RID in the list and then append it
+ * to the info3.
+ */
+ for (i = 0; i < logon_info->res_groups.count; i++) {
+ NTSTATUS status;
+ struct dom_sid new_sid;
+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+ sid_compose(&new_sid,
+ logon_info->res_group_dom_sid,
+ logon_info->res_groups.rids[i].rid);
+
+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
+ sid_string_dbg(&new_sid)));
+
+ status = append_netr_SidAttr(info3, &info3->sids,
+ &info3->sidcount,
+ &new_sid,
+ attributes);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+ sid_string_dbg(&new_sid),
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 **pp_info3)
+{
+ NTSTATUS status;
+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+ &logon_info->info3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ status = merge_resource_sids(logon_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+ *pp_info3 = info3;
+ return NT_STATUS_OK;
+}
+
#define RET_NOMEM(ptr) do { \
if (!ptr) { \
TALLOC_FREE(info3); \
--
1.9.3
From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 23:15:21 -0700
Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
a copy of the info3 struct from the struct PAC_LOGON_INFO.
Call create_info3_from_pac_logon_info() to add in any resource SIDs
from the struct PAC_LOGON_INFO to the info3.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source3/auth/auth_generic.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 2880bc9..f841f0c 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
{
TALLOC_CTX *tmp_ctx;
struct PAC_LOGON_INFO *logon_info = NULL;
+ struct netr_SamInfo3 *info3_copy = NULL;
bool is_mapped;
bool is_guest;
char *ntuser;
@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
/* save the PAC data if we have it */
if (logon_info) {
- netsamlogon_cache_store(ntuser, &logon_info->info3);
+ status = create_info3_from_pac_logon_info(tmp_ctx,
+ logon_info,
+ &info3_copy);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+ netsamlogon_cache_store(ntuser, info3_copy);
}
/* setup the string used by %U */
@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
status = make_session_info_krb5(mem_ctx,
ntuser, ntdomain, username, pw,
- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
--
1.9.3
From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 23:27:35 -0700
Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
new info3 and merge in resource groups from a trusted PAC.
Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
---
source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c356686..0f1ca28 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
struct winbindd_request *req = state->request;
DATA_BLOB pac_blob;
struct PAC_LOGON_INFO *logon_info = NULL;
+ struct netr_SamInfo3 *info3_copy = NULL;
NTSTATUS result;
pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
if (logon_info) {
/* Signature verification succeeded, trust the PAC */
- netsamlogon_cache_store(NULL, &logon_info->info3);
+ result = create_info3_from_pac_logon_info(state->mem_ctx,
+ logon_info,
+ &info3_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+ netsamlogon_cache_store(NULL, info3_copy);
} else {
/* Try without signature verification */
@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
nt_errstr(result)));
return result;
}
+ if (logon_info) {
+ /*
+ * Don't strictly need to copy here,
+ * but it makes it explicit we're
+ * returning a copy talloc'ed off
+ * the state->mem_ctx.
+ */
+ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
+ &logon_info->info3);
+ if (info3_copy == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
}
- *info3 = &logon_info->info3;
+ *info3 = info3_copy;
return NT_STATUS_OK;
}
--
1.9.3


@ -1,51 +0,0 @@
From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 29 Sep 2014 17:16:15 +0200
Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
and DNS update.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner <gd@samba.org>
---
source3/utils/net_ads.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index e96377f..efbc3d2 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
* If the dns update fails, we still consider the join
* operation as succeeded if we came this far.
*/
+
+ if (r->out.dns_domain_name != NULL) {
+
+ /* Avoid potential libkrb5 issues finding a good KDC when we
+ * already found one during the join. When the locator plugin is
+ * installed (but winbind is not yet running) make sure we can
+ * force libkrb5 to reuse that KDC. - gd */
+
+ char *env;
+
+ env = talloc_asprintf_strupper_m(r,
+ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
+ r->out.dns_domain_name);
+ if (env == NULL) {
+ return -1;
+ }
+
+ setenv(env, r->in.ads->auth.kdc_server, 0);
+ setenv("_NO_WINBINDD", "1", 0);
+ }
+
_net_ads_join_dns_updates(c, ctx, r);
TALLOC_FREE(r);
--
1.9.3


@ -1,154 +0,0 @@
From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 28 Oct 2014 11:55:30 -0700
Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
Try and cope with truncation more intelligently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
1 file changed, 68 insertions(+), 8 deletions(-)
diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
index 71c4751..8b078e6 100644
--- a/source3/nmbd/nmbd_nameregister.c
+++ b/source3/nmbd/nmbd_nameregister.c
@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
{
struct nmb_name nmbname;
nstring nname;
+ size_t converted_size;
errno = 0;
- push_ascii_nstring(nname, name);
- if (errno == E2BIG) {
- unstring tname;
- pull_ascii_nstring(tname, sizeof(tname), nname);
- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
- name, tname));
- make_nmb_name(&nmbname, tname, type);
- } else {
+ converted_size = push_ascii_nstring(nname, name);
+ if (converted_size != (size_t)-1) {
+ /* Success. */
make_nmb_name(&nmbname, name, type);
+ } else if (errno == E2BIG) {
+ /*
+ * Name converted to CH_DOS is too large.
+ * try to truncate.
+ */
+ char *converted_str_dos = NULL;
+ char *converted_str_unix = NULL;
+ bool ok;
+
+ converted_size = 0;
+
+ ok = convert_string_talloc(talloc_tos(),
+ CH_UNIX,
+ CH_DOS,
+ name,
+ strlen(name)+1,
+ &converted_str_dos,
+ &converted_size);
+ if (!ok) {
+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
+ "converted. Failing to register name.\n",
+ name));
+ return;
+ }
+
+ /*
+ * As it's now CH_DOS codepage
+ * we truncate by writing '\0' at
+ * MAX_NETBIOSNAME_LEN-1 and then
+ * convert back to CH_UNIX which we
+ * need for the make_nmb_name() call.
+ */
+ if (converted_size >= MAX_NETBIOSNAME_LEN) {
+ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
+ }
+
+ ok = convert_string_talloc(talloc_tos(),
+ CH_DOS,
+ CH_UNIX,
+ converted_str_dos,
+ strlen(converted_str_dos)+1,
+ &converted_str_unix,
+ &converted_size);
+ if (!ok) {
+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
+ "converted back to CH_UNIX. "
+ "Failing to register name.\n",
+ converted_str_dos));
+ TALLOC_FREE(converted_str_dos);
+ return;
+ }
+
+ make_nmb_name(&nmbname, converted_str_unix, type);
+
+ TALLOC_FREE(converted_str_dos);
+ TALLOC_FREE(converted_str_unix);
+ } else {
+ /*
+ * Generic conversion error. Fail to register.
+ */
+ DEBUG(0,("register_name: NetBIOS name %s cannot be "
+ "converted (%s). Failing to register name.\n",
+ name, strerror(errno)));
+ return;
}
/* Always set the NB_ACTIVE flag on the name we are
--
2.1.2
From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 31 Oct 2014 11:01:26 -0700
Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
charset, but this is so old we have to live with that.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/lib/util_names.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
index cf54a0e..1392b48 100644
--- a/source3/lib/util_names.c
+++ b/source3/lib/util_names.c
@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
{
SAFE_FREE(smb_my_netbios_names[i]);
- smb_my_netbios_names[i] = SMB_STRDUP(name);
+ /*
+ * Don't include space for terminating '\0' in strndup,
+ * it is automatically added. This screws up if the name
+ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
+ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
+ * in the DOS charset, but this is so old we have to live
+ * with that.
+ */
+ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
if (!smb_my_netbios_names[i])
return False;
return strupper_m(smb_my_netbios_names[i]);
--
2.1.2


@ -1,52 +0,0 @@
Don't check xsltproc manpages
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
diff -Nurp samba-4.1.12.orig/lib/ldb/wscript samba-4.1.12/lib/ldb/wscript
--- samba-4.1.12.orig/lib/ldb/wscript 2014-07-28 16:13:45.000000000 +0900
+++ samba-4.1.12/lib/ldb/wscript 2015-04-23 17:08:45.277000225 +0900
@@ -56,7 +56,7 @@ def configure(conf):
conf.define('USING_SYSTEM_PYLDB_UTIL', 1)
if conf.env.standalone_ldb:
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
# we need this for the ldap backend
if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
diff -Nurp samba-4.1.12.orig/lib/ntdb/wscript samba-4.1.12/lib/ntdb/wscript
--- samba-4.1.12.orig/lib/ntdb/wscript 2013-12-05 18:16:48.000000000 +0900
+++ samba-4.1.12/lib/ntdb/wscript 2015-04-23 17:09:17.680000274 +0900
@@ -121,7 +121,7 @@ def configure(conf):
Logs.warn('Disabling pyntdb as python devel libs not found')
conf.env.disable_python = True
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
# This make #include <ccan/...> work.
conf.ADD_EXTRA_INCLUDES('''#lib''')
diff -Nurp samba-4.1.12.orig/lib/talloc/wscript samba-4.1.12/lib/talloc/wscript
--- samba-4.1.12.orig/lib/talloc/wscript 2013-12-05 18:16:48.000000000 +0900
+++ samba-4.1.12/lib/talloc/wscript 2015-04-23 17:08:21.781000339 +0900
@@ -55,7 +55,7 @@ def configure(conf):
if conf.env.standalone_talloc:
conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
if not conf.env.disable_python:
# also disable if we don't have the python libs installed
diff -Nurp samba-4.1.12.orig/lib/tdb/wscript samba-4.1.12/lib/tdb/wscript
--- samba-4.1.12.orig/lib/tdb/wscript 2013-12-05 18:16:48.000000000 +0900
+++ samba-4.1.12/lib/tdb/wscript 2015-04-23 17:09:02.538000343 +0900
@@ -43,7 +43,7 @@ def configure(conf):
conf.env.disable_python = getattr(Options.options, 'disable_python', False)
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
if not conf.env.disable_python:
# also disable if we don't have the python libs installed


@ -1,22 +0,0 @@
samba: execute prog on target directly is impossible.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
diff -Nurp samba-4.1.12.orig/lib/ccan/wscript samba-4.1.12/lib/ccan/wscript
--- samba-4.1.12.orig/lib/ccan/wscript 2013-06-13 18:21:02.000000000 +0900
+++ samba-4.1.12/lib/ccan/wscript 2015-04-27 14:26:25.123000238 +0900
@@ -127,10 +127,10 @@ def configure(conf):
# Only check for FILE_OFFSET_BITS=64 if off_t is normally small:
# use raw routines because wrappers include previous _GNU_SOURCE
# or _FILE_OFFSET_BITS defines.
- conf.check(fragment="""#include <sys/types.h>
- int main(void) { return !(sizeof(off_t) < 8); }""",
- execute=True, msg='Checking for small off_t',
- define_name='SMALL_OFF_T')
+ conf.CHECK_CODE("""#include <sys/types.h>
+ int main(void) { return !(sizeof(off_t) < 8); }""",
+ link=True, execute=True, addmain=False, msg='Checking for small off_t',
+ define='HAVE_SMALL_OFF_T')
# Unreliable return value above, hence use define.
if conf.CONFIG_SET('SMALL_OFF_T'):
conf.check(fragment="""#include <sys/types.h>


@ -1,22 +0,0 @@
waf trys to get package's configuration by native ncurses6-config.
it will make native header files and library be used.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
--- samba-4.1.12.orig/source3/wscript_configure_system_ncurses 2013-12-05 18:16:48.000000000 +0900
+++ samba-4.1.12/source3/wscript_configure_system_ncurses 2015-04-29 16:12:22.619000250 +0900
@@ -2,14 +2,6 @@ import Logs, Options, sys
Logs.info("Looking for ncurses features")
-conf.find_program('ncurses5-config', var='NCURSES_CONFIG')
-if not conf.env.NCURSES_CONFIG:
- conf.find_program('ncurses6-config', var='NCURSES_CONFIG')
-
-if conf.env.NCURSES_CONFIG:
- conf.check_cfg(path=conf.env.NCURSES_CONFIG, args="--cflags --libs",
- package="", uselib_store="NCURSES")
-
conf.CHECK_HEADERS('ncurses.h menu.h panel.h form.h', lib='ncurses')
conf.CHECK_FUNCS_IN('initscr', 'ncurses')


@ -1,42 +0,0 @@
systemd-daemon is contained by libsystemd, so we just need link libsystemd to
obtain the implementation of systemd-daemon's function.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
diff -Nurp samba-4.1.12.orig/lib/util/wscript_build samba-4.1.12/lib/util/wscript_build
--- samba-4.1.12.orig/lib/util/wscript_build 2014-09-08 18:26:14.000000000 +0900
+++ samba-4.1.12/lib/util/wscript_build 2015-04-29 16:16:58.303000207 +0900
@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
tevent_debug.c util_process.c memcache.c''',
deps='DYNCONFIG',
- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd',
public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
local_include=False,
diff -Nurp samba-4.1.12.orig/wscript samba-4.1.12/wscript
--- samba-4.1.12.orig/wscript 2014-07-28 16:13:45.000000000 +0900
+++ samba-4.1.12/wscript 2015-04-29 16:17:52.338000264 +0900
@@ -183,16 +183,16 @@ def configure(conf):
conf.env['ENABLE_PIE'] = True
if Options.options.enable_systemd != False:
- conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
- msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
- conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
- conf.CHECK_LIB('systemd-daemon', shlib=True)
+ conf.check_cfg(package='libsystemd', args='--cflags --libs',
+ msg='Checking for libsystemd', uselib_store="SYSTEMD-DAEMON")
+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd')
+ conf.CHECK_LIB('systemd', shlib=True)
if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
conf.DEFINE('HAVE_SYSTEMD', '1')
conf.env['ENABLE_SYSTEMD'] = True
else:
- conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
+ conf.SET_TARGET_TYPE('systemd', 'EMPTY')
conf.undefine('HAVE_SYSTEMD')
conf.SAMBA_CONFIG_H('include/config.h')


@ -1,10 +0,0 @@
--- ./source4/auth/wscript_configure.orig 2015-11-19 19:53:11.022212181 +0100
+++ ./source4/auth/wscript_configure 2015-11-19 19:53:17.466212205 +0100
@@ -2,7 +2,3 @@
conf.CHECK_HEADERS('security/pam_appl.h')
conf.CHECK_FUNCS_IN('pam_start', 'pam', checklibc=True)
-
-if (conf.CHECK_HEADERS('sasl/sasl.h') and
- conf.CHECK_FUNCS_IN('sasl_client_init', 'sasl2')):
- conf.DEFINE('HAVE_SASL', 1)


@ -0,0 +1,43 @@
Don't check xsltproc manpages
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
Index: samba-4.4.2/lib/ldb/wscript
===================================================================
--- samba-4.4.2.orig/lib/ldb/wscript
+++ samba-4.4.2/lib/ldb/wscript
@@ -65,7 +65,7 @@ def configure(conf):
conf.define('USING_SYSTEM_LDB', 1)
if conf.env.standalone_ldb:
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
# we need this for the ldap backend
if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'):
Index: samba-4.4.2/lib/talloc/wscript
===================================================================
--- samba-4.4.2.orig/lib/talloc/wscript
+++ samba-4.4.2/lib/talloc/wscript
@@ -56,7 +56,7 @@ def configure(conf):
if conf.env.standalone_talloc:
conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
if not conf.env.disable_python:
# also disable if we don't have the python libs installed
Index: samba-4.4.2/lib/tdb/wscript
===================================================================
--- samba-4.4.2.orig/lib/tdb/wscript
+++ samba-4.4.2/lib/tdb/wscript
@@ -92,7 +92,7 @@ def configure(conf):
not conf.env.disable_tdb_mutex_locking):
conf.define('USE_TDB_MUTEX_LOCKING', 1)
- conf.CHECK_XSLTPROC_MANPAGES()
+ #conf.CHECK_XSLTPROC_MANPAGES()
if not conf.env.disable_python:
# also disable if we don't have the python libs installed
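Review bot: The header of this new xsltproc patch is only the one-line summary "Don't check xsltproc manpages" plus a Signed-off-by, with no `Upstream-Status:` tag, and the refreshed samba_bundled.py patch in the following section has the same gap; the OpenEmbedded patch guidelines expect that tag so the next uprev can tell whether a change is a backport or a permanent local workaround. Adding `Upstream-Status: Inappropriate [embedded specific]` (or whichever status actually applies) directly under the summary line would address it. Compared with the 4.1.12 version being removed, this rewrite also drops the `lib/ntdb/wscript` hunk; if the ntdb directory still ships in the 4.4.2 tarball, its `conf.CHECK_XSLTPROC_MANPAGES()` call would now run unpatched, so it is worth confirming the directory is gone rather than assuming it. The three remaining hunks only comment out the call, leaving `#conf.CHECK_XSLTPROC_MANPAGES()` in place; a short `# disabled for OE: xsltproc manpage build not wanted` comment above each would make the intent survive the next refresh.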


@ -3,18 +3,19 @@ we just check whether does the module exist.
Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
--- samba-4.1.12.orig/buildtools/wafsamba/samba_bundled.py 2013-06-13 17:21:02.000000000 +0800
+++ samba-4.1.12/buildtools/wafsamba/samba_bundled.py 2015-07-16 16:57:06.649092158 +0800
@@ -1,7 +1,7 @@
# functions to support bundled libraries
Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py
===================================================================
--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py
+++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py
@@ -2,6 +2,7 @@
import sys
import Build, Options, Logs
+import imp, os
from Configure import conf
-import sys, Logs
+import sys, Logs, imp
from samba_utils import *
from samba_utils import TO_LIST
def PRIVATE_NAME(bld, name, private_extension, private_library):
@@ -228,17 +228,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li
# versions
minversion = minimum_library_version(conf, libname, minversion)


@ -13,38 +13,14 @@ ${SAMBA_MIRROR} http://www.mirrorservice.org/sites/ftp.samba.org \n \
SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://00-fix-typos-in-man-pages.patch \
file://01-fix-force-user-sec-ads.patch \
file://02-fix-ipv6-join.patch \
file://03-net-ads-kerberos-pac.patch \
file://04-ipv6-workaround.patch \
file://05-fix-gecos-field-with-samlogon.patch \
file://06-fix-nmbd-systemd-status-update.patch \
file://07-fix-idmap-ad-getgroups-without-gid.patch \
file://08-fix-idmap-ad-sfu-with-trusted-domains.patch \
file://09-fix-smbclient-echo-cmd-segfault.patch \
file://10-improve-service-principal-guessing-in-net.patch \
file://11-fix-overwriting-of-spns-during-net-ads-join.patch \
file://12-add-precreated-spns-from-AD-during-keytab-generation.patch \
file://13-fix-aes-enctype.patch \
file://14-fix-dnsupdate.patch \
file://15-fix-netbios-name-truncation.patch \
file://16-do-not-check-xsltproc-manpages.patch \
file://17-execute-prog-by-qemu.patch \
file://18-avoid-get-config-by-native-ncurses.patch \
file://19-systemd-daemon-is-contained-by-libsystemd.patch \
file://20-do-not-import-target-module-while-cross-compile.patch \
file://21-add-config-option-without-valgrind.patch \
file://0001-waf-sanitize-and-fix-added-cross-answer.patch \
file://0002-Adds-a-new-mode-to-samba-cross-compiling.patch \
file://0003-waf-improve-readability-of-cross-answers-generated-b.patch \
file://0004-build-make-wafsamba-CHECK_SIZEOF-cross-compile-frien.patch \
file://0005-build-unify-and-fix-endian-tests.patch \
file://0006-avoid-using-colon-in-the-checking-msg.patch \
file://0007-waf-Fix-parsing-of-cross-answers-file-in-case-answer.patch \
"
SRC_URI[md5sum] = "232016d7581a1ba11e991ec2674553c4"
SRC_URI[sha256sum] = "033604674936bf5c77d7df299b0626052b84a41505a6a6afe902f6274fc29898"
SRC_URI[md5sum] = "03a65a3adf08ceb1636ad59d234d7f9d"
SRC_URI[sha256sum] = "eaecd41a85ebb9507b8db9856ada2a949376e9d53cf75664b5493658f6e5926a"
inherit systemd waf-samba cpan-base perlnative
# remove default added RDEPENDS on perl
@ -59,15 +35,15 @@ PACKAGECONFIG ??= "${@base_contains('DISTRO_FEATURES', 'pam', 'pam', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', '${SYSVINITTYPE}', '', d)} \
${@base_contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)} \
${@base_contains('DISTRO_FEATURES', 'zeroconf', 'zeroconf', '', d)} \
acl aio cups ldap \
acl cups ldap \
"
RDEPENDS_${PN}-base += "${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'lsb', '', d)}"
RDEPENDS_${PN}-ctdb-tests += "bash"
PACKAGECONFIG[acl] = "--with-acl-support,--without-acl-support,acl"
PACKAGECONFIG[aio] = "--with-aio-support,--without-aio-support,libaio"
PACKAGECONFIG[fam] = "--with-fam,--without-fam,gamin"
PACKAGECONFIG[pam] = "--with-pam --with-pam_smbpass --with-pammodulesdir=${base_libdir}/security,--without-pam --without-pam_smbpass,libpam"
PACKAGECONFIG[pam] = "--with-pam --with-pammodulesdir=${base_libdir}/security,--without-pam,libpam"
PACKAGECONFIG[lsb] = ",,lsb"
PACKAGECONFIG[sysv] = ",,sysvinit"
PACKAGECONFIG[cups] = "--enable-cups,--disable-cups,cups"
@ -78,8 +54,6 @@ PACKAGECONFIG[dmapi] = "--with-dmapi,--without-dmapi,dmapi"
PACKAGECONFIG[zeroconf] = "--enable-avahi,--disable-avahi,avahi"
PACKAGECONFIG[valgrind] = ",--without-valgrind,valgrind,"
SRC_URI += "${@bb.utils.contains('PACKAGECONFIG', 'sasl', '', 'file://21-avoid-sasl-unless-wanted.patch', d)}"
SAMBA4_IDMAP_MODULES="idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2"
SAMBA4_PDB_MODULES="pdb_tdbsam,${@bb.utils.contains('PACKAGECONFIG', 'ldap', 'pdb_ldap,', '', d)}pdb_ads,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4"
SAMBA4_AUTH_MODULES="auth_unix,auth_wbc,auth_server,auth_netlogond,auth_script,auth_samba4"
@ -87,15 +61,12 @@ SAMBA4_MODULES="${SAMBA4_IDMAP_MODULES},${SAMBA4_PDB_MODULES},${SAMBA4_AUTH_MODU
SAMBA4_LIBS="heimdal,!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb"
PERL_VERNDORLIB="${libdir}/perl5/vendor_perl/${PERLVERSION}"
EXTRA_OECONF += "--enable-fhs \
--with-piddir=/run \
--with-sockets-dir=/run/samba \
--with-modulesdir=${libdir}/samba \
--with-lockdir=${localstatedir}/lib/samba \
--with-cachedir=${localstatedir}/lib/samba \
--with-perl-lib-install-dir=${PERL_VERNDORLIB} \
--disable-gnutls \
--disable-rpath-install \
--with-shared-modules=${SAMBA4_MODULES} \
@ -104,7 +75,6 @@ EXTRA_OECONF += "--enable-fhs \
--without-ad-dc \
${@base_conditional('TARGET_ARCH', 'x86_64', '', '--disable-glusterfs', d)} \
--with-cluster-support \
--enable-old-ctdb \
--with-profiling-data \
--with-libiconv=${STAGING_DIR_HOST}${prefix} \
"
@ -113,13 +83,6 @@ DISABLE_STATIC = ""
LDFLAGS += "-Wl,-z,relro,-z,now"
do_install_append() {
if [ -d "${D}/run" ]; then
if [ -d "${D}/run/samba" ]; then
rmdir --ignore-fail-on-non-empty "${D}/run/samba"
fi
rmdir --ignore-fail-on-non-empty "${D}/run"
fi
if ${@bb.utils.contains('PACKAGECONFIG', 'systemd', 'true', 'false', d)}; then
install -d ${D}${systemd_unitdir}/system
for i in nmb smb winbind; do
@ -127,20 +90,20 @@ do_install_append() {
done
sed -i 's,\(ExecReload=\).*\(/kill\),\1${base_bindir}\2,' ${D}${systemd_unitdir}/system/*.service
install -d ${D}${sysconfdir}/tmpfiles.d
install -d ${D}${sysconfdir}/tmpfiles.d
install -m644 packaging/systemd/samba.conf.tmp ${D}${sysconfdir}/tmpfiles.d/samba.conf
echo "d ${localstatedir}/log/samba 0755 root root -" \
>> ${D}${sysconfdir}/tmpfiles.d/samba.conf
elif ${@bb.utils.contains('PACKAGECONFIG', 'lsb', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/init.d
install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
update-rc.d -r ${D} samba.sh start 20 3 5 .
update-rc.d -r ${D} samba.sh start 20 0 1 6 .
install -d ${D}${sysconfdir}/init.d
install -m 0755 packaging/LSB/samba.sh ${D}${sysconfdir}/init.d
update-rc.d -r ${D} samba.sh start 20 3 5 .
update-rc.d -r ${D} samba.sh start 20 0 1 6 .
elif ${@bb.utils.contains('PACKAGECONFIG', 'sysv', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/init.d
install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
update-rc.d -r ${D} samba.sh start 20 3 5 .
update-rc.d -r ${D} samba.sh start 20 0 1 6 .
install -d ${D}${sysconfdir}/init.d
install -m 0755 packaging/sysv/samba.init ${D}${sysconfdir}/init.d/samba.sh
update-rc.d -r ${D} samba.sh start 20 3 5 .
update-rc.d -r ${D} samba.sh start 20 0 1 6 .
fi
install -d ${D}${sysconfdir}/samba
@ -149,11 +112,13 @@ do_install_append() {
install -d ${D}${sysconfdir}/sysconfig/
install -m644 packaging/systemd/samba.sysconfig ${D}${sysconfdir}/sysconfig/samba
rm -rf ${D}/run ${D}${localstatedir}/run
}
PACKAGES += "${PN}-python ${PN}-python-dbg ${PN}-pidl libwinbind libwinbind-dbg libwinbind-krb5-locator"
PACKAGES =+ "libwbclient libnss-winbind winbind winbind-dbg libnetapi libsmbsharemodes \
libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base"
libsmbclient libsmbclient-dev lib${PN}-base ${PN}-base ${PN}-ctdb-tests"
RDEPENDS_${PN} += "${PN}-base"
@ -166,6 +131,12 @@ FILES_${PN}-base = "${sbindir}/nmbd \
${localstatedir}/spool/samba \
"
FILES_${PN}-ctdb-tests = "${bindir}/ctdb_run_tests \
${libdir}/ctdb-tests \
${datadir}/ctdb-tests \
/run/ctdb \
"
# figured out by
# FILES="tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/smbd tmp/work/cortexa9hf-vfp-neon-poky-linux-gnueabi/samba/4.1.12-r0/image/usr/sbin/nmbd"
#
@ -312,16 +283,20 @@ FILES_libwinbind-dbg = "${base_libdir}/security/.debug/pam_winbind.so"
FILES_libwinbind-krb5-locator = "${libdir}/winbind_krb5_locator.so"
FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/_ldb_text.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/dcerpc/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/external/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/kcc/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/netcmd/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/provision/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.py \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/samba3/*.so \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/subunit/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/tests/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/third_party/* \
${libdir}/python${PYTHON_BASEVERSION}/site-packages/samba/web_server/* \
"
@ -332,4 +307,4 @@ FILES_${PN}-python-dbg = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/.d
"
RDEPENDS_${PN}-pidl_append = " perl"
FILES_${PN}-pidl = "${bindir}/pidl ${PERL_VERNDORLIB}/*"
FILES_${PN}-pidl = "${bindir}/pidl ${datadir}/perl5/Parse"
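Review bot: The new `rm -rf ${D}/run ${D}${localstatedir}/run` in do_install_append contradicts the `/run/ctdb` entry added to FILES_${PN}-ctdb-tests: whatever the build placed under ${D}/run is deleted before packaging, so that FILES entry can never match anything, and a path under the volatile /run should not be shipped in a package in any case. If ctdb_run_tests needs the directory at runtime, create it the same way the samba log directory is created, e.g. `echo "d /run/ctdb 0755 root root -" >> ${D}${sysconfdir}/tmpfiles.d/samba.conf` in the systemd branch, and drop `/run/ctdb` from FILES_${PN}-ctdb-tests. Separately, `aio` was removed from the default PACKAGECONFIG while `PACKAGECONFIG[aio]` still passes `--with-aio-support`; if that was done because the 4.4 configure no longer accepts the option, the remaining definition should go as well, otherwise a distro that enables aio fails at configure time. do_install_append spans several hunks and its start lies in an earlier one.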