pktsurf/smlinux
1
1
Fork 0
Code Issues 1 Pull requests Wiki Activity

Moved vim from base to extra

Browse source 
Added xscreensaver in extra
Added elinks to net
Removed samba3 and renamed samba4 as samba in net
Updated base, extra and net build lists
This commit is contained in:
PktSurf 2022-03-05 15:02:14 +05:30
parent dad54926e5
commit 7ab82ed463
58 changed files with 132 additions and 36343 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
base/.buildlist.base
View file

@ -44,7 +44,6 @@ argp-standalone
bison
flex
less
vim
bash
bash-completion
tree

2
extra/.buildlist.extra
View file

@ -48,3 +48,5 @@ calcurse
florence
micro-tetris
cmatrix
vim
xscreensaver

0
base/vim/vim.SMBuild → extra/vim/vim.SMBuild
View file

10
extra/xscreensaver/LICENSE Normal file
View file

@ -0,0 +1,10 @@
/* xscreensaver, Copyright (c) 1991-2013 Jamie Zawinski <jwz@jwz.org>
*
* Permission to use, copy, modify, distribute, and sell this software and its
* documentation for any purpose is hereby granted without fee, provided that
* the above copyright notice appear in all copies and that both that
* copyright notice and this permission notice appear in supporting
* documentation. No representations are made about the suitability of this
* software for any purpose. It is provided "as is" without express or
* implied warranty.
*/

45
extra/xscreensaver/xscreensaver.SMBuild Executable file
View file

@ -0,0 +1,45 @@
app=xscreensaver
version=6.03
build=1sml
homepage="https://www.jwz.org/xscreensaver/"
download="https://www.jwz.org/xscreensaver/xscreensaver-6.03.tar.gz"
desc="Screensaver for Xorg"
requires="gtk2 gdk-pixbuf"
build() {
mkandenterbuilddir
rm -rf $app-$version
tar xf $srcdir/$app-$version.tar.?z*
cd $app-$version
fixbuilddirpermissions
./configure \
--prefix="/" \
--sysconfdir=/etc \
--localstatedir=/var \
--libexecdir=/lib \
--with-login-manager \
--with-gtk \
--with-gl \
--without-gle \
--with-pixbuf \
--with-jpeg \
--without-pam \
--without-kerberos \
--without-elogind \
--without-systemd \
--with-shadow \
--with-app-defaults="/share/X11/app-defaults"
make
make install install_prefix="$pkg"
cp $srcdir/LICENSE $pkgdocs/
mkfinalpkg
}
sha512sums="
4aa30824c972a73dc09aeba478cad074f273839a4c7641cddd292da38fc75db10a3f6243cbe8619c5e39cad54c27d33e1e271dfed167458faa7747fb0a090630 xscreensaver-6.03.tar.gz
"

5
net/.buildlist.net
View file

@ -54,7 +54,6 @@ proftpd
libmicrohttpd
motion
comgt
samba3
cifs-utils
dnsmasq
unbound
@ -81,7 +80,7 @@ poppler
poppler-data
evince
cups-filters
samba4
samba
rpcbind
nfs-utils
net-snmp
@ -102,3 +101,5 @@ ipset
rrdtool
php
traceroute
mariadb
elinks

40
net/elinks/elinks.SMBuild Executable file
View file

@ -0,0 +1,40 @@
app=elinks
version=0.15.0
build=1sml
homepage="https://github.com/rkd77/elinks"
download="https://github.com/rkd77/elinks/archive/refs/tags/v0.15.0.tar.gz"
desc="Full-featured text-mode web browser"
requires="libidn expat zstd openssl lua53"
build() {
mkandenterbuilddir
rm -rf $app-$version
tar xf $srcdir/$app-$version.tar.?z*
cd $app-$version
fixbuilddirpermissions
./autogen.sh
./configure \
--prefix="" \
--sysconfdir=/etc \
--enable-cgi \
--disable-smb \
--without-x \
--enable-html-highlight \
--with-zlib \
--with-luapkg=lua53 \
$builddist
make
make install DESTDIR=$pkg
cp COPYING $pkgdocs/
mkfinalpkg
}
sha512sums="
e54f8ffe20577d7b82498ddeeb1fe3b10c3e4c88e01a84ea70fbf0f4689e0b44b7c7f17fe8a439ec2bb1fba817acfef9a47f2c93a55bf90af4018ac81f674c17 elinks-0.15.0.tar.gz
"

0
net/samba4/add_missing___compar_fn_t.patch → net/samba/add_missing___compar_fn_t.patch
View file

0
net/samba3/doinst.sh → net/samba/doinst.sh
View file

0
net/samba4/getpwent_r.patch → net/samba/getpwent_r.patch
View file

0
net/samba4/missing-headers.patch → net/samba/missing-headers.patch
View file

0
net/samba4/musl_rm_unistd_incl.patch → net/samba/musl_rm_unistd_incl.patch
View file

0
net/samba4/musl_uintptr.patch → net/samba/musl_uintptr.patch
View file

0
net/samba4/netapp.patch → net/samba/netapp.patch
View file

0
net/samba4/netdb-defines.patch → net/samba/netdb-defines.patch
View file

0
net/samba3/nmbd.run → net/samba/nmbd.run
View file

0
net/samba4/pidl.patch → net/samba/pidl.patch
View file

13
net/samba/samba-bgqd-include-signal-h.patch Normal file
View file

@ -0,0 +1,13 @@
SIGTERM and SIGPIPE are used but undefined.
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index 8ac6ec5..09a5d12 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -41,6 +41,7 @@
#include "source3/auth/proto.h"
#include "source3/printing/queue_process.h"
#include "source3/lib/substitute.h"
+#include <signal.h>
static void watch_handler(struct tevent_req *req)
{

30
net/samba4/samba4.SMBuild → net/samba/samba.SMBuild
View file

@ -1,18 +1,17 @@
app=samba4
version=4.12.7
build=2sml
app=samba
version=4.15.5
build=1sml
homepage="https://www.samba.org"
download="https://download.samba.org/pub/samba/stable/samba-4.12.7.tar.gz"
download="https://download.samba.org/pub/samba/stable/samba-4.15.5.tar.gz"
desc="CIFS file and print server, version 4"
requires="acl attr netbsd-curses readline libcap tar db popt libaio perl-modules"
sm_noautoconfsite=1
build() {
mkandenterbuilddir
rm -rf samba-$version
rm -rf $app-$version
tar xf $srcdir/samba-$version.tar.?z*
cd samba-$version
tar xf $srcdir/$app-$version.tar.?z*
cd $app-$version
fixbuilddirpermissions
applypatch $srcdir/add_missing___compar_fn_t.patch
@ -24,13 +23,19 @@ build() {
applypatch $srcdir/netdb-defines.patch
applypatch $srcdir/tevent.patch
applypatch $srcdir/pidl.patch
applypatch $srcdir/samba-bgqd-include-signal-h.patch
# Samba doesn't like our C/CXXFLAGS
unset CFLAGS CXXFLAGS
# samba doesn't like ccache either, it seems...
SAMBAJOBS="$(echo $MAKEFLAGS | sed 's@-j@@')"
# Enabling quotas results in "[2022/03/05 14:15:09.123806, 0] ../../source3/lib/sysquotas.c:566(sys_get_quota)
# sys_path_to_bdev() failed for path [.]!
# in logs, so disable them
# https://codeberg.org/davidak/nixos-config/issues/5
# https://lists.samba.org/archive/samba/2010-October/158650.html
./configure \
--prefix="/" \
--bindir=/bin \
@ -54,6 +59,7 @@ build() {
--disable-rpath-install \
--disable-python \
--without-regedit \
--without-quotas \
--jobs="$SAMBAJOBS"
make
@ -61,6 +67,8 @@ build() {
cp COPYING $pkgdocs/
cp examples/smb.conf.default $pkg/etc/samba/smb.conf.new
rmdir $pkg/bind-dns
preprunitservice smbd down
@ -70,7 +78,7 @@ build() {
}
sha512sums="
5afb1f24b029e665bb4f6bd7b7cf915243476b09b304942b2105586fa99adc6a19b46b4753ca116e230e5bb7b82e011fbe296c62bc70a8a897e56aece55a7f0b samba-4.12.7.tar.gz
808e0f15931bab18a1e36298528a01a1250efaef9f99508dd620d6936dd4a2fc3ccc64ab9dcc94bd73460697d16d6ca0652ccbcdbe1644ffedce0137d796d3ca samba-4.15.5.tar.gz
bc2df70e327fea5dfbd923600225f1448815d842c37d6937dd74eab7f7699d7f52cd7a8e28a61233974649cf86661a0107dce5019d33b71205e4b41bac73f4e2 add_missing___compar_fn_t.patch
58de5e79fdfd06e828d478e112d581d333a8bee88d2602b92204d780f0d707b27dd84f8e2e6b00fca40da81c8fe99aa5bcec70d8b393d3a0a83199c72a4aa48b getpwent_r.patch
c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch
@ -79,6 +87,6 @@ b7906d66fe55a980a54161ee3f311b51bcbce76b8d4c8cc1ba6d0c5bdf98232cb192b9d2c1aa7b3e
3b4759dfcf6ec54f2131390c9eb7fd7dd23071e304905cdeaf7a9828fa888cb3dcb5c5bb6a07a634c51d0392ac47f6e22b937faf4354e3b07cfc0de7fdfa28e9 netapp.patch
1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
c0bbe1186b150a9bb2a0b741a8cfbd7a5109e5fed1eaa07aaa38cf026ebe054d38cc01e2496f0cab7b40f743e1b7ecfbf8a4d5820810226c4152021df65f36dc pidl.patch
e98fd19f65d954f04f7e3b5be86e9c4bcc9ac090c40037de77bfeb266617747c514aeb42f3daf84113b2f3374480d25e368bc1fdebc1870458eda12329d2062e samba-bgqd-include-signal-h.patch
e7441d4692c354ff265ec5b5666ebd8c02762cffd805b4af6fdcb405e9b7641e195d068b60bb0ed1ffada4db4db84492db598efd37d0a27d66b5b4c923891891 tevent.patch
c5fd6e4dff48b45368c3f7a8be55a431050adb2faf56348ab9ecb476b52896f28dc49f750541247d7fa2b8ce4a19f41045d9bcfdb3768f08b7e79ec2a606a0f5 tevent.h
"

0
net/samba3/smb.conf.default → net/samba/smb.conf.default
View file

0
net/samba3/smbd.run → net/samba/smbd.run
View file

0
net/samba4/tevent.patch → net/samba/tevent.patch
View file

39
net/samba3/010-patch-cve-2015-5252.patch
View file

@ -1,39 +0,0 @@
From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 9 Jul 2015 10:58:11 -0700
Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
access outside the share).
Ensure matching component ends in '/' or '\0'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
source3/smbd/vfs.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/source3/smbd/vfs.c
+++ b/source3/smbd/vfs.c
@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_s
if (!allow_widelinks || !allow_symlinks) {
const char *conn_rootdir;
size_t rootdir_len;
+ bool matched;
conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
if (conn_rootdir == NULL) {
@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_s
}
rootdir_len = strlen(conn_rootdir);
- if (strncmp(conn_rootdir, resolved_name,
- rootdir_len) != 0) {
+ matched = (strncmp(conn_rootdir, resolved_name,
+ rootdir_len) == 0);
+ if (!matched || (resolved_name[rootdir_len] != '/' &&
+ resolved_name[rootdir_len] != '\0')) {
DEBUG(2, ("check_reduced_name: Bad access "
"attempt: %s is a symlink outside the "
"share path\n", fname));

88
net/samba3/011-patch-cve-2015-5296.patch
View file

@ -1,88 +0,0 @@
From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clidfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -98,6 +98,11 @@ static struct cli_state *do_connect(TALL
const char *username;
const char *password;
NTSTATUS status;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+
+ if (force_encrypt) {
+ signing_state = Required;
+ }
/* make a copy so we don't modify the global string 'service' */
servicename = talloc_strdup(ctx,share);
@@ -132,7 +137,7 @@ static struct cli_state *do_connect(TALL
zero_sockaddr(&ss);
/* have to open a new connection */
- c = cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info));
+ c = cli_initialise_ex(signing_state);
if (c == NULL) {
d_printf("Connection to %s failed\n", server_n);
return NULL;
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -258,6 +258,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
const char *username_used;
NTSTATUS status;
char *newserver, *newshare;
+ int signing_state = Undefined;
zero_sockaddr(&ss);
ZERO_STRUCT(c);
@@ -404,8 +405,12 @@ again:
zero_sockaddr(&ss);
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
+
/* have to open a new connection */
- if ((c = cli_initialise()) == NULL) {
+ if ((c = cli_initialise_ex(signing_state)) == NULL) {
errno = ENOMEM;
return NULL;
}
@@ -750,6 +755,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
+ int signing_state = Undefined;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
@@ -771,6 +777,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = Required;
+ }
zero_sockaddr(&ss);
nt_status = cli_full_connection(&ipc_cli,
@@ -780,7 +789,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
*pp_workgroup,
*pp_password,
flags,
- Undefined);
+ signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));

93
net/samba3/012-patch-cve-2015-5299.patch
View file

@ -1,93 +0,0 @@
From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 23 Oct 2015 14:54:31 -0700
Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
snapdir
Fix originally from <partha@exablox.com>
https://bugzilla.samba.org/show_bug.cgi?id=11529
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
---
source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -21,6 +21,8 @@
#include "includes.h"
#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "../libcli/security/security.h"
#include "system/filesys.h"
#include "ntioctl.h"
@@ -764,6 +766,43 @@ static int shadow_copy2_mkdir(vfs_handle
SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
}
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+ const char *path)
+{
+ struct smb_filename smb_fname;
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted = 0;
+
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = talloc_asprintf(talloc_tos(),
+ "%s",
+ path);
+ if (smb_fname.base_name == NULL) {
+ return false;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+
+ status = smbd_check_open_rights(handle->conn,
+ &smb_fname,
+ SEC_DIR_LIST,
+ &access_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("user does not have list permission "
+ "on snapdir %s\n",
+ smb_fname.base_name));
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+ TALLOC_FREE(smb_fname.base_name);
+ return true;
+}
+
static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname)
{
SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
@@ -877,6 +916,7 @@ static int shadow_copy2_get_shadow_copy2
SMB_STRUCT_DIRENT *d;
TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
char *snapshot;
+ bool ret;
snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
if (snapdir == NULL) {
@@ -886,6 +926,13 @@ static int shadow_copy2_get_shadow_copy2
talloc_free(tmp_ctx);
return -1;
}
+ ret = check_access_snapdir(handle, snapdir);
+ if (!ret) {
+ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
+ errno = EACCES;
+ talloc_free(tmp_ctx);
+ return -1;
+ }
p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);

172
net/samba3/015-patch-cve-2015-7560.patch
View file

@ -1,172 +0,0 @@
From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 5 Jan 2016 11:18:12 -0800
Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
that can be used to prevent operations on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
---
source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
--- a/source3/smbd/trans2.c
+++ b/source3/smbd/trans2.c
@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2
files_struct *fsp,
const SMB_STRUCT_STAT *psbuf);
+/****************************************************************************
+ Check if an open file handle or pathname is a symlink.
+****************************************************************************/
+
+static NTSTATUS refuse_symlink(connection_struct *conn,
+ const files_struct *fsp,
+ const char *name)
+{
+ SMB_STRUCT_STAT sbuf;
+ const SMB_STRUCT_STAT *pst = NULL;
+
+ if (fsp) {
+ pst = &fsp->fsp_name->st;
+ } else {
+ int ret = vfs_stat_smb_fname(conn,
+ name,
+ &sbuf);
+ if (ret == -1) {
+ return map_nt_error_from_unix(errno);
+ }
+ pst = &sbuf;
+ }
+ if (S_ISLNK(pst->st_ex_mode)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ return NT_STATUS_OK;
+}
+
/********************************************************************
Roundup a value to the nearest allocation roundup size boundary.
Only do this for Windows clients.
@@ -181,12 +209,22 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
char **names, **tmp;
size_t num_names;
ssize_t sizeret = -1;
+ NTSTATUS status;
+
+ if (pnames) {
+ *pnames = NULL;
+ }
+ *pnum_names = 0;
if (!lp_ea_support(SNUM(conn))) {
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
+ return NT_STATUS_OK;
+ }
+
+ status = refuse_symlink(conn, fsp, fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Just return no EA's on a symlink.
+ */
return NT_STATUS_OK;
}
@@ -236,10 +274,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_C
if (sizeret == 0) {
TALLOC_FREE(names);
- if (pnames) {
- *pnames = NULL;
- }
- *pnum_names = 0;
return NT_STATUS_OK;
}
@@ -550,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn,
const struct smb_filename *smb_fname, struct ea_list *ea_list)
{
char *fname = NULL;
+ NTSTATUS status;
if (!lp_ea_support(SNUM(conn))) {
return NT_STATUS_EAS_NOT_SUPPORTED;
@@ -559,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn,
return NT_STATUS_ACCESS_DENIED;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+
/* For now setting EAs on streams isn't supported. */
fname = smb_fname->base_name;
@@ -4931,6 +4972,13 @@ NTSTATUS smbd_do_qfilepathinfo(connectio
uint16 num_file_acls = 0;
uint16 num_def_acls = 0;
+ status = refuse_symlink(conn,
+ fsp,
+ smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
if (fsp && fsp->fh->fd != -1) {
file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
} else {
@@ -6452,6 +6500,7 @@ static NTSTATUS smb_set_posix_acl(connec
uint16 num_def_acls;
bool valid_file_acls = True;
bool valid_def_acls = True;
+ NTSTATUS status;
if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
return NT_STATUS_INVALID_PARAMETER;
@@ -6479,6 +6528,11 @@ static NTSTATUS smb_set_posix_acl(connec
return NT_STATUS_INVALID_PARAMETER;
}
+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
(unsigned int)num_file_acls,
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struc
return NT_STATUS_OK;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL set on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (psd->owner_sid == NULL) {
security_info_sent &= ~SECINFO_OWNER;
}
@@ -1925,6 +1931,12 @@ NTSTATUS smbd_do_query_security_desc(con
return NT_STATUS_ACCESS_DENIED;
}
+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
+ DEBUG(10, ("ACL get on symlink %s denied.\n",
+ fsp_str_dbg(fsp)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
SECINFO_GROUP|SECINFO_SACL)) {
/* Don't return SECINFO_LABEL if anything else was

6824
net/samba3/020-CVE-preparation-v3-6.patch
View file

File diff suppressed because it is too large Load diff

9515
net/samba3/021-CVE-preparation-v3-6-addition.patch
View file

File diff suppressed because it is too large Load diff

1791
net/samba3/022-CVE-2015-5370-v3-6.patch
View file

File diff suppressed because it is too large Load diff

255
net/samba3/023-CVE-2016-2110-v3-6.patch
View file

@ -1,255 +0,0 @@
From 202d69267c8550b850438877fb51c3d2c992949d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 1 Dec 2015 08:46:45 +0100
Subject: [PATCH 01/10] CVE-2016-2110: s3:ntlmssp: set and use
ntlmssp_state->allow_lm_key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
---
source3/libsmb/ntlmssp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -176,17 +176,19 @@ void ntlmssp_want_feature_list(struct nt
* also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
*/
if (in_list("NTLMSSP_FEATURE_SESSION_KEY", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (in_list("NTLMSSP_FEATURE_SIGN", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if(in_list("NTLMSSP_FEATURE_SEAL", feature_list, True)) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (in_list("NTLMSSP_FEATURE_CCACHE", feature_list, true)) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -199,17 +201,20 @@ void ntlmssp_want_feature(struct ntlmssp
{
/* As per JRA's comment above */
if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (feature & NTLMSSP_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
if (feature & NTLMSSP_FEATURE_CCACHE) {
ntlmssp_state->use_ccache = true;
}
+
+ ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
}
/**
@@ -387,7 +392,12 @@ static NTSTATUS ntlmssp_client_initial(s
}
if (ntlmssp_state->use_ntlmv2) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ ntlmssp_state->allow_lm_key = false;
+ }
+
+ if (ntlmssp_state->allow_lm_key) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
/* generate the ntlmssp negotiate packet */
@@ -422,6 +432,86 @@ static NTSTATUS ntlmssp_client_initial(s
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS ntlmssp3_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
+ uint32_t flags)
+{
+ uint32_t missing_flags = ntlmssp_state->required_flags;
+
+ if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = true;
+ } else {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_UNICODE;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_OEM;
+ ntlmssp_state->unicode = false;
+ }
+
+ /*
+ * NTLMSSP_NEGOTIATE_NTLM2 (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ * has priority over NTLMSSP_NEGOTIATE_LM_KEY
+ */
+ if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_LM_KEY)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_LM_KEY;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_128)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_128;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_56)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_56;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_KEY_EXCH)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ }
+
+ if (!(flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+
+ if ((flags & NTLMSSP_REQUEST_TARGET)) {
+ ntlmssp_state->neg_flags |= NTLMSSP_REQUEST_TARGET;
+ }
+
+ missing_flags &= ~ntlmssp_state->neg_flags;
+ if (missing_flags != 0) {
+ NTSTATUS status = NT_STATUS_RPC_SEC_PKG_ERROR;
+ DEBUG(1, ("%s: Got challenge flags[0x%08x] "
+ "- possible downgrade detected! "
+ "missing_flags[0x%08x] - %s\n",
+ __func__,
+ (unsigned)flags,
+ (unsigned)missing_flags,
+ nt_errstr(status)));
+ debug_ntlmssp_flags(missing_flags);
+ DEBUGADD(4, ("neg_flags[0x%08x]\n",
+ (unsigned)ntlmssp_state->neg_flags));
+ debug_ntlmssp_flags(ntlmssp_state->neg_flags);
+
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
/**
* Next state function for the Challenge Packet. Generate an auth packet.
*
@@ -448,6 +538,26 @@ static NTSTATUS ntlmssp_client_challenge
DATA_BLOB encrypted_session_key = data_blob_null;
NTSTATUS nt_status = NT_STATUS_OK;
+ if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
+ "NTLMSSP",
+ &ntlmssp_command,
+ &server_domain_blob,
+ &chal_flags)) {
+ DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
+ dump_data(2, reply.data, reply.length);
+
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ data_blob_free(&server_domain_blob);
+
+ DEBUG(3, ("Got challenge flags:\n"));
+ debug_ntlmssp_flags(chal_flags);
+
+ nt_status = ntlmssp3_handle_neg_flags(ntlmssp_state, chal_flags);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
if (ntlmssp_state->use_ccache) {
struct wbcCredentialCacheParams params;
struct wbcCredentialCacheInfo *info = NULL;
@@ -498,17 +608,6 @@ static NTSTATUS ntlmssp_client_challenge
noccache:
- if (!msrpc_parse(ntlmssp_state, &reply, "CdBd",
- "NTLMSSP",
- &ntlmssp_command,
- &server_domain_blob,
- &chal_flags)) {
- DEBUG(1, ("Failed to parse the NTLMSSP Challenge: (#1)\n"));
- dump_data(2, reply.data, reply.length);
-
- return NT_STATUS_INVALID_PARAMETER;
- }
-
if (DEBUGLEVEL >= 10) {
struct CHALLENGE_MESSAGE *challenge = talloc(
talloc_tos(), struct CHALLENGE_MESSAGE);
@@ -525,13 +624,6 @@ noccache:
}
}
- data_blob_free(&server_domain_blob);
-
- DEBUG(3, ("Got challenge flags:\n"));
- debug_ntlmssp_flags(chal_flags);
-
- ntlmssp_handle_neg_flags(ntlmssp_state, chal_flags, lp_client_lanman_auth());
-
if (ntlmssp_state->unicode) {
if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
chal_parse_string = "CdUdbddB";
@@ -769,6 +861,7 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
ntlmssp_state->unicode = True;
ntlmssp_state->use_ntlmv2 = use_ntlmv2;
+ ntlmssp_state->allow_lm_key = lp_client_lanman_auth();
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
@@ -780,6 +873,10 @@ NTSTATUS ntlmssp_client_start(TALLOC_CTX
NTLMSSP_NEGOTIATE_KEY_EXCH |
NTLMSSP_REQUEST_TARGET;
+ if (ntlmssp_state->use_ntlmv2) {
+ ntlmssp_state->allow_lm_key = false;
+ }
+
ntlmssp_state->client.netbios_name = talloc_strdup(ntlmssp_state, netbios_name);
if (!ntlmssp_state->client.netbios_name) {
talloc_free(ntlmssp_state);
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -83,6 +83,7 @@ struct ntlmssp_state
DATA_BLOB nt_resp;
DATA_BLOB session_key;
+ uint32_t required_flags;
uint32_t neg_flags; /* the current state of negotiation with the NTLMSSP partner */
/**

681
net/samba3/024-CVE-2016-2111-v3-6.patch
View file

@ -1,681 +0,0 @@
From ee105156fa151ebfd34b8febc2928e144b3b7b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Sat, 26 Sep 2015 01:29:10 +0200
Subject: [PATCH 01/15] CVE-2016-2111: s3:rpc_server/netlogon: always go
through netr_creds_server_step_check()
The ensures we apply the "server schannel = yes" restrictions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11749
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1508,6 +1508,7 @@ static NTSTATUS _netr_LogonSamLogon_base
case NetlogonNetworkTransitiveInformation:
{
const char *wksname = nt_workstation;
+ const char *workgroup = lp_workgroup();
status = make_auth_context_fixed(talloc_tos(), &auth_context,
logon->network->challenge);
@@ -1532,6 +1533,14 @@ static NTSTATUS _netr_LogonSamLogon_base
logon->network->nt.length)) {
status = NT_STATUS_NO_MEMORY;
}
+
+ if (NT_STATUS_IS_OK(status)) {
+ status = NTLMv2_RESPONSE_verify_netlogon_creds(
+ user_info->client.account_name,
+ user_info->client.domain_name,
+ user_info->password.response.nt,
+ creds, workgroup);
+ }
break;
}
case NetlogonInteractiveInformation:
@@ -1636,6 +1645,14 @@ static NTSTATUS _netr_LogonSamLogon_base
r->out.validation->sam3);
break;
case 6:
+ /* Only allow this if the pipe is protected. */
+ if (p->auth.auth_level < DCERPC_AUTH_LEVEL_PRIVACY) {
+ DEBUG(0,("netr_Validation6: client %s not using privacy for netlogon\n",
+ get_remote_machine_name()));
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+ }
+
status = serverinfo_to_SamInfo6(server_info, pipe_session_key, 16,
r->out.validation->sam6);
break;
@@ -2271,11 +2288,13 @@ NTSTATUS _netr_GetForestTrustInformation
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2371,11 +2390,13 @@ NTSTATUS _netr_ServerGetTrustInfo(struct
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
- r->in.computer_name,
- r->in.credential,
- r->out.return_authenticator,
- &creds);
+ become_root();
+ status = netr_creds_server_step_check(p, p->mem_ctx,
+ r->in.computer_name,
+ r->in.credential,
+ r->out.return_authenticator,
+ &creds);
+ unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1122,8 +1122,8 @@ static bool schan(struct torture_context
generate_random_buffer(chal.data, chal.length);
names_blob = NTLMv2_generate_names_blob(
mem_ctx,
- cli_credentials_get_workstation(user_creds),
- cli_credentials_get_domain(user_creds));
+ cli_credentials_get_workstation(wks_creds),
+ cli_credentials_get_domain(wks_creds));
status = cli_credentials_get_ntlm_response(
user_creds, mem_ctx, &flags, chal, names_blob,
&lm_resp, &nt_resp, NULL, NULL);
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -139,6 +139,11 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
const DATA_BLOB *names_blob,
DATA_BLOB *lm_response, DATA_BLOB *nt_response,
DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup);
/***********************************************************
encode a password buffer with a unicode password. The buffer
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -26,7 +26,7 @@
#include "../libcli/auth/msrpc_parse.h"
#include "../lib/crypto/crypto.h"
#include "../libcli/auth/libcli_auth.h"
-#include "../librpc/gen_ndr/ntlmssp.h"
+#include "../librpc/gen_ndr/ndr_ntlmssp.h"
void SMBencrypt_hash(const uint8_t lm_hash[16], const uint8_t *c8, uint8_t p24[24])
{
@@ -522,6 +522,146 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ct
lm_response, nt_response, lm_session_key, user_session_key);
}
+NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
+ const char *account_domain,
+ const DATA_BLOB response,
+ const struct netlogon_creds_CredentialState *creds,
+ const char *workgroup)
+{
+ TALLOC_CTX *frame = NULL;
+ /* RespType + HiRespType */
+ static const char *magic = "\x01\x01";
+ int cmp;
+ struct NTLMv2_RESPONSE v2_resp;
+ enum ndr_err_code err;
+ const struct AV_PAIR *av_nb_cn = NULL;
+ const struct AV_PAIR *av_nb_dn = NULL;
+
+ if (response.length < 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes.
+ */
+ return NT_STATUS_OK;
+ }
+
+ cmp = memcmp(response.data + 16, magic, 2);
+ if (cmp != 0) {
+ /*
+ * It doesn't look like a valid NTLMv2_RESPONSE
+ */
+ return NT_STATUS_OK;
+ }
+
+ frame = talloc_stackframe();
+
+ err = ndr_pull_struct_blob(&response, frame, &v2_resp,
+ (ndr_pull_flags_fn_t)ndr_pull_NTLMv2_RESPONSE);
+ if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
+ NTSTATUS status;
+ status = ndr_map_error2ntstatus(err);
+ DEBUG(2,("Failed to parse NTLMv2_RESPONSE "
+ "length %u - %s - %s\n",
+ (unsigned)response.length,
+ ndr_map_error2string(err),
+ nt_errstr(status)));
+ dump_data(2, response.data, response.length);
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ if (DEBUGLVL(10)) {
+ NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
+ }
+
+ /*
+ * Make sure the netbios computer name in the
+ * NTLMv2_RESPONSE matches the computer name
+ * in the secure channel credentials for workstation
+ * trusts.
+ *
+ * And the netbios domain name matches our
+ * workgroup.
+ *
+ * This prevents workstations from requesting
+ * the session key of NTLMSSP sessions of clients
+ * to other hosts.
+ */
+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) {
+ av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbComputerName);
+ av_nb_dn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbDomainName);
+ }
+
+ if (av_nb_cn != NULL) {
+ const char *v = NULL;
+ char *a = NULL;
+ size_t len;
+
+ v = av_nb_cn->Value.AvNbComputerName;
+
+ a = talloc_strdup(frame, creds->account_name);
+ if (a == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ len = strlen(a);
+ if (len > 0 && a[len - 1] == '$') {
+ a[len - 1] = '\0';
+ }
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(a, v);
+#else /* smbd */
+ cmp = StrCaseCmp(a, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbComputerName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+ if (av_nb_dn != NULL) {
+ const char *v = NULL;
+
+ v = av_nb_dn->Value.AvNbDomainName;
+
+#ifdef SAMBA4_INTERNAL_HEIMDAL /* smbtorture4 for make test */
+ cmp = strcasecmp_m(workgroup, v);
+#else /* smbd */
+ cmp = StrCaseCmp(workgroup, v);
+#endif
+ if (cmp != 0) {
+ DEBUG(2,("%s: NTLMv2_RESPONSE with "
+ "NbDomainName[%s] rejected "
+ "for user[%s\\%s] "
+ "against SEC_CHAN_WKSTA[%s/%s] "
+ "in workgroup[%s]\n",
+ __func__, v,
+ account_domain,
+ account_name,
+ creds->computer_name,
+ creds->account_name,
+ workgroup));
+ TALLOC_FREE(frame);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+}
+
/***********************************************************
encode a password buffer with a unicode password. The buffer
is filled with random data to make it harder to attack.
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -19,7 +19,7 @@ bld.SAMBA_SUBSYSTEM('MSRPC_PARSE',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE',
+ public_deps='MSRPC_PARSE NDR_NTLMSSP',
public_headers='credentials.h:domain_credentials.h'
)
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -783,6 +783,7 @@ GROUPDB_OBJ = groupdb/mapping.o groupdb/
PROFILE_OBJ = profile/profile.o
PROFILES_OBJ = utils/profiles.o \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(PARAM_OBJ) \
$(LIB_OBJ) $(LIB_DUMMY_OBJ) \
$(POPT_LIB_OBJ) \
@@ -995,10 +996,10 @@ SWAT_OBJ = $(SWAT_OBJ1) $(PARAM_OBJ) $(P
STATUS_OBJ = utils/status.o utils/status_profile.o \
$(LOCKING_OBJ) $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
SMBCONTROL_OBJ = utils/smbcontrol.o $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(POPT_LIB_OBJ) $(PRINTBASE_OBJ)
SMBTREE_OBJ = utils/smbtree.o $(PARAM_OBJ) \
$(PROFILE_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_OBJ) \
@@ -1012,11 +1013,11 @@ SMBTREE_OBJ = utils/smbtree.o $(PARAM_OB
TESTPARM_OBJ = utils/testparm.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTA_UTIL_OBJ = utils/smbta-util.o $(PARAM_OBJ) $(POPT_LIB_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(FNAME_UTIL_OBJ)
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(FNAME_UTIL_OBJ)
TEST_LP_LOAD_OBJ = param/test_lp_load.o \
$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
@@ -1146,6 +1147,7 @@ SMBCONFTORT_OBJ = $(SMBCONFTORT_OBJ0) \
$(LIB_NONSMBD_OBJ) \
$(PARAM_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
PTHREADPOOLTEST_OBJ = lib/pthreadpool/pthreadpool.o \
@@ -1229,7 +1231,7 @@ CUPS_OBJ = client/smbspool.o $(PARAM_OBJ
$(LIBNDR_GEN_OBJ0)
NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(LIBNMB_OBJ) \
- $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+ $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
SMBTORTURE_OBJ1 = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
torture/denytest.o torture/mangle_test.o \
@@ -1253,6 +1255,7 @@ MASKTEST_OBJ = torture/masktest.o $(PARA
$(LIBNDR_GEN_OBJ0)
MSGTEST_OBJ = torture/msgtest.o $(PARAM_OBJ) $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBNDR_GEN_OBJ0)
@@ -1269,7 +1272,7 @@ PDBTEST_OBJ = torture/pdbtest.o $(PARAM_
VFSTEST_OBJ = torture/cmd_vfs.o torture/vfstest.o $(SMBD_OBJ_BASE) $(READLINE_OBJ)
-SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ)
+SMBICONV_OBJ = $(PARAM_OBJ) torture/smbiconv.o $(LIB_NONSMBD_OBJ) $(POPT_LIB_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
LOG2PCAP_OBJ = utils/log2pcaphex.o
@@ -1297,17 +1300,17 @@ SMBCQUOTAS_OBJ = utils/smbcquotas.o $(LI
EVTLOGADM_OBJ0 = utils/eventlogadm.o
EVTLOGADM_OBJ = $(EVTLOGADM_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) $(LIB_EVENTLOG_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIB_EVENTLOG_OBJ) \
librpc/gen_ndr/ndr_eventlog.o \
librpc/gen_ndr/ndr_lsa.o
SHARESEC_OBJ0 = utils/sharesec.o
SHARESEC_OBJ = $(SHARESEC_OBJ0) $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ) \
+ $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
TALLOCTORT_OBJ = @tallocdir@/testsuite.o @tallocdir@/testsuite_main.o \
- $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ)
+ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ)
REPLACETORT_OBJ = @libreplacedir@/test/testsuite.o \
@libreplacedir@/test/getifaddrs.o \
@@ -1323,7 +1326,7 @@ SMBFILTER_OBJ = utils/smbfilter.o $(PARA
$(LIBNDR_GEN_OBJ0)
WINBIND_WINS_NSS_OBJ = ../nsswitch/wins.o $(PARAM_OBJ) \
- $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNMB_OBJ)
+ $(LIB_NONSMBD_OBJ) $(LIBSMB_ERR_OBJ) $(LIBNDR_NTLMSSP_OBJ) $(LIBNMB_OBJ)
PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
pam_smbpass/pam_smb_acct.o pam_smbpass/support.o ../lib/util/asn1.o
@@ -1531,12 +1534,14 @@ RPC_OPEN_TCP_OBJ = torture/rpc_open_tcp.
DBWRAP_TOOL_OBJ = utils/dbwrap_tool.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
- $(LIBSMB_ERR_OBJ)
+ $(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ)
DBWRAP_TORTURE_OBJ = utils/dbwrap_torture.o \
$(PARAM_OBJ) \
$(LIB_NONSMBD_OBJ) \
$(LIBSMB_ERR_OBJ) \
+ $(LIBNDR_NTLMSSP_OBJ) \
$(POPT_LIB_OBJ)
SPLIT_TOKENS_OBJ = utils/split_tokens.o \
--- a/source4/torture/raw/samba3misc.c
+++ b/source4/torture/raw/samba3misc.c
@@ -340,6 +340,7 @@ bool torture_samba3_badpath(struct tortu
bool ret = true;
TALLOC_CTX *mem_ctx;
bool nt_status_support;
+ bool client_ntlmv2_auth;
if (!(mem_ctx = talloc_init("torture_samba3_badpath"))) {
d_printf("talloc_init failed\n");
@@ -347,20 +348,17 @@ bool torture_samba3_badpath(struct tortu
}
nt_status_support = lpcfg_nt_status_support(torture->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(torture->lp_ctx);
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "yes"), ret, fail, "Could not set 'nt status support = yes'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "yes"), ret, fail, "Could not set 'client ntlmv2 auth = yes'\n");
if (!torture_open_connection(&cli_nt, torture, 0)) {
goto fail;
}
- if (!lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no")) {
- printf("Could not set 'nt status support = yes'\n");
- goto fail;
- }
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support", "no"), ret, fail, "Could not set 'nt status support = no'\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth", "no"), ret, fail, "Could not set 'client ntlmv2 auth = no'\n");
if (!torture_open_connection(&cli_dos, torture, 1)) {
goto fail;
@@ -373,6 +371,12 @@ bool torture_samba3_badpath(struct tortu
}
smbcli_deltree(cli_nt->tree, dirname);
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "nt status support",
+ nt_status_support ? "yes":"no"),
+ ret, fail, "Could not set 'nt status support' back to where it was\n");
+ torture_assert_goto(torture, lpcfg_set_cmdline(torture->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no"),
+ ret, fail, "Could not set 'client ntlmv2 auth' back to where it was\n");
status = smbcli_mkdir(cli_nt->tree, dirname);
if (!NT_STATUS_IS_OK(status)) {
--- a/source4/torture/basic/base.c
+++ b/source4/torture/basic/base.c
@@ -1476,6 +1476,7 @@ static bool torture_chkpath_test(struct
static bool torture_samba3_errorpaths(struct torture_context *tctx)
{
bool nt_status_support;
+ bool client_ntlmv2_auth;
struct smbcli_state *cli_nt = NULL, *cli_dos = NULL;
bool result = false;
int fnum;
@@ -1485,18 +1486,27 @@ static bool torture_samba3_errorpaths(st
NTSTATUS status;
nt_status_support = lpcfg_nt_status_support(tctx->lp_ctx);
+ client_ntlmv2_auth = lpcfg_client_ntlmv2_auth(tctx->lp_ctx);
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "yes")) {
torture_comment(tctx, "Could not set 'nt status support = yes'\n");
goto fail;
}
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "yes")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = yes'\n");
+ goto fail;
+ }
if (!torture_open_connection(&cli_nt, tctx, 0)) {
goto fail;
}
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support", "no")) {
- torture_comment(tctx, "Could not set 'nt status support = yes'\n");
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'nt status support = no'\n");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth", "no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not set 'client ntlmv2 auth = no'\n");
goto fail;
}
@@ -1506,7 +1516,12 @@ static bool torture_samba3_errorpaths(st
if (!lpcfg_set_cmdline(tctx->lp_ctx, "nt status support",
nt_status_support ? "yes":"no")) {
- torture_comment(tctx, "Could not reset 'nt status support = yes'");
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'nt status support'");
+ goto fail;
+ }
+ if (!lpcfg_set_cmdline(tctx->lp_ctx, "client ntlmv2 auth",
+ client_ntlmv2_auth ? "yes":"no")) {
+ torture_result(tctx, TORTURE_FAIL, "Could not reset 'client ntlmv2 auth'");
goto fail;
}
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2077,6 +2077,17 @@ NTSTATUS cli_session_setup(struct cli_st
NTSTATUS status;
/* otherwise do a NT1 style session setup */
+ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
+ /*
+ * Don't send an NTLMv2 response without NTLMSSP
+ * if we want to use spnego support
+ */
+ DEBUG(1, ("Server does not support EXTENDED_SECURITY "
+ " but 'client use spnego = yes"
+ " and 'client ntlmv2 auth = yes'\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
status = cli_session_setup_nt1(cli, user, pass, passlen,
ntpass, ntpasslen, workgroup);
if (!NT_STATUS_IS_OK(status)) {
--- a/docs-xml/smbdotconf/protocol/clientusespnego.xml
+++ b/docs-xml/smbdotconf/protocol/clientusespnego.xml
@@ -9,6 +9,11 @@
supporting servers (including WindowsXP, Windows2000 and Samba
3.0) to agree upon an authentication
mechanism. This enables Kerberos authentication in particular.</para>
+
+ <para>When <smbconfoption name="client NTLMv2 auth"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -28,6 +28,11 @@
NTLMv2 by default, and some sites (particularly those following
'best practice' security polices) only allow NTLMv2 responses, and
not the weaker LM or NTLM.</para>
+
+ <para>When <smbconfoption name="client use spnego"/> is also set to
+ <constant>yes</constant> extended security (SPNEGO) is required
+ in order to use NTLMv2 only within NTLMSSP. This behavior was
+ introduced with the patches for CVE-2016-2111.</para>
</description>
<value type="default">yes</value>
</samba:parameter>
--- /dev/null
+++ b/docs-xml/smbdotconf/security/rawntlmv2auth.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="raw NTLMv2 auth"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This parameter determines whether or not <citerefentry><refentrytitle>smbd</refentrytitle>
+ <manvolnum>8</manvolnum></citerefentry> will allow SMB1 clients without
+ extended security (without SPNEGO) to use NTLMv2 authentication.</para>
+
+ <para>If this option, <command moreinfo="none">lanman auth</command>
+ and <command moreinfo="none">ntlm auth</command> are all disabled,
+ then only clients with SPNEGO support will be permitted.
+ That means NTLMv2 is only supported within NTLMSSP.</para>
+</description>
+
+<related>lanman auth</related>
+<related>ntlm auth</related>
+<value type="default">no</value>
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1489,6 +1489,7 @@ bool lp_map_untrusted_to_domain(void);
int lp_restrict_anonymous(void);
bool lp_lanman_auth(void);
bool lp_ntlm_auth(void);
+bool lp_raw_ntlmv2_auth(void);
bool lp_client_plaintext_auth(void);
bool lp_client_lanman_auth(void);
bool lp_client_ntlmv2_auth(void);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -336,6 +336,7 @@ struct global {
bool bAllowTrustedDomains;
bool bLanmanAuth;
bool bNTLMAuth;
+ bool bRawNTLMv2Auth;
bool bUseSpnego;
bool bClientLanManAuth;
bool bClientNTLMv2Auth;
@@ -1383,6 +1384,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "raw NTLMv2 auth",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bRawNTLMv2Auth,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "client NTLMv2 auth",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5337,6 +5347,7 @@ static void init_globals(bool reinit_glo
Globals.bClientPlaintextAuth = False; /* Do NOT use a plaintext password even if is requested by the server */
Globals.bLanmanAuth = False; /* Do NOT use the LanMan hash, even if it is supplied */
Globals.bNTLMAuth = True; /* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
+ Globals.bRawNTLMv2Auth = false; /* Allow NTLMv2 without NTLMSSP */
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
@@ -5819,6 +5830,7 @@ FN_GLOBAL_BOOL(lp_map_untrusted_to_domai
FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
+FN_GLOBAL_BOOL(lp_raw_ntlmv2_auth, &Globals.bRawNTLMv2Auth)
FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
FN_GLOBAL_BOOL(lp_client_ntlmv2_auth, &Globals.bClientNTLMv2Auth)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -30,6 +30,7 @@
#include "../lib/util/util_pw.h"
#include "lib/winbind_util.h"
#include "passdb.h"
+#include "../lib/tsocket/tsocket.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -367,6 +368,19 @@ NTSTATUS make_user_info_for_reply_enc(st
const char *client_domain,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
+ bool allow_raw = lp_raw_ntlmv2_auth();
+
+ if (!allow_raw && nt_resp.length >= 48) {
+ /*
+ * NTLMv2_RESPONSE has at least 48 bytes
+ * and should only be supported via NTLMSSP.
+ */
+ DEBUG(2,("Rejecting raw NTLMv2 authentication with "
+ "user [%s\\%s]\n",
+ client_domain, smb_name));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
return make_user_info_map(user_info, smb_name,
client_domain,
get_remote_machine_name(),
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -127,6 +127,7 @@ sub setup_dc($$)
domain master = yes
domain logons = yes
lanman auth = yes
+ raw NTLMv2 auth = yes
";
my $vars = $self->provision($path,
@@ -230,6 +231,7 @@ sub setup_secserver($$$)
my $secserver_options = "
security = server
password server = $s3dcvars->{SERVER_IP}
+ client ntlmv2 auth = no
";
my $ret = $self->provision($prefix,

129
net/samba3/025-CVE-2016-2112-v3-6.patch
View file

@ -1,129 +0,0 @@
From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 30 Mar 2016 16:55:44 +0200
Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
ntlmssp_have_feature()
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source3/include/proto.h | 1 +
source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntl
NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
const DATA_BLOB in, DATA_BLOB *out) ;
NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlms
return NT_STATUS_OK;
}
+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
+ uint32_t feature)
+{
+ if (feature & NTLMSSP_FEATURE_SIGN) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SEAL) {
+ if (ntlmssp_state->session_key.length == 0) {
+ return false;
+ }
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ return true;
+ }
+ }
+
+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
+ if (ntlmssp_state->session_key.length > 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
/**
* Request features for the NTLMSSP negotiation
*
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmss
/* we have a reference conter on ntlmssp_state, if we are signing
then the state will be kept by the signing engine */
+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SEAL);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+
+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
+ bool ok;
+
+ ok = ntlmssp_have_feature(ntlmssp_state,
+ NTLMSSP_FEATURE_SIGN);
+ if (!ok) {
+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
+ TALLOC_FREE(ntlmssp_state);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
+ }
+ }
+
if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -34,11 +34,9 @@
</para>
<para>
- The default value is <emphasis>plain</emphasis> which is not irritable
- to KRB5 clock skew errors. That implies synchronizing the time
- with the KDC in the case of using <emphasis>sign</emphasis> or
- <emphasis>seal</emphasis>.
+ The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">plain</value>
+<value type="default">sign</value>
</samba:parameter>
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_glo
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+
/* This is what we tell the afs client. in reality we set the token
* to never expire, though, when this runs out the afs client will
* forget the token. Set to 0 to get NEVERDATE.*/

256
net/samba3/026-CVE-2016-2115-v3-6.patch
View file

@ -1,256 +0,0 @@
From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Feb 2016 03:43:58 +0100
Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
docs-xml/smbdotconf/security/clientsigning.xml | 3 +++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 12 ++++++++++++
4 files changed, 39 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="client ipc signing"
+ context="G"
+ type="enum"
+ enumlist="enum_smb_signing_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This controls whether the client is allowed or required to use SMB signing for IPC$
+ connections as DCERPC transport inside of winbind. Possible values
+ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
+ and <emphasis>disabled</emphasis>.
+ </para>
+
+ <para>When set to auto, SMB signing is offered, but not enforced and if set
+ to disabled, SMB signing is not offered either.</para>
+
+ <para>Connections from winbindd to Active Directory Domain Controllers
+ always enforce signing.</para>
+</description>
+
+<related>client signing</related>
+
+<value type="default">mandatory</value>
+</samba:parameter>
--- a/docs-xml/smbdotconf/security/clientsigning.xml
+++ b/docs-xml/smbdotconf/security/clientsigning.xml
@@ -12,6 +12,9 @@
<para>When set to auto, SMB signing is offered, but not enforced.
When set to mandatory, SMB signing is required and if set
to disabled, SMB signing is not offered either.
+
+ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
+ <smbconfoption name="client ipc signing"/> option.</para>
</para>
</description>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
int lp_winbind_reconnect_delay(void);
int lp_winbind_max_clients(void);
const char **lp_winbind_nss_info(void);
+bool lp_winbind_sealed_pipes(void);
int lp_algorithmic_rid_base(void);
int lp_name_cache_timeout(void);
int lp_client_signing(void);
+int lp_client_ipc_signing(void);
int lp_server_signing(void);
int lp_client_ldap_sasl_wrapping(void);
char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -215,6 +215,7 @@ struct global {
int winbind_expand_groups;
bool bWinbindRefreshTickets;
bool bWinbindOfflineLogon;
+ bool bWinbindSealedPipes;
bool bWinbindNormalizeNames;
bool bWinbindRpcOnly;
bool bCreateKrb5Conf;
@@ -366,6 +367,7 @@ struct global {
int restrict_anonymous;
int name_cache_timeout;
int client_signing;
+ int client_ipc_signing;
int server_signing;
int client_ldap_sasl_wrapping;
int iUsershareMaxShares;
@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "client ipc signing",
+ .type = P_ENUM,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_ipc_signing,
+ .special = NULL,
+ .enum_list = enum_smb_signing_vals,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "server signing",
.type = P_ENUM,
.p_class = P_GLOBAL,
@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "winbind sealed pipes",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bWinbindSealedPipes,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "winbind normalize names",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
Globals.bWinbindRefreshTickets = False;
Globals.bWinbindOfflineLogon = False;
+ Globals.bWinbindSealedPipes = True;
Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
Globals.bClientUseSpnego = True;
Globals.client_signing = Auto;
+ Globals.client_ipc_signing = Required;
Globals.server_signing = False;
Globals.bDeferSharingViolations = True;
@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
+FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
+FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
}
+ if (!lp_is_in_client()) {
+ switch (lp_client_ipc_signing()) {
+ case Required:
+ lp_set_cmdline("client signing", "mandatory");
+ break;
+ case Auto:
+ lp_set_cmdline("client signing", "auto");
+ break;
+ case False:
+ lp_set_cmdline("client signing", "disabled");
+ break;
+ }
+ }
+
init_iconv();
bAllowIncludeRegistry = true;
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
"", /* username */
"", /* domain */
"", /* password */
- 0, lp_client_signing());
+ 0, False);
if ( !NT_STATUS_IS_OK( ret ) ) {
DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -0,0 +1,15 @@
+<samba:parameter name="winbind sealed pipes"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
TALLOC_FREE(conn->samr_pipe);
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ status = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(status)));
+ goto done;
+ }
/* Finally fall back to anonymous. */
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
anonymous:
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make LSA connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ goto done;
+ }
+
result = cli_rpc_pipe_open_noauth(conn->cli,
&ndr_table_lsarpc.syntax_id,
&conn->lsa_pipe);
@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
no_schannel:
if ((lp_client_schannel() == False) ||
- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
+ result = NT_STATUS_DOWNGRADE_DETECTED;
+ DEBUG(1, ("Unwilling to make connection to domain %s "
+ "without connection level security, "
+ "must set 'winbind sealed pipes = false' "
+ "to proceed: %s\n",
+ domain->name, nt_errstr(result)));
+ TALLOC_FREE(netlogon_pipe);
+ invalidate_cm_connection(conn);
+ return result;
+ }
/*
* NetSamLogonEx only works for schannel
*/

308
net/samba3/027-CVE-2016-2118-v3-6.patch
View file

@ -1,308 +0,0 @@
From d68424b5ef92f5810760f90e9eeb664572a61e4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 15 Dec 2015 14:49:36 +0100
Subject: [PATCH 01/10] CVE-2016-2118: s3: rpcclient: change the default auth
level from DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY
ncacn_ip_tcp:server should get the same protection as ncacn_np:server
if authentication and smb signing is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11616
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit dab41dee8a4fb27dbf3913b0e44a4cc726e3ac98)
---
source3/rpcclient/rpcclient.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -1062,10 +1062,9 @@ out_free:
}
}
if (pipe_default_auth_type != DCERPC_AUTH_TYPE_NONE) {
- /* If neither Integrity or Privacy are requested then
- * Use just Connect level */
+ /* If nothing is requested then default to integrity */
if (pipe_default_auth_level == DCERPC_AUTH_LEVEL_NONE) {
- pipe_default_auth_level = DCERPC_AUTH_LEVEL_CONNECT;
+ pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
}
}
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -593,15 +593,15 @@ struct composite_context *dcerpc_pipe_au
/* Perform an authenticated DCE-RPC bind
*/
- if (!(conn->flags & (DCERPC_SIGN|DCERPC_SEAL))) {
+ if (!(conn->flags & (DCERPC_CONNECT|DCERPC_SEAL))) {
/*
we are doing an authenticated connection,
- but not using sign or seal. We must force
- the CONNECT dcerpc auth type as a NONE auth
- type doesn't allow authentication
- information to be passed.
+ which needs to use [connect], [sign] or [seal].
+ If nothing is specified, we default to [sign] now.
+ This give roughly the same protection as
+ ncacn_np with smb signing.
*/
- conn->flags |= DCERPC_CONNECT;
+ conn->flags |= DCERPC_SIGN;
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
--- /dev/null
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -0,0 +1,22 @@
+<samba:parameter name="allow dcerpc auth level connect"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether DCERPC services are allowed to
+ be used with DCERPC_AUTH_LEVEL_CONNECT, which provides authentication,
+ but no per message integrity nor privacy protection.</para>
+
+ <para>The behavior can be controlled per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
+ winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = no' as option.</para>
+
+ <para>This option yields precedence to the implentation specific restrictions.
+ E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
+ While others like samr and lsarpc have a hardcoded default of <constant>no</constant>.
+ </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+
+</samba:parameter>
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1821,6 +1821,7 @@ char* lp_perfcount_module(void);
void lp_set_passdb_backend(const char *backend);
void widelinks_warning(int snum);
char *lp_ncalrpc_dir(void);
+bool lp_allow_dcerpc_auth_level_connect(void);
/* The following definitions come from param/loadparm_server_role.c */
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -355,6 +355,7 @@ struct global {
bool bUseMmap;
bool bHostnameLookups;
bool bUnixExtensions;
+ bool bAllowDcerpcAuthLevelConnect;
bool bDisableNetbios;
char * szDedicatedKeytabFile;
int iKerberosMethod;
@@ -2303,6 +2304,15 @@ static struct parm_struct parm_table[] =
.flags = FLAG_ADVANCED,
},
{
+ .label = "allow dcerpc auth level connect",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bAllowDcerpcAuthLevelConnect,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "use spnego",
.type = P_BOOL,
.p_class = P_GLOBAL,
@@ -5371,6 +5381,8 @@ static void init_globals(bool reinit_glo
Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
/* Note, that we will also use NTLM2 session security (which is different), if it is available */
+ Globals.bAllowDcerpcAuthLevelConnect = false; /* we don't allow this by default */
+
Globals.map_to_guest = 0; /* By Default, "Never" */
Globals.oplock_break_wait_time = 0; /* By Default, 0 msecs. */
Globals.enhanced_browsing = true;
@@ -5745,6 +5757,7 @@ FN_GLOBAL_INTEGER(lp_username_map_cache_
FN_GLOBAL_STRING(lp_check_password_script, &Globals.szCheckPasswordScript)
+FN_GLOBAL_BOOL(lp_allow_dcerpc_auth_level_connect, &Globals.bAllowDcerpcAuthLevelConnect)
FN_GLOBAL_STRING(lp_wins_hook, &Globals.szWINSHook)
FN_GLOBAL_CONST_STRING(lp_template_homedir, &Globals.szTemplateHomedir)
FN_GLOBAL_CONST_STRING(lp_template_shell, &Globals.szTemplateShell)
--- a/source3/include/ntdomain.h
+++ b/source3/include/ntdomain.h
@@ -89,6 +89,10 @@ typedef struct pipe_rpc_fns {
uint32 context_id;
struct ndr_syntax_id syntax;
+ /*
+ * shall we allow "connect" auth level for this interface ?
+ */
+ bool allow_connect;
} PIPE_RPC_FNS;
/*
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -44,6 +44,11 @@
#include "rpc_server/srv_pipe.h"
#include "../librpc/gen_ndr/ndr_dcerpc.h"
#include "../librpc/ndr/ndr_dcerpc.h"
+#include "../librpc/gen_ndr/ndr_samr.h"
+#include "../librpc/gen_ndr/ndr_lsa.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../librpc/gen_ndr/ndr_epmapper.h"
+#include "../librpc/gen_ndr/ndr_echo.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -340,6 +345,8 @@ static bool check_bind_req(struct pipes_
uint32 context_id)
{
struct pipe_rpc_fns *context_fns;
+ const char *interface_name = NULL;
+ bool ok;
DEBUG(3,("check_bind_req for %s\n",
get_pipe_name_from_syntax(talloc_tos(), abstract)));
@@ -390,12 +397,57 @@ static bool check_bind_req(struct pipes_
return False;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ abstract);
+
+ SMB_ASSERT(interface_name != NULL);
+
context_fns->next = context_fns->prev = NULL;
context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
context_fns->context_id = context_id;
context_fns->syntax = *abstract;
+ context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+ /*
+ * for the samr and the lsarpc interfaces we don't allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_samr.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = false;
+ }
+ /*
+ * for the epmapper and echo interfaces we allow "connect"
+ * auth_level by default.
+ */
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_epmapper.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ ok = ndr_syntax_id_equal(abstract, &ndr_table_rpcecho.syntax_id);
+ if (ok) {
+ context_fns->allow_connect = true;
+ }
+ /*
+ * every interface can be modified to allow "connect" auth_level by
+ * using a parametric option like:
+ * allow dcerpc auth level connect:<interface>
+ * e.g.
+ * allow dcerpc auth level connect:samr = yes
+ */
+ context_fns->allow_connect = lp_parm_bool(-1,
+ "allow dcerpc auth level connect",
+ interface_name, context_fns->allow_connect);
+
/* add to the list of open contexts */
DLIST_ADD( p->contexts, context_fns );
@@ -1736,6 +1788,7 @@ static bool api_pipe_request(struct pipe
TALLOC_CTX *frame = talloc_stackframe();
bool ret = False;
PIPE_RPC_FNS *pipe_fns;
+ const char *interface_name = NULL;
if (!p->pipe_bound) {
DEBUG(1, ("Pipe not bound!\n"));
@@ -1757,8 +1810,36 @@ static bool api_pipe_request(struct pipe
return false;
}
+ interface_name = get_pipe_name_from_syntax(talloc_tos(),
+ &pipe_fns->syntax);
+
+ SMB_ASSERT(interface_name != NULL);
+
DEBUG(5, ("Requested \\PIPE\\%s\n",
- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
+ interface_name));
+
+ switch (p->auth.auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ break;
+ default:
+ if (!pipe_fns->allow_connect) {
+ DEBUG(1, ("%s: restrict auth_level_connect access "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__, interface_name,
+ p->auth.auth_type,
+ p->auth.auth_level,
+ derpc_transport_string_by_transport(p->transport),
+ p->client_id->name));
+
+ setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_ACCESS_DENIED));
+ TALLOC_FREE(frame);
+ return true;
+ }
+ break;
+ }
if (!srv_pipe_check_verification_trailer(p, pkt, pipe_fns)) {
DEBUG(1, ("srv_pipe_check_verification_trailer: failed\n"));
--- a/source3/selftest/knownfail
+++ b/source3/selftest/knownfail
@@ -18,3 +18,5 @@ samba3.posix_s3.nbt.dgram.*netlogon2
samba3.*rap.sam.*.useradd # Not provided by Samba 3
samba3.*rap.sam.*.userdelete # Not provided by Samba 3
samba3.*rap.basic.*.netsessiongetinfo # Not provided by Samba 3
+samba3.blackbox.rpcclient.over.ncacn_np.with.*connect.* # we don't allow auth_level_connect anymore
+samba3.posix_s3.rpc.lsa.lookupsids.*ncacn_ip_tcp.*connect.* # we don't allow auth_level_connect anymore
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -201,6 +201,8 @@ if sub.returncode == 0:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD')
elif t == "raw.samba3posixtimedlock":
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmpguest -U$USERNAME%$PASSWORD --option=torture:localdir=$SELFTEST_PREFIX/dc/share')
+ elif t == "rpc.samr.passwords.validate":
+ plansmbtorturetestsuite(t, "s3dc", 'ncacn_np:$SERVER_IP[seal] -U$USERNAME%$PASSWORD', 'over ncacn_np ')
else:
plansmbtorturetestsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -6628,6 +6628,11 @@ NTSTATUS _samr_ValidatePassword(struct p
struct samr_GetDomPwInfo pw;
struct samr_PwInfo dom_pw_info;
+ if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (r->in.level < 1 || r->in.level > 3) {
return NT_STATUS_INVALID_INFO_CLASS;
}

59
net/samba3/028-CVE-2016-2125-v3.6.patch
View file

@ -1,59 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 28 Dec 2016 19:21:49 +0100
Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
This is a backport of upstream commits
b1a056f77e793efc45df34ab7bf78fbec1bf8a59
b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
---
source3/librpc/crypto/gse.c | 1 -
source3/libsmb/clifsinfo.c | 2 +-
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
4 files changed, 3 insertions(+), 4 deletions(-)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
&es->s.gss_state->gss_ctx,
srv_name,
GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
GSS_C_INDEFINITE, /* requested ticket lifetime. */
NULL, /* no channel bindings */
p_tok_in,
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,

29
net/samba3/029-CVE-2017-7494-v3-6.patch
View file

@ -1,29 +0,0 @@
From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Mon, 8 May 2017 21:40:40 +0200
Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
inside
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
source3/rpc_server/srv_pipe.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f
pipename += 1;
}
+ if (strchr(pipename, '/')) {
+ DEBUG(1, ("Refusing open on pipe %s\n", pipename));
+ return false;
+ }
+
if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
DEBUG(10, ("refusing spoolss access\n"));
return false;

40
net/samba3/030-CVE-2017-15275-v3.6.patch
View file

@ -1,40 +0,0 @@
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -70,6 +70,20 @@ ssize_t message_push_string(uint8 **outb
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;

136
net/samba3/031-CVE-2017-12163-v3.6.patch
View file

@ -1,136 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:02:03 +0200
Subject: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Author: Jeremy Allison <jra@samba.org>
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3979,6 +3979,9 @@ void reply_writebraw(struct smb_request
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4080,6 +4083,11 @@ void reply_writebraw(struct smb_request
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4161,6 +4169,7 @@ void reply_writeunlock(struct smb_reques
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
SMB_OFF_T startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4193,6 +4202,17 @@ void reply_writeunlock(struct smb_reques
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4274,6 +4294,7 @@ void reply_write(struct smb_request *req
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
SMB_OFF_T startpos;
const char *data;
@@ -4314,6 +4335,17 @@ void reply_write(struct smb_request *req
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4525,6 +4557,9 @@ void reply_write_and_X(struct smb_reques
return;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4894,6 +4929,7 @@ void reply_writeclose(struct smb_request
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
SMB_OFF_T startpos;
@@ -4927,6 +4963,17 @@ void reply_writeclose(struct smb_request
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5497,6 +5544,9 @@ void reply_printwrite(struct smb_request
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);

75
net/samba3/032-CVE-2017-12150-v3.6.patch
View file

@ -1,75 +0,0 @@
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:01:34 +0200
Subject: CVE-2017-12150
These are the three upstream patches
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
From: Stefan Metzmacher <metze@samba.org>
Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
---
libgpo/gpo_fetch.c | 2 +-
source3/lib/util_cmdline.c | 3 +++
source3/libsmb/clidfs.c | 2 ++
3 files changed, 6 insertions(+), 1 deletion(-)
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
return auth_info->signing_state;
}
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
/* If a password was not supplied then
* try again with a null username. */
if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
!NT_STATUS_IS_OK(cli_session_setup(c, "",
"", 0,
"", 0,

49
net/samba3/032-CVE-2018-1050-v3-6.patch
View file

@ -1,49 +0,0 @@
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 2 Jan 2018 15:56:03 -0800
Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -176,6 +176,11 @@ static void prune_printername_cache(void
static const char *canon_servername(const char *servername)
{
const char *pservername = servername;
+
+ if (servername == NULL) {
+ return "";
+ }
+
while (*pservername == '\\') {
pservername++;
}
@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if ((version = get_version_id(r->in.architecture)) == -1)
@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
return WERR_ACCESS_DENIED;
}
+ if (r->in.architecture == NULL || r->in.driver == NULL) {
+ return WERR_INVALID_ENVIRONMENT;
+ }
+
/* check that we have a valid driver name first */
if (get_version_id(r->in.architecture) == -1) {
/* this is what NT returns */

346
net/samba3/200-remove_printer_support.patch
View file

@ -1,346 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -1110,6 +1110,10 @@ bool dcesrv_ep_setup(struct tevent_conte
"rpc_server",
"spoolss",
"embedded");
+#ifndef PRINTER_SUPPORT
+ if (1) {
+ } else
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0) {
spoolss_cb.init = spoolss_init_cb;
spoolss_cb.shutdown = spoolss_shutdown_cb;
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -624,7 +624,9 @@ static struct cmd_set *rpcclient_command
lsarpc_commands,
ds_commands,
samr_commands,
+#ifdef PRINTER_SUPPORT
spoolss_commands,
+#endif
netlogon_commands,
srvsvc_commands,
dfs_commands,
--- a/source3/printing/spoolssd.c
+++ b/source3/printing/spoolssd.c
@@ -165,6 +165,10 @@ void start_spoolssd(struct tevent_contex
NTSTATUS status;
int ret;
+#ifndef PRINTER_SUPPORT
+ return;
+#endif
+
DEBUG(1, ("Forking SPOOLSS Daemon\n"));
pid = sys_fork();
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -7841,6 +7841,10 @@ int net_rpc_printer(struct net_context *
{NULL, NULL, 0, NULL, NULL}
};
+#ifndef PRINTER_SUPPORT
+ return 0;
+#endif
+
if (argc == 0) {
if (c->display_usage) {
d_printf(_("Usage:\n"));
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5255,7 +5255,11 @@ void reply_printopen(struct smb_request
return;
}
- if (!CAN_PRINT(conn)) {
+
+#ifdef PRINTER_SUPPORT
+ if (!CAN_PRINT(conn))
+#endif
+ {
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplopen);
return;
@@ -5361,7 +5365,10 @@ void reply_printqueue(struct smb_request
is really quite gross and only worked when there was only
one printer - I think we should now only accept it if they
get it right (tridge) */
- if (!CAN_PRINT(conn)) {
+#ifdef PRINTER_SUPPORT
+ if (!CAN_PRINT(conn))
+#endif
+ {
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
END_PROFILE(SMBsplretq);
return;
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -784,6 +784,10 @@ static bool api_DosPrintQGetInfo(struct
union spoolss_JobInfo *job_info = NULL;
union spoolss_PrinterInfo printer_info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -999,6 +1003,10 @@ static bool api_DosPrintQEnum(struct smb
union spoolss_DriverInfo *driver_info;
union spoolss_JobInfo **job_info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!param_format || !output_format1 || !p) {
return False;
}
@@ -3105,6 +3113,10 @@ static bool api_RDosPrintJobDel(struct s
struct spoolss_DevmodeContainer devmode_ctr;
enum spoolss_JobControl command;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -3238,6 +3250,10 @@ static bool api_WPrintQueueCtrl(struct s
struct sec_desc_buf secdesc_ctr;
enum spoolss_PrinterControl command;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !QueueName) {
return False;
}
@@ -3404,6 +3420,10 @@ static bool api_PrintJobInfo(struct smbd
union spoolss_JobInfo info;
struct spoolss_SetJobInfo1 info1;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4547,6 +4567,10 @@ static bool api_WPrintJobGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_JobInfo info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4685,6 +4709,10 @@ static bool api_WPrintJobEnumerate(struc
uint32_t count = 0;
union spoolss_JobInfo *info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -4890,6 +4918,10 @@ static bool api_WPrintDestGetInfo(struct
struct spoolss_DevmodeContainer devmode_ctr;
union spoolss_PrinterInfo info;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5026,6 +5058,10 @@ static bool api_WPrintDestEnum(struct sm
union spoolss_PrinterInfo *info;
uint32_t count;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5129,6 +5165,10 @@ static bool api_WPrintDriverEnum(struct
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5193,6 +5233,10 @@ static bool api_WPrintQProcEnum(struct s
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -5257,6 +5301,10 @@ static bool api_WPrintPortEnum(struct sm
int succnt;
struct pack_desc desc;
+#ifndef PRINTER_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -141,7 +141,9 @@ static void exit_server_common(enum serv
rpc_eventlog_shutdown();
rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
+#endif
rpc_srvsvc_shutdown();
rpc_winreg_shutdown();
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1608,6 +1608,9 @@ static NTSTATUS open_file_ntcreate(conne
* Most of the passed parameters are ignored.
*/
+#ifndef PRINTER_SUPPORT
+ return NT_STATUS_ACCESS_DENIED;
+#endif
if (pinfo) {
*pinfo = FILE_WAS_CREATED;
}
--- a/source3/smbd/close.c
+++ b/source3/smbd/close.c
@@ -643,6 +643,9 @@ static NTSTATUS close_normal_file(struct
status = ntstatus_keeperror(status, tmp);
if (fsp->print_file) {
+#ifndef PRINTER_SUPPORT
+ return NT_STATUS_OK;
+#endif
/* FIXME: return spool errors */
print_spool_end(fsp, close_type);
file_free(req, fsp);
--- a/source3/smbd/fileio.c
+++ b/source3/smbd/fileio.c
@@ -298,6 +298,10 @@ ssize_t write_file(struct smb_request *r
uint32_t t;
int ret;
+#ifndef PRINTER_SUPPORT
+ return -1;
+#endif
+
ret = print_spool_write(fsp, data, n, pos, &t);
if (ret) {
errno = ret;
--- a/source3/smbd/smb2_create.c
+++ b/source3/smbd/smb2_create.c
@@ -486,7 +486,10 @@ static struct tevent_req *smbd_smb2_crea
info = FILE_WAS_OPENED;
} else if (CAN_PRINT(smb1req->conn)) {
status = file_new(smb1req, smb1req->conn, &result);
- if(!NT_STATUS_IS_OK(status)) {
+#ifdef PRINTER_SUPPORT
+ if(!NT_STATUS_IS_OK(status))
+#endif
+ {
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -85,9 +85,11 @@ bool init_service_op_table( void )
/* add builtin services */
+#ifdef PRINTER_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "Spooler" );
svcctl_ops[i].ops = &spoolss_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -113,9 +113,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
return false;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2423,8 +2423,10 @@ static bool housekeeping_fn(const struct
change_to_root_user();
+#ifdef PRINTER_SUPPORT
/* update printer queue caches if necessary */
update_monitored_printq_cache(sconn->msg_ctx);
+#endif
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -123,7 +123,9 @@ static void smb_pcap_updated(struct mess
{
struct tevent_context *ev_ctx =
talloc_get_type_abort(private_data, struct tevent_context);
-
+#ifndef PRINTER_SUPPORT
+ return;
+#endif
DEBUG(10,("Got message saying pcap was updated. Reloading.\n"));
change_to_root_user();
reload_printers(ev_ctx, msg);
@@ -1277,6 +1279,7 @@ extern void build_options(bool screen);
* The print backend init also migrates the printing tdb's,
* this requires a winreg pipe.
*/
+#ifdef PRINTER_SUPPORT
if (!print_backend_init(smbd_messaging_context()))
exit(1);
@@ -1315,7 +1318,7 @@ extern void build_options(bool screen);
smbd_messaging_context());
}
}
-
+#endif
if (!is_daemon) {
/* inetd mode */
TALLOC_FREE(frame);

98
net/samba3/220-remove_services.patch
View file

@ -1,98 +0,0 @@
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -131,6 +131,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
return false;
}
+#ifdef EXTRA_SERVICES
if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
return false;
}
@@ -140,6 +141,7 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
return false;
}
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -697,6 +697,7 @@ static bool spoolss_shutdown_cb(void *pt
return true;
}
+#ifdef EXTRA_SERVICES
static bool svcctl_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -733,6 +734,7 @@ static bool svcctl_init_cb(void *ptr)
return true;
}
+#endif
static bool svcctl_shutdown_cb(void *ptr)
{
@@ -741,6 +743,8 @@ static bool svcctl_shutdown_cb(void *ptr
return true;
}
+#ifdef EXTRA_SERVICES
+
static bool ntsvcs_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -802,6 +806,7 @@ static bool eventlog_init_cb(void *ptr)
return true;
}
+#endif
static bool initshutdown_init_cb(void *ptr)
{
@@ -1130,6 +1135,7 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef EXTRA_SERVICES
svcctl_cb.init = svcctl_init_cb;
svcctl_cb.shutdown = svcctl_shutdown_cb;
svcctl_cb.private_data = ep_ctx;
@@ -1150,6 +1156,7 @@ bool dcesrv_ep_setup(struct tevent_conte
if (!NT_STATUS_IS_OK(rpc_eventlog_init(&eventlog_cb))) {
return false;
}
+#endif
initshutdown_cb.init = initshutdown_init_cb;
initshutdown_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -140,9 +140,11 @@ static void exit_server_common(enum serv
#endif
rpc_netdfs_shutdown();
rpc_initshutdown_shutdown();
+#ifdef EXTRA_SERVICES
rpc_eventlog_shutdown();
- rpc_ntsvcs_shutdown();
rpc_svcctl_shutdown();
+ rpc_ntsvcs_shutdown();
+#endif
#ifdef PRINTER_SUPPORT
rpc_spoolss_shutdown();
#endif
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -637,9 +637,11 @@ static struct cmd_set *rpcclient_command
shutdown_commands,
test_commands,
wkssvc_commands,
+#ifdef EXTRA_SERVICES
ntsvcs_commands,
drsuapi_commands,
eventlog_commands,
+#endif
winreg_commands,
NULL
};

146
net/samba3/230-remove_winreg_support.patch
View file

@ -1,146 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -409,6 +409,7 @@ static bool epmapper_shutdown_cb(void *p
return true;
}
+#ifdef WINREG_SUPPORT
static bool winreg_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -456,6 +457,7 @@ static bool winreg_init_cb(void *ptr)
return true;
}
+#endif
static bool srvsvc_init_cb(void *ptr)
{
@@ -710,10 +712,12 @@ static bool svcctl_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = svcctl_init_winreg(ep_ctx->msg_ctx);
if (!ok) {
return false;
}
+#endif
/* initialize the control hooks */
init_service_op_table();
@@ -785,10 +789,12 @@ static bool eventlog_init_cb(void *ptr)
"epmapper",
"none");
+#ifdef WINREG_SUPPORT
ok = eventlog_init_winreg(ep_ctx->msg_ctx);
if (!ok) {
return false;
}
+#endif
if (StrCaseCmp(rpcsrv_type, "embedded") == 0 ||
StrCaseCmp(rpcsrv_type, "daemon") == 0) {
@@ -1077,12 +1083,14 @@ bool dcesrv_ep_setup(struct tevent_conte
}
}
+#ifdef WINREG_SUPPORT
winreg_cb.init = winreg_init_cb;
winreg_cb.shutdown = NULL;
winreg_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_winreg_init(&winreg_cb))) {
return false;
}
+#endif
srvsvc_cb.init = srvsvc_init_cb;
srvsvc_cb.shutdown = NULL;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -150,7 +150,9 @@ static void exit_server_common(enum serv
#endif
rpc_srvsvc_shutdown();
+#ifdef WINREG_SUPPORT
rpc_winreg_shutdown();
+#endif
rpc_netlogon_shutdown();
rpc_samr_shutdown();
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -112,9 +112,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
return false;
}
+#ifdef WINREG_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_winreg)) {
return false;
}
+#endif
#ifdef PRINTER_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
return false;
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -95,9 +95,11 @@ bool init_service_op_table( void )
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
svcctl_ops[i].ops = &winreg_svc_ops;
i++;
+#endif
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "WINS" );
svcctl_ops[i].ops = &wins_svc_ops;
--- a/source3/services/svc_winreg_glue.c
+++ b/source3/services/svc_winreg_glue.c
@@ -88,6 +88,10 @@ struct security_descriptor *svcctl_get_s
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return NULL;
+#endif
+
key = talloc_asprintf(mem_ctx,
"%s\\%s\\Security",
TOP_LEVEL_SERVICES_KEY, name);
@@ -161,6 +165,10 @@ bool svcctl_set_secdesc(struct messaging
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return false;
+#endif
+
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return false;
@@ -272,6 +280,10 @@ const char *svcctl_get_string_value(TALL
NTSTATUS status;
WERROR result = WERR_OK;
+#ifndef WINREG_SUPPORT
+ return NULL;
+#endif
+
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
return NULL;
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -642,7 +642,9 @@ static struct cmd_set *rpcclient_command
drsuapi_commands,
eventlog_commands,
#endif
+#ifdef WINREG_SUPPORT
winreg_commands,
+#endif
NULL
};

213
net/samba3/250-remove_domain_logon.patch
View file

@ -1,213 +0,0 @@
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -606,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -654,6 +655,7 @@ static bool netlogon_init_cb(void *ptr)
return true;
}
+#endif
static bool spoolss_init_cb(void *ptr)
{
@@ -1116,12 +1118,15 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
netlogon_cb.shutdown = NULL;
netlogon_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_netlogon_init(&netlogon_cb))) {
return false;
}
+#endif
+
rpcsrv_type = lp_parm_const_string(GLOBAL_SECTION_SNUM,
"rpc_server",
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -103,9 +103,11 @@ static bool initialize_interfaces(void)
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
}
+#endif
if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
return false;
}
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -156,7 +156,9 @@ static void exit_server_common(enum serv
rpc_winreg_shutdown();
#endif
+#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
+#endif
rpc_samr_shutdown();
rpc_lsarpc_shutdown();
}
--- a/source3/rpc_server/svcctl/srv_svcctl_nt.c
+++ b/source3/rpc_server/svcctl/srv_svcctl_nt.c
@@ -91,9 +91,11 @@ bool init_service_op_table( void )
i++;
#endif
+#ifdef NETLOGON_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "NETLOGON" );
svcctl_ops[i].ops = &netlogon_svc_ops;
i++;
+#endif
#ifdef WINREG_SUPPORT
svcctl_ops[i].name = talloc_strdup( svcctl_ops, "RemoteRegistry" );
--- a/source3/nmbd/nmbd_processlogon.c
+++ b/source3/nmbd/nmbd_processlogon.c
@@ -320,6 +320,10 @@ void process_logon_packet(struct packet_
NTSTATUS status;
const char *pdc_name;
+#ifndef NETLOGON_SUPPORT
+ return;
+#endif
+
in_addr_to_sockaddr_storage(&ss, p->ip);
pss = iface_ip((struct sockaddr *)&ss);
if (!pss) {
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -627,7 +627,9 @@ static struct cmd_set *rpcclient_command
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
+#ifdef NETLOGON_SUPPORT
netlogon_commands,
+#endif
srvsvc_commands,
#ifdef DFS_SUPPORT
dfs_commands,
--- a/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
+++ b/source3/rpc_server/wkssvc/srv_wkssvc_nt.c
@@ -824,6 +824,10 @@ WERROR _wkssvc_NetrJoinDomain2(struct pi
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
}
@@ -901,6 +905,10 @@ WERROR _wkssvc_NetrUnjoinDomain2(struct
WERROR werr;
struct security_token *token = p->session_info->security_token;
+#ifndef NETLOGON_SUPPORT
+ return WERR_NOT_SUPPORTED;
+#endif
+
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
}
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -46,9 +46,11 @@ NTSTATUS trust_pw_change_and_store_it(st
NTSTATUS nt_status;
switch (sec_channel_type) {
+#ifdef NETLOGON_SUPPORT
case SEC_CHAN_WKSTA:
case SEC_CHAN_DOMAIN:
break;
+#endif
default:
return NT_STATUS_NOT_SUPPORTED;
}
@@ -159,6 +161,11 @@ bool enumerate_domain_trusts( TALLOC_CTX
*num_domains = 0;
*sids = NULL;
+#ifndef NETLOGON_SUPPORT
+ return False;
+#endif
+
+
/* lookup a DC first */
if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
@@ -243,6 +250,10 @@ NTSTATUS change_trust_account_password(
struct cli_state *cli = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
+#ifndef NETLOGON_SUPPORT
+ return NT_STATUS_UNSUCCESSFUL;
+#endif
+
DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
domain));
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -538,7 +538,9 @@ static NTSTATUS auth_init_trustdomain(st
NTSTATUS auth_domain_init(void)
{
+#ifdef NETLOGON_SUPPORT
smb_register_auth(AUTH_INTERFACE_VERSION, "trustdomain", auth_init_trustdomain);
smb_register_auth(AUTH_INTERFACE_VERSION, "ntdomain", auth_init_ntdomain);
+#endif
return NT_STATUS_OK;
}
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -2431,8 +2431,10 @@ static bool housekeeping_fn(const struct
/* check if we need to reload services */
check_reload(sconn, time_mono(NULL));
+#ifdef NETLOGON_SUPPORT
/* Change machine password if neccessary. */
attempt_machine_password_change();
+#endif
/*
* Force a log file check.
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -421,10 +421,12 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#ifdef NETLOGON_SUPPORT
ok = ndr_syntax_id_equal(abstract, &ndr_table_netlogon.syntax_id);
if (ok) {
context_fns->allow_connect = false;
}
+#endif
/*
* for the epmapper and echo interfaces we allow "connect"
* auth_level by default.
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2221,6 +2221,10 @@ static void rpc_pipe_bind_step_two_trigg
struct schannel_state);
struct tevent_req *subreq;
+#ifndef NETLOGON_SUPPORT
+ tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+ return;
+#endif
if (schannel_auth == NULL ||
!ndr_syntax_id_equal(&state->cli->abstract_syntax,
&ndr_table_netlogon.syntax_id)) {

162
net/samba3/260-remove_samr.patch
View file

@ -1,162 +0,0 @@
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -59,8 +59,11 @@ struct handle_list {
static bool is_samr_lsa_pipe(const struct ndr_syntax_id *syntax)
{
- return (ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id)
- || ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id));
+ return
+#ifdef SAMR_SUPPORT
+ ndr_syntax_id_equal(syntax, &ndr_table_samr.syntax_id) ||
+#endif
+ ndr_syntax_id_equal(syntax, &ndr_table_lsarpc.syntax_id);
}
size_t num_pipe_handles(struct pipes_struct *p)
--- a/source3/librpc/rpc/rpc_common.c
+++ b/source3/librpc/rpc/rpc_common.c
@@ -100,9 +100,11 @@ static bool initialize_interfaces(void)
return false;
}
#endif
+#ifdef SAMR_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_samr)) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
return false;
--- a/source3/rpc_server/rpc_ep_setup.c
+++ b/source3/rpc_server/rpc_ep_setup.c
@@ -557,6 +557,7 @@ static bool lsarpc_init_cb(void *ptr)
return true;
}
+#ifdef SAMR_SUPPORT
static bool samr_init_cb(void *ptr)
{
struct dcesrv_ep_context *ep_ctx =
@@ -605,6 +606,7 @@ static bool samr_init_cb(void *ptr)
return true;
}
+#endif
#ifdef NETLOGON_SUPPORT
static bool netlogon_init_cb(void *ptr)
@@ -1111,12 +1113,14 @@ bool dcesrv_ep_setup(struct tevent_conte
return false;
}
+#ifdef SAMR_SUPPORT
samr_cb.init = samr_init_cb;
samr_cb.shutdown = NULL;
samr_cb.private_data = ep_ctx;
if (!NT_STATUS_IS_OK(rpc_samr_init(&samr_cb))) {
return false;
}
+#endif
#ifdef NETLOGON_SUPPORT
netlogon_cb.init = netlogon_init_cb;
--- a/source3/smbd/server_exit.c
+++ b/source3/smbd/server_exit.c
@@ -159,7 +159,9 @@ static void exit_server_common(enum serv
#ifdef NETLOGON_SUPPORT
rpc_netlogon_shutdown();
#endif
+#ifdef SAMR_SUPPORT
rpc_samr_shutdown();
+#endif
rpc_lsarpc_shutdown();
}
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -623,7 +623,9 @@ static struct cmd_set *rpcclient_command
rpcclient_commands,
lsarpc_commands,
ds_commands,
+#ifdef SAMR_SUPPORT
samr_commands,
+#endif
#ifdef PRINTER_SUPPORT
spoolss_commands,
#endif
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2353,6 +2353,10 @@ static bool api_RNetGroupEnum(struct smb
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2541,6 +2545,10 @@ static bool api_NetUserGetGroups(struct
NTSTATUS status, result;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
@@ -2741,6 +2749,10 @@ static bool api_RNetUserEnum(struct smbd
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -2979,6 +2991,10 @@ static bool api_SamOEMChangePassword(str
int bufsize;
struct dcerpc_binding_handle *b;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
*rparam_len = 4;
*rparam = smb_realloc_limit(*rparam,*rparam_len);
if (!*rparam) {
@@ -4020,6 +4036,10 @@ static bool api_RNetUserGetInfo(struct s
union samr_UserInfo *info;
struct dcerpc_binding_handle *b = NULL;
+#ifndef SAMR_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !UserName || !p) {
return False;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -409,6 +409,7 @@ static bool check_bind_req(struct pipes_
context_fns->syntax = *abstract;
context_fns->allow_connect = lp_allow_dcerpc_auth_level_connect();
+#ifdef SAMR_SUPPORT
/*
* for the samr and the lsarpc interfaces we don't allow "connect"
* auth_level by default.
@@ -417,6 +418,7 @@ static bool check_bind_req(struct pipes_
if (ok) {
context_fns->allow_connect = false;
}
+#endif
ok = ndr_syntax_id_equal(abstract, &ndr_table_lsarpc.syntax_id);
if (ok) {
context_fns->allow_connect = false;

43
net/samba3/270-remove_registry_backend.patch
View file

@ -1,43 +0,0 @@
--- a/source3/lib/smbconf/smbconf_init.c
+++ b/source3/lib/smbconf/smbconf_init.c
@@ -68,9 +68,12 @@ sbcErr smbconf_init(TALLOC_CTX *mem_ctx,
}
}
+#ifdef REGISTRY_BACKEND
if (strequal(backend, "registry") || strequal(backend, "reg")) {
err = smbconf_init_reg(mem_ctx, conf_ctx, path);
- } else if (strequal(backend, "file") || strequal(backend, "txt")) {
+ } else
+#endif
+ if (strequal(backend, "file") || strequal(backend, "txt")) {
err = smbconf_init_txt(mem_ctx, conf_ctx, path);
} else if (sep == NULL) {
/*
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -557,7 +557,10 @@ static WERROR NetServerSetInfo_l_1005(st
return WERR_INVALID_PARAM;
}
- if (!lp_config_backend_is_registry()) {
+#ifdef REGISTRY_BACKEND
+ if (!lp_config_backend_is_registry())
+#endif
+ {
libnetapi_set_error_string(ctx,
"Configuration manipulation requested but not "
"supported by backend");
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -1230,8 +1230,10 @@ extern void build_options(bool screen);
exit(1);
}
+#ifdef REGISTRY_BACKEND
if (!W_ERROR_IS_OK(registry_init_full()))
exit(1);
+#endif
/* Open the share_info.tdb here, so we don't have to open
after the fork on every single connection. This is a small

143
net/samba3/280-strip_srvsvc.patch
View file

@ -1,143 +0,0 @@
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -2197,6 +2197,10 @@ static bool api_RNetShareAdd(struct smbd
struct srvsvc_NetShareInfo2 info2;
struct dcerpc_binding_handle *b;
+#ifndef SRVSVC_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
@@ -3589,10 +3593,7 @@ static bool api_RNetServerGetInfo(struct
NTSTATUS status;
WERROR werr;
TALLOC_CTX *mem_ctx = talloc_tos();
- struct rpc_pipe_client *cli = NULL;
- union srvsvc_NetSrvInfo info;
int errcode;
- struct dcerpc_binding_handle *b;
if (!str1 || !str2 || !p) {
return False;
@@ -3655,66 +3656,16 @@ static bool api_RNetServerGetInfo(struct
p = *rdata;
p2 = p + struct_len;
- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
- conn->session_info,
- &conn->sconn->client_id,
- conn->sconn->msg_ctx,
- &cli);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0,("api_RNetServerGetInfo: could not connect to srvsvc: %s\n",
- nt_errstr(status)));
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
-
- b = cli->binding_handle;
-
- status = dcerpc_srvsvc_NetSrvGetInfo(b, mem_ctx,
- NULL,
- 101,
- &info,
- &werr);
- if (!NT_STATUS_IS_OK(status)) {
- errcode = W_ERROR_V(ntstatus_to_werror(status));
- goto out;
- }
- if (!W_ERROR_IS_OK(werr)) {
- errcode = W_ERROR_V(werr);
- goto out;
- }
-
- if (info.info101 == NULL) {
- errcode = W_ERROR_V(WERR_INVALID_PARAM);
- goto out;
- }
-
if (uLevel != 20) {
- srvstr_push(NULL, 0, p, info.info101->server_name, 16,
+ srvstr_push(NULL, 0, p, global_myname(), 16,
STR_ASCII|STR_UPPER|STR_TERMINATE);
- }
+ }
p += 16;
if (uLevel > 0) {
- SCVAL(p,0,info.info101->version_major);
- SCVAL(p,1,info.info101->version_minor);
- SIVAL(p,2,info.info101->server_type);
-
- if (mdrcnt == struct_len) {
- SIVAL(p,6,0);
- } else {
- SIVAL(p,6,PTR_DIFF(p2,*rdata));
- if (mdrcnt - struct_len <= 0) {
- return false;
- }
- push_ascii(p2,
- info.info101->comment,
- MIN(mdrcnt - struct_len,
- MAX_SERVER_STRING_LENGTH),
- STR_TERMINATE);
- p2 = skip_string(*rdata,*rdata_len,p2);
- if (!p2) {
- return False;
- }
- }
+ SCVAL(p,0,lp_major_announce_version());
+ SCVAL(p,1,lp_minor_announce_version());
+ SIVAL(p,2,lp_default_server_announce());
+ SIVAL(p,6,0);
}
if (uLevel > 1) {
@@ -5405,6 +5356,10 @@ static bool api_RNetSessionEnum(struct s
uint32_t totalentries, resume_handle = 0;
uint32_t count = 0;
+#ifndef SRVSVC_SUPPORT
+ return False;
+#endif
+
if (!str1 || !str2 || !p) {
return False;
}
--- a/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srvsvc/srv_srvsvc_nt.c
@@ -1533,6 +1533,10 @@ WERROR _srvsvc_NetShareSetInfo(struct pi
TALLOC_CTX *ctx = p->mem_ctx;
union srvsvc_NetShareInfo *info = r->in.info;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareSetInfo: %d\n", __LINE__));
if (!r->in.share_name) {
@@ -1763,6 +1767,10 @@ WERROR _srvsvc_NetShareAdd(struct pipes_
int max_connections = 0;
TALLOC_CTX *ctx = p->mem_ctx;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareAdd: %d\n", __LINE__));
if (r->out.parm_error) {
@@ -1945,6 +1953,10 @@ WERROR _srvsvc_NetShareDel(struct pipes_
struct share_params *params;
TALLOC_CTX *ctx = p->mem_ctx;
+#ifndef FULL_SRVSVC
+ return WERR_ACCESS_DENIED;
+#endif
+
DEBUG(5,("_srvsvc_NetShareDel: %d\n", __LINE__));
if (!r->in.share_name) {

11
net/samba3/300-assert_debug_level.patch
View file

@ -1,11 +0,0 @@
--- a/lib/util/util.h
+++ b/lib/util/util.h
@@ -53,7 +53,7 @@ extern const char *panic_action;
#else
/* redefine the assert macro for non-developer builds */
#define SMB_ASSERT(b) do { if (!(b)) { \
- DEBUG(0,("PANIC: assert failed at %s(%d): %s\n", \
+ DEBUG(3,("PANIC: assert failed at %s(%d): %s\n", \
__FILE__, __LINE__, #b)); }} while (0)
#endif

337
net/samba3/310-remove_error_strings.patch
View file

@ -1,337 +0,0 @@
--- a/libcli/util/doserr.c
+++ b/libcli/util/doserr.c
@@ -28,6 +28,7 @@ struct werror_code_struct {
static const struct werror_code_struct dos_errs[] =
{
+#ifdef VERBOSE_ERROR
{ "WERR_OK", WERR_OK },
{ "WERR_BADFILE", WERR_BADFILE },
{ "WERR_ACCESS_DENIED", WERR_ACCESS_DENIED },
@@ -2668,6 +2669,7 @@ static const struct werror_code_struct d
{ "WERR_AMBIGUOUS_SYSTEM_DEVICE", WERR_AMBIGUOUS_SYSTEM_DEVICE },
{ "WERR_SYSTEM_DEVICE_NOT_FOUND", WERR_SYSTEM_DEVICE_NOT_FOUND },
/* END GENERATED-WIN32-ERROR-CODES */
+#endif
{ NULL, W_ERROR(0) }
};
@@ -2684,12 +2686,14 @@ const char *win_errstr(WERROR werror)
static char msg[40];
int idx = 0;
+#ifdef VERBOSE_ERROR
while (dos_errs[idx].dos_errstr != NULL) {
if (W_ERROR_V(dos_errs[idx].werror) ==
W_ERROR_V(werror))
return dos_errs[idx].dos_errstr;
idx++;
}
+#endif
slprintf(msg, sizeof(msg), "DOS code 0x%08x", W_ERROR_V(werror));
@@ -2702,6 +2706,7 @@ struct werror_str_struct {
};
const struct werror_str_struct dos_err_strs[] = {
+#ifdef VERBOSE_ERROR
{ WERR_OK, "Success" },
{ WERR_ACCESS_DENIED, "Access is denied" },
{ WERR_INVALID_PARAM, "Invalid parameter" },
@@ -5324,6 +5329,7 @@ const struct werror_str_struct dos_err_s
{ WERR_AMBIGUOUS_SYSTEM_DEVICE, "The requested system device cannot be identified due to multiple indistinguishable devices potentially matching the identification criteria." },
{ WERR_SYSTEM_DEVICE_NOT_FOUND, "The requested system device cannot be found." },
/* END GENERATED-WIN32-ERROR-CODES-DESC */
+#endif
};
@@ -5334,6 +5340,7 @@ const struct werror_str_struct dos_err_s
const char *get_friendly_werror_msg(WERROR werror)
{
+#ifdef VERBOSE_ERROR
int i = 0;
for (i = 0; i < ARRAY_SIZE(dos_err_strs); i++) {
@@ -5342,6 +5349,7 @@ const char *get_friendly_werror_msg(WERR
return dos_err_strs[i].friendly_errstr;
}
}
+#endif
return win_errstr(werror);
}
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -663,4 +663,20 @@ _PUBLIC_ enum ndr_err_code ndr_push_enum
_PUBLIC_ void ndr_print_bool(struct ndr_print *ndr, const char *name, const bool b);
+#ifndef VERBOSE_ERROR
+#define ndr_print_bool(...) do {} while (0)
+#define ndr_print_struct(...) do {} while (0)
+#define ndr_print_null(...) do {} while (0)
+#define ndr_print_enum(...) do {} while (0)
+#define ndr_print_bitmap_flag(...) do {} while (0)
+#define ndr_print_ptr(...) do {} while (0)
+#define ndr_print_union(...) do {} while (0)
+#define ndr_print_bad_level(...) do {} while (0)
+#define ndr_print_array_uint8(...) do {} while (0)
+#define ndr_print_string_array(...) do {} while (0)
+#define ndr_print_string_array(...) do {} while (0)
+#define ndr_print_NTSTATUS(...) do {} while (0)
+#define ndr_print_WERROR(...) do {} while (0)
+#endif
+
#endif /* __LIBNDR_H__ */
--- a/librpc/ndr/ndr_basic.c
+++ b/librpc/ndr/ndr_basic.c
@@ -31,6 +31,19 @@
#define NDR_SIVAL(ndr, ofs, v) do { if (NDR_BE(ndr)) { RSIVAL(ndr->data,ofs,v); } else SIVAL(ndr->data,ofs,v); } while (0)
#define NDR_SIVALS(ndr, ofs, v) do { if (NDR_BE(ndr)) { RSIVALS(ndr->data,ofs,v); } else SIVALS(ndr->data,ofs,v); } while (0)
+#undef ndr_print_bool
+#undef ndr_print_struct
+#undef ndr_print_null
+#undef ndr_print_enum
+#undef ndr_print_bitmap_flag
+#undef ndr_print_ptr
+#undef ndr_print_union
+#undef ndr_print_bad_level
+#undef ndr_print_array_uint8
+#undef ndr_print_string_array
+#undef ndr_print_string_array
+#undef ndr_print_NTSTATUS
+#undef ndr_print_WERROR
/*
check for data leaks from the server by looking for non-zero pad bytes
--- a/librpc/ndr/ndr_string.c
+++ b/librpc/ndr/ndr_string.c
@@ -588,6 +588,7 @@ _PUBLIC_ enum ndr_err_code ndr_push_stri
return NDR_ERR_SUCCESS;
}
+#undef ndr_print_string_array
_PUBLIC_ void ndr_print_string_array(struct ndr_print *ndr, const char *name, const char **a)
{
uint32_t count;
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -31,6 +31,7 @@ struct dcerpc_fault_table {
static const struct dcerpc_fault_table dcerpc_faults[] =
{
#define _FAULT_STR(x) { #x , x }
+#ifdef VERBOSE_ERROR
_FAULT_STR(DCERPC_NCA_S_COMM_FAILURE),
_FAULT_STR(DCERPC_NCA_S_OP_RNG_ERROR),
_FAULT_STR(DCERPC_NCA_S_UNKNOWN_IF),
@@ -78,6 +79,7 @@ static const struct dcerpc_fault_table d
_FAULT_STR(DCERPC_NCA_S_FAULT_CODESET_CONV_ERROR),
_FAULT_STR(DCERPC_NCA_S_FAULT_OBJECT_NOT_FOUND),
_FAULT_STR(DCERPC_NCA_S_FAULT_NO_CLIENT_STUB),
+#endif
{ NULL, 0 }
#undef _FAULT_STR
};
@@ -87,12 +89,14 @@ _PUBLIC_ const char *dcerpc_errstr(TALLO
int idx = 0;
WERROR werr = W_ERROR(fault_code);
+#ifdef VERBOSE_ERROR
while (dcerpc_faults[idx].errstr != NULL) {
if (dcerpc_faults[idx].faultcode == fault_code) {
return dcerpc_faults[idx].errstr;
}
idx++;
}
+#endif
return win_errstr(werr);
}
--- a/source3/libsmb/nterr.c
+++ b/source3/libsmb/nterr.c
@@ -702,6 +702,7 @@ const char *nt_errstr(NTSTATUS nt_code)
NT_STATUS_DOS_CODE(nt_code));
}
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -709,6 +710,7 @@ const char *nt_errstr(NTSTATUS nt_code)
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT code 0x%08x",
NT_STATUS_V(nt_code));
@@ -724,12 +726,14 @@ const char *get_friendly_nt_error_msg(NT
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_err_desc[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_err_desc[idx].nt_errcode) == NT_STATUS_V(nt_code)) {
return nt_err_desc[idx].nt_errstr;
}
idx++;
}
+#endif
/* fall back to NT_STATUS_XXX string */
@@ -745,6 +749,7 @@ const char *get_nt_error_c_code(NTSTATUS
char *result;
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (NT_STATUS_V(nt_errs[idx].nt_errcode) ==
NT_STATUS_V(nt_code)) {
@@ -752,6 +757,7 @@ const char *get_nt_error_c_code(NTSTATUS
}
idx++;
}
+#endif
result = talloc_asprintf(talloc_tos(), "NT_STATUS(0x%08x)",
NT_STATUS_V(nt_code));
@@ -767,12 +773,14 @@ NTSTATUS nt_status_string_to_code(const
{
int idx = 0;
+#ifdef VERBOSE_ERROR
while (nt_errs[idx].nt_errstr != NULL) {
if (strcasecmp(nt_errs[idx].nt_errstr, nt_status_str) == 0) {
return nt_errs[idx].nt_errcode;
}
idx++;
}
+#endif
return NT_STATUS_UNSUCCESSFUL;
}
--- a/lib/tdb/common/tdb_private.h
+++ b/lib/tdb/common/tdb_private.h
@@ -69,7 +69,11 @@ typedef uint32_t tdb_off_t;
/* NB assumes there is a local variable called "tdb" that is the
* current context, also takes doubly-parenthesized print-style
* argument. */
+#ifdef VERBOSE_DEBUG
#define TDB_LOG(x) tdb->log.log_fn x
+#else
+#define TDB_LOG(x) do {} while(0)
+#endif
#ifdef TDB_TRACE
void tdb_trace(struct tdb_context *tdb, const char *op);
--- a/source3/script/mkbuildoptions.awk
+++ b/source3/script/mkbuildoptions.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/script/mkbuildoptions-waf.awk
+++ b/source3/script/mkbuildoptions-waf.awk
@@ -55,7 +55,7 @@ BEGIN {
print "****************************************************************************/";
print "void build_options(bool screen)";
print "{";
- print " if ((DEBUGLEVEL < 4) && (!screen)) {";
+ print " if ((DEBUGLEVEL < 4) || (!screen)) {";
print " return;";
print " }";
print "";
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -445,7 +445,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -466,7 +465,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -486,7 +484,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -508,7 +505,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -526,7 +522,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
@@ -570,7 +565,6 @@ static NTSTATUS cli_pipe_validate_curren
rpccli_pipe_txt(talloc_tos(), cli),
pkt->ptype, expected_pkt_type,
nt_errstr(ret)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
return ret;
}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err;
}
@@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
goto err_exit;
}
@@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
nt_errstr(status)));
- NDR_PRINT_DEBUG(ncacn_packet, pkt);
set_incoming_fault(p);
return false;
}

22
net/samba3/320-debug_level_checks.patch
View file

@ -1,22 +0,0 @@
--- a/lib/util/debug.h
+++ b/lib/util/debug.h
@@ -45,7 +45,7 @@ bool dbghdr( int level, const char *loca
* Redefine DEBUGLEVEL because so we don't have to change every source file
* that *unnecessarily* references it.
*/
-#define DEBUGLEVEL DEBUGLEVEL_CLASS[DBGC_ALL]
+#define DEBUGLEVEL 0
/*
* Define all new debug classes here. A class is represented by an entry in
--- a/source3/nmbd/asyncdns.c
+++ b/source3/nmbd/asyncdns.c
@@ -85,7 +85,7 @@ static void asyncdns_process(void)
struct query_record r;
unstring qname;
- DEBUGLEVEL = -1;
+ DEBUGLEVEL_CLASS[DBGC_ALL] = -1;
while (1) {
NTSTATUS status;

8854
net/samba3/330-librpc_default_print.patch
View file

File diff suppressed because it is too large Load diff

148
net/samba3/samba3.SMBuild
View file

@ -1,148 +0,0 @@
app=samba3
version=3.6.25
build=1sml
homepage="https://www.samba.org/"
download="https://download.samba.org/pub/samba/stable/samba-3.6.25.tar.gz"
desc="CIFS file and print server version 3"
requires="acl attr netbsd-curses readline libcap tar db popt libaio"
build() {
mkandenterbuilddir
rm -rf samba-$version
tar xf $srcdir/samba-$version.tar.?z*
cd samba-$version
fixbuilddirpermissions
applypatch $srcdir/010-patch-cve-2015-5252.patch
applypatch $srcdir/011-patch-cve-2015-5296.patch
applypatch $srcdir/012-patch-cve-2015-5299.patch
applypatch $srcdir/015-patch-cve-2015-7560.patch
applypatch $srcdir/020-CVE-preparation-v3-6.patch
applypatch $srcdir/021-CVE-preparation-v3-6-addition.patch
applypatch $srcdir/022-CVE-2015-5370-v3-6.patch
applypatch $srcdir/023-CVE-2016-2110-v3-6.patch
applypatch $srcdir/024-CVE-2016-2111-v3-6.patch
applypatch $srcdir/025-CVE-2016-2112-v3-6.patch
applypatch $srcdir/026-CVE-2016-2115-v3-6.patch
applypatch $srcdir/027-CVE-2016-2118-v3-6.patch
applypatch $srcdir/028-CVE-2016-2125-v3.6.patch
applypatch $srcdir/029-CVE-2017-7494-v3-6.patch
applypatch $srcdir/030-CVE-2017-15275-v3.6.patch
applypatch $srcdir/031-CVE-2017-12163-v3.6.patch
applypatch $srcdir/032-CVE-2017-12150-v3.6.patch
applypatch $srcdir/032-CVE-2018-1050-v3-6.patch
applypatch $srcdir/200-remove_printer_support.patch
applypatch $srcdir/220-remove_services.patch
applypatch $srcdir/230-remove_winreg_support.patch
applypatch $srcdir/250-remove_domain_logon.patch
applypatch $srcdir/270-remove_registry_backend.patch
applypatch $srcdir/280-strip_srvsvc.patch
applypatch $srcdir/300-assert_debug_level.patch
applypatch $srcdir/310-remove_error_strings.patch
applypatch $srcdir/320-debug_level_checks.patch
applypatch $srcdir/330-librpc_default_print.patch
cd source3
ac_cv_lib_attr_getxattr=no \
ac_cv_search_getxattr=no \
ac_cv_file__proc_sys_kernel_core_pattern=yes \
libreplace_cv_HAVE_C99_VSNPRINTF=yes \
libreplace_cv_HAVE_GETADDRINFO=yes \
libreplace_cv_HAVE_IFACE_IFCONF=yes \
LINUX_LFS_SUPPORT=yes \
samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \
samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \
samba_cv_HAVE_IFACE_IFCONF=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes \
samba_cv_HAVE_SECURE_MKSTEMP=yes \
samba_cv_HAVE_WRFILE_KEYTAB=no \
samba_cv_USE_SETREUID=yes \
samba_cv_USE_SETRESUID=yes \
samba_cv_have_setresuid=yes \
samba_cv_have_setreuid=yes \
ac_cv_header_libunwind_h=no \
ac_cv_header_zlib_h=no \
samba_cv_zlib_1_2_3=no \
ac_cv_path_PYTHON="" \
ac_cv_path_PYTHON_CONFIG="" \
CFLAGS="$CFLAGS -ffunction-sections -fdata-sections" \
./configure \
--prefix="/" \
--bindir=/bin \
--sbindir=/bin \
--libexecdir=/lib \
--sysconfdir=/etc \
--localstatedir=/var \
--docdir=/doc/"$app-$version" \
--disable-avahi \
--disable-cups \
--disable-external-libtalloc \
--disable-external-libtdb \
--disable-external-libtevent \
--disable-pie \
--disable-relro \
--disable-static \
--disable-swat \
--disable-shared-libs \
--with-codepagedir=/etc/samba \
--with-configdir=/etc/samba \
--with-included-iniparser \
--with-included-popt \
--with-lockdir=/var/lock \
--with-logfilebase=/var/log \
--with-nmbdsocketdir=/var/nmbd \
--with-piddir=/var/run \
--with-privatedir=/etc/samba \
--with-sendfile-support \
--with-acl-support \
--with-automount \
--with-syslog \
--with-winbind \
--without-ldap \
--without-pam \
$builddist
make -j4 V=s
make install DESTDIR=$pkg
cp ../COPYING $pkgdocs/
preprunitservice smbd down
preprunitservice nmbd down
mkfinalpkg
}
sha512sums="
25a5c56dae4517e82e196b59fa301b661ec75db57effbb0ede35fb23b018f78cdea6513e8760966caf58abc43335fcebda77fe5bf5bb9d4b27fd3ca6e5a3b626 samba-3.6.25.tar.gz
727c32a9bceeea810567ce59c07a17da41411d3dfa4ee95f7baf5e67950b537d35a679a355cf24af522042a2fec0e3a5292b2ff787cc127cb718e89666cea000 010-patch-cve-2015-5252.patch
7eaea41340eeff05adf9ba6453d319ba3c7ed04e43f2c70ea76ea39e6a55feca67029e332cb5ef12d3ac6336b8c7dc302fca4acd07c44ab85252e24eb82201d3 011-patch-cve-2015-5296.patch
db192e710418939028a388146423050106fa77eb95075330ad2051afe333bfe6ed9085cc1ed9a1b0c43a33fdb01eefc78d8b967f29f62d62ebde09953bc0d85d 012-patch-cve-2015-5299.patch
e75cc9a4fd7bde442deeb9c1adc2248dfd11fb528e18d6a2804a2f9fc96b5c3512544f2a83faf85c8c34e42eefae10d677bdd29a557ff554624147e9bb12e23a 015-patch-cve-2015-7560.patch
fee156db6f113a5ae7f4a6128f47d7aeb02d072ea255089acf106ae485d2d0dbaa63d432c199e8794c899c8989ce7ee1b5cb0a914a955a81cc340e0104172947 020-CVE-preparation-v3-6.patch
51f6938418dc9b441a122f56bb18a07d0e1a4539abf7c7dabde9a8785076c52c20c13a17be1e504516b0a48cfb4db93f9294a98a8de05ded8f843e649b26fc44 021-CVE-preparation-v3-6-addition.patch
ed868b99beebb2ac6ee75288498397b3ab05a10ccdbdb79fd9dbab8a114486c630c93ee5f6ae3fa586331ad3e8d84939731bfdb078b0193c25dcc4786f50daf3 022-CVE-2015-5370-v3-6.patch
6fcaf1bad12c55a5d96c581b6547923bdbbbdfc37d85ba63360cf9310aa5b1db14b9d2e35a4e22510664911e2b0809ec9374331a3ccc980e87b5c2986c0b256f 023-CVE-2016-2110-v3-6.patch
5d3734125cf2f36858b2570c8860383e04e4fc4f2e8065816af03f02879e638464d5e31c7137525cda9165f21da0b6b6d4d8778d43f76ca5d23e24bf2b0e07f7 024-CVE-2016-2111-v3-6.patch
92b9d44c3c5d72d72582480fe2722453d8389e56bd8d6391e6e8e880e9e894bee05e11db2ef844e2c0fd22ebe678de6903aa70724ffeaa147249c8572fa95046 025-CVE-2016-2112-v3-6.patch
bd6c573b7e8cb7df64c6bd4d590ddaa87b07909ac0e1e41ab7b026b0e8d481bdd37ce7e9e066e4aceb13330448aff79f108a88d0d6135fa82772f98f7aa334ac 026-CVE-2016-2115-v3-6.patch
e5d33106b5e0af800ca03d5d6d752f58effd389e235011363d6b81dfb942497b17b2cb65c31283db0dd00865d8c15618ffe4eee5436e457dd14deb9d73671036 027-CVE-2016-2118-v3-6.patch
64503ac96af22247402e36dceaecd2234ac289cc617a5a0e6368817da974f280a61f9074f8ecad5c428ca89cbf68c3ae9e41307e0aae5b712d32eb59598a23c6 028-CVE-2016-2125-v3.6.patch
db1aeb4d2c857cbe070036b42d5b5f61c372913c513c0ce8ad672cbecf80ab2e517ed1262e60dcd5de54ff3670067e7fec053935e89a0d4e055e770509fd1d14 029-CVE-2017-7494-v3-6.patch
f6aed92583178b42687b054332202a057b4851f5dab37393fd48e404ed90b3a369fad446f87bfe3120b5f4843623d2311ae1fd632f0caf4e01e4bda92b0b7b24 030-CVE-2017-15275-v3.6.patch
20b0c2c148c65f644432cbad4200b95eeb6a151118b1dc7e3a358f3a18a02c9fba9605706647f405ad945c37e255991f67d22a175a756ab46738efae2b12afd9 031-CVE-2017-12163-v3.6.patch
ca62d58efecda4a868412d780cf86a359e2ed84d4adeb5fe8683f57e668e183b139c7620fa80889990aeebe201afb7f4962640a49654b4fff42b28f05dc7e753 032-CVE-2017-12150-v3.6.patch
8b90909e7a0f304c3f8f483ebd8daa6663729bf02e96c74bebbfd25c0ed10e566a153974df8a47df99cc9041865cc17872e3267efda92b49d526467ef2095d5a 032-CVE-2018-1050-v3-6.patch
018c29e33c1267e4efa87d7463bf802aa035dd07f0ee3641b40a1f60233faba2355fe1e638b234f6af5f77c809e1bf3cfbf0386fd5120cbb16075e6352645a38 200-remove_printer_support.patch
24ba88aabf703d860e66a18891de4b4c5f63bf28c3f33667f700b0a66282672d883615adcc98be46b1025e3d810182600f0e4730b5bc0b9e906e9cfd7c6086ab 220-remove_services.patch
bb8f7b5359f6f0d9640ff491256f8755622c3e87978d91d84a15b08165329fb86aef257b69e388ce682502311d1fdf85850b486917c49d807c2be0c1a1ee6670 230-remove_winreg_support.patch
c7e359b1b4d1d0c843b0ec107481d0d15fd29c6a6c264ad50e1dc2e4ff5381ce86ac37145be376365d9d907e9c709a7d7547970323aba023c37ec444809870f9 250-remove_domain_logon.patch
ae187553e773f2919074a24454059636a9e0e5d72e8986ddaa39e821c39c6d806e95085b19c9a8823ef5ac61dd94b64955b4ca3a735bc5cf90154f2b3aaf857e 260-remove_samr.patch
87f1b97ef65e24f67d71117927e11bfa6bf2af935a22dab0bf8312c6825b23083c01c8e458dd3c45951ba09279eac5c6a051fdadc1cbadac11fb6f54ea27647d 270-remove_registry_backend.patch
acc5bfc79156bc334e321622370235fde9078707eac236ba28a6cd247ba6a68de42c4730f374ec7d50b8b8f95f4780224b0640735cd820cade676a4aff817d77 280-strip_srvsvc.patch
67ef8ccfe245e7afa07e61b540485efc635361878f1d4e3c342edc0d70ca742cb23e51e4e65c79f4377c6ff5ae4a42b4f38a4fbcdaec3391f5c726aaf6ca7f82 300-assert_debug_level.patch
bd84c2e1a297c833be733e85eb7ea9bbcb237e1b62a8610d677c978b444ee2e00f6c9ed095764799c10d277b99fa5b543116009840a3eb2cb0efbcd22de32e10 310-remove_error_strings.patch
63accd6a1cf3537a95ab213049bfc4f6574f0e8e882af8da159456360cc7f5ed69e147fc933d8520aa9619d057eae90649e46ac5b70708854a3cc25bcb9de26c 320-debug_level_checks.patch
504f66b7fe5b78b56aec0c11de2023edd77200fc1b2224d38dc680281c1112267dad731fc09fb7424928e3ae48c658183b88d4c9a4f512adf3da2e19d26b9e61 330-librpc_default_print.patch
"

14
net/samba4/doinst.sh
View file

@ -1,14 +0,0 @@
#!/bin/sh
config() {
NEW="$1"
OLD="`dirname $NEW`/`basename $NEW .new`"
# If there's no config file by that name, mv it over:
if [ ! -r $OLD ]; then
mv $NEW $OLD
elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
rm $NEW
fi
# Otherwise, we leave the .new copy for the admin to consider...
}
config etc/samba/smb.conf.new

3
net/samba4/nmbd.run
View file

@ -1,3 +0,0 @@
#!/bin/sh
PATH=/bin
exec nmbd -F 2>&1

223
net/samba4/smb.conf.default
View file

@ -1,223 +0,0 @@
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# For a step to step guide on installing, configuring and using samba,
# read the Samba-HOWTO-Collection. This may be obtained from:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# Many working examples of smb.conf files can be found in the
# Samba-Guide which is generated daily and can be downloaded from:
# http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
workgroup = MYGROUP
# server string is the equivalent of the NT Description field
server string = Samba Server
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Specifies the Kerberos or Active Directory realm the host is part of
; realm = MY_REALM
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
; passdb backend = tdbsam
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting.
# Note: Consider carefully the location in the configuration file of
# this line. The included file is read at that point.
; include = /usr/local/samba/lib/smb.conf.%m
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The default is NO.
dns proxy = no
# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
; add user script = /usr/sbin/useradd %u
; add group script = /usr/sbin/groupadd %g
; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
; delete user script = /usr/sbin/userdel %u
; delete user from group script = /usr/sbin/deluser %u %g
; delete group script = /usr/sbin/groupdel %g
#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
; [netlogon]
; comment = Network Logon Service
; path = /usr/local/samba/lib/netlogon
; guest ok = yes
; writable = no
; share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = no
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765

3
net/samba4/smbd.run
View file

@ -1,3 +0,0 @@
#!/bin/sh
PATH=/bin
exec smbd -F 2>&1

2513
net/samba4/tevent.h
View file

File diff suppressed because it is too large Load diff

2511
net/samba4/tevent.h.orig
View file

File diff suppressed because it is too large Load diff