samba36: bump version

This commit is contained in:
lean 2022-09-09 11:59:53 +08:00
parent 9e2144f153
commit 3e6a4852da
47 changed files with 1013 additions and 30834 deletions


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=autosamba PKG_NAME:=autosamba
PKG_VERSION:=1 PKG_VERSION:=1
PKG_RELEASE:=12 PKG_RELEASE:=13
PKG_ARCH:=all PKG_ARCH:=all
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -28,8 +28,6 @@ define Build/Compile
endef endef
define Package/autosamba/install define Package/autosamba/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/block
$(INSTALL_BIN) ./files/20-smb $(1)/etc/hotplug.d/block/20-smb
endef endef
$(eval $(call BuildPackage,autosamba)) $(eval $(call BuildPackage,autosamba))

package/network/services/samba36/Makefile Normal file → Executable file

@ -1,5 +1,5 @@
# #
# Copyright (C) 2007-2014 OpenWrt.org # Copyright (C) 2007-2012 OpenWrt.org
# #
# This is free software, licensed under the GNU General Public License v2. # This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information. # See /LICENSE for more information.
@ -8,20 +8,20 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=samba PKG_NAME:=samba
PKG_VERSION:=3.6.25 PKG_VERSION:=4.0.26
PKG_RELEASE:=15 PKG_RELEASE:=8
PKG_SOURCE_URL:=https://download.samba.org/pub/samba \ PKG_SOURCE_URL:=https://ftp.samba.org/pub/samba/stable/
https://download.samba.org/pub/samba/stable PKG_SOURCE:=samba-$(PKG_VERSION).tar.gz
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_HASH:=ce2441992c6d18950d752edb2d1274b3f7e056b2e2e8516fc42e408e4a25894a
PKG_HASH:=8f2c8a7f2bd89b0dfd228ed917815852f7c625b2bc0936304ac3ed63aaf83751
PKG_LICENSE:=GPL-3.0 PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=COPYING PKG_LICENSE_FILES:=COPYING
PKG_CPE_ID:=cpe:/a:samba:samba
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
PKG_BUILD_DIR := $(BUILD_DIR)/samba-$(PKG_VERSION)
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
MAKE_PATH:=source3 MAKE_PATH:=source3
@ -29,37 +29,20 @@ CONFIGURE_PATH:=source3
PKG_BUILD_BIN:=$(PKG_BUILD_DIR)/$(MAKE_PATH)/bin PKG_BUILD_BIN:=$(PKG_BUILD_DIR)/$(MAKE_PATH)/bin
define Package/samba/Default define Package/samba36-server
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=Samba 3.6 SMB/CIFS TITLE:=Samba $(PKG_VERSION) SMB/CIFS server
URL:=https://www.samba.org/ URL:=http://www.samba.org/
MAINTAINER:=Felix Fietkau <nbd@nbd.name> DEPENDS:=+libaio +libpthread +zlib +libpopt
endef
define Package/samba36-server
$(call Package/samba/Default)
TITLE+= server
DEPENDS:=+USE_GLIBC:librt $(ICONV_DEPENDS)
endef
define Package/samba36-client
$(call Package/samba/Default)
TITLE+= client
DEPENDS:=+libreadline +libncurses
endef
define Package/samba36-net
$(call Package/samba/Default)
TITLE+= net commands
DEPENDS:=+libreadline +libncurses
endef endef
define Package/samba36-server/config define Package/samba36-server/config
config PACKAGE_SAMBA_MAX_DEBUG_LEVEL config PACKAGE_SAMBA_MAX_DEBUG_LEVEL
int "Maximum level of compiled-in debug messages" int "Maximum level of compiled-in debug messages"
depends on PACKAGE_samba36-server || PACKAGE_samba36-client depends on PACKAGE_samba36-server
default -1 default -1
endef endef
define Package/samba36-server/description define Package/samba36-server/description
@ -69,7 +52,9 @@ define Package/samba36-server/description
to as the LanManager or Netbios protocol. to as the LanManager or Netbios protocol.
endef endef
TARGET_CFLAGS += -DMAX_DEBUG_LEVEL=$(CONFIG_PACKAGE_SAMBA_MAX_DEBUG_LEVEL) -D__location__=\\\"\\\" -ffunction-sections -fdata-sections TARGET_CFLAGS += -DMAX_DEBUG_LEVEL=$(CONFIG_PACKAGE_SAMBA_MAX_DEBUG_LEVEL) -D__location__=\\\"\\\" -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections TARGET_LDFLAGS += -Wl,--gc-sections
CONFIGURE_VARS += \ CONFIGURE_VARS += \
@ -79,41 +64,50 @@ CONFIGURE_VARS += \
libreplace_cv_HAVE_C99_VSNPRINTF=yes \ libreplace_cv_HAVE_C99_VSNPRINTF=yes \
libreplace_cv_HAVE_GETADDRINFO=yes \ libreplace_cv_HAVE_GETADDRINFO=yes \
libreplace_cv_HAVE_IFACE_IFCONF=yes \ libreplace_cv_HAVE_IFACE_IFCONF=yes \
libreplace_cv_HAVE_MREMAP=yes \
libreplace_cv_HAVE_MMAP=yes \
libreplace_cv_HAVE_OPEN_O_DIRECT=yes \
libreplace_cv_REPLACE_INET_NTOA=no \
LINUX_LFS_SUPPORT=yes \ LINUX_LFS_SUPPORT=yes \
samba_cv_TIME_T_MAX=no \
samba_cv_have_longlong=yes \
samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \ samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \
samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \ samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \
samba_cv_HAVE_IFACE_IFCONF=yes \ samba_cv_HAVE_IFACE_IFCONF=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes \
samba_cv_HAVE_SECURE_MKSTEMP=yes \ samba_cv_HAVE_SECURE_MKSTEMP=yes \
samba_cv_HAVE_WRFILE_KEYTAB=no \ samba_cv_HAVE_WRFILE_KEYTAB=no \
samba_cv_USE_SETREUID=yes \ samba_cv_USE_SETREUID=yes \
samba_cv_USE_SETRESUID=yes \ samba_cv_USE_SETRESUID=yes \
samba_cv_have_setreuid=yes \ samba_cv_have_setreuid=yes \
samba_cv_have_setresuid=yes \ samba_cv_have_setresuid=yes \
ac_cv_header_libunwind_h=no \
ac_cv_header_zlib_h=no \ ac_cv_header_zlib_h=no \
samba_cv_zlib_1_2_3=no \ samba_cv_zlib_1_2_3=yes \
ac_cv_path_PYTHON="" \ ac_cv_type_long_long=yes \
ac_cv_path_PYTHON_CONFIG="" samba_cv_USE_SETEUID=yes \
samba_cv_HAVE_BROKEN_GETGROUPS=no \
samba_cv_HAVE_BROKEN_READDIR_NAME=no \
samba_cv_HAVE_BROKEN_LINUX_SENDFILE=no \
samba_cv_HAVE_SENDFILE=yes \
samba_cv_HAVE_FCNTL_LOCK=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=no \
samba_cv_HAVE_KERNEL_SHARE_MODES=yes \
samba_cv_SIZEOF_BLKCNT_T_8=yes
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
--exec-prefix=/usr \ --exec-prefix=/ \
--prefix=/ \ --prefix=/ \
--disable-avahi \ --disable-avahi \
--disable-cups \ --disable-cups \
--disable-external-libtalloc \ --disable-external-libtalloc \
--disable-external-libtdb \
--disable-external-libtevent \
--disable-pie \ --disable-pie \
--disable-relro \ --disable-relro \
--disable-static \ --disable-static \
--disable-swat \ --disable-swat \
--disable-shared-libs \ --disable-shared-libs \
--with-libiconv="$(ICONV_PREFIX)" \
--with-codepagedir=/etc/samba \ --with-codepagedir=/etc/samba \
--with-configdir=/etc/samba \ --with-configdir=/etc/samba \
--with-included-iniparser \ --with-included-iniparser \
--with-included-popt \ --with-included-popt=no \
--with-lockdir=/var/lock \ --with-lockdir=/var/lock \
--with-logfilebase=/var/log \ --with-logfilebase=/var/log \
--with-nmbdsocketdir=/var/nmbd \ --with-nmbdsocketdir=/var/nmbd \
@ -121,8 +115,10 @@ CONFIGURE_ARGS += \
--with-privatedir=/etc/samba \ --with-privatedir=/etc/samba \
--with-sendfile-support \ --with-sendfile-support \
--without-acl-support \ --without-acl-support \
--with-aio-support \
--without-cluster-support \ --without-cluster-support \
--without-ads \ --without-ads \
--with-krb5=no \
--without-krb5 \ --without-krb5 \
--without-ldap \ --without-ldap \
--without-pam \ --without-pam \
@ -134,45 +130,54 @@ CONFIGURE_ARGS += \
--without-libsmbsharemodes \ --without-libsmbsharemodes \
--without-libtevent \ --without-libtevent \
--without-libaddns \ --without-libaddns \
--enable-cups=no --enable-iprint=no \
--enable-largefile \
--disable-dmalloc \
--disable-debug \
--without-utmp \
--without-quotas \
--with-libiconv=$(ICONV_PREFIX) \
--with-shared-modules=pdb_tdbsam,pdb_wbc_sam,idmap_nss,nss_info_template,auth_winbind,auth_wbc,auth_domain --with-shared-modules=pdb_tdbsam,pdb_wbc_sam,idmap_nss,nss_info_template,auth_winbind,auth_wbc,auth_domain
MAKE_FLAGS += DYNEXP= PICFLAG= MODULES= MAKE_FLAGS += DYNEXP= PICFLAG= MODULES=
define Package/samba36-server/conffiles # special CONFIGURE_ARGS
/etc/config/samba ifneq ($(CONFIG_mipsel)$(CONFIG_arm)$(CONFIG_x86),)
/etc/samba/smb.conf.template #Little Endian
/etc/samba/smbpasswd CONFIGURE_VARS += samba_cv_big_endian=no samba_cv_little_endian=yes
endef TARGET_CFLAGS += -O3 -fno-inline-functions -fno-inline-small-functions -fno-inline-functions-called-once
else
#Big Endian
CONFIGURE_VARS += samba_cv_big_endian=yes samba_cv_little_endian=no
endif
define Package/samba36-server/install define Package/samba36-server/install
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/samba.config $(1)/etc/config/samba
$(INSTALL_DIR) $(1)/etc/samba $(INSTALL_DIR) $(1)/etc/samba
$(INSTALL_CONF) ./files/smb.conf.template $(1)/etc/samba $(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_DATA) ./files/samba.config $(1)/etc/config/samba
$(INSTALL_DATA) ./files/smb.conf.template $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/lowcase.dat $(1)/etc/samba $(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/lowcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/upcase.dat $(1)/etc/samba $(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/upcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/valid.dat $(1)/etc/samba $(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/valid.dat $(1)/etc/samba
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/samba.init $(1)/etc/init.d/samba $(INSTALL_BIN) ./files/samba.init $(1)/etc/init.d/samba
$(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/uci_defaults_samba $(1)/etc/uci-defaults/99_uci_defaults_samba
$(INSTALL_DIR) $(1)/etc/hotplug.d/block
$(INSTALL_DATA) ./files/smb.auto $(1)/etc/hotplug.d/block/20-smb
$(INSTALL_BIN) $(PKG_BUILD_BIN)/samba_multicall $(1)/usr/sbin $(INSTALL_BIN) $(PKG_BUILD_BIN)/samba_multicall $(1)/usr/sbin
$(LN) samba_multicall $(1)/usr/sbin/smbd ln -sf samba_multicall $(1)/usr/sbin/smbd
$(LN) samba_multicall $(1)/usr/sbin/nmbd ln -sf samba_multicall $(1)/usr/sbin/nmbd
$(LN) samba_multicall $(1)/usr/sbin/smbpasswd ln -sf samba_multicall $(1)/usr/sbin/smbpasswd
endef endef
define Package/samba36-client/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/smbclient $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/nmblookup $(1)/usr/sbin
endef
define Package/samba36-net/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/net $(1)/usr/sbin
endef
$(eval $(call BuildPackage,samba36-client))
$(eval $(call BuildPackage,samba36-server)) $(eval $(call BuildPackage,samba36-server))
$(eval $(call BuildPackage,samba36-net))
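Review bot: The new side drops `PKG_CPE_ID:=cpe:/a:samba:samba` (old side of L46) while moving PKG_VERSION to 4.0.26 and, later in this commit, deleting the backported CVE-2015-5252/5296/5299/7560 patch files; without the CPE id the package disappears from CPE-based vulnerability matching, and as far as I can tell the 4.0.26 tarball predates those fixes (the 4.0 branch had left security support before they were published in December 2015), so the build would regress to the unpatched code. Keep `PKG_CPE_ID:=cpe:/a:samba:samba` and either re-base the removed patches onto 4.0.26 or pick a release that already contains them. Separately, the install recipe switches samba.config and smb.conf.template from `$(INSTALL_CONF)` to `$(INSTALL_DATA)` (L182–L183), which widens the installed permissions of files the new hotplug script later extends with share definitions; `$(INSTALL_CONF)` was the right macro there. `PKG_LICENSE:=GPLv3` also replaces the SPDX form `GPL-3.0` the old line used.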


@ -1,6 +1,7 @@
config samba config samba
option 'name' 'OpenWrt' option 'name' 'OpenWrt'
option 'workgroup' 'WORKGROUP' option 'workgroup' 'WORKGROUP'
option 'description' 'OpenWrt' option 'description' 'OpenWrt Share'
option 'homes' '1' option 'homes' '1'
option 'autoshare' '1'
option 'enabled' '1'
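Review bot: `option 'autoshare' '1'` ships auto-sharing enabled by default, and the hotplug script this commit installs under /etc/hotplug.d/block exports every newly mounted block device as a share with `read_only 'no'` and `guest_ok 'yes'`; together with the guest settings in the new smb.conf.template that makes any inserted disk writable by unauthenticated clients out of the box. Shipping `option 'autoshare' '0'` keeps the feature opt-in for users who want it; the description change and `option 'enabled' '1'` are fine as they are.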


@ -2,20 +2,31 @@
# Copyright (C) 2008-2012 OpenWrt.org # Copyright (C) 2008-2012 OpenWrt.org
START=60 START=60
USE_PROCD=1
smb_header() { smb_header() {
config_get samba_iface $1 interface "loopback lan" local enabled
config_get_bool enabled $1 enabled 1
[ $enabled == "0" ] && {
echo "Samba disabled!"
exit 0
}
local interface
config_get interface $1 interface "loopback lan"
# resolve interfaces # resolve interfaces
local interfaces=$( local interfaces=$(
. /lib/functions/network.sh . /lib/functions/network.sh
local net local net
for net in $samba_iface; do for net in $interface; do
local device local device
network_is_up $net || continue network_get_device device "$net" && {
network_get_device device "$net" local subnet
network_get_subnet subnet "$net" && echo -n "$subnet "
network_get_subnet6 subnet "$net" && echo -n "$subnet "
}
echo -n "${device:-$net} " echo -n "${device:-$net} "
done done
) )
@ -23,17 +34,19 @@ smb_header() {
local name workgroup description charset local name workgroup description charset
local hostname="$(uci_get system.@system[0].hostname)" local hostname="$(uci_get system.@system[0].hostname)"
config_get name $1 name "${hostname:-OpenWrt}" config_get name $1 name "${hostname:-PandoraBox}"
config_get workgroup $1 workgroup "${hostname:-OpenWrt}" config_get workgroup $1 workgroup "${hostname:-PandoraBox}"
config_get description $1 description "Samba on ${hostname:-OpenWrt}" config_get description $1 description "Samba on ${hostname:-PandoraBox}"
config_get charset $1 charset "UTF-8" config_get charset $1 charset "UTF-8"
config_get master $1 master "yes"
mkdir -p /var/etc mkdir -p /var/etc
sed -e "s#|NAME|#$name#g" \ sed -e "s#|NAME|#$name#g" \
-e "s#|WORKGROUP|#$workgroup#g" \ -e "s#|WORKGROUP|#$workgroup#g" \
-e "s#|DESCRIPTION|#$description#g" \ -e "s#|DESCRIPTION|#$description#g" \
-e "s#|INTERFACES|#$interfaces#g" \ -e "s#|INTERFACES|#$interfaces#g" \
-e "s#|CHARSET|#$charset#g" \ -e "s#|CHARSET|#$charset#g" \
-e "s#|MASTER|#$master#g" \
/etc/samba/smb.conf.template > /var/etc/smb.conf /etc/samba/smb.conf.template > /var/etc/smb.conf
local homes local homes
@ -82,34 +95,16 @@ smb_add_share() {
[ -n "$browseable" ] && echo -e "\tbrowseable = $browseable" >> /var/etc/smb.conf [ -n "$browseable" ] && echo -e "\tbrowseable = $browseable" >> /var/etc/smb.conf
} }
init_config() { start() {
config_load samba config_load samba
config_foreach smb_header samba config_foreach smb_header samba
config_foreach smb_add_share sambashare config_foreach smb_add_share sambashare
service_start /usr/sbin/smbd -D
service_start /usr/sbin/nmbd -D
} }
service_triggers() { stop() {
procd_add_reload_trigger samba service_stop /usr/sbin/smbd
service_stop /usr/sbin/nmbd
local i
for i in $samba_iface; do
procd_add_reload_interface_trigger $i
done
}
start_service() {
init_config
procd_open_instance
procd_add_mdns "smb" "tcp" "445"
procd_set_param command /usr/sbin/smbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
procd_open_instance
procd_set_param command /usr/sbin/nmbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
} }
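Review bot: `[ $enabled == "0" ] && {` in smb_header (L231) uses the bash-only `==` and leaves `$enabled` unquoted; busybox ash tolerates it, but the portable form is `[ "$enabled" = "0" ] && {`, and smb_header's body runs past the end of that hunk. The rewrite also drops the old `network_is_up $net || continue` guard, so an interface that is configured but down now contributes its bare logical name via `${device:-$net}` to the generated `interfaces =` line, which is unlikely to match a kernel device; restoring the guard keeps the list clean. Since the procd `service_triggers` block (old side, L278–L285) is gone and the list now also carries `network_get_subnet`/`network_get_subnet6` results, a later address change no longer regenerates /var/etc/smb.conf until the service is restarted — worth confirming that is acceptable.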


@ -0,0 +1,103 @@
#!/bin/sh
#
# D-Team Technology Co.,Ltd. ShenZhen
# 作者:Vic
#
#
# 警告:对着屏幕的哥们,我们允许你使用此脚本,但不允许你抹去作者的信息,请保留这段话。
#
. /lib/functions.sh
. /lib/functions/service.sh
global=0
config_file="/etc/config/samba"
wait_for_init() {
for i in `seq 30`
do
[ -e /tmp/procd.done ] || {
sleep 1; continue;
}
return
done
}
smb_handle() {
config_get path $1 path
if [ "$path" = "$2" ] ;then
global=1
fi
}
chk_en() {
config_get_bool autoshare $1 autoshare 0
[ $autoshare -eq 0 ] && exit
}
config_load samba
config_foreach chk_en samba
device=`basename $DEVPATH`
case "$ACTION" in
add)
case "$device" in
sd*) ;;
md*) ;;
hd*);;
mmcblk*);;
*) return;;
esac
path="/dev/$device"
wait_for_init
cat /proc/mounts | while read j
do
str=${j%% *}
if [ "$str" == $path ];then
strr=${j#* }
target=${strr%% *}
global=0
config_foreach smb_handle sambashare $target
name=${target#*/mnt/}
if [ $global -eq 0 ] ;then
echo -e "\n\nconfig sambashare" >> $config_file
echo -e "\toption auto '1'" >> $config_file
echo -e "\toption name '$name'" >> $config_file
echo -e "\toption path '$target'" >> $config_file
echo -e "\toption read_only 'no'" >> $config_file
echo -e "\toption guest_ok 'yes'" >> $config_file
echo -e "\toption device '$device'" >> $config_file
/etc/init.d/samba reload
return
fi
fi
done
;;
remove)
i=0
while true
do
dev=`uci get samba.@sambashare[$i].device`
[ $? -ne 0 ] && break
[ "$dev" = "$device" ] && {
auto=`uci get samba.@sambashare[$i].auto`
[ $auto = "1" ] && {
mount_dir=`uci get samba.@sambashare[$i].name`
rm -rf /mnt/$device /mnt/$mount_dir
uci delete samba.@sambashare[$i]
uci commit
/etc/init.d/samba reload
return
}
}
let i+=1
done
;;
esac
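Review bot: The `add` branch writes the new sambashare section with raw `echo` lines (L359–L365), so `$name`, `$target` and `$device` land inside single quotes unescaped; a mount point containing a quote or a newline corrupts /etc/config/samba, and mount points are not under the router's control if the automounter derives them from volume labels. Going through uci avoids hand-quoting and matches the `uci commit` convention the `remove` branch already uses; the rewritten block is below. In the `remove` branch, `rm -rf /mnt/$device /mnt/$mount_dir` (L382) is unquoted and, when the `name` option is absent so `uci get` yields nothing, would expand to `rm -rf /mnt/<dev> /mnt/`, so guard it: `[ -n "$mount_dir" ] && rm -rf "/mnt/$device" "/mnt/$mount_dir"`. Note also that `return` inside `cat /proc/mounts | while read j` only leaves the pipeline's subshell, so the loop keeps reading after the first match.
```sh
# … unchanged: /proc/mounts lookup, smb_handle check, name derivation …
if [ $global -eq 0 ] ;then
    section=$(uci add samba sambashare)
    uci set samba.$section.auto='1'
    uci set samba.$section.name="$name"
    uci set samba.$section.path="$target"
    uci set samba.$section.read_only='no'
    uci set samba.$section.guest_ok='yes'
    uci set samba.$section.device="$device"
    uci commit samba
    /etc/init.d/samba reload
    return
fi
```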


@ -5,17 +5,47 @@
server string = |DESCRIPTION| server string = |DESCRIPTION|
unix charset = |CHARSET| unix charset = |CHARSET|
workgroup = |WORKGROUP| workgroup = |WORKGROUP|
bind interfaces only = yes browseable = yes
deadtime = 30 deadtime = 30
domain master = |MASTER|
encrypt passwords = true
enable core files = no enable core files = no
invalid users = root # guest account = nobody
guest account = root
guest ok = yes
# invalid users = root
local master = yes local master = yes
load printers = no
map to guest = Bad User map to guest = Bad User
max protocol = SMB2 max protocol = SMB2
min receivefile size = 16384
null passwords = yes null passwords = yes
obey pam restrictions = yes
os level = 250
lm announce = yes
lm interval = 10
dns proxy = no
passdb backend = smbpasswd passdb backend = smbpasswd
preferred master = yes
printable = no
security = user security = user
smb encrypt = disabled
smb passwd file = /etc/samba/smbpasswd smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY IPTOS_LOWDELAY syslog = 2
use sendfile = yes use sendfile = yes
writeable = yes
read raw = yes
write raw = yes
getwd cache = Yes
min receivefile size = 16384
# write cache size = 65536
large readwrite = yes
fake oplocks = yes
oplocks = no
strict locking = no
posix locking = no
kernel oplocks = no
# disable spoolss = yes
# host msdfs = no
# strict allocate = no
use mmap = yes
skip ftruncate = yes
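Review bot: `guest account = root` (L406) together with `guest ok = yes` (L407), `writeable = yes` (L428) and the retained `map to guest = Bad User` (L411) in [global] means any client that fails authentication is mapped to a guest session that runs with root privileges and write access to every share, and commenting out `invalid users = root` (L408) removes the guard against logging in as root directly. Dropping `bind interfaces only = yes` in favour of `browseable = yes` (L400) also means smbd no longer confines itself to the `interfaces = |INTERFACES|` list the init script generates, so the listening surface extends to every address on the router, and `smb encrypt = disabled` (L424) forbids clients from negotiating encryption even when they ask for it. Keep the original lines and, if unauthenticated sharing is wanted, point the guest mapping at an unprivileged account: `guest account = nobody`, `invalid users = root`, `bind interfaces only = yes`.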


@ -0,0 +1,15 @@
#!/bin/sh
# Copyright (c) 2013 OpenWrt
# Copyright (C) 2014 D-Team Technology Co.,Ltd. ShenZhen
# Copyright (c) 2005-2014, lintel <lintel.huang@gmail.com>
#
#
# 警告:对着屏幕的哥们,我们允许你使用此脚本,但不允许你抹去作者的信息,请保留这段话。
#
samba_name=`uci get system.@system[0].hostname`
[ -f /etc/config/samba ] && {
uci set samba.@samba[0].name="$samba_name"
uci commit samba
}


@ -0,0 +1,240 @@
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 41b44b6..3e45935 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -109,6 +109,7 @@ FN_LOCAL_BOOL(onlyuser, bOnlyUser)
FN_LOCAL_PARM_BOOL(manglednames, bMangledNames)
FN_LOCAL_BOOL(symlinks, bSymlinks)
FN_LOCAL_BOOL(syncalways, bSyncAlways)
+FN_LOCAL_BOOL(skip_ftruncate, bSkipFtruncate)
FN_LOCAL_BOOL(strict_allocate, bStrictAllocate)
FN_LOCAL_BOOL(delete_readonly, bDeleteReadonly)
FN_LOCAL_BOOL(fake_oplocks, bFakeOplocks)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 0916023..27cc873 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -1869,6 +1869,15 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
+ .label = "skip ftruncate",
+ .type = P_BOOL,
+ .p_class = P_LOCAL,
+ .offset = LOCAL_VAR(bSkipFtruncate),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED | FLAG_SHARE,
+ },
+ {
.label = "strict allocate",
.type = P_BOOL,
.p_class = P_LOCAL,
diff --git a/source3/autoconf/lib/param/param_local.h b/source3/autoconf/lib/param/param_local.h
deleted file mode 100644
index 89eb6c3..0000000
--- a/source3/autoconf/lib/param/param_local.h
+++ /dev/null
@@ -1,142 +0,0 @@
-#ifndef __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__
-#define __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__
-
-/* This file was automatically generated by mkparamdefs.pl. DO NOT EDIT */
-
-/**
- * This structure describes a single service.
- */
-struct loadparm_service
-{
- char * szPath;
- const char ** szHostsallow;
- const char ** szHostsdeny;
- char * fstype;
- const char ** ntvfs_handler;
- bool bMSDfsRoot;
- bool bBrowseable;
- bool bRead_only;
- bool bPrint_ok;
- bool bMap_hidden;
- bool bMap_archive;
- bool bOpLocks;
- bool bStrictSync;
- bool bMap_system;
- int iMaxConnections;
- int iCSCPolicy;
- int iCreate_mask;
- int iCreate_force_mode;
- int iDir_mask;
- int iDir_force_mode;
- char * szPreExec;
- char * szPostExec;
- char * szRootPreExec;
- char * szRootPostExec;
- char * szDontdescend;
- char * szUsername;
- const char ** szInvalidUsers;
- const char ** szValidUsers;
- const char ** szAdminUsers;
- char * szPrintcommand;
- char * szLpqcommand;
- char * szLprmcommand;
- char * szLppausecommand;
- char * szLpresumecommand;
- char * szQueuepausecommand;
- char * szQueueresumecommand;
- char * szPrintername;
- char * szPrintjobUsername;
- char * szMagicScript;
- char * szMagicOutput;
- char * comment;
- char * force_user;
- char * force_group;
- const char ** readlist;
- const char ** writelist;
- const char ** printer_admin;
- const char ** szVfsObjects;
- char * szMSDfsProxy;
- char * volume;
- char * szVetoFiles;
- char * szHideFiles;
- char * szVetoOplockFiles;
- char * szAioWriteBehind;
- char * szDfree;
- bool autoloaded;
- bool bPreexecClose;
- bool bRootpreexecClose;
- int iCaseSensitive;
- bool bCasePreserve;
- bool bShortCasePreserve;
- bool bHideDotFiles;
- bool bHideSpecialFiles;
- bool bHideUnReadable;
- bool bHideUnWriteableFiles;
- bool bAccessBasedShareEnum;
- bool bNo_set_dir;
- bool bGuest_ok;
- bool bGuest_only;
- bool bAdministrative_share;
- bool bPrintNotifyBackchannel;
- bool bStoreDosAttributes;
- bool bDmapiSupport;
- bool bLocking;
- int iStrictLocking;
- bool bPosixLocking;
- bool bKernelOplocks;
- bool bLevel2OpLocks;
- bool bKernelShareModes;
- bool bOnlyUser;
- bool bMangledNames;
- bool bSymlinks;
- bool bSyncAlways;
- bool bStrictAllocate;
- bool bDeleteReadonly;
- bool bFakeOplocks;
- bool bDeleteVetoFiles;
- bool bDosFilemode;
- bool bDosFiletimes;
- bool bDosFiletimeResolution;
- bool bFakeDirCreateTimes;
- bool bBlockingLocks;
- bool bInheritPerms;
- bool bInheritACLS;
- bool bInheritOwner;
- bool bUseClientDriver;
- bool bDefaultDevmode;
- bool bForcePrintername;
- bool bNTAclSupport;
- bool bForceUnknownAclUser;
- bool bEASupport;
- bool bUseSendfile;
- bool bProfileAcls;
- bool bMap_acl_inherit;
- bool bAfs_Share;
- bool bAclCheckPermissions;
- bool bAclGroupControl;
- bool bAclMapFullControl;
- bool bAclAllowExecuteAlways;
- int iDefaultCase;
- int iMinPrintSpace;
- int iPrinting;
- int iMaxReportedPrintJobs;
- int iOplockContentionLimit;
- int iWriteCacheSize;
- int iBlock_size;
- int iDfreeCacheTime;
- int iallocation_roundup_size;
- int iAioReadSize;
- int iAioWriteSize;
- int iMap_readonly;
- int iDirectoryNameCacheSize;
- int ismb_encrypt;
- char magic_char;
- char * szCupsOptions;
- bool bChangeNotify;
- bool bKernelChangeNotify;
- bool bDurableHandles;
-LOADPARM_EXTRA_LOCALS
-};
-
-#endif /* __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__ */
-
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 1d2eaf5..6be58fb 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1299,6 +1299,7 @@ bool lp_widelinks(int );
bool lp_symlinks(int );
bool lp_syncalways(int );
bool lp_strict_allocate(int );
+bool lp_skip_ftruncate(int );
bool lp_strict_sync(int );
bool lp_map_system(int );
bool lp_delete_readonly(int );
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 429fca1..1b3244c 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1687,7 +1697,31 @@ static int vfswrap_ftruncate(vfs_handle_struct *handle, files_struct *fsp, off_t
END_PROFILE(syscall_ftruncate);
return result;
}
+ /* check for an MSDOS (FAT) filesystem and don't truncate. Ftruncate on an MSDOS filesystem can time causeing failures when the file
+ size reaches about 300MB to 600MB depending in the speed of the system. Allow forcing the ftruncate for shrinking files as not
+ shrinking a file can cause worse problems and for things like smbpasswd that won't timeout.
+ */
+ if(lp_skip_ftruncate(SNUM(fsp->conn)) && !fsp->is_sparse) {
+#if 1
+ struct statfs s;
+ if(fstatfs(fsp->fh->fd, &s)) { /* get filesystem type */
+ syslog("Samba: fstatfs fail\n");
+ goto done;
+ }
+ if(s.f_type == 0x2011bab0 ) {
+ syslog("Samba: exFAT Filesystem,length:0x%X\n", len);
+ goto done;
+ }
+ else if(s.f_type == 0x4d44) {
+ syslog("Samba: vFAT/FAT Filesystem,length:0x%X\n", len);
+ goto done;
+ } else
+ syslog("Samba: Skip Filesystem:0x%X\n", s.f_type);
+#else
+ goto done;
+#endif
+ }
/* we used to just check HAVE_FTRUNCATE_EXTEND and only use
ftruncate if the system supports it. Then I discovered that
you can have some filesystems that support ftruncate
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 878cc3a..53e04f9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -235,6 +235,7 @@ static struct loadparm_service sDefault =
.bWidelinks = false,
.bSymlinks = true,
.bSyncAlways = false,
+ .bSkipFtruncate = false,
.bStrictAllocate = false,
.bStrictSync = false,
.magic_char = '~',
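Review bot: The `syslog(...)` calls added to vfswrap_ftruncate (L674, L678, L682, L685) pass the message as the first argument, but syslog(3) takes an `int priority` first, so the string is consumed as the priority and whatever follows (`len`, or nothing) is read as the format string — undefined behaviour and a format-string hazard rather than a log line; `len` is an `off_t` printed with `%X` as well. Samba's own `DEBUG(level, (...))` macro is the right vehicle, and the `#if 1 … #else goto done; #endif` scaffolding should go; the rewritten block is below. `goto done` also returns whatever `result` holds at that point, and in this version vfswrap_ftruncate initialises it to -1 before this hunk, so the skip path would report the truncate as failed with a stale errno — please confirm against the full function, which starts outside the hunk. `fstatfs`/`struct statfs` need `<sys/vfs.h>` in scope, which the patch does not add.
```c
	if (lp_skip_ftruncate(SNUM(fsp->conn)) && !fsp->is_sparse) {
		struct statfs s;
		if (fstatfs(fsp->fh->fd, &s) != 0) {
			DEBUG(1, ("vfswrap_ftruncate: fstatfs failed: %s\n",
				  strerror(errno)));
			goto done;
		}
		/* FAT/exFAT: skip the truncate, see the comment above */
		if (s.f_type == 0x2011bab0 || s.f_type == 0x4d44) {
			DEBUG(5, ("vfswrap_ftruncate: FAT filesystem, skipping "
				  "ftruncate to %jd\n", (intmax_t)len));
			goto done;
		}
		DEBUG(10, ("vfswrap_ftruncate: f_type 0x%lx, truncating\n",
			   (unsigned long)s.f_type));
	}
	/* … unchanged: HAVE_FTRUNCATE_EXTEND comment and the real ftruncate path … */
```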


@ -1,39 +0,0 @@
From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 9 Jul 2015 10:58:11 -0700
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
access outside the share).
Ensure matching component ends in '/' or '\0'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/smbd/vfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
if (!allow_widelinks || !allow_symlinks) {
const char *conn_rootdir;
size_t rootdir_len;
+ bool matched;
conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
}
rootdir_len = strlen(conn_rootdir);
- if (strncmp(conn_rootdir, resolved_name,
- rootdir_len) != 0) {
+ matched = (strncmp(conn_rootdir, resolved_name,
+ rootdir_len) == 0);
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
+ resolved_name[rootdir_len] != '\0')) {
DEBUG(2, ("check_reduced_name: Bad access "
"attempt: %s is a symlink outside the "
"share path\n", fname));


@ -1,88 +0,0 @@
From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clidfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALL
const char *username;
const char *password;
NTSTATUS status;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+
+ if (force_encrypt) {
+ signing_state = Required;
+ }
/* make a copy so we don't modify the global string 'service' */
servicename = talloc_strdup(ctx,share);
@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALL
zero_sockaddr(&ss);
/* have to open a new connection */
- c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
+ c = cli_initialise_ex(signing_state);
if (c == NULL) {
d_printf("Connection to %s failed\n", server_n);
return NULL;
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
const char *username_used;
NTSTATUS status;
char *newserver, *newshare;
+ int signing_state = Undefined;
zero_sockaddr(&ss);
ZERO_STRUCT(c);
@@ -404,8 +405,12 @@ again:
zero_sockaddr(&ss);
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
+
/* have to open a new connection */
- if ((c = cli_initialise()) == NULL) {
+ if ((c = cli_initialise_ex(signing_state)) == NULL) {
errno = ENOMEM;
return NULL;
}
@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
+ int signing_state = Undefined;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
zero_sockaddr(&ss);
nt_status = cli_full_connection(&ipc_cli,
@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
*pp_workgroup,
*pp_password,
flags,
- Undefined);
+ signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));


@ -1,93 +0,0 @@
From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 23 Oct 2015 14:54:31 -0700
Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
snapdir
Fix originally from <partha@exablox.com>
https://bugzilla.samba.org/show_bug.cgi?id=11529
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
---
source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -21,6 +21,8 @@
#include "includes.h"
#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "../libcli/security/security.h"
#include "system/filesys.h"
#include "ntioctl.h"
@@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle
SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
}
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+ const char *path)
+{
+ struct smb_filename smb_fname;
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = talloc_asprintf(talloc_tos(),
+ "%s",
+ path);
+ if (smb_fname.base_name == NULL) {
+ return false;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+
+ status = smbd_check_open_rights(handle->conn,
+ &smb_fname,
+ SEC_DIR_LIST,
+ &access_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("user does not have list permission "
+ "on snapdir %s\n",
+ smb_fname.base_name));
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+ TALLOC_FREE(smb_fname.base_name);
+ return true;
+}
+
static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname)
{
SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
@@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2
SMB_STRUCT_DIRENT *d;
TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
char *snapshot;
+ bool ret;
snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
if (snapdir == NULL) {
@@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2
talloc_free(tmp_ctx);
return -1;
}
+ ret = check_access_snapdir(handle, snapdir);
+ if (!ret) {
+ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
+ errno = EACCES;
+ talloc_free(tmp_ctx);
+ return -1;
+ }
p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);


@ -1,172 +0,0 @@
From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:18:12 -0800
Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
that can be used to prevent operations on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2
files_struct *fsp,
const SMB_STRUCT_STAT *psbuf);
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+ const files_struct *fsp,
+ const char *name)
+{
+ SMB_STRUCT_STAT sbuf;
+ const SMB_STRUCT_STAT *pst = NULL;
+
+ if (fsp) {
+ pst = &fsp->fsp_name->st;
+ } else {
+ int ret = vfs_stat_smb_fname(conn,
+ name,
+ &sbuf);
+ if (ret == -1) {
+ return map_nt_error_from_unix(errno);
+ }
+ pst = &sbuf;
+ }
+ if (S_ISLNK(pst->st_ex_mode)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
/********************************************************************
Roundup a value to the nearest allocation roundup size boundary.
Only do this for Windows clients.
@@ -181,12 +209,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
char **names, **tmp;
size_t num_names;
ssize_t sizeret = -1;
+ NTSTATUS status;
+
+ if (pnames) {
+ *pnames = NULL;
+ }
+ *pnum_names = 0;
if (!lp_ea_support(SNUM(conn))) {
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+ status = refuse_symlink(conn, fsp, fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Just return no EA's on a symlink.
+ */
return NT_STATUS_OK;
}
@@ -236,10 +274,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
if (sizeret == 0) {
TALLOC_FREE(names);
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
return NT_STATUS_OK;
}
@@ -550,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn,
const struct smb_filename *smb_fname, struct ea_list *ea_list)
{
char *fname = NULL;
+ NTSTATUS status;
if (!lp_ea_support(SNUM(conn))) {
return NT_STATUS_EAS_NOT_SUPPORTED;
@@ -559,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+
/* For now setting EAs on streams isn't supported. */
fname = smb_fname->base_name;
@@ -4931,6 +4972,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
uint16 num_file_acls = 0;
uint16 num_def_acls = 0;
+ status = refuse_symlink(conn,
+ fsp,
+ smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
if (fsp && fsp->fh->fd != -1) {
file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
} else {
@@ -6452,6 +6500,7 @@ static NTSTATUS smb_set_posix_acl(connec
uint16 num_def_acls;
bool valid_file_acls = True;
bool valid_def_acls = True;
+ NTSTATUS status;
if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
@@ -6479,6 +6528,11 @@ static NTSTATUS smb_set_posix_acl(connec
return NT_STATUS_INVALID_PARAMETER;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
(unsigned int)num_file_acls,
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struc
return NT_STATUS_OK;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL set on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -1925,6 +1931,12 @@ NTSTATUS smbd_do_query_security_desc(con
return NT_STATUS_ACCESS_DENIED;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL get on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
SECINFO_GROUP|SECINFO_SACL)) {
/* Don't return SECINFO_LABEL if anything else was


@ -1,255 +0,0 @@
From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 1 Dec 2015 08:46:45 +0100
Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
ntlmssp_state->allow_lm_key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---
source3/libsmb/ntlmssp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct nt
* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
*/
if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp
{
/* As per JRA's comment above */
if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (feature & NTLMSSP_FEATURE_CCACHE) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -387,7 +392,12 @@ static NTSTATUS ntlmssp_client_initial(s
}
if (ntlmssp_state->use_ntlmv2) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->allow_lm_key = false;
+ }
+
+ if (ntlmssp_state->allow_lm_key) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
/* generate the ntlmssp negotiate packet */
@@ -422,6 +432,86 @@ static NTSTATUS ntlmssp_client_initial(s
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t flags)
+{
+ uint32_t missing_flags = ntlmssp_state->required_flags;
+
+ if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = true;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = false;
+ }
+
+ /*
+ * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+ */
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+
+ if ((flags & NTLMSSP_REQUEST_TARGET)) {
+ ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ }
+
+ missing_flags &= ~ntlmssp_state->neg_flags;
+ if (missing_flags != 0) {
+ NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
+ DEBUG(1, ("%s: Got challenge flags[0x%08x] "
+ "- possible downgrade detected! "
+ "missing_flags[0x%08x] - %s\n",
+ __func__,
+ (unsigned)flags,
+ (unsigned)missing_flags,
+ nt_errstr(status)));
+ debug_ntlmssp_flags(missing_flags);
+ DEBUGADD(4, ("neg_flags[0x%08x]\n",
+ (unsigned)ntlmssp_state->neg_flags));
+ debug_ntlmssp_flags(ntlmssp_state->neg_flags);
+
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
@@ -448,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge
DATA_BLOB encrypted_session_key = data_blob_null;
NTSTATUS nt_status = NT_STATUS_OK;
+ if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain_blob,
+ &chal_flags)) {
+ DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+ dump_data(2, reply.data, reply.length);
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ data_blob_free(&server_domain_blob);
+
+ DEBUG(3, ("Got challenge flags:\n"));
+ debug_ntlmssp_flags(chal_flags);
+
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
@@ -498,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge
noccache:
- if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
- "NTLMSSP",
- &ntlmssp_command,
- &server_domain_blob,
- &chal_flags)) {
- DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
- dump_data(2, reply.data, reply.length);
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
talloc_tos(), struct CHALLENGE_MESSAGE);
@@ -525,13 +624,6 @@ noccache:
}
}
- data_blob_free(&server_domain_blob);
-
- DEBUG(3, ("Got challenge flags:\n"));
- debug_ntlmssp_flags(chal_flags);
-
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdUdbddB";
@@ -769,6 +861,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
ntlmssp_state->unicode = True;
ntlmssp_state->use_ntlmv2 = use_ntlmv2;
+ ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
@@ -780,6 +873,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
NTLMSSP_NEGOTIATE_KEY_EXCH |
NTLMSSP_REQUEST_TARGET;
+ if (ntlmssp_state->use_ntlmv2) {
+ ntlmssp_state->allow_lm_key = false;
+ }
+
ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
if (!ntlmssp_state->client.netbios_name) {
talloc_free(ntlmssp_state);
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
DATA_BLOB nt_resp;
DATA_BLOB session_key;
+ uint32_t required_flags;
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
/**


@ -1,681 +0,0 @@
From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 26 Sep 2015 01:29:10 +0200
Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base
case NetlogonNetworkTransitiveInformation:
{
const char *wksname = nt_workstation;
+ const char *workgroup = lp_workgroup();
status = make_auth_context_fixed(talloc_tos(), &auth_context,
logon->network->challenge);
@@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base
logon->network->nt.length)) {
status = NT_STATUS_NO_MEMORY;
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ }
break;
}
case NetlogonInteractiveInformation:
@@ -1636,6 +1645,14 @@ static NTSTATUS _netr_LogonSamLogon_base
r->out.validation->sam3);
break;
case 6:
+ /* Only allow this if the pipe is protected. */
+ if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+ get_remote_machine_name()));
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+
status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
r->out.validation->sam6);
break;
@@ -2271,11 +2288,13 @@ NTSTATUS _netr_GetForestTrustInformation
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2371,11 +2390,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1122,8 +1122,8 @@ static bool schan(struct torture_context
generate_random_buffer(chal.data, chal.length);
names_blob = NTLMv2_generate_names_blob(
mem_ctx,
- cli_credentials_get_workstation(user_creds),
- cli_credentials_get_domain(user_creds));
+ cli_credentials_get_workstation(wks_creds),
+ cli_credentials_get_domain(wks_creds));
status = cli_credentials_get_ntlm_response(
user_creds, mem_ctx, &flags, chal, names_blob,
&lm_resp, &nt_resp, NULL, NULL);
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup);
/***********************************************************
encode a password buffer with a unicode password. The buffer
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -26,7 +26,7 @@
#include "../libcli/auth/msrpc_parse.h"
#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../librpc/gen_ndr/ntlmssp.h"
+#include "../librpc/gen_ndr/ndr_ntlmssp.h"
void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
lm_response, nt_response, lm_session_key, user_session_key);
}
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup)
+{
+ TALLOC_CTX *frame = NULL;
+ /* RespType + HiRespType */
+ static const char *magic = "\x01\x01";
+ int cmp;
+ struct NTLMv2_RESPONSE v2_resp;
+ enum ndr_err_code err;
+ const struct AV_PAIR *av_nb_cn = NULL;
+ const struct AV_PAIR *av_nb_dn = NULL;
+
+ if (response.length < 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes.
+ */
+ return NT_STATUS_OK;
+ }
+
+ cmp = memcmp(response.data + 16, magic, 2);
+ if (cmp != 0) {
+ /*
+ * It doesn't look like a valid NTLMv2_RESPONSE
+ */
+ return NT_STATUS_OK;
+ }
+
+ frame = talloc_stackframe();
+
+ err = ndr_pull_struct_blob(&response, frame, &v2_resp,
+ (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
+ if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+ NTSTATUS status;
+ status = ndr_map_error2ntstatus(err);
+ DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
+ "length %u - %s - %s\n",
+ (unsigned)response.length,
+ ndr_map_error2string(err),
+ nt_errstr(status)));
+ dump_data(2, response.data, response.length);
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ if (DEBUGLVL(10)) {
+ NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
+ }
+
+ /*
+ * Make sure the netbios computer name in the
+ * NTLMv2_RESPONSE matches the computer name
+ * in the secure channel credentials for workstation
+ * trusts.
+ *
+ * And the netbios domain name matches our
+ * workgroup.
+ *
+ * This prevents workstations from requesting
+ * the session key of NTLMSSP sessions of clients
+ * to other hosts.
+ */
+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
+ av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbComputerName);
+ av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbDomainName);
+ }
+
+ if (av_nb_cn != NULL) {
+ const char *v = NULL;
+ char *a = NULL;
+ size_t len;
+
+ v = av_nb_cn->Value.AvNbComputerName;
+
+ a = talloc_strdup(frame, creds->account_name);
+ if (a == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ len = strlen(a);
+ if (len > 0 && a[len - 1] == '$') {
+ a[len - 1] = '\0';
+ }
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(a, v);
+#else /* smbd */
+ cmp = StrCaseCmp(a, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbComputerName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+ if (av_nb_dn != NULL) {
+ const char *v = NULL;
+
+ v = av_nb_dn->Value.AvNbDomainName;
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(workgroup, v);
+#else /* smbd */
+ cmp = StrCaseCmp(workgroup, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbDomainName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/***********************************************************
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE',
+ public_deps='MSRPC_PARSE NDR_NTLMSSP',
public_headers='credentials.h:domain_credentials.h'
)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/
PROFILE_OBJ = profile/profile.o
PROFILES_OBJ = utils/profiles.o \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(PARAM_OBJ) \
$(LIB_OBJ) $(LIB_DUMMY_OBJ) \
$(POPT_LIB_OBJ) \
@@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
STATUS_OBJ = utils/status.o utils/status_profile.o \
$(LOCKING_OBJ) $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
@@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
TESTPARM_OBJ = utils/testparm.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
TEST_LP_LOAD_OBJ = param/test_lp_load.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
$(LIB_NONSMBD_OBJ) \
$(PARAM_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
@@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ
$(LIBNDR_GEN_OBJ0)
NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
- $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+ $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
torture/denytest.o torture/mangle_test.o \
@@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARA
$(LIBNDR_GEN_OBJ0)
MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBNDR_GEN_OBJ0)
@@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_
VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
-SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
LOG2PCAP_OBJ = utils/log2pcaphex.o
@@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
EVTLOGADM_OBJ0 = utils/eventlogadm.o
EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
librpc/gen_ndr/ndr_eventlog.o \
librpc/gen_ndr/ndr_lsa.o
SHARESEC_OBJ0 = utils/sharesec.o
SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
- $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
+ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
@libreplacedir@/test/getifaddrs.o \
@@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARA
$(LIBNDR_GEN_OBJ0)
WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
- $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
+ $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
@@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.
DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ)
DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
SPLIT_TOKENS_OBJ = utils/split_tokens.o \
--- a/source4/torture/raw/samba3misc.c
+++ b/source4/torture/raw/samba3misc.c
@@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct tortu
bool ret = true;
TALLOC_CTX *mem_ctx;
bool nt_status_support;
+ bool client_ntlmv2_auth;
if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
d_printf("talloc_init failed\n");
@@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct tortu
}
nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
if (!torture_open_connection(&cli_nt, torture, 0)) {
goto fail;
}
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
if (!torture_open_connection(&cli_dos, torture, 1)) {
goto fail;
@@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct tortu
}
smbcli_deltree(cli_nt->tree, dirname);
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
+ nt_status_support ? "yes":"no"),
+ ret, fail, "Could not set 'nt status support' back to where it was\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no"),
+ ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
status = smbcli_mkdir(cli_nt->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct
static bool torture_samba3_errorpaths(struct torture_context *tctx)
{
bool nt_status_support;
+ bool client_ntlmv2_auth;
struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
bool result = false;
int fnum;
@@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(st
NTSTATUS status;
nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
torture_comment(tctx, "Could not set 'nt status support = yes'\n");
goto fail;
}
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
+ goto fail;
+ }
if (!torture_open_connection(&cli_nt, tctx, 0)) {
goto fail;
}
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
- torture_comment(tctx, "Could not set 'nt status support = yes'\n");
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
goto fail;
}
@@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(st
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
nt_status_support ? "yes":"no")) {
- torture_comment(tctx, "Could not reset 'nt status support = yes'");
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
goto fail;
}
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_st
NTSTATUS status;
/* otherwise do a NT1 style session setup */
+ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
+ /*
+ * Don't send an NTLMv2 response without NTLMSSP
+ * if we want to use spnego support
+ */
+ DEBUG(1, ("Server does not support EXTENDED_SECURITY "
+ " but 'client use spnego = yes"
+ " and 'client ntlmv2 auth = yes'\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
status = cli_session_setup_nt1(cli, user, pass, passlen,
ntpass, ntpasslen, workgroup);
if (!NT_STATUS_IS_OK(status)) {
--- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -9,6 +9,11 @@
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</para>
+
+ <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -28,6 +28,11 @@
NTLMv2 by default, and some sites (particularly those following
'best practice' security polices) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
+
+ <para>When <smbconfoption name="client use spnego"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="raw NTLMv2 auth"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+ extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+ <para>If this option, <command moreinfo="none">lanman auth</command>
+ and <command moreinfo="none">ntlm auth</command> are all disabled,
+ then only clients with SPNEGO support will be permitted.
+ That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
int lp_restrict_anonymous(void);
bool lp_lanman_auth(void);
bool lp_ntlm_auth(void);
+bool lp_raw_ntlmv2_auth(void);
bool lp_client_plaintext_auth(void);
bool lp_client_lanman_auth(void);
bool lp_client_ntlmv2_auth(void);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -336,6 +336,7 @@ struct global {
bool bAllowTrustedDomains;
bool bLanmanAuth;
bool bNTLMAuth;
+ bool bRawNTLMv2Auth;
bool bUseSpnego;
bool bClientLanManAuth;
bool bClientNTLMv2Auth;
@@ -1383,6 +1384,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "raw NTLMv2 auth",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bRawNTLMv2Auth,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "client NTLMv2 auth",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5337,6 +5347,7 @@ static void init_globals(bool reinit_glo
Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
@@ -5819,6 +5830,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domai
FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
+FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -30,6 +30,7 @@
#include "../lib/util/util_pw.h"
#include "lib/winbind_util.h"
#include "passdb.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(st
const char *client_domain,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
+ bool allow_raw = lp_raw_ntlmv2_auth();
+
+ if (!allow_raw && nt_resp.length >= 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes
+ * and should only be supported via NTLMSSP.
+ */
+ DEBUG(2,("Rejecting raw NTLMv2 authentication with "
+ "user [%s\\%s]\n",
+ client_domain, smb_name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return make_user_info_map(user_info, smb_name,
client_domain,
get_remote_machine_name(),
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -127,6 +127,7 @@ sub setup_dc($$)
domain master = yes
domain logons = yes
lanman auth = yes
+ raw NTLMv2 auth = yes
";
my $vars = $self->provision($path,
@@ -230,6 +231,7 @@ sub setup_secserver($$$)
my $secserver_options = "
security = server
password server = $s3dcvars->{SERVER_IP}
+ client ntlmv2 auth = no
";
my $ret = $self->provision($prefix,


@ -1,129 +0,0 @@
From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
ntlmssp_have_feature()
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/include/proto.h | 1 +
source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
return NT_STATUS_OK;
}
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+ uint32_t feature)
+{
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SEAL) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+ if (ntlmssp_state->session_key.length > 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/**
* Request features for the NTLMSSP negotiation
*
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
/* we have a reference conter on ntlmssp_state, if we are signing
then the state will be kept by the signing engine */
+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
</para>
<para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">plain</value>
+<value type="default">sign</value>
</samba:parameter>
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/

View File

@ -1,256 +0,0 @@
From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 12 ++++++++++++
4 files changed, 39 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport inside of winbind. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</para>
</description>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
int lp_winbind_reconnect_delay(void);
int lp_winbind_max_clients(void);
const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
int lp_client_signing(void);
+int lp_client_ipc_signing(void);
int lp_server_signing(void);
int lp_client_ldap_sasl_wrapping(void);
char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
int winbind_expand_groups;
bool bWinbindRefreshTickets;
bool bWinbindOfflineLogon;
+ bool bWinbindSealedPipes;
bool bWinbindNormalizeNames;
bool bWinbindRpcOnly;
bool bCreateKrb5Conf;
@@ -366,6 +367,7 @@ struct global {
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
+ int client_ipc_signing;
int server_signing;
int client_ldap_sasl_wrapping;
int iUsershareMaxShares;
@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "client ipc signing",
+ .type = P_ENUM,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_ipc_signing,
+ .special = NULL,
+ .enum_list = enum_smb_signing_vals,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "server signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind sealed pipes",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bWinbindSealedPipes,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind normalize names",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.bWinbindSealedPipes = True;
Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
Globals.bClientUseSpnego = True;
Globals.client_signing = Auto;
+ Globals.client_ipc_signing = Required;
Globals.server_signing = False;
Globals.bDeferSharingViolations = True;
@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
}
+ if (!lp_is_in_client()) {
+ switch (lp_client_ipc_signing()) {
+ case Required:
+ lp_set_cmdline("client signing", "mandatory");
+ break;
+ case Auto:
+ lp_set_cmdline("client signing", "auto");
+ break;
+ case False:
+ lp_set_cmdline("client signing", "disabled");
+ break;
+ }
+ }
+
init_iconv();
bAllowIncludeRegistry = true;
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
"", /* username */
"", /* domain */
"", /* password */
- 0, lp_client_signing());
+ 0, False);
if ( !NT_STATUS_IS_OK( ret ) ) {
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
TALLOC_FREE(conn->samr_pipe);
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
/* Finally fall back to anonymous. */
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc.syntax_id,
&conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
no_schannel:
if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(netlogon_pipe);
+ invalidate_cm_connection(conn);
+ return result;
+ }
/*
* NetSamLogonEx only works for schannel
*/


@ -1,308 +0,0 @@
From d68424b5ef92f5810760f90e9eeb664572a61e4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Dec 2015 14:49:36 +0100
Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
---
source3/rpcclient/rpcclient.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -1062,10 +1062,9 @@ out_free:
}
}
if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
- /* If neither Integrity or Privacy are requested then
- * Use just Connect level */
+ /* If nothing is requested then default to integrity */
if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
- pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
}
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_au
/* Perform an authenticated DCE-RPC bind
*/
- if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
+ if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
/*
we are doing an authenticated connection,
- but not using sign or seal. We must force
- the CONNECT dcerpc auth type as a NONE auth
- type doesn't allow authentication
- information to be passed.
+ which needs to use [connect], [sign] or [seal].
+ If nothing is specified, we default to [sign] now.
+ This give roughly the same protection as
+ ncacn_np with smb signing.
*/
- conn->flags |= DCERPC_CONNECT;
+ conn->flags |= DCERPC_SIGN;
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="allow dcerpc auth level connect"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether DCERPC services are allowed to
+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+ but no per message integrity nor privacy protection.</para>
+
+ <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+
+ <para>This option yields precedence to the implentation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
void lp_set_passdb_backend(const char *backend);
void widelinks_warning(int snum);
char *lp_ncalrpc_dir(void);
+bool lp_allow_dcerpc_auth_level_connect(void);
/* The following definitions come from param/loadparm_server_role.c */
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -355,6 +355,7 @@ struct global {
bool bUseMmap;
bool bHostnameLookups;
bool bUnixExtensions;
+ bool bAllowDcerpcAuthLevelConnect;
bool bDisableNetbios;
char * szDedicatedKeytabFile;
int iKerberosMethod;
@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "allow dcerpc auth level connect",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "use spnego",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_glo
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
+
Globals.map_to_guest = 0; /* By Default, "Never" */
Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
Globals.enhanced_browsing = true;
@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_
FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
uint32 context_id;
struct ndr_syntax_id syntax;
+ /*
+ * shall we allow "connect" auth level for this interface ?
+ */
+ bool allow_connect;
} PIPE_RPC_FNS;
/*
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -44,6 +44,11 @@
#include "rpc_server/srv_pipe.h"
#include "../librpc/gen_ndr/ndr_dcerpc.h"
#include "../librpc/ndr/ndr_dcerpc.h"
+#include "../librpc/gen_ndr/ndr_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -340,6 +345,8 @@ static bool check_bind_req(struct pipes_
uint32 context_id)
{
struct pipe_rpc_fns *context_fns;
+ const char *interface_name = NULL;
+ bool ok;
DEBUG(3,("check_bind_req for %s\n",
get_pipe_name_from_syntax(talloc_tos(), abstract)));
@@ -390,12 +397,57 @@ static bool check_bind_req(struct pipes_
return False;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ abstract);
+
+ SMB_ASSERT(interface_name != NULL);
+
context_fns->next = context_fns->prev = NULL;
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
context_fns->context_id = context_id;
context_fns->syntax = *abstract;
+ context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+ /*
+ * for the samr and the lsarpc interfaces we don't allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ /*
+ * for the epmapper and echo interfaces we allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ /*
+ * every interface can be modified to allow "connect" auth_level by
+ * using a parametric option like:
+ * allow dcerpc auth level connect:<interface>
+ * e.g.
+ * allow dcerpc auth level connect:samr = yes
+ */
+ context_fns->allow_connect = lp_parm_bool(-1,
+ "allow dcerpc auth level connect",
+ interface_name, context_fns->allow_connect);
+
/* add to the list of open contexts */
DLIST_ADD( p->contexts, context_fns );
@@ -1736,6 +1788,7 @@ static bool api_pipe_request(struct pipe
TALLOC_CTX *frame = talloc_stackframe();
bool ret = False;
PIPE_RPC_FNS *pipe_fns;
+ const char *interface_name = NULL;
if (!p->pipe_bound) {
DEBUG(1, ("Pipe not bound!\n"));
@@ -1757,8 +1810,36 @@ static bool api_pipe_request(struct pipe
return false;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ &pipe_fns->syntax);
+
+ SMB_ASSERT(interface_name != NULL);
+
DEBUG(5, ("Requested \\PIPE\\%s\n",
- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
+ interface_name));
+
+ switch (p->auth.auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ break;
+ default:
+ if (!pipe_fns->allow_connect) {
+ DEBUG(1, ("%s: restrict auth_level_connect access "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__, interface_name,
+ p->auth.auth_type,
+ p->auth.auth_level,
+ derpc_transport_string_by_transport(p->transport),
+ p->client_id->name));
+
+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+ TALLOC_FREE(frame);
+ return true;
+ }
+ break;
+ }
if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -18,3 +18,5 @@ samba3.posix_s3.nbt.dgram.*netlogon2
samba3.*rap.sam.*.useradd # Not provided by Samba 3
samba3.*rap.sam.*.userdelete # Not provided by Samba 3
samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -201,6 +201,8 @@ if sub.returncode == 0:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
+ elif t == "rpc.samr.passwords.validate":
+ plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
else:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct p
struct samr_GetDomPwInfo pw;
struct samr_PwInfo dom_pw_info;
+ if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (r->in.level < 1 || r->in.level > 3) {
return NT_STATUS_INVALID_INFO_CLASS;
}


@ -1,59 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 28 Dec 2016 19:21:49 +0100
Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
This is a backport of upstream commits
b1a056f77e793efc45df34ab7bf78fbec1bf8a59
b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
---
source3/librpc/crypto/gse.c | 1 -
source3/libsmb/clifsinfo.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
&es->s.gss_state->gss_ctx,
srv_name,
GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
GSS_C_INDEFINITE, /* requested ticket lifetime. */
NULL, /* no channel bindings */
p_tok_in,
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,


@ -15,9 +15,9 @@ Reviewed-by: Stefan Metzmacher <metze@samba.org>
--- a/source3/rpc_server/srv_pipe.c --- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c
@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f @@ -383,6 +383,11 @@ bool is_known_pipename(const char *pipen
pipename += 1; {
} NTSTATUS status;
+ if (strchr(pipename, '/')) { + if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename)); + DEBUG(1, ("Refusing open on pipe %s\n", pipename));


@ -1,40 +0,0 @@
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;


@ -1,136 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:02:03 +0200
Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Author: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
SMB_OFF_T startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
SMB_OFF_T startpos;
const char *data;
@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
return;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
SMB_OFF_T startpos;
@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);


@ -1,75 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:01:34 +0200
Subject: CVE-2017-12150
These are the three upstream patches
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
---
libgpo/gpo_fetch.c | 2 +-
source3/lib/util_cmdline.c | 3 +++
source3/libsmb/clidfs.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
return auth_info->signing_state;
}
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
/* If a password was not supplied then
* try again with a null username. */
if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
!NT_STATUS_IS_OK(cli_session_setup(c, "",
"", 0,
"", 0,


@ -1,49 +0,0 @@
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 2 Jan 2018 15:56:03 -0800
Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -176,6 +176,11 @@ static void prune_printername_cache(void
static const char *canon_servername(const char *servername)
{
const char *pservername = servername;
+
+ if (servername == NULL) {
+ return "";
+ }
+
while (*pservername == '\\') {
pservername++;
}
@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if ((version = get_version_id(r->in.architecture)) == -1)
@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if (get_version_id(r->in.architecture) == -1) {
/* this is what NT returns */


@ -1,14 +0,0 @@
--- a/source3/configure
+++ b/source3/configure
@@ -13294,10 +13294,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINF
# see bug 5910, use our replacements if we detect
# a broken system.
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ $as_echo "assuming valid getaddrinfo without bug 5910" >&2
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */


@ -1,8 +1,10 @@
--- a/source3/Makefile.in Index: samba-4.0.26/source3/Makefile.in
+++ b/source3/Makefile.in ===================================================================
@@ -73,22 +73,22 @@ LDAP_LIBS=@LDAP_LIBS@ --- samba-4.0.26.orig/source3/Makefile.in
+++ samba-4.0.26/source3/Makefile.in
@@ -103,25 +103,25 @@ KRB5LIBS=@KRB5_LIBS@
LDAP_LIBS=@LDAP_LIBS@
NSCD_LIBS=@NSCD_LIBS@ NSCD_LIBS=@NSCD_LIBS@
UUID_LIBS=@UUID_LIBS@
LIBWBCLIENT=@LIBWBCLIENT_STATIC@ @LIBWBCLIENT_SHARED@ LIBWBCLIENT=@LIBWBCLIENT_STATIC@ @LIBWBCLIENT_SHARED@
-LIBWBCLIENT_LIBS=@LIBWBCLIENT_LIBS@ -LIBWBCLIENT_LIBS=@LIBWBCLIENT_LIBS@
+LIBWBCLIENT_LIBS=@LIBWBCLIENT_STATIC@ +LIBWBCLIENT_LIBS=@LIBWBCLIENT_STATIC@
@ -11,32 +13,36 @@
DNSSD_LIBS=@DNSSD_LIBS@ DNSSD_LIBS=@DNSSD_LIBS@
AVAHI_LIBS=@AVAHI_LIBS@ AVAHI_LIBS=@AVAHI_LIBS@
POPT_LIBS=@POPTLIBS@ POPT_LIBS=@POPTLIBS@
LIBTALLOC=@LIBTALLOC_STATIC@ @LIBTALLOC_SHARED@ LIBTALLOC=@LIBTALLOC_STATIC@
-LIBTALLOC_LIBS=@LIBTALLOC_LIBS@ -LIBTALLOC_LIBS=@LIBTALLOC_LIBS@
+LIBTALLOC_LIBS=@LIBTALLOC_STATIC@ +LIBTALLOC_LIBS=@LIBTALLOC_STATIC@
LIBTEVENT=@LIBTEVENT_STATIC@ @LIBTEVENT_SHARED@ LIBTEVENT=@LIBTEVENT_STATIC@
LIBTEVENT_LIBS=@LIBTEVENT_LIBS@ LIBTEVENT_LIBS=@LIBTEVENT_LIBS@
LIBREPLACE_LIBS=@LIBREPLACE_LIBS@ LIBREPLACE_LIBS=@LIBREPLACE_LIBS@
LIBTDB=@LIBTDB_STATIC@ @LIBTDB_SHARED@ LIBTDB=@LIBTDB_STATIC@
-LIBTDB_LIBS=@LIBTDB_LIBS@ -LIBTDB_LIBS=@LIBTDB_LIBS@
+LIBTDB_LIBS=@LIBTDB_STATIC@ +LIBTDB_LIBS=@LIBTDB_STATIC@
TDB_DEPS=@TDB_DEPS@ TDB_DEPS=@TDB_DEPS@
LIBNTDB=@LIBNTDB_STATIC@
LIBNTDB_LIBS=@LIBNTDB_LIBS@
NTDB_DEPS=@NTDB_DEPS@
LIBNETAPI=@LIBNETAPI_STATIC@ @LIBNETAPI_SHARED@ LIBNETAPI=@LIBNETAPI_STATIC@ @LIBNETAPI_SHARED@
-LIBNETAPI_LIBS=@LIBNETAPI_LIBS@ -LIBNETAPI_LIBS=@LIBNETAPI_LIBS@
+LIBNETAPI_LIBS=@LIBNETAPI_STATIC@ +LIBNETAPI_LIBS=@LIBNETAPI_STATIC@
LIBSMBCLIENT_LIBS=@LIBSMBCLIENT_LIBS@ LIBSMBCLIENT_LIBS=@LIBSMBCLIENT_LIBS@
LIBSMBSHAREMODES_LIBS=@LIBSMBSHAREMODES_LIBS@ LIBSMBSHAREMODES_LIBS=@LIBSMBSHAREMODES_LIBS@
@@ -216,7 +216,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_P @@ -210,7 +210,8 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_P
# Note that all executable programs now provide for an optional executable suffix. # Note that all executable programs now provide for an optional executable suffix.
-SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ -SBIN_PROGS = bin/smbd bin/nmbd @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+SBIN_PROGS = bin/samba_multicall@EXEEXT@ bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ +SBIN_PROGS = bin/samba_multicall@EXEEXT@ bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+
BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \ BIN_PROGS1 = bin/smbclient bin/net bin/smbspool \
bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@ \ bin/testparm bin/smbstatus bin/smbget \
@@ -1799,6 +1799,42 @@ bin/.dummy: @@ -1851,6 +1852,42 @@ bin/.dummy:
dir=bin $(MAKEDIR); fi dir=bin $(MAKEDIR); fi
@: >> $@ || : > $@ # what a fancy emoticon! @: >> $@ || : > $@ # what a fancy emoticon!
@ -76,12 +82,30 @@
+ $(POPT_LIBS) @SMBD_LIBS@ $(LIBTALLOC_LIBS) $(LIBTEVENT_LIBS) $(LIBTDB_LIBS) \ + $(POPT_LIBS) @SMBD_LIBS@ $(LIBTALLOC_LIBS) $(LIBTEVENT_LIBS) $(LIBTDB_LIBS) \
+ $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS) + $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
+ +
bin/smbd@EXEEXT@: $(BINARY_PREREQS) $(SMBD_OBJ) $(LIBTALLOC) $(LIBTEVENT) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@ bin/smbd: $(BINARY_PREREQS) $(SMBD_OBJ) $(LIBTALLOC) $(LIBTEVENT) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@
@echo Linking $@ @echo Linking $@
@$(CC) -o $@ $(SMBD_OBJ) $(LDFLAGS) $(LDAP_LIBS) @SMBD_FAM_LIBS@ \ @$(CC) -o $@ $(SMBD_OBJ) $(LDFLAGS) $(LDAP_LIBS) @SMBD_FAM_LIBS@ \
Index: samba-4.0.26/source3/configure
===================================================================
--- samba-4.0.26.orig/source3/configure
+++ samba-4.0.26/source3/configure
@@ -14396,10 +14396,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINF
# see bug 5910, use our replacements if we detect
# a broken system.
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ $as_echo "assuming valid getaddrinfo without bug 5910" >&2
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
Index: samba-4.0.26/source3/multi.c
===================================================================
--- /dev/null --- /dev/null
+++ b/source3/multi.c +++ samba-4.0.26/source3/multi.c
@@ -0,0 +1,35 @@ @@ -0,0 +1,36 @@
+#include <stdio.h> +#include <stdio.h>
+#include <string.h> +#include <string.h>
+ +
@ -90,30 +114,31 @@
+extern int smbpasswd_main(int argc, char **argv); +extern int smbpasswd_main(int argc, char **argv);
+ +
+static struct { +static struct {
+ const char *name; + const char *name;
+ int (*func)(int argc, char **argv); + int (*func)(int argc, char **argv);
+} multicall[] = { +} multicall[] = {
+ { "smbd", smbd_main }, + { "smbd", smbd_main },
+ { "nmbd", nmbd_main }, + { "nmbd", nmbd_main },
+ { "smbpasswd", smbpasswd_main }, + { "smbpasswd", smbpasswd_main },
+}; +};
+ +
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0])) +#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
+ +
+int main(int argc, char **argv) +int main(int argc, char **argv)
+{ +{
+ int i; + int i;
+ +
+ for (i = 0; i < ARRAY_SIZE(multicall); i++) { + for (i = 0; i < ARRAY_SIZE(multicall); i++) {
+ if (strstr(argv[0], multicall[i].name)) + if (strstr(argv[0], multicall[i].name))
+ return multicall[i].func(argc, argv); + return multicall[i].func(argc, argv);
+ } + }
+ +
+ fprintf(stderr, "Invalid multicall command, available commands:"); + fprintf(stderr, "Invalid multicall command, available commands:");
+ for (i = 0; i < ARRAY_SIZE(multicall); i++) + for (i = 0; i < ARRAY_SIZE(multicall); i++)
+ fprintf(stderr, " %s", multicall[i].name); + fprintf(stderr, " %s", multicall[i].name);
+ +
+ fprintf(stderr, "\n"); + fprintf(stderr, "\n");
+ +
+ return 1; + return 1;
+} +}
+
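Review bot: The applet dispatch in the new side's `multi.c` selects a command with `strstr(argv[0], multicall[i].name)`, which matches a substring anywhere in the invocation path, so an install directory whose name happens to contain "smbd" or "nmbd" would dispatch the wrong daemon regardless of the actual program name, and `argv[0]` is dereferenced without checking `argc`, which is undefined when the binary is exec'd with an empty argument vector. Matching the basename exactly with `strcmp` removes both problems and makes the choice of applet deterministic; `i` should also be `size_t` to match `ARRAY_SIZE`'s type. The usage loop after the dispatch is unchanged. The rest of this section (the Makefile.in and configure hunks) is a rebase onto 4.0.26 and raises nothing.
```c
int main(int argc, char **argv)
{
	const char *base;
	size_t i;

	if (argc < 1 || argv[0] == NULL)
		goto usage;

	/* compare only the program name, never the directory part */
	base = strrchr(argv[0], '/');
	base = base ? base + 1 : argv[0];

	for (i = 0; i < ARRAY_SIZE(multicall); i++) {
		if (strcmp(base, multicall[i].name) == 0)
			return multicall[i].func(argc, argv);
	}

usage:
	/* … unchanged: "Invalid multicall command" message and name listing … */
	return 1;
}
```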


@ -1,281 +0,0 @@
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1025,7 +1025,7 @@ TEST_LP_LOAD_OBJ = param/test_lp_load.o
PASSWD_UTIL_OBJ = utils/passwd_util.o
-SMBPASSWD_OBJ = utils/smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
+SMBPASSWD_OBJ = utils/owrt_smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
$(GROUPDB_OBJ) $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) \
@@ -1813,7 +1813,7 @@ nmbd/nmbd_multicall.o: nmbd/nmbd.c nmbd/
echo "$(COMPILE_CC_PATH)" 1>&2;\
$(COMPILE_CC_PATH) >/dev/null 2>&1
-utils/smbpasswd_multicall.o: utils/smbpasswd.c utils/smbpasswd.o
+utils/smbpasswd_multicall.o: utils/owrt_smbpasswd.c utils/owrt_smbpasswd.o
@echo Compiling $<.c
@$(COMPILE_CC_PATH) -Dmain=smbpasswd_main && exit 0;\
echo "The following command failed:" 1>&2;\
@@ -1822,7 +1822,7 @@ utils/smbpasswd_multicall.o: utils/smbpa
SMBD_MULTI_O = $(patsubst smbd/server.o,smbd/server_multicall.o,$(SMBD_OBJ))
NMBD_MULTI_O = $(patsubst nmbd/nmbd.o,nmbd/nmbd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(NMBD_OBJ)))
-SMBPASSWD_MULTI_O = $(patsubst utils/smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
+SMBPASSWD_MULTI_O = $(patsubst utils/owrt_smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
MULTI_O = multi.o
MULTICALL_O = $(sort $(SMBD_MULTI_O) $(NMBD_MULTI_O) $(SMBPASSWD_MULTI_O) $(MULTI_O))
--- /dev/null
+++ b/source3/utils/owrt_smbpasswd.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2012 Felix Fietkau <nbd@nbd.name>
+ * Copyright (C) 2008 John Crispin <blogic@openwrt.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "includes.h"
+#include <endian.h>
+#include <stdio.h>
+
+static char buf[256];
+
+static void md4hash(const char *passwd, uchar p16[16])
+{
+ int len;
+ smb_ucs2_t wpwd[129];
+ int i;
+
+ len = strlen(passwd);
+ for (i = 0; i < len; i++) {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ wpwd[i] = (unsigned char)passwd[i];
+#else
+ wpwd[i] = (unsigned char)passwd[i] << 8;
+#endif
+ }
+ wpwd[i] = 0;
+
+ len = len * sizeof(int16);
+ mdfour(p16, (unsigned char *)wpwd, len);
+ ZERO_STRUCT(wpwd);
+}
+
+
+static bool find_passwd_line(FILE *fp, const char *user, char **next)
+{
+ char *p1;
+
+ while (!feof(fp)) {
+ if(!fgets(buf, sizeof(buf) - 1, fp))
+ continue;
+
+ p1 = strchr(buf, ':');
+
+ if (p1 - buf != strlen(user))
+ continue;
+
+ if (strncmp(buf, user, p1 - buf) != 0)
+ continue;
+
+ if (next)
+ *next = p1;
+ return true;
+ }
+ return false;
+}
+
+/* returns -1 if user is not present in /etc/passwd*/
+static int find_uid_for_user(const char *user)
+{
+ FILE *fp;
+ char *p1, *p2, *p3;
+ int ret = -1;
+
+ fp = fopen("/etc/passwd", "r");
+ if (!fp) {
+ printf("failed to open /etc/passwd");
+ goto out;
+ }
+
+ if (!find_passwd_line(fp, user, &p1)) {
+ printf("User %s not found or invalid in /etc/passwd\n", user);
+ goto out;
+ }
+
+ p2 = strchr(p1 + 1, ':');
+ if (!p2)
+ goto out;
+
+ p2++;
+ p3 = strchr(p2, ':');
+ if (!p1)
+ goto out;
+
+ *p3 = '\0';
+ ret = atoi(p2);
+
+out:
+ if(fp)
+ fclose(fp);
+ return ret;
+}
+
+static void smbpasswd_write_user(FILE *fp, const char *user, int uid, const char *password)
+{
+ static uchar nt_p16[NT_HASH_LEN];
+ int len = 0;
+ int i;
+
+ md4hash(strdup(password), nt_p16);
+
+ len += snprintf(buf + len, sizeof(buf) - len, "%s:%u:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:", user, uid);
+ for(i = 0; i < NT_HASH_LEN; i++)
+ len += snprintf(buf + len, sizeof(buf) - len, "%02X", nt_p16[i]);
+
+ snprintf(buf + len, sizeof(buf) - len, ":[U ]:LCT-00000001:\n");
+ fputs(buf, fp);
+}
+
+static void smbpasswd_delete_user(FILE *fp)
+{
+ fpos_t r_pos, w_pos;
+ int len = strlen(buf);
+
+ fgetpos(fp, &r_pos);
+ fseek(fp, -len, SEEK_CUR);
+ fgetpos(fp, &w_pos);
+ fsetpos(fp, &r_pos);
+
+ while (fgets(buf, sizeof(buf) - 1, fp)) {
+ int cur_len = strlen(buf);
+
+ fsetpos(fp, &w_pos);
+ fputs(buf, fp);
+ fgetpos(fp, &w_pos);
+
+ fsetpos(fp, &r_pos);
+ fseek(fp, cur_len, SEEK_CUR);
+ fgetpos(fp, &r_pos);
+ }
+
+ fsetpos(fp, &w_pos);
+ ftruncate(fileno(fp), ftello(fp));
+}
+
+static int usage(const char *progname)
+{
+ fprintf(stderr,
+ "Usage: %s [options] <username>\n"
+ "\n"
+ "Options:\n"
+ " -s read password from stdin\n"
+ " -a add user\n"
+ " -x delete user\n",
+ progname);
+ return 1;
+}
+
+int main(int argc, char **argv)
+{
+ const char *prog = argv[0];
+ const char *user;
+ char *pw1, *pw2;
+ FILE *fp;
+ bool add = false, delete = false, get_stdin = false, found;
+ int ch;
+ int uid;
+
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ while ((ch = getopt(argc, argv, "asx")) != EOF) {
+ switch (ch) {
+ case 's':
+ get_stdin = true;
+ break;
+ case 'a':
+ add = true;
+ break;
+ case 'x':
+ delete = true;
+ break;
+ default:
+ return usage(prog);
+ }
+ }
+
+ if (add && delete)
+ return usage(prog);
+
+ argc -= optind;
+ argv += optind;
+
+ if (!argc)
+ return usage(prog);
+
+ user = argv[0];
+ if (!delete) {
+ uid = find_uid_for_user(user);
+ if (uid < 0) {
+ fprintf(stderr, "Could not find user '%s' in /etc/passwd\n", user);
+ return 2;
+ }
+ }
+
+ fp = fopen("/etc/samba/smbpasswd", "r+");
+ if(!fp) {
+ fprintf(stderr, "Failed to open /etc/samba/smbpasswd");
+ return 3;
+ }
+
+ found = find_passwd_line(fp, user, NULL);
+ if (!add && !found) {
+ fprintf(stderr, "Could not find user '%s' in /etc/samba/smbpasswd\n", user);
+ return 3;
+ }
+
+ if (delete) {
+ smbpasswd_delete_user(fp);
+ goto out;
+ }
+
+ pw1 = get_pass("New SMB password:", get_stdin);
+ if (!pw1)
+ pw1 = strdup("");
+
+ pw2 = get_pass("Retype SMB password:", get_stdin);
+ if (!pw2)
+ pw2 = strdup("");
+
+ if (strcmp(pw1, pw2) != 0) {
+ fprintf(stderr, "Mismatch - password unchanged.\n");
+ goto out_free;
+ }
+
+ if (found)
+ fseek(fp, -strlen(buf), SEEK_CUR);
+ smbpasswd_write_user(fp, user, uid, pw2);
+
+out_free:
+ free(pw1);
+ free(pw2);
+out:
+ fclose(fp);
+ TALLOC_FREE(frame);
+
+ return 0;
+}


@ -1,6 +1,6 @@
--- a/source3/librpc/rpc/rpc_common.c --- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c +++ b/source3/librpc/rpc/rpc_common.c
@@ -119,9 +119,11 @@ static bool initialize_interfaces(void) @@ -120,9 +120,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_netdfs)) { if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false; return false;
} }
@ -14,7 +14,7 @@
} }
--- a/source3/rpcclient/rpcclient.c --- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c
@@ -628,7 +628,9 @@ static struct cmd_set *rpcclient_command @@ -631,7 +631,9 @@ static struct cmd_set *rpcclient_command
netlogon_commands, netlogon_commands,
srvsvc_commands, srvsvc_commands,
dfs_commands, dfs_commands,
@ -24,18 +24,3 @@
epmapper_commands, epmapper_commands,
shutdown_commands, shutdown_commands,
test_commands, test_commands,
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -433,10 +433,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = true;
}
+#ifdef DEVELOPER
ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
if (ok) {
context_fns->allow_connect = true;
}
+#endif
/*
* every interface can be modified to allow "connect" auth_level by
* using a parametric option like:
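Review bot: The new side of this patch drops the `srv_pipe.c` hunk that wrapped the rpcecho `allow_connect = true` block in `#ifdef DEVELOPER` (it survives only on the old side of the section), so unless `check_bind_req` in the 4.0.26 tree already confines the rpcecho test interface to developer builds, the rebased patch silently gives up that fence and lets a non-production interface be bound at the `connect` auth level. Confirm against the 4.0.26 source before merging, and if the block is still unconditional there, carry the `#ifdef DEVELOPER` / `#endif` wrapper forward into the rebased patch. The same question applies to the deleted CVE-2017-12150 and CVE-2018-1050 patch files earlier in this commit: their headers are dated 2017 and 2018, so unless the 4.0.26 tarball already includes equivalent fixes they need to be re-backported rather than dropped.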


@ -1,19 +1,21 @@
--- a/source3/rpc_server/rpc_ep_setup.c --- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c +++ b/source3/rpc_server/rpc_service_setup.c
@@ -1110,6 +1110,10 @@ bool dcesrv_ep_setup(struct tevent_conte @@ -501,10 +501,12 @@
"rpc_server", goto done;
"spoolss", }
"embedded");
+#ifndef PRINTER_SUPPORT +#ifdef PRINTER_SUPPORT
+ if (1) { ok = rpc_setup_spoolss(ev_ctx, msg_ctx);
+ } else if (!ok) {
goto done;
}
+#endif +#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0) {
spoolss_cb.init = spoolss_init_cb; ok = rpc_setup_svcctl(ev_ctx, msg_ctx);
spoolss_cb.shutdown = spoolss_shutdown_cb; if (!ok) {
--- a/source3/rpcclient/rpcclient.c --- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c
@@ -624,7 +624,9 @@ static struct cmd_set *rpcclient_command @@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
lsarpc_commands, lsarpc_commands,
ds_commands, ds_commands,
samr_commands, samr_commands,
@ -23,11 +25,39 @@
netlogon_commands, netlogon_commands,
srvsvc_commands, srvsvc_commands,
dfs_commands, dfs_commands,
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -114,9 +114,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -86,9 +86,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/printing/spoolssd.c --- a/source3/printing/spoolssd.c
+++ b/source3/printing/spoolssd.c +++ b/source3/printing/spoolssd.c
@@ -165,6 +165,10 @@ void start_spoolssd(struct tevent_contex @@ -615,6 +615,10 @@ void start_spoolssd(struct tevent_contex
NTSTATUS status;
int ret; int ret;
bool ok;
+#ifndef PRINTER_SUPPORT +#ifndef PRINTER_SUPPORT
+ return; + return;
@ -35,10 +65,10 @@
+ +
DEBUG(1, ("Forking SPOOLSS Daemon\n")); DEBUG(1, ("Forking SPOOLSS Daemon\n"));
pid = sys_fork(); /*
--- a/source3/utils/net_rpc.c --- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c
@@ -7841,6 +7841,10 @@ int net_rpc_printer(struct net_context * @@ -7879,6 +7879,10 @@ int net_rpc_printer(struct net_context *
{NULL, NULL, 0, NULL, NULL} {NULL, NULL, 0, NULL, NULL}
}; };
@ -51,7 +81,7 @@
d_printf(_("Usage:\n")); d_printf(_("Usage:\n"));
--- a/source3/smbd/reply.c --- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c +++ b/source3/smbd/reply.c
@@ -5255,7 +5255,11 @@ void reply_printopen(struct smb_request @@ -5497,7 +5497,11 @@ void reply_printopen(struct smb_request
return; return;
} }
@ -64,7 +94,7 @@
reply_nterror(req, NT_STATUS_ACCESS_DENIED); reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplopen); END_PROFILE(SMBsplopen);
return; return;
@@ -5361,7 +5365,10 @@ void reply_printqueue(struct smb_request @@ -5603,7 +5607,10 @@ void reply_printqueue(struct smb_request
is really quite gross and only worked when there was only is really quite gross and only worked when there was only
one printer - I think we should now only accept it if they one printer - I think we should now only accept it if they
get it right (tridge) */ get it right (tridge) */
@ -78,7 +108,7 @@
return; return;
--- a/source3/smbd/lanman.c --- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c
@@ -784,6 +784,10 @@ static bool api_DosPrintQGetInfo(struct @@ -784,6 +784,10 @@ static bool api_DosPrintQGetInfo(struct
union spoolss_JobInfo *job_info = NULL; union spoolss_JobInfo *job_info = NULL;
union spoolss_PrinterInfo printer_info; union spoolss_PrinterInfo printer_info;
@ -100,7 +130,7 @@
if (!param_format || !output_format1 || !p) { if (!param_format || !output_format1 || !p) {
return False; return False;
} }
@@ -3105,6 +3113,10 @@ static bool api_RDosPrintJobDel(struct s @@ -3107,6 +3115,10 @@ static bool api_RDosPrintJobDel(struct s
struct spoolss_DevmodeContainer devmode_ctr; struct spoolss_DevmodeContainer devmode_ctr;
enum spoolss_JobControl command; enum spoolss_JobControl command;
@ -111,7 +141,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -3238,6 +3250,10 @@ static bool api_WPrintQueueCtrl(struct s @@ -3240,6 +3252,10 @@ static bool api_WPrintQueueCtrl(struct s
struct sec_desc_buf secdesc_ctr; struct sec_desc_buf secdesc_ctr;
enum spoolss_PrinterControl command; enum spoolss_PrinterControl command;
@ -122,7 +152,7 @@
if (!str1 || !str2 || !QueueName) { if (!str1 || !str2 || !QueueName) {
return False; return False;
} }
@@ -3404,6 +3420,10 @@ static bool api_PrintJobInfo(struct smbd @@ -3406,6 +3422,10 @@ static bool api_PrintJobInfo(struct smbd
union spoolss_JobInfo info; union spoolss_JobInfo info;
struct spoolss_SetJobInfo1 info1; struct spoolss_SetJobInfo1 info1;
@ -133,7 +163,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -4547,6 +4567,10 @@ static bool api_WPrintJobGetInfo(struct @@ -4555,6 +4575,10 @@ static bool api_WPrintJobGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr; struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_JobInfo info; union spoolss_JobInfo info;
@ -144,7 +174,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -4685,6 +4709,10 @@ static bool api_WPrintJobEnumerate(struc @@ -4693,6 +4717,10 @@ static bool api_WPrintJobEnumerate(struc
uint32_t count = 0; uint32_t count = 0;
union spoolss_JobInfo *info; union spoolss_JobInfo *info;
@ -155,7 +185,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -4890,6 +4918,10 @@ static bool api_WPrintDestGetInfo(struct @@ -4898,6 +4926,10 @@ static bool api_WPrintDestGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr; struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_PrinterInfo info; union spoolss_PrinterInfo info;
@ -166,7 +196,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -5026,6 +5058,10 @@ static bool api_WPrintDestEnum(struct sm @@ -5034,6 +5066,10 @@ static bool api_WPrintDestEnum(struct sm
union spoolss_PrinterInfo *info; union spoolss_PrinterInfo *info;
uint32_t count; uint32_t count;
@ -177,7 +207,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -5129,6 +5165,10 @@ static bool api_WPrintDriverEnum(struct @@ -5137,6 +5173,10 @@ static bool api_WPrintDriverEnum(struct
int succnt; int succnt;
struct pack_desc desc; struct pack_desc desc;
@ -188,7 +218,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -5193,6 +5233,10 @@ static bool api_WPrintQProcEnum(struct s @@ -5201,6 +5241,10 @@ static bool api_WPrintQProcEnum(struct s
int succnt; int succnt;
struct pack_desc desc; struct pack_desc desc;
@ -199,7 +229,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -5257,6 +5301,10 @@ static bool api_WPrintPortEnum(struct sm @@ -5265,6 +5309,10 @@ static bool api_WPrintPortEnum(struct sm
int succnt; int succnt;
struct pack_desc desc; struct pack_desc desc;
@ -212,7 +242,7 @@
} }
--- a/source3/smbd/server_exit.c --- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c +++ b/source3/smbd/server_exit.c
@@ -141,7 +141,9 @@ static void exit_server_common(enum serv @@ -186,7 +186,9 @@ static void exit_server_common(enum serv
rpc_eventlog_shutdown(); rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown(); rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown(); rpc_svcctl_shutdown();
@ -224,7 +254,7 @@
rpc_winreg_shutdown(); rpc_winreg_shutdown();
--- a/source3/smbd/open.c --- a/source3/smbd/open.c
+++ b/source3/smbd/open.c +++ b/source3/smbd/open.c
@@ -1608,6 +1608,9 @@ static NTSTATUS open_file_ntcreate(conne @@ -1986,6 +1986,9 @@ static NTSTATUS open_file_ntcreate(conne
* Most of the passed parameters are ignored. * Most of the passed parameters are ignored.
*/ */
@ -236,8 +266,8 @@
} }
--- a/source3/smbd/close.c --- a/source3/smbd/close.c
+++ b/source3/smbd/close.c +++ b/source3/smbd/close.c
@@ -643,6 +643,9 @@ static NTSTATUS close_normal_file(struct @@ -831,6 +831,9 @@ static NTSTATUS close_normal_file(struct
status = ntstatus_keeperror(status, tmp); }
if (fsp->print_file) { if (fsp->print_file) {
+#ifndef PRINTER_SUPPORT +#ifndef PRINTER_SUPPORT
@ -248,7 +278,7 @@
file_free(req, fsp); file_free(req, fsp);
--- a/source3/smbd/fileio.c --- a/source3/smbd/fileio.c
+++ b/source3/smbd/fileio.c +++ b/source3/smbd/fileio.c
@@ -298,6 +298,10 @@ ssize_t write_file(struct smb_request *r @@ -318,6 +318,10 @@ ssize_t write_file(struct smb_request *r
uint32_t t; uint32_t t;
int ret; int ret;
@ -261,9 +291,9 @@
errno = ret; errno = ret;
--- a/source3/smbd/smb2_create.c --- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c
@@ -486,7 +486,10 @@ static struct tevent_req *smbd_smb2_crea @@ -525,7 +525,10 @@ static struct tevent_req *smbd_smb2_crea
info = FILE_WAS_OPENED; }
} else if (CAN_PRINT(smb1req->conn)) {
status = file_new(smb1req, smb1req->conn, &result); status = file_new(smb1req, smb1req->conn, &result);
- if(!NT_STATUS_IS_OK(status)) { - if(!NT_STATUS_IS_OK(status)) {
+#ifdef PRINTER_SUPPORT +#ifdef PRINTER_SUPPORT
@ -273,37 +303,9 @@
tevent_req_nterror(req, status); tevent_req_nterror(req, status);
return tevent_req_post(req, ev); return tevent_req_post(req, ev);
} }
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -85,9 +85,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -113,9 +113,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/smbd/process.c --- a/source3/smbd/process.c
+++ b/source3/smbd/process.c +++ b/source3/smbd/process.c
@@ -2423,8 +2423,10 @@ static bool housekeeping_fn(const struct @@ -2691,8 +2691,10 @@ static bool housekeeping_fn(const struct
change_to_root_user(); change_to_root_user();
@ -316,31 +318,52 @@
check_reload(sconn, time_mono(NULL)); check_reload(sconn, time_mono(NULL));
--- a/source3/smbd/server.c --- a/source3/smbd/server.c
+++ b/source3/smbd/server.c +++ b/source3/smbd/server.c
@@ -123,7 +123,9 @@ static void smb_pcap_updated(struct mess @@ -1486,6 +1486,7 @@
{ start_lsasd(ev_ctx, msg_ctx);
struct tevent_context *ev_ctx = }
talloc_get_type_abort(private_data, struct tevent_context);
- +#ifdef PRINTER_SUPPORT
+#ifndef PRINTER_SUPPORT if (!lp__disable_spoolss() &&
+ return; (rpc_spoolss_daemon() != RPC_DAEMON_DISABLED)) {
+#endif bool bgq = lp_parm_bool(-1, "smbd", "backgroundqueue", true);
DEBUG(10,("Got message saying pcap was updated. Reloading.\n")); @@ -1499,6 +1502,7 @@
change_to_root_user(); if (!printing_subsystem_init(ev_ctx, msg_ctx, false, false)) {
reload_printers(ev_ctx, msg); exit(1);
@@ -1277,6 +1279,7 @@ extern void build_options(bool screen);
* The print backend init also migrates the printing tdb's,
* this requires a winreg pipe.
*/
+#ifdef PRINTER_SUPPORT
if (!print_backend_init(smbd_messaging_context()))
exit(1);
@@ -1315,7 +1318,7 @@ extern void build_options(bool screen);
smbd_messaging_context());
} }
}
-
+#endif +#endif
}
if (!is_daemon) { if (!is_daemon) {
/* inetd mode */ @@ -1531,12 +1533,14 @@
TALLOC_FREE(frame); if (!open_sockets_smbd(parent, ev_ctx, msg_ctx, ports))
exit_server("open_sockets_smbd() failed");
+#ifdef PRINTER_SUPPORT
/* do a printer update now that all messaging has been set up,
* before we allow clients to start connecting */
if (!lp__disable_spoolss() &&
(rpc_spoolss_daemon() != RPC_DAEMON_DISABLED)) {
printing_subsystem_update(ev_ctx, msg_ctx, false);
}
+#endif
TALLOC_FREE(frame);
/* make sure we always have a valid stackframe */
--- a/source3/printing/pcap.c 2013-02-04 00:05:58.830980941 +0100
+++ b/source3/printing/pcap.c 2013-02-04 00:06:53.633937357 +0100
@@ -132,6 +132,7 @@
void (*post_cache_fill_fn)(struct tevent_context *,
struct messaging_context *))
{
+#ifdef PRINTER_SUPPORT
const char *pcap_name = lp_printcapname();
bool pcap_reloaded = False;
bool post_cache_fill_fn_handled = false;
@@ -200,6 +201,7 @@
pcap_cache_destroy_specific(&pcache);
return;
+#endif
}
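Review bot: The `pcap.c` hunks at the end of the new side use a different idiom from the rest of this patch: `#ifdef PRINTER_SUPPORT` is opened right after the function's `{`, wrapping the local declarations, and closed after the final `return;`, leaving an empty body (with now-unused parameters, hence `-Wunused-parameter` noise) when the macro is undefined, whereas the `spoolssd.c` hunk in the same section gates the same way with an early `#ifndef PRINTER_SUPPORT` / `return;` / `#endif`. Using the early-return form here too keeps one pattern across the patch and leaves the declarations untouched; the function's name and signature start outside the hunk. The `pcap.c` file headers also carry timestamps and the hunk headers lack function context, unlike every other file in the section, which suggests they were generated with a different tool and would be worth regenerating with `diff -p` style headers for consistency.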


@ -1,88 +0,0 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -95,9 +95,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
@@ -141,9 +143,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
return false;
}
+#endif
return true;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -918,6 +918,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -966,6 +967,7 @@ static bool dssetup_init_cb(void *ptr)
return true;
}
+#endif
static bool wkssvc_init_cb(void *ptr)
{
@@ -1172,12 +1174,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
#endif
+#ifdef ACTIVE_DIRECTORY
dssetup_cb.init = dssetup_init_cb;
dssetup_cb.shutdown = NULL;
dssetup_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_dssetup_init(&dssetup_cb))) {
return false;
}
+#endif
wkssvc_cb.init = wkssvc_init_cb;
wkssvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -132,7 +132,9 @@ static void exit_server_common(enum serv
if (am_parent) {
rpc_wkssvc_shutdown();
+#ifdef ACTIVE_DIRECTORY
rpc_dssetup_shutdown();
+#endif
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3391,12 +3391,14 @@ NTSTATUS cli_rpc_pipe_open_noauth_transp
status = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(status)) {
int lvl = 0;
+#ifdef ACTIVE_DIRECTORY
if (ndr_syntax_id_equal(interface,
&ndr_table_dssetup.syntax_id)) {
/* non AD domains just don't have this pipe, avoid
* level 0 statement in that case - gd */
lvl = 3;
}
+#endif
DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
"%s failed with error %s\n",
get_pipe_name_from_syntax(talloc_tos(), interface),


@ -1,6 +1,38 @@
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -508,6 +508,7 @@
}
#endif
+#ifdef EXTRA_SERVICES
ok = rpc_setup_svcctl(ev_ctx, msg_ctx);
if (!ok) {
goto done;
@@ -522,6 +523,7 @@
if (!ok) {
goto done;
}
+#endif
ok = rpc_setup_initshutdown(ev_ctx, msg_ctx);
if (!ok) {
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -183,9 +183,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/librpc/rpc/rpc_common.c --- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c +++ b/source3/librpc/rpc/rpc_common.c
@@ -131,6 +131,7 @@ static bool initialize_interfaces(void) @@ -130,6 +130,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_initshutdown)) { if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
return false; return false;
} }
@ -8,7 +40,7 @@
if (!smb_register_ndr_interface(&ndr_table_svcctl)) { if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
return false; return false;
} }
@@ -140,6 +141,7 @@ static bool initialize_interfaces(void) @@ -139,6 +140,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) { if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
return false; return false;
} }
@ -16,75 +48,9 @@
if (!smb_register_ndr_interface(&ndr_table_epmapper)) { if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false; return false;
} }
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -697,6 +697,7 @@ static bool spoolss_shutdown_cb(void *pt
return true;
}
+#ifdef EXTRA_SERVICES
static bool svcctl_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -733,6 +734,7 @@ static bool svcctl_init_cb(void *ptr)
return true;
}
+#endif
static bool svcctl_shutdown_cb(void *ptr)
{
@@ -741,6 +743,8 @@ static bool svcctl_shutdown_cb(void *ptr
return true;
}
+#ifdef EXTRA_SERVICES
+
static bool ntsvcs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -802,6 +806,7 @@ static bool eventlog_init_cb(void *ptr)
return true;
}
+#endif
static bool initshutdown_init_cb(void *ptr)
{
@@ -1130,6 +1135,7 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef EXTRA_SERVICES
svcctl_cb.init = svcctl_init_cb;
svcctl_cb.shutdown = svcctl_shutdown_cb;
svcctl_cb.private_data = ep_ctx;
@@ -1150,6 +1156,7 @@ bool dcesrv_ep_setup(struct tevent_conte
if (!NT_STATUS_IS_OK(rpc_eventlog_init(&eventlog_cb))) {
return false;
}
+#endif
initshutdown_cb.init = initshutdown_init_cb;
initshutdown_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -140,9 +140,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
- rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+ rpc_ntsvcs_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/rpcclient/rpcclient.c --- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c
@@ -637,9 +637,11 @@ static struct cmd_set *rpcclient_command @@ -640,9 +640,11 @@ static struct cmd_set *rpcclient_command
shutdown_commands, shutdown_commands,
test_commands, test_commands,
wkssvc_commands, wkssvc_commands,
@ -94,5 +60,5 @@
eventlog_commands, eventlog_commands,
+#endif +#endif
winreg_commands, winreg_commands,
fss_commands,
NULL NULL
};
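Review bot: The rewritten patch begins directly at `--- a/source3/rpc_server/rpc_service_setup.c` with no header text, so nothing in the file records that `EXTRA_SERVICES` gates the svcctl, ntsvcs and eventlog RPC endpoints, or where that symbol is expected to be defined. I would add a two- or three-line description above the first `---` naming the three services being compiled out, the build symbol that enables them, and the reason (binary size on embedded targets, presumably). The other modified patches in this commit (the WINREG_SUPPORT, DSREP_SERVICES and lanman patches) appear to start at `---` as well and would benefit from the same header.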


@ -1,65 +1,34 @@
--- a/source3/rpc_server/rpc_ep_setup.c --- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c +++ b/source3/rpc_server/rpc_service_setup.c
@@ -409,6 +409,7 @@ static bool epmapper_shutdown_cb(void *p @@ -394,10 +394,12 @@ static bool eventlog_init_cb(void *ptr)
return true; talloc_get_type_abort(ptr, struct messaging_context);
} bool ok;
+#ifdef WINREG_SUPPORT +#ifdef WINREG_SUPPORT
static bool winreg_init_cb(void *ptr) ok = eventlog_init_winreg(msg_ctx);
{
struct dcesrv_ep_context *ep_ctx =
@@ -456,6 +457,7 @@ static bool winreg_init_cb(void *ptr)
return true;
}
+#endif
static bool srvsvc_init_cb(void *ptr)
{
@@ -710,10 +712,12 @@ static bool svcctl_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = svcctl_init_winreg(ep_ctx->msg_ctx);
if (!ok) { if (!ok) {
return false; return false;
} }
+#endif +#endif
/* initialize the control hooks */ return true;
init_service_op_table(); }
@@ -785,10 +789,12 @@ static bool eventlog_init_cb(void *ptr) @@ -454,10 +456,12 @@ static bool svcctl_init_cb(void *ptr)
"epmapper", return false;
"none"); }
+#ifdef WINREG_SUPPORT +#ifdef WINREG_SUPPORT
ok = eventlog_init_winreg(ep_ctx->msg_ctx); ok = rpc_setup_winreg(ev_ctx, msg_ctx);
if (!ok) { if (!ok) {
return false; goto done;
} }
+#endif +#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0 || ok = rpc_setup_srvsvc(ev_ctx, msg_ctx);
StrCaseCmp(rpcsrv_type, "daemon") == 0) { if (!ok) {
@@ -1077,12 +1083,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef WINREG_SUPPORT
winreg_cb.init = winreg_init_cb;
winreg_cb.shutdown = NULL;
winreg_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_winreg_init(&winreg_cb))) {
return false;
}
+#endif
srvsvc_cb.init = srvsvc_init_cb;
srvsvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c --- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c +++ b/source3/smbd/server_exit.c
@@ -150,7 +150,9 @@ static void exit_server_common(enum serv @@ -193,7 +193,9 @@ static void exit_server_common(enum serv
#endif #endif
rpc_srvsvc_shutdown(); rpc_srvsvc_shutdown();
@ -71,7 +40,7 @@
rpc_samr_shutdown(); rpc_samr_shutdown();
--- a/source3/librpc/rpc/rpc_common.c --- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c +++ b/source3/librpc/rpc/rpc_common.c
@@ -112,9 +112,11 @@ static bool initialize_interfaces(void) @@ -111,9 +111,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_wkssvc)) { if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
return false; return false;
} }
@ -85,7 +54,7 @@
return false; return false;
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c --- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c +++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -95,9 +95,11 @@ bool init_service_op_table( void ) @@ -96,9 +96,11 @@ bool init_service_op_table( void )
svcctl_ops[i].ops = &netlogon_svc_ops; svcctl_ops[i].ops = &netlogon_svc_ops;
i++; i++;
@ -134,13 +103,13 @@
return NULL; return NULL;
--- a/source3/rpcclient/rpcclient.c --- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c
@@ -642,7 +642,9 @@ static struct cmd_set *rpcclient_command @@ -645,7 +645,9 @@ static struct cmd_set *rpcclient_command
drsuapi_commands, drsuapi_commands,
eventlog_commands, eventlog_commands,
#endif #endif
+#ifdef WINREG_SUPPORT +#ifdef WINREG_SUPPORT
winreg_commands, winreg_commands,
+#endif +#endif
fss_commands,
NULL NULL
}; };
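Review bot: In the new eventlog_init_cb hunk the only use of `ok` (`ok = eventlog_init_winreg(msg_ctx);`) is now inside `#ifdef WINREG_SUPPORT`, while the declaration `bool ok;` in the context line above stays unconditional, so a build without WINREG_SUPPORT gets an unused-variable warning for `ok` (and likely for `msg_ctx`, which seems to have no other use in the shown lines) and fails under -Werror. Starting the guard one line earlier, before `bool ok;` and the `msg_ctx` initialiser, or giving the function a single `#ifndef WINREG_SUPPORT` early `return true;` path, avoids this; the function's opening is outside the hunk. Separately, the hunk labelled `@@ -454,10 +456,12 @@ static bool svcctl_init_cb(void *ptr)` has a body (`ok = rpc_setup_winreg(ev_ctx, msg_ctx);` followed by `goto done;`) that looks like the service-setup function rather than svcctl_init_cb, so the function context in that header appears stale and is worth regenerating.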


@ -1,71 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -881,6 +881,7 @@ static bool rpcecho_init_cb(void *ptr) {
#endif
+#ifdef DFS_SUPPORT
static bool netdfs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -928,6 +929,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#endif
#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
@@ -1173,12 +1175,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef DFS_SUPPORT
netdfs_cb.init = netdfs_init_cb;
netdfs_cb.shutdown = NULL;
netdfs_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netdfs_init(&netdfs_cb))) {
return false;
}
+#endif
#ifdef DEVELOPER
rpcecho_cb.init = rpcecho_init_cb;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -122,9 +122,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef DFS_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
+#endif
#ifdef DEVELOPER
if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -138,7 +138,9 @@ static void exit_server_common(enum serv
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
+#ifdef DFS_SUPPORT
rpc_netdfs_shutdown();
+#endif
rpc_initshutdown_shutdown();
#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -629,7 +629,9 @@ static struct cmd_set *rpcclient_command
#endif
netlogon_commands,
srvsvc_commands,
+#ifdef DFS_SUPPORT
dfs_commands,
+#endif
#ifdef DEVELOPER
echo_commands,
#endif


@ -1,213 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
return true;
}
+#endif
static bool spoolss_init_cb(void *ptr)
{
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
netlogon_cb.shutdown = NULL;
netlogon_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
return false;
}
+#endif
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server",
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
return false;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
rpc_winreg_shutdown();
#endif
+#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
+#endif
rpc_samr_shutdown();
rpc_lsarpc_shutdown();
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
i++;
#endif
+#ifdef NETLOGON_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#endif
#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
NTSTATUS status;
const char *pdc_name;
+#ifndef NETLOGON_SUPPORT
+ return;
+#endif
+
in_addr_to_sockaddr_storage(&ss, p->ip);
pss = iface_ip((struct sockaddr *)&ss);
if (!pss) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
+#ifdef NETLOGON_SUPPORT
netlogon_commands,
+#endif
srvsvc_commands,
#ifdef DFS_SUPPORT
dfs_commands,
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
}
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
NTSTATUS nt_status;
switch (sec_channel_type) {
+#ifdef NETLOGON_SUPPORT
case SEC_CHAN_WKSTA:
case SEC_CHAN_DOMAIN:
break;
+#endif
default:
return NT_STATUS_NOT_SUPPORTED;
}
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
*num_domains = 0;
*sids = NULL;
+#ifndef NETLOGON_SUPPORT
+ return False;
+#endif
+
+
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+#ifndef NETLOGON_SUPPORT
+ return NT_STATUS_UNSUCCESSFUL;
+#endif
+
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
domain));
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
NTSTATUS auth_domain_init(void)
{
+#ifdef NETLOGON_SUPPORT
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
+#endif
return NT_STATUS_OK;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
+#ifdef NETLOGON_SUPPORT
/* Change machine password if neccessary. */
attempt_machine_password_change();
+#endif
/*
* Force a log file check.
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
/*
* for the epmapper and echo interfaces we allow "connect"
* auth_level by default.
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
struct schannel_state);
struct tevent_req *subreq;
+#ifndef NETLOGON_SUPPORT
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+#endif
if (schannel_auth == NULL ||
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
&ndr_table_netlogon.syntax_id)) {


@ -1,162 +0,0 @@
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -59,8 +59,11 @@ struct handle_list {
static bool is_samr_lsa_pipe(const struct ndr_syntax_id *syntax)
{
- return (ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id)
- || ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id));
+ return
+#ifdef SAMR_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
+#endif
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -100,9 +100,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef SAMR_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -557,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -605,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#endif
#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
@@ -1111,12 +1113,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
samr_cb.shutdown = NULL;
samr_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_samr_init(&samr_cb))) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -159,7 +159,9 @@ static void exit_server_common(enum serv
#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
#endif
+#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
+#endif
rpc_lsarpc_shutdown();
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -623,7 +623,9 @@ static struct cmd_set *rpcclient_command
rpcclient_commands,
lsarpc_commands,
ds_commands,
+#ifdef SAMR_SUPPORT
samr_commands,
+#endif
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2353,6 +2353,10 @@ static bool api_RNetGroupEnum(struct smb
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2541,6 +2545,10 @@ static bool api_NetUserGetGroups(struct
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
@@ -2741,6 +2749,10 @@ static bool api_RNetUserEnum(struct smbd
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2979,6 +2991,10 @@ static bool api_SamOEMChangePassword(str
int bufsize;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
*rparam_len = 4;
*rparam = smb_realloc_limit(*rparam,*rparam_len);
if (!*rparam) {
@@ -4020,6 +4036,10 @@ static bool api_RNetUserGetInfo(struct s
union samr_UserInfo *info;
struct dcerpc_binding_handle *b = NULL;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -409,6 +409,7 @@ static bool check_bind_req(struct pipes_
context_fns->syntax = *abstract;
context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+#ifdef SAMR_SUPPORT
/*
* for the samr and the lsarpc interfaces we don't allow "connect"
* auth_level by default.
@@ -417,6 +418,7 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#endif
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;


@ -30,7 +30,7 @@
"supported by backend"); "supported by backend");
--- a/source3/smbd/server.c --- a/source3/smbd/server.c
+++ b/source3/smbd/server.c +++ b/source3/smbd/server.c
@@ -1230,8 +1230,10 @@ extern void build_options(bool screen); @@ -1413,8 +1413,10 @@ extern void build_options(bool screen);
exit(1); exit(1);
} }


@ -1,6 +1,6 @@
--- a/source3/smbd/lanman.c --- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c
@@ -2197,6 +2197,10 @@ static bool api_RNetShareAdd(struct smbd @@ -2199,6 +2199,10 @@ static bool api_RNetShareAdd(struct smbd
struct srvsvc_NetShareInfo2 info2; struct srvsvc_NetShareInfo2 info2;
struct dcerpc_binding_handle *b; struct dcerpc_binding_handle *b;
@ -11,7 +11,7 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
} }
@@ -3589,10 +3593,7 @@ static bool api_RNetServerGetInfo(struct @@ -3575,10 +3579,7 @@ static bool api_RNetServerGetInfo(struct
NTSTATUS status; NTSTATUS status;
WERROR werr; WERROR werr;
TALLOC_CTX *mem_ctx = talloc_tos(); TALLOC_CTX *mem_ctx = talloc_tos();
@ -22,13 +22,13 @@
if (!str1 || !str2 || !p) { if (!str1 || !str2 || !p) {
return False; return False;
@@ -3655,66 +3656,16 @@ static bool api_RNetServerGetInfo(struct @@ -3641,66 +3642,16 @@
p = *rdata; p = *rdata;
p2 = p + struct_len; p2 = p + struct_len;
- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id, - status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
- conn->session_info, - conn->session_info,
- &conn->sconn->client_id, - conn->sconn->remote_address,
- conn->sconn->msg_ctx, - conn->sconn->msg_ctx,
- &cli); - &cli);
- if (!NT_STATUS_IS_OK(status)) { - if (!NT_STATUS_IS_OK(status)) {
@ -61,10 +61,9 @@
- -
if (uLevel != 20) { if (uLevel != 20) {
- srvstr_push(NULL, 0, p, info.info101->server_name, 16, - srvstr_push(NULL, 0, p, info.info101->server_name, 16,
+ srvstr_push(NULL, 0, p, global_myname(), 16, + srvstr_push(NULL, 0, p, lp_netbios_name(), 16,
STR_ASCII|STR_UPPER|STR_TERMINATE); STR_ASCII|STR_UPPER|STR_TERMINATE);
- } }
+ }
p += 16; p += 16;
if (uLevel > 0) { if (uLevel > 0) {
- SCVAL(p,0,info.info101->version_major); - SCVAL(p,0,info.info101->version_major);
@ -88,14 +87,14 @@
- return False; - return False;
- } - }
- } - }
+ SCVAL(p,0,lp_major_announce_version()); + SCVAL(p,0,SAMBA_MAJOR_NBT_ANNOUNCE_VERSION);
+ SCVAL(p,1,lp_minor_announce_version()); + SCVAL(p,1,SAMBA_MINOR_NBT_ANNOUNCE_VERSION);
+ SIVAL(p,2,lp_default_server_announce()); + SIVAL(p,2,lp_default_server_announce());
+ SIVAL(p,6,0); + SIVAL(p,6,0);
} }
if (uLevel > 1) { if (uLevel > 1) {
@@ -5405,6 +5356,10 @@ static bool api_RNetSessionEnum(struct s @@ -5393,6 +5344,10 @@ static bool api_RNetSessionEnum(struct s
uint32_t totalentries, resume_handle = 0; uint32_t totalentries, resume_handle = 0;
uint32_t count = 0; uint32_t count = 0;
@ -108,7 +107,7 @@
} }
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c --- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c +++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -1533,6 +1533,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi @@ -1445,6 +1445,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi
TALLOC_CTX *ctx = p->mem_ctx; TALLOC_CTX *ctx = p->mem_ctx;
union srvsvc_NetShareInfo *info = r->in.info; union srvsvc_NetShareInfo *info = r->in.info;
@ -119,7 +118,7 @@
DEBUG(5,("_srvsvc_NetShareSetInfo: %d\n", __LINE__)); DEBUG(5,("_srvsvc_NetShareSetInfo: %d\n", __LINE__));
if (!r->in.share_name) { if (!r->in.share_name) {
@@ -1763,6 +1767,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_ @@ -1675,6 +1679,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_
int max_connections = 0; int max_connections = 0;
TALLOC_CTX *ctx = p->mem_ctx; TALLOC_CTX *ctx = p->mem_ctx;
@ -130,7 +129,7 @@
DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__)); DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__));
if (r->out.parm_error) { if (r->out.parm_error) {
@@ -1945,6 +1953,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_ @@ -1857,6 +1865,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_
struct share_params *params; struct share_params *params;
TALLOC_CTX *ctx = p->mem_ctx; TALLOC_CTX *ctx = p->mem_ctx;


@ -0,0 +1,17 @@
--- a/source3/librpc/rpc/rpc_common.c 2013-02-04 14:33:53.119988894 +0100
+++ b/source3/librpc/rpc/rpc_common.c 2013-02-04 14:35:04.167465045 +0100
@@ -146,12 +146,14 @@
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
+#ifdef DSREP_SERVICES
if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
return false;
}
if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
return false;
}
+#endif
return true;
}
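Review bot: The new `DSREP_SERVICES` guard drops the registration of `ndr_table_FileServerVssAgent` together with `ndr_table_drsuapi`, although the FSS agent is a file-server interface unrelated to directory replication, and the rpcclient command table patched elsewhere in this commit keeps `fss_commands` unconditionally; since rpc_common.c looks shared between client and server, fss binds may stop resolving when DSREP_SERVICES is undefined. I would move `+#endif` up to directly after the drsuapi block's closing `}` so the FSS registration stays unconditional, or give it its own symbol. The name also departs from the `*_SUPPORT` / `EXTRA_SERVICES` convention used by the sibling patches, and the `---`/`+++` lines carry local timestamps (`2013-02-04 14:33:53.119988894 +0100`) that are noise in a tracked patch.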


@ -1,88 +0,0 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -92,9 +92,11 @@ bool smb_register_ndr_interface(const st
static bool initialize_interfaces(void)
{
+#ifdef LSA_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#endif
#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -162,7 +162,9 @@ static void exit_server_common(enum serv
#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
#endif
+#ifdef LSA_SUPPORT
rpc_lsarpc_shutdown();
+#endif
}
/*
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -508,6 +508,7 @@ static bool srvsvc_init_cb(void *ptr)
return true;
}
+#ifdef LSA_SUPPORT
static bool lsarpc_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -556,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#endif
#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
@@ -1106,12 +1108,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
+#ifdef LSA_SUPPORT
lsarpc_cb.init = lsarpc_init_cb;
lsarpc_cb.shutdown = NULL;
lsarpc_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_lsarpc_init(&lsarpc_cb))) {
return false;
}
+#endif
#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -63,7 +63,10 @@ static bool is_samr_lsa_pipe(const struc
#ifdef SAMR_SUPPORT
ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
#endif
- ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
+#ifdef LSA_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id) ||
+#endif
+ false;
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -419,10 +419,12 @@ static bool check_bind_req(struct pipes_
context_fns->allow_connect = false;
}
#endif
+#ifdef LSA_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {


@ -1,11 +1,11 @@
--- a/lib/util/util.h --- a/lib/util/samba_util.h
+++ b/lib/util/util.h +++ b/lib/util/samba_util.h
@@ -53,7 +53,7 @@ extern const char *panic_action; @@ -48,7 +48,7 @@ extern const char *panic_action;
#else #define SMB_ASSERT(b) \
/* redefine the assert macro for non-developer builds */ do { \
#define SMB_ASSERT(b) do { if (!(b)) { \ if (!(b)) { \
- DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \ - DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
+ DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \ + DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \
__FILE__, __LINE__, #b)); }} while (0) __FILE__, __LINE__, #b)); \
#endif smb_panic("assert failed: " #b); \
} \
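Review bot: Lowering the assert-failure message from `DEBUG(0, ...)` to `DEBUG(3, ...)` hides the file, line and failed expression at the default log level, while the `smb_panic("assert failed: " #b);` that now follows it in the 4.0 macro still terminates the process, so an operator sees a crash but not its cause unless the log level is raised to 3. This path only runs when the daemon is about to panic, so it is not a source of log noise in normal operation, and the old side's comment suggests this is the macro for non-developer builds, which are exactly the ones that will be diagnosed from logs. I would keep level 0 here, or at minimum state in a patch header why the level was lowered; the start of the SMB_ASSERT definition is outside the shown lines.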


@ -1,3 +1,39 @@
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -71,7 +71,11 @@ typedef uint32_t tdb_off_t;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style
* argument. */
+#ifdef VERBOSE_DEBUG
#define TDB_LOG(x) tdb->log.log_fn x
+#else
+#define TDB_LOG(x) do {} while(0)
+#endif
#ifdef TDB_TRACE
void tdb_trace(struct tdb_context *tdb, const char *op);
--- a/source3/script/mkbuildoptions.awk
+++ b/source3/script/mkbuildoptions.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/buildtools/wafsamba/samba_patterns.py 2013-02-03 09:54:04.868467602 +0100
+++ b/buildtools/wafsamba/samba_patterns.py 2013-02-03 09:54:34.608510724 +0100
@@ -88,7 +88,7 @@
fp.write("****************************************************************************/\n")
fp.write("void build_options(bool screen)\n")
fp.write("{\n")
- fp.write(" if ((DEBUGLEVEL < 4) && (!screen)) {\n")
+ fp.write(" if ((DEBUGLEVEL < 4) || (!screen)) {\n")
fp.write(" return;\n")
fp.write(" }\n")
fp.write("\n")
--- a/libcli/util/doserr.c --- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c +++ b/libcli/util/doserr.c
@@ -28,6 +28,7 @@ struct werror_code_struct { @@ -28,6 +28,7 @@ struct werror_code_struct {
@ -65,9 +101,9 @@
} }
--- a/librpc/ndr/libndr.h --- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h +++ b/librpc/ndr/libndr.h
@@ -663,4 +663,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum @@ -652,5 +652,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum
const struct timeval *t);
_PUBLIC_ void ndr_print_bool(struct ndr_print *ndr, const char *name, const bool b);
+#ifndef VERBOSE_ERROR +#ifndef VERBOSE_ERROR
+#define ndr_print_bool(...) do {} while (0) +#define ndr_print_bool(...) do {} while (0)
@ -84,7 +120,7 @@
+#define ndr_print_NTSTATUS(...) do {} while (0) +#define ndr_print_NTSTATUS(...) do {} while (0)
+#define ndr_print_WERROR(...) do {} while (0) +#define ndr_print_WERROR(...) do {} while (0)
+#endif +#endif
+
#endif /* __LIBNDR_H__ */ #endif /* __LIBNDR_H__ */
--- a/librpc/ndr/ndr_basic.c --- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c +++ b/librpc/ndr/ndr_basic.c
@ -110,7 +146,7 @@
check for data leaks from the server by looking for non-zero pad bytes check for data leaks from the server by looking for non-zero pad bytes
--- a/librpc/ndr/ndr_string.c --- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c +++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri @@ -491,6 +491,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri
return NDR_ERR_SUCCESS; return NDR_ERR_SUCCESS;
} }
@ -151,40 +187,9 @@
return win_errstr(werr); return win_errstr(werr);
} }
--- a/source3/libsmb/nterr.c --- a/libcli/util/nterr.c
+++ b/source3/libsmb/nterr.c +++ b/libcli/util/nterr.c
@@ -702,6 +702,7 @@ const char *nt_errstr(NTSTATUS nt_code) @@ -860,6 +860,7 @@ const char *nt_errstr(NTSTATUS nt_code)
NT_STATUS_DOS_CODE(nt_code));
}
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -709,6 +710,7 @@ const char *nt_errstr(NTSTATUS nt_code)
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
NT_STATUS_V(nt_code));
@@ -724,12 +726,14 @@ const char *get_friendly_nt_error_msg(NT
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_err_desc[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
return nt_err_desc[idx].nt_errstr;
}
idx++;
}
+#endif
/* fall back to NT_STATUS_XXX string */
@@ -745,6 +749,7 @@ const char *get_nt_error_c_code(NTSTATUS
char *result; char *result;
int idx = 0; int idx = 0;
@ -192,15 +197,15 @@
while (nt_errs[idx].nt_errstr != NULL) { while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) == if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) { NT_STATUS_V(nt_code)) {
@@ -752,6 +757,7 @@ const char *get_nt_error_c_code(NTSTATUS @@ -868,6 +869,7 @@ const char *nt_errstr(NTSTATUS nt_code)
} }
idx++; idx++;
} }
+#endif +#endif
result = talloc_asprintf(talloc_tos(), "NT_STATUS(0x%08x)", result = talloc_asprintf(mem_ctx, "NT_STATUS(0x%08x)",
NT_STATUS_V(nt_code)); NT_STATUS_V(nt_code));
@@ -767,12 +773,14 @@ NTSTATUS nt_status_string_to_code(const @@ -882,12 +884,14 @@ NTSTATUS nt_status_string_to_code(const
{ {
int idx = 0; int idx = 0;
@ -215,123 +220,34 @@
return NT_STATUS_UNSUCCESSFUL; return NT_STATUS_UNSUCCESSFUL;
} }
--- a/lib/tdb/common/tdb_private.h @@ -927,6 +931,7 @@ const char *get_nt_error_c_code(NTSTATUS
+++ b/lib/tdb/common/tdb_private.h int idx = 0;
@@ -69,7 +69,11 @@ typedef uint32_t tdb_off_t; char *result;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style +#ifdef VERBOSE_ERROR
* argument. */ while (nt_errs[idx].nt_errstr != NULL) {
+#ifdef VERBOSE_DEBUG if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
#define TDB_LOG(x) tdb->log.log_fn x NT_STATUS_V(nt_code)) {
+#else @@ -946,6 +951,7 @@ const char *get_nt_error_c_code(NTSTATUS
+#define TDB_LOG(x) do {} while(0) snprintf(msg, sizeof(msg), "NT code 0x%08x", NT_STATUS_V(nt_code));
return msg;
}
+#endif +#endif
#ifdef TDB_TRACE result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
void tdb_trace(struct tdb_context *tdb, const char *op); NT_STATUS_V(nt_code));
--- a/source3/script/mkbuildoptions.awk @@ -961,12 +967,14 @@ const char *get_friendly_nt_error_msg(NT
+++ b/source3/script/mkbuildoptions.awk {
@@ -55,7 +55,7 @@ BEGIN { int idx = 0;
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/script/mkbuildoptions-waf.awk
+++ b/source3/script/mkbuildoptions-waf.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -445,7 +445,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -466,7 +465,6 @@ static NTSTATUS cli_pipe_validate_curren +#ifdef VERBOSE_ERROR
rpccli_pipe_txt(talloc_tos(), cli), while (nt_err_desc[idx].nt_errstr != NULL) {
pkt->ptype, expected_pkt_type, if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
nt_errstr(ret))); return nt_err_desc[idx].nt_errstr;
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
} }
idx++;
@@ -486,7 +484,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -508,7 +505,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -526,7 +522,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -570,7 +565,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
} }
+#endif
@@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st /* fall back to NT_STATUS_XXX string */
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err;
}
@@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
set_incoming_fault(p);
return false;
}


@ -0,0 +1,20 @@
--- a/source3/auth/auth.c 2013-02-11 22:09:08.516106878 +0100
+++ b/source3/auth/auth.c 2013-02-11 22:09:55.158449459 +0100
@@ -449,7 +449,7 @@
case ROLE_DOMAIN_MEMBER:
DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam winbind:ntdomain",
+ talloc_tos(), "guest sam",
NULL);
break;
case ROLE_DOMAIN_BDC:
@@ -457,7 +457,7 @@
DEBUG(5,("Making default auth method list for DC\n"));
auth_method_list = str_list_make_v3(
talloc_tos(),
- "guest sam winbind:trustdomain",
+ "guest sam",
NULL);
break;
case ROLE_STANDALONE:
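Review bot: The two hunks drop `winbind:ntdomain` and `winbind:trustdomain` from the default `auth_method_list` for the domain-member and DC roles, but the patch carries no header explaining why, so a domain-member build silently loses pass-through authentication to the domain controller unless `auth methods` is set explicitly in smb.conf. Presumably this is because winbind is not built for this package, but that is not stated anywhere on the page. Since the change alters who can log in (the method list shrinks to `guest sam`, so failures are closed rather than open), it deserves a one-paragraph description at the top of the patch file, e.g. `# Drop winbind from the default auth method lists: this package ships without winbindd, so the entries would only produce load failures; domain-member setups must configure "auth methods" themselves.` The `switch` that contains these cases starts and ends outside the hunks.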


@ -0,0 +1,76 @@
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -876,7 +876,15 @@
Could we get a referral to a machine that we don't want to give our
username and password to? */
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ if (ldap_state->bind_secret)
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ else {
+ struct berval *servercredp=NULL;
+
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", NULL, NULL, NULL, &servercredp);
+ if (rc == LDAP_SASL_BIND_IN_PROGRESS)
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", servercredp, NULL, NULL, &servercredp);
+ }
/* only set the last rebind timestamp when we did rebind after a
* non-read LDAP operation. That way we avoid the replication sleep
@@ -983,7 +991,15 @@
rc = ldap_state->bind_callback(ldap_struct, ldap_state, ldap_state->bind_callback_data);
unbecome_root();
} else {
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ if (ldap_state->bind_secret)
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ else {
+ struct berval *servercredp=NULL;
+
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", NULL, NULL, NULL, &servercredp);
+ if (rc == LDAP_SASL_BIND_IN_PROGRESS)
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", servercredp, NULL, NULL, &servercredp);
+ }
}
if (rc != LDAP_SUCCESS) {
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -6451,16 +6451,21 @@
}
if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
- DEBUG(0, ("pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb\n"));
- return NT_STATUS_NO_MEMORY;
+ DEBUG(1, ("pdb_init_ldapsam_common: Failed to retrieve password from secrets.tdb. Switching to SASL\n"));
}
nt_status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
location, false, bind_dn, bind_secret,
&ldap_state->smbldap_state);
- memset(bind_secret, '\0', strlen(bind_secret));
- SAFE_FREE(bind_secret);
- SAFE_FREE(bind_dn);
+
+ if (bind_secret) {
+ memset(bind_secret, '\0', strlen(bind_secret));
+ SAFE_FREE(bind_secret);
+ }
+
+ if (bind_dn)
+ SAFE_FREE(bind_dn);
+
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
}
--- a/source3/passdb/secrets.c 2012-08-18 01:59:39.251910842 +0200
+++ b/source3/passdb/secrets.c 2012-08-18 01:59:51.348560121 +0200
@@ -363,7 +363,7 @@
data=(char *)secrets_fetch(old_style_key, &size);
if ((data == NULL) || (size < sizeof(old_style_pw))) {
- DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ DEBUG(1,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
SAFE_FREE(old_style_key);
SAFE_FREE(*dn);
SAFE_FREE(data);
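Review bot: Both new SASL branches in smbldap.c (the hunk at line 876 and the one at line 983) leak `servercredp`: `ldap_sasl_bind_s` allocates the server credentials it returns through that out-parameter and the caller is expected to release them, so each branch needs `ber_bvfree(servercredp);` after the bind completes. Passing the server's credentials back as the client credential on the `LDAP_SASL_BIND_IN_PROGRESS` retry also looks doubtful for EXTERNAL, which has no client-side challenge response; a `NULL` cred on the second call seems more likely to be what is meant, but that should be confirmed against the OpenLDAP API. Separately, the pdb_ldap.c hunk turns a failed `fetch_ldap_pw` from a hard error into an implicit switch of bind mechanism, and the secrets.c hunk lowers the matching log line to level 1, so a missing or unreadable secrets.tdb entry now changes how the server authenticates to the directory without any message at the default log level; keeping that one message at `DEBUG(0, ...)` (or adding an explicit "using SASL EXTERNAL bind" line at level 0 in pdb_ldap.c) would make the fallback visible to an administrator. The `if (bind_dn)` guard before `SAFE_FREE(bind_dn)` is redundant if `SAFE_FREE` already tests for NULL, as Samba's macro does. The enclosing functions start and end outside the hunks.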


@ -0,0 +1,77 @@
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5508,3 +5508,17 @@
return lp_find_security(lp__server_role(),
lp__security());
}
+
+bool lp_ldap_suffix_initial()
+{
+ if (Globals.szLdapSuffix == NULL)
+ return true;
+ if (strlen(Globals.szLdapSuffix) == 0)
+ return true;
+ return false;
+}
+
+void lp_set_ldap_suffix(const char *suffix)
+{
+ string_set(&Globals.szLdapSuffix, suffix);
+}
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1486,6 +1486,8 @@
void widelinks_warning(int snum);
const char *lp_ncalrpc_dir(void);
void _lp_set_server_role(int server_role);
+bool lp_ldap_suffix_initial();
+void lp_set_ldap_suffix(const char *suffix);
/* The following definitions come from param/loadparm_ctx.c */
--- a/source3/passdb/pdb_ldap_util.c
+++ b/source3/passdb/pdb_ldap_util.c
@@ -247,6 +247,34 @@
}
/**********************************************************************
+ Autodetermine LDAP suffix
+ **********************************************************************/
+void find_ldap_suffix(struct smbldap_state *ldap_state)
+{
+ const char *namingCtx[] = { "namingContexts", NULL };
+ LDAPMessage *entry = NULL, *result = NULL;
+ int rc;
+
+ if (!lp_ldap_suffix_initial())
+ return;
+
+ rc = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, "(objectClass=*)", namingCtx, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ return;
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ if (entry) {
+ char **values = NULL;
+ values = ldap_get_values(ldap_state->ldap_struct, entry, namingCtx[0]);
+ if (values) {
+ lp_set_ldap_suffix(values[0]);
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
+}
+
+/**********************************************************************
Search for the domain info entry
*********************************************************************/
@@ -261,6 +289,8 @@
int count;
char *escape_domain_name;
+ find_ldap_suffix(ldap_state);
+
escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));
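Review bot: `find_ldap_suffix` overwrites the global `ldap suffix` with whatever the directory server advertises as its first `namingContexts` value, with no log line and no check that the attribute actually has a value, so a server with several naming contexts gets the first one chosen silently and a non-NULL `values` array with a NULL first element (if `ldap_get_values` can return one — worth confirming) would pass NULL to `lp_set_ldap_suffix`. Suggest `if (values && values[0]) {` and a `DEBUG(3, ("find_ldap_suffix: using autodetected ldap suffix %s\n", values[0]));` before the `lp_set_ldap_suffix` call, so an administrator can see which base the server is trusting. The new prototypes `bool lp_ldap_suffix_initial();` in both loadparm.c and proto.h use an empty parameter list, which in C is an unprototyped declaration; write `bool lp_ldap_suffix_initial(void);` in both places. The function that the last hunk patches (the domain-info search) starts and ends outside the hunk.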