298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

samba36: bump version

Browse Source
This commit is contained in:
lean 2022-09-09 11:59:53 +08:00
parent 9e2144f153
commit 3e6a4852da
47 changed files with 1013 additions and 30834 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
package/lean/autosamba/Makefile
View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=autosamba
PKG_VERSION:=1
PKG_RELEASE:=12
PKG_RELEASE:=13
PKG_ARCH:=all
include $(INCLUDE_DIR)/package.mk
@ -28,8 +28,6 @@ define Build/Compile
endef
define Package/autosamba/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/block
$(INSTALL_BIN) ./files/20-smb $(1)/etc/hotplug.d/block/20-smb
endef
$(eval $(call BuildPackage,autosamba))

139
package/network/services/samba36/Makefile Normal file → Executable file
View File

@ -1,5 +1,5 @@
#
# Copyright (C) 2007-2014 OpenWrt.org
# Copyright (C) 2007-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
@ -8,20 +8,20 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=samba
PKG_VERSION:=3.6.25
PKG_RELEASE:=15
PKG_VERSION:=4.0.26
PKG_RELEASE:=8
PKG_SOURCE_URL:=https://download.samba.org/pub/samba \
https://download.samba.org/pub/samba/stable
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_HASH:=8f2c8a7f2bd89b0dfd228ed917815852f7c625b2bc0936304ac3ed63aaf83751
PKG_SOURCE_URL:=https://ftp.samba.org/pub/samba/stable/
PKG_SOURCE:=samba-$(PKG_VERSION).tar.gz
PKG_HASH:=ce2441992c6d18950d752edb2d1274b3f7e056b2e2e8516fc42e408e4a25894a
PKG_LICENSE:=GPL-3.0
PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=COPYING
PKG_CPE_ID:=cpe:/a:samba:samba
PKG_BUILD_PARALLEL:=1
PKG_BUILD_DIR := $(BUILD_DIR)/samba-$(PKG_VERSION)
include $(INCLUDE_DIR)/package.mk
MAKE_PATH:=source3
@ -29,37 +29,20 @@ CONFIGURE_PATH:=source3
PKG_BUILD_BIN:=$(PKG_BUILD_DIR)/$(MAKE_PATH)/bin
define Package/samba/Default
define Package/samba36-server
SECTION:=net
CATEGORY:=Network
TITLE:=Samba 3.6 SMB/CIFS
URL:=https://www.samba.org/
MAINTAINER:=Felix Fietkau <nbd@nbd.name>
endef
define Package/samba36-server
$(call Package/samba/Default)
TITLE+= server
DEPENDS:=+USE_GLIBC:librt $(ICONV_DEPENDS)
endef
define Package/samba36-client
$(call Package/samba/Default)
TITLE+= client
DEPENDS:=+libreadline +libncurses
endef
define Package/samba36-net
$(call Package/samba/Default)
TITLE+= net commands
DEPENDS:=+libreadline +libncurses
TITLE:=Samba $(PKG_VERSION) SMB/CIFS server
URL:=http://www.samba.org/
DEPENDS:=+libaio +libpthread +zlib +libpopt
endef
define Package/samba36-server/config
config PACKAGE_SAMBA_MAX_DEBUG_LEVEL
int "Maximum level of compiled-in debug messages"
depends on PACKAGE_samba36-server || PACKAGE_samba36-client
depends on PACKAGE_samba36-server
default -1
endef
define Package/samba36-server/description
@ -69,7 +52,9 @@ define Package/samba36-server/description
to as the LanManager or Netbios protocol.
endef
TARGET_CFLAGS += -DMAX_DEBUG_LEVEL=$(CONFIG_PACKAGE_SAMBA_MAX_DEBUG_LEVEL) -D__location__=\\\"\\\" -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
CONFIGURE_VARS += \
@ -79,41 +64,50 @@ CONFIGURE_VARS += \
libreplace_cv_HAVE_C99_VSNPRINTF=yes \
libreplace_cv_HAVE_GETADDRINFO=yes \
libreplace_cv_HAVE_IFACE_IFCONF=yes \
libreplace_cv_HAVE_MREMAP=yes \
libreplace_cv_HAVE_MMAP=yes \
libreplace_cv_HAVE_OPEN_O_DIRECT=yes \
libreplace_cv_REPLACE_INET_NTOA=no \
LINUX_LFS_SUPPORT=yes \
samba_cv_TIME_T_MAX=no \
samba_cv_have_longlong=yes \
samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \
samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \
samba_cv_HAVE_IFACE_IFCONF=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes \
samba_cv_HAVE_SECURE_MKSTEMP=yes \
samba_cv_HAVE_WRFILE_KEYTAB=no \
samba_cv_USE_SETREUID=yes \
samba_cv_USE_SETRESUID=yes \
samba_cv_have_setreuid=yes \
samba_cv_have_setresuid=yes \
ac_cv_header_libunwind_h=no \
ac_cv_header_zlib_h=no \
samba_cv_zlib_1_2_3=no \
ac_cv_path_PYTHON="" \
ac_cv_path_PYTHON_CONFIG=""
samba_cv_zlib_1_2_3=yes \
ac_cv_type_long_long=yes \
samba_cv_USE_SETEUID=yes \
samba_cv_HAVE_BROKEN_GETGROUPS=no \
samba_cv_HAVE_BROKEN_READDIR_NAME=no \
samba_cv_HAVE_BROKEN_LINUX_SENDFILE=no \
samba_cv_HAVE_SENDFILE=yes \
samba_cv_HAVE_FCNTL_LOCK=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=no \
samba_cv_HAVE_KERNEL_SHARE_MODES=yes \
samba_cv_SIZEOF_BLKCNT_T_8=yes
CONFIGURE_ARGS += \
--exec-prefix=/usr \
--exec-prefix=/ \
--prefix=/ \
--disable-avahi \
--disable-cups \
--disable-external-libtalloc \
--disable-external-libtdb \
--disable-external-libtevent \
--disable-pie \
--disable-relro \
--disable-static \
--disable-swat \
--disable-shared-libs \
--with-libiconv="$(ICONV_PREFIX)" \
--with-codepagedir=/etc/samba \
--with-configdir=/etc/samba \
--with-included-iniparser \
--with-included-popt \
--with-included-popt=no \
--with-lockdir=/var/lock \
--with-logfilebase=/var/log \
--with-nmbdsocketdir=/var/nmbd \
@ -121,8 +115,10 @@ CONFIGURE_ARGS += \
--with-privatedir=/etc/samba \
--with-sendfile-support \
--without-acl-support \
--with-aio-support \
--without-cluster-support \
--without-ads \
--with-krb5=no \
--without-krb5 \
--without-ldap \
--without-pam \
@ -134,45 +130,54 @@ CONFIGURE_ARGS += \
--without-libsmbsharemodes \
--without-libtevent \
--without-libaddns \
--enable-cups=no --enable-iprint=no \
--enable-largefile \
--disable-dmalloc \
--disable-debug \
--without-utmp \
--without-quotas \
--with-libiconv=$(ICONV_PREFIX) \
--with-shared-modules=pdb_tdbsam,pdb_wbc_sam,idmap_nss,nss_info_template,auth_winbind,auth_wbc,auth_domain
MAKE_FLAGS += DYNEXP= PICFLAG= MODULES=
define Package/samba36-server/conffiles
/etc/config/samba
/etc/samba/smb.conf.template
/etc/samba/smbpasswd
endef
# special CONFIGURE_ARGS
ifneq ($(CONFIG_mipsel)$(CONFIG_arm)$(CONFIG_x86),)
#Little Endian
CONFIGURE_VARS += samba_cv_big_endian=no samba_cv_little_endian=yes
TARGET_CFLAGS += -O3 -fno-inline-functions -fno-inline-small-functions -fno-inline-functions-called-once
else
#Big Endian
CONFIGURE_VARS += samba_cv_big_endian=yes samba_cv_little_endian=no
endif
define Package/samba36-server/install
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/samba.config $(1)/etc/config/samba
$(INSTALL_DIR) $(1)/etc/samba
$(INSTALL_CONF) ./files/smb.conf.template $(1)/etc/samba
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_DATA) ./files/samba.config $(1)/etc/config/samba
$(INSTALL_DATA) ./files/smb.conf.template $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/lowcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/upcase.dat $(1)/etc/samba
$(INSTALL_DATA) $(PKG_BUILD_DIR)/codepages/valid.dat $(1)/etc/samba
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/samba.init $(1)/etc/init.d/samba
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_DIR) $(1)/etc/uci-defaults
$(INSTALL_BIN) ./files/uci_defaults_samba $(1)/etc/uci-defaults/99_uci_defaults_samba
$(INSTALL_DIR) $(1)/etc/hotplug.d/block
$(INSTALL_DATA) ./files/smb.auto $(1)/etc/hotplug.d/block/20-smb
$(INSTALL_BIN) $(PKG_BUILD_BIN)/samba_multicall $(1)/usr/sbin
$(LN) samba_multicall $(1)/usr/sbin/smbd
$(LN) samba_multicall $(1)/usr/sbin/nmbd
$(LN) samba_multicall $(1)/usr/sbin/smbpasswd
ln -sf samba_multicall $(1)/usr/sbin/smbd
ln -sf samba_multicall $(1)/usr/sbin/nmbd
ln -sf samba_multicall $(1)/usr/sbin/smbpasswd
endef
define Package/samba36-client/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/smbclient $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/nmblookup $(1)/usr/sbin
endef
define Package/samba36-net/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_BIN)/net $(1)/usr/sbin
endef
$(eval $(call BuildPackage,samba36-client))
$(eval $(call BuildPackage,samba36-server))
$(eval $(call BuildPackage,samba36-net))

5
package/network/services/samba36/files/samba.config
View File

@ -1,6 +1,7 @@
config samba
option 'name' 'OpenWrt'
option 'workgroup' 'WORKGROUP'
option 'description' 'OpenWrt'
option 'description' 'OpenWrt Share'
option 'homes' '1'
option 'autoshare' '1'
option 'enabled' '1'

61
package/network/services/samba36/files/samba.init
View File

@ -2,20 +2,31 @@
# Copyright (C) 2008-2012 OpenWrt.org
START=60
USE_PROCD=1
smb_header() {
config_get samba_iface $1 interface "loopback lan"
local enabled
config_get_bool enabled $1 enabled 1
[ $enabled == "0" ] && {
echo "Samba disabled!"
exit 0
}
local interface
config_get interface $1 interface "loopback lan"
# resolve interfaces
local interfaces=$(
. /lib/functions/network.sh
local net
for net in $samba_iface; do
for net in $interface; do
local device
network_is_up $net || continue
network_get_device device "$net"
network_get_device device "$net" && {
local subnet
network_get_subnet subnet "$net" && echo -n "$subnet "
network_get_subnet6 subnet "$net" && echo -n "$subnet "
}
echo -n "${device:-$net} "
done
)
@ -23,10 +34,11 @@ smb_header() {
local name workgroup description charset
local hostname="$(uci_get system.@system[0].hostname)"
config_get name $1 name "${hostname:-OpenWrt}"
config_get workgroup $1 workgroup "${hostname:-OpenWrt}"
config_get description $1 description "Samba on ${hostname:-OpenWrt}"
config_get name $1 name "${hostname:-PandoraBox}"
config_get workgroup $1 workgroup "${hostname:-PandoraBox}"
config_get description $1 description "Samba on ${hostname:-PandoraBox}"
config_get charset $1 charset "UTF-8"
config_get master $1 master "yes"
mkdir -p /var/etc
sed -e "s#|NAME|#$name#g" \
@ -34,6 +46,7 @@ smb_header() {
-e "s#|DESCRIPTION|#$description#g" \
-e "s#|INTERFACES|#$interfaces#g" \
-e "s#|CHARSET|#$charset#g" \
-e "s#|MASTER|#$master#g" \
/etc/samba/smb.conf.template > /var/etc/smb.conf
local homes
@ -82,34 +95,16 @@ smb_add_share() {
[ -n "$browseable" ] && echo -e "\tbrowseable = $browseable" >> /var/etc/smb.conf
}
init_config() {
start() {
config_load samba
config_foreach smb_header samba
config_foreach smb_add_share sambashare
service_start /usr/sbin/smbd -D
service_start /usr/sbin/nmbd -D
}
service_triggers() {
procd_add_reload_trigger samba
local i
for i in $samba_iface; do
procd_add_reload_interface_trigger $i
done
}
start_service() {
init_config
procd_open_instance
procd_add_mdns "smb" "tcp" "445"
procd_set_param command /usr/sbin/smbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
procd_open_instance
procd_set_param command /usr/sbin/nmbd -F
procd_set_param respawn
procd_set_param file /var/etc/smb.conf
procd_close_instance
stop() {
service_stop /usr/sbin/smbd
service_stop /usr/sbin/nmbd
}

103
package/network/services/samba36/files/smb.auto Executable file
View File

@ -0,0 +1,103 @@
#!/bin/sh
#
# D-Team Technology Co.,Ltd. ShenZhen
# 作者:Vic
#
#
# 警告:对着屏幕的哥们,我们允许你使用此脚本,但不允许你抹去作者的信息,请保留这段话。
#
. /lib/functions.sh
. /lib/functions/service.sh
global=0
config_file="/etc/config/samba"
wait_for_init() {
for i in `seq 30`
do
[ -e /tmp/procd.done ] || {
sleep 1; continue;
}
return
done
}
smb_handle() {
config_get path $1 path
if [ "$path" = "$2" ] ;then
global=1
fi
}
chk_en() {
config_get_bool autoshare $1 autoshare 0
[ $autoshare -eq 0 ] && exit
}
config_load samba
config_foreach chk_en samba
device=`basename $DEVPATH`
case "$ACTION" in
add)
case "$device" in
sd*) ;;
md*) ;;
hd*);;
mmcblk*);;
*) return;;
esac
path="/dev/$device"
wait_for_init
cat /proc/mounts | while read j
do
str=${j%% *}
if [ "$str" == $path ];then
strr=${j#* }
target=${strr%% *}
global=0
config_foreach smb_handle sambashare $target
name=${target#*/mnt/}
if [ $global -eq 0 ] ;then
echo -e "\n\nconfig sambashare" >> $config_file
echo -e "\toption auto '1'" >> $config_file
echo -e "\toption name '$name'" >> $config_file
echo -e "\toption path '$target'" >> $config_file
echo -e "\toption read_only 'no'" >> $config_file
echo -e "\toption guest_ok 'yes'" >> $config_file
echo -e "\toption device '$device'" >> $config_file
/etc/init.d/samba reload
return
fi
fi
done
;;
remove)
i=0
while true
do
dev=`uci get samba.@sambashare[$i].device`
[ $? -ne 0 ] && break
[ "$dev" = "$device" ] && {
auto=`uci get samba.@sambashare[$i].auto`
[ $auto = "1" ] && {
mount_dir=`uci get samba.@sambashare[$i].name`
rm -rf /mnt/$device /mnt/$mount_dir
uci delete samba.@sambashare[$i]
uci commit
/etc/init.d/samba reload
return
}
}
let i+=1
done
;;
esac

38
package/network/services/samba36/files/smb.conf.template
View File

@ -5,17 +5,47 @@
server string = |DESCRIPTION|
unix charset = |CHARSET|
workgroup = |WORKGROUP|
bind interfaces only = yes
browseable = yes
deadtime = 30
domain master = |MASTER|
encrypt passwords = true
enable core files = no
invalid users = root
# guest account = nobody
guest account = root
guest ok = yes
# invalid users = root
local master = yes
load printers = no
map to guest = Bad User
max protocol = SMB2
min receivefile size = 16384
null passwords = yes
obey pam restrictions = yes
os level = 250
lm announce = yes
lm interval = 10
dns proxy = no
passdb backend = smbpasswd
preferred master = yes
printable = no
security = user
smb encrypt = disabled
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY IPTOS_LOWDELAY
syslog = 2
use sendfile = yes
writeable = yes
read raw = yes
write raw = yes
getwd cache = Yes
min receivefile size = 16384
# write cache size = 65536
large readwrite = yes
fake oplocks = yes
oplocks = no
strict locking = no
posix locking = no
kernel oplocks = no
# disable spoolss = yes
# host msdfs = no
# strict allocate = no
use mmap = yes
skip ftruncate = yes

15
package/network/services/samba36/files/uci_defaults_samba Executable file
View File

@ -0,0 +1,15 @@
#!/bin/sh
# Copyright (c) 2013 OpenWrt
# Copyright (C) 2014 D-Team Technology Co.,Ltd. ShenZhen
# Copyright (c) 2005-2014, lintel <lintel.huang@gmail.com>
#
#
# 警告:对着屏幕的哥们,我们允许你使用此脚本,但不允许你抹去作者的信息,请保留这段话。
#
samba_name=`uci get system.@system[0].hostname`
[ -f /etc/config/samba ] && {
uci set samba.@samba[0].name="$samba_name"
uci commit samba
}

240
package/network/services/samba36/patches/008-loose-allocate.patch Normal file
View File

@ -0,0 +1,240 @@
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 41b44b6..3e45935 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -109,6 +109,7 @@ FN_LOCAL_BOOL(onlyuser, bOnlyUser)
FN_LOCAL_PARM_BOOL(manglednames, bMangledNames)
FN_LOCAL_BOOL(symlinks, bSymlinks)
FN_LOCAL_BOOL(syncalways, bSyncAlways)
+FN_LOCAL_BOOL(skip_ftruncate, bSkipFtruncate)
FN_LOCAL_BOOL(strict_allocate, bStrictAllocate)
FN_LOCAL_BOOL(delete_readonly, bDeleteReadonly)
FN_LOCAL_BOOL(fake_oplocks, bFakeOplocks)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 0916023..27cc873 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -1869,6 +1869,15 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
+ .label = "skip ftruncate",
+ .type = P_BOOL,
+ .p_class = P_LOCAL,
+ .offset = LOCAL_VAR(bSkipFtruncate),
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED | FLAG_SHARE,
+ },
+ {
.label = "strict allocate",
.type = P_BOOL,
.p_class = P_LOCAL,
diff --git a/source3/autoconf/lib/param/param_local.h b/source3/autoconf/lib/param/param_local.h
deleted file mode 100644
index 89eb6c3..0000000
--- a/source3/autoconf/lib/param/param_local.h
+++ /dev/null
@@ -1,142 +0,0 @@
-#ifndef __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__
-#define __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__
-
-/* This file was automatically generated by mkparamdefs.pl. DO NOT EDIT */
-
-/**
- * This structure describes a single service.
- */
-struct loadparm_service
-{
- char * szPath;
- const char ** szHostsallow;
- const char ** szHostsdeny;
- char * fstype;
- const char ** ntvfs_handler;
- bool bMSDfsRoot;
- bool bBrowseable;
- bool bRead_only;
- bool bPrint_ok;
- bool bMap_hidden;
- bool bMap_archive;
- bool bOpLocks;
- bool bStrictSync;
- bool bMap_system;
- int iMaxConnections;
- int iCSCPolicy;
- int iCreate_mask;
- int iCreate_force_mode;
- int iDir_mask;
- int iDir_force_mode;
- char * szPreExec;
- char * szPostExec;
- char * szRootPreExec;
- char * szRootPostExec;
- char * szDontdescend;
- char * szUsername;
- const char ** szInvalidUsers;
- const char ** szValidUsers;
- const char ** szAdminUsers;
- char * szPrintcommand;
- char * szLpqcommand;
- char * szLprmcommand;
- char * szLppausecommand;
- char * szLpresumecommand;
- char * szQueuepausecommand;
- char * szQueueresumecommand;
- char * szPrintername;
- char * szPrintjobUsername;
- char * szMagicScript;
- char * szMagicOutput;
- char * comment;
- char * force_user;
- char * force_group;
- const char ** readlist;
- const char ** writelist;
- const char ** printer_admin;
- const char ** szVfsObjects;
- char * szMSDfsProxy;
- char * volume;
- char * szVetoFiles;
- char * szHideFiles;
- char * szVetoOplockFiles;
- char * szAioWriteBehind;
- char * szDfree;
- bool autoloaded;
- bool bPreexecClose;
- bool bRootpreexecClose;
- int iCaseSensitive;
- bool bCasePreserve;
- bool bShortCasePreserve;
- bool bHideDotFiles;
- bool bHideSpecialFiles;
- bool bHideUnReadable;
- bool bHideUnWriteableFiles;
- bool bAccessBasedShareEnum;
- bool bNo_set_dir;
- bool bGuest_ok;
- bool bGuest_only;
- bool bAdministrative_share;
- bool bPrintNotifyBackchannel;
- bool bStoreDosAttributes;
- bool bDmapiSupport;
- bool bLocking;
- int iStrictLocking;
- bool bPosixLocking;
- bool bKernelOplocks;
- bool bLevel2OpLocks;
- bool bKernelShareModes;
- bool bOnlyUser;
- bool bMangledNames;
- bool bSymlinks;
- bool bSyncAlways;
- bool bStrictAllocate;
- bool bDeleteReadonly;
- bool bFakeOplocks;
- bool bDeleteVetoFiles;
- bool bDosFilemode;
- bool bDosFiletimes;
- bool bDosFiletimeResolution;
- bool bFakeDirCreateTimes;
- bool bBlockingLocks;
- bool bInheritPerms;
- bool bInheritACLS;
- bool bInheritOwner;
- bool bUseClientDriver;
- bool bDefaultDevmode;
- bool bForcePrintername;
- bool bNTAclSupport;
- bool bForceUnknownAclUser;
- bool bEASupport;
- bool bUseSendfile;
- bool bProfileAcls;
- bool bMap_acl_inherit;
- bool bAfs_Share;
- bool bAclCheckPermissions;
- bool bAclGroupControl;
- bool bAclMapFullControl;
- bool bAclAllowExecuteAlways;
- int iDefaultCase;
- int iMinPrintSpace;
- int iPrinting;
- int iMaxReportedPrintJobs;
- int iOplockContentionLimit;
- int iWriteCacheSize;
- int iBlock_size;
- int iDfreeCacheTime;
- int iallocation_roundup_size;
- int iAioReadSize;
- int iAioWriteSize;
- int iMap_readonly;
- int iDirectoryNameCacheSize;
- int ismb_encrypt;
- char magic_char;
- char * szCupsOptions;
- bool bChangeNotify;
- bool bKernelChangeNotify;
- bool bDurableHandles;
-LOADPARM_EXTRA_LOCALS
-};
-
-#endif /* __AUTOCONF_LIB_PARAM_PARAM_LOCAL_H__ */
-
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 1d2eaf5..6be58fb 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1299,6 +1299,7 @@ bool lp_widelinks(int );
bool lp_symlinks(int );
bool lp_syncalways(int );
bool lp_strict_allocate(int );
+bool lp_skip_ftruncate(int );
bool lp_strict_sync(int );
bool lp_map_system(int );
bool lp_delete_readonly(int );
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 429fca1..1b3244c 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1687,7 +1697,31 @@ static int vfswrap_ftruncate(vfs_handle_struct *handle, files_struct *fsp, off_t
END_PROFILE(syscall_ftruncate);
return result;
}
+ /* check for an MSDOS (FAT) filesystem and don't truncate. Ftruncate on an MSDOS filesystem can time causeing failures when the file
+ size reaches about 300MB to 600MB depending in the speed of the system. Allow forcing the ftruncate for shrinking files as not
+ shrinking a file can cause worse problems and for things like smbpasswd that won't timeout.
+ */
+ if(lp_skip_ftruncate(SNUM(fsp->conn)) && !fsp->is_sparse) {
+#if 1
+ struct statfs s;
+ if(fstatfs(fsp->fh->fd, &s)) { /* get filesystem type */
+ syslog("Samba: fstatfs fail\n");
+ goto done;
+ }
+ if(s.f_type == 0x2011bab0 ) {
+ syslog("Samba: exFAT Filesystem,length:0x%X\n", len);
+ goto done;
+ }
+ else if(s.f_type == 0x4d44) {
+ syslog("Samba: vFAT/FAT Filesystem,length:0x%X\n", len);
+ goto done;
+ } else
+ syslog("Samba: Skip Filesystem:0x%X\n", s.f_type);
+#else
+ goto done;
+#endif
+ }
/* we used to just check HAVE_FTRUNCATE_EXTEND and only use
ftruncate if the system supports it. Then I discovered that
you can have some filesystems that support ftruncate
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 878cc3a..53e04f9 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -235,6 +235,7 @@ static struct loadparm_service sDefault =
.bWidelinks = false,
.bSymlinks = true,
.bSyncAlways = false,
+ .bSkipFtruncate = false,
.bStrictAllocate = false,
.bStrictSync = false,
.magic_char = '~',

39
package/network/services/samba36/patches/010-patch-cve-2015-5252.patch
View File

@ -1,39 +0,0 @@
From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 9 Jul 2015 10:58:11 -0700
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
access outside the share).
Ensure matching component ends in '/' or '\0'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/smbd/vfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
if (!allow_widelinks || !allow_symlinks) {
const char *conn_rootdir;
size_t rootdir_len;
+ bool matched;
conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
}
rootdir_len = strlen(conn_rootdir);
- if (strncmp(conn_rootdir, resolved_name,
- rootdir_len) != 0) {
+ matched = (strncmp(conn_rootdir, resolved_name,
+ rootdir_len) == 0);
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
+ resolved_name[rootdir_len] != '\0')) {
DEBUG(2, ("check_reduced_name: Bad access "
"attempt: %s is a symlink outside the "
"share path\n", fname));

88
package/network/services/samba36/patches/011-patch-cve-2015-5296.patch
View File

@ -1,88 +0,0 @@
From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clidfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALL
const char *username;
const char *password;
NTSTATUS status;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+
+ if (force_encrypt) {
+ signing_state = Required;
+ }
/* make a copy so we don't modify the global string 'service' */
servicename = talloc_strdup(ctx,share);
@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALL
zero_sockaddr(&ss);
/* have to open a new connection */
- c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
+ c = cli_initialise_ex(signing_state);
if (c == NULL) {
d_printf("Connection to %s failed\n", server_n);
return NULL;
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
const char *username_used;
NTSTATUS status;
char *newserver, *newshare;
+ int signing_state = Undefined;
zero_sockaddr(&ss);
ZERO_STRUCT(c);
@@ -404,8 +405,12 @@ again:
zero_sockaddr(&ss);
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
+
/* have to open a new connection */
- if ((c = cli_initialise()) == NULL) {
+ if ((c = cli_initialise_ex(signing_state)) == NULL) {
errno = ENOMEM;
return NULL;
}
@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
+ int signing_state = Undefined;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
zero_sockaddr(&ss);
nt_status = cli_full_connection(&ipc_cli,
@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
*pp_workgroup,
*pp_password,
flags,
- Undefined);
+ signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));

93
package/network/services/samba36/patches/012-patch-cve-2015-5299.patch
View File

@ -1,93 +0,0 @@
From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 23 Oct 2015 14:54:31 -0700
Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
snapdir
Fix originally from <partha@exablox.com>
https://bugzilla.samba.org/show_bug.cgi?id=11529
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
---
source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -21,6 +21,8 @@
#include "includes.h"
#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "../libcli/security/security.h"
#include "system/filesys.h"
#include "ntioctl.h"
@@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle
SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
}
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+ const char *path)
+{
+ struct smb_filename smb_fname;
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = talloc_asprintf(talloc_tos(),
+ "%s",
+ path);
+ if (smb_fname.base_name == NULL) {
+ return false;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+
+ status = smbd_check_open_rights(handle->conn,
+ &smb_fname,
+ SEC_DIR_LIST,
+ &access_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("user does not have list permission "
+ "on snapdir %s\n",
+ smb_fname.base_name));
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+ TALLOC_FREE(smb_fname.base_name);
+ return true;
+}
+
static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname)
{
SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
@@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2
SMB_STRUCT_DIRENT *d;
TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
char *snapshot;
+ bool ret;
snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
if (snapdir == NULL) {
@@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2
talloc_free(tmp_ctx);
return -1;
}
+ ret = check_access_snapdir(handle, snapdir);
+ if (!ret) {
+ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
+ errno = EACCES;
+ talloc_free(tmp_ctx);
+ return -1;
+ }
p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);

172
package/network/services/samba36/patches/015-patch-cve-2015-7560.patch
View File

@ -1,172 +0,0 @@
From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:18:12 -0800
Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
that can be used to prevent operations on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2
files_struct *fsp,
const SMB_STRUCT_STAT *psbuf);
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+ const files_struct *fsp,
+ const char *name)
+{
+ SMB_STRUCT_STAT sbuf;
+ const SMB_STRUCT_STAT *pst = NULL;
+
+ if (fsp) {
+ pst = &fsp->fsp_name->st;
+ } else {
+ int ret = vfs_stat_smb_fname(conn,
+ name,
+ &sbuf);
+ if (ret == -1) {
+ return map_nt_error_from_unix(errno);
+ }
+ pst = &sbuf;
+ }
+ if (S_ISLNK(pst->st_ex_mode)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
/********************************************************************
Roundup a value to the nearest allocation roundup size boundary.
Only do this for Windows clients.
@@ -181,12 +209,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
char **names, **tmp;
size_t num_names;
ssize_t sizeret = -1;
+ NTSTATUS status;
+
+ if (pnames) {
+ *pnames = NULL;
+ }
+ *pnum_names = 0;
if (!lp_ea_support(SNUM(conn))) {
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+ status = refuse_symlink(conn, fsp, fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Just return no EA's on a symlink.
+ */
return NT_STATUS_OK;
}
@@ -236,10 +274,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
if (sizeret == 0) {
TALLOC_FREE(names);
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
return NT_STATUS_OK;
}
@@ -550,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn,
const struct smb_filename *smb_fname, struct ea_list *ea_list)
{
char *fname = NULL;
+ NTSTATUS status;
if (!lp_ea_support(SNUM(conn))) {
return NT_STATUS_EAS_NOT_SUPPORTED;
@@ -559,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+
/* For now setting EAs on streams isn't supported. */
fname = smb_fname->base_name;
@@ -4931,6 +4972,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
uint16 num_file_acls = 0;
uint16 num_def_acls = 0;
+ status = refuse_symlink(conn,
+ fsp,
+ smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
if (fsp && fsp->fh->fd != -1) {
file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
} else {
@@ -6452,6 +6500,7 @@ static NTSTATUS smb_set_posix_acl(connec
uint16 num_def_acls;
bool valid_file_acls = True;
bool valid_def_acls = True;
+ NTSTATUS status;
if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
@@ -6479,6 +6528,11 @@ static NTSTATUS smb_set_posix_acl(connec
return NT_STATUS_INVALID_PARAMETER;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
(unsigned int)num_file_acls,
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struc
return NT_STATUS_OK;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL set on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -1925,6 +1931,12 @@ NTSTATUS smbd_do_query_security_desc(con
return NT_STATUS_ACCESS_DENIED;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL get on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
SECINFO_GROUP|SECINFO_SACL)) {
/* Don't return SECINFO_LABEL if anything else was

6824
package/network/services/samba36/patches/020-CVE-preparation-v3-6.patch
View File

File diff suppressed because it is too large Load Diff

9515
package/network/services/samba36/patches/021-CVE-preparation-v3-6-addition.patch
View File

File diff suppressed because it is too large Load Diff

1791
package/network/services/samba36/patches/022-CVE-2015-5370-v3-6.patch
View File

File diff suppressed because it is too large Load Diff

255
package/network/services/samba36/patches/023-CVE-2016-2110-v3-6.patch
View File

@ -1,255 +0,0 @@
From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 1 Dec 2015 08:46:45 +0100
Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
ntlmssp_state->allow_lm_key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---
source3/libsmb/ntlmssp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct nt
* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
*/
if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp
{
/* As per JRA's comment above */
if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (feature & NTLMSSP_FEATURE_CCACHE) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -387,7 +392,12 @@ static NTSTATUS ntlmssp_client_initial(s
}
if (ntlmssp_state->use_ntlmv2) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->allow_lm_key = false;
+ }
+
+ if (ntlmssp_state->allow_lm_key) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
/* generate the ntlmssp negotiate packet */
@@ -422,6 +432,86 @@ static NTSTATUS ntlmssp_client_initial(s
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t flags)
+{
+ uint32_t missing_flags = ntlmssp_state->required_flags;
+
+ if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = true;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = false;
+ }
+
+ /*
+ * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+ */
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+
+ if ((flags & NTLMSSP_REQUEST_TARGET)) {
+ ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ }
+
+ missing_flags &= ~ntlmssp_state->neg_flags;
+ if (missing_flags != 0) {
+ NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
+ DEBUG(1, ("%s: Got challenge flags[0x%08x] "
+ "- possible downgrade detected! "
+ "missing_flags[0x%08x] - %s\n",
+ __func__,
+ (unsigned)flags,
+ (unsigned)missing_flags,
+ nt_errstr(status)));
+ debug_ntlmssp_flags(missing_flags);
+ DEBUGADD(4, ("neg_flags[0x%08x]\n",
+ (unsigned)ntlmssp_state->neg_flags));
+ debug_ntlmssp_flags(ntlmssp_state->neg_flags);
+
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
@@ -448,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge
DATA_BLOB encrypted_session_key = data_blob_null;
NTSTATUS nt_status = NT_STATUS_OK;
+ if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain_blob,
+ &chal_flags)) {
+ DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+ dump_data(2, reply.data, reply.length);
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ data_blob_free(&server_domain_blob);
+
+ DEBUG(3, ("Got challenge flags:\n"));
+ debug_ntlmssp_flags(chal_flags);
+
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
@@ -498,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge
noccache:
- if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
- "NTLMSSP",
- &ntlmssp_command,
- &server_domain_blob,
- &chal_flags)) {
- DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
- dump_data(2, reply.data, reply.length);
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
talloc_tos(), struct CHALLENGE_MESSAGE);
@@ -525,13 +624,6 @@ noccache:
}
}
- data_blob_free(&server_domain_blob);
-
- DEBUG(3, ("Got challenge flags:\n"));
- debug_ntlmssp_flags(chal_flags);
-
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdUdbddB";
@@ -769,6 +861,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
ntlmssp_state->unicode = True;
ntlmssp_state->use_ntlmv2 = use_ntlmv2;
+ ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
@@ -780,6 +873,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
NTLMSSP_NEGOTIATE_KEY_EXCH |
NTLMSSP_REQUEST_TARGET;
+ if (ntlmssp_state->use_ntlmv2) {
+ ntlmssp_state->allow_lm_key = false;
+ }
+
ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
if (!ntlmssp_state->client.netbios_name) {
talloc_free(ntlmssp_state);
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
DATA_BLOB nt_resp;
DATA_BLOB session_key;
+ uint32_t required_flags;
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
/**

681
package/network/services/samba36/patches/024-CVE-2016-2111-v3-6.patch
View File

@ -1,681 +0,0 @@
From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 26 Sep 2015 01:29:10 +0200
Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base
case NetlogonNetworkTransitiveInformation:
{
const char *wksname = nt_workstation;
+ const char *workgroup = lp_workgroup();
status = make_auth_context_fixed(talloc_tos(), &auth_context,
logon->network->challenge);
@@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base
logon->network->nt.length)) {
status = NT_STATUS_NO_MEMORY;
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ }
break;
}
case NetlogonInteractiveInformation:
@@ -1636,6 +1645,14 @@ static NTSTATUS _netr_LogonSamLogon_base
r->out.validation->sam3);
break;
case 6:
+ /* Only allow this if the pipe is protected. */
+ if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+ get_remote_machine_name()));
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+
status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
r->out.validation->sam6);
break;
@@ -2271,11 +2288,13 @@ NTSTATUS _netr_GetForestTrustInformation
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2371,11 +2390,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1122,8 +1122,8 @@ static bool schan(struct torture_context
generate_random_buffer(chal.data, chal.length);
names_blob = NTLMv2_generate_names_blob(
mem_ctx,
- cli_credentials_get_workstation(user_creds),
- cli_credentials_get_domain(user_creds));
+ cli_credentials_get_workstation(wks_creds),
+ cli_credentials_get_domain(wks_creds));
status = cli_credentials_get_ntlm_response(
user_creds, mem_ctx, &flags, chal, names_blob,
&lm_resp, &nt_resp, NULL, NULL);
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup);
/***********************************************************
encode a password buffer with a unicode password. The buffer
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -26,7 +26,7 @@
#include "../libcli/auth/msrpc_parse.h"
#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../librpc/gen_ndr/ntlmssp.h"
+#include "../librpc/gen_ndr/ndr_ntlmssp.h"
void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
lm_response, nt_response, lm_session_key, user_session_key);
}
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup)
+{
+ TALLOC_CTX *frame = NULL;
+ /* RespType + HiRespType */
+ static const char *magic = "\x01\x01";
+ int cmp;
+ struct NTLMv2_RESPONSE v2_resp;
+ enum ndr_err_code err;
+ const struct AV_PAIR *av_nb_cn = NULL;
+ const struct AV_PAIR *av_nb_dn = NULL;
+
+ if (response.length < 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes.
+ */
+ return NT_STATUS_OK;
+ }
+
+ cmp = memcmp(response.data + 16, magic, 2);
+ if (cmp != 0) {
+ /*
+ * It doesn't look like a valid NTLMv2_RESPONSE
+ */
+ return NT_STATUS_OK;
+ }
+
+ frame = talloc_stackframe();
+
+ err = ndr_pull_struct_blob(&response, frame, &v2_resp,
+ (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
+ if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+ NTSTATUS status;
+ status = ndr_map_error2ntstatus(err);
+ DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
+ "length %u - %s - %s\n",
+ (unsigned)response.length,
+ ndr_map_error2string(err),
+ nt_errstr(status)));
+ dump_data(2, response.data, response.length);
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ if (DEBUGLVL(10)) {
+ NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
+ }
+
+ /*
+ * Make sure the netbios computer name in the
+ * NTLMv2_RESPONSE matches the computer name
+ * in the secure channel credentials for workstation
+ * trusts.
+ *
+ * And the netbios domain name matches our
+ * workgroup.
+ *
+ * This prevents workstations from requesting
+ * the session key of NTLMSSP sessions of clients
+ * to other hosts.
+ */
+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
+ av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbComputerName);
+ av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbDomainName);
+ }
+
+ if (av_nb_cn != NULL) {
+ const char *v = NULL;
+ char *a = NULL;
+ size_t len;
+
+ v = av_nb_cn->Value.AvNbComputerName;
+
+ a = talloc_strdup(frame, creds->account_name);
+ if (a == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ len = strlen(a);
+ if (len > 0 && a[len - 1] == '$') {
+ a[len - 1] = '\0';
+ }
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(a, v);
+#else /* smbd */
+ cmp = StrCaseCmp(a, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbComputerName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+ if (av_nb_dn != NULL) {
+ const char *v = NULL;
+
+ v = av_nb_dn->Value.AvNbDomainName;
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(workgroup, v);
+#else /* smbd */
+ cmp = StrCaseCmp(workgroup, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbDomainName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/***********************************************************
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE',
+ public_deps='MSRPC_PARSE NDR_NTLMSSP',
public_headers='credentials.h:domain_credentials.h'
)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/
PROFILE_OBJ = profile/profile.o
PROFILES_OBJ = utils/profiles.o \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(PARAM_OBJ) \
$(LIB_OBJ) $(LIB_DUMMY_OBJ) \
$(POPT_LIB_OBJ) \
@@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
STATUS_OBJ = utils/status.o utils/status_profile.o \
$(LOCKING_OBJ) $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
@@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
TESTPARM_OBJ = utils/testparm.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
TEST_LP_LOAD_OBJ = param/test_lp_load.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
$(LIB_NONSMBD_OBJ) \
$(PARAM_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
@@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ
$(LIBNDR_GEN_OBJ0)
NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
- $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+ $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
torture/denytest.o torture/mangle_test.o \
@@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARA
$(LIBNDR_GEN_OBJ0)
MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBNDR_GEN_OBJ0)
@@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_
VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
-SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
LOG2PCAP_OBJ = utils/log2pcaphex.o
@@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
EVTLOGADM_OBJ0 = utils/eventlogadm.o
EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
librpc/gen_ndr/ndr_eventlog.o \
librpc/gen_ndr/ndr_lsa.o
SHARESEC_OBJ0 = utils/sharesec.o
SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
- $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
+ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
@libreplacedir@/test/getifaddrs.o \
@@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARA
$(LIBNDR_GEN_OBJ0)
WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
- $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
+ $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
@@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.
DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ)
DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
SPLIT_TOKENS_OBJ = utils/split_tokens.o \
--- a/source4/torture/raw/samba3misc.c
+++ b/source4/torture/raw/samba3misc.c
@@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct tortu
bool ret = true;
TALLOC_CTX *mem_ctx;
bool nt_status_support;
+ bool client_ntlmv2_auth;
if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
d_printf("talloc_init failed\n");
@@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct tortu
}
nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
if (!torture_open_connection(&cli_nt, torture, 0)) {
goto fail;
}
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
if (!torture_open_connection(&cli_dos, torture, 1)) {
goto fail;
@@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct tortu
}
smbcli_deltree(cli_nt->tree, dirname);
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
+ nt_status_support ? "yes":"no"),
+ ret, fail, "Could not set 'nt status support' back to where it was\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no"),
+ ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
status = smbcli_mkdir(cli_nt->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct
static bool torture_samba3_errorpaths(struct torture_context *tctx)
{
bool nt_status_support;
+ bool client_ntlmv2_auth;
struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
bool result = false;
int fnum;
@@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(st
NTSTATUS status;
nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
torture_comment(tctx, "Could not set 'nt status support = yes'\n");
goto fail;
}
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
+ goto fail;
+ }
if (!torture_open_connection(&cli_nt, tctx, 0)) {
goto fail;
}
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
- torture_comment(tctx, "Could not set 'nt status support = yes'\n");
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
goto fail;
}
@@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(st
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
nt_status_support ? "yes":"no")) {
- torture_comment(tctx, "Could not reset 'nt status support = yes'");
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
goto fail;
}
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_st
NTSTATUS status;
/* otherwise do a NT1 style session setup */
+ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
+ /*
+ * Don't send an NTLMv2 response without NTLMSSP
+ * if we want to use spnego support
+ */
+ DEBUG(1, ("Server does not support EXTENDED_SECURITY "
+ " but 'client use spnego = yes"
+ " and 'client ntlmv2 auth = yes'\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
status = cli_session_setup_nt1(cli, user, pass, passlen,
ntpass, ntpasslen, workgroup);
if (!NT_STATUS_IS_OK(status)) {
--- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -9,6 +9,11 @@
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</para>
+
+ <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -28,6 +28,11 @@
NTLMv2 by default, and some sites (particularly those following
'best practice' security polices) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
+
+ <para>When <smbconfoption name="client use spnego"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="raw NTLMv2 auth"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+ extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+ <para>If this option, <command moreinfo="none">lanman auth</command>
+ and <command moreinfo="none">ntlm auth</command> are all disabled,
+ then only clients with SPNEGO support will be permitted.
+ That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
int lp_restrict_anonymous(void);
bool lp_lanman_auth(void);
bool lp_ntlm_auth(void);
+bool lp_raw_ntlmv2_auth(void);
bool lp_client_plaintext_auth(void);
bool lp_client_lanman_auth(void);
bool lp_client_ntlmv2_auth(void);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -336,6 +336,7 @@ struct global {
bool bAllowTrustedDomains;
bool bLanmanAuth;
bool bNTLMAuth;
+ bool bRawNTLMv2Auth;
bool bUseSpnego;
bool bClientLanManAuth;
bool bClientNTLMv2Auth;
@@ -1383,6 +1384,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "raw NTLMv2 auth",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bRawNTLMv2Auth,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "client NTLMv2 auth",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5337,6 +5347,7 @@ static void init_globals(bool reinit_glo
Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
@@ -5819,6 +5830,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domai
FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
+FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -30,6 +30,7 @@
#include "../lib/util/util_pw.h"
#include "lib/winbind_util.h"
#include "passdb.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(st
const char *client_domain,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
+ bool allow_raw = lp_raw_ntlmv2_auth();
+
+ if (!allow_raw && nt_resp.length >= 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes
+ * and should only be supported via NTLMSSP.
+ */
+ DEBUG(2,("Rejecting raw NTLMv2 authentication with "
+ "user [%s\\%s]\n",
+ client_domain, smb_name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return make_user_info_map(user_info, smb_name,
client_domain,
get_remote_machine_name(),
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -127,6 +127,7 @@ sub setup_dc($$)
domain master = yes
domain logons = yes
lanman auth = yes
+ raw NTLMv2 auth = yes
";
my $vars = $self->provision($path,
@@ -230,6 +231,7 @@ sub setup_secserver($$$)
my $secserver_options = "
security = server
password server = $s3dcvars->{SERVER_IP}
+ client ntlmv2 auth = no
";
my $ret = $self->provision($prefix,

129
package/network/services/samba36/patches/025-CVE-2016-2112-v3-6.patch
View File

@ -1,129 +0,0 @@
From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
ntlmssp_have_feature()
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/include/proto.h | 1 +
source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
return NT_STATUS_OK;
}
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+ uint32_t feature)
+{
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SEAL) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+ if (ntlmssp_state->session_key.length > 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/**
* Request features for the NTLMSSP negotiation
*
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
/* we have a reference conter on ntlmssp_state, if we are signing
then the state will be kept by the signing engine */
+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
</para>
<para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">plain</value>
+<value type="default">sign</value>
</samba:parameter>
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/

256
package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch
View File

@ -1,256 +0,0 @@
From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 12 ++++++++++++
4 files changed, 39 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport inside of winbind. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</para>
</description>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
int lp_winbind_reconnect_delay(void);
int lp_winbind_max_clients(void);
const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
int lp_client_signing(void);
+int lp_client_ipc_signing(void);
int lp_server_signing(void);
int lp_client_ldap_sasl_wrapping(void);
char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
int winbind_expand_groups;
bool bWinbindRefreshTickets;
bool bWinbindOfflineLogon;
+ bool bWinbindSealedPipes;
bool bWinbindNormalizeNames;
bool bWinbindRpcOnly;
bool bCreateKrb5Conf;
@@ -366,6 +367,7 @@ struct global {
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
+ int client_ipc_signing;
int server_signing;
int client_ldap_sasl_wrapping;
int iUsershareMaxShares;
@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "client ipc signing",
+ .type = P_ENUM,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_ipc_signing,
+ .special = NULL,
+ .enum_list = enum_smb_signing_vals,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "server signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind sealed pipes",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bWinbindSealedPipes,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind normalize names",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.bWinbindSealedPipes = True;
Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
Globals.bClientUseSpnego = True;
Globals.client_signing = Auto;
+ Globals.client_ipc_signing = Required;
Globals.server_signing = False;
Globals.bDeferSharingViolations = True;
@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
}
+ if (!lp_is_in_client()) {
+ switch (lp_client_ipc_signing()) {
+ case Required:
+ lp_set_cmdline("client signing", "mandatory");
+ break;
+ case Auto:
+ lp_set_cmdline("client signing", "auto");
+ break;
+ case False:
+ lp_set_cmdline("client signing", "disabled");
+ break;
+ }
+ }
+
init_iconv();
bAllowIncludeRegistry = true;
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
"", /* username */
"", /* domain */
"", /* password */
- 0, lp_client_signing());
+ 0, False);
if ( !NT_STATUS_IS_OK( ret ) ) {
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
TALLOC_FREE(conn->samr_pipe);
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
/* Finally fall back to anonymous. */
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc.syntax_id,
&conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
no_schannel:
if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(netlogon_pipe);
+ invalidate_cm_connection(conn);
+ return result;
+ }
/*
* NetSamLogonEx only works for schannel
*/

308
package/network/services/samba36/patches/027-CVE-2016-2118-v3-6.patch
View File

@ -1,308 +0,0 @@
From d68424b5ef92f5810760f90e9eeb664572a61e4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Dec 2015 14:49:36 +0100
Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
---
source3/rpcclient/rpcclient.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -1062,10 +1062,9 @@ out_free:
}
}
if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
- /* If neither Integrity or Privacy are requested then
- * Use just Connect level */
+ /* If nothing is requested then default to integrity */
if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
- pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
}
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_au
/* Perform an authenticated DCE-RPC bind
*/
- if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
+ if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
/*
we are doing an authenticated connection,
- but not using sign or seal. We must force
- the CONNECT dcerpc auth type as a NONE auth
- type doesn't allow authentication
- information to be passed.
+ which needs to use [connect], [sign] or [seal].
+ If nothing is specified, we default to [sign] now.
+ This give roughly the same protection as
+ ncacn_np with smb signing.
*/
- conn->flags |= DCERPC_CONNECT;
+ conn->flags |= DCERPC_SIGN;
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="allow dcerpc auth level connect"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether DCERPC services are allowed to
+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+ but no per message integrity nor privacy protection.</para>
+
+ <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+
+ <para>This option yields precedence to the implentation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
void lp_set_passdb_backend(const char *backend);
void widelinks_warning(int snum);
char *lp_ncalrpc_dir(void);
+bool lp_allow_dcerpc_auth_level_connect(void);
/* The following definitions come from param/loadparm_server_role.c */
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -355,6 +355,7 @@ struct global {
bool bUseMmap;
bool bHostnameLookups;
bool bUnixExtensions;
+ bool bAllowDcerpcAuthLevelConnect;
bool bDisableNetbios;
char * szDedicatedKeytabFile;
int iKerberosMethod;
@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "allow dcerpc auth level connect",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "use spnego",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_glo
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
+
Globals.map_to_guest = 0; /* By Default, "Never" */
Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
Globals.enhanced_browsing = true;
@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_
FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
uint32 context_id;
struct ndr_syntax_id syntax;
+ /*
+ * shall we allow "connect" auth level for this interface ?
+ */
+ bool allow_connect;
} PIPE_RPC_FNS;
/*
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -44,6 +44,11 @@
#include "rpc_server/srv_pipe.h"
#include "../librpc/gen_ndr/ndr_dcerpc.h"
#include "../librpc/ndr/ndr_dcerpc.h"
+#include "../librpc/gen_ndr/ndr_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -340,6 +345,8 @@ static bool check_bind_req(struct pipes_
uint32 context_id)
{
struct pipe_rpc_fns *context_fns;
+ const char *interface_name = NULL;
+ bool ok;
DEBUG(3,("check_bind_req for %s\n",
get_pipe_name_from_syntax(talloc_tos(), abstract)));
@@ -390,12 +397,57 @@ static bool check_bind_req(struct pipes_
return False;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ abstract);
+
+ SMB_ASSERT(interface_name != NULL);
+
context_fns->next = context_fns->prev = NULL;
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
context_fns->context_id = context_id;
context_fns->syntax = *abstract;
+ context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+ /*
+ * for the samr and the lsarpc interfaces we don't allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ /*
+ * for the epmapper and echo interfaces we allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ /*
+ * every interface can be modified to allow "connect" auth_level by
+ * using a parametric option like:
+ * allow dcerpc auth level connect:<interface>
+ * e.g.
+ * allow dcerpc auth level connect:samr = yes
+ */
+ context_fns->allow_connect = lp_parm_bool(-1,
+ "allow dcerpc auth level connect",
+ interface_name, context_fns->allow_connect);
+
/* add to the list of open contexts */
DLIST_ADD( p->contexts, context_fns );
@@ -1736,6 +1788,7 @@ static bool api_pipe_request(struct pipe
TALLOC_CTX *frame = talloc_stackframe();
bool ret = False;
PIPE_RPC_FNS *pipe_fns;
+ const char *interface_name = NULL;
if (!p->pipe_bound) {
DEBUG(1, ("Pipe not bound!\n"));
@@ -1757,8 +1810,36 @@ static bool api_pipe_request(struct pipe
return false;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ &pipe_fns->syntax);
+
+ SMB_ASSERT(interface_name != NULL);
+
DEBUG(5, ("Requested \\PIPE\\%s\n",
- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
+ interface_name));
+
+ switch (p->auth.auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ break;
+ default:
+ if (!pipe_fns->allow_connect) {
+ DEBUG(1, ("%s: restrict auth_level_connect access "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__, interface_name,
+ p->auth.auth_type,
+ p->auth.auth_level,
+ derpc_transport_string_by_transport(p->transport),
+ p->client_id->name));
+
+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+ TALLOC_FREE(frame);
+ return true;
+ }
+ break;
+ }
if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -18,3 +18,5 @@ samba3.posix_s3.nbt.dgram.*netlogon2
samba3.*rap.sam.*.useradd # Not provided by Samba 3
samba3.*rap.sam.*.userdelete # Not provided by Samba 3
samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -201,6 +201,8 @@ if sub.returncode == 0:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
+ elif t == "rpc.samr.passwords.validate":
+ plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
else:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct p
struct samr_GetDomPwInfo pw;
struct samr_PwInfo dom_pw_info;
+ if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (r->in.level < 1 || r->in.level > 3) {
return NT_STATUS_INVALID_INFO_CLASS;
}

59
package/network/services/samba36/patches/028-CVE-2016-2125-v3.6.patch
View File

@ -1,59 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 28 Dec 2016 19:21:49 +0100
Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
This is a backport of upstream commits
b1a056f77e793efc45df34ab7bf78fbec1bf8a59
b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
---
source3/librpc/crypto/gse.c | 1 -
source3/libsmb/clifsinfo.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
&es->s.gss_state->gss_ctx,
srv_name,
GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
GSS_C_INDEFINITE, /* requested ticket lifetime. */
NULL, /* no channel bindings */
p_tok_in,
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,

6
package/network/services/samba36/patches/029-CVE-2017-7494-v3-6.patch
View File

@ -15,9 +15,9 @@ Reviewed-by: Stefan Metzmacher <metze@samba.org>
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f
pipename += 1;
}
@@ -383,6 +383,11 @@ bool is_known_pipename(const char *pipen
{
NTSTATUS status;
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));

40
package/network/services/samba36/patches/030-CVE-2017-15275-v3.6.patch
View File

@ -1,40 +0,0 @@
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;

136
package/network/services/samba36/patches/031-CVE-2017-12163-v3.6.patch
View File

@ -1,136 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:02:03 +0200
Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Author: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
SMB_OFF_T startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
SMB_OFF_T startpos;
const char *data;
@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
return;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
SMB_OFF_T startpos;
@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);

75
package/network/services/samba36/patches/032-CVE-2017-12150-v3.6.patch
View File

@ -1,75 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:01:34 +0200
Subject: CVE-2017-12150
These are the three upstream patches
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
---
libgpo/gpo_fetch.c | 2 +-
source3/lib/util_cmdline.c | 3 +++
source3/libsmb/clidfs.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
return auth_info->signing_state;
}
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
/* If a password was not supplied then
* try again with a null username. */
if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
!NT_STATUS_IS_OK(cli_session_setup(c, "",
"", 0,
"", 0,

49
package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch
View File

@ -1,49 +0,0 @@
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 2 Jan 2018 15:56:03 -0800
Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -176,6 +176,11 @@ static void prune_printername_cache(void
static const char *canon_servername(const char *servername)
{
const char *pservername = servername;
+
+ if (servername == NULL) {
+ return "";
+ }
+
while (*pservername == '\\') {
pservername++;
}
@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if ((version = get_version_id(r->in.architecture)) == -1)
@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if (get_version_id(r->in.architecture) == -1) {
/* this is what NT returns */

14
package/network/services/samba36/patches/100-configure_fixes.patch
View File

@ -1,14 +0,0 @@
--- a/source3/configure
+++ b/source3/configure
@@ -13294,10 +13294,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINF
# see bug 5910, use our replacements if we detect
# a broken system.
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ $as_echo "assuming valid getaddrinfo without bug 5910" >&2
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */

85
package/network/services/samba36/patches/110-multicall.patch
View File

@ -1,8 +1,10 @@
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -73,22 +73,22 @@ LDAP_LIBS=@LDAP_LIBS@
Index: samba-4.0.26/source3/Makefile.in
===================================================================
--- samba-4.0.26.orig/source3/Makefile.in
+++ samba-4.0.26/source3/Makefile.in
@@ -103,25 +103,25 @@ KRB5LIBS=@KRB5_LIBS@
LDAP_LIBS=@LDAP_LIBS@
NSCD_LIBS=@NSCD_LIBS@
UUID_LIBS=@UUID_LIBS@
LIBWBCLIENT=@LIBWBCLIENT_STATIC@ @LIBWBCLIENT_SHARED@
-LIBWBCLIENT_LIBS=@LIBWBCLIENT_LIBS@
+LIBWBCLIENT_LIBS=@LIBWBCLIENT_STATIC@
@ -11,32 +13,36 @@
DNSSD_LIBS=@DNSSD_LIBS@
AVAHI_LIBS=@AVAHI_LIBS@
POPT_LIBS=@POPTLIBS@
LIBTALLOC=@LIBTALLOC_STATIC@ @LIBTALLOC_SHARED@
LIBTALLOC=@LIBTALLOC_STATIC@
-LIBTALLOC_LIBS=@LIBTALLOC_LIBS@
+LIBTALLOC_LIBS=@LIBTALLOC_STATIC@
LIBTEVENT=@LIBTEVENT_STATIC@ @LIBTEVENT_SHARED@
LIBTEVENT=@LIBTEVENT_STATIC@
LIBTEVENT_LIBS=@LIBTEVENT_LIBS@
LIBREPLACE_LIBS=@LIBREPLACE_LIBS@
LIBTDB=@LIBTDB_STATIC@ @LIBTDB_SHARED@
LIBTDB=@LIBTDB_STATIC@
-LIBTDB_LIBS=@LIBTDB_LIBS@
+LIBTDB_LIBS=@LIBTDB_STATIC@
TDB_DEPS=@TDB_DEPS@
LIBNTDB=@LIBNTDB_STATIC@
LIBNTDB_LIBS=@LIBNTDB_LIBS@
NTDB_DEPS=@NTDB_DEPS@
LIBNETAPI=@LIBNETAPI_STATIC@ @LIBNETAPI_SHARED@
-LIBNETAPI_LIBS=@LIBNETAPI_LIBS@
+LIBNETAPI_LIBS=@LIBNETAPI_STATIC@
LIBSMBCLIENT_LIBS=@LIBSMBCLIENT_LIBS@
LIBSMBSHAREMODES_LIBS=@LIBSMBSHAREMODES_LIBS@
@@ -216,7 +216,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_P
@@ -210,7 +210,8 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_P
# Note that all executable programs now provide for an optional executable suffix.
-SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
-SBIN_PROGS = bin/smbd bin/nmbd @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+SBIN_PROGS = bin/samba_multicall@EXEEXT@ bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
+
BIN_PROGS1 = bin/smbclient@EXEEXT@ bin/net@EXEEXT@ bin/smbspool@EXEEXT@ \
bin/testparm@EXEEXT@ bin/smbstatus@EXEEXT@ bin/smbget@EXEEXT@ \
@@ -1799,6 +1799,42 @@ bin/.dummy:
BIN_PROGS1 = bin/smbclient bin/net bin/smbspool \
bin/testparm bin/smbstatus bin/smbget \
@@ -1851,6 +1852,42 @@ bin/.dummy:
dir=bin $(MAKEDIR); fi
@: >> $@ || : > $@ # what a fancy emoticon!
@ -76,12 +82,30 @@
+ $(POPT_LIBS) @SMBD_LIBS@ $(LIBTALLOC_LIBS) $(LIBTEVENT_LIBS) $(LIBTDB_LIBS) \
+ $(LIBWBCLIENT_LIBS) $(ZLIB_LIBS)
+
bin/smbd@EXEEXT@: $(BINARY_PREREQS) $(SMBD_OBJ) $(LIBTALLOC) $(LIBTEVENT) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@
bin/smbd: $(BINARY_PREREQS) $(SMBD_OBJ) $(LIBTALLOC) $(LIBTEVENT) $(LIBTDB) $(LIBWBCLIENT) @BUILD_POPT@
@echo Linking $@
@$(CC) -o $@ $(SMBD_OBJ) $(LDFLAGS) $(LDAP_LIBS) @SMBD_FAM_LIBS@ \
Index: samba-4.0.26/source3/configure
===================================================================
--- samba-4.0.26.orig/source3/configure
+++ samba-4.0.26/source3/configure
@@ -14396,10 +14396,7 @@ if test x"$libreplace_cv_HAVE_GETADDRINF
# see bug 5910, use our replacements if we detect
# a broken system.
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ $as_echo "assuming valid getaddrinfo without bug 5910" >&2
else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
Index: samba-4.0.26/source3/multi.c
===================================================================
--- /dev/null
+++ b/source3/multi.c
@@ -0,0 +1,35 @@
+++ samba-4.0.26/source3/multi.c
@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <string.h>
+
@ -90,30 +114,31 @@
+extern int smbpasswd_main(int argc, char **argv);
+
+static struct {
+ const char *name;
+ int (*func)(int argc, char **argv);
+ const char *name;
+ int (*func)(int argc, char **argv);
+} multicall[] = {
+ { "smbd", smbd_main },
+ { "nmbd", nmbd_main },
+ { "smbpasswd", smbpasswd_main },
+ { "smbd", smbd_main },
+ { "nmbd", nmbd_main },
+ { "smbpasswd", smbpasswd_main },
+};
+
+#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))
+
+int main(int argc, char **argv)
+{
+ int i;
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(multicall); i++) {
+ if (strstr(argv[0], multicall[i].name))
+ return multicall[i].func(argc, argv);
+ }
+ for (i = 0; i < ARRAY_SIZE(multicall); i++) {
+ if (strstr(argv[0], multicall[i].name))
+ return multicall[i].func(argc, argv);
+ }
+
+ fprintf(stderr, "Invalid multicall command, available commands:");
+ for (i = 0; i < ARRAY_SIZE(multicall); i++)
+ fprintf(stderr, " %s", multicall[i].name);
+ fprintf(stderr, "Invalid multicall command, available commands:");
+ for (i = 0; i < ARRAY_SIZE(multicall); i++)
+ fprintf(stderr, " %s", multicall[i].name);
+
+ fprintf(stderr, "\n");
+ fprintf(stderr, "\n");
+
+ return 1;
+ return 1;
+}
+

281
package/network/services/samba36/patches/111-owrt_smbpasswd.patch
View File

@ -1,281 +0,0 @@
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1025,7 +1025,7 @@ TEST_LP_LOAD_OBJ = param/test_lp_load.o
PASSWD_UTIL_OBJ = utils/passwd_util.o
-SMBPASSWD_OBJ = utils/smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
+SMBPASSWD_OBJ = utils/owrt_smbpasswd.o $(PASSWD_UTIL_OBJ) $(PASSCHANGE_OBJ) \
$(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
$(GROUPDB_OBJ) $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) \
$(POPT_LIB_OBJ) $(SMBLDAP_OBJ) \
@@ -1813,7 +1813,7 @@ nmbd/nmbd_multicall.o: nmbd/nmbd.c nmbd/
echo "$(COMPILE_CC_PATH)" 1>&2;\
$(COMPILE_CC_PATH) >/dev/null 2>&1
-utils/smbpasswd_multicall.o: utils/smbpasswd.c utils/smbpasswd.o
+utils/smbpasswd_multicall.o: utils/owrt_smbpasswd.c utils/owrt_smbpasswd.o
@echo Compiling $<.c
@$(COMPILE_CC_PATH) -Dmain=smbpasswd_main && exit 0;\
echo "The following command failed:" 1>&2;\
@@ -1822,7 +1822,7 @@ utils/smbpasswd_multicall.o: utils/smbpa
SMBD_MULTI_O = $(patsubst smbd/server.o,smbd/server_multicall.o,$(SMBD_OBJ))
NMBD_MULTI_O = $(patsubst nmbd/nmbd.o,nmbd/nmbd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(NMBD_OBJ)))
-SMBPASSWD_MULTI_O = $(patsubst utils/smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
+SMBPASSWD_MULTI_O = $(patsubst utils/owrt_smbpasswd.o,utils/smbpasswd_multicall.o,$(filter-out $(LIB_DUMMY_OBJ),$(SMBPASSWD_OBJ)))
MULTI_O = multi.o
MULTICALL_O = $(sort $(SMBD_MULTI_O) $(NMBD_MULTI_O) $(SMBPASSWD_MULTI_O) $(MULTI_O))
--- /dev/null
+++ b/source3/utils/owrt_smbpasswd.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2012 Felix Fietkau <nbd@nbd.name>
+ * Copyright (C) 2008 John Crispin <blogic@openwrt.org>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc., 675
+ * Mass Ave, Cambridge, MA 02139, USA. */
+
+#include "includes.h"
+#include <endian.h>
+#include <stdio.h>
+
+static char buf[256];
+
+static void md4hash(const char *passwd, uchar p16[16])
+{
+ int len;
+ smb_ucs2_t wpwd[129];
+ int i;
+
+ len = strlen(passwd);
+ for (i = 0; i < len; i++) {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ wpwd[i] = (unsigned char)passwd[i];
+#else
+ wpwd[i] = (unsigned char)passwd[i] << 8;
+#endif
+ }
+ wpwd[i] = 0;
+
+ len = len * sizeof(int16);
+ mdfour(p16, (unsigned char *)wpwd, len);
+ ZERO_STRUCT(wpwd);
+}
+
+
+static bool find_passwd_line(FILE *fp, const char *user, char **next)
+{
+ char *p1;
+
+ while (!feof(fp)) {
+ if(!fgets(buf, sizeof(buf) - 1, fp))
+ continue;
+
+ p1 = strchr(buf, ':');
+
+ if (p1 - buf != strlen(user))
+ continue;
+
+ if (strncmp(buf, user, p1 - buf) != 0)
+ continue;
+
+ if (next)
+ *next = p1;
+ return true;
+ }
+ return false;
+}
+
+/* returns -1 if user is not present in /etc/passwd*/
+static int find_uid_for_user(const char *user)
+{
+ FILE *fp;
+ char *p1, *p2, *p3;
+ int ret = -1;
+
+ fp = fopen("/etc/passwd", "r");
+ if (!fp) {
+ printf("failed to open /etc/passwd");
+ goto out;
+ }
+
+ if (!find_passwd_line(fp, user, &p1)) {
+ printf("User %s not found or invalid in /etc/passwd\n", user);
+ goto out;
+ }
+
+ p2 = strchr(p1 + 1, ':');
+ if (!p2)
+ goto out;
+
+ p2++;
+ p3 = strchr(p2, ':');
+ if (!p1)
+ goto out;
+
+ *p3 = '\0';
+ ret = atoi(p2);
+
+out:
+ if(fp)
+ fclose(fp);
+ return ret;
+}
+
+static void smbpasswd_write_user(FILE *fp, const char *user, int uid, const char *password)
+{
+ static uchar nt_p16[NT_HASH_LEN];
+ int len = 0;
+ int i;
+
+ md4hash(strdup(password), nt_p16);
+
+ len += snprintf(buf + len, sizeof(buf) - len, "%s:%u:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:", user, uid);
+ for(i = 0; i < NT_HASH_LEN; i++)
+ len += snprintf(buf + len, sizeof(buf) - len, "%02X", nt_p16[i]);
+
+ snprintf(buf + len, sizeof(buf) - len, ":[U ]:LCT-00000001:\n");
+ fputs(buf, fp);
+}
+
+static void smbpasswd_delete_user(FILE *fp)
+{
+ fpos_t r_pos, w_pos;
+ int len = strlen(buf);
+
+ fgetpos(fp, &r_pos);
+ fseek(fp, -len, SEEK_CUR);
+ fgetpos(fp, &w_pos);
+ fsetpos(fp, &r_pos);
+
+ while (fgets(buf, sizeof(buf) - 1, fp)) {
+ int cur_len = strlen(buf);
+
+ fsetpos(fp, &w_pos);
+ fputs(buf, fp);
+ fgetpos(fp, &w_pos);
+
+ fsetpos(fp, &r_pos);
+ fseek(fp, cur_len, SEEK_CUR);
+ fgetpos(fp, &r_pos);
+ }
+
+ fsetpos(fp, &w_pos);
+ ftruncate(fileno(fp), ftello(fp));
+}
+
+static int usage(const char *progname)
+{
+ fprintf(stderr,
+ "Usage: %s [options] <username>\n"
+ "\n"
+ "Options:\n"
+ " -s read password from stdin\n"
+ " -a add user\n"
+ " -x delete user\n",
+ progname);
+ return 1;
+}
+
+int main(int argc, char **argv)
+{
+ const char *prog = argv[0];
+ const char *user;
+ char *pw1, *pw2;
+ FILE *fp;
+ bool add = false, delete = false, get_stdin = false, found;
+ int ch;
+ int uid;
+
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ while ((ch = getopt(argc, argv, "asx")) != EOF) {
+ switch (ch) {
+ case 's':
+ get_stdin = true;
+ break;
+ case 'a':
+ add = true;
+ break;
+ case 'x':
+ delete = true;
+ break;
+ default:
+ return usage(prog);
+ }
+ }
+
+ if (add && delete)
+ return usage(prog);
+
+ argc -= optind;
+ argv += optind;
+
+ if (!argc)
+ return usage(prog);
+
+ user = argv[0];
+ if (!delete) {
+ uid = find_uid_for_user(user);
+ if (uid < 0) {
+ fprintf(stderr, "Could not find user '%s' in /etc/passwd\n", user);
+ return 2;
+ }
+ }
+
+ fp = fopen("/etc/samba/smbpasswd", "r+");
+ if(!fp) {
+ fprintf(stderr, "Failed to open /etc/samba/smbpasswd");
+ return 3;
+ }
+
+ found = find_passwd_line(fp, user, NULL);
+ if (!add && !found) {
+ fprintf(stderr, "Could not find user '%s' in /etc/samba/smbpasswd\n", user);
+ return 3;
+ }
+
+ if (delete) {
+ smbpasswd_delete_user(fp);
+ goto out;
+ }
+
+ pw1 = get_pass("New SMB password:", get_stdin);
+ if (!pw1)
+ pw1 = strdup("");
+
+ pw2 = get_pass("Retype SMB password:", get_stdin);
+ if (!pw2)
+ pw2 = strdup("");
+
+ if (strcmp(pw1, pw2) != 0) {
+ fprintf(stderr, "Mismatch - password unchanged.\n");
+ goto out_free;
+ }
+
+ if (found)
+ fseek(fp, -strlen(buf), SEEK_CUR);
+ smbpasswd_write_user(fp, user, uid, pw2);
+
+out_free:
+ free(pw1);
+ free(pw2);
+out:
+ fclose(fp);
+ TALLOC_FREE(frame);
+
+ return 0;
+}

19
package/network/services/samba36/patches/120-add_missing_ifdef.patch
View File

@ -1,6 +1,6 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -119,9 +119,11 @@ static bool initialize_interfaces(void)
@@ -120,9 +120,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
@ -14,7 +14,7 @@
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -628,7 +628,9 @@ static struct cmd_set *rpcclient_command
@@ -631,7 +631,9 @@ static struct cmd_set *rpcclient_command
netlogon_commands,
srvsvc_commands,
dfs_commands,
@ -24,18 +24,3 @@
epmapper_commands,
shutdown_commands,
test_commands,
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -433,10 +433,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = true;
}
+#ifdef DEVELOPER
ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
if (ok) {
context_fns->allow_connect = true;
}
+#endif
/*
* every interface can be modified to allow "connect" auth_level by
* using a parametric option like:

205
package/network/services/samba36/patches/200-remove_printer_support.patch
View File

@ -1,19 +1,21 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -1110,6 +1110,10 @@ bool dcesrv_ep_setup(struct tevent_conte
"rpc_server",
"spoolss",
"embedded");
+#ifndef PRINTER_SUPPORT
+ if (1) {
+ } else
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -501,10 +501,12 @@
goto done;
}
+#ifdef PRINTER_SUPPORT
ok = rpc_setup_spoolss(ev_ctx, msg_ctx);
if (!ok) {
goto done;
}
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0) {
spoolss_cb.init = spoolss_init_cb;
spoolss_cb.shutdown = spoolss_shutdown_cb;
ok = rpc_setup_svcctl(ev_ctx, msg_ctx);
if (!ok) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -624,7 +624,9 @@ static struct cmd_set *rpcclient_command
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
lsarpc_commands,
ds_commands,
samr_commands,
@ -23,11 +25,39 @@
netlogon_commands,
srvsvc_commands,
dfs_commands,
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -114,9 +114,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -86,9 +86,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/printing/spoolssd.c
+++ b/source3/printing/spoolssd.c
@@ -165,6 +165,10 @@ void start_spoolssd(struct tevent_contex
NTSTATUS status;
@@ -615,6 +615,10 @@ void start_spoolssd(struct tevent_contex
int ret;
bool ok;
+#ifndef PRINTER_SUPPORT
+ return;
@ -35,10 +65,10 @@
+
DEBUG(1, ("Forking SPOOLSS Daemon\n"));
pid = sys_fork();
/*
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7841,6 +7841,10 @@ int net_rpc_printer(struct net_context *
@@ -7879,6 +7879,10 @@ int net_rpc_printer(struct net_context *
{NULL, NULL, 0, NULL, NULL}
};
@ -51,7 +81,7 @@
d_printf(_("Usage:\n"));
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5255,7 +5255,11 @@ void reply_printopen(struct smb_request
@@ -5497,7 +5497,11 @@ void reply_printopen(struct smb_request
return;
}
@ -64,7 +94,7 @@
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplopen);
return;
@@ -5361,7 +5365,10 @@ void reply_printqueue(struct smb_request
@@ -5603,7 +5607,10 @@ void reply_printqueue(struct smb_request
is really quite gross and only worked when there was only
one printer - I think we should now only accept it if they
get it right (tridge) */
@ -100,7 +130,7 @@
if (!param_format || !output_format1 || !p) {
return False;
}
@@ -3105,6 +3113,10 @@ static bool api_RDosPrintJobDel(struct s
@@ -3107,6 +3115,10 @@ static bool api_RDosPrintJobDel(struct s
struct spoolss_DevmodeContainer devmode_ctr;
enum spoolss_JobControl command;
@ -111,7 +141,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -3238,6 +3250,10 @@ static bool api_WPrintQueueCtrl(struct s
@@ -3240,6 +3252,10 @@ static bool api_WPrintQueueCtrl(struct s
struct sec_desc_buf secdesc_ctr;
enum spoolss_PrinterControl command;
@ -122,7 +152,7 @@
if (!str1 || !str2 || !QueueName) {
return False;
}
@@ -3404,6 +3420,10 @@ static bool api_PrintJobInfo(struct smbd
@@ -3406,6 +3422,10 @@ static bool api_PrintJobInfo(struct smbd
union spoolss_JobInfo info;
struct spoolss_SetJobInfo1 info1;
@ -133,7 +163,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -4547,6 +4567,10 @@ static bool api_WPrintJobGetInfo(struct
@@ -4555,6 +4575,10 @@ static bool api_WPrintJobGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_JobInfo info;
@ -144,7 +174,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -4685,6 +4709,10 @@ static bool api_WPrintJobEnumerate(struc
@@ -4693,6 +4717,10 @@ static bool api_WPrintJobEnumerate(struc
uint32_t count = 0;
union spoolss_JobInfo *info;
@ -155,7 +185,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -4890,6 +4918,10 @@ static bool api_WPrintDestGetInfo(struct
@@ -4898,6 +4926,10 @@ static bool api_WPrintDestGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_PrinterInfo info;
@ -166,7 +196,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -5026,6 +5058,10 @@ static bool api_WPrintDestEnum(struct sm
@@ -5034,6 +5066,10 @@ static bool api_WPrintDestEnum(struct sm
union spoolss_PrinterInfo *info;
uint32_t count;
@ -177,7 +207,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -5129,6 +5165,10 @@ static bool api_WPrintDriverEnum(struct
@@ -5137,6 +5173,10 @@ static bool api_WPrintDriverEnum(struct
int succnt;
struct pack_desc desc;
@ -188,7 +218,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -5193,6 +5233,10 @@ static bool api_WPrintQProcEnum(struct s
@@ -5201,6 +5241,10 @@ static bool api_WPrintQProcEnum(struct s
int succnt;
struct pack_desc desc;
@ -199,7 +229,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -5257,6 +5301,10 @@ static bool api_WPrintPortEnum(struct sm
@@ -5265,6 +5309,10 @@ static bool api_WPrintPortEnum(struct sm
int succnt;
struct pack_desc desc;
@ -212,7 +242,7 @@
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -141,7 +141,9 @@ static void exit_server_common(enum serv
@@ -186,7 +186,9 @@ static void exit_server_common(enum serv
rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
@ -224,7 +254,7 @@
rpc_winreg_shutdown();
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1608,6 +1608,9 @@ static NTSTATUS open_file_ntcreate(conne
@@ -1986,6 +1986,9 @@ static NTSTATUS open_file_ntcreate(conne
* Most of the passed parameters are ignored.
*/
@ -236,8 +266,8 @@
}
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -643,6 +643,9 @@ static NTSTATUS close_normal_file(struct
status = ntstatus_keeperror(status, tmp);
@@ -831,6 +831,9 @@ static NTSTATUS close_normal_file(struct
}
if (fsp->print_file) {
+#ifndef PRINTER_SUPPORT
@ -248,7 +278,7 @@
file_free(req, fsp);
--- a/source3/smbd/fileio.c
+++ b/source3/smbd/fileio.c
@@ -298,6 +298,10 @@ ssize_t write_file(struct smb_request *r
@@ -318,6 +318,10 @@ ssize_t write_file(struct smb_request *r
uint32_t t;
int ret;
@ -261,9 +291,9 @@
errno = ret;
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -486,7 +486,10 @@ static struct tevent_req *smbd_smb2_crea
info = FILE_WAS_OPENED;
} else if (CAN_PRINT(smb1req->conn)) {
@@ -525,7 +525,10 @@ static struct tevent_req *smbd_smb2_crea
}
status = file_new(smb1req, smb1req->conn, &result);
- if(!NT_STATUS_IS_OK(status)) {
+#ifdef PRINTER_SUPPORT
@ -273,37 +303,9 @@
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -85,9 +85,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -113,9 +113,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2423,8 +2423,10 @@ static bool housekeeping_fn(const struct
@@ -2691,8 +2691,10 @@ static bool housekeeping_fn(const struct
change_to_root_user();
@ -316,31 +318,52 @@
check_reload(sconn, time_mono(NULL));
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -123,7 +123,9 @@ static void smb_pcap_updated(struct mess
{
struct tevent_context *ev_ctx =
talloc_get_type_abort(private_data, struct tevent_context);
-
+#ifndef PRINTER_SUPPORT
+ return;
+#endif
DEBUG(10,("Got message saying pcap was updated. Reloading.\n"));
change_to_root_user();
reload_printers(ev_ctx, msg);
@@ -1277,6 +1279,7 @@ extern void build_options(bool screen);
* The print backend init also migrates the printing tdb's,
* this requires a winreg pipe.
*/
+#ifdef PRINTER_SUPPORT
if (!print_backend_init(smbd_messaging_context()))
exit(1);
@@ -1315,7 +1318,7 @@ extern void build_options(bool screen);
smbd_messaging_context());
@@ -1486,6 +1486,7 @@
start_lsasd(ev_ctx, msg_ctx);
}
+#ifdef PRINTER_SUPPORT
if (!lp__disable_spoolss() &&
(rpc_spoolss_daemon() != RPC_DAEMON_DISABLED)) {
bool bgq = lp_parm_bool(-1, "smbd", "backgroundqueue", true);
@@ -1499,6 +1502,7 @@
if (!printing_subsystem_init(ev_ctx, msg_ctx, false, false)) {
exit(1);
}
}
-
+#endif
}
if (!is_daemon) {
/* inetd mode */
TALLOC_FREE(frame);
@@ -1531,12 +1533,14 @@
if (!open_sockets_smbd(parent, ev_ctx, msg_ctx, ports))
exit_server("open_sockets_smbd() failed");
+#ifdef PRINTER_SUPPORT
/* do a printer update now that all messaging has been set up,
* before we allow clients to start connecting */
if (!lp__disable_spoolss() &&
(rpc_spoolss_daemon() != RPC_DAEMON_DISABLED)) {
printing_subsystem_update(ev_ctx, msg_ctx, false);
}
+#endif
TALLOC_FREE(frame);
/* make sure we always have a valid stackframe */
--- a/source3/printing/pcap.c 2013-02-04 00:05:58.830980941 +0100
+++ b/source3/printing/pcap.c 2013-02-04 00:06:53.633937357 +0100
@@ -132,6 +132,7 @@
void (*post_cache_fill_fn)(struct tevent_context *,
struct messaging_context *))
{
+#ifdef PRINTER_SUPPORT
const char *pcap_name = lp_printcapname();
bool pcap_reloaded = False;
bool post_cache_fill_fn_handled = false;
@@ -200,6 +201,7 @@
pcap_cache_destroy_specific(&pcache);
return;
+#endif
}

88
package/network/services/samba36/patches/210-remove_ad_support.patch
View File

@ -1,88 +0,0 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -95,9 +95,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
@@ -141,9 +143,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
+#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
return false;
}
+#endif
return true;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -918,6 +918,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -966,6 +967,7 @@ static bool dssetup_init_cb(void *ptr)
return true;
}
+#endif
static bool wkssvc_init_cb(void *ptr)
{
@@ -1172,12 +1174,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
#endif
+#ifdef ACTIVE_DIRECTORY
dssetup_cb.init = dssetup_init_cb;
dssetup_cb.shutdown = NULL;
dssetup_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_dssetup_init(&dssetup_cb))) {
return false;
}
+#endif
wkssvc_cb.init = wkssvc_init_cb;
wkssvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -132,7 +132,9 @@ static void exit_server_common(enum serv
if (am_parent) {
rpc_wkssvc_shutdown();
+#ifdef ACTIVE_DIRECTORY
rpc_dssetup_shutdown();
+#endif
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3391,12 +3391,14 @@ NTSTATUS cli_rpc_pipe_open_noauth_transp
status = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(status)) {
int lvl = 0;
+#ifdef ACTIVE_DIRECTORY
if (ndr_syntax_id_equal(interface,
&ndr_table_dssetup.syntax_id)) {
/* non AD domains just don't have this pipe, avoid
* level 0 statement in that case - gd */
lvl = 3;
}
+#endif
DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
"%s failed with error %s\n",
get_pipe_name_from_syntax(talloc_tos(), interface),

106
package/network/services/samba36/patches/220-remove_services.patch
View File

@ -1,6 +1,38 @@
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -508,6 +508,7 @@
}
#endif
+#ifdef EXTRA_SERVICES
ok = rpc_setup_svcctl(ev_ctx, msg_ctx);
if (!ok) {
goto done;
@@ -522,6 +523,7 @@
if (!ok) {
goto done;
}
+#endif
ok = rpc_setup_initshutdown(ev_ctx, msg_ctx);
if (!ok) {
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -183,9 +183,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -131,6 +131,7 @@ static bool initialize_interfaces(void)
@@ -130,6 +130,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
return false;
}
@ -8,7 +40,7 @@
if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
return false;
}
@@ -140,6 +141,7 @@ static bool initialize_interfaces(void)
@@ -139,6 +140,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
return false;
}
@ -16,75 +48,9 @@
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -697,6 +697,7 @@ static bool spoolss_shutdown_cb(void *pt
return true;
}
+#ifdef EXTRA_SERVICES
static bool svcctl_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -733,6 +734,7 @@ static bool svcctl_init_cb(void *ptr)
return true;
}
+#endif
static bool svcctl_shutdown_cb(void *ptr)
{
@@ -741,6 +743,8 @@ static bool svcctl_shutdown_cb(void *ptr
return true;
}
+#ifdef EXTRA_SERVICES
+
static bool ntsvcs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -802,6 +806,7 @@ static bool eventlog_init_cb(void *ptr)
return true;
}
+#endif
static bool initshutdown_init_cb(void *ptr)
{
@@ -1130,6 +1135,7 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef EXTRA_SERVICES
svcctl_cb.init = svcctl_init_cb;
svcctl_cb.shutdown = svcctl_shutdown_cb;
svcctl_cb.private_data = ep_ctx;
@@ -1150,6 +1156,7 @@ bool dcesrv_ep_setup(struct tevent_conte
if (!NT_STATUS_IS_OK(rpc_eventlog_init(&eventlog_cb))) {
return false;
}
+#endif
initshutdown_cb.init = initshutdown_init_cb;
initshutdown_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -140,9 +140,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
- rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+ rpc_ntsvcs_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -637,9 +637,11 @@ static struct cmd_set *rpcclient_command
@@ -640,9 +640,11 @@ static struct cmd_set *rpcclient_command
shutdown_commands,
test_commands,
wkssvc_commands,
@ -94,5 +60,5 @@
eventlog_commands,
+#endif
winreg_commands,
fss_commands,
NULL
};

71
package/network/services/samba36/patches/230-remove_winreg_support.patch
View File

@ -1,65 +1,34 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -409,6 +409,7 @@ static bool epmapper_shutdown_cb(void *p
return true;
}
--- a/source3/rpc_server/rpc_service_setup.c
+++ b/source3/rpc_server/rpc_service_setup.c
@@ -394,10 +394,12 @@ static bool eventlog_init_cb(void *ptr)
talloc_get_type_abort(ptr, struct messaging_context);
bool ok;
+#ifdef WINREG_SUPPORT
static bool winreg_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -456,6 +457,7 @@ static bool winreg_init_cb(void *ptr)
return true;
}
+#endif
static bool srvsvc_init_cb(void *ptr)
{
@@ -710,10 +712,12 @@ static bool svcctl_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = svcctl_init_winreg(ep_ctx->msg_ctx);
ok = eventlog_init_winreg(msg_ctx);
if (!ok) {
return false;
}
+#endif
/* initialize the control hooks */
init_service_op_table();
@@ -785,10 +789,12 @@ static bool eventlog_init_cb(void *ptr)
"epmapper",
"none");
return true;
}
@@ -454,10 +456,12 @@ static bool svcctl_init_cb(void *ptr)
return false;
}
+#ifdef WINREG_SUPPORT
ok = eventlog_init_winreg(ep_ctx->msg_ctx);
ok = rpc_setup_winreg(ev_ctx, msg_ctx);
if (!ok) {
return false;
goto done;
}
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0 ||
StrCaseCmp(rpcsrv_type, "daemon") == 0) {
@@ -1077,12 +1083,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef WINREG_SUPPORT
winreg_cb.init = winreg_init_cb;
winreg_cb.shutdown = NULL;
winreg_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_winreg_init(&winreg_cb))) {
return false;
}
+#endif
srvsvc_cb.init = srvsvc_init_cb;
srvsvc_cb.shutdown = NULL;
ok = rpc_setup_srvsvc(ev_ctx, msg_ctx);
if (!ok) {
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -150,7 +150,9 @@ static void exit_server_common(enum serv
@@ -193,7 +193,9 @@ static void exit_server_common(enum serv
#endif
rpc_srvsvc_shutdown();
@ -71,7 +40,7 @@
rpc_samr_shutdown();
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -112,9 +112,11 @@ static bool initialize_interfaces(void)
@@ -111,9 +111,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
return false;
}
@ -85,7 +54,7 @@
return false;
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -95,9 +95,11 @@ bool init_service_op_table( void )
@@ -96,9 +96,11 @@ bool init_service_op_table( void )
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
@ -134,13 +103,13 @@
return NULL;
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -642,7 +642,9 @@ static struct cmd_set *rpcclient_command
@@ -645,7 +645,9 @@ static struct cmd_set *rpcclient_command
drsuapi_commands,
eventlog_commands,
#endif
+#ifdef WINREG_SUPPORT
winreg_commands,
+#endif
fss_commands,
NULL
};

71
package/network/services/samba36/patches/240-remove_dfs_api.patch
View File

@ -1,71 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -881,6 +881,7 @@ static bool rpcecho_init_cb(void *ptr) {
#endif
+#ifdef DFS_SUPPORT
static bool netdfs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -928,6 +929,7 @@ static bool netdfs_init_cb(void *ptr)
return true;
}
+#endif
#ifdef ACTIVE_DIRECTORY
static bool dssetup_init_cb(void *ptr)
@@ -1173,12 +1175,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef DFS_SUPPORT
netdfs_cb.init = netdfs_init_cb;
netdfs_cb.shutdown = NULL;
netdfs_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netdfs_init(&netdfs_cb))) {
return false;
}
+#endif
#ifdef DEVELOPER
rpcecho_cb.init = rpcecho_init_cb;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -122,9 +122,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef DFS_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
+#endif
#ifdef DEVELOPER
if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -138,7 +138,9 @@ static void exit_server_common(enum serv
#ifdef DEVELOPER
rpc_rpcecho_shutdown();
#endif
+#ifdef DFS_SUPPORT
rpc_netdfs_shutdown();
+#endif
rpc_initshutdown_shutdown();
#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -629,7 +629,9 @@ static struct cmd_set *rpcclient_command
#endif
netlogon_commands,
srvsvc_commands,
+#ifdef DFS_SUPPORT
dfs_commands,
+#endif
#ifdef DEVELOPER
echo_commands,
#endif

213
package/network/services/samba36/patches/250-remove_domain_logon.patch
View File

@ -1,213 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
return true;
}
+#endif
static bool spoolss_init_cb(void *ptr)
{
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
netlogon_cb.shutdown = NULL;
netlogon_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
return false;
}
+#endif
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server",
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
return false;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
rpc_winreg_shutdown();
#endif
+#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
+#endif
rpc_samr_shutdown();
rpc_lsarpc_shutdown();
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
i++;
#endif
+#ifdef NETLOGON_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#endif
#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
NTSTATUS status;
const char *pdc_name;
+#ifndef NETLOGON_SUPPORT
+ return;
+#endif
+
in_addr_to_sockaddr_storage(&ss, p->ip);
pss = iface_ip((struct sockaddr *)&ss);
if (!pss) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
+#ifdef NETLOGON_SUPPORT
netlogon_commands,
+#endif
srvsvc_commands,
#ifdef DFS_SUPPORT
dfs_commands,
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
}
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
NTSTATUS nt_status;
switch (sec_channel_type) {
+#ifdef NETLOGON_SUPPORT
case SEC_CHAN_WKSTA:
case SEC_CHAN_DOMAIN:
break;
+#endif
default:
return NT_STATUS_NOT_SUPPORTED;
}
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
*num_domains = 0;
*sids = NULL;
+#ifndef NETLOGON_SUPPORT
+ return False;
+#endif
+
+
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+#ifndef NETLOGON_SUPPORT
+ return NT_STATUS_UNSUCCESSFUL;
+#endif
+
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
domain));
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
NTSTATUS auth_domain_init(void)
{
+#ifdef NETLOGON_SUPPORT
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
+#endif
return NT_STATUS_OK;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
+#ifdef NETLOGON_SUPPORT
/* Change machine password if neccessary. */
attempt_machine_password_change();
+#endif
/*
* Force a log file check.
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
/*
* for the epmapper and echo interfaces we allow "connect"
* auth_level by default.
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
struct schannel_state);
struct tevent_req *subreq;
+#ifndef NETLOGON_SUPPORT
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+#endif
if (schannel_auth == NULL ||
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
&ndr_table_netlogon.syntax_id)) {

162
package/network/services/samba36/patches/260-remove_samr.patch
View File

@ -1,162 +0,0 @@
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -59,8 +59,11 @@ struct handle_list {
static bool is_samr_lsa_pipe(const struct ndr_syntax_id *syntax)
{
- return (ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id)
- || ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id));
+ return
+#ifdef SAMR_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
+#endif
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -100,9 +100,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef SAMR_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -557,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -605,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#endif
#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
@@ -1111,12 +1113,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
samr_cb.shutdown = NULL;
samr_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_samr_init(&samr_cb))) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -159,7 +159,9 @@ static void exit_server_common(enum serv
#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
#endif
+#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
+#endif
rpc_lsarpc_shutdown();
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -623,7 +623,9 @@ static struct cmd_set *rpcclient_command
rpcclient_commands,
lsarpc_commands,
ds_commands,
+#ifdef SAMR_SUPPORT
samr_commands,
+#endif
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2353,6 +2353,10 @@ static bool api_RNetGroupEnum(struct smb
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2541,6 +2545,10 @@ static bool api_NetUserGetGroups(struct
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
@@ -2741,6 +2749,10 @@ static bool api_RNetUserEnum(struct smbd
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2979,6 +2991,10 @@ static bool api_SamOEMChangePassword(str
int bufsize;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
*rparam_len = 4;
*rparam = smb_realloc_limit(*rparam,*rparam_len);
if (!*rparam) {
@@ -4020,6 +4036,10 @@ static bool api_RNetUserGetInfo(struct s
union samr_UserInfo *info;
struct dcerpc_binding_handle *b = NULL;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -409,6 +409,7 @@ static bool check_bind_req(struct pipes_
context_fns->syntax = *abstract;
context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+#ifdef SAMR_SUPPORT
/*
* for the samr and the lsarpc interfaces we don't allow "connect"
* auth_level by default.
@@ -417,6 +418,7 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#endif
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;

2
package/network/services/samba36/patches/270-remove_registry_backend.patch
View File

@ -30,7 +30,7 @@
"supported by backend");
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1230,8 +1230,10 @@ extern void build_options(bool screen);
@@ -1413,8 +1413,10 @@ extern void build_options(bool screen);
exit(1);
}

25
package/network/services/samba36/patches/280-strip_srvsvc.patch
View File

@ -1,6 +1,6 @@
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2197,6 +2197,10 @@ static bool api_RNetShareAdd(struct smbd
@@ -2199,6 +2199,10 @@ static bool api_RNetShareAdd(struct smbd
struct srvsvc_NetShareInfo2 info2;
struct dcerpc_binding_handle *b;
@ -11,7 +11,7 @@
if (!str1 || !str2 || !p) {
return False;
}
@@ -3589,10 +3593,7 @@ static bool api_RNetServerGetInfo(struct
@@ -3575,10 +3579,7 @@ static bool api_RNetServerGetInfo(struct
NTSTATUS status;
WERROR werr;
TALLOC_CTX *mem_ctx = talloc_tos();
@ -22,13 +22,13 @@
if (!str1 || !str2 || !p) {
return False;
@@ -3655,66 +3656,16 @@ static bool api_RNetServerGetInfo(struct
@@ -3641,66 +3642,16 @@
p = *rdata;
p2 = p + struct_len;
- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
- conn->session_info,
- &conn->sconn->client_id,
- conn->sconn->remote_address,
- conn->sconn->msg_ctx,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
@ -61,10 +61,9 @@
-
if (uLevel != 20) {
- srvstr_push(NULL, 0, p, info.info101->server_name, 16,
+ srvstr_push(NULL, 0, p, global_myname(), 16,
+ srvstr_push(NULL, 0, p, lp_netbios_name(), 16,
STR_ASCII|STR_UPPER|STR_TERMINATE);
- }
+ }
}
p += 16;
if (uLevel > 0) {
- SCVAL(p,0,info.info101->version_major);
@ -88,14 +87,14 @@
- return False;
- }
- }
+ SCVAL(p,0,lp_major_announce_version());
+ SCVAL(p,1,lp_minor_announce_version());
+ SCVAL(p,0,SAMBA_MAJOR_NBT_ANNOUNCE_VERSION);
+ SCVAL(p,1,SAMBA_MINOR_NBT_ANNOUNCE_VERSION);
+ SIVAL(p,2,lp_default_server_announce());
+ SIVAL(p,6,0);
}
if (uLevel > 1) {
@@ -5405,6 +5356,10 @@ static bool api_RNetSessionEnum(struct s
@@ -5393,6 +5344,10 @@ static bool api_RNetSessionEnum(struct s
uint32_t totalentries, resume_handle = 0;
uint32_t count = 0;
@ -108,7 +107,7 @@
}
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -1533,6 +1533,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi
@@ -1445,6 +1445,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi
TALLOC_CTX *ctx = p->mem_ctx;
union srvsvc_NetShareInfo *info = r->in.info;
@ -119,7 +118,7 @@
DEBUG(5,("_srvsvc_NetShareSetInfo: %d\n", __LINE__));
if (!r->in.share_name) {
@@ -1763,6 +1767,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_
@@ -1675,6 +1679,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_
int max_connections = 0;
TALLOC_CTX *ctx = p->mem_ctx;
@ -130,7 +129,7 @@
DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__));
if (r->out.parm_error) {
@@ -1945,6 +1953,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_
@@ -1857,6 +1865,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_
struct share_params *params;
TALLOC_CTX *ctx = p->mem_ctx;

17
package/network/services/samba36/patches/285-remove_desrep_support.patch Normal file
View File

@ -0,0 +1,17 @@
--- a/source3/librpc/rpc/rpc_common.c 2013-02-04 14:33:53.119988894 +0100
+++ b/source3/librpc/rpc/rpc_common.c 2013-02-04 14:35:04.167465045 +0100
@@ -146,12 +146,14 @@
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
+#ifdef DSREP_SERVICES
if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
return false;
}
if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
return false;
}
+#endif
return true;
}

88
package/network/services/samba36/patches/290-remove_lsa.patch
View File

@ -1,88 +0,0 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -92,9 +92,11 @@ bool smb_register_ndr_interface(const st
static bool initialize_interfaces(void)
{
+#ifdef LSA_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
return false;
}
+#endif
#ifdef ACTIVE_DIRECTORY
if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
return false;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -162,7 +162,9 @@ static void exit_server_common(enum serv
#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
#endif
+#ifdef LSA_SUPPORT
rpc_lsarpc_shutdown();
+#endif
}
/*
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -508,6 +508,7 @@ static bool srvsvc_init_cb(void *ptr)
return true;
}
+#ifdef LSA_SUPPORT
static bool lsarpc_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -556,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#endif
#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
@@ -1106,12 +1108,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
+#ifdef LSA_SUPPORT
lsarpc_cb.init = lsarpc_init_cb;
lsarpc_cb.shutdown = NULL;
lsarpc_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_lsarpc_init(&lsarpc_cb))) {
return false;
}
+#endif
#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -63,7 +63,10 @@ static bool is_samr_lsa_pipe(const struc
#ifdef SAMR_SUPPORT
ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
#endif
- ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
+#ifdef LSA_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id) ||
+#endif
+ false;
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -419,10 +419,12 @@ static bool check_bind_req(struct pipes_
context_fns->allow_connect = false;
}
#endif
+#ifdef LSA_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {

22
package/network/services/samba36/patches/300-assert_debug_level.patch
View File

@ -1,11 +1,11 @@
--- a/lib/util/util.h
+++ b/lib/util/util.h
@@ -53,7 +53,7 @@ extern const char *panic_action;
#else
/* redefine the assert macro for non-developer builds */
#define SMB_ASSERT(b) do { if (!(b)) { \
- DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
+ DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \
__FILE__, __LINE__, #b)); }} while (0)
#endif
--- a/lib/util/samba_util.h
+++ b/lib/util/samba_util.h
@@ -48,7 +48,7 @@ extern const char *panic_action;
#define SMB_ASSERT(b) \
do { \
if (!(b)) { \
- DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
+ DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \
__FILE__, __LINE__, #b)); \
smb_panic("assert failed: " #b); \
} \

224
package/network/services/samba36/patches/310-remove_error_strings.patch
View File

@ -1,3 +1,39 @@
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -71,7 +71,11 @@ typedef uint32_t tdb_off_t;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style
* argument. */
+#ifdef VERBOSE_DEBUG
#define TDB_LOG(x) tdb->log.log_fn x
+#else
+#define TDB_LOG(x) do {} while(0)
+#endif
#ifdef TDB_TRACE
void tdb_trace(struct tdb_context *tdb, const char *op);
--- a/source3/script/mkbuildoptions.awk
+++ b/source3/script/mkbuildoptions.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/buildtools/wafsamba/samba_patterns.py 2013-02-03 09:54:04.868467602 +0100
+++ b/buildtools/wafsamba/samba_patterns.py 2013-02-03 09:54:34.608510724 +0100
@@ -88,7 +88,7 @@
fp.write("****************************************************************************/\n")
fp.write("void build_options(bool screen)\n")
fp.write("{\n")
- fp.write(" if ((DEBUGLEVEL < 4) && (!screen)) {\n")
+ fp.write(" if ((DEBUGLEVEL < 4) || (!screen)) {\n")
fp.write(" return;\n")
fp.write(" }\n")
fp.write("\n")
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@@ -28,6 +28,7 @@ struct werror_code_struct {
@ -65,9 +101,9 @@
}
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -663,4 +663,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum
@@ -652,5 +652,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum
const struct timeval *t);
_PUBLIC_ void ndr_print_bool(struct ndr_print *ndr, const char *name, const bool b);
+#ifndef VERBOSE_ERROR
+#define ndr_print_bool(...) do {} while (0)
@ -84,7 +120,7 @@
+#define ndr_print_NTSTATUS(...) do {} while (0)
+#define ndr_print_WERROR(...) do {} while (0)
+#endif
+
#endif /* __LIBNDR_H__ */
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@ -110,7 +146,7 @@
check for data leaks from the server by looking for non-zero pad bytes
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri
@@ -491,6 +491,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri
return NDR_ERR_SUCCESS;
}
@ -151,40 +187,9 @@
return win_errstr(werr);
}
--- a/source3/libsmb/nterr.c
+++ b/source3/libsmb/nterr.c
@@ -702,6 +702,7 @@ const char *nt_errstr(NTSTATUS nt_code)
NT_STATUS_DOS_CODE(nt_code));
}
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -709,6 +710,7 @@ const char *nt_errstr(NTSTATUS nt_code)
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
NT_STATUS_V(nt_code));
@@ -724,12 +726,14 @@ const char *get_friendly_nt_error_msg(NT
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_err_desc[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
return nt_err_desc[idx].nt_errstr;
}
idx++;
}
+#endif
/* fall back to NT_STATUS_XXX string */
@@ -745,6 +749,7 @@ const char *get_nt_error_c_code(NTSTATUS
--- a/libcli/util/nterr.c
+++ b/libcli/util/nterr.c
@@ -860,6 +860,7 @@ const char *nt_errstr(NTSTATUS nt_code)
char *result;
int idx = 0;
@ -192,15 +197,15 @@
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -752,6 +757,7 @@ const char *get_nt_error_c_code(NTSTATUS
@@ -868,6 +869,7 @@ const char *nt_errstr(NTSTATUS nt_code)
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT_STATUS(0x%08x)",
result = talloc_asprintf(mem_ctx, "NT_STATUS(0x%08x)",
NT_STATUS_V(nt_code));
@@ -767,12 +773,14 @@ NTSTATUS nt_status_string_to_code(const
@@ -882,12 +884,14 @@ NTSTATUS nt_status_string_to_code(const
{
int idx = 0;
@ -215,123 +220,34 @@
return NT_STATUS_UNSUCCESSFUL;
}
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -69,7 +69,11 @@ typedef uint32_t tdb_off_t;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style
* argument. */
+#ifdef VERBOSE_DEBUG
#define TDB_LOG(x) tdb->log.log_fn x
+#else
+#define TDB_LOG(x) do {} while(0)
@@ -927,6 +931,7 @@ const char *get_nt_error_c_code(NTSTATUS
int idx = 0;
char *result;
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -946,6 +951,7 @@ const char *get_nt_error_c_code(NTSTATUS
snprintf(msg, sizeof(msg), "NT code 0x%08x", NT_STATUS_V(nt_code));
return msg;
}
+#endif
#ifdef TDB_TRACE
void tdb_trace(struct tdb_context *tdb, const char *op);
--- a/source3/script/mkbuildoptions.awk
+++ b/source3/script/mkbuildoptions.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/script/mkbuildoptions-waf.awk
+++ b/source3/script/mkbuildoptions-waf.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -445,7 +445,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
NT_STATUS_V(nt_code));
@@ -961,12 +967,14 @@ const char *get_friendly_nt_error_msg(NT
{
int idx = 0;
@@ -466,7 +465,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
+#ifdef VERBOSE_ERROR
while (nt_err_desc[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
return nt_err_desc[idx].nt_errstr;
}
@@ -486,7 +484,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -508,7 +505,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -526,7 +522,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -570,7 +565,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
idx++;
}
+#endif
@@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err;
}
/* fall back to NT_STATUS_XXX string */
@@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
set_incoming_fault(p);
return false;
}

8854
package/network/services/samba36/patches/330-librpc_default_print.patch
View File

File diff suppressed because it is too large Load Diff

20
package/network/services/samba36/patches/390-remove-auth-winbind.patch Normal file
View File

@ -0,0 +1,20 @@
--- a/source3/auth/auth.c 2013-02-11 22:09:08.516106878 +0100
+++ b/source3/auth/auth.c 2013-02-11 22:09:55.158449459 +0100
@@ -449,7 +449,7 @@
case ROLE_DOMAIN_MEMBER:
DEBUG(5,("Making default auth method list for server role = 'domain member'\n"));
auth_method_list = str_list_make_v3(
- talloc_tos(), "guest sam winbind:ntdomain",
+ talloc_tos(), "guest sam",
NULL);
break;
case ROLE_DOMAIN_BDC:
@@ -457,7 +457,7 @@
DEBUG(5,("Making default auth method list for DC\n"));
auth_method_list = str_list_make_v3(
talloc_tos(),
- "guest sam winbind:trustdomain",
+ "guest sam",
NULL);
break;
case ROLE_STANDALONE:

76
package/network/services/samba36/patches/800-ldap-sasl.patch Normal file
View File

@ -0,0 +1,76 @@
--- a/source3/lib/smbldap.c
+++ b/source3/lib/smbldap.c
@@ -876,7 +876,15 @@
Could we get a referral to a machine that we don't want to give our
username and password to? */
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ if (ldap_state->bind_secret)
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ else {
+ struct berval *servercredp=NULL;
+
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", NULL, NULL, NULL, &servercredp);
+ if (rc == LDAP_SASL_BIND_IN_PROGRESS)
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", servercredp, NULL, NULL, &servercredp);
+ }
/* only set the last rebind timestamp when we did rebind after a
* non-read LDAP operation. That way we avoid the replication sleep
@@ -983,7 +991,15 @@
rc = ldap_state->bind_callback(ldap_struct, ldap_state, ldap_state->bind_callback_data);
unbecome_root();
} else {
- rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ if (ldap_state->bind_secret)
+ rc = ldap_simple_bind_s(ldap_struct, ldap_state->bind_dn, ldap_state->bind_secret);
+ else {
+ struct berval *servercredp=NULL;
+
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", NULL, NULL, NULL, &servercredp);
+ if (rc == LDAP_SASL_BIND_IN_PROGRESS)
+ rc = ldap_sasl_bind_s(ldap_struct, NULL, "EXTERNAL", servercredp, NULL, NULL, &servercredp);
+ }
}
if (rc != LDAP_SUCCESS) {
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -6451,16 +6451,21 @@
}
if (!fetch_ldap_pw(&bind_dn, &bind_secret)) {
- DEBUG(0, ("pdb_init_ldapsam_common: Failed to retrieve LDAP password from secrets.tdb\n"));
- return NT_STATUS_NO_MEMORY;
+ DEBUG(1, ("pdb_init_ldapsam_common: Failed to retrieve password from secrets.tdb. Switching to SASL\n"));
}
nt_status = smbldap_init(*pdb_method, pdb_get_tevent_context(),
location, false, bind_dn, bind_secret,
&ldap_state->smbldap_state);
- memset(bind_secret, '\0', strlen(bind_secret));
- SAFE_FREE(bind_secret);
- SAFE_FREE(bind_dn);
+
+ if (bind_secret) {
+ memset(bind_secret, '\0', strlen(bind_secret));
+ SAFE_FREE(bind_secret);
+ }
+
+ if (bind_dn)
+ SAFE_FREE(bind_dn);
+
if ( !NT_STATUS_IS_OK(nt_status) ) {
return nt_status;
}
--- a/source3/passdb/secrets.c 2012-08-18 01:59:39.251910842 +0200
+++ b/source3/passdb/secrets.c 2012-08-18 01:59:51.348560121 +0200
@@ -363,7 +363,7 @@
data=(char *)secrets_fetch(old_style_key, &size);
if ((data == NULL) || (size < sizeof(old_style_pw))) {
- DEBUG(0,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
+ DEBUG(1,("fetch_ldap_pw: neither ldap secret retrieved!\n"));
SAFE_FREE(old_style_key);
SAFE_FREE(*dn);
SAFE_FREE(data);

77
package/network/services/samba36/patches/810-ldap-determine-suffix-automatically.patch Normal file
View File

@ -0,0 +1,77 @@
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5508,3 +5508,17 @@
return lp_find_security(lp__server_role(),
lp__security());
}
+
+bool lp_ldap_suffix_initial()
+{
+ if (Globals.szLdapSuffix == NULL)
+ return true;
+ if (strlen(Globals.szLdapSuffix) == 0)
+ return true;
+ return false;
+}
+
+void lp_set_ldap_suffix(const char *suffix)
+{
+ string_set(&Globals.szLdapSuffix, suffix);
+}
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1486,6 +1486,8 @@
void widelinks_warning(int snum);
const char *lp_ncalrpc_dir(void);
void _lp_set_server_role(int server_role);
+bool lp_ldap_suffix_initial();
+void lp_set_ldap_suffix(const char *suffix);
/* The following definitions come from param/loadparm_ctx.c */
--- a/source3/passdb/pdb_ldap_util.c
+++ b/source3/passdb/pdb_ldap_util.c
@@ -247,6 +247,34 @@
}
/**********************************************************************
+ Autodetermine LDAP suffix
+ **********************************************************************/
+void find_ldap_suffix(struct smbldap_state *ldap_state)
+{
+ const char *namingCtx[] = { "namingContexts", NULL };
+ LDAPMessage *entry = NULL, *result = NULL;
+ int rc;
+
+ if (!lp_ldap_suffix_initial())
+ return;
+
+ rc = smbldap_search(ldap_state, "", LDAP_SCOPE_BASE, "(objectClass=*)", namingCtx, 0, &result);
+ if (rc != LDAP_SUCCESS)
+ return;
+
+ entry = ldap_first_entry(ldap_state->ldap_struct, result);
+ if (entry) {
+ char **values = NULL;
+ values = ldap_get_values(ldap_state->ldap_struct, entry, namingCtx[0]);
+ if (values) {
+ lp_set_ldap_suffix(values[0]);
+ ldap_value_free(values);
+ }
+ }
+ ldap_msgfree(result);
+}
+
+/**********************************************************************
Search for the domain info entry
*********************************************************************/
@@ -261,6 +289,8 @@
int count;
char *escape_domain_name;
+ find_ldap_suffix(ldap_state);
+
escape_domain_name = escape_ldap_string(talloc_tos(), domain_name);
if (!escape_domain_name) {
DEBUG(0, ("Out of memory!\n"));