samba-4.7-fix-*: Add backported commits to allow building against samba 4.7. (Closes: #880841)

2025-02-25 18:55:28 -06:00 · 2017-12-16 09:03:09 +02:00
parent a8dd1092c0
commit 98c9c2dae8
6 changed files with 2998 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ freeipa (4.4.4-4) UNRELEASED; urgency=medium

  [ Timo Aaltonen ]
  * fix-opendnssec-setup.diff: Use /usr/sbin prefix for ods binaries.
+  * samba-4.7-fix-*: Add backported commits to allow building against
+    samba 4.7. (Closes: #880841)

  [ Steve Langasek ]
  * Fix autopkgtest to be robust in the face of changed iproute2 output.
--- a/debian/patches/samba-4.7-fix-1.diff
+++ b/debian/patches/samba-4.7-fix-1.diff
@@ -0,0 +1,142 @@
+From 0f450488b0883c3e66cc8dfebd9498e9a5c13a7c Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Tue, 21 Mar 2017 17:33:20 +0100
+Subject: [PATCH] ipa-sam: create the gidNumber attribute in the trusted domain
+ entry
+
+When a trusted domain entry is created, the uidNumber attribute is created
+but not the gidNumber attribute. This causes samba to log
+	Failed to find a Unix account for DOM-AD$
+because the samu structure does not contain a group_sid and is not put
+in the cache.
+The fix creates the gidNumber attribute in the trusted domain entry,
+and initialises the group_sid field in the samu structure returned
+by ldapsam_getsampwnam. This ensures that the entry is put in the cache.
+
+Note that this is only a partial fix for 6660 as it does not prevent
+_netr_ServerAuthenticate3 from failing with the log
+	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.
+
+https://pagure.io/freeipa/issue/6827
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 40 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 37 insertions(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 4c1fda5f82..6a29e8e10b 100644
+--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
+@@ -195,6 +195,7 @@ struct ipasam_privates {
+ 	char *trust_dn;
+ 	char *flat_name;
+ 	struct dom_sid fallback_primary_group;
+	char *fallback_primary_group_gid_str;
+ 	char *server_princ;
+ 	char *client_princ;
+ 	struct sss_idmap_ctx *idmap_ctx;
+@@ -2419,6 +2420,9 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods,
+ 	if (entry == NULL || sid == NULL) {
+ 		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+ 				 LDAP_ATTRIBUTE_UIDNUMBER, IPA_MAGIC_ID_STR);
+		smbldap_make_mod(priv2ld(ldap_state), entry, &mods,
+		                 LDAP_ATTRIBUTE_GIDNUMBER,
+				 ldap_state->ipasam_privates->fallback_primary_group_gid_str);
+ 	}
+ 
+ 	if (td->netbios_name != NULL) {
+@@ -2829,6 +2833,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ {
+ 	NTSTATUS status;
+ 	struct dom_sid *u_sid;
+	struct dom_sid *g_sid;
+ 	char *name;
+ 	char *trustpw = NULL;
+ 	char *trustpw_utf8 = NULL;
+@@ -2884,6 +2889,11 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 	}
+ 	talloc_free(u_sid);
+ 
+	g_sid = &ldap_state->ipasam_privates->fallback_primary_group;
+	if (!pdb_set_group_sid(user, g_sid, PDB_SET)) {
+		return false;
+	}
+
+ 	status = get_trust_pwd(user, &td->trust_auth_incoming, &trustpw, NULL);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return false;
+@@ -3594,14 +3604,17 @@ static void ipasam_free_private_data(void **vp)
+ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
+ 					      struct smbldap_state *ldap_state,
+ 					      struct sss_idmap_ctx *idmap_ctx,
+-					      LDAPMessage *dom_entry)
+					      LDAPMessage *dom_entry,
+					      char **fallback_group_gid_str)
+ {
+ 	char *dn;
+ 	char *sid;
+	char *gidnumber;
+ 	int ret;
+ 	const char *filter = "objectClass=*";
+ 	const char *attr_list[] = {
+ 					LDAP_ATTRIBUTE_SID,
+					LDAP_ATTRIBUTE_GIDNUMBER,
+ 					NULL};
+ 	LDAPMessage *result;
+ 	LDAPMessage *entry;
+@@ -3648,9 +3661,20 @@ static struct dom_sid *get_fallback_group_sid(TALLOC_CTX *mem_ctx,
+ 		talloc_free(sid);
+ 		return NULL;
+ 	}
+	talloc_free(sid);
+
+	gidnumber = get_single_attribute(mem_ctx, ldap_state->ldap_struct,
+					entry, LDAP_ATTRIBUTE_GIDNUMBER);
+	if (gidnumber == NULL) {
+		DEBUG(0, ("Missing mandatory attribute %s.\n",
+			  LDAP_ATTRIBUTE_GIDNUMBER));
+		ldap_msgfree(result);
+		return NULL;
+	}
+
+	*fallback_group_gid_str = gidnumber;
+ 
+ 	ldap_msgfree(result);
+-	talloc_free(sid);
+ 
+ 	return fallback_group_sid;
+ }
+@@ -4443,6 +4467,7 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	char *domain_sid_string = NULL;
+ 	struct dom_sid *ldap_domain_sid = NULL;
+ 	struct dom_sid *fallback_group_sid = NULL;
+	char *fallback_group_gid_str = NULL;
+ 
+ 	LDAPMessage *result = NULL;
+ 	LDAPMessage *entry = NULL;
+@@ -4586,7 +4611,8 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 	fallback_group_sid = get_fallback_group_sid(ldap_state,
+ 					ldap_state->smbldap_state,
+ 					ldap_state->ipasam_privates->idmap_ctx,
+-					result);
+					result,
+					&fallback_group_gid_str);
+ 	if (fallback_group_sid == NULL) {
+ 		DEBUG(0, ("Cannot find SID of fallback group.\n"));
+ 		ldap_msgfree(result);
+@@ -4596,6 +4622,14 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 		 fallback_group_sid);
+ 	talloc_free(fallback_group_sid);
+ 
+	if (fallback_group_gid_str == NULL) {
+		DEBUG(0, ("Cannot find gidNumber of fallback group.\n"));
+		ldap_msgfree(result);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	ldap_state->ipasam_privates->fallback_primary_group_gid_str =
+		fallback_group_gid_str;
+
+ 	domain_sid_string = get_single_attribute(
+ 				ldap_state,
+ 				ldap_state->smbldap_state->ldap_struct,
--- a/debian/patches/samba-4.7-fix-2.diff
+++ b/debian/patches/samba-4.7-fix-2.diff
@@ -0,0 +1,77 @@
+From 64d23dd1382223fd2c0eb4aea0988977118b5799 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 16 Jun 2017 16:26:41 +0200
+Subject: [PATCH] ipa-sam: replace encode_nt_key() with E_md4hash()
+
+Since ipa-sam is running as part of smbd is it safe to use the
+E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
+libraries which might depend on other rules like e.g. FIPS mode.
+
+Resolves https://pagure.io/freeipa/issue/7026
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 27 ++-------------------------
+ 1 file changed, 2 insertions(+), 25 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 6a29e8e10b..59d92f37c9 100644
+--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
+@@ -110,6 +110,7 @@ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so *
+ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
+ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
+ void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+bool E_md4hash(const char *passwd, uint8_t p16[16]); /* available in libcliauth-samba4.so */
+ 
+ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
+ #define LDAP_OBJ_TRUSTED_DOMAIN "ipaNTTrustedDomain"
+@@ -2836,11 +2837,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 	struct dom_sid *g_sid;
+ 	char *name;
+ 	char *trustpw = NULL;
+-	char *trustpw_utf8 = NULL;
+-	char *tmp_str = NULL;
+-	int ret;
+ 	uint8_t nt_key[16];
+-	size_t converted_size;
+ 	bool res;
+ 	char *sid_str;
+ 	enum idmap_error_code err;
+@@ -2899,19 +2896,7 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 		return false;
+ 	}
+ 
+-	if (!push_utf8_talloc(user, &trustpw_utf8, trustpw, &converted_size)) {
+-		res = false;
+-		goto done;
+-	}
+-
+-	tmp_str = talloc_strdup_upper(user, trustpw);
+-	if (tmp_str == NULL) {
+-		res = false;
+-		goto done;
+-	}
+-
+-	ret = encode_nt_key(trustpw_utf8, nt_key);
+-	if (ret != 0) {
+	if (!E_md4hash(trustpw, nt_key)) {
+ 		res = false;
+ 		goto done;
+ 	}
+@@ -2927,14 +2912,6 @@ static bool init_sam_from_td(struct samu *user, struct pdb_trusted_domain *td,
+ 		memset(trustpw, 0, strlen(trustpw));
+ 		talloc_free(trustpw);
+ 	}
+-	if (trustpw_utf8 != NULL) {
+-		memset(trustpw_utf8, 0, strlen(trustpw_utf8));
+-		talloc_free(trustpw_utf8);
+-	}
+-	if (tmp_str != NULL) {
+-		memset(tmp_str, 0, strlen(tmp_str));
+-		talloc_free(tmp_str);
+-	}
+ 
+ 	return res;
+ }
--- a/debian/patches/samba-4.7-fix-3.diff
+++ b/debian/patches/samba-4.7-fix-3.diff
--- a/debian/patches/samba-4.7-fix-4.diff
+++ b/debian/patches/samba-4.7-fix-4.diff
@@ -0,0 +1,52 @@
+From c2fd529cb3ca56ab243e53fb1098748a76c42cde Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 3 Jul 2017 14:38:05 +0300
+Subject: [PATCH] ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
+
+Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
+opaque. This means ipa-sam module cannot anymore directly set its
+LDAP bind callback.
+
+Use new smbldap API to set the LDAP bind callback.
+
+Fixes https://pagure.io/freeipa/issue/6877
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ daemons/configure.ac      | 5 +++++
+ daemons/ipa-sam/ipa_sam.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index b3fed6e79e..b33fc78298 100644
+--- a/daemons/configure.ac
+++ b/daemons/configure.ac
+@@ -230,6 +230,11 @@ AC_CHECK_LIB([smbldap],[smbldap_get_ldap],
+              [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_get_ldap])],
+              [$SAMBA40EXTRA_LIBPATH])
+ 
+AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback],
+             [AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])],
+             [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])],
+             [$SAMBA40EXTRA_LIBPATH])
+
+ dnl ---------------------------------------------------------------------------
+ dnl Check for libunistring
+ dnl ---------------------------------------------------------------------------
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index fe9913d611..0cd48d845b 100644
+--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
+@@ -4532,8 +4532,12 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
+ 				      uri, false, NULL, NULL,
+ 				      &ipasam_state->ldap_state);
+ 		if (NT_STATUS_IS_OK(status)) {
+#ifdef HAVE_SMBLDAP_SET_BIND_CALLBACK
+			smbldap_set_bind_callback(ipasam_state->ldap_state, bind_callback, ipasam_state);
+#else
+ 			ipasam_state->ldap_state->bind_callback = bind_callback;
+ 			ipasam_state->ldap_state->bind_callback_data = ipasam_state;
+#endif
+ 		}
+ 	}
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,7 @@ fix-ipa-otpd-service.diff
 fix-is-running.diff
 fix-kdcproxy-path.diff
 fix-opendnssec-setup.diff
+samba-4.7-fix-1.diff
+samba-4.7-fix-2.diff
+samba-4.7-fix-3.diff
+samba-4.7-fix-4.diff